[Pkg-swan-devel] [strongswan] 01/01: Import upstream release 5.2.1

Romain Francoise rfrancoise at moszumanska.debian.org
Tue Oct 21 19:50:00 UTC 2014


This is an automated email from the git hooks/post-receive script.

rfrancoise pushed a commit to branch upstream
in repository strongswan.

commit 2b8de74ff4c334c25e89988c4a401b24b5bcf03d
Author: Romain Francoise <rfrancoise at debian.org>
Date:   Tue Oct 21 19:28:38 2014 +0200

    Import upstream release 5.2.1
---
 Android.common.mk                                  |    2 +-
 Makefile.in                                        |    8 +
 NEWS                                               |   25 +
 conf/Makefile.am                                   |    8 +-
 conf/Makefile.in                                   |   16 +-
 conf/options/charon-systemd.conf                   |   16 +
 conf/options/charon-systemd.opt                    |   13 +
 conf/options/charon.conf                           |    8 +-
 conf/options/charon.opt                            |    8 +-
 conf/options/starter.conf                          |    3 +
 conf/options/starter.opt                           |    3 +
 conf/plugins/eap-radius.conf                       |    6 +-
 conf/plugins/eap-radius.opt                        |    6 +-
 conf/plugins/ext-auth.conf                         |   11 +
 conf/plugins/ext-auth.opt                          |   15 +
 conf/plugins/kernel-netlink.conf                   |   10 +
 conf/plugins/kernel-netlink.opt                    |   15 +
 conf/plugins/stroke.conf                           |    3 +
 conf/plugins/stroke.opt                            |    3 +
 conf/strongswan.conf.5.main                        |   75 +-
 config.h.in                                        |    3 +
 configure                                          | 1038 ++++++++--
 configure.ac                                       |   96 +-
 init/Makefile.am                                   |    8 +-
 init/Makefile.in                                   |   15 +-
 init/systemd-swanctl/Makefile.am                   |   11 +
 init/systemd-swanctl/Makefile.in                   |  598 ++++++
 init/systemd-swanctl/strongswan-swanctl.service.in |    9 +
 init/systemd/Makefile.in                           |    8 +
 init/systemd/strongswan.service.in                 |    2 +-
 man/Makefile.am                                    |    6 +-
 man/Makefile.in                                    |   17 +-
 man/ipsec.conf.5.in                                |    5 +-
 scripts/Makefile.in                                |    8 +
 src/Makefile.am                                    |    8 +-
 src/Makefile.in                                    |   28 +-
 src/_copyright/Makefile.in                         |    8 +
 src/_updown/Makefile.in                            |    8 +
 src/_updown_espmark/Makefile.in                    |    8 +
 src/aikgen/Makefile.in                             |    8 +
 src/charon-cmd/Makefile.in                         |    8 +
 src/charon-cmd/charon-cmd.c                        |    5 +-
 src/charon-nm/Makefile.in                          |    8 +
 src/charon-nm/nm/nm_backend.c                      |    2 +-
 src/charon-svc/Makefile.in                         |    8 +
 src/charon-systemd/Makefile.am                     |   19 +
 src/charon-systemd/Makefile.in                     |  765 +++++++
 src/charon-systemd/charon-systemd.c                |  403 ++++
 src/charon-tkm/Makefile.in                         |    8 +
 src/charon-tkm/src/charon-tkm.c                    |    2 +-
 src/charon-tkm/src/tkm/tkm_diffie_hellman.c        |    3 +-
 src/charon-tkm/tests/tests.c                       |    2 +-
 src/charon/Makefile.in                             |    8 +
 src/charon/charon.c                                |    6 +-
 src/checksum/Makefile.am                           |    5 -
 src/checksum/Makefile.in                           |   43 +-
 src/conftest/Makefile.in                           |    8 +
 src/conftest/hooks/ike_auth_fill.c                 |    2 +-
 src/conftest/hooks/reset_seq.c                     |    2 +-
 src/dumm/Makefile.in                               |    8 +
 src/include/Makefile.in                            |    8 +
 src/ipsec/Makefile.in                              |    8 +
 src/ipsec/_ipsec.8                                 |   14 +-
 src/ipsec/_ipsec.8.in                              |   12 +-
 src/ipsec/_ipsec.in                                |   51 +-
 src/libcharon/Android.mk                           |    3 +-
 src/libcharon/Makefile.am                          |   10 +-
 src/libcharon/Makefile.in                          |  296 +--
 src/libcharon/bus/bus.c                            |   37 +-
 src/libcharon/bus/bus.h                            |   23 +-
 src/libcharon/bus/listeners/listener.h             |   18 +-
 src/libcharon/config/child_cfg.c                   |   11 +
 src/libcharon/config/proposal.c                    |   10 +-
 src/libcharon/daemon.c                             |    2 +-
 src/libcharon/encoding/message.c                   |  997 +++++++--
 src/libcharon/encoding/message.h                   |   72 +-
 src/libcharon/encoding/parser.c                    |    2 +-
 .../encoding/payloads/encrypted_fragment_payload.h |   85 +
 .../encoding/payloads/encrypted_payload.c          | 1022 ++++++++++
 .../encoding/payloads/encrypted_payload.h          |  132 ++
 .../encoding/payloads/encryption_payload.c         |  634 ------
 .../encoding/payloads/encryption_payload.h         |  111 -
 src/libcharon/encoding/payloads/ike_header.c       |   16 +-
 src/libcharon/encoding/payloads/notify_payload.c   |   18 +-
 src/libcharon/encoding/payloads/notify_payload.h   |    4 +
 src/libcharon/encoding/payloads/payload.c          |   41 +-
 src/libcharon/encoding/payloads/payload.h          |   24 +-
 src/libcharon/encoding/payloads/sa_payload.c       |   17 +-
 src/libcharon/network/receiver.c                   |    4 +-
 src/libcharon/plugins/addrblock/Makefile.in        |    8 +
 src/libcharon/plugins/android_dns/Makefile.in      |    8 +
 src/libcharon/plugins/android_log/Makefile.in      |    8 +
 src/libcharon/plugins/certexpire/Makefile.in       |    8 +
 src/libcharon/plugins/coupling/Makefile.in         |    8 +
 src/libcharon/plugins/dhcp/Makefile.in             |    8 +
 src/libcharon/plugins/dnscert/Makefile.in          |    8 +
 src/libcharon/plugins/duplicheck/Makefile.in       |    8 +
 src/libcharon/plugins/eap_aka/Makefile.in          |    8 +
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |    8 +
 src/libcharon/plugins/eap_dynamic/Makefile.in      |    8 +
 src/libcharon/plugins/eap_gtc/Makefile.in          |    8 +
 src/libcharon/plugins/eap_identity/Makefile.in     |    8 +
 src/libcharon/plugins/eap_md5/Makefile.in          |    8 +
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |    8 +
 src/libcharon/plugins/eap_peap/Makefile.in         |    8 +
 src/libcharon/plugins/eap_radius/Makefile.in       |    8 +
 src/libcharon/plugins/eap_radius/eap_radius.c      |   50 +
 .../plugins/eap_radius/eap_radius_accounting.c     |   10 +
 src/libcharon/plugins/eap_sim/Makefile.in          |    8 +
 src/libcharon/plugins/eap_sim_file/Makefile.in     |    8 +
 src/libcharon/plugins/eap_sim_pcsc/Makefile.in     |    8 +
 .../plugins/eap_simaka_pseudonym/Makefile.in       |    8 +
 .../plugins/eap_simaka_reauth/Makefile.in          |    8 +
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |    8 +
 src/libcharon/plugins/eap_tls/Makefile.in          |    8 +
 src/libcharon/plugins/eap_tnc/Makefile.in          |    8 +
 src/libcharon/plugins/eap_ttls/Makefile.in         |    8 +
 src/libcharon/plugins/error_notify/Makefile.in     |    8 +
 src/libcharon/plugins/ext_auth/Makefile.am         |   18 +
 src/libcharon/plugins/ext_auth/Makefile.in         |  774 +++++++
 src/libcharon/plugins/ext_auth/ext_auth_listener.c |  203 ++
 src/libcharon/plugins/ext_auth/ext_auth_listener.h |   59 +
 src/libcharon/plugins/ext_auth/ext_auth_plugin.c   |  156 ++
 src/libcharon/plugins/ext_auth/ext_auth_plugin.h   |   49 +
 src/libcharon/plugins/farp/Makefile.in             |    8 +
 src/libcharon/plugins/ha/Makefile.in               |    8 +
 src/libcharon/plugins/ha/ha_dispatcher.c           |    2 +
 src/libcharon/plugins/ipseckey/Makefile.in         |    8 +
 src/libcharon/plugins/kernel_iph/Makefile.in       |    8 +
 src/libcharon/plugins/kernel_libipsec/Makefile.in  |    8 +
 src/libcharon/plugins/kernel_wfp/Makefile.in       |    8 +
 src/libcharon/plugins/led/Makefile.in              |    8 +
 src/libcharon/plugins/load_tester/Makefile.in      |    8 +
 src/libcharon/plugins/lookip/Makefile.in           |    8 +
 src/libcharon/plugins/maemo/Makefile.in            |    8 +
 src/libcharon/plugins/medcli/Makefile.in           |    8 +
 src/libcharon/plugins/medsrv/Makefile.in           |    8 +
 src/libcharon/plugins/osx_attr/Makefile.in         |    8 +
 src/libcharon/plugins/radattr/Makefile.in          |    8 +
 src/libcharon/plugins/smp/Makefile.in              |    8 +
 src/libcharon/plugins/socket_default/Makefile.in   |    8 +
 .../plugins/socket_default/socket_default_socket.c |    5 +-
 src/libcharon/plugins/socket_dynamic/Makefile.in   |    8 +
 .../plugins/socket_dynamic/socket_dynamic_socket.c |    5 +-
 src/libcharon/plugins/socket_win/Makefile.in       |    8 +
 .../plugins/socket_win/socket_win_socket.c         |    5 +-
 src/libcharon/plugins/sql/Makefile.in              |    8 +
 src/libcharon/plugins/stroke/Makefile.in           |    8 +
 src/libcharon/plugins/stroke/stroke_cred.c         |   12 +-
 src/libcharon/plugins/systime_fix/Makefile.in      |    8 +
 src/libcharon/plugins/tnc_ifmap/Makefile.in        |    8 +
 src/libcharon/plugins/tnc_pdp/Makefile.in          |    8 +
 src/libcharon/plugins/uci/Makefile.in              |    8 +
 src/libcharon/plugins/unit_tester/Makefile.in      |    8 +
 src/libcharon/plugins/unity/Makefile.in            |    8 +
 src/libcharon/plugins/unity/unity_narrow.c         |   69 +-
 src/libcharon/plugins/updown/Makefile.in           |    8 +
 src/libcharon/plugins/updown/updown_listener.c     |  461 ++---
 src/libcharon/plugins/vici/Makefile.am             |    7 +
 src/libcharon/plugins/vici/Makefile.in             |  210 +-
 src/libcharon/plugins/vici/README.md               |  698 ++++++-
 src/libcharon/plugins/vici/libvici.c               |    5 +-
 src/libcharon/plugins/vici/libvici.h               |    4 +-
 src/libcharon/plugins/vici/ruby/Makefile.am        |   22 +
 src/libcharon/plugins/vici/ruby/Makefile.in        |  556 +++++
 src/libcharon/plugins/vici/ruby/lib/vici.rb        |  569 ++++++
 src/libcharon/plugins/vici/ruby/vici.gemspec.in    |   16 +
 src/libcharon/plugins/vici/suites/test_message.c   |    2 +-
 src/libcharon/plugins/vici/vici_control.c          |   12 +
 src/libcharon/plugins/vici/vici_cred.c             |    5 +-
 src/libcharon/plugins/vici/vici_message.c          |    4 +
 src/libcharon/plugins/whitelist/Makefile.in        |    8 +
 src/libcharon/plugins/xauth_eap/Makefile.in        |    8 +
 src/libcharon/plugins/xauth_generic/Makefile.in    |    8 +
 src/libcharon/plugins/xauth_noauth/Makefile.in     |    8 +
 src/libcharon/plugins/xauth_pam/Makefile.in        |    8 +
 src/libcharon/processing/jobs/adopt_children_job.c |   40 +
 src/libcharon/processing/jobs/adopt_children_job.h |    8 +
 src/libcharon/processing/jobs/update_sa_job.c      |    7 +-
 src/libcharon/sa/ike_sa.c                          |  138 +-
 src/libcharon/sa/ike_sa.h                          |   34 +-
 src/libcharon/sa/ike_sa_manager.c                  |   48 +-
 src/libcharon/sa/ikev1/phase1.c                    |   12 +
 src/libcharon/sa/ikev1/task_manager_v1.c           |  445 ++--
 src/libcharon/sa/ikev1/tasks/aggressive_mode.c     |   32 +-
 src/libcharon/sa/ikev1/tasks/informational.c       |    6 +-
 src/libcharon/sa/ikev1/tasks/isakmp_vendor.c       |   39 +-
 src/libcharon/sa/ikev1/tasks/main_mode.c           |   31 +-
 src/libcharon/sa/ikev1/tasks/quick_mode.c          |   26 +-
 src/libcharon/sa/ikev1/tasks/xauth.c               |   23 +-
 src/libcharon/sa/ikev1/tasks/xauth.h               |    5 +
 src/libcharon/sa/ikev2/task_manager_v2.c           |  307 ++-
 src/libcharon/sa/ikev2/tasks/ike_init.c            |   23 +
 src/libcharon/sa/ikev2/tasks/ike_mobike.c          |   95 +-
 src/libcharon/sa/ikev2/tasks/ike_mobike.h          |    8 +-
 src/libfast/Makefile.in                            |    8 +
 src/libhydra/Makefile.am                           |    3 +-
 src/libhydra/Makefile.in                           |   11 +-
 src/libhydra/plugins/attr/Makefile.in              |    8 +
 src/libhydra/plugins/attr_sql/Makefile.in          |    8 +
 src/libhydra/plugins/kernel_netlink/Makefile.in    |    8 +
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |   86 +-
 .../plugins/kernel_netlink/kernel_netlink_net.c    |   90 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.c |   79 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.h |   10 +-
 src/libhydra/plugins/kernel_pfkey/Makefile.in      |    8 +
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |    4 +-
 src/libhydra/plugins/kernel_pfroute/Makefile.in    |    8 +
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |   53 +-
 src/libhydra/plugins/resolve/Makefile.in           |    8 +
 src/libimcv/Android.mk                             |   57 +-
 src/libimcv/Makefile.am                            |  106 +-
 src/libimcv/Makefile.in                            |  777 ++++++-
 src/libimcv/ietf/ietf_attr.c                       |   29 +-
 src/libimcv/ietf/ietf_attr.h                       |    8 +-
 src/libimcv/ietf/ietf_attr_assess_result.c         |   29 +-
 src/libimcv/ietf/ietf_attr_assess_result.h         |    8 +-
 src/libimcv/ietf/ietf_attr_attr_request.c          |   30 +-
 src/libimcv/ietf/ietf_attr_attr_request.h          |   10 +-
 src/libimcv/ietf/ietf_attr_default_pwd_enabled.c   |   26 +-
 src/libimcv/ietf/ietf_attr_default_pwd_enabled.h   |    6 +-
 src/libimcv/ietf/ietf_attr_fwd_enabled.c           |   26 +-
 src/libimcv/ietf/ietf_attr_fwd_enabled.h           |    8 +-
 src/libimcv/ietf/ietf_attr_installed_packages.c    |  138 +-
 src/libimcv/ietf/ietf_attr_installed_packages.h    |   18 +-
 src/libimcv/ietf/ietf_attr_numeric_version.c       |   29 +-
 src/libimcv/ietf/ietf_attr_numeric_version.h       |    8 +-
 src/libimcv/ietf/ietf_attr_op_status.c             |   24 +-
 src/libimcv/ietf/ietf_attr_op_status.h             |    8 +-
 src/libimcv/ietf/ietf_attr_pa_tnc_error.c          |   82 +-
 src/libimcv/ietf/ietf_attr_pa_tnc_error.h          |   28 +-
 src/libimcv/ietf/ietf_attr_port_filter.c           |   30 +-
 src/libimcv/ietf/ietf_attr_port_filter.h           |    8 +-
 src/libimcv/ietf/ietf_attr_product_info.c          |   30 +-
 src/libimcv/ietf/ietf_attr_product_info.h          |    8 +-
 src/libimcv/ietf/ietf_attr_remediation_instr.c     |   26 +-
 src/libimcv/ietf/ietf_attr_remediation_instr.h     |    8 +-
 src/libimcv/ietf/ietf_attr_string_version.c        |   26 +-
 src/libimcv/ietf/ietf_attr_string_version.h        |    8 +-
 src/libimcv/imc/imc_agent.c                        |   28 +-
 src/libimcv/imc/imc_agent.h                        |   12 +-
 src/libimcv/imc/imc_msg.c                          |  239 ++-
 src/libimcv/imc/imc_msg.h                          |    6 +-
 src/libimcv/imc/imc_os_info.h                      |    2 +-
 src/libimcv/imc/imc_state.h                        |   11 +-
 src/libimcv/imcv.c                                 |   45 +-
 src/libimcv/imcv.h                                 |   12 +
 src/libimcv/imcv_tests.c                           |   45 +
 src/libimcv/imcv_tests.h                           |   17 +
 src/libimcv/imv/data.sql                           |   35 +
 src/libimcv/imv/imv_agent.c                        |   26 +
 src/libimcv/imv/imv_agent.h                        |   10 +
 src/libimcv/imv/imv_msg.c                          |  238 ++-
 src/libimcv/imv/imv_msg.h                          |    6 +-
 src/libimcv/imv/imv_os_info.h                      |    2 +-
 src/libimcv/imv/imv_state.h                        |    8 +
 src/libimcv/ita/ita_attr.c                         |   19 +-
 src/libimcv/ita/ita_attr.h                         |    8 +-
 src/libimcv/ita/ita_attr_angel.c                   |   12 +-
 src/libimcv/ita/ita_attr_angel.h                   |    5 +-
 src/libimcv/ita/ita_attr_command.c                 |   30 +-
 src/libimcv/ita/ita_attr_command.h                 |    7 +-
 src/libimcv/ita/ita_attr_device_id.c               |   27 +-
 src/libimcv/ita/ita_attr_device_id.h               |    7 +-
 src/libimcv/ita/ita_attr_dummy.c                   |   34 +-
 src/libimcv/ita/ita_attr_dummy.h                   |    9 +-
 src/libimcv/ita/ita_attr_get_settings.c            |   29 +-
 src/libimcv/ita/ita_attr_get_settings.h            |    8 +-
 src/libimcv/ita/ita_attr_settings.c                |   28 +-
 src/libimcv/ita/ita_attr_settings.h                |    5 +-
 src/libimcv/os_info/os_info.h                      |    1 -
 src/libimcv/pa_tnc/pa_tnc_attr.h                   |   13 +-
 src/libimcv/pa_tnc/pa_tnc_attr_manager.c           |  161 +-
 src/libimcv/pa_tnc/pa_tnc_attr_manager.h           |   26 +-
 src/libimcv/pa_tnc/pa_tnc_msg.c                    |  221 +-
 src/libimcv/pa_tnc/pa_tnc_msg.h                    |    6 +-
 src/libimcv/plugins/imc_attestation/Makefile.am    |   18 +
 src/libimcv/plugins/imc_attestation/Makefile.in    |  765 +++++++
 .../plugins/imc_attestation/imc_attestation.c      |  335 +++
 .../imc_attestation/imc_attestation_process.c      |  480 +++++
 .../imc_attestation/imc_attestation_process.h      |    0
 .../imc_attestation/imc_attestation_state.c        |  260 +++
 .../imc_attestation/imc_attestation_state.h        |   86 +
 src/libimcv/plugins/imc_os/Makefile.in             |    8 +
 src/libimcv/plugins/imc_os/imc_os.c                |   70 +-
 src/libimcv/plugins/imc_os/imc_os_state.c          |   16 +-
 src/libimcv/plugins/imc_scanner/Makefile.in        |    8 +
 src/libimcv/plugins/imc_scanner/imc_scanner.c      |   10 +-
 .../plugins/imc_scanner/imc_scanner_state.c        |   16 +-
 src/libimcv/plugins/imc_swid/Makefile.am           |   37 +
 src/libimcv/plugins/imc_swid/Makefile.in           |  826 ++++++++
 src/libimcv/plugins/imc_swid/imc_swid.c            |  424 ++++
 src/libimcv/plugins/imc_swid/imc_swid_state.c      |  203 ++
 .../plugins/imc_swid/imc_swid_state.h              |    0
 ...id.2004-03.org.strongswan_strongSwan.swidtag.in |    0
 src/libimcv/plugins/imc_test/Makefile.in           |    8 +
 src/libimcv/plugins/imc_test/imc_test.c            |   36 +-
 src/libimcv/plugins/imc_test/imc_test_state.c      |   16 +-
 src/libimcv/plugins/imv_attestation/Makefile.am    |   33 +
 src/libimcv/plugins/imv_attestation/Makefile.in    |  847 ++++++++
 src/libimcv/plugins/imv_attestation/attest.c       |  484 +++++
 src/libimcv/plugins/imv_attestation/attest_db.c    | 1995 ++++++++++++++++++
 src/libimcv/plugins/imv_attestation/attest_db.h    |  267 +++
 .../plugins/imv_attestation/attest_usage.c         |    0
 .../plugins/imv_attestation/attest_usage.h         |    0
 .../plugins/imv_attestation/build-database.sh      |   84 +
 .../plugins/imv_attestation/imv_attestation.c      |    0
 .../imv_attestation/imv_attestation_agent.c        |  931 +++++++++
 .../imv_attestation/imv_attestation_agent.h        |    0
 .../imv_attestation/imv_attestation_build.c        |  155 ++
 .../imv_attestation/imv_attestation_build.h        |    0
 .../imv_attestation/imv_attestation_process.c      |  567 ++++++
 .../imv_attestation/imv_attestation_process.h      |    0
 .../imv_attestation/imv_attestation_state.c        |  560 +++++
 .../imv_attestation/imv_attestation_state.h        |  192 ++
 src/libimcv/plugins/imv_os/Makefile.in             |    8 +
 src/libimcv/plugins/imv_os/imv_os_agent.c          |   65 +-
 src/libimcv/plugins/imv_os/imv_os_state.c          |   32 +-
 src/libimcv/plugins/imv_os/imv_os_state.h          |   12 +-
 src/libimcv/plugins/imv_scanner/Makefile.in        |    8 +
 .../plugins/imv_scanner/imv_scanner_agent.c        |   23 +-
 .../plugins/imv_scanner/imv_scanner_state.c        |   14 +
 src/libimcv/plugins/imv_swid/Makefile.am           |   21 +
 src/libimcv/plugins/imv_swid/Makefile.in           |  769 +++++++
 .../plugins/imv_swid/imv_swid.c                    |    0
 src/libimcv/plugins/imv_swid/imv_swid_agent.c      |  726 +++++++
 .../plugins/imv_swid/imv_swid_agent.h              |    0
 .../plugins/imv_swid/imv_swid_rest.c               |    0
 src/libimcv/plugins/imv_swid/imv_swid_rest.h       |   63 +
 src/libimcv/plugins/imv_swid/imv_swid_state.c      |  402 ++++
 src/libimcv/plugins/imv_swid/imv_swid_state.h      |  136 ++
 src/libimcv/plugins/imv_test/Makefile.in           |    8 +
 src/libimcv/plugins/imv_test/imv_test_agent.c      |   30 +-
 src/libimcv/plugins/imv_test/imv_test_state.c      |   16 +-
 .../pts/components/ita/ita_comp_func_name.c        |    0
 .../pts/components/ita/ita_comp_func_name.h        |    0
 src/libimcv/pts/components/ita/ita_comp_ima.c      |  914 +++++++++
 .../pts/components/ita/ita_comp_ima.h              |    0
 src/libimcv/pts/components/ita/ita_comp_tboot.c    |  362 ++++
 .../pts/components/ita/ita_comp_tboot.h            |    0
 .../pts/components/ita/ita_comp_tgrub.c            |    0
 .../pts/components/ita/ita_comp_tgrub.h            |    0
 .../pts/components/pts_comp_evidence.c             |    0
 .../pts/components/pts_comp_evidence.h             |    0
 src/libimcv/pts/components/pts_comp_func_name.c    |  162 ++
 .../pts/components/pts_comp_func_name.h            |    0
 .../pts/components/pts_component.h                 |    0
 .../pts/components/pts_component_manager.c         |    0
 .../pts/components/pts_component_manager.h         |    0
 .../pts/components/tcg/tcg_comp_func_name.c        |    0
 .../pts/components/tcg/tcg_comp_func_name.h        |    0
 src/{libpts => libimcv}/pts/pts.c                  |    0
 src/libimcv/pts/pts.h                              |  315 +++
 src/{libpts => libimcv}/pts/pts_creds.c            |    0
 src/{libpts => libimcv}/pts/pts_creds.h            |    0
 src/{libpts => libimcv}/pts/pts_database.c         |    0
 src/{libpts => libimcv}/pts/pts_database.h         |    0
 src/{libpts => libimcv}/pts/pts_dh_group.c         |    0
 src/{libpts => libimcv}/pts/pts_dh_group.h         |    0
 src/{libpts => libimcv}/pts/pts_error.c            |    0
 src/{libpts => libimcv}/pts/pts_error.h            |    0
 src/{libpts => libimcv}/pts/pts_file_meas.c        |    0
 src/{libpts => libimcv}/pts/pts_file_meas.h        |    0
 src/{libpts => libimcv}/pts/pts_file_meta.c        |    0
 src/{libpts => libimcv}/pts/pts_file_meta.h        |    0
 src/{libpts => libimcv}/pts/pts_file_type.c        |    0
 src/{libpts => libimcv}/pts/pts_file_type.h        |    0
 src/{libpts => libimcv}/pts/pts_ima_bios_list.c    |    0
 src/{libpts => libimcv}/pts/pts_ima_bios_list.h    |    0
 src/{libpts => libimcv}/pts/pts_ima_event_list.c   |    0
 src/{libpts => libimcv}/pts/pts_ima_event_list.h   |    0
 src/{libpts => libimcv}/pts/pts_meas_algo.c        |    0
 src/{libpts => libimcv}/pts/pts_meas_algo.h        |    0
 src/{libpts => libimcv}/pts/pts_pcr.c              |    0
 src/{libpts => libimcv}/pts/pts_pcr.h              |    0
 src/{libpts => libimcv}/pts/pts_proto_caps.h       |    0
 .../pts/pts_req_func_comp_evid.h                   |    0
 .../pts/pts_simple_evid_final.h                    |    0
 src/libimcv/seg/seg_contract.c                     |  479 +++++
 src/libimcv/seg/seg_contract.h                     |  180 ++
 src/libimcv/seg/seg_contract_manager.c             |   94 +
 src/libimcv/seg/seg_contract_manager.h             |   63 +
 src/libimcv/seg/seg_env.c                          |  306 +++
 src/libimcv/seg/seg_env.h                          |  119 ++
 src/libimcv/suites/test_imcv_seg.c                 |  738 +++++++
 src/{libpts => libimcv}/swid/swid_error.c          |    0
 src/libimcv/swid/swid_error.h                      |   58 +
 src/libimcv/swid/swid_inventory.c                  |  454 +++++
 src/libimcv/swid/swid_inventory.h                  |   84 +
 src/libimcv/swid/swid_tag.c                        |  102 +
 src/libimcv/swid/swid_tag.h                        |   70 +
 src/libimcv/swid/swid_tag_id.c                     |  114 ++
 src/libimcv/swid/swid_tag_id.h                     |   73 +
 src/libimcv/tcg/pts/tcg_pts_attr_aik.c             |  266 +++
 src/libimcv/tcg/pts/tcg_pts_attr_aik.h             |   67 +
 src/libimcv/tcg/pts/tcg_pts_attr_dh_nonce_finish.c |  287 +++
 src/libimcv/tcg/pts/tcg_pts_attr_dh_nonce_finish.h |   92 +
 .../tcg/pts/tcg_pts_attr_dh_nonce_params_req.c     |  258 +++
 .../tcg/pts/tcg_pts_attr_dh_nonce_params_req.h     |   75 +
 .../tcg/pts/tcg_pts_attr_dh_nonce_params_resp.c    |  306 +++
 .../tcg/pts/tcg_pts_attr_dh_nonce_params_resp.h    |   96 +
 src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c       |  356 ++++
 src/libimcv/tcg/pts/tcg_pts_attr_file_meas.h       |   68 +
 src/libimcv/tcg/pts/tcg_pts_attr_gen_attest_evid.c |  225 +++
 src/libimcv/tcg/pts/tcg_pts_attr_gen_attest_evid.h |   56 +
 src/libimcv/tcg/pts/tcg_pts_attr_get_aik.c         |  222 ++
 src/libimcv/tcg/pts/tcg_pts_attr_get_aik.h         |   56 +
 .../tcg/pts/tcg_pts_attr_get_tpm_version_info.c    |  225 +++
 .../tcg/pts/tcg_pts_attr_get_tpm_version_info.h    |   57 +
 src/libimcv/tcg/pts/tcg_pts_attr_meas_algo.c       |  243 +++
 src/libimcv/tcg/pts/tcg_pts_attr_meas_algo.h       |   71 +
 src/libimcv/tcg/pts/tcg_pts_attr_proto_caps.c      |  244 +++
 src/libimcv/tcg/pts/tcg_pts_attr_proto_caps.h      |   70 +
 src/libimcv/tcg/pts/tcg_pts_attr_req_file_meas.c   |  314 +++
 src/libimcv/tcg/pts/tcg_pts_attr_req_file_meas.h   |   93 +
 src/libimcv/tcg/pts/tcg_pts_attr_req_file_meta.c   |  296 +++
 src/libimcv/tcg/pts/tcg_pts_attr_req_file_meta.h   |   84 +
 .../tcg/pts/tcg_pts_attr_req_func_comp_evid.c      |  389 ++++
 .../tcg/pts/tcg_pts_attr_req_func_comp_evid.h      |   83 +
 .../tcg/pts/tcg_pts_attr_simple_comp_evid.c        |  532 +++++
 .../tcg/pts/tcg_pts_attr_simple_comp_evid.h        |   67 +
 .../tcg/pts/tcg_pts_attr_simple_evid_final.c       |  405 ++++
 .../tcg/pts/tcg_pts_attr_simple_evid_final.h       |   96 +
 .../tcg/pts/tcg_pts_attr_tpm_version_info.c        |  248 +++
 .../tcg/pts/tcg_pts_attr_tpm_version_info.h        |   73 +
 src/libimcv/tcg/pts/tcg_pts_attr_unix_file_meta.c  |  372 ++++
 src/libimcv/tcg/pts/tcg_pts_attr_unix_file_meta.h  |   68 +
 src/libimcv/tcg/seg/tcg_seg_attr_max_size.c        |  254 +++
 src/libimcv/tcg/seg/tcg_seg_attr_max_size.h        |   73 +
 src/libimcv/tcg/seg/tcg_seg_attr_next_seg.c        |  258 +++
 src/libimcv/tcg/seg/tcg_seg_attr_next_seg.h        |   73 +
 src/libimcv/tcg/seg/tcg_seg_attr_seg_env.c         |  257 +++
 src/libimcv/tcg/seg/tcg_seg_attr_seg_env.h         |   76 +
 src/libimcv/tcg/swid/tcg_swid_attr_req.c           |  349 ++++
 src/libimcv/tcg/swid/tcg_swid_attr_req.h           |  106 +
 src/libimcv/tcg/swid/tcg_swid_attr_tag_id_inv.c    |  396 ++++
 src/libimcv/tcg/swid/tcg_swid_attr_tag_id_inv.h    |  109 +
 src/libimcv/tcg/swid/tcg_swid_attr_tag_inv.c       |  389 ++++
 src/libimcv/tcg/swid/tcg_swid_attr_tag_inv.h       |  108 +
 src/libimcv/tcg/tcg_attr.c                         |  270 +++
 src/libimcv/tcg/tcg_attr.h                         |  105 +
 src/libipsec/Makefile.in                           |    8 +
 src/libipsec/ip_packet.c                           |  298 ++-
 src/libipsec/ip_packet.h                           |   35 +-
 src/libpts/Android.mk                              |   78 -
 src/libpts/Makefile.am                             |   94 -
 src/libpts/Makefile.in                             | 1181 -----------
 src/libpts/libpts.c                                |   96 -
 src/libpts/libpts.h                                |   52 -
 src/libpts/plugins/imc_attestation/Makefile.am     |   20 -
 src/libpts/plugins/imc_attestation/Makefile.in     |  760 -------
 .../plugins/imc_attestation/imc_attestation.c      |  339 ----
 .../imc_attestation/imc_attestation_process.c      |  476 -----
 .../imc_attestation/imc_attestation_state.c        |  244 ---
 .../imc_attestation/imc_attestation_state.h        |   86 -
 src/libpts/plugins/imc_swid/Makefile.am            |   39 -
 src/libpts/plugins/imc_swid/Makefile.in            |  821 --------
 src/libpts/plugins/imc_swid/imc_swid.c             |  479 -----
 src/libpts/plugins/imc_swid/imc_swid_state.c       |  189 --
 src/libpts/plugins/imv_attestation/Makefile.am     |   36 -
 src/libpts/plugins/imv_attestation/Makefile.in     |  844 --------
 src/libpts/plugins/imv_attestation/attest.c        |  487 -----
 src/libpts/plugins/imv_attestation/attest_db.c     | 1994 ------------------
 src/libpts/plugins/imv_attestation/attest_db.h     |  267 ---
 .../plugins/imv_attestation/build-database.sh      |   84 -
 .../imv_attestation/imv_attestation_agent.c        |  909 ---------
 .../imv_attestation/imv_attestation_build.c        |  150 --
 .../imv_attestation/imv_attestation_process.c      |  563 ------
 .../imv_attestation/imv_attestation_state.c        |  546 -----
 .../imv_attestation/imv_attestation_state.h        |  191 --
 src/libpts/plugins/imv_swid/Makefile.am            |   23 -
 src/libpts/plugins/imv_swid/Makefile.in            |  762 -------
 src/libpts/plugins/imv_swid/imv_swid_agent.c       |  717 -------
 src/libpts/plugins/imv_swid/imv_swid_rest.h        |   63 -
 src/libpts/plugins/imv_swid/imv_swid_state.c       |  388 ----
 src/libpts/plugins/imv_swid/imv_swid_state.h       |  137 --
 src/libpts/pts/components/ita/ita_comp_ima.c       |  914 ---------
 src/libpts/pts/components/ita/ita_comp_tboot.c     |  361 ----
 src/libpts/pts/components/pts_comp_func_name.c     |  159 --
 src/libpts/pts/pts.h                               |  315 ---
 src/libpts/swid/swid_error.h                       |   58 -
 src/libpts/swid/swid_inventory.c                   |  458 -----
 src/libpts/swid/swid_inventory.h                   |   81 -
 src/libpts/swid/swid_tag.c                         |  102 -
 src/libpts/swid/swid_tag.h                         |   70 -
 src/libpts/swid/swid_tag_id.c                      |  114 --
 src/libpts/swid/swid_tag_id.h                      |   73 -
 src/libpts/tcg/pts/tcg_pts_attr_aik.c              |  245 ---
 src/libpts/tcg/pts/tcg_pts_attr_aik.h              |   65 -
 src/libpts/tcg/pts/tcg_pts_attr_dh_nonce_finish.c  |  265 ---
 src/libpts/tcg/pts/tcg_pts_attr_dh_nonce_finish.h  |   89 -
 .../tcg/pts/tcg_pts_attr_dh_nonce_params_req.c     |  236 ---
 .../tcg/pts/tcg_pts_attr_dh_nonce_params_req.h     |   72 -
 .../tcg/pts/tcg_pts_attr_dh_nonce_params_resp.c    |  284 ---
 .../tcg/pts/tcg_pts_attr_dh_nonce_params_resp.h    |   93 -
 src/libpts/tcg/pts/tcg_pts_attr_file_meas.c        |  295 ---
 src/libpts/tcg/pts/tcg_pts_attr_file_meas.h        |   65 -
 src/libpts/tcg/pts/tcg_pts_attr_gen_attest_evid.c  |  203 --
 src/libpts/tcg/pts/tcg_pts_attr_gen_attest_evid.h  |   53 -
 src/libpts/tcg/pts/tcg_pts_attr_get_aik.c          |  200 --
 src/libpts/tcg/pts/tcg_pts_attr_get_aik.h          |   53 -
 .../tcg/pts/tcg_pts_attr_get_tpm_version_info.c    |  203 --
 .../tcg/pts/tcg_pts_attr_get_tpm_version_info.h    |   54 -
 src/libpts/tcg/pts/tcg_pts_attr_meas_algo.c        |  221 --
 src/libpts/tcg/pts/tcg_pts_attr_meas_algo.h        |   68 -
 src/libpts/tcg/pts/tcg_pts_attr_proto_caps.c       |  221 --
 src/libpts/tcg/pts/tcg_pts_attr_proto_caps.h       |   67 -
 src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.c    |  292 ---
 src/libpts/tcg/pts/tcg_pts_attr_req_file_meas.h    |   90 -
 src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.c    |  275 ---
 src/libpts/tcg/pts/tcg_pts_attr_req_file_meta.h    |   81 -
 .../tcg/pts/tcg_pts_attr_req_func_comp_evid.c      |  367 ----
 .../tcg/pts/tcg_pts_attr_req_func_comp_evid.h      |   80 -
 src/libpts/tcg/pts/tcg_pts_attr_simple_comp_evid.c |  511 -----
 src/libpts/tcg/pts/tcg_pts_attr_simple_comp_evid.h |   64 -
 .../tcg/pts/tcg_pts_attr_simple_evid_final.c       |  383 ----
 .../tcg/pts/tcg_pts_attr_simple_evid_final.h       |   93 -
 src/libpts/tcg/pts/tcg_pts_attr_tpm_version_info.c |  226 ---
 src/libpts/tcg/pts/tcg_pts_attr_tpm_version_info.h |   70 -
 src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.c   |  350 ----
 src/libpts/tcg/pts/tcg_pts_attr_unix_file_meta.h   |   65 -
 src/libpts/tcg/swid/tcg_swid_attr_req.c            |  328 ---
 src/libpts/tcg/swid/tcg_swid_attr_req.h            |  105 -
 src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.c     |  331 ---
 src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.h     |   95 -
 src/libpts/tcg/swid/tcg_swid_attr_tag_inv.c        |  319 ---
 src/libpts/tcg/swid/tcg_swid_attr_tag_inv.h        |   94 -
 src/libpts/tcg/tcg_attr.c                          |  239 ---
 src/libpts/tcg/tcg_attr.h                          |   96 -
 src/libpttls/Makefile.in                           |    8 +
 src/libradius/Makefile.in                          |    8 +
 src/libsimaka/Makefile.in                          |    8 +
 src/libstrongswan/Android.mk                       |    2 +-
 src/libstrongswan/Makefile.am                      |    4 +-
 src/libstrongswan/Makefile.in                      |   36 +-
 src/libstrongswan/asn1/asn1.c                      |   35 +-
 src/libstrongswan/collections/array.c              |    8 +-
 src/libstrongswan/collections/array.h              |    5 +
 src/libstrongswan/credentials/auth_cfg.c           |    2 +-
 src/libstrongswan/credentials/credential_manager.c |    2 +-
 src/libstrongswan/crypto/diffie_hellman.c          |   36 +-
 src/libstrongswan/crypto/diffie_hellman.h          |    8 +
 src/libstrongswan/library.c                        |   16 +-
 src/libstrongswan/library.h                        |    5 +
 src/libstrongswan/networking/packet.h              |    5 +
 .../networking/streams/stream_service.c            |   88 +-
 src/libstrongswan/plugins/acert/Makefile.in        |    8 +
 src/libstrongswan/plugins/aes/Makefile.in          |    8 +
 src/libstrongswan/plugins/af_alg/Makefile.in       |    8 +
 src/libstrongswan/plugins/agent/Makefile.in        |    8 +
 src/libstrongswan/plugins/blowfish/Makefile.in     |    8 +
 src/libstrongswan/plugins/ccm/Makefile.in          |    8 +
 src/libstrongswan/plugins/cmac/Makefile.in         |    8 +
 src/libstrongswan/plugins/constraints/Makefile.in  |    8 +
 src/libstrongswan/plugins/ctr/Makefile.in          |    8 +
 src/libstrongswan/plugins/curl/Makefile.in         |    8 +
 src/libstrongswan/plugins/curl/curl_fetcher.c      |    7 +-
 src/libstrongswan/plugins/curl/curl_plugin.c       |  127 +-
 src/libstrongswan/plugins/des/Makefile.in          |    8 +
 src/libstrongswan/plugins/dnskey/Makefile.in       |    8 +
 src/libstrongswan/plugins/fips_prf/Makefile.in     |    8 +
 src/libstrongswan/plugins/gcm/Makefile.in          |    8 +
 src/libstrongswan/plugins/gcrypt/Makefile.in       |    8 +
 src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c   |    2 +
 src/libstrongswan/plugins/gmp/Makefile.in          |    8 +
 src/libstrongswan/plugins/hmac/Makefile.in         |    8 +
 src/libstrongswan/plugins/keychain/Makefile.in     |    8 +
 src/libstrongswan/plugins/ldap/Makefile.in         |    8 +
 src/libstrongswan/plugins/md4/Makefile.in          |    8 +
 src/libstrongswan/plugins/md5/Makefile.in          |    8 +
 src/libstrongswan/plugins/mysql/Makefile.in        |    8 +
 src/libstrongswan/plugins/nonce/Makefile.in        |    8 +
 src/libstrongswan/plugins/ntru/Makefile.in         |    8 +
 src/libstrongswan/plugins/openssl/Makefile.in      |    8 +
 .../plugins/openssl/openssl_ec_private_key.c       |   12 +-
 .../plugins/openssl/openssl_ec_public_key.c        |   12 +-
 src/libstrongswan/plugins/openssl/openssl_plugin.c |    2 +
 src/libstrongswan/plugins/padlock/Makefile.in      |    8 +
 src/libstrongswan/plugins/pem/Makefile.in          |    8 +
 src/libstrongswan/plugins/pgp/Makefile.in          |    8 +
 src/libstrongswan/plugins/pkcs1/Makefile.in        |    8 +
 src/libstrongswan/plugins/pkcs11/Makefile.in       |    8 +
 src/libstrongswan/plugins/pkcs12/Makefile.in       |    8 +
 src/libstrongswan/plugins/pkcs7/Makefile.in        |    8 +
 src/libstrongswan/plugins/pkcs8/Makefile.in        |    8 +
 src/libstrongswan/plugins/plugin_loader.c          |   31 +-
 src/libstrongswan/plugins/plugin_loader.h          |    8 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |    8 +
 src/libstrongswan/plugins/random/Makefile.in       |    8 +
 src/libstrongswan/plugins/rc2/Makefile.in          |    8 +
 src/libstrongswan/plugins/rdrand/Makefile.in       |    8 +
 src/libstrongswan/plugins/revocation/Makefile.in   |    8 +
 src/libstrongswan/plugins/sha1/Makefile.in         |    8 +
 src/libstrongswan/plugins/sha2/Makefile.in         |    8 +
 src/libstrongswan/plugins/soup/Makefile.in         |    8 +
 src/libstrongswan/plugins/sqlite/Makefile.in       |    8 +
 src/libstrongswan/plugins/sshkey/Makefile.in       |    8 +
 src/libstrongswan/plugins/test_vectors/Makefile.in |    8 +
 src/libstrongswan/plugins/unbound/Makefile.in      |    8 +
 src/libstrongswan/plugins/winhttp/Makefile.in      |    8 +
 src/libstrongswan/plugins/x509/Makefile.in         |    8 +
 src/libstrongswan/plugins/xcbc/Makefile.in         |    8 +
 src/libstrongswan/processing/watcher.c             |   32 +-
 src/libstrongswan/processing/watcher.h             |   20 +
 src/libstrongswan/settings/settings.c              |    2 +-
 src/libstrongswan/settings/settings_parser.c       |    4 +-
 src/libstrongswan/settings/settings_parser.y       |    4 +-
 src/libstrongswan/tests/Makefile.am                |    1 +
 src/libstrongswan/tests/Makefile.in                |   27 +
 src/libstrongswan/tests/suites/test_chunk.c        |   49 +
 src/libstrongswan/tests/suites/test_process.c      |  227 +++
 src/libstrongswan/tests/suites/test_threading.c    |    6 +-
 src/libstrongswan/tests/test_runner.c              |   45 +-
 src/libstrongswan/tests/test_runner.h              |    1 +
 src/libstrongswan/tests/tests.h                    |    1 +
 src/libstrongswan/threading/mutex.c                |   21 +-
 src/libstrongswan/threading/thread.h               |   28 +
 src/libstrongswan/utils/backtrace.c                |    1 +
 src/libstrongswan/utils/chunk.c                    |   31 +
 src/libstrongswan/utils/chunk.h                    |   25 +
 src/libstrongswan/utils/leak_detective.c           |    2 +
 src/libstrongswan/utils/process.c                  |  592 ++++++
 src/libstrongswan/utils/process.h                  |   97 +
 src/libstrongswan/utils/utils.h                    |   17 +-
 src/libtls/Makefile.in                             |    8 +
 src/libtls/tests/Makefile.in                       |    8 +
 src/libtls/tls_aead.c                              |    1 +
 src/libtls/tls_aead_expl.c                         |    9 +-
 src/libtls/tls_aead_impl.c                         |    8 +
 src/libtnccs/Makefile.in                           |    8 +
 src/libtnccs/plugins/tnc_imc/Makefile.in           |    8 +
 src/libtnccs/plugins/tnc_imv/Makefile.in           |    8 +
 src/libtnccs/plugins/tnc_tnccs/Makefile.in         |    8 +
 src/libtnccs/plugins/tnccs_11/Makefile.in          |    8 +
 src/libtnccs/plugins/tnccs_20/Makefile.in          |    8 +
 src/libtnccs/plugins/tnccs_dynamic/Makefile.in     |    8 +
 src/libtncif/Makefile.in                           |    8 +
 src/manager/Makefile.in                            |    8 +
 src/medsrv/Makefile.in                             |    8 +
 src/pki/Makefile.in                                |    8 +
 src/pki/man/Makefile.in                            |    8 +
 src/pool/Makefile.in                               |    8 +
 src/pt-tls-client/Makefile.in                      |    8 +
 src/pt-tls-client/pt-tls-client.c                  |    2 +-
 src/scepclient/Makefile.in                         |    8 +
 src/starter/Makefile.in                            |    8 +
 src/starter/confread.c                             |   10 +-
 src/starter/invokecharon.c                         |    9 +
 src/starter/starter.c                              |   14 +-
 src/starter/tests/Makefile.in                      |    8 +
 src/stroke/Makefile.in                             |    8 +
 src/swanctl/Makefile.am                            |   12 +-
 src/swanctl/Makefile.in                            |   35 +-
 src/swanctl/command.c                              |    5 +-
 src/swanctl/command.h                              |    2 +-
 src/swanctl/commands/initiate.c                    |    6 +-
 src/swanctl/commands/install.c                     |    3 +-
 src/swanctl/commands/list_certs.c                  |    7 +-
 src/swanctl/commands/list_conns.c                  |    7 +-
 src/swanctl/commands/list_pols.c                   |    7 +-
 src/swanctl/commands/list_pools.c                  |    3 +-
 src/swanctl/commands/list_sas.c                    |    8 +-
 src/swanctl/commands/load_all.c                    |  103 +
 src/swanctl/commands/load_conns.c                  |   81 +-
 src/swanctl/commands/load_conns.h                  |   26 +
 src/swanctl/commands/load_creds.c                  |   71 +-
 src/swanctl/commands/load_creds.h                  |   28 +
 src/swanctl/commands/load_pools.c                  |   83 +-
 src/swanctl/commands/load_pools.h                  |   26 +
 src/swanctl/commands/log.c                         |    4 +-
 src/swanctl/commands/reload_settings.c             |   88 +
 src/swanctl/commands/stats.c                       |    4 +-
 src/swanctl/commands/terminate.c                   |    6 +-
 src/swanctl/commands/version.c                     |    4 +-
 src/swanctl/swanctl.8.in                           |    9 +
 src/swanctl/swanctl.conf                           |    4 +-
 src/swanctl/swanctl.conf.5.main                    |   21 +-
 src/swanctl/swanctl.opt                            |   15 +-
 testing/Makefile.in                                |    8 +
 testing/config/kernel/config-3.16                  | 2097 +++++++++++++++++++
 testing/config/kernel/config-3.17                  | 2135 ++++++++++++++++++++
 testing/config/kvm/alice.xml                       |    4 +-
 testing/config/kvm/bob.xml                         |    4 +-
 testing/config/kvm/carol.xml                       |    4 +-
 testing/config/kvm/dave.xml                        |    4 +-
 testing/config/kvm/moon.xml                        |    4 +-
 testing/config/kvm/sun.xml                         |    4 +-
 testing/config/kvm/venus.xml                       |    4 +-
 testing/config/kvm/winnetou.xml                    |    4 +-
 .../hosts/alice/etc/ipsec.d/certs/aliceCert.pem    |   34 +-
 .../hosts/alice/etc/ipsec.d/private/aliceKey.pem   |   50 +-
 testing/hosts/alice/etc/swanctl/rsa/aliceKey.pem   |   50 +-
 testing/hosts/alice/etc/swanctl/x509/aliceCert.pem |   34 +-
 testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem    |   34 +-
 testing/hosts/bob/etc/ipsec.d/private/bobKey.pem   |   50 +-
 testing/hosts/bob/etc/swanctl/rsa/bobKey.pem       |   50 +-
 testing/hosts/bob/etc/swanctl/x509/bobCert.pem     |   34 +-
 .../hosts/carol/etc/ipsec.d/certs/carolCert.pem    |   34 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   52 +-
 testing/hosts/carol/etc/swanctl/rsa/carolKey.pem   |   50 +-
 testing/hosts/carol/etc/swanctl/x509/carolCert.pem |   34 +-
 testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem  |   34 +-
 testing/hosts/dave/etc/ipsec.d/private/daveKey.pem |   50 +-
 testing/hosts/dave/etc/swanctl/rsa/daveKey.pem     |   50 +-
 testing/hosts/dave/etc/swanctl/x509/daveCert.pem   |   34 +-
 testing/hosts/default/etc/inittab                  |   71 +
 testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem  |   34 +-
 testing/hosts/moon/etc/ipsec.d/private/moonKey.pem |   50 +-
 testing/hosts/moon/etc/swanctl/rsa/moonKey.pem     |   50 +-
 testing/hosts/moon/etc/swanctl/x509/moonCert.pem   |   34 +-
 testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem    |   34 +-
 testing/hosts/sun/etc/ipsec.d/private/sunKey.pem   |   50 +-
 testing/hosts/sun/etc/swanctl/rsa/sunKey.pem       |   50 +-
 testing/hosts/sun/etc/swanctl/x509/sunCert.pem     |   34 +-
 .../hosts/venus/etc/ipsec.d/certs/venusCert.pem    |   30 +-
 .../hosts/venus/etc/ipsec.d/private/venusKey.pem   |   50 +-
 testing/hosts/venus/etc/swanctl/rsa/venusKey.pem   |   50 +-
 testing/hosts/venus/etc/swanctl/x509/venusCert.pem |   30 +-
 testing/hosts/winnetou/etc/bind/db.strongswan.org  |  124 +-
 .../certs/07de9420646e493941432a451e7c14fd28fb9307 |  Bin 0 -> 1058 bytes
 .../certs/0e35060aed55a85aa8520815c166588fc35bcd93 |  Bin 965 -> 0 bytes
 .../certs/160769ece9ead9c1c4d89c34aa004c3b66402081 |  Bin 1062 -> 0 bytes
 .../certs/16bf9080ac60d035d7a75ca7f634ed4427f00c0f |  Bin 0 -> 1076 bytes
 .../certs/174b20a63b8469706e6695e185ac8cc90bb9e69f |  Bin 0 -> 965 bytes
 .../certs/1b260aa901f29db73635f568c34e27d1f1cb23ab |  Bin 959 -> 0 bytes
 .../certs/24d9077c072f5a22ad0c6f65f9f20ebda2afa491 |  Bin 0 -> 965 bytes
 .../certs/394ceefaef48af8394d9a0e63d74cc56a4117a23 |  Bin 1062 -> 0 bytes
 .../certs/3b389ed7670f8698f37e8a90b4f99389d3c8e3c0 |  Bin 0 -> 1060 bytes
 .../certs/430651fd670098ad72f02c4cc34a017f9931c88b |  Bin 1049 -> 0 bytes
 .../certs/442b7162c7a4c27bd0f1076e345c5664bed53c7c |  Bin 1060 -> 0 bytes
 .../certs/45b967b2f9b4a8855235b2d01249cd1e079348aa |  Bin 1062 -> 0 bytes
 .../certs/47a2450a79a68462c105747751a6526aa8a20277 |  Bin 1043 -> 0 bytes
 .../certs/4f4b98c28a1d286274f529e75000cfbb02ce4c64 |  Bin 1039 -> 0 bytes
 .../certs/53b5bf163ae90d54271288852c2ab062fb9e74e3 |  Bin 1061 -> 0 bytes
 .../certs/53c790f4502ef25e04d6924ac63e65ec224495db |  Bin 0 -> 1061 bytes
 .../certs/548acbf0651d74df8175e709d52e24d9fcf1a1e5 |  Bin 0 -> 1062 bytes
 .../certs/55b8d682bccbba72d48faa4e31b885c589d94e35 |  Bin 0 -> 1060 bytes
 .../certs/57b8d46c89658ec3a53e7aec7fd99aa42636d8a8 |  Bin 0 -> 1062 bytes
 .../certs/5bd93cb213b4b31885da0a0efc2a79f4a7070708 |  Bin 0 -> 1080 bytes
 .../certs/644c5cc8c42a6c8cfe62f6a83bb0dbb43f0f0fb4 |  Bin 1059 -> 0 bytes
 .../certs/65b352233dc5cf96ecd69271587e47eea59446f1 |  Bin 0 -> 1070 bytes
 .../certs/679aaf150f9eef2897cf419485667387a8b8579a |  Bin 0 -> 1059 bytes
 .../certs/694f095095ab926875841456736263fe40696930 |  Bin 0 -> 1062 bytes
 .../certs/7c6a448fb938e5c19ab75631f0d0cbb92b25f2a9 |  Bin 1049 -> 0 bytes
 .../certs/7db109750703f47b822eb10cf205159f90fe3634 |  Bin 1119 -> 0 bytes
 .../certs/878cbc01427f1c1f5335b68604256705e85bfcd1 |  Bin 0 -> 1043 bytes
 .../certs/8c16a693aa59f4f4ed7eec7fd8a4ba7799e3c531 |  Bin 0 -> 1119 bytes
 .../certs/8dcd0fcfbfdcfce2480a4f18b20007517df2091f |  Bin 965 -> 0 bytes
 .../certs/8e9be7e9f0de2874707245ee200bfb971a646ba9 |  Bin 1059 -> 0 bytes
 .../certs/9319a45e2618f95fa64c539edb6bb6ef5e19a27e |  Bin 0 -> 1062 bytes
 .../certs/982d8252943f432acfacb002a0e576442402ba50 |  Bin 0 -> 959 bytes
 .../certs/9ff39ec266e309f2b53748a4fe0cfd3923955ff4 |  Bin 1095 -> 0 bytes
 .../certs/a91bb369a86604673f42f25b3fc94422eb73afd5 |  Bin 1041 -> 0 bytes
 .../certs/af19b02dcdc28a4e86d1657b656f0cac63b5474b |  Bin 1059 -> 0 bytes
 .../certs/b15a2fbbd5613781df896d28f82e4b0893011530 |  Bin 1070 -> 0 bytes
 .../certs/bb027269812f2cb0c1ba534c0016b7f33bdca83f |  Bin 1041 -> 0 bytes
 .../certs/c45be2b38883548967f4f959fd5ec0822f65237b |  Bin 1058 -> 0 bytes
 .../certs/cb516460e6f70eb2601effee6b7b6c7884c23fdb |  Bin 0 -> 1095 bytes
 .../certs/cedd2d5985ee0efde7acb2f788ed1a4237197d01 |  Bin 1062 -> 0 bytes
 .../certs/dbb808e4f319d815aadd8dab6f6ae5b717800e83 |  Bin 1043 -> 0 bytes
 .../certs/de106e5254cbafddb683117f90174910f43b5ae3 |  Bin 1062 -> 0 bytes
 .../certs/de216601f06d10a41171392fdfc9127f0bb9d5b0 |  Bin 1062 -> 0 bytes
 .../certs/e07015ca76fba1039b247ce96c214bb038539cc8 |  Bin 1058 -> 0 bytes
 .../certs/e079576c2006eb01569cb79c6e39dbb488050a86 |  Bin 0 -> 1092 bytes
 .../certs/e08213ec6a79e05c86a6f8a378eb4d5086352a7b |  Bin 1059 -> 0 bytes
 .../certs/e1fc65a76e366f513effaba487ac6cf2c144b7a7 |  Bin 0 -> 1059 bytes
 .../certs/edde495f4fb6db4e3eff85bcaecda2a3ccc58fcf |  Bin 1076 -> 0 bytes
 .../certs/f2595dbd1ee26d9df0e8c5beae47875c68b97b4c |  Bin 1062 -> 0 bytes
 testing/hosts/winnetou/etc/openssl/index.txt       |   22 +-
 testing/hosts/winnetou/etc/openssl/index.txt.old   |   22 +-
 testing/hosts/winnetou/etc/openssl/newcerts/2A.pem |   25 +
 testing/hosts/winnetou/etc/openssl/newcerts/2B.pem |   25 +
 testing/hosts/winnetou/etc/openssl/newcerts/2D.pem |   25 +
 testing/hosts/winnetou/etc/openssl/newcerts/2E.pem |   25 +
 testing/hosts/winnetou/etc/openssl/newcerts/2F.pem |   25 +
 testing/hosts/winnetou/etc/openssl/newcerts/30.pem |   25 +
 testing/hosts/winnetou/etc/openssl/newcerts/31.pem |   25 +
 testing/hosts/winnetou/etc/openssl/serial          |    2 +-
 testing/hosts/winnetou/etc/openssl/serial.old      |    2 +-
 testing/scripts/build-baseimage                    |    4 +-
 testing/scripts/build-guestimages                  |    1 +
 testing/scripts/build-rootimage                    |    1 +
 testing/scripts/build-strongswan                   |   66 +
 testing/scripts/function.sh                        |   12 +
 testing/scripts/recipes/005_anet.mk                |   10 +-
 testing/scripts/recipes/006_tkm-rpc.mk             |   10 +-
 testing/scripts/recipes/007_x509-ada.mk            |   12 +-
 testing/scripts/recipes/008_xfrm-ada.mk            |   10 +-
 testing/scripts/recipes/009_xfrm-proxy.mk          |   10 +-
 testing/scripts/recipes/010_tkm.mk                 |   10 +-
 testing/scripts/recipes/013_strongswan.mk          |   20 +-
 testing/start-testing                              |    1 +
 .../af-alg/rw-cert/hosts/dave/etc/strongswan.conf  |    2 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 +-
 .../ha/both-active/hosts/alice/etc/strongswan.conf |    2 +-
 .../ha/both-active/hosts/carol/etc/strongswan.conf |    2 +-
 .../ha/both-active/hosts/dave/etc/strongswan.conf  |    2 +-
 .../ha/both-active/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ike/rw-cert/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ike/rw-cert/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ike/rw-cert/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw_v1-net_v2/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw_v1-net_v2/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf |    2 +-
 .../alg-3des-md5/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-3des-md5/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../alg-sha256/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha256/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev1/compress/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev1/compress/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |    2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |    2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |    2 +-
 .../double-nat-net/hosts/alice/etc/strongswan.conf |    2 +-
 .../double-nat-net/hosts/bob/etc/strongswan.conf   |    2 +-
 .../double-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev1/double-nat/hosts/bob/etc/strongswan.conf |    2 +-
 .../dpd-clear/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev1/dpd-clear/hosts/moon/etc/strongswan.conf |    2 +-
 .../dpd-restart/hosts/carol/etc/strongswan.conf    |    2 +-
 .../dpd-restart/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/certs/carolCert.pem     |   34 +-
 .../hosts/dave/etc/ipsec.d/private/carolKey.pem    |   52 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/certs/carolCert.pem     |   34 +-
 .../hosts/dave/etc/ipsec.d/private/carolKey.pem    |   52 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../host2host-ah/hosts/moon/etc/strongswan.conf    |    2 +-
 .../host2host-ah/hosts/sun/etc/strongswan.conf     |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev1/ip-pool/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev1/ip-pool/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev1/ip-pool/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |    2 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |    2 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev1/nat-rw/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev1/nat-rw/hosts/sun/etc/strongswan.conf     |    2 +-
 .../ikev1/nat-rw/hosts/venus/etc/strongswan.conf   |    2 +-
 .../nat-virtual-ip/hosts/moon/etc/strongswan.conf  |    2 +-
 .../nat-virtual-ip/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-ah/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev1/net2net-ah/hosts/sun/etc/strongswan.conf |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../tests/ikev1/net2net-fragmentation/evaltest.dat |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-cert-unity/hosts/carol/etc/strongswan.conf  |    4 +-
 .../rw-cert-unity/hosts/moon/etc/strongswan.conf   |    2 +-
 .../ikev1/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev1/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev1/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../virtual-ip/hosts/carol/etc/strongswan.conf     |    2 +-
 .../virtual-ip/hosts/dave/etc/strongswan.conf      |    2 +-
 .../virtual-ip/hosts/moon/etc/strongswan.conf      |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../acert-cached/hosts/carol/etc/strongswan.conf   |    2 +-
 .../acert-cached/hosts/dave/etc/strongswan.conf    |    2 +-
 .../etc/ipsec.d/acerts/carol-sales-finance.pem     |   18 +-
 .../moon/etc/ipsec.d/acerts/dave-marketing.pem     |   18 +-
 .../moon/etc/ipsec.d/acerts/dave-sales-expired.pem |   18 +-
 .../acert-cached/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/ikev2/acert-cached/reissue.txt       |   23 +
 .../etc/ipsec.d/acerts/carol-finance-expired.pem   |   18 +-
 .../hosts/carol/etc/ipsec.d/acerts/carol-sales.pem |   18 +-
 .../acert-fallback/hosts/carol/etc/strongswan.conf |    2 +-
 .../acert-fallback/hosts/moon/etc/strongswan.conf  |    2 +-
 testing/tests/ikev2/acert-fallback/reissue.txt     |   15 +
 .../hosts/carol/etc/ipsec.d/acerts/carol-sales.pem |   18 +-
 .../acert-inline/hosts/carol/etc/strongswan.conf   |    2 +-
 .../dave/etc/ipsec.d/acerts/dave-expired-aa.pem    |   18 +-
 .../dave/etc/ipsec.d/acerts/dave-marketing.pem     |   18 +-
 .../acert-inline/hosts/dave/etc/strongswan.conf    |    2 +-
 .../acert-inline/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/ikev2/acert-inline/reissue.txt       |   23 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../alg-3des-md5/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-3des-md5/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-aes-ccm/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-aes-ccm/hosts/moon/etc/strongswan.conf     |    2 +-
 .../alg-aes-ctr/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-aes-ctr/hosts/moon/etc/strongswan.conf     |    2 +-
 .../alg-aes-gcm/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-aes-gcm/hosts/moon/etc/strongswan.conf     |    2 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../alg-sha256-96/hosts/carol/etc/strongswan.conf  |    2 +-
 .../alg-sha256-96/hosts/moon/etc/strongswan.conf   |    2 +-
 .../alg-sha256/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha256/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../any-interface/hosts/alice/etc/strongswan.conf  |    2 +-
 .../any-interface/hosts/bob/etc/strongswan.conf    |    2 +-
 .../any-interface/hosts/moon/etc/strongswan.conf   |    2 +-
 .../any-interface/hosts/sun/etc/strongswan.conf    |    2 +-
 .../compress-nat/hosts/alice/etc/strongswan.conf   |    2 +-
 .../compress-nat/hosts/bob/etc/strongswan.conf     |    2 +-
 .../compress-nat/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev2/compress/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/compress/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |    2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |    2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../crl-from-cache/hosts/carol/etc/strongswan.conf |    2 +-
 .../crl-from-cache/hosts/moon/etc/strongswan.conf  |    2 +-
 .../carol/etc/ipsec.d/certs/carolRevokedCert.pem   |   34 +-
 .../carol/etc/ipsec.d/private/carolRevokedKey.pem  |   50 +-
 .../crl-revoked/hosts/carol/etc/strongswan.conf    |    2 +-
 .../crl-revoked/hosts/moon/etc/strongswan.conf     |    2 +-
 .../crl-to-cache/hosts/carol/etc/strongswan.conf   |    2 +-
 .../crl-to-cache/hosts/moon/etc/strongswan.conf    |    2 +-
 .../default-keys/hosts/carol/etc/strongswan.conf   |    2 +-
 .../default-keys/hosts/moon/etc/strongswan.conf    |    2 +-
 .../dhcp-dynamic/hosts/carol/etc/strongswan.conf   |    2 +-
 .../dhcp-dynamic/hosts/dave/etc/strongswan.conf    |    2 +-
 .../dhcp-dynamic/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../dhcp-static-mac/hosts/dave/etc/strongswan.conf |    2 +-
 .../dhcp-static-mac/hosts/moon/etc/strongswan.conf |    2 +-
 .../double-nat-net/hosts/alice/etc/strongswan.conf |    2 +-
 .../double-nat-net/hosts/bob/etc/strongswan.conf   |    2 +-
 .../double-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/double-nat/hosts/bob/etc/strongswan.conf |    2 +-
 .../dpd-clear/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/dpd-clear/hosts/moon/etc/strongswan.conf |    2 +-
 .../ikev2/dpd-hold/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/dpd-hold/hosts/moon/etc/strongswan.conf  |    2 +-
 .../dpd-restart/hosts/carol/etc/strongswan.conf    |    2 +-
 .../dpd-restart/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/certs/carolCert.pem     |   34 +-
 .../hosts/dave/etc/ipsec.d/private/carolKey.pem    |   52 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-md5-128/hosts/moon/etc/strongswan.conf |    2 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ikev2/farp/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev2/farp/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ikev2/farp/hosts/moon/etc/strongswan.conf      |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../force-udp-encaps/hosts/sun/etc/strongswan.conf |    2 +-
 .../host2host-ah/hosts/moon/etc/strongswan.conf    |    2 +-
 .../host2host-ah/hosts/sun/etc/strongswan.conf     |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ip-pool-wish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-pool-wish/hosts/dave/etc/strongswan.conf    |    2 +-
 .../ip-pool-wish/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev2/ip-pool/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/ip-pool/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/ip-pool/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ip-two-pools-db/hosts/dave/etc/strongswan.conf |    2 +-
 .../ip-two-pools-db/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-two-pools/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev2/lookip/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev2/lookip/hosts/dave/etc/strongswan.conf    |    2 +-
 .../ikev2/lookip/hosts/moon/etc/strongswan.conf    |    2 +-
 .../mobike-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/mobike-nat/hosts/sun/etc/strongswan.conf |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ikev2/mobike/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev2/mobike/hosts/sun/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |    2 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |    2 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |    2 +-
 .../nat-rw-mark/hosts/alice/etc/strongswan.conf    |    2 +-
 .../nat-rw-mark/hosts/sun/etc/strongswan.conf      |    2 +-
 .../nat-rw-mark/hosts/venus/etc/strongswan.conf    |    2 +-
 .../ikev2/nat-rw/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev2/nat-rw/hosts/sun/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-rw/hosts/venus/etc/strongswan.conf   |    2 +-
 .../nat-virtual-ip/hosts/moon/etc/strongswan.conf  |    2 +-
 .../nat-virtual-ip/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-ah/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev2/net2net-ah/hosts/sun/etc/strongswan.conf |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../hosts/moon/etc/ipsec.d/certs/moonPub.der       |  Bin 294 -> 294 bytes
 .../hosts/sun/etc/ipsec.d/certs/sunPub.der         |  Bin 294 -> 294 bytes
 .../net2net-esn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../net2net-esn/hosts/sun/etc/strongswan.conf      |    2 +-
 .../ikev2/net2net-fragmentation/description.txt    |    9 +
 .../tests/ikev2/net2net-fragmentation/evaltest.dat |   15 +
 .../hosts/moon/etc/ipsec.conf                      |   22 +
 .../hosts/moon/etc/strongswan.conf                 |    0
 .../net2net-fragmentation/hosts/sun/etc/ipsec.conf |   22 +
 .../hosts/sun}/etc/strongswan.conf                 |    0
 .../tests/ikev2/net2net-fragmentation/posttest.dat |    5 +
 .../tests/ikev2/net2net-fragmentation/pretest.dat  |    6 +
 .../tests/ikev2/net2net-fragmentation/test.conf    |   21 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/ipsec.d/private/moonCert.p12    |  Bin 3766 -> 3661 bytes
 .../net2net-pkcs12/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/sun/etc/ipsec.d/private/sunCert.p12      |  Bin 3764 -> 3661 bytes
 .../net2net-pkcs12/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../net2net-psk-dscp/hosts/sun/etc/strongswan.conf |    2 +-
 .../net2net-rfc3779/hosts/moon/etc/strongswan.conf |    2 +-
 .../net2net-rfc3779/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../net2net-start/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-start/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ocsp-local-cert/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../carol/etc/ipsec.d/certs/carolRevokedCert.pem   |   34 +-
 .../carol/etc/ipsec.d/private/carolRevokedKey.pem  |   50 +-
 .../ocsp-revoked/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ocsp-revoked/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ocsp-root-cert/hosts/carol/etc/strongswan.conf |    2 +-
 .../ocsp-root-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |    2 +-
 .../reauth-early/hosts/carol/etc/strongswan.conf   |    2 +-
 .../reauth-early/hosts/moon/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/carol/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/ipsec.d/certs/moonPub.der       |  Bin 294 -> 294 bytes
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../rw-eap-dynamic/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-dynamic/hosts/dave/etc/strongswan.conf  |    2 +-
 .../rw-eap-dynamic/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-eap-peap-md5/hosts/dave/etc/strongswan.conf |    2 +-
 .../rw-eap-peap-md5/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-hash-and-url/hosts/dave/etc/strongswan.conf |    2 +-
 .../rw-hash-and-url/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-mark-in-out/hosts/alice/etc/strongswan.conf |    2 +-
 .../rw-mark-in-out/hosts/sun/etc/strongswan.conf   |    2 +-
 .../rw-mark-in-out/hosts/venus/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/ipsec.d/private/carolKey.pem   |   54 +-
 .../ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf |    2 +-
 .../hosts/dave/etc/ipsec.d/private/daveKey.pem     |   56 +-
 .../ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf  |    2 +-
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |   52 +-
 .../ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-whitelist/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-whitelist/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-whitelist/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/ikev2/rw-whitelist/pretest.dat       |    4 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../two-certs/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/two-certs/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../virtual-ip/hosts/carol/etc/strongswan.conf     |    2 +-
 .../virtual-ip/hosts/dave/etc/strongswan.conf      |    2 +-
 .../virtual-ip/hosts/moon/etc/strongswan.conf      |    2 +-
 .../wildcards/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/wildcards/hosts/dave/etc/strongswan.conf |    2 +-
 .../ikev2/wildcards/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev1/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev1/hosts/sun/etc/strongswan.conf  |    2 +-
 .../host2host-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-ikev1/hosts/moon/etc/strongswan.conf   |    4 +-
 .../net2net-ikev1/hosts/sun/etc/strongswan.conf    |    4 +-
 .../ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf   |    1 +
 .../net2net-ikev2/hosts/moon/etc/strongswan.conf   |    5 +-
 .../ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf    |    1 +
 .../net2net-ikev2/hosts/sun/etc/strongswan.conf    |    5 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../transport-ikev1/hosts/moon/etc/strongswan.conf |    2 +-
 .../transport-ikev1/hosts/sun/etc/strongswan.conf  |    2 +-
 .../transport-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../transport-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-3des/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-3des/hosts/sun/etc/strongswan.conf     |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../rw-suite-b/hosts/carol/etc/strongswan.conf     |    2 +-
 .../rw-suite-b/hosts/dave/etc/strongswan.conf      |    2 +-
 .../rw-suite-b/hosts/moon/etc/strongswan.conf      |    4 +-
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-ecp-high/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-ecp-high/hosts/dave/etc/strongswan.conf    |    2 +-
 .../alg-ecp-high/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-ecp-low/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-ecp-low/hosts/dave/etc/strongswan.conf     |    2 +-
 .../alg-ecp-low/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |    2 +-
 .../alg-aes-gcm/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-aes-gcm/hosts/dave/etc/strongswan.conf     |    2 +-
 .../alg-aes-gcm/hosts/moon/etc/strongswan.conf     |    2 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |    2 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-camellia/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-camellia/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../alg-ecp-high/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-ecp-high/hosts/dave/etc/strongswan.conf    |    2 +-
 .../alg-ecp-high/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-ecp-low/hosts/carol/etc/strongswan.conf    |    2 +-
 .../alg-ecp-low/hosts/dave/etc/strongswan.conf     |    2 +-
 .../alg-ecp-low/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ecdsa-certs/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ecdsa-certs/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ecdsa-certs/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ecdsa-pkcs8/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ecdsa-pkcs8/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ecdsa-pkcs8/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/moon/etc/ipsec.d/private/moonCert.p12    |  Bin 3766 -> 3661 bytes
 .../net2net-pkcs12/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/sun/etc/ipsec.d/private/sunCert.p12      |  Bin 3764 -> 3661 bytes
 .../net2net-pkcs12/hosts/sun/etc/strongswan.conf   |    2 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    3 +-
 .../rw-cert/hosts/dave/etc/strongswan.conf         |    2 +-
 .../rw-cert/hosts/moon/etc/strongswan.conf         |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf |    3 +-
 .../rw-suite-b-128/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-suite-b-128/hosts/dave/etc/strongswan.conf  |    4 +-
 .../rw-suite-b-128/hosts/moon/etc/strongswan.conf  |    4 +-
 .../rw-suite-b-192/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-suite-b-192/hosts/dave/etc/strongswan.conf  |    4 +-
 .../rw-suite-b-192/hosts/moon/etc/strongswan.conf  |    4 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../medsrv-psk/hosts/alice/etc/strongswan.conf     |    2 +-
 .../medsrv-psk/hosts/bob/etc/strongswan.conf       |    2 +-
 .../medsrv-psk/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../pfkey/compress/hosts/carol/etc/strongswan.conf |    2 +-
 .../pfkey/compress/hosts/moon/etc/strongswan.conf  |    2 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../pfkey/nat-rw/hosts/alice/etc/strongswan.conf   |    2 +-
 .../pfkey/nat-rw/hosts/sun/etc/strongswan.conf     |    2 +-
 .../pfkey/nat-rw/hosts/venus/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |    2 +-
 .../pfkey/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../pfkey/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../pfkey/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |    8 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |    8 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |    8 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |    8 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |    8 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |    8 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-pool-db/hosts/carol/etc/ipsec.d/data.sql    |    8 +-
 .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf |    2 +-
 .../sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql |    8 +-
 .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf  |    2 +-
 .../sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql |    8 +-
 .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |    8 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |    8 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |    8 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |    8 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |    8 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |    8 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |    2 +-
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |    2 +-
 .../multi-level-ca/hosts/dave/etc/ipsec.d/data.sql |    2 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |    2 +-
 .../multi-level-ca/hosts/moon/etc/ipsec.d/data.sql |    8 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-cert/hosts/moon/etc/ipsec.d/data.sql   |    8 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/ipsec.d/data.sql    |    8 +-
 .../sql/net2net-cert/hosts/sun/etc/strongswan.conf |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |    6 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/ipsec.d/data.sql                 |    6 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |    6 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/ipsec.d/data.sql                 |    6 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql   |    8 +-
 .../sql/rw-cert/hosts/carol/etc/strongswan.conf    |    2 +-
 .../sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql    |    8 +-
 .../sql/rw-cert/hosts/dave/etc/strongswan.conf     |    2 +-
 .../sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql    |    8 +-
 .../sql/rw-cert/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |    2 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql |    8 +-
 .../hosts/carol/etc/ipsec.d/data.sql               |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/ipsec.d/data.sql                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/ipsec.d/data.sql                |    8 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-rsa-keyid/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-rsa-keyid/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-rsa-keyid/hosts/moon/etc/strongswan.conf    |    2 +-
 .../sql/rw-rsa/hosts/carol/etc/strongswan.conf     |    2 +-
 .../sql/rw-rsa/hosts/dave/etc/strongswan.conf      |    2 +-
 .../sql/rw-rsa/hosts/moon/etc/strongswan.conf      |    2 +-
 .../hosts/alice/etc/ipsec.d/data.sql               |    8 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/ipsec.d/data.sql                 |    8 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/venus/etc/ipsec.d/data.sql               |    8 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 testing/tests/swanctl/ip-pool/pretest.dat          |    3 +-
 .../swanctl/net2net-cert-ipv6/description.txt      |    6 +
 .../tests/swanctl/net2net-cert-ipv6/evaltest.dat   |    5 +
 .../hosts/moon/etc/strongswan.conf                 |   15 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   35 +
 .../hosts/sun/etc/strongswan.conf                  |   15 +
 .../hosts/sun/etc/swanctl/swanctl.conf             |   35 +
 .../tests/swanctl/net2net-cert-ipv6/posttest.dat   |   11 +
 .../tests/swanctl/net2net-cert-ipv6/pretest.dat    |   16 +
 testing/tests/swanctl/net2net-cert-ipv6/test.conf  |   21 +
 testing/tests/swanctl/net2net-cert/pretest.dat     |    3 +-
 testing/tests/swanctl/net2net-route/pretest.dat    |    5 +-
 testing/tests/swanctl/net2net-start/pretest.dat    |    5 +-
 testing/tests/swanctl/rw-cert/pretest.dat          |    3 +-
 testing/tests/swanctl/rw-psk-fqdn/pretest.dat      |    3 +-
 testing/tests/swanctl/rw-psk-ipv4/pretest.dat      |    3 +-
 .../hosts/moon/etc/tkm/moonKey.der                 |  Bin 1191 -> 1191 bytes
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/tkm/moonKey.der                 |  Bin 1191 -> 1191 bytes
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/tkm/moonKey.der                 |  Bin 1191 -> 1191 bytes
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../multiple-clients/hosts/sun/etc/tkm/sunKey.der  |  Bin 1192 -> 1191 bytes
 .../hosts/moon/etc/tkm/moonKey.der                 |  Bin 1191 -> 1191 bytes
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/tkm/moonKey.der                 |  Bin 1191 -> 1191 bytes
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../tnccs-11-fhh/hosts/carol/etc/strongswan.conf   |    2 +-
 .../tnccs-11-fhh/hosts/dave/etc/strongswan.conf    |    2 +-
 .../tnccs-11-fhh/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/alice/etc/pts/data1.sql                  |    8 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/tnc/tnccs-11-radius-pts/pretest.dat  |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../tnccs-11-radius/hosts/dave/etc/strongswan.conf |    2 +-
 .../tnccs-11-radius/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../tnc/tnccs-11/hosts/carol/etc/strongswan.conf   |    2 +-
 .../tnc/tnccs-11/hosts/dave/etc/strongswan.conf    |    2 +-
 .../tnc/tnccs-11/hosts/moon/etc/strongswan.conf    |    2 +-
 .../tnccs-20-block/hosts/carol/etc/strongswan.conf |    2 +-
 .../tnccs-20-block/hosts/dave/etc/strongswan.conf  |    2 +-
 .../tnccs-20-block/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../tnccs-20-fhh/hosts/carol/etc/strongswan.conf   |    2 +-
 .../tnccs-20-fhh/hosts/dave/etc/strongswan.conf    |    2 +-
 .../tnccs-20-fhh/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/tnc/tnccs-20-os-pts/evaltest.dat     |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../tnccs-20-os-pts/hosts/dave/etc/strongswan.conf |    2 +-
 .../tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql   |    8 +-
 .../tnccs-20-os-pts/hosts/moon/etc/strongswan.conf |    3 +-
 testing/tests/tnc/tnccs-20-os-pts/pretest.dat      |    1 +
 testing/tests/tnc/tnccs-20-os/evaltest.dat         |    4 +-
 .../tnccs-20-os/hosts/carol/etc/strongswan.conf    |    2 +-
 .../tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf |    2 +-
 .../tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql   |   14 +-
 .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf |    2 +-
 testing/tests/tnc/tnccs-20-os/pretest.dat          |    1 +
 testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat    |    8 +-
 .../tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql |   14 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    6 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat     |    1 +
 testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat |    8 +-
 .../hosts/alice/etc/pts/data1.sql                  |   14 +-
 .../hosts/alice/etc/strongswan.conf                |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat  |    1 +
 testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/pts/data1.sql                   |    8 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat  |    1 +
 testing/tests/tnc/tnccs-20-pts/evaltest.dat        |    4 +-
 .../tnccs-20-pts/hosts/carol/etc/strongswan.conf   |    2 +-
 .../tnccs-20-pts/hosts/dave/etc/strongswan.conf    |    2 +-
 .../tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql  |    8 +-
 .../tnccs-20-pts/hosts/moon/etc/strongswan.conf    |    3 +-
 testing/tests/tnc/tnccs-20-pts/pretest.dat         |    1 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../tnccs-20-tls/hosts/carol/etc/strongswan.conf   |    2 +-
 .../tnccs-20-tls/hosts/dave/etc/strongswan.conf    |    2 +-
 .../tnccs-20-tls/hosts/moon/etc/strongswan.conf    |    2 +-
 .../tnc/tnccs-20/hosts/carol/etc/strongswan.conf   |    2 +-
 .../tnc/tnccs-20/hosts/dave/etc/strongswan.conf    |    2 +-
 .../tnc/tnccs-20/hosts/moon/etc/strongswan.conf    |    2 +-
 .../tnccs-dynamic/hosts/carol/etc/strongswan.conf  |    2 +-
 .../tnccs-dynamic/hosts/dave/etc/strongswan.conf   |    2 +-
 .../tnccs-dynamic/hosts/moon/etc/strongswan.conf   |    2 +-
 1582 files changed, 49303 insertions(+), 28638 deletions(-)

diff --git a/Android.common.mk b/Android.common.mk
index 490f810..c650cb8 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.2.0"
+strongswan_VERSION := "5.2.1"
 
diff --git a/Makefile.in b/Makefile.in
index e8c0ff5..8effaa3 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -263,6 +263,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -323,6 +324,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -388,6 +390,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -435,6 +439,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/NEWS b/NEWS
index cebeeba..f1a4b21 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,28 @@
+strongswan-5.2.1
+----------------
+
+- The new charon-systemd IKE daemon implements an IKE daemon tailored for use
+  with systemd. It avoids the dependency on ipsec starter and uses swanctl
+  as configuration backend, building a simple and lightweight solution. It
+  supports native systemd journal logging.
+
+- Support for IKEv2 fragmentation as per RFC 7383 has been added.  Like IKEv1
+  fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf.
+
+- Support of the TCG TNC IF-M Attribute Segmentation specification proposal.
+  All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID
+  and IETF/Installed Packages attributes can be processed incrementally on a
+  per segment basis.
+
+- The new ext-auth plugin calls an external script to implement custom IKE_SA
+  authorization logic, courtesy of Vyronas Tsingaras.
+
+- For the vici plugin a ruby gem has been added to allow ruby applications
+  to control or monitor the IKE daemon. The vici documentation has been updated
+  to include a description of the available operations and some simple examples
+  using both the libvici C interface and the ruby gem.
+
+
 strongswan-5.2.0
 ----------------
 
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 373be16..e507739 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -12,6 +12,7 @@ options = \
 	options/attest.opt \
 	options/charon.opt \
 	options/charon-logging.opt \
+	options/charon-systemd.opt \
 	options/imcv.opt \
 	options/manager.opt \
 	options/medsrv.opt \
@@ -44,6 +45,7 @@ plugins = \
 	plugins/eap-tnc.opt \
 	plugins/eap-ttls.opt \
 	plugins/error-notify.opt \
+	plugins/ext-auth.opt \
 	plugins/gcrypt.opt \
 	plugins/ha.opt \
 	plugins/imc-attestation.opt \
@@ -152,9 +154,9 @@ maintainer-clean-local:
 		rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp
 
 install-data-local: $(plugins_install_src)
-	test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)"
-	test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)"
-	test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)"
+	test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" || true
+	test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" || true
+	test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" || true
 	test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
 	for f in $(options_install_src); do \
 		name=`basename $$f`; \
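Review bot: The `|| true` added to the three `$(INSTALL) -d` lines in `install-data-local` makes a failed directory creation invisible, so `make install` can report success while `$(strongswanconfdir)`, `$(strongswanddir)` or `$(charonconfdir)` does not exist. If the aim is to tolerate a read-only or pre-populated DESTDIR, keep the tolerance but make it audible, e.g. `test -e "$(DESTDIR)$(strongswanconfdir)" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" || echo "warning: cannot create $(DESTDIR)$(strongswanconfdir)" >&2`. A comment above the rule should also state why failures are ignored. The rule's `for` loop continues outside the hunk, so how the later file installs react to a missing directory cannot be seen here.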
diff --git a/conf/Makefile.in b/conf/Makefile.in
index a0ad980..d5bb3ff 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -186,6 +186,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -246,6 +247,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -311,6 +313,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -358,6 +362,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
@@ -381,6 +389,7 @@ options = \
 	options/attest.opt \
 	options/charon.opt \
 	options/charon-logging.opt \
+	options/charon-systemd.opt \
 	options/imcv.opt \
 	options/manager.opt \
 	options/medsrv.opt \
@@ -413,6 +422,7 @@ plugins = \
 	plugins/eap-tnc.opt \
 	plugins/eap-ttls.opt \
 	plugins/error-notify.opt \
+	plugins/ext-auth.opt \
 	plugins/gcrypt.opt \
 	plugins/ha.opt \
 	plugins/imc-attestation.opt \
@@ -839,9 +849,9 @@ maintainer-clean-local:
 		rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp
 
 install-data-local: $(plugins_install_src)
-	test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)"
-	test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)"
-	test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)"
+	test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" || true
+	test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" || true
+	test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" || true
 	test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
 	for f in $(options_install_src); do \
 		name=`basename $$f`; \
diff --git a/conf/options/charon-systemd.conf b/conf/options/charon-systemd.conf
new file mode 100644
index 0000000..630488a
--- /dev/null
+++ b/conf/options/charon-systemd.conf
@@ -0,0 +1,16 @@
+charon-systemd {
+
+    # Section to configure native systemd journal logger, very similar to the
+    # syslog logger as described in LOGGER CONFIGURATION in strongswan.conf(5).
+    journal {
+
+        # Loglevel for a specific subsystem.
+        # <subsystem> = <default>
+
+        # Default loglevel.
+        # default = 1
+
+    }
+
+}
+
diff --git a/conf/options/charon-systemd.opt b/conf/options/charon-systemd.opt
new file mode 100644
index 0000000..3482f44
--- /dev/null
+++ b/conf/options/charon-systemd.opt
@@ -0,0 +1,13 @@
+charon-systemd.journal {}
+	Section to configure native systemd journal logger, very similar to the
+	syslog logger as described in LOGGER CONFIGURATION in
+	**strongswan.conf**(5).
+
+charon-systemd.journal.default = 1
+	Default loglevel.
+
+	Specifies the default loglevel to be used for subsystems for which no
+	specific loglevel is defined.
+
+charon-systemd.journal.<subsystem> = <default>
+	Loglevel for a specific subsystem.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index ec3a39a..0bec9bb 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -40,9 +40,11 @@ charon {
     # Free objects during authentication (might conflict with plugins).
     # flush_auth_cfg = no
 
-    # Maximum size (in bytes) of a sent fragment when using the proprietary
-    # IKEv1 fragmentation extension.
-    # fragment_size = 512
+    # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
+    # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
+    # address family specific        default values). If specified this limit is
+    # used for both IPv4 and IPv6.
+    # fragment_size = 0
 
     # Name of the group the daemon changes to after startup.
     # group =
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 1eb1b88..678aa37 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -85,9 +85,11 @@ charon.flush_auth_cfg = no
 	this might conflict with plugins that later need access to e.g. the used
 	certificates.
 
-charon.fragment_size = 512
-	Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
-	fragmentation extension.
+charon.fragment_size = 0
+	Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
+	when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
+	address family specific	default values). If specified this limit is used
+	for both IPv4 and IPv6.
 
 charon.group
 	Name of the group the daemon changes to after startup.
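Review bot: The new description of `charon.fragment_size` has a tab instead of a space between `specific` and `default`, which appears to be what surfaces as a run of spaces in conf/options/charon.conf and the man page in this same commit. The line should read `address family specific default values). If specified this limit is used`. The text also moves the unit from the fragment to the complete IP datagram and the default from 512 to 0 without naming the address-family defaults. A sentence stating them would help operators, as would a note that an explicit value carried over from 5.2.0 is now interpreted differently; that last point is inferred from the wording, not from code visible here.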
diff --git a/conf/options/starter.conf b/conf/options/starter.conf
index 8465f7e..447397b 100644
--- a/conf/options/starter.conf
+++ b/conf/options/starter.conf
@@ -1,5 +1,8 @@
 starter {
 
+    # Location of the ipsec.conf file
+    # config_file = ${sysconfdir}/ipsec.conf
+
     # Plugins to load in starter.
     # load =
 
diff --git a/conf/options/starter.opt b/conf/options/starter.opt
index 4e6574d..54689e9 100644
--- a/conf/options/starter.opt
+++ b/conf/options/starter.opt
@@ -1,3 +1,6 @@
+starter.config_file = ${sysconfdir}/ipsec.conf
+	Location of the ipsec.conf file
+
 starter.load =
 	Plugins to load in starter.
 
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
index 64db674..b98b195 100644
--- a/conf/plugins/eap-radius.conf
+++ b/conf/plugins/eap-radius.conf
@@ -7,11 +7,15 @@ eap-radius {
     # updates.
     # accounting_close_on_timeout = yes
 
+    # Interval for interim RADIUS accounting updates, if not specified by the
+    # RADIUS server in the Access-Accept message.
+    # accounting_interval = 0
+
     # If enabled, accounting is disabled unless an IKE_SA has at least one
     # virtual IP.
     # accounting_requires_vip = no
 
-    # Use class attributes in RADIUS-Accept messages as group membership
+    # Use class attributes in Access-Accept messages as group membership
     # information.
     # class_group = no
 
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
index 0df6a0d..2a6786d 100644
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@@ -5,12 +5,16 @@ charon.plugins.eap-radius.accounting_close_on_timeout = yes
 	Close the IKE_SA if there is a timeout during interim RADIUS accounting
 	updates.
 
+charon.plugins.eap-radius.accounting_interval = 0
+	Interval for interim RADIUS accounting updates, if not specified by the
+	RADIUS server in the Access-Accept message.
+
 charon.plugins.eap-radius.accounting_requires_vip = no
 	If enabled, accounting is disabled unless an IKE_SA has at least one
 	virtual IP.
 
 charon.plugins.eap-radius.class_group = no
-	Use class attributes in RADIUS-Accept messages as group membership
+	Use class attributes in Access-Accept messages as group membership
 	information.
 
 	Use the _class_ attribute sent in the RADIUS-Accept message as group
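Review bot: The summary line of `class_group` now says Access-Accept, but the long description two lines below still says `RADIUS-Accept message`, so the two paragraphs of the same option disagree. Change it to `Use the _class_ attribute sent in the Access-Accept message as group`. The new `accounting_interval` entry gives neither the unit nor the meaning of the default `0`. A second paragraph such as `Interval in seconds; 0 disables interim updates unless the server sends an interval.` would cover it, with both the unit and the meaning of 0 to be confirmed against the plugin. The `class_group` description continues outside the hunk.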
diff --git a/conf/plugins/ext-auth.conf b/conf/plugins/ext-auth.conf
new file mode 100644
index 0000000..f5aa45f
--- /dev/null
+++ b/conf/plugins/ext-auth.conf
@@ -0,0 +1,11 @@
+ext-auth {
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+    # Shell script to invoke for peer authorization.
+    # script =
+
+}
+
diff --git a/conf/plugins/ext-auth.opt b/conf/plugins/ext-auth.opt
new file mode 100644
index 0000000..bf127b9
--- /dev/null
+++ b/conf/plugins/ext-auth.opt
@@ -0,0 +1,15 @@
+charon.plugins.ext-auth.script =
+	Shell script to invoke for peer authorization.
+
+	Command to pass to the system shell for peer authorization. Authorization
+	is considered successful if the command executes normally with an exit code
+	of zero. For all other exit codes IKE_SA authorization is rejected.
+
+	The following environment variables get passed to the script:
+	_IKE_UNIQUE_ID_: The IKE_SA numerical unique identifier.
+	_IKE_NAME_: The peer configuration connection name.
+	_IKE_LOCAL_HOST_: Local IKE IP address.
+	_IKE_REMOTE_HOST_: Remote IKE IP address.
+	_IKE_LOCAL_ID_: Local IKE identity.
+	_IKE_REMOTE_ID_: Remote IKE identity.
+	_IKE_REMOTE_EAP_ID_: Remote EAP or XAuth identity, if used.
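Review bot: The description of `charon.plugins.ext-auth.script` does not say that the environment variables carry peer-influenced data: `IKE_REMOTE_ID` and `IKE_REMOTE_EAP_ID` hold identities chosen by the remote side, and the command is handed to the system shell. I would add a paragraph along the lines of `The identity variables contain values supplied by the peer; scripts must quote them and never pass them to eval or use them unquoted in commands or file paths.` It would also help to state what happens when the plugin is loaded (the ext-auth.conf in this commit sets `load = yes`) but `script` is empty, since the text only defines the outcome for a command that runs. Whether authorization is then skipped or rejected is not visible in this hunk.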
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 6707469..f05f486 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -8,10 +8,20 @@ kernel-netlink {
     # priority of this plugin.
     load = yes
 
+    # MSS to set on installed routes, 0 to disable.
+    # mss = 0
+
+    # MTU to set on installed routes, 0 to disable.
+    # mtu = 0
+
     # Whether to trigger roam events when interfaces, addresses or routes
     # change.
     # roam_events = yes
 
+    # Whether to set protocol and ports in the selector installed on transport
+    # mode IPsec SAs in the kernel.
+    # set_proto_port_transport_sa = no
+
     # Lifetime of XFRM acquire state in kernel.
     # xfrm_acq_expires = 165
 
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index a8e421b..7d44581 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -7,9 +7,24 @@ charon.plugins.kernel-netlink.fwmark =
 	inverts the meaning (i.e. the rule only applies to packets that don't match
 	the mark).
 
+charon.plugins.kernel-netlink.mss = 0
+	MSS to set on installed routes, 0 to disable.
+
+charon.plugins.kernel-netlink.mtu = 0
+	MTU to set on installed routes, 0 to disable.
+
 charon.plugins.kernel-netlink.roam_events = yes
 	Whether to trigger roam events when interfaces, addresses or routes change.
 
+charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
+	Whether to set protocol and ports in the selector installed on transport
+	mode IPsec SAs in the kernel.
+
+	Whether to set protocol and ports in the selector installed on transport
+	mode IPsec SAs in the kernel. While doing so enforces policies for inbound
+	traffic, it also prevents the use of a single IPsec SA by more than one
+	traffic selector.
+
 charon.plugins.kernel-netlink.xfrm_acq_expires = 165
 	Lifetime of XFRM acquire state in kernel.
 
diff --git a/conf/plugins/stroke.conf b/conf/plugins/stroke.conf
index 6dd0630..3d8ee0a 100644
--- a/conf/plugins/stroke.conf
+++ b/conf/plugins/stroke.conf
@@ -14,6 +14,9 @@ stroke {
     # If enabled log level changes via stroke socket are not allowed.
     # prevent_loglevel_changes = no
 
+    # Location of the ipsec.secrets file
+    # secrets_file = ${sysconfdir}/ipsec.secrets
+
     # Socket provided by the stroke plugin.
     # socket = unix://${piddir}/charon.ctl
 
diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt
index 2cfc2c6..4b49b1f 100644
--- a/conf/plugins/stroke.opt
+++ b/conf/plugins/stroke.opt
@@ -8,6 +8,9 @@ charon.plugins.stroke.max_concurrent = 4
 charon.plugins.stroke.prevent_loglevel_changes = no
 	If enabled log level changes via stroke socket are not allowed.
 
+charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets
+	Location of the ipsec.secrets file
+
 charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
 	Socket provided by the stroke plugin.
 
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index d93c208..28f6b12 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -165,9 +165,11 @@ are released to free memory once an IKE_SA is established. Enabling this might
 conflict with plugins that later need access to e.g. the used certificates.
 
 .TP
-.BR charon.fragment_size " [512]"
-Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
-fragmentation extension.
+.BR charon.fragment_size " [0]"
+Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
+using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for address
+family specific        default values). If specified this limit is used for both
+IPv4 and IPv6.
 
 .TP
 .BR charon.group " []"
@@ -511,6 +513,11 @@ Send RADIUS accounting information to RADIUS servers.
 Close the IKE_SA if there is a timeout during interim RADIUS accounting updates.
 
 .TP
+.BR charon.plugins.eap-radius.accounting_interval " [0]"
+Interval for interim RADIUS accounting updates, if not specified by the RADIUS
+server in the Access\-Accept message.
+
+.TP
 .BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
 If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
 
@@ -732,6 +739,29 @@ Request peer authentication based on a client certificate.
 Socket provided by the error\-notify plugin.
 
 .TP
+.BR charon.plugins.ext-auth.script " []"
+Command to pass to the system shell for peer authorization. Authorization is
+considered successful if the command executes normally with an exit code of
+zero. For all other exit codes IKE_SA authorization is rejected.
+
+The following environment variables get passed to the script:
+.RI "" "IKE_UNIQUE_ID" ":"
+The IKE_SA numerical unique identifier.
+.RI "" "IKE_NAME" ":"
+The peer configuration
+connection name.
+.RI "" "IKE_LOCAL_HOST" ":"
+Local IKE IP address.
+.RI "" "IKE_REMOTE_HOST" ":"
+Remote IKE IP address.
+.RI "" "IKE_LOCAL_ID" ":"
+Local IKE identity.
+.RI "" "IKE_REMOTE_ID" ":"
+Remote IKE identity.
+.RI "" "IKE_REMOTE_EAP_ID" ":"
+Remote EAP or XAuth identity, if used.
+
+.TP
 .BR charon.plugins.gcrypt.quick_random " [no]"
 Use faster random numbers in gcrypt; for testing only, produces weak keys!
 
@@ -782,10 +812,24 @@ table. The format is [!]mark[/mask], where the optional exclamation mark inverts
 the meaning (i.e. the rule only applies to packets that don't match the mark).
 
 .TP
+.BR charon.plugins.kernel-netlink.mss " [0]"
+MSS to set on installed routes, 0 to disable.
+
+.TP
+.BR charon.plugins.kernel-netlink.mtu " [0]"
+MTU to set on installed routes, 0 to disable.
+
+.TP
 .BR charon.plugins.kernel-netlink.roam_events " [yes]"
 Whether to trigger roam events when interfaces, addresses or routes change.
 
 .TP
+.BR charon.plugins.kernel-netlink.set_proto_port_transport_sa " [no]"
+Whether to set protocol and ports in the selector installed on transport mode
+IPsec SAs in the kernel. While doing so enforces policies for inbound traffic,
+it also prevents the use of a single IPsec SA by more than one traffic selector.
+
+.TP
 .BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
 Lifetime of XFRM acquire state in kernel. The value gets written to
 /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
@@ -1123,6 +1167,10 @@ Maximum number of stroke messages handled concurrently.
 If enabled log level changes via stroke socket are not allowed.
 
 .TP
+.BR charon.plugins.stroke.secrets_file " [${sysconfdir}/ipsec.secrets]"
+Location of the ipsec.secrets file
+
+.TP
 .BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
 Socket provided by the stroke plugin.
 
@@ -1483,6 +1531,23 @@ Name of the user the daemon changes to after startup.
 Discard certificates with unsupported or unknown critical extensions.
 
 .TP
+.B charon-systemd.journal
+.br
+Section to configure native systemd journal logger, very similar to the syslog
+logger as described in LOGGER CONFIGURATION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon-systemd.journal.<subsystem> " [<default>]"
+Loglevel for a specific subsystem.
+
+.TP
+.BR charon-systemd.journal.default " [1]"
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+
+.TP
 .BR libimcv.debug_level " [1]"
 Debug level for a stand\-alone
 .RI "" "libimcv" ""
@@ -1741,6 +1806,10 @@ Plugins to load in ipsec pool tool.
 Plugins to load in ipsec scepclient tool.
 
 .TP
+.BR starter.config_file " [${sysconfdir}/ipsec.conf]"
+Location of the ipsec.conf file
+
+.TP
 .BR starter.load " []"
 Plugins to load in starter.
 
diff --git a/config.h.in b/config.h.in
index 1899b70..ad095d0 100644
--- a/config.h.in
+++ b/config.h.in
@@ -190,6 +190,9 @@
 /* have netlink RTA_TABLE defined */
 #undef HAVE_RTA_TABLE
 
+/* have PF_ROUTE RTM_IFANNOUNCE defined */
+#undef HAVE_RTM_IFANNOUNCE
+
 /* Define to 1 if you have the `sem_timedwait' function. */
 #undef HAVE_SEM_TIMEDWAIT
 
diff --git a/configure b/configure
index a2004a8..ee7d4cb 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.2.0.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.2.1.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.2.0'
-PACKAGE_STRING='strongSwan 5.2.0'
+PACKAGE_VERSION='5.2.1'
+PACKAGE_STRING='strongSwan 5.2.1'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -633,6 +633,12 @@ am__EXEEXT_TRUE
 LTLIBOBJS
 LIBOBJS
 strongswan_options
+USE_RUBY_GEMS_FALSE
+USE_RUBY_GEMS_TRUE
+USE_LEGACY_SYSTEMD_FALSE
+USE_LEGACY_SYSTEMD_TRUE
+USE_SYSTEMD_FALSE
+USE_SYSTEMD_TRUE
 USE_SVC_FALSE
 USE_SVC_TRUE
 USE_SWANCTL_FALSE
@@ -653,8 +659,6 @@ MONOLITHIC_FALSE
 MONOLITHIC_TRUE
 USE_TROUSERS_FALSE
 USE_TROUSERS_TRUE
-USE_PTS_FALSE
-USE_PTS_TRUE
 USE_IMCV_FALSE
 USE_IMCV_TRUE
 USE_RADIUS_FALSE
@@ -843,6 +847,8 @@ USE_ERROR_NOTIFY_FALSE
 USE_ERROR_NOTIFY_TRUE
 USE_LOOKIP_FALSE
 USE_LOOKIP_TRUE
+USE_EXT_AUTH_FALSE
+USE_EXT_AUTH_TRUE
 USE_WHITELIST_FALSE
 USE_WHITELIST_TRUE
 USE_KERNEL_IPH_FALSE
@@ -999,6 +1005,8 @@ attest_plugins
 pool_plugins
 starter_plugins
 charon_plugins
+RUBYGEMDIR
+GEM
 COVERAGE_LDFLAGS
 COVERAGE_CFLAGS
 GENHTML
@@ -1025,6 +1033,12 @@ RUBYINCLUDE
 RUBY
 gtk_LIBS
 gtk_CFLAGS
+json_LIBS
+json_CFLAGS
+systemd_journal_LIBS
+systemd_journal_CFLAGS
+systemd_daemon_LIBS
+systemd_daemon_CFLAGS
 xml_LIBS
 xml_CFLAGS
 soup_LIBS
@@ -1109,8 +1123,6 @@ charon_udp_port
 ipsecgroup
 ipsecuser
 systemdsystemunitdir
-HAVE_SYSTEMD_FALSE
-HAVE_SYSTEMD_TRUE
 fips_mode
 ipsec_script
 routing_table_prio
@@ -1225,6 +1237,7 @@ with_capabilities
 with_mpz_powm_sec
 with_dev_headers
 with_printf_hooks
+with_rubygemdir
 with_systemdsystemunitdir
 with_user
 with_group
@@ -1295,6 +1308,7 @@ enable_eap_peap
 enable_eap_tnc
 enable_eap_dynamic
 enable_eap_radius
+enable_ext_auth
 enable_ipseckey
 enable_keychain
 enable_pkcs11
@@ -1372,6 +1386,7 @@ enable_pki
 enable_scepclient
 enable_scripts
 enable_svc
+enable_systemd
 enable_swanctl
 enable_tkm
 enable_bfd_backtraces
@@ -1382,6 +1397,7 @@ enable_integrity_test
 enable_load_warning
 enable_mediation
 enable_unwind_backtraces
+enable_ruby_gems
 enable_coverage
 enable_leak_detective
 enable_lock_profiler
@@ -1417,6 +1433,12 @@ soup_CFLAGS
 soup_LIBS
 xml_CFLAGS
 xml_LIBS
+systemd_daemon_CFLAGS
+systemd_daemon_LIBS
+systemd_journal_CFLAGS
+systemd_journal_LIBS
+json_CFLAGS
+json_LIBS
 gtk_CFLAGS
 gtk_LIBS
 maemo_CFLAGS
@@ -1965,7 +1987,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.2.0 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.2.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -2035,7 +2057,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.2.0:";;
+     short | recursive ) echo "Configuration of strongSwan 5.2.1:";;
    esac
   cat <<\_ACEOF
 
@@ -2125,6 +2147,8 @@ Optional Features:
   --enable-eap-tnc        enable EAP TNC trusted network connect module.
   --enable-eap-dynamic    enable dynamic EAP proxy module.
   --enable-eap-radius     enable RADIUS proxy authentication module.
+  --enable-ext-auth       enable plugin calling an external authorization
+                          script.
   --enable-ipseckey       enable IPSECKEY authentication plugin.
   --enable-keychain       enables OS X Keychain Services credential set.
   --enable-pkcs11         enables the PKCS11 token support plugin.
@@ -2224,6 +2248,7 @@ Optional Features:
   --disable-scripts       disable additional utilities (found in directory
                           scripts).
   --enable-svc            enable charon Windows service.
+  --enable-systemd        enable systemd specific IKE daemon charon-systemd.
   --enable-swanctl        enable swanctl configuration and control tool.
   --enable-tkm            enable Trusted Key Manager support.
   --enable-bfd-backtraces use binutils libbfd to resolve backtraces for memory
@@ -2241,6 +2266,7 @@ Optional Features:
   --enable-unwind-backtraces
                           use libunwind to create backtraces for memory leaks
                           and segfaults.
+  --enable-ruby-gems      enable installation of provided ruby gems.
   --enable-coverage       enable lcov coverage report generation.
   --enable-leak-detective enable malloc hooks to find memory leaks.
   --enable-lock-profiler  enable lock/mutex profiling code.
@@ -2315,6 +2341,8 @@ Optional Packages:
   --with-printf-hooks=arg force the use of a specific printf hook
                           implementation (auto, builtin, glibc, vstr).
                           (default: auto).
+  --with-rubygemdir=arg   path to install ruby gems to (default: "gem
+                          environment gemdir").
   --with-systemdsystemunitdir=arg
                           directory for systemd service files (default:
                           $systemdsystemunitdir_default).
@@ -2362,6 +2390,16 @@ Some influential environment variables:
   soup_LIBS   linker flags for soup, overriding pkg-config
   xml_CFLAGS  C compiler flags for xml, overriding pkg-config
   xml_LIBS    linker flags for xml, overriding pkg-config
+  systemd_daemon_CFLAGS
+              C compiler flags for systemd_daemon, overriding pkg-config
+  systemd_daemon_LIBS
+              linker flags for systemd_daemon, overriding pkg-config
+  systemd_journal_CFLAGS
+              C compiler flags for systemd_journal, overriding pkg-config
+  systemd_journal_LIBS
+              linker flags for systemd_journal, overriding pkg-config
+  json_CFLAGS C compiler flags for json, overriding pkg-config
+  json_LIBS   linker flags for json, overriding pkg-config
   gtk_CFLAGS  C compiler flags for gtk, overriding pkg-config
   gtk_LIBS    linker flags for gtk, overriding pkg-config
   maemo_CFLAGS
@@ -2440,7 +2478,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.2.0
+strongSwan configure 5.2.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2962,7 +3000,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.2.0, which was
+It was created by strongSwan $as_me 5.2.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3825,7 +3863,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.2.0'
+ VERSION='5.2.1'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -4547,6 +4585,16 @@ fi
 
 
 
+# Check whether --with-rubygemdir was given.
+if test "${with_rubygemdir+set}" = set; then :
+  withval=$with_rubygemdir; rubygemdir="$withval"
+else
+  rubygemdir="gem environment gemdir"
+
+fi
+
+
+
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
 fi
@@ -4560,14 +4608,6 @@ else
 fi
 
 
- if test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno; then
-  HAVE_SYSTEMD_TRUE=
-  HAVE_SYSTEMD_FALSE='#'
-else
-  HAVE_SYSTEMD_TRUE='#'
-  HAVE_SYSTEMD_FALSE=
-fi
-
 
 
 
@@ -5710,6 +5750,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" eap_radius"
 
+# Check whether --enable-ext-auth was given.
+if test "${enable_ext_auth+set}" = set; then :
+  enableval=$enable_ext_auth; ext_auth_given=true
+		if test x$enableval = xyes; then
+			ext_auth=true
+		 else
+			ext_auth=false
+		fi
+else
+  ext_auth=false
+		ext_auth_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" ext_auth"
+
 # Check whether --enable-ipseckey was given.
 if test "${enable_ipseckey+set}" = set; then :
   enableval=$enable_ipseckey; ipseckey_given=true
@@ -6948,6 +7004,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" svc"
 
+# Check whether --enable-systemd was given.
+if test "${enable_systemd+set}" = set; then :
+  enableval=$enable_systemd; systemd_given=true
+		if test x$enableval = xyes; then
+			systemd=true
+		 else
+			systemd=false
+		fi
+else
+  systemd=false
+		systemd_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" systemd"
+
 # Check whether --enable-swanctl was given.
 if test "${enable_swanctl+set}" = set; then :
   enableval=$enable_swanctl; swanctl_given=true
@@ -7109,6 +7181,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" unwind_backtraces"
 
+# Check whether --enable-ruby-gems was given.
+if test "${enable_ruby_gems+set}" = set; then :
+  enableval=$enable_ruby_gems; ruby_gems_given=true
+		if test x$enableval = xyes; then
+			ruby_gems=true
+		 else
+			ruby_gems=false
+		fi
+else
+  ruby_gems=false
+		ruby_gems_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" ruby_gems"
+
 # compile options
 # Check whether --enable-coverage was given.
 if test "${enable_coverage+set}" = set; then :
@@ -16952,10 +17040,6 @@ if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$i
 	imcv=true;
 fi
 
-if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue -o x$imc_swid = xtrue -o x$imv_swid = xtrue; then
-	pts=true;
-fi
-
 if test x$fips_prf = xtrue; then
 	if test x$openssl = xfalse; then
 		sha1=true;
@@ -17977,7 +18061,7 @@ else
 fi
 
 
-for ac_header in sys/sockio.h glob.h net/if_tun.h linux/fib_rules.h
+for ac_header in sys/sockio.h glob.h net/if_tun.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@@ -18003,16 +18087,17 @@ fi
 
 done
 
-for ac_header in netinet/ip6.h
+for ac_header in netinet/ip6.h linux/fib_rules.h
 do :
-  ac_fn_c_check_header_compile "$LINENO" "netinet/ip6.h" "ac_cv_header_netinet_ip6_h" "
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "
 	#include <sys/types.h>
 	#include <netinet/in.h>
 
 "
-if test "x$ac_cv_header_netinet_ip6_h" = xyes; then :
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
-#define HAVE_NETINET_IP6_H 1
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -18117,6 +18202,34 @@ $as_echo "no" >&6; }
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for RTM_IFANNOUNCE" >&5
+$as_echo_n "checking for RTM_IFANNOUNCE... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/socket.h>
+		  #include <net/if.h>
+		  #include <net/route.h>
+int
+main ()
+{
+return RTM_IFANNOUNCE;
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_RTM_IFANNOUNCE /**/" >>confdefs.h
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for IPSEC_MODE_BEET" >&5
 $as_echo_n "checking for IPSEC_MODE_BEET... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -19047,119 +19160,125 @@ fi
 
 fi
 
-if test x$tss = xtrousers; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ltspi" >&5
-$as_echo_n "checking for main in -ltspi... " >&6; }
-if ${ac_cv_lib_tspi_main+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ltspi  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
+if test x$systemd = xtrue; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for systemd system unit directory" >&5
+$as_echo_n "checking for systemd system unit directory... " >&6; }
+	if test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno; then
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $systemdsystemunitdir" >&5
+$as_echo "$systemdsystemunitdir" >&6; }
+	else
+		as_fn_error $? "not found (try --with-systemdsystemunitdir)" "$LINENO" 5
+	fi
 
 
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_tspi_main=yes
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for systemd_daemon" >&5
+$as_echo_n "checking for systemd_daemon... " >&6; }
+
+if test -n "$systemd_daemon_CFLAGS"; then
+    pkg_cv_systemd_daemon_CFLAGS="$systemd_daemon_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_systemd_daemon_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-daemon" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
-  ac_cv_lib_tspi_main=no
+  pkg_failed=yes
 fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+ else
+    pkg_failed=untried
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tspi_main" >&5
-$as_echo "$ac_cv_lib_tspi_main" >&6; }
-if test "x$ac_cv_lib_tspi_main" = xyes; then :
-  LIBS="$LIBS"
+if test -n "$systemd_daemon_LIBS"; then
+    pkg_cv_systemd_daemon_LIBS="$systemd_daemon_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_systemd_daemon_LIBS=`$PKG_CONFIG --libs "libsystemd-daemon" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
-  as_fn_error $? "TrouSerS library libtspi not found" "$LINENO" 5
+  pkg_failed=yes
 fi
-
-	ac_fn_c_check_header_mongrel "$LINENO" "trousers/tss.h" "ac_cv_header_trousers_tss_h" "$ac_includes_default"
-if test "x$ac_cv_header_trousers_tss_h" = xyes; then :
-
-else
-  as_fn_error $? "TrouSerS header trousers/tss.h not found!" "$LINENO" 5
+ else
+    pkg_failed=untried
 fi
 
 
 
-$as_echo "#define TSS_TROUSERS /**/" >>confdefs.h
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
 fi
+        if test $_pkg_short_errors_supported = yes; then
+	        systemd_daemon_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd-daemon" 2>&1`
+        else
+	        systemd_daemon_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd-daemon" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$systemd_daemon_PKG_ERRORS" >&5
 
-if test x$imv_swid = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ljson" >&5
-$as_echo_n "checking for main in -ljson... " >&6; }
-if ${ac_cv_lib_json_main+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ljson  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
+	as_fn_error $? "Package requirements (libsystemd-daemon) were not met:
 
+$systemd_daemon_PKG_ERRORS
 
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_json_main=yes
-else
-  ac_cv_lib_json_main=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_json_main" >&5
-$as_echo "$ac_cv_lib_json_main" >&6; }
-if test "x$ac_cv_lib_json_main" = xyes; then :
-  LIBS="$LIBS"
-else
-  as_fn_error $? "JSON library libjson not found" "$LINENO" 5
-fi
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables systemd_daemon_CFLAGS
+and systemd_daemon_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
 
-	ac_fn_c_check_header_mongrel "$LINENO" "json/json.h" "ac_cv_header_json_json_h" "$ac_includes_default"
-if test "x$ac_cv_header_json_json_h" = xyes; then :
+Alternatively, you may set the environment variables systemd_daemon_CFLAGS
+and systemd_daemon_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
 
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
 else
-  as_fn_error $? "JSON header json/json.h not found!" "$LINENO" 5
+	systemd_daemon_CFLAGS=$pkg_cv_systemd_daemon_CFLAGS
+	systemd_daemon_LIBS=$pkg_cv_systemd_daemon_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
 fi
 
 
-fi
 
-if test x$dumm = xtrue; then
 
 pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gtk" >&5
-$as_echo_n "checking for gtk... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for systemd_journal" >&5
+$as_echo_n "checking for systemd_journal... " >&6; }
 
-if test -n "$gtk_CFLAGS"; then
-    pkg_cv_gtk_CFLAGS="$gtk_CFLAGS"
+if test -n "$systemd_journal_CFLAGS"; then
+    pkg_cv_systemd_journal_CFLAGS="$systemd_journal_CFLAGS"
  elif test -n "$PKG_CONFIG"; then
     if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-journal\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsystemd-journal") 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
-  pkg_cv_gtk_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 vte" 2>/dev/null`
+  pkg_cv_systemd_journal_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-journal" 2>/dev/null`
 		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
@@ -19167,16 +19286,16 @@ fi
  else
     pkg_failed=untried
 fi
-if test -n "$gtk_LIBS"; then
-    pkg_cv_gtk_LIBS="$gtk_LIBS"
+if test -n "$systemd_journal_LIBS"; then
+    pkg_cv_systemd_journal_LIBS="$systemd_journal_LIBS"
  elif test -n "$PKG_CONFIG"; then
     if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-journal\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsystemd-journal") 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
-  pkg_cv_gtk_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 vte" 2>/dev/null`
+  pkg_cv_systemd_journal_LIBS=`$PKG_CONFIG --libs "libsystemd-journal" 2>/dev/null`
 		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
@@ -19197,22 +19316,22 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1`
+	        systemd_journal_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd-journal" 2>&1`
         else
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1`
+	        systemd_journal_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd-journal" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
-	echo "$gtk_PKG_ERRORS" >&5
+	echo "$systemd_journal_PKG_ERRORS" >&5
 
-	as_fn_error $? "Package requirements (gtk+-2.0 vte) were not met:
+	as_fn_error $? "Package requirements (libsystemd-journal) were not met:
 
-$gtk_PKG_ERRORS
+$systemd_journal_PKG_ERRORS
 
 Consider adjusting the PKG_CONFIG_PATH environment variable if you
 installed software in a non-standard prefix.
 
-Alternatively, you may set the environment variables gtk_CFLAGS
-and gtk_LIBS to avoid the need to call pkg-config.
+Alternatively, you may set the environment variables systemd_journal_CFLAGS
+and systemd_journal_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
      	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -19223,56 +19342,458 @@ as_fn_error $? "The pkg-config script could not be found or is too old.  Make su
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
-Alternatively, you may set the environment variables gtk_CFLAGS
-and gtk_LIBS to avoid the need to call pkg-config.
+Alternatively, you may set the environment variables systemd_journal_CFLAGS
+and systemd_journal_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
 See \`config.log' for more details" "$LINENO" 5; }
 else
-	gtk_CFLAGS=$pkg_cv_gtk_CFLAGS
-	gtk_LIBS=$pkg_cv_gtk_LIBS
+	systemd_journal_CFLAGS=$pkg_cv_systemd_journal_CFLAGS
+	systemd_journal_LIBS=$pkg_cv_systemd_journal_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 
 fi
 
 
-	for ac_prog in ruby
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_RUBY+:} false; then :
+fi
+
+if test x$tss = xtrousers; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ltspi" >&5
+$as_echo_n "checking for main in -ltspi... " >&6; }
+if ${ac_cv_lib_tspi_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
-  if test -n "$RUBY"; then
-  ac_cv_prog_RUBY="$RUBY" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-    for ac_exec_ext in '' $ac_executable_extensions; do
-  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_RUBY="$ac_prog"
-    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-  done
-IFS=$as_save_IFS
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ltspi  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
 
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_tspi_main=yes
+else
+  ac_cv_lib_tspi_main=no
 fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
 fi
-RUBY=$ac_cv_prog_RUBY
-if test -n "$RUBY"; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUBY" >&5
-$as_echo "$RUBY" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tspi_main" >&5
+$as_echo "$ac_cv_lib_tspi_main" >&6; }
+if test "x$ac_cv_lib_tspi_main" = xyes; then :
+  LIBS="$LIBS"
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+  as_fn_error $? "TrouSerS library libtspi not found" "$LINENO" 5
+fi
+
+	ac_fn_c_check_header_mongrel "$LINENO" "trousers/tss.h" "ac_cv_header_trousers_tss_h" "$ac_includes_default"
+if test "x$ac_cv_header_trousers_tss_h" = xyes; then :
+
+else
+  as_fn_error $? "TrouSerS header trousers/tss.h not found!" "$LINENO" 5
+fi
+
+
+
+$as_echo "#define TSS_TROUSERS /**/" >>confdefs.h
+
+fi
+
+if test x$imv_swid = xtrue; then
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for json" >&5
+$as_echo_n "checking for json... " >&6; }
+
+if test -n "$json_CFLAGS"; then
+    pkg_cv_json_CFLAGS="$json_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json-c\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "json-c") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_json_CFLAGS=`$PKG_CONFIG --cflags "json-c" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$json_LIBS"; then
+    pkg_cv_json_LIBS="$json_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json-c\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "json-c") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_json_LIBS=`$PKG_CONFIG --libs "json-c" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        json_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "json-c" 2>&1`
+        else
+	        json_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "json-c" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$json_PKG_ERRORS" >&5
+
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for json" >&5
+$as_echo_n "checking for json... " >&6; }
+
+if test -n "$json_CFLAGS"; then
+    pkg_cv_json_CFLAGS="$json_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "json") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_json_CFLAGS=`$PKG_CONFIG --cflags "json" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$json_LIBS"; then
+    pkg_cv_json_LIBS="$json_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "json") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_json_LIBS=`$PKG_CONFIG --libs "json" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        json_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "json" 2>&1`
+        else
+	        json_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "json" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$json_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (json) were not met:
+
+$json_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables json_CFLAGS
+and json_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables json_CFLAGS
+and json_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	json_CFLAGS=$pkg_cv_json_CFLAGS
+	json_LIBS=$pkg_cv_json_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for json" >&5
+$as_echo_n "checking for json... " >&6; }
+
+if test -n "$json_CFLAGS"; then
+    pkg_cv_json_CFLAGS="$json_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "json") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_json_CFLAGS=`$PKG_CONFIG --cflags "json" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$json_LIBS"; then
+    pkg_cv_json_LIBS="$json_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "json") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_json_LIBS=`$PKG_CONFIG --libs "json" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        json_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "json" 2>&1`
+        else
+	        json_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "json" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$json_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (json) were not met:
+
+$json_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables json_CFLAGS
+and json_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables json_CFLAGS
+and json_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	json_CFLAGS=$pkg_cv_json_CFLAGS
+	json_LIBS=$pkg_cv_json_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+else
+	json_CFLAGS=$pkg_cv_json_CFLAGS
+	json_LIBS=$pkg_cv_json_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
+fi
+
+if test x$dumm = xtrue; then
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gtk" >&5
+$as_echo_n "checking for gtk... " >&6; }
+
+if test -n "$gtk_CFLAGS"; then
+    pkg_cv_gtk_CFLAGS="$gtk_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_gtk_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 vte" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$gtk_LIBS"; then
+    pkg_cv_gtk_LIBS="$gtk_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_gtk_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 vte" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1`
+        else
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$gtk_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (gtk+-2.0 vte) were not met:
+
+$gtk_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables gtk_CFLAGS
+and gtk_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables gtk_CFLAGS
+and gtk_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	gtk_CFLAGS=$pkg_cv_gtk_CFLAGS
+	gtk_LIBS=$pkg_cv_gtk_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
+	for ac_prog in ruby
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_RUBY+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$RUBY"; then
+  ac_cv_prog_RUBY="$RUBY" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_RUBY="$ac_prog"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+RUBY=$ac_cv_prog_RUBY
+if test -n "$RUBY"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUBY" >&5
+$as_echo "$RUBY" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
 
@@ -20753,6 +21274,58 @@ $as_echo "$as_me: coverage enabled, adding \"-g -O0\" to CFLAGS" >&6;}
 	CFLAGS="${CFLAGS} -g -O0"
 fi
 
+if test x$ruby_gems = xtrue; then
+	# Extract the first word of "gem", so it can be a program name with args.
+set dummy gem; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_GEM+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $GEM in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_GEM="$GEM" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_GEM="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+GEM=$ac_cv_path_GEM
+if test -n "$GEM"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GEM" >&5
+$as_echo "$GEM" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+	if test x$GEM = x; then
+		as_fn_error $? "RubyGems package manager not found" "$LINENO" 5
+	fi
+	if test "x$rubygemdir" = "xgem environment gemdir"; then
+		rubygemdir=$($GEM environment gemdir)
+	fi
+	RUBYGEMDIR="$rubygemdir"
+
+fi
+
 # ===============================================
 #  collect plugin list for strongSwan components
 # ===============================================
@@ -20792,35 +21365,6 @@ if test x$test_vectors = xtrue; then
 
 	fi
 
-if test x$curl = xtrue; then
-		s_plugins=${s_plugins}" curl"
-		charon_plugins=${charon_plugins}" curl"
-		scepclient_plugins=${scepclient_plugins}" curl"
-		pki_plugins=${pki_plugins}" curl"
-		scripts_plugins=${scripts_plugins}" curl"
-		nm_plugins=${nm_plugins}" curl"
-		cmd_plugins=${cmd_plugins}" curl"
-
-	fi
-
-if test x$winhttp = xtrue; then
-		s_plugins=${s_plugins}" winhttp"
-		charon_plugins=${charon_plugins}" winhttp"
-		pki_plugins=${pki_plugins}" winhttp"
-		scripts_plugins=${scripts_plugins}" winhttp"
-
-	fi
-
-if test x$soup = xtrue; then
-		s_plugins=${s_plugins}" soup"
-		charon_plugins=${charon_plugins}" soup"
-		pki_plugins=${pki_plugins}" soup"
-		scripts_plugins=${scripts_plugins}" soup"
-		nm_plugins=${nm_plugins}" soup"
-		cmd_plugins=${cmd_plugins}" soup"
-
-	fi
-
 if test x$unbound = xtrue; then
 		s_plugins=${s_plugins}" unbound"
 		charon_plugins=${charon_plugins}" unbound"
@@ -21292,6 +21836,35 @@ if test x$ntru = xtrue; then
 
 	fi
 
+if test x$curl = xtrue; then
+		s_plugins=${s_plugins}" curl"
+		charon_plugins=${charon_plugins}" curl"
+		scepclient_plugins=${scepclient_plugins}" curl"
+		pki_plugins=${pki_plugins}" curl"
+		scripts_plugins=${scripts_plugins}" curl"
+		nm_plugins=${nm_plugins}" curl"
+		cmd_plugins=${cmd_plugins}" curl"
+
+	fi
+
+if test x$winhttp = xtrue; then
+		s_plugins=${s_plugins}" winhttp"
+		charon_plugins=${charon_plugins}" winhttp"
+		pki_plugins=${pki_plugins}" winhttp"
+		scripts_plugins=${scripts_plugins}" winhttp"
+
+	fi
+
+if test x$soup = xtrue; then
+		s_plugins=${s_plugins}" soup"
+		charon_plugins=${charon_plugins}" soup"
+		pki_plugins=${pki_plugins}" soup"
+		scripts_plugins=${scripts_plugins}" soup"
+		nm_plugins=${nm_plugins}" soup"
+		cmd_plugins=${cmd_plugins}" soup"
+
+	fi
+
 if test x$attr = xtrue; then
 		h_plugins=${h_plugins}" attr"
 		charon_plugins=${charon_plugins}" attr"
@@ -21664,6 +22237,12 @@ if test x$whitelist = xtrue; then
 
 	fi
 
+if test x$ext_auth = xtrue; then
+		c_plugins=${c_plugins}" ext-auth"
+		charon_plugins=${charon_plugins}" ext-auth"
+
+	fi
+
 if test x$lookip = xtrue; then
 		c_plugins=${c_plugins}" lookip"
 		charon_plugins=${charon_plugins}" lookip"
@@ -22330,6 +22909,14 @@ else
   USE_WHITELIST_FALSE=
 fi
 
+ if test x$ext_auth = xtrue; then
+  USE_EXT_AUTH_TRUE=
+  USE_EXT_AUTH_FALSE='#'
+else
+  USE_EXT_AUTH_TRUE='#'
+  USE_EXT_AUTH_FALSE=
+fi
+
  if test x$lookip = xtrue; then
   USE_LOOKIP_TRUE=
   USE_LOOKIP_FALSE='#'
@@ -22960,7 +23547,7 @@ else
   USE_CONFTEST_FALSE=
 fi
 
- if test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue; then
+ if test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then
   USE_LIBSTRONGSWAN_TRUE=
   USE_LIBSTRONGSWAN_FALSE='#'
 else
@@ -22968,7 +23555,7 @@ else
   USE_LIBSTRONGSWAN_FALSE=
 fi
 
- if test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue; then
+ if test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then
   USE_LIBHYDRA_TRUE=
   USE_LIBHYDRA_FALSE='#'
 else
@@ -22976,7 +23563,7 @@ else
   USE_LIBHYDRA_FALSE=
 fi
 
- if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue; then
+ if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then
   USE_LIBCHARON_TRUE=
   USE_LIBCHARON_FALSE='#'
 else
@@ -23088,14 +23675,6 @@ else
   USE_IMCV_FALSE=
 fi
 
- if test x$pts = xtrue; then
-  USE_PTS_TRUE=
-  USE_PTS_FALSE='#'
-else
-  USE_PTS_TRUE='#'
-  USE_PTS_FALSE=
-fi
-
  if test x$tss = xtrousers -o x$aikgen = xtrue; then
   USE_TROUSERS_TRUE=
   USE_TROUSERS_FALSE='#'
@@ -23176,6 +23755,30 @@ else
   USE_SVC_FALSE=
 fi
 
+ if test x$systemd = xtrue; then
+  USE_SYSTEMD_TRUE=
+  USE_SYSTEMD_FALSE='#'
+else
+  USE_SYSTEMD_TRUE='#'
+  USE_SYSTEMD_FALSE=
+fi
+
+ if test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno; then
+  USE_LEGACY_SYSTEMD_TRUE=
+  USE_LEGACY_SYSTEMD_FALSE='#'
+else
+  USE_LEGACY_SYSTEMD_TRUE='#'
+  USE_LEGACY_SYSTEMD_FALSE=
+fi
+
+ if test x$ruby_gems = xtrue; then
+  USE_RUBY_GEMS_TRUE=
+  USE_RUBY_GEMS_FALSE='#'
+else
+  USE_RUBY_GEMS_TRUE='#'
+  USE_RUBY_GEMS_FALSE=
+fi
+
 
 # ========================
 #  set global definitions
@@ -23259,7 +23862,7 @@ fi
 #  build Makefiles
 # =================
 
-ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/li [...]
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswa [...]
 
 
 # =================
@@ -23394,10 +23997,6 @@ else
   am__EXEEXT_FALSE=
 fi
 
-if test -z "${HAVE_SYSTEMD_TRUE}" && test -z "${HAVE_SYSTEMD_FALSE}"; then
-  as_fn_error $? "conditional \"HAVE_SYSTEMD\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
   as_fn_error $? "conditional \"AMDEP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -23699,6 +24298,10 @@ if test -z "${USE_WHITELIST_TRUE}" && test -z "${USE_WHITELIST_FALSE}"; then
   as_fn_error $? "conditional \"USE_WHITELIST\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_EXT_AUTH_TRUE}" && test -z "${USE_EXT_AUTH_FALSE}"; then
+  as_fn_error $? "conditional \"USE_EXT_AUTH\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_LOOKIP_TRUE}" && test -z "${USE_LOOKIP_FALSE}"; then
   as_fn_error $? "conditional \"USE_LOOKIP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24075,10 +24678,6 @@ if test -z "${USE_IMCV_TRUE}" && test -z "${USE_IMCV_FALSE}"; then
   as_fn_error $? "conditional \"USE_IMCV\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_PTS_TRUE}" && test -z "${USE_PTS_FALSE}"; then
-  as_fn_error $? "conditional \"USE_PTS\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_TROUSERS_TRUE}" && test -z "${USE_TROUSERS_FALSE}"; then
   as_fn_error $? "conditional \"USE_TROUSERS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24119,6 +24718,18 @@ if test -z "${USE_SVC_TRUE}" && test -z "${USE_SVC_FALSE}"; then
   as_fn_error $? "conditional \"USE_SVC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_SYSTEMD_TRUE}" && test -z "${USE_SYSTEMD_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SYSTEMD\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_LEGACY_SYSTEMD_TRUE}" && test -z "${USE_LEGACY_SYSTEMD_FALSE}"; then
+  as_fn_error $? "conditional \"USE_LEGACY_SYSTEMD\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_RUBY_GEMS_TRUE}" && test -z "${USE_RUBY_GEMS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_RUBY_GEMS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 
 : "${CONFIG_STATUS=./config.status}"
 ac_write_fail=0
@@ -24516,7 +25127,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.2.0, which was
+This file was extended by strongSwan $as_me 5.2.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -24582,7 +25193,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.2.0
+strongSwan config.status 5.2.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -24996,6 +25607,7 @@ do
     "man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile" ;;
     "init/Makefile") CONFIG_FILES="$CONFIG_FILES init/Makefile" ;;
     "init/systemd/Makefile") CONFIG_FILES="$CONFIG_FILES init/systemd/Makefile" ;;
+    "init/systemd-swanctl/Makefile") CONFIG_FILES="$CONFIG_FILES init/systemd-swanctl/Makefile" ;;
     "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
     "src/include/Makefile") CONFIG_FILES="$CONFIG_FILES src/include/Makefile" ;;
     "src/libstrongswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/Makefile" ;;
@@ -25069,11 +25681,6 @@ do
     "src/libtnccs/plugins/tnccs_20/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtnccs/plugins/tnccs_20/Makefile" ;;
     "src/libtnccs/plugins/tnccs_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtnccs/plugins/tnccs_dynamic/Makefile" ;;
     "src/libpttls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpttls/Makefile" ;;
-    "src/libpts/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/Makefile" ;;
-    "src/libpts/plugins/imc_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imc_attestation/Makefile" ;;
-    "src/libpts/plugins/imv_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imv_attestation/Makefile" ;;
-    "src/libpts/plugins/imc_swid/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imc_swid/Makefile" ;;
-    "src/libpts/plugins/imv_swid/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imv_swid/Makefile" ;;
     "src/libimcv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/Makefile" ;;
     "src/libimcv/plugins/imc_test/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_test/Makefile" ;;
     "src/libimcv/plugins/imv_test/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_test/Makefile" ;;
@@ -25081,11 +25688,16 @@ do
     "src/libimcv/plugins/imv_scanner/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_scanner/Makefile" ;;
     "src/libimcv/plugins/imc_os/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_os/Makefile" ;;
     "src/libimcv/plugins/imv_os/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_os/Makefile" ;;
+    "src/libimcv/plugins/imc_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_attestation/Makefile" ;;
+    "src/libimcv/plugins/imv_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_attestation/Makefile" ;;
+    "src/libimcv/plugins/imc_swid/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_swid/Makefile" ;;
+    "src/libimcv/plugins/imv_swid/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_swid/Makefile" ;;
     "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
     "src/charon-nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-nm/Makefile" ;;
     "src/charon-tkm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-tkm/Makefile" ;;
     "src/charon-cmd/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-cmd/Makefile" ;;
     "src/charon-svc/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-svc/Makefile" ;;
+    "src/charon-systemd/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-systemd/Makefile" ;;
     "src/libcharon/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/Makefile" ;;
     "src/libcharon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka/Makefile" ;;
     "src/libcharon/plugins/eap_aka_3gpp2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka_3gpp2/Makefile" ;;
@@ -25129,6 +25741,7 @@ do
     "src/libcharon/plugins/kernel_wfp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_wfp/Makefile" ;;
     "src/libcharon/plugins/kernel_iph/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_iph/Makefile" ;;
     "src/libcharon/plugins/whitelist/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/whitelist/Makefile" ;;
+    "src/libcharon/plugins/ext_auth/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ext_auth/Makefile" ;;
     "src/libcharon/plugins/lookip/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/lookip/Makefile" ;;
     "src/libcharon/plugins/error_notify/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/error_notify/Makefile" ;;
     "src/libcharon/plugins/certexpire/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/certexpire/Makefile" ;;
@@ -25143,6 +25756,7 @@ do
     "src/libcharon/plugins/maemo/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/maemo/Makefile" ;;
     "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
     "src/libcharon/plugins/vici/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/Makefile" ;;
+    "src/libcharon/plugins/vici/ruby/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/ruby/Makefile" ;;
     "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;;
     "src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;;
     "src/libcharon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unit_tester/Makefile" ;;
diff --git a/configure.ac b/configure.ac
index 8f4d763..7a3c328 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
 #
 # Copyright (C) 2007-2014 Tobias Brunner
-# Copyright (C) 2006-2013 Andreas Steffen
-# Copyright (C) 2006-2013 Martin Willi
+# Copyright (C) 2006-2014 Andreas Steffen
+# Copyright (C) 2006-2014 Martin Willi
 # Hochschule fuer Technik Rapperswil
 #
 # This program is free software; you can redistribute it and/or modify it
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.2.0])
+AC_INIT([strongSwan],[5.2.1])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -68,12 +68,12 @@ ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Cur
 ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
 ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
 ARG_WITH_SET([printf-hooks],         [auto], [force the use of a specific printf hook implementation (auto, builtin, glibc, vstr).])
+ARG_WITH_SET([rubygemdir],           ["gem environment gemdir"], [path to install ruby gems to])
 
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
 fi
 ARG_WITH_SET([systemdsystemunitdir], [$systemdsystemunitdir_default], [directory for systemd service files])
-AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno])
 AC_SUBST(systemdsystemunitdir)
 
 AC_ARG_WITH(
@@ -190,6 +190,7 @@ ARG_ENABL_SET([eap-peap],       [enable EAP PEAP authentication module.])
 ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.])
 ARG_ENABL_SET([eap-dynamic],    [enable dynamic EAP proxy module.])
 ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
+ARG_ENABL_SET([ext-auth],       [enable plugin calling an external authorization script.])
 ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
 ARG_ENABL_SET([keychain],       [enables OS X Keychain Services credential set.])
 ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
@@ -273,6 +274,7 @@ ARG_DISBL_SET([pki],            [disable pki certificate utility.])
 ARG_DISBL_SET([scepclient],     [disable SCEP client tool.])
 ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
 ARG_ENABL_SET([svc],            [enable charon Windows service.])
+ARG_ENABL_SET([systemd],        [enable systemd specific IKE daemon charon-systemd.])
 ARG_ENABL_SET([swanctl],        [enable swanctl configuration and control tool.])
 ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
 # optional features
@@ -284,6 +286,7 @@ ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and p
 ARG_DISBL_SET([load-warning],   [disable the charon plugin load option warning in starter.])
 ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
 ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.])
+ARG_ENABL_SET([ruby-gems],      [enable installation of provided ruby gems.])
 # compile options
 ARG_ENABL_SET([coverage],       [enable lcov coverage report generation.])
 ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
@@ -397,10 +400,6 @@ if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$i
 	imcv=true;
 fi
 
-if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue -o x$imc_swid = xtrue -o x$imv_swid = xtrue; then
-	pts=true;
-fi
-
 if test x$fips_prf = xtrue; then
 	if test x$openssl = xfalse; then
 		sha1=true;
@@ -575,9 +574,9 @@ AC_CHECK_FUNC([syslog], [
 ])
 AM_CONDITIONAL(USE_SYSLOG, [test "x$syslog" = xtrue])
 
-AC_CHECK_HEADERS(sys/sockio.h glob.h net/if_tun.h linux/fib_rules.h)
+AC_CHECK_HEADERS(sys/sockio.h glob.h net/if_tun.h)
 AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
-AC_CHECK_HEADERS(netinet/ip6.h, [], [],
+AC_CHECK_HEADERS([netinet/ip6.h linux/fib_rules.h], [], [],
 [
 	#include <sys/types.h>
 	#include <netinet/in.h>
@@ -630,6 +629,18 @@ AC_COMPILE_IFELSE(
 	[AC_MSG_RESULT([no])]
 )
 
+AC_MSG_CHECKING([for RTM_IFANNOUNCE])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/socket.h>
+		  #include <net/if.h>
+		  #include <net/route.h>]],
+		[[return RTM_IFANNOUNCE;]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_RTM_IFANNOUNCE], [], [have PF_ROUTE RTM_IFANNOUNCE defined])],
+	[AC_MSG_RESULT([no])]
+)
+
 AC_MSG_CHECKING([for IPSEC_MODE_BEET])
 AC_COMPILE_IFELSE(
 	[AC_LANG_PROGRAM(
@@ -869,6 +880,23 @@ if test x$xml = xtrue; then
 	AC_SUBST(xml_LIBS)
 fi
 
+if test x$systemd = xtrue; then
+	AC_MSG_CHECKING([for systemd system unit directory])
+	if test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno; then
+		AC_MSG_RESULT([$systemdsystemunitdir])
+	else
+		AC_MSG_ERROR([not found (try --with-systemdsystemunitdir)])
+	fi
+
+	PKG_CHECK_MODULES(systemd_daemon, [libsystemd-daemon])
+	AC_SUBST(systemd_daemon_CFLAGS)
+	AC_SUBST(systemd_daemon_LIBS)
+
+	PKG_CHECK_MODULES(systemd_journal, [libsystemd-journal])
+	AC_SUBST(systemd_journal_CFLAGS)
+	AC_SUBST(systemd_journal_LIBS)
+fi
+
 if test x$tss = xtrousers; then
 	AC_CHECK_LIB([tspi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])],[])
 	AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
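Review bot: Both `PKG_CHECK_MODULES` calls in the new `--enable-systemd` block name only the split libraries `libsystemd-daemon` and `libsystemd-journal` and give no not-found action, so configure aborts on a host whose systemd ships just the merged `libsystemd` (209 and later, where the split libraries are optional compatibility builds). A fallback in the style this commit already uses for json-c would cover both layouts: `PKG_CHECK_MODULES(systemd_daemon, [libsystemd], [], [PKG_CHECK_MODULES(systemd_daemon, [libsystemd-daemon])])`, and the same for `systemd_journal`.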
@@ -876,8 +904,10 @@ if test x$tss = xtrousers; then
 fi
 
 if test x$imv_swid = xtrue; then
-	AC_CHECK_LIB([json],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([JSON library libjson not found])],[])
-	AC_CHECK_HEADER([json/json.h],,[AC_MSG_ERROR([JSON header json/json.h not found!])])
+	PKG_CHECK_MODULES(json, [json-c], [],
+		[PKG_CHECK_MODULES(json, [json])])
+	AC_SUBST(json_CFLAGS)
+	AC_SUBST(json_LIBS)
 fi
 
 if test x$dumm = xtrue; then
@@ -1136,6 +1166,17 @@ if test x$coverage = xtrue; then
 	CFLAGS="${CFLAGS} -g -O0"
 fi
 
+if test x$ruby_gems = xtrue; then
+	AC_PATH_PROG([GEM], [gem], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+	if test x$GEM = x; then
+		AC_MSG_ERROR(RubyGems package manager not found)
+	fi
+	if test "x$rubygemdir" = "xgem environment gemdir"; then
+		rubygemdir=$($GEM environment gemdir)
+	fi
+	AC_SUBST(RUBYGEMDIR, "$rubygemdir")
+fi
+
 # ===============================================
 #  collect plugin list for strongSwan components
 # ===============================================
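Review bot: The output of `$GEM environment gemdir` is assigned to `rubygemdir` without checking that the command succeeded or printed anything, so an empty `RUBYGEMDIR` can be substituted into the Makefiles; the option's help text describes it as the path gems are installed to. I would add `if test -z "$rubygemdir"; then AC_MSG_ERROR([could not determine gem directory (try --with-rubygemdir)]); fi` before the `AC_SUBST`. The `gem` binary is looked up in the configuring user's `$PATH` first, so the default destination is whatever that binary reports; the help text could say so, so that packagers pass `--with-rubygemdir` explicitly. `test x$GEM = x` should also quote the variable (`test -z "$GEM"`), since a path containing whitespace breaks the unquoted form.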
@@ -1164,9 +1205,6 @@ s_plugins=
 t_plugins=
 
 ADD_PLUGIN([test-vectors],         [s charon scepclient pki])
-ADD_PLUGIN([curl],                 [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([winhttp],              [s charon pki scripts])
-ADD_PLUGIN([soup],                 [s charon pki scripts nm cmd])
 ADD_PLUGIN([unbound],              [s charon scripts])
 ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm cmd])
 ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
@@ -1213,6 +1251,9 @@ ADD_PLUGIN([ctr],                  [s charon scripts nm cmd])
 ADD_PLUGIN([ccm],                  [s charon scripts nm cmd])
 ADD_PLUGIN([gcm],                  [s charon scripts nm cmd])
 ADD_PLUGIN([ntru],                 [s charon scripts nm cmd])
+ADD_PLUGIN([curl],                 [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([winhttp],              [s charon pki scripts])
+ADD_PLUGIN([soup],                 [s charon pki scripts nm cmd])
 ADD_PLUGIN([attr],                 [h charon])
 ADD_PLUGIN([attr-sql],             [h charon])
 ADD_PLUGIN([load-tester],          [c charon])
@@ -1270,6 +1311,7 @@ ADD_PLUGIN([android-dns],          [c charon])
 ADD_PLUGIN([android-log],          [c charon])
 ADD_PLUGIN([ha],                   [c charon])
 ADD_PLUGIN([whitelist],            [c charon])
+ADD_PLUGIN([ext-auth],             [c charon])
 ADD_PLUGIN([lookip],               [c charon])
 ADD_PLUGIN([error-notify],         [c charon])
 ADD_PLUGIN([certexpire],           [c charon])
@@ -1381,6 +1423,7 @@ AM_CONDITIONAL(USE_KERNEL_LIBIPSEC, test x$kernel_libipsec = xtrue)
 AM_CONDITIONAL(USE_KERNEL_WFP, test x$kernel_wfp = xtrue)
 AM_CONDITIONAL(USE_KERNEL_IPH, test x$kernel_iph = xtrue)
 AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
+AM_CONDITIONAL(USE_EXT_AUTH, test x$ext_auth = xtrue)
 AM_CONDITIONAL(USE_LOOKIP, test x$lookip = xtrue)
 AM_CONDITIONAL(USE_ERROR_NOTIFY, test x$error_notify = xtrue)
 AM_CONDITIONAL(USE_CERTEXPIRE, test x$certexpire = xtrue)
@@ -1465,9 +1508,9 @@ AM_CONDITIONAL(USE_PKI, test x$pki = xtrue)
 AM_CONDITIONAL(USE_SCEPCLIENT, test x$scepclient = xtrue)
 AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
 AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue)
-AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue)
-AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
+AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
+AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
 AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
@@ -1481,7 +1524,6 @@ AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
 AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
 AM_CONDITIONAL(USE_RADIUS, test x$radius = xtrue)
 AM_CONDITIONAL(USE_IMCV, test x$imcv = xtrue)
-AM_CONDITIONAL(USE_PTS, test x$pts = xtrue)
 AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers -o x$aikgen = xtrue)
 AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
 AM_CONDITIONAL(USE_SILENT_RULES, test x$enable_silent_rules = xyes)
@@ -1492,6 +1534,9 @@ AM_CONDITIONAL(USE_CMD, test x$cmd = xtrue)
 AM_CONDITIONAL(USE_AIKGEN, test x$aikgen = xtrue)
 AM_CONDITIONAL(USE_SWANCTL, test x$swanctl = xtrue)
 AM_CONDITIONAL(USE_SVC, test x$svc = xtrue)
+AM_CONDITIONAL(USE_SYSTEMD, test x$systemd = xtrue)
+AM_CONDITIONAL(USE_LEGACY_SYSTEMD, test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno)
+AM_CONDITIONAL(USE_RUBY_GEMS, test x$ruby_gems = xtrue)
 
 # ========================
 #  set global definitions
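Review bot: `USE_LEGACY_SYSTEMD` is true whenever a unit directory is known, and the `--enable-systemd` check added earlier in this file makes a unit directory mandatory, so `USE_SYSTEMD` being true implies `USE_LEGACY_SYSTEMD` is true as well. With `--enable-systemd --enable-swanctl`, init/Makefile.am therefore descends into both `systemd` and `systemd-swanctl`, which presumably installs two service units for the IKE daemon side by side. If that is intended, a comment above the conditional should say so, e.g. `# the legacy unit is still installed alongside the charon-systemd unit`; if it is not, the legacy condition needs to exclude the `x$systemd = xtrue` case.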
@@ -1545,6 +1590,7 @@ AC_CONFIG_FILES([
 	man/Makefile
 	init/Makefile
 	init/systemd/Makefile
+	init/systemd-swanctl/Makefile
 	src/Makefile
 	src/include/Makefile
 	src/libstrongswan/Makefile
@@ -1618,11 +1664,6 @@ AC_CONFIG_FILES([
 	src/libtnccs/plugins/tnccs_20/Makefile
 	src/libtnccs/plugins/tnccs_dynamic/Makefile
 	src/libpttls/Makefile
-	src/libpts/Makefile
-	src/libpts/plugins/imc_attestation/Makefile
-	src/libpts/plugins/imv_attestation/Makefile
-	src/libpts/plugins/imc_swid/Makefile
-	src/libpts/plugins/imv_swid/Makefile
 	src/libimcv/Makefile
 	src/libimcv/plugins/imc_test/Makefile
 	src/libimcv/plugins/imv_test/Makefile
@@ -1630,11 +1671,16 @@ AC_CONFIG_FILES([
 	src/libimcv/plugins/imv_scanner/Makefile
 	src/libimcv/plugins/imc_os/Makefile
 	src/libimcv/plugins/imv_os/Makefile
+	src/libimcv/plugins/imc_attestation/Makefile
+	src/libimcv/plugins/imv_attestation/Makefile
+	src/libimcv/plugins/imc_swid/Makefile
+	src/libimcv/plugins/imv_swid/Makefile
 	src/charon/Makefile
 	src/charon-nm/Makefile
 	src/charon-tkm/Makefile
 	src/charon-cmd/Makefile
 	src/charon-svc/Makefile
+	src/charon-systemd/Makefile
 	src/libcharon/Makefile
 	src/libcharon/plugins/eap_aka/Makefile
 	src/libcharon/plugins/eap_aka_3gpp2/Makefile
@@ -1678,6 +1724,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/kernel_wfp/Makefile
 	src/libcharon/plugins/kernel_iph/Makefile
 	src/libcharon/plugins/whitelist/Makefile
+	src/libcharon/plugins/ext_auth/Makefile
 	src/libcharon/plugins/lookip/Makefile
 	src/libcharon/plugins/error_notify/Makefile
 	src/libcharon/plugins/certexpire/Makefile
@@ -1692,6 +1739,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/maemo/Makefile
 	src/libcharon/plugins/stroke/Makefile
 	src/libcharon/plugins/vici/Makefile
+	src/libcharon/plugins/vici/ruby/Makefile
 	src/libcharon/plugins/updown/Makefile
 	src/libcharon/plugins/dhcp/Makefile
 	src/libcharon/plugins/unit_tester/Makefile
diff --git a/init/Makefile.am b/init/Makefile.am
index 69439a1..a72706c 100644
--- a/init/Makefile.am
+++ b/init/Makefile.am
@@ -1,6 +1,12 @@
 
 SUBDIRS =
 
-if HAVE_SYSTEMD
+if USE_LEGACY_SYSTEMD
   SUBDIRS += systemd
 endif
+
+if USE_SYSTEMD
+if USE_SWANCTL
+  SUBDIRS += systemd-swanctl
+endif
+endif
diff --git a/init/Makefile.in b/init/Makefile.in
index b48d335..3da1e65 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -77,7 +77,8 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
- at HAVE_SYSTEMD_TRUE@am__append_1 = systemd
+ at USE_LEGACY_SYSTEMD_TRUE@am__append_1 = systemd
+ at USE_SWANCTL_TRUE@@USE_SYSTEMD_TRUE at am__append_2 = systemd-swanctl
 subdir = init
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -151,7 +152,7 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = systemd
+DIST_SUBDIRS = systemd systemd-swanctl
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -209,6 +210,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -269,6 +271,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -334,6 +337,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -381,6 +386,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
@@ -390,7 +399,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-SUBDIRS = $(am__append_1)
+SUBDIRS = $(am__append_1) $(am__append_2)
 all: all-recursive
 
 .SUFFIXES:
diff --git a/init/systemd-swanctl/Makefile.am b/init/systemd-swanctl/Makefile.am
new file mode 100644
index 0000000..eee30ac
--- /dev/null
+++ b/init/systemd-swanctl/Makefile.am
@@ -0,0 +1,11 @@
+
+EXTRA_DIST = strongswan-swanctl.service.in
+CLEANFILES = strongswan-swanctl.service
+
+systemdsystemunit_DATA = strongswan-swanctl.service
+
+strongswan-swanctl.service : strongswan-swanctl.service.in
+	$(AM_V_GEN) \
+	sed \
+	-e "s:@SBINDIR@:$(sbindir):" \
+	$(srcdir)/$@.in > $@
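Review bot: The rule redirects sed's output straight into `$@`, so when sed fails an empty or partial `strongswan-swanctl.service` is left behind with a fresh timestamp and the next `make` treats it as up to date. Writing to a temporary file and renaming it keeps a truncated unit from being installed: `$(srcdir)/$@.in > $@.tmp && mv $@.tmp $@`. The target also has no `Makefile` prerequisite, so re-running configure with a different `--sbindir` does not regenerate the unit; `strongswan-swanctl.service : strongswan-swanctl.service.in Makefile` would fix that.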
diff --git a/init/systemd-swanctl/Makefile.in b/init/systemd-swanctl/Makefile.in
new file mode 100644
index 0000000..14089c4
--- /dev/null
+++ b/init/systemd-swanctl/Makefile.in
@@ -0,0 +1,598 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = init/systemd-swanctl
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(systemdsystemunitdir)"
+DATA = $(systemdsystemunit_DATA)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+EXTRA_DIST = strongswan-swanctl.service.in
+CLEANFILES = strongswan-swanctl.service
+systemdsystemunit_DATA = strongswan-swanctl.service
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu init/systemd-swanctl/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu init/systemd-swanctl/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-systemdsystemunitDATA: $(systemdsystemunit_DATA)
+	@$(NORMAL_INSTALL)
+	@list='$(systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(systemdsystemunitdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(systemdsystemunitdir)" || exit 1; \
+	fi; \
+	for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(systemdsystemunitdir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(systemdsystemunitdir)" || exit $$?; \
+	done
+
+uninstall-systemdsystemunitDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	dir='$(DESTDIR)$(systemdsystemunitdir)'; $(am__uninstall_files_from_dir)
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(DATA)
+installdirs:
+	for dir in "$(DESTDIR)$(systemdsystemunitdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-systemdsystemunitDATA
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-systemdsystemunitDATA
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	cscopelist-am ctags-am distclean distclean-generic \
+	distclean-libtool distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip install-systemdsystemunitDATA installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
+	uninstall-am uninstall-systemdsystemunitDATA
+
+
+strongswan-swanctl.service : strongswan-swanctl.service.in
+	$(AM_V_GEN) \
+	sed \
+	-e "s:@SBINDIR@:$(sbindir):" \
+	$(srcdir)/$@.in > $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/init/systemd-swanctl/strongswan-swanctl.service.in b/init/systemd-swanctl/strongswan-swanctl.service.in
new file mode 100644
index 0000000..818d352
--- /dev/null
+++ b/init/systemd-swanctl/strongswan-swanctl.service.in
@@ -0,0 +1,9 @@
+[Unit]
+Description=strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=@SBINDIR@/charon-systemd
+ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
+ExecReload=@SBINDIR@/swanctl --reload
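Review bot: The unit has no `[Install]` section, so `systemctl enable` has no target to hook it into and the service starts only when invoked by hand or pulled in by another unit. If start at boot is intended, append `[Install]` followed by `WantedBy=multi-user.target`. Separately, a comment above `ExecStartPost=` should say that a non-zero exit from `swanctl --load-all --noprompt` makes systemd treat the whole start as failed. Assuming swanctl reports load errors through its exit status, that means a broken configuration stops the daemon rather than leaving it running with no connections loaded.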
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index 27a767c..a8c7af6 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -178,6 +178,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -238,6 +239,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -303,6 +305,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -350,6 +354,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/init/systemd/strongswan.service.in b/init/systemd/strongswan.service.in
index dee892e..608078b 100644
--- a/init/systemd/strongswan.service.in
+++ b/init/systemd/strongswan.service.in
@@ -1,5 +1,5 @@
 [Unit]
-Description=strongSwan IPsec
+Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
 After=syslog.target
 
 [Service]
diff --git a/man/Makefile.am b/man/Makefile.am
index fbc78b9..5f9a938 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -1,5 +1,9 @@
-man_MANS = \
+man_MANS =
+
+if USE_FILE_CONFIG
+  man_MANS += \
 	ipsec.conf.5 \
 	ipsec.secrets.5
+endif
 
 CLEANFILES = $(man_MANS)
diff --git a/man/Makefile.in b/man/Makefile.in
index bd3141d..08aee19 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -77,6 +77,10 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+ at USE_FILE_CONFIG_TRUE@am__append_1 = \
+ at USE_FILE_CONFIG_TRUE@	ipsec.conf.5 \
+ at USE_FILE_CONFIG_TRUE@	ipsec.secrets.5
+
 subdir = man
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(srcdir)/ipsec.conf.5.in $(srcdir)/ipsec.secrets.5.in
@@ -180,6 +184,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -240,6 +245,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -305,6 +311,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -352,6 +360,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
@@ -361,10 +373,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-man_MANS = \
-	ipsec.conf.5 \
-	ipsec.secrets.5
-
+man_MANS = $(am__append_1)
 CLEANFILES = $(man_MANS)
 all: all-am
 
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 0f8564a..fe37dff 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -795,8 +795,9 @@ or
 prefix in front of 0x or 0s, the public key is expected to be in either
 the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
 respectively.
-Also accepted is the path to a file containing the public key in PEM or DER
-encoding.
+Also accepted is the path to a file containing the public key in PEM, DER or SSH
+encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
+are accepted.
 .TP
 .BR leftsendcert " = never | no | " ifasked " | always | yes"
 Accepted values are
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 7343465..811dc29 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -285,6 +285,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -345,6 +346,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -410,6 +412,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -457,6 +461,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/Makefile.am b/src/Makefile.am
index 95c68d0..38363d4 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -40,10 +40,6 @@ if USE_IMCV
   SUBDIRS += libimcv
 endif
 
-if USE_PTS
-  SUBDIRS += libpts
-endif
-
 if USE_LIBCHARON
   SUBDIRS += libcharon
 endif
@@ -60,6 +56,10 @@ if USE_CHARON
   SUBDIRS += charon
 endif
 
+if USE_SYSTEMD
+  SUBDIRS += charon-systemd
+endif
+
 if USE_NM
   SUBDIRS += charon-nm
 endif
diff --git a/src/Makefile.in b/src/Makefile.in
index 141ca3e..2dd0460 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -87,11 +87,11 @@ host_triplet = @host@
 @USE_LIBTNCCS_TRUE at am__append_8 = libtnccs
 @USE_LIBPTTLS_TRUE at am__append_9 = libpttls
 @USE_IMCV_TRUE at am__append_10 = libimcv
- at USE_PTS_TRUE@am__append_11 = libpts
- at USE_LIBCHARON_TRUE@am__append_12 = libcharon
- at USE_FILE_CONFIG_TRUE@am__append_13 = starter
- at USE_IPSEC_SCRIPT_TRUE@am__append_14 = ipsec _copyright
- at USE_CHARON_TRUE@am__append_15 = charon
+ at USE_LIBCHARON_TRUE@am__append_11 = libcharon
+ at USE_FILE_CONFIG_TRUE@am__append_12 = starter
+ at USE_IPSEC_SCRIPT_TRUE@am__append_13 = ipsec _copyright
+ at USE_CHARON_TRUE@am__append_14 = charon
+ at USE_SYSTEMD_TRUE@am__append_15 = charon-systemd
 @USE_NM_TRUE at am__append_16 = charon-nm
 @USE_STROKE_TRUE at am__append_17 = stroke
 @USE_UPDOWN_TRUE at am__append_18 = _updown _updown_espmark
@@ -185,11 +185,11 @@ am__define_uniq_tagged_files = \
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
-	libtls libradius libtncif libtnccs libpttls libimcv libpts \
-	libcharon starter ipsec _copyright charon charon-nm stroke \
-	_updown _updown_espmark scepclient pki swanctl conftest dumm \
-	libfast manager medsrv pool charon-tkm charon-cmd charon-svc \
-	pt-tls-client checksum aikgen
+	libtls libradius libtncif libtnccs libpttls libimcv libcharon \
+	starter ipsec _copyright charon charon-systemd charon-nm \
+	stroke _updown _updown_espmark scepclient pki swanctl conftest \
+	dumm libfast manager medsrv pool charon-tkm charon-cmd \
+	charon-svc pt-tls-client checksum aikgen
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -247,6 +247,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -307,6 +308,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -372,6 +374,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -419,6 +423,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 8591e6a..a17bbcc 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -201,6 +201,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -261,6 +262,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -326,6 +328,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -373,6 +377,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index ec23208..a215a25 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -182,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -242,6 +243,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -307,6 +309,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -354,6 +358,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 49cdc90..51a0d9a 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -182,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -242,6 +243,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -307,6 +309,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -354,6 +358,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in
index 77d825f..2bd5be6 100644
--- a/src/aikgen/Makefile.in
+++ b/src/aikgen/Makefile.in
@@ -204,6 +204,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -264,6 +265,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -329,6 +331,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -376,6 +380,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index c74c5b6..9f67eec 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -238,6 +238,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -298,6 +299,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -363,6 +365,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -410,6 +414,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index b41cf46..6f2b6f1 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -126,15 +126,12 @@ static int run()
 			{
 				DBG1(DBG_DMN, "signal of type SIGHUP received. Reloading "
 					 "configuration");
-#ifdef STRONGSWAN_CONF
-				if (lib->settings->load_files(lib->settings, STRONGSWAN_CONF,
-											  FALSE))
+				if (lib->settings->load_files(lib->settings, lib->conf, FALSE))
 				{
 					charon->load_loggers(charon, levels, TRUE);
 					lib->plugins->reload(lib->plugins, NULL);
 				}
 				else
-#endif
 				{
 					DBG1(DBG_DMN, "reloading config failed, keeping old");
 				}
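Review bot: The failure branch of the SIGHUP reload still logs only `reloading config failed, keeping old`, although the file being re-read is now the runtime value `lib->conf` instead of the compile-time `STRONGSWAN_CONF`. Naming the path in the message would let an operator confirm which configuration the daemon tried to reload, for example `DBG1(DBG_DMN, "reloading config from '%s' failed, keeping old", lib->conf);`. The hunk does not show where `lib->conf` is assigned, so a one-line comment above the `load_files()` call should state that it is the path the library was initialised with and whether it can be NULL at this point. `run()` begins and continues outside the hunk.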
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 5fad214..69cbfe0 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -209,6 +209,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -269,6 +270,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -334,6 +336,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -381,6 +385,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index ebebde2..613c2f6 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -174,5 +174,5 @@ void nm_backend_register()
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
 	};
 	lib->plugins->add_static_features(lib->plugins, "nm-backend", features,
-									  countof(features), TRUE);
+									  countof(features), TRUE, NULL, NULL);
 }
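Review bot: The two `NULL` arguments appended to the `add_static_features()` call are unexplained at the call site, and the prototype that gives them meaning is not part of this hunk. If they are, as I read the updated plugin loader interface, a reload callback and its data pointer (please confirm), a short comment such as `/* static features: no reload callback, no callback data */` would make the call readable. In that case nm-backend gets no notification when `lib->plugins->reload()` runs, and the comment should say so to show that this is deliberate. `nm_backend_register()` starts outside the hunk.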
diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in
index 3948362..3783ac9 100644
--- a/src/charon-svc/Makefile.in
+++ b/src/charon-svc/Makefile.in
@@ -203,6 +203,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -263,6 +264,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -328,6 +330,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -375,6 +379,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/charon-systemd/Makefile.am b/src/charon-systemd/Makefile.am
new file mode 100644
index 0000000..1b9ac15
--- /dev/null
+++ b/src/charon-systemd/Makefile.am
@@ -0,0 +1,19 @@
+sbin_PROGRAMS = charon-systemd
+
+charon_systemd_SOURCES = \
+charon-systemd.c
+
+charon-systemd.o :	$(top_builddir)/config.status
+
+charon_systemd_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	$(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
+	-DPLUGINS=\""${charon_plugins}\""
+
+charon_systemd_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	$(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
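Review bot: The rule `charon-systemd.o : $(top_builddir)/config.status` names an object that this target never builds. Because `charon_systemd_CPPFLAGS` is set per target, automake prefixes the object name, and the generated Makefile.in in this same commit lists it as `charon_systemd-charon-systemd.$(OBJEXT)`. As written, re-running configure with a different plugin set does not force a recompile, so the daemon can keep a stale `-DPLUGINS` list compiled in. The prerequisite should be attached to the real object: `charon_systemd-charon-systemd.o : $(top_builddir)/config.status`.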
diff --git a/src/charon-systemd/Makefile.in b/src/charon-systemd/Makefile.in
new file mode 100644
index 0000000..790c8ef
--- /dev/null
+++ b/src/charon-systemd/Makefile.in
@@ -0,0 +1,765 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+sbin_PROGRAMS = charon-systemd$(EXEEXT)
+subdir = src/charon-systemd
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(sbindir)"
+PROGRAMS = $(sbin_PROGRAMS)
+am_charon_systemd_OBJECTS = charon_systemd-charon-systemd.$(OBJEXT)
+charon_systemd_OBJECTS = $(am_charon_systemd_OBJECTS)
+am__DEPENDENCIES_1 =
+charon_systemd_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_ at AM_V@)
+am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_ at AM_V@)
+am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(charon_systemd_SOURCES)
+DIST_SOURCES = $(charon_systemd_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+charon_systemd_SOURCES = \
+charon-systemd.c
+
+charon_systemd_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	$(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
+	-DPLUGINS=\""${charon_plugins}\""
+
+charon_systemd_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	$(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon-systemd/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon-systemd/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p \
+	 || test -f $$p1 \
+	  ; then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' \
+	    -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-sbinPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' \
+	`; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(sbindir)" && rm -f $$files
+
+clean-sbinPROGRAMS:
+	@list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+
+charon-systemd$(EXEEXT): $(charon_systemd_OBJECTS) $(charon_systemd_DEPENDENCIES) $(EXTRA_charon_systemd_DEPENDENCIES) 
+	@rm -f charon-systemd$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(charon_systemd_OBJECTS) $(charon_systemd_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/charon_systemd-charon-systemd.Po at am__quote@
+
+.c.o:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+ at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+charon_systemd-charon-systemd.o: charon-systemd.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(charon_systemd_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT charon_systemd-charon-systemd.o -MD -MP -MF $(DEPDIR)/charon_systemd-charon-systemd.Tpo -c -o charon_systemd-charon-systemd.o `test -f 'charon-systemd.c' || echo '$(srcdir)/'`charon-systemd.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/charon_systemd-charon-systemd.Tpo $(DEPDIR)/charon_systemd-charon-systemd.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='charon-systemd.c' object='charon_systemd-charon-systemd.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(charon_systemd_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o charon_systemd-charon-systemd.o `test -f 'charon-systemd.c' || echo '$(srcdir)/'`charon-systemd.c
+
+charon_systemd-charon-systemd.obj: charon-systemd.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(charon_systemd_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT charon_systemd-charon-systemd.obj -MD -MP -MF $(DEPDIR)/charon_systemd-charon-systemd.Tpo -c -o charon_systemd-charon-systemd.obj `if test -f 'charon-systemd.c'; then $(CYGPATH_W) 'charon-systemd.c'; else $(CYGPATH_W) '$(srcdir)/charon-systemd.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/charon_systemd-charon-systemd.Tpo $(DEPDIR)/charon_systemd-charon-systemd.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='charon-systemd.c' object='charon_systemd-charon-systemd.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(charon_systemd_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o charon_systemd-charon-systemd.obj `if test -f 'charon-systemd.c'; then $(CYGPATH_W) 'charon-systemd.c'; else $(CYGPATH_W) '$(srcdir)/charon-systemd.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(sbindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am: install-sbinPROGRAMS
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-sbinPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-sbinPROGRAMS cscopelist-am ctags ctags-am \
+	distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-sbinPROGRAMS install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am uninstall-sbinPROGRAMS
+
+
+charon-systemd.o :	$(top_builddir)/config.status
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c
new file mode 100644
index 0000000..4a2136f
--- /dev/null
+++ b/src/charon-systemd/charon-systemd.c
@@ -0,0 +1,403 @@
+/*
+ * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2005-2014 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <signal.h>
+#include <stdio.h>
+#include <pthread.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+#include <unistd.h>
+#include <errno.h>
+
+/* won't make sense from our logging hook */
+#define SD_JOURNAL_SUPPRESS_LOCATION
+#include <systemd/sd-daemon.h>
+#include <systemd/sd-journal.h>
+
+#include <hydra.h>
+#include <daemon.h>
+
+#include <library.h>
+#include <utils/backtrace.h>
+#include <threading/thread.h>
+#include <threading/rwlock.h>
+
+/**
+ * hook in library for debugging messages
+ */
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
+
+/**
+ * Logging hook for library logs, using stderr output
+ */
+static void dbg_stderr(debug_t group, level_t level, char *fmt, ...)
+{
+	va_list args;
+
+	if (level <= 1)
+	{
+		va_start(args, fmt);
+		fprintf(stderr, "00[%N] ", debug_names, group);
+		vfprintf(stderr, fmt, args);
+		fprintf(stderr, "\n");
+		va_end(args);
+	}
+}
+
+typedef struct journal_logger_t journal_logger_t;
+
+/**
+ * Logger implementation using systemd-journal
+ */
+struct journal_logger_t {
+
+	/**
+	 * Implements logger_t
+	 */
+	logger_t logger;
+
+	/**
+	 * Configured loglevels
+	 */
+	level_t levels[DBG_MAX];
+
+	/**
+	 * Lock for levels
+	 */
+	rwlock_t *lock;
+};
+
+METHOD(logger_t, vlog, void,
+	journal_logger_t *this, debug_t group, level_t level, int thread,
+	ike_sa_t *ike_sa, const char *fmt, va_list args)
+{
+	char buf[4096], *msg = buf;
+	ssize_t len;
+	va_list copy;
+
+	va_copy(copy, args);
+	len = vsnprintf(msg, sizeof(buf), fmt, copy);
+	va_end(copy);
+
+	if (len >= sizeof(buf))
+	{
+		len++;
+		msg = malloc(len);
+		va_copy(copy, args);
+		len = vsnprintf(msg, len, fmt, copy);
+		va_end(copy);
+	}
+	if (len > 0)
+	{
+		char unique[64] = "", name[256] = "";
+		int priority;
+
+		if (ike_sa)
+		{
+			snprintf(unique, sizeof(unique), "IKE_SA_UNIQUE_ID=%u",
+					 ike_sa->get_unique_id(ike_sa));
+			if (ike_sa->get_peer_cfg(ike_sa))
+			{
+				snprintf(name, sizeof(name), "IKE_SA_NAME=%s",
+						 ike_sa->get_name(ike_sa));
+			}
+		}
+		switch (level)
+		{
+			case LEVEL_AUDIT:
+				priority = LOG_NOTICE;
+				break;
+			case LEVEL_CTRL:
+				priority = LOG_INFO;
+				break;
+			default:
+				priority = LOG_DEBUG;
+				break;
+		}
+		sd_journal_send(
+			"MESSAGE=%s", msg,
+			"MESSAGE_ID=57d2708c-d607-43bd-8c39-66bf%.8x",
+				chunk_hash_static(chunk_from_str((char*)fmt)),
+			"PRIORITY=%d", priority,
+			"GROUP=%N", debug_names, group,
+			"LEVEL=%d", level,
+			"THREAD=%d", thread,
+			unique[0] ? unique : NULL,
+			name[0] ? name : NULL,
+			NULL);
+	}
+	if (msg != buf)
+	{
+		free(msg);
+	}
+}
+
+METHOD(logger_t, get_level, level_t,
+	journal_logger_t *this, debug_t group)
+{
+	level_t level;
+
+	this->lock->read_lock(this->lock);
+	level = this->levels[group];
+	this->lock->unlock(this->lock);
+
+	return level;
+}
+
+/**
+ * Reload journal logger configuration
+ */
+CALLBACK(journal_reload, bool,
+	journal_logger_t **journal)
+{
+	journal_logger_t *this = *journal;
+	debug_t group;
+	level_t def;
+
+	def = lib->settings->get_int(lib->settings, "%s.journal.default", 1, lib->ns);
+
+	this->lock->write_lock(this->lock);
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		this->levels[group] =
+			lib->settings->get_int(lib->settings,
+				"%s.journal.%N", def, lib->ns, debug_lower_names, group);
+	}
+	this->lock->unlock(this->lock);
+
+	charon->bus->add_logger(charon->bus, &this->logger);
+
+	return TRUE;
+}
+
+/**
+ * Initialize/deinitialize journal logger
+ */
+static bool journal_register(void *plugin, plugin_feature_t *feature,
+							 bool reg, journal_logger_t **logger)
+{
+	journal_logger_t *this;
+
+	if (reg)
+	{
+		INIT(this,
+			.logger = {
+				.vlog = _vlog,
+				.get_level = _get_level,
+			},
+			.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		);
+
+		journal_reload(&this);
+
+		*logger = this;
+		return TRUE;
+	}
+	else
+	{
+		this = *logger;
+
+		charon->bus->remove_logger(charon->bus, &this->logger);
+
+		this->lock->destroy(this->lock);
+		free(this);
+
+		return TRUE;
+	}
+}
+
+/**
+ * Run the daemon and handle unix signals
+ */
+static int run()
+{
+	sigset_t set;
+
+	sigemptyset(&set);
+	sigaddset(&set, SIGTERM);
+	sigprocmask(SIG_BLOCK, &set, NULL);
+
+	sd_notify(0, "READY=1\n");
+
+	while (TRUE)
+	{
+		int sig, error;
+
+		error = sigwait(&set, &sig);
+		if (error)
+		{
+			DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(error));
+			return SS_RC_INITIALIZATION_FAILED;
+		}
+		switch (sig)
+		{
+			case SIGTERM:
+			{
+				DBG1(DBG_DMN, "SIGTERM received, shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return 0;
+			}
+			default:
+			{
+				DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig);
+				break;
+			}
+		}
+	}
+}
+
+/**
+ * lookup UID and GID
+ */
+static bool lookup_uid_gid()
+{
+#ifdef IPSEC_USER
+	if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
+	{
+		return FALSE;
+	}
+#endif /* IPSEC_USER */
+#ifdef IPSEC_GROUP
+	if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
+	{
+		return FALSE;
+	}
+#endif /* IPSEC_GROUP */
+	return TRUE;
+}
+
+/**
+ * Handle SIGSEGV/SIGILL signals raised by threads
+ */
+static void segv_handler(int signal)
+{
+	backtrace_t *backtrace;
+
+	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
+	backtrace = backtrace_create(2);
+	backtrace->log(backtrace, NULL, TRUE);
+	backtrace->log(backtrace, stderr, TRUE);
+	backtrace->destroy(backtrace);
+
+	DBG1(DBG_DMN, "killing ourself, received critical signal");
+	abort();
+}
+
+/**
+ * The journal logger instance
+ */
+static journal_logger_t *journal;
+
+/**
+ * Journal static features
+ */
+static plugin_feature_t features[] = {
+	PLUGIN_CALLBACK((plugin_feature_callback_t)journal_register, &journal),
+		PLUGIN_PROVIDE(CUSTOM, "systemd-journal"),
+};
+
+/**
+ * Main function, starts the daemon.
+ */
+int main(int argc, char *argv[])
+{
+	struct sigaction action;
+	struct utsname utsname;
+
+	dbg = dbg_stderr;
+
+	if (uname(&utsname) != 0)
+	{
+		memset(&utsname, 0, sizeof(utsname));
+	}
+
+	sd_notifyf(0, "STATUS=Starting charon-systemd, strongSwan %s, %s %s, %s",
+			   VERSION, utsname.sysname, utsname.release, utsname.machine);
+
+	atexit(library_deinit);
+	if (!library_init(NULL, "charon-systemd"))
+	{
+		sd_notifyf(0, "STATUS=libstrongswan initialization failed");
+		return SS_RC_INITIALIZATION_FAILED;
+	}
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "charon-systemd", argv[0]))
+	{
+		sd_notifyf(0, "STATUS=integrity check of charon-systemd failed");
+		return SS_RC_INITIALIZATION_FAILED;
+	}
+	atexit(libhydra_deinit);
+	if (!libhydra_init())
+	{
+		sd_notifyf(0, "STATUS=libhydra initialization failed");
+		return SS_RC_INITIALIZATION_FAILED;
+	}
+	atexit(libcharon_deinit);
+	if (!libcharon_init())
+	{
+		sd_notifyf(0, "STATUS=libcharon initialization failed");
+		return SS_RC_INITIALIZATION_FAILED;
+	}
+	if (!lookup_uid_gid())
+	{
+		sd_notifyf(0, "STATUS=unknown uid/gid");
+		return SS_RC_INITIALIZATION_FAILED;
+	}
+	charon->load_loggers(charon, NULL, FALSE);
+
+	lib->plugins->add_static_features(lib->plugins, lib->ns, features,
+							countof(features), TRUE, journal_reload, &journal);
+
+	if (!charon->initialize(charon, PLUGINS))
+	{
+		sd_notifyf(0, "STATUS=charon initialization failed");
+		return SS_RC_INITIALIZATION_FAILED;
+	}
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
+
+	if (!lib->caps->drop(lib->caps))
+	{
+		sd_notifyf(0, "STATUS=dropping capabilities failed");
+		return SS_RC_INITIALIZATION_FAILED;
+	}
+
+	/* add handler for SEGV and ILL,
+	 * INT, TERM and HUP are handled by sigwait() in run() */
+	action.sa_handler = segv_handler;
+	action.sa_flags = 0;
+	sigemptyset(&action.sa_mask);
+	sigaddset(&action.sa_mask, SIGINT);
+	sigaddset(&action.sa_mask, SIGTERM);
+	sigaddset(&action.sa_mask, SIGHUP);
+	sigaction(SIGSEGV, &action, NULL);
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &action, NULL);
+
+	pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
+	charon->start(charon);
+
+	sd_notifyf(0, "STATUS=charon-systemd running, strongSwan %s, %s %s, %s",
+			   VERSION, utsname.sysname, utsname.release, utsname.machine);
+
+	return run();
+}
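Review bot: In `vlog`, the pre-formatted `unique` and `name` buffers are passed to `sd_journal_send()` in format-string position, so any `%` in the text returned by `ike_sa->get_name()` would be parsed as a conversion specifier and read arguments that were never supplied. The name presumably comes from the configured connection name (administrator-controlled rather than peer-controlled, to be confirmed against the callers), but it is still safer to pass both buffers as data: `unique[0] ? "%s" : NULL, unique,` and `name[0] ? "%s" : NULL, name,`. Separately, `msg = malloc(len);` is not checked before the second `vsnprintf()`, so an allocation failure on a message longer than 4096 bytes would write through a NULL pointer. Falling back to the already truncated text in `buf` would keep the logger working in that case.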
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index ca4cdbf..fe6606b 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -148,6 +148,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -208,6 +209,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -273,6 +275,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -320,6 +324,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 9a22f9a..a6770fc 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -296,7 +296,7 @@ int main(int argc, char *argv[])
 			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
 	};
 	lib->plugins->add_static_features(lib->plugins, "tkm-backend", features,
-			countof(features), TRUE);
+			countof(features), TRUE, NULL, NULL);
 
 	if (!register_dh_mapping())
 	{
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
index a34d0b1..67db5e6 100644
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -159,7 +159,8 @@ int register_dh_mapping()
 	}
 	enumerator->destroy(enumerator);
 
-	lib->plugins->add_static_features(lib->plugins, "tkm-dh", f, countof(f), TRUE);
+	lib->plugins->add_static_features(lib->plugins, "tkm-dh", f, countof(f),
+									  TRUE, NULL, NULL);
 
 	if (count > 0)
 	{
diff --git a/src/charon-tkm/tests/tests.c b/src/charon-tkm/tests/tests.c
index 18754c7..80894a1 100644
--- a/src/charon-tkm/tests/tests.c
+++ b/src/charon-tkm/tests/tests.c
@@ -64,7 +64,7 @@ static bool test_runner_init(bool init)
 				PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
 		};
 		lib->plugins->add_static_features(lib->plugins, "tkm-tests", features,
-										  countof(features), TRUE);
+										  countof(features), TRUE, NULL, NULL);
 
 		lib->settings->set_int(lib->settings, "%s.dh_mapping.%d", 1,
 							   lib->ns, MODP_3072_BIT);
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 0e8a49e..f4dcf4f 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -205,6 +205,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -265,6 +266,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -330,6 +332,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -377,6 +381,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 8afac3f..081e494 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -124,15 +124,12 @@ static void run()
 			{
 				DBG1(DBG_DMN, "signal of type SIGHUP received. Reloading "
 					 "configuration");
-#ifdef STRONGSWAN_CONF
-				if (lib->settings->load_files(lib->settings, STRONGSWAN_CONF,
-											  FALSE))
+				if (lib->settings->load_files(lib->settings, lib->conf, FALSE))
 				{
 					charon->load_loggers(charon, levels, !use_syslog);
 					lib->plugins->reload(lib->plugins, NULL);
 				}
 				else
-#endif
 				{
 					DBG1(DBG_DMN, "reloading config failed, keeping old");
 				}
@@ -468,4 +465,3 @@ deinit:
 	library_deinit();
 	return status;
 }
-
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index 821c517..b358699 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -81,11 +81,6 @@ if USE_IMCV
   libs += $(DESTDIR)$(ipseclibdir)/libimcv.so
 endif
 
-if USE_PTS
-  deps += $(top_builddir)/src/libpts/libpts.la
-  libs += $(DESTDIR)$(ipseclibdir)/libpts.so
-endif
-
 if USE_CHARON
   deps += $(top_builddir)/src/libcharon/libcharon.la
   libs += $(DESTDIR)$(ipseclibdir)/libcharon.so
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 697899e..86e7ca6 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -98,18 +98,16 @@ EXTRA_PROGRAMS = checksum_builder$(EXEEXT)
 @USE_SIMAKA_TRUE at am__append_17 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
 @USE_IMCV_TRUE at am__append_18 = $(top_builddir)/src/libimcv/libimcv.la
 @USE_IMCV_TRUE at am__append_19 = $(DESTDIR)$(ipseclibdir)/libimcv.so
- at USE_PTS_TRUE@am__append_20 = $(top_builddir)/src/libpts/libpts.la
- at USE_PTS_TRUE@am__append_21 = $(DESTDIR)$(ipseclibdir)/libpts.so
- at USE_CHARON_TRUE@am__append_22 = $(top_builddir)/src/libcharon/libcharon.la
- at USE_CHARON_TRUE@am__append_23 = $(DESTDIR)$(ipseclibdir)/libcharon.so
- at USE_CHARON_TRUE@am__append_24 = $(DESTDIR)$(ipsecdir)/charon
- at MONOLITHIC_FALSE@@USE_CHARON_TRUE at am__append_25 = -DC_PLUGINS=\""${c_plugins}\""
- at USE_CMD_TRUE@am__append_26 = $(DESTDIR)$(sbindir)/charon-cmd
- at USE_SCEPCLIENT_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/scepclient
- at USE_PKI_TRUE@am__append_28 = $(DESTDIR)$(bindir)/pki
- at USE_SWANCTL_TRUE@am__append_29 = $(DESTDIR)$(sbindir)/swanctl
- at USE_ATTR_SQL_TRUE@am__append_30 = $(DESTDIR)$(ipsecdir)/pool
- at USE_IMV_ATTESTATION_TRUE@am__append_31 = $(DESTDIR)$(ipsecdir)/attest
+ at USE_CHARON_TRUE@am__append_20 = $(top_builddir)/src/libcharon/libcharon.la
+ at USE_CHARON_TRUE@am__append_21 = $(DESTDIR)$(ipseclibdir)/libcharon.so
+ at USE_CHARON_TRUE@am__append_22 = $(DESTDIR)$(ipsecdir)/charon
+ at MONOLITHIC_FALSE@@USE_CHARON_TRUE at am__append_23 = -DC_PLUGINS=\""${c_plugins}\""
+ at USE_CMD_TRUE@am__append_24 = $(DESTDIR)$(sbindir)/charon-cmd
+ at USE_SCEPCLIENT_TRUE@am__append_25 = $(DESTDIR)$(ipsecdir)/scepclient
+ at USE_PKI_TRUE@am__append_26 = $(DESTDIR)$(bindir)/pki
+ at USE_SWANCTL_TRUE@am__append_27 = $(DESTDIR)$(sbindir)/swanctl
+ at USE_ATTR_SQL_TRUE@am__append_28 = $(DESTDIR)$(ipsecdir)/pool
+ at USE_IMV_ATTESTATION_TRUE@am__append_29 = $(DESTDIR)$(ipsecdir)/attest
 subdir = src/checksum
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -274,6 +272,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -334,6 +333,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -399,6 +399,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -446,6 +448,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
@@ -473,7 +479,7 @@ CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon \
 	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" $(am__append_1) \
-	$(am__append_4) $(am__append_15) $(am__append_25)
+	$(am__append_4) $(am__append_15) $(am__append_23)
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
 
@@ -484,15 +490,14 @@ AM_CFLAGS = \
 deps = $(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__append_2) $(am__append_5) $(am__append_7) \
 	$(am__append_9) $(am__append_11) $(am__append_13) \
-	$(am__append_16) $(am__append_18) $(am__append_20) \
-	$(am__append_22)
+	$(am__append_16) $(am__append_18) $(am__append_20)
 libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so $(am__append_3) \
 	$(am__append_6) $(am__append_8) $(am__append_10) \
 	$(am__append_12) $(am__append_14) $(am__append_17) \
-	$(am__append_19) $(am__append_21) $(am__append_23)
-exes = $(am__append_24) $(am__append_26) $(am__append_27) \
-	$(am__append_28) $(am__append_29) $(am__append_30) \
-	$(am__append_31)
+	$(am__append_19) $(am__append_21)
+exes = $(am__append_22) $(am__append_24) $(am__append_25) \
+	$(am__append_26) $(am__append_27) $(am__append_28) \
+	$(am__append_29)
 all: all-am
 
 .SUFFIXES:
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index edd07b8..e3c2e43 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -219,6 +219,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -279,6 +280,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -344,6 +346,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -391,6 +395,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/conftest/hooks/ike_auth_fill.c b/src/conftest/hooks/ike_auth_fill.c
index 5cdd5be..e3eabe2 100644
--- a/src/conftest/hooks/ike_auth_fill.c
+++ b/src/conftest/hooks/ike_auth_fill.c
@@ -19,7 +19,7 @@
 #include <netinet/udp.h>
 
 #include <encoding/payloads/cert_payload.h>
-#include <encoding/payloads/encryption_payload.h>
+#include <encoding/payloads/encrypted_payload.h>
 
 typedef struct private_ike_auth_fill_t private_ike_auth_fill_t;
 
diff --git a/src/conftest/hooks/reset_seq.c b/src/conftest/hooks/reset_seq.c
index a77b10e..717bcdb 100644
--- a/src/conftest/hooks/reset_seq.c
+++ b/src/conftest/hooks/reset_seq.c
@@ -108,7 +108,7 @@ static job_requeue_t reset_cb(struct reset_cb_data_t *data)
 
 	memset(&request, 0, sizeof(request));
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_REPLACE;
 	hdr->nlmsg_seq = 201;
 	hdr->nlmsg_pid = getpid();
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index fd4a5db..56ac344 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -240,6 +240,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -300,6 +301,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -365,6 +367,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -412,6 +416,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index ed755cb..042c46c 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -148,6 +148,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -208,6 +209,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -273,6 +275,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -320,6 +324,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index baa4532..526c7c4 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -182,6 +182,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -242,6 +243,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -307,6 +309,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -354,6 +358,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 3dcb03a..9ba9bd8 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.2.0" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.2.1" "strongSwan"
 .
 .SH NAME
 .
@@ -96,6 +96,11 @@ terminates IKE SA instance \fIn\fP of connection \fIname\fP.
 terminates all IKE SA instances of connection \fIname\fP.
 .
 .TP
+.BI "down-srcip <" start "> [<" end ">]"
+terminates all IKE SA instances with clients having virtual IPs in the range
+.IR start - end .
+.
+.TP
 .BI "route " name
 tells the IKE daemon to insert an IPsec policy in the kernel
 for connection \fIname\fP. The first payload packet matching the IPsec policy
@@ -118,6 +123,11 @@ returns detailed status information either on connection
 .SS LIST COMMANDS
 .
 .TP
+.BI "leases [<" poolname "> [<" address ">]]"
+returns the status of all or the selected IP address pool (or even a single
+virtual IP address).
+.
+.TP
 .B "listalgs"
 returns a list supported cryptographic algorithms usable for IKE, and their
 corresponding plugin.
@@ -242,7 +252,7 @@ resets global or connection specific counters.
 purges all cached certificates.
 .
 .TP
-.B "purgecrl"
+.B "purgecrls"
 purges all cached CRLs.
 .
 .TP
diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
index 250cf80..210d74e 100644
--- a/src/ipsec/_ipsec.8.in
+++ b/src/ipsec/_ipsec.8.in
@@ -96,6 +96,11 @@ terminates IKE SA instance \fIn\fP of connection \fIname\fP.
 terminates all IKE SA instances of connection \fIname\fP.
 .
 .TP
+.BI "down-srcip <" start "> [<" end ">]"
+terminates all IKE SA instances with clients having virtual IPs in the range
+.IR start - end .
+.
+.TP
 .BI "route " name
 tells the IKE daemon to insert an IPsec policy in the kernel
 for connection \fIname\fP. The first payload packet matching the IPsec policy
@@ -118,6 +123,11 @@ returns detailed status information either on connection
 .SS LIST COMMANDS
 .
 .TP
+.BI "leases [<" poolname "> [<" address ">]]"
+returns the status of all or the selected IP address pool (or even a single
+virtual IP address).
+.
+.TP
 .B "listalgs"
 returns a list supported cryptographic algorithms usable for IKE, and their
 corresponding plugin.
@@ -242,7 +252,7 @@ resets global or connection specific counters.
 purges all cached certificates.
 .
 .TP
-.B "purgecrl"
+.B "purgecrls"
 purges all cached CRLs.
 .
 .TP
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index e6725d0..0798830 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -15,7 +15,7 @@
 # for more details.
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@:@IPSEC_BINDIR@"
+PATH=${PATH:-"/sbin:/bin:/usr/sbin:/usr/bin"}
 export PATH
 
 # set daemon name
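Review bot: Helper commands invoked by bare name are now resolved through the caller's PATH, because `PATH=${PATH:-...}` only sets a value when none was exported, whereas the removed line always imposed a fixed list. This matters when the script runs with root privileges from an environment whose PATH contains a directory other users can write to. Whether such bare-name calls exist is not visible in this hunk and should be checked against the rest of the script. If inheriting PATH is intended, putting the system directories first keeps lookups predictable: `PATH="/sbin:/bin:/usr/sbin:/usr/bin${PATH:+:$PATH}"`. The fallback also drops `@IPSEC_SBINDIR@` and `@IPSEC_BINDIR@`, so with PATH unset and a non-standard install prefix, tools installed there would no longer be found by name.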
@@ -46,37 +46,36 @@ IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity o
 
 case "$1" in
 '')
-	echo "Usage: $IPSEC_SCRIPT command argument ..."
-	echo "Use --help for list of commands, or see $IPSEC_SCRIPT(8) manual "
-	echo "page or the $IPSEC_NAME documentation for names of the common "
-	echo "ones."
-	echo "See <http://www.strongswan.org> for more general info."
+	echo "$IPSEC_SCRIPT command [arguments]"
+	echo
+	echo "Use --help for a list of commands, or refer to the $IPSEC_SCRIPT(8) man page."
+	echo "See <http://www.strongswan.org> for more general information."
 	exit 0
 	;;
 --help)
-	echo "Usage: $IPSEC_SCRIPT command argument ..."
-	echo "where command is one of:"
-	echo "	start|restart  arguments..."
+	echo "$IPSEC_SCRIPT command [arguments]"
+	echo
+	echo "Commands:"
+	echo "	start|restart [arguments]"
 	echo "	update|reload|stop"
 	echo "	up|down|route|unroute <connectionname>"
+	echo "	down-srcip <start> [<end>]"
 	echo "	status|statusall [<connectionname>]"
 	echo "	listalgs|listpubkeys|listcerts [--utc]"
 	echo "	listcacerts|listaacerts|listocspcerts [--utc]"
 	echo "	listacerts|listgroups|listcainfos [--utc]"
-	echo "	listcrls|listocsp|listcards|listplugins|listall [--utc]"
+	echo "	listcrls|listocsp|listplugins|listall [--utc]"
 	echo "	listcounters|resetcounters [name]"
 	echo "	leases [<poolname> [<address>]]"
-	echo "	rereadsecrets|rereadgroups"
-	echo "	rereadcacerts|rereadaacerts|rereadocspcerts"
-	echo "	rereadacerts|rereadcrls|rereadall"
-	echo "	purgeocsp|purgecrls|purgecerts|purgeike"
-	echo "	scepclient"
-	echo "	secrets"
-	echo "	starter"
+	echo "	rereadsecrets|rereadcacerts|rereadaacerts"
+	echo "	rereadocspcerts|rereadacerts|rereadcrls|rereadall"
+	echo "	purgecerts|purgecrls|purgeike|purgeocsp"
+	echo "	scepclient|pki"
+	echo "	starter|stroke"
 	echo "	version"
-	echo "	stroke"
 	echo
-	echo "Some of these functions have their own manual pages, e.g. scepclient(8)."
+	echo "Refer to the $IPSEC_SCRIPT(8) man page for details."
+	echo "Some commands have their own man pages, e.g. pki(1) or scepclient(8)."
 	exit 0
 	;;
 --versioncode)
@@ -129,16 +128,6 @@ down-srcip)
 	fi
 	exit "$rc"
 	;;
-listcards|rereadgroups)
-	op="$1"
-	shift
-	if [ -e $IPSEC_CHARON_PID ]
-	then
-		exit 3
-	else
-		exit 7
-	fi
-	;;
 leases)
 	op="$1"
 	rc=7
@@ -340,12 +329,8 @@ path="$IPSEC_DIR/$cmd"
 
 if [ ! -x "$path" ]
 then
-    path="$IPSEC_DIR/$cmd"
-    if [ ! -x "$path" ]
-    then
 	echo "$0: unknown IPsec command \`$cmd' (\`$IPSEC_SCRIPT --help' for list)" >&2
 	exit 2
-    fi
 fi
 
 exec $path "$@"
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index a28b459..4212ee8 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -25,7 +25,8 @@ encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
 encoding/payloads/delete_payload.c encoding/payloads/delete_payload.h \
 encoding/payloads/eap_payload.c encoding/payloads/eap_payload.h \
 encoding/payloads/encodings.c encoding/payloads/encodings.h \
-encoding/payloads/encryption_payload.c encoding/payloads/encryption_payload.h \
+encoding/payloads/encrypted_payload.c encoding/payloads/encrypted_payload.h \
+encoding/payloads/encrypted_fragment_payload.h \
 encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
 encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
 encoding/payloads/ke_payload.c  encoding/payloads/ke_payload.h \
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index e81c424..e98f5e1 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -23,7 +23,8 @@ encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
 encoding/payloads/delete_payload.c encoding/payloads/delete_payload.h \
 encoding/payloads/eap_payload.c encoding/payloads/eap_payload.h \
 encoding/payloads/encodings.c encoding/payloads/encodings.h \
-encoding/payloads/encryption_payload.c encoding/payloads/encryption_payload.h \
+encoding/payloads/encrypted_payload.c encoding/payloads/encrypted_payload.h \
+encoding/payloads/encrypted_fragment_payload.h \
 encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
 encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
 encoding/payloads/ke_payload.c  encoding/payloads/ke_payload.h \
@@ -258,6 +259,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_EXT_AUTH
+  SUBDIRS += plugins/ext_auth
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/ext_auth/libstrongswan-ext-auth.la
+endif
+endif
+
 if USE_EAP_IDENTITY
   SUBDIRS += plugins/eap_identity
 if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 002da51..4d89794 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -162,106 +162,108 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE at am__append_27 = plugins/ipseckey/libstrongswan-ipseckey.la
 @USE_UPDOWN_TRUE at am__append_28 = plugins/updown
 @MONOLITHIC_TRUE@@USE_UPDOWN_TRUE at am__append_29 = plugins/updown/libstrongswan-updown.la
- at USE_EAP_IDENTITY_TRUE@am__append_30 = plugins/eap_identity
- at MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE at am__append_31 = plugins/eap_identity/libstrongswan-eap-identity.la
- at USE_EAP_SIM_TRUE@am__append_32 = plugins/eap_sim
- at MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE at am__append_33 = plugins/eap_sim/libstrongswan-eap-sim.la
- at USE_EAP_SIM_FILE_TRUE@am__append_34 = plugins/eap_sim_file
- at MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE at am__append_35 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
- at USE_EAP_SIM_PCSC_TRUE@am__append_36 = plugins/eap_sim_pcsc
- at MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE at am__append_37 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
- at USE_EAP_SIMAKA_SQL_TRUE@am__append_38 = plugins/eap_simaka_sql
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE at am__append_39 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
- at USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_40 = plugins/eap_simaka_pseudonym
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE at am__append_41 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
- at USE_EAP_SIMAKA_REAUTH_TRUE@am__append_42 = plugins/eap_simaka_reauth
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE at am__append_43 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
- at USE_EAP_AKA_TRUE@am__append_44 = plugins/eap_aka
- at MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE at am__append_45 = plugins/eap_aka/libstrongswan-eap-aka.la
- at USE_EAP_AKA_3GPP2_TRUE@am__append_46 = plugins/eap_aka_3gpp2
- at MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE at am__append_47 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
- at MONOLITHIC_TRUE@@USE_SIMAKA_TRUE at am__append_48 = $(top_builddir)/src/libsimaka/libsimaka.la
- at USE_EAP_MD5_TRUE@am__append_49 = plugins/eap_md5
- at MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE at am__append_50 = plugins/eap_md5/libstrongswan-eap-md5.la
- at USE_EAP_GTC_TRUE@am__append_51 = plugins/eap_gtc
- at MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE at am__append_52 = plugins/eap_gtc/libstrongswan-eap-gtc.la
- at USE_EAP_MSCHAPV2_TRUE@am__append_53 = plugins/eap_mschapv2
- at MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE at am__append_54 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
- at USE_EAP_DYNAMIC_TRUE@am__append_55 = plugins/eap_dynamic
- at MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE at am__append_56 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
- at USE_EAP_RADIUS_TRUE@am__append_57 = plugins/eap_radius
- at MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE at am__append_58 = plugins/eap_radius/libstrongswan-eap-radius.la
- at USE_EAP_TLS_TRUE@am__append_59 = plugins/eap_tls
- at MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE at am__append_60 = plugins/eap_tls/libstrongswan-eap-tls.la
- at USE_EAP_TTLS_TRUE@am__append_61 = plugins/eap_ttls
- at MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE at am__append_62 = plugins/eap_ttls/libstrongswan-eap-ttls.la
- at USE_EAP_PEAP_TRUE@am__append_63 = plugins/eap_peap
- at MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE at am__append_64 = plugins/eap_peap/libstrongswan-eap-peap.la
- at USE_EAP_TNC_TRUE@am__append_65 = plugins/eap_tnc
- at MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE at am__append_66 = plugins/eap_tnc/libstrongswan-eap-tnc.la
- at MONOLITHIC_TRUE@@USE_TLS_TRUE at am__append_67 = $(top_builddir)/src/libtls/libtls.la
- at MONOLITHIC_TRUE@@USE_RADIUS_TRUE at am__append_68 = $(top_builddir)/src/libradius/libradius.la
- at USE_TNC_IFMAP_TRUE@am__append_69 = plugins/tnc_ifmap
- at MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE at am__append_70 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
- at USE_TNC_PDP_TRUE@am__append_71 = plugins/tnc_pdp
- at MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE at am__append_72 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
- at MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE at am__append_73 = $(top_builddir)/src/libtnccs/libtnccs.la
- at USE_MEDSRV_TRUE@am__append_74 = plugins/medsrv
- at MONOLITHIC_TRUE@@USE_MEDSRV_TRUE at am__append_75 = plugins/medsrv/libstrongswan-medsrv.la
- at USE_MEDCLI_TRUE@am__append_76 = plugins/medcli
- at MONOLITHIC_TRUE@@USE_MEDCLI_TRUE at am__append_77 = plugins/medcli/libstrongswan-medcli.la
- at USE_DHCP_TRUE@am__append_78 = plugins/dhcp
- at MONOLITHIC_TRUE@@USE_DHCP_TRUE at am__append_79 = plugins/dhcp/libstrongswan-dhcp.la
- at USE_OSX_ATTR_TRUE@am__append_80 = plugins/osx_attr
- at MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE at am__append_81 = plugins/osx_attr/libstrongswan-osx-attr.la
- at USE_ANDROID_DNS_TRUE@am__append_82 = plugins/android_dns
- at MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE at am__append_83 = plugins/android_dns/libstrongswan-android-dns.la
- at USE_ANDROID_LOG_TRUE@am__append_84 = plugins/android_log
- at MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE at am__append_85 = plugins/android_log/libstrongswan-android-log.la
- at USE_MAEMO_TRUE@am__append_86 = plugins/maemo
- at MONOLITHIC_TRUE@@USE_MAEMO_TRUE at am__append_87 = plugins/maemo/libstrongswan-maemo.la
- at USE_HA_TRUE@am__append_88 = plugins/ha
- at MONOLITHIC_TRUE@@USE_HA_TRUE at am__append_89 = plugins/ha/libstrongswan-ha.la
- at USE_KERNEL_LIBIPSEC_TRUE@am__append_90 = plugins/kernel_libipsec
- at MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE at am__append_91 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
- at USE_KERNEL_WFP_TRUE@am__append_92 = plugins/kernel_wfp
- at MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE at am__append_93 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
- at USE_KERNEL_IPH_TRUE@am__append_94 = plugins/kernel_iph
- at MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE at am__append_95 = plugins/kernel_iph/libstrongswan-kernel-iph.la
- at USE_WHITELIST_TRUE@am__append_96 = plugins/whitelist
- at MONOLITHIC_TRUE@@USE_WHITELIST_TRUE at am__append_97 = plugins/whitelist/libstrongswan-whitelist.la
- at USE_LOOKIP_TRUE@am__append_98 = plugins/lookip
- at MONOLITHIC_TRUE@@USE_LOOKIP_TRUE at am__append_99 = plugins/lookip/libstrongswan-lookip.la
- at USE_ERROR_NOTIFY_TRUE@am__append_100 = plugins/error_notify
- at MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE at am__append_101 = plugins/error_notify/libstrongswan-error-notify.la
- at USE_CERTEXPIRE_TRUE@am__append_102 = plugins/certexpire
- at MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE at am__append_103 = plugins/certexpire/libstrongswan-certexpire.la
- at USE_SYSTIME_FIX_TRUE@am__append_104 = plugins/systime_fix
- at MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE at am__append_105 = plugins/systime_fix/libstrongswan-systime-fix.la
- at USE_LED_TRUE@am__append_106 = plugins/led
- at MONOLITHIC_TRUE@@USE_LED_TRUE at am__append_107 = plugins/led/libstrongswan-led.la
- at USE_DUPLICHECK_TRUE@am__append_108 = plugins/duplicheck
- at MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE at am__append_109 = plugins/duplicheck/libstrongswan-duplicheck.la
- at USE_COUPLING_TRUE@am__append_110 = plugins/coupling
- at MONOLITHIC_TRUE@@USE_COUPLING_TRUE at am__append_111 = plugins/coupling/libstrongswan-coupling.la
- at USE_RADATTR_TRUE@am__append_112 = plugins/radattr
- at MONOLITHIC_TRUE@@USE_RADATTR_TRUE at am__append_113 = plugins/radattr/libstrongswan-radattr.la
- at USE_UCI_TRUE@am__append_114 = plugins/uci
- at MONOLITHIC_TRUE@@USE_UCI_TRUE at am__append_115 = plugins/uci/libstrongswan-uci.la
- at USE_ADDRBLOCK_TRUE@am__append_116 = plugins/addrblock
- at MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE at am__append_117 = plugins/addrblock/libstrongswan-addrblock.la
- at USE_UNITY_TRUE@am__append_118 = plugins/unity
- at MONOLITHIC_TRUE@@USE_UNITY_TRUE at am__append_119 = plugins/unity/libstrongswan-unity.la
- at USE_UNIT_TESTS_TRUE@am__append_120 = plugins/unit_tester
- at MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE at am__append_121 = plugins/unit_tester/libstrongswan-unit-tester.la
- at USE_XAUTH_GENERIC_TRUE@am__append_122 = plugins/xauth_generic
- at MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE at am__append_123 = plugins/xauth_generic/libstrongswan-xauth-generic.la
- at USE_XAUTH_EAP_TRUE@am__append_124 = plugins/xauth_eap
- at MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE at am__append_125 = plugins/xauth_eap/libstrongswan-xauth-eap.la
- at USE_XAUTH_PAM_TRUE@am__append_126 = plugins/xauth_pam
- at MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE at am__append_127 = plugins/xauth_pam/libstrongswan-xauth-pam.la
- at USE_XAUTH_NOAUTH_TRUE@am__append_128 = plugins/xauth_noauth
- at MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE at am__append_129 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+ at USE_EXT_AUTH_TRUE@am__append_30 = plugins/ext_auth
+ at MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE at am__append_31 = plugins/ext_auth/libstrongswan-ext-auth.la
+ at USE_EAP_IDENTITY_TRUE@am__append_32 = plugins/eap_identity
+ at MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE at am__append_33 = plugins/eap_identity/libstrongswan-eap-identity.la
+ at USE_EAP_SIM_TRUE@am__append_34 = plugins/eap_sim
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE at am__append_35 = plugins/eap_sim/libstrongswan-eap-sim.la
+ at USE_EAP_SIM_FILE_TRUE@am__append_36 = plugins/eap_sim_file
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE at am__append_37 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+ at USE_EAP_SIM_PCSC_TRUE@am__append_38 = plugins/eap_sim_pcsc
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE at am__append_39 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
+ at USE_EAP_SIMAKA_SQL_TRUE@am__append_40 = plugins/eap_simaka_sql
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE at am__append_41 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+ at USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_42 = plugins/eap_simaka_pseudonym
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE at am__append_43 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+ at USE_EAP_SIMAKA_REAUTH_TRUE@am__append_44 = plugins/eap_simaka_reauth
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE at am__append_45 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+ at USE_EAP_AKA_TRUE@am__append_46 = plugins/eap_aka
+ at MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE at am__append_47 = plugins/eap_aka/libstrongswan-eap-aka.la
+ at USE_EAP_AKA_3GPP2_TRUE@am__append_48 = plugins/eap_aka_3gpp2
+ at MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE at am__append_49 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+ at MONOLITHIC_TRUE@@USE_SIMAKA_TRUE at am__append_50 = $(top_builddir)/src/libsimaka/libsimaka.la
+ at USE_EAP_MD5_TRUE@am__append_51 = plugins/eap_md5
+ at MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE at am__append_52 = plugins/eap_md5/libstrongswan-eap-md5.la
+ at USE_EAP_GTC_TRUE@am__append_53 = plugins/eap_gtc
+ at MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE at am__append_54 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+ at USE_EAP_MSCHAPV2_TRUE@am__append_55 = plugins/eap_mschapv2
+ at MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE at am__append_56 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+ at USE_EAP_DYNAMIC_TRUE@am__append_57 = plugins/eap_dynamic
+ at MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE at am__append_58 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
+ at USE_EAP_RADIUS_TRUE@am__append_59 = plugins/eap_radius
+ at MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE at am__append_60 = plugins/eap_radius/libstrongswan-eap-radius.la
+ at USE_EAP_TLS_TRUE@am__append_61 = plugins/eap_tls
+ at MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE at am__append_62 = plugins/eap_tls/libstrongswan-eap-tls.la
+ at USE_EAP_TTLS_TRUE@am__append_63 = plugins/eap_ttls
+ at MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE at am__append_64 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+ at USE_EAP_PEAP_TRUE@am__append_65 = plugins/eap_peap
+ at MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE at am__append_66 = plugins/eap_peap/libstrongswan-eap-peap.la
+ at USE_EAP_TNC_TRUE@am__append_67 = plugins/eap_tnc
+ at MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE at am__append_68 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+ at MONOLITHIC_TRUE@@USE_TLS_TRUE at am__append_69 = $(top_builddir)/src/libtls/libtls.la
+ at MONOLITHIC_TRUE@@USE_RADIUS_TRUE at am__append_70 = $(top_builddir)/src/libradius/libradius.la
+ at USE_TNC_IFMAP_TRUE@am__append_71 = plugins/tnc_ifmap
+ at MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE at am__append_72 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
+ at USE_TNC_PDP_TRUE@am__append_73 = plugins/tnc_pdp
+ at MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE at am__append_74 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
+ at MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE at am__append_75 = $(top_builddir)/src/libtnccs/libtnccs.la
+ at USE_MEDSRV_TRUE@am__append_76 = plugins/medsrv
+ at MONOLITHIC_TRUE@@USE_MEDSRV_TRUE at am__append_77 = plugins/medsrv/libstrongswan-medsrv.la
+ at USE_MEDCLI_TRUE@am__append_78 = plugins/medcli
+ at MONOLITHIC_TRUE@@USE_MEDCLI_TRUE at am__append_79 = plugins/medcli/libstrongswan-medcli.la
+ at USE_DHCP_TRUE@am__append_80 = plugins/dhcp
+ at MONOLITHIC_TRUE@@USE_DHCP_TRUE at am__append_81 = plugins/dhcp/libstrongswan-dhcp.la
+ at USE_OSX_ATTR_TRUE@am__append_82 = plugins/osx_attr
+ at MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE at am__append_83 = plugins/osx_attr/libstrongswan-osx-attr.la
+ at USE_ANDROID_DNS_TRUE@am__append_84 = plugins/android_dns
+ at MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE at am__append_85 = plugins/android_dns/libstrongswan-android-dns.la
+ at USE_ANDROID_LOG_TRUE@am__append_86 = plugins/android_log
+ at MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE at am__append_87 = plugins/android_log/libstrongswan-android-log.la
+ at USE_MAEMO_TRUE@am__append_88 = plugins/maemo
+ at MONOLITHIC_TRUE@@USE_MAEMO_TRUE at am__append_89 = plugins/maemo/libstrongswan-maemo.la
+ at USE_HA_TRUE@am__append_90 = plugins/ha
+ at MONOLITHIC_TRUE@@USE_HA_TRUE at am__append_91 = plugins/ha/libstrongswan-ha.la
+ at USE_KERNEL_LIBIPSEC_TRUE@am__append_92 = plugins/kernel_libipsec
+ at MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE at am__append_93 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+ at USE_KERNEL_WFP_TRUE@am__append_94 = plugins/kernel_wfp
+ at MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE at am__append_95 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
+ at USE_KERNEL_IPH_TRUE@am__append_96 = plugins/kernel_iph
+ at MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE at am__append_97 = plugins/kernel_iph/libstrongswan-kernel-iph.la
+ at USE_WHITELIST_TRUE@am__append_98 = plugins/whitelist
+ at MONOLITHIC_TRUE@@USE_WHITELIST_TRUE at am__append_99 = plugins/whitelist/libstrongswan-whitelist.la
+ at USE_LOOKIP_TRUE@am__append_100 = plugins/lookip
+ at MONOLITHIC_TRUE@@USE_LOOKIP_TRUE at am__append_101 = plugins/lookip/libstrongswan-lookip.la
+ at USE_ERROR_NOTIFY_TRUE@am__append_102 = plugins/error_notify
+ at MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE at am__append_103 = plugins/error_notify/libstrongswan-error-notify.la
+ at USE_CERTEXPIRE_TRUE@am__append_104 = plugins/certexpire
+ at MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE at am__append_105 = plugins/certexpire/libstrongswan-certexpire.la
+ at USE_SYSTIME_FIX_TRUE@am__append_106 = plugins/systime_fix
+ at MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE at am__append_107 = plugins/systime_fix/libstrongswan-systime-fix.la
+ at USE_LED_TRUE@am__append_108 = plugins/led
+ at MONOLITHIC_TRUE@@USE_LED_TRUE at am__append_109 = plugins/led/libstrongswan-led.la
+ at USE_DUPLICHECK_TRUE@am__append_110 = plugins/duplicheck
+ at MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE at am__append_111 = plugins/duplicheck/libstrongswan-duplicheck.la
+ at USE_COUPLING_TRUE@am__append_112 = plugins/coupling
+ at MONOLITHIC_TRUE@@USE_COUPLING_TRUE at am__append_113 = plugins/coupling/libstrongswan-coupling.la
+ at USE_RADATTR_TRUE@am__append_114 = plugins/radattr
+ at MONOLITHIC_TRUE@@USE_RADATTR_TRUE at am__append_115 = plugins/radattr/libstrongswan-radattr.la
+ at USE_UCI_TRUE@am__append_116 = plugins/uci
+ at MONOLITHIC_TRUE@@USE_UCI_TRUE at am__append_117 = plugins/uci/libstrongswan-uci.la
+ at USE_ADDRBLOCK_TRUE@am__append_118 = plugins/addrblock
+ at MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE at am__append_119 = plugins/addrblock/libstrongswan-addrblock.la
+ at USE_UNITY_TRUE@am__append_120 = plugins/unity
+ at MONOLITHIC_TRUE@@USE_UNITY_TRUE at am__append_121 = plugins/unity/libstrongswan-unity.la
+ at USE_UNIT_TESTS_TRUE@am__append_122 = plugins/unit_tester
+ at MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE at am__append_123 = plugins/unit_tester/libstrongswan-unit-tester.la
+ at USE_XAUTH_GENERIC_TRUE@am__append_124 = plugins/xauth_generic
+ at MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE at am__append_125 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+ at USE_XAUTH_EAP_TRUE@am__append_126 = plugins/xauth_eap
+ at MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE at am__append_127 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+ at USE_XAUTH_PAM_TRUE@am__append_128 = plugins/xauth_pam
+ at MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE at am__append_129 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+ at USE_XAUTH_NOAUTH_TRUE@am__append_130 = plugins/xauth_noauth
+ at MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE at am__append_131 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -323,12 +325,12 @@ libcharon_la_DEPENDENCIES =  \
 	$(am__append_29) $(am__append_31) $(am__append_33) \
 	$(am__append_35) $(am__append_37) $(am__append_39) \
 	$(am__append_41) $(am__append_43) $(am__append_45) \
-	$(am__append_47) $(am__append_48) $(am__append_50) \
+	$(am__append_47) $(am__append_49) $(am__append_50) \
 	$(am__append_52) $(am__append_54) $(am__append_56) \
 	$(am__append_58) $(am__append_60) $(am__append_62) \
-	$(am__append_64) $(am__append_66) $(am__append_67) \
-	$(am__append_68) $(am__append_70) $(am__append_72) \
-	$(am__append_73) $(am__append_75) $(am__append_77) \
+	$(am__append_64) $(am__append_66) $(am__append_68) \
+	$(am__append_69) $(am__append_70) $(am__append_72) \
+	$(am__append_74) $(am__append_75) $(am__append_77) \
 	$(am__append_79) $(am__append_81) $(am__append_83) \
 	$(am__append_85) $(am__append_87) $(am__append_89) \
 	$(am__append_91) $(am__append_93) $(am__append_95) \
@@ -337,7 +339,7 @@ libcharon_la_DEPENDENCIES =  \
 	$(am__append_109) $(am__append_111) $(am__append_113) \
 	$(am__append_115) $(am__append_117) $(am__append_119) \
 	$(am__append_121) $(am__append_123) $(am__append_125) \
-	$(am__append_127) $(am__append_129)
+	$(am__append_127) $(am__append_129) $(am__append_131)
 am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/logger.h \
 	bus/listeners/file_logger.c bus/listeners/file_logger.h \
@@ -362,8 +364,9 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	encoding/payloads/eap_payload.c \
 	encoding/payloads/eap_payload.h encoding/payloads/encodings.c \
 	encoding/payloads/encodings.h \
-	encoding/payloads/encryption_payload.c \
-	encoding/payloads/encryption_payload.h \
+	encoding/payloads/encrypted_payload.c \
+	encoding/payloads/encrypted_payload.h \
+	encoding/payloads/encrypted_fragment_payload.h \
 	encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
 	encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
 	encoding/payloads/ke_payload.c encoding/payloads/ke_payload.h \
@@ -553,7 +556,7 @@ am_libcharon_la_OBJECTS = bus/bus.lo bus/listeners/file_logger.lo \
 	encoding/payloads/delete_payload.lo \
 	encoding/payloads/eap_payload.lo \
 	encoding/payloads/encodings.lo \
-	encoding/payloads/encryption_payload.lo \
+	encoding/payloads/encrypted_payload.lo \
 	encoding/payloads/id_payload.lo \
 	encoding/payloads/ike_header.lo \
 	encoding/payloads/ke_payload.lo \
@@ -676,22 +679,23 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/socket_dynamic plugins/socket_win plugins/farp \
 	plugins/stroke plugins/vici plugins/smp plugins/sql \
 	plugins/dnscert plugins/ipseckey plugins/updown \
-	plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \
-	plugins/eap_sim_pcsc plugins/eap_simaka_sql \
-	plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \
-	plugins/eap_aka plugins/eap_aka_3gpp2 plugins/eap_md5 \
-	plugins/eap_gtc plugins/eap_mschapv2 plugins/eap_dynamic \
-	plugins/eap_radius plugins/eap_tls plugins/eap_ttls \
-	plugins/eap_peap plugins/eap_tnc plugins/tnc_ifmap \
-	plugins/tnc_pdp plugins/medsrv plugins/medcli plugins/dhcp \
-	plugins/osx_attr plugins/android_dns plugins/android_log \
-	plugins/maemo plugins/ha plugins/kernel_libipsec \
-	plugins/kernel_wfp plugins/kernel_iph plugins/whitelist \
-	plugins/lookip plugins/error_notify plugins/certexpire \
-	plugins/systime_fix plugins/led plugins/duplicheck \
-	plugins/coupling plugins/radattr plugins/uci plugins/addrblock \
-	plugins/unity plugins/unit_tester plugins/xauth_generic \
-	plugins/xauth_eap plugins/xauth_pam plugins/xauth_noauth
+	plugins/ext_auth plugins/eap_identity plugins/eap_sim \
+	plugins/eap_sim_file plugins/eap_sim_pcsc \
+	plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \
+	plugins/eap_simaka_reauth plugins/eap_aka \
+	plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \
+	plugins/eap_mschapv2 plugins/eap_dynamic plugins/eap_radius \
+	plugins/eap_tls plugins/eap_ttls plugins/eap_peap \
+	plugins/eap_tnc plugins/tnc_ifmap plugins/tnc_pdp \
+	plugins/medsrv plugins/medcli plugins/dhcp plugins/osx_attr \
+	plugins/android_dns plugins/android_log plugins/maemo \
+	plugins/ha plugins/kernel_libipsec plugins/kernel_wfp \
+	plugins/kernel_iph plugins/whitelist plugins/lookip \
+	plugins/error_notify plugins/certexpire plugins/systime_fix \
+	plugins/led plugins/duplicheck plugins/coupling \
+	plugins/radattr plugins/uci plugins/addrblock plugins/unity \
+	plugins/unit_tester plugins/xauth_generic plugins/xauth_eap \
+	plugins/xauth_pam plugins/xauth_noauth
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -749,6 +753,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -809,6 +814,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -874,6 +880,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -921,6 +929,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
@@ -954,8 +966,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	encoding/payloads/eap_payload.c \
 	encoding/payloads/eap_payload.h encoding/payloads/encodings.c \
 	encoding/payloads/encodings.h \
-	encoding/payloads/encryption_payload.c \
-	encoding/payloads/encryption_payload.h \
+	encoding/payloads/encrypted_payload.c \
+	encoding/payloads/encrypted_payload.h \
+	encoding/payloads/encrypted_fragment_payload.h \
 	encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
 	encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
 	encoding/payloads/ke_payload.c encoding/payloads/ke_payload.h \
@@ -1043,12 +1056,12 @@ libcharon_la_LIBADD =  \
 	$(am__append_27) $(am__append_29) $(am__append_31) \
 	$(am__append_33) $(am__append_35) $(am__append_37) \
 	$(am__append_39) $(am__append_41) $(am__append_43) \
-	$(am__append_45) $(am__append_47) $(am__append_48) \
+	$(am__append_45) $(am__append_47) $(am__append_49) \
 	$(am__append_50) $(am__append_52) $(am__append_54) \
 	$(am__append_56) $(am__append_58) $(am__append_60) \
 	$(am__append_62) $(am__append_64) $(am__append_66) \
-	$(am__append_67) $(am__append_68) $(am__append_70) \
-	$(am__append_72) $(am__append_73) $(am__append_75) \
+	$(am__append_68) $(am__append_69) $(am__append_70) \
+	$(am__append_72) $(am__append_74) $(am__append_75) \
 	$(am__append_77) $(am__append_79) $(am__append_81) \
 	$(am__append_83) $(am__append_85) $(am__append_87) \
 	$(am__append_89) $(am__append_91) $(am__append_93) \
@@ -1057,7 +1070,8 @@ libcharon_la_LIBADD =  \
 	$(am__append_107) $(am__append_109) $(am__append_111) \
 	$(am__append_113) $(am__append_115) $(am__append_117) \
 	$(am__append_119) $(am__append_121) $(am__append_123) \
-	$(am__append_125) $(am__append_127) $(am__append_129)
+	$(am__append_125) $(am__append_127) $(am__append_129) \
+	$(am__append_131)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE at SUBDIRS = . $(am__append_6) $(am__append_8) \
 @MONOLITHIC_FALSE@	$(am__append_10) $(am__append_12) \
@@ -1069,13 +1083,13 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_34) $(am__append_36) \
 @MONOLITHIC_FALSE@	$(am__append_38) $(am__append_40) \
 @MONOLITHIC_FALSE@	$(am__append_42) $(am__append_44) \
- at MONOLITHIC_FALSE@	$(am__append_46) $(am__append_49) \
+ at MONOLITHIC_FALSE@	$(am__append_46) $(am__append_48) \
 @MONOLITHIC_FALSE@	$(am__append_51) $(am__append_53) \
 @MONOLITHIC_FALSE@	$(am__append_55) $(am__append_57) \
 @MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_FALSE@	$(am__append_63) $(am__append_65) \
- at MONOLITHIC_FALSE@	$(am__append_69) $(am__append_71) \
- at MONOLITHIC_FALSE@	$(am__append_74) $(am__append_76) \
+ at MONOLITHIC_FALSE@	$(am__append_67) $(am__append_71) \
+ at MONOLITHIC_FALSE@	$(am__append_73) $(am__append_76) \
 @MONOLITHIC_FALSE@	$(am__append_78) $(am__append_80) \
 @MONOLITHIC_FALSE@	$(am__append_82) $(am__append_84) \
 @MONOLITHIC_FALSE@	$(am__append_86) $(am__append_88) \
@@ -1088,7 +1102,8 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_114) $(am__append_116) \
 @MONOLITHIC_FALSE@	$(am__append_118) $(am__append_120) \
 @MONOLITHIC_FALSE@	$(am__append_122) $(am__append_124) \
- at MONOLITHIC_FALSE@	$(am__append_126) $(am__append_128)
+ at MONOLITHIC_FALSE@	$(am__append_126) $(am__append_128) \
+ at MONOLITHIC_FALSE@	$(am__append_130)
 
 # build optional plugins
 ########################
@@ -1102,13 +1117,13 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_34) $(am__append_36) \
 @MONOLITHIC_TRUE@	$(am__append_38) $(am__append_40) \
 @MONOLITHIC_TRUE@	$(am__append_42) $(am__append_44) \
- at MONOLITHIC_TRUE@	$(am__append_46) $(am__append_49) \
+ at MONOLITHIC_TRUE@	$(am__append_46) $(am__append_48) \
 @MONOLITHIC_TRUE@	$(am__append_51) $(am__append_53) \
 @MONOLITHIC_TRUE@	$(am__append_55) $(am__append_57) \
 @MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_TRUE@	$(am__append_63) $(am__append_65) \
- at MONOLITHIC_TRUE@	$(am__append_69) $(am__append_71) \
- at MONOLITHIC_TRUE@	$(am__append_74) $(am__append_76) \
+ at MONOLITHIC_TRUE@	$(am__append_67) $(am__append_71) \
+ at MONOLITHIC_TRUE@	$(am__append_73) $(am__append_76) \
 @MONOLITHIC_TRUE@	$(am__append_78) $(am__append_80) \
 @MONOLITHIC_TRUE@	$(am__append_82) $(am__append_84) \
 @MONOLITHIC_TRUE@	$(am__append_86) $(am__append_88) \
@@ -1121,7 +1136,8 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_114) $(am__append_116) \
 @MONOLITHIC_TRUE@	$(am__append_118) $(am__append_120) \
 @MONOLITHIC_TRUE@	$(am__append_122) $(am__append_124) \
- at MONOLITHIC_TRUE@	$(am__append_126) $(am__append_128)
+ at MONOLITHIC_TRUE@	$(am__append_126) $(am__append_128) \
+ at MONOLITHIC_TRUE@	$(am__append_130)
 all: all-recursive
 
 .SUFFIXES:
@@ -1267,7 +1283,7 @@ encoding/payloads/eap_payload.lo: encoding/payloads/$(am__dirstamp) \
 	encoding/payloads/$(DEPDIR)/$(am__dirstamp)
 encoding/payloads/encodings.lo: encoding/payloads/$(am__dirstamp) \
 	encoding/payloads/$(DEPDIR)/$(am__dirstamp)
-encoding/payloads/encryption_payload.lo:  \
+encoding/payloads/encrypted_payload.lo:  \
 	encoding/payloads/$(am__dirstamp) \
 	encoding/payloads/$(DEPDIR)/$(am__dirstamp)
 encoding/payloads/id_payload.lo: encoding/payloads/$(am__dirstamp) \
@@ -1619,7 +1635,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at encoding/payloads/$(DEPDIR)/delete_payload.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at encoding/payloads/$(DEPDIR)/eap_payload.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at encoding/payloads/$(DEPDIR)/encodings.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at encoding/payloads/$(DEPDIR)/encryption_payload.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at encoding/payloads/$(DEPDIR)/encrypted_payload.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at encoding/payloads/$(DEPDIR)/endpoint_notify.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at encoding/payloads/$(DEPDIR)/fragment_payload.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at encoding/payloads/$(DEPDIR)/hash_payload.Plo at am__quote@
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index d1c138c..cb59f97 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -755,7 +755,7 @@ METHOD(bus_t, ike_rekey, void,
 	this->mutex->unlock(this->mutex);
 }
 
-METHOD(bus_t, ike_reestablish, void,
+METHOD(bus_t, ike_reestablish_pre, void,
 	private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
 {
 	enumerator_t *enumerator;
@@ -766,12 +766,40 @@ METHOD(bus_t, ike_reestablish, void,
 	enumerator = this->listeners->create_enumerator(this->listeners);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->calling || !entry->listener->ike_reestablish)
+		if (entry->calling || !entry->listener->ike_reestablish_pre)
 		{
 			continue;
 		}
 		entry->calling++;
-		keep = entry->listener->ike_reestablish(entry->listener, old, new);
+		keep = entry->listener->ike_reestablish_pre(entry->listener, old, new);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(bus_t, ike_reestablish_post, void,
+	private_bus_t *this, ike_sa_t *old, ike_sa_t *new, bool initiated)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_reestablish_post)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_reestablish_post(entry->listener, old, new,
+													 initiated);
 		entry->calling--;
 		if (!keep)
 		{
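Review bot: Nothing in these two dispatch loops guarantees that a listener which saw `ike_reestablish_pre` will also see `ike_reestablish_post`. An entry is skipped whenever `entry->calling` is non-zero, and a listener that returned FALSE from the pre hook has already been unregistered via `unregister_listener()` when the post hook runs. A listener that sets up per-SA state in the pre hook and releases it in the post hook could keep that state indefinitely, so a comment above `ike_reestablish_post` such as `/* a listener is not guaranteed to see this for every ike_reestablish_pre it received */` would help plugin authors. The two loops are also identical apart from the callback and the extra argument, so a shared helper would keep them from drifting apart. The body of `ike_reestablish_post` continues past the end of this hunk.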
@@ -978,7 +1006,8 @@ bus_t *bus_create()
 			.child_keys = _child_keys,
 			.ike_updown = _ike_updown,
 			.ike_rekey = _ike_rekey,
-			.ike_reestablish = _ike_reestablish,
+			.ike_reestablish_pre = _ike_reestablish_pre,
+			.ike_reestablish_post = _ike_reestablish_post,
 			.child_updown = _child_updown,
 			.child_rekey = _child_rekey,
 			.authorize = _authorize,
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index 1d708c5..e1d221c 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2014 Tobias Brunner
  * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -101,9 +101,11 @@ enum alert_t {
 	/** received IKE message with invalid body, argument is message_t*,
 	 *  followed by a status_t result returned by message_t.parse_body(). */
 	ALERT_PARSE_ERROR_BODY,
-	/** sending a retransmit for a message, argument is packet_t */
+	/** sending a retransmit for a message, argument is packet_t, if the message
+	 *  got fragmented only the first fragment is passed */
 	ALERT_RETRANSMIT_SEND,
-	/** sending retransmits timed out, argument is packet_t, if available */
+	/** sending retransmits timed out, argument is packet_t, if available and if
+	 *  the message got fragmented only the first fragment is passed */
 	ALERT_RETRANSMIT_SEND_TIMEOUT,
 	/** received a retransmit for a message, argument is message_t */
 	ALERT_RETRANSMIT_RECEIVE,
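Review bot: The new comment on `ALERT_RETRANSMIT_SEND_TIMEOUT` reads as if "if available" and the fragment remark were one joint condition. As I read it, they are independent: the argument may be absent, and when it is present for a fragmented message it is only the first fragment. A semicolon separates the two: `argument is packet_t, if available; if the message got fragmented only the first fragment is passed`. Listeners that log or inspect the packet for either alert never see the remaining fragments, which is worth stating once for both enumerators. The enum starts and ends outside this hunk.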
@@ -380,12 +382,23 @@ struct bus_t {
 	void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
 
 	/**
-	 * IKE_SA reestablishing hook.
+	 * IKE_SA reestablishing hook (before resolving hosts).
 	 *
 	 * @param old		reestablished and obsolete IKE_SA
 	 * @param new		new IKE_SA replacing old
 	 */
-	void (*ike_reestablish)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
+	void (*ike_reestablish_pre)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
+
+	/**
+	 * IKE_SA reestablishing hook (after configuring and initiating the new
+	 * IKE_SA).
+	 *
+	 * @param old		reestablished and obsolete IKE_SA
+	 * @param new		new IKE_SA replacing old
+	 * @param initiated	TRUE if initiated successfully, FALSE otherwise
+	 */
+	void (*ike_reestablish_post)(bus_t *this, ike_sa_t *old, ike_sa_t *new,
+								 bool initiated);
 
 	/**
 	 * CHILD_SA up/down hook.
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index abcc765..0910cb3 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2011-2014 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -129,14 +130,29 @@ struct listener_t {
 	/**
 	 * Hook called when an initiator reestablishes an IKE_SA.
 	 *
+	 * This is invoked right after creating the new IKE_SA and setting the
+	 * peer_cfg (and the old hosts), but before resolving the hosts anew.
+	 * It is not invoked on the responder.
+	 *
+	 * @param old		IKE_SA getting reestablished (is destroyed)
+	 * @param new		new IKE_SA replacing old (gets established)
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_reestablish_pre)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
+
+	/**
+	 * Hook called when an initiator reestablishes an IKE_SA.
+	 *
 	 * This is invoked right before the new IKE_SA is checked in after
 	 * initiating it.  It is not invoked on the responder.
 	 *
 	 * @param old		IKE_SA getting reestablished (is destroyed)
 	 * @param new		new IKE_SA replacing old (gets established)
+	 * @param initiated TRUE if initiation was successful, FALSE otherwise
 	 * @return			TRUE to stay registered, FALSE to unregister
 	 */
-	bool (*ike_reestablish)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
+	bool (*ike_reestablish_post)(listener_t *this, ike_sa_t *old,
+								 ike_sa_t *new, bool initiated);
 
 	/**
 	 * Hook called when a CHILD_SA gets up or down.
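Review bot: The comment on `ike_reestablish_post` does not say what state `new` is in when `initiated` is FALSE, and it still describes the hook as running "right before the new IKE_SA is checked in after initiating it". A listener that stores a reference to `new` needs to know whether that IKE_SA outlives a failed initiation, which cannot be told from this header. I would extend the `@param initiated` text to state what happens to `new` on FALSE (for example whether it is destroyed after the hook returns), once that is confirmed against the caller. Both hooks also share the same first sentence, so the `_pre` and `_post` summaries would be easier to tell apart if they named the phase. struct listener_t continues outside the hunk.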
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 7e4a143..ed7c0d4 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -163,6 +163,11 @@ METHOD(child_cfg_t, add_proposal, void,
 	}
 }
 
+static bool match_proposal(proposal_t *item, proposal_t *proposal)
+{
+	return item->equals(item, proposal);
+}
+
 METHOD(child_cfg_t, get_proposals, linked_list_t*,
 	private_child_cfg_t *this, bool strip_dh)
 {
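Review bot: `match_proposal` is added without a comment, and it is only ever called through the `(linked_list_match_t)` cast in the next hunk, so its role as a `find_first()` callback is not visible at the definition. I would add `/** find_first() match callback: TRUE if item equals the given proposal */` above it, which also records why the parameter order is (list item, user argument).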
@@ -178,6 +183,12 @@ METHOD(child_cfg_t, get_proposals, linked_list_t*,
 		{
 			current->strip_dh(current, MODP_NONE);
 		}
+		if (proposals->find_first(proposals, (linked_list_match_t)match_proposal,
+								  NULL, current) == SUCCESS)
+		{
+			current->destroy(current);
+			continue;
+		}
 		proposals->insert_last(proposals, current);
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 4d881cd..50d3c6f 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -337,7 +337,7 @@ static bool algo_list_equals(private_proposal_t *this, proposal_t *other,
 			break;
 		}
 	}
-	if (e2->enumerate(e2, &alg2, ks2))
+	if (e2->enumerate(e2, &alg2, &ks2))
 	{
 		/* other has more algs */
 		equals = FALSE;
@@ -594,7 +594,7 @@ METHOD(proposal_t, destroy, void,
 }
 
 /*
- * Describtion in header-file
+ * Described in header
  */
 proposal_t *proposal_create(protocol_id_t protocol, u_int number)
 {
@@ -787,7 +787,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 }
 
 /*
- * Describtion in header-file
+ * Described in header
  */
 proposal_t *proposal_create_default(protocol_id_t protocol)
 {
@@ -826,7 +826,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 }
 
 /*
- * Describtion in header-file
+ * Described in header
  */
 proposal_t *proposal_create_default_aead(protocol_id_t protocol)
 {
@@ -853,7 +853,7 @@ proposal_t *proposal_create_default_aead(protocol_id_t protocol)
 }
 
 /*
- * Describtion in header-file
+ * Described in header
  */
 proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
 {
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index a89995a..3ae7c4e 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -593,7 +593,7 @@ METHOD(daemon_t, initialize, bool,
 				PLUGIN_DEPENDS(CUSTOM, "socket"),
 	};
 	lib->plugins->add_static_features(lib->plugins, lib->ns, features,
-									  countof(features), TRUE);
+									  countof(features), TRUE, NULL, NULL);
 
 	/* load plugins, further infrastructure may need it */
 	if (!lib->plugins->load(lib->plugins, plugins))
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 0f5f40a..cb6c97f 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2013 Tobias Brunner
+ * Copyright (C) 2006-2014 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  * Copyright (C) 2006 Daniel Roethlisberger
@@ -23,6 +23,8 @@
 #include "message.h"
 
 #include <library.h>
+#include <bio/bio_writer.h>
+#include <collections/array.h>
 #include <daemon.h>
 #include <sa/ikev1/keymat_v1.h>
 #include <encoding/generator.h>
@@ -30,9 +32,11 @@
 #include <encoding/payloads/encodings.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/hash_payload.h>
-#include <encoding/payloads/encryption_payload.h>
+#include <encoding/payloads/encrypted_payload.h>
+#include <encoding/payloads/encrypted_fragment_payload.h>
 #include <encoding/payloads/unknown_payload.h>
 #include <encoding/payloads/cp_payload.h>
+#include <encoding/payloads/fragment_payload.h>
 
 /**
  * Max number of notify payloads per IKEv2 message
@@ -802,6 +806,30 @@ static message_rule_t message_rules[] = {
 #endif /* USE_IKEV1 */
 };
 
+/**
+ * Data for fragment reassembly.
+ */
+typedef struct {
+
+	/**
+	 * For IKEv1 the number of the last fragment (in case we receive them out
+	 * of order), since the first one starts with 1 this defines the number of
+	 * fragments we expect.
+	 * For IKEv2 we store the total number of fragment we received last.
+	 */
+	u_int16_t last;
+
+	/**
+	 * Length of all currently received fragments.
+	 */
+	size_t len;
+
+	/**
+	 * Maximum length of a fragmented packet.
+	 */
+	size_t max_packet;
+
+} fragment_data_t;
 
 typedef struct private_message_t private_message_t;
 
@@ -876,6 +904,12 @@ struct private_message_t {
 	packet_t *packet;
 
 	/**
+	 * Array of generated fragments (if any), as packet_t*.
+	 * If defragmenting (i.e. frag != NULL) this contains fragment_t*
+	 */
+	array_t *fragments;
+
+	/**
 	 * Linked List where payload data are stored in.
 	 */
 	linked_list_t *payloads;
@@ -889,9 +923,46 @@ struct private_message_t {
 	 * The message rule for this message instance
 	 */
 	message_rule_t *rule;
+
+	/**
+	 * Data used to reassemble a fragmented message
+	 */
+	fragment_data_t *frag;
 };
 
 /**
+ * Maximum number of fragments we will handle
+ */
+#define MAX_FRAGMENTS 255
+
+/**
+ * A single fragment within a fragmented message
+ */
+typedef struct {
+
+	/** fragment number */
+	u_int8_t num;
+
+	/** fragment data */
+	chunk_t data;
+
+} fragment_t;
+
+static void fragment_destroy(fragment_t *this)
+{
+	chunk_free(&this->data);
+	free(this);
+}
+
+static void reset_defrag(private_message_t *this)
+{
+	array_destroy_function(this->fragments, (void*)fragment_destroy, NULL);
+	this->fragments = NULL;
+	this->frag->last = 0;
+	this->frag->len = 0;
+}
+
+/**
  * Get the message rule that applies to this message
  */
 static message_rule_t* get_message_rule(private_message_t *this)
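Review bot: `fragment_t.num` is declared `u_int8_t`, while `fragment_data_t.last` and the `num`/`count` arguments of `create_fragment()` later in this file are `u_int16_t`. A fragment number taken from a received payload must therefore be checked against `MAX_FRAGMENTS` before it is stored here, otherwise it is silently narrowed and two different fragments can end up with the same `num`. The code that fills `fragment_t` is not in this hunk, so this needs confirming there. I would record the invariant at the field, `/** fragment number, callers must reject values > MAX_FRAGMENTS before storing */`. `reset_defrag()` also dereferences `this->frag` unconditionally; a one-line comment stating that it may only be called while defragmenting would make that precondition explicit.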
@@ -1049,6 +1120,12 @@ METHOD(message_t, is_encoded, bool,
 	return this->packet->get_data(this->packet).ptr != NULL;
 }
 
+METHOD(message_t, is_fragmented, bool,
+	private_message_t *this)
+{
+	return array_count(this->fragments) > 0;
+}
+
 METHOD(message_t, add_payload, void,
 	private_message_t *this, payload_t *payload)
 {
@@ -1330,6 +1407,12 @@ static char* get_string(private_message_t *this, char *buf, int len)
 	return buf;
 }
 
+METHOD(message_t, disable_sort, void,
+	private_message_t *this)
+{
+	this->sort_disabled = TRUE;
+}
+
 /**
  * reorder payloads depending on reordering rules
  */
@@ -1339,6 +1422,8 @@ static void order_payloads(private_message_t *this)
 	payload_t *payload;
 	int i;
 
+	DBG2(DBG_ENC, "order payloads in message");
+
 	/* move to temp list */
 	list = linked_list_create();
 	while (this->payloads->remove_last(this->payloads,
@@ -1392,29 +1477,42 @@ static void order_payloads(private_message_t *this)
 }
 
 /**
- * Wrap payloads in an encryption payload
+ * Wrap payloads in an encrypted payload
  */
-static encryption_payload_t* wrap_payloads(private_message_t *this)
+static encrypted_payload_t* wrap_payloads(private_message_t *this)
 {
-	encryption_payload_t *encryption;
+	encrypted_payload_t *encrypted = NULL;
 	linked_list_t *payloads;
 	payload_t *current;
 
-	/* copy all payloads in a temporary list */
+	/* move all payloads to a temporary list */
 	payloads = linked_list_create();
 	while (this->payloads->remove_first(this->payloads,
 										(void**)&current) == SUCCESS)
 	{
-		payloads->insert_last(payloads, current);
+		if (current->get_type(current) == PLV2_FRAGMENT)
+		{	/* treat encrypted fragment payload as encrypted payload */
+			encrypted = (encrypted_payload_t*)current;
+		}
+		else
+		{
+			payloads->insert_last(payloads, current);
+		}
+	}
+	if (encrypted)
+	{	/* simply adopt all the unencrypted payloads */
+		this->payloads->destroy(this->payloads);
+		this->payloads = payloads;
+		return encrypted;
 	}
 
 	if (this->is_encrypted)
 	{
-		encryption = encryption_payload_create(PLV1_ENCRYPTED);
+		encrypted = encrypted_payload_create(PLV1_ENCRYPTED);
 	}
 	else
 	{
-		encryption = encryption_payload_create(PLV2_ENCRYPTED);
+		encrypted = encrypted_payload_create(PLV2_ENCRYPTED);
 	}
 	while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
 	{
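Review bot: In the new loop of `wrap_payloads()`, every payload of type `PLV2_FRAGMENT` overwrites `encrypted`, so if the list ever holds more than one such payload the earlier one is neither re-inserted nor destroyed. The `(encrypted_payload_t*)current` cast also depends on the fragment payload type being layout-compatible with `encrypted_payload_t`, which is not visible here. I would either state the single-payload assumption in the comment or guard it, e.g. `if (encrypted) { encrypted->destroy(encrypted); }` before the assignment. The function body continues outside the hunk.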
@@ -1432,7 +1530,7 @@ static encryption_payload_t* wrap_payloads(private_message_t *this)
 		{	/* encryption is forced for IKEv1 */
 			DBG2(DBG_ENC, "insert payload %N into encrypted payload",
 				 payload_type_names, type);
-			encryption->add_payload(encryption, current);
+			encrypted->add_payload(encrypted, current);
 		}
 		else
 		{
@@ -1443,31 +1541,71 @@ static encryption_payload_t* wrap_payloads(private_message_t *this)
 	}
 	payloads->destroy(payloads);
 
-	return encryption;
+	return encrypted;
 }
 
-METHOD(message_t, disable_sort, void,
-	private_message_t *this)
+/**
+ * Creates the IKE header for this message
+ */
+static ike_header_t *create_header(private_message_t *this)
 {
-	this->sort_disabled = TRUE;
+	ike_header_t *ike_header;
+	bool *reserved;
+	int i;
+
+	ike_header = ike_header_create_version(this->major_version,
+										   this->minor_version);
+	ike_header->set_exchange_type(ike_header, this->exchange_type);
+	ike_header->set_message_id(ike_header, this->message_id);
+	if (this->major_version == IKEV2_MAJOR_VERSION)
+	{
+		ike_header->set_response_flag(ike_header, !this->is_request);
+		ike_header->set_version_flag(ike_header, this->version_flag);
+		ike_header->set_initiator_flag(ike_header,
+						this->ike_sa_id->is_initiator(this->ike_sa_id));
+	}
+	else
+	{
+		ike_header->set_encryption_flag(ike_header, this->is_encrypted);
+	}
+	ike_header->set_initiator_spi(ike_header,
+						this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
+	ike_header->set_responder_spi(ike_header,
+						this->ike_sa_id->get_responder_spi(this->ike_sa_id));
+
+	for (i = 0; i < countof(this->reserved); i++)
+	{
+		reserved = payload_get_field(&ike_header->payload_interface,
+									 RESERVED_BIT, i);
+		if (reserved)
+		{
+			*reserved = this->reserved[i];
+		}
+	}
+	return ike_header;
 }
 
-METHOD(message_t, generate, status_t,
-	private_message_t *this, keymat_t *keymat, packet_t **packet)
+/**
+ * Generates the message, if needed, wraps the payloads in an encrypted payload.
+ *
+ * The generator and the possible enrypted payload are returned.  The latter
+ * is not yet encrypted (but the transform is set).  It is also not added to
+ * the payload list (so unless there are unencrypted payloads that list will
+ * be empty afterwards).
+ */
+static status_t generate_message(private_message_t *this, keymat_t *keymat,
+				generator_t **out_generator, encrypted_payload_t **encrypted)
 {
 	keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
 	generator_t *generator;
-	ike_header_t *ike_header;
-	payload_t *payload, *next;
-	encryption_payload_t *encryption = NULL;
 	payload_type_t next_type;
 	enumerator_t *enumerator;
 	aead_t *aead = NULL;
-	chunk_t chunk, hash = chunk_empty;
+	chunk_t hash = chunk_empty;
 	char str[BUF_LEN];
-	u_int32_t *lenpos;
-	bool encrypted = FALSE, *reserved;
-	int i;
+	ike_header_t *ike_header;
+	payload_t *payload, *next;
+	bool encrypting = FALSE;
 
 	if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
 	{
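Review bot: `generate_message()` relies on its callers having set `*out_generator` and `*encrypted` to NULL, which is not documented. It assigns `*encrypted` only inside `if (aead && encrypting)` but later reads it in `else if (*encrypted)`, and the early error returns leave `*out_generator` untouched while callers run `DESTROY_IF(generator)`. Both visible callers do initialise the variables, but a future caller that does not would read an indeterminate pointer. I would start the body with `*out_generator = NULL;` and `*encrypted = NULL;`, and fix the "enrypted" typo in the doc comment while there. The body continues outside the hunk.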
@@ -1493,6 +1631,7 @@ METHOD(message_t, generate, status_t,
 	{
 		order_payloads(this);
 	}
+
 	if (keymat && keymat->get_version(keymat) == IKEV1)
 	{
 		/* get a hash for this message, if any is required */
@@ -1505,16 +1644,17 @@ METHOD(message_t, generate, status_t,
 			this->payloads->insert_first(this->payloads, hash_payload);
 			if (this->exchange_type == INFORMATIONAL_V1)
 			{
-				this->is_encrypted = encrypted = TRUE;
+				this->is_encrypted = encrypting = TRUE;
 			}
 			chunk_free(&hash);
 		}
 	}
+
 	if (this->major_version == IKEV2_MAJOR_VERSION)
 	{
-		encrypted = this->rule->encrypted;
+		encrypting = this->rule->encrypted;
 	}
-	else if (!encrypted)
+	else if (!encrypting)
 	{
 		/* If at least one payload requires encryption, encrypt the message.
 		 * If no key material is available, the flag will be reset below. */
@@ -1526,7 +1666,7 @@ METHOD(message_t, generate, status_t,
 			rule = get_payload_rule(this, payload->get_type(payload));
 			if (rule && rule->encrypted)
 			{
-				this->is_encrypted = encrypted = TRUE;
+				this->is_encrypted = encrypting = TRUE;
 				break;
 			}
 		}
@@ -1539,9 +1679,10 @@ METHOD(message_t, generate, status_t,
 	{
 		aead = keymat->get_aead(keymat, FALSE);
 	}
-	if (aead && encrypted)
+	if (aead && encrypting)
 	{
-		encryption = wrap_payloads(this);
+		*encrypted = wrap_payloads(this);
+		(*encrypted)->set_transform(*encrypted, aead);
 	}
 	else
 	{
@@ -1549,39 +1690,9 @@ METHOD(message_t, generate, status_t,
 		this->is_encrypted = FALSE;
 	}
 
-	ike_header = ike_header_create_version(this->major_version,
-										   this->minor_version);
-	ike_header->set_exchange_type(ike_header, this->exchange_type);
-	ike_header->set_message_id(ike_header, this->message_id);
-	if (this->major_version == IKEV2_MAJOR_VERSION)
-	{
-		ike_header->set_response_flag(ike_header, !this->is_request);
-		ike_header->set_version_flag(ike_header, this->version_flag);
-		ike_header->set_initiator_flag(ike_header,
-						this->ike_sa_id->is_initiator(this->ike_sa_id));
-	}
-	else
-	{
-		ike_header->set_encryption_flag(ike_header, this->is_encrypted);
-	}
-	ike_header->set_initiator_spi(ike_header,
-						this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
-	ike_header->set_responder_spi(ike_header,
-						this->ike_sa_id->get_responder_spi(this->ike_sa_id));
-
-	for (i = 0; i < countof(this->reserved); i++)
-	{
-		reserved = payload_get_field(&ike_header->payload_interface,
-									 RESERVED_BIT, i);
-		if (reserved)
-		{
-			*reserved = this->reserved[i];
-		}
-	}
-
-	generator = generator_create();
-
 	/* generate all payloads with proper next type */
+	*out_generator = generator = generator_create();
+	ike_header = create_header(this);
 	payload = (payload_t*)ike_header;
 	enumerator = create_payload_enumerator(this);
 	while (enumerator->enumerate(enumerator, &next))
@@ -1591,53 +1702,71 @@ METHOD(message_t, generate, status_t,
 		payload = next;
 	}
 	enumerator->destroy(enumerator);
+
+	next_type = PL_NONE;
 	if (this->is_encrypted)
 	{	/* for encrypted IKEv1 messages */
-		next_type = encryption->payload_interface.get_next_type(
-														(payload_t*)encryption);
+		next_type = (*encrypted)->payload_interface.get_next_type(
+														(payload_t*)*encrypted);
 	}
-	else
-	{
-		next_type = encryption ? PLV2_ENCRYPTED : PL_NONE;
+	else if (*encrypted)
+	{	/* use proper IKEv2 encrypted (fragment) payload type */
+		next_type = (*encrypted)->payload_interface.get_type(
+														(payload_t*)*encrypted);
 	}
 	payload->set_next_type(payload, next_type);
 	generator->generate_payload(generator, payload);
 	ike_header->destroy(ike_header);
+	return SUCCESS;
+}
 
-	if (encryption)
-	{	/* set_transform() has to be called before get_length() */
-		encryption->set_transform(encryption, aead);
+/**
+ * Encrypts and adds the encrypted payload (if any) to the payload list and
+ * finalizes the message generation.  Destroys the given generator.
+ */
+static status_t finalize_message(private_message_t *this, keymat_t *keymat,
+						generator_t *generator, encrypted_payload_t *encrypted)
+{
+	keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
+	chunk_t chunk;
+	u_int32_t *lenpos;
+
+	if (encrypted)
+	{
 		if (this->is_encrypted)
 		{	/* for IKEv1 instead of associated data we provide the IV */
 			if (!keymat_v1->get_iv(keymat_v1, this->message_id, &chunk))
 			{
 				generator->destroy(generator);
+				encrypted->destroy(encrypted);
 				return FAILED;
 			}
 		}
 		else
-		{	/* build associated data (without header of encryption payload) */
+		{	/* build associated data (without header of encrypted payload) */
 			chunk = generator->get_chunk(generator, &lenpos);
-			/* fill in length, including encryption payload */
-			htoun32(lenpos, chunk.len + encryption->get_length(encryption));
+			/* fill in length, including encrypted payload */
+			htoun32(lenpos, chunk.len + encrypted->get_length(encrypted));
 		}
-		this->payloads->insert_last(this->payloads, encryption);
-		if (encryption->encrypt(encryption, this->message_id, chunk) != SUCCESS)
+		this->payloads->insert_last(this->payloads, encrypted);
+		if (encrypted->encrypt(encrypted, this->message_id, chunk) != SUCCESS)
 		{
 			generator->destroy(generator);
 			return INVALID_STATE;
 		}
-		generator->generate_payload(generator, &encryption->payload_interface);
+		generator->generate_payload(generator, &encrypted->payload_interface);
 	}
 	chunk = generator->get_chunk(generator, &lenpos);
 	htoun32(lenpos, chunk.len);
 	this->packet->set_data(this->packet, chunk_clone(chunk));
-	if (this->is_encrypted)
+	if (this->is_encrypted && this->exchange_type != INFORMATIONAL_V1)
 	{
 		/* update the IV for the next IKEv1 message */
 		chunk_t last_block;
+		aead_t *aead;
 		size_t bs;
 
+		aead = keymat->get_aead(keymat, FALSE);
 		bs = aead->get_block_size(aead);
 		last_block = chunk_create(chunk.ptr + chunk.len - bs, bs);
 		if (!keymat_v1->update_iv(keymat_v1, this->message_id, last_block) ||
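Review bot: The doc comment of `finalize_message()` mentions only that the generator is destroyed, but the function also consumes `encrypted`, and it does so differently per path. On a failed `get_iv()` it calls `encrypted->destroy(encrypted)`, whereas on a failed `encrypt()` the payload has already been inserted into `this->payloads` and stays there. I would add to the comment ` * Takes ownership of encrypted: destroyed if no IV is available, otherwise added to this->payloads (also if encryption fails).` so callers such as `fragment()` do not touch the pointer after an error. The function ends in the next hunk.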
@@ -1648,30 +1777,301 @@ METHOD(message_t, generate, status_t,
 		}
 	}
 	generator->destroy(generator);
-	*packet = this->packet->clone(this->packet);
 	return SUCCESS;
 }
 
-METHOD(message_t, get_packet, packet_t*,
-	private_message_t *this)
+METHOD(message_t, generate, status_t,
+	private_message_t *this, keymat_t *keymat, packet_t **packet)
 {
-	if (this->packet == NULL)
+	generator_t *generator = NULL;
+	encrypted_payload_t *encrypted = NULL;
+	status_t status;
+
+	status = generate_message(this, keymat, &generator, &encrypted);
+	if (status != SUCCESS)
 	{
-		return NULL;
+		DESTROY_IF(generator);
+		return status;
+	}
+	status = finalize_message(this, keymat, generator, encrypted);
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+	if (packet)
+	{
+		*packet = this->packet->clone(this->packet);
+	}
+	return SUCCESS;
+}
+
+/**
+ * Creates a (basic) clone of the given message
+ */
+static message_t *clone_message(private_message_t *this)
+{
+	message_t *message;
+	host_t *src, *dst;
+
+	src = this->packet->get_source(this->packet);
+	dst = this->packet->get_destination(this->packet);
+
+	message = message_create(this->major_version, this->minor_version);
+	message->set_ike_sa_id(message, this->ike_sa_id);
+	message->set_message_id(message, this->message_id);
+	message->set_request(message, this->is_request);
+	message->set_source(message, src->clone(src));
+	message->set_destination(message, dst->clone(dst));
+	message->set_exchange_type(message, this->exchange_type);
+	memcpy(((private_message_t*)message)->reserved, this->reserved,
+		   sizeof(this->reserved));
+	return message;
+}
+
+/**
+ * Create a single fragment with the given data
+ */
+static message_t *create_fragment(private_message_t *this, payload_type_t next,
+								  u_int16_t num, u_int16_t count, chunk_t data)
+{
+	enumerator_t *enumerator;
+	payload_t *fragment, *payload;
+	message_t *message;
+	peer_cfg_t *peer_cfg;
+	ike_sa_t *ike_sa;
+
+	message = clone_message(this);
+	if (this->major_version == IKEV1_MAJOR_VERSION)
+	{
+		/* other implementations seem to just use 0 as message ID, so here we go */
+		message->set_message_id(message, 0);
+		/* always use the initial message type for fragments, even for quick mode
+		 * or transaction messages. */
+		ike_sa = charon->bus->get_sa(charon->bus);
+		if (ike_sa && (peer_cfg = ike_sa->get_peer_cfg(ike_sa)) &&
+			peer_cfg->use_aggressive(peer_cfg))
+		{
+			message->set_exchange_type(message, AGGRESSIVE);
+		}
+		else
+		{
+			message->set_exchange_type(message, ID_PROT);
+		}
+		fragment = (payload_t*)fragment_payload_create_from_data(
+													num, num == count, data);
+	}
+	else
+	{
+		fragment = (payload_t*)encrypted_fragment_payload_create_from_data(
+													num, count, data);
+		if (num == 1)
+		{
+			/* only in the first fragment is this set to the type of the first
+			 * payload in the encrypted payload */
+			fragment->set_next_type(fragment, next);
+			/* move unencrypted payloads to the first fragment */
+			enumerator = this->payloads->create_enumerator(this->payloads);
+			while (enumerator->enumerate(enumerator, &payload))
+			{
+				if (payload->get_type(payload) != PLV2_ENCRYPTED)
+				{
+					this->payloads->remove_at(this->payloads, enumerator);
+					message->add_payload(message, payload);
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+	message->add_payload(message, (payload_t*)fragment);
+	return message;
+}
+
+/**
+ * Destroy all fragments
+ */
+static void clear_fragments(private_message_t *this)
+{
+	array_destroy_offset(this->fragments, offsetof(packet_t, destroy));
+	this->fragments = NULL;
+}
+
+/**
+ * Reduce the fragment length but ensure it stays > 0
+ */
+#define REDUCE_FRAG_LEN(fl, amount) ({ \
+	fl = max(1, (ssize_t)fl - (amount)); \
+})
+
+METHOD(message_t, fragment, status_t,
+	private_message_t *this, keymat_t *keymat, size_t frag_len,
+	enumerator_t **fragments)
+{
+	encrypted_payload_t *encrypted = NULL;
+	generator_t *generator = NULL;
+	message_t *fragment;
+	packet_t *packet;
+	payload_type_t next = PL_NONE;
+	u_int16_t num, count;
+	host_t *src, *dst;
+	chunk_t data;
+	status_t status;
+	u_int32_t *lenpos;
+	size_t len;
+
+	src = this->packet->get_source(this->packet);
+	dst = this->packet->get_destination(this->packet);
+	if (!frag_len)
+	{
+		frag_len = (src->get_family(src) == AF_INET) ? 576 : 1280;
+	}
+	/* frag_len is the complete IP datagram length, account for overhead (we
+	 * assume no IP options/extension headers are used) */
+	REDUCE_FRAG_LEN(frag_len, (src->get_family(src) == AF_INET) ? 20 : 40);
+	/* 8 (UDP header) */
+	REDUCE_FRAG_LEN(frag_len, 8);
+	if (dst->get_port(dst) != IKEV2_UDP_PORT &&
+		src->get_port(src) != IKEV2_UDP_PORT)
+	{	/* reduce length due to non-ESP marker */
+		REDUCE_FRAG_LEN(frag_len, 4);
+	}
+
+	if (is_encoded(this))
+	{
+		if (this->major_version == IKEV2_MAJOR_VERSION)
+		{
+			encrypted = (encrypted_payload_t*)get_payload(this, PLV2_ENCRYPTED);
+		}
+		data = this->packet->get_data(this->packet);
+		len = data.len;
+	}
+	else
+	{
+		status = generate_message(this, keymat, &generator, &encrypted);
+		if (status != SUCCESS)
+		{
+			DESTROY_IF(generator);
+			return status;
+		}
+		data = generator->get_chunk(generator, &lenpos);
+		len = data.len + (encrypted ? encrypted->get_length(encrypted) : 0);
+	}
+
+	/* check if we actually need to fragment the message and if we have an
+	 * encrypted payload for IKEv2 */
+	if (len <= frag_len ||
+	   (this->major_version == IKEV2_MAJOR_VERSION && !encrypted))
+	{
+		if (generator)
+		{
+			status = finalize_message(this, keymat, generator, encrypted);
+			if (status != SUCCESS)
+			{
+				return status;
+			}
+		}
+		*fragments = enumerator_create_single(this->packet, NULL);
+		return SUCCESS;
+	}
+
+	/* frag_len denoted the maximum IKE message size so far, later on it will
+	 * denote the maximum content size of a fragment payload, therefore,
+	 * account for IKE header */
+	REDUCE_FRAG_LEN(frag_len, 28);
+
+	if (this->major_version == IKEV1_MAJOR_VERSION)
+	{
+		if (generator)
+		{
+			status = finalize_message(this, keymat, generator, encrypted);
+			if (status != SUCCESS)
+			{
+				return status;
+			}
+			data = this->packet->get_data(this->packet);
+			generator = NULL;
+		}
+		/* overhead for the fragmentation payload header */
+		REDUCE_FRAG_LEN(frag_len, 8);
 	}
+	else
+	{
+		aead_t *aead;
+
+		if (generator)
+		{
+			generator->destroy(generator);
+			generator = generator_create();
+		}
+		else
+		{	/* do not log again if it was generated previously */
+			generator = generator_create_no_dbg();
+		}
+		next = encrypted->payload_interface.get_next_type((payload_t*)encrypted);
+		encrypted->generate_payloads(encrypted, generator);
+		data = generator->get_chunk(generator, &lenpos);
+		if (!is_encoded(this))
+		{
+			encrypted->destroy(encrypted);
+		}
+		aead = keymat->get_aead(keymat, FALSE);
+		/* overhead for the encrypted fragment payload */
+		REDUCE_FRAG_LEN(frag_len, aead->get_iv_size(aead));
+		REDUCE_FRAG_LEN(frag_len, aead->get_icv_size(aead));
+		/* header */
+		REDUCE_FRAG_LEN(frag_len, 8);
+		/* padding and padding length */
+		frag_len = round_down(frag_len, aead->get_block_size(aead));
+		REDUCE_FRAG_LEN(frag_len, 1);
+		/* TODO-FRAG: if there are unencrypted payloads, should we account for
+		 * their length in the first fragment? we still would have to add
+		 * an encrypted fragment payload (albeit empty), even so we couldn't
+		 * prevent IP fragmentation in every case */
+	}
+
+	count = data.len / frag_len + (data.len % frag_len ? 1 : 0);
+	this->fragments = array_create(0, count);
+	DBG1(DBG_ENC, "splitting IKE message with length of %zu bytes into "
+		 "%hu fragments", len, count);
+	for (num = 1; num <= count; num++)
+	{
+		len = min(data.len, frag_len);
+		fragment = create_fragment(this, next, num, count,
+								   chunk_create(data.ptr, len));
+		status = fragment->generate(fragment, keymat, &packet);
+		fragment->destroy(fragment);
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_ENC, "failed to generate IKE fragment");
+			clear_fragments(this);
+			DESTROY_IF(generator);
+			return FAILED;
+		}
+		array_insert(this->fragments, ARRAY_TAIL, packet);
+		data = chunk_skip(data, len);
+	}
+	*fragments = array_create_enumerator(this->fragments);
+	DESTROY_IF(generator);
+	return SUCCESS;
+}
+
+METHOD(message_t, get_packet, packet_t*,
+	private_message_t *this)
+{
 	return this->packet->clone(this->packet);
 }
 
 METHOD(message_t, get_packet_data, chunk_t,
 	private_message_t *this)
 {
-	if (this->packet == NULL)
-	{
-		return chunk_empty;
-	}
 	return this->packet->get_data(this->packet);
 }
 
+METHOD(message_t, get_fragments, enumerator_t*,
+	private_message_t *this)
+{
+	return array_create_enumerator(this->fragments);
+}
+
 METHOD(message_t, parse_header, status_t,
 	private_message_t *this)
 {
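Review bot: In `fragment()`, `count = data.len / frag_len + ...` stores a `size_t` quotient in a `u_int16_t` without any bound, and nothing on the sending side compares it with `MAX_FRAGMENTS`. `REDUCE_FRAG_LEN` can clamp `frag_len` down to 1, so a small configured fragment size combined with a large message can truncate `count`, leaving part of `data` unsent. With `count == 65535` the `num <= count` loop condition can never become false. For IKEv1 the value is also passed to `fragment_payload_create_from_data()`, whose number field is presumably a single octet, to be confirmed in that file. I would compute the total in a `size_t` and fail before allocating anything if it exceeds the intended limit, as sketched below.

```c
	size_t total;

	/* … unchanged: frag_len computation and payload generation … */
	total = data.len / frag_len + (data.len % frag_len ? 1 : 0);
	if (total > MAX_FRAGMENTS)
	{
		DBG1(DBG_ENC, "IKE message with length of %zu bytes needs %zu "
			 "fragments, refusing to split it", len, total);
		DESTROY_IF(generator);
		return FAILED;
	}
	count = total;
	this->fragments = array_create(0, count);
	/* … unchanged: fragment generation loop … */
```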
@@ -1682,6 +2082,10 @@ METHOD(message_t, parse_header, status_t,
 
 	DBG2(DBG_ENC, "parsing header of message");
 
+	if (!this->parser)
+	{	/* reassembled IKEv2 message, header is inherited from fragments */
+		return SUCCESS;
+	}
 	this->parser->reset_context(this->parser);
 	status = this->parser->parse_payload(this->parser, PL_HEADER,
 										 (payload_t**)&ike_header);
@@ -1723,7 +2127,7 @@ METHOD(message_t, parse_header, status_t,
 	this->first_payload = ike_header->payload_interface.get_next_type(
 												&ike_header->payload_interface);
 	if (this->first_payload == PLV1_FRAGMENT && this->is_encrypted)
-	{	/* racoon sets the encryted bit when sending a fragment, but these
+	{	/* racoon sets the encrypted bit when sending a fragment, but these
 		 * messages are really not encrypted */
 		this->is_encrypted = FALSE;
 	}
@@ -1780,9 +2184,9 @@ static status_t parse_payloads(private_message_t *this)
 	status_t status;
 
 	if (this->is_encrypted)
-	{	/* wrap the whole encrypted IKEv1 message in a special encryption
+	{	/* wrap the whole encrypted IKEv1 message in a special encrypted
 		 * payload which is then handled just like a regular payload */
-		encryption_payload_t *encryption;
+		encrypted_payload_t *encryption;
 
 		status = this->parser->parse_payload(this->parser, PLV1_ENCRYPTED,
 											 (payload_t**)&encryption);
@@ -1824,9 +2228,9 @@ static status_t parse_payloads(private_message_t *this)
 			 payload_type_names, type);
 		this->payloads->insert_last(this->payloads, payload);
 
-		/* an encrypted payload is the last one, so STOP here. decryption is
-		 * done later */
-		if (type == PLV2_ENCRYPTED)
+		/* an encrypted (fragment) payload MUST be the last one, so STOP here.
+		 * decryption is done later */
+		if (type == PLV2_ENCRYPTED || type == PLV2_FRAGMENT)
 		{
 			DBG2(DBG_ENC, "%N payload found, stop parsing",
 				 payload_type_names, type);
@@ -1841,7 +2245,7 @@ static status_t parse_payloads(private_message_t *this)
  * Decrypt an encrypted payload and extract all contained payloads.
  */
 static status_t decrypt_and_extract(private_message_t *this, keymat_t *keymat,
-						payload_t *previous, encryption_payload_t *encryption)
+						payload_t *previous, encrypted_payload_t *encryption)
 {
 	payload_t *encrypted;
 	payload_type_t type;
@@ -1861,43 +2265,52 @@ static status_t decrypt_and_extract(private_message_t *this, keymat_t *keymat,
 		DBG1(DBG_ENC, "found encrypted payload, but no transform set");
 		return INVALID_ARG;
 	}
-	bs = aead->get_block_size(aead);
-	encryption->set_transform(encryption, aead);
-	chunk = this->packet->get_data(this->packet);
-	if (chunk.len < encryption->get_length(encryption) ||
-		chunk.len < bs)
+	if (!this->parser)
 	{
-		DBG1(DBG_ENC, "invalid payload length");
-		return VERIFY_ERROR;
+		/* reassembled IKEv2 messages are already decrypted, we still call
+		 * decrypt() to parse the contained payloads */
+		status = encryption->decrypt(encryption, chunk_empty);
 	}
-	if (keymat->get_version(keymat) == IKEV1)
-	{	/* instead of associated data we provide the IV, we also update
-		 * the IV with the last encrypted block */
-		keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
-		chunk_t iv;
-
-		if (keymat_v1->get_iv(keymat_v1, this->message_id, &iv))
+	else
+	{
+		bs = aead->get_block_size(aead);
+		encryption->set_transform(encryption, aead);
+		chunk = this->packet->get_data(this->packet);
+		if (chunk.len < encryption->get_length(encryption) ||
+			chunk.len < bs)
 		{
-			status = encryption->decrypt(encryption, iv);
-			if (status == SUCCESS)
+			DBG1(DBG_ENC, "invalid payload length");
+			return VERIFY_ERROR;
+		}
+		if (keymat->get_version(keymat) == IKEV1)
+		{	/* instead of associated data we provide the IV, we also update
+			 * the IV with the last encrypted block */
+			keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
+			chunk_t iv;
+
+			if (keymat_v1->get_iv(keymat_v1, this->message_id, &iv))
 			{
-				if (!keymat_v1->update_iv(keymat_v1, this->message_id,
-						chunk_create(chunk.ptr + chunk.len - bs, bs)))
+				status = encryption->decrypt(encryption, iv);
+				if (status == SUCCESS)
 				{
-					status = FAILED;
+					if (!keymat_v1->update_iv(keymat_v1, this->message_id,
+							chunk_create(chunk.ptr + chunk.len - bs, bs)))
+					{
+						status = FAILED;
+					}
 				}
 			}
+			else
+			{
+				status = FAILED;
+			}
 		}
 		else
 		{
-			status = FAILED;
+			chunk.len -= encryption->get_length(encryption);
+			status = encryption->decrypt(encryption, chunk);
 		}
 	}
-	else
-	{
-		chunk.len -= encryption->get_length(encryption);
-		status = encryption->decrypt(encryption, chunk);
-	}
 	if (status != SUCCESS)
 	{
 		return status;
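Review bot: The new `if (!this->parser)` branch treats a NULL parser as the only marker of a reassembled IKEv2 message, and on that path it skips `set_transform()` and the packet length check before calling `decrypt()` with `chunk_empty`. That is sound only if every fragment was decrypted and integrity-checked before it was handed to `add_fragment()`, which this hunk does not show. I would state the invariant in the comment, e.g. `/* parser == NULL: message was reassembled from fragments that were each decrypted and verified; decrypt() only parses the contained payloads */`. The same implicit test gates `parse_payloads()` in the parse_body hunk further down, so a small helper or a named flag would make both sites easier to audit. decrypt_and_extract starts and ends outside this hunk.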
@@ -1923,6 +2336,41 @@ static status_t decrypt_and_extract(private_message_t *this, keymat_t *keymat,
 }
 
 /**
+ * Decrypt an encrypted fragment payload.
+ */
+static status_t decrypt_fragment(private_message_t *this, keymat_t *keymat,
+								 encrypted_fragment_payload_t *fragment)
+{
+	encrypted_payload_t *encrypted = (encrypted_payload_t*)fragment;
+	chunk_t chunk;
+	aead_t *aead;
+	size_t bs;
+
+	if (!keymat)
+	{
+		DBG1(DBG_ENC, "found encrypted fragment payload, but no keymat");
+		return INVALID_ARG;
+	}
+	aead = keymat->get_aead(keymat, TRUE);
+	if (!aead)
+	{
+		DBG1(DBG_ENC, "found encrypted fragment payload, but no transform set");
+		return INVALID_ARG;
+	}
+	bs = aead->get_block_size(aead);
+	encrypted->set_transform(encrypted, aead);
+	chunk = this->packet->get_data(this->packet);
+	if (chunk.len < encrypted->get_length(encrypted) ||
+		chunk.len < bs)
+	{
+		DBG1(DBG_ENC, "invalid payload length");
+		return VERIFY_ERROR;
+	}
+	chunk.len -= encrypted->get_length(encrypted);
+	return encrypted->decrypt(encrypted, chunk);
+}
+
+/**
  * Do we accept unencrypted ID/HASH payloads in Main Mode, as seen from
  * some SonicWall boxes?
  */
@@ -1941,7 +2389,7 @@ static bool accept_unencrypted_mm(private_message_t *this, payload_type_t type)
 }
 
 /**
- * Decrypt payload from the encryption payload
+ * Decrypt payload from the encrypted payload
  */
 static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
 {
@@ -1950,7 +2398,7 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
 	payload_rule_t *rule;
 	payload_type_t type;
 	status_t status = SUCCESS;
-	bool was_encrypted = FALSE;
+	char *was_encrypted = NULL;
 
 	enumerator = this->payloads->create_enumerator(this->payloads);
 	while (enumerator->enumerate(enumerator, &payload))
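Review bot: `was_encrypted` only ever points at string literals (assigned in the later decrypt_payloads hunks) but is declared as a plain `char *`; declare it `const char *was_encrypted = NULL;` so that a write through it is rejected at compile time. Since it no longer reads as a flag, a short comment such as `/* description of the payload that carried the encryption, NULL if none seen yet */` would help the next reader. decrypt_payloads starts and ends outside this hunk.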
@@ -1959,20 +2407,24 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
 
 		DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
 
-		if (type == PLV2_ENCRYPTED || type == PLV1_ENCRYPTED)
+		if (type == PLV2_ENCRYPTED || type == PLV1_ENCRYPTED ||
+			type == PLV2_FRAGMENT)
 		{
-			encryption_payload_t *encryption;
-
 			if (was_encrypted)
 			{
-				DBG1(DBG_ENC, "encrypted payload can't contain other payloads "
-					 "of type %N", payload_type_names, type);
+				DBG1(DBG_ENC, "%s can't contain other payloads of type %N",
+					 was_encrypted, payload_type_names, type);
 				status = VERIFY_ERROR;
 				break;
 			}
+		}
+
+		if (type == PLV2_ENCRYPTED || type == PLV1_ENCRYPTED)
+		{
+			encrypted_payload_t *encryption;
 
 			DBG2(DBG_ENC, "found an encrypted payload");
-			encryption = (encryption_payload_t*)payload;
+			encryption = (encrypted_payload_t*)payload;
 			this->payloads->remove_at(this->payloads, enumerator);
 
 			if (enumerator->enumerate(enumerator, NULL))
@@ -1988,7 +2440,27 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
 			{
 				break;
 			}
-			was_encrypted = TRUE;
+			was_encrypted = "encrypted payload";
+		}
+		else if (type == PLV2_FRAGMENT)
+		{
+			encrypted_fragment_payload_t *fragment;
+
+			DBG2(DBG_ENC, "found an encrypted fragment payload");
+			fragment = (encrypted_fragment_payload_t*)payload;
+
+			if (enumerator->enumerate(enumerator, NULL))
+			{
+				DBG1(DBG_ENC, "encrypted fragment payload is not last payload");
+				status = VERIFY_ERROR;
+				break;
+			}
+			status = decrypt_fragment(this, keymat, fragment);
+			if (status != SUCCESS)
+			{
+				break;
+			}
+			was_encrypted = "encrypted fragment payload";
 		}
 
 		if (payload_is_known(type) && !was_encrypted &&
@@ -2085,10 +2557,15 @@ METHOD(message_t, parse_body, status_t,
 		return NOT_SUPPORTED;
 	}
 
-	status = parse_payloads(this);
-	if (status != SUCCESS)
-	{	/* error is already logged */
-		return status;
+	/* reassembled IKEv2 messages are already parsed (except for the payloads
+	 * contained in the encrypted payload, which are handled below) */
+	if (this->parser)
+	{
+		status = parse_payloads(this);
+		if (status != SUCCESS)
+		{	/* error is already logged */
+			return status;
+		}
 	}
 
 	status = decrypt_payloads(this, keymat);
@@ -2142,7 +2619,7 @@ METHOD(message_t, parse_body, status_t,
 			}
 			chunk_free(&hash);
 		}
-		if (this->is_encrypted)
+		if (this->is_encrypted && this->exchange_type != INFORMATIONAL_V1)
 		{	/* message verified, confirm IV */
 			if (!keymat_v1->confirm_iv(keymat_v1, this->message_id))
 			{
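Review bot: The comment `/* message verified, confirm IV */` no longer matches the condition, which now skips `confirm_iv()` when `exchange_type` is `INFORMATIONAL_V1`. The reason is not visible in the hunk (presumably informational exchanges do not continue the IV chain, but that is an inference), so it should be written down next to the test, e.g. `/* message verified, confirm IV; not done for informational exchanges because <reason> */`. parse_body continues outside this hunk.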
@@ -2153,13 +2630,234 @@ METHOD(message_t, parse_body, status_t,
 	return SUCCESS;
 }
 
+/**
+ * Store the fragment data for the fragment with the given fragment number.
+ */
+static status_t add_fragment(private_message_t *this, u_int16_t num,
+							 chunk_t data)
+{
+	fragment_t *fragment;
+	int i, insert_at = -1;
+
+	for (i = 0; i < array_count(this->fragments); i++)
+	{
+		array_get(this->fragments, i, &fragment);
+		if (fragment->num == num)
+		{
+			/* ignore a duplicate fragment */
+			DBG1(DBG_ENC, "received duplicate fragment #%hu", num);
+			return NEED_MORE;
+		}
+		if (fragment->num > num)
+		{
+			insert_at = i;
+			break;
+		}
+	}
+	this->frag->len += data.len;
+	if (this->frag->len > this->frag->max_packet)
+	{
+		DBG1(DBG_ENC, "fragmented IKE message is too large");
+		reset_defrag(this);
+		return FAILED;
+	}
+	INIT(fragment,
+		.num = num,
+		.data = chunk_clone(data),
+	);
+	array_insert(this->fragments, insert_at, fragment);
+	return SUCCESS;
+}
+
+/**
+ * Merge the cached fragment data and resets the defragmentation state.
+ * Also updates the IP addresses to those of the last received fragment.
+ */
+static chunk_t merge_fragments(private_message_t *this, message_t *last)
+{
+	fragment_t *fragment;
+	bio_writer_t *writer;
+	host_t *src, *dst;
+	chunk_t data;
+	int i;
+
+	writer = bio_writer_create(this->frag->len);
+	for (i = 0; i < array_count(this->fragments); i++)
+	{
+		array_get(this->fragments, i, &fragment);
+		writer->write_data(writer, fragment->data);
+	}
+	data = writer->extract_buf(writer);
+	writer->destroy(writer);
+
+	/* set addresses to those of the last fragment we received */
+	src = last->get_source(last);
+	dst = last->get_destination(last);
+	this->packet->set_source(this->packet, src->clone(src));
+	this->packet->set_destination(this->packet, dst->clone(dst));
+
+	reset_defrag(this);
+	free(this->frag);
+	this->frag = NULL;
+	return data;
+}
+
+METHOD(message_t, add_fragment_v1, status_t,
+	private_message_t *this, message_t *message)
+{
+	fragment_payload_t *payload;
+	chunk_t data;
+	u_int8_t num;
+	status_t status;
+
+	if (!this->frag)
+	{
+		return INVALID_STATE;
+	}
+	payload = (fragment_payload_t*)message->get_payload(message, PLV1_FRAGMENT);
+	if (!payload)
+	{
+		return INVALID_ARG;
+	}
+	if (!this->fragments || this->message_id != payload->get_id(payload))
+	{
+		reset_defrag(this);
+		this->message_id = payload->get_id(payload);
+		/* we don't know the total number of fragments, assume something */
+		this->fragments = array_create(0, 4);
+	}
+
+	num = payload->get_number(payload);
+	data = payload->get_data(payload);
+	if (!this->frag->last && payload->is_last(payload))
+	{
+		this->frag->last = num;
+	}
+	status = add_fragment(this, num, data);
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+
+	if (array_count(this->fragments) != this->frag->last)
+	{
+		/* there are some fragments missing */
+		DBG1(DBG_ENC, "received fragment #%hhu, waiting for complete IKE "
+			 "message", num);
+		return NEED_MORE;
+	}
+
+	DBG1(DBG_ENC, "received fragment #%hhu, reassembling fragmented IKE "
+		 "message", num);
+
+	data = merge_fragments(this, message);
+	this->packet->set_data(this->packet, data);
+	this->parser = parser_create(data);
+
+	if (parse_header(this) != SUCCESS)
+	{
+		DBG1(DBG_IKE, "failed to parse header of reassembled IKE message");
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+METHOD(message_t, add_fragment_v2, status_t,
+	private_message_t *this, message_t *message)
+{
+	encrypted_fragment_payload_t *encrypted_fragment;
+	encrypted_payload_t *encrypted;
+	payload_t *payload;
+	enumerator_t *enumerator;
+	chunk_t data;
+	u_int16_t total, num;
+	status_t status;
+
+	if (!this->frag)
+	{
+		return INVALID_STATE;
+	}
+	payload = message->get_payload(message, PLV2_FRAGMENT);
+	if (!payload || this->message_id != message->get_message_id(message))
+	{
+		return INVALID_ARG;
+	}
+	encrypted_fragment = (encrypted_fragment_payload_t*)payload;
+	total = encrypted_fragment->get_total_fragments(encrypted_fragment);
+	if (total > MAX_FRAGMENTS)
+	{
+		DBG1(DBG_IKE, "maximum fragment count exceeded");
+		reset_defrag(this);
+		return FAILED;
+	}
+	if (!this->fragments || total > this->frag->last)
+	{
+		reset_defrag(this);
+		this->frag->last = total;
+		this->fragments = array_create(0, total);
+	}
+	num = encrypted_fragment->get_fragment_number(encrypted_fragment);
+	data = encrypted_fragment->get_content(encrypted_fragment);
+	status = add_fragment(this, num, data);
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+
+	if (num == 1)
+	{
+		/* the first fragment denotes the payload type of the first payload in
+		 * the original encrypted payload, cache that */
+		this->first_payload = payload->get_next_type(payload);
+		/* move all unencrypted payloads contained in the first fragment */
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (payload->get_type(payload) != PLV2_FRAGMENT)
+			{
+				message->remove_payload_at(message, enumerator);
+				this->payloads->insert_last(this->payloads, payload);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (array_count(this->fragments) != total)
+	{
+		/* there are some fragments missing */
+		DBG1(DBG_ENC, "received fragment #%hu of %hu, waiting for complete IKE "
+			 "message", num, total);
+		return NEED_MORE;
+	}
+
+	DBG1(DBG_ENC, "received fragment #%hu of %hu, reassembling fragmented IKE "
+		 "message", num, total);
+
+	data = merge_fragments(this, message);
+	encrypted = encrypted_payload_create_from_plain(this->first_payload, data);
+	this->payloads->insert_last(this->payloads, encrypted);
+	/* update next payload type (could be an unencrypted payload) */
+	this->payloads->get_first(this->payloads, (void**)&payload);
+	this->first_payload = payload->get_type(payload);
+	return SUCCESS;
+}
+
 METHOD(message_t, destroy, void,
 	private_message_t *this)
 {
 	DESTROY_IF(this->ike_sa_id);
+	DESTROY_IF(this->parser);
 	this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
 	this->packet->destroy(this->packet);
-	this->parser->destroy(this->parser);
+	if (this->frag)
+	{
+		reset_defrag(this);
+		free(this->frag);
+	}
+	else
+	{
+		array_destroy_offset(this->fragments, offsetof(packet_t, destroy));
+	}
 	free(this);
 }
 
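Review bot: In add_fragment_v2 a fragment whose Total Fragments value is lower than `this->frag->last` is still stored, and completion is then judged with `array_count(this->fragments) != total` against that lower value. With two of five fragments cached, a fragment numbered 3 with total 3 would start reassembly from pieces of different fragment sets. Reject it before add_fragment(), e.g. `if (total < this->frag->last) { return INVALID_ARG; }`, assuming callers treat that status as "drop this fragment". `num` is also never compared with `total` or with zero here, so unless the payload's verify() already rejects such values (not visible in this hunk), the same guard should cover `!num || num > total`. The v1 variant accepts `num == 0` in the same way.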
@@ -2195,6 +2893,9 @@ message_t *message_create_from_packet(packet_t *packet)
 			.disable_sort = _disable_sort,
 			.generate = _generate,
 			.is_encoded = _is_encoded,
+			.is_fragmented = _is_fragmented,
+			.fragment = _fragment,
+			.add_fragment = _add_fragment_v2,
 			.set_source = _set_source,
 			.get_source = _get_source,
 			.set_destination = _set_destination,
@@ -2207,6 +2908,7 @@ message_t *message_create_from_packet(packet_t *packet)
 			.parse_body = _parse_body,
 			.get_packet = _get_packet,
 			.get_packet_data = _get_packet_data,
+			.get_fragments = _get_fragments,
 			.destroy = _destroy,
 		},
 		.exchange_type = EXCHANGE_TYPE_UNDEFINED,
@@ -2232,3 +2934,34 @@ message_t *message_create(int major, int minor)
 
 	return this;
 }
+
+/*
+ * Described in header.
+ */
+message_t *message_create_defrag(message_t *fragment)
+{
+	private_message_t *this;
+
+	if (!fragment->get_payload(fragment, PLV1_FRAGMENT) &&
+		!fragment->get_payload(fragment, PLV2_FRAGMENT))
+	{
+		return NULL;
+	}
+	this = (private_message_t*)clone_message((private_message_t*)fragment);
+	/* we don't need a parser for IKEv2, the one for IKEv1 is created after
+	 * reassembling the original message */
+	this->parser->destroy(this->parser);
+	this->parser = NULL;
+	if (fragment->get_major_version(fragment) == IKEV1_MAJOR_VERSION)
+	{
+		/* we store the fragment ID in the message ID field, which should be
+		 * zero for fragments, but make sure */
+		this->message_id = 0;
+		this->public.add_fragment = _add_fragment_v1;
+	}
+	INIT(this->frag,
+		.max_packet = lib->settings->get_int(lib->settings,
+								"%s.max_packet", PACKET_MAX_DEFAULT, lib->ns),
+	);
+	return &this->public;
+}
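Review bot: `max_packet` is taken straight from `get_int()` and is the only bound add_fragment() applies to the reassembled size (`this->frag->len > this->frag->max_packet`). If the field is an unsigned type, which this hunk does not show, a negative configured value turns into a huge limit and effectively disables the cap. Read it into an `int` first and fall back when it is not positive, e.g. `if (max <= 0) { max = PACKET_MAX_DEFAULT; }`. The function also dereferences `this->parser` right after clone_message() without a comment saying the clone always carries a parser.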
diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h
index 7631a7c..a03aa8e 100644
--- a/src/libcharon/encoding/message.h
+++ b/src/libcharon/encoding/message.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2011 Tobias Brunner
+ * Copyright (C) 2006-2014 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -39,7 +39,7 @@ typedef struct message_t message_t;
  *
  * The message handles parsing and generation of payloads
  * via parser_t/generator_t. Encryption is done transparently
- * via the encryption_payload_t. A set of rules for messages
+ * via the encrypted_payload_t. A set of rules for messages
  * and payloads does check parsed messages.
  */
 struct message_t {
@@ -265,6 +265,53 @@ struct message_t {
 	bool (*is_encoded)(message_t *this);
 
 	/**
+	 * Generates the message split into fragments of the given size (total IP
+	 * datagram length).
+	 *
+	 * @param keymat	keymat to encrypt/sign message(s)
+	 * @param frag_len	fragment length (maximum total IP datagram length), 0
+	 *					for default value depending on address family
+	 * @param fragments	receives an enumerator with generated packet_t*,
+	 *					which are owned by the enumerator
+	 * @return
+	 *					- SUCCESS if message could be fragmented
+	 *					- FAILED if fragmentation failed
+	 *					- and the possible return values of generate()
+	 */
+	status_t (*fragment)(message_t *this, keymat_t *keymat, size_t frag_len,
+						 enumerator_t **fragments);
+
+	/**
+	 * Check if the message has been encoded and fragmented using fragment(),
+	 * and whether there actually resulted fragments (if not is_encoded() will
+	 * be TRUE).
+	 *
+	 * The packets of individual fragments can be retrieved with
+	 * get_fragments().
+	 *
+	 * @return			TRUE if message has been encoded and fragmented
+	 */
+	bool (*is_fragmented)(message_t *this);
+
+	/**
+	 * Add a fragment to the message if it was created with
+	 * message_create_defrag().
+	 *
+	 * Once the message is completed it should be processed like any other
+	 * inbound message.
+	 *
+	 * @param fragment	fragment to add
+	 * @return
+	 *					- SUCCESS if message was reassembled
+	 *					- NEED_MORE if not all fragments have yet been received
+	 *					- FAILED if reassembling failed
+	 *					- INVALID_ARG if fragment is invalid for some reason
+	 *					- INVALID_STATE if message was not created using
+	 *					  message_create_defrag()
+	 */
+	status_t (*add_fragment)(message_t *this, message_t *fragment);
+
+	/**
 	 * Gets the source host informations.
 	 *
 	 * @warning Returned host_t object is not getting cloned,
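Review bot: The add_fragment() documentation does not say what happens to the passed message, although the IKEv2 implementation modifies it: add_fragment_v2 removes the unencrypted payloads from the first fragment and moves them into the reassembled message. I would extend the parameter line to `@param fragment fragment to add (not consumed, but unencrypted payloads of the first fragment are moved out of it)`. It is also worth stating whether the fragment must already have gone through parse_body(), since get_content() is documented as returning decrypted data. The struct's documentation block continues outside this hunk.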
@@ -337,11 +384,11 @@ struct message_t {
 	notify_payload_t* (*get_notify)(message_t *this, notify_type_t type);
 
 	/**
-	 * Returns a clone of the internal stored packet_t object.
+	 * Returns a clone of the internally stored packet_t object.
 	 *
 	 * @return			packet_t object as clone of internal one
 	 */
-	packet_t * (*get_packet) (message_t *this);
+	packet_t *(*get_packet) (message_t *this);
 
 	/**
 	 * Returns a chunk pointing to internal packet_t data.
@@ -351,6 +398,13 @@ struct message_t {
 	chunk_t (*get_packet_data) (message_t *this);
 
 	/**
+	 * Returns internally stored packet_t* objects for each fragment.
+	 *
+	 * @return			enumerator internal packet_t* objects
+	 */
+	enumerator_t *(*get_fragments)(message_t *this);
+
+	/**
 	 * Destroys a message and all including objects.
 	 */
 	void (*destroy) (message_t *this);
@@ -380,4 +434,14 @@ message_t *message_create_from_packet(packet_t *packet);
  */
 message_t *message_create(int major, int minor);
 
+/**
+ * Creates a message_t object that is used to reassemble fragmented messages.
+ *
+ * Use add_fragment() to add fragments.
+ *
+ * @param fragment		initial fragment (is not added)
+ * @return				message_t object, NULL if fragment is not actually one
+ */
+message_t *message_create_defrag(message_t *fragment);
+
 #endif /** MESSAGE_H_ @}*/
diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c
index c33e30d..d6240fd 100644
--- a/src/libcharon/encoding/parser.c
+++ b/src/libcharon/encoding/parser.c
@@ -32,7 +32,7 @@
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/id_payload.h>
 #include <encoding/payloads/notify_payload.h>
-#include <encoding/payloads/encryption_payload.h>
+#include <encoding/payloads/encrypted_payload.h>
 #include <encoding/payloads/auth_payload.h>
 #include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/certreq_payload.h>
diff --git a/src/libcharon/encoding/payloads/encrypted_fragment_payload.h b/src/libcharon/encoding/payloads/encrypted_fragment_payload.h
new file mode 100644
index 0000000..1c2cc37
--- /dev/null
+++ b/src/libcharon/encoding/payloads/encrypted_fragment_payload.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup encrypted_fragment_payload encrypted_fragment_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef ENCRYPTED_FRAGMENT_PAYLOAD_H_
+#define ENCRYPTED_FRAGMENT_PAYLOAD_H_
+
+typedef struct encrypted_fragment_payload_t encrypted_fragment_payload_t;
+
+#include <encoding/payloads/encrypted_payload.h>
+
+/**
+ * The Encrypted Fragment Payload as described in RFC 7383
+ *
+ * The implementation is located in encrypted_payload.c as it is very similar.
+ */
+struct encrypted_fragment_payload_t {
+
+	/**
+	 * Implements payload_t interface.
+	 */
+	encrypted_payload_t encrypted;
+
+	/**
+	 * Get the fragment number.
+	 *
+	 * @return			fragment number
+	 */
+	u_int16_t (*get_fragment_number)(encrypted_fragment_payload_t *this);
+
+	/**
+	 * Get the total number of fragments.
+	 *
+	 * @return			total number of fragments
+	 */
+	u_int16_t (*get_total_fragments)(encrypted_fragment_payload_t *this);
+
+	/**
+	 * Get the (decrypted) content of this payload.
+	 *
+	 * @return			internal payload data
+	 */
+	chunk_t (*get_content)(encrypted_fragment_payload_t *this);
+
+	/**
+	 * Destroys an encrypted_fragment_payload_t object.
+	 */
+	void (*destroy)(encrypted_fragment_payload_t *this);
+};
+
+/**
+ * Creates an empty encrypted_fragment_payload_t object.
+ *
+ * @return			encrypted_fragment_payload_t object
+ */
+encrypted_fragment_payload_t *encrypted_fragment_payload_create();
+
+/**
+ * Creates an encrypted fragment payload from the given data.
+ *
+ * @param num		fragment number (first one should be 1)
+ * @param total		total number of fragments
+ * @param data		fragment data (gets cloned)
+ * @return			encrypted_fragment_payload_t object
+ */
+encrypted_fragment_payload_t *encrypted_fragment_payload_create_from_data(
+								u_int16_t num, u_int16_t total, chunk_t data);
+
+#endif /** ENCRYPTED_FRAGMENT_PAYLOAD_H_ @}*/
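Review bot: `encrypted_fragment_payload_create()` is declared with an empty parameter list, which in C is not a prototype and lets calls with arguments compile unchecked; declare it as `encrypted_fragment_payload_t *encrypted_fragment_payload_create(void);`. The member comment `Implements payload_t interface.` on `encrypted_payload_t encrypted;` undersells what the field is for. Code in message.c casts the fragment payload to `encrypted_payload_t*`, so the comment should say `Implements encrypted_payload_t interface, must be the first member.`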
diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c
new file mode 100644
index 0000000..5c574c3
--- /dev/null
+++ b/src/libcharon/encoding/payloads/encrypted_payload.c
@@ -0,0 +1,1022 @@
+/*
+ * Copyright (C) 2011-2014 Tobias Brunner
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+#include <string.h>
+
+#include "encrypted_payload.h"
+#include "encrypted_fragment_payload.h"
+
+#include <daemon.h>
+#include <encoding/payloads/encodings.h>
+#include <collections/linked_list.h>
+#include <encoding/parser.h>
+
+typedef struct private_encrypted_payload_t private_encrypted_payload_t;
+typedef struct private_encrypted_fragment_payload_t private_encrypted_fragment_payload_t;
+
+struct private_encrypted_payload_t {
+
+	/**
+	 * Public encrypted_payload_t interface.
+	 */
+	encrypted_payload_t public;
+
+	/**
+	 * There is no next payload for an encrypted payload,
+	 * since encrypted payload MUST be the last one.
+	 * next_payload means here the first payload of the
+	 * contained, encrypted payload.
+	 */
+	u_int8_t next_payload;
+
+	/**
+	 * Flags, including reserved bits
+	 */
+	u_int8_t flags;
+
+	/**
+	 * Length of this payload
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Chunk containing the IV, plain, padding and ICV.
+	 */
+	chunk_t encrypted;
+
+	/**
+	 * AEAD transform to use
+	 */
+	aead_t *aead;
+
+	/**
+	 * Contained payloads
+	 */
+	linked_list_t *payloads;
+
+	/**
+	 * Type of payload, PLV2_ENCRYPTED or PLV1_ENCRYPTED
+	 */
+	payload_type_t type;
+};
+
+struct private_encrypted_fragment_payload_t {
+
+	/**
+	 * Public interface.
+	 */
+	encrypted_fragment_payload_t public;
+
+	/**
+	 * The first fragment contains the type of the first payload contained in
+	 * the original encrypted payload, for all other fragments it MUST be set
+	 * to zero.
+	 */
+	u_int8_t next_payload;
+
+	/**
+	 * Flags, including reserved bits
+	 */
+	u_int8_t flags;
+
+	/**
+	 * Length of this payload
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Chunk containing the IV, plain, padding and ICV.
+	 */
+	chunk_t encrypted;
+
+	/**
+	 * Fragment number
+	 */
+	u_int16_t fragment_number;
+
+	/**
+	 * Total fragments
+	 */
+	u_int16_t total_fragments;
+
+	/**
+	 * AEAD transform to use
+	 */
+	aead_t *aead;
+
+	/**
+	 * Chunk containing the plain packet data.
+	 */
+	chunk_t plain;
+};
+
+/**
+ * Encoding rules to parse or generate a IKEv2-Encrypted Payload.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_encrypted_payload_t.
+ */
+static encoding_rule_t encodings_v2[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_encrypted_payload_t, next_payload)	},
+	/* Critical and 7 reserved bits, all stored for reconstruction */
+	{ U_INT_8,			offsetof(private_encrypted_payload_t, flags)			},
+	/* Length of the whole encrypted payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_encrypted_payload_t, payload_length)	},
+	/* encrypted data, stored in a chunk. contains iv, data, padding */
+	{ CHUNK_DATA,		offsetof(private_encrypted_payload_t, encrypted)		},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                     Initialization Vector                     !
+      !         (length is block size for encryption algorithm)       !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                    Encrypted IKE Payloads                     !
+      +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !               !             Padding (0-255 octets)            !
+      +-+-+-+-+-+-+-+-+                               +-+-+-+-+-+-+-+-+
+      !                                               !  Pad Length   !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ~                    Integrity Checksum Data                    ~
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Encoding rules to parse or generate a complete encrypted IKEv1 message.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_encrypted_payload_t.
+ */
+static encoding_rule_t encodings_v1[] = {
+	/* encrypted data, stored in a chunk */
+	{ ENCRYPTED_DATA,	offsetof(private_encrypted_payload_t, encrypted)		},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                    Encrypted IKE Payloads                     !
+      +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !               !             Padding (0-255 octets)            !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Encoding rules to parse or generate an IKEv2-Encrypted Fragment Payload.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_encrypted_payload_t.
+ */
+static encoding_rule_t encodings_fragment[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_encrypted_fragment_payload_t, next_payload)	},
+	/* Critical and 7 reserved bits, all stored for reconstruction */
+	{ U_INT_8,			offsetof(private_encrypted_fragment_payload_t, flags)			},
+	/* Length of the whole encryption payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_encrypted_fragment_payload_t, payload_length)	},
+	/* Fragment number */
+	{ U_INT_16,			offsetof(private_encrypted_fragment_payload_t, fragment_number)	},
+	/* Total number of fragments */
+	{ U_INT_16,			offsetof(private_encrypted_fragment_payload_t, total_fragments)	},
+	/* encrypted data, stored in a chunk. contains iv, data, padding */
+	{ CHUNK_DATA,		offsetof(private_encrypted_fragment_payload_t, encrypted)		},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !        Fragment Number        |        Total Fragments        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                     Initialization Vector                     !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                    Encrypted IKE Payloads                     !
+      +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !               !             Padding (0-255 octets)            !
+      +-+-+-+-+-+-+-+-+                               +-+-+-+-+-+-+-+-+
+      !                                               !  Pad Length   !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ~                    Integrity Checksum Data                    ~
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+METHOD(payload_t, verify, status_t,
+	private_encrypted_payload_t *this)
+{
+	return SUCCESS;
+}
+
+METHOD(payload_t, get_encoding_rules, int,
+	private_encrypted_payload_t *this, encoding_rule_t **rules)
+{
+	if (this->type == PLV2_ENCRYPTED)
+	{
+		*rules = encodings_v2;
+		return countof(encodings_v2);
+	}
+	*rules = encodings_v1;
+	return countof(encodings_v1);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_encrypted_payload_t *this)
+{
+	if (this->type == PLV2_ENCRYPTED)
+	{
+		return 4;
+	}
+	return 0;
+}
+
+METHOD(payload_t, get_type, payload_type_t,
+	private_encrypted_payload_t *this)
+{
+	return this->type;
+}
+
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_encrypted_payload_t *this)
+{
+	return this->next_payload;
+}
+
+METHOD(payload_t, set_next_type, void,
+	private_encrypted_payload_t *this, payload_type_t type)
+{
+	/* the next payload is set during add, still allow this for IKEv1 */
+	this->next_payload = type;
+}
+
+/**
+ * Get length of encryption/integrity overhead for the given plaintext length
+ */
+static size_t compute_overhead(aead_t *aead, size_t len)
+{
+	size_t bs, overhead;
+
+	/* padding */
+	bs = aead->get_block_size(aead);
+	overhead = bs - (len % bs);
+	/* add iv */
+	overhead += aead->get_iv_size(aead);
+	/* add icv */
+	overhead += aead->get_icv_size(aead);
+	return overhead;
+}
+
+/**
+ * Compute the length of the whole payload
+ */
+static void compute_length(private_encrypted_payload_t *this)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	size_t length = 0;
+
+	if (this->encrypted.len)
+	{
+		length = this->encrypted.len;
+	}
+	else
+	{
+		enumerator = this->payloads->create_enumerator(this->payloads);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			length += payload->get_length(payload);
+		}
+		enumerator->destroy(enumerator);
+
+		if (this->aead)
+		{
+			length += compute_overhead(this->aead, length);
+		}
+	}
+	length += get_header_length(this);
+	this->payload_length = length;
+}
+
+METHOD2(payload_t, encrypted_payload_t, get_length, size_t,
+	private_encrypted_payload_t *this)
+{
+	compute_length(this);
+	return this->payload_length;
+}
+
+METHOD(encrypted_payload_t, add_payload, void,
+	private_encrypted_payload_t *this, payload_t *payload)
+{
+	payload_t *last_payload;
+
+	if (this->payloads->get_count(this->payloads) > 0)
+	{
+		this->payloads->get_last(this->payloads, (void **)&last_payload);
+		last_payload->set_next_type(last_payload, payload->get_type(payload));
+	}
+	else
+	{
+		this->next_payload = payload->get_type(payload);
+	}
+	payload->set_next_type(payload, PL_NONE);
+	this->payloads->insert_last(this->payloads, payload);
+	compute_length(this);
+}
+
+METHOD(encrypted_payload_t, remove_payload, payload_t *,
+	private_encrypted_payload_t *this)
+{
+	payload_t *payload;
+
+	if (this->payloads->remove_first(this->payloads,
+									 (void**)&payload) == SUCCESS)
+	{
+		return payload;
+	}
+	return NULL;
+}
+
+/**
+ * Generate payload before encryption
+ */
+static chunk_t generate(private_encrypted_payload_t *this,
+						generator_t *generator)
+{
+	payload_t *current, *next;
+	enumerator_t *enumerator;
+	u_int32_t *lenpos;
+	chunk_t chunk = chunk_empty;
+
+	enumerator = this->payloads->create_enumerator(this->payloads);
+	if (enumerator->enumerate(enumerator, &current))
+	{
+		this->next_payload = current->get_type(current);
+
+		while (enumerator->enumerate(enumerator, &next))
+		{
+			current->set_next_type(current, next->get_type(next));
+			generator->generate_payload(generator, current);
+			current = next;
+		}
+		current->set_next_type(current, PL_NONE);
+		generator->generate_payload(generator, current);
+
+		chunk = generator->get_chunk(generator, &lenpos);
+		DBG2(DBG_ENC, "generated content in encrypted payload");
+	}
+	enumerator->destroy(enumerator);
+	return chunk;
+}
+
+METHOD(encrypted_payload_t, generate_payloads, void,
+	private_encrypted_payload_t *this, generator_t *generator)
+{
+	generate(this, generator);
+}
+
+/**
+ * Append the encrypted payload header to the associated data
+ */
+static chunk_t append_header(private_encrypted_payload_t *this, chunk_t assoc)
+{
+	struct {
+		u_int8_t next_payload;
+		u_int8_t flags;
+		u_int16_t length;
+	} __attribute__((packed)) header = {
+		.next_payload = this->next_payload,
+		.flags = this->flags,
+		.length = htons(get_length(this)),
+	};
+	return chunk_cat("cc", assoc, chunk_from_thing(header));
+}
+
+/**
+ * Encrypts the data in plain and returns it in an allocated chunk.
+ */
+static status_t encrypt_content(char *label, aead_t *aead, u_int64_t mid,
+							chunk_t plain, chunk_t assoc, chunk_t *encrypted)
+{
+	chunk_t iv, padding, icv, crypt;
+	iv_gen_t *iv_gen;
+	rng_t *rng;
+	size_t bs;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_ENC, "encrypting %s failed, no RNG found", label);
+		return NOT_SUPPORTED;
+	}
+
+	iv_gen = aead->get_iv_gen(aead);
+	if (!iv_gen)
+	{
+		DBG1(DBG_ENC, "encrypting %s failed, no IV generator", label);
+		return NOT_SUPPORTED;
+	}
+
+	bs = aead->get_block_size(aead);
+	/* we need at least one byte padding to store the padding length */
+	padding.len = bs - (plain.len % bs);
+	iv.len = aead->get_iv_size(aead);
+	icv.len = aead->get_icv_size(aead);
+
+	/* prepare data to authenticate-encrypt:
+	 * | IV | plain | padding | ICV |
+	 *       \____crypt______/   ^
+	 *              |           /
+	 *              v          /
+	 *     assoc -> + ------->/
+	 */
+	*encrypted = chunk_alloc(iv.len + plain.len + padding.len + icv.len);
+	iv.ptr = encrypted->ptr;
+	memcpy(iv.ptr + iv.len, plain.ptr, plain.len);
+	plain.ptr = iv.ptr + iv.len;
+	padding.ptr = plain.ptr + plain.len;
+	icv.ptr = padding.ptr + padding.len;
+	crypt = chunk_create(plain.ptr, plain.len + padding.len);
+
+	if (!iv_gen->get_iv(iv_gen, mid, iv.len, iv.ptr) ||
+		!rng->get_bytes(rng, padding.len - 1, padding.ptr))
+	{
+		DBG1(DBG_ENC, "encrypting %s failed, no IV or padding", label);
+		rng->destroy(rng);
+
+		return FAILED;
+	}
+	padding.ptr[padding.len - 1] = padding.len - 1;
+	rng->destroy(rng);
+
+	DBG3(DBG_ENC, "%s encryption:", label);
+	DBG3(DBG_ENC, "IV %B", &iv);
+	DBG3(DBG_ENC, "plain %B", &plain);
+	DBG3(DBG_ENC, "padding %B", &padding);
+	DBG3(DBG_ENC, "assoc %B", &assoc);
+
+	if (!aead->encrypt(aead, crypt, assoc, iv, NULL))
+	{
+		return FAILED;
+	}
+	DBG3(DBG_ENC, "encrypted %B", &crypt);
+	DBG3(DBG_ENC, "ICV %B", &icv);
+	return SUCCESS;
+}
+
+METHOD(encrypted_payload_t, encrypt, status_t,
+	private_encrypted_payload_t *this, u_int64_t mid, chunk_t assoc)
+{
+	generator_t *generator;
+	chunk_t plain;
+	status_t status;
+
+	if (this->aead == NULL)
+	{
+		DBG1(DBG_ENC, "encrypting encrypted payload failed, transform missing");
+		return INVALID_STATE;
+	}
+
+	free(this->encrypted.ptr);
+	generator = generator_create();
+	plain = generate(this, generator);
+	assoc = append_header(this, assoc);
+	status = encrypt_content("encrypted payload", this->aead, mid, plain, assoc,
+							 &this->encrypted);
+	generator->destroy(generator);
+	free(assoc.ptr);
+	return status;
+}
+
+METHOD(encrypted_payload_t, encrypt_v1, status_t,
+	private_encrypted_payload_t *this, u_int64_t mid, chunk_t iv)
+{
+	generator_t *generator;
+	chunk_t plain, padding;
+	size_t bs;
+
+	if (this->aead == NULL)
+	{
+		DBG1(DBG_ENC, "encryption failed, transform missing");
+		return INVALID_STATE;
+	}
+
+	generator = generator_create();
+	plain = generate(this, generator);
+	bs = this->aead->get_block_size(this->aead);
+	padding.len = bs - (plain.len % bs);
+
+	/* prepare data to encrypt:
+	 * | plain | padding | */
+	free(this->encrypted.ptr);
+	this->encrypted = chunk_alloc(plain.len + padding.len);
+	memcpy(this->encrypted.ptr, plain.ptr, plain.len);
+	plain.ptr = this->encrypted.ptr;
+	padding.ptr = plain.ptr + plain.len;
+	memset(padding.ptr, 0, padding.len);
+	generator->destroy(generator);
+
+	DBG3(DBG_ENC, "encrypting payloads:");
+	DBG3(DBG_ENC, "IV %B", &iv);
+	DBG3(DBG_ENC, "plain %B", &plain);
+	DBG3(DBG_ENC, "padding %B", &padding);
+
+	if (!this->aead->encrypt(this->aead, this->encrypted, chunk_empty, iv, NULL))
+	{
+		return FAILED;
+	}
+
+	DBG3(DBG_ENC, "encrypted %B", &this->encrypted);
+
+	return SUCCESS;
+}
+
+/**
+ * Parse the payloads after decryption.
+ */
+static status_t parse(private_encrypted_payload_t *this, chunk_t plain)
+{
+	parser_t *parser;
+	payload_type_t type;
+
+	parser = parser_create(plain);
+	type = this->next_payload;
+	while (type != PL_NONE)
+	{
+		payload_t *payload;
+
+		if (plain.len < 4 || untoh16(plain.ptr + 2) > plain.len)
+		{
+			DBG1(DBG_ENC, "invalid %N payload length, decryption failed?",
+				 payload_type_names, type);
+			parser->destroy(parser);
+			return PARSE_ERROR;
+		}
+		if (parser->parse_payload(parser, type, &payload) != SUCCESS)
+		{
+			parser->destroy(parser);
+			return PARSE_ERROR;
+		}
+		if (payload->verify(payload) != SUCCESS)
+		{
+			DBG1(DBG_ENC, "%N verification failed",
+				 payload_type_names, payload->get_type(payload));
+			payload->destroy(payload);
+			parser->destroy(parser);
+			return VERIFY_ERROR;
+		}
+		type = payload->get_next_type(payload);
+		this->payloads->insert_last(this->payloads, payload);
+	}
+	parser->destroy(parser);
+	DBG2(DBG_ENC, "parsed content of encrypted payload");
+	return SUCCESS;
+}
+
+/**
+ * Decrypts the given data in-place and returns a chunk pointing to the
+ * resulting plaintext.
+ */
+static status_t decrypt_content(char *label, aead_t *aead, chunk_t encrypted,
+								chunk_t assoc, chunk_t *plain)
+{
+	chunk_t iv, padding, icv, crypt;
+	size_t bs;
+
+	/* prepare data to authenticate-decrypt:
+	 * | IV | plain | padding | ICV |
+	 *       \____crypt______/   ^
+	 *              |           /
+	 *              v          /
+	 *     assoc -> + ------->/
+	 */
+	bs = aead->get_block_size(aead);
+	iv.len = aead->get_iv_size(aead);
+	iv.ptr = encrypted.ptr;
+	icv.len = aead->get_icv_size(aead);
+	icv.ptr = encrypted.ptr + encrypted.len - icv.len;
+	crypt.ptr = iv.ptr + iv.len;
+	crypt.len = encrypted.len - iv.len;
+
+	if (iv.len + icv.len > encrypted.len ||
+		(crypt.len - icv.len) % bs)
+	{
+		DBG1(DBG_ENC, "decrypting %s payload failed, invalid length", label);
+		return FAILED;
+	}
+
+	DBG3(DBG_ENC, "%s decryption:", label);
+	DBG3(DBG_ENC, "IV %B", &iv);
+	DBG3(DBG_ENC, "encrypted %B", &crypt);
+	DBG3(DBG_ENC, "ICV %B", &icv);
+	DBG3(DBG_ENC, "assoc %B", &assoc);
+
+	if (!aead->decrypt(aead, crypt, assoc, iv, NULL))
+	{
+		DBG1(DBG_ENC, "verifying %s integrity failed", label);
+		return FAILED;
+	}
+
+	*plain = chunk_create(crypt.ptr, crypt.len - icv.len);
+	padding.len = plain->ptr[plain->len - 1] + 1;
+	if (padding.len > plain->len)
+	{
+		DBG1(DBG_ENC, "decrypting %s failed, padding invalid %B", label,
+			 &crypt);
+		return PARSE_ERROR;
+	}
+	plain->len -= padding.len;
+	padding.ptr = plain->ptr + plain->len;
+
+	DBG3(DBG_ENC, "plain %B", plain);
+	DBG3(DBG_ENC, "padding %B", &padding);
+	return SUCCESS;
+}
+
+METHOD(encrypted_payload_t, decrypt, status_t,
+	private_encrypted_payload_t *this, chunk_t assoc)
+{
+	chunk_t plain;
+	status_t status;
+
+	if (this->aead == NULL)
+	{
+		DBG1(DBG_ENC, "decrypting encrypted payload failed, transform missing");
+		return INVALID_STATE;
+	}
+
+	assoc = append_header(this, assoc);
+	status = decrypt_content("encrypted payload", this->aead, this->encrypted,
+							 assoc, &plain);
+	free(assoc.ptr);
+
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+	return parse(this, plain);
+}
+
+METHOD(encrypted_payload_t, decrypt_plain, status_t,
+	private_encrypted_payload_t *this, chunk_t assoc)
+{
+	if (!this->encrypted.ptr)
+	{
+		return FAILED;
+	}
+	return parse(this, this->encrypted);
+}
+
+METHOD(encrypted_payload_t, decrypt_v1, status_t,
+	private_encrypted_payload_t *this, chunk_t iv)
+{
+	if (this->aead == NULL)
+	{
+		DBG1(DBG_ENC, "decryption failed, transform missing");
+		return INVALID_STATE;
+	}
+
+	/* data must be a multiple of block size */
+	if (iv.len != this->aead->get_block_size(this->aead) ||
+		this->encrypted.len < iv.len || this->encrypted.len % iv.len)
+	{
+		DBG1(DBG_ENC, "decryption failed, invalid length");
+		return FAILED;
+	}
+
+	DBG3(DBG_ENC, "decrypting payloads:");
+	DBG3(DBG_ENC, "encrypted %B", &this->encrypted);
+
+	if (!this->aead->decrypt(this->aead, this->encrypted, chunk_empty, iv, NULL))
+	{
+		return FAILED;
+	}
+
+	DBG3(DBG_ENC, "plain %B", &this->encrypted);
+
+	return parse(this, this->encrypted);
+}
+
+METHOD(encrypted_payload_t, set_transform, void,
+	private_encrypted_payload_t *this, aead_t* aead)
+{
+	this->aead = aead;
+}
+
+METHOD2(payload_t, encrypted_payload_t, destroy, void,
+	private_encrypted_payload_t *this)
+{
+	this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
+	free(this->encrypted.ptr);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+encrypted_payload_t *encrypted_payload_create(payload_type_t type)
+{
+	private_encrypted_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_length = _get_length,
+			.add_payload = _add_payload,
+			.remove_payload = _remove_payload,
+			.generate_payloads = _generate_payloads,
+			.set_transform = _set_transform,
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.destroy = _destroy,
+		},
+		.next_payload = PL_NONE,
+		.payloads = linked_list_create(),
+		.type = type,
+	);
+	this->payload_length = get_header_length(this);
+
+	if (type == PLV1_ENCRYPTED)
+	{
+		this->public.encrypt = _encrypt_v1;
+		this->public.decrypt = _decrypt_v1;
+	}
+
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+encrypted_payload_t *encrypted_payload_create_from_plain(payload_type_t next,
+														 chunk_t plain)
+{
+	private_encrypted_payload_t *this;
+
+	this = (private_encrypted_payload_t*)encrypted_payload_create(PLV2_ENCRYPTED);
+	this->public.decrypt = _decrypt_plain;
+	this->next_payload = next;
+	this->encrypted = plain;
+	compute_length(this);
+
+	return &this->public;
+}
+
+METHOD(payload_t, frag_verify, status_t,
+	private_encrypted_fragment_payload_t *this)
+{
+	if (!this->fragment_number || !this->total_fragments ||
+		this->fragment_number > this->total_fragments)
+	{
+		DBG1(DBG_ENC, "invalid fragment number (%u) or total fragments (%u)",
+			 this->fragment_number, this->total_fragments);
+		return FAILED;
+	}
+	if (this->fragment_number > 1 && this->next_payload != 0)
+	{
+		DBG1(DBG_ENC, "invalid next payload (%u) for fragment %u, ignored",
+			 this->next_payload, this->fragment_number);
+		this->next_payload = 0;
+	}
+	return SUCCESS;
+}
+
+METHOD(payload_t, frag_get_encoding_rules, int,
+	private_encrypted_fragment_payload_t *this, encoding_rule_t **rules)
+{
+	*rules = encodings_fragment;
+	return countof(encodings_fragment);
+}
+
+METHOD(payload_t, frag_get_header_length, int,
+	private_encrypted_fragment_payload_t *this)
+{
+	return 8;
+}
+
+METHOD(payload_t, frag_get_type, payload_type_t,
+	private_encrypted_fragment_payload_t *this)
+{
+	return PLV2_FRAGMENT;
+}
+
+METHOD(payload_t, frag_get_next_type, payload_type_t,
+	private_encrypted_fragment_payload_t *this)
+{
+	return this->next_payload;
+}
+
+METHOD(payload_t, frag_set_next_type, void,
+	private_encrypted_fragment_payload_t *this, payload_type_t type)
+{
+	if (this->fragment_number == 1 && this->next_payload == PL_NONE)
+	{
+		this->next_payload = type;
+	}
+}
+
+METHOD2(payload_t, encrypted_payload_t, frag_get_length, size_t,
+	private_encrypted_fragment_payload_t *this)
+{
+	if (this->encrypted.len)
+	{
+		this->payload_length = this->encrypted.len;
+	}
+	else
+	{
+		this->payload_length = this->plain.len;
+
+		if (this->aead)
+		{
+			this->payload_length += compute_overhead(this->aead,
+													 this->payload_length);
+		}
+	}
+	this->payload_length += frag_get_header_length(this);
+	return this->payload_length;
+}
+
+METHOD(encrypted_fragment_payload_t, get_fragment_number, u_int16_t,
+	private_encrypted_fragment_payload_t *this)
+{
+	return this->fragment_number;
+}
+
+METHOD(encrypted_fragment_payload_t, get_total_fragments, u_int16_t,
+	private_encrypted_fragment_payload_t *this)
+{
+	return this->total_fragments;
+}
+
+METHOD(encrypted_fragment_payload_t, frag_get_content, chunk_t,
+	private_encrypted_fragment_payload_t *this)
+{
+	return this->plain;
+}
+
+METHOD(encrypted_payload_t, frag_add_payload, void,
+	private_encrypted_fragment_payload_t *this, payload_t* payload)
+{
+	payload->destroy(payload);
+}
+
+METHOD(encrypted_payload_t, frag_set_transform, void,
+	private_encrypted_fragment_payload_t *this, aead_t* aead)
+{
+	this->aead = aead;
+}
+
+/**
+ * Append the encrypted fragment payload header to the associated data
+ */
+static chunk_t append_header_frag(private_encrypted_fragment_payload_t *this,
+								  chunk_t assoc)
+{
+	struct {
+		u_int8_t next_payload;
+		u_int8_t flags;
+		u_int16_t length;
+		u_int16_t fragment_number;
+		u_int16_t total_fragments;
+	} __attribute__((packed)) header = {
+		.next_payload = this->next_payload,
+		.flags = this->flags,
+		.length = htons(frag_get_length(this)),
+		.fragment_number = htons(this->fragment_number),
+		.total_fragments = htons(this->total_fragments),
+	};
+	return chunk_cat("cc", assoc, chunk_from_thing(header));
+}
+
+METHOD(encrypted_payload_t, frag_encrypt, status_t,
+	private_encrypted_fragment_payload_t *this, u_int64_t mid, chunk_t assoc)
+{
+	status_t status;
+
+	if (!this->aead)
+	{
+		DBG1(DBG_ENC, "encrypting encrypted fragment payload failed, "
+			 "transform missing");
+		return INVALID_STATE;
+	}
+	free(this->encrypted.ptr);
+	assoc = append_header_frag(this, assoc);
+	status = encrypt_content("encrypted fragment payload", this->aead, mid,
+							 this->plain, assoc, &this->encrypted);
+	free(assoc.ptr);
+	return status;
+}
+
+METHOD(encrypted_payload_t, frag_decrypt, status_t,
+	private_encrypted_fragment_payload_t *this, chunk_t assoc)
+{
+	status_t status;
+
+	if (!this->aead)
+	{
+		DBG1(DBG_ENC, "decrypting encrypted fragment payload failed, "
+			 "transform missing");
+		return INVALID_STATE;
+	}
+	free(this->plain.ptr);
+	assoc = append_header_frag(this, assoc);
+	status = decrypt_content("encrypted fragment payload", this->aead,
+							 this->encrypted, assoc, &this->plain);
+	this->plain = chunk_clone(this->plain);
+	free(assoc.ptr);
+	return status;
+}
+
+METHOD2(payload_t, encrypted_payload_t, frag_destroy, void,
+	private_encrypted_fragment_payload_t *this)
+{
+	free(this->encrypted.ptr);
+	free(this->plain.ptr);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+encrypted_fragment_payload_t *encrypted_fragment_payload_create()
+{
+	private_encrypted_fragment_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypted = {
+				.payload_interface = {
+					.verify = _frag_verify,
+					.get_encoding_rules = _frag_get_encoding_rules,
+					.get_header_length = _frag_get_header_length,
+					.get_length = _frag_get_length,
+					.get_next_type = _frag_get_next_type,
+					.set_next_type = _frag_set_next_type,
+					.get_type = _frag_get_type,
+					.destroy = _frag_destroy,
+				},
+				.get_length = _frag_get_length,
+				.add_payload = _frag_add_payload,
+				.remove_payload = (void*)return_null,
+				.generate_payloads = nop,
+				.set_transform = _frag_set_transform,
+				.encrypt = _frag_encrypt,
+				.decrypt = _frag_decrypt,
+				.destroy = _frag_destroy,
+			},
+			.get_fragment_number = _get_fragment_number,
+			.get_total_fragments = _get_total_fragments,
+			.get_content = _frag_get_content,
+		},
+		.next_payload = PL_NONE,
+	);
+	this->payload_length = frag_get_header_length(this);
+
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+encrypted_fragment_payload_t *encrypted_fragment_payload_create_from_data(
+								u_int16_t num, u_int16_t total, chunk_t plain)
+{
+	private_encrypted_fragment_payload_t *this;
+
+	this = (private_encrypted_fragment_payload_t*)encrypted_fragment_payload_create();
+	this->fragment_number = num;
+	this->total_fragments = total;
+	this->plain = chunk_clone(plain);
+
+	return &this->public;
+}
diff --git a/src/libcharon/encoding/payloads/encrypted_payload.h b/src/libcharon/encoding/payloads/encrypted_payload.h
new file mode 100644
index 0000000..be59e3c
--- /dev/null
+++ b/src/libcharon/encoding/payloads/encrypted_payload.h
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup encrypted_payload encrypted_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef ENCRYPTED_PAYLOAD_H_
+#define ENCRYPTED_PAYLOAD_H_
+
+typedef struct encrypted_payload_t encrypted_payload_t;
+
+#include <library.h>
+#include <crypto/aead.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/generator.h>
+
+/**
+ * The encrypted payload as described in RFC section 3.14.
+ */
+struct encrypted_payload_t {
+
+	/**
+	 * Implements payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Get the payload length.
+	 *
+	 * @return			(expected) payload length
+	 */
+	size_t (*get_length)(encrypted_payload_t *this);
+
+	/**
+	 * Adds a payload to this encryption payload.
+	 *
+	 * @param payload		payload_t object to add
+	 */
+	void (*add_payload) (encrypted_payload_t *this, payload_t *payload);
+
+	/**
+	 * Remove the first payload in the list
+	 *
+	 * @param payload		removed payload
+	 * @return				payload, NULL if none left
+	 */
+	payload_t* (*remove_payload)(encrypted_payload_t *this);
+
+	/**
+	 * Uses the given generator to generate the contained payloads.
+	 *
+	 * @param generator		generator used to generate the contained payloads
+	 */
+	void (*generate_payloads)(encrypted_payload_t *this,
+							  generator_t *generator);
+
+	/**
+	 * Set the AEAD transform to use.
+	 *
+	 * @param aead		aead transform to use
+	 */
+	void (*set_transform) (encrypted_payload_t *this, aead_t *aead);
+
+	/**
+	 * Generate, encrypt and sign contained payloads.
+	 *
+	 * @param mid			message ID
+	 * @param assoc			associated data
+	 * @return
+	 * 						- SUCCESS if encryption successful
+	 * 						- FAILED if encryption failed
+	 * 						- INVALID_STATE if aead not supplied, but needed
+	 */
+	status_t (*encrypt) (encrypted_payload_t *this, u_int64_t mid,
+						 chunk_t assoc);
+
+	/**
+	 * Decrypt, verify and parse contained payloads.
+	 *
+	 * @param assoc			associated data
+	 * @return
+	 * 						- SUCCESS if parsing successful
+	 *						- PARSE_ERROR if sub-payload parsing failed
+	 * 						- VERIFY_ERROR if sub-payload verification failed
+	 * 						- FAILED if integrity check failed
+	 * 						- INVALID_STATE if aead not supplied, but needed
+	 */
+	status_t (*decrypt) (encrypted_payload_t *this, chunk_t assoc);
+
+	/**
+	 * Destroys an encrypted_payload_t object.
+	 */
+	void (*destroy) (encrypted_payload_t *this);
+};
+
+/**
+ * Creates an empty encrypted_payload_t object.
+ *
+ * @param type		PLV2_ENCRYPTED or PLV1_ENCRYPTED
+ * @return			encrypted_payload_t object
+ */
+encrypted_payload_t *encrypted_payload_create(payload_type_t type);
+
+/**
+ * Creates an encrypted payload with the given plain text data and next payload
+ * type.
+ *
+ * @param next		next payload type
+ * @param plain		plaintext data (gets adopted)
+ * @return			encrypted_payload_t object
+ */
+encrypted_payload_t *encrypted_payload_create_from_plain(payload_type_t next,
+														 chunk_t plain);
+
+#endif /** ENCRYPTED_PAYLOAD_H_ @}*/
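Review bot: The `@return` list on `encrypt` omits NOT_SUPPORTED, which `encrypt_content()` in encrypted_payload.c returns when no RNG or no IV generator is available, so a caller that handles only the three documented codes can misclassify that failure. I would add the line `- NOT_SUPPORTED if no RNG or IV generator is available` to that list. The `remove_payload` comment documents `@param payload removed payload`, but the function takes no such parameter, so that line should be dropped. The struct comment cites "RFC section 3.14" without naming the RFC; presumably the IKEv2 specification is meant, and naming it would make the reference checkable.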
diff --git a/src/libcharon/encoding/payloads/encryption_payload.c b/src/libcharon/encoding/payloads/encryption_payload.c
deleted file mode 100644
index 5784562..0000000
--- a/src/libcharon/encoding/payloads/encryption_payload.c
+++ /dev/null
@@ -1,634 +0,0 @@
-/*
- * Copyright (C) 2005-2010 Martin Willi
- * Copyright (C) 2010 revosec AG
- * Copyright (C) 2011 Tobias Brunner
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-#include <string.h>
-
-#include "encryption_payload.h"
-
-#include <daemon.h>
-#include <encoding/payloads/encodings.h>
-#include <collections/linked_list.h>
-#include <encoding/generator.h>
-#include <encoding/parser.h>
-
-typedef struct private_encryption_payload_t private_encryption_payload_t;
-
-/**
- * Private data of an encryption_payload_t' Object.
- *
- */
-struct private_encryption_payload_t {
-
-	/**
-	 * Public encryption_payload_t interface.
-	 */
-	encryption_payload_t public;
-
-	/**
-	 * There is no next payload for an encryption payload,
-	 * since encryption payload MUST be the last one.
-	 * next_payload means here the first payload of the
-	 * contained, encrypted payload.
-	 */
-	u_int8_t next_payload;
-
-	/**
-	 * Flags, including reserved bits
-	 */
-	u_int8_t flags;
-
-	/**
-	 * Length of this payload
-	 */
-	u_int16_t payload_length;
-
-	/**
-	 * Chunk containing the IV, plain, padding and ICV.
-	 */
-	chunk_t encrypted;
-
-	/**
-	 * AEAD transform to use
-	 */
-	aead_t *aead;
-
-	/**
-	 * Contained payloads
-	 */
-	linked_list_t *payloads;
-
-	/**
-	 * Type of payload, PLV2_ENCRYPTED or PLV1_ENCRYPTED
-	 */
-	payload_type_t type;
-};
-
-/**
- * Encoding rules to parse or generate a IKEv2-Encryption Payload.
- *
- * The defined offsets are the positions in a object of type
- * private_encryption_payload_t.
- */
-static encoding_rule_t encodings_v2[] = {
-	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_encryption_payload_t, next_payload)	},
-	/* Critical and 7 reserved bits, all stored for reconstruction */
-	{ U_INT_8,			offsetof(private_encryption_payload_t, flags)			},
-	/* Length of the whole encryption payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_encryption_payload_t, payload_length)	},
-	/* encrypted data, stored in a chunk. contains iv, data, padding */
-	{ CHUNK_DATA,		offsetof(private_encryption_payload_t, encrypted)		},
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                     Initialization Vector                     !
-      !         (length is block size for encryption algorithm)       !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                    Encrypted IKE Payloads                     !
-      +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !               !             Padding (0-255 octets)            !
-      +-+-+-+-+-+-+-+-+                               +-+-+-+-+-+-+-+-+
-      !                                               !  Pad Length   !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ~                    Integrity Checksum Data                    ~
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-/**
- * Encoding rules to parse or generate a complete encrypted IKEv1 message.
- *
- * The defined offsets are the positions in a object of type
- * private_encryption_payload_t.
- */
-static encoding_rule_t encodings_v1[] = {
-	/* encrypted data, stored in a chunk */
-	{ ENCRYPTED_DATA,	offsetof(private_encryption_payload_t, encrypted)		},
-};
-
-/*
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                    Encrypted IKE Payloads                     !
-      +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !               !             Padding (0-255 octets)            !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-
-METHOD(payload_t, verify, status_t,
-	private_encryption_payload_t *this)
-{
-	return SUCCESS;
-}
-
-METHOD(payload_t, get_encoding_rules, int,
-	private_encryption_payload_t *this, encoding_rule_t **rules)
-{
-	if (this->type == PLV2_ENCRYPTED)
-	{
-		*rules = encodings_v2;
-		return countof(encodings_v2);
-	}
-	*rules = encodings_v1;
-	return countof(encodings_v1);
-}
-
-METHOD(payload_t, get_header_length, int,
-	private_encryption_payload_t *this)
-{
-	if (this->type == PLV2_ENCRYPTED)
-	{
-		return 4;
-	}
-	return 0;
-}
-
-METHOD(payload_t, get_type, payload_type_t,
-	private_encryption_payload_t *this)
-{
-	return this->type;
-}
-
-METHOD(payload_t, get_next_type, payload_type_t,
-	private_encryption_payload_t *this)
-{
-	return this->next_payload;
-}
-
-METHOD(payload_t, set_next_type, void,
-	private_encryption_payload_t *this, payload_type_t type)
-{
-	/* the next payload is set during add, still allow this for IKEv1 */
-	this->next_payload = type;
-}
-
-/**
- * Compute the length of the whole payload
- */
-static void compute_length(private_encryption_payload_t *this)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	size_t bs, length = 0;
-
-	if (this->encrypted.len)
-	{
-		length = this->encrypted.len;
-	}
-	else
-	{
-		enumerator = this->payloads->create_enumerator(this->payloads);
-		while (enumerator->enumerate(enumerator, &payload))
-		{
-			length += payload->get_length(payload);
-		}
-		enumerator->destroy(enumerator);
-
-		if (this->aead)
-		{
-			/* append padding */
-			bs = this->aead->get_block_size(this->aead);
-			length += bs - (length % bs);
-			/* add iv */
-			length += this->aead->get_iv_size(this->aead);
-			/* add icv */
-			length += this->aead->get_icv_size(this->aead);
-		}
-	}
-	length += get_header_length(this);
-	this->payload_length = length;
-}
-
-METHOD2(payload_t, encryption_payload_t, get_length, size_t,
-	private_encryption_payload_t *this)
-{
-	compute_length(this);
-	return this->payload_length;
-}
-
-METHOD(encryption_payload_t, add_payload, void,
-	private_encryption_payload_t *this, payload_t *payload)
-{
-	payload_t *last_payload;
-
-	if (this->payloads->get_count(this->payloads) > 0)
-	{
-		this->payloads->get_last(this->payloads, (void **)&last_payload);
-		last_payload->set_next_type(last_payload, payload->get_type(payload));
-	}
-	else
-	{
-		this->next_payload = payload->get_type(payload);
-	}
-	payload->set_next_type(payload, PL_NONE);
-	this->payloads->insert_last(this->payloads, payload);
-	compute_length(this);
-}
-
-METHOD(encryption_payload_t, remove_payload, payload_t *,
-	private_encryption_payload_t *this)
-{
-	payload_t *payload;
-
-	if (this->payloads->remove_first(this->payloads,
-									 (void**)&payload) == SUCCESS)
-	{
-		return payload;
-	}
-	return NULL;
-}
-
-/**
- * Generate payload before encryption
- */
-static chunk_t generate(private_encryption_payload_t *this,
-						generator_t *generator)
-{
-	payload_t *current, *next;
-	enumerator_t *enumerator;
-	u_int32_t *lenpos;
-	chunk_t chunk = chunk_empty;
-
-	enumerator = this->payloads->create_enumerator(this->payloads);
-	if (enumerator->enumerate(enumerator, &current))
-	{
-		this->next_payload = current->get_type(current);
-
-		while (enumerator->enumerate(enumerator, &next))
-		{
-			current->set_next_type(current, next->get_type(next));
-			generator->generate_payload(generator, current);
-			current = next;
-		}
-		current->set_next_type(current, PL_NONE);
-		generator->generate_payload(generator, current);
-
-		chunk = generator->get_chunk(generator, &lenpos);
-		DBG2(DBG_ENC, "generated content in encryption payload");
-	}
-	enumerator->destroy(enumerator);
-	return chunk;
-}
-
-/**
- * Append the encryption payload header to the associated data
- */
-static chunk_t append_header(private_encryption_payload_t *this, chunk_t assoc)
-{
-	struct {
-		u_int8_t next_payload;
-		u_int8_t flags;
-		u_int16_t length;
-	} __attribute__((packed)) header = {
-		.next_payload = this->next_payload,
-		.flags = this->flags,
-		.length = htons(get_length(this)),
-	};
-	return chunk_cat("cc", assoc, chunk_from_thing(header));
-}
-
-METHOD(encryption_payload_t, encrypt, status_t,
-	private_encryption_payload_t *this, u_int64_t mid, chunk_t assoc)
-{
-	chunk_t iv, plain, padding, icv, crypt;
-	generator_t *generator;
-	iv_gen_t *iv_gen;
-	rng_t *rng;
-	size_t bs;
-
-	if (this->aead == NULL)
-	{
-		DBG1(DBG_ENC, "encrypting encryption payload failed, transform missing");
-		return INVALID_STATE;
-	}
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_ENC, "encrypting encryption payload failed, no RNG found");
-		return NOT_SUPPORTED;
-	}
-
-	iv_gen = this->aead->get_iv_gen(this->aead);
-	if (!iv_gen)
-	{
-		DBG1(DBG_ENC, "encrypting encryption payload failed, no IV generator");
-		return NOT_SUPPORTED;
-	}
-
-	assoc = append_header(this, assoc);
-
-	generator = generator_create();
-	plain = generate(this, generator);
-	bs = this->aead->get_block_size(this->aead);
-	/* we need at least one byte padding to store the padding length */
-	padding.len = bs - (plain.len % bs);
-	iv.len = this->aead->get_iv_size(this->aead);
-	icv.len = this->aead->get_icv_size(this->aead);
-
-	/* prepare data to authenticate-encrypt:
-	 * | IV | plain | padding | ICV |
-	 *       \____crypt______/   ^
-	 *              |           /
-	 *              v          /
-	 *     assoc -> + ------->/
-	 */
-	free(this->encrypted.ptr);
-	this->encrypted = chunk_alloc(iv.len + plain.len + padding.len + icv.len);
-	iv.ptr = this->encrypted.ptr;
-	memcpy(iv.ptr + iv.len, plain.ptr, plain.len);
-	plain.ptr = iv.ptr + iv.len;
-	padding.ptr = plain.ptr + plain.len;
-	icv.ptr = padding.ptr + padding.len;
-	crypt = chunk_create(plain.ptr, plain.len + padding.len);
-	generator->destroy(generator);
-
-	if (!iv_gen->get_iv(iv_gen, mid, iv.len, iv.ptr) ||
-		!rng->get_bytes(rng, padding.len - 1, padding.ptr))
-	{
-		DBG1(DBG_ENC, "encrypting encryption payload failed, no IV or padding");
-		rng->destroy(rng);
-		free(assoc.ptr);
-		return FAILED;
-	}
-	padding.ptr[padding.len - 1] = padding.len - 1;
-	rng->destroy(rng);
-
-	DBG3(DBG_ENC, "encryption payload encryption:");
-	DBG3(DBG_ENC, "IV %B", &iv);
-	DBG3(DBG_ENC, "plain %B", &plain);
-	DBG3(DBG_ENC, "padding %B", &padding);
-	DBG3(DBG_ENC, "assoc %B", &assoc);
-
-	if (!this->aead->encrypt(this->aead, crypt, assoc, iv, NULL))
-	{
-		free(assoc.ptr);
-		return FAILED;
-	}
-
-	DBG3(DBG_ENC, "encrypted %B", &crypt);
-	DBG3(DBG_ENC, "ICV %B", &icv);
-
-	free(assoc.ptr);
-
-	return SUCCESS;
-}
-
-METHOD(encryption_payload_t, encrypt_v1, status_t,
-	private_encryption_payload_t *this, u_int64_t mid, chunk_t iv)
-{
-	generator_t *generator;
-	chunk_t plain, padding;
-	size_t bs;
-
-	if (this->aead == NULL)
-	{
-		DBG1(DBG_ENC, "encryption failed, transform missing");
-		return INVALID_STATE;
-	}
-
-	generator = generator_create();
-	plain = generate(this, generator);
-	bs = this->aead->get_block_size(this->aead);
-	padding.len = bs - (plain.len % bs);
-
-	/* prepare data to encrypt:
-	 * | plain | padding | */
-	free(this->encrypted.ptr);
-	this->encrypted = chunk_alloc(plain.len + padding.len);
-	memcpy(this->encrypted.ptr, plain.ptr, plain.len);
-	plain.ptr = this->encrypted.ptr;
-	padding.ptr = plain.ptr + plain.len;
-	memset(padding.ptr, 0, padding.len);
-	generator->destroy(generator);
-
-	DBG3(DBG_ENC, "encrypting payloads:");
-	DBG3(DBG_ENC, "plain %B", &plain);
-	DBG3(DBG_ENC, "padding %B", &padding);
-
-	if (!this->aead->encrypt(this->aead, this->encrypted, chunk_empty, iv, NULL))
-	{
-		return FAILED;
-	}
-
-	DBG3(DBG_ENC, "encrypted %B", &this->encrypted);
-
-	return SUCCESS;
-}
-
-/**
- * Parse the payloads after decryption.
- */
-static status_t parse(private_encryption_payload_t *this, chunk_t plain)
-{
-	parser_t *parser;
-	payload_type_t type;
-
-	parser = parser_create(plain);
-	type = this->next_payload;
-	while (type != PL_NONE)
-	{
-		payload_t *payload;
-
-		if (plain.len < 4 || untoh16(plain.ptr + 2) > plain.len)
-		{
-			DBG1(DBG_ENC, "invalid %N payload length, decryption failed?",
-				 payload_type_names, type);
-			parser->destroy(parser);
-			return PARSE_ERROR;
-		}
-		if (parser->parse_payload(parser, type, &payload) != SUCCESS)
-		{
-			parser->destroy(parser);
-			return PARSE_ERROR;
-		}
-		if (payload->verify(payload) != SUCCESS)
-		{
-			DBG1(DBG_ENC, "%N verification failed",
-				 payload_type_names, payload->get_type(payload));
-			payload->destroy(payload);
-			parser->destroy(parser);
-			return VERIFY_ERROR;
-		}
-		type = payload->get_next_type(payload);
-		this->payloads->insert_last(this->payloads, payload);
-	}
-	parser->destroy(parser);
-	DBG2(DBG_ENC, "parsed content of encryption payload");
-	return SUCCESS;
-}
-
-METHOD(encryption_payload_t, decrypt, status_t,
-	private_encryption_payload_t *this, chunk_t assoc)
-{
-	chunk_t iv, plain, padding, icv, crypt;
-	size_t bs;
-
-	if (this->aead == NULL)
-	{
-		DBG1(DBG_ENC, "decrypting encryption payload failed, transform missing");
-		return INVALID_STATE;
-	}
-
-	/* prepare data to authenticate-decrypt:
-	 * | IV | plain | padding | ICV |
-	 *       \____crypt______/   ^
-	 *              |           /
-	 *              v          /
-	 *     assoc -> + ------->/
-	 */
-
-	bs = this->aead->get_block_size(this->aead);
-	iv.len = this->aead->get_iv_size(this->aead);
-	iv.ptr = this->encrypted.ptr;
-	icv.len = this->aead->get_icv_size(this->aead);
-	icv.ptr = this->encrypted.ptr + this->encrypted.len - icv.len;
-	crypt.ptr = iv.ptr + iv.len;
-	crypt.len = this->encrypted.len - iv.len;
-
-	if (iv.len + icv.len > this->encrypted.len ||
-		(crypt.len - icv.len) % bs)
-	{
-		DBG1(DBG_ENC, "decrypting encryption payload failed, invalid length");
-		return FAILED;
-	}
-
-	assoc = append_header(this, assoc);
-
-	DBG3(DBG_ENC, "encryption payload decryption:");
-	DBG3(DBG_ENC, "IV %B", &iv);
-	DBG3(DBG_ENC, "encrypted %B", &crypt);
-	DBG3(DBG_ENC, "ICV %B", &icv);
-	DBG3(DBG_ENC, "assoc %B", &assoc);
-
-	if (!this->aead->decrypt(this->aead, crypt, assoc, iv, NULL))
-	{
-		DBG1(DBG_ENC, "verifying encryption payload integrity failed");
-		free(assoc.ptr);
-		return FAILED;
-	}
-	free(assoc.ptr);
-
-	plain = chunk_create(crypt.ptr, crypt.len - icv.len);
-	padding.len = plain.ptr[plain.len - 1] + 1;
-	if (padding.len > plain.len)
-	{
-		DBG1(DBG_ENC, "decrypting encryption payload failed, "
-			 "padding invalid %B", &crypt);
-		return PARSE_ERROR;
-	}
-	plain.len -= padding.len;
-	padding.ptr = plain.ptr + plain.len;
-
-	DBG3(DBG_ENC, "plain %B", &plain);
-	DBG3(DBG_ENC, "padding %B", &padding);
-
-	return parse(this, plain);
-}
-
-METHOD(encryption_payload_t, decrypt_v1, status_t,
-	private_encryption_payload_t *this, chunk_t iv)
-{
-	if (this->aead == NULL)
-	{
-		DBG1(DBG_ENC, "decryption failed, transform missing");
-		return INVALID_STATE;
-	}
-
-	/* data must be a multiple of block size */
-	if (iv.len != this->aead->get_block_size(this->aead) ||
-		this->encrypted.len < iv.len || this->encrypted.len % iv.len)
-	{
-		DBG1(DBG_ENC, "decryption failed, invalid length");
-		return FAILED;
-	}
-
-	DBG3(DBG_ENC, "decrypting payloads:");
-	DBG3(DBG_ENC, "encrypted %B", &this->encrypted);
-
-	if (!this->aead->decrypt(this->aead, this->encrypted, chunk_empty, iv, NULL))
-	{
-		return FAILED;
-	}
-
-	DBG3(DBG_ENC, "plain %B", &this->encrypted);
-
-	return parse(this, this->encrypted);
-}
-
-METHOD(encryption_payload_t, set_transform, void,
-	private_encryption_payload_t *this, aead_t* aead)
-{
-	this->aead = aead;
-}
-
-METHOD2(payload_t, encryption_payload_t, destroy, void,
-	private_encryption_payload_t *this)
-{
-	this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
-	free(this->encrypted.ptr);
-	free(this);
-}
-
-/*
- * Described in header
- */
-encryption_payload_t *encryption_payload_create(payload_type_t type)
-{
-	private_encryption_payload_t *this;
-
-	INIT(this,
-		.public = {
-			.payload_interface = {
-				.verify = _verify,
-				.get_encoding_rules = _get_encoding_rules,
-				.get_header_length = _get_header_length,
-				.get_length = _get_length,
-				.get_next_type = _get_next_type,
-				.set_next_type = _set_next_type,
-				.get_type = _get_type,
-				.destroy = _destroy,
-			},
-			.get_length = _get_length,
-			.add_payload = _add_payload,
-			.remove_payload = _remove_payload,
-			.set_transform = _set_transform,
-			.encrypt = _encrypt,
-			.decrypt = _decrypt,
-			.destroy = _destroy,
-		},
-		.next_payload = PL_NONE,
-		.payloads = linked_list_create(),
-		.type = type,
-	);
-	this->payload_length = get_header_length(this);
-
-	if (type == PLV1_ENCRYPTED)
-	{
-		this->public.encrypt = _encrypt_v1;
-		this->public.decrypt = _decrypt_v1;
-	}
-
-	return &this->public;
-}
diff --git a/src/libcharon/encoding/payloads/encryption_payload.h b/src/libcharon/encoding/payloads/encryption_payload.h
deleted file mode 100644
index ee44c2d..0000000
--- a/src/libcharon/encoding/payloads/encryption_payload.h
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Copyright (C) 2005-2010 Martin Willi
- * Copyright (C) 2010 revosec AG
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup encryption_payload encryption_payload
- * @{ @ingroup payloads
- */
-
-#ifndef ENCRYPTION_PAYLOAD_H_
-#define ENCRYPTION_PAYLOAD_H_
-
-typedef struct encryption_payload_t encryption_payload_t;
-
-#include <library.h>
-#include <crypto/aead.h>
-#include <encoding/payloads/payload.h>
-
-/**
- * The encryption payload as described in RFC section 3.14.
- */
-struct encryption_payload_t {
-
-	/**
-	 * Implements payload_t interface.
-	 */
-	payload_t payload_interface;
-
-	/**
-	 * Get the payload length.
-	 *
-	 * @return			(expected) payload length
-	 */
-	size_t (*get_length)(encryption_payload_t *this);
-
-	/**
-	 * Adds a payload to this encryption payload.
-	 *
-	 * @param payload		payload_t object to add
-	 */
-	void (*add_payload) (encryption_payload_t *this, payload_t *payload);
-
-	/**
-	 * Remove the first payload in the list
-	 *
-	 * @param payload		removed payload
-	 * @return				payload, NULL if none left
-	 */
-	payload_t* (*remove_payload)(encryption_payload_t *this);
-
-	/**
-	 * Set the AEAD transform to use.
-	 *
-	 * @param aead		aead transform to use
-	 */
-	void (*set_transform) (encryption_payload_t *this, aead_t *aead);
-
-	/**
-	 * Generate, encrypt and sign contained payloads.
-	 *
-	 * @param mid			message ID
-	 * @param assoc			associated data
-	 * @return
-	 * 						- SUCCESS if encryption successful
-	 * 						- FAILED if encryption failed
-	 * 						- INVALID_STATE if aead not supplied, but needed
-	 */
-	status_t (*encrypt) (encryption_payload_t *this, u_int64_t mid,
-						 chunk_t assoc);
-
-	/**
-	 * Decrypt, verify and parse contained payloads.
-	 *
-	 * @param assoc			associated data
-	 * @return
-	 * 						- SUCCESS if parsing successful
-	 *						- PARSE_ERROR if sub-payload parsing failed
-	 * 						- VERIFY_ERROR if sub-payload verification failed
-	 * 						- FAILED if integrity check failed
-	 * 						- INVALID_STATE if aead not supplied, but needed
-	 */
-	status_t (*decrypt) (encryption_payload_t *this, chunk_t assoc);
-
-	/**
-	 * Destroys an encryption_payload_t object.
-	 */
-	void (*destroy) (encryption_payload_t *this);
-};
-
-/**
- * Creates an empty encryption_payload_t object.
- *
- * @param type		PLV2_ENCRYPTED or PLV1_ENCRYPTED
- * @return			encryption_payload_t object
- */
-encryption_payload_t *encryption_payload_create(payload_type_t type);
-
-#endif /** ENCRYPTION_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/ike_header.c b/src/libcharon/encoding/payloads/ike_header.c
index 7015667..c96738a 100644
--- a/src/libcharon/encoding/payloads/ike_header.c
+++ b/src/libcharon/encoding/payloads/ike_header.c
@@ -210,8 +210,9 @@ METHOD(payload_t, verify, status_t,
 		case TRANSACTION:
 		case QUICK_MODE:
 		case NEW_GROUP_MODE:
-			if (this->maj_version != IKEV1_MAJOR_VERSION)
+			if (this->maj_version == IKEV2_MAJOR_VERSION)
 			{
+				/* IKEv1 exchange type in IKEv2? */
 				return FAILED;
 			}
 			break;
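Review bot: The version tests in verify() change from "must be the matching version" to "must not be the other version", so a header whose major version is neither IKEV1_MAJOR_VERSION nor IKEV2_MAJOR_VERSION now passes this switch with any exchange type. The same applies to the IKEv2 cases and the `default:` branch in the next hunk. This looks deliberate, presumably so the caller can answer with INVALID_MAJOR_VERSION instead of dropping the packet, but nothing in the code says so, and the remaining checks in verify() now run on headers of unknown versions. I would state the contract once above the switch, e.g. `/* unknown major versions pass here on purpose; the receiver rejects them with INVALID_MAJOR_VERSION */`, after confirming that is where they are rejected. verify() starts and ends outside the hunk.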
@@ -223,14 +224,20 @@ METHOD(payload_t, verify, status_t,
 #ifdef ME
 		case ME_CONNECT:
 #endif /* ME */
-			if (this->maj_version != IKEV2_MAJOR_VERSION)
+			if (this->maj_version == IKEV1_MAJOR_VERSION)
 			{
+				/* IKEv2 exchange type in IKEv1? */
 				return FAILED;
 			}
 			break;
 		default:
-			/* unsupported exchange type */
-			return FAILED;
+			if (this->maj_version == IKEV1_MAJOR_VERSION ||
+				this->maj_version == IKEV2_MAJOR_VERSION)
+			{
+				/* unsupported exchange type for known version */
+				return FAILED;
+			}
+			break;
 	}
 	if (this->initiator_spi == 0)
 	{
@@ -501,4 +508,3 @@ ike_header_t *ike_header_create_version(int major, int minor)
 	}
 	return this;
 }
-
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index dd92e42..94723dd 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -65,7 +65,7 @@ ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_
 	"ME_CONNECT_FAILED");
 ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_NOTIFY_STATUS");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, IFOM_CAPABILITY, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_NOTIFY_STATUS,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
@@ -110,8 +110,10 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, IFOM_CAPABILITY, MS_NOTIFY_STATUS,
 	"PSK_PERSIST",
 	"PSK_CONFIRM",
 	"ERX_SUPPORTED",
-	"IFOM_CAPABILITY");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, IFOM_CAPABILITY,
+	"IFOM_CAPABILITY",
+	"SENDER_REQUEST_ID",
+	"FRAGMENTATION_SUPPORTED");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, FRAGMENTATION_SUPPORTED,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD_R_U_THERE",
@@ -128,7 +130,7 @@ ENUM_NEXT(notify_type_names, ME_MEDIATION, RADIUS_ATTRIBUTE, USE_BEET_MODE,
 	"ME_CONNECTKEY",
 	"ME_CONNECTAUTH",
 	"ME_RESPONSE",
-	"RADIUS_ATTRIBUTE",);
+	"RADIUS_ATTRIBUTE");
 ENUM_END(notify_type_names, RADIUS_ATTRIBUTE);
 
 
@@ -172,7 +174,7 @@ ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_S
 	"ME_CONN_FAIL");
 ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_STATUS");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, IFOM_CAPABILITY, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_NOTIFY_STATUS,
 	"INIT_CONTACT",
 	"SET_WINSIZE",
 	"ADD_TS_POSS",
@@ -217,8 +219,10 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, IFOM_CAPABILITY, MS_NOTIFY_S
 	"PSK_PST",
 	"PSK_CFM",
 	"ERX_SUP",
-	"IFOM_CAP");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, IFOM_CAPABILITY,
+	"IFOM_CAP",
+	"SENDER_REQ_ID",
+	"FRAG_SUP");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, FRAGMENTATION_SUPPORTED,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD",
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index 3c56f06..25521c2 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -147,6 +147,10 @@ enum notify_type_t {
 	ERX_SUPPORTED = 16427,
 	/* IFOM capability, 3GPP TS 24.303, annex B.2 */
 	IFOM_CAPABILITY = 16428,
+	/* SENDER_REQUEST_ID (draft-yeung-g-ikev2) */
+	SENDER_REQUEST_ID = 16429,
+	/* IKEv2 fragmentation supported, RFC 7383 */
+	FRAGMENTATION_SUPPORTED = 16430,
 	/* IKEv1 initial contact */
 	INITIAL_CONTACT_IKEV1 = 24578,
 	/* IKEv1 DPD */
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
index fd61662..600b6dd 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -28,7 +28,8 @@
 #include <encoding/payloads/auth_payload.h>
 #include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/certreq_payload.h>
-#include <encoding/payloads/encryption_payload.h>
+#include <encoding/payloads/encrypted_payload.h>
+#include <encoding/payloads/encrypted_fragment_payload.h>
 #include <encoding/payloads/ts_payload.h>
 #include <encoding/payloads/delete_payload.h>
 #include <encoding/payloads/vendor_id_payload.h>
@@ -59,7 +60,7 @@ ENUM_NEXT(payload_type_names, PLV1_SECURITY_ASSOCIATION, PLV1_CONFIGURATION, PL_
 ENUM_NEXT(payload_type_names, PLV1_NAT_D, PLV1_NAT_OA, PLV1_CONFIGURATION,
 	"NAT_D_V1",
 	"NAT_OA_V1");
-ENUM_NEXT(payload_type_names, PLV2_SECURITY_ASSOCIATION, PLV2_GSPM, PLV1_NAT_OA,
+ENUM_NEXT(payload_type_names, PLV2_SECURITY_ASSOCIATION, PLV2_FRAGMENT, PLV1_NAT_OA,
 	"SECURITY_ASSOCIATION",
 	"KEY_EXCHANGE",
 	"ID_INITIATOR",
@@ -76,16 +77,20 @@ ENUM_NEXT(payload_type_names, PLV2_SECURITY_ASSOCIATION, PLV2_GSPM, PLV1_NAT_OA,
 	"ENCRYPTED",
 	"CONFIGURATION",
 	"EAP",
-	"GSPM");
+	"GSPM",
+	"GROUP_ID",
+	"GROUP_SECURITY_ASSOCIATION",
+	"KEY_DOWNLOAD",
+	"ENCRYPTED_FRAGMENT");
 #ifdef ME
-ENUM_NEXT(payload_type_names, PLV2_ID_PEER, PLV2_ID_PEER, PLV2_GSPM,
+ENUM_NEXT(payload_type_names, PLV2_ID_PEER, PLV2_ID_PEER, PLV2_FRAGMENT,
 	"ID_PEER");
 ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_ID_PEER,
 	"NAT_D_DRAFT_V1",
 	"NAT_OA_DRAFT_V1",
 	"FRAGMENT");
 #else
-ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_GSPM,
+ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_FRAGMENT,
 	"NAT_D_DRAFT_V1",
 	"NAT_OA_DRAFT_V1",
 	"FRAGMENT");
@@ -125,7 +130,7 @@ ENUM_NEXT(payload_type_short_names, PLV1_SECURITY_ASSOCIATION, PLV1_CONFIGURATIO
 ENUM_NEXT(payload_type_short_names, PLV1_NAT_D, PLV1_NAT_OA, PLV1_CONFIGURATION,
 	"NAT-D",
 	"NAT-OA");
-ENUM_NEXT(payload_type_short_names, PLV2_SECURITY_ASSOCIATION, PLV2_GSPM, PLV1_NAT_OA,
+ENUM_NEXT(payload_type_short_names, PLV2_SECURITY_ASSOCIATION, PLV2_FRAGMENT, PLV1_NAT_OA,
 	"SA",
 	"KE",
 	"IDi",
@@ -142,16 +147,20 @@ ENUM_NEXT(payload_type_short_names, PLV2_SECURITY_ASSOCIATION, PLV2_GSPM, PLV1_N
 	"E",
 	"CP",
 	"EAP",
-	"GSPM");
+	"GSPM",
+	"IDg",
+	"GSA",
+	"KD",
+	"EF");
 #ifdef ME
-ENUM_NEXT(payload_type_short_names, PLV2_ID_PEER, PLV2_ID_PEER, PLV2_GSPM,
+ENUM_NEXT(payload_type_short_names, PLV2_ID_PEER, PLV2_ID_PEER, PLV2_FRAGMENT,
 	"IDp");
 ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_ID_PEER,
 	"NAT-D",
 	"NAT-OA",
 	"FRAG");
 #else
-ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_GSPM,
+ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_FRAGMENT,
 	"NAT-D",
 	"NAT-OA",
 	"FRAG");
@@ -244,9 +253,11 @@ payload_t *payload_create(payload_type_t type)
 			return (payload_t*)eap_payload_create();
 		case PLV2_ENCRYPTED:
 		case PLV1_ENCRYPTED:
-			return (payload_t*)encryption_payload_create(type);
+			return (payload_t*)encrypted_payload_create(type);
 		case PLV1_FRAGMENT:
 			return (payload_t*)fragment_payload_create();
+		case PLV2_FRAGMENT:
+			return (payload_t*)encrypted_fragment_payload_create();
 		default:
 			return (payload_t*)unknown_payload_create(type);
 	}
@@ -261,15 +272,19 @@ bool payload_is_known(payload_type_t type)
 	{
 		return TRUE;
 	}
-	if (type >= PLV2_SECURITY_ASSOCIATION && type <= PLV2_EAP)
+	if (type >= PLV1_SECURITY_ASSOCIATION && type <= PLV1_CONFIGURATION)
 	{
 		return TRUE;
 	}
-	if (type >= PLV1_SECURITY_ASSOCIATION && type <= PLV1_CONFIGURATION)
+	if (type >= PLV1_NAT_D && type <= PLV1_NAT_OA)
 	{
 		return TRUE;
 	}
-	if (type >= PLV1_NAT_D && type <= PLV1_NAT_OA)
+	if (type >= PLV2_SECURITY_ASSOCIATION && type <= PLV2_EAP)
+	{
+		return TRUE;
+	}
+	if (type == PLV2_FRAGMENT)
 	{
 		return TRUE;
 	}
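Review bot: payload_is_known() accepts PLV2_SECURITY_ASSOCIATION through PLV2_EAP and then PLV2_FRAGMENT alone, so PLV2_GSPM, PLV2_IDG, PLV2_GSA and PLV2_KD report as not known even though this commit gives them entries in payload_type_names. If the gap is intended (the payload_create() hunk adds no constructor for them, so they presumably fall through to unknown_payload_create()), a comment on the new test would stop someone from later widening the range to `<= PLV2_FRAGMENT`: `/* 49-52 (GSPM, IDg, GSA, KD) are named but not implemented, keep them unknown */`. The function continues past the end of the hunk.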
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
index d9dd619..036cd42 100644
--- a/src/libcharon/encoding/payloads/payload.h
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -193,7 +193,7 @@ enum payload_type_t {
 	PLV2_TS_RESPONDER = 45,
 
 	/**
-	 * Encryption payload, contains other payloads (E).
+	 * Encrypted payload, contains other payloads (E).
 	 */
 	PLV2_ENCRYPTED = 46,
 
@@ -212,6 +212,26 @@ enum payload_type_t {
 	 */
 	PLV2_GSPM = 49,
 
+	/**
+	 * Group Identification (draft-yeung-g-ikev2)
+	 */
+	PLV2_IDG = 50,
+
+	/**
+	 * Group Security Association (draft-yeung-g-ikev2)
+	 */
+	PLV2_GSA = 51,
+
+	/**
+	 * Key Download (draft-yeung-g-ikev2)
+	 */
+	PLV2_KD = 52,
+
+	/**
+	 * Encrypted fragment payload (SKF), RFC 7383
+	 */
+	PLV2_FRAGMENT = 53,
+
 #ifdef ME
 	/**
 	 * Identification payload for peers has a value from
@@ -231,7 +251,7 @@ enum payload_type_t {
 	PLV1_NAT_OA_DRAFT_00_03 = 131,
 
 	/**
-	 * IKE fragment (proprietary IKEv1 extension)
+	 * IKEv1 fragment (proprietary IKEv1 extension)
 	 */
 	PLV1_FRAGMENT = 132,
 
diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c
index 8e3a012..407038a 100644
--- a/src/libcharon/encoding/payloads/sa_payload.c
+++ b/src/libcharon/encoding/payloads/sa_payload.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2014 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -296,7 +296,7 @@ METHOD(sa_payload_t, get_proposals, linked_list_t*,
 	linked_list_t *substructs, *list;
 
 	if (this->type == PLV1_SECURITY_ASSOCIATION)
-	{	/* IKEv1 proposals start with 0 */
+	{	/* IKEv1 proposals may start with 0 or 1 (or any other number really) */
 		struct_number = ignore_struct_number = -1;
 	}
 
@@ -309,17 +309,22 @@ METHOD(sa_payload_t, get_proposals, linked_list_t*,
 	enumerator = this->proposals->create_enumerator(this->proposals);
 	while (enumerator->enumerate(enumerator, &substruct))
 	{
+		int current_number = substruct->get_proposal_number(substruct);
+
 		/* check if a proposal has a single protocol */
-		if (substruct->get_proposal_number(substruct) == struct_number)
+		if (current_number == struct_number)
 		{
 			if (ignore_struct_number < struct_number)
-			{	/* remove an already added, if first of series */
+			{	/* remove an already added substruct, if first of series */
 				substructs->remove_last(substructs, (void**)&substruct);
 				ignore_struct_number = struct_number;
 			}
 			continue;
 		}
-		struct_number++;
+		/* for IKEv1 the numbers don't have to be consecutive, for IKEv2 they do
+		 * but since we don't really care for the actual number we accept them
+		 * anyway. we already verified that they increase monotonically. */
+		struct_number = current_number;
 		substructs->insert_last(substructs, substruct);
 	}
 	enumerator->destroy(enumerator);
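Review bot: `struct_number = current_number;` makes the grouping of substructures depend entirely on the invariant the new comment cites, that proposal numbers were already checked to increase monotonically. That check is not in this hunk, and the loop itself does not enforce it. The comment should name where the check happens (presumably this payload's verify()) so the dependency is traceable, for example `/* verify() rejects decreasing proposal numbers, so a number seen here is either the current one or a new, larger one */`. The doc comment for get_proposals() should likewise say it must only be called on a verified payload. The method starts and ends outside the hunk.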
@@ -364,7 +369,7 @@ METHOD(sa_payload_t, get_ipcomp_proposals, linked_list_t*,
 		}
 		if (proposal_number != current_proposal)
 		{	/* start of a new proposal */
-			if (espah && ipcomp)
+			if (espah && ipcomp && ipcomp->get_cpi(ipcomp, NULL))
 			{	/* previous proposal is valid */
 				break;
 			}
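Review bot: The added `ipcomp->get_cpi(ipcomp, NULL)` term passes NULL as the output argument and uses only the return value, and the call site does not explain either choice. Whether get_cpi() tolerates a NULL pointer cannot be seen from this hunk and should be confirmed against its declaration. The existing comment no longer describes the whole condition; something like `{	/* previous proposal is valid: ESP/AH plus an IPComp substructure that carries a CPI */` would. If the same validity test is repeated after the loop, it should get the same extra term. get_ipcomp_proposals() starts and ends outside the hunk.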
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index a2a3b1f..5ce9471 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -524,8 +524,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 #ifdef USE_IKEV2
 			send_notify(message, IKEV2_MAJOR_VERSION, INFORMATIONAL,
 						INVALID_MAJOR_VERSION, chunk_empty);
-#endif /* USE_IKEV2 */
-#ifdef USE_IKEV1
+#elif defined(USE_IKEV1)
 			send_notify(message, IKEV1_MAJOR_VERSION, INFORMATIONAL_V1,
 						INVALID_MAJOR_VERSION, chunk_empty);
 #endif /* USE_IKEV1 */
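Review bot: After the switch to `#elif defined(USE_IKEV1)`, the closing `#endif /* USE_IKEV1 */` terminates the block opened by `#ifdef USE_IKEV2`, so its trailing comment names the wrong condition; `#endif /* USE_IKEV2 */` would match the opener. The change also means a build with both macros defined sends only the IKEv2 INVALID_MAJOR_VERSION notify where the old code sent both. That deserves a one-line comment above the block, such as `/* reply with a single notify, preferring IKEv2 */`. receive_packets() starts and ends outside the hunk.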
@@ -684,4 +683,3 @@ receiver_t *receiver_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 0655959..c3b014c 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 287c94a..50594a4 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 9fd5150..700a421 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index edda93e..08101d5 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index 5670f43..679d2da 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index da364b0..768c2b3 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -233,6 +233,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -293,6 +294,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -358,6 +360,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -405,6 +409,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index d408cd2..3484e08 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index 97432f1..381d7a1 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -242,6 +242,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -302,6 +303,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -367,6 +369,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -414,6 +418,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 5b20fe5..3b0f876 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -236,6 +236,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -296,6 +297,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -361,6 +363,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -408,6 +412,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index d0ee198..839a379 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -237,6 +237,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -297,6 +298,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -362,6 +364,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -409,6 +413,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index 78b66ac..fdbad62 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 7f18792..9675104 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -234,6 +234,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -294,6 +295,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -359,6 +361,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -406,6 +410,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 5275a34..0610b58 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 5dd623d..38c9d0b 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -234,6 +234,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -294,6 +295,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -359,6 +361,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -406,6 +410,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index c0e4219..f5dfd68 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 615a916..5ccd581 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -236,6 +236,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -296,6 +297,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -361,6 +363,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -408,6 +412,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index cd4355d..04cc422 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -237,6 +237,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -297,6 +298,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -362,6 +364,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -409,6 +413,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 6719497..60d12dc 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -414,6 +414,30 @@ static void add_unity_attribute(eap_radius_provider_t *provider, u_int32_t id,
 }
 
 /**
+ * Add a DNS/NBNS configuration attribute
+ */
+static void add_nameserver_attribute(eap_radius_provider_t *provider,
+									 u_int32_t id, int type, chunk_t data)
+{
+	/* these are from different vendors, but there is currently no conflict */
+	switch (type)
+	{
+		case  5: /* CVPN3000-Primary-DNS */
+		case  6: /* CVPN3000-Secondary-DNS */
+		case 28: /* MS-Primary-DNS-Server */
+		case 29: /* MS-Secondary-DNS-Server */
+			provider->add_attribute(provider, id, INTERNAL_IP4_DNS, data);
+			break;
+		case  7: /* CVPN3000-Primary-WINS */
+		case  8: /* CVPN3000-Secondary-WINS */
+		case 30: /* MS-Primary-NBNS-Server */
+		case 31: /* MS-Secondary-NBNS-Server */
+			provider->add_attribute(provider, id, INTERNAL_IP4_NBNS, data);
+			break;
+	}
+}
+
+/**
  * Add a UNITY_LOCAL_LAN or UNITY_SPLIT_INCLUDE attribute
  */
 static void add_unity_split_attribute(eap_radius_provider_t *provider,
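Review bot: add_nameserver_attribute() switches on the bare attribute number and never sees the vendor, so it is only correct while every caller has already filtered by vendor. The comment says there is currently no conflict, yet process_cfg_attributes() in this same commit lists 28 and 29 under the Cisco vendor as CVPN3000-IPSec-Default-Domain and CVPN3000-IPSec-Split-DNS-Names, which this helper would install as INTERNAL_IP4_DNS if they were ever forwarded to it. Because the result is handed to VPN clients as their resolver address, I would have the callers pass INTERNAL_IP4_DNS or INTERNAL_IP4_NBNS directly, or pass the vendor down and switch on it first. If the helper stays as it is, extend the comment to `/* callers must filter by vendor first: 28/29 have a different meaning for Cisco */` and add `default: break;` so the ignore-the-rest intent is explicit.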
@@ -515,6 +539,16 @@ static void process_cfg_attributes(radius_message_t *msg)
 			{
 				switch (type)
 				{
+					case  5: /* CVPN3000-Primary-DNS */
+					case  6: /* CVPN3000-Secondary-DNS */
+					case  7: /* CVPN3000-Primary-WINS */
+					case  8: /* CVPN3000-Secondary-WINS */
+						if (data.len == 4)
+						{
+							add_nameserver_attribute(provider,
+									ike_sa->get_unique_id(ike_sa), type, data);
+						}
+						break;
 					case 15: /* CVPN3000-IPSec-Banner1 */
 					case 28: /* CVPN3000-IPSec-Default-Domain */
 					case 29: /* CVPN3000-IPSec-Split-DNS-Names */
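Review bot: A nameserver attribute whose length is not 4 is discarded without any trace, both here and in the PEN_MICROSOFT switch added further down in the same function. The length check is the right guard before the value is installed as INTERNAL_IP4_DNS or INTERNAL_IP4_NBNS, but an operator gets no hint that the RADIUS server sent something unusable. An else branch would make a misconfigured or unexpected server visible in the log, for example `else { DBG1(DBG_CFG, "ignoring RADIUS nameserver attribute %d with invalid length", type); }`. process_cfg_attributes() starts and ends outside this hunk, so the declared type of `type` should be checked against the format specifier.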
@@ -546,6 +580,22 @@ static void process_cfg_attributes(radius_message_t *msg)
 						break;
 				}
 			}
+			if (vendor == PEN_MICROSOFT)
+			{
+				switch (type)
+				{
+					case 28: /* MS-Primary-DNS-Server */
+					case 29: /* MS-Secondary-DNS-Server */
+					case 30: /* MS-Primary-NBNS-Server */
+					case 31: /* MS-Secondary-NBNS-Server */
+						if (data.len == 4)
+						{
+							add_nameserver_attribute(provider,
+									ike_sa->get_unique_id(ike_sa), type, data);
+						}
+						break;
+				}
+			}
 		}
 		enumerator->destroy(enumerator);
 
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index 0020c5d..31c96d2 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -488,6 +488,16 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 	message->add(message, RAT_ACCT_SESSION_ID,
 				 chunk_create(entry->sid, strlen(entry->sid)));
 
+	if (!entry->interim.interval)
+	{
+		entry->interim.interval = lib->settings->get_time(lib->settings,
+					"%s.plugins.eap-radius.accounting_interval", 0, lib->ns);
+		if (entry->interim.interval)
+		{
+			DBG1(DBG_CFG, "scheduling RADIUS Interim-Updates every %us",
+				 entry->interim.interval);
+		}
+	}
 	schedule_interim(this, entry);
 	this->mutex->unlock(this->mutex);
 
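Review bot: The fallback read from `accounting_interval` is used as configured, with no lower bound, so a very small value would make each accounted session send Interim-Updates almost continuously to the RADIUS server. RFC 2869 asks that Acct-Interim-Interval not be smaller than 60 seconds; applying the same floor to the configured value, or at least warning, would fit here, e.g. `if (entry->interim.interval && entry->interim.interval < 60) DBG1(DBG_CFG, "RADIUS accounting_interval is below 60s");`. A one-line comment above the `if (!entry->interim.interval)` test would also help, such as `/* no interval set for this entry yet, fall back to the configured default */`; where the per-entry value is otherwise set is not visible in this hunk. send_start() starts and ends outside the hunk.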
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 494efd9..6a00ea7 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -236,6 +236,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -296,6 +297,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -361,6 +363,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -408,6 +412,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 82e7561..7a08f4e 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -237,6 +237,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -297,6 +298,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -362,6 +364,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -409,6 +413,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 9a7a190..a1ec7ad 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -238,6 +238,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -298,6 +299,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -363,6 +365,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -410,6 +414,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 886b0c5..bf99ab0 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -238,6 +238,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -298,6 +299,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -363,6 +365,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -410,6 +414,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 57c6424..ce46023 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -237,6 +237,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -297,6 +298,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -362,6 +364,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -409,6 +413,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index eb4d3fa..0c0b7fd 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -236,6 +236,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -296,6 +297,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -361,6 +363,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -408,6 +412,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index c63d56b..25696f5 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index 97552df..2d5d658 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -236,6 +236,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -296,6 +297,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -361,6 +363,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -408,6 +412,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 70cc184..38c7632 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -237,6 +237,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -297,6 +298,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -362,6 +364,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -409,6 +413,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index 0782dde..d9fa454 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -243,6 +243,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -303,6 +304,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -368,6 +370,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -415,6 +419,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/ext_auth/Makefile.am b/src/libcharon/plugins/ext_auth/Makefile.am
new file mode 100644
index 0000000..d51ea88
--- /dev/null
+++ b/src/libcharon/plugins/ext_auth/Makefile.am
@@ -0,0 +1,18 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ext-auth.la
+else
+plugin_LTLIBRARIES = libstrongswan-ext-auth.la
+endif
+
+libstrongswan_ext_auth_la_SOURCES = ext_auth_plugin.h ext_auth_plugin.c \
+	ext_auth_listener.h ext_auth_listener.c
+
+libstrongswan_ext_auth_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in
new file mode 100644
index 0000000..a1b47dd
--- /dev/null
+++ b/src/libcharon/plugins/ext_auth/Makefile.in
@@ -0,0 +1,774 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/ext_auth
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ext_auth_la_LIBADD =
+am_libstrongswan_ext_auth_la_OBJECTS = ext_auth_plugin.lo \
+	ext_auth_listener.lo
+libstrongswan_ext_auth_la_OBJECTS =  \
+	$(am_libstrongswan_ext_auth_la_OBJECTS)
+AM_V_lt = $(am__v_lt_ at AM_V@)
+am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libstrongswan_ext_auth_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ext_auth_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+ at MONOLITHIC_FALSE@am_libstrongswan_ext_auth_la_rpath = -rpath \
+ at MONOLITHIC_FALSE@	$(plugindir)
+ at MONOLITHIC_TRUE@am_libstrongswan_ext_auth_la_rpath =
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_ at AM_V@)
+am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libstrongswan_ext_auth_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ext_auth_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+ at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ext-auth.la
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ext-auth.la
+libstrongswan_ext_auth_la_SOURCES = ext_auth_plugin.h ext_auth_plugin.c \
+	ext_auth_listener.h ext_auth_listener.c
+
+libstrongswan_ext_auth_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/ext_auth/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/ext_auth/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libstrongswan-ext-auth.la: $(libstrongswan_ext_auth_la_OBJECTS) $(libstrongswan_ext_auth_la_DEPENDENCIES) $(EXTRA_libstrongswan_ext_auth_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_ext_auth_la_LINK) $(am_libstrongswan_ext_auth_la_rpath) $(libstrongswan_ext_auth_la_OBJECTS) $(libstrongswan_ext_auth_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ext_auth_listener.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/ext_auth_plugin.Plo at am__quote@
+
+.c.o:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+ at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/ext_auth/ext_auth_listener.c b/src/libcharon/plugins/ext_auth/ext_auth_listener.c
new file mode 100644
index 0000000..06cec20
--- /dev/null
+++ b/src/libcharon/plugins/ext_auth/ext_auth_listener.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 2014 Vyronas Tsingaras (vtsingaras at it.auth.gr)
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/* for vasprintf() */
+#define _GNU_SOURCE
+#include "ext_auth_listener.h"
+
+#include <daemon.h>
+#include <utils/process.h>
+
+#include <stdio.h>
+#include <unistd.h>
+
+typedef struct private_ext_auth_listener_t private_ext_auth_listener_t;
+
+/**
+ * Private data of an ext_auth_listener_t object.
+ */
+struct private_ext_auth_listener_t {
+
+	/**
+	 * Public ext_auth_listener_listener_t interface.
+	 */
+	ext_auth_listener_t public;
+
+	/**
+	 * Path to authorization program
+	 */
+	char *script;
+};
+
+/**
+ * Allocate and push a format string to the environment
+ */
+static bool push_env(char *envp[], u_int count, char *fmt, ...)
+{
+	int i = 0;
+	char *str;
+	va_list args;
+
+	while (envp[i])
+	{
+		if (++i + 1 >= count)
+		{
+			return FALSE;
+		}
+	}
+	va_start(args, fmt);
+	if (vasprintf(&str, fmt, args) >= 0)
+	{
+		envp[i] = str;
+	}
+	va_end(args);
+	return envp[i] != NULL;
+}
+
+/**
+ * Free all allocated environment strings
+ */
+static void free_env(char *envp[])
+{
+	int i;
+
+	for (i = 0; envp[i]; i++)
+	{
+		free(envp[i]);
+	}
+}
+
+METHOD(listener_t, authorize, bool,
+	private_ext_auth_listener_t *this, ike_sa_t *ike_sa,
+	bool final, bool *success)
+{
+	if (final)
+	{
+		FILE *shell;
+		process_t *process;
+		char *envp[32] = {};
+		int out, retval;
+
+		*success = FALSE;
+
+		push_env(envp, countof(envp), "IKE_UNIQUE_ID=%u",
+				 ike_sa->get_unique_id(ike_sa));
+		push_env(envp, countof(envp), "IKE_NAME=%s",
+				 ike_sa->get_name(ike_sa));
+
+		push_env(envp, countof(envp), "IKE_LOCAL_HOST=%H",
+				 ike_sa->get_my_host(ike_sa));
+		push_env(envp, countof(envp), "IKE_REMOTE_HOST=%H",
+				 ike_sa->get_other_host(ike_sa));
+
+		push_env(envp, countof(envp), "IKE_LOCAL_ID=%Y",
+				 ike_sa->get_my_id(ike_sa));
+		push_env(envp, countof(envp), "IKE_REMOTE_ID=%Y",
+				 ike_sa->get_other_id(ike_sa));
+
+		if (ike_sa->has_condition(ike_sa, COND_EAP_AUTHENTICATED) ||
+			ike_sa->has_condition(ike_sa, COND_XAUTH_AUTHENTICATED))
+		{
+			push_env(envp, countof(envp), "IKE_REMOTE_EAP_ID=%Y",
+					 ike_sa->get_other_eap_id(ike_sa));
+		}
+
+		process = process_start_shell(envp, NULL, &out, NULL,
+									  "2>&1 %s", this->script);
+		if (process)
+		{
+			shell = fdopen(out, "r");
+			if (shell)
+			{
+				while (TRUE)
+				{
+					char resp[128], *e;
+
+					if (fgets(resp, sizeof(resp), shell) == NULL)
+					{
+						if (ferror(shell))
+						{
+							DBG1(DBG_CFG, "error reading from ext-auth script");
+						}
+						break;
+					}
+					else
+					{
+						e = resp + strlen(resp);
+						if (e > resp && e[-1] == '\n')
+						{
+							e[-1] = '\0';
+						}
+						DBG1(DBG_CHD, "ext-auth: %s", resp);
+					}
+				}
+				fclose(shell);
+			}
+			else
+			{
+				close(out);
+			}
+			if (process->wait(process, &retval))
+			{
+				if (retval == EXIT_SUCCESS)
+				{
+					*success = TRUE;
+				}
+				else
+				{
+					DBG1(DBG_CFG, "rejecting IKE_SA for ext-auth result: %d",
+						 retval);
+				}
+			}
+		}
+		free_env(envp);
+	}
+	return TRUE;
+}
+
+METHOD(ext_auth_listener_t, destroy, void,
+	private_ext_auth_listener_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+ext_auth_listener_t *ext_auth_listener_create(char *script)
+{
+	private_ext_auth_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.authorize = _authorize,
+			},
+			.destroy = _destroy,
+		},
+		.script = script,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/ext_auth/ext_auth_listener.h b/src/libcharon/plugins/ext_auth/ext_auth_listener.h
new file mode 100644
index 0000000..3fec830
--- /dev/null
+++ b/src/libcharon/plugins/ext_auth/ext_auth_listener.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2014 Vyronas Tsingaras (vtsingaras at it.auth.gr)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup ext_auth_listener ext_auth_listener
+ * @{ @ingroup ext_auth
+ */
+
+#ifndef EXT_AUTH_LISTENER_H_
+#define EXT_AUTH_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct ext_auth_listener_t ext_auth_listener_t;
+
+/**
+ * Listener using an external script to authorize connection
+ */
+struct ext_auth_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy the listener.
+	 */
+	void (*destroy)(ext_auth_listener_t *this);
+};
+
+/**
+ * Create ext_auth_listener instance.
+ *
+ * @param script		path to authorization script
+ * @return				listener instance
+ */
+ext_auth_listener_t *ext_auth_listener_create(char *script);
+
+#endif /** ext_auth_LISTENER_H_ @}*/
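Review bot: The `@param script` text on `ext_auth_listener_create` says "path to authorization script", which understates how the value is used. In ext_auth_listener.c the constructor stores the pointer as given (`.script = script`), and `authorize` later passes it to `process_start_shell()` inside the format `"2>&1 %s"`, so it is presumably interpreted as a shell command line rather than a bare path. I would document both facts, e.g. `@param script  shell command line run for authorization; not copied, must stay valid for the lifetime of the listener`. The closing guard comment also spells the macro `ext_auth_LISTENER_H_` while the guard itself is `EXT_AUTH_LISTENER_H_`.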
diff --git a/src/libcharon/plugins/ext_auth/ext_auth_plugin.c b/src/libcharon/plugins/ext_auth/ext_auth_plugin.c
new file mode 100644
index 0000000..b3698c7
--- /dev/null
+++ b/src/libcharon/plugins/ext_auth/ext_auth_plugin.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (c) 2014 Vyronas Tsingaras (vtsingaras at it.auth.gr)
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "ext_auth_plugin.h"
+#include "ext_auth_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_ext_auth_plugin_t private_ext_auth_plugin_t;
+
+/**
+ * private data of ext_auth plugin
+ */
+struct private_ext_auth_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	ext_auth_plugin_t public;
+
+	/**
+	 * Listener verifying peers during authorization
+	 */
+	ext_auth_listener_t *listener;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_ext_auth_plugin_t *this)
+{
+	return "ext-auth";
+}
+
+/**
+ * Create a listener instance, NULL on error
+ */
+static ext_auth_listener_t* create_listener()
+{
+	char *script;
+
+	script = lib->settings->get_str(lib->settings,
+					"%s.plugins.ext-auth.script", NULL, lib->ns);
+	if (!script)
+	{
+		DBG1(DBG_CFG, "no script for ext-auth script defined, disabled");
+		return NULL;
+	}
+	DBG1(DBG_CFG, "using ext-auth script '%s'", script);
+	return ext_auth_listener_create(script);
+}
+
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_ext_auth_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		this->listener = create_listener();
+		if (!this->listener)
+		{
+			return FALSE;
+		}
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		if (this->listener)
+		{
+			charon->bus->remove_listener(charon->bus, &this->listener->listener);
+			this->listener->destroy(this->listener);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_ext_auth_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "ext_auth"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+
+METHOD(plugin_t, reload, bool,
+	private_ext_auth_plugin_t *this)
+{
+	ext_auth_listener_t *listener;
+
+	/* reload new listener overlapped */
+	listener = create_listener();
+	if (listener)
+	{
+		charon->bus->add_listener(charon->bus, &listener->listener);
+	}
+	if (this->listener)
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+		this->listener->destroy(this->listener);
+	}
+	this->listener = listener;
+
+	return TRUE;
+}
+
+METHOD(plugin_t, destroy, void,
+	private_ext_auth_plugin_t *this)
+{
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *ext_auth_plugin_create()
+{
+	private_ext_auth_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.reload = _reload,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
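Review bot: In `reload`, a reload whose configuration no longer defines `%s.plugins.ext-auth.script` leaves the daemon with no ext-auth listener at all. `create_listener()` returns NULL, the old listener is still removed and destroyed, `this->listener` becomes NULL and `reload` returns TRUE. The only trace is the DBG1 line "no script for ext-auth script defined, disabled", which reads the same as at first start. Because this listener gates authorization, I would log the loss explicitly by adding `else if (this->listener) { DBG1(DBG_CFG, "ext-auth script removed by reload, peers are no longer checked"); }` after the `if (listener)` block. Separately, the unregister branch of `plugin_cb` destroys `this->listener` without resetting it, so `this->listener = NULL;` after the `destroy` call would keep a later `reload` from touching a freed listener.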
diff --git a/src/libcharon/plugins/ext_auth/ext_auth_plugin.h b/src/libcharon/plugins/ext_auth/ext_auth_plugin.h
new file mode 100644
index 0000000..1288e24
--- /dev/null
+++ b/src/libcharon/plugins/ext_auth/ext_auth_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2014 Vyronas Tsingaras (vtsingaras at it.auth.gr)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup ext_auth ext_auth
+ * @ingroup cplugins
+ *
+ * @defgroup ext_auth_plugin ext_auth_plugin
+ * @{ @ingroup ext_auth
+ */
+
+#ifndef EXT_AUTH_PLUGIN_H_
+#define EXT_AUTH_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ext_auth_plugin_t ext_auth_plugin_t;
+
+/**
+ * Plugin using an external script to authorize connections.
+ */
+struct ext_auth_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EXT_AUTH_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 75ff158..2bfd38b 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -233,6 +233,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -293,6 +294,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -358,6 +360,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -405,6 +409,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index cec7362..aa5bdb7 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 6ff24c3..e20e872 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -437,11 +437,13 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 				pools->destroy(pools);
 			}
 		}
+#ifdef USE_IKEV1
 		if (ike_sa->get_version(ike_sa) == IKEV1)
 		{
 			lib->processor->queue_job(lib->processor, (job_t*)
 							adopt_children_job_create(ike_sa->get_id(ike_sa)));
 		}
+#endif /* USE_IKEV1 */
 		this->cache->cache(this->cache, ike_sa, message);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index da2e8d7..bd3fd63 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in
index 460c7b7..7e1f79b 100644
--- a/src/libcharon/plugins/kernel_iph/Makefile.in
+++ b/src/libcharon/plugins/kernel_iph/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index a4e5ba9..c961c0b 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -237,6 +237,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -297,6 +298,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -362,6 +364,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -409,6 +413,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in
index ff987f8..1c92e30 100644
--- a/src/libcharon/plugins/kernel_wfp/Makefile.in
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.in
@@ -243,6 +243,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -303,6 +304,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -368,6 +370,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -415,6 +419,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 78ec666..db4552d 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -232,6 +232,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -292,6 +293,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -357,6 +359,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -404,6 +408,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index df75c0f..418dccb 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -245,6 +245,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -305,6 +306,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -370,6 +372,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -417,6 +421,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index deb517e..f0f2c75 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -241,6 +241,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -301,6 +302,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -366,6 +368,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -413,6 +417,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index aa3ade0..3a866e9 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -237,6 +237,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -297,6 +298,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -362,6 +364,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -409,6 +413,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 919b936..e0f70ce 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index ce81fb1..adb61e8 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index 870b427..a0c21c4 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index 35ebf99..14abba9 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -236,6 +236,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -296,6 +297,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -361,6 +363,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -408,6 +412,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 35e7f2a..7c5b030 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -233,6 +233,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -293,6 +294,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -358,6 +360,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -405,6 +409,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index bee1259..548524a 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index 081d3ef..9cc3995 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -45,9 +45,6 @@
 #include <daemon.h>
 #include <threading/thread.h>
 
-/* Maximum size of a packet */
-#define MAX_PACKET 10000
-
 /* these are not defined on some platforms */
 #ifndef SOL_IP
 #define SOL_IP IPPROTO_IP
@@ -739,7 +736,7 @@ socket_default_socket_t *socket_default_socket_create()
 		.natt = lib->settings->get_int(lib->settings,
 							"%s.port_nat_t", CHARON_NATT_PORT, lib->ns),
 		.max_packet = lib->settings->get_int(lib->settings,
-							"%s.max_packet", MAX_PACKET, lib->ns),
+							"%s.max_packet", PACKET_MAX_DEFAULT, lib->ns),
 		.set_source = lib->settings->get_bool(lib->settings,
 							"%s.plugins.socket-default.set_source", TRUE,
 							lib->ns),
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 073806d..892549c 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index 3161a70..b82a69e 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -42,9 +42,6 @@
 #include <threading/rwlock.h>
 #include <collections/hashtable.h>
 
-/* Maximum size of a packet */
-#define MAX_PACKET 10000
-
 /* these are not defined on some platforms */
 #ifndef SOL_IP
 #define SOL_IP IPPROTO_IP
@@ -668,7 +665,7 @@ socket_dynamic_socket_t *socket_dynamic_socket_create()
 		},
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 		.max_packet = lib->settings->get_int(lib->settings,
-										"%s.max_packet", MAX_PACKET, lib->ns),
+								"%s.max_packet", PACKET_MAX_DEFAULT, lib->ns),
 	);
 
 	if (pipe(this->notify) != 0)
diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in
index ff38e81..88b2ac3 100644
--- a/src/libcharon/plugins/socket_win/Makefile.in
+++ b/src/libcharon/plugins/socket_win/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/socket_win/socket_win_socket.c b/src/libcharon/plugins/socket_win/socket_win_socket.c
index 5ebe04a..fbfbeda 100644
--- a/src/libcharon/plugins/socket_win/socket_win_socket.c
+++ b/src/libcharon/plugins/socket_win/socket_win_socket.c
@@ -25,9 +25,6 @@
 
 #include <mswsock.h>
 
-/* Maximum size of a packet */
-#define MAX_PACKET 10000
-
 /* number of sockets in use */
 #define SOCKET_COUNT 2
 
@@ -458,7 +455,7 @@ socket_win_socket_t *socket_win_socket_create()
 							"%s.port_nat_t", CHARON_NATT_PORT, lib->ns),
 		},
 		.max_packet = lib->settings->get_int(lib->settings,
-							"%s.max_packet", MAX_PACKET, lib->ns),
+							"%s.max_packet", PACKET_MAX_DEFAULT, lib->ns),
 	);
 
 	for (i = 0; i < SOCKET_COUNT; i++)
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 208b900..3c13245 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -233,6 +233,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -293,6 +294,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -358,6 +360,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -405,6 +409,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 59a5983..d468018 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -237,6 +237,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -297,6 +298,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -362,6 +364,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -409,6 +413,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index f908219..83431d1 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -65,6 +65,11 @@ struct private_stroke_cred_t {
 	stroke_cred_t public;
 
 	/**
+	 * secrets file with credential information
+	 */
+	char *secrets_file;
+
+	/**
 	 * credentials
 	 */
 	mem_cred_t *creds;
@@ -1297,7 +1302,7 @@ METHOD(stroke_cred_t, reread, void,
 	if (msg->reread.flags & REREAD_SECRETS)
 	{
 		DBG1(DBG_CFG, "rereading secrets");
-		load_secrets(this, NULL, SECRETS_FILE, 0, prompt);
+		load_secrets(this, NULL, this->secrets_file, 0, prompt);
 	}
 	if (msg->reread.flags & REREAD_CACERTS)
 	{
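Review bot: `this->secrets_file` is resolved once in `stroke_cred_create()` (the `get_str` call added two hunks further down), so this reread path keeps using the path configured at plugin start even if `%s.plugins.stroke.secrets_file` is changed afterwards. If that is intended, say so on the new struct field, e.g. `secrets file with credential information, read from settings once at creation; string not owned by this object`. The ownership half is an assumption, since neither `get_str`'s contract nor `destroy` is visible here. Because the location of the secrets is now chosen by the operator, the option's documentation should also state that the file needs the same restrictive ownership and mode as the default one. The body of `reread` begins and ends outside this hunk.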
@@ -1370,6 +1375,9 @@ stroke_cred_t *stroke_cred_create()
 			.cachecrl = _cachecrl,
 			.destroy = _destroy,
 		},
+		.secrets_file = lib->settings->get_str(lib->settings,
+								"%s.plugins.stroke.secrets_file", SECRETS_FILE,
+								lib->ns),
 		.creds = mem_cred_create(),
 	);
 
@@ -1380,7 +1388,7 @@ stroke_cred_t *stroke_cred_create()
 						FALSE, lib->ns);
 
 	load_certs(this);
-	load_secrets(this, NULL, SECRETS_FILE, 0, NULL);
+	load_secrets(this, NULL, this->secrets_file, 0, NULL);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index 769ad52..0e477f9 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 51d46a6..3f2952c 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -238,6 +238,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -298,6 +299,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -363,6 +365,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -410,6 +414,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index 531c00c..97c4796 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -239,6 +239,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -299,6 +300,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -364,6 +366,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -411,6 +415,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 948db7e..5e16c3c 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -233,6 +233,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -293,6 +294,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -358,6 +360,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -405,6 +409,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 6e4dbff..1aca319 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -238,6 +238,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -298,6 +299,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -363,6 +365,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -410,6 +414,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 4d411f6..1e04ebc 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -234,6 +234,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -294,6 +295,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -359,6 +361,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -406,6 +410,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
index 9f72a80..52a2c7f 100644
--- a/src/libcharon/plugins/unity/unity_narrow.c
+++ b/src/libcharon/plugins/unity/unity_narrow.c
@@ -139,6 +139,23 @@ static void narrow_responder_post(child_cfg_t *child_cfg, linked_list_t *local)
 	configured->destroy(configured);
 }
 
+/**
+ * Check if any Split-Include attributes are active on this IKE_SA
+ */
+static bool has_split_includes(private_unity_narrow_t *this, ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *ts;
+	bool has;
+
+	enumerator = this->handler->create_include_enumerator(this->handler,
+												ike_sa->get_unique_id(ike_sa));
+	has = enumerator->enumerate(enumerator, &ts);
+	enumerator->destroy(enumerator);
+
+	return has;
+}
+
 METHOD(listener_t, narrow, bool,
 	private_unity_narrow_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 	narrow_hook_t type, linked_list_t *local, linked_list_t *remote)
@@ -146,23 +163,43 @@ METHOD(listener_t, narrow, bool,
 	if (ike_sa->get_version(ike_sa) == IKEV1 &&
 		ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
 	{
-		switch (type)
+		/* depending on who initiates a rekeying the hooks will not match the
+		 * roles in the IKE_SA */
+		if (ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
 		{
-			case NARROW_INITIATOR_PRE_AUTH:
-				narrow_pre(remote, "other");
-				break;
-			case NARROW_INITIATOR_POST_AUTH:
-				narrow_initiator(this, ike_sa,
-								 child_sa->get_config(child_sa), remote);
-				break;
-			case NARROW_RESPONDER:
-				narrow_pre(local, "us");
-				break;
-			case NARROW_RESPONDER_POST:
-				narrow_responder_post(child_sa->get_config(child_sa), local);
-				break;
-			default:
-				break;
+			switch (type)
+			{
+				case NARROW_INITIATOR_PRE_AUTH:
+				case NARROW_RESPONDER:
+					if (has_split_includes(this, ike_sa))
+					{
+						narrow_pre(remote, "other");
+					}
+					break;
+				case NARROW_INITIATOR_POST_AUTH:
+				case NARROW_RESPONDER_POST:
+					narrow_initiator(this, ike_sa,
+									 child_sa->get_config(child_sa), remote);
+					break;
+				default:
+					break;
+			}
+		}
+		else
+		{
+			switch (type)
+			{
+				case NARROW_INITIATOR_PRE_AUTH:
+				case NARROW_RESPONDER:
+					narrow_pre(local, "us");
+					break;
+				case NARROW_INITIATOR_POST_AUTH:
+				case NARROW_RESPONDER_POST:
+					narrow_responder_post(child_sa->get_config(child_sa), local);
+					break;
+				default:
+					break;
+			}
 		}
 	}
 	return TRUE;
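Review bot: The two branches treat the pre-auth hooks differently and nothing in the code says why. With `COND_ORIGINAL_INITIATOR` set, `narrow_pre(remote, "other")` runs only when `has_split_includes()` is true, while the `else` branch calls `narrow_pre(local, "us")` unconditionally. If the responder side really needs no such guard, a one-line comment above the second `switch` stating the reason would keep a later reader from "fixing" the asymmetry, along the lines of `/* responder: always narrow, <reason> */`. The existing comment about rekeying could also name the pairing explicitly, since `NARROW_RESPONDER` now shares a case with `NARROW_INITIATOR_PRE_AUTH` in both branches. The closing brace of `narrow` lies outside the hunk.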
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index b377110..834d373 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 200f298..1d15cc5 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -16,9 +16,11 @@
 
 #define _GNU_SOURCE
 #include <stdio.h>
+#include <unistd.h>
 
 #include "updown_listener.h"
 
+#include <utils/process.h>
 #include <hydra.h>
 #include <daemon.h>
 #include <config/child_cfg.h>
@@ -97,53 +99,84 @@ static char* uncache_iface(private_updown_listener_t *this, u_int32_t reqid)
 }
 
 /**
- * Create variables for handled DNS attributes
+ * Allocate and push a format string to the environment
  */
-static char *make_dns_vars(private_updown_listener_t *this, ike_sa_t *ike_sa)
+static bool push_env(char *envp[], u_int count, char *fmt, ...)
 {
-	enumerator_t *enumerator;
-	host_t *host;
-	int v4 = 0, v6 = 0;
-	char total[512] = "", current[64];
+	int i = 0;
+	char *str;
+	va_list args;
 
-	if (!this->handler)
+	while (envp[i])
 	{
-		return strdup("");
+		if (++i + 1 >= count)
+		{
+			return FALSE;
+		}
 	}
+	va_start(args, fmt);
+	if (vasprintf(&str, fmt, args) >= 0)
+	{
+		envp[i] = str;
+	}
+	va_end(args);
+	return envp[i] != NULL;
+}
 
-	enumerator = this->handler->create_dns_enumerator(this->handler,
-												ike_sa->get_unique_id(ike_sa));
-	while (enumerator->enumerate(enumerator, &host))
+/**
+ * Free all allocated environment strings
+ */
+static void free_env(char *envp[])
+{
+	int i;
+
+	for (i = 0; envp[i]; i++)
 	{
-		switch (host->get_family(host))
+		free(envp[i]);
+	}
+}
+
+/**
+ * Push variables for handled DNS attributes
+ */
+static void push_dns_env(private_updown_listener_t *this, ike_sa_t *ike_sa,
+						 char *envp[], u_int count)
+{
+	enumerator_t *enumerator;
+	host_t *host;
+	int v4 = 0, v6 = 0;
+
+	if (this->handler)
+	{
+		enumerator = this->handler->create_dns_enumerator(this->handler,
+											ike_sa->get_unique_id(ike_sa));
+		while (enumerator->enumerate(enumerator, &host))
 		{
-			case AF_INET:
-				snprintf(current, sizeof(current),
-						 "PLUTO_DNS4_%d='%H' ", ++v4, host);
-				break;
-			case AF_INET6:
-				snprintf(current, sizeof(current),
-						 "PLUTO_DNS6_%d='%H' ", ++v6, host);
-				break;
-			default:
-				continue;
+			switch (host->get_family(host))
+			{
+				case AF_INET:
+					push_env(envp, count, "PLUTO_DNS4_%d=%H", ++v4, host);
+					break;
+				case AF_INET6:
+					push_env(envp, count, "PLUTO_DNS6_%d=%H", ++v6, host);
+					break;
+				default:
+					continue;
+			}
 		}
-		strncat(total, current, sizeof(total) - strlen(total) - 1);
+		enumerator->destroy(enumerator);
 	}
-	enumerator->destroy(enumerator);
-
-	return strdup(total);
 }
 
 /**
- * Create variables for local virtual IPs
+ * Push variables for local virtual IPs
  */
-static char *make_vip_vars(private_updown_listener_t *this, ike_sa_t *ike_sa)
+static void push_vip_env(private_updown_listener_t *this, ike_sa_t *ike_sa,
+						 char *envp[], u_int count)
 {
 	enumerator_t *enumerator;
 	host_t *host;
 	int v4 = 0, v6 = 0;
-	char total[512] = "", current[64];
 	bool first = TRUE;
 
 	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
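Review bot: Every caller in this hunk ignores the result of `push_env()`, so when the array is full or `vasprintf()` fails the variable is dropped without a trace. The number of `PLUTO_DNS*_n` and `PLUTO_MY_SOURCEIP*_n` entries presumably follows what was negotiated with the peer (the handler is not visible here). In `invoke_once()` the marks, `PLUTO_UDP_ENC`, `PLUTO_IPCOMP` and `PLUTO_HOST_ACCESS` are pushed after them into a 128-slot array, so a long attribute list could leave the script without those. A log line on failure would make this visible, e.g. `if (!push_env(envp, count, "PLUTO_DNS4_%d=%H", ++v4, host)) { DBG1(DBG_CHD, "updown environment full, variable dropped"); }`. In `push_env` itself `i` is `int` while `count` is `u_int`; declaring `u_int i = 0;` avoids the mixed-sign comparison in `++i + 1 >= count`. `push_vip_env` continues past the end of this hunk.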
@@ -151,28 +184,22 @@ static char *make_vip_vars(private_updown_listener_t *this, ike_sa_t *ike_sa)
 	{
 		if (first)
 		{	/* legacy variable for first VIP */
-			snprintf(current, sizeof(current),
-						 "PLUTO_MY_SOURCEIP='%H' ", host);
-			strncat(total, current, sizeof(total) - strlen(total) - 1);
+			first = FALSE;
+			push_env(envp, count, "PLUTO_MY_SOURCEIP=%H", host);
 		}
 		switch (host->get_family(host))
 		{
 			case AF_INET:
-				snprintf(current, sizeof(current),
-						 "PLUTO_MY_SOURCEIP4_%d='%H' ", ++v4, host);
+				push_env(envp, count, "PLUTO_MY_SOURCEIP4_%d=%H", ++v4, host);
 				break;
 			case AF_INET6:
-				snprintf(current, sizeof(current),
-						 "PLUTO_MY_SOURCEIP6_%d='%H' ", ++v6, host);
+				push_env(envp, count, "PLUTO_MY_SOURCEIP6_%d=%H", ++v6, host);
 				break;
 			default:
 				continue;
 		}
-		strncat(total, current, sizeof(total) - strlen(total) - 1);
 	}
 	enumerator->destroy(enumerator);
-
-	return strdup(total);
 }
 
 /**
@@ -196,240 +223,182 @@ static u_int16_t get_port(traffic_selector_t *me,
 	return local ? me->get_from_port(me) : other->get_from_port(other);
 }
 
-METHOD(listener_t, child_updown, bool,
-	private_updown_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-	bool up)
+/**
+ * Invoke the updown script once for given traffic selectors
+ */
+static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
+						child_sa_t *child_sa, child_cfg_t *config, bool up,
+						traffic_selector_t *my_ts, traffic_selector_t *other_ts)
 {
-	traffic_selector_t *my_ts, *other_ts;
-	enumerator_t *enumerator;
-	child_cfg_t *config;
-	host_t *me, *other;
-	char *script;
+	host_t *me, *other, *host;
+	char *iface;
+	u_int8_t mask;
+	mark_t mark;
+	bool is_host, is_ipv6;
+	int out;
+	FILE *shell;
+	process_t *process;
+	char *envp[128] = {};
 
-	config = child_sa->get_config(child_sa);
-	script = config->get_updown(config);
 	me = ike_sa->get_my_host(ike_sa);
 	other = ike_sa->get_other_host(ike_sa);
 
-	if (script == NULL)
+	push_env(envp, countof(envp), "PLUTO_VERSION=1.1");
+	is_host = my_ts->is_host(my_ts, me);
+	if (is_host)
 	{
-		return TRUE;
+		is_ipv6 = me->get_family(me) == AF_INET6;
 	}
-
-	enumerator = child_sa->create_policy_enumerator(child_sa);
-	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+	else
 	{
-		char command[2048];
-		host_t *my_client, *other_client;
-		u_int8_t my_client_mask, other_client_mask;
-		char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc, *dns, *xauth;
-		mark_t mark;
-		bool is_host, is_ipv6, use_ipcomp;
-		FILE *shell;
-
-		my_ts->to_subnet(my_ts, &my_client, &my_client_mask);
-		other_ts->to_subnet(other_ts, &other_client, &other_client_mask);
-
-		virtual_ip = make_vip_vars(this, ike_sa);
-
-		/* check for the presence of an inbound mark */
-		mark = config->get_mark(config, TRUE);
-		if (mark.value)
-		{
-			if (asprintf(&mark_in, "PLUTO_MARK_IN='%u/0x%08x' ",
-						 mark.value, mark.mask ) < 0)
-			{
-				mark_in = NULL;
-			}
-		}
-		else
-		{
-			if (asprintf(&mark_in, "") < 0)
-			{
-				mark_in = NULL;
-			}
-		}
-
-		/* check for the presence of an outbound mark */
-		mark = config->get_mark(config, FALSE);
-		if (mark.value)
-		{
-			if (asprintf(&mark_out, "PLUTO_MARK_OUT='%u/0x%08x' ",
-						 mark.value, mark.mask ) < 0)
-			{
-				mark_out = NULL;
-			}
-		}
-		else
-		{
-			if (asprintf(&mark_out, "") < 0)
-			{
-				mark_out = NULL;
-			}
-		}
-
-		/* check for a NAT condition causing ESP_IN_UDP encapsulation */
-		if (ike_sa->has_condition(ike_sa, COND_NAT_ANY))
+		is_ipv6 = my_ts->get_type(my_ts) == TS_IPV6_ADDR_RANGE;
+	}
+	push_env(envp, countof(envp), "PLUTO_VERB=%s%s%s",
+			 up ? "up" : "down",
+			 is_host ? "-host" : "-client",
+			 is_ipv6 ? "-v6" : "");
+	push_env(envp, countof(envp), "PLUTO_CONNECTION=%s",
+			 config->get_name(config));
+	if (up)
+	{
+		if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
+												   me, &iface))
 		{
-			if (asprintf(&udp_enc, "PLUTO_UDP_ENC='%u' ",
-						 other->get_port(other)) < 0)
-			{
-				udp_enc = NULL;
-			}
-
+			cache_iface(this, child_sa->get_reqid(child_sa), iface);
 		}
 		else
 		{
-			if (asprintf(&udp_enc, "") < 0)
-			{
-				udp_enc = NULL;
-			}
-
+			iface = NULL;
 		}
+	}
+	else
+	{
+		iface = uncache_iface(this, child_sa->get_reqid(child_sa));
+	}
+	push_env(envp, countof(envp), "PLUTO_INTERFACE=%s",
+			 iface ? iface : "unknown");
+	push_env(envp, countof(envp), "PLUTO_REQID=%u",
+			 child_sa->get_reqid(child_sa));
+	push_env(envp, countof(envp), "PLUTO_PROTO=%s",
+			 child_sa->get_protocol(child_sa) == PROTO_ESP ? "esp" : "ah");
+	push_env(envp, countof(envp), "PLUTO_UNIQUEID=%u",
+			 ike_sa->get_unique_id(ike_sa));
+	push_env(envp, countof(envp), "PLUTO_ME=%H", me);
+	push_env(envp, countof(envp), "PLUTO_MY_ID=%Y", ike_sa->get_my_id(ike_sa));
+	if (my_ts->to_subnet(my_ts, &host, &mask))
+	{
+		push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
+		host->destroy(host);
+	}
+	push_env(envp, countof(envp), "PLUTO_MY_PORT=%u",
+			 get_port(my_ts, other_ts, TRUE));
+	push_env(envp, countof(envp), "PLUTO_MY_PROTOCOL=%u",
+			 my_ts->get_protocol(my_ts));
+	push_env(envp, countof(envp), "PLUTO_PEER=%H", other);
+	push_env(envp, countof(envp), "PLUTO_PEER_ID=%Y",
+			 ike_sa->get_other_id(ike_sa));
+	if (other_ts->to_subnet(other_ts, &host, &mask))
+	{
+		push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
+		host->destroy(host);
+	}
+	push_env(envp, countof(envp), "PLUTO_PEER_PORT=%u",
+			 get_port(my_ts, other_ts, FALSE));
+	push_env(envp, countof(envp), "PLUTO_PEER_PROTOCOL=%u",
+			 other_ts->get_protocol(other_ts));
+	if (ike_sa->has_condition(ike_sa, COND_EAP_AUTHENTICATED) ||
+		ike_sa->has_condition(ike_sa, COND_XAUTH_AUTHENTICATED))
+	{
+		push_env(envp, countof(envp), "PLUTO_XAUTH_ID=%Y",
+				 ike_sa->get_other_eap_id(ike_sa));
+	}
+	push_vip_env(this, ike_sa, envp, countof(envp));
+	mark = config->get_mark(config, TRUE);
+	if (mark.value)
+	{
+		push_env(envp, countof(envp), "PLUTO_MARK_IN=%u/0x%08x",
+				 mark.value, mark.mask);
+	}
+	mark = config->get_mark(config, FALSE);
+	if (mark.value)
+	{
+		push_env(envp, countof(envp), "PLUTO_MARK_OUT=%u/0x%08x",
+				 mark.value, mark.mask);
+	}
+	if (ike_sa->has_condition(ike_sa, COND_NAT_ANY))
+	{
+		push_env(envp, countof(envp), "PLUTO_UDP_ENC=%u",
+				 other->get_port(other));
+	}
+	if (child_sa->get_ipcomp(child_sa) != IPCOMP_NONE)
+	{
+		push_env(envp, countof(envp), "PLUTO_IPCOMP=1");
+	}
+	push_dns_env(this, ike_sa, envp, countof(envp));
+	if (config->get_hostaccess(config))
+	{
+		push_env(envp, countof(envp), "PLUTO_HOST_ACCESS=1");
+	}
 
-		if (ike_sa->has_condition(ike_sa, COND_EAP_AUTHENTICATED) ||
-			ike_sa->has_condition(ike_sa, COND_XAUTH_AUTHENTICATED))
-		{
-			if (asprintf(&xauth, "PLUTO_XAUTH_ID='%Y' ",
-						 ike_sa->get_other_eap_id(ike_sa)) < 0)
-			{
-				xauth = NULL;
-			}
-		}
-		else
+	process = process_start_shell(envp, NULL, &out, NULL, "2>&1 %s",
+								  config->get_updown(config));
+	if (process)
+	{
+		shell = fdopen(out, "r");
+		if (shell)
 		{
-			if (asprintf(&xauth, "") < 0)
+			while (TRUE)
 			{
-				xauth = NULL;
-			}
-		}
+				char resp[128];
 
-		if (up)
-		{
-			if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
-													   me, &iface))
-			{
-				cache_iface(this, child_sa->get_reqid(child_sa), iface);
-			}
-			else
-			{
-				iface = NULL;
+				if (fgets(resp, sizeof(resp), shell) == NULL)
+				{
+					if (ferror(shell))
+					{
+						DBG1(DBG_CHD, "error reading from updown script");
+					}
+					break;
+				}
+				else
+				{
+					char *e = resp + strlen(resp);
+					if (e > resp && e[-1] == '\n')
+					{
+						e[-1] = '\0';
+					}
+					DBG1(DBG_CHD, "updown: %s", resp);
+				}
 			}
+			fclose(shell);
 		}
 		else
 		{
-			iface = uncache_iface(this, child_sa->get_reqid(child_sa));
+			close(out);
 		}
+		process->wait(process, NULL);
+	}
+	free(iface);
+	free_env(envp);
+}
 
-		dns = make_dns_vars(this, ike_sa);
-
-		/* check for IPComp */
-		use_ipcomp = child_sa->get_ipcomp(child_sa) != IPCOMP_NONE;
-
-		/* determine IPv4/IPv6 and client/host situation */
-		is_host = my_ts->is_host(my_ts, me);
-		is_ipv6 = is_host ? (me->get_family(me) == AF_INET6) :
-							(my_ts->get_type(my_ts) == TS_IPV6_ADDR_RANGE);
-
-		/* build the command with all env variables.
-		 */
-		snprintf(command, sizeof(command),
-				 "2>&1 "
-				"PLUTO_VERSION='1.1' "
-				"PLUTO_VERB='%s%s%s' "
-				"PLUTO_CONNECTION='%s' "
-				"PLUTO_INTERFACE='%s' "
-				"PLUTO_REQID='%u' "
-				"PLUTO_PROTO='%s' "
-				"PLUTO_UNIQUEID='%u' "
-				"PLUTO_ME='%H' "
-				"PLUTO_MY_ID='%Y' "
-				"PLUTO_MY_CLIENT='%+H/%u' "
-				"PLUTO_MY_PORT='%u' "
-				"PLUTO_MY_PROTOCOL='%u' "
-				"PLUTO_PEER='%H' "
-				"PLUTO_PEER_ID='%Y' "
-				"PLUTO_PEER_CLIENT='%+H/%u' "
-				"PLUTO_PEER_PORT='%u' "
-				"PLUTO_PEER_PROTOCOL='%u' "
-				"%s"
-				"%s"
-				"%s"
-				"%s"
-				"%s"
-				"%s"
-				"%s"
-				"%s"
-				"%s",
-				 up ? "up" : "down",
-				 is_host ? "-host" : "-client",
-				 is_ipv6 ? "-v6" : "",
-				 config->get_name(config),
-				 iface ? iface : "unknown",
-				 child_sa->get_reqid(child_sa),
-				 child_sa->get_protocol(child_sa) == PROTO_ESP ? "esp" : "ah",
-				 ike_sa->get_unique_id(ike_sa),
-				 me, ike_sa->get_my_id(ike_sa),
-				 my_client, my_client_mask,
-				 get_port(my_ts, other_ts, TRUE),
-				 my_ts->get_protocol(my_ts),
-				 other, ike_sa->get_other_id(ike_sa),
-				 other_client, other_client_mask,
-				 get_port(my_ts, other_ts, FALSE),
-				 other_ts->get_protocol(other_ts),
-				 xauth,
-				 virtual_ip,
-				 mark_in,
-				 mark_out,
-				 udp_enc,
-				 use_ipcomp ? "PLUTO_IPCOMP='1' " : "",
-				 config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "",
-				 dns,
-				 script);
-		my_client->destroy(my_client);
-		other_client->destroy(other_client);
-		free(virtual_ip);
-		free(mark_in);
-		free(mark_out);
-		free(udp_enc);
-		free(dns);
-		free(iface);
-		free(xauth);
-
-		DBG3(DBG_CHD, "running updown script: %s", command);
-		shell = popen(command, "r");
-
-		if (shell == NULL)
-		{
-			DBG1(DBG_CHD, "could not execute updown script '%s'", script);
-			return TRUE;
-		}
+METHOD(listener_t, child_updown, bool,
+	private_updown_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	bool up)
+{
+	traffic_selector_t *my_ts, *other_ts;
+	enumerator_t *enumerator;
+	child_cfg_t *config;
 
-		while (TRUE)
+	config = child_sa->get_config(child_sa);
+	if (config->get_updown(config))
+	{
+		enumerator = child_sa->create_policy_enumerator(child_sa);
+		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 		{
-			char resp[128];
-
-			if (fgets(resp, sizeof(resp), shell) == NULL)
-			{
-				if (ferror(shell))
-				{
-					DBG1(DBG_CHD, "error reading output from updown script");
-				}
-				break;
-			}
-			else
-			{
-				char *e = resp + strlen(resp);
-				if (e > resp && e[-1] == '\n')
-				{	/* trim trailing '\n' */
-					e[-1] = '\0';
-				}
-				DBG1(DBG_CHD, "updown: %s", resp);
-			}
+			invoke_once(this, ike_sa, child_sa, config, up, my_ts, other_ts);
 		}
-		pclose(shell);
+		enumerator->destroy(enumerator);
 	}
-	enumerator->destroy(enumerator);
 	return TRUE;
 }
 
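Review bot: When `process_start_shell()` returns NULL, `invoke_once()` now falls through silently, whereas the removed code logged `could not execute updown script`. Unless the helper logs on its own (not visible here), an `else` branch should keep that diagnostic: `else { DBG1(DBG_CHD, "could not execute updown script '%s'", config->get_updown(config)); }`. Passing the values through `envp` instead of splicing them into the command string takes peer-supplied identities such as `PLUTO_PEER_ID` and `PLUTO_XAUTH_ID` out of shell parsing. The quoting the old format string added is gone as well, so the updown script documentation should say that these variables are untrusted and must be quoted wherever the script expands them. `char *envp[128] = {};` relies on an empty initializer, which is a GNU extension before C23; `= { NULL }` is the portable spelling.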
diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am
index 7e459c5..da71de3 100644
--- a/src/libcharon/plugins/vici/Makefile.am
+++ b/src/libcharon/plugins/vici/Makefile.am
@@ -67,3 +67,10 @@ vici_tests_LDFLAGS = @COVERAGE_LDFLAGS@
 vici_tests_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la
+
+
+SUBDIRS =
+
+if USE_RUBY_GEMS
+SUBDIRS += ruby
+endif
diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in
index e0a6a1b..34546b9 100644
--- a/src/libcharon/plugins/vici/Makefile.in
+++ b/src/libcharon/plugins/vici/Makefile.in
@@ -80,6 +80,7 @@ build_triplet = @build@
 host_triplet = @host@
 TESTS = vici_tests$(EXEEXT)
 check_PROGRAMS = $(am__EXEEXT_1)
+ at USE_RUBY_GEMS_TRUE@am__append_1 = ruby
 subdir = src/libcharon/plugins/vici
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -206,11 +207,27 @@ SOURCES = $(libstrongswan_vici_la_SOURCES) $(libvici_la_SOURCES) \
 	$(vici_tests_SOURCES)
 DIST_SOURCES = $(libstrongswan_vici_la_SOURCES) $(libvici_la_SOURCES) \
 	$(vici_tests_SOURCES)
+RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
+	ctags-recursive dvi-recursive html-recursive info-recursive \
+	install-data-recursive install-dvi-recursive \
+	install-exec-recursive install-html-recursive \
+	install-info-recursive install-pdf-recursive \
+	install-ps-recursive install-recursive installcheck-recursive \
+	installdirs-recursive pdf-recursive ps-recursive \
+	tags-recursive uninstall-recursive
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
     *) (install-info --version) >/dev/null 2>&1;; \
   esac
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+am__recursive_targets = \
+  $(RECURSIVE_TARGETS) \
+  $(RECURSIVE_CLEAN_TARGETS) \
+  $(am__extra_recursive_targets)
+AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
+	distdir
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 # Read a list of newline-separated strings from the standard input,
 # and print each of them once, without duplicates.  Input order is
@@ -252,7 +269,33 @@ am__tty_colors = { \
     std=''; \
   fi; \
 }
+DIST_SUBDIRS = ruby
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
@@ -284,6 +327,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -344,6 +388,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -409,6 +454,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -456,6 +503,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
@@ -520,7 +571,8 @@ vici_tests_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la
 
-all: all-am
+SUBDIRS = $(am__append_1)
+all: all-recursive
 
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
@@ -869,14 +921,61 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run 'make' without going through this Makefile.
+# To change the values of 'make' variables: instead of editing Makefiles,
+# (1) if the variable is set in 'config.status', edit 'config.status'
+#     (which will cause the Makefiles to be regenerated when you run 'make');
+# (2) otherwise, pass the desired values on the 'make' command line.
+$(am__recursive_targets):
+	@fail=; \
+	if $(am__make_keepgoing); then \
+	  failcom='fail=yes'; \
+	else \
+	  failcom='exit 1'; \
+	fi; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
+tags: tags-recursive
 TAGS: tags
 
 tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
 	set x; \
 	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
 	$(am__define_uniq_tagged_files); \
 	shift; \
 	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
@@ -889,7 +988,7 @@ tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
 	      $$unique; \
 	  fi; \
 	fi
-ctags: ctags-am
+ctags: ctags-recursive
 
 CTAGS: ctags
 ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
@@ -902,7 +1001,7 @@ GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
 	  && $(am__cd) $(top_srcdir) \
 	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
+cscopelist: cscopelist-recursive
 
 cscopelist-am: $(am__tagged_files)
 	list='$(am__tagged_files)'; \
@@ -1044,24 +1143,50 @@ distdir: $(DISTFILES)
 	    || exit 1; \
 	  fi; \
 	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+		am__skip_mode_fix=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
 check-am: all-am
 	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
 	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
-check: check-am
+check: check-recursive
 all-am: Makefile $(LTLIBRARIES)
-installdirs:
+installdirs: installdirs-recursive
+installdirs-am:
 	for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(plugindir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
 
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 
-installcheck: installcheck-am
+installcheck: installcheck-recursive
 install-strip:
 	if test -z '$(STRIP)'; then \
 	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
@@ -1085,96 +1210,97 @@ distclean-generic:
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
+clean: clean-recursive
 
 clean-am: clean-checkPROGRAMS clean-generic clean-ipseclibLTLIBRARIES \
 	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
 	mostlyclean-am
 
-distclean: distclean-am
+distclean: distclean-recursive
 	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
 
-dvi: dvi-am
+dvi: dvi-recursive
 
 dvi-am:
 
-html: html-am
+html: html-recursive
 
 html-am:
 
-info: info-am
+info: info-recursive
 
 info-am:
 
 install-data-am: install-ipseclibLTLIBRARIES install-pluginLTLIBRARIES
 
-install-dvi: install-dvi-am
+install-dvi: install-dvi-recursive
 
 install-dvi-am:
 
 install-exec-am:
 
-install-html: install-html-am
+install-html: install-html-recursive
 
 install-html-am:
 
-install-info: install-info-am
+install-info: install-info-recursive
 
 install-info-am:
 
 install-man:
 
-install-pdf: install-pdf-am
+install-pdf: install-pdf-recursive
 
 install-pdf-am:
 
-install-ps: install-ps-am
+install-ps: install-ps-recursive
 
 install-ps-am:
 
 installcheck-am:
 
-maintainer-clean: maintainer-clean-am
+maintainer-clean: maintainer-clean-recursive
 	-rm -rf ./$(DEPDIR) suites/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
-mostlyclean: mostlyclean-am
+mostlyclean: mostlyclean-recursive
 
 mostlyclean-am: mostlyclean-compile mostlyclean-generic \
 	mostlyclean-libtool
 
-pdf: pdf-am
+pdf: pdf-recursive
 
 pdf-am:
 
-ps: ps-am
+ps: ps-recursive
 
 ps-am:
 
 uninstall-am: uninstall-ipseclibLTLIBRARIES \
 	uninstall-pluginLTLIBRARIES
 
-.MAKE: check-am install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
-	clean-checkPROGRAMS clean-generic clean-ipseclibLTLIBRARIES \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	cscopelist-am ctags ctags-am distclean distclean-compile \
-	distclean-generic distclean-libtool distclean-tags distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-ipseclibLTLIBRARIES \
-	install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
+.MAKE: $(am__recursive_targets) check-am install-am install-strip
+
+.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
+	check-TESTS check-am clean clean-checkPROGRAMS clean-generic \
+	clean-ipseclibLTLIBRARIES clean-libtool \
+	clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES cscopelist-am \
+	ctags ctags-am distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-ipseclibLTLIBRARIES install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am \
 	uninstall-ipseclibLTLIBRARIES uninstall-pluginLTLIBRARIES
 
 
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index aeabbbd..2724910 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -84,12 +84,12 @@ The message encoding consists of a sequence of elements. Each element starts
 with the element type, optionally followed by an element name and/or an element
 value. Currently the following message element types are defined:
 
-* _SECTION_START = 0_: Begin a new section having a name
-* _SECTION_END = 1_: End a previously started section
-* _KEY_VALUE = 2_: Define a value for a named key in the current section
-* _LIST_START = 3_: Begin a named list for list items
-* _LIST_ITEM = 4_: Define an unnamed item value in the current list
-* _LIST_END = 5_: End a previously started list
+* _SECTION_START = 1_: Begin a new section having a name
+* _SECTION_END = 2_: End a previously started section
+* _KEY_VALUE = 3_: Define a value for a named key in the current section
+* _LIST_START = 4_: Begin a named list for list items
+* _LIST_ITEM = 5_: Define an unnamed item value in the current list
+* _LIST_END = 6_: End a previously started list
 
 Types are encoded as 8-bit values. Types having a name (SECTION_START,
 KEY_VALUE and LIST_START) have an ASCII string following the type, which itself
@@ -103,7 +103,8 @@ the length field itself.
 
 The interpretation of any value is not defined by the message format; it can
 take arbitrary blobs. The application may specify types for specific keys, such
-as strings or integer representations.
+as strings or integer representations. The vici plugin currently uses
+non-null terminated strings as values only; numbers get encoded as strings.
 
 ### Sections ###
 
@@ -165,6 +166,513 @@ the following C array:
 		1,
 	};
 
+## Client-initiated commands ##
+
+Based on the packet layer, VICI implements commands requested by the client
+and responded to by the server using named _CMD_REQUEST_ and _CMD_RESPONSE_
+packets wrapping messages. The request message may contain command arguments,
+the response message the reply.
+
+Some commands use response streaming, that is, a request triggers a series of
+events to consecutively stream data to the client before the response message
+completes the stream. A client must register for the appropriate event to
+receive the stream, and unregister after the response has been received.
+
+The following client issued commands with the appropriate command input and
+output messages are currently defined:
+
+### version() ###
+
+Returns daemon and system specific version information.
+
+	{} => {
+		daemon = <IKE daemon name>
+		version = <strongSwan version>
+		sysname = <operating system name>
+		release = <operating system release>
+		machine = <hardware identifier>
+	}
+
+### stats() ###
+
+Returns IKE daemon statistics and load information.
+
+	{} => {
+		uptime = {
+			running = <relative uptime in human-readable form>
+			since = <absolute startup time>
+		}
+		workers = {
+			total = <total number of worker threads>
+			idle = <worker threads currently idle>
+			active = {
+				critical = <threads processing "critical" priority jobs>
+				high = <threads processing "high" priority jobs>
+				medium = <threads processing "medium" priority jobs>
+				low = <threads processing "low" priority jobs>
+			}
+		}
+		queues = {
+			critical = <jobs queued with "critical" priority>
+			high = <jobs queued with "high" priority>
+			medium = <jobs queued with "medium" priority>
+			low = <jobs queued with "low" priority>
+		}
+		scheduled = <number of jobs scheduled for timed execution>
+		ikesas = {
+			total = <total number of IKE_SAs active>
+			half-open = <number of IKE_SAs in half-open state>
+		}
+		plugins = [
+			<names of loaded plugins>
+		]
+		mem = { # available if built with leak-detective or on Windows
+			total = <total heap memory usage in bytes>
+			allocs = <total heap allocation blocks>
+			<heap-name>* = { # on Windows only
+				total = <heap memory usage in bytes by this heap>
+				allocs = <allocated blocks for this heap>
+			}
+		}
+		mallinfo = { # available with mallinfo() support
+			sbrk = <non-mmaped space available>
+			mmap = <mmaped space available>
+			used = <total number of bytes used>
+			free = <available but unused bytes>
+		}
+	}
+
+### reload-settings() ###
+
+Reloads _strongswan.conf_ settings and all plugins supporting configuration
+reload.
+
+	{} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### initiate() ###
+
+Initiates an SA while streaming _control-log_ events.
+
+	{
+		child = <CHILD_SA configuration name to initiate>
+		timeout = <timeout in seconds before returning>
+		loglevel = <loglevel to issue "control-log" events for>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure or timeout>
+	}
+
+### terminate() ###
+
+Terminates an SA while streaming _control-log_ events.
+
+	{
+		child = <terminate a CHILD_SA by configuration name>
+		ike = <terminate an IKE_SA by configuration name>
+		child_id = <terminate a CHILD_SA by its reqid>
+		ike_id = <terminate an IKE_SA by its unique id>
+		timeout = <timeout in seconds before returning>
+		loglevel = <loglevel to issue "control-log" events for>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure or timeout>
+	}
+
+### install() ###
+
+Install a trap, drop or bypass policy defined by a CHILD_SA config.
+
+	{
+		child = <CHILD_SA configuration name to install>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### uninstall() ###
+
+Uninstall a trap, drop or bypass policy defined by a CHILD_SA config.
+
+	{
+		child = <CHILD_SA configuration name to install>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### list-sas() ###
+
+Lists currently active IKE_SAs and associated CHILD_SAs by streaming _list-sa_
+events.
+
+	{
+		noblock = <use non-blocking mode if key is set>
+		ike = <filter listed IKE_SAs by its name>
+		ike_id = <filter listed IKE_SA by its unique id>
+	} => {
+		# completes after streaming list-sa events
+	}
+
+### list-policies() ###
+
+List currently installed trap, drop and bypass policies by streaming
+_list-policy_ events.
+
+	{
+		drop = <set to yes to list drop policies>
+		pass = <set to yes to list bypass policies>
+		trap = <set to yes to list trap policies>
+		child = <filter by CHILD_SA configuration name>
+	} => {
+		# completes after streaming list-sa events
+	}
+
+### list-conns() ###
+
+List currently loaded connections by streaming _list-conn_ events. This
+call includes all connections known by the daemon, not only those loaded
+over vici.
+
+	{
+		ike = <list connections matching a given configuration name only>
+	} => {
+		# completes after streaming list-conn events
+	}
+
+### get-conns() ###
+
+Return a list of connection names loaded exclusively over vici, not including
+connections found in other backends.
+
+	{} => {
+		conns = [
+			<list of connection names>
+		]
+	}
+
+### list-certs() ###
+
+List currently loaded certificates by streaming _list-cert_ events. This
+call includes all certificates known by the daemon, not only those loaded
+over vici.
+
+	{
+		type = <certificate type to filter for, or ANY>
+		subject = <set to list only certificates having subject>
+	} => {
+		# completes after streaming list-cert events
+	}
+
+### load-conn() ###
+
+Load a single connection definition into the daemon. An existing connection
+with the same name gets updated or replaced.
+
+	{
+		<IKE_SA config name> = {
+			# IKE configuration parameters with authentication and CHILD_SA
+			# subsections. Refer to swanctl.conf(5) for details.
+		} => {
+			success = <yes or no>
+			errmsg = <error string on failure>
+		}
+	}
+
+### unload-conn() ###
+
+Unload a previously loaded connection definition by name.
+
+	{
+		name = <IKE_SA config name>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### load-cert() ###
+
+Load a certificate into the daemon.
+
+	{
+		type = <certificate type, X509|X509CA|X509AA|X509CRL|X509AC>
+		data = <PEM or DER encoded certificate data>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### load-key() ###
+
+Load a private key into the daemon.
+
+	{
+		type = <private key type, RSA|ECDSA>
+		data = <PEM or DER encoded key data>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### load-shared() ###
+
+Load a shared IKE PSK, EAP or XAuth secret into the daemon.
+
+	{
+		type = <private key type, IKE|EAP|XAUTH>
+		data = <raw shared key data>
+		owners = [
+			<list of shared key owner identities>
+		]
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### clear-creds() ###
+
+Clear all loaded certificate, private key and shared key credentials. This
+affects only credentials loaded over vici, but additionally flushes the
+credential cache.
+
+	{} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### load-pool() ###
+
+Load an in-memory virtual IP and configuration attribute pool. Existing
+pools with the same name get updated, if possible.
+
+	{
+		<pool name> = {
+			addrs = <subnet of virtual IP pool addresses>
+			<attribute type>* = [
+				# attribute type is one of address, dns, nbns, dhcp, netmask,
+				# server, subnet, split_include, split_exclude or a numerical
+				# attribute type identifier.
+				<list of attributes for type>
+			]
+		}
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### unload-pool() ###
+
+Unload a previously loaded virtual IP and configuration attribute pool.
+Unloading fails for pools with leases currently online.
+
+	{
+		name = <virtual IP address pool to delete>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### get-pools() ###
+
+List the currently loaded pools.
+
+	{} => {
+		<pool name>* = {
+			base = <virtual IP pool base address>
+			size = <total number of addresses in the pool>
+			online = <number of leases online>
+			offline = <number of leases offline>
+		}
+	}
+
+## Server-issued events ##
+
+Based on the packet layer, the vici plugin raises event messages using named
+EVENT packets wrapping messages. The message contains event details.
+
+### log ###
+
+The _log_ event is issued to registered clients for each debug log message.
+This event is not associated with a command.
+
+	{
+		group = <subsystem identifier for debug message>
+		level = <log level, 0-4>
+		thread = <numerical thread identifier issuing the log message>
+		ikesa-name = <name of IKE_SA, if log is associated with any>
+		ikesa-uniqued = <unique identifier of IKE_A, if log associated with any>
+		msg = <log message text>
+	}
+
+### control-log ###
+
+The _control-log_ event is issued for log events during active _initiate_ or
+_terminate_ commands. It is issued only to clients currently having such
+a command active.
+
+	{
+		group = <subsystem identifier for debug message>
+		level = <log level, 0-4>
+		ikesa-name = <name of IKE_SA, if log associated with any>
+		ikesa-uniqued = <unique identifier of IKE_A, if log associated with any>
+		msg = <log message text>
+	}
+
+### list-sa ###
+
+The _list-sa_ event is issued to stream IKE_SAs during an active _list-sas_
+command.
+
+	{
+		<IKE_SA config name> = {
+			uniqueid = <IKE_SA unique identifier>
+			version = <IKE version, 1 or 2>
+			state = <IKE_SA state name>
+			local-host = <local IKE endpoint address>
+			local-id = <local IKE identity>
+			remote-host = <remote IKE endpoint address>
+			remote-id = <remote IKE identity>
+			remote-xauth-id = <remote XAuth identity, if XAuth-authenticated>
+			remote-eap-id = <remote EAP identity, if EAP-authenticated>
+			initiator = <yes, if initiator of IKE_SA>
+			initiator-spi = <hex encoded initiator SPI / cookie>
+			responder-spi = <hex encoded responder SPI / cookie>
+			encr-alg = <IKE encryption algorithm string>
+			encr-keysize = <key size for encr-alg, if applicable>
+			integ-alg = <IKE integrity algorithm string>
+			integ-keysize = <key size for encr-alg, if applicable>
+			prf-alg = <IKE pseudo random function string>
+			dh-group = <IKE Diffie-Hellman group string>
+			established = <seconds the IKE_SA has been established>
+			rekey-time = <seconds before IKE_SA gets rekeyed>
+			reauth-time = <seconds before IKE_SA gets re-authenticated>
+			tasks-queued = [
+				<list of currently queued tasks for execution>
+			]
+			tasks-active = [
+				<list of tasks currently initiating actively>
+			]
+			tasks-passive = [
+				<list of tasks currently handling passively>
+			]
+			child-sas = {
+				<child-sa-name>* = {
+					reqid = <reqid of CHILD_SA>
+					state = <state string of CHILD_SA>
+					mode = <IPsec mode, tunnel|transport|beet>
+					protocol = <IPsec protocol AH|ESP>
+					encap = <yes if using UDP encapsulation>
+					spi-in = <hex encoded inbound SPI>
+					spi-out = <hex encoded outbound SPI>
+					cpi-in = <hex encoded inbound CPI, if using compression>
+					cpi-out = <hex encoded outbound CPI, if using compression>
+					encr-alg = <ESP encryption algorithm name, if any>
+					encr-keysize = <ESP encryption key size, if applicable>
+					integ-alg = <ESP or AH integrity algorithm name, if any>
+					integ-keysize = <ESP or AH integrity key size, if applicable>
+					prf-alg = <CHILD_SA pseudo random function name>
+					dh-group = <CHILD_SA PFS rekeying DH group name, if any>
+					esn = <1 if using extended sequence numbers>
+					bytes-in = <number of input bytes processed>
+					packets-in = <number of input packets processed>
+					use-in = <seconds since last inbound packet, if any>
+					bytes-out = <number of output bytes processed>
+					packets-out = <number of output packets processed>
+					use-out = <seconds since last outbound packet, if any>
+					rekey-time = <seconds before CHILD_SA gets rekeyed>
+					life-time = <seconds before CHILD_SA expires>
+					install-time = <seconds the CHILD_SA has been installed>
+					local-ts = [
+						<list of local traffic selectors>
+					]
+					remote-ts = [
+						<list of remote traffic selectors>
+					]
+				}
+			}
+		}
+	}
+
+### list-policy ###
+
+The _list-policy_ event is issued to stream installed policies during an active
+_list-policies_ command.
+
+	{
+		<child-sa-config-name> = {
+			mode = <policy mode, tunnel|transport|pass|drop>
+			local-ts = [
+				<list of local traffic selectors>
+			]
+			remote-ts = [
+				<list of remote traffic selectors>
+			]
+		}
+	}
+
+### list-conn ###
+
+The _list-conn_ event is issued to stream loaded connection during an active
+_list-conns_ command.
+
+	{
+		<IKE_SA connection name> = {
+			local_addrs = [
+				<list of valid local IKE endpoint addresses>
+			]
+			remote_addrs = [
+				<list of valid remote IKE endpoint addresses>
+			]
+			version = <IKE version as string, IKEv1|IKEv2 or 0 for any>
+
+			local*, remote* = { # multiple local and remote auth sections
+				class = <authentication type>
+				eap-type = <EAP type to authenticate if when using EAP>
+				eap-vendor = <EAP vendor for type, if any>
+				xauth = <xauth backend name>
+				revocation = <revocation policy>
+				id = <IKE identity>
+				aaa_id = <AAA authentication backend identity>
+				eap_id = <EAP identity for authentication>
+				xauth_id = <XAuth username for authentication>
+				groups = [
+					<group membership required to use connection>
+				]
+				certs = [
+					<certificates allowed for authentication>
+				]
+				cacerts = [
+					<CA certificates allowed for authentication>
+				]
+			}
+			children = {
+				<CHILD_SA config name>* = {
+					mode = <IPsec mode>
+					local-ts = [
+						<list of local traffic selectors>
+					]
+					remote-ts = [
+						<list of remote traffic selectors>
+					]
+				}
+			}
+		}
+	}
+
+### list-cert ###
+
+The _list-cert_ event is issued to stream loaded certificates during an active
+_list-certs_ command.
+
+	{
+		type = <certificate type>
+		has_privkey = <set if a private key for the certificate is available>
+		data = <ASN1 encoded certificate data>
+	}
+
+
 # libvici C client library #
 
 libvici is the reference implementation of a C client library implementing
@@ -172,5 +680,177 @@ the vici protocol. It builds upon libstrongswan, but provides a stable API
 to implement client applications in the C programming language. libvici uses
 the libstrongswan thread pool to deliver event messages asynchronously.
 
-More information about the libvici API is available in the libvici.h header
-file.
+## Connecting to the daemon ##
+
+This example shows how to connect to the daemon using the default URI, and
+then perform proper cleanup:
+
+	#include <stdio.h>
+	#include <errno.h>
+	#include <string.h>
+
+	#include <libvici.h>
+
+	int main(int argc, char *argv[])
+	{
+		vici_conn_t *conn;
+		int ret = 0;
+
+		vici_init();
+		conn = vici_connect(NULL);
+		if (conn)
+		{
+			/* do stuff */
+			vici_disconnect(conn);
+		}
+		else
+		{
+			ret = errno;
+			fprintf(stderr, "connecting failed: %s\n", strerror(errno));
+		}
+		vici_deinit();
+		return ret;
+	}
+
+## A simple client request ##
+
+In the following example, a simple _version_ request is issued to the daemon
+and the result is printed:
+
+	int get_version(vici_conn_t *conn)
+	{
+		vici_req_t *req;
+		vici_res_t *res;
+		int ret = 0;
+
+		req = vici_begin("version");
+		res = vici_submit(req, conn);
+		if (res)
+		{
+			printf("%s %s (%s, %s, %s)\n",
+				vici_find_str(res, "", "daemon"),
+				vici_find_str(res, "", "version"),
+				vici_find_str(res, "", "sysname"),
+				vici_find_str(res, "", "release"),
+				vici_find_str(res, "", "machine"));
+			vici_free_res(res);
+		}
+		else
+		{
+			ret = errno;
+			fprintf(stderr, "version request failed: %s\n", strerror(errno));
+		}
+		return ret;
+	}
+
+## A request with event streaming and callback parsing ##
+
+In this more advanced example, the _list-conns_ command is used to stream
+loaded connections with the _list-conn_ event. The event message is parsed
+with a simple callback to print the connection name:
+
+	int conn_cb(void *null, vici_res_t *res, char *name)
+	{
+		printf("%s\n", name);
+		return 0;
+	}
+
+	void list_cb(void *null, char *name, vici_res_t *res)
+	{
+		if (vici_parse_cb(res, conn_cb, NULL, NULL, NULL) != 0)
+		{
+			fprintf(stderr, "parsing failed: %s\n", strerror(errno));
+		}
+	}
+
+	int list_conns(vici_conn_t *conn)
+	{
+		vici_req_t *req;
+		vici_res_t *res;
+		int ret = 0;
+
+		if (vici_register(conn, "list-conn", list_cb, NULL) == 0)
+		{
+			req = vici_begin("list-conns");
+			res = vici_submit(req, conn);
+			if (res)
+			{
+				vici_free_res(res);
+			}
+			else
+			{
+				ret = errno;
+				fprintf(stderr, "request failed: %s\n", strerror(errno));
+			}
+			vici_register(conn, "list-conn", NULL, NULL);
+		}
+		else
+		{
+			ret = errno;
+			fprintf(stderr, "registration failed: %s\n", strerror(errno));
+		}
+		return ret;
+	}
+
+## API documentation ##
+
+More information about the libvici API is available in the _libvici.h_ header
+file or the generated Doxygen documentation.
+
+# vici ruby gem #
+
+The _vici ruby gem_ is a pure ruby implementation of the VICI protocol to
+implement client applications. It is provided in the _ruby_ subdirectory, and
+gets built and installed if strongSwan has been _./configure_'d with
+_--enable-vici_ and _--enable-ruby-gems_.
+
+The _Connection_ class from the _Vici_ module provides the high level interface,
+the underlying classes are usually not required to build ruby applications
+using VICI. The _Connection_ class provides methods for the supported VICI
+commands and an event listening mechanism.
+
+To represent the VICI message data tree, the gem converts the binary encoding
+to ruby data types. The _Connection_ class takes and returns ruby objects for
+the exchanged message data:
+ * Sections get encoded as Hash, containing other sections as Hash, or
+ * Key/Values, where the values are Strings as Hash values
+ * Lists get encoded as Arrays with String values
+Non-String values that are not a Hash nor an Array get converted with .to_s
+during encoding.
+
+## Connecting to the daemon ##
+
+To create a connection to the daemon, a socket must be passed to the
+_Connection_ constructor. There is no default, but on Unix systems usually
+a Unix socket over _/var/run/charon.vici_ is used:
+
+	require "vici"
+	require "socket"
+
+	v = Vici::Connection.new(UNIXSocket.new("/var/run/charon.vici"))
+
+## A simple client request ##
+
+An example to print the daemon version information is as simple as:
+
+	x = v.version
+	puts "%s %s (%s, %s, %s)" % [
+		x["daemon"], x["version"], x["sysname"], x["release"], x["machine"]
+	]
+
+## A request with closure invocation ##
+
+The _Connection_ class takes care of event streaming by invoking a closure
+for each event. The following example lists all loaded connections using the
+_list-conns_ command and implicitly the _list-conn_ event:
+
+	v.list_conns { |conn|
+		conn.each { |key, value|
+			puts key
+		}
+	}
+
+## API documentation ##
+
+For more details about the ruby gem refer to the comments in the gem source
+code or the generated documentation.
diff --git a/src/libcharon/plugins/vici/libvici.c b/src/libcharon/plugins/vici/libvici.c
index a2cbb30..c0205cc 100644
--- a/src/libcharon/plugins/vici/libvici.c
+++ b/src/libcharon/plugins/vici/libvici.c
@@ -438,7 +438,7 @@ void vici_free_req(vici_req_t *req)
 	free(req);
 }
 
-int vici_dump(vici_res_t *res, char *label, bool pretty, FILE *out)
+int vici_dump(vici_res_t *res, char *label, int pretty, FILE *out)
 {
 	if (res->message->dump(res->message, label, pretty, out))
 	{
@@ -754,11 +754,14 @@ void vici_init()
 	library_init(NULL, "vici");
 	if (lib->processor->get_total_threads(lib->processor) < 4)
 	{
+		dbg_default_set_level(0);
 		lib->processor->set_threads(lib->processor, 4);
+		dbg_default_set_level(1);
 	}
 }
 
 void vici_deinit()
 {
+	lib->processor->cancel(lib->processor);
 	library_deinit();
 }
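Review bot: In vici_init() the added `dbg_default_set_level(1)` forces level 1 after `set_threads()` instead of restoring the level that was active before `dbg_default_set_level(0)`. Whether a caller-chosen level can be lost this way depends on what `library_init()` does to the default level, which is outside this hunk. If 1 is simply the default at that point, a comment would settle it, e.g. `/* silence the thread start-up log; 1 is the default level after library_init() */`. The new `lib->processor->cancel(lib->processor);` in vici_deinit() also deserves a one-line comment on why the worker threads are cancelled before `library_deinit()`.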
diff --git a/src/libcharon/plugins/vici/libvici.h b/src/libcharon/plugins/vici/libvici.h
index 58595d8..641370e 100644
--- a/src/libcharon/plugins/vici/libvici.h
+++ b/src/libcharon/plugins/vici/libvici.h
@@ -75,8 +75,6 @@
 
 #include <stdio.h>
 
-#include <utils/utils.h>
-
 /**
  * Opaque vici connection contex.
  */
@@ -284,7 +282,7 @@ void vici_free_req(vici_req_t *req);
  * @param out		FILE to dump to
  * @return			0 if dumped complete message, 1 on error
  */
-int vici_dump(vici_res_t *res, char *label, bool pretty, FILE *out);
+int vici_dump(vici_res_t *res, char *label, int pretty, FILE *out);
 
 /**
  * Parse next element from a vici response message.
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.am b/src/libcharon/plugins/vici/ruby/Makefile.am
new file mode 100644
index 0000000..ce38e1c
--- /dev/null
+++ b/src/libcharon/plugins/vici/ruby/Makefile.am
@@ -0,0 +1,22 @@
+EXTRA_DIST = vici.gemspec.in lib/vici.rb
+
+vici.gemspec: $(srcdir)/vici.gemspec.in
+	$(AM_V_GEN) sed \
+	-e "s:@GEM_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/vici.gemspec.in > $@
+
+vici-$(PACKAGE_VERSION).gem: vici.gemspec
+	$(GEM) build vici.gemspec
+
+all-local: vici-$(PACKAGE_VERSION).gem
+
+clean-local:
+	rm -f vici.gemspec vici-$(PACKAGE_VERSION).gem
+
+install-data-local: vici-$(PACKAGE_VERSION).gem
+	$(GEM) install --install-dir $(DESTDIR)$(RUBYGEMDIR) \
+		vici-$(PACKAGE_VERSION).gem
+
+uninstall-local:
+	$(GEM) uninstall --install-dir $(DESTDIR)$(RUBYGEMDIR) \
+		--version $(PACKAGE_VERSION) vici
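Review bot: The `install-data-local` recipe runs `$(GEM) install` without `--local`, so whether the install step may contact a remote gem source is left to the gem client. The gemspec added in this commit declares no dependencies, but adding one later would let a package build pull code from the network. `$(GEM) install --local --install-dir $(DESTDIR)$(RUBYGEMDIR) \` keeps the step offline. Separately, `vici.gemspec` depends only on `$(srcdir)/vici.gemspec.in`, so a new `$(PACKAGE_VERSION)` after re-running configure does not regenerate it; `vici.gemspec: $(srcdir)/vici.gemspec.in Makefile` would.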
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
new file mode 100644
index 0000000..c8a8c11
--- /dev/null
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -0,0 +1,556 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/vici/ruby
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+EXTRA_DIST = vici.gemspec.in lib/vici.rb
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/vici/ruby/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/vici/ruby/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-local mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-data-local
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-local
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am all-local check check-am clean clean-generic \
+	clean-libtool clean-local cscopelist-am ctags-am distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-local install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
+	uninstall-am uninstall-local
+
+
+vici.gemspec: $(srcdir)/vici.gemspec.in
+	$(AM_V_GEN) sed \
+	-e "s:@GEM_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/vici.gemspec.in > $@
+
+vici-$(PACKAGE_VERSION).gem: vici.gemspec
+	$(GEM) build vici.gemspec
+
+all-local: vici-$(PACKAGE_VERSION).gem
+
+clean-local:
+	rm -f vici.gemspec vici-$(PACKAGE_VERSION).gem
+
+install-data-local: vici-$(PACKAGE_VERSION).gem
+	$(GEM) install --install-dir $(DESTDIR)$(RUBYGEMDIR) \
+		vici-$(PACKAGE_VERSION).gem
+
+uninstall-local:
+	$(GEM) uninstall --install-dir $(DESTDIR)$(RUBYGEMDIR) \
+		--version $(PACKAGE_VERSION) vici
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb
new file mode 100644
index 0000000..e8a9ddc
--- /dev/null
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@@ -0,0 +1,569 @@
+##
+# The Vici module implements a native ruby client side library for the
+# strongSwan VICI protocol. The Connection class provides a high-level
+# interface to issue requests or listen for events.
+#
+#  Copyright (C) 2014 Martin Willi
+#  Copyright (C) 2014 revosec AG
+#
+#  Permission is hereby granted, free of charge, to any person obtaining a copy
+#  of this software and associated documentation files (the "Software"), to deal
+#  in the Software without restriction, including without limitation the rights
+#  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+#  copies of the Software, and to permit persons to whom the Software is
+#  furnished to do so, subject to the following conditions:
+#
+#  The above copyright notice and this permission notice shall be included in
+#  all copies or substantial portions of the Software.
+#
+#  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+#  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+#  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+#  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+#  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+#  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+#  THE SOFTWARE.
+
+module Vici
+
+  ##
+  # Vici specific exception all others inherit from
+  class Error < StandardError
+  end
+
+  ##
+  # Error while parsing a vici message from the daemon
+  class ParseError < Error
+  end
+
+  ##
+  # Error while encoding a vici message from ruby data structures
+  class EncodeError < Error
+  end
+
+  ##
+  # Error while exchanging messages over the vici Transport layer
+  class TransportError < Error
+  end
+
+  ##
+  # Generic vici command execution error
+  class CommandError < Error
+  end
+
+  ##
+  # Error if an issued vici command is unknown by the daemon
+  class CommandUnknownError < CommandError
+  end
+
+  ##
+  # Error if a command failed to execute in the daemon
+  class CommandExecError < CommandError
+  end
+
+  ##
+  # Generic vici event handling error
+  class EventError < Error
+  end
+
+  ##
+  # Tried to register to / unregister from an unknown vici event
+  class EventUnknownError < EventError
+  end
+
+  ##
+  # Exception to raise from an event listening closure to stop listening
+  class StopEventListening < Exception
+  end
+
+
+  ##
+  # The Message class provides the low level encoding and decoding of vici
+  # protocol messages. Directly using this class is usually not required.
+  class Message
+
+    SECTION_START = 1
+    SECTION_END = 2
+    KEY_VALUE = 3
+    LIST_START = 4
+    LIST_ITEM = 5
+    LIST_END = 6
+
+    def initialize(data = "")
+      if data == nil
+        @root = Hash.new()
+      elsif data.is_a?(Hash)
+        @root = data
+      else
+        @encoded = data
+      end
+    end
+
+    ##
+    # Get the raw byte encoding of an on-the-wire message
+    def encoding
+      if @encoded == nil
+        @encoded = encode(@root)
+      end
+      @encoded
+    end
+
+    ##
+    # Get the root element of the parsed ruby data structures
+    def root
+      if @root == nil
+        @root = parse(@encoded)
+      end
+      @root
+    end
+
+    private
+
+    def encode_name(name)
+      [name.length].pack("c") << name
+    end
+
+    def encode_value(value)
+      if value.class != String
+        value = value.to_s
+      end
+      [value.length].pack("n") << value
+    end
+
+    def encode_kv(encoding, key, value)
+      encoding << KEY_VALUE << encode_name(key) << encode_value(value)
+    end
+
+    def encode_section(encoding, key, value)
+      encoding << SECTION_START << encode_name(key)
+      encoding << encode(value) << SECTION_END
+    end
+
+    def encode_list(encoding, key, value)
+      encoding << LIST_START << encode_name(key)
+      value.each do |item|
+        encoding << LIST_ITEM << encode_value(item)
+      end
+      encoding << LIST_END
+    end
+
+    def encode(node)
+      encoding = ""
+      node.each do |key, value|
+        case value.class
+          when String, Fixnum, true, false
+            encoding = encode_kv(encoding, key, value)
+          else
+            if value.is_a?(Hash)
+              encoding = encode_section(encoding, key, value)
+            elsif value.is_a?(Array)
+              encoding = encode_list(encoding, key, value)
+            else
+              encoding = encode_kv(encoding, key, value)
+            end
+        end
+      end
+      encoding
+    end
+
+    def parse_name(encoding)
+      len = encoding.unpack("c")[0]
+      name = encoding[1, len]
+      return encoding[(1 + len)..-1], name
+    end
+
+    def parse_value(encoding)
+      len = encoding.unpack("n")[0]
+      value = encoding[2, len]
+      return encoding[(2 + len)..-1], value
+    end
+
+    def parse(encoding)
+      stack = [Hash.new]
+      list = nil
+      while encoding.length != 0 do
+        type = encoding.unpack("c")[0]
+        encoding = encoding[1..-1]
+        case type
+          when SECTION_START
+            encoding, name = parse_name(encoding)
+            stack.push(stack[-1][name] = Hash.new)
+          when SECTION_END
+            if stack.length() == 1
+              raise ParseError, "unexpected section end"
+            end
+            stack.pop()
+          when KEY_VALUE
+            encoding, name = parse_name(encoding)
+            encoding, value = parse_value(encoding)
+            stack[-1][name] = value
+          when LIST_START
+            encoding, name = parse_name(encoding)
+            stack[-1][name] = []
+            list = name
+          when LIST_ITEM
+            raise ParseError, "unexpected list item" if list == nil
+            encoding, value = parse_value(encoding)
+            stack[-1][list].push(value)
+          when LIST_END
+            raise ParseError, "unexpected list end" if list == nil
+            list = nil
+          else
+            raise ParseError, "invalid type: #{type}"
+        end
+      end
+      if stack.length() > 1
+        raise ParseError, "unexpected message end"
+      end
+      stack[0]
+    end
+  end
+
+
+  ##
+  # The Transport class implements to low level segmentation of packets
+  # to the underlying transport stream.  Directly using this class is usually
+  # not required.
+  class Transport
+
+    CMD_REQUEST = 0
+    CMD_RESPONSE = 1
+    CMD_UNKNOWN = 2
+    EVENT_REGISTER = 3
+    EVENT_UNREGISTER = 4
+    EVENT_CONFIRM = 5
+    EVENT_UNKNOWN = 6
+    EVENT = 7
+
+    ##
+    # Create a transport layer using a provided socket for communication.
+    def initialize(socket)
+      @socket = socket
+      @events = Hash.new
+    end
+
+    ##
+    # Write a packet prefixed by its length over the transport socket. Type
+    # specifies the message, the optional label and message get appended.
+    def write(type, label, message)
+      encoding = ""
+      if label
+        encoding << label.length << label
+      end
+      if message
+        encoding << message.encoding
+      end
+      @socket.send([encoding.length + 1, type].pack("Nc") + encoding, 0)
+    end
+
+    ##
+    # Read a packet from the transport socket. Returns the packet type, and
+    # if available in the packet a label and the contained message.
+    def read
+      len = @socket.recv(4).unpack("N")[0]
+      encoding = @socket.recv(len)
+      type = encoding.unpack("c")[0]
+      len = 1
+      case type
+        when CMD_REQUEST, EVENT_REGISTER, EVENT_UNREGISTER, EVENT
+          label = encoding[2, encoding[1].unpack("c")[0]]
+          len += label.length + 1
+        when CMD_RESPONSE, CMD_UNKNOWN, EVENT_CONFIRM, EVENT_UNKNOWN
+          label = nil
+        else
+          raise TransportError, "invalid message: #{type}"
+      end
+      if encoding.length == len
+        return type, label, Message.new
+      end
+      return type, label, Message.new(encoding[len..-1])
+    end
+
+    def dispatch_event(name, message)
+      @events[name].each do |handler|
+        handler.call(name, message)
+      end
+    end
+
+    def read_and_dispatch_event
+      type, label, message = read
+      p
+      if type == EVENT
+        dispatch_event(label, message)
+      else
+        raise TransportError, "unexpected message: #{type}"
+      end
+    end
+
+    def read_and_dispatch_events
+      loop do
+        type, label, message = read
+        if type == EVENT
+          dispatch_event(label, message)
+        else
+          return type, label, message
+        end
+      end
+    end
+
+    ##
+    # Send a command with a given name, and optionally a message. Returns
+    # the reply message on success.
+    def request(name, message = nil)
+      write(CMD_REQUEST, name, message)
+      type, label, message = read_and_dispatch_events
+      case type
+        when CMD_RESPONSE
+          return message
+        when CMD_UNKNOWN
+          raise CommandUnknownError, name
+        else
+          raise CommandError, "invalid response for #{name}"
+      end
+    end
+
+    ##
+    # Register a handler method for the given event name
+    def register(name, handler)
+      write(EVENT_REGISTER, name, nil)
+      type, label, message = read_and_dispatch_events
+      case type
+        when EVENT_CONFIRM
+          if @events.has_key?(name)
+            @events[name] += [handler]
+          else
+            @events[name] = [handler];
+          end
+        when EVENT_UNKNOWN
+          raise EventUnknownError, name
+        else
+          raise EventError, "invalid response for #{name} register"
+      end
+    end
+
+    ##
+    # Unregister a handler method for the given event name
+    def unregister(name, handler)
+      write(EVENT_UNREGISTER, name, nil)
+      type, label, message = read_and_dispatch_events
+      case type
+        when EVENT_CONFIRM
+          @events[name] -= [handler]
+        when EVENT_UNKNOWN
+          raise EventUnknownError, name
+        else
+          raise EventError, "invalid response for #{name} unregister"
+      end
+    end
+  end
+
+
+  ##
+  # The Connection class provides the high-level interface to monitor, configure
+  # and control the IKE daemon. It takes a connected stream-oriented Socket for
+  # the communication with the IKE daemon.
+  #
+  # This class takes and returns ruby objects for the exchanged message data.
+  # * Sections get encoded as Hash, containing other sections as Hash, or
+  # * Key/Values, where the values are Strings as Hash values
+  # * Lists get encoded as Arrays with String values
+  # Non-String values that are not a Hash nor an Array get converted with .to_s
+  # during encoding.
+  class Connection
+
+    def initialize(socket)
+      @transp = Transport.new(socket)
+    end
+
+    ##
+    # List matching loaded connections. The provided closure is invoked
+    # for each matching connection.
+    def list_conns(match = nil, &block)
+      call_with_event("list-conns", Message.new(match), "list-conn", &block)
+    end
+
+    ##
+    # List matching active SAs. The provided closure is invoked for each
+    # matching SA.
+    def list_sas(match = nil, &block)
+      call_with_event("list-sas", Message.new(match), "list-sa", &block)
+    end
+
+    ##
+    # List matching installed policies. The provided closure is invoked
+    # for each matching policy.
+    def list_policies(match, &block)
+      call_with_event("list-policies", Message.new(match), "list-policy",
+                      &block)
+    end
+
+    ##
+    # List matching loaded certificates. The provided closure is invoked
+    # for each matching certificate definition.
+    def list_certs(match = nil, &block)
+      call_with_event("list-certs", Message.new(match), "list-cert", &block)
+    end
+
+    ##
+    # Load a connection into the daemon.
+    def load_conn(conn)
+      check_success(@transp.request("load-conn", Message.new(conn)))
+    end
+
+    ##
+    # Unload a connection from the daemon.
+    def unload_conn(conn)
+      check_success(@transp.request("unload-conn", Message.new(conn)))
+    end
+
+    ##
+    # Get the names of connections managed by vici.
+    def get_conns()
+      @transp.request("get-conns").root
+    end
+
+    ##
+    # Clear all loaded credentials.
+    def clear_creds()
+      check_success(@transp.request("clear-creds"))
+    end
+
+    ##
+    # Load a certificate into the daemon.
+    def load_cert(cert)
+      check_success(@transp.request("load-cert", Message.new(cert)))
+    end
+
+    ##
+    # Load a private key into the daemon.
+    def load_key(key)
+      check_success(@transp.request("load-key", Message.new(key)))
+    end
+
+    ##
+    # Load a shared key into the daemon.
+    def load_shared(shared)
+      check_success(@transp.request("load-shared", Message.new(shared)))
+    end
+
+    ##
+    # Load a virtual IP / attribute pool
+    def load_pool(pool)
+      check_success(@transp.request("load-pool", Message.new(pool)))
+    end
+
+    ##
+    # Unload a virtual IP / attribute pool
+    def unload_pool(pool)
+      check_success(@transp.request("unload-pool", Message.new(pool)))
+    end
+
+    ##
+    # Get the currently loaded pools.
+    def get_pools()
+      @transp.request("get-pools").root
+    end
+
+    ##
+    # Initiate a connection. The provided closure is invoked for each log line.
+    def initiate(options, &block)
+      check_success(call_with_event("initiate", Message.new(options),
+                    "control-log", &block))
+    end
+
+    ##
+    # Terminate a connection. The provided closure is invoked for each log line.
+    def terminate(options, &block)
+      check_success(call_with_event("terminate", Message.new(options),
+                    "control-log", &block))
+    end
+
+    ##
+    # Install a shunt/route policy.
+    def install(policy)
+      check_success(@transp.request("install", Message.new(policy)))
+    end
+
+    ##
+    # Uninstall a shunt/route policy.
+    def uninstall(policy)
+      check_success(@transp.request("uninstall", Message.new(policy)))
+    end
+
+    ##
+    # Reload strongswan.conf settings.
+    def reload_settings
+      check_success(@transp.request("reload-settings", nil))
+    end
+
+    ##
+    # Get daemon statistics and information.
+    def stats
+      @transp.request("stats", nil).root
+    end
+
+    ##
+    # Get daemon version information
+    def version
+      @transp.request("version", nil).root
+    end
+
+    ##
+    # Listen for a set of event messages. This call is blocking, and invokes
+    # the passed closure for each event received. The closure receives the
+    # event name and the event message as argument. To stop listening, the
+    # closure may raise a StopEventListening exception, the only catched
+    # exception.
+    def listen_events(events, &block)
+      self.class.instance_eval do
+        define_method(:listen_event) do |label, message|
+          block.call(label, message.root)
+        end
+      end
+      events.each do |event|
+        @transp.register(event, method(:listen_event))
+      end
+      begin
+        loop do
+          @transp.read_and_dispatch_event
+        end
+      rescue StopEventListening
+      ensure
+        events.each do |event|
+          @transp.unregister(event, method(:listen_event))
+        end
+      end
+    end
+
+    ##
+    # Issue a command request, but register for a specific event while the
+    # command is active. VICI uses this mechanism to stream potentially large
+    # data objects continuously. The provided closure is invoked for all
+    # event messages.
+    def call_with_event(command, request, event, &block)
+      self.class.instance_eval do
+        define_method(:call_event) do |label, message|
+          block.call(message.root)
+        end
+      end
+      @transp.register(event, method(:call_event))
+      begin
+        reply = @transp.request(command, request)
+      ensure
+        @transp.unregister(event, method(:call_event))
+      end
+      reply
+    end
+
+    ##
+    # Check if the reply of a command indicates "success", otherwise raise a
+    # CommandExecError exception
+    def check_success(reply)
+      root = reply.root
+      if root["success"] != "yes"
+        raise CommandExecError, root["errmsg"]
+      end
+      root
+    end
+  end
+end
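Review bot: `Transport#read` assumes `@socket.recv(4)` and `@socket.recv(len)` each return every byte requested, but on a stream socket `recv` may return fewer, and nothing once the peer closes. The caller then gets a `nil` length or a truncated packet passed to `Message.new` instead of a `TransportError`, and `len` is taken from the wire with no upper bound. `parse_name` and `parse_value` have the same gap one layer up: a length running past the remaining buffer makes the `[(1 + len)..-1]` slice `nil`, so `parse` ends in `NoMethodError` rather than `ParseError`, and `unpack("c")` reads the name length as a signed byte. A read-exactly helper as sketched below closes the transport part; the parser needs a bounds check before each slice.

```ruby
    # Read exactly len bytes; recv on a stream socket may return fewer.
    def recv_all(len)
      data = String.new
      while data.bytesize < len
        chunk = @socket.recv(len - data.bytesize)
        if chunk.nil? || chunk.empty?
          raise TransportError, "connection closed"
        end
        data << chunk
      end
      data
    end

    def read
      len = recv_all(4).unpack("N")[0]
      raise TransportError, "empty packet" if len == 0
      # a sanity limit on len belongs here; the protocol maximum is not
      # visible in this file
      encoding = recv_all(len)
      type = encoding.unpack("c")[0]
      # … unchanged: label extraction and Message construction …
```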
diff --git a/src/libcharon/plugins/vici/ruby/vici.gemspec.in b/src/libcharon/plugins/vici/ruby/vici.gemspec.in
new file mode 100644
index 0000000..5ad61c0
--- /dev/null
+++ b/src/libcharon/plugins/vici/ruby/vici.gemspec.in
@@ -0,0 +1,16 @@
+Gem::Specification.new do |s|
+  s.name          = "vici"
+  s.version       = "@GEM_VERSION@"
+  s.authors       = ["Martin Willi"]
+  s.email         = ["martin at strongswan.ch"]
+  s.description   = %q{
+     The strongSwan VICI protocol allows external application to monitor,
+     configure and control the IKE daemon charon. This ruby gem provides a
+     native client side implementation of the VICI protocol, well suited to
+     script automated tasks in a relaible way.
+  }
+  s.summary       = "Native ruby interface for strongSwan VICI"
+  s.homepage      = "https://wiki.strongswan.org/projects/strongswan/wiki/Vici"
+  s.license       = "MIT"
+  s.files         = "lib/vici.rb"
+end
diff --git a/src/libcharon/plugins/vici/suites/test_message.c b/src/libcharon/plugins/vici/suites/test_message.c
index 2931173..e76d273 100644
--- a/src/libcharon/plugins/vici/suites/test_message.c
+++ b/src/libcharon/plugins/vici/suites/test_message.c
@@ -347,7 +347,7 @@ START_TEST(test_get_int)
 	ck_assert_int_eq(m->get_int(m, 2, "section1.key2"), 0x12);
 	ck_assert_int_eq(m->get_int(m, 2, "section1.section2.key3"), -1);
 	ck_assert_int_eq(m->get_int(m, 2, "section1.key4"), 2);
-	ck_assert_int_eq(m->get_int(m, 2, "key5"), 0);
+	ck_assert_int_eq(m->get_int(m, 2, "key5"), 2);
 	ck_assert_int_eq(m->get_int(m, 2, "nonexistent"), 2);
 	ck_assert_int_eq(m->get_int(m, 2, "n.o.n.e.x.i.s.t.e.n.t"), 2);
 
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 3cd0081..292a400 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -450,6 +450,17 @@ CALLBACK(uninstall, vici_message_t*,
 	return send_reply(this, "policy '%s' not found", child);
 }
 
+CALLBACK(reload_settings, vici_message_t*,
+	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
+{
+	if (lib->settings->load_files(lib->settings, lib->conf, FALSE))
+	{
+		lib->plugins->reload(lib->plugins, NULL);
+		return send_reply(this, NULL);
+	}
+	return send_reply(this, "reloading '%s' failed", lib->conf);
+}
+
 static void manage_command(private_vici_control_t *this,
 						   char *name, vici_command_cb_t cb, bool reg)
 {
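Review bot: `reload_settings` is added without any comment, although it lets a vici client make the daemon re-read `lib->conf` and reload its plugins; presumably the only gate is who may connect to the vici socket, and that should be stated. I would put `/** Reload the settings file and notify plugins; available to every client of the vici socket */` above the callback. The result of `lib->plugins->reload()` is discarded, so the reply reports success even if no plugin applied the new settings; whether that matters depends on the reload contract, which is outside this hunk.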
@@ -466,6 +477,7 @@ static void manage_commands(private_vici_control_t *this, bool reg)
 	manage_command(this, "terminate", terminate, reg);
 	manage_command(this, "install", install, reg);
 	manage_command(this, "uninstall", uninstall, reg);
+	manage_command(this, "reload-settings", reload_settings, reg);
 	this->dispatcher->manage_event(this->dispatcher, "control-log", reg);
 }
 
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index cc6434b..d4c02de 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -270,13 +270,10 @@ CALLBACK(load_shared, vici_message_t*,
 CALLBACK(clear_creds, vici_message_t*,
 	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
-	vici_builder_t *builder;
-
 	this->creds->clear(this->creds);
 	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
 
-	builder = vici_builder_create();
-	return builder->finalize(builder);
+	return create_reply(NULL);
 }
 
 static void manage_command(private_vici_cred_t *this,
diff --git a/src/libcharon/plugins/vici/vici_message.c b/src/libcharon/plugins/vici/vici_message.c
index dcc175f..e79fbc8 100644
--- a/src/libcharon/plugins/vici/vici_message.c
+++ b/src/libcharon/plugins/vici/vici_message.c
@@ -355,6 +355,10 @@ METHOD(vici_message_t, vget_int, int,
 	found = find_value(this, &value, fmt, args);
 	if (found)
 	{
+		if (value.len == 0)
+		{
+			return def;
+		}
 		if (chunk_printable(value, NULL, 0))
 		{
 			snprintf(buf, sizeof(buf), "%.*s", (int)value.len, value.ptr);
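Review bot: The added `value.len == 0` branch makes an empty value indistinguishable from a missing key, and nothing documents that for callers that read limits or flags through get_int(). A comment on the check such as `/* an empty value is handled like a missing key */`, with a matching sentence in the get_int() documentation, would do. In the line below it, `snprintf()` copies at most `sizeof(buf) - 1` bytes, so an over-long digit string would be parsed from a truncated copy unless it is rejected elsewhere; the size of `buf` and the rest of vget_int are outside this hunk.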
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 8a714a9..b1cc1d1 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -242,6 +242,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -302,6 +303,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -367,6 +369,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -414,6 +418,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index 26bb6fb..e393ee1 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index f06fdb5..f0e7727 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index 72f3dc6..a4c1aae 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 9af015e..296ccaa 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
index f99c0b9..fb480ee 100644
--- a/src/libcharon/processing/jobs/adopt_children_job.c
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -17,6 +17,7 @@
 
 #include <daemon.h>
 #include <hydra.h>
+#include <collections/array.h>
 
 typedef struct private_adopt_children_job_t private_adopt_children_job_t;
 
@@ -34,11 +35,17 @@ struct private_adopt_children_job_t {
 	 * IKE_SA id to adopt children from
 	 */
 	ike_sa_id_t *id;
+
+	/**
+	 * Tasks queued for execution
+	 */
+	array_t *tasks;
 };
 
 METHOD(job_t, destroy, void,
 	private_adopt_children_job_t *this)
 {
+	array_destroy_offset(this->tasks, offsetof(task_t, destroy));
 	this->id->destroy(this->id);
 	free(this);
 }
@@ -149,6 +156,32 @@ METHOD(job_t, execute, job_requeue_t,
 			}
 		}
 		children->destroy_offset(children, offsetof(child_sa_t, destroy));
+
+		if (array_count(this->tasks))
+		{
+			ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+													  this->id);
+			if (ike_sa)
+			{
+				task_t *task;
+
+				while (array_remove(this->tasks, ARRAY_HEAD, &task))
+				{
+					task->migrate(task, ike_sa);
+					ike_sa->queue_task(ike_sa, task);
+				}
+				if (ike_sa->initiate(ike_sa, NULL, 0, NULL, NULL) == DESTROY_ME)
+				{
+					charon->ike_sa_manager->checkin_and_destroy(
+											charon->ike_sa_manager, ike_sa);
+				}
+				else
+				{
+					charon->ike_sa_manager->checkin(charon->ike_sa_manager,
+													ike_sa);
+				}
+			}
+		}
 	}
 	return JOB_REQUEUE_NONE;
 }
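Review bot: When `checkout()` returns NULL in the added block, the queued tasks are dropped without a log line; they stay in `this->tasks` and are only released later by `destroy()`. An `else` branch with something like `DBG1(DBG_IKE, "IKE_SA not found, queued tasks not initiated");` would make the lost work visible to an operator. The beginning of execute() is outside this hunk, so whether `this->id` can still be checked out at this point cannot be judged from here.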
@@ -159,6 +192,12 @@ METHOD(job_t, get_priority, job_priority_t,
 	return JOB_PRIO_HIGH;
 }
 
+METHOD(adopt_children_job_t, queue_task, void,
+	private_adopt_children_job_t *this, task_t *task)
+{
+	array_insert_create(&this->tasks, ARRAY_TAIL, task);
+}
+
 /**
  * See header
  */
@@ -173,6 +212,7 @@ adopt_children_job_t *adopt_children_job_create(ike_sa_id_t *id)
 				.get_priority = _get_priority,
 				.destroy = _destroy,
 			},
+			.queue_task = _queue_task,
 		},
 		.id = id->clone(id),
 	);
diff --git a/src/libcharon/processing/jobs/adopt_children_job.h b/src/libcharon/processing/jobs/adopt_children_job.h
index 073504a..ee99ee4 100644
--- a/src/libcharon/processing/jobs/adopt_children_job.h
+++ b/src/libcharon/processing/jobs/adopt_children_job.h
@@ -24,6 +24,7 @@
 #include <library.h>
 #include <processing/jobs/job.h>
 #include <sa/ike_sa_id.h>
+#include <sa/task.h>
 
 typedef struct adopt_children_job_t adopt_children_job_t;
 
@@ -36,6 +37,13 @@ struct adopt_children_job_t {
 	 * Implements job_t.
 	 */
 	job_t job_interface;
+
+	/**
+	 * Queue a job for execution after completing migration.
+	 *
+	 * @param task			task to queue for execution
+	 */
+	void (*queue_task)(adopt_children_job_t *this, task_t *task);
 };
 
 /**
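Review bot: The comment on `queue_task` says "Queue a job" although the argument is a task, and it does not say who owns the task after the call. In adopt_children_job.c the job destroys the queued tasks in `destroy()` and hands them to the IKE_SA in `execute()`, so the caller gives up ownership. I would write `Queue a task for execution after completing migration.` and `@param task  task to queue for execution (gets adopted)`.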
diff --git a/src/libcharon/processing/jobs/update_sa_job.c b/src/libcharon/processing/jobs/update_sa_job.c
index 6943185..e6d7da2 100644
--- a/src/libcharon/processing/jobs/update_sa_job.c
+++ b/src/libcharon/processing/jobs/update_sa_job.c
@@ -63,12 +63,7 @@ METHOD(job_t, execute, job_requeue_t,
 	}
 	else
 	{
-		/* we update only if other host is NATed, but not our */
-		if (ike_sa->has_condition(ike_sa, COND_NAT_THERE) &&
-			!ike_sa->has_condition(ike_sa, COND_NAT_HERE))
-		{
-			ike_sa->update_hosts(ike_sa, NULL, this->new, FALSE);
-		}
+		ike_sa->update_hosts(ike_sa, NULL, this->new, FALSE);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
 	return JOB_REQUEUE_NONE;
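Review bot: With the NAT guard removed here, whether an address reported to this job replaces the peer's endpoint is decided entirely inside `update_hosts()`, and the call site no longer says so. A comment such as `/* update_hosts() decides whether the peer address may change, we don't force it */` would keep that dependency visible. The condition in update_hosts() (ike_sa.c hunk of this commit) is wider than the removed one: it also accepts the update when we are behind a NAT ourselves but are not the original initiator.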
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index c338cda..d92b9df 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2013 Tobias Brunner
+ * Copyright (C) 2006-2014 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -16,6 +16,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (c) 2014 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include <string.h>
 #include <sys/stat.h>
 #include <errno.h>
@@ -251,6 +273,11 @@ struct private_ike_sa_t {
 	 * Flush auth configs once established?
 	 */
 	bool flush_auth_cfg;
+
+	/**
+	 * Maximum length of a single fragment, 0 for address-specific defaults
+	 */
+	size_t fragment_size;
 };
 
 /**
@@ -909,11 +936,14 @@ METHOD(ike_sa_t, update_hosts, void,
 			update = TRUE;
 		}
 
-		if (!other->equals(other, this->other_host))
+		if (!other->equals(other, this->other_host) &&
+			(force || has_condition(this, COND_NAT_THERE)))
 		{
-			/* update others address if we are NOT NATed */
-			if ((has_condition(this, COND_NAT_THERE) &&
-				 !has_condition(this, COND_NAT_HERE)) || force )
+			/* only update other's address if we are behind a static NAT,
+			 * which we assume is the case if we are not initiator */
+			if (force ||
+				(!has_condition(this, COND_NAT_HERE) ||
+				 !has_condition(this, COND_ORIGINAL_INITIATOR)))
 			{
 				set_other_host(this, other->clone(other));
 				update = TRUE;
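Review bot: The new comment explains only the `!COND_ORIGINAL_INITIATOR` case, yet it sits above a condition that also covers `force` and `!COND_NAT_HERE`, so it is easy to misread which situations redirect traffic to a new peer address. I would word it as `/* update other's address if we are not NATed, or if we are responder, in which case we assume to be behind a static NAT */`. Since this decision changes where the SA sends its packets, the comment should call the static-NAT case an assumption rather than a fact. update_hosts() starts and ends outside this hunk.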
@@ -994,6 +1024,69 @@ METHOD(ike_sa_t, generate_message, status_t,
 	return status;
 }
 
+static bool filter_fragments(private_ike_sa_t *this, packet_t **fragment,
+							 packet_t **packet)
+{
+	*packet = (*fragment)->clone(*fragment);
+	set_dscp(this, *packet);
+	return TRUE;
+}
+
+METHOD(ike_sa_t, generate_message_fragmented, status_t,
+	private_ike_sa_t *this, message_t *message, enumerator_t **packets)
+{
+	enumerator_t *fragments;
+	packet_t *packet;
+	status_t status;
+	bool use_frags = FALSE;
+
+	if (this->ike_cfg)
+	{
+		switch (this->ike_cfg->fragmentation(this->ike_cfg))
+		{
+			case FRAGMENTATION_FORCE:
+				use_frags = TRUE;
+				break;
+			case FRAGMENTATION_YES:
+				use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION);
+				if (use_frags && this->version == IKEV1 &&
+					supports_extension(this, EXT_MS_WINDOWS))
+				{
+					/* It seems Windows 7 and 8 peers only accept proprietary
+					 * fragmented messages if they expect certificates. */
+					use_frags = message->get_payload(message,
+													 PLV1_CERTIFICATE) != NULL;
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	if (!use_frags)
+	{
+		status = generate_message(this, message, &packet);
+		if (status != SUCCESS)
+		{
+			return status;
+		}
+		*packets = enumerator_create_single(packet, NULL);
+		return SUCCESS;
+	}
+
+	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
+	message->set_ike_sa_id(message, this->ike_sa_id);
+	charon->bus->message(charon->bus, message, FALSE, TRUE);
+	status = message->fragment(message, this->keymat, this->fragment_size,
+							   &fragments);
+	if (status == SUCCESS)
+	{
+		charon->bus->message(charon->bus, message, FALSE, FALSE);
+		*packets = enumerator_create_filter(fragments, (void*)filter_fragments,
+											this, NULL);
+	}
+	return status;
+}
+
 METHOD(ike_sa_t, set_kmaddress, void,
 	private_ike_sa_t *this, host_t *local, host_t *remote)
 {
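Review bot: `*packets` is assigned only on the two SUCCESS paths of `generate_message_fragmented()`, so a caller that destroys the enumerator after a failed call would use an indeterminate pointer unless it initialised the variable itself. Setting `*packets = NULL;` at the top of the method, or stating in ike_sa.h that the enumerator is valid only on SUCCESS, would close that. `filter_fragments()` has no comment; `/** Clone each fragment for the caller and apply set_dscp() to the copy */` would say why the clone is made.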
@@ -1487,6 +1580,14 @@ METHOD(ike_sa_t, reauth, status_t,
 	{
 		return INVALID_STATE;
 	}
+	if (this->state == IKE_CONNECTING)
+	{
+		DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
+			 get_name(this), this->unique_id);
+		reset(this);
+		this->task_manager->queue_ike(this->task_manager);
+		return this->task_manager->initiate(this->task_manager);
+	}
 	/* we can't reauthenticate as responder when we use EAP or virtual IPs.
 	 * If the peer does not support RFC4478, there is no way to keep the
 	 * IKE_SA up. */
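Review bot: The new `IKE_CONNECTING` branch returns before the responder check that follows it, so a connecting SA is reset and reinitiated whichever side we are. If that is intended, a comment such as `/* still connecting: start over instead of reauthenticating */` should say so. If it is not, the branch belongs after the responder check. The state test that precedes the branch and the rest of reauth() are outside this hunk.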
@@ -1650,6 +1751,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 	new->set_other_host(new, host->clone(host));
 	host = this->my_host;
 	new->set_my_host(new, host->clone(host));
+	charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
 	/* resolve hosts but use the old addresses above as fallback */
 	resolve_hosts((private_ike_sa_t*)new);
 	/* if we already have a virtual IP, we reuse it */
@@ -1734,12 +1836,15 @@ METHOD(ike_sa_t, reestablish, status_t,
 
 	if (status == DESTROY_ME)
 	{
+		charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
+										  FALSE);
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
 		status = FAILED;
 	}
 	else
 	{
-		charon->bus->ike_reestablish(charon->bus, &this->public, new);
+		charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
+										  TRUE);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
 		status = SUCCESS;
 	}
@@ -1899,11 +2004,29 @@ static bool is_any_path_valid(private_ike_sa_t *this)
 	bool valid = FALSE;
 	enumerator_t *enumerator;
 	host_t *src = NULL, *addr;
+	int family = AF_UNSPEC;
+
+	switch (charon->socket->supported_families(charon->socket))
+	{
+		case SOCKET_FAMILY_IPV4:
+			family = AF_INET;
+			break;
+		case SOCKET_FAMILY_IPV6:
+			family = AF_INET6;
+			break;
+		case SOCKET_FAMILY_BOTH:
+		case SOCKET_FAMILY_NONE:
+			break;
+	}
 
 	DBG1(DBG_IKE, "old path is not available anymore, try to find another");
 	enumerator = create_peer_address_enumerator(this);
 	while (enumerator->enumerate(enumerator, &addr))
 	{
+		if (family != AF_UNSPEC && addr->get_family(addr) != family)
+		{
+			continue;
+		}
 		DBG1(DBG_IKE, "looking for a route to %H ...", addr);
 		src = hydra->kernel_interface->get_source_addr(
 										hydra->kernel_interface, addr, NULL);
@@ -2332,6 +2455,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 			.inherit_pre = _inherit_pre,
 			.inherit_post = _inherit_post,
 			.generate_message = _generate_message,
+			.generate_message_fragmented = _generate_message_fragmented,
 			.reset = _reset,
 			.get_unique_id = _get_unique_id,
 			.add_virtual_ip = _add_virtual_ip,
@@ -2377,6 +2501,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 								"%s.retry_initiate_interval", 0, lib->ns),
 		.flush_auth_cfg = lib->settings->get_bool(lib->settings,
 								"%s.flush_auth_cfg", FALSE, lib->ns),
+		.fragment_size = lib->settings->get_int(lib->settings,
+								"%s.fragment_size", 0, lib->ns),
 	);
 
 	if (version == IKEV2)
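Review bot: `get_int()` returns an int and the result is stored in the `size_t` member `fragment_size`, so a negative `fragment_size` in the configuration turns into a very large length instead of the 0 that means "address-specific defaults". Clamping at the assignment, `.fragment_size = max(0, lib->settings->get_int(lib->settings, "%s.fragment_size", 0, lib->ns)),`, avoids relying on `message->fragment()` to cope with it; how that function bounds the value is not visible here. ike_sa_create() starts and ends outside this hunk.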
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 15fb474..c72d873 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2014 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -102,7 +102,7 @@ enum ike_extension_t {
 	EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
 
 	/**
-	 * peer is probably a Windows 7 RAS client
+	 * peer is probably a Windows RAS client
 	 */
 	EXT_MS_WINDOWS = (1<<6),
 
@@ -128,7 +128,7 @@ enum ike_extension_t {
 	EXT_NATT_DRAFT_02_03 = (1<<10),
 
 	/**
-	 * peer support proprietary IKE fragmentation
+	 * peer supports proprietary IKEv1 or standardized IKEv2 fragmentation
 	 */
 	EXT_IKE_FRAGMENTATION = (1<<11),
 };
@@ -756,7 +756,7 @@ struct ike_sa_t {
 	status_t (*roam)(ike_sa_t *this, bool address);
 
 	/**
-	 * Processes a incoming IKEv2-Message.
+	 * Processes an incoming IKE message.
 	 *
 	 * Message processing may fail. If a critical failure occurs,
 	 * process_message() return DESTROY_ME. Then the caller must
@@ -768,10 +768,10 @@ struct ike_sa_t {
 	 *						- FAILED
 	 *						- DESTROY_ME if this IKE_SA MUST be deleted
 	 */
-	status_t (*process_message) (ike_sa_t *this, message_t *message);
+	status_t (*process_message)(ike_sa_t *this, message_t *message);
 
 	/**
-	 * Generate a IKE message to send it to the peer.
+	 * Generate an IKE message to send it to the peer.
 	 *
 	 * This method generates all payloads in the message and encrypts/signs
 	 * the packet.
@@ -783,8 +783,26 @@ struct ike_sa_t {
 	 *						- FAILED
 	 *						- DESTROY_ME if this IKE_SA MUST be deleted
 	 */
-	status_t (*generate_message) (ike_sa_t *this, message_t *message,
-								  packet_t **packet);
+	status_t (*generate_message)(ike_sa_t *this, message_t *message,
+								 packet_t **packet);
+
+	/**
+	 * Generate an IKE message to send it to the peer. If enabled and supported
+	 * it will be fragmented.
+	 *
+	 * This method generates all payloads in the message and encrypts/signs
+	 * the packet/fragments.
+	 *
+	 * @param message		message to generate
+	 * @param packets		enumerator of generated packet_t* (are not destroyed
+	 *						with the enumerator)
+	 * @return
+	 *						- SUCCESS
+	 *						- FAILED
+	 *						- DESTROY_ME if this IKE_SA MUST be deleted
+	 */
+	status_t (*generate_message_fragmented)(ike_sa_t *this, message_t *message,
+											enumerator_t **packets);
 
 	/**
 	 * Retransmits a request.
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 8e68e7b..bdabc59 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -384,11 +384,6 @@ struct private_ike_sa_manager_t {
 	rng_t *rng;
 
 	/**
-	 * SHA1 hasher for IKE_SA_INIT retransmit detection
-	 */
-	hasher_t *hasher;
-
-	/**
 	 * reuse existing IKE_SAs in checkout_by_config
 	 */
 	bool reuse_ikesa;
@@ -962,49 +957,39 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this)
  *
  * @returns TRUE on success
  */
-static bool get_init_hash(private_ike_sa_manager_t *this, message_t *message,
-						  chunk_t *hash)
+static bool get_init_hash(hasher_t *hasher, message_t *message, chunk_t *hash)
 {
 	host_t *src;
 
-	if (!this->hasher)
-	{	/* this might be the case when flush() has been called */
-		return FALSE;
-	}
 	if (message->get_first_payload_type(message) == PLV1_FRAGMENT)
 	{	/* only hash the source IP, port and SPI for fragmented init messages */
 		u_int16_t port;
 		u_int64_t spi;
 
 		src = message->get_source(message);
-		if (!this->hasher->allocate_hash(this->hasher,
-										 src->get_address(src), NULL))
+		if (!hasher->allocate_hash(hasher, src->get_address(src), NULL))
 		{
 			return FALSE;
 		}
 		port = src->get_port(src);
-		if (!this->hasher->allocate_hash(this->hasher,
-										 chunk_from_thing(port), NULL))
+		if (!hasher->allocate_hash(hasher, chunk_from_thing(port), NULL))
 		{
 			return FALSE;
 		}
 		spi = message->get_initiator_spi(message);
-		return this->hasher->allocate_hash(this->hasher,
-										   chunk_from_thing(spi), hash);
+		return hasher->allocate_hash(hasher, chunk_from_thing(spi), hash);
 	}
 	if (message->get_exchange_type(message) == ID_PROT)
 	{	/* include the source for Main Mode as the hash will be the same if
 		 * SPIs are reused by two initiators that use the same proposal */
 		src = message->get_source(message);
 
-		if (!this->hasher->allocate_hash(this->hasher,
-										 src->get_address(src), NULL))
+		if (!hasher->allocate_hash(hasher, src->get_address(src), NULL))
 		{
 			return FALSE;
 		}
 	}
-	return this->hasher->allocate_hash(this->hasher,
-									   message->get_packet_data(message), hash);
+	return hasher->allocate_hash(hasher, message->get_packet_data(message), hash);
 }
 
 /**
@@ -1227,15 +1212,19 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 
 	if (is_init)
 	{
+		hasher_t *hasher;
 		u_int64_t our_spi;
 		chunk_t hash;
 
-		if (!get_init_hash(this, message, &hash))
+		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+		if (!hasher || !get_init_hash(hasher, message, &hash))
 		{
 			DBG1(DBG_MGR, "ignoring message, failed to hash message");
+			DESTROY_IF(hasher);
 			id->destroy(id);
 			return NULL;
 		}
+		hasher->destroy(hasher);
 
 		/* ensure this is not a retransmit of an already handled init message */
 		switch (check_and_put_init_hash(this, hash, &our_spi))
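Review bot: The added block creates and destroys a SHA1 hasher for every initial message, which is work done for peers that are not yet authenticated, and nothing says why the manager-wide hasher was dropped. Presumably the shared instance was not safe to use from several threads; a comment such as `/* transient hasher, a shared instance can't be used concurrently */` would record that once confirmed. The message `failed to hash message` now also covers a failed `create_hasher()`, so a separate log line for that case would help when no SHA1 implementation is loaded. checkout_by_message() continues outside this hunk.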
@@ -1313,8 +1302,9 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 
 			ike_id = entry->ike_sa->get_id(entry->ike_sa);
 			entry->checked_out = TRUE;
-			if (message->get_first_payload_type(message) != PLV1_FRAGMENT)
-			{
+			if (message->get_first_payload_type(message) != PLV1_FRAGMENT &&
+				message->get_first_payload_type(message) != PLV2_FRAGMENT)
+			{	/* TODO-FRAG: this fails if there are unencrypted payloads */
 				entry->processing = get_message_id_or_hash(message);
 			}
 			if (ike_id->get_responder_spi(ike_id) == 0)
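Review bot: The `TODO-FRAG` comment added to the condition records a known gap: a fragmented message with unencrypted payloads in front of the fragment payload is not recognised by this test, so `entry->processing` is still set for it. That should be tracked outside the code and, until it is fixed, described in full here, e.g. `/* TODO-FRAG: fragments preceded by unencrypted payloads are not detected here */`. The payload type is also fetched twice; a local `payload_type_t first = message->get_first_payload_type(message);` would make the two comparisons easier to read.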
@@ -2058,8 +2048,6 @@ METHOD(ike_sa_manager_t, flush, void,
 
 	this->rng->destroy(this->rng);
 	this->rng = NULL;
-	this->hasher->destroy(this->hasher);
-	this->hasher = NULL;
 }
 
 METHOD(ike_sa_manager_t, destroy, void,
@@ -2134,18 +2122,10 @@ ike_sa_manager_t *ike_sa_manager_create()
 		},
 	);
 
-	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (this->hasher == NULL)
-	{
-		DBG1(DBG_MGR, "manager initialization failed, no hasher supported");
-		free(this);
-		return NULL;
-	}
 	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (this->rng == NULL)
 	{
 		DBG1(DBG_MGR, "manager initialization failed, no RNG supported");
-		this->hasher->destroy(this->hasher);
 		free(this);
 		return NULL;
 	}
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index 114b8a3..d01a831 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -536,6 +536,7 @@ METHOD(phase1_t, select_config, peer_cfg_t*,
 	enumerator_t *enumerator;
 	peer_cfg_t *current;
 	host_t *me, *other;
+	int unusable = 0;
 
 	if (this->peer_cfg)
 	{	/* try to find an alternative config */
@@ -571,6 +572,10 @@ METHOD(phase1_t, select_config, peer_cfg_t*,
 				this->candidates->insert_last(this->candidates, current);
 			}
 		}
+		else
+		{
+			unusable++;
+		}
 	}
 	enumerator->destroy(enumerator);
 
@@ -580,6 +585,13 @@ METHOD(phase1_t, select_config, peer_cfg_t*,
 			 this->peer_cfg->get_name(this->peer_cfg));
 		return this->peer_cfg->get_ref(this->peer_cfg);
 	}
+	if (unusable)
+	{
+		DBG1(DBG_IKE, "found %d matching config%s, but none allows %N "
+			 "authentication using %s Mode", unusable, unusable > 1 ? "s" : "",
+			 auth_method_names, method, aggressive ? "Aggressive" : "Main");
+		return NULL;
+	}
 	DBG1(DBG_IKE, "no peer config found");
 	return NULL;
 }
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 97812a5..0f8e8bc 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2013 Tobias Brunner
+ * Copyright (C) 2007-2014 Tobias Brunner
  * Copyright (C) 2007-2011 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -38,8 +38,7 @@
 #include <processing/jobs/dpd_timeout_job.h>
 #include <processing/jobs/process_message_job.h>
 
-#include <encoding/payloads/fragment_payload.h>
-#include <bio/bio_writer.h>
+#include <collections/array.h>
 
 /**
  * Number of old messages hashes we keep for retransmission.
@@ -51,20 +50,6 @@
 #define MAX_OLD_HASHES 2
 
 /**
- * Maximum packet size for fragmented packets (same as in sockets)
- */
-#define MAX_PACKET 10000
-
-/**
- * Maximum size of fragment data when sending packets (currently the same is
- * used for IPv4 and IPv6, even though the latter has a higher minimum datagram
- * size).  576 (= min. IPv4) - 20 (= IP header) - 8 (= UDP header) -
- *  - 28 (= IKE header) - 8 (= fragment header) = 512
- * This is reduced by 4 in case of NAT-T (due to the non-ESP marker).
- */
-#define MAX_FRAGMENT_SIZE 512
-
-/**
  * First sequence number of responding packets.
  *
  * To distinguish retransmission jobs for initiating and responding packets,
@@ -127,9 +112,9 @@ struct private_task_manager_t {
 		u_int32_t hash;
 
 		/**
-		 * packet for retransmission
+		 * packet(s) for retransmission
 		 */
-		packet_t *packet;
+		array_t *packets;
 
 		/**
 		 * Sequence number of the last sent message
@@ -173,9 +158,9 @@ struct private_task_manager_t {
 		u_int retransmitted;
 
 		/**
-		 * packet for retransmission
+		 * packet(s) for retransmission
 		 */
-		packet_t *packet;
+		array_t *packets;
 
 		/**
 		 * type of the initiated exchange
@@ -185,50 +170,9 @@ struct private_task_manager_t {
 	} initiating;
 
 	/**
-	 * Data used to reassemble a fragmented message
+	 * Message we are currently defragmenting, if any (only one at a time)
 	 */
-	struct {
-
-		/**
-		 * Fragment ID (currently only one is supported at a time)
-		 */
-		u_int16_t id;
-
-		/**
-		 * The number of the last fragment (in case we receive the fragments out
-		 * of order), since the first starts with 1 this defines the number of
-		 * fragments we expect
-		 */
-		u_int8_t last;
-
-		/**
-		 * List of fragments (fragment_t*)
-		 */
-		linked_list_t *list;
-
-		/**
-		 * Length of all currently received fragments
-		 */
-		size_t len;
-
-		/**
-		 * Maximum length of a fragmented packet
-		 */
-		size_t max_packet;
-
-		/**
-		 * Maximum length of a single fragment (when sending)
-		 */
-		size_t size;
-
-		/**
-		 * The exchange type we use for fragments. Always the initial type even
-		 * for fragmented quick mode or transaction messages (i.e. either
-		 * ID_PROT or AGGRESSIVE)
-		 */
-		exchange_type_t exchange;
-
-	} frag;
+	message_t *defrag;
 
 	/**
 	 * List of queued tasks not yet in action
@@ -277,31 +221,16 @@ struct private_task_manager_t {
 };
 
 /**
- * A single fragment within a fragmented message
+ * Reset retransmission packet list
  */
-typedef struct {
-
-	/** fragment number */
-	u_int8_t num;
-
-	/** fragment data */
-	chunk_t data;
-
-} fragment_t;
-
-static void fragment_destroy(fragment_t *this)
+static void clear_packets(array_t *array)
 {
-	chunk_free(&this->data);
-	free(this);
-}
+	packet_t *packet;
 
-static void clear_fragments(private_task_manager_t *this, u_int16_t id)
-{
-	DESTROY_FUNCTION_IF(this->frag.list, (void*)fragment_destroy);
-	this->frag.list = NULL;
-	this->frag.last = 0;
-	this->frag.len = 0;
-	this->frag.id = id;
+	while (array_remove(array, ARRAY_TAIL, &packet))
+	{
+		packet->destroy(packet);
+	}
 }
 
 METHOD(task_manager_t, flush_queue, void,
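Review bot: The new comment on `clear_packets` does not say that the array object itself is kept, or that the argument may be NULL. Callers in this commit appear to pass a never-allocated array: `send_notify` initialises `packets = NULL` and still calls `clear_packets(packets)` when `generate_message` fails. That relies on `array_remove()` accepting NULL, which is not visible in this diff, so the contract should be stated, e.g. `* Destroy all packets stored for retransmission; the array itself (which may be NULL) is kept`. The identical helper is added again to task_manager_v2.c further down; one shared helper would keep the two copies from drifting apart.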
@@ -321,8 +250,7 @@ METHOD(task_manager_t, flush_queue, void,
 			list = this->active_tasks;
 			/* cancel pending retransmits */
 			this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-			DESTROY_IF(this->initiating.packet);
-			this->initiating.packet = NULL;
+			clear_packets(this->initiating.packets);
 			break;
 		case TASK_QUEUE_PASSIVE:
 			list = this->passive_tasks;
@@ -373,110 +301,53 @@ static bool activate_task(private_task_manager_t *this, task_type_t type)
 }
 
 /**
- * Send a single fragment with the given data
+ * Send packets in the given array (they get cloned)
  */
-static bool send_fragment(private_task_manager_t *this, bool request,
-					host_t *src, host_t *dst, fragment_payload_t *fragment)
+static void send_packets(private_task_manager_t *this, array_t *packets)
 {
-	message_t *message;
+	enumerator_t *enumerator;
 	packet_t *packet;
-	status_t status;
 
-	message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
-	/* other implementations seem to just use 0 as message ID, so here we go */
-	message->set_message_id(message, 0);
-	message->set_request(message, request);
-	message->set_source(message, src->clone(src));
-	message->set_destination(message, dst->clone(dst));
-	message->set_exchange_type(message, this->frag.exchange);
-	message->add_payload(message, (payload_t*)fragment);
-
-	status = this->ike_sa->generate_message(this->ike_sa, message, &packet);
-	if (status != SUCCESS)
+	enumerator = array_create_enumerator(packets);
+	while (enumerator->enumerate(enumerator, &packet))
 	{
-		DBG1(DBG_IKE, "failed to generate IKE fragment");
-		message->destroy(message);
-		return FALSE;
+		charon->sender->send(charon->sender, packet->clone(packet));
 	}
-	charon->sender->send(charon->sender, packet);
-	message->destroy(message);
-	return TRUE;
+	enumerator->destroy(enumerator);
 }
 
 /**
- * Send a packet, if supported and required do so in fragments
+ * Generates the given message and stores packet(s) in the given array
  */
-static bool send_packet(private_task_manager_t *this, bool request,
-						packet_t *packet)
+static bool generate_message(private_task_manager_t *this, message_t *message,
+							 array_t **packets)
 {
-	bool use_frags = FALSE;
-	ike_cfg_t *ike_cfg;
-	chunk_t data;
+	enumerator_t *fragments;
+	packet_t *fragment;
 
-	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
-	if (ike_cfg)
+	if (this->ike_sa->generate_message_fragmented(this->ike_sa, message,
+												  &fragments) != SUCCESS)
 	{
-		switch (ike_cfg->fragmentation(ike_cfg))
-		{
-			case FRAGMENTATION_FORCE:
-				use_frags = TRUE;
-				break;
-			case FRAGMENTATION_YES:
-				use_frags = this->ike_sa->supports_extension(this->ike_sa,
-														EXT_IKE_FRAGMENTATION);
-				break;
-			default:
-				break;
-		}
+		return FALSE;
 	}
-	data = packet->get_data(packet);
-	if (data.len > this->frag.size && use_frags)
+	while (fragments->enumerate(fragments, &fragment))
 	{
-		fragment_payload_t *fragment;
-		u_int8_t num, count;
-		size_t len, frag_size;
-		host_t *src, *dst;
-
-		src = packet->get_source(packet);
-		dst = packet->get_destination(packet);
-
-		frag_size = this->frag.size;
-		if (dst->get_port(dst) != IKEV2_UDP_PORT &&
-			src->get_port(src) != IKEV2_UDP_PORT)
-		{	/* reduce size due to non-ESP marker */
-			frag_size -= 4;
-		}
-		count = data.len / frag_size + (data.len % frag_size ? 1 : 0);
-
-		DBG1(DBG_IKE, "sending IKE message with length of %zu bytes in "
-			 "%hhu fragments", data.len, count);
-		for (num = 1; num <= count; num++)
-		{
-			len = min(data.len, frag_size);
-			fragment = fragment_payload_create_from_data(num, num == count,
-												chunk_create(data.ptr, len));
-			if (!send_fragment(this, request, src, dst, fragment))
-			{
-				packet->destroy(packet);
-				return FALSE;
-			}
-			data = chunk_skip(data, len);
-		}
-		packet->destroy(packet);
-		return TRUE;
+		array_insert_create(packets, ARRAY_TAIL, fragment);
 	}
-	charon->sender->send(charon->sender, packet);
+	fragments->destroy(fragments);
 	return TRUE;
 }
 
 /**
- * Retransmit a packet, either as initiator or as responder
+ * Retransmit a packet (or its fragments)
  */
-static status_t retransmit_packet(private_task_manager_t *this, bool request,
-			u_int32_t seqnr, u_int mid, u_int retransmitted, packet_t *packet)
+static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
+							u_int mid, u_int retransmitted, array_t *packets)
 {
+	packet_t *packet;
 	u_int32_t t;
 
+	array_get(packets, 0, &packet);
 	if (retransmitted > this->retransmit_tries)
 	{
 		DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1);
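Review bot: In `retransmit_packet` the result of `array_get(packets, 0, &packet)` is ignored, so `packet` stays uninitialised if the array is empty, and the part of the function after this hunk passes it to `charon->bus->alert()`. The callers shown in `retransmit` test `array_count()` first, so this is an unstated precondition rather than a visible bug. It should either be enforced (declare `packet_t *packet = NULL;` and test the return value of `array_get`) or written into the doc comment, e.g. `* @param packets  non-empty array of packets, callers check array_count()`. `send_packets` also never uses its `this` parameter.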
@@ -492,10 +363,7 @@ static status_t retransmit_packet(private_task_manager_t *this, bool request,
 			 mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
 		charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
 	}
-	if (!send_packet(this, request, packet->clone(packet)))
-	{
-		return DESTROY_ME;
-	}
+	send_packets(this, packets);
 	lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
 			retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
 	return NEED_MORE;
@@ -506,20 +374,22 @@ METHOD(task_manager_t, retransmit, status_t,
 {
 	status_t status = SUCCESS;
 
-	if (seqnr == this->initiating.seqnr && this->initiating.packet)
+	if (seqnr == this->initiating.seqnr &&
+		array_count(this->initiating.packets))
 	{
-		status = retransmit_packet(this, TRUE, seqnr, this->initiating.mid,
-					this->initiating.retransmitted, this->initiating.packet);
+		status = retransmit_packet(this, seqnr, this->initiating.mid,
+					this->initiating.retransmitted, this->initiating.packets);
 		if (status == NEED_MORE)
 		{
 			this->initiating.retransmitted++;
 			status = SUCCESS;
 		}
 	}
-	if (seqnr == this->responding.seqnr && this->responding.packet)
+	if (seqnr == this->responding.seqnr &&
+		array_count(this->responding.packets))
 	{
-		status = retransmit_packet(this, FALSE, seqnr, this->responding.mid,
-					this->responding.retransmitted, this->responding.packet);
+		status = retransmit_packet(this, seqnr, this->responding.mid,
+					this->responding.retransmitted, this->responding.packets);
 		if (status == NEED_MORE)
 		{
 			this->responding.retransmitted++;
@@ -586,7 +456,6 @@ METHOD(task_manager_t, initiate, status_t,
 	task_t *task;
 	message_t *message;
 	host_t *me, *other;
-	status_t status;
 	exchange_type_t exchange = EXCHANGE_TYPE_UNDEFINED;
 	bool new_mid = FALSE, expect_response = FALSE, cancelled = FALSE, keep = FALSE;
 
@@ -790,10 +659,8 @@ METHOD(task_manager_t, initiate, status_t,
 		return initiate(this);
 	}
 
-	DESTROY_IF(this->initiating.packet);
-	status = this->ike_sa->generate_message(this->ike_sa, message,
-											&this->initiating.packet);
-	if (status != SUCCESS)
+	clear_packets(this->initiating.packets);
+	if (!generate_message(this, message, &this->initiating.packets))
 	{
 		/* message generation failed. There is nothing more to do than to
 		 * close the SA */
@@ -811,13 +678,12 @@ METHOD(task_manager_t, initiate, status_t,
 	}
 	if (keep)
 	{	/* keep the packet for retransmission, the responder might request it */
-		send_packet(this, TRUE,
-					this->initiating.packet->clone(this->initiating.packet));
+		send_packets(this, this->initiating.packets);
 	}
 	else
 	{
-		send_packet(this, TRUE, this->initiating.packet);
-		this->initiating.packet = NULL;
+		send_packets(this, this->initiating.packets);
+		clear_packets(this->initiating.packets);
 	}
 	message->destroy(message);
 
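Review bot: Both branches of `if (keep)` now begin with the same `send_packets(this, this->initiating.packets)` call, so the branch carrying the "keep the packet for retransmission" comment no longer differs in how it sends. Hoisting the call makes the real difference explicit: `send_packets(this, this->initiating.packets);` followed by `if (!keep) { clear_packets(this->initiating.packets); }`. Because `send_packets` clones every packet, the non-keep path now copies each packet and destroys the original straight afterwards; that is harmless, but a short comment would show it is intended. The enclosing `initiate` method starts and ends outside this hunk.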
@@ -848,7 +714,6 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	message_t *message;
 	host_t *me, *other;
 	bool delete = FALSE, cancelled = FALSE, expect_request = FALSE;
-	status_t status;
 
 	me = request->get_destination(request);
 	other = request->get_source(request);
@@ -900,28 +765,25 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	}
 	enumerator->destroy(enumerator);
 
-	DESTROY_IF(this->responding.packet);
-	this->responding.packet = NULL;
+	clear_packets(this->responding.packets);
 	if (cancelled)
 	{
 		message->destroy(message);
 		return initiate(this);
 	}
-	status = this->ike_sa->generate_message(this->ike_sa, message,
-											&this->responding.packet);
-	message->destroy(message);
-	if (status != SUCCESS)
+	if (!generate_message(this, message, &this->responding.packets))
 	{
+		message->destroy(message);
 		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
 		return DESTROY_ME;
 	}
+	message->destroy(message);
 
 	if (expect_request && !delete)
 	{
 		return retransmit(this, this->responding.seqnr);
 	}
-	send_packet(this, FALSE,
-				this->responding.packet->clone(this->responding.packet));
+	send_packets(this, this->responding.packets);
 	if (delete)
 	{
 		return DESTROY_ME;
@@ -937,7 +799,7 @@ static void send_notify(private_task_manager_t *this, message_t *request,
 						notify_type_t type)
 {
 	message_t *response;
-	packet_t *packet;
+	array_t *packets = NULL;
 	host_t *me, *other;
 	u_int32_t mid;
 
@@ -973,11 +835,12 @@ static void send_notify(private_task_manager_t *this, message_t *request,
 	}
 	response->set_source(response, me->clone(me));
 	response->set_destination(response, other->clone(other));
-	if (this->ike_sa->generate_message(this->ike_sa, response,
-									   &packet) == SUCCESS)
+	if (generate_message(this, response, &packets))
 	{
-		send_packet(this, TRUE, packet);
+		send_packets(this, packets);
 	}
+	clear_packets(packets);
+	array_destroy(packets);
 	response->destroy(response);
 }
 
@@ -1075,7 +938,6 @@ static status_t process_request(private_task_manager_t *this,
 				this->passive_tasks->insert_last(this->passive_tasks, task);
 				task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
 				this->passive_tasks->insert_last(this->passive_tasks, task);
-				this->frag.exchange = AGGRESSIVE;
 				break;
 			case QUICK_MODE:
 				if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
@@ -1164,8 +1026,7 @@ static status_t process_request(private_task_manager_t *this,
 	else
 	{	/* We don't send a response, so don't retransmit one if we get
 		 * the same message again. */
-		DESTROY_IF(this->responding.packet);
-		this->responding.packet = NULL;
+		clear_packets(this->responding.packets);
 	}
 	if (this->passive_tasks->get_count(this->passive_tasks) == 0 &&
 		this->queued_tasks->get_count(this->queued_tasks) > 0)
@@ -1237,8 +1098,7 @@ static status_t process_response(private_task_manager_t *this,
 	enumerator->destroy(enumerator);
 
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-	DESTROY_IF(this->initiating.packet);
-	this->initiating.packet = NULL;
+	clear_packets(this->initiating.packets);
 
 	if (this->queued && this->active_tasks->get_count(this->active_tasks) == 0)
 	{
@@ -1258,107 +1118,23 @@ static status_t process_response(private_task_manager_t *this,
 
 static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
 {
-	fragment_payload_t *payload;
-	enumerator_t *enumerator;
-	fragment_t *fragment;
-	status_t status = SUCCESS;
-	chunk_t data;
-	u_int8_t num;
-
-	payload = (fragment_payload_t*)msg->get_payload(msg, PLV1_FRAGMENT);
-	if (!payload)
-	{
-		return FAILED;
-	}
-
-	if (!this->frag.list || this->frag.id != payload->get_id(payload))
-	{
-		clear_fragments(this, payload->get_id(payload));
-		this->frag.list = linked_list_create();
-	}
-
-	num = payload->get_number(payload);
-	if (!this->frag.last && payload->is_last(payload))
-	{
-		this->frag.last = num;
-	}
+	status_t status;
 
-	enumerator = this->frag.list->create_enumerator(this->frag.list);
-	while (enumerator->enumerate(enumerator, &fragment))
+	if (!this->defrag)
 	{
-		if (fragment->num == num)
-		{	/* ignore a duplicate fragment */
-			DBG1(DBG_IKE, "received duplicate fragment #%hhu", num);
-			enumerator->destroy(enumerator);
-			return NEED_MORE;
-		}
-		if (fragment->num > num)
+		this->defrag = message_create_defrag(msg);
+		if (!this->defrag)
 		{
-			break;
+			return FAILED;
 		}
 	}
-
-	data = payload->get_data(payload);
-	this->frag.len += data.len;
-	if (this->frag.len > this->frag.max_packet)
-	{
-		DBG1(DBG_IKE, "fragmented IKE message is too large");
-		enumerator->destroy(enumerator);
-		clear_fragments(this, 0);
-		return FAILED;
-	}
-
-	INIT(fragment,
-		.num = num,
-		.data = chunk_clone(data),
-	);
-
-	this->frag.list->insert_before(this->frag.list, enumerator, fragment);
-	enumerator->destroy(enumerator);
-
-	if (this->frag.list->get_count(this->frag.list) == this->frag.last)
+	status = this->defrag->add_fragment(this->defrag, msg);
+	if (status == SUCCESS)
 	{
-		message_t *message;
-		packet_t *pkt;
-		host_t *src, *dst;
-		bio_writer_t *writer;
-
-		writer = bio_writer_create(this->frag.len);
-		DBG1(DBG_IKE, "received fragment #%hhu, reassembling fragmented IKE "
-			 "message", num);
-		enumerator = this->frag.list->create_enumerator(this->frag.list);
-		while (enumerator->enumerate(enumerator, &fragment))
-		{
-			writer->write_data(writer, fragment->data);
-		}
-		enumerator->destroy(enumerator);
-
-		src = msg->get_source(msg);
-		dst = msg->get_destination(msg);
-		pkt = packet_create_from_data(src->clone(src), dst->clone(dst),
-									  writer->extract_buf(writer));
-		writer->destroy(writer);
-
-		message = message_create_from_packet(pkt);
-		if (message->parse_header(message) != SUCCESS)
-		{
-			DBG1(DBG_IKE, "failed to parse header of reassembled IKE message");
-			message->destroy(message);
-			status = FAILED;
-		}
-		else
-		{
-			lib->processor->queue_job(lib->processor,
-								(job_t*)process_message_job_create(message));
-			status = NEED_MORE;
-
-		}
-		clear_fragments(this, 0);
-	}
-	else
-	{	/* there are some fragments missing */
-		DBG1(DBG_IKE, "received fragment #%hhu, waiting for complete IKE "
-			 "message", num);
+		lib->processor->queue_job(lib->processor,
+							(job_t*)process_message_job_create(this->defrag));
+		this->defrag = NULL;
+		/* do not process the last fragment */
 		status = NEED_MORE;
 	}
 	return status;
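Review bot: The size cap that the removed code applied in `handle_fragment` (`this->frag.len > this->frag.max_packet`, logged as "fragmented IKE message is too large") has no counterpart in the new body, and the constructor hunk further down drops the `max_packet` and `fragment_size` settings. Fragment data comes from the peer, so it is worth confirming that `add_fragment()` enforces an equivalent bound; its implementation is not in this part of the diff. If it does, record that here, e.g. `/* add_fragment() rejects reassembled messages above the configured maximum packet size */`. On a failure status from `add_fragment()` the partially filled `this->defrag` is kept, and the hunk does not show whether later fragments should still be added to it; if not, `DESTROY_IF(this->defrag); this->defrag = NULL;` on that path would make the reset explicit.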
@@ -1435,15 +1211,14 @@ METHOD(task_manager_t, process_message, status_t,
 	{
 		if (this->initiating.old_hashes[i] == hash)
 		{
-			if (this->initiating.packet &&
+			if (array_count(this->initiating.packets) &&
 				i == (this->initiating.old_hash_pos % MAX_OLD_HASHES) &&
 				(msg->get_exchange_type(msg) == QUICK_MODE ||
 				 msg->get_exchange_type(msg) == AGGRESSIVE))
 			{
 				DBG1(DBG_IKE, "received retransmit of response with ID %u, "
 					 "resending last request", mid);
-				send_packet(this, TRUE,
-					this->initiating.packet->clone(this->initiating.packet));
+				send_packets(this, this->initiating.packets);
 				return SUCCESS;
 			}
 			DBG1(DBG_IKE, "received retransmit of response with ID %u, "
@@ -1484,20 +1259,18 @@ METHOD(task_manager_t, process_message, status_t,
 	{
 		if (hash == this->responding.hash)
 		{
-			if (this->responding.packet)
+			if (array_count(this->responding.packets))
 			{
 				DBG1(DBG_IKE, "received retransmit of request with ID %u, "
 					 "retransmitting response", mid);
-				send_packet(this, FALSE,
-						this->responding.packet->clone(this->responding.packet));
+				send_packets(this, this->responding.packets);
 			}
-			else if (this->initiating.packet &&
+			else if (array_count(this->initiating.packets) &&
 					 this->initiating.type == INFORMATIONAL_V1)
 			{
 				DBG1(DBG_IKE, "received retransmit of DPD request, "
 					 "retransmitting response");
-				send_packet(this, TRUE,
-						this->initiating.packet->clone(this->initiating.packet));
+				send_packets(this, this->initiating.packets);
 			}
 			else
 			{
@@ -1593,13 +1366,6 @@ METHOD(task_manager_t, process_message, status_t,
 	return SUCCESS;
 }
 
-METHOD(task_manager_t, queue_task, void,
-	private_task_manager_t *this, task_t *task)
-{
-	DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
-	this->queued_tasks->insert_last(this->queued_tasks, task);
-}
-
 /**
  * Check if a given task has been queued already
  */
@@ -1622,6 +1388,28 @@ static bool has_queued(private_task_manager_t *this, task_type_t type)
 	return found;
 }
 
+METHOD(task_manager_t, queue_task, void,
+	private_task_manager_t *this, task_t *task)
+{
+	task_type_t type = task->get_type(task);
+
+	switch (type)
+	{
+		case TASK_MODE_CONFIG:
+		case TASK_XAUTH:
+			if (has_queued(this, type))
+			{
+				task->destroy(task);
+				return;
+			}
+			break;
+		default:
+			break;
+	}
+	DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
+	this->queued_tasks->insert_last(this->queued_tasks, task);
+}
+
 METHOD(task_manager_t, queue_ike, void,
 	private_task_manager_t *this)
 {
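Review bot: When `has_queued()` finds an existing Mode Config or XAuth task, `queue_task` destroys the new task and returns without logging, so a dropped task leaves no trace in the debug output. A line such as `DBG2(DBG_IKE, "ignoring duplicate %N task", task_type_names, type);` before `task->destroy(task)` would fix that, and the existing `DBG2` can reuse `type` instead of calling `task->get_type(task)` again. Since the function may now free its argument, callers would benefit from a doc comment saying so, e.g. `/* Takes ownership of task; a duplicate TASK_MODE_CONFIG or TASK_XAUTH is destroyed instead of queued */`.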
@@ -1642,7 +1430,6 @@ METHOD(task_manager_t, queue_ike, void,
 		{
 			queue_task(this, (task_t*)aggressive_mode_create(this->ike_sa, TRUE));
 		}
-		this->frag.exchange = AGGRESSIVE;
 	}
 	else
 	{
@@ -1969,17 +1756,16 @@ METHOD(task_manager_t, reset, void,
 	task_t *task;
 
 	/* reset message counters and retransmit packets */
-	DESTROY_IF(this->responding.packet);
-	DESTROY_IF(this->initiating.packet);
-	this->responding.packet = NULL;
+	clear_packets(this->responding.packets);
+	clear_packets(this->initiating.packets);
 	this->responding.seqnr = RESPONDING_SEQ;
 	this->responding.retransmitted = 0;
-	this->initiating.packet = NULL;
 	this->initiating.mid = 0;
 	this->initiating.seqnr = 0;
 	this->initiating.retransmitted = 0;
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-	clear_fragments(this, 0);
+	DESTROY_IF(this->defrag);
+	this->defrag = NULL;
 	if (initiate != UINT_MAX)
 	{
 		this->dpd_send = initiate;
@@ -2030,11 +1816,13 @@ METHOD(task_manager_t, destroy, void,
 	this->active_tasks->destroy(this->active_tasks);
 	this->queued_tasks->destroy(this->queued_tasks);
 	this->passive_tasks->destroy(this->passive_tasks);
-	clear_fragments(this, 0);
+	DESTROY_IF(this->defrag);
 
 	DESTROY_IF(this->queued);
-	DESTROY_IF(this->responding.packet);
-	DESTROY_IF(this->initiating.packet);
+	clear_packets(this->responding.packets);
+	array_destroy(this->responding.packets);
+	clear_packets(this->initiating.packets);
+	array_destroy(this->initiating.packets);
 	DESTROY_IF(this->rng);
 	free(this);
 }
@@ -2079,13 +1867,6 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 		.responding = {
 			.seqnr = RESPONDING_SEQ,
 		},
-		.frag = {
-			.exchange = ID_PROT,
-			.max_packet = lib->settings->get_int(lib->settings,
-						"%s.max_packet", MAX_PACKET, lib->ns),
-			.size = lib->settings->get_int(lib->settings,
-						"%s.fragment_size", MAX_FRAGMENT_SIZE, lib->ns),
-		},
 		.ike_sa = ike_sa,
 		.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
 		.queued_tasks = linked_list_create(),
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 7009ae9..710bf1c 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -475,6 +475,9 @@ METHOD(task_t, process_r, status_t,
 		}
 		case AM_AUTH:
 		{
+			adopt_children_job_t *job = NULL;
+			xauth_t *xauth = NULL;
+
 			while (TRUE)
 			{
 				if (this->ph1->verify_auth(this->ph1, this->method, message,
@@ -504,8 +507,8 @@ METHOD(task_t, process_r, status_t,
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
-					this->ike_sa->queue_task(this->ike_sa,
-									(task_t*)xauth_create(this->ike_sa, TRUE));
+					xauth = xauth_create(this->ike_sa, TRUE);
+					this->ike_sa->queue_task(this->ike_sa, (task_t*)xauth);
 					break;
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
@@ -524,9 +527,8 @@ METHOD(task_t, process_r, status_t,
 					{
 						return send_delete(this);
 					}
-					lib->processor->queue_job(lib->processor, (job_t*)
-									adopt_children_job_create(
-										this->ike_sa->get_id(this->ike_sa)));
+					job = adopt_children_job_create(
+											this->ike_sa->get_id(this->ike_sa));
 					break;
 			}
 			/* check for and prepare mode config push/pull */
@@ -542,10 +544,26 @@ METHOD(task_t, process_r, status_t,
 			{
 				if (!this->peer_cfg->use_pull_mode(this->peer_cfg))
 				{
-					this->ike_sa->queue_task(this->ike_sa,
-						(task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
+					if (job)
+					{
+						job->queue_task(job, (task_t*)
+								mode_config_create(this->ike_sa, TRUE, FALSE));
+					}
+					else if (xauth)
+					{
+						xauth->queue_mode_config_push(xauth);
+					}
+					else
+					{
+						this->ike_sa->queue_task(this->ike_sa, (task_t*)
+								mode_config_create(this->ike_sa, TRUE, FALSE));
+					}
 				}
 			}
+			if (job)
+			{
+				lib->processor->queue_job(lib->processor, (job_t*)job);
+			}
 			return SUCCESS;
 		}
 		default:
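Review bot: `xauth` is dereferenced in `xauth->queue_mode_config_push(xauth)` after ownership of the task was already handed to `this->ike_sa->queue_task()` in the earlier hunk of this function. The `queue_task` change to task_manager_v1.c in this same commit destroys a `TASK_XAUTH` task when one is already queued. Assuming `ike_sa->queue_task()` forwards to that method and that a queued XAuth task can exist when `AM_AUTH` is processed, the pointer would be dangling at this call. Making the push decision before the task is queued, or queueing the XAuth task only after the mode-config block, would ensure nothing touches `xauth` once it has been handed over. The same pattern is added to `build_r` in main_mode.c (hunk `-539,10 +540,26`); `process_r` itself starts and ends outside this hunk.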
diff --git a/src/libcharon/sa/ikev1/tasks/informational.c b/src/libcharon/sa/ikev1/tasks/informational.c
index b742dbe..2798978 100644
--- a/src/libcharon/sa/ikev1/tasks/informational.c
+++ b/src/libcharon/sa/ikev1/tasks/informational.c
@@ -112,16 +112,16 @@ METHOD(task_t, process_r, status_t,
 													  IKEV2_UDP_PORT);
 					if (redirect)
 					{	/* treat the redirect as reauthentication */
-						DBG1(DBG_IKE, "received %N notify. redirected to %H",
+						DBG1(DBG_IKE, "received %N notify, redirected to %H",
 							 notify_type_names, type, redirect);
 						/* Cisco boxes reject the first message from 4500 */
 						me = this->ike_sa->get_my_host(this->ike_sa);
 						me->set_port(me, charon->socket->get_port(
 														charon->socket, FALSE));
 						this->ike_sa->set_other_host(this->ike_sa, redirect);
-						this->ike_sa->reauth(this->ike_sa);
+						status = this->ike_sa->reauth(this->ike_sa);
 						enumerator->destroy(enumerator);
-						return DESTROY_ME;
+						return status;
 					}
 					else
 					{
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index 426c4bd..0162fd8 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -15,7 +15,7 @@
  */
 
 /*
- * Copyright (C) 2012 Volker Rümelin
+ * Copyright (C) 2012-2014 Volker Rümelin
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -106,10 +106,15 @@ static struct {
 	  "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"},
 
 	/* Proprietary IKE fragmentation extension. Capabilities are handled
-	 * specially on receipt of this VID. */
+	 * specially on receipt of this VID. Windows peers send this VID
+	 * without capabilities, but accept it with and without capabilities. */
 	{ "FRAGMENTATION", EXT_IKE_FRAGMENTATION, FALSE, 20,
 	  "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3\x80\x00\x00\x00"},
 
+	/* Windows peers send this VID and a version number */
+	{ "MS NT5 ISAKMPOAKLEY", EXT_MS_WINDOWS, FALSE, 20,
+	  "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x00"},
+
 }, vendor_natt_ids[] = {
 
 	/* NAT-Traversal VIDs ordered by preference */
@@ -167,15 +172,27 @@ static struct {
  */
 static const u_int32_t fragmentation_ike = 0x80000000;
 
-/**
- * Check if the given vendor ID indicate support for fragmentation
- */
-static bool fragmentation_supported(chunk_t data, int i)
+static bool is_known_vid(chunk_t data, int i)
 {
-	if (vendor_ids[i].extension  == EXT_IKE_FRAGMENTATION &&
-		data.len == 20 && memeq(data.ptr, vendor_ids[i].id, 16))
+	switch (vendor_ids[i].extension)
 	{
-		return untoh32(&data.ptr[16]) & fragmentation_ike;
+		case EXT_IKE_FRAGMENTATION:
+			if (data.len >= 16 && memeq(data.ptr, vendor_ids[i].id, 16))
+			{
+				switch (data.len)
+				{
+					case 16:
+						return TRUE;
+					case 20:
+						return untoh32(&data.ptr[16]) & fragmentation_ike;
+				}
+			}
+			break;
+		case EXT_MS_WINDOWS:
+			return data.len == 20 && memeq(data.ptr, vendor_ids[i].id, 16);
+		default:
+			return chunk_equals(data, chunk_create(vendor_ids[i].id,
+												   vendor_ids[i].len));
 	}
 	return FALSE;
 }
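Review bot: `is_known_vid` loses the doc comment its predecessor had, although it now encodes three different matching rules. A comment such as `/** Check if data matches vendor_ids[i]; the FRAGMENTATION and MS Windows VIDs are compared on their first 16 bytes only */` would record that. The literals `16` and `20` are repeated across the cases, and named constants would tie them to the lengths in the table entries. The inner `switch (data.len)` has no `default`, so other lengths reach the final `return FALSE` only implicitly; an explicit `default: break;` would match the outer switch.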
@@ -251,9 +268,7 @@ static void process(private_isakmp_vendor_t *this, message_t *message)
 
 			for (i = 0; i < countof(vendor_ids); i++)
 			{
-				if (chunk_equals(data, chunk_create(vendor_ids[i].id,
-													vendor_ids[i].len)) ||
-					fragmentation_supported(data, i))
+				if (is_known_vid(data, i))
 				{
 					DBG1(DBG_IKE, "received %s vendor ID", vendor_ids[i].desc);
 					if (vendor_ids[i].extension)
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 8a5d9ae..2fb4c69 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -479,6 +479,8 @@ METHOD(task_t, build_r, status_t,
 		{
 			id_payload_t *id_payload;
 			identification_t *id;
+			adopt_children_job_t *job = NULL;
+			xauth_t *xauth = NULL;
 
 			id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
 			if (!id)
@@ -502,8 +504,8 @@ METHOD(task_t, build_r, status_t,
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
-					this->ike_sa->queue_task(this->ike_sa,
-									(task_t*)xauth_create(this->ike_sa, TRUE));
+					xauth = xauth_create(this->ike_sa, TRUE);
+					this->ike_sa->queue_task(this->ike_sa, (task_t*)xauth);
 					break;
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
@@ -522,9 +524,8 @@ METHOD(task_t, build_r, status_t,
 					{
 						return send_notify(this, AUTHENTICATION_FAILED);
 					}
-					lib->processor->queue_job(lib->processor, (job_t*)
-									adopt_children_job_create(
-										this->ike_sa->get_id(this->ike_sa)));
+					job = adopt_children_job_create(
+											this->ike_sa->get_id(this->ike_sa));
 					break;
 			}
 			if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
@@ -539,10 +540,26 @@ METHOD(task_t, build_r, status_t,
 			{
 				if (!this->peer_cfg->use_pull_mode(this->peer_cfg))
 				{
-					this->ike_sa->queue_task(this->ike_sa,
-						(task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
+					if (job)
+					{
+						job->queue_task(job, (task_t*)
+								mode_config_create(this->ike_sa, TRUE, FALSE));
+					}
+					else if (xauth)
+					{
+						xauth->queue_mode_config_push(xauth);
+					}
+					else
+					{
+						this->ike_sa->queue_task(this->ike_sa, (task_t*)
+								mode_config_create(this->ike_sa, TRUE, FALSE));
+					}
 				}
 			}
+			if (job)
+			{
+				lib->processor->queue_job(lib->processor, (job_t*)job);
+			}
 			return SUCCESS;
 		}
 		default:
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index e627368..1133aab 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -1030,7 +1030,8 @@ METHOD(task_t, process_r, status_t,
 			}
 			tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
 			tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
-			if (!this->config || !this->tsi || !this->tsr)
+			if (!this->config || !this->tsi || !this->tsr ||
+				this->mode != this->config->get_mode(this->config))
 			{
 				DBG1(DBG_IKE, "no matching CHILD_SA config found");
 				return send_notify(this, INVALID_ID_INFORMATION);
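Review bot: The added `this->mode != this->config->get_mode(this->config)` test rejects a proposal whose mode differs from the selected config, but it shares the `"no matching CHILD_SA config found"` log line with the case where no config or traffic selectors matched. An operator reading the log cannot tell a mode mismatch from a missing config. Splitting the condition and logging the mismatch separately, e.g. `DBG1(DBG_IKE, "proposed CHILD_SA mode does not match config");`, keeps the same `INVALID_ID_INFORMATION` response while making the reason visible. `process_r` starts and ends outside this hunk.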
@@ -1117,11 +1118,22 @@ METHOD(task_t, process_r, status_t,
 		}
 		case QM_NEGOTIATED:
 		{
-			if (message->get_exchange_type(message) == INFORMATIONAL_V1 ||
-				has_notify_errors(this, message))
+			if (has_notify_errors(this, message))
 			{
 				return SUCCESS;
 			}
+			if (message->get_exchange_type(message) == INFORMATIONAL_V1)
+			{
+				if (message->get_payload(message, PLV1_DELETE))
+				{
+					/* If the DELETE for a Quick Mode follows immediately
+					 * after rekeying, we might receive it before the
+					 * third completing Quick Mode message. Ignore it, as
+					 * it gets handled by a separately queued delete task. */
+					return NEED_MORE;
+				}
+				return SUCCESS;
+			}
 			if (!install(this))
 			{
 				ike_sa_t *ike_sa = this->ike_sa;
@@ -1198,6 +1210,14 @@ METHOD(task_t, build_r, status_t,
 			this->state = QM_NEGOTIATED;
 			return NEED_MORE;
 		}
+		case QM_NEGOTIATED:
+			if (message->get_exchange_type(message) == INFORMATIONAL_V1)
+			{
+				/* skip INFORMATIONAL response if we received a INFORMATIONAL
+				 * delete, see process_r() */
+				return ALREADY_DONE;
+			}
+			/* fall */
 		default:
 			return FAILED;
 	}
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index bdc5d67..a770e90 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -19,6 +19,7 @@
 #include <hydra.h>
 #include <encoding/payloads/cp_payload.h>
 #include <processing/jobs/adopt_children_job.h>
+#include <sa/ikev1/tasks/mode_config.h>
 
 typedef struct private_xauth_t private_xauth_t;
 
@@ -74,6 +75,11 @@ struct private_xauth_t {
 	 * status of Xauth exchange
 	 */
 	xauth_status_t status;
+
+	/**
+	 * Queue a Mode Config Push mode after completing XAuth?
+	 */
+	bool mode_config_push;
 };
 
 /**
@@ -290,6 +296,7 @@ METHOD(task_t, process_i_status, status_t,
 	private_xauth_t *this, message_t *message)
 {
 	cp_payload_t *cp;
+	adopt_children_job_t *job;
 
 	cp = (cp_payload_t*)message->get_payload(message, PLV1_CONFIGURATION);
 	if (!cp || cp->get_type(cp) != CFG_ACK)
@@ -307,8 +314,13 @@ METHOD(task_t, process_i_status, status_t,
 		return FAILED;
 	}
 	this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
-	lib->processor->queue_job(lib->processor, (job_t*)
-				adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
+	job = adopt_children_job_create(this->ike_sa->get_id(this->ike_sa));
+	if (this->mode_config_push)
+	{
+		job->queue_task(job,
+				(task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
+	}
+	lib->processor->queue_job(lib->processor, (job_t*)job);
 	return SUCCESS;
 }
 
@@ -511,6 +523,12 @@ METHOD(task_t, migrate, void,
 	}
 }
 
+METHOD(xauth_t, queue_mode_config_push, void,
+	private_xauth_t *this)
+{
+	this->mode_config_push = TRUE;
+}
+
 METHOD(task_t, destroy, void,
 	private_xauth_t *this)
 {
@@ -533,6 +551,7 @@ xauth_t *xauth_create(ike_sa_t *ike_sa, bool initiator)
 				.migrate = _migrate,
 				.destroy = _destroy,
 			},
+			.queue_mode_config_push = _queue_mode_config_push,
 		},
 		.initiator = initiator,
 		.ike_sa = ike_sa,
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.h b/src/libcharon/sa/ikev1/tasks/xauth.h
index 303eb31..ffaf32a 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.h
+++ b/src/libcharon/sa/ikev1/tasks/xauth.h
@@ -36,6 +36,11 @@ struct xauth_t {
 	 * Implements the task_t interface
 	 */
 	task_t task;
+
+	/**
+	 * Queue a Mode Config in Push mode after completing XAuth.
+	 */
+	void (*queue_mode_config_push)(xauth_t *this);
 };
 
 /**
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index ada798b..eb7df35 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2011 Tobias Brunner
+ * Copyright (C) 2007-2014 Tobias Brunner
  * Copyright (C) 2007-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -90,9 +90,14 @@ struct private_task_manager_t {
 		u_int32_t mid;
 
 		/**
-		 * packet for retransmission
+		 * packet(s) for retransmission
 		 */
-		packet_t *packet;
+		array_t *packets;
+
+		/**
+		 * Helper to defragment the request
+		 */
+		message_t *defrag;
 
 	} responding;
 
@@ -111,15 +116,25 @@ struct private_task_manager_t {
 		u_int retransmitted;
 
 		/**
-		 * packet for retransmission
+		 * packet(s) for retransmission
 		 */
-		packet_t *packet;
+		array_t *packets;
 
 		/**
 		 * type of the initated exchange
 		 */
 		exchange_type_t type;
 
+		/**
+		 * TRUE if exchange was deferred because no path was available
+		 */
+		bool deferred;
+
+		/**
+		 * Helper to defragment the response
+		 */
+		message_t *defrag;
+
 	} initiating;
 
 	/**
@@ -158,6 +173,19 @@ struct private_task_manager_t {
 	double retransmit_base;
 };
 
+/**
+ * Reset retransmission packet list
+ */
+static void clear_packets(array_t *array)
+{
+	packet_t *packet;
+
+	while (array_remove(array, ARRAY_TAIL, &packet))
+	{
+		packet->destroy(packet);
+	}
+}
+
 METHOD(task_manager_t, flush_queue, void,
 	private_task_manager_t *this, task_queue_t queue)
 {
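Review bot: The comment on `clear_packets()` does not say that the array itself is kept, or that a NULL array is acceptable. The second point matters because the `packets` members are only created on demand by `array_insert_create()` in `generate_message()`, so `reset()` and `destroy()` can reach this helper before any packet was ever stored. The loop leans on `array_remove()` returning FALSE for a NULL array, which is how the libstrongswan array API behaves but is not visible in this patch. I would extend the comment to `Destroy all queued retransmission packets; the array itself is kept and may be NULL`.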
@@ -217,10 +245,60 @@ static bool activate_task(private_task_manager_t *this, task_type_t type)
 	return found;
 }
 
+/**
+ * Send packets in the given array (they get cloned). Optionally, the
+ * source and destination addresses are changed before sending it.
+ */
+static void send_packets(private_task_manager_t *this, array_t *packets,
+						 host_t *src, host_t *dst)
+{
+	packet_t *packet, *clone;
+	int i;
+
+	for (i = 0; i < array_count(packets); i++)
+	{
+		array_get(packets, i, &packet);
+		clone = packet->clone(packet);
+		if (src)
+		{
+			clone->set_source(clone, src->clone(src));
+		}
+		if (dst)
+		{
+			clone->set_destination(clone, dst->clone(dst));
+		}
+		charon->sender->send(charon->sender, clone);
+	}
+}
+
+/**
+ * Generates the given message and stores packet(s) in the given array
+ */
+static bool generate_message(private_task_manager_t *this, message_t *message,
+							 array_t **packets)
+{
+	enumerator_t *fragments;
+	packet_t *fragment;
+
+	if (this->ike_sa->generate_message_fragmented(this->ike_sa, message,
+												  &fragments) != SUCCESS)
+	{
+		return FALSE;
+	}
+	while (fragments->enumerate(fragments, &fragment))
+	{
+		array_insert_create(packets, ARRAY_TAIL, fragment);
+	}
+	fragments->destroy(fragments);
+	array_compress(*packets);
+	return TRUE;
+}
+
 METHOD(task_manager_t, retransmit, status_t,
 	private_task_manager_t *this, u_int32_t message_id)
 {
-	if (this->initiating.packet && message_id == this->initiating.mid)
+	if (message_id == this->initiating.mid &&
+		array_count(this->initiating.packets))
 	{
 		u_int32_t timeout;
 		job_t *job;
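Review bot: `generate_message()` appends the generated fragments to `*packets` with `array_insert_create()` and never empties the list, so a caller that passes an array still holding an earlier message's packets would later retransmit stale and fresh packets together. The callers in this patch handle it (`build_response()` calls `clear_packets()` first, and the initiating list is cleared in `process_response()` and `reset()`), but the contract is only implicit. I would state it in the comment: `Generates the given message and appends the packet(s) to the given array, which is created on demand; the caller must have cleared it.` `send_packets()` also takes `this` without using it in the lines shown. The `retransmit` method that begins at the end of this hunk continues outside it.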
@@ -229,23 +307,24 @@ METHOD(task_manager_t, retransmit, status_t,
 		task_t *task;
 		ike_mobike_t *mobike = NULL;
 
+		array_get(this->initiating.packets, 0, &packet);
+
 		/* check if we are retransmitting a MOBIKE routability check */
-		enumerator = array_create_enumerator(this->active_tasks);
-		while (enumerator->enumerate(enumerator, (void*)&task))
+		if (this->initiating.type == INFORMATIONAL)
 		{
-			if (task->get_type(task) == TASK_IKE_MOBIKE)
+			enumerator = array_create_enumerator(this->active_tasks);
+			while (enumerator->enumerate(enumerator, (void*)&task))
 			{
-				mobike = (ike_mobike_t*)task;
-				if (!mobike->is_probing(mobike))
+				if (task->get_type(task) == TASK_IKE_MOBIKE)
 				{
-					mobike = NULL;
+					mobike = (ike_mobike_t*)task;
+					break;
 				}
-				break;
 			}
+			enumerator->destroy(enumerator);
 		}
-		enumerator->destroy(enumerator);
 
-		if (mobike == NULL)
+		if (!mobike || !mobike->is_probing(mobike))
 		{
 			if (this->initiating.retransmitted <= this->retransmit_tries)
 			{
@@ -257,7 +336,7 @@ METHOD(task_manager_t, retransmit, status_t,
 				DBG1(DBG_IKE, "giving up after %d retransmits",
 					 this->initiating.retransmitted - 1);
 				charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
-								   this->initiating.packet);
+								   packet);
 				return DESTROY_ME;
 			}
 
@@ -265,11 +344,29 @@ METHOD(task_manager_t, retransmit, status_t,
 			{
 				DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
 					 this->initiating.retransmitted, message_id);
-				charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND,
-								   this->initiating.packet);
+				charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
+			}
+			if (!mobike)
+			{
+				send_packets(this, this->initiating.packets,
+							 this->ike_sa->get_my_host(this->ike_sa),
+							 this->ike_sa->get_other_host(this->ike_sa));
+			}
+			else
+			{
+				if (!mobike->transmit(mobike, packet))
+				{
+					DBG1(DBG_IKE, "no route found to reach peer, MOBIKE update "
+						 "deferred");
+					this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
+					this->initiating.deferred = TRUE;
+					return SUCCESS;
+				}
+				else if (mobike->is_probing(mobike))
+				{
+					timeout = ROUTEABILITY_CHECK_INTERVAL;
+				}
 			}
-			packet = this->initiating.packet->clone(this->initiating.packet);
-			charon->sender->send(charon->sender, packet);
 		}
 		else
 		{	/* for routeability checks, we use a more aggressive behavior */
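Review bot: The two new `return SUCCESS` paths taken when `mobike->transmit()` finds no route (here and in the path-probing branch of the next hunk) leave before `this->initiating.retransmitted++` and whatever follows it. Recovery therefore depends entirely on a later `initiate()` call seeing `initiating.deferred`. That coupling is not written down anywhere, and the deferral block is duplicated with only the log text differing. I would add a comment such as `/* nothing is rescheduled here; initiate() restarts the exchange once it is called again */` at both returns, or move the block into a small static helper that takes the log message. `retransmit` starts and ends outside this hunk.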
@@ -289,7 +386,16 @@ METHOD(task_manager_t, retransmit, status_t,
 				DBG1(DBG_IKE, "path probing attempt %d",
 					 this->initiating.retransmitted);
 			}
-			mobike->transmit(mobike, this->initiating.packet);
+			/* TODO-FRAG: presumably these small packets are not fragmented,
+			 * we should maybe ensure this is the case when generating them */
+			if (!mobike->transmit(mobike, packet))
+			{
+				DBG1(DBG_IKE, "no route found to reach peer, path probing "
+					 "deferred");
+				this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
+				this->initiating.deferred = TRUE;
+				return SUCCESS;
+			}
 		}
 
 		this->initiating.retransmitted++;
@@ -307,7 +413,6 @@ METHOD(task_manager_t, initiate, status_t,
 	task_t *task;
 	message_t *message;
 	host_t *me, *other;
-	status_t status;
 	exchange_type_t exchange = 0;
 
 	if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
@@ -315,6 +420,12 @@ METHOD(task_manager_t, initiate, status_t,
 		DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
 				exchange_type_names, this->initiating.type);
 		/* do not initiate if we already have a message in the air */
+		if (this->initiating.deferred)
+		{	/* re-initiate deferred exchange */
+			this->initiating.deferred = FALSE;
+			this->initiating.retransmitted = 0;
+			return retransmit(this, this->initiating.mid);
+		}
 		return SUCCESS;
 	}
 
@@ -347,39 +458,39 @@ METHOD(task_manager_t, initiate, status_t,
 				}
 				break;
 			case IKE_ESTABLISHED:
-				if (activate_task(this, TASK_CHILD_CREATE))
+				if (activate_task(this, TASK_IKE_MOBIKE))
 				{
-					exchange = CREATE_CHILD_SA;
+					exchange = INFORMATIONAL;
 					break;
 				}
-				if (activate_task(this, TASK_CHILD_DELETE))
+				if (activate_task(this, TASK_IKE_DELETE))
 				{
 					exchange = INFORMATIONAL;
 					break;
 				}
-				if (activate_task(this, TASK_CHILD_REKEY))
+				if (activate_task(this, TASK_CHILD_DELETE))
 				{
-					exchange = CREATE_CHILD_SA;
+					exchange = INFORMATIONAL;
 					break;
 				}
-				if (activate_task(this, TASK_IKE_DELETE))
+				if (activate_task(this, TASK_IKE_REAUTH))
 				{
 					exchange = INFORMATIONAL;
 					break;
 				}
-				if (activate_task(this, TASK_IKE_REKEY))
+				if (activate_task(this, TASK_CHILD_CREATE))
 				{
 					exchange = CREATE_CHILD_SA;
 					break;
 				}
-				if (activate_task(this, TASK_IKE_REAUTH))
+				if (activate_task(this, TASK_CHILD_REKEY))
 				{
-					exchange = INFORMATIONAL;
+					exchange = CREATE_CHILD_SA;
 					break;
 				}
-				if (activate_task(this, TASK_IKE_MOBIKE))
+				if (activate_task(this, TASK_IKE_REKEY))
 				{
-					exchange = INFORMATIONAL;
+					exchange = CREATE_CHILD_SA;
 					break;
 				}
 				if (activate_task(this, TASK_IKE_DPD))
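Review bot: The new activation order for `IKE_ESTABLISHED` has no comment, so the reason `TASK_IKE_MOBIKE` and the delete/reauth tasks are now tried before `TASK_CHILD_CREATE` and the rekey tasks has to be guessed from the diff. The order decides which queued task wins when several are pending, which makes it a behavioural contract rather than a cosmetic detail. A short comment above the first `activate_task()` call, for example `/* address updates and deletes take priority over creating or rekeying SAs */`, would keep a later edit from reshuffling it by accident; the wording should be confirmed against the author's intent. `initiate` starts and ends outside this hunk.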
@@ -458,6 +569,7 @@ METHOD(task_manager_t, initiate, status_t,
 	message->set_exchange_type(message, exchange);
 	this->initiating.type = exchange;
 	this->initiating.retransmitted = 0;
+	this->initiating.deferred = FALSE;
 
 	enumerator = array_create_enumerator(this->active_tasks);
 	while (enumerator->enumerate(enumerator, &task))
@@ -493,9 +605,7 @@ METHOD(task_manager_t, initiate, status_t,
 	/* update exchange type if a task changed it */
 	this->initiating.type = message->get_exchange_type(message);
 
-	status = this->ike_sa->generate_message(this->ike_sa, message,
-											&this->initiating.packet);
-	if (status != SUCCESS)
+	if (!generate_message(this, message, &this->initiating.packets))
 	{
 		/* message generation failed. There is nothing more to do than to
 		 * close the SA */
@@ -567,8 +677,7 @@ static status_t process_response(private_task_manager_t *this,
 
 	this->initiating.mid++;
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-	this->initiating.packet->destroy(this->initiating.packet);
-	this->initiating.packet = NULL;
+	clear_packets(this->initiating.packets);
 
 	array_compress(this->active_tasks);
 
@@ -636,8 +745,8 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	host_t *me, *other;
 	bool delete = FALSE, hook = FALSE;
 	ike_sa_id_t *id = NULL;
-	u_int64_t responder_spi;
-	status_t status;
+	u_int64_t responder_spi = 0;
+	bool result;
 
 	me = request->get_destination(request);
 	other = request->get_source(request);
@@ -699,23 +808,20 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	}
 
 	/* message complete, send it */
-	DESTROY_IF(this->responding.packet);
-	this->responding.packet = NULL;
-	status = this->ike_sa->generate_message(this->ike_sa, message,
-											&this->responding.packet);
+	clear_packets(this->responding.packets);
+	result = generate_message(this, message, &this->responding.packets);
 	message->destroy(message);
 	if (id)
 	{
 		id->set_responder_spi(id, responder_spi);
 	}
-	if (status != SUCCESS)
+	if (!result)
 	{
 		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
 		return DESTROY_ME;
 	}
 
-	charon->sender->send(charon->sender,
-						 this->responding.packet->clone(this->responding.packet));
+	send_packets(this, this->responding.packets, NULL, NULL);
 	if (delete)
 	{
 		if (hook)
@@ -964,6 +1070,48 @@ METHOD(task_manager_t, incr_mid, void,
 }
 
 /**
+ * Handle the given IKE fragment, if it is one.
+ *
+ * Returns SUCCESS if the message is not a fragment, and NEED_MORE if it was
+ * handled properly.  Error states are  returned if the fragment was invalid or
+ * the reassembled message could not have been processed properly.
+ */
+static status_t handle_fragment(private_task_manager_t *this,
+								message_t **defrag, message_t *msg)
+{
+	message_t *reassembled;
+	status_t status;
+
+	if (!msg->get_payload(msg, PLV2_FRAGMENT))
+	{
+		return SUCCESS;
+	}
+	if (!*defrag)
+	{
+		*defrag = message_create_defrag(msg);
+		if (!*defrag)
+		{
+			return FAILED;
+		}
+	}
+	status = (*defrag)->add_fragment(*defrag, msg);
+	if (status == SUCCESS)
+	{
+		/* reinject the reassembled message */
+		reassembled = *defrag;
+		*defrag = NULL;
+		status = this->ike_sa->process_message(this->ike_sa, reassembled);
+		if (status == SUCCESS)
+		{
+			/* avoid processing the last fragment */
+			status = NEED_MORE;
+		}
+		reassembled->destroy(reassembled);
+	}
+	return status;
+}
+
+/**
  * Send a notify back to the sender
  */
 static void send_notify_response(private_task_manager_t *this,
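Review bot: `handle_fragment()` only releases `*defrag` when `add_fragment()` returns SUCCESS, so a reassembly that never completes stays attached to `responding.defrag` or `initiating.defrag` until `reset()` or `destroy()` runs. Unless `add_fragment()` handles this internally, which the patch does not show, fragments of a later message ID would then be fed into a helper created for an older message. Dropping a helper whose message ID is lower than the incoming fragment's, before the `if (!*defrag)` check, bounds that state to one message per direction. The function also reassembles without checking `EXT_IKE_FRAGMENTATION`; if that check lives in message parsing, a comment saying so would help.

```c
	/* … unchanged: return SUCCESS when msg carries no PLV2_FRAGMENT payload … */
	/* discard fragments of an incomplete message with a lower message ID */
	if (*defrag &&
		(*defrag)->get_message_id(*defrag) < msg->get_message_id(msg))
	{
		(*defrag)->destroy(*defrag);
		*defrag = NULL;
	}
	if (!*defrag)
	/* … unchanged: create the helper, add_fragment(), reinject the result … */
```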
@@ -1156,6 +1304,11 @@ METHOD(task_manager_t, process_message, status_t,
 			{	/* with MOBIKE, we do no implicit updates */
 				this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
 			}
+			status = handle_fragment(this, &this->responding.defrag, msg);
+			if (status != SUCCESS)
+			{
+				return status;
+			}
 			charon->bus->message(charon->bus, msg, TRUE, TRUE);
 			if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
 			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
@@ -1168,20 +1321,19 @@ METHOD(task_manager_t, process_message, status_t,
 			}
 			this->responding.mid++;
 		}
-		else if ((mid == this->responding.mid - 1) && this->responding.packet)
+		else if ((mid == this->responding.mid - 1) &&
+				 array_count(this->responding.packets))
 		{
-			packet_t *clone;
-			host_t *host;
-
+			status = handle_fragment(this, &this->responding.defrag, msg);
+			if (status != SUCCESS)
+			{
+				return status;
+			}
 			DBG1(DBG_IKE, "received retransmit of request with ID %d, "
 				 "retransmitting response", mid);
 			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
-			clone = this->responding.packet->clone(this->responding.packet);
-			host = msg->get_destination(msg);
-			clone->set_source(clone, host->clone(host));
-			host = msg->get_source(msg);
-			clone->set_destination(clone, host->clone(host));
-			charon->sender->send(charon->sender, clone);
+			send_packets(this, this->responding.packets,
+						 msg->get_destination(msg), msg->get_source(msg));
 		}
 		else
 		{
@@ -1209,6 +1361,11 @@ METHOD(task_manager_t, process_message, status_t,
 					this->ike_sa->update_hosts(this->ike_sa, NULL, other, FALSE);
 				}
 			}
+			status = handle_fragment(this, &this->initiating.defrag, msg);
+			if (status != SUCCESS)
+			{
+				return status;
+			}
 			charon->bus->message(charon->bus, msg, TRUE, TRUE);
 			if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
 			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
@@ -1368,7 +1525,25 @@ METHOD(task_manager_t, queue_mobike, void,
 	mobike = ike_mobike_create(this->ike_sa, TRUE);
 	if (roam)
 	{
+		enumerator_t *enumerator;
+		task_t *current;
+
 		mobike->roam(mobike, address);
+
+		/* enable path probing for a currently active MOBIKE task.  This might
+		 * not be the case if an address appeared on a new interface while the
+		 * current address is not working but has not yet disappeared. */
+		enumerator = array_create_enumerator(this->active_tasks);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (current->get_type(current) == TASK_IKE_MOBIKE)
+			{
+				ike_mobike_t *active = (ike_mobike_t*)current;
+				active->enable_probing(active);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
 	}
 	else
 	{
@@ -1485,10 +1660,12 @@ METHOD(task_manager_t, reset, void,
 	task_t *task;
 
 	/* reset message counters and retransmit packets */
-	DESTROY_IF(this->responding.packet);
-	DESTROY_IF(this->initiating.packet);
-	this->responding.packet = NULL;
-	this->initiating.packet = NULL;
+	clear_packets(this->responding.packets);
+	clear_packets(this->initiating.packets);
+	DESTROY_IF(this->responding.defrag);
+	DESTROY_IF(this->initiating.defrag);
+	this->responding.defrag = NULL;
+	this->initiating.defrag = NULL;
 	if (initiate != UINT_MAX)
 	{
 		this->initiating.mid = initiate;
@@ -1542,8 +1719,12 @@ METHOD(task_manager_t, destroy, void,
 	array_destroy(this->queued_tasks);
 	array_destroy(this->passive_tasks);
 
-	DESTROY_IF(this->responding.packet);
-	DESTROY_IF(this->initiating.packet);
+	clear_packets(this->responding.packets);
+	array_destroy(this->responding.packets);
+	clear_packets(this->initiating.packets);
+	array_destroy(this->initiating.packets);
+	DESTROY_IF(this->responding.defrag);
+	DESTROY_IF(this->initiating.defrag);
 	free(this);
 }
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index e3c18ea..71c5f22 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -161,6 +161,19 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
 		message->add_payload(message, (payload_t*)ke_payload);
 		message->add_payload(message, (payload_t*)nonce_payload);
 	}
+
+	/* negotiate fragmentation if we are not rekeying */
+	if (!this->old_sa &&
+		 this->config->fragmentation(this->config) != FRAGMENTATION_NO)
+	{
+		if (this->initiator ||
+			this->ike_sa->supports_extension(this->ike_sa,
+											 EXT_IKE_FRAGMENTATION))
+		{
+			message->add_notify(message, FALSE, FRAGMENTATION_SUPPORTED,
+								chunk_empty);
+		}
+	}
 }
 
 /**
@@ -220,6 +233,16 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 				this->other_nonce = nonce_payload->get_nonce(nonce_payload);
 				break;
 			}
+			case PLV2_NOTIFY:
+			{
+				notify_payload_t *notify = (notify_payload_t*)payload;
+
+				if (notify->get_notify_type(notify) == FRAGMENTATION_SUPPORTED)
+				{
+					this->ike_sa->enable_extension(this->ike_sa,
+												   EXT_IKE_FRAGMENTATION);
+				}
+			}
 			default:
 				break;
 		}
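Review bot: The new `case PLV2_NOTIFY:` block has no `break;` and falls through into `default:`. That is harmless today because `default` only breaks, but a case added between the two later would silently run for every notify, so I would add `break;` after the closing brace of the inner `if`. Note also that `enable_extension()` is called for any `FRAGMENTATION_SUPPORTED` notify without consulting `this->config->fragmentation()`, unlike the sending side in `build_payloads()`, and in the initial exchange this notify is received before the peer is authenticated. If the flag is meant to record peer capability only, a comment such as `/* records peer support only; local policy is checked where fragments are generated (confirm) */` would make that explicit. `process_payloads` starts and ends outside this hunk.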
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index 00ca615..d91fa58 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Tobias Brunner
+ * Copyright (C) 2010-2014 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -77,6 +77,11 @@ struct private_ike_mobike_t {
 	 * additional addresses got updated
 	 */
 	bool addresses_updated;
+
+	/**
+	 * whether the pending updates counter was increased
+	 */
+	bool pending_update;
 };
 
 /**
@@ -301,35 +306,61 @@ static void apply_port(host_t *host, host_t *old, u_int16_t port, bool local)
 	host->set_port(host, port);
 }
 
-METHOD(ike_mobike_t, transmit, void,
+METHOD(ike_mobike_t, transmit, bool,
 	   private_ike_mobike_t *this, packet_t *packet)
 {
 	host_t *me, *other, *me_old, *other_old;
 	enumerator_t *enumerator;
 	ike_cfg_t *ike_cfg;
 	packet_t *copy;
+	int family = AF_UNSPEC;
+	bool found = FALSE;
+
+	me_old = this->ike_sa->get_my_host(this->ike_sa);
+	other_old = this->ike_sa->get_other_host(this->ike_sa);
+	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
 
 	if (!this->check)
 	{
-		return;
+		me = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+													  other_old, me_old);
+		if (me)
+		{
+			if (me->ip_equals(me, me_old))
+			{
+				charon->sender->send(charon->sender, packet->clone(packet));
+				me->destroy(me);
+				return TRUE;
+			}
+			me->destroy(me);
+		}
+		this->check = TRUE;
 	}
 
-	me_old = this->ike_sa->get_my_host(this->ike_sa);
-	other_old = this->ike_sa->get_other_host(this->ike_sa);
-	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+	switch (charon->socket->supported_families(charon->socket))
+	{
+		case SOCKET_FAMILY_IPV4:
+			family = AF_INET;
+			break;
+		case SOCKET_FAMILY_IPV6:
+			family = AF_INET6;
+			break;
+		case SOCKET_FAMILY_BOTH:
+		case SOCKET_FAMILY_NONE:
+			break;
+	}
 
 	enumerator = this->ike_sa->create_peer_address_enumerator(this->ike_sa);
 	while (enumerator->enumerate(enumerator, (void**)&other))
 	{
+		if (family != AF_UNSPEC && other->get_family(other) != family)
+		{
+			continue;
+		}
 		me = hydra->kernel_interface->get_source_addr(
 										hydra->kernel_interface, other, NULL);
 		if (me)
 		{
-			if (me->get_family(me) != other->get_family(other))
-			{
-				me->destroy(me);
-				continue;
-			}
 			/* reuse port for an active address, 4500 otherwise */
 			apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg), TRUE);
 			other = other->clone(other);
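Review bot: `transmit()` now has a side effect that neither this function nor the header comment mentions. When the task is not probing and the kernel reports no source address, or one that differs from the current one, it sets `this->check = TRUE` and goes on to probe every peer address. `retransmit()` in task_manager_v2.c depends on this when it tests `is_probing()` again after the call. A comment at the assignment, e.g. `/* preferred source changed or is gone: switch to path probing */`, plus a sentence in the `@return` documentation would make that visible. The `switch` on `supported_families()` also has no `default`, so any value outside the four listed cases leaves `family` at `AF_UNSPEC` silently; `transmit` continues in the next hunk.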
@@ -339,9 +370,11 @@ METHOD(ike_mobike_t, transmit, void,
 			copy->set_source(copy, me);
 			copy->set_destination(copy, other);
 			charon->sender->send(charon->sender, copy);
+			found = TRUE;
 		}
 	}
 	enumerator->destroy(enumerator);
+	return found;
 }
 
 METHOD(task_t, build_i, status_t,
@@ -481,9 +514,7 @@ METHOD(task_t, process_i, status_t,
 	}
 	else if (message->get_exchange_type(message) == INFORMATIONAL)
 	{
-		u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
-		this->ike_sa->set_pending_updates(this->ike_sa, updates);
-		if (updates > 0)
+		if (this->ike_sa->get_pending_updates(this->ike_sa) > 1)
 		{
 			/* newer update queued, ignore this one */
 			return SUCCESS;
@@ -560,7 +591,6 @@ METHOD(task_t, process_i, status_t,
 					this->natd = ike_natd_create(this->ike_sa, this->initiator);
 				}
 				this->check = FALSE;
-				this->ike_sa->set_pending_updates(this->ike_sa, 1);
 				return NEED_MORE;
 			}
 		}
@@ -573,8 +603,12 @@ METHOD(ike_mobike_t, addresses, void,
 	   private_ike_mobike_t *this)
 {
 	this->address = TRUE;
-	this->ike_sa->set_pending_updates(this->ike_sa,
+	if (!this->pending_update)
+	{
+		this->pending_update = TRUE;
+		this->ike_sa->set_pending_updates(this->ike_sa,
 						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+	}
 }
 
 METHOD(ike_mobike_t, roam, void,
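Review bot: The same guarded increment of the pending-updates counter is pasted into `addresses()` here and into `roam()` and `dpd()` in the next two hunks. Three copies of a counter update that must stay balanced with the decrement added to `destroy()` are easy to let drift apart. I would move it into one static helper, say `static void mark_pending_update(private_ike_mobike_t *this)`, holding the `if (!this->pending_update)` block, and call that from all three methods.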
@@ -582,8 +616,12 @@ METHOD(ike_mobike_t, roam, void,
 {
 	this->check = TRUE;
 	this->address = address;
-	this->ike_sa->set_pending_updates(this->ike_sa,
+	if (!this->pending_update)
+	{
+		this->pending_update = TRUE;
+		this->ike_sa->set_pending_updates(this->ike_sa,
 						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+	}
 }
 
 METHOD(ike_mobike_t, dpd, void,
@@ -593,8 +631,12 @@ METHOD(ike_mobike_t, dpd, void,
 	{
 		this->natd = ike_natd_create(this->ike_sa, this->initiator);
 	}
-	this->ike_sa->set_pending_updates(this->ike_sa,
+	if (!this->pending_update)
+	{
+		this->pending_update = TRUE;
+		this->ike_sa->set_pending_updates(this->ike_sa,
 						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+	}
 }
 
 METHOD(ike_mobike_t, is_probing, bool,
@@ -603,6 +645,12 @@ METHOD(ike_mobike_t, is_probing, bool,
 	return this->check;
 }
 
+METHOD(ike_mobike_t, enable_probing, void,
+	private_ike_mobike_t *this)
+{
+	this->check = TRUE;
+}
+
 METHOD(task_t, get_type, task_type_t,
 	   private_ike_mobike_t *this)
 {
@@ -618,11 +666,21 @@ METHOD(task_t, migrate, void,
 	{
 		this->natd->task.migrate(&this->natd->task, ike_sa);
 	}
+	if (this->pending_update)
+	{
+		this->ike_sa->set_pending_updates(this->ike_sa,
+						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+	}
 }
 
 METHOD(task_t, destroy, void,
 	   private_ike_mobike_t *this)
 {
+	if (this->pending_update)
+	{
+		this->ike_sa->set_pending_updates(this->ike_sa,
+						this->ike_sa->get_pending_updates(this->ike_sa) - 1);
+	}
 	chunk_free(&this->cookie2);
 	if (this->natd)
 	{
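Review bot: The increment added to `migrate()` and the decrement added to `destroy()` rely on an undocumented invariant: each task contributes at most one to the IKE_SA's pending-updates counter, tracked by `pending_update`. The decrement is unsigned arithmetic (the removed code in `process_i()` held the value in a `u_int32_t`), so if anything else resets the counter while a flagged task is alive it wraps. The `> 1` test in `process_i()` would then treat every update as superseded. A comment on both blocks, e.g. `/* this task holds one count on the pending updates counter */`, and a guard against a zero counter in `destroy()` would make this safer. `migrate()` presumably runs after `this->ike_sa` was switched to the new SA, which is outside this hunk, so the comment should say which SA is incremented.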
@@ -650,6 +708,7 @@ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
 			.dpd = _dpd,
 			.transmit = _transmit,
 			.is_probing = _is_probing,
+			.enable_probing = _enable_probing,
 		},
 		.ike_sa = ike_sa,
 		.initiator = initiator,
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.h b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
index b145a9a..bb2318c 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
@@ -70,8 +70,9 @@ struct ike_mobike_t {
 	 * probing.
 	 *
 	 * @param packet		the packet to transmit
+	 * @return				TRUE if transmitted, FALSE if no path found
 	 */
-	void (*transmit)(ike_mobike_t *this, packet_t *packet);
+	bool (*transmit)(ike_mobike_t *this, packet_t *packet);
 
 	/**
 	 * Check if this task is probing for routability.
@@ -79,6 +80,11 @@ struct ike_mobike_t {
 	 * @return				TRUE if task is probing
 	 */
 	bool (*is_probing)(ike_mobike_t *this);
+
+	/**
+	 * Enable probing for routability.
+	 */
+	void (*enable_probing)(ike_mobike_t *this);
 };
 
 /**
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index cc4f6f7..f0e9cbe 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -236,6 +236,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -296,6 +297,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -361,6 +363,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -408,6 +412,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am
index 0c8ecda..510f2a1 100644
--- a/src/libhydra/Makefile.am
+++ b/src/libhydra/Makefile.am
@@ -21,8 +21,7 @@ endif
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DPLUGINDIR=\"${plugindir}\" \
-	-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+	-DPLUGINDIR=\"${plugindir}\"
 
 AM_LDFLAGS = \
   -no-undefined
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index 0b494b3..e3ff198 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -291,6 +291,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -351,6 +352,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -416,6 +418,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -463,6 +467,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
@@ -492,8 +500,7 @@ libhydra_la_LIBADD =  \
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DPLUGINDIR=\"${plugindir}\" \
-	-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+	-DPLUGINDIR=\"${plugindir}\"
 
 AM_LDFLAGS = \
   -no-undefined
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index ddf2a44..50ea066 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -232,6 +232,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -292,6 +293,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -357,6 +359,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -404,6 +408,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 6f27bf3..076e1f8 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index 2a67bd5..a9b523e 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -236,6 +236,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -296,6 +297,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -361,6 +363,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -408,6 +412,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index d9b55cf..dfd71f3 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -310,6 +310,12 @@ struct private_kernel_netlink_ipsec_t {
 	bool install_routes;
 
 	/**
+	 * Whether to set protocol and ports on selector installed with transport
+	 * mode IPsec SAs
+	 */
+	bool proto_port_transport;
+
+	/**
 	 * Whether to track the history of a policy
 	 */
 	bool policy_history;
@@ -810,7 +816,7 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this,
 	u_int32_t reqid = 0;
 	int proto = 0;
 
-	acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
+	acquire = NLMSG_DATA(hdr);
 	rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
 	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
 
@@ -856,7 +862,7 @@ static void process_expire(private_kernel_netlink_ipsec_t *this,
 	u_int32_t spi, reqid;
 	u_int8_t protocol;
 
-	expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
+	expire = NLMSG_DATA(hdr);
 	protocol = expire->state.id.proto;
 	spi = expire->state.id.spi;
 	reqid = expire->state.reqid;
@@ -890,7 +896,7 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this,
 	u_int32_t reqid = 0;
 	policy_dir_t dir;
 
-	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	policy_id = NLMSG_DATA(hdr);
 	rta     = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
 	rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
 
@@ -957,7 +963,7 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
 	struct xfrm_user_mapping *mapping;
 	u_int32_t spi, reqid;
 
-	mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
+	mapping = NLMSG_DATA(hdr);
 	spi = mapping->id.spi;
 	reqid = mapping->reqid;
 
@@ -1059,12 +1065,12 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 
 	memset(&request, 0, sizeof(request));
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
 
-	userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
+	userspi = NLMSG_DATA(hdr);
 	host2xfrm(src, &userspi->info.saddr);
 	host2xfrm(dst, &userspi->info.id.daddr);
 	userspi->info.id.proto = proto;
@@ -1208,12 +1214,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}  (mark "
 				  "%u/0x%08x)", ntohl(spi), reqid, mark.value, mark.mask);
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
 
-	sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
+	sa = NLMSG_DATA(hdr);
 	host2xfrm(src, &sa->saddr);
 	host2xfrm(dst, &sa->id.daddr);
 	sa->id.spi = spi;
@@ -1235,12 +1241,15 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			if (src_ts && dst_ts)
 			{
 				sa->sel = ts2selector(src_ts, dst_ts);
-				/* don't install proto/port on SA. This would break
-				 * potential secondary SAs for the same address using a
-				 * different prot/port. */
-				sa->sel.proto = 0;
-				sa->sel.dport = sa->sel.dport_mask = 0;
-				sa->sel.sport = sa->sel.sport_mask = 0;
+				if (!this->proto_port_transport)
+				{
+					/* don't install proto/port on SA. This would break
+					 * potential secondary SAs for the same address using a
+					 * different prot/port. */
+					sa->sel.proto = 0;
+					sa->sel.dport = sa->sel.dport_mask = 0;
+					sa->sel.sport = sa->sel.sport_mask = 0;
+				}
 			}
 			break;
 		default:
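Review bot: The comment kept inside the new `if (!this->proto_port_transport)` block only explains the default path, so nothing at this point in add_sa says what turning the option on costs. By the comment's own reasoning, an SA installed with protocol and ports in its selector would break secondary SAs for the same addresses that use a different protocol or port. I would add a line above the condition, for example `/* with proto_port_transport the SA selector keeps proto/ports; a second SA for the same hosts with other proto/ports may then conflict */`. The enclosing switch starts and ends outside this hunk.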
@@ -1512,7 +1521,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	status = SUCCESS;
 
 failed:
-	memwipe(request, sizeof(request));
+	memwipe(&request, sizeof(request));
 	return status;
 }
 
@@ -1540,12 +1549,12 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
 	DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x",
 				   ntohl(spi));
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETAE;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
 
-	aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
+	aevent_id = NLMSG_DATA(hdr);
 	aevent_id->flags = XFRM_AE_RVAL;
 
 	host2xfrm(dst, &aevent_id->sa_id.daddr);
@@ -1632,12 +1641,12 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x  (mark %u/0x%08x)",
 				   ntohl(spi), mark.value, mark.mask);
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
 
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	sa_id = NLMSG_DATA(hdr);
 	host2xfrm(dst, &sa_id->daddr);
 	sa_id->spi = spi;
 	sa_id->proto = protocol;
@@ -1657,7 +1666,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 			{
 				case XFRM_MSG_NEWSA:
 				{
-					sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
+					sa = NLMSG_DATA(hdr);
 					break;
 				}
 				case NLMSG_ERROR:
@@ -1735,12 +1744,12 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x  (mark %u/0x%08x)",
 				   ntohl(spi), mark.value, mark.mask);
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_DELSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
 
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	sa_id = NLMSG_DATA(hdr);
 	host2xfrm(dst, &sa_id->daddr);
 	sa_id->spi = spi;
 	sa_id->proto = protocol;
@@ -1804,12 +1813,12 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
 
 	/* query the existing SA first */
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
 
-	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+	sa_id = NLMSG_DATA(hdr);
 	host2xfrm(dst, &sa_id->daddr);
 	sa_id->spi = spi;
 	sa_id->proto = protocol;
@@ -1867,7 +1876,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
 				   ntohl(spi), src, dst, new_src, new_dst);
 	/* copy over the SA from out to request */
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_NEWSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
@@ -1958,7 +1967,7 @@ failed:
 	free(replay);
 	free(replay_esn);
 	memwipe(out, len);
-	memwipe(request, sizeof(request));
+	memwipe(&request, sizeof(request));
 	free(out);
 
 	return status;
@@ -1975,12 +1984,12 @@ METHOD(kernel_ipsec_t, flush_sas, status_t,
 
 	DBG2(DBG_KNL, "flushing all SAD entries");
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_FLUSHSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush));
 
-	flush = (struct xfrm_usersa_flush*)NLMSG_DATA(hdr);
+	flush = NLMSG_DATA(hdr);
 	flush->proto = IPSEC_PROTO_ANY;
 
 	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
@@ -2011,12 +2020,12 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 	memcpy(&clone, policy, sizeof(policy_entry_t));
 
 	memset(&request, 0, sizeof(request));
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = update ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
 
-	policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
+	policy_info = NLMSG_DATA(hdr);
 	policy_info->sel = policy->sel;
 	policy_info->dir = policy->direction;
 
@@ -2335,12 +2344,12 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 				   src_ts, dst_ts, policy_dir_names, direction,
 				   mark.value, mark.mask);
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
 
-	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	policy_id = NLMSG_DATA(hdr);
 	policy_id->sel = ts2selector(src_ts, dst_ts);
 	policy_id->dir = direction;
 
@@ -2358,7 +2367,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 			{
 				case XFRM_MSG_NEWPOLICY:
 				{
-					policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
+					policy = NLMSG_DATA(hdr);
 					break;
 				}
 				case NLMSG_ERROR:
@@ -2492,12 +2501,12 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 
 	memset(&request, 0, sizeof(request));
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
 
-	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+	policy_id = NLMSG_DATA(hdr);
 	policy_id->sel = current->sel;
 	policy_id->dir = direction;
 
@@ -2551,7 +2560,7 @@ METHOD(kernel_ipsec_t, flush_policies, status_t,
 
 	DBG2(DBG_KNL, "flushing all policies from SPD");
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_FLUSHPOLICY;
 	hdr->nlmsg_len = NLMSG_LENGTH(0); /* no data associated */
@@ -2683,6 +2692,9 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 		.policy_history = TRUE,
 		.install_routes = lib->settings->get_bool(lib->settings,
 							"%s.install_routes", TRUE, lib->ns),
+		.proto_port_transport = lib->settings->get_bool(lib->settings,
+						"%s.plugins.kernel-netlink.set_proto_port_transport_sa",
+						FALSE, lib->ns),
 	);
 
 	if (streq(lib->ns, "starter"))
@@ -2699,7 +2711,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 		fclose(f);
 	}
 
-	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
+	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names);
 	if (!this->socket_xfrm)
 	{
 		destroy(this);
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index 82b637d..9d9f159 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -78,6 +78,27 @@
 #define ROUTING_TABLE_PRIO 0
 #endif
 
+ENUM(rt_msg_names, RTM_NEWLINK, RTM_GETRULE,
+	"RTM_NEWLINK",
+	"RTM_DELLINK",
+	"RTM_GETLINK",
+	"RTM_SETLINK",
+	"RTM_NEWADDR",
+	"RTM_DELADDR",
+	"RTM_GETADDR",
+	"31",
+	"RTM_NEWROUTE",
+	"RTM_DELROUTE",
+	"RTM_GETROUTE",
+	"35",
+	"RTM_NEWNEIGH",
+	"RTM_DELNEIGH",
+	"RTM_GETNEIGH",
+	"RTM_NEWRULE",
+	"RTM_DELRULE",
+	"RTM_GETRULE",
+);
+
 typedef struct addr_entry_t addr_entry_t;
 
 /**
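Review bot: The `rt_msg_names` table looks one entry short, and its two gap placeholders are mislabelled. Assuming the usual `linux/rtnetlink.h` numbering (RTM_NEWLINK = 16 through RTM_GETRULE = 34, with 23, 27 and 31 unused), the range needs 19 strings but only 18 are listed, because there is no placeholder between `"RTM_GETNEIGH"` and `"RTM_NEWRULE"`. If ENUM maps the strings positionally from the first value, the three rule messages are logged under the wrong name and a lookup of RTM_GETRULE indexes past the last string. I would name the gaps by their value, `"23",` and `"27",` in place of `"31",` and `"35",`, and insert `"31",` before `"RTM_NEWRULE"`.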
@@ -478,6 +499,16 @@ struct private_kernel_netlink_net_t {
 	 * list with routing tables to be excluded from route lookup
 	 */
 	linked_list_t *rt_exclude;
+
+	/**
+	 * MTU to set on installed routes
+	 */
+	u_int32_t mtu;
+
+	/**
+	 * MSS to set on installed routes
+	 */
+	u_int32_t mss;
 };
 
 /**
@@ -928,7 +959,7 @@ static void addr_entry_unregister(addr_entry_t *addr, iface_entry_t *iface,
 static void process_link(private_kernel_netlink_net_t *this,
 						 struct nlmsghdr *hdr, bool event)
 {
-	struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
+	struct ifinfomsg* msg = NLMSG_DATA(hdr);
 	struct rtattr *rta = IFLA_RTA(msg);
 	size_t rtasize = IFLA_PAYLOAD (hdr);
 	enumerator_t *enumerator;
@@ -1030,7 +1061,7 @@ static void process_link(private_kernel_netlink_net_t *this,
 static void process_addr(private_kernel_netlink_net_t *this,
 						 struct nlmsghdr *hdr, bool event)
 {
-	struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
+	struct ifaddrmsg* msg = NLMSG_DATA(hdr);
 	struct rtattr *rta = IFA_RTA(msg);
 	size_t rtasize = IFA_PAYLOAD (hdr);
 	host_t *host = NULL;
@@ -1173,7 +1204,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
  */
 static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr)
 {
-	struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr));
+	struct rtmsg* msg = NLMSG_DATA(hdr);
 	struct rtattr *rta = RTM_RTA(msg);
 	size_t rtasize = RTM_PAYLOAD(hdr);
 	u_int32_t rta_oif = 0;
@@ -1530,7 +1561,7 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
 	struct rtmsg *msg;
 	size_t rtasize;
 
-	msg = (struct rtmsg*)(NLMSG_DATA(hdr));
+	msg = NLMSG_DATA(hdr);
 	rta = RTM_RTA(msg);
 	rtasize = RTM_PAYLOAD(hdr);
 
@@ -1615,7 +1646,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 	memset(&request, 0, sizeof(request));
 
 	family = dest->get_family(dest);
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	if (family == AF_INET || this->rta_prefsrc_for_ipv6 ||
 		this->routing_table || match_net)
@@ -1627,7 +1658,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 	hdr->nlmsg_type = RTM_GETROUTE;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
 
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg = NLMSG_DATA(hdr);
 	msg->rtm_family = family;
 	if (candidate)
 	{
@@ -1854,12 +1885,12 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
 
 	chunk = ip->get_address(ip);
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
 	hdr->nlmsg_type = nlmsg_type;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
 
-	msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
+	msg = NLMSG_DATA(hdr);
 	msg->ifa_family = ip->get_family(ip);
 	msg->ifa_flags = 0;
 	msg->ifa_prefixlen = prefix < 0 ? chunk.len * 8 : prefix;
@@ -2055,6 +2086,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this,
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
 	struct rtmsg *msg;
+	struct rtattr *rta;
 	int ifindex;
 	chunk_t chunk;
 
@@ -2081,12 +2113,12 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this,
 
 	memset(&request, 0, sizeof(request));
 
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
 	hdr->nlmsg_type = nlmsg_type;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
 
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg = NLMSG_DATA(hdr);
 	msg->rtm_family = src_ip->get_family(src_ip);
 	msg->rtm_dst_len = prefixlen;
 	msg->rtm_table = this->routing_table;
@@ -2107,6 +2139,30 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this,
 	chunk.len = sizeof(ifindex);
 	netlink_add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
 
+	if (this->mtu || this->mss)
+	{
+		chunk = chunk_alloca(RTA_LENGTH((sizeof(struct rtattr) +
+										 sizeof(u_int32_t)) * 2));
+		chunk.len = 0;
+		rta = (struct rtattr*)chunk.ptr;
+		if (this->mtu)
+		{
+			rta->rta_type = RTAX_MTU;
+			rta->rta_len = RTA_LENGTH(sizeof(u_int32_t));
+			memcpy(RTA_DATA(rta), &this->mtu, sizeof(u_int32_t));
+			chunk.len = rta->rta_len;
+		}
+		if (this->mss)
+		{
+			rta = (struct rtattr*)(chunk.ptr + RTA_ALIGN(chunk.len));
+			rta->rta_type = RTAX_ADVMSS;
+			rta->rta_len = RTA_LENGTH(sizeof(u_int32_t));
+			memcpy(RTA_DATA(rta), &this->mss, sizeof(u_int32_t));
+			chunk.len = RTA_ALIGN(chunk.len) + rta->rta_len;
+		}
+		netlink_add_attribute(hdr, RTA_METRICS, chunk, sizeof(request));
+	}
+
 	return this->socket->send_ack(this->socket, hdr);
 }
 
@@ -2186,10 +2242,10 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
 
 	memset(&request, 0, sizeof(request));
 
-	in = (struct nlmsghdr*)&request;
+	in = &request.hdr;
 	in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
 	in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
-	msg = (struct rtgenmsg*)NLMSG_DATA(in);
+	msg = NLMSG_DATA(in);
 	msg->rtgen_family = AF_UNSPEC;
 
 	/* get all links */
@@ -2273,7 +2329,7 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
 	char *fwmark;
 
 	memset(&request, 0, sizeof(request));
-	hdr = (struct nlmsghdr*)request;
+	hdr = &request.hdr;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = nlmsg_type;
 	if (nlmsg_type == RTM_NEWRULE)
@@ -2282,7 +2338,7 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
 	}
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
 
-	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg = NLMSG_DATA(hdr);
 	msg->rtm_table = table;
 	msg->rtm_family = family;
 	msg->rtm_protocol = RTPROT_BOOT;
@@ -2434,7 +2490,7 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 				.destroy = _destroy,
 			},
 		},
-		.socket = netlink_socket_create(NETLINK_ROUTE),
+		.socket = netlink_socket_create(NETLINK_ROUTE, rt_msg_names),
 		.rt_exclude = linked_list_create(),
 		.routes = hashtable_create((hashtable_hash_t)route_entry_hash,
 								   (hashtable_equals_t)route_entry_equals, 16),
@@ -2466,6 +2522,10 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 						"%s.prefer_temporary_addrs", FALSE, lib->ns),
 		.roam_events = lib->settings->get_bool(lib->settings,
 						"%s.plugins.kernel-netlink.roam_events", TRUE, lib->ns),
+		.mtu = lib->settings->get_int(lib->settings,
+						"%s.plugins.kernel-netlink.mtu", 0, lib->ns),
+		.mss = lib->settings->get_int(lib->settings,
+						"%s.plugins.kernel-netlink.mss", 0, lib->ns),
 	);
 	timerclear(&this->last_route_reinstall);
 	timerclear(&this->next_roam);
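Review bot: The new `.mtu` and `.mss` initialisers store the result of `get_int()` directly in `u_int32_t` fields, so a negative value in the configuration wraps to a very large number. The manage_srcroute hunk of this commit then installs that number as RTAX_MTU or RTAX_ADVMSS because it only tests for non-zero. I would read each setting into a signed local after INIT and fall back to 0 with a DBG1 warning when it is negative, for example `int mtu = lib->settings->get_int(...); this->mtu = mtu < 0 ? 0 : mtu;`. An upper bound is worth considering as well, but this hunk gives no basis for choosing one.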
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
index fd00c23..b4cece7 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -46,14 +46,14 @@ struct private_netlink_socket_t {
 	int seq;
 
 	/**
-	 * netlink socket protocol
+	 * netlink socket
 	 */
-	int protocol;
+	int socket;
 
 	/**
-	 * netlink socket
+	 * Enum names for Netlink messages
 	 */
-	int socket;
+	enum_name_t *names;
 };
 
 /**
@@ -65,10 +65,13 @@ METHOD(netlink_socket_t, netlink_send, status_t,
 	private_netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out,
 	size_t *out_len)
 {
-	int len, addr_len;
+	union {
+		struct nlmsghdr hdr;
+		u_char bytes[4096];
+	} response;
 	struct sockaddr_nl addr;
-	chunk_t result = chunk_empty, tmp;
-	struct nlmsghdr *msg, peek;
+	chunk_t result = chunk_empty;
+	int len;
 
 	this->mutex->lock(this->mutex);
 
@@ -80,13 +83,11 @@ METHOD(netlink_socket_t, netlink_send, status_t,
 	addr.nl_pid = 0;
 	addr.nl_groups = 0;
 
-	if (this->protocol == NETLINK_XFRM)
+	if (this->names)
 	{
-		chunk_t in_chunk = { (u_char*)in, in->nlmsg_len };
-
-		DBG3(DBG_KNL, "sending %N: %B", xfrm_msg_names, in->nlmsg_type, &in_chunk);
+		DBG3(DBG_KNL, "sending %N: %b",
+			 this->names, in->nlmsg_type, in, in->nlmsg_len);
 	}
-
 	while (TRUE)
 	{
 		len = sendto(this->socket, in, in->nlmsg_len, 0,
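Review bot: The `%b` dump in the added DBG3 line prints every outgoing request in full once `names` is set, and that includes the add_sa request. This same commit wipes that buffer with `memwipe(&request, sizeof(request))`, which suggests it carries SA key material, so enabling level 3 for the kernel subsystem would write those bytes to the log. I would log only the message type at this level and move the byte dump to the level reserved for sensitive data, for example `DBG3(DBG_KNL, "sending %N", this->names, in->nlmsg_type);` followed by `DBG4(DBG_KNL, "%b", in, in->nlmsg_len);`. That assumes level 4 is the project's private level. netlink_send continues outside this hunk.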
@@ -108,20 +109,7 @@ METHOD(netlink_socket_t, netlink_send, status_t,
 
 	while (TRUE)
 	{
-		char buf[4096];
-		tmp.len = sizeof(buf);
-		tmp.ptr = buf;
-		msg = (struct nlmsghdr*)tmp.ptr;
-
-		memset(&addr, 0, sizeof(addr));
-		addr.nl_family = AF_NETLINK;
-		addr.nl_pid = getpid();
-		addr.nl_groups = 0;
-		addr_len = sizeof(addr);
-
-		len = recvfrom(this->socket, tmp.ptr, tmp.len, 0,
-					   (struct sockaddr*)&addr, &addr_len);
-
+		len = recv(this->socket, &response, sizeof(response), 0);
 		if (len < 0)
 		{
 			if (errno == EINTR)
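Review bot: Switching to `recv()` means the reply's sender address is no longer available, and nothing visible in this loop checks that a message came from the kernel. The removed code filled `addr` through `recvfrom()` but, as far as the hunk shows, never inspected it, so this is a missing check rather than a regression. Whether another local process can deliver unicast netlink messages to this socket depends on the kernel, so I would not rely on it. I would keep `recvfrom()` with a `struct sockaddr_nl` and skip replies that are not from port 0, for example `if (addr.nl_pid != 0) { continue; }`, before the sequence number is trusted. netlink_send continues outside this hunk.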
@@ -135,17 +123,17 @@ METHOD(netlink_socket_t, netlink_send, status_t,
 			free(result.ptr);
 			return FAILED;
 		}
-		if (!NLMSG_OK(msg, len))
+		if (!NLMSG_OK(&response.hdr, len))
 		{
 			DBG1(DBG_KNL, "received corrupted netlink message");
 			this->mutex->unlock(this->mutex);
 			free(result.ptr);
 			return FAILED;
 		}
-		if (msg->nlmsg_seq != this->seq)
+		if (response.hdr.nlmsg_seq != this->seq)
 		{
 			DBG1(DBG_KNL, "received invalid netlink sequence number");
-			if (msg->nlmsg_seq < this->seq)
+			if (response.hdr.nlmsg_seq < this->seq)
 			{
 				continue;
 			}
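Review bot: `NLMSG_OK(&response.hdr, len)` validates only the first header in the buffer, so a datagram larger than the 4096-byte `response` union is cut off by `recv()` without being noticed. If the first message fits, the check passes and the truncated tail is appended to `result`; a caller walking the result would then presumably stop at the partial message and lose the remaining entries silently. I would pass `MSG_TRUNC` to the `recv()` call in the previous hunk so that `len` reports the real datagram size, and fail when `len > sizeof(response)`. Whether replies can exceed 4096 bytes depends on the kernel and page size, which this page does not show.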
@@ -154,17 +142,13 @@ METHOD(netlink_socket_t, netlink_send, status_t,
 			return FAILED;
 		}
 
-		tmp.len = len;
-		result.ptr = realloc(result.ptr, result.len + tmp.len);
-		memcpy(result.ptr + result.len, tmp.ptr, tmp.len);
-		result.len += tmp.len;
+		result = chunk_cat("mc", result, chunk_create(response.bytes, len));
 
 		/* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
 		 * numbers to detect multi header messages */
-		len = recvfrom(this->socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
-					   (struct sockaddr*)&addr, &addr_len);
-
-		if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
+		len = recv(this->socket, &response.hdr, sizeof(response.hdr),
+				   MSG_PEEK | MSG_DONTWAIT);
+		if (len == sizeof(response.hdr) && response.hdr.nlmsg_seq == this->seq)
 		{
 			/* seems to be multipart */
 			continue;
@@ -197,7 +181,7 @@ METHOD(netlink_socket_t, netlink_send_ack, status_t,
 		{
 			case NLMSG_ERROR:
 			{
-				struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
+				struct nlmsgerr* err = NLMSG_DATA(hdr);
 
 				if (err->error)
 				{
@@ -235,7 +219,7 @@ METHOD(netlink_socket_t, netlink_send_ack, status_t,
 METHOD(netlink_socket_t, destroy, void,
 	private_netlink_socket_t *this)
 {
-	if (this->socket > 0)
+	if (this->socket != -1)
 	{
 		close(this->socket);
 	}
@@ -246,10 +230,12 @@ METHOD(netlink_socket_t, destroy, void,
 /**
  * Described in header.
  */
-netlink_socket_t *netlink_socket_create(int protocol)
+netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names)
 {
 	private_netlink_socket_t *this;
-	struct sockaddr_nl addr;
+	struct sockaddr_nl addr = {
+		.nl_family = AF_NETLINK,
+	};
 
 	INIT(this,
 		.public = {
@@ -259,21 +245,16 @@ netlink_socket_t *netlink_socket_create(int protocol)
 		},
 		.seq = 200,
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.protocol = protocol,
+		.socket = socket(AF_NETLINK, SOCK_RAW, protocol),
+		.names = names,
 	);
 
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-
-	this->socket = socket(AF_NETLINK, SOCK_RAW, protocol);
-	if (this->socket < 0)
+	if (this->socket == -1)
 	{
 		DBG1(DBG_KNL, "unable to create netlink socket");
 		destroy(this);
 		return NULL;
 	}
-
-	addr.nl_groups = 0;
 	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)))
 	{
 		DBG1(DBG_KNL, "unable to bind netlink socket");
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
index 8be935b..069f746 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -26,7 +26,10 @@
  * 1024 byte is currently sufficient for all operations. Some platform
  * require an enforced aligment to four bytes (e.g. ARM).
  */
-typedef u_char netlink_buf_t[1024] __attribute__((aligned(RTA_ALIGNTO)));
+typedef union {
+	struct nlmsghdr hdr;
+	u_char bytes[1024];
+} netlink_buf_t __attribute__((aligned(RTA_ALIGNTO)));
 
 typedef struct netlink_socket_t netlink_socket_t;
 
@@ -61,9 +64,10 @@ struct netlink_socket_t {
 /**
  * Create a netlink_socket_t object.
  *
- * @param	protocol	protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
+ * @param protocol	protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
+ * @param names		optional enum names for Netlink messages
  */
-netlink_socket_t *netlink_socket_create(int protocol);
+netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names);
 
 /**
  * Creates an rtattr and adds it to the given netlink message.
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index 7677696..821ad77 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index e1a58aa..00ab5ab 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1978,8 +1978,8 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 	}
 	if (packets)
 	{
-		/* not supported by PF_KEY */
-		*packets = 0;
+		/* at least on Linux and FreeBSD this contains the number of packets */
+		*packets = response.lft_current->sadb_lifetime_allocations;
 	}
 	if (time)
 	{
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 7938a3d..662f2fd 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index c4e8664..26fae0d 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -875,6 +875,41 @@ static void process_link(private_kernel_pfroute_net_t *this,
 	}
 }
 
+#ifdef HAVE_RTM_IFANNOUNCE
+
+/**
+ * Process an RTM_IFANNOUNCE message from the kernel
+ */
+static void process_announce(private_kernel_pfroute_net_t *this,
+							 struct if_announcemsghdr *msg)
+{
+	enumerator_t *enumerator;
+	iface_entry_t *iface;
+
+	if (msg->ifan_what != IFAN_DEPARTURE)
+	{
+		/* we handle new interfaces in process_link() */
+		return;
+	}
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->ifaces->create_enumerator(this->ifaces);
+	while (enumerator->enumerate(enumerator, &iface))
+	{
+		if (iface->ifindex == msg->ifan_index)
+		{
+			DBG1(DBG_KNL, "interface %s disappeared", iface->ifname);
+			this->ifaces->remove_at(this->ifaces, enumerator);
+			iface_entry_destroy(iface);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+#endif /* HAVE_RTM_IFANNOUNCE */
+
 /**
  * Process an RTM_*ROUTE message from the kernel
  */
@@ -895,6 +930,9 @@ static bool receive_events(private_kernel_pfroute_net_t *this, int fd,
 			struct rt_msghdr rtm;
 			struct if_msghdr ifm;
 			struct ifa_msghdr ifam;
+#ifdef HAVE_RTM_IFANNOUNCE
+			struct if_announcemsghdr ifanm;
+#endif
 		};
 		char buf[sizeof(struct sockaddr_storage) * RTAX_MAX];
 	} msg;
@@ -935,6 +973,11 @@ static bool receive_events(private_kernel_pfroute_net_t *this, int fd,
 		case RTM_IFINFO:
 			hdrlen = sizeof(msg.ifm);
 			break;
+#ifdef HAVE_RTM_IFANNOUNCE
+		case RTM_IFANNOUNCE:
+			hdrlen = sizeof(msg.ifanm);
+			break;
+#endif /* HAVE_RTM_IFANNOUNCE */
 		case RTM_ADD:
 		case RTM_DELETE:
 		case RTM_GET:
@@ -957,6 +1000,11 @@ static bool receive_events(private_kernel_pfroute_net_t *this, int fd,
 		case RTM_IFINFO:
 			process_link(this, &msg.ifm);
 			break;
+#ifdef HAVE_RTM_IFANNOUNCE
+		case RTM_IFANNOUNCE:
+			process_announce(this, &msg.ifanm);
+			break;
+#endif /* HAVE_RTM_IFANNOUNCE */
 		case RTM_ADD:
 		case RTM_DELETE:
 			process_route(this, &msg.rtm);
@@ -1518,8 +1566,7 @@ retry:
 			{	/* timed out? */
 				break;
 			}
-			if (this->reply->rtm_msglen < sizeof(*this->reply) ||
-				msg.hdr.rtm_seq != this->reply->rtm_seq)
+			if (!this->reply)
 			{
 				continue;
 			}
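Review bot: With the `rtm_msglen` and `rtm_seq` tests replaced by `if (!this->reply)`, this wait loop accepts whatever the receiving side stored in `this->reply`. The code that fills it is outside this hunk (presumably receive_events()), so it should be confirmed that it stores a message only after matching its sequence number against `waiting_seq` and checking that `rtm_msglen` covers at least the header and does not exceed the bytes actually read. If that holds, a short comment here would record the contract, for example `/* reply is only set for a validated response to waiting_seq */`.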
@@ -1559,6 +1606,8 @@ retry:
 	{
 		failed = TRUE;
 	}
+	free(this->reply);
+	this->reply = NULL;
 	/* signal completion of query to a waiting thread */
 	this->waiting_seq = 0;
 	this->condvar->signal(this->condvar);
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index 32eed61..5b4c7bc 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -235,6 +235,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -295,6 +296,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -360,6 +362,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -407,6 +411,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libimcv/Android.mk b/src/libimcv/Android.mk
index 4253fe2..8269d72 100644
--- a/src/libimcv/Android.mk
+++ b/src/libimcv/Android.mk
@@ -41,7 +41,62 @@ libimcv_la_SOURCES := \
 	os_info/os_info.h os_info/os_info.c \
 	pa_tnc/pa_tnc_attr.h \
 	pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
-	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c
+	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c \
+	pts/pts.h pts/pts.c \
+	pts/pts_error.h pts/pts_error.c \
+	pts/pts_pcr.h pts/pts_pcr.c \
+	pts/pts_proto_caps.h \
+	pts/pts_req_func_comp_evid.h \
+	pts/pts_simple_evid_final.h \
+	pts/pts_creds.h pts/pts_creds.c \
+	pts/pts_database.h pts/pts_database.c \
+	pts/pts_dh_group.h pts/pts_dh_group.c \
+	pts/pts_file_meas.h pts/pts_file_meas.c \
+	pts/pts_file_meta.h pts/pts_file_meta.c \
+	pts/pts_file_type.h pts/pts_file_type.c \
+	pts/pts_ima_bios_list.h pts/pts_ima_bios_list.c \
+	pts/pts_ima_event_list.h pts/pts_ima_event_list.c \
+	pts/pts_meas_algo.h pts/pts_meas_algo.c \
+	pts/components/pts_component.h \
+	pts/components/pts_component_manager.h pts/components/pts_component_manager.c \
+	pts/components/pts_comp_evidence.h pts/components/pts_comp_evidence.c \
+	pts/components/pts_comp_func_name.h pts/components/pts_comp_func_name.c \
+	pts/components/ita/ita_comp_func_name.h pts/components/ita/ita_comp_func_name.c \
+	pts/components/ita/ita_comp_ima.h pts/components/ita/ita_comp_ima.c \
+	pts/components/ita/ita_comp_tboot.h pts/components/ita/ita_comp_tboot.c \
+	pts/components/ita/ita_comp_tgrub.h pts/components/ita/ita_comp_tgrub.c \
+	pts/components/tcg/tcg_comp_func_name.h pts/components/tcg/tcg_comp_func_name.c \
+	seg/seg_contract.h seg/seg_contract.c \
+	seg/seg_contract_manager.h seg/seg_contract_manager.c \
+	seg/seg_env.h seg/seg_env.c \
+	swid/swid_error.h swid/swid_error.c \
+	swid/swid_inventory.h swid/swid_inventory.c \
+	swid/swid_tag.h swid/swid_tag.c \
+	swid/swid_tag_id.h swid/swid_tag_id.c \
+	tcg/tcg_attr.h tcg/tcg_attr.c \
+	tcg/pts/tcg_pts_attr_proto_caps.h tcg/pts/tcg_pts_attr_proto_caps.c \
+	tcg/pts/tcg_pts_attr_dh_nonce_params_req.h tcg/pts/tcg_pts_attr_dh_nonce_params_req.c \
+	tcg/pts/tcg_pts_attr_dh_nonce_params_resp.h tcg/pts/tcg_pts_attr_dh_nonce_params_resp.c \
+	tcg/pts/tcg_pts_attr_dh_nonce_finish.h tcg/pts/tcg_pts_attr_dh_nonce_finish.c \
+	tcg/pts/tcg_pts_attr_meas_algo.h tcg/pts/tcg_pts_attr_meas_algo.c \
+	tcg/pts/tcg_pts_attr_get_tpm_version_info.h tcg/pts/tcg_pts_attr_get_tpm_version_info.c \
+	tcg/pts/tcg_pts_attr_tpm_version_info.h tcg/pts/tcg_pts_attr_tpm_version_info.c \
+	tcg/pts/tcg_pts_attr_get_aik.h tcg/pts/tcg_pts_attr_get_aik.c \
+	tcg/pts/tcg_pts_attr_aik.h tcg/pts/tcg_pts_attr_aik.c \
+	tcg/pts/tcg_pts_attr_req_func_comp_evid.h tcg/pts/tcg_pts_attr_req_func_comp_evid.c \
+	tcg/pts/tcg_pts_attr_gen_attest_evid.h tcg/pts/tcg_pts_attr_gen_attest_evid.c \
+	tcg/pts/tcg_pts_attr_simple_comp_evid.h tcg/pts/tcg_pts_attr_simple_comp_evid.c \
+	tcg/pts/tcg_pts_attr_simple_evid_final.h tcg/pts/tcg_pts_attr_simple_evid_final.c \
+	tcg/pts/tcg_pts_attr_req_file_meas.h tcg/pts/tcg_pts_attr_req_file_meas.c \
+	tcg/pts/tcg_pts_attr_file_meas.h tcg/pts/tcg_pts_attr_file_meas.c \
+	tcg/pts/tcg_pts_attr_req_file_meta.h tcg/pts/tcg_pts_attr_req_file_meta.c \
+	tcg/pts/tcg_pts_attr_unix_file_meta.h tcg/pts/tcg_pts_attr_unix_file_meta.c \
+	tcg/seg/tcg_seg_attr_max_size.h tcg/seg/tcg_seg_attr_max_size.c \
+	tcg/seg/tcg_seg_attr_seg_env.h tcg/seg/tcg_seg_attr_seg_env.c \
+	tcg/seg/tcg_seg_attr_next_seg.h tcg/seg/tcg_seg_attr_next_seg.c \
+	tcg/swid/tcg_swid_attr_req.h tcg/swid/tcg_swid_attr_req.c \
+	tcg/swid/tcg_swid_attr_tag_id_inv.h tcg/swid/tcg_swid_attr_tag_id_inv.c \
+	tcg/swid/tcg_swid_attr_tag_inv.h tcg/swid/tcg_swid_attr_tag_inv.c
 
 LOCAL_SRC_FILES := $(filter %.c,$(libimcv_la_SOURCES))
 
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am
index 4bed3bf..d9a5cd5 100644
--- a/src/libimcv/Makefile.am
+++ b/src/libimcv/Makefile.am
@@ -1,6 +1,7 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libtncif
+	-I$(top_srcdir)/src/libtncif \
+	-DIPSEC_SCRIPT=\"${ipsec_script}\"
 
 ipseclib_LTLIBRARIES = libimcv.la
 
@@ -11,6 +12,10 @@ libimcv_la_LIBADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libtncif/libtncif.la
 
+if USE_TROUSERS
+  libimcv_la_LIBADD += -ltspi
+endif
+
 if USE_WINDOWS
   libimcv_la_LIBADD += -lws2_32
 endif
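Review bot: Adding `-ltspi` to `libimcv_la_LIBADD` makes the TSS library a load-time dependency of every program and plugin that links libimcv, not only the attestation code. The next hunk has the same scope problem: it adds the `pts/`, `swid/` and `tcg/` sources to `libimcv_la_SOURCES` unconditionally, while only the plugin `SUBDIRS` entries in the last hunk are gated on `USE_IMC_ATTESTATION` / `USE_IMV_ATTESTATION` and the SWID conditionals. A build with those plugins disabled would therefore still ship the PTS and SWID parsing code, and with `USE_TROUSERS` set it would still load libtspi. If that is not intended, move the new entries into a `libimcv_la_SOURCES += …` block under a conditional that is true when an attestation or SWID plugin is enabled; no such combined conditional is visible in this diff, so it would have to be added in configure.ac. If the merge into one library is deliberate, a comment above `if USE_TROUSERS` saying which sources need libtspi would help the next reader.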
@@ -54,7 +59,62 @@ libimcv_la_SOURCES = \
 	os_info/os_info.h os_info/os_info.c \
 	pa_tnc/pa_tnc_attr.h \
 	pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
-	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c
+	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c \
+	pts/pts.h pts/pts.c \
+	pts/pts_error.h pts/pts_error.c \
+	pts/pts_pcr.h pts/pts_pcr.c \
+	pts/pts_proto_caps.h \
+	pts/pts_req_func_comp_evid.h \
+	pts/pts_simple_evid_final.h \
+	pts/pts_creds.h pts/pts_creds.c \
+	pts/pts_database.h pts/pts_database.c \
+	pts/pts_dh_group.h pts/pts_dh_group.c \
+	pts/pts_file_meas.h pts/pts_file_meas.c \
+	pts/pts_file_meta.h pts/pts_file_meta.c \
+	pts/pts_file_type.h pts/pts_file_type.c \
+	pts/pts_ima_bios_list.h pts/pts_ima_bios_list.c \
+	pts/pts_ima_event_list.h pts/pts_ima_event_list.c \
+	pts/pts_meas_algo.h pts/pts_meas_algo.c \
+	pts/components/pts_component.h \
+	pts/components/pts_component_manager.h pts/components/pts_component_manager.c \
+	pts/components/pts_comp_evidence.h pts/components/pts_comp_evidence.c \
+	pts/components/pts_comp_func_name.h pts/components/pts_comp_func_name.c \
+	pts/components/ita/ita_comp_func_name.h pts/components/ita/ita_comp_func_name.c \
+	pts/components/ita/ita_comp_ima.h pts/components/ita/ita_comp_ima.c \
+	pts/components/ita/ita_comp_tboot.h pts/components/ita/ita_comp_tboot.c \
+	pts/components/ita/ita_comp_tgrub.h pts/components/ita/ita_comp_tgrub.c \
+	pts/components/tcg/tcg_comp_func_name.h pts/components/tcg/tcg_comp_func_name.c \
+	seg/seg_contract.h seg/seg_contract.c \
+	seg/seg_contract_manager.h seg/seg_contract_manager.c \
+	seg/seg_env.h seg/seg_env.c \
+	swid/swid_error.h swid/swid_error.c \
+	swid/swid_inventory.h swid/swid_inventory.c \
+	swid/swid_tag.h swid/swid_tag.c \
+	swid/swid_tag_id.h swid/swid_tag_id.c \
+	tcg/tcg_attr.h tcg/tcg_attr.c \
+	tcg/pts/tcg_pts_attr_proto_caps.h tcg/pts/tcg_pts_attr_proto_caps.c \
+	tcg/pts/tcg_pts_attr_dh_nonce_params_req.h tcg/pts/tcg_pts_attr_dh_nonce_params_req.c \
+	tcg/pts/tcg_pts_attr_dh_nonce_params_resp.h tcg/pts/tcg_pts_attr_dh_nonce_params_resp.c \
+	tcg/pts/tcg_pts_attr_dh_nonce_finish.h tcg/pts/tcg_pts_attr_dh_nonce_finish.c \
+	tcg/pts/tcg_pts_attr_meas_algo.h tcg/pts/tcg_pts_attr_meas_algo.c \
+	tcg/pts/tcg_pts_attr_get_tpm_version_info.h tcg/pts/tcg_pts_attr_get_tpm_version_info.c \
+	tcg/pts/tcg_pts_attr_tpm_version_info.h tcg/pts/tcg_pts_attr_tpm_version_info.c \
+	tcg/pts/tcg_pts_attr_get_aik.h tcg/pts/tcg_pts_attr_get_aik.c \
+	tcg/pts/tcg_pts_attr_aik.h tcg/pts/tcg_pts_attr_aik.c \
+	tcg/pts/tcg_pts_attr_req_func_comp_evid.h tcg/pts/tcg_pts_attr_req_func_comp_evid.c \
+	tcg/pts/tcg_pts_attr_gen_attest_evid.h tcg/pts/tcg_pts_attr_gen_attest_evid.c \
+	tcg/pts/tcg_pts_attr_simple_comp_evid.h tcg/pts/tcg_pts_attr_simple_comp_evid.c \
+	tcg/pts/tcg_pts_attr_simple_evid_final.h tcg/pts/tcg_pts_attr_simple_evid_final.c \
+	tcg/pts/tcg_pts_attr_req_file_meas.h tcg/pts/tcg_pts_attr_req_file_meas.c \
+	tcg/pts/tcg_pts_attr_file_meas.h tcg/pts/tcg_pts_attr_file_meas.c \
+	tcg/pts/tcg_pts_attr_req_file_meta.h tcg/pts/tcg_pts_attr_req_file_meta.c \
+	tcg/pts/tcg_pts_attr_unix_file_meta.h tcg/pts/tcg_pts_attr_unix_file_meta.c \
+	tcg/seg/tcg_seg_attr_max_size.h tcg/seg/tcg_seg_attr_max_size.c \
+	tcg/seg/tcg_seg_attr_seg_env.h tcg/seg/tcg_seg_attr_seg_env.c \
+	tcg/seg/tcg_seg_attr_next_seg.h tcg/seg/tcg_seg_attr_next_seg.c \
+	tcg/swid/tcg_swid_attr_req.h tcg/swid/tcg_swid_attr_req.c \
+	tcg/swid/tcg_swid_attr_tag_id_inv.h tcg/swid/tcg_swid_attr_tag_id_inv.c \
+	tcg/swid/tcg_swid_attr_tag_inv.h tcg/swid/tcg_swid_attr_tag_inv.c
 
 ipsec_SCRIPTS = imv/_imv_policy
 EXTRA_DIST = imv/_imv_policy Android.mk
@@ -95,3 +155,45 @@ endif
 if USE_IMV_OS
   SUBDIRS += plugins/imv_os
 endif
+
+if USE_IMC_ATTESTATION
+  SUBDIRS += plugins/imc_attestation
+endif
+
+if USE_IMV_ATTESTATION
+  SUBDIRS += plugins/imv_attestation
+endif
+
+if USE_IMC_SWID
+  SUBDIRS += plugins/imc_swid
+endif
+
+if USE_IMV_SWID
+  SUBDIRS += plugins/imv_swid
+endif
+
+TESTS = imcv_tests
+
+check_PROGRAMS = $(TESTS)
+
+imcv_tests_SOURCES = \
+	ita/ita_attr_command.c \
+	pa_tnc/pa_tnc_attr_manager.c \
+	seg/seg_env.c seg/seg_contract.c \
+	seg/seg_contract_manager.c \
+	suites/test_imcv_seg.c \
+	ietf/ietf_attr_pa_tnc_error.c \
+	tcg/seg/tcg_seg_attr_seg_env.c \
+	imcv.c imcv_tests.h imcv_tests.c
+
+imcv_tests_CFLAGS = \
+	-I$(top_srcdir)/src/libimcv \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	@COVERAGE_CFLAGS@
+
+imcv_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+imcv_tests_LDADD = \
+	$(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
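Review bot: `imcv_tests_SOURCES` recompiles library sources (`imcv.c`, `seg/seg_env.c`, `seg/seg_contract.c`, `pa_tnc/pa_tnc_attr_manager.c` and others) into the test binary while `imcv_tests_LDADD` also links `libimcv.la`, so each of those objects exists twice in the test process. The suite may then exercise the copies built with `imcv_tests_CFLAGS` rather than the objects that are installed, and a passing `make check` says less about the shipped library than it appears to. If the duplication is not needed, reduce the list to `imcv_tests_SOURCES = suites/test_imcv_seg.c imcv_tests.h imcv_tests.c`. If it is deliberate (for instance to get coverage-instrumented objects via `@COVERAGE_CFLAGS@`), say so in a comment above the list. Only the segmentation suite is wired in here, so as far as this hunk shows the PTS, SWID and TCG attribute code added elsewhere in this commit has no unit tests.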
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 4614dd6..239e62a 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -81,14 +81,21 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
- at USE_WINDOWS_TRUE@am__append_1 = -lws2_32
+ at USE_TROUSERS_TRUE@am__append_1 = -ltspi
+ at USE_WINDOWS_TRUE@am__append_2 = -lws2_32
 ipsec_PROGRAMS = imv_policy_manager$(EXEEXT)
- at USE_IMC_TEST_TRUE@am__append_2 = plugins/imc_test
- at USE_IMV_TEST_TRUE@am__append_3 = plugins/imv_test
- at USE_IMC_SCANNER_TRUE@am__append_4 = plugins/imc_scanner
- at USE_IMV_SCANNER_TRUE@am__append_5 = plugins/imv_scanner
- at USE_IMC_OS_TRUE@am__append_6 = plugins/imc_os
- at USE_IMV_OS_TRUE@am__append_7 = plugins/imv_os
+ at USE_IMC_TEST_TRUE@am__append_3 = plugins/imc_test
+ at USE_IMV_TEST_TRUE@am__append_4 = plugins/imv_test
+ at USE_IMC_SCANNER_TRUE@am__append_5 = plugins/imc_scanner
+ at USE_IMV_SCANNER_TRUE@am__append_6 = plugins/imv_scanner
+ at USE_IMC_OS_TRUE@am__append_7 = plugins/imc_os
+ at USE_IMV_OS_TRUE@am__append_8 = plugins/imv_os
+ at USE_IMC_ATTESTATION_TRUE@am__append_9 = plugins/imc_attestation
+ at USE_IMV_ATTESTATION_TRUE@am__append_10 = plugins/imv_attestation
+ at USE_IMC_SWID_TRUE@am__append_11 = plugins/imc_swid
+ at USE_IMV_SWID_TRUE@am__append_12 = plugins/imv_swid
+TESTS = imcv_tests$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
 subdir = src/libimcv
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp $(dist_templates_DATA)
@@ -142,7 +149,8 @@ LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libimcv_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libtncif/libtncif.la $(am__DEPENDENCIES_1)
+	$(top_builddir)/src/libtncif/libtncif.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
 am__dirstamp = $(am__leading_dot)dirstamp
 am_libimcv_la_OBJECTS = imcv.lo imc/imc_agent.lo imc/imc_msg.lo \
 	imc/imc_os_info.lo imv/imv_agent.lo imv/imv_database.lo \
@@ -163,7 +171,42 @@ am_libimcv_la_OBJECTS = imcv.lo imc/imc_agent.lo imc/imc_msg.lo \
 	ita/ita_attr_get_settings.lo ita/ita_attr_settings.lo \
 	ita/ita_attr_angel.lo ita/ita_attr_device_id.lo \
 	os_info/os_info.lo pa_tnc/pa_tnc_msg.lo \
-	pa_tnc/pa_tnc_attr_manager.lo
+	pa_tnc/pa_tnc_attr_manager.lo pts/pts.lo pts/pts_error.lo \
+	pts/pts_pcr.lo pts/pts_creds.lo pts/pts_database.lo \
+	pts/pts_dh_group.lo pts/pts_file_meas.lo pts/pts_file_meta.lo \
+	pts/pts_file_type.lo pts/pts_ima_bios_list.lo \
+	pts/pts_ima_event_list.lo pts/pts_meas_algo.lo \
+	pts/components/pts_component_manager.lo \
+	pts/components/pts_comp_evidence.lo \
+	pts/components/pts_comp_func_name.lo \
+	pts/components/ita/ita_comp_func_name.lo \
+	pts/components/ita/ita_comp_ima.lo \
+	pts/components/ita/ita_comp_tboot.lo \
+	pts/components/ita/ita_comp_tgrub.lo \
+	pts/components/tcg/tcg_comp_func_name.lo seg/seg_contract.lo \
+	seg/seg_contract_manager.lo seg/seg_env.lo swid/swid_error.lo \
+	swid/swid_inventory.lo swid/swid_tag.lo swid/swid_tag_id.lo \
+	tcg/tcg_attr.lo tcg/pts/tcg_pts_attr_proto_caps.lo \
+	tcg/pts/tcg_pts_attr_dh_nonce_params_req.lo \
+	tcg/pts/tcg_pts_attr_dh_nonce_params_resp.lo \
+	tcg/pts/tcg_pts_attr_dh_nonce_finish.lo \
+	tcg/pts/tcg_pts_attr_meas_algo.lo \
+	tcg/pts/tcg_pts_attr_get_tpm_version_info.lo \
+	tcg/pts/tcg_pts_attr_tpm_version_info.lo \
+	tcg/pts/tcg_pts_attr_get_aik.lo tcg/pts/tcg_pts_attr_aik.lo \
+	tcg/pts/tcg_pts_attr_req_func_comp_evid.lo \
+	tcg/pts/tcg_pts_attr_gen_attest_evid.lo \
+	tcg/pts/tcg_pts_attr_simple_comp_evid.lo \
+	tcg/pts/tcg_pts_attr_simple_evid_final.lo \
+	tcg/pts/tcg_pts_attr_req_file_meas.lo \
+	tcg/pts/tcg_pts_attr_file_meas.lo \
+	tcg/pts/tcg_pts_attr_req_file_meta.lo \
+	tcg/pts/tcg_pts_attr_unix_file_meta.lo \
+	tcg/seg/tcg_seg_attr_max_size.lo \
+	tcg/seg/tcg_seg_attr_seg_env.lo \
+	tcg/seg/tcg_seg_attr_next_seg.lo tcg/swid/tcg_swid_attr_req.lo \
+	tcg/swid/tcg_swid_attr_tag_id_inv.lo \
+	tcg/swid/tcg_swid_attr_tag_inv.lo
 libimcv_la_OBJECTS = $(am_libimcv_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
 am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
@@ -172,7 +215,24 @@ am__v_lt_1 =
 libimcv_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libimcv_la_LDFLAGS) $(LDFLAGS) -o $@
+am__EXEEXT_1 = imcv_tests$(EXEEXT)
 PROGRAMS = $(ipsec_PROGRAMS)
+am_imcv_tests_OBJECTS = ita/imcv_tests-ita_attr_command.$(OBJEXT) \
+	pa_tnc/imcv_tests-pa_tnc_attr_manager.$(OBJEXT) \
+	seg/imcv_tests-seg_env.$(OBJEXT) \
+	seg/imcv_tests-seg_contract.$(OBJEXT) \
+	seg/imcv_tests-seg_contract_manager.$(OBJEXT) \
+	suites/imcv_tests-test_imcv_seg.$(OBJEXT) \
+	ietf/imcv_tests-ietf_attr_pa_tnc_error.$(OBJEXT) \
+	tcg/seg/imcv_tests-tcg_seg_attr_seg_env.$(OBJEXT) \
+	imcv_tests-imcv.$(OBJEXT) imcv_tests-imcv_tests.$(OBJEXT)
+imcv_tests_OBJECTS = $(am_imcv_tests_OBJECTS)
+imcv_tests_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
+imcv_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(imcv_tests_CFLAGS) \
+	$(CFLAGS) $(imcv_tests_LDFLAGS) $(LDFLAGS) -o $@
 am_imv_policy_manager_OBJECTS = imv/imv_policy_manager.$(OBJEXT) \
 	imv/imv_policy_manager_usage.$(OBJEXT)
 imv_policy_manager_OBJECTS = $(am_imv_policy_manager_OBJECTS)
@@ -213,8 +273,10 @@ AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(libimcv_la_SOURCES) $(imv_policy_manager_SOURCES)
-DIST_SOURCES = $(libimcv_la_SOURCES) $(imv_policy_manager_SOURCES)
+SOURCES = $(libimcv_la_SOURCES) $(imcv_tests_SOURCES) \
+	$(imv_policy_manager_SOURCES)
+DIST_SOURCES = $(libimcv_la_SOURCES) $(imcv_tests_SOURCES) \
+	$(imv_policy_manager_SOURCES)
 RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
 	ctags-recursive dvi-recursive html-recursive info-recursive \
 	install-data-recursive install-dvi-recursive \
@@ -256,8 +318,32 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
+am__tty_colors_dummy = \
+  mgn= red= grn= lgn= blu= brg= std=; \
+  am__color_tests=no
+am__tty_colors = { \
+  $(am__tty_colors_dummy); \
+  if test "X$(AM_COLOR_TESTS)" = Xno; then \
+    am__color_tests=no; \
+  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+    am__color_tests=yes; \
+  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+    am__color_tests=yes; \
+  fi; \
+  if test $$am__color_tests = yes; then \
+    red=''; \
+    grn=''; \
+    lgn=''; \
+    blu=''; \
+    mgn=''; \
+    brg=''; \
+    std=''; \
+  fi; \
+}
 DIST_SUBDIRS = . plugins/imc_test plugins/imv_test plugins/imc_scanner \
-	plugins/imv_scanner plugins/imc_os plugins/imv_os
+	plugins/imv_scanner plugins/imc_os plugins/imv_os \
+	plugins/imc_attestation plugins/imv_attestation \
+	plugins/imc_swid plugins/imv_swid
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -315,6 +401,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -375,6 +462,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -440,6 +528,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -487,6 +577,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
@@ -498,7 +592,8 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libtncif
+	-I$(top_srcdir)/src/libtncif \
+	-DIPSEC_SCRIPT=\"${ipsec_script}\"
 
 ipseclib_LTLIBRARIES = libimcv.la
 libimcv_la_LDFLAGS = \
@@ -506,7 +601,8 @@ libimcv_la_LDFLAGS = \
 
 libimcv_la_LIBADD =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libtncif/libtncif.la $(am__append_1)
+	$(top_builddir)/src/libtncif/libtncif.la $(am__append_1) \
+	$(am__append_2)
 libimcv_la_SOURCES = \
 	imcv.h imcv.c \
 	imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \
@@ -546,7 +642,62 @@ libimcv_la_SOURCES = \
 	os_info/os_info.h os_info/os_info.c \
 	pa_tnc/pa_tnc_attr.h \
 	pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
-	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c
+	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c \
+	pts/pts.h pts/pts.c \
+	pts/pts_error.h pts/pts_error.c \
+	pts/pts_pcr.h pts/pts_pcr.c \
+	pts/pts_proto_caps.h \
+	pts/pts_req_func_comp_evid.h \
+	pts/pts_simple_evid_final.h \
+	pts/pts_creds.h pts/pts_creds.c \
+	pts/pts_database.h pts/pts_database.c \
+	pts/pts_dh_group.h pts/pts_dh_group.c \
+	pts/pts_file_meas.h pts/pts_file_meas.c \
+	pts/pts_file_meta.h pts/pts_file_meta.c \
+	pts/pts_file_type.h pts/pts_file_type.c \
+	pts/pts_ima_bios_list.h pts/pts_ima_bios_list.c \
+	pts/pts_ima_event_list.h pts/pts_ima_event_list.c \
+	pts/pts_meas_algo.h pts/pts_meas_algo.c \
+	pts/components/pts_component.h \
+	pts/components/pts_component_manager.h pts/components/pts_component_manager.c \
+	pts/components/pts_comp_evidence.h pts/components/pts_comp_evidence.c \
+	pts/components/pts_comp_func_name.h pts/components/pts_comp_func_name.c \
+	pts/components/ita/ita_comp_func_name.h pts/components/ita/ita_comp_func_name.c \
+	pts/components/ita/ita_comp_ima.h pts/components/ita/ita_comp_ima.c \
+	pts/components/ita/ita_comp_tboot.h pts/components/ita/ita_comp_tboot.c \
+	pts/components/ita/ita_comp_tgrub.h pts/components/ita/ita_comp_tgrub.c \
+	pts/components/tcg/tcg_comp_func_name.h pts/components/tcg/tcg_comp_func_name.c \
+	seg/seg_contract.h seg/seg_contract.c \
+	seg/seg_contract_manager.h seg/seg_contract_manager.c \
+	seg/seg_env.h seg/seg_env.c \
+	swid/swid_error.h swid/swid_error.c \
+	swid/swid_inventory.h swid/swid_inventory.c \
+	swid/swid_tag.h swid/swid_tag.c \
+	swid/swid_tag_id.h swid/swid_tag_id.c \
+	tcg/tcg_attr.h tcg/tcg_attr.c \
+	tcg/pts/tcg_pts_attr_proto_caps.h tcg/pts/tcg_pts_attr_proto_caps.c \
+	tcg/pts/tcg_pts_attr_dh_nonce_params_req.h tcg/pts/tcg_pts_attr_dh_nonce_params_req.c \
+	tcg/pts/tcg_pts_attr_dh_nonce_params_resp.h tcg/pts/tcg_pts_attr_dh_nonce_params_resp.c \
+	tcg/pts/tcg_pts_attr_dh_nonce_finish.h tcg/pts/tcg_pts_attr_dh_nonce_finish.c \
+	tcg/pts/tcg_pts_attr_meas_algo.h tcg/pts/tcg_pts_attr_meas_algo.c \
+	tcg/pts/tcg_pts_attr_get_tpm_version_info.h tcg/pts/tcg_pts_attr_get_tpm_version_info.c \
+	tcg/pts/tcg_pts_attr_tpm_version_info.h tcg/pts/tcg_pts_attr_tpm_version_info.c \
+	tcg/pts/tcg_pts_attr_get_aik.h tcg/pts/tcg_pts_attr_get_aik.c \
+	tcg/pts/tcg_pts_attr_aik.h tcg/pts/tcg_pts_attr_aik.c \
+	tcg/pts/tcg_pts_attr_req_func_comp_evid.h tcg/pts/tcg_pts_attr_req_func_comp_evid.c \
+	tcg/pts/tcg_pts_attr_gen_attest_evid.h tcg/pts/tcg_pts_attr_gen_attest_evid.c \
+	tcg/pts/tcg_pts_attr_simple_comp_evid.h tcg/pts/tcg_pts_attr_simple_comp_evid.c \
+	tcg/pts/tcg_pts_attr_simple_evid_final.h tcg/pts/tcg_pts_attr_simple_evid_final.c \
+	tcg/pts/tcg_pts_attr_req_file_meas.h tcg/pts/tcg_pts_attr_req_file_meas.c \
+	tcg/pts/tcg_pts_attr_file_meas.h tcg/pts/tcg_pts_attr_file_meas.c \
+	tcg/pts/tcg_pts_attr_req_file_meta.h tcg/pts/tcg_pts_attr_req_file_meta.c \
+	tcg/pts/tcg_pts_attr_unix_file_meta.h tcg/pts/tcg_pts_attr_unix_file_meta.c \
+	tcg/seg/tcg_seg_attr_max_size.h tcg/seg/tcg_seg_attr_max_size.c \
+	tcg/seg/tcg_seg_attr_seg_env.h tcg/seg/tcg_seg_attr_seg_env.c \
+	tcg/seg/tcg_seg_attr_next_seg.h tcg/seg/tcg_seg_attr_next_seg.c \
+	tcg/swid/tcg_swid_attr_req.h tcg/swid/tcg_swid_attr_req.c \
+	tcg/swid/tcg_swid_attr_tag_id_inv.h tcg/swid/tcg_swid_attr_tag_id_inv.c \
+	tcg/swid/tcg_swid_attr_tag_inv.h tcg/swid/tcg_swid_attr_tag_inv.c
 
 ipsec_SCRIPTS = imv/_imv_policy
 EXTRA_DIST = imv/_imv_policy Android.mk
@@ -560,8 +711,32 @@ imv_policy_manager_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
 #imv/imv_policy_manager.o :	$(top_builddir)/config.status
-SUBDIRS = . $(am__append_2) $(am__append_3) $(am__append_4) \
-	$(am__append_5) $(am__append_6) $(am__append_7)
+SUBDIRS = . $(am__append_3) $(am__append_4) $(am__append_5) \
+	$(am__append_6) $(am__append_7) $(am__append_8) \
+	$(am__append_9) $(am__append_10) $(am__append_11) \
+	$(am__append_12)
+imcv_tests_SOURCES = \
+	ita/ita_attr_command.c \
+	pa_tnc/pa_tnc_attr_manager.c \
+	seg/seg_env.c seg/seg_contract.c \
+	seg/seg_contract_manager.c \
+	suites/test_imcv_seg.c \
+	ietf/ietf_attr_pa_tnc_error.c \
+	tcg/seg/tcg_seg_attr_seg_env.c \
+	imcv.c imcv_tests.h imcv_tests.c
+
+imcv_tests_CFLAGS = \
+	-I$(top_srcdir)/src/libimcv \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libstrongswan/tests \
+	@COVERAGE_CFLAGS@
+
+imcv_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+imcv_tests_LDADD = \
+	$(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libstrongswan/tests/libtest.la
+
 all: all-recursive
 
 .SUFFIXES:
@@ -728,9 +903,176 @@ pa_tnc/pa_tnc_msg.lo: pa_tnc/$(am__dirstamp) \
 	pa_tnc/$(DEPDIR)/$(am__dirstamp)
 pa_tnc/pa_tnc_attr_manager.lo: pa_tnc/$(am__dirstamp) \
 	pa_tnc/$(DEPDIR)/$(am__dirstamp)
+pts/$(am__dirstamp):
+	@$(MKDIR_P) pts
+	@: > pts/$(am__dirstamp)
+pts/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) pts/$(DEPDIR)
+	@: > pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts.lo: pts/$(am__dirstamp) pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts_error.lo: pts/$(am__dirstamp) pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts_pcr.lo: pts/$(am__dirstamp) pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts_creds.lo: pts/$(am__dirstamp) pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts_database.lo: pts/$(am__dirstamp) pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts_dh_group.lo: pts/$(am__dirstamp) pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts_file_meas.lo: pts/$(am__dirstamp) \
+	pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts_file_meta.lo: pts/$(am__dirstamp) \
+	pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts_file_type.lo: pts/$(am__dirstamp) \
+	pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts_ima_bios_list.lo: pts/$(am__dirstamp) \
+	pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts_ima_event_list.lo: pts/$(am__dirstamp) \
+	pts/$(DEPDIR)/$(am__dirstamp)
+pts/pts_meas_algo.lo: pts/$(am__dirstamp) \
+	pts/$(DEPDIR)/$(am__dirstamp)
+pts/components/$(am__dirstamp):
+	@$(MKDIR_P) pts/components
+	@: > pts/components/$(am__dirstamp)
+pts/components/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) pts/components/$(DEPDIR)
+	@: > pts/components/$(DEPDIR)/$(am__dirstamp)
+pts/components/pts_component_manager.lo:  \
+	pts/components/$(am__dirstamp) \
+	pts/components/$(DEPDIR)/$(am__dirstamp)
+pts/components/pts_comp_evidence.lo: pts/components/$(am__dirstamp) \
+	pts/components/$(DEPDIR)/$(am__dirstamp)
+pts/components/pts_comp_func_name.lo: pts/components/$(am__dirstamp) \
+	pts/components/$(DEPDIR)/$(am__dirstamp)
+pts/components/ita/$(am__dirstamp):
+	@$(MKDIR_P) pts/components/ita
+	@: > pts/components/ita/$(am__dirstamp)
+pts/components/ita/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) pts/components/ita/$(DEPDIR)
+	@: > pts/components/ita/$(DEPDIR)/$(am__dirstamp)
+pts/components/ita/ita_comp_func_name.lo:  \
+	pts/components/ita/$(am__dirstamp) \
+	pts/components/ita/$(DEPDIR)/$(am__dirstamp)
+pts/components/ita/ita_comp_ima.lo:  \
+	pts/components/ita/$(am__dirstamp) \
+	pts/components/ita/$(DEPDIR)/$(am__dirstamp)
+pts/components/ita/ita_comp_tboot.lo:  \
+	pts/components/ita/$(am__dirstamp) \
+	pts/components/ita/$(DEPDIR)/$(am__dirstamp)
+pts/components/ita/ita_comp_tgrub.lo:  \
+	pts/components/ita/$(am__dirstamp) \
+	pts/components/ita/$(DEPDIR)/$(am__dirstamp)
+pts/components/tcg/$(am__dirstamp):
+	@$(MKDIR_P) pts/components/tcg
+	@: > pts/components/tcg/$(am__dirstamp)
+pts/components/tcg/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) pts/components/tcg/$(DEPDIR)
+	@: > pts/components/tcg/$(DEPDIR)/$(am__dirstamp)
+pts/components/tcg/tcg_comp_func_name.lo:  \
+	pts/components/tcg/$(am__dirstamp) \
+	pts/components/tcg/$(DEPDIR)/$(am__dirstamp)
+seg/$(am__dirstamp):
+	@$(MKDIR_P) seg
+	@: > seg/$(am__dirstamp)
+seg/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) seg/$(DEPDIR)
+	@: > seg/$(DEPDIR)/$(am__dirstamp)
+seg/seg_contract.lo: seg/$(am__dirstamp) seg/$(DEPDIR)/$(am__dirstamp)
+seg/seg_contract_manager.lo: seg/$(am__dirstamp) \
+	seg/$(DEPDIR)/$(am__dirstamp)
+seg/seg_env.lo: seg/$(am__dirstamp) seg/$(DEPDIR)/$(am__dirstamp)
+swid/$(am__dirstamp):
+	@$(MKDIR_P) swid
+	@: > swid/$(am__dirstamp)
+swid/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) swid/$(DEPDIR)
+	@: > swid/$(DEPDIR)/$(am__dirstamp)
+swid/swid_error.lo: swid/$(am__dirstamp) \
+	swid/$(DEPDIR)/$(am__dirstamp)
+swid/swid_inventory.lo: swid/$(am__dirstamp) \
+	swid/$(DEPDIR)/$(am__dirstamp)
+swid/swid_tag.lo: swid/$(am__dirstamp) swid/$(DEPDIR)/$(am__dirstamp)
+swid/swid_tag_id.lo: swid/$(am__dirstamp) \
+	swid/$(DEPDIR)/$(am__dirstamp)
+tcg/$(am__dirstamp):
+	@$(MKDIR_P) tcg
+	@: > tcg/$(am__dirstamp)
+tcg/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) tcg/$(DEPDIR)
+	@: > tcg/$(DEPDIR)/$(am__dirstamp)
+tcg/tcg_attr.lo: tcg/$(am__dirstamp) tcg/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/$(am__dirstamp):
+	@$(MKDIR_P) tcg/pts
+	@: > tcg/pts/$(am__dirstamp)
+tcg/pts/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) tcg/pts/$(DEPDIR)
+	@: > tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_proto_caps.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_dh_nonce_params_req.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_dh_nonce_params_resp.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_dh_nonce_finish.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_meas_algo.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_get_tpm_version_info.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_tpm_version_info.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_get_aik.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_aik.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_req_func_comp_evid.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_gen_attest_evid.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_simple_comp_evid.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_simple_evid_final.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_req_file_meas.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_file_meas.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_req_file_meta.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/pts/tcg_pts_attr_unix_file_meta.lo: tcg/pts/$(am__dirstamp) \
+	tcg/pts/$(DEPDIR)/$(am__dirstamp)
+tcg/seg/$(am__dirstamp):
+	@$(MKDIR_P) tcg/seg
+	@: > tcg/seg/$(am__dirstamp)
+tcg/seg/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) tcg/seg/$(DEPDIR)
+	@: > tcg/seg/$(DEPDIR)/$(am__dirstamp)
+tcg/seg/tcg_seg_attr_max_size.lo: tcg/seg/$(am__dirstamp) \
+	tcg/seg/$(DEPDIR)/$(am__dirstamp)
+tcg/seg/tcg_seg_attr_seg_env.lo: tcg/seg/$(am__dirstamp) \
+	tcg/seg/$(DEPDIR)/$(am__dirstamp)
+tcg/seg/tcg_seg_attr_next_seg.lo: tcg/seg/$(am__dirstamp) \
+	tcg/seg/$(DEPDIR)/$(am__dirstamp)
+tcg/swid/$(am__dirstamp):
+	@$(MKDIR_P) tcg/swid
+	@: > tcg/swid/$(am__dirstamp)
+tcg/swid/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) tcg/swid/$(DEPDIR)
+	@: > tcg/swid/$(DEPDIR)/$(am__dirstamp)
+tcg/swid/tcg_swid_attr_req.lo: tcg/swid/$(am__dirstamp) \
+	tcg/swid/$(DEPDIR)/$(am__dirstamp)
+tcg/swid/tcg_swid_attr_tag_id_inv.lo: tcg/swid/$(am__dirstamp) \
+	tcg/swid/$(DEPDIR)/$(am__dirstamp)
+tcg/swid/tcg_swid_attr_tag_inv.lo: tcg/swid/$(am__dirstamp) \
+	tcg/swid/$(DEPDIR)/$(am__dirstamp)
 
 libimcv.la: $(libimcv_la_OBJECTS) $(libimcv_la_DEPENDENCIES) $(EXTRA_libimcv_la_DEPENDENCIES) 
 	$(AM_V_CCLD)$(libimcv_la_LINK) -rpath $(ipseclibdir) $(libimcv_la_OBJECTS) $(libimcv_la_LIBADD) $(LIBS)
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
@@ -780,6 +1122,32 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
+ita/imcv_tests-ita_attr_command.$(OBJEXT): ita/$(am__dirstamp) \
+	ita/$(DEPDIR)/$(am__dirstamp)
+pa_tnc/imcv_tests-pa_tnc_attr_manager.$(OBJEXT):  \
+	pa_tnc/$(am__dirstamp) pa_tnc/$(DEPDIR)/$(am__dirstamp)
+seg/imcv_tests-seg_env.$(OBJEXT): seg/$(am__dirstamp) \
+	seg/$(DEPDIR)/$(am__dirstamp)
+seg/imcv_tests-seg_contract.$(OBJEXT): seg/$(am__dirstamp) \
+	seg/$(DEPDIR)/$(am__dirstamp)
+seg/imcv_tests-seg_contract_manager.$(OBJEXT): seg/$(am__dirstamp) \
+	seg/$(DEPDIR)/$(am__dirstamp)
+suites/$(am__dirstamp):
+	@$(MKDIR_P) suites
+	@: > suites/$(am__dirstamp)
+suites/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) suites/$(DEPDIR)
+	@: > suites/$(DEPDIR)/$(am__dirstamp)
+suites/imcv_tests-test_imcv_seg.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
+ietf/imcv_tests-ietf_attr_pa_tnc_error.$(OBJEXT):  \
+	ietf/$(am__dirstamp) ietf/$(DEPDIR)/$(am__dirstamp)
+tcg/seg/imcv_tests-tcg_seg_attr_seg_env.$(OBJEXT):  \
+	tcg/seg/$(am__dirstamp) tcg/seg/$(DEPDIR)/$(am__dirstamp)
+
+imcv_tests$(EXEEXT): $(imcv_tests_OBJECTS) $(imcv_tests_DEPENDENCIES) $(EXTRA_imcv_tests_DEPENDENCIES) 
+	@rm -f imcv_tests$(EXEEXT)
+	$(AM_V_CCLD)$(imcv_tests_LINK) $(imcv_tests_OBJECTS) $(imcv_tests_LDADD) $(LIBS)
 imv/imv_policy_manager.$(OBJEXT): imv/$(am__dirstamp) \
 	imv/$(DEPDIR)/$(am__dirstamp)
 imv/imv_policy_manager_usage.$(OBJEXT): imv/$(am__dirstamp) \
@@ -838,11 +1206,34 @@ mostlyclean-compile:
 	-rm -f os_info/*.lo
 	-rm -f pa_tnc/*.$(OBJEXT)
 	-rm -f pa_tnc/*.lo
+	-rm -f pts/*.$(OBJEXT)
+	-rm -f pts/*.lo
+	-rm -f pts/components/*.$(OBJEXT)
+	-rm -f pts/components/*.lo
+	-rm -f pts/components/ita/*.$(OBJEXT)
+	-rm -f pts/components/ita/*.lo
+	-rm -f pts/components/tcg/*.$(OBJEXT)
+	-rm -f pts/components/tcg/*.lo
+	-rm -f seg/*.$(OBJEXT)
+	-rm -f seg/*.lo
+	-rm -f suites/*.$(OBJEXT)
+	-rm -f swid/*.$(OBJEXT)
+	-rm -f swid/*.lo
+	-rm -f tcg/*.$(OBJEXT)
+	-rm -f tcg/*.lo
+	-rm -f tcg/pts/*.$(OBJEXT)
+	-rm -f tcg/pts/*.lo
+	-rm -f tcg/seg/*.$(OBJEXT)
+	-rm -f tcg/seg/*.lo
+	-rm -f tcg/swid/*.$(OBJEXT)
+	-rm -f tcg/swid/*.lo
 
 distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/imcv.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/imcv_tests-imcv.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/imcv_tests-imcv_tests.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ietf/$(DEPDIR)/ietf_attr.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ietf/$(DEPDIR)/ietf_attr_assess_result.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ietf/$(DEPDIR)/ietf_attr_attr_request.Plo at am__quote@
@@ -856,6 +1247,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at ietf/$(DEPDIR)/ietf_attr_product_info.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ietf/$(DEPDIR)/ietf_attr_remediation_instr.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ietf/$(DEPDIR)/ietf_attr_string_version.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ietf/$(DEPDIR)/imcv_tests-ietf_attr_pa_tnc_error.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at imc/$(DEPDIR)/imc_agent.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at imc/$(DEPDIR)/imc_msg.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at imc/$(DEPDIR)/imc_os_info.Plo at am__quote@
@@ -871,6 +1263,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at imv/$(DEPDIR)/imv_session.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at imv/$(DEPDIR)/imv_session_manager.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at imv/$(DEPDIR)/imv_workitem.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ita/$(DEPDIR)/imcv_tests-ita_attr_command.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ita/$(DEPDIR)/ita_attr.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ita/$(DEPDIR)/ita_attr_angel.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ita/$(DEPDIR)/ita_attr_command.Plo at am__quote@
@@ -879,8 +1272,65 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at ita/$(DEPDIR)/ita_attr_get_settings.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ita/$(DEPDIR)/ita_attr_settings.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at os_info/$(DEPDIR)/os_info.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pa_tnc/$(DEPDIR)/imcv_tests-pa_tnc_attr_manager.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at pa_tnc/$(DEPDIR)/pa_tnc_attr_manager.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at pa_tnc/$(DEPDIR)/pa_tnc_msg.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts_creds.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts_database.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts_dh_group.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts_error.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts_file_meas.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts_file_meta.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts_file_type.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts_ima_bios_list.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts_ima_event_list.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts_meas_algo.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/$(DEPDIR)/pts_pcr.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/components/$(DEPDIR)/pts_comp_evidence.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/components/$(DEPDIR)/pts_comp_func_name.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/components/$(DEPDIR)/pts_component_manager.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/components/ita/$(DEPDIR)/ita_comp_func_name.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/components/ita/$(DEPDIR)/ita_comp_ima.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/components/ita/$(DEPDIR)/ita_comp_tboot.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/components/ita/$(DEPDIR)/ita_comp_tgrub.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at pts/components/tcg/$(DEPDIR)/tcg_comp_func_name.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at seg/$(DEPDIR)/imcv_tests-seg_contract.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at seg/$(DEPDIR)/imcv_tests-seg_contract_manager.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at seg/$(DEPDIR)/imcv_tests-seg_env.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at seg/$(DEPDIR)/seg_contract.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at seg/$(DEPDIR)/seg_contract_manager.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at seg/$(DEPDIR)/seg_env.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/imcv_tests-test_imcv_seg.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at swid/$(DEPDIR)/swid_error.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at swid/$(DEPDIR)/swid_inventory.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at swid/$(DEPDIR)/swid_tag.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at swid/$(DEPDIR)/swid_tag_id.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/$(DEPDIR)/tcg_attr.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_aik.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_file_meas.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_gen_attest_evid.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_get_aik.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_meas_algo.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_proto_caps.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_req_file_meas.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_req_file_meta.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_simple_comp_evid.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_simple_evid_final.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_tpm_version_info.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/pts/$(DEPDIR)/tcg_pts_attr_unix_file_meta.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/seg/$(DEPDIR)/imcv_tests-tcg_seg_attr_seg_env.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/seg/$(DEPDIR)/tcg_seg_attr_max_size.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/seg/$(DEPDIR)/tcg_seg_attr_next_seg.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/seg/$(DEPDIR)/tcg_seg_attr_seg_env.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/swid/$(DEPDIR)/tcg_swid_attr_req.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/swid/$(DEPDIR)/tcg_swid_attr_tag_id_inv.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at tcg/swid/$(DEPDIR)/tcg_swid_attr_tag_inv.Plo at am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -906,6 +1356,146 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
+ita/imcv_tests-ita_attr_command.o: ita/ita_attr_command.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT ita/imcv_tests-ita_attr_command.o -MD -MP -MF ita/$(DEPDIR)/imcv_tests-ita_attr_command.Tpo -c -o ita/imcv_tests-ita_attr_command.o `test -f 'ita/ita_attr_command.c' || echo '$(srcdir)/'`ita/ita_attr_command.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) ita/$(DEPDIR)/imcv_tests-ita_attr_command.Tpo ita/$(DEPDIR)/imcv_tests-ita_attr_command.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_command.c' object='ita/imcv_tests-ita_attr_command.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o ita/imcv_tests-ita_attr_command.o `test -f 'ita/ita_attr_command.c' || echo '$(srcdir)/'`ita/ita_attr_command.c
+
+ita/imcv_tests-ita_attr_command.obj: ita/ita_attr_command.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT ita/imcv_tests-ita_attr_command.obj -MD -MP -MF ita/$(DEPDIR)/imcv_tests-ita_attr_command.Tpo -c -o ita/imcv_tests-ita_attr_command.obj `if test -f 'ita/ita_attr_command.c'; then $(CYGPATH_W) 'ita/ita_attr_command.c'; else $(CYGPATH_W) '$(srcdir)/ita/ita_attr_command.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) ita/$(DEPDIR)/imcv_tests-ita_attr_command.Tpo ita/$(DEPDIR)/imcv_tests-ita_attr_command.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_command.c' object='ita/imcv_tests-ita_attr_command.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o ita/imcv_tests-ita_attr_command.obj `if test -f 'ita/ita_attr_command.c'; then $(CYGPATH_W) 'ita/ita_attr_command.c'; else $(CYGPATH_W) '$(srcdir)/ita/ita_attr_command.c'; fi`
+
+pa_tnc/imcv_tests-pa_tnc_attr_manager.o: pa_tnc/pa_tnc_attr_manager.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT pa_tnc/imcv_tests-pa_tnc_attr_manager.o -MD -MP -MF pa_tnc/$(DEPDIR)/imcv_tests-pa_tnc_attr_manager.Tpo -c -o pa_tnc/imcv_tests-pa_tnc_attr_manager.o `test -f 'pa_tnc/pa_tnc_attr_manager.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_attr_manager.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) pa_tnc/$(DEPDIR)/imcv_tests-pa_tnc_attr_manager.Tpo pa_tnc/$(DEPDIR)/imcv_tests-pa_tnc_attr_manager.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pa_tnc/pa_tnc_attr_manager.c' object='pa_tnc/imcv_tests-pa_tnc_attr_manager.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o pa_tnc/imcv_tests-pa_tnc_attr_manager.o `test -f 'pa_tnc/pa_tnc_attr_manager.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_attr_manager.c
+
+pa_tnc/imcv_tests-pa_tnc_attr_manager.obj: pa_tnc/pa_tnc_attr_manager.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT pa_tnc/imcv_tests-pa_tnc_attr_manager.obj -MD -MP -MF pa_tnc/$(DEPDIR)/imcv_tests-pa_tnc_attr_manager.Tpo -c -o pa_tnc/imcv_tests-pa_tnc_attr_manager.obj `if test -f 'pa_tnc/pa_tnc_attr_manager.c'; then $(CYGPATH_W) 'pa_tnc/pa_tnc_attr_manager.c'; else $(CYGPATH_W) '$(srcdir)/pa_tnc/pa_tnc_attr_manager.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) pa_tnc/$(DEPDIR)/imcv_tests-pa_tnc_attr_manager.Tpo pa_tnc/$(DEPDIR)/imcv_tests-pa_tnc_attr_manager.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pa_tnc/pa_tnc_attr_manager.c' object='pa_tnc/imcv_tests-pa_tnc_attr_manager.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o pa_tnc/imcv_tests-pa_tnc_attr_manager.obj `if test -f 'pa_tnc/pa_tnc_attr_manager.c'; then $(CYGPATH_W) 'pa_tnc/pa_tnc_attr_manager.c'; else $(CYGPATH_W) '$(srcdir)/pa_tnc/pa_tnc_attr_manager.c'; fi`
+
+seg/imcv_tests-seg_env.o: seg/seg_env.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT seg/imcv_tests-seg_env.o -MD -MP -MF seg/$(DEPDIR)/imcv_tests-seg_env.Tpo -c -o seg/imcv_tests-seg_env.o `test -f 'seg/seg_env.c' || echo '$(srcdir)/'`seg/seg_env.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) seg/$(DEPDIR)/imcv_tests-seg_env.Tpo seg/$(DEPDIR)/imcv_tests-seg_env.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='seg/seg_env.c' object='seg/imcv_tests-seg_env.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o seg/imcv_tests-seg_env.o `test -f 'seg/seg_env.c' || echo '$(srcdir)/'`seg/seg_env.c
+
+seg/imcv_tests-seg_env.obj: seg/seg_env.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT seg/imcv_tests-seg_env.obj -MD -MP -MF seg/$(DEPDIR)/imcv_tests-seg_env.Tpo -c -o seg/imcv_tests-seg_env.obj `if test -f 'seg/seg_env.c'; then $(CYGPATH_W) 'seg/seg_env.c'; else $(CYGPATH_W) '$(srcdir)/seg/seg_env.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) seg/$(DEPDIR)/imcv_tests-seg_env.Tpo seg/$(DEPDIR)/imcv_tests-seg_env.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='seg/seg_env.c' object='seg/imcv_tests-seg_env.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o seg/imcv_tests-seg_env.obj `if test -f 'seg/seg_env.c'; then $(CYGPATH_W) 'seg/seg_env.c'; else $(CYGPATH_W) '$(srcdir)/seg/seg_env.c'; fi`
+
+seg/imcv_tests-seg_contract.o: seg/seg_contract.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT seg/imcv_tests-seg_contract.o -MD -MP -MF seg/$(DEPDIR)/imcv_tests-seg_contract.Tpo -c -o seg/imcv_tests-seg_contract.o `test -f 'seg/seg_contract.c' || echo '$(srcdir)/'`seg/seg_contract.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) seg/$(DEPDIR)/imcv_tests-seg_contract.Tpo seg/$(DEPDIR)/imcv_tests-seg_contract.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='seg/seg_contract.c' object='seg/imcv_tests-seg_contract.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o seg/imcv_tests-seg_contract.o `test -f 'seg/seg_contract.c' || echo '$(srcdir)/'`seg/seg_contract.c
+
+seg/imcv_tests-seg_contract.obj: seg/seg_contract.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT seg/imcv_tests-seg_contract.obj -MD -MP -MF seg/$(DEPDIR)/imcv_tests-seg_contract.Tpo -c -o seg/imcv_tests-seg_contract.obj `if test -f 'seg/seg_contract.c'; then $(CYGPATH_W) 'seg/seg_contract.c'; else $(CYGPATH_W) '$(srcdir)/seg/seg_contract.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) seg/$(DEPDIR)/imcv_tests-seg_contract.Tpo seg/$(DEPDIR)/imcv_tests-seg_contract.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='seg/seg_contract.c' object='seg/imcv_tests-seg_contract.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o seg/imcv_tests-seg_contract.obj `if test -f 'seg/seg_contract.c'; then $(CYGPATH_W) 'seg/seg_contract.c'; else $(CYGPATH_W) '$(srcdir)/seg/seg_contract.c'; fi`
+
+seg/imcv_tests-seg_contract_manager.o: seg/seg_contract_manager.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT seg/imcv_tests-seg_contract_manager.o -MD -MP -MF seg/$(DEPDIR)/imcv_tests-seg_contract_manager.Tpo -c -o seg/imcv_tests-seg_contract_manager.o `test -f 'seg/seg_contract_manager.c' || echo '$(srcdir)/'`seg/seg_contract_manager.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) seg/$(DEPDIR)/imcv_tests-seg_contract_manager.Tpo seg/$(DEPDIR)/imcv_tests-seg_contract_manager.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='seg/seg_contract_manager.c' object='seg/imcv_tests-seg_contract_manager.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o seg/imcv_tests-seg_contract_manager.o `test -f 'seg/seg_contract_manager.c' || echo '$(srcdir)/'`seg/seg_contract_manager.c
+
+seg/imcv_tests-seg_contract_manager.obj: seg/seg_contract_manager.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT seg/imcv_tests-seg_contract_manager.obj -MD -MP -MF seg/$(DEPDIR)/imcv_tests-seg_contract_manager.Tpo -c -o seg/imcv_tests-seg_contract_manager.obj `if test -f 'seg/seg_contract_manager.c'; then $(CYGPATH_W) 'seg/seg_contract_manager.c'; else $(CYGPATH_W) '$(srcdir)/seg/seg_contract_manager.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) seg/$(DEPDIR)/imcv_tests-seg_contract_manager.Tpo seg/$(DEPDIR)/imcv_tests-seg_contract_manager.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='seg/seg_contract_manager.c' object='seg/imcv_tests-seg_contract_manager.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o seg/imcv_tests-seg_contract_manager.obj `if test -f 'seg/seg_contract_manager.c'; then $(CYGPATH_W) 'seg/seg_contract_manager.c'; else $(CYGPATH_W) '$(srcdir)/seg/seg_contract_manager.c'; fi`
+
+suites/imcv_tests-test_imcv_seg.o: suites/test_imcv_seg.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT suites/imcv_tests-test_imcv_seg.o -MD -MP -MF suites/$(DEPDIR)/imcv_tests-test_imcv_seg.Tpo -c -o suites/imcv_tests-test_imcv_seg.o `test -f 'suites/test_imcv_seg.c' || echo '$(srcdir)/'`suites/test_imcv_seg.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/imcv_tests-test_imcv_seg.Tpo suites/$(DEPDIR)/imcv_tests-test_imcv_seg.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_imcv_seg.c' object='suites/imcv_tests-test_imcv_seg.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o suites/imcv_tests-test_imcv_seg.o `test -f 'suites/test_imcv_seg.c' || echo '$(srcdir)/'`suites/test_imcv_seg.c
+
+suites/imcv_tests-test_imcv_seg.obj: suites/test_imcv_seg.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT suites/imcv_tests-test_imcv_seg.obj -MD -MP -MF suites/$(DEPDIR)/imcv_tests-test_imcv_seg.Tpo -c -o suites/imcv_tests-test_imcv_seg.obj `if test -f 'suites/test_imcv_seg.c'; then $(CYGPATH_W) 'suites/test_imcv_seg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_imcv_seg.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/imcv_tests-test_imcv_seg.Tpo suites/$(DEPDIR)/imcv_tests-test_imcv_seg.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_imcv_seg.c' object='suites/imcv_tests-test_imcv_seg.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o suites/imcv_tests-test_imcv_seg.obj `if test -f 'suites/test_imcv_seg.c'; then $(CYGPATH_W) 'suites/test_imcv_seg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_imcv_seg.c'; fi`
+
+ietf/imcv_tests-ietf_attr_pa_tnc_error.o: ietf/ietf_attr_pa_tnc_error.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT ietf/imcv_tests-ietf_attr_pa_tnc_error.o -MD -MP -MF ietf/$(DEPDIR)/imcv_tests-ietf_attr_pa_tnc_error.Tpo -c -o ietf/imcv_tests-ietf_attr_pa_tnc_error.o `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) ietf/$(DEPDIR)/imcv_tests-ietf_attr_pa_tnc_error.Tpo ietf/$(DEPDIR)/imcv_tests-ietf_attr_pa_tnc_error.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_pa_tnc_error.c' object='ietf/imcv_tests-ietf_attr_pa_tnc_error.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o ietf/imcv_tests-ietf_attr_pa_tnc_error.o `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
+
+ietf/imcv_tests-ietf_attr_pa_tnc_error.obj: ietf/ietf_attr_pa_tnc_error.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT ietf/imcv_tests-ietf_attr_pa_tnc_error.obj -MD -MP -MF ietf/$(DEPDIR)/imcv_tests-ietf_attr_pa_tnc_error.Tpo -c -o ietf/imcv_tests-ietf_attr_pa_tnc_error.obj `if test -f 'ietf/ietf_attr_pa_tnc_error.c'; then $(CYGPATH_W) 'ietf/ietf_attr_pa_tnc_error.c'; else $(CYGPATH_W) '$(srcdir)/ietf/ietf_attr_pa_tnc_error.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) ietf/$(DEPDIR)/imcv_tests-ietf_attr_pa_tnc_error.Tpo ietf/$(DEPDIR)/imcv_tests-ietf_attr_pa_tnc_error.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_pa_tnc_error.c' object='ietf/imcv_tests-ietf_attr_pa_tnc_error.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o ietf/imcv_tests-ietf_attr_pa_tnc_error.obj `if test -f 'ietf/ietf_attr_pa_tnc_error.c'; then $(CYGPATH_W) 'ietf/ietf_attr_pa_tnc_error.c'; else $(CYGPATH_W) '$(srcdir)/ietf/ietf_attr_pa_tnc_error.c'; fi`
+
+tcg/seg/imcv_tests-tcg_seg_attr_seg_env.o: tcg/seg/tcg_seg_attr_seg_env.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT tcg/seg/imcv_tests-tcg_seg_attr_seg_env.o -MD -MP -MF tcg/seg/$(DEPDIR)/imcv_tests-tcg_seg_attr_seg_env.Tpo -c -o tcg/seg/imcv_tests-tcg_seg_attr_seg_env.o `test -f 'tcg/seg/tcg_seg_attr_seg_env.c' || echo '$(srcdir)/'`tcg/seg/tcg_seg_attr_seg_env.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) tcg/seg/$(DEPDIR)/imcv_tests-tcg_seg_attr_seg_env.Tpo tcg/seg/$(DEPDIR)/imcv_tests-tcg_seg_attr_seg_env.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/seg/tcg_seg_attr_seg_env.c' object='tcg/seg/imcv_tests-tcg_seg_attr_seg_env.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o tcg/seg/imcv_tests-tcg_seg_attr_seg_env.o `test -f 'tcg/seg/tcg_seg_attr_seg_env.c' || echo '$(srcdir)/'`tcg/seg/tcg_seg_attr_seg_env.c
+
+tcg/seg/imcv_tests-tcg_seg_attr_seg_env.obj: tcg/seg/tcg_seg_attr_seg_env.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT tcg/seg/imcv_tests-tcg_seg_attr_seg_env.obj -MD -MP -MF tcg/seg/$(DEPDIR)/imcv_tests-tcg_seg_attr_seg_env.Tpo -c -o tcg/seg/imcv_tests-tcg_seg_attr_seg_env.obj `if test -f 'tcg/seg/tcg_seg_attr_seg_env.c'; then $(CYGPATH_W) 'tcg/seg/tcg_seg_attr_seg_env.c'; else $(CYGPATH_W) '$(srcdir)/tcg/seg/tcg_seg_attr_seg_env.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) tcg/seg/$(DEPDIR)/imcv_tests-tcg_seg_attr_seg_env.Tpo tcg/seg/$(DEPDIR)/imcv_tests-tcg_seg_attr_seg_env.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/seg/tcg_seg_attr_seg_env.c' object='tcg/seg/imcv_tests-tcg_seg_attr_seg_env.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o tcg/seg/imcv_tests-tcg_seg_attr_seg_env.obj `if test -f 'tcg/seg/tcg_seg_attr_seg_env.c'; then $(CYGPATH_W) 'tcg/seg/tcg_seg_attr_seg_env.c'; else $(CYGPATH_W) '$(srcdir)/tcg/seg/tcg_seg_attr_seg_env.c'; fi`
+
+imcv_tests-imcv.o: imcv.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT imcv_tests-imcv.o -MD -MP -MF $(DEPDIR)/imcv_tests-imcv.Tpo -c -o imcv_tests-imcv.o `test -f 'imcv.c' || echo '$(srcdir)/'`imcv.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imcv_tests-imcv.Tpo $(DEPDIR)/imcv_tests-imcv.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imcv.c' object='imcv_tests-imcv.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o imcv_tests-imcv.o `test -f 'imcv.c' || echo '$(srcdir)/'`imcv.c
+
+imcv_tests-imcv.obj: imcv.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT imcv_tests-imcv.obj -MD -MP -MF $(DEPDIR)/imcv_tests-imcv.Tpo -c -o imcv_tests-imcv.obj `if test -f 'imcv.c'; then $(CYGPATH_W) 'imcv.c'; else $(CYGPATH_W) '$(srcdir)/imcv.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imcv_tests-imcv.Tpo $(DEPDIR)/imcv_tests-imcv.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imcv.c' object='imcv_tests-imcv.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o imcv_tests-imcv.obj `if test -f 'imcv.c'; then $(CYGPATH_W) 'imcv.c'; else $(CYGPATH_W) '$(srcdir)/imcv.c'; fi`
+
+imcv_tests-imcv_tests.o: imcv_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT imcv_tests-imcv_tests.o -MD -MP -MF $(DEPDIR)/imcv_tests-imcv_tests.Tpo -c -o imcv_tests-imcv_tests.o `test -f 'imcv_tests.c' || echo '$(srcdir)/'`imcv_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imcv_tests-imcv_tests.Tpo $(DEPDIR)/imcv_tests-imcv_tests.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imcv_tests.c' object='imcv_tests-imcv_tests.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o imcv_tests-imcv_tests.o `test -f 'imcv_tests.c' || echo '$(srcdir)/'`imcv_tests.c
+
+imcv_tests-imcv_tests.obj: imcv_tests.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -MT imcv_tests-imcv_tests.obj -MD -MP -MF $(DEPDIR)/imcv_tests-imcv_tests.Tpo -c -o imcv_tests-imcv_tests.obj `if test -f 'imcv_tests.c'; then $(CYGPATH_W) 'imcv_tests.c'; else $(CYGPATH_W) '$(srcdir)/imcv_tests.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imcv_tests-imcv_tests.Tpo $(DEPDIR)/imcv_tests-imcv_tests.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imcv_tests.c' object='imcv_tests-imcv_tests.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(imcv_tests_CFLAGS) $(CFLAGS) -c -o imcv_tests-imcv_tests.obj `if test -f 'imcv_tests.c'; then $(CYGPATH_W) 'imcv_tests.c'; else $(CYGPATH_W) '$(srcdir)/imcv_tests.c'; fi`
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -917,6 +1507,16 @@ clean-libtool:
 	-rm -rf ita/.libs ita/_libs
 	-rm -rf os_info/.libs os_info/_libs
 	-rm -rf pa_tnc/.libs pa_tnc/_libs
+	-rm -rf pts/.libs pts/_libs
+	-rm -rf pts/components/.libs pts/components/_libs
+	-rm -rf pts/components/ita/.libs pts/components/ita/_libs
+	-rm -rf pts/components/tcg/.libs pts/components/tcg/_libs
+	-rm -rf seg/.libs seg/_libs
+	-rm -rf swid/.libs swid/_libs
+	-rm -rf tcg/.libs tcg/_libs
+	-rm -rf tcg/pts/.libs tcg/pts/_libs
+	-rm -rf tcg/seg/.libs tcg/seg/_libs
+	-rm -rf tcg/swid/.libs tcg/swid/_libs
 install-dist_templatesDATA: $(dist_templates_DATA)
 	@$(NORMAL_INSTALL)
 	@list='$(dist_templates_DATA)'; test -n "$(templatesdir)" || list=; \
@@ -1038,6 +1638,99 @@ cscopelist-am: $(am__tagged_files)
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
 distdir: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -1094,6 +1787,8 @@ distdir: $(DISTFILES)
 	  fi; \
 	done
 check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
 check: check-recursive
 all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) $(DATA)
 installdirs: installdirs-recursive
@@ -1139,17 +1834,39 @@ distclean-generic:
 	-rm -f os_info/$(am__dirstamp)
 	-rm -f pa_tnc/$(DEPDIR)/$(am__dirstamp)
 	-rm -f pa_tnc/$(am__dirstamp)
+	-rm -f pts/$(DEPDIR)/$(am__dirstamp)
+	-rm -f pts/$(am__dirstamp)
+	-rm -f pts/components/$(DEPDIR)/$(am__dirstamp)
+	-rm -f pts/components/$(am__dirstamp)
+	-rm -f pts/components/ita/$(DEPDIR)/$(am__dirstamp)
+	-rm -f pts/components/ita/$(am__dirstamp)
+	-rm -f pts/components/tcg/$(DEPDIR)/$(am__dirstamp)
+	-rm -f pts/components/tcg/$(am__dirstamp)
+	-rm -f seg/$(DEPDIR)/$(am__dirstamp)
+	-rm -f seg/$(am__dirstamp)
+	-rm -f suites/$(DEPDIR)/$(am__dirstamp)
+	-rm -f suites/$(am__dirstamp)
+	-rm -f swid/$(DEPDIR)/$(am__dirstamp)
+	-rm -f swid/$(am__dirstamp)
+	-rm -f tcg/$(DEPDIR)/$(am__dirstamp)
+	-rm -f tcg/$(am__dirstamp)
+	-rm -f tcg/pts/$(DEPDIR)/$(am__dirstamp)
+	-rm -f tcg/pts/$(am__dirstamp)
+	-rm -f tcg/seg/$(DEPDIR)/$(am__dirstamp)
+	-rm -f tcg/seg/$(am__dirstamp)
+	-rm -f tcg/swid/$(DEPDIR)/$(am__dirstamp)
+	-rm -f tcg/swid/$(am__dirstamp)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-recursive
 
-clean-am: clean-generic clean-ipsecPROGRAMS clean-ipseclibLTLIBRARIES \
-	clean-libtool mostlyclean-am
+clean-am: clean-checkPROGRAMS clean-generic clean-ipsecPROGRAMS \
+	clean-ipseclibLTLIBRARIES clean-libtool mostlyclean-am
 
 distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR) ietf/$(DEPDIR) imc/$(DEPDIR) imv/$(DEPDIR) ita/$(DEPDIR) os_info/$(DEPDIR) pa_tnc/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) ietf/$(DEPDIR) imc/$(DEPDIR) imv/$(DEPDIR) ita/$(DEPDIR) os_info/$(DEPDIR) pa_tnc/$(DEPDIR) pts/$(DEPDIR) pts/components/$(DEPDIR) pts/components/ita/$(DEPDIR) pts/components/tcg/$(DEPDIR) seg/$(DEPDIR) suites/$(DEPDIR) swid/$(DEPDIR) tcg/$(DEPDIR) tcg/pts/$(DEPDIR) tcg/seg/$(DEPDIR) tcg/swid/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -1196,7 +1913,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR) ietf/$(DEPDIR) imc/$(DEPDIR) imv/$(DEPDIR) ita/$(DEPDIR) os_info/$(DEPDIR) pa_tnc/$(DEPDIR)
+	-rm -rf ./$(DEPDIR) ietf/$(DEPDIR) imc/$(DEPDIR) imv/$(DEPDIR) ita/$(DEPDIR) os_info/$(DEPDIR) pa_tnc/$(DEPDIR) pts/$(DEPDIR) pts/components/$(DEPDIR) pts/components/ita/$(DEPDIR) pts/components/tcg/$(DEPDIR) seg/$(DEPDIR) suites/$(DEPDIR) swid/$(DEPDIR) tcg/$(DEPDIR) tcg/pts/$(DEPDIR) tcg/seg/$(DEPDIR) tcg/swid/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
@@ -1216,17 +1933,17 @@ ps-am:
 uninstall-am: uninstall-dist_templatesDATA uninstall-ipsecPROGRAMS \
 	uninstall-ipsecSCRIPTS uninstall-ipseclibLTLIBRARIES
 
-.MAKE: $(am__recursive_targets) install-am install-strip
+.MAKE: $(am__recursive_targets) check-am install-am install-strip
 
 .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
-	check-am clean clean-generic clean-ipsecPROGRAMS \
-	clean-ipseclibLTLIBRARIES clean-libtool cscopelist-am ctags \
-	ctags-am distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dist_templatesDATA install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am \
+	check-TESTS check-am clean clean-checkPROGRAMS clean-generic \
+	clean-ipsecPROGRAMS clean-ipseclibLTLIBRARIES clean-libtool \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dist_templatesDATA \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-html install-html-am install-info install-info-am \
 	install-ipsecPROGRAMS install-ipsecSCRIPTS \
 	install-ipseclibLTLIBRARIES install-man install-pdf \
 	install-pdf-am install-ps install-ps-am install-strip \
diff --git a/src/libimcv/ietf/ietf_attr.c b/src/libimcv/ietf/ietf_attr.c
index 2f38198..67269af 100644
--- a/src/libimcv/ietf/ietf_attr.c
+++ b/src/libimcv/ietf/ietf_attr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -47,34 +47,35 @@ ENUM(ietf_attr_names, IETF_ATTR_TESTING, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED,
 /**
  * See header
  */
-pa_tnc_attr_t* ietf_attr_create_from_data(u_int32_t type, chunk_t value)
+pa_tnc_attr_t* ietf_attr_create_from_data(u_int32_t type, size_t length,
+										  chunk_t value)
 {
 	switch (type)
 	{
 		case IETF_ATTR_ATTRIBUTE_REQUEST:
-			return ietf_attr_attr_request_create_from_data(value);
+			return ietf_attr_attr_request_create_from_data(length, value);
 		case IETF_ATTR_PRODUCT_INFORMATION:
-			return ietf_attr_product_info_create_from_data(value);
+			return ietf_attr_product_info_create_from_data(length, value);
 		case IETF_ATTR_NUMERIC_VERSION:
-			return ietf_attr_numeric_version_create_from_data(value);
+			return ietf_attr_numeric_version_create_from_data(length, value);
 		case IETF_ATTR_STRING_VERSION:
-			return ietf_attr_string_version_create_from_data(value);
+			return ietf_attr_string_version_create_from_data(length, value);
 		case IETF_ATTR_OPERATIONAL_STATUS:
-			return ietf_attr_op_status_create_from_data(value);
+			return ietf_attr_op_status_create_from_data(length, value);
 		case IETF_ATTR_PORT_FILTER:
-			return ietf_attr_port_filter_create_from_data(value);
+			return ietf_attr_port_filter_create_from_data(length, value);
 		case IETF_ATTR_INSTALLED_PACKAGES:
-			return ietf_attr_installed_packages_create_from_data(value);
+			return ietf_attr_installed_packages_create_from_data(length, value);
 		case IETF_ATTR_PA_TNC_ERROR:
-			return ietf_attr_pa_tnc_error_create_from_data(value);
+			return ietf_attr_pa_tnc_error_create_from_data(length, value);
 		case IETF_ATTR_ASSESSMENT_RESULT:
-			return ietf_attr_assess_result_create_from_data(value);
+			return ietf_attr_assess_result_create_from_data(length, value);
 		case IETF_ATTR_REMEDIATION_INSTRUCTIONS:
-			return ietf_attr_remediation_instr_create_from_data(value);
+			return ietf_attr_remediation_instr_create_from_data(length, value);
 		case IETF_ATTR_FORWARDING_ENABLED:
-			return ietf_attr_fwd_enabled_create_from_data(value);
+			return ietf_attr_fwd_enabled_create_from_data(length, value);
 		case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
-			return ietf_attr_default_pwd_enabled_create_from_data(value);
+			return ietf_attr_default_pwd_enabled_create_from_data(length, value);
 		case IETF_ATTR_TESTING:
 		case IETF_ATTR_RESERVED:
 		default:
diff --git a/src/libimcv/ietf/ietf_attr.h b/src/libimcv/ietf/ietf_attr.h
index d22175d..169ed78 100644
--- a/src/libimcv/ietf/ietf_attr.h
+++ b/src/libimcv/ietf/ietf_attr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -56,8 +56,10 @@ extern enum_name_t *ietf_attr_names;
  * Create an IETF PA-TNC attribute from data
  *
  * @param type				attribute type
- * @param value				attribute value
+ * @param length			attribute length
+ * @param value				attribute value or segment
  */
-pa_tnc_attr_t* ietf_attr_create_from_data(u_int32_t type, chunk_t value);
+pa_tnc_attr_t* ietf_attr_create_from_data(u_int32_t type, size_t length,
+										  chunk_t value);
 
 #endif /** IETF_ATTR_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_assess_result.c b/src/libimcv/ietf/ietf_attr_assess_result.c
index 55226e3..1cffdca 100644
--- a/src/libimcv/ietf/ietf_attr_assess_result.c
+++ b/src/libimcv/ietf/ietf_attr_assess_result.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -50,7 +50,12 @@ struct private_ietf_attr_assess_result_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Attribute value or segment
 	 */
 	chunk_t value;
 
@@ -107,6 +112,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(ASSESS_RESULT_SIZE);
 	writer->write_uint32(writer, this->result);
 	this->value = writer->extract_buf(writer);
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
@@ -115,10 +121,15 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	bio_reader_t *reader;
 
+	*offset = 0;
+
+	if (this->value.len < this->length)
+	{
+		return NEED_MORE;
+	}
 	if (this->value.len < ASSESS_RESULT_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for IETF assessment result");
-		*offset = 0;
 		return FAILED;
 	}
 	reader = bio_reader_create(this->value);
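Review bot: The new `NEED_MORE` return in `process` comes before any sanity check of the declared length, so for this fixed-size attribute a `length` that can never be valid is only rejected once that many bytes have been collected. Testing the declared length first, `if (this->length < ASSESS_RESULT_SIZE)` with the existing DBG1 message and `return FAILED;`, ahead of the `this->value.len < this->length` test would fail early. The same ordering appears in the `process` hunks of ietf_attr_default_pwd_enabled.c, ietf_attr_fwd_enabled.c and ietf_attr_numeric_version.c. The METHOD line and the rest of the body lie outside this hunk, and `length` is presumably taken from the received attribute header; whether the caller bounds reassembly elsewhere is not visible here.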
@@ -128,6 +139,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	return SUCCESS;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_assess_result_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("mc", this->value, segment);
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_assess_result_t *this)
 {
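Review bot: `add_segment` appends every segment without comparing the result with `this->length`, so the accumulated value can exceed the declared attribute length, and `process` in this file only rejects values that are too short. Since the method returns void, the natural place for the check is `process`: `if (this->value.len > this->length) return FAILED;`, assuming the chunk passed to `create_from_data` is never longer than `length`, which this hunk does not show. The identical `add_segment` is added in ietf_attr_attr_request.c, ietf_attr_default_pwd_enabled.c, ietf_attr_fwd_enabled.c and ietf_attr_numeric_version.c. A short comment that the `"mc"` mode of `chunk_cat` releases the previous buffer would also help readers.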
@@ -167,6 +184,7 @@ pa_tnc_attr_t *ietf_attr_assess_result_create(u_int32_t result)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -183,7 +201,8 @@ pa_tnc_attr_t *ietf_attr_assess_result_create(u_int32_t result)
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_assess_result_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_assess_result_create_from_data(size_t length,
+														chunk_t data)
 {
 	private_ietf_attr_assess_result_t *this;
 
@@ -196,12 +215,14 @@ pa_tnc_attr_t *ietf_attr_assess_result_create_from_data(chunk_t data)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
 			.get_result = _get_result,
 		},
 		.type = { PEN_IETF, IETF_ATTR_ASSESSMENT_RESULT },
+		.length = length,
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libimcv/ietf/ietf_attr_assess_result.h b/src/libimcv/ietf/ietf_attr_assess_result.h
index e94b57b..b1a5166 100644
--- a/src/libimcv/ietf/ietf_attr_assess_result.h
+++ b/src/libimcv/ietf/ietf_attr_assess_result.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -56,8 +56,10 @@ pa_tnc_attr_t* ietf_attr_assess_result_create(u_int32_t result);
 /**
  * Creates an ietf_attr_assess_result_t object from received data
  *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_assess_result_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_assess_result_create_from_data(size_t length,
+														chunk_t value);
 
 #endif /** IETF_ATTR_ASSESS_RESULT_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.c b/src/libimcv/ietf/ietf_attr_attr_request.c
index 3b4fd26..3862a0a 100644
--- a/src/libimcv/ietf/ietf_attr_attr_request.c
+++ b/src/libimcv/ietf/ietf_attr_attr_request.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -59,7 +59,12 @@ struct private_ietf_attr_attr_request_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Attribute value or segment
 	 */
 	chunk_t value;
 
@@ -126,6 +131,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	enumerator->destroy(enumerator);
 
 	this->value = writer->extract_buf(writer);
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
@@ -150,11 +156,17 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	u_int8_t reserved;
 	int count;
 
+	*offset = 0;
+
+	if (this->value.len < this->length)
+	{
+		return NEED_MORE;
+	}
+
 	count = this->value.len / ATTR_REQUEST_ENTRY_SIZE;
 	if (this->value.len != ATTR_REQUEST_ENTRY_SIZE * count)
 	{
 		DBG1(DBG_TNC, "incorrect attribute length for IETF attribute request");
-		*offset = 0;
 		return FAILED;
 	}
 
@@ -184,6 +196,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	return SUCCESS;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_attr_request_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("mc", this->value, segment);
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_attr_request_t *this)
 {
@@ -224,6 +242,7 @@ pa_tnc_attr_t *ietf_attr_attr_request_create(pen_t vendor_id, u_int32_t type)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -246,7 +265,8 @@ pa_tnc_attr_t *ietf_attr_attr_request_create(pen_t vendor_id, u_int32_t type)
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_attr_request_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_attr_request_create_from_data(size_t length,
+													   chunk_t data)
 {
 	private_ietf_attr_attr_request_t *this;
 
@@ -259,6 +279,7 @@ pa_tnc_attr_t *ietf_attr_attr_request_create_from_data(chunk_t data)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -266,6 +287,7 @@ pa_tnc_attr_t *ietf_attr_attr_request_create_from_data(chunk_t data)
 			.create_enumerator = _create_enumerator,
 		},
 		.type = { PEN_IETF, IETF_ATTR_ATTRIBUTE_REQUEST },
+		.length = length,
 		.value = chunk_clone(data),
 		.list = linked_list_create(),
 		.ref = 1,
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.h b/src/libimcv/ietf/ietf_attr_attr_request.h
index fc9e086..47b0386 100644
--- a/src/libimcv/ietf/ietf_attr_attr_request.h
+++ b/src/libimcv/ietf/ietf_attr_attr_request.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -62,10 +62,10 @@ struct ietf_attr_attr_request_t {
 pa_tnc_attr_t* ietf_attr_attr_request_create(pen_t vendor_id, u_int32_t type);
 
 /**
- * Creates an ietf_attr_attr_request_t object from received data
- *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_attr_request_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_attr_request_create_from_data(size_t length,
+													   chunk_t value);
 
 #endif /** IETF_ATTR_ATTR_REQUEST_H_ @}*/
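Review bot: The rewritten doc comment loses its summary line: the block now starts directly with `@param length`, while the sibling headers in this commit keep their "Creates an ... object from received data" sentence. Restore ` * Creates an ietf_attr_attr_request_t object from received data` followed by the blank ` *` line above the two `@param` entries.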
diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
index 2c6b3d5..ee5864d 100644
--- a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
+++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -50,7 +50,12 @@ struct private_ietf_attr_default_pwd_enabled_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Attribute value or segment
 	 */
 	chunk_t value;
 
@@ -107,6 +112,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint32(writer, this->status);
 
 	this->value = writer->extract_buf(writer);
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
@@ -118,6 +124,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
 
 	*offset = 0;
 
+	if (this->value.len < this->length)
+	{
+		return NEED_MORE;
+	}
 	if (this->value.len != DEFAULT_PWD_ENABLED_SIZE)
 	{
 		DBG1(DBG_TNC, "incorrect size for IETF factory default password "
@@ -139,6 +149,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	return SUCCESS;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_default_pwd_enabled_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("mc", this->value, segment);
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_default_pwd_enabled_t *this)
 {
@@ -178,6 +194,7 @@ pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create(bool status)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -194,7 +211,8 @@ pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create(bool status)
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create_from_data(size_t length,
+															  chunk_t data)
 {
 	private_ietf_attr_default_pwd_enabled_t *this;
 
@@ -207,12 +225,14 @@ pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create_from_data(chunk_t data)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
 			.get_status = _get_status,
 		},
 		.type = { PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED },
+		.length = length,
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
index 6fe1a02..3999590 100644
--- a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
+++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
@@ -56,8 +56,10 @@ pa_tnc_attr_t* ietf_attr_default_pwd_enabled_create(bool status);
 /**
  * Creates an ietf_attr_default_pwd_enabled_t object from received data
  *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_default_pwd_enabled_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_default_pwd_enabled_create_from_data(size_t length,
+															  chunk_t value);
 
 #endif /** IETF_ATTR_PWD_ENABLED_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.c b/src/libimcv/ietf/ietf_attr_fwd_enabled.c
index a906b22..c00a5ef 100644
--- a/src/libimcv/ietf/ietf_attr_fwd_enabled.c
+++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -50,7 +50,12 @@ struct private_ietf_attr_fwd_enabled_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Attribute value or segment
 	 */
 	chunk_t value;
 
@@ -107,6 +112,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint32(writer, this->fwd_status);
 
 	this->value = writer->extract_buf(writer);
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
@@ -118,6 +124,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
 
 	*offset = 0;
 
+	if (this->value.len < this->length)
+	{
+		return NEED_MORE;
+	}
 	if (this->value.len != FORWARDING_ENABLED_SIZE)
 	{
 		DBG1(DBG_TNC, "incorrect size for IETF forwarding enabled attribute");
@@ -138,6 +148,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	return SUCCESS;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_fwd_enabled_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("mc", this->value, segment);
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_fwd_enabled_t *this)
 {
@@ -177,6 +193,7 @@ pa_tnc_attr_t *ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -193,7 +210,8 @@ pa_tnc_attr_t *ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status)
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_fwd_enabled_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_fwd_enabled_create_from_data(size_t length,
+													  chunk_t data)
 {
 	private_ietf_attr_fwd_enabled_t *this;
 
@@ -206,12 +224,14 @@ pa_tnc_attr_t *ietf_attr_fwd_enabled_create_from_data(chunk_t data)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
 			.get_status = _get_status,
 		},
 		.type = { PEN_IETF, IETF_ATTR_FORWARDING_ENABLED },
+		.length = length,
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.h b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
index 4171438..c4b6c15 100644
--- a/src/libimcv/ietf/ietf_attr_fwd_enabled.h
+++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-14 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -57,8 +57,10 @@ pa_tnc_attr_t* ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status);
 /**
  * Creates an ietf_attr_fwd_enabled_t object from received data
  *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_fwd_enabled_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_fwd_enabled_create_from_data(size_t length,
+													  chunk_t value);
 
 #endif /** IETF_ATTR_FWD_ENABLED_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.c b/src/libimcv/ietf/ietf_attr_installed_packages.c
index f33f643..39eea55 100644
--- a/src/libimcv/ietf/ietf_attr_installed_packages.c
+++ b/src/libimcv/ietf/ietf_attr_installed_packages.c
@@ -57,16 +57,36 @@ struct private_ietf_attr_installed_packages_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Offset up to which attribute value has been processed
+	 */
+	size_t offset;
+
+	/**
+	 * Current position of attribute value pointer
 	 */
 	chunk_t value;
 
 	/**
+	 * Contains complete attribute or current segment
+	 */
+	chunk_t segment;
+
+	/**
 	 * Noskip flag
 	 */
 	bool noskip_flag;
 
 	/**
+	 * Number of Installed Packages in attribute
+	 */
+	uint16_t count;
+
+	/**
 	 * List of Installed Package entries
 	 */
 	linked_list_t *packages;
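Review bot: The comment on the new `count` field says "Number of Installed Packages in attribute", but `process` in this file decrements it for each parsed entry and the header documents `get_count` as the number still missing. Suggest `Number of Installed Packages still to be parsed` so the field and accessor documentation agree. The field is also declared `uint16_t` while `process` in the same file uses `u_int16_t`; picking one spelling would keep the file consistent.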
@@ -143,6 +163,8 @@ METHOD(pa_tnc_attr_t, build, void,
 	enumerator->destroy(enumerator);
 
 	this->value = writer->extract_buf(writer);
+	this->segment = this->value;
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
@@ -151,72 +173,91 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	bio_reader_t *reader;
 	package_entry_t *entry;
-	status_t status = FAILED;
+	status_t status = NEED_MORE;
 	chunk_t name, version;
-	u_int16_t reserved, count;
+	u_int16_t reserved;
 	u_char *pos;
 
-	*offset = 0;
-
-	if (this->value.len < IETF_INSTALLED_PACKAGES_MIN_SIZE)
-	{
-		DBG1(DBG_TNC, "insufficient data for IETF installed packages");
-		return FAILED;
+	if (this->offset == 0)
+	{	
+		if (this->length < IETF_INSTALLED_PACKAGES_MIN_SIZE)
+		{
+			DBG1(DBG_TNC, "insufficient data for %N/%N", pen_names, PEN_IETF,
+						   ietf_attr_names, this->type.type);
+			*offset = this->offset;
+			return FAILED;
+		}
+		if (this->value.len < IETF_INSTALLED_PACKAGES_MIN_SIZE)
+		{
+			return NEED_MORE;
+		}
+		reader = bio_reader_create(this->value);
+		reader->read_uint16(reader, &reserved);
+		reader->read_uint16(reader, &this->count);
+		this->offset = IETF_INSTALLED_PACKAGES_MIN_SIZE;
+		this->value = reader->peek(reader);
+		reader->destroy(reader);
 	}
+
 	reader = bio_reader_create(this->value);
-	reader->read_uint16(reader, &reserved);
-	reader->read_uint16(reader, &count);
-	*offset = IETF_INSTALLED_PACKAGES_MIN_SIZE;
 
-	while (reader->remaining(reader))
+	while (this->count)
 	{
-		if (!reader->read_data8(reader, &name))
+		if (!reader->read_data8(reader, &name) ||
+			!reader->read_data8(reader, &version))
 		{
-			DBG1(DBG_TNC, "insufficient data for IETF installed package name");
 			goto end;
 		}
 		pos = memchr(name.ptr, '\0', name.len);
 		if (pos)
 		{
 			DBG1(DBG_TNC, "nul termination in IETF installed package name");
-			*offset += 1 + (pos - name.ptr);
-			goto end;
-		}
-		*offset += 1 + name.len;
-
-		if (!reader->read_data8(reader, &version))
-		{
-			DBG1(DBG_TNC, "insufficient data for IETF installed package version");
+			*offset = this->offset + 1 + (pos - name.ptr);
+			status = FAILED;
 			goto end;
 		}
 		pos = memchr(version.ptr, '\0', version.len);
 		if (pos)
 		{
 			DBG1(DBG_TNC, "nul termination in IETF installed package version");
-			*offset += 1 + (pos - version.ptr);
+			*offset = this->offset + 1 + name.len + 1 + (pos - version.ptr);
+			status = FAILED;
 			goto end;
 		}
-		*offset += 1 + version.len;
+		this->offset += this->value.len - reader->remaining(reader);
+		this->value = reader->peek(reader);
 
 		entry = malloc_thing(package_entry_t);
 		entry->name = chunk_clone(name);
 		entry->version = chunk_clone(version);
 		this->packages->insert_last(this->packages, entry);
+
+		/* at least one tag ID was processed */
+		status = SUCCESS;
+		this->count--;
 	}
 
-	if (count != this->packages->get_count(this->packages))
+	if (this->length != this->offset)
 	{
-		DBG1(DBG_TNC, "IETF installed package count unequal to "
-					  "number of included packages");
-		goto end;
+		DBG1(DBG_TNC, "inconsistent length for %N/%N", pen_names, PEN_IETF,
+					   ietf_attr_names, this->type.type);
+		*offset = this->offset;
+		status = FAILED;
 	}
-	status = SUCCESS;
 
 end:
 	reader->destroy(reader);
 	return status;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_installed_packages_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("cc", this->value, segment);
+	chunk_free(&this->segment);
+	this->segment = this->value;
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_installed_packages_t *this)
 {
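Review bot: An attribute with a package count of zero never reports `SUCCESS`: `status` starts as `NEED_MORE`, is set to `SUCCESS` only inside the `while (this->count)` loop, and the final check changes it only when the lengths differ. Setting it after the loop, `if (this->length == this->offset) { status = SUCCESS; }` with the existing inconsistent-length branch as the `else`, covers the empty list. The comment `/* at least one tag ID was processed */` should read `/* at least one package was processed */`. A failed `read_data8` also jumps to `end` past the length check, so a complete, unsegmented attribute whose count exceeds its entries is no longer rejected here as the removed count comparison did; whether the caller checks `get_count` instead is not visible in this hunk. The METHOD line of `process` is outside the hunk.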
@@ -230,7 +271,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
 	if (ref_put(&this->ref))
 	{
 		this->packages->destroy_function(this->packages, (void*)free_package_entry);
-		free(this->value.ptr);
+		free(this->segment.ptr);
 		free(this);
 	}
 }
@@ -269,6 +310,23 @@ METHOD(ietf_attr_installed_packages_t, create_enumerator, enumerator_t*,
 						(void*)package_filter, NULL, NULL);
 }
 
+METHOD(ietf_attr_installed_packages_t, get_count, uint16_t,
+	private_ietf_attr_installed_packages_t *this)
+{
+	return this->count;
+}
+
+METHOD(ietf_attr_installed_packages_t, clear_packages, void,
+	private_ietf_attr_installed_packages_t *this)
+{
+	package_entry_t *entry;
+
+	while (this->packages->remove_first(this->packages,(void**)&entry) == SUCCESS)
+	{
+		free_package_entry(entry);
+	}
+}
+
 /**
  * Described in header.
  */
@@ -285,11 +343,14 @@ pa_tnc_attr_t *ietf_attr_installed_packages_create(void)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
 			.add = _add,
 			.create_enumerator = _create_enumerator,
+			.get_count = _get_count,
+			.clear_packages = _clear_packages,
 		},
 		.type = { PEN_IETF, IETF_ATTR_INSTALLED_PACKAGES },
 		.packages = linked_list_create(),
@@ -300,9 +361,11 @@ pa_tnc_attr_t *ietf_attr_installed_packages_create(void)
 }
 
 /**
- * Described in header.
+ * Described in header.		.length = length,
+
  */
-pa_tnc_attr_t *ietf_attr_installed_packages_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_installed_packages_create_from_data(size_t length,
+															 chunk_t data)
 {
 	private_ietf_attr_installed_packages_t *this;
 
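Review bot: The doc comment above `ietf_attr_installed_packages_create_from_data` picked up a stray initializer: it now reads `Described in header.		.length = length,` followed by an empty line inside the comment. It should be reduced back to ` * Described in header.`; the real `.length = length,` initializer is added in the following hunk. The function body continues outside this hunk.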
@@ -315,18 +378,25 @@ pa_tnc_attr_t *ietf_attr_installed_packages_create_from_data(chunk_t data)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
 			.add = _add,
 			.create_enumerator = _create_enumerator,
+			.get_count = _get_count,
+			.clear_packages = _clear_packages,
 		},
 		.type = {PEN_IETF, IETF_ATTR_INSTALLED_PACKAGES },
-		.value = chunk_clone(data),
+		.length = length,
+		.segment = chunk_clone(data),
 		.packages = linked_list_create(),
 		.ref = 1,
 	);
 
+	/* received either complete attribute value or first segment */
+	this->value = this->segment;
+
 	return &this->public.pa_tnc_attribute;
 }
 
diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.h b/src/libimcv/ietf/ietf_attr_installed_packages.h
index e19d0f4..9f7b7cb 100644
--- a/src/libimcv/ietf/ietf_attr_installed_packages.h
+++ b/src/libimcv/ietf/ietf_attr_installed_packages.h
@@ -56,6 +56,18 @@ struct ietf_attr_installed_packages_t {
 	 */
 	enumerator_t* (*create_enumerator)(ietf_attr_installed_packages_t *this);
 
+	/**
+	 * Number of Installed Packages still missing
+	 *
+	 * @return				Number of missing installed packages
+	 */
+	uint16_t (*get_count)(ietf_attr_installed_packages_t *this);
+
+	/**
+	 * Remove all Installed Packages from list
+	 */
+	void (*clear_packages)(ietf_attr_installed_packages_t *this);
+
 };
 
 /**
@@ -67,8 +79,10 @@ pa_tnc_attr_t* ietf_attr_installed_packages_create(void);
 /**
  * Creates an ietf_attr_installed_packages_t object from received data
  *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_installed_packages_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_installed_packages_create_from_data(size_t length,
+															 chunk_t value);
 
 #endif /** IETF_ATTR_INSTALLED_PACKAGES_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.c b/src/libimcv/ietf/ietf_attr_numeric_version.c
index 7392564..c8fd6c1 100644
--- a/src/libimcv/ietf/ietf_attr_numeric_version.c
+++ b/src/libimcv/ietf/ietf_attr_numeric_version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -56,7 +56,12 @@ struct private_ietf_attr_numeric_version_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Attribute value or segment
 	 */
 	chunk_t value;
 
@@ -138,6 +143,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint16(writer, this->service_pack_minor);
 
 	this->value = writer->extract_buf(writer);
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
@@ -146,10 +152,15 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	bio_reader_t *reader;
 
+	*offset = 0;
+
+	if (this->value.len < this->length)
+	{
+		return NEED_MORE;
+	}
 	if (this->value.len < NUMERIC_VERSION_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for IETF numeric version");
-		*offset = 0;
 		return FAILED;
 	}
 	reader = bio_reader_create(this->value);
@@ -163,6 +174,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	return SUCCESS;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_numeric_version_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("mc", this->value, segment);
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_numeric_version_t *this)
 {
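Review bot: add_segment appends whatever it is handed, and the new guard in process only tests `this->value.len < this->length`, so nothing in this file rejects reassembled data that ends up longer than the announced total. The same pair of hunks recurs in ietf_attr_port_filter.c, ietf_attr_product_info.c, ietf_attr_remediation_instr.c, ietf_attr_string_version.c and ietf_attr_pa_tnc_error.c, where surplus bytes from the peer may be parsed as attribute content (only ietf_attr_op_status.c rejects them, through its `!= OP_STATUS_SIZE` test). Unless the segmentation layer outside this diff already caps the total, process could add `if (this->value.len > this->length) return FAILED;` right after the NEED_MORE check. chunk_cat with "mc" also reallocates and copies the whole accumulated value for each segment, which deserves a comment such as `/* O(total) copy per segment; total is bounded by this->length */` once that bound is enforced.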
@@ -231,6 +248,7 @@ pa_tnc_attr_t *ietf_attr_numeric_version_create(u_int32_t major, u_int32_t minor
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -253,7 +271,8 @@ pa_tnc_attr_t *ietf_attr_numeric_version_create(u_int32_t major, u_int32_t minor
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_numeric_version_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_numeric_version_create_from_data(size_t length,
+														  chunk_t data)
 {
 	private_ietf_attr_numeric_version_t *this;
 
@@ -266,6 +285,7 @@ pa_tnc_attr_t *ietf_attr_numeric_version_create_from_data(chunk_t data)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -274,6 +294,7 @@ pa_tnc_attr_t *ietf_attr_numeric_version_create_from_data(chunk_t data)
 			.get_service_pack = _get_service_pack,
 		},
 		.type = { PEN_IETF, IETF_ATTR_NUMERIC_VERSION },
+		.length = length,
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.h b/src/libimcv/ietf/ietf_attr_numeric_version.h
index bbda6b8..34393c6 100644
--- a/src/libimcv/ietf/ietf_attr_numeric_version.h
+++ b/src/libimcv/ietf/ietf_attr_numeric_version.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-14 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -77,8 +77,10 @@ pa_tnc_attr_t* ietf_attr_numeric_version_create(u_int32_t major, u_int32_t minor
 /**
  * Creates an ietf_attr_numeric_version_t object from received data
  *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_numeric_version_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_numeric_version_create_from_data(size_t length,
+														  chunk_t value);
 
 #endif /** IETF_ATTR_NUMERIC_VERSION_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_op_status.c b/src/libimcv/ietf/ietf_attr_op_status.c
index 2353068..d061a52 100644
--- a/src/libimcv/ietf/ietf_attr_op_status.c
+++ b/src/libimcv/ietf/ietf_attr_op_status.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -76,7 +76,12 @@ struct private_ietf_attr_op_status_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Attribute value or segment
 	 */
 	chunk_t value;
 
@@ -154,6 +159,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_data  (writer, chunk_create(last_use, 20));
 
 	this->value = writer->extract_buf(writer);
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
@@ -167,6 +173,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
 
 	*offset = 0;
 
+	if (this->value.len < this->length)
+	{
+		return NEED_MORE;
+	}
 	if (this->value.len != OP_STATUS_SIZE)
 	{
 		DBG1(DBG_TNC, "incorrect size for IETF operational status");
@@ -212,6 +222,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	return SUCCESS;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_op_status_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("mc", this->value, segment);
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_op_status_t *this)
 {
@@ -264,6 +280,7 @@ pa_tnc_attr_t *ietf_attr_op_status_create(u_int8_t status, u_int8_t result,
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -284,7 +301,7 @@ pa_tnc_attr_t *ietf_attr_op_status_create(u_int8_t status, u_int8_t result,
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_op_status_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_op_status_create_from_data(size_t length, chunk_t data)
 {
 	private_ietf_attr_op_status_t *this;
 
@@ -297,6 +314,7 @@ pa_tnc_attr_t *ietf_attr_op_status_create_from_data(chunk_t data)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
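Review bot: `length` is accepted by ietf_attr_op_status_create_from_data but no hunk for this file stores it; each sibling file adds `.length = length,` next to `.value = chunk_clone(data),`, and that line is missing here. The initializer continues outside this hunk, but the `length` field itself is introduced by this commit, so unchanged code cannot be setting it. If the field stays zero, the new `this->value.len < this->length` test in process can never return NEED_MORE, and a first segment shorter than OP_STATUS_SIZE is rejected as "incorrect size" instead of waiting for the remaining segments. Adding `.length = length,` before `.value = chunk_clone(data),` would bring this constructor in line with the others.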
diff --git a/src/libimcv/ietf/ietf_attr_op_status.h b/src/libimcv/ietf/ietf_attr_op_status.h
index b70fab6..f19185f 100644
--- a/src/libimcv/ietf/ietf_attr_op_status.h
+++ b/src/libimcv/ietf/ietf_attr_op_status.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-14 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -100,8 +100,10 @@ pa_tnc_attr_t* ietf_attr_op_status_create(u_int8_t status, u_int8_t result,
 /**
  * Creates an ietf_attr_op_status_t object from received data
  *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_op_status_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_op_status_create_from_data(size_t length,
+													chunk_t value);
 
 #endif /** IETF_ATTR_OP_STATUS_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
index 5f20f89..0dbb4aa 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -113,7 +113,12 @@ struct private_ietf_attr_pa_tnc_error_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Attribute value or segment
 	 */
 	chunk_t value;
 
@@ -133,14 +138,19 @@ struct private_ietf_attr_pa_tnc_error_t {
 	chunk_t msg_info;
 
 	/**
-	 * First 8 bytes of unsupported PA-TNC attribute
+	 * Flags of unsupported PA-TNC attribute
+	 */
+	uint8_t flags;
+
+	/**
+	 * Vendor ID and type of unsupported PA-TNC attribute
 	 */
-	chunk_t attr_info;
+	pen_type_t unsupported_type;
 
 	/**
 	 * PA-TNC error offset
 	 */
-	u_int32_t error_offset;
+	uint32_t error_offset;
 
 	/**
 	 * Reference count
@@ -200,26 +210,35 @@ METHOD(pa_tnc_attr_t, build, void,
 				writer->write_uint16(writer, PA_ERROR_VERSION_RESERVED);
 				break;
 			case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
-				writer->write_data(writer, this->attr_info);
+				writer->write_uint8 (writer, this->flags);
+				writer->write_uint24(writer, this->unsupported_type.vendor_id);
+				writer->write_uint32(writer, this->unsupported_type.type);
 				break;
 			default:
 				break;
 		}
 	}
 	this->value = writer->extract_buf(writer);
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
 METHOD(pa_tnc_attr_t, process, status_t,
-	private_ietf_attr_pa_tnc_error_t *this, u_int32_t *offset)
+	private_ietf_attr_pa_tnc_error_t *this, uint32_t *offset)
 {
 	bio_reader_t *reader;
-	u_int8_t reserved;
+	uint8_t reserved;
+	uint32_t vendor_id, type;
 
+	*offset = 0;
+
+	if (this->value.len < this->length)
+	{
+		return NEED_MORE;
+	}
 	if (this->value.len < PA_ERROR_HEADER_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for PA-TNC error header");
-		*offset = 0;
 		return FAILED;
 	}
 	reader = bio_reader_create(this->value);
@@ -250,8 +269,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 				}
 				break;
 			case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
-				if (!reader->read_data(reader, PA_ERROR_ATTR_INFO_SIZE,
-											   &this->attr_info))
+				if (reader->remaining(reader) < PA_ERROR_ATTR_INFO_SIZE)
 				{
 					reader->destroy(reader);
 					DBG1(DBG_TNC, "insufficient data for unsupported attribute "
@@ -259,7 +277,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
 					*offset = PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE;
 					return FAILED;
 				}
-				this->attr_info = chunk_clone(this->attr_info);
+				reader->read_uint8 (reader, &this->flags);
+				reader->read_uint24(reader, &vendor_id);
+				reader->read_uint32(reader, &type);
+				this->unsupported_type = pen_type_create(vendor_id, type);
 				break;
 			default:
 				break;
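Review bot: The three reads added here discard their return values, so `vendor_id` and `type` reach pen_type_create uninitialized if any read comes up short. Their safety rests entirely on the `reader->remaining(reader) < PA_ERROR_ATTR_INFO_SIZE` guard in the preceding hunk covering 1 + 3 + 4 bytes, and that constant is defined outside this diff, so the match cannot be confirmed from here. Either initialise the locals (`uint32_t vendor_id = 0, type = 0;`) and add a comment like `/* remaining() check above guarantees flags(1) + vendor ID(3) + type(4) */`, or test the reads directly with `if (!reader->read_uint8(reader, &this->flags) || !reader->read_uint24(reader, &vendor_id) || !reader->read_uint32(reader, &type))`. The enclosing process method starts and ends outside this hunk.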
@@ -275,6 +296,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	return SUCCESS;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_pa_tnc_error_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("mc", this->value, segment);
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_pa_tnc_error_t *this)
 {
@@ -289,7 +316,6 @@ METHOD(pa_tnc_attr_t, destroy, void,
 	{
 		free(this->value.ptr);
 		free(this->msg_info.ptr);
-		free(this->attr_info.ptr);
 		free(this);
 	}
 }
@@ -306,19 +332,24 @@ METHOD(ietf_attr_pa_tnc_error_t, get_msg_info, chunk_t,
 	return this->msg_info;
 }
 
-METHOD(ietf_attr_pa_tnc_error_t, get_attr_info, chunk_t,
-	private_ietf_attr_pa_tnc_error_t *this)
+METHOD(ietf_attr_pa_tnc_error_t, get_unsupported_attr, pen_type_t,
+	private_ietf_attr_pa_tnc_error_t *this, uint8_t *flags)
 {
-	return this->attr_info;
+	if (flags)
+	{
+		*flags = this->flags;
+	}
+	return this->unsupported_type;
 }
 
-METHOD(ietf_attr_pa_tnc_error_t, set_attr_info, void,
-	private_ietf_attr_pa_tnc_error_t *this, chunk_t attr_info)
+METHOD(ietf_attr_pa_tnc_error_t, set_unsupported_attr, void,
+	private_ietf_attr_pa_tnc_error_t *this, uint8_t flags, pen_type_t type)
 {
-	this->attr_info = chunk_clone(attr_info);
+	this->flags = flags;
+	this->unsupported_type = type;
 }
 
-METHOD(ietf_attr_pa_tnc_error_t, get_offset, u_int32_t,
+METHOD(ietf_attr_pa_tnc_error_t, get_offset, uint32_t,
 	private_ietf_attr_pa_tnc_error_t *this)
 {
 	return this->error_offset;
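Review bot: get_unsupported_attr treats `flags` as an optional out-parameter (`if (flags)`), but the doc comment this commit adds for it in ietf_attr_pa_tnc_error.h only says "PA-TNC attribute flags". The comment for set_unsupported_attr in that header also still tags the second argument as `@param attr_info` although the parameter is now named `type`. I would document the getter with `@param flags  PA-TNC attribute flags (output, may be NULL)` and change the setter tag to `@param type  PA-TNC attribute vendor ID and type`.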
@@ -340,13 +371,14 @@ static private_ietf_attr_pa_tnc_error_t* create_generic()
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
 			.get_error_code = _get_error_code,
 			.get_msg_info = _get_msg_info,
-			.get_attr_info = _get_attr_info,
-			.set_attr_info = _set_attr_info,
+			.get_unsupported_attr = _get_unsupported_attr,
+			.set_unsupported_attr = _set_unsupported_attr,
 			.get_offset = _get_offset,
 		},
 		.type = { PEN_IETF, IETF_ATTR_PA_TNC_ERROR },
@@ -385,7 +417,7 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_type_t error_code,
  */
 pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_with_offset(pen_type_t error_code,
 														 chunk_t msg_info,
-														 u_int32_t error_offset)
+														 uint32_t error_offset)
 {
 	private_ietf_attr_pa_tnc_error_t *this;
 
@@ -403,11 +435,13 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_with_offset(pen_type_t error_code,
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(size_t length,
+													   chunk_t data)
 {
 	private_ietf_attr_pa_tnc_error_t *this;
 
 	this = create_generic();
+	this->length = length;
 	this->value = chunk_clone(data);
 
 	return &this->public.pa_tnc_attribute;
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
index faa38f8..b1df194 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -69,25 +69,29 @@ struct ietf_attr_pa_tnc_error_t {
 	chunk_t (*get_msg_info)(ietf_attr_pa_tnc_error_t *this);
 
 	/**
-	 * Get first 8 bytes of unsupported PA-TNC attribute
+	 * Get flags, vendor ID and type of unsupported PA-TNC attribute
 	 *
-	 * @return				PA-TNC attribute info
+	 * @param flags			PA-TNC attribute flags
+	 * @return				PA-TNC attribute vendor ID and type
 	 */
-	chunk_t (*get_attr_info)(ietf_attr_pa_tnc_error_t *this);
+	pen_type_t (*get_unsupported_attr)(ietf_attr_pa_tnc_error_t *this,
+									   uint8_t *flags);
 
 	/**
-	 * Set first 8 bytes of unsupported PA-TNC attribute
+	 * Set flags, vendor ID and type of unsupported PA-TNC attribute
 	 *
-	 * @param attr_info		PA-TNC message info
+	 * @param flags			PA-TNC attribute flags
+	 * @param attr_info		PA-TNC attribute vendor ID and type
 	 */
-	void (*set_attr_info)(ietf_attr_pa_tnc_error_t *this, chunk_t attr_info);
+	void (*set_unsupported_attr)(ietf_attr_pa_tnc_error_t *this, uint8_t flags,
+								 pen_type_t type);
 
 	/**
 	 * Get the PA-TNC error offset
 	 *
 	 * @return				PA-TNC error offset
 	 */
-	u_int32_t (*get_offset)(ietf_attr_pa_tnc_error_t *this);
+	uint32_t (*get_offset)(ietf_attr_pa_tnc_error_t *this);
 
 };
 
@@ -111,13 +115,15 @@ pa_tnc_attr_t* ietf_attr_pa_tnc_error_create(pen_type_t error_code,
  */
 pa_tnc_attr_t* ietf_attr_pa_tnc_error_create_with_offset(pen_type_t error_code,
 														 chunk_t header,
-														 u_int32_t error_offset);
+														 uint32_t error_offset);
 
 /**
  * Creates an ietf_attr_pa_tnc_error_t object from received data
  *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_pa_tnc_error_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_pa_tnc_error_create_from_data(size_t length,
+													   chunk_t value);
 
 #endif /** IETF_ATTR_PA_TNC_ERROR_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_port_filter.c b/src/libimcv/ietf/ietf_attr_port_filter.c
index 1d516a5..4682440 100644
--- a/src/libimcv/ietf/ietf_attr_port_filter.c
+++ b/src/libimcv/ietf/ietf_attr_port_filter.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -63,7 +64,12 @@ struct private_ietf_attr_port_filter_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Attribute value or segment
 	 */
 	chunk_t value;
 
@@ -131,6 +137,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	enumerator->destroy(enumerator);
 
 	this->value = writer->extract_buf(writer);
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
@@ -141,11 +148,16 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	port_entry_t *entry;
 	u_int8_t blocked;
 
+	*offset = 0;
+
+	if (this->value.len < this->length)
+	{
+		return NEED_MORE;
+	}
 	if (this->value.len % PORT_FILTER_ENTRY_SIZE)
 	{
 		DBG1(DBG_TNC, "ietf port filter attribute value is not a multiple of %d",
 			 PORT_FILTER_ENTRY_SIZE);
-		*offset = 0;
 		return FAILED;
 	}
 	reader = bio_reader_create(this->value);
@@ -164,6 +176,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	return SUCCESS;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_port_filter_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("mc", this->value, segment);
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_port_filter_t *this)
 {
@@ -231,6 +249,7 @@ pa_tnc_attr_t *ietf_attr_port_filter_create(void)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -248,7 +267,8 @@ pa_tnc_attr_t *ietf_attr_port_filter_create(void)
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_port_filter_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_port_filter_create_from_data(size_t length,
+													  chunk_t data)
 {
 	private_ietf_attr_port_filter_t *this;
 
@@ -261,6 +281,7 @@ pa_tnc_attr_t *ietf_attr_port_filter_create_from_data(chunk_t data)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -268,6 +289,7 @@ pa_tnc_attr_t *ietf_attr_port_filter_create_from_data(chunk_t data)
 			.create_port_enumerator = _create_port_enumerator,
 		},
 		.type = {PEN_IETF, IETF_ATTR_PORT_FILTER },
+		.length = length,
 		.value = chunk_clone(data),
 		.ports = linked_list_create(),
 		.ref = 1,
diff --git a/src/libimcv/ietf/ietf_attr_port_filter.h b/src/libimcv/ietf/ietf_attr_port_filter.h
index 93b696e..d383b19 100644
--- a/src/libimcv/ietf/ietf_attr_port_filter.h
+++ b/src/libimcv/ietf/ietf_attr_port_filter.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -67,8 +67,10 @@ pa_tnc_attr_t* ietf_attr_port_filter_create(void);
 /**
  * Creates an ietf_attr_port_filter_t object from received data
  *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_port_filter_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_port_filter_create_from_data(size_t length,
+													  chunk_t value);
 
 #endif /** IETF_ATTR_PORT_FILTER_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_product_info.c b/src/libimcv/ietf/ietf_attr_product_info.c
index a107c27..37c89e9 100644
--- a/src/libimcv/ietf/ietf_attr_product_info.c
+++ b/src/libimcv/ietf/ietf_attr_product_info.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -51,7 +52,12 @@ struct private_ietf_attr_product_info_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Attribute value or segment
 	 */
 	chunk_t value;
 
@@ -120,6 +126,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_data  (writer, this->product_name);
 
 	this->value = writer->extract_buf(writer);
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
@@ -129,10 +136,15 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	bio_reader_t *reader;
 	chunk_t product_name;
 
+	*offset = 0;
+
+	if (this->value.len < this->length)
+	{
+		return NEED_MORE;
+	}
 	if (this->value.len < PRODUCT_INFO_MIN_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for IETF product information");
-		*offset = 0;
 		return FAILED;
 	}
 	reader = bio_reader_create(this->value);
@@ -153,6 +165,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	return SUCCESS;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_product_info_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("mc", this->value, segment);
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_product_info_t *this)
 {
@@ -202,6 +220,7 @@ pa_tnc_attr_t *ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -220,7 +239,8 @@ pa_tnc_attr_t *ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_product_info_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_product_info_create_from_data(size_t length,
+													   chunk_t data)
 {
 	private_ietf_attr_product_info_t *this;
 
@@ -233,12 +253,14 @@ pa_tnc_attr_t *ietf_attr_product_info_create_from_data(chunk_t data)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
 			.get_info = _get_info,
 		},
 		.type = { PEN_IETF, IETF_ATTR_PRODUCT_INFORMATION },
+		.length = length,
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libimcv/ietf/ietf_attr_product_info.h b/src/libimcv/ietf/ietf_attr_product_info.h
index d0b2d2a..5151b58 100644
--- a/src/libimcv/ietf/ietf_attr_product_info.h
+++ b/src/libimcv/ietf/ietf_attr_product_info.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -60,8 +60,10 @@ pa_tnc_attr_t* ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
 /**
  * Creates an ietf_attr_product_info_t object from received data
  *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_product_info_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_product_info_create_from_data(size_t length,
+													   chunk_t value);
 
 #endif /** IETF_ATTR_PRODUCT_INFO_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.c b/src/libimcv/ietf/ietf_attr_remediation_instr.c
index 5d85e5d..6407037 100644
--- a/src/libimcv/ietf/ietf_attr_remediation_instr.c
+++ b/src/libimcv/ietf/ietf_attr_remediation_instr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -79,7 +79,12 @@ struct private_ietf_attr_remediation_instr_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Attribute value or segment
 	 */
 	chunk_t value;
 
@@ -155,6 +160,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_data  (writer, this->parameters);
 
 	this->value = writer->extract_buf(writer);
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
@@ -168,6 +174,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
 
 	*offset = 0;
 
+	if (this->value.len < this->length)
+	{
+		return NEED_MORE;
+	}
 	if (this->value.len < REMEDIATION_INSTR_MIN_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for IETF remediation instructions");
@@ -218,6 +228,12 @@ end:
 	return status;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_remediation_instr_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("mc", this->value, segment);
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_remediation_instr_t *this)
 {
@@ -275,6 +291,7 @@ pa_tnc_attr_t *ietf_attr_remediation_instr_create(pen_type_t parameters_type,
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -328,7 +345,8 @@ pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_string(chunk_t string,
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_data(size_t length,
+															chunk_t data)
 {
 	private_ietf_attr_remediation_instr_t *this;
 
@@ -341,6 +359,7 @@ pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_data(chunk_t data)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -350,6 +369,7 @@ pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_data(chunk_t data)
 			.get_string = _get_string,
 		},
 		.type = { PEN_IETF, IETF_ATTR_REMEDIATION_INSTRUCTIONS },
+		.length = length,
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.h b/src/libimcv/ietf/ietf_attr_remediation_instr.h
index 5c7c889..bc03e99 100644
--- a/src/libimcv/ietf/ietf_attr_remediation_instr.h
+++ b/src/libimcv/ietf/ietf_attr_remediation_instr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -102,8 +102,10 @@ pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_string(chunk_t string,
 /**
  * Creates an ietf_attr_remediation_instr_t object from received data
  *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_data(size_t length,
+															chunk_t value);
 
 #endif /** IETF_ATTR_REMEDIATION_INSTR_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_string_version.c b/src/libimcv/ietf/ietf_attr_string_version.c
index 68adde6..c46200b 100644
--- a/src/libimcv/ietf/ietf_attr_string_version.c
+++ b/src/libimcv/ietf/ietf_attr_string_version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -54,7 +54,12 @@ struct private_ietf_attr_string_version_t {
 	pen_type_t type;
 
 	/**
-	 * Attribute value
+	 * Length of attribute value
+	 */
+	size_t length;
+
+	/**
+	 * Attribute value or segment
 	 */
 	chunk_t value;
 
@@ -124,6 +129,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_data8(writer, this->config);
 
 	this->value = writer->extract_buf(writer);
+	this->length = this->value.len;
 	writer->destroy(writer);
 }
 
@@ -137,6 +143,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
 
 	*offset = 0;
 
+	if (this->value.len < this->length)
+	{
+		return NEED_MORE;
+	}
 	if (this->value.len < STRING_VERSION_MIN_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for IETF string version");
@@ -198,6 +208,12 @@ end:
 	return status;
 }
 
+METHOD(pa_tnc_attr_t, add_segment, void,
+	private_ietf_attr_string_version_t *this, chunk_t segment)
+{
+	this->value = chunk_cat("mc", this->value, segment);
+}
+
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
 	private_ietf_attr_string_version_t *this)
 {
@@ -254,6 +270,7 @@ pa_tnc_attr_t *ietf_attr_string_version_create(chunk_t version, chunk_t build,
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
@@ -272,7 +289,8 @@ pa_tnc_attr_t *ietf_attr_string_version_create(chunk_t version, chunk_t build,
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_string_version_create_from_data(chunk_t data)
+pa_tnc_attr_t *ietf_attr_string_version_create_from_data(size_t length,
+														 chunk_t data)
 {
 	private_ietf_attr_string_version_t *this;
 
@@ -285,12 +303,14 @@ pa_tnc_attr_t *ietf_attr_string_version_create_from_data(chunk_t data)
 				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
+				.add_segment = _add_segment,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
 			.get_version = _get_version,
 		},
 		.type = { PEN_IETF, IETF_ATTR_STRING_VERSION },
+		.length = length,
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libimcv/ietf/ietf_attr_string_version.h b/src/libimcv/ietf/ietf_attr_string_version.h
index 9ccc1f0..432ed4a 100644
--- a/src/libimcv/ietf/ietf_attr_string_version.h
+++ b/src/libimcv/ietf/ietf_attr_string_version.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -60,8 +60,10 @@ pa_tnc_attr_t* ietf_attr_string_version_create(chunk_t version, chunk_t build,
 /**
  * Creates an ietf_attr_string_version_t object from received data
  *
- * @param value				unparsed attribute value
+ * @param length			Total length of attribute value
+ * @param value				Unparsed attribute value (might be a segment)
  */
-pa_tnc_attr_t* ietf_attr_string_version_create_from_data(chunk_t value);
+pa_tnc_attr_t* ietf_attr_string_version_create_from_data(size_t length,
+														 chunk_t value);
 
 #endif /** IETF_ATTR_STRING_VERSION_H_ @}*/
diff --git a/src/libimcv/imc/imc_agent.c b/src/libimcv/imc/imc_agent.c
index 5331517..0d622f1 100644
--- a/src/libimcv/imc/imc_agent.c
+++ b/src/libimcv/imc/imc_agent.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -59,6 +59,11 @@ struct private_imc_agent_t {
 	linked_list_t *additional_ids;
 
 	/**
+	 * list of non-fatal unsupported PA-TNC attribute types
+	 */
+	linked_list_t *non_fatal_attr_types;
+
+	/**
 	 * list of TNCC connection entries
 	 */
 	linked_list_t *connections;
@@ -510,11 +515,29 @@ METHOD(imc_agent_t, create_id_enumerator, enumerator_t*,
 	return this->additional_ids->create_enumerator(this->additional_ids);
 }
 
+METHOD(imc_agent_t, add_non_fatal_attr_type, void,
+	private_imc_agent_t *this, pen_type_t type)
+{
+	pen_type_t *type_p;
+
+	type_p = malloc_thing(pen_type_t);
+	*type_p = type;
+	this->non_fatal_attr_types->insert_last(this->non_fatal_attr_types, type_p);
+}
+
+METHOD(imc_agent_t, get_non_fatal_attr_types, linked_list_t*,
+	private_imc_agent_t *this)
+{
+	return this->non_fatal_attr_types;
+}
+
 METHOD(imc_agent_t, destroy, void,
 	private_imc_agent_t *this)
 {
 	DBG1(DBG_IMC, "IMC %u \"%s\" terminated", this->id, this->name);
 	this->additional_ids->destroy(this->additional_ids);
+	this->non_fatal_attr_types->destroy_function(this->non_fatal_attr_types,
+												 free);
 	this->connections->destroy_function(this->connections, free);
 	this->connection_lock->destroy(this->connection_lock);
 	free(this);
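Review bot: get_non_fatal_attr_types returns the agent's internal `linked_list_t` itself, so any caller can insert into, remove from or destroy a list that destroy later frees with `destroy_function(..., free)`. The neighbouring accessor create_id_enumerator exposes its list only through an enumerator, and the additions here take no lock even though the agent keeps a `connection_lock` for its connection list. If the list is meant to be filled once at initialisation and only read afterwards, say so in a comment on add_non_fatal_attr_type; otherwise an enumerator-returning accessor would match the existing style. add_non_fatal_attr_type also appends without checking whether the type is already present.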
@@ -550,6 +573,8 @@ imc_agent_t *imc_agent_create(const char *name,
 			.reserve_additional_ids = _reserve_additional_ids,
 			.count_additional_ids = _count_additional_ids,
 			.create_id_enumerator = _create_id_enumerator,
+			.add_non_fatal_attr_type = _add_non_fatal_attr_type,
+			.get_non_fatal_attr_types = _get_non_fatal_attr_types,
 			.destroy = _destroy,
 		},
 		.name = name,
@@ -557,6 +582,7 @@ imc_agent_t *imc_agent_create(const char *name,
 		.type_count = type_count,
 		.id = id,
 		.additional_ids = linked_list_create(),
+		.non_fatal_attr_types = linked_list_create(),
 		.connections = linked_list_create(),
 		.connection_lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 	);
diff --git a/src/libimcv/imc/imc_agent.h b/src/libimcv/imc/imc_agent.h
index 0a1638f..8bdfb6c 100644
--- a/src/libimcv/imc/imc_agent.h
+++ b/src/libimcv/imc/imc_agent.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -172,6 +172,16 @@ struct imc_agent_t {
 	enumerator_t* (*create_id_enumerator)(imc_agent_t *this);
 
 	/**
+	 * Add an item to the list of non-fatal unsupported PA-TNC attribute types
+	 */
+	void (*add_non_fatal_attr_type)(imc_agent_t *this, pen_type_t type);
+
+	/**
+	 * Get a list of non-fatal unsupported PA-TNC attribute types
+	 */
+	linked_list_t* (*get_non_fatal_attr_types)(imc_agent_t *this);
+
+	/**
 	 * Destroys an imc_agent_t object
 	 */
 	void (*destroy)(imc_agent_t *this);
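Review bot: The two new doc comments have no `@param`/`@return` tags and do not state who owns the returned list. Suggested additions are `@param type  PA-TNC attribute type treated as non-fatal when unsupported` for the adder and `@return  list of pen_type_t*, owned by the agent` for the getter. The identical declarations in imv_agent.h need the same tags.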
diff --git a/src/libimcv/imc/imc_msg.c b/src/libimcv/imc/imc_msg.c
index 1cf81c7..83337cf 100644
--- a/src/libimcv/imc/imc_msg.c
+++ b/src/libimcv/imc/imc_msg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,8 +18,12 @@
 #include "ietf/ietf_attr.h"
 #include "ietf/ietf_attr_assess_result.h"
 #include "ietf/ietf_attr_remediation_instr.h"
+#include "tcg/seg/tcg_seg_attr_max_size.h"
+#include "tcg/seg/tcg_seg_attr_seg_env.h"
+#include "tcg/seg/tcg_seg_attr_next_seg.h"
 
 #include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
 
 #include <pen/pen.h>
 #include <collections/linked_list.h>
@@ -104,11 +108,18 @@ METHOD(imc_msg_t, send_, TNC_Result,
 	pa_tnc_attr_t *attr;
 	TNC_UInt32 msg_flags;
 	TNC_MessageType msg_type;
-	bool attr_added;
+	bool attr_added, oversize;
 	chunk_t msg;
+	seg_contract_t *contract;
+	seg_contract_manager_t *contracts;
 	enumerator_t *enumerator;
 	TNC_Result result = TNC_RESULT_SUCCESS;
 
+	/* Get IF-M segmentation contract for this subtype if any */
+	contracts = this->state->get_contracts(this->state);
+	contract = contracts->get_contract(contracts, this->msg_type,
+									   FALSE, this->dst_id);
+
 	while (this->attr_list->get_count(this->attr_list))
 	{
 		pa_tnc_msg = pa_tnc_msg_create(this->state->get_max_msg_len(this->state));
@@ -117,6 +128,17 @@ METHOD(imc_msg_t, send_, TNC_Result,
 		enumerator = this->attr_list->create_enumerator(this->attr_list);
 		while (enumerator->enumerate(enumerator, &attr))
 		{
+			if (contract && contract->check_size(contract, attr, &oversize))
+			{
+				if (oversize)
+				{
+					/* TODO generate SWID error msg */
+				}
+				else
+				{
+					attr = contract->first_segment(contract, attr);
+				}
+			}
 			if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
 			{
 				attr_added = TRUE;
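Review bot: When `check_size` reports `oversize`, the branch holds only a TODO, so the attribute falls through to `pa_tnc_msg->add_attribute()` unchanged and the maximum attribute size agreed in the contract is not enforced on this path. Until the error message exists, the branch should at least log the condition, e.g. `DBG1(DBG_IMC, "attribute exceeds maximum size of segmentation contract");`, and keep the attribute out of the message. In the other branch `attr` is overwritten with the result of `first_segment()`. Whether the original attribute is still removed from `attr_list`, and who releases the new segment if `add_attribute()` refuses it, is decided in the part of the loop outside this hunk and should be checked. The identical block is added to `send_` in imv_msg.c.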
@@ -208,8 +230,9 @@ static void print_assessment_trailer(bool first)
 }
 
 METHOD(imc_msg_t, receive, TNC_Result,
-	private_imc_msg_t *this, bool *fatal_error)
+	private_imc_msg_t *this, imc_msg_t *out_msg, bool *fatal_error)
 {
+	linked_list_t *non_fatal_types;
 	TNC_UInt32 target_imc_id;
 	enumerator_t *enumerator;
 	pa_tnc_attr_t *attr;
@@ -251,26 +274,14 @@ METHOD(imc_msg_t, receive, TNC_Result,
 			break;
 		case VERIFY_ERROR:
 		{
-			imc_msg_t *error_msg;
-			TNC_Result result;
-
-			error_msg = imc_msg_create_as_reply(&this->public);
-
 			/* extract and copy by reference all error attributes */
 			enumerator = this->pa_msg->create_error_enumerator(this->pa_msg);
 			while (enumerator->enumerate(enumerator, &attr))
 			{
-				error_msg->add_attribute(error_msg, attr->get_ref(attr));
+				out_msg->add_attribute(out_msg, attr->get_ref(attr));
 			}
 			enumerator->destroy(enumerator);
-
-			/*
-			 * send the PA-TNC message containing all error attributes
-			 * with the excl flag set
-			 */
-			result = error_msg->send(error_msg, TRUE);
-			error_msg->destroy(error_msg);
-			return result;
+			return TNC_RESULT_SUCCESS;
 		}
 		case FAILED:
 		default:
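Review bot: On the `VERIFY_ERROR` path the function now returns `TNC_RESULT_SUCCESS` before `*fatal_error` is written; the only visible assignment is the later `process_ietf_std_errors()` call. A caller that tests the flag after a successful return therefore reads whatever it stored there beforehand. Assign the flag explicitly before the return (for example `*fatal_error = FALSE;`, if that is the intended meaning). The removed code also sent the error attributes itself with the exclusive flag set, so add a comment such as `/* error attributes are queued in out_msg, the caller has to send it */` to record that this is now the caller's job. The function starts and ends outside this hunk.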
@@ -281,8 +292,192 @@ METHOD(imc_msg_t, receive, TNC_Result,
 	target_imc_id = (this->dst_id != TNC_IMCID_ANY) ?
 					 this->dst_id : this->agent->get_id(this->agent);
 
+	/* process any IF-M segmentation contracts */
+	enumerator = this->pa_msg->create_attribute_enumerator(this->pa_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		uint32_t max_attr_size, max_seg_size, my_max_attr_size, my_max_seg_size;
+		seg_contract_t *contract;
+		seg_contract_manager_t *contracts;
+		char buf[BUF_LEN];
+		pen_type_t type;
+
+		type = attr->get_type(attr);
+
+		contracts = this->state->get_contracts(this->state);
+
+		if (type.vendor_id != PEN_TCG)
+		{
+			continue;
+		}
+
+		switch (type.type)
+		{
+			case TCG_SEG_MAX_ATTR_SIZE_REQ:
+			{
+				tcg_seg_attr_max_size_t *attr_cast;
+
+				attr_cast = (tcg_seg_attr_max_size_t*)attr;
+				attr_cast->get_attr_size(attr_cast, &max_attr_size,
+													&max_seg_size);
+				contract = contracts->get_contract(contracts, this->msg_type,
+												   FALSE, this->src_id);
+				if (contract)
+				{
+					contract->set_max_size(contract, max_attr_size,
+													 max_seg_size);
+				}
+				else
+				{
+					contract = seg_contract_create(this->msg_type, max_attr_size,
+									max_seg_size, FALSE, this->src_id, TRUE);
+					contract->set_responder(contract, target_imc_id);
+					contracts->add_contract(contracts, contract);
+				}
+				contract->get_info_string(contract, buf, BUF_LEN, TRUE);
+				DBG2(DBG_IMC, "%s", buf);
+
+				/* Determine maximum PA-TNC attribute segment size */
+				my_max_seg_size = this->state->get_max_msg_len(this->state)
+									- PA_TNC_HEADER_SIZE
+									- PA_TNC_ATTR_HEADER_SIZE
+									- TCG_SEG_ATTR_SEG_ENV_HEADER
+									- PA_TNC_ATTR_HEADER_SIZE
+									- TCG_SEG_ATTR_MAX_SIZE_SIZE;
+
+				/* If segmentation is possible select lower segment size */
+				if (max_seg_size != SEG_CONTRACT_NO_FRAGMENTATION &&
+					max_seg_size > my_max_seg_size)
+				{
+					max_seg_size = my_max_seg_size;
+					contract->set_max_size(contract, max_attr_size,
+													 max_seg_size);
+					DBG2(DBG_IMC, "  lowered maximum segment size to %u bytes",
+						 max_seg_size);
+				}
+
+				/* Add Maximum Attribute Size Response attribute */
+				attr = tcg_seg_attr_max_size_create(max_attr_size,
+													max_seg_size, FALSE);
+				out_msg->add_attribute(out_msg, attr);
+				break;
+			}
+			case TCG_SEG_MAX_ATTR_SIZE_RESP:
+			{
+				tcg_seg_attr_max_size_t *attr_cast;
+
+				attr_cast = (tcg_seg_attr_max_size_t*)attr;
+				attr_cast->get_attr_size(attr_cast, &max_attr_size,
+													&max_seg_size);
+				contract = contracts->get_contract(contracts, this->msg_type,
+												   TRUE, this->src_id);
+				if (!contract)
+				{
+					contract = contracts->get_contract(contracts, this->msg_type,
+													   TRUE, TNC_IMCID_ANY);
+					if (contract)
+					{
+						contract = contract->clone(contract);
+						contract->set_responder(contract, this->src_id);
+						contracts->add_contract(contracts, contract);
+					}
+				}
+				if (contract)
+				{
+					contract->get_max_size(contract, &my_max_attr_size,
+													 &my_max_seg_size);
+					if (my_max_seg_size != SEG_CONTRACT_NO_FRAGMENTATION &&
+						my_max_seg_size > max_seg_size)
+					{
+						my_max_seg_size = max_seg_size;
+						contract->set_max_size(contract, my_max_attr_size,
+														 my_max_seg_size);
+					}
+					contract->get_info_string(contract, buf, BUF_LEN, FALSE);
+					DBG2(DBG_IMC, "%s", buf);
+				}
+				else
+				{
+					/* TODO no request pending */
+					DBG1(DBG_IMC, "no contract for this PA message type found");
+				}
+				break;
+			}
+			case TCG_SEG_ATTR_SEG_ENV:
+			{
+				tcg_seg_attr_seg_env_t *seg_env_attr;
+				pa_tnc_attr_t *error;
+				uint32_t base_attr_id;
+				bool more;
+
+				seg_env_attr = (tcg_seg_attr_seg_env_t*)attr;
+				base_attr_id = seg_env_attr->get_base_attr_id(seg_env_attr);
+
+				contract = contracts->get_contract(contracts, this->msg_type,
+												   TRUE, this->src_id);
+				if (!contract)
+				{
+					DBG2(DBG_IMC, "no contract for received attribute segment "
+						 "with base attribute ID %u", base_attr_id);
+					continue;
+				}
+				attr = contract->add_segment(contract, attr, &error, &more);
+				if (error)
+				{
+					out_msg->add_attribute(out_msg, error);
+				}
+				if (attr)
+				{
+					this->pa_msg->add_attribute(this->pa_msg, attr);
+				}
+				if (more)
+				{
+					/* Send Next Segment Request */
+					attr = tcg_seg_attr_next_seg_create(base_attr_id, FALSE);
+					out_msg->add_attribute(out_msg, attr);
+				}
+				break;
+			}
+			case TCG_SEG_NEXT_SEG_REQ:
+			{
+				tcg_seg_attr_next_seg_t *attr_cast;
+				uint32_t base_attr_id;
+
+				attr_cast = (tcg_seg_attr_next_seg_t*)attr;
+				base_attr_id = attr_cast->get_base_attr_id(attr_cast);
+
+				contract = contracts->get_contract(contracts, this->msg_type,
+												   FALSE, this->src_id);
+				if (!contract)
+				{
+					/* TODO no contract - generate error message */
+					DBG1(DBG_IMC, "no contract for received next segment "
+						 "request with base attribute ID %u", base_attr_id);
+					continue;
+				}
+				attr = contract->next_segment(contract, base_attr_id);
+				if (attr)
+				{
+					out_msg->add_attribute(out_msg, attr);
+				}
+				else
+				{
+					/* TODO no more segments - generate error message */
+					DBG1(DBG_IMC, "no more segments found for "
+						 "base attribute ID %u", base_attr_id);
+				}
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
 	/* preprocess any received IETF standard error attributes */
-	*fatal_error = this->pa_msg->process_ietf_std_errors(this->pa_msg);
+	non_fatal_types = this->agent->get_non_fatal_attr_types(this->agent);
+	*fatal_error = this->pa_msg->process_ietf_std_errors(this->pa_msg,
+														 non_fatal_types);
 
 	/* preprocess any received IETF assessment result attribute */
 	enumerator = this->pa_msg->create_attribute_enumerator(this->pa_msg);
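Review bot: `my_max_seg_size` is obtained by subtracting five header-size constants from `get_max_msg_len()` in unsigned arithmetic, with no check that the message length exceeds their sum. If it does not (including a value of 0, should that be possible here), the result wraps to a very large number and the peer-supplied `max_seg_size` is never lowered, so compare the length against the summed overhead before subtracting. In the `TCG_SEG_ATTR_SEG_ENV` case `error` and `more` are read after `add_segment()` without being initialised, which relies on the callee writing both on every path; `pa_tnc_attr_t *error = NULL;` and `bool more = FALSE;` remove that dependency. That case also calls `this->pa_msg->add_attribute()` while the enumerator over the same message's attributes is still open, which is worth confirming as safe for the underlying list. The same code is added to `receive` in imv_msg.c, and the function starts and ends outside this hunk.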
@@ -297,16 +492,16 @@ METHOD(imc_msg_t, receive, TNC_Result,
 		if (attr_type.type == IETF_ATTR_ASSESSMENT_RESULT)
 		{
 			ietf_attr_assess_result_t *attr_cast;
-			TNC_IMV_Evaluation_Result result;
+			TNC_IMV_Evaluation_Result res;
 
 			attr_cast = (ietf_attr_assess_result_t*)attr;
-			result =  attr_cast->get_result(attr_cast);
-			this->state->set_result(this->state, target_imc_id, result);
+			res =  attr_cast->get_result(attr_cast);
+			this->state->set_result(this->state, target_imc_id, res);
 
 			print_assessment_header(this->agent->get_name(this->agent),
 									target_imc_id, this->src_id, &first);
 			DBG1(DBG_IMC, "assessment result is '%N'",
-				 TNC_IMV_Evaluation_Result_names, result);
+				 TNC_IMV_Evaluation_Result_names, res);
 		}
 		else if (attr_type.type == IETF_ATTR_REMEDIATION_INSTRUCTIONS)
 		{
diff --git a/src/libimcv/imc/imc_msg.h b/src/libimcv/imc/imc_msg.h
index 588225d..a8c4d3c 100644
--- a/src/libimcv/imc/imc_msg.h
+++ b/src/libimcv/imc/imc_msg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -65,10 +65,12 @@ struct imc_msg_t {
 	/**
 	 * Processes a received PA-TNC message
 	 *
+	 * @param out_msg			outgoing PA-TN message
 	 * @param fatal_error		TRUE if IMV sent a fatal error message
 	 * @return					TNC result code
 	 */
-	TNC_Result (*receive)(imc_msg_t *this, bool *fatal_error);
+	TNC_Result (*receive)(imc_msg_t *this, imc_msg_t *out_msg,
+						  bool *fatal_error);
 
 	/**
 	 * Add a PA-TNC attribute to the send queue
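Review bot: The new `@param out_msg` line reads "PA-TN message", which should be "PA-TNC", and it does not say what `receive` does with the argument. From the implementation, error attributes and segmentation replies are appended to it, and it is no longer sent from inside `receive`. Suggested wording: `@param out_msg  outgoing PA-TNC message that collects error and segmentation reply attributes; must not be NULL, sending is left to the caller`. The same line is added to imv_msg.h.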
diff --git a/src/libimcv/imc/imc_os_info.h b/src/libimcv/imc/imc_os_info.h
index a6db443..6bb0e96 100644
--- a/src/libimcv/imc/imc_os_info.h
+++ b/src/libimcv/imc/imc_os_info.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup imc_os_info imc_os_info
- * @{ @ingroup libimcv
+ * @{ @ingroup libimcv_imc
  */
 
 #ifndef IMC_OS_INFO_H_
diff --git a/src/libimcv/imc/imc_state.h b/src/libimcv/imc/imc_state.h
index 7e763fb..efcf567 100644
--- a/src/libimcv/imc/imc_state.h
+++ b/src/libimcv/imc/imc_state.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -22,6 +22,8 @@
 #ifndef IMC_STATE_H_
 #define IMC_STATE_H_
 
+#include "seg/seg_contract_manager.h"
+
 #include <tncif.h>
 #include <tncifimv.h>
 #include <tncifimc.h>
@@ -80,6 +82,13 @@ struct imc_state_t {
 	u_int32_t (*get_max_msg_len)(imc_state_t *this);
 
 	/**
+	 * Get attribute segmentation contracts associated with TNCCS Connection
+	 *
+	 * @return				contracts associated with TNCCS Connection
+	 */
+	seg_contract_manager_t* (*get_contracts)(imc_state_t *this);
+
+	/**
 	 * Change the connection state
 	 *
 	 * @param new_state		new connection state
diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c
index 30679a3..bd4156c 100644
--- a/src/libimcv/imcv.c
+++ b/src/libimcv/imcv.c
@@ -15,6 +15,14 @@
 #include "imcv.h"
 #include "ietf/ietf_attr.h"
 #include "ita/ita_attr.h"
+#include "tcg/tcg_attr.h"
+#include "pts/components/pts_component.h"
+#include "pts/components/pts_component_manager.h"
+#include "pts/components/tcg/tcg_comp_func_name.h"
+#include "pts/components/ita/ita_comp_func_name.h"
+#include "pts/components/ita/ita_comp_ima.h"
+#include "pts/components/ita/ita_comp_tboot.h"
+#include "pts/components/ita/ita_comp_tgrub.h"
 
 #include <utils/debug.h>
 #include <utils/utils.h>
@@ -24,8 +32,12 @@
 #include <syslog.h>
 #endif
 
+#ifndef IPSEC_SCRIPT
+#define IPSEC_SCRIPT "ipsec"
+#endif
+
 #define IMCV_DEBUG_LEVEL			1
-#define IMCV_DEFAULT_POLICY_SCRIPT	"ipsec _imv_policy"
+#define IMCV_DEFAULT_POLICY_SCRIPT	IPSEC_SCRIPT " _imv_policy"
 
 
 /**
@@ -44,6 +56,11 @@ imv_session_manager_t *imcv_sessions;
 imv_database_t *imcv_db;
 
 /**
+ * PTS Functional Component manager
+ */
+pts_component_manager_t *imcv_pts_components;
+
+/**
  * Reference count for libimcv
  */
 static refcount_t libimcv_ref = 0;
@@ -162,7 +179,26 @@ bool libimcv_init(bool is_imv)
 							ietf_attr_create_from_data, ietf_attr_names);
 		imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_ITA,
 							ita_attr_create_from_data, ita_attr_names);
-
+		imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_TCG,
+							tcg_attr_create_from_data, tcg_attr_names);
+
+		imcv_pts_components = pts_component_manager_create();
+		imcv_pts_components->add_vendor(imcv_pts_components, PEN_TCG,
+					pts_tcg_comp_func_names, PTS_TCG_QUALIFIER_TYPE_SIZE,
+					pts_tcg_qualifier_flag_names, pts_tcg_qualifier_type_names);
+		imcv_pts_components->add_vendor(imcv_pts_components, PEN_ITA,
+					pts_ita_comp_func_names, PTS_ITA_QUALIFIER_TYPE_SIZE,
+					pts_ita_qualifier_flag_names, pts_ita_qualifier_type_names);
+
+		imcv_pts_components->add_component(imcv_pts_components, PEN_ITA,
+									  PTS_ITA_COMP_FUNC_NAME_TGRUB,
+									  pts_ita_comp_tgrub_create);
+		imcv_pts_components->add_component(imcv_pts_components, PEN_ITA,
+									  PTS_ITA_COMP_FUNC_NAME_TBOOT,
+									  pts_ita_comp_tboot_create);
+		imcv_pts_components->add_component(imcv_pts_components, PEN_ITA,
+									  PTS_ITA_COMP_FUNC_NAME_IMA,
+									  pts_ita_comp_ima_create);
 		if (is_imv)
 		{
 			/* instantiate global IMV session manager */
@@ -193,8 +229,13 @@ void libimcv_deinit(void)
 {
 	if (ref_put(&libimcv_ref))
 	{
+		imcv_pts_components->remove_vendor(imcv_pts_components, PEN_TCG);
+		imcv_pts_components->remove_vendor(imcv_pts_components, PEN_ITA);
+		imcv_pts_components->destroy(imcv_pts_components);
+
 		imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_IETF);
 		imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_ITA);
+		imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_TCG);
 		DESTROY_IF(imcv_pa_tnc_attributes);
 		imcv_pa_tnc_attributes = NULL;
 		DESTROY_IF(imcv_db);
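Review bot: `imcv_pts_components` is destroyed here but the global keeps pointing at the freed object, unlike `imcv_pa_tnc_attributes`, which is reset to NULL a few lines below. Adding `imcv_pts_components = NULL;` right after the `destroy()` call keeps any late access after deinit from touching freed memory. The new calls also dereference the pointer unconditionally while the neighbouring teardown uses `DESTROY_IF`; if `libimcv_init` can return early before the manager is created, this path needs the same guard, which cannot be judged from the visible part of the init code. `libimcv_deinit` continues past the end of this hunk.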
diff --git a/src/libimcv/imcv.h b/src/libimcv/imcv.h
index 7710388..31536ec 100644
--- a/src/libimcv/imcv.h
+++ b/src/libimcv/imcv.h
@@ -27,6 +27,12 @@
  * @defgroup libimcv_plugins plugins
  * @ingroup libimcv
  *
+ * @defgroup libimcv_seg seg
+ * @ingroup libimcv
+ *
+ * @defgroup libimcv_swid swid
+ * @ingroup libimcv
+ *
  * @addtogroup libimcv
  * @{
  */
@@ -37,6 +43,7 @@
 #include "pa_tnc/pa_tnc_attr_manager.h"
 #include "imv/imv_database.h"
 #include "imv/imv_session_manager.h"
+#include "pts/components/pts_component_manager.h"
 
 #include <library.h>
 
@@ -68,4 +75,9 @@ extern imv_database_t* imcv_db;
  */
 extern imv_session_manager_t* imcv_sessions;
 
+/**
+ * PTS Functional Component manager
+ */
+extern pts_component_manager_t* imcv_pts_components;
+
 #endif /** IMCV_H_ @}*/
diff --git a/src/libimcv/imcv_tests.c b/src/libimcv/imcv_tests.c
new file mode 100644
index 0000000..e9bb303
--- /dev/null
+++ b/src/libimcv/imcv_tests.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+
+#include <library.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#include "imcv_tests.h"
+#undef TEST_SUITE
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+	{ .suite = x, },
+#include "imcv_tests.h"
+	{ .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+	if (!init)
+	{
+		lib->processor->set_threads(lib->processor, 0);
+		lib->processor->cancel(lib->processor);
+	}
+	return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+	return test_runner_run("libimcv", tests, test_runner_init);
+}
diff --git a/src/libimcv/imcv_tests.h b/src/libimcv/imcv_tests.h
new file mode 100644
index 0000000..d3ea24b
--- /dev/null
+++ b/src/libimcv/imcv_tests.h
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(imcv_seg_suite_create)
+
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index b45cad4..425748f 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -306,6 +306,23 @@ INSERT INTO products (			/* 51 */
  'Android 4.4.4'
 );
 
+INSERT INTO products (			/* 52 */
+  name
+) VALUES (
+ 'Debian 7.6 i686'
+);
+
+INSERT INTO products (			/* 53 */
+  name
+) VALUES (
+ 'Debian 7.6 x86_64'
+);
+INSERT INTO products (			/* 54 */
+  name
+) VALUES (
+ 'Debian 7.6 armv6l'
+);
+
 /* Directories */
 
 INSERT INTO directories (		/*  1 */
@@ -777,6 +794,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  4, 52
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   5, 2
 );
 
@@ -825,6 +848,12 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
   group_id, product_id
 ) VALUES (
+  5, 53
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
   6, 9
 );
 
@@ -1026,6 +1055,12 @@ INSERT INTO groups_product_defaults (
   14, 48
 );
 
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  14, 54
+);
+
 /* Policies */
 
 INSERT INTO policies (			/*  1 */
diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c
index a46455d..6b24f4b 100644
--- a/src/libimcv/imv/imv_agent.c
+++ b/src/libimcv/imv/imv_agent.c
@@ -65,6 +65,11 @@ struct private_imv_agent_t {
 	linked_list_t *additional_ids;
 
 	/**
+	 * list of non-fatal unsupported PA-TNC attribute types
+	 */
+	linked_list_t *non_fatal_attr_types;
+
+	/**
 	 * list of TNCS connection entries
 	 */
 	linked_list_t *connections;
@@ -772,11 +777,29 @@ METHOD(imv_agent_t, provide_recommendation, TNC_Result,
 	return this->provide_recommendation(this->id, connection_id, rec, eval);
 }
 
+METHOD(imv_agent_t, add_non_fatal_attr_type, void,
+	private_imv_agent_t *this, pen_type_t type)
+{
+	pen_type_t *type_p;
+
+	type_p = malloc_thing(pen_type_t);
+	*type_p = type;
+	this->non_fatal_attr_types->insert_last(this->non_fatal_attr_types, type_p);
+}
+
+METHOD(imv_agent_t, get_non_fatal_attr_types, linked_list_t*,
+	private_imv_agent_t *this)
+{
+	return this->non_fatal_attr_types;
+}
+
 METHOD(imv_agent_t, destroy, void,
 	private_imv_agent_t *this)
 {
 	DBG1(DBG_IMV, "IMV %u \"%s\" terminated", this->id, this->name);
 	this->additional_ids->destroy(this->additional_ids);
+	this->non_fatal_attr_types->destroy_function(this->non_fatal_attr_types,
+												 free);
 	this->connections->destroy_offset(this->connections,
 									  offsetof(imv_state_t, destroy));
 	this->connection_lock->destroy(this->connection_lock);
@@ -815,6 +838,8 @@ imv_agent_t *imv_agent_create(const char *name,
 			.create_id_enumerator = _create_id_enumerator,
 			.create_language_enumerator = _create_language_enumerator,
 			.provide_recommendation = _provide_recommendation,
+			.add_non_fatal_attr_type = _add_non_fatal_attr_type,
+			.get_non_fatal_attr_types = _get_non_fatal_attr_types,
 			.destroy = _destroy,
 		},
 		.name = name,
@@ -822,6 +847,7 @@ imv_agent_t *imv_agent_create(const char *name,
 		.type_count = type_count,
 		.id = id,
 		.additional_ids = linked_list_create(),
+		.non_fatal_attr_types = linked_list_create(),
 		.connections = linked_list_create(),
 		.connection_lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 	);
diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h
index 47ce770..1f6a10b 100644
--- a/src/libimcv/imv/imv_agent.h
+++ b/src/libimcv/imv/imv_agent.h
@@ -189,6 +189,16 @@ struct imv_agent_t {
 	TNC_Result (*provide_recommendation)(imv_agent_t *this, imv_state_t* state);
 
 	/**
+	 * Add an item to the list of non-fatal unsupported PA-TNC attribute types
+	 */
+	void (*add_non_fatal_attr_type)(imv_agent_t *this, pen_type_t type);
+
+	/**
+	 * Get a list of non-fatal unsupported PA-TNC attribute types
+	 */
+	linked_list_t* (*get_non_fatal_attr_types)(imv_agent_t *this);
+
+	/**
 	 * Destroys an imv_agent_t object
 	 */
 	void (*destroy)(imv_agent_t *this);
diff --git a/src/libimcv/imv/imv_msg.c b/src/libimcv/imv/imv_msg.c
index e718175..fdf6332 100644
--- a/src/libimcv/imv/imv_msg.c
+++ b/src/libimcv/imv/imv_msg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,8 +18,12 @@
 #include "ietf/ietf_attr.h"
 #include "ietf/ietf_attr_assess_result.h"
 #include "ietf/ietf_attr_remediation_instr.h"
+#include "tcg/seg/tcg_seg_attr_max_size.h"
+#include "tcg/seg/tcg_seg_attr_seg_env.h"
+#include "tcg/seg/tcg_seg_attr_next_seg.h"
 
 #include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
 
 #include <pen/pen.h>
 #include <collections/linked_list.h>
@@ -121,11 +125,18 @@ METHOD(imv_msg_t, send_, TNC_Result,
 	pa_tnc_attr_t *attr;
 	TNC_UInt32 msg_flags;
 	TNC_MessageType msg_type;
-	bool attr_added;
+	bool attr_added, oversize;
 	chunk_t msg;
+	seg_contract_t *contract;
+	seg_contract_manager_t *contracts;
 	enumerator_t *enumerator;
 	TNC_Result result = TNC_RESULT_SUCCESS;
 
+	/* Get IF-M segmentation contract for this subtype if any */
+	contracts = this->state->get_contracts(this->state);
+	contract = contracts->get_contract(contracts, this->msg_type,
+									   FALSE, this->dst_id);
+
 	while (this->attr_list->get_count(this->attr_list))
 	{
 		pa_tnc_msg = pa_tnc_msg_create(this->state->get_max_msg_len(this->state));
@@ -134,6 +145,17 @@ METHOD(imv_msg_t, send_, TNC_Result,
 		enumerator = this->attr_list->create_enumerator(this->attr_list);
 		while (enumerator->enumerate(enumerator, &attr))
 		{
+			if (contract && contract->check_size(contract, attr, &oversize))
+			{
+				if (oversize)
+				{
+					/* TODO generate SWID error msg */
+				}
+				else
+				{
+					attr = contract->first_segment(contract, attr);
+				}
+			}
 			if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
 			{
 				attr_added = TRUE;
@@ -246,8 +268,11 @@ METHOD(imv_msg_t, send_assessment, TNC_Result,
 }
 
 METHOD(imv_msg_t, receive, TNC_Result,
-	private_imv_msg_t *this, bool *fatal_error)
+	private_imv_msg_t *this, imv_msg_t *out_msg, bool *fatal_error)
 {
+	TNC_Result result = TNC_RESULT_SUCCESS;
+	TNC_UInt32 target_imv_id;
+	linked_list_t *non_fatal_types;
 	enumerator_t *enumerator;
 	pa_tnc_attr_t *attr;
 	chunk_t msg;
@@ -286,36 +311,211 @@ METHOD(imv_msg_t, receive, TNC_Result,
 			break;
 		case VERIFY_ERROR:
 		{
-			imv_msg_t *error_msg;
-			TNC_Result result;
-
-			error_msg = imv_msg_create_as_reply(&this->public);
-
 			/* extract and copy by reference all error attributes */
 			enumerator = this->pa_msg->create_error_enumerator(this->pa_msg);
 			while (enumerator->enumerate(enumerator, &attr))
 			{
-				error_msg->add_attribute(error_msg, attr->get_ref(attr));
+				out_msg->add_attribute(out_msg, attr->get_ref(attr));
 			}
 			enumerator->destroy(enumerator);
-
-			/*
-			 * send the PA-TNC message containing all error attributes
-			 * with the excl flag set
-			 */
-			result = error_msg->send(error_msg, TRUE);
-			error_msg->destroy(error_msg);
-			return result;
 		}
 		case FAILED:
 		default:
 			return TNC_RESULT_FATAL;
 	}
 
+	/* determine target IMV ID */
+	target_imv_id = (this->dst_id != TNC_IMVID_ANY) ?
+					 this->dst_id : this->agent->get_id(this->agent);
+
+	/* process IF-M segmentation attributes */
+	enumerator = this->pa_msg->create_attribute_enumerator(this->pa_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		uint32_t max_attr_size, max_seg_size, my_max_attr_size, my_max_seg_size;
+		seg_contract_manager_t *contracts;
+		seg_contract_t *contract;
+		char buf[BUF_LEN];
+		pen_type_t type;
+
+		type = attr->get_type(attr);
+
+		if (type.vendor_id != PEN_TCG)
+		{
+			continue;
+		}
+
+		contracts = this->state->get_contracts(this->state);
+
+		switch (type.type)
+		{
+			case TCG_SEG_MAX_ATTR_SIZE_REQ:
+			{
+				tcg_seg_attr_max_size_t *attr_cast;
+
+				attr_cast = (tcg_seg_attr_max_size_t*)attr;
+				attr_cast->get_attr_size(attr_cast, &max_attr_size,
+													&max_seg_size);
+				contract = contracts->get_contract(contracts, this->msg_type,
+												   FALSE, this->src_id);
+				if (contract)
+				{
+					contract->set_max_size(contract, max_attr_size,
+													 max_seg_size);
+				}
+				else
+				{
+					contract = seg_contract_create(this->msg_type, max_attr_size,
+									max_seg_size, FALSE, this->src_id, FALSE);
+					contract->set_responder(contract, target_imv_id);
+					contracts->add_contract(contracts, contract);
+				}
+				contract->get_info_string(contract, buf, BUF_LEN, TRUE);
+				DBG2(DBG_IMV, "%s", buf);
+
+				/* Determine maximum PA-TNC attribute segment size */
+				my_max_seg_size = this->state->get_max_msg_len(this->state)
+									- PA_TNC_HEADER_SIZE
+									- PA_TNC_ATTR_HEADER_SIZE
+									- TCG_SEG_ATTR_SEG_ENV_HEADER
+									- PA_TNC_ATTR_HEADER_SIZE
+									- TCG_SEG_ATTR_MAX_SIZE_SIZE;
+
+				/* If segmentation is possible select lower segment size */
+				if (max_seg_size != SEG_CONTRACT_NO_FRAGMENTATION &&
+					max_seg_size > my_max_seg_size)
+				{
+					max_seg_size = my_max_seg_size;
+					contract->set_max_size(contract, max_attr_size,
+													 max_seg_size);
+					DBG2(DBG_IMV, "  lowered maximum segment size to %u bytes",
+						 max_seg_size);
+				}
+
+				/* Add Maximum Attribute Size Response attribute */
+				attr = tcg_seg_attr_max_size_create(max_attr_size,
+													max_seg_size, FALSE);
+				out_msg->add_attribute(out_msg, attr);
+				break;
+			}
+			case TCG_SEG_MAX_ATTR_SIZE_RESP:
+			{
+				tcg_seg_attr_max_size_t *attr_cast;
+
+				attr_cast = (tcg_seg_attr_max_size_t*)attr;
+				attr_cast->get_attr_size(attr_cast, &max_attr_size,
+													&max_seg_size);
+				contract = contracts->get_contract(contracts, this->msg_type,
+												   TRUE, this->src_id);
+				if (!contract)
+				{
+					contract = contracts->get_contract(contracts, this->msg_type,
+												   TRUE, TNC_IMCID_ANY);
+					if (contract)
+					{
+						contract = contract->clone(contract);
+						contract->set_responder(contract, this->src_id);
+						contracts->add_contract(contracts, contract);
+					}
+				}
+				if (contract)
+				{
+					contract->get_max_size(contract, &my_max_attr_size,
+													 &my_max_seg_size);
+					if (my_max_seg_size != SEG_CONTRACT_NO_FRAGMENTATION &&
+						my_max_seg_size > max_seg_size)
+					{
+						my_max_seg_size = max_seg_size;
+						contract->set_max_size(contract, my_max_attr_size,
+														 my_max_seg_size);
+					}
+					contract->get_info_string(contract, buf, BUF_LEN, FALSE);
+					DBG2(DBG_IMV, "%s", buf);
+				}
+				else
+				{
+					/* TODO no request pending */
+					DBG1(DBG_IMV, "no contract for this PA message type found");
+				}
+				break;
+			}
+			case TCG_SEG_ATTR_SEG_ENV:
+			{
+				tcg_seg_attr_seg_env_t *seg_env_attr;
+				pa_tnc_attr_t *error;
+				uint32_t base_attr_id;
+				bool more;
+
+				seg_env_attr = (tcg_seg_attr_seg_env_t*)attr;
+				base_attr_id = seg_env_attr->get_base_attr_id(seg_env_attr);
+
+				contract = contracts->get_contract(contracts, this->msg_type,
+												   TRUE, this->src_id);
+				if (!contract)
+				{
+					DBG2(DBG_IMV, "no contract for received attribute segment "
+						 "with base attribute ID %u", base_attr_id);
+					continue;
+				}
+				attr = contract->add_segment(contract, attr, &error, &more);
+				if (error)
+				{
+					out_msg->add_attribute(out_msg, error);
+				}
+				if (attr)
+				{
+					this->pa_msg->add_attribute(this->pa_msg, attr);
+				}
+				if (more)
+				{
+					/* Send Next Segment Request */
+					attr = tcg_seg_attr_next_seg_create(base_attr_id, FALSE);
+					out_msg->add_attribute(out_msg, attr);
+				}
+				break;
+			}
+			case TCG_SEG_NEXT_SEG_REQ:
+			{
+				tcg_seg_attr_next_seg_t *attr_cast;
+				uint32_t base_attr_id;
+
+				attr_cast = (tcg_seg_attr_next_seg_t*)attr;
+				base_attr_id = attr_cast->get_base_attr_id(attr_cast);
+
+				contract = contracts->get_contract(contracts, this->msg_type,
+												   FALSE, this->src_id);
+				if (!contract)
+				{
+					/* TODO no contract - generate error message */
+					DBG1(DBG_IMV, "no contract for received next segment "
+						 "request with base attribute ID %u", base_attr_id);
+					continue;
+				}
+				attr = contract->next_segment(contract, base_attr_id);
+				if (attr)
+				{
+					out_msg->add_attribute(out_msg, attr);
+				}
+				else
+				{
+					/* TODO no more segments - generate error message */
+					DBG1(DBG_IMV, "no more segments found for "
+						 "base attribute ID %u", base_attr_id);
+				}
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
 	/* preprocess any received IETF standard error attributes */
-	*fatal_error = this->pa_msg->process_ietf_std_errors(this->pa_msg);
+	non_fatal_types = this->agent->get_non_fatal_attr_types(this->agent);
+	*fatal_error = this->pa_msg->process_ietf_std_errors(this->pa_msg,
+														 non_fatal_types);
 
-	return TNC_RESULT_SUCCESS;
+	return result;
 }
 
 METHOD(imv_msg_t, get_attribute_count, int,
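Review bot: With `return result;` removed, the `VERIFY_ERROR` case now runs off its closing brace into `case FAILED: default: return TNC_RESULT_FATAL;`, whereas the matching change in imc_msg.c ends the case with `return TNC_RESULT_SUCCESS;`. If the fatal result is intended on the IMV side, mark it with `/* fall through */` after the brace; otherwise add the explicit return so both sides agree. Separately, the new local `result` is initialised to `TNC_RESULT_SUCCESS` and not assigned again anywhere in this hunk, so `return result;` always yields success here and the variable could be dropped. The start of `receive` lies outside the hunk.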
diff --git a/src/libimcv/imv/imv_msg.h b/src/libimcv/imv/imv_msg.h
index dfec169..43b91e9 100644
--- a/src/libimcv/imv/imv_msg.h
+++ b/src/libimcv/imv/imv_msg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -79,10 +79,12 @@ struct imv_msg_t {
 	/**
 	 * Processes a received PA-TNC message
 	 *
+	 * @param out_msg			outgoing PA-TN message
 	 * @param fatal_error		TRUE if IMC sent a fatal error message
 	 * @return					TNC result code
 	 */
-	TNC_Result (*receive)(imv_msg_t *this, bool *fatal_error);
+	TNC_Result (*receive)(imv_msg_t *this, imv_msg_t *out_msg,
+						  bool *fatal_error);
 
 	/**
 	 * Add a PA-TNC attribute to the send queue
diff --git a/src/libimcv/imv/imv_os_info.h b/src/libimcv/imv/imv_os_info.h
index b68a17e..7cd609a 100644
--- a/src/libimcv/imv/imv_os_info.h
+++ b/src/libimcv/imv/imv_os_info.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup imv_os_info imv_os_info
- * @{ @ingroup libimcv
+ * @{ @ingroup libimcv_imv
  */
 
 #ifndef IMV_OS_INFO_H_
diff --git a/src/libimcv/imv/imv_state.h b/src/libimcv/imv/imv_state.h
index d11d15e..30ed612 100644
--- a/src/libimcv/imv/imv_state.h
+++ b/src/libimcv/imv/imv_state.h
@@ -23,6 +23,7 @@
 #define IMV_STATE_H_
 
 #include "imv_session.h"
+#include "seg/seg_contract_manager.h"
 
 #include <tncifimv.h>
 
@@ -108,6 +109,13 @@ struct imv_state_t {
 	imv_session_t* (*get_session)(imv_state_t *this);
 
 	/**
+	 * Get attribute segmentation contracts associated with TNCCS Connection
+	 *
+	 * @return				Contracts associated with TNCCS Conn