[Pkg-swan-devel] [strongswan] 01/05: Imported Upstream version 5.2.0

Yves-Alexis Perez corsac at moszumanska.debian.org
Fri Jul 11 19:52:30 UTC 2014


This is an automated email from the git hooks/post-receive script.

corsac pushed a commit to branch master
in repository strongswan.

commit 81c63b0eed39432878f78727f60a1e7499645199
Author: Yves-Alexis Perez <corsac at debian.org>
Date:   Fri Jul 11 07:23:31 2014 +0200

    Imported Upstream version 5.2.0
---
 Android.common.mk                                  |    2 +-
 Android.mk                                         |    1 +
 Doxyfile.in                                        | 2346 ++++++++++-------
 Makefile.am                                        |    2 +-
 Makefile.in                                        |   21 +-
 NEWS                                               |   48 +
 README                                             | 1266 ++++-----
 aclocal.m4                                         |  139 +-
 conf/Makefile.am                                   |   10 +-
 conf/Makefile.in                                   |   38 +-
 conf/format-options.py                             |   51 +-
 conf/options/aikgen.conf                           |    7 +
 conf/options/aikgen.opt                            |    2 +
 conf/options/charon.conf                           |   20 +
 conf/options/charon.opt                            |   27 +
 conf/options/pki.conf                              |    7 +
 conf/options/pki.opt                               |    2 +
 conf/options/scepclient.conf                       |    7 +
 conf/options/scepclient.opt                        |    2 +
 conf/options/swanctl.conf                          |    7 +
 conf/options/swanctl.opt                           |    2 +
 conf/options/tools.conf                            |   14 -
 conf/options/tools.opt                             |    5 -
 conf/plugins/eap-tnc.conf                          |    2 +-
 conf/plugins/eap-tnc.opt                           |    2 +-
 conf/plugins/eap-ttls.conf                         |    3 +
 conf/plugins/eap-ttls.opt                          |    3 +
 conf/plugins/imc-attestation.conf                  |   21 -
 conf/plugins/imc-attestation.opt                   |   14 +-
 conf/plugins/imc-os.conf                           |    3 -
 conf/plugins/imc-os.opt                            |   14 +-
 conf/plugins/imc-scanner.conf                      |    3 -
 conf/plugins/imc-scanner.opt                       |    2 +-
 conf/plugins/imc-swid.conf                         |    3 -
 conf/plugins/imc-swid.opt                          |   11 +-
 conf/plugins/imc-test.conf                         |   15 -
 conf/plugins/imc-test.opt                          |   10 +-
 conf/plugins/imv-attestation.conf                  |   37 -
 conf/plugins/imv-attestation.opt                   |   22 +-
 conf/plugins/imv-os.conf                           |    3 -
 conf/plugins/imv-os.opt                            |    2 +-
 conf/plugins/imv-scanner.conf                      |    3 -
 conf/plugins/imv-scanner.opt                       |    2 +-
 conf/plugins/imv-swid.conf                         |    8 +
 conf/plugins/imv-swid.opt                          |    5 +
 conf/plugins/imv-test.conf                         |    3 -
 conf/plugins/imv-test.opt                          |    2 +-
 conf/plugins/kernel-klips.conf                     |   14 -
 conf/plugins/kernel-klips.opt                      |    5 -
 conf/plugins/load-tester.conf                      |    4 +
 conf/plugins/load-tester.opt                       |    4 +
 conf/plugins/vici.conf                             |   11 +
 conf/plugins/vici.opt                              |    2 +
 conf/strongswan.conf.5.main                        |  332 ++-
 config.h.in                                        |   16 +-
 configure                                          | 1221 ++++++---
 configure.ac                                       |  221 +-
 init/Makefile.in                                   |    6 +-
 init/systemd/Makefile.in                           |    6 +-
 man/Makefile.in                                    |    6 +-
 man/ipsec.conf.5.in                                |    9 +
 scripts/Makefile.am                                |    3 +-
 scripts/Makefile.in                                |   26 +-
 scripts/hash_burn.c                                |    3 +-
 scripts/settings-test.c                            |  126 +
 src/Makefile.am                                    |   20 +-
 src/Makefile.in                                    |   44 +-
 src/_copyright/Makefile.in                         |    6 +-
 src/_updown/Makefile.in                            |    6 +-
 src/_updown_espmark/Makefile.in                    |    6 +-
 src/aikgen/Makefile.am                             |   15 +
 src/aikgen/Makefile.in                             |  731 ++++++
 src/aikgen/aikgen.c                                |  554 ++++
 src/charon-cmd/Makefile.in                         |    6 +-
 src/charon-cmd/charon-cmd.c                        |    5 +-
 src/charon-cmd/cmd/cmd_connection.c                |    8 +-
 src/charon-cmd/cmd/cmd_creds.c                     |    4 +-
 src/charon-nm/Makefile.in                          |    6 +-
 src/charon-nm/nm/nm_service.c                      |    2 +
 src/charon-svc/Makefile.am                         |   16 +
 src/charon-svc/Makefile.in                         |  735 ++++++
 src/charon-svc/charon-svc.c                        |  333 +++
 src/charon-tkm/Makefile.in                         |    6 +-
 src/charon-tkm/src/tkm/tkm_kernel_ipsec.c          |    5 +-
 src/charon-tkm/src/tkm/tkm_listener.c              |    2 +-
 src/charon/Makefile.in                             |    6 +-
 src/charon/charon.c                                |   15 +-
 src/checksum/Makefile.am                           |   11 +-
 src/checksum/Makefile.in                           |   20 +-
 src/conftest/Makefile.am                           |    2 +-
 src/conftest/Makefile.in                           |    8 +-
 src/conftest/README                                |    2 +-
 src/conftest/config.c                              |    3 +
 src/conftest/hooks/add_notify.c                    |    5 +-
 src/conftest/hooks/add_payload.c                   |    3 +-
 src/conftest/hooks/custom_proposal.c               |    5 +-
 src/conftest/hooks/force_cookie.c                  |    2 +-
 src/conftest/hooks/ike_auth_fill.c                 |    2 +-
 src/conftest/hooks/log_id.c                        |    4 +-
 src/conftest/hooks/log_ke.c                        |    2 +-
 src/conftest/hooks/log_proposals.c                 |    2 +-
 src/conftest/hooks/log_ts.c                        |    4 +-
 src/conftest/hooks/pretend_auth.c                  |   18 +-
 src/conftest/hooks/rebuild_auth.c                  |    6 +-
 src/conftest/hooks/set_critical.c                  |    3 +-
 src/conftest/hooks/set_length.c                    |    3 +-
 src/conftest/hooks/set_proposal_number.c           |    2 +-
 src/conftest/hooks/set_reserved.c                  |   13 +-
 src/conftest/hooks/unencrypted_notify.c            |    5 +-
 src/conftest/hooks/unsort_message.c                |    3 +-
 src/dumm/Makefile.in                               |    6 +-
 src/dumm/ext/dumm.c                                |    2 +
 src/include/Makefile.in                            |    6 +-
 src/ipsec/Makefile.in                              |    6 +-
 src/ipsec/_ipsec.8                                 |    2 +-
 src/ipsec/_ipsec.in                                |    6 +-
 src/libcharon/Android.mk                           |    5 +-
 src/libcharon/Makefile.am                          |   37 +-
 src/libcharon/Makefile.in                          |  463 ++--
 src/libcharon/bus/bus.c                            |   92 +-
 src/libcharon/bus/bus.h                            |    8 +
 src/libcharon/bus/listeners/file_logger.c          |   14 +
 src/libcharon/bus/listeners/listener.h             |   18 +-
 src/libcharon/config/child_cfg.c                   |   31 +-
 src/libcharon/config/child_cfg.h                   |   20 +-
 src/libcharon/config/ike_cfg.c                     |    5 +-
 src/libcharon/config/ike_cfg.h                     |    5 +-
 src/libcharon/config/peer_cfg.c                    |    3 +-
 src/libcharon/config/proposal.c                    |  170 +-
 src/libcharon/config/proposal.h                    |    8 +
 src/libcharon/control/controller.c                 |    1 -
 src/libcharon/daemon.c                             |   80 +-
 src/libcharon/encoding/generator.c                 |   19 +-
 src/libcharon/encoding/message.c                   |  753 +++---
 src/libcharon/encoding/parser.c                    |   19 +-
 src/libcharon/encoding/payloads/auth_payload.c     |    4 +-
 src/libcharon/encoding/payloads/cert_payload.c     |    4 +-
 src/libcharon/encoding/payloads/certreq_payload.c  |   12 +-
 .../encoding/payloads/configuration_attribute.c    |    8 +-
 .../encoding/payloads/configuration_attribute.h    |    6 +-
 src/libcharon/encoding/payloads/cp_payload.c       |   10 +-
 src/libcharon/encoding/payloads/cp_payload.h       |    4 +-
 src/libcharon/encoding/payloads/delete_payload.c   |   12 +-
 src/libcharon/encoding/payloads/delete_payload.h   |    2 +-
 src/libcharon/encoding/payloads/eap_payload.c      |    4 +-
 .../encoding/payloads/encryption_payload.c         |   16 +-
 .../encoding/payloads/encryption_payload.h         |    2 +-
 src/libcharon/encoding/payloads/endpoint_notify.c  |    2 +-
 src/libcharon/encoding/payloads/fragment_payload.c |    4 +-
 src/libcharon/encoding/payloads/hash_payload.c     |    4 +-
 src/libcharon/encoding/payloads/hash_payload.h     |    2 +-
 src/libcharon/encoding/payloads/id_payload.c       |   12 +-
 src/libcharon/encoding/payloads/id_payload.h       |    6 +-
 src/libcharon/encoding/payloads/ike_header.c       |    2 +-
 src/libcharon/encoding/payloads/ke_payload.c       |    8 +-
 src/libcharon/encoding/payloads/ke_payload.h       |    4 +-
 src/libcharon/encoding/payloads/nonce_payload.c    |    8 +-
 src/libcharon/encoding/payloads/nonce_payload.h    |    2 +-
 src/libcharon/encoding/payloads/notify_payload.c   |   12 +-
 src/libcharon/encoding/payloads/notify_payload.h   |    4 +-
 src/libcharon/encoding/payloads/payload.c          |  154 +-
 src/libcharon/encoding/payloads/payload.h          |  118 +-
 .../encoding/payloads/proposal_substructure.c      |   82 +-
 .../encoding/payloads/proposal_substructure.h      |   10 +-
 src/libcharon/encoding/payloads/sa_payload.c       |   20 +-
 src/libcharon/encoding/payloads/sa_payload.h       |    2 +-
 .../payloads/traffic_selector_substructure.c       |    4 +-
 .../encoding/payloads/transform_attribute.c        |    4 +-
 .../encoding/payloads/transform_attribute.h        |    4 +-
 .../encoding/payloads/transform_substructure.c     |   20 +-
 .../encoding/payloads/transform_substructure.h     |    4 +-
 src/libcharon/encoding/payloads/ts_payload.c       |    8 +-
 src/libcharon/encoding/payloads/unknown_payload.c  |    2 +-
 .../encoding/payloads/vendor_id_payload.c          |    2 +-
 .../encoding/payloads/vendor_id_payload.h          |    4 +-
 src/libcharon/network/receiver.c                   |    2 +-
 src/libcharon/plugins/addrblock/Makefile.am        |    2 +-
 src/libcharon/plugins/addrblock/Makefile.in        |    8 +-
 src/libcharon/plugins/android_dns/Makefile.am      |    2 +-
 src/libcharon/plugins/android_dns/Makefile.in      |    8 +-
 src/libcharon/plugins/android_log/Makefile.am      |    2 +-
 src/libcharon/plugins/android_log/Makefile.in      |    8 +-
 src/libcharon/plugins/certexpire/Makefile.am       |    2 +-
 src/libcharon/plugins/certexpire/Makefile.in       |    8 +-
 src/libcharon/plugins/coupling/Makefile.am         |    2 +-
 src/libcharon/plugins/coupling/Makefile.in         |    8 +-
 .../plugins/coupling/coupling_validator.c          |   10 +-
 src/libcharon/plugins/dhcp/Makefile.am             |    2 +-
 src/libcharon/plugins/dhcp/Makefile.in             |    8 +-
 src/libcharon/plugins/dnscert/Makefile.am          |    2 +-
 src/libcharon/plugins/dnscert/Makefile.in          |    8 +-
 src/libcharon/plugins/duplicheck/Makefile.am       |    2 +-
 src/libcharon/plugins/duplicheck/Makefile.in       |    8 +-
 src/libcharon/plugins/eap_aka/Makefile.am          |    2 +-
 src/libcharon/plugins/eap_aka/Makefile.in          |    8 +-
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.am    |    2 +-
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |    8 +-
 src/libcharon/plugins/eap_dynamic/Makefile.am      |    2 +-
 src/libcharon/plugins/eap_dynamic/Makefile.in      |    8 +-
 src/libcharon/plugins/eap_gtc/Makefile.am          |    2 +-
 src/libcharon/plugins/eap_gtc/Makefile.in          |    8 +-
 src/libcharon/plugins/eap_gtc/eap_gtc.c            |    6 +-
 src/libcharon/plugins/eap_identity/Makefile.am     |    2 +-
 src/libcharon/plugins/eap_identity/Makefile.in     |    8 +-
 src/libcharon/plugins/eap_md5/Makefile.am          |    2 +-
 src/libcharon/plugins/eap_md5/Makefile.in          |    8 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.am     |    2 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |    8 +-
 src/libcharon/plugins/eap_peap/Makefile.am         |    2 +-
 src/libcharon/plugins/eap_peap/Makefile.in         |    8 +-
 src/libcharon/plugins/eap_peap/eap_peap_avp.c      |   15 -
 src/libcharon/plugins/eap_radius/Makefile.am       |    2 +-
 src/libcharon/plugins/eap_radius/Makefile.in       |    8 +-
 .../plugins/eap_radius/eap_radius_accounting.c     |    2 +-
 .../plugins/eap_radius/eap_radius_forward.c        |    7 +-
 .../plugins/eap_radius/eap_radius_xauth.c          |   10 +-
 src/libcharon/plugins/eap_sim/Makefile.am          |    2 +-
 src/libcharon/plugins/eap_sim/Makefile.in          |    8 +-
 src/libcharon/plugins/eap_sim_file/Makefile.am     |    2 +-
 src/libcharon/plugins/eap_sim_file/Makefile.in     |    8 +-
 src/libcharon/plugins/eap_sim_pcsc/Makefile.am     |    2 +-
 src/libcharon/plugins/eap_sim_pcsc/Makefile.in     |    8 +-
 .../plugins/eap_simaka_pseudonym/Makefile.am       |    2 +-
 .../plugins/eap_simaka_pseudonym/Makefile.in       |    8 +-
 .../plugins/eap_simaka_reauth/Makefile.am          |    2 +-
 .../plugins/eap_simaka_reauth/Makefile.in          |    8 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.am   |    2 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |    8 +-
 src/libcharon/plugins/eap_tls/Makefile.am          |    2 +-
 src/libcharon/plugins/eap_tls/Makefile.in          |    8 +-
 src/libcharon/plugins/eap_tnc/Makefile.am          |    2 +-
 src/libcharon/plugins/eap_tnc/Makefile.in          |    8 +-
 src/libcharon/plugins/eap_tnc/eap_tnc.c            |   54 +-
 src/libcharon/plugins/eap_tnc/eap_tnc.h            |   28 +-
 src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c     |    8 +
 src/libcharon/plugins/eap_ttls/Makefile.am         |    2 +-
 src/libcharon/plugins/eap_ttls/Makefile.in         |    8 +-
 src/libcharon/plugins/eap_ttls/eap_ttls_server.c   |   30 +-
 src/libcharon/plugins/error_notify/Makefile.am     |    2 +-
 src/libcharon/plugins/error_notify/Makefile.in     |    8 +-
 src/libcharon/plugins/farp/Makefile.am             |    2 +-
 src/libcharon/plugins/farp/Makefile.in             |    8 +-
 src/libcharon/plugins/ha/Makefile.am               |    2 +-
 src/libcharon/plugins/ha/Makefile.in               |    8 +-
 src/libcharon/plugins/ha/ha_dispatcher.c           |   10 +-
 src/libcharon/plugins/ha/ha_tunnel.c               |    2 +
 src/libcharon/plugins/ipseckey/Makefile.am         |    2 +-
 src/libcharon/plugins/ipseckey/Makefile.in         |    8 +-
 src/libcharon/plugins/kernel_iph/Makefile.am       |   20 +
 src/libcharon/plugins/kernel_iph/Makefile.in       |  768 ++++++
 src/libcharon/plugins/kernel_iph/kernel_iph_net.c  |  775 ++++++
 src/libcharon/plugins/kernel_iph/kernel_iph_net.h  |   46 +
 .../plugins/kernel_iph/kernel_iph_plugin.c         |   76 +
 .../plugins/kernel_iph/kernel_iph_plugin.h         |   42 +
 src/libcharon/plugins/kernel_libipsec/Makefile.am  |    2 +-
 src/libcharon/plugins/kernel_libipsec/Makefile.in  |    8 +-
 .../kernel_libipsec/kernel_libipsec_ipsec.c        |    9 +-
 src/libcharon/plugins/kernel_wfp/Makefile.am       |   33 +
 src/libcharon/plugins/kernel_wfp/Makefile.in       |  801 ++++++
 src/libcharon/plugins/kernel_wfp/ipsecdump.c       |  666 +++++
 .../plugins/kernel_wfp/kernel_wfp_compat.c         |  157 ++
 .../plugins/kernel_wfp/kernel_wfp_compat.h         |  205 ++
 .../plugins/kernel_wfp/kernel_wfp_ipsec.c          | 2551 ++++++++++++++++++
 .../plugins/kernel_wfp/kernel_wfp_ipsec.h          |   47 +
 .../plugins/kernel_wfp/kernel_wfp_plugin.c         |   77 +
 .../plugins/kernel_wfp/kernel_wfp_plugin.h         |   43 +
 .../plugins/kernel_wfp/mingw-w64-4.8.1.diff        |   26 +
 src/libcharon/plugins/led/Makefile.am              |    2 +-
 src/libcharon/plugins/led/Makefile.in              |    8 +-
 src/libcharon/plugins/load_tester/Makefile.am      |    2 +-
 src/libcharon/plugins/load_tester/Makefile.in      |    8 +-
 .../plugins/load_tester/load_tester_config.c       |    4 +-
 .../plugins/load_tester/load_tester_creds.c        |   26 +-
 .../plugins/load_tester/load_tester_ipsec.c        |    9 +-
 src/libcharon/plugins/lookip/Makefile.am           |    2 +-
 src/libcharon/plugins/lookip/Makefile.in           |    8 +-
 src/libcharon/plugins/maemo/Makefile.am            |    2 +-
 src/libcharon/plugins/maemo/Makefile.in            |    8 +-
 src/libcharon/plugins/maemo/maemo_service.c        |    2 +
 src/libcharon/plugins/medcli/Makefile.am           |    2 +-
 src/libcharon/plugins/medcli/Makefile.in           |    8 +-
 src/libcharon/plugins/medcli/medcli_config.c       |    4 +
 src/libcharon/plugins/medsrv/Makefile.am           |    2 +-
 src/libcharon/plugins/medsrv/Makefile.in           |    8 +-
 src/libcharon/plugins/medsrv/medsrv_config.c       |    1 +
 src/libcharon/plugins/osx_attr/Makefile.am         |    2 +-
 src/libcharon/plugins/osx_attr/Makefile.in         |    8 +-
 src/libcharon/plugins/radattr/Makefile.am          |    2 +-
 src/libcharon/plugins/radattr/Makefile.in          |    8 +-
 src/libcharon/plugins/radattr/radattr_listener.c   |    4 +-
 src/libcharon/plugins/smp/Makefile.am              |    2 +-
 src/libcharon/plugins/smp/Makefile.in              |    8 +-
 src/libcharon/plugins/socket_default/Makefile.am   |    2 +-
 src/libcharon/plugins/socket_default/Makefile.in   |    8 +-
 src/libcharon/plugins/socket_dynamic/Makefile.am   |    2 +-
 src/libcharon/plugins/socket_dynamic/Makefile.in   |    8 +-
 src/libcharon/plugins/socket_win/Makefile.am       |   21 +
 src/libcharon/plugins/socket_win/Makefile.in       |  769 ++++++
 .../plugins/socket_win/socket_win_plugin.c         |   76 +
 .../plugins/socket_win/socket_win_plugin.h         |   42 +
 .../plugins/socket_win/socket_win_socket.c         |  501 ++++
 .../plugins/socket_win/socket_win_socket.h         |   44 +
 src/libcharon/plugins/sql/Makefile.am              |    2 +-
 src/libcharon/plugins/sql/Makefile.in              |    8 +-
 src/libcharon/plugins/sql/sql_config.c             |    2 +
 src/libcharon/plugins/stroke/Makefile.am           |    2 +-
 src/libcharon/plugins/stroke/Makefile.in           |    8 +-
 src/libcharon/plugins/stroke/stroke_config.c       |    6 +
 src/libcharon/plugins/stroke/stroke_socket.c       |   90 +-
 src/libcharon/plugins/systime_fix/Makefile.in      |    6 +-
 src/libcharon/plugins/tnc_ifmap/Makefile.am        |    2 +-
 src/libcharon/plugins/tnc_ifmap/Makefile.in        |    8 +-
 src/libcharon/plugins/tnc_pdp/Makefile.am          |    2 +-
 src/libcharon/plugins/tnc_pdp/Makefile.in          |    8 +-
 src/libcharon/plugins/tnc_pdp/tnc_pdp.c            |   91 +-
 src/libcharon/plugins/uci/Makefile.am              |    2 +-
 src/libcharon/plugins/uci/Makefile.in              |    8 +-
 src/libcharon/plugins/unit_tester/Makefile.am      |    2 +-
 src/libcharon/plugins/unit_tester/Makefile.in      |    8 +-
 src/libcharon/plugins/unity/Makefile.am            |    2 +-
 src/libcharon/plugins/unity/Makefile.in            |    8 +-
 src/libcharon/plugins/updown/Makefile.am           |    2 +-
 src/libcharon/plugins/updown/Makefile.in           |    8 +-
 src/libcharon/plugins/updown/updown_listener.c     |    4 +-
 src/libcharon/plugins/vici/Makefile.am             |   69 +
 src/libcharon/plugins/vici/Makefile.in             | 1183 +++++++++
 src/libcharon/plugins/vici/README.md               |  176 ++
 src/libcharon/plugins/vici/libvici.c               |  764 ++++++
 src/libcharon/plugins/vici/libvici.h               |  459 ++++
 src/libcharon/plugins/vici/suites/test_event.c     |  224 ++
 src/libcharon/plugins/vici/suites/test_message.c   |  407 +++
 src/libcharon/plugins/vici/suites/test_request.c   |  247 ++
 src/libcharon/plugins/vici/suites/test_socket.c    |  133 +
 src/libcharon/plugins/vici/vici_attribute.c        |  713 +++++
 src/libcharon/plugins/vici/vici_attribute.h        |   54 +
 src/libcharon/plugins/vici/vici_builder.c          |  253 ++
 src/libcharon/plugins/vici/vici_builder.h          |  129 +
 src/libcharon/plugins/vici/vici_config.c           | 2006 ++++++++++++++
 src/libcharon/plugins/vici/vici_config.h           |   53 +
 src/libcharon/plugins/vici/vici_control.c          |  496 ++++
 src/libcharon/plugins/vici/vici_control.h          |   47 +
 src/libcharon/plugins/vici/vici_cred.c             |  330 +++
 src/libcharon/plugins/vici/vici_cred.h             |   47 +
 src/libcharon/plugins/vici/vici_dispatcher.c       |  524 ++++
 src/libcharon/plugins/vici/vici_dispatcher.h       |  122 +
 src/libcharon/plugins/vici/vici_logger.c           |  130 +
 src/libcharon/plugins/vici/vici_logger.h           |   54 +
 src/libcharon/plugins/vici/vici_message.c          |  727 ++++++
 src/libcharon/plugins/vici/vici_message.h          |  248 ++
 src/libcharon/plugins/vici/vici_plugin.c           |  169 ++
 src/libcharon/plugins/vici/vici_plugin.h           |   42 +
 src/libcharon/plugins/vici/vici_query.c            | 1039 ++++++++
 src/libcharon/plugins/vici/vici_query.h            |   47 +
 src/libcharon/plugins/vici/vici_socket.c           |  679 +++++
 src/libcharon/plugins/vici/vici_socket.h           |   95 +
 src/libcharon/plugins/vici/vici_tests.c            |   46 +
 src/libcharon/plugins/vici/vici_tests.h            |   19 +
 src/libcharon/plugins/whitelist/Makefile.am        |    2 +-
 src/libcharon/plugins/whitelist/Makefile.in        |    8 +-
 src/libcharon/plugins/xauth_eap/Makefile.am        |    2 +-
 src/libcharon/plugins/xauth_eap/Makefile.in        |    8 +-
 src/libcharon/plugins/xauth_eap/xauth_eap.c        |    6 +-
 src/libcharon/plugins/xauth_generic/Makefile.am    |    2 +-
 src/libcharon/plugins/xauth_generic/Makefile.in    |    8 +-
 .../plugins/xauth_generic/xauth_generic.c          |   12 +-
 src/libcharon/plugins/xauth_noauth/Makefile.am     |    2 +-
 src/libcharon/plugins/xauth_noauth/Makefile.in     |    8 +-
 src/libcharon/plugins/xauth_pam/Makefile.am        |    2 +-
 src/libcharon/plugins/xauth_pam/Makefile.in        |    8 +-
 src/libcharon/plugins/xauth_pam/xauth_pam.c        |   13 +-
 .../plugins/xauth_pam/xauth_pam_listener.h         |    2 +-
 .../processing/jobs/process_message_job.c          |    2 +-
 src/libcharon/processing/jobs/rekey_ike_sa_job.c   |   49 +-
 src/libcharon/sa/authenticator.c                   |    2 +-
 src/libcharon/sa/child_sa.c                        |   31 +-
 src/libcharon/sa/ike_sa.c                          |   51 +-
 src/libcharon/sa/ike_sa.h                          |   26 +-
 src/libcharon/sa/ike_sa_manager.c                  |   19 +-
 .../sa/ikev1/authenticators/psk_v1_authenticator.c |    4 +-
 .../ikev1/authenticators/pubkey_v1_authenticator.c |    4 +-
 src/libcharon/sa/ikev1/keymat_v1.c                 |    6 +-
 src/libcharon/sa/ikev1/phase1.c                    |   10 +-
 src/libcharon/sa/ikev1/task_manager_v1.c           |    8 +-
 src/libcharon/sa/ikev1/tasks/aggressive_mode.c     |   16 +-
 src/libcharon/sa/ikev1/tasks/informational.c       |    4 +-
 src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c    |    6 +-
 src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c     |    8 +-
 src/libcharon/sa/ikev1/tasks/isakmp_delete.c       |    2 +-
 src/libcharon/sa/ikev1/tasks/isakmp_dpd.c          |    2 +-
 src/libcharon/sa/ikev1/tasks/isakmp_natd.c         |   16 +-
 src/libcharon/sa/ikev1/tasks/isakmp_vendor.c       |    6 +-
 src/libcharon/sa/ikev1/tasks/main_mode.c           |   16 +-
 src/libcharon/sa/ikev1/tasks/mode_config.c         |   33 +-
 src/libcharon/sa/ikev1/tasks/quick_delete.c        |    4 +-
 src/libcharon/sa/ikev1/tasks/quick_mode.c          |   24 +-
 src/libcharon/sa/ikev1/tasks/xauth.c               |   20 +-
 .../sa/ikev2/authenticators/eap_authenticator.c    |    6 +-
 .../sa/ikev2/authenticators/psk_authenticator.c    |    2 +-
 .../sa/ikev2/authenticators/pubkey_authenticator.c |    2 +-
 src/libcharon/sa/ikev2/connect_manager.c           |    2 +-
 src/libcharon/sa/ikev2/task_manager_v2.c           |   10 +-
 src/libcharon/sa/ikev2/tasks/child_create.c        |   30 +-
 src/libcharon/sa/ikev2/tasks/child_delete.c        |    6 +-
 src/libcharon/sa/ikev2/tasks/child_rekey.c         |    6 +-
 src/libcharon/sa/ikev2/tasks/ike_auth.c            |   28 +-
 src/libcharon/sa/ikev2/tasks/ike_cert_post.c       |   14 +-
 src/libcharon/sa/ikev2/tasks/ike_cert_pre.c        |    8 +-
 src/libcharon/sa/ikev2/tasks/ike_config.c          |   25 +-
 src/libcharon/sa/ikev2/tasks/ike_delete.c          |    2 +-
 src/libcharon/sa/ikev2/tasks/ike_init.c            |   12 +-
 src/libcharon/sa/ikev2/tasks/ike_me.c              |   10 +-
 src/libcharon/sa/ikev2/tasks/ike_mobike.c          |    2 +-
 src/libcharon/sa/ikev2/tasks/ike_natd.c            |    6 +-
 src/libcharon/sa/ikev2/tasks/ike_rekey.c           |   14 +-
 src/libcharon/sa/ikev2/tasks/ike_vendor.c          |    4 +-
 src/libcharon/sa/shunt_manager.c                   |   43 +-
 src/libfast/Makefile.am                            |    2 +-
 src/libfast/Makefile.in                            |    8 +-
 src/libhydra/Makefile.am                           |   11 +-
 src/libhydra/Makefile.in                           |   63 +-
 src/libhydra/attributes/attributes.h               |    2 +-
 src/libhydra/kernel/kernel_interface.c             |   14 +-
 src/libhydra/kernel/kernel_interface.h             |    9 +-
 src/libhydra/kernel/kernel_ipsec.h                 |    2 +
 src/libhydra/kernel/kernel_net.h                   |    4 +-
 src/libhydra/plugins/attr/Makefile.am              |    2 +-
 src/libhydra/plugins/attr/Makefile.in              |    8 +-
 src/libhydra/plugins/attr_sql/Makefile.am          |    2 +-
 src/libhydra/plugins/attr_sql/Makefile.in          |    8 +-
 src/libhydra/plugins/kernel_klips/Makefile.am      |   18 -
 src/libhydra/plugins/kernel_klips/Makefile.in      |  762 ------
 .../plugins/kernel_klips/kernel_klips_ipsec.c      | 2652 -------------------
 .../plugins/kernel_klips/kernel_klips_ipsec.h      |   46 -
 .../plugins/kernel_klips/kernel_klips_plugin.c     |   76 -
 .../plugins/kernel_klips/kernel_klips_plugin.h     |   42 -
 src/libhydra/plugins/kernel_klips/pfkeyv2.h        |  322 ---
 src/libhydra/plugins/kernel_netlink/Makefile.am    |    2 +-
 src/libhydra/plugins/kernel_netlink/Makefile.in    |    8 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |   88 +-
 .../plugins/kernel_netlink/kernel_netlink_net.c    |  264 +-
 src/libhydra/plugins/kernel_pfkey/Makefile.am      |    2 +-
 src/libhydra/plugins/kernel_pfkey/Makefile.in      |    8 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |  206 +-
 src/libhydra/plugins/kernel_pfroute/Makefile.am    |    2 +-
 src/libhydra/plugins/kernel_pfroute/Makefile.in    |    8 +-
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |    2 +-
 src/libhydra/plugins/resolve/Makefile.am           |    2 +-
 src/libhydra/plugins/resolve/Makefile.in           |    8 +-
 src/libimcv/Android.mk                             |   66 +
 src/libimcv/Makefile.am                            |   11 +-
 src/libimcv/Makefile.in                            |   52 +-
 src/libimcv/ietf/ietf_attr_installed_packages.c    |   10 +-
 src/libimcv/ietf/ietf_attr_installed_packages.h    |    3 +-
 src/libimcv/imc/imc_agent.c                        |    3 +-
 src/libimcv/imc/imc_msg.c                          |   18 +-
 src/libimcv/imc/imc_os_info.c                      |  632 +++++
 src/libimcv/imc/imc_os_info.h                      |  107 +
 src/libimcv/imcv.c                                 |   51 +-
 src/libimcv/imcv.h                                 |    6 +
 src/libimcv/imv/_imv_policy                        |   14 +-
 src/libimcv/imv/data.sql                           |  345 ++-
 src/libimcv/imv/imv_agent.c                        |   48 +-
 src/libimcv/imv/imv_agent.h                        |    4 +-
 src/libimcv/imv/imv_database.c                     |  302 +--
 src/libimcv/imv/imv_database.h                     |   20 -
 src/libimcv/imv/imv_if.h                           |   55 +-
 src/libimcv/imv/imv_os_info.c                      |  168 ++
 src/libimcv/imv/imv_os_info.h                      |   88 +
 src/libimcv/imv/imv_policy_manager.c               |   13 +-
 src/libimcv/imv/imv_policy_manager_usage.c         |    3 +-
 src/libimcv/imv/imv_session.c                      |  147 +-
 src/libimcv/imv/imv_session.h                      |   80 +-
 src/libimcv/imv/imv_session_manager.c              |  131 +
 src/libimcv/imv/imv_session_manager.h              |   69 +
 src/libimcv/imv/imv_state.h                        |   27 +-
 src/libimcv/imv/tables-mysql.sql                   |  200 ++
 src/libimcv/imv/tables.sql                         |  151 +-
 src/libimcv/os_info/os_info.c                      |  553 +---
 src/libimcv/os_info/os_info.h                      |   82 +-
 src/libimcv/pa_tnc/pa_tnc_attr.h                   |    6 +-
 src/libimcv/pa_tnc/pa_tnc_msg.c                    |   21 +-
 src/libimcv/pa_tnc/pa_tnc_msg.h                    |    3 +-
 src/libimcv/plugins/imc_os/Makefile.am             |    2 +-
 src/libimcv/plugins/imc_os/Makefile.in             |    8 +-
 src/libimcv/plugins/imc_os/imc_os.c                |  165 +-
 src/libimcv/plugins/imc_scanner/Makefile.am        |    2 +-
 src/libimcv/plugins/imc_scanner/Makefile.in        |    8 +-
 src/libimcv/plugins/imc_test/Makefile.am           |    2 +-
 src/libimcv/plugins/imc_test/Makefile.in           |    8 +-
 src/libimcv/plugins/imv_os/Makefile.am             |    4 +-
 src/libimcv/plugins/imv_os/Makefile.in             |   26 +-
 src/libimcv/plugins/imv_os/imv_os_agent.c          |  164 +-
 src/libimcv/plugins/imv_os/imv_os_database.c       |   67 +-
 src/libimcv/plugins/imv_os/imv_os_database.h       |   14 +-
 src/libimcv/plugins/imv_os/imv_os_state.c          |  136 +-
 src/libimcv/plugins/imv_os/imv_os_state.h          |   37 +-
 src/libimcv/plugins/imv_os/pacman.sh               |   23 +-
 src/libimcv/plugins/imv_scanner/Makefile.am        |    2 +-
 src/libimcv/plugins/imv_scanner/Makefile.in        |    8 +-
 .../plugins/imv_scanner/imv_scanner_agent.c        |    5 +-
 .../plugins/imv_scanner/imv_scanner_state.c        |   44 +-
 src/libimcv/plugins/imv_test/Makefile.am           |    2 +-
 src/libimcv/plugins/imv_test/Makefile.in           |    8 +-
 src/libimcv/plugins/imv_test/imv_test_state.c      |   36 +-
 src/libipsec/Makefile.in                           |    6 +-
 src/libipsec/esp_packet.c                          |    4 +-
 src/libipsec/ip_packet.c                           |    4 +-
 src/libipsec/ipsec_policy_mgr.c                    |    5 +-
 src/libpts/Android.mk                              |   78 +
 src/libpts/Makefile.am                             |    8 +
 src/libpts/Makefile.in                             |   39 +-
 src/libpts/plugins/imc_attestation/Makefile.am     |    2 +-
 src/libpts/plugins/imc_attestation/Makefile.in     |    8 +-
 .../plugins/imc_attestation/imc_attestation.c      |   54 +-
 src/libpts/plugins/imc_swid/Makefile.am            |    2 +-
 src/libpts/plugins/imc_swid/Makefile.in            |    8 +-
 src/libpts/plugins/imc_swid/imc_swid.c             |  208 +-
 ...id.2004-03.org.strongswan_strongSwan.swidtag.in |   40 +-
 src/libpts/plugins/imv_attestation/Makefile.am     |    2 +-
 src/libpts/plugins/imv_attestation/Makefile.in     |    8 +-
 src/libpts/plugins/imv_attestation/attest.c        |   57 +-
 src/libpts/plugins/imv_attestation/attest_db.c     |  207 +-
 src/libpts/plugins/imv_attestation/attest_db.h     |   10 +-
 .../plugins/imv_attestation/build-database.sh      |  293 +--
 .../imv_attestation/imv_attestation_agent.c        |  230 +-
 .../imv_attestation/imv_attestation_build.c        |   14 +-
 .../imv_attestation/imv_attestation_process.c      |   93 +-
 .../imv_attestation/imv_attestation_state.c        |   68 +-
 .../imv_attestation/imv_attestation_state.h        |   26 +-
 src/libpts/plugins/imv_swid/Makefile.am            |    8 +-
 src/libpts/plugins/imv_swid/Makefile.in            |   17 +-
 src/libpts/plugins/imv_swid/imv_swid_agent.c       |  359 ++-
 src/libpts/plugins/imv_swid/imv_swid_rest.c        |  122 +
 src/libpts/plugins/imv_swid/imv_swid_rest.h        |   63 +
 src/libpts/plugins/imv_swid/imv_swid_state.c       |  172 +-
 src/libpts/plugins/imv_swid/imv_swid_state.h       |   63 +-
 src/libpts/pts/components/ita/ita_comp_ima.c       |  694 +++--
 src/libpts/pts/components/ita/ita_comp_tboot.c     |   95 +-
 src/libpts/pts/components/ita/ita_comp_tgrub.c     |    7 +-
 src/libpts/pts/components/pts_component.h          |    5 +-
 src/libpts/pts/pts.c                               |  152 +-
 src/libpts/pts/pts.h                               |   22 +-
 src/libpts/pts/pts_database.c                      |  172 +-
 src/libpts/pts/pts_database.h                      |   62 +-
 src/libpts/pts/pts_file_meas.c                     |  117 +-
 src/libpts/pts/pts_file_meas.h                     |    5 +-
 src/libpts/pts/pts_ima_bios_list.c                 |  294 +++
 src/libpts/pts/pts_ima_bios_list.h                 |   74 +
 src/libpts/pts/pts_ima_event_list.c                |  330 +++
 src/libpts/pts/pts_ima_event_list.h                |   80 +
 src/libpts/pts/pts_meas_algo.c                     |    7 +-
 src/libpts/pts/pts_meas_algo.h                     |    4 +-
 src/libpts/swid/swid_error.c                       |    2 +-
 src/libpts/swid/swid_inventory.c                   |  238 +-
 src/libpts/swid/swid_inventory.h                   |    9 +-
 src/libpts/swid/swid_tag.c                         |   40 +-
 src/libpts/swid/swid_tag.h                         |   19 +-
 src/libpts/swid/swid_tag_id.c                      |   42 +-
 src/libpts/swid/swid_tag_id.h                      |   19 +-
 src/libpts/tcg/swid/tcg_swid_attr_req.c            |    7 +-
 src/libpts/tcg/swid/tcg_swid_attr_req.h            |    4 +-
 src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.c     |   66 +-
 src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.h     |   25 +-
 src/libpts/tcg/swid/tcg_swid_attr_tag_inv.c        |   60 +-
 src/libpts/tcg/swid/tcg_swid_attr_tag_inv.h        |   24 +-
 src/libpttls/Makefile.am                           |    4 +
 src/libpttls/Makefile.in                           |   15 +-
 src/libpttls/pt_tls.h                              |    2 +-
 src/libradius/Makefile.in                          |    6 +-
 src/libsimaka/Makefile.in                          |    6 +-
 src/libsimaka/simaka_message.h                     |    2 +-
 src/libstrongswan/Android.mk                       |   30 +-
 src/libstrongswan/AndroidConfigLocal.h             |    2 -
 src/libstrongswan/Makefile.am                      |   70 +-
 src/libstrongswan/Makefile.in                      |  686 +++--
 src/libstrongswan/asn1/asn1.c                      |    2 +-
 src/libstrongswan/asn1/oid.h                       |    2 +-
 src/libstrongswan/asn1/oid.pl                      |    2 +-
 src/libstrongswan/collections/array.c              |    2 +-
 src/libstrongswan/collections/dictionary.h         |   55 +
 src/libstrongswan/collections/enumerator.c         |  103 +-
 src/libstrongswan/collections/enumerator.h         |   37 +-
 src/libstrongswan/collections/hashtable.c          |   39 +-
 src/libstrongswan/collections/hashtable.h          |    9 +
 src/libstrongswan/credentials/auth_cfg.c           |    2 +-
 src/libstrongswan/credentials/certificates/crl.h   |   28 +-
 src/libstrongswan/credentials/cred_encoding.h      |    2 +
 src/libstrongswan/credentials/sets/cert_cache.c    |    1 -
 src/libstrongswan/credentials/sets/mem_cred.c      |   76 +-
 src/libstrongswan/crypto/crypto_factory.c          |   18 +-
 src/libstrongswan/crypto/crypto_tester.c           |    8 +-
 src/libstrongswan/crypto/transform.h               |    2 +-
 src/libstrongswan/eap/eap.c                        |   11 +-
 src/libstrongswan/eap/eap.h                        |    1 +
 src/libstrongswan/fetcher/fetcher.h                |    6 +
 src/libstrongswan/fetcher/fetcher_manager.c        |    4 +
 src/libstrongswan/ipsec/ipsec_types.h              |    6 +-
 src/libstrongswan/library.c                        |   16 +-
 src/libstrongswan/library.h                        |    2 +-
 src/libstrongswan/networking/host.h                |    4 +-
 src/libstrongswan/networking/host_resolver.c       |    2 -
 src/libstrongswan/networking/streams/stream.c      |  133 +-
 src/libstrongswan/networking/streams/stream.h      |   51 -
 .../networking/streams/stream_manager.c            |   19 +-
 .../networking/streams/stream_service.c            |   99 +-
 .../networking/streams/stream_service.h            |   19 -
 .../networking/streams/stream_service_tcp.c        |   64 +
 .../networking/streams/stream_service_tcp.h        |   33 +
 .../networking/streams/stream_service_unix.c       |   75 +
 .../networking/streams/stream_service_unix.h       |   42 +
 src/libstrongswan/networking/streams/stream_tcp.c  |   99 +
 src/libstrongswan/networking/streams/stream_tcp.h  |   52 +
 src/libstrongswan/networking/streams/stream_unix.c |   69 +
 src/libstrongswan/networking/streams/stream_unix.h |   48 +
 src/libstrongswan/networking/tun_device.c          |  124 +-
 src/libstrongswan/plugins/acert/Makefile.am        |    2 +-
 src/libstrongswan/plugins/acert/Makefile.in        |    8 +-
 src/libstrongswan/plugins/aes/Makefile.am          |    2 +-
 src/libstrongswan/plugins/aes/Makefile.in          |    8 +-
 src/libstrongswan/plugins/aes/aes_crypter.c        |  687 +----
 src/libstrongswan/plugins/af_alg/Makefile.am       |    2 +-
 src/libstrongswan/plugins/af_alg/Makefile.in       |    8 +-
 src/libstrongswan/plugins/agent/Makefile.am        |    2 +-
 src/libstrongswan/plugins/agent/Makefile.in        |    8 +-
 src/libstrongswan/plugins/blowfish/Makefile.am     |    2 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |    8 +-
 src/libstrongswan/plugins/ccm/Makefile.am          |    2 +-
 src/libstrongswan/plugins/ccm/Makefile.in          |    8 +-
 src/libstrongswan/plugins/cmac/Makefile.am         |    2 +-
 src/libstrongswan/plugins/cmac/Makefile.in         |    8 +-
 src/libstrongswan/plugins/constraints/Makefile.am  |    2 +-
 src/libstrongswan/plugins/constraints/Makefile.in  |    8 +-
 src/libstrongswan/plugins/ctr/Makefile.am          |    2 +-
 src/libstrongswan/plugins/ctr/Makefile.in          |    8 +-
 src/libstrongswan/plugins/curl/Makefile.am         |    2 +-
 src/libstrongswan/plugins/curl/Makefile.in         |    8 +-
 src/libstrongswan/plugins/curl/curl_fetcher.c      |   21 +-
 src/libstrongswan/plugins/des/Makefile.am          |    2 +-
 src/libstrongswan/plugins/des/Makefile.in          |    8 +-
 src/libstrongswan/plugins/dnskey/Makefile.am       |    2 +-
 src/libstrongswan/plugins/dnskey/Makefile.in       |    8 +-
 src/libstrongswan/plugins/fips_prf/Makefile.am     |    2 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |    8 +-
 src/libstrongswan/plugins/gcm/Makefile.am          |    2 +-
 src/libstrongswan/plugins/gcm/Makefile.in          |    8 +-
 src/libstrongswan/plugins/gcrypt/Makefile.am       |    2 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |    8 +-
 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c   |   54 +-
 src/libstrongswan/plugins/gmp/Makefile.am          |    2 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |    8 +-
 src/libstrongswan/plugins/hmac/Makefile.am         |    2 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |    8 +-
 src/libstrongswan/plugins/keychain/Makefile.am     |    2 +-
 src/libstrongswan/plugins/keychain/Makefile.in     |    8 +-
 src/libstrongswan/plugins/ldap/Makefile.am         |    2 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |    8 +-
 src/libstrongswan/plugins/md4/Makefile.am          |    2 +-
 src/libstrongswan/plugins/md4/Makefile.in          |    8 +-
 src/libstrongswan/plugins/md5/Makefile.am          |    2 +-
 src/libstrongswan/plugins/md5/Makefile.in          |    8 +-
 src/libstrongswan/plugins/mysql/Makefile.am        |    2 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |    8 +-
 src/libstrongswan/plugins/mysql/mysql_database.c   |   12 +-
 src/libstrongswan/plugins/mysql/mysql_database.h   |    1 +
 src/libstrongswan/plugins/nonce/Makefile.am        |    2 +-
 src/libstrongswan/plugins/nonce/Makefile.in        |    8 +-
 src/libstrongswan/plugins/ntru/Makefile.am         |    5 +-
 src/libstrongswan/plugins/ntru/Makefile.in         |    9 +-
 src/libstrongswan/plugins/openssl/Makefile.am      |    4 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |   13 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.c |   21 +-
 src/libstrongswan/plugins/openssl/openssl_rng.c    |    2 +
 src/libstrongswan/plugins/openssl/openssl_util.h   |    6 +
 src/libstrongswan/plugins/padlock/Makefile.am      |    2 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |    8 +-
 src/libstrongswan/plugins/pem/Makefile.am          |    2 +-
 src/libstrongswan/plugins/pem/Makefile.in          |    8 +-
 src/libstrongswan/plugins/pgp/Makefile.am          |    2 +-
 src/libstrongswan/plugins/pgp/Makefile.in          |    8 +-
 src/libstrongswan/plugins/pgp/pgp_builder.c        |    3 +-
 src/libstrongswan/plugins/pkcs1/Makefile.am        |    2 +-
 src/libstrongswan/plugins/pkcs1/Makefile.in        |    8 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c    |   47 +-
 src/libstrongswan/plugins/pkcs11/Makefile.am       |    2 +-
 src/libstrongswan/plugins/pkcs11/Makefile.in       |    8 +-
 src/libstrongswan/plugins/pkcs11/pkcs11_library.h  |    2 +-
 src/libstrongswan/plugins/pkcs12/Makefile.am       |    2 +-
 src/libstrongswan/plugins/pkcs12/Makefile.in       |    8 +-
 src/libstrongswan/plugins/pkcs7/Makefile.am        |    2 +-
 src/libstrongswan/plugins/pkcs7/Makefile.in        |    8 +-
 src/libstrongswan/plugins/pkcs8/Makefile.am        |    2 +-
 src/libstrongswan/plugins/pkcs8/Makefile.in        |    8 +-
 src/libstrongswan/plugins/plugin_loader.c          |    2 +
 src/libstrongswan/plugins/pubkey/Makefile.am       |    2 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |    8 +-
 src/libstrongswan/plugins/random/Makefile.am       |    2 +-
 src/libstrongswan/plugins/random/Makefile.in       |    8 +-
 src/libstrongswan/plugins/random/random_plugin.c   |    5 +
 src/libstrongswan/plugins/rc2/Makefile.am          |    2 +-
 src/libstrongswan/plugins/rc2/Makefile.in          |    8 +-
 src/libstrongswan/plugins/rdrand/Makefile.am       |    2 +-
 src/libstrongswan/plugins/rdrand/Makefile.in       |    8 +-
 src/libstrongswan/plugins/revocation/Makefile.am   |    2 +-
 src/libstrongswan/plugins/revocation/Makefile.in   |    8 +-
 src/libstrongswan/plugins/sha1/Makefile.am         |    2 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |    8 +-
 src/libstrongswan/plugins/sha1/sha1_hasher.c       |    4 +-
 src/libstrongswan/plugins/sha1/sha1_prf.c          |    3 +-
 src/libstrongswan/plugins/sha2/Makefile.am         |    2 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |    8 +-
 src/libstrongswan/plugins/soup/Makefile.am         |    2 +-
 src/libstrongswan/plugins/soup/Makefile.in         |    8 +-
 src/libstrongswan/plugins/soup/soup_fetcher.c      |   16 +-
 src/libstrongswan/plugins/sqlite/Makefile.am       |    2 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |    8 +-
 src/libstrongswan/plugins/sqlite/sqlite_database.c |   10 +-
 src/libstrongswan/plugins/sshkey/Makefile.am       |    2 +-
 src/libstrongswan/plugins/sshkey/Makefile.in       |    8 +-
 src/libstrongswan/plugins/sshkey/sshkey_builder.c  |   49 +-
 src/libstrongswan/plugins/sshkey/sshkey_builder.h  |   15 +-
 src/libstrongswan/plugins/sshkey/sshkey_plugin.c   |    4 +-
 src/libstrongswan/plugins/test_vectors/Makefile.am |    2 +-
 src/libstrongswan/plugins/test_vectors/Makefile.in |    8 +-
 src/libstrongswan/plugins/unbound/Makefile.am      |    2 +-
 src/libstrongswan/plugins/unbound/Makefile.in      |    8 +-
 src/libstrongswan/plugins/unbound/unbound_rr.c     |    4 +-
 src/libstrongswan/plugins/winhttp/Makefile.am      |   18 +
 src/libstrongswan/plugins/winhttp/Makefile.in      |  766 ++++++
 .../plugins/winhttp/winhttp_fetcher.c              |  396 +++
 .../plugins/winhttp/winhttp_fetcher.h              |   46 +
 src/libstrongswan/plugins/winhttp/winhttp_plugin.c |   74 +
 src/libstrongswan/plugins/winhttp/winhttp_plugin.h |   42 +
 src/libstrongswan/plugins/x509/Makefile.am         |    2 +-
 src/libstrongswan/plugins/x509/Makefile.in         |    8 +-
 src/libstrongswan/plugins/x509/x509_ac.c           |   25 +-
 src/libstrongswan/plugins/x509/x509_cert.c         |    5 -
 .../plugins/x509/x509_ocsp_response.c              |   25 +-
 src/libstrongswan/plugins/xcbc/Makefile.am         |    2 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |    8 +-
 src/libstrongswan/processing/processor.c           |   12 +-
 src/libstrongswan/processing/watcher.c             |  118 +-
 src/libstrongswan/selectors/traffic_selector.c     |    7 +-
 src/libstrongswan/settings/settings.c              |  944 +++++++
 src/libstrongswan/settings/settings.h              |  353 +++
 src/libstrongswan/settings/settings_lexer.c        | 2686 +++++++++++++++++++
 src/libstrongswan/settings/settings_lexer.l        |  201 ++
 src/libstrongswan/settings/settings_parser.c       | 1747 +++++++++++++
 src/libstrongswan/settings/settings_parser.h       |   79 +
 src/libstrongswan/settings/settings_parser.y       |  290 +++
 src/libstrongswan/settings/settings_types.c        |  321 +++
 src/libstrongswan/settings/settings_types.h        |  177 ++
 src/libstrongswan/tests/Makefile.am                |    3 +-
 src/libstrongswan/tests/Makefile.in                |   27 +-
 src/libstrongswan/tests/suites/test_asn1.c         |    4 +-
 src/libstrongswan/tests/suites/test_chunk.c        |   12 +-
 .../tests/suites/test_crypto_factory.c             |  312 +++
 src/libstrongswan/tests/suites/test_enum.c         |   52 +-
 src/libstrongswan/tests/suites/test_fetch_http.c   |   84 +-
 src/libstrongswan/tests/suites/test_host.c         |    4 +-
 .../tests/suites/test_identification.c             |    8 +-
 src/libstrongswan/tests/suites/test_settings.c     |  435 +++-
 src/libstrongswan/tests/suites/test_stream.c       |    3 +-
 src/libstrongswan/tests/suites/test_threading.c    |    6 +-
 src/libstrongswan/tests/suites/test_utils.c        |   82 +-
 src/libstrongswan/tests/suites/test_watcher.c      |    9 +-
 src/libstrongswan/tests/test_runner.c              |   67 +-
 src/libstrongswan/tests/test_runner.h              |    8 +-
 src/libstrongswan/tests/test_suite.c               |  232 +-
 src/libstrongswan/tests/test_suite.h               |   46 +-
 src/libstrongswan/tests/tests.c                    |   10 +-
 src/libstrongswan/tests/tests.h                    |    1 +
 src/libstrongswan/threading/thread.c               |    3 +
 src/libstrongswan/threading/windows/mutex.c        |  196 ++
 src/libstrongswan/threading/windows/rwlock.c       |  220 ++
 src/libstrongswan/threading/windows/semaphore.c    |  101 +
 src/libstrongswan/threading/windows/spinlock.c     |   79 +
 src/libstrongswan/threading/windows/thread.c       |  677 +++++
 src/libstrongswan/threading/windows/thread.h       |   74 +
 src/libstrongswan/threading/windows/thread_value.c |  178 ++
 src/libstrongswan/utils/backtrace.c                |  253 +-
 src/libstrongswan/utils/capabilities.c             |   40 +-
 src/libstrongswan/utils/chunk.c                    |   50 +-
 src/libstrongswan/utils/chunk.h                    |   11 +
 src/libstrongswan/utils/debug.h                    |    2 +-
 src/libstrongswan/utils/enum.c                     |    8 +-
 src/libstrongswan/utils/enum.h                     |   25 +-
 src/libstrongswan/utils/identification.c           |   21 +-
 src/libstrongswan/utils/leak_detective.c           |    8 +-
 src/libstrongswan/utils/optionsfrom.c              |    9 +-
 src/libstrongswan/utils/parser_helper.c            |  261 ++
 src/libstrongswan/utils/parser_helper.h            |  161 ++
 .../utils/printf_hook/printf_hook_builtin.c        |  124 +
 src/libstrongswan/utils/settings.c                 | 1520 -----------
 src/libstrongswan/utils/settings.h                 |  348 ---
 src/libstrongswan/utils/test.c                     |   71 +-
 src/libstrongswan/utils/test.h                     |   18 +-
 src/libstrongswan/utils/utils.c                    |  279 +-
 src/libstrongswan/utils/utils.h                    |  173 +-
 src/libstrongswan/utils/utils/strerror.c           |  122 +-
 src/libstrongswan/utils/utils/strerror.h           |   10 +
 src/libstrongswan/utils/windows.c                  |  641 +++++
 src/libstrongswan/utils/windows.h                  |  584 +++++
 src/libtls/Makefile.am                             |    4 +
 src/libtls/Makefile.in                             |   16 +-
 src/libtls/tests/Makefile.am                       |    2 +-
 src/libtls/tests/Makefile.in                       |    8 +-
 src/libtls/tls.c                                   |    8 +-
 src/libtls/tls_crypto.c                            |    4 +-
 src/libtls/tls_eap.c                               |  113 +-
 src/libtls/tls_eap.h                               |    4 +-
 src/libtnccs/Makefile.am                           |    6 +-
 src/libtnccs/Makefile.in                           |   56 +-
 src/libtnccs/plugins/tnc_imc/Makefile.am           |    2 +-
 src/libtnccs/plugins/tnc_imc/Makefile.in           |    8 +-
 src/libtnccs/plugins/tnc_imc/tnc_imc.c             |    6 +-
 src/libtnccs/plugins/tnc_imv/Makefile.am           |    2 +-
 src/libtnccs/plugins/tnc_imv/Makefile.in           |    8 +-
 src/libtnccs/plugins/tnc_imv/tnc_imv.c             |    2 +
 src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c     |   13 +-
 src/libtnccs/plugins/tnc_tnccs/Makefile.am         |    2 +-
 src/libtnccs/plugins/tnc_tnccs/Makefile.in         |    8 +-
 src/libtnccs/plugins/tnccs_11/Makefile.am          |    2 +-
 src/libtnccs/plugins/tnccs_11/Makefile.in          |    8 +-
 .../plugins/tnccs_11/messages/tnccs_error_msg.c    |    5 +-
 src/libtnccs/plugins/tnccs_11/messages/tnccs_msg.c |    6 +-
 src/libtnccs/plugins/tnccs_20/Makefile.am          |    2 +-
 src/libtnccs/plugins/tnccs_20/Makefile.in          |    8 +-
 src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c |   13 +-
 src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h |    3 +
 .../plugins/tnccs_20/messages/ietf/pb_pa_msg.c     |    2 +-
 .../plugins/tnccs_20/messages/ietf/pb_pa_msg.h     |    2 +
 src/libtnccs/plugins/tnccs_20/tnccs_20.c           |   38 +-
 src/libtnccs/plugins/tnccs_dynamic/Makefile.am     |    2 +-
 src/libtnccs/plugins/tnccs_dynamic/Makefile.in     |    8 +-
 src/libtnccs/tnc/tnc.c                             |    8 +-
 src/libtncif/Makefile.in                           |    6 +-
 src/manager/Makefile.am                            |    2 +-
 src/manager/Makefile.in                            |    8 +-
 src/medsrv/Makefile.am                             |    2 +-
 src/medsrv/Makefile.in                             |    8 +-
 src/pki/Makefile.in                                |    6 +-
 src/pki/command.c                                  |    2 +-
 src/pki/commands/acert.c                           |    5 +-
 src/pki/commands/gen.c                             |    2 +-
 src/pki/commands/issue.c                           |    5 +-
 src/pki/commands/keyid.c                           |    1 +
 src/pki/commands/pkcs7.c                           |    1 +
 src/pki/commands/print.c                           |    1 +
 src/pki/commands/pub.c                             |    2 +
 src/pki/commands/req.c                             |    5 +-
 src/pki/commands/self.c                            |    5 +-
 src/pki/commands/signcrl.c                         |    4 +-
 src/pki/commands/verify.c                          |  135 +-
 src/pki/man/Makefile.in                            |    6 +-
 src/pki/man/pki---verify.1.in                      |   16 +-
 src/pki/pki.c                                      |  106 +-
 src/pki/pki.h                                      |    5 +
 src/pool/Makefile.in                               |    6 +-
 src/pt-tls-client/Makefile.am                      |    2 +-
 src/pt-tls-client/Makefile.in                      |    8 +-
 src/pt-tls-client/pt-tls-client.c                  |  118 +-
 src/scepclient/Android.mk                          |   28 +
 src/scepclient/Makefile.am                         |    1 +
 src/scepclient/Makefile.in                         |    7 +-
 src/scepclient/scepclient.c                        |    2 +-
 src/starter/Android.mk                             |   12 +-
 src/starter/Makefile.am                            |   28 +-
 src/starter/Makefile.in                            |  321 ++-
 src/starter/README                                 |  101 -
 src/starter/args.c                                 |  357 +--
 src/starter/args.h                                 |   17 +-
 src/starter/confread.c                             |  999 +++----
 src/starter/confread.h                             |   43 +-
 src/starter/ipsec-parser.h                         |   55 -
 src/starter/keywords.c                             |   47 +-
 src/starter/keywords.h                             |   13 +-
 src/starter/keywords.txt                           |    1 +
 src/starter/lexer.c                                | 1992 --------------
 src/starter/lexer.l                                |  215 --
 src/starter/parser.c                               | 1870 -------------
 src/starter/parser.h                               |  106 -
 src/starter/parser.y                               |  272 --
 src/starter/parser/conf_parser.c                   |  667 +++++
 src/starter/parser/conf_parser.h                   |  122 +
 src/starter/parser/lexer.c                         | 2737 ++++++++++++++++++++
 src/starter/parser/lexer.l                         |  205 ++
 src/starter/parser/parser.c                        | 1700 ++++++++++++
 src/starter/parser/parser.h                        |   86 +
 src/starter/parser/parser.y                        |  254 ++
 src/starter/starter.c                              |   27 +
 src/starter/starterstroke.c                        |   50 +-
 src/starter/tests/Makefile.am                      |   19 +
 src/starter/tests/Makefile.in                      |  856 ++++++
 src/starter/tests/starter_tests.c                  |   43 +
 src/starter/tests/starter_tests.h                  |   16 +
 src/starter/tests/suites/test_parser.c             |  575 ++++
 src/stroke/Makefile.in                             |    6 +-
 src/stroke/stroke.c                                |  340 +--
 src/stroke/stroke_msg.h                            |    1 +
 src/swanctl/Makefile.am                            |   66 +
 src/swanctl/Makefile.in                            |  981 +++++++
 src/swanctl/command.c                              |  309 +++
 src/swanctl/command.h                              |  108 +
 src/swanctl/commands/initiate.c                    |  132 +
 src/swanctl/commands/install.c                     |  125 +
 src/swanctl/commands/list_certs.c                  |  670 +++++
 src/swanctl/commands/list_conns.c                  |  242 ++
 src/swanctl/commands/list_pols.c                   |  210 ++
 src/swanctl/commands/list_pools.c                  |  101 +
 src/swanctl/commands/list_sas.c                    |  366 +++
 src/swanctl/commands/load_conns.c                  |  419 +++
 src/swanctl/commands/load_creds.c                  |  574 ++++
 src/swanctl/commands/load_pools.c                  |  292 +++
 src/swanctl/commands/log.c                         |  101 +
 src/swanctl/commands/stats.c                       |  118 +
 src/swanctl/commands/terminate.c                   |  157 ++
 src/swanctl/commands/version.c                     |   96 +
 src/swanctl/swanctl.8.in                           |   83 +
 src/swanctl/swanctl.c                              |   57 +
 src/swanctl/swanctl.conf                           |  306 +++
 src/swanctl/swanctl.conf.5.head.in                 |   24 +
 src/swanctl/swanctl.conf.5.main                    |  957 +++++++
 src/swanctl/swanctl.conf.5.tail.in                 |   10 +
 src/swanctl/swanctl.h                              |   69 +
 src/swanctl/swanctl.opt                            |  779 ++++++
 testing/Makefile.in                                |    6 +-
 testing/config/kernel/config-3.15                  | 2083 +++++++++++++++
 testing/do-tests                                   |   96 +-
 testing/hosts/alice/etc/swanctl/rsa/aliceKey.pem   |   27 +
 testing/hosts/alice/etc/swanctl/x509/aliceCert.pem |   25 +
 .../alice/etc/swanctl/x509ca/strongswanCert.pem    |   22 +
 testing/hosts/bob/etc/swanctl/rsa/bobKey.pem       |   27 +
 testing/hosts/bob/etc/swanctl/x509/bobCert.pem     |   25 +
 .../bob/etc/swanctl/x509ca/strongswanCert.pem      |   22 +
 testing/hosts/carol/etc/swanctl/rsa/carolKey.pem   |   27 +
 testing/hosts/carol/etc/swanctl/x509/carolCert.pem |   25 +
 .../carol/etc/swanctl/x509ca/strongswanCert.pem    |   22 +
 testing/hosts/dave/etc/swanctl/rsa/daveKey.pem     |   27 +
 testing/hosts/dave/etc/swanctl/x509/daveCert.pem   |   25 +
 .../dave/etc/swanctl/x509ca/strongswanCert.pem     |   22 +
 testing/hosts/default/etc/hosts                    |    2 +-
 testing/hosts/default/etc/init.d/charon            |  156 ++
 testing/hosts/moon/etc/swanctl/rsa/moonKey.pem     |   27 +
 testing/hosts/moon/etc/swanctl/x509/moonCert.pem   |   25 +
 .../moon/etc/swanctl/x509ca/strongswanCert.pem     |   22 +
 testing/hosts/sun/etc/swanctl/rsa/sunKey.pem       |   27 +
 testing/hosts/sun/etc/swanctl/x509/sunCert.pem     |   25 +
 .../sun/etc/swanctl/x509ca/strongswanCert.pem      |   22 +
 testing/hosts/venus/etc/swanctl/rsa/venusKey.pem   |   27 +
 testing/hosts/venus/etc/swanctl/x509/venusCert.pem |   24 +
 .../venus/etc/swanctl/x509ca/strongswanCert.pem    |   22 +
 testing/hosts/winnetou/etc/openssl/index.txt       |    5 +-
 testing/hosts/winnetou/etc/openssl/index.txt.old   |    6 +-
 testing/hosts/winnetou/etc/openssl/newcerts/29.pem |   25 +
 testing/hosts/winnetou/etc/openssl/serial          |    2 +-
 testing/hosts/winnetou/etc/openssl/serial.old      |    2 +-
 testing/scripts/build-baseimage                    |    4 +-
 testing/scripts/build-guestimages                  |    9 +-
 testing/scripts/recipes/014_swid_generator.mk      |   16 +
 testing/scripts/recipes/015_strongTNC.mk           |   22 +
 testing/testing.conf                               |   12 +-
 .../hosts/moon/etc/ipsec.d/aacerts/aa.pem          |   19 +
 .../etc/ipsec.d/acerts/carol-sales-finance.pem     |   18 +
 .../moon/etc/ipsec.d/acerts/dave-marketing.pem     |   18 +
 .../moon/etc/ipsec.d/acerts/dave-sales-expired.pem |   18 +
 .../hosts/moon/etc/ipsec.d/private/aa.pem          |   27 +
 .../etc/ipsec.d/acerts/carol-finance-expired.pem   |   18 +
 .../hosts/carol/etc/ipsec.d/acerts/carol-sales.pem |   18 +
 .../hosts/moon/etc/ipsec.d/aacerts/aa.pem          |   19 +
 .../hosts/moon/etc/ipsec.d/private/aa.pem          |   27 +
 .../hosts/carol/etc/ipsec.d/acerts/carol-sales.pem |   18 +
 .../dave/etc/ipsec.d/acerts/dave-expired-aa.pem    |   18 +
 .../dave/etc/ipsec.d/acerts/dave-marketing.pem     |   18 +
 .../hosts/moon/etc/ipsec.d/aacerts/aa-expired.pem  |   19 +
 .../hosts/moon/etc/ipsec.d/aacerts/aa.pem          |   19 +
 .../hosts/moon/etc/ipsec.d/private/aa-expired.pem  |   27 +
 .../hosts/moon/etc/ipsec.d/private/aa.pem          |   27 +
 .../ikev2/shunt-policies-nat-rw/description.txt    |    7 +
 .../tests/ikev2/shunt-policies-nat-rw/evaltest.dat |   12 +
 .../hosts/alice/etc/ipsec.conf                     |   27 +
 .../hosts/alice/etc/strongswan.conf                |    7 +
 .../shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf |   20 +
 .../hosts/sun/etc/iptables.rules                   |   24 +
 .../hosts/sun/etc/strongswan.conf                  |    5 +
 .../hosts/venus/etc/ipsec.conf                     |   27 +
 .../hosts/venus/etc/strongswan.conf                |    7 +
 .../tests/ikev2/shunt-policies-nat-rw/posttest.dat |    5 +
 .../tests/ikev2/shunt-policies-nat-rw/pretest.dat  |   11 +
 .../tests/ikev2/shunt-policies-nat-rw/test.conf    |   21 +
 testing/tests/ikev2/shunt-policies/description.txt |   11 -
 testing/tests/ikev2/shunt-policies/evaltest.dat    |   16 -
 .../ikev2/shunt-policies/hosts/moon/etc/ipsec.conf |   40 -
 .../shunt-policies/hosts/moon/etc/iptables.rules   |   32 -
 .../shunt-policies/hosts/moon/etc/strongswan.conf  |    7 -
 .../ikev2/shunt-policies/hosts/sun/etc/ipsec.conf  |   22 -
 .../shunt-policies/hosts/sun/etc/strongswan.conf   |    6 -
 testing/tests/ikev2/shunt-policies/posttest.dat    |    5 -
 testing/tests/ikev2/shunt-policies/pretest.dat     |    6 -
 testing/tests/ikev2/shunt-policies/test.conf       |   21 -
 .../carol/etc/ipsec.d/certs/carolCert-002.pem      |   34 +-
 .../carol/etc/ipsec.d/private/carolKey-002.pem     |   50 +-
 .../hosts/moon/etc/ipsec.d/certs/moonCert.asc      |   15 +
 .../hosts/moon/etc/ipsec.d/certs/sunCert.asc       |   15 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.asc     |   19 +
 .../hosts/sun/etc/ipsec.d/certs/moonCert.asc       |   15 +
 .../hosts/sun/etc/ipsec.d/certs/sunCert.asc        |   15 +
 .../hosts/sun/etc/ipsec.d/private/sunKey.asc       |   19 +
 testing/tests/pfkey/compress/description.txt       |    4 +
 testing/tests/pfkey/compress/evaltest.dat          |   12 +
 .../pfkey/compress/hosts/carol/etc/ipsec.conf      |   21 +
 .../pfkey/compress/hosts/carol/etc/strongswan.conf |    5 +
 .../tests/pfkey/compress/hosts/moon/etc/ipsec.conf |   21 +
 .../pfkey/compress/hosts/moon/etc/strongswan.conf  |    5 +
 testing/tests/pfkey/compress/posttest.dat          |    4 +
 testing/tests/pfkey/compress/pretest.dat           |    6 +
 testing/tests/pfkey/compress/test.conf             |   22 +
 .../pfkey/shunt-policies-nat-rw/description.txt    |    7 +
 .../tests/pfkey/shunt-policies-nat-rw/evaltest.dat |   12 +
 .../hosts/alice/etc/ipsec.conf                     |   27 +
 .../hosts/alice/etc/strongswan.conf                |    7 +
 .../shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf |   20 +
 .../hosts/sun/etc/iptables.rules                   |   24 +
 .../hosts/sun/etc/strongswan.conf                  |    5 +
 .../hosts/venus/etc/ipsec.conf                     |   27 +
 .../hosts/venus/etc/strongswan.conf                |    7 +
 .../tests/pfkey/shunt-policies-nat-rw/posttest.dat |    5 +
 .../tests/pfkey/shunt-policies-nat-rw/pretest.dat  |   11 +
 .../tests/pfkey/shunt-policies-nat-rw/test.conf    |   21 +
 testing/tests/pfkey/shunt-policies/description.txt |   11 -
 testing/tests/pfkey/shunt-policies/evaltest.dat    |   20 -
 .../pfkey/shunt-policies/hosts/moon/etc/ipsec.conf |   40 -
 .../shunt-policies/hosts/moon/etc/iptables.rules   |   32 -
 .../shunt-policies/hosts/moon/etc/strongswan.conf  |    7 -
 .../pfkey/shunt-policies/hosts/sun/etc/ipsec.conf  |   22 -
 .../shunt-policies/hosts/sun/etc/strongswan.conf   |    6 -
 testing/tests/pfkey/shunt-policies/posttest.dat    |    5 -
 testing/tests/pfkey/shunt-policies/pretest.dat     |    6 -
 testing/tests/pfkey/shunt-policies/test.conf       |   21 -
 .../sql/shunt-policies-nat-rw/description.txt      |    7 +
 .../tests/sql/shunt-policies-nat-rw/evaltest.dat   |   12 +
 .../hosts/alice/etc/ipsec.conf                     |    3 +
 .../hosts/alice/etc/ipsec.d/data.sql               |  199 ++
 .../hosts/alice}/etc/ipsec.secrets                 |    0
 .../hosts/alice/etc/strongswan.conf                |   12 +
 .../shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf |    3 +
 .../hosts/sun/etc/ipsec.d/data.sql                 |  195 ++
 .../hosts/sun/etc/ipsec.secrets                    |    0
 .../hosts/sun/etc/iptables.rules                   |   24 +
 .../hosts/sun/etc/strongswan.conf                  |   13 +
 .../hosts/venus/etc/ipsec.conf                     |    3 +
 .../hosts/venus/etc/ipsec.d/data.sql               |  199 ++
 .../hosts/venus}/etc/ipsec.secrets                 |    0
 .../hosts/venus/etc/strongswan.conf                |   12 +
 .../tests/sql/shunt-policies-nat-rw/posttest.dat   |    8 +
 .../tests/sql/shunt-policies-nat-rw/pretest.dat    |   20 +
 testing/tests/sql/shunt-policies-nat-rw/test.conf  |   21 +
 testing/tests/sql/shunt-policies/description.txt   |   11 -
 testing/tests/sql/shunt-policies/evaltest.dat      |   20 -
 .../sql/shunt-policies/hosts/moon/etc/ipsec.conf   |    5 -
 .../shunt-policies/hosts/moon/etc/ipsec.d/data.sql |  227 --
 .../shunt-policies/hosts/moon/etc/iptables.rules   |   32 -
 .../shunt-policies/hosts/moon/etc/strongswan.conf  |   11 -
 .../sql/shunt-policies/hosts/sun/etc/ipsec.conf    |    5 -
 .../shunt-policies/hosts/sun/etc/ipsec.d/data.sql  |  152 --
 .../shunt-policies/hosts/sun/etc/strongswan.conf   |   10 -
 testing/tests/sql/shunt-policies/posttest.dat      |    6 -
 testing/tests/sql/shunt-policies/pretest.dat       |   12 -
 testing/tests/swanctl/ip-pool-db/description.txt   |   10 +
 testing/tests/swanctl/ip-pool-db/evaltest.dat      |   23 +
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |   11 +
 .../hosts/carol/etc/swanctl/swanctl.conf           |   33 +
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |   11 +
 .../ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf |   33 +
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |   21 +
 .../ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf |   31 +
 testing/tests/swanctl/ip-pool-db/posttest.dat      |   11 +
 testing/tests/swanctl/ip-pool-db/pretest.dat       |   21 +
 testing/tests/swanctl/ip-pool-db/test.conf         |   21 +
 testing/tests/swanctl/ip-pool/description.txt      |   10 +
 testing/tests/swanctl/ip-pool/evaltest.dat         |   15 +
 .../ip-pool/hosts/carol/etc/strongswan.conf        |   13 +
 .../ip-pool/hosts/carol/etc/swanctl/swanctl.conf   |   33 +
 .../swanctl/ip-pool/hosts/dave/etc/strongswan.conf |   13 +
 .../ip-pool/hosts/dave/etc/swanctl/swanctl.conf    |   33 +
 .../swanctl/ip-pool/hosts/moon/etc/strongswan.conf |   13 +
 .../ip-pool/hosts/moon/etc/swanctl/swanctl.conf    |   37 +
 testing/tests/swanctl/ip-pool/posttest.dat         |    8 +
 testing/tests/swanctl/ip-pool/pretest.dat          |   15 +
 testing/tests/swanctl/ip-pool/test.conf            |   21 +
 testing/tests/swanctl/net2net-cert/description.txt |    6 +
 testing/tests/swanctl/net2net-cert/evaltest.dat    |    5 +
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |   13 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   34 +
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |   13 +
 .../hosts/sun/etc/swanctl/swanctl.conf             |   34 +
 testing/tests/swanctl/net2net-cert/posttest.dat    |    5 +
 testing/tests/swanctl/net2net-cert/pretest.dat     |    9 +
 .../net2net-cert}/test.conf                        |    0
 .../tests/swanctl/net2net-route/description.txt    |    9 +
 testing/tests/swanctl/net2net-route/evaltest.dat   |    7 +
 .../net2net-route/hosts/moon/etc/strongswan.conf   |   13 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   34 +
 .../net2net-route/hosts/sun/etc/strongswan.conf    |   13 +
 .../hosts/sun/etc/swanctl/swanctl.conf             |   34 +
 testing/tests/swanctl/net2net-route/posttest.dat   |    5 +
 testing/tests/swanctl/net2net-route/pretest.dat    |    9 +
 .../net2net-route}/test.conf                       |    0
 .../tests/swanctl/net2net-start/description.txt    |    6 +
 testing/tests/swanctl/net2net-start/evaltest.dat   |    5 +
 .../net2net-start/hosts/moon/etc/strongswan.conf   |   13 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   34 +
 .../net2net-start/hosts/sun/etc/strongswan.conf    |   13 +
 .../hosts/sun/etc/swanctl/swanctl.conf             |   34 +
 testing/tests/swanctl/net2net-start/posttest.dat   |    5 +
 testing/tests/swanctl/net2net-start/pretest.dat    |    9 +
 .../net2net-start}/test.conf                       |    0
 testing/tests/swanctl/rw-cert/description.txt      |    6 +
 testing/tests/swanctl/rw-cert/evaltest.dat         |   10 +
 .../rw-cert/hosts/carol/etc/strongswan.conf        |   13 +
 .../rw-cert/hosts/carol/etc/swanctl/swanctl.conf   |   32 +
 .../swanctl/rw-cert/hosts/dave/etc/strongswan.conf |   13 +
 .../rw-cert/hosts/dave/etc/swanctl/swanctl.conf    |   32 +
 .../swanctl/rw-cert/hosts/moon/etc/strongswan.conf |   13 +
 .../rw-cert/hosts/moon/etc/swanctl/swanctl.conf    |   30 +
 testing/tests/swanctl/rw-cert/posttest.dat         |    8 +
 testing/tests/swanctl/rw-cert/pretest.dat          |   14 +
 testing/tests/swanctl/rw-cert/test.conf            |   21 +
 testing/tests/swanctl/rw-psk-fqdn/description.txt  |    6 +
 testing/tests/swanctl/rw-psk-fqdn/evaltest.dat     |   10 +
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |   13 +
 .../hosts/carol/etc/swanctl/swanctl.conf           |   41 +
 .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf     |   13 +
 .../hosts/dave/etc/swanctl/swanctl.conf            |   39 +
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |   13 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   41 +
 testing/tests/swanctl/rw-psk-fqdn/posttest.dat     |    8 +
 testing/tests/swanctl/rw-psk-fqdn/pretest.dat      |   17 +
 testing/tests/swanctl/rw-psk-fqdn/test.conf        |   21 +
 testing/tests/swanctl/rw-psk-ipv4/description.txt  |    6 +
 testing/tests/swanctl/rw-psk-ipv4/evaltest.dat     |   10 +
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |   13 +
 .../hosts/carol/etc/swanctl/swanctl.conf           |   40 +
 .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf     |   13 +
 .../hosts/dave/etc/swanctl/swanctl.conf            |   39 +
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |   13 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   40 +
 testing/tests/swanctl/rw-psk-ipv4/posttest.dat     |    8 +
 testing/tests/swanctl/rw-psk-ipv4/pretest.dat      |   17 +
 testing/tests/swanctl/rw-psk-ipv4/test.conf        |   21 +
 .../tnccs-11-fhh/hosts/carol/etc/strongswan.conf   |    7 +
 .../tnccs-11-fhh/hosts/dave/etc/strongswan.conf    |    7 +
 .../tnccs-11-fhh/hosts/moon/etc/strongswan.conf    |    8 +-
 .../hosts/carol/etc/strongswan.conf                |    7 +
 .../hosts/dave/etc/strongswan.conf                 |    7 +
 .../hosts/alice/etc/pts/data1.sql                  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    7 +
 .../hosts/dave/etc/strongswan.conf                 |    7 +
 .../hosts/carol/etc/strongswan.conf                |    7 +
 .../tnccs-11-radius/hosts/dave/etc/strongswan.conf |    7 +
 .../tnc/tnccs-11/hosts/carol/etc/strongswan.conf   |    7 +
 .../tnc/tnccs-11/hosts/dave/etc/strongswan.conf    |    7 +
 .../tnc/tnccs-11/hosts/moon/etc/strongswan.conf    |    8 +-
 .../tnccs-20-block/hosts/carol/etc/strongswan.conf |    7 +-
 .../tnccs-20-block/hosts/dave/etc/strongswan.conf  |    5 +-
 .../tnccs-20-block/hosts/moon/etc/strongswan.conf  |    7 +-
 .../hosts/carol/etc/strongswan.conf                |    8 +-
 .../hosts/dave/etc/strongswan.conf                 |    7 +-
 .../hosts/moon/etc/strongswan.conf                 |    7 +-
 .../tnccs-20-fhh/hosts/carol/etc/strongswan.conf   |    8 +-
 .../tnccs-20-fhh/hosts/dave/etc/strongswan.conf    |    8 +-
 .../tnccs-20-fhh/hosts/moon/etc/strongswan.conf    |    7 +-
 testing/tests/tnc/tnccs-20-os-pts/description.txt  |   22 +
 testing/tests/tnc/tnccs-20-os-pts/evaltest.dat     |   20 +
 .../tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf |   23 +
 .../tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets  |    3 +
 .../hosts/carol/etc/strongswan.conf                |   15 +
 .../tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config |    4 +
 .../tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf  |   23 +
 .../tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets   |    3 +
 .../tnccs-20-os-pts/hosts/dave/etc/strongswan.conf |   21 +
 .../tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config  |    4 +
 .../tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf  |   34 +
 .../tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets   |    6 +
 .../tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql   |   29 +
 .../tnccs-20-os-pts/hosts/moon/etc/strongswan.conf |   31 +
 .../hosts/moon/etc/tnc_config                      |    0
 testing/tests/tnc/tnccs-20-os-pts/posttest.dat     |    8 +
 testing/tests/tnc/tnccs-20-os-pts/pretest.dat      |   18 +
 testing/tests/tnc/tnccs-20-os-pts/test.conf        |   26 +
 testing/tests/tnc/tnccs-20-os/description.txt      |   13 +-
 testing/tests/tnc/tnccs-20-os/evaltest.dat         |    4 +-
 .../tnccs-20-os/hosts/carol/etc/strongswan.conf    |    8 +-
 .../tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf |    7 +-
 .../tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql   |    4 +-
 .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf |    7 +-
 testing/tests/tnc/tnccs-20-os/pretest.dat          |    2 +-
 .../description.txt                                |    0
 testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat    |   29 +
 .../alice/etc/apache2/sites-available/default      |   26 +
 .../tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf    |    9 +
 .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem      |    0
 .../hosts/alice/etc/ipsec.d/private/aaaKey.pem     |    0
 .../hosts/alice/etc/ipsec.secrets                  |    0
 .../tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql |   61 +
 .../hosts/alice/etc/strongTNC/settings.ini         |   19 +
 .../hosts/alice/etc/strongswan.conf                |   35 +
 .../hosts/alice/etc/tnc_config                     |    0
 .../tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf    |   23 +
 .../hosts/carol/etc/ipsec.secrets                  |    0
 .../hosts/carol/etc/strongswan.conf                |   18 +
 .../tnccs-20-pdp-eap/hosts/carol/etc/tnc_config    |    4 +
 .../tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf |   23 +
 .../hosts/dave/etc/ipsec.secrets                   |    0
 .../hosts/dave/etc/strongswan.conf                 |   30 +
 .../tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config |    4 +
 .../hosts/moon/etc/ipsec.conf                      |    0
 .../hosts/moon/etc/ipsec.secrets                   |    0
 .../hosts/moon/etc/iptables.rules                  |    0
 .../hosts/moon/etc/strongswan.conf                 |    0
 testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat    |    9 +
 testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat     |   21 +
 .../{tnccs-20-pdp => tnccs-20-pdp-eap}/test.conf   |    0
 .../description.txt                                |    0
 testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat |   19 +
 .../alice/etc/apache2/sites-available/default      |   26 +
 .../tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf |    9 +
 .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem      |    0
 .../hosts/alice/etc/ipsec.d/private/aaaKey.pem     |    0
 .../hosts/alice/etc/ipsec.secrets                  |    0
 .../hosts/alice/etc/iptables.rules                 |   24 +
 .../hosts/alice/etc/pts/data1.sql                  |   61 +
 .../hosts/alice/etc/strongTNC/settings.ini         |   19 +
 .../hosts/alice/etc/strongswan.conf                |   29 +
 .../hosts/alice/etc/tnc_config                     |    0
 .../hosts/carol/etc/ipsec.conf                     |    0
 .../hosts/carol/etc/ipsec.secrets                  |    0
 .../hosts/carol/etc/ipsec.sql                      |    0
 .../hosts/carol/etc/iptables.rules                 |    0
 .../hosts/carol/etc/pts/options                    |    6 +
 .../hosts/carol/etc/strongswan.conf                |    9 +
 .../hosts/carol/etc/tnc_config                     |    0
 .../hosts/dave/etc/ipsec.conf                      |    0
 .../hosts/dave/etc/ipsec.secrets                   |    0
 .../hosts/dave/etc/ipsec.sql                       |    0
 .../hosts/dave/etc/iptables.rules                  |    0
 .../tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options |    7 +
 .../hosts/dave/etc/strongswan.conf                 |   21 +
 .../hosts/dave/etc/tnc_config                      |    0
 testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat |    9 +
 testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat  |   23 +
 .../test.conf                                      |    0
 testing/tests/tnc/tnccs-20-pdp/evaltest.dat        |   22 -
 .../tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf    |    9 -
 .../tnccs-20-pdp/hosts/alice/etc/strongswan.conf   |   30 -
 .../tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config    |    4 -
 .../tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf    |   23 -
 .../tnccs-20-pdp/hosts/carol/etc/strongswan.conf   |   18 -
 .../tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config    |    4 -
 .../tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf     |   23 -
 .../tnccs-20-pdp/hosts/dave/etc/strongswan.conf    |   21 -
 .../tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config     |    4 -
 testing/tests/tnc/tnccs-20-pdp/posttest.dat        |    7 -
 testing/tests/tnc/tnccs-20-pdp/pretest.dat         |   14 -
 testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat     |   12 -
 .../tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf |    9 -
 .../tnccs-20-pt-tls/hosts/alice/etc/iptables.rules |   20 -
 .../tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql  |   61 -
 .../hosts/alice/etc/strongswan.conf                |   28 -
 .../tnccs-20-pt-tls/hosts/carol/etc/pts/options    |    5 -
 .../hosts/carol/etc/strongswan.conf                |   25 -
 .../tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options |    6 -
 .../tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf |   22 -
 testing/tests/tnc/tnccs-20-pt-tls/posttest.dat     |    8 -
 testing/tests/tnc/tnccs-20-pt-tls/pretest.dat      |   19 -
 .../tests/tnc/tnccs-20-pts-no-ecc/description.txt  |   15 +-
 testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    8 +-
 .../hosts/dave/etc/strongswan.conf                 |    7 +-
 .../hosts/moon/etc/pts/data1.sql                   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    7 +-
 testing/tests/tnc/tnccs-20-pts/description.txt     |   13 +-
 testing/tests/tnc/tnccs-20-pts/evaltest.dat        |   16 +-
 .../tnccs-20-pts/hosts/carol/etc/strongswan.conf   |    8 +-
 .../tnccs-20-pts/hosts/dave/etc/strongswan.conf    |    6 +-
 .../tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql  |    2 +-
 .../tnccs-20-pts/hosts/moon/etc/strongswan.conf    |    7 +-
 .../tnc/tnccs-20-pts/hosts/moon/etc/tnc_config     |    1 -
 .../tnc/tnccs-20-server-retry/description.txt      |    9 +-
 .../hosts/carol/etc/strongswan.conf                |    8 +-
 .../hosts/dave/etc/strongswan.conf                 |    7 +-
 .../hosts/moon/etc/strongswan.conf                 |    7 +-
 testing/tests/tnc/tnccs-20-tls/description.txt     |    9 +-
 .../tnccs-20-tls/hosts/carol/etc/strongswan.conf   |    8 +-
 .../tnccs-20-tls/hosts/dave/etc/strongswan.conf    |    8 +-
 .../tnccs-20-tls/hosts/moon/etc/strongswan.conf    |   17 +-
 .../tnc/tnccs-20/hosts/carol/etc/strongswan.conf   |    8 +-
 .../tnc/tnccs-20/hosts/dave/etc/strongswan.conf    |    7 +-
 .../tnc/tnccs-20/hosts/moon/etc/strongswan.conf    |    7 +-
 testing/tests/tnc/tnccs-dynamic/description.txt    |    1 +
 .../tnccs-dynamic/hosts/carol/etc/strongswan.conf  |    5 +
 .../tnccs-dynamic/hosts/dave/etc/strongswan.conf   |    5 +
 .../tnccs-dynamic/hosts/moon/etc/strongswan.conf   |    1 +
 1302 files changed, 74032 insertions(+), 22840 deletions(-)

diff --git a/Android.common.mk b/Android.common.mk
index 9f49831..490f810 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.1.3"
+strongswan_VERSION := "5.2.0"
 
diff --git a/Android.mk b/Android.mk
index 6ad220b..7b8bc8f 100644
--- a/Android.mk
+++ b/Android.mk
@@ -60,6 +60,7 @@ strongswan_CFLAGS := \
 	-DHAVE_ALLOCA_H \
 	-DHAVE_ALLOCA \
 	-DHAVE_CLOCK_GETTIME \
+	-DHAVE_DLADDR \
 	-DHAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC \
 	-DHAVE_PRCTL \
 	-DHAVE_LINUX_UDP_H \
diff --git a/Doxyfile.in b/Doxyfile.in
index af172e3..8adf83c 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -1,110 +1,121 @@
-# Doxyfile 1.8.1.2
+# Doxyfile 1.8.6
 
 # This file describes the settings to be used by the documentation system
 # doxygen (www.doxygen.org) for a project.
 #
-# All text after a hash (#) is considered a comment and will be ignored.
+# All text after a double hash (##) is considered a comment and is placed in
+# front of the TAG it is preceding.
+#
+# All text after a single hash (#) is considered a comment and will be ignored.
 # The format is:
-#       TAG = value [value, ...]
-# For lists items can also be appended using:
-#       TAG += value [value, ...]
-# Values that contain spaces should be placed between quotes (" ").
+# TAG = value [value, ...]
+# For lists, items can also be appended using:
+# TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (\" \").
 
 #---------------------------------------------------------------------------
 # Project related configuration options
 #---------------------------------------------------------------------------
 
 # This tag specifies the encoding used for all characters in the config file
-# that follow. The default is UTF-8 which is also the encoding used for all
-# text before the first occurrence of this tag. Doxygen uses libiconv (or the
-# iconv built into libc) for the transcoding. See
-# http://www.gnu.org/software/libiconv for the list of possible encodings.
+# that follow. The default is UTF-8 which is also the encoding used for all text
+# before the first occurrence of this tag. Doxygen uses libiconv (or the iconv
+# built into libc) for the transcoding. See http://www.gnu.org/software/libiconv
+# for the list of possible encodings.
+# The default value is: UTF-8.
 
 DOXYFILE_ENCODING      = UTF-8
 
-# The PROJECT_NAME tag is a single word (or sequence of words) that should
-# identify the project. Note that if you do not use Doxywizard you need
-# to put quotes around the project name if it contains spaces.
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded by
+# double-quotes, unless you are using Doxywizard) that should identify the
+# project for which the documentation is generated. This name is used in the
+# title of most generated pages and in a few other places.
+# The default value is: My Project.
 
 PROJECT_NAME           = "@PACKAGE_NAME@"
 
-# The PROJECT_NUMBER tag can be used to enter a project or revision number.
-# This could be handy for archiving the generated documentation or
-# if some version control system is used.
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. This
+# could be handy for archiving the generated documentation or if some version
+# control system is used.
 
 PROJECT_NUMBER         = "@PACKAGE_VERSION@"
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
-# for a project that appears at the top of each page and should give viewer
-# a quick idea about the purpose of the project. Keep the description short.
+# for a project that appears at the top of each page and should give viewer a
+# quick idea about the purpose of the project. Keep the description short.
 
 PROJECT_BRIEF          =
 
-# With the PROJECT_LOGO tag one can specify an logo or icon that is
-# included in the documentation. The maximum height of the logo should not
-# exceed 55 pixels and the maximum width should not exceed 200 pixels.
-# Doxygen will copy the logo to the output directory.
+# With the PROJECT_LOGO tag one can specify an logo or icon that is included in
+# the documentation. The maximum height of the logo should not exceed 55 pixels
+# and the maximum width should not exceed 200 pixels. Doxygen will copy the logo
+# to the output directory.
 
 PROJECT_LOGO           =
 
-# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
-# base path where the generated documentation will be put.
-# If a relative path is entered, it will be relative to the location
-# where doxygen was started. If left blank the current directory will be used.
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path
+# into which the generated documentation will be written. If a relative path is
+# entered, it will be relative to the location where doxygen was started. If
+# left blank the current directory will be used.
 
 OUTPUT_DIRECTORY       = apidoc
 
-# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create
-# 4096 sub-directories (in 2 levels) under the output directory of each output
-# format and will distribute the generated files over these directories.
-# Enabling this option can be useful when feeding doxygen a huge amount of
-# source files, where putting all generated files in the same directory would
-# otherwise cause performance problems for the file system.
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub-
+# directories (in 2 levels) under the output directory of each output format and
+# will distribute the generated files over these directories. Enabling this
+# option can be useful when feeding doxygen a huge amount of source files, where
+# putting all generated files in the same directory would otherwise causes
+# performance problems for the file system.
+# The default value is: NO.
 
 CREATE_SUBDIRS         = NO
 
 # The OUTPUT_LANGUAGE tag is used to specify the language in which all
 # documentation generated by doxygen is written. Doxygen will use this
 # information to generate all constant output in the proper language.
-# The default language is English, other supported languages are:
-# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional,
-# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German,
-# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English
-# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian,
-# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrillic, Slovak,
-# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese.
+# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese,
+# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States),
+# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian,
+# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages),
+# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian,
+# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian,
+# Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish,
+# Ukrainian and Vietnamese.
+# The default value is: English.
 
 OUTPUT_LANGUAGE        = English
 
-# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will
-# include brief member descriptions after the members that are listed in
-# the file and class documentation (similar to JavaDoc).
-# Set to NO to disable this.
+# If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member
+# descriptions after the members that are listed in the file and class
+# documentation (similar to Javadoc). Set to NO to disable this.
+# The default value is: YES.
 
 BRIEF_MEMBER_DESC      = YES
 
-# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend
-# the brief description of a member or function before the detailed description.
-# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
+# If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief
+# description of a member or function before the detailed description
+#
+# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
 # brief descriptions will be completely suppressed.
+# The default value is: YES.
 
 REPEAT_BRIEF           = YES
 
-# This tag implements a quasi-intelligent brief description abbreviator
-# that is used to form the text in various listings. Each string
-# in this list, if found as the leading text of the brief description, will be
-# stripped from the text and the result after processing the whole list, is
-# used as the annotated text. Otherwise, the brief description is used as-is.
-# If left blank, the following values are used ("$name" is automatically
-# replaced with the name of the entity): "The $name class" "The $name widget"
-# "The $name file" "is" "provides" "specifies" "contains"
-# "represents" "a" "an" "the"
+# This tag implements a quasi-intelligent brief description abbreviator that is
+# used to form the text in various listings. Each string in this list, if found
+# as the leading text of the brief description, will be stripped from the text
+# and the result, after processing the whole list, is used as the annotated
+# text. Otherwise, the brief description is used as-is. If left blank, the
+# following values are used ($name is automatically replaced with the name of
+# the entity):The $name class, The $name widget, The $name file, is, provides,
+# specifies, contains, represents, a, an and the.
 
 ABBREVIATE_BRIEF       =
 
 # If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
-# Doxygen will generate a detailed section even if there is only a brief
+# doxygen will generate a detailed section even if there is only a brief
 # description.
+# The default value is: NO.
 
 ALWAYS_DETAILED_SEC    = NO
 
@@ -112,169 +123,204 @@ ALWAYS_DETAILED_SEC    = NO
 # inherited members of a class in the documentation of that class as if those
 # members were ordinary class members. Constructors, destructors and assignment
 # operators of the base classes will not be shown.
+# The default value is: NO.
 
 INLINE_INHERITED_MEMB  = NO
 
-# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full
-# path before files name in the file list and in the header files. If set
-# to NO the shortest path that makes the file name unique will be used.
+# If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path
+# before files name in the file list and in the header files. If set to NO the
+# shortest path that makes the file name unique will be used
+# The default value is: YES.
 
 FULL_PATH_NAMES        = YES
 
-# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag
-# can be used to strip a user-defined part of the path. Stripping is
-# only done if one of the specified strings matches the left-hand part of
-# the path. The tag can be used to show relative paths in the file list.
-# If left blank the directory from which doxygen is run is used as the
-# path to strip.
+# The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path.
+# Stripping is only done if one of the specified strings matches the left-hand
+# part of the path. The tag can be used to show relative paths in the file list.
+# If left blank the directory from which doxygen is run is used as the path to
+# strip.
+#
+# Note that you can specify absolute paths here, but also relative paths, which
+# will be relative from the directory where doxygen is started.
+# This tag requires that the tag FULL_PATH_NAMES is set to YES.
 
 STRIP_FROM_PATH        =
 
-# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of
-# the path mentioned in the documentation of a class, which tells
-# the reader which header file to include in order to use a class.
-# If left blank only the name of the header file containing the class
-# definition is used. Otherwise one should specify the include paths that
-# are normally passed to the compiler using the -I flag.
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the
+# path mentioned in the documentation of a class, which tells the reader which
+# header file to include in order to use a class. If left blank only the name of
+# the header file containing the class definition is used. Otherwise one should
+# specify the list of include paths that are normally passed to the compiler
+# using the -I flag.
 
 STRIP_FROM_INC_PATH    =
 
-# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter
-# (but less readable) file names. This can be useful if your file system
-# doesn't support long names like on DOS, Mac, or CD-ROM.
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but
+# less readable) file names. This can be useful is your file systems doesn't
+# support long names like on DOS, Mac, or CD-ROM.
+# The default value is: NO.
 
 SHORT_NAMES            = NO
 
-# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen
-# will interpret the first line (until the first dot) of a JavaDoc-style
-# comment as the brief description. If set to NO, the JavaDoc
-# comments will behave just like regular Qt-style comments
-# (thus requiring an explicit @brief command for a brief description.)
+# If the JAVADOC_AUTOBRIEF tag is set to YES then doxygen will interpret the
+# first line (until the first dot) of a Javadoc-style comment as the brief
+# description. If set to NO, the Javadoc-style will behave just like regular Qt-
+# style comments (thus requiring an explicit @brief command for a brief
+# description.)
+# The default value is: NO.
 
 JAVADOC_AUTOBRIEF      = YES
 
-# If the QT_AUTOBRIEF tag is set to YES then Doxygen will
-# interpret the first line (until the first dot) of a Qt-style
-# comment as the brief description. If set to NO, the comments
-# will behave just like regular Qt-style comments (thus requiring
-# an explicit \brief command for a brief description.)
+# If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first
+# line (until the first dot) of a Qt-style comment as the brief description. If
+# set to NO, the Qt-style will behave just like regular Qt-style comments (thus
+# requiring an explicit \brief command for a brief description.)
+# The default value is: NO.
 
 QT_AUTOBRIEF           = NO
 
-# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen
-# treat a multi-line C++ special comment block (i.e. a block of //! or ///
-# comments) as a brief description. This used to be the default behaviour.
-# The new default is to treat a multi-line C++ comment block as a detailed
-# description. Set this tag to YES if you prefer the old behaviour instead.
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make doxygen treat a
+# multi-line C++ special comment block (i.e. a block of //! or /// comments) as
+# a brief description. This used to be the default behavior. The new default is
+# to treat a multi-line C++ comment block as a detailed description. Set this
+# tag to YES if you prefer the old behavior instead.
+#
+# Note that setting this tag to YES also means that rational rose comments are
+# not recognized any more.
+# The default value is: NO.
 
 MULTILINE_CPP_IS_BRIEF = NO
 
-# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented
-# member inherits the documentation from any documented member that it
-# re-implements.
+# If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the
+# documentation from any documented member that it re-implements.
+# The default value is: YES.
 
 INHERIT_DOCS           = YES
 
-# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce
-# a new page for each member. If set to NO, the documentation of a member will
-# be part of the file/class/namespace that contains it.
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a
+# new page for each member. If set to NO, the documentation of a member will be
+# part of the file/class/namespace that contains it.
+# The default value is: NO.
 
 SEPARATE_MEMBER_PAGES  = NO
 
-# The TAB_SIZE tag can be used to set the number of spaces in a tab.
-# Doxygen uses this value to replace tabs by spaces in code fragments.
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen
+# uses this value to replace tabs by spaces in code fragments.
+# Minimum value: 1, maximum value: 16, default value: 4.
 
 TAB_SIZE               = 4
 
-# This tag can be used to specify a number of aliases that acts
-# as commands in the documentation. An alias has the form "name=value".
-# For example adding "sideeffect=\par Side Effects:\n" will allow you to
-# put the command \sideeffect (or @sideeffect) in the documentation, which
-# will result in a user-defined paragraph with heading "Side Effects:".
-# You can put \n's in the value part of an alias to insert newlines.
+# This tag can be used to specify a number of aliases that act as commands in
+# the documentation. An alias has the form:
+# name=value
+# For example adding
+# "sideeffect=@par Side Effects:\n"
+# will allow you to put the command \sideeffect (or @sideeffect) in the
+# documentation, which will result in a user-defined paragraph with heading
+# "Side Effects:". You can put \n's in the value part of an alias to insert
+# newlines.
 
 ALIASES                =
 
 # This tag can be used to specify a number of word-keyword mappings (TCL only).
-# A mapping has the form "name=value". For example adding
-# "class=itcl::class" will allow you to use the command class in the
-# itcl::class meaning.
+# A mapping has the form "name=value". For example adding "class=itcl::class"
+# will allow you to use the command class in the itcl::class meaning.
 
 TCL_SUBST              =
 
-# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C
-# sources only. Doxygen will then generate output that is more tailored for C.
-# For instance, some of the names that are used will be different. The list
-# of all members will be omitted, etc.
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
+# only. Doxygen will then generate output that is more tailored for C. For
+# instance, some of the names that are used will be different. The list of all
+# members will be omitted, etc.
+# The default value is: NO.
 
 OPTIMIZE_OUTPUT_FOR_C  = NO
 
-# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java
-# sources only. Doxygen will then generate output that is more tailored for
-# Java. For instance, namespaces will be presented as packages, qualified
-# scopes will look different, etc.
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or
+# Python sources only. Doxygen will then generate output that is more tailored
+# for that language. For instance, namespaces will be presented as packages,
+# qualified scopes will look different, etc.
+# The default value is: NO.
 
 OPTIMIZE_OUTPUT_JAVA   = NO
 
 # Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran
-# sources only. Doxygen will then generate output that is more tailored for
-# Fortran.
+# sources. Doxygen will then generate output that is tailored for Fortran.
+# The default value is: NO.
 
 OPTIMIZE_FOR_FORTRAN   = NO
 
 # Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL
-# sources. Doxygen will then generate output that is tailored for
-# VHDL.
+# sources. Doxygen will then generate output that is tailored for VHDL.
+# The default value is: NO.
 
 OPTIMIZE_OUTPUT_VHDL   = NO
 
 # Doxygen selects the parser to use depending on the extension of the files it
-# parses. With this tag you can assign which parser to use for a given extension.
-# Doxygen has a built-in mapping, but you can override or extend it using this
-# tag. The format is ext=language, where ext is a file extension, and language
-# is one of the parsers supported by doxygen: IDL, Java, Javascript, CSharp, C,
-# C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, C++. For instance to make
+# parses. With this tag you can assign which parser to use for a given
+# extension. Doxygen has a built-in mapping, but you can override or extend it
+# using this tag. The format is ext=language, where ext is a file extension, and
+# language is one of the parsers supported by doxygen: IDL, Java, Javascript,
+# C#, C, C++, D, PHP, Objective-C, Python, Fortran, VHDL. For instance to make
 # doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
-# (default is Fortran), use: inc=Fortran f=C. Note that for custom extensions
-# you also need to set FILE_PATTERNS otherwise the files are not read by doxygen.
+# (default is Fortran), use: inc=Fortran f=C.
+#
+# Note For files without extension you can use no_extension as a placeholder.
+#
+# Note that for custom extensions you also need to set FILE_PATTERNS otherwise
+# the files are not read by doxygen.
 
 EXTENSION_MAPPING      =
 
-# If MARKDOWN_SUPPORT is enabled (the default) then doxygen pre-processes all
-# comments according to the Markdown format, which allows for more readable
+# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
+# according to the Markdown format, which allows for more readable
 # documentation. See http://daringfireball.net/projects/markdown/ for details.
-# The output of markdown processing is further processed by doxygen, so you
-# can mix doxygen, HTML, and XML commands with Markdown formatting.
-# Disable only in case of backward compatibilities issues.
+# The output of markdown processing is further processed by doxygen, so you can
+# mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in
+# case of backward compatibilities issues.
+# The default value is: YES.
 
 MARKDOWN_SUPPORT       = YES
 
+# When enabled doxygen tries to link words that correspond to documented
+# classes, or namespaces to their corresponding documentation. Such a link can
+# be prevented in individual cases by by putting a % sign in front of the word
+# or globally by setting AUTOLINK_SUPPORT to NO.
+# The default value is: YES.
+
+AUTOLINK_SUPPORT       = YES
+
 # If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
-# to include (a tag file for) the STL sources as input, then you should
-# set this tag to YES in order to let doxygen match functions declarations and
-# definitions whose arguments contain STL classes (e.g. func(std::string); v.s.
-# func(std::string) {}). This also makes the inheritance and collaboration
+# to include (a tag file for) the STL sources as input, then you should set this
+# tag to YES in order to let doxygen match functions declarations and
+# definitions whose arguments contain STL classes (e.g. func(std::string);
+# versus func(std::string) {}). This also make the inheritance and collaboration
 # diagrams that involve STL classes more complete and accurate.
+# The default value is: NO.
 
 BUILTIN_STL_SUPPORT    = NO
 
 # If you use Microsoft's C++/CLI language, you should set this option to YES to
 # enable parsing support.
+# The default value is: NO.
 
 CPP_CLI_SUPPORT        = NO
 
-# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only.
-# Doxygen will parse them like normal C++ but will assume all classes use public
-# instead of private inheritance when no explicit protection keyword is present.
+# Set the SIP_SUPPORT tag to YES if your project consists of sip (see:
+# http://www.riverbankcomputing.co.uk/software/sip/intro) sources only. Doxygen
+# will parse them like normal C++ but will assume all classes use public instead
+# of private inheritance when no explicit protection keyword is present.
+# The default value is: NO.
 
 SIP_SUPPORT            = NO
 
-# For Microsoft's IDL there are propget and propput attributes to indicate getter
-# and setter methods for a property. Setting this option to YES (the default)
-# will make doxygen replace the get and set methods by a property in the
-# documentation. This will only work if the methods are indeed getting or
-# setting a simple type. If this is not the case, or you want to show the
-# methods anyway, you should set this option to NO.
+# For Microsoft's IDL there are propget and propput attributes to indicate
+# getter and setter methods for a property. Setting this option to YES will make
+# doxygen to replace the get and set methods by a property in the documentation.
+# This will only work if the methods are indeed getting or setting a simple
+# type. If this is not the case, or you want to show the methods anyway, you
+# should set this option to NO.
+# The default value is: YES.
 
 IDL_PROPERTY_SUPPORT   = YES
 
@@ -282,67 +328,61 @@ IDL_PROPERTY_SUPPORT   = YES
 # tag is set to YES, then doxygen will reuse the documentation of the first
 # member in the group (if any) for the other members of the group. By default
 # all members of a group must be documented explicitly.
+# The default value is: NO.
 
 DISTRIBUTE_GROUP_DOC   = NO
 
-# Set the SUBGROUPING tag to YES (the default) to allow class member groups of
-# the same type (for instance a group of public functions) to be put as a
-# subgroup of that type (e.g. under the Public Functions section). Set it to
-# NO to prevent subgrouping. Alternatively, this can be done per class using
-# the \nosubgrouping command.
+# Set the SUBGROUPING tag to YES to allow class member groups of the same type
+# (for instance a group of public functions) to be put as a subgroup of that
+# type (e.g. under the Public Functions section). Set it to NO to prevent
+# subgrouping. Alternatively, this can be done per class using the
+# \nosubgrouping command.
+# The default value is: YES.
 
 SUBGROUPING            = YES
 
-# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and
-# unions are shown inside the group in which they are included (e.g. using
-# @ingroup) instead of on a separate page (for HTML and Man pages) or
-# section (for LaTeX and RTF).
+# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions
+# are shown inside the group in which they are included (e.g. using \ingroup)
+# instead of on a separate page (for HTML and Man pages) or section (for LaTeX
+# and RTF).
+#
+# Note that this feature does not work in combination with
+# SEPARATE_MEMBER_PAGES.
+# The default value is: NO.
 
 INLINE_GROUPED_CLASSES = NO
 
-# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and
-# unions with only public data fields will be shown inline in the documentation
-# of the scope in which they are defined (i.e. file, namespace, or group
-# documentation), provided this scope is documented. If set to NO (the default),
-# structs, classes, and unions are shown on a separate page (for HTML and Man
-# pages) or section (for LaTeX and RTF).
+# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions
+# with only public data fields or simple typedef fields will be shown inline in
+# the documentation of the scope in which they are defined (i.e. file,
+# namespace, or group documentation), provided this scope is documented. If set
+# to NO, structs, classes, and unions are shown on a separate page (for HTML and
+# Man pages) or section (for LaTeX and RTF).
+# The default value is: NO.
 
 INLINE_SIMPLE_STRUCTS  = NO
 
-# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum
-# is documented as struct, union, or enum with the name of the typedef. So
+# When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or
+# enum is documented as struct, union, or enum with the name of the typedef. So
 # typedef struct TypeS {} TypeT, will appear in the documentation as a struct
 # with name TypeT. When disabled the typedef will appear as a member of a file,
-# namespace, or class. And the struct will be named TypeS. This can typically
-# be useful for C code in case the coding convention dictates that all compound
+# namespace, or class. And the struct will be named TypeS. This can typically be
+# useful for C code in case the coding convention dictates that all compound
 # types are typedef'ed and only the typedef is referenced, never the tag name.
+# The default value is: NO.
 
 TYPEDEF_HIDES_STRUCT   = YES
 
-# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to
-# determine which symbols to keep in memory and which to flush to disk.
-# When the cache is full, less often used symbols will be written to disk.
-# For small to medium size projects (<1000 input files) the default value is
-# probably good enough. For larger projects a too small cache size can cause
-# doxygen to be busy swapping symbols to and from disk most of the time
-# causing a significant performance penalty.
-# If the system has enough physical memory increasing the cache will improve the
-# performance by keeping more symbols in memory. Note that the value works on
-# a logarithmic scale so increasing the size by one will roughly double the
-# memory usage. The cache size is given by this formula:
-# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0,
-# corresponding to a cache size of 2^16 = 65536 symbols.
-
-SYMBOL_CACHE_SIZE      = 0
-
-# Similar to the SYMBOL_CACHE_SIZE the size of the symbol lookup cache can be
-# set using LOOKUP_CACHE_SIZE. This cache is used to resolve symbols given
-# their name and scope. Since this can be an expensive process and often the
-# same symbol appear multiple times in the code, doxygen keeps a cache of
-# pre-resolved symbols. If the cache is too small doxygen will become slower.
-# If the cache is too large, memory is wasted. The cache size is given by this
-# formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range is 0..9, the default is 0,
-# corresponding to a cache size of 2^16 = 65536 symbols.
+# The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. This
+# cache is used to resolve symbols given their name and scope. Since this can be
+# an expensive process and often the same symbol appears multiple times in the
+# code, doxygen keeps a cache of pre-resolved symbols. If the cache is too small
+# doxygen will become slower. If the cache is too large, memory is wasted. The
+# cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range
+# is 0..9, the default is 0, corresponding to a cache size of 2^16=65536
+# symbols. At the end of a run doxygen will report the cache usage and suggest
+# the optimal cache size from a speed point of view.
+# Minimum value: 0, maximum value: 9, default value: 0.
 
 LOOKUP_CACHE_SIZE      = 0
 
@@ -351,339 +391,390 @@ LOOKUP_CACHE_SIZE      = 0
 #---------------------------------------------------------------------------
 
 # If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
-# documentation are documented, even if no documentation was available.
-# Private class members and static file members will be hidden unless
-# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+# documentation are documented, even if no documentation was available. Private
+# class members and static file members will be hidden unless the
+# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
+# Note: This will also disable the warnings about undocumented members that are
+# normally produced when WARNINGS is set to YES.
+# The default value is: NO.
 
 EXTRACT_ALL            = NO
 
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class
-# will be included in the documentation.
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class will
+# be included in the documentation.
+# The default value is: NO.
 
 EXTRACT_PRIVATE        = NO
 
-# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal scope will be included in the documentation.
+# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal
+# scope will be included in the documentation.
+# The default value is: NO.
 
 EXTRACT_PACKAGE        = NO
 
-# If the EXTRACT_STATIC tag is set to YES all static members of a file
-# will be included in the documentation.
+# If the EXTRACT_STATIC tag is set to YES all static members of a file will be
+# included in the documentation.
+# The default value is: NO.
 
 EXTRACT_STATIC         = NO
 
-# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs)
-# defined locally in source files will be included in the documentation.
-# If set to NO only classes defined in header files are included.
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined
+# locally in source files will be included in the documentation. If set to NO
+# only classes defined in header files are included. Does not have any effect
+# for Java sources.
+# The default value is: YES.
 
 EXTRACT_LOCAL_CLASSES  = NO
 
-# This flag is only useful for Objective-C code. When set to YES local
-# methods, which are defined in the implementation section but not in
-# the interface are included in the documentation.
-# If set to NO (the default) only methods in the interface are included.
+# This flag is only useful for Objective-C code. When set to YES local methods,
+# which are defined in the implementation section but not in the interface are
+# included in the documentation. If set to NO only methods in the interface are
+# included.
+# The default value is: NO.
 
 EXTRACT_LOCAL_METHODS  = NO
 
 # If this flag is set to YES, the members of anonymous namespaces will be
 # extracted and appear in the documentation as a namespace called
-# 'anonymous_namespace{file}', where file will be replaced with the base
-# name of the file that contains the anonymous namespace. By default
-# anonymous namespaces are hidden.
+# 'anonymous_namespace{file}', where file will be replaced with the base name of
+# the file that contains the anonymous namespace. By default anonymous namespace
+# are hidden.
+# The default value is: NO.
 
 EXTRACT_ANON_NSPACES   = NO
 
-# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all
-# undocumented members of documented classes, files or namespaces.
-# If set to NO (the default) these members will be included in the
-# various overviews, but no documentation section is generated.
-# This option has no effect if EXTRACT_ALL is enabled.
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all
+# undocumented members inside documented classes or files. If set to NO these
+# members will be included in the various overviews, but no documentation
+# section is generated. This option has no effect if EXTRACT_ALL is enabled.
+# The default value is: NO.
 
 HIDE_UNDOC_MEMBERS     = NO
 
-# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all
-# undocumented classes that are normally visible in the class hierarchy.
-# If set to NO (the default) these classes will be included in the various
-# overviews. This option has no effect if EXTRACT_ALL is enabled.
+# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy. If set
+# to NO these classes will be included in the various overviews. This option has
+# no effect if EXTRACT_ALL is enabled.
+# The default value is: NO.
 
 HIDE_UNDOC_CLASSES     = NO
 
-# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all
-# friend (class|struct|union) declarations.
-# If set to NO (the default) these declarations will be included in the
-# documentation.
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
+# (class|struct|union) declarations. If set to NO these declarations will be
+# included in the documentation.
+# The default value is: NO.
 
 HIDE_FRIEND_COMPOUNDS  = NO
 
-# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any
-# documentation blocks found inside the body of a function.
-# If set to NO (the default) these blocks will be appended to the
-# function's detailed documentation block.
+# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
+# documentation blocks found inside the body of a function. If set to NO these
+# blocks will be appended to the function's detailed documentation block.
+# The default value is: NO.
 
 HIDE_IN_BODY_DOCS      = NO
 
-# The INTERNAL_DOCS tag determines if documentation
-# that is typed after a \internal command is included. If the tag is set
-# to NO (the default) then the documentation will be excluded.
-# Set it to YES to include the internal documentation.
+# The INTERNAL_DOCS tag determines if documentation that is typed after a
+# \internal command is included. If the tag is set to NO then the documentation
+# will be excluded. Set it to YES to include the internal documentation.
+# The default value is: NO.
 
 INTERNAL_DOCS          = NO
 
-# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate
-# file names in lower-case letters. If set to YES upper-case letters are also
+# If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
+# names in lower-case letters. If set to YES upper-case letters are also
 # allowed. This is useful if you have classes or files whose names only differ
 # in case and if your file system supports case sensitive file names. Windows
 # and Mac users are advised to set this option to NO.
+# The default value is: system dependent.
 
 CASE_SENSE_NAMES       = YES
 
-# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen
-# will show members with their full class and namespace scopes in the
-# documentation. If set to YES the scope will be hidden.
+# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
+# their full class and namespace scopes in the documentation. If set to YES the
+# scope will be hidden.
+# The default value is: NO.
 
 HIDE_SCOPE_NAMES       = NO
 
-# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen
-# will put a list of the files that are included by a file in the documentation
-# of that file.
+# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
+# the files that are included by a file in the documentation of that file.
+# The default value is: YES.
 
 SHOW_INCLUDE_FILES     = NO
 
-# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen
-# will list include files with double quotes in the documentation
-# rather than with sharp brackets.
+# If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each
+# grouped member an include statement to the documentation, telling the reader
+# which file to include in order to use the member.
+# The default value is: NO.
+
+SHOW_GROUPED_MEMB_INC  = NO
+
+# If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include
+# files with double quotes in the documentation rather than with sharp brackets.
+# The default value is: NO.
 
 FORCE_LOCAL_INCLUDES   = NO
 
-# If the INLINE_INFO tag is set to YES (the default) then a tag [inline]
-# is inserted in the documentation for inline members.
+# If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the
+# documentation for inline members.
+# The default value is: YES.
 
 INLINE_INFO            = YES
 
-# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen
-# will sort the (detailed) documentation of file and class members
-# alphabetically by member name. If set to NO the members will appear in
-# declaration order.
+# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
+# (detailed) documentation of file and class members alphabetically by member
+# name. If set to NO the members will appear in declaration order.
+# The default value is: YES.
 
 SORT_MEMBER_DOCS       = NO
 
-# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the
-# brief documentation of file, namespace and class members alphabetically
-# by member name. If set to NO (the default) the members will appear in
-# declaration order.
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
+# descriptions of file, namespace and class members alphabetically by member
+# name. If set to NO the members will appear in declaration order. Note that
+# this will also influence the order of the classes in the class list.
+# The default value is: NO.
 
 SORT_BRIEF_DOCS        = NO
 
-# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen
-# will sort the (brief and detailed) documentation of class members so that
-# constructors and destructors are listed first. If set to NO (the default)
-# the constructors will appear in the respective orders defined by
-# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS.
-# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO
-# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO.
+# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the
+# (brief and detailed) documentation of class members so that constructors and
+# destructors are listed first. If set to NO the constructors will appear in the
+# respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS.
+# Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief
+# member documentation.
+# Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting
+# detailed member documentation.
+# The default value is: NO.
 
 SORT_MEMBERS_CTORS_1ST = NO
 
-# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the
-# hierarchy of group names into alphabetical order. If set to NO (the default)
-# the group names will appear in their defined order.
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the hierarchy
+# of group names into alphabetical order. If set to NO the group names will
+# appear in their defined order.
+# The default value is: NO.
 
 SORT_GROUP_NAMES       = YES
 
-# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be
-# sorted by fully-qualified names, including namespaces. If set to
-# NO (the default), the class list will be sorted only by class name,
-# not including the namespace part.
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by
+# fully-qualified names, including namespaces. If set to NO, the class list will
+# be sorted only by class name, not including the namespace part.
 # Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
-# Note: This option applies only to the class list, not to the
-# alphabetical list.
+# Note: This option applies only to the class list, not to the alphabetical
+# list.
+# The default value is: NO.
 
 SORT_BY_SCOPE_NAME     = NO
 
-# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to
-# do proper type resolution of all parameters of a function it will reject a
-# match between the prototype and the implementation of a member function even
-# if there is only one candidate or it is obvious which candidate to choose
-# by doing a simple string match. By disabling STRICT_PROTO_MATCHING doxygen
-# will still accept a match between prototype and implementation in such cases.
+# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper
+# type resolution of all parameters of a function it will reject a match between
+# the prototype and the implementation of a member function even if there is
+# only one candidate or it is obvious which candidate to choose by doing a
+# simple string match. By disabling STRICT_PROTO_MATCHING doxygen will still
+# accept a match between prototype and implementation in such cases.
+# The default value is: NO.
 
 STRICT_PROTO_MATCHING  = NO
 
-# The GENERATE_TODOLIST tag can be used to enable (YES) or
-# disable (NO) the todo list. This list is created by putting \todo
-# commands in the documentation.
+# The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the
+# todo list. This list is created by putting \todo commands in the
+# documentation.
+# The default value is: YES.
 
 GENERATE_TODOLIST      = NO
 
-# The GENERATE_TESTLIST tag can be used to enable (YES) or
-# disable (NO) the test list. This list is created by putting \test
-# commands in the documentation.
+# The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the
+# test list. This list is created by putting \test commands in the
+# documentation.
+# The default value is: YES.
 
 GENERATE_TESTLIST      = NO
 
-# The GENERATE_BUGLIST tag can be used to enable (YES) or
-# disable (NO) the bug list. This list is created by putting \bug
-# commands in the documentation.
+# The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug
+# list. This list is created by putting \bug commands in the documentation.
+# The default value is: YES.
 
 GENERATE_BUGLIST       = NO
 
-# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or
-# disable (NO) the deprecated list. This list is created by putting
-# \deprecated commands in the documentation.
+# The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO)
+# the deprecated list. This list is created by putting \deprecated commands in
+# the documentation.
+# The default value is: YES.
 
 GENERATE_DEPRECATEDLIST= NO
 
-# The ENABLED_SECTIONS tag can be used to enable conditional
-# documentation sections, marked by \if sectionname ... \endif.
+# The ENABLED_SECTIONS tag can be used to enable conditional documentation
+# sections, marked by \if <section_label> ... \endif and \cond <section_label>
+# ... \endcond blocks.
 
 ENABLED_SECTIONS       =
 
-# The MAX_INITIALIZER_LINES tag determines the maximum number of lines
-# the initial value of a variable or macro consists of for it to appear in
-# the documentation. If the initializer consists of more lines than specified
-# here it will be hidden. Use a value of 0 to hide initializers completely.
-# The appearance of the initializer of individual variables and macros in the
-# documentation can be controlled using \showinitializer or \hideinitializer
-# command in the documentation regardless of this setting.
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
+# initial value of a variable or macro / define can have for it to appear in the
+# documentation. If the initializer consists of more lines than specified here
+# it will be hidden. Use a value of 0 to hide initializers completely. The
+# appearance of the value of individual variables and macros / defines can be
+# controlled using \showinitializer or \hideinitializer command in the
+# documentation regardless of this setting.
+# Minimum value: 0, maximum value: 10000, default value: 30.
 
 MAX_INITIALIZER_LINES  = 30
 
-# Set the SHOW_USED_FILES tag to NO to disable the list of files generated
-# at the bottom of the documentation of classes and structs. If set to YES the
-# list will mention the files that were used to generate the documentation.
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
+# the bottom of the documentation of classes and structs. If set to YES the list
+# will mention the files that were used to generate the documentation.
+# The default value is: YES.
 
 SHOW_USED_FILES        = NO
 
-# Set the SHOW_FILES tag to NO to disable the generation of the Files page.
-# This will remove the Files entry from the Quick Index and from the
-# Folder Tree View (if specified). The default is YES.
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page. This
+# will remove the Files entry from the Quick Index and from the Folder Tree View
+# (if specified).
+# The default value is: YES.
 
 SHOW_FILES             = YES
 
-# Set the SHOW_NAMESPACES tag to NO to disable the generation of the
-# Namespaces page.
-# This will remove the Namespaces entry from the Quick Index
-# and from the Folder Tree View (if specified). The default is YES.
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces
+# page. This will remove the Namespaces entry from the Quick Index and from the
+# Folder Tree View (if specified).
+# The default value is: YES.
 
 SHOW_NAMESPACES        = YES
 
 # The FILE_VERSION_FILTER tag can be used to specify a program or script that
 # doxygen should invoke to get the current version for each file (typically from
 # the version control system). Doxygen will invoke the program by executing (via
-# popen()) the command <command> <input-file>, where <command> is the value of
-# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file
-# provided by doxygen. Whatever the program writes to standard output
-# is used as the file version. See the manual for examples.
+# popen()) the command command input-file, where command is the value of the
+# FILE_VERSION_FILTER tag, and input-file is the name of an input file provided
+# by doxygen. Whatever the program writes to standard output is used as the file
+# version. For an example see the documentation.
 
 FILE_VERSION_FILTER    =
 
 # The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
 # by doxygen. The layout file controls the global structure of the generated
 # output files in an output format independent way. To create the layout file
-# that represents doxygen's defaults, run doxygen with the -l option.
-# You can optionally specify a file name after the option, if omitted
-# DoxygenLayout.xml will be used as the name of the layout file.
+# that represents doxygen's defaults, run doxygen with the -l option. You can
+# optionally specify a file name after the option, if omitted DoxygenLayout.xml
+# will be used as the name of the layout file.
+#
+# Note that if you run doxygen from a directory containing a file called
+# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
+# tag is left empty.
 
 LAYOUT_FILE            =
 
-# The CITE_BIB_FILES tag can be used to specify one or more bib files
-# containing the references data. This must be a list of .bib files. The
-# .bib extension is automatically appended if omitted. Using this command
-# requires the bibtex tool to be installed. See also
-# http://en.wikipedia.org/wiki/BibTeX for more info. For LaTeX the style
-# of the bibliography can be controlled using LATEX_BIB_STYLE. To use this
-# feature you need bibtex and perl available in the search path.
+# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
+# the reference definitions. This must be a list of .bib files. The .bib
+# extension is automatically appended if omitted. This requires the bibtex tool
+# to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
+# For LaTeX the style of the bibliography can be controlled using
+# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
+# search path. Do not use file names with spaces, bibtex cannot handle them. See
+# also \cite for info how to create references.
 
 CITE_BIB_FILES         =
 
 #---------------------------------------------------------------------------
-# configuration options related to warning and progress messages
+# Configuration options related to warning and progress messages
 #---------------------------------------------------------------------------
 
-# The QUIET tag can be used to turn on/off the messages that are generated
-# by doxygen. Possible values are YES and NO. If left blank NO is used.
+# The QUIET tag can be used to turn on/off the messages that are generated to
+# standard output by doxygen. If QUIET is set to YES this implies that the
+# messages are off.
+# The default value is: NO.
 
 QUIET                  = NO
 
 # The WARNINGS tag can be used to turn on/off the warning messages that are
-# generated by doxygen. Possible values are YES and NO. If left blank
-# NO is used.
+# generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES
+# this implies that the warnings are on.
+#
+# Tip: Turn warnings on while writing the documentation.
+# The default value is: YES.
 
 WARNINGS               = YES
 
-# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings
-# for undocumented members. If EXTRACT_ALL is set to YES then this flag will
-# automatically be disabled.
+# If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate
+# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
+# will automatically be disabled.
+# The default value is: YES.
 
 WARN_IF_UNDOCUMENTED   = NO
 
-# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for
-# potential errors in the documentation, such as not documenting some
-# parameters in a documented function, or documenting parameters that
-# don't exist or using markup commands wrongly.
+# If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some parameters
+# in a documented function, or documenting parameters that don't exist or using
+# markup commands wrongly.
+# The default value is: YES.
 
 WARN_IF_DOC_ERROR      = YES
 
-# The WARN_NO_PARAMDOC option can be enabled to get warnings for
-# functions that are documented, but have no documentation for their parameters
-# or return value. If set to NO (the default) doxygen will only warn about
-# wrong or incomplete parameter documentation, but not about the absence of
-# documentation.
+# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
+# are documented, but have no documentation for their parameters or return
+# value. If set to NO doxygen will only warn about wrong or incomplete parameter
+# documentation, but not about the absence of documentation.
+# The default value is: NO.
 
 WARN_NO_PARAMDOC       = YES
 
-# The WARN_FORMAT tag determines the format of the warning messages that
-# doxygen can produce. The string should contain the $file, $line, and $text
-# tags, which will be replaced by the file and line number from which the
-# warning originated and the warning text. Optionally the format may contain
-# $version, which will be replaced by the version of the file (if it could
-# be obtained via FILE_VERSION_FILTER)
+# The WARN_FORMAT tag determines the format of the warning messages that doxygen
+# can produce. The string should contain the $file, $line, and $text tags, which
+# will be replaced by the file and line number from which the warning originated
+# and the warning text. Optionally the format may contain $version, which will
+# be replaced by the version of the file (if it could be obtained via
+# FILE_VERSION_FILTER)
+# The default value is: $file:$line: $text.
 
 WARN_FORMAT            = "$file:$line: $text"
 
-# The WARN_LOGFILE tag can be used to specify a file to which warning
-# and error messages should be written. If left blank the output is written
-# to stderr.
+# The WARN_LOGFILE tag can be used to specify a file to which warning and error
+# messages should be written. If left blank the output is written to standard
+# error (stderr).
 
 WARN_LOGFILE           =
 
 #---------------------------------------------------------------------------
-# configuration options related to the input files
+# Configuration options related to the input files
 #---------------------------------------------------------------------------
 
-# The INPUT tag can be used to specify the files and/or directories that contain
-# documented source files. You may enter file names like "myfile.cpp" or
-# directories like "/usr/src/myproject". Separate the files or directories
-# with spaces.
+# The INPUT tag is used to specify the files and/or directories that contain
+# documented source files. You may enter file names like myfile.cpp or
+# directories like /usr/src/myproject. Separate the files or directories with
+# spaces.
+# Note: If this tag is empty the current directory is searched.
 
-INPUT                  = @SRC_DIR@/src/
+INPUT                  = @SRC_DIR@/
 
 # This tag can be used to specify the character encoding of the source files
-# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
-# also the default input encoding. Doxygen uses libiconv (or the iconv built
-# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for
-# the list of possible encodings.
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
+# libiconv (or the iconv built into libc) for the transcoding. See the libiconv
+# documentation (see: http://www.gnu.org/software/libiconv) for the list of
+# possible encodings.
+# The default value is: UTF-8.
 
 INPUT_ENCODING         = UTF-8
 
 # If the value of the INPUT tag contains directories, you can use the
-# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
-# and *.h) to filter out the source-files in the directories. If left
-# blank the following patterns are tested:
-# *.c *.cc *.cxx *.cpp *.c++ *.d *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh
-# *.hxx *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.dox *.py
-# *.f90 *.f *.for *.vhd *.vhdl
+# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
+# *.h) to filter out the source-files in the directories. If left blank the
+# following patterns are tested:*.c, *.cc, *.cxx, *.cpp, *.c++, *.java, *.ii,
+# *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h, *.hh, *.hxx, *.hpp,
+# *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc, *.m, *.markdown,
+# *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf,
+# *.qsf, *.as and *.js.
 
-FILE_PATTERNS          = *.h
+FILE_PATTERNS          = *.h *.md
 
-# The RECURSIVE tag can be used to turn specify whether or not subdirectories
-# should be searched for input files as well. Possible values are YES and NO.
-# If left blank NO is used.
+# The RECURSIVE tag can be used to specify whether or not subdirectories should
+# be searched for input files as well.
+# The default value is: NO.
 
 RECURSIVE              = YES
 
 # The EXCLUDE tag can be used to specify files and/or directories that should be
 # excluded from the INPUT source files. This way you can easily exclude a
 # subdirectory from a directory tree whose root is specified with the INPUT tag.
+#
 # Note that relative paths are relative to the directory from which doxygen is
 # run.
 
@@ -692,14 +783,16 @@ EXCLUDE                = @SRC_DIR@/src/include
 # The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
 # directories that are symbolic links (a Unix file system feature) are excluded
 # from the input.
+# The default value is: NO.
 
 EXCLUDE_SYMLINKS       = YES
 
 # If the value of the INPUT tag contains directories, you can use the
 # EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
-# certain files from those directories. Note that the wildcards are matched
-# against the file with absolute path, so to exclude all test directories
-# for example use the pattern */test/*
+# certain files from those directories.
+#
+# Note that the wildcards are matched against the file with absolute path, so to
+# exclude all test directories for example use the pattern */test/*
 
 EXCLUDE_PATTERNS       = */.git/*
 
@@ -708,755 +801,1080 @@ EXCLUDE_PATTERNS       = */.git/*
 # output. The symbol name can be a fully qualified name, a word, or if the
 # wildcard * is used, a substring. Examples: ANamespace, AClass,
 # AClass::ANamespace, ANamespace::*Test
+#
+# Note that the wildcards are matched against the file with absolute path, so to
+# exclude all test directories use the pattern */test/*
 
 EXCLUDE_SYMBOLS        =
 
-# The EXAMPLE_PATH tag can be used to specify one or more files or
-# directories that contain example code fragments that are included (see
-# the \include command).
+# The EXAMPLE_PATH tag can be used to specify one or more files or directories
+# that contain example code fragments that are included (see the \include
+# command).
 
 EXAMPLE_PATH           =
 
 # If the value of the EXAMPLE_PATH tag contains directories, you can use the
-# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
-# and *.h) to filter out the source-files in the directories. If left
-# blank all files are included.
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
+# *.h) to filter out the source-files in the directories. If left blank all
+# files are included.
 
 EXAMPLE_PATTERNS       =
 
 # If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
-# searched for input files to be used with the \include or \dontinclude
-# commands irrespective of the value of the RECURSIVE tag.
-# Possible values are YES and NO. If left blank NO is used.
+# searched for input files to be used with the \include or \dontinclude commands
+# irrespective of the value of the RECURSIVE tag.
+# The default value is: NO.
 
 EXAMPLE_RECURSIVE      = NO
 
-# The IMAGE_PATH tag can be used to specify one or more files or
-# directories that contain image that are included in the documentation (see
-# the \image command).
+# The IMAGE_PATH tag can be used to specify one or more files or directories
+# that contain images that are to be included in the documentation (see the
+# \image command).
 
 IMAGE_PATH             =
 
 # The INPUT_FILTER tag can be used to specify a program that doxygen should
 # invoke to filter for each input file. Doxygen will invoke the filter program
-# by executing (via popen()) the command <filter> <input-file>, where <filter>
-# is the value of the INPUT_FILTER tag, and <input-file> is the name of an
-# input file. Doxygen will then use the output that the filter program writes
-# to standard output.
-# If FILTER_PATTERNS is specified, this tag will be
-# ignored.
+# by executing (via popen()) the command:
+#
+# <filter> <input-file>
+#
+# where <filter> is the value of the INPUT_FILTER tag, and <input-file> is the
+# name of an input file. Doxygen will then use the output that the filter
+# program writes to standard output. If FILTER_PATTERNS is specified, this tag
+# will be ignored.
+#
+# Note that the filter must not add or remove lines; it is applied before the
+# code is scanned, but not when the output code is generated. If lines are added
+# or removed, the anchors will not be placed correctly.
 
 INPUT_FILTER           =
 
 # The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
-# basis.
-# Doxygen will compare the file name with each pattern and apply the
-# filter if there is a match.
-# The filters are a list of the form:
-# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
-# info on how filters are used. If FILTER_PATTERNS is empty or if
-# non of the patterns match the file name, INPUT_FILTER is applied.
+# basis. Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match. The filters are a list of the form: pattern=filter
+# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
+# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
+# patterns match the file name, INPUT_FILTER is applied.
 
 FILTER_PATTERNS        =
 
 # If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
-# INPUT_FILTER) will be used to filter the input files when producing source
-# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+# INPUT_FILTER ) will also be used to filter the input files that are used for
+# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
+# The default value is: NO.
 
 FILTER_SOURCE_FILES    = NO
 
 # The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
-# pattern. A pattern will override the setting for FILTER_PATTERN (if any)
-# and it is also possible to disable source filtering for a specific pattern
-# using *.ext= (so without naming a filter). This option only has effect when
-# FILTER_SOURCE_FILES is enabled.
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any) and
+# it is also possible to disable source filtering for a specific pattern using
+# *.ext= (so without naming a filter).
+# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.
 
 FILTER_SOURCE_PATTERNS =
 
+# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
+# is part of the input, its contents will be placed on the main page
+# (index.html). This can be useful if you have a project on for instance GitHub
+# and want to reuse the introduction page also for the doxygen output.
+
+USE_MDFILE_AS_MAINPAGE =
+
 #---------------------------------------------------------------------------
-# configuration options related to source browsing
+# Configuration options related to source browsing
 #---------------------------------------------------------------------------
 
-# If the SOURCE_BROWSER tag is set to YES then a list of source files will
-# be generated. Documented entities will be cross-referenced with these sources.
-# Note: To get rid of all source code in the generated output, make sure also
-# VERBATIM_HEADERS is set to NO.
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will be
+# generated. Documented entities will be cross-referenced with these sources.
+#
+# Note: To get rid of all source code in the generated output, make sure that
+# also VERBATIM_HEADERS is set to NO.
+# The default value is: NO.
 
 SOURCE_BROWSER         = YES
 
-# Setting the INLINE_SOURCES tag to YES will include the body
-# of functions and classes directly in the documentation.
+# Setting the INLINE_SOURCES tag to YES will include the body of functions,
+# classes and enums directly into the documentation.
+# The default value is: NO.
 
 INLINE_SOURCES         = NO
 
-# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
-# doxygen to hide any special comment blocks from generated source code
-# fragments. Normal C, C++ and Fortran comments will always remain visible.
+# Setting the STRIP_CODE_COMMENTS tag to YES will instruct doxygen to hide any
+# special comment blocks from generated source code fragments. Normal C, C++ and
+# Fortran comments will always remain visible.
+# The default value is: YES.
 
 STRIP_CODE_COMMENTS    = NO
 
-# If the REFERENCED_BY_RELATION tag is set to YES
-# then for each documented function all documented
-# functions referencing it will be listed.
+# If the REFERENCED_BY_RELATION tag is set to YES then for each documented
+# function all documented functions referencing it will be listed.
+# The default value is: NO.
 
 REFERENCED_BY_RELATION = NO
 
-# If the REFERENCES_RELATION tag is set to YES
-# then for each documented function all documented entities
-# called/used by that function will be listed.
+# If the REFERENCES_RELATION tag is set to YES then for each documented function
+# all documented entities called/used by that function will be listed.
+# The default value is: NO.
 
 REFERENCES_RELATION    = NO
 
-# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
-# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
-# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
-# link to the source code.
-# Otherwise they will link to the documentation.
+# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
+# to YES, then the hyperlinks from functions in REFERENCES_RELATION and
+# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
+# link to the documentation.
+# The default value is: YES.
 
 REFERENCES_LINK_SOURCE = YES
 
-# If the USE_HTAGS tag is set to YES then the references to source code
-# will point to the HTML generated by the htags(1) tool instead of doxygen
-# built-in source browser. The htags tool is part of GNU's global source
-# tagging system (see http://www.gnu.org/software/global/global.html). You
-# will need version 4.8.6 or higher.
+# If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the
+# source code will show a tooltip with additional information such as prototype,
+# brief description and links to the definition and documentation. Since this
+# will make the HTML file larger and loading of large files a bit slower, you
+# can opt to disable this feature.
+# The default value is: YES.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
+
+SOURCE_TOOLTIPS        = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code will
+# point to the HTML generated by the htags(1) tool instead of doxygen built-in
+# source browser. The htags tool is part of GNU's global source tagging system
+# (see http://www.gnu.org/software/global/global.html). You will need version
+# 4.8.6 or higher.
+#
+# To use it do the following:
+# - Install the latest version of global
+# - Enable SOURCE_BROWSER and USE_HTAGS in the config file
+# - Make sure the INPUT points to the root of the source tree
+# - Run doxygen as normal
+#
+# Doxygen will invoke htags (and that will in turn invoke gtags), so these
+# tools must be available from the command line (i.e. in the search path).
+#
+# The result: instead of the source browser generated by doxygen, the links to
+# source code will now point to the output of htags.
+# The default value is: NO.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
 
 USE_HTAGS              = NO
 
-# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
-# will generate a verbatim copy of the header file for each class for
-# which an include is specified. Set to NO to disable this.
+# If the VERBATIM_HEADERS tag is set the YES then doxygen will generate a
+# verbatim copy of the header file for each class for which an include is
+# specified. Set to NO to disable this.
+# See also: Section \class.
+# The default value is: YES.
 
 VERBATIM_HEADERS       = YES
 
 #---------------------------------------------------------------------------
-# configuration options related to the alphabetical class index
+# Configuration options related to the alphabetical class index
 #---------------------------------------------------------------------------
 
-# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
-# of all compounds will be generated. Enable this if the project
-# contains a lot of classes, structs, unions or interfaces.
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all
+# compounds will be generated. Enable this if the project contains a lot of
+# classes, structs, unions or interfaces.
+# The default value is: YES.
 
 ALPHABETICAL_INDEX     = YES
 
-# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
-# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
-# in which this list will be split (can be a number in the range [1..20])
+# The COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns in
+# which the alphabetical index list will be split.
+# Minimum value: 1, maximum value: 20, default value: 5.
+# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
 
 COLS_IN_ALPHA_INDEX    = 5
 
-# In case all classes in a project start with a common prefix, all
-# classes will be put under the same header in the alphabetical index.
-# The IGNORE_PREFIX tag can be used to specify one or more prefixes that
-# should be ignored while generating the index headers.
+# In case all classes in a project start with a common prefix, all classes will
+# be put under the same header in the alphabetical index. The IGNORE_PREFIX tag
+# can be used to specify a prefix (or a list of prefixes) that should be ignored
+# while generating the index headers.
+# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
 
 IGNORE_PREFIX          =
 
 #---------------------------------------------------------------------------
-# configuration options related to the HTML output
+# Configuration options related to the HTML output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
-# generate HTML output.
+# If the GENERATE_HTML tag is set to YES doxygen will generate HTML output
+# The default value is: YES.
 
 GENERATE_HTML          = YES
 
-# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
-# put in front of it. If left blank `html' will be used as the default path.
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: html.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_OUTPUT            = .
 
-# The HTML_FILE_EXTENSION tag can be used to specify the file extension for
-# each generated HTML page (for example: .htm,.php,.asp). If it is left blank
-# doxygen will generate files with .html extension.
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
+# generated HTML page (for example: .htm, .php, .asp).
+# The default value is: .html.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_FILE_EXTENSION    = .html
 
-# The HTML_HEADER tag can be used to specify a personal HTML header for
-# each generated HTML page. If it is left blank doxygen will generate a
-# standard header. Note that when using a custom header you are responsible
-#  for the proper inclusion of any scripts and style sheets that doxygen
-# needs, which is dependent on the configuration options used.
-# It is advised to generate a default header using "doxygen -w html
-# header.html footer.html stylesheet.css YourConfigFile" and then modify
-# that header. Note that the header is subject to change so you typically
-# have to redo this when upgrading to a newer version of doxygen or when
-# changing the value of configuration settings such as GENERATE_TREEVIEW!
+# The HTML_HEADER tag can be used to specify a user-defined HTML header file for
+# each generated HTML page. If the tag is left blank doxygen will generate a
+# standard header.
+#
+# To get valid HTML the header file that includes any scripts and style sheets
+# that doxygen needs, which is dependent on the configuration options used (e.g.
+# the setting GENERATE_TREEVIEW). It is highly recommended to start with a
+# default header using
+# doxygen -w html new_header.html new_footer.html new_stylesheet.css
+# YourConfigFile
+# and then modify the file new_header.html. See also section "Doxygen usage"
+# for information on how to generate the default header that doxygen normally
+# uses.
+# Note: The header is subject to change so you typically have to regenerate the
+# default header when upgrading to a newer version of doxygen. For a description
+# of the possible markers and block names see the documentation.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_HEADER            =
 
-# The HTML_FOOTER tag can be used to specify a personal HTML footer for
-# each generated HTML page. If it is left blank doxygen will generate a
-# standard footer.
+# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each
+# generated HTML page. If the tag is left blank doxygen will generate a standard
+# footer. See HTML_HEADER for more information on how to generate a default
+# footer and what special commands can be used inside the footer. See also
+# section "Doxygen usage" for information on how to generate the default footer
+# that doxygen normally uses.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_FOOTER            =
 
-# The HTML_STYLESHEET tag can be used to specify a user-defined cascading
-# style sheet that is used by each HTML page. It can be used to
-# fine-tune the look of the HTML output. If the tag is left blank doxygen
-# will generate a default style sheet. Note that doxygen will try to copy
-# the style sheet file to the HTML output directory, so don't put your own
-# style sheet in the HTML output directory as well, or it will be erased!
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style
+# sheet that is used by each HTML page. It can be used to fine-tune the look of
+# the HTML output. If left blank doxygen will generate a default style sheet.
+# See also section "Doxygen usage" for information on how to generate the style
+# sheet that doxygen normally uses.
+# Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as
+# it is more robust and this tag (HTML_STYLESHEET) will in the future become
+# obsolete.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_STYLESHEET        =
 
+# The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user-
+# defined cascading style sheet that is included after the standard style sheets
+# created by doxygen. Using this option one can overrule certain style aspects.
+# This is preferred over using HTML_STYLESHEET since it does not replace the
+# standard style sheet and is therefor more robust against future updates.
+# Doxygen will copy the style sheet file to the output directory. For an example
+# see the documentation.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_EXTRA_STYLESHEET  =
+
 # The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
 # other source files which should be copied to the HTML output directory. Note
 # that these files will be copied to the base HTML output directory. Use the
-# $relpath$ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
-# files. In the HTML_STYLESHEET file, use the file name only. Also note that
-# the files will be copied as-is; there are no commands or markers available.
+# $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
+# files. In the HTML_STYLESHEET file, use the file name only. Also note that the
+# files will be copied as-is; there are no commands or markers available.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_EXTRA_FILES       =
 
-# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output.
-# Doxygen will adjust the colors in the style sheet and background images
-# according to this color. Hue is specified as an angle on a colorwheel,
-# see http://en.wikipedia.org/wiki/Hue for more information.
-# For instance the value 0 represents red, 60 is yellow, 120 is green,
-# 180 is cyan, 240 is blue, 300 purple, and 360 is red again.
-# The allowed range is 0 to 359.
+# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
+# will adjust the colors in the stylesheet and background images according to
+# this color. Hue is specified as an angle on a colorwheel, see
+# http://en.wikipedia.org/wiki/Hue for more information. For instance the value
+# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
+# purple, and 360 is red again.
+# Minimum value: 0, maximum value: 359, default value: 220.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_COLORSTYLE_HUE    = 220
 
-# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of
-# the colors in the HTML output. For a value of 0 the output will use
-# grayscales only. A value of 255 will produce the most vivid colors.
+# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors
+# in the HTML output. For a value of 0 the output will use grayscales only. A
+# value of 255 will produce the most vivid colors.
+# Minimum value: 0, maximum value: 255, default value: 100.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_COLORSTYLE_SAT    = 100
 
-# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to
-# the luminance component of the colors in the HTML output. Values below
-# 100 gradually make the output lighter, whereas values above 100 make
-# the output darker. The value divided by 100 is the actual gamma applied,
-# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2,
-# and 100 does not change the gamma.
+# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the
+# luminance component of the colors in the HTML output. Values below 100
+# gradually make the output lighter, whereas values above 100 make the output
+# darker. The value divided by 100 is the actual gamma applied, so 80 represents
+# a gamma of 0.8, The value 220 represents a gamma of 2.2, and 100 does not
+# change the gamma.
+# Minimum value: 40, maximum value: 240, default value: 80.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_COLORSTYLE_GAMMA  = 80
 
 # If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
-# page will contain the date and time when the page was generated. Setting
-# this to NO can help when comparing the output of multiple runs.
+# page will contain the date and time when the page was generated. Setting this
+# to NO can help when comparing the output of multiple runs.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_TIMESTAMP         = YES
 
 # If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
 # documentation will contain sections that can be hidden and shown after the
 # page has loaded.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_DYNAMIC_SECTIONS  = YES
 
-# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of
-# entries shown in the various tree structured indices initially; the user
-# can expand and collapse entries dynamically later on. Doxygen will expand
-# the tree to such a level that at most the specified number of entries are
-# visible (unless a fully collapsed tree already exceeds this amount).
-# So setting the number of entries 1 will produce a full collapsed tree by
-# default. 0 is a special value representing an infinite number of entries
-# and will result in a full expanded tree by default.
+# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries
+# shown in the various tree structured indices initially; the user can expand
+# and collapse entries dynamically later on. Doxygen will expand the tree to
+# such a level that at most the specified number of entries are visible (unless
+# a fully collapsed tree already exceeds this amount). So setting the number of
+# entries 1 will produce a full collapsed tree by default. 0 is a special value
+# representing an infinite number of entries and will result in a full expanded
+# tree by default.
+# Minimum value: 0, maximum value: 9999, default value: 100.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 HTML_INDEX_NUM_ENTRIES = 100
 
-# If the GENERATE_DOCSET tag is set to YES, additional index files
-# will be generated that can be used as input for Apple's Xcode 3
-# integrated development environment, introduced with OSX 10.5 (Leopard).
-# To create a documentation set, doxygen will generate a Makefile in the
-# HTML output directory. Running make will produce the docset in that
-# directory and running "make install" will install the docset in
-# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find
-# it at startup.
-# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
+# If the GENERATE_DOCSET tag is set to YES, additional index files will be
+# generated that can be used as input for Apple's Xcode 3 integrated development
+# environment (see: http://developer.apple.com/tools/xcode/), introduced with
+# OSX 10.5 (Leopard). To create a documentation set, doxygen will generate a
+# Makefile in the HTML output directory. Running make will produce the docset in
+# that directory and running make install will install the docset in
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at
+# startup. See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
 # for more information.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 GENERATE_DOCSET        = NO
 
-# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the
-# feed. A documentation feed provides an umbrella under which multiple
-# documentation sets from a single provider (such as a company or product suite)
-# can be grouped.
+# This tag determines the name of the docset feed. A documentation feed provides
+# an umbrella under which multiple documentation sets from a single provider
+# (such as a company or product suite) can be grouped.
+# The default value is: Doxygen generated docs.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
 
 DOCSET_FEEDNAME        = "Doxygen generated docs"
 
-# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that
-# should uniquely identify the documentation set bundle. This should be a
-# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen
-# will append .docset to the name.
+# This tag specifies a string that should uniquely identify the documentation
+# set bundle. This should be a reverse domain-name style string, e.g.
+# com.mycompany.MyDocSet. Doxygen will append .docset to the name.
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
 
 DOCSET_BUNDLE_ID       = org.doxygen.Project
 
-# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely identify
+# The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify
 # the documentation publisher. This should be a reverse domain-name style
 # string, e.g. com.mycompany.MyDocSet.documentation.
+# The default value is: org.doxygen.Publisher.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
 
 DOCSET_PUBLISHER_ID    = org.doxygen.Publisher
 
-# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher.
+# The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher.
+# The default value is: Publisher.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
 
 DOCSET_PUBLISHER_NAME  = Publisher
 
-# If the GENERATE_HTMLHELP tag is set to YES, additional index files
-# will be generated that can be used as input for tools like the
-# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
-# of the generated HTML documentation.
+# If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three
+# additional HTML index files: index.hhp, index.hhc, and index.hhk. The
+# index.hhp is a project file that can be read by Microsoft's HTML Help Workshop
+# (see: http://www.microsoft.com/en-us/download/details.aspx?id=21138) on
+# Windows.
+#
+# The HTML Help Workshop contains a compiler that can convert all HTML output
+# generated by doxygen into a single compiled HTML file (.chm). Compiled HTML
+# files are now used as the Windows 98 help format, and will replace the old
+# Windows help format (.hlp) on all Windows platforms in the future. Compressed
+# HTML files also contain an index, a table of contents, and you can search for
+# words in the documentation. The HTML workshop also contains a viewer for
+# compressed HTML files.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 GENERATE_HTMLHELP      = NO
 
-# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
-# be used to specify the file name of the resulting .chm file. You
-# can add a path in front of the file if the result should not be
+# The CHM_FILE tag can be used to specify the file name of the resulting .chm
+# file. You can add a path in front of the file if the result should not be
 # written to the html output directory.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 
 CHM_FILE               =
 
-# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can
-# be used to specify the location (absolute path including file name) of
-# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run
-# the HTML help compiler on the generated index.hhp.
+# The HHC_LOCATION tag can be used to specify the location (absolute path
+# including file name) of the HTML help compiler ( hhc.exe). If non-empty
+# doxygen will try to run the HTML help compiler on the generated index.hhp.
+# The file has to be specified with full path.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 
 HHC_LOCATION           =
 
-# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag
-# controls if a separate .chi index file is generated (YES) or that
-# it should be included in the master .chm file (NO).
+# The GENERATE_CHI flag controls if a separate .chi index file is generated (
+# YES) or that it should be included in the master .chm file ( NO).
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 
 GENERATE_CHI           = NO
 
-# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING
-# is used to encode HtmlHelp index (hhk), content (hhc) and project file
-# content.
+# The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc)
+# and project file content.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 
 CHM_INDEX_ENCODING     =
 
-# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag
-# controls whether a binary table of contents is generated (YES) or a
-# normal table of contents (NO) in the .chm file.
+# The BINARY_TOC flag controls whether a binary table of contents is generated (
+# YES) or a normal table of contents ( NO) in the .chm file.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 
 BINARY_TOC             = NO
 
-# The TOC_EXPAND flag can be set to YES to add extra items for group members
-# to the contents of the HTML help documentation and to the tree view.
+# The TOC_EXPAND flag can be set to YES to add extra items for group members to
+# the table of contents of the HTML help documentation and to the tree view.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 
 TOC_EXPAND             = NO
 
 # If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
-# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated
-# that can be used as input for Qt's qhelpgenerator to generate a
-# Qt Compressed Help (.qch) of the generated HTML documentation.
+# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that
+# can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help
+# (.qch) of the generated HTML documentation.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 GENERATE_QHP           = NO
 
-# If the QHG_LOCATION tag is specified, the QCH_FILE tag can
-# be used to specify the file name of the resulting .qch file.
-# The path specified is relative to the HTML output folder.
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify
+# the file name of the resulting .qch file. The path specified is relative to
+# the HTML output folder.
+# This tag requires that the tag GENERATE_QHP is set to YES.
 
 QCH_FILE               =
 
-# The QHP_NAMESPACE tag specifies the namespace to use when generating
-# Qt Help Project output. For more information please see
-# http://doc.trolltech.com/qthelpproject.html#namespace
+# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
+# Project output. For more information please see Qt Help Project / Namespace
+# (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#namespace).
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_QHP is set to YES.
 
 QHP_NAMESPACE          = org.doxygen.Project
 
-# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating
-# Qt Help Project output. For more information please see
-# http://doc.trolltech.com/qthelpproject.html#virtual-folders
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt
+# Help Project output. For more information please see Qt Help Project / Virtual
+# Folders (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#virtual-
+# folders).
+# The default value is: doc.
+# This tag requires that the tag GENERATE_QHP is set to YES.
 
 QHP_VIRTUAL_FOLDER     = doc
 
-# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to
-# add. For more information please see
-# http://doc.trolltech.com/qthelpproject.html#custom-filters
+# If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom
+# filter to add. For more information please see Qt Help Project / Custom
+# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
+# filters).
+# This tag requires that the tag GENERATE_QHP is set to YES.
 
 QHP_CUST_FILTER_NAME   =
 
-# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the
-# custom filter to add. For more information please see
-# <a href="http://doc.trolltech.com/qthelpproject.html#custom-filters">
-# Qt Help Project / Custom Filters</a>.
+# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
+# custom filter to add. For more information please see Qt Help Project / Custom
+# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
+# filters).
+# This tag requires that the tag GENERATE_QHP is set to YES.
 
 QHP_CUST_FILTER_ATTRS  =
 
 # The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
-# project's
-# filter section matches.
-# <a href="http://doc.trolltech.com/qthelpproject.html#filter-attributes">
-# Qt Help Project / Filter Attributes</a>.
+# project's filter section matches. Qt Help Project / Filter Attributes (see:
+# http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes).
+# This tag requires that the tag GENERATE_QHP is set to YES.
 
 QHP_SECT_FILTER_ATTRS  =
 
-# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can
-# be used to specify the location of Qt's qhelpgenerator.
-# If non-empty doxygen will try to run qhelpgenerator on the generated
-# .qhp file.
+# The QHG_LOCATION tag can be used to specify the location of Qt's
+# qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the
+# generated .qhp file.
+# This tag requires that the tag GENERATE_QHP is set to YES.
 
 QHG_LOCATION           =
 
-# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files
-#  will be generated, which together with the HTML files, form an Eclipse help
-# plugin. To install this plugin and make it available under the help contents
-# menu in Eclipse, the contents of the directory containing the HTML and XML
-# files needs to be copied into the plugins directory of eclipse. The name of
-# the directory within the plugins directory should be the same as
-# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before
-# the help appears.
+# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be
+# generated, together with the HTML files, they form an Eclipse help plugin. To
+# install this plugin and make it available under the help contents menu in
+# Eclipse, the contents of the directory containing the HTML and XML files needs
+# to be copied into the plugins directory of eclipse. The name of the directory
+# within the plugins directory should be the same as the ECLIPSE_DOC_ID value.
+# After copying Eclipse needs to be restarted before the help appears.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 GENERATE_ECLIPSEHELP   = NO
 
-# A unique identifier for the eclipse help plugin. When installing the plugin
-# the directory name containing the HTML and XML files should also have
-# this name.
+# A unique identifier for the Eclipse help plugin. When installing the plugin
+# the directory name containing the HTML and XML files should also have this
+# name. Each documentation set should have its own identifier.
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES.
 
 ECLIPSE_DOC_ID         = org.doxygen.Project
 
-# The DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs)
-# at top of each HTML page. The value NO (the default) enables the index and
-# the value YES disables it. Since the tabs have the same information as the
-# navigation tree you can set this option to NO if you already set
-# GENERATE_TREEVIEW to YES.
+# If you want full control over the layout of the generated HTML pages it might
+# be necessary to disable the index and replace it with your own. The
+# DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top
+# of each HTML page. A value of NO enables the index and the value YES disables
+# it. Since the tabs in the index contain the same information as the navigation
+# tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 DISABLE_INDEX          = NO
 
 # The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
-# structure should be generated to display hierarchical information.
-# If the tag value is set to YES, a side panel will be generated
-# containing a tree-like index structure (just like the one that
-# is generated for HTML Help). For this to work a browser that supports
-# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser).
-# Windows users are probably better off using the HTML help feature.
-# Since the tree basically has the same information as the tab index you
-# could consider to set DISABLE_INDEX to NO when enabling this option.
+# structure should be generated to display hierarchical information. If the tag
+# value is set to YES, a side panel will be generated containing a tree-like
+# index structure (just like the one that is generated for HTML Help). For this
+# to work a browser that supports JavaScript, DHTML, CSS and frames is required
+# (i.e. any modern browser). Windows users are probably better off using the
+# HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can
+# further fine-tune the look of the index. As an example, the default style
+# sheet generated by doxygen has an example that shows how to put an image at
+# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
+# the same information as the tab index, you could consider setting
+# DISABLE_INDEX to YES when enabling this option.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 GENERATE_TREEVIEW      = YES
 
-# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values
-# (range [0,1..20]) that doxygen will group on one line in the generated HTML
-# documentation. Note that a value of 0 will completely suppress the enum
-# values from appearing in the overview section.
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that
+# doxygen will group on one line in the generated HTML documentation.
+#
+# Note that a value of 0 will completely suppress the enum values from appearing
+# in the overview section.
+# Minimum value: 0, maximum value: 20, default value: 4.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 ENUM_VALUES_PER_LINE   = 1
 
-# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
-# used to set the initial width (in pixels) of the frame in which the tree
-# is shown.
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used
+# to set the initial width (in pixels) of the frame in which the tree is shown.
+# Minimum value: 0, maximum value: 1500, default value: 250.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 TREEVIEW_WIDTH         = 250
 
-# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open
-# links to external symbols imported via tag files in a separate window.
+# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to
+# external symbols imported via tag files in a separate window.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 EXT_LINKS_IN_WINDOW    = NO
 
-# Use this tag to change the font size of Latex formulas included
-# as images in the HTML documentation. The default is 10. Note that
-# when you change the font size after a successful doxygen run you need
-# to manually remove any form_*.png images from the HTML output directory
-# to force them to be regenerated.
+# Use this tag to change the font size of LaTeX formulas included as images in
+# the HTML documentation. When you change the font size after a successful
+# doxygen run you need to manually remove any form_*.png images from the HTML
+# output directory to force them to be regenerated.
+# Minimum value: 8, maximum value: 50, default value: 10.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 FORMULA_FONTSIZE       = 10
 
 # Use the FORMULA_TRANPARENT tag to determine whether or not the images
-# generated for formulas are transparent PNGs. Transparent PNGs are
-# not supported properly for IE 6.0, but are supported on all modern browsers.
-# Note that when changing this option you need to delete any form_*.png files
-# in the HTML output before the changes have effect.
+# generated for formulas are transparent PNGs. Transparent PNGs are not
+# supported properly for IE 6.0, but are supported on all modern browsers.
+#
+# Note that when changing this option you need to delete any form_*.png files in
+# the HTML output directory before the changes have effect.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 FORMULA_TRANSPARENT    = YES
 
-# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax
-# (see http://www.mathjax.org) which uses client side Javascript for the
-# rendering instead of using prerendered bitmaps. Use this if you do not
-# have LaTeX installed or if you want to formulas look prettier in the HTML
-# output. When enabled you may also need to install MathJax separately and
-# configure the path to it using the MATHJAX_RELPATH option.
+# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
+# http://www.mathjax.org) which uses client side Javascript for the rendering
+# instead of using prerendered bitmaps. Use this if you do not have LaTeX
+# installed or if you want to formulas look prettier in the HTML output. When
+# enabled you may also need to install MathJax separately and configure the path
+# to it using the MATHJAX_RELPATH option.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 USE_MATHJAX            = NO
 
-# When MathJax is enabled you need to specify the location relative to the
-# HTML output directory using the MATHJAX_RELPATH option. The destination
-# directory should contain the MathJax.js script. For instance, if the mathjax
-# directory is located at the same level as the HTML output directory, then
-# MATHJAX_RELPATH should be ../mathjax. The default value points to
-# the MathJax Content Delivery Network so you can quickly see the result without
-# installing MathJax.
-# However, it is strongly recommended to install a local
-# copy of MathJax from http://www.mathjax.org before deployment.
+# When MathJax is enabled you can set the default output format to be used for
+# the MathJax output. See the MathJax site (see:
+# http://docs.mathjax.org/en/latest/output.html) for more details.
+# Possible values are: HTML-CSS (which is slower, but has the best
+# compatibility), NativeMML (i.e. MathML) and SVG.
+# The default value is: HTML-CSS.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_FORMAT         = HTML-CSS
+
+# When MathJax is enabled you need to specify the location relative to the HTML
+# output directory using the MATHJAX_RELPATH option. The destination directory
+# should contain the MathJax.js script. For instance, if the mathjax directory
+# is located at the same level as the HTML output directory, then
+# MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax
+# Content Delivery Network so you can quickly see the result without installing
+# MathJax. However, it is strongly recommended to install a local copy of
+# MathJax from http://www.mathjax.org before deployment.
+# The default value is: http://cdn.mathjax.org/mathjax/latest.
+# This tag requires that the tag USE_MATHJAX is set to YES.
 
 MATHJAX_RELPATH        = http://cdn.mathjax.org/mathjax/latest
 
-# The MATHJAX_EXTENSIONS tag can be used to specify one or MathJax extension
-# names that should be enabled during MathJax rendering.
+# The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax
+# extension names that should be enabled during MathJax rendering. For example
+# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols
+# This tag requires that the tag USE_MATHJAX is set to YES.
 
 MATHJAX_EXTENSIONS     =
 
-# When the SEARCHENGINE tag is enabled doxygen will generate a search box
-# for the HTML output. The underlying search engine uses javascript
-# and DHTML and should work on any modern browser. Note that when using
-# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets
-# (GENERATE_DOCSET) there is already a search function so this one should
-# typically be disabled. For large projects the javascript based search engine
-# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution.
+# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces
+# of code that will be used on startup of the MathJax code. See the MathJax site
+# (see: http://docs.mathjax.org/en/latest/output.html) for more details. For an
+# example see the documentation.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_CODEFILE       =
+
+# When the SEARCHENGINE tag is enabled doxygen will generate a search box for
+# the HTML output. The underlying search engine uses javascript and DHTML and
+# should work on any modern browser. Note that when using HTML help
+# (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET)
+# there is already a search function so this one should typically be disabled.
+# For large projects the javascript based search engine can be slow, then
+# enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to
+# search using the keyboard; to jump to the search box use <access key> + S
+# (what the <access key> is depends on the OS and browser, but it is typically
+# <CTRL>, <ALT>/<option>, or both). Inside the search box use the <cursor down
+# key> to jump into the search results window, the results can be navigated
+# using the <cursor keys>. Press <Enter> to select an item or <escape> to cancel
+# the search. The filter options can be selected when the cursor is inside the
+# search box by pressing <Shift>+<cursor down>. Also here use the <cursor keys>
+# to select a filter and <Enter> or <escape> to activate or cancel the filter
+# option.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
 
 SEARCHENGINE           = NO
 
 # When the SERVER_BASED_SEARCH tag is enabled the search engine will be
-# implemented using a PHP enabled web server instead of at the web client
-# using Javascript. Doxygen will generate the search PHP script and index
-# file to put on the web server. The advantage of the server
-# based approach is that it scales better to large projects and allows
-# full text search. The disadvantages are that it is more difficult to setup
-# and does not have live searching capabilities.
+# implemented using a web server instead of a web client using Javascript. There
+# are two flavours of web server based searching depending on the
+# EXTERNAL_SEARCH setting. When disabled, doxygen will generate a PHP script for
+# searching and an index file used by the script. When EXTERNAL_SEARCH is
+# enabled the indexing and searching needs to be provided by external tools. See
+# the section "External Indexing and Searching" for details.
+# The default value is: NO.
+# This tag requires that the tag SEARCHENGINE is set to YES.
 
 SERVER_BASED_SEARCH    = NO
 
+# When EXTERNAL_SEARCH tag is enabled doxygen will no longer generate the PHP
+# script for searching. Instead the search results are written to an XML file
+# which needs to be processed by an external indexer. Doxygen will invoke an
+# external search engine pointed to by the SEARCHENGINE_URL option to obtain the
+# search results.
+#
+# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# (doxysearch.cgi) which are based on the open source search engine library
+# Xapian (see: http://xapian.org/).
+#
+# See the section "External Indexing and Searching" for details.
+# The default value is: NO.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTERNAL_SEARCH        = NO
+
+# The SEARCHENGINE_URL should point to a search engine hosted by a web server
+# which will return the search results when EXTERNAL_SEARCH is enabled.
+#
+# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# (doxysearch.cgi) which are based on the open source search engine library
+# Xapian (see: http://xapian.org/). See the section "External Indexing and
+# Searching" for details.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SEARCHENGINE_URL       =
+
+# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
+# search data is written to a file for indexing by an external tool. With the
+# SEARCHDATA_FILE tag the name of this file can be specified.
+# The default file is: searchdata.xml.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SEARCHDATA_FILE        = searchdata.xml
+
+# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the
+# EXTERNAL_SEARCH_ID tag can be used as an identifier for the project. This is
+# useful in combination with EXTRA_SEARCH_MAPPINGS to search through multiple
+# projects and redirect the results back to the right project.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTERNAL_SEARCH_ID     =
+
+# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through doxygen
+# projects other than the one defined by this configuration file, but that are
+# all added to the same external search index. Each project needs to have a
+# unique id set via EXTERNAL_SEARCH_ID. The search mapping then maps the id of
+# to a relative location where the documentation can be found. The format is:
+# EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTRA_SEARCH_MAPPINGS  =
+
 #---------------------------------------------------------------------------
-# configuration options related to the LaTeX output
+# Configuration options related to the LaTeX output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
-# generate Latex output.
+# If the GENERATE_LATEX tag is set to YES doxygen will generate LaTeX output.
+# The default value is: YES.
 
 GENERATE_LATEX         = NO
 
-# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
-# put in front of it. If left blank `latex' will be used as the default path.
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: latex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 LATEX_OUTPUT           = latex
 
 # The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
-# invoked. If left blank `latex' will be used as the default command name.
-# Note that when enabling USE_PDFLATEX this option is only used for
-# generating bitmaps for formulas in the HTML output, but not in the
-# Makefile that is written to the output directory.
+# invoked.
+#
+# Note that when enabling USE_PDFLATEX this option is only used for generating
+# bitmaps for formulas in the HTML output, but not in the Makefile that is
+# written to the output directory.
+# The default file is: latex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 LATEX_CMD_NAME         = latex
 
-# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to
-# generate index for LaTeX. If left blank `makeindex' will be used as the
-# default command name.
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to generate
+# index for LaTeX.
+# The default file is: makeindex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 MAKEINDEX_CMD_NAME     = makeindex
 
-# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact
-# LaTeX documents. This may be useful for small projects and may help to
-# save some trees in general.
+# If the COMPACT_LATEX tag is set to YES doxygen generates more compact LaTeX
+# documents. This may be useful for small projects and may help to save some
+# trees in general.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 COMPACT_LATEX          = NO
 
-# The PAPER_TYPE tag can be used to set the paper type that is used
-# by the printer. Possible values are: a4, letter, legal and
-# executive. If left blank a4wide will be used.
+# The PAPER_TYPE tag can be used to set the paper type that is used by the
+# printer.
+# Possible values are: a4 (210 x 297 mm), letter (8.5 x 11 inches), legal (8.5 x
+# 14 inches) and executive (7.25 x 10.5 inches).
+# The default value is: a4.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 PAPER_TYPE             = a4wide
 
-# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
-# packages that should be included in the LaTeX output.
+# The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
+# that should be included in the LaTeX output. To get the times font for
+# instance you can specify
+# EXTRA_PACKAGES=times
+# If left blank no extra packages will be included.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 EXTRA_PACKAGES         =
 
-# The LATEX_HEADER tag can be used to specify a personal LaTeX header for
-# the generated latex document. The header should contain everything until
-# the first chapter. If it is left blank doxygen will generate a
-# standard header. Notice: only use this tag if you know what you are doing!
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the
+# generated LaTeX document. The header should contain everything until the first
+# chapter. If it is left blank doxygen will generate a standard header. See
+# section "Doxygen usage" for information on how to let doxygen write the
+# default header to a separate file.
+#
+# Note: Only use a user-defined header if you know what you are doing! The
+# following commands have a special meaning inside the header: $title,
+# $datetime, $date, $doxygenversion, $projectname, $projectnumber. Doxygen will
+# replace them by respectively the title of the page, the current date and time,
+# only the current date, the version number of doxygen, the project name (see
+# PROJECT_NAME), or the project number (see PROJECT_NUMBER).
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 LATEX_HEADER           =
 
-# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for
-# the generated latex document. The footer should contain everything after
-# the last chapter. If it is left blank doxygen will generate a
-# standard footer. Notice: only use this tag if you know what you are doing!
+# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
+# generated LaTeX document. The footer should contain everything after the last
+# chapter. If it is left blank doxygen will generate a standard footer.
+#
+# Note: Only use a user-defined footer if you know what you are doing!
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 LATEX_FOOTER           =
 
-# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
-# is prepared for conversion to pdf (using ps2pdf). The pdf file will
-# contain links (just like the HTML output) instead of page references
-# This makes the output suitable for online browsing using a pdf viewer.
+# The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the LATEX_OUTPUT output
+# directory. Note that the files will be copied as-is; there are no commands or
+# markers available.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_FILES      =
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated is
+# prepared for conversion to PDF (using ps2pdf or pdflatex). The PDF file will
+# contain links (just like the HTML output) instead of page references. This
+# makes the output suitable for online browsing using a PDF viewer.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 PDF_HYPERLINKS         = NO
 
-# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of
-# plain latex in the generated Makefile. Set this option to YES to get a
+# If the LATEX_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
+# the PDF file directly from the LaTeX files. Set this option to YES to get a
 # higher quality PDF documentation.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 USE_PDFLATEX           = NO
 
-# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode.
-# command to the generated LaTeX files. This will instruct LaTeX to keep
-# running if errors occur, instead of asking the user for help.
-# This option is also used when generating formulas in HTML.
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \batchmode
+# command to the generated LaTeX files. This will instruct LaTeX to keep running
+# if errors occur, instead of asking the user for help. This option is also used
+# when generating formulas in HTML.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 LATEX_BATCHMODE        = NO
 
-# If LATEX_HIDE_INDICES is set to YES then doxygen will not
-# include the index chapters (such as File Index, Compound Index, etc.)
-# in the output.
+# If the LATEX_HIDE_INDICES tag is set to YES then doxygen will not include the
+# index chapters (such as File Index, Compound Index, etc.) in the output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 LATEX_HIDE_INDICES     = NO
 
-# If LATEX_SOURCE_CODE is set to YES then doxygen will include
-# source code with syntax highlighting in the LaTeX output.
-# Note that which sources are shown also depends on other settings
-# such as SOURCE_BROWSER.
+# If the LATEX_SOURCE_CODE tag is set to YES then doxygen will include source
+# code with syntax highlighting in the LaTeX output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 LATEX_SOURCE_CODE      = NO
 
 # The LATEX_BIB_STYLE tag can be used to specify the style to use for the
-# bibliography, e.g. plainnat, or ieeetr. The default style is "plain". See
-# http://en.wikipedia.org/wiki/BibTeX for more info.
+# bibliography, e.g. plainnat, or ieeetr. See
+# http://en.wikipedia.org/wiki/BibTeX and \cite for more info.
+# The default value is: plain.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
 
 LATEX_BIB_STYLE        = plain
 
 #---------------------------------------------------------------------------
-# configuration options related to the RTF output
+# Configuration options related to the RTF output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output
-# The RTF output is optimized for Word 97 and may not look very pretty with
-# other RTF readers or editors.
+# If the GENERATE_RTF tag is set to YES doxygen will generate RTF output. The
+# RTF output is optimized for Word 97 and may not look too pretty with other RTF
+# readers/editors.
+# The default value is: NO.
 
 GENERATE_RTF           = NO
 
-# The RTF_OUTPUT tag is used to specify where the RTF docs will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
-# put in front of it. If left blank `rtf' will be used as the default path.
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: rtf.
+# This tag requires that the tag GENERATE_RTF is set to YES.
 
 RTF_OUTPUT             = rtf
 
-# If the COMPACT_RTF tag is set to YES Doxygen generates more compact
-# RTF documents. This may be useful for small projects and may help to
-# save some trees in general.
+# If the COMPACT_RTF tag is set to YES doxygen generates more compact RTF
+# documents. This may be useful for small projects and may help to save some
+# trees in general.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
 
 COMPACT_RTF            = NO
 
-# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated
-# will contain hyperlink fields. The RTF file will
-# contain links (just like the HTML output) instead of page references.
-# This makes the output suitable for online browsing using WORD or other
-# programs which support those fields.
-# Note: wordpad (write) and others do not support links.
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated will
+# contain hyperlink fields. The RTF file will contain links (just like the HTML
+# output) instead of page references. This makes the output suitable for online
+# browsing using Word or some other Word compatible readers that support those
+# fields.
+#
+# Note: WordPad (write) and others do not support links.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
 
 RTF_HYPERLINKS         = NO
 
-# Load style sheet definitions from file. Syntax is similar to doxygen's
-# config file, i.e. a series of assignments. You only have to provide
-# replacements, missing definitions are set to their default value.
+# Load stylesheet definitions from file. Syntax is similar to doxygen's config
+# file, i.e. a series of assignments. You only have to provide replacements,
+# missing definitions are set to their default value.
+#
+# See also section "Doxygen usage" for information on how to generate the
+# default style sheet that doxygen normally uses.
+# This tag requires that the tag GENERATE_RTF is set to YES.
 
 RTF_STYLESHEET_FILE    =
 
-# Set optional variables used in the generation of an rtf document.
-# Syntax is similar to doxygen's config file.
+# Set optional variables used in the generation of an RTF document. Syntax is
+# similar to doxygen's config file. A template extensions file can be generated
+# using doxygen -e rtf extensionFile.
+# This tag requires that the tag GENERATE_RTF is set to YES.
 
 RTF_EXTENSIONS_FILE    =
 
 #---------------------------------------------------------------------------
-# configuration options related to the man page output
+# Configuration options related to the man page output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_MAN tag is set to YES (the default) Doxygen will
-# generate man pages
+# If the GENERATE_MAN tag is set to YES doxygen will generate man pages for
+# classes and files.
+# The default value is: NO.
 
 GENERATE_MAN           = NO
 
-# The MAN_OUTPUT tag is used to specify where the man pages will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
-# put in front of it. If left blank `man' will be used as the default path.
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it. A directory man3 will be created inside the directory specified by
+# MAN_OUTPUT.
+# The default directory is: man.
+# This tag requires that the tag GENERATE_MAN is set to YES.
 
 MAN_OUTPUT             = man
 
-# The MAN_EXTENSION tag determines the extension that is added to
-# the generated man pages (default is the subroutine's section .3)
+# The MAN_EXTENSION tag determines the extension that is added to the generated
+# man pages. In case the manual section does not start with a number, the number
+# 3 is prepended. The dot (.) at the beginning of the MAN_EXTENSION tag is
+# optional.
+# The default value is: .3.
+# This tag requires that the tag GENERATE_MAN is set to YES.
 
 MAN_EXTENSION          = .3
 
-# If the MAN_LINKS tag is set to YES and Doxygen generates man output,
-# then it will generate one additional man file for each entity
-# documented in the real man page(s). These additional files
-# only source the real man page, but without them the man command
-# would be unable to find the correct page. The default is NO.
+# If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
+# will generate one additional man file for each entity documented in the real
+# man page(s). These additional files only source the real man page, but without
+# them the man command would be unable to find the correct page.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_MAN is set to YES.
 
 MAN_LINKS              = YES
 
 #---------------------------------------------------------------------------
-# configuration options related to the XML output
+# Configuration options related to the XML output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_XML tag is set to YES Doxygen will
-# generate an XML file that captures the structure of
-# the code including all documentation.
+# If the GENERATE_XML tag is set to YES doxygen will generate an XML file that
+# captures the structure of the code including all documentation.
+# The default value is: NO.
 
 GENERATE_XML           = NO
 
-# The XML_OUTPUT tag is used to specify where the XML pages will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
-# put in front of it. If left blank `xml' will be used as the default path.
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: xml.
+# This tag requires that the tag GENERATE_XML is set to YES.
 
 XML_OUTPUT             = xml
 
-# The XML_SCHEMA tag can be used to specify an XML schema,
-# which can be used by a validating XML parser to check the
-# syntax of the XML files.
+# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a
+# validating XML parser to check the syntax of the XML files.
+# This tag requires that the tag GENERATE_XML is set to YES.
 
 XML_SCHEMA             =
 
-# The XML_DTD tag can be used to specify an XML DTD,
-# which can be used by a validating XML parser to check the
-# syntax of the XML files.
+# The XML_DTD tag can be used to specify a XML DTD, which can be used by a
+# validating XML parser to check the syntax of the XML files.
+# This tag requires that the tag GENERATE_XML is set to YES.
 
 XML_DTD                =
 
-# If the XML_PROGRAMLISTING tag is set to YES Doxygen will
-# dump the program listings (including syntax highlighting
-# and cross-referencing information) to the XML output. Note that
-# enabling this will significantly increase the size of the XML output.
+# If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program
+# listings (including syntax highlighting and cross-referencing information) to
+# the XML output. Note that enabling this will significantly increase the size
+# of the XML output.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_XML is set to YES.
 
 XML_PROGRAMLISTING     = YES
 
 #---------------------------------------------------------------------------
-# configuration options for the AutoGen Definitions output
+# Configuration options related to the DOCBOOK output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_DOCBOOK tag is set to YES doxygen will generate Docbook files
+# that can be used to generate PDF.
+# The default value is: NO.
+
+GENERATE_DOCBOOK       = NO
+
+# The DOCBOOK_OUTPUT tag is used to specify where the Docbook pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be put in
+# front of it.
+# The default directory is: docbook.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_OUTPUT         = docbook
+
+#---------------------------------------------------------------------------
+# Configuration options for the AutoGen Definitions output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will
-# generate an AutoGen Definitions (see autogen.sf.net) file
-# that captures the structure of the code including all
-# documentation. Note that this feature is still experimental
-# and incomplete at the moment.
+# If the GENERATE_AUTOGEN_DEF tag is set to YES doxygen will generate an AutoGen
+# Definitions (see http://autogen.sf.net) file that captures the structure of
+# the code including all documentation. Note that this feature is still
+# experimental and incomplete at the moment.
+# The default value is: NO.
 
 GENERATE_AUTOGEN_DEF   = NO
 
 #---------------------------------------------------------------------------
-# configuration options related to the Perl module output
+# Configuration options related to the Perl module output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_PERLMOD tag is set to YES Doxygen will
-# generate a Perl module file that captures the structure of
-# the code including all documentation. Note that this
-# feature is still experimental and incomplete at the
-# moment.
+# If the GENERATE_PERLMOD tag is set to YES doxygen will generate a Perl module
+# file that captures the structure of the code including all documentation.
+#
+# Note that this feature is still experimental and incomplete at the moment.
+# The default value is: NO.
 
 GENERATE_PERLMOD       = NO
 
-# If the PERLMOD_LATEX tag is set to YES Doxygen will generate
-# the necessary Makefile rules, Perl scripts and LaTeX code to be able
-# to generate PDF and DVI output from the Perl module output.
+# If the PERLMOD_LATEX tag is set to YES doxygen will generate the necessary
+# Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
+# output from the Perl module output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
 
 PERLMOD_LATEX          = NO
 
-# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be
-# nicely formatted so it can be parsed by a human reader.
-# This is useful
-# if you want to understand what is going on.
-# On the other hand, if this
-# tag is set to NO the size of the Perl module output will be much smaller
-# and Perl will parse it just the same.
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be nicely
+# formatted so it can be parsed by a human reader. This is useful if you want to
+# understand what is going on. On the other hand, if this tag is set to NO the
+# size of the Perl module output will be much smaller and Perl will parse it
+# just the same.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
 
 PERLMOD_PRETTY         = YES
 
-# The names of the make variables in the generated doxyrules.make file
-# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX.
-# This is useful so different doxyrules.make files included by the same
-# Makefile don't overwrite each other's variables.
+# The names of the make variables in the generated doxyrules.make file are
+# prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. This is useful
+# so different doxyrules.make files included by the same Makefile don't
+# overwrite each other's variables.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
 
 PERLMOD_MAKEVAR_PREFIX =
 
@@ -1464,106 +1882,129 @@ PERLMOD_MAKEVAR_PREFIX =
 # Configuration options related to the preprocessor
 #---------------------------------------------------------------------------
 
-# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will
-# evaluate all C-preprocessor directives found in the sources and include
-# files.
+# If the ENABLE_PREPROCESSING tag is set to YES doxygen will evaluate all
+# C-preprocessor directives found in the sources and include files.
+# The default value is: YES.
 
 ENABLE_PREPROCESSING   = YES
 
-# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro
-# names in the source code. If set to NO (the default) only conditional
-# compilation will be performed. Macro expansion can be done in a controlled
-# way by setting EXPAND_ONLY_PREDEF to YES.
+# If the MACRO_EXPANSION tag is set to YES doxygen will expand all macro names
+# in the source code. If set to NO only conditional compilation will be
+# performed. Macro expansion can be done in a controlled way by setting
+# EXPAND_ONLY_PREDEF to YES.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
 MACRO_EXPANSION        = YES
 
-# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES
-# then the macro expansion is limited to the macros specified with the
-# PREDEFINED and EXPAND_AS_DEFINED tags.
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES then
+# the macro expansion is limited to the macros specified with the PREDEFINED and
+# EXPAND_AS_DEFINED tags.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
 EXPAND_ONLY_PREDEF     = NO
 
-# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
-# pointed to by INCLUDE_PATH will be searched when a #include is found.
+# If the SEARCH_INCLUDES tag is set to YES the includes files in the
+# INCLUDE_PATH will be searched if a #include is found.
+# The default value is: YES.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
 SEARCH_INCLUDES        = YES
 
 # The INCLUDE_PATH tag can be used to specify one or more directories that
-# contain include files that are not input files but should be processed by
-# the preprocessor.
+# contain include files that are not input files but should be processed by the
+# preprocessor.
+# This tag requires that the tag SEARCH_INCLUDES is set to YES.
 
 INCLUDE_PATH           =
 
 # You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
 # patterns (like *.h and *.hpp) to filter out the header-files in the
-# directories. If left blank, the patterns specified with FILE_PATTERNS will
-# be used.
+# directories. If left blank, the patterns specified with FILE_PATTERNS will be
+# used.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
 INCLUDE_FILE_PATTERNS  =
 
-# The PREDEFINED tag can be used to specify one or more macro names that
-# are defined before the preprocessor is started (similar to the -D option of
-# gcc). The argument of the tag is a list of macros of the form: name
-# or name=definition (no spaces). If the definition and the = are
-# omitted =1 is assumed. To prevent a macro definition from being
-# undefined via #undef or recursively expanded use the := operator
-# instead of the = operator.
+# The PREDEFINED tag can be used to specify one or more macro names that are
+# defined before the preprocessor is started (similar to the -D option of e.g.
+# gcc). The argument of the tag is a list of macros of the form: name or
+# name=definition (no spaces). If the definition and the "=" are omitted, "=1"
+# is assumed. To prevent a macro definition from being undefined via #undef or
+# recursively expanded use the := operator instead of the = operator.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
-PREDEFINED             = LEAK_DETECTIVE __attribute__(x)=
+PREDEFINED             = LEAK_DETECTIVE \
+                         __attribute__(x)=
 
-# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
-# this tag can be used to specify a list of macro names that should be expanded.
-# The macro definition that is found in the sources will be used.
-# Use the PREDEFINED tag if you want to use a different macro definition that
-# overrules the definition found in the source code.
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
+# tag can be used to specify a list of macro names that should be expanded. The
+# macro definition that is found in the sources will be used. Use the PREDEFINED
+# tag if you want to use a different macro definition that overrules the
+# definition found in the source code.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
 EXPAND_AS_DEFINED      =
 
-# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then
-# doxygen's preprocessor will remove all references to function-like macros
-# that are alone on a line, have an all uppercase name, and do not end with a
-# semicolon, because these will confuse the parser if not removed.
+# If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
+# remove all refrences to function-like macros that are alone on a line, have an
+# all uppercase name, and do not end with a semicolon. Such function macros are
+# typically used for boiler-plate code, and will confuse the parser if not
+# removed.
+# The default value is: YES.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
 SKIP_FUNCTION_MACROS   = YES
 
 #---------------------------------------------------------------------------
-# Configuration::additions related to external references
+# Configuration options related to external references
 #---------------------------------------------------------------------------
 
-# The TAGFILES option can be used to specify one or more tagfiles. For each
-# tag file the location of the external documentation should be added. The
-# format of a tag file without this location is as follows:
-#
+# The TAGFILES tag can be used to specify one or more tag files. For each tag
+# file the location of the external documentation should be added. The format of
+# a tag file without this location is as follows:
 # TAGFILES = file1 file2 ...
 # Adding location for the tag files is done as follows:
-#
 # TAGFILES = file1=loc1 "file2 = loc2" ...
-# where "loc1" and "loc2" can be relative or absolute paths
-# or URLs. Note that each tag file must have a unique name (where the name does
-# NOT include the path). If a tag file is not located in the directory in which
-# doxygen is run, you must also specify the path to the tagfile here.
+# where loc1 and loc2 can be relative or absolute paths or URLs. See the
+# section "Linking to external documentation" for more information about the use
+# of tag files.
+# Note: Each tag file must have an unique name (where the name does NOT include
+# the path). If a tag file is not located in the directory in which doxygen is
+# run, you must also specify the path to the tagfile here.
 
 TAGFILES               =
 
-# When a file name is specified after GENERATE_TAGFILE, doxygen will create
-# a tag file that is based on the input files it reads.
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create a
+# tag file that is based on the input files it reads. See section "Linking to
+# external documentation" for more information about the usage of tag files.
 
 GENERATE_TAGFILE       =
 
-# If the ALLEXTERNALS tag is set to YES all external classes will be listed
-# in the class index. If set to NO only the inherited external classes
-# will be listed.
+# If the ALLEXTERNALS tag is set to YES all external class will be listed in the
+# class index. If set to NO only the inherited external classes will be listed.
+# The default value is: NO.
 
 ALLEXTERNALS           = NO
 
-# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed
-# in the modules index. If set to NO, only the current project's groups will
-# be listed.
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed in
+# the modules index. If set to NO, only the current project's groups will be
+# listed.
+# The default value is: YES.
 
 EXTERNAL_GROUPS        = YES
 
+# If the EXTERNAL_PAGES tag is set to YES all external pages will be listed in
+# the related pages index. If set to NO, only the current project's pages will
+# be listed.
+# The default value is: YES.
+
+EXTERNAL_PAGES         = YES
+
 # The PERL_PATH should be the absolute path and name of the perl script
-# interpreter (i.e. the result of `which perl').
+# interpreter (i.e. the result of 'which perl').
+# The default file (with absolute path) is: /usr/bin/perl.
 
 PERL_PATH              = /usr/bin/perl
 
@@ -1571,222 +2012,293 @@ PERL_PATH              = /usr/bin/perl
 # Configuration options related to the dot tool
 #---------------------------------------------------------------------------
 
-# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
-# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base
-# or super classes. Setting the tag to NO turns the diagrams off. Note that
-# this option also works with HAVE_DOT disabled, but it is recommended to
-# install and use dot, since it yields more powerful graphs.
+# If the CLASS_DIAGRAMS tag is set to YES doxygen will generate a class diagram
+# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
+# NO turns the diagrams off. Note that this option also works with HAVE_DOT
+# disabled, but it is recommended to install and use dot, since it yields more
+# powerful graphs.
+# The default value is: YES.
 
 CLASS_DIAGRAMS         = YES
 
 # You can define message sequence charts within doxygen comments using the \msc
-# command. Doxygen will then run the mscgen tool (see
-# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the
+# command. Doxygen will then run the mscgen tool (see:
+# http://www.mcternan.me.uk/mscgen/)) to produce the chart and insert it in the
 # documentation. The MSCGEN_PATH tag allows you to specify the directory where
 # the mscgen tool resides. If left empty the tool is assumed to be found in the
 # default search path.
 
 MSCGEN_PATH            =
 
-# If set to YES, the inheritance and collaboration graphs will hide
-# inheritance and usage relations if the target is undocumented
-# or is not a class.
+# You can include diagrams made with dia in doxygen documentation. Doxygen will
+# then run dia to produce the diagram and insert it in the documentation. The
+# DIA_PATH tag allows you to specify the directory where the dia binary resides.
+# If left empty dia is assumed to be found in the default search path.
+
+DIA_PATH               =
+
+# If set to YES, the inheritance and collaboration graphs will hide inheritance
+# and usage relations if the target is undocumented or is not a class.
+# The default value is: YES.
 
 HIDE_UNDOC_RELATIONS   = YES
 
 # If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
-# available from the path. This tool is part of Graphviz, a graph visualization
-# toolkit from AT&T and Lucent Bell Labs. The other options in this section
-# have no effect if this option is set to NO (the default)
+# available from the path. This tool is part of Graphviz (see:
+# http://www.graphviz.org/), a graph visualization toolkit from AT&T and Lucent
+# Bell Labs. The other options in this section have no effect if this option is
+# set to NO
+# The default value is: NO.
 
 HAVE_DOT               = NO
 
-# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is
-# allowed to run in parallel. When set to 0 (the default) doxygen will
-# base this on the number of processors available in the system. You can set it
-# explicitly to a value larger than 0 to get control over the balance
-# between CPU load and processing speed.
+# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
+# to run in parallel. When set to 0 doxygen will base this on the number of
+# processors available in the system. You can set it explicitly to a value
+# larger than 0 to get control over the balance between CPU load and processing
+# speed.
+# Minimum value: 0, maximum value: 32, default value: 0.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 DOT_NUM_THREADS        = 0
 
-# By default doxygen will use the Helvetica font for all dot files that
-# doxygen generates. When you want a differently looking font you can specify
-# the font name using DOT_FONTNAME. You need to make sure dot is able to find
-# the font, which can be done by putting it in a standard location or by setting
-# the DOTFONTPATH environment variable or by setting DOT_FONTPATH to the
-# directory containing the font.
+# When you want a differently looking font n the dot files that doxygen
+# generates you can specify the font name using DOT_FONTNAME. You need to make
+# sure dot is able to find the font, which can be done by putting it in a
+# standard location or by setting the DOTFONTPATH environment variable or by
+# setting DOT_FONTPATH to the directory containing the font.
+# The default value is: Helvetica.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
-DOT_FONTNAME           = FreeSans
+DOT_FONTNAME           =
 
-# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs.
-# The default size is 10pt.
+# The DOT_FONTSIZE tag can be used to set the size (in points) of the font of
+# dot graphs.
+# Minimum value: 4, maximum value: 24, default value: 10.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 DOT_FONTSIZE           = 10
 
-# By default doxygen will tell dot to use the Helvetica font.
-# If you specify a different font using DOT_FONTNAME you can use DOT_FONTPATH to
-# set the path where dot can find it.
+# By default doxygen will tell dot to use the default font as specified with
+# DOT_FONTNAME. If you specify a different font using DOT_FONTNAME you can set
+# the path where dot can find it using this tag.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 DOT_FONTPATH           =
 
-# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
-# will generate a graph for each documented class showing the direct and
-# indirect inheritance relations. Setting this tag to YES will force the
-# CLASS_DIAGRAMS tag to NO.
+# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for
+# each documented class showing the direct and indirect inheritance relations.
+# Setting this tag to YES will force the CLASS_DIAGRAMS tag to NO.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 CLASS_GRAPH            = YES
 
-# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen
-# will generate a graph for each documented class showing the direct and
-# indirect implementation dependencies (inheritance, containment, and
-# class references variables) of the class with other documented classes.
+# If the COLLABORATION_GRAPH tag is set to YES then doxygen will generate a
+# graph for each documented class showing the direct and indirect implementation
+# dependencies (inheritance, containment, and class references variables) of the
+# class with other documented classes.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 COLLABORATION_GRAPH    = YES
 
-# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen
-# will generate a graph for groups, showing the direct groups dependencies
+# If the GROUP_GRAPHS tag is set to YES then doxygen will generate a graph for
+# groups, showing the direct groups dependencies.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 GROUP_GRAPHS           = YES
 
 # If the UML_LOOK tag is set to YES doxygen will generate inheritance and
 # collaboration diagrams in a style similar to the OMG's Unified Modeling
 # Language.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 UML_LOOK               = NO
 
-# If the UML_LOOK tag is enabled, the fields and methods are shown inside
-# the class node. If there are many fields or methods and many nodes the
-# graph may become too big to be useful. The UML_LIMIT_NUM_FIELDS
-# threshold limits the number of items for each type to make the size more
-# managable. Set this to 0 for no limit. Note that the threshold may be
-# exceeded by 50% before the limit is enforced.
+# If the UML_LOOK tag is enabled, the fields and methods are shown inside the
+# class node. If there are many fields or methods and many nodes the graph may
+# become too big to be useful. The UML_LIMIT_NUM_FIELDS threshold limits the
+# number of items for each type to make the size more manageable. Set this to 0
+# for no limit. Note that the threshold may be exceeded by 50% before the limit
+# is enforced. So when you set the threshold to 10, up to 15 fields may appear,
+# but if the number exceeds 15, the total amount of fields shown is limited to
+# 10.
+# Minimum value: 0, maximum value: 100, default value: 10.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 UML_LIMIT_NUM_FIELDS   = 10
 
-# If set to YES, the inheritance and collaboration graphs will show the
-# relations between templates and their instances.
+# If the TEMPLATE_RELATIONS tag is set to YES then the inheritance and
+# collaboration graphs will show the relations between templates and their
+# instances.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 TEMPLATE_RELATIONS     = NO
 
-# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT
-# tags are set to YES then doxygen will generate a graph for each documented
-# file showing the direct and indirect include dependencies of the file with
-# other documented files.
+# If the INCLUDE_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are set to
+# YES then doxygen will generate a graph for each documented file showing the
+# direct and indirect include dependencies of the file with other documented
+# files.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 INCLUDE_GRAPH          = YES
 
-# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and
-# HAVE_DOT tags are set to YES then doxygen will generate a graph for each
-# documented header file showing the documented files that directly or
-# indirectly include this file.
+# If the INCLUDED_BY_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are
+# set to YES then doxygen will generate a graph for each documented file showing
+# the direct and indirect include dependencies of the file with other documented
+# files.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 INCLUDED_BY_GRAPH      = YES
 
-# If the CALL_GRAPH and HAVE_DOT options are set to YES then
-# doxygen will generate a call dependency graph for every global function
-# or class method. Note that enabling this option will significantly increase
-# the time of a run. So in most cases it will be better to enable call graphs
-# for selected functions only using the \callgraph command.
+# If the CALL_GRAPH tag is set to YES then doxygen will generate a call
+# dependency graph for every global function or class method.
+#
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable call graphs for selected
+# functions only using the \callgraph command.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 CALL_GRAPH             = NO
 
-# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then
-# doxygen will generate a caller dependency graph for every global function
-# or class method. Note that enabling this option will significantly increase
-# the time of a run. So in most cases it will be better to enable caller
-# graphs for selected functions only using the \callergraph command.
+# If the CALLER_GRAPH tag is set to YES then doxygen will generate a caller
+# dependency graph for every global function or class method.
+#
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable caller graphs for selected
+# functions only using the \callergraph command.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 CALLER_GRAPH           = NO
 
-# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen
-# will generate a graphical hierarchy of all classes instead of a textual one.
+# If the GRAPHICAL_HIERARCHY tag is set to YES then doxygen will graphical
+# hierarchy of all classes instead of a textual one.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 GRAPHICAL_HIERARCHY    = YES
 
-# If the DIRECTORY_GRAPH and HAVE_DOT tags are set to YES
-# then doxygen will show the dependencies a directory has on other directories
-# in a graphical way. The dependency relations are determined by the #include
-# relations between the files in the directories.
+# If the DIRECTORY_GRAPH tag is set to YES then doxygen will show the
+# dependencies a directory has on other directories in a graphical way. The
+# dependency relations are determined by the #include relations between the
+# files in the directories.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 DIRECTORY_GRAPH        = YES
 
 # The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
-# generated by dot. Possible values are svg, png, jpg, or gif.
-# If left blank png will be used. If you choose svg you need to set
-# HTML_FILE_EXTENSION to xhtml in order to make the SVG files
-# visible in IE 9+ (other browsers do not have this requirement).
+# generated by dot.
+# Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order
+# to make the SVG files visible in IE 9+ (other browsers do not have this
+# requirement).
+# Possible values are: png, jpg, gif and svg.
+# The default value is: png.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 DOT_IMAGE_FORMAT       = png
 
 # If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
 # enable generation of interactive SVG images that allow zooming and panning.
-# Note that this requires a modern browser other than Internet Explorer.
-# Tested and working are Firefox, Chrome, Safari, and Opera. For IE 9+ you
-# need to set HTML_FILE_EXTENSION to xhtml in order to make the SVG files
-# visible. Older versions of IE do not have SVG support.
+#
+# Note that this requires a modern browser other than Internet Explorer. Tested
+# and working are Firefox, Chrome, Safari, and Opera.
+# Note: For IE 9+ you need to set HTML_FILE_EXTENSION to xhtml in order to make
+# the SVG files visible. Older versions of IE do not have SVG support.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 INTERACTIVE_SVG        = NO
 
-# The tag DOT_PATH can be used to specify the path where the dot tool can be
+# The DOT_PATH tag can be used to specify the path where the dot tool can be
 # found. If left blank, it is assumed the dot tool can be found in the path.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 DOT_PATH               =
 
 # The DOTFILE_DIRS tag can be used to specify one or more directories that
-# contain dot files that are included in the documentation (see the
-# \dotfile command).
+# contain dot files that are included in the documentation (see the \dotfile
+# command).
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 DOTFILE_DIRS           =
 
 # The MSCFILE_DIRS tag can be used to specify one or more directories that
-# contain msc files that are included in the documentation (see the
-# \mscfile command).
+# contain msc files that are included in the documentation (see the \mscfile
+# command).
 
 MSCFILE_DIRS           =
 
-# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of
-# nodes that will be shown in the graph. If the number of nodes in a graph
-# becomes larger than this value, doxygen will truncate the graph, which is
-# visualized by representing a node as a red box. Note that doxygen if the
-# number of direct children of the root node in a graph is already larger than
-# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note
-# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+# The DIAFILE_DIRS tag can be used to specify one or more directories that
+# contain dia files that are included in the documentation (see the \diafile
+# command).
+
+DIAFILE_DIRS           =
+
+# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
+# that will be shown in the graph. If the number of nodes in a graph becomes
+# larger than this value, doxygen will truncate the graph, which is visualized
+# by representing a node as a red box. Note that doxygen if the number of direct
+# children of the root node in a graph is already larger than
+# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note that
+# the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+# Minimum value: 0, maximum value: 10000, default value: 50.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 DOT_GRAPH_MAX_NODES    = 50
 
-# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the
-# graphs generated by dot. A depth value of 3 means that only nodes reachable
-# from the root by following a path via at most 3 edges will be shown. Nodes
-# that lay further from the root node will be omitted. Note that setting this
-# option to 1 or 2 may greatly reduce the computation time needed for large
-# code bases. Also note that the size of a graph can be further restricted by
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the graphs
+# generated by dot. A depth value of 3 means that only nodes reachable from the
+# root by following a path via at most 3 edges will be shown. Nodes that lay
+# further from the root node will be omitted. Note that setting this option to 1
+# or 2 may greatly reduce the computation time needed for large code bases. Also
+# note that the size of a graph can be further restricted by
 # DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+# Minimum value: 0, maximum value: 1000, default value: 0.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 MAX_DOT_GRAPH_DEPTH    = 0
 
 # Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
-# background. This is disabled by default, because dot on Windows does not
-# seem to support this out of the box. Warning: Depending on the platform used,
-# enabling this option may lead to badly anti-aliased labels on the edges of
-# a graph (i.e. they become hard to read).
+# background. This is disabled by default, because dot on Windows does not seem
+# to support this out of the box.
+#
+# Warning: Depending on the platform used, enabling this option may lead to
+# badly anti-aliased labels on the edges of a graph (i.e. they become hard to
+# read).
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 DOT_TRANSPARENT        = NO
 
 # Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
 # files in one run (i.e. multiple -o and -T options on the command line). This
-# makes dot run faster, but since only newer versions of dot (>1.8.10)
-# support this, this feature is disabled by default.
+# makes dot run faster, but since only newer versions of dot (>1.8.10) support
+# this, this feature is disabled by default.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 DOT_MULTI_TARGETS      = NO
 
-# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will
-# generate a legend page explaining the meaning of the various boxes and
-# arrows in the dot generated graphs.
+# If the GENERATE_LEGEND tag is set to YES doxygen will generate a legend page
+# explaining the meaning of the various boxes and arrows in the dot generated
+# graphs.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 GENERATE_LEGEND        = YES
 
-# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will
-# remove the intermediate dot files that are used to generate
-# the various graphs.
+# If the DOT_CLEANUP tag is set to YES doxygen will remove the intermediate dot
+# files that are used to generate the various graphs.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
 
 DOT_CLEANUP            = YES
diff --git a/Makefile.am b/Makefile.am
index 7e3c72b..0703abc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -55,7 +55,7 @@ cov-report:
 		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
 			 -o $(top_builddir)/coverage/coverage.cleaned.info \
 			 --rc lcov_branch_coverage=1
-		genhtml --num-spaces 4 --legend --branch-coverage \
+		genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \
 				-t "$(PACKAGE_STRING)" \
 				-o $(top_builddir)/coverage/html \
 				-p `readlink -m $(abs_top_srcdir)`/src \
diff --git a/Makefile.in b/Makefile.in
index 7115717..e8c0ff5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -294,6 +294,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -312,6 +313,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -339,6 +341,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -430,6 +433,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -492,8 +496,8 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 
 config.h: stamp-h1
-	@if test ! -f $@; then rm -f stamp-h1; else :; fi
-	@if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) stamp-h1; else :; fi
+	@test -f $@ || rm -f stamp-h1
+	@test -f $@ || $(MAKE) $(AM_MAKEFLAGS) stamp-h1
 
 stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
 	@rm -f stamp-h1
@@ -725,10 +729,16 @@ dist-xz: distdir
 	$(am__post_remove_distdir)
 
 dist-tarZ: distdir
+	@echo WARNING: "Support for shar distribution archives is" \
+	               "deprecated." >&2
+	@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
 	tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
 	$(am__post_remove_distdir)
 
 dist-shar: distdir
+	@echo WARNING: "Support for distribution archives compressed with" \
+		       "legacy program 'compress' is deprecated." >&2
+	@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
 	shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
 	$(am__post_remove_distdir)
 
@@ -770,9 +780,10 @@ distcheck: dist
 	  && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
 	  && am__cwd=`pwd` \
 	  && $(am__cd) $(distdir)/_build \
-	  && ../configure --srcdir=.. --prefix="$$dc_install_base" \
+	  && ../configure \
 	    $(AM_DISTCHECK_CONFIGURE_FLAGS) \
 	    $(DISTCHECK_CONFIGURE_FLAGS) \
+	    --srcdir=.. --prefix="$$dc_install_base" \
 	  && $(MAKE) $(AM_MAKEFLAGS) \
 	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
 	  && $(MAKE) $(AM_MAKEFLAGS) check \
@@ -992,7 +1003,7 @@ cov-reset-common:
 @COVERAGE_TRUE@		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
 @COVERAGE_TRUE@			 -o $(top_builddir)/coverage/coverage.cleaned.info \
 @COVERAGE_TRUE@			 --rc lcov_branch_coverage=1
- at COVERAGE_TRUE@		genhtml --num-spaces 4 --legend --branch-coverage \
+ at COVERAGE_TRUE@		genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \
 @COVERAGE_TRUE@				-t "$(PACKAGE_STRING)" \
 @COVERAGE_TRUE@				-o $(top_builddir)/coverage/html \
 @COVERAGE_TRUE@				-p `readlink -m $(abs_top_srcdir)`/src \
diff --git a/NEWS b/NEWS
index fd33fb0..cebeeba 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,51 @@
+strongswan-5.2.0
+----------------
+
+- strongSwan has been ported to the Windows platform. Using a MinGW toolchain,
+  many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2
+  and newer releases. charon-svc implements a Windows IKE service based on
+  libcharon, the kernel-iph and kernel-wfp plugins act as networking and IPsec
+  backend on the Windows platform. socket-win provides a native IKE socket
+  implementation, while winhttp fetches CRL and OCSP information using the
+  WinHTTP API.
+
+- The new vici plugin provides a Versatile IKE Configuration Interface for
+  charon. Using the stable IPC interface, external applications can configure,
+  control and monitor the IKE daemon. Instead of scripting the ipsec tool
+  and generating ipsec.conf, third party applications can use the new interface
+  for more control and better reliability.
+
+- Built upon the libvici client library, swanctl implements the first user of
+  the VICI interface. Together with a swanctl.conf configuration file,
+  connections can be defined, loaded and managed. swanctl provides a portable,
+  complete IKE configuration and control interface for the command line.
+  The first six swanctl example scenarios have been added.
+
+- The SWID IMV implements a JSON-based REST API which allows the exchange
+  of SWID tags and Software IDs with the strongTNC policy manager.
+
+- The SWID IMC can extract all installed packages from the dpkg (Debian,
+  Ubuntu, Linux Mint etc.), rpm (Fedora, RedHat, OpenSUSE, etc.), or
+  pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using the
+  swidGenerator (https://github.com/strongswan/swidGenerator) which generates
+  SWID tags according to the new ISO/IEC 19770-2:2014 standard.
+
+- All IMVs now share the access requestor ID, device ID and product info
+  of an access requestor via a common imv_session object.
+
+- The Attestation IMC/IMV pair supports the IMA-NG measurement format
+  introduced with the Linux 3.13 kernel.
+
+- The aikgen tool generates an Attestation Identity Key bound to a TPM.
+
+- Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network
+  Connect.
+
+- The ipsec.conf replay_window option defines connection specific IPsec replay
+  windows. Original patch courtesy of Zheng Zhong and Christophe Gouault from
+  6Wind.
+
+
 strongswan-5.1.3
 ----------------
 
diff --git a/README b/README
index aa40fe3..e344424 100644
--- a/README
+++ b/README
@@ -1,82 +1,35 @@
-                 ----------------------------
-                  strongSwan - Configuration
-                 ----------------------------
-
-
-Contents
---------
-
-   1. Overview
-   2. Quickstart
-    2.1 Site-to-Site case
-    2.2 Host-to-Host case
-    2.3 Roadwarrior case
-    2.4 Roadwarrior case with virtual IP
-   3. Generating X.509 certificates and CRLs
-    3.1 Generating a CA certificate
-    3.2 Generating a host or user certificate
-    3.3 Generating a CRL
-    3.4 Revoking a certificate
-   4. Configuring the connections - ipsec.conf
-    4.1 Configuring my side
-    4.2 Multiple certificates
-    4.3 Configuring the peer side using CA certificates
-    4.4 Handling Virtual IPs and wildcard subnets
-    4.5 Protocol and port selectors
-    4.6 IPsec policies based on wildcards
-    4.7 IPsec policies based on CA certificates
-   5. Configuring certificates and CRLs
-    5.1 Installing CA certificates
-    5.2 Installing optional Certificate Revocation Lists (CRLs)
-    5.3 Dynamic update of certificates and CRLs
-    5.4 Local caching of CRLs
-    5.5 Online Certificate Status Protocol (OCSP)
-    5.6 CRL policy
-    5.7 Configuring the peer side using locally stored certificates
-   6. Configuring the private keys - ipsec.secrets
-    6.1 Loading private key files in PKCS#1 format
-    6.2 Entering passphrases interactively
-    6.3 Multiple private keys
-   7. Configuring CA properties - ipsec.conf
-   8. Monitoring functions
-   9. Firewall support functions
-       9.1 Environment variables in the updown script
-       9.2 Automatic insertion and deletion of iptables firewall rules
-
-
-1. Overview
-   --------
-
-strongSwan is an OpenSource IPsec solution for Unix based operating systems.
+# strongSwan Configuration #
+
+## Overview ##
+
+strongSwan is an OpenSource IPsec-based VPN solution.
 
 This document is just a short introduction, for more detailed information
-consult the manual pages and our wiki:
+consult the man pages and [**our wiki**](http://wiki.strongswan.org).
 
-    http://wiki.strongswan.org
 
+## Quickstart ##
 
-2. Quickstart
-   ----------
+In the following examples we assume, for reasons of clarity, that **left**
+designates the **local** host and that **right** is the **remote** host.
 
-In the following examples we assume for reasons of clarity that left designates
-the local host and that right is the remote host.  Certificates for users,
-hosts and gateways are issued by a fictitious strongSwan CA.  How to generate
-private keys and certificates using OpenSSL or the strongSwan PKI tool will be
-explained in section 3.  The CA certificate "strongswanCert.pem" must be present
-on all VPN end points in order to be able to authenticate the peers.
+Certificates for users, hosts and gateways are issued by a fictitious
+strongSwan CA.  How to generate private keys and certificates using OpenSSL or
+the strongSwan PKI tool will be explained in one of the sections below.
+The CA certificate `strongswanCert.pem` must be present on all VPN endpoints
+in order to be able to authenticate the peers.
 
 
-2.1 Site-to-site case
-    -----------------
+### Site-to-site case ###
 
-In this scenario two security gateways moon and sun will connect the
-two subnets moon-net and sun-net with each other through a VPN tunnel
+In this scenario two security gateways _moon_ and _sun_ will connect the
+two subnets _moon-net_ and _sun-net_ with each other through a VPN tunnel
 set up between the two gateways:
 
     10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
       moon-net          moon                 sun           sun-net
 
-Configuration on gateway moon:
+Configuration on gateway _moon_:
 
     /etc/ipsec.d/cacerts/strongswanCert.pem
 
@@ -96,7 +49,7 @@ Configuration on gateway moon:
             rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
             auto=start
 
-Configuration on gateway sun:
+Configuration on gateway _sun_:
 
     /etc/ipsec.d/cacerts/strongswanCert.pem
 
@@ -117,8 +70,7 @@ Configuration on gateway sun:
             auto=start
 
 
-2.2 Host-to-host case
-    -----------------
+### Host-to-host case ###
 
 This is a setup between two single hosts which don't have a subnet behind
 them.  Although IPsec transport mode would be sufficient for host-to-host
@@ -127,7 +79,7 @@ connections we will use the default IPsec tunnel mode.
     | 192.168.0.1 | === | 192.168.0.2 |
          moon                sun
 
-Configuration on host moon:
+Configuration on host _moon_:
 
     /etc/ipsec.d/cacerts/strongswanCert.pem
 
@@ -145,7 +97,7 @@ Configuration on host moon:
             rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
             auto=start
 
-Configuration on host sun:
+Configuration on host _sun_:
 
     /etc/ipsec.d/cacerts/strongswanCert.pem
 
@@ -164,8 +116,7 @@ Configuration on host sun:
             auto=start
 
 
-2.3 Roadwarrior case
-    ----------------
+### Roadwarrior case ###
 
 This is a very common case where a strongSwan gateway serves an arbitrary
 number of remote VPN clients usually having dynamic IP addresses.
@@ -173,7 +124,7 @@ number of remote VPN clients usually having dynamic IP addresses.
     10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
       moon-net          moon              carol
 
-Configuration on gateway moon:
+Configuration on gateway _moon_:
 
     /etc/ipsec.d/cacerts/strongswanCert.pem
 
@@ -191,7 +142,7 @@ Configuration on gateway moon:
             right=%any
             auto=add
 
-Configuration on roadwarrior carol:
+Configuration on roadwarrior _carol_:
 
     /etc/ipsec.d/cacerts/strongswanCert.pem
 
@@ -211,29 +162,28 @@ Configuration on roadwarrior carol:
             auto=start
 
 
-2.6 Roadwarrior case with virtual IP
-    --------------------------------
+### Roadwarrior case with virtual IP ###
 
 Roadwarriors usually have dynamic IP addresses assigned by the ISP they are
-currently attached to.  In order to simplify the routing from moon-net back
-to the remote access client carol it would be desirable if the roadwarrior had
-an inner IP address chosen from a pre-assigned pool.
+currently attached to.  In order to simplify the routing from _moon-net_ back
+to the remote access client _carol_ it would be desirable if the roadwarrior had
+an inner IP address chosen from a pre-defined pool.
 
     10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x | -- 10.3.0.1
       moon-net          moon              carol       virtual IP
 
 In our example the virtual IP address is chosen from the address pool
-10.3.0.0/16 which can be configured by adding the parameter
+`10.3.0.0/16` which can be configured by adding the parameter
 
     rightsourceip=10.3.0.0/16
 
-to the gateway's ipsec.conf.  To request an IP address from this pool a
+to the gateway's `ipsec.conf`.  To request an IP address from this pool a
 roadwarrior can use IKEv1 mode config or IKEv2 configuration payloads.
 The configuration for both is the same
 
     leftsourceip=%config
 
-Configuration on gateway moon:
+Configuration on gateway _moon_:
 
     /etc/ipsec.d/cacerts/strongswanCert.pem
 
@@ -252,7 +202,7 @@ Configuration on gateway moon:
             rightsourceip=10.3.0.0/16
             auto=add
 
-Configuration on roadwarrior carol:
+Configuration on roadwarrior _carol_:
 
     /etc/ipsec.d/cacerts/strongswanCert.pem
 
@@ -273,29 +223,28 @@ Configuration on roadwarrior carol:
             auto=start
 
 
-3. Generating certificates and CRLs
-   --------------------------------
+## Generating certificates and CRLs ##
 
 This section is not a full-blown tutorial on how to use OpenSSL or the
 strongSwan PKI tool.  It just lists a few points that are relevant if you want
 to generate your own certificates and CRLs for use with strongSwan.
 
 
-3.1 Generating a CA certificate
-    ---------------------------
+### Generating a CA certificate ###
 
 The OpenSSL statement
 
     openssl req -x509 -days 1460 -newkey rsa:4096 \
                 -keyout strongswanKey.pem -out strongswanCert.pem
 
-creates a 4096 bit RSA private key strongswanKey.pem and a self-signed CA
-certificate strongswanCert.pem with a validity of 4 years (1460 days).
+creates a 4096 bit RSA private key `strongswanKey.pem` and a self-signed CA
+certificate `strongswanCert.pem` with a validity of 4 years (1460 days).
 
     openssl x509 -in cert.pem -noout -text
 
-lists the properties of  a X.509 certificate cert.pem. It allows you to verify
-whether the configuration defaults in openssl.cnf have been inserted correctly.
+lists the properties of  a X.509 certificate `cert.pem`. It allows you to verify
+whether the configuration defaults in `openssl.cnf` have been inserted
+correctly.
 
 If you prefer the CA certificate to be in binary DER format then the following
 command achieves this transformation:
@@ -311,28 +260,27 @@ The statements
     ipsec pki --print --in strongswanCert.der
 
 achieve about the same with the strongSwan PKI tool.  Unlike OpenSSL the tool
-stores keys and certificates in the binary DER format by default.  The --outform
-option may be used to write PEM encoded files.
+stores keys and certificates in the binary DER format by default.
+The `--outform` option may be used to write PEM encoded files.
 
-The directory /etc/ipsec.d/cacerts contains all required CA certificates either
-in binary DER or in base64 PEM format, irrespective of the file suffix the
-correct format will be determined.
+The directory `/etc/ipsec.d/cacerts` contains all required CA certificates
+either in binary DER or in Base64 PEM format, irrespective of the file suffix
+the correct format will be determined.
 
 
-3.2 Generating a host or user certificate
-    -------------------------------------
+### Generating a host or user certificate ###
 
 The OpenSSL statement
 
      openssl req -newkey rsa:2048 -keyout hostKey.pem \
                  -out hostReq.pem
 
-generates a 2048 bit RSA private key hostKey.pem and a certificate request
-hostReq.pem which has to be signed by the CA.
+generates a 2048 bit RSA private key `hostKey.pem` and a certificate request
+`hostReq.pem` which has to be signed by the CA.
 
-If you want to add a subjectAltName field to the host certificate you must edit
-the OpenSSL configuration file openssl.cnf and add the following line in the
-[ usr_cert ] section:
+If you want to add a _subjectAltName_ field to the host certificate you must
+edit the OpenSSL configuration file `openssl.cnf` and add the following line in
+the `[ usr_cert ]` section:
 
      subjectAltName=DNS:moon.strongswan.org
 
@@ -340,7 +288,7 @@ if you want to identify the host by its Fully Qualified Domain Name (FQDN), or
 
      subjectAltName=IP:192.168.0.1
 
-if you want the ID to be of type IPV4_ADDR. Of course you could include both
+if you want the ID to be of type _IPV4_ADDR_. Of course you could include both
 ID types with
 
      subjectAltName=DNS:moon.strongswan.org,IP:192.168.0.1
@@ -348,7 +296,7 @@ ID types with
 but the use of an IP address for the identification of a host should be
 discouraged anyway.
 
-For user certificates the appropriate ID type is RFC822_ADDR which can be
+For user certificates the appropriate ID type is _RFC822_ADDR_ which can be
 specified as
 
      subjectAltName=email:carol at strongswan.org
@@ -361,15 +309,15 @@ Now the certificate request can be signed by the CA with the command
 
      openssl ca -in hostReq.pem -days 730 -out hostCert.pem -notext
 
-If you omit the -days option then the default_days value (365 days) specified
-in openssl.cnf is used.  The -notext option avoids that a human readable
-listing of the certificate is prepended to the base64 encoded certificate
-body.
+If you omit the `-days` option then the `default_days` value (365 days)
+specified in `openssl.cnf` is used.  The `-notext` option avoids that a human
+readable listing of the certificate is prepended to the Base64 encoded
+certificate body.
 
-If you want to use the dynamic CRL fetching feature described in section 4.7
-then you may include one or several crlDistributionPoints in your end
-certificates.  This can be done in the [ usr_cert ] section of the openssl.cnf
-configuration file:
+If you want to use the dynamic CRL fetching feature described in one of the
+following sections then you may include one or several _crlDistributionPoints_
+in your end certificates.  This can be done in the `[ usr_cert ]` section of the
+`openssl.cnf` configuration file:
 
     crlDistributionPoints=@crl_dp
 
@@ -394,11 +342,11 @@ Again the statements
               --san moon.strongswan.org --san 192.168.0.1 \
               --crl http://crl.strongswan.org/strongswan.crl > moonCert.der
 
-do something thing similar using the strongSwan PKI tool.
+do something similar using the strongSwan PKI tool.
 
 Usually, a Windows or Mac OS X (or iOS) based VPN client needs its private key,
-its host or user certificate, and the CA certificate. The most convenient way
-to load this information is to put everything into a PKCS#12 file:
+its host or user certificate, and the CA certificate.  The most convenient way
+to load this information is to put everything into a PKCS#12 container:
 
      openssl pkcs12 -export -inkey carolKey.pem \
                     -in carolCert.pem -name "carol" \
@@ -406,32 +354,30 @@ to load this information is to put everything into a PKCS#12 file:
                     -out carolCert.p12
 
 
-3.3 Generating a CRL
-    ----------------
+### Generating a CRL ###
 
 An empty CRL that is signed by the CA can be generated with the command
 
      openssl ca -gencrl -crldays 15 -out crl.pem
 
-If you omit the -crldays option then the default_crl_days value (30 days)
-specified in openssl.cnf is used.
+If you omit the `-crldays` option then the `default_crl_days` value (30 days)
+specified in `openssl.cnf` is used.
 
 If you prefer the CRL to be in binary DER format then this conversion
 can be achieved with
 
      openssl crl -in crl.pem -outform DER -out cert.crl
 
-The strongSwan PKI tool provides the ipsec pki --signcrl command to sign CRLs.
+The strongSwan PKI tool provides the `--signcrl` command to sign CRLs.
 
-The directory /etc/ipsec.d/crls contains all CRLs either in binary DER
-or in base64 PEM format, irrespective of the file suffix the correct format
+The directory `/etc/ipsec.d/crls` contains all CRLs either in binary DER
+or in Base64 PEM format, irrespective of the file suffix the correct format
 will be determined.
 
 
-3.4 Revoking a certificate
-    ----------------------
+### Revoking a certificate ###
 
-A specific host certificate stored in the file host.pem is revoked with the
+A specific host certificate stored in the file `host.pem` is revoked with the
 command
 
      openssl ca -revoke host.pem
@@ -444,30 +390,28 @@ The content of the CRL file can be listed with the command
 
      openssl crl -in crl.pem -noout -text
 
-in the case of a base64 CRL, or alternatively for a CRL in DER format
+in the case of a Base64 CRL, or alternatively for a CRL in DER format
 
      openssl crl -inform DER -in cert.crl -noout -text
 
-Again the ipsec pki --signcrl command may be used to create new CRLs containing
-additional certificates.
+Again the `--signcrl` command of the strongSwan PKI tool may also be used to
+create new CRLs containing additional certificates.
 
 
-4. Configuring the connections - ipsec.conf
-   ----------------------------------------
+## Configuring the connections - ipsec.conf ##
 
-4.1 Configuring my side
-    -------------------
+### Configuring my side ###
 
-Usually the local side is the same for all connections.  Therefore it makes
+Usually the **local** side is the same for all connections.  Therefore it makes
 sense to put the definitions characterizing the strongSwan security gateway into
-the conn %default section of the configuration file /etc/ipsec.conf.  If we
-assume throughout this document that the strongSwan security gateway is left and
-the peer is right then we can write
+the `conn %default` section of the configuration file `/etc/ipsec.conf`.  If we
+assume throughout this document that the strongSwan security gateway is **left**
+and the peer is **right** then we can write
 
-conn %default
-     leftcert=moonCert.pem
-     # load connection definitions automatically
-     auto=add
+    conn %default
+         leftcert=moonCert.pem
+         # load connection definitions automatically
+         auto=add
 
 The X.509 certificate by which the strongSwan security gateway will authenticate
 itself by sending it in binary form to its peers as part of the Internet Key
@@ -475,23 +419,16 @@ Exchange (IKE) is specified in the line
 
      leftcert=moonCert.pem
 
-The certificate can either be stored in base64 PEM-format or in the binary
+The certificate can either be stored in Base64 PEM-format or in the binary
 DER-format. Irrespective of the file suffix the correct format will be
-determined.  Therefore
-
-     leftcert=moonCert.der
-
-or
-
-     leftcert=moonCert.cer
-
+determined.  Therefore `leftcert=moonCert.der` or `leftcert=moonCert.cer`
 would also be valid alternatives.
 
 When using relative pathnames as in the examples above, the certificate files
-must be stored in in the directory /etc/ipsec.d/certs.  In order to distinguish
-strongSwan's own certificates from locally stored trusted peer certificates
-(see section 5.5 for details), they could also be stored in a subdirectory
-below /etc/ipsec.d/certs as e.g. in
+must be stored in in the directory `/etc/ipsec.d/certs`.  In order to
+distinguish strongSwan's own certificates from locally stored trusted peer
+certificates (see below for details), they could also be stored in a
+subdirectory below `/etc/ipsec.d/certs` as e.g. in
 
     leftcert=mycerts/moonCert.pem
 
@@ -502,173 +439,142 @@ Absolute pathnames are also possible as in
 As an ID for the VPN gateway we recommend the use of a Fully Qualified Domain
 Name (FQDN) of the form
 
-conn rw
-     right=%any
-     leftid=@moon.strongswan.org
+    conn rw
+         right=%any
+         leftid=moon.strongswan.org
 
-Important: When a FQDN identifier is used it must be explicitly included as a
-so called subjectAltName of type dnsName (DNS:) in the certificate indicated
-by leftcert.  For details on how to generate certificates with subjectAltNames,
-please refer to section 3.2.
+**Important**: When a FQDN identifier is used it must be explicitly included as
+a so called _subjectAltName_ of type _dnsName_ (`DNS:`) in the certificate
+indicated by `leftcert`.  For details on how to generate certificates with
+_subjectAltNames_, please refer to the sections above.
 
-If you don't want to mess with subjectAltNames, you can use the certificate's
-Distinguished Name (DN) instead, which is an identifier of type DER_ASN1_DN
+If you don't want to mess with _subjectAltNames_, you can use the certificate's
+Distinguished Name (DN) instead, which is an identifier of type _DER_ASN1_DN_
 and which can be written e.g. in the LDAP-type format
 
-conn rw
-     right=%any
-     leftid="C=CH, O=strongSwan, CN=moon.strongswan.org"
+    conn rw
+         right=%any
+         leftid="C=CH, O=strongSwan, CN=moon.strongswan.org"
 
-Since the subject's DN is part of the certificate, the leftid does not have to
+Since the subject's DN is part of the certificate, the `leftid` does not have to
 be declared explicitly. Thus the entry
 
-conn rw
-     right=%any
+    conn rw
+         right=%any
 
-automatically assumes the subject DN of leftcert to be the host ID.
+automatically assumes the subject DN of `leftcert` to be the host ID.
 
 
-4.2 Multiple certificates
-    ---------------------
+### Multiple certificates ###
 
 strongSwan supports multiple local host certificates and corresponding
 RSA private keys:
 
-conn rw1
-     right=%any
-     rightid=@peer1.domain1
-     leftcert=myCert1.pem
-     # leftid is DN of myCert1
+    conn rw1
+         right=%any
+         rightid=peer1.domain1
+         leftcert=myCert1.pem
+         # leftid is DN of myCert1
 
-conn rw2
-     right=%any
-     rightid=@peer2.domain2
-     leftcert=myCert2.pem
-     # leftid is DN of myCert2
+    conn rw2
+         right=%any
+         rightid=peer2.domain2
+         leftcert=myCert2.pem
+         # leftid is DN of myCert2
 
-When peer1 initiates a connection then strongSwan will send myCert1 and will
-sign with myKey1 defined in /etc/ipsec.secrets (see section 6.2) whereas
-myCert2 and myKey2 will be used in a connection setup started from peer2.
+When _peer1_ initiates a connection then strongSwan will send _myCert1_ and will
+sign with _myKey1_ defined in `/etc/ipsec.secrets` (see below) whereas
+_myCert2_ and _myKey2_ will be used in a connection setup started from _peer2_.
 
 
-4.3 Configuring the peer side using CA certificates
-    -----------------------------------------------
+### Configuring the peer side using CA certificates ###
 
 Now we can proceed to define our connections.  In many applications we might
 have dozens of road warriors connecting to a central strongSwan security
 gateway. The following most simple statement:
 
-conn rw
-     right=%any
+    conn rw
+         right=%any
 
-defines the general roadwarrior case.  The line right=%any literally means that
-any IPsec peer is accepted, regardless of its current IP source address and its
-ID, as long as the peer presents a valid X.509 certificate signed by a CA the
-strongSwan security gateway puts explicit trust in.  Additionally, the signature
-during IKE gives proof that the peer is in possession of the private RSA key
-matching the public key contained in the transmitted certificate.
+defines the general roadwarrior case.  The line `right=%any` literally means
+that any IPsec peer is accepted, regardless of its current IP source address and
+its ID, as long as the peer presents a valid X.509 certificate signed by a CA
+the strongSwan security gateway puts explicit trust in.  Additionally, the
+signature during IKE gives proof that the peer is in possession of the private
+key matching the public key contained in the transmitted certificate.
 
 The ID by which a peer is identifying itself during IKE can by any of the ID
-types IPV[46]_ADDR, FQDN, RFC822_ADDR or DER_ASN1_DN.  If one of the first
-three ID types is used, then the accompanying X.509 certificate of the peer
-must contain a matching subjectAltName field of the type ipAddress (IP:),
-dnsName (DNS:) or rfc822Name (email:), respectively.  With the fourth type
-DER_ASN1_DN the identifier must completely match the subject field of the
-peer's certificate.  One of the two possible representations of a
+types _IPV[46]_ADDR_, _FQDN_, _RFC822_ADDR_ or _DER_ASN1_DN_.  If one of the
+first three ID types is used, then the accompanying X.509 certificate of the
+peer must contain a matching _subjectAltName_ field of the type _ipAddress_
+(`IP:`), _dnsName_ (`DNS:`) or _rfc822Name_ (`email:`), respectively.  With the
+fourth type, _DER_ASN1_DN_, the identifier must completely match the subject
+field of the peer's certificate.  One of the two possible representations of a
 Distinguished Name (DN) is the LDAP-type format
 
      rightid="C=CH, O=strongSwan IPsec, CN=sun.strongswan.org"
 
 Additional whitespace can be added everywhere as desired since it will be
-automatically eliminated by the X.509 parser.  An exception is the single
-whitespace between individual words, like e.g. in strongSwan IPsec, which is
-preserved by the parser.
+automatically eliminated by the parser.  An exception is the single whitespace
+between individual words, like e.g. in `strongSwan IPsec`, which is preserved.
 
 The Relative Distinguished Names (RDNs) can alternatively be separated by a
-slash '/' instead of a comma ','
+slash `/` instead of a comma `,`
 
      rightid="/C=CH/O=strongSwan IPsec/CN=sun.strongswan.org"
 
 This is the representation extracted from the certificate by the OpenSSL
-command line option
+`-subject` command line option
 
      openssl x509 -in sunCert.pem -noout -subject
 
 The following RDNs are supported by strongSwan
 
-+-------------------------------------------------------+
-| DC                   Domain Component                 |
-|-------------------------------------------------------|
-| C                    Country                          |
-|-------------------------------------------------------|
-| ST                   State or province                |
-|-------------------------------------------------------|
-| L                    Locality or town                 |
-|-------------------------------------------------------|
-| O                    Organization                     |
-|-------------------------------------------------------|
-| OU                   Organizational Unit              |
-|-------------------------------------------------------|
-| CN                   Common Name                      |
-|-------------------------------------------------------|
-| ND                   NameDistinguisher, used with CN  |
-|-------------------------------------------------------|
-| N                    Name                             |
-|-------------------------------------------------------|
-| G                    Given name                       |
-|-------------------------------------------------------|
-| S                    Surname                          |
-|-------------------------------------------------------|
-| I                    Initials                         |
-|-------------------------------------------------------|
-| T                    Personal title                   |
-|-------------------------------------------------------|
-| E                    E-mail                           |
-|-------------------------------------------------------|
-| Email                E-mail                           |
-|-------------------------------------------------------|
-| emailAddress         E-mail                           |
-|-------------------------------------------------------|
-| SN                   Serial number                    |
-|-------------------------------------------------------|
-| serialNumber         Serial number                    |
-|-------------------------------------------------------|
-| D                    Description                      |
-|-------------------------------------------------------|
-| ID                   X.500 Unique Identifier          |
-|-------------------------------------------------------|
-| UID                  User ID                          |
-|-------------------------------------------------------|
-| TCGID                [Siemens] Trust Center Global ID |
-|-------------------------------------------------------|
-| UN                   Unstructured Name                |
-|-------------------------------------------------------|
-| unstructuredName     Unstructured Name                |
-|-------------------------------------------------------|
-| UA                   Unstructured Address             |
-|-------------------------------------------------------|
-| unstructuredAddress  Unstructured Address             |
-|-------------------------------------------------------|
-| EN                   Employee Number                  |
-|-------------------------------------------------------|
-| employeeNumber       Employee Number                  |
-|-------------------------------------------------------|
-| dnQualifier          DN Qualifier                     |
-+-------------------------------------------------------+
+| Name               | Description                      |
+|--------------------|----------------------------------|
+| DC                 | Domain Component                 |
+| C                  | Country                          |
+| ST                 | State or province                |
+| L                  | Locality or town                 |
+| O                  | Organization                     |
+| OU                 | Organizational Unit              |
+| CN                 | Common Name                      |
+| ND                 | NameDistinguisher, used with CN  |
+| N                  | Name                             |
+| G                  | Given name                       |
+| S                  | Surname                          |
+| I                  | Initials                         |
+| T                  | Personal title                   |
+| E                  | E-mail                           |
+| Email              | E-mail                           |
+| emailAddress       | E-mail                           |
+| SN                 | Serial number                    |
+| serialNumber       | Serial number                    |
+| D                  | Description                      |
+| ID                 | X.500 Unique Identifier          |
+| UID                | User ID                          |
+| TCGID              | [Siemens] Trust Center Global ID |
+| UN                 | Unstructured Name                |
+| unstructuredName   | Unstructured Name                |
+| UA                 | Unstructured Address             |
+| unstructuredAddress| Unstructured Address             |
+| EN                 | Employee Number                  |
+| employeeNumber     | Employee Number                  |
+| dnQualifier        | DN Qualifier                     |
 
 With the roadwarrior connection definition listed above, an IPsec SA for
-the strongSwan security gateway moon.strongswan.org itself can be established.
-If any roadwarrior should be able to reach e.g. the two subnets 10.1.0.0/24
-and 10.1.3.0/24 behind the security gateway then the following connection
+the strongSwan security gateway `moon.strongswan.org` itself can be established.
+If the roadwarriors should be able to reach e.g. the two subnets `10.1.0.0/24`
+and `10.1.3.0/24` behind the security gateway then the following connection
 definitions will make this possible
 
-conn rw1
-     right=%any
-     leftsubnet=10.1.0.0/24
+    conn rw1
+         right=%any
+         leftsubnet=10.1.0.0/24
 
-conn rw3
-     right=%any
-     leftsubnet=10.1.3.0/24
+    conn rw3
+         right=%any
+         leftsubnet=10.1.3.0/24
 
 For IKEv2 connections this can even be simplified by using
 
@@ -677,199 +583,192 @@ For IKEv2 connections this can even be simplified by using
 If not all peers in possession of a X.509 certificate signed by a specific
 certificate authority shall be given access to the Linux security gateway,
 then either a subset of them can be barred by listing the serial numbers of
-their certificates in a certificate revocation list (CRL) as specified in
-section 5.2 or as an alternative, access can be controlled by explicitly
-putting a roadwarrior entry for each eligible peer into ipsec.conf:
+their certificates in a certificate revocation list (CRL) or as an alternative,
+access can be controlled by explicitly putting a roadwarrior entry for each
+eligible peer into `ipsec.conf`:
 
-conn sun
-     right=%any
-     rightid=@sun.strongswan.org
+    conn sun
+         right=%any
+         rightid=sun.strongswan.org
 
-conn carol
-     right=%any
-     rightid=carol at strongswan.org
+    conn carol
+         right=%any
+         rightid=carol at strongswan.org
 
-conn dave
-     right=%any
-     rightid="C=CH, O=strongSwan, CN=dave at strongswan.org"
+    conn dave
+         right=%any
+         rightid="C=CH, O=strongSwan, CN=dave at strongswan.org"
 
 When the IP address of a peer is known to be stable, it can be specified as
 well.  This entry is mandatory when the strongSwan host wants to act as the
 initiator of an IPsec connection.
 
-conn sun
-     right=192.168.0.2
-     rightid=@sun.strongswan.org
+    conn sun
+         right=192.168.0.2
+         rightid=sun.strongswan.org
 
-conn carol
-     right=192.168.0.100
-     rightid=carol at strongswan.org
+    conn carol
+         right=192.168.0.100
+         rightid=carol at strongswan.org
 
-conn dave
-     right=192.168.0.200
-     rightid="C=CH, O=strongSwan, CN=dave at strongswan.org"
+    conn dave
+         right=192.168.0.200
+         rightid="C=CH, O=strongSwan, CN=dave at strongswan.org"
 
-conn venus
-     right=192.168.0.50
+    conn venus
+         right=192.168.0.50
 
-In the last example the ID types FQDN, RFC822_ADDR, DER_ASN1_DN and IPV4_ADDR,
-respectively, were used.  Of course all connection definitions presented so far
-have included the lines in the conn %defaults section, comprising among other
-a leftcert entry.
+In the last example the ID types _FQDN_, _RFC822_ADDR_, _DER_ASN1_DN_ and
+_IPV4_ADDR_, respectively, were used.  Of course all connection definitions
+presented so far have included the lines in the `conn %defaults` section,
+comprising among other a `leftcert` entry.
 
 
-4.4 Handling Virtual IPs and narrowing
-    ----------------------------------
+### Handling Virtual IPs and narrowing ###
 
-Often roadwarriors are behind NAT-boxes with IPsec passthrough, which causes
-the inner IP source address of an IPsec tunnel to be different from the
-outer IP source address usually assigned dynamically by the ISP.
-Whereas the varying outer IP address can be handled by the right=%any
-construct, the inner IP address or subnet must always be declared in a
-connection definition. Therefore for the three roadwarriors rw1 to rw3
-connecting to a strongSwan security gateway the following entries are
-required in /etc/ipsec.conf:
+Often roadwarriors are behind NAT-boxes, which causes the inner IP source
+address of an IPsec tunnel to be different from the outer IP source address
+usually assigned dynamically by the ISP.  Whereas the varying outer IP address
+can be handled by the `right=%any` construct, the inner IP address or subnet
+must always be declared in a connection definition. Therefore for the three
+roadwarriors _rw1_ to _rw3_ connecting to a strongSwan security gateway the
+following entries are required in `/etc/ipsec.conf`:
 
-conn rw1
-     right=%any
-     righsubnet=10.4.0.5/32
+    conn rw1
+         right=%any
+         righsubnet=10.4.0.5/32
 
-conn rw2
-     right=%any
-     rightsubnet=10.4.0.47/32
+    conn rw2
+         right=%any
+         rightsubnet=10.4.0.47/32
 
-conn rw3
-     right=%any
-     rightsubnet=10.4.0.128/28
+    conn rw3
+         right=%any
+         rightsubnet=10.4.0.128/28
 
 Because the charon daemon uses narrowing (even for IKEv1) these three entries
 can be reduced to the single connection definition
 
-conn rw
-     right=%any
-     rightsubnet=10.4.0.0/24
+    conn rw
+         right=%any
+         rightsubnet=10.4.0.0/24
 
 Any host will be accepted (of course after successful authentication based on
 the peer's X.509 certificate only) if it declares a client subnet lying totally
-within the brackets defined by the subnet definition (in our example
-10.4.0.0/24).
+within the boundaries defined by the subnet definition (in our example
+`10.4.0.0/24`).
 
 This strongSwan feature can also be helpful with VPN clients getting a
 dynamically assigned inner IP from a DHCP server located on the NAT router box.
 
+Since the private IP address of roadwarriors will often not be known they are
+usually assigned virtual IPs from a predefined pool.  This also makes routing
+traffic back to the roadwarriors easier. For example, to assign each client an
+IP address from the `10.5.0.0/24` subnet `conn rw` can be defined as
 
-4.5 Protocol and Port Selectors
-    ---------------------------
+    conn rw
+         right=%any
+         rightsourceip=10.5.0.0/24
 
-strongSwan offer the possibility to restrict the protocol and optionally the
-ports in an IPsec SA using the rightprotoport and leftprotoport parameters.
 
-Some examples:
+### Protocol and Port Selectors ###
 
-conn icmp
-     right=%any
-     rightprotoport=icmp
-     leftid=@moon.strongswan.org
-     leftprotoport=icmp
-
-conn http
-     right=%any
-     rightprotoport=6
-     leftid=@moon.strongswan.org
-     leftprotoport=6/80
-
-conn l2tp       # with port wildcard for Mac OS X Panther interoperability
-     right=%any
-     rightprotoport=17/%any
-     leftid=@moon.strongswan.org
-     leftprotoport=17/1701
-
-conn dhcp
-     right=%any
-     rightprotoport=udp/bootpc
-     leftid=@moon.strongswan.org
-     leftsubnet=0.0.0.0/0  #allows DHCP discovery broadcast
-     leftprotoport=udp/bootps
-     rekey=no
-     keylife=20s
-     rekeymargin=10s
-     auto=add
+strongSwan offers the possibility to restrict the protocol and optionally the
+ports in an IPsec SA using the `rightprotoport` and `leftprotoport` parameters.
+For IKEv2 multiple such restrictions can also be configured in
+`leftsubnet` and `rightsubnet`.
 
-Protocols and ports can be designated either by their numerical values
-or by their acronyms defined in /etc/services.
-
-    ipsec status
+Some examples:
 
-shows the following connection definitions:
+    conn icmp
+         right=%any
+         rightprotoport=icmp
+         leftid=moon.strongswan.org
+         leftprotoport=icmp
+
+    conn http
+         right=%any
+         rightprotoport=6
+         leftid=moon.strongswan.org
+         leftprotoport=6/80
+
+    conn l2tp
+         right=%any
+         # with port wildcard for interoperability with certain L2TP clients
+         rightprotoport=17/%any
+         leftid=moon.strongswan.org
+         leftprotoport=17/1701
+
+    conn dhcp
+         right=%any
+         rightprotoport=udp/bootpc
+         leftid=moon.strongswan.org
+         leftsubnet=0.0.0.0/0  #allows DHCP discovery broadcast
+         leftprotoport=udp/bootps
 
-"icmp": 192.168.0.1[@moon.strongswan.org]:1/0...%any:1/0
-"http": 192.168.0.1[@moon.strongswan.org]:6/80...%any:6/0
-"l2tp": 192.168.0.1[@moon.strongswan.org]:17/1701...%any:17/%any
-"dhcp": 0.0.0.0/0===192.168.0.1[@moon.strongswan.org]:17/67...%any:17/68
+Protocols and ports can be designated either by their numerical values
+or by their acronyms defined in `/etc/services`.
 
 Based on the protocol and port selectors appropriate policies will be set
 up, so that only the specified payload types will pass through the IPsec
 tunnel.
 
 
-4.6 IPsec policies based on wildcards
-    ---------------------------------
+### IPsec policies based on wildcards ###
 
 In large VPN-based remote access networks there is often a requirement that
 access to the various parts of an internal network must be granted selectively,
 e.g. depending on the group membership of the remote access user.  strongSwan
 makes this possible by applying wildcard filtering on the VPN user's
-distinguished name (ID_DER_ASN1_DN).
+distinguished name (_ID_DER_ASN1_DN_).
 
 Let's make a practical example:
 
-An organization has a sales department (OU=Sales) and a research group
-(OU=Research).  In the company intranet there are separate subnets for Sales
-(10.0.0.0/24) and Research (10.0.1.0/24) but both groups share a common web
-server (10.0.2.100).  The VPN clients use Virtual IP addresses that are either
+An organization has a sales department (_OU=Sales_) and a research group
+(_OU=Research_).  In the company intranet there are separate subnets for Sales
+(`10.0.0.0/24`) and Research (`10.0.1.0/24`) but both groups share a common web
+server (`10.0.2.100`).  The VPN clients use Virtual IP addresses that are either
 assigned statically or from a dynamic pool.  The sales and research departments
-use IP addresses from separate address pools (10.1.0.0/24) and (10.1.1.0/24),
-respectively.  An X.509 certificate is issued to each employee, containing in
-its subject distinguished name the country (C=CH), the company (O=ACME),
-the group membership(OU=Sales or OU=Research) and the common name (e.g.
-CN=Bart Simpson).
+use IP addresses from separate address pools (`10.1.0.0/24`) and
+(`10.1.1.0/24`), respectively.  An X.509 certificate is issued to each employee,
+containing in its subject distinguished name the country (_C=CH_), the company
+(_O=ACME_), the group membership (_OU=Sales_ or _OU=Research_) and the common
+name (e.g. _CN=Bart Simpson_).
 
 The IPsec policy defined above can now be enforced with the following three
 IPsec security associations:
 
-conn sales
-     right=%any
-     rightid="C=CH, O=ACME, OU=Sales, CN=*"
-     rightsubnet=10.1.0.0/24         # Sales IP range
-     leftsubnet=10.0.0.0/24          # Sales subnet
-
-conn research
-     right=%any
-     rightid="C=CH, O=ACME, OU=Research, CN=*"
-     rightsubnet=10.1.1.0/24         # Research IP range
-     leftsubnet=10.0.1.0/24          # Research subnet
-
-conn web
-     right=%any
-     rightid="C=CH, O=ACME, OU=*, CN=*"
-     rightsubnet=10.1.0.0/23         # Remote access IP range
-     leftsubnet=10.0.2.100/32        # Web server
-     rightprotoport=tcp              # TCP protocol only
-     leftprotoport=tcp/http          # TCP port 80 only
-
-The '*' character is used as a wildcard in relative distinguished names (RDNs).
-In order to match a wildcard template, the ID_DER_ASN1_DN of a peer must contain
-the same number of RDNs (selected from the list in section 4.3) appearing in the
-exact order defined by the template.
+    conn sales
+         right=%any
+         rightid="C=CH, O=ACME, OU=Sales, CN=*"
+         rightsourceip=10.1.0.0/24       # Sales IP range
+         leftsubnet=10.0.0.0/24          # Sales subnet
+
+    conn research
+         right=%any
+         rightid="C=CH, O=ACME, OU=Research, CN=*"
+         rightsourceip=10.1.1.0/24       # Research IP range
+         leftsubnet=10.0.1.0/24          # Research subnet
+
+    conn web
+         right=%any
+         rightid="C=CH, O=ACME, OU=*, CN=*"
+         rightsubnet=10.1.0.0/23         # Remote access IP range
+         leftsubnet=10.0.2.100/32        # Web server
+         rightprotoport=tcp              # TCP protocol only
+         leftprotoport=tcp/http          # TCP port 80 only
+
+The `*` character is used as a wildcard in relative distinguished names (RDNs).
+In order to match a wildcard template, the _ID_DER_ASN1_DN_ of a peer must
+contain the same number of RDNs (selected from the list given earlier) appearing
+in the exact order defined by the template.
 
     "C=CH, O=ACME, OU=Research, OU=Special Effects, CN=Bart Simpson"
 
 matches the templates
 
     "C=CH, O=ACME, OU=Research, OU=*, CN=*"
-
     "C=CH, O=ACME, OU=*, OU=Special Effects, CN=*"
-
     "C=CH, O=ACME, OU=*, OU=*, CN=*"
 
 but not the template
@@ -879,79 +778,74 @@ but not the template
 which doesn't have the same number of RDNs.
 
 
-4.7 IPsec policies based on CA certificates
-    ---------------------------------------
-
-As an alternative to the wildcard based IPsec policies described in section 4.6,
-access to specific client host and subnets can be controlled on the basis of
-the CA that issued the peer certificate
+### IPsec policies based on CA certificates ###
 
+As an alternative to the wildcard based IPsec policies described above, access
+to specific client host and subnets can be controlled on the basis of the CA
+that issued the peer certificate
 
-conn sales
-     right=%any
-     rightca="C=CH, O=ACME, OU=Sales, CN=Sales CA"
-     rightsubnet=10.1.0.0/24         # Sales IP range
-     leftsubnet=10.0.0.0/24          # Sales subnet
+    conn sales
+         right=%any
+         rightca="C=CH, O=ACME, OU=Sales, CN=Sales CA"
+         rightsourceip=10.1.0.0/24       # Sales IP range
+         leftsubnet=10.0.0.0/24          # Sales subnet
 
-conn research
-     right=%any
-     rightca="C=CH, O=ACME, OU=Research, CN=Research CA"
-     rightsubnet=10.1.1.0/24         # Research IP range
-     leftsubnet=10.0.1.0/24          # Research subnet
+    conn research
+         right=%any
+         rightca="C=CH, O=ACME, OU=Research, CN=Research CA"
+         rightsourceip=10.1.1.0/24       # Research IP range
+         leftsubnet=10.0.1.0/24          # Research subnet
 
-conn web
-     right=%any
-     rightca="C=CH, O=ACME, CN=ACME Root CA"
-     rightsubnet=10.1.0.0/23         # Remote access IP range
-     leftsubnet=10.0.2.100/32        # Web server
-     rightprotoport=tcp              # TCP protocol only
-     leftprotoport=tcp/http          # TCP port 80 only
+    conn web
+         right=%any
+         rightca="C=CH, O=ACME, CN=ACME Root CA"
+         rightsubnet=10.1.0.0/23         # Remote access IP range
+         leftsubnet=10.0.2.100/32        # Web server
+         rightprotoport=tcp              # TCP protocol only
+         leftprotoport=tcp/http          # TCP port 80 only
 
-In the example above, the connection "sales" can be used by peers
+In the example above, the connection _sales_ can be used by peers
 presenting certificates issued by the Sales CA, only.  In the same way,
-the use of the connection "research" is restricted to owners of certificates
-issued by the Research CA.  The connection "web" is open to both "Sales" and
-"Research" peers because the required "ACME Root CA" is the issuer of the
-Research and Sales intermediate CAs.  If no rightca parameter is present
+the use of the connection _research_ is restricted to owners of certificates
+issued by the Research CA.  The connection _web_ is open to both "Sales" and
+"Research" peers because the required _ACME Root CA_ is the issuer of the
+Research and Sales intermediate CAs.  If no `rightca` parameter is present
 then any valid certificate issued by one of the trusted CAs in
-/etc/ipsec.d/cacerts can be used by the peer.
+`/etc/ipsec.d/cacerts` can be used by the peer.
 
-The leftca parameter usually doesn't have to be set explicitly because
+The `leftca` parameter usually doesn't have to be set explicitly because
 by default it is set to the issuer field of the certificate loaded via
-leftcert.  The statement
+`leftcert`.  The statement
 
      rightca=%same
 
 sets the CA requested from the peer to the CA used by the left side itself
 as e.g. in
 
-conn sales
-     right=%any
-     rightca=%same
-     leftcert=mySalesCert.pem
+    conn sales
+         right=%any
+         rightca=%same
+         leftcert=mySalesCert.pem
 
 
-5. Configuring certificates and CRLs
-   ---------------------------------
+## Configuring certificates and CRLs ##
 
 
-5.1 Installing the CA certificates
-    ------------------------------
+### Installing the CA certificates ###
 
 X.509 certificates received by strongSwan during the IKE protocol are
 automatically authenticated by going up the trust chain until a self-signed
 root CA certificate is reached.  Usually host certificates are directly signed
 by a root CA, but strongSwan also supports multi-level hierarchies with
 intermediate CAs in between.  All CA certificates belonging to a trust chain
-must be copied in either binary DER or base64 PEM format into the directory
+must be copied in either binary DER or Base64 PEM format into the directory
 
      /etc/ipsec.d/cacerts/
 
 
-5.2 Installing optional certificate revocation lists (CRLs)
-    -------------------------------------------------------
+### Installing optional certificate revocation lists (CRLs) ###
 
-By copying a CA certificate into /etc/ipsec.d/cacerts/, automatically all user
+By copying a CA certificate into `/etc/ipsec.d/cacerts/`, automatically all user
 or host certificates issued by this CA are declared valid.  Unfortunately,
 private keys might get compromised inadvertently or intentionally, personal
 certificates of users leaving a company have to be blocked immediately, etc.
@@ -960,97 +854,85 @@ contain the serial numbers of all user or host certificates that have been
 revoked due to various reasons.
 
 After successful verification of the X.509 trust chain, strongSwan searches its
-list of CRLs either obtained by loading them from the /etc/ipsec.d/crls/
-directory or fetching them dynamically from a HTTP or LDAP server for the
+list of CRLs, either obtained by loading them from the `/etc/ipsec.d/crls/`
+directory, or fetching them dynamically from a HTTP or LDAP server, for the
 presence of a CRL issued by the CA that has signed the certificate.
 
 If the serial number of the certificate is found in the CRL then the public key
-contained in the certificate is declared invalid and the IPsec SA will not be
-established.  If no CRL is found or if the deadline defined in the nextUpdate
+contained in the certificate is declared invalid and the IKE SA will not be
+established.  If no CRL is found or if the deadline defined in the _nextUpdate_
 field of the CRL has been reached, a warning is issued but the public key will
-nevertheless be accepted.  CRLs must be stored either in binary DER or base64
-PEM format in the crls directory.
+nevertheless be accepted (this behavior can be changed, see below).  CRLs must
+be stored either in binary DER or Base64 PEM format in the `crls` directory.
 
 
-5.3 Dynamic update of certificates and CRLs
-    ---------------------------------------
+### Dynamic update of certificates and CRLs ###
 
 strongSwan reads certificates and CRLs from their respective files during system
 startup and keeps them in memory.  X.509 certificates have a finite life span
 defined by their validity field.  Therefore it must be possible to replace CA or
 OCSP certificates kept in system memory without disturbing established IKE SAs.
 Certificate revocation lists should also be updated in the regular intervals
-indicated by the nextUpdate field in the CRL body.  The following interactive
+indicated by the _nextUpdate_ field in the CRL body.  The following interactive
 commands allow the manual replacement of the various files:
 
-+---------------------------------------------------------------------------+
-| ipsec rereadsecrets       reload file /etc/ipsec.secrets                  |
-|---------------------------------------------------------------------------|
-| ipsec rereadcacerts       reload all files in /etc/ipsec.d/cacerts/       |
-|---------------------------------------------------------------------------|
-| ipsec rereadaacerts       reload all files in /etc/ipsec.d/aacerts/       |
-|---------------------------------------------------------------------------|
-| ipsec rereadocspcerts     reload all files in /etc/ipsec.d/ocspcerts/     |
-|---------------------------------------------------------------------------|
-| ipsec rereadacerts        reload all files in /etc/ipsec.d/acerts/        |
-|---------------------------------------------------------------------------|
-| ipsec rereadcrls          reload all files in /etc/ipsec.d/crls/          |
-|---------------------------------------------------------------------------|
-| ipsec rereadall           ipsec rereadsecrets                             |
-|                                 rereadcacerts                             |
-|                                 rereadaacerts                             |
-|                                 rereadocspcerts                           |
-|                                 rereadacerts                              |
-|                                 rereadcrls                                |
-|---------------------------------------------------------------------------|
-| ipsec purgeocsp           purge the OCSP cache and fetching requests      |
-+---------------------------------------------------------------------------+
+
+| Command                 | Action                                          |
+|-------------------------|-------------------------------------------------|
+| ipsec rereadaacerts     | reload all files in `/etc/ipsec.d/aacerts/`     |
+| ipsec rereadacerts      | reload all files in `/etc/ipsec.d/acerts/`      |
+| ipsec rereadcacerts     | reload all files in `/etc/ipsec.d/cacerts/`     |
+| ipsec rereadcrls        | reload all files in `/etc/ipsec.d/crls/`        |
+| ipsec rereadocspcerts   | reload all files in `/etc/ipsec.d/ocspcerts/`   |
+| ipsec rereadsecrets     | reload `/etc/ipsec.secrets` and configured keys |
+| ipsec rereadall         | all the commands above combined                 |
+| ipsec purgecerts        | purge all cached certificates                   |
+| ipsec purgecrl          | purge all cached CRLs                           |
+| ipsec purgeocsp         | purge the OCSP cache                            |
+
 
 CRLs can also be automatically fetched from an HTTP or LDAP server by using
 the CRL distribution points contained in X.509 certificates.
 
 
-5.4 Local caching of CRLs
-    ---------------------
+### Local caching of CRLs ###
 
-The the ipsec.conf option
+The `ipsec.conf` option
 
-   config setup
-        cachecrls=yes
+    config setup
+         cachecrls=yes
 
 activates the local caching of CRLs that were dynamically fetched from an
-HTTP or LDAP server.  Cached copies are stored in /etc/ipsec.d/crls using a
-unique filename formed from the issuer's SubjectKeyIdentifier and the
-suffix .crl.
+HTTP or LDAP server.  Cached copies are stored in `/etc/ipsec.d/crls` using a
+unique filename formed from the issuer's _subjectKeyIdentifier_ and the
+suffix `.crl`.
 
 With the cached copy the CRL is immediately available after startup.  When the
 local copy is about to expire it is automatically replaced with an updated CRL
 fetched from one of the defined CRL distribution points.
 
 
-5.5 Online Certificate Status Protocol (OCSP)
-    -----------------------------------------
+### Online Certificate Status Protocol (OCSP) ###
 
-The Online Certificate Status Protocol is defined by RFC 2560.  It can be
+The _Online Certificate Status Protocol_ is defined by RFC 2560.  It can be
 used to query an OCSP server about the current status of an X.509 certificate
 and is often used as a more dynamic alternative to a static Certificate
 Revocation List (CRL).  Both the OCSP request sent by the client and the OCSP
 response messages returned by the server are transported via a standard
-TCP/HTTP connection.  Therefore cURL support must be enabled during
-configuration.
+TCP/HTTP connection.
 
 In the simplest OCSP setup, a default URI under which the OCSP server for a
-given CA can be accessed is defined in ipsec.conf:
+given CA can be accessed is defined in `ipsec.conf`:
 
-   ca strongswan
-        cacert=strongswanCert.pem
-        ocspuri=http://ocsp.strongswan.org:8880
-        auto=add
+    ca strongswan
+         cacert=strongswanCert.pem
+         ocspuri=http://ocsp.strongswan.org:8880
+         auto=add
 
 The HTTP port can be freely chosen.
 
 OpenSSL implements an OCSP server that can be used in conjunction with an
-openssl-based Public Key Infrastructure.  The OCSP server is started with the
+OpenSSL-based Public Key Infrastructure.  The OCSP server is started with the
 following command:
 
     openssl ocsp -index index.txt -CA strongswanCert.pem -port 8880 \
@@ -1059,34 +941,35 @@ following command:
 
 The command consists of the parameters
 
- -index    index.txt is a copy of the OpenSSL index file containing the list of
-           all issued certificates.  The certificate status in index.txt
-           is designated either by V for valid or R for revoked.  If a new
-           certificate is added or if a certificate is revoked using the
-           openssl ca command, the OCSP server must be restarted in order for
-           the changes in index.txt to take effect.
+    -index   index.txt is a copy of the OpenSSL index file containing the list
+             of all issued certificates.  The certificate status in index.txt
+             is designated either by V for valid or R for revoked.  If a new
+             certificate is added or if a certificate is revoked using the
+             openssl ca command, the OCSP server must be restarted in order for
+             the changes in index.txt to take effect.
 
- -CA       the CA certificate
+    -CA      the CA certificate
 
- -port     the HTTP port the OCSP server is listening on.
+    -port    the HTTP port the OCSP server is listening on.
 
- -rkey     the private key used to sign the OCSP response.  The use of the
-           sensitive CA private key is not recommended since this could
-           jeopardize the security of your production PKI if the OCSP
-           server is hacked.  It is much better to generate a special
-           RSA private key just for OCSP signing use instead.
+    -rkey    the private key used to sign the OCSP response.  The use of the
+             sensitive CA private key is not recommended since this could
+             jeopardize the security of your production PKI if the OCSP
+             server is hacked.  It is much better to generate a special
+             RSA private key just for OCSP signing use instead.
 
- -rsigner  the certificate of the OCSP server containing a public key which
-           matches the private key defined by -rkey and which can be used by
-           the client to check the trustworthiness of the signed OCSP response.
+    -rsigner the certificate of the OCSP server containing a public key which
+             matches the private key defined by -rkey and which can be used by
+             the client to check the trustworthiness of the signed OCSP
+             response.
 
- -resp_no_certs  With this option the OCSP signer certificate defined by
-                 -rsigner is not included in the OCSP response.
+    -resp_no_certs  With this option the OCSP signer certificate defined by
+                    -rsigner is not included in the OCSP response.
 
- -nmin     the validity interval of an OCSP response given in minutes.
+    -nmin    the validity interval of an OCSP response given in minutes.
 
- -text     this option activates a verbose logging output, showing the contents
-           of both the received OCSP request and sent OCSP response.
+    -text    this option activates a verbose logging output, showing the
+             contents of both the received OCSP request and sent OCSP response.
 
 
 The OCSP signer certificate can either be put into the default directory
@@ -1100,91 +983,90 @@ must be included in the OCSP server certificate.  Just insert the parameter
 
     extendedKeyUsage=OCSPSigner
 
-in the [ usr_cert ] section of your openssl.cnf configuration file before
+in the `[ usr_cert ]` section of your `openssl.cnf` configuration file before
 the CA signs the OCSP server certificate.
 
-For a given CA the corresponding ca section in ipsec.conf (see section 7) allows
+For a given CA the corresponding _ca_ section in `ipsec.conf` (see below) allows
 to define the URI of a single OCSP server.  As an alternative an OCSP URI can be
 embedded into each host and user certificate by putting the line
 
     authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
 
-into the [ usr_cert ] section of your openssl.cnf configuration file.
-If an OCSP authorityInfoAccess extension is present in a certificate then this
+into the `[ usr_cert ]` section of your `openssl.cnf` configuration file.
+If an OCSP _authorityInfoAccess_ extension is present in a certificate then this
 record overrides the default URI defined by the ca section.
 
 
-5.6 CRL Policy
-    ----------
+### CRL Policy ###
 
 By default strongSwan is quite tolerant concerning the handling of CRLs. It is
-not mandatory for a CRL to be present in /etc/ipsec.d/crls and if the expiration
-date defined by the nextUpdate field of a CRL has been reached just a warning
-is issued but a peer certificate will always be accepted if it has not been
-revoked.
+not mandatory for a CRL to be present in `/etc/ipsec.d/crls` and if the
+expiration date defined by the _nextUpdate_ field of a CRL has been reached just
+a warning is issued but a peer certificate will always be accepted if it has not
+been revoked.
 
 If you want to enforce a stricter CRL policy then you can do this by setting
-the "strictcrlpolicy" option.  This is done in the "config setup" section
-of the ipsec.conf file:
+the `strictcrlpolicy` option.  This is done in the `config setup` section
+of the `ipsec.conf` file:
 
     config setup
          strictcrlpolicy=yes
           ...
 
 A certificate received from a peer will not be accepted if no corresponding
-CRL or OCSP response is available.  And if an ISAKMP SA re-negotiation takes
-place after the nextUpdate deadline has been reached, the peer certificate
-will be declared invalid and the cached RSA public key will be deleted, causing
+CRL or OCSP response is available.  And if an IKE SA re-negotiation takes
+place after the _nextUpdate_ deadline has been reached, the peer certificate
+will be declared invalid and the cached public key will be deleted, causing
 the connection in question to fail.  Therefore if you are going to use the
-"strictcrlpolicy=yes" option, make sure that the CRLs will always be updated
-in time.  Otherwise a total standstill would ensue.
+`strictcrlpolicy=yes` option, make sure that the CRLs will always be updated
+in time.  Otherwise a total standstill might ensue.
 
-As mentioned earlier the default setting is "strictcrlpolicy=no"
+As mentioned earlier the default setting is `strictcrlpolicy=no`.
 
 
-5.7 Configuring the peer side using locally stored certificates
-    -----------------------------------------------------------
+### Configuring the peer side using locally stored certificates ###
 
-If you don't want to use trust chains based on CA certificates as proposed in
-section 4.3 you can alternatively import trusted peer certificates directly.
-Thus you do not have to rely on the certificate to be transmitted by the peer
-as part of the IKE protocol.
+If you don't want to use trust chains based on CA certificates as proposed above
+you can alternatively import trusted peer certificates directly.
 
-With the conn %default section defined in section 4.1 and the use of the
-rightcert keyword for the peer side, the connection definitions in section 4.3
-can alternatively be written as
+With the `conn %default` section defined above and the use of the `rightcert`
+keyword for the peer side, the connection definitions presented earlier can
+alternatively be written as
 
     conn sun
           right=%any
-          rightid=@sun.strongswan.org
+          rightid=sun.strongswan.org
           rightcert=sunCert.cer
 
      conn carol
           right=192.168.0.100
           rightcert=carolCert.der
 
-If the peer certificates are loaded locally then there is no sense in sending
-any certificates to the other end via the IKE protocol.  Especially if
-self-signed certificates are used which wouldn't be accepted anyway by
-the other side.  In these cases it is recommended to add
+If the peer certificates are loaded locally then there is no need to send any
+certificates to the other end via the IKE protocol.  Especially if self-signed
+certificates are used which wouldn't be accepted anyway by the other side.
+In these cases it is recommended to add
 
     leftsendcert=never
 
-to the connection definition[s] in order to avoid the sending of the host's
+to the connection definition(s) in order to avoid the sending of the host's
 own certificate.  The default value is
 
     leftsendcert=ifasked
 
-If a peer does not send a certificate request then use the setting
+which causes certificates to only be sent if a certificate request is received.
+If a peer does not send a certificate request then the setting
 
     leftsendcert=always
 
-If a peer certificate contains a subjectAltName extension, then an alternative
-rightid type can be used, as the example "conn sun" shows.  If no rightid
+may be used to force sending of the certificate to the other peer.
+
+If a peer certificate contains a _subjectAltName_ extension, then an alternative
+`rightid` type can be used, as the example `conn sun` shows.  If no `rightid`
 entry is present then the subject distinguished name contained in the
 certificate is taken as the ID.
 
-Using the same rules concerning pathnames that apply to strongSwan's own
+Using the same rules concerning pathnames that apply to the gateway's own
 certificates, the following two definitions are also valid for trusted peer
 certificates:
 
@@ -1195,21 +1077,20 @@ or
     rightcert=/usr/ssl/certs/carolCert.der
 
 
-6. Configuring the private keys - ipsec.secrets
-   --------------------------------------------
+## Configuring the private keys - ipsec.secrets ##
+
 
-6.1 Loading private key files in PKCS#1 or PKCS#8 format
-    ----------------------------------------------------
+### Loading private key files ###
 
-Besides strongSwan's raw private key format strongSwan has been enabled to
-load RSA (or ECDSA) private keys in the PKCS#1 or PKCS#8 file format.
-The key files can be optionally secured with a passphrase.
+strongSwan is able to load RSA (or ECDSA) private keys in the PKCS#1 or PKCS#8
+file formats, or from PKCS#12 containers. The key files can optionally be
+secured with a passphrase.
 
-RSA private key files are declared in /etc/ipsec.secrets using the syntax
+RSA private key files are declared in `/etc/ipsec.secrets` using the syntax
 
     : RSA <my keyfile> "<optional passphrase>"
 
-The key file can be either in base64 PEM-format or binary DER-format.  The
+The key file can be either in Base64 PEM-format or binary DER-format.  The
 actual coding is detected automatically.  The example
 
     : RSA moonKey.pem
@@ -1231,44 +1112,37 @@ cipher using a transport key derived from a cryptographically strong
 passphrase.
 
 Once on the security gateway the private key can either be permanently
-unlocked so that it can be used by Pluto without having to know a
+unlocked so that it can be used by the IKE daemon without having to know a
 passphrase
 
     openssl rsa -in moonKey.pem -out moonKey.pem
 
 or as an option the key file can remain secured.  In this case the passphrase
 unlocking the private key must be added after the pathname in
-/etc/ipsec.secrets
+`/etc/ipsec.secrets`
 
     : RSA moonKey.pem "This is my passphrase"
 
-Some CAs distribute private keys embedded in a PKCS#12 file. Since strongSwan
-is not yet able to read this format directly, the private key part must
-first be extracted using the command
-
-     openssl pkcs12 -nocerts -in moonCert.p12 -out moonKey.pem
-
-if the key file moonKey.pem is to be secured again by a passphrase, or
-
-     openssl pkcs12 -nocerts  -nodes -in moonCert.p12 -out moonKey.pem
+Some CAs distribute private keys embedded in a PKCS#12 file. strongSwan can read
+private keys directly from such a file (end-entity and CA certificates are
+also extracted):
 
-if the private key is to be stored unlocked.
+    : P12 moonCert.p12 "This is my passphrase"
 
 
-6.2 Entering passphrases interactively
-    ----------------------------------
+### Entering passphrases interactively ###
 
 On a VPN gateway you would want to put the passphrase protecting the private
-key file right into /etc/ipsec.secrets as described in the previous paragraph,
+key file right into `/etc/ipsec.secrets` as described in the previous section,
 so that the gateway can be booted in unattended mode.  The risk of keeping
 unencrypted secrets on a server can be minimized by putting the box into a
 locked room.  As long as no one can get root access on the machine the private
 keys are safe.
 
 On a mobile laptop computer the situation is quite different.  The computer can
-be stolen or the user is leaving it unattended so that unauthorized persons
+be stolen or the user may leave it unattended so that unauthorized persons
 can get access to it.  In theses cases it would be preferable not to keep any
-passphrases openly in /etc/ipsec.secrets but to prompt for them interactively
+passphrases openly in `/etc/ipsec.secrets` but to prompt for them interactively
 instead.  This is easily done by defining
 
     : RSA moonKey.pem %prompt
@@ -1287,228 +1161,138 @@ and which causes a passphrase prompt to appear.  To abort entering a passphrase
 enter just a carriage return.
 
 
-6.3 Multiple private keys
-    ---------------------
+## Configuring CA properties - ipsec.conf ##
 
-strongSwan supports multiple private keys. Since the connections defined
-in ipsec.conf can find the correct private key based on the public key
-contained in the certificate assigned by leftcert, default private key
-definitions without specific IDs can be used
-
-    : RSA myKey1.pem "<optional passphrase1>"
-
-    : RSA myKey2.pem "<optional passphrase2>"
-
-
-7. Configuring CA properties - ipsec.conf
-   --------------------------------------
-
-Besides the definition of IPsec connections the ipsec.conf file can also
+Besides the definition of IPsec connections the `ipsec.conf` file can also
 be used to configure a few properties of the certification authorities
 needed to establish the X.509 trust chains.  The following example shows
 some of the parameters that are currently available:
 
     ca strongswan
-       cacert=strongswanCert.pem
-       ocspuri=http://ocsp.strongswan.org:8880
-       crluri=http://crl.strongswan.org/strongswan.crl'
-       crluri2="ldap://ldap.strongswan.org/O=strongSwan, C=CH?certificateRevocationList"
-       auto=add
+        cacert=strongswanCert.pem
+        ocspuri=http://ocsp.strongswan.org:8880
+        crluri=http://crl.strongswan.org/strongswan.crl'
+        crluri2="ldap://ldap.strongswan.org/O=strongSwan, C=CH?certificateRevocationList"
+        auto=add
 
-In a similar way as conn sections are used for connection definitions, an
-arbitrary number of optional ca sections define the basic properties of CAs.
+In a similar way as `conn` sections are used for connection definitions, an
+arbitrary number of optional `ca` sections define the basic properties of CAs.
 
 Each ca section is named with a unique label
 
-       ca strongswan
+    ca strongswan
 
 The only mandatory parameter is
 
-       cacert=strongswanCert.pem
+    cacert=strongswanCert.pem
 
 which points to the CA certificate which usually resides in the default
-directory /etc/ipsec.d/cacerts/ but could also be retrieved via an absolute
+directory `/etc/ipsec.d/cacerts/` but could also be retrieved via an absolute
 path name.
 
 The OCSP URI
 
-       ocspuri=http://ocsp.strongswan.org:8880
+    ocspuri=http://ocsp.strongswan.org:8880
 
 allows to define an individual OCSP server per CA.  Also up to two additional
 CRL distribution points (CDPs) can be defined
 
-       crluri=http://crl.strongswan.org/strongswan.crl'
-       crluri2="ldap://ldap.strongswan.org/O=strongSwan, C=CH?certificateRevocationList"
+    crluri=http://crl.strongswan.org/strongswan.crl'
+    crluri2="ldap://ldap.strongswan.org/O=strongSwan, C=CH?certificateRevocationList"
 
 which are added to any CDPs already present in the received certificates
 themselves.
 
-With the auto=add statement the ca definition is automatically loaded during
-startup.  Setting auto=ignore will ignore the ca section.
+With the `auto=add` statement the `ca` definition is automatically loaded during
+startup.  Setting `auto=ignore` will ignore the `ca` section.
 
 Any parameters which appear in several ca definitions can be put in
-a common ca %default section
+a common `ca %default` section
 
     ca %default
-       crluri=http://crl.strongswan.org/strongswan.crl'
+        crluri=http://crl.strongswan.org/strongswan.crl'
 
 
-8. Monitoring functions
-   --------------------
+## Monitoring functions ##
 
 strongSwan offers the following monitoring functions:
 
-The command
-
-    ipsec listalgs
+| Command             | Action                                            |
+|---------------------|---------------------------------------------------|
+| ipsec listaacerts   | list all Authorization Authority certificates loaded from `/etc/ipsec.d/aacerts/` |
+| ipsec listacerts    | list all X.509 attribute certificates loaded from `/etc/ipsec.d/acerts/` |
+| ipsec listalgs      | list cryptographic algorithms for IKE             |
+| ipsec listcacerts   | list all CA certificates loaded from `/etc/ipsec.d/cacerts/` or received via IKE |
+| ipsec listcainfos   | list all properties defined in `ca` sections in `ipsec.conf` |
+| ipsec listcerts     | list all certificates loaded via `leftcert` and `rightcert` |
+| ipsec listcounters  | list global or connection specific counter values |
+| ipsec listcrls      | list all CLRs loaded from `/etc/ipsec.d/crls/`    |
+| ipsec listocsp      | list contents of the OCSP response cache          |
+| ipsec listocspcerts | list all OCSP signer certificates loaded from `/etc/ipsec.d/ocspcerts/` or received in OCSP responses |
+| ipsec listplugins   | list all loaded plugin features                   |
+| ipsec listpubkeys   | list all raw public keys e.g. loaded via `leftsigkey` and `rightsigkey` |
+| ipsec listall       | all the above commands combined                   |
+| ipsec status        | list concise status information on established connections |
+| ipsec statusall     | list detailed status information on connections |
 
-lists all IKE cryptographic algorithms that are currently
-registered with strongSwan.
 
+## Firewall support functions ##
 
-The command
 
-    ipsec listcerts [--utc]
-
-lists all local certificates, both strongSwan's own and those of
-trusted peer loaded via leftcert and rightcert, respectively.
-
-
-The command
-
-    ipsec listcacerts [--utc]
-
-lists all CA certificates that have been either been loaded from the directory
-/etc/ipsec.d/cacerts/ or received via the IKE protocol.
-
-
-The command
-
-    ipsec listaacerts [--utc]
-
-lists all Authorization Authority certificates that have been loaded from
-the directory /etc/ipsec.d/aacerts/.
-
-
-The command
-
-    ipsec listocspcerts [--utc]
-
-lists all OCSO signer certificates that have been either loaded from
-/etc/ipsec.d/ocspcerts/ or have been received included in the OCSP server
-response.
-
-
-The command
-
-    ipsec listacerts [--utc]
-
-lists all X.509 attribute certificates that have been loaded from the directory
-/etc/ipsec.d/acerts/.
-
-
-The command
-
-    ipsec listcainfos [--utc]
-
-lists the properties defined by the ca definition sections in ipsec.conf.
-
-
-The command
-
-    ipsec listcrls [--utc]
-
-lists all CRLs that have been loaded from /etc/ipsec.d/crls/.
-
-
-The command
-
-
-    ipsec listocsp [--utc]
-
-lists the contents of the OCSP response cache.
-
-
-The command
-
-    ipsec listall [--utc]
-
-is equivalent to using all of the above commands.
-
-
-9. Firewall support functions
-   --------------------------
-
-
-9.1 Environment variables in the updown script
-    ------------------------------------------
+### Environment variables in the updown script ###
 
 strongSwan makes the following environment variables available
-in the updown script indicated by the leftupdown option:
-
-+-------------------------------------------------------------------+
-| Variable               Example                    Comment         |
-|-------------------------------------------------------------------|
-| $PLUTO_PEER_ID         carol at strongswan.org       RFC822_ADDR (1) |
-|-------------------------------------------------------------------|
-| $PLUTO_PEER_PROTOCOL   17                         udp         (2) |
-|-------------------------------------------------------------------|
-| $PLUTO_PEER_PORT       68                         bootpc      (3) |
-|-------------------------------------------------------------------|
-| $PLUTO_PEER_CA         C=CH, O=ACME, CN=Sales CA              (4) |
-|-------------------------------------------------------------------|
-| $PLUTO_MY_ID           @moon.strongswan.org       FQDN        (1) |
-|-------------------------------------------------------------------|
-| $PLUTO_MY_PROTOCOL     17                         udp         (2) |
-|-------------------------------------------------------------------|
-| $PLUTO_MY_PORT         67                         bootps      (3) |
-+-------------------------------------------------------------------+
+in the _updown_ script indicated by the `leftupdown` option:
+
+| Variable              | Example                   | Comment         |
+|-----------------------|---------------------------|-----------------|
+| $PLUTO_PEER_ID        | carol at strongswan.org      | RFC822_ADDR (1) |
+| $PLUTO_PEER_PROTOCOL  | 17                        | udp         (2) |
+| $PLUTO_PEER_PORT      | 68                        | bootpc      (3) |
+| $PLUTO_MY_ID          | moon.strongswan.org       | FQDN        (1) |
+| $PLUTO_MY_PROTOCOL    | 17                        | udp         (2) |
+| $PLUTO_MY_PORT        | 67                        | bootps      (3) |
 
 (1) $PLUTO_PEER_ID/$PLUTO_MY_ID contain the IDs of the two ends
     of an established connection. In our examples these
-    correspond to the strings defined by rightid and leftid,
+    correspond to the strings defined by `rightid` and `leftid`,
     respectively.
 
 (2) $PLUTO_PEER_PROTOCOL/$PLUTO_MY_PROTOCOL contain the protocol
-    defined by the rightprotoport and leftprotoport options,
+    defined by the `rightprotoport` and `leftprotoport` options,
     respectively. Both variables contain the same protocol value.
     The variables take on the value '0' if no protocol has been defined.
 
 (3) $PLUTO_PEER_PORT/$PLUTO_MY_PORT contain the ports defined by
-    the rightprotoport and leftprotoport options, respectively.
+    the `rightprotoport` and `leftprotoport` options, respectively.
     The variables take on the value '0' if no port has been defined.
 
-(4) $PLUTO_PEER_CA contains the distinguished name of the CA that
-    issued the peer's certificate.
-
 There are several more, refer to the provided default script for a documentation
-of these.
+of them.
 
 
-9.2 Automatic insertion and deletion of iptables firewall rules
-    -----------------------------------------------------------
+### Automatic insertion and deletion of iptables firewall rules ###
 
-The default _updown script automatically inserts and deletes dynamic iptables
-firewall rules upon the establishment or teardown, respectively, of an IPsec
-security association.  This feature is activated with the line
+The default `_updown` script automatically inserts and deletes dynamic
+`iptables` firewall rules upon the establishment or teardown, respectively, of
+an IPsec security association.  This feature is activated with the line
 
-   leftfirewall=yes
+    leftfirewall=yes
 
-If you define a local client subnet with a netmask larger than /32 behind
-the gateway then the automatically inserted FORWARD iptables rules will
-not allow to access the internal IP address of the host although it is
-part of the client subnet definition.  If you want additional INPUT and
-OUTPUT iptables rules to be inserted, so that the host itself can be accessed
-then add the following line:
+If you define a `leftsubnet` with a netmask larger than `/32` then the
+automatically inserted _FORWARD_ `iptables` rules will not allow clients to
+access the internal IP address of the gateway even if it is part of that subnet
+definition.  If you want additional _INPUT_ and _OUTPUT_ `iptables` rules to be
+inserted, so that the host itself can be accessed then add the following line:
 
-   lefthostaccess=yes
+    lefthostaccess=yes
 
-The _updown script also features a logging facility which will register the
+The `_updown` script also features a logging facility which will register the
 creation (+) and the expiration (-) of each successfully established VPN
 connection in a special syslog file in the following concise and easily
 readable format:
 
-Jul 19 18:58:38 moon vpn:
-    + @carol.strongswan.org  192.168.0.100 -- 192.168.0.1 == 10.1.0.0/16
-Jul 19 22:15:17 moon vpn:
-    - @carol.strongswan.org  192.168.0.100 -- 192.168.0.1 == 10.1.0.0/16
+    Jul 19 18:58:38 moon vpn:
+        + carol.strongswan.org  192.168.0.100 -- 192.168.0.1 == 10.1.0.0/16
+    Jul 19 22:15:17 moon vpn:
+        - carol.strongswan.org  192.168.0.100 -- 192.168.0.1 == 10.1.0.0/16
diff --git a/aclocal.m4 b/aclocal.m4
index e8f4624..4521f37 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-# generated automatically by aclocal 1.13.3 -*- Autoconf -*-
+# generated automatically by aclocal 1.14.1 -*- Autoconf -*-
 
 # Copyright (C) 1996-2013 Free Software Foundation, Inc.
 
@@ -21,7 +21,7 @@ If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically 'autoreconf'.])])
 
 # lib-prefix.m4 serial 7 (gettext-0.18)
-dnl Copyright (C) 2001-2005, 2008-2010 Free Software Foundation, Inc.
+dnl Copyright (C) 2001-2005, 2008-2013 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
 dnl with or without modifications, as long as this notice is preserved.
@@ -417,10 +417,10 @@ fi[]dnl
 # generated from the m4 files accompanying Automake X.Y.
 # (This private macro should not be called outside this file.)
 AC_DEFUN([AM_AUTOMAKE_VERSION],
-[am__api_version='1.13'
+[am__api_version='1.14'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.13.3], [],
+m4_if([$1], [1.14.1], [],
       [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -436,7 +436,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.13.3])dnl
+[AM_AUTOMAKE_VERSION([1.14.1])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
@@ -840,6 +840,12 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
 # This macro actually does too much.  Some checks are only needed if
 # your package does certain things.  But this isn't really a big deal.
 
+dnl Redefine AC_PROG_CC to automatically invoke _AM_PROG_CC_C_O.
+m4_define([AC_PROG_CC],
+m4_defn([AC_PROG_CC])
+[_AM_PROG_CC_C_O
+])
+
 # AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
 # AM_INIT_AUTOMAKE([OPTIONS])
 # -----------------------------------------------
@@ -948,7 +954,48 @@ dnl macro is hooked onto _AC_COMPILER_EXEEXT early, see below.
 AC_CONFIG_COMMANDS_PRE(dnl
 [m4_provide_if([_AM_COMPILER_EXEEXT],
   [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl
-])
+
+# POSIX will say in a future version that running "rm -f" with no argument
+# is OK; and we want to be able to make that assumption in our Makefile
+# recipes.  So use an aggressive probe to check that the usage we want is
+# actually supported "in the wild" to an acceptable degree.
+# See automake bug#10828.
+# To make any issue more visible, cause the running configure to be aborted
+# by default if the 'rm' program in use doesn't match our expectations; the
+# user can still override this though.
+if rm -f && rm -fr && rm -rf; then : OK; else
+  cat >&2 <<'END'
+Oops!
+
+Your 'rm' program seems unable to run without file operands specified
+on the command line, even when the '-f' option is present.  This is contrary
+to the behaviour of most rm programs out there, and not conforming with
+the upcoming POSIX standard: <http://austingroupbugs.net/view.php?id=542>
+
+Please tell bug-automake at gnu.org about your system, including the value
+of your $PATH and any error possibly output before this message.  This
+can help us improve future automake versions.
+
+END
+  if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then
+    echo 'Configuration will proceed anyway, since you have set the' >&2
+    echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2
+    echo >&2
+  else
+    cat >&2 <<'END'
+Aborting the configuration process, to ensure you take notice of the issue.
+
+You can download and install GNU coreutils to get an 'rm' implementation
+that behaves properly: <http://www.gnu.org/software/coreutils/>.
+
+If you want to complete the configuration process using your problematic
+'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
+to "yes", and re-run configure.
+
+END
+    AC_MSG_ERROR([Your 'rm' program is bad, sorry.])
+  fi
+fi])
 
 dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion.  Do not
 dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further
@@ -956,7 +1003,6 @@ dnl mangled by Autoconf and run in a shell conditional statement.
 m4_define([_AC_COMPILER_EXEEXT],
 m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])])
 
-
 # When config.status generates a header, we must update the stamp-h file.
 # This file resides in the same directory as the config header
 # that is generated.  The stamp files are numbered to have different names.
@@ -1068,38 +1114,6 @@ AC_MSG_RESULT([$_am_result])
 rm -f confinc confmf
 ])
 
-# Copyright (C) 1999-2013 Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# AM_PROG_CC_C_O
-# --------------
-# Like AC_PROG_CC_C_O, but changed for automake.
-AC_DEFUN([AM_PROG_CC_C_O],
-[AC_REQUIRE([AC_PROG_CC_C_O])dnl
-AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
-AC_REQUIRE_AUX_FILE([compile])dnl
-# FIXME: we rely on the cache variable name because
-# there is no other way.
-set dummy $CC
-am_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']`
-eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
-if test "$am_t" != yes; then
-   # Losing compiler, so override with the script.
-   # FIXME: It is wrong to rewrite CC.
-   # But if we don't then we get into trouble of one sort or another.
-   # A longer-term fix would be to have automake use am__CC in this case,
-   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
-   CC="$am_aux_dir/compile $CC"
-fi
-dnl Make sure AC_PROG_CC is never called again, or it will override our
-dnl setting of CC.
-m4_define([AC_PROG_CC],
-          [m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])])
-])
-
 # Fake the existence of programs that GNU maintainers use.  -*- Autoconf -*-
 
 # Copyright (C) 1997-2013 Free Software Foundation, Inc.
@@ -1176,6 +1190,53 @@ AC_DEFUN([_AM_IF_OPTION],
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# _AM_PROG_CC_C_O
+# ---------------
+# Like AC_PROG_CC_C_O, but changed for automake.  We rewrite AC_PROG_CC
+# to automatically call this.
+AC_DEFUN([_AM_PROG_CC_C_O],
+[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+AC_REQUIRE_AUX_FILE([compile])dnl
+AC_LANG_PUSH([C])dnl
+AC_CACHE_CHECK(
+  [whether $CC understands -c and -o together],
+  [am_cv_prog_cc_c_o],
+  [AC_LANG_CONFTEST([AC_LANG_PROGRAM([])])
+  # Make sure it works both with $CC and with simple cc.
+  # Following AC_PROG_CC_C_O, we do the test twice because some
+  # compilers refuse to overwrite an existing .o file with -o,
+  # though they will create one.
+  am_cv_prog_cc_c_o=yes
+  for am_i in 1 2; do
+    if AM_RUN_LOG([$CC -c conftest.$ac_ext -o conftest2.$ac_objext]) \
+         && test -f conftest2.$ac_objext; then
+      : OK
+    else
+      am_cv_prog_cc_c_o=no
+      break
+    fi
+  done
+  rm -f core conftest*
+  unset am_i])
+if test "$am_cv_prog_cc_c_o" != yes; then
+   # Losing compiler, so override with the script.
+   # FIXME: It is wrong to rewrite CC.
+   # But if we don't then we get into trouble of one sort or another.
+   # A longer-term fix would be to have automake use am__CC in this case,
+   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+   CC="$am_aux_dir/compile $CC"
+fi
+AC_LANG_POP([C])])
+
+# For backward compatibility.
+AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
+
+# Copyright (C) 1999-2013 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
 
 # AM_PATH_PYTHON([MINIMUM-VERSION], [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
 # ---------------------------------------------------------------------------
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 61a0add..373be16 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -8,6 +8,7 @@ optionstemplatedir = $(templatesdir)/strongswan.d
 pluginstemplatedir = $(templatesdir)/plugins
 
 options = \
+	options/aikgen.opt \
 	options/attest.opt \
 	options/charon.opt \
 	options/charon-logging.opt \
@@ -15,10 +16,12 @@ options = \
 	options/manager.opt \
 	options/medsrv.opt \
 	options/pacman.opt \
+	options/pki.opt \
 	options/pool.opt \
+	options/scepclient.opt \
 	options/starter.opt \
-	options/tnc.opt \
-	options/tools.opt
+	options/swanctl.opt \
+	options/tnc.opt
 
 plugins = \
 	plugins/android_log.opt \
@@ -51,10 +54,10 @@ plugins = \
 	plugins/imv-attestation.opt \
 	plugins/imv-os.opt \
 	plugins/imv-scanner.opt \
+	plugins/imv-swid.opt \
 	plugins/imv-test.opt \
 	plugins/ipseckey.opt \
 	plugins/led.opt \
-	plugins/kernel-klips.opt \
 	plugins/kernel-libipsec.opt \
 	plugins/kernel-netlink.opt \
 	plugins/kernel-pfroute.opt \
@@ -78,6 +81,7 @@ plugins = \
 	plugins/tnccs-20.opt \
 	plugins/unbound.opt \
 	plugins/updown.opt \
+	plugins/vici.opt \
 	plugins/whitelist.opt \
 	plugins/xauth-eap.opt \
 	plugins/xauth-pam.opt
diff --git a/conf/Makefile.in b/conf/Makefile.in
index e14c44e..a0ad980 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -111,28 +111,6 @@ AM_V_at = $(am__v_at_ at AM_V@)
 am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
 am__v_at_0 = @
 am__v_at_1 = 
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-AM_V_lt = $(am__v_lt_ at AM_V@)
-am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 = 
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_ at AM_V@)
-am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
-am__v_CC_0 = @echo "  CC      " $@;
-am__v_CC_1 = 
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo "  CCLD    " $@;
-am__v_CCLD_1 = 
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
@@ -239,6 +217,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -257,6 +236,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -284,6 +264,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -375,6 +356,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -395,6 +377,7 @@ templatesdir = $(pkgdatadir)/templates/config
 optionstemplatedir = $(templatesdir)/strongswan.d
 pluginstemplatedir = $(templatesdir)/plugins
 options = \
+	options/aikgen.opt \
 	options/attest.opt \
 	options/charon.opt \
 	options/charon-logging.opt \
@@ -402,10 +385,12 @@ options = \
 	options/manager.opt \
 	options/medsrv.opt \
 	options/pacman.opt \
+	options/pki.opt \
 	options/pool.opt \
+	options/scepclient.opt \
 	options/starter.opt \
-	options/tnc.opt \
-	options/tools.opt
+	options/swanctl.opt \
+	options/tnc.opt
 
 plugins = \
 	plugins/android_log.opt \
@@ -438,10 +423,10 @@ plugins = \
 	plugins/imv-attestation.opt \
 	plugins/imv-os.opt \
 	plugins/imv-scanner.opt \
+	plugins/imv-swid.opt \
 	plugins/imv-test.opt \
 	plugins/ipseckey.opt \
 	plugins/led.opt \
-	plugins/kernel-klips.opt \
 	plugins/kernel-libipsec.opt \
 	plugins/kernel-netlink.opt \
 	plugins/kernel-pfroute.opt \
@@ -465,6 +450,7 @@ plugins = \
 	plugins/tnccs-20.opt \
 	plugins/unbound.opt \
 	plugins/updown.opt \
+	plugins/vici.opt \
 	plugins/whitelist.opt \
 	plugins/xauth-eap.opt \
 	plugins/xauth-pam.opt
diff --git a/conf/format-options.py b/conf/format-options.py
index fc6e6e1..d046e24 100755
--- a/conf/format-options.py
+++ b/conf/format-options.py
@@ -67,8 +67,8 @@ class ConfigOption:
 		self.desc = []
 		self.options = []
 
-	def __cmp__(self, other):
-		return  cmp(self.name, other.name)
+	def __lt__(self, other):
+		return  self.name < other.name
 
 	def add_paragraph(self):
 		"""Adds a new paragraph to the description"""
@@ -92,8 +92,9 @@ class ConfigOption:
 
 class Parser:
 	"""Parses one or more files of configuration options"""
-	def __init__(self):
+	def __init__(self, sort = True):
 		self.options = []
+		self.sort = sort
 
 	def parse(self, file):
 		"""Parses the given file and adds all options to the internal store"""
@@ -145,7 +146,8 @@ class Parser:
 			found.adopt(option)
 		else:
 			parent.options.append(option)
-			parent.options.sort()
+			if self.sort:
+				parent.options.sort()
 
 	def __get_option(self, parts, create = False):
 		"""Searches/Creates the option (section) based on a list of section names"""
@@ -160,7 +162,8 @@ class Parser:
 					break
 				option = ConfigOption(fullname, section = True)
 				options.append(option)
-				options.sort()
+				if self.sort:
+					options.sort()
 			options = option.options
 		return option
 
@@ -227,31 +230,32 @@ class ConfFormatter:
 		if len(opt.desc):
 			self.__wrapper.initial_indent = '{0}# '.format(self.__indent * indent)
 			self.__wrapper.subsequent_indent = self.__wrapper.initial_indent
-			print format(self.__wrapper.fill(self.__tags.replace(opt.desc[0])))
+			print(self.__wrapper.fill(self.__tags.replace(opt.desc[0])))
 
 	def __print_option(self, opt, indent, commented):
 		"""Print a single option with description and default value"""
 		comment = "# " if commented or opt.commented else ""
 		self.__print_description(opt, indent)
 		if opt.default:
-			print '{0}{1}{2} = {3}'.format(self.__indent * indent, comment, opt.name, opt.default)
+			print('{0}{1}{2} = {3}'.format(self.__indent * indent, comment, opt.name, opt.default))
 		else:
-			print '{0}{1}{2} ='.format(self.__indent * indent, comment, opt.name)
-		print
+			print('{0}{1}{2} ='.format(self.__indent * indent, comment, opt.name))
+		print('')
 
 	def __print_section(self, section, indent, commented):
 		"""Print a section with all options"""
-		comment = "# " if commented or section.commented else ""
+		commented = commented or section.commented
+		comment = "# " if commented else ""
 		self.__print_description(section, indent)
-		print '{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name)
-		print
+		print('{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name))
+		print('')
 		for o in sorted(section.options, key=attrgetter('section')):
 			if o.section:
-				self.__print_section(o, indent + 1, section.commented)
+				self.__print_section(o, indent + 1, commented)
 			else:
-				self.__print_option(o, indent + 1, section.commented)
-		print '{0}{1}}}'.format(self.__indent * indent, comment)
-		print
+				self.__print_option(o, indent + 1, commented)
+		print('{0}{1}}}'.format(self.__indent * indent, comment))
+		print('')
 
 	def format(self, options):
 		"""Print a list of options"""
@@ -282,14 +286,14 @@ class ManFormatter:
 		if option.section and not len(option.desc):
 			return
 		if option.section:
-			print '.TP\n.B {0}\n.br'.format(option.fullname)
+			print('.TP\n.B {0}\n.br'.format(option.fullname))
 		else:
-			print '.TP'
+			print('.TP')
 			default = option.default if option.default else ''
-			print '.BR {0} " [{1}]"'.format(option.fullname, default)
+			print('.BR {0} " [{1}]"'.format(option.fullname, default))
 		for para in option.desc if len(option.desc) < 2 else option.desc[1:]:
-			print self.__groffize(self.__wrapper.fill(para))
-			print ''
+			print(self.__groffize(self.__wrapper.fill(para)))
+			print('')
 
 	def format(self, options):
 		"""Print a list of options"""
@@ -309,9 +313,12 @@ options.add_option("-f", "--format", dest="format", type="choice", choices=["con
 options.add_option("-r", "--root", dest="root", metavar="NAME",
 				   help="root section of which options are printed, "
 				   "if not found everything is printed")
+options.add_option("-n", "--nosort", action="store_false", dest="sort",
+				   default=True, help="do not sort sections alphabetically")
+
 (opts, args) = options.parse_args()
 
-parser = Parser()
+parser = Parser(opts.sort)
 if len(args):
 	for filename in args:
 		try:
diff --git a/conf/options/aikgen.conf b/conf/options/aikgen.conf
new file mode 100644
index 0000000..10d362f
--- /dev/null
+++ b/conf/options/aikgen.conf
@@ -0,0 +1,7 @@
+aikgen {
+
+    # Plugins to load in ipsec aikgen tool.
+    # load =
+
+}
+
diff --git a/conf/options/aikgen.opt b/conf/options/aikgen.opt
new file mode 100644
index 0000000..2d33947
--- /dev/null
+++ b/conf/options/aikgen.opt
@@ -0,0 +1,2 @@
+aikgen.load =
+	Plugins to load in ipsec aikgen tool.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 5cab2b1..ec3a39a 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -1,6 +1,9 @@
 # Options for the charon IKE daemon.
 charon {
 
+    # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+    # accept_unencrypted_mainmode_messages = no
+
     # Maximum number of half-open IKE_SAs for a single peer IP.
     # block_threshold = 5
 
@@ -131,6 +134,11 @@ charon {
     # will be allocated.
     # port_nat_t = 4500
 
+    # By default public IPv6 addresses are preferred over temporary ones (RFC
+    # 4941), to make connections more stable. Enable this option to reverse
+    # this.
+    # prefer_temporary_addrs = no
+
     # Process RTM_NEWROUTE and RTM_DELROUTE events.
     # process_route = yes
 
@@ -254,6 +262,18 @@ charon {
 
     }
 
+    # Section containing a list of scripts (name = path) that are executed when
+    # the daemon is started.
+    start-scripts {
+
+    }
+
+    # Section containing a list of scripts (name = path) that are executed when
+    # the daemon is terminated.
+    stop-scripts {
+
+    }
+
     tls {
 
         # List of TLS encryption ciphers.
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index c6f4f1e..1eb1b88 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -8,6 +8,21 @@ charon {}
 	**charon-cmd** instead of **charon**). For many options defaults can be
 	defined in the **libstrongswan** section.
 
+charon.accept_unencrypted_mainmode_messages = no
+	Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+
+	Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+
+	Some implementations send the third Main Mode message unencrypted, probably
+	to find the PSKs for the specified ID for authentication. This is very
+	similar to Aggressive Mode, and has the same security implications: A
+	passive attacker can sniff the negotiated Identity, and start brute forcing
+	the PSK using the HASH payload.
+
+	It is recommended to keep this option to no, unless you know exactly
+	what the implications are and require compatibility to such devices (for
+	example, some SonicWall boxes).
+
 charon.block_threshold = 5
 	Maximum number of half-open IKE_SAs for a single peer IP.
 
@@ -196,6 +211,10 @@ charon.port_nat_t = 4500
 	allocated.  Has to be different from **charon.port**, otherwise a random
 	port will be allocated.
 
+charon.prefer_temporary_addrs = no
+	By default public IPv6 addresses are preferred over temporary ones (RFC
+	4941), to make connections more stable. Enable this option to reverse this.
+
 charon.process_route = yes
 	Process RTM_NEWROUTE and RTM_DELROUTE events.
 
@@ -256,6 +275,14 @@ charon.send_delay_type = 0
 charon.send_vendor_id = no
 	Send strongSwan vendor ID payload
 
+charon.start-scripts {}
+	Section containing a list of scripts (name = path) that are executed when
+	the daemon is started.
+
+charon.stop-scripts {}
+	Section containing a list of scripts (name = path) that are executed when
+	the daemon is terminated.
+
 charon.threads = 16
 	Number of worker threads in charon.
 
diff --git a/conf/options/pki.conf b/conf/options/pki.conf
new file mode 100644
index 0000000..f64a091
--- /dev/null
+++ b/conf/options/pki.conf
@@ -0,0 +1,7 @@
+pki {
+
+    # Plugins to load in ipsec pki tool.
+    # load =
+
+}
+
diff --git a/conf/options/pki.opt b/conf/options/pki.opt
new file mode 100644
index 0000000..c57dcc8
--- /dev/null
+++ b/conf/options/pki.opt
@@ -0,0 +1,2 @@
+pki.load =
+	Plugins to load in ipsec pki tool.
diff --git a/conf/options/scepclient.conf b/conf/options/scepclient.conf
new file mode 100644
index 0000000..0b1a131
--- /dev/null
+++ b/conf/options/scepclient.conf
@@ -0,0 +1,7 @@
+scepclient {
+
+    # Plugins to load in ipsec scepclient tool.
+    # load =
+
+}
+
diff --git a/conf/options/scepclient.opt b/conf/options/scepclient.opt
new file mode 100644
index 0000000..7e30f5c
--- /dev/null
+++ b/conf/options/scepclient.opt
@@ -0,0 +1,2 @@
+scepclient.load =
+	Plugins to load in ipsec scepclient tool.
diff --git a/conf/options/swanctl.conf b/conf/options/swanctl.conf
new file mode 100644
index 0000000..cb18239
--- /dev/null
+++ b/conf/options/swanctl.conf
@@ -0,0 +1,7 @@
+swanctl {
+
+    # Plugins to load in swanctl.
+    # load =
+
+}
+
diff --git a/conf/options/swanctl.opt b/conf/options/swanctl.opt
new file mode 100644
index 0000000..f78b4bc
--- /dev/null
+++ b/conf/options/swanctl.opt
@@ -0,0 +1,2 @@
+swanctl.load =
+	Plugins to load in swanctl.
\ No newline at end of file
diff --git a/conf/options/tools.conf b/conf/options/tools.conf
deleted file mode 100644
index 781635c..0000000
--- a/conf/options/tools.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-pki {
-
-    # Plugins to load in ipsec pki tool.
-    # load =
-
-}
-
-scepclient {
-
-    # Plugins to load in ipsec scepclient tool.
-    # load =
-
-}
-
diff --git a/conf/options/tools.opt b/conf/options/tools.opt
deleted file mode 100644
index 72a49de..0000000
--- a/conf/options/tools.opt
+++ /dev/null
@@ -1,5 +0,0 @@
-pki.load =
-	Plugins to load in ipsec pki tool.
-
-scepclient.load =
-	Plugins to load in ipsec scepclient tool.
diff --git a/conf/plugins/eap-tnc.conf b/conf/plugins/eap-tnc.conf
index aca72f1..27ef136 100644
--- a/conf/plugins/eap-tnc.conf
+++ b/conf/plugins/eap-tnc.conf
@@ -9,7 +9,7 @@ eap-tnc {
 
     # IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0,
     # tnccs-dynamic).
-    # protocol = tnccs-1.1
+    # protocol = tnccs-2.0
 
 }
 
diff --git a/conf/plugins/eap-tnc.opt b/conf/plugins/eap-tnc.opt
index 8e060ce..5593152 100644
--- a/conf/plugins/eap-tnc.opt
+++ b/conf/plugins/eap-tnc.opt
@@ -1,6 +1,6 @@
 charon.plugins.eap-tnc.max_message_count = 10
 	Maximum number of processed EAP-TNC packets (0 = no limit).
 
-charon.plugins.eap-tnc.protocol = tnccs-1.1
+charon.plugins.eap-tnc.protocol = tnccs-2.0
 	IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_,
 	_tnccs-dynamic_).
diff --git a/conf/plugins/eap-ttls.conf b/conf/plugins/eap-ttls.conf
index 5229625..0614dcb 100644
--- a/conf/plugins/eap-ttls.conf
+++ b/conf/plugins/eap-ttls.conf
@@ -23,6 +23,9 @@ eap-ttls {
     # Start phase2 EAP TNC protocol after successful client authentication.
     # phase2_tnc = no
 
+    # Phase2 EAP TNC transport protocol (pt as IETF standard or legacy tnc)
+    # phase2_tnc_method = pt
+
     # Request peer authentication based on a client certificate.
     # request_peer_auth = no
 
diff --git a/conf/plugins/eap-ttls.opt b/conf/plugins/eap-ttls.opt
index 21a6cb6..7dcee82 100644
--- a/conf/plugins/eap-ttls.opt
+++ b/conf/plugins/eap-ttls.opt
@@ -16,5 +16,8 @@ charon.plugins.eap-ttls.phase2_piggyback = no
 charon.plugins.eap-ttls.phase2_tnc = no
 	Start phase2 EAP TNC protocol after successful client authentication.
 
+charon.plugins.eap-ttls.phase2_tnc_method = pt
+	Phase2 EAP TNC transport protocol (_pt_ as IETF standard or legacy _tnc_)
+
 charon.plugins.eap-ttls.request_peer_auth = no
 	Request peer authentication based on a client certificate.
diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf
index 2d8deaa..eed706f 100644
--- a/conf/plugins/imc-attestation.conf
+++ b/conf/plugins/imc-attestation.conf
@@ -1,29 +1,8 @@
 imc-attestation {
 
-    # AIK encrypted private key blob file.
-    # aik_blob =
-
-    # AIK certificate file.
-    # aik_cert =
-
-    # AIK public key file.
-    # aik_key =
-
     # Whether to load the plugin. Can also be an integer to increase the
     # priority of this plugin.
     load = yes
 
-    # Enforce mandatory Diffie-Hellman groups.
-    # mandatory_dh_groups = yes
-
-    # DH nonce length.
-    # nonce_len = 20
-
-    # Whether to send pcr_before and pcr_after info.
-    # pcr_info = yes
-
-    # Use Quote2 AIK signature instead of Quote signature.
-    # use_quote2 = yes
-
 }
 
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
index aaac4c2..9b60b9e 100644
--- a/conf/plugins/imc-attestation.opt
+++ b/conf/plugins/imc-attestation.opt
@@ -1,20 +1,20 @@
-charon.plugins.imc-attestation.aik_blob =
+libimcv.plugins.imc-attestation.aik_blob =
 	AIK encrypted private key blob file.
 
-charon.plugins.imc-attestation.aik_cert =
+libimcv.plugins.imc-attestation.aik_cert =
 	AIK certificate file.
 
-charon.plugins.imc-attestation.aik_key =
+libimcv.plugins.imc-attestation.aik_pubkey =
 	AIK public key file.
 
-charon.plugins.imc-attestation.mandatory_dh_groups = yes
+libimcv.plugins.imc-attestation.mandatory_dh_groups = yes
 	Enforce mandatory Diffie-Hellman groups.
 
-charon.plugins.imc-attestation.nonce_len = 20
+libimcv.plugins.imc-attestation.nonce_len = 20
 	DH nonce length.
 
-charon.plugins.imc-attestation.use_quote2 = yes
+libimcv.plugins.imc-attestation.use_quote2 = yes
 	Use Quote2 AIK signature instead of Quote signature.
 
-charon.plugins.imc-attestation.pcr_info = yes
+libimcv.plugins.imc-attestation.pcr_info = no
 	Whether to send pcr_before and pcr_after info.
diff --git a/conf/plugins/imc-os.conf b/conf/plugins/imc-os.conf
index 1d245d3..56b2182 100644
--- a/conf/plugins/imc-os.conf
+++ b/conf/plugins/imc-os.conf
@@ -4,8 +4,5 @@ imc-os {
     # priority of this plugin.
     load = yes
 
-    # Send operating system info without being prompted.
-    # push_info = yes
-
 }
 
diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt
index 2a6333f..4f559f2 100644
--- a/conf/plugins/imc-os.opt
+++ b/conf/plugins/imc-os.opt
@@ -1,2 +1,14 @@
-charon.plugins.imc-os.push_info = yes
+libimcv.plugins.imc-os.device_cert =
+	Manually set the path to the client device certificate
+    (e.g. /etc/pts/aikCert.der)
+
+libimcv.plugins.imc-os.device_id =
+	Manually set the client device ID in hexadecimal format
+   (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31)
+
+libimcv.plugins.imc-os.device_pubkey =
+	Manually set the path to the client device public key
+    (e.g. /etc/pts/aikPub.der)
+
+libimcv.plugins.imc-os.push_info = yes
 	Send operating system info without being prompted.
diff --git a/conf/plugins/imc-scanner.conf b/conf/plugins/imc-scanner.conf
index 7f2f531..fb05a08 100644
--- a/conf/plugins/imc-scanner.conf
+++ b/conf/plugins/imc-scanner.conf
@@ -4,8 +4,5 @@ imc-scanner {
     # priority of this plugin.
     load = yes
 
-    # Send open listening ports without being prompted.
-    # push_info = yes
-
 }
 
diff --git a/conf/plugins/imc-scanner.opt b/conf/plugins/imc-scanner.opt
index 84e6dfa..9cc12b9 100644
--- a/conf/plugins/imc-scanner.opt
+++ b/conf/plugins/imc-scanner.opt
@@ -1,2 +1,2 @@
-charon.plugins.imc-scanner.push_info = yes
+libimcv.plugins.imc-scanner.push_info = yes
 	Send open listening ports without being prompted.
diff --git a/conf/plugins/imc-swid.conf b/conf/plugins/imc-swid.conf
index 8b33171..4893703 100644
--- a/conf/plugins/imc-swid.conf
+++ b/conf/plugins/imc-swid.conf
@@ -4,8 +4,5 @@ imc-swid {
     # priority of this plugin.
     load = yes
 
-    # Directory where SWID tags are located.
-    # swid_directory = ${prefix}/share
-
 }
 
diff --git a/conf/plugins/imc-swid.opt b/conf/plugins/imc-swid.opt
index 67f7c79..74490c1 100644
--- a/conf/plugins/imc-swid.opt
+++ b/conf/plugins/imc-swid.opt
@@ -1,2 +1,11 @@
-charon.plugins.imc-swid.swid_directory = ${prefix}/share
+libimcv.plugins.imc-swid.swid_directory = ${prefix}/share
 	Directory where SWID tags are located.
+
+libimcv.plugins.imc-swid.swid_generator = /usr/local/bin/swid_generator
+	SWID generator command to be executed.
+
+libimcv.plugins.imc-swid.swid_pretty = FALSE
+	Generate XML-encoded SWID tags with pretty indentation.
+
+libimcv.plugins.imc-swid.swid_full = FALSE
+	Include file information in the XML-encoded SWID tags.
diff --git a/conf/plugins/imc-test.conf b/conf/plugins/imc-test.conf
index 0d66e3d..4deac76 100644
--- a/conf/plugins/imc-test.conf
+++ b/conf/plugins/imc-test.conf
@@ -1,23 +1,8 @@
 imc-test {
 
-    # Number of additional IMC IDs.
-    # additional_ids = 0
-
-    # Command to be sent to the Test IMV.
-    # command = none
-
-    # Size of dummy attribute to be sent to the Test IMV (0 = disabled).
-    # dummy_size = 0
-
     # Whether to load the plugin. Can also be an integer to increase the
     # priority of this plugin.
     load = yes
 
-    # Do a handshake retry.
-    # retry = no
-
-    # Command to be sent to the Test IMV in the handshake retry.
-    # retry_command =
-
 }
 
diff --git a/conf/plugins/imc-test.opt b/conf/plugins/imc-test.opt
index c3169b5..e15b069 100644
--- a/conf/plugins/imc-test.opt
+++ b/conf/plugins/imc-test.opt
@@ -1,14 +1,14 @@
-charon.plugins.imc-test.additional_ids = 0
+libimcv.plugins.imc-test.additional_ids = 0
 	Number of additional IMC IDs.
 
-charon.plugins.imc-test.command = none
+libimcv.plugins.imc-test.command = none
 	Command to be sent to the Test IMV.
 
-charon.plugins.imc-test.dummy_size = 0
+libimcv.plugins.imc-test.dummy_size = 0
 	Size of dummy attribute to be sent to the Test IMV (0 = disabled).
 
-charon.plugins.imc-test.retry = no
+libimcv.plugins.imc-test.retry = no
 	Do a handshake retry.
 
-charon.plugins.imc-test.retry_command =
+libimcv.plugins.imc-test.retry_command =
 	Command to be sent to the Test IMV in the handshake retry.
diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf
index 3a1a7f2..29a4209 100644
--- a/conf/plugins/imv-attestation.conf
+++ b/conf/plugins/imv-attestation.conf
@@ -1,45 +1,8 @@
-imc-attestation {
-
-    # Dummy data if the TBOOT log is not retrieved.
-    # pcr17_after =
-
-    # Dummy data if the TBOOT log is not retrieved.
-    # pcr17_before =
-
-    # Dummy data if the TBOOT log is not retrieved.
-    # pcr17_meas =
-
-    # Dummy data if the TBOOT log is not retrieved.
-    # pcr18_after =
-
-    # Dummy data if the TBOOT log is not retrieved.
-    # pcr18_before =
-
-    # Dummy data if the TBOOT log is not retrieved.
-    # pcr18_meas =
-
-}
-
 imv-attestation {
 
-    # Path to directory with AIK cacerts.
-    # cadir =
-
-    # Preferred Diffie-Hellman group.
-    # dh_group = ecp256
-
-    # Preferred measurement hash algorithm.
-    # hash_algorithm = sha256
-
     # Whether to load the plugin. Can also be an integer to increase the
     # priority of this plugin.
     load = yes
 
-    # Enforce mandatory Diffie-Hellman groups.
-    # mandatory_dh_groups = yes
-
-    # DH minimum nonce length.
-    # min_nonce_len = 0
-
 }
 
diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt
index f266281..3ad5162 100644
--- a/conf/plugins/imv-attestation.opt
+++ b/conf/plugins/imv-attestation.opt
@@ -1,32 +1,32 @@
-charon.plugins.imv-attestation.cadir =
+libimcv.plugins.imv-attestation.cadir =
 	Path to directory with AIK cacerts.
 
-charon.plugins.imv-attestation.mandatory_dh_groups = yes
+libimcv.plugins.imv-attestation.mandatory_dh_groups = yes
 	Enforce mandatory Diffie-Hellman groups.
 
-charon.plugins.imv-attestation.dh_group = ecp256
+libimcv.plugins.imv-attestation.dh_group = ecp256
 	Preferred Diffie-Hellman group.
 
-charon.plugins.imv-attestation.hash_algorithm = sha256
+libimcv.plugins.imv-attestation.hash_algorithm = sha256
 	Preferred measurement hash algorithm.
 
-charon.plugins.imv-attestation.min_nonce_len = 0
+libimcv.plugins.imv-attestation.min_nonce_len = 0
 	DH minimum nonce length.
 
-charon.plugins.imc-attestation.pcr17_after
+libimcv.plugins.imc-attestation.pcr17_after
 	Dummy data if the TBOOT log is not retrieved.
 
-charon.plugins.imc-attestation.pcr17_before
+libimcv.plugins.imc-attestation.pcr17_before
 	Dummy data if the TBOOT log is not retrieved.
 
-charon.plugins.imc-attestation.pcr17_meas
+libimcv.plugins.imc-attestation.pcr17_meas
 	Dummy data if the TBOOT log is not retrieved.
 
-charon.plugins.imc-attestation.pcr18_after
+libimcv.plugins.imc-attestation.pcr18_after
 	Dummy data if the TBOOT log is not retrieved.
 
-charon.plugins.imc-attestation.pcr18_before
+libimcv.plugins.imc-attestation.pcr18_before
 	Dummy data if the TBOOT log is not retrieved.
 
-charon.plugins.imc-attestation.pcr18_meas
+libimcv.plugins.imc-attestation.pcr18_meas
 	Dummy data if the TBOOT log is not retrieved.
diff --git a/conf/plugins/imv-os.conf b/conf/plugins/imv-os.conf
index 8f0da37..f2786cc 100644
--- a/conf/plugins/imv-os.conf
+++ b/conf/plugins/imv-os.conf
@@ -4,8 +4,5 @@ imv-os {
     # priority of this plugin.
     load = yes
 
-    # URI pointing to operating system remediation instructions.
-    # remediation_uri =
-
 }
 
diff --git a/conf/plugins/imv-os.opt b/conf/plugins/imv-os.opt
index eab9262..fe83bb6 100644
--- a/conf/plugins/imv-os.opt
+++ b/conf/plugins/imv-os.opt
@@ -1,2 +1,2 @@
-charon.plugins.imv-os.remediation_uri =
+libimcv.plugins.imv-os.remediation_uri =
 	URI pointing to operating system remediation instructions.
diff --git a/conf/plugins/imv-scanner.conf b/conf/plugins/imv-scanner.conf
index 25719d0..4b9da8f 100644
--- a/conf/plugins/imv-scanner.conf
+++ b/conf/plugins/imv-scanner.conf
@@ -4,8 +4,5 @@ imv-scanner {
     # priority of this plugin.
     load = yes
 
-    # URI pointing to scanner remediation instructions.
-    # remediation_uri =
-
 }
 
diff --git a/conf/plugins/imv-scanner.opt b/conf/plugins/imv-scanner.opt
index 7af8749..d23c6ba 100644
--- a/conf/plugins/imv-scanner.opt
+++ b/conf/plugins/imv-scanner.opt
@@ -1,2 +1,2 @@
-charon.plugins.imv-scanner.remediation_uri =
+libimcv.plugins.imv-scanner.remediation_uri =
 	URI pointing to scanner remediation instructions.
diff --git a/conf/plugins/imv-swid.conf b/conf/plugins/imv-swid.conf
new file mode 100644
index 0000000..bfd49bd
--- /dev/null
+++ b/conf/plugins/imv-swid.conf
@@ -0,0 +1,8 @@
+imv-swid {
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+}
+
diff --git a/conf/plugins/imv-swid.opt b/conf/plugins/imv-swid.opt
new file mode 100644
index 0000000..d451c78
--- /dev/null
+++ b/conf/plugins/imv-swid.opt
@@ -0,0 +1,5 @@
+libimcv.plugins.imv-swid.rest_api_uri = 
+	HTTP URI of the SWID REST API.
+
+libimcv.plugins.imv-swid.rest_api_timeout = 120
+	Timeout of SWID REST API HTTP POST transaction.
diff --git a/conf/plugins/imv-test.conf b/conf/plugins/imv-test.conf
index 9bd2487..b268765 100644
--- a/conf/plugins/imv-test.conf
+++ b/conf/plugins/imv-test.conf
@@ -4,8 +4,5 @@ imv-test {
     # priority of this plugin.
     load = yes
 
-    # Number of IMC-IMV retry rounds.
-    # rounds = 0
-
 }
 
diff --git a/conf/plugins/imv-test.opt b/conf/plugins/imv-test.opt
index 2cbddc8..196559e 100644
--- a/conf/plugins/imv-test.opt
+++ b/conf/plugins/imv-test.opt
@@ -1,2 +1,2 @@
-charon.plugins.imv-test.rounds = 0
+libimcv.plugins.imv-test.rounds = 0
 	Number of IMC-IMV retry rounds.
diff --git a/conf/plugins/kernel-klips.conf b/conf/plugins/kernel-klips.conf
deleted file mode 100644
index 10ca308..0000000
--- a/conf/plugins/kernel-klips.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-kernel-klips {
-
-    # Number of ipsecN devices.
-    # ipsec_dev_count = 4
-
-    # Set MTU of ipsecN device.
-    # ipsec_dev_mtu = 0
-
-    # Whether to load the plugin. Can also be an integer to increase the
-    # priority of this plugin.
-    load = yes
-
-}
-
diff --git a/conf/plugins/kernel-klips.opt b/conf/plugins/kernel-klips.opt
deleted file mode 100644
index ad9806e..0000000
--- a/conf/plugins/kernel-klips.opt
+++ /dev/null
@@ -1,5 +0,0 @@
-charon.plugins.kernel-klips.ipsec_dev_count = 4
-	Number of ipsecN devices.
-
-charon.plugins.kernel-klips.ipsec_dev_mtu = 0
-	Set MTU of ipsecN device.
diff --git a/conf/plugins/load-tester.conf b/conf/plugins/load-tester.conf
index e69c029..17281ba 100644
--- a/conf/plugins/load-tester.conf
+++ b/conf/plugins/load-tester.conf
@@ -16,6 +16,10 @@ load-tester {
     # Seconds to start CHILD_SA rekeying after setup.
     # child_rekey = 600
 
+    # URI to a CRL to include as certificate distribution point in generated
+    # certificates.
+    # crl =
+
     # Delay between initiatons for each thread.
     # delay = 0
 
diff --git a/conf/plugins/load-tester.opt b/conf/plugins/load-tester.opt
index 7afe326..e68adec 100644
--- a/conf/plugins/load-tester.opt
+++ b/conf/plugins/load-tester.opt
@@ -20,6 +20,10 @@ charon.plugins.load-tester.ca_dir =
 charon.plugins.load-tester.child_rekey = 600
 	Seconds to start CHILD_SA rekeying after setup.
 
+charon.plugins.load-tester.crl
+	URI to a CRL to include as certificate distribution point in generated
+	certificates.
+
 charon.plugins.load-tester.delay = 0
 	Delay between initiatons for each thread.
 
diff --git a/conf/plugins/vici.conf b/conf/plugins/vici.conf
new file mode 100644
index 0000000..08fa586
--- /dev/null
+++ b/conf/plugins/vici.conf
@@ -0,0 +1,11 @@
+vici {
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+    # Socket the vici plugin serves clients.
+    # socket = unix://${piddir}/charon.vici
+
+}
+
diff --git a/conf/plugins/vici.opt b/conf/plugins/vici.opt
new file mode 100644
index 0000000..0fca873
--- /dev/null
+++ b/conf/plugins/vici.opt
@@ -0,0 +1,2 @@
+charon.plugins.vici.socket = unix://${piddir}/charon.vici
+	Socket the vici plugin serves clients.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 12fde49..d93c208 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -1,4 +1,8 @@
 .TP
+.BR aikgen.load " []"
+Plugins to load in ipsec aikgen tool.
+
+.TP
 .BR attest.database " []"
 File measurement information database URI. If it contains a password, make sure
 to adjust the permissions of the config file accordingly.
@@ -28,6 +32,20 @@ in the
 section.
 
 .TP
+.BR charon.accept_unencrypted_mainmode_messages " [no]"
+Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+
+Some implementations send the third Main Mode message unencrypted, probably to
+find the PSKs for the specified ID for authentication. This is very similar to
+Aggressive Mode, and has the same security implications: A passive attacker can
+sniff the negotiated Identity, and start brute forcing the PSK using the HASH
+payload.
+
+It is recommended to keep this option to no, unless you know exactly what the
+implications are and require compatibility to such devices (for example, some
+SonicWall boxes).
+
+.TP
 .BR charon.block_threshold " [5]"
 Maximum number of half\-open IKE_SAs for a single peer IP.
 
@@ -666,7 +684,7 @@ Maximum number of processed EAP\-TLS packets (0 = no limit).
 Maximum number of processed EAP\-TNC packets (0 = no limit).
 
 .TP
-.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
+.BR charon.plugins.eap-tnc.protocol " [tnccs-2.0]"
 IF\-TNCCS protocol version to be used 
 .RI "(" "tnccs\-1.1" ","
 .RI "" "tnccs\-2.0" ","
@@ -698,6 +716,14 @@ Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
 Start phase2 EAP TNC protocol after successful client authentication.
 
 .TP
+.BR charon.plugins.eap-ttls.phase2_tnc_method " [pt]"
+Phase2 EAP TNC transport protocol 
+.RI "(" "pt" ""
+as IETF standard or legacy
+.RI "" "tnc" ")"
+
+
+.TP
 .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
 Request peer authentication based on a client certificate.
 
@@ -735,134 +761,10 @@ to 0 to disable.
 .TP
 .BR charon.plugins.ha.segment_count " [1]"
 .TP
-.BR charon.plugins.imc-attestation.aik_blob " []"
-AIK encrypted private key blob file.
-
-.TP
-.BR charon.plugins.imc-attestation.aik_cert " []"
-AIK certificate file.
-
-.TP
-.BR charon.plugins.imc-attestation.aik_key " []"
-AIK public key file.
-
-.TP
-.BR charon.plugins.imc-attestation.mandatory_dh_groups " [yes]"
-Enforce mandatory Diffie\-Hellman groups.
-
-.TP
-.BR charon.plugins.imc-attestation.nonce_len " [20]"
-DH nonce length.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr17_after " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr17_before " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr17_meas " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr18_after " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr18_before " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr18_meas " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr_info " [yes]"
-Whether to send pcr_before and pcr_after info.
-
-.TP
-.BR charon.plugins.imc-attestation.use_quote2 " [yes]"
-Use Quote2 AIK signature instead of Quote signature.
-
-.TP
-.BR charon.plugins.imc-os.push_info " [yes]"
-Send operating system info without being prompted.
-
-.TP
-.BR charon.plugins.imc-scanner.push_info " [yes]"
-Send open listening ports without being prompted.
-
-.TP
-.BR charon.plugins.imc-swid.swid_directory " [${prefix}/share]"
-Directory where SWID tags are located.
-
-.TP
-.BR charon.plugins.imc-test.additional_ids " [0]"
-Number of additional IMC IDs.
-
-.TP
-.BR charon.plugins.imc-test.command " [none]"
-Command to be sent to the Test IMV.
-
-.TP
-.BR charon.plugins.imc-test.dummy_size " [0]"
-Size of dummy attribute to be sent to the Test IMV (0 = disabled).
-
-.TP
-.BR charon.plugins.imc-test.retry " [no]"
-Do a handshake retry.
-
-.TP
-.BR charon.plugins.imc-test.retry_command " []"
-Command to be sent to the Test IMV in the handshake retry.
-
-.TP
-.BR charon.plugins.imv-attestation.cadir " []"
-Path to directory with AIK cacerts.
-
-.TP
-.BR charon.plugins.imv-attestation.dh_group " [ecp256]"
-Preferred Diffie\-Hellman group.
-
-.TP
-.BR charon.plugins.imv-attestation.hash_algorithm " [sha256]"
-Preferred measurement hash algorithm.
-
-.TP
-.BR charon.plugins.imv-attestation.mandatory_dh_groups " [yes]"
-Enforce mandatory Diffie\-Hellman groups.
-
-.TP
-.BR charon.plugins.imv-attestation.min_nonce_len " [0]"
-DH minimum nonce length.
-
-.TP
-.BR charon.plugins.imv-os.remediation_uri " []"
-URI pointing to operating system remediation instructions.
-
-.TP
-.BR charon.plugins.imv-scanner.remediation_uri " []"
-URI pointing to scanner remediation instructions.
-
-.TP
-.BR charon.plugins.imv-test.rounds " [0]"
-Number of IMC\-IMV retry rounds.
-
-.TP
 .BR charon.plugins.ipseckey.enable " [no]"
 Enable fetching of IPSECKEY RRs via DNS.
 
 .TP
-.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
-Number of ipsecN devices.
-
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
-Set MTU of ipsecN device.
-
-.TP
 .BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
 Allow that the remote traffic selector equals the IKE peer. The route installed
 for such traffic (via TUN device) usually prevents further IKE traffic. The
@@ -928,6 +830,11 @@ Directory to load (intermediate) CA certificates from.
 Seconds to start CHILD_SA rekeying after setup.
 
 .TP
+.BR charon.plugins.load-tester.crl " []"
+URI to a CRL to include as certificate distribution point in generated
+certificates.
+
+.TP
 .BR charon.plugins.load-tester.delay " [0]"
 Delay between initiatons for each thread.
 
@@ -1360,6 +1267,10 @@ Config or IKEv2 Config Payloads (if enabled they can't be handled by other
 plugins, like resolve)
 
 .TP
+.BR charon.plugins.vici.socket " [unix://${piddir}/charon.vici]"
+Socket the vici plugin serves clients.
+
+.TP
 .BR charon.plugins.whitelist.enable " [yes]"
 Enable loaded whitelist plugin.
 
@@ -1397,6 +1308,11 @@ otherwise a random port
 will be allocated.
 
 .TP
+.BR charon.prefer_temporary_addrs " [no]"
+By default public IPv6 addresses are preferred over temporary ones (RFC 4941),
+to make connections more stable. Enable this option to reverse this.
+
+.TP
 .BR charon.process_route " [yes]"
 Process RTM_NEWROUTE and RTM_DELROUTE events.
 
@@ -1480,6 +1396,18 @@ Specific IKEv2 message type to delay, 0 for any.
 Send strongSwan vendor ID payload
 
 .TP
+.B charon.start-scripts
+.br
+Section containing a list of scripts (name = path) that are executed when the
+daemon is started.
+
+.TP
+.B charon.stop-scripts
+.br
+Section containing a list of scripts (name = path) that are executed when the
+daemon is terminated.
+
+.TP
 .B charon.syslog
 .br
 Section to define syslog loggers, see LOGGER CONFIGURATION in
@@ -1567,6 +1495,156 @@ Plugins to load in IMC/IMVs with stand\-alone
 library.
 
 .TP
+.BR libimcv.plugins.imc-attestation.aik_blob " []"
+AIK encrypted private key blob file.
+
+.TP
+.BR libimcv.plugins.imc-attestation.aik_cert " []"
+AIK certificate file.
+
+.TP
+.BR libimcv.plugins.imc-attestation.aik_pubkey " []"
+AIK public key file.
+
+.TP
+.BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
+.BR libimcv.plugins.imc-attestation.nonce_len " [20]"
+DH nonce length.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr17_after " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr17_before " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr17_meas " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr18_after " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr18_before " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr18_meas " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr_info " [no]"
+Whether to send pcr_before and pcr_after info.
+
+.TP
+.BR libimcv.plugins.imc-attestation.use_quote2 " [yes]"
+Use Quote2 AIK signature instead of Quote signature.
+
+.TP
+.BR libimcv.plugins.imc-os.device_cert " []"
+Manually set the path to the client device certificate (e.g.
+/etc/pts/aikCert.der)
+
+.TP
+.BR libimcv.plugins.imc-os.device_id " []"
+Manually set the client device ID in hexadecimal format (e.g.
+1083f03988c9762703b1c1080c2e46f72b99cc31)
+
+.TP
+.BR libimcv.plugins.imc-os.device_pubkey " []"
+Manually set the path to the client device public key (e.g. /etc/pts/aikPub.der)
+
+.TP
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted.
+
+.TP
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_directory " [${prefix}/share]"
+Directory where SWID tags are located.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_full " [FALSE]"
+Include file information in the XML\-encoded SWID tags.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_generator " [/usr/local/bin/swid_generator]"
+SWID generator command to be executed.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_pretty " [FALSE]"
+Generate XML\-encoded SWID tags with pretty indentation.
+
+.TP
+.BR libimcv.plugins.imc-test.additional_ids " [0]"
+Number of additional IMC IDs.
+
+.TP
+.BR libimcv.plugins.imc-test.command " [none]"
+Command to be sent to the Test IMV.
+
+.TP
+.BR libimcv.plugins.imc-test.dummy_size " [0]"
+Size of dummy attribute to be sent to the Test IMV (0 = disabled).
+
+.TP
+.BR libimcv.plugins.imc-test.retry " [no]"
+Do a handshake retry.
+
+.TP
+.BR libimcv.plugins.imc-test.retry_command " []"
+Command to be sent to the Test IMV in the handshake retry.
+
+.TP
+.BR libimcv.plugins.imv-attestation.cadir " []"
+Path to directory with AIK cacerts.
+
+.TP
+.BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
+Preferred Diffie\-Hellman group.
+
+.TP
+.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
+Preferred measurement hash algorithm.
+
+.TP
+.BR libimcv.plugins.imv-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
+.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
+DH minimum nonce length.
+
+.TP
+.BR libimcv.plugins.imv-os.remediation_uri " []"
+URI pointing to operating system remediation instructions.
+
+.TP
+.BR libimcv.plugins.imv-scanner.remediation_uri " []"
+URI pointing to scanner remediation instructions.
+
+.TP
+.BR libimcv.plugins.imv-swid.rest_api_timeout " [120]"
+Timeout of SWID REST API HTTP POST transaction.
+
+.TP
+.BR libimcv.plugins.imv-swid.rest_api_uri " []"
+HTTP URI of the SWID REST API.
+
+.TP
+.BR libimcv.plugins.imv-test.rounds " [0]"
+Number of IMC\-IMV retry rounds.
+
+.TP
 .BR libimcv.stderr_quiet " [no]"
 Disable output to stderr with a stand\-alone
 .RI "" "libimcv" ""
@@ -1670,3 +1748,7 @@ Plugins to load in starter.
 .BR starter.load_warning " [yes]"
 Disable charon plugin load option warning.
 
+.TP
+.BR swanctl.load " []"
+Plugins to load in swanctl.
+
diff --git a/config.h.in b/config.h.in
index bfcb4e2..1899b70 100644
--- a/config.h.in
+++ b/config.h.in
@@ -67,8 +67,8 @@
 /* Define to 1 if you have the `funopen' function. */
 #undef HAVE_FUNOPEN
 
-/* have GCC __sync_* atomic operations */
-#undef HAVE_GCC_ATOMIC_OPERATIONS
+/* have GCC __sync_* operations */
+#undef HAVE_GCC_SYNC_OPERATIONS
 
 /* have GCRY_CIPHER_CAMELLIA128 */
 #undef HAVE_GCRY_CIPHER_CAMELLIA
@@ -193,6 +193,9 @@
 /* Define to 1 if you have the `sem_timedwait' function. */
 #undef HAVE_SEM_TIMEDWAIT
 
+/* Define to 1 if you have the `setlinebuf' function. */
+#undef HAVE_SETLINEBUF
+
 /* have sqlite3_prepare_v2() */
 #undef HAVE_SQLITE3_PREPARE_V2
 
@@ -214,6 +217,9 @@
 /* Define to 1 if you have the <string.h> header file. */
 #undef HAVE_STRING_H
 
+/* Define to 1 if you have the `strptime' function. */
+#undef HAVE_STRPTIME
+
 /* Define to 1 if `sadb_x_policy_priority' is a member of `struct
    sadb_x_policy'. */
 #undef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
@@ -221,6 +227,9 @@
 /* Define to 1 if `sa_len' is a member of `struct sockaddr'. */
 #undef HAVE_STRUCT_SOCKADDR_SA_LEN
 
+/* have syslog(3) and friends */
+#undef HAVE_SYSLOG
+
 /* have sys/capability.h */
 #undef HAVE_SYS_CAPABILITY_H
 
@@ -258,9 +267,6 @@
 /* monolithic build embedding plugins */
 #undef MONOLITHIC
 
-/* Define to 1 if your C compiler doesn't accept -c and -o together. */
-#undef NO_MINUS_C_MINUS_O
-
 /* Name of package */
 #undef PACKAGE
 
diff --git a/configure b/configure
index 6c4e4c9..a2004a8 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.1.3.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.2.0.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.1.3'
-PACKAGE_STRING='strongSwan 5.1.3'
+PACKAGE_VERSION='5.2.0'
+PACKAGE_STRING='strongSwan 5.2.0'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -633,10 +633,18 @@ am__EXEEXT_TRUE
 LTLIBOBJS
 LIBOBJS
 strongswan_options
+USE_SVC_FALSE
+USE_SVC_TRUE
+USE_SWANCTL_FALSE
+USE_SWANCTL_TRUE
+USE_AIKGEN_FALSE
+USE_AIKGEN_TRUE
 USE_CMD_FALSE
 USE_CMD_TRUE
 USE_TKM_FALSE
 USE_TKM_TRUE
+USE_DBGHELP_FALSE
+USE_DBGHELP_TRUE
 COVERAGE_FALSE
 COVERAGE_TRUE
 USE_SILENT_RULES_FALSE
@@ -683,8 +691,10 @@ USE_CONFTEST_FALSE
 USE_CONFTEST_TRUE
 USE_SCRIPTS_FALSE
 USE_SCRIPTS_TRUE
-USE_TOOLS_FALSE
-USE_TOOLS_TRUE
+USE_SCEPCLIENT_FALSE
+USE_SCEPCLIENT_TRUE
+USE_PKI_FALSE
+USE_PKI_TRUE
 USE_NM_FALSE
 USE_NM_TRUE
 USE_CHARON_FALSE
@@ -721,8 +731,6 @@ USE_KERNEL_PFKEY_FALSE
 USE_KERNEL_PFKEY_TRUE
 USE_KERNEL_NETLINK_FALSE
 USE_KERNEL_NETLINK_TRUE
-USE_KERNEL_KLIPS_FALSE
-USE_KERNEL_KLIPS_TRUE
 USE_ATTR_SQL_FALSE
 USE_ATTR_SQL_TRUE
 USE_ATTR_FALSE
@@ -733,6 +741,8 @@ USE_ADDRBLOCK_FALSE
 USE_ADDRBLOCK_TRUE
 USE_FARP_FALSE
 USE_FARP_TRUE
+USE_SOCKET_WIN_FALSE
+USE_SOCKET_WIN_TRUE
 USE_SOCKET_DYNAMIC_FALSE
 USE_SOCKET_DYNAMIC_TRUE
 USE_SOCKET_DEFAULT_FALSE
@@ -835,6 +845,10 @@ USE_LOOKIP_FALSE
 USE_LOOKIP_TRUE
 USE_WHITELIST_FALSE
 USE_WHITELIST_TRUE
+USE_KERNEL_IPH_FALSE
+USE_KERNEL_IPH_TRUE
+USE_KERNEL_WFP_FALSE
+USE_KERNEL_WFP_TRUE
 USE_KERNEL_LIBIPSEC_FALSE
 USE_KERNEL_LIBIPSEC_TRUE
 USE_HA_FALSE
@@ -869,6 +883,8 @@ USE_MEDCLI_FALSE
 USE_MEDCLI_TRUE
 USE_MEDSRV_FALSE
 USE_MEDSRV_TRUE
+USE_VICI_FALSE
+USE_VICI_TRUE
 USE_STROKE_FALSE
 USE_STROKE_TRUE
 USE_NTRU_FALSE
@@ -961,6 +977,8 @@ USE_SOUP_FALSE
 USE_SOUP_TRUE
 USE_UNBOUND_FALSE
 USE_UNBOUND_TRUE
+USE_WINHTTP_FALSE
+USE_WINHTTP_TRUE
 USE_CURL_FALSE
 USE_CURL_TRUE
 USE_TEST_VECTORS_FALSE
@@ -969,6 +987,7 @@ t_plugins
 s_plugins
 h_plugins
 c_plugins
+aikgen_plugins
 cmd_plugins
 nm_plugins
 medsrv_plugins
@@ -998,8 +1017,8 @@ dbusservicedir
 maemo_LIBS
 maemo_CFLAGS
 MYSQLCFLAG
-MYSQLLIB
 MYSQLCONFIG
+MYSQLLIB
 clearsilver_LIBS
 RUBYLIB
 RUBYINCLUDE
@@ -1010,8 +1029,14 @@ xml_LIBS
 xml_CFLAGS
 soup_LIBS
 soup_CFLAGS
-PTHREADLIB
+PLUGIN_CFLAGS
+USE_WINDOWS_FALSE
+USE_WINDOWS_TRUE
+OPENSSL_LIB
 RTLIB
+USE_SYSLOG_FALSE
+USE_SYSLOG_TRUE
+PTHREADLIB
 SOCKLIB
 BTLIB
 DLLIB
@@ -1091,6 +1116,7 @@ ipsec_script
 routing_table_prio
 routing_table
 linux_headers
+swanctldir
 nm_ca_dir
 imcvdir
 plugindir
@@ -1188,6 +1214,7 @@ with_ipseclibdir
 with_plugindir
 with_imcvdir
 with_nm_ca_dir
+with_swanctldir
 with_linux_headers
 with_routing_table
 with_routing_table_prio
@@ -1241,6 +1268,7 @@ enable_curl
 enable_ldap
 enable_soup
 enable_unbound
+enable_winhttp
 enable_mysql
 enable_sqlite
 enable_addrblock
@@ -1279,14 +1307,17 @@ enable_xauth_noauth
 enable_kernel_netlink
 enable_kernel_pfkey
 enable_kernel_pfroute
-enable_kernel_klips
+enable_kernel_iph
 enable_kernel_libipsec
+enable_kernel_wfp
 enable_socket_default
 enable_socket_dynamic
+enable_socket_win
 enable_stroke
 enable_smp
 enable_sql
 enable_uci
+enable_vici
 enable_android_dns
 enable_attr
 enable_attr_sql
@@ -1326,6 +1357,7 @@ enable_systime_fix
 enable_test_vectors
 enable_unit_tester
 enable_updown
+enable_aikgen
 enable_charon
 enable_cmd
 enable_conftest
@@ -1336,10 +1368,14 @@ enable_manager
 enable_medcli
 enable_medsrv
 enable_nm
+enable_pki
+enable_scepclient
 enable_scripts
+enable_svc
+enable_swanctl
 enable_tkm
-enable_tools
 enable_bfd_backtraces
+enable_dbghelp_backtraces
 enable_ikev1
 enable_ikev2
 enable_integrity_test
@@ -1929,7 +1965,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.1.3 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.2.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1999,7 +2035,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.1.3:";;
+     short | recursive ) echo "Configuration of strongSwan 5.2.0:";;
    esac
   cat <<\_ACEOF
 
@@ -2054,6 +2090,7 @@ Optional Features:
   --enable-unbound        enable UNBOUND resolver plugin to perform DNS
                           queries via libunbound. Requires libldns and
                           libunbound.
+  --enable-winhttp        enable WinHTTP based HTTP/HTTPS fetching plugin.
   --enable-mysql          enable MySQL database support. Requires
                           libmysqlclient_r.
   --enable-sqlite         enable SQLite database support. Requires libsqlite3.
@@ -2103,17 +2140,22 @@ Optional Features:
                           disable the netlink kernel interface.
   --enable-kernel-pfkey   enable the PF_KEY kernel interface.
   --enable-kernel-pfroute enable the PF_ROUTE kernel interface.
-  --enable-kernel-klips   enable the KLIPS kernel interface.
+  --enable-kernel-iph     enable the Windows IP Helper based networking
+                          backend.
   --enable-kernel-libipsec
                           enable the libipsec kernel interface.
+  --enable-kernel-wfp     enable the Windows Filtering Platform IPsec backend.
   --disable-socket-default
                           disable default socket implementation for charon.
   --enable-socket-dynamic enable dynamic socket implementation for charon
+  --enable-socket-win     enable Winsock2 based socket implementation for
+                          charon
   --disable-stroke        disable charons stroke configuration backend.
   --enable-smp            enable SMP configuration and control interface.
                           Requires libxml.
   --enable-sql            enable SQL database configuration backend.
   --enable-uci            enable OpenWRT UCI configuration plugin.
+  --enable-vici           enable strongSwan IKE generic IPC interface plugin.
   --enable-android-dns    enable Android specific DNS handler.
   --disable-attr          disable strongswan.conf based configuration
                           attribute plugin.
@@ -2163,6 +2205,7 @@ Optional Features:
   --enable-test-vectors   enable plugin providing crypto test vectors.
   --enable-unit-tester    enable unit tests on IKEv2 daemon startup.
   --disable-updown        disable updown firewall script plugin.
+  --enable-aikgen         enable AIK generator.
   --disable-charon        disable the IKEv1/IKEv2 keying daemon charon.
   --enable-cmd            enable the command line IKE client charon-cmd.
   --enable-conftest       enforce Suite B conformance test framework.
@@ -2176,12 +2219,18 @@ Optional Features:
   --enable-medsrv         enable mediation server web frontend and daemon
                           plugin.
   --enable-nm             enable NetworkManager backend.
+  --disable-pki           disable pki certificate utility.
+  --disable-scepclient    disable SCEP client tool.
   --disable-scripts       disable additional utilities (found in directory
                           scripts).
+  --enable-svc            enable charon Windows service.
+  --enable-swanctl        enable swanctl configuration and control tool.
   --enable-tkm            enable Trusted Key Manager support.
-  --disable-tools         disable additional utilities (scepclient and pki).
   --enable-bfd-backtraces use binutils libbfd to resolve backtraces for memory
                           leaks and segfaults.
+  --enable-dbghelp-backtraces
+                          use dbghlp.dll on Windows to create and print
+                          backtraces for memory leaks and segfaults.
   --disable-ikev1         disable IKEv1 protocol support in charon.
   --disable-ikev2         disable IKEv2 protocol support in charon.
   --enable-integrity-test enable integrity testing of libstrongswan and
@@ -2240,6 +2289,8 @@ Optional Packages:
   --with-nm-ca-dir=arg    directory the NM backend uses to look up trusted
                           root certificates (default:
                           /usr/share/ca-certificates).
+  --with-swanctldir=arg   base directory for swanctl configuration files and
+                          credentials (default: ${sysconfdir}/swanctl).
   --with-linux-headers=arg
                           set directory of linux header files to use (default:
                           \${top_srcdir}/src/include).
@@ -2389,7 +2440,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.1.3
+strongSwan configure 5.2.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2911,7 +2962,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.1.3, which was
+It was created by strongSwan $as_me 5.2.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3259,7 +3310,7 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
-am__api_version='1.13'
+am__api_version='1.14'
 
 ac_aux_dir=
 for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
@@ -3774,7 +3825,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.1.3'
+ VERSION='5.2.0'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3941,6 +3992,47 @@ $as_echo "$am_cv_prog_tar_ustar" >&6; }
 
 
 
+# POSIX will say in a future version that running "rm -f" with no argument
+# is OK; and we want to be able to make that assumption in our Makefile
+# recipes.  So use an aggressive probe to check that the usage we want is
+# actually supported "in the wild" to an acceptable degree.
+# See automake bug#10828.
+# To make any issue more visible, cause the running configure to be aborted
+# by default if the 'rm' program in use doesn't match our expectations; the
+# user can still override this though.
+if rm -f && rm -fr && rm -rf; then : OK; else
+  cat >&2 <<'END'
+Oops!
+
+Your 'rm' program seems unable to run without file operands specified
+on the command line, even when the '-f' option is present.  This is contrary
+to the behaviour of most rm programs out there, and not conforming with
+the upcoming POSIX standard: <http://austingroupbugs.net/view.php?id=542>
+
+Please tell bug-automake at gnu.org about your system, including the value
+of your $PATH and any error possibly output before this message.  This
+can help us improve future automake versions.
+
+END
+  if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then
+    echo 'Configuration will proceed anyway, since you have set the' >&2
+    echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2
+    echo >&2
+  else
+    cat >&2 <<'END'
+Aborting the configuration process, to ensure you take notice of the issue.
+
+You can download and install GNU coreutils to get an 'rm' implementation
+that behaves properly: <http://www.gnu.org/software/coreutils/>.
+
+If you want to complete the configuration process using your problematic
+'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
+to "yes", and re-run configure.
+
+END
+    as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5
+  fi
+fi
 # Check whether --enable-silent-rules was given.
 if test "${enable_silent_rules+set}" = set; then :
   enableval=$enable_silent_rules;
@@ -4332,6 +4424,18 @@ fi
 
 
 
+# Check whether --with-swanctldir was given.
+if test "${with_swanctldir+set}" = set; then :
+  withval=$with_swanctldir; swanctldir="$withval"
+
+else
+  swanctldir="${sysconfdir}/swanctl"
+
+
+fi
+
+
+
 # Check whether --with-linux-headers was given.
 if test "${with_linux_headers+set}" = set; then :
   withval=$with_linux_headers; linux_headers="$withval"
@@ -5172,6 +5276,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" unbound"
 
+# Check whether --enable-winhttp was given.
+if test "${enable_winhttp+set}" = set; then :
+  enableval=$enable_winhttp; winhttp_given=true
+		if test x$enableval = xyes; then
+			winhttp=true
+		 else
+			winhttp=false
+		fi
+else
+  winhttp=false
+		winhttp_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" winhttp"
+
 # database plugins
 # Check whether --enable-mysql was given.
 if test "${enable_mysql+set}" = set; then :
@@ -5783,21 +5903,21 @@ fi
 
 	disabled_by_default=${disabled_by_default}" kernel_pfroute"
 
-# Check whether --enable-kernel-klips was given.
-if test "${enable_kernel_klips+set}" = set; then :
-  enableval=$enable_kernel_klips; kernel_klips_given=true
+# Check whether --enable-kernel-iph was given.
+if test "${enable_kernel_iph+set}" = set; then :
+  enableval=$enable_kernel_iph; kernel_iph_given=true
 		if test x$enableval = xyes; then
-			kernel_klips=true
+			kernel_iph=true
 		 else
-			kernel_klips=false
+			kernel_iph=false
 		fi
 else
-  kernel_klips=false
-		kernel_klips_given=false
+  kernel_iph=false
+		kernel_iph_given=false
 
 fi
 
-	disabled_by_default=${disabled_by_default}" kernel_klips"
+	disabled_by_default=${disabled_by_default}" kernel_iph"
 
 # Check whether --enable-kernel-libipsec was given.
 if test "${enable_kernel_libipsec+set}" = set; then :
@@ -5815,6 +5935,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" kernel_libipsec"
 
+# Check whether --enable-kernel-wfp was given.
+if test "${enable_kernel_wfp+set}" = set; then :
+  enableval=$enable_kernel_wfp; kernel_wfp_given=true
+		if test x$enableval = xyes; then
+			kernel_wfp=true
+		 else
+			kernel_wfp=false
+		fi
+else
+  kernel_wfp=false
+		kernel_wfp_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" kernel_wfp"
+
 # Check whether --enable-socket-default was given.
 if test "${enable_socket_default+set}" = set; then :
   enableval=$enable_socket_default; socket_default_given=true
@@ -5847,6 +5983,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" socket_dynamic"
 
+# Check whether --enable-socket-win was given.
+if test "${enable_socket_win+set}" = set; then :
+  enableval=$enable_socket_win; socket_win_given=true
+		if test x$enableval = xyes; then
+			socket_win=true
+		 else
+			socket_win=false
+		fi
+else
+  socket_win=false
+		socket_win_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" socket_win"
+
 # configuration/control plugins
 # Check whether --enable-stroke was given.
 if test "${enable_stroke+set}" = set; then :
@@ -5912,6 +6064,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" uci"
 
+# Check whether --enable-vici was given.
+if test "${enable_vici+set}" = set; then :
+  enableval=$enable_vici; vici_given=true
+		if test x$enableval = xyes; then
+			vici=true
+		 else
+			vici=false
+		fi
+else
+  vici=false
+		vici_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" vici"
+
 # attribute provider/consumer plugins
 # Check whether --enable-android-dns was given.
 if test "${enable_android_dns+set}" = set; then :
@@ -6540,6 +6708,22 @@ fi
 	enabled_by_default=${enabled_by_default}" updown"
 
 # programs/components
+# Check whether --enable-aikgen was given.
+if test "${enable_aikgen+set}" = set; then :
+  enableval=$enable_aikgen; aikgen_given=true
+		if test x$enableval = xyes; then
+			aikgen=true
+		 else
+			aikgen=false
+		fi
+else
+  aikgen=false
+		aikgen_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" aikgen"
+
 # Check whether --enable-charon was given.
 if test "${enable_charon+set}" = set; then :
   enableval=$enable_charon; charon_given=true
@@ -6700,6 +6884,38 @@ fi
 
 	disabled_by_default=${disabled_by_default}" nm"
 
+# Check whether --enable-pki was given.
+if test "${enable_pki+set}" = set; then :
+  enableval=$enable_pki; pki_given=true
+		if test x$enableval = xyes; then
+			pki=true
+		 else
+			pki=false
+		fi
+else
+  pki=true
+		pki_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" pki"
+
+# Check whether --enable-scepclient was given.
+if test "${enable_scepclient+set}" = set; then :
+  enableval=$enable_scepclient; scepclient_given=true
+		if test x$enableval = xyes; then
+			scepclient=true
+		 else
+			scepclient=false
+		fi
+else
+  scepclient=true
+		scepclient_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" scepclient"
+
 # Check whether --enable-scripts was given.
 if test "${enable_scripts+set}" = set; then :
   enableval=$enable_scripts; scripts_given=true
@@ -6716,37 +6932,53 @@ fi
 
 	enabled_by_default=${enabled_by_default}" scripts"
 
-# Check whether --enable-tkm was given.
-if test "${enable_tkm+set}" = set; then :
-  enableval=$enable_tkm; tkm_given=true
+# Check whether --enable-svc was given.
+if test "${enable_svc+set}" = set; then :
+  enableval=$enable_svc; svc_given=true
 		if test x$enableval = xyes; then
-			tkm=true
+			svc=true
 		 else
-			tkm=false
+			svc=false
 		fi
 else
-  tkm=false
-		tkm_given=false
+  svc=false
+		svc_given=false
 
 fi
 
-	disabled_by_default=${disabled_by_default}" tkm"
+	disabled_by_default=${disabled_by_default}" svc"
+
+# Check whether --enable-swanctl was given.
+if test "${enable_swanctl+set}" = set; then :
+  enableval=$enable_swanctl; swanctl_given=true
+		if test x$enableval = xyes; then
+			swanctl=true
+		 else
+			swanctl=false
+		fi
+else
+  swanctl=false
+		swanctl_given=false
 
-# Check whether --enable-tools was given.
-if test "${enable_tools+set}" = set; then :
-  enableval=$enable_tools; tools_given=true
+fi
+
+	disabled_by_default=${disabled_by_default}" swanctl"
+
+# Check whether --enable-tkm was given.
+if test "${enable_tkm+set}" = set; then :
+  enableval=$enable_tkm; tkm_given=true
 		if test x$enableval = xyes; then
-			tools=true
+			tkm=true
 		 else
-			tools=false
+			tkm=false
 		fi
 else
-  tools=true
-		tools_given=false
+  tkm=false
+		tkm_given=false
 
 fi
 
-	enabled_by_default=${enabled_by_default}" tools"
+	disabled_by_default=${disabled_by_default}" tkm"
 
 # optional features
 # Check whether --enable-bfd-backtraces was given.
@@ -6765,6 +6997,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" bfd_backtraces"
 
+# Check whether --enable-dbghelp-backtraces was given.
+if test "${enable_dbghelp_backtraces+set}" = set; then :
+  enableval=$enable_dbghelp_backtraces; dbghelp_backtraces_given=true
+		if test x$enableval = xyes; then
+			dbghelp_backtraces=true
+		 else
+			dbghelp_backtraces=false
+		fi
+else
+  dbghelp_backtraces=false
+		dbghelp_backtraces_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" dbghelp_backtraces"
+
 # Check whether --enable-ikev1 was given.
 if test "${enable_ikev1+set}" = set; then :
   enableval=$enable_ikev1; ikev1_given=true
@@ -7778,6 +8026,65 @@ ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC understands -c and -o together" >&5
+$as_echo_n "checking whether $CC understands -c and -o together... " >&6; }
+if ${am_cv_prog_cc_c_o+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+  # Make sure it works both with $CC and with simple cc.
+  # Following AC_PROG_CC_C_O, we do the test twice because some
+  # compilers refuse to overwrite an existing .o file with -o,
+  # though they will create one.
+  am_cv_prog_cc_c_o=yes
+  for am_i in 1 2; do
+    if { echo "$as_me:$LINENO: $CC -c conftest.$ac_ext -o conftest2.$ac_objext" >&5
+   ($CC -c conftest.$ac_ext -o conftest2.$ac_objext) >&5 2>&5
+   ac_status=$?
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
+   (exit $ac_status); } \
+         && test -f conftest2.$ac_objext; then
+      : OK
+    else
+      am_cv_prog_cc_c_o=no
+      break
+    fi
+  done
+  rm -f core conftest*
+  unset am_i
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_cc_c_o" >&5
+$as_echo "$am_cv_prog_cc_c_o" >&6; }
+if test "$am_cv_prog_cc_c_o" != yes; then
+   # Losing compiler, so override with the script.
+   # FIXME: It is wrong to rewrite CC.
+   # But if we don't then we get into trouble of one sort or another.
+   # A longer-term fix would be to have automake use am__CC in this case,
+   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+   CC="$am_aux_dir/compile $CC"
+fi
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
 DEPDIR="${am__leading_dot}deps"
 
 ac_config_commands="$ac_config_commands depfiles"
@@ -7970,131 +8277,6 @@ else
 fi
 
 
-if test "x$CC" != xcc; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC and cc understand -c and -o together" >&5
-$as_echo_n "checking whether $CC and cc understand -c and -o together... " >&6; }
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc understands -c and -o together" >&5
-$as_echo_n "checking whether cc understands -c and -o together... " >&6; }
-fi
-set dummy $CC; ac_cc=`$as_echo "$2" |
-		      sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
-if eval \${ac_cv_prog_cc_${ac_cc}_c_o+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-# Make sure it works both with $CC and with simple cc.
-# We do the test twice because some compilers refuse to overwrite an
-# existing .o file with -o, though they will create one.
-ac_try='$CC -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
-rm -f conftest2.*
-if { { case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } &&
-   test -f conftest2.$ac_objext && { { case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; };
-then
-  eval ac_cv_prog_cc_${ac_cc}_c_o=yes
-  if test "x$CC" != xcc; then
-    # Test first that cc exists at all.
-    if { ac_try='cc -c conftest.$ac_ext >&5'
-  { { case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; }; then
-      ac_try='cc -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
-      rm -f conftest2.*
-      if { { case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } &&
-	 test -f conftest2.$ac_objext && { { case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; };
-      then
-	# cc works too.
-	:
-      else
-	# cc exists but doesn't like -o.
-	eval ac_cv_prog_cc_${ac_cc}_c_o=no
-      fi
-    fi
-  fi
-else
-  eval ac_cv_prog_cc_${ac_cc}_c_o=no
-fi
-rm -f core conftest*
-
-fi
-if eval test \$ac_cv_prog_cc_${ac_cc}_c_o = yes; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
-$as_echo "#define NO_MINUS_C_MINUS_O 1" >>confdefs.h
-
-fi
-
-# FIXME: we rely on the cache variable name because
-# there is no other way.
-set dummy $CC
-am_cc=`echo $2 | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
-eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
-if test "$am_t" != yes; then
-   # Losing compiler, so override with the script.
-   # FIXME: It is wrong to rewrite CC.
-   # But if we don't then we get into trouble of one sort or another.
-   # A longer-term fix would be to have automake use am__CC in this case,
-   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
-   CC="$am_aux_dir/compile $CC"
-fi
-
 
 
 # Make sure we can run config.sub.
@@ -16780,6 +16962,10 @@ if test x$fips_prf = xtrue; then
 	fi
 fi
 
+if test x$swanctl = xtrue; then
+	vici=true
+fi
+
 if test x$smp = xtrue -o x$tnccs_11 = xtrue -o x$tnc_ifmap = xtrue; then
 	xml=true
 fi
@@ -17421,11 +17607,11 @@ fi
 
 
 
-# FreeBSD has clock_gettime in libc, Linux needs librt
+# Android has pthread_* functions in bionic (libc), others need libpthread
 LIBS=""
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
-$as_echo_n "checking for library containing clock_gettime... " >&6; }
-if ${ac_cv_search_clock_gettime+:} false; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing pthread_create" >&5
+$as_echo_n "checking for library containing pthread_create... " >&6; }
+if ${ac_cv_search_pthread_create+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -17438,16 +17624,16 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char clock_gettime ();
+char pthread_create ();
 int
 main ()
 {
-return clock_gettime ();
+return pthread_create ();
   ;
   return 0;
 }
 _ACEOF
-for ac_lib in '' rt; do
+for ac_lib in '' pthread; do
   if test -z "$ac_lib"; then
     ac_res="none required"
   else
@@ -17455,86 +17641,15 @@ for ac_lib in '' rt; do
     LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
   fi
   if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search_clock_gettime=$ac_res
+  ac_cv_search_pthread_create=$ac_res
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if ${ac_cv_search_clock_gettime+:} false; then :
+  if ${ac_cv_search_pthread_create+:} false; then :
   break
 fi
 done
-if ${ac_cv_search_clock_gettime+:} false; then :
-
-else
-  ac_cv_search_clock_gettime=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_clock_gettime" >&5
-$as_echo "$ac_cv_search_clock_gettime" >&6; }
-ac_res=$ac_cv_search_clock_gettime
-if test "$ac_res" != no; then :
-  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-  RTLIB=$LIBS
-fi
-
-for ac_func in clock_gettime
-do :
-  ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
-if test "x$ac_cv_func_clock_gettime" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_CLOCK_GETTIME 1
-_ACEOF
-
-fi
-done
-
-
-
-# Android has pthread_* functions in bionic (libc), others need libpthread
-LIBS=""
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing pthread_create" >&5
-$as_echo_n "checking for library containing pthread_create... " >&6; }
-if ${ac_cv_search_pthread_create+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char pthread_create ();
-int
-main ()
-{
-return pthread_create ();
-  ;
-  return 0;
-}
-_ACEOF
-for ac_lib in '' pthread; do
-  if test -z "$ac_lib"; then
-    ac_res="none required"
-  else
-    ac_res=-l$ac_lib
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-  fi
-  if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search_pthread_create=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext
-  if ${ac_cv_search_pthread_create+:} false; then :
-  break
-fi
-done
-if ${ac_cv_search_pthread_create+:} false; then :
+if ${ac_cv_search_pthread_create+:} false; then :
 
 else
   ac_cv_search_pthread_create=no
@@ -17830,7 +17945,7 @@ _ACEOF
 fi
 done
 
-for ac_func in fmemopen funopen mmap memrchr
+for ac_func in fmemopen funopen mmap memrchr setlinebuf strptime
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -17843,6 +17958,25 @@ fi
 done
 
 
+ac_fn_c_check_func "$LINENO" "syslog" "ac_cv_func_syslog"
+if test "x$ac_cv_func_syslog" = xyes; then :
+
+
+$as_echo "#define HAVE_SYSLOG /**/" >>confdefs.h
+
+	syslog=true
+
+fi
+
+ if test "x$syslog" = xtrue; then
+  USE_SYSLOG_TRUE=
+  USE_SYSLOG_FALSE='#'
+else
+  USE_SYSLOG_TRUE='#'
+  USE_SYSLOG_FALSE=
+fi
+
+
 for ac_header in sys/sockio.h glob.h net/if_tun.h linux/fib_rules.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
@@ -17931,7 +18065,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 int
 main ()
 {
-struct in6_addr in6;
+struct in6_addr in6 __attribute__((unused));
 		  in6 = in6addr_any;
   ;
   return 0;
@@ -18082,8 +18216,8 @@ $as_echo "no" >&6; }
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc atomic operations" >&5
-$as_echo_n "checking for gcc atomic operations... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GCC __sync operations" >&5
+$as_echo_n "checking for GCC __sync operations... " >&6; }
 if test "$cross_compiling" = yes; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
@@ -18093,10 +18227,9 @@ else
 /* end confdefs.h.  */
 
 			int main() {
-			volatile int ref = 1;
+			int ref = 1;
 			__sync_fetch_and_add (&ref, 1);
 			__sync_sub_and_fetch (&ref, 1);
-			/* Make sure test fails if operations are not supported */
 			__sync_val_compare_and_swap(&ref, 1, 0);
 			return ref;
 		}
@@ -18106,7 +18239,7 @@ if ac_fn_c_try_run "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; };
 
-$as_echo "#define HAVE_GCC_ATOMIC_OPERATIONS /**/" >>confdefs.h
+$as_echo "#define HAVE_GCC_SYNC_OPERATIONS /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -18160,6 +18293,196 @@ fi
 
 fi
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Windows target" >&5
+$as_echo_n "checking for Windows target... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <windows.h>
+int
+main ()
+{
+#ifndef WIN32
+		  # error WIN32 undefined
+		  #endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		windows=true
+		openssl_lib=eay32
+		PTHREADLIB=""
+
+		# explicitly disable ms-bitfields, as it breaks __attribute__((packed))
+		case "$CFLAGS" in
+			*ms-bitfields*) ;;
+			*) CFLAGS="$CFLAGS -mno-ms-bitfields" ;;
+		esac
+
+else
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		openssl_lib=crypto
+
+		# check for clock_gettime() on non-Windows only. Otherwise this
+		# check might find clock_gettime() in libwinpthread, but we don't want
+		# to link against it.
+		saved_LIBS=$LIBS
+		# FreeBSD has clock_gettime in libc, Linux needs librt
+		LIBS=""
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
+$as_echo_n "checking for library containing clock_gettime... " >&6; }
+if ${ac_cv_search_clock_gettime+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char clock_gettime ();
+int
+main ()
+{
+return clock_gettime ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' rt; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_clock_gettime=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_clock_gettime+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_clock_gettime+:} false; then :
+
+else
+  ac_cv_search_clock_gettime=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_clock_gettime" >&5
+$as_echo "$ac_cv_search_clock_gettime" >&6; }
+ac_res=$ac_cv_search_clock_gettime
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+  RTLIB=$LIBS
+fi
+
+		for ac_func in clock_gettime
+do :
+  ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
+if test "x$ac_cv_func_clock_gettime" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_CLOCK_GETTIME 1
+_ACEOF
+
+fi
+done
+
+
+		LIBS=$saved_LIBS
+
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+OPENSSL_LIB=-l$openssl_lib
+
+ if test "x$windows" = xtrue; then
+  USE_WINDOWS_TRUE=
+  USE_WINDOWS_FALSE='#'
+else
+  USE_WINDOWS_TRUE='#'
+  USE_WINDOWS_FALSE=
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working __attribute__((packed))" >&5
+$as_echo_n "checking for working __attribute__((packed))... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+		struct test { char a; short b; } __attribute__((packed));
+		char x[sizeof(struct test) == sizeof(char) + sizeof(short) ? 1 : -1]
+			__attribute__((unused));
+		return 0;
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }; as_fn_error $? "__attribute__((packed)) does not work" "$LINENO" 5
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking clang" >&5
+$as_echo_n "checking clang... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+		 #ifndef __clang__
+		 # error not using LLVM clang
+		 #endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		# GCC, but not MinGW requires -rdynamic for plugins
+		if test x$windows != xtrue; then
+			PLUGIN_CFLAGS=-rdynamic
+
+		fi
+
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 if test x$printf_hooks = xvstr; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lvstr" >&5
 $as_echo_n "checking for main in -lvstr... " >&6; }
@@ -18774,6 +19097,53 @@ $as_echo "#define TSS_TROUSERS /**/" >>confdefs.h
 
 fi
 
+if test x$imv_swid = xtrue; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ljson" >&5
+$as_echo_n "checking for main in -ljson... " >&6; }
+if ${ac_cv_lib_json_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ljson  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_json_main=yes
+else
+  ac_cv_lib_json_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_json_main" >&5
+$as_echo "$ac_cv_lib_json_main" >&6; }
+if test "x$ac_cv_lib_json_main" = xyes; then :
+  LIBS="$LIBS"
+else
+  as_fn_error $? "JSON library libjson not found" "$LINENO" 5
+fi
+
+	ac_fn_c_check_header_mongrel "$LINENO" "json/json.h" "ac_cv_header_json_json_h" "$ac_includes_default"
+if test "x$ac_cv_header_json_json_h" = xyes; then :
+
+else
+  as_fn_error $? "JSON header json/json.h not found!" "$LINENO" 5
+fi
+
+
+fi
+
 if test x$dumm = xtrue; then
 
 pkg_failed=no
@@ -19135,7 +19505,55 @@ fi
 fi
 
 if test x$mysql = xtrue; then
-	# Extract the first word of "mysql_config", so it can be a program name with args.
+	if test "x$windows" = xtrue; then
+		ac_fn_c_check_header_mongrel "$LINENO" "mysql.h" "ac_cv_header_mysql_h" "$ac_includes_default"
+if test "x$ac_cv_header_mysql_h" = xyes; then :
+
+else
+  as_fn_error $? "MySQL header file mysql.h not found!" "$LINENO" 5
+fi
+
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lmysql" >&5
+$as_echo_n "checking for main in -lmysql... " >&6; }
+if ${ac_cv_lib_mysql_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lmysql  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_mysql_main=yes
+else
+  ac_cv_lib_mysql_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysql_main" >&5
+$as_echo "$ac_cv_lib_mysql_main" >&6; }
+if test "x$ac_cv_lib_mysql_main" = xyes; then :
+  LIBS="$LIBS"
+else
+  as_fn_error $? "MySQL library not found!" "$LINENO" 5
+fi
+
+		MYSQLLIB=-lmysql
+
+	else
+		# Extract the first word of "mysql_config", so it can be a program name with args.
 set dummy mysql_config; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
@@ -19176,13 +19594,14 @@ $as_echo "no" >&6; }
 fi
 
 
-	if test x$MYSQLCONFIG = x; then
-		as_fn_error $? "mysql_config not found!" "$LINENO" 5
-	fi
-	MYSQLLIB=`$MYSQLCONFIG --libs_r`
+		if test x$MYSQLCONFIG = x; then
+			as_fn_error $? "mysql_config not found!" "$LINENO" 5
+		fi
+		MYSQLLIB=`$MYSQLCONFIG --libs_r`
 
-	MYSQLCFLAG=`$MYSQLCONFIG --cflags`
+		MYSQLCFLAG=`$MYSQLCONFIG --cflags`
 
+	fi
 fi
 
 if test x$sqlite = xtrue; then
@@ -19283,13 +19702,14 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$openssl = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcrypto" >&5
-$as_echo_n "checking for main in -lcrypto... " >&6; }
-if ${ac_cv_lib_crypto_main+:} false; then :
+	as_ac_Lib=`$as_echo "ac_cv_lib_$openssl_lib''_main" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -l$openssl_lib" >&5
+$as_echo_n "checking for main in -l$openssl_lib... " >&6; }
+if eval \${$as_ac_Lib+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lcrypto  $LIBS"
+LIBS="-l$openssl_lib  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -19303,20 +19723,21 @@ return main ();
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_crypto_main=yes
+  eval "$as_ac_Lib=yes"
 else
-  ac_cv_lib_crypto_main=no
+  eval "$as_ac_Lib=no"
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_main" >&5
-$as_echo "$ac_cv_lib_crypto_main" >&6; }
-if test "x$ac_cv_lib_crypto_main" = xyes; then :
+eval ac_res=\$$as_ac_Lib
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
   LIBS="$LIBS"
 else
-  as_fn_error $? "OpenSSL crypto library not found" "$LINENO" 5
+  as_fn_error $? "OpenSSL lib$openssl_lib not found" "$LINENO" 5
 fi
 
 	ac_fn_c_check_header_mongrel "$LINENO" "openssl/evp.h" "ac_cv_header_openssl_evp_h" "$ac_includes_default"
@@ -20354,6 +20775,7 @@ manager_plugins=
 medsrv_plugins=
 nm_plugins=
 cmd_plugins=
+aikgen_plugins=
 
 # location specific lists for checksumming,
 # for src/libcharon, src/libhydra, src/libstrongswan and src/libtnccs
@@ -20374,15 +20796,25 @@ if test x$curl = xtrue; then
 		s_plugins=${s_plugins}" curl"
 		charon_plugins=${charon_plugins}" curl"
 		scepclient_plugins=${scepclient_plugins}" curl"
+		pki_plugins=${pki_plugins}" curl"
 		scripts_plugins=${scripts_plugins}" curl"
 		nm_plugins=${nm_plugins}" curl"
 		cmd_plugins=${cmd_plugins}" curl"
 
 	fi
 
+if test x$winhttp = xtrue; then
+		s_plugins=${s_plugins}" winhttp"
+		charon_plugins=${charon_plugins}" winhttp"
+		pki_plugins=${pki_plugins}" winhttp"
+		scripts_plugins=${scripts_plugins}" winhttp"
+
+	fi
+
 if test x$soup = xtrue; then
 		s_plugins=${s_plugins}" soup"
 		charon_plugins=${charon_plugins}" soup"
+		pki_plugins=${pki_plugins}" soup"
 		scripts_plugins=${scripts_plugins}" soup"
 		nm_plugins=${nm_plugins}" soup"
 		cmd_plugins=${cmd_plugins}" soup"
@@ -20489,6 +20921,7 @@ if test x$sha1 = xtrue; then
 		attest_plugins=${attest_plugins}" sha1"
 		nm_plugins=${nm_plugins}" sha1"
 		cmd_plugins=${cmd_plugins}" sha1"
+		aikgen_plugins=${aikgen_plugins}" sha1"
 
 	fi
 
@@ -20502,6 +20935,7 @@ if test x$sha2 = xtrue; then
 		attest_plugins=${attest_plugins}" sha2"
 		nm_plugins=${nm_plugins}" sha2"
 		cmd_plugins=${cmd_plugins}" sha2"
+		aikgen_plugins=${aikgen_plugins}" sha2"
 
 	fi
 
@@ -20525,6 +20959,7 @@ if test x$md5 = xtrue; then
 		attest_plugins=${attest_plugins}" md5"
 		nm_plugins=${nm_plugins}" md5"
 		cmd_plugins=${cmd_plugins}" md5"
+		aikgen_plugins=${aikgen_plugins}" md5"
 
 	fi
 
@@ -20538,6 +20973,7 @@ if test x$rdrand = xtrue; then
 		attest_plugins=${attest_plugins}" rdrand"
 		nm_plugins=${nm_plugins}" rdrand"
 		cmd_plugins=${cmd_plugins}" rdrand"
+		aikgen_plugins=${aikgen_plugins}" rdrand"
 
 	fi
 
@@ -20551,6 +20987,7 @@ if test x$random = xtrue; then
 		attest_plugins=${attest_plugins}" random"
 		nm_plugins=${nm_plugins}" random"
 		cmd_plugins=${cmd_plugins}" random"
+		aikgen_plugins=${aikgen_plugins}" random"
 
 	fi
 
@@ -20559,6 +20996,7 @@ if test x$nonce = xtrue; then
 		charon_plugins=${charon_plugins}" nonce"
 		nm_plugins=${nm_plugins}" nonce"
 		cmd_plugins=${cmd_plugins}" nonce"
+		aikgen_plugins=${aikgen_plugins}" nonce"
 
 	fi
 
@@ -20571,12 +21009,14 @@ if test x$x509 = xtrue; then
 		attest_plugins=${attest_plugins}" x509"
 		nm_plugins=${nm_plugins}" x509"
 		cmd_plugins=${cmd_plugins}" x509"
+		aikgen_plugins=${aikgen_plugins}" x509"
 
 	fi
 
 if test x$revocation = xtrue; then
 		s_plugins=${s_plugins}" revocation"
 		charon_plugins=${charon_plugins}" revocation"
+		pki_plugins=${pki_plugins}" revocation"
 		nm_plugins=${nm_plugins}" revocation"
 		cmd_plugins=${cmd_plugins}" revocation"
 
@@ -20600,6 +21040,7 @@ if test x$pubkey = xtrue; then
 		s_plugins=${s_plugins}" pubkey"
 		charon_plugins=${charon_plugins}" pubkey"
 		cmd_plugins=${cmd_plugins}" pubkey"
+		aikgen_plugins=${aikgen_plugins}" pubkey"
 
 	fi
 
@@ -20614,6 +21055,7 @@ if test x$pkcs1 = xtrue; then
 		attest_plugins=${attest_plugins}" pkcs1"
 		nm_plugins=${nm_plugins}" pkcs1"
 		cmd_plugins=${cmd_plugins}" pkcs1"
+		aikgen_plugins=${aikgen_plugins}" pkcs1"
 
 	fi
 
@@ -20697,6 +21139,7 @@ if test x$pem = xtrue; then
 		attest_plugins=${attest_plugins}" pem"
 		nm_plugins=${nm_plugins}" pem"
 		cmd_plugins=${cmd_plugins}" pem"
+		aikgen_plugins=${aikgen_plugins}" pem"
 
 	fi
 
@@ -20717,6 +21160,7 @@ if test x$openssl = xtrue; then
 		attest_plugins=${attest_plugins}" openssl"
 		nm_plugins=${nm_plugins}" openssl"
 		cmd_plugins=${cmd_plugins}" openssl"
+		aikgen_plugins=${aikgen_plugins}" openssl"
 
 	fi
 
@@ -20731,6 +21175,7 @@ if test x$gcrypt = xtrue; then
 		attest_plugins=${attest_plugins}" gcrypt"
 		nm_plugins=${nm_plugins}" gcrypt"
 		cmd_plugins=${cmd_plugins}" gcrypt"
+		aikgen_plugins=${aikgen_plugins}" gcrypt"
 
 	fi
 
@@ -20744,6 +21189,7 @@ if test x$af_alg = xtrue; then
 		attest_plugins=${attest_plugins}" af-alg"
 		nm_plugins=${nm_plugins}" af-alg"
 		cmd_plugins=${cmd_plugins}" af-alg"
+		aikgen_plugins=${aikgen_plugins}" af-alg"
 
 	fi
 
@@ -20766,6 +21212,7 @@ if test x$gmp = xtrue; then
 		attest_plugins=${attest_plugins}" gmp"
 		nm_plugins=${nm_plugins}" gmp"
 		cmd_plugins=${cmd_plugins}" gmp"
+		aikgen_plugins=${aikgen_plugins}" gmp"
 
 	fi
 
@@ -20870,6 +21317,18 @@ if test x$kernel_libipsec = xtrue; then
 
 	fi
 
+if test x$kernel_wfp = xtrue; then
+		c_plugins=${c_plugins}" kernel-wfp"
+		charon_plugins=${charon_plugins}" kernel-wfp"
+
+	fi
+
+if test x$kernel_iph = xtrue; then
+		c_plugins=${c_plugins}" kernel-iph"
+		charon_plugins=${charon_plugins}" kernel-iph"
+
+	fi
+
 if test x$kernel_pfkey = xtrue; then
 		h_plugins=${h_plugins}" kernel-pfkey"
 		charon_plugins=${charon_plugins}" kernel-pfkey"
@@ -20888,13 +21347,6 @@ if test x$kernel_pfroute = xtrue; then
 
 	fi
 
-if test x$kernel_klips = xtrue; then
-		h_plugins=${h_plugins}" kernel-klips"
-		charon_plugins=${charon_plugins}" kernel-klips"
-		starter_plugins=${starter_plugins}" kernel-klips"
-
-	fi
-
 if test x$kernel_netlink = xtrue; then
 		h_plugins=${h_plugins}" kernel-netlink"
 		charon_plugins=${charon_plugins}" kernel-netlink"
@@ -20926,6 +21378,12 @@ if test x$socket_dynamic = xtrue; then
 
 	fi
 
+if test x$socket_win = xtrue; then
+		c_plugins=${c_plugins}" socket-win"
+		charon_plugins=${charon_plugins}" socket-win"
+
+	fi
+
 if test x$farp = xtrue; then
 		c_plugins=${c_plugins}" farp"
 		charon_plugins=${charon_plugins}" farp"
@@ -20938,6 +21396,12 @@ if test x$stroke = xtrue; then
 
 	fi
 
+if test x$vici = xtrue; then
+		c_plugins=${c_plugins}" vici"
+		charon_plugins=${charon_plugins}" vici"
+
+	fi
+
 if test x$smp = xtrue; then
 		c_plugins=${c_plugins}" smp"
 		charon_plugins=${charon_plugins}" smp"
@@ -21296,6 +21760,7 @@ if test x$unit_tester = xtrue; then
 
 
 
+
 # ======================
 #  set Makefile.am vars
 # ======================
@@ -21318,6 +21783,14 @@ else
   USE_CURL_FALSE=
 fi
 
+ if test x$winhttp = xtrue; then
+  USE_WINHTTP_TRUE=
+  USE_WINHTTP_FALSE='#'
+else
+  USE_WINHTTP_TRUE='#'
+  USE_WINHTTP_FALSE=
+fi
+
  if test x$unbound = xtrue; then
   USE_UNBOUND_TRUE=
   USE_UNBOUND_FALSE='#'
@@ -21689,6 +22162,14 @@ else
   USE_STROKE_FALSE=
 fi
 
+ if test x$vici = xtrue; then
+  USE_VICI_TRUE=
+  USE_VICI_FALSE='#'
+else
+  USE_VICI_TRUE='#'
+  USE_VICI_FALSE=
+fi
+
  if test x$medsrv = xtrue; then
   USE_MEDSRV_TRUE=
   USE_MEDSRV_FALSE='#'
@@ -21825,6 +22306,22 @@ else
   USE_KERNEL_LIBIPSEC_FALSE=
 fi
 
+ if test x$kernel_wfp = xtrue; then
+  USE_KERNEL_WFP_TRUE=
+  USE_KERNEL_WFP_FALSE='#'
+else
+  USE_KERNEL_WFP_TRUE='#'
+  USE_KERNEL_WFP_FALSE=
+fi
+
+ if test x$kernel_iph = xtrue; then
+  USE_KERNEL_IPH_TRUE=
+  USE_KERNEL_IPH_FALSE='#'
+else
+  USE_KERNEL_IPH_TRUE='#'
+  USE_KERNEL_IPH_FALSE=
+fi
+
  if test x$whitelist = xtrue; then
   USE_WHITELIST_TRUE=
   USE_WHITELIST_FALSE='#'
@@ -22233,6 +22730,14 @@ else
   USE_SOCKET_DYNAMIC_FALSE=
 fi
 
+ if test x$socket_win = xtrue; then
+  USE_SOCKET_WIN_TRUE=
+  USE_SOCKET_WIN_FALSE='#'
+else
+  USE_SOCKET_WIN_TRUE='#'
+  USE_SOCKET_WIN_FALSE=
+fi
+
  if test x$farp = xtrue; then
   USE_FARP_TRUE=
   USE_FARP_FALSE='#'
@@ -22276,14 +22781,6 @@ else
   USE_ATTR_SQL_FALSE=
 fi
 
- if test x$kernel_klips = xtrue; then
-  USE_KERNEL_KLIPS_TRUE=
-  USE_KERNEL_KLIPS_FALSE='#'
-else
-  USE_KERNEL_KLIPS_TRUE='#'
-  USE_KERNEL_KLIPS_FALSE=
-fi
-
  if test x$kernel_netlink = xtrue; then
   USE_KERNEL_NETLINK_TRUE=
   USE_KERNEL_NETLINK_FALSE='#'
@@ -22431,12 +22928,20 @@ else
   USE_NM_FALSE=
 fi
 
- if test x$tools = xtrue; then
-  USE_TOOLS_TRUE=
-  USE_TOOLS_FALSE='#'
+ if test x$pki = xtrue; then
+  USE_PKI_TRUE=
+  USE_PKI_FALSE='#'
+else
+  USE_PKI_TRUE='#'
+  USE_PKI_FALSE=
+fi
+
+ if test x$scepclient = xtrue; then
+  USE_SCEPCLIENT_TRUE=
+  USE_SCEPCLIENT_FALSE='#'
 else
-  USE_TOOLS_TRUE='#'
-  USE_TOOLS_FALSE=
+  USE_SCEPCLIENT_TRUE='#'
+  USE_SCEPCLIENT_FALSE=
 fi
 
  if test x$scripts = xtrue; then
@@ -22455,7 +22960,7 @@ else
   USE_CONFTEST_FALSE=
 fi
 
- if test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue; then
+ if test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue; then
   USE_LIBSTRONGSWAN_TRUE=
   USE_LIBSTRONGSWAN_FALSE='#'
 else
@@ -22463,7 +22968,7 @@ else
   USE_LIBSTRONGSWAN_FALSE=
 fi
 
- if test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue; then
+ if test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue; then
   USE_LIBHYDRA_TRUE=
   USE_LIBHYDRA_FALSE='#'
 else
@@ -22471,7 +22976,7 @@ else
   USE_LIBHYDRA_FALSE=
 fi
 
- if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue; then
+ if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue; then
   USE_LIBCHARON_TRUE=
   USE_LIBCHARON_FALSE='#'
 else
@@ -22519,7 +23024,7 @@ else
   USE_FILE_CONFIG_FALSE=
 fi
 
- if test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue; then
+ if test x$stroke = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue; then
   USE_IPSEC_SCRIPT_TRUE=
   USE_IPSEC_SCRIPT_FALSE='#'
 else
@@ -22591,7 +23096,7 @@ else
   USE_PTS_FALSE=
 fi
 
- if test x$tss = xtrousers; then
+ if test x$tss = xtrousers -o x$aikgen = xtrue; then
   USE_TROUSERS_TRUE=
   USE_TROUSERS_FALSE='#'
 else
@@ -22623,6 +23128,14 @@ else
   COVERAGE_FALSE=
 fi
 
+ if test x$dbghelp_backtraces = xtrue; then
+  USE_DBGHELP_TRUE=
+  USE_DBGHELP_FALSE='#'
+else
+  USE_DBGHELP_TRUE='#'
+  USE_DBGHELP_FALSE=
+fi
+
  if test x$tkm = xtrue; then
   USE_TKM_TRUE=
   USE_TKM_FALSE='#'
@@ -22639,6 +23152,30 @@ else
   USE_CMD_FALSE=
 fi
 
+ if test x$aikgen = xtrue; then
+  USE_AIKGEN_TRUE=
+  USE_AIKGEN_FALSE='#'
+else
+  USE_AIKGEN_TRUE='#'
+  USE_AIKGEN_FALSE=
+fi
+
+ if test x$swanctl = xtrue; then
+  USE_SWANCTL_TRUE=
+  USE_SWANCTL_FALSE='#'
+else
+  USE_SWANCTL_TRUE='#'
+  USE_SWANCTL_FALSE=
+fi
+
+ if test x$svc = xtrue; then
+  USE_SVC_TRUE=
+  USE_SVC_FALSE='#'
+else
+  USE_SVC_TRUE='#'
+  USE_SVC_FALSE=
+fi
+
 
 # ========================
 #  set global definitions
@@ -22676,6 +23213,9 @@ fi
 
 strongswan_options=
 
+if test -z "$USE_AIKGEN_TRUE"; then :
+  strongswan_options=${strongswan_options}" aikgen"
+fi
 if test -z "$USE_ATTR_SQL_TRUE"; then :
   strongswan_options=${strongswan_options}" pool"
 fi
@@ -22703,8 +23243,14 @@ fi
 if test -z "$USE_MEDSRV_TRUE"; then :
   strongswan_options=${strongswan_options}" medsrv"
 fi
-if test -z "$USE_TOOLS_TRUE"; then :
-  strongswan_options=${strongswan_options}" tools"
+if test -z "$USE_SCEPCLIENT_TRUE"; then :
+  strongswan_options=${strongswan_options}" scepclient"
+fi
+if test -z "$USE_PKI_TRUE"; then :
+  strongswan_options=${strongswan_options}" pki"
+fi
+if test -z "$USE_SWANCTL_TRUE"; then :
+  strongswan_options=${strongswan_options}" swanctl"
 fi
 
 
@@ -22713,14 +23259,14 @@ fi
 #  build Makefiles
 # =================
 
-ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/li [...]
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/li [...]
 
 
 # =================
 #  build man pages
 # =================
 
-ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---acert.1 src/pki/man/pki---verify.1"
+ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---acert.1 src/pki/man/pki---verify.1 src/swanctl/swanctl.8 src/swanctl/swa [...]
 
 
 cat >confcache <<\_ACEOF
@@ -22861,6 +23407,14 @@ if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 
+if test -z "${USE_SYSLOG_TRUE}" && test -z "${USE_SYSLOG_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SYSLOG\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_WINDOWS_TRUE}" && test -z "${USE_WINDOWS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_WINDOWS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_DEV_HEADERS_TRUE}" && test -z "${USE_DEV_HEADERS_FALSE}"; then
   as_fn_error $? "conditional \"USE_DEV_HEADERS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -22873,6 +23427,10 @@ if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
   as_fn_error $? "conditional \"USE_CURL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_WINHTTP_TRUE}" && test -z "${USE_WINHTTP_FALSE}"; then
+  as_fn_error $? "conditional \"USE_WINHTTP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_UNBOUND_TRUE}" && test -z "${USE_UNBOUND_FALSE}"; then
   as_fn_error $? "conditional \"USE_UNBOUND\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -23057,6 +23615,10 @@ if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
   as_fn_error $? "conditional \"USE_STROKE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_VICI_TRUE}" && test -z "${USE_VICI_FALSE}"; then
+  as_fn_error $? "conditional \"USE_VICI\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_MEDSRV_TRUE}" && test -z "${USE_MEDSRV_FALSE}"; then
   as_fn_error $? "conditional \"USE_MEDSRV\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -23125,6 +23687,14 @@ if test -z "${USE_KERNEL_LIBIPSEC_TRUE}" && test -z "${USE_KERNEL_LIBIPSEC_FALSE
   as_fn_error $? "conditional \"USE_KERNEL_LIBIPSEC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_KERNEL_WFP_TRUE}" && test -z "${USE_KERNEL_WFP_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_WFP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_KERNEL_IPH_TRUE}" && test -z "${USE_KERNEL_IPH_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_IPH\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_WHITELIST_TRUE}" && test -z "${USE_WHITELIST_FALSE}"; then
   as_fn_error $? "conditional \"USE_WHITELIST\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -23329,6 +23899,10 @@ if test -z "${USE_SOCKET_DYNAMIC_TRUE}" && test -z "${USE_SOCKET_DYNAMIC_FALSE}"
   as_fn_error $? "conditional \"USE_SOCKET_DYNAMIC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_SOCKET_WIN_TRUE}" && test -z "${USE_SOCKET_WIN_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SOCKET_WIN\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_FARP_TRUE}" && test -z "${USE_FARP_FALSE}"; then
   as_fn_error $? "conditional \"USE_FARP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -23349,10 +23923,6 @@ if test -z "${USE_ATTR_SQL_TRUE}" && test -z "${USE_ATTR_SQL_FALSE}"; then
   as_fn_error $? "conditional \"USE_ATTR_SQL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_KERNEL_KLIPS_TRUE}" && test -z "${USE_KERNEL_KLIPS_FALSE}"; then
-  as_fn_error $? "conditional \"USE_KERNEL_KLIPS\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
   as_fn_error $? "conditional \"USE_KERNEL_NETLINK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -23425,8 +23995,12 @@ if test -z "${USE_NM_TRUE}" && test -z "${USE_NM_FALSE}"; then
   as_fn_error $? "conditional \"USE_NM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_TOOLS_TRUE}" && test -z "${USE_TOOLS_FALSE}"; then
-  as_fn_error $? "conditional \"USE_TOOLS\" was never defined.
+if test -z "${USE_PKI_TRUE}" && test -z "${USE_PKI_FALSE}"; then
+  as_fn_error $? "conditional \"USE_PKI\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_SCEPCLIENT_TRUE}" && test -z "${USE_SCEPCLIENT_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SCEPCLIENT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SCRIPTS_TRUE}" && test -z "${USE_SCRIPTS_FALSE}"; then
@@ -23521,6 +24095,10 @@ if test -z "${COVERAGE_TRUE}" && test -z "${COVERAGE_FALSE}"; then
   as_fn_error $? "conditional \"COVERAGE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_DBGHELP_TRUE}" && test -z "${USE_DBGHELP_FALSE}"; then
+  as_fn_error $? "conditional \"USE_DBGHELP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_TKM_TRUE}" && test -z "${USE_TKM_FALSE}"; then
   as_fn_error $? "conditional \"USE_TKM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -23529,6 +24107,18 @@ if test -z "${USE_CMD_TRUE}" && test -z "${USE_CMD_FALSE}"; then
   as_fn_error $? "conditional \"USE_CMD\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_AIKGEN_TRUE}" && test -z "${USE_AIKGEN_FALSE}"; then
+  as_fn_error $? "conditional \"USE_AIKGEN\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_SWANCTL_TRUE}" && test -z "${USE_SWANCTL_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SWANCTL\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_SVC_TRUE}" && test -z "${USE_SVC_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SVC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 
 : "${CONFIG_STATUS=./config.status}"
 ac_write_fail=0
@@ -23926,7 +24516,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.1.3, which was
+This file was extended by strongSwan $as_me 5.2.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -23992,7 +24582,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.1.3
+strongSwan config.status 5.2.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -24439,6 +25029,7 @@ do
     "src/libstrongswan/plugins/sshkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sshkey/Makefile" ;;
     "src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;;
     "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;;
+    "src/libstrongswan/plugins/winhttp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/winhttp/Makefile" ;;
     "src/libstrongswan/plugins/unbound/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/unbound/Makefile" ;;
     "src/libstrongswan/plugins/soup/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/soup/Makefile" ;;
     "src/libstrongswan/plugins/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ldap/Makefile" ;;
@@ -24460,7 +25051,6 @@ do
     "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
     "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;;
     "src/libhydra/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr_sql/Makefile" ;;
-    "src/libhydra/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_klips/Makefile" ;;
     "src/libhydra/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_netlink/Makefile" ;;
     "src/libhydra/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfkey/Makefile" ;;
     "src/libhydra/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfroute/Makefile" ;;
@@ -24495,6 +25085,7 @@ do
     "src/charon-nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-nm/Makefile" ;;
     "src/charon-tkm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-tkm/Makefile" ;;
     "src/charon-cmd/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-cmd/Makefile" ;;
+    "src/charon-svc/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-svc/Makefile" ;;
     "src/libcharon/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/Makefile" ;;
     "src/libcharon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka/Makefile" ;;
     "src/libcharon/plugins/eap_aka_3gpp2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka_3gpp2/Makefile" ;;
@@ -24522,6 +25113,7 @@ do
     "src/libcharon/plugins/tnc_pdp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_pdp/Makefile" ;;
     "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;;
     "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;;
+    "src/libcharon/plugins/socket_win/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_win/Makefile" ;;
     "src/libcharon/plugins/farp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/farp/Makefile" ;;
     "src/libcharon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/smp/Makefile" ;;
     "src/libcharon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/sql/Makefile" ;;
@@ -24534,6 +25126,8 @@ do
     "src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;;
     "src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;;
     "src/libcharon/plugins/kernel_libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_libipsec/Makefile" ;;
+    "src/libcharon/plugins/kernel_wfp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_wfp/Makefile" ;;
+    "src/libcharon/plugins/kernel_iph/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_iph/Makefile" ;;
     "src/libcharon/plugins/whitelist/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/whitelist/Makefile" ;;
     "src/libcharon/plugins/lookip/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/lookip/Makefile" ;;
     "src/libcharon/plugins/error_notify/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/error_notify/Makefile" ;;
@@ -24548,6 +25142,7 @@ do
     "src/libcharon/plugins/android_log/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android_log/Makefile" ;;
     "src/libcharon/plugins/maemo/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/maemo/Makefile" ;;
     "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
+    "src/libcharon/plugins/vici/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/Makefile" ;;
     "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;;
     "src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;;
     "src/libcharon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unit_tester/Makefile" ;;
@@ -24555,10 +25150,12 @@ do
     "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
     "src/ipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/ipsec/Makefile" ;;
     "src/starter/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/Makefile" ;;
+    "src/starter/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/tests/Makefile" ;;
     "src/_updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown/Makefile" ;;
     "src/_updown_espmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown_espmark/Makefile" ;;
     "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;;
     "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
+    "src/aikgen/Makefile") CONFIG_FILES="$CONFIG_FILES src/aikgen/Makefile" ;;
     "src/pki/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/Makefile" ;;
     "src/pki/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/man/Makefile" ;;
     "src/pool/Makefile") CONFIG_FILES="$CONFIG_FILES src/pool/Makefile" ;;
@@ -24570,6 +25167,7 @@ do
     "src/checksum/Makefile") CONFIG_FILES="$CONFIG_FILES src/checksum/Makefile" ;;
     "src/conftest/Makefile") CONFIG_FILES="$CONFIG_FILES src/conftest/Makefile" ;;
     "src/pt-tls-client/Makefile") CONFIG_FILES="$CONFIG_FILES src/pt-tls-client/Makefile" ;;
+    "src/swanctl/Makefile") CONFIG_FILES="$CONFIG_FILES src/swanctl/Makefile" ;;
     "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
     "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
     "conf/strongswan.conf.5.head") CONFIG_FILES="$CONFIG_FILES conf/strongswan.conf.5.head" ;;
@@ -24589,6 +25187,9 @@ do
     "src/pki/man/pki---signcrl.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---signcrl.1" ;;
     "src/pki/man/pki---acert.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---acert.1" ;;
     "src/pki/man/pki---verify.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---verify.1" ;;
+    "src/swanctl/swanctl.8") CONFIG_FILES="$CONFIG_FILES src/swanctl/swanctl.8" ;;
+    "src/swanctl/swanctl.conf.5.head") CONFIG_FILES="$CONFIG_FILES src/swanctl/swanctl.conf.5.head" ;;
+    "src/swanctl/swanctl.conf.5.tail") CONFIG_FILES="$CONFIG_FILES src/swanctl/swanctl.conf.5.tail" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
diff --git a/configure.ac b/configure.ac
index 2ad372b..8f4d763 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.1.3])
+AC_INIT([strongSwan],[5.2.0])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -56,6 +56,7 @@ ARG_WITH_SUBST([ipseclibdir],        [${libdir%/}/ipsec], [set installation path
 ARG_WITH_SUBST([plugindir],          [${ipseclibdir%/}/plugins], [set the installation path of plugins])
 ARG_WITH_SUBST([imcvdir],            [${ipseclibdir%/}/imcvs], [set the installation path of IMC and IMV dynamic librariers])
 ARG_WITH_SUBST([nm-ca-dir],          [/usr/share/ca-certificates], [directory the NM backend uses to look up trusted root certificates])
+ARG_WITH_SUBST([swanctldir],         [${sysconfdir}/swanctl], [base directory for swanctl configuration files and credentials])
 ARG_WITH_SUBST([linux-headers],      [\${top_srcdir}/src/include], [set directory of linux header files to use])
 ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec routes])
 ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
@@ -160,6 +161,7 @@ ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via l
 ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
 ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
 ARG_ENABL_SET([unbound],        [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
+ARG_ENABL_SET([winhttp],        [enable WinHTTP based HTTP/HTTPS fetching plugin.])
 # database plugins
 ARG_ENABL_SET([mysql],          [enable MySQL database support. Requires libmysqlclient_r.])
 ARG_ENABL_SET([sqlite],         [enable SQLite database support. Requires libsqlite3.])
@@ -201,15 +203,18 @@ ARG_ENABL_SET([xauth-noauth],   [enable XAuth pseudo-backend that does not actua
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
 ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
 ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
-ARG_ENABL_SET([kernel-klips],   [enable the KLIPS kernel interface.])
+ARG_ENABL_SET([kernel-iph],     [enable the Windows IP Helper based networking backend.])
 ARG_ENABL_SET([kernel-libipsec],[enable the libipsec kernel interface.])
+ARG_ENABL_SET([kernel-wfp],     [enable the Windows Filtering Platform IPsec backend.])
 ARG_DISBL_SET([socket-default], [disable default socket implementation for charon.])
 ARG_ENABL_SET([socket-dynamic], [enable dynamic socket implementation for charon])
+ARG_ENABL_SET([socket-win],     [enable Winsock2 based socket implementation for charon])
 # configuration/control plugins
 ARG_DISBL_SET([stroke],         [disable charons stroke configuration backend.])
 ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
 ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
+ARG_ENABL_SET([vici],           [enable strongSwan IKE generic IPC interface plugin.])
 # attribute provider/consumer plugins
 ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
 ARG_DISBL_SET([attr],           [disable strongswan.conf based configuration attribute plugin.])
@@ -253,6 +258,7 @@ ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
 ARG_ENABL_SET([unit-tester],    [enable unit tests on IKEv2 daemon startup.])
 ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
 # programs/components
+ARG_ENABL_SET([aikgen],         [enable AIK generator.])
 ARG_DISBL_SET([charon],         [disable the IKEv1/IKEv2 keying daemon charon.])
 ARG_ENABL_SET([cmd],            [enable the command line IKE client charon-cmd.])
 ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
@@ -263,11 +269,15 @@ ARG_ENABL_SET([manager],        [enable web management console (proof of concept
 ARG_ENABL_SET([medcli],         [enable mediation client configuration database plugin.])
 ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon plugin.])
 ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
+ARG_DISBL_SET([pki],            [disable pki certificate utility.])
+ARG_DISBL_SET([scepclient],     [disable SCEP client tool.])
 ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
+ARG_ENABL_SET([svc],            [enable charon Windows service.])
+ARG_ENABL_SET([swanctl],        [enable swanctl configuration and control tool.])
 ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
-ARG_DISBL_SET([tools],          [disable additional utilities (scepclient and pki).])
 # optional features
 ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
+ARG_ENABL_SET([dbghelp-backtraces],[use dbghlp.dll on Windows to create and print backtraces for memory leaks and segfaults.])
 ARG_DISBL_SET([ikev1],          [disable IKEv1 protocol support in charon.])
 ARG_DISBL_SET([ikev2],          [disable IKEv2 protocol support in charon.])
 ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
@@ -397,6 +407,10 @@ if test x$fips_prf = xtrue; then
 	fi
 fi
 
+if test x$swanctl = xtrue; then
+	vici=true
+fi
+
 if test x$smp = xtrue -o x$tnccs_11 = xtrue -o x$tnc_ifmap = xtrue; then
 	xml=true
 fi
@@ -444,12 +458,6 @@ AC_SEARCH_LIBS(socket, socket, [SOCKLIB=$LIBS],
 )
 AC_SUBST(SOCKLIB)
 
-# FreeBSD has clock_gettime in libc, Linux needs librt
-LIBS=""
-AC_SEARCH_LIBS(clock_gettime, rt, [RTLIB=$LIBS])
-AC_CHECK_FUNCS(clock_gettime)
-AC_SUBST(RTLIB)
-
 # Android has pthread_* functions in bionic (libc), others need libpthread
 LIBS=""
 AC_SEARCH_LIBS(pthread_create, pthread, [PTHREADLIB=$LIBS])
@@ -559,7 +567,13 @@ AC_CHECK_FUNC(
 )
 
 AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r)
-AC_CHECK_FUNCS(fmemopen funopen mmap memrchr)
+AC_CHECK_FUNCS(fmemopen funopen mmap memrchr setlinebuf strptime)
+
+AC_CHECK_FUNC([syslog], [
+	AC_DEFINE([HAVE_SYSLOG], [], [have syslog(3) and friends])
+	syslog=true
+])
+AM_CONDITIONAL(USE_SYSLOG, [test "x$syslog" = xtrue])
 
 AC_CHECK_HEADERS(sys/sockio.h glob.h net/if_tun.h linux/fib_rules.h)
 AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
@@ -592,7 +606,7 @@ AC_COMPILE_IFELSE(
 		[[#include <sys/types.h>
 		  #include <sys/socket.h>
 		  #include <netinet/in.h>]],
-		[[struct in6_addr in6;
+		[[struct in6_addr in6 __attribute__((unused));
 		  in6 = in6addr_any;]])],
 	[AC_MSG_RESULT([yes]);
 	 AC_DEFINE([HAVE_IN6ADDR_ANY], [], [have struct in6_addr in6addr_any])],
@@ -667,21 +681,20 @@ AC_COMPILE_IFELSE(
 	[AC_MSG_RESULT([no])]
 )
 
-AC_MSG_CHECKING([for gcc atomic operations])
+AC_MSG_CHECKING([for GCC __sync operations])
 AC_RUN_IFELSE([AC_LANG_SOURCE(
 	[[
 			int main() {
-			volatile int ref = 1;
+			int ref = 1;
 			__sync_fetch_and_add (&ref, 1);
 			__sync_sub_and_fetch (&ref, 1);
-			/* Make sure test fails if operations are not supported */
 			__sync_val_compare_and_swap(&ref, 1, 0);
 			return ref;
 		}
 	]])],
 	[AC_MSG_RESULT([yes]);
-	 AC_DEFINE([HAVE_GCC_ATOMIC_OPERATIONS], [],
-		   [have GCC __sync_* atomic operations])],
+	 AC_DEFINE([HAVE_GCC_SYNC_OPERATIONS], [],
+		   [have GCC __sync_* operations])],
 	[AC_MSG_RESULT([no])],
 	[AC_MSG_RESULT([no])]
 )
@@ -717,6 +730,76 @@ if test x$printf_hooks = xauto -o x$printf_hooks = xglibc; then
 	)
 fi
 
+AC_MSG_CHECKING([for Windows target])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <windows.h>]],
+		[[#ifndef WIN32
+		  # error WIN32 undefined
+		  #endif
+		]])],
+	[
+		AC_MSG_RESULT([yes])
+		windows=true
+		openssl_lib=eay32
+		AC_SUBST(PTHREADLIB, "")
+		# explicitly disable ms-bitfields, as it breaks __attribute__((packed))
+		case "$CFLAGS" in
+			*ms-bitfields*) ;;
+			*) CFLAGS="$CFLAGS -mno-ms-bitfields" ;;
+		esac
+	],
+	[
+		AC_MSG_RESULT([no])
+		openssl_lib=crypto
+
+		# check for clock_gettime() on non-Windows only. Otherwise this
+		# check might find clock_gettime() in libwinpthread, but we don't want
+		# to link against it.
+		saved_LIBS=$LIBS
+		# FreeBSD has clock_gettime in libc, Linux needs librt
+		LIBS=""
+		AC_SEARCH_LIBS(clock_gettime, rt, [RTLIB=$LIBS])
+		AC_CHECK_FUNCS(clock_gettime)
+		AC_SUBST(RTLIB)
+		LIBS=$saved_LIBS
+	]
+)
+AC_SUBST(OPENSSL_LIB, [-l$openssl_lib])
+AM_CONDITIONAL(USE_WINDOWS, [test "x$windows" = xtrue])
+
+AC_MSG_CHECKING([for working __attribute__((packed))])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM([], [[
+		struct test { char a; short b; } __attribute__((packed));
+		char x[sizeof(struct test) == sizeof(char) + sizeof(short) ? 1 : -1]
+			__attribute__((unused));
+		return 0;
+	]])],
+	[AC_MSG_RESULT([yes])],
+	[AC_MSG_RESULT([no]); AC_MSG_ERROR([__attribute__((packed)) does not work])]
+)
+
+AC_MSG_CHECKING([clang])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[], [[
+		 #ifndef __clang__
+		 # error not using LLVM clang
+		 #endif
+		]])],
+	[
+		AC_MSG_RESULT([yes])
+	],
+	[
+		AC_MSG_RESULT([no])
+		# GCC, but not MinGW requires -rdynamic for plugins
+		if test x$windows != xtrue; then
+			AC_SUBST(PLUGIN_CFLAGS, [-rdynamic])
+		fi
+	]
+)
+
 if test x$printf_hooks = xvstr; then
 	AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
 	AC_DEFINE([USE_VSTR], [], [use Vstr string library for printf hooks])
@@ -792,6 +875,11 @@ if test x$tss = xtrousers; then
 	AC_DEFINE([TSS_TROUSERS], [], [use TrouSerS library libtspi as TSS implementation])
 fi
 
+if test x$imv_swid = xtrue; then
+	AC_CHECK_LIB([json],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([JSON library libjson not found])],[])
+	AC_CHECK_HEADER([json/json.h],,[AC_MSG_ERROR([JSON header json/json.h not found!])])
+fi
+
 if test x$dumm = xtrue; then
 	PKG_CHECK_MODULES(gtk, [gtk+-2.0 vte])
 	AC_SUBST(gtk_CFLAGS)
@@ -858,12 +946,18 @@ if test x$fast = xtrue; then
 fi
 
 if test x$mysql = xtrue; then
-	AC_PATH_PROG([MYSQLCONFIG], [mysql_config], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
-	if test x$MYSQLCONFIG = x; then
-		AC_MSG_ERROR([mysql_config not found!])
+	if test "x$windows" = xtrue; then
+		AC_CHECK_HEADER([mysql.h],,[AC_MSG_ERROR([MySQL header file mysql.h not found!])])
+		AC_CHECK_LIB([mysql],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([MySQL library not found!])],[])
+		AC_SUBST(MYSQLLIB, -lmysql)
+	else
+		AC_PATH_PROG([MYSQLCONFIG], [mysql_config], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+		if test x$MYSQLCONFIG = x; then
+			AC_MSG_ERROR([mysql_config not found!])
+		fi
+		AC_SUBST(MYSQLLIB, `$MYSQLCONFIG --libs_r`)
+		AC_SUBST(MYSQLCFLAG, `$MYSQLCONFIG --cflags`)
 	fi
-	AC_SUBST(MYSQLLIB, `$MYSQLCONFIG --libs_r`)
-	AC_SUBST(MYSQLCFLAG, `$MYSQLCONFIG --cflags`)
 fi
 
 if test x$sqlite = xtrue; then
@@ -892,7 +986,7 @@ if test x$sqlite = xtrue; then
 fi
 
 if test x$openssl = xtrue; then
-	AC_CHECK_LIB([crypto],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])],[])
+	AC_CHECK_LIB([$openssl_lib],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL lib$openssl_lib not found])],[])
 	AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
 fi
 
@@ -1060,6 +1154,7 @@ manager_plugins=
 medsrv_plugins=
 nm_plugins=
 cmd_plugins=
+aikgen_plugins=
 
 # location specific lists for checksumming,
 # for src/libcharon, src/libhydra, src/libstrongswan and src/libtnccs
@@ -1069,8 +1164,9 @@ s_plugins=
 t_plugins=
 
 ADD_PLUGIN([test-vectors],         [s charon scepclient pki])
-ADD_PLUGIN([curl],                 [s charon scepclient scripts nm cmd])
-ADD_PLUGIN([soup],                 [s charon scripts nm cmd])
+ADD_PLUGIN([curl],                 [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([winhttp],              [s charon pki scripts])
+ADD_PLUGIN([soup],                 [s charon pki scripts nm cmd])
 ADD_PLUGIN([unbound],              [s charon scripts])
 ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm cmd])
 ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
@@ -1080,19 +1176,19 @@ ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([blowfish],             [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([rc2],                  [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([sha2],                 [s charon scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([sha2],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([md4],                  [s charon manager scepclient pki nm cmd])
-ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd])
-ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([random],               [s charon scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([nonce],                [s charon nm cmd])
-ADD_PLUGIN([x509],                 [s charon scepclient pki scripts attest nm cmd])
-ADD_PLUGIN([revocation],           [s charon nm cmd])
+ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd aikgen])
+ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([random],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([nonce],                [s charon nm cmd aikgen])
+ADD_PLUGIN([x509],                 [s charon scepclient pki scripts attest nm cmd aikgen])
+ADD_PLUGIN([revocation],           [s charon pki nm cmd])
 ADD_PLUGIN([constraints],          [s charon nm cmd])
 ADD_PLUGIN([acert],                [s charon])
-ADD_PLUGIN([pubkey],               [s charon cmd])
-ADD_PLUGIN([pkcs1],                [s charon scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pubkey],               [s charon cmd aikgen])
+ADD_PLUGIN([pkcs1],                [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([pkcs7],                [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([pkcs8],                [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([pkcs12],               [s charon scepclient pki scripts cmd])
@@ -1101,13 +1197,13 @@ ADD_PLUGIN([dnskey],               [s charon pki])
 ADD_PLUGIN([sshkey],               [s charon pki nm cmd])
 ADD_PLUGIN([dnscert],              [c charon])
 ADD_PLUGIN([ipseckey],             [c charon])
-ADD_PLUGIN([pem],                  [s charon scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pem],                  [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([padlock],              [s charon])
-ADD_PLUGIN([openssl],              [s charon scepclient pki scripts manager medsrv attest nm cmd])
-ADD_PLUGIN([gcrypt],               [s charon scepclient pki scripts manager medsrv attest nm cmd])
-ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([openssl],              [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([gcrypt],               [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([fips-prf],             [s charon nm cmd])
-ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([agent],                [s charon nm cmd])
 ADD_PLUGIN([keychain],             [s charon cmd])
 ADD_PLUGIN([xcbc],                 [s charon nm cmd])
@@ -1121,15 +1217,18 @@ ADD_PLUGIN([attr],                 [h charon])
 ADD_PLUGIN([attr-sql],             [h charon])
 ADD_PLUGIN([load-tester],          [c charon])
 ADD_PLUGIN([kernel-libipsec],      [c charon cmd])
+ADD_PLUGIN([kernel-wfp],           [c charon])
+ADD_PLUGIN([kernel-iph],           [c charon])
 ADD_PLUGIN([kernel-pfkey],         [h charon starter nm cmd])
 ADD_PLUGIN([kernel-pfroute],       [h charon starter nm cmd])
-ADD_PLUGIN([kernel-klips],         [h charon starter])
 ADD_PLUGIN([kernel-netlink],       [h charon starter nm cmd])
 ADD_PLUGIN([resolve],              [h charon cmd])
 ADD_PLUGIN([socket-default],       [c charon nm cmd])
 ADD_PLUGIN([socket-dynamic],       [c charon cmd])
+ADD_PLUGIN([socket-win],           [c charon])
 ADD_PLUGIN([farp],                 [c charon])
 ADD_PLUGIN([stroke],               [c charon])
+ADD_PLUGIN([vici],                 [c charon])
 ADD_PLUGIN([smp],                  [c charon])
 ADD_PLUGIN([sql],                  [c charon])
 ADD_PLUGIN([updown],               [c charon])
@@ -1196,6 +1295,7 @@ AC_SUBST(manager_plugins)
 AC_SUBST(medsrv_plugins)
 AC_SUBST(nm_plugins)
 AC_SUBST(cmd_plugins)
+AC_SUBST(aikgen_plugins)
 
 AC_SUBST(c_plugins)
 AC_SUBST(h_plugins)
@@ -1210,6 +1310,7 @@ AC_SUBST(t_plugins)
 # -----------------------
 AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
 AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
+AM_CONDITIONAL(USE_WINHTTP, test x$winhttp = xtrue)
 AM_CONDITIONAL(USE_UNBOUND, test x$unbound = xtrue)
 AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue)
 AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
@@ -1259,6 +1360,7 @@ AM_CONDITIONAL(USE_NTRU, test x$ntru = xtrue)
 #  charon plugins
 # ----------------
 AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
+AM_CONDITIONAL(USE_VICI, test x$vici = xtrue)
 AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
 AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
 AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
@@ -1276,6 +1378,8 @@ AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
 AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
 AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
 AM_CONDITIONAL(USE_KERNEL_LIBIPSEC, test x$kernel_libipsec = xtrue)
+AM_CONDITIONAL(USE_KERNEL_WFP, test x$kernel_wfp = xtrue)
+AM_CONDITIONAL(USE_KERNEL_IPH, test x$kernel_iph = xtrue)
 AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
 AM_CONDITIONAL(USE_LOOKIP, test x$lookip = xtrue)
 AM_CONDITIONAL(USE_ERROR_NOTIFY, test x$error_notify = xtrue)
@@ -1327,6 +1431,7 @@ AM_CONDITIONAL(USE_IMC_SWID, test x$imc_swid = xtrue)
 AM_CONDITIONAL(USE_IMV_SWID, test x$imv_swid = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
+AM_CONDITIONAL(USE_SOCKET_WIN, test x$socket_win = xtrue)
 AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
 AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
 AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
@@ -1335,7 +1440,6 @@ AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
 # ---------------
 AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
 AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
-AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
 AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
@@ -1357,18 +1461,19 @@ AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
 AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
 AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
-AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
+AM_CONDITIONAL(USE_PKI, test x$pki = xtrue)
+AM_CONDITIONAL(USE_SCEPCLIENT, test x$scepclient = xtrue)
 AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
 AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue)
-AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue)
-AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue)
+AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue)
+AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue)
 AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
 AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
-AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
+AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_VSTR, test x$printf_hooks = xvstr)
 AM_CONDITIONAL(USE_BUILTIN_PRINTF, test x$printf_hooks = xbuiltin)
@@ -1377,12 +1482,16 @@ AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
 AM_CONDITIONAL(USE_RADIUS, test x$radius = xtrue)
 AM_CONDITIONAL(USE_IMCV, test x$imcv = xtrue)
 AM_CONDITIONAL(USE_PTS, test x$pts = xtrue)
-AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers)
+AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers -o x$aikgen = xtrue)
 AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
 AM_CONDITIONAL(USE_SILENT_RULES, test x$enable_silent_rules = xyes)
 AM_CONDITIONAL(COVERAGE, test x$coverage = xtrue)
+AM_CONDITIONAL(USE_DBGHELP, test x$dbghelp_backtraces = xtrue)
 AM_CONDITIONAL(USE_TKM, test x$tkm = xtrue)
 AM_CONDITIONAL(USE_CMD, test x$cmd = xtrue)
+AM_CONDITIONAL(USE_AIKGEN, test x$aikgen = xtrue)
+AM_CONDITIONAL(USE_SWANCTL, test x$swanctl = xtrue)
+AM_CONDITIONAL(USE_SVC, test x$svc = xtrue)
 
 # ========================
 #  set global definitions
@@ -1410,6 +1519,7 @@ fi
 
 strongswan_options=
 
+AM_COND_IF([USE_AIKGEN], [strongswan_options=${strongswan_options}" aikgen"])
 AM_COND_IF([USE_ATTR_SQL], [strongswan_options=${strongswan_options}" pool"])
 AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging"])
 AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"])
@@ -1419,7 +1529,9 @@ AM_COND_IF([USE_IMV_OS], [strongswan_options=${strongswan_options}" pacman"])
 AM_COND_IF([USE_LIBTNCCS], [strongswan_options=${strongswan_options}" tnc"])
 AM_COND_IF([USE_MANAGER], [strongswan_options=${strongswan_options}" manager"])
 AM_COND_IF([USE_MEDSRV], [strongswan_options=${strongswan_options}" medsrv"])
-AM_COND_IF([USE_TOOLS], [strongswan_options=${strongswan_options}" tools"])
+AM_COND_IF([USE_SCEPCLIENT], [strongswan_options=${strongswan_options}" scepclient"])
+AM_COND_IF([USE_PKI], [strongswan_options=${strongswan_options}" pki"])
+AM_COND_IF([USE_SWANCTL], [strongswan_options=${strongswan_options}" swanctl"])
 
 AC_SUBST(strongswan_options)
 
@@ -1466,6 +1578,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/sshkey/Makefile
 	src/libstrongswan/plugins/pem/Makefile
 	src/libstrongswan/plugins/curl/Makefile
+	src/libstrongswan/plugins/winhttp/Makefile
 	src/libstrongswan/plugins/unbound/Makefile
 	src/libstrongswan/plugins/soup/Makefile
 	src/libstrongswan/plugins/ldap/Makefile
@@ -1487,7 +1600,6 @@ AC_CONFIG_FILES([
 	src/libhydra/Makefile
 	src/libhydra/plugins/attr/Makefile
 	src/libhydra/plugins/attr_sql/Makefile
-	src/libhydra/plugins/kernel_klips/Makefile
 	src/libhydra/plugins/kernel_netlink/Makefile
 	src/libhydra/plugins/kernel_pfkey/Makefile
 	src/libhydra/plugins/kernel_pfroute/Makefile
@@ -1522,6 +1634,7 @@ AC_CONFIG_FILES([
 	src/charon-nm/Makefile
 	src/charon-tkm/Makefile
 	src/charon-cmd/Makefile
+	src/charon-svc/Makefile
 	src/libcharon/Makefile
 	src/libcharon/plugins/eap_aka/Makefile
 	src/libcharon/plugins/eap_aka_3gpp2/Makefile
@@ -1549,6 +1662,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/tnc_pdp/Makefile
 	src/libcharon/plugins/socket_default/Makefile
 	src/libcharon/plugins/socket_dynamic/Makefile
+	src/libcharon/plugins/socket_win/Makefile
 	src/libcharon/plugins/farp/Makefile
 	src/libcharon/plugins/smp/Makefile
 	src/libcharon/plugins/sql/Makefile
@@ -1561,6 +1675,8 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/uci/Makefile
 	src/libcharon/plugins/ha/Makefile
 	src/libcharon/plugins/kernel_libipsec/Makefile
+	src/libcharon/plugins/kernel_wfp/Makefile
+	src/libcharon/plugins/kernel_iph/Makefile
 	src/libcharon/plugins/whitelist/Makefile
 	src/libcharon/plugins/lookip/Makefile
 	src/libcharon/plugins/error_notify/Makefile
@@ -1575,6 +1691,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/android_log/Makefile
 	src/libcharon/plugins/maemo/Makefile
 	src/libcharon/plugins/stroke/Makefile
+	src/libcharon/plugins/vici/Makefile
 	src/libcharon/plugins/updown/Makefile
 	src/libcharon/plugins/dhcp/Makefile
 	src/libcharon/plugins/unit_tester/Makefile
@@ -1582,10 +1699,12 @@ AC_CONFIG_FILES([
 	src/stroke/Makefile
 	src/ipsec/Makefile
 	src/starter/Makefile
+	src/starter/tests/Makefile
 	src/_updown/Makefile
 	src/_updown_espmark/Makefile
 	src/_copyright/Makefile
 	src/scepclient/Makefile
+	src/aikgen/Makefile
 	src/pki/Makefile
 	src/pki/man/Makefile
 	src/pool/Makefile
@@ -1597,6 +1716,7 @@ AC_CONFIG_FILES([
 	src/checksum/Makefile
 	src/conftest/Makefile
 	src/pt-tls-client/Makefile
+	src/swanctl/Makefile
 	scripts/Makefile
 	testing/Makefile
 ])
@@ -1623,6 +1743,9 @@ AC_CONFIG_FILES([
 	src/pki/man/pki---signcrl.1
 	src/pki/man/pki---acert.1
 	src/pki/man/pki---verify.1
+	src/swanctl/swanctl.8
+	src/swanctl/swanctl.conf.5.head
+	src/swanctl/swanctl.conf.5.tail
 ])
 
 AC_OUTPUT
diff --git a/init/Makefile.in b/init/Makefile.in
index 9937f3b..b48d335 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -240,6 +240,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -258,6 +259,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -285,6 +287,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -376,6 +379,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index 18d789d..27a767c 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -209,6 +209,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -227,6 +228,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -254,6 +256,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -345,6 +348,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/man/Makefile.in b/man/Makefile.in
index 72312c4..bd3141d 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -211,6 +211,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -229,6 +230,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -256,6 +258,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -347,6 +350,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index a0be755..0f8564a 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -1049,6 +1049,15 @@ below.
 synonym for
 .BR margintime .
 .TP
+.BR replay_window " = " \-1 " | <number>"
+The IPsec replay window size for this connection. With the default of \-1
+the value configured with
+.I charon.replay_window
+in
+.BR strongswan.conf (5)
+is used. Larger values than 32 are supported using the Netlink backend only,
+a value of 0 disables IPsec replay protection.
+.TP
 .BR reqid " = <number>"
 sets the reqid for a given connection to a pre-configured fixed value.
 .TP
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index ed5147a..abc6d75 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 
 noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \
 	thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch \
-	dnssec malloc_speed aes-test
+	dnssec malloc_speed aes-test settings-test
 
 if USE_TLS
   noinst_PROGRAMS += tls_test
@@ -40,6 +40,7 @@ malloc_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(RTLIB)
 fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 aes_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+settings_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 
 key2keyid.o :	$(top_builddir)/config.status
 
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index f55ce75..7343465 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -83,7 +83,7 @@ noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \
 	thread_analysis$(EXEEXT) dh_speed$(EXEEXT) \
 	pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) hash_burn$(EXEEXT) \
 	fetch$(EXEEXT) dnssec$(EXEEXT) malloc_speed$(EXEEXT) \
-	aes-test$(EXEEXT) $(am__EXEEXT_1)
+	aes-test$(EXEEXT) settings-test$(EXEEXT) $(am__EXEEXT_1)
 @USE_TLS_TRUE at am__append_1 = tls_test
 subdir = scripts
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
@@ -169,6 +169,10 @@ pubkey_speed_OBJECTS = $(am_pubkey_speed_OBJECTS)
 pubkey_speed_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__DEPENDENCIES_1)
+settings_test_SOURCES = settings-test.c
+settings_test_OBJECTS = settings-test.$(OBJEXT)
+settings_test_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_thread_analysis_OBJECTS = thread_analysis.$(OBJEXT)
 thread_analysis_OBJECTS = $(am_thread_analysis_OBJECTS)
 thread_analysis_LDADD = $(LDADD)
@@ -216,15 +220,15 @@ SOURCES = aes-test.c $(bin2array_SOURCES) $(bin2sql_SOURCES) \
 	$(fetch_SOURCES) $(hash_burn_SOURCES) $(id2sql_SOURCES) \
 	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
 	$(malloc_speed_SOURCES) $(oid2der_SOURCES) \
-	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) \
-	$(tls_test_SOURCES)
+	$(pubkey_speed_SOURCES) settings-test.c \
+	$(thread_analysis_SOURCES) $(tls_test_SOURCES)
 DIST_SOURCES = aes-test.c $(bin2array_SOURCES) $(bin2sql_SOURCES) \
 	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(dnssec_SOURCES) \
 	$(fetch_SOURCES) $(hash_burn_SOURCES) $(id2sql_SOURCES) \
 	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
 	$(malloc_speed_SOURCES) $(oid2der_SOURCES) \
-	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) \
-	$(am__tls_test_SOURCES_DIST)
+	$(pubkey_speed_SOURCES) settings-test.c \
+	$(thread_analysis_SOURCES) $(am__tls_test_SOURCES_DIST)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -312,6 +316,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -330,6 +335,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -357,6 +363,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -448,6 +455,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -493,6 +501,7 @@ malloc_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(RTLIB)
 fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 aes_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+settings_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
 
 .SUFFIXES:
@@ -593,6 +602,10 @@ pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) $(EX
 	@rm -f pubkey_speed$(EXEEXT)
 	$(AM_V_CCLD)$(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS)
 
+settings-test$(EXEEXT): $(settings_test_OBJECTS) $(settings_test_DEPENDENCIES) $(EXTRA_settings_test_DEPENDENCIES) 
+	@rm -f settings-test$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(settings_test_OBJECTS) $(settings_test_LDADD) $(LIBS)
+
 thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENCIES) $(EXTRA_thread_analysis_DEPENDENCIES) 
 	@rm -f thread_analysis$(EXEEXT)
 	$(AM_V_CCLD)$(LINK) $(thread_analysis_OBJECTS) $(thread_analysis_LDADD) $(LIBS)
@@ -621,6 +634,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/malloc_speed.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/oid2der.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/pubkey_speed.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/settings-test.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/thread_analysis.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tls_test.Po at am__quote@
 
diff --git a/scripts/hash_burn.c b/scripts/hash_burn.c
index 97eab0d..0aa9bf1 100644
--- a/scripts/hash_burn.c
+++ b/scripts/hash_burn.c
@@ -43,8 +43,7 @@ int main(int argc, char *argv[])
 		limit = atoi(argv[2]);
 	}
 
-	alg = enum_from_name(hash_algorithm_short_names, argv[1]);
-	if (alg == -1)
+	if (!enum_from_name(hash_algorithm_short_names, argv[1], &alg))
 	{
 		fprintf(stderr, "unknown hash algorthm: %s\n", argv[1]);
 		return 1;
diff --git a/scripts/settings-test.c b/scripts/settings-test.c
new file mode 100644
index 0000000..452798a
--- /dev/null
+++ b/scripts/settings-test.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <getopt.h>
+#include <errno.h>
+
+#include <library.h>
+#include <settings/settings_types.h>
+
+/**
+ * Defined in libstrongswan but not part of the public API
+ */
+bool settings_parser_parse_file(void *this, char *name);
+
+/**
+ * Recursively print the section and all subsections/settings
+ */
+static void print_section(section_t *section, int level)
+{
+	section_t *sub;
+	kv_t *kv;
+	int i;
+	char indent[256];
+
+	for (i = 0; i < level * 2 && i < sizeof(indent) - 2; i += 2)
+	{
+		indent[i  ] = ' ';
+		indent[i+1] = ' ';
+	}
+	indent[i] = '\0';
+
+	for (i = 0; i < array_count(section->kv_order); i++)
+	{
+		array_get(section->kv_order, i, &kv);
+		printf("%s%s = %s\n", indent, kv->key, kv->value);
+	}
+	for (i = 0; i < array_count(section->sections_order); i++)
+	{
+		array_get(section->sections_order, i, &sub);
+		printf("%s%s {\n", indent, sub->name);
+		print_section(sub, level + 1);
+		printf("%s}\n", indent);
+	}
+}
+
+static void usage(FILE *out, char *name)
+{
+	fprintf(out, "Test strongswan.conf parser\n\n");
+	fprintf(out, "%s [OPTIONS]\n\n", name);
+	fprintf(out, "Options:\n");
+	fprintf(out, "  -h, --help          print this help.\n");
+	fprintf(out, "  -d, --debug         enables debugging of the parser.\n");
+	fprintf(out, "  -f, --file=FILE     config file to load (default STDIN).\n");
+	fprintf(out, "\n");
+}
+
+int main(int argc, char *argv[])
+{
+	char *file = NULL;
+
+	/* don't load strongswan.conf */
+	library_init("", "settings-test");
+	atexit(library_deinit);
+
+	dbg_default_set_level(3);
+
+	while (true)
+	{
+		struct option long_opts[] = {
+			{"help",		no_argument,		NULL,	'h' },
+			{"debug",		no_argument,		NULL,	'd' },
+			{"file",		required_argument,	NULL,	'f' },
+			{0,0,0,0 },
+		};
+		switch (getopt_long(argc, argv, "hdf:", long_opts, NULL))
+		{
+			case EOF:
+				break;
+			case 'h':
+				usage(stdout, argv[0]);
+				return 0;
+			case 'd':
+				setenv("DEBUG_SETTINGS_PARSER", "1", TRUE);
+				continue;
+			case 'f':
+				file = optarg;
+				continue;
+			default:
+				usage(stderr, argv[0]);
+				return 1;
+		}
+		break;
+	}
+
+	if (file)
+	{
+		section_t *root = settings_section_create(strdup("root"));
+
+		settings_parser_parse_file(root, file);
+
+		print_section(root, 0);
+
+		settings_section_destroy(root, NULL);
+	}
+	else
+	{
+		usage(stderr, argv[0]);
+	}
+	return 0;
+}
diff --git a/src/Makefile.am b/src/Makefile.am
index 93da489..95c68d0 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -72,8 +72,16 @@ if USE_UPDOWN
   SUBDIRS += _updown _updown_espmark
 endif
 
-if USE_TOOLS
-  SUBDIRS += scepclient pki
+if USE_SCEPCLIENT
+  SUBDIRS += scepclient
+endif
+
+if USE_PKI
+  SUBDIRS += pki
+endif
+
+if USE_SWANCTL
+  SUBDIRS += swanctl
 endif
 
 if USE_CONFTEST
@@ -112,6 +120,10 @@ if USE_CMD
   SUBDIRS += charon-cmd
 endif
 
+if USE_SVC
+  SUBDIRS += charon-svc
+endif
+
 if USE_LIBPTTLS
   SUBDIRS += pt-tls-client
 endif
@@ -119,3 +131,7 @@ endif
 if USE_INTEGRITY_TEST
   SUBDIRS += checksum
 endif
+
+if USE_AIKGEN
+  SUBDIRS += aikgen
+endif
diff --git a/src/Makefile.in b/src/Makefile.in
index d1950d1..141ca3e 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -95,18 +95,22 @@ host_triplet = @host@
 @USE_NM_TRUE at am__append_16 = charon-nm
 @USE_STROKE_TRUE at am__append_17 = stroke
 @USE_UPDOWN_TRUE at am__append_18 = _updown _updown_espmark
- at USE_TOOLS_TRUE@am__append_19 = scepclient pki
- at USE_CONFTEST_TRUE@am__append_20 = conftest
- at USE_DUMM_TRUE@am__append_21 = dumm
- at USE_FAST_TRUE@am__append_22 = libfast
- at USE_MANAGER_TRUE@am__append_23 = manager
- at USE_MEDSRV_TRUE@am__append_24 = medsrv
- at USE_ATTR_SQL_TRUE@am__append_25 = pool
- at USE_ATTR_SQL_FALSE@@USE_SQL_TRUE at am__append_26 = pool
- at USE_TKM_TRUE@am__append_27 = charon-tkm
- at USE_CMD_TRUE@am__append_28 = charon-cmd
- at USE_LIBPTTLS_TRUE@am__append_29 = pt-tls-client
- at USE_INTEGRITY_TEST_TRUE@am__append_30 = checksum
+ at USE_SCEPCLIENT_TRUE@am__append_19 = scepclient
+ at USE_PKI_TRUE@am__append_20 = pki
+ at USE_SWANCTL_TRUE@am__append_21 = swanctl
+ at USE_CONFTEST_TRUE@am__append_22 = conftest
+ at USE_DUMM_TRUE@am__append_23 = dumm
+ at USE_FAST_TRUE@am__append_24 = libfast
+ at USE_MANAGER_TRUE@am__append_25 = manager
+ at USE_MEDSRV_TRUE@am__append_26 = medsrv
+ at USE_ATTR_SQL_TRUE@am__append_27 = pool
+ at USE_ATTR_SQL_FALSE@@USE_SQL_TRUE at am__append_28 = pool
+ at USE_TKM_TRUE@am__append_29 = charon-tkm
+ at USE_CMD_TRUE@am__append_30 = charon-cmd
+ at USE_SVC_TRUE@am__append_31 = charon-svc
+ at USE_LIBPTTLS_TRUE@am__append_32 = pt-tls-client
+ at USE_INTEGRITY_TEST_TRUE@am__append_33 = checksum
+ at USE_AIKGEN_TRUE@am__append_34 = aikgen
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -183,9 +187,9 @@ CTAGS = ctags
 DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
 	libtls libradius libtncif libtnccs libpttls libimcv libpts \
 	libcharon starter ipsec _copyright charon charon-nm stroke \
-	_updown _updown_espmark scepclient pki conftest dumm libfast \
-	manager medsrv pool charon-tkm charon-cmd pt-tls-client \
-	checksum
+	_updown _updown_espmark scepclient pki swanctl conftest dumm \
+	libfast manager medsrv pool charon-tkm charon-cmd charon-svc \
+	pt-tls-client checksum aikgen
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -274,6 +278,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -292,6 +297,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -319,6 +325,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -410,6 +417,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -429,7 +437,9 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_19) $(am__append_20) $(am__append_21) \
 	$(am__append_22) $(am__append_23) $(am__append_24) \
 	$(am__append_25) $(am__append_26) $(am__append_27) \
-	$(am__append_28) $(am__append_29) $(am__append_30)
+	$(am__append_28) $(am__append_29) $(am__append_30) \
+	$(am__append_31) $(am__append_32) $(am__append_33) \
+	$(am__append_34)
 all: all-recursive
 
 .SUFFIXES:
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 4377ca0..8591e6a 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -232,6 +232,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -250,6 +251,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -277,6 +279,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -368,6 +371,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index b015e3d..ec23208 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -213,6 +213,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -231,6 +232,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -258,6 +260,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -349,6 +352,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index ee814a4..49cdc90 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -213,6 +213,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -231,6 +232,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -258,6 +260,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -349,6 +352,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/aikgen/Makefile.am b/src/aikgen/Makefile.am
new file mode 100644
index 0000000..dc59d20
--- /dev/null
+++ b/src/aikgen/Makefile.am
@@ -0,0 +1,15 @@
+bin_PROGRAMS = aikgen
+
+aikgen_SOURCES = aikgen.c
+
+aikgen_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+aikgen.o :	$(top_builddir)/config.status
+
+if USE_TROUSERS
+  aikgen_LDADD += -ltspi
+endif
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DPLUGINS=\""${aikgen_plugins}\""
diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in
new file mode 100644
index 0000000..77d825f
--- /dev/null
+++ b/src/aikgen/Makefile.in
@@ -0,0 +1,731 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+bin_PROGRAMS = aikgen$(EXEEXT)
+ at USE_TROUSERS_TRUE@am__append_1 = -ltspi
+subdir = src/aikgen
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(bindir)"
+PROGRAMS = $(bin_PROGRAMS)
+am_aikgen_OBJECTS = aikgen.$(OBJEXT)
+aikgen_OBJECTS = $(am_aikgen_OBJECTS)
+am__DEPENDENCIES_1 =
+aikgen_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_ at AM_V@)
+am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_ at AM_V@)
+am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(aikgen_SOURCES)
+DIST_SOURCES = $(aikgen_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+aikgen_SOURCES = aikgen.c
+aikgen_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__append_1)
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DPLUGINS=\""${aikgen_plugins}\""
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/aikgen/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/aikgen/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p \
+	 || test -f $$p1 \
+	  ; then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' \
+	    -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' \
+	`; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(bindir)" && rm -f $$files
+
+clean-binPROGRAMS:
+	@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+
+aikgen$(EXEEXT): $(aikgen_OBJECTS) $(aikgen_DEPENDENCIES) $(EXTRA_aikgen_DEPENDENCIES) 
+	@rm -f aikgen$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(aikgen_OBJECTS) $(aikgen_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/aikgen.Po at am__quote@
+
+.c.o:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+ at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(bindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am: install-binPROGRAMS
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-binPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \
+	clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \
+	ctags ctags-am distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-binPROGRAMS \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am uninstall-binPROGRAMS
+
+aikgen.o :	$(top_builddir)/config.status
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/aikgen/aikgen.c b/src/aikgen/aikgen.c
new file mode 100644
index 0000000..192636a
--- /dev/null
+++ b/src/aikgen/aikgen.c
@@ -0,0 +1,554 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (c) 2008 Hal Finney
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * 
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include <library.h>
+#include <utils/debug.h>
+#include <utils/optionsfrom.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/keys/public_key.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+
+#include <trousers/tss.h>
+#include <trousers/trousers.h>
+
+#include <syslog.h>
+#include <getopt.h>
+#include <errno.h>
+
+/* default directory where AIK keys are stored */
+#define AIK_DIR							IPSEC_CONFDIR "/pts/"
+
+/* default name of AIK private key blob */
+#define DEFAULT_FILENAME_AIKBLOB		AIK_DIR "aikBlob.bin"
+
+/* default name of AIK private key blob */
+#define DEFAULT_FILENAME_AIKPUBKEY		AIK_DIR "aikPub.der"
+
+/* size in bytes of a TSS AIK public key blob */
+#define AIK_PUBKEY_BLOB_SIZE			284
+
+/* logging */
+static bool log_to_stderr = TRUE;
+static bool log_to_syslog = TRUE;
+static level_t default_loglevel = 1;
+
+/* options read by optionsfrom */
+options_t *options;
+
+/* global variables */
+certificate_t *cacert;
+public_key_t *ca_pubkey;
+chunk_t ca_modulus;
+chunk_t aik_pubkey;
+chunk_t aik_keyid;
+
+/* TPM context */
+TSS_HCONTEXT  hContext;
+
+/**
+ * logging function for aikgen
+ */
+static void aikgen_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+	char buffer[8192];
+	char *current = buffer, *next;
+	va_list args;
+
+	if (level <= default_loglevel)
+	{
+		if (log_to_stderr)
+		{
+			va_start(args, fmt);
+			vfprintf(stderr, fmt, args);
+			va_end(args);
+			fprintf(stderr, "\n");
+		}
+		if (log_to_syslog)
+		{
+			/* write in memory buffer first */
+			va_start(args, fmt);
+			vsnprintf(buffer, sizeof(buffer), fmt, args);
+			va_end(args);
+
+			/* do a syslog with every line */
+			while (current)
+			{
+				next = strchr(current, '\n');
+				if (next)
+				{
+					*(next++) = '\0';
+				}
+				syslog(LOG_INFO, "%s\n", current);
+				current = next;
+			}
+		}
+	}
+}
+
+/**
+ * Initialize logging to stderr/syslog
+ */
+static void init_log(const char *program)
+{
+	dbg = aikgen_dbg;
+
+	if (log_to_stderr)
+	{
+		setbuf(stderr, NULL);
+	}
+	if (log_to_syslog)
+	{
+		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+	}
+}
+
+/**
+ * @brief exit aikgen
+ *
+ * @param status 0 = OK, 1 = general discomfort
+ */
+static void exit_aikgen(err_t message, ...)
+{
+	int status = 0;
+
+	DESTROY_IF(cacert);
+	DESTROY_IF(ca_pubkey);
+	free(ca_modulus.ptr);
+	free(aik_pubkey.ptr);
+	free(aik_keyid.ptr);
+	options->destroy(options);
+
+	/* clean up TPM context */
+	if (hContext)
+	{
+		Tspi_Context_FreeMemory(hContext, NULL);
+		Tspi_Context_Close(hContext);
+	}
+
+	/* print any error message to stderr */
+	if (message != NULL && *message != '\0')
+	{
+		va_list args;
+		char m[8192];
+
+		va_start(args, message);
+		vsnprintf(m, sizeof(m), message, args);
+		va_end(args);
+
+		fprintf(stderr, "error: %s\n", m);
+		status = -1;
+	}
+	library_deinit();
+	exit(status);
+}
+
+/**
+ * @brief prints the usage of the program to the stderr output
+ *
+ * If message is set, program is exited with 1 (error)
+ * @param message message in case of an error
+ */
+static void usage(const char *message)
+{
+	fprintf(stderr,
+		"Usage: aikgen  --cacert|capubkey <filename>"
+		" [--aikblob <filename>] [--aikpubkey <filename>] \n"
+		"              [--idreq <filename>] [--force]"
+		" [--quiet] [--debug <level>]\n"
+		"       aikgen --help\n"
+		"\n"
+		"Options:\n"
+		" --cacert (-c)     certificate of [privacy] CA\n"
+		" --capubkey (-k)   public key of [privacy] CA\n"
+		" --aikblob (-b)    encrypted blob with AIK private key\n"
+		" --aikpubkey (-p)  AIK public key\n"
+		" --idreq (-i)      encrypted identity request\n"
+		" --force (-f)      force to overwrite existing files\n"
+		" --help (-h)       show usage and exit\n"
+		"\n"
+		"Debugging output:\n"
+		" --debug (-l)      changes the log level (-1..4, default: 1)\n"
+		" --quiet (-q)      do not write log output to stderr\n"
+		);
+	exit_aikgen(message);
+}
+
+/**
+ * @brief main of aikgen which generates an Attestation Identity Key (AIK)
+ *
+ * @param argc number of arguments
+ * @param argv pointer to the argument values
+ */
+int main(int argc, char *argv[])
+{
+	/* external values */
+	extern char * optarg;
+	extern int optind;
+
+	char *cacert_filename    = NULL;
+	char *capubkey_filename  = NULL;
+	char *aikblob_filename   = DEFAULT_FILENAME_AIKBLOB;
+	char *aikpubkey_filename = DEFAULT_FILENAME_AIKPUBKEY;
+	char *idreq_filename     = NULL;
+	bool force = FALSE;
+	chunk_t identity_req;
+	chunk_t aik_blob;
+	chunk_t aik_pubkey_blob;
+	chunk_t aik_modulus;
+	chunk_t aik_exponent;
+
+	/* TPM variables */
+	TSS_RESULT   result;
+	TSS_HTPM     hTPM;
+	TSS_HKEY     hSRK;
+	TSS_HKEY     hPCAKey;
+	TSS_HPOLICY  hSrkPolicy;
+	TSS_HPOLICY  hTPMPolicy;
+	TSS_HKEY     hIdentKey;
+	TSS_UUID     SRK_UUID = TSS_UUID_SRK;
+	BYTE         secret[] = TSS_WELL_KNOWN_SECRET;
+	BYTE        *IdentityReq;
+	UINT32       IdentityReqLen;
+	BYTE        *blob;
+	UINT32       blobLen;
+
+	atexit(library_deinit);
+	if (!library_init(NULL, "aikgen"))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "aikgen", argv[0]))
+	{
+		fprintf(stderr, "integrity check of aikgen failed\n");
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
+
+	/* initialize global variables */
+	options = options_create();
+
+	for (;;)
+	{
+		static const struct option long_opts[] = {
+			/* name, has_arg, flag, val */
+			{ "help", no_argument, NULL, 'h' },
+			{ "optionsfrom", required_argument, NULL, '+' },
+			{ "cacert", required_argument, NULL, 'c' },
+			{ "capubkey", required_argument, NULL, 'k' },
+			{ "aikblob", required_argument, NULL, 'b' },
+			{ "aikpubkey", required_argument, NULL, 'p' },
+			{ "idreq", required_argument, NULL, 'i' },
+			{ "force", no_argument, NULL, 'f' },
+			{ "quiet", no_argument, NULL, 'q' },
+			{ "debug", required_argument, NULL, 'l' },
+			{ 0,0,0,0 }
+		};
+
+		/* parse next option */
+		int c = getopt_long(argc, argv, "ho:c:b:p:fqd:", long_opts, NULL);
+
+		switch (c)
+		{
+			case EOF:       /* end of flags */
+				break;
+
+			case 'h':       /* --help */
+				usage(NULL);
+
+			case '+':       /* --optionsfrom <filename> */
+				if (!options->from(options, optarg, &argc, &argv, optind))
+				{
+					exit_aikgen("optionsfrom failed");
+				}
+				continue;
+
+			case 'c':       /* --cacert <filename> */
+				cacert_filename = optarg;
+				continue;
+
+			case 'k':       /* --capubkey <filename> */
+				capubkey_filename = optarg;
+				continue;
+
+			case 'b':       /* --aikblob <filename> */
+				aikblob_filename = optarg;
+				continue;
+
+			case 'p':       /* --aikpubkey <filename> */
+				aikpubkey_filename = optarg;
+				continue;
+
+			case 'i':       /* --idreq <filename> */
+				idreq_filename = optarg;
+				continue;
+
+			case 'f':       /* --force */
+				force = TRUE;
+				continue;
+
+			case 'q':       /* --quiet */
+				log_to_stderr = FALSE;
+				continue;
+
+			case 'l':		/* --debug <level> */
+				default_loglevel = atoi(optarg);
+				continue;
+
+			default:
+				usage("unknown option");
+		}
+		/* break from loop */
+		break;
+	}
+
+	init_log("aikgen");
+
+	if (!lib->plugins->load(lib->plugins,
+			lib->settings->get_str(lib->settings, "aikgen.load", PLUGINS)))
+	{
+		exit_aikgen("plugin loading failed");
+	}
+
+	/* read certificate of [privacy] CA if it exists */
+	if (cacert_filename)
+	{
+		cacert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								BUILD_FROM_FILE, cacert_filename, BUILD_END);
+		if (!cacert)
+		{
+			exit_aikgen("could not read ca certificate file '%s'",
+						 cacert_filename);
+		}
+	}
+
+	/* optionally read public key of [privacy CA] if it exists */
+	if (!cacert)
+	{
+		if (!capubkey_filename)
+		{
+			usage("either --cacert or --capubkey option is required");
+		}
+		cacert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+								CERT_TRUSTED_PUBKEY, BUILD_FROM_FILE,
+								capubkey_filename, BUILD_END);
+		if (!cacert)
+		{
+			exit_aikgen("could not read ca public key file '%s'",
+						 capubkey_filename);
+		}
+	}
+
+	/* extract public key from CA certificate or trusted CA public key */
+	ca_pubkey = cacert->get_public_key(cacert);
+	if (!ca_pubkey)
+	{
+		exit_aikgen("could not extract ca public key");
+	}
+	if (ca_pubkey->get_type(ca_pubkey) != KEY_RSA ||
+		ca_pubkey->get_keysize(ca_pubkey) != 2048)
+	{
+		exit_aikgen("ca public key must be RSA 2048 but is %N %d",
+					 key_type_names, ca_pubkey->get_type(ca_pubkey),
+					 ca_pubkey->get_keysize(ca_pubkey));
+	}
+	if (!ca_pubkey->get_encoding(ca_pubkey, PUBKEY_RSA_MODULUS, &ca_modulus))
+	{
+		exit_aikgen("could not extract RSA modulus from ca public key");
+	}
+
+	/* initialize TSS context and connect to it */
+	result = Tspi_Context_Create(&hContext);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_Context_Create", result);
+	}
+	result = Tspi_Context_Connect(hContext, NULL);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_Context_Connect", result);
+	}
+
+	/* get SRK plus SRK policy and set SRK secret */
+	result = Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM,
+										SRK_UUID, &hSRK);
+ 	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_Context_LoadKeyByUUID for SRK", result);
+	}
+	result = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &hSrkPolicy);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_GetPolicyObject for SRK", result);
+	}
+	result = Tspi_Policy_SetSecret(hSrkPolicy, TSS_SECRET_MODE_SHA1, 20, secret);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_Policy_SetSecret for SRK", result);
+	}
+
+	/* get TPM plus TPM policy and set TPM secret */
+	result = Tspi_Context_GetTpmObject (hContext, &hTPM);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_Context_GetTpmObject", result);
+	}
+	result = Tspi_GetPolicyObject(hTPM, TSS_POLICY_USAGE, &hTPMPolicy);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_GetPolicyObject for TPM", result);
+	}
+	result = Tspi_Policy_SetSecret(hTPMPolicy, TSS_SECRET_MODE_SHA1, 20, secret);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_Policy_SetSecret for TPM", result);
+	}
+
+	/* create context for a 2048 bit AIK */
+	result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
+					TSS_KEY_TYPE_IDENTITY | TSS_KEY_SIZE_2048 |
+					TSS_KEY_VOLATILE | TSS_KEY_NOT_MIGRATABLE, &hIdentKey);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_Context_CreateObject for key", result);
+	}
+
+	/* create context for the Privacy CA public key and assign modulus */
+	result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
+					TSS_KEY_TYPE_LEGACY|TSS_KEY_SIZE_2048, &hPCAKey);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_Context_CreateObject for PCA", result);
+	}
+	result = Tspi_SetAttribData (hPCAKey, TSS_TSPATTRIB_RSAKEY_INFO,
+					TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, ca_modulus.len,
+					ca_modulus.ptr);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_SetAttribData for PCA modulus", result);
+	}
+	result = Tspi_SetAttribUint32(hPCAKey, TSS_TSPATTRIB_KEY_INFO,
+					TSS_TSPATTRIB_KEYINFO_ENCSCHEME, TSS_ES_RSAESPKCSV15);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_SetAttribUint32 for PCA "
+					"encryption scheme", result);
+	}
+
+	/* generate AIK */
+	DBG1(DBG_LIB, "Generating identity key...");
+	result = Tspi_TPM_CollateIdentityRequest(hTPM, hSRK, hPCAKey, 0, NULL,
+					hIdentKey, TSS_ALG_AES,	&IdentityReqLen, &IdentityReq);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_TPM_CollateIdentityRequest", result);
+	}
+	identity_req = chunk_create(IdentityReq, IdentityReqLen);
+	DBG3(DBG_LIB, "Identity Request: %B", &identity_req);
+
+	/* optionally output identity request encrypted with ca public key */
+	if (idreq_filename)
+	{
+		if (!chunk_write(identity_req, idreq_filename, 0022, force))
+		{
+			exit_aikgen("could not write AIK identity request file '%s': %s",
+						 idreq_filename, strerror(errno));
+		}
+		DBG1(DBG_LIB, "AIK identity request written to '%s' (%u bytes)",
+					   idreq_filename, identity_req.len);
+	}
+
+	/* load identity key */
+	result = Tspi_Key_LoadKey (hIdentKey, hSRK);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_Key_LoadKey for AIK\n", result);
+	}
+
+	/* output AIK private key in TSS blob format */
+	result = Tspi_GetAttribData (hIdentKey, TSS_TSPATTRIB_KEY_BLOB,
+					TSS_TSPATTRIB_KEYBLOB_BLOB, &blobLen, &blob);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_GetAttribData for private key blob",
+					 result);
+	}
+	aik_blob = chunk_create(blob, blobLen);
+	DBG3(DBG_LIB, "AIK private key blob: %B", &aik_blob);
+
+	if (!chunk_write(aik_blob, aikblob_filename, 0022, force))
+	{
+		exit_aikgen("could not write AIK blob file '%s': %s",
+					 aikblob_filename, strerror(errno));
+	}
+	DBG1(DBG_LIB, "AIK private key blob written to '%s' (%u bytes)",
+				   aikblob_filename, aik_blob.len);
+
+	/* output AIK Public Key in TSS blob format */
+	result = Tspi_GetAttribData (hIdentKey, TSS_TSPATTRIB_KEY_BLOB,
+					TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, &blobLen, &blob);
+	if (result != TSS_SUCCESS)
+	{
+		exit_aikgen("tss 0x%x on Tspi_GetAttribData for public key blob",
+					 result);
+	}
+	aik_pubkey_blob = chunk_create(blob, blobLen);
+	DBG3(DBG_LIB, "AIK public key blob: %B", &aik_pubkey_blob);
+
+	/* create a trusted AIK public key */
+	if (aik_pubkey_blob.len != AIK_PUBKEY_BLOB_SIZE)
+	{
+		exit_aikgen("AIK public key is not in TSS blob format");
+	}
+	aik_modulus = chunk_skip(aik_pubkey_blob, AIK_PUBKEY_BLOB_SIZE - 256);
+	aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
+
+	/* output subjectPublicKeyInfo encoding of AIK public key */
+	if (!lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER, NULL,
+					&aik_pubkey, CRED_PART_RSA_MODULUS, aik_modulus,
+					CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END))
+	{
+		exit_aikgen("subjectPublicKeyInfo encoding of AIK key failed");
+	}
+	if (!chunk_write(aik_pubkey, aikpubkey_filename, 0022, force))
+	{
+		exit_aikgen("could not write AIK public key file '%s': %s",
+					 aikpubkey_filename, strerror(errno));
+	}
+	DBG1(DBG_LIB, "AIK public key written to '%s' (%u bytes)",
+				   aikpubkey_filename, aik_pubkey.len);
+
+	/* display AIK keyid derived from subjectPublicKeyInfo encoding */
+	if (!lib->encoding->encode(lib->encoding, KEYID_PUBKEY_INFO_SHA1, NULL,
+					&aik_keyid, CRED_PART_RSA_MODULUS, aik_modulus,
+					CRED_PART_RSA_PUB_EXP, aik_exponent, CRED_PART_END))
+	{
+		exit_aikgen("computation of AIK keyid failed");
+	}
+	DBG1(DBG_LIB, "AIK keyid: %#B", &aik_keyid);
+
+	exit_aikgen(NULL);
+	return -1; /* should never be reached */
+}
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index 0e5c00a..c74c5b6 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -269,6 +269,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -287,6 +288,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -314,6 +316,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -405,6 +408,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index a70d314..b41cf46 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -126,12 +126,15 @@ static int run()
 			{
 				DBG1(DBG_DMN, "signal of type SIGHUP received. Reloading "
 					 "configuration");
-				if (lib->settings->load_files(lib->settings, NULL, FALSE))
+#ifdef STRONGSWAN_CONF
+				if (lib->settings->load_files(lib->settings, STRONGSWAN_CONF,
+											  FALSE))
 				{
 					charon->load_loggers(charon, levels, TRUE);
 					lib->plugins->reload(lib->plugins, NULL);
 				}
 				else
+#endif
 				{
 					DBG1(DBG_DMN, "reloading config failed, keeping old");
 				}
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index ac085e1..2c0b7b9 100644
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -187,6 +187,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
 	else
 	{
 		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+		ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
 	}
 	peer_cfg = peer_cfg_create("cmd", ike_cfg,
 					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
@@ -357,6 +358,8 @@ static child_cfg_t* create_child_cfg(private_cmd_connection_t *this,
 	else
 	{
 		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+		child_cfg->add_proposal(child_cfg,
+								proposal_create_default_aead(PROTO_ESP));
 	}
 	while (this->local_ts->remove_first(this->local_ts, (void**)&ts) == SUCCESS)
 	{
@@ -460,10 +463,9 @@ static void add_ts(private_cmd_connection_t *this,
  */
 static void set_profile(private_cmd_connection_t *this, char *name)
 {
-	int profile;
+	profile_t profile;
 
-	profile = enum_from_name(profile_names, name);
-	if (profile == -1)
+	if (!enum_from_name(profile_names, name, &profile))
 	{
 		DBG1(DBG_CFG, "unknown connection profile: %s", name);
 		exit(1);
diff --git a/src/charon-cmd/cmd/cmd_creds.c b/src/charon-cmd/cmd/cmd_creds.c
index 7fee85d..45d008e 100644
--- a/src/charon-cmd/cmd/cmd_creds.c
+++ b/src/charon-cmd/cmd/cmd_creds.c
@@ -72,7 +72,7 @@ static shared_key_t* callback_shared(private_cmd_creds_t *this,
 								id_match_t *match_me, id_match_t *match_other)
 {
 	shared_key_t *shared;
-	char *label, *pwd;
+	char *label, *pwd = NULL;
 
 	if (type == this->prompted)
 	{
@@ -95,7 +95,9 @@ static shared_key_t* callback_shared(private_cmd_creds_t *this,
 		default:
 			return NULL;
 	}
+#ifdef HAVE_GETPASS
 	pwd = getpass(label);
+#endif
 	if (!pwd || strlen(pwd) == 0)
 	{
 		return NULL;
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index edc3d77..5fad214 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -240,6 +240,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -258,6 +259,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -285,6 +287,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -376,6 +379,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index 67366a0..fc7e899 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -532,6 +532,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 							(char*)address, IKEV2_UDP_PORT,
 							 FRAGMENTATION_NO, 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
 	peer_cfg = peer_cfg_create(priv->name, ike_cfg,
 					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
 					36000, 0, /* rekey 10h, reauth none */
@@ -565,6 +566,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 								 ACTION_NONE, ACTION_NONE, ACTION_NONE, ipcomp,
 								 0, 0, NULL, NULL, 0);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
 	ts = traffic_selector_create_dynamic(0, 0, 65535);
 	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 	ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
diff --git a/src/charon-svc/Makefile.am b/src/charon-svc/Makefile.am
new file mode 100644
index 0000000..ecccf02
--- /dev/null
+++ b/src/charon-svc/Makefile.am
@@ -0,0 +1,16 @@
+bin_PROGRAMS = charon-svc
+
+charon_svc_SOURCES = charon-svc.c
+
+charon-svc.o :	$(top_builddir)/config.status
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DPLUGINS=\""${charon_plugins}\""
+
+charon_svc_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la
diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in
new file mode 100644
index 0000000..3948362
--- /dev/null
+++ b/src/charon-svc/Makefile.in
@@ -0,0 +1,735 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+bin_PROGRAMS = charon-svc$(EXEEXT)
+subdir = src/charon-svc
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(bindir)"
+PROGRAMS = $(bin_PROGRAMS)
+am_charon_svc_OBJECTS = charon-svc.$(OBJEXT)
+charon_svc_OBJECTS = $(am_charon_svc_OBJECTS)
+charon_svc_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la
+AM_V_lt = $(am__v_lt_ at AM_V@)
+am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_ at AM_V@)
+am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(charon_svc_SOURCES)
+DIST_SOURCES = $(charon_svc_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+charon_svc_SOURCES = charon-svc.c
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DPLUGINS=\""${charon_plugins}\""
+
+charon_svc_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon-svc/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon-svc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p \
+	 || test -f $$p1 \
+	  ; then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' \
+	    -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' \
+	`; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(bindir)" && rm -f $$files
+
+clean-binPROGRAMS:
+	@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+
+charon-svc$(EXEEXT): $(charon_svc_OBJECTS) $(charon_svc_DEPENDENCIES) $(EXTRA_charon_svc_DEPENDENCIES) 
+	@rm -f charon-svc$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(charon_svc_OBJECTS) $(charon_svc_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/charon-svc.Po at am__quote@
+
+.c.o:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+ at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(bindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am: install-binPROGRAMS
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-binPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \
+	clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \
+	ctags ctags-am distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-binPROGRAMS \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am uninstall-binPROGRAMS
+
+
+charon-svc.o :	$(top_builddir)/config.status
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon-svc/charon-svc.c b/src/charon-svc/charon-svc.c
new file mode 100644
index 0000000..03cbdb8
--- /dev/null
+++ b/src/charon-svc/charon-svc.c
@@ -0,0 +1,333 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <hydra.h>
+#include <daemon.h>
+
+#include <utils/backtrace.h>
+#include <threading/thread.h>
+
+/**
+ * The name of our service, both internal and external
+ */
+#define SERVICE_NAME "charon-svc"
+
+/**
+ * Current service status
+ */
+static SERVICE_STATUS status;
+
+/**
+ * Handle for service status
+ */
+static SERVICE_STATUS_HANDLE handle;
+
+/**
+ * Wait event for main thread
+ */
+static HANDLE event;
+
+/**
+ * hook in library for debugging messages
+ */
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
+
+/**
+ * Forward declaration
+ */
+static DWORD WINAPI service_handler(DWORD dwControl, DWORD dwEventType,
+									LPVOID lpEventData, LPVOID lpContext);
+
+/**
+ * Logging hook for library logs, using stderr output
+ */
+static void dbg_stderr(debug_t group, level_t level, char *fmt, ...)
+{
+	va_list args;
+
+	if (level <= 1)
+	{
+		va_start(args, fmt);
+		fprintf(stderr, "00[%N] ", debug_names, group);
+		vfprintf(stderr, fmt, args);
+		fprintf(stderr, "\n");
+		va_end(args);
+	}
+}
+
+/**
+ * Log strongSwan/Windows version during startup
+ */
+static void print_version()
+{
+	OSVERSIONINFOEX osvie;
+
+	memset(&osvie, 0, sizeof(osvie));
+	osvie.dwOSVersionInfoSize = sizeof(osvie);
+
+	if (GetVersionEx((LPOSVERSIONINFO)&osvie))
+	{
+		DBG1(DBG_DMN, "Starting IKE service %s (strongSwan %s, "
+			 "Windows %s %d.%d.%d (SP %d.%d)", SERVICE_NAME, VERSION,
+			 osvie.wProductType == VER_NT_WORKSTATION ? "Client" : "Server",
+			 osvie.dwMajorVersion, osvie.dwMinorVersion, osvie.dwBuildNumber,
+			 osvie.wServicePackMajor, osvie.wServicePackMinor);
+	}
+}
+
+/**
+ * Update service state to SCM, increase check point if state didn't change
+ */
+static void update_status(DWORD state)
+{
+	if (state == status.dwCurrentState)
+	{
+		status.dwCheckPoint++;
+	}
+	else
+	{
+		status.dwCheckPoint = 0;
+	}
+	status.dwCurrentState = state;
+	if (handle)
+	{
+		SetServiceStatus(handle, &status);
+	}
+}
+
+/**
+ * Control handler for console
+ */
+static BOOL WINAPI console_handler(DWORD dwCtrlType)
+{
+	switch (dwCtrlType)
+	{
+		case CTRL_C_EVENT:
+		case CTRL_BREAK_EVENT:
+		case CTRL_CLOSE_EVENT:
+			DBG1(DBG_DMN, "application is stopping, cleaning up");
+			if (status.dwCurrentState == SERVICE_RUNNING)
+			{
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL,
+								   dwCtrlType);
+			}
+			/* signal main thread to clean up */
+			SetEvent(event);
+			return TRUE;
+		default:
+			return FALSE;
+	}
+}
+
+/**
+ * Service handler function
+ */
+static DWORD WINAPI service_handler(DWORD dwControl, DWORD dwEventType,
+									LPVOID lpEventData, LPVOID lpContext)
+{
+	switch (dwControl)
+	{
+		case SERVICE_CONTROL_STOP:
+		case SERVICE_CONTROL_SHUTDOWN:
+			DBG1(DBG_DMN, "service is stopping, cleaning up");
+			if (status.dwCurrentState == SERVICE_RUNNING)
+			{
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL,
+								   dwControl);
+			}
+			/* signal main thread to clean up */
+			SetEvent(event);
+			return NO_ERROR;
+		case SERVICE_CONTROL_INTERROGATE:
+			return NO_ERROR;
+		default:
+			return ERROR_CALL_NOT_IMPLEMENTED;
+	}
+}
+
+/**
+ * Wait for console program shutdown
+ */
+static int console_wait()
+{
+	update_status(SERVICE_RUNNING);
+
+	if (WaitForSingleObjectEx(event, INFINITE, TRUE) != WAIT_OBJECT_0)
+	{
+		return 2;
+	}
+	return 0;
+}
+
+/**
+ * Wait for service shutdown
+ */
+static int service_wait()
+{
+	/* service is initialized, we now accept control requests */
+	status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
+	update_status(SERVICE_RUNNING);
+	status.dwControlsAccepted = 0;
+
+	if (WaitForSingleObjectEx(event, INFINITE, TRUE) != WAIT_OBJECT_0)
+	{
+		return 2;
+	}
+	return 0;
+}
+
+/**
+ * Initialize and run charon using a wait function
+ */
+static void init_and_run(DWORD dwArgc, LPTSTR *lpszArgv, int (*wait)())
+{
+	level_t levels[DBG_MAX];
+	int i;
+
+	for (i = 0; i < DBG_MAX; i++)
+	{
+		levels[i] = LEVEL_CTRL;
+	}
+
+	update_status(SERVICE_START_PENDING);
+	event = CreateEvent(NULL, FALSE, FALSE, NULL);
+	if (event)
+	{
+		update_status(SERVICE_START_PENDING);
+		if (library_init(NULL, SERVICE_NAME))
+		{
+			update_status(SERVICE_START_PENDING);
+			if (libhydra_init())
+			{
+				update_status(SERVICE_START_PENDING);
+				if (libcharon_init())
+				{
+					charon->load_loggers(charon, levels, TRUE);
+					print_version();
+					update_status(SERVICE_START_PENDING);
+					if (charon->initialize(charon, PLUGINS))
+					{
+						update_status(SERVICE_START_PENDING);
+						lib->plugins->status(lib->plugins, LEVEL_CTRL);
+
+						charon->start(charon);
+
+						status.dwWin32ExitCode = wait();
+					}
+					update_status(SERVICE_STOP_PENDING);
+					libcharon_deinit();
+				}
+				update_status(SERVICE_STOP_PENDING);
+				libhydra_deinit();
+			}
+			update_status(SERVICE_STOP_PENDING);
+			library_deinit();
+		}
+		update_status(SERVICE_STOP_PENDING);
+		CloseHandle(event);
+	}
+	update_status(SERVICE_STOPPED);
+}
+
+/**
+ * Main routine when running from console
+ */
+static void console_main(DWORD dwArgc, LPTSTR *lpszArgv)
+{
+	status.dwWin32ExitCode = 1;
+
+	if (SetConsoleCtrlHandler(console_handler, TRUE))
+	{
+		init_and_run(dwArgc, lpszArgv, console_wait);
+		SetConsoleCtrlHandler(console_handler, FALSE);
+	}
+}
+
+/**
+ * Switch the working directory to the executable directory
+ */
+static bool switch_workingdir()
+{
+	CHAR path[MAX_PATH], *pos;
+	HMODULE module;
+
+	module = GetModuleHandle(NULL);
+	if (!module)
+	{
+		return FALSE;
+	}
+	if (!GetModuleFileName(module, path, sizeof(path)))
+	{
+		return FALSE;
+	}
+	pos = strrchr(path, '\\');
+	if (!pos)
+	{
+		return FALSE;
+	}
+	*pos = 0;
+	return SetCurrentDirectory(path);
+}
+
+/**
+ * Service main routine when running as service
+ */
+static void WINAPI service_main(DWORD dwArgc, LPTSTR *lpszArgv)
+{
+	memset(&status, 0, sizeof(status));
+	status.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
+	status.dwWin32ExitCode = 1;
+
+	handle = RegisterServiceCtrlHandlerEx(SERVICE_NAME, service_handler, NULL);
+	if (handle)
+	{
+		if (switch_workingdir())
+		{
+			init_and_run(dwArgc, lpszArgv, service_wait);
+		}
+	}
+}
+
+/**
+ * Main function, starts the service
+ */
+int main(int argc, char *argv[])
+{
+	SERVICE_TABLE_ENTRY services[] = {
+		{
+			.lpServiceName = SERVICE_NAME,
+			.lpServiceProc = service_main,
+		},
+		{ NULL, NULL },
+	};
+	DWORD err;
+
+	dbg = dbg_stderr;
+
+	if (!StartServiceCtrlDispatcher(services))
+	{
+		err = GetLastError();
+		if (err == ERROR_FAILED_SERVICE_CONTROLLER_CONNECT)
+		{
+			console_main(argc, argv);
+		}
+		else
+		{
+			return 2;
+		}
+	}
+	return status.dwWin32ExitCode;
+}
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index 8005d07..ca4cdbf 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -179,6 +179,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -197,6 +198,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -224,6 +226,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -315,6 +318,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
index 72c247d..dbeea93 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -91,8 +91,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool _initiator, bool encap, bool esn, bool inbound,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+	u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+	bool _initiator, bool encap, bool esn, bool inbound,
 	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
 {
 	esa_info_t esa;
diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c
index 0505864..b2692a5 100644
--- a/src/charon-tkm/src/tkm/tkm_listener.c
+++ b/src/charon-tkm/src/tkm/tkm_listener.c
@@ -310,7 +310,7 @@ METHOD(listener_t, message, bool,
 	     " (ISA context %llu)", isa_id);
 
 	auth_payload = (auth_payload_t*)message->get_payload(message,
-														 AUTHENTICATION);
+														 PLV2_AUTH);
 	if (auth_payload)
 	{
 		chunk_t auth_data;
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index f808ce0..0e8a49e 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -236,6 +236,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -254,6 +255,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -281,6 +283,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -372,6 +375,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 089ac45..8afac3f 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -26,6 +26,8 @@
 #include <sys/utsname.h>
 #include <unistd.h>
 #include <getopt.h>
+#include <fcntl.h>
+#include <errno.h>
 
 #include <hydra.h>
 #include <daemon.h>
@@ -122,12 +124,15 @@ static void run()
 			{
 				DBG1(DBG_DMN, "signal of type SIGHUP received. Reloading "
 					 "configuration");
-				if (lib->settings->load_files(lib->settings, NULL, FALSE))
+#ifdef STRONGSWAN_CONF
+				if (lib->settings->load_files(lib->settings, STRONGSWAN_CONF,
+											  FALSE))
 				{
 					charon->load_loggers(charon, levels, !use_syslog);
 					lib->plugins->reload(lib->plugins, NULL);
 				}
 				else
+#endif
 				{
 					DBG1(DBG_DMN, "reloading config failed, keeping old");
 				}
@@ -229,6 +234,14 @@ static bool check_pidfile()
 	pidfile = fopen(PID_FILE, "w");
 	if (pidfile)
 	{
+		int fd;
+
+		fd = fileno(pidfile);
+		if (fd == -1 || fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
+		{
+			DBG1(DBG_LIB, "setting FD_CLOEXEC for '"PID_FILE"' failed: %s",
+				 strerror(errno));
+		}
 		ignore_result(fchown(fileno(pidfile),
 							 lib->caps->get_uid(lib->caps),
 							 lib->caps->get_gid(lib->caps)));
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index 82bbadc..821c517 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -22,7 +22,7 @@ AM_CPPFLAGS = \
 	-DPLUGINDIR=\"${DESTDIR}${plugindir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 # we keep track of build dependencies in deps and use libs to store the paths
 # to the installed libraries. for executables we use the built files directly
@@ -99,11 +99,18 @@ if USE_CMD
   exes += $(DESTDIR)$(sbindir)/charon-cmd
 endif
 
-if USE_TOOLS
+if USE_SCEPCLIENT
   exes += $(DESTDIR)$(ipsecdir)/scepclient
+endif
+
+if USE_PKI
   exes += $(DESTDIR)$(bindir)/pki
 endif
 
+if USE_SWANCTL
+  exes += $(DESTDIR)$(sbindir)/swanctl
+endif
+
 if USE_ATTR_SQL
   exes += $(DESTDIR)$(ipsecdir)/pool
 endif
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index d798d31..697899e 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -105,10 +105,11 @@ EXTRA_PROGRAMS = checksum_builder$(EXEEXT)
 @USE_CHARON_TRUE at am__append_24 = $(DESTDIR)$(ipsecdir)/charon
 @MONOLITHIC_FALSE@@USE_CHARON_TRUE at am__append_25 = -DC_PLUGINS=\""${c_plugins}\""
 @USE_CMD_TRUE at am__append_26 = $(DESTDIR)$(sbindir)/charon-cmd
- at USE_TOOLS_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/scepclient \
- at USE_TOOLS_TRUE@	$(DESTDIR)$(bindir)/pki
- at USE_ATTR_SQL_TRUE@am__append_28 = $(DESTDIR)$(ipsecdir)/pool
- at USE_IMV_ATTESTATION_TRUE@am__append_29 = $(DESTDIR)$(ipsecdir)/attest
+ at USE_SCEPCLIENT_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/scepclient
+ at USE_PKI_TRUE@am__append_28 = $(DESTDIR)$(bindir)/pki
+ at USE_SWANCTL_TRUE@am__append_29 = $(DESTDIR)$(sbindir)/swanctl
+ at USE_ATTR_SQL_TRUE@am__append_30 = $(DESTDIR)$(ipsecdir)/pool
+ at USE_IMV_ATTESTATION_TRUE@am__append_31 = $(DESTDIR)$(ipsecdir)/attest
 subdir = src/checksum
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -304,6 +305,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -322,6 +324,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -349,6 +352,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -440,6 +444,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -470,7 +475,7 @@ AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" $(am__append_1) \
 	$(am__append_4) $(am__append_15) $(am__append_25)
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 
 # we keep track of build dependencies in deps and use libs to store the paths
@@ -486,7 +491,8 @@ libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so $(am__append_3) \
 	$(am__append_12) $(am__append_14) $(am__append_17) \
 	$(am__append_19) $(am__append_21) $(am__append_23)
 exes = $(am__append_24) $(am__append_26) $(am__append_27) \
-	$(am__append_28) $(am__append_29)
+	$(am__append_28) $(am__append_29) $(am__append_30) \
+	$(am__append_31)
 all: all-am
 
 .SUFFIXES:
diff --git a/src/conftest/Makefile.am b/src/conftest/Makefile.am
index 900741d..eeb26f2 100644
--- a/src/conftest/Makefile.am
+++ b/src/conftest/Makefile.am
@@ -6,7 +6,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = $(PLUGIN_CFLAGS)
 
 conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 	hooks/hook.h hooks/ike_auth_fill.c hooks/unsort_message.c \
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 453e8f8..edd07b8 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -250,6 +250,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -268,6 +269,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -295,6 +297,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -386,6 +389,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -402,7 +406,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = $(PLUGIN_CFLAGS)
 conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 	hooks/hook.h hooks/ike_auth_fill.c hooks/unsort_message.c \
 	hooks/add_notify.c hooks/unencrypted_notify.c hooks/ignore_message.c \
diff --git a/src/conftest/README b/src/conftest/README
index 617195d..d37539a 100644
--- a/src/conftest/README
+++ b/src/conftest/README
@@ -304,7 +304,7 @@ Compile time options required depend on the test suite. A minimalistic
 strongSwan build with the OpenSSL crypto backend can be configured with:
 
 ./configure --sysconfdir=/etc --disable-pluto --disable-scripts \
-  --disable-tools --disable-aes --disable-des --disable-md5 \
+  --disable-scepclient --disable-aes --disable-des --disable-md5 \
   --disable-sha1 --disable-sha2 --disable-fips-prf --disable-gmp \
   --disable-pubkey --disable-pgp --disable-dnskey --disable-updown \
   --disable-attr --disable-resolve --enable-openssl --enable-conftest \
diff --git a/src/conftest/config.c b/src/conftest/config.c
index 5aa742d..c83db7e 100644
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
@@ -129,6 +129,7 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
 	else
 	{
 		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+		ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
 	}
 	return ike_cfg;
 }
@@ -180,6 +181,8 @@ static child_cfg_t *load_child_config(private_config_t *this,
 	else
 	{
 		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+		child_cfg->add_proposal(child_cfg,
+								proposal_create_default_aead(PROTO_ESP));
 	}
 
 	token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config, child);
diff --git a/src/conftest/hooks/add_notify.c b/src/conftest/hooks/add_notify.c
index 9611cad..73a9b1a 100644
--- a/src/conftest/hooks/add_notify.c
+++ b/src/conftest/hooks/add_notify.c
@@ -73,8 +73,7 @@ METHOD(listener_t, message, bool,
 		type = atoi(this->type);
 		if (!type)
 		{
-			type = enum_from_name(notify_type_names, this->type);
-			if (type == -1)
+			if (!enum_from_name(notify_type_names, this->type, &type))
 			{
 				DBG1(DBG_CFG, "unknown notify: '%s', skipped", this->type);
 				return TRUE;
@@ -89,7 +88,7 @@ METHOD(listener_t, message, bool,
 		{
 			data = chunk_clone(chunk_create(this->data, strlen(this->data)));
 		}
-		notify = notify_payload_create_from_protocol_and_type(NOTIFY,
+		notify = notify_payload_create_from_protocol_and_type(PLV2_NOTIFY,
 									this->esp ? PROTO_ESP : PROTO_IKE, type);
 		notify->set_spi(notify, this->spi);
 		if (data.len)
diff --git a/src/conftest/hooks/add_payload.c b/src/conftest/hooks/add_payload.c
index 2903bb2..cb5be1a 100644
--- a/src/conftest/hooks/add_payload.c
+++ b/src/conftest/hooks/add_payload.c
@@ -77,8 +77,7 @@ METHOD(listener_t, message, bool,
 		type = atoi(this->type);
 		if (!type)
 		{
-			type = enum_from_name(payload_type_short_names, this->type);
-			if (type == -1)
+			if (!enum_from_name(payload_type_short_names, this->type, &type))
 			{
 				DBG1(DBG_CFG, "unknown payload: '%s', skipped", this->type);
 				return TRUE;
diff --git a/src/conftest/hooks/custom_proposal.c b/src/conftest/hooks/custom_proposal.c
index 38d4286..ee44045 100644
--- a/src/conftest/hooks/custom_proposal.c
+++ b/src/conftest/hooks/custom_proposal.c
@@ -79,8 +79,7 @@ static linked_list_t* load_proposals(private_custom_proposal_t *this,
 			type = strtoul(key, &end, 10);
 			if (end == key || errno)
 			{
-				type = enum_from_name(transform_type_names, key);
-				if (type == -1)
+				if (!enum_from_name(transform_type_names, key, &type))
 				{
 					DBG1(DBG_CFG, "unknown transform: '%s', skipped", key);
 					continue;
@@ -125,7 +124,7 @@ METHOD(listener_t, message, bool,
 		enumerator = message->create_payload_enumerator(message);
 		while (enumerator->enumerate(enumerator, &payload))
 		{
-			if (payload->get_type(payload) == SECURITY_ASSOCIATION)
+			if (payload->get_type(payload) == PLV2_SECURITY_ASSOCIATION)
 			{
 				old = (sa_payload_t*)payload;
 				message->remove_payload_at(message, enumerator);
diff --git a/src/conftest/hooks/force_cookie.c b/src/conftest/hooks/force_cookie.c
index 1b044db..6be516c 100644
--- a/src/conftest/hooks/force_cookie.c
+++ b/src/conftest/hooks/force_cookie.c
@@ -44,7 +44,7 @@ METHOD(listener_t, message, bool,
 		enumerator = message->create_payload_enumerator(message);
 		while (enumerator->enumerate(enumerator, &payload))
 		{
-			if (payload->get_type(payload) == NOTIFY)
+			if (payload->get_type(payload) == PLV2_NOTIFY)
 			{
 				notify_payload_t *notify = (notify_payload_t*)payload;
 				chunk_t data;
diff --git a/src/conftest/hooks/ike_auth_fill.c b/src/conftest/hooks/ike_auth_fill.c
index 09590d4..5cdd5be 100644
--- a/src/conftest/hooks/ike_auth_fill.c
+++ b/src/conftest/hooks/ike_auth_fill.c
@@ -108,7 +108,7 @@ METHOD(listener_t, message, bool,
 			diff = this->bytes - size - CERT_PAYLOAD_HEADER_LENGTH;
 			data = chunk_alloc(diff);
 			memset(data.ptr, 0x12, data.len);
-			pld = cert_payload_create_custom(CERTIFICATE, 201, data);
+			pld = cert_payload_create_custom(PLV2_CERTIFICATE, 201, data);
 			message->add_payload(message, &pld->payload_interface);
 			DBG1(DBG_CFG, "inserting %d dummy bytes certificate payload", diff);
 		}
diff --git a/src/conftest/hooks/log_id.c b/src/conftest/hooks/log_id.c
index 07dd6a4..f47372f 100644
--- a/src/conftest/hooks/log_id.c
+++ b/src/conftest/hooks/log_id.c
@@ -45,8 +45,8 @@ METHOD(listener_t, message, bool,
 		enumerator = message->create_payload_enumerator(message);
 		while (enumerator->enumerate(enumerator, &payload))
 		{
-			if (payload->get_type(payload) == ID_INITIATOR ||
-				payload->get_type(payload) == ID_RESPONDER)
+			if (payload->get_type(payload) == PLV2_ID_INITIATOR ||
+				payload->get_type(payload) == PLV2_ID_RESPONDER)
 			{
 				id_payload = (id_payload_t*)payload;
 				id = id_payload->get_identification(id_payload);
diff --git a/src/conftest/hooks/log_ke.c b/src/conftest/hooks/log_ke.c
index 7104823..66aa4a6 100644
--- a/src/conftest/hooks/log_ke.c
+++ b/src/conftest/hooks/log_ke.c
@@ -43,7 +43,7 @@ METHOD(listener_t, message, bool,
 		enumerator = message->create_payload_enumerator(message);
 		while (enumerator->enumerate(enumerator, &payload))
 		{
-			if (payload->get_type(payload) == KEY_EXCHANGE)
+			if (payload->get_type(payload) == PLV2_KEY_EXCHANGE)
 			{
 				ke = (ke_payload_t*)payload;
 				DBG1(DBG_CFG, "received DH group %N",
diff --git a/src/conftest/hooks/log_proposals.c b/src/conftest/hooks/log_proposals.c
index 347b832..c0d458e 100644
--- a/src/conftest/hooks/log_proposals.c
+++ b/src/conftest/hooks/log_proposals.c
@@ -45,7 +45,7 @@ METHOD(listener_t, message, bool,
 		enumerator = message->create_payload_enumerator(message);
 		while (enumerator->enumerate(enumerator, &payload))
 		{
-			if (payload->get_type(payload) == SECURITY_ASSOCIATION)
+			if (payload->get_type(payload) == PLV2_SECURITY_ASSOCIATION)
 			{
 				sa = (sa_payload_t*)payload;
 				list = sa->get_proposals(sa);
diff --git a/src/conftest/hooks/log_ts.c b/src/conftest/hooks/log_ts.c
index f212efa..79c59b8 100644
--- a/src/conftest/hooks/log_ts.c
+++ b/src/conftest/hooks/log_ts.c
@@ -43,8 +43,8 @@ METHOD(listener_t, message, bool,
 		enumerator = message->create_payload_enumerator(message);
 		while (enumerator->enumerate(enumerator, &payload))
 		{
-			if (payload->get_type(payload) == TRAFFIC_SELECTOR_INITIATOR ||
-				payload->get_type(payload) == TRAFFIC_SELECTOR_RESPONDER)
+			if (payload->get_type(payload) == PLV2_TS_INITIATOR ||
+				payload->get_type(payload) == PLV2_TS_RESPONDER)
 			{
 				ts = (ts_payload_t*)payload;
 				host_t *from, *to;
diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c
index 4166afc..54957b0 100644
--- a/src/conftest/hooks/pretend_auth.c
+++ b/src/conftest/hooks/pretend_auth.c
@@ -79,7 +79,7 @@ static void process_init_request(private_pretend_auth_t *this,
 {
 	nonce_payload_t *nonce;
 
-	nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+	nonce = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE);
 	if (nonce)
 	{
 		free(this->nonce.ptr);
@@ -98,13 +98,13 @@ static void process_auth_request(private_pretend_auth_t *this,
 	ts_payload_t *tsi, *tsr;
 	linked_list_t *proposals;
 
-	id = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
+	id = (id_payload_t*)message->get_payload(message, PLV2_ID_RESPONDER);
 	if (id)
 	{
 		this->id->destroy(this->id);
 		this->id = id->get_identification(id);
 	}
-	sa = (sa_payload_t*)message->get_payload(message, SECURITY_ASSOCIATION);
+	sa = (sa_payload_t*)message->get_payload(message, PLV2_SECURITY_ASSOCIATION);
 	if (sa)
 	{
 		proposals = sa->get_proposals(sa);
@@ -116,13 +116,13 @@ static void process_auth_request(private_pretend_auth_t *this,
 		proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
 	}
 	tsi = (ts_payload_t*)message->get_payload(message,
-											  TRAFFIC_SELECTOR_INITIATOR);
+											  PLV2_TS_INITIATOR);
 	if (tsi)
 	{
 		this->tsi = tsi->get_traffic_selectors(tsi);
 	}
 	tsr = (ts_payload_t*)message->get_payload(message,
-											  TRAFFIC_SELECTOR_RESPONDER);
+											  PLV2_TS_RESPONDER);
 	if (tsr)
 	{
 		this->tsr = tsr->get_traffic_selectors(tsr);
@@ -154,7 +154,7 @@ static void build_certs(private_pretend_auth_t *this,
 	cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
 	if (cert)
 	{
-		payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+		payload = cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
 		if (payload)
 		{
 			DBG1(DBG_IKE, "pretending end entity cert \"%Y\"",
@@ -167,7 +167,7 @@ static void build_certs(private_pretend_auth_t *this,
 	{
 		if (type == AUTH_RULE_IM_CERT)
 		{
-			payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+			payload = cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
 			if (payload)
 			{
 				DBG1(DBG_IKE, "pretending issuer cert \"%Y\"",
@@ -276,7 +276,7 @@ static void process_auth_response(private_pretend_auth_t *this,
 	{
 		notify_payload_t *notify = (notify_payload_t*)payload;
 
-		if (payload->get_type(payload) != NOTIFY ||
+		if (payload->get_type(payload) != PLV2_NOTIFY ||
 			notify->get_notify_type(notify) != AUTHENTICATION_FAILED)
 		{
 			DBG1(DBG_CFG, "no %N notify found, disabling AUTH pretending",
@@ -295,7 +295,7 @@ static void process_auth_response(private_pretend_auth_t *this,
 		return;
 	}
 	message->add_payload(message, (payload_t*)
-				id_payload_create_from_identification(ID_RESPONDER, this->id));
+				id_payload_create_from_identification(PLV2_ID_RESPONDER, this->id));
 	if (this->proposal)
 	{
 		message->add_payload(message, (payload_t*)
diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c
index b7e6f22..bc2f000 100644
--- a/src/conftest/hooks/rebuild_auth.c
+++ b/src/conftest/hooks/rebuild_auth.c
@@ -70,7 +70,7 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
 	u_int32_t *lenpos;
 
 	payload = message->get_payload(message,
-					message->get_request(message) ? ID_INITIATOR : ID_RESPONDER);
+					message->get_request(message) ? PLV2_ID_INITIATOR : PLV2_ID_RESPONDER);
 	if (!payload)
 	{
 		DBG1(DBG_CFG, "ID payload not found to rebuild AUTH");
@@ -160,7 +160,7 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
-		if (payload->get_type(payload) == AUTHENTICATION)
+		if (payload->get_type(payload) == PLV2_AUTH)
 		{
 			message->remove_payload_at(message, enumerator);
 			payload->destroy(payload);
@@ -191,7 +191,7 @@ METHOD(listener_t, message, bool,
 			{
 				nonce_payload_t *nonce;
 
-				nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+				nonce = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE);
 				if (nonce)
 				{
 					free(this->nonce.ptr);
diff --git a/src/conftest/hooks/set_critical.c b/src/conftest/hooks/set_critical.c
index 8ec84e1..15c313c 100644
--- a/src/conftest/hooks/set_critical.c
+++ b/src/conftest/hooks/set_critical.c
@@ -65,8 +65,7 @@ METHOD(listener_t, message, bool,
 			type = atoi(name);
 			if (!type)
 			{
-				type = enum_from_name(payload_type_short_names, name);
-				if (type == -1)
+				if (!enum_from_name(payload_type_short_names, name, &type))
 				{
 					DBG1(DBG_CFG, "invalid payload name '%s'", name);
 					break;
diff --git a/src/conftest/hooks/set_length.c b/src/conftest/hooks/set_length.c
index c1a867a..b1a1a47 100644
--- a/src/conftest/hooks/set_length.c
+++ b/src/conftest/hooks/set_length.c
@@ -63,8 +63,7 @@ METHOD(listener_t, message, bool,
 		type = atoi(this->type);
 		if (!type)
 		{
-			type = enum_from_name(payload_type_short_names, this->type);
-			if (type == -1)
+			if (!enum_from_name(payload_type_short_names, this->type, &type))
 			{
 				DBG1(DBG_CFG, "unknown payload: '%s', skipped", this->type);
 				return TRUE;
diff --git a/src/conftest/hooks/set_proposal_number.c b/src/conftest/hooks/set_proposal_number.c
index 0cc3cfc..4e572d6 100644
--- a/src/conftest/hooks/set_proposal_number.c
+++ b/src/conftest/hooks/set_proposal_number.c
@@ -85,7 +85,7 @@ METHOD(listener_t, message, bool,
 		enumerator = message->create_payload_enumerator(message);
 		while (enumerator->enumerate(enumerator, &payload))
 		{
-			if (payload->get_type(payload) == SECURITY_ASSOCIATION)
+			if (payload->get_type(payload) == PLV2_SECURITY_ASSOCIATION)
 			{
 				sa = (sa_payload_t*)payload;
 				list = sa->get_proposals(sa);
diff --git a/src/conftest/hooks/set_reserved.c b/src/conftest/hooks/set_reserved.c
index d1a4a97..488e8df 100644
--- a/src/conftest/hooks/set_reserved.c
+++ b/src/conftest/hooks/set_reserved.c
@@ -55,7 +55,7 @@ static void set_bit(private_set_reserved_t *this, message_t *message,
 	payload_t *payload;
 	bool *bit;
 
-	if (type == HEADER)
+	if (type == PL_HEADER)
 	{
 		message->set_reserved_header_bit(message, nr);
 		DBG1(DBG_CFG, "setting reserved bit %d of %N",
@@ -91,7 +91,7 @@ static void set_byte(private_set_reserved_t *this, message_t *message,
 	payload_t *payload;
 	u_int8_t *byte;
 
-	if (type == TRANSFORM_SUBSTRUCTURE || type == PROPOSAL_SUBSTRUCTURE)
+	if (type == PLV2_TRANSFORM_SUBSTRUCTURE || type == PLV2_PROPOSAL_SUBSTRUCTURE)
 	{
 		enumerator_t *transforms, *proposals;
 		transform_substructure_t *transform;
@@ -101,13 +101,13 @@ static void set_byte(private_set_reserved_t *this, message_t *message,
 		payloads = message->create_payload_enumerator(message);
 		while (payloads->enumerate(payloads, &payload))
 		{
-			if (payload->get_type(payload) == SECURITY_ASSOCIATION)
+			if (payload->get_type(payload) == PLV2_SECURITY_ASSOCIATION)
 			{
 				sa = (sa_payload_t*)payload;
 				proposals = sa->create_substructure_enumerator(sa);
 				while (proposals->enumerate(proposals, &proposal))
 				{
-					if (type == PROPOSAL_SUBSTRUCTURE)
+					if (type == PLV2_PROPOSAL_SUBSTRUCTURE)
 					{
 						byte = payload_get_field(&proposal->payload_interface,
 												 RESERVED_BYTE, nr);
@@ -118,7 +118,7 @@ static void set_byte(private_set_reserved_t *this, message_t *message,
 							*byte = byteval;
 						}
 					}
-					else if (type == TRANSFORM_SUBSTRUCTURE)
+					else if (type == PLV2_TRANSFORM_SUBSTRUCTURE)
 					{
 						transforms = proposal->create_substructure_enumerator(
 																	proposal);
@@ -181,8 +181,7 @@ METHOD(listener_t, message, bool,
 			type = atoi(name);
 			if (!type)
 			{
-				type = enum_from_name(payload_type_short_names, name);
-				if (type == -1)
+				if (!enum_from_name(payload_type_short_names, name, &type))
 				{
 					DBG1(DBG_CFG, "invalid payload name '%s'", name);
 					break;
diff --git a/src/conftest/hooks/unencrypted_notify.c b/src/conftest/hooks/unencrypted_notify.c
index f4c3572..2a74985 100644
--- a/src/conftest/hooks/unencrypted_notify.c
+++ b/src/conftest/hooks/unencrypted_notify.c
@@ -68,8 +68,7 @@ METHOD(listener_t, ike_updown, bool,
 		type = atoi(this->type);
 		if (!type)
 		{
-			type = enum_from_name(notify_type_names, this->type);
-			if (type == -1)
+			if (!enum_from_name(notify_type_names, this->type, &type))
 			{
 				DBG1(DBG_CFG, "unknown notify: '%s', skipped", this->type);
 				return TRUE;
@@ -84,7 +83,7 @@ METHOD(listener_t, ike_updown, bool,
 		{
 			data = chunk_clone(chunk_create(this->data, strlen(this->data)));
 		}
-		notify = notify_payload_create_from_protocol_and_type(NOTIFY,
+		notify = notify_payload_create_from_protocol_and_type(PLV2_NOTIFY,
 									this->esp ? PROTO_ESP : PROTO_IKE, type);
 		notify->set_spi(notify, this->spi);
 		if (data.len)
diff --git a/src/conftest/hooks/unsort_message.c b/src/conftest/hooks/unsort_message.c
index 1b2b302..399d293 100644
--- a/src/conftest/hooks/unsort_message.c
+++ b/src/conftest/hooks/unsort_message.c
@@ -69,8 +69,7 @@ METHOD(listener_t, message, bool,
 		order = enumerator_create_token(this->order, ", ", " ");
 		while (order->enumerate(order, &name))
 		{
-			type = enum_from_name(payload_type_short_names, name);
-			if (type != -1)
+			if (enum_from_name(payload_type_short_names, name, &type))
 			{
 				enumerator = list->create_enumerator(list);
 				while (enumerator->enumerate(enumerator, &payload))
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 2f7b2ea..fd4a5db 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -271,6 +271,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -289,6 +290,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -316,6 +318,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -407,6 +410,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index 03ecbe4..d791c08 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -32,6 +32,8 @@
 #undef PACKAGE_URL
 /* avoid redefintiion of snprintf etc. */
 #define RUBY_DONT_SUBST
+/* undef our _GNU_SOURCE, as it gets redefined by <ruby.h> */
+#undef _GNU_SOURCE
 #include <ruby.h>
 
 static dumm_t *dumm;
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index f5277e3..ed755cb 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -179,6 +179,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -197,6 +198,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -224,6 +226,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -315,6 +318,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 545123b..baa4532 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -213,6 +213,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -231,6 +232,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -258,6 +260,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -349,6 +352,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 1701060..3dcb03a 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.2.0dr1" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.2.0" "strongSwan"
 .
 .SH NAME
 .
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index 6163218..e6725d0 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -1,7 +1,7 @@
 #! @IPSEC_SHELL@
 # prefix command to run stuff from our programs directory
 # Copyright (C) 1998-2002  Henry Spencer.
-# Copyright (C) 2006 Andreas Steffen
+# Copyright (C) 2006-2014 Andreas Steffen
 # Copyright (C) 2006 Martin Willi
 #
 # This program is free software; you can redistribute it and/or modify it
@@ -317,6 +317,10 @@ pki)
 	shift
 	exec $IPSEC_BINDIR/pki "$@"
 	;;
+aikgen)
+	shift
+	exec $IPSEC_BINDIR/aikgen "$@"
+	;;
 version|--version)
 	printf "$OS_NAME $IPSEC_NAME $IPSEC_VERSION\n"
 	printf "$IPSEC_DISTRO\n"
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index cc52209..a28b459 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -7,7 +7,6 @@ bus/bus.c bus/bus.h \
 bus/listeners/listener.h \
 bus/listeners/logger.h \
 bus/listeners/file_logger.c bus/listeners/file_logger.h \
-bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
 config/backend_manager.c config/backend_manager.h config/backend.h \
 config/child_cfg.c config/child_cfg.h \
 config/ike_cfg.c config/ike_cfg.h \
@@ -123,6 +122,9 @@ sa/ikev1/tasks/mode_config.c sa/ikev1/tasks/mode_config.h \
 processing/jobs/dpd_timeout_job.c processing/jobs/dpd_timeout_job.h \
 processing/jobs/adopt_children_job.c processing/jobs/adopt_children_job.h
 
+libcharon_la_SOURCES += \
+    bus/listeners/sys_logger.c bus/listeners/sys_logger.h
+
 LOCAL_SRC_FILES := $(filter %.c,$(libcharon_la_SOURCES))
 
 # adding the plugin source files
@@ -199,6 +201,7 @@ LOCAL_C_INCLUDES += $(LOCAL_PATH)/../libtls/
 LOCAL_SRC_FILES += $(addprefix ../libtls/, \
 		tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
 		tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \
+		tls_aead_expl.c tls_aead_impl.c tls_aead_null.c tls_aead.c \
 		tls_server.c tls.c \
 	)
 endif
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index df58eaa..e81c424 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -5,7 +5,6 @@ bus/bus.c bus/bus.h \
 bus/listeners/listener.h \
 bus/listeners/logger.h \
 bus/listeners/file_logger.c bus/listeners/file_logger.h \
-bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
 config/backend_manager.c config/backend_manager.h config/backend.h \
 config/child_cfg.c config/child_cfg.h \
 config/ike_cfg.c config/ike_cfg.h \
@@ -125,6 +124,10 @@ processing/jobs/dpd_timeout_job.c processing/jobs/dpd_timeout_job.h \
 processing/jobs/adopt_children_job.c processing/jobs/adopt_children_job.h
 endif
 
+if USE_SYSLOG
+  libcharon_la_SOURCES += \
+    bus/listeners/sys_logger.c bus/listeners/sys_logger.h
+endif
 
 daemon.lo :		$(top_builddir)/config.status
 
@@ -144,6 +147,10 @@ libcharon_la_LIBADD = \
   $(top_builddir)/src/libhydra/libhydra.la \
   -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB)
 
+if USE_WINDOWS
+  libcharon_la_LIBADD += -lws2_32
+endif
+
 EXTRA_DIST = Android.mk
 
 # compile options
@@ -188,6 +195,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_SOCKET_WIN
+  SUBDIRS += plugins/socket_win
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/socket_win/libstrongswan-socket-win.la
+endif
+endif
+
 if USE_FARP
   SUBDIRS += plugins/farp
 if MONOLITHIC
@@ -202,6 +216,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_VICI
+  SUBDIRS += plugins/vici
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/vici/libstrongswan-vici.la
+endif
+endif
+
 if USE_SMP
   SUBDIRS += plugins/smp
 if MONOLITHIC
@@ -468,6 +489,20 @@ if MONOLITHIC
 endif
 endif
 
+if USE_KERNEL_WFP
+  SUBDIRS += plugins/kernel_wfp
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_wfp/libstrongswan-kernel-wfp.la
+endif
+endif
+
+if USE_KERNEL_IPH
+  SUBDIRS += plugins/kernel_iph
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_iph/libstrongswan-kernel-iph.la
+endif
+endif
+
 if USE_WHITELIST
   SUBDIRS += plugins/whitelist
 if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index b300df3..002da51 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -124,132 +124,144 @@ host_triplet = @host@
 @USE_IKEV1_TRUE at processing/jobs/dpd_timeout_job.c processing/jobs/dpd_timeout_job.h \
 @USE_IKEV1_TRUE at processing/jobs/adopt_children_job.c processing/jobs/adopt_children_job.h
 
+ at USE_SYSLOG_TRUE@am__append_3 = \
+ at USE_SYSLOG_TRUE@    bus/listeners/sys_logger.c bus/listeners/sys_logger.h
+
+ at USE_WINDOWS_TRUE@am__append_4 = -lws2_32
 
 # compile options
 #################
- at USE_ME_TRUE@am__append_3 = encoding/payloads/endpoint_notify.c encoding/payloads/endpoint_notify.h \
+ at USE_ME_TRUE@am__append_5 = encoding/payloads/endpoint_notify.c encoding/payloads/endpoint_notify.h \
 @USE_ME_TRUE@    processing/jobs/initiate_mediation_job.c processing/jobs/initiate_mediation_job.h \
 @USE_ME_TRUE@    processing/jobs/mediation_job.c processing/jobs/mediation_job.h \
 @USE_ME_TRUE@    sa/ikev2/connect_manager.c sa/ikev2/connect_manager.h \
 @USE_ME_TRUE@    sa/ikev2/mediation_manager.c sa/ikev2/mediation_manager.h \
 @USE_ME_TRUE@    sa/ikev2/tasks/ike_me.c sa/ikev2/tasks/ike_me.h
 
- at USE_LOAD_TESTER_TRUE@am__append_4 = plugins/load_tester
- at MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE at am__append_5 = plugins/load_tester/libstrongswan-load-tester.la
- at USE_SOCKET_DEFAULT_TRUE@am__append_6 = plugins/socket_default
- at MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE at am__append_7 = plugins/socket_default/libstrongswan-socket-default.la
- at USE_SOCKET_DYNAMIC_TRUE@am__append_8 = plugins/socket_dynamic
- at MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE at am__append_9 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
- at USE_FARP_TRUE@am__append_10 = plugins/farp
- at MONOLITHIC_TRUE@@USE_FARP_TRUE at am__append_11 = plugins/farp/libstrongswan-farp.la
- at USE_STROKE_TRUE@am__append_12 = plugins/stroke
- at MONOLITHIC_TRUE@@USE_STROKE_TRUE at am__append_13 = plugins/stroke/libstrongswan-stroke.la
- at USE_SMP_TRUE@am__append_14 = plugins/smp
- at MONOLITHIC_TRUE@@USE_SMP_TRUE at am__append_15 = plugins/smp/libstrongswan-smp.la
- at USE_SQL_TRUE@am__append_16 = plugins/sql
- at MONOLITHIC_TRUE@@USE_SQL_TRUE at am__append_17 = plugins/sql/libstrongswan-sql.la
- at USE_DNSCERT_TRUE@am__append_18 = plugins/dnscert
- at MONOLITHIC_TRUE@@USE_DNSCERT_TRUE at am__append_19 = plugins/dnscert/libstrongswan-dnscert.la
- at USE_IPSECKEY_TRUE@am__append_20 = plugins/ipseckey
- at MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE at am__append_21 = plugins/ipseckey/libstrongswan-ipseckey.la
- at USE_UPDOWN_TRUE@am__append_22 = plugins/updown
- at MONOLITHIC_TRUE@@USE_UPDOWN_TRUE at am__append_23 = plugins/updown/libstrongswan-updown.la
- at USE_EAP_IDENTITY_TRUE@am__append_24 = plugins/eap_identity
- at MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE at am__append_25 = plugins/eap_identity/libstrongswan-eap-identity.la
- at USE_EAP_SIM_TRUE@am__append_26 = plugins/eap_sim
- at MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE at am__append_27 = plugins/eap_sim/libstrongswan-eap-sim.la
- at USE_EAP_SIM_FILE_TRUE@am__append_28 = plugins/eap_sim_file
- at MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE at am__append_29 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
- at USE_EAP_SIM_PCSC_TRUE@am__append_30 = plugins/eap_sim_pcsc
- at MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE at am__append_31 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
- at USE_EAP_SIMAKA_SQL_TRUE@am__append_32 = plugins/eap_simaka_sql
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE at am__append_33 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
- at USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_34 = plugins/eap_simaka_pseudonym
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE at am__append_35 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
- at USE_EAP_SIMAKA_REAUTH_TRUE@am__append_36 = plugins/eap_simaka_reauth
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE at am__append_37 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
- at USE_EAP_AKA_TRUE@am__append_38 = plugins/eap_aka
- at MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE at am__append_39 = plugins/eap_aka/libstrongswan-eap-aka.la
- at USE_EAP_AKA_3GPP2_TRUE@am__append_40 = plugins/eap_aka_3gpp2
- at MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE at am__append_41 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
- at MONOLITHIC_TRUE@@USE_SIMAKA_TRUE at am__append_42 = $(top_builddir)/src/libsimaka/libsimaka.la
- at USE_EAP_MD5_TRUE@am__append_43 = plugins/eap_md5
- at MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE at am__append_44 = plugins/eap_md5/libstrongswan-eap-md5.la
- at USE_EAP_GTC_TRUE@am__append_45 = plugins/eap_gtc
- at MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE at am__append_46 = plugins/eap_gtc/libstrongswan-eap-gtc.la
- at USE_EAP_MSCHAPV2_TRUE@am__append_47 = plugins/eap_mschapv2
- at MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE at am__append_48 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
- at USE_EAP_DYNAMIC_TRUE@am__append_49 = plugins/eap_dynamic
- at MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE at am__append_50 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
- at USE_EAP_RADIUS_TRUE@am__append_51 = plugins/eap_radius
- at MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE at am__append_52 = plugins/eap_radius/libstrongswan-eap-radius.la
- at USE_EAP_TLS_TRUE@am__append_53 = plugins/eap_tls
- at MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE at am__append_54 = plugins/eap_tls/libstrongswan-eap-tls.la
- at USE_EAP_TTLS_TRUE@am__append_55 = plugins/eap_ttls
- at MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE at am__append_56 = plugins/eap_ttls/libstrongswan-eap-ttls.la
- at USE_EAP_PEAP_TRUE@am__append_57 = plugins/eap_peap
- at MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE at am__append_58 = plugins/eap_peap/libstrongswan-eap-peap.la
- at USE_EAP_TNC_TRUE@am__append_59 = plugins/eap_tnc
- at MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE at am__append_60 = plugins/eap_tnc/libstrongswan-eap-tnc.la
- at MONOLITHIC_TRUE@@USE_TLS_TRUE at am__append_61 = $(top_builddir)/src/libtls/libtls.la
- at MONOLITHIC_TRUE@@USE_RADIUS_TRUE at am__append_62 = $(top_builddir)/src/libradius/libradius.la
- at USE_TNC_IFMAP_TRUE@am__append_63 = plugins/tnc_ifmap
- at MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE at am__append_64 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
- at USE_TNC_PDP_TRUE@am__append_65 = plugins/tnc_pdp
- at MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE at am__append_66 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
- at MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE at am__append_67 = $(top_builddir)/src/libtnccs/libtnccs.la
- at USE_MEDSRV_TRUE@am__append_68 = plugins/medsrv
- at MONOLITHIC_TRUE@@USE_MEDSRV_TRUE at am__append_69 = plugins/medsrv/libstrongswan-medsrv.la
- at USE_MEDCLI_TRUE@am__append_70 = plugins/medcli
- at MONOLITHIC_TRUE@@USE_MEDCLI_TRUE at am__append_71 = plugins/medcli/libstrongswan-medcli.la
- at USE_DHCP_TRUE@am__append_72 = plugins/dhcp
- at MONOLITHIC_TRUE@@USE_DHCP_TRUE at am__append_73 = plugins/dhcp/libstrongswan-dhcp.la
- at USE_OSX_ATTR_TRUE@am__append_74 = plugins/osx_attr
- at MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE at am__append_75 = plugins/osx_attr/libstrongswan-osx-attr.la
- at USE_ANDROID_DNS_TRUE@am__append_76 = plugins/android_dns
- at MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE at am__append_77 = plugins/android_dns/libstrongswan-android-dns.la
- at USE_ANDROID_LOG_TRUE@am__append_78 = plugins/android_log
- at MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE at am__append_79 = plugins/android_log/libstrongswan-android-log.la
- at USE_MAEMO_TRUE@am__append_80 = plugins/maemo
- at MONOLITHIC_TRUE@@USE_MAEMO_TRUE at am__append_81 = plugins/maemo/libstrongswan-maemo.la
- at USE_HA_TRUE@am__append_82 = plugins/ha
- at MONOLITHIC_TRUE@@USE_HA_TRUE at am__append_83 = plugins/ha/libstrongswan-ha.la
- at USE_KERNEL_LIBIPSEC_TRUE@am__append_84 = plugins/kernel_libipsec
- at MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE at am__append_85 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
- at USE_WHITELIST_TRUE@am__append_86 = plugins/whitelist
- at MONOLITHIC_TRUE@@USE_WHITELIST_TRUE at am__append_87 = plugins/whitelist/libstrongswan-whitelist.la
- at USE_LOOKIP_TRUE@am__append_88 = plugins/lookip
- at MONOLITHIC_TRUE@@USE_LOOKIP_TRUE at am__append_89 = plugins/lookip/libstrongswan-lookip.la
- at USE_ERROR_NOTIFY_TRUE@am__append_90 = plugins/error_notify
- at MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE at am__append_91 = plugins/error_notify/libstrongswan-error-notify.la
- at USE_CERTEXPIRE_TRUE@am__append_92 = plugins/certexpire
- at MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE at am__append_93 = plugins/certexpire/libstrongswan-certexpire.la
- at USE_SYSTIME_FIX_TRUE@am__append_94 = plugins/systime_fix
- at MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE at am__append_95 = plugins/systime_fix/libstrongswan-systime-fix.la
- at USE_LED_TRUE@am__append_96 = plugins/led
- at MONOLITHIC_TRUE@@USE_LED_TRUE at am__append_97 = plugins/led/libstrongswan-led.la
- at USE_DUPLICHECK_TRUE@am__append_98 = plugins/duplicheck
- at MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE at am__append_99 = plugins/duplicheck/libstrongswan-duplicheck.la
- at USE_COUPLING_TRUE@am__append_100 = plugins/coupling
- at MONOLITHIC_TRUE@@USE_COUPLING_TRUE at am__append_101 = plugins/coupling/libstrongswan-coupling.la
- at USE_RADATTR_TRUE@am__append_102 = plugins/radattr
- at MONOLITHIC_TRUE@@USE_RADATTR_TRUE at am__append_103 = plugins/radattr/libstrongswan-radattr.la
- at USE_UCI_TRUE@am__append_104 = plugins/uci
- at MONOLITHIC_TRUE@@USE_UCI_TRUE at am__append_105 = plugins/uci/libstrongswan-uci.la
- at USE_ADDRBLOCK_TRUE@am__append_106 = plugins/addrblock
- at MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE at am__append_107 = plugins/addrblock/libstrongswan-addrblock.la
- at USE_UNITY_TRUE@am__append_108 = plugins/unity
- at MONOLITHIC_TRUE@@USE_UNITY_TRUE at am__append_109 = plugins/unity/libstrongswan-unity.la
- at USE_UNIT_TESTS_TRUE@am__append_110 = plugins/unit_tester
- at MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE at am__append_111 = plugins/unit_tester/libstrongswan-unit-tester.la
- at USE_XAUTH_GENERIC_TRUE@am__append_112 = plugins/xauth_generic
- at MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE at am__append_113 = plugins/xauth_generic/libstrongswan-xauth-generic.la
- at USE_XAUTH_EAP_TRUE@am__append_114 = plugins/xauth_eap
- at MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE at am__append_115 = plugins/xauth_eap/libstrongswan-xauth-eap.la
- at USE_XAUTH_PAM_TRUE@am__append_116 = plugins/xauth_pam
- at MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE at am__append_117 = plugins/xauth_pam/libstrongswan-xauth-pam.la
- at USE_XAUTH_NOAUTH_TRUE@am__append_118 = plugins/xauth_noauth
- at MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE at am__append_119 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+ at USE_LOAD_TESTER_TRUE@am__append_6 = plugins/load_tester
+ at MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE at am__append_7 = plugins/load_tester/libstrongswan-load-tester.la
+ at USE_SOCKET_DEFAULT_TRUE@am__append_8 = plugins/socket_default
+ at MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE at am__append_9 = plugins/socket_default/libstrongswan-socket-default.la
+ at USE_SOCKET_DYNAMIC_TRUE@am__append_10 = plugins/socket_dynamic
+ at MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE at am__append_11 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
+ at USE_SOCKET_WIN_TRUE@am__append_12 = plugins/socket_win
+ at MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE at am__append_13 = plugins/socket_win/libstrongswan-socket-win.la
+ at USE_FARP_TRUE@am__append_14 = plugins/farp
+ at MONOLITHIC_TRUE@@USE_FARP_TRUE at am__append_15 = plugins/farp/libstrongswan-farp.la
+ at USE_STROKE_TRUE@am__append_16 = plugins/stroke
+ at MONOLITHIC_TRUE@@USE_STROKE_TRUE at am__append_17 = plugins/stroke/libstrongswan-stroke.la
+ at USE_VICI_TRUE@am__append_18 = plugins/vici
+ at MONOLITHIC_TRUE@@USE_VICI_TRUE at am__append_19 = plugins/vici/libstrongswan-vici.la
+ at USE_SMP_TRUE@am__append_20 = plugins/smp
+ at MONOLITHIC_TRUE@@USE_SMP_TRUE at am__append_21 = plugins/smp/libstrongswan-smp.la
+ at USE_SQL_TRUE@am__append_22 = plugins/sql
+ at MONOLITHIC_TRUE@@USE_SQL_TRUE at am__append_23 = plugins/sql/libstrongswan-sql.la
+ at USE_DNSCERT_TRUE@am__append_24 = plugins/dnscert
+ at MONOLITHIC_TRUE@@USE_DNSCERT_TRUE at am__append_25 = plugins/dnscert/libstrongswan-dnscert.la
+ at USE_IPSECKEY_TRUE@am__append_26 = plugins/ipseckey
+ at MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE at am__append_27 = plugins/ipseckey/libstrongswan-ipseckey.la
+ at USE_UPDOWN_TRUE@am__append_28 = plugins/updown
+ at MONOLITHIC_TRUE@@USE_UPDOWN_TRUE at am__append_29 = plugins/updown/libstrongswan-updown.la
+ at USE_EAP_IDENTITY_TRUE@am__append_30 = plugins/eap_identity
+ at MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE at am__append_31 = plugins/eap_identity/libstrongswan-eap-identity.la
+ at USE_EAP_SIM_TRUE@am__append_32 = plugins/eap_sim
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE at am__append_33 = plugins/eap_sim/libstrongswan-eap-sim.la
+ at USE_EAP_SIM_FILE_TRUE@am__append_34 = plugins/eap_sim_file
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE at am__append_35 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+ at USE_EAP_SIM_PCSC_TRUE@am__append_36 = plugins/eap_sim_pcsc
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE at am__append_37 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
+ at USE_EAP_SIMAKA_SQL_TRUE@am__append_38 = plugins/eap_simaka_sql
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE at am__append_39 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+ at USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_40 = plugins/eap_simaka_pseudonym
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE at am__append_41 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+ at USE_EAP_SIMAKA_REAUTH_TRUE@am__append_42 = plugins/eap_simaka_reauth
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE at am__append_43 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+ at USE_EAP_AKA_TRUE@am__append_44 = plugins/eap_aka
+ at MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE at am__append_45 = plugins/eap_aka/libstrongswan-eap-aka.la
+ at USE_EAP_AKA_3GPP2_TRUE@am__append_46 = plugins/eap_aka_3gpp2
+ at MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE at am__append_47 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+ at MONOLITHIC_TRUE@@USE_SIMAKA_TRUE at am__append_48 = $(top_builddir)/src/libsimaka/libsimaka.la
+ at USE_EAP_MD5_TRUE@am__append_49 = plugins/eap_md5
+ at MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE at am__append_50 = plugins/eap_md5/libstrongswan-eap-md5.la
+ at USE_EAP_GTC_TRUE@am__append_51 = plugins/eap_gtc
+ at MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE at am__append_52 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+ at USE_EAP_MSCHAPV2_TRUE@am__append_53 = plugins/eap_mschapv2
+ at MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE at am__append_54 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+ at USE_EAP_DYNAMIC_TRUE@am__append_55 = plugins/eap_dynamic
+ at MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE at am__append_56 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
+ at USE_EAP_RADIUS_TRUE@am__append_57 = plugins/eap_radius
+ at MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE at am__append_58 = plugins/eap_radius/libstrongswan-eap-radius.la
+ at USE_EAP_TLS_TRUE@am__append_59 = plugins/eap_tls
+ at MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE at am__append_60 = plugins/eap_tls/libstrongswan-eap-tls.la
+ at USE_EAP_TTLS_TRUE@am__append_61 = plugins/eap_ttls
+ at MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE at am__append_62 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+ at USE_EAP_PEAP_TRUE@am__append_63 = plugins/eap_peap
+ at MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE at am__append_64 = plugins/eap_peap/libstrongswan-eap-peap.la
+ at USE_EAP_TNC_TRUE@am__append_65 = plugins/eap_tnc
+ at MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE at am__append_66 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+ at MONOLITHIC_TRUE@@USE_TLS_TRUE at am__append_67 = $(top_builddir)/src/libtls/libtls.la
+ at MONOLITHIC_TRUE@@USE_RADIUS_TRUE at am__append_68 = $(top_builddir)/src/libradius/libradius.la
+ at USE_TNC_IFMAP_TRUE@am__append_69 = plugins/tnc_ifmap
+ at MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE at am__append_70 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
+ at USE_TNC_PDP_TRUE@am__append_71 = plugins/tnc_pdp
+ at MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE at am__append_72 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
+ at MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE at am__append_73 = $(top_builddir)/src/libtnccs/libtnccs.la
+ at USE_MEDSRV_TRUE@am__append_74 = plugins/medsrv
+ at MONOLITHIC_TRUE@@USE_MEDSRV_TRUE at am__append_75 = plugins/medsrv/libstrongswan-medsrv.la
+ at USE_MEDCLI_TRUE@am__append_76 = plugins/medcli
+ at MONOLITHIC_TRUE@@USE_MEDCLI_TRUE at am__append_77 = plugins/medcli/libstrongswan-medcli.la
+ at USE_DHCP_TRUE@am__append_78 = plugins/dhcp
+ at MONOLITHIC_TRUE@@USE_DHCP_TRUE at am__append_79 = plugins/dhcp/libstrongswan-dhcp.la
+ at USE_OSX_ATTR_TRUE@am__append_80 = plugins/osx_attr
+ at MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE at am__append_81 = plugins/osx_attr/libstrongswan-osx-attr.la
+ at USE_ANDROID_DNS_TRUE@am__append_82 = plugins/android_dns
+ at MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE at am__append_83 = plugins/android_dns/libstrongswan-android-dns.la
+ at USE_ANDROID_LOG_TRUE@am__append_84 = plugins/android_log
+ at MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE at am__append_85 = plugins/android_log/libstrongswan-android-log.la
+ at USE_MAEMO_TRUE@am__append_86 = plugins/maemo
+ at MONOLITHIC_TRUE@@USE_MAEMO_TRUE at am__append_87 = plugins/maemo/libstrongswan-maemo.la
+ at USE_HA_TRUE@am__append_88 = plugins/ha
+ at MONOLITHIC_TRUE@@USE_HA_TRUE at am__append_89 = plugins/ha/libstrongswan-ha.la
+ at USE_KERNEL_LIBIPSEC_TRUE@am__append_90 = plugins/kernel_libipsec
+ at MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE at am__append_91 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+ at USE_KERNEL_WFP_TRUE@am__append_92 = plugins/kernel_wfp
+ at MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE at am__append_93 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
+ at USE_KERNEL_IPH_TRUE@am__append_94 = plugins/kernel_iph
+ at MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE at am__append_95 = plugins/kernel_iph/libstrongswan-kernel-iph.la
+ at USE_WHITELIST_TRUE@am__append_96 = plugins/whitelist
+ at MONOLITHIC_TRUE@@USE_WHITELIST_TRUE at am__append_97 = plugins/whitelist/libstrongswan-whitelist.la
+ at USE_LOOKIP_TRUE@am__append_98 = plugins/lookip
+ at MONOLITHIC_TRUE@@USE_LOOKIP_TRUE at am__append_99 = plugins/lookip/libstrongswan-lookip.la
+ at USE_ERROR_NOTIFY_TRUE@am__append_100 = plugins/error_notify
+ at MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE at am__append_101 = plugins/error_notify/libstrongswan-error-notify.la
+ at USE_CERTEXPIRE_TRUE@am__append_102 = plugins/certexpire
+ at MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE at am__append_103 = plugins/certexpire/libstrongswan-certexpire.la
+ at USE_SYSTIME_FIX_TRUE@am__append_104 = plugins/systime_fix
+ at MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE at am__append_105 = plugins/systime_fix/libstrongswan-systime-fix.la
+ at USE_LED_TRUE@am__append_106 = plugins/led
+ at MONOLITHIC_TRUE@@USE_LED_TRUE at am__append_107 = plugins/led/libstrongswan-led.la
+ at USE_DUPLICHECK_TRUE@am__append_108 = plugins/duplicheck
+ at MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE at am__append_109 = plugins/duplicheck/libstrongswan-duplicheck.la
+ at USE_COUPLING_TRUE@am__append_110 = plugins/coupling
+ at MONOLITHIC_TRUE@@USE_COUPLING_TRUE at am__append_111 = plugins/coupling/libstrongswan-coupling.la
+ at USE_RADATTR_TRUE@am__append_112 = plugins/radattr
+ at MONOLITHIC_TRUE@@USE_RADATTR_TRUE at am__append_113 = plugins/radattr/libstrongswan-radattr.la
+ at USE_UCI_TRUE@am__append_114 = plugins/uci
+ at MONOLITHIC_TRUE@@USE_UCI_TRUE at am__append_115 = plugins/uci/libstrongswan-uci.la
+ at USE_ADDRBLOCK_TRUE@am__append_116 = plugins/addrblock
+ at MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE at am__append_117 = plugins/addrblock/libstrongswan-addrblock.la
+ at USE_UNITY_TRUE@am__append_118 = plugins/unity
+ at MONOLITHIC_TRUE@@USE_UNITY_TRUE at am__append_119 = plugins/unity/libstrongswan-unity.la
+ at USE_UNIT_TESTS_TRUE@am__append_120 = plugins/unit_tester
+ at MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE at am__append_121 = plugins/unit_tester/libstrongswan-unit-tester.la
+ at USE_XAUTH_GENERIC_TRUE@am__append_122 = plugins/xauth_generic
+ at MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE at am__append_123 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+ at USE_XAUTH_EAP_TRUE@am__append_124 = plugins/xauth_eap
+ at MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE at am__append_125 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+ at USE_XAUTH_PAM_TRUE@am__append_126 = plugins/xauth_pam
+ at MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE at am__append_127 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+ at USE_XAUTH_NOAUTH_TRUE@am__append_128 = plugins/xauth_noauth
+ at MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE at am__append_129 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -303,31 +315,32 @@ am__DEPENDENCIES_1 =
 libcharon_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_5) \
-	$(am__append_7) $(am__append_9) $(am__append_11) \
-	$(am__append_13) $(am__append_15) $(am__append_17) \
-	$(am__append_19) $(am__append_21) $(am__append_23) \
-	$(am__append_25) $(am__append_27) $(am__append_29) \
-	$(am__append_31) $(am__append_33) $(am__append_35) \
-	$(am__append_37) $(am__append_39) $(am__append_41) \
-	$(am__append_42) $(am__append_44) $(am__append_46) \
-	$(am__append_48) $(am__append_50) $(am__append_52) \
-	$(am__append_54) $(am__append_56) $(am__append_58) \
-	$(am__append_60) $(am__append_61) $(am__append_62) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__append_7) $(am__append_9) \
+	$(am__append_11) $(am__append_13) $(am__append_15) \
+	$(am__append_17) $(am__append_19) $(am__append_21) \
+	$(am__append_23) $(am__append_25) $(am__append_27) \
+	$(am__append_29) $(am__append_31) $(am__append_33) \
+	$(am__append_35) $(am__append_37) $(am__append_39) \
+	$(am__append_41) $(am__append_43) $(am__append_45) \
+	$(am__append_47) $(am__append_48) $(am__append_50) \
+	$(am__append_52) $(am__append_54) $(am__append_56) \
+	$(am__append_58) $(am__append_60) $(am__append_62) \
 	$(am__append_64) $(am__append_66) $(am__append_67) \
-	$(am__append_69) $(am__append_71) $(am__append_73) \
-	$(am__append_75) $(am__append_77) $(am__append_79) \
-	$(am__append_81) $(am__append_83) $(am__append_85) \
-	$(am__append_87) $(am__append_89) $(am__append_91) \
-	$(am__append_93) $(am__append_95) $(am__append_97) \
-	$(am__append_99) $(am__append_101) $(am__append_103) \
-	$(am__append_105) $(am__append_107) $(am__append_109) \
-	$(am__append_111) $(am__append_113) $(am__append_115) \
-	$(am__append_117) $(am__append_119)
+	$(am__append_68) $(am__append_70) $(am__append_72) \
+	$(am__append_73) $(am__append_75) $(am__append_77) \
+	$(am__append_79) $(am__append_81) $(am__append_83) \
+	$(am__append_85) $(am__append_87) $(am__append_89) \
+	$(am__append_91) $(am__append_93) $(am__append_95) \
+	$(am__append_97) $(am__append_99) $(am__append_101) \
+	$(am__append_103) $(am__append_105) $(am__append_107) \
+	$(am__append_109) $(am__append_111) $(am__append_113) \
+	$(am__append_115) $(am__append_117) $(am__append_119) \
+	$(am__append_121) $(am__append_123) $(am__append_125) \
+	$(am__append_127) $(am__append_129)
 am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/logger.h \
 	bus/listeners/file_logger.c bus/listeners/file_logger.h \
-	bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
 	config/backend_manager.c config/backend_manager.h \
 	config/backend.h config/child_cfg.c config/child_cfg.h \
 	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
@@ -468,6 +481,7 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	processing/jobs/dpd_timeout_job.h \
 	processing/jobs/adopt_children_job.c \
 	processing/jobs/adopt_children_job.h \
+	bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
 	encoding/payloads/endpoint_notify.c \
 	encoding/payloads/endpoint_notify.h \
 	processing/jobs/initiate_mediation_job.c \
@@ -519,17 +533,18 @@ am__dirstamp = $(am__leading_dot)dirstamp
 @USE_IKEV1_TRUE@	sa/ikev1/tasks/mode_config.lo \
 @USE_IKEV1_TRUE@	processing/jobs/dpd_timeout_job.lo \
 @USE_IKEV1_TRUE@	processing/jobs/adopt_children_job.lo
- at USE_ME_TRUE@am__objects_3 = encoding/payloads/endpoint_notify.lo \
+ at USE_SYSLOG_TRUE@am__objects_3 = bus/listeners/sys_logger.lo
+ at USE_ME_TRUE@am__objects_4 = encoding/payloads/endpoint_notify.lo \
 @USE_ME_TRUE@	processing/jobs/initiate_mediation_job.lo \
 @USE_ME_TRUE@	processing/jobs/mediation_job.lo \
 @USE_ME_TRUE@	sa/ikev2/connect_manager.lo \
 @USE_ME_TRUE@	sa/ikev2/mediation_manager.lo \
 @USE_ME_TRUE@	sa/ikev2/tasks/ike_me.lo
 am_libcharon_la_OBJECTS = bus/bus.lo bus/listeners/file_logger.lo \
-	bus/listeners/sys_logger.lo config/backend_manager.lo \
-	config/child_cfg.lo config/ike_cfg.lo config/peer_cfg.lo \
-	config/proposal.lo control/controller.lo daemon.lo \
-	encoding/generator.lo encoding/message.lo encoding/parser.lo \
+	config/backend_manager.lo config/child_cfg.lo \
+	config/ike_cfg.lo config/peer_cfg.lo config/proposal.lo \
+	control/controller.lo daemon.lo encoding/generator.lo \
+	encoding/message.lo encoding/parser.lo \
 	encoding/payloads/auth_payload.lo \
 	encoding/payloads/cert_payload.lo \
 	encoding/payloads/certreq_payload.lo \
@@ -574,7 +589,8 @@ am_libcharon_la_OBJECTS = bus/bus.lo bus/listeners/file_logger.lo \
 	sa/xauth/xauth_manager.lo sa/authenticator.lo sa/child_sa.lo \
 	sa/ike_sa.lo sa/ike_sa_id.lo sa/keymat.lo sa/ike_sa_manager.lo \
 	sa/task_manager.lo sa/shunt_manager.lo sa/trap_manager.lo \
-	sa/task.lo $(am__objects_1) $(am__objects_2) $(am__objects_3)
+	sa/task.lo $(am__objects_1) $(am__objects_2) $(am__objects_3) \
+	$(am__objects_4)
 libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
@@ -657,8 +673,9 @@ am__define_uniq_tagged_files = \
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
-	plugins/socket_dynamic plugins/farp plugins/stroke plugins/smp \
-	plugins/sql plugins/dnscert plugins/ipseckey plugins/updown \
+	plugins/socket_dynamic plugins/socket_win plugins/farp \
+	plugins/stroke plugins/vici plugins/smp plugins/sql \
+	plugins/dnscert plugins/ipseckey plugins/updown \
 	plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \
 	plugins/eap_sim_pcsc plugins/eap_simaka_sql \
 	plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \
@@ -669,12 +686,12 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/tnc_pdp plugins/medsrv plugins/medcli plugins/dhcp \
 	plugins/osx_attr plugins/android_dns plugins/android_log \
 	plugins/maemo plugins/ha plugins/kernel_libipsec \
-	plugins/whitelist plugins/lookip plugins/error_notify \
-	plugins/certexpire plugins/systime_fix plugins/led \
-	plugins/duplicheck plugins/coupling plugins/radattr \
-	plugins/uci plugins/addrblock plugins/unity \
-	plugins/unit_tester plugins/xauth_generic plugins/xauth_eap \
-	plugins/xauth_pam plugins/xauth_noauth
+	plugins/kernel_wfp plugins/kernel_iph plugins/whitelist \
+	plugins/lookip plugins/error_notify plugins/certexpire \
+	plugins/systime_fix plugins/led plugins/duplicheck \
+	plugins/coupling plugins/radattr plugins/uci plugins/addrblock \
+	plugins/unity plugins/unit_tester plugins/xauth_generic \
+	plugins/xauth_eap plugins/xauth_pam plugins/xauth_noauth
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -763,6 +780,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -781,6 +799,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -808,6 +827,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -899,6 +919,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -912,8 +933,7 @@ xml_LIBS = @xml_LIBS@
 ipseclib_LTLIBRARIES = libcharon.la
 libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	bus/listeners/logger.h bus/listeners/file_logger.c \
-	bus/listeners/file_logger.h bus/listeners/sys_logger.c \
-	bus/listeners/sys_logger.h config/backend_manager.c \
+	bus/listeners/file_logger.h config/backend_manager.c \
 	config/backend_manager.h config/backend.h config/child_cfg.c \
 	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
 	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
@@ -1001,7 +1021,7 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	sa/ike_sa_manager.h sa/task_manager.h sa/task_manager.c \
 	sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
 	sa/trap_manager.h sa/task.c sa/task.h $(am__append_1) \
-	$(am__append_2) $(am__append_3)
+	$(am__append_2) $(am__append_3) $(am__append_5)
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
@@ -1016,19 +1036,19 @@ AM_LDFLAGS = \
 libcharon_la_LIBADD =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la -lm $(PTHREADLIB) \
-	$(DLLIB) $(SOCKLIB) $(am__append_5) $(am__append_7) \
+	$(DLLIB) $(SOCKLIB) $(am__append_4) $(am__append_7) \
 	$(am__append_9) $(am__append_11) $(am__append_13) \
 	$(am__append_15) $(am__append_17) $(am__append_19) \
 	$(am__append_21) $(am__append_23) $(am__append_25) \
 	$(am__append_27) $(am__append_29) $(am__append_31) \
 	$(am__append_33) $(am__append_35) $(am__append_37) \
-	$(am__append_39) $(am__append_41) $(am__append_42) \
-	$(am__append_44) $(am__append_46) $(am__append_48) \
+	$(am__append_39) $(am__append_41) $(am__append_43) \
+	$(am__append_45) $(am__append_47) $(am__append_48) \
 	$(am__append_50) $(am__append_52) $(am__append_54) \
 	$(am__append_56) $(am__append_58) $(am__append_60) \
-	$(am__append_61) $(am__append_62) $(am__append_64) \
-	$(am__append_66) $(am__append_67) $(am__append_69) \
-	$(am__append_71) $(am__append_73) $(am__append_75) \
+	$(am__append_62) $(am__append_64) $(am__append_66) \
+	$(am__append_67) $(am__append_68) $(am__append_70) \
+	$(am__append_72) $(am__append_73) $(am__append_75) \
 	$(am__append_77) $(am__append_79) $(am__append_81) \
 	$(am__append_83) $(am__append_85) $(am__append_87) \
 	$(am__append_89) $(am__append_91) $(am__append_93) \
@@ -1036,67 +1056,72 @@ libcharon_la_LIBADD =  \
 	$(am__append_101) $(am__append_103) $(am__append_105) \
 	$(am__append_107) $(am__append_109) $(am__append_111) \
 	$(am__append_113) $(am__append_115) $(am__append_117) \
-	$(am__append_119)
+	$(am__append_119) $(am__append_121) $(am__append_123) \
+	$(am__append_125) $(am__append_127) $(am__append_129)
 EXTRA_DIST = Android.mk
- at MONOLITHIC_FALSE@SUBDIRS = . $(am__append_4) $(am__append_6) \
- at MONOLITHIC_FALSE@	$(am__append_8) $(am__append_10) \
- at MONOLITHIC_FALSE@	$(am__append_12) $(am__append_14) \
- at MONOLITHIC_FALSE@	$(am__append_16) $(am__append_18) \
- at MONOLITHIC_FALSE@	$(am__append_20) $(am__append_22) \
- at MONOLITHIC_FALSE@	$(am__append_24) $(am__append_26) \
- at MONOLITHIC_FALSE@	$(am__append_28) $(am__append_30) \
- at MONOLITHIC_FALSE@	$(am__append_32) $(am__append_34) \
- at MONOLITHIC_FALSE@	$(am__append_36) $(am__append_38) \
- at MONOLITHIC_FALSE@	$(am__append_40) $(am__append_43) \
- at MONOLITHIC_FALSE@	$(am__append_45) $(am__append_47) \
- at MONOLITHIC_FALSE@	$(am__append_49) $(am__append_51) \
- at MONOLITHIC_FALSE@	$(am__append_53) $(am__append_55) \
- at MONOLITHIC_FALSE@	$(am__append_57) $(am__append_59) \
+ at MONOLITHIC_FALSE@SUBDIRS = . $(am__append_6) $(am__append_8) \
+ at MONOLITHIC_FALSE@	$(am__append_10) $(am__append_12) \
+ at MONOLITHIC_FALSE@	$(am__append_14) $(am__append_16) \
+ at MONOLITHIC_FALSE@	$(am__append_18) $(am__append_20) \
+ at MONOLITHIC_FALSE@	$(am__append_22) $(am__append_24) \
+ at MONOLITHIC_FALSE@	$(am__append_26) $(am__append_28) \
+ at MONOLITHIC_FALSE@	$(am__append_30) $(am__append_32) \
+ at MONOLITHIC_FALSE@	$(am__append_34) $(am__append_36) \
+ at MONOLITHIC_FALSE@	$(am__append_38) $(am__append_40) \
+ at MONOLITHIC_FALSE@	$(am__append_42) $(am__append_44) \
+ at MONOLITHIC_FALSE@	$(am__append_46) $(am__append_49) \
+ at MONOLITHIC_FALSE@	$(am__append_51) $(am__append_53) \
+ at MONOLITHIC_FALSE@	$(am__append_55) $(am__append_57) \
+ at MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_FALSE@	$(am__append_63) $(am__append_65) \
- at MONOLITHIC_FALSE@	$(am__append_68) $(am__append_70) \
- at MONOLITHIC_FALSE@	$(am__append_72) $(am__append_74) \
- at MONOLITHIC_FALSE@	$(am__append_76) $(am__append_78) \
- at MONOLITHIC_FALSE@	$(am__append_80) $(am__append_82) \
- at MONOLITHIC_FALSE@	$(am__append_84) $(am__append_86) \
- at MONOLITHIC_FALSE@	$(am__append_88) $(am__append_90) \
- at MONOLITHIC_FALSE@	$(am__append_92) $(am__append_94) \
- at MONOLITHIC_FALSE@	$(am__append_96) $(am__append_98) \
- at MONOLITHIC_FALSE@	$(am__append_100) $(am__append_102) \
- at MONOLITHIC_FALSE@	$(am__append_104) $(am__append_106) \
- at MONOLITHIC_FALSE@	$(am__append_108) $(am__append_110) \
- at MONOLITHIC_FALSE@	$(am__append_112) $(am__append_114) \
- at MONOLITHIC_FALSE@	$(am__append_116) $(am__append_118)
+ at MONOLITHIC_FALSE@	$(am__append_69) $(am__append_71) \
+ at MONOLITHIC_FALSE@	$(am__append_74) $(am__append_76) \
+ at MONOLITHIC_FALSE@	$(am__append_78) $(am__append_80) \
+ at MONOLITHIC_FALSE@	$(am__append_82) $(am__append_84) \
+ at MONOLITHIC_FALSE@	$(am__append_86) $(am__append_88) \
+ at MONOLITHIC_FALSE@	$(am__append_90) $(am__append_92) \
+ at MONOLITHIC_FALSE@	$(am__append_94) $(am__append_96) \
+ at MONOLITHIC_FALSE@	$(am__append_98) $(am__append_100) \
+ at MONOLITHIC_FALSE@	$(am__append_102) $(am__append_104) \
+ at MONOLITHIC_FALSE@	$(am__append_106) $(am__append_108) \
+ at MONOLITHIC_FALSE@	$(am__append_110) $(am__append_112) \
+ at MONOLITHIC_FALSE@	$(am__append_114) $(am__append_116) \
+ at MONOLITHIC_FALSE@	$(am__append_118) $(am__append_120) \
+ at MONOLITHIC_FALSE@	$(am__append_122) $(am__append_124) \
+ at MONOLITHIC_FALSE@	$(am__append_126) $(am__append_128)
 
 # build optional plugins
 ########################
- at MONOLITHIC_TRUE@SUBDIRS = $(am__append_4) $(am__append_6) \
- at MONOLITHIC_TRUE@	$(am__append_8) $(am__append_10) \
- at MONOLITHIC_TRUE@	$(am__append_12) $(am__append_14) \
- at MONOLITHIC_TRUE@	$(am__append_16) $(am__append_18) \
- at MONOLITHIC_TRUE@	$(am__append_20) $(am__append_22) \
- at MONOLITHIC_TRUE@	$(am__append_24) $(am__append_26) \
- at MONOLITHIC_TRUE@	$(am__append_28) $(am__append_30) \
- at MONOLITHIC_TRUE@	$(am__append_32) $(am__append_34) \
- at MONOLITHIC_TRUE@	$(am__append_36) $(am__append_38) \
- at MONOLITHIC_TRUE@	$(am__append_40) $(am__append_43) \
- at MONOLITHIC_TRUE@	$(am__append_45) $(am__append_47) \
- at MONOLITHIC_TRUE@	$(am__append_49) $(am__append_51) \
- at MONOLITHIC_TRUE@	$(am__append_53) $(am__append_55) \
- at MONOLITHIC_TRUE@	$(am__append_57) $(am__append_59) \
+ at MONOLITHIC_TRUE@SUBDIRS = $(am__append_6) $(am__append_8) \
+ at MONOLITHIC_TRUE@	$(am__append_10) $(am__append_12) \
+ at MONOLITHIC_TRUE@	$(am__append_14) $(am__append_16) \
+ at MONOLITHIC_TRUE@	$(am__append_18) $(am__append_20) \
+ at MONOLITHIC_TRUE@	$(am__append_22) $(am__append_24) \
+ at MONOLITHIC_TRUE@	$(am__append_26) $(am__append_28) \
+ at MONOLITHIC_TRUE@	$(am__append_30) $(am__append_32) \
+ at MONOLITHIC_TRUE@	$(am__append_34) $(am__append_36) \
+ at MONOLITHIC_TRUE@	$(am__append_38) $(am__append_40) \
+ at MONOLITHIC_TRUE@	$(am__append_42) $(am__append_44) \
+ at MONOLITHIC_TRUE@	$(am__append_46) $(am__append_49) \
+ at MONOLITHIC_TRUE@	$(am__append_51) $(am__append_53) \
+ at MONOLITHIC_TRUE@	$(am__append_55) $(am__append_57) \
+ at MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_TRUE@	$(am__append_63) $(am__append_65) \
- at MONOLITHIC_TRUE@	$(am__append_68) $(am__append_70) \
- at MONOLITHIC_TRUE@	$(am__append_72) $(am__append_74) \
- at MONOLITHIC_TRUE@	$(am__append_76) $(am__append_78) \
- at MONOLITHIC_TRUE@	$(am__append_80) $(am__append_82) \
- at MONOLITHIC_TRUE@	$(am__append_84) $(am__append_86) \
- at MONOLITHIC_TRUE@	$(am__append_88) $(am__append_90) \
- at MONOLITHIC_TRUE@	$(am__append_92) $(am__append_94) \
- at MONOLITHIC_TRUE@	$(am__append_96) $(am__append_98) \
- at MONOLITHIC_TRUE@	$(am__append_100) $(am__append_102) \
- at MONOLITHIC_TRUE@	$(am__append_104) $(am__append_106) \
- at MONOLITHIC_TRUE@	$(am__append_108) $(am__append_110) \
- at MONOLITHIC_TRUE@	$(am__append_112) $(am__append_114) \
- at MONOLITHIC_TRUE@	$(am__append_116) $(am__append_118)
+ at MONOLITHIC_TRUE@	$(am__append_69) $(am__append_71) \
+ at MONOLITHIC_TRUE@	$(am__append_74) $(am__append_76) \
+ at MONOLITHIC_TRUE@	$(am__append_78) $(am__append_80) \
+ at MONOLITHIC_TRUE@	$(am__append_82) $(am__append_84) \
+ at MONOLITHIC_TRUE@	$(am__append_86) $(am__append_88) \
+ at MONOLITHIC_TRUE@	$(am__append_90) $(am__append_92) \
+ at MONOLITHIC_TRUE@	$(am__append_94) $(am__append_96) \
+ at MONOLITHIC_TRUE@	$(am__append_98) $(am__append_100) \
+ at MONOLITHIC_TRUE@	$(am__append_102) $(am__append_104) \
+ at MONOLITHIC_TRUE@	$(am__append_106) $(am__append_108) \
+ at MONOLITHIC_TRUE@	$(am__append_110) $(am__append_112) \
+ at MONOLITHIC_TRUE@	$(am__append_114) $(am__append_116) \
+ at MONOLITHIC_TRUE@	$(am__append_118) $(am__append_120) \
+ at MONOLITHIC_TRUE@	$(am__append_122) $(am__append_124) \
+ at MONOLITHIC_TRUE@	$(am__append_126) $(am__append_128)
 all: all-recursive
 
 .SUFFIXES:
@@ -1181,8 +1206,6 @@ bus/listeners/$(DEPDIR)/$(am__dirstamp):
 	@: > bus/listeners/$(DEPDIR)/$(am__dirstamp)
 bus/listeners/file_logger.lo: bus/listeners/$(am__dirstamp) \
 	bus/listeners/$(DEPDIR)/$(am__dirstamp)
-bus/listeners/sys_logger.lo: bus/listeners/$(am__dirstamp) \
-	bus/listeners/$(DEPDIR)/$(am__dirstamp)
 config/$(am__dirstamp):
 	@$(MKDIR_P) config
 	@: > config/$(am__dirstamp)
@@ -1513,6 +1536,8 @@ processing/jobs/dpd_timeout_job.lo: processing/jobs/$(am__dirstamp) \
 processing/jobs/adopt_children_job.lo:  \
 	processing/jobs/$(am__dirstamp) \
 	processing/jobs/$(DEPDIR)/$(am__dirstamp)
+bus/listeners/sys_logger.lo: bus/listeners/$(am__dirstamp) \
+	bus/listeners/$(DEPDIR)/$(am__dirstamp)
 encoding/payloads/endpoint_notify.lo:  \
 	encoding/payloads/$(am__dirstamp) \
 	encoding/payloads/$(DEPDIR)/$(am__dirstamp)
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index b461848..d1c138c 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Tobias Brunner
+ * Copyright (C) 2011-2014 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -23,6 +23,31 @@
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
 
+/**
+ * These operations allow us to speed up the log level checks on some platforms.
+ * In particular if acquiring the read lock is expensive even in the absence of
+ * any writers.
+ *
+ * Note that while holding the read/write lock the read does not have to be
+ * atomic as the write lock must be held to set the level.
+ */
+#ifdef HAVE_GCC_ATOMIC_OPERATIONS
+
+#define skip_level(ptr, level) (__atomic_load_n(ptr, __ATOMIC_RELAXED) < level)
+#define set_level(ptr, val) __atomic_store_n(ptr, val, __ATOMIC_RELAXED)
+
+#elif defined(HAVE_GCC_SYNC_OPERATIONS)
+
+#define skip_level(ptr, level) (__sync_fetch_and_add(ptr, 0) < level)
+#define set_level(ptr, val) __sync_bool_compare_and_swap(ptr, *ptr, val)
+
+#else
+
+#define skip_level(ptr, level) FALSE
+#define set_level(ptr, val) ({ *ptr = val; })
+
+#endif
+
 typedef struct private_bus_t private_bus_t;
 
 /**
@@ -173,11 +198,12 @@ static inline void register_logger(private_bus_t *this, debug_t group,
 
 	if (entry->logger->log)
 	{
-		this->max_level[group] = max(this->max_level[group], level);
+		set_level(&this->max_level[group], max(this->max_level[group], level));
 	}
 	if (entry->logger->vlog)
 	{
-		this->max_vlevel[group] = max(this->max_vlevel[group], level);
+		set_level(&this->max_vlevel[group],
+				  max(this->max_vlevel[group], level));
 	}
 }
 
@@ -205,6 +231,7 @@ static inline void unregister_logger(private_bus_t *this, logger_t *logger)
 
 	if (found)
 	{
+		level_t level = LEVEL_SILENT, vlevel = LEVEL_SILENT;
 		debug_t group;
 
 		for (group = 0; group < DBG_MAX; group++)
@@ -214,13 +241,19 @@ static inline void unregister_logger(private_bus_t *this, logger_t *logger)
 				loggers = this->loggers[group];
 				loggers->remove(loggers, found, NULL);
 
-				this->max_level[group] = LEVEL_SILENT;
-				this->max_vlevel[group] = LEVEL_SILENT;
 				if (loggers->get_first(loggers, (void**)&entry) == SUCCESS)
 				{
-					this->max_level[group] = entry->levels[group];
-					this->max_vlevel[group] = entry->levels[group];
+					if (entry->logger->log)
+					{
+						level = entry->levels[group];
+					}
+					if (entry->logger->vlog)
+					{
+						vlevel = entry->levels[group];
+					}
 				}
+				set_level(&this->max_level[group], level);
+				set_level(&this->max_vlevel[group], vlevel);
 			}
 		}
 		free(found);
@@ -324,6 +357,19 @@ METHOD(bus_t, vlog, void,
 	linked_list_t *loggers;
 	log_data_t data;
 
+	/* NOTE: This is not 100% thread-safe and done here only because it is
+	 * performance critical.  We therefore ignore the following two issues for
+	 * this particular case:  1) We might miss some log messages if another
+	 * thread concurrently increases the log level or registers a new logger.
+	 * 2) We might have to acquire the read lock below even if it wouldn't be
+	 * necessary anymore due to another thread concurrently unregistering a
+	 * logger or reducing the level. */
+	if (skip_level(&this->max_level[group], level) &&
+		skip_level(&this->max_vlevel[group], level))
+	{
+		return;
+	}
+
 	this->log_lock->read_lock(this->log_lock);
 	loggers = this->loggers[group];
 
@@ -345,7 +391,9 @@ METHOD(bus_t, vlog, void,
 		{
 			len++;
 			data.message = malloc(len);
-			len = vsnprintf(data.message, len, format, args);
+			va_copy(data.args, args);
+			len = vsnprintf(data.message, len, format, data.args);
+			va_end(data.args);
 		}
 		if (len > 0)
 		{
@@ -833,6 +881,33 @@ METHOD(bus_t, assign_vips, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(bus_t, handle_vips, void,
+	private_bus_t *this, ike_sa_t *ike_sa, bool handle)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->handle_vips)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->handle_vips(entry->listener, ike_sa, handle);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
 /**
  * Credential manager hook function to forward bus alerts
  */
@@ -909,6 +984,7 @@ bus_t *bus_create()
 			.authorize = _authorize,
 			.narrow = _narrow,
 			.assign_vips = _assign_vips,
+			.handle_vips = _handle_vips,
 			.destroy = _destroy,
 		},
 		.listeners = linked_list_create(),
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index 4a0ac68..1d708c5 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -412,6 +412,14 @@ struct bus_t {
 	void (*assign_vips)(bus_t *this, ike_sa_t *ike_sa, bool assign);
 
 	/**
+	 * Virtual IP handler hook.
+	 *
+	 * @param ike_sa	IKE_SA the VIPs/attributes got handled on
+	 * @param assign	TRUE after installing attributes, FALSE on release
+	 */
+	void (*handle_vips)(bus_t *this, ike_sa_t *ike_sa, bool handle);
+
+	/**
 	 * Destroy the event bus.
 	 */
 	void (*destroy) (bus_t *this);
diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c
index 68a386d..e3661bd 100644
--- a/src/libcharon/bus/listeners/file_logger.c
+++ b/src/libcharon/bus/listeners/file_logger.c
@@ -50,6 +50,11 @@ struct private_file_logger_t {
 	FILE *out;
 
 	/**
+	 * Flush after writing a line?
+	 */
+	bool flush_line;
+
+	/**
 	 * Maximum level to log, for each group
 	 */
 	level_t levels[DBG_MAX];
@@ -137,6 +142,12 @@ METHOD(logger_t, log_, void,
 		fprintf(this->out, "%.*s\n", (int)(next - current), current);
 		current = next + 1;
 	}
+#ifndef HAVE_SETLINEBUF
+	if (this->flush_line)
+	{
+		fflush(this->out);
+	}
+#endif /* !HAVE_SETLINEBUF */
 	this->mutex->unlock(this->mutex);
 	this->lock->unlock(this->lock);
 }
@@ -214,14 +225,17 @@ METHOD(file_logger_t, open_, void,
 				 this->filename, strerror(errno));
 			return;
 		}
+#ifdef HAVE_SETLINEBUF
 		if (flush_line)
 		{
 			setlinebuf(file);
 		}
+#endif /* HAVE_SETLINEBUF */
 	}
 	this->lock->write_lock(this->lock);
 	close_file(this);
 	this->out = file;
+	this->flush_line = flush_line;
 	this->lock->unlock(this->lock);
 }
 
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index 57445df..abcc765 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -192,10 +192,10 @@ struct listener_t {
 				narrow_hook_t type, linked_list_t *local, linked_list_t *remote);
 
 	/**
-	 * Virtual IP address assignment hook
+	 * Virtual IP address assignment hook.
 	 *
-	 * This hook gets invoked when a a Virtual IP address is assigned to an
-	 * IKE_SA (assign = TRUE) and again when it is released (assign = FALSE)
+	 * This hook gets invoked after virtual IPs have been assigned to a peer
+	 * for a specific IKE_SA, and again before they get released.
 	 *
 	 * @param ike_sa	IKE_SA the VIPs are assigned to
 	 * @param assign	TRUE if assigned to IKE_SA, FALSE if released
@@ -203,6 +203,18 @@ struct listener_t {
 	 */
 	bool (*assign_vips)(listener_t *this, ike_sa_t *ike_sa, bool assign);
 
+	/**
+	 * Virtual IP and configuration attribute handler hook.
+	 *
+	 * This hook gets invoked after virtual IP and other configuration
+	 * attributes just got installed or are about to get uninstalled on a peer
+	 * receiving them.
+	 *
+	 * @param ike_sa	IKE_SA the VIPs/attributes are handled on
+	 * @param handle	TRUE if handled by IKE_SA, FALSE on release
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*handle_vips)(listener_t *this, ike_sa_t *ike_sa, bool handle);
 };
 
 #endif /** LISTENER_H_ @}*/
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 6fe7d44..7e4a143 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -27,6 +27,9 @@ ENUM(action_names, ACTION_NONE, ACTION_RESTART,
 	"restart",
 );
 
+/** Default replay window size, if not set using charon.replay_window */
+#define DEFAULT_REPLAY_WINDOW 32
+
 typedef struct private_child_cfg_t private_child_cfg_t;
 
 /**
@@ -138,6 +141,11 @@ struct private_child_cfg_t {
 	 * enable installation and removal of kernel IPsec policies
 	 */
 	bool install_policy;
+
+	/**
+	 * anti-replay window size
+	 */
+	u_int32_t replay_window;
 };
 
 METHOD(child_cfg_t, get_name, char*,
@@ -149,7 +157,10 @@ METHOD(child_cfg_t, get_name, char*,
 METHOD(child_cfg_t, add_proposal, void,
 	private_child_cfg_t *this, proposal_t *proposal)
 {
-	this->proposals->insert_last(this->proposals, proposal);
+	if (proposal)
+	{
+		this->proposals->insert_last(this->proposals, proposal);
+	}
 }
 
 METHOD(child_cfg_t, get_proposals, linked_list_t*,
@@ -354,11 +365,11 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 				{
 					result->remove_at(result, e1);
 					ts1->destroy(ts1);
-					result->reset_enumerator(result, e2);
 					break;
 				}
 			}
 		}
+		result->reset_enumerator(result, e2);
 	}
 	e1->destroy(e1);
 	e2->destroy(e2);
@@ -478,6 +489,18 @@ METHOD(child_cfg_t, get_tfc, u_int32_t,
 	return this->tfc;
 }
 
+METHOD(child_cfg_t, get_replay_window, u_int32_t,
+	private_child_cfg_t *this)
+{
+	return this->replay_window;
+}
+
+METHOD(child_cfg_t, set_replay_window, void,
+	private_child_cfg_t *this, u_int32_t replay_window)
+{
+	this->replay_window = replay_window;
+}
+
 METHOD(child_cfg_t, set_mipv6_options, void,
 	private_child_cfg_t *this, bool proxy_mode, bool install_policy)
 {
@@ -555,6 +578,8 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 			.get_reqid = _get_reqid,
 			.get_mark = _get_mark,
 			.get_tfc = _get_tfc,
+			.get_replay_window = _get_replay_window,
+			.set_replay_window = _set_replay_window,
 			.use_proxy_mode = _use_proxy_mode,
 			.install_policy = _install_policy,
 			.get_ref = _get_ref,
@@ -577,6 +602,8 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 		.my_ts = linked_list_create(),
 		.other_ts = linked_list_create(),
 		.tfc = tfc,
+		.replay_window = lib->settings->get_int(lib->settings,
+				"%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
 	);
 
 	if (mark_in)
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 20d1fa8..9f7a92b 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -73,10 +73,10 @@ struct child_cfg_t {
 	 * Add a proposal to the list.
 	 *
 	 * The proposals are stored by priority, first added
-	 * is the most preferred.
-	 * After add, proposal is owned by child_cfg.
+	 * is the most preferred. It is safe to add NULL as proposal, which has no
+	 * effect. After add, proposal is owned by child_cfg.
 	 *
-	 * @param proposal		proposal to add
+	 * @param proposal		proposal to add, or NULL
 	 */
 	void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
 
@@ -235,6 +235,20 @@ struct child_cfg_t {
 	u_int32_t (*get_tfc)(child_cfg_t *this);
 
 	/**
+	 * Get anti-replay window size
+	 *
+	 * @return				anti-replay window size
+	 */
+	u_int32_t (*get_replay_window)(child_cfg_t *this);
+
+	/**
+	 * Set anti-replay window size
+	 *
+	 * @param window		anti-replay window size
+	 */
+	void (*set_replay_window)(child_cfg_t *this, u_int32_t window);
+
+	/**
 	 * Sets two options needed for Mobile IPv6 interoperability.
 	 *
 	 * @param proxy_mode	use IPsec transport proxy mode (default FALSE)
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index e08bb3f..42a3e90 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -281,7 +281,10 @@ METHOD(ike_cfg_t, get_dscp, u_int8_t,
 METHOD(ike_cfg_t, add_proposal, void,
 	private_ike_cfg_t *this, proposal_t *proposal)
 {
-	this->proposals->insert_last(this->proposals, proposal);
+	if (proposal)
+	{
+		this->proposals->insert_last(this->proposals, proposal);
+	}
 }
 
 METHOD(ike_cfg_t, get_proposals, linked_list_t*,
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index f9e4fbe..adfcabf 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -148,9 +148,10 @@ struct ike_cfg_t {
 	 * Adds a proposal to the list.
 	 *
 	 * The first added proposal has the highest priority, the last
-	 * added the lowest.
+	 * added the lowest. It is safe to add NULL as proposal, which has no
+	 * effect.
 	 *
-	 * @param proposal		proposal to add
+	 * @param proposal		proposal to add, or NULL
 	 */
 	void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);
 
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index d198503..ce93010 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -31,7 +31,8 @@ ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
 	"CERT_NEVER_SEND",
 );
 
-ENUM(unique_policy_names, UNIQUE_NO, UNIQUE_KEEP,
+ENUM(unique_policy_names, UNIQUE_NEVER, UNIQUE_KEEP,
+	"UNIQUE_NEVER",
 	"UNIQUE_NO",
 	"UNIQUE_REPLACE",
 	"UNIQUE_KEEP",
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 2ecdb4f..4d881cd 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -627,7 +627,7 @@ proposal_t *proposal_create(protocol_id_t protocol, u_int number)
 /**
  * Add supported IKE algorithms to proposal
  */
-static void proposal_add_supported_ike(private_proposal_t *this)
+static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 {
 	enumerator_t *enumerator;
 	encryption_algorithm_t encryption;
@@ -636,76 +636,91 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 	diffie_hellman_group_t group;
 	const char *plugin_name;
 
-	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+	if (aead)
 	{
-		switch (encryption)
+		enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
 		{
-			case ENCR_AES_CBC:
-			case ENCR_AES_CTR:
-			case ENCR_CAMELLIA_CBC:
-			case ENCR_CAMELLIA_CTR:
-				/* we assume that we support all AES/Camellia sizes */
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
-				break;
-			case ENCR_3DES:
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
-				break;
-			case ENCR_DES:
-				/* no, thanks */
-				break;
-			default:
-				break;
+			switch (encryption)
+			{
+				case ENCR_AES_CCM_ICV8:
+				case ENCR_AES_CCM_ICV12:
+				case ENCR_AES_CCM_ICV16:
+				case ENCR_AES_GCM_ICV8:
+				case ENCR_AES_GCM_ICV12:
+				case ENCR_AES_GCM_ICV16:
+				case ENCR_CAMELLIA_CCM_ICV8:
+				case ENCR_CAMELLIA_CCM_ICV12:
+				case ENCR_CAMELLIA_CCM_ICV16:
+					/* we assume that we support all AES/Camellia sizes */
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+					break;
+				default:
+					break;
+			}
 		}
-	}
-	enumerator->destroy(enumerator);
+		enumerator->destroy(enumerator);
 
-	enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
-	{
-		switch (encryption)
+		if (!array_count(this->transforms))
 		{
-			case ENCR_AES_CCM_ICV8:
-			case ENCR_AES_CCM_ICV12:
-			case ENCR_AES_CCM_ICV16:
-			case ENCR_AES_GCM_ICV8:
-			case ENCR_AES_GCM_ICV12:
-			case ENCR_AES_GCM_ICV16:
-			case ENCR_CAMELLIA_CCM_ICV8:
-			case ENCR_CAMELLIA_CCM_ICV12:
-			case ENCR_CAMELLIA_CCM_ICV16:
-				/* we assume that we support all AES/Camellia sizes */
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
-				break;
-			default:
-				break;
+			return FALSE;
 		}
 	}
-	enumerator->destroy(enumerator);
-
-	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
+	else
 	{
-		switch (integrity)
+		enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
 		{
-			case AUTH_HMAC_SHA1_96:
-			case AUTH_HMAC_SHA2_256_128:
-			case AUTH_HMAC_SHA2_384_192:
-			case AUTH_HMAC_SHA2_512_256:
-			case AUTH_HMAC_MD5_96:
-			case AUTH_AES_XCBC_96:
-			case AUTH_AES_CMAC_96:
-				add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
-				break;
-			default:
-				break;
+			switch (encryption)
+			{
+				case ENCR_AES_CBC:
+				case ENCR_AES_CTR:
+				case ENCR_CAMELLIA_CBC:
+				case ENCR_CAMELLIA_CTR:
+					/* we assume that we support all AES/Camellia sizes */
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+					break;
+				case ENCR_3DES:
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
+					break;
+				case ENCR_DES:
+					/* no, thanks */
+					break;
+				default:
+					break;
+			}
 		}
+		enumerator->destroy(enumerator);
+
+		if (!array_count(this->transforms))
+		{
+			return FALSE;
+		}
+
+		enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
+		{
+			switch (integrity)
+			{
+				case AUTH_HMAC_SHA1_96:
+				case AUTH_HMAC_SHA2_256_128:
+				case AUTH_HMAC_SHA2_384_192:
+				case AUTH_HMAC_SHA2_512_256:
+				case AUTH_HMAC_MD5_96:
+				case AUTH_AES_XCBC_96:
+				case AUTH_AES_CMAC_96:
+					add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
+					break;
+				default:
+					break;
+			}
+		}
+		enumerator->destroy(enumerator);
 	}
-	enumerator->destroy(enumerator);
 
 	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &prf, &plugin_name))
@@ -767,6 +782,8 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 		}
 	}
 	enumerator->destroy(enumerator);
+
+	return TRUE;
 }
 
 /*
@@ -779,7 +796,11 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 	switch (protocol)
 	{
 		case PROTO_IKE:
-			proposal_add_supported_ike(this);
+			if (!proposal_add_supported_ike(this, FALSE))
+			{
+				destroy(this);
+				return NULL;
+			}
 			break;
 		case PROTO_ESP:
 			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         128);
@@ -807,6 +828,33 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 /*
  * Describtion in header-file
  */
+proposal_t *proposal_create_default_aead(protocol_id_t protocol)
+{
+	private_proposal_t *this;
+
+	switch (protocol)
+	{
+		case PROTO_IKE:
+			this = (private_proposal_t*)proposal_create(protocol, 0);
+			if (!proposal_add_supported_ike(this, TRUE))
+			{
+				destroy(this);
+				return NULL;
+			}
+			return &this->public;
+		case PROTO_ESP:
+			/* we currently don't include any AEAD proposal for ESP, as we
+			 * don't know if our kernel backend actually supports it. */
+			return NULL;
+		case PROTO_AH:
+		default:
+			return NULL;
+	}
+}
+
+/*
+ * Describtion in header-file
+ */
 proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
 {
 	private_proposal_t *this;
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
index 7733143..78b8688 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libcharon/config/proposal.h
@@ -196,6 +196,14 @@ proposal_t *proposal_create(protocol_id_t protocol, u_int number);
 proposal_t *proposal_create_default(protocol_id_t protocol);
 
 /**
+ * Create a default proposal for supported AEAD algorithms
+ *
+ * @param protocol			protocol, such as PROTO_ESP
+ * @return					proposal_t object, NULL if none supported
+ */
+proposal_t *proposal_create_default_aead(protocol_id_t protocol);
+
+/**
  * Create a proposal from a string identifying the algorithms.
  *
  * The string is in the same form as a in the ipsec.conf file.
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index c546da5..25667e5 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -20,7 +20,6 @@
 #include <sys/types.h>
 #include <dirent.h>
 #include <sys/stat.h>
-#include <dlfcn.h>
 
 #include <daemon.h>
 #include <library.h>
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 0cecd1d..a89995a 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -19,8 +19,12 @@
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
-#include <syslog.h>
 #include <time.h>
+#include <errno.h>
+
+#ifdef HAVE_SYSLOG
+#include <syslog.h>
+#endif
 
 #include "daemon.h"
 
@@ -178,6 +182,7 @@ static bool logger_entry_match(logger_entry_t *this, char *target, bool *file)
  */
 static void handle_syslog_identifier(private_daemon_t *this)
 {
+#ifdef HAVE_SYSLOG
 	char *identifier;
 
 	identifier = lib->settings->get_str(lib->settings, "%s.syslog.identifier",
@@ -197,6 +202,7 @@ static void handle_syslog_identifier(private_daemon_t *this)
 		closelog();
 		this->syslog_identifier = NULL;
 	}
+#endif /* HAVE_SYSLOG */
 }
 
 /**
@@ -205,6 +211,7 @@ static void handle_syslog_identifier(private_daemon_t *this)
  */
 static int get_syslog_facility(char *facility)
 {
+#ifdef HAVE_SYSLOG
 	if (streq(facility, "daemon"))
 	{
 		return LOG_DAEMON;
@@ -213,6 +220,7 @@ static int get_syslog_facility(char *facility)
 	{
 		return LOG_AUTHPRIV;
 	}
+#endif /* HAVE_SYSLOG */
 	return -1;
 }
 
@@ -236,10 +244,12 @@ static logger_entry_t *get_logger_entry(char *target, bool is_file_logger,
 		{
 			entry->logger.file = file_logger_create(target);
 		}
+#ifdef HAVE_SYSLOG
 		else
 		{
 			entry->logger.sys = sys_logger_create(get_syslog_facility(target));
 		}
+#endif /* HAVE_SYSLOG */
 	}
 	else
 	{
@@ -380,18 +390,27 @@ METHOD(daemon_t, load_loggers, void,
 
 		for (group = 0; group < DBG_MAX; group++)
 		{
-			sys_logger->set_level(sys_logger, group, levels[group]);
+			if (sys_logger)
+			{
+				sys_logger->set_level(sys_logger, group, levels[group]);
+			}
 			if (to_stderr)
 			{
 				file_logger->set_level(file_logger, group, levels[group]);
 			}
 		}
-		charon->bus->add_logger(charon->bus, &sys_logger->logger);
+		if (sys_logger)
+		{
+			charon->bus->add_logger(charon->bus, &sys_logger->logger);
+		}
 		charon->bus->add_logger(charon->bus, &file_logger->logger);
 
 		sys_logger = add_sys_logger(this, "auth", current_loggers);
-		sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
-		charon->bus->add_logger(charon->bus, &sys_logger->logger);
+		if (sys_logger)
+		{
+			sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
+			charon->bus->add_logger(charon->bus, &sys_logger->logger);
+		}
 	}
 	/* unregister and destroy any unused remaining loggers */
 	current_loggers->destroy_function(current_loggers,
@@ -476,6 +495,53 @@ static void destroy(private_daemon_t *this)
 	free(this);
 }
 
+/**
+ * Run a set of configured scripts
+ */
+static void run_scripts(private_daemon_t *this, char *verb)
+{
+	enumerator_t *enumerator;
+	char *key, *value, *pos, buf[1024];
+	FILE *cmd;
+
+	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
+												"%s.%s-scripts", lib->ns, verb);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		DBG1(DBG_DMN, "executing %s script '%s' (%s):", verb, key, value);
+		cmd = popen(value, "r");
+		if (!cmd)
+		{
+			DBG1(DBG_DMN, "executing %s script '%s' (%s) failed: %s",
+				 verb, key, value, strerror(errno));
+			continue;
+		}
+		while (TRUE)
+		{
+			if (!fgets(buf, sizeof(buf), cmd))
+			{
+				if (ferror(cmd))
+				{
+					DBG1(DBG_DMN, "reading from %s script '%s' (%s) failed",
+						 verb, key, value);
+				}
+				break;
+			}
+			else
+			{
+				pos = buf + strlen(buf);
+				if (pos > buf && pos[-1] == '\n')
+				{
+					pos[-1] = '\0';
+				}
+				DBG1(DBG_DMN, "%s: %s", key, buf);
+			}
+		}
+		pclose(cmd);
+	}
+	enumerator->destroy(enumerator);
+}
+
 METHOD(daemon_t, start, void,
 	   private_daemon_t *this)
 {
@@ -483,6 +549,8 @@ METHOD(daemon_t, start, void,
 	lib->processor->set_threads(lib->processor,
 						lib->settings->get_int(lib->settings, "%s.threads",
 											   DEFAULT_THREADS, lib->ns));
+
+	run_scripts(this, "start");
 }
 
 
@@ -598,6 +666,8 @@ void libcharon_deinit()
 		return;
 	}
 
+	run_scripts(this, "stop");
+
 	destroy(this);
 	charon = NULL;
 }
diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c
index 2b6825c..a0a508f 100644
--- a/src/libcharon/encoding/generator.c
+++ b/src/libcharon/encoding/generator.c
@@ -17,7 +17,6 @@
 
 #include <stdlib.h>
 #include <string.h>
-#include <arpa/inet.h>
 #include <stdio.h>
 
 #include "generator.h"
@@ -498,15 +497,15 @@ METHOD(generator_t, generate_payload, void,
 			case ENCRYPTED_DATA:
 				generate_from_chunk(this, rules[i].offset);
 				break;
-			case PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE:
-			case PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE_V1:
-			case PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE:
-			case PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE_V1:
-			case PAYLOAD_LIST + TRANSFORM_ATTRIBUTE:
-			case PAYLOAD_LIST + TRANSFORM_ATTRIBUTE_V1:
-			case PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE:
-			case PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE_V1:
-			case PAYLOAD_LIST + TRAFFIC_SELECTOR_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PLV2_PROPOSAL_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PLV1_PROPOSAL_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PLV2_TRANSFORM_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PLV1_TRANSFORM_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PLV2_TRANSFORM_ATTRIBUTE:
+			case PAYLOAD_LIST + PLV1_TRANSFORM_ATTRIBUTE:
+			case PAYLOAD_LIST + PLV2_CONFIGURATION_ATTRIBUTE:
+			case PAYLOAD_LIST + PLV1_CONFIGURATION_ATTRIBUTE:
+			case PAYLOAD_LIST + PLV2_TRAFFIC_SELECTOR_SUBSTRUCTURE:
 			{
 				linked_list_t *proposals;
 				enumerator_t *enumerator;
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 11e735a..0f5f40a 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -89,7 +89,7 @@ typedef struct {
 typedef struct {
 	/** payload type */
 	payload_type_t type;
-	/** notify type, if payload == NOTIFY */
+	/** notify type, if payload == PLV2_NOTIFY */
 	notify_type_t notify;
 } payload_order_t;
 
@@ -120,11 +120,11 @@ typedef struct {
  */
 static payload_rule_t ike_sa_init_i_rules[] = {
 /*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
-	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
-	{KEY_EXCHANGE,					1,	1,						FALSE,	FALSE},
-	{NONCE,							1,	1,						FALSE,	FALSE},
-	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
+	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{PLV2_SECURITY_ASSOCIATION,		1,	1,						FALSE,	FALSE},
+	{PLV2_KEY_EXCHANGE,				1,	1,						FALSE,	FALSE},
+	{PLV2_NONCE,					1,	1,						FALSE,	FALSE},
+	{PLV2_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
 };
 
 /**
@@ -132,14 +132,14 @@ static payload_rule_t ike_sa_init_i_rules[] = {
  */
 static payload_order_t ike_sa_init_i_order[] = {
 /*	payload type					notify type */
-	{NOTIFY,						COOKIE},
-	{SECURITY_ASSOCIATION,			0},
-	{KEY_EXCHANGE,					0},
-	{NONCE,							0},
-	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
-	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
-	{NOTIFY,						0},
-	{VENDOR_ID,						0},
+	{PLV2_NOTIFY,					COOKIE},
+	{PLV2_SECURITY_ASSOCIATION,		0},
+	{PLV2_KEY_EXCHANGE,				0},
+	{PLV2_NONCE,					0},
+	{PLV2_NOTIFY,					NAT_DETECTION_SOURCE_IP},
+	{PLV2_NOTIFY,					NAT_DETECTION_DESTINATION_IP},
+	{PLV2_NOTIFY,					0},
+	{PLV2_VENDOR_ID,				0},
 };
 
 /**
@@ -147,12 +147,12 @@ static payload_order_t ike_sa_init_i_order[] = {
  */
 static payload_rule_t ike_sa_init_r_rules[] = {
 /*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	FALSE,	TRUE},
-	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
-	{KEY_EXCHANGE,					1,	1,						FALSE,	FALSE},
-	{NONCE,							1,	1,						FALSE,	FALSE},
-	{CERTIFICATE_REQUEST,			0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
-	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
+	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	TRUE},
+	{PLV2_SECURITY_ASSOCIATION,		1,	1,						FALSE,	FALSE},
+	{PLV2_KEY_EXCHANGE,				1,	1,						FALSE,	FALSE},
+	{PLV2_NONCE,					1,	1,						FALSE,	FALSE},
+	{PLV2_CERTREQ,					0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
+	{PLV2_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
 };
 
 /**
@@ -160,15 +160,15 @@ static payload_rule_t ike_sa_init_r_rules[] = {
  */
 static payload_order_t ike_sa_init_r_order[] = {
 /*	payload type					notify type */
-	{SECURITY_ASSOCIATION,			0},
-	{KEY_EXCHANGE,					0},
-	{NONCE,							0},
-	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
-	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
-	{NOTIFY,						HTTP_CERT_LOOKUP_SUPPORTED},
-	{CERTIFICATE_REQUEST,			0},
-	{NOTIFY,						0},
-	{VENDOR_ID,						0},
+	{PLV2_SECURITY_ASSOCIATION,		0},
+	{PLV2_KEY_EXCHANGE,				0},
+	{PLV2_NONCE,					0},
+	{PLV2_NOTIFY,					NAT_DETECTION_SOURCE_IP},
+	{PLV2_NOTIFY,					NAT_DETECTION_DESTINATION_IP},
+	{PLV2_NOTIFY,					HTTP_CERT_LOOKUP_SUPPORTED},
+	{PLV2_CERTREQ,					0},
+	{PLV2_NOTIFY,					0},
+	{PLV2_VENDOR_ID,				0},
 };
 
 /**
@@ -176,24 +176,24 @@ static payload_order_t ike_sa_init_r_order[] = {
  */
 static payload_rule_t ike_auth_i_rules[] = {
 /*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
-	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
-	{ID_INITIATOR,					0,	1,						TRUE,	FALSE},
-	{CERTIFICATE,					0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
-	{CERTIFICATE_REQUEST,			0,	MAX_CERTREQ_PAYLOADS,	TRUE,	FALSE},
-	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
+	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{PLV2_EAP,						0,	1,						TRUE,	TRUE},
+	{PLV2_AUTH,						0,	1,						TRUE,	TRUE},
+	{PLV2_ID_INITIATOR,				0,	1,						TRUE,	FALSE},
+	{PLV2_CERTIFICATE,				0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
+	{PLV2_CERTREQ,					0,	MAX_CERTREQ_PAYLOADS,	TRUE,	FALSE},
+	{PLV2_ID_RESPONDER,				0,	1,						TRUE,	FALSE},
 #ifdef ME
-	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
+	{PLV2_SECURITY_ASSOCIATION,		0,	1,						TRUE,	FALSE},
+	{PLV2_TS_INITIATOR,				0,	1,						TRUE,	FALSE},
+	{PLV2_TS_RESPONDER,				0,	1,						TRUE,	FALSE},
 #else
-	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
+	{PLV2_SECURITY_ASSOCIATION,		0,	1,						TRUE,	FALSE},
+	{PLV2_TS_INITIATOR,				0,	1,						TRUE,	FALSE},
+	{PLV2_TS_RESPONDER,				0,	1,						TRUE,	FALSE},
 #endif /* ME */
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+	{PLV2_CONFIGURATION,			0,	1,						TRUE,	FALSE},
+	{PLV2_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
 };
 
 /**
@@ -201,28 +201,28 @@ static payload_rule_t ike_auth_i_rules[] = {
  */
 static payload_order_t ike_auth_i_order[] = {
 /*	payload type					notify type */
-	{ID_INITIATOR,					0},
-	{CERTIFICATE,					0},
-	{NOTIFY,						INITIAL_CONTACT},
-	{NOTIFY,						HTTP_CERT_LOOKUP_SUPPORTED},
-	{CERTIFICATE_REQUEST,			0},
-	{ID_RESPONDER,					0},
-	{AUTHENTICATION,				0},
-	{EXTENSIBLE_AUTHENTICATION,		0},
-	{CONFIGURATION,					0},
-	{NOTIFY,						IPCOMP_SUPPORTED},
-	{NOTIFY,						USE_TRANSPORT_MODE},
-	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
-	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION,			0},
-	{TRAFFIC_SELECTOR_INITIATOR,	0},
-	{TRAFFIC_SELECTOR_RESPONDER,	0},
-	{NOTIFY,						MOBIKE_SUPPORTED},
-	{NOTIFY,						ADDITIONAL_IP4_ADDRESS},
-	{NOTIFY,						ADDITIONAL_IP6_ADDRESS},
-	{NOTIFY,						NO_ADDITIONAL_ADDRESSES},
-	{NOTIFY,						0},
-	{VENDOR_ID,						0},
+	{PLV2_ID_INITIATOR,				0},
+	{PLV2_CERTIFICATE,				0},
+	{PLV2_NOTIFY,					INITIAL_CONTACT},
+	{PLV2_NOTIFY,					HTTP_CERT_LOOKUP_SUPPORTED},
+	{PLV2_CERTREQ,					0},
+	{PLV2_ID_RESPONDER,				0},
+	{PLV2_AUTH,						0},
+	{PLV2_EAP,						0},
+	{PLV2_CONFIGURATION,			0},
+	{PLV2_NOTIFY,					IPCOMP_SUPPORTED},
+	{PLV2_NOTIFY,					USE_TRANSPORT_MODE},
+	{PLV2_NOTIFY,					ESP_TFC_PADDING_NOT_SUPPORTED},
+	{PLV2_NOTIFY,					NON_FIRST_FRAGMENTS_ALSO},
+	{PLV2_SECURITY_ASSOCIATION,		0},
+	{PLV2_TS_INITIATOR,				0},
+	{PLV2_TS_RESPONDER,				0},
+	{PLV2_NOTIFY,					MOBIKE_SUPPORTED},
+	{PLV2_NOTIFY,					ADDITIONAL_IP4_ADDRESS},
+	{PLV2_NOTIFY,					ADDITIONAL_IP6_ADDRESS},
+	{PLV2_NOTIFY,					NO_ADDITIONAL_ADDRESSES},
+	{PLV2_NOTIFY,					0},
+	{PLV2_VENDOR_ID,				0},
 };
 
 /**
@@ -230,16 +230,16 @@ static payload_order_t ike_auth_i_order[] = {
  */
 static payload_rule_t ike_auth_r_rules[] = {
 /*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
-	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
-	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
-	{CERTIFICATE,					0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
-	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
-	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
+	{PLV2_EAP,						0,	1,						TRUE,	TRUE},
+	{PLV2_AUTH,						0,	1,						TRUE,	TRUE},
+	{PLV2_CERTIFICATE,				0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
+	{PLV2_ID_RESPONDER,				0,	1,						TRUE,	FALSE},
+	{PLV2_SECURITY_ASSOCIATION,		0,	1,						TRUE,	FALSE},
+	{PLV2_TS_INITIATOR,				0,	1,						TRUE,	FALSE},
+	{PLV2_TS_RESPONDER,				0,	1,						TRUE,	FALSE},
+	{PLV2_CONFIGURATION,			0,	1,						TRUE,	FALSE},
+	{PLV2_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
 };
 
 /**
@@ -247,25 +247,25 @@ static payload_rule_t ike_auth_r_rules[] = {
  */
 static payload_order_t ike_auth_r_order[] = {
 /*	payload type					notify type */
-	{ID_RESPONDER,					0},
-	{CERTIFICATE,					0},
-	{AUTHENTICATION,				0},
-	{EXTENSIBLE_AUTHENTICATION,		0},
-	{CONFIGURATION,					0},
-	{NOTIFY,						IPCOMP_SUPPORTED},
-	{NOTIFY,						USE_TRANSPORT_MODE},
-	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
-	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION,			0},
-	{TRAFFIC_SELECTOR_INITIATOR,	0},
-	{TRAFFIC_SELECTOR_RESPONDER,	0},
-	{NOTIFY,						AUTH_LIFETIME},
-	{NOTIFY,						MOBIKE_SUPPORTED},
-	{NOTIFY,						ADDITIONAL_IP4_ADDRESS},
-	{NOTIFY,						ADDITIONAL_IP6_ADDRESS},
-	{NOTIFY,						NO_ADDITIONAL_ADDRESSES},
-	{NOTIFY,						0},
-	{VENDOR_ID,						0},
+	{PLV2_ID_RESPONDER,				0},
+	{PLV2_CERTIFICATE,				0},
+	{PLV2_AUTH,						0},
+	{PLV2_EAP,						0},
+	{PLV2_CONFIGURATION,			0},
+	{PLV2_NOTIFY,					IPCOMP_SUPPORTED},
+	{PLV2_NOTIFY,					USE_TRANSPORT_MODE},
+	{PLV2_NOTIFY,					ESP_TFC_PADDING_NOT_SUPPORTED},
+	{PLV2_NOTIFY,					NON_FIRST_FRAGMENTS_ALSO},
+	{PLV2_SECURITY_ASSOCIATION,		0},
+	{PLV2_TS_INITIATOR,				0},
+	{PLV2_TS_RESPONDER,				0},
+	{PLV2_NOTIFY,					AUTH_LIFETIME},
+	{PLV2_NOTIFY,					MOBIKE_SUPPORTED},
+	{PLV2_NOTIFY,					ADDITIONAL_IP4_ADDRESS},
+	{PLV2_NOTIFY,					ADDITIONAL_IP6_ADDRESS},
+	{PLV2_NOTIFY,					NO_ADDITIONAL_ADDRESSES},
+	{PLV2_NOTIFY,					0},
+	{PLV2_VENDOR_ID,				0},
 };
 
 /**
@@ -273,10 +273,10 @@ static payload_order_t ike_auth_r_order[] = {
  */
 static payload_rule_t informational_i_rules[] = {
 /*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{DELETE,						0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
-	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{PLV2_CONFIGURATION,			0,	1,						TRUE,	FALSE},
+	{PLV2_DELETE,					0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
+	{PLV2_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
 };
 
 /**
@@ -284,13 +284,13 @@ static payload_rule_t informational_i_rules[] = {
  */
 static payload_order_t informational_i_order[] = {
 /*	payload type					notify type */
-	{NOTIFY,						UPDATE_SA_ADDRESSES},
-	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
-	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
-	{NOTIFY,						COOKIE2},
-	{NOTIFY,						0},
-	{DELETE,						0},
-	{CONFIGURATION,					0},
+	{PLV2_NOTIFY,					UPDATE_SA_ADDRESSES},
+	{PLV2_NOTIFY,					NAT_DETECTION_SOURCE_IP},
+	{PLV2_NOTIFY,					NAT_DETECTION_DESTINATION_IP},
+	{PLV2_NOTIFY,					COOKIE2},
+	{PLV2_NOTIFY,					0},
+	{PLV2_DELETE,					0},
+	{PLV2_CONFIGURATION,			0},
 };
 
 /**
@@ -298,10 +298,10 @@ static payload_order_t informational_i_order[] = {
  */
 static payload_rule_t informational_r_rules[] = {
 /*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{DELETE,						0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
-	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{PLV2_CONFIGURATION,			0,	1,						TRUE,	FALSE},
+	{PLV2_DELETE,					0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
+	{PLV2_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
 };
 
 /**
@@ -309,13 +309,13 @@ static payload_rule_t informational_r_rules[] = {
  */
 static payload_order_t informational_r_order[] = {
 /*	payload type					notify type */
-	{NOTIFY,						UPDATE_SA_ADDRESSES},
-	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
-	{NOTIFY,						NAT_DETECTION_DESTINATION_IP},
-	{NOTIFY,						COOKIE2},
-	{NOTIFY,						0},
-	{DELETE,						0},
-	{CONFIGURATION,					0},
+	{PLV2_NOTIFY,					UPDATE_SA_ADDRESSES},
+	{PLV2_NOTIFY,					NAT_DETECTION_SOURCE_IP},
+	{PLV2_NOTIFY,					NAT_DETECTION_DESTINATION_IP},
+	{PLV2_NOTIFY,					COOKIE2},
+	{PLV2_NOTIFY,					0},
+	{PLV2_DELETE,					0},
+	{PLV2_CONFIGURATION,			0},
 };
 
 /**
@@ -323,14 +323,14 @@ static payload_order_t informational_r_order[] = {
  */
 static payload_rule_t create_child_sa_i_rules[] = {
 /*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{SECURITY_ASSOCIATION,			1,	1,						TRUE,	FALSE},
-	{NONCE,							1,	1,						TRUE,	FALSE},
-	{KEY_EXCHANGE,					0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{PLV2_SECURITY_ASSOCIATION,		1,	1,						TRUE,	FALSE},
+	{PLV2_NONCE,					1,	1,						TRUE,	FALSE},
+	{PLV2_KEY_EXCHANGE,				0,	1,						TRUE,	FALSE},
+	{PLV2_TS_INITIATOR,				0,	1,						TRUE,	FALSE},
+	{PLV2_TS_RESPONDER,				0,	1,						TRUE,	FALSE},
+	{PLV2_CONFIGURATION,			0,	1,						TRUE,	FALSE},
+	{PLV2_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
 };
 
 /**
@@ -338,17 +338,17 @@ static payload_rule_t create_child_sa_i_rules[] = {
  */
 static payload_order_t create_child_sa_i_order[] = {
 /*	payload type					notify type */
-	{NOTIFY,						REKEY_SA},
-	{NOTIFY,						IPCOMP_SUPPORTED},
-	{NOTIFY,						USE_TRANSPORT_MODE},
-	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
-	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION,			0},
-	{NONCE,							0},
-	{KEY_EXCHANGE,					0},
-	{TRAFFIC_SELECTOR_INITIATOR,	0},
-	{TRAFFIC_SELECTOR_RESPONDER,	0},
-	{NOTIFY,						0},
+	{PLV2_NOTIFY,					REKEY_SA},
+	{PLV2_NOTIFY,					IPCOMP_SUPPORTED},
+	{PLV2_NOTIFY,					USE_TRANSPORT_MODE},
+	{PLV2_NOTIFY,					ESP_TFC_PADDING_NOT_SUPPORTED},
+	{PLV2_NOTIFY,					NON_FIRST_FRAGMENTS_ALSO},
+	{PLV2_SECURITY_ASSOCIATION,		0},
+	{PLV2_NONCE,					0},
+	{PLV2_KEY_EXCHANGE,				0},
+	{PLV2_TS_INITIATOR,				0},
+	{PLV2_TS_RESPONDER,				0},
+	{PLV2_NOTIFY,					0},
 };
 
 /**
@@ -356,14 +356,14 @@ static payload_order_t create_child_sa_i_order[] = {
  */
 static payload_rule_t create_child_sa_r_rules[] = {
 /*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
-	{SECURITY_ASSOCIATION,			1,	1,						TRUE,	FALSE},
-	{NONCE,							1,	1,						TRUE,	FALSE},
-	{KEY_EXCHANGE,					0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_INITIATOR,	0,	1,						TRUE,	FALSE},
-	{TRAFFIC_SELECTOR_RESPONDER,	0,	1,						TRUE,	FALSE},
-	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
-	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
+	{PLV2_SECURITY_ASSOCIATION,		1,	1,						TRUE,	FALSE},
+	{PLV2_NONCE,					1,	1,						TRUE,	FALSE},
+	{PLV2_KEY_EXCHANGE,				0,	1,						TRUE,	FALSE},
+	{PLV2_TS_INITIATOR,				0,	1,						TRUE,	FALSE},
+	{PLV2_TS_RESPONDER,				0,	1,						TRUE,	FALSE},
+	{PLV2_CONFIGURATION,			0,	1,						TRUE,	FALSE},
+	{PLV2_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
 };
 
 /**
@@ -371,17 +371,17 @@ static payload_rule_t create_child_sa_r_rules[] = {
  */
 static payload_order_t create_child_sa_r_order[] = {
 /*	payload type					notify type */
-	{NOTIFY,						IPCOMP_SUPPORTED},
-	{NOTIFY,						USE_TRANSPORT_MODE},
-	{NOTIFY,						ESP_TFC_PADDING_NOT_SUPPORTED},
-	{NOTIFY,						NON_FIRST_FRAGMENTS_ALSO},
-	{SECURITY_ASSOCIATION,			0},
-	{NONCE,							0},
-	{KEY_EXCHANGE,					0},
-	{TRAFFIC_SELECTOR_INITIATOR,	0},
-	{TRAFFIC_SELECTOR_RESPONDER,	0},
-	{NOTIFY,						ADDITIONAL_TS_POSSIBLE},
-	{NOTIFY,						0},
+	{PLV2_NOTIFY,					IPCOMP_SUPPORTED},
+	{PLV2_NOTIFY,					USE_TRANSPORT_MODE},
+	{PLV2_NOTIFY,					ESP_TFC_PADDING_NOT_SUPPORTED},
+	{PLV2_NOTIFY,					NON_FIRST_FRAGMENTS_ALSO},
+	{PLV2_SECURITY_ASSOCIATION,		0},
+	{PLV2_NONCE,					0},
+	{PLV2_KEY_EXCHANGE,				0},
+	{PLV2_TS_INITIATOR,				0},
+	{PLV2_TS_RESPONDER,				0},
+	{PLV2_NOTIFY,					ADDITIONAL_TS_POSSIBLE},
+	{PLV2_NOTIFY,					0},
 };
 
 #ifdef ME
@@ -390,9 +390,9 @@ static payload_order_t create_child_sa_r_order[] = {
  */
 static payload_rule_t me_connect_i_rules[] = {
 /*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
-	{ID_PEER,						1,	1,						TRUE,	FALSE},
-	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		TRUE,	FALSE}
+	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
+	{PLV2_ID_PEER,					1,	1,						TRUE,	FALSE},
+	{PLV2_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE}
 };
 
 /**
@@ -400,9 +400,9 @@ static payload_rule_t me_connect_i_rules[] = {
  */
 static payload_order_t me_connect_i_order[] = {
 /*	payload type					notify type */
-	{NOTIFY,						0},
-	{ID_PEER,						0},
-	{VENDOR_ID,						0},
+	{PLV2_NOTIFY,					0},
+	{PLV2_ID_PEER,					0},
+	{PLV2_VENDOR_ID,				0},
 };
 
 /**
@@ -410,8 +410,8 @@ static payload_order_t me_connect_i_order[] = {
  */
 static payload_rule_t me_connect_r_rules[] = {
 /*	payload type					min	max						encr	suff */
-	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
-	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		TRUE,	FALSE}
+	{PLV2_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
+	{PLV2_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE}
 };
 
 /**
@@ -419,8 +419,8 @@ static payload_rule_t me_connect_r_rules[] = {
  */
 static payload_order_t me_connect_r_order[] = {
 /*	payload type					notify type */
-	{NOTIFY,						0},
-	{VENDOR_ID,						0},
+	{PLV2_NOTIFY,					0},
+	{PLV2_VENDOR_ID,				0},
 };
 #endif /* ME */
 
@@ -429,284 +429,284 @@ static payload_order_t me_connect_r_order[] = {
  * Message rule for ID_PROT from initiator.
  */
 static payload_rule_t id_prot_i_rules[] = {
-/*	payload type				min	max						encr	suff */
-	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
-	{SECURITY_ASSOCIATION_V1,	0,	1,						FALSE,	FALSE},
-	{KEY_EXCHANGE_V1,			0,	1,						FALSE,	FALSE},
-	{NONCE_V1,					0,	1,						FALSE,	FALSE},
-	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
-	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
-	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
-	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
-	{ID_V1,						0,	1,						TRUE,	FALSE},
-	{CERTIFICATE_V1,			0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
-	{SIGNATURE_V1,				0,	1,						TRUE,	FALSE},
-	{HASH_V1,					0,	1,						TRUE,	FALSE},
-	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
+/*	payload type					min	max						encr	suff */
+	{PLV1_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{PLV1_SECURITY_ASSOCIATION,		0,	1,						FALSE,	FALSE},
+	{PLV1_KEY_EXCHANGE,				0,	1,						FALSE,	FALSE},
+	{PLV1_NONCE,					0,	1,						FALSE,	FALSE},
+	{PLV1_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_CERTREQ,					0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
+	{PLV1_NAT_D,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_NAT_D_DRAFT_00_03,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_ID,						0,	1,						TRUE,	FALSE},
+	{PLV1_CERTIFICATE,				0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
+	{PLV1_SIGNATURE,				0,	1,						TRUE,	FALSE},
+	{PLV1_HASH,						0,	1,						TRUE,	FALSE},
+	{PLV1_FRAGMENT,					0,	1,						FALSE,	TRUE},
 };
 
 /**
  * payload order for ID_PROT from initiator.
  */
 static payload_order_t id_prot_i_order[] = {
-/*	payload type				notify type */
-	{SECURITY_ASSOCIATION_V1,	0},
-	{KEY_EXCHANGE_V1,			0},
-	{NONCE_V1,					0},
-	{ID_V1,						0},
-	{CERTIFICATE_V1,			0},
-	{SIGNATURE_V1,				0},
-	{HASH_V1,					0},
-	{CERTIFICATE_REQUEST_V1,	0},
-	{NOTIFY_V1,					0},
-	{VENDOR_ID_V1,				0},
-	{NAT_D_V1,					0},
-	{NAT_D_DRAFT_00_03_V1,		0},
-	{FRAGMENT_V1,				0},
+/*	payload type					notify type */
+	{PLV1_SECURITY_ASSOCIATION,		0},
+	{PLV1_KEY_EXCHANGE,				0},
+	{PLV1_NONCE,					0},
+	{PLV1_ID,						0},
+	{PLV1_CERTIFICATE,				0},
+	{PLV1_SIGNATURE,				0},
+	{PLV1_HASH,						0},
+	{PLV1_CERTREQ,					0},
+	{PLV1_NOTIFY,					0},
+	{PLV1_VENDOR_ID,				0},
+	{PLV1_NAT_D,					0},
+	{PLV1_NAT_D_DRAFT_00_03,		0},
+	{PLV1_FRAGMENT,					0},
 };
 
 /**
  * Message rule for ID_PROT from responder.
  */
 static payload_rule_t id_prot_r_rules[] = {
-/*	payload type				min	max						encr	suff */
-	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
-	{SECURITY_ASSOCIATION_V1,	0,	1,						FALSE,	FALSE},
-	{KEY_EXCHANGE_V1,			0,	1,						FALSE,	FALSE},
-	{NONCE_V1,					0,	1,						FALSE,	FALSE},
-	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
-	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
-	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
-	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
-	{ID_V1,						0,	1,						TRUE,	FALSE},
-	{CERTIFICATE_V1,			0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
-	{SIGNATURE_V1,				0,	1,						TRUE,	FALSE},
-	{HASH_V1,					0,	1,						TRUE,	FALSE},
-	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
+/*	payload type					min	max						encr	suff */
+	{PLV1_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{PLV1_SECURITY_ASSOCIATION,		0,	1,						FALSE,	FALSE},
+	{PLV1_KEY_EXCHANGE,				0,	1,						FALSE,	FALSE},
+	{PLV1_NONCE,					0,	1,						FALSE,	FALSE},
+	{PLV1_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_CERTREQ,					0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
+	{PLV1_NAT_D,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_NAT_D_DRAFT_00_03,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_ID,						0,	1,						TRUE,	FALSE},
+	{PLV1_CERTIFICATE,				0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
+	{PLV1_SIGNATURE,				0,	1,						TRUE,	FALSE},
+	{PLV1_HASH,						0,	1,						TRUE,	FALSE},
+	{PLV1_FRAGMENT,					0,	1,						FALSE,	TRUE},
 };
 
 /**
  * payload order for ID_PROT from responder.
  */
 static payload_order_t id_prot_r_order[] = {
-/*	payload type				notify type */
-	{SECURITY_ASSOCIATION_V1,	0},
-	{KEY_EXCHANGE_V1,			0},
-	{NONCE_V1,					0},
-	{ID_V1,						0},
-	{CERTIFICATE_V1,			0},
-	{SIGNATURE_V1,				0},
-	{HASH_V1,					0},
-	{CERTIFICATE_REQUEST_V1,	0},
-	{NOTIFY_V1,					0},
-	{VENDOR_ID_V1,				0},
-	{NAT_D_V1,					0},
-	{NAT_D_DRAFT_00_03_V1,		0},
-	{FRAGMENT_V1,				0},
+/*	payload type					notify type */
+	{PLV1_SECURITY_ASSOCIATION,		0},
+	{PLV1_KEY_EXCHANGE,				0},
+	{PLV1_NONCE,					0},
+	{PLV1_ID,						0},
+	{PLV1_CERTIFICATE,				0},
+	{PLV1_SIGNATURE,				0},
+	{PLV1_HASH,						0},
+	{PLV1_CERTREQ,					0},
+	{PLV1_NOTIFY,					0},
+	{PLV1_VENDOR_ID,				0},
+	{PLV1_NAT_D,					0},
+	{PLV1_NAT_D_DRAFT_00_03,		0},
+	{PLV1_FRAGMENT,					0},
 };
 
 /**
  * Message rule for AGGRESSIVE from initiator.
  */
 static payload_rule_t aggressive_i_rules[] = {
-/*	payload type				min	max						encr	suff */
-	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
-	{SECURITY_ASSOCIATION_V1,	0,	1,						FALSE,	FALSE},
-	{KEY_EXCHANGE_V1,			0,	1,						FALSE,	FALSE},
-	{NONCE_V1,					0,	1,						FALSE,	FALSE},
-	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
-	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
-	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
-	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
-	{ID_V1,						0,	1,						FALSE,	FALSE},
-	{CERTIFICATE_V1,			0,	1,						TRUE,	FALSE},
-	{SIGNATURE_V1,				0,	1,						TRUE,	FALSE},
-	{HASH_V1,					0,	1,						TRUE,	FALSE},
-	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
+/*	payload type					min	max						encr	suff */
+	{PLV1_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{PLV1_SECURITY_ASSOCIATION,		0,	1,						FALSE,	FALSE},
+	{PLV1_KEY_EXCHANGE,				0,	1,						FALSE,	FALSE},
+	{PLV1_NONCE,					0,	1,						FALSE,	FALSE},
+	{PLV1_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_CERTREQ,					0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
+	{PLV1_NAT_D,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_NAT_D_DRAFT_00_03,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_ID,						0,	1,						FALSE,	FALSE},
+	{PLV1_CERTIFICATE,				0,	1,						TRUE,	FALSE},
+	{PLV1_SIGNATURE,				0,	1,						TRUE,	FALSE},
+	{PLV1_HASH,						0,	1,						TRUE,	FALSE},
+	{PLV1_FRAGMENT,					0,	1,						FALSE,	TRUE},
 };
 
 /**
  * payload order for AGGRESSIVE from initiator.
  */
 static payload_order_t aggressive_i_order[] = {
-/*	payload type				notify type */
-	{SECURITY_ASSOCIATION_V1,	0},
-	{KEY_EXCHANGE_V1,			0},
-	{NONCE_V1,					0},
-	{ID_V1,						0},
-	{CERTIFICATE_V1,			0},
-	{NAT_D_V1,					0},
-	{NAT_D_DRAFT_00_03_V1,		0},
-	{SIGNATURE_V1,				0},
-	{HASH_V1,					0},
-	{CERTIFICATE_REQUEST_V1,	0},
-	{NOTIFY_V1,					0},
-	{VENDOR_ID_V1,				0},
-	{FRAGMENT_V1,				0},
+/*	payload type					notify type */
+	{PLV1_SECURITY_ASSOCIATION,		0},
+	{PLV1_KEY_EXCHANGE,				0},
+	{PLV1_NONCE,					0},
+	{PLV1_ID,						0},
+	{PLV1_CERTIFICATE,				0},
+	{PLV1_NAT_D,					0},
+	{PLV1_NAT_D_DRAFT_00_03,		0},
+	{PLV1_SIGNATURE,				0},
+	{PLV1_HASH,						0},
+	{PLV1_CERTREQ,					0},
+	{PLV1_NOTIFY,					0},
+	{PLV1_VENDOR_ID,				0},
+	{PLV1_FRAGMENT,					0},
 };
 
 /**
  * Message rule for AGGRESSIVE from responder.
  */
 static payload_rule_t aggressive_r_rules[] = {
-/*	payload type				min	max						encr	suff */
-	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
-	{SECURITY_ASSOCIATION_V1,	0,	1,						FALSE,	FALSE},
-	{KEY_EXCHANGE_V1,			0,	1,						FALSE,	FALSE},
-	{NONCE_V1,					0,	1,						FALSE,	FALSE},
-	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
-	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
-	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
-	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
-	{ID_V1,						0,	1,						FALSE,	FALSE},
-	{CERTIFICATE_V1,			0,	1,						FALSE,	FALSE},
-	{SIGNATURE_V1,				0,	1,						FALSE,	FALSE},
-	{HASH_V1,					0,	1,						FALSE,	FALSE},
-	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
+/*	payload type					min	max						encr	suff */
+	{PLV1_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{PLV1_SECURITY_ASSOCIATION,		0,	1,						FALSE,	FALSE},
+	{PLV1_KEY_EXCHANGE,				0,	1,						FALSE,	FALSE},
+	{PLV1_NONCE,					0,	1,						FALSE,	FALSE},
+	{PLV1_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_CERTREQ,					0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
+	{PLV1_NAT_D,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_NAT_D_DRAFT_00_03,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{PLV1_ID,						0,	1,						FALSE,	FALSE},
+	{PLV1_CERTIFICATE,				0,	1,						FALSE,	FALSE},
+	{PLV1_SIGNATURE,				0,	1,						FALSE,	FALSE},
+	{PLV1_HASH,						0,	1,						FALSE,	FALSE},
+	{PLV1_FRAGMENT,					0,	1,						FALSE,	TRUE},
 };
 
 /**
  * payload order for AGGRESSIVE from responder.
  */
 static payload_order_t aggressive_r_order[] = {
-/*	payload type				notify type */
-	{SECURITY_ASSOCIATION_V1,	0},
-	{KEY_EXCHANGE_V1,			0},
-	{NONCE_V1,					0},
-	{ID_V1,						0},
-	{CERTIFICATE_V1,			0},
-	{NAT_D_V1,					0},
-	{NAT_D_DRAFT_00_03_V1,		0},
-	{SIGNATURE_V1,				0},
-	{HASH_V1,					0},
-	{CERTIFICATE_REQUEST_V1,	0},
-	{NOTIFY_V1,					0},
-	{VENDOR_ID_V1,				0},
-	{FRAGMENT_V1,				0},
+/*	payload type					notify type */
+	{PLV1_SECURITY_ASSOCIATION,		0},
+	{PLV1_KEY_EXCHANGE,				0},
+	{PLV1_NONCE,					0},
+	{PLV1_ID,						0},
+	{PLV1_CERTIFICATE,				0},
+	{PLV1_NAT_D,					0},
+	{PLV1_NAT_D_DRAFT_00_03,		0},
+	{PLV1_SIGNATURE,				0},
+	{PLV1_HASH,						0},
+	{PLV1_CERTREQ,					0},
+	{PLV1_NOTIFY,					0},
+	{PLV1_VENDOR_ID,				0},
+	{PLV1_FRAGMENT,					0},
 };
 
 /**
  * Message rule for INFORMATIONAL_V1 from initiator.
  */
 static payload_rule_t informational_i_rules_v1[] = {
-/*	payload type				min	max						encr	suff */
-	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
-	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{DELETE_V1,					0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
-	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+/*	payload type					min	max						encr	suff */
+	{PLV1_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{PLV1_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{PLV1_DELETE,					0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
+	{PLV1_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
 };
 
 /**
  * payload order for INFORMATIONAL_V1 from initiator.
  */
 static payload_order_t informational_i_order_v1[] = {
-/*	payload type				notify type */
-	{NOTIFY_V1,					0},
-	{DELETE_V1,					0},
-	{VENDOR_ID_V1,				0},
+/*	payload type					notify type */
+	{PLV1_NOTIFY,					0},
+	{PLV1_DELETE,					0},
+	{PLV1_VENDOR_ID,				0},
 };
 
 /**
  * Message rule for INFORMATIONAL_V1 from responder.
  */
 static payload_rule_t informational_r_rules_v1[] = {
-/*	payload type				min	max						encr	suff */
-	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
-	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{DELETE_V1,					0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
-	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+/*	payload type					min	max						encr	suff */
+	{PLV1_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{PLV1_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{PLV1_DELETE,					0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
+	{PLV1_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
 };
 
 /**
  * payload order for INFORMATIONAL_V1 from responder.
  */
 static payload_order_t informational_r_order_v1[] = {
-/*	payload type				notify type */
-	{NOTIFY_V1,					0},
-	{DELETE_V1,					0},
-	{VENDOR_ID_V1,				0},
+/*	payload type					notify type */
+	{PLV1_NOTIFY,					0},
+	{PLV1_DELETE,					0},
+	{PLV1_VENDOR_ID,				0},
 };
 
 /**
  * Message rule for QUICK_MODE from initiator.
  */
 static payload_rule_t quick_mode_i_rules[] = {
-/*	payload type				min	max						encr	suff */
-	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
-	{HASH_V1,					0,	1,						TRUE,	FALSE},
-	{SECURITY_ASSOCIATION_V1,	0,	2,						TRUE,	FALSE},
-	{NONCE_V1,					0,	1,						TRUE,	FALSE},
-	{KEY_EXCHANGE_V1,			0,	1,						TRUE,	FALSE},
-	{ID_V1,						0,	2,						TRUE,	FALSE},
-	{NAT_OA_V1,					0,	2,						TRUE,	FALSE},
-	{NAT_OA_DRAFT_00_03_V1,		0,	2,						TRUE,	FALSE},
+/*	payload type					min	max						encr	suff */
+	{PLV1_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{PLV1_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+	{PLV1_HASH,						0,	1,						TRUE,	FALSE},
+	{PLV1_SECURITY_ASSOCIATION,		0,	2,						TRUE,	FALSE},
+	{PLV1_NONCE,					0,	1,						TRUE,	FALSE},
+	{PLV1_KEY_EXCHANGE,				0,	1,						TRUE,	FALSE},
+	{PLV1_ID,						0,	2,						TRUE,	FALSE},
+	{PLV1_NAT_OA,					0,	2,						TRUE,	FALSE},
+	{PLV1_NAT_OA_DRAFT_00_03,		0,	2,						TRUE,	FALSE},
 };
 
 /**
  * payload order for QUICK_MODE from initiator.
  */
 static payload_order_t quick_mode_i_order[] = {
-/*	payload type				notify type */
-	{NOTIFY_V1,					0},
-	{VENDOR_ID_V1,				0},
-	{HASH_V1,					0},
-	{SECURITY_ASSOCIATION_V1,	0},
-	{NONCE_V1,					0},
-	{KEY_EXCHANGE_V1,			0},
-	{ID_V1,						0},
-	{NAT_OA_V1,					0},
-	{NAT_OA_DRAFT_00_03_V1,		0},
+/*	payload type					notify type */
+	{PLV1_NOTIFY,					0},
+	{PLV1_VENDOR_ID,				0},
+	{PLV1_HASH,						0},
+	{PLV1_SECURITY_ASSOCIATION,		0},
+	{PLV1_NONCE,					0},
+	{PLV1_KEY_EXCHANGE,				0},
+	{PLV1_ID,						0},
+	{PLV1_NAT_OA,					0},
+	{PLV1_NAT_OA_DRAFT_00_03,		0},
 };
 
 /**
  * Message rule for QUICK_MODE from responder.
  */
 static payload_rule_t quick_mode_r_rules[] = {
-/*	payload type				min	max						encr	suff */
-	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
-	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
-	{HASH_V1,					0,	1,						TRUE,	FALSE},
-	{SECURITY_ASSOCIATION_V1,	0,	2,						TRUE,	FALSE},
-	{NONCE_V1,					0,	1,						TRUE,	FALSE},
-	{KEY_EXCHANGE_V1,			0,	1,						TRUE,	FALSE},
-	{ID_V1,						0,	2,						TRUE,	FALSE},
-	{NAT_OA_V1,					0,	2,						TRUE,	FALSE},
-	{NAT_OA_DRAFT_00_03_V1,		0,	2,						TRUE,	FALSE},
+/*	payload type					min	max						encr	suff */
+	{PLV1_NOTIFY,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{PLV1_VENDOR_ID,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+	{PLV1_HASH,						0,	1,						TRUE,	FALSE},
+	{PLV1_SECURITY_ASSOCIATION,		0,	2,						TRUE,	FALSE},
+	{PLV1_NONCE,					0,	1,						TRUE,	FALSE},
+	{PLV1_KEY_EXCHANGE,				0,	1,						TRUE,	FALSE},
+	{PLV1_ID,						0,	2,						TRUE,	FALSE},
+	{PLV1_NAT_OA,					0,	2,						TRUE,	FALSE},
+	{PLV1_NAT_OA_DRAFT_00_03,		0,	2,						TRUE,	FALSE},
 };
 
 /**
  * payload order for QUICK_MODE from responder.
  */
 static payload_order_t quick_mode_r_order[] = {
-/*	payload type				notify type */
-	{NOTIFY_V1,					0},
-	{VENDOR_ID_V1,				0},
-	{HASH_V1,					0},
-	{SECURITY_ASSOCIATION_V1,	0},
-	{NONCE_V1,					0},
-	{KEY_EXCHANGE_V1,			0},
-	{ID_V1,						0},
-	{NAT_OA_V1,					0},
-	{NAT_OA_DRAFT_00_03_V1,		0},
+/*	payload type					notify type */
+	{PLV1_NOTIFY,					0},
+	{PLV1_VENDOR_ID,				0},
+	{PLV1_HASH,						0},
+	{PLV1_SECURITY_ASSOCIATION,		0},
+	{PLV1_NONCE,					0},
+	{PLV1_KEY_EXCHANGE,				0},
+	{PLV1_ID,						0},
+	{PLV1_NAT_OA,					0},
+	{PLV1_NAT_OA_DRAFT_00_03,		0},
 };
 
 /**
  * Message rule for TRANSACTION.
  */
 static payload_rule_t transaction_payload_rules_v1[] = {
-/*	payload type				min	max	encr	suff */
-	{HASH_V1,					0,	1,	TRUE,	FALSE},
-	{CONFIGURATION_V1,			1,	1,	FALSE,	FALSE},
+/*	payload type					min	max	encr	suff */
+	{PLV1_HASH,						0,	1,	TRUE,	FALSE},
+	{PLV1_CONFIGURATION,			1,	1,	FALSE,	FALSE},
 };
 
 /**
  * Payload order for TRANSACTION.
  */
 static payload_order_t transaction_payload_order_v1[] = {
-/*	payload type			notify type */
-	{HASH_V1,					0},
-	{CONFIGURATION_V1,			0},
+/*	payload type					notify type */
+	{PLV1_HASH,						0},
+	{PLV1_CONFIGURATION,			0},
 };
 
 #endif /* USE_IKEV1 */
@@ -1063,7 +1063,7 @@ METHOD(message_t, add_payload, void,
 	{
 		this->first_payload = payload->get_type(payload);
 	}
-	payload->set_next_type(payload, NO_PAYLOAD);
+	payload->set_next_type(payload, PL_NONE);
 	this->payloads->insert_last(this->payloads, payload);
 
 	DBG2(DBG_ENC ,"added payload of type %N to message",
@@ -1086,11 +1086,11 @@ METHOD(message_t, add_notify, void,
 	}
 	if (this->major_version == IKEV2_MAJOR_VERSION)
 	{
-		notify = notify_payload_create(NOTIFY);
+		notify = notify_payload_create(PLV2_NOTIFY);
 	}
 	else
 	{
-		notify = notify_payload_create(NOTIFY_V1);
+		notify = notify_payload_create(PLV1_NOTIFY);
 	}
 	notify->set_notify_type(notify, type);
 	notify->set_notification_data(notify, data);
@@ -1162,8 +1162,8 @@ METHOD(message_t, get_notify, notify_payload_t*,
 	enumerator = create_payload_enumerator(this);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
-		if (payload->get_type(payload) == NOTIFY ||
-			payload->get_type(payload) == NOTIFY_V1)
+		if (payload->get_type(payload) == PLV2_NOTIFY ||
+			payload->get_type(payload) == PLV1_NOTIFY)
 		{
 			notify = (notify_payload_t*)payload;
 			if (notify->get_notify_type(notify) == type)
@@ -1212,8 +1212,8 @@ static char* get_string(private_message_t *this, char *buf, int len)
 		}
 		pos += written;
 		len -= written;
-		if (payload->get_type(payload) == NOTIFY ||
-			payload->get_type(payload) == NOTIFY_V1)
+		if (payload->get_type(payload) == PLV2_NOTIFY ||
+			payload->get_type(payload) == PLV1_NOTIFY)
 		{
 			notify_payload_t *notify;
 			notify_type_t type;
@@ -1239,7 +1239,7 @@ static char* get_string(private_message_t *this, char *buf, int len)
 			pos += written;
 			len -= written;
 		}
-		if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
+		if (payload->get_type(payload) == PLV2_EAP)
 		{
 			eap_payload_t *eap = (eap_payload_t*)payload;
 			u_int32_t vendor;
@@ -1268,8 +1268,8 @@ static char* get_string(private_message_t *this, char *buf, int len)
 			pos += written;
 			len -= written;
 		}
-		if (payload->get_type(payload) == CONFIGURATION ||
-			payload->get_type(payload) == CONFIGURATION_V1)
+		if (payload->get_type(payload) == PLV2_CONFIGURATION ||
+			payload->get_type(payload) == PLV1_CONFIGURATION)
 		{
 			cp_payload_t *cp = (cp_payload_t*)payload;
 			enumerator_t *attributes;
@@ -1365,7 +1365,7 @@ static void order_payloads(private_message_t *this)
 				notify = (notify_payload_t*)payload;
 
 				/**... and check notify for type. */
-				if (order.type != NOTIFY || order.notify == 0 ||
+				if (order.type != PLV2_NOTIFY || order.notify == 0 ||
 					order.notify == notify->get_notify_type(notify))
 				{
 					list->remove_at(list, enumerator);
@@ -1410,11 +1410,11 @@ static encryption_payload_t* wrap_payloads(private_message_t *this)
 
 	if (this->is_encrypted)
 	{
-		encryption = encryption_payload_create(ENCRYPTED_V1);
+		encryption = encryption_payload_create(PLV1_ENCRYPTED);
 	}
 	else
 	{
-		encryption = encryption_payload_create(ENCRYPTED);
+		encryption = encryption_payload_create(PLV2_ENCRYPTED);
 	}
 	while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
 	{
@@ -1500,7 +1500,7 @@ METHOD(message_t, generate, status_t,
 		{	/* insert a HASH payload as first payload */
 			hash_payload_t *hash_payload;
 
-			hash_payload = hash_payload_create(HASH_V1);
+			hash_payload = hash_payload_create(PLV1_HASH);
 			hash_payload->set_hash(hash_payload, hash);
 			this->payloads->insert_first(this->payloads, hash_payload);
 			if (this->exchange_type == INFORMATIONAL_V1)
@@ -1598,7 +1598,7 @@ METHOD(message_t, generate, status_t,
 	}
 	else
 	{
-		next_type = encryption ? ENCRYPTED : NO_PAYLOAD;
+		next_type = encryption ? PLV2_ENCRYPTED : PL_NONE;
 	}
 	payload->set_next_type(payload, next_type);
 	generator->generate_payload(generator, payload);
@@ -1683,7 +1683,7 @@ METHOD(message_t, parse_header, status_t,
 	DBG2(DBG_ENC, "parsing header of message");
 
 	this->parser->reset_context(this->parser);
-	status = this->parser->parse_payload(this->parser, HEADER,
+	status = this->parser->parse_payload(this->parser, PL_HEADER,
 										 (payload_t**)&ike_header);
 	if (status != SUCCESS)
 	{
@@ -1722,7 +1722,7 @@ METHOD(message_t, parse_header, status_t,
 	}
 	this->first_payload = ike_header->payload_interface.get_next_type(
 												&ike_header->payload_interface);
-	if (this->first_payload == FRAGMENT_V1 && this->is_encrypted)
+	if (this->first_payload == PLV1_FRAGMENT && this->is_encrypted)
 	{	/* racoon sets the encryted bit when sending a fragment, but these
 		 * messages are really not encrypted */
 		this->is_encrypted = FALSE;
@@ -1752,7 +1752,7 @@ static bool is_connectivity_check(private_message_t *this, payload_t *payload)
 {
 #ifdef ME
 	if (this->exchange_type == INFORMATIONAL &&
-		payload->get_type(payload) == NOTIFY)
+		payload->get_type(payload) == PLV2_NOTIFY)
 	{
 		notify_payload_t *notify = (notify_payload_t*)payload;
 
@@ -1784,7 +1784,7 @@ static status_t parse_payloads(private_message_t *this)
 		 * payload which is then handled just like a regular payload */
 		encryption_payload_t *encryption;
 
-		status = this->parser->parse_payload(this->parser, ENCRYPTED_V1,
+		status = this->parser->parse_payload(this->parser, PLV1_ENCRYPTED,
 											 (payload_t**)&encryption);
 		if (status != SUCCESS)
 		{
@@ -1797,7 +1797,7 @@ static status_t parse_payloads(private_message_t *this)
 		return SUCCESS;
 	}
 
-	while (type != NO_PAYLOAD)
+	while (type != PL_NONE)
 	{
 		DBG2(DBG_ENC, "starting parsing a %N payload",
 			 payload_type_names, type);
@@ -1826,7 +1826,7 @@ static status_t parse_payloads(private_message_t *this)
 
 		/* an encrypted payload is the last one, so STOP here. decryption is
 		 * done later */
-		if (type == ENCRYPTED)
+		if (type == PLV2_ENCRYPTED)
 		{
 			DBG2(DBG_ENC, "%N payload found, stop parsing",
 				 payload_type_names, type);
@@ -1923,6 +1923,24 @@ static status_t decrypt_and_extract(private_message_t *this, keymat_t *keymat,
 }
 
 /**
+ * Do we accept unencrypted ID/HASH payloads in Main Mode, as seen from
+ * some SonicWall boxes?
+ */
+static bool accept_unencrypted_mm(private_message_t *this, payload_type_t type)
+{
+	if (this->exchange_type == ID_PROT)
+	{
+		if (type == PLV1_ID || type == PLV1_HASH)
+		{
+			return lib->settings->get_bool(lib->settings,
+									"%s.accept_unencrypted_mainmode_messages",
+									FALSE, lib->ns);
+		}
+	}
+	return FALSE;
+}
+
+/**
  * Decrypt payload from the encryption payload
  */
 static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
@@ -1941,7 +1959,7 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
 
 		DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
 
-		if (type == ENCRYPTED || type == ENCRYPTED_V1)
+		if (type == PLV2_ENCRYPTED || type == PLV1_ENCRYPTED)
 		{
 			encryption_payload_t *encryption;
 
@@ -1978,7 +1996,8 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
 			this->exchange_type != AGGRESSIVE)
 		{
 			rule = get_payload_rule(this, type);
-			if (!rule || rule->encrypted)
+			if ((!rule || rule->encrypted) &&
+				!accept_unencrypted_mm(this, type))
 			{
 				DBG1(DBG_ENC, "payload type %N was not encrypted",
 					 payload_type_names, type);
@@ -2097,7 +2116,7 @@ METHOD(message_t, parse_body, status_t,
 			hash_payload_t *hash_payload;
 			chunk_t other_hash;
 
-			if (this->first_payload != HASH_V1)
+			if (this->first_payload != PLV1_HASH)
 			{
 				if (this->exchange_type == INFORMATIONAL_V1)
 				{
@@ -2111,7 +2130,7 @@ METHOD(message_t, parse_body, status_t,
 				chunk_free(&hash);
 				return VERIFY_ERROR;
 			}
-			hash_payload = (hash_payload_t*)get_payload(this, HASH_V1);
+			hash_payload = (hash_payload_t*)get_payload(this, PLV1_HASH);
 			other_hash = hash_payload->get_hash(hash_payload);
 			DBG3(DBG_ENC, "HASH received %B\nHASH expected %B",
 				 &other_hash, &hash);
@@ -2192,7 +2211,7 @@ message_t *message_create_from_packet(packet_t *packet)
 		},
 		.exchange_type = EXCHANGE_TYPE_UNDEFINED,
 		.is_request = TRUE,
-		.first_payload = NO_PAYLOAD,
+		.first_payload = PL_NONE,
 		.packet = packet,
 		.payloads = linked_list_create(),
 		.parser = parser_create(packet->get_data(packet)),
diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c
index 9e7f831..c33e30d 100644
--- a/src/libcharon/encoding/parser.c
+++ b/src/libcharon/encoding/parser.c
@@ -15,7 +15,6 @@
  */
 
 #include <stdlib.h>
-#include <arpa/inet.h>
 #include <string.h>
 
 #include "parser.h"
@@ -486,15 +485,15 @@ METHOD(parser_t, parse_payload, status_t,
 				}
 				break;
 			}
-			case PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE:
-			case PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE_V1:
-			case PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE:
-			case PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE_V1:
-			case PAYLOAD_LIST + TRANSFORM_ATTRIBUTE:
-			case PAYLOAD_LIST + TRANSFORM_ATTRIBUTE_V1:
-			case PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE:
-			case PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE_V1:
-			case PAYLOAD_LIST + TRAFFIC_SELECTOR_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PLV2_PROPOSAL_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PLV1_PROPOSAL_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PLV2_TRANSFORM_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PLV1_TRANSFORM_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PLV2_TRANSFORM_ATTRIBUTE:
+			case PAYLOAD_LIST + PLV1_TRANSFORM_ATTRIBUTE:
+			case PAYLOAD_LIST + PLV2_CONFIGURATION_ATTRIBUTE:
+			case PAYLOAD_LIST + PLV1_CONFIGURATION_ATTRIBUTE:
+			case PAYLOAD_LIST + PLV2_TRAFFIC_SELECTOR_SUBSTRUCTURE:
 			{
 				if (payload_length < header_length ||
 					!parse_list(this, rule_number, output + rule->offset,
diff --git a/src/libcharon/encoding/payloads/auth_payload.c b/src/libcharon/encoding/payloads/auth_payload.c
index 2410a1a..ee3ed54 100644
--- a/src/libcharon/encoding/payloads/auth_payload.c
+++ b/src/libcharon/encoding/payloads/auth_payload.c
@@ -135,7 +135,7 @@ METHOD(payload_t, get_header_length, int,
 METHOD(payload_t, get_type, payload_type_t,
 	private_auth_payload_t *this)
 {
-	return AUTHENTICATION;
+	return PLV2_AUTH;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -214,7 +214,7 @@ auth_payload_t *auth_payload_create()
 			.get_data = _get_data,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payload_length = get_header_length(this),
 	);
 	return &this->public;
diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
index 05d4105..43993ae 100644
--- a/src/libcharon/encoding/payloads/cert_payload.c
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -315,7 +315,7 @@ cert_payload_t *cert_payload_create(payload_type_t type)
 			.get_url = _get_url,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payload_length = get_header_length(this),
 		.type = type,
 	);
@@ -363,7 +363,7 @@ cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url)
 {
 	private_cert_payload_t *this;
 
-	this = (private_cert_payload_t*)cert_payload_create(CERTIFICATE);
+	this = (private_cert_payload_t*)cert_payload_create(PLV2_CERTIFICATE);
 	this->encoding = ENC_X509_HASH_AND_URL;
 	this->data = chunk_cat("cc", hash, chunk_create(url, strlen(url)));
 	this->payload_length = get_header_length(this) + this->data.len;
diff --git a/src/libcharon/encoding/payloads/certreq_payload.c b/src/libcharon/encoding/payloads/certreq_payload.c
index df5e73b..6ac90a2 100644
--- a/src/libcharon/encoding/payloads/certreq_payload.c
+++ b/src/libcharon/encoding/payloads/certreq_payload.c
@@ -66,7 +66,7 @@ struct private_certreq_payload_t {
 	chunk_t data;
 
 	/**
-	 * Payload type CERTIFICATE_REQUEST or CERTIFICATE_REQUEST_V1
+	 * Payload type PLV2_CERTREQ or PLV1_CERTREQ
 	 */
 	payload_type_t type;
 };
@@ -111,7 +111,7 @@ static encoding_rule_t encodings[] = {
 METHOD(payload_t, verify, status_t,
 	private_certreq_payload_t *this)
 {
-	if (this->type == CERTIFICATE_REQUEST &&
+	if (this->type == PLV2_CERTREQ &&
 		this->encoding == ENC_X509_SIGNATURE)
 	{
 		if (this->data.len % HASH_SIZE_SHA1)
@@ -218,7 +218,7 @@ METHOD(certreq_payload_t, create_keyid_enumerator, enumerator_t*,
 {
 	keyid_enumerator_t *enumerator;
 
-	if (this->type == CERTIFICATE_REQUEST_V1)
+	if (this->type == PLV1_CERTREQ)
 	{
 		return enumerator_create_empty();
 	}
@@ -276,7 +276,7 @@ certreq_payload_t *certreq_payload_create(payload_type_t type)
 			.destroy = _destroy,
 			.get_dn = _get_dn,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payload_length = get_header_length(this),
 		.type = type,
 	);
@@ -291,7 +291,7 @@ certreq_payload_t *certreq_payload_create_type(certificate_type_t type)
 	private_certreq_payload_t *this;
 
 	this = (private_certreq_payload_t*)
-					certreq_payload_create(CERTIFICATE_REQUEST);
+					certreq_payload_create(PLV2_CERTREQ);
 	switch (type)
 	{
 		case CERT_X509:
@@ -314,7 +314,7 @@ certreq_payload_t *certreq_payload_create_dn(identification_t *id)
 	private_certreq_payload_t *this;
 
 	this = (private_certreq_payload_t*)
-					certreq_payload_create(CERTIFICATE_REQUEST_V1);
+					certreq_payload_create(PLV1_CERTREQ);
 
 	this->encoding = ENC_X509_SIGNATURE;
 	this->data = chunk_clone(id->get_encoding(id));
diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c
index 482eca8..481bb7b 100644
--- a/src/libcharon/encoding/payloads/configuration_attribute.c
+++ b/src/libcharon/encoding/payloads/configuration_attribute.c
@@ -61,7 +61,7 @@ struct private_configuration_attribute_t {
 	chunk_t value;
 
 	/**
-	 * Payload type, CONFIGURATION_ATTRIBUTE or DATA_ATTRIBUTE_V1
+	 * Payload type, PLV2_CONFIGURATION_ATTRIBUTE or DATA_ATTRIBUTE_V1
 	 */
 	payload_type_t type;
 };
@@ -209,7 +209,7 @@ METHOD(payload_t, verify, status_t,
 METHOD(payload_t, get_encoding_rules, int,
 	private_configuration_attribute_t *this, encoding_rule_t **rules)
 {
-	if (this->type == CONFIGURATION_ATTRIBUTE)
+	if (this->type == PLV2_CONFIGURATION_ATTRIBUTE)
 	{
 		*rules = encodings_v2;
 		return countof(encodings_v2);
@@ -233,7 +233,7 @@ METHOD(payload_t, get_type, payload_type_t,
 METHOD(payload_t, get_next_type, payload_type_t,
 	private_configuration_attribute_t *this)
 {
-	return NO_PAYLOAD;
+	return PL_NONE;
 }
 
 METHOD(payload_t, set_next_type, void,
@@ -335,7 +335,7 @@ configuration_attribute_t *configuration_attribute_create_value(
 	private_configuration_attribute_t *this;
 
 	this = (private_configuration_attribute_t*)
-					configuration_attribute_create(CONFIGURATION_ATTRIBUTE_V1);
+					configuration_attribute_create(PLV1_CONFIGURATION_ATTRIBUTE);
 	this->attr_type = ((u_int16_t)attr_type) & 0x7FFF;
 	this->length_or_value = value;
 	this->af_flag = TRUE;
diff --git a/src/libcharon/encoding/payloads/configuration_attribute.h b/src/libcharon/encoding/payloads/configuration_attribute.h
index ecc0f9c..946c1b5 100644
--- a/src/libcharon/encoding/payloads/configuration_attribute.h
+++ b/src/libcharon/encoding/payloads/configuration_attribute.h
@@ -68,7 +68,7 @@ struct configuration_attribute_t {
 /**
  * Creates an empty configuration attribute.
  *
- * @param type		CONFIGURATION_ATTRIBUTE or CONFIGURATION_ATTRIBUTE_V1
+ * @param type		PLV2_CONFIGURATION_ATTRIBUTE or PLV1_CONFIGURATION_ATTRIBUTE
  * @return			created configuration attribute
  */
 configuration_attribute_t *configuration_attribute_create(payload_type_t type);
@@ -76,7 +76,7 @@ configuration_attribute_t *configuration_attribute_create(payload_type_t type);
 /**
  * Creates a configuration attribute with type and value.
  *
- * @param type		CONFIGURATION_ATTRIBUTE or CONFIGURATION_ATTRIBUTE_V1
+ * @param type		PLV2_CONFIGURATION_ATTRIBUTE or PLV1_CONFIGURATION_ATTRIBUTE
  * @param attr_type	type of configuration attribute
  * @param chunk		attribute value, gets cloned
  * @return			created configuration attribute
@@ -89,7 +89,7 @@ configuration_attribute_t *configuration_attribute_create_chunk(
  *
  * @param attr_type	type of configuration attribute
  * @param value		attribute value, gets cloned
- * @return			created CONFIGURATION_ATTRIBUTE_V1 configuration attribute
+ * @return			created PLV1_CONFIGURATION_ATTRIBUTE configuration attribute
  */
 configuration_attribute_t *configuration_attribute_create_value(
 					configuration_attribute_type_t attr_type, u_int16_t value);
diff --git a/src/libcharon/encoding/payloads/cp_payload.c b/src/libcharon/encoding/payloads/cp_payload.c
index f6f373f..ef9df84 100644
--- a/src/libcharon/encoding/payloads/cp_payload.c
+++ b/src/libcharon/encoding/payloads/cp_payload.c
@@ -82,7 +82,7 @@ struct private_cp_payload_t {
 	u_int8_t cfg_type;
 
 	/**
-	 * CONFIGURATION or CONFIGURATION_V1
+	 * PLV2_CONFIGURATION or PLV1_CONFIGURATION
 	 */
 	payload_type_t type;
 };
@@ -111,7 +111,7 @@ static encoding_rule_t encodings_v2[] = {
 	{ RESERVED_BYTE,	offsetof(private_cp_payload_t, reserved_byte[1])},
 	{ RESERVED_BYTE,	offsetof(private_cp_payload_t, reserved_byte[2])},
 	/* list of configuration attributes in a list */
-	{ PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE,
+	{ PAYLOAD_LIST + PLV2_CONFIGURATION_ATTRIBUTE,
 						offsetof(private_cp_payload_t, attributes)		},
 };
 
@@ -152,7 +152,7 @@ static encoding_rule_t encodings_v1[] = {
 	{ RESERVED_BYTE,	offsetof(private_cp_payload_t, reserved_byte[0])},
 	{ U_INT_16,			offsetof(private_cp_payload_t, identifier)},
 	/* list of configuration attributes in a list */
-	{ PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE_V1,
+	{ PAYLOAD_LIST + PLV1_CONFIGURATION_ATTRIBUTE,
 						offsetof(private_cp_payload_t, attributes)		},
 };
 
@@ -193,7 +193,7 @@ METHOD(payload_t, verify, status_t,
 METHOD(payload_t, get_encoding_rules, int,
 	private_cp_payload_t *this, encoding_rule_t **rules)
 {
-	if (this->type == CONFIGURATION)
+	if (this->type == PLV2_CONFIGURATION)
 	{
 		*rules = encodings_v2;
 		return countof(encodings_v2);
@@ -314,7 +314,7 @@ cp_payload_t *cp_payload_create_type(payload_type_t type, config_type_t cfg_type
 			.set_identifier = _set_identifier,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payload_length = get_header_length(this),
 		.attributes = linked_list_create(),
 		.cfg_type = cfg_type,
diff --git a/src/libcharon/encoding/payloads/cp_payload.h b/src/libcharon/encoding/payloads/cp_payload.h
index c23bc0b..d466989 100644
--- a/src/libcharon/encoding/payloads/cp_payload.h
+++ b/src/libcharon/encoding/payloads/cp_payload.h
@@ -100,7 +100,7 @@ struct cp_payload_t {
 /**
  * Creates an empty configuration payload
  *
- * @param type		payload type, CONFIGURATION or CONFIGURATION_V1
+ * @param type		payload type, PLV2_CONFIGURATION or PLV1_CONFIGURATION
  * @return			empty configuration payload
  */
 cp_payload_t *cp_payload_create(payload_type_t type);
@@ -108,7 +108,7 @@ cp_payload_t *cp_payload_create(payload_type_t type);
 /**
  * Creates an cp_payload_t with type and value
  *
- * @param type		payload type, CONFIGURATION or CONFIGURATION_V1
+ * @param type		payload type, PLV2_CONFIGURATION or PLV1_CONFIGURATION
  * @param cfg_type	type of configuration payload to create
  * @return			created configuration payload
  */
diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c
index 007411f..c2ab3b9 100644
--- a/src/libcharon/encoding/payloads/delete_payload.c
+++ b/src/libcharon/encoding/payloads/delete_payload.c
@@ -78,7 +78,7 @@ struct private_delete_payload_t {
 	chunk_t spis;
 
 	/**
-	 * Payload type, DELETE or DELETE_V1
+	 * Payload type, PLV2_DELETE or PLV1_DELETE
 	 */
 	payload_type_t type;
 };
@@ -178,7 +178,7 @@ METHOD(payload_t, verify, status_t,
 			break;
 		case PROTO_IKE:
 		case 0:
-			if (this->type == DELETE)
+			if (this->type == PLV2_DELETE)
 			{	/* IKEv2 deletion has no spi assigned! */
 				if (this->spi_size != 0)
 				{
@@ -206,7 +206,7 @@ METHOD(payload_t, verify, status_t,
 METHOD(payload_t, get_encoding_rules, int,
 	private_delete_payload_t *this, encoding_rule_t **rules)
 {
-	if (this->type == DELETE)
+	if (this->type == PLV2_DELETE)
 	{
 		*rules = encodings_v2;
 		return countof(encodings_v2);
@@ -218,7 +218,7 @@ METHOD(payload_t, get_encoding_rules, int,
 METHOD(payload_t, get_header_length, int,
 	private_delete_payload_t *this)
 {
-	if (this->type == DELETE)
+	if (this->type == PLV2_DELETE)
 	{
 		return 8;
 	}
@@ -355,7 +355,7 @@ delete_payload_t *delete_payload_create(payload_type_t type,
 			.create_spi_enumerator = _create_spi_enumerator,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.protocol_id = protocol_id,
 		.doi = IKEV1_DOI_IPSEC,
 		.type = type,
@@ -364,7 +364,7 @@ delete_payload_t *delete_payload_create(payload_type_t type,
 
 	if (protocol_id == PROTO_IKE)
 	{
-		if (type == DELETE_V1)
+		if (type == PLV1_DELETE)
 		{
 			this->spi_size = 16;
 		}
diff --git a/src/libcharon/encoding/payloads/delete_payload.h b/src/libcharon/encoding/payloads/delete_payload.h
index afce1ec..46a89ea 100644
--- a/src/libcharon/encoding/payloads/delete_payload.h
+++ b/src/libcharon/encoding/payloads/delete_payload.h
@@ -76,7 +76,7 @@ struct delete_payload_t {
 /**
  * Creates an empty delete_payload_t object.
  *
- * @param type			DELETE or DELETE_V1
+ * @param type			PLV2_DELETE or PLV1_DELETE
  * @param protocol_id	protocol, such as AH|ESP
  * @return 				delete_payload_t object
  */
diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c
index f2f35aa..ebdf8a3 100644
--- a/src/libcharon/encoding/payloads/eap_payload.c
+++ b/src/libcharon/encoding/payloads/eap_payload.c
@@ -162,7 +162,7 @@ METHOD(payload_t, get_header_length, int,
 METHOD(payload_t, get_payload_type, payload_type_t,
 	private_eap_payload_t *this)
 {
-	return EXTENSIBLE_AUTHENTICATION;
+	return PLV2_EAP;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -341,7 +341,7 @@ eap_payload_t *eap_payload_create()
 			.is_expanded = _is_expanded,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payload_length = get_header_length(this),
 	);
 	return &this->public;
diff --git a/src/libcharon/encoding/payloads/encryption_payload.c b/src/libcharon/encoding/payloads/encryption_payload.c
index 6a9f9c3..5784562 100644
--- a/src/libcharon/encoding/payloads/encryption_payload.c
+++ b/src/libcharon/encoding/payloads/encryption_payload.c
@@ -74,7 +74,7 @@ struct private_encryption_payload_t {
 	linked_list_t *payloads;
 
 	/**
-	 * Type of payload, ENCRYPTED or ENCRYPTED_V1
+	 * Type of payload, PLV2_ENCRYPTED or PLV1_ENCRYPTED
 	 */
 	payload_type_t type;
 };
@@ -145,7 +145,7 @@ METHOD(payload_t, verify, status_t,
 METHOD(payload_t, get_encoding_rules, int,
 	private_encryption_payload_t *this, encoding_rule_t **rules)
 {
-	if (this->type == ENCRYPTED)
+	if (this->type == PLV2_ENCRYPTED)
 	{
 		*rules = encodings_v2;
 		return countof(encodings_v2);
@@ -157,7 +157,7 @@ METHOD(payload_t, get_encoding_rules, int,
 METHOD(payload_t, get_header_length, int,
 	private_encryption_payload_t *this)
 {
-	if (this->type == ENCRYPTED)
+	if (this->type == PLV2_ENCRYPTED)
 	{
 		return 4;
 	}
@@ -241,7 +241,7 @@ METHOD(encryption_payload_t, add_payload, void,
 	{
 		this->next_payload = payload->get_type(payload);
 	}
-	payload->set_next_type(payload, NO_PAYLOAD);
+	payload->set_next_type(payload, PL_NONE);
 	this->payloads->insert_last(this->payloads, payload);
 	compute_length(this);
 }
@@ -281,7 +281,7 @@ static chunk_t generate(private_encryption_payload_t *this,
 			generator->generate_payload(generator, current);
 			current = next;
 		}
-		current->set_next_type(current, NO_PAYLOAD);
+		current->set_next_type(current, PL_NONE);
 		generator->generate_payload(generator, current);
 
 		chunk = generator->get_chunk(generator, &lenpos);
@@ -447,7 +447,7 @@ static status_t parse(private_encryption_payload_t *this, chunk_t plain)
 
 	parser = parser_create(plain);
 	type = this->next_payload;
-	while (type != NO_PAYLOAD)
+	while (type != PL_NONE)
 	{
 		payload_t *payload;
 
@@ -618,13 +618,13 @@ encryption_payload_t *encryption_payload_create(payload_type_t type)
 			.decrypt = _decrypt,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payloads = linked_list_create(),
 		.type = type,
 	);
 	this->payload_length = get_header_length(this);
 
-	if (type == ENCRYPTED_V1)
+	if (type == PLV1_ENCRYPTED)
 	{
 		this->public.encrypt = _encrypt_v1;
 		this->public.decrypt = _decrypt_v1;
diff --git a/src/libcharon/encoding/payloads/encryption_payload.h b/src/libcharon/encoding/payloads/encryption_payload.h
index f4fc7d6..ee44c2d 100644
--- a/src/libcharon/encoding/payloads/encryption_payload.h
+++ b/src/libcharon/encoding/payloads/encryption_payload.h
@@ -103,7 +103,7 @@ struct encryption_payload_t {
 /**
  * Creates an empty encryption_payload_t object.
  *
- * @param type		ENCRYPTED or ENCRYPTED_V1
+ * @param type		PLV2_ENCRYPTED or PLV1_ENCRYPTED
  * @return			encryption_payload_t object
  */
 encryption_payload_t *encryption_payload_create(payload_type_t type);
diff --git a/src/libcharon/encoding/payloads/endpoint_notify.c b/src/libcharon/encoding/payloads/endpoint_notify.c
index 25fb42a..ebe5f32 100644
--- a/src/libcharon/encoding/payloads/endpoint_notify.c
+++ b/src/libcharon/encoding/payloads/endpoint_notify.c
@@ -227,7 +227,7 @@ METHOD(endpoint_notify_t, build_notify, notify_payload_t*,
 	chunk_t data;
 	notify_payload_t *notify;
 
-	notify = notify_payload_create(NOTIFY);
+	notify = notify_payload_create(PLV2_NOTIFY);
 	notify->set_notify_type(notify, ME_ENDPOINT);
 	data = build_notification_data(this);
 	notify->set_notification_data(notify, data);
diff --git a/src/libcharon/encoding/payloads/fragment_payload.c b/src/libcharon/encoding/payloads/fragment_payload.c
index 1a6b323..b861fcc 100644
--- a/src/libcharon/encoding/payloads/fragment_payload.c
+++ b/src/libcharon/encoding/payloads/fragment_payload.c
@@ -124,7 +124,7 @@ METHOD(payload_t, get_header_length, int,
 METHOD(payload_t, get_type, payload_type_t,
 	private_fragment_payload_t *this)
 {
-	return FRAGMENT_V1;
+	return PLV1_FRAGMENT;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -201,7 +201,7 @@ fragment_payload_t *fragment_payload_create()
 			.get_data = _get_data,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 	);
 	this->payload_length = get_header_length(this);
 	return &this->public;
diff --git a/src/libcharon/encoding/payloads/hash_payload.c b/src/libcharon/encoding/payloads/hash_payload.c
index 0cf63ba..a12b018 100644
--- a/src/libcharon/encoding/payloads/hash_payload.c
+++ b/src/libcharon/encoding/payloads/hash_payload.c
@@ -52,7 +52,7 @@ struct private_hash_payload_t {
 	chunk_t hash;
 
 	/**
-	 * either HASH_V1 or NAT_D_V1
+	 * either PLV1_HASH or PLV1_NAT_D
 	 */
 	payload_type_t type;
 };
@@ -169,7 +169,7 @@ hash_payload_t *hash_payload_create(payload_type_t type)
 			.get_hash = _get_hash,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payload_length = get_header_length(this),
 		.type = type,
 	);
diff --git a/src/libcharon/encoding/payloads/hash_payload.h b/src/libcharon/encoding/payloads/hash_payload.h
index cfe2846..604de48 100644
--- a/src/libcharon/encoding/payloads/hash_payload.h
+++ b/src/libcharon/encoding/payloads/hash_payload.h
@@ -59,7 +59,7 @@ struct hash_payload_t {
 /**
  * Creates an empty hash_payload_t object.
  *
- * @param type		either HASH_V1 or NAT_D_V1
+ * @param type		either PLV1_HASH or PLV1_NAT_D
  * @return			hash_payload_t object
  */
 hash_payload_t *hash_payload_create(payload_type_t type);
diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
index 7470bb3..a002a8f 100644
--- a/src/libcharon/encoding/payloads/id_payload.c
+++ b/src/libcharon/encoding/payloads/id_payload.c
@@ -81,7 +81,7 @@ struct private_id_payload_t {
 	u_int16_t port;
 
 	/**
-	 * one of ID_INITIATOR, ID_RESPONDER, IDv1 and NAT_OA_V1
+	 * one of PLV2_ID_INITIATOR, PLV2_ID_RESPONDER, IDv1 and PLV1_NAT_OA
 	 */
 	payload_type_t type;
 };
@@ -165,7 +165,7 @@ METHOD(payload_t, verify, status_t,
 {
 	bool bad_length = FALSE;
 
-	if ((this->type == NAT_OA_V1 || this->type == NAT_OA_DRAFT_00_03_V1) &&
+	if ((this->type == PLV1_NAT_OA || this->type == PLV1_NAT_OA_DRAFT_00_03) &&
 		this->id_type != ID_IPV4_ADDR && this->id_type != ID_IPV6_ADDR)
 	{
 		DBG1(DBG_ENC, "invalid ID type %N for %N payload", id_type_names,
@@ -195,8 +195,8 @@ METHOD(payload_t, verify, status_t,
 METHOD(payload_t, get_encoding_rules, int,
 	private_id_payload_t *this, encoding_rule_t **rules)
 {
-	if (this->type == ID_V1 ||
-		this->type == NAT_OA_V1 || this->type == NAT_OA_DRAFT_00_03_V1)
+	if (this->type == PLV1_ID ||
+		this->type == PLV1_NAT_OA || this->type == PLV1_NAT_OA_DRAFT_00_03)
 	{
 		*rules = encodings_v1;
 		return countof(encodings_v1);
@@ -368,7 +368,7 @@ id_payload_t *id_payload_create(payload_type_t type)
 			.get_ts = _get_ts,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payload_length = get_header_length(this),
 		.type = type,
 	);
@@ -400,7 +400,7 @@ id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
 	u_int8_t mask;
 	host_t *net;
 
-	this = (private_id_payload_t*)id_payload_create(ID_V1);
+	this = (private_id_payload_t*)id_payload_create(PLV1_ID);
 
 	if (ts->is_host(ts, NULL))
 	{
diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
index 9a62494..df1d075 100644
--- a/src/libcharon/encoding/payloads/id_payload.h
+++ b/src/libcharon/encoding/payloads/id_payload.h
@@ -70,7 +70,7 @@ struct id_payload_t {
 /**
  * Creates an empty id_payload_t object.
  *
- * @param type		one of ID_INITIATOR, ID_RESPONDER, ID_V1 and NAT_OA_V1
+ * @param type		one of PLV2_ID_INITIATOR, PLV2_ID_RESPONDER, PLV1_ID and PLV1_NAT_OA
  * @return			id_payload_t object
  */
 id_payload_t *id_payload_create(payload_type_t type);
@@ -78,7 +78,7 @@ id_payload_t *id_payload_create(payload_type_t type);
 /**
  * Creates an id_payload_t from an existing identification_t object.
  *
- * @param type		one of ID_INITIATOR, ID_RESPONDER, ID_V1 and NAT_OA_V1
+ * @param type		one of PLV2_ID_INITIATOR, PLV2_ID_RESPONDER, PLV1_ID and PLV1_NAT_OA
  * @param id		identification_t object
  * @return			id_payload_t object
  */
@@ -89,7 +89,7 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
  * Create an IKEv1 ID_ADDR_SUBNET/RANGE identity from a traffic selector.
  *
  * @param ts		traffic selector
- * @return			ID_V1 id_paylad_t object.
+ * @return			PLV1_ID id_paylad_t object.
  */
 id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts);
 
diff --git a/src/libcharon/encoding/payloads/ike_header.c b/src/libcharon/encoding/payloads/ike_header.c
index 58b6241..7015667 100644
--- a/src/libcharon/encoding/payloads/ike_header.c
+++ b/src/libcharon/encoding/payloads/ike_header.c
@@ -262,7 +262,7 @@ METHOD(payload_t, get_header_length, int,
 METHOD(payload_t, get_type, payload_type_t,
 	private_ike_header_t *this)
 {
-	return HEADER;
+	return PL_HEADER;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
diff --git a/src/libcharon/encoding/payloads/ke_payload.c b/src/libcharon/encoding/payloads/ke_payload.c
index 438ea46..4f552d6 100644
--- a/src/libcharon/encoding/payloads/ke_payload.c
+++ b/src/libcharon/encoding/payloads/ke_payload.c
@@ -69,7 +69,7 @@ struct private_ke_payload_t {
 	chunk_t key_exchange_data;
 
 	/**
-	 * Payload type, KEY_EXCHANGE or KEY_EXCHANGE_V1
+	 * Payload type, PLV2_KEY_EXCHANGE or PLV1_KEY_EXCHANGE
 	 */
 	payload_type_t type;
 };
@@ -148,7 +148,7 @@ METHOD(payload_t, verify, status_t,
 METHOD(payload_t, get_encoding_rules, int,
 	private_ke_payload_t *this, encoding_rule_t **rules)
 {
-	if (this->type == KEY_EXCHANGE)
+	if (this->type == PLV2_KEY_EXCHANGE)
 	{
 		*rules = encodings_v2;
 		return countof(encodings_v2);
@@ -160,7 +160,7 @@ METHOD(payload_t, get_encoding_rules, int,
 METHOD(payload_t, get_header_length, int,
 	private_ke_payload_t *this)
 {
-	if (this->type == KEY_EXCHANGE)
+	if (this->type == PLV2_KEY_EXCHANGE)
 	{
 		return 8;
 	}
@@ -233,7 +233,7 @@ ke_payload_t *ke_payload_create(payload_type_t type)
 			.get_dh_group_number = _get_dh_group_number,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.dh_group_number = MODP_NONE,
 		.type = type,
 	);
diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h
index d3aa184..dfc6308 100644
--- a/src/libcharon/encoding/payloads/ke_payload.h
+++ b/src/libcharon/encoding/payloads/ke_payload.h
@@ -63,7 +63,7 @@ struct ke_payload_t {
 /**
  * Creates an empty ke_payload_t object.
  *
- * @param type		KEY_EXCHANGE or KEY_EXCHANGE_V1
+ * @param type		PLV2_KEY_EXCHANGE or PLV1_KEY_EXCHANGE
  * @return			ke_payload_t object
  */
 ke_payload_t *ke_payload_create(payload_type_t type);
@@ -71,7 +71,7 @@ ke_payload_t *ke_payload_create(payload_type_t type);
 /**
  * Creates a ke_payload_t from a diffie_hellman_t.
  *
- * @param type		KEY_EXCHANGE or KEY_EXCHANGE_V1
+ * @param type		PLV2_KEY_EXCHANGE or PLV1_KEY_EXCHANGE
  * @param dh		diffie hellman object containing group and key
  * @return 			ke_payload_t object
  */
diff --git a/src/libcharon/encoding/payloads/nonce_payload.c b/src/libcharon/encoding/payloads/nonce_payload.c
index 3c5eeb5..b0d1c60 100644
--- a/src/libcharon/encoding/payloads/nonce_payload.c
+++ b/src/libcharon/encoding/payloads/nonce_payload.c
@@ -60,7 +60,7 @@ struct private_nonce_payload_t {
 	chunk_t nonce;
 
 	/**
-	 * Payload type, NONCE or NONCE_V1
+	 * Payload type, PLV2_NONCE or PLV1_NONCE
 	 */
 	payload_type_t type;
 };
@@ -110,12 +110,12 @@ METHOD(payload_t, verify, status_t,
 	{
 		bad_length = TRUE;
 	}
-	if (this->type == NONCE &&
+	if (this->type == PLV2_NONCE &&
 		this->nonce.len < 16)
 	{
 		bad_length = TRUE;
 	}
-	if (this->type == NONCE_V1 &&
+	if (this->type == PLV1_NONCE &&
 		this->nonce.len < 8)
 	{
 		bad_length = TRUE;
@@ -209,7 +209,7 @@ nonce_payload_t *nonce_payload_create(payload_type_t type)
 			.get_nonce = _get_nonce,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payload_length = get_header_length(this),
 		.type = type,
 	);
diff --git a/src/libcharon/encoding/payloads/nonce_payload.h b/src/libcharon/encoding/payloads/nonce_payload.h
index 5c47f5f..ee8ad17 100644
--- a/src/libcharon/encoding/payloads/nonce_payload.h
+++ b/src/libcharon/encoding/payloads/nonce_payload.h
@@ -64,7 +64,7 @@ struct nonce_payload_t {
 /**
  * Creates an empty nonce_payload_t object
  *
- * @param type		NONCE or NONCE_V1
+ * @param type		PLV2_NONCE or PLV1_NONCE
  * @return			nonce_payload_t object
  */
 nonce_payload_t *nonce_payload_create(payload_type_t type);
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index 889ad63..dd92e42 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -302,7 +302,7 @@ struct private_notify_payload_t {
 	chunk_t notify_data;
 
 	/**
-	 * Type of payload, NOTIFY or NOTIFY_V1
+	 * Type of payload, PLV2_NOTIFY or PLV1_NOTIFY
 	 */
 	payload_type_t type;
 };
@@ -427,7 +427,7 @@ METHOD(payload_t, verify, status_t,
 	{
 		case INVALID_KE_PAYLOAD:
 		{
-			if (this->type == NOTIFY && this->notify_data.len != 2)
+			if (this->type == PLV2_NOTIFY && this->notify_data.len != 2)
 			{
 				bad_length = TRUE;
 			}
@@ -447,7 +447,7 @@ METHOD(payload_t, verify, status_t,
 		case INVALID_MAJOR_VERSION:
 		case NO_PROPOSAL_CHOSEN:
 		{
-			if (this->type == NOTIFY && this->notify_data.len != 0)
+			if (this->type == PLV2_NOTIFY && this->notify_data.len != 0)
 			{
 				bad_length = TRUE;
 			}
@@ -531,7 +531,7 @@ METHOD(payload_t, verify, status_t,
 METHOD(payload_t, get_encoding_rules, int,
 	private_notify_payload_t *this, encoding_rule_t **rules)
 {
-	if (this->type == NOTIFY)
+	if (this->type == PLV2_NOTIFY)
 	{
 		*rules = encodings_v2;
 		return countof(encodings_v2);
@@ -543,7 +543,7 @@ METHOD(payload_t, get_encoding_rules, int,
 METHOD(payload_t, get_header_length, int,
 	private_notify_payload_t *this)
 {
-	if (this->type == NOTIFY)
+	if (this->type == PLV2_NOTIFY)
 	{
 		return 8 + this->spi_size;
 	}
@@ -726,7 +726,7 @@ notify_payload_t *notify_payload_create(payload_type_t type)
 			.destroy = _destroy,
 		},
 		.doi = IKEV1_DOI_IPSEC,
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.type = type,
 	);
 	compute_length(this);
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index c67644a..3c56f06 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -281,7 +281,7 @@ struct notify_payload_t {
 /**
  * Creates an empty notify_payload_t object
  *
- * @param type		payload type, NOTIFY or NOTIFY_V1
+ * @param type		payload type, PLV2_NOTIFY or PLV1_NOTIFY
  * @return			created notify_payload_t object
  */
 notify_payload_t *notify_payload_create(payload_type_t type);
@@ -289,7 +289,7 @@ notify_payload_t *notify_payload_create(payload_type_t type);
 /**
  * Creates an notify_payload_t object of specific type for specific protocol id.
  *
- * @param type					payload type, NOTIFY or NOTIFY_V1
+ * @param type					payload type, PLV2_NOTIFY or PLV1_NOTIFY
  * @param protocol				protocol id (IKE, AH or ESP)
  * @param notify				type of notify
  * @return						notify_payload_t object
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
index f9dd33e..fd61662 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -39,16 +39,16 @@
 #include <encoding/payloads/fragment_payload.h>
 #include <encoding/payloads/unknown_payload.h>
 
-ENUM_BEGIN(payload_type_names, NO_PAYLOAD, NO_PAYLOAD,
-	"NO_PAYLOAD");
-ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION_V1, CONFIGURATION_V1, NO_PAYLOAD,
+ENUM_BEGIN(payload_type_names, PL_NONE, PL_NONE,
+	"PL_NONE");
+ENUM_NEXT(payload_type_names, PLV1_SECURITY_ASSOCIATION, PLV1_CONFIGURATION, PL_NONE,
 	"SECURITY_ASSOCIATION_V1",
 	"PROPOSAL_V1",
 	"TRANSFORM_V1",
 	"KEY_EXCHANGE_V1",
 	"ID_V1",
 	"CERTIFICATE_V1",
-	"CERTIFICATE_REQUEST_V1",
+	"CERTREQ_V1",
 	"HASH_V1",
 	"SIGNATURE_V1",
 	"NONCE_V1",
@@ -56,41 +56,41 @@ ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION_V1, CONFIGURATION_V1, NO_PAYL
 	"DELETE_V1",
 	"VENDOR_ID_V1",
 	"CONFIGURATION_V1");
-ENUM_NEXT(payload_type_names, NAT_D_V1, NAT_OA_V1, CONFIGURATION_V1,
+ENUM_NEXT(payload_type_names, PLV1_NAT_D, PLV1_NAT_OA, PLV1_CONFIGURATION,
 	"NAT_D_V1",
 	"NAT_OA_V1");
-ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, GENERIC_SECURE_PASSWORD_METHOD, NAT_OA_V1,
+ENUM_NEXT(payload_type_names, PLV2_SECURITY_ASSOCIATION, PLV2_GSPM, PLV1_NAT_OA,
 	"SECURITY_ASSOCIATION",
 	"KEY_EXCHANGE",
 	"ID_INITIATOR",
 	"ID_RESPONDER",
 	"CERTIFICATE",
-	"CERTIFICATE_REQUEST",
-	"AUTHENTICATION",
+	"CERTREQ",
+	"AUTH",
 	"NONCE",
 	"NOTIFY",
 	"DELETE",
 	"VENDOR_ID",
-	"TRAFFIC_SELECTOR_INITIATOR",
-	"TRAFFIC_SELECTOR_RESPONDER",
+	"TS_INITIATOR",
+	"TS_RESPONDER",
 	"ENCRYPTED",
 	"CONFIGURATION",
-	"EXTENSIBLE_AUTHENTICATION",
-	"GENERIC_SECURE_PASSWORD_METHOD");
+	"EAP",
+	"GSPM");
 #ifdef ME
-ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_names, PLV2_ID_PEER, PLV2_ID_PEER, PLV2_GSPM,
 	"ID_PEER");
-ENUM_NEXT(payload_type_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, ID_PEER,
+ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_ID_PEER,
 	"NAT_D_DRAFT_V1",
 	"NAT_OA_DRAFT_V1",
 	"FRAGMENT");
 #else
-ENUM_NEXT(payload_type_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_GSPM,
 	"NAT_D_DRAFT_V1",
 	"NAT_OA_DRAFT_V1",
 	"FRAGMENT");
 #endif /* ME */
-ENUM_NEXT(payload_type_names, HEADER, ENCRYPTED_V1, FRAGMENT_V1,
+ENUM_NEXT(payload_type_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
 	"HEADER",
 	"PROPOSAL_SUBSTRUCTURE",
 	"PROPOSAL_SUBSTRUCTURE_V1",
@@ -102,12 +102,12 @@ ENUM_NEXT(payload_type_names, HEADER, ENCRYPTED_V1, FRAGMENT_V1,
 	"CONFIGURATION_ATTRIBUTE",
 	"CONFIGURATION_ATTRIBUTE_V1",
 	"ENCRYPTED_V1");
-ENUM_END(payload_type_names, ENCRYPTED_V1);
+ENUM_END(payload_type_names, PLV1_ENCRYPTED);
 
 /* short forms of payload names */
-ENUM_BEGIN(payload_type_short_names, NO_PAYLOAD, NO_PAYLOAD,
+ENUM_BEGIN(payload_type_short_names, PL_NONE, PL_NONE,
 	"--");
-ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION_V1, CONFIGURATION_V1, NO_PAYLOAD,
+ENUM_NEXT(payload_type_short_names, PLV1_SECURITY_ASSOCIATION, PLV1_CONFIGURATION, PL_NONE,
 	"SA",
 	"PROP",
 	"TRANS",
@@ -122,10 +122,10 @@ ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION_V1, CONFIGURATION_V1, N
 	"D",
 	"V",
 	"CP");
-ENUM_NEXT(payload_type_short_names, NAT_D_V1, NAT_OA_V1, CONFIGURATION_V1,
+ENUM_NEXT(payload_type_short_names, PLV1_NAT_D, PLV1_NAT_OA, PLV1_CONFIGURATION,
 	"NAT-D",
 	"NAT-OA");
-ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, GENERIC_SECURE_PASSWORD_METHOD, NAT_OA_V1,
+ENUM_NEXT(payload_type_short_names, PLV2_SECURITY_ASSOCIATION, PLV2_GSPM, PLV1_NAT_OA,
 	"SA",
 	"KE",
 	"IDi",
@@ -144,19 +144,19 @@ ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, GENERIC_SECURE_PASSWOR
 	"EAP",
 	"GSPM");
 #ifdef ME
-ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_short_names, PLV2_ID_PEER, PLV2_ID_PEER, PLV2_GSPM,
 	"IDp");
-ENUM_NEXT(payload_type_short_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, ID_PEER,
+ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_ID_PEER,
 	"NAT-D",
 	"NAT-OA",
 	"FRAG");
 #else
-ENUM_NEXT(payload_type_short_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_GSPM,
 	"NAT-D",
 	"NAT-OA",
 	"FRAG");
 #endif /* ME */
-ENUM_NEXT(payload_type_short_names, HEADER, ENCRYPTED_V1, FRAGMENT_V1,
+ENUM_NEXT(payload_type_short_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
 	"HDR",
 	"PROP",
 	"PROP",
@@ -168,7 +168,7 @@ ENUM_NEXT(payload_type_short_names, HEADER, ENCRYPTED_V1, FRAGMENT_V1,
 	"CATTR",
 	"CATTR",
 	"E");
-ENUM_END(payload_type_short_names, ENCRYPTED_V1);
+ENUM_END(payload_type_short_names, PLV1_ENCRYPTED);
 
 /*
  * see header
@@ -177,75 +177,75 @@ payload_t *payload_create(payload_type_t type)
 {
 	switch (type)
 	{
-		case HEADER:
+		case PL_HEADER:
 			return (payload_t*)ike_header_create();
-		case SECURITY_ASSOCIATION:
-		case SECURITY_ASSOCIATION_V1:
+		case PLV2_SECURITY_ASSOCIATION:
+		case PLV1_SECURITY_ASSOCIATION:
 			return (payload_t*)sa_payload_create(type);
-		case PROPOSAL_SUBSTRUCTURE:
-		case PROPOSAL_SUBSTRUCTURE_V1:
+		case PLV2_PROPOSAL_SUBSTRUCTURE:
+		case PLV1_PROPOSAL_SUBSTRUCTURE:
 			return (payload_t*)proposal_substructure_create(type);
-		case TRANSFORM_SUBSTRUCTURE:
-		case TRANSFORM_SUBSTRUCTURE_V1:
+		case PLV2_TRANSFORM_SUBSTRUCTURE:
+		case PLV1_TRANSFORM_SUBSTRUCTURE:
 			return (payload_t*)transform_substructure_create(type);
-		case TRANSFORM_ATTRIBUTE:
-		case TRANSFORM_ATTRIBUTE_V1:
+		case PLV2_TRANSFORM_ATTRIBUTE:
+		case PLV1_TRANSFORM_ATTRIBUTE:
 			return (payload_t*)transform_attribute_create(type);
-		case NONCE:
-		case NONCE_V1:
+		case PLV2_NONCE:
+		case PLV1_NONCE:
 			return (payload_t*)nonce_payload_create(type);
-		case ID_INITIATOR:
-		case ID_RESPONDER:
-		case ID_V1:
-		case NAT_OA_V1:
-		case NAT_OA_DRAFT_00_03_V1:
+		case PLV2_ID_INITIATOR:
+		case PLV2_ID_RESPONDER:
+		case PLV1_ID:
+		case PLV1_NAT_OA:
+		case PLV1_NAT_OA_DRAFT_00_03:
 #ifdef ME
-		case ID_PEER:
+		case PLV2_ID_PEER:
 #endif /* ME */
 			return (payload_t*)id_payload_create(type);
-		case AUTHENTICATION:
+		case PLV2_AUTH:
 			return (payload_t*)auth_payload_create();
-		case CERTIFICATE:
-		case CERTIFICATE_V1:
+		case PLV2_CERTIFICATE:
+		case PLV1_CERTIFICATE:
 			return (payload_t*)cert_payload_create(type);
-		case CERTIFICATE_REQUEST:
-		case CERTIFICATE_REQUEST_V1:
+		case PLV2_CERTREQ:
+		case PLV1_CERTREQ:
 			return (payload_t*)certreq_payload_create(type);
-		case TRAFFIC_SELECTOR_SUBSTRUCTURE:
+		case PLV2_TRAFFIC_SELECTOR_SUBSTRUCTURE:
 			return (payload_t*)traffic_selector_substructure_create();
-		case TRAFFIC_SELECTOR_INITIATOR:
+		case PLV2_TS_INITIATOR:
 			return (payload_t*)ts_payload_create(TRUE);
-		case TRAFFIC_SELECTOR_RESPONDER:
+		case PLV2_TS_RESPONDER:
 			return (payload_t*)ts_payload_create(FALSE);
-		case KEY_EXCHANGE:
-		case KEY_EXCHANGE_V1:
+		case PLV2_KEY_EXCHANGE:
+		case PLV1_KEY_EXCHANGE:
 			return (payload_t*)ke_payload_create(type);
-		case NOTIFY:
-		case NOTIFY_V1:
+		case PLV2_NOTIFY:
+		case PLV1_NOTIFY:
 			return (payload_t*)notify_payload_create(type);
-		case DELETE:
-		case DELETE_V1:
+		case PLV2_DELETE:
+		case PLV1_DELETE:
 			return (payload_t*)delete_payload_create(type, 0);
-		case VENDOR_ID:
-		case VENDOR_ID_V1:
+		case PLV2_VENDOR_ID:
+		case PLV1_VENDOR_ID:
 			return (payload_t*)vendor_id_payload_create(type);
-		case HASH_V1:
-		case SIGNATURE_V1:
-		case NAT_D_V1:
-		case NAT_D_DRAFT_00_03_V1:
+		case PLV1_HASH:
+		case PLV1_SIGNATURE:
+		case PLV1_NAT_D:
+		case PLV1_NAT_D_DRAFT_00_03:
 			return (payload_t*)hash_payload_create(type);
-		case CONFIGURATION:
-		case CONFIGURATION_V1:
+		case PLV2_CONFIGURATION:
+		case PLV1_CONFIGURATION:
 			return (payload_t*)cp_payload_create(type);
-		case CONFIGURATION_ATTRIBUTE:
-		case CONFIGURATION_ATTRIBUTE_V1:
+		case PLV2_CONFIGURATION_ATTRIBUTE:
+		case PLV1_CONFIGURATION_ATTRIBUTE:
 			return (payload_t*)configuration_attribute_create(type);
-		case EXTENSIBLE_AUTHENTICATION:
+		case PLV2_EAP:
 			return (payload_t*)eap_payload_create();
-		case ENCRYPTED:
-		case ENCRYPTED_V1:
+		case PLV2_ENCRYPTED:
+		case PLV1_ENCRYPTED:
 			return (payload_t*)encryption_payload_create(type);
-		case FRAGMENT_V1:
+		case PLV1_FRAGMENT:
 			return (payload_t*)fragment_payload_create();
 		default:
 			return (payload_t*)unknown_payload_create(type);
@@ -257,29 +257,29 @@ payload_t *payload_create(payload_type_t type)
  */
 bool payload_is_known(payload_type_t type)
 {
-	if (type == HEADER)
+	if (type == PL_HEADER)
 	{
 		return TRUE;
 	}
-	if (type >= SECURITY_ASSOCIATION && type <= EXTENSIBLE_AUTHENTICATION)
+	if (type >= PLV2_SECURITY_ASSOCIATION && type <= PLV2_EAP)
 	{
 		return TRUE;
 	}
-	if (type >= SECURITY_ASSOCIATION_V1 && type <= CONFIGURATION_V1)
+	if (type >= PLV1_SECURITY_ASSOCIATION && type <= PLV1_CONFIGURATION)
 	{
 		return TRUE;
 	}
-	if (type >= NAT_D_V1 && type <= NAT_OA_V1)
+	if (type >= PLV1_NAT_D && type <= PLV1_NAT_OA)
 	{
 		return TRUE;
 	}
 #ifdef ME
-	if (type == ID_PEER)
+	if (type == PLV2_ID_PEER)
 	{
 		return TRUE;
 	}
 #endif
-	if (type >= NAT_D_DRAFT_00_03_V1 && type <= FRAGMENT_V1)
+	if (type >= PLV1_NAT_D_DRAFT_00_03 && type <= PLV1_FRAGMENT)
 	{
 		return TRUE;
 	}
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
index 0e8a926..d9dd619 100644
--- a/src/libcharon/encoding/payloads/payload.h
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -45,195 +45,195 @@ enum payload_type_t {
 	/**
 	 * End of payload list in next_payload
 	 */
-	NO_PAYLOAD = 0,
+	PL_NONE = 0,
 
 	/**
 	 * The security association (SA) payload containing proposals.
 	 */
-	SECURITY_ASSOCIATION_V1 = 1,
+	PLV1_SECURITY_ASSOCIATION = 1,
 
 	/**
 	 * The proposal payload, containing transforms.
 	 */
-	PROPOSAL_V1 = 2,
+	PLV1_PROPOSAL = 2,
 
 	/**
 	 * The transform payload.
 	 */
-	TRANSFORM_V1 = 3,
+	PLV1_TRANSFORM = 3,
 
 	/**
 	 * The key exchange (KE) payload containing diffie-hellman values.
 	 */
-	KEY_EXCHANGE_V1 = 4,
+	PLV1_KEY_EXCHANGE = 4,
 
 	/**
 	 * ID payload.
 	 */
-	ID_V1 = 5,
+	PLV1_ID = 5,
 
 	/**
 	 * Certificate payload with certificates (CERT).
 	 */
-	CERTIFICATE_V1 = 6,
+	PLV1_CERTIFICATE = 6,
 
 	/**
 	 * Certificate request payload.
 	 */
-	CERTIFICATE_REQUEST_V1 = 7,
+	PLV1_CERTREQ = 7,
 
 	/**
 	 * Hash payload.
 	 */
-	HASH_V1 = 8,
+	PLV1_HASH = 8,
 
 	/**
 	 * Signature payload
 	 */
-	SIGNATURE_V1 = 9,
+	PLV1_SIGNATURE = 9,
 
 	/**
 	 * Nonce payload.
 	 */
-	NONCE_V1 = 10,
+	PLV1_NONCE = 10,
 
 	/**
 	 * Notification payload.
 	 */
-	NOTIFY_V1 = 11,
+	PLV1_NOTIFY = 11,
 
 	/**
 	 * Delete payload.
 	 */
-	DELETE_V1 = 12,
+	PLV1_DELETE = 12,
 
 	/**
 	 * Vendor id payload.
 	 */
-	VENDOR_ID_V1 = 13,
+	PLV1_VENDOR_ID = 13,
 
 	/**
 	 * Attribute payload (ISAKMP Mode Config, aka configuration payload.
 	 */
-	CONFIGURATION_V1 = 14,
+	PLV1_CONFIGURATION = 14,
 
 	/**
 	 * NAT discovery payload (NAT-D).
 	 */
-	NAT_D_V1 = 20,
+	PLV1_NAT_D = 20,
 
 	/**
 	 * NAT original address payload (NAT-OA).
 	 */
-	NAT_OA_V1 = 21,
+	PLV1_NAT_OA = 21,
 
 	/**
 	 * The security association (SA) payload containing proposals.
 	 */
-	SECURITY_ASSOCIATION = 33,
+	PLV2_SECURITY_ASSOCIATION = 33,
 
 	/**
 	 * The key exchange (KE) payload containing diffie-hellman values.
 	 */
-	KEY_EXCHANGE = 34,
+	PLV2_KEY_EXCHANGE = 34,
 
 	/**
 	 * Identification for the original initiator (IDi).
 	 */
-	ID_INITIATOR = 35,
+	PLV2_ID_INITIATOR = 35,
 
 	/**
 	 * Identification for the original responder (IDr).
 	 */
-	ID_RESPONDER = 36,
+	PLV2_ID_RESPONDER = 36,
 
 	/**
 	 * Certificate payload with certificates (CERT).
 	 */
-	CERTIFICATE = 37,
+	PLV2_CERTIFICATE = 37,
 
 	/**
 	 * Certificate request payload (CERTREQ).
 	 */
-	CERTIFICATE_REQUEST = 38,
+	PLV2_CERTREQ = 38,
 
 	/**
 	 * Authentication payload contains auth data (AUTH).
 	 */
-	AUTHENTICATION = 39,
+	PLV2_AUTH = 39,
 
 	/**
 	 * Nonces, for initiator and responder (Ni, Nr, N)
 	 */
-	NONCE = 40,
+	PLV2_NONCE = 40,
 
 	/**
 	 * Notify paylaod (N).
 	 */
-	NOTIFY = 41,
+	PLV2_NOTIFY = 41,
 
 	/**
 	 * Delete payload (D)
 	 */
-	DELETE = 42,
+	PLV2_DELETE = 42,
 
 	/**
 	 * Vendor id paylpoad (V).
 	 */
-	VENDOR_ID = 43,
+	PLV2_VENDOR_ID = 43,
 
 	/**
 	 * Traffic selector for the original initiator (TSi).
 	 */
-	TRAFFIC_SELECTOR_INITIATOR = 44,
+	PLV2_TS_INITIATOR = 44,
 
 	/**
 	 * Traffic selector for the original responser (TSr).
 	 */
-	TRAFFIC_SELECTOR_RESPONDER = 45,
+	PLV2_TS_RESPONDER = 45,
 
 	/**
 	 * Encryption payload, contains other payloads (E).
 	 */
-	ENCRYPTED = 46,
+	PLV2_ENCRYPTED = 46,
 
 	/**
 	 * Configuration payload (CP).
 	 */
-	CONFIGURATION = 47,
+	PLV2_CONFIGURATION = 47,
 
 	/**
 	 * Extensible authentication payload (EAP).
 	 */
-	EXTENSIBLE_AUTHENTICATION = 48,
+	PLV2_EAP = 48,
 
 	/**
 	 * Generic Secure Password Method (GSPM).
 	 */
-	GENERIC_SECURE_PASSWORD_METHOD = 49,
+	PLV2_GSPM = 49,
 
 #ifdef ME
 	/**
 	 * Identification payload for peers has a value from
 	 * the PRIVATE USE space.
 	 */
-	ID_PEER = 128,
+	PLV2_ID_PEER = 128,
 #endif /* ME */
 
 	/**
 	 * NAT discovery payload (NAT-D) (drafts).
 	 */
-	NAT_D_DRAFT_00_03_V1 = 130,
+	PLV1_NAT_D_DRAFT_00_03 = 130,
 
 	/**
 	 * NAT original address payload (NAT-OA) (drafts).
 	 */
-	NAT_OA_DRAFT_00_03_V1 = 131,
+	PLV1_NAT_OA_DRAFT_00_03 = 131,
 
 	/**
 	 * IKE fragment (proprietary IKEv1 extension)
 	 */
-	FRAGMENT_V1 = 132,
+	PLV1_FRAGMENT = 132,
 
 	/**
 	 * Header has a value of PRIVATE USE space.
@@ -241,57 +241,57 @@ enum payload_type_t {
 	 * This type and all the following are never sent over wire and are
 	 * used internally only.
 	 */
-	HEADER = 256,
+	PL_HEADER = 256,
 
 	/**
-	 * PROPOSAL_SUBSTRUCTURE, IKEv2 proposals in a SA payload.
+	 * PLV2_PROPOSAL_SUBSTRUCTURE, IKEv2 proposals in a SA payload.
 	 */
-	PROPOSAL_SUBSTRUCTURE,
+	PLV2_PROPOSAL_SUBSTRUCTURE,
 
 	/**
-	 * PROPOSAL_SUBSTRUCTURE_V1, IKEv1 proposals in a SA payload.
+	 * PLV1_PROPOSAL_SUBSTRUCTURE, IKEv1 proposals in a SA payload.
 	 */
-	PROPOSAL_SUBSTRUCTURE_V1,
+	PLV1_PROPOSAL_SUBSTRUCTURE,
 
 	/**
-	 * TRANSFORM_SUBSTRUCTURE, IKEv2 transforms in a proposal substructure.
+	 * PLV2_TRANSFORM_SUBSTRUCTURE, IKEv2 transforms in a proposal substructure.
 	 */
-	TRANSFORM_SUBSTRUCTURE,
+	PLV2_TRANSFORM_SUBSTRUCTURE,
 
 	/**
-	 * TRANSFORM_SUBSTRUCTURE_V1, IKEv1 transforms in a proposal substructure.
+	 * PLV1_TRANSFORM_SUBSTRUCTURE, IKEv1 transforms in a proposal substructure.
 	 */
-	TRANSFORM_SUBSTRUCTURE_V1,
+	PLV1_TRANSFORM_SUBSTRUCTURE,
 
 	/**
-	 * TRANSFORM_ATTRIBUTE, IKEv2 attribute in a transform.
+	 * PLV2_TRANSFORM_ATTRIBUTE, IKEv2 attribute in a transform.
 	 */
-	TRANSFORM_ATTRIBUTE,
+	PLV2_TRANSFORM_ATTRIBUTE,
 
 	/**
-	 * TRANSFORM_ATTRIBUTE_V1, IKEv1 attribute in a transform.
+	 * PLV1_TRANSFORM_ATTRIBUTE, IKEv1 attribute in a transform.
 	 */
-	TRANSFORM_ATTRIBUTE_V1,
+	PLV1_TRANSFORM_ATTRIBUTE,
 
 	/**
-	 * TRAFFIC_SELECTOR_SUBSTRUCTURE, traffic selector in a TS payload.
+	 * PLV2_TRAFFIC_SELECTOR_SUBSTRUCTURE, traffic selector in a TS payload.
 	 */
-	TRAFFIC_SELECTOR_SUBSTRUCTURE,
+	PLV2_TRAFFIC_SELECTOR_SUBSTRUCTURE,
 
 	/**
-	 * CONFIGURATION_ATTRIBUTE, IKEv2 attribute in a configuration payload.
+	 * PLV2_CONFIGURATION_ATTRIBUTE, IKEv2 attribute in a configuration payload.
 	 */
-	CONFIGURATION_ATTRIBUTE,
+	PLV2_CONFIGURATION_ATTRIBUTE,
 
 	/**
-	 * CONFIGURATION_ATTRIBUTE_V1, IKEv1 attribute in a configuration payload.
+	 * PLV1_CONFIGURATION_ATTRIBUTE, IKEv1 attribute in a configuration payload.
 	 */
-	CONFIGURATION_ATTRIBUTE_V1,
+	PLV1_CONFIGURATION_ATTRIBUTE,
 
 	/**
 	 * This is not really a payload, but rather the complete IKEv1 message.
 	 */
-	ENCRYPTED_V1,
+	PLV1_ENCRYPTED,
 };
 
 /**
@@ -336,7 +336,7 @@ struct payload_t {
 	payload_type_t (*get_type) (payload_t *this);
 
 	/**
-	 * Get type of next payload or NO_PAYLOAD (0) if this is the last one.
+	 * Get type of next payload or PL_NONE (0) if this is the last one.
 	 *
 	 * @return				type of next payload
 	 */
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 3e35b75..53e8cf3 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -88,7 +88,7 @@ struct private_proposal_substructure_t {
 	linked_list_t *transforms;
 
 	/**
-	 * Type of this payload, PROPOSAL_SUBSTRUCTURE or PROPOSAL_SUBSTRUCTURE_V1
+	 * Type of this payload, PLV2_PROPOSAL_SUBSTRUCTURE or PLV1_PROPOSAL_SUBSTRUCTURE
 	 */
 	payload_type_t type;
 };
@@ -114,7 +114,7 @@ static encoding_rule_t encodings_v1[] = {
 	/* SPI is a chunk of variable size*/
 	{ SPI,				offsetof(private_proposal_substructure_t, spi)				},
 	/* Transforms are stored in a transform substructure list */
-	{ PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE_V1,
+	{ PAYLOAD_LIST + PLV1_TRANSFORM_SUBSTRUCTURE,
 						offsetof(private_proposal_substructure_t, transforms)		},
 };
 
@@ -139,7 +139,7 @@ static encoding_rule_t encodings_v2[] = {
 	/* SPI is a chunk of variable size*/
 	{ SPI,				offsetof(private_proposal_substructure_t, spi)				},
 	/* Transforms are stored in a transform substructure list */
-	{ PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE,
+	{ PAYLOAD_LIST + PLV2_TRANSFORM_SUBSTRUCTURE,
 						offsetof(private_proposal_substructure_t, transforms)		},
 };
 
@@ -329,7 +329,7 @@ METHOD(payload_t, verify, status_t,
 	enumerator_t *enumerator;
 	payload_t *current;
 
-	if (this->next_payload != NO_PAYLOAD && this->next_payload != 2)
+	if (this->next_payload != PL_NONE && this->next_payload != 2)
 	{
 		/* must be 0 or 2 */
 		DBG1(DBG_ENC, "inconsistent next payload");
@@ -361,7 +361,7 @@ METHOD(payload_t, verify, status_t,
 			}
 			break;
 		case PROTO_IKE:
-			if (this->type == PROPOSAL_SUBSTRUCTURE_V1)
+			if (this->type == PLV1_PROPOSAL_SUBSTRUCTURE)
 			{
 				if (this->spi.len <= 16)
 				{	/* according to RFC 2409, section 3.5 anything between
@@ -397,7 +397,7 @@ METHOD(payload_t, verify, status_t,
 METHOD(payload_t, get_encoding_rules, int,
 	private_proposal_substructure_t *this, encoding_rule_t **rules)
 {
-	if (this->type == PROPOSAL_SUBSTRUCTURE)
+	if (this->type == PLV2_PROPOSAL_SUBSTRUCTURE)
 	{
 		*rules = encodings_v2;
 		return countof(encodings_v2);
@@ -1028,7 +1028,7 @@ METHOD(proposal_substructure_t, get_proposals, void,
 			proposal->set_spi(proposal, spi);
 			proposals->insert_last(proposals, proposal);
 		}
-		if (this->type == PROPOSAL_SUBSTRUCTURE)
+		if (this->type == PLV2_PROPOSAL_SUBSTRUCTURE)
 		{
 			add_to_proposal_v2(proposal, transform);
 		}
@@ -1266,7 +1266,7 @@ proposal_substructure_t *proposal_substructure_create(payload_type_t type)
 			.get_encap_mode = _get_encap_mode,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.transforms = linked_list_create(),
 		.type = type,
 	);
@@ -1286,7 +1286,7 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
 	u_int16_t alg, key_size;
 	enumerator_t *enumerator;
 
-	transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1,
+	transform = transform_substructure_create_type(PLV1_TRANSFORM_SUBSTRUCTURE,
 												number, IKEV1_TRANSID_KEY_IKE);
 
 	enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
@@ -1296,12 +1296,12 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
 		if (alg)
 		{
 			transform->add_transform_attribute(transform,
-				transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+				transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 									TATTR_PH1_ENCRYPTION_ALGORITHM, alg));
 			if (key_size)
 			{
 				transform->add_transform_attribute(transform,
-					transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+					transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 										TATTR_PH1_KEY_LENGTH, key_size));
 			}
 			break;
@@ -1317,7 +1317,7 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
 		if (alg)
 		{
 			transform->add_transform_attribute(transform,
-				transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+				transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 									TATTR_PH1_HASH_ALGORITHM, alg));
 			break;
 		}
@@ -1328,19 +1328,19 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
 	if (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
 		transform->add_transform_attribute(transform,
-			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+			transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 								TATTR_PH1_GROUP, alg));
 	}
 	enumerator->destroy(enumerator);
 
 	transform->add_transform_attribute(transform,
-		transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+		transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH1_AUTH_METHOD, get_ikev1_auth(method)));
 	transform->add_transform_attribute(transform,
-		transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+		transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH1_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS));
 	transform->add_transform_attribute(transform,
-		transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+		transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH1_LIFE_DURATION, lifetime));
 
 	add_transform_substructure(this, transform);
@@ -1366,11 +1366,11 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this,
 		if (alg)
 		{
 			transform = transform_substructure_create_type(
-									TRANSFORM_SUBSTRUCTURE_V1, number, alg);
+									PLV1_TRANSFORM_SUBSTRUCTURE, number, alg);
 			if (key_size)
 			{
 				transform->add_transform_attribute(transform,
-					transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+					transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 											TATTR_PH2_KEY_LENGTH, key_size));
 			}
 		}
@@ -1386,10 +1386,10 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this,
 			if (!transform)
 			{
 				transform = transform_substructure_create_type(
-									TRANSFORM_SUBSTRUCTURE_V1, number, alg);
+									PLV1_TRANSFORM_SUBSTRUCTURE, number, alg);
 			}
 			transform->add_transform_attribute(transform,
-				transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+				transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 									TATTR_PH2_AUTH_ALGORITHM, alg));
 		}
 	}
@@ -1404,30 +1404,30 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this,
 	if (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
 		transform->add_transform_attribute(transform,
-			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+			transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 									TATTR_PH2_GROUP, alg));
 	}
 	enumerator->destroy(enumerator);
 
 	transform->add_transform_attribute(transform,
-		transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+		transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH2_ENCAP_MODE, get_ikev1_mode(mode, udp)));
 	if (lifetime)
 	{
 		transform->add_transform_attribute(transform,
-			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+			transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS));
 		transform->add_transform_attribute(transform,
-			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+			transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH2_SA_LIFE_DURATION, lifetime));
 	}
 	if (lifebytes)
 	{
 		transform->add_transform_attribute(transform,
-			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+			transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_KILOBYTES));
 		transform->add_transform_attribute(transform,
-			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+			transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH2_SA_LIFE_DURATION, lifebytes / 1000));
 	}
 
@@ -1448,12 +1448,12 @@ static void set_from_proposal_v2(private_proposal_substructure_t *this,
 	enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
 	while (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
-		transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+		transform = transform_substructure_create_type(PLV2_TRANSFORM_SUBSTRUCTURE,
 												ENCRYPTION_ALGORITHM, alg);
 		if (key_size)
 		{
 			transform->add_transform_attribute(transform,
-				transform_attribute_create_value(TRANSFORM_ATTRIBUTE,
+				transform_attribute_create_value(PLV2_TRANSFORM_ATTRIBUTE,
 											TATTR_IKEV2_KEY_LENGTH, key_size));
 		}
 		add_transform_substructure(this, transform);
@@ -1464,7 +1464,7 @@ static void set_from_proposal_v2(private_proposal_substructure_t *this,
 	enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
 	while (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
-		transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+		transform = transform_substructure_create_type(PLV2_TRANSFORM_SUBSTRUCTURE,
 												INTEGRITY_ALGORITHM, alg);
 		add_transform_substructure(this, transform);
 	}
@@ -1474,7 +1474,7 @@ static void set_from_proposal_v2(private_proposal_substructure_t *this,
 	enumerator = proposal->create_enumerator(proposal, PSEUDO_RANDOM_FUNCTION);
 	while (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
-		transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+		transform = transform_substructure_create_type(PLV2_TRANSFORM_SUBSTRUCTURE,
 												PSEUDO_RANDOM_FUNCTION, alg);
 		add_transform_substructure(this, transform);
 	}
@@ -1484,7 +1484,7 @@ static void set_from_proposal_v2(private_proposal_substructure_t *this,
 	enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
 	while (enumerator->enumerate(enumerator, &alg, NULL))
 	{
-		transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+		transform = transform_substructure_create_type(PLV2_TRANSFORM_SUBSTRUCTURE,
 												DIFFIE_HELLMAN_GROUP, alg);
 		add_transform_substructure(this, transform);
 	}
@@ -1494,7 +1494,7 @@ static void set_from_proposal_v2(private_proposal_substructure_t *this,
 	enumerator = proposal->create_enumerator(proposal, EXTENDED_SEQUENCE_NUMBERS);
 	while (enumerator->enumerate(enumerator, &alg, NULL))
 	{
-		transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+		transform = transform_substructure_create_type(PLV2_TRANSFORM_SUBSTRUCTURE,
 												EXTENDED_SEQUENCE_NUMBERS, alg);
 		add_transform_substructure(this, transform);
 	}
@@ -1543,7 +1543,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v2(
 	private_proposal_substructure_t *this;
 
 	this = (private_proposal_substructure_t*)
-							proposal_substructure_create(SECURITY_ASSOCIATION);
+							proposal_substructure_create(PLV2_SECURITY_ASSOCIATION);
 	set_from_proposal_v2(this, proposal);
 	set_data(this, proposal);
 
@@ -1560,7 +1560,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
 	private_proposal_substructure_t *this;
 
 	this = (private_proposal_substructure_t*)
-						proposal_substructure_create(PROPOSAL_SUBSTRUCTURE_V1);
+						proposal_substructure_create(PLV1_PROPOSAL_SUBSTRUCTURE);
 	switch (proposal->get_protocol(proposal))
 	{
 		case PROTO_IKE:
@@ -1636,31 +1636,31 @@ proposal_substructure_t *proposal_substructure_create_for_ipcomp_v1(
 
 
 	this = (private_proposal_substructure_t*)
-						proposal_substructure_create(PROPOSAL_SUBSTRUCTURE_V1);
+						proposal_substructure_create(PLV1_PROPOSAL_SUBSTRUCTURE);
 
 	/* we currently support DEFLATE only */
-	transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1,
+	transform = transform_substructure_create_type(PLV1_TRANSFORM_SUBSTRUCTURE,
 												   1, IKEV1_IPCOMP_DEFLATE);
 
 	transform->add_transform_attribute(transform,
-		transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+		transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH2_ENCAP_MODE, get_ikev1_mode(mode, udp)));
 	if (lifetime)
 	{
 		transform->add_transform_attribute(transform,
-			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+			transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS));
 		transform->add_transform_attribute(transform,
-			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+			transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH2_SA_LIFE_DURATION, lifetime));
 	}
 	if (lifebytes)
 	{
 		transform->add_transform_attribute(transform,
-			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+			transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_KILOBYTES));
 		transform->add_transform_attribute(transform,
-			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+			transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
 							TATTR_PH2_SA_LIFE_DURATION, lifebytes / 1000));
 	}
 
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h
index c8e7adf..c4614b8 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.h
+++ b/src/libcharon/encoding/payloads/proposal_substructure.h
@@ -168,7 +168,7 @@ struct proposal_substructure_t {
 /**
  * Creates an empty proposal_substructure_t object
  *
- * @param type		PROPOSAL_SUBSTRUCTURE or PROPOSAL_SUBSTRUCTURE_V1
+ * @param type		PLV2_PROPOSAL_SUBSTRUCTURE or PLV1_PROPOSAL_SUBSTRUCTURE
  * @return			proposal_substructure_t object
  */
 proposal_substructure_t *proposal_substructure_create(payload_type_t type);
@@ -177,7 +177,7 @@ proposal_substructure_t *proposal_substructure_create(payload_type_t type);
  * Creates an IKEv2 proposal_substructure_t from a proposal_t.
  *
  * @param proposal	proposal to build a substruct out of it
- * @return			proposal_substructure_t PROPOSAL_SUBSTRUCTURE
+ * @return			proposal_substructure_t PLV2_PROPOSAL_SUBSTRUCTURE
  */
 proposal_substructure_t *proposal_substructure_create_from_proposal_v2(
 														proposal_t *proposal);
@@ -190,7 +190,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v2(
  * @param auth		authentication method to use, or AUTH_NONE
  * @param mode		IPsec encapsulation mode, TRANSPORT or TUNNEL
  * @param udp		ENCAP_UDP to use UDP encapsulation
- * @return			proposal_substructure_t object PROPOSAL_SUBSTRUCTURE_V1
+ * @return			proposal_substructure_t object PLV1_PROPOSAL_SUBSTRUCTURE
  */
 proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
 			proposal_t *proposal,  u_int32_t lifetime, u_int64_t lifebytes,
@@ -205,7 +205,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
  * @param auth		authentication method to use, or AUTH_NONE
  * @param mode		IPsec encapsulation mode, TRANSPORT or TUNNEL
  * @param udp		ENCAP_UDP to use UDP encapsulation
- * @return			IKEv1 proposal_substructure_t PROPOSAL_SUBSTRUCTURE_V1
+ * @return			IKEv1 proposal_substructure_t PLV1_PROPOSAL_SUBSTRUCTURE
  */
 proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
 			linked_list_t *proposals, u_int32_t lifetime, u_int64_t lifebytes,
@@ -221,7 +221,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
  * @param mode				IPsec encapsulation mode, TRANSPORT or TUNNEL
  * @param udp				ENCAP_UDP to use UDP encapsulation
  * @param proposal_number	the proposal number of the proposal to be linked
- * @return					IKEv1 proposal_substructure_t PROPOSAL_SUBSTRUCTURE_V1
+ * @return					IKEv1 proposal_substructure_t PLV1_PROPOSAL_SUBSTRUCTURE
  */
 proposal_substructure_t *proposal_substructure_create_for_ipcomp_v1(
 			u_int32_t lifetime, u_int64_t lifebytes, u_int16_t cpi,
diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c
index 3a5bb43..8e3a012 100644
--- a/src/libcharon/encoding/payloads/sa_payload.c
+++ b/src/libcharon/encoding/payloads/sa_payload.c
@@ -101,7 +101,7 @@ static encoding_rule_t encodings_v1[] = {
 	/* Situation*/
 	{ U_INT_32,			offsetof(private_sa_payload_t, situation)		},
 	/* Proposals are stored in a proposal substructure list */
-	{ PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE_V1,
+	{ PAYLOAD_LIST + PLV1_PROPOSAL_SUBSTRUCTURE,
 						offsetof(private_sa_payload_t, proposals)		},
 };
 
@@ -140,7 +140,7 @@ static encoding_rule_t encodings_v2[] = {
 	/* Length of the whole SA payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_sa_payload_t, payload_length)		},
 	/* Proposals are stored in a proposal substructure list */
-	{ PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE,
+	{ PAYLOAD_LIST + PLV2_PROPOSAL_SUBSTRUCTURE,
 						offsetof(private_sa_payload_t, proposals)			},
 };
 
@@ -164,7 +164,7 @@ METHOD(payload_t, verify, status_t,
 	enumerator_t *enumerator;
 	proposal_substructure_t *substruct;
 
-	if (this->type == SECURITY_ASSOCIATION)
+	if (this->type == PLV2_SECURITY_ASSOCIATION)
 	{
 		expected_number = 1;
 	}
@@ -196,7 +196,7 @@ METHOD(payload_t, verify, status_t,
 METHOD(payload_t, get_encoding_rules, int,
 	private_sa_payload_t *this, encoding_rule_t **rules)
 {
-	if (this->type == SECURITY_ASSOCIATION_V1)
+	if (this->type == PLV1_SECURITY_ASSOCIATION)
 	{
 		*rules = encodings_v1;
 		return countof(encodings_v1);
@@ -208,7 +208,7 @@ METHOD(payload_t, get_encoding_rules, int,
 METHOD(payload_t, get_header_length, int,
 	private_sa_payload_t *this)
 {
-	if (this->type == SECURITY_ASSOCIATION_V1)
+	if (this->type == PLV1_SECURITY_ASSOCIATION)
 	{
 		return 12;
 	}
@@ -295,7 +295,7 @@ METHOD(sa_payload_t, get_proposals, linked_list_t*,
 	proposal_substructure_t *substruct;
 	linked_list_t *substructs, *list;
 
-	if (this->type == SECURITY_ASSOCIATION_V1)
+	if (this->type == PLV1_SECURITY_ASSOCIATION)
 	{	/* IKEv1 proposals start with 0 */
 		struct_number = ignore_struct_number = -1;
 	}
@@ -502,7 +502,7 @@ sa_payload_t *sa_payload_create(payload_type_t type)
 			.get_encap_mode = _get_encap_mode,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.proposals = linked_list_create(),
 		.type = type,
 		/* for IKEv1 only */
@@ -524,7 +524,7 @@ sa_payload_t *sa_payload_create_from_proposals_v2(linked_list_t *proposals)
 	enumerator_t *enumerator;
 	proposal_t *proposal;
 
-	this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+	this = (private_sa_payload_t*)sa_payload_create(PLV2_SECURITY_ASSOCIATION);
 	enumerator = proposals->create_enumerator(proposals);
 	while (enumerator->enumerate(enumerator, &proposal))
 	{
@@ -542,7 +542,7 @@ sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal)
 {
 	private_sa_payload_t *this;
 
-	this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+	this = (private_sa_payload_t*)sa_payload_create(PLV2_SECURITY_ASSOCIATION);
 	add_proposal_v2(this, proposal);
 
 	return &this->public;
@@ -560,7 +560,7 @@ sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
 	proposal_substructure_t *substruct;
 	private_sa_payload_t *this;
 
-	this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION_V1);
+	this = (private_sa_payload_t*)sa_payload_create(PLV1_SECURITY_ASSOCIATION);
 
 	if (!proposals || !proposals->get_count(proposals))
 	{
diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h
index b62a341..0ddf361 100644
--- a/src/libcharon/encoding/payloads/sa_payload.h
+++ b/src/libcharon/encoding/payloads/sa_payload.h
@@ -104,7 +104,7 @@ struct sa_payload_t {
 /**
  * Creates an empty sa_payload_t object
  *
- * @param type				SECURITY_ASSOCIATION or SECURITY_ASSOCIATION_V1
+ * @param type				PLV2_SECURITY_ASSOCIATION or PLV1_SECURITY_ASSOCIATION
  * @return					created sa_payload_t object
  */
 sa_payload_t *sa_payload_create(payload_type_t type);
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
index 334823d..83618ff 100644
--- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
@@ -168,13 +168,13 @@ METHOD(payload_t, get_header_length, int,
 METHOD(payload_t, get_type, payload_type_t,
 	private_traffic_selector_substructure_t *this)
 {
-	return TRAFFIC_SELECTOR_SUBSTRUCTURE;
+	return PLV2_TRAFFIC_SELECTOR_SUBSTRUCTURE;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
 	private_traffic_selector_substructure_t *this)
 {
-	return NO_PAYLOAD;
+	return PL_NONE;
 }
 
 METHOD(payload_t, set_next_type, void,
diff --git a/src/libcharon/encoding/payloads/transform_attribute.c b/src/libcharon/encoding/payloads/transform_attribute.c
index d20f77c..4a5b52d 100644
--- a/src/libcharon/encoding/payloads/transform_attribute.c
+++ b/src/libcharon/encoding/payloads/transform_attribute.c
@@ -98,7 +98,7 @@ struct private_transform_attribute_t {
 	chunk_t attribute_value;
 
 	/**
-	 * Payload type, TRANSFORM_ATTRIBUTE or TRANSFORM_ATTRIBUTE_V1
+	 * Payload type, PLV2_TRANSFORM_ATTRIBUTE or PLV1_TRANSFORM_ATTRIBUTE
 	 */
 	payload_type_t type;
 };
@@ -157,7 +157,7 @@ METHOD(payload_t, get_type, payload_type_t,
 METHOD(payload_t, get_next_type, payload_type_t,
 	private_transform_attribute_t *this)
 {
-	return NO_PAYLOAD;
+	return PL_NONE;
 }
 
 METHOD(payload_t, set_next_type, void,
diff --git a/src/libcharon/encoding/payloads/transform_attribute.h b/src/libcharon/encoding/payloads/transform_attribute.h
index 23897a5..87e283b 100644
--- a/src/libcharon/encoding/payloads/transform_attribute.h
+++ b/src/libcharon/encoding/payloads/transform_attribute.h
@@ -127,7 +127,7 @@ struct transform_attribute_t {
 /**
  * Creates an empty transform_attribute_t object.
  *
- * @param type			TRANSFORM_ATTRIBUTE or TRANSFORM_ATTRIBUTE_V1
+ * @param type			PLV2_TRANSFORM_ATTRIBUTE or PLV1_TRANSFORM_ATTRIBUTE
  * @return				transform_attribute_t object
  */
 transform_attribute_t *transform_attribute_create(payload_type_t type);
@@ -135,7 +135,7 @@ transform_attribute_t *transform_attribute_create(payload_type_t type);
 /**
  * Creates a two byte value or a larger attribute for a given attribute kind.
  *
- * @param type			TRANSFORM_ATTRIBUTE or TRANSFORM_ATTRIBUTE_V1
+ * @param type			PLV2_TRANSFORM_ATTRIBUTE or PLV1_TRANSFORM_ATTRIBUTE
  * @param kind			attribute kind
  * @param value			fixed two byte value
  * @return				transform_attribute_t object
diff --git a/src/libcharon/encoding/payloads/transform_substructure.c b/src/libcharon/encoding/payloads/transform_substructure.c
index a850275..6885d61 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.c
+++ b/src/libcharon/encoding/payloads/transform_substructure.c
@@ -73,13 +73,13 @@ struct private_transform_substructure_t {
 	linked_list_t *attributes;
 
 	/**
-	 * Payload type, TRANSFORM_SUBSTRUCTURE or TRANSFORM_SUBSTRUCTURE_V1
+	 * Payload type, PLV2_TRANSFORM_SUBSTRUCTURE or PLV1_TRANSFORM_SUBSTRUCTURE
 	 */
 	payload_type_t type;
 };
 
 /**
- * Encoding rules for TRANSFORM_SUBSTRUCTURE
+ * Encoding rules for PLV2_TRANSFORM_SUBSTRUCTURE
  */
 static encoding_rule_t encodings_v2[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
@@ -95,12 +95,12 @@ static encoding_rule_t encodings_v2[] = {
 	/* transform identifier, as used by IKEv2 */
 	{ U_INT_16,			offsetof(private_transform_substructure_t, transform_id_v2)	},
 	/* Attributes in a transform attribute list */
-	{ PAYLOAD_LIST + TRANSFORM_ATTRIBUTE,
+	{ PAYLOAD_LIST + PLV2_TRANSFORM_ATTRIBUTE,
 						offsetof(private_transform_substructure_t, attributes)		}
 };
 
 /**
- * Encoding rules for TRANSFORM_SUBSTRUCTURE_V1
+ * Encoding rules for PLV1_TRANSFORM_SUBSTRUCTURE
  */
 static encoding_rule_t encodings_v1[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
@@ -117,7 +117,7 @@ static encoding_rule_t encodings_v1[] = {
 	{ RESERVED_BYTE,	offsetof(private_transform_substructure_t, reserved[1])		},
 	{ RESERVED_BYTE,	offsetof(private_transform_substructure_t, reserved[2])		},
 	/* Attributes in a transform attribute list */
-	{ PAYLOAD_LIST + TRANSFORM_ATTRIBUTE_V1,
+	{ PAYLOAD_LIST + PLV1_TRANSFORM_ATTRIBUTE,
 						offsetof(private_transform_substructure_t, attributes)		}
 };
 
@@ -142,7 +142,7 @@ METHOD(payload_t, verify, status_t,
 	enumerator_t *enumerator;
 	payload_t *attribute;
 
-	if (this->next_payload != NO_PAYLOAD && this->next_payload != 3)
+	if (this->next_payload != PL_NONE && this->next_payload != 3)
 	{
 		DBG1(DBG_ENC, "inconsistent next payload");
 		return FAILED;
@@ -167,7 +167,7 @@ METHOD(payload_t, verify, status_t,
 METHOD(payload_t, get_encoding_rules, int,
 	private_transform_substructure_t *this, encoding_rule_t **rules)
 {
-	if (this->type == TRANSFORM_SUBSTRUCTURE)
+	if (this->type == PLV2_TRANSFORM_SUBSTRUCTURE)
 	{
 		*rules = encodings_v2;
 		return countof(encodings_v2);
@@ -244,7 +244,7 @@ METHOD(transform_substructure_t, get_transform_type_or_number, u_int8_t,
 METHOD(transform_substructure_t, get_transform_id, u_int16_t,
 	private_transform_substructure_t *this)
 {
-	if (this->type == TRANSFORM_SUBSTRUCTURE)
+	if (this->type == PLV2_TRANSFORM_SUBSTRUCTURE)
 	{
 		return this->transform_id_v2;
 	}
@@ -291,7 +291,7 @@ transform_substructure_t *transform_substructure_create(payload_type_t type)
 			.create_attribute_enumerator = _create_attribute_enumerator,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.transform_length = get_header_length(this),
 		.attributes = linked_list_create(),
 		.type = type,
@@ -310,7 +310,7 @@ transform_substructure_t *transform_substructure_create_type(payload_type_t type
 	this = (private_transform_substructure_t*)transform_substructure_create(type);
 
 	this->transform_ton = type_or_number;
-	if (type == TRANSFORM_SUBSTRUCTURE)
+	if (type == PLV2_TRANSFORM_SUBSTRUCTURE)
 	{
 		this->transform_id_v2 = id;
 	}
diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h
index 97717e6..ba821d3 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.h
+++ b/src/libcharon/encoding/payloads/transform_substructure.h
@@ -97,7 +97,7 @@ struct transform_substructure_t {
 /**
  * Creates an empty transform_substructure_t object.
  *
- * @param type			TRANSFORM_SUBSTRUCTURE or TRANSFORM_SUBSTRUCTURE_V1
+ * @param type			PLV2_TRANSFORM_SUBSTRUCTURE or PLV1_TRANSFORM_SUBSTRUCTURE
  * @return				created transform_substructure_t object
  */
 transform_substructure_t *transform_substructure_create(payload_type_t type);
@@ -105,7 +105,7 @@ transform_substructure_t *transform_substructure_create(payload_type_t type);
 /**
  * Creates an empty transform_substructure_t object.
  *
- * @param type				TRANSFORM_SUBSTRUCTURE or TRANSFORM_SUBSTRUCTURE_V1
+ * @param type				PLV2_TRANSFORM_SUBSTRUCTURE or PLV1_TRANSFORM_SUBSTRUCTURE
  * @param type_or_number	Type (IKEv2) or number (IKEv1) of transform
  * @param id				transform id specifc for the transform type
  * @return					transform_substructure_t object
diff --git a/src/libcharon/encoding/payloads/ts_payload.c b/src/libcharon/encoding/payloads/ts_payload.c
index 8dfa47b..e74b9ae 100644
--- a/src/libcharon/encoding/payloads/ts_payload.c
+++ b/src/libcharon/encoding/payloads/ts_payload.c
@@ -103,7 +103,7 @@ static encoding_rule_t encodings[] = {
 	{ RESERVED_BYTE,	offsetof(private_ts_payload_t, reserved_byte[1])},
 	{ RESERVED_BYTE,	offsetof(private_ts_payload_t, reserved_byte[2])},
 	/* wrapped list of traffic selectors substructures */
-	{ PAYLOAD_LIST + TRAFFIC_SELECTOR_SUBSTRUCTURE,
+	{ PAYLOAD_LIST + PLV2_TRAFFIC_SELECTOR_SUBSTRUCTURE,
 						offsetof(private_ts_payload_t, substrs)			},
 };
 
@@ -164,9 +164,9 @@ METHOD(payload_t, get_type, payload_type_t,
 {
 	if (this->is_initiator)
 	{
-		return TRAFFIC_SELECTOR_INITIATOR;
+		return PLV2_TS_INITIATOR;
 	}
-	return TRAFFIC_SELECTOR_RESPONDER;
+	return PLV2_TS_RESPONDER;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -269,7 +269,7 @@ ts_payload_t *ts_payload_create(bool is_initiator)
 			.get_traffic_selectors = _get_traffic_selectors,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payload_length = get_header_length(this),
 		.is_initiator = is_initiator,
 		.substrs = linked_list_create(),
diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c
index fe7ced2..45b91fd 100644
--- a/src/libcharon/encoding/payloads/unknown_payload.c
+++ b/src/libcharon/encoding/payloads/unknown_payload.c
@@ -184,7 +184,7 @@ unknown_payload_t *unknown_payload_create(payload_type_t type)
 			.get_data = _get_data,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payload_length = get_header_length(this),
 		.type = type,
 	);
diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.c b/src/libcharon/encoding/payloads/vendor_id_payload.c
index 0c1df56..400e064 100644
--- a/src/libcharon/encoding/payloads/vendor_id_payload.c
+++ b/src/libcharon/encoding/payloads/vendor_id_payload.c
@@ -178,7 +178,7 @@ vendor_id_payload_t *vendor_id_payload_create_data(payload_type_t type,
 			.get_data = _get_data,
 			.destroy = _destroy,
 		},
-		.next_payload = NO_PAYLOAD,
+		.next_payload = PL_NONE,
 		.payload_length = get_header_length(this) + data.len,
 		.data = data,
 		.type = type,
diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.h b/src/libcharon/encoding/payloads/vendor_id_payload.h
index 9a81477..42c31f9 100644
--- a/src/libcharon/encoding/payloads/vendor_id_payload.h
+++ b/src/libcharon/encoding/payloads/vendor_id_payload.h
@@ -55,7 +55,7 @@ struct vendor_id_payload_t {
 /**
  * Creates an empty Vendor ID payload for IKEv1 or IKEv2.
  *
- * @@param type		VENDOR_ID or VENDOR_ID_V1
+ * @@param type		PLV2_VENDOR_ID or PLV1_VENDOR_ID
  * @return			vendor ID payload
  */
 vendor_id_payload_t *vendor_id_payload_create(payload_type_t type);
@@ -63,7 +63,7 @@ vendor_id_payload_t *vendor_id_payload_create(payload_type_t type);
 /**
  * Creates a vendor ID payload using a chunk of data
  *
- * @param type		VENDOR_ID or VENDOR_ID_V1
+ * @param type		PLV2_VENDOR_ID or PLV1_VENDOR_ID
  * @param data		data to use in vendor ID payload, gets owned by payload
  * @return			vendor ID payload
  */
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index 8dfb47b..a2a3b1f 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -271,7 +271,7 @@ static bool check_cookie(private_receiver_t *this, message_t *message)
 	if (data.len <
 		 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
 		 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
-		*(data.ptr + 16) != NOTIFY ||
+		*(data.ptr + 16) != PLV2_NOTIFY ||
 		*(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
 	{
 		/* no cookie found */
diff --git a/src/libcharon/plugins/addrblock/Makefile.am b/src/libcharon/plugins/addrblock/Makefile.am
index 407f22d..33ee60d 100644
--- a/src/libcharon/plugins/addrblock/Makefile.am
+++ b/src/libcharon/plugins/addrblock/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-addrblock.la
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 0aa635a..0655959 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -418,7 +422,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-addrblock.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-addrblock.la
diff --git a/src/libcharon/plugins/android_dns/Makefile.am b/src/libcharon/plugins/android_dns/Makefile.am
index ebad963..1a0d6e6 100644
--- a/src/libcharon/plugins/android_dns/Makefile.am
+++ b/src/libcharon/plugins/android_dns/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-android-dns.la
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index f44734c..287c94a 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -418,7 +422,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-android-dns.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-android-dns.la
diff --git a/src/libcharon/plugins/android_log/Makefile.am b/src/libcharon/plugins/android_log/Makefile.am
index 4d8b485..79c61b5 100644
--- a/src/libcharon/plugins/android_log/Makefile.am
+++ b/src/libcharon/plugins/android_log/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-android-log.la
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 361b361..9fd5150 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -418,7 +422,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-android-log.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-android-log.la
diff --git a/src/libcharon/plugins/certexpire/Makefile.am b/src/libcharon/plugins/certexpire/Makefile.am
index 2bfad94..b8c241d 100644
--- a/src/libcharon/plugins/certexpire/Makefile.am
+++ b/src/libcharon/plugins/certexpire/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-certexpire.la
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index e218c8a..edda93e 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -419,7 +423,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-certexpire.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-certexpire.la
diff --git a/src/libcharon/plugins/coupling/Makefile.am b/src/libcharon/plugins/coupling/Makefile.am
index cbc06a6..badc7b7 100644
--- a/src/libcharon/plugins/coupling/Makefile.am
+++ b/src/libcharon/plugins/coupling/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-coupling.la
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index bb95126..5670f43 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -418,7 +422,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-coupling.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-coupling.la
diff --git a/src/libcharon/plugins/coupling/coupling_validator.c b/src/libcharon/plugins/coupling/coupling_validator.c
index fc35462..0686e0f 100644
--- a/src/libcharon/plugins/coupling/coupling_validator.c
+++ b/src/libcharon/plugins/coupling/coupling_validator.c
@@ -202,6 +202,7 @@ METHOD(coupling_validator_t, destroy, void,
 coupling_validator_t *coupling_validator_create()
 {
 	private_coupling_validator_t *this;
+	hash_algorithm_t alg;
 	char *path, *hash;
 
 	INIT(this,
@@ -219,8 +220,13 @@ coupling_validator_t *coupling_validator_create()
 
 	hash = lib->settings->get_str(lib->settings,
 								  "%s.plugins.coupling.hash", "sha1", lib->ns);
-	this->hasher = lib->crypto->create_hasher(lib->crypto,
-							enum_from_name(hash_algorithm_short_names, hash));
+	if (!enum_from_name(hash_algorithm_short_names, hash, &alg))
+	{
+		DBG1(DBG_CFG, "unknown coupling hash algorithm: %s", hash);
+		destroy(this);
+		return NULL;
+	}
+	this->hasher = lib->crypto->create_hasher(lib->crypto, alg);
 	if (!this->hasher)
 	{
 		DBG1(DBG_CFG, "unsupported coupling hash algorithm: %s", hash);
diff --git a/src/libcharon/plugins/dhcp/Makefile.am b/src/libcharon/plugins/dhcp/Makefile.am
index e0e857e..3c09db0 100644
--- a/src/libcharon/plugins/dhcp/Makefile.am
+++ b/src/libcharon/plugins/dhcp/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-dhcp.la
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 81f2b78..da364b0 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -264,6 +264,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -282,6 +283,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -309,6 +311,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -400,6 +403,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -416,7 +420,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-dhcp.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-dhcp.la
diff --git a/src/libcharon/plugins/dnscert/Makefile.am b/src/libcharon/plugins/dnscert/Makefile.am
index 51d542b..1455625 100644
--- a/src/libcharon/plugins/dnscert/Makefile.am
+++ b/src/libcharon/plugins/dnscert/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-dnscert.la
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index d9eeddf..d408cd2 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -418,7 +422,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-dnscert.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-dnscert.la
diff --git a/src/libcharon/plugins/duplicheck/Makefile.am b/src/libcharon/plugins/duplicheck/Makefile.am
index 4ea2bec..338a114 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.am
+++ b/src/libcharon/plugins/duplicheck/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-duplicheck.la
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index 0b12cf3..97432f1 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -273,6 +273,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -291,6 +292,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -318,6 +320,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -409,6 +412,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -426,7 +430,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-duplicheck.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-duplicheck.la
diff --git a/src/libcharon/plugins/eap_aka/Makefile.am b/src/libcharon/plugins/eap_aka/Makefile.am
index ba6e660..75e8eaf 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.am
+++ b/src/libcharon/plugins/eap_aka/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libsimaka
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-aka.la
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 9e771ae..5b20fe5 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -267,6 +267,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -285,6 +286,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -312,6 +314,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -403,6 +406,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -420,7 +424,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libsimaka
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-aka.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-aka.la
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
index 4e2b207..ec145a3 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libsimaka
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_aka_3gpp2_la_LIBADD = -lgmp
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 91c4bb1..d0ee198 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -268,6 +268,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -286,6 +287,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -313,6 +315,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -404,6 +407,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -421,7 +425,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libsimaka
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_aka_3gpp2_la_LIBADD = -lgmp $(am__append_1)
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.am b/src/libcharon/plugins/eap_dynamic/Makefile.am
index 13b4d10..58b827a 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.am
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-dynamic.la
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index 16d0b42..78b66ac 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -418,7 +422,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-dynamic.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-dynamic.la
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.am b/src/libcharon/plugins/eap_gtc/Makefile.am
index 811366a..c3a12ba 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.am
+++ b/src/libcharon/plugins/eap_gtc/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-gtc.la
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 1c8d51b..7f18792 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -265,6 +265,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -283,6 +284,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -310,6 +312,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -401,6 +404,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -417,7 +421,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-gtc.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-gtc.la
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
index e751b51..5fcd9eb 100644
--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
@@ -161,11 +161,11 @@ METHOD(eap_method_t, process_server, status_t,
 	{
 		/* assume that "out" contains username/password attributes */
 		co->destroy(co);
-		ci = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
+		ci = cp_payload_create_type(PLV1_CONFIGURATION, CFG_REPLY);
 		ci->add_attribute(ci, configuration_attribute_create_chunk(
-					CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, user));
+					PLV1_CONFIGURATION_ATTRIBUTE, XAUTH_USER_NAME, user));
 		ci->add_attribute(ci, configuration_attribute_create_chunk(
-					CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, pass));
+					PLV1_CONFIGURATION_ATTRIBUTE, XAUTH_USER_PASSWORD, pass));
 		switch (xauth->process(xauth, ci, &co))
 		{
 			case SUCCESS:
diff --git a/src/libcharon/plugins/eap_identity/Makefile.am b/src/libcharon/plugins/eap_identity/Makefile.am
index 1c15586..6c5b43f 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.am
+++ b/src/libcharon/plugins/eap_identity/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS =  \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-identity.la
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 4c536b2..5275a34 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -418,7 +422,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-identity.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-identity.la
diff --git a/src/libcharon/plugins/eap_md5/Makefile.am b/src/libcharon/plugins/eap_md5/Makefile.am
index 5835983..16aa191 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.am
+++ b/src/libcharon/plugins/eap_md5/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-md5.la
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index d9938dd..5dd623d 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -265,6 +265,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -283,6 +284,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -310,6 +312,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -401,6 +404,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -417,7 +421,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-md5.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-md5.la
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.am b/src/libcharon/plugins/eap_mschapv2/Makefile.am
index 030682d..4276a08 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.am
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-mschapv2.la
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 7caac9c..c0e4219 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -418,7 +422,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-mschapv2.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-mschapv2.la
diff --git a/src/libcharon/plugins/eap_peap/Makefile.am b/src/libcharon/plugins/eap_peap/Makefile.am
index 19410a4..8960b84 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.am
+++ b/src/libcharon/plugins/eap_peap/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-peap.la
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 29d8c8b..615a916 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -267,6 +267,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -285,6 +286,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -312,6 +314,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -403,6 +406,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -420,7 +424,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-peap.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-peap.la
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_avp.c b/src/libcharon/plugins/eap_peap/eap_peap_avp.c
index f7f634a..3f541ba 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_avp.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_avp.c
@@ -25,8 +25,6 @@ static const chunk_t MS_AVP_Success = chunk_from_chars(
 											0x80, 0x03, 0x00, 0x02, 0x00, 0x01);
 static const chunk_t MS_AVP_Failure = chunk_from_chars(
 											0x80, 0x03, 0x00, 0x02, 0x00, 0x02);
-static const chunk_t MS_SoH_Request = chunk_from_chars(
-			  0x00, 0x01, 0x37, 0x00, 0x00, 0x00, 0x21, 0x00, 0x02, 0x00, 0x00);
 
 typedef struct private_eap_peap_avp_t private_eap_peap_avp_t;
 
@@ -64,19 +62,6 @@ METHOD(eap_peap_avp_t, build, void,
 		writer->write_uint8(writer, EAP_MSTLV);
 		avp_data = (pkt->code == EAP_SUCCESS) ? MS_AVP_Success : MS_AVP_Failure;
 	}
-	/**
-	 * Still trying to form a correct MS SoH Request
-	 *
-	else if (pkt->type == EAP_MSCHAPV2)
-	{
-		code = (this->is_server) ? EAP_REQUEST : EAP_RESPONSE;
-		writer->write_uint8(writer, code);
-		writer->write_uint8(writer, pkt->identifier);
-		writer->write_uint16(writer, 16);
-		writer->write_uint8(writer, EAP_EXPANDED);
-		avp_data = MS_SoH_Request;
-	}
-	*/
 	else
 	{
 		avp_data = chunk_skip(data, 4);
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am
index 6fdb0d0..bc7a776 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.am
+++ b/src/libcharon/plugins/eap_radius/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libradius
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-radius.la
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index fbce312..cd4355d 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -268,6 +268,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -286,6 +287,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -313,6 +315,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -404,6 +407,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -421,7 +425,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libradius
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-radius.la
 @MONOLITHIC_FALSE at libstrongswan_eap_radius_la_LIBADD = $(top_builddir)/src/libradius/libradius.la
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index 5fb1bbb..0020c5d 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -210,7 +210,7 @@ static void add_ike_sa_parameters(private_eap_radius_accounting_t *this,
 {
 	enumerator_t *enumerator;
 	host_t *vip, *host;
-	char buf[128];
+	char buf[MAX_RADIUS_ATTRIBUTE_SIZE + 1];
 	chunk_t data;
 	u_int32_t value;
 
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
index 54d52a9..52ea840 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
@@ -232,8 +232,8 @@ static void ike2queue(message_t *message, linked_list_t *queue,
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
-		if (payload->get_type(payload) == NOTIFY ||
-			payload->get_type(payload) == NOTIFY_V1)
+		if (payload->get_type(payload) == PLV2_NOTIFY ||
+			payload->get_type(payload) == PLV1_NOTIFY)
 		{
 			notify = (notify_payload_t*)payload;
 			if (notify->get_notify_type(notify) == RADIUS_ATTRIBUTE)
@@ -362,8 +362,7 @@ static linked_list_t* parse_selector(char *selector)
 			vendor = atoi(token);
 			token = pos;
 		}
-		type = enum_from_name(radius_attribute_type_names, token);
-		if (type == -1)
+		if (!enum_from_name(radius_attribute_type_names, token, &type))
 		{
 			type = atoi(token);
 		}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
index d00f6bb..0fea509 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
@@ -87,12 +87,12 @@ static bool build_round(private_eap_radius_xauth_t *this, cp_payload_t *cp)
 		return FALSE;
 	}
 	cp->add_attribute(cp, configuration_attribute_create_chunk(
-					CONFIGURATION_ATTRIBUTE_V1, this->round.type, chunk_empty));
+					PLV1_CONFIGURATION_ATTRIBUTE, this->round.type, chunk_empty));
 
 	if (this->round.message && strlen(this->round.message))
 	{
 		cp->add_attribute(cp, configuration_attribute_create_chunk(
-					CONFIGURATION_ATTRIBUTE_V1, XAUTH_MESSAGE,
+					PLV1_CONFIGURATION_ATTRIBUTE, XAUTH_MESSAGE,
 					chunk_from_str(this->round.message)));
 	}
 	return TRUE;
@@ -103,10 +103,10 @@ METHOD(xauth_method_t, initiate, status_t,
 {
 	cp_payload_t *cp;
 
-	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST);
+	cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_REQUEST);
 	/* first message always comes with username */
 	cp->add_attribute(cp, configuration_attribute_create_chunk(
-				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, chunk_empty));
+				PLV1_CONFIGURATION_ATTRIBUTE, XAUTH_USER_NAME, chunk_empty));
 
 	if (build_round(this, cp))
 	{
@@ -211,7 +211,7 @@ METHOD(xauth_method_t, process, status_t,
 	{
 		return verify_radius(this);
 	}
-	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST);
+	cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_REQUEST);
 	if (build_round(this, cp))
 	{
 		*out = cp;
diff --git a/src/libcharon/plugins/eap_sim/Makefile.am b/src/libcharon/plugins/eap_sim/Makefile.am
index 2e9dad1..f681385 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.am
+++ b/src/libcharon/plugins/eap_sim/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libsimaka
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-sim.la
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 10b881f..494efd9 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -267,6 +267,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -285,6 +286,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -312,6 +314,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -403,6 +406,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -420,7 +424,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libsimaka
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-sim.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-sim.la
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.am b/src/libcharon/plugins/eap_sim_file/Makefile.am
index 0d4da07..c38e55e 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.am
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.am
@@ -6,7 +6,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-sim-file.la
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index e4552d1..82e7561 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -268,6 +268,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -286,6 +287,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -313,6 +315,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -404,6 +407,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -422,7 +426,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-sim-file.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-sim-file.la
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.am b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
index e5e9d01..2292204 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
@@ -6,7 +6,7 @@ AM_CPPFLAGS = \
 
 AM_CFLAGS = \
 	${pcsclite_CFLAGS} \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 libstrongswan_eap_sim_pcsc_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_sim_pcsc_la_LIBADD  = ${pcsclite_LIBS}
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 628f537..9a7a190 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -269,6 +269,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -287,6 +288,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -314,6 +316,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -405,6 +408,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -423,7 +427,7 @@ AM_CPPFLAGS = \
 
 AM_CFLAGS = \
 	${pcsclite_CFLAGS} \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 libstrongswan_eap_sim_pcsc_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_sim_pcsc_la_LIBADD = ${pcsclite_LIBS} \
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
index 0f21c68..f40efbd 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libsimaka
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 4a8127f..886b0c5 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -269,6 +269,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -287,6 +288,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -314,6 +316,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -405,6 +408,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -422,7 +426,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libsimaka
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.am b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
index be000c6..0fb6222 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libsimaka
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 8ac480d..57c6424 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -268,6 +268,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -286,6 +287,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -313,6 +315,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -404,6 +407,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -421,7 +425,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libsimaka
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.am b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
index 9a52bd8..b7d6fd4 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
@@ -6,7 +6,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 79b45a9..eb4d3fa 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -267,6 +267,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -285,6 +286,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -312,6 +314,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -403,6 +406,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -421,7 +425,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
diff --git a/src/libcharon/plugins/eap_tls/Makefile.am b/src/libcharon/plugins/eap_tls/Makefile.am
index c4944fc..825beb8 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.am
+++ b/src/libcharon/plugins/eap_tls/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-tls.la
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index c2b8b4f..c63d56b 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -419,7 +423,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-tls.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-tls.la
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.am b/src/libcharon/plugins/eap_tnc/Makefile.am
index 9586bef..6fc78bc 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.am
+++ b/src/libcharon/plugins/eap_tnc/Makefile.am
@@ -7,7 +7,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libtnccs
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index 1f2ace2..97552df 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -267,6 +267,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -285,6 +286,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -312,6 +314,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -403,6 +406,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -422,7 +426,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libtnccs
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-tnc.la
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index 2147c04..62d23d0 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -47,6 +47,11 @@ struct private_eap_tnc_t {
 	eap_tnc_t public;
 
 	/**
+	 * Inner EAP authentication type
+	 */
+	eap_type_t type;
+
+	/**
 	 * Outer EAP authentication type
 	 */
 	eap_type_t auth_type;
@@ -124,7 +129,7 @@ METHOD(eap_method_t, initiate, status_t,
 	private_eap_tnc_t *this, eap_payload_t **out)
 {
 	chunk_t data;
-	u_int32_t auth_type;
+	uint32_t auth_type;
 
 	/* Determine TNC Client Authentication Type */
 	switch (this->auth_type)
@@ -175,10 +180,10 @@ METHOD(eap_method_t, process, status_t,
 }
 
 METHOD(eap_method_t, get_type, eap_type_t,
-	private_eap_tnc_t *this, u_int32_t *vendor)
+	private_eap_tnc_t *this, uint32_t *vendor)
 {
 	*vendor = 0;
-	return EAP_TNC;
+	return this->type;
 }
 
 METHOD(eap_method_t, get_msk, status_t,
@@ -192,14 +197,14 @@ METHOD(eap_method_t, get_msk, status_t,
 	return FAILED;
 }
 
-METHOD(eap_method_t, get_identifier, u_int8_t,
+METHOD(eap_method_t, get_identifier, uint8_t,
 	private_eap_tnc_t *this)
 {
 	return this->tls_eap->get_identifier(this->tls_eap);
 }
 
 METHOD(eap_method_t, set_identifier, void,
-	private_eap_tnc_t *this, u_int8_t identifier)
+	private_eap_tnc_t *this, uint8_t identifier)
 {
 	this->tls_eap->set_identifier(this->tls_eap, identifier);
 }
@@ -214,7 +219,7 @@ METHOD(eap_method_t, destroy, void,
 	private_eap_tnc_t *this)
 {
 	chunk_t pdp_server;
-	u_int16_t pdp_port;
+	uint16_t pdp_port;
 	tls_t *tls;
 
 	pdp_server = this->tnccs->get_pdp_server(this->tnccs, &pdp_port);
@@ -245,13 +250,14 @@ METHOD(eap_inner_method_t, set_auth_type, void,
  * Generic private constructor
  */
 static eap_tnc_t *eap_tnc_create(identification_t *server,
-								 identification_t *peer, bool is_server)
+								 identification_t *peer, bool is_server,
+								 eap_type_t type)
 {
 	private_eap_tnc_t *this;
 	int max_msg_count;
 	char* protocol;
 	tnccs_t *tnccs;
-	tnccs_type_t type;
+	tnccs_type_t tnccs_type;
 
 	INIT(this,
 		.public = {
@@ -270,24 +276,25 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 				.set_auth_type = _set_auth_type,
 			},
 		},
+		.type = type,
 	);
 
 	max_msg_count = lib->settings->get_int(lib->settings,
 						"%s.plugins.eap-tnc.max_message_count",
 						EAP_TNC_MAX_MESSAGE_COUNT, lib->ns);
 	protocol = lib->settings->get_str(lib->settings,
-						"%s.plugins.eap-tnc.protocol", "tnccs-1.1", lib->ns);
+						"%s.plugins.eap-tnc.protocol", "tnccs-2.0", lib->ns);
 	if (strcaseeq(protocol, "tnccs-2.0"))
 	{
-		type = TNCCS_2_0;
+		tnccs_type = TNCCS_2_0;
 	}
 	else if (strcaseeq(protocol, "tnccs-1.1"))
 	{
-		type = TNCCS_1_1;
+		tnccs_type = TNCCS_1_1;
 	}
 	else if (strcaseeq(protocol, "tnccs-dynamic") && is_server)
 	{
-		type = TNCCS_DYNAMIC;
+		tnccs_type = TNCCS_DYNAMIC;
 	}
 	else
 	{
@@ -295,8 +302,9 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 		free(this);
 		return NULL;
 	}
-	tnccs = tnc->tnccs->create_instance(tnc->tnccs, type,
-						is_server, server, peer, TNC_IFT_EAP_1_1,
+	tnccs = tnc->tnccs->create_instance(tnc->tnccs, tnccs_type,
+						is_server, server, peer,
+						(type == EAP_TNC) ? TNC_IFT_EAP_1_1 : TNC_IFT_EAP_2_0,
 						is_server ? enforce_recommendation : NULL);
 	if (!tnccs)
 	{
@@ -305,7 +313,7 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 		return NULL;
 	}
 	this->tnccs = tnccs->get_ref(tnccs);
-	this->tls_eap = tls_eap_create(EAP_TNC, &tnccs->tls,
+	this->tls_eap = tls_eap_create(type, &tnccs->tls,
 								   EAP_TNC_MAX_MESSAGE_LEN,
 								   max_msg_count, FALSE);
 	if (!this->tls_eap)
@@ -319,11 +327,23 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 eap_tnc_t *eap_tnc_create_server(identification_t *server,
 								 identification_t *peer)
 {
-	return eap_tnc_create(server, peer, TRUE);
+	return eap_tnc_create(server, peer, TRUE, EAP_TNC);
 }
 
 eap_tnc_t *eap_tnc_create_peer(identification_t *server,
 							   identification_t *peer)
 {
-	return eap_tnc_create(server, peer, FALSE);
+	return eap_tnc_create(server, peer, FALSE, EAP_TNC);
+}
+
+eap_tnc_t *eap_tnc_pt_create_server(identification_t *server,
+								 identification_t *peer)
+{
+	return eap_tnc_create(server, peer, TRUE, EAP_PT_EAP);
+}
+
+eap_tnc_t *eap_tnc_pt_create_peer(identification_t *server,
+							   identification_t *peer)
+{
+	return eap_tnc_create(server, peer, FALSE, EAP_PT_EAP);
 }
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.h b/src/libcharon/plugins/eap_tnc/eap_tnc.h
index 8c881f6..d7ea9f4 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.h
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.h
@@ -26,7 +26,7 @@ typedef struct eap_tnc_t eap_tnc_t;
 #include <sa/eap/eap_inner_method.h>
 
 /**
- * Implementation of the eap_method_t interface using EAP-TNC.
+ * Implementation of the eap_method_t interface using EAP-TNC or PT-EAP.
  */
 struct eap_tnc_t {
 
@@ -43,7 +43,8 @@ struct eap_tnc_t {
  * @param peer		ID of the EAP client
  * @return			eap_tnc_t object
  */
-eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *peer);
+eap_tnc_t *eap_tnc_create_server(identification_t *server,
+								 identification_t *peer);
 
 /**
  * Creates the EAP method EAP-TNC acting as peer.
@@ -52,6 +53,27 @@ eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *pee
  * @param peer		ID of the EAP client
  * @return			eap_tnc_t object
  */
-eap_tnc_t *eap_tnc_create_peer(identification_t *server, identification_t *peer);
+eap_tnc_t *eap_tnc_create_peer(identification_t *server,
+							   identification_t *peer);
+
+/**
+ * Creates the EAP method PT-EAP acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_tnc_t object
+ */
+eap_tnc_t *eap_tnc_pt_create_server(identification_t *server,
+									identification_t *peer);
+
+/**
+ * Creates the EAP method PT-EAP acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_tnc_t object
+ */
+eap_tnc_t *eap_tnc_pt_create_peer(identification_t *server,
+								  identification_t *peer);
 
 #endif /** EAP_TNC_H_ @}*/
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
index 813a75f..d0f79fa 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
@@ -36,6 +36,14 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(EAP_PEER, EAP_TNC),
 				PLUGIN_DEPENDS(EAP_PEER, EAP_TTLS),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
+		PLUGIN_CALLBACK(eap_method_register, eap_tnc_pt_create_server),
+			PLUGIN_PROVIDE(EAP_SERVER, EAP_PT_EAP),
+				PLUGIN_DEPENDS(EAP_SERVER, EAP_TTLS),
+				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
+		PLUGIN_CALLBACK(eap_method_register, eap_tnc_pt_create_peer),
+			PLUGIN_PROVIDE(EAP_PEER, EAP_PT_EAP),
+				PLUGIN_DEPENDS(EAP_PEER, EAP_TTLS),
+				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.am b/src/libcharon/plugins/eap_ttls/Makefile.am
index 81776d8..3a7a8cd 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.am
+++ b/src/libcharon/plugins/eap_ttls/Makefile.am
@@ -6,7 +6,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libradius
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-ttls.la
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index b693787..70cc184 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -268,6 +268,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -286,6 +287,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -313,6 +315,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -404,6 +407,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -422,7 +426,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libradius
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-eap-ttls.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-eap-ttls.la
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
index 88c2b88..9d145ea 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
- * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010-2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -107,22 +107,34 @@ static status_t start_phase2_auth(private_eap_ttls_server_t *this)
 }
 
 /**
- * If configured, start EAP-TNC protocol
+ * If configured, start PT-EAP or legacy EAP-TNC protocol
  */
 static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
 								 eap_type_t auth_type)
 {
 	eap_inner_method_t *inner_method;
+	eap_type_t type;
+	char *eap_type_str;
 
 	if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
 							"%s.plugins.eap-ttls.phase2_tnc", FALSE, lib->ns))
 	{
-		DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
-		this->method = charon->eap->create_instance(charon->eap, EAP_TNC,
+		eap_type_str = lib->settings->get_str(lib->settings,
+							"%s.plugins.eap-ttls.phase2_tnc_method", "pt",
+							lib->ns);
+		type = eap_type_from_string(eap_type_str);
+		if (type == 0)
+		{
+			DBG1(DBG_IKE, "unrecognized phase2 EAP TNC method \"%s\"",
+						   eap_type_str);
+			return FAILED;
+		}
+		DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type);
+		this->method = charon->eap->create_instance(charon->eap, type,
 									0, EAP_SERVER, this->server, this->peer);
 		if (this->method == NULL)
 		{
-			DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
+			DBG1(DBG_IKE, "%N method not available", eap_type_names, type);
 			return FAILED;
 		}
 		inner_method = (eap_inner_method_t *)this->method;
@@ -135,7 +147,7 @@ static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
 		}
 		else
 		{
-			DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_TNC);
+			DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
 			return FAILED;
 		}
 	}
@@ -151,7 +163,7 @@ METHOD(tls_application_t, process, status_t,
 	eap_payload_t *in;
 	eap_code_t code;
 	eap_type_t type = EAP_NAK, received_type;
-	u_int32_t vendor, received_vendor;
+	uint32_t vendor, received_vendor;
 
 	status = this->avp->process(this->avp, reader, &data);
 	switch (status)
@@ -297,7 +309,7 @@ METHOD(tls_application_t, build, status_t,
 	chunk_t data;
 	eap_code_t code;
 	eap_type_t type;
-	u_int32_t vendor;
+	uint32_t vendor;
 
 	if (this->method == NULL && this->start_phase2 &&
 		lib->settings->get_bool(lib->settings,
diff --git a/src/libcharon/plugins/error_notify/Makefile.am b/src/libcharon/plugins/error_notify/Makefile.am
index 980fe1f..1c64bd2 100644
--- a/src/libcharon/plugins/error_notify/Makefile.am
+++ b/src/libcharon/plugins/error_notify/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-error-notify.la
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index 8dd7875..0782dde 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -274,6 +274,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -292,6 +293,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -319,6 +321,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -410,6 +413,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -427,7 +431,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-error-notify.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-error-notify.la
diff --git a/src/libcharon/plugins/farp/Makefile.am b/src/libcharon/plugins/farp/Makefile.am
index 95e57d8..0d862b0 100644
--- a/src/libcharon/plugins/farp/Makefile.am
+++ b/src/libcharon/plugins/farp/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-farp.la
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 13f0e52..75ff158 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -264,6 +264,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -282,6 +283,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -309,6 +311,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -400,6 +403,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -416,7 +420,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-farp.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-farp.la
diff --git a/src/libcharon/plugins/ha/Makefile.am b/src/libcharon/plugins/ha/Makefile.am
index c10f7f9..50d3423 100644
--- a/src/libcharon/plugins/ha/Makefile.am
+++ b/src/libcharon/plugins/ha/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-ha.la
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index d7a77ee..cec7362 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -419,7 +423,7 @@ AM_CPPFLAGS = \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-ha.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-ha.la
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 1ce9d3a..6ff24c3 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -245,13 +245,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 		{
 			if (old_sa)
 			{
-				peer_cfg_t *peer_cfg = old_sa->get_peer_cfg(old_sa);
-
-				if (peer_cfg)
-				{
-					ike_sa->set_peer_cfg(ike_sa, peer_cfg);
-					ike_sa->inherit(ike_sa, old_sa);
-				}
+				ike_sa->inherit_pre(ike_sa, old_sa);
+				ike_sa->inherit_post(ike_sa, old_sa);
 				charon->ike_sa_manager->checkin_and_destroy(
 												charon->ike_sa_manager, old_sa);
 				old_sa = NULL;
@@ -1077,4 +1072,3 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index 74147e5..dd23993 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -207,6 +207,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 							 charon->socket->get_port(charon->socket, FALSE),
 							 remote, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
 	peer_cfg = peer_cfg_create("ha", ike_cfg, CERT_NEVER_SEND,
 						UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE,
 						TRUE, 30, 0, FALSE, NULL, NULL);
@@ -235,6 +236,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 	ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
 	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
 	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
 	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
 
 	this->backend.cfg = peer_cfg;
diff --git a/src/libcharon/plugins/ipseckey/Makefile.am b/src/libcharon/plugins/ipseckey/Makefile.am
index 3a69e52..aed63c1 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.am
+++ b/src/libcharon/plugins/ipseckey/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-ipseckey.la
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index 1f62f40..da2e8d7 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -266,6 +266,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -284,6 +285,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -311,6 +313,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -402,6 +405,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -418,7 +422,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-ipseckey.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-ipseckey.la
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.am b/src/libcharon/plugins/kernel_iph/Makefile.am
new file mode 100644
index 0000000..56946ae
--- /dev/null
+++ b/src/libcharon/plugins/kernel_iph/Makefile.am
@@ -0,0 +1,20 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-iph.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-iph.la
+endif
+
+libstrongswan_kernel_iph_la_SOURCES = \
+	kernel_iph_plugin.h kernel_iph_plugin.c \
+	kernel_iph_net.h kernel_iph_net.c
+
+libstrongswan_kernel_iph_la_LDFLAGS = -module -avoid-version
+libstrongswan_kernel_iph_la_LIBADD = -liphlpapi
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in
new file mode 100644
index 0000000..460c7b7
--- /dev/null
+++ b/src/libcharon/plugins/kernel_iph/Makefile.in
@@ -0,0 +1,768 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/kernel_iph
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_iph_la_DEPENDENCIES =
+am_libstrongswan_kernel_iph_la_OBJECTS = kernel_iph_plugin.lo \
+	kernel_iph_net.lo
+libstrongswan_kernel_iph_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_iph_la_OBJECTS)
+AM_V_lt = $(am__v_lt_ at AM_V@)
+am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libstrongswan_kernel_iph_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_kernel_iph_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+ at MONOLITHIC_FALSE@am_libstrongswan_kernel_iph_la_rpath = -rpath \
+ at MONOLITHIC_FALSE@	$(plugindir)
+ at MONOLITHIC_TRUE@am_libstrongswan_kernel_iph_la_rpath =
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_ at AM_V@)
+am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libstrongswan_kernel_iph_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_iph_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+ at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-iph.la
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-iph.la
+libstrongswan_kernel_iph_la_SOURCES = \
+	kernel_iph_plugin.h kernel_iph_plugin.c \
+	kernel_iph_net.h kernel_iph_net.c
+
+libstrongswan_kernel_iph_la_LDFLAGS = -module -avoid-version
+libstrongswan_kernel_iph_la_LIBADD = -liphlpapi
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_iph/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_iph/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libstrongswan-kernel-iph.la: $(libstrongswan_kernel_iph_la_OBJECTS) $(libstrongswan_kernel_iph_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_iph_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_kernel_iph_la_LINK) $(am_libstrongswan_kernel_iph_la_rpath) $(libstrongswan_kernel_iph_la_OBJECTS) $(libstrongswan_kernel_iph_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/kernel_iph_net.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/kernel_iph_plugin.Plo at am__quote@
+
+.c.o:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+ at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_net.c b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
new file mode 100644
index 0000000..a4be404
--- /dev/null
+++ b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
@@ -0,0 +1,775 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/* Windows 7, for some iphlpapi.h functionality */
+#define _WIN32_WINNT 0x0601
+#include <winsock2.h>
+#include <ws2ipdef.h>
+#include <windows.h>
+#include <ntddndis.h>
+#include <naptypes.h>
+#include <iphlpapi.h>
+
+#include "kernel_iph_net.h"
+
+#include <hydra.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+
+/** delay before firing roam events (ms) */
+#define ROAM_DELAY 500
+
+typedef struct private_kernel_iph_net_t private_kernel_iph_net_t;
+
+/**
+ * Private data of kernel_iph_net implementation.
+ */
+struct private_kernel_iph_net_t {
+
+	/**
+	 * Public interface.
+	 */
+	kernel_iph_net_t public;
+
+	/**
+	 * NotifyIpInterfaceChange() handle
+	 */
+	HANDLE changes;
+
+	/**
+	 * EnableRouter() OVERLAPPED
+	 */
+	OVERLAPPED router;
+
+	/**
+	 * Mutex to access interface list
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Known interfaces, as iface_t
+	 */
+	linked_list_t *ifaces;
+
+	/**
+	 * Earliest time of the next roam event
+	 */
+	timeval_t roam_next;
+
+	/**
+	 * Roam event due to address change?
+	 */
+	bool roam_address;
+};
+
+/**
+ * Interface entry
+ */
+typedef struct  {
+	/** interface index */
+	DWORD ifindex;
+	/** interface name */
+	char *ifname;
+	/** interface description */
+	char *ifdesc;
+	/** type of interface */
+	DWORD iftype;
+	/** interface status */
+	IF_OPER_STATUS status;
+	/** list of known addresses, as host_t */
+	linked_list_t *addrs;
+} iface_t;
+
+/**
+ * Clean up an iface_t
+ */
+static void iface_destroy(iface_t *this)
+{
+	this->addrs->destroy_offset(this->addrs, offsetof(host_t, destroy));
+	free(this->ifname);
+	free(this->ifdesc);
+	free(this);
+}
+
+/**
+ * Enum names for Windows IF_OPER_STATUS
+ */
+ENUM(if_oper_names, IfOperStatusUp, IfOperStatusLowerLayerDown,
+	"Up",
+	"Down",
+	"Testing",
+	"Unknown",
+	"Dormant",
+	"NotPresent",
+	"LowerLayerDown",
+);
+
+/**
+ * Callback function that raises the delayed roam event
+ */
+static job_requeue_t roam_event(private_kernel_iph_net_t *this)
+{
+	bool address;
+
+	this->mutex->lock(this->mutex);
+	address = this->roam_address;
+	this->roam_address = FALSE;
+	this->mutex->unlock(this->mutex);
+
+	hydra->kernel_interface->roam(hydra->kernel_interface, address);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Fire delayed roam event, caller should hold mutex
+ */
+static void fire_roam_event(private_kernel_iph_net_t *this, bool address)
+{
+	timeval_t now;
+
+	time_monotonic(&now);
+	this->roam_address |= address;
+	if (timercmp(&now, &this->roam_next, >))
+	{
+		timeval_add_ms(&now, ROAM_DELAY);
+		this->roam_next = now;
+		lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
+							callback_job_create((callback_job_cb_t)roam_event,
+												this, NULL, NULL),
+							ROAM_DELAY);
+	}
+}
+
+/**
+ * Update addresses for an iface entry
+ */
+static void update_addrs(private_kernel_iph_net_t *this, iface_t *entry,
+						 IP_ADAPTER_ADDRESSES *addr, bool log)
+{
+	IP_ADAPTER_UNICAST_ADDRESS *current;
+	enumerator_t *enumerator;
+	linked_list_t *list;
+	host_t *host, *old;
+	bool changes = FALSE;
+
+	list = entry->addrs;
+	entry->addrs = linked_list_create();
+
+	for (current = addr->FirstUnicastAddress; current; current = current->Next)
+	{
+		if (current->Address.lpSockaddr->sa_family == AF_INET6)
+		{
+			struct sockaddr_in6 *sin;
+
+			sin = (struct sockaddr_in6*)current->Address.lpSockaddr;
+			if (IN6_IS_ADDR_LINKLOCAL(&sin->sin6_addr))
+			{
+				continue;
+			}
+		}
+
+		host = host_create_from_sockaddr(current->Address.lpSockaddr);
+		if (host)
+		{
+			bool found = FALSE;
+
+			enumerator = list->create_enumerator(list);
+			while (enumerator->enumerate(enumerator, &old))
+			{
+				if (host->ip_equals(host, old))
+				{
+					list->remove_at(list, enumerator);
+					old->destroy(old);
+					found = TRUE;
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			entry->addrs->insert_last(entry->addrs, host);
+
+			if (!found && log)
+			{
+				DBG1(DBG_KNL, "%H appeared on interface %u '%s'",
+					 host, entry->ifindex, entry->ifdesc);
+				changes = TRUE;
+			}
+		}
+	}
+
+	while (list->remove_first(list, (void**)&old) == SUCCESS)
+	{
+		if (log)
+		{
+			DBG1(DBG_KNL, "%H disappeared from interface %u '%s'",
+				 old, entry->ifindex, entry->ifdesc);
+			changes = TRUE;
+		}
+		old->destroy(old);
+	}
+	list->destroy(list);
+
+	if (changes)
+	{
+		fire_roam_event(this, TRUE);
+	}
+}
+
+/**
+ * Add an interface entry
+ */
+static void add_interface(private_kernel_iph_net_t *this,
+						  IP_ADAPTER_ADDRESSES *addr, bool log)
+{
+	enumerator_t *enumerator;
+	iface_t *entry;
+	bool exists = FALSE;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->ifaces->create_enumerator(this->ifaces);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->ifindex == addr->IfIndex)
+		{
+			exists = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	if (!exists)
+	{
+		char desc[128] = "";
+
+		wcstombs(desc, addr->Description, sizeof(desc));
+
+		INIT(entry,
+			.ifindex = addr->IfIndex,
+			.ifname = strdup(addr->AdapterName),
+			.ifdesc = strdup(desc),
+			.iftype = addr->IfType,
+			.status = addr->OperStatus,
+			.addrs = linked_list_create(),
+		);
+
+		if (log)
+		{
+			DBG1(DBG_KNL, "interface %u '%s' appeared",
+				 entry->ifindex, entry->ifdesc);
+		}
+
+		this->mutex->lock(this->mutex);
+		update_addrs(this, entry, addr, log);
+		this->ifaces->insert_last(this->ifaces, entry);
+		this->mutex->unlock(this->mutex);
+	}
+}
+
+/**
+ * Remove an interface entry that is gone
+ */
+static void remove_interface(private_kernel_iph_net_t *this, NET_IFINDEX index)
+{
+	enumerator_t *enumerator;
+	iface_t *entry;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->ifaces->create_enumerator(this->ifaces);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->ifindex == index)
+		{
+			this->ifaces->remove_at(this->ifaces, enumerator);
+			DBG1(DBG_KNL, "interface %u '%s' disappeared",
+				 entry->ifindex, entry->ifdesc);
+			iface_destroy(entry);
+			fire_roam_event(this, TRUE);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Update an interface entry changed
+ */
+static void update_interface(private_kernel_iph_net_t *this,
+							 IP_ADAPTER_ADDRESSES *addr)
+{
+	enumerator_t *enumerator;
+	iface_t *entry;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->ifaces->create_enumerator(this->ifaces);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->ifindex == addr->IfIndex)
+		{
+			if (entry->status != addr->OperStatus)
+			{
+				DBG1(DBG_KNL, "interface %u '%s' changed state from %N to %N",
+					 entry->ifindex, entry->ifdesc, if_oper_names,
+					 entry->status, if_oper_names, addr->OperStatus);
+				entry->status = addr->OperStatus;
+				fire_roam_event(this, TRUE);
+			}
+			update_addrs(this, entry, addr, TRUE);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * MinGW gets MIB_IPINTERFACE_ROW wrong, as it packs InterfaceLuid just after
+ * Family. Fix that with our own version of the struct header.
+ */
+typedef struct {
+	ADDRESS_FAMILY Family;
+	union {
+		ULONG64 Value;
+		struct {
+			ULONG64 Reserved :24;
+			ULONG64 NetLuidIndex :24;
+			ULONG64 IfType :16;
+		} Info;
+	} InterfaceLuid;
+	NET_IFINDEX InterfaceIndex;
+	/* more would go here if needed */
+} MIB_IPINTERFACE_ROW_FIXUP;
+
+/**
+ * NotifyIpInterfaceChange() callback
+ */
+static void WINAPI change_interface(void *user, PMIB_IPINTERFACE_ROW row_badal,
+									MIB_NOTIFICATION_TYPE type)
+{
+	private_kernel_iph_net_t *this = user;
+	MIB_IPINTERFACE_ROW_FIXUP* row = (MIB_IPINTERFACE_ROW_FIXUP*)row_badal;
+	IP_ADAPTER_ADDRESSES addrs[64], *current;
+	ULONG res, size = sizeof(addrs);
+
+	if (row && type == MibDeleteInstance)
+	{
+		remove_interface(this, row->InterfaceIndex);
+	}
+	else
+	{
+		res = GetAdaptersAddresses(AF_UNSPEC,
+						GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST |
+						GAA_FLAG_SKIP_DNS_SERVER | GAA_FLAG_SKIP_FRIENDLY_NAME,
+						NULL, addrs, &size);
+		if (res == NO_ERROR)
+		{
+			current = addrs;
+			while (current)
+			{
+				/* row is NULL only on MibInitialNotification */
+				if (!row || row->InterfaceIndex == current->IfIndex)
+				{
+					switch (type)
+					{
+						case MibParameterNotification:
+							update_interface(this, current);
+							break;
+						case MibInitialNotification:
+							add_interface(this, current, FALSE);
+							break;
+						case MibAddInstance:
+							add_interface(this, current, TRUE);
+							break;
+						default:
+							break;
+					}
+				}
+				current = current->Next;
+			}
+		}
+		else
+		{
+			DBG1(DBG_KNL, "getting IPH adapter addresses failed: 0x%08lx", res);
+		}
+	}
+}
+
+/**
+ * Get an iface entry for a local address, does no locking
+ */
+static iface_t* address2entry(private_kernel_iph_net_t *this, host_t *ip)
+{
+	enumerator_t *ifaces, *addrs;
+	iface_t *entry, *found = NULL;
+	host_t *host;
+
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (!found && ifaces->enumerate(ifaces, &entry))
+	{
+		addrs = entry->addrs->create_enumerator(entry->addrs);
+		while (!found && addrs->enumerate(addrs, &host))
+		{
+			if (host->ip_equals(host, ip))
+			{
+				found = entry;
+			}
+		}
+		addrs->destroy(addrs);
+	}
+	ifaces->destroy(ifaces);
+
+	return found;
+}
+
+METHOD(kernel_net_t, get_interface_name, bool,
+	private_kernel_iph_net_t *this, host_t* ip, char **name)
+{
+	iface_t *entry;
+
+	this->mutex->lock(this->mutex);
+	entry = address2entry(this, ip);
+	if (entry && name)
+	{
+		*name = strdup(entry->ifname);
+	}
+	this->mutex->unlock(this->mutex);
+
+	return entry != NULL;
+}
+
+/**
+ * Address enumerator
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** what kind of address should we enumerate? */
+	kernel_address_type_t which;
+	/** enumerator over interfaces */
+	enumerator_t *ifaces;
+	/** current enumerator over addresses, or NULL */
+	enumerator_t *addrs;
+	/** mutex to unlock on destruction */
+	mutex_t *mutex;
+} addr_enumerator_t;
+
+METHOD(enumerator_t, addr_enumerate, bool,
+	addr_enumerator_t *this, host_t **host)
+{
+	iface_t *entry;
+
+	while (TRUE)
+	{
+		while (!this->addrs)
+		{
+			if (!this->ifaces->enumerate(this->ifaces, &entry))
+			{
+				return FALSE;
+			}
+			if (entry->iftype == IF_TYPE_SOFTWARE_LOOPBACK &&
+				!(this->which & ADDR_TYPE_LOOPBACK))
+			{
+				continue;
+			}
+			if (entry->status != IfOperStatusUp &&
+				!(this->which & ADDR_TYPE_DOWN))
+			{
+				continue;
+			}
+			this->addrs = entry->addrs->create_enumerator(entry->addrs);
+		}
+		if (this->addrs->enumerate(this->addrs, host))
+		{
+			return TRUE;
+		}
+		this->addrs->destroy(this->addrs);
+		this->addrs = NULL;
+	}
+}
+
+METHOD(enumerator_t, addr_destroy, void,
+	addr_enumerator_t *this)
+{
+	DESTROY_IF(this->addrs);
+	this->ifaces->destroy(this->ifaces);
+	this->mutex->unlock(this->mutex);
+	free(this);
+}
+
+METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
+	private_kernel_iph_net_t *this, kernel_address_type_t which)
+{
+	addr_enumerator_t *enumerator;
+
+	if (!(which & ADDR_TYPE_REGULAR))
+	{
+		/* we currently have no virtual, but regular IPs only */
+		return enumerator_create_empty();
+	}
+
+	this->mutex->lock(this->mutex);
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_addr_enumerate,
+			.destroy = _addr_destroy,
+		},
+		.which = which,
+		.ifaces = this->ifaces->create_enumerator(this->ifaces),
+		.mutex = this->mutex,
+	);
+	return &enumerator->public;
+}
+
+METHOD(kernel_net_t, get_source_addr, host_t*,
+	private_kernel_iph_net_t *this, host_t *dest, host_t *src)
+{
+	MIB_IPFORWARD_ROW2 route;
+	SOCKADDR_INET best, *sai_dst, *sai_src = NULL;
+	DWORD res, index = 0;
+
+	res = GetBestInterfaceEx(dest->get_sockaddr(dest), &index);
+	if (res != NO_ERROR)
+	{
+		DBG1(DBG_KNL, "getting interface to %H failed: 0x%08x", dest, res);
+		return NULL;
+	}
+
+	sai_dst = (SOCKADDR_INET*)dest->get_sockaddr(dest);
+	if (src)
+	{
+		sai_src = (SOCKADDR_INET*)src->get_sockaddr(src);
+	}
+	res = GetBestRoute2(0, index, sai_src, sai_dst, 0, &route, &best);
+	if (res != NO_ERROR)
+	{
+		DBG2(DBG_KNL, "getting src address to %H failed: 0x%08x", dest, res);
+		return NULL;
+	}
+	return host_create_from_sockaddr((struct sockaddr*)&best);
+}
+
+METHOD(kernel_net_t, get_nexthop, host_t*,
+	private_kernel_iph_net_t *this, host_t *dest, int prefix, host_t *src)
+{
+	MIB_IPFORWARD_ROW2 route;
+	SOCKADDR_INET best, *sai_dst, *sai_src = NULL;
+	DWORD res, index = 0;
+	host_t *nexthop;
+
+	res = GetBestInterfaceEx(dest->get_sockaddr(dest), &index);
+	if (res != NO_ERROR)
+	{
+		DBG1(DBG_KNL, "getting interface to %H failed: 0x%08x", dest, res);
+		return NULL;
+	}
+
+	sai_dst = (SOCKADDR_INET*)dest->get_sockaddr(dest);
+	if (src)
+	{
+		sai_src = (SOCKADDR_INET*)src->get_sockaddr(src);
+	}
+	res = GetBestRoute2(0, index, sai_src, sai_dst, 0, &route, &best);
+	if (res != NO_ERROR)
+	{
+		DBG2(DBG_KNL, "getting nexthop to %H failed: 0x%08x", dest, res);
+		return NULL;
+	}
+	nexthop = host_create_from_sockaddr((struct sockaddr*)&route.NextHop);
+	if (nexthop)
+	{
+		if (!nexthop->is_anyaddr(nexthop))
+		{
+			return nexthop;
+		}
+		nexthop->destroy(nexthop);
+	}
+	return NULL;
+}
+
+METHOD(kernel_net_t, add_ip, status_t,
+	private_kernel_iph_net_t *this, host_t *virtual_ip, int prefix,
+	char *iface_name)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_net_t, del_ip, status_t,
+	private_kernel_iph_net_t *this, host_t *virtual_ip, int prefix,
+	bool wait)
+{
+	return NOT_SUPPORTED;
+}
+
+/**
+ * Add or remove a route
+ */
+static status_t manage_route(private_kernel_iph_net_t *this, bool add,
+					chunk_t dst, u_int8_t prefixlen, host_t *gtw, char *name)
+{
+	MIB_IPFORWARD_ROW2 row = {
+		.DestinationPrefix = {
+			.PrefixLength = prefixlen,
+		},
+		.SitePrefixLength = prefixlen,
+		.ValidLifetime = INFINITE,
+		.PreferredLifetime = INFINITE,
+		.Metric = 10,
+		.Protocol = MIB_IPPROTO_NETMGMT,
+	};
+	enumerator_t *enumerator;
+	iface_t *entry;
+	ULONG ret;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->ifaces->create_enumerator(this->ifaces);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (streq(name, entry->ifname))
+		{
+			row.InterfaceIndex = entry->ifindex;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	if (!row.InterfaceIndex)
+	{
+		return NOT_FOUND;
+	}
+	switch (dst.len)
+	{
+		case 4:
+			row.DestinationPrefix.Prefix.si_family = AF_INET;
+			memcpy(&row.DestinationPrefix.Prefix.Ipv4.sin_addr,
+				   dst.ptr, dst.len);
+			break;
+		case 16:
+			row.DestinationPrefix.Prefix.si_family = AF_INET6;
+			memcpy(&row.DestinationPrefix.Prefix.Ipv6.sin6_addr,
+				   dst.ptr, dst.len);
+			break;
+		default:
+			return FAILED;
+	}
+	if (gtw)
+	{
+		memcpy(&row.NextHop, gtw->get_sockaddr(gtw),
+			   *gtw->get_sockaddr_len(gtw));
+	}
+
+	if (add)
+	{
+		ret = CreateIpForwardEntry2(&row);
+	}
+	else
+	{
+		ret = DeleteIpForwardEntry2(&row);
+	}
+	if (ret != NO_ERROR)
+	{
+		DBG1(DBG_KNL, "%sing route failed: 0x%08lx", add ? "add" : "remov", ret);
+		return FAILED;
+	}
+
+	if (add)
+	{
+		ret = EnableRouter(NULL, &this->router);
+		if (ret != ERROR_IO_PENDING)
+		{
+			DBG1(DBG_KNL, "EnableRouter router failed: 0x%08lx", ret);
+		}
+	}
+	else
+	{
+		ret = UnenableRouter(&this->router, NULL);
+		if (ret != NO_ERROR)
+		{
+			DBG1(DBG_KNL, "UnenableRouter router failed: 0x%08lx", ret);
+		}
+	}
+	return SUCCESS;
+}
+
+METHOD(kernel_net_t, add_route, status_t,
+	private_kernel_iph_net_t *this, chunk_t dst, u_int8_t prefixlen,
+	host_t *gateway, host_t *src, char *name)
+{
+	return manage_route(this, TRUE, dst, prefixlen, gateway, name);
+}
+
+METHOD(kernel_net_t, del_route, status_t,
+	private_kernel_iph_net_t *this, chunk_t dst, u_int8_t prefixlen,
+	host_t *gateway, host_t *src, char *name)
+{
+	return manage_route(this, FALSE, dst, prefixlen, gateway, name);
+}
+
+METHOD(kernel_net_t, destroy, void,
+	private_kernel_iph_net_t *this)
+{
+	if (this->changes)
+	{
+		CancelMibChangeNotify2(this->changes);
+	}
+	CloseHandle(this->router.hEvent);
+	this->mutex->destroy(this->mutex);
+	this->ifaces->destroy_function(this->ifaces, (void*)iface_destroy);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_iph_net_t *kernel_iph_net_create()
+{
+	private_kernel_iph_net_t *this;
+	ULONG res;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_interface = _get_interface_name,
+				.create_address_enumerator = _create_address_enumerator,
+				.get_source_addr = _get_source_addr,
+				.get_nexthop = _get_nexthop,
+				.add_ip = _add_ip,
+				.del_ip = _del_ip,
+				.add_route = _add_route,
+				.del_route = _del_route,
+				.destroy = _destroy,
+			},
+		},
+		.router = {
+			.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL),
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.ifaces = linked_list_create(),
+	);
+	/* PIPINTERFACE_CHANGE_CALLBACK is not using WINAPI in MinGW, which seems
+	 * to be wrong. Force a cast to our WINAPI call */
+	res = NotifyIpInterfaceChange(AF_UNSPEC, (void*)change_interface,
+								  this, TRUE, &this->changes);
+	if (res != NO_ERROR)
+	{
+		DBG1(DBG_KNL, "registering for IPH interface changes failed: 0x%08lx",
+			 res);
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_net.h b/src/libcharon/plugins/kernel_iph/kernel_iph_net.h
new file mode 100644
index 0000000..c8f35de
--- /dev/null
+++ b/src/libcharon/plugins/kernel_iph/kernel_iph_net.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_iph_net_i kernel_iph_net
+ * @{ @ingroup kernel_iph
+ */
+
+#ifndef KERNEL_IPH_NET_H_
+#define KERNEL_IPH_NET_H_
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_iph_net_t kernel_iph_net_t;
+
+/**
+ * Implementation of the kernel network interface using Windows IP Helper.
+ */
+struct kernel_iph_net_t {
+
+	/**
+	 * Implements kernel_net_t interface
+	 */
+	kernel_net_t interface;
+};
+
+/**
+ * Create IP Helper network backend instance.
+ *
+ * @return			kernel_iph_net_t instance
+ */
+kernel_iph_net_t *kernel_iph_net_create();
+
+#endif /** KERNEL_IPH_NET_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c b/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c
new file mode 100644
index 0000000..c5475e3
--- /dev/null
+++ b/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_iph_plugin.h"
+#include "kernel_iph_net.h"
+
+#include <hydra.h>
+
+typedef struct private_kernel_iph_plugin_t private_kernel_iph_plugin_t;
+
+/**
+ * Private data of kernel iph plugin
+ */
+struct private_kernel_iph_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	kernel_iph_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_kernel_iph_plugin_t *this)
+{
+	return "kernel-iph";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_kernel_iph_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(kernel_net_register, kernel_iph_net_create),
+			PLUGIN_PROVIDE(CUSTOM, "kernel-net"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_kernel_iph_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * See header file
+ */
+plugin_t *kernel_iph_plugin_create()
+{
+	private_kernel_iph_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.h b/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.h
new file mode 100644
index 0000000..616f90e
--- /dev/null
+++ b/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_iph kernel_iph
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_iph_plugin kernel_iph_plugin
+ * @{ @ingroup kernel_iph
+ */
+
+#ifndef KERNEL_IPH_PLUGIN_H_
+#define KERNEL_IPH_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_iph_plugin_t kernel_iph_plugin_t;
+
+/**
+ * Windows IP Helper API based networking backend.
+ */
+struct kernel_iph_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** KERNEL_IPH_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.am b/src/libcharon/plugins/kernel_libipsec/Makefile.am
index a39d067..eca2b23 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.am
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libipsec
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-kernel-libipsec.la
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index 3bc289d..a4e5ba9 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -268,6 +268,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -286,6 +287,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -313,6 +315,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -404,6 +407,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -421,7 +425,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libipsec
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 @MONOLITHIC_TRUE at noinst_LTLIBRARIES = libstrongswan-kernel-libipsec.la
 @MONOLITHIC_FALSE at plugin_LTLIBRARIES = libstrongswan-kernel-libipsec.la
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index b335807..bd07a67 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -252,8 +252,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+	u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+	bool initiator, bool encap, bool esn, bool inbound,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
@@ -313,7 +314,7 @@ static void add_exclude_route(private_kernel_libipsec_ipsec_t *this,
 	{
 		DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
 		gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
-												   dst, NULL);
+												   dst, -1, NULL);
 		if (gtw)
 		{
 			char *if_name = NULL;
@@ -444,7 +445,7 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 #ifndef __linux__
 	/* on Linux we cant't install a gateway */
 	route->gateway = hydra->kernel_interface->get_nexthop(
-											hydra->kernel_interface, dst, src);
+										hydra->kernel_interface, dst, -1, src);
 #endif
 
 	if (policy->route)
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.am b/src/libcharon/plugins/kernel_wfp/Makefile.am
new file mode 100644
index 0000000..85e5089
--- /dev/null
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.am
@@ -0,0 +1,33 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-wfp.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-wfp.la
+endif
+
+libstrongswan_kernel_wfp_la_SOURCES = \
+	kernel_wfp_plugin.h kernel_wfp_plugin.c \
+	kernel_wfp_compat.c kernel_wfp_compat.h \
+	kernel_wfp_ipsec.h kernel_wfp_ipsec.c
+
+libstrongswan_kernel_wfp_la_LDFLAGS = -module -avoid-version
+libstrongswan_kernel_wfp_la_LIBADD = -lfwpuclnt
+
+
+noinst_PROGRAMS = ipsecdump
+
+ipsecdump_SOURCES = \
+	ipsecdump.c
+ipsecdump_LDADD = \
+	libstrongswan-kernel-wfp.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+
+
+EXTRA_DIST = mingw-w64-4.8.1.diff
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in
new file mode 100644
index 0000000..ff987f8
--- /dev/null
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.in
@@ -0,0 +1,801 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+noinst_PROGRAMS = ipsecdump$(EXEEXT)
+subdir = src/libcharon/plugins/kernel_wfp
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_wfp_la_DEPENDENCIES =
+am_libstrongswan_kernel_wfp_la_OBJECTS = kernel_wfp_plugin.lo \
+	kernel_wfp_compat.lo kernel_wfp_ipsec.lo
+libstrongswan_kernel_wfp_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_wfp_la_OBJECTS)
+AM_V_lt = $(am__v_lt_ at AM_V@)
+am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libstrongswan_kernel_wfp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_kernel_wfp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+ at MONOLITHIC_FALSE@am_libstrongswan_kernel_wfp_la_rpath = -rpath \
+ at MONOLITHIC_FALSE@	$(plugindir)
+ at MONOLITHIC_TRUE@am_libstrongswan_kernel_wfp_la_rpath =
+PROGRAMS = $(noinst_PROGRAMS)
+am_ipsecdump_OBJECTS = ipsecdump.$(OBJEXT)
+ipsecdump_OBJECTS = $(am_ipsecdump_OBJECTS)
+ipsecdump_DEPENDENCIES = libstrongswan-kernel-wfp.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_ at AM_V@)
+am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libstrongswan_kernel_wfp_la_SOURCES) $(ipsecdump_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_wfp_la_SOURCES) \
+	$(ipsecdump_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+ at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-wfp.la
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrong