[Pkg-swan-devel] [strongswan] 01/07: New upstream version 5.5.2

Yves-Alexis Perez corsac at moszumanska.debian.org
Fri May 19 09:55:10 UTC 2017


This is an automated email from the git hooks/post-receive script.

corsac pushed a commit to branch master
in repository strongswan.

commit 05ddd767992d68bb38c7f16ece142e8c2e9ae016
Author: Yves-Alexis Perez <corsac at corsac.net>
Date:   Sat Apr 1 16:26:44 2017 +0200

    New upstream version 5.5.2
---
 Android.common.mk                                  |    2 +-
 Makefile.am                                        |    2 +-
 Makefile.in                                        |    4 +-
 NEWS                                               |   45 +-
 conf/Makefile.am                                   |    5 +-
 conf/Makefile.in                                   |    7 +-
 conf/options/aikpub2.conf                          |    7 -
 conf/options/aikpub2.opt                           |    2 -
 conf/options/charon.conf                           |    9 +
 conf/options/charon.opt                            |   20 +
 conf/plugins/addrblock.conf                        |   11 +
 conf/plugins/addrblock.opt                         |    8 +
 conf/plugins/bypass-lan.conf                       |   17 +
 conf/plugins/bypass-lan.opt                        |    8 +
 conf/plugins/kernel-netlink.conf                   |    6 +
 conf/plugins/kernel-netlink.opt                    |   17 +
 conf/plugins/pkcs11.conf                           |   16 +-
 conf/plugins/pkcs11.opt                            |   10 +-
 conf/plugins/revocation.conf                       |   14 +
 conf/plugins/revocation.opt                        |    7 +
 conf/plugins/tpm.conf                              |   11 +
 conf/plugins/tpm.opt                               |    2 +
 conf/strongswan.conf.5.main                        |   86 +-
 configure                                          |  775 +++---
 configure.ac                                       |   91 +-
 init/Makefile.in                                   |    2 +-
 init/systemd-swanctl/Makefile.in                   |    2 +-
 init/systemd-swanctl/strongswan-swanctl.service.in |    3 +-
 init/systemd/Makefile.in                           |    2 +-
 init/systemd/strongswan.service.in                 |    3 +-
 man/Makefile.in                                    |    2 +-
 man/ipsec.conf.5.in                                |   10 +-
 scripts/Makefile.in                                |    2 +-
 scripts/dh_speed.c                                 |   17 +-
 src/Makefile.am                                    |    4 -
 src/Makefile.in                                    |    7 +-
 src/_copyright/Makefile.in                         |    2 +-
 src/_updown/Makefile.in                            |    2 +-
 src/aikgen/Makefile.in                             |    2 +-
 src/aikpub2/Makefile.am                            |   15 -
 src/aikpub2/Makefile.in                            |  762 ------
 src/aikpub2/aikpub2.c                              |  305 ---
 src/charon-cmd/Makefile.in                         |    2 +-
 src/charon-cmd/charon-cmd.c                        |   11 +-
 src/charon-nm/Makefile.in                          |    2 +-
 src/charon-nm/charon-nm.c                          |    2 +-
 src/charon-svc/Makefile.in                         |    2 +-
 src/charon-svc/charon-svc.c                        |    3 +-
 src/charon-systemd/Makefile.in                     |    2 +-
 src/charon-systemd/charon-systemd.c                |   18 +-
 src/charon-tkm/Makefile.in                         |    2 +-
 src/charon-tkm/src/charon-tkm.c                    |    2 +-
 src/charon-tkm/src/tkm/tkm_keymat.c                |    3 +-
 src/charon-tkm/tests/tests.c                       |    2 +-
 src/charon/Makefile.in                             |    2 +-
 src/charon/charon.c                                |   17 +-
 src/checksum/Makefile.am                           |    4 +
 src/checksum/Makefile.in                           |   55 +-
 src/checksum/checksum_builder.c                    |    3 +
 src/conftest/Makefile.in                           |    2 +-
 src/conftest/hooks/pretend_auth.c                  |    3 +-
 src/conftest/hooks/rebuild_auth.c                  |    2 +-
 src/dumm/Makefile.in                               |    2 +-
 src/include/Makefile.in                            |    2 +-
 src/ipsec/Makefile.in                              |    2 +-
 src/ipsec/_ipsec.8                                 |    2 +-
 src/ipsec/_ipsec.in                                |   32 +-
 src/libcharon/Android.mk                           |    2 +
 src/libcharon/Makefile.am                          |    9 +
 src/libcharon/Makefile.in                          |  324 +--
 src/libcharon/bus/bus.c                            |   10 +-
 src/libcharon/config/child_cfg.c                   |   35 +-
 src/libcharon/config/ike_cfg.c                     |   37 +-
 src/libcharon/config/ike_cfg.h                     |   13 +-
 src/libcharon/config/peer_cfg.c                    |   13 +-
 src/libcharon/config/peer_cfg.h                    |   16 +-
 src/libcharon/config/proposal.c                    |   24 +-
 src/libcharon/config/proposal.h                    |    9 +-
 src/libcharon/control/controller.c                 |    1 -
 src/libcharon/daemon.c                             |   52 +-
 src/libcharon/daemon.h                             |   28 +-
 src/libcharon/kernel/kernel_interface.c            |   11 +
 src/libcharon/kernel/kernel_interface.h            |   17 +
 src/libcharon/kernel/kernel_net.h                  |   11 +
 src/libcharon/plugins/addrblock/Makefile.in        |    2 +-
 src/libcharon/plugins/addrblock/addrblock_narrow.c |   72 +-
 .../plugins/addrblock/addrblock_validator.c        |   14 +-
 src/libcharon/plugins/android_dns/Makefile.in      |    2 +-
 src/libcharon/plugins/android_log/Makefile.in      |    2 +-
 src/libcharon/plugins/attr/Makefile.in             |    2 +-
 src/libcharon/plugins/attr_sql/Makefile.in         |    2 +-
 src/libcharon/plugins/bypass_lan/Makefile.am       |   18 +
 src/libcharon/plugins/bypass_lan/Makefile.in       |  795 ++++++
 .../plugins/bypass_lan/bypass_lan_listener.c       |  295 +++
 .../plugins/bypass_lan/bypass_lan_listener.h       |   54 +
 .../plugins/bypass_lan/bypass_lan_plugin.c         |  109 +
 .../plugins/bypass_lan/bypass_lan_plugin.h         |   42 +
 src/libcharon/plugins/certexpire/Makefile.in       |    2 +-
 src/libcharon/plugins/connmark/Makefile.in         |    2 +-
 src/libcharon/plugins/connmark/connmark_plugin.c   |    6 +
 src/libcharon/plugins/coupling/Makefile.in         |    2 +-
 src/libcharon/plugins/dhcp/Makefile.in             |    2 +-
 src/libcharon/plugins/dnscert/Makefile.in          |    2 +-
 src/libcharon/plugins/duplicheck/Makefile.in       |    2 +-
 src/libcharon/plugins/eap_aka/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |    2 +-
 src/libcharon/plugins/eap_dynamic/Makefile.in      |    2 +-
 src/libcharon/plugins/eap_dynamic/eap_dynamic.c    |   12 +
 src/libcharon/plugins/eap_gtc/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_identity/Makefile.in     |    2 +-
 src/libcharon/plugins/eap_md5/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |    2 +-
 src/libcharon/plugins/eap_peap/Makefile.in         |    2 +-
 src/libcharon/plugins/eap_radius/Makefile.in       |    2 +-
 src/libcharon/plugins/eap_sim/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_sim_file/Makefile.in     |    2 +-
 src/libcharon/plugins/eap_sim_pcsc/Makefile.in     |    2 +-
 .../plugins/eap_simaka_pseudonym/Makefile.in       |    2 +-
 .../plugins/eap_simaka_reauth/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |    2 +-
 src/libcharon/plugins/eap_tls/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_tnc/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_ttls/Makefile.in         |    2 +-
 src/libcharon/plugins/error_notify/Makefile.in     |    2 +-
 src/libcharon/plugins/ext_auth/Makefile.in         |    2 +-
 src/libcharon/plugins/farp/Makefile.in             |    2 +-
 src/libcharon/plugins/farp/farp_spoofer.c          |    2 +-
 src/libcharon/plugins/forecast/Makefile.in         |    2 +-
 src/libcharon/plugins/forecast/forecast_listener.c |    2 +-
 src/libcharon/plugins/ha/Makefile.in               |    2 +-
 src/libcharon/plugins/ha/ha_attribute.c            |    8 +-
 src/libcharon/plugins/ha/ha_ike.c                  |   15 +
 src/libcharon/plugins/ipseckey/Makefile.in         |    2 +-
 src/libcharon/plugins/kernel_iph/Makefile.in       |    2 +-
 src/libcharon/plugins/kernel_libipsec/Makefile.in  |    2 +-
 src/libcharon/plugins/kernel_netlink/Makefile.in   |    2 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |   56 +-
 .../plugins/kernel_netlink/kernel_netlink_net.c    |  269 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.c |   64 +-
 src/libcharon/plugins/kernel_pfkey/Makefile.in     |    2 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |   45 +-
 src/libcharon/plugins/kernel_pfroute/Makefile.in   |    2 +-
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |  197 +-
 src/libcharon/plugins/kernel_wfp/Makefile.in       |    2 +-
 .../plugins/kernel_wfp/kernel_wfp_ipsec.c          |    4 +
 src/libcharon/plugins/led/Makefile.in              |    2 +-
 src/libcharon/plugins/load_tester/Makefile.in      |    2 +-
 src/libcharon/plugins/lookip/Makefile.in           |    2 +-
 src/libcharon/plugins/medcli/Makefile.in           |    2 +-
 src/libcharon/plugins/medcli/medcli_config.c       |   81 +-
 src/libcharon/plugins/medsrv/Makefile.in           |    2 +-
 src/libcharon/plugins/osx_attr/Makefile.in         |    2 +-
 src/libcharon/plugins/p_cscf/Makefile.in           |    2 +-
 src/libcharon/plugins/radattr/Makefile.in          |    2 +-
 src/libcharon/plugins/resolve/Makefile.in          |    2 +-
 src/libcharon/plugins/smp/Makefile.in              |    2 +-
 src/libcharon/plugins/socket_default/Makefile.in   |    2 +-
 src/libcharon/plugins/socket_dynamic/Makefile.in   |    2 +-
 src/libcharon/plugins/socket_win/Makefile.in       |    2 +-
 src/libcharon/plugins/sql/Makefile.in              |    2 +-
 src/libcharon/plugins/sql/sql_config.c             |   10 +-
 src/libcharon/plugins/stroke/Makefile.in           |    2 +-
 src/libcharon/plugins/stroke/stroke_config.c       |  124 +-
 src/libcharon/plugins/stroke/stroke_control.c      |   20 +-
 src/libcharon/plugins/stroke/stroke_cred.c         |   10 +-
 src/libcharon/plugins/stroke/stroke_list.c         |    2 +-
 src/libcharon/plugins/stroke/stroke_plugin.c       |    2 +
 src/libcharon/plugins/systime_fix/Makefile.in      |    2 +-
 src/libcharon/plugins/tnc_ifmap/Makefile.in        |    2 +-
 src/libcharon/plugins/tnc_pdp/Makefile.in          |    2 +-
 src/libcharon/plugins/uci/Makefile.in              |    2 +-
 src/libcharon/plugins/unity/Makefile.in            |    2 +-
 src/libcharon/plugins/unity/unity_handler.c        |    5 +-
 src/libcharon/plugins/updown/Makefile.in           |    2 +-
 src/libcharon/plugins/vici/Makefile.in             |    2 +-
 src/libcharon/plugins/vici/README.md               |  109 +-
 src/libcharon/plugins/vici/perl/Makefile.in        |    2 +-
 src/libcharon/plugins/vici/python/Makefile.in      |    2 +-
 src/libcharon/plugins/vici/python/vici/protocol.py |   13 +-
 src/libcharon/plugins/vici/python/vici/session.py  |    6 +-
 src/libcharon/plugins/vici/ruby/Makefile.in        |    2 +-
 src/libcharon/plugins/vici/ruby/lib/vici.rb        |    4 +-
 src/libcharon/plugins/vici/vici_attribute.c        |   12 +-
 src/libcharon/plugins/vici/vici_authority.c        |  107 +-
 src/libcharon/plugins/vici/vici_config.c           |  326 ++-
 src/libcharon/plugins/vici/vici_config.h           |    2 +-
 src/libcharon/plugins/vici/vici_control.c          |  141 +-
 src/libcharon/plugins/vici/vici_cred.c             |  210 +-
 src/libcharon/plugins/vici/vici_dispatcher.c       |    6 +-
 src/libcharon/plugins/vici/vici_logger.c           |    7 +
 src/libcharon/plugins/vici/vici_query.c            |   96 +-
 src/libcharon/plugins/whitelist/Makefile.in        |    2 +-
 src/libcharon/plugins/xauth_eap/Makefile.in        |    2 +-
 src/libcharon/plugins/xauth_generic/Makefile.in    |    2 +-
 src/libcharon/plugins/xauth_noauth/Makefile.in     |    2 +-
 src/libcharon/plugins/xauth_pam/Makefile.in        |    2 +-
 src/libcharon/processing/jobs/delete_ike_sa_job.c  |    3 +-
 .../processing/jobs/initiate_mediation_job.c       |   21 +-
 src/libcharon/processing/jobs/start_action_job.c   |    4 +-
 src/libcharon/sa/child_sa.c                        |   19 +-
 src/libcharon/sa/ike_sa.c                          |   45 +-
 src/libcharon/sa/ike_sa.h                          |   18 +-
 src/libcharon/sa/ike_sa_manager.c                  |    4 -
 .../sa/ikev1/authenticators/psk_v1_authenticator.c |    4 +-
 .../ikev1/authenticators/pubkey_v1_authenticator.c |    4 +-
 src/libcharon/sa/ikev1/iv_manager.c                |  355 +++
 src/libcharon/sa/ikev1/iv_manager.h                |  120 +
 src/libcharon/sa/ikev1/keymat_v1.c                 |  259 +-
 src/libcharon/sa/ikev1/keymat_v1.h                 |   33 +-
 src/libcharon/sa/ikev1/phase1.c                    |   70 +-
 src/libcharon/sa/ikev1/task_manager_v1.c           |   29 +-
 src/libcharon/sa/ikev1/tasks/quick_mode.c          |   21 +-
 .../sa/ikev2/authenticators/pubkey_authenticator.c |   39 +-
 src/libcharon/sa/ikev2/keymat_v2.c                 |    6 +-
 src/libcharon/sa/ikev2/keymat_v2.h                 |    6 +-
 src/libcharon/sa/ikev2/task_manager_v2.c           |   94 +-
 src/libcharon/sa/ikev2/tasks/ike_auth.c            |   10 +-
 src/libcharon/sa/ikev2/tasks/ike_init.c            |   32 +
 src/libcharon/sa/ikev2/tasks/ike_mid_sync.c        |  264 ++
 src/libcharon/sa/ikev2/tasks/ike_mid_sync.h        |   74 +
 src/libcharon/sa/shunt_manager.c                   |   90 +-
 src/libcharon/sa/shunt_manager.h                   |   13 +-
 src/libcharon/sa/task.c                            |    1 +
 src/libcharon/sa/task.h                            |    2 +
 src/libcharon/sa/task_manager.h                    |   10 +-
 src/libcharon/tests/Makefile.am                    |    1 +
 src/libcharon/tests/Makefile.in                    |   21 +-
 src/libcharon/tests/exchange_tests.h               |    1 +
 src/libcharon/tests/libcharon_tests.c              |    2 +-
 src/libcharon/tests/suites/test_ike_mid_sync.c     |  535 ++++
 src/libcharon/tests/suites/test_proposal.c         |   26 +-
 src/libcharon/tests/utils/exchange_test_helper.c   |    2 +-
 src/libfast/Makefile.in                            |    2 +-
 src/libimcv/Makefile.in                            |    2 +-
 src/libimcv/plugins/imc_attestation/Makefile.in    |    2 +-
 src/libimcv/plugins/imc_hcd/Makefile.in            |    2 +-
 src/libimcv/plugins/imc_os/Makefile.in             |    2 +-
 src/libimcv/plugins/imc_scanner/Makefile.in        |    2 +-
 src/libimcv/plugins/imc_swid/Makefile.in           |    2 +-
 src/libimcv/plugins/imc_test/Makefile.in           |    2 +-
 src/libimcv/plugins/imv_attestation/Makefile.in    |    2 +-
 src/libimcv/plugins/imv_hcd/Makefile.in            |    2 +-
 src/libimcv/plugins/imv_os/Makefile.in             |    2 +-
 src/libimcv/plugins/imv_scanner/Makefile.in        |    2 +-
 src/libimcv/plugins/imv_swid/Makefile.in           |    2 +-
 src/libimcv/plugins/imv_test/Makefile.in           |    2 +-
 src/libipsec/Makefile.am                           |    4 +
 src/libipsec/Makefile.in                           |   13 +-
 src/libipsec/esp_context.c                         |   19 +-
 src/libipsec/esp_packet.c                          |    2 +
 src/libipsec/ip_packet.c                           |   29 +
 src/libipsec/ipsec_policy.c                        |   22 +-
 src/libipsec/ipsec_processor.c                     |   12 +-
 src/libipsec/ipsec_sa_mgr.c                        |   21 +-
 src/libipsec/tests/Makefile.in                     |    2 +-
 src/libpttls/Makefile.in                           |    2 +-
 src/libradius/Makefile.in                          |    2 +-
 src/libsimaka/Makefile.in                          |    2 +-
 src/libstrongswan/Android.mk                       |    5 +
 src/libstrongswan/Makefile.am                      |    7 +
 src/libstrongswan/Makefile.in                      |  230 +-
 src/libstrongswan/asn1/asn1.c                      |    4 +-
 src/libstrongswan/asn1/oid.c                       |  215 +-
 src/libstrongswan/asn1/oid.h                       |  146 +-
 src/libstrongswan/asn1/oid.txt                     |    3 +
 src/libstrongswan/collections/linked_list.h        |    2 +-
 src/libstrongswan/credentials/auth_cfg.c           |   48 +-
 src/libstrongswan/credentials/builder.c            |    5 +-
 src/libstrongswan/credentials/builder.h            |    7 +-
 src/libstrongswan/credentials/cred_encoding.h      |    4 +
 src/libstrongswan/credentials/keys/public_key.c    |   36 +-
 src/libstrongswan/credentials/keys/public_key.h    |   21 +-
 src/libstrongswan/credentials/sets/cert_cache.c    |   41 +-
 src/libstrongswan/credentials/sets/mem_cred.c      |  113 +-
 src/libstrongswan/credentials/sets/mem_cred.h      |   40 +-
 src/libstrongswan/crypto/diffie_hellman.c          |   14 +-
 src/libstrongswan/crypto/diffie_hellman.h          |    3 +
 src/libstrongswan/crypto/hashers/hasher.c          |   40 +-
 src/libstrongswan/crypto/hashers/hasher.h          |    8 +-
 .../crypto/proposal/proposal_keywords_static.c     |  213 +-
 .../crypto/proposal/proposal_keywords_static.txt   |    2 +
 src/libstrongswan/math/libnttfft/Makefile.in       |    2 +-
 src/libstrongswan/math/libnttfft/tests/Makefile.in |    2 +-
 .../math/libnttfft/tests/suites/test_ntt_fft.c     |   10 +
 src/libstrongswan/networking/host.c                |    2 +-
 src/libstrongswan/plugins/acert/Makefile.in        |    2 +-
 src/libstrongswan/plugins/aes/Makefile.in          |    2 +-
 src/libstrongswan/plugins/aesni/Makefile.in        |    2 +-
 src/libstrongswan/plugins/af_alg/Makefile.in       |    2 +-
 src/libstrongswan/plugins/agent/Makefile.in        |    2 +-
 src/libstrongswan/plugins/bliss/Makefile.in        |    2 +-
 src/libstrongswan/plugins/bliss/tests/Makefile.in  |    2 +-
 .../bliss/tests/suites/test_bliss_sampler.c        |    4 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |    2 +-
 src/libstrongswan/plugins/ccm/Makefile.in          |    2 +-
 src/libstrongswan/plugins/chapoly/Makefile.in      |    2 +-
 src/libstrongswan/plugins/cmac/Makefile.in         |    2 +-
 src/libstrongswan/plugins/constraints/Makefile.in  |    2 +-
 src/libstrongswan/plugins/ctr/Makefile.in          |    2 +-
 src/libstrongswan/plugins/curl/Makefile.in         |    2 +-
 src/libstrongswan/plugins/curve25519/Makefile.am   |   23 +
 src/libstrongswan/plugins/curve25519/Makefile.in   |  822 ++++++
 .../plugins/curve25519/curve25519_dh.c             |  174 ++
 .../plugins/curve25519/curve25519_dh.h             |   47 +
 .../plugins/curve25519/curve25519_drv.c            |   41 +
 .../plugins/curve25519/curve25519_drv.h            |   66 +
 .../plugins/curve25519/curve25519_drv_portable.c   |  613 +++++
 .../plugins/curve25519/curve25519_drv_portable.h   |   31 +
 .../curve25519/curve25519_identity_hasher.c        |   25 +
 .../curve25519/curve25519_identity_hasher.h        |   47 +
 .../plugins/curve25519/curve25519_plugin.c         |  101 +
 .../plugins/curve25519/curve25519_plugin.h         |   42 +
 .../plugins/curve25519/curve25519_private_key.c    |  346 +++
 .../plugins/curve25519/curve25519_private_key.h    |   60 +
 .../plugins/curve25519/curve25519_public_key.c     |  331 +++
 .../plugins/curve25519/curve25519_public_key.h     |   74 +
 src/libstrongswan/plugins/curve25519/ref10/base.h  | 2121 +++++++++++++++
 src/libstrongswan/plugins/curve25519/ref10/base2.h |   73 +
 src/libstrongswan/plugins/curve25519/ref10/ref10.c | 2731 ++++++++++++++++++++
 src/libstrongswan/plugins/curve25519/ref10/ref10.h |   93 +
 src/libstrongswan/plugins/des/Makefile.in          |    2 +-
 src/libstrongswan/plugins/dnskey/Makefile.in       |    2 +-
 src/libstrongswan/plugins/files/Makefile.in        |    2 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |    2 +-
 src/libstrongswan/plugins/gcm/Makefile.in          |    2 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |    2 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |    2 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |    2 +-
 src/libstrongswan/plugins/keychain/Makefile.in     |    2 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |    2 +-
 src/libstrongswan/plugins/md4/Makefile.in          |    2 +-
 src/libstrongswan/plugins/md5/Makefile.in          |    2 +-
 src/libstrongswan/plugins/mgf1/Makefile.in         |    2 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |    2 +-
 src/libstrongswan/plugins/newhope/Makefile.in      |    2 +-
 .../plugins/newhope/tests/Makefile.in              |    2 +-
 src/libstrongswan/plugins/nonce/Makefile.in        |    2 +-
 src/libstrongswan/plugins/ntru/Makefile.in         |    2 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |    2 +-
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |    5 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |    2 +-
 src/libstrongswan/plugins/pem/Makefile.in          |    2 +-
 src/libstrongswan/plugins/pem/pem_encoder.c        |   21 +-
 src/libstrongswan/plugins/pem/pem_plugin.c         |    7 +
 src/libstrongswan/plugins/pgp/Makefile.in          |    2 +-
 src/libstrongswan/plugins/pkcs1/Makefile.in        |    2 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_builder.c    |    9 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c     |    3 +
 src/libstrongswan/plugins/pkcs11/Makefile.in       |    2 +-
 src/libstrongswan/plugins/pkcs12/Makefile.in       |    2 +-
 src/libstrongswan/plugins/pkcs7/Makefile.in        |    2 +-
 src/libstrongswan/plugins/pkcs8/Makefile.in        |    2 +-
 src/libstrongswan/plugins/pkcs8/pkcs8_builder.c    |   15 +-
 src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c     |    2 +
 src/libstrongswan/plugins/plugin_loader.c          |    4 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |    2 +-
 src/libstrongswan/plugins/random/Makefile.in       |    2 +-
 src/libstrongswan/plugins/rc2/Makefile.in          |    2 +-
 src/libstrongswan/plugins/rdrand/Makefile.in       |    2 +-
 src/libstrongswan/plugins/revocation/Makefile.in   |    2 +-
 .../plugins/revocation/revocation_validator.c      |  114 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |    2 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |    2 +-
 src/libstrongswan/plugins/sha3/Makefile.in         |    2 +-
 src/libstrongswan/plugins/soup/Makefile.in         |    2 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |    2 +-
 src/libstrongswan/plugins/sshkey/Makefile.in       |    2 +-
 src/libstrongswan/plugins/test_vectors/Makefile.am |    1 +
 src/libstrongswan/plugins/test_vectors/Makefile.in |    9 +-
 .../plugins/test_vectors/test_vectors.h            |    1 +
 .../plugins/test_vectors/test_vectors/curve25519.c |   34 +
 src/libstrongswan/plugins/unbound/Makefile.in      |    2 +-
 src/libstrongswan/plugins/winhttp/Makefile.in      |    2 +-
 src/libstrongswan/plugins/x509/Makefile.in         |    2 +-
 src/libstrongswan/plugins/x509/x509_cert.c         |  136 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |    2 +-
 src/libstrongswan/selectors/traffic_selector.c     |   35 +-
 src/libstrongswan/selectors/traffic_selector.h     |   64 +-
 src/libstrongswan/settings/settings.c              |    7 +-
 src/libstrongswan/settings/settings_types.c        |    2 +-
 src/libstrongswan/tests/Makefile.am                |    3 +-
 src/libstrongswan/tests/Makefile.in                |   25 +-
 src/libstrongswan/tests/suites/test_chunk.c        |   21 +-
 src/libstrongswan/tests/suites/test_crypter.c      |    3 +-
 src/libstrongswan/tests/suites/test_ed25519.c      |  527 ++++
 src/libstrongswan/tests/suites/test_hasher.c       |   78 +-
 src/libstrongswan/tests/suites/test_host.c         |   10 +-
 .../tests/suites/test_traffic_selector.c           |   12 +-
 src/libstrongswan/tests/test_suite.h               |    2 +
 src/libstrongswan/tests/tests.h                    |    2 +
 src/libstrongswan/utils/chunk.c                    |    8 +-
 src/libstrongswan/utils/compat/windows.h           |    7 +
 src/libtls/Makefile.in                             |    2 +-
 src/libtls/tests/Makefile.in                       |    2 +-
 src/libtls/tests/suites/test_socket.c              |  134 +-
 src/libtls/tls_fragmentation.c                     |    2 +-
 src/libtnccs/Makefile.in                           |    2 +-
 src/libtnccs/plugins/tnc_imc/Makefile.in           |    2 +-
 src/libtnccs/plugins/tnc_imv/Makefile.in           |    2 +-
 src/libtnccs/plugins/tnc_tnccs/Makefile.in         |    2 +-
 src/libtnccs/plugins/tnccs_11/Makefile.in          |    2 +-
 src/libtnccs/plugins/tnccs_20/Makefile.in          |    2 +-
 src/libtnccs/plugins/tnccs_dynamic/Makefile.in     |    2 +-
 src/libtncif/Makefile.in                           |    2 +-
 src/libtpmtss/Makefile.am                          |   27 +-
 src/libtpmtss/Makefile.in                          |  204 +-
 src/libtpmtss/plugins/tpm/Makefile.am              |   21 +
 src/libtpmtss/plugins/tpm/Makefile.in              |  799 ++++++
 src/libtpmtss/plugins/tpm/tpm_plugin.c             |   96 +
 src/libtpmtss/plugins/tpm/tpm_plugin.h             |   42 +
 src/libtpmtss/plugins/tpm/tpm_private_key.c        |  239 ++
 src/libtpmtss/plugins/tpm/tpm_private_key.h        |   49 +
 src/libtpmtss/plugins/tpm/tpm_rng.c                |   94 +
 src/libtpmtss/plugins/tpm/tpm_rng.h                |   47 +
 src/libtpmtss/tpm_tss.h                            |   24 +
 src/libtpmtss/tpm_tss_trousers.c                   |   17 +-
 src/libtpmtss/tpm_tss_tss2.c                       |  225 +-
 src/manager/Makefile.in                            |    2 +-
 src/medsrv/Makefile.in                             |    2 +-
 src/pki/Makefile.in                                |    2 +-
 src/pki/commands/acert.c                           |    4 +-
 src/pki/commands/gen.c                             |   11 +-
 src/pki/commands/issue.c                           |   28 +-
 src/pki/commands/keyid.c                           |   20 +-
 src/pki/commands/print.c                           |   10 +-
 src/pki/commands/pub.c                             |    4 +-
 src/pki/commands/req.c                             |   21 +-
 src/pki/commands/self.c                            |   29 +-
 src/pki/commands/signcrl.c                         |    5 +-
 src/pki/man/Makefile.in                            |    2 +-
 src/pki/man/pki---acert.1.in                       |    3 +-
 src/pki/man/pki---gen.1.in                         |    5 +-
 src/pki/man/pki---issue.1.in                       |   20 +-
 src/pki/man/pki---keyid.1.in                       |   10 +-
 src/pki/man/pki---print.1.in                       |    6 +-
 src/pki/man/pki---pub.1.in                         |    4 +
 src/pki/man/pki---req.1.in                         |   10 +-
 src/pki/man/pki---self.1.in                        |   18 +-
 src/pki/man/pki---signcrl.1.in                     |    3 +-
 src/pki/pki.c                                      |   22 +
 src/pki/pki.h                                      |    9 +
 src/pool/Makefile.in                               |    2 +-
 src/pt-tls-client/Makefile.in                      |    2 +-
 src/scepclient/Makefile.in                         |    2 +-
 src/starter/Makefile.in                            |    2 +-
 src/starter/confread.c                             |    2 +-
 src/starter/tests/Makefile.in                      |    2 +-
 src/stroke/Makefile.in                             |    2 +-
 src/swanctl/Makefile.am                            |    1 +
 src/swanctl/Makefile.in                            |   12 +-
 src/swanctl/command.h                              |    2 +-
 src/swanctl/commands/initiate.c                    |   12 +-
 src/swanctl/commands/install.c                     |   15 +-
 src/swanctl/commands/list_pools.c                  |   14 +-
 src/swanctl/commands/list_sas.c                    |   23 +-
 src/swanctl/commands/load_authorities.c            |    8 +-
 src/swanctl/commands/load_conns.c                  |   67 +-
 src/swanctl/commands/load_creds.c                  |  377 ++-
 src/swanctl/commands/rekey.c                       |  125 +
 src/swanctl/swanctl.8.in                           |    3 +
 src/swanctl/swanctl.conf                           |  123 +-
 src/swanctl/swanctl.conf.5.head.in                 |    3 +-
 src/swanctl/swanctl.conf.5.main                    |  253 +-
 src/swanctl/swanctl.opt                            |  223 +-
 testing/Makefile.in                                |    2 +-
 testing/config/kernel/config-4.10                  | 2524 ++++++++++++++++++
 testing/config/kernel/config-4.9                   | 2502 ++++++++++++++++++
 testing/do-tests                                   |   57 -
 testing/hosts/default/usr/local/bin/init_tnc       |   15 +
 .../etc/openssl/ed25519/newcerts/carolCert.pem     |   13 +
 .../etc/openssl/ed25519/newcerts/daveCert.pem      |   13 +
 .../etc/openssl/ed25519/newcerts/moonCert.pem      |   13 +
 .../etc/openssl/ed25519/newcerts/sunCert.pem       |   13 +
 .../etc/openssl/ed25519/newkeys/carolKey.pem       |    3 +
 .../etc/openssl/ed25519/newkeys/daveKey.pem        |    3 +
 .../etc/openssl/ed25519/newkeys/moonKey.pem        |    3 +
 .../etc/openssl/ed25519/newkeys/sunKey.pem         |    3 +
 .../etc/openssl/ed25519/strongswan_ed25519.crl     |  Bin 0 -> 252 bytes
 .../etc/openssl/ed25519/strongswan_ed25519Cert.pem |   11 +
 .../etc/openssl/ed25519/strongswan_ed25519Key.pem  |    3 +
 testing/hosts/winnetou/etc/openssl/generate-crl    |    3 +
 testing/hosts/winnetou/etc/openssl/index.txt       |    3 +-
 testing/hosts/winnetou/etc/openssl/index.txt.old   |    3 +-
 testing/hosts/winnetou/etc/openssl/newcerts/38.pem |   26 +
 testing/hosts/winnetou/etc/openssl/serial          |    2 +-
 testing/hosts/winnetou/etc/openssl/serial.old      |    2 +-
 testing/hosts/winnetou/etc/strongswan.conf         |    2 +-
 testing/scripts/build-guestkernel                  |    2 +-
 testing/scripts/load-testconfig                    |  119 +-
 testing/scripts/recipes/015_strongTNC.mk           |    2 +-
 testing/testing.conf                               |    6 +-
 .../active-passive/hosts/alice/etc/strongswan.conf |    3 +-
 .../active-passive/hosts/carol/etc/strongswan.conf |    2 +-
 .../active-passive/hosts/dave/etc/strongswan.conf  |    2 +-
 .../active-passive/hosts/moon/etc/strongswan.conf  |    3 +-
 .../ha/both-active/hosts/alice/etc/strongswan.conf |    3 +-
 .../ha/both-active/hosts/carol/etc/strongswan.conf |    2 +-
 .../ha/both-active/hosts/dave/etc/strongswan.conf  |    2 +-
 .../ha/both-active/hosts/moon/etc/strongswan.conf  |    3 +-
 .../ike/rw-cert/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ike/rw-cert/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ike/rw-cert/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw_v1-net_v2/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw_v1-net_v2/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf |    2 +-
 .../alg-3des-md5/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-3des-md5/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |    3 +-
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |    3 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/ikev1/alg-sha256/description.txt     |    2 +-
 testing/tests/ikev1/alg-sha256/evaltest.dat        |    8 +-
 .../ikev1/alg-sha256/hosts/carol/etc/ipsec.conf    |    4 +-
 .../alg-sha256/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev1/alg-sha256/hosts/moon/etc/ipsec.conf     |    4 +-
 .../alg-sha256/hosts/moon/etc/strongswan.conf      |    2 +-
 testing/tests/ikev1/alg-sha384/description.txt     |    2 +-
 testing/tests/ikev1/alg-sha384/evaltest.dat        |    8 +-
 .../ikev1/alg-sha384/hosts/carol/etc/ipsec.conf    |    4 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev1/alg-sha384/hosts/moon/etc/ipsec.conf     |    4 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev1/compress/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev1/compress/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |    2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |    2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |    2 +-
 .../double-nat-net/hosts/alice/etc/strongswan.conf |    2 +-
 .../double-nat-net/hosts/bob/etc/strongswan.conf   |    2 +-
 .../double-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev1/double-nat/hosts/bob/etc/strongswan.conf |    2 +-
 .../dpd-clear/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev1/dpd-clear/hosts/moon/etc/strongswan.conf |    2 +-
 .../dpd-restart/hosts/carol/etc/strongswan.conf    |    2 +-
 .../dpd-restart/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../tests/ikev1/esp-alg-aes-ccm/description.txt    |    4 +-
 .../esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf     |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf      |    4 +-
 .../esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf |    2 +-
 .../tests/ikev1/esp-alg-aes-ctr/description.txt    |    2 +-
 .../esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf     |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf      |    4 +-
 .../esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf |    2 +-
 .../tests/ikev1/esp-alg-aes-gcm/description.txt    |    4 +-
 .../esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf     |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf      |    4 +-
 .../esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf |    2 +-
 .../tests/ikev1/esp-alg-aes-gmac/description.txt   |    2 +-
 .../esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf    |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf     |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf     |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/ikev1/esp-alg-null/evaltest.dat      |    8 +-
 .../ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf  |    4 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf   |    4 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../host2host-ah/hosts/moon/etc/strongswan.conf    |    2 +-
 .../host2host-ah/hosts/sun/etc/strongswan.conf     |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev1/ip-pool/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev1/ip-pool/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev1/ip-pool/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |    2 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |    2 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev1/nat-rw/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev1/nat-rw/hosts/sun/etc/strongswan.conf     |    2 +-
 .../ikev1/nat-rw/hosts/venus/etc/strongswan.conf   |    2 +-
 .../nat-virtual-ip/hosts/moon/etc/strongswan.conf  |    2 +-
 .../nat-virtual-ip/hosts/sun/etc/strongswan.conf   |    2 +-
 testing/tests/ikev1/net2net-ah/description.txt     |    6 +-
 testing/tests/ikev1/net2net-ah/evaltest.dat        |    8 +-
 .../ikev1/net2net-ah/hosts/moon/etc/ipsec.conf     |    4 +-
 .../net2net-ah/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev1/net2net-ah/hosts/sun/etc/ipsec.conf      |    4 +-
 .../ikev1/net2net-ah/hosts/sun/etc/strongswan.conf |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    4 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    4 +-
 testing/tests/ikev1/net2net-esn/description.txt    |    4 +-
 testing/tests/ikev1/net2net-esn/evaltest.dat       |   10 +-
 .../ikev1/net2net-esn/hosts/moon/etc/ipsec.conf    |    4 +-
 .../net2net-esn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ikev1/net2net-esn/hosts/sun/etc/ipsec.conf     |    4 +-
 .../net2net-esn/hosts/sun/etc/strongswan.conf      |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/sun/etc/strongswan.conf                  |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../net2net-psk-fail/hosts/sun/etc/strongswan.conf |    2 +-
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |    4 +-
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |    4 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../rw-cert-unity/hosts/carol/etc/strongswan.conf  |    4 +-
 .../rw-cert-unity/hosts/moon/etc/strongswan.conf   |    4 +-
 .../ikev1/rw-cert/hosts/carol/etc/strongswan.conf  |    3 +-
 .../ikev1/rw-cert/hosts/dave/etc/strongswan.conf   |    3 +-
 .../ikev1/rw-cert/hosts/moon/etc/strongswan.conf   |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |    2 +-
 .../virtual-ip/hosts/carol/etc/strongswan.conf     |    2 +-
 .../virtual-ip/hosts/dave/etc/strongswan.conf      |    2 +-
 .../virtual-ip/hosts/moon/etc/strongswan.conf      |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../xauth-psk/hosts/carol/etc/strongswan.conf      |    4 +-
 .../ikev1/xauth-psk/hosts/dave/etc/strongswan.conf |    4 +-
 .../ikev1/xauth-psk/hosts/moon/etc/strongswan.conf |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../xauth-rsa/hosts/carol/etc/strongswan.conf      |    4 +-
 .../ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf |    4 +-
 .../ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf |    4 +-
 .../acert-cached/hosts/carol/etc/strongswan.conf   |    2 +-
 .../acert-cached/hosts/dave/etc/strongswan.conf    |    2 +-
 .../acert-cached/hosts/moon/etc/strongswan.conf    |    2 +-
 .../acert-fallback/hosts/carol/etc/strongswan.conf |    2 +-
 .../acert-fallback/hosts/moon/etc/strongswan.conf  |    2 +-
 .../acert-inline/hosts/carol/etc/strongswan.conf   |    2 +-
 .../acert-inline/hosts/dave/etc/strongswan.conf    |    2 +-
 .../acert-inline/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../alg-3des-md5/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-3des-md5/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/ikev2/alg-aes-ccm/description.txt    |    4 +-
 .../ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf   |    4 +-
 .../alg-aes-ccm/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf    |    4 +-
 .../alg-aes-ccm/hosts/moon/etc/strongswan.conf     |    2 +-
 testing/tests/ikev2/alg-aes-ctr/description.txt    |    4 +-
 .../ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf   |    4 +-
 .../alg-aes-ctr/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf    |    4 +-
 .../alg-aes-ctr/hosts/moon/etc/strongswan.conf     |    2 +-
 testing/tests/ikev2/alg-aes-gcm/description.txt    |    4 +-
 .../ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf   |    4 +-
 .../alg-aes-gcm/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf    |    4 +-
 .../alg-aes-gcm/hosts/moon/etc/strongswan.conf     |    2 +-
 testing/tests/ikev2/alg-aes-xcbc/description.txt   |    2 +-
 testing/tests/ikev2/alg-aes-xcbc/evaltest.dat      |    4 +-
 .../ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf  |    4 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf   |    4 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |    3 +-
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |    3 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/ikev2/alg-sha256-96/description.txt  |    2 +-
 testing/tests/ikev2/alg-sha256-96/evaltest.dat     |    4 +-
 .../ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf |    4 +-
 .../alg-sha256-96/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf  |    4 +-
 .../alg-sha256-96/hosts/moon/etc/strongswan.conf   |    2 +-
 testing/tests/ikev2/alg-sha256/description.txt     |    2 +-
 testing/tests/ikev2/alg-sha256/evaltest.dat        |    4 +-
 .../ikev2/alg-sha256/hosts/carol/etc/ipsec.conf    |    4 +-
 .../alg-sha256/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev2/alg-sha256/hosts/moon/etc/ipsec.conf     |    4 +-
 .../alg-sha256/hosts/moon/etc/strongswan.conf      |    2 +-
 testing/tests/ikev2/alg-sha384/description.txt     |    2 +-
 testing/tests/ikev2/alg-sha384/evaltest.dat        |    4 +-
 .../ikev2/alg-sha384/hosts/carol/etc/ipsec.conf    |    4 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev2/alg-sha384/hosts/moon/etc/ipsec.conf     |    4 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../any-interface/hosts/alice/etc/strongswan.conf  |    2 +-
 .../any-interface/hosts/bob/etc/strongswan.conf    |    2 +-
 .../any-interface/hosts/moon/etc/strongswan.conf   |    2 +-
 .../any-interface/hosts/sun/etc/strongswan.conf    |    2 +-
 .../compress-nat/hosts/alice/etc/strongswan.conf   |    2 +-
 .../compress-nat/hosts/bob/etc/strongswan.conf     |    2 +-
 .../compress-nat/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev2/compress/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/compress/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |    2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |    2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../crl-from-cache/hosts/carol/etc/strongswan.conf |    2 +-
 .../crl-from-cache/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev2/crl-ldap/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/crl-ldap/hosts/moon/etc/strongswan.conf  |    2 +-
 .../crl-revoked/hosts/carol/etc/strongswan.conf    |    2 +-
 .../crl-revoked/hosts/moon/etc/strongswan.conf     |    2 +-
 .../crl-to-cache/hosts/carol/etc/strongswan.conf   |    2 +-
 .../crl-to-cache/hosts/moon/etc/strongswan.conf    |    2 +-
 .../dhcp-dynamic/hosts/carol/etc/strongswan.conf   |    2 +-
 .../dhcp-dynamic/hosts/dave/etc/strongswan.conf    |    2 +-
 .../dhcp-dynamic/hosts/moon/etc/strongswan.conf    |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../dhcp-static-mac/hosts/dave/etc/strongswan.conf |    2 +-
 .../dhcp-static-mac/hosts/moon/etc/strongswan.conf |    3 +-
 .../double-nat-net/hosts/alice/etc/strongswan.conf |    2 +-
 .../double-nat-net/hosts/bob/etc/strongswan.conf   |    2 +-
 .../double-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/double-nat/hosts/bob/etc/strongswan.conf |    2 +-
 .../dpd-clear/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/dpd-clear/hosts/moon/etc/strongswan.conf |    2 +-
 .../ikev2/dpd-hold/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/dpd-hold/hosts/moon/etc/strongswan.conf  |    2 +-
 .../dpd-restart/hosts/carol/etc/strongswan.conf    |    2 +-
 .../dpd-restart/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../tests/ikev2/esp-alg-aes-gmac/description.txt   |    2 +-
 .../esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf    |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf     |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-md5-128/hosts/moon/etc/strongswan.conf |    2 +-
 testing/tests/ikev2/esp-alg-null/evaltest.dat      |    8 +-
 .../ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf  |    4 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf   |    4 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../esp-alg-sha1-160/hosts/carol/etc/ipsec.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-sha1-160/hosts/moon/etc/ipsec.conf     |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ikev2/farp/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev2/farp/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ikev2/farp/hosts/moon/etc/strongswan.conf      |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../force-udp-encaps/hosts/sun/etc/strongswan.conf |    2 +-
 .../ikev2/forecast/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/forecast/hosts/dave/etc/strongswan.conf  |    2 +-
 .../ikev2/forecast/hosts/moon/etc/strongswan.conf  |    3 +-
 .../host2host-ah/hosts/moon/etc/strongswan.conf    |    2 +-
 .../host2host-ah/hosts/sun/etc/strongswan.conf     |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    5 +
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    5 +
 .../hosts/alice/etc/strongswan.conf                |    5 +
 .../hosts/sun/etc/strongswan.conf                  |    5 +
 .../hosts/venus/etc/strongswan.conf                |    5 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ip-pool-wish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-pool-wish/hosts/dave/etc/strongswan.conf    |    2 +-
 .../ip-pool-wish/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev2/ip-pool/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/ip-pool/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/ip-pool/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ip-two-pools-db/hosts/dave/etc/strongswan.conf |    2 +-
 .../ip-two-pools-db/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-two-pools/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev2/lookip/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev2/lookip/hosts/dave/etc/strongswan.conf    |    2 +-
 .../ikev2/lookip/hosts/moon/etc/strongswan.conf    |    2 +-
 .../mobike-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/mobike-nat/hosts/sun/etc/strongswan.conf |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ikev2/mobike/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev2/mobike/hosts/sun/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |    2 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |    2 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |    2 +-
 .../nat-rw-mark/hosts/alice/etc/strongswan.conf    |    2 +-
 .../nat-rw-mark/hosts/sun/etc/strongswan.conf      |    2 +-
 .../nat-rw-mark/hosts/venus/etc/strongswan.conf    |    2 +-
 .../nat-rw-psk/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf |    2 +-
 .../nat-rw-psk/hosts/venus/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-rw/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev2/nat-rw/hosts/sun/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-rw/hosts/venus/etc/strongswan.conf   |    2 +-
 .../nat-virtual-ip/hosts/moon/etc/strongswan.conf  |    2 +-
 .../nat-virtual-ip/hosts/sun/etc/strongswan.conf   |    2 +-
 testing/tests/ikev2/net2net-ah/description.txt     |    6 +-
 testing/tests/ikev2/net2net-ah/evaltest.dat        |    8 +-
 .../ikev2/net2net-ah/hosts/moon/etc/ipsec.conf     |    4 +-
 .../net2net-ah/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev2/net2net-ah/hosts/sun/etc/ipsec.conf      |    4 +-
 .../ikev2/net2net-ah/hosts/sun/etc/strongswan.conf |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../net2net-dnscert/hosts/moon/etc/strongswan.conf |    2 +-
 .../net2net-dnscert/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-dnssec/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-dnssec/hosts/sun/etc/strongswan.conf   |    2 +-
 .../tests/ikev2/net2net-ed25519/description.txt    |    6 +
 testing/tests/ikev2/net2net-ed25519/evaltest.dat   |    9 +
 .../net2net-ed25519/hosts/moon/etc/ipsec.conf      |   24 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |   11 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   13 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |    3 +
 .../net2net-ed25519/hosts/moon/etc/ipsec.secrets   |    3 +
 .../net2net-ed25519/hosts/moon/etc/strongswan.conf |    6 +
 .../ikev2/net2net-ed25519/hosts/sun/etc/ipsec.conf |   24 +
 .../sun/etc/ipsec.d/cacerts/strongswanCert.pem     |   11 +
 .../hosts/sun/etc/ipsec.d/certs/sunCert.pem        |   13 +
 .../hosts/sun/etc/ipsec.d/private/sunKey.pem       |    3 +
 .../net2net-ed25519/hosts/sun/etc/ipsec.secrets    |    8 +
 .../net2net-ed25519/hosts/sun/etc/strongswan.conf  |    6 +
 testing/tests/ikev2/net2net-ed25519/posttest.dat   |    5 +
 testing/tests/ikev2/net2net-ed25519/pretest.dat    |    7 +
 testing/tests/ikev2/net2net-ed25519/test.conf      |   21 +
 testing/tests/ikev2/net2net-esn/description.txt    |    4 +-
 testing/tests/ikev2/net2net-esn/evaltest.dat       |    8 +-
 .../ikev2/net2net-esn/hosts/moon/etc/ipsec.conf    |    4 +-
 .../net2net-esn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ikev2/net2net-esn/hosts/sun/etc/ipsec.conf     |    4 +-
 .../net2net-esn/hosts/sun/etc/strongswan.conf      |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/sun/etc/strongswan.conf                  |    3 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../net2net-pgp-v3/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-pgp-v3/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-pgp-v4/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-pgp-v4/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-pkcs12/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-pkcs12/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../net2net-psk-dscp/hosts/sun/etc/strongswan.conf |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../net2net-psk-fail/hosts/sun/etc/strongswan.conf |    2 +-
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |    2 +-
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |    2 +-
 .../net2net-pubkey/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-pubkey/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-rfc3779/hosts/moon/etc/strongswan.conf |    2 +-
 .../net2net-rfc3779/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../net2net-rsa/hosts/moon/etc/strongswan.conf     |    2 +-
 .../net2net-rsa/hosts/sun/etc/strongswan.conf      |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../net2net-start/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-start/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ocsp-local-cert/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ocsp-revoked/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ocsp-revoked/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ocsp-root-cert/hosts/carol/etc/strongswan.conf |    2 +-
 .../ocsp-root-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../carol/etc/ipsec.d/certs/carolCert-ocsp.pem     |  103 +-
 .../carol/etc/ipsec.d/private/carolKey-ocsp.pem    |   50 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../carol/etc/ipsec.d/certs/carolCert-ocsp.pem     |  103 +-
 .../carol/etc/ipsec.d/private/carolKey-ocsp.pem    |   50 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |    2 +-
 .../reauth-early/hosts/carol/etc/strongswan.conf   |    2 +-
 .../reauth-early/hosts/moon/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/carol/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../reauth-mbb/hosts/carol/etc/strongswan.conf     |    2 +-
 .../reauth-mbb/hosts/moon/etc/strongswan.conf      |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../redirect-active/hosts/dave/etc/strongswan.conf |    2 +-
 .../redirect-active/hosts/moon/etc/strongswan.conf |    2 +-
 testing/tests/ikev2/rw-cert/evaltest.dat           |    1 -
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../rw-dnssec/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf |    2 +-
 .../ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../rw-eap-dynamic/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-dynamic/hosts/dave/etc/strongswan.conf  |    2 +-
 .../rw-eap-dynamic/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-eap-peap-md5/hosts/dave/etc/strongswan.conf |    2 +-
 .../rw-eap-peap-md5/hosts/moon/etc/strongswan.conf |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../tests/ikev2/rw-eap-sim-only-radius/pretest.dat |    3 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    3 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-hash-and-url/hosts/dave/etc/strongswan.conf |    2 +-
 .../rw-hash-and-url/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-mark-in-out/hosts/alice/etc/strongswan.conf |    2 +-
 .../rw-mark-in-out/hosts/sun/etc/strongswan.conf   |    2 +-
 .../rw-mark-in-out/hosts/venus/etc/strongswan.conf |    2 +-
 .../ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf  |    2 +-
 .../ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf  |    2 +-
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-psk-no-idr/hosts/carol/etc/strongswan.conf  |    2 +-
 .../rw-psk-no-idr/hosts/dave/etc/strongswan.conf   |    2 +-
 .../rw-psk-no-idr/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-sig-auth/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-sig-auth/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-sig-auth/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-whitelist/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-whitelist/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-whitelist/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ikev2/trap-any/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/trap-any/hosts/dave/etc/strongswan.conf  |    2 +-
 .../ikev2/trap-any/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev2/trap-any/hosts/sun/etc/strongswan.conf   |    2 +-
 .../two-certs/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/two-certs/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../virtual-ip/hosts/carol/etc/strongswan.conf     |    2 +-
 .../virtual-ip/hosts/dave/etc/strongswan.conf      |    2 +-
 .../virtual-ip/hosts/moon/etc/strongswan.conf      |    2 +-
 .../wildcards/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/wildcards/hosts/dave/etc/strongswan.conf |    2 +-
 .../ikev2/wildcards/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev1/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev1/hosts/sun/etc/strongswan.conf  |    2 +-
 .../host2host-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-ikev1/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-ikev1/hosts/sun/etc/strongswan.conf    |    2 +-
 .../net2net-ikev2/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-ikev2/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-psk-ikev1/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-psk-ikev1/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-psk-ikev1/hosts/moon/etc/strongswan.conf    |    2 +-
 .../rw-psk-ikev2/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-psk-ikev2/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-psk-ikev2/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../transport-ikev1/hosts/moon/etc/strongswan.conf |    2 +-
 .../transport-ikev1/hosts/sun/etc/strongswan.conf  |    2 +-
 .../transport-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../transport-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    3 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    3 +-
 testing/tests/libipsec/net2net-3des/evaltest.dat   |    4 +-
 .../net2net-3des/hosts/moon/etc/ipsec.conf         |    4 +-
 .../net2net-3des/hosts/moon/etc/strongswan.conf    |    2 +-
 .../libipsec/net2net-3des/hosts/sun/etc/ipsec.conf |    4 +-
 .../net2net-3des/hosts/sun/etc/strongswan.conf     |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../net2net-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-null/hosts/sun/etc/strongswan.conf     |    2 +-
 .../rw-suite-b/hosts/carol/etc/strongswan.conf     |    2 +-
 .../rw-suite-b/hosts/dave/etc/strongswan.conf      |    2 +-
 .../rw-suite-b/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ecdsa-certs/hosts/carol/etc/ipsec.conf         |    2 +
 .../ecdsa-certs/hosts/dave/etc/ipsec.conf          |    2 +
 .../ecdsa-certs/hosts/moon/etc/ipsec.conf          |    2 +
 .../critical-extension/hosts/moon/etc/ipsec.conf   |    2 +
 .../critical-extension/hosts/sun/etc/ipsec.conf    |    2 +
 .../ecdsa-certs/hosts/carol/etc/ipsec.conf         |    2 +
 .../ecdsa-certs/hosts/dave/etc/ipsec.conf          |    2 +
 .../ecdsa-certs/hosts/moon/etc/ipsec.conf          |    2 +
 .../ecdsa-pkcs8/hosts/carol/etc/ipsec.conf         |    2 +
 .../ecdsa-pkcs8/hosts/dave/etc/ipsec.conf          |    2 +
 .../ecdsa-pkcs8/hosts/moon/etc/ipsec.conf          |    2 +
 .../net2net-pgp-v3/hosts/moon/etc/ipsec.conf       |    5 +-
 .../net2net-pgp-v3/hosts/sun/etc/ipsec.conf        |    3 +
 .../net2net-pkcs12/hosts/moon/etc/ipsec.conf       |    2 +
 .../net2net-pkcs12/hosts/sun/etc/ipsec.conf        |    4 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../medsrv-psk/hosts/alice/etc/strongswan.conf     |    2 +-
 .../medsrv-psk/hosts/bob/etc/strongswan.conf       |    2 +-
 .../medsrv-psk/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../pfkey/compress/hosts/carol/etc/strongswan.conf |    2 +-
 .../pfkey/compress/hosts/moon/etc/strongswan.conf  |    2 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../pfkey/nat-rw/hosts/alice/etc/strongswan.conf   |    2 +-
 .../pfkey/nat-rw/hosts/sun/etc/strongswan.conf     |    2 +-
 .../pfkey/nat-rw/hosts/venus/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |    2 +-
 .../pfkey/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../pfkey/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../pfkey/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 testing/tests/swanctl/config-payload/evaltest.dat  |    8 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/moon/etc/swanctl/swanctl_base.conf       |    4 +-
 testing/tests/swanctl/dhcp-dynamic/evaltest.dat    |    8 +-
 .../dhcp-dynamic/hosts/carol/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../dhcp-dynamic/hosts/dave/etc/strongswan.conf    |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../dhcp-dynamic/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 testing/tests/swanctl/ip-pool-db/evaltest.dat      |    8 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf |    4 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf |    4 +-
 testing/tests/swanctl/ip-pool/evaltest.dat         |    8 +-
 .../ip-pool/hosts/carol/etc/strongswan.conf        |    2 +-
 .../ip-pool/hosts/carol/etc/swanctl/swanctl.conf   |    4 +-
 .../swanctl/ip-pool/hosts/dave/etc/strongswan.conf |    2 +-
 .../ip-pool/hosts/dave/etc/swanctl/swanctl.conf    |    4 +-
 .../swanctl/ip-pool/hosts/moon/etc/strongswan.conf |    2 +-
 .../ip-pool/hosts/moon/etc/swanctl/swanctl.conf    |    4 +-
 testing/tests/swanctl/manual-prio/evaltest.dat     |    8 +-
 .../manual-prio/hosts/carol/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../manual-prio/hosts/dave/etc/strongswan.conf     |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../manual-prio/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat  |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 testing/tests/swanctl/net2net-cert/evaltest.dat    |    4 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 .../tests/swanctl/net2net-ed25519/description.txt  |    6 +
 testing/tests/swanctl/net2net-ed25519/evaltest.dat |    7 +
 .../net2net-ed25519/hosts/moon/etc/strongswan.conf |   22 +
 .../hosts/moon/etc/swanctl/pkcs8/moonKey.pem       |    3 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   33 +
 .../hosts/moon/etc/swanctl/x509/moonCert.pem       |   13 +
 .../moon/etc/swanctl/x509ca/strongswanCert.pem     |   11 +
 .../net2net-ed25519/hosts/sun/etc/strongswan.conf  |   22 +
 .../hosts/sun/etc/swanctl/pkcs8/sunKey.pem         |    3 +
 .../hosts/sun/etc/swanctl/swanctl.conf             |   33 +
 .../hosts/sun/etc/swanctl/x509/sunCert.pem         |   13 +
 .../sun/etc/swanctl/x509ca/strongswanCert.pem      |   11 +
 testing/tests/swanctl/net2net-ed25519/posttest.dat |    7 +
 testing/tests/swanctl/net2net-ed25519/pretest.dat  |    9 +
 testing/tests/swanctl/net2net-ed25519/test.conf    |   25 +
 testing/tests/swanctl/net2net-gw/evaltest.dat      |    4 +-
 .../net2net-gw/hosts/carol/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../net2net-gw/hosts/moon/etc/strongswan.conf      |    2 +-
 .../net2net-gw/hosts/moon/etc/swanctl/swanctl.conf |    4 +-
 .../net2net-gw/hosts/sun/etc/strongswan.conf       |    2 +-
 .../net2net-gw/hosts/sun/etc/swanctl/swanctl.conf  |    4 +-
 .../tests/swanctl/net2net-multicast/evaltest.dat   |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 testing/tests/swanctl/net2net-route/evaltest.dat   |    4 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 .../swanctl/net2net-sha3-rsa-cert/evaltest.dat     |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 testing/tests/swanctl/net2net-start/evaltest.dat   |    4 +-
 .../net2net-start/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../net2net-start/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 .../tests/swanctl/ocsp-disabled/description.txt    |   10 +
 testing/tests/swanctl/ocsp-disabled/evaltest.dat   |    8 +
 .../ocsp-disabled/hosts/carol/etc/strongswan.conf  |   16 +
 .../hosts/carol/etc/swanctl/rsa/carolKey.pem       |   27 +
 .../hosts/carol/etc/swanctl/swanctl.conf           |   35 +
 .../hosts/carol/etc/swanctl/x509/carolCert.pem     |   26 +
 .../ocsp-disabled/hosts/moon/etc/strongswan.conf   |   15 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   25 +
 testing/tests/swanctl/ocsp-disabled/posttest.dat   |    3 +
 testing/tests/swanctl/ocsp-disabled/pretest.dat    |    5 +
 testing/tests/swanctl/ocsp-disabled/test.conf      |   25 +
 .../tests/swanctl/ocsp-signer-cert/description.txt |   10 +
 .../tests/swanctl/ocsp-signer-cert/evaltest.dat    |   11 +
 .../hosts/carol/etc/strongswan.conf                |   11 +
 .../hosts/carol/etc/swanctl/rsa/carolKey.pem       |   27 +
 .../hosts/carol/etc/swanctl/swanctl.conf           |   35 +
 .../hosts/carol/etc/swanctl/x509/carolCert.pem     |   26 +
 .../hosts/moon/etc/strongswan.conf                 |   10 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   25 +
 .../tests/swanctl/ocsp-signer-cert/posttest.dat    |    3 +
 testing/tests/swanctl/ocsp-signer-cert/pretest.dat |    5 +
 testing/tests/swanctl/ocsp-signer-cert/test.conf   |   25 +
 testing/tests/swanctl/protoport-dual/evaltest.dat  |    4 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    6 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    6 +-
 testing/tests/swanctl/protoport-range/evaltest.dat |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    8 +-
 .../protoport-range/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    8 +-
 testing/tests/swanctl/rw-cert/evaltest.dat         |    8 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/carol/etc/swanctl/swanctl.conf   |    4 +-
 .../swanctl/rw-cert/hosts/dave/etc/strongswan.conf |    2 +-
 .../rw-cert/hosts/dave/etc/swanctl/swanctl.conf    |    4 +-
 .../swanctl/rw-cert/hosts/moon/etc/strongswan.conf |    2 +-
 .../rw-cert/hosts/moon/etc/swanctl/swanctl.conf    |    4 +-
 testing/tests/swanctl/rw-dnssec/evaltest.dat       |    8 +-
 .../rw-dnssec/hosts/carol/etc/strongswan.conf      |    2 +-
 .../rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf |    4 +-
 .../rw-dnssec/hosts/dave/etc/strongswan.conf       |    2 +-
 .../rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf  |    4 +-
 .../rw-dnssec/hosts/moon/etc/strongswan.conf       |    2 +-
 .../rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf  |    4 +-
 .../tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat |    8 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 testing/tests/swanctl/rw-hash-and-url/evaltest.dat |    8 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../rw-hash-and-url/hosts/dave/etc/strongswan.conf |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../rw-hash-and-url/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../swanctl/rw-multi-ciphers-ikev1/evaltest.dat    |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    6 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/swanctl/rw-psk-fqdn/evaltest.dat     |    8 +-
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |    4 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf     |    4 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |    4 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 testing/tests/swanctl/rw-psk-ikev1/evaltest.dat    |    8 +-
 .../rw-psk-ikev1/hosts/carol/etc/strongswan.conf   |    4 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../rw-psk-ikev1/hosts/dave/etc/strongswan.conf    |    4 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../rw-psk-ikev1/hosts/moon/etc/strongswan.conf    |    4 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    8 +-
 testing/tests/swanctl/rw-psk-ipv4/evaltest.dat     |    8 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    4 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf     |    4 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |    4 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../swanctl/shunt-policies-nat-rw/evaltest.dat     |    8 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/alice/etc/swanctl/swanctl.conf           |    4 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../hosts/venus/etc/swanctl/swanctl.conf           |    4 +-
 .../hosts/alice/etc/strongTNC/settings.ini         |    2 +-
 testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat     |    2 +-
 .../hosts/alice/etc/strongTNC/settings.ini         |    2 +-
 testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat  |    2 +-
 1427 files changed, 26630 insertions(+), 5087 deletions(-)

diff --git a/Android.common.mk b/Android.common.mk
index 3447d5b..56e5fd8 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.5.1"
+strongswan_VERSION := "5.5.2"
 
diff --git a/Makefile.am b/Makefile.am
index 64b858d..a02c576 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -54,7 +54,7 @@ cov-report:
 		@mkdir $(top_builddir)/coverage
 		lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \
 			 --rc lcov_branch_coverage=1
-		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
+		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' '*/suites/*' '/usr*' \
 			 -o $(top_builddir)/coverage/coverage.cleaned.info \
 			 --rc lcov_branch_coverage=1
 		genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \
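Review bot: The new `'/usr*'` exclusion passed to `lcov -r` has no path separator after `usr`, so it matches any absolute path that merely begins with `/usr`, not only system headers. If the tree is ever built under `/usr/src` or `/usr/local/src`, this would presumably strip the project's own records from `coverage.cleaned.info` and leave an empty or misleading report. If the intent is only to drop system headers, a narrower pattern such as `'/usr/include/*'` states that more precisely. The same pattern appears in the generated `Makefile.in` hunk and would follow from regenerating it. The `cov-report` recipe continues past the end of this hunk.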
diff --git a/Makefile.in b/Makefile.in
index c85aa44..521c253 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -388,7 +388,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -423,6 +422,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -1031,7 +1031,7 @@ cov-reset-common:
 @COVERAGE_TRUE@		@mkdir $(top_builddir)/coverage
 @COVERAGE_TRUE@		lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \
 @COVERAGE_TRUE@			 --rc lcov_branch_coverage=1
- at COVERAGE_TRUE@		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
+ at COVERAGE_TRUE@		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' '*/suites/*' '/usr*' \
 @COVERAGE_TRUE@			 -o $(top_builddir)/coverage/coverage.cleaned.info \
 @COVERAGE_TRUE@			 --rc lcov_branch_coverage=1
 @COVERAGE_TRUE@		genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \
diff --git a/NEWS b/NEWS
index 3a7aba8..aed5ee1d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,44 @@
+strongswan-5.5.2
+----------------
+
+- Support of Diffie-Hellman group 31 using Curve25519 for IKE as defined
+  by RFC 8031.
+
+- Support of Ed25519 digital signature algorithm for IKEv2 as defined by
+  draft-ietf-ipsecme-eddsa. Ed25519-based public key pairs, X.509 certificates
+  and CRLs can be generated and printed by the pki tool.
+
+- The new "tpm" libtpmtss plugin allows to use persistent private RSA and ECDSA
+  keys bound to a TPM 2.0 for both IKE and TLS authentication. Using the
+  TPM 2.0 object handle as keyid parameter, the pki --pub tool can extract
+  the public key from the TPM thereby replacing the aikpub2 tool. In a similar
+  fashion pki --req can generate a PKCS#10 certificate request signed with
+  the TPM private key.
+
+- The pki tool gained support for generating certificates with the RFC 3779
+  addrblock extension. The charon addrblock plugin now dynamically narrows
+  traffic selectors based on the certificate addrblocks instead of rejecting
+  non-matching selectors completely. This allows generic connections, where
+  the allowed selectors are defined by the used certificates only.
+
+- In-place update of cached base and delta CRLs does not leave dozens
+  of stale copies in cache memory.
+
+- Several new features for the VICI interface and the swanctl utility: Querying
+  specific pools, enumerating and unloading keys and shared secrets, loading
+  keys and certificates from PKCS#11 tokens, the ability to initiate, install
+  and uninstall connections and policies by their exact name (if multiple child
+  sections in different connections share the same name), a command to initiate
+  the rekeying of IKE and IPsec SAs, support for settings previously only
+  supported by the old config files (plain pubkeys, dscp, certificate policies,
+  IPv6 Transport Proxy Mode, NT Hash secrets, mediation extension).
+
+  Important:  Due to issues with VICI bindings that map sub-sections to
+  dictionaries the CHILD_SA sections returned via list-sas now have a unique
+  name, the original name of a CHILD_SA is returned in the "name" key of its
+  section.
+
+
 strongswan-5.5.1
 ----------------
 
@@ -1356,7 +1397,7 @@ strongswan-4.3.5
   correctly if the system time changes (e.g. when using NTP).
 
 - In addition to time based rekeying, charon supports IPsec SA lifetimes based
-  on processed volume or number of packets. They new ipsec.conf paramaters
+  on processed volume or number of packets. They new ipsec.conf parameters
   'lifetime' (an alias to 'keylife'), 'lifebytes' and 'lifepackets' handle
   SA timeouts, while the parameters 'margintime' (an alias to rekeymargin),
   'marginbytes' and 'marginpackets' trigger the rekeying before a SA expires.
@@ -1584,7 +1625,7 @@ strongswan-4.2.10
   counterparts with better lookup times.
 
 - Better parallelization to run charon on multiple cores. Due to improved
-  ressource locking and other optimizations the daemon can take full
+  resource locking and other optimizations the daemon can take full
   advantage of 16 or even more cores.
 
 - The load-tester plugin can use a NULL Diffie-Hellman group and simulate
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 4588b09..eb5c9c2 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -9,7 +9,6 @@ pluginstemplatedir = $(templatesdir)/plugins
 
 options = \
 	options/aikgen.opt \
-	options/aikpub2.opt \
 	options/attest.opt \
 	options/charon.opt \
 	options/charon-logging.opt \
@@ -28,10 +27,12 @@ options = \
 	options/tnc.opt
 
 plugins = \
+	plugins/addrblock.opt \
 	plugins/android_log.opt \
 	plugins/attr.opt \
 	plugins/attr-sql.opt \
 	plugins/bliss.opt \
+	plugins/bypass-lan.opt \
 	plugins/certexpire.opt \
 	plugins/coupling.opt \
 	plugins/dhcp.opt \
@@ -80,6 +81,7 @@ plugins = \
 	plugins/radattr.opt \
 	plugins/random.opt \
 	plugins/resolve.opt \
+	plugins/revocation.opt \
 	plugins/socket-default.opt \
 	plugins/sql.opt \
 	plugins/stroke.opt \
@@ -90,6 +92,7 @@ plugins = \
 	plugins/tnc-pdp.opt \
 	plugins/tnccs-11.opt \
 	plugins/tnccs-20.opt \
+	plugins/tpm.opt \
 	plugins/unbound.opt \
 	plugins/updown.opt \
 	plugins/vici.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index e6d66a2..70e1b01 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -312,7 +312,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -347,6 +346,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -407,7 +407,6 @@ optionstemplatedir = $(templatesdir)/strongswan.d
 pluginstemplatedir = $(templatesdir)/plugins
 options = \
 	options/aikgen.opt \
-	options/aikpub2.opt \
 	options/attest.opt \
 	options/charon.opt \
 	options/charon-logging.opt \
@@ -426,10 +425,12 @@ options = \
 	options/tnc.opt
 
 plugins = \
+	plugins/addrblock.opt \
 	plugins/android_log.opt \
 	plugins/attr.opt \
 	plugins/attr-sql.opt \
 	plugins/bliss.opt \
+	plugins/bypass-lan.opt \
 	plugins/certexpire.opt \
 	plugins/coupling.opt \
 	plugins/dhcp.opt \
@@ -478,6 +479,7 @@ plugins = \
 	plugins/radattr.opt \
 	plugins/random.opt \
 	plugins/resolve.opt \
+	plugins/revocation.opt \
 	plugins/socket-default.opt \
 	plugins/sql.opt \
 	plugins/stroke.opt \
@@ -488,6 +490,7 @@ plugins = \
 	plugins/tnc-pdp.opt \
 	plugins/tnccs-11.opt \
 	plugins/tnccs-20.opt \
+	plugins/tpm.opt \
 	plugins/unbound.opt \
 	plugins/updown.opt \
 	plugins/vici.opt \
diff --git a/conf/options/aikpub2.conf b/conf/options/aikpub2.conf
deleted file mode 100644
index fd48f2c..0000000
--- a/conf/options/aikpub2.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-aikpub2 {
-
-    # Plugins to load in aikpub2 tool.
-    # load =
-
-}
-
diff --git a/conf/options/aikpub2.opt b/conf/options/aikpub2.opt
deleted file mode 100644
index 6a755d2..0000000
--- a/conf/options/aikpub2.opt
+++ /dev/null
@@ -1,2 +0,0 @@
-aikpub2.load =
-	Plugins to load in aikpub2 tool.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index f72041e..1b5d52d 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -164,6 +164,9 @@ charon {
     # will be allocated.
     # port_nat_t = 4500
 
+    # Wether to prefer updating SAs to the path with the best route.
+    # prefer_best_path = no
+
     # Prefer locally configured proposals for IKE/IPsec over supplied ones as
     # responder (disabling this can avoid keying retries due to
     # INVALID_KE_PAYLOAD notifies).
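Review bot: The added comment for `prefer_best_path` misspells "Whether" as "Wether". The same text is the short description of `charon.prefer_best_path` in the conf/options/charon.opt hunk, which is presumably the source this template is generated from. Suggested line: `# Whether to prefer updating SAs to the path with the best route.`, with the matching fix in charon.opt so the two stay in sync.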
@@ -236,6 +239,12 @@ charon {
     # Whether to enable constraints against IKEv2 signature schemes.
     # signature_authentication_constraints = yes
 
+    # The upper limit for SPIs requested from the kernel for IPsec SAs.
+    # spi_max = 0xcfffffff
+
+    # The lower limit for SPIs requested from the kernel for IPsec SAs.
+    # spi_min = 0xc0000000
+
     # Number of worker threads in charon.
     # threads = 16
 
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 6e0b37c..4c4311e 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -260,6 +260,16 @@ charon.port_nat_t = 4500
 	allocated.  Has to be different from **charon.port**, otherwise a random
 	port will be allocated.
 
+charon.prefer_best_path = no
+	Wether to prefer updating SAs to the path with the best route.
+
+	By default, charon keeps SAs on the routing path with addresses it
+	previously used if that path is still usable. By setting this option to
+	yes, it tries more aggressively to update SAs with MOBIKE on routing
+	priority changes using the cheapest path. This adds more noise, but allows
+	to dynamically adapt SAs to routing priority changes. This option has no
+	effect if MOBIKE is not supported or disabled.
+
 charon.prefer_configured_proposals = yes
 	Prefer locally configured proposals for	IKE/IPsec over supplied ones as
 	responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
@@ -340,6 +350,16 @@ charon.signature_authentication_constraints = yes
 	certificate chain, are also used as constraints against the signature scheme
 	used by peers during IKEv2.
 
+charon.spi_min = 0xc0000000
+	The lower limit for SPIs requested from the kernel for IPsec SAs.
+
+	The lower limit for SPIs requested from the kernel for IPsec SAs. Should not
+	be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved
+	by IANA.
+
+charon.spi_max = 0xcfffffff
+	The upper limit for SPIs requested from the kernel for IPsec SAs.
+
 charon.start-scripts {}
 	Section containing a list of scripts (name = path) that are executed when
 	the daemon is started.
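Review bot: `charon.spi_max` gets only a short description, and neither entry says how the two limits relate or what happens when `spi_min` is set above `spi_max`; whether the daemon validates the range is not visible in this diff. The long description of `charon.spi_min` also repeats its short description verbatim before adding the IANA note. I would drop the repeated sentence and, if the code enforces it, add to `spi_max` something like `Has to be greater than or equal to **charon.spi_min**.` The conf/options/charon.conf hunk carries the same short descriptions.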
diff --git a/conf/plugins/addrblock.conf b/conf/plugins/addrblock.conf
new file mode 100644
index 0000000..2749613
--- /dev/null
+++ b/conf/plugins/addrblock.conf
@@ -0,0 +1,11 @@
+addrblock {
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+    # Whether to strictly require addrblock extension in subject certificates.
+    # strict = yes
+
+}
+
diff --git a/conf/plugins/addrblock.opt b/conf/plugins/addrblock.opt
new file mode 100644
index 0000000..e35e4c5
--- /dev/null
+++ b/conf/plugins/addrblock.opt
@@ -0,0 +1,8 @@
+charon.plugins.addrblock.strict = yes
+	Whether to strictly require addrblock extension in subject certificates.
+
+	If set to yes, a subject certificate without an addrblock extension is
+	rejected if the issuer certificate has such an addrblock extension. If set
+	to no, subject certificates issued without the addrblock extension are
+	accepted without any traffic selector checks and no policy is enforced
+	by the plugin.
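Review bot: The text for `strict = no` describes a fail-open mode without naming it as one: a subject certificate that omits the addrblock extension is then accepted with no traffic selector checks, even when its issuer carries the extension. Since the default is `yes`, I would add a closing sentence so an operator sees the consequence of relaxing it, for example `Disabling this removes the address block restriction for any subject certificate issued without the extension.` The same option appears with only its short description in conf/plugins/addrblock.conf.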
diff --git a/conf/plugins/bypass-lan.conf b/conf/plugins/bypass-lan.conf
new file mode 100644
index 0000000..ad496db
--- /dev/null
+++ b/conf/plugins/bypass-lan.conf
@@ -0,0 +1,17 @@
+bypass-lan {
+
+    # A comma-separated list of network interfaces for which connected subnets
+    # should be ignored, if interfaces_use is specified this option has no
+    # effect.
+    # interfaces_ignore =
+
+    # A comma-separated list of network interfaces for which connected subnets
+    # should be considered. All other interfaces are ignored.
+    # interfaces_use =
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+}
+
diff --git a/conf/plugins/bypass-lan.opt b/conf/plugins/bypass-lan.opt
new file mode 100644
index 0000000..8c72fac
--- /dev/null
+++ b/conf/plugins/bypass-lan.opt
@@ -0,0 +1,8 @@
+charon.plugins.bypass-lan.interfaces_ignore
+	A comma-separated list of network interfaces for which connected subnets
+	should be ignored, if **interfaces_use** is specified this option has no
+	effect.
+
+charon.plugins.bypass-lan.interfaces_use
+	A comma-separated list of network interfaces for which connected subnets
+	should be considered. All other interfaces are ignored.
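Review bot: Neither description says what happens to the subnets that are "considered". Going by the `--enable-bypass-lan` help text in the configure hunk of this commit, the plugin installs bypass policies for them, which means traffic to those subnets is exempt from the IPsec policies. Because the connected subnets follow from whatever address configuration each interface receives, the text should point operators at `interfaces_use`, e.g. `Traffic to connected subnets of considered interfaces bypasses IPsec policies; restrict this to trusted interfaces with **interfaces_use**.` The first entry also has a comma splice at `ignored, if`, which reads better as two sentences.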
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 47f7d58..22d94ee 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -3,6 +3,9 @@ kernel-netlink {
     # Buffer size for received Netlink messages.
     # buflen = <min(PAGE_SIZE, 8192)>
 
+    # Force maximum Netlink receive buffer on Netlink socket.
+    # force_receive_buffer_size = no
+
     # Firewall mark to set on the routing rule that directs traffic to our
     # routing table.
     # fwmark =
@@ -32,6 +35,9 @@ kernel-netlink {
     # Whether to use port or socket based IKE XFRM bypass policies.
     # port_bypass = no
 
+    # Maximum Netlink socket receive buffer in bytes.
+    # receive_buffer_size = 0
+
     # Number of Netlink message retransmissions to send on timeout.
     # retries = 0
 
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 77ba6ea..1136af1 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -1,6 +1,14 @@
 charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)>
 	Buffer size for received Netlink messages.
 
+charon.plugins.kernel-netlink.force_receive_buffer_size = no
+	Force maximum Netlink receive buffer on Netlink socket.
+
+	If the maximum Netlink socket receive buffer in bytes set by
+	_receive_buffer_size_ exceeds the system-wide maximum from
+	/proc/sys/net/core/rmem_max, this option can be used to override the limit.
+	Enabling this option requires special priviliges (CAP_NET_ADMIN).
+
 charon.plugins.kernel-netlink.fwmark =
 	Firewall mark to set on the routing rule that directs traffic to our routing
 	table.
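Review bot: `priviliges` in the last added line should be `privileges` (the typo is carried into conf/strongswan.conf.5.main), and the entry does not say what happens when the option is enabled but the daemon lacks CAP_NET_ADMIN. Corrected line: `Enabling this option requires special privileges (CAP_NET_ADMIN).` A follow-on sentence stating whether the daemon falls back to the system limit or fails would help operators who run charon with reduced capabilities. In the second hunk of this file, `receive_buffer_size = 0` is documented as defaulting to rmem_default without saying that 0 means "leave the system default". Its long description also repeats the short one, and there is a stray tab before `is enabled.`.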
@@ -39,6 +47,15 @@ charon.plugins.kernel-netlink.port_bypass = no
 	port based policies use global XFRM bypass policies for the used IKE UDP
 	ports.
 
+charon.plugins.kernel-netlink.receive_buffer_size = 0
+	Maximum Netlink socket receive buffer in bytes.
+
+	Maximum Netlink socket receive buffer in bytes. This value controls how many
+	bytes of Netlink messages can be received on a Netlink socket. The default
+	value is set by /proc/sys/net/core/rmem_default. The specified value cannot
+	exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless
+	_force_receive_buffer_size_	is enabled.
+
 charon.plugins.kernel-netlink.roam_events = yes
 	Whether to trigger roam events when interfaces, addresses or routes change.
 
diff --git a/conf/plugins/pkcs11.conf b/conf/plugins/pkcs11.conf
index 35248c2..c786a9a 100644
--- a/conf/plugins/pkcs11.conf
+++ b/conf/plugins/pkcs11.conf
@@ -4,9 +4,6 @@ pkcs11 {
     # priority of this plugin.
     load = yes
 
-    # Whether to load certificates from tokens.
-    # load_certs = yes
-
     # Reload certificates from all tokens if charon receives a SIGHUP.
     # reload_certs = no
 
@@ -31,6 +28,19 @@ pkcs11 {
     # List of available PKCS#11 modules.
     modules {
 
+        <name> {
+
+            # Whether to automatically load certificates from tokens.
+            # load_certs = yes
+
+            # Whether OS locking should be enabled for this module.
+            # os_locking = no
+
+            # Full path to the shared object file of this PKCS#11 module.
+            # path =
+
+        }
+
     }
 
 }
diff --git a/conf/plugins/pkcs11.opt b/conf/plugins/pkcs11.opt
index f5a2028..8f328f0 100644
--- a/conf/plugins/pkcs11.opt
+++ b/conf/plugins/pkcs11.opt
@@ -1,8 +1,14 @@
 charon.plugins.pkcs11.modules {}
 	List of available PKCS#11 modules.
 
-charon.plugins.pkcs11.load_certs = yes
-	Whether to load certificates from tokens.
+charon.plugins.pkcs11.modules.<name>.path =
+	Full path to the shared object file of this PKCS#11 module.
+
+charon.plugins.pkcs11.modules.<name>.os_locking = no
+	Whether OS locking should be enabled for this module.
+
+charon.plugins.pkcs11.modules.<name>.load_certs = yes
+	Whether to automatically load certificates from tokens.
 
 charon.plugins.pkcs11.reload_certs = no
 	Reload certificates from all tokens if charon receives a SIGHUP.
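Review bot: The new `modules.<name>.path` entry names a shared object that ends up loaded into the daemon, yet the description gives no guidance on who may write to that file; the loading code itself is outside this diff. I would extend the description with `The file and the directories leading to it should be writable by root only.` Separately, `load_certs` moves from plugin level to module level here. The plugin source is not in this hunk, so it is worth confirming that an existing plugin-level `load_certs = no` is either still honoured or called out in NEWS.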
diff --git a/conf/plugins/revocation.conf b/conf/plugins/revocation.conf
new file mode 100644
index 0000000..ca24a64
--- /dev/null
+++ b/conf/plugins/revocation.conf
@@ -0,0 +1,14 @@
+revocation {
+
+    # Whether CRL validation should be enabled.
+    # enable_crl = yes
+
+    # Whether OCSP validation should be enabled.
+    # enable_ocsp = yes
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+}
+
diff --git a/conf/plugins/revocation.opt b/conf/plugins/revocation.opt
new file mode 100644
index 0000000..5d2b8c0
--- /dev/null
+++ b/conf/plugins/revocation.opt
@@ -0,0 +1,7 @@
+charon.plugins.revocation.enable_ocsp = yes
+	Whether OCSP validation should be enabled.
+
+charon.plugins.revocation.enable_crl = yes
+	Whether CRL validation should be enabled.
+
+
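Review bot: The two descriptions do not say what the plugin does when both `enable_ocsp` and `enable_crl` are set to `no`. Presumably it stays loaded and performs no revocation checks at all, which is easy to miss when reading a config that still shows `load = yes`. A long description on one of the entries would make this explicit, e.g. `If both OCSP and CRL validation are disabled, certificates are accepted without any revocation check.` The hunk also ends with two empty lines, where the other new .opt files in this commit end on their last description line.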
diff --git a/conf/plugins/tpm.conf b/conf/plugins/tpm.conf
new file mode 100644
index 0000000..222bb7b
--- /dev/null
+++ b/conf/plugins/tpm.conf
@@ -0,0 +1,11 @@
+tpm {
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+    # Whether the TPM should be used as RNG.
+    # use_rng = no
+
+}
+
diff --git a/conf/plugins/tpm.opt b/conf/plugins/tpm.opt
new file mode 100644
index 0000000..cd666dd
--- /dev/null
+++ b/conf/plugins/tpm.opt
@@ -0,0 +1,2 @@
+charon.plugins.tpm.use_rng = no
+	Whether the TPM should be used as RNG.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index c0ecbb7..72ab3a7 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -3,10 +3,6 @@
 Plugins to load in ipsec aikgen tool.
 
 .TP
-.BR aikpub2.load " []"
-Plugins to load in aikpub2 tool.
-
-.TP
 .BR attest.database " []"
 File measurement information database URI. If it contains a password, make sure
 to adjust the permissions of the config file accordingly.
@@ -402,6 +398,13 @@ WINS servers assigned to peer via configuration payload (CP).
 WINS servers assigned to peer via configuration payload (CP).
 
 .TP
+.BR charon.plugins.addrblock.strict " [yes]"
+If set to yes, a subject certificate without an addrblock extension is rejected
+if the issuer certificate has such an addrblock extension. If set to no, subject
+certificates issued without the addrblock extension are accepted without any
+traffic selector checks and no policy is enforced by the plugin.
+
+.TP
 .BR charon.plugins.android_log.loglevel " [1]"
 Loglevel for logging to Android specific logger.
 
@@ -442,6 +445,18 @@ Enable logging of SQL IP pool leases.
 Use the enhanced BLISS\-B key generation and signature algorithm.
 
 .TP
+.BR charon.plugins.bypass-lan.interfaces_ignore " []"
+A comma\-separated list of network interfaces for which connected subnets should
+be ignored, if
+.RB "" "interfaces_use" ""
+is specified this option has no effect.
+
+.TP
+.BR charon.plugins.bypass-lan.interfaces_use " []"
+A comma\-separated list of network interfaces for which connected subnets should
+be considered. All other interfaces are ignored.
+
+.TP
 .BR charon.plugins.certexpire.csv.cron " []"
 Cron style string specifying CSV export times.
 
@@ -922,6 +937,14 @@ to circumvent that problem.
 Buffer size for received Netlink messages.
 
 .TP
+.BR charon.plugins.kernel-netlink.force_receive_buffer_size " [no]"
+If the maximum Netlink socket receive buffer in bytes set by
+.RI "" "receive_buffer_size" ""
+exceeds the system\-wide maximum from
+/proc/sys/net/core/rmem_max, this option can be used to override the limit.
+Enabling this option requires special priviliges (CAP_NET_ADMIN).
+
+.TP
 .BR charon.plugins.kernel-netlink.fwmark " []"
 Firewall mark to set on the routing rule that directs traffic to our routing
 table. The format is [!]mark[/mask], where the optional exclamation mark inverts
@@ -962,6 +985,15 @@ based policies are directly tied to the IKE UDP sockets, port based policies use
 global XFRM bypass policies for the used IKE UDP ports.
 
 .TP
+.BR charon.plugins.kernel-netlink.receive_buffer_size " [0]"
+Maximum Netlink socket receive buffer in bytes. This value controls how many
+bytes of Netlink messages can be received on a Netlink socket. The default value
+is set by /proc/sys/net/core/rmem_default. The specified value cannot exceed the
+system\-wide maximum from /proc/sys/net/core/rmem_max, unless
+.RI "" "force_receive_buffer_size" ""
+is enabled.
+
+.TP
 .BR charon.plugins.kernel-netlink.retries " [0]"
 Number of Netlink message retransmissions to send on timeout.
 
@@ -1264,15 +1296,23 @@ server addresses.  Requests will be sent for addresses of the same families for
 which internal IPs are requested.
 
 .TP
-.BR charon.plugins.pkcs11.load_certs " [yes]"
-Whether to load certificates from tokens.
-
-.TP
 .B charon.plugins.pkcs11.modules
 .br
 List of available PKCS#11 modules.
 
 .TP
+.BR charon.plugins.pkcs11.modules.<name>.load_certs " [yes]"
+Whether to automatically load certificates from tokens.
+
+.TP
+.BR charon.plugins.pkcs11.modules.<name>.os_locking " [no]"
+Whether OS locking should be enabled for this module.
+
+.TP
+.BR charon.plugins.pkcs11.modules.<name>.path " []"
+Full path to the shared object file of this PKCS#11 module.
+
+.TP
 .BR charon.plugins.pkcs11.reload_certs " [no]"
 Reload certificates from all tokens if charon receives a SIGHUP.
 
@@ -1338,6 +1378,14 @@ should have a high priority according to the order defined in
 
 
 .TP
+.BR charon.plugins.revocation.enable_crl " [yes]"
+Whether CRL validation should be enabled.
+
+.TP
+.BR charon.plugins.revocation.enable_ocsp " [yes]"
+Whether OCSP validation should be enabled.
+
+.TP
 .BR charon.plugins.socket-default.fwmark " []"
 Firewall mark to set on outbound packets.
 
@@ -1523,6 +1571,10 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set.
 Send a PB\-TNC batch with a modified PB\-TNC version.
 
 .TP
+.BR charon.plugins.tpm.use_rng " [no]"
+Whether the TPM should be used as RNG.
+
+.TP
 .BR charon.plugins.unbound.dlv_anchors " []"
 File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
 the same format as
@@ -1588,6 +1640,15 @@ otherwise a random port
 will be allocated.
 
 .TP
+.BR charon.prefer_best_path " [no]"
+By default, charon keeps SAs on the routing path with addresses it previously
+used if that path is still usable. By setting this option to yes, it tries more
+aggressively to update SAs with MOBIKE on routing priority changes using the
+cheapest path. This adds more noise, but allows to dynamically adapt SAs to
+routing priority changes. This option has no effect if MOBIKE is not supported
+or disabled.
+
+.TP
 .BR charon.prefer_configured_proposals " [yes]"
 Prefer locally configured proposals for IKE/IPsec over supplied ones as
 responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
@@ -1695,6 +1756,15 @@ are also used as constraints against the signature scheme used by peers during
 IKEv2.
 
 .TP
+.BR charon.spi_max " [0xcfffffff]"
+The upper limit for SPIs requested from the kernel for IPsec SAs.
+
+.TP
+.BR charon.spi_min " [0xc0000000]"
+The lower limit for SPIs requested from the kernel for IPsec SAs. Should not be
+set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved by IANA.
+
+.TP
 .B charon.start-scripts
 .br
 Section containing a list of scripts (name = path) that are executed when the
diff --git a/configure b/configure
index 52a1971..bdf0dfe 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.5.1.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.5.2.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.5.1'
-PACKAGE_STRING='strongSwan 5.5.1'
+PACKAGE_VERSION='5.5.2'
+PACKAGE_STRING='strongSwan 5.5.2'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -649,8 +649,6 @@ USE_SVC_FALSE
 USE_SVC_TRUE
 USE_SWANCTL_FALSE
 USE_SWANCTL_TRUE
-USE_AIKPUB2_FALSE
-USE_AIKPUB2_TRUE
 USE_AIKGEN_FALSE
 USE_AIKGEN_TRUE
 USE_CMD_FALSE
@@ -755,6 +753,8 @@ USE_FORECAST_FALSE
 USE_FORECAST_TRUE
 USE_CONNMARK_FALSE
 USE_CONNMARK_TRUE
+USE_BYPASS_LAN_FALSE
+USE_BYPASS_LAN_TRUE
 USE_SOCKET_WIN_FALSE
 USE_SOCKET_WIN_TRUE
 USE_SOCKET_DYNAMIC_FALSE
@@ -927,6 +927,8 @@ USE_CTR_FALSE
 USE_CTR_TRUE
 USE_CHAPOLY_FALSE
 USE_CHAPOLY_TRUE
+USE_TPM_FALSE
+USE_TPM_TRUE
 USE_PKCS11_FALSE
 USE_PKCS11_TRUE
 USE_KEYCHAIN_FALSE
@@ -983,6 +985,8 @@ USE_AESNI_FALSE
 USE_AESNI_TRUE
 USE_RDRAND_FALSE
 USE_RDRAND_TRUE
+USE_CURVE25519_FALSE
+USE_CURVE25519_TRUE
 USE_GMP_FALSE
 USE_GMP_TRUE
 USE_FIPS_PRF_FALSE
@@ -1023,7 +1027,7 @@ USE_TEST_VECTORS_FALSE
 USE_TEST_VECTORS_TRUE
 t_plugins
 s_plugins
-h_plugins
+p_plugins
 c_plugins
 aikgen_plugins
 cmd_plugins
@@ -1306,6 +1310,7 @@ enable_fips_prf
 enable_gcm
 enable_gcrypt
 enable_gmp
+enable_curve25519
 enable_hmac
 enable_md4
 enable_md5
@@ -1369,6 +1374,7 @@ enable_ext_auth
 enable_ipseckey
 enable_keychain
 enable_pkcs11
+enable_tpm
 enable_revocation
 enable_whitelist
 enable_xauth_generic
@@ -1417,6 +1423,7 @@ enable_tnccs_11
 enable_tnccs_20
 enable_tnccs_dynamic
 enable_android_log
+enable_bypass_lan
 enable_certexpire
 enable_connmark
 enable_forecast
@@ -1432,7 +1439,6 @@ enable_systime_fix
 enable_test_vectors
 enable_updown
 enable_aikgen
-enable_aikpub2
 enable_charon
 enable_cmd
 enable_conftest
@@ -2072,7 +2078,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.5.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.5.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -2143,7 +2149,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.5.1:";;
+     short | recursive ) echo "Configuration of strongSwan 5.5.2:";;
    esac
   cat <<\_ACEOF
 
@@ -2167,6 +2173,7 @@ Optional Features:
   --enable-gcrypt         enables the libgcrypt plugin.
   --disable-gmp           disable GNU MP (libgmp) based crypto implementation
                           plugin.
+  --disable-curve25519    disable Curve25519 Diffie-Hellman plugin.
   --disable-hmac          disable HMAC crypto implementation plugin.
   --enable-md4            enable MD4 software implementation plugin.
   --disable-md5           disable MD5 software implementation plugin.
@@ -2246,6 +2253,7 @@ Optional Features:
   --enable-ipseckey       enable IPSECKEY authentication plugin.
   --enable-keychain       enables OS X Keychain Services credential set.
   --enable-pkcs11         enables the PKCS11 token support plugin.
+  --enable-tpm            enables the TPM plugin.
   --disable-revocation    disable X509 CRL/OCSP revocation check plugin.
   --enable-whitelist      enable peer identity whitelisting plugin.
   --disable-xauth-generic disable generic XAuth backend.
@@ -2306,6 +2314,8 @@ Optional Features:
   --enable-tnccs-20       enable TNCCS 2.0 protocol module.
   --enable-tnccs-dynamic  enable dynamic TNCCS protocol discovery module.
   --enable-android-log    enable Android specific logger plugin.
+  --enable-bypass-lan     enable plugin to install bypass policies for local
+                          subnets.
   --enable-certexpire     enable CSV export of expiration dates of used
                           certificates.
   --enable-connmark       enable connmark plugin using conntrack based marks
@@ -2330,7 +2340,6 @@ Optional Features:
   --enable-test-vectors   enable plugin providing crypto test vectors.
   --disable-updown        disable updown firewall script plugin.
   --enable-aikgen         enable AIK generator for TPM 1.2.
-  --enable-aikpub2        enable AIK extractor for TPM 2.0.
   --disable-charon        disable the IKEv1/IKEv2 keying daemon charon.
   --enable-cmd            enable the command line IKE client charon-cmd.
   --enable-conftest       enforce Suite B conformance test framework.
@@ -2604,7 +2613,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.5.1
+strongSwan configure 5.5.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3126,7 +3135,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.5.1, which was
+It was created by strongSwan $as_me 5.5.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3989,7 +3998,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.5.1'
+ VERSION='5.5.2'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -5040,6 +5049,22 @@ fi
 
 	enabled_by_default=${enabled_by_default}" gmp"
 
+# Check whether --enable-curve25519 was given.
+if test "${enable_curve25519+set}" = set; then :
+  enableval=$enable_curve25519; curve25519_given=true
+		if test x$enableval = xyes; then
+			curve25519=true
+		 else
+			curve25519=false
+		fi
+else
+  curve25519=true
+		curve25519_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" curve25519"
+
 # Check whether --enable-hmac was given.
 if test "${enable_hmac+set}" = set; then :
   enableval=$enable_hmac; hmac_given=true
@@ -6052,6 +6077,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" pkcs11"
 
+# Check whether --enable-tpm was given.
+if test "${enable_tpm+set}" = set; then :
+  enableval=$enable_tpm; tpm_given=true
+		if test x$enableval = xyes; then
+			tpm=true
+		 else
+			tpm=false
+		fi
+else
+  tpm=false
+		tpm_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" tpm"
+
 # Check whether --enable-revocation was given.
 if test "${enable_revocation+set}" = set; then :
   enableval=$enable_revocation; revocation_given=true
@@ -6825,6 +6866,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" android_log"
 
+# Check whether --enable-bypass-lan was given.
+if test "${enable_bypass_lan+set}" = set; then :
+  enableval=$enable_bypass_lan; bypass_lan_given=true
+		if test x$enableval = xyes; then
+			bypass_lan=true
+		 else
+			bypass_lan=false
+		fi
+else
+  bypass_lan=false
+		bypass_lan_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" bypass_lan"
+
 # Check whether --enable-certexpire was given.
 if test "${enable_certexpire+set}" = set; then :
   enableval=$enable_certexpire; certexpire_given=true
@@ -7066,22 +7123,6 @@ fi
 
 	disabled_by_default=${disabled_by_default}" aikgen"
 
-# Check whether --enable-aikpub2 was given.
-if test "${enable_aikpub2+set}" = set; then :
-  enableval=$enable_aikpub2; aikpub2_given=true
-		if test x$enableval = xyes; then
-			aikpub2=true
-		 else
-			aikpub2=false
-		fi
-else
-  aikpub2=false
-		aikpub2_given=false
-
-fi
-
-	disabled_by_default=${disabled_by_default}" aikpub2"
-
 # Check whether --enable-charon was given.
 if test "${enable_charon+set}" = set; then :
   enableval=$enable_charon; charon_given=true
@@ -18008,10 +18049,6 @@ if test x$aikgen = xtrue; then
 	tss_trousers=true
 fi
 
-if test x$aikpub2 = xtrue; then
-	tss_tss2=true
-fi
-
 if test x$ntru = xtrue -o x$bliss = xtrue; then
 	mgf1=true
 fi
@@ -19659,9 +19696,9 @@ fi
 
 
 if test x$printf_hooks = xvstr; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lvstr" >&5
-$as_echo_n "checking for main in -lvstr... " >&6; }
-if ${ac_cv_lib_vstr_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for vstr_init in -lvstr" >&5
+$as_echo_n "checking for vstr_init in -lvstr... " >&6; }
+if ${ac_cv_lib_vstr_vstr_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19669,27 +19706,33 @@ LIBS="-lvstr  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char vstr_init ();
 int
 main ()
 {
-return main ();
+return vstr_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_vstr_main=yes
+  ac_cv_lib_vstr_vstr_init=yes
 else
-  ac_cv_lib_vstr_main=no
+  ac_cv_lib_vstr_vstr_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_vstr_main" >&5
-$as_echo "$ac_cv_lib_vstr_main" >&6; }
-if test "x$ac_cv_lib_vstr_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_vstr_vstr_init" >&5
+$as_echo "$ac_cv_lib_vstr_vstr_init" >&6; }
+if test "x$ac_cv_lib_vstr_vstr_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "Vstr string library not found" "$LINENO" 5
@@ -19708,9 +19751,9 @@ fi
 
 if test x$gmp = xtrue; then
 	saved_LIBS=$LIBS
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgmp" >&5
-$as_echo_n "checking for main in -lgmp... " >&6; }
-if ${ac_cv_lib_gmp_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for __gmpz_init in -lgmp" >&5
+$as_echo_n "checking for __gmpz_init in -lgmp... " >&6; }
+if ${ac_cv_lib_gmp___gmpz_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19718,27 +19761,33 @@ LIBS="-lgmp  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char __gmpz_init ();
 int
 main ()
 {
-return main ();
+return __gmpz_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_gmp_main=yes
+  ac_cv_lib_gmp___gmpz_init=yes
 else
-  ac_cv_lib_gmp_main=no
+  ac_cv_lib_gmp___gmpz_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp_main" >&5
-$as_echo "$ac_cv_lib_gmp_main" >&6; }
-if test "x$ac_cv_lib_gmp_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp___gmpz_init" >&5
+$as_echo "$ac_cv_lib_gmp___gmpz_init" >&6; }
+if test "x$ac_cv_lib_gmp___gmpz_init" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBGMP 1
 _ACEOF
@@ -19808,9 +19857,9 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$ldap = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lldap" >&5
-$as_echo_n "checking for main in -lldap... " >&6; }
-if ${ac_cv_lib_ldap_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_init in -lldap" >&5
+$as_echo_n "checking for ldap_init in -lldap... " >&6; }
+if ${ac_cv_lib_ldap_ldap_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19818,35 +19867,41 @@ LIBS="-lldap  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ldap_init ();
 int
 main ()
 {
-return main ();
+return ldap_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_ldap_main=yes
+  ac_cv_lib_ldap_ldap_init=yes
 else
-  ac_cv_lib_ldap_main=no
+  ac_cv_lib_ldap_ldap_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_main" >&5
-$as_echo "$ac_cv_lib_ldap_main" >&6; }
-if test "x$ac_cv_lib_ldap_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_ldap_init" >&5
+$as_echo "$ac_cv_lib_ldap_ldap_init" >&6; }
+if test "x$ac_cv_lib_ldap_ldap_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "LDAP library ldap not found" "$LINENO" 5
 fi
 
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -llber" >&5
-$as_echo_n "checking for main in -llber... " >&6; }
-if ${ac_cv_lib_lber_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ber_free in -llber" >&5
+$as_echo_n "checking for ber_free in -llber... " >&6; }
+if ${ac_cv_lib_lber_ber_free+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19854,27 +19909,33 @@ LIBS="-llber  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ber_free ();
 int
 main ()
 {
-return main ();
+return ber_free ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_lber_main=yes
+  ac_cv_lib_lber_ber_free=yes
 else
-  ac_cv_lib_lber_main=no
+  ac_cv_lib_lber_ber_free=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lber_main" >&5
-$as_echo "$ac_cv_lib_lber_main" >&6; }
-if test "x$ac_cv_lib_lber_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lber_ber_free" >&5
+$as_echo "$ac_cv_lib_lber_ber_free" >&6; }
+if test "x$ac_cv_lib_lber_ber_free" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "LDAP library lber not found" "$LINENO" 5
@@ -19891,9 +19952,9 @@ fi
 fi
 
 if test x$curl = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcurl" >&5
-$as_echo_n "checking for main in -lcurl... " >&6; }
-if ${ac_cv_lib_curl_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for curl_global_init in -lcurl" >&5
+$as_echo_n "checking for curl_global_init in -lcurl... " >&6; }
+if ${ac_cv_lib_curl_curl_global_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19901,27 +19962,33 @@ LIBS="-lcurl  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char curl_global_init ();
 int
 main ()
 {
-return main ();
+return curl_global_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_curl_main=yes
+  ac_cv_lib_curl_curl_global_init=yes
 else
-  ac_cv_lib_curl_main=no
+  ac_cv_lib_curl_curl_global_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_main" >&5
-$as_echo "$ac_cv_lib_curl_main" >&6; }
-if test "x$ac_cv_lib_curl_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_curl_global_init" >&5
+$as_echo "$ac_cv_lib_curl_curl_global_init" >&6; }
+if test "x$ac_cv_lib_curl_curl_global_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "CURL library curl not found" "$LINENO" 5
@@ -19938,9 +20005,9 @@ fi
 fi
 
 if test x$unbound = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lldns" >&5
-$as_echo_n "checking for main in -lldns... " >&6; }
-if ${ac_cv_lib_ldns_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldns_rr_get_type in -lldns" >&5
+$as_echo_n "checking for ldns_rr_get_type in -lldns... " >&6; }
+if ${ac_cv_lib_ldns_ldns_rr_get_type+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19948,27 +20015,33 @@ LIBS="-lldns  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ldns_rr_get_type ();
 int
 main ()
 {
-return main ();
+return ldns_rr_get_type ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_ldns_main=yes
+  ac_cv_lib_ldns_ldns_rr_get_type=yes
 else
-  ac_cv_lib_ldns_main=no
+  ac_cv_lib_ldns_ldns_rr_get_type=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldns_main" >&5
-$as_echo "$ac_cv_lib_ldns_main" >&6; }
-if test "x$ac_cv_lib_ldns_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldns_ldns_rr_get_type" >&5
+$as_echo "$ac_cv_lib_ldns_ldns_rr_get_type" >&6; }
+if test "x$ac_cv_lib_ldns_ldns_rr_get_type" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "UNBOUND library ldns not found" "$LINENO" 5
@@ -19982,9 +20055,9 @@ else
 fi
 
 
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lunbound" >&5
-$as_echo_n "checking for main in -lunbound... " >&6; }
-if ${ac_cv_lib_unbound_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ub_ctx_create in -lunbound" >&5
+$as_echo_n "checking for ub_ctx_create in -lunbound... " >&6; }
+if ${ac_cv_lib_unbound_ub_ctx_create+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19992,27 +20065,33 @@ LIBS="-lunbound  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ub_ctx_create ();
 int
 main ()
 {
-return main ();
+return ub_ctx_create ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_unbound_main=yes
+  ac_cv_lib_unbound_ub_ctx_create=yes
 else
-  ac_cv_lib_unbound_main=no
+  ac_cv_lib_unbound_ub_ctx_create=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unbound_main" >&5
-$as_echo "$ac_cv_lib_unbound_main" >&6; }
-if test "x$ac_cv_lib_unbound_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unbound_ub_ctx_create" >&5
+$as_echo "$ac_cv_lib_unbound_ub_ctx_create" >&6; }
+if test "x$ac_cv_lib_unbound_ub_ctx_create" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "UNBOUND library libunbound not found" "$LINENO" 5
@@ -20677,9 +20756,9 @@ fi
 fi
 
 if test x$tss_trousers = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ltspi" >&5
-$as_echo_n "checking for main in -ltspi... " >&6; }
-if ${ac_cv_lib_tspi_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Tspi_Context_Create in -ltspi" >&5
+$as_echo_n "checking for Tspi_Context_Create in -ltspi... " >&6; }
+if ${ac_cv_lib_tspi_Tspi_Context_Create+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -20687,27 +20766,33 @@ LIBS="-ltspi  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char Tspi_Context_Create ();
 int
 main ()
 {
-return main ();
+return Tspi_Context_Create ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_tspi_main=yes
+  ac_cv_lib_tspi_Tspi_Context_Create=yes
 else
-  ac_cv_lib_tspi_main=no
+  ac_cv_lib_tspi_Tspi_Context_Create=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tspi_main" >&5
-$as_echo "$ac_cv_lib_tspi_main" >&6; }
-if test "x$ac_cv_lib_tspi_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tspi_Tspi_Context_Create" >&5
+$as_echo "$ac_cv_lib_tspi_Tspi_Context_Create" >&6; }
+if test "x$ac_cv_lib_tspi_Tspi_Context_Create" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "TrouSerS library libtspi not found" "$LINENO" 5
@@ -21289,87 +21374,73 @@ done
 fi
 
 if test x$fast = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_cgi" >&5
-$as_echo_n "checking for main in -lneo_cgi... " >&6; }
-if ${ac_cv_lib_neo_cgi_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for hdf_init in -lneo_utl" >&5
+$as_echo_n "checking for hdf_init in -lneo_utl... " >&6; }
+if ${ac_cv_lib_neo_utl_hdf_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lneo_cgi  $LIBS"
+LIBS="-lneo_utl  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char hdf_init ();
 int
 main ()
 {
-return main ();
+return hdf_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_neo_cgi_main=yes
+  ac_cv_lib_neo_utl_hdf_init=yes
 else
-  ac_cv_lib_neo_cgi_main=no
+  ac_cv_lib_neo_utl_hdf_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_cgi_main" >&5
-$as_echo "$ac_cv_lib_neo_cgi_main" >&6; }
-if test "x$ac_cv_lib_neo_cgi_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_utl_hdf_init" >&5
+$as_echo "$ac_cv_lib_neo_utl_hdf_init" >&6; }
+if test "x$ac_cv_lib_neo_utl_hdf_init" = xyes; then :
   LIBS="$LIBS"
 else
-  as_fn_error $? "ClearSilver library neo_cgi not found!" "$LINENO" 5
+  as_fn_error $? "ClearSilver library neo_utl not found!" "$LINENO" 5
 fi
 
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_utl" >&5
-$as_echo_n "checking for main in -lneo_utl... " >&6; }
-if ${ac_cv_lib_neo_utl_main+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lneo_utl  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -lneo_cgi and dependencies" >&5
+$as_echo_n "checking for -lneo_cgi and dependencies... " >&6; }
+	saved_CFLAGS=$CFLAGS
+	saved_LIBS=$LIBS
+	LIBS="-lneo_cgi -lneo_cs -lneo_utl"
+	CFLAGS="-I/usr/include/ClearSilver"
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-
-
+#include <cgi/cgi.h>
 int
 main ()
 {
-return main ();
+NEOERR *err = cgi_display(NULL, NULL);
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_neo_utl_main=yes
-else
-  ac_cv_lib_neo_utl_main=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_utl_main" >&5
-$as_echo "$ac_cv_lib_neo_utl_main" >&6; }
-if test "x$ac_cv_lib_neo_utl_main" = xyes; then :
-  LIBS="$LIBS"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
 else
-  as_fn_error $? "ClearSilver library neo_utl not found!" "$LINENO" 5
-fi
-
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking ClearSilver requires zlib" >&5
-$as_echo_n "checking ClearSilver requires zlib... " >&6; }
-	saved_CFLAGS=$CFLAGS
-	saved_LIBS=$LIBS
-	LIBS="-lneo_cgi -lneo_cs -lneo_utl"
-	CFLAGS="-I/usr/include/ClearSilver"
-	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  LIBS="$LIBS -lz";
+		 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-#include <ClearSilver.h>
+#include <cgi/cgi.h>
 int
 main ()
 {
@@ -21379,24 +21450,26 @@ NEOERR *err = cgi_display(NULL, NULL);
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }; clearsilver_LIBS="$LIBS"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, zlib required" >&5
+$as_echo "yes, zlib required" >&6; }
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; clearsilver_LIBS="$LIBS -lz"
+  as_fn_error $? "not found" "$LINENO" 5
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
+	clearsilver_LIBS="$LIBS"
 
 	LIBS=$saved_LIBS
 	CFLAGS=$saved_CFLAGS
-# autoconf does not like CamelCase!? How to fix this?
-#	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
 
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lfcgi" >&5
-$as_echo_n "checking for main in -lfcgi... " >&6; }
-if ${ac_cv_lib_fcgi_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for FCGX_Init in -lfcgi" >&5
+$as_echo_n "checking for FCGX_Init in -lfcgi... " >&6; }
+if ${ac_cv_lib_fcgi_FCGX_Init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21404,27 +21477,33 @@ LIBS="-lfcgi  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char FCGX_Init ();
 int
 main ()
 {
-return main ();
+return FCGX_Init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_fcgi_main=yes
+  ac_cv_lib_fcgi_FCGX_Init=yes
 else
-  ac_cv_lib_fcgi_main=no
+  ac_cv_lib_fcgi_FCGX_Init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_fcgi_main" >&5
-$as_echo "$ac_cv_lib_fcgi_main" >&6; }
-if test "x$ac_cv_lib_fcgi_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_fcgi_FCGX_Init" >&5
+$as_echo "$ac_cv_lib_fcgi_FCGX_Init" >&6; }
+if test "x$ac_cv_lib_fcgi_FCGX_Init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "FastCGI library fcgi not found!" "$LINENO" 5
@@ -21450,9 +21529,9 @@ else
 fi
 
 
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lmysql" >&5
-$as_echo_n "checking for main in -lmysql... " >&6; }
-if ${ac_cv_lib_mysql_main+:} false; then :
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql_database_init in -lmysql" >&5
+$as_echo_n "checking for mysql_database_init in -lmysql... " >&6; }
+if ${ac_cv_lib_mysql_mysql_database_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21460,27 +21539,33 @@ LIBS="-lmysql  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char mysql_database_init ();
 int
 main ()
 {
-return main ();
+return mysql_database_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_mysql_main=yes
+  ac_cv_lib_mysql_mysql_database_init=yes
 else
-  ac_cv_lib_mysql_main=no
+  ac_cv_lib_mysql_mysql_database_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysql_main" >&5
-$as_echo "$ac_cv_lib_mysql_main" >&6; }
-if test "x$ac_cv_lib_mysql_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysql_mysql_database_init" >&5
+$as_echo "$ac_cv_lib_mysql_mysql_database_init" >&6; }
+if test "x$ac_cv_lib_mysql_mysql_database_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "MySQL library not found!" "$LINENO" 5
@@ -21541,9 +21626,9 @@ fi
 fi
 
 if test x$sqlite = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lsqlite3" >&5
-$as_echo_n "checking for main in -lsqlite3... " >&6; }
-if ${ac_cv_lib_sqlite3_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sqlite3_open in -lsqlite3" >&5
+$as_echo_n "checking for sqlite3_open in -lsqlite3... " >&6; }
+if ${ac_cv_lib_sqlite3_sqlite3_open+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21551,27 +21636,33 @@ LIBS="-lsqlite3  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char sqlite3_open ();
 int
 main ()
 {
-return main ();
+return sqlite3_open ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_sqlite3_main=yes
+  ac_cv_lib_sqlite3_sqlite3_open=yes
 else
-  ac_cv_lib_sqlite3_main=no
+  ac_cv_lib_sqlite3_sqlite3_open=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sqlite3_main" >&5
-$as_echo "$ac_cv_lib_sqlite3_main" >&6; }
-if test "x$ac_cv_lib_sqlite3_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sqlite3_sqlite3_open" >&5
+$as_echo "$ac_cv_lib_sqlite3_sqlite3_open" >&6; }
+if test "x$ac_cv_lib_sqlite3_sqlite3_open" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "SQLite library sqlite3 not found" "$LINENO" 5
@@ -21638,9 +21729,9 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$openssl = xtrue; then
-	as_ac_Lib=`$as_echo "ac_cv_lib_$openssl_lib''_main" | $as_tr_sh`
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -l$openssl_lib" >&5
-$as_echo_n "checking for main in -l$openssl_lib... " >&6; }
+	as_ac_Lib=`$as_echo "ac_cv_lib_$openssl_lib''_EVP_CIPHER_CTX_new" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -l$openssl_lib" >&5
+$as_echo_n "checking for EVP_CIPHER_CTX_new in -l$openssl_lib... " >&6; }
 if eval \${$as_ac_Lib+:} false; then :
   $as_echo_n "(cached) " >&6
 else
@@ -21649,11 +21740,17 @@ LIBS="-l$openssl_lib $DLLIB $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char EVP_CIPHER_CTX_new ();
 int
 main ()
 {
-return main ();
+return EVP_CIPHER_CTX_new ();
   ;
   return 0;
 }
@@ -21687,9 +21784,9 @@ fi
 fi
 
 if test x$gcrypt = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgcrypt" >&5
-$as_echo_n "checking for main in -lgcrypt... " >&6; }
-if ${ac_cv_lib_gcrypt_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcry_control in -lgcrypt" >&5
+$as_echo_n "checking for gcry_control in -lgcrypt... " >&6; }
+if ${ac_cv_lib_gcrypt_gcry_control+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21697,27 +21794,33 @@ LIBS="-lgcrypt -lgpg-error $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char gcry_control ();
 int
 main ()
 {
-return main ();
+return gcry_control ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_gcrypt_main=yes
+  ac_cv_lib_gcrypt_gcry_control=yes
 else
-  ac_cv_lib_gcrypt_main=no
+  ac_cv_lib_gcrypt_gcry_control=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gcrypt_main" >&5
-$as_echo "$ac_cv_lib_gcrypt_main" >&6; }
-if test "x$ac_cv_lib_gcrypt_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gcrypt_gcry_control" >&5
+$as_echo "$ac_cv_lib_gcrypt_gcry_control" >&6; }
+if test "x$ac_cv_lib_gcrypt_gcry_control" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "gcrypt library not found" "$LINENO" 5
@@ -21759,9 +21862,9 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$uci = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5
-$as_echo_n "checking for main in -luci... " >&6; }
-if ${ac_cv_lib_uci_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uci_alloc_context in -luci" >&5
+$as_echo_n "checking for uci_alloc_context in -luci... " >&6; }
+if ${ac_cv_lib_uci_uci_alloc_context+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21769,27 +21872,33 @@ LIBS="-luci  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char uci_alloc_context ();
 int
 main ()
 {
-return main ();
+return uci_alloc_context ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_uci_main=yes
+  ac_cv_lib_uci_uci_alloc_context=yes
 else
-  ac_cv_lib_uci_main=no
+  ac_cv_lib_uci_uci_alloc_context=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_uci_main" >&5
-$as_echo "$ac_cv_lib_uci_main" >&6; }
-if test "x$ac_cv_lib_uci_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_uci_uci_alloc_context" >&5
+$as_echo "$ac_cv_lib_uci_uci_alloc_context" >&6; }
+if test "x$ac_cv_lib_uci_uci_alloc_context" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "UCI library libuci not found" "$LINENO" 5
@@ -21806,9 +21915,9 @@ fi
 fi
 
 if test x$android_dns = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcutils" >&5
-$as_echo_n "checking for main in -lcutils... " >&6; }
-if ${ac_cv_lib_cutils_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for property_get in -lcutils" >&5
+$as_echo_n "checking for property_get in -lcutils... " >&6; }
+if ${ac_cv_lib_cutils_property_get+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21816,27 +21925,33 @@ LIBS="-lcutils  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char property_get ();
 int
 main ()
 {
-return main ();
+return property_get ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_cutils_main=yes
+  ac_cv_lib_cutils_property_get=yes
 else
-  ac_cv_lib_cutils_main=no
+  ac_cv_lib_cutils_property_get=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cutils_main" >&5
-$as_echo "$ac_cv_lib_cutils_main" >&6; }
-if test "x$ac_cv_lib_cutils_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cutils_property_get" >&5
+$as_echo "$ac_cv_lib_cutils_property_get" >&6; }
+if test "x$ac_cv_lib_cutils_property_get" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "Android library libcutils not found" "$LINENO" 5
@@ -22149,9 +22264,9 @@ fi
 fi
 
 if test x$xauth_pam = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpam" >&5
-$as_echo_n "checking for main in -lpam... " >&6; }
-if ${ac_cv_lib_pam_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
+$as_echo_n "checking for pam_start in -lpam... " >&6; }
+if ${ac_cv_lib_pam_pam_start+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -22159,27 +22274,33 @@ LIBS="-lpam  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pam_start ();
 int
 main ()
 {
-return main ();
+return pam_start ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pam_main=yes
+  ac_cv_lib_pam_pam_start=yes
 else
-  ac_cv_lib_pam_main=no
+  ac_cv_lib_pam_pam_start=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_main" >&5
-$as_echo "$ac_cv_lib_pam_main" >&6; }
-if test "x$ac_cv_lib_pam_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5
+$as_echo "$ac_cv_lib_pam_pam_start" >&6; }
+if test "x$ac_cv_lib_pam_pam_start" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "PAM library not found" "$LINENO" 5
@@ -22321,9 +22442,9 @@ $as_echo "#define CAPABILITIES_NATIVE /**/" >>confdefs.h
 fi
 
 if test x$capabilities = xlibcap; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcap" >&5
-$as_echo_n "checking for main in -lcap... " >&6; }
-if ${ac_cv_lib_cap_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for cap_init in -lcap" >&5
+$as_echo_n "checking for cap_init in -lcap... " >&6; }
+if ${ac_cv_lib_cap_cap_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -22331,27 +22452,33 @@ LIBS="-lcap  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char cap_init ();
 int
 main ()
 {
-return main ();
+return cap_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_cap_main=yes
+  ac_cv_lib_cap_cap_init=yes
 else
-  ac_cv_lib_cap_main=no
+  ac_cv_lib_cap_cap_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_main" >&5
-$as_echo "$ac_cv_lib_cap_main" >&6; }
-if test "x$ac_cv_lib_cap_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_cap_init" >&5
+$as_echo "$ac_cv_lib_cap_cap_init" >&6; }
+if test "x$ac_cv_lib_cap_cap_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "libcap library not found" "$LINENO" 5
@@ -22424,9 +22551,9 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$bfd_backtraces = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lbfd" >&5
-$as_echo_n "checking for main in -lbfd... " >&6; }
-if ${ac_cv_lib_bfd_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for bfd_init in -lbfd" >&5
+$as_echo_n "checking for bfd_init in -lbfd... " >&6; }
+if ${ac_cv_lib_bfd_bfd_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -22434,27 +22561,33 @@ LIBS="-lbfd  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char bfd_init ();
 int
 main ()
 {
-return main ();
+return bfd_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_bfd_main=yes
+  ac_cv_lib_bfd_bfd_init=yes
 else
-  ac_cv_lib_bfd_main=no
+  ac_cv_lib_bfd_bfd_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bfd_main" >&5
-$as_echo "$ac_cv_lib_bfd_main" >&6; }
-if test "x$ac_cv_lib_bfd_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bfd_bfd_init" >&5
+$as_echo "$ac_cv_lib_bfd_bfd_init" >&6; }
+if test "x$ac_cv_lib_bfd_bfd_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "binutils libbfd not found!" "$LINENO" 5
@@ -22475,9 +22608,9 @@ fi
 fi
 
 if test x$unwind_backtraces = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lunwind" >&5
-$as_echo_n "checking for main in -lunwind... " >&6; }
-if ${ac_cv_lib_unwind_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for unw_backtrace in -lunwind" >&5
+$as_echo_n "checking for unw_backtrace in -lunwind... " >&6; }
+if ${ac_cv_lib_unwind_unw_backtrace+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -22485,27 +22618,33 @@ LIBS="-lunwind  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char unw_backtrace ();
 int
 main ()
 {
-return main ();
+return unw_backtrace ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_unwind_main=yes
+  ac_cv_lib_unwind_unw_backtrace=yes
 else
-  ac_cv_lib_unwind_main=no
+  ac_cv_lib_unwind_unw_backtrace=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unwind_main" >&5
-$as_echo "$ac_cv_lib_unwind_main" >&6; }
-if test "x$ac_cv_lib_unwind_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unwind_unw_backtrace" >&5
+$as_echo "$ac_cv_lib_unwind_unw_backtrace" >&6; }
+if test "x$ac_cv_lib_unwind_unw_backtrace" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "libunwind not found!" "$LINENO" 5
@@ -22888,10 +23027,11 @@ cmd_plugins=
 aikgen_plugins=
 
 # location specific lists for checksumming,
-# for src/libcharon, src/libstrongswan and src/libtnccs
+# for src/libcharon, src/libstrongswan, src/libtnccs and src/libtpmtss
 c_plugins=
 s_plugins=
 t_plugins=
+p_plugins=
 
 if test x$test_vectors = xtrue; then
 		s_plugins=${s_plugins}" test-vectors"
@@ -22927,6 +23067,15 @@ if test x$pkcs11 = xtrue; then
 
 	fi
 
+if test x$tpm = xtrue; then
+		p_plugins=${p_plugins}" tpm"
+		charon_plugins=${charon_plugins}" tpm"
+		pki_plugins=${pki_plugins}" tpm"
+		nm_plugins=${nm_plugins}" tpm"
+		cmd_plugins=${cmd_plugins}" tpm"
+
+	fi
+
 if test x$aesni = xtrue; then
 		s_plugins=${s_plugins}" aesni"
 		charon_plugins=${charon_plugins}" aesni"
@@ -23319,6 +23468,15 @@ if test x$gmp = xtrue; then
 
 	fi
 
+if test x$curve25519 = xtrue; then
+		s_plugins=${s_plugins}" curve25519"
+		charon_plugins=${charon_plugins}" curve25519"
+		scripts_plugins=${scripts_plugins}" curve25519"
+		nm_plugins=${nm_plugins}" curve25519"
+		cmd_plugins=${cmd_plugins}" curve25519"
+
+	fi
+
 if test x$agent = xtrue; then
 		s_plugins=${s_plugins}" agent"
 		charon_plugins=${charon_plugins}" agent"
@@ -23576,6 +23734,14 @@ if test x$socket_win = xtrue; then
 
 	fi
 
+if test x$bypass_lan = xtrue; then
+		c_plugins=${c_plugins}" bypass-lan"
+		charon_plugins=${charon_plugins}" bypass-lan"
+		nm_plugins=${nm_plugins}" bypass-lan"
+		cmd_plugins=${cmd_plugins}" bypass-lan"
+
+	fi
+
 if test x$connmark = xtrue; then
 		c_plugins=${c_plugins}" connmark"
 		charon_plugins=${charon_plugins}" connmark"
@@ -24124,6 +24290,14 @@ else
   USE_GMP_FALSE=
 fi
 
+ if test x$curve25519 = xtrue; then
+  USE_CURVE25519_TRUE=
+  USE_CURVE25519_FALSE='#'
+else
+  USE_CURVE25519_TRUE='#'
+  USE_CURVE25519_FALSE=
+fi
+
  if test x$rdrand = xtrue; then
   USE_RDRAND_TRUE=
   USE_RDRAND_FALSE='#'
@@ -24348,6 +24522,14 @@ else
   USE_PKCS11_FALSE=
 fi
 
+ if test x$tpm = xtrue; then
+  USE_TPM_TRUE=
+  USE_TPM_FALSE='#'
+else
+  USE_TPM_TRUE='#'
+  USE_TPM_FALSE=
+fi
+
  if test x$chapoly = xtrue; then
   USE_CHAPOLY_TRUE=
   USE_CHAPOLY_FALSE='#'
@@ -25039,6 +25221,14 @@ else
   USE_SOCKET_WIN_FALSE=
 fi
 
+ if test x$bypass_lan = xtrue; then
+  USE_BYPASS_LAN_TRUE=
+  USE_BYPASS_LAN_FALSE='#'
+else
+  USE_BYPASS_LAN_TRUE='#'
+  USE_BYPASS_LAN_FALSE=
+fi
+
  if test x$connmark = xtrue; then
   USE_CONNMARK_TRUE=
   USE_CONNMARK_FALSE='#'
@@ -25250,7 +25440,7 @@ else
   USE_CONFTEST_FALSE=
 fi
 
- if test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$aikpub2 = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then
+ if test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then
   USE_LIBSTRONGSWAN_TRUE=
   USE_LIBSTRONGSWAN_FALSE='#'
 else
@@ -25306,7 +25496,7 @@ else
   USE_LIBPTTLS_FALSE=
 fi
 
- if test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$aikgen = xtrue -o x$aikpub2 = xtrue -o x$imcv = xtrue; then
+ if test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm -o x$aikgen = xtrue -o x$imcv = xtrue; then
   USE_LIBTPMTSS_TRUE=
   USE_LIBTPMTSS_FALSE='#'
 else
@@ -25458,14 +25648,6 @@ else
   USE_AIKGEN_FALSE=
 fi
 
- if test x$aikpub2 = xtrue; then
-  USE_AIKPUB2_TRUE=
-  USE_AIKPUB2_FALSE='#'
-else
-  USE_AIKPUB2_TRUE='#'
-  USE_AIKPUB2_FALSE=
-fi
-
  if test x$swanctl = xtrue; then
   USE_SWANCTL_TRUE=
   USE_SWANCTL_FALSE='#'
@@ -25575,9 +25757,6 @@ strongswan_options=
 if test -z "$USE_AIKGEN_TRUE"; then :
   strongswan_options=${strongswan_options}" aikgen"
 fi
-if test -z "$USE_AIKPUB2_TRUE"; then :
-  strongswan_options=${strongswan_options}" aikpub2"
-fi
 if test -z "$USE_ATTR_SQL_TRUE"; then :
   strongswan_options=${strongswan_options}" pool"
 fi
@@ -25621,7 +25800,7 @@ fi
 #  build Makefiles
 # =================
 
-ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/math/libnttfft/Makefile src/libstrongswan/math/libnttfft/tests/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/ [...]
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/math/libnttfft/Makefile src/libstrongswan/math/libnttfft/tests/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/ [...]
 
 
 # =================
@@ -25869,6 +26048,10 @@ if test -z "${USE_GMP_TRUE}" && test -z "${USE_GMP_FALSE}"; then
   as_fn_error $? "conditional \"USE_GMP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_CURVE25519_TRUE}" && test -z "${USE_CURVE25519_FALSE}"; then
+  as_fn_error $? "conditional \"USE_CURVE25519\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_RDRAND_TRUE}" && test -z "${USE_RDRAND_FALSE}"; then
   as_fn_error $? "conditional \"USE_RDRAND\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -25981,6 +26164,10 @@ if test -z "${USE_PKCS11_TRUE}" && test -z "${USE_PKCS11_FALSE}"; then
   as_fn_error $? "conditional \"USE_PKCS11\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_TPM_TRUE}" && test -z "${USE_TPM_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TPM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_CHAPOLY_TRUE}" && test -z "${USE_CHAPOLY_FALSE}"; then
   as_fn_error $? "conditional \"USE_CHAPOLY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -26325,6 +26512,10 @@ if test -z "${USE_SOCKET_WIN_TRUE}" && test -z "${USE_SOCKET_WIN_FALSE}"; then
   as_fn_error $? "conditional \"USE_SOCKET_WIN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_BYPASS_LAN_TRUE}" && test -z "${USE_BYPASS_LAN_FALSE}"; then
+  as_fn_error $? "conditional \"USE_BYPASS_LAN\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_CONNMARK_TRUE}" && test -z "${USE_CONNMARK_FALSE}"; then
   as_fn_error $? "conditional \"USE_CONNMARK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -26533,10 +26724,6 @@ if test -z "${USE_AIKGEN_TRUE}" && test -z "${USE_AIKGEN_FALSE}"; then
   as_fn_error $? "conditional \"USE_AIKGEN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_AIKPUB2_TRUE}" && test -z "${USE_AIKPUB2_FALSE}"; then
-  as_fn_error $? "conditional \"USE_AIKPUB2\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_SWANCTL_TRUE}" && test -z "${USE_SWANCTL_FALSE}"; then
   as_fn_error $? "conditional \"USE_SWANCTL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -26966,7 +27153,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.5.1, which was
+This file was extended by strongSwan $as_me 5.5.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -27032,7 +27219,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.5.1
+strongSwan config.status 5.5.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -27471,6 +27658,7 @@ do
     "src/libstrongswan/plugins/mgf1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mgf1/Makefile" ;;
     "src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;;
     "src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;;
+    "src/libstrongswan/plugins/curve25519/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curve25519/Makefile" ;;
     "src/libstrongswan/plugins/rdrand/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rdrand/Makefile" ;;
     "src/libstrongswan/plugins/aesni/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/aesni/Makefile" ;;
     "src/libstrongswan/plugins/random/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/random/Makefile" ;;
@@ -27578,6 +27766,7 @@ do
     "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;;
     "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;;
     "src/libcharon/plugins/socket_win/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_win/Makefile" ;;
+    "src/libcharon/plugins/bypass_lan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/bypass_lan/Makefile" ;;
     "src/libcharon/plugins/connmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/connmark/Makefile" ;;
     "src/libcharon/plugins/forecast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/forecast/Makefile" ;;
     "src/libcharon/plugins/farp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/farp/Makefile" ;;
@@ -27624,6 +27813,7 @@ do
     "src/libcharon/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/attr_sql/Makefile" ;;
     "src/libcharon/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/tests/Makefile" ;;
     "src/libtpmtss/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtpmtss/Makefile" ;;
+    "src/libtpmtss/plugins/tpm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtpmtss/plugins/tpm/Makefile" ;;
     "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
     "src/ipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/ipsec/Makefile" ;;
     "src/starter/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/Makefile" ;;
@@ -27632,7 +27822,6 @@ do
     "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;;
     "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
     "src/aikgen/Makefile") CONFIG_FILES="$CONFIG_FILES src/aikgen/Makefile" ;;
-    "src/aikpub2/Makefile") CONFIG_FILES="$CONFIG_FILES src/aikpub2/Makefile" ;;
     "src/pki/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/Makefile" ;;
     "src/pki/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/man/Makefile" ;;
     "src/pool/Makefile") CONFIG_FILES="$CONFIG_FILES src/pool/Makefile" ;;
@@ -28956,5 +29145,7 @@ $as_echo "libstrongswan:$s_plugins" >&6; }
 $as_echo "libcharon:    $c_plugins" >&6; }
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: libtnccs:     $t_plugins" >&5
 $as_echo "libtnccs:     $t_plugins" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: libtpmtss:    $p_plugins" >&5
+$as_echo "libtpmtss:    $p_plugins" >&6; }
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
 $as_echo "" >&6; }
diff --git a/configure.ac b/configure.ac
index 622c79a..29988d3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.5.1])
+AC_INIT([strongSwan],[5.5.2])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -133,6 +133,7 @@ ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin
 ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
 ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
+ARG_DISBL_SET([curve25519],     [disable Curve25519 Diffie-Hellman plugin.])
 ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
 ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
 ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
@@ -200,6 +201,7 @@ ARG_ENABL_SET([ext-auth],       [enable plugin calling an external authorization
 ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
 ARG_ENABL_SET([keychain],       [enables OS X Keychain Services credential set.])
 ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
+ARG_ENABL_SET([tpm],            [enables the TPM plugin.])
 ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
 ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
 ARG_DISBL_SET([xauth-generic],  [disable generic XAuth backend.])
@@ -253,6 +255,7 @@ ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
 ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
 # misc plugins
 ARG_ENABL_SET([android-log],    [enable Android specific logger plugin.])
+ARG_ENABL_SET([bypass-lan],     [enable plugin to install bypass policies for local subnets.])
 ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
 ARG_ENABL_SET([connmark],       [enable connmark plugin using conntrack based marks to select return path SA.])
 ARG_ENABL_SET([forecast],       [enable forecast plugin forwarding broadcast/multicast messages.])
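Review bot: The help string added for `--enable-bypass-lan` does not say what a bypass policy means for traffic. That matters because the `ADD_PLUGIN([bypass-lan], [c charon nm cmd])` hunk further down puts the plugin into the charon, nm and cmd plugin lists once it is built. As I understand the plugin, traffic to locally attached subnets is then exempted from the IPsec policies, which changes what a full-tunnel client protects on an untrusted LAN. Consider wording such as `[enable plugin to install bypass policies for local subnets (traffic to them is exempted from IPsec).]` so packagers see the trade-off at configure time.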
@@ -269,7 +272,6 @@ ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
 ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
 # programs/components
 ARG_ENABL_SET([aikgen],         [enable AIK generator for TPM 1.2.])
-ARG_ENABL_SET([aikpub2],        [enable AIK extractor for TPM 2.0.])
 ARG_DISBL_SET([charon],         [disable the IKEv1/IKEv2 keying daemon charon.])
 ARG_ENABL_SET([cmd],            [enable the command line IKE client charon-cmd.])
 ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
@@ -462,10 +464,6 @@ if test x$aikgen = xtrue; then
 	tss_trousers=true
 fi
 
-if test x$aikpub2 = xtrue; then
-	tss_tss2=true
-fi
-
 if test x$ntru = xtrue -o x$bliss = xtrue; then
 	mgf1=true
 fi
@@ -898,7 +896,7 @@ AC_COMPILE_IFELSE(
 AM_CONDITIONAL(USE_X86X64, [test "x$x86x64" = xtrue])
 
 if test x$printf_hooks = xvstr; then
-	AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
+	AC_CHECK_LIB([vstr],[vstr_init],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
 	AC_DEFINE([USE_VSTR], [], [use Vstr string library for printf hooks])
 fi
 
@@ -908,7 +906,7 @@ fi
 
 if test x$gmp = xtrue; then
 	saved_LIBS=$LIBS
-	AC_CHECK_LIB([gmp],[main],[],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])],[])
+	AC_CHECK_LIB([gmp],[__gmpz_init],[],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])],[])
 	AC_MSG_CHECKING([mpz_powm_sec])
 	if test x$mpz_powm_sec = xyes; then
 		AC_COMPILE_IFELSE(
@@ -937,20 +935,20 @@ if test x$gmp = xtrue; then
 fi
 
 if test x$ldap = xtrue; then
-	AC_CHECK_LIB([ldap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])],[])
-	AC_CHECK_LIB([lber],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])],[])
+	AC_CHECK_LIB([ldap],[ldap_init],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])],[])
+	AC_CHECK_LIB([lber],[ber_free],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])],[])
 	AC_CHECK_HEADER([ldap.h],,[AC_MSG_ERROR([LDAP header ldap.h not found!])])
 fi
 
 if test x$curl = xtrue; then
-	AC_CHECK_LIB([curl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])],[])
+	AC_CHECK_LIB([curl],[curl_global_init],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])],[])
 	AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])])
 fi
 
 if test x$unbound = xtrue; then
-	AC_CHECK_LIB([ldns],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library ldns not found])],[])
+	AC_CHECK_LIB([ldns],[ldns_rr_get_type],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library ldns not found])],[])
 	AC_CHECK_HEADER([ldns/ldns.h],,[AC_MSG_ERROR([UNBOUND header ldns/ldns.h not found!])])
-	AC_CHECK_LIB([unbound],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library libunbound not found])],[])
+	AC_CHECK_LIB([unbound],[ub_ctx_create],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library libunbound not found])],[])
 	AC_CHECK_HEADER([unbound.h],,[AC_MSG_ERROR([UNBOUND header unbound.h not found!])])
 fi
 
@@ -987,7 +985,7 @@ if test x$systemd = xtrue; then
 fi
 
 if test x$tss_trousers = xtrue; then
-	AC_CHECK_LIB([tspi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])],[])
+	AC_CHECK_LIB([tspi],[Tspi_Context_Create],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])],[])
 	AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
 	AC_DEFINE([TSS_TROUSERS], [], [use TrouSerS library libtspi])
 fi
@@ -1046,34 +1044,39 @@ if test x$dumm = xtrue; then
 fi
 
 if test x$fast = xtrue; then
-	AC_CHECK_LIB([neo_cgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])],[])
-	AC_CHECK_LIB([neo_utl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])],[])
-	AC_MSG_CHECKING([ClearSilver requires zlib])
+	AC_CHECK_LIB([neo_utl],[hdf_init],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])],[])
+	AC_MSG_CHECKING([for -lneo_cgi and dependencies])
 	saved_CFLAGS=$CFLAGS
 	saved_LIBS=$LIBS
 	LIBS="-lneo_cgi -lneo_cs -lneo_utl"
 	CFLAGS="-I/usr/include/ClearSilver"
 	AC_LINK_IFELSE(
 		[AC_LANG_PROGRAM(
-			[[#include <ClearSilver.h>]],
+			[[#include <cgi/cgi.h>]],
 			[[NEOERR *err = cgi_display(NULL, NULL);]])],
-		[AC_MSG_RESULT([no]); clearsilver_LIBS="$LIBS"],
-		[AC_MSG_RESULT([yes]); clearsilver_LIBS="$LIBS -lz"]
+		[AC_MSG_RESULT([yes])],
+		[LIBS="$LIBS -lz";
+		 AC_LINK_IFELSE(
+			[AC_LANG_PROGRAM(
+				[[#include <cgi/cgi.h>]],
+				[[NEOERR *err = cgi_display(NULL, NULL);]])],
+			[AC_MSG_RESULT([yes, zlib required])],
+			[AC_MSG_ERROR([not found])]
+		 )]
 	)
+	clearsilver_LIBS="$LIBS"
 	AC_SUBST(clearsilver_LIBS)
 	LIBS=$saved_LIBS
 	CFLAGS=$saved_CFLAGS
-# autoconf does not like CamelCase!? How to fix this?
-#	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
 
-	AC_CHECK_LIB([fcgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])],[])
+	AC_CHECK_LIB([fcgi],[FCGX_Init],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])],[])
 	AC_CHECK_HEADER([fcgiapp.h],,[AC_MSG_ERROR([FastCGI header file fcgiapp.h not found!])])
 fi
 
 if test x$mysql = xtrue; then
 	if test "x$windows" = xtrue; then
 		AC_CHECK_HEADER([mysql.h],,[AC_MSG_ERROR([MySQL header file mysql.h not found!])])
-		AC_CHECK_LIB([mysql],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([MySQL library not found!])],[])
+		AC_CHECK_LIB([mysql],[mysql_database_init],[LIBS="$LIBS"],[AC_MSG_ERROR([MySQL library not found!])],[])
 		AC_SUBST(MYSQLLIB, -lmysql)
 	else
 		AC_PATH_PROG([MYSQLCONFIG], [mysql_config], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
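Review bot: The probe symbol chosen for the Windows MySQL check, `mysql_database_init`, does not look like a function exported by the MySQL client library. If it is not, `AC_CHECK_LIB` fails and configure aborts with "MySQL library not found!" even when the library is installed. Replacing `main` with a real symbol is the right direction throughout this hunk, but the symbol has to come from the library under test, for example `AC_CHECK_LIB([mysql],[mysql_init],[LIBS="$LIBS"],[AC_MSG_ERROR([MySQL library not found!])],[])`. Please confirm against the library's export list. The enclosing `if test x$mysql = xtrue` block continues past the end of the hunk.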
@@ -1086,7 +1089,7 @@ if test x$mysql = xtrue; then
 fi
 
 if test x$sqlite = xtrue; then
-	AC_CHECK_LIB([sqlite3],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])],[])
+	AC_CHECK_LIB([sqlite3],[sqlite3_open],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])],[])
 	AC_CHECK_HEADER([sqlite3.h],,[AC_MSG_ERROR([SQLite header sqlite3.h not found!])])
 	AC_MSG_CHECKING([sqlite3_prepare_v2])
 	AC_COMPILE_IFELSE(
@@ -1111,13 +1114,13 @@ if test x$sqlite = xtrue; then
 fi
 
 if test x$openssl = xtrue; then
-	AC_CHECK_LIB([$openssl_lib],[main],[LIBS="$LIBS"],
+	AC_CHECK_LIB([$openssl_lib],[EVP_CIPHER_CTX_new],[LIBS="$LIBS"],
 				 [AC_MSG_ERROR([OpenSSL lib$openssl_lib not found])],[$DLLIB])
 	AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
 fi
 
 if test x$gcrypt = xtrue; then
-	AC_CHECK_LIB([gcrypt],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
+	AC_CHECK_LIB([gcrypt],[gcry_control],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
 	AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
 	AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
 	AC_COMPILE_IFELSE(
@@ -1131,12 +1134,12 @@ if test x$gcrypt = xtrue; then
 fi
 
 if test x$uci = xtrue; then
-	AC_CHECK_LIB([uci],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
+	AC_CHECK_LIB([uci],[uci_alloc_context],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
 	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
 fi
 
 if test x$android_dns = xtrue; then
-	AC_CHECK_LIB([cutils],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
+	AC_CHECK_LIB([cutils],[property_get],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
 	AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
 	# we have to force the use of libdl here because the autodetection
 	# above does not work correctly when cross-compiling for android.
@@ -1160,7 +1163,7 @@ if test x$nm = xtrue; then
 fi
 
 if test x$xauth_pam = xtrue; then
-	AC_CHECK_LIB([pam],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])],[])
+	AC_CHECK_LIB([pam],[pam_start],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])],[])
 	AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
 fi
 
@@ -1180,7 +1183,7 @@ if test x$capabilities = xnative; then
 fi
 
 if test x$capabilities = xlibcap; then
-	AC_CHECK_LIB([cap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])],[])
+	AC_CHECK_LIB([cap],[cap_init],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])],[])
 	AC_CHECK_HEADER([sys/capability.h],
 		[AC_DEFINE([HAVE_SYS_CAPABILITY_H], [], [have sys/capability.h])],
 		[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
@@ -1211,7 +1214,7 @@ if test x$integrity_test = xtrue; then
 fi
 
 if test x$bfd_backtraces = xtrue; then
-	AC_CHECK_LIB([bfd],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])],[])
+	AC_CHECK_LIB([bfd],[bfd_init],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])],[])
 	AC_CHECK_HEADER([bfd.h],[AC_DEFINE([HAVE_BFD_H],,[have binutils bfd.h])],
 		[AC_MSG_ERROR([binutils bfd.h header not found!])])
 	BFDLIB="-lbfd"
@@ -1219,7 +1222,7 @@ if test x$bfd_backtraces = xtrue; then
 fi
 
 if test x$unwind_backtraces = xtrue; then
-	AC_CHECK_LIB([unwind],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libunwind not found!])],[])
+	AC_CHECK_LIB([unwind],[unw_backtrace],[LIBS="$LIBS"],[AC_MSG_ERROR([libunwind not found!])],[])
 	AC_CHECK_HEADER([libunwind.h],[AC_DEFINE([HAVE_LIBUNWIND_H],,[have libunwind.h])],
 		[AC_MSG_ERROR([libunwind.h header not found!])])
 	UNWINDLIB="-lunwind"
@@ -1313,15 +1316,17 @@ cmd_plugins=
 aikgen_plugins=
 
 # location specific lists for checksumming,
-# for src/libcharon, src/libstrongswan and src/libtnccs
+# for src/libcharon, src/libstrongswan, src/libtnccs and src/libtpmtss
 c_plugins=
 s_plugins=
 t_plugins=
+p_plugins=
 
 ADD_PLUGIN([test-vectors],         [s charon scepclient pki])
 ADD_PLUGIN([unbound],              [s charon scripts])
 ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm cmd])
 ADD_PLUGIN([pkcs11],               [s charon pki nm cmd])
+ADD_PLUGIN([tpm],                  [p charon pki nm cmd])
 ADD_PLUGIN([aesni],                [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
@@ -1357,6 +1362,7 @@ ADD_PLUGIN([gcrypt],               [s charon scepclient pki scripts manager meds
 ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([fips-prf],             [s charon nm cmd])
 ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([curve25519],           [s charon scripts nm cmd])
 ADD_PLUGIN([agent],                [s charon nm cmd])
 ADD_PLUGIN([keychain],             [s charon cmd])
 ADD_PLUGIN([chapoly],              [s charon scripts nm cmd])
@@ -1388,6 +1394,7 @@ ADD_PLUGIN([resolve],              [c charon cmd])
 ADD_PLUGIN([socket-default],       [c charon nm cmd])
 ADD_PLUGIN([socket-dynamic],       [c charon cmd])
 ADD_PLUGIN([socket-win],           [c charon])
+ADD_PLUGIN([bypass-lan],           [c charon nm cmd])
 ADD_PLUGIN([connmark],             [c charon])
 ADD_PLUGIN([forecast],             [c charon])
 ADD_PLUGIN([farp],                 [c charon])
@@ -1462,7 +1469,7 @@ AC_SUBST(cmd_plugins)
 AC_SUBST(aikgen_plugins)
 
 AC_SUBST(c_plugins)
-AC_SUBST(h_plugins)
+AC_SUBST(p_plugins)
 AC_SUBST(s_plugins)
 AC_SUBST(t_plugins)
 
@@ -1491,6 +1498,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue)
 AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue)
 AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
 AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
+AM_CONDITIONAL(USE_CURVE25519, test x$curve25519 = xtrue)
 AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
 AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue)
 AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
@@ -1519,6 +1527,7 @@ AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
 AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
 AM_CONDITIONAL(USE_KEYCHAIN, test x$keychain = xtrue)
 AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
+AM_CONDITIONAL(USE_TPM, test x$tpm = xtrue)
 AM_CONDITIONAL(USE_CHAPOLY, test x$chapoly = xtrue)
 AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
 AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
@@ -1608,6 +1617,7 @@ AM_CONDITIONAL(USE_IMV_HCD, test x$imv_hcd = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
 AM_CONDITIONAL(USE_SOCKET_WIN, test x$socket_win = xtrue)
+AM_CONDITIONAL(USE_BYPASS_LAN, test x$bypass_lan = xtrue)
 AM_CONDITIONAL(USE_CONNMARK, test x$connmark = xtrue)
 AM_CONDITIONAL(USE_FORECAST, test x$forecast = xtrue)
 AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
@@ -1637,14 +1647,14 @@ AM_CONDITIONAL(USE_PKI, test x$pki = xtrue)
 AM_CONDITIONAL(USE_SCEPCLIENT, test x$scepclient = xtrue)
 AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
 AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$aikpub2 = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
 AM_CONDITIONAL(USE_LIBNTTFFT, test x$bliss = xtrue -o x$newhope = xtrue)
 AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
-AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$aikgen = xtrue -o x$aikpub2 = xtrue -o x$imcv = xtrue)
+AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm -o x$aikgen = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
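Review bot: The new `x$tpm` operand in the `USE_LIBTPMTSS` conditional is missing its `= xtrue` comparison. `test` therefore treats it as a non-empty-string check, which always succeeds because of the `x` prefix, and the whole `-o` chain is true whatever was configured. It should read `-o x$tpm = xtrue -o` like the operands around it. The same expression appears in the generated `configure` hunk (`@@ -25306,7 +25496,7 @@`) and will be corrected when the script is regenerated. As written, libtpmtss appears to be built in every configuration, including ones that enabled no TPM or IMCV feature, which adds code to the build that nobody asked for.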
@@ -1663,7 +1673,6 @@ AM_CONDITIONAL(USE_DBGHELP, test x$dbghelp_backtraces = xtrue)
 AM_CONDITIONAL(USE_TKM, test x$tkm = xtrue)
 AM_CONDITIONAL(USE_CMD, test x$cmd = xtrue)
 AM_CONDITIONAL(USE_AIKGEN, test x$aikgen = xtrue)
-AM_CONDITIONAL(USE_AIKPUB2, test x$aikpub2 = xtrue)
 AM_CONDITIONAL(USE_SWANCTL, test x$swanctl = xtrue)
 AM_CONDITIONAL(USE_SVC, test x$svc = xtrue)
 AM_CONDITIONAL(USE_SYSTEMD, test x$systemd = xtrue)
@@ -1703,7 +1712,6 @@ fi
 strongswan_options=
 
 AM_COND_IF([USE_AIKGEN], [strongswan_options=${strongswan_options}" aikgen"])
-AM_COND_IF([USE_AIKPUB2], [strongswan_options=${strongswan_options}" aikpub2"])
 AM_COND_IF([USE_ATTR_SQL], [strongswan_options=${strongswan_options}" pool"])
 AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging"])
 AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"])
@@ -1748,6 +1756,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/mgf1/Makefile
 	src/libstrongswan/plugins/fips_prf/Makefile
 	src/libstrongswan/plugins/gmp/Makefile
+	src/libstrongswan/plugins/curve25519/Makefile
 	src/libstrongswan/plugins/rdrand/Makefile
 	src/libstrongswan/plugins/aesni/Makefile
 	src/libstrongswan/plugins/random/Makefile
@@ -1855,6 +1864,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/socket_default/Makefile
 	src/libcharon/plugins/socket_dynamic/Makefile
 	src/libcharon/plugins/socket_win/Makefile
+	src/libcharon/plugins/bypass_lan/Makefile
 	src/libcharon/plugins/connmark/Makefile
 	src/libcharon/plugins/forecast/Makefile
 	src/libcharon/plugins/farp/Makefile
@@ -1901,6 +1911,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/attr_sql/Makefile
 	src/libcharon/tests/Makefile
 	src/libtpmtss/Makefile
+	src/libtpmtss/plugins/tpm/Makefile
 	src/stroke/Makefile
 	src/ipsec/Makefile
 	src/starter/Makefile
@@ -1909,7 +1920,6 @@ AC_CONFIG_FILES([
 	src/_copyright/Makefile
 	src/scepclient/Makefile
 	src/aikgen/Makefile
-	src/aikpub2/Makefile
 	src/pki/Makefile
 	src/pki/man/Makefile
 	src/pool/Makefile
@@ -1968,4 +1978,5 @@ AC_MSG_RESULT([-----------------------------------------------------])
 AC_MSG_RESULT([libstrongswan:$s_plugins])
 AC_MSG_RESULT([libcharon:    $c_plugins])
 AC_MSG_RESULT([libtnccs:     $t_plugins])
+AC_MSG_RESULT([libtpmtss:    $p_plugins])
 AC_MSG_RESULT([])
diff --git a/init/Makefile.in b/init/Makefile.in
index 9ae5e47..e1600d0 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -336,7 +336,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -371,6 +370,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/init/systemd-swanctl/Makefile.in b/init/systemd-swanctl/Makefile.in
index 190eb8f..adb2809 100644
--- a/init/systemd-swanctl/Makefile.in
+++ b/init/systemd-swanctl/Makefile.in
@@ -304,7 +304,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -339,6 +338,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/init/systemd-swanctl/strongswan-swanctl.service.in b/init/systemd-swanctl/strongswan-swanctl.service.in
index 944101f..e53c0c6 100644
--- a/init/systemd-swanctl/strongswan-swanctl.service.in
+++ b/init/systemd-swanctl/strongswan-swanctl.service.in
@@ -1,12 +1,13 @@
 [Unit]
 Description=strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
-After=network.target
+After=network-online.target
 
 [Service]
 Type=notify
 ExecStart=@SBINDIR@/charon-systemd
 ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
 ExecReload=@SBINDIR@/swanctl --reload
+Restart=on-abnormal
 
 [Install]
 WantedBy=multi-user.target
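Review bot: `After=network-online.target` only orders this unit and does not pull that target into the boot transaction. Unless some other unit wants it, the daemon can still start before the network is configured. Add `Wants=network-online.target` next to the `After=` line in `[Unit]`. The same applies to the `After=syslog.target network-online.target` line in the `init/systemd/strongswan.service.in` hunk further down.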
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index 325a4e3..593727d 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -304,7 +304,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -339,6 +338,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/init/systemd/strongswan.service.in b/init/systemd/strongswan.service.in
index 49c1cd0..474284a 100644
--- a/init/systemd/strongswan.service.in
+++ b/init/systemd/strongswan.service.in
@@ -1,10 +1,11 @@
 [Unit]
 Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
-After=syslog.target network.target
+After=syslog.target network-online.target
 
 [Service]
 ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
 StandardOutput=syslog
+Restart=on-abnormal
 
 [Install]
 WantedBy=multi-user.target
diff --git a/man/Makefile.in b/man/Makefile.in
index 4d04d25..61f825c 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -310,7 +310,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -345,6 +344,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 6f80709..5d1c639 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -554,6 +554,11 @@ If
 .B %any
 is used for the remote endpoint it literally means any IP address.
 
+If an
+.B FQDN
+is assigned it is resolved every time a configuration lookup is done. If DNS
+resolution times out, the lookup is delayed for that time.
+
 To limit the connection to a  specific range of hosts, a range (
 .BR 10.1.0.0-10.2.255.255
 ) or a subnet (
@@ -908,7 +913,9 @@ the greatest common subnet. In IKEv1, this may lead to problems with other
 implementations, make sure to configure identical subnets in such
 configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
 interprets the first subnet of such a definition, unless the Cisco Unity
-extension plugin is enabled.
+extension plugin is enabled. This is due to a limitation of the IKEv1 protocol,
+which only allows a single pair of subnets per CHILD_SA. So to tunnel several
+subnets a conn entry has to be defined and brought up for each pair of subnets.
 
 The optional part after each subnet enclosed in square brackets specifies a
 protocol/port to restrict the selector for that subnet.
@@ -1053,6 +1060,7 @@ and
 .B pull
 (the default).
 Push mode is currently not supported with IKEv2.
+The setting must be the same on both sides.
 .TP
 .BR reauth " = " yes " | no"
 whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 606efcf..6b8319c 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -418,7 +418,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -453,6 +452,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index 0643ea9..c2cac02 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -46,6 +46,7 @@ struct {
 	{"ecp521",			ECP_521_BIT},
 	{"ecp192",			ECP_192_BIT},
 	{"ecp224",			ECP_224_BIT},
+	{"curve25519",		CURVE_25519},
 };
 
 static void start_timing(struct timespec *start)
@@ -65,7 +66,7 @@ static double end_timing(struct timespec *start)
 static void run_test(diffie_hellman_group_t group, int rounds)
 {
 	diffie_hellman_t *l[rounds], *r;
-	chunk_t chunk;
+	chunk_t chunk, chunks[rounds], lsecrets[rounds], rsecrets[rounds];
 	struct timespec timing;
 	int round;
 
@@ -77,21 +78,21 @@ static void run_test(diffie_hellman_group_t group, int rounds)
 		return;
 	}
 
-	printf("%N:\t",
-			diffie_hellman_group_names, group);
+	printf("%N:\t", diffie_hellman_group_names, group);
 
 	start_timing(&timing);
 	for (round = 0; round < rounds; round++)
 	{
 		l[round] = lib->crypto->create_dh(lib->crypto, group);
+		assert(l[round]->get_my_public_value(l[round], &chunks[round]));
 	}
 	printf("A = g^a/s: %8.1f", rounds / end_timing(&timing));
 
 	for (round = 0; round < rounds; round++)
 	{
-		assert(l[round]->get_my_public_value(l[round], &chunk));
-		assert(r->set_other_public_value(r, chunk));
-		chunk_free(&chunk);
+		assert(r->set_other_public_value(r, chunks[round]));
+		assert(r->get_shared_secret(r, &rsecrets[round]));
+		chunk_free(&chunks[round]);
 	}
 
 	assert(r->get_my_public_value(r, &chunk));
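Review bot: The calls that fill `chunks[round]` and `rsecrets[round]` exist only as `assert()` arguments, so if this script is ever built with NDEBUG defined they are compiled out and `chunk_free(&chunks[round])` then operates on an uninitialised array element. The file already used this pattern, but the new arrays make the consequence worse. The same holds in the following hunk, where `lsecrets[round]` is filled and compared inside `assert()` and `free()` would then receive indeterminate pointers. Making each call unconditional and testing its result keeps the benchmark and its equality check valid in any build, e.g. `if (!r->get_shared_secret(r, &rsecrets[round])) { abort(); }`. run_test's body starts in the previous hunk and continues past this one.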
@@ -99,12 +100,16 @@ static void run_test(diffie_hellman_group_t group, int rounds)
 	for (round = 0; round < rounds; round++)
 	{
 		assert(l[round]->set_other_public_value(l[round], chunk));
+		assert(l[round]->get_shared_secret(l[round], &lsecrets[round]));
 	}
 	printf(" | S = B^a/s: %8.1f\n", rounds / end_timing(&timing));
 	chunk_free(&chunk);
 
 	for (round = 0; round < rounds; round++)
 	{
+		assert(chunk_equals(rsecrets[round], lsecrets[round]));
+		free(lsecrets[round].ptr);
+		free(rsecrets[round].ptr);
 		l[round]->destroy(l[round]);
 	}
 	r->destroy(r);
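Review bot: The two shared secrets are released with plain `free()` on the `.ptr` member, which leaves the key material in freed heap memory and departs from the `chunk_free()` calls used for the public values in the same function. Since these chunks hold DH shared secrets, `chunk_clear(&lsecrets[round]);` and `chunk_clear(&rsecrets[round]);` would wipe them before freeing and keep the release style uniform. This is a benchmark with throwaway keys, so the exposure is small. The end of run_test is outside the hunk.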
diff --git a/src/Makefile.am b/src/Makefile.am
index 938335e..df171b2 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -135,7 +135,3 @@ endif
 if USE_AIKGEN
   SUBDIRS += aikgen
 endif
-
-if USE_AIKPUB2
-  SUBDIRS += aikpub2
-endif
diff --git a/src/Makefile.in b/src/Makefile.in
index 16b1d28..b102370 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -121,7 +121,6 @@ host_triplet = @host@
 @USE_LIBPTTLS_TRUE at am__append_32 = pt-tls-client
 @USE_INTEGRITY_TEST_TRUE at am__append_33 = checksum
 @USE_AIKGEN_TRUE at am__append_34 = aikgen
- at USE_AIKPUB2_TRUE@am__append_35 = aikpub2
 subdir = src
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -200,7 +199,7 @@ DIST_SUBDIRS = . include libstrongswan libipsec libsimaka libtls \
 	libcharon starter ipsec _copyright charon charon-systemd \
 	charon-nm stroke _updown scepclient pki swanctl conftest dumm \
 	libfast manager medsrv pool charon-tkm charon-cmd charon-svc \
-	pt-tls-client checksum aikgen aikpub2
+	pt-tls-client checksum aikgen
 am__DIST_COMMON = $(srcdir)/Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
@@ -374,7 +373,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -409,6 +407,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -469,7 +468,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_25) $(am__append_26) $(am__append_27) \
 	$(am__append_28) $(am__append_29) $(am__append_30) \
 	$(am__append_31) $(am__append_32) $(am__append_33) \
-	$(am__append_34) $(am__append_35)
+	$(am__append_34)
 all: all-recursive
 
 .SUFFIXES:
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index ce9ce1f..aa94c55 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -326,7 +326,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -361,6 +360,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 37a57af..46b81cb 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -304,7 +304,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -339,6 +338,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in
index 149e739..6b19041 100644
--- a/src/aikgen/Makefile.in
+++ b/src/aikgen/Makefile.in
@@ -327,7 +327,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -362,6 +361,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/aikpub2/Makefile.am b/src/aikpub2/Makefile.am
deleted file mode 100644
index a9ab138..0000000
--- a/src/aikpub2/Makefile.am
+++ /dev/null
@@ -1,15 +0,0 @@
-bin_PROGRAMS = aikpub2
-
-aikpub2_SOURCES = aikpub2.c
-
-aikpub2_LDADD = \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libtpmtss/libtpmtss.la
-
-aikpub2.o :	$(top_builddir)/config.status
-
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libtpmtss \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-	-DPLUGINS=\""${aikgen_plugins}\""
diff --git a/src/aikpub2/Makefile.in b/src/aikpub2/Makefile.in
deleted file mode 100644
index 62be867..0000000
--- a/src/aikpub2/Makefile.in
+++ /dev/null
@@ -1,762 +0,0 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
- at SET_MAKE@
-
-VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-bin_PROGRAMS = aikpub2$(EXEEXT)
-subdir = src/aikpub2
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/split-package-version.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)"
-PROGRAMS = $(bin_PROGRAMS)
-am_aikpub2_OBJECTS = aikpub2.$(OBJEXT)
-aikpub2_OBJECTS = $(am_aikpub2_OBJECTS)
-aikpub2_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libtpmtss/libtpmtss.la
-AM_V_lt = $(am__v_lt_ at AM_V@)
-am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 = 
-AM_V_P = $(am__v_P_ at AM_V@)
-am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_ at AM_V@)
-am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_ at AM_V@)
-am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_ at AM_V@)
-am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
-am__v_CC_0 = @echo "  CC      " $@;
-am__v_CC_1 = 
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo "  CCLD    " $@;
-am__v_CCLD_1 = 
-SOURCES = $(aikpub2_SOURCES)
-DIST_SOURCES = $(aikpub2_SOURCES)
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates.  Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
-  BEGIN { nonempty = 0; } \
-  { items[$$0] = 1; nonempty = 1; } \
-  END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique.  This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
-  list='$(am__tagged_files)'; \
-  unique=`for i in $$list; do \
-    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
-am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AR = @AR@
-ATOMICLIB = @ATOMICLIB@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BFDLIB = @BFDLIB@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
-COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-EASY_INSTALL = @EASY_INSTALL@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GEM = @GEM@
-GENHTML = @GENHTML@
-GPERF = @GPERF@
-GPRBUILD = @GPRBUILD@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LCOV = @LCOV@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OPENSSL_LIB = @OPENSSL_LIB@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
-PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
-PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
-PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
-PTHREADLIB = @PTHREADLIB@
-PYTHON = @PYTHON@
-PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-PY_TEST = @PY_TEST@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYGEMDIR = @RUBYGEMDIR@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-UNWINDLIB = @UNWINDLIB@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-aikgen_plugins = @aikgen_plugins@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-charon_natt_port = @charon_natt_port@
-charon_plugins = @charon_plugins@
-charon_udp_port = @charon_udp_port@
-clearsilver_LIBS = @clearsilver_LIBS@
-cmd_plugins = @cmd_plugins@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dev_headers = @dev_headers@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-fips_mode = @fips_mode@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsec_script = @ipsec_script@
-ipsec_script_upper = @ipsec_script_upper@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-json_CFLAGS = @json_CFLAGS@
-json_LIBS = @json_LIBS@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libiptc_CFLAGS = @libiptc_CFLAGS@
-libiptc_LIBS = @libiptc_LIBS@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-nm_plugins = @nm_plugins@
-oldincludedir = @oldincludedir@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-runstatedir = @runstatedir@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-strongswan_options = @strongswan_options@
-swanctldir = @swanctldir@
-sysconfdir = @sysconfdir@
-systemd_CFLAGS = @systemd_CFLAGS@
-systemd_LIBS = @systemd_LIBS@
-systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
-systemd_daemon_LIBS = @systemd_daemon_LIBS@
-systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
-systemd_journal_LIBS = @systemd_journal_LIBS@
-systemdsystemunitdir = @systemdsystemunitdir@
-t_plugins = @t_plugins@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-tss2_CFLAGS = @tss2_CFLAGS@
-tss2_LIBS = @tss2_LIBS@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-aikpub2_SOURCES = aikpub2.c
-aikpub2_LDADD = \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libtpmtss/libtpmtss.la
-
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libtpmtss \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-	-DPLUGINS=\""${aikgen_plugins}\""
-
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/aikpub2/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/aikpub2/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-binPROGRAMS: $(bin_PROGRAMS)
-	@$(NORMAL_INSTALL)
-	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
-	fi; \
-	for p in $$list; do echo "$$p $$p"; done | \
-	sed 's/$(EXEEXT)$$//' | \
-	while read p p1; do if test -f $$p \
-	 || test -f $$p1 \
-	  ; then echo "$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n;h' \
-	    -e 's|.*|.|' \
-	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
-	sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
-	    else { print "f", $$3 "/" $$4, $$1; } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	    test -z "$$files" || { \
-	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
-	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
-	    } \
-	; done
-
-uninstall-binPROGRAMS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-	      -e 's/$$/$(EXEEXT)/' \
-	`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(bindir)" && rm -f $$files
-
-clean-binPROGRAMS:
-	@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
-	echo " rm -f" $$list; \
-	rm -f $$list || exit $$?; \
-	test -n "$(EXEEXT)" || exit 0; \
-	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
-	echo " rm -f" $$list; \
-	rm -f $$list
-
-aikpub2$(EXEEXT): $(aikpub2_OBJECTS) $(aikpub2_DEPENDENCIES) $(EXTRA_aikpub2_DEPENDENCIES) 
-	@rm -f aikpub2$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(aikpub2_OBJECTS) $(aikpub2_LDADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/aikpub2.Po at am__quote@
-
-.c.o:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
- at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
- at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
- at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(am__tagged_files)
-	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	set x; \
-	here=`pwd`; \
-	$(am__define_uniq_tagged_files); \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: ctags-am
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	$(am__define_uniq_tagged_files); \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
-
-cscopelist-am: $(am__tagged_files)
-	list='$(am__tagged_files)'; \
-	case "$(srcdir)" in \
-	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
-	  *) sdir=$(subdir)/$(srcdir) ;; \
-	esac; \
-	for i in $$list; do \
-	  if test -f "$$i"; then \
-	    echo "$(subdir)/$$i"; \
-	  else \
-	    echo "$$sdir/$$i"; \
-	  fi; \
-	done >> $(top_builddir)/cscope.files
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(PROGRAMS)
-installdirs:
-	for dir in "$(DESTDIR)$(bindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am:
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am: install-binPROGRAMS
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-binPROGRAMS
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \
-	clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \
-	ctags ctags-am distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-binPROGRAMS \
-	install-data install-data-am install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-am uninstall uninstall-am uninstall-binPROGRAMS
-
-.PRECIOUS: Makefile
-
-
-aikpub2.o :	$(top_builddir)/config.status
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/aikpub2/aikpub2.c b/src/aikpub2/aikpub2.c
deleted file mode 100644
index fea58ed..0000000
--- a/src/aikpub2/aikpub2.c
+++ /dev/null
@@ -1,305 +0,0 @@
-/*
- * Copyright (C) 2016 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "tpm_tss.h"
-
-#include <library.h>
-#include <utils/debug.h>
-#include <utils/optionsfrom.h>
-
-#include <syslog.h>
-#include <getopt.h>
-#include <errno.h>
-
-/* default directory where AIK keys are stored */
-#define AIK_DIR							IPSEC_CONFDIR "/pts/"
-
-/* default name of AIK public key blob */
-#define DEFAULT_FILENAME_AIKPUBKEY		AIK_DIR "aikPub.der"
-
-/* logging */
-static bool log_to_stderr = TRUE;
-static bool log_to_syslog = TRUE;
-static level_t default_loglevel = 1;
-
-/* options read by optionsfrom */
-options_t *options;
-
-chunk_t aik_pubkey;
-chunk_t aik_keyid;
-
-/**
- * logging function for aikpub2
- */
-static void aikpub2_dbg(debug_t group, level_t level, char *fmt, ...)
-{
-	char buffer[8192];
-	char *current = buffer, *next;
-	va_list args;
-
-	if (level <= default_loglevel)
-	{
-		if (log_to_stderr)
-		{
-			va_start(args, fmt);
-			vfprintf(stderr, fmt, args);
-			va_end(args);
-			fprintf(stderr, "\n");
-		}
-		if (log_to_syslog)
-		{
-			/* write in memory buffer first */
-			va_start(args, fmt);
-			vsnprintf(buffer, sizeof(buffer), fmt, args);
-			va_end(args);
-
-			/* do a syslog with every line */
-			while (current)
-			{
-				next = strchr(current, '\n');
-				if (next)
-				{
-					*(next++) = '\0';
-				}
-				syslog(LOG_INFO, "%s\n", current);
-				current = next;
-			}
-		}
-	}
-}
-
-/**
- * Initialize logging to stderr/syslog
- */
-static void init_log(const char *program)
-{
-	dbg = aikpub2_dbg;
-
-	if (log_to_stderr)
-	{
-		setbuf(stderr, NULL);
-	}
-	if (log_to_syslog)
-	{
-		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
-	}
-}
-
-/**
- * @brief exit aikgen
- *
- * @param status 0 = OK, -1 = general discomfort
- */
-static void exit_aikpub2(err_t message, ...)
-{
-	int status = 0;
-
-	free(aik_pubkey.ptr);
-	free(aik_keyid.ptr);
-	options->destroy(options);
-
-	/* print any error message to stderr */
-	if (message != NULL && *message != '\0')
-	{
-		va_list args;
-		char m[8192];
-
-		va_start(args, message);
-		vsnprintf(m, sizeof(m), message, args);
-		va_end(args);
-
-		fprintf(stderr, "aikpub2 error: %s\n", m);
-		status = -1;
-	}
-	library_deinit();
-	exit(status);
-}
-
-/**
- * @brief prints the usage of the program to the stderr output
- *
- * If message is set, program is exited with 1 (error)
- * @param message message in case of an error
- */
-static void usage(const char *message)
-{
-	fprintf(stderr,
-		"Usage: aikpub2  --handle <handle> --out <filename>\n"
-		"               [--force] [--quiet] [--debug <level>]\n"
-		"       aikpub2  --help\n"
-		"\n"
-		"Options:\n"
-		" --handle (-H)     TSS 2.0 AIK object handle\n"
-		" --out (-o)        AIK public key in PKCS #1 format\n"
-		" --force (-f)      force to overwrite existing files\n"
-		" --help (-h)       show usage and exit\n"
-		"\n"
-		"Debugging output:\n"
-		" --debug (-l)      changes the log level (-1..4, default: 1)\n"
-		" --quiet (-q)      do not write log output to stderr\n"
-		);
-	exit_aikpub2(message);
-}
-
-
-/**
- * @brief main of aikpub2 which extracts an Attestation Identity Key (AIK)
- *
- * @param argc number of arguments
- * @param argv pointer to the argument values
- */
-int main(int argc, char *argv[])
-{
-	/* external values */
-	extern char * optarg;
-	extern int optind;
-
-	char *aik_out_filename = DEFAULT_FILENAME_AIKPUBKEY;
-	uint32_t aik_handle = 0;
-	bool force = FALSE;
-	hasher_t *hasher;
-	tpm_tss_t *tpm;
-
-	atexit(library_deinit);
-	if (!library_init(NULL, "aikpub2"))
-	{
-		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
-	}
-	if (lib->integrity &&
-		!lib->integrity->check_file(lib->integrity, "aikpub2", argv[0]))
-	{
-		fprintf(stderr, "integrity check of aikpub2 failed\n");
-		exit(SS_RC_DAEMON_INTEGRITY);
-	}
-
-	/* initialize global variables */
-	options = options_create();
-
-	for (;;)
-	{
-		static const struct option long_opts[] = {
-			/* name, has_arg, flag, val */
-			{ "help", no_argument, NULL, 'h' },
-			{ "optionsfrom", required_argument, NULL, '+' },
-			{ "handle", required_argument, NULL, 'H' },
-			{ "in", required_argument, NULL, 'i' },
-			{ "out", required_argument, NULL, 'o' },
-			{ "force", no_argument, NULL, 'f' },
-			{ "quiet", no_argument, NULL, 'q' },
-			{ "debug", required_argument, NULL, 'l' },
-			{ 0,0,0,0 }
-		};
-
-		/* parse next option */
-		int c = getopt_long(argc, argv, "h+:H:i:o:fql:", long_opts, NULL);
-
-		switch (c)
-		{
-			case EOF:       /* end of flags */
-				break;
-
-			case 'h':       /* --help */
-				usage(NULL);
-
-			case '+':       /* --optionsfrom <filename> */
-				if (!options->from(options, optarg, &argc, &argv, optind))
-				{
-					exit_aikpub2("optionsfrom failed");
-				}
-				continue;
-
-			case 'H':       /* --handle <handle> */
-				aik_handle = strtoll(optarg, NULL, 16);
-				continue;
-
-			case 'o':       /* --out <filename> */
-				aik_out_filename = optarg;
-				continue;
-
-			case 'f':       /* --force */
-				force = TRUE;
-				continue;
-
-			case 'q':       /* --quiet */
-				log_to_stderr = FALSE;
-				continue;
-
-			case 'l':		/* --debug <level> */
-				default_loglevel = atoi(optarg);
-				continue;
-
-			default:
-				usage("unknown option");
-		}
-		/* break from loop */
-		break;
-	}
-
-	init_log("aikpub2");
-
-	if (!lib->plugins->load(lib->plugins,
-			lib->settings->get_str(lib->settings, "aikpub2.load", PLUGINS)))
-	{
-		exit_aikpub2("plugin loading failed");
-	}
-	if (!aik_handle)
-	{
-		usage("--handle option is required");
-	}
-
-	/* try to find a TPM 2.0 */
-	tpm = tpm_tss_probe(TPM_VERSION_2_0);
-	if (!tpm)
-	{
-		exit_aikpub2("no TPM 2.0 found");	
-	}
-
-	/* get AIK public key from TPM */
-	aik_pubkey = tpm->get_public(tpm, aik_handle);
-	tpm->destroy(tpm);
-
-	/* exit if AIK public key retrieval failed */
-	if (aik_pubkey.len == 0)
-	{
-		exit_aikpub2("retrieval of AIK public key failed");
-	}
-
-	/* store AIK subjectPublicKeyInfo to file */
-	if (!chunk_write(aik_pubkey, aik_out_filename, 0022, force))
-	{
-		exit_aikpub2("could not write AIK public key file '%s': %s",
-					  aik_out_filename, strerror(errno));
-	}
-	DBG1(DBG_LIB, "AIK public key written to '%s' (%u bytes)",
-				   aik_out_filename, aik_pubkey.len);
-
-	/* AIK keyid derived from subjectPublicKeyInfo encoding */
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (!hasher)
-	{
-		exit_aikpub2("SHA1 hash algorithm not supported");
-	}
-	if (!hasher->allocate_hash(hasher, aik_pubkey, &aik_keyid))
-	{
-		hasher->destroy(hasher);
-		exit_aikpub2("computing SHA1 fingerprint failed");
-	}
-	hasher->destroy(hasher);
-
-	DBG1(DBG_LIB, "AIK keyid: %#B", &aik_keyid);
-
-	exit_aikpub2(NULL);
-	return -1; /* should never be reached */
-}
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index fb43e4e..3a5f028 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -364,7 +364,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -399,6 +398,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index f350198..7934964 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -40,11 +40,6 @@
 static level_t default_loglevel = LEVEL_CTRL;
 
 /**
- * Loglevel configuration
- */
-static level_t levels[DBG_MAX];
-
-/**
  * Connection to initiate
  */
 static cmd_connection_t *conn;
@@ -129,7 +124,7 @@ static int run()
 					 "configuration");
 				if (lib->settings->load_files(lib->settings, lib->conf, FALSE))
 				{
-					charon->load_loggers(charon, levels, TRUE);
+					charon->load_loggers(charon);
 					lib->plugins->reload(lib->plugins, NULL);
 				}
 				else
@@ -311,6 +306,7 @@ int main(int argc, char *argv[])
 {
 	struct sigaction action;
 	struct utsname utsname;
+	level_t levels[DBG_MAX];
 	int group;
 
 	/* handle simple arguments */
@@ -338,7 +334,8 @@ int main(int argc, char *argv[])
 	{
 		levels[group] = default_loglevel;
 	}
-	charon->load_loggers(charon, levels, TRUE);
+	charon->set_default_loggers(charon, levels, TRUE);
+	charon->load_loggers(charon);
 
 	if (!lookup_uid_gid())
 	{
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 7f05b35..90cdb8c 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index cbbed7a..ca12db8 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -192,7 +192,7 @@ int main(int argc, char *argv[])
 	lib->settings->set_int(lib->settings, "charon-nm.syslog.daemon.default",
 		lib->settings->get_int(lib->settings,
 							   "charon-nm.syslog.daemon.default", 1));
-	charon->load_loggers(charon, NULL, FALSE);
+	charon->load_loggers(charon);
 
 	/* use random ports to avoid conflicts with regular charon */
 	lib->settings->set_int(lib->settings, "charon-nm.port", 0);
diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in
index e9cb266..7dd0fb6 100644
--- a/src/charon-svc/Makefile.in
+++ b/src/charon-svc/Makefile.in
@@ -327,7 +327,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -362,6 +361,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-svc/charon-svc.c b/src/charon-svc/charon-svc.c
index 823b366..7201fae 100644
--- a/src/charon-svc/charon-svc.c
+++ b/src/charon-svc/charon-svc.c
@@ -220,7 +220,8 @@ static void init_and_run(DWORD dwArgc, LPTSTR *lpszArgv, int (*wait)())
 			update_status(SERVICE_START_PENDING);
 			if (libcharon_init())
 			{
-				charon->load_loggers(charon, levels, TRUE);
+				charon->set_default_loggers(charon, levels, TRUE);
+				charon->load_loggers(charon);
 				print_version();
 				update_status(SERVICE_START_PENDING);
 				if (charon->initialize(charon, PLUGINS))
diff --git a/src/charon-systemd/Makefile.in b/src/charon-systemd/Makefile.in
index c1aa833..1959818 100644
--- a/src/charon-systemd/Makefile.in
+++ b/src/charon-systemd/Makefile.in
@@ -331,7 +331,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -366,6 +365,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c
index 5c7bbd7..60e509f 100644
--- a/src/charon-systemd/charon-systemd.c
+++ b/src/charon-systemd/charon-systemd.c
@@ -241,6 +241,7 @@ static int run()
 	sigset_t set;
 
 	sigemptyset(&set);
+	sigaddset(&set, SIGHUP);
 	sigaddset(&set, SIGTERM);
 	sigprocmask(SIG_BLOCK, &set, NULL);
 
@@ -262,6 +263,21 @@ static int run()
 		}
 		switch (sig)
 		{
+			case SIGHUP:
+			{
+				DBG1(DBG_DMN, "signal of type SIGHUP received. Reloading "
+					 "configuration");
+				if (lib->settings->load_files(lib->settings, lib->conf, FALSE))
+				{
+					charon->load_loggers(charon);
+					lib->plugins->reload(lib->plugins, NULL);
+				}
+				else
+				{
+					DBG1(DBG_DMN, "reloading config failed, keeping old");
+				}
+				break;
+			}
 			case SIGTERM:
 			{
 				DBG1(DBG_DMN, "SIGTERM received, shutting down");
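Review bot: The SIGHUP arm added to the switch repeats the reload block that charon.c and charon-cmd.c carry in their own run() functions (both appear as context elsewhere in this commit), and nothing here records that the three copies must stay in step. The order presumably matters: settings are re-read first, loggers are rebuilt from them, and only then are plugins told to reload. I would add a comment above the arm such as `/* keep in sync with charon.c and charon-cmd.c: load_files, then load_loggers, then plugins->reload */`. run() begins and ends outside the hunk.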
@@ -374,7 +390,7 @@ int main(int argc, char *argv[])
 		sd_notifyf(0, "STATUS=unknown uid/gid");
 		return SS_RC_INITIALIZATION_FAILED;
 	}
-	charon->load_loggers(charon, NULL, FALSE);
+	charon->load_loggers(charon);
 
 	lib->plugins->add_static_features(lib->plugins, lib->ns, features,
 							countof(features), TRUE, journal_reload, &journal);
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index 30a3ac8..538335b 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -274,7 +274,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -309,6 +308,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 4a6d2ae..a4d4d0c 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -275,7 +275,7 @@ int main(int argc, char *argv[])
 	lib->settings->set_int(lib->settings, "%s.syslog.daemon.default",
 			lib->settings->get_int(lib->settings, "%s.syslog.daemon.default", 1,
 								   dmn_name), dmn_name);
-	charon->load_loggers(charon, NULL, FALSE);
+	charon->load_loggers(charon);
 
 	DBG1(DBG_DMN, "Starting charon with TKM backend (strongSwan "VERSION")");
 
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index a7cce0f..a247604 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -378,7 +378,8 @@ METHOD(keymat_t, get_aead, aead_t*,
 
 METHOD(keymat_v2_t, get_auth_octets, bool,
 	private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
-	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
+	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets,
+	array_t *schemes)
 {
 	sign_info_t *sign;
 
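Review bot: The new `schemes` parameter of get_auth_octets is accepted but, as far as this diff shows, never read in tkm_keymat.c, because this signature change is the file's only hunk. A caller that passes a list of signature schemes gets no indication that this keymat does not evaluate it, so say so at the definition, for example `/* schemes is not evaluated by this keymat implementation */` above the METHOD line. If ignoring it is not intended, the body needs to consume it. The body continues outside the hunk.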
diff --git a/src/charon-tkm/tests/tests.c b/src/charon-tkm/tests/tests.c
index e3cd2d9..3d57599 100644
--- a/src/charon-tkm/tests/tests.c
+++ b/src/charon-tkm/tests/tests.c
@@ -52,7 +52,7 @@ static bool test_runner_init(bool init)
 		libcharon_init();
 		lib->settings->set_int(lib->settings,
 							   "test-runner.filelog.stdout.default", 0);
-		charon->load_loggers(charon, NULL, FALSE);
+		charon->load_loggers(charon);
 
 		/* Register TKM specific plugins */
 		static plugin_feature_t features[] = {
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index d07ea5c..8cf782f 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -330,7 +330,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -365,6 +364,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 116ce7e..520cb3c 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -59,16 +59,6 @@
 static FILE *pidfile = NULL;
 
 /**
- * Log levels as defined via command line arguments
- */
-static level_t levels[DBG_MAX];
-
-/**
- * Whether to only use syslog when logging
- */
-static bool use_syslog = FALSE;
-
-/**
  * hook in library for debugging messages
  */
 extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
@@ -126,7 +116,7 @@ static void run()
 					 "configuration");
 				if (lib->settings->load_files(lib->settings, lib->conf, FALSE))
 				{
-					charon->load_loggers(charon, levels, !use_syslog);
+					charon->load_loggers(charon);
 					lib->plugins->reload(lib->plugins, NULL);
 				}
 				else
@@ -289,6 +279,8 @@ int main(int argc, char *argv[])
 	struct sigaction action;
 	int group, status = SS_RC_INITIALIZATION_FAILED;
 	struct utsname utsname;
+	level_t levels[DBG_MAX];
+	bool use_syslog = FALSE;
 
 	/* logging for library during initialization, as we have no bus yet */
 	dbg = dbg_stderr;
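Review bot: `levels` changes here from a file-scope static, which is zero-initialised, to an automatic array in main() with no initialiser, and the loop that fills it is not part of this hunk. The following hunk passes it to `charon->set_default_loggers(charon, levels, !use_syslog)`, so all DBG_MAX entries must be assigned before that call; any path that skipped the fill would read the logger defaults from indeterminate stack contents. Declaring it as `level_t levels[DBG_MAX] = { 0 };` keeps the former starting state at no cost. The same move is made in src/charon-cmd/charon-cmd.c, where the fill loop is visible in the next hunk. main() begins and ends outside the hunk.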
@@ -382,7 +374,8 @@ int main(int argc, char *argv[])
 		goto deinit;
 	}
 
-	charon->load_loggers(charon, levels, !use_syslog);
+	charon->set_default_loggers(charon, levels, !use_syslog);
+	charon->load_loggers(charon);
 
 	if (uname(&utsname) != 0)
 	{
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index 8821090..5db5b79 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -61,6 +61,10 @@ endif
 if USE_LIBTPMTSS
   deps += $(top_builddir)/src/libtpmtss/libtpmtss.la
   libs += $(DESTDIR)$(ipseclibdir)/libtpmtss.so
+if !MONOLITHIC
+  AM_CPPFLAGS += -DP_PLUGINS=\""${p_plugins}\""
+endif
+
 endif
 
 if USE_LIBTNCCS
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 7644e1b..5e7a4ca 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -102,24 +102,25 @@ EXTRA_PROGRAMS = checksum_builder$(EXEEXT)
 @USE_LIBPTTLS_TRUE at am__append_11 = $(DESTDIR)$(ipseclibdir)/libpttls.so
 @USE_LIBTPMTSS_TRUE at am__append_12 = $(top_builddir)/src/libtpmtss/libtpmtss.la
 @USE_LIBTPMTSS_TRUE at am__append_13 = $(DESTDIR)$(ipseclibdir)/libtpmtss.so
- at USE_LIBTNCCS_TRUE@am__append_14 = $(top_builddir)/src/libtnccs/libtnccs.la
- at USE_LIBTNCCS_TRUE@am__append_15 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
- at MONOLITHIC_FALSE@@USE_LIBTNCCS_TRUE at am__append_16 = -DT_PLUGINS=\""${t_plugins}\""
- at USE_SIMAKA_TRUE@am__append_17 = $(top_builddir)/src/libsimaka/libsimaka.la
- at USE_SIMAKA_TRUE@am__append_18 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
- at USE_IMCV_TRUE@am__append_19 = $(top_builddir)/src/libimcv/libimcv.la
- at USE_IMCV_TRUE@am__append_20 = $(DESTDIR)$(ipseclibdir)/libimcv.so
- at USE_CHARON_TRUE@am__append_21 = $(top_builddir)/src/libcharon/libcharon.la
- at USE_CHARON_TRUE@am__append_22 = $(DESTDIR)$(ipseclibdir)/libcharon.so
- at USE_CHARON_TRUE@am__append_23 = $(DESTDIR)$(ipsecdir)/charon
- at MONOLITHIC_FALSE@@USE_CHARON_TRUE at am__append_24 = -DC_PLUGINS=\""${c_plugins}\""
- at USE_CMD_TRUE@am__append_25 = $(DESTDIR)$(sbindir)/charon-cmd
- at USE_SYSTEMD_TRUE@am__append_26 = $(DESTDIR)$(sbindir)/charon-systemd
- at USE_SCEPCLIENT_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/scepclient
- at USE_PKI_TRUE@am__append_28 = $(DESTDIR)$(bindir)/pki
- at USE_SWANCTL_TRUE@am__append_29 = $(DESTDIR)$(sbindir)/swanctl
- at USE_ATTR_SQL_TRUE@am__append_30 = $(DESTDIR)$(ipsecdir)/pool
- at USE_IMV_ATTESTATION_TRUE@am__append_31 = $(DESTDIR)$(ipsecdir)/attest
+ at MONOLITHIC_FALSE@@USE_LIBTPMTSS_TRUE at am__append_14 = -DP_PLUGINS=\""${p_plugins}\""
+ at USE_LIBTNCCS_TRUE@am__append_15 = $(top_builddir)/src/libtnccs/libtnccs.la
+ at USE_LIBTNCCS_TRUE@am__append_16 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
+ at MONOLITHIC_FALSE@@USE_LIBTNCCS_TRUE at am__append_17 = -DT_PLUGINS=\""${t_plugins}\""
+ at USE_SIMAKA_TRUE@am__append_18 = $(top_builddir)/src/libsimaka/libsimaka.la
+ at USE_SIMAKA_TRUE@am__append_19 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
+ at USE_IMCV_TRUE@am__append_20 = $(top_builddir)/src/libimcv/libimcv.la
+ at USE_IMCV_TRUE@am__append_21 = $(DESTDIR)$(ipseclibdir)/libimcv.so
+ at USE_CHARON_TRUE@am__append_22 = $(top_builddir)/src/libcharon/libcharon.la
+ at USE_CHARON_TRUE@am__append_23 = $(DESTDIR)$(ipseclibdir)/libcharon.so
+ at USE_CHARON_TRUE@am__append_24 = $(DESTDIR)$(ipsecdir)/charon
+ at MONOLITHIC_FALSE@@USE_CHARON_TRUE at am__append_25 = -DC_PLUGINS=\""${c_plugins}\""
+ at USE_CMD_TRUE@am__append_26 = $(DESTDIR)$(sbindir)/charon-cmd
+ at USE_SYSTEMD_TRUE@am__append_27 = $(DESTDIR)$(sbindir)/charon-systemd
+ at USE_SCEPCLIENT_TRUE@am__append_28 = $(DESTDIR)$(ipsecdir)/scepclient
+ at USE_PKI_TRUE@am__append_29 = $(DESTDIR)$(bindir)/pki
+ at USE_SWANCTL_TRUE@am__append_30 = $(DESTDIR)$(sbindir)/swanctl
+ at USE_ATTR_SQL_TRUE@am__append_31 = $(DESTDIR)$(ipsecdir)/pool
+ at USE_IMV_ATTESTATION_TRUE@am__append_32 = $(DESTDIR)$(ipsecdir)/attest
 subdir = src/checksum
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -398,7 +399,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -433,6 +433,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -499,7 +500,7 @@ CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" $(am__append_1) \
-	$(am__append_16) $(am__append_24)
+	$(am__append_14) $(am__append_17) $(am__append_25)
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
 
@@ -510,15 +511,15 @@ AM_CFLAGS = \
 deps = $(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__append_2) $(am__append_4) $(am__append_6) \
 	$(am__append_8) $(am__append_10) $(am__append_12) \
-	$(am__append_14) $(am__append_17) $(am__append_19) \
-	$(am__append_21)
+	$(am__append_15) $(am__append_18) $(am__append_20) \
+	$(am__append_22)
 libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so $(am__append_3) \
 	$(am__append_5) $(am__append_7) $(am__append_9) \
-	$(am__append_11) $(am__append_13) $(am__append_15) \
-	$(am__append_18) $(am__append_20) $(am__append_22)
-exes = $(am__append_23) $(am__append_25) $(am__append_26) \
-	$(am__append_27) $(am__append_28) $(am__append_29) \
-	$(am__append_30) $(am__append_31)
+	$(am__append_11) $(am__append_13) $(am__append_16) \
+	$(am__append_19) $(am__append_21) $(am__append_23)
+exes = $(am__append_24) $(am__append_26) $(am__append_27) \
+	$(am__append_28) $(am__append_29) $(am__append_30) \
+	$(am__append_31) $(am__append_32)
 all: all-am
 
 .SUFFIXES:
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index e8998d5..a360146 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -157,6 +157,9 @@ int main(int argc, char* argv[])
 #ifdef S_PLUGINS
 	build_plugin_checksums(S_PLUGINS);
 #endif
+#ifdef P_PLUGINS
+	build_plugin_checksums(P_PLUGINS);
+#endif
 #ifdef T_PLUGINS
 	build_plugin_checksums(T_PLUGINS);
 #endif
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 9c55b50..14b8351 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -344,7 +344,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -379,6 +378,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c
index 54957b0..d80196e 100644
--- a/src/conftest/hooks/pretend_auth.c
+++ b/src/conftest/hooks/pretend_auth.c
@@ -238,7 +238,8 @@ static bool build_auth(private_pretend_auth_t *this,
 	}
 	keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
 	if (!keymat->get_auth_octets(keymat, TRUE, this->ike_init,
-								 this->nonce, this->id, this->reserved, &octets))
+								 this->nonce, this->id, this->reserved,
+								 &octets, NULL))
 	{
 		private->destroy(private);
 		return FALSE;
diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c
index 42a9cb4..b2df278 100644
--- a/src/conftest/hooks/rebuild_auth.c
+++ b/src/conftest/hooks/rebuild_auth.c
@@ -137,7 +137,7 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
 	}
 	keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
 	if (!keymat->get_auth_octets(keymat, FALSE, this->ike_init,
-								 this->nonce, id, reserved, &octets))
+								 this->nonce, id, reserved, &octets, NULL))
 	{
 		private->destroy(private);
 		id->destroy(id);
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 38681f4..dc1e3dc 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -365,7 +365,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -400,6 +399,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 4fa90fd..068cae1 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -274,7 +274,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -309,6 +308,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 7512472..faf7c76 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -307,7 +307,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -342,6 +341,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 388a492..1ae6375 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.5.1dr3" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.5.2dr4" "strongSwan"
 .
 .SH NAME
 .
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index a002614..ea399b8 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -44,6 +44,8 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCR
 
 IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
 
+command_dir="$IPSEC_DIR"
+
 case "$1" in
 '')
 	echo "$IPSEC_SCRIPT command [arguments]"
@@ -94,10 +96,6 @@ case "$1" in
 	echo "$IPSEC_PIDDIR"
 	exit 0
 	;;
-copyright|--copyright)
-	set _copyright
-	# and fall through, invoking "ipsec _copyright"
-	;;
 down)
 	shift
 	if [ "$#" -ne 1 ]
@@ -307,13 +305,19 @@ update)
 		exit 7
 	fi
 	;;
-pki)
-	shift
-	exec $IPSEC_BINDIR/pki "$@"
+aikgen|pki)
+	# programs in BINDIR may be called directly, these two are listed for legacy reasons
+	command_dir="$IPSEC_BINDIR"
+	# fall through
 	;;
-aikgen)
-	shift
-	exec $IPSEC_BINDIR/aikgen "$@"
+attest|conftest|dumm|irdumm|pacman|pool|pt-tls-client|scepclient|stroke|\
+duplicheck|error-notify|imv_policy_manager|load-tester|lookip|whitelist|\
+_updown|_imv_policy)
+	# fall through
+	;;
+copyright|--copyright)
+	set _copyright
+	# fall through
 	;;
 version|--version)
 	printf "$OS_NAME $IPSEC_NAME $IPSEC_VERSION\n"
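Review bot: The pattern list added here is an allow-list, but its only comment is `# fall through`, which misleads in a shell `case` because `;;` ends the arm and control simply continues after `esac`. Together with the `*)` arm added in the next hunk, a command name that is not listed is now rejected before `$command_dir/$cmd` is built. That is the security-relevant part of the change and deserves to be stated. I would replace the comment with something like `# allow-list of helpers dispatched below; unlisted names are rejected by the *) arm`, so whoever adds a new helper knows it must be listed here.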
@@ -325,16 +329,20 @@ version|--version)
 	echo "$0: unknown option \`$1' (perhaps command name was omitted?)" >&2
 	exit 2
 	;;
+*)
+	echo "$0: unknown command \`$1' (\`$IPSEC_SCRIPT --help' for list)" >&2
+	exit 2
+	;;
 esac
 
 cmd="$1"
 shift
 
-path="$IPSEC_DIR/$cmd"
+path="$command_dir/$cmd"
 
 if [ ! -x "$path" ]
 then
-	echo "$0: unknown IPsec command \`$cmd' (\`$IPSEC_SCRIPT --help' for list)" >&2
+	echo "$0: unknown command \`$cmd' (\`$IPSEC_SCRIPT --help' for list)" >&2
 	exit 2
 fi
 
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 4f3d78c..1a8e068 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -106,6 +106,7 @@ sa/ikev2/tasks/ike_delete.c sa/ikev2/tasks/ike_delete.h \
 sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
 sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
 sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+sa/ikev2/tasks/ike_mid_sync.c sa/ikev2/tasks/ike_mid_sync.h \
 sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
@@ -117,6 +118,7 @@ sa/ikev2/tasks/ike_verify_peer_cert.c sa/ikev2/tasks/ike_verify_peer_cert.h
 
 libcharon_la_SOURCES += \
 sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
+sa/ikev1/iv_manager.c sa/ikev1/iv_manager.h \
 sa/ikev1/task_manager_v1.c sa/ikev1/task_manager_v1.h \
 sa/ikev1/authenticators/psk_v1_authenticator.c sa/ikev1/authenticators/psk_v1_authenticator.h \
 sa/ikev1/authenticators/pubkey_v1_authenticator.c sa/ikev1/authenticators/pubkey_v1_authenticator.h \
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index e530205..8461d62 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -105,6 +105,7 @@ sa/ikev2/tasks/ike_delete.c sa/ikev2/tasks/ike_delete.h \
 sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
 sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
 sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+sa/ikev2/tasks/ike_mid_sync.c sa/ikev2/tasks/ike_mid_sync.h \
 sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
@@ -118,6 +119,7 @@ endif
 if USE_IKEV1
 libcharon_la_SOURCES += \
 sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
+sa/ikev1/iv_manager.c sa/ikev1/iv_manager.h \
 sa/ikev1/task_manager_v1.c sa/ikev1/task_manager_v1.h \
 sa/ikev1/authenticators/psk_v1_authenticator.c sa/ikev1/authenticators/psk_v1_authenticator.h \
 sa/ikev1/authenticators/pubkey_v1_authenticator.c sa/ikev1/authenticators/pubkey_v1_authenticator.h \
@@ -226,6 +228,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_BYPASS_LAN
+  SUBDIRS += plugins/bypass_lan
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/bypass_lan/libstrongswan-bypass-lan.la
+endif
+endif
+
 if USE_FORECAST
   SUBDIRS += plugins/forecast
 if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index e82e67b..8f6dc89 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -105,6 +105,7 @@ host_triplet = @host@
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+ at USE_IKEV2_TRUE@sa/ikev2/tasks/ike_mid_sync.c sa/ikev2/tasks/ike_mid_sync.h \
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
@@ -116,6 +117,7 @@ host_triplet = @host@
 
 @USE_IKEV1_TRUE at am__append_2 = \
 @USE_IKEV1_TRUE at sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
+ at USE_IKEV1_TRUE@sa/ikev1/iv_manager.c sa/ikev1/iv_manager.h \
 @USE_IKEV1_TRUE at sa/ikev1/task_manager_v1.c sa/ikev1/task_manager_v1.h \
 @USE_IKEV1_TRUE at sa/ikev1/authenticators/psk_v1_authenticator.c sa/ikev1/authenticators/psk_v1_authenticator.h \
 @USE_IKEV1_TRUE at sa/ikev1/authenticators/pubkey_v1_authenticator.c sa/ikev1/authenticators/pubkey_v1_authenticator.h \
@@ -161,136 +163,138 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE at am__append_13 = plugins/socket_win/libstrongswan-socket-win.la
 @USE_CONNMARK_TRUE at am__append_14 = plugins/connmark
 @MONOLITHIC_TRUE@@USE_CONNMARK_TRUE at am__append_15 = plugins/connmark/libstrongswan-connmark.la
- at USE_FORECAST_TRUE@am__append_16 = plugins/forecast
- at MONOLITHIC_TRUE@@USE_FORECAST_TRUE at am__append_17 = plugins/forecast/libstrongswan-forecast.la
- at USE_FARP_TRUE@am__append_18 = plugins/farp
- at MONOLITHIC_TRUE@@USE_FARP_TRUE at am__append_19 = plugins/farp/libstrongswan-farp.la
- at USE_STROKE_TRUE@am__append_20 = plugins/stroke
- at MONOLITHIC_TRUE@@USE_STROKE_TRUE at am__append_21 = plugins/stroke/libstrongswan-stroke.la
- at USE_VICI_TRUE@am__append_22 = plugins/vici
- at MONOLITHIC_TRUE@@USE_VICI_TRUE at am__append_23 = plugins/vici/libstrongswan-vici.la
- at USE_SMP_TRUE@am__append_24 = plugins/smp
- at MONOLITHIC_TRUE@@USE_SMP_TRUE at am__append_25 = plugins/smp/libstrongswan-smp.la
- at USE_SQL_TRUE@am__append_26 = plugins/sql
- at MONOLITHIC_TRUE@@USE_SQL_TRUE at am__append_27 = plugins/sql/libstrongswan-sql.la
- at USE_DNSCERT_TRUE@am__append_28 = plugins/dnscert
- at MONOLITHIC_TRUE@@USE_DNSCERT_TRUE at am__append_29 = plugins/dnscert/libstrongswan-dnscert.la
- at USE_IPSECKEY_TRUE@am__append_30 = plugins/ipseckey
- at MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE at am__append_31 = plugins/ipseckey/libstrongswan-ipseckey.la
- at USE_UPDOWN_TRUE@am__append_32 = plugins/updown
- at MONOLITHIC_TRUE@@USE_UPDOWN_TRUE at am__append_33 = plugins/updown/libstrongswan-updown.la
- at USE_EXT_AUTH_TRUE@am__append_34 = plugins/ext_auth
- at MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE at am__append_35 = plugins/ext_auth/libstrongswan-ext-auth.la
- at USE_EAP_IDENTITY_TRUE@am__append_36 = plugins/eap_identity
- at MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE at am__append_37 = plugins/eap_identity/libstrongswan-eap-identity.la
- at USE_EAP_SIM_TRUE@am__append_38 = plugins/eap_sim
- at MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE at am__append_39 = plugins/eap_sim/libstrongswan-eap-sim.la
- at USE_EAP_SIM_FILE_TRUE@am__append_40 = plugins/eap_sim_file
- at MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE at am__append_41 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
- at USE_EAP_SIM_PCSC_TRUE@am__append_42 = plugins/eap_sim_pcsc
- at MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE at am__append_43 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
- at USE_EAP_SIMAKA_SQL_TRUE@am__append_44 = plugins/eap_simaka_sql
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE at am__append_45 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
- at USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_46 = plugins/eap_simaka_pseudonym
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE at am__append_47 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
- at USE_EAP_SIMAKA_REAUTH_TRUE@am__append_48 = plugins/eap_simaka_reauth
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE at am__append_49 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
- at USE_EAP_AKA_TRUE@am__append_50 = plugins/eap_aka
- at MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE at am__append_51 = plugins/eap_aka/libstrongswan-eap-aka.la
- at USE_EAP_AKA_3GPP2_TRUE@am__append_52 = plugins/eap_aka_3gpp2
- at MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE at am__append_53 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
- at MONOLITHIC_TRUE@@USE_SIMAKA_TRUE at am__append_54 = $(top_builddir)/src/libsimaka/libsimaka.la
- at USE_EAP_MD5_TRUE@am__append_55 = plugins/eap_md5
- at MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE at am__append_56 = plugins/eap_md5/libstrongswan-eap-md5.la
- at USE_EAP_GTC_TRUE@am__append_57 = plugins/eap_gtc
- at MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE at am__append_58 = plugins/eap_gtc/libstrongswan-eap-gtc.la
- at USE_EAP_MSCHAPV2_TRUE@am__append_59 = plugins/eap_mschapv2
- at MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE at am__append_60 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
- at USE_EAP_DYNAMIC_TRUE@am__append_61 = plugins/eap_dynamic
- at MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE at am__append_62 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
- at USE_EAP_RADIUS_TRUE@am__append_63 = plugins/eap_radius
- at MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE at am__append_64 = plugins/eap_radius/libstrongswan-eap-radius.la
- at USE_EAP_TLS_TRUE@am__append_65 = plugins/eap_tls
- at MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE at am__append_66 = plugins/eap_tls/libstrongswan-eap-tls.la
- at USE_EAP_TTLS_TRUE@am__append_67 = plugins/eap_ttls
- at MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE at am__append_68 = plugins/eap_ttls/libstrongswan-eap-ttls.la
- at USE_EAP_PEAP_TRUE@am__append_69 = plugins/eap_peap
- at MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE at am__append_70 = plugins/eap_peap/libstrongswan-eap-peap.la
- at USE_EAP_TNC_TRUE@am__append_71 = plugins/eap_tnc
- at MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE at am__append_72 = plugins/eap_tnc/libstrongswan-eap-tnc.la
- at MONOLITHIC_TRUE@@USE_TLS_TRUE at am__append_73 = $(top_builddir)/src/libtls/libtls.la
- at MONOLITHIC_TRUE@@USE_RADIUS_TRUE at am__append_74 = $(top_builddir)/src/libradius/libradius.la
- at USE_TNC_IFMAP_TRUE@am__append_75 = plugins/tnc_ifmap
- at MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE at am__append_76 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
- at USE_TNC_PDP_TRUE@am__append_77 = plugins/tnc_pdp
- at MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE at am__append_78 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
- at MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE at am__append_79 = $(top_builddir)/src/libtnccs/libtnccs.la
- at USE_MEDSRV_TRUE@am__append_80 = plugins/medsrv
- at MONOLITHIC_TRUE@@USE_MEDSRV_TRUE at am__append_81 = plugins/medsrv/libstrongswan-medsrv.la
- at USE_MEDCLI_TRUE@am__append_82 = plugins/medcli
- at MONOLITHIC_TRUE@@USE_MEDCLI_TRUE at am__append_83 = plugins/medcli/libstrongswan-medcli.la
- at USE_DHCP_TRUE@am__append_84 = plugins/dhcp
- at MONOLITHIC_TRUE@@USE_DHCP_TRUE at am__append_85 = plugins/dhcp/libstrongswan-dhcp.la
- at USE_OSX_ATTR_TRUE@am__append_86 = plugins/osx_attr
- at MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE at am__append_87 = plugins/osx_attr/libstrongswan-osx-attr.la
- at USE_P_CSCF_TRUE@am__append_88 = plugins/p_cscf
- at MONOLITHIC_TRUE@@USE_P_CSCF_TRUE at am__append_89 = plugins/p_cscf/libstrongswan-p-cscf.la
- at USE_ANDROID_DNS_TRUE@am__append_90 = plugins/android_dns
- at MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE at am__append_91 = plugins/android_dns/libstrongswan-android-dns.la
- at USE_ANDROID_LOG_TRUE@am__append_92 = plugins/android_log
- at MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE at am__append_93 = plugins/android_log/libstrongswan-android-log.la
- at USE_HA_TRUE@am__append_94 = plugins/ha
- at MONOLITHIC_TRUE@@USE_HA_TRUE at am__append_95 = plugins/ha/libstrongswan-ha.la
- at USE_KERNEL_PFKEY_TRUE@am__append_96 = plugins/kernel_pfkey
- at MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE at am__append_97 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
- at USE_KERNEL_PFROUTE_TRUE@am__append_98 = plugins/kernel_pfroute
- at MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE at am__append_99 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
- at USE_KERNEL_NETLINK_TRUE@am__append_100 = plugins/kernel_netlink
- at MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE at am__append_101 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
- at USE_KERNEL_LIBIPSEC_TRUE@am__append_102 = plugins/kernel_libipsec
- at MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE at am__append_103 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
- at USE_KERNEL_WFP_TRUE@am__append_104 = plugins/kernel_wfp
- at MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE at am__append_105 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
- at USE_KERNEL_IPH_TRUE@am__append_106 = plugins/kernel_iph
- at MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE at am__append_107 = plugins/kernel_iph/libstrongswan-kernel-iph.la
- at USE_WHITELIST_TRUE@am__append_108 = plugins/whitelist
- at MONOLITHIC_TRUE@@USE_WHITELIST_TRUE at am__append_109 = plugins/whitelist/libstrongswan-whitelist.la
- at USE_LOOKIP_TRUE@am__append_110 = plugins/lookip
- at MONOLITHIC_TRUE@@USE_LOOKIP_TRUE at am__append_111 = plugins/lookip/libstrongswan-lookip.la
- at USE_ERROR_NOTIFY_TRUE@am__append_112 = plugins/error_notify
- at MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE at am__append_113 = plugins/error_notify/libstrongswan-error-notify.la
- at USE_CERTEXPIRE_TRUE@am__append_114 = plugins/certexpire
- at MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE at am__append_115 = plugins/certexpire/libstrongswan-certexpire.la
- at USE_SYSTIME_FIX_TRUE@am__append_116 = plugins/systime_fix
- at MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE at am__append_117 = plugins/systime_fix/libstrongswan-systime-fix.la
- at USE_LED_TRUE@am__append_118 = plugins/led
- at MONOLITHIC_TRUE@@USE_LED_TRUE at am__append_119 = plugins/led/libstrongswan-led.la
- at USE_DUPLICHECK_TRUE@am__append_120 = plugins/duplicheck
- at MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE at am__append_121 = plugins/duplicheck/libstrongswan-duplicheck.la
- at USE_COUPLING_TRUE@am__append_122 = plugins/coupling
- at MONOLITHIC_TRUE@@USE_COUPLING_TRUE at am__append_123 = plugins/coupling/libstrongswan-coupling.la
- at USE_RADATTR_TRUE@am__append_124 = plugins/radattr
- at MONOLITHIC_TRUE@@USE_RADATTR_TRUE at am__append_125 = plugins/radattr/libstrongswan-radattr.la
- at USE_UCI_TRUE@am__append_126 = plugins/uci
- at MONOLITHIC_TRUE@@USE_UCI_TRUE at am__append_127 = plugins/uci/libstrongswan-uci.la
- at USE_ADDRBLOCK_TRUE@am__append_128 = plugins/addrblock
- at MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE at am__append_129 = plugins/addrblock/libstrongswan-addrblock.la
- at USE_UNITY_TRUE@am__append_130 = plugins/unity
- at MONOLITHIC_TRUE@@USE_UNITY_TRUE at am__append_131 = plugins/unity/libstrongswan-unity.la
- at USE_XAUTH_GENERIC_TRUE@am__append_132 = plugins/xauth_generic
- at MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE at am__append_133 = plugins/xauth_generic/libstrongswan-xauth-generic.la
- at USE_XAUTH_EAP_TRUE@am__append_134 = plugins/xauth_eap
- at MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE at am__append_135 = plugins/xauth_eap/libstrongswan-xauth-eap.la
- at USE_XAUTH_PAM_TRUE@am__append_136 = plugins/xauth_pam
- at MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE at am__append_137 = plugins/xauth_pam/libstrongswan-xauth-pam.la
- at USE_XAUTH_NOAUTH_TRUE@am__append_138 = plugins/xauth_noauth
- at MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE at am__append_139 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
- at USE_RESOLVE_TRUE@am__append_140 = plugins/resolve
- at MONOLITHIC_TRUE@@USE_RESOLVE_TRUE at am__append_141 = plugins/resolve/libstrongswan-resolve.la
- at USE_ATTR_TRUE@am__append_142 = plugins/attr
- at MONOLITHIC_TRUE@@USE_ATTR_TRUE at am__append_143 = plugins/attr/libstrongswan-attr.la
- at USE_ATTR_SQL_TRUE@am__append_144 = plugins/attr_sql
- at MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE at am__append_145 = plugins/attr_sql/libstrongswan-attr-sql.la
+ at USE_BYPASS_LAN_TRUE@am__append_16 = plugins/bypass_lan
+ at MONOLITHIC_TRUE@@USE_BYPASS_LAN_TRUE at am__append_17 = plugins/bypass_lan/libstrongswan-bypass-lan.la
+ at USE_FORECAST_TRUE@am__append_18 = plugins/forecast
+ at MONOLITHIC_TRUE@@USE_FORECAST_TRUE at am__append_19 = plugins/forecast/libstrongswan-forecast.la
+ at USE_FARP_TRUE@am__append_20 = plugins/farp
+ at MONOLITHIC_TRUE@@USE_FARP_TRUE at am__append_21 = plugins/farp/libstrongswan-farp.la
+ at USE_STROKE_TRUE@am__append_22 = plugins/stroke
+ at MONOLITHIC_TRUE@@USE_STROKE_TRUE at am__append_23 = plugins/stroke/libstrongswan-stroke.la
+ at USE_VICI_TRUE@am__append_24 = plugins/vici
+ at MONOLITHIC_TRUE@@USE_VICI_TRUE at am__append_25 = plugins/vici/libstrongswan-vici.la
+ at USE_SMP_TRUE@am__append_26 = plugins/smp
+ at MONOLITHIC_TRUE@@USE_SMP_TRUE at am__append_27 = plugins/smp/libstrongswan-smp.la
+ at USE_SQL_TRUE@am__append_28 = plugins/sql
+ at MONOLITHIC_TRUE@@USE_SQL_TRUE at am__append_29 = plugins/sql/libstrongswan-sql.la
+ at USE_DNSCERT_TRUE@am__append_30 = plugins/dnscert
+ at MONOLITHIC_TRUE@@USE_DNSCERT_TRUE at am__append_31 = plugins/dnscert/libstrongswan-dnscert.la
+ at USE_IPSECKEY_TRUE@am__append_32 = plugins/ipseckey
+ at MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE at am__append_33 = plugins/ipseckey/libstrongswan-ipseckey.la
+ at USE_UPDOWN_TRUE@am__append_34 = plugins/updown
+ at MONOLITHIC_TRUE@@USE_UPDOWN_TRUE at am__append_35 = plugins/updown/libstrongswan-updown.la
+ at USE_EXT_AUTH_TRUE@am__append_36 = plugins/ext_auth
+ at MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE at am__append_37 = plugins/ext_auth/libstrongswan-ext-auth.la
+ at USE_EAP_IDENTITY_TRUE@am__append_38 = plugins/eap_identity
+ at MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE at am__append_39 = plugins/eap_identity/libstrongswan-eap-identity.la
+ at USE_EAP_SIM_TRUE@am__append_40 = plugins/eap_sim
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE at am__append_41 = plugins/eap_sim/libstrongswan-eap-sim.la
+ at USE_EAP_SIM_FILE_TRUE@am__append_42 = plugins/eap_sim_file
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE at am__append_43 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+ at USE_EAP_SIM_PCSC_TRUE@am__append_44 = plugins/eap_sim_pcsc
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE at am__append_45 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
+ at USE_EAP_SIMAKA_SQL_TRUE@am__append_46 = plugins/eap_simaka_sql
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE at am__append_47 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+ at USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_48 = plugins/eap_simaka_pseudonym
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE at am__append_49 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+ at USE_EAP_SIMAKA_REAUTH_TRUE@am__append_50 = plugins/eap_simaka_reauth
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE at am__append_51 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+ at USE_EAP_AKA_TRUE@am__append_52 = plugins/eap_aka
+ at MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE at am__append_53 = plugins/eap_aka/libstrongswan-eap-aka.la
+ at USE_EAP_AKA_3GPP2_TRUE@am__append_54 = plugins/eap_aka_3gpp2
+ at MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE at am__append_55 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+ at MONOLITHIC_TRUE@@USE_SIMAKA_TRUE at am__append_56 = $(top_builddir)/src/libsimaka/libsimaka.la
+ at USE_EAP_MD5_TRUE@am__append_57 = plugins/eap_md5
+ at MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE at am__append_58 = plugins/eap_md5/libstrongswan-eap-md5.la
+ at USE_EAP_GTC_TRUE@am__append_59 = plugins/eap_gtc
+ at MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE at am__append_60 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+ at USE_EAP_MSCHAPV2_TRUE@am__append_61 = plugins/eap_mschapv2
+ at MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE at am__append_62 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+ at USE_EAP_DYNAMIC_TRUE@am__append_63 = plugins/eap_dynamic
+ at MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE at am__append_64 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
+ at USE_EAP_RADIUS_TRUE@am__append_65 = plugins/eap_radius
+ at MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE at am__append_66 = plugins/eap_radius/libstrongswan-eap-radius.la
+ at USE_EAP_TLS_TRUE@am__append_67 = plugins/eap_tls
+ at MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE at am__append_68 = plugins/eap_tls/libstrongswan-eap-tls.la
+ at USE_EAP_TTLS_TRUE@am__append_69 = plugins/eap_ttls
+ at MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE at am__append_70 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+ at USE_EAP_PEAP_TRUE@am__append_71 = plugins/eap_peap
+ at MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE at am__append_72 = plugins/eap_peap/libstrongswan-eap-peap.la
+ at USE_EAP_TNC_TRUE@am__append_73 = plugins/eap_tnc
+ at MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE at am__append_74 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+ at MONOLITHIC_TRUE@@USE_TLS_TRUE at am__append_75 = $(top_builddir)/src/libtls/libtls.la
+ at MONOLITHIC_TRUE@@USE_RADIUS_TRUE at am__append_76 = $(top_builddir)/src/libradius/libradius.la
+ at USE_TNC_IFMAP_TRUE@am__append_77 = plugins/tnc_ifmap
+ at MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE at am__append_78 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
+ at USE_TNC_PDP_TRUE@am__append_79 = plugins/tnc_pdp
+ at MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE at am__append_80 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
+ at MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE at am__append_81 = $(top_builddir)/src/libtnccs/libtnccs.la
+ at USE_MEDSRV_TRUE@am__append_82 = plugins/medsrv
+ at MONOLITHIC_TRUE@@USE_MEDSRV_TRUE at am__append_83 = plugins/medsrv/libstrongswan-medsrv.la
+ at USE_MEDCLI_TRUE@am__append_84 = plugins/medcli
+ at MONOLITHIC_TRUE@@USE_MEDCLI_TRUE at am__append_85 = plugins/medcli/libstrongswan-medcli.la
+ at USE_DHCP_TRUE@am__append_86 = plugins/dhcp
+ at MONOLITHIC_TRUE@@USE_DHCP_TRUE at am__append_87 = plugins/dhcp/libstrongswan-dhcp.la
+ at USE_OSX_ATTR_TRUE@am__append_88 = plugins/osx_attr
+ at MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE at am__append_89 = plugins/osx_attr/libstrongswan-osx-attr.la
+ at USE_P_CSCF_TRUE@am__append_90 = plugins/p_cscf
+ at MONOLITHIC_TRUE@@USE_P_CSCF_TRUE at am__append_91 = plugins/p_cscf/libstrongswan-p-cscf.la
+ at USE_ANDROID_DNS_TRUE@am__append_92 = plugins/android_dns
+ at MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE at am__append_93 = plugins/android_dns/libstrongswan-android-dns.la
+ at USE_ANDROID_LOG_TRUE@am__append_94 = plugins/android_log
+ at MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE at am__append_95 = plugins/android_log/libstrongswan-android-log.la
+ at USE_HA_TRUE@am__append_96 = plugins/ha
+ at MONOLITHIC_TRUE@@USE_HA_TRUE at am__append_97 = plugins/ha/libstrongswan-ha.la
+ at USE_KERNEL_PFKEY_TRUE@am__append_98 = plugins/kernel_pfkey
+ at MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE at am__append_99 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+ at USE_KERNEL_PFROUTE_TRUE@am__append_100 = plugins/kernel_pfroute
+ at MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE at am__append_101 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+ at USE_KERNEL_NETLINK_TRUE@am__append_102 = plugins/kernel_netlink
+ at MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE at am__append_103 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+ at USE_KERNEL_LIBIPSEC_TRUE@am__append_104 = plugins/kernel_libipsec
+ at MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE at am__append_105 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+ at USE_KERNEL_WFP_TRUE@am__append_106 = plugins/kernel_wfp
+ at MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE at am__append_107 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
+ at USE_KERNEL_IPH_TRUE@am__append_108 = plugins/kernel_iph
+ at MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE at am__append_109 = plugins/kernel_iph/libstrongswan-kernel-iph.la
+ at USE_WHITELIST_TRUE@am__append_110 = plugins/whitelist
+ at MONOLITHIC_TRUE@@USE_WHITELIST_TRUE at am__append_111 = plugins/whitelist/libstrongswan-whitelist.la
+ at USE_LOOKIP_TRUE@am__append_112 = plugins/lookip
+ at MONOLITHIC_TRUE@@USE_LOOKIP_TRUE at am__append_113 = plugins/lookip/libstrongswan-lookip.la
+ at USE_ERROR_NOTIFY_TRUE@am__append_114 = plugins/error_notify
+ at MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE at am__append_115 = plugins/error_notify/libstrongswan-error-notify.la
+ at USE_CERTEXPIRE_TRUE@am__append_116 = plugins/certexpire
+ at MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE at am__append_117 = plugins/certexpire/libstrongswan-certexpire.la
+ at USE_SYSTIME_FIX_TRUE@am__append_118 = plugins/systime_fix
+ at MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE at am__append_119 = plugins/systime_fix/libstrongswan-systime-fix.la
+ at USE_LED_TRUE@am__append_120 = plugins/led
+ at MONOLITHIC_TRUE@@USE_LED_TRUE at am__append_121 = plugins/led/libstrongswan-led.la
+ at USE_DUPLICHECK_TRUE@am__append_122 = plugins/duplicheck
+ at MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE at am__append_123 = plugins/duplicheck/libstrongswan-duplicheck.la
+ at USE_COUPLING_TRUE@am__append_124 = plugins/coupling
+ at MONOLITHIC_TRUE@@USE_COUPLING_TRUE at am__append_125 = plugins/coupling/libstrongswan-coupling.la
+ at USE_RADATTR_TRUE@am__append_126 = plugins/radattr
+ at MONOLITHIC_TRUE@@USE_RADATTR_TRUE at am__append_127 = plugins/radattr/libstrongswan-radattr.la
+ at USE_UCI_TRUE@am__append_128 = plugins/uci
+ at MONOLITHIC_TRUE@@USE_UCI_TRUE at am__append_129 = plugins/uci/libstrongswan-uci.la
+ at USE_ADDRBLOCK_TRUE@am__append_130 = plugins/addrblock
+ at MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE at am__append_131 = plugins/addrblock/libstrongswan-addrblock.la
+ at USE_UNITY_TRUE@am__append_132 = plugins/unity
+ at MONOLITHIC_TRUE@@USE_UNITY_TRUE at am__append_133 = plugins/unity/libstrongswan-unity.la
+ at USE_XAUTH_GENERIC_TRUE@am__append_134 = plugins/xauth_generic
+ at MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE at am__append_135 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+ at USE_XAUTH_EAP_TRUE@am__append_136 = plugins/xauth_eap
+ at MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE at am__append_137 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+ at USE_XAUTH_PAM_TRUE@am__append_138 = plugins/xauth_pam
+ at MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE at am__append_139 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+ at USE_XAUTH_NOAUTH_TRUE@am__append_140 = plugins/xauth_noauth
+ at MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE at am__append_141 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+ at USE_RESOLVE_TRUE@am__append_142 = plugins/resolve
+ at MONOLITHIC_TRUE@@USE_RESOLVE_TRUE at am__append_143 = plugins/resolve/libstrongswan-resolve.la
+ at USE_ATTR_TRUE@am__append_144 = plugins/attr
+ at MONOLITHIC_TRUE@@USE_ATTR_TRUE at am__append_145 = plugins/attr/libstrongswan-attr.la
+ at USE_ATTR_SQL_TRUE@am__append_146 = plugins/attr_sql
+ at MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE at am__append_147 = plugins/attr_sql/libstrongswan-attr-sql.la
 subdir = src/libcharon
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -352,12 +356,12 @@ libcharon_la_DEPENDENCIES =  \
 	$(am__append_35) $(am__append_37) $(am__append_39) \
 	$(am__append_41) $(am__append_43) $(am__append_45) \
 	$(am__append_47) $(am__append_49) $(am__append_51) \
-	$(am__append_53) $(am__append_54) $(am__append_56) \
+	$(am__append_53) $(am__append_55) $(am__append_56) \
 	$(am__append_58) $(am__append_60) $(am__append_62) \
 	$(am__append_64) $(am__append_66) $(am__append_68) \
-	$(am__append_70) $(am__append_72) $(am__append_73) \
-	$(am__append_74) $(am__append_76) $(am__append_78) \
-	$(am__append_79) $(am__append_81) $(am__append_83) \
+	$(am__append_70) $(am__append_72) $(am__append_74) \
+	$(am__append_75) $(am__append_76) $(am__append_78) \
+	$(am__append_80) $(am__append_81) $(am__append_83) \
 	$(am__append_85) $(am__append_87) $(am__append_89) \
 	$(am__append_91) $(am__append_93) $(am__append_95) \
 	$(am__append_97) $(am__append_99) $(am__append_101) \
@@ -368,7 +372,7 @@ libcharon_la_DEPENDENCIES =  \
 	$(am__append_127) $(am__append_129) $(am__append_131) \
 	$(am__append_133) $(am__append_135) $(am__append_137) \
 	$(am__append_139) $(am__append_141) $(am__append_143) \
-	$(am__append_145)
+	$(am__append_145) $(am__append_147)
 am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	attributes/attributes.h attributes/attribute_provider.h \
 	attributes/attribute_handler.h attributes/attribute_manager.c \
@@ -492,6 +496,7 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
 	sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
 	sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+	sa/ikev2/tasks/ike_mid_sync.c sa/ikev2/tasks/ike_mid_sync.h \
 	sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 	sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 	sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
@@ -503,7 +508,8 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	sa/ikev2/tasks/ike_vendor.h \
 	sa/ikev2/tasks/ike_verify_peer_cert.c \
 	sa/ikev2/tasks/ike_verify_peer_cert.h sa/ikev1/keymat_v1.c \
-	sa/ikev1/keymat_v1.h sa/ikev1/task_manager_v1.c \
+	sa/ikev1/keymat_v1.h sa/ikev1/iv_manager.c \
+	sa/ikev1/iv_manager.h sa/ikev1/task_manager_v1.c \
 	sa/ikev1/task_manager_v1.h \
 	sa/ikev1/authenticators/psk_v1_authenticator.c \
 	sa/ikev1/authenticators/psk_v1_authenticator.h \
@@ -557,6 +563,7 @@ am__dirstamp = $(am__leading_dot)dirstamp
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_dpd.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_init.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_natd.lo \
+ at USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_mid_sync.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_mobike.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_rekey.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_reauth.lo \
@@ -566,6 +573,7 @@ am__dirstamp = $(am__leading_dot)dirstamp
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_vendor.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_verify_peer_cert.lo
 @USE_IKEV1_TRUE at am__objects_2 = sa/ikev1/keymat_v1.lo \
+ at USE_IKEV1_TRUE@	sa/ikev1/iv_manager.lo \
 @USE_IKEV1_TRUE@	sa/ikev1/task_manager_v1.lo \
 @USE_IKEV1_TRUE@	sa/ikev1/authenticators/psk_v1_authenticator.lo \
 @USE_IKEV1_TRUE@	sa/ikev1/authenticators/pubkey_v1_authenticator.lo \
@@ -733,10 +741,11 @@ ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/socket_dynamic plugins/socket_win plugins/connmark \
-	plugins/forecast plugins/farp plugins/stroke plugins/vici \
-	plugins/smp plugins/sql plugins/dnscert plugins/ipseckey \
-	plugins/updown plugins/ext_auth plugins/eap_identity \
-	plugins/eap_sim plugins/eap_sim_file plugins/eap_sim_pcsc \
+	plugins/bypass_lan plugins/forecast plugins/farp \
+	plugins/stroke plugins/vici plugins/smp plugins/sql \
+	plugins/dnscert plugins/ipseckey plugins/updown \
+	plugins/ext_auth plugins/eap_identity plugins/eap_sim \
+	plugins/eap_sim_file plugins/eap_sim_pcsc \
 	plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \
 	plugins/eap_simaka_reauth plugins/eap_aka \
 	plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \
@@ -927,7 +936,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -962,6 +970,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -1140,11 +1149,11 @@ libcharon_la_LIBADD =  \
 	$(am__append_37) $(am__append_39) $(am__append_41) \
 	$(am__append_43) $(am__append_45) $(am__append_47) \
 	$(am__append_49) $(am__append_51) $(am__append_53) \
-	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_55) $(am__append_56) $(am__append_58) \
 	$(am__append_60) $(am__append_62) $(am__append_64) \
 	$(am__append_66) $(am__append_68) $(am__append_70) \
-	$(am__append_72) $(am__append_73) $(am__append_74) \
-	$(am__append_76) $(am__append_78) $(am__append_79) \
+	$(am__append_72) $(am__append_74) $(am__append_75) \
+	$(am__append_76) $(am__append_78) $(am__append_80) \
 	$(am__append_81) $(am__append_83) $(am__append_85) \
 	$(am__append_87) $(am__append_89) $(am__append_91) \
 	$(am__append_93) $(am__append_95) $(am__append_97) \
@@ -1155,7 +1164,8 @@ libcharon_la_LIBADD =  \
 	$(am__append_123) $(am__append_125) $(am__append_127) \
 	$(am__append_129) $(am__append_131) $(am__append_133) \
 	$(am__append_135) $(am__append_137) $(am__append_139) \
-	$(am__append_141) $(am__append_143) $(am__append_145)
+	$(am__append_141) $(am__append_143) $(am__append_145) \
+	$(am__append_147)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE at SUBDIRS = . $(am__append_6) $(am__append_8) \
 @MONOLITHIC_FALSE@	$(am__append_10) $(am__append_12) \
@@ -1169,12 +1179,12 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_42) $(am__append_44) \
 @MONOLITHIC_FALSE@	$(am__append_46) $(am__append_48) \
 @MONOLITHIC_FALSE@	$(am__append_50) $(am__append_52) \
- at MONOLITHIC_FALSE@	$(am__append_55) $(am__append_57) \
+ at MONOLITHIC_FALSE@	$(am__append_54) $(am__append_57) \
 @MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_FALSE@	$(am__append_63) $(am__append_65) \
 @MONOLITHIC_FALSE@	$(am__append_67) $(am__append_69) \
- at MONOLITHIC_FALSE@	$(am__append_71) $(am__append_75) \
- at MONOLITHIC_FALSE@	$(am__append_77) $(am__append_80) \
+ at MONOLITHIC_FALSE@	$(am__append_71) $(am__append_73) \
+ at MONOLITHIC_FALSE@	$(am__append_77) $(am__append_79) \
 @MONOLITHIC_FALSE@	$(am__append_82) $(am__append_84) \
 @MONOLITHIC_FALSE@	$(am__append_86) $(am__append_88) \
 @MONOLITHIC_FALSE@	$(am__append_90) $(am__append_92) \
@@ -1190,7 +1200,8 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_130) $(am__append_132) \
 @MONOLITHIC_FALSE@	$(am__append_134) $(am__append_136) \
 @MONOLITHIC_FALSE@	$(am__append_138) $(am__append_140) \
- at MONOLITHIC_FALSE@	$(am__append_142) $(am__append_144) tests
+ at MONOLITHIC_FALSE@	$(am__append_142) $(am__append_144) \
+ at MONOLITHIC_FALSE@	$(am__append_146) tests
 
 # build optional plugins
 ########################
@@ -1206,12 +1217,12 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_42) $(am__append_44) \
 @MONOLITHIC_TRUE@	$(am__append_46) $(am__append_48) \
 @MONOLITHIC_TRUE@	$(am__append_50) $(am__append_52) \
- at MONOLITHIC_TRUE@	$(am__append_55) $(am__append_57) \
+ at MONOLITHIC_TRUE@	$(am__append_54) $(am__append_57) \
 @MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_TRUE@	$(am__append_63) $(am__append_65) \
 @MONOLITHIC_TRUE@	$(am__append_67) $(am__append_69) \
- at MONOLITHIC_TRUE@	$(am__append_71) $(am__append_75) \
- at MONOLITHIC_TRUE@	$(am__append_77) $(am__append_80) \
+ at MONOLITHIC_TRUE@	$(am__append_71) $(am__append_73) \
+ at MONOLITHIC_TRUE@	$(am__append_77) $(am__append_79) \
 @MONOLITHIC_TRUE@	$(am__append_82) $(am__append_84) \
 @MONOLITHIC_TRUE@	$(am__append_86) $(am__append_88) \
 @MONOLITHIC_TRUE@	$(am__append_90) $(am__append_92) \
@@ -1227,7 +1238,8 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_130) $(am__append_132) \
 @MONOLITHIC_TRUE@	$(am__append_134) $(am__append_136) \
 @MONOLITHIC_TRUE@	$(am__append_138) $(am__append_140) \
- at MONOLITHIC_TRUE@	$(am__append_142) $(am__append_144) . tests
+ at MONOLITHIC_TRUE@	$(am__append_142) $(am__append_144) \
+ at MONOLITHIC_TRUE@	$(am__append_146) . tests
 all: all-recursive
 
 .SUFFIXES:
@@ -1594,6 +1606,8 @@ sa/ikev2/tasks/ike_init.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_natd.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
+sa/ikev2/tasks/ike_mid_sync.lo: sa/ikev2/tasks/$(am__dirstamp) \
+	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_mobike.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_rekey.lo: sa/ikev2/tasks/$(am__dirstamp) \
@@ -1619,6 +1633,8 @@ sa/ikev1/$(DEPDIR)/$(am__dirstamp):
 	@: > sa/ikev1/$(DEPDIR)/$(am__dirstamp)
 sa/ikev1/keymat_v1.lo: sa/ikev1/$(am__dirstamp) \
 	sa/ikev1/$(DEPDIR)/$(am__dirstamp)
+sa/ikev1/iv_manager.lo: sa/ikev1/$(am__dirstamp) \
+	sa/ikev1/$(DEPDIR)/$(am__dirstamp)
 sa/ikev1/task_manager_v1.lo: sa/ikev1/$(am__dirstamp) \
 	sa/ikev1/$(DEPDIR)/$(am__dirstamp)
 sa/ikev1/authenticators/$(am__dirstamp):
@@ -1824,6 +1840,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at sa/$(DEPDIR)/trap_manager.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/eap/$(DEPDIR)/eap_manager.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/eap/$(DEPDIR)/eap_method.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at sa/ikev1/$(DEPDIR)/iv_manager.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev1/$(DEPDIR)/keymat_v1.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev1/$(DEPDIR)/phase1.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev1/$(DEPDIR)/task_manager_v1.Plo at am__quote@
@@ -1862,6 +1879,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_dpd.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_init.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_me.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_mid_sync.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_mobike.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_natd.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_reauth.Plo at am__quote@
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index 6b3cea8..f4bba87 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -233,6 +233,7 @@ static inline void unregister_logger(private_bus_t *this, logger_t *logger)
 	enumerator_t *enumerator;
 	linked_list_t *loggers;
 	log_entry_t *entry, *found = NULL;
+	debug_t group;
 
 	loggers = this->loggers[DBG_MAX];
 	enumerator = loggers->create_enumerator(loggers);
@@ -249,17 +250,16 @@ static inline void unregister_logger(private_bus_t *this, logger_t *logger)
 
 	if (found)
 	{
-		level_t level = LEVEL_SILENT, vlevel = LEVEL_SILENT;
-		debug_t group;
-
 		for (group = 0; group < DBG_MAX; group++)
 		{
 			if (found->levels[group] > LEVEL_SILENT)
 			{
+				level_t level = LEVEL_SILENT, vlevel = LEVEL_SILENT;
+
 				loggers = this->loggers[group];
 				loggers->remove(loggers, found, NULL);
-				loggers->find_first(loggers, (linked_list_match_t)find_max_levels, NULL,
-									&group, &level, &vlevel);
+				loggers->find_first(loggers, (linked_list_match_t)find_max_levels,
+									NULL, &group, &level, &vlevel);
 				set_level(&this->max_level[group], level);
 				set_level(&this->max_vlevel[group], vlevel);
 			}
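Review bot: Nothing in the loop explains why `level` and `vlevel` are now declared inside the `if` body rather than once before the `for`, so a later cleanup could hoist them again and let one group's maxima carry into the next. A short comment at the declaration would pin this, e.g. `/* reset for every group so maxima do not leak between groups */`. This assumes find_max_levels() only ever raises the values passed in; it is defined outside the hunk, as is the rest of unregister_logger().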
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 6a9c342..3c6dd51 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -249,7 +249,7 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
 			{
 				proposal->strip_dh(proposal, MODP_NONE);
 			}
-			selected = proposal->select(proposal, match, private);
+			selected = proposal->select(proposal, match, prefer_self, private);
 			if (selected)
 			{
 				DBG2(DBG_CFG, "received proposals: %#P", proposals);
@@ -306,25 +306,30 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 	{
 		e1 = this->other_ts->create_enumerator(this->other_ts);
 	}
-	/* In a first step, replace "dynamic" TS with the host list */
+	/* in a first step, replace "dynamic" TS with the host list */
 	while (e1->enumerate(e1, &ts1))
 	{
-		if (hosts && hosts->get_count(hosts) &&
-			ts1->is_dynamic(ts1))
-		{
-			e2 = hosts->create_enumerator(hosts);
-			while (e2->enumerate(e2, &host))
+		if (hosts && hosts->get_count(hosts))
+		{	/* set hosts if TS is dynamic or as initiator in transport mode */
+			bool dynamic = ts1->is_dynamic(ts1);
+			if (dynamic || (this->mode == MODE_TRANSPORT && !this->proxy_mode &&
+							!supplied))
 			{
-				ts2 = ts1->clone(ts1);
-				ts2->set_address(ts2, host);
-				derived->insert_last(derived, ts2);
+				e2 = hosts->create_enumerator(hosts);
+				while (e2->enumerate(e2, &host))
+				{
+					ts2 = ts1->clone(ts1);
+					if (dynamic || !host->is_anyaddr(host))
+					{	/* don't make regular TS larger than they were */
+						ts2->set_address(ts2, host);
+					}
+					derived->insert_last(derived, ts2);
+				}
+				e2->destroy(e2);
+				continue;
 			}
-			e2->destroy(e2);
-		}
-		else
-		{
-			derived->insert_last(derived, ts1->clone(ts1));
 		}
+		derived->insert_last(derived, ts1->clone(ts1));
 	}
 	e1->destroy(e1);
 
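Review bot: The comment `don't make regular TS larger than they were` covers only the %any case and does not say what happens to a configured, non-dynamic selector when a concrete host is present. In transport mode as initiator, `ts2->set_address(ts2, host)` is now also applied to such selectors, which presumably replaces the configured address range with the host address (set_address() is not visible here). Since that changes the scope of the negotiated policy, the intent should be stated at the condition, e.g. `/* transport mode: the configured range is replaced by the host address on purpose */`. `supplied`, `hosts` and `this->proxy_mode` are set outside the hunk.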
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index 7d52ac8..480dd37 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2016 Tobias Brunner
+ * Copyright (C) 2012-2017 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -339,7 +339,7 @@ METHOD(ike_cfg_t, select_proposal, proposal_t*,
 		}
 		while (match_enum->enumerate(match_enum, (void**)&match))
 		{
-			selected = proposal->select(proposal, match, private);
+			selected = proposal->select(proposal, match, prefer_self, private);
 			if (selected)
 			{
 				DBG2(DBG_CFG, "received proposals: %#P", proposals);
@@ -559,6 +559,39 @@ int ike_cfg_get_family(ike_cfg_t *cfg, bool local)
 /**
  * Described in header.
  */
+bool ike_cfg_has_address(ike_cfg_t *cfg, host_t *addr, bool local)
+{
+	private_ike_cfg_t *this = (private_ike_cfg_t*)cfg;
+	enumerator_t *enumerator;
+	host_t *host;
+	char *str;
+	bool found = FALSE;
+
+	if (local)
+	{
+		enumerator = this->my_hosts->create_enumerator(this->my_hosts);
+	}
+	else
+	{
+		enumerator = this->other_hosts->create_enumerator(this->other_hosts);
+	}
+	while (enumerator->enumerate(enumerator, &str))
+	{
+		host = host_create_from_string(str, 0);
+		if (host && addr->ip_equals(addr, host))
+		{
+			found = TRUE;
+			break;
+		}
+		DESTROY_IF(host);
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Described in header.
+ */
 ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
 						  char *me, uint16_t my_port,
 						  char *other, uint16_t other_port,
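Review bot: The `break` in the `found` branch of ike_cfg_has_address() skips the `DESTROY_IF(host);` below it, so the host_t created by host_create_from_string() for the matching entry is never destroyed and every successful lookup leaks one object. Add `host->destroy(host);` before `found = TRUE;` in that branch. Separately, entries for which host_create_from_string() returns NULL (presumably anything that is not a literal address) are silently skipped, which is worth stating in the function's documentation.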
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index afcb772..4d37264 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2016 Tobias Brunner
+ * Copyright (C) 2012-2017 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -266,4 +266,15 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
  */
 int ike_cfg_get_family(ike_cfg_t *this, bool local);
 
+/**
+ * Determine if the given address was explicitly configured as local or remote
+ * address.
+ *
+ * @param this				ike config to check
+ * @param addr				address to check
+ * @param local				TRUE to check local addresses, FALSE for remote
+ * @return					TRUE if address was configured
+ */
+bool ike_cfg_has_address(ike_cfg_t *this, host_t *addr, bool local);
+
 #endif /** IKE_CFG_H_ @}*/
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index 6463c7a..5d7ab07 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2016 Tobias Brunner
+ * Copyright (C) 2007-2017 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -164,7 +164,7 @@ struct private_peer_cfg_t {
 	/**
 	 * Name of the mediation connection to mediate through
 	 */
-	peer_cfg_t *mediated_by;
+	char *mediated_by;
 
 	/**
 	 * ID of our peer at the mediation server (= leftid of the peer's conn with
@@ -235,6 +235,7 @@ METHOD(enumerator_t, child_cfgs_replace_enumerate, bool,
 		{
 			break;
 		}
+		this->wrapped->destroy(this->wrapped);
 		this->wrapped = this->added->create_enumerator(this->added);
 		this->add = TRUE;
 	}
@@ -579,7 +580,7 @@ METHOD(peer_cfg_t, is_mediation, bool,
 	return this->mediation;
 }
 
-METHOD(peer_cfg_t, get_mediated_by, peer_cfg_t*,
+METHOD(peer_cfg_t, get_mediated_by, char*,
 	private_peer_cfg_t *this)
 {
 	return this->mediated_by;
@@ -682,7 +683,7 @@ METHOD(peer_cfg_t, equals, bool,
 		auth_cfg_equal(this, other)
 #ifdef ME
 		&& this->mediation == other->mediation &&
-		this->mediated_by == other->mediated_by &&
+		streq(this->mediated_by, other->mediated_by) &&
 		(this->peer_id == other->peer_id ||
 		 (this->peer_id && other->peer_id &&
 		  this->peer_id->equals(this->peer_id, other->peer_id)))
@@ -712,8 +713,8 @@ METHOD(peer_cfg_t, destroy, void,
 		this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
 		this->pools->destroy_function(this->pools, free);
 #ifdef ME
-		DESTROY_IF(this->mediated_by);
 		DESTROY_IF(this->peer_id);
+		free(this->mediated_by);
 #endif /* ME */
 		this->mutex->destroy(this->mutex);
 		free(this->name);
@@ -801,7 +802,7 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
 		.refcount = 1,
 #ifdef ME
 		.mediation = data->mediation,
-		.mediated_by = data->mediated_by,
+		.mediated_by = strdupnull(data->mediated_by),
 		.peer_id = data->peer_id,
 #endif /* ME */
 	);
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 8e4d533..b294ae7 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2016 Tobias Brunner
+ * Copyright (C) 2007-2017 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -319,14 +319,14 @@ struct peer_cfg_t {
 	 *
 	 * @return				TRUE, if this is a mediation connection
 	 */
-	bool (*is_mediation) (peer_cfg_t *this);
+	bool (*is_mediation)(peer_cfg_t *this);
 
 	/**
-	 * Get peer_cfg of the connection this one is mediated through.
+	 * Get name of the connection this one is mediated through.
 	 *
-	 * @return				the peer_cfg of the mediation connection
+	 * @return				the name of the mediation connection
 	 */
-	peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
+	char* (*get_mediated_by)(peer_cfg_t *this);
 
 	/**
 	 * Get the id of the other peer at the mediation server.
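Review bot: The new `@return` text for get_mediated_by() does not say who owns the returned string. peer_cfg.c in this commit returns `this->mediated_by` directly and frees it in destroy(), so a caller that frees the result, or keeps it after the config is destroyed, ends up with a double free or a dangling pointer. Suggest `@return the name of the mediation connection (internal data, must not be freed)`. A `const char*` return type would enforce this if the callers, which are outside this view, permit it.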
@@ -338,7 +338,7 @@ struct peer_cfg_t {
 	 *
 	 * @return				the id of the other peer
 	 */
-	identification_t* (*get_peer_id) (peer_cfg_t *this);
+	identification_t* (*get_peer_id)(peer_cfg_t *this);
 #endif /* ME */
 
 	/**
@@ -398,8 +398,8 @@ struct peer_cfg_create_t {
 #ifdef ME
 	/** TRUE if this is a mediation connection */
 	bool mediation;
-	/** peer_cfg_t of the mediation connection to mediate through (adopted) */
-	peer_cfg_t *mediated_by;
+	/** peer_cfg_t of the mediation connection to mediate through (cloned) */
+	char *mediated_by;
 	/** ID that identifies our peer at the mediation server (adopted) */
 	identification_t *peer_id;
 #endif /* ME */
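Review bot: The updated member comment still reads `peer_cfg_t of the mediation connection to mediate through (cloned)` although the field is now a `char *` holding the connection name. It should read `/** Name of the mediation connection to mediate through (cloned) */`. The ownership change from adopted to cloned also means callers keep responsibility for the string they pass in, which existing callers of peer_cfg_create() should be checked against.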
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 011c0b8..a2dc113 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -273,7 +273,8 @@ static bool select_algo(private_proposal_t *this, proposal_t *other,
 }
 
 METHOD(proposal_t, select_proposal, proposal_t*,
-	private_proposal_t *this, proposal_t *other, bool private)
+	private_proposal_t *this, proposal_t *other, bool other_remote,
+	bool private)
 {
 	proposal_t *selected;
 
@@ -285,7 +286,17 @@ METHOD(proposal_t, select_proposal, proposal_t*,
 		return NULL;
 	}
 
-	selected = proposal_create(this->protocol, other->get_number(other));
+	if (other_remote)
+	{
+		selected = proposal_create(this->protocol, other->get_number(other));
+		selected->set_spi(selected, other->get_spi(other));
+	}
+	else
+	{
+		selected = proposal_create(this->protocol, this->number);
+		selected->set_spi(selected, this->spi);
+
+	}
 
 	if (!select_algo(this, other, selected, ENCRYPTION_ALGORITHM, private) ||
 		!select_algo(this, other, selected, PSEUDO_RANDOM_FUNCTION, private) ||
@@ -298,7 +309,6 @@ METHOD(proposal_t, select_proposal, proposal_t*,
 	}
 
 	DBG2(DBG_CFG, "  proposal matches");
-	selected->set_spi(selected, other->get_spi(other));
 	return selected;
 }
 
@@ -915,6 +925,8 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 			case ECP_256_BP:
 			case ECP_384_BP:
 			case ECP_512_BP:
+			case CURVE_25519:
+			case CURVE_448:
 			case NTRU_128_BIT:
 			case NTRU_192_BIT:
 			case NTRU_256_BIT:
@@ -956,9 +968,12 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 			case MODP_768_BIT:
 				/* weak */
 				break;
+			case MODP_1024_160:
 			case MODP_2048_224:
+			case MODP_2048_256:
+				/* RFC 5114 primes are of questionable source */
+				break;
 			case MODP_1536_BIT:
-			case MODP_1024_160:
 			case ECP_224_BIT:
 			case ECP_224_BP:
 			case ECP_192_BIT:
@@ -966,7 +981,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 				/* rarely used */
 				break;
 			case MODP_2048_BIT:
-			case MODP_2048_256:
 			case MODP_1024_BIT:
 				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
 				break;
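Review bot: `case MODP_1024_BIT:` still falls into the `add_algorithm()` call and so stays in the default IKE proposal, while this commit drops the RFC 5114 groups and the same switch already skips MODP_768_BIT as weak. A 1024-bit MODP group is generally regarded as below current strength recommendations. If it is kept for interoperability, a comment should say so, e.g. `/* 1024-bit kept for legacy peers only */`; otherwise the case belongs with the weak groups. The enclosing switch in proposal_add_supported_ike() starts and ends outside the hunk.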
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
index f9f2778..2bdf345 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libcharon/config/proposal.h
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2009-2016 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -124,10 +125,14 @@ struct proposal_t {
 	 * in common, a resulting proposal of this kind is created.
 	 *
 	 * @param other			proposal to compare against
+	 * @param other_remote	whether other is the remote proposal from which to
+	 *						copy SPI and proposal number to the result,
+	 *						otherwise copy from this proposal
 	 * @param private		accepts algorithms allocated in a private range
 	 * @return				selected proposal, NULL if proposals don't match
 	 */
-	proposal_t *(*select) (proposal_t *this, proposal_t *other, bool private);
+	proposal_t *(*select)(proposal_t *this, proposal_t *other,
+						  bool other_remote, bool private);
 
 	/**
 	 * Get the protocol ID of the proposal.
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index 93ff70b..8e7816b 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -588,7 +588,6 @@ METHOD(controller_t, terminate_ike, status_t,
 		.listener = {
 			.public = {
 				.ike_state_change = _ike_state_change_terminate,
-				.child_state_change = _child_state_change_terminate,
 			},
 			.logger = {
 				.public = {
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 532d081..eadc10a 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2016 Tobias Brunner
+ * Copyright (C) 2006-2017 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -87,6 +87,16 @@ struct private_daemon_t {
 	linked_list_t *loggers;
 
 	/**
+	 * Cached log levels for default loggers
+	 */
+	level_t *levels;
+
+	/**
+	 * Whether to log to stdout/err by default
+	 */
+	bool to_stderr;
+
+	/**
 	 * Identifier used for syslog (in the openlog call)
 	 */
 	char *syslog_identifier;
@@ -532,7 +542,7 @@ static void load_custom_logger(private_daemon_t *this,
 }
 
 METHOD(daemon_t, load_loggers, void,
-	private_daemon_t *this, level_t levels[DBG_MAX], bool to_stderr)
+	private_daemon_t *this)
 {
 	enumerator_t *enumerator;
 	linked_list_t *current_loggers;
@@ -564,7 +574,7 @@ METHOD(daemon_t, load_loggers, void,
 		load_custom_logger(this, &custom_loggers[i], current_loggers);
 	}
 
-	if (!this->loggers->get_count(this->loggers) && levels)
+	if (!this->loggers->get_count(this->loggers) && this->levels)
 	{	/* setup legacy style default loggers configured via command-line */
 		file_logger_t *file_logger;
 		sys_logger_t *sys_logger;
@@ -578,11 +588,11 @@ METHOD(daemon_t, load_loggers, void,
 		{
 			if (sys_logger)
 			{
-				sys_logger->set_level(sys_logger, group, levels[group]);
+				sys_logger->set_level(sys_logger, group, this->levels[group]);
 			}
-			if (to_stderr)
+			if (this->to_stderr)
 			{
-				file_logger->set_level(file_logger, group, levels[group]);
+				file_logger->set_level(file_logger, group, this->levels[group]);
 			}
 		}
 		if (sys_logger)
@@ -604,13 +614,39 @@ METHOD(daemon_t, load_loggers, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(daemon_t, set_default_loggers, void,
+	private_daemon_t *this, level_t levels[DBG_MAX], bool to_stderr)
+{
+	debug_t group;
+
+	this->mutex->lock(this->mutex);
+	if (!levels)
+	{
+		free(this->levels);
+		this->levels = NULL;
+	}
+	else
+	{
+		if (!this->levels)
+		{
+			this->levels = calloc(sizeof(level_t), DBG_MAX);
+		}
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			this->levels[group] = levels[group];
+		}
+		this->to_stderr = to_stderr;
+	}
+	this->mutex->unlock(this->mutex);
+}
+
 METHOD(daemon_t, set_level, void,
 	private_daemon_t *this, debug_t group, level_t level)
 {
 	enumerator_t *enumerator;
 	logger_entry_t *entry;
 
-	/* we set the loglevel on ALL sys- and file-loggers */
+	/* we set the loglevel on ALL loggers */
 	this->mutex->lock(this->mutex);
 	enumerator = this->loggers->create_enumerator(this->loggers);
 	while (enumerator->enumerate(enumerator, &entry))
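Review bot: In set_default_loggers() the result of `calloc()` is used unchecked, so a failed allocation makes the copy loop write through a NULL `this->levels` while the mutex is held. The arguments are also in (size, count) order, which is harmless but unconventional. Suggest `this->levels = calloc(DBG_MAX, sizeof(level_t));` followed by `if (!this->levels) { this->mutex->unlock(this->mutex); return; }`. The loop also assumes the caller's array really has DBG_MAX entries, which the array-style parameter does not enforce. The set_level() body at the end of the hunk continues outside it.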
@@ -694,6 +730,7 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.bus);
 	this->loggers->destroy_function(this->loggers, (void*)logger_entry_destroy);
 	this->mutex->destroy(this->mutex);
+	free(this->levels);
 	free(this);
 }
 
@@ -879,6 +916,7 @@ private_daemon_t *daemon_create()
 			.initialize = _initialize,
 			.start = _start,
 			.load_loggers = _load_loggers,
+			.set_default_loggers = _set_default_loggers,
 			.set_level = _set_level,
 			.bus = bus_create(),
 		},
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 48b9c7e..a37a314 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2017 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -169,7 +169,7 @@
  * IKE_SA.
  *
  * The controller, credential_manager, bus and backend_manager (config) are
- * places where a plugin ca register itself to privide information or observe
+ * places where a plugin ca register itself to provide information or observe
  * and control the daemon.
  */
 
@@ -338,17 +338,27 @@ struct daemon_t {
 	/**
 	 * Load/Reload loggers defined in strongswan.conf
 	 *
-	 * @param levels	optional debug levels used to create default loggers
-	 * 					if none are defined in strongswan.conf
+	 * If none are defined in strongswan.conf default loggers configured via
+	 * set_default_loggers() are loaded.
+	 */
+	void (*load_loggers)(daemon_t *this);
+
+	/**
+	 * Configure default loggers if none are defined in strongswan.conf
+	 *
+	 * @param levels	debug levels used to create default loggers if none are
+	 *					defined in strongswan.conf (NULL to disable)
 	 * @param to_stderr	TRUE to log to stderr/stdout if no loggers are defined
-	 * 					in strongswan.conf
+	 * 					in strongswan.conf (logging to syslog is always enabled)
 	 */
-	void (*load_loggers)(daemon_t *this, level_t levels[DBG_MAX],
-						 bool to_stderr);
+	void (*set_default_loggers)(daemon_t *this, level_t levels[DBG_MAX],
+								bool to_stderr);
 
 	/**
-	 * Set the log level for the given log group for all configured file-,
-	 * syslog and custom-loggers.
+	 * Set the log level for the given log group for all loaded loggers.
+	 *
+	 * This change is not persistent and gets reset if loggers are reloaded
+	 * via load_loggers().
 	 *
 	 * @param group		log group
 	 * @param level		log level
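Review bot: The documentation for set_default_loggers() omits two things a caller needs. daemon.c in this commit copies the `levels` array, so the caller keeps ownership of it. The new defaults are only read by load_loggers(), so they take effect at the next load or reload. Suggest adding `* The levels are copied; they are applied by the next call to load_loggers().` to the comment block.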
diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c
index 7b39a02..ea5af9e 100644
--- a/src/libcharon/kernel/kernel_interface.c
+++ b/src/libcharon/kernel/kernel_interface.c
@@ -554,6 +554,16 @@ METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*,
 	return this->net->create_address_enumerator(this->net, which);
 }
 
+METHOD(kernel_interface_t, create_local_subnet_enumerator, enumerator_t*,
+	private_kernel_interface_t *this)
+{
+	if (!this->net || !this->net->create_local_subnet_enumerator)
+	{
+		return enumerator_create_empty();
+	}
+	return this->net->create_local_subnet_enumerator(this->net);
+}
+
 METHOD(kernel_interface_t, add_ip, status_t,
 	private_kernel_interface_t *this, host_t *virtual_ip, int prefix,
 	char *iface)
@@ -1005,6 +1015,7 @@ kernel_interface_t *kernel_interface_create()
 			.get_nexthop = _get_nexthop,
 			.get_interface = _get_interface,
 			.create_address_enumerator = _create_address_enumerator,
+			.create_local_subnet_enumerator = _create_local_subnet_enumerator,
 			.add_ip = _add_ip,
 			.del_ip = _del_ip,
 			.add_route = _add_route,
diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h
index 225b409..d601ebd 100644
--- a/src/libcharon/kernel/kernel_interface.h
+++ b/src/libcharon/kernel/kernel_interface.h
@@ -57,6 +57,12 @@ typedef enum kernel_feature_t kernel_feature_t;
 #include <kernel/kernel_net.h>
 
 /**
+ * Default range for SPIs requested from kernels
+ */
+#define KERNEL_SPI_MIN 0xc0000000
+#define KERNEL_SPI_MAX 0xcfffffff
+
+/**
  * Bitfield of optional features a kernel backend supports.
  *
  * This feature-set is for both, kernel_ipsec_t and kernel_net_t. Each
@@ -316,6 +322,17 @@ struct kernel_interface_t {
 												kernel_address_type_t which);
 
 	/**
+	 * Creates an enumerator over all local subnets.
+	 *
+	 * Local subnets are subnets the host is directly connected to.
+	 *
+	 * The enumerator returns the network, subnet mask and interface.
+	 *
+	 * @return				enumerator over host_t*, uint8_t, char*
+	 */
+	enumerator_t *(*create_local_subnet_enumerator)(kernel_interface_t *this);
+
+	/**
 	 * Add a virtual IP to an interface.
 	 *
 	 * Virtual IPs are attached to an interface. If an IP is added multiple
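Review bot: The comment for create_local_subnet_enumerator() calls the second enumerated value a "subnet mask", but its type is `uint8_t`, so it is presumably a prefix length. It also does not say whether the enumerated `host_t*` and `char*` are owned by the enumerator. Suggest `* The enumerator returns the network, prefix length and interface name; all values are owned by the enumerator.`, with the ownership part confirmed against the backend implementation. The identical comment added to kernel_net.h in this commit needs the same change.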
diff --git a/src/libcharon/kernel/kernel_net.h b/src/libcharon/kernel/kernel_net.h
index 1d78d6e..12475b1 100644
--- a/src/libcharon/kernel/kernel_net.h
+++ b/src/libcharon/kernel/kernel_net.h
@@ -119,6 +119,17 @@ struct kernel_net_t {
 												kernel_address_type_t which);
 
 	/**
+	 * Creates an enumerator over all local subnets.
+	 *
+	 * Local subnets are subnets the host is directly connected to.
+	 *
+	 * The enumerator returns the network, subnet mask and interface.
+	 *
+	 * @return				enumerator over host_t*, uint8_t, char*
+	 */
+	enumerator_t *(*create_local_subnet_enumerator)(kernel_net_t *this);
+
+	/**
 	 * Add a virtual IP to an interface.
 	 *
 	 * Virtual IPs are attached to an interface. If an IP is added multiple
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 7917d45..f5dfc14 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.c b/src/libcharon/plugins/addrblock/addrblock_narrow.c
index f85fa78..3b3b72f 100644
--- a/src/libcharon/plugins/addrblock/addrblock_narrow.c
+++ b/src/libcharon/plugins/addrblock/addrblock_narrow.c
@@ -33,17 +33,15 @@ struct private_addrblock_narrow_t {
 	addrblock_narrow_t public;
 };
 
-/**
- * Check if the negotiated TS list is acceptable by X509 ipAddrBlock constraints
- */
-static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
+static void narrow_addrblock(private_addrblock_narrow_t *this, ike_sa_t *ike_sa,
+							 linked_list_t *list)
 {
-	auth_cfg_t *auth;
-	enumerator_t *auth_enum;
 	certificate_t *cert = NULL;
+	enumerator_t *enumerator;
+	auth_cfg_t *auth;
 
-	auth_enum = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
-	while (auth_enum->enumerate(auth_enum, &auth))
+	enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &auth))
 	{
 		cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
 		if (cert)
@@ -51,7 +49,7 @@ static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
 			break;
 		}
 	}
-	auth_enum->destroy(auth_enum);
+	enumerator->destroy(enumerator);
 
 	if (cert && cert->get_type(cert) == CERT_X509)
 	{
@@ -59,54 +57,45 @@ static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
 
 		if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
 		{
-			enumerator_t *enumerator, *block_enum;
-			traffic_selector_t *ts, *block_ts;
+			traffic_selector_t *ts, *block, *subset;
+			linked_list_t *original;
+
+			original = linked_list_create();
+			while (list->remove_last(list, (void**)&ts) == SUCCESS)
+			{
+				original->insert_first(original, ts);
+			}
 
 			DBG1(DBG_IKE, "checking certificate-based traffic selector "
-						  "constraints [RFC 3779]");
-			enumerator = list->create_enumerator(list);
-			while (enumerator->enumerate(enumerator, &ts))
+				 "constraints [RFC 3779]");
+			while (original->remove_first(original, (void**)&ts) == SUCCESS)
 			{
 				bool contained = FALSE;
 
-				block_enum = x509->create_ipAddrBlock_enumerator(x509);
-				while (block_enum->enumerate(block_enum, &block_ts))
+				enumerator = x509->create_ipAddrBlock_enumerator(x509);
+				while (enumerator->enumerate(enumerator, &block))
 				{
-					if (ts->is_contained_in(ts, block_ts))
+					subset = ts->get_subset(ts, block);
+					if (subset)
 					{
 						DBG1(DBG_IKE, "  TS %R is contained in address block"
-									  " constraint %R", ts, block_ts);
+							 " constraint %R (subset %R)", ts, block, subset);
+						list->insert_last(list, subset);
 						contained = TRUE;
-						break;
 					}
 				}
-				block_enum->destroy(block_enum);
+				enumerator->destroy(enumerator);
 
 				if (!contained)
 				{
 					DBG1(DBG_IKE, "  TS %R is not contained in any"
-								  " address block constraint", ts);
-					enumerator->destroy(enumerator);
-					return FALSE;
+						 " address block constraint", ts);
 				}
+				ts->destroy(ts);
 			}
-			enumerator->destroy(enumerator);
+			original->destroy(original);
 		}
 	}
-	return TRUE;
-}
-
-/**
- * Delete all traffic selectors in a list
- */
-static void flush_ts_list(linked_list_t *list)
-{
-	traffic_selector_t *ts;
-
-	while (list->remove_last(list, (void**)&ts) == SUCCESS)
-	{
-		ts->destroy(ts);
-	}
 }
 
 METHOD(listener_t, narrow, bool,
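Review bot: The retained log text `TS %R is contained in address block constraint %R` no longer matches the test, because `ts->get_subset(ts, block)` presumably succeeds on any overlap and not only on full containment. Wording it as `"  TS %R overlaps address block constraint %R (subset %R)"` would keep logs accurate for anyone auditing which selectors were narrowed. narrow_addrblock() also lost the header comment that check_constraints() had; suggest `/* Narrow the TS list to the ranges permitted by the peer certificate's ipAddrBlocks [RFC 3779] */`. The `this` parameter is unused in the visible part of the function.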
@@ -116,13 +105,10 @@ METHOD(listener_t, narrow, bool,
 	switch (type)
 	{
 		case NARROW_RESPONDER:
+		case NARROW_INITIATOR_PRE_AUTH:
 		case NARROW_INITIATOR_POST_AUTH:
 		case NARROW_INITIATOR_POST_NOAUTH:
-			if (!check_constraints(ike_sa, remote))
-			{
-				flush_ts_list(local);
-				flush_ts_list(remote);
-			}
+			narrow_addrblock(this, ike_sa, remote);
 			break;
 		default:
 			break;
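Review bot: With check_constraints() and flush_ts_list() removed, a remote TS list that overlaps no ipAddrBlock is simply left empty by narrow_addrblock(), and `local` is no longer flushed as the old code did. Whether the caller of narrow() treats an empty remote list as a failed negotiation is not visible here and should be confirmed, then recorded in a comment at this call. The added `NARROW_INITIATOR_PRE_AUTH` case presumably runs before a peer subject certificate is available, in which case the list passes through unchanged; a one-line comment saying this is intended would help.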
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
index 372c978..d16a117 100644
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -30,12 +30,18 @@ struct private_addrblock_validator_t {
 	 * Public addrblock_validator_t interface.
 	 */
 	addrblock_validator_t public;
+
+	/**
+	 * Whether to reject subject certificates not having a addrBlock extension
+	 */
+	bool strict;
 };
 
 /**
  * Do the addrblock check for two x509 plugins
  */
-static bool check_addrblock(x509_t *subject, x509_t *issuer)
+static bool check_addrblock(private_addrblock_validator_t *this,
+							x509_t *subject, x509_t *issuer)
 {
 	bool subject_const, issuer_const, contained = TRUE;
 	enumerator_t *subject_enumerator, *issuer_enumerator;
@@ -51,7 +57,7 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer)
 	if (!subject_const)
 	{
 		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
-		return FALSE;
+		return !this->strict;
 	}
 	if (!issuer_const)
 	{
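Review bot: With `return !this->strict;` a subject certificate without the ipAddrBlocks extension is accepted when `strict` is disabled, yet the DBG1 line above it logs the same text whether the certificate is accepted or rejected. narrow_addrblock() in this commit narrows only when X509_IP_ADDR_BLOCKS is set, so such a peer ends up with no address restriction at all. That outcome should be visible in the log, e.g. `DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension, %s", this->strict ? "rejected" : "accepted");`. check_addrblock() continues outside the hunk.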
@@ -94,7 +100,7 @@ METHOD(cert_validator_t, validate, bool,
 	if (subject->get_type(subject) == CERT_X509 &&
 		issuer->get_type(issuer) == CERT_X509)
 	{
-		if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
+		if (!check_addrblock(this, (x509_t*)subject, (x509_t*)issuer))
 		{
 			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
 									subject);
@@ -124,6 +130,8 @@ addrblock_validator_t *addrblock_validator_create()
 			},
 			.destroy = _destroy,
 		},
+		.strict = lib->settings->get_bool(lib->settings,
+						"%s.plugins.addrblock.strict", TRUE, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 3560d36..d79c753 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 9d3f2f5..65cdcff 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in
index 4b900d1..217a42a 100644
--- a/src/libcharon/plugins/attr/Makefile.in
+++ b/src/libcharon/plugins/attr/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in
index 077e2f3..668e23f 100644
--- a/src/libcharon/plugins/attr_sql/Makefile.in
+++ b/src/libcharon/plugins/attr_sql/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/bypass_lan/Makefile.am b/src/libcharon/plugins/bypass_lan/Makefile.am
new file mode 100644
index 0000000..c1313f6
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/Makefile.am
@@ -0,0 +1,18 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-bypass-lan.la
+else
+plugin_LTLIBRARIES = libstrongswan-bypass-lan.la
+endif
+
+libstrongswan_bypass_lan_la_SOURCES = \
+	bypass_lan_plugin.h bypass_lan_plugin.c \
+	bypass_lan_listener.h bypass_lan_listener.c
+
+libstrongswan_bypass_lan_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/bypass_lan/Makefile.in b/src/libcharon/plugins/bypass_lan/Makefile.in
new file mode 100644
index 0000000..9f1dc71
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/Makefile.in
@@ -0,0 +1,795 @@
+# Makefile.in generated by automake 1.15 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/bypass_lan
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_bypass_lan_la_LIBADD =
+am_libstrongswan_bypass_lan_la_OBJECTS = bypass_lan_plugin.lo \
+	bypass_lan_listener.lo
+libstrongswan_bypass_lan_la_OBJECTS =  \
+	$(am_libstrongswan_bypass_lan_la_OBJECTS)
+AM_V_lt = $(am__v_lt_ at AM_V@)
+am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libstrongswan_bypass_lan_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_bypass_lan_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+ at MONOLITHIC_FALSE@am_libstrongswan_bypass_lan_la_rpath = -rpath \
+ at MONOLITHIC_FALSE@	$(plugindir)
+ at MONOLITHIC_TRUE@am_libstrongswan_bypass_lan_la_rpath =
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_ at AM_V@)
+am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libstrongswan_bypass_lan_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_bypass_lan_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+ATOMICLIB = @ATOMICLIB@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+runstatedir = @runstatedir@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+ at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-bypass-lan.la
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-bypass-lan.la
+libstrongswan_bypass_lan_la_SOURCES = \
+	bypass_lan_plugin.h bypass_lan_plugin.c \
+	bypass_lan_listener.h bypass_lan_listener.c
+
+libstrongswan_bypass_lan_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/bypass_lan/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/bypass_lan/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libstrongswan-bypass-lan.la: $(libstrongswan_bypass_lan_la_OBJECTS) $(libstrongswan_bypass_lan_la_DEPENDENCIES) $(EXTRA_libstrongswan_bypass_lan_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_bypass_lan_la_LINK) $(am_libstrongswan_bypass_lan_la_rpath) $(libstrongswan_bypass_lan_la_OBJECTS) $(libstrongswan_bypass_lan_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bypass_lan_listener.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bypass_lan_plugin.Plo at am__quote@
+
+.c.o:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+ at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
+
+.PRECIOUS: Makefile
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
new file mode 100644
index 0000000..e690028
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
@@ -0,0 +1,295 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bypass_lan_listener.h"
+
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
+#include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
+
+#include <daemon.h>
+
+typedef struct private_bypass_lan_listener_t private_bypass_lan_listener_t;
+
+/**
+ * Private data
+ */
+struct private_bypass_lan_listener_t {
+
+	/**
+	 * Public interface.
+	 */
+	bypass_lan_listener_t public;
+
+	/**
+	 * Currently installed bypass policies, bypass_policy_t*.
+	 */
+	hashtable_t *policies;
+
+	/**
+	 * Mutex to access list of policies.
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * List of interface names to include or exclude (char*), NULL if interfaces
+	 * are not filtered.
+	 */
+	linked_list_t *ifaces_filter;
+
+	/**
+	 * TRUE to exclude interfaces listed in ifaces_filter, FALSE to consider
+	 * only those listed there.
+	 */
+	bool ifaces_exclude;
+};
+
+/**
+ * Data for bypass policies
+ */
+typedef struct {
+	private_bypass_lan_listener_t *listener;
+	host_t *net;
+	uint8_t mask;
+	child_cfg_t *cfg;
+} bypass_policy_t;
+
+/**
+ * Destroy a bypass policy
+ */
+static void bypass_policy_destroy(bypass_policy_t *this)
+{
+	traffic_selector_t *ts;
+
+	if (this->cfg)
+	{
+		ts = traffic_selector_create_from_subnet(this->net->clone(this->net),
+												 this->mask, 0, 0, 65535);
+		DBG1(DBG_IKE, "uninstalling bypass policy for %R", ts);
+		charon->shunts->uninstall(charon->shunts, "bypass-lan",
+								  this->cfg->get_name(this->cfg));
+		this->cfg->destroy(this->cfg);
+		ts->destroy(ts);
+	}
+	this->net->destroy(this->net);
+	free(this);
+}
+
+/**
+ * Hash a bypass policy
+ */
+static u_int policy_hash(bypass_policy_t *policy)
+{
+	return chunk_hash_inc(policy->net->get_address(policy->net),
+						  chunk_hash(chunk_from_thing(policy->mask)));
+}
+
+/**
+ * Compare bypass policy
+ */
+static bool policy_equals(bypass_policy_t *a, bypass_policy_t *b)
+{
+	return a->mask == b->mask && a->net->equals(a->net, b->net);
+}
+
+/**
+ * Check if an interface should be considered
+ */
+static bool consider_interface(private_bypass_lan_listener_t *this, char *iface)
+{
+	status_t expected;
+
+	if (!iface || !this->ifaces_filter)
+	{
+		return TRUE;
+	}
+	expected = this->ifaces_exclude ? NOT_FOUND : SUCCESS;
+	return this->ifaces_filter->find_first(this->ifaces_filter, (void*)streq,
+										   NULL, iface) == expected;
+}
+
+/**
+ * Job updating bypass policies
+ */
+static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
+{
+	enumerator_t *enumerator;
+	hashtable_t *seen;
+	bypass_policy_t *found, *lookup;
+	host_t *net;
+	uint8_t mask;
+	char *iface;
+
+	seen = hashtable_create((hashtable_hash_t)policy_hash,
+							(hashtable_equals_t)policy_equals, 4);
+
+	this->mutex->lock(this->mutex);
+
+	enumerator = charon->kernel->create_local_subnet_enumerator(charon->kernel);
+	while (enumerator->enumerate(enumerator, &net, &mask, &iface))
+	{
+		if (!consider_interface(this, iface))
+		{
+			continue;
+		}
+
+		INIT(lookup,
+			.net = net->clone(net),
+			.mask = mask,
+		);
+		found = seen->put(seen, lookup, lookup);
+		if (found)
+		{	/* in case the same subnet is on multiple interfaces */
+			bypass_policy_destroy(found);
+		}
+
+		found = this->policies->get(this->policies, lookup);
+		if (!found)
+		{
+			child_cfg_create_t child = {
+				.mode = MODE_PASS,
+			};
+			child_cfg_t *cfg;
+			traffic_selector_t *ts;
+			char name[128];
+
+			ts = traffic_selector_create_from_subnet(net->clone(net), mask,
+													 0, 0, 65535);
+			snprintf(name, sizeof(name), "Bypass LAN %R", ts);
+
+			cfg = child_cfg_create(name, &child);
+			cfg->add_traffic_selector(cfg, FALSE, ts->clone(ts));
+			cfg->add_traffic_selector(cfg, TRUE, ts);
+			charon->shunts->install(charon->shunts, "bypass-lan", cfg);
+			DBG1(DBG_IKE, "installed bypass policy for %R", ts);
+
+			INIT(found,
+				.net = net->clone(net),
+				.mask = mask,
+				.cfg = cfg,
+			);
+			this->policies->put(this->policies, found, found);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->policies->create_enumerator(this->policies);
+	while (enumerator->enumerate(enumerator, NULL, &lookup))
+	{
+		if (!seen->get(seen, lookup))
+		{
+			this->policies->remove_at(this->policies, enumerator);
+			bypass_policy_destroy(lookup);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	seen->destroy_function(seen, (void*)bypass_policy_destroy);
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(kernel_listener_t, roam, bool,
+	private_bypass_lan_listener_t *this, bool address)
+{
+	lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+									NULL, (callback_job_cancel_t)return_false));
+	return TRUE;
+}
+
+METHOD(bypass_lan_listener_t, reload_interfaces, void,
+	private_bypass_lan_listener_t *this)
+{
+	char *ifaces;
+
+	this->mutex->lock(this->mutex);
+	DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free);
+	this->ifaces_filter = NULL;
+	this->ifaces_exclude = FALSE;
+
+	ifaces = lib->settings->get_str(lib->settings,
+					"%s.plugins.bypass-lan.interfaces_use", NULL, lib->ns);
+	if (!ifaces)
+	{
+		this->ifaces_exclude = TRUE;
+		ifaces = lib->settings->get_str(lib->settings,
+					"%s.plugins.bypass-lan.interfaces_ignore", NULL, lib->ns);
+	}
+	if (ifaces)
+	{
+		enumerator_t *enumerator;
+		char *iface;
+
+		enumerator = enumerator_create_token(ifaces, ",", " ");
+		while (enumerator->enumerate(enumerator, &iface))
+		{
+			if (!this->ifaces_filter)
+			{
+				this->ifaces_filter = linked_list_create();
+			}
+			this->ifaces_filter->insert_last(this->ifaces_filter,
+											 strdup(iface));
+		}
+		enumerator->destroy(enumerator);
+	}
+	this->mutex->unlock(this->mutex);
+	lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+									NULL, (callback_job_cancel_t)return_false));
+}
+
+METHOD(bypass_lan_listener_t, destroy, void,
+	private_bypass_lan_listener_t *this)
+{
+	enumerator_t *enumerator;
+	bypass_policy_t *policy;
+
+	enumerator = this->policies->create_enumerator(this->policies);
+	while (enumerator->enumerate(enumerator, NULL, &policy))
+	{
+		bypass_policy_destroy(policy);
+	}
+	enumerator->destroy(enumerator);
+	DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free);
+	this->policies->destroy(this->policies);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * See header
+ */
+bypass_lan_listener_t *bypass_lan_listener_create()
+{
+	private_bypass_lan_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.roam = _roam,
+			},
+			.reload_interfaces = _reload_interfaces,
+			.destroy = _destroy,
+		},
+		.policies = hashtable_create((hashtable_hash_t)policy_hash,
+									 (hashtable_equals_t)policy_equals, 4),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	reload_interfaces(this);
+	return &this->public;
+}
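Review bot: In update_bypass() every (net, mask) pair the local-subnet enumerator yields becomes a MODE_PASS shunt with no check on the prefix length, so the only filter between an attached network and an IPsec exemption is the interface-name test in consider_interface(). If the enumerator can report a very short prefix (not visible in this hunk; it depends on the kernel interface and on how the address or route was configured, for example by DHCP on an untrusted network), the pass policy would cover far more than a LAN and that traffic would leave outside the tunnel. I would add a lower bound on `mask` next to the consider_interface() check, where `continue` is still safe because nothing has been cloned yet, and state the trust assumption in a comment such as `/* net/mask are taken as reported by the kernel; a pass policy exempts the whole subnet from IPsec */`. The result of `charon->shunts->install()` is also not looked at, so the "installed bypass policy" log line and the entry in this->policies are produced even when the install did not succeed (assuming it reports failure through its return value).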
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.h b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.h
new file mode 100644
index 0000000..737230d
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bypass_lan_listener bypass_lan_listener
+ * @{ @ingroup bypass_lan
+ */
+
+#ifndef BYPASS_LAN_LISTENER_H_
+#define BYPASS_LAN_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct bypass_lan_listener_t bypass_lan_listener_t;
+
+/**
+ * Listener to install bypass policies
+ */
+struct bypass_lan_listener_t {
+
+	/**
+	 * Implements kernel_listener_t interface.
+	 */
+	kernel_listener_t listener;
+
+	/**
+	 * Reload ignored/used interface names from config.
+	 */
+	void (*reload_interfaces)(bypass_lan_listener_t *this);
+
+	/**
+	 * Destroy a bypass_lan_listener_t.
+	 */
+	void (*destroy)(bypass_lan_listener_t *this);
+};
+
+/**
+ * Create a bypass_lan_listener instance.
+ */
+bypass_lan_listener_t *bypass_lan_listener_create();
+
+#endif /** BYPASS_LAN_LISTENER_H_ @}*/
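Review bot: The struct member `kernel_listener_t listener;` uses a type that the only include here, `<bus/listeners/listener.h>`, does not obviously declare. That header is named for the bus `listener_t`, so this file compiles only if `kernel_listener_t` arrives transitively, which cannot be confirmed from this hunk. Including the declaring header directly, `#include <kernel/kernel_listener.h>`, would keep this header self-contained. The doc comment on `reload_interfaces` could also say that it may be called at runtime (the plugin's `reload` does so) and that it triggers a re-evaluation of the installed bypass policies.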
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.c b/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.c
new file mode 100644
index 0000000..ccc05f0
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bypass_lan_plugin.h"
+#include "bypass_lan_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_bypass_lan_plugin_t private_bypass_lan_plugin_t;
+
+/**
+ * Private data
+ */
+struct private_bypass_lan_plugin_t {
+
+	/**
+	 * Public interface
+	 */
+	bypass_lan_plugin_t public;
+
+	/**
+	 * Listener installing bypass policies
+	 */
+	bypass_lan_listener_t *listener;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_bypass_lan_plugin_t *this)
+{
+	return "bypass-lan";
+}
+
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_bypass_lan_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->kernel->add_listener(charon->kernel,
+									 &this->listener->listener);
+	}
+	else
+	{
+		charon->kernel->remove_listener(charon->kernel,
+										&this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_bypass_lan_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "bypass-lan"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, reload, bool,
+	private_bypass_lan_plugin_t *this)
+{
+	this->listener->reload_interfaces(this->listener);
+	return TRUE;
+}
+
+METHOD(plugin_t, destroy, void,
+	private_bypass_lan_plugin_t *this)
+{
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *bypass_lan_plugin_create()
+{
+	private_bypass_lan_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.reload = _reload,
+				.destroy = _destroy,
+			},
+		},
+		.listener = bypass_lan_listener_create(),
+	);
+
+	return &this->public.plugin;
+}
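Review bot: `destroy()` frees the listener with `this->listener->destroy(this->listener);` while a job queued by `reload_interfaces()` may still reference it. In bypass_lan_listener.c that function passes the raw listener pointer to `callback_job_create()` for `update_bypass`, and nothing in `plugin_cb(reg == FALSE)` or `destroy()` here waits for or cancels such a job. If teardown is guaranteed to run only after the processor has stopped executing jobs, that ordering is the safety argument and should be written down, e.g. `/* queued update_bypass jobs hold the listener; plugins are destroyed only after the processor stopped running jobs */`. If it is not guaranteed, the listener needs a way to drain or invalidate pending jobs before `free(this)`; the body of `update_bypass` is outside the visible part, so this is inferred from the queueing call alone.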
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.h b/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.h
new file mode 100644
index 0000000..934bf0c
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bypass_lan bypass_lan
+ * @ingroup cplugins
+ *
+ * @defgroup bypass_lan_plugin bypass_lan_plugin
+ * @{ @ingroup bypass_lan
+ */
+
+#ifndef BYPASS_LAN_PLUGIN_H_
+#define BYPASS_LAN_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct bypass_lan_plugin_t bypass_lan_plugin_t;
+
+/**
+ * Plugin installing bypass policies for locally attached subnets.
+ */
+struct bypass_lan_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** BYPASS_LAN_PLUGIN_H_ @}*/
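Review bot: The one-line description "Plugin installing bypass policies for locally attached subnets" leaves out the consequence an operator has to know before enabling this. Traffic matching a bypass policy is exempt from IPsec processing, so packets to those subnets presumably leave in the clear on the local link even when a tunnel's traffic selectors would cover them. The doc block should say this and name the setting that narrows the interface set; the listener visibly reads `%s.plugins.bypass-lan.interfaces_ignore`. It should also note that the set of bypassed subnets follows whatever addresses the host currently has, so it changes when the host roams to another network.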
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 30873fa..ffde2d7 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/connmark/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in
index 3c9ba80..140f1b6 100644
--- a/src/libcharon/plugins/connmark/Makefile.in
+++ b/src/libcharon/plugins/connmark/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/connmark/connmark_plugin.c b/src/libcharon/plugins/connmark/connmark_plugin.c
index 3f276f9..ad44eba 100644
--- a/src/libcharon/plugins/connmark/connmark_plugin.c
+++ b/src/libcharon/plugins/connmark/connmark_plugin.c
@@ -90,6 +90,12 @@ plugin_t *connmark_plugin_create()
 		return NULL;
 	}
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+	{
+		DBG1(DBG_NET, "connmark plugin requires CAP_NET_RAW capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
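Review bot: The added `lib->caps->keep(lib->caps, CAP_NET_RAW)` check carries no comment saying which operation in this plugin needs raw-socket privilege. That reason is what a later audit of the daemon's retained capabilities needs, since by its name `keep()` retains the capability for the whole process and not just for this plugin. Suggest a line above the check such as `/* libiptc opens a raw socket to talk to netfilter (TODO confirm) */`. `connmark_plugin_create()` starts before and continues after this hunk.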
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index 61dd852..3910e4e 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 856ebaa..6033c6e 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index fd47162..cd66af8 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index 866af82..e4b60e6 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -367,7 +367,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -402,6 +401,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 6ff71c2..20c0ddb 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index eabe0b4..f4fb8ec 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index e6877f7..2dbc05f 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
index d0f0595..83ccd3a 100644
--- a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
@@ -94,6 +94,13 @@ static eap_method_t *load_method(private_eap_dynamic_t *this,
 	return method;
 }
 
+METHOD(eap_method_t, get_auth, auth_cfg_t*,
+	private_eap_dynamic_t *this)
+{
+	/* get_auth() is only registered if the EAP method supports it */
+	return this->method->get_auth(this->method);
+}
+
 /**
  * Select the first method we can instantiate and is supported by both peers.
  */
@@ -135,6 +142,10 @@ static void select_method(private_eap_dynamic_t *this)
 		this->method = load_method(this, entry->type, entry->vendor);
 		if (this->method)
 		{
+			if (this->method->get_auth)
+			{
+				this->public.interface.get_auth = _get_auth;
+			}
 			if (entry->vendor)
 			{
 				DBG1(DBG_IKE, "vendor specific EAP method %d-%d selected",
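Review bot: The public `get_auth` pointer is only ever set in this branch, never cleared, so its correctness depends on every path that drops `this->method` also resetting it. The hunk in `process()` does that for the restart case, but any other path that replaces or destroys the method would leave `_get_auth` registered, and the wrapper then calls `this->method->get_auth` on a method that is NULL or lacks the callback. Assigning unconditionally makes the state self-correcting: `this->public.interface.get_auth = this->method->get_auth ? _get_auth : NULL;`. `select_method()` begins and ends outside this hunk, so whether such a path exists today cannot be confirmed from here.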
@@ -211,6 +222,7 @@ METHOD(eap_method_t, process, status_t,
 		/* restart with a different method */
 		this->method->destroy(this->method);
 		this->method = NULL;
+		this->public.interface.get_auth = NULL;
 		return initiate(this, out);
 	}
 	if (!this->other_types)
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index a1ebc2b..01d509e 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index e2431fe..cc1f21e 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 2a47218..939bbf9 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 42c0795..1e1936c 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 23d9d1d..b83a80f 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 7d0614d..29a2f38 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index ba20c08..b4abce9 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 5d93852..914c8c0 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 8d0cd71..48ef921 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 60b7ef3..5f12e2e 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 8608587..45e2b74 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 4cf739e..8c134cf 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index d125c13..a9a2ded 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index c32671a..cda1728 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 20a3dd8..a72b005 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index 96c6a63..33862f0 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -368,7 +368,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -403,6 +402,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in
index 1178d65..de83d83 100644
--- a/src/libcharon/plugins/ext_auth/Makefile.in
+++ b/src/libcharon/plugins/ext_auth/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index f37ca65..daee657 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c
index c2715bd..5753f79 100644
--- a/src/libcharon/plugins/farp/farp_spoofer.c
+++ b/src/libcharon/plugins/farp/farp_spoofer.c
@@ -143,7 +143,7 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener)
 		BPF_STMT(BPF_LD+BPF_B+BPF_ABS, offsetof(arp_t, hardware_size)),
 		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 6, 0, 7),
 		BPF_STMT(BPF_LD+BPF_B+BPF_ABS, offsetof(arp_t, protocol_size)),
-		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 4, 0, 4),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 4, 0, 5),
 		BPF_STMT(BPF_LD+BPF_H+BPF_ABS, offsetof(arp_t, opcode)),
 		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPOP_REQUEST, 0, 3),
 		BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),
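Review bot: The `jf` offsets in this filter are hand-counted and nothing in the code says what they must land on, which is how the `protocol_size` check ended up one instruction short. With the fix, the three visible checks (`jf` 7, 5 and 3, each two instructions apart) resolve to the same target, presumably the rejecting return at the end of the program. A comment at the top of the array would make the next insertion safer, e.g. `/* every jf below must land on the final reject instruction; recount all offsets when adding a check */`. Because this filter decides which ARP frames reach the responder, the userspace handler should still validate the sizes itself rather than rely on the filter alone. The rest of the program lies outside this hunk.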
diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in
index 2f78e77..5254bca 100644
--- a/src/libcharon/plugins/forecast/Makefile.in
+++ b/src/libcharon/plugins/forecast/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c
index 3f252db..2024c26 100644
--- a/src/libcharon/plugins/forecast/forecast_listener.c
+++ b/src/libcharon/plugins/forecast/forecast_listener.c
@@ -212,7 +212,7 @@ static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
 	ADD_STRUCT(pos, struct xt_udp,
 		.spts = {
 			entry->rhost->get_port(entry->rhost),
-			entry->rhost->get_port(entry->lhost)
+			entry->rhost->get_port(entry->rhost)
 		},
 		.dpts = {
 			entry->lhost->get_port(entry->lhost),
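Review bot: Each port in `.spts` and `.dpts` is still obtained by writing out the `obj->get_port(obj)` call twice, which is the pattern that allowed the mismatched `entry->rhost->get_port(entry->lhost)` in the first place. Reading each port once into a local before `ADD_STRUCT` removes that class of slip and makes the min/max pairs obviously identical, e.g. `.spts = { rport, rport },` and `.dpts = { lport, lport },`. `manage_pre_esp_in_udp()` starts before and continues after this hunk, so the locals would be declared outside the visible lines.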
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 2be7ee4..dd2a7a9 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index b20ef87..34d6efc 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -215,8 +215,12 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 		}
 		if (offset == -1)
 		{
-			DBG1(DBG_CFG, "no address left in HA pool '%s' belonging to"
-				 "a responsible segment", name);
+			DBG1(DBG_CFG, "no address belonging to a responsible segment left "
+				 "in HA pool '%s'", name);
+		}
+		else
+		{
+			break;
 		}
 	}
 	this->mutex->unlock(this->mutex);
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index 992ccb0..0e83b16 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -237,6 +237,20 @@ METHOD(listener_t, ike_rekey, bool,
 	return TRUE;
 }
 
+METHOD(listener_t, alert, bool,
+	private_ha_ike_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args)
+{
+	switch (alert)
+	{
+		case ALERT_HALF_OPEN_TIMEOUT:
+			ike_updown(this, ike_sa, FALSE);
+			break;
+		default:
+			break;
+	}
+	return TRUE;
+}
+
 METHOD(listener_t, ike_state_change, bool,
 	private_ha_ike_t *this, ike_sa_t *ike_sa, ike_sa_state_t new)
 {
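Review bot: The new `alert()` handler gives no reason why `ALERT_HALF_OPEN_TIMEOUT` is translated into `ike_updown(this, ike_sa, FALSE)`. Presumably a half-open IKE_SA that times out is destroyed without a regular down event, so the peer HA node would otherwise keep its synced copy. That should be stated above the case, e.g. `/* no updown event is raised for a half-open SA that times out, so sync its removal explicitly */`. The `args` parameter is unused, and `ike_updown()` is defined outside this hunk, so its handling of an SA that never reached the established state cannot be checked here.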
@@ -393,6 +407,7 @@ ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
 	INIT(this,
 		.public = {
 			.listener = {
+				.alert = _alert,
 				.ike_keys = _ike_keys,
 				.ike_updown = _ike_updown,
 				.ike_rekey = _ike_rekey,
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index 971b72c..025a1a2 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in
index a2c8d22..fb8e42e 100644
--- a/src/libcharon/plugins/kernel_iph/Makefile.in
+++ b/src/libcharon/plugins/kernel_iph/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index 011ec3f..4d5e460 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in
index b2df52a..26a7090 100644
--- a/src/libcharon/plugins/kernel_netlink/Makefile.in
+++ b/src/libcharon/plugins/kernel_netlink/Makefile.in
@@ -399,7 +399,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -434,6 +433,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index f3846ec..becf6b5 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2016 Tobias Brunner
+ * Copyright (C) 2006-2017 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2008-2016 Andreas Steffen
  * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
@@ -76,7 +76,7 @@
 #endif
 
 /** Base priority for installed policies */
-#define PRIO_BASE 100000
+#define PRIO_BASE 200000
 
 /** Default lifetime of an acquire XFRM state (in seconds) */
 #define DEFAULT_ACQUIRE_LIFETIME 165
@@ -117,7 +117,7 @@ struct kernel_algorithm_t {
 	/**
 	 * Name of the algorithm in linux crypto API
 	 */
-	char *name;
+	const char *name;
 };
 
 ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
@@ -221,6 +221,7 @@ static kernel_algorithm_t integrity_algs[] = {
 /*	{AUTH_DES_MAC,				"***"				}, */
 /*	{AUTH_KPDK_MD5,				"***"				}, */
 	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
+	{AUTH_AES_CMAC_96,			"cmac(aes)"			},
 };
 
 /**
@@ -236,7 +237,7 @@ static kernel_algorithm_t compression_algs[] = {
 /**
  * Look up a kernel algorithm name and its key size
  */
-static char* lookup_algorithm(transform_type_t type, int ikev2)
+static const char* lookup_algorithm(transform_type_t type, int ikev2)
 {
 	kernel_algorithm_t *list;
 	int i, count;
@@ -652,14 +653,15 @@ static inline uint32_t port_mask_bits(uint16_t port_mask)
 /**
  * Calculate the priority of a policy
  *
- * bits 0-0:  restriction to network interface (0..1)   1 bit
- * bits 1-6:  src + dst port mask bits (2 * 0..16)      6 bits
- * bits 7-7:  restriction to protocol (0..1)            1 bit
- * bits 8-16: src + dst network mask bits (2 * 0..128)  9 bits
- *                                                     17 bits
+ * bits 0-0:  separate trap and regular policies (0..1) 1 bit
+ * bits 1-1:  restriction to network interface (0..1)   1 bit
+ * bits 2-7:  src + dst port mask bits (2 * 0..16)      6 bits
+ * bits 8-8:  restriction to protocol (0..1)            1 bit
+ * bits 9-17: src + dst network mask bits (2 * 0..128)  9 bits
+ *                                                     18 bits
  *
- * smallest value: 000000000 0 000000 0:      0, lowest priority = 100'000
- * largest value : 100000000 1 100000 1: 65'729, highst priority =  34'271
+ * smallest value: 000000000 0 000000 0 0:       0, lowest priority = 200'000
+ * largest value : 100000000 1 100000 1 1: 131'459, highst priority =  68'541
  */
 static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio,
 							 char *interface)
@@ -672,8 +674,6 @@ static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio,
 			priority += PRIO_BASE;
 			/* fall-through to next case */
 		case POLICY_PRIORITY_ROUTED:
-			priority += PRIO_BASE;
-			/* fall-through to next case */
 		case POLICY_PRIORITY_DEFAULT:
 			priority += PRIO_BASE;
 			/* fall-through to next case */
@@ -684,10 +684,11 @@ static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio,
 	dport_mask_bits = port_mask_bits(policy->sel.dport_mask);
 
 	/* calculate priority */
-	priority -= (policy->sel.prefixlen_s + policy->sel.prefixlen_d) * 256;
-	priority -=  policy->sel.proto ? 128 : 0;
-	priority -= (sport_mask_bits + dport_mask_bits) * 2;
-	priority -= (interface != NULL);
+	priority -= (policy->sel.prefixlen_s + policy->sel.prefixlen_d) * 512;
+	priority -=  policy->sel.proto ? 256 : 0;
+	priority -= (sport_mask_bits + dport_mask_bits) * 4;
+	priority -= (interface != NULL) * 2;
+	priority -= (prio != POLICY_PRIORITY_ROUTED);
 
 	return priority;
 }
@@ -1210,8 +1211,15 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 	uint8_t protocol, uint32_t *spi)
 {
-	if (get_spi_internal(this, src, dst, protocol,
-						 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
+	uint32_t spi_min, spi_max;
+
+	spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
+									 KERNEL_SPI_MIN, lib->ns);
+	spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
+									 KERNEL_SPI_MAX, lib->ns);
+
+	if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max),
+						 max(spi_min, spi_max), spi) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to get SPI");
 		return FAILED;
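Review bot: The configured `spi_min`/`spi_max` pair goes to get_spi_internal() with no check against the SPI values 0–255, which RFC 4303 reserves. A typo in strongswan.conf can therefore make the daemon request SPIs from that range. The `min()`/`max()` swap also hides a reversed range instead of reporting it. I would clamp or reject before the call, e.g. `spi_min = max(spi_min, 0x100); spi_max = max(spi_max, 0x100);`, and log when the configured values were adjusted. The get_spi hunk in kernel_pfkey_ipsec.c has the same code and needs the same guard.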
@@ -1276,7 +1284,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	kernel_ipsec_add_sa_t *data)
 {
 	netlink_buf_t request;
-	char *alg_name, markstr[32] = "";
+	const char *alg_name;
+	char markstr[32] = "";
 	struct nlmsghdr *hdr;
 	struct xfrm_usersa_info *sa;
 	uint16_t icv_size = 64, ipcomp = data->ipcomp;
@@ -1367,6 +1376,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		default:
 			break;
 	}
+	if (id->proto == IPPROTO_AH && sa->family == AF_INET)
+	{	/* use alignment to 4 bytes for IPv4 instead of the incorrect 8 byte
+		 * alignment that's used by default but is only valid for IPv6 */
+		sa->flags |= XFRM_STATE_ALIGN4;
+	}
 
 	sa->reqid = data->reqid;
 	sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey);
@@ -2523,7 +2537,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	{	/* we don't update the policy if the priority is lower than that of
 		 * the currently installed one */
 		policy_change_done(this, policy);
-		DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u,"
+		DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u, "
 			 "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names,
 			 id->dir, markstr, cur_priority, use_count);
 		return SUCCESS;
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
index 0132f72..2dc76d9 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -476,6 +476,11 @@ struct private_kernel_netlink_net_t {
 	bool roam_events;
 
 	/**
+	 * whether to install IPsec policy routes
+	 */
+	bool install_routes;
+
+	/**
 	 * whether to actually install virtual IPs
 	 */
 	bool install_virtual_ip;
@@ -795,6 +800,68 @@ static u_char get_scope(host_t *ip)
 }
 
 /**
+ * Determine the label of the given unicast IP address.
+ *
+ * We currently only support the default table given in RFC 6724:
+ *
+ *  Prefix        Precedence Label
+ *  ::1/128               50     0
+ *  ::/0                  40     1
+ *  ::ffff:0:0/96         35     4
+ *  2002::/16             30     2
+ *  2001::/32              5     5
+ *  fc00::/7               3    13
+ *  ::/96                  1     3
+ *  fec0::/10              1    11
+ *  3ffe::/16              1    12
+ */
+static u_char get_label(host_t *ip)
+{
+	struct {
+		chunk_t net;
+		u_char prefix;
+		u_char label;
+	} priorities[] = {
+		/* priority table ordered by prefix */
+		/* ::1/128 */
+		{ chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01), 128, 0 },
+		/* ::ffff:0:0/96 */
+		{ chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00), 96, 4 },
+		/* ::/96 */
+		{ chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 96, 3 },
+		/* 2001::/32 */
+		{ chunk_from_chars(0x20, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 32, 5 },
+		/* 2002::/16 */
+		{ chunk_from_chars(0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 16, 2 },
+		/* 3ffe::/16 */
+		{ chunk_from_chars(0x3f, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 16, 12 },
+		/* fec0::/10 */
+		{ chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 10, 11 },
+		/* fc00::/7 */
+		{ chunk_from_chars(0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 7, 13 },
+	};
+	int i;
+
+	for (i = 0; i < countof(priorities); i++)
+	{
+		if (host_in_subnet(ip, priorities[i].net, priorities[i].prefix))
+		{
+			return priorities[i].label;
+		}
+	}
+	/* ::/0 */
+	return 1;
+}
+
+/**
  * Returns the length of the common prefix in bits up to the length of a's
  * prefix, defined by RFC 6724 as the portion of the address not including the
  * interface ID, which is 64-bit for most unicast addresses (see RFC 4291).
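Review bot: The loop in get_label() returns the first matching entry, so the result is only the longest-prefix match because the table is sorted by descending prefix length. The comment `/* priority table ordered by prefix */` does not say that the order is required for correctness, and the array is named `priorities` although it holds labels. I would rename it to `labels` and write `/* longest prefix first: the first match is the longest match, keep this order */`. The doc comment should also state what is returned for an IPv4 host; that depends on how host_in_subnet(), defined outside this hunk, treats a 4-byte address against a 16-byte network.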
@@ -829,7 +896,7 @@ static u_char common_prefix(host_t *a, host_t *b)
 static bool is_address_better(private_kernel_netlink_net_t *this,
 							  addr_entry_t *a, addr_entry_t *b, host_t *d)
 {
-	u_char sa, sb, sd, pa, pb;
+	u_char sa, sb, sd, la, lb, ld, pa, pb;
 
 	/* rule 2: prefer appropriate scope */
 	if (d)
@@ -858,9 +925,22 @@ static bool is_address_better(private_kernel_netlink_net_t *this,
 	/* rule 4 is not applicable as we don't know if an address is a home or
 	 * care-of addresses.
 	 * rule 5 does not apply as we only compare addresses from one interface
-	 * rule 6 requires a policy table (optionally configurable) to match
-	 * configurable labels
 	 */
+	/* rule 6: prefer matching label */
+	if (d)
+	{
+		la = get_label(a->ip);
+		lb = get_label(b->ip);
+		ld = get_label(d);
+		if (la == ld && lb != ld)
+		{
+			return FALSE;
+		}
+		else if (lb == ld && la != ld)
+		{
+			return TRUE;
+		}
+	}
 	/* rule 7: prefer temporary addresses (WE REVERSE THIS BY DEFAULT!) */
 	if ((a->flags & IFA_F_TEMPORARY) != (b->flags & IFA_F_TEMPORARY))
 	{
@@ -1795,12 +1875,22 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 	{	/* kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes.
 		 * as we want to ignore routes with virtual IPs we cannot use DUMP
 		 * if these routes are not installed in a separate table */
-		hdr->nlmsg_flags |= NLM_F_DUMP;
+		if (this->install_routes)
+		{
+			hdr->nlmsg_flags |= NLM_F_DUMP;
+		}
 	}
 	if (candidate)
 	{
 		chunk = candidate->get_address(candidate);
-		netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+		if (hdr->nlmsg_flags & NLM_F_DUMP)
+		{
+			netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+		}
+		else
+		{
+			netlink_add_attribute(hdr, RTA_SRC, chunk, sizeof(request));
+		}
 	}
 	/* we use this below to match against the routes */
 	chunk = dest->get_address(dest);
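Review bot: The existing comment above `if (this->install_routes)` only explains the RTA_PREFSRC limitation. It does not say why NLM_F_DUMP is skipped when route installation is disabled, nor why the non-dump request passes the candidate as `RTA_SRC` rather than `RTA_PREFSRC`. Each new branch should carry a one-line comment stating the reason (presumably that without installed routes there is nothing to filter out of a dump, and that a single-route lookup takes the source as `RTA_SRC`; please confirm). The enclosing `if` condition starts outside this hunk, so the exact set of cases affected is not visible here.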
@@ -2050,6 +2140,146 @@ METHOD(kernel_net_t, get_nexthop, host_t*,
 	return get_route(this, dest, prefix, TRUE, src, iface, 0);
 }
 
+/** enumerator over subnets */
+typedef struct {
+	enumerator_t public;
+	private_kernel_netlink_net_t *private;
+	/** message from the kernel */
+	struct nlmsghdr *msg;
+	/** current message from the kernel */
+	struct nlmsghdr *current;
+	/** remaining length */
+	size_t len;
+	/** last subnet enumerated */
+	host_t *net;
+	/** interface of current net */
+	char ifname[IFNAMSIZ];
+} subnet_enumerator_t;
+
+METHOD(enumerator_t, destroy_subnet_enumerator, void,
+	subnet_enumerator_t *this)
+{
+	DESTROY_IF(this->net);
+	free(this->msg);
+	free(this);
+}
+
+METHOD(enumerator_t, enumerate_subnets, bool,
+	subnet_enumerator_t *this, host_t **net, uint8_t *mask, char **ifname)
+{
+	if (!this->current)
+	{
+		this->current = this->msg;
+	}
+	else
+	{
+		this->current = NLMSG_NEXT(this->current, this->len);
+		DESTROY_IF(this->net);
+		this->net = NULL;
+	}
+
+	while (NLMSG_OK(this->current, this->len))
+	{
+		switch (this->current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWROUTE:
+			{
+				struct rtmsg *msg;
+				struct rtattr *rta;
+				size_t rtasize;
+				chunk_t dst = chunk_empty;
+				uint32_t oif = 0;
+
+				msg = NLMSG_DATA(this->current);
+
+				if (!route_usable(this->current))
+				{
+					break;
+				}
+				else if (msg->rtm_table && (
+							msg->rtm_table == RT_TABLE_LOCAL ||
+							msg->rtm_table == this->private->routing_table))
+				{	/* ignore our own and the local routing tables */
+					break;
+				}
+
+				rta = RTM_RTA(msg);
+				rtasize = RTM_PAYLOAD(this->current);
+				while (RTA_OK(rta, rtasize))
+				{
+					switch (rta->rta_type)
+					{
+						case RTA_DST:
+							dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+							break;
+						case RTA_OIF:
+							if (RTA_PAYLOAD(rta) == sizeof(oif))
+							{
+								oif = *(uint32_t*)RTA_DATA(rta);
+							}
+							break;
+					}
+					rta = RTA_NEXT(rta, rtasize);
+				}
+
+				if (dst.ptr && oif && if_indextoname(oif, this->ifname))
+				{
+					this->net = host_create_from_chunk(msg->rtm_family, dst, 0);
+					*net = this->net;
+					*mask = msg->rtm_dst_len;
+					*ifname = this->ifname;
+					return TRUE;
+				}
+				break;
+			}
+			default:
+				break;
+		}
+		this->current = NLMSG_NEXT(this->current, this->len);
+	}
+	return FALSE;
+}
+
+METHOD(kernel_net_t, create_local_subnet_enumerator, enumerator_t*,
+	private_kernel_netlink_net_t *this)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr, *out;
+	struct rtmsg *msg;
+	size_t len;
+	subnet_enumerator_t *enumerator;
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = &request.hdr;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = RTM_GETROUTE;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+	hdr->nlmsg_flags |= NLM_F_DUMP;
+
+	msg = NLMSG_DATA(hdr);
+	msg->rtm_scope = RT_SCOPE_LINK;
+
+	if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
+	{
+		DBG2(DBG_KNL, "enumerating local subnets failed");
+		return enumerator_create_empty();
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_subnets,
+			.destroy = _destroy_subnet_enumerator,
+		},
+		.private = this,
+		.msg = out,
+		.len = len,
+	);
+	return &enumerator->public;
+}
+
 /**
  * Manages the creation and deletion of ip addresses on an interface.
  * By setting the appropriate nlmsg_type, the ip will be set or unset.
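Review bot: enumerate_subnets() returns every usable RTM_NEWROUTE reply that carries RTA_DST and RTA_OIF and never checks `msg->rtm_scope` or an RTA_GATEWAY attribute. The request sets `msg->rtm_scope = RT_SCOPE_LINK`, but as far as I know the kernel does not necessarily filter a dump by that header field, so routes reached through a gateway may be reported as local subnets. If a consumer such as the bypass-lan plugin listed in this commit's diffstat turns these entries into bypass policies (not visible here), traffic for non-local networks would be exempted from IPsec. I would check the reply explicitly, e.g. `else if (msg->rtm_scope != RT_SCOPE_LINK) { break; }` next to the routing-table test, or skip entries that contain RTA_GATEWAY. NLMSG_DONE also only breaks out of the `switch`, so the loop relies on NLMSG_OK to stop.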
@@ -2080,16 +2310,22 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
 
 	netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
 
-	if (ip->get_family(ip) == AF_INET6 && this->rta_prefsrc_for_ipv6)
-	{	/* if source routes are possible we let the virtual IP get deprecated
-		 * immediately (but mark it as valid forever) so it gets only used if
-		 * forced by our route, and not by the default IPv6 address selection */
-		struct ifa_cacheinfo cache = {
-			.ifa_valid = 0xFFFFFFFF,
-			.ifa_prefered = 0,
-		};
-		netlink_add_attribute(hdr, IFA_CACHEINFO, chunk_from_thing(cache),
-							  sizeof(request));
+	if (ip->get_family(ip) == AF_INET6)
+	{
+		msg->ifa_flags |= IFA_F_NODAD;
+		if (this->rta_prefsrc_for_ipv6)
+		{
+			/* if source routes are possible we let the virtual IP get
+			 * deprecated immediately (but mark it as valid forever) so it gets
+			 * only used if forced by our route, and not by the default IPv6
+			 * address selection */
+			struct ifa_cacheinfo cache = {
+				.ifa_valid = 0xFFFFFFFF,
+				.ifa_prefered = 0,
+			};
+			netlink_add_attribute(hdr, IFA_CACHEINFO, chunk_from_thing(cache),
+								  sizeof(request));
+		}
 	}
 	return this->socket->send_ack(this->socket, hdr);
 }
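Review bot: `msg->ifa_flags |= IFA_F_NODAD;` is now set for every IPv6 address handled by manage_ipaddr() and has no comment. Disabling duplicate address detection means a conflicting address on the link goes unnoticed, so the reason deserves a line, e.g. `/* virtual IPs are assigned by the peer: skip DAD so the address is usable immediately (TODO confirm) */`. The function is used for both adding and removing addresses according to its doc comment, so the comment should also say whether the flag matters on removal.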
@@ -2680,6 +2916,7 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 			.interface = {
 				.get_interface = _get_interface_name,
 				.create_address_enumerator = _create_address_enumerator,
+				.create_local_subnet_enumerator = _create_local_subnet_enumerator,
 				.get_source_addr = _get_source_addr,
 				.get_nexthop = _get_nexthop,
 				.add_ip = _add_ip,
@@ -2715,6 +2952,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 						"%s.routing_table_prio", ROUTING_TABLE_PRIO, lib->ns),
 		.process_route = lib->settings->get_bool(lib->settings,
 						"%s.process_route", TRUE, lib->ns),
+		.install_routes = lib->settings->get_bool(lib->settings,
+						"%s.install_routes", TRUE, lib->ns),
 		.install_virtual_ip = lib->settings->get_bool(lib->settings,
 						"%s.install_virtual_ip", TRUE, lib->ns),
 		.install_virtual_ip_on = lib->settings->get_str(lib->settings,
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
index 7165b65..da54031 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -15,6 +15,29 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2016 secunet Security Networks AG
+ * Copyright (C) 2016 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include <sys/socket.h>
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>
@@ -281,8 +304,9 @@ static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in,
 						  uintptr_t seq, struct nlmsghdr **out, size_t *out_len)
 {
 	struct nlmsghdr *hdr;
-	chunk_t result = {};
 	entry_t *entry;
+	u_char *ptr;
+	int i;
 
 	in->nlmsg_seq = seq;
 	in->nlmsg_pid = getpid();
@@ -343,6 +367,14 @@ static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in,
 		return OUT_OF_RES;
 	}
 
+	for (i = 0, *out_len = 0; i < array_count(entry->hdrs); i++)
+	{
+		array_get(entry->hdrs, i, &hdr);
+		*out_len += hdr->nlmsg_len;
+	}
+	ptr = malloc(*out_len);
+	*out = (struct nlmsghdr*)ptr;
+
 	while (array_remove(entry->hdrs, ARRAY_HEAD, &hdr))
 	{
 		if (this->names)
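Review bot: The result of `ptr = malloc(*out_len);` is used without a NULL check. On allocation failure the `memcpy(ptr, hdr, hdr->nlmsg_len)` in the following hunk writes through a null pointer. A guard such as `if (*out_len && !ptr) { destroy_entry(entry); return OUT_OF_RES; }` would fail cleanly; whether destroy_entry() also frees the headers still queued in `entry->hdrs` is not visible here and needs checking. The copy also trusts each `hdr->nlmsg_len` to be no larger than the buffer the header was received into, which is validated (or not) outside these hunks. send_once() starts before this hunk.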
@@ -350,14 +382,11 @@ static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in,
 			DBG3(DBG_KNL, "received %N %u: %b", this->names, hdr->nlmsg_type,
 				 hdr->nlmsg_seq, hdr, hdr->nlmsg_len);
 		}
-		result = chunk_cat("mm", result,
-						   chunk_create((char*)hdr, hdr->nlmsg_len));
+		memcpy(ptr, hdr, hdr->nlmsg_len);
+		ptr += hdr->nlmsg_len;
+		free(hdr);
 	}
 	destroy_entry(entry);
-
-	*out_len = result.len;
-	*out = (struct nlmsghdr*)result.ptr;
-
 	return SUCCESS;
 }
 
@@ -557,6 +586,8 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
 	struct sockaddr_nl addr = {
 		.nl_family = AF_NETLINK,
 	};
+	bool force_buf = FALSE;
+	int rcvbuf_size = 0;
 
 	INIT(this,
 		.public = {
@@ -606,6 +637,25 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
 		destroy(this);
 		return NULL;
 	}
+	rcvbuf_size = lib->settings->get_int(lib->settings,
+						"%s.plugins.kernel-netlink.receive_buffer_size",
+						rcvbuf_size, lib->ns);
+	if (rcvbuf_size)
+	{
+		int optname;
+
+		force_buf = lib->settings->get_bool(lib->settings,
+						"%s.plugins.kernel-netlink.force_receive_buffer_size",
+						force_buf, lib->ns);
+		optname = force_buf ? SO_RCVBUFFORCE : SO_RCVBUF;
+
+		if (setsockopt(this->socket, SOL_SOCKET, optname, &rcvbuf_size,
+					   sizeof(rcvbuf_size)) == -1)
+		{
+			DBG1(DBG_KNL, "failed to %supdate receive buffer size to %d: %s",
+					force_buf ? "forcibly " : "", rcvbuf_size, strerror(errno));
+		}
+	}
 	if (this->parallel)
 	{
 		lib->watcher->add(lib->watcher, this->socket, WATCHER_READ, watch, this);
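Review bot: A negative `receive_buffer_size` from the configuration passes the `if (rcvbuf_size)` guard and is handed to setsockopt() as is. Use `if (rcvbuf_size > 0)` and log other non-zero values as invalid. The option documentation should also state that `force_receive_buffer_size` selects SO_RCVBUFFORCE, which needs CAP_NET_ADMIN and overrides the system-wide rmem_max limit.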
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in
index d00e8b3..b138a96 100644
--- a/src/libcharon/plugins/kernel_pfkey/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 1b22ea5..1787814 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2017 Tobias Brunner
  * Copyright (C) 2008 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -142,7 +142,7 @@
 #endif
 
 /** Base priority for installed policies */
-#define PRIO_BASE 100000
+#define PRIO_BASE 200000
 
 #ifdef __APPLE__
 /** from xnu/bsd/net/pfkeyv2.h */
@@ -597,17 +597,18 @@ static inline bool policy_entry_match_byindex(policy_entry_t *current,
  * This is the same formula we use in the kernel-netlink interface, but some
  * features are currently not or only partially supported by PF_KEY.
  *
- * bits 0-0:  reserved for interface restriction (0..1)     1 bit
- * bits 1-6:  src + dst port mask bits (2 * 0..16)          6 bits
- * bits 7-7:  restriction to protocol (0..1)                1 bit
- * bits 8-16: src + dst network mask bits (2 * 0..128)      9 bits
- *                                                         17 bits
+ * bits 0-0:  separate trap and regular policies (0..1)     1 bit
+ * bits 1-1:  reserved for interface restriction (0..1)     1 bit
+ * bits 2-7:  src + dst port mask bits (2 * 0..16)          6 bits
+ * bits 8-8:  restriction to protocol (0..1)                1 bit
+ * bits 9-17: src + dst network mask bits (2 * 0..128)      9 bits
+ *                                                         18 bits
  *
- * smallest value: 000000000 0 000000 0:      0, lowest priority = 100'000
- * largest value : 100000000 1 100000 0: 65'728, highst priority =  34'272
+ * smallest value: 000000000 0 000000 0 0:       0, lowest priority = 100'000
+ * largest value : 100000000 1 100000 0 1: 131'457, highst priority =  68'543
  */
 static inline uint32_t get_priority(policy_entry_t *policy,
-									 policy_priority_t prio)
+									policy_priority_t prio)
 {
 	uint32_t priority = PRIO_BASE;
 
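Review bot: The rewritten table still says `lowest priority = 100'000`, although PRIO_BASE is raised to 200000 earlier in this file. The highest-priority figure 68'543 on the next line is already derived from 200000, and the matching comment in kernel_netlink_ipsec.c reads 200'000. The line should be `* smallest value: 000000000 0 000000 0 0:       0, lowest priority = 200'000`. `highst` should read `highest` here and in the netlink comment.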
@@ -617,8 +618,6 @@ static inline uint32_t get_priority(policy_entry_t *policy,
 			priority += PRIO_BASE;
 			/* fall-through */
 		case POLICY_PRIORITY_ROUTED:
-			priority += PRIO_BASE;
-			/* fall-through */
 		case POLICY_PRIORITY_DEFAULT:
 			priority += PRIO_BASE;
 			/* fall-through */
@@ -627,10 +626,11 @@ static inline uint32_t get_priority(policy_entry_t *policy,
 	}
 
 	/* calculate priority */
-	priority -= (policy->src.mask + policy->dst.mask) * 256;
-	priority -=  policy->src.proto != IPSEC_PROTO_ANY ? 128 : 0;
-	priority -= policy->src.net->get_port(policy->src.net) ? 32 : 0;
-	priority -= policy->dst.net->get_port(policy->dst.net) ? 32 : 0;
+	priority -= (policy->src.mask + policy->dst.mask) * 512;
+	priority -=  policy->src.proto != IPSEC_PROTO_ANY ? 256 : 0;
+	priority -= policy->src.net->get_port(policy->src.net) ? 64 : 0;
+	priority -= policy->dst.net->get_port(policy->dst.net) ? 64 : 0;
+	priority -= (prio != POLICY_PRIORITY_ROUTED);
 	return priority;
 }
 
@@ -1586,8 +1586,15 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
 	uint8_t protocol, uint32_t *spi)
 {
-	if (get_spi_internal(this, src, dst, protocol,
-						 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
+	uint32_t spi_min, spi_max;
+
+	spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
+									 KERNEL_SPI_MIN, lib->ns);
+	spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
+									 KERNEL_SPI_MAX, lib->ns);
+
+	if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max),
+						 max(spi_min, spi_max), spi) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to get SPI");
 		return FAILED;
@@ -1717,6 +1724,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(len);
 	sa->sadb_sa_spi = id->spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
 	if (id->proto == IPPROTO_COMP)
 	{
 		sa->sadb_sa_encrypt = lookup_algorithm(COMPRESSION_ALGORITHM,
@@ -1889,6 +1897,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
 	sa->sadb_sa_spi = id->spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
 	PFKEY_EXT_ADD(msg, sa);
 
 	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in
index fb1520d..1e4b3e2 100644
--- a/src/libcharon/plugins/kernel_pfroute/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
index 236e341..efcf1c2 100644
--- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -15,6 +15,7 @@
 
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <sys/sysctl.h>
 #include <net/if.h>
 #include <net/if_dl.h>
 #include <ifaddrs.h>
@@ -1448,7 +1449,8 @@ static status_t manage_route(private_kernel_pfroute_net_t *this, int op,
 				}
 				break;
 			case RTAX_GATEWAY:
-				if (gateway)
+				if (gateway &&
+					gateway->get_family(gateway) == dst->get_family(dst))
 				{
 					add_rt_addr(&msg.hdr, RTA_GATEWAY, gateway);
 				}
@@ -1704,6 +1706,198 @@ METHOD(kernel_net_t, get_nexthop, host_t*,
 }
 
 /**
+ * Get the number of set bits in the given netmask
+ */
+static uint8_t sockaddr_to_netmask(sockaddr_t *sockaddr, host_t *dst)
+{
+	uint8_t len = 0, i, byte, mask = 0;
+	struct sockaddr_storage ss;
+	char *addr;
+
+	/* at least some older FreeBSD versions send us shorter sockaddrs
+	 * with the family set to -1 (255) */
+	if (sockaddr->sa_family == 255)
+	{
+		memset(&ss, 0, sizeof(ss));
+		memcpy(&ss, sockaddr, sockaddr->sa_len);
+		/* use the address family and length of the destination as hint */
+		ss.ss_len = *dst->get_sockaddr_len(dst);
+		ss.ss_family = dst->get_family(dst);
+		sockaddr = (sockaddr_t*)&ss;
+	}
+
+	switch (sockaddr->sa_family)
+	{
+		case AF_INET:
+			len = 4;
+			addr = (char*)&((struct sockaddr_in*)sockaddr)->sin_addr;
+			break;
+		case AF_INET6:
+			len = 16;
+			addr = (char*)&((struct sockaddr_in6*)sockaddr)->sin6_addr;
+			break;
+		default:
+			break;
+	}
+
+	for (i = 0; i < len; i++)
+	{
+		byte = addr[i];
+
+		if (byte == 0x00)
+		{
+			break;
+		}
+		if (byte == 0xff)
+		{
+			mask += 8;
+		}
+		else
+		{
+			while (byte & 0x80)
+			{
+				mask++;
+				byte <<= 1;
+			}
+		}
+	}
+	return mask;
+}
+
+/** enumerator over subnets */
+typedef struct {
+	enumerator_t public;
+	/** sysctl result */
+	char *buf;
+	/** length of the complete result */
+	size_t len;
+	/** start of the current route entry */
+	char *current;
+	/** last subnet enumerated */
+	host_t *net;
+	/** interface of current net */
+	char *ifname;
+} subnet_enumerator_t;
+
+METHOD(enumerator_t, destroy_subnet_enumerator, void,
+	subnet_enumerator_t *this)
+{
+	DESTROY_IF(this->net);
+	free(this->ifname);
+	free(this->buf);
+	free(this);
+}
+
+METHOD(enumerator_t, enumerate_subnets, bool,
+	subnet_enumerator_t *this, host_t **net, uint8_t *mask, char **ifname)
+{
+	enumerator_t *enumerator;
+	struct rt_msghdr *rtm;
+	struct sockaddr *addr;
+	int type;
+
+	if (!this->current)
+	{
+		this->current = this->buf;
+	}
+	else
+	{
+		rtm = (struct rt_msghdr*)this->current;
+		this->current += rtm->rtm_msglen;
+		DESTROY_IF(this->net);
+		this->net = NULL;
+		free(this->ifname);
+		this->ifname = NULL;
+	}
+
+	for (; this->current < this->buf + this->len;
+		 this->current += rtm->rtm_msglen)
+	{
+		struct sockaddr *netmask;
+		uint8_t netbits = 0;
+
+		rtm = (struct rt_msghdr*)this->current;
+
+		if (rtm->rtm_version != RTM_VERSION)
+		{
+			continue;
+		}
+		if (rtm->rtm_flags & RTF_GATEWAY ||
+			rtm->rtm_flags & RTF_HOST ||
+			rtm->rtm_flags & RTF_REJECT)
+		{
+			continue;
+		}
+		enumerator = create_rtmsg_enumerator(rtm);
+		while (enumerator->enumerate(enumerator, &type, &addr))
+		{
+			if (type == RTAX_DST)
+			{
+				this->net = this->net ?: host_create_from_sockaddr(addr);
+			}
+			if (type == RTAX_NETMASK)
+			{
+				netmask = addr;
+			}
+			if (type == RTAX_IFP && addr->sa_family == AF_LINK)
+			{
+				struct sockaddr_dl *sdl = (struct sockaddr_dl*)addr;
+				free(this->ifname);
+				this->ifname = strndup(sdl->sdl_data, sdl->sdl_nlen);
+			}
+		}
+		if (this->net)
+		{
+			netbits = sockaddr_to_netmask(netmask, this->net);
+		}
+		enumerator->destroy(enumerator);
+
+		if (this->net && this->ifname)
+		{
+			*net = this->net;
+			*mask = netbits ?: this->net->get_address(this->net).len * 8;
+			*ifname = this->ifname;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(kernel_net_t, create_local_subnet_enumerator, enumerator_t*,
+	private_kernel_pfroute_net_t *this)
+{
+	subnet_enumerator_t *enumerator;
+	char *buf;
+	size_t len;
+	int mib[7] = {
+		CTL_NET, PF_ROUTE, 0, AF_UNSPEC, NET_RT_DUMP, 0, 0
+	};
+
+	if (sysctl(mib, countof(mib), NULL, &len, NULL, 0) < 0)
+	{
+		DBG2(DBG_KNL, "enumerating local subnets failed");
+		return enumerator_create_empty();
+	}
+	buf = malloc(len);
+	if (sysctl(mib, countof(mib), buf, &len, NULL, 0) < 0)
+	{
+		DBG2(DBG_KNL, "enumerating local subnets failed");
+		free(buf);
+		return enumerator_create_empty();
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_subnets,
+			.destroy = _destroy_subnet_enumerator,
+		},
+		.buf = buf,
+		.len = len,
+	);
+	return &enumerator->public;
+}
+
+/**
  * Initialize a list of local addresses.
  */
 static status_t init_address_list(private_kernel_pfroute_net_t *this)
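Review bot: In the pfroute enumerate_subnets(), `struct sockaddr *netmask;` is declared without an initializer and passed to sockaddr_to_netmask() whenever `this->net` is set. A route message with RTAX_DST but no RTAX_NETMASK therefore dereferences an indeterminate pointer. `this->net` and `this->ifname` are also not cleared when a message yields only one of them, so `this->net ?: host_create_from_sockaddr(addr)` keeps the stale destination and may pair it with the next route's interface. In sockaddr_to_netmask(), `memcpy(&ss, sockaddr, sockaddr->sa_len)` should be bounded, e.g. `memcpy(&ss, sockaddr, min(sockaddr->sa_len, sizeof(ss)));`. The loop also advances by `rtm->rtm_msglen` without checking that it is non-zero and stays inside `buf + len`.

```c
	for (; this->current < this->buf + this->len;
		 this->current += rtm->rtm_msglen)
	{
		struct sockaddr *netmask = NULL;
		uint8_t netbits = 0;

		rtm = (struct rt_msghdr*)this->current;

		/* drop anything left over from a message that was skipped */
		DESTROY_IF(this->net);
		this->net = NULL;
		free(this->ifname);
		this->ifname = NULL;

		/* … unchanged: version and flag checks, attribute enumeration … */
		if (this->net && netmask)
		{
			netbits = sockaddr_to_netmask(netmask, this->net);
		}
		/* … unchanged: enumerator cleanup and result handling … */
```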
@@ -1848,6 +2042,7 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 				.get_features = _get_features,
 				.get_interface = _get_interface_name,
 				.create_address_enumerator = _create_address_enumerator,
+				.create_local_subnet_enumerator = _create_local_subnet_enumerator,
 				.get_source_addr = _get_source_addr,
 				.get_nexthop = _get_nexthop,
 				.add_ip = _add_ip,
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in
index 2adb924..a3368d5 100644
--- a/src/libcharon/plugins/kernel_wfp/Makefile.in
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.in
@@ -368,7 +368,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -403,6 +402,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index 6ad26b7..774fcf5 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -25,8 +25,12 @@
 #include <collections/hashtable.h>
 #include <processing/jobs/callback_job.h>
 
+#ifndef IPPROTO_IPIP
 #define IPPROTO_IPIP 4
+#endif
+#ifndef IPPROTO_IPV6
 #define IPPROTO_IPV6 41
+#endif
 
 typedef struct private_kernel_wfp_ipsec_t private_kernel_wfp_ipsec_t;
 
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 857e629..f16304d 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index f5f3df6..c6e17fb 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -370,7 +370,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -405,6 +404,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index 00258c3..9190604 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -366,7 +366,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -401,6 +400,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index eb7efd2..4db68a3 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index 4452739..78159c8 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -24,6 +24,11 @@
 typedef struct private_medcli_config_t private_medcli_config_t;
 
 /**
+ * Name of the mediation connection
+ */
+#define MEDIATION_CONN_NAME "medcli-mediation"
+
+/**
  * Private data of an medcli_config_t object
  */
 struct private_medcli_config_t {
@@ -72,36 +77,19 @@ static traffic_selector_t *ts_from_string(char *str)
 	return traffic_selector_create_dynamic(0, 0, 65535);
 }
 
-METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
-	private_medcli_config_t *this, char *name)
+/**
+ * Build a mediation config
+ */
+static peer_cfg_t *build_mediation_config(private_medcli_config_t *this,
+										  peer_cfg_create_t *defaults)
 {
 	enumerator_t *e;
-	peer_cfg_t *peer_cfg, *med_cfg;
 	auth_cfg_t *auth;
 	ike_cfg_t *ike_cfg;
-	child_cfg_t *child_cfg;
+	peer_cfg_t *med_cfg;
+	peer_cfg_create_t peer = *defaults;
 	chunk_t me, other;
-	char *address, *local_net, *remote_net;
-	peer_cfg_create_t peer = {
-		.cert_policy = CERT_NEVER_SEND,
-		.unique = UNIQUE_REPLACE,
-		.keyingtries = 1,
-		.rekey_time = this->rekey * 60,
-		.jitter_time = this->rekey * 5,
-		.over_time = this->rekey * 3,
-		.dpd = this->dpd,
-		.mediation = TRUE,
-	};
-	child_cfg_create_t child = {
-		.lifetime = {
-			.time = {
-				.life = this->rekey * 60 + this->rekey,
-				.rekey = this->rekey,
-				.jitter = this->rekey
-			},
-		},
-		.mode = MODE_TUNNEL,
-	};
+	char *address;
 
 	/* query mediation server config:
 	 * - build ike_cfg/peer_cfg for mediation connection on-the-fly
@@ -120,7 +108,9 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 							 address, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
-	med_cfg = peer_cfg_create("mediation", ike_cfg, &peer);
+
+	peer.mediation = TRUE;
+	med_cfg = peer_cfg_create(MEDIATION_CONN_NAME, ike_cfg, &peer);
 	e->destroy(e);
 
 	auth = auth_cfg_create();
@@ -133,6 +123,42 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 	auth->add(auth, AUTH_RULE_IDENTITY,
 			  identification_create_from_encoding(ID_KEY_ID, other));
 	med_cfg->add_auth_cfg(med_cfg, auth, FALSE);
+	return med_cfg;
+}
+
+METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
+	private_medcli_config_t *this, char *name)
+{
+	enumerator_t *e;
+	auth_cfg_t *auth;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	chunk_t me, other;
+	char *local_net, *remote_net;
+	peer_cfg_create_t peer = {
+		.cert_policy = CERT_NEVER_SEND,
+		.unique = UNIQUE_REPLACE,
+		.keyingtries = 1,
+		.rekey_time = this->rekey * 60,
+		.jitter_time = this->rekey * 5,
+		.over_time = this->rekey * 3,
+		.dpd = this->dpd,
+	};
+	child_cfg_create_t child = {
+		.lifetime = {
+			.time = {
+				.life = this->rekey * 60 + this->rekey,
+				.rekey = this->rekey,
+				.jitter = this->rekey
+			},
+		},
+		.mode = MODE_TUNNEL,
+	};
+
+	if (streq(name, "medcli-mediation"))
+	{
+		return build_mediation_config(this, &peer);
+	}
 
 	/* query mediated config:
 	 * - use any-any ike_cfg
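Review bot: The name check in `get_peer_cfg_by_name` spells the connection name out as a literal, `streq(name, "medcli-mediation")`, although this commit introduces `MEDIATION_CONN_NAME` for exactly that string and uses it in `build_mediation_config` and for `peer.mediated_by`. If the macro is ever changed, mediated configs would refer to a name this lookup no longer answers. Use `if (streq(name, MEDIATION_CONN_NAME))` instead. The body of `get_peer_cfg_by_name` continues outside this hunk.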
@@ -150,8 +176,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 		DESTROY_IF(e);
 		return NULL;
 	}
-	peer.mediation = FALSE;
-	peer.mediated_by = med_cfg;
+	peer.mediated_by = MEDIATION_CONN_NAME;
 	peer.peer_id = identification_create_from_encoding(ID_KEY_ID, other);
 	peer_cfg = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer);
 
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 3dd849b..ceb06de 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index 83850fc..ab9ece5 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/p_cscf/Makefile.in b/src/libcharon/plugins/p_cscf/Makefile.in
index 619bff1..7b3cb2f 100644
--- a/src/libcharon/plugins/p_cscf/Makefile.in
+++ b/src/libcharon/plugins/p_cscf/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index 9d227a1..1fe3033 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in
index 53af31f..f8b62ed 100644
--- a/src/libcharon/plugins/resolve/Makefile.in
+++ b/src/libcharon/plugins/resolve/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index d08a6f4..bf0791c 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index dd1da8b..f66ae16 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index b6152af..3d07b54 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in
index ed0af93..6924898 100644
--- a/src/libcharon/plugins/socket_win/Makefile.in
+++ b/src/libcharon/plugins/socket_win/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 0a4000e..581225b 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index bbc20dc..88cac7f 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -381,12 +381,14 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 		ike = get_ike_cfg_by_id(this, ike_cfg);
 
 #ifdef ME
-		mediated_cfg = mediated_by ? get_peer_cfg_by_id(this, mediated_by) : NULL;
+		mediated_cfg = mediated_by ? get_peer_cfg_by_id(this, mediated_by)
+								   : NULL;
 		if (p_type)
 		{
 			peer_id = identification_create_from_encoding(p_type, p_data);
 		}
-#endif
+#endif /* ME */
+
 		if (virtual)
 		{
 			vip = host_create_from_string(virtual, 0);
@@ -405,7 +407,8 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 				.dpd = dpd_delay,
 #ifdef ME
 				.mediation = mediation,
-				.mediated_by = mediated_cfg,
+				.mediated_by = mediated_cfg ?
+									mediated_cfg->get_name(mediated_cfg) : NULL,
 				.peer_id = peer_id,
 #endif /* ME */
 			};
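Review bot: `.mediated_by` now holds the pointer returned by `mediated_cfg->get_name(mediated_cfg)`, and the next hunk releases `mediated_cfg` with `DESTROY_IF(mediated_cfg)` once the peer config is built. That is only safe if `peer_cfg_create()` copies the string, which is not visible here; once confirmed, a comment such as `/* peer_cfg_create() copies the name, mediated_cfg is released below */` would record the assumption. It is also worth confirming that the failure path after `DESTROY_IF(ike)` releases `mediated_cfg` too, since the peer config no longer takes ownership of it. `build_peer_cfg` starts and ends outside this hunk.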
@@ -443,6 +446,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 			}
 			peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 			add_child_cfgs(this, peer_cfg, id);
+			DESTROY_IF(mediated_cfg);
 			return peer_cfg;
 		}
 		DESTROY_IF(ike);
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 7eacc51..50a6d59 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index f2d1104..bbdc211 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -642,28 +642,9 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 		/* force unique connections for mediation connections */
 		msg->add_conn.unique = 1;
 	}
-
-	if (msg->add_conn.ikeme.mediated_by)
+	else if (msg->add_conn.ikeme.mediated_by)
 	{
-		peer_cfg_t *mediated_by;
-
-		mediated_by = charon->backends->get_peer_cfg_by_name(
-							charon->backends, msg->add_conn.ikeme.mediated_by);
-		if (!mediated_by)
-		{
-			DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
-				 msg->add_conn.ikeme.mediated_by);
-			return NULL;
-		}
-		if (!mediated_by->is_mediation(mediated_by))
-		{
-			DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is "
-				 "no mediation connection, aborting",
-				 msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
-			mediated_by->destroy(mediated_by);
-			return NULL;
-		}
-		peer.mediated_by = mediated_by;
+		peer.mediated_by = msg->add_conn.ikeme.mediated_by;
 		if (msg->add_conn.ikeme.peerid)
 		{
 			peer.peer_id = identification_create_from_string(
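Review bot: `peer.mediated_by = msg->add_conn.ikeme.mediated_by;` stores the name without the checks the removed lines performed, so a connection whose `mediated_by` names a missing connection, or one that is not a mediation connection, is now accepted when it is added. The `is_mediation()` check presumably has to happen where the name is resolved, which is outside this diff section; once confirmed, a comment here such as `/* the name is resolved and checked for is_mediation() when the connection is used */` would help. The switch to `else if` also means `mediated_by` is silently dropped when the preceding branch (apparently the mediation case) is taken; a `DBG1` for that combination would make the misconfiguration visible. `build_peer_cfg` continues outside the hunk.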
@@ -982,73 +963,60 @@ static void add_ts(private_stroke_config_t *this,
 				   stroke_end_t *end, child_cfg_t *child_cfg, bool local)
 {
 	traffic_selector_t *ts;
+	bool ts_added = FALSE;
 
-	if (end->tohost)
-	{
-		ts = traffic_selector_create_dynamic(end->protocol,
-											 end->from_port, end->to_port);
-		child_cfg->add_traffic_selector(child_cfg, local, ts);
-	}
-	else
+	if (end->subnets)
 	{
-		if (!end->subnets)
-		{
-			host_t *net;
+		enumerator_t *enumerator;
+		char *subnet, *pos;
+		uint16_t from_port, to_port;
+		uint8_t proto;
 
-			net = host_create_from_string(end->address, 0);
-			if (net)
-			{
-				ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
-												end->from_port, end->to_port);
-				child_cfg->add_traffic_selector(child_cfg, local, ts);
-			}
-		}
-		else
+		enumerator = enumerator_create_token(end->subnets, ",", " ");
+		while (enumerator->enumerate(enumerator, &subnet))
 		{
-			enumerator_t *enumerator;
-			char *subnet, *pos;
-			uint16_t from_port, to_port;
-			uint8_t proto;
+			from_port = end->from_port;
+			to_port = end->to_port;
+			proto = end->protocol;
 
-			enumerator = enumerator_create_token(end->subnets, ",", " ");
-			while (enumerator->enumerate(enumerator, &subnet))
+			pos = strchr(subnet, '[');
+			if (pos)
 			{
-				from_port = end->from_port;
-				to_port = end->to_port;
-				proto = end->protocol;
-
-				pos = strchr(subnet, '[');
-				if (pos)
-				{
-					*(pos++) = '\0';
-					if (!parse_protoport(pos, &from_port, &to_port, &proto))
-					{
-						DBG1(DBG_CFG, "invalid proto/port: %s, skipped subnet",
-							 pos);
-						continue;
-					}
-				}
-				if (streq(subnet, "%dynamic"))
+				*(pos++) = '\0';
+				if (!parse_protoport(pos, &from_port, &to_port, &proto))
 				{
-					ts = traffic_selector_create_dynamic(proto,
-														 from_port, to_port);
-				}
-				else
-				{
-					ts = traffic_selector_create_from_cidr(subnet, proto,
-														   from_port, to_port);
-				}
-				if (ts)
-				{
-					child_cfg->add_traffic_selector(child_cfg, local, ts);
-				}
-				else
-				{
-					DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet);
+					DBG1(DBG_CFG, "invalid proto/port: %s, skipped subnet",
+						 pos);
+					continue;
 				}
 			}
-			enumerator->destroy(enumerator);
+			if (streq(subnet, "%dynamic"))
+			{
+				ts = traffic_selector_create_dynamic(proto,
+													 from_port, to_port);
+			}
+			else
+			{
+				ts = traffic_selector_create_from_cidr(subnet, proto,
+													   from_port, to_port);
+			}
+			if (ts)
+			{
+				child_cfg->add_traffic_selector(child_cfg, local, ts);
+				ts_added = TRUE;
+			}
+			else
+			{
+				DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet);
+			}
 		}
+		enumerator->destroy(enumerator);
+	}
+	if (!ts_added)
+	{
+		ts = traffic_selector_create_dynamic(end->protocol,
+											 end->from_port, end->to_port);
+		child_cfg->add_traffic_selector(child_cfg, local, ts);
 	}
 }
 
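Review bot: When `end->subnets` is set but every entry is rejected, `ts_added` stays `FALSE` and the `if (!ts_added)` block installs a dynamic traffic selector, so a configuration with a mistyped subnet list ends up with a different selector than the one written, with only the per-entry "skipped" messages in the log. Log the fallback in that case, e.g. inside `if (!ts_added)`: `if (end->subnets) { DBG1(DBG_CFG, "no valid subnet found, using dynamic traffic selector"); }`. A short comment on `ts_added` stating that the dynamic selector is the default when no subnet was added would also document the new behaviour.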
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index fb60d39..ee83067 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -641,7 +641,8 @@ static void charon_route(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 	mode = child_cfg->get_mode(child_cfg);
 	if (mode == MODE_PASS || mode == MODE_DROP)
 	{
-		if (charon->shunts->install(charon->shunts, child_cfg))
+		if (charon->shunts->install(charon->shunts,
+									peer_cfg->get_name(peer_cfg), child_cfg))
 		{
 			fprintf(out, "'%s' shunt %N policy installed\n",
 					name, ipsec_mode_names, mode);
@@ -729,15 +730,30 @@ METHOD(stroke_control_t, route, void,
 METHOD(stroke_control_t, unroute, void,
 	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
+	child_cfg_t *child_cfg;
 	child_sa_t *child_sa;
 	enumerator_t *enumerator;
+	char *ns, *found = NULL;
 	uint32_t id = 0;
 
-	if (charon->shunts->uninstall(charon->shunts, msg->unroute.name))
+	enumerator = charon->shunts->create_enumerator(charon->shunts);
+	while (enumerator->enumerate(enumerator, &ns, &child_cfg))
 	{
+		if (ns && streq(msg->unroute.name, child_cfg->get_name(child_cfg)))
+		{
+			found = strdup(ns);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (found && charon->shunts->uninstall(charon->shunts, found,
+										   msg->unroute.name))
+	{
+		free(found);
 		fprintf(out, "shunt policy '%s' uninstalled\n", msg->unroute.name);
 		return;
 	}
+	free(found);
 
 	enumerator = charon->traps->create_enumerator(charon->traps);
 	while (enumerator->enumerate(enumerator, NULL, &child_sa))
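Review bot: The lookup loop in `unroute` takes the first shunt whose child name equals `msg->unroute.name` and skips entries whose namespace is NULL, so with two connections that carry a child of the same name the one removed depends on enumeration order. That is worth a comment above the loop, e.g. `/* remove the first shunt with this child name, entries without namespace are skipped */`. As a matter of style, `free(found)` appears on both paths; storing the result first, `uninstalled = found && charon->shunts->uninstall(charon->shunts, found, msg->unroute.name); free(found);`, keeps a single release. The body of `unroute` continues outside the hunk.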
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 77911c7..9b61afb 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -1310,7 +1310,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 			break;
 		}
 		if (match("RSA", &token) || match("ECDSA", &token) ||
-			match("BLISS", &token))
+			match("BLISS", &token) || match("PKCS8", &token))
 		{
 			if (match("RSA", &token))
 			{
@@ -1320,10 +1320,14 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 			{
 				key_type = KEY_ECDSA;
 			}
-			else
+			else if (match("BLISS", &token))
 			{
 				key_type = KEY_BLISS;
 			}
+			else
+			{
+				key_type = KEY_ANY;
+			}
 			if (!load_private(secrets, line, line_nr, prompt, key_type))
 			{
 				break;
@@ -1356,7 +1360,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 		else
 		{
 			DBG1(DBG_CFG, "line %d: token must be either RSA, ECDSA, BLISS, "
-						  "P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
+						  "PKCS8 P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
 			break;
 		}
 	}
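Review bot: The updated error message is missing a comma after the new token: it now reads "... BLISS, PKCS8 P12, PIN ...", which looks like a single token `PKCS8 P12`. The second string should be `"PKCS8, P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);`. `load_secrets` starts and ends outside this hunk.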
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index cec2657..92e3686 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -603,7 +603,7 @@ METHOD(stroke_list_t, status, void,
 	/* Enumerate shunt policies */
 	first = TRUE;
 	enumerator = charon->shunts->create_enumerator(charon->shunts);
-	while (enumerator->enumerate(enumerator, &child_cfg))
+	while (enumerator->enumerate(enumerator, NULL, &child_cfg))
 	{
 		if (name && !streq(name, child_cfg->get_name(child_cfg)))
 		{
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index f64b99f..62095e3 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -70,6 +70,8 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
 				PLUGIN_SDEPEND(PRIVKEY, KEY_DSA),
 				PLUGIN_SDEPEND(PRIVKEY, KEY_BLISS),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ED25519),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ED448),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL),
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index e219159..78fd6e8 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 60618c0..7ec4eaa 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index 2b6c34c..215e3b3 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -364,7 +364,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -399,6 +398,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 2f79391..64b4bca 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index fc9bff7..6811eb7 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c
index 5707278..25e0756 100644
--- a/src/libcharon/plugins/unity/unity_handler.c
+++ b/src/libcharon/plugins/unity/unity_handler.c
@@ -235,7 +235,7 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 		enumerator->destroy(enumerator);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 
-		charon->shunts->install(charon->shunts, child_cfg);
+		charon->shunts->install(charon->shunts, "unity", child_cfg);
 		child_cfg->destroy(child_cfg);
 
 		DBG1(DBG_IKE, "installed %N bypass policy for %R",
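Review bot: The return value of `charon->shunts->install(charon->shunts, "unity", child_cfg)` is ignored, and the `DBG1` that follows reports the bypass policy as installed either way; `install` returns a status elsewhere in this commit (`charon_route` in stroke_control.c tests it). Check the result and log a failure instead, e.g. `if (!charon->shunts->install(charon->shunts, "unity", child_cfg))` with a `DBG1` stating that the policy could not be installed. The namespace literal `"unity"` is repeated in `remove_exclude` in the next hunk; a single `#define` for it would keep install and uninstall in step. `add_exclude_async` continues outside the hunk.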
@@ -310,7 +310,8 @@ static bool remove_exclude(private_unity_handler_t *this, chunk_t data)
 		DBG1(DBG_IKE, "uninstalling %N bypass policy for %R",
 			 configuration_attribute_type_names, UNITY_LOCAL_LAN, ts);
 		ts->destroy(ts);
-		success = charon->shunts->uninstall(charon->shunts, name) && success;
+		success = charon->shunts->uninstall(charon->shunts, "unity",
+											name) && success;
 	}
 	list->destroy(list);
 	return success;
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index a2dd067..1a44e55 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in
index ce15204..cdefbff 100644
--- a/src/libcharon/plugins/vici/Makefile.in
+++ b/src/libcharon/plugins/vici/Makefile.in
@@ -456,7 +456,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -491,6 +490,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 18a3ef7..9bda949 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -1,8 +1,8 @@
 # The Versatile IKE Control Interface (VICI) protocol #
 
-The vici plugin implements the server side of an IPC protocol to configure,
-monitor and control the IKE daemon charon. It uses request/response and event
-messages to communicate over a reliable stream based transport.
+The vici _[ˈvitʃi]_ plugin implements the server side of an IPC protocol to
+configure, monitor and control the IKE daemon charon. It uses request/response
+and event messages to communicate over a reliable stream based transport.
 
 ## Transport protocol ##
 
@@ -258,7 +258,7 @@ Initiates an SA while streaming _control-log_ events.
 
 	{
 		child = <CHILD_SA configuration name to initiate>
-		ike = <optional IKE_SA configuraiton name to find child under>
+		ike = <optional IKE_SA configuration name to find child under>
 		timeout = <timeout in ms before returning>
 		init-limits = <whether limits may prevent initiating the CHILD_SA>
 		loglevel = <loglevel to issue "control-log" events for>
@@ -283,12 +283,29 @@ Terminates an SA while streaming _control-log_ events.
 		loglevel = <loglevel to issue "control-log" events for>
 	} => {
 		success = <yes or no>
+		matches = <number of matched SAs>
+		terminated = <number of terminated SAs>
 		errmsg = <error string on failure or timeout>
 	}
 
 The default timeout of 0 waits indefinitely for a result, and a timeout value
 of -1 returns a result immediately.
 
+### rekey() ###
+
+Initiate the rekeying of an SA.
+
+	{
+		child = <rekey a CHILD_SA by configuration name>
+		ike = <rekey an IKE_SA by configuration name>
+		child-id = <rekey a CHILD_SA by its reqid>
+		ike-id = <rekey an IKE_SA by its unique id>
+	} => {
+		success = <yes or no>
+		matches = <number of matched SAs>
+		errmsg = <error string on failure>
+	}
+
 ### redirect() ###
 
 Redirect a client-initiated IKE_SA to another gateway.  Only for IKEv2 and if
@@ -303,6 +320,7 @@ supported by the peer.
 				   wildcards>
 	} => {
 		success = <yes or no>
+		matches = <number of matched SAs>
 		errmsg = <error string on failure>
 	}
 
@@ -312,7 +330,7 @@ Install a trap, drop or bypass policy defined by a CHILD_SA config.
 
 	{
 		child = <CHILD_SA configuration name to install>
-		ike = <optional IKE_SA configuraiton name to find child under>
+		ike = <optional IKE_SA configuration name to find child under>
 	} => {
 		success = <yes or no>
 		errmsg = <error string on failure>
@@ -324,6 +342,8 @@ Uninstall a trap, drop or bypass policy defined by a CHILD_SA config.
 
 	{
 		child = <CHILD_SA configuration name to install>
+		ike = <optional IKE_SA configuration name to find child under,
+			   if not given the first policy matching child is removed>
 	} => {
 		success = <yes or no>
 		errmsg = <error string on failure>
@@ -352,6 +372,7 @@ _list-policy_ events.
 		pass = <set to yes to list bypass policies>
 		trap = <set to yes to list trap policies>
 		child = <filter by CHILD_SA configuration name>
+		ike = <filter by IKE_SA configuration name>
 	} => {
 		# completes after streaming list-sa events
 	}
@@ -466,12 +487,53 @@ Load a private key into the daemon.
 		errmsg = <error string on failure>
 	}
 
+### unload-key() ###
+
+Unload the private key with the given key identifier.
+
+	{
+		id = <hex-encoded SHA-1 key identifier of the private key to unload>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### get-keys() ###
+
+Return a list of identifiers of private keys loaded exclusively over vici, not
+including keys found in other backends.
+
+	{} => {
+		keys = [
+			<list of hex-encoded SHA-1 key identifiers>
+		]
+	}
+
+### load-token() ###
+
+Load a private key located on a token into the daemon.  Such keys may be listed
+and unloaded using the _get-keys_ and _unload-key_ commands, respectively (based
+on the key identifier derived from the public key).
+
+	{
+		handle = <hex-encoded CKA_ID of the private key on token>
+		slot = <optional slot number>
+		module = <optional PKCS#11 module>
+		pin = <optional PIN to access the key, has to be provided via other
+			   means if not given>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+		id = <hex-encoded SHA-1 key identifier of the public key on success>
+	}
+
 ### load-shared() ###
 
 Load a shared IKE PSK, EAP or XAuth secret into the daemon.
 
 	{
-		type = <private key type, IKE|EAP|XAUTH>
+		id = <optional unique identifier of this shared key>
+		type = <shared key type, IKE|EAP|XAUTH>
 		data = <raw shared key data>
 		owners = [
 			<list of shared key owner identities>
@@ -481,6 +543,29 @@ Load a shared IKE PSK, EAP or XAuth secret into the daemon.
 		errmsg = <error string on failure>
 	}
 
+### unload-shared() ###
+
+Unload a previously loaded shared IKE PSK, EAP or XAuth secret by its unique
+identifier.
+
+	{
+		id = <unique identifier of the shared key to unload>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### get-shared() ###
+
+Return a list of unique identifiers of shared keys loaded exclusively over vici,
+not including keys found in other backends.
+
+	{} => {
+		keys = [
+			<list of unique identifiers>
+		]
+	}
+
 ### flush-certs() ###
 
 Flushes the certificate cache. The optional type argument allows to flush
@@ -569,6 +654,7 @@ List the currently loaded pools.
 
 	{
 		leases = <set to yes to include leases>
+		name = <optional name of the pool to query>
 	} => {
 		<pool name>* = {
 			base = <virtual IP pool base address>
@@ -678,7 +764,8 @@ command.
 				<list of tasks currently handling passively>
 			]
 			child-sas = {
-				<child-sa-name>* = {
+				<unique child-sa-name>* = {
+					name = <name of the CHILD_SA>
 					uniqueid = <unique CHILD_SA identifier>
 					reqid = <reqid of CHILD_SA>
 					state = <state string of CHILD_SA>
@@ -689,6 +776,10 @@ command.
 					spi-out = <hex encoded outbound SPI>
 					cpi-in = <hex encoded inbound CPI, if using compression>
 					cpi-out = <hex encoded outbound CPI, if using compression>
+					mark-in = <hex encoded inbound Netfilter mark value>
+					mark-mask-in = <hex encoded inbound Netfilter mark mask>
+					mark-out = <hex encoded outbound Netfilter mark value>
+					mark-mask-out = <hex encoded outbound Netfilter mark mask>
 					encr-alg = <ESP encryption algorithm name, if any>
 					encr-keysize = <ESP encryption key size, if applicable>
 					integ-alg = <ESP or AH integrity algorithm name, if any>
@@ -722,7 +813,9 @@ The _list-policy_ event is issued to stream installed policies during an active
 _list-policies_ command.
 
 	{
-		<child-sa-config-name> = {
+		<ike-sa-config-name/child-sa-config-name> = {
+			child = <CHILD_SA configuration name>
+			ike = <IKE_SA configuration name or namespace, if available>
 			mode = <policy mode, tunnel|transport|pass|drop>
 			local-ts = [
 				<list of local traffic selectors>
diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in
index 523868c..385aa97 100644
--- a/src/libcharon/plugins/vici/perl/Makefile.in
+++ b/src/libcharon/plugins/vici/perl/Makefile.in
@@ -274,7 +274,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -309,6 +308,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in
index 4f1a917..f783d70 100644
--- a/src/libcharon/plugins/vici/python/Makefile.in
+++ b/src/libcharon/plugins/vici/python/Makefile.in
@@ -296,7 +296,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -331,6 +330,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/vici/python/vici/protocol.py b/src/libcharon/plugins/vici/python/vici/protocol.py
index 4951817..919231d 100644
--- a/src/libcharon/plugins/vici/python/vici/protocol.py
+++ b/src/libcharon/plugins/vici/python/vici/protocol.py
@@ -33,7 +33,10 @@ class Transport(object):
         """Ensure to read count bytes from the socket"""
         data = b""
         while len(data) < count:
-            data += self.socket.recv(count - len(data))
+            buf = self.socket.recv(count - len(data))
+            if not buf:
+                raise socket.error('Connection closed')
+            data += buf
         return data
 
 
@@ -59,7 +62,7 @@ class Packet(object):
 
     @classmethod
     def _named_request(cls, request_type, request, message=None):
-        request = request.encode()
+        requestdata = request.encode("UTF-8")
         payload = struct.pack("!BB", request_type, len(request)) + request
         if message is not None:
             return payload + message
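Review bot: In `_named_request` the encoded bytes are assigned to `requestdata`, but the unchanged next line still packs `len(request)` and appends `request`, so the result of the encoding is never used. On Python 3 that concatenates bytes with a str and raises TypeError, and the length byte counts characters rather than encoded bytes. The payload line should read `payload = struct.pack("!BB", request_type, len(requestdata)) + requestdata`. The method continues past the end of the hunk.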
@@ -102,12 +105,12 @@ class Message(object):
     @classmethod
     def serialize(cls, message):
         def encode_named_type(marker, name):
-            name = name.encode()
+            name = name.encode("UTF-8")
             return struct.pack("!BB", marker, len(name)) + name
 
         def encode_blob(value):
             if not isinstance(value, bytes):
-                value = str(value).encode()
+                value = str(value).encode("UTF-8")
             return struct.pack("!H", len(value)) + value
 
         def serialize_list(lst):
@@ -144,7 +147,7 @@ class Message(object):
     def deserialize(cls, stream):
         def decode_named_type(stream):
             length, = struct.unpack("!B", stream.read(1))
-            return stream.read(length).decode()
+            return stream.read(length).decode("UTF-8")
 
         def decode_blob(stream):
             length, = struct.unpack("!H", stream.read(2))
diff --git a/src/libcharon/plugins/vici/python/vici/session.py b/src/libcharon/plugins/vici/python/vici/session.py
index 5bd4b7c..1383fa7 100644
--- a/src/libcharon/plugins/vici/python/vici/session.py
+++ b/src/libcharon/plugins/vici/python/vici/session.py
@@ -208,13 +208,15 @@ class Session(object):
         """
         self.handler.request("unload-pool", pool_name)
 
-    def get_pools(self):
+    def get_pools(self, options):
         """Retrieve loaded pools.
 
+        :param options: filter by name and/or retrieve leases (optional)
+        :type options: dict
         :return: loaded pools
         :rtype: dict
         """
-        return self.handler.request("get-pools")
+        return self.handler.request("get-pools", options)
 
     def listen(self, event_types):
         """Register and listen for the given events.
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
index e176285..125f44e 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.in
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -274,7 +274,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -309,6 +308,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb
index 1a95fc3..bcf1a17 100644
--- a/src/libcharon/plugins/vici/ruby/lib/vici.rb
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@@ -492,8 +492,8 @@ module Vici
 
     ##
     # Get the currently loaded pools.
-    def get_pools()
-      @transp.request("get-pools").root
+    def get_pools(options)
+      @transp.request("get-pools", Message.new(options)).root
     end
 
     ##
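Review bot: `get_pools(options)` turns a zero-argument method into one with a required argument, so existing callers of `get_pools()` fail with an ArgumentError after the upgrade. A default keeps them working: `def get_pools(options = {})`. The Python binding in session.py has the same problem: its docstring calls `options` optional but the signature requires it. `def get_pools(self, options=None):` would match the docstring, provided `handler.request` accepts a missing message, which is not visible in that hunk.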
diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c
index e0d9b4a..4e1fa97 100644
--- a/src/libcharon/plugins/vici/vici_attribute.c
+++ b/src/libcharon/plugins/vici/vici_attribute.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2014-2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2014-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
@@ -668,10 +668,11 @@ CALLBACK(get_pools, vici_message_t*,
 	identification_t *uid;
 	host_t *lease;
 	bool list_leases, on;
-	char buf[32];
+	char buf[32], *filter;
 	int i;
 
 	list_leases = message->get_bool(message, FALSE, "leases");
+	filter = message->get_str(message, NULL, "name");
 
 	builder = vici_builder_create();
 
@@ -679,6 +680,11 @@ CALLBACK(get_pools, vici_message_t*,
 	enumerator = this->pools->create_enumerator(this->pools);
 	while (enumerator->enumerate(enumerator, &name, &pool))
 	{
+		if (filter && !streq(name, filter))
+		{
+			continue;
+		}
+
 		vips = pool->vips;
 
 		builder->begin_section(builder, name);
diff --git a/src/libcharon/plugins/vici/vici_authority.c b/src/libcharon/plugins/vici/vici_authority.c
index 94a7f68..0fa158b 100644
--- a/src/libcharon/plugins/vici/vici_authority.c
+++ b/src/libcharon/plugins/vici/vici_authority.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2016 Tobias Brunner
  * Copyright (C) 2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -199,9 +200,28 @@ typedef struct {
 typedef struct {
 	request_data_t *request;
 	authority_t *authority;
+	char *handle;
+	uint32_t slot;
+	char *module;
+	char *file;
 } load_data_t;
 
 /**
+ * Clean up data associated with an authority load
+ */
+static void free_load_data(load_data_t *data)
+{
+	if (data->authority)
+	{
+		authority_destroy(data->authority);
+	}
+	free(data->handle);
+	free(data->module);
+	free(data->file);
+	free(data);
+}
+
+/**
  * Parse a string
  */
 CALLBACK(parse_string, bool,
@@ -217,6 +237,28 @@ CALLBACK(parse_string, bool,
 }
 
 /**
+ * Parse a uint32_t
+ */
+CALLBACK(parse_uint32, bool,
+	uint32_t *out, chunk_t v)
+{
+	char buf[16], *end;
+	u_long l;
+
+	if (!vici_stringify(v, buf, sizeof(buf)))
+	{
+		return FALSE;
+	}
+	l = strtoul(buf, &end, 0);
+	if (*end == 0)
+	{
+		*out = l;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
  * Parse list of URIs
  */
 CALLBACK(parse_uris, bool,
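Review bot: parse_uint32 accepts input it should reject. Assuming vici_stringify passes an empty value through, `end == buf` with `*end == 0` and the value is stored as 0; and where `u_long` is 64 bits, a number above UINT32_MAX is narrowed silently by `*out = l;`. Tightening the test to `if (end != buf && *end == 0 && l <= UINT32_MAX)` covers both cases. This matters for `slot`, where authority_sn uses `-1` as the "not set" marker, so an explicit 4294967295 cannot be told apart from an absent key. parse_uint32_base in vici_config.c carries the same check.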
@@ -266,8 +308,12 @@ CALLBACK(authority_kv, bool,
 	load_data_t *data, vici_message_t *message, char *name, chunk_t value)
 {
 	parse_rule_t rules[] = {
-		{ "cacert",			parse_cacert, &data->authority->cert	      },
-		{ "cert_uri_base",	parse_string, &data->authority->cert_uri_base },
+		{ "cacert",			parse_cacert, &data->authority->cert			},
+		{ "file",			parse_string, &data->file						},
+		{ "handle",			parse_string, &data->handle						},
+		{ "slot",			parse_uint32, &data->slot						},
+		{ "module",			parse_string, &data->module						},
+		{ "cert_uri_base",	parse_string, &data->authority->cert_uri_base	},
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
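Review bot: authority_kv now accepts `cacert`, `file` and `handle` for the same authority, and the authority_sn hunk that follows resolves a conflict silently: an inline `cacert` wins, then `file`, then `handle`. auth_sn in vici_config.c rejects `handle` and `file` given together with an explicit reply. Doing the same here keeps the two loaders consistent and tells the client that one source was ignored: `request->reply = create_reply("handle and file path given: %s", name);` followed by `free_load_data(data); return FALSE;`. The body of authority_kv ends outside the hunk.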
@@ -341,21 +387,60 @@ CALLBACK(authority_sn, bool,
 	linked_list_t *authorities;
 	authority_t *authority;
 	vici_cred_t *cred;
+	load_data_t *data;
+	chunk_t handle;
 
-	load_data_t data = {
+	INIT(data,
 		.request = request,
 		.authority = authority_create(name),
-	};
+		.slot = -1,
+	);
 
 	DBG2(DBG_CFG, " authority %s:", name);
 
-	if (!message->parse(message, ctx, NULL, authority_kv, authority_li, &data) ||
-		!data.authority->cert)
+	if (!message->parse(message, ctx, NULL, authority_kv, authority_li, data))
+	{
+		free_load_data(data);
+		return FALSE;
+	}
+	if (!data->authority->cert)
+	{
+		if (data->file)
+		{
+			data->authority->cert = lib->creds->create(lib->creds,
+										CRED_CERTIFICATE, CERT_X509,
+										BUILD_FROM_FILE, data->file, BUILD_END);
+		}
+		else if (data->handle)
+		{
+			handle = chunk_from_hex(chunk_from_str(data->handle), NULL);
+			if (data->slot != -1)
+			{
+				data->authority->cert = lib->creds->create(lib->creds,
+								CRED_CERTIFICATE, CERT_X509,
+								BUILD_PKCS11_KEYID, handle,
+								BUILD_PKCS11_SLOT, data->slot,
+								data->module ? BUILD_PKCS11_MODULE : BUILD_END,
+								data->module, BUILD_END);
+			}
+			else
+			{
+				data->authority->cert = lib->creds->create(lib->creds,
+								CRED_CERTIFICATE, CERT_X509,
+								BUILD_PKCS11_KEYID, handle,
+								data->module ? BUILD_PKCS11_MODULE : BUILD_END,
+								data->module, BUILD_END);
+			}
+			chunk_free(&handle);
+		}
+	}
+	if (!data->authority->cert)
 	{
-		authority_destroy(data.authority);
+		request->reply = create_reply("CA certificate missing: %s", name);
+		free_load_data(data);
 		return FALSE;
 	}
-	log_authority_data(data.authority);
+	log_authority_data(data->authority);
 
 	request->this->lock->write_lock(request->this->lock);
 
@@ -372,12 +457,14 @@ CALLBACK(authority_sn, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
-	authorities->insert_last(authorities, data.authority);
+	authorities->insert_last(authorities, data->authority);
 
 	cred = request->this->cred;
-	data.authority->cert = cred->add_cert(cred, data.authority->cert);
+	data->authority->cert = cred->add_cert(cred, data->authority->cert);
+	data->authority = NULL;
 
 	request->this->lock->unlock(request->this->lock);
+	free_load_data(data);
 
 	return TRUE;
 }
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 2110fd3..12497ec 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -2,7 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015-2016 Tobias Brunner
+ * Copyright (C) 2015-2017 Tobias Brunner
  * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -247,6 +247,28 @@ typedef struct {
 } request_data_t;
 
 /**
+ * Certificate data
+ */
+typedef struct {
+	request_data_t *request;
+	char *handle;
+	uint32_t slot;
+	char *module;
+	char *file;
+} cert_data_t;
+
+/**
+ * Clean up certificate data
+ */
+static void free_cert_data(cert_data_t *data)
+{
+	free(data->handle);
+	free(data->module);
+	free(data->file);
+	free(data);
+}
+
+/**
  * Auth config data
  */
 typedef struct {
@@ -295,6 +317,12 @@ typedef struct {
 	uint64_t rekey_time;
 	uint64_t over_time;
 	uint64_t rand_time;
+	uint8_t dscp;
+#ifdef ME
+	bool mediation;
+	char *mediated_by;
+	identification_t *peer_id;
+#endif /* ME */
 } peer_data_t;
 
 /**
@@ -370,6 +398,7 @@ static void log_peer_data(peer_data_t *data)
 	DBG2(DBG_CFG, "  send_cert = %N", cert_policy_names, data->send_cert);
 	DBG2(DBG_CFG, "  mobike = %u", data->mobike);
 	DBG2(DBG_CFG, "  aggressive = %u", data->aggressive);
+	DBG2(DBG_CFG, "  dscp = 0x%.2x", data->dscp);
 	DBG2(DBG_CFG, "  encap = %u", data->encap);
 	DBG2(DBG_CFG, "  dpd_delay = %llu", data->dpd_delay);
 	DBG2(DBG_CFG, "  dpd_timeout = %llu", data->dpd_timeout);
@@ -381,6 +410,14 @@ static void log_peer_data(peer_data_t *data)
 	DBG2(DBG_CFG, "  over_time = %llu", data->over_time);
 	DBG2(DBG_CFG, "  rand_time = %llu", data->rand_time);
 	DBG2(DBG_CFG, "  proposals = %#P", data->proposals);
+#ifdef ME
+	DBG2(DBG_CFG, "  mediation = %u", data->mediation);
+	if (data->mediated_by)
+	{
+		DBG2(DBG_CFG, "  mediated_by = %s", data->mediated_by);
+		DBG2(DBG_CFG, "  mediation_peer = %Y", data->peer_id);
+	}
+#endif /* ME */
 
 	if (data->vips->get_count(data->vips))
 	{
@@ -425,6 +462,10 @@ static void free_peer_data(peer_data_t *data)
 	free(data->pools);
 	free(data->local_addrs);
 	free(data->remote_addrs);
+#ifdef ME
+	free(data->mediated_by);
+	DESTROY_IF(data->peer_id);
+#endif /* ME */
 }
 
 /**
@@ -461,7 +502,8 @@ static void log_child_data(child_data_t *data, char *name)
 	DBG2(DBG_CFG, "   updown = %s", cfg->updown);
 	DBG2(DBG_CFG, "   hostaccess = %u", cfg->hostaccess);
 	DBG2(DBG_CFG, "   ipcomp = %u", cfg->ipcomp);
-	DBG2(DBG_CFG, "   mode = %N", ipsec_mode_names, cfg->mode);
+	DBG2(DBG_CFG, "   mode = %N%s", ipsec_mode_names, cfg->mode,
+		 cfg->proxy_mode ? "_PROXY" : "");
 	DBG2(DBG_CFG, "   policies = %u", data->policies);
 	DBG2(DBG_CFG, "   policies_fwd_out = %u", data->policies_fwd_out);
 	if (data->replay_window != REPLAY_UNDEFINED)
@@ -770,20 +812,22 @@ CALLBACK(parse_bool, bool,
  * Parse a ipsec_mode_t
  */
 CALLBACK(parse_mode, bool,
-	ipsec_mode_t *out, chunk_t v)
+	child_cfg_create_t *cfg, chunk_t v)
 {
 	enum_map_t map[] = {
-		{ "tunnel",		MODE_TUNNEL		},
-		{ "transport",	MODE_TRANSPORT	},
-		{ "beet",		MODE_BEET		},
-		{ "drop",		MODE_DROP		},
-		{ "pass",		MODE_PASS		},
+		{ "tunnel",				MODE_TUNNEL		},
+		{ "transport",			MODE_TRANSPORT	},
+		{ "transport_proxy",	MODE_TRANSPORT	},
+		{ "beet",				MODE_BEET		},
+		{ "drop",				MODE_DROP		},
+		{ "pass",				MODE_PASS		},
 	};
 	int d;
 
 	if (parse_map(map, countof(map), &d, v))
 	{
-		*out = d;
+		cfg->mode = d;
+		cfg->proxy_mode = (d == MODE_TRANSPORT) && (v.len > 9);
 		return TRUE;
 	}
 	return FALSE;
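Review bot: `cfg->proxy_mode = (d == MODE_TRANSPORT) && (v.len > 9);` infers the proxy flag from the length of the input, where 9 is the unexplained length of "transport". This breaks quietly if another alias that maps to MODE_TRANSPORT is ever added to the table. Spelling it out as `v.len > strlen("transport")` or adding `/* longer than "transport" means "transport_proxy" */` makes the dependency on the map entries visible. A sturdier form would give the proxy entry its own marker in `map` and test for that instead of the length.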
@@ -814,10 +858,9 @@ CALLBACK(parse_action, bool,
 }
 
 /**
- * Parse a uint32_t
+ * Parse a uint32_t with the given base
  */
-CALLBACK(parse_uint32, bool,
-	uint32_t *out, chunk_t v)
+static bool parse_uint32_base(uint32_t *out, chunk_t v, int base)
 {
 	char buf[16], *end;
 	u_long l;
@@ -826,7 +869,7 @@ CALLBACK(parse_uint32, bool,
 	{
 		return FALSE;
 	}
-	l = strtoul(buf, &end, 0);
+	l = strtoul(buf, &end, base);
 	if (*end == 0)
 	{
 		*out = l;
@@ -836,6 +879,24 @@ CALLBACK(parse_uint32, bool,
 }
 
 /**
+ * Parse a uint32_t
+ */
+CALLBACK(parse_uint32, bool,
+	uint32_t *out, chunk_t v)
+{
+	return parse_uint32_base(out, v, 0);
+}
+
+/**
+ * Parse a uint32_t in binary encoding
+ */
+CALLBACK(parse_uint32_bin, bool,
+	uint32_t *out, chunk_t v)
+{
+	return parse_uint32_base(out, v, 2);
+}
+
+/**
  * Parse a uint64_t
  */
 CALLBACK(parse_uint64, bool,
@@ -984,6 +1045,20 @@ CALLBACK(parse_tfc, bool,
 }
 
 /**
+ * Parse 6-bit DSCP value
+ */
+CALLBACK(parse_dscp, bool,
+	uint8_t *out, chunk_t v)
+{
+	if (parse_uint32_bin(out, v))
+	{
+		*out = *out & 0x3f;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
  * Parse authentication config
  */
 CALLBACK(parse_auth, bool,
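Review bot: parse_dscp hands its `uint8_t *out` to parse_uint32_bin, whose helper parse_uint32_base stores through a `uint32_t *` (`*out = l;`), and the target added to peer_data_t is `uint8_t dscp`, so four bytes are written into a one-byte field. That overwrites whatever follows `dscp` in the struct, and on a big-endian host it would leave the wrong byte in `dscp`. Parse into a local instead: `uint32_t val;` then `if (parse_uint32_bin(&val, v)) { *out = val & 0x3f; return TRUE; }`. Values wider than six bits are also masked silently; returning FALSE when `val > 0x3f` would surface the configuration mistake instead of applying a different DSCP than the one requested.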
@@ -1109,27 +1184,52 @@ CALLBACK(parse_group, bool,
 }
 
 /**
- * Parse a certificate; add as auth rule to config
+ * Parse certificate policy
  */
-static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
+CALLBACK(parse_cert_policy, bool,
+	auth_cfg_t *cfg, chunk_t v)
+{
+	char buf[BUF_LEN];
+
+	if (!vici_stringify(v, buf, sizeof(buf)))
+	{
+		return FALSE;
+	}
+	cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(buf));
+	return TRUE;
+}
+
+/**
+ * Add a certificate as auth rule to config
+ */
+static bool add_cert(auth_data_t *auth, auth_rule_t rule, certificate_t *cert)
 {
 	vici_authority_t *authority;
 	vici_cred_t *cred;
+
+	if (rule == AUTH_RULE_SUBJECT_CERT)
+	{
+		authority = auth->request->this->authority;
+		authority->check_for_hash_and_url(authority, cert);
+	}
+	cred = auth->request->this->cred;
+	cert = cred->add_cert(cred, cert);
+	auth->cfg->add(auth->cfg, rule, cert);
+	return TRUE;
+}
+
+/**
+ * Parse a certificate; add as auth rule to config
+ */
+static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
+{
 	certificate_t *cert;
 
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 							  BUILD_BLOB_PEM, v, BUILD_END);
 	if (cert)
 	{
-		if (rule == AUTH_RULE_SUBJECT_CERT)
-		{
-			authority = auth->request->this->authority;
-			authority->check_for_hash_and_url(authority, cert);
-		}
-		cred = auth->request->this->cred;
-		cert = cred->add_cert(cred, cert);
-		auth->cfg->add(auth->cfg, rule, cert);
-		return TRUE;
+		return add_cert(auth, rule, cert);
 	}
 	return FALSE;
 }
@@ -1314,6 +1414,38 @@ CALLBACK(parse_hosts, bool,
 	return TRUE;
 }
 
+#ifdef ME
+/**
+ * Parse peer ID
+ */
+CALLBACK(parse_peer_id, bool,
+	identification_t **out, chunk_t v)
+{
+	char buf[BUF_LEN];
+
+	if (!vici_stringify(v, buf, sizeof(buf)))
+	{
+		return FALSE;
+	}
+	*out = identification_create_from_string(buf);
+	return TRUE;
+}
+#endif /* ME */
+
+CALLBACK(cert_kv, bool,
+	cert_data_t *cert, vici_message_t *message, char *name, chunk_t value)
+{
+	parse_rule_t rules[] = {
+		{ "handle",			parse_string,		&cert->handle				},
+		{ "slot",			parse_uint32,		&cert->slot					},
+		{ "module",			parse_string,		&cert->module				},
+		{ "file",			parse_string,		&cert->file					},
+	};
+
+	return parse_rules(rules, countof(rules), name, value,
+					   &cert->request->reply);
+}
+
 CALLBACK(child_li, bool,
 	child_data_t *child, vici_message_t *message, char *name, chunk_t value)
 {
@@ -1334,7 +1466,7 @@ CALLBACK(child_kv, bool,
 	parse_rule_t rules[] = {
 		{ "updown",				parse_string,		&child->cfg.updown					},
 		{ "hostaccess",			parse_bool,			&child->cfg.hostaccess				},
-		{ "mode",				parse_mode,			&child->cfg.mode					},
+		{ "mode",				parse_mode,			&child->cfg							},
 		{ "policies",			parse_bool,			&child->policies					},
 		{ "policies_fwd_out",	parse_bool,			&child->policies_fwd_out			},
 		{ "replay_window",		parse_uint32,		&child->replay_window				},
@@ -1369,6 +1501,7 @@ CALLBACK(auth_li, bool,
 {
 	parse_rule_t rules[] = {
 		{ "groups",			parse_group,		auth->cfg					},
+		{ "cert_policy",	parse_cert_policy,	auth						},
 		{ "certs",			parse_certs,		auth						},
 		{ "cacerts",		parse_cacerts,		auth						},
 		{ "pubkeys",		parse_pubkeys,		auth						},
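Review bot: The new `cert_policy` rule passes `auth`, an `auth_data_t *`, but parse_cert_policy is declared with `auth_cfg_t *cfg` and calls `cfg->add(...)` on it. The neighbouring `groups` rule shows the intended argument, `auth->cfg`. As written, the callback treats the wrapper struct as an auth_cfg_t and calls through whatever lies at the offset of `add`. The entry should be `{ "cert_policy", parse_cert_policy, auth->cfg },`. The body of auth_li continues outside the hunk.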
@@ -1417,6 +1550,7 @@ CALLBACK(peer_kv, bool,
 		{ "version",		parse_uint32,		&peer->version				},
 		{ "aggressive",		parse_bool,			&peer->aggressive			},
 		{ "pull",			parse_bool,			&peer->pull					},
+		{ "dscp",			parse_dscp,			&peer->dscp					},
 		{ "encap",			parse_bool,			&peer->encap				},
 		{ "mobike",			parse_bool,			&peer->mobike				},
 		{ "dpd_delay",		parse_time,			&peer->dpd_delay			},
@@ -1432,12 +1566,94 @@ CALLBACK(peer_kv, bool,
 		{ "rekey_time",		parse_time,			&peer->rekey_time			},
 		{ "over_time",		parse_time,			&peer->over_time			},
 		{ "rand_time",		parse_time,			&peer->rand_time			},
+#ifdef ME
+		{ "mediation",		parse_bool,			&peer->mediation			},
+		{ "mediated_by",	parse_string,		&peer->mediated_by			},
+		{ "mediation_peer",	parse_peer_id,		&peer->peer_id				},
+#endif /* ME */
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
 					   &peer->request->reply);
 }
 
+CALLBACK(auth_sn, bool,
+	auth_data_t *auth, vici_message_t *message, vici_parse_context_t *ctx,
+	char *name)
+{
+	if (strcasepfx(name, "cert") ||
+		strcasepfx(name, "cacert"))
+	{
+		cert_data_t *data;
+		auth_rule_t rule;
+		certificate_t *cert;
+		chunk_t handle;
+
+		INIT(data,
+			.request = auth->request,
+			.slot = -1,
+		);
+
+		if (!message->parse(message, ctx, NULL, cert_kv, NULL, data))
+		{
+			free_cert_data(data);
+			return FALSE;
+		}
+		if  (!data->handle && !data->file)
+		{
+			auth->request->reply = create_reply("handle or file path missing: "
+												"%s", name);
+			free_cert_data(data);
+			return FALSE;
+		}
+		else if (data->handle && data->file)
+		{
+			auth->request->reply = create_reply("handle and file path given: "
+												"%s", name);
+			free_cert_data(data);
+			return FALSE;
+		}
+
+		if (data->file)
+		{
+			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								BUILD_FROM_FILE, data->file, BUILD_END);
+		}
+		else
+		{
+			handle = chunk_from_hex(chunk_from_str(data->handle), NULL);
+			if (data->slot != -1)
+			{
+				cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+								CERT_X509, BUILD_PKCS11_KEYID, handle,
+								BUILD_PKCS11_SLOT, data->slot,
+								data->module ? BUILD_PKCS11_MODULE : BUILD_END,
+								data->module, BUILD_END);
+			}
+			else
+			{
+				cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+								CERT_X509, BUILD_PKCS11_KEYID, handle,
+								data->module ? BUILD_PKCS11_MODULE : BUILD_END,
+								data->module, BUILD_END);
+			}
+			chunk_free(&handle);
+		}
+		free_cert_data(data);
+		if (!cert)
+		{
+			auth->request->reply = create_reply("unable to load certificate: "
+												"%s", name);
+			return FALSE;
+		}
+		rule = strcasepfx(name, "cert") ? AUTH_RULE_SUBJECT_CERT
+										: AUTH_RULE_CA_CERT;
+		return add_cert(auth, rule, cert);
+	}
+	auth->request->reply = create_reply("invalid section: %s", name);
+	return FALSE;
+}
+
 /**
  * Check and update lifetimes
  */
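Review bot: In auth_sn, `data->file` is taken from the vici message and passed unchanged to `BUILD_FROM_FILE`, so the daemon opens whatever path the client names with its own privileges. The "unable to load certificate" reply then tells the client whether that path parsed as a certificate. That is acceptable only while access to the vici socket is limited to fully trusted local users, and the assumption is worth recording above the function, e.g. `/* file paths are opened as given; clients of the vici socket are trusted */`. The `file` key added to authority_kv in vici_authority.c relies on the same assumption.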
@@ -1600,7 +1816,7 @@ CALLBACK(peer_sn, bool,
 			.cfg = auth_cfg_create(),
 		);
 
-		if (!message->parse(message, ctx, NULL, auth_kv, auth_li, auth))
+		if (!message->parse(message, ctx, auth_sn, auth_kv, auth_li, auth))
 		{
 			free_auth_data(auth);
 			return FALSE;
@@ -1703,7 +1919,8 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
 			{
 				case MODE_PASS:
 				case MODE_DROP:
-					charon->shunts->install(charon->shunts, child_cfg);
+					charon->shunts->install(charon->shunts,
+									peer_cfg->get_name(peer_cfg), child_cfg);
 					break;
 				default:
 					charon->traps->install(charon->traps, peer_cfg, child_cfg,
@@ -1724,6 +1941,7 @@ static void clear_start_action(private_vici_config_t *this, char *peer_name,
 {
 	enumerator_t *enumerator, *children;
 	child_sa_t *child_sa;
+	peer_cfg_t *peer_cfg;
 	ike_sa_t *ike_sa;
 	uint32_t id = 0, others;
 	array_t *ids = NULL, *ikeids = NULL;
@@ -1811,13 +2029,15 @@ static void clear_start_action(private_vici_config_t *this, char *peer_name,
 			{
 				case MODE_PASS:
 				case MODE_DROP:
-					charon->shunts->uninstall(charon->shunts, name);
+					charon->shunts->uninstall(charon->shunts, peer_name, name);
 					break;
 				default:
 					enumerator = charon->traps->create_enumerator(charon->traps);
-					while (enumerator->enumerate(enumerator, NULL, &child_sa))
+					while (enumerator->enumerate(enumerator, &peer_cfg,
+												 &child_sa))
 					{
-						if (streq(name, child_sa->get_name(child_sa)))
+						if (streq(peer_name, peer_cfg->get_name(peer_cfg)) &&
+							streq(name, child_sa->get_name(child_sa)))
 						{
 							id = child_sa->get_reqid(child_sa);
 							break;
@@ -2080,12 +2300,48 @@ CALLBACK(config_sn, bool,
 		peer.rand_time = min(peer.over_time, peer.rand_time / 2);
 	}
 
+#ifdef ME
+	if (peer.mediation && peer.mediated_by)
+	{
+		DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection "
+			 "at the same time, config discarded");
+		free_peer_data(&peer);
+		return FALSE;
+	}
+	if (peer.mediation)
+	{	/* force unique connections for mediation connections */
+		peer.unique = UNIQUE_REPLACE;
+	}
+	else if (peer.mediated_by)
+	{	/* fallback to remote identity of first auth round if peer_id is not
+		 * given explicitly */
+		auth_cfg_t *cfg;
+
+		if (!peer.peer_id &&
+			peer.remote->get_first(peer.remote, (void**)&cfg) == SUCCESS)
+		{
+			peer.peer_id = cfg->get(cfg, AUTH_RULE_IDENTITY);
+			if (peer.peer_id)
+			{
+				peer.peer_id = peer.peer_id->clone(peer.peer_id);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "mediation peer missing for mediated connection, "
+					 "config discarded");
+				free_peer_data(&peer);
+				return FALSE;
+			}
+		}
+	}
+#endif /* ME */
+
 	log_peer_data(&peer);
 
 	ike_cfg = ike_cfg_create(peer.version, peer.send_certreq, peer.encap,
 						peer.local_addrs, peer.local_port,
 						peer.remote_addrs, peer.remote_port,
-						peer.fragmentation, 0);
+						peer.fragmentation, peer.dscp);
 
 	cfg = (peer_cfg_create_t){
 		.cert_policy = peer.send_cert,
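Review bot: In the `else if (peer.mediated_by)` branch, the failure path for a missing mediation peer sits inside the `get_first(...) == SUCCESS` block, so if `peer.remote` were ever empty, `peer.peer_id` would stay NULL and no error would be raised. The following hunk then calls `peer.peer_id->clone(peer.peer_id)` whenever `mediated_by` is set. Whether config_sn guarantees a remote auth config earlier is not visible here. A separate `if (!peer.peer_id)` check placed after the fallback, carrying the existing DBG1, `free_peer_data(&peer);` and `return FALSE;` lines, would remove the dependency on that guarantee. config_sn starts and ends outside the hunk.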
@@ -2101,6 +2357,14 @@ CALLBACK(config_sn, bool,
 		.dpd = peer.dpd_delay,
 		.dpd_timeout = peer.dpd_timeout,
 	};
+#ifdef ME
+	cfg.mediation = peer.mediation;
+	if (peer.mediated_by)
+	{
+		cfg.mediated_by = peer.mediated_by;
+		cfg.peer_id = peer.peer_id->clone(peer.peer_id);
+	}
+#endif /* ME */
 	peer_cfg = peer_cfg_create(name, ike_cfg, &cfg);
 
 	while (peer.local->remove_first(peer.local,
diff --git a/src/libcharon/plugins/vici/vici_config.h b/src/libcharon/plugins/vici/vici_config.h
index 0c237e7..6bff41c 100644
--- a/src/libcharon/plugins/vici/vici_config.h
+++ b/src/libcharon/plugins/vici/vici_config.h
@@ -38,7 +38,7 @@ typedef struct vici_config_t vici_config_t;
 struct vici_config_t {
 
 	/**
-	 * Implements a configuraiton backend.
+	 * Implements a configuration backend.
 	 */
 	backend_t backend;
 
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 4400381..afee649 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015-2017 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
@@ -23,6 +23,8 @@
 
 #include <daemon.h>
 #include <collections/array.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
 #include <processing/jobs/redirect_job.h>
 
 typedef struct private_vici_control_t private_vici_control_t;
@@ -360,6 +362,100 @@ CALLBACK(terminate, vici_message_t*,
 	return builder->finalize(builder);
 }
 
+CALLBACK(rekey, vici_message_t*,
+	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
+{
+	enumerator_t *isas, *csas;
+	char *child, *ike, *errmsg = NULL;
+	u_int child_id, ike_id, found = 0;
+	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
+	vici_builder_t *builder;
+
+	child = request->get_str(request, NULL, "child");
+	ike = request->get_str(request, NULL, "ike");
+	child_id = request->get_int(request, 0, "child-id");
+	ike_id = request->get_int(request, 0, "ike-id");
+
+	if (!child && !ike && !ike_id && !child_id)
+	{
+		return send_reply(this, "missing rekey selector");
+	}
+
+	if (ike_id)
+	{
+		DBG1(DBG_CFG, "vici rekey IKE_SA #%d", ike_id);
+	}
+	if (child_id)
+	{
+		DBG1(DBG_CFG, "vici rekey CHILD_SA #%d", child_id);
+	}
+	if (ike)
+	{
+		DBG1(DBG_CFG, "vici rekey IKE_SA '%s'", ike);
+	}
+	if (child)
+	{
+		DBG1(DBG_CFG, "vici rekey CHILD_SA '%s'", child);
+	}
+
+	isas = charon->controller->create_ike_sa_enumerator(charon->controller, TRUE);
+	while (isas->enumerate(isas, &ike_sa))
+	{
+		if (child || child_id)
+		{
+			if (ike && !streq(ike, ike_sa->get_name(ike_sa)))
+			{
+				continue;
+			}
+			if (ike_id && ike_id != ike_sa->get_unique_id(ike_sa))
+			{
+				continue;
+			}
+			csas = ike_sa->create_child_sa_enumerator(ike_sa);
+			while (csas->enumerate(csas, &child_sa))
+			{
+				if (child && !streq(child, child_sa->get_name(child_sa)))
+				{
+					continue;
+				}
+				if (child_id && child_sa->get_unique_id(child_sa) != child_id)
+				{
+					continue;
+				}
+				lib->processor->queue_job(lib->processor,
+						(job_t*)rekey_child_sa_job_create(
+											child_sa->get_protocol(child_sa),
+											child_sa->get_spi(child_sa, TRUE),
+											ike_sa->get_my_host(ike_sa)));
+				found++;
+			}
+			csas->destroy(csas);
+		}
+		else if ((ike && streq(ike, ike_sa->get_name(ike_sa))) ||
+				 (ike_id && ike_id == ike_sa->get_unique_id(ike_sa)))
+		{
+			lib->processor->queue_job(lib->processor,
+				(job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE));
+			found++;
+		}
+	}
+	isas->destroy(isas);
+
+	builder = vici_builder_create();
+	if (!found)
+	{
+		errmsg = "no matching SAs to rekey found";
+	}
+	builder->add_kv(builder, "success", errmsg ? "no" : "yes");
+	builder->add_kv(builder, "matches", "%u", found);
+	if (errmsg)
+	{
+		builder->add_kv(builder, "errmsg", "%s", errmsg);
+	}
+	return builder->finalize(builder);
+}
+
 /**
  * Parse a peer-ip specified, which can be a subnet in CIDR notation, a range
  * or a single IP address.
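Review bot: In `rekey`, the IKE_SA branch matches with `(ike && streq(...)) || (ike_id && ike_id == ...)`, so a request carrying both `ike` and `ike-id` rekeys every IKE_SA that matches either selector, while the CHILD_SA branch above treats the same two selectors as cumulative filters. An operator who supplies both to narrow the target would get a wider match than intended. Suggest `else if ((!ike || streq(ike, ike_sa->get_name(ike_sa))) && (!ike_id || ike_id == ike_sa->get_unique_id(ike_sa)))`, which is safe because the earlier "missing rekey selector" check guarantees at least one selector is set. The two `DBG1` lines for `ike_id` and `child_id` also print `u_int` values with `%d`; `%u` matches the type.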
@@ -494,6 +590,7 @@ CALLBACK(redirect, vici_message_t*,
 		errmsg = "no matching SAs to redirect found";
 	}
 	builder->add_kv(builder, "success", errmsg ? "no" : "yes");
+	builder->add_kv(builder, "matches", "%u", found);
 	if (errmsg)
 	{
 		builder->add_kv(builder, "errmsg", "%s", errmsg);
@@ -565,7 +662,8 @@ CALLBACK(install, vici_message_t*,
 	{
 		case MODE_PASS:
 		case MODE_DROP:
-			ok = charon->shunts->install(charon->shunts, child_cfg);
+			ok = charon->shunts->install(charon->shunts,
+									peer_cfg->get_name(peer_cfg), child_cfg);
 			break;
 		default:
 			ok = charon->traps->install(charon->traps, peer_cfg, child_cfg,
@@ -581,12 +679,15 @@ CALLBACK(install, vici_message_t*,
 CALLBACK(uninstall, vici_message_t*,
 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
 {
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
 	child_sa_t *child_sa;
 	enumerator_t *enumerator;
 	uint32_t reqid = 0;
-	char *child;
+	char *child, *ike, *ns;
 
 	child = request->get_str(request, NULL, "child");
+	ike = request->get_str(request, NULL, "ike");
 	if (!child)
 	{
 		return send_reply(this, "missing configuration name");
@@ -594,15 +695,39 @@ CALLBACK(uninstall, vici_message_t*,
 
 	DBG1(DBG_CFG, "vici uninstall '%s'", child);
 
-	if (charon->shunts->uninstall(charon->shunts, child))
+	if (!ike)
+	{
+		enumerator = charon->shunts->create_enumerator(charon->shunts);
+		while (enumerator->enumerate(enumerator, &ns, &child_cfg))
+		{
+			if (ns && streq(child, child_cfg->get_name(child_cfg)))
+			{
+				ike = strdup(ns);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (ike)
+		{
+			if (charon->shunts->uninstall(charon->shunts, ike, child))
+			{
+				free(ike);
+				return send_reply(this, NULL);
+			}
+			free(ike);
+			return send_reply(this, "uninstalling policy '%s' failed", child);
+		}
+	}
+	else if (charon->shunts->uninstall(charon->shunts, ike, child))
 	{
 		return send_reply(this, NULL);
 	}
 
 	enumerator = charon->traps->create_enumerator(charon->traps);
-	while (enumerator->enumerate(enumerator, NULL, &child_sa))
+	while (enumerator->enumerate(enumerator, &peer_cfg, &child_sa))
 	{
-		if (streq(child, child_sa->get_name(child_sa)))
+		if ((!ike || streq(ike, peer_cfg->get_name(peer_cfg))) &&
+			streq(child, child_sa->get_name(child_sa)))
 		{
 			reqid = child_sa->get_reqid(child_sa);
 			break;
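Review bot: When `ike` is omitted, the new lookup loop takes the namespace of the first shunt whose child name matches and uninstalls that one, so with the same child name under two connections the caller cannot tell which pass/drop policy was removed. The `DBG1` at the top of this hunk still logs only the child name; logging the resolved namespace after the lookup, e.g. `DBG1(DBG_CFG, "vici uninstall '%s/%s'", ike, child);`, would make the removal auditable. The `strdup(ns)` result is unchecked, though a NULL there only falls through to the trap lookup. uninstall's body continues outside the hunk.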
@@ -626,6 +751,7 @@ CALLBACK(reload_settings, vici_message_t*,
 {
 	if (lib->settings->load_files(lib->settings, lib->conf, FALSE))
 	{
+		charon->load_loggers(charon);
 		lib->plugins->reload(lib->plugins, NULL);
 		return send_reply(this, NULL);
 	}
@@ -646,6 +772,7 @@ static void manage_commands(private_vici_control_t *this, bool reg)
 {
 	manage_command(this, "initiate", initiate, reg);
 	manage_command(this, "terminate", terminate, reg);
+	manage_command(this, "rekey", rekey, reg);
 	manage_command(this, "redirect", redirect, reg);
 	manage_command(this, "install", install, reg);
 	manage_command(this, "uninstall", uninstall, reg);
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index baf285f..6c7c194 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -1,9 +1,11 @@
 /*
+ * Copyright (C) 2015-2016 Andreas Steffen
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015-2016 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -55,6 +57,11 @@ struct private_vici_cred_t {
 	mem_cred_t *creds;
 
 	/**
+	 * separate credential set for token PINs
+	 */
+	mem_cred_t *pins;
+
+	/**
 	 * cache CRLs to disk?
 	 */
 	bool cachecrl;
@@ -249,6 +256,139 @@ CALLBACK(load_key, vici_message_t*,
 	return create_reply(NULL);
 }
 
+CALLBACK(unload_key, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	chunk_t keyid;
+	char buf[BUF_LEN], *hex, *msg = NULL;
+
+	hex = message->get_str(message, NULL, "id");
+	if (!hex)
+	{
+		return create_reply("key id missing");
+	}
+	keyid = chunk_from_hex(chunk_from_str(hex), NULL);
+	snprintf(buf, sizeof(buf), "%+B", &keyid);
+	DBG1(DBG_CFG, "unloaded private key with id %s", buf);
+	if (this->creds->remove_key(this->creds, keyid))
+	{	/* also remove any potential PIN associated with this id */
+		this->pins->remove_shared_unique(this->pins, buf);
+	}
+	else
+	{
+		msg = "key not found";
+	}
+	chunk_free(&keyid);
+	return create_reply(msg);
+}
+
+CALLBACK(get_keys, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	vici_builder_t *builder;
+	enumerator_t *enumerator;
+	private_key_t *private;
+	chunk_t keyid;
+
+	builder = vici_builder_create();
+	builder->begin_list(builder, "keys");
+
+	enumerator = this->creds->set.create_private_enumerator(&this->creds->set,
+															KEY_ANY, NULL);
+	while (enumerator->enumerate(enumerator, &private))
+	{
+		if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &keyid))
+		{
+			builder->add_li(builder, "%+B", &keyid);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	builder->end_list(builder);
+	return builder->finalize(builder);
+}
+
+CALLBACK(load_token, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	vici_builder_t *builder;
+	private_key_t *key;
+	shared_key_t *shared = NULL;
+	identification_t *owner;
+	mem_cred_t *set = NULL;
+	chunk_t handle, fp;
+	char buf[BUF_LEN], *hex, *module, *pin, *unique = NULL;
+	int slot;
+
+	hex = message->get_str(message, NULL, "handle");
+	if (!hex)
+	{
+		return create_reply("keyid missing");
+	}
+	handle = chunk_from_hex(chunk_from_str(hex), NULL);
+	slot = message->get_int(message, -1, "slot");
+	module = message->get_str(message, NULL, "module");
+	pin = message->get_str(message, NULL, "pin");
+
+	if (pin)
+	{	/* provide the pin in a temporary credential set to access the key */
+		shared = shared_key_create(SHARED_PIN, chunk_clone(chunk_from_str(pin)));
+		owner = identification_create_from_encoding(ID_KEY_ID, handle);
+		set = mem_cred_create();
+		set->add_shared(set, shared->get_ref(shared), owner, NULL);
+		lib->credmgr->add_local_set(lib->credmgr, &set->set, FALSE);
+	}
+	if (slot >= 0)
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+						BUILD_PKCS11_KEYID, handle,
+						BUILD_PKCS11_SLOT, slot,
+						module ? BUILD_PKCS11_MODULE : BUILD_END, module,
+						BUILD_END);
+	}
+	else
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+						BUILD_PKCS11_KEYID, handle,
+						module ? BUILD_PKCS11_MODULE : BUILD_END, module,
+						BUILD_END);
+	}
+	if (set)
+	{
+		lib->credmgr->remove_local_set(lib->credmgr, &set->set);
+		set->destroy(set);
+	}
+	if (!key)
+	{
+		chunk_free(&handle);
+		DESTROY_IF(shared);
+		return create_reply("loading private key from token failed");
+	}
+	builder = vici_builder_create();
+	builder->add_kv(builder, "success", "yes");
+	if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp))
+	{
+		snprintf(buf, sizeof(buf), "%+B", &fp);
+		builder->add_kv(builder, "id", "%s", buf);
+		unique = buf;
+	}
+	if (shared && unique)
+	{	/* use the handle as owner, but the key identifier as unique ID */
+		owner = identification_create_from_encoding(ID_KEY_ID, handle);
+		this->pins->add_shared_unique(this->pins, unique, shared,
+									linked_list_create_with_items(owner, NULL));
+	}
+	else
+	{
+		DESTROY_IF(shared);
+	}
+	DBG1(DBG_CFG, "loaded %N private key from token", key_type_names,
+		 key->get_type(key));
+	this->creds->add_key(this->creds, key);
+	chunk_free(&handle);
+	return builder->finalize(builder);
+}
+
 CALLBACK(shared_owners, bool,
 	linked_list_t *owners, vici_message_t *message, char *name, chunk_t value)
 {
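Review bot: `unload_key` emits `DBG1(DBG_CFG, "unloaded private key with id %s", buf)` before `remove_key()` has been called, so the log records an unload even when the reply is "key not found". Moving the `DBG1` into the success branch next to `remove_shared_unique()` keeps the log consistent with the reply. `unload_shared` in the later hunk of this file has the same ordering and always returns success, whether or not the id existed. In `load_token`, the reply for a missing `handle` says "keyid missing", which names a different field than the one the caller omitted.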
@@ -271,11 +411,12 @@ CALLBACK(load_shared, vici_message_t*,
 	shared_key_type_t type;
 	linked_list_t *owners;
 	chunk_t data;
-	char *str, buf[512] = "";
+	char *unique, *str, buf[512] = "";
 	enumerator_t *enumerator;
 	identification_t *owner;
 	int len;
 
+	unique = message->get_str(message, NULL, "id");
 	str = message->get_str(message, NULL, "type");
 	if (!str)
 	{
@@ -289,6 +430,10 @@ CALLBACK(load_shared, vici_message_t*,
 	{
 		type = SHARED_EAP;
 	}
+	else if (strcaseeq(str, "ntlm"))
+	{
+		type = SHARED_NT_HASH;
+	}
 	else
 	{
 		return create_reply("invalid shared key type: %s", str);
@@ -322,15 +467,59 @@ CALLBACK(load_shared, vici_message_t*,
 	}
 	enumerator->destroy(enumerator);
 
-	DBG1(DBG_CFG, "loaded %N shared key for: %s",
-		 shared_key_type_names, type, buf);
+	if (unique)
+	{
+		DBG1(DBG_CFG, "loaded %N shared key with id '%s' for: %s",
+			 shared_key_type_names, type, unique, buf);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "loaded %N shared key for: %s",
+			 shared_key_type_names, type, buf);
+	}
 
-	this->creds->add_shared_list(this->creds,
+	this->creds->add_shared_unique(this->creds, unique,
 						shared_key_create(type, chunk_clone(data)), owners);
 
 	return create_reply(NULL);
 }
 
+CALLBACK(unload_shared, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	char *unique;
+
+	unique = message->get_str(message, NULL, "id");
+	if (!unique)
+	{
+		return create_reply("unique identifier missing");
+	}
+	DBG1(DBG_CFG, "unloaded shared key with id '%s'", unique);
+	this->creds->remove_shared_unique(this->creds, unique);
+	return create_reply(NULL);
+}
+
+CALLBACK(get_shared, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	vici_builder_t *builder;
+	enumerator_t *enumerator;
+	char *unique;
+
+	builder = vici_builder_create();
+	builder->begin_list(builder, "keys");
+
+	enumerator = this->creds->create_unique_shared_enumerator(this->creds);
+	while (enumerator->enumerate(enumerator, &unique))
+	{
+		builder->add_li(builder, "%s", unique);
+	}
+	enumerator->destroy(enumerator);
+
+	builder->end_list(builder);
+	return builder->finalize(builder);
+}
+
 CALLBACK(clear_creds, vici_message_t*,
 	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
@@ -374,7 +563,12 @@ static void manage_commands(private_vici_cred_t *this, bool reg)
 	manage_command(this, "flush-certs", flush_certs, reg);
 	manage_command(this, "load-cert", load_cert, reg);
 	manage_command(this, "load-key", load_key, reg);
+	manage_command(this, "unload-key", unload_key, reg);
+	manage_command(this, "get-keys", get_keys, reg);
+	manage_command(this, "load-token", load_token, reg);
 	manage_command(this, "load-shared", load_shared, reg);
+	manage_command(this, "unload-shared", unload_shared, reg);
+	manage_command(this, "get-shared", get_shared, reg);
 }
 
 METHOD(vici_cred_t, add_cert, certificate_t*,
@@ -390,6 +584,8 @@ METHOD(vici_cred_t, destroy, void,
 
 	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
 	this->creds->destroy(this->creds);
+	lib->credmgr->remove_set(lib->credmgr, &this->pins->set);
+	this->pins->destroy(this->pins);
 	free(this);
 }
 
@@ -414,6 +610,7 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 		},
 		.dispatcher = dispatcher,
 		.creds = mem_cred_create(),
+		.pins = mem_cred_create(),
 	);
 
 	if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
@@ -422,6 +619,7 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 		DBG1(DBG_CFG, "crl caching to %s enabled", CRL_DIR);
 	}
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+	lib->credmgr->add_set(lib->credmgr, &this->pins->set);
 
 	manage_commands(this, TRUE);
 
diff --git a/src/libcharon/plugins/vici/vici_dispatcher.c b/src/libcharon/plugins/vici/vici_dispatcher.c
index ffe0d61..596255b 100644
--- a/src/libcharon/plugins/vici/vici_dispatcher.c
+++ b/src/libcharon/plugins/vici/vici_dispatcher.c
@@ -471,15 +471,17 @@ METHOD(vici_dispatcher_t, manage_event, void,
 METHOD(vici_dispatcher_t, has_event_listeners, bool,
 	private_vici_dispatcher_t *this, char *name)
 {
+	event_t *event;
 	bool retval = FALSE;
 
 	this->mutex->lock(this->mutex);
-	if (this->events->get(this->events, name))
+	event = this->events->get(this->events, name);
+	if (event)
 	{
 		/* the entry might be getting destroyed, but returning
 		 * false positive is not a problem as a later raise_event
 		 * will check things again. */
-		retval = TRUE;
+		retval = array_count(event->clients);
 	}
 	this->mutex->unlock(this->mutex);
 
diff --git a/src/libcharon/plugins/vici/vici_logger.c b/src/libcharon/plugins/vici/vici_logger.c
index 6d3584e..8e7bcfa 100644
--- a/src/libcharon/plugins/vici/vici_logger.c
+++ b/src/libcharon/plugins/vici/vici_logger.c
@@ -95,6 +95,11 @@ METHOD(logger_t, log_, void,
 	private_vici_logger_t *this, debug_t group, level_t level, int thread,
 	ike_sa_t* ike_sa, const char *msg)
 {
+	if (!this->dispatcher->has_event_listeners(this->dispatcher, "log"))
+	{
+		return;
+	}
+
 	this->mutex->lock(this->mutex);
 
 	/* avoid recursive invocations by the vici subsystem */
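Review bot: The new `has_event_listeners()` call runs before the logger's own recursion guard and takes the dispatcher's mutex on every log call. If any dispatcher code path logs at or below `LEVEL_CTRL` while holding that mutex, this would re-enter the lock before the "avoid recursive invocations" check can stop it; whether that can happen depends on dispatcher code not shown here. A comment at the call site, e.g. `/* early exit; must not be reached with the dispatcher mutex held */`, would record the constraint. Alternatively the check could move below the recursion guard. log_'s body continues outside the hunk.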
@@ -130,6 +135,8 @@ METHOD(logger_t, log_, void,
 METHOD(logger_t, get_level, level_t,
 	private_vici_logger_t *this, debug_t group)
 {
+	/* anything higher might produce a loop as sending messages or listening
+	 * for clients might cause log messages itself */
 	return LEVEL_CTRL;
 }
 
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 828b619..c0f4e2d 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -79,6 +79,42 @@ struct private_vici_query_t {
 	time_t uptime;
 };
 
+static void add_mark(vici_builder_t *b, mark_t mark,
+					 char *label, char *mask_label)
+{
+	if (mark.value | mark.mask)
+	{
+		b->add_kv(b, label, "%.8x", mark.value);
+		if (~mark.mask)
+		{
+			b->add_kv(b, mask_label, "%.8x", mark.mask);
+		}
+	}
+}
+
+/**
+ * List the mode of a CHILD_SA or config
+ */
+static void list_mode(vici_builder_t *b, child_sa_t *child, child_cfg_t *cfg)
+{
+	ipsec_mode_t mode;
+	char *sub_mode = "";
+
+	if (child || cfg)
+	{
+		if (!cfg)
+		{
+			cfg = child->get_config(child);
+		}
+		mode = child ? child->get_mode(child) : cfg->get_mode(cfg);
+		if (mode == MODE_TRANSPORT && cfg->use_proxy_mode(cfg))
+		{	/* only report this if the negotiated mode is actually TRANSPORT */
+			sub_mode = "_PROXY";
+		}
+		b->add_kv(b, "mode", "%N%s", ipsec_mode_names, mode, sub_mode);
+	}
+}
+
 /**
  * List details of a CHILD_SA
  */
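Review bot: `add_mark` is the only new helper here without a doc comment, and its two conditions are not obvious: nothing is emitted when value and mask are both zero, and the mask key is omitted when the mask is all ones. Suggest `/** Add a mark to the message; the mask is only added if it is not all ones */` above it. In `list_mode`, `cfg = child->get_config(child)` is dereferenced without a check; presumably a CHILD_SA always has a config, but that is not visible in this hunk.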
@@ -92,10 +128,11 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
 
+	b->add_kv(b, "name", "%s", child->get_name(child));
 	b->add_kv(b, "uniqueid", "%u", child->get_unique_id(child));
 	b->add_kv(b, "reqid", "%u", child->get_reqid(child));
 	b->add_kv(b, "state", "%N", child_sa_state_names, child->get_state(child));
-	b->add_kv(b, "mode", "%N", ipsec_mode_names, child->get_mode(child));
+	list_mode(b, child, NULL);
 	if (child->get_state(child) == CHILD_INSTALLED ||
 		child->get_state(child) == CHILD_REKEYING ||
 		child->get_state(child) == CHILD_REKEYED)
@@ -114,6 +151,8 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 			b->add_kv(b, "cpi-in", "%.4x", ntohs(child->get_cpi(child, TRUE)));
 			b->add_kv(b, "cpi-out", "%.4x", ntohs(child->get_cpi(child, FALSE)));
 		}
+		add_mark(b, child->get_mark(child, TRUE), "mark-in", "mark-mask-in");
+		add_mark(b, child->get_mark(child, FALSE), "mark-out", "mark-mask-out");
 		proposal = child->get_proposal(child);
 		if (proposal)
 		{
@@ -382,6 +421,7 @@ CALLBACK(list_sas, vici_message_t*,
 	char *ike;
 	u_int ike_id;
 	bool bl;
+	char buf[BUF_LEN];
 
 	bl = request->get_str(request, NULL, "noblock") == NULL;
 	ike = request->get_str(request, NULL, "ike");
@@ -410,7 +450,9 @@ CALLBACK(list_sas, vici_message_t*,
 		csas = ike_sa->create_child_sa_enumerator(ike_sa);
 		while (csas->enumerate(csas, &child_sa))
 		{
-			b->begin_section(b, child_sa->get_name(child_sa));
+			snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
+					 child_sa->get_unique_id(child_sa));
+			b->begin_section(b, buf);
 			list_child(this, b, child_sa, now);
 			b->end_section(b);
 		}
@@ -431,16 +473,21 @@ CALLBACK(list_sas, vici_message_t*,
 /**
  * Raise a list-policy event for given CHILD_SA
  */
-static void raise_policy(private_vici_query_t *this, u_int id, child_sa_t *child)
+static void raise_policy(private_vici_query_t *this, u_int id, char *ike,
+						 child_sa_t *child)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
 	vici_builder_t *b;
+	char buf[BUF_LEN];
 
 	b = vici_builder_create();
-	b->begin_section(b, child->get_name(child));
+	snprintf(buf, sizeof(buf), "%s/%s", ike, child->get_name(child));
+	b->begin_section(b, buf);
+	b->add_kv(b, "child", "%s", child->get_name(child));
+	b->add_kv(b, "ike", "%s", ike);
 
-	b->add_kv(b, "mode", "%N", ipsec_mode_names, child->get_mode(child));
+	list_mode(b, child, NULL);
 
 	b->begin_list(b, "local-ts");
 	enumerator = child->create_ts_enumerator(child, TRUE);
@@ -469,18 +516,26 @@ static void raise_policy(private_vici_query_t *this, u_int id, child_sa_t *child
 /**
  * Raise a list-policy event for given CHILD_SA config
  */
-static void raise_policy_cfg(private_vici_query_t *this, u_int id,
+static void raise_policy_cfg(private_vici_query_t *this, u_int id, char *ike,
 							 child_cfg_t *cfg)
 {
 	enumerator_t *enumerator;
 	linked_list_t *list;
 	traffic_selector_t *ts;
 	vici_builder_t *b;
+	char buf[BUF_LEN];
 
 	b = vici_builder_create();
-	b->begin_section(b, cfg->get_name(cfg));
+	snprintf(buf, sizeof(buf), "%s%s%s", ike ? ike : "", ike ? "/" : "",
+			 cfg->get_name(cfg));
+	b->begin_section(b, buf);
+	b->add_kv(b, "child", "%s", cfg->get_name(cfg));
+	if (ike)
+	{
+		b->add_kv(b, "ike", "%s", ike);
+	}
 
-	b->add_kv(b, "mode", "%N", ipsec_mode_names, cfg->get_mode(cfg));
+	list_mode(b, NULL, cfg);
 
 	b->begin_list(b, "local-ts");
 	list = cfg->get_traffic_selectors(cfg, TRUE, NULL, NULL);
@@ -516,25 +571,28 @@ CALLBACK(list_policies, vici_message_t*,
 	enumerator_t *enumerator;
 	vici_builder_t *b;
 	child_sa_t *child_sa;
+	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
 	bool drop, pass, trap;
-	char *child;
+	char *child, *ike, *ns;
 
 	drop = request->get_str(request, NULL, "drop") != NULL;
 	pass = request->get_str(request, NULL, "pass") != NULL;
 	trap = request->get_str(request, NULL, "trap") != NULL;
 	child = request->get_str(request, NULL, "child");
+	ike = request->get_str(request, NULL, "ike");
 
 	if (trap)
 	{
 		enumerator = charon->traps->create_enumerator(charon->traps);
-		while (enumerator->enumerate(enumerator, NULL, &child_sa))
+		while (enumerator->enumerate(enumerator, &peer_cfg, &child_sa))
 		{
-			if (child && !streq(child, child_sa->get_name(child_sa)))
+			if ((ike && !streq(ike, peer_cfg->get_name(peer_cfg))) ||
+				(child && !streq(child, child_sa->get_name(child_sa))))
 			{
 				continue;
 			}
-			raise_policy(this, id, child_sa);
+			raise_policy(this, id, peer_cfg->get_name(peer_cfg), child_sa);
 		}
 		enumerator->destroy(enumerator);
 	}
@@ -542,9 +600,10 @@ CALLBACK(list_policies, vici_message_t*,
 	if (drop || pass)
 	{
 		enumerator = charon->shunts->create_enumerator(charon->shunts);
-		while (enumerator->enumerate(enumerator, &child_cfg))
+		while (enumerator->enumerate(enumerator, &ns, &child_cfg))
 		{
-			if (child && !streq(child, child_cfg->get_name(child_cfg)))
+			if ((ike && !streq(ike, ns)) ||
+				(child && !streq(child, child_cfg->get_name(child_cfg))))
 			{
 				continue;
 			}
@@ -553,13 +612,13 @@ CALLBACK(list_policies, vici_message_t*,
 				case MODE_DROP:
 					if (drop)
 					{
-						raise_policy_cfg(this, id, child_cfg);
+						raise_policy_cfg(this, id, ns, child_cfg);
 					}
 					break;
 				case MODE_PASS:
 					if (pass)
 					{
-						raise_policy_cfg(this, id, child_cfg);
+						raise_policy_cfg(this, id, ns, child_cfg);
 					}
 					break;
 				default:
@@ -731,6 +790,8 @@ CALLBACK(list_conns, vici_message_t*,
 			peer_cfg->get_reauth_time(peer_cfg, FALSE));
 		b->add_kv(b, "rekey_time", "%u",
 			peer_cfg->get_rekey_time(peer_cfg, FALSE));
+		b->add_kv(b, "unique", "%N", unique_policy_names,
+			peer_cfg->get_unique_policy(peer_cfg));
 
 		build_auth_cfgs(peer_cfg, TRUE, b);
 		build_auth_cfgs(peer_cfg, FALSE, b);
@@ -742,8 +803,7 @@ CALLBACK(list_conns, vici_message_t*,
 		{
 			b->begin_section(b, child_cfg->get_name(child_cfg));
 
-			b->add_kv(b, "mode", "%N", ipsec_mode_names,
-				child_cfg->get_mode(child_cfg));
+			list_mode(b, NULL, child_cfg);
 
 			lft = child_cfg->get_lifetime(child_cfg, FALSE);
 			b->add_kv(b, "rekey_time",    "%"PRIu64, lft->time.rekey);
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 2e7bf02..b859613 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -367,7 +367,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -402,6 +401,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index 541bec9..a6554d6 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index 50a6c80..87d627b 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index e2353a4..13fb71a 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 048e4d5..821d46e 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c
index a394e9d..53a1705 100644
--- a/src/libcharon/processing/jobs/delete_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c
@@ -93,7 +93,8 @@ METHOD(job_t, execute, job_requeue_t,
 			}
 			else
 			{
-				DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
+				DBG1(DBG_JOB, "deleting half open IKE_SA with %H after "
+					 "timeout", ike_sa->get_other_host(ike_sa));
 				charon->bus->alert(charon->bus, ALERT_HALF_OPEN_TIMEOUT);
 				charon->ike_sa_manager->checkin_and_destroy(
 												charon->ike_sa_manager, ike_sa);
diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
index 6c01ffe..1082eae 100644
--- a/src/libcharon/processing/jobs/initiate_mediation_job.c
+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
@@ -82,8 +82,25 @@ METHOD(job_t, initiate, job_requeue_t,
 
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediated_sa);
 
-		mediation_cfg = mediated_cfg->get_mediated_by(mediated_cfg);
-		mediation_cfg->get_ref(mediation_cfg);
+		mediation_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
+								mediated_cfg->get_mediated_by(mediated_cfg));
+		if (!mediation_cfg)
+		{
+			DBG1(DBG_IKE, "mediation connection '%s' not found, aborting",
+				 mediated_cfg->get_mediated_by(mediated_cfg));
+			mediated_cfg->destroy(mediated_cfg);
+			return JOB_REQUEUE_NONE;
+		}
+		if (!mediation_cfg->is_mediation(mediation_cfg))
+		{
+			DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is no "
+				 "mediation connection, aborting",
+				 mediated_cfg->get_mediated_by(mediated_cfg),
+				 mediated_cfg->get_name(mediated_cfg));
+			mediated_cfg->destroy(mediated_cfg);
+			mediation_cfg->destroy(mediation_cfg);
+			return JOB_REQUEUE_NONE;
+		}
 
 		enumerator = mediation_cfg->create_auth_cfg_enumerator(mediation_cfg,
 															   TRUE);
diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
index 5e88ac2..654ec6a 100644
--- a/src/libcharon/processing/jobs/start_action_job.c
+++ b/src/libcharon/processing/jobs/start_action_job.c
@@ -68,7 +68,9 @@ METHOD(job_t, execute, job_requeue_t,
 					mode = child_cfg->get_mode(child_cfg);
 					if (mode == MODE_PASS || mode == MODE_DROP)
 					{
-						charon->shunts->install(charon->shunts, child_cfg);
+						charon->shunts->install(charon->shunts,
+												peer_cfg->get_name(peer_cfg),
+												child_cfg);
 					}
 					else
 					{
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index e4364de..b9dd59b 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1,5 +1,5 @@
 /*
- * Coypright (C) 2016 Andreas Steffen
+ * Copyright (C) 2016 Andreas Steffen
  * Copyright (C) 2006-2016 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
@@ -479,7 +479,6 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 				.dst = this->my_addr,
 				.spi = this->my_spi,
 				.proto = proto_ike2ip(this->protocol),
-				.mark = this->mark_in,
 			};
 			kernel_ipsec_query_sa_t query = {};
 
@@ -495,9 +494,11 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 					{
 						this->my_usetime = time;
 					}
-					return SUCCESS;
 				}
-				return FAILED;
+				else
+				{
+					status = FAILED;
+				}
 			}
 		}
 	}
@@ -526,9 +527,11 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 					{
 						this->other_usetime = time;
 					}
-					return SUCCESS;
 				}
-				return FAILED;
+				else
+				{
+					status = FAILED;
+				}
 			}
 		}
 	}
@@ -797,7 +800,7 @@ METHOD(child_sa_t, install, status_t,
 		.dst = dst,
 		.spi = spi,
 		.proto = proto_ike2ip(this->protocol),
-		.mark = inbound ? this->mark_in : this->mark_out,
+		.mark = inbound ? (mark_t){} : this->mark_out,
 	};
 	sa = (kernel_ipsec_add_sa_t){
 		.reqid = this->reqid,
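Review bot: `.mark = inbound ? (mark_t){} : this->mark_out` stops applying `mark_in` to the inbound SA, and nothing at this line says why; the `.mark = this->mark_in` removals in update_usebytes, update and destroy depend on the same decision. A short comment here, e.g. `/* inbound SAs are installed without mark, so query/update/delete must not pass mark_in either */`, would keep the four sites from drifting apart. `(mark_t){}` with empty braces is a GNU extension under C11; the file already uses `= {}`, so this is consistent, but `(mark_t){ 0 }` would be portable. install's body starts and ends outside the hunk.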
@@ -1144,7 +1147,6 @@ METHOD(child_sa_t, update, status_t,
 				.dst = this->my_addr,
 				.spi = this->my_spi,
 				.proto = proto_ike2ip(this->protocol),
-				.mark = this->mark_in,
 			};
 			kernel_ipsec_update_sa_t sa = {
 				.cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
@@ -1319,7 +1321,6 @@ METHOD(child_sa_t, destroy, void,
 			.dst = this->my_addr,
 			.spi = this->my_spi,
 			.proto = proto_ike2ip(this->protocol),
-			.mark = this->mark_in,
 		};
 		kernel_ipsec_del_sa_t sa = {
 			.cpi = this->my_cpi,
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 7b87918..76e1069 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -617,6 +617,12 @@ METHOD(ike_sa_t, set_message_id, void,
 	}
 }
 
+METHOD(ike_sa_t, get_message_id, uint32_t,
+	private_ike_sa_t *this, bool initiate)
+{
+	return this->task_manager->get_mid(this->task_manager, initiate);
+}
+
 METHOD(ike_sa_t, send_keepalive, void,
 	private_ike_sa_t *this, bool scheduled)
 {
@@ -756,6 +762,10 @@ METHOD(ike_sa_t, send_dpd, status_t,
 	{
 		return INVALID_STATE;
 	}
+	if (this->version == IKEV1 && this->state == IKE_REKEYING)
+	{	/* don't send DPDs for rekeyed IKEv1 SAs */
+		return SUCCESS;
+	}
 	delay = this->peer_cfg->get_dpd(this->peer_cfg);
 	if (this->task_manager->busy(this->task_manager))
 	{
@@ -2436,6 +2446,25 @@ static bool is_current_path_valid(private_ike_sa_t *this)
 {
 	bool valid = FALSE;
 	host_t *src;
+
+	if (supports_extension(this, EXT_MOBIKE) &&
+		lib->settings->get_bool(lib->settings,
+								"%s.prefer_best_path", FALSE, lib->ns))
+	{
+		/* check if the current path is the best path; migrate otherwise */
+		src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
+											  NULL);
+		if (src)
+		{
+			valid = src->ip_equals(src, this->my_host);
+			src->destroy(src);
+		}
+		if (!valid)
+		{
+			DBG1(DBG_IKE, "old path is not preferred anymore");
+		}
+		return valid;
+	}
 	src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
 										  this->my_host);
 	if (src)
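Review bot: In the new `prefer_best_path` branch, `old path is not preferred anymore` is logged for every `!valid` result, including the case where `get_source_addr()` returned NULL and no source address was found at all. The log then suggests a better path exists when there may be none. Logging a separate message when `src` is NULL, or moving the `DBG1` into the `if (src)` block for the mismatch case, would keep the two situations apart for whoever reads the log during an outage. The rest of `is_current_path_valid` lies outside this hunk.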
@@ -2446,6 +2475,10 @@ static bool is_current_path_valid(private_ike_sa_t *this)
 		}
 		src->destroy(src);
 	}
+	if (!valid)
+	{
+		DBG1(DBG_IKE, "old path is not available anymore, try to find another");
+	}
 	return valid;
 }
 
@@ -2472,7 +2505,6 @@ static bool is_any_path_valid(private_ike_sa_t *this)
 			break;
 	}
 
-	DBG1(DBG_IKE, "old path is not available anymore, try to find another");
 	enumerator = create_peer_address_enumerator(this);
 	while (enumerator->enumerate(enumerator, &addr))
 	{
@@ -2511,6 +2543,16 @@ METHOD(ike_sa_t, roam, status_t,
 			break;
 	}
 
+	/* ignore roam events if MOBIKE is not supported/enabled and the local
+	 * address is statically configured */
+	if (this->version == IKEV2 && !supports_extension(this, EXT_MOBIKE) &&
+		ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE))
+	{
+		DBG2(DBG_IKE, "keeping statically configured path %H - %H",
+			 this->my_host, this->other_host);
+		return SUCCESS;
+	}
+
 	/* keep existing path if possible */
 	if (is_current_path_valid(this))
 	{
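Review bot: The comment on the new early return in `roam` should say how a dead path is noticed once roam events are ignored. `ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE)` appears to establish only that the address is configured, and `is_current_path_valid()` is skipped on this path. If the intent is to leave failure detection to DPD or retransmission timeouts, state that in the comment, e.g. `/* ... statically configured; a failed path is then only detected via DPD/retransmits */`. `roam` begins and ends outside the hunk.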
@@ -2885,6 +2927,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 			.get_other_host = _get_other_host,
 			.set_other_host = _set_other_host,
 			.set_message_id = _set_message_id,
+			.get_message_id = _get_message_id,
 			.float_ports = _float_ports,
 			.update_hosts = _update_hosts,
 			.get_my_id = _get_my_id,
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 6f5040d..c8ba2fd 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -151,6 +151,11 @@ enum ike_extension_t {
 	 * IKEv2 Redirect Mechanism, RFC 5685
 	 */
 	EXT_IKE_REDIRECTION = (1<<13),
+
+	/**
+	 * IKEv2 Message ID sync, RFC 6311
+	 */
+	EXT_IKE_MESSAGE_ID_SYNC = (1<<14),
 };
 
 /**
@@ -554,7 +559,7 @@ struct ike_sa_t {
 	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
 
 	/**
-	 * Set the message id of the IKE_SA.
+	 * Set the message ID of the IKE_SA.
 	 *
 	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
 	 * and one to respond to exchanges (expect).
@@ -565,6 +570,17 @@ struct ike_sa_t {
 	void (*set_message_id)(ike_sa_t *this, bool initiate, uint32_t mid);
 
 	/**
+	 * Get the message ID of the IKE_SA.
+	 *
+	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
+	 * and one to respond to exchanges (expect).
+	 *
+	 * @param initiate		TRUE to get message ID for initiating
+	 * @return				current message
+	 */
+	uint32_t (*get_message_id)(ike_sa_t *this, bool initiate);
+
+	/**
 	 * Add an additional address for the peer.
 	 *
 	 * In MOBIKE, a peer may transmit additional addresses where it is
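Review bot: The `@return` line for `get_message_id` reads `current message`, which drops the word that matters; it should be `@return current message ID`. The `@param initiate` text also describes only the TRUE case, so `TRUE to get message ID for initiating, FALSE for responding` would be clearer. The same wording gap may exist on `set_message_id`, whose parameter docs are outside this hunk.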
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index ce44207..6bd49a0 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -2303,7 +2303,6 @@ ike_sa_manager_t *ike_sa_manager_create()
 	for (i = 0; i < this->segment_count; i++)
 	{
 		this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-		this->segments[i].count = 0;
 	}
 
 	/* we use the same table parameters for the table to track half-open SAs */
@@ -2312,7 +2311,6 @@ ike_sa_manager_t *ike_sa_manager_create()
 	for (i = 0; i < this->segment_count; i++)
 	{
 		this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-		this->half_open_segments[i].count = 0;
 	}
 
 	/* also for the hash table used for duplicate tests */
@@ -2321,7 +2319,6 @@ ike_sa_manager_t *ike_sa_manager_create()
 	for (i = 0; i < this->segment_count; i++)
 	{
 		this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-		this->connected_peers_segments[i].count = 0;
 	}
 
 	/* and again for the table of hashes of seen initial IKE messages */
@@ -2330,7 +2327,6 @@ ike_sa_manager_t *ike_sa_manager_create()
 	for (i = 0; i < this->segment_count; i++)
 	{
 		this->init_hashes_segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-		this->init_hashes_segments[i].count = 0;
 	}
 
 	this->reuse_ikesa = lib->settings->get_bool(lib->settings,
diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
index 5debeeb..ddb8c65 100644
--- a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
@@ -81,7 +81,7 @@ METHOD(authenticator_t, build, status_t,
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-					this->id_payload, &hash))
+					this->id_payload, &hash, NULL))
 	{
 		free(dh.ptr);
 		return FAILED;
@@ -118,7 +118,7 @@ METHOD(authenticator_t, process, status_t,
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-					this->id_payload, &hash))
+					this->id_payload, &hash, NULL))
 	{
 		free(dh.ptr);
 		return FAILED;
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
index eee7dd1..344c1bf 100644
--- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
@@ -102,7 +102,7 @@ METHOD(authenticator_t, build, status_t,
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-					this->id_payload, &hash))
+					this->id_payload, &hash, &scheme))
 	{
 		private->destroy(private);
 		free(dh.ptr);
@@ -163,7 +163,7 @@ METHOD(authenticator_t, process, status_t,
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-					this->id_payload, &hash))
+					this->id_payload, &hash, &scheme))
 	{
 		free(dh.ptr);
 		return FAILED;
diff --git a/src/libcharon/sa/ikev1/iv_manager.c b/src/libcharon/sa/ikev1/iv_manager.c
new file mode 100644
index 0000000..c9f737c
--- /dev/null
+++ b/src/libcharon/sa/ikev1/iv_manager.c
@@ -0,0 +1,355 @@
+/*
+ * Copyright (C) 2011-2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "iv_manager.h"
+
+#include <collections/linked_list.h>
+
+/**
+ * Max. number of IVs/QMs to track.
+ */
+#define MAX_EXCHANGES_DEFAULT 3
+
+typedef struct private_iv_manager_t private_iv_manager_t;
+typedef struct iv_data_t iv_data_t;
+typedef struct qm_data_t qm_data_t;
+
+/**
+ * Data stored for IVs.
+ */
+struct iv_data_t {
+	/**
+	 * message ID
+	 */
+	uint32_t mid;
+
+	/**
+	 * current IV
+	 */
+	chunk_t iv;
+
+	/**
+	 * last block of encrypted message
+	 */
+	chunk_t last_block;
+};
+
+/**
+ * Private data of a iv_manager_t object.
+ */
+struct private_iv_manager_t {
+	/**
+	 * Implement public interface.
+	 */
+	iv_manager_t public;
+
+	/**
+	 * Phase 1 IV.
+	 */
+	iv_data_t phase1_iv;
+
+	/**
+	 * Keep track of IVs for exchanges after phase 1. We store only a limited
+	 * number of IVs in an MRU sort of way. Stores iv_data_t objects.
+	 */
+	linked_list_t *ivs;
+
+	/**
+	 * Keep track of Nonces during Quick Mode exchanges. Only a limited number
+	 * of QMs are tracked at the same time. Stores qm_data_t objects.
+	 */
+	linked_list_t *qms;
+
+	/**
+	 * Max. number of IVs/Quick Modes to track.
+	 */
+	int max_exchanges;
+
+	/**
+	 * Hasher used for IV generation.
+	 */
+	hasher_t *hasher;
+
+	/*
+	 * Encryption algorithm the block size.
+	 */
+	size_t block_size;
+};
+
+/**
+ * Data stored for Quick Mode exchanges.
+ */
+struct qm_data_t {
+	/**
+	 * Message ID.
+	 */
+	uint32_t mid;
+
+	/**
+	 * Ni_b (Nonce from first message).
+	 */
+	chunk_t n_i;
+
+	/**
+	 * Nr_b (Nonce from second message).
+	 */
+	chunk_t n_r;
+};
+
+/**
+ * Destroy an iv_data_t object.
+ */
+static void iv_data_destroy(iv_data_t *this)
+{
+	chunk_free(&this->last_block);
+	chunk_free(&this->iv);
+	free(this);
+}
+
+/**
+ * Destroy a qm_data_t object.
+ */
+static void qm_data_destroy(qm_data_t *this)
+{
+	chunk_free(&this->n_i);
+	chunk_free(&this->n_r);
+	free(this);
+}
+
+/**
+ * Generate an IV.
+ */
+static bool generate_iv(private_iv_manager_t *this, iv_data_t *iv)
+{
+	if (iv->mid == 0 || iv->iv.ptr)
+	{	/* use last block of previous encrypted message */
+		chunk_free(&iv->iv);
+		iv->iv = iv->last_block;
+		iv->last_block = chunk_empty;
+	}
+	else
+	{
+		/* initial phase 2 IV = hash(last_phase1_block | mid) */
+		uint32_t net;;
+		chunk_t data;
+
+		net = htonl(iv->mid);
+		data = chunk_cata("cc", this->phase1_iv.iv, chunk_from_thing(net));
+		if (!this->hasher->allocate_hash(this->hasher, data, &iv->iv))
+		{
+			return FALSE;
+		}
+		if (iv->iv.len > this->block_size)
+		{
+			iv->iv.len = this->block_size;
+		}
+	}
+	DBG4(DBG_IKE, "next IV for MID %u %B", iv->mid, &iv->iv);
+	return TRUE;
+}
+
+/**
+ * Try to find an IV for the given message ID, if not found, generate it.
+ */
+static iv_data_t *lookup_iv(private_iv_manager_t *this, uint32_t mid)
+{
+	enumerator_t *enumerator;
+	iv_data_t *iv, *found = NULL;
+
+	if (mid == 0)
+	{
+		return &this->phase1_iv;
+	}
+
+	enumerator = this->ivs->create_enumerator(this->ivs);
+	while (enumerator->enumerate(enumerator, &iv))
+	{
+		if (iv->mid == mid)
+		{	/* IV gets moved to the front of the list */
+			this->ivs->remove_at(this->ivs, enumerator);
+			found = iv;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		INIT(found,
+			.mid = mid,
+		);
+		if (!generate_iv(this, found))
+		{
+			iv_data_destroy(found);
+			return NULL;
+		}
+	}
+	this->ivs->insert_first(this->ivs, found);
+	/* remove least recently used IV if maximum reached */
+	if (this->ivs->get_count(this->ivs) > this->max_exchanges &&
+		this->ivs->remove_last(this->ivs, (void**)&iv) == SUCCESS)
+	{
+		iv_data_destroy(iv);
+	}
+	return found;
+}
+
+METHOD(iv_manager_t, init_iv_chain, bool,
+	private_iv_manager_t *this, chunk_t data, hasher_t *hasher,
+	size_t block_size)
+{
+	this->hasher = hasher;
+	this->block_size = block_size;
+
+	if (!this->hasher->allocate_hash(this->hasher, data, &this->phase1_iv.iv))
+	{
+		return FALSE;
+	}
+	if (this->phase1_iv.iv.len > this->block_size)
+	{
+		this->phase1_iv.iv.len = this->block_size;
+	}
+	DBG4(DBG_IKE, "initial IV %B", &this->phase1_iv.iv);
+	return TRUE;
+}
+
+METHOD(iv_manager_t, get_iv, bool,
+	private_iv_manager_t *this, uint32_t mid, chunk_t *out)
+{
+	iv_data_t *iv;
+
+	iv = lookup_iv(this, mid);
+	if (iv)
+	{
+		*out = iv->iv;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(iv_manager_t, update_iv, bool,
+	private_iv_manager_t *this, uint32_t mid, chunk_t last_block)
+{
+	iv_data_t *iv = lookup_iv(this, mid);
+	if (iv)
+	{	/* update last block */
+		chunk_free(&iv->last_block);
+		iv->last_block = chunk_clone(last_block);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(iv_manager_t, confirm_iv, bool,
+	private_iv_manager_t *this, uint32_t mid)
+{
+	iv_data_t *iv = lookup_iv(this, mid);
+	if (iv)
+	{
+		return generate_iv(this, iv);
+	}
+	return FALSE;
+}
+
+METHOD(iv_manager_t, lookup_quick_mode, void,
+	private_iv_manager_t *this, uint32_t mid, chunk_t **n_i, chunk_t **n_r)
+{
+	enumerator_t *enumerator;
+	qm_data_t *qm, *found = NULL;
+
+	enumerator = this->qms->create_enumerator(this->qms);
+	while (enumerator->enumerate(enumerator, &qm))
+	{
+		if (qm->mid == mid)
+		{	/* state gets moved to the front of the list */
+			this->qms->remove_at(this->qms, enumerator);
+			found = qm;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		INIT(found,
+			.mid = mid,
+		);
+	}
+
+	*n_i = &found->n_i;
+	*n_r = &found->n_r;
+
+	this->qms->insert_first(this->qms, found);
+	/* remove least recently used state if maximum reached */
+	if (this->qms->get_count(this->qms) > this->max_exchanges &&
+		this->qms->remove_last(this->qms, (void**)&qm) == SUCCESS)
+	{
+		qm_data_destroy(qm);
+	}
+}
+
+METHOD(iv_manager_t, remove_quick_mode, void,
+	private_iv_manager_t *this, uint32_t mid)
+{
+	enumerator_t *enumerator;
+	qm_data_t *qm;
+
+	enumerator = this->qms->create_enumerator(this->qms);
+	while (enumerator->enumerate(enumerator, &qm))
+	{
+		if (qm->mid == mid)
+		{
+			this->qms->remove_at(this->qms, enumerator);
+			qm_data_destroy(qm);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(iv_manager_t, destroy, void,
+	private_iv_manager_t *this)
+{
+	chunk_free(&this->phase1_iv.iv);
+	chunk_free(&this->phase1_iv.last_block);
+	this->ivs->destroy_function(this->ivs, (void*)iv_data_destroy);
+	this->qms->destroy_function(this->qms, (void*)qm_data_destroy);
+	free(this);
+}
+
+iv_manager_t *iv_manager_create(int max_exchanges)
+{
+	private_iv_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.init_iv_chain = _init_iv_chain,
+			.get_iv = _get_iv,
+			.update_iv = _update_iv,
+			.confirm_iv = _confirm_iv,
+			.lookup_quick_mode = _lookup_quick_mode,
+			.remove_quick_mode = _remove_quick_mode,
+			.destroy = _destroy,
+		},
+		.ivs = linked_list_create(),
+		.qms = linked_list_create(),
+		.max_exchanges = max_exchanges,
+	);
+
+	if (!this->max_exchanges)
+	{
+		this->max_exchanges = lib->settings->get_int(lib->settings,
+					"%s.max_ikev1_exchanges", MAX_EXCHANGES_DEFAULT, lib->ns);
+	}
+	return &this->public;
+}
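Review bot: `max_exchanges` is never checked for a lower bound in `iv_manager_create()`, while `lookup_iv()` and `lookup_quick_mode()` both insert the entry they are about to return at the head of the list and then evict the tail when `get_count() > max_exchanges`. If the argument is negative, or the `max_ikev1_exchanges` setting resolves to 0 or less, the list holds a single element at that point. The evicted entry is then the one just inserted, and the caller receives a pointer to freed memory. Clamping after the settings lookup avoids that: `if (this->max_exchanges < 1) { this->max_exchanges = 1; }`. Separately, `uint32_t net;;` in `generate_iv()` has a stray semicolon and the `block_size` member comment opens with `/*` rather than `/**`.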
diff --git a/src/libcharon/sa/ikev1/iv_manager.h b/src/libcharon/sa/ikev1/iv_manager.h
new file mode 100644
index 0000000..c5273fe
--- /dev/null
+++ b/src/libcharon/sa/ikev1/iv_manager.h
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2011-2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup iv_manager iv_manager
+ * @{ @ingroup ikev1
+ */
+
+#ifndef IV_MANAGER_H_
+#define IV_MANAGER_H_
+
+#include <utils/chunk.h>
+#include <crypto/hashers/hasher.h>
+
+typedef struct iv_manager_t iv_manager_t;
+
+/**
+ * IV and QM managing instance for IKEv1. Keeps track of phase 2 exchanges
+ * and IV, as well as the phase 1 IV.
+ */
+struct iv_manager_t {
+
+	/**
+	 * Set the value of the first phase1 IV.
+	 *
+	 * @param data			input to calc initial IV from (g^xi | g^xr)
+	 * @param hasher		hasher to be used for IV calculation
+	 * 						(shared with keymat, must not be destroyed here)
+	 * @param block_size	cipher block size of aead
+	 * @return				TRUE for success, FALSE otherwise
+	 */
+	bool (*init_iv_chain)(iv_manager_t *this, chunk_t data, hasher_t *hasher,
+						  size_t block_size);
+
+	/**
+	 * Returns the IV for a message with the given message ID.
+	 *
+	 * The return chunk contains internal data and is valid until the next
+	 * get_iv/udpate_iv/confirm_iv() call.
+	 *
+	 * @param mid			message ID
+	 * @param iv			chunk receiving IV, internal data
+	 * @return				TRUE if IV allocated successfully
+	 */
+	bool (*get_iv)(iv_manager_t *this, uint32_t mid, chunk_t *iv);
+
+	/**
+	 * Updates the IV for the next message with the given message ID.
+	 *
+	 * A call of confirm_iv() is required in order to actually make the IV
+	 * available.  This is needed for the inbound case where we store the last
+	 * block of the encrypted message but want to update the IV only after
+	 * verification of the decrypted message.
+	 *
+	 * @param mid			message ID
+	 * @param last_block	last block of encrypted message (gets cloned)
+	 * @return				TRUE if IV updated successfully
+	 */
+	bool (*update_iv)(iv_manager_t *this, uint32_t mid, chunk_t last_block);
+
+	/**
+	 * Confirms the updated IV for the given message ID.
+	 *
+	 * To actually make the new IV available via get_iv() this method has to
+	 * be called after update_iv().
+	 *
+	 * @param mid			message ID
+	 * @return				TRUE if IV confirmed successfully
+	 */
+	bool (*confirm_iv)(iv_manager_t *this, uint32_t mid);
+
+	/**
+	 * Try to find a QM for the given message ID, if not found, generate it.
+	 * The nonces shall be assigned by the caller if they are not set yet.
+	 *
+	 * @param mid			message ID
+	 * @param n_i			chunk pointer to contain Ni_b (Nonce from first
+	 * 						message)
+	 * @param n_r			chunk pointer to contain Nr_b (Nonce from second
+	 * 						message)
+	 */
+	void (*lookup_quick_mode)(iv_manager_t *this, uint32_t mid, chunk_t **n_i,
+							  chunk_t **n_r);
+
+	/**
+	 * Remove the QM for the given message ID.
+	 *
+	 * @param mid			message ID
+	 */
+	void (*remove_quick_mode)(iv_manager_t *this, uint32_t mid);
+
+	/*
+	 * Destroy a iv_manager_t.
+	 */
+	void (*destroy)(iv_manager_t *this);
+};
+
+/**
+ * Create an IV and QM manager which is able to store up to max_exchanges
+ * initialization vectors and quick modes.
+ *
+ * @param max_exchanges		maximum number of IVs and QMs to be stored, set
+ * 							to 0 to use default (3, or as configured)
+ * @return					IV and QM manager instance
+ */
+iv_manager_t *iv_manager_create(int max_exchanges);
+
+#endif /** IV_MANAGER_H_ @}*/
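Review bot: The `lookup_quick_mode` documentation does not say how long the returned `n_i`/`n_r` pointers stay valid. In iv_manager.c they point into a list entry that `remove_quick_mode()` frees and that a later `lookup_quick_mode()` can evict once more than `max_exchanges` Quick Modes are tracked. I would add a sentence like the one on `get_iv`: `The returned pointers reference internal data and are valid until the next lookup_quick_mode()/remove_quick_mode() call.` Two smaller items: `udpate_iv` in the `get_iv` comment is a typo for `update_iv`, and the `destroy` comment opens with `/*` instead of `/**`, so Doxygen will likely skip it.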
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index d1d4cbd..673a7a1 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -16,30 +16,13 @@
 #include "keymat_v1.h"
 
 #include <daemon.h>
+#include <sa/ikev1/iv_manager.h>
 #include <encoding/generator.h>
 #include <encoding/payloads/nonce_payload.h>
-#include <collections/linked_list.h>
 
 typedef struct private_keymat_v1_t private_keymat_v1_t;
 
 /**
- * Max. number of IVs/QMs to track.
- */
-#define MAX_EXCHANGES_DEFAULT 3
-
-/**
- * Data stored for IVs
- */
-typedef struct {
-	/** message ID */
-	uint32_t mid;
-	/** current IV */
-	chunk_t iv;
-	/** last block of encrypted message */
-	chunk_t last_block;
-} iv_data_t;
-
-/**
  * Private data of an keymat_t object.
  */
 struct private_keymat_v1_t {
@@ -85,61 +68,11 @@ struct private_keymat_v1_t {
 	chunk_t skeyid_a;
 
 	/**
-	 * Phase 1 IV
-	 */
-	iv_data_t phase1_iv;
-
-	/**
-	 * Keep track of IVs for exchanges after phase 1. We store only a limited
-	 * number of IVs in an MRU sort of way. Stores iv_data_t objects.
-	 */
-	linked_list_t *ivs;
-
-	/**
-	 * Keep track of Nonces during Quick Mode exchanges. Only a limited number
-	 * of QMs are tracked at the same time. Stores qm_data_t objects.
+	 * IV and QM manager
 	 */
-	linked_list_t *qms;
-
-	/**
-	 * Max. number of IVs/Quick Modes to track.
-	 */
-	int max_exchanges;
+	iv_manager_t *iv_manager;
 };
 
-
-/**
- * Destroy an iv_data_t object.
- */
-static void iv_data_destroy(iv_data_t *this)
-{
-	chunk_free(&this->last_block);
-	chunk_free(&this->iv);
-	free(this);
-}
-
-/**
- * Data stored for Quick Mode exchanges
- */
-typedef struct {
-	/** message ID */
-	uint32_t mid;
-	/** Ni_b (Nonce from first message) */
-	chunk_t n_i;
-	/** Nr_b (Nonce from second message) */
-	chunk_t n_r;
-} qm_data_t;
-
-/**
- * Destroy a qm_data_t object.
- */
-static void qm_data_destroy(qm_data_t *this)
-{
-	chunk_free(&this->n_i);
-	chunk_free(&this->n_r);
-	free(this);
-}
-
 /**
  * Constants used in key derivation.
  */
@@ -567,17 +500,8 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
 	/* initial IV = hash(g^xi | g^xr) */
 	data = chunk_cata("cc", g_xi, g_xr);
 	chunk_free(&dh_me);
-	if (!this->hasher->allocate_hash(this->hasher, data, &this->phase1_iv.iv))
-	{
-		return FALSE;
-	}
-	if (this->phase1_iv.iv.len > this->aead->get_block_size(this->aead))
-	{
-		this->phase1_iv.iv.len = this->aead->get_block_size(this->aead);
-	}
-	DBG4(DBG_IKE, "initial IV %B", &this->phase1_iv.iv);
-
-	return TRUE;
+	return this->iv_manager->init_iv_chain(this->iv_manager, data, this->hasher,
+										this->aead->get_block_size(this->aead));
 }
 
 METHOD(keymat_v1_t, derive_child_keys, bool,
@@ -748,7 +672,8 @@ METHOD(keymat_v1_t, get_hasher, hasher_t*,
 
 METHOD(keymat_v1_t, get_hash, bool,
 	private_keymat_v1_t *this, bool initiator, chunk_t dh, chunk_t dh_other,
-	ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash)
+	ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash,
+	signature_scheme_t *scheme)
 {
 	chunk_t data;
 	uint64_t spi, spi_other;
@@ -843,47 +768,11 @@ static chunk_t get_message_data(message_t *message, generator_t *generator)
 	return generator->get_chunk(generator, &lenpos);
 }
 
-/**
- * Try to find data about a Quick Mode with the given message ID,
- * if none is found, state is generated.
- */
-static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, uint32_t mid)
-{
-	enumerator_t *enumerator;
-	qm_data_t *qm, *found = NULL;
-
-	enumerator = this->qms->create_enumerator(this->qms);
-	while (enumerator->enumerate(enumerator, &qm))
-	{
-		if (qm->mid == mid)
-		{	/* state gets moved to the front of the list */
-			this->qms->remove_at(this->qms, enumerator);
-			found = qm;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!found)
-	{
-		INIT(found,
-			.mid = mid,
-		);
-	}
-	this->qms->insert_first(this->qms, found);
-	/* remove least recently used state if maximum reached */
-	if (this->qms->get_count(this->qms) > this->max_exchanges &&
-		this->qms->remove_last(this->qms, (void**)&qm) == SUCCESS)
-	{
-		qm_data_destroy(qm);
-	}
-	return found;
-}
-
 METHOD(keymat_v1_t, get_hash_phase2, bool,
 	private_keymat_v1_t *this, message_t *message, chunk_t *hash)
 {
 	uint32_t mid, mid_n;
-	chunk_t data = chunk_empty;
+	chunk_t data = chunk_empty, *n_i, *n_r;
 	bool add_message = TRUE;
 	char *name = "Hash";
 
@@ -907,34 +796,34 @@ METHOD(keymat_v1_t, get_hash_phase2, bool,
 	{
 		case QUICK_MODE:
 		{
-			qm_data_t *qm = lookup_quick_mode(this, mid);
-			if (!qm->n_i.ptr)
+			this->iv_manager->lookup_quick_mode(this->iv_manager, mid, &n_i,
+												&n_r);
+			if (!n_i->ptr)
 			{	/* Hash(1) = prf(SKEYID_a, M-ID | Message after HASH payload) */
 				name = "Hash(1)";
-				if (!get_nonce(message, &qm->n_i))
+				if (!get_nonce(message, n_i))
 				{
 					return FALSE;
 				}
 				data = chunk_from_thing(mid_n);
 			}
-			else if (!qm->n_r.ptr)
+			else if (!n_r->ptr)
 			{	/* Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH) */
 				name = "Hash(2)";
-				if (!get_nonce(message, &qm->n_r))
+				if (!get_nonce(message, n_r))
 				{
 					return FALSE;
 				}
-				data = chunk_cata("cc", chunk_from_thing(mid_n), qm->n_i);
+				data = chunk_cata("cc", chunk_from_thing(mid_n), *n_i);
 			}
 			else
 			{	/* Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
 				name = "Hash(3)";
 				data = chunk_cata("cccc", octet_0, chunk_from_thing(mid_n),
-								  qm->n_i, qm->n_r);
+								  *n_i, *n_r);
 				add_message = FALSE;
 				/* we don't need the state anymore */
-				this->qms->remove(this->qms, qm, NULL);
-				qm_data_destroy(qm);
+				this->iv_manager->remove_quick_mode(this->iv_manager, mid);
 			}
 			break;
 		}
@@ -976,119 +865,22 @@ METHOD(keymat_v1_t, get_hash_phase2, bool,
 	return TRUE;
 }
 
-/**
- * Generate an IV
- */
-static bool generate_iv(private_keymat_v1_t *this, iv_data_t *iv)
-{
-	if (iv->mid == 0 || iv->iv.ptr)
-	{	/* use last block of previous encrypted message */
-		chunk_free(&iv->iv);
-		iv->iv = iv->last_block;
-		iv->last_block = chunk_empty;
-	}
-	else
-	{
-		/* initial phase 2 IV = hash(last_phase1_block | mid) */
-		uint32_t net;;
-		chunk_t data;
-
-		net = htonl(iv->mid);
-		data = chunk_cata("cc", this->phase1_iv.iv, chunk_from_thing(net));
-		if (!this->hasher->allocate_hash(this->hasher, data, &iv->iv))
-		{
-			return FALSE;
-		}
-		if (iv->iv.len > this->aead->get_block_size(this->aead))
-		{
-			iv->iv.len = this->aead->get_block_size(this->aead);
-		}
-	}
-	DBG4(DBG_IKE, "next IV for MID %u %B", iv->mid, &iv->iv);
-	return TRUE;
-}
-
-/**
- * Try to find an IV for the given message ID, if not found, generate it.
- */
-static iv_data_t *lookup_iv(private_keymat_v1_t *this, uint32_t mid)
-{
-	enumerator_t *enumerator;
-	iv_data_t *iv, *found = NULL;
-
-	if (mid == 0)
-	{
-		return &this->phase1_iv;
-	}
-
-	enumerator = this->ivs->create_enumerator(this->ivs);
-	while (enumerator->enumerate(enumerator, &iv))
-	{
-		if (iv->mid == mid)
-		{	/* IV gets moved to the front of the list */
-			this->ivs->remove_at(this->ivs, enumerator);
-			found = iv;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!found)
-	{
-		INIT(found,
-			.mid = mid,
-		);
-		if (!generate_iv(this, found))
-		{
-			iv_data_destroy(found);
-			return NULL;
-		}
-	}
-	this->ivs->insert_first(this->ivs, found);
-	/* remove least recently used IV if maximum reached */
-	if (this->ivs->get_count(this->ivs) > this->max_exchanges &&
-		this->ivs->remove_last(this->ivs, (void**)&iv) == SUCCESS)
-	{
-		iv_data_destroy(iv);
-	}
-	return found;
-}
-
 METHOD(keymat_v1_t, get_iv, bool,
 	private_keymat_v1_t *this, uint32_t mid, chunk_t *out)
 {
-	iv_data_t *iv;
-
-	iv = lookup_iv(this, mid);
-	if (iv)
-	{
-		*out = iv->iv;
-		return TRUE;
-	}
-	return FALSE;
+	return this->iv_manager->get_iv(this->iv_manager, mid, out);
 }
 
 METHOD(keymat_v1_t, update_iv, bool,
 	private_keymat_v1_t *this, uint32_t mid, chunk_t last_block)
 {
-	iv_data_t *iv = lookup_iv(this, mid);
-	if (iv)
-	{	/* update last block */
-		chunk_free(&iv->last_block);
-		iv->last_block = chunk_clone(last_block);
-		return TRUE;
-	}
-	return FALSE;
+	return this->iv_manager->update_iv(this->iv_manager, mid, last_block);
 }
 
 METHOD(keymat_v1_t, confirm_iv, bool,
 	private_keymat_v1_t *this, uint32_t mid)
 {
-	iv_data_t *iv = lookup_iv(this, mid);
-	if (iv)
-	{
-		return generate_iv(this, iv);
-	}
-	return FALSE;
+	return this->iv_manager->confirm_iv(this->iv_manager, mid);
 }
 
 METHOD(keymat_t, get_version, ike_version_t,
@@ -1124,10 +916,7 @@ METHOD(keymat_t, destroy, void,
 	DESTROY_IF(this->hasher);
 	chunk_clear(&this->skeyid_d);
 	chunk_clear(&this->skeyid_a);
-	chunk_free(&this->phase1_iv.iv);
-	chunk_free(&this->phase1_iv.last_block);
-	this->ivs->destroy_function(this->ivs, (void*)iv_data_destroy);
-	this->qms->destroy_function(this->qms, (void*)qm_data_destroy);
+	this->iv_manager->destroy(this->iv_manager);
 	free(this);
 }
 
@@ -1157,12 +946,8 @@ keymat_v1_t *keymat_v1_create(bool initiator)
 			.update_iv = _update_iv,
 			.confirm_iv = _confirm_iv,
 		},
-		.ivs = linked_list_create(),
-		.qms = linked_list_create(),
 		.initiator = initiator,
-		.max_exchanges = lib->settings->get_int(lib->settings,
-					"%s.max_ikev1_exchanges", MAX_EXCHANGES_DEFAULT, lib->ns),
+		.iv_manager = iv_manager_create(0),
 	);
-
 	return &this->public;
 }
diff --git a/src/libcharon/sa/ikev1/keymat_v1.h b/src/libcharon/sa/ikev1/keymat_v1.h
index 46eeea8..ada5bdb 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.h
+++ b/src/libcharon/sa/ikev1/keymat_v1.h
@@ -102,11 +102,14 @@ struct keymat_v1_t {
 	 * @param sa_i			encoded SA payload of initiator
 	 * @param id			encoded IDii payload for HASH_I (IDir for HASH_R)
 	 * @param hash			chunk receiving allocated HASH data
+	 * @param scheme		pointer to signature scheme in case it needs to be
+	 * 						modified by the keymat implementation
 	 * @return				TRUE if hash allocated successfully
 	 */
 	bool (*get_hash)(keymat_v1_t *this, bool initiator,
 						chunk_t dh, chunk_t dh_other, ike_sa_id_t *ike_sa_id,
-						chunk_t sa_i, chunk_t id, chunk_t *hash);
+						chunk_t sa_i, chunk_t id, chunk_t *hash,
+						signature_scheme_t *scheme);
 
 	/**
 	 * Get HASH data for integrity/authentication in Phase 2 exchanges.
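Review bot: The new `@param scheme` text does not say that NULL is an accepted value, yet psk_v1_authenticator.c passes `NULL` in both `build` and `process`. I would document it, e.g. `@param scheme  pointer to signature scheme, may be modified by the keymat implementation (NULL if not applicable)`. The body of `get_hash` in keymat_v1.c is outside the visible hunk, so it cannot be confirmed here that the implementation checks `scheme` before writing through it. That check is worth verifying alongside the doc change.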
@@ -118,39 +121,17 @@ struct keymat_v1_t {
 	bool (*get_hash_phase2)(keymat_v1_t *this, message_t *message, chunk_t *hash);
 
 	/**
-	 * Returns the IV for a message with the given message ID.
-	 *
-	 * The return chunk contains internal data and is valid until the next
-	 * get_iv/udpate_iv/confirm_iv call.
-	 *
-	 * @param mid			message ID
-	 * @param iv			chunk receiving IV, internal data
-	 * @return				TRUE if IV allocated successfully
+	 * @see iv_manager_t.get_iv
 	 */
 	bool (*get_iv)(keymat_v1_t *this, uint32_t mid, chunk_t *iv);
 
 	/**
-	 * Updates the IV for the next message with the given message ID.
-	 *
-	 * A call of confirm_iv() is required in order to actually make the IV
-	 * available.  This is needed for the inbound case where we store the last
-	 * block of the encrypted message but want to update the IV only after
-	 * verification of the decrypted message.
-	 *
-	 * @param mid			message ID
-	 * @param last_block	last block of encrypted message (gets cloned)
-	 * @return				TRUE if IV updated successfully
+	 * @see iv_manager_t.update_iv
 	 */
 	bool (*update_iv)(keymat_v1_t *this, uint32_t mid, chunk_t last_block);
 
 	/**
-	 * Confirms the updated IV for the given message ID.
-	 *
-	 * To actually make the new IV available via get_iv this method has to
-	 * be called after update_iv.
-	 *
-	 * @param mid			message ID
-	 * @return				TRUE if IV confirmed successfully
+	 * @see iv_manager_t.confirm_iv
 	 */
 	bool (*confirm_iv)(keymat_v1_t *this, uint32_t mid);
 };
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index c968b2a..adce59f 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -113,22 +113,8 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this,
 	auth_cfg_t *my_auth, *other_auth;
 	enumerator_t *enumerator;
 
-	/* try to get a PSK for IP addresses */
 	me = this->ike_sa->get_my_host(this->ike_sa);
 	other = this->ike_sa->get_other_host(this->ike_sa);
-	my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
-	other_id = identification_create_from_sockaddr(other->get_sockaddr(other));
-	if (my_id && other_id)
-	{
-		shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
-											  my_id, other_id);
-	}
-	DESTROY_IF(my_id);
-	DESTROY_IF(other_id);
-	if (shared_key)
-	{
-		return shared_key;
-	}
 
 	if (peer_cfg)
 	{	/* as initiator or aggressive responder, use identities */
@@ -156,39 +142,51 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this,
 				}
 			}
 		}
-		return shared_key;
 	}
-	/* as responder, we try to find a config by IP */
-	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
-												me, other, NULL, NULL, IKEV1);
-	while (enumerator->enumerate(enumerator, &peer_cfg))
-	{
-		my_auth = get_auth_cfg(peer_cfg, TRUE);
-		other_auth = get_auth_cfg(peer_cfg, FALSE);
-		if (my_auth && other_auth)
+	else
+	{	/* as responder, we try to find a config by IP addresses and use the
+		 * configured identities to find the PSK */
+		enumerator = charon->backends->create_peer_cfg_enumerator(
+								charon->backends, me, other, NULL, NULL, IKEV1);
+		while (enumerator->enumerate(enumerator, &peer_cfg))
 		{
-			my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY);
-			other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
-			if (my_id)
+			my_auth = get_auth_cfg(peer_cfg, TRUE);
+			other_auth = get_auth_cfg(peer_cfg, FALSE);
+			if (my_auth && other_auth)
 			{
-				shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
-													  my_id, other_id);
-				if (shared_key)
-				{
-					break;
-				}
-				else
+				my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY);
+				other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
+				if (my_id)
 				{
+					shared_key = lib->credmgr->get_shared(lib->credmgr,
+												SHARED_IKE, my_id, other_id);
+					if (shared_key)
+					{
+						break;
+					}
 					DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
 						 my_id, me, other_id, other);
 				}
 			}
 		}
+		enumerator->destroy(enumerator);
 	}
-	enumerator->destroy(enumerator);
 	if (!shared_key)
-	{
-		DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
+	{	/* try to get a PSK for IP addresses */
+		my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
+		other_id = identification_create_from_sockaddr(
+													other->get_sockaddr(other));
+		if (my_id && other_id)
+		{
+			shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
+												  my_id, other_id);
+		}
+		DESTROY_IF(my_id);
+		DESTROY_IF(other_id);
+		if (!shared_key)
+		{
+			DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
+		}
 	}
 	return shared_key;
 }
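Review bot: The responder branch still logs `no shared key found for '%Y'[%H] - '%Y'[%H]` at level 1 for each config, but the IP-address lookup now runs afterwards and may still return a key. The log can therefore report a failure for a lookup that ends up succeeding, which is misleading when tracing which PSK authenticated a peer. Which secret is selected is now decided by order (configured identities first, IP addresses only as fallback), and that precedence is worth stating in the function comment, e.g. `PSKs for configured identities take precedence, PSKs for IP addresses are only used as fallback`. lookup_shared_key starts outside this hunk.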
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 3b0c1cf..1da17ee 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -367,7 +367,7 @@ static status_t retransmit_packet(private_task_manager_t *this, uint32_t seqnr,
 	send_packets(this, packets);
 	lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
 			retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
-	return NEED_MORE;
+	return SUCCESS;
 }
 
 METHOD(task_manager_t, retransmit, status_t,
@@ -380,10 +380,9 @@ METHOD(task_manager_t, retransmit, status_t,
 	{
 		status = retransmit_packet(this, seqnr, this->initiating.mid,
 					this->initiating.retransmitted, this->initiating.packets);
-		if (status == NEED_MORE)
+		if (status == SUCCESS)
 		{
 			this->initiating.retransmitted++;
-			status = SUCCESS;
 		}
 	}
 	if (seqnr == this->responding.seqnr &&
@@ -391,10 +390,9 @@ METHOD(task_manager_t, retransmit, status_t,
 	{
 		status = retransmit_packet(this, seqnr, this->responding.mid,
 					this->responding.retransmitted, this->responding.packets);
-		if (status == NEED_MORE)
+		if (status == SUCCESS)
 		{
 			this->responding.retransmitted++;
-			status = SUCCESS;
 		}
 	}
 	return status;
@@ -554,6 +552,12 @@ METHOD(task_manager_t, initiate, status_t,
 					new_mid = TRUE;
 					break;
 				}
+				if (activate_task(this, TASK_ISAKMP_DPD))
+				{
+					exchange = INFORMATIONAL_V1;
+					new_mid = TRUE;
+					break;
+				}
 				break;
 			default:
 				break;
@@ -685,13 +689,9 @@ METHOD(task_manager_t, initiate, status_t,
 		message->destroy(message);
 		return retransmit(this, this->initiating.seqnr);
 	}
-	if (keep)
-	{	/* keep the packet for retransmission, the responder might request it */
-		send_packets(this, this->initiating.packets);
-	}
-	else
+	send_packets(this, this->initiating.packets);
+	if (!keep)
 	{
-		send_packets(this, this->initiating.packets);
 		clear_packets(this->initiating.packets);
 	}
 	message->destroy(message);
@@ -1902,6 +1902,12 @@ METHOD(task_manager_t, incr_mid, void,
 {
 }
 
+METHOD(task_manager_t, get_mid, uint32_t,
+	private_task_manager_t *this, bool initiate)
+{
+	return initiate ? this->initiating.mid : this->responding.mid;
+}
+
 METHOD(task_manager_t, reset, void,
 	private_task_manager_t *this, uint32_t initiate, uint32_t respond)
 {
@@ -2005,6 +2011,7 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 				.initiate = _initiate,
 				.retransmit = _retransmit,
 				.incr_mid = _incr_mid,
+				.get_mid = _get_mid,
 				.reset = _reset,
 				.adopt_tasks = _adopt_tasks,
 				.adopt_child_tasks = _adopt_child_tasks,
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 6b89641..bbb8858 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -703,25 +703,30 @@ static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message)
 {
 	identification_t *id;
 	id_payload_t *nat_oa;
-	host_t *src, *dst;
+	host_t *init, *resp;
 	payload_type_t nat_oa_payload_type;
 
-	src = message->get_source(message);
-	dst = message->get_destination(message);
-
-	src = this->initiator ? src : dst;
-	dst = this->initiator ? dst : src;
+	if (this->initiator)
+	{
+		init = message->get_source(message);
+		resp = message->get_destination(message);
+	}
+	else
+	{
+		init = message->get_destination(message);
+		resp = message->get_source(message);
+	}
 
 	nat_oa_payload_type = get_nat_oa_payload_type(this->ike_sa);
 
 	/* first NAT-OA is the initiator's address */
-	id = identification_create_from_sockaddr(src->get_sockaddr(src));
+	id = identification_create_from_sockaddr(init->get_sockaddr(init));
 	nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
 	message->add_payload(message, (payload_t*)nat_oa);
 	id->destroy(id);
 
 	/* second NAT-OA is that of the responder */
-	id = identification_create_from_sockaddr(dst->get_sockaddr(dst));
+	id = identification_create_from_sockaddr(resp->get_sockaddr(resp));
 	nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
 	message->add_payload(message, (payload_t*)nat_oa);
 	id->destroy(id);
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 592f497..19ea72d 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -217,7 +217,8 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
 	}
 
 	if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-								this->nonce, id, this->reserved, &octets))
+								this->nonce, id, this->reserved, &octets,
+								schemes))
 	{
 		enumerator = array_create_enumerator(schemes);
 		while (enumerator->enumerate(enumerator, &schemep))
@@ -247,6 +248,32 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
 }
 
 /**
+ * Get the auth octets and the signature scheme (in case it is changed by the
+ * keymat).
+ */
+static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this,
+								   bool verify, identification_t *id,
+								   chunk_t *octets, signature_scheme_t *scheme)
+{
+	keymat_v2_t *keymat;
+	array_t *schemes;
+	bool success = FALSE;
+
+	schemes = array_create(sizeof(signature_scheme_t), 0);
+	array_insert(schemes, ARRAY_TAIL, scheme);
+
+	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
+	if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce,
+								id, this->reserved, octets, schemes) &&
+		array_get(schemes, 0, &scheme))
+	{
+		success = TRUE;
+	}
+	array_destroy(schemes);
+	return success;
+}
+
+/**
  * Create a classic IKEv2 signature
  */
 static status_t sign_classic(private_pubkey_authenticator_t *this,
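Review bot: In get_auth_octets_scheme, `array_get(schemes, 0, &scheme)` passes the address of the local pointer parameter rather than the caller's `signature_scheme_t`. If array_get copies the element into the buffer it is given, as the matching `array_insert(schemes, ARRAY_TAIL, scheme)` on this value-typed array suggests, the copy lands in the local variable. A scheme changed by the keymat would then never reach sign_classic or process, which would sign or verify with the original one. `array_get(schemes, 0, scheme)` would write through to the caller; a short comment that `*scheme` is both input and output would also help.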
@@ -255,7 +282,6 @@ static status_t sign_classic(private_pubkey_authenticator_t *this,
 							 chunk_t *auth_data)
 {
 	signature_scheme_t scheme;
-	keymat_v2_t *keymat;
 	chunk_t octets = chunk_empty;
 	status_t status = FAILED;
 
@@ -293,9 +319,7 @@ static status_t sign_classic(private_pubkey_authenticator_t *this,
 			return FAILED;
 	}
 
-	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-	if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-								this->nonce, id, this->reserved, &octets) &&
+	if (get_auth_octets_scheme(this, FALSE, id, &octets, &scheme) &&
 		private->sign(private, scheme, octets, auth_data))
 	{
 		status = SUCCESS;
@@ -363,7 +387,6 @@ METHOD(authenticator_t, process, status_t,
 	key_type_t key_type = KEY_ECDSA;
 	signature_scheme_t scheme;
 	status_t status = NOT_FOUND;
-	keymat_v2_t *keymat;
 	const char *reason = "unsupported";
 	bool online;
 
@@ -402,9 +425,7 @@ METHOD(authenticator_t, process, status_t,
 			return INVALID_ARG;
 	}
 	id = this->ike_sa->get_other_id(this->ike_sa);
-	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-	if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
-								 this->nonce, id, this->reserved, &octets))
+	if (!get_auth_octets_scheme(this, TRUE, id, &octets, &scheme))
 	{
 		return FAILED;
 	}
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 58efdba..70dacd1 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -629,7 +629,8 @@ METHOD(keymat_t, get_aead, aead_t*,
 
 METHOD(keymat_v2_t, get_auth_octets, bool,
 	private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
-	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
+	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets,
+	array_t *schemes)
 {
 	chunk_t chunk, idx;
 	chunk_t skp;
@@ -669,7 +670,8 @@ METHOD(keymat_v2_t, get_psk_sig, bool,
 	{	/* EAP uses SK_p if no MSK has been established */
 		secret = verify ? this->skp_verify : this->skp_build;
 	}
-	if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, &octets))
+	if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved,
+						 &octets, NULL))
 	{
 		return FALSE;
 	}
diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h
index 927b62b..36bf149 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.h
+++ b/src/libcharon/sa/ikev2/keymat_v2.h
@@ -22,6 +22,7 @@
 #define KEYMAT_V2_H_
 
 #include <sa/keymat.h>
+#include <collections/array.h>
 
 typedef struct keymat_v2_t keymat_v2_t;
 
@@ -100,11 +101,14 @@ struct keymat_v2_t {
 	 * @param id			identity
 	 * @param reserved		reserved bytes of id_payload
 	 * @param octests		chunk receiving allocated auth octets
+	 * @param schemes		array containing signature schemes in case they
+	 * 						need to be modified by the keymat implementation
 	 * @return				TRUE if octets created successfully
 	 */
 	bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
 							chunk_t nonce, identification_t *id,
-							char reserved[3], chunk_t *octets);
+							char reserved[3], chunk_t *octets,
+							array_t *schemes);
 	/**
 	 * Build the shared secret signature used for PSK and EAP authentication.
 	 *
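Review bot: The new `@param schemes` text does not say that NULL is a valid argument, yet get_psk_sig in keymat_v2.c now calls `get_auth_octets(..., &octets, NULL)`. Since this header is the contract other keymat implementations follow, it should say so, e.g. by ending the description with `..., or NULL if no schemes are used`, so that an implementation does not dereference the array unconditionally. The `octests` spelling on the line above could be corrected to `octets` in the same pass.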
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 60a262f..e4a16fa 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -34,6 +34,7 @@
 #include <sa/ikev2/tasks/ike_delete.h>
 #include <sa/ikev2/tasks/ike_config.h>
 #include <sa/ikev2/tasks/ike_dpd.h>
+#include <sa/ikev2/tasks/ike_mid_sync.h>
 #include <sa/ikev2/tasks/ike_vendor.h>
 #include <sa/ikev2/tasks/ike_verify_peer_cert.h>
 #include <sa/ikev2/tasks/child_create.h>
@@ -817,7 +818,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	task_t *task;
 	message_t *message;
 	host_t *me, *other;
-	bool delete = FALSE, hook = FALSE;
+	bool delete = FALSE, hook = FALSE, mid_sync = FALSE;
 	ike_sa_id_t *id = NULL;
 	uint64_t responder_spi = 0;
 	bool result;
@@ -836,6 +837,10 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	enumerator = array_create_enumerator(this->passive_tasks);
 	while (enumerator->enumerate(enumerator, (void*)&task))
 	{
+		if (task->get_type(task) == TASK_IKE_MID_SYNC)
+		{
+			mid_sync = TRUE;
+		}
 		switch (task->build(task, message))
 		{
 			case SUCCESS:
@@ -908,6 +913,15 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 		}
 		return DESTROY_ME;
 	}
+	else if (mid_sync)
+	{
+		/* we don't want to resend messages to sync MIDs if requests with the
+		 * previous MID arrive */
+		clear_packets(this->responding.packets);
+		/* avoid increasing the expected message ID after handling a message
+		 * to sync MIDs with MID 0 */
+		return NEED_MORE;
+	}
 
 	array_compress(this->passive_tasks);
 
@@ -1069,6 +1083,10 @@ static status_t process_request(private_task_manager_t *this,
 									task = (task_t*)ike_redirect_create(
 															this->ike_sa, NULL);
 									break;
+								case IKEV2_MESSAGE_ID_SYNC:
+									task = (task_t*)ike_mid_sync_create(
+																 this->ike_sa);
+									break;
 								default:
 									break;
 							}
@@ -1200,6 +1218,12 @@ METHOD(task_manager_t, incr_mid, void,
 	}
 }
 
+METHOD(task_manager_t, get_mid, uint32_t,
+	private_task_manager_t *this, bool initiate)
+{
+	return initiate ? this->initiating.mid : this->responding.mid;
+}
+
 /**
  * Handle the given IKE fragment, if it is one.
  *
@@ -1373,6 +1397,64 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
 	return status;
 }
 
+/**
+ * Check if a message with message ID 0 looks like it is used to synchronize
+ * the message IDs.
+ */
+static bool looks_like_mid_sync(private_task_manager_t *this, message_t *msg,
+								bool strict)
+{
+	enumerator_t *enumerator;
+	notify_payload_t *notify;
+	payload_t *payload;
+	bool found = FALSE, other = FALSE;
+
+	if (msg->get_exchange_type(msg) == INFORMATIONAL)
+	{
+		enumerator = msg->create_payload_enumerator(msg);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (payload->get_type(payload) == PLV2_NOTIFY)
+			{
+				notify = (notify_payload_t*)payload;
+				switch (notify->get_notify_type(notify))
+				{
+					case IKEV2_MESSAGE_ID_SYNC:
+					case IPSEC_REPLAY_COUNTER_SYNC:
+						found = TRUE;
+						continue;
+					default:
+						break;
+				}
+			}
+			if (strict)
+			{
+				other = TRUE;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return found && !other;
+}
+
+/**
+ * Check if a message with message ID 0 looks like it is used to synchronize
+ * the message IDs and we are prepared to process it.
+ *
+ * Note: This is not called if the responder never sent a message before (i.e.
+ * we expect MID 0).
+ */
+static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
+{
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED &&
+		this->ike_sa->supports_extension(this->ike_sa,
+										 EXT_IKE_MESSAGE_ID_SYNC))
+	{
+		return looks_like_mid_sync(this, msg, TRUE);
+	}
+	return FALSE;
+}
 
 METHOD(task_manager_t, process_message, status_t,
 	private_task_manager_t *this, message_t *msg)
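Review bot: In looks_like_mid_sync, `found` is set for either IKEV2_MESSAGE_ID_SYNC or IPSEC_REPLAY_COUNTER_SYNC, so is_mid_sync accepts a MID 0 INFORMATIONAL that carries only the replay-counter notify. The process_request hunk creates the ike_mid_sync task only for IKEV2_MESSAGE_ID_SYNC, and build_response takes its `NEED_MORE` path only when that task is present, so such a message would presumably be handled like a regular request and advance the expected message ID. Consider setting `found` only for IKEV2_MESSAGE_ID_SYNC and treating the other notify as merely permitted, e.g. `case IPSEC_REPLAY_COUNTER_SYNC: continue;`. The comment should also say what `strict` does (any other payload disqualifies the message), and `this` is unused in this helper.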
@@ -1421,7 +1503,7 @@ METHOD(task_manager_t, process_message, status_t,
 	mid = msg->get_message_id(msg);
 	if (msg->get_request(msg))
 	{
-		if (mid == this->responding.mid)
+		if (mid == this->responding.mid || (mid == 0 && is_mid_sync(this, msg)))
 		{
 			/* reject initial messages if not received in specific states,
 			 * after rekeying we only expect a DELETE in an INFORMATIONAL */
@@ -1462,7 +1544,8 @@ METHOD(task_manager_t, process_message, status_t,
 			}
 		}
 		else if ((mid == this->responding.mid - 1) &&
-				 array_count(this->responding.packets))
+				 array_count(this->responding.packets) &&
+				 !(mid == 0 && looks_like_mid_sync(this, msg, FALSE)))
 		{
 			status = handle_fragment(this, &this->responding.defrag, msg);
 			if (status != SUCCESS)
@@ -1477,7 +1560,7 @@ METHOD(task_manager_t, process_message, status_t,
 		}
 		else
 		{
-			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
+			DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
 				 mid, this->responding.mid);
 		}
 	}
@@ -1515,7 +1598,7 @@ METHOD(task_manager_t, process_message, status_t,
 		}
 		else
 		{
-			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
+			DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
 				 mid, this->initiating.mid);
 			return SUCCESS;
 		}
@@ -2046,6 +2129,7 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
 				.initiate = _initiate,
 				.retransmit = _retransmit,
 				.incr_mid = _incr_mid,
+				.get_mid = _get_mid,
 				.reset = _reset,
 				.adopt_tasks = _adopt_tasks,
 				.adopt_child_tasks = _adopt_child_tasks,
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 036910d..53daaf2 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -417,6 +417,9 @@ METHOD(task_t, build_i, status_t,
 		/* indicate support for EAP-only authentication */
 		message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
 							chunk_empty);
+		/* indicate support for RFC 6311 Message ID synchronization */
+		message->add_notify(message, FALSE, IKEV2_MESSAGE_ID_SYNC_SUPPORTED,
+							chunk_empty);
 	}
 
 	if (!this->do_another_auth && !this->my_auth)
@@ -466,7 +469,8 @@ METHOD(task_t, build_i, status_t,
 		get_reserved_id_bytes(this, id_payload);
 		message->add_payload(message, (payload_t*)id_payload);
 
-		if (idr && message->get_message_id(message) == 1 &&
+		if (idr && !idr->contains_wildcards(idr) &&
+			message->get_message_id(message) == 1 &&
 			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
 			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
 		{
@@ -991,6 +995,10 @@ METHOD(task_t, process_i, status_t,
 						DBG1(DBG_IKE, "received invalid REDIRECT notify");
 					}
 					break;
+				case IKEV2_MESSAGE_ID_SYNC_SUPPORTED:
+					this->ike_sa->enable_extension(this->ike_sa,
+												   EXT_IKE_MESSAGE_ID_SYNC);
+					break;
 				default:
 				{
 					if (type <= 16383)
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index d82e206..58b7106 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -159,6 +159,10 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
 	auth_cfg_t *auth;
 	auth_rule_t rule;
 	uintptr_t config;
+	int written;
+	size_t len = BUF_LEN;
+	char buf[len];
+	char *pos = buf;
 	char *plugin_name;
 
 	algos = hash_algorithm_set_create();
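Review bot: `size_t len = BUF_LEN; char buf[len];` declares a variable-length array because `len` is not a constant expression, and the later `written < len` compares an `int` with a `size_t`. A fixed array, `char buf[BUF_LEN];` with `size_t len = sizeof(buf);`, and `(size_t)written < len` in the loop avoid both. The same applies to handle_supported_hash_algorithms in the later hunk, where the formatted algorithm identifiers appear to come from the peer's notify data. The bound itself holds as written, since `pos` and `len` only advance when the output fit; the function body continues outside this hunk.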
@@ -205,11 +209,23 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
 		while (enumerator->enumerate(enumerator, &hash))
 		{
 			writer->write_uint16(writer, hash);
+
+			/* generate debug output */
+			written = snprintf(pos, len, " %N", hash_algorithm_short_names,
+							   hash);
+			if (written > 0 && written < len)
+			{
+				pos += written;
+				len -= written;
+			}
 		}
 		enumerator->destroy(enumerator);
 		message->add_notify(message, FALSE, SIGNATURE_HASH_ALGORITHMS,
 							writer->get_buf(writer));
 		writer->destroy(writer);
+
+		*pos = '\0';
+		DBG2(DBG_CFG, "sending supported signature hash algorithms:%s", buf);
 	}
 	algos->destroy(algos);
 }
@@ -222,6 +238,10 @@ static void handle_supported_hash_algorithms(private_ike_init_t *this,
 {
 	bio_reader_t *reader;
 	uint16_t algo;
+	int written;
+	size_t len = BUF_LEN;
+	char buf[len];
+	char *pos = buf;
 	bool added = FALSE;
 
 	reader = bio_reader_create(notify->get_notification_data(notify));
@@ -231,10 +251,22 @@ static void handle_supported_hash_algorithms(private_ike_init_t *this,
 		{
 			this->keymat->add_hash_algorithm(this->keymat, algo);
 			added = TRUE;
+
+			/* generate debug output */
+			written = snprintf(pos, len, " %N", hash_algorithm_short_names,
+							   algo);
+			if (written > 0 && written < len)
+			{
+				pos += written;
+				len -= written;
+			}
 		}
 	}
 	reader->destroy(reader);
 
+	*pos = '\0';
+	DBG2(DBG_CFG, "received supported signature hash algorithms:%s", buf);
+
 	if (added)
 	{
 		this->ike_sa->enable_extension(this->ike_sa, EXT_SIGNATURE_AUTH);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c
new file mode 100644
index 0000000..24cf276
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+/*
+ * Copyright (C) 2016 Stephen J. Bevan
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "ike_mid_sync.h"
+
+#include <daemon.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <encoding/payloads/notify_payload.h>
+
+typedef struct private_ike_mid_sync_t private_ike_mid_sync_t;
+
+/**
+ * Private members
+ */
+struct private_ike_mid_sync_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_mid_sync_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Nonce sent by the peer and expected to be returned
+	 */
+	chunk_t nonce;
+
+	/**
+	 * Expected next sender message ID
+	 */
+	uint32_t send;
+
+	/**
+	 * Expected received message ID
+	 */
+	uint32_t recv;
+};
+
+/*
+ * Encoding of IKEV2_MESSAGE_SYNC_ID notify, RFC 6311
+ *
+ *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Next Payload  |C|  RESERVED   |         Payload Length        |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |Protocol ID(=0)| SPI Size (=0) |      Notify Message Type      |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |             Nonce Data                                        |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |             EXPECTED_SEND_REQ_MESSAGE_ID                      |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |             EXPECTED_RECV_REQ_MESSAGE_ID                      |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/*
+ * RFC 6311 section 5.1
+ *
+ *  o  The peer MUST silently drop any received synchronization message
+ *     if M1 is lower than or equal to the highest value it has seen from
+ *     the cluster.  This includes any previous received synchronization
+ *     messages.
+ */
+METHOD(task_t, pre_process, status_t,
+	private_ike_mid_sync_t *this, message_t *message)
+{
+	notify_payload_t *notify;
+	bio_reader_t *reader;
+	chunk_t nonce;
+	uint32_t resp;
+
+	if (message->get_message_id(message) != 0)
+	{	/* ignore the notify if it was contained in an INFORMATIONAL with
+		 * unexpected message ID */
+		return SUCCESS;
+	}
+	if (!this->ike_sa->supports_extension(this->ike_sa,
+										  EXT_IKE_MESSAGE_ID_SYNC))
+	{
+		DBG1(DBG_ENC, "unexpected %N notify, ignored", notify_type_names,
+			 IKEV2_MESSAGE_ID_SYNC);
+		return FAILED;
+	}
+	notify = message->get_notify(message, IKEV2_MESSAGE_ID_SYNC);
+
+	reader = bio_reader_create(notify->get_notification_data(notify));
+	if (!reader->read_data(reader, 4, &nonce) ||
+		!reader->read_uint32(reader, &this->send) ||
+		!reader->read_uint32(reader, &this->recv))
+	{
+		reader->destroy(reader);
+		DBG1(DBG_ENC, "received invalid %N notify",
+			 notify_type_names, IKEV2_MESSAGE_ID_SYNC);
+		return FAILED;
+	}
+	reader->destroy(reader);
+	resp = this->ike_sa->get_message_id(this->ike_sa, FALSE);
+	if (this->send < resp)
+	{
+		DBG1(DBG_ENC, "ignore %N notify with lower (%d) than expected (%d) "
+			 "sender MID", notify_type_names, IKEV2_MESSAGE_ID_SYNC, this->send,
+			 resp);
+		return FAILED;
+	}
+	this->nonce = chunk_clone(nonce);
+	return SUCCESS;
+}
+
+/**
+ * Check if there are any active tasks, indicating that we already
+ * used the currents message ID and are waiting for a response.
+ */
+static bool has_active_tasks(private_ike_mid_sync_t *this)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	bool active;
+
+	enumerator = this->ike_sa->create_task_enumerator(this->ike_sa,
+													  TASK_QUEUE_ACTIVE);
+	active = enumerator->enumerate(enumerator, &task);
+	enumerator->destroy(enumerator);
+	return active;
+}
+
+/*
+ * RFC 6311 section 5.1
+ *
+ *  o  M2 MUST be at least the higher of the received M1, and one more
+ *     than the highest sender value received from the cluster.  This
+ *     includes any previous received synchronization messages.
+ *
+ *  o  P2 MUST be the higher of the received P1 value, and one more than
+ *     the highest sender value used by the peer.
+ *
+ * M1 is this->send, P1 is this->recv
+ */
+METHOD(task_t, process, status_t,
+	private_ike_mid_sync_t *this, message_t *message)
+{
+	uint32_t resp, init, m2, p2;
+
+	if (message->get_message_id(message) != 0)
+	{	/* ignore the notify if it was contained in an INFORMATIONAL with
+		 * unexpected message id */
+		return SUCCESS;
+	}
+	resp = this->ike_sa->get_message_id(this->ike_sa, FALSE);
+	m2 = max(this->send, resp);
+	if (resp != m2)
+	{
+		this->ike_sa->set_message_id(this->ike_sa, FALSE, m2);
+	}
+	init = this->ike_sa->get_message_id(this->ike_sa, TRUE);
+	p2 = max(this->recv, has_active_tasks(this) ? init + 1 : init);
+	if (init != p2)
+	{
+		this->ike_sa->set_message_id(this->ike_sa, TRUE, p2);
+	}
+	DBG1(DBG_IKE, "responder requested MID sync: initiating %d[%d], "
+		 "responding %d[%d]", p2, init, m2, resp);
+	this->send = p2;
+	this->recv = m2;
+	return NEED_MORE;
+}
+
+METHOD(task_t, build, status_t,
+	private_ike_mid_sync_t *this, message_t *message)
+{
+	bio_writer_t *writer;
+
+	writer = bio_writer_create(12);
+	writer->write_data(writer, this->nonce);
+	writer->write_uint32(writer, this->send);
+	writer->write_uint32(writer, this->recv);
+
+	message->set_message_id(message, 0);
+	message->add_notify(message, FALSE, IKEV2_MESSAGE_ID_SYNC,
+						writer->get_buf(writer));
+
+	writer->destroy(writer);
+	return SUCCESS;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_ike_mid_sync_t *this)
+{
+	return TASK_IKE_MID_SYNC;
+}
+
+METHOD(task_t, migrate, void,
+	private_ike_mid_sync_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+	chunk_free(&this->nonce);
+}
+
+METHOD(task_t, destroy, void,
+	private_ike_mid_sync_t *this)
+{
+	chunk_free(&this->nonce);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_mid_sync_t *ike_mid_sync_create(ike_sa_t *ike_sa)
+{
+	private_ike_mid_sync_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.build = _build,
+				.pre_process = _pre_process,
+				.process = _process,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+	);
+	return &this->public;
+}
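Review bot: The drop check in pre_process, `if (this->send < resp)`, compares only against the SA's current responding MID, while the RFC 6311 text quoted above it also counts previously received synchronization messages. If the responding MID equals M1 once a sync has been applied (process sets it to `max(this->send, resp)`), a repeated copy of that message would pass the check until the peer's next request arrives. It is worth confirming that this case is rejected elsewhere, or remembering the last accepted M1 on the IKE_SA and dropping anything not above it. Separately, the result of `message->get_notify()` is dereferenced without a NULL check, and the DBG1 calls print the `uint32_t` MIDs with `%d`, so large peer-supplied values would be logged as negative; `%u` keeps the log accurate.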
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mid_sync.h b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.h
new file mode 100644
index 0000000..9dd46f9
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+/*
+ * Copyright (C) 2016 Stephen J. Bevan
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup ike_mid_sync ike_mid_sync
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_MID_SYNC_H_
+#define IKE_MID_SYNC_H_
+
+typedef struct ike_mid_sync_t ike_mid_sync_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type TASK_IKE_MID_SYNC, implements RFC 6311 responder.
+ *
+ * This task handles an IKEV2_MESSAGE_ID_SYNC notify sent by a peer
+ * and if acceptable updates the SA MIDs and replies with the updated
+ * MID values.
+ */
+struct ike_mid_sync_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new TASK_IKE_MID_SYNC task.
+ *
+ * @param ike_sa	IKE_SA this task works for
+ * @return			task to handle by the task_manager
+ */
+ike_mid_sync_t *ike_mid_sync_create(ike_sa_t *ike_sa);
+
+#endif /** IKE_MID_SYNC_H_ @}*/
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index 40e291b..b016275 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
@@ -36,7 +36,7 @@ struct private_shunt_manager_t {
 	shunt_manager_t public;
 
 	/**
-	 * Installed shunts, as child_cfg_t
+	 * Installed shunts, as entry_t
 	 */
 	linked_list_t *shunts;
 
@@ -57,6 +57,32 @@ struct private_shunt_manager_t {
 };
 
 /**
+ * Config entry for a shunt
+ */
+typedef struct {
+	/**
+	 * Configured namespace
+	 */
+	char *ns;
+
+	/**
+	 * Child config
+	 */
+	child_cfg_t *cfg;
+
+} entry_t;
+
+/**
+ * Destroy a config entry
+ */
+static void entry_destroy(entry_t *this)
+{
+	this->cfg->destroy(this->cfg);
+	free(this->ns);
+	free(this);
+}
+
+/**
  * Install in and out shunt policies in the kernel
  */
 static bool install_shunt_policy(child_cfg_t *child)
@@ -162,10 +188,10 @@ static bool install_shunt_policy(child_cfg_t *child)
 }
 
 METHOD(shunt_manager_t, install, bool,
-	private_shunt_manager_t *this, child_cfg_t *child)
+	private_shunt_manager_t *this, char *ns, child_cfg_t *cfg)
 {
 	enumerator_t *enumerator;
-	child_cfg_t *child_cfg;
+	entry_t *entry;
 	bool found = FALSE, success;
 
 	/* check if not already installed */
@@ -176,9 +202,10 @@ METHOD(shunt_manager_t, install, bool,
 		return FALSE;
 	}
 	enumerator = this->shunts->create_enumerator(this->shunts);
-	while (enumerator->enumerate(enumerator, &child_cfg))
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (streq(child_cfg->get_name(child_cfg), child->get_name(child)))
+		if (streq(ns, entry->ns) &&
+			streq(cfg->get_name(cfg), entry->cfg->get_name(entry->cfg)))
 		{
 			found = TRUE;
 			break;
@@ -188,21 +215,25 @@ METHOD(shunt_manager_t, install, bool,
 	if (found)
 	{
 		DBG1(DBG_CFG, "shunt %N policy '%s' already installed",
-			 ipsec_mode_names, child->get_mode(child), child->get_name(child));
+			 ipsec_mode_names, cfg->get_mode(cfg), cfg->get_name(cfg));
 		this->lock->unlock(this->lock);
 		return TRUE;
 	}
-	this->shunts->insert_last(this->shunts, child->get_ref(child));
+	INIT(entry,
+		.ns = strdupnull(ns),
+		.cfg = cfg->get_ref(cfg),
+	);
+	this->shunts->insert_last(this->shunts, entry);
 	this->installing++;
 	this->lock->unlock(this->lock);
 
-	success = install_shunt_policy(child);
+	success = install_shunt_policy(cfg);
 
 	this->lock->write_lock(this->lock);
 	if (!success)
 	{
-		this->shunts->remove(this->shunts, child, NULL);
-		child->destroy(child);
+		this->shunts->remove(this->shunts, entry, NULL);
+		entry_destroy(entry);
 	}
 	this->installing--;
 	this->condvar->signal(this->condvar);
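Review bot: The failure path at the end of this hunk calls `entry_destroy(entry)` unconditionally, although the lock was dropped around `install_shunt_policy(cfg)` and the entry was already visible in `this->shunts` during that window. `uninstall()`, as far as the visible hunks show, does not wait on `installing` the way `flush()` does, so a concurrent uninstall of the same ns/name could already have removed and freed this entry; the old code would then drop a reference too many, whereas the new code would read `this->cfg` from freed memory and free it twice. Consider destroying the entry only when it was still in the list, `if (this->shunts->remove(this->shunts, entry, NULL)) { entry_destroy(entry); }`, or letting `uninstall()` wait while `installing` is non-zero. The body of `install` starts and ends outside this hunk, so the initial locking is inferred from the `unlock` calls shown.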
@@ -320,19 +351,20 @@ static void uninstall_shunt_policy(child_cfg_t *child)
 }
 
 METHOD(shunt_manager_t, uninstall, bool,
-	private_shunt_manager_t *this, char *name)
+	private_shunt_manager_t *this, char *ns, char *name)
 {
 	enumerator_t *enumerator;
-	child_cfg_t *child, *found = NULL;
+	entry_t *entry, *found = NULL;
 
 	this->lock->write_lock(this->lock);
 	enumerator = this->shunts->create_enumerator(this->shunts);
-	while (enumerator->enumerate(enumerator, &child))
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (streq(name, child->get_name(child)))
+		if (streq(ns, entry->ns) &&
+			streq(name, entry->cfg->get_name(entry->cfg)))
 		{
 			this->shunts->remove_at(this->shunts, enumerator);
-			found = child;
+			found = entry;
 			break;
 		}
 	}
@@ -343,8 +375,19 @@ METHOD(shunt_manager_t, uninstall, bool,
 	{
 		return FALSE;
 	}
-	uninstall_shunt_policy(child);
-	child->destroy(child);
+	uninstall_shunt_policy(found->cfg);
+	entry_destroy(found);
+	return TRUE;
+}
+
+CALLBACK(filter_entries, bool,
+	void *unused, entry_t **entry, char **ns, void **in, child_cfg_t **cfg)
+{
+	if (ns)
+	{
+		*ns = (*entry)->ns;
+	}
+	*cfg = (*entry)->cfg;
 	return TRUE;
 }
 
@@ -352,25 +395,26 @@ METHOD(shunt_manager_t, create_enumerator, enumerator_t*,
 	private_shunt_manager_t *this)
 {
 	this->lock->read_lock(this->lock);
-	return enumerator_create_cleaner(
+	return enumerator_create_filter(
 							this->shunts->create_enumerator(this->shunts),
-							(void*)this->lock->unlock, this->lock);
+							(void*)filter_entries, this->lock,
+							(void*)this->lock->unlock);
 }
 
 METHOD(shunt_manager_t, flush, void,
 	private_shunt_manager_t *this)
 {
-	child_cfg_t *child;
+	entry_t *entry;
 
 	this->lock->write_lock(this->lock);
 	while (this->installing)
 	{
 		this->condvar->wait(this->condvar, this->lock);
 	}
-	while (this->shunts->remove_last(this->shunts, (void**)&child) == SUCCESS)
+	while (this->shunts->remove_last(this->shunts, (void**)&entry) == SUCCESS)
 	{
-		uninstall_shunt_policy(child);
-		child->destroy(child);
+		uninstall_shunt_policy(entry->cfg);
+		entry_destroy(entry);
 	}
 	this->installing = INSTALL_DISABLED;
 	this->lock->unlock(this->lock);
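Review bot: `create_enumerator` now returns `entry->ns` and `entry->cfg` through `filter_entries` without copying or taking a reference, so both values are only valid while the enumerator is alive and holding the read lock, and nothing in the code says so. A comment on `filter_entries` would help, e.g. `/* yields (char *ns, child_cfg_t *cfg); both borrowed and valid only until the enumerator is destroyed, ns may be NULL */`. `filter_entries` also guards the write to `*ns` with `if (ns)` but writes `*cfg` unconditionally, so either document that callers must always pass a cfg pointer or guard it the same way with `if (cfg)`. The body of `flush` continues outside this hunk.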
diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h
index c43f5db..f2b7210 100644
--- a/src/libcharon/sa/shunt_manager.h
+++ b/src/libcharon/sa/shunt_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Tobias Brunner
+ * Copyright (C) 2015-2016 Tobias Brunner
  * Copyright (C) 2011 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -36,23 +36,26 @@ struct shunt_manager_t {
 	/**
 	 * Install a policy as a shunt.
 	 *
-	 * @param child 	child configuration to install as a shunt
+	 * @param ns		optional namespace (e.g. name of a connection or
+	 *					plugin), cloned
+	 * @param child		child configuration to install as a shunt
 	 * @return			TRUE if installed successfully
 	 */
-	bool (*install)(shunt_manager_t *this, child_cfg_t *child);
+	bool (*install)(shunt_manager_t *this, char *ns, child_cfg_t *child);
 
 	/**
 	 * Uninstall a shunt policy.
 	 *
+	 * @param ns		namespace (same as given during installation)
 	 * @param name	 	name of child configuration to uninstall as a shunt
 	 * @return			TRUE if uninstalled successfully
 	 */
-	bool (*uninstall)(shunt_manager_t *this, char *name);
+	bool (*uninstall)(shunt_manager_t *this, char *ns, char *name);
 
 	/**
 	 * Create an enumerator over all installed shunts.
 	 *
-	 * @return			enumerator over (child_sa_t)
+	 * @return			enumerator over (char*, child_cfg_t*)
 	 */
 	enumerator_t* (*create_enumerator)(shunt_manager_t *this);
 
diff --git a/src/libcharon/sa/task.c b/src/libcharon/sa/task.c
index 405eda6..30de08c 100644
--- a/src/libcharon/sa/task.c
+++ b/src/libcharon/sa/task.c
@@ -30,6 +30,7 @@ ENUM(task_type_names, TASK_IKE_INIT, TASK_ISAKMP_CERT_POST,
 	"IKE_REAUTH_COMPLETE",
 	"IKE_REDIRECT",
 	"IKE_VERIFY_PEER_CERT",
+	"IKE_MID_SYNC",
 	"IKE_DELETE",
 	"IKE_DPD",
 	"IKE_VENDOR",
diff --git a/src/libcharon/sa/task.h b/src/libcharon/sa/task.h
index 31d70fb..5f77149 100644
--- a/src/libcharon/sa/task.h
+++ b/src/libcharon/sa/task.h
@@ -61,6 +61,8 @@ enum task_type_t {
 	TASK_IKE_REDIRECT,
 	/** verify a peer's certificate */
 	TASK_IKE_VERIFY_PEER_CERT,
+	/** synchronize message IDs, RFC6311 */
+	TASK_IKE_MID_SYNC,
 	/** delete an IKE_SA */
 	TASK_IKE_DELETE,
 	/** liveness check */
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
index 86077d3..7e92622 100644
--- a/src/libcharon/sa/task_manager.h
+++ b/src/libcharon/sa/task_manager.h
@@ -240,6 +240,14 @@ struct task_manager_t {
 	void (*incr_mid)(task_manager_t *this, bool initiate);
 
 	/**
+	 * Get the current message ID counter, in- or outbound.
+	 *
+	 * @param initiate		TRUE to get the initiating ID
+	 * @return				current message ID
+	 */
+	uint32_t (*get_mid)(task_manager_t *this, bool initiate);
+
+	/**
 	 * Reset message ID counters of the task manager.
 	 *
 	 * The IKEv2 protocol requires to restart exchanges with message IDs
@@ -253,7 +261,7 @@ struct task_manager_t {
 	 * @param initiate		message ID / DPD seq to initiate exchanges (send)
 	 * @param respond		message ID / DPD seq to respond to exchanges (expect)
 	 */
-	void (*reset) (task_manager_t *this, uint32_t initiate, uint32_t respond);
+	void (*reset)(task_manager_t *this, uint32_t initiate, uint32_t respond);
 
 	/**
 	 * Check if we are currently waiting for a reply.
diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am
index b867024..8f762a2 100644
--- a/src/libcharon/tests/Makefile.am
+++ b/src/libcharon/tests/Makefile.am
@@ -29,6 +29,7 @@ exchange_tests_SOURCES = \
   suites/test_child_delete.c \
   suites/test_child_rekey.c \
   suites/test_ike_delete.c \
+  suites/test_ike_mid_sync.c \
   suites/test_ike_rekey.c \
   utils/exchange_test_asserts.h utils/exchange_test_asserts.c \
   utils/exchange_test_helper.h utils/exchange_test_helper.c \
diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in
index 7b6beae..e922a71 100644
--- a/src/libcharon/tests/Makefile.in
+++ b/src/libcharon/tests/Makefile.in
@@ -115,6 +115,7 @@ am_exchange_tests_OBJECTS =  \
 	suites/exchange_tests-test_child_delete.$(OBJEXT) \
 	suites/exchange_tests-test_child_rekey.$(OBJEXT) \
 	suites/exchange_tests-test_ike_delete.$(OBJEXT) \
+	suites/exchange_tests-test_ike_mid_sync.$(OBJEXT) \
 	suites/exchange_tests-test_ike_rekey.$(OBJEXT) \
 	utils/exchange_tests-exchange_test_asserts.$(OBJEXT) \
 	utils/exchange_tests-exchange_test_helper.$(OBJEXT) \
@@ -381,7 +382,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -416,6 +416,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -491,6 +492,7 @@ exchange_tests_SOURCES = \
   suites/test_child_delete.c \
   suites/test_child_rekey.c \
   suites/test_ike_delete.c \
+  suites/test_ike_mid_sync.c \
   suites/test_ike_rekey.c \
   utils/exchange_test_asserts.h utils/exchange_test_asserts.c \
   utils/exchange_test_helper.h utils/exchange_test_helper.c \
@@ -572,6 +574,8 @@ suites/exchange_tests-test_child_rekey.$(OBJEXT):  \
 	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
 suites/exchange_tests-test_ike_delete.$(OBJEXT):  \
 	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/exchange_tests-test_ike_mid_sync.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
 suites/exchange_tests-test_ike_rekey.$(OBJEXT):  \
 	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
 utils/$(am__dirstamp):
@@ -623,6 +627,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/exchange_tests-test_child_delete.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/exchange_tests-test_child_rekey.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/exchange_tests-test_ike_delete.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po at am__quote@
@@ -715,6 +720,20 @@ suites/exchange_tests-test_ike_delete.obj: suites/test_ike_delete.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_ike_delete.obj `if test -f 'suites/test_ike_delete.c'; then $(CYGPATH_W) 'suites/test_ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_delete.c'; fi`
 
+suites/exchange_tests-test_ike_mid_sync.o: suites/test_ike_mid_sync.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_ike_mid_sync.o -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Tpo -c -o suites/exchange_tests-test_ike_mid_sync.o `test -f 'suites/test_ike_mid_sync.c' || echo '$(srcdir)/'`suites/test_ike_mid_sync.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Tpo suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ike_mid_sync.c' object='suites/exchange_tests-test_ike_mid_sync.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_ike_mid_sync.o `test -f 'suites/test_ike_mid_sync.c' || echo '$(srcdir)/'`suites/test_ike_mid_sync.c
+
+suites/exchange_tests-test_ike_mid_sync.obj: suites/test_ike_mid_sync.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_ike_mid_sync.obj -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Tpo -c -o suites/exchange_tests-test_ike_mid_sync.obj `if test -f 'suites/test_ike_mid_sync.c'; then $(CYGPATH_W) 'suites/test_ike_mid_sync.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_mid_sync.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Tpo suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ike_mid_sync.c' object='suites/exchange_tests-test_ike_mid_sync.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_ike_mid_sync.obj `if test -f 'suites/test_ike_mid_sync.c'; then $(CYGPATH_W) 'suites/test_ike_mid_sync.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_mid_sync.c'; fi`
+
 suites/exchange_tests-test_ike_rekey.o: suites/test_ike_rekey.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_ike_rekey.o -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Tpo -c -o suites/exchange_tests-test_ike_rekey.o `test -f 'suites/test_ike_rekey.c' || echo '$(srcdir)/'`suites/test_ike_rekey.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Tpo suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Po
diff --git a/src/libcharon/tests/exchange_tests.h b/src/libcharon/tests/exchange_tests.h
index 3008672..6b35ea5 100644
--- a/src/libcharon/tests/exchange_tests.h
+++ b/src/libcharon/tests/exchange_tests.h
@@ -14,6 +14,7 @@
  */
 
 TEST_SUITE(ike_delete_suite_create)
+TEST_SUITE(ike_mid_sync_suite_create)
 TEST_SUITE(ike_rekey_suite_create)
 TEST_SUITE(child_create_suite_create)
 TEST_SUITE(child_delete_suite_create)
diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libcharon/tests/libcharon_tests.c
index 1ef13e9..3fe5b0e 100644
--- a/src/libcharon/tests/libcharon_tests.c
+++ b/src/libcharon/tests/libcharon_tests.c
@@ -45,7 +45,7 @@ static void initialize_logging()
 	lib->settings->set_int(lib->settings, "%s.filelog.stderr.default",
 			lib->settings->get_int(lib->settings, "%s.filelog.stderr.default",
 								   level, lib->ns), lib->ns);
-	charon->load_loggers(charon, NULL, TRUE);
+	charon->load_loggers(charon);
 }
 
 static bool test_runner_init(bool init)
diff --git a/src/libcharon/tests/suites/test_ike_mid_sync.c b/src/libcharon/tests/suites/test_ike_mid_sync.c
new file mode 100644
index 0000000..3776f39
--- /dev/null
+++ b/src/libcharon/tests/suites/test_ike_mid_sync.c
@@ -0,0 +1,535 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <tests/utils/exchange_test_helper.h>
+#include <tests/utils/exchange_test_asserts.h>
+#include <tests/utils/sa_asserts.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+
+/**
+ * FIXME: Since we don't have the server side yet, this is kind of a hack!!!
+ */
+
+/**
+ * Add the IKEV2_MESSAGE_ID_SYNC_SUPPORTED notify to the IKE_AUTH response
+ */
+static bool add_notify(listener_t *listener, ike_sa_t *ike_sa,
+					   message_t *message, bool incoming, bool plain)
+{
+	if (plain && !incoming && message->get_exchange_type(message) == IKE_AUTH &&
+		!message->get_request(message))
+	{
+		message->add_notify(message, FALSE, IKEV2_MESSAGE_ID_SYNC_SUPPORTED,
+							chunk_empty);
+		return FALSE;
+	}
+	return TRUE;
+}
+#define add_notify_to_ike_auth() ({ \
+	listener_t _notify_listener = { \
+		.message = add_notify, \
+	}; \
+	exchange_test_helper->add_listener(exchange_test_helper, &_notify_listener); \
+})
+
+/**
+ * Handle IKEV2_MESSAGE_ID_SYNC notifies
+ */
+typedef struct {
+	listener_t listener;
+	struct {
+		chunk_t nonce;
+		uint32_t send;
+		uint32_t recv;
+	} init, resp;
+} mid_sync_listener_t;
+
+static bool handle_mid(listener_t *listener,
+				ike_sa_t *ike_sa, message_t *message, bool incoming, bool plain)
+{
+	mid_sync_listener_t *this = (mid_sync_listener_t*)listener;
+
+	if (!plain || incoming)
+	{
+		return TRUE;
+	}
+
+	if (message->get_exchange_type(message) == INFORMATIONAL)
+	{
+		if (streq("resp", ike_sa->get_name(ike_sa)))
+		{
+			bio_writer_t *writer;
+			rng_t *rng;
+
+			rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+			ignore_result(rng->allocate_bytes(rng, 4, &this->init.nonce));
+			rng->destroy(rng);
+			writer = bio_writer_create(12);
+			writer->write_data(writer, this->init.nonce);
+			writer->write_uint32(writer, this->init.send);
+			writer->write_uint32(writer, this->init.recv);
+			message->set_message_id(message, 0);
+			message->add_notify(message, FALSE, IKEV2_MESSAGE_ID_SYNC,
+								writer->get_buf(writer));
+			writer->destroy(writer);
+		}
+		else
+		{
+			notify_payload_t *notify;
+			bio_reader_t *reader;
+
+			notify = message->get_notify(message, IKEV2_MESSAGE_ID_SYNC);
+			reader = bio_reader_create(notify->get_notification_data(notify));
+			chunk_clear(&this->resp.nonce);
+			reader->read_data(reader, 4, &this->resp.nonce);
+			this->resp.nonce = chunk_clone(this->resp.nonce);
+			reader->read_uint32(reader, &this->resp.send);
+			reader->read_uint32(reader, &this->resp.recv);
+			reader->destroy(reader);
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Send a MESSAGE_ID_SYNC notify in an INFORMATIONAL.  We reset the state
+ * afterwards so this seems as if nothing happened.
+ */
+static void send_mid_sync(ike_sa_t *sa, uint32_t send, uint32_t recv)
+{
+	call_ikesa(sa, send_dpd);
+	sa->set_message_id(sa, TRUE, send);
+	sa->set_message_id(sa, FALSE, recv);
+	sa->flush_queue(sa, TASK_QUEUE_QUEUED);
+}
+
+/**
+ * Send a regular DPD from one IKE_SA to another
+ */
+static void send_dpd(ike_sa_t *from, ike_sa_t *to)
+{
+	uint32_t send, recv;
+
+	send = from->get_message_id(from, TRUE);
+	recv = to->get_message_id(to, FALSE);
+	call_ikesa(from, send_dpd);
+	exchange_test_helper->process_message(exchange_test_helper, to, NULL);
+	exchange_test_helper->process_message(exchange_test_helper, from, NULL);
+	ck_assert_int_eq(send + 1, from->get_message_id(from, TRUE));
+	ck_assert_int_eq(recv + 1, to->get_message_id(to, FALSE));
+}
+
+/**
+ * Send a number of DPDs from on IKE_SA to the other
+ */
+static void send_dpds(ike_sa_t *from, ike_sa_t *to, int count)
+{
+	while (count--)
+	{
+		send_dpd(from, to);
+	}
+}
+
+static struct {
+	int dpds_a, dpds_b;
+	uint32_t send, recv;
+} data[] = {
+	{ 0, 0, 0, 2 },
+	{ 0, 0, 1, 3 },
+	{ 1, 0, 0, 3 },
+	{ 1, 0, 5, 8 },
+	{ 0, 1, 1, 2 },
+	{ 0, 1, 2, 2 },
+	{ 1, 1, 1, 3 },
+	{ 1, 1, 2, 4 },
+	{ 1, 2, 2, 4 },
+};
+
+/**
+ * The responder syncs message IDs with the initiator
+ */
+START_TEST(test_responder)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data[_i].send,
+			.recv = data[_i].recv,
+		},
+	};
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data[_i].dpds_a);
+	send_dpds(b, a, data[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data[_i].send, data[_i].recv);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	ck_assert_chunk_eq(mid.init.nonce, mid.resp.nonce);
+	ck_assert_int_eq(data[_i].recv, mid.resp.send);
+	ck_assert_int_eq(data[_i].send, mid.resp.recv);
+	ck_assert_int_eq(data[_i].recv, a->get_message_id(a, TRUE));
+	ck_assert_int_eq(data[_i].send, a->get_message_id(a, FALSE));
+	/* this currently won't be handled */
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+/**
+ * Make sure a retransmit is handled properly.
+ */
+START_TEST(test_retransmit)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data[_i].send,
+			.recv = data[_i].recv,
+		},
+	};
+	message_t *msg, *retransmit;
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data[_i].dpds_a);
+	send_dpds(b, a, data[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data[_i].send, data[_i].recv);
+	msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+	retransmit = message_create_from_packet(msg->get_packet(msg));
+	retransmit->parse_header(retransmit);
+	exchange_test_helper->process_message(exchange_test_helper, a, msg);
+	msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+	msg->destroy(msg);
+	exchange_test_helper->process_message(exchange_test_helper, a, retransmit);
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+/**
+ * Make sure a replayed or delayed notify is ignored.
+ */
+START_TEST(test_replay)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data[_i].send,
+			.recv = data[_i].recv,
+		},
+	};
+	message_t *msg, *replay;
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data[_i].dpds_a);
+	send_dpds(b, a, data[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data[_i].send, data[_i].recv);
+	msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+	replay = message_create_from_packet(msg->get_packet(msg));
+	replay->parse_header(replay);
+	exchange_test_helper->process_message(exchange_test_helper, a, msg);
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	exchange_test_helper->process_message(exchange_test_helper, a, replay);
+	ck_assert(!exchange_test_helper->sender->dequeue(exchange_test_helper->sender));
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+/**
+ * Make sure the notify is ignored if the extension is not enabled.
+ */
+START_TEST(test_disabled)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data[_i].send,
+			.recv = data[_i].recv,
+		},
+	};
+
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data[_i].dpds_a);
+	send_dpds(b, a, data[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data[_i].dpds_b, UINT_MAX);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	/* we don't expect a response and unchanged MIDs */
+	ck_assert(!exchange_test_helper->sender->dequeue(exchange_test_helper->sender));
+	ck_assert_int_eq(2 + data[_i].dpds_a, a->get_message_id(a, TRUE));
+	ck_assert_int_eq(data[_i].dpds_b, a->get_message_id(a, FALSE));
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+static struct {
+	int dpds_a, dpds_b;
+	uint32_t send, recv;
+} data_too_low[] = {
+	{ 0, 1, 0, 2 },
+	{ 1, 2, 0, 0 },
+	{ 1, 2, 1, 3 },
+};
+
+/**
+ * The responder syncs message IDs with the initiator but uses too low sender
+ * MIDs so the initiator ignores the notify.
+ */
+START_TEST(test_sender_too_low)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data_too_low[_i].send,
+			.recv = data_too_low[_i].recv,
+		},
+	};
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data_too_low[_i].dpds_a);
+	send_dpds(b, a, data_too_low[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data_too_low[_i].dpds_b, UINT_MAX);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	/* we don't expect a response and unchanged MIDs */
+	ck_assert(!exchange_test_helper->sender->dequeue(exchange_test_helper->sender));
+	ck_assert_int_eq(2 + data_too_low[_i].dpds_a, a->get_message_id(a, TRUE));
+	ck_assert_int_eq(data_too_low[_i].dpds_b, a->get_message_id(a, FALSE));
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+}
+END_TEST
+
+static struct {
+	int dpds_a, dpds_b;
+	uint32_t send, recv;
+	/* reversed so the table below is clearer */
+	uint32_t recv_exp, send_exp;
+} data_recv_update[] = {
+	{ 0, 0, 0, 0, 0, 2 },
+	{ 0, 0, 0, 1, 0, 2 },
+	{ 0, 0, 1, 1, 1, 2 },
+	{ 1, 0, 0, 1, 0, 3 },
+	{ 1, 0, 5, 2, 5, 3 },
+};
+
+/**
+ * The responder syncs message IDs with the initiator but uses too low receiver
+ * MID, which is updated by the initiator in the response.
+ */
+START_TEST(test_recv_update)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data_recv_update[_i].send,
+			.recv = data_recv_update[_i].recv,
+		},
+	};
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data_recv_update[_i].dpds_a);
+	send_dpds(b, a, data_recv_update[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data_recv_update[_i].send, data_recv_update[_i].recv);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	ck_assert_chunk_eq(mid.init.nonce, mid.resp.nonce);
+	ck_assert_int_eq(data_recv_update[_i].send_exp, mid.resp.send);
+	ck_assert_int_eq(data_recv_update[_i].recv_exp, mid.resp.recv);
+	ck_assert_int_eq(data_recv_update[_i].send_exp, a->get_message_id(a, TRUE));
+	ck_assert_int_eq(data_recv_update[_i].recv_exp, a->get_message_id(a, FALSE));
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+	/* fake the receipt of the notify */
+	b->set_message_id(b, TRUE, data_recv_update[_i].recv_exp);
+	b->set_message_id(b, FALSE, data_recv_update[_i].send_exp);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+static struct {
+	int dpds_a, dpds_b;
+	uint32_t send, recv;
+	/* reversed so the table below is clearer */
+	uint32_t recv_exp, send_exp;
+} data_active[] = {
+	{ 0, 0, 0, 2, 0, 3 },
+	{ 0, 0, 1, 3, 1, 3 },
+	{ 1, 0, 0, 3, 0, 4 },
+	{ 1, 0, 5, 8, 5, 8 },
+	{ 0, 1, 1, 2, 1, 3 },
+	{ 0, 1, 2, 2, 2, 2 },
+	{ 1, 1, 1, 3, 1, 4 },
+	{ 1, 1, 2, 4, 2, 4 },
+};
+
+/**
+ * The responder syncs message IDs with the initiator that waits for the
+ * response for an active task.
+ */
+START_TEST(test_active)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data_active[_i].send,
+			.recv = data_active[_i].recv,
+		},
+	};
+	message_t *msg;
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data_active[_i].dpds_a);
+	send_dpds(b, a, data_active[_i].dpds_b);
+
+	call_ikesa(a, send_dpd);
+	msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+	msg->destroy(msg);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data_active[_i].recv_exp, data_active[_i].send_exp);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	ck_assert_chunk_eq(mid.init.nonce, mid.resp.nonce);
+	ck_assert_int_eq(data_active[_i].send_exp, mid.resp.send);
+	ck_assert_int_eq(data_active[_i].recv_exp, mid.resp.recv);
+	ck_assert_int_eq(data_active[_i].send_exp, a->get_message_id(a, TRUE));
+	ck_assert_int_eq(data_active[_i].recv_exp, a->get_message_id(a, FALSE));
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	/* the active task was queued again */
+	call_ikesa(a, initiate, NULL, 0, NULL, NULL);
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+Suite *ike_mid_sync_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("ike MID sync");
+
+	tc = tcase_create("responder");
+	tcase_add_loop_test(tc, test_responder, 0, countof(data));
+	tcase_add_loop_test(tc, test_retransmit, 0, countof(data));
+	tcase_add_loop_test(tc, test_replay, 0, countof(data));
+	tcase_add_loop_test(tc, test_disabled, 0, countof(data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("sender MID too low");
+	tcase_add_loop_test(tc, test_sender_too_low, 0, countof(data_too_low));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("receiver MID updated");
+	tcase_add_loop_test(tc, test_recv_update, 0, countof(data_recv_update));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("active task");
+	tcase_add_loop_test(tc, test_active, 0, countof(data_active));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
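Review bot: `add_notify_to_ike_auth()` registers `&_notify_listener`, but that variable is declared inside the `({ ... })` statement expression, so its lifetime ends when the macro's expression has been evaluated, before `establish_sa()` gets to invoke the callback. Assuming `add_listener` stores the pointer rather than copying the struct (the tests later remove `&mid.listener` by address, which suggests it does), the bus then calls through a stack object that is out of scope and whose slot the compiler may reuse. Giving it static storage avoids that: `static listener_t _notify_listener = { .message = add_notify, };`. Separately, the else branch of `handle_mid` dereferences the result of `message->get_notify(message, IKEV2_MESSAGE_ID_SYNC)` without a NULL check and ignores the `read_data`/`read_uint32` results, so an unexpected INFORMATIONAL would crash the runner rather than fail an assertion; a `ck_assert(notify);` before the first use would turn that into a clean test failure.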
diff --git a/src/libcharon/tests/suites/test_proposal.c b/src/libcharon/tests/suites/test_proposal.c
index 19f4cd1..f159179 100644
--- a/src/libcharon/tests/suites/test_proposal.c
+++ b/src/libcharon/tests/suites/test_proposal.c
@@ -108,7 +108,7 @@ START_TEST(test_select)
 									   select_data[_i].self);
 	other = proposal_create_from_string(select_data[_i].proto,
 										select_data[_i].other);
-	selected = self->select(self, other, FALSE);
+	selected = self->select(self, other, TRUE, FALSE);
 	if (select_data[_i].expected)
 	{
 		expected = proposal_create_from_string(select_data[_i].proto,
@@ -128,6 +128,29 @@ START_TEST(test_select)
 }
 END_TEST
 
+START_TEST(test_select_spi)
+{
+	proposal_t *self, *other, *selected;
+
+	self = proposal_create_from_string(PROTO_ESP, "aes128-sha256-modp3072");
+	other = proposal_create_from_string(PROTO_ESP, "aes128-sha256-modp3072");
+	other->set_spi(other, 0x12345678);
+
+	selected = self->select(self, other, TRUE, FALSE);
+	ck_assert(selected);
+	ck_assert_int_eq(selected->get_spi(selected), other->get_spi(other));
+	selected->destroy(selected);
+
+	selected = self->select(self, other, FALSE, FALSE);
+	ck_assert(selected);
+	ck_assert_int_eq(selected->get_spi(selected), self->get_spi(self));
+	selected->destroy(selected);
+
+	other->destroy(other);
+	self->destroy(self);
+}
+END_TEST
+
 Suite *proposal_suite_create()
 {
 	Suite *s;
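Review bot: The second assertion in `test_select_spi` compares against `self->get_spi(self)`, but `self` never has an SPI set, so the check presumably compares against a default value and would also pass if `select()` left the SPI untouched. Setting a distinct value on `self` first, e.g. `self->set_spi(self, 0x87654321);` (constructed sample value), makes both settings of the new flag observable. A short comment naming what the third argument to `select()` controls would also help, since `TRUE, FALSE` is opaque at the call site.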
@@ -141,6 +164,7 @@ Suite *proposal_suite_create()
 
 	tc = tcase_create("select");
 	tcase_add_loop_test(tc, test_select, 0, countof(select_data));
+	tcase_add_test(tc, test_select_spi);
 	suite_add_tcase(s, tc);
 
 	return s;
diff --git a/src/libcharon/tests/utils/exchange_test_helper.c b/src/libcharon/tests/utils/exchange_test_helper.c
index f32906d..fce0cce 100644
--- a/src/libcharon/tests/utils/exchange_test_helper.c
+++ b/src/libcharon/tests/utils/exchange_test_helper.c
@@ -282,7 +282,7 @@ static void initialize_logging()
 								   level, lib->ns), lib->ns);
 	lib->settings->set_bool(lib->settings, "%s.filelog.stderr.ike_name", TRUE,
 							lib->ns);
-	charon->load_loggers(charon, NULL, TRUE);
+	charon->load_loggers(charon);
 }
 
 /**
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 79a9d74..c3512b6 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 4e5be54..b0b55fb 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -532,7 +532,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -567,6 +566,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in
index f5c73ef..0475cee 100644
--- a/src/libimcv/plugins/imc_attestation/Makefile.in
+++ b/src/libimcv/plugins/imc_attestation/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_hcd/Makefile.in b/src/libimcv/plugins/imc_hcd/Makefile.in
index ffc5710..e2f1dc5 100644
--- a/src/libimcv/plugins/imc_hcd/Makefile.in
+++ b/src/libimcv/plugins/imc_hcd/Makefile.in
@@ -355,7 +355,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -390,6 +389,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index 4d6eff5..0fa0d19 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -355,7 +355,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -390,6 +389,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index 7e18b3c..1b776b2 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -356,7 +356,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -391,6 +390,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in
index f97a7ba..13d1924 100644
--- a/src/libimcv/plugins/imc_swid/Makefile.in
+++ b/src/libimcv/plugins/imc_swid/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 95acd4b..7a4149e 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -355,7 +355,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -390,6 +389,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in
index 2be4e15..9782757 100644
--- a/src/libimcv/plugins/imv_attestation/Makefile.in
+++ b/src/libimcv/plugins/imv_attestation/Makefile.in
@@ -369,7 +369,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -404,6 +403,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_hcd/Makefile.in b/src/libimcv/plugins/imv_hcd/Makefile.in
index 1c3d0ac..62bd827 100644
--- a/src/libimcv/plugins/imv_hcd/Makefile.in
+++ b/src/libimcv/plugins/imv_hcd/Makefile.in
@@ -355,7 +355,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -390,6 +389,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index b119559..efefdc8 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 22eb4ae..535e28f 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in
index 21bbe4a..1150f12 100644
--- a/src/libimcv/plugins/imv_swid/Makefile.in
+++ b/src/libimcv/plugins/imv_swid/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index a32a465..055d6fd 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -356,7 +356,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -391,6 +390,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
index 90b4561..a35aba2 100644
--- a/src/libipsec/Makefile.am
+++ b/src/libipsec/Makefile.am
@@ -16,6 +16,10 @@ ipsec_sa_mgr.c ipsec_sa_mgr.h
 libipsec_la_LIBADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
+if USE_WINDOWS
+  libipsec_la_LIBADD += -lws2_32
+endif
+
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan
 
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index ea73c60..7d514fd 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -88,6 +88,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+ at USE_WINDOWS_TRUE@am__append_1 = -lws2_32
 subdir = src/libipsec
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -136,8 +137,10 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
 libipsec_la_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1)
 am_libipsec_la_OBJECTS = ipsec.lo esp_context.lo esp_packet.lo \
 	ip_packet.lo ipsec_event_relay.lo ipsec_policy.lo \
 	ipsec_policy_mgr.lo ipsec_processor.lo ipsec_sa.lo \
@@ -397,7 +400,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -432,6 +434,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -495,9 +498,9 @@ ipsec_processor.c ipsec_processor.h \
 ipsec_sa.c ipsec_sa.h \
 ipsec_sa_mgr.c ipsec_sa_mgr.h
 
-libipsec_la_LIBADD = \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-
+libipsec_la_LIBADD =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__append_1)
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan
 
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index 6c7e9a1..c014e68 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -210,19 +210,32 @@ METHOD(esp_context_t, destroy, void,
 static bool create_aead(private_esp_context_t *this, int alg,
 						chunk_t key)
 {
+	size_t salt = 0;
+
 	switch (alg)
 	{
 		case ENCR_AES_GCM_ICV8:
 		case ENCR_AES_GCM_ICV12:
 		case ENCR_AES_GCM_ICV16:
 		case ENCR_CHACHA20_POLY1305:
-			/* the key includes a 4 byte salt */
-			this->aead = lib->crypto->create_aead(lib->crypto, alg,
-												  key.len - 4, 4);
+			salt = 4;
+			break;
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+		case ENCR_CAMELLIA_CCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV16:
+			salt = 3;
 			break;
 		default:
 			break;
 	}
+	if (salt)
+	{
+		this->aead = lib->crypto->create_aead(lib->crypto, alg,
+											  key.len - salt, salt);
+	}
 	if (!this->aead)
 	{
 		DBG1(DBG_ESP, "failed to create ESP context: unsupported AEAD "
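Review bot: `key.len - salt` is computed without checking that the key is longer than the salt, so a too-short key wraps the unsigned subtraction and a huge key size is passed to `create_aead()`. That most likely just fails and falls into the "unsupported AEAD" message below, which misreports the cause; guarding with `if (salt && key.len > salt)` and logging the short key separately would make the failure diagnosable. The old comment explaining the 4-byte salt was removed, so a one-line comment on the 4-byte and 3-byte salt cases would be worth adding. The function body continues past the end of this hunk.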
diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c
index 50bc8b4..2c52177 100644
--- a/src/libipsec/esp_packet.c
+++ b/src/libipsec/esp_packet.c
@@ -25,7 +25,9 @@
 #include <bio/bio_reader.h>
 #include <bio/bio_writer.h>
 
+#ifndef WIN32
 #include <netinet/in.h>
+#endif
 
 typedef struct private_esp_packet_t private_esp_packet_t;
 
diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c
index 0fdd5d3..78b4c40 100644
--- a/src/libipsec/ip_packet.c
+++ b/src/libipsec/ip_packet.c
@@ -20,11 +20,40 @@
 #include <utils/debug.h>
 
 #include <sys/types.h>
+
+#ifndef WIN32
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #ifdef HAVE_NETINET_IP6_H
 #include <netinet/ip6.h>
 #endif
+#else
+struct ip {
+#if BYTE_ORDER == LITTLE_ENDIAN
+	uint8_t ip_hl: 4;
+	uint8_t ip_v: 4;
+#elif BYTE_ORDER == BIG_ENDIAN
+	uint8_t ip_v: 4;
+	uint8_t ip_hl: 4;
+#endif
+	uint8_t ip_tos;
+	uint16_t ip_len;
+	uint16_t ip_id;
+	uint16_t ip_off;
+	uint8_t ip_ttl;
+	uint8_t ip_p;
+	uint16_t ip_sum;
+	struct in_addr ip_src, ip_dst;
+} __attribute__((packed));
+struct ip6_hdr {
+	uint32_t ip6_flow; /* 4 bit version, 8 bit TC, 20 bit flow label */
+	uint16_t ip6_plen;
+	uint8_t ip6_nxt;
+	uint8_t ip6_hlim;
+	struct in6_addr ip6_src, ip6_dst;
+} __attribute__((packed));
+#define HAVE_NETINET_IP6_H /* not really, but we only need the struct above */
+#endif
 
 /**
  * TCP header, defined here because platforms disagree regarding member names
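Review bot: The WIN32 fallback `struct ip` picks the `ip_hl`/`ip_v` bit-field order with `#if`/`#elif` and has no `#else`, so a build where neither comparison holds silently yields a struct without those fields and every later member is shifted; if `BYTE_ORDER` is undefined the first branch is taken without any diagnostic. Because these structs are overlaid on received packet data, I would add `#else` / `#error "unknown byte order"` before the inner `#endif`. Bit-field layout and `__attribute__((packed))` are compiler-specific, so a compile-time size check (20 bytes for `struct ip`, 40 for `struct ip6_hdr`) would catch a toolchain that lays them out differently.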
diff --git a/src/libipsec/ipsec_policy.c b/src/libipsec/ipsec_policy.c
index 8077d3c..98201b8 100644
--- a/src/libipsec/ipsec_policy.c
+++ b/src/libipsec/ipsec_policy.c
@@ -101,6 +101,24 @@ METHOD(ipsec_policy_t, match, bool,
 			this->dst_ts->equals(this->dst_ts, dst_ts));
 }
 
+/**
+ * Match the port of the given host against the given traffic selector.
+ */
+static inline bool match_port(traffic_selector_t *ts, host_t *host)
+{
+	uint16_t from, to, port;
+
+	from = ts->get_from_port(ts);
+	to = ts->get_to_port(ts);
+	if ((from == 0 && to == 0xffff) ||
+		(from == 0xffff && to == 0))
+	{
+		return TRUE;
+	}
+	port = host->get_port(host);
+	return from <= port && port <= to;
+}
+
 METHOD(ipsec_policy_t, match_packet, bool,
 	private_ipsec_policy_t *this, ip_packet_t *packet)
 {
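Review bot: `match_port()` returns TRUE for the inverted range `from == 0xffff && to == 0` without saying why; presumably this is the traffic selector's OPAQUE encoding, and treating it as match-any deserves a comment so the next reader does not take it for a typo. I would extend the doc comment with something like `* 0-65535 matches any port; 65535-0 (presumably OPAQUE) is also treated as a wildcard.` It is also worth confirming what `host->get_port()` returns for protocols without ports, because `match_packet` in the next hunk applies the port check regardless of `proto`; that cannot be told from these hunks.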
@@ -110,7 +128,9 @@ METHOD(ipsec_policy_t, match_packet, bool,
 
 	return (!this->protocol || this->protocol == proto) &&
 		   this->src_ts->includes(this->src_ts, src) &&
-		   this->dst_ts->includes(this->dst_ts, dst);
+		   match_port(this->src_ts, src) &&
+		   this->dst_ts->includes(this->dst_ts, dst) &&
+		   match_port(this->dst_ts, dst);
 }
 
 METHOD(ipsec_policy_t, get_source_ts, traffic_selector_t*,
diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
index af79707..23b8ad2 100644
--- a/src/libipsec/ipsec_processor.c
+++ b/src/libipsec/ipsec_processor.c
@@ -148,9 +148,10 @@ static job_requeue_t process_inbound(private_ipsec_processor_t *this)
 				policy->destroy(policy);
 				break;
 			}
-			DBG1(DBG_ESP, "discarding inbound IP packet %H == %H due to "
-				 "policy", ip_packet->get_source(ip_packet),
-				 ip_packet->get_destination(ip_packet));
+			DBG1(DBG_ESP, "discarding inbound IP packet %#H == %#H [%hhu] due "
+				 "to policy", ip_packet->get_source(ip_packet),
+				 ip_packet->get_destination(ip_packet),
+				 ip_packet->get_next_header(ip_packet));
 			/* no matching policy found, fall-through */
 		}
 		case IPPROTO_NONE:
@@ -198,8 +199,9 @@ static job_requeue_t process_outbound(private_ipsec_processor_t *this)
 	policy = ipsec->policies->find_by_packet(ipsec->policies, packet, FALSE, 0);
 	if (!policy)
 	{
-		DBG2(DBG_ESP, "no matching outbound IPsec policy for %H == %H",
-			 packet->get_source(packet), packet->get_destination(packet));
+		DBG2(DBG_ESP, "no matching outbound IPsec policy for %#H == %#H [%hhu]",
+			 packet->get_source(packet), packet->get_destination(packet),
+			 packet->get_next_header(packet));
 		packet->destroy(packet);
 		return JOB_REQUEUE_DIRECT;
 	}
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
index ec35c6e..a1fa23e 100644
--- a/src/libipsec/ipsec_sa_mgr.c
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2017 Tobias Brunner
  * Copyright (C) 2012 Giuliano Grassi
  * Copyright (C) 2012 Ralf Sager
  * Hochschule fuer Technik Rapperswil
@@ -398,7 +398,21 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
 	private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, uint8_t protocol,
 	uint32_t *spi)
 {
-	uint32_t spi_new;
+	uint32_t spi_min, spi_max, spi_new;
+
+	spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
+									 0x00000100, lib->ns);
+	spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
+									 0xffffffff, lib->ns);
+	if (spi_min > spi_max)
+	{
+		spi_new = spi_min;
+		spi_min = spi_max;
+		spi_max = spi_new;
+	}
+	/* make sure the SPI is valid (not in range 0-255) */
+	spi_min = max(spi_min, 0x00000100);
+	spi_max = max(spi_max, 0x00000100);
 
 	this->mutex->lock(this->mutex);
 	if (!this->rng)
@@ -421,8 +435,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
 			DBG1(DBG_ESP, "failed to allocate SPI");
 			return FAILED;
 		}
-		/* make sure the SPI is valid (not in range 0-255) */
-		spi_new |= 0x00000100;
+		spi_new = spi_min + spi_new % (spi_max - spi_min + 1);
 		spi_new = htonl(spi_new);
 	}
 	while (!allocate_spi(this, spi_new));
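Review bot: With `spi_min`/`spi_max` now configurable, the `while (!allocate_spi(this, spi_new))` retry has no bound: a narrow range whose SPIs are all in use keeps the loop drawing random values indefinitely. The loop head is outside this hunk, so whether the mutex is held meanwhile cannot be seen here. A retry cap that returns `FAILED` with a log message, or a documented minimum range size for the two options, would turn that into a diagnosable error. A comment on the modulo line would also help: `/* range is inclusive; spi_min >= 0x100 after clamping, so the modulus is never 0 */`.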
diff --git a/src/libipsec/tests/Makefile.in b/src/libipsec/tests/Makefile.in
index 0c1d858..e81d6fc 100644
--- a/src/libipsec/tests/Makefile.in
+++ b/src/libipsec/tests/Makefile.in
@@ -353,7 +353,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -388,6 +387,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index 14e4a6b..fd3e763 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index 8106295..8f91275 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -353,7 +353,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -388,6 +387,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index ea053a3..6af66e3 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -356,7 +356,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -391,6 +390,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 0e8f7f3..a5e6b72 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -64,12 +64,17 @@ LOCAL_SRC_FILES := $(libstrongswan_la_SOURCES)
 
 LOCAL_SRC_FILES += $(call add_plugin, aes)
 
+LOCAL_SRC_FILES += $(call add_plugin, chapoly)
+
 LOCAL_SRC_FILES += $(call add_plugin, curl)
 ifneq ($(call plugin_enabled, curl),)
 LOCAL_C_INCLUDES += $(libcurl_PATH)
 LOCAL_SHARED_LIBRARIES += libcurl
 endif
 
+LOCAL_SRC_FILES += $(call add_plugin, curve25519)
+LOCAL_SRC_FILES += $(call add_plugin_subdirs, curve25519, ref10)
+
 LOCAL_SRC_FILES += $(call add_plugin, des)
 
 LOCAL_SRC_FILES += $(call add_plugin, fips-prf)
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 52ae7c6..f6d6f54 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -313,6 +313,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_CURVE25519
+  SUBDIRS += plugins/curve25519
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/curve25519/libstrongswan-curve25519.la
+endif
+endif
+
 if USE_RDRAND
   SUBDIRS += plugins/rdrand
 if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 3eec966..99bb115 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -152,97 +152,99 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_SHA3_TRUE at am__append_38 = plugins/sha3/libstrongswan-sha3.la
 @USE_GMP_TRUE at am__append_39 = plugins/gmp
 @MONOLITHIC_TRUE@@USE_GMP_TRUE at am__append_40 = plugins/gmp/libstrongswan-gmp.la
- at USE_RDRAND_TRUE@am__append_41 = plugins/rdrand
- at MONOLITHIC_TRUE@@USE_RDRAND_TRUE at am__append_42 = plugins/rdrand/libstrongswan-rdrand.la
- at USE_AESNI_TRUE@am__append_43 = plugins/aesni
- at MONOLITHIC_TRUE@@USE_AESNI_TRUE at am__append_44 = plugins/aesni/libstrongswan-aesni.la
- at USE_RANDOM_TRUE@am__append_45 = plugins/random
- at MONOLITHIC_TRUE@@USE_RANDOM_TRUE at am__append_46 = plugins/random/libstrongswan-random.la
- at USE_NONCE_TRUE@am__append_47 = plugins/nonce
- at MONOLITHIC_TRUE@@USE_NONCE_TRUE at am__append_48 = plugins/nonce/libstrongswan-nonce.la
- at USE_HMAC_TRUE@am__append_49 = plugins/hmac
- at MONOLITHIC_TRUE@@USE_HMAC_TRUE at am__append_50 = plugins/hmac/libstrongswan-hmac.la
- at USE_CMAC_TRUE@am__append_51 = plugins/cmac
- at MONOLITHIC_TRUE@@USE_CMAC_TRUE at am__append_52 = plugins/cmac/libstrongswan-cmac.la
- at USE_XCBC_TRUE@am__append_53 = plugins/xcbc
- at MONOLITHIC_TRUE@@USE_XCBC_TRUE at am__append_54 = plugins/xcbc/libstrongswan-xcbc.la
- at USE_X509_TRUE@am__append_55 = plugins/x509
- at MONOLITHIC_TRUE@@USE_X509_TRUE at am__append_56 = plugins/x509/libstrongswan-x509.la
- at USE_REVOCATION_TRUE@am__append_57 = plugins/revocation
- at MONOLITHIC_TRUE@@USE_REVOCATION_TRUE at am__append_58 = plugins/revocation/libstrongswan-revocation.la
- at USE_CONSTRAINTS_TRUE@am__append_59 = plugins/constraints
- at MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE at am__append_60 = plugins/constraints/libstrongswan-constraints.la
- at USE_ACERT_TRUE@am__append_61 = plugins/acert
- at MONOLITHIC_TRUE@@USE_ACERT_TRUE at am__append_62 = plugins/acert/libstrongswan-acert.la
- at USE_PUBKEY_TRUE@am__append_63 = plugins/pubkey
- at MONOLITHIC_TRUE@@USE_PUBKEY_TRUE at am__append_64 = plugins/pubkey/libstrongswan-pubkey.la
- at USE_PKCS1_TRUE@am__append_65 = plugins/pkcs1
- at MONOLITHIC_TRUE@@USE_PKCS1_TRUE at am__append_66 = plugins/pkcs1/libstrongswan-pkcs1.la
- at USE_PKCS7_TRUE@am__append_67 = plugins/pkcs7
- at MONOLITHIC_TRUE@@USE_PKCS7_TRUE at am__append_68 = plugins/pkcs7/libstrongswan-pkcs7.la
- at USE_PKCS8_TRUE@am__append_69 = plugins/pkcs8
- at MONOLITHIC_TRUE@@USE_PKCS8_TRUE at am__append_70 = plugins/pkcs8/libstrongswan-pkcs8.la
- at USE_PKCS12_TRUE@am__append_71 = plugins/pkcs12
- at MONOLITHIC_TRUE@@USE_PKCS12_TRUE at am__append_72 = plugins/pkcs12/libstrongswan-pkcs12.la
- at USE_PGP_TRUE@am__append_73 = plugins/pgp
- at MONOLITHIC_TRUE@@USE_PGP_TRUE at am__append_74 = plugins/pgp/libstrongswan-pgp.la
- at USE_DNSKEY_TRUE@am__append_75 = plugins/dnskey
- at MONOLITHIC_TRUE@@USE_DNSKEY_TRUE at am__append_76 = plugins/dnskey/libstrongswan-dnskey.la
- at USE_SSHKEY_TRUE@am__append_77 = plugins/sshkey
- at MONOLITHIC_TRUE@@USE_SSHKEY_TRUE at am__append_78 = plugins/sshkey/libstrongswan-sshkey.la
- at USE_PEM_TRUE@am__append_79 = plugins/pem
- at MONOLITHIC_TRUE@@USE_PEM_TRUE at am__append_80 = plugins/pem/libstrongswan-pem.la
- at USE_CURL_TRUE@am__append_81 = plugins/curl
- at MONOLITHIC_TRUE@@USE_CURL_TRUE at am__append_82 = plugins/curl/libstrongswan-curl.la
- at USE_FILES_TRUE@am__append_83 = plugins/files
- at MONOLITHIC_TRUE@@USE_FILES_TRUE at am__append_84 = plugins/files/libstrongswan-files.la
- at USE_WINHTTP_TRUE@am__append_85 = plugins/winhttp
- at MONOLITHIC_TRUE@@USE_WINHTTP_TRUE at am__append_86 = plugins/winhttp/libstrongswan-winhttp.la
- at USE_UNBOUND_TRUE@am__append_87 = plugins/unbound
- at MONOLITHIC_TRUE@@USE_UNBOUND_TRUE at am__append_88 = plugins/unbound/libstrongswan-unbound.la
- at USE_SOUP_TRUE@am__append_89 = plugins/soup
- at MONOLITHIC_TRUE@@USE_SOUP_TRUE at am__append_90 = plugins/soup/libstrongswan-soup.la
- at USE_LDAP_TRUE@am__append_91 = plugins/ldap
- at MONOLITHIC_TRUE@@USE_LDAP_TRUE at am__append_92 = plugins/ldap/libstrongswan-ldap.la
- at USE_MYSQL_TRUE@am__append_93 = plugins/mysql
- at MONOLITHIC_TRUE@@USE_MYSQL_TRUE at am__append_94 = plugins/mysql/libstrongswan-mysql.la
- at USE_SQLITE_TRUE@am__append_95 = plugins/sqlite
- at MONOLITHIC_TRUE@@USE_SQLITE_TRUE at am__append_96 = plugins/sqlite/libstrongswan-sqlite.la
- at USE_PADLOCK_TRUE@am__append_97 = plugins/padlock
- at MONOLITHIC_TRUE@@USE_PADLOCK_TRUE at am__append_98 = plugins/padlock/libstrongswan-padlock.la
- at USE_OPENSSL_TRUE@am__append_99 = plugins/openssl
- at MONOLITHIC_TRUE@@USE_OPENSSL_TRUE at am__append_100 = plugins/openssl/libstrongswan-openssl.la
- at USE_GCRYPT_TRUE@am__append_101 = plugins/gcrypt
- at MONOLITHIC_TRUE@@USE_GCRYPT_TRUE at am__append_102 = plugins/gcrypt/libstrongswan-gcrypt.la
- at USE_FIPS_PRF_TRUE@am__append_103 = plugins/fips_prf
- at MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE at am__append_104 = plugins/fips_prf/libstrongswan-fips-prf.la
- at USE_AGENT_TRUE@am__append_105 = plugins/agent
- at MONOLITHIC_TRUE@@USE_AGENT_TRUE at am__append_106 = plugins/agent/libstrongswan-agent.la
- at USE_KEYCHAIN_TRUE@am__append_107 = plugins/keychain
- at MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE at am__append_108 = plugins/keychain/libstrongswan-keychain.la
- at USE_PKCS11_TRUE@am__append_109 = plugins/pkcs11
- at MONOLITHIC_TRUE@@USE_PKCS11_TRUE at am__append_110 = plugins/pkcs11/libstrongswan-pkcs11.la
- at USE_CHAPOLY_TRUE@am__append_111 = plugins/chapoly
- at MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE at am__append_112 = plugins/chapoly/libstrongswan-chapoly.la
- at USE_CTR_TRUE@am__append_113 = plugins/ctr
- at MONOLITHIC_TRUE@@USE_CTR_TRUE at am__append_114 = plugins/ctr/libstrongswan-ctr.la
- at USE_CCM_TRUE@am__append_115 = plugins/ccm
- at MONOLITHIC_TRUE@@USE_CCM_TRUE at am__append_116 = plugins/ccm/libstrongswan-ccm.la
- at USE_GCM_TRUE@am__append_117 = plugins/gcm
- at MONOLITHIC_TRUE@@USE_GCM_TRUE at am__append_118 = plugins/gcm/libstrongswan-gcm.la
- at USE_MGF1_TRUE@am__append_119 = plugins/mgf1
- at MONOLITHIC_TRUE@@USE_MGF1_TRUE at am__append_120 = plugins/mgf1/libstrongswan-mgf1.la
- at USE_NTRU_TRUE@am__append_121 = plugins/ntru
- at MONOLITHIC_TRUE@@USE_NTRU_TRUE at am__append_122 = plugins/ntru/libstrongswan-ntru.la
- at USE_BLISS_TRUE@am__append_123 = plugins/bliss
- at MONOLITHIC_TRUE@@USE_BLISS_TRUE at am__append_124 = plugins/bliss/libstrongswan-bliss.la
- at USE_NEWHOPE_TRUE@am__append_125 = plugins/newhope
- at MONOLITHIC_TRUE@@USE_NEWHOPE_TRUE at am__append_126 = plugins/newhope/libstrongswan-newhope.la
- at USE_TEST_VECTORS_TRUE@am__append_127 = plugins/test_vectors
- at MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE at am__append_128 = plugins/test_vectors/libstrongswan-test-vectors.la
- at USE_LIBNTTFFT_TRUE@am__append_129 = math/libnttfft/tests
- at USE_BLISS_TRUE@am__append_130 = plugins/bliss/tests
- at USE_NEWHOPE_TRUE@am__append_131 = plugins/newhope/tests
+ at USE_CURVE25519_TRUE@am__append_41 = plugins/curve25519
+ at MONOLITHIC_TRUE@@USE_CURVE25519_TRUE at am__append_42 = plugins/curve25519/libstrongswan-curve25519.la
+ at USE_RDRAND_TRUE@am__append_43 = plugins/rdrand
+ at MONOLITHIC_TRUE@@USE_RDRAND_TRUE at am__append_44 = plugins/rdrand/libstrongswan-rdrand.la
+ at USE_AESNI_TRUE@am__append_45 = plugins/aesni
+ at MONOLITHIC_TRUE@@USE_AESNI_TRUE at am__append_46 = plugins/aesni/libstrongswan-aesni.la
+ at USE_RANDOM_TRUE@am__append_47 = plugins/random
+ at MONOLITHIC_TRUE@@USE_RANDOM_TRUE at am__append_48 = plugins/random/libstrongswan-random.la
+ at USE_NONCE_TRUE@am__append_49 = plugins/nonce
+ at MONOLITHIC_TRUE@@USE_NONCE_TRUE at am__append_50 = plugins/nonce/libstrongswan-nonce.la
+ at USE_HMAC_TRUE@am__append_51 = plugins/hmac
+ at MONOLITHIC_TRUE@@USE_HMAC_TRUE at am__append_52 = plugins/hmac/libstrongswan-hmac.la
+ at USE_CMAC_TRUE@am__append_53 = plugins/cmac
+ at MONOLITHIC_TRUE@@USE_CMAC_TRUE at am__append_54 = plugins/cmac/libstrongswan-cmac.la
+ at USE_XCBC_TRUE@am__append_55 = plugins/xcbc
+ at MONOLITHIC_TRUE@@USE_XCBC_TRUE at am__append_56 = plugins/xcbc/libstrongswan-xcbc.la
+ at USE_X509_TRUE@am__append_57 = plugins/x509
+ at MONOLITHIC_TRUE@@USE_X509_TRUE at am__append_58 = plugins/x509/libstrongswan-x509.la
+ at USE_REVOCATION_TRUE@am__append_59 = plugins/revocation
+ at MONOLITHIC_TRUE@@USE_REVOCATION_TRUE at am__append_60 = plugins/revocation/libstrongswan-revocation.la
+ at USE_CONSTRAINTS_TRUE@am__append_61 = plugins/constraints
+ at MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE at am__append_62 = plugins/constraints/libstrongswan-constraints.la
+ at USE_ACERT_TRUE@am__append_63 = plugins/acert
+ at MONOLITHIC_TRUE@@USE_ACERT_TRUE at am__append_64 = plugins/acert/libstrongswan-acert.la
+ at USE_PUBKEY_TRUE@am__append_65 = plugins/pubkey
+ at MONOLITHIC_TRUE@@USE_PUBKEY_TRUE at am__append_66 = plugins/pubkey/libstrongswan-pubkey.la
+ at USE_PKCS1_TRUE@am__append_67 = plugins/pkcs1
+ at MONOLITHIC_TRUE@@USE_PKCS1_TRUE at am__append_68 = plugins/pkcs1/libstrongswan-pkcs1.la
+ at USE_PKCS7_TRUE@am__append_69 = plugins/pkcs7
+ at MONOLITHIC_TRUE@@USE_PKCS7_TRUE at am__append_70 = plugins/pkcs7/libstrongswan-pkcs7.la
+ at USE_PKCS8_TRUE@am__append_71 = plugins/pkcs8
+ at MONOLITHIC_TRUE@@USE_PKCS8_TRUE at am__append_72 = plugins/pkcs8/libstrongswan-pkcs8.la
+ at USE_PKCS12_TRUE@am__append_73 = plugins/pkcs12
+ at MONOLITHIC_TRUE@@USE_PKCS12_TRUE at am__append_74 = plugins/pkcs12/libstrongswan-pkcs12.la
+ at USE_PGP_TRUE@am__append_75 = plugins/pgp
+ at MONOLITHIC_TRUE@@USE_PGP_TRUE at am__append_76 = plugins/pgp/libstrongswan-pgp.la
+ at USE_DNSKEY_TRUE@am__append_77 = plugins/dnskey
+ at MONOLITHIC_TRUE@@USE_DNSKEY_TRUE at am__append_78 = plugins/dnskey/libstrongswan-dnskey.la
+ at USE_SSHKEY_TRUE@am__append_79 = plugins/sshkey
+ at MONOLITHIC_TRUE@@USE_SSHKEY_TRUE at am__append_80 = plugins/sshkey/libstrongswan-sshkey.la
+ at USE_PEM_TRUE@am__append_81 = plugins/pem
+ at MONOLITHIC_TRUE@@USE_PEM_TRUE at am__append_82 = plugins/pem/libstrongswan-pem.la
+ at USE_CURL_TRUE@am__append_83 = plugins/curl
+ at MONOLITHIC_TRUE@@USE_CURL_TRUE at am__append_84 = plugins/curl/libstrongswan-curl.la
+ at USE_FILES_TRUE@am__append_85 = plugins/files
+ at MONOLITHIC_TRUE@@USE_FILES_TRUE at am__append_86 = plugins/files/libstrongswan-files.la
+ at USE_WINHTTP_TRUE@am__append_87 = plugins/winhttp
+ at MONOLITHIC_TRUE@@USE_WINHTTP_TRUE at am__append_88 = plugins/winhttp/libstrongswan-winhttp.la
+ at USE_UNBOUND_TRUE@am__append_89 = plugins/unbound
+ at MONOLITHIC_TRUE@@USE_UNBOUND_TRUE at am__append_90 = plugins/unbound/libstrongswan-unbound.la
+ at USE_SOUP_TRUE@am__append_91 = plugins/soup
+ at MONOLITHIC_TRUE@@USE_SOUP_TRUE at am__append_92 = plugins/soup/libstrongswan-soup.la
+ at USE_LDAP_TRUE@am__append_93 = plugins/ldap
+ at MONOLITHIC_TRUE@@USE_LDAP_TRUE at am__append_94 = plugins/ldap/libstrongswan-ldap.la
+ at USE_MYSQL_TRUE@am__append_95 = plugins/mysql
+ at MONOLITHIC_TRUE@@USE_MYSQL_TRUE at am__append_96 = plugins/mysql/libstrongswan-mysql.la
+ at USE_SQLITE_TRUE@am__append_97 = plugins/sqlite
+ at MONOLITHIC_TRUE@@USE_SQLITE_TRUE at am__append_98 = plugins/sqlite/libstrongswan-sqlite.la
+ at USE_PADLOCK_TRUE@am__append_99 = plugins/padlock
+ at MONOLITHIC_TRUE@@USE_PADLOCK_TRUE at am__append_100 = plugins/padlock/libstrongswan-padlock.la
+ at USE_OPENSSL_TRUE@am__append_101 = plugins/openssl
+ at MONOLITHIC_TRUE@@USE_OPENSSL_TRUE at am__append_102 = plugins/openssl/libstrongswan-openssl.la
+ at USE_GCRYPT_TRUE@am__append_103 = plugins/gcrypt
+ at MONOLITHIC_TRUE@@USE_GCRYPT_TRUE at am__append_104 = plugins/gcrypt/libstrongswan-gcrypt.la
+ at USE_FIPS_PRF_TRUE@am__append_105 = plugins/fips_prf
+ at MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE at am__append_106 = plugins/fips_prf/libstrongswan-fips-prf.la
+ at USE_AGENT_TRUE@am__append_107 = plugins/agent
+ at MONOLITHIC_TRUE@@USE_AGENT_TRUE at am__append_108 = plugins/agent/libstrongswan-agent.la
+ at USE_KEYCHAIN_TRUE@am__append_109 = plugins/keychain
+ at MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE at am__append_110 = plugins/keychain/libstrongswan-keychain.la
+ at USE_PKCS11_TRUE@am__append_111 = plugins/pkcs11
+ at MONOLITHIC_TRUE@@USE_PKCS11_TRUE at am__append_112 = plugins/pkcs11/libstrongswan-pkcs11.la
+ at USE_CHAPOLY_TRUE@am__append_113 = plugins/chapoly
+ at MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE at am__append_114 = plugins/chapoly/libstrongswan-chapoly.la
+ at USE_CTR_TRUE@am__append_115 = plugins/ctr
+ at MONOLITHIC_TRUE@@USE_CTR_TRUE at am__append_116 = plugins/ctr/libstrongswan-ctr.la
+ at USE_CCM_TRUE@am__append_117 = plugins/ccm
+ at MONOLITHIC_TRUE@@USE_CCM_TRUE at am__append_118 = plugins/ccm/libstrongswan-ccm.la
+ at USE_GCM_TRUE@am__append_119 = plugins/gcm
+ at MONOLITHIC_TRUE@@USE_GCM_TRUE at am__append_120 = plugins/gcm/libstrongswan-gcm.la
+ at USE_MGF1_TRUE@am__append_121 = plugins/mgf1
+ at MONOLITHIC_TRUE@@USE_MGF1_TRUE at am__append_122 = plugins/mgf1/libstrongswan-mgf1.la
+ at USE_NTRU_TRUE@am__append_123 = plugins/ntru
+ at MONOLITHIC_TRUE@@USE_NTRU_TRUE at am__append_124 = plugins/ntru/libstrongswan-ntru.la
+ at USE_BLISS_TRUE@am__append_125 = plugins/bliss
+ at MONOLITHIC_TRUE@@USE_BLISS_TRUE at am__append_126 = plugins/bliss/libstrongswan-bliss.la
+ at USE_NEWHOPE_TRUE@am__append_127 = plugins/newhope
+ at MONOLITHIC_TRUE@@USE_NEWHOPE_TRUE at am__append_128 = plugins/newhope/libstrongswan-newhope.la
+ at USE_TEST_VECTORS_TRUE@am__append_129 = plugins/test_vectors
+ at MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE at am__append_130 = plugins/test_vectors/libstrongswan-test-vectors.la
+ at USE_LIBNTTFFT_TRUE@am__append_131 = math/libnttfft/tests
+ at USE_BLISS_TRUE@am__append_132 = plugins/bliss/tests
+ at USE_NEWHOPE_TRUE@am__append_133 = plugins/newhope/tests
 subdir = src/libstrongswan
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -320,7 +322,8 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_106) $(am__append_108) $(am__append_110) \
 	$(am__append_112) $(am__append_114) $(am__append_116) \
 	$(am__append_118) $(am__append_120) $(am__append_122) \
-	$(am__append_124) $(am__append_126) $(am__append_128)
+	$(am__append_124) $(am__append_126) $(am__append_128) \
+	$(am__append_130)
 am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
 	bio/bio_writer.c collections/blocking_queue.c \
@@ -641,19 +644,19 @@ CTAGS = ctags
 DIST_SUBDIRS = . math/libnttfft plugins/af_alg plugins/aes plugins/des \
 	plugins/blowfish plugins/rc2 plugins/md4 plugins/md5 \
 	plugins/sha1 plugins/sha2 plugins/sha3 plugins/gmp \
-	plugins/rdrand plugins/aesni plugins/random plugins/nonce \
-	plugins/hmac plugins/cmac plugins/xcbc plugins/x509 \
-	plugins/revocation plugins/constraints plugins/acert \
-	plugins/pubkey plugins/pkcs1 plugins/pkcs7 plugins/pkcs8 \
-	plugins/pkcs12 plugins/pgp plugins/dnskey plugins/sshkey \
-	plugins/pem plugins/curl plugins/files plugins/winhttp \
-	plugins/unbound plugins/soup plugins/ldap plugins/mysql \
-	plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \
-	plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \
-	plugins/chapoly plugins/ctr plugins/ccm plugins/gcm \
-	plugins/mgf1 plugins/ntru plugins/bliss plugins/newhope \
-	plugins/test_vectors tests math/libnttfft/tests \
-	plugins/bliss/tests plugins/newhope/tests
+	plugins/curve25519 plugins/rdrand plugins/aesni plugins/random \
+	plugins/nonce plugins/hmac plugins/cmac plugins/xcbc \
+	plugins/x509 plugins/revocation plugins/constraints \
+	plugins/acert plugins/pubkey plugins/pkcs1 plugins/pkcs7 \
+	plugins/pkcs8 plugins/pkcs12 plugins/pgp plugins/dnskey \
+	plugins/sshkey plugins/pem plugins/curl plugins/files \
+	plugins/winhttp plugins/unbound plugins/soup plugins/ldap \
+	plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
+	plugins/gcrypt plugins/fips_prf plugins/agent plugins/keychain \
+	plugins/pkcs11 plugins/chapoly plugins/ctr plugins/ccm \
+	plugins/gcm plugins/mgf1 plugins/ntru plugins/bliss \
+	plugins/newhope plugins/test_vectors tests \
+	math/libnttfft/tests plugins/bliss/tests plugins/newhope/tests
 am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp \
 	$(top_srcdir)/ylwrap settings/settings_lexer.c \
 	settings/settings_parser.c settings/settings_parser.h
@@ -829,7 +832,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -864,6 +866,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -1052,7 +1055,8 @@ libstrongswan_la_LIBADD = $(DLLIB) $(ATOMICLIB) $(BTLIB) $(SOCKLIB) \
 	$(am__append_106) $(am__append_108) $(am__append_110) \
 	$(am__append_112) $(am__append_114) $(am__append_116) \
 	$(am__append_118) $(am__append_120) $(am__append_122) \
-	$(am__append_124) $(am__append_126) $(am__append_128)
+	$(am__append_124) $(am__append_126) $(am__append_128) \
+	$(am__append_130)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
 	-DPLUGINDIR=\"${plugindir}\" \
@@ -1109,9 +1113,9 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_FALSE@	$(am__append_113) $(am__append_115) \
 @MONOLITHIC_FALSE@	$(am__append_117) $(am__append_119) \
 @MONOLITHIC_FALSE@	$(am__append_121) $(am__append_123) \
- at MONOLITHIC_FALSE@	$(am__append_125) $(am__append_127) tests \
- at MONOLITHIC_FALSE@	$(am__append_129) $(am__append_130) \
- at MONOLITHIC_FALSE@	$(am__append_131)
+ at MONOLITHIC_FALSE@	$(am__append_125) $(am__append_127) \
+ at MONOLITHIC_FALSE@	$(am__append_129) tests $(am__append_131) \
+ at MONOLITHIC_FALSE@	$(am__append_132) $(am__append_133)
 
 # build unit tests
 ##################
@@ -1142,9 +1146,9 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_TRUE@	$(am__append_113) $(am__append_115) \
 @MONOLITHIC_TRUE@	$(am__append_117) $(am__append_119) \
 @MONOLITHIC_TRUE@	$(am__append_121) $(am__append_123) \
- at MONOLITHIC_TRUE@	$(am__append_125) $(am__append_127) . tests \
- at MONOLITHIC_TRUE@	$(am__append_129) $(am__append_130) \
- at MONOLITHIC_TRUE@	$(am__append_131)
+ at MONOLITHIC_TRUE@	$(am__append_125) $(am__append_127) \
+ at MONOLITHIC_TRUE@	$(am__append_129) . tests $(am__append_131) \
+ at MONOLITHIC_TRUE@	$(am__append_132) $(am__append_133)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 2ee414a..5ce8403 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Martin Will
- * Copyright (C) 2000-2008 Andreas Steffen
+ * Copyright (C) 2000-2016 Andreas Steffen
  *
  * Hochschule fuer Technik Rapperswil
  *
@@ -47,6 +47,8 @@ chunk_t asn1_algorithmIdentifier(int oid)
 		case OID_ECDSA_WITH_SHA256:
 		case OID_ECDSA_WITH_SHA384:
 		case OID_ECDSA_WITH_SHA512:
+		case OID_ED25519:
+		case OID_ED448:
 			parameters = chunk_empty;
 			break;
 		default:
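Review bot: The new `case OID_ED25519:` and `case OID_ED448:` labels join the ECDSA group with no comment explaining why their AlgorithmIdentifier is built with `parameters = chunk_empty`. For the EdDSA identifiers the parameters field must be absent (RFC 8410, section 3), so a later refactor that lets them fall into the `default:` branch, whose body is outside this hunk and presumably emits an ASN.1 NULL, would produce encodings that strict verifiers reject. I would add `/* EdDSA: parameters MUST be absent, not NULL (RFC 8410) */` directly above `case OID_ED25519:`. Only the encoder is visible here; whether the matching parse path refuses EdDSA identifiers that carry parameters cannot be told from this hunk and is worth checking. The body of asn1_algorithmIdentifier starts and ends outside the hunk.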
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 4017444..bb423dc 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -201,7 +201,7 @@ const oid_t oid_names[] = {
  {              0x02,         189, 0,  7, "ecdsa-with-SHA256"               }, /* 188 */
  {              0x03,         190, 0,  7, "ecdsa-with-SHA384"               }, /* 189 */
  {              0x04,           0, 0,  7, "ecdsa-with-SHA512"               }, /* 190 */
- {0x2B,                       418, 1,  0, ""                                }, /* 191 */
+ {0x2B,                       421, 1,  0, ""                                }, /* 191 */
  {  0x06,                     332, 1,  1, "dod"                             }, /* 192 */
  {    0x01,                     0, 1,  2, "internet"                        }, /* 193 */
  {      0x04,                 283, 1,  3, "private"                         }, /* 194 */
@@ -394,109 +394,112 @@ const oid_t oid_names[] = {
  {                0x0C,       382, 0,  8, "brainpoolP384t1"                 }, /* 381 */
  {                0x0D,       383, 0,  8, "brainpoolP512r1"                 }, /* 382 */
  {                0x0E,         0, 0,  8, "brainpoolP512t1"                 }, /* 383 */
- {  0x81,                       0, 1,  1, ""                                }, /* 384 */
- {    0x04,                     0, 1,  2, "Certicom"                        }, /* 385 */
- {      0x00,                   0, 1,  3, "curve"                           }, /* 386 */
- {        0x01,               388, 0,  4, "sect163k1"                       }, /* 387 */
- {        0x02,               389, 0,  4, "sect163r1"                       }, /* 388 */
- {        0x03,               390, 0,  4, "sect239k1"                       }, /* 389 */
- {        0x04,               391, 0,  4, "sect113r1"                       }, /* 390 */
- {        0x05,               392, 0,  4, "sect113r2"                       }, /* 391 */
- {        0x06,               393, 0,  4, "secp112r1"                       }, /* 392 */
- {        0x07,               394, 0,  4, "secp112r2"                       }, /* 393 */
- {        0x08,               395, 0,  4, "secp160r1"                       }, /* 394 */
- {        0x09,               396, 0,  4, "secp160k1"                       }, /* 395 */
- {        0x0A,               397, 0,  4, "secp256k1"                       }, /* 396 */
- {        0x0F,               398, 0,  4, "sect163r2"                       }, /* 397 */
- {        0x10,               399, 0,  4, "sect283k1"                       }, /* 398 */
- {        0x11,               400, 0,  4, "sect283r1"                       }, /* 399 */
- {        0x16,               401, 0,  4, "sect131r1"                       }, /* 400 */
- {        0x17,               402, 0,  4, "sect131r2"                       }, /* 401 */
- {        0x18,               403, 0,  4, "sect193r1"                       }, /* 402 */
- {        0x19,               404, 0,  4, "sect193r2"                       }, /* 403 */
- {        0x1A,               405, 0,  4, "sect233k1"                       }, /* 404 */
- {        0x1B,               406, 0,  4, "sect233r1"                       }, /* 405 */
- {        0x1C,               407, 0,  4, "secp128r1"                       }, /* 406 */
- {        0x1D,               408, 0,  4, "secp128r2"                       }, /* 407 */
- {        0x1E,               409, 0,  4, "secp160r2"                       }, /* 408 */
- {        0x1F,               410, 0,  4, "secp192k1"                       }, /* 409 */
- {        0x20,               411, 0,  4, "secp224k1"                       }, /* 410 */
- {        0x21,               412, 0,  4, "secp224r1"                       }, /* 411 */
- {        0x22,               413, 0,  4, "secp384r1"                       }, /* 412 */
- {        0x23,               414, 0,  4, "secp521r1"                       }, /* 413 */
- {        0x24,               415, 0,  4, "sect409k1"                       }, /* 414 */
- {        0x25,               416, 0,  4, "sect409r1"                       }, /* 415 */
- {        0x26,               417, 0,  4, "sect571k1"                       }, /* 416 */
- {        0x27,                 0, 0,  4, "sect571r1"                       }, /* 417 */
- {0x60,                       481, 1,  0, ""                                }, /* 418 */
- {  0x86,                       0, 1,  1, ""                                }, /* 419 */
- {    0x48,                     0, 1,  2, ""                                }, /* 420 */
- {      0x01,                   0, 1,  3, "organization"                    }, /* 421 */
- {        0x65,               457, 1,  4, "gov"                             }, /* 422 */
- {          0x03,               0, 1,  5, "csor"                            }, /* 423 */
- {            0x04,             0, 1,  6, "nistalgorithm"                   }, /* 424 */
- {              0x01,         435, 1,  7, "aes"                             }, /* 425 */
- {                0x02,       427, 0,  8, "id-aes128-CBC"                   }, /* 426 */
- {                0x06,       428, 0,  8, "id-aes128-GCM"                   }, /* 427 */
- {                0x07,       429, 0,  8, "id-aes128-CCM"                   }, /* 428 */
- {                0x16,       430, 0,  8, "id-aes192-CBC"                   }, /* 429 */
- {                0x1A,       431, 0,  8, "id-aes192-GCM"                   }, /* 430 */
- {                0x1B,       432, 0,  8, "id-aes192-CCM"                   }, /* 431 */
- {                0x2A,       433, 0,  8, "id-aes256-CBC"                   }, /* 432 */
- {                0x2E,       434, 0,  8, "id-aes256-GCM"                   }, /* 433 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"                   }, /* 434 */
- {              0x02,         448, 1,  7, "hashAlgs"                        }, /* 435 */
- {                0x01,       437, 0,  8, "id-sha256"                       }, /* 436 */
- {                0x02,       438, 0,  8, "id-sha384"                       }, /* 437 */
- {                0x03,       439, 0,  8, "id-sha512"                       }, /* 438 */
- {                0x04,       440, 0,  8, "id-sha224"                       }, /* 439 */
- {                0x05,       441, 0,  8, "id-sha512-224"                   }, /* 440 */
- {                0x06,       442, 0,  8, "id-sha512-256"                   }, /* 441 */
- {                0x07,       443, 0,  8, "id-sha3-224"                     }, /* 442 */
- {                0x08,       444, 0,  8, "id-sha3-256"                     }, /* 443 */
- {                0x09,       445, 0,  8, "id-sha3-384"                     }, /* 444 */
- {                0x0A,       446, 0,  8, "id-sha3-512"                     }, /* 445 */
- {                0x0B,       447, 0,  8, "id-shake128"                     }, /* 446 */
- {                0x0C,         0, 0,  8, "id-shake256"                     }, /* 447 */
- {              0x03,           0, 1,  7, "sigAlgs"                         }, /* 448 */
- {                0x09,       450, 0,  8, "id-ecdsa-with-sha3-224"          }, /* 449 */
- {                0x0A,       451, 0,  8, "id-ecdsa-with-sha3-256"          }, /* 450 */
- {                0x0B,       452, 0,  8, "id-ecdsa-with-sha3-384"          }, /* 451 */
- {                0x0C,       453, 0,  8, "id-ecdsa-with-sha3-512"          }, /* 452 */
- {                0x0D,       454, 0,  8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 453 */
- {                0x0E,       455, 0,  8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 454 */
- {                0x0F,       456, 0,  8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 455 */
- {                0x10,         0, 0,  8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 456 */
- {        0x86,                 0, 1,  4, ""                                }, /* 457 */
- {          0xf8,               0, 1,  5, ""                                }, /* 458 */
- {            0x42,           471, 1,  6, "netscape"                        }, /* 459 */
- {              0x01,         466, 1,  7, ""                                }, /* 460 */
- {                0x01,       462, 0,  8, "nsCertType"                      }, /* 461 */
- {                0x03,       463, 0,  8, "nsRevocationUrl"                 }, /* 462 */
- {                0x04,       464, 0,  8, "nsCaRevocationUrl"               }, /* 463 */
- {                0x08,       465, 0,  8, "nsCaPolicyUrl"                   }, /* 464 */
- {                0x0d,         0, 0,  8, "nsComment"                       }, /* 465 */
- {              0x03,         469, 1,  7, "directory"                       }, /* 466 */
- {                0x01,         0, 1,  8, ""                                }, /* 467 */
- {                  0x03,       0, 0,  9, "employeeNumber"                  }, /* 468 */
- {              0x04,           0, 1,  7, "policy"                          }, /* 469 */
- {                0x01,         0, 0,  8, "nsSGC"                           }, /* 470 */
- {            0x45,             0, 1,  6, "verisign"                        }, /* 471 */
- {              0x01,           0, 1,  7, "pki"                             }, /* 472 */
- {                0x09,         0, 1,  8, "attributes"                      }, /* 473 */
- {                  0x02,     475, 0,  9, "messageType"                     }, /* 474 */
- {                  0x03,     476, 0,  9, "pkiStatus"                       }, /* 475 */
- {                  0x04,     477, 0,  9, "failInfo"                        }, /* 476 */
- {                  0x05,     478, 0,  9, "senderNonce"                     }, /* 477 */
- {                  0x06,     479, 0,  9, "recipientNonce"                  }, /* 478 */
- {                  0x07,     480, 0,  9, "transID"                         }, /* 479 */
- {                  0x08,       0, 0,  9, "extensionReq"                    }, /* 480 */
- {0x67,                         0, 1,  0, ""                                }, /* 481 */
- {  0x81,                       0, 1,  1, ""                                }, /* 482 */
- {    0x05,                     0, 1,  2, ""                                }, /* 483 */
- {      0x02,                   0, 1,  3, "tcg-attribute"                   }, /* 484 */
- {        0x01,               486, 0,  4, "tcg-at-tpmManufacturer"          }, /* 485 */
- {        0x02,               487, 0,  4, "tcg-at-tpmModel"                 }, /* 486 */
- {        0x03,               488, 0,  4, "tcg-at-tpmVersion"               }, /* 487 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"               }  /* 488 */
+ {  0x65,                     387, 1,  1, "Thawte"                          }, /* 384 */
+ {    0x70,                   386, 0,  2, "id-Ed25519"                      }, /* 385 */
+ {    0x71,                     0, 0,  2, "id-Ed448"                        }, /* 386 */
+ {  0x81,                       0, 1,  1, ""                                }, /* 387 */
+ {    0x04,                     0, 1,  2, "Certicom"                        }, /* 388 */
+ {      0x00,                   0, 1,  3, "curve"                           }, /* 389 */
+ {        0x01,               391, 0,  4, "sect163k1"                       }, /* 390 */
+ {        0x02,               392, 0,  4, "sect163r1"                       }, /* 391 */
+ {        0x03,               393, 0,  4, "sect239k1"                       }, /* 392 */
+ {        0x04,               394, 0,  4, "sect113r1"                       }, /* 393 */
+ {        0x05,               395, 0,  4, "sect113r2"                       }, /* 394 */
+ {        0x06,               396, 0,  4, "secp112r1"                       }, /* 395 */
+ {        0x07,               397, 0,  4, "secp112r2"                       }, /* 396 */
+ {        0x08,               398, 0,  4, "secp160r1"                       }, /* 397 */
+ {        0x09,               399, 0,  4, "secp160k1"                       }, /* 398 */
+ {        0x0A,               400, 0,  4, "secp256k1"                       }, /* 399 */
+ {        0x0F,               401, 0,  4, "sect163r2"                       }, /* 400 */
+ {        0x10,               402, 0,  4, "sect283k1"                       }, /* 401 */
+ {        0x11,               403, 0,  4, "sect283r1"                       }, /* 402 */
+ {        0x16,               404, 0,  4, "sect131r1"                       }, /* 403 */
+ {        0x17,               405, 0,  4, "sect131r2"                       }, /* 404 */
+ {        0x18,               406, 0,  4, "sect193r1"                       }, /* 405 */
+ {        0x19,               407, 0,  4, "sect193r2"                       }, /* 406 */
+ {        0x1A,               408, 0,  4, "sect233k1"                       }, /* 407 */
+ {        0x1B,               409, 0,  4, "sect233r1"                       }, /* 408 */
+ {        0x1C,               410, 0,  4, "secp128r1"                       }, /* 409 */
+ {        0x1D,               411, 0,  4, "secp128r2"                       }, /* 410 */
+ {        0x1E,               412, 0,  4, "secp160r2"                       }, /* 411 */
+ {        0x1F,               413, 0,  4, "secp192k1"                       }, /* 412 */
+ {        0x20,               414, 0,  4, "secp224k1"                       }, /* 413 */
+ {        0x21,               415, 0,  4, "secp224r1"                       }, /* 414 */
+ {        0x22,               416, 0,  4, "secp384r1"                       }, /* 415 */
+ {        0x23,               417, 0,  4, "secp521r1"                       }, /* 416 */
+ {        0x24,               418, 0,  4, "sect409k1"                       }, /* 417 */
+ {        0x25,               419, 0,  4, "sect409r1"                       }, /* 418 */
+ {        0x26,               420, 0,  4, "sect571k1"                       }, /* 419 */
+ {        0x27,                 0, 0,  4, "sect571r1"                       }, /* 420 */
+ {0x60,                       484, 1,  0, ""                                }, /* 421 */
+ {  0x86,                       0, 1,  1, ""                                }, /* 422 */
+ {    0x48,                     0, 1,  2, ""                                }, /* 423 */
+ {      0x01,                   0, 1,  3, "organization"                    }, /* 424 */
+ {        0x65,               460, 1,  4, "gov"                             }, /* 425 */
+ {          0x03,               0, 1,  5, "csor"                            }, /* 426 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                   }, /* 427 */
+ {              0x01,         438, 1,  7, "aes"                             }, /* 428 */
+ {                0x02,       430, 0,  8, "id-aes128-CBC"                   }, /* 429 */
+ {                0x06,       431, 0,  8, "id-aes128-GCM"                   }, /* 430 */
+ {                0x07,       432, 0,  8, "id-aes128-CCM"                   }, /* 431 */
+ {                0x16,       433, 0,  8, "id-aes192-CBC"                   }, /* 432 */
+ {                0x1A,       434, 0,  8, "id-aes192-GCM"                   }, /* 433 */
+ {                0x1B,       435, 0,  8, "id-aes192-CCM"                   }, /* 434 */
+ {                0x2A,       436, 0,  8, "id-aes256-CBC"                   }, /* 435 */
+ {                0x2E,       437, 0,  8, "id-aes256-GCM"                   }, /* 436 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                   }, /* 437 */
+ {              0x02,         451, 1,  7, "hashAlgs"                        }, /* 438 */
+ {                0x01,       440, 0,  8, "id-sha256"                       }, /* 439 */
+ {                0x02,       441, 0,  8, "id-sha384"                       }, /* 440 */
+ {                0x03,       442, 0,  8, "id-sha512"                       }, /* 441 */
+ {                0x04,       443, 0,  8, "id-sha224"                       }, /* 442 */
+ {                0x05,       444, 0,  8, "id-sha512-224"                   }, /* 443 */
+ {                0x06,       445, 0,  8, "id-sha512-256"                   }, /* 444 */
+ {                0x07,       446, 0,  8, "id-sha3-224"                     }, /* 445 */
+ {                0x08,       447, 0,  8, "id-sha3-256"                     }, /* 446 */
+ {                0x09,       448, 0,  8, "id-sha3-384"                     }, /* 447 */
+ {                0x0A,       449, 0,  8, "id-sha3-512"                     }, /* 448 */
+ {                0x0B,       450, 0,  8, "id-shake128"                     }, /* 449 */
+ {                0x0C,         0, 0,  8, "id-shake256"                     }, /* 450 */
+ {              0x03,           0, 1,  7, "sigAlgs"                         }, /* 451 */
+ {                0x09,       453, 0,  8, "id-ecdsa-with-sha3-224"          }, /* 452 */
+ {                0x0A,       454, 0,  8, "id-ecdsa-with-sha3-256"          }, /* 453 */
+ {                0x0B,       455, 0,  8, "id-ecdsa-with-sha3-384"          }, /* 454 */
+ {                0x0C,       456, 0,  8, "id-ecdsa-with-sha3-512"          }, /* 455 */
+ {                0x0D,       457, 0,  8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 456 */
+ {                0x0E,       458, 0,  8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 457 */
+ {                0x0F,       459, 0,  8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 458 */
+ {                0x10,         0, 0,  8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 459 */
+ {        0x86,                 0, 1,  4, ""                                }, /* 460 */
+ {          0xf8,               0, 1,  5, ""                                }, /* 461 */
+ {            0x42,           474, 1,  6, "netscape"                        }, /* 462 */
+ {              0x01,         469, 1,  7, ""                                }, /* 463 */
+ {                0x01,       465, 0,  8, "nsCertType"                      }, /* 464 */
+ {                0x03,       466, 0,  8, "nsRevocationUrl"                 }, /* 465 */
+ {                0x04,       467, 0,  8, "nsCaRevocationUrl"               }, /* 466 */
+ {                0x08,       468, 0,  8, "nsCaPolicyUrl"                   }, /* 467 */
+ {                0x0d,         0, 0,  8, "nsComment"                       }, /* 468 */
+ {              0x03,         472, 1,  7, "directory"                       }, /* 469 */
+ {                0x01,         0, 1,  8, ""                                }, /* 470 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                  }, /* 471 */
+ {              0x04,           0, 1,  7, "policy"                          }, /* 472 */
+ {                0x01,         0, 0,  8, "nsSGC"                           }, /* 473 */
+ {            0x45,             0, 1,  6, "verisign"                        }, /* 474 */
+ {              0x01,           0, 1,  7, "pki"                             }, /* 475 */
+ {                0x09,         0, 1,  8, "attributes"                      }, /* 476 */
+ {                  0x02,     478, 0,  9, "messageType"                     }, /* 477 */
+ {                  0x03,     479, 0,  9, "pkiStatus"                       }, /* 478 */
+ {                  0x04,     480, 0,  9, "failInfo"                        }, /* 479 */
+ {                  0x05,     481, 0,  9, "senderNonce"                     }, /* 480 */
+ {                  0x06,     482, 0,  9, "recipientNonce"                  }, /* 481 */
+ {                  0x07,     483, 0,  9, "transID"                         }, /* 482 */
+ {                  0x08,       0, 0,  9, "extensionReq"                    }, /* 483 */
+ {0x67,                         0, 1,  0, ""                                }, /* 484 */
+ {  0x81,                       0, 1,  1, ""                                }, /* 485 */
+ {    0x05,                     0, 1,  2, ""                                }, /* 486 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                   }, /* 487 */
+ {        0x01,               489, 0,  4, "tcg-at-tpmManufacturer"          }, /* 488 */
+ {        0x02,               490, 0,  4, "tcg-at-tpmModel"                 }, /* 489 */
+ {        0x03,               491, 0,  4, "tcg-at-tpmVersion"               }, /* 490 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"               }  /* 491 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index bca2999..f316c0c 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -192,78 +192,80 @@ extern const oid_t oid_names[];
 #define OID_ECGDSA_SIG_WITH_SHA256			362
 #define OID_ECGDSA_SIG_WITH_SHA384			363
 #define OID_ECGDSA_SIG_WITH_SHA512			364
-#define OID_SECT163K1						387
-#define OID_SECT163R1						388
-#define OID_SECT239K1						389
-#define OID_SECT113R1						390
-#define OID_SECT113R2						391
-#define OID_SECT112R1						392
-#define OID_SECT112R2						393
-#define OID_SECT160R1						394
-#define OID_SECT160K1						395
-#define OID_SECT256K1						396
-#define OID_SECT163R2						397
-#define OID_SECT283K1						398
-#define OID_SECT283R1						399
-#define OID_SECT131R1						400
-#define OID_SECT131R2						401
-#define OID_SECT193R1						402
-#define OID_SECT193R2						403
-#define OID_SECT233K1						404
-#define OID_SECT233R1						405
-#define OID_SECT128R1						406
-#define OID_SECT128R2						407
-#define OID_SECT160R2						408
-#define OID_SECT192K1						409
-#define OID_SECT224K1						410
-#define OID_SECT224R1						411
-#define OID_SECT384R1						412
-#define OID_SECT521R1						413
-#define OID_SECT409K1						414
-#define OID_SECT409R1						415
-#define OID_SECT571K1						416
-#define OID_SECT571R1						417
-#define OID_AES128_CBC						426
-#define OID_AES128_GCM						427
-#define OID_AES128_CCM						428
-#define OID_AES192_CBC						429
-#define OID_AES192_GCM						430
-#define OID_AES192_CCM						431
-#define OID_AES256_CBC						432
-#define OID_AES256_GCM						433
-#define OID_AES256_CCM						434
-#define OID_SHA256							436
-#define OID_SHA384							437
-#define OID_SHA512							438
-#define OID_SHA224							439
-#define OID_SHA3_224						442
-#define OID_SHA3_256						443
-#define OID_SHA3_384						444
-#define OID_SHA3_512						445
-#define OID_ECDSA_WITH_SHA3_224				449
-#define OID_ECDSA_WITH_SHA3_256				450
-#define OID_ECDSA_WITH_SHA3_384				451
-#define OID_ECDSA_WITH_SHA3_512				452
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_224	453
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_256	454
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_384	455
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_512	456
-#define OID_NS_REVOCATION_URL				462
-#define OID_NS_CA_REVOCATION_URL			463
-#define OID_NS_CA_POLICY_URL				464
-#define OID_NS_COMMENT						465
-#define OID_EMPLOYEE_NUMBER					468
-#define OID_PKI_MESSAGE_TYPE				474
-#define OID_PKI_STATUS						475
-#define OID_PKI_FAIL_INFO					476
-#define OID_PKI_SENDER_NONCE				477
-#define OID_PKI_RECIPIENT_NONCE				478
-#define OID_PKI_TRANS_ID					479
-#define OID_TPM_MANUFACTURER				485
-#define OID_TPM_MODEL						486
-#define OID_TPM_VERSION						487
-#define OID_TPM_ID_LABEL					488
+#define OID_ED25519							385
+#define OID_ED448							386
+#define OID_SECT163K1						390
+#define OID_SECT163R1						391
+#define OID_SECT239K1						392
+#define OID_SECT113R1						393
+#define OID_SECT113R2						394
+#define OID_SECT112R1						395
+#define OID_SECT112R2						396
+#define OID_SECT160R1						397
+#define OID_SECT160K1						398
+#define OID_SECT256K1						399
+#define OID_SECT163R2						400
+#define OID_SECT283K1						401
+#define OID_SECT283R1						402
+#define OID_SECT131R1						403
+#define OID_SECT131R2						404
+#define OID_SECT193R1						405
+#define OID_SECT193R2						406
+#define OID_SECT233K1						407
+#define OID_SECT233R1						408
+#define OID_SECT128R1						409
+#define OID_SECT128R2						410
+#define OID_SECT160R2						411
+#define OID_SECT192K1						412
+#define OID_SECT224K1						413
+#define OID_SECT224R1						414
+#define OID_SECT384R1						415
+#define OID_SECT521R1						416
+#define OID_SECT409K1						417
+#define OID_SECT409R1						418
+#define OID_SECT571K1						419
+#define OID_SECT571R1						420
+#define OID_AES128_CBC						429
+#define OID_AES128_GCM						430
+#define OID_AES128_CCM						431
+#define OID_AES192_CBC						432
+#define OID_AES192_GCM						433
+#define OID_AES192_CCM						434
+#define OID_AES256_CBC						435
+#define OID_AES256_GCM						436
+#define OID_AES256_CCM						437
+#define OID_SHA256							439
+#define OID_SHA384							440
+#define OID_SHA512							441
+#define OID_SHA224							442
+#define OID_SHA3_224						445
+#define OID_SHA3_256						446
+#define OID_SHA3_384						447
+#define OID_SHA3_512						448
+#define OID_ECDSA_WITH_SHA3_224				452
+#define OID_ECDSA_WITH_SHA3_256				453
+#define OID_ECDSA_WITH_SHA3_384				454
+#define OID_ECDSA_WITH_SHA3_512				455
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_224	456
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_256	457
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_384	458
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_512	459
+#define OID_NS_REVOCATION_URL				465
+#define OID_NS_CA_REVOCATION_URL			466
+#define OID_NS_CA_POLICY_URL				467
+#define OID_NS_COMMENT						468
+#define OID_EMPLOYEE_NUMBER					471
+#define OID_PKI_MESSAGE_TYPE				477
+#define OID_PKI_STATUS						478
+#define OID_PKI_FAIL_INFO					479
+#define OID_PKI_SENDER_NONCE				480
+#define OID_PKI_RECIPIENT_NONCE				481
+#define OID_PKI_TRANS_ID					482
+#define OID_TPM_MANUFACTURER				488
+#define OID_TPM_MODEL						489
+#define OID_TPM_VERSION						490
+#define OID_TPM_ID_LABEL					491
 
-#define OID_MAX								489
+#define OID_MAX								492
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 761a38a..a0c2aad 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -382,6 +382,9 @@
                 0x0C         "brainpoolP384t1"
                 0x0D         "brainpoolP512r1"
                 0x0E         "brainpoolP512t1"
+  0x65                       "Thawte"
+    0x70                     "id-Ed25519"				OID_ED25519
+    0x71                     "id-Ed448"					OID_ED448
   0x81                       ""
     0x04                     "Certicom"
       0x00                   "curve"
diff --git a/src/libstrongswan/collections/linked_list.h b/src/libstrongswan/collections/linked_list.h
index 5edaa07..0b73079 100644
--- a/src/libstrongswan/collections/linked_list.h
+++ b/src/libstrongswan/collections/linked_list.h
@@ -212,7 +212,7 @@ struct linked_list_t {
 	/**
 	 * Clones a list and its objects using the objects' clone method.
 	 *
-	 * @param offset	offset ot the objects clone function
+	 * @param offset	offset to the objects clone function
 	 * @return			cloned list
 	 */
 	linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset);
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 3ec9491..8a3e659 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
- * Copyright (C) 2016 Andreas Steffeb
+ * Copyright (C) 2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -547,22 +547,24 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
 			signature_scheme_t scheme;
 			key_type_t key;
 		} schemes[] = {
-			{ "md5",		SIGN_RSA_EMSA_PKCS1_MD5,		KEY_RSA,	},
-			{ "sha1",		SIGN_RSA_EMSA_PKCS1_SHA1,		KEY_RSA,	},
-			{ "sha224",		SIGN_RSA_EMSA_PKCS1_SHA2_224,	KEY_RSA,	},
-			{ "sha256",		SIGN_RSA_EMSA_PKCS1_SHA2_256,	KEY_RSA,	},
-			{ "sha384",		SIGN_RSA_EMSA_PKCS1_SHA2_384,	KEY_RSA,	},
-			{ "sha512",		SIGN_RSA_EMSA_PKCS1_SHA2_512,	KEY_RSA,	},
-			{ "sha1",		SIGN_ECDSA_WITH_SHA1_DER,		KEY_ECDSA,	},
-			{ "sha256",		SIGN_ECDSA_WITH_SHA256_DER,		KEY_ECDSA,	},
-			{ "sha384",		SIGN_ECDSA_WITH_SHA384_DER,		KEY_ECDSA,	},
-			{ "sha512",		SIGN_ECDSA_WITH_SHA512_DER,		KEY_ECDSA,	},
-			{ "sha256",		SIGN_ECDSA_256,					KEY_ECDSA,	},
-			{ "sha384",		SIGN_ECDSA_384,					KEY_ECDSA,	},
-			{ "sha512",		SIGN_ECDSA_521,					KEY_ECDSA,	},
-			{ "sha256",		SIGN_BLISS_WITH_SHA2_256,		KEY_BLISS,	},
-			{ "sha384",		SIGN_BLISS_WITH_SHA2_384,		KEY_BLISS,	},
-			{ "sha512",		SIGN_BLISS_WITH_SHA2_512,		KEY_BLISS,	},
+			{ "md5",		SIGN_RSA_EMSA_PKCS1_MD5,		KEY_RSA,	 },
+			{ "sha1",		SIGN_RSA_EMSA_PKCS1_SHA1,		KEY_RSA,	 },
+			{ "sha224",		SIGN_RSA_EMSA_PKCS1_SHA2_224,	KEY_RSA,	 },
+			{ "sha256",		SIGN_RSA_EMSA_PKCS1_SHA2_256,	KEY_RSA,	 },
+			{ "sha384",		SIGN_RSA_EMSA_PKCS1_SHA2_384,	KEY_RSA,	 },
+			{ "sha512",		SIGN_RSA_EMSA_PKCS1_SHA2_512,	KEY_RSA,	 },
+			{ "sha1",		SIGN_ECDSA_WITH_SHA1_DER,		KEY_ECDSA,	 },
+			{ "sha256",		SIGN_ECDSA_WITH_SHA256_DER,		KEY_ECDSA,	 },
+			{ "sha384",		SIGN_ECDSA_WITH_SHA384_DER,		KEY_ECDSA,	 },
+			{ "sha512",		SIGN_ECDSA_WITH_SHA512_DER,		KEY_ECDSA,	 },
+			{ "sha256",		SIGN_ECDSA_256,					KEY_ECDSA,	 },
+			{ "sha384",		SIGN_ECDSA_384,					KEY_ECDSA,	 },
+			{ "sha512",		SIGN_ECDSA_521,					KEY_ECDSA,	 },
+			{ "sha256",		SIGN_BLISS_WITH_SHA2_256,		KEY_BLISS,	 },
+			{ "sha384",		SIGN_BLISS_WITH_SHA2_384,		KEY_BLISS,	 },
+			{ "sha512",		SIGN_BLISS_WITH_SHA2_512,		KEY_BLISS,	 },
+			{ "identity",	SIGN_ED25519,					KEY_ED25519, },
+			{ "identity",	SIGN_ED448,						KEY_ED448,	 },
 		};
 
 		if (expected_strength != AUTH_RULE_MAX)
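Review bot: The two new `schemes[]` rows use the token `"identity"` without a comment saying why, where every other row in the table has a hash name in that column. A one-line comment above them would help, e.g. `/* PureEdDSA signs the message itself, so the hash token is "identity" (HASH_IDENTITY) */`. The closing-brace padding of all sixteen existing rows was also changed only to make room for `KEY_ED25519,`, which makes the hunk harder to audit than the two added lines warrant. The enclosing add_pubkey_constraints method starts before and ends after this hunk.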
@@ -592,6 +594,18 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
 			is_ike = strpfx(token, "ike:");
 			continue;
 		}
+		if (streq(token, "ed25519") || streq(token, "ike:ed25519"))
+		{
+			expected_type = KEY_ED25519;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
+		if (streq(token, "ed448") || streq(token, "ike:ed448"))
+		{
+			expected_type = KEY_ED448;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
 		if (streq(token, "bliss") || streq(token, "ike:bliss"))
 		{
 			expected_type = KEY_BLISS;
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index ddb64ef..baa17c4 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -44,6 +45,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_CRL_DISTRIBUTION_POINTS",
 	"BUILD_OCSP_ACCESS_LOCATIONS",
 	"BUILD_PATHLEN",
+	"BUILD_ADDRBLOCKS",
 	"BUILD_PERMITTED_NAME_CONSTRAINTS",
 	"BUILD_EXCLUDED_NAME_CONSTRAINTS",
 	"BUILD_CERTIFICATE_POLICIES",
@@ -70,5 +72,6 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_SAFE_PRIMES",
 	"BUILD_SHARES",
 	"BUILD_THRESHOLD",
+	"BUILD_EDDSA_PRIV_ASN1_DER",
 	"BUILD_END",
 );
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 627e093..1c6f500 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -99,6 +100,8 @@ enum builder_part_t {
 	BUILD_OCSP_ACCESS_LOCATIONS,
 	/** certificate path length constraint */
 	BUILD_PATHLEN,
+	/** RFC3779 addressBlock, linked_list_t* of traffic_selector_t* */
+	BUILD_ADDRBLOCKS,
 	/** permitted X509 name constraints, linked_list_t* of identification_t* */
 	BUILD_PERMITTED_NAME_CONSTRAINTS,
 	/** excluded X509 name constraints, linked_list_t* of identification_t* */
@@ -151,6 +154,8 @@ enum builder_part_t {
 	BUILD_SHARES,
 	/** minimum number of participating private key shares */
 	BUILD_THRESHOLD,
+	/** DER encoded ASN.1 EdDSA private key */
+	BUILD_EDDSA_PRIV_ASN1_DER,
 	/** end of variable argument builder list */
 	BUILD_END,
 };
diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h
index b4d1f4c..0b65364 100644
--- a/src/libstrongswan/credentials/cred_encoding.h
+++ b/src/libstrongswan/credentials/cred_encoding.h
@@ -144,6 +144,10 @@ enum cred_encoding_part_t {
 	CRED_PART_PKCS10_ASN1_DER,
 	/** a PGP encoded certificate */
 	CRED_PART_PGP_CERT,
+	/** a DER encoded EdDSA public key */
+	CRED_PART_EDDSA_PUB_ASN1_DER,
+	/** a DER encoded EdDSA private key */
+	CRED_PART_EDDSA_PRIV_ASN1_DER,
 	/** a DER encoded BLISS public key */
 	CRED_PART_BLISS_PUB_ASN1_DER,
 	/** a DER encoded BLISS private key */
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index 03f93b1..2c76ad6 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -24,6 +24,8 @@ ENUM(key_type_names, KEY_ANY, KEY_BLISS,
 	"RSA",
 	"ECDSA",
 	"DSA",
+	"ED25519",
+	"ED448",
 	"BLISS"
 );
 
@@ -48,6 +50,8 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA3_512,
 	"ECDSA-256",
 	"ECDSA-384",
 	"ECDSA-521",
+	"ED25519",
+	"ED448",
 	"BLISS_WITH_SHA2_256",
 	"BLISS_WITH_SHA2_384",
 	"BLISS_WITH_SHA2_512",
@@ -151,6 +155,10 @@ signature_scheme_t signature_scheme_from_oid(int oid)
 			return SIGN_ECDSA_WITH_SHA384_DER;
 		case OID_ECDSA_WITH_SHA512:
 			return SIGN_ECDSA_WITH_SHA512_DER;
+		case OID_ED25519:
+			return SIGN_ED25519;
+		case OID_ED448:
+			return SIGN_ED448;
 		case OID_BLISS_PUBLICKEY:
 		case OID_BLISS_WITH_SHA2_512:
 			return SIGN_BLISS_WITH_SHA2_512;
@@ -210,6 +218,10 @@ int signature_scheme_to_oid(signature_scheme_t scheme)
 			return OID_ECDSA_WITH_SHA384;
 		case SIGN_ECDSA_WITH_SHA512_DER:
 			return OID_ECDSA_WITH_SHA512;
+		case SIGN_ED25519:
+			return OID_ED25519;
+		case SIGN_ED448:
+			return OID_ED448;
 		case SIGN_BLISS_WITH_SHA2_256:
 			return OID_BLISS_WITH_SHA2_256;
 		case SIGN_BLISS_WITH_SHA2_384:
@@ -236,15 +248,17 @@ static struct {
 	key_type_t type;
 	int max_keysize;
 } scheme_map[] = {
-	{ SIGN_RSA_EMSA_PKCS1_SHA2_256, KEY_RSA, 3072 },
-	{ SIGN_RSA_EMSA_PKCS1_SHA2_384, KEY_RSA, 7680 },
-	{ SIGN_RSA_EMSA_PKCS1_SHA2_512, KEY_RSA, 0 },
-	{ SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 },
-	{ SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 },
-	{ SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 },
-	{ SIGN_BLISS_WITH_SHA2_256,   KEY_BLISS, 128 },
-	{ SIGN_BLISS_WITH_SHA2_384,   KEY_BLISS, 192 },
-	{ SIGN_BLISS_WITH_SHA2_512,   KEY_BLISS, 0 }
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_256, KEY_RSA,  3072 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_384, KEY_RSA,  7680 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_512, KEY_RSA,     0 },
+	{ SIGN_ECDSA_WITH_SHA256_DER,   KEY_ECDSA, 256 },
+	{ SIGN_ECDSA_WITH_SHA384_DER,   KEY_ECDSA, 384 },
+	{ SIGN_ECDSA_WITH_SHA512_DER,   KEY_ECDSA,   0 },
+	{ SIGN_ED25519,                 KEY_ED25519, 0 },
+	{ SIGN_ED448,                   KEY_ED448,   0 },
+	{ SIGN_BLISS_WITH_SHA2_256,     KEY_BLISS, 128 },
+	{ SIGN_BLISS_WITH_SHA2_384,     KEY_BLISS, 192 },
+	{ SIGN_BLISS_WITH_SHA2_512,     KEY_BLISS,   0 }
 };
 
 /**
@@ -323,6 +337,10 @@ key_type_t key_type_from_signature_scheme(signature_scheme_t scheme)
 		case SIGN_ECDSA_384:
 		case SIGN_ECDSA_521:
 			return KEY_ECDSA;
+		case SIGN_ED25519:
+			return KEY_ED25519;
+		case SIGN_ED448:
+			return KEY_ED448;
 		case SIGN_BLISS_WITH_SHA2_256:
 		case SIGN_BLISS_WITH_SHA2_384:
 		case SIGN_BLISS_WITH_SHA2_512:
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index 2361282..06c1aa4 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
- * Copyright (C) 2014-2016 Andreas Steffen
+ * Copyright (C) 2014-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -37,16 +37,19 @@ typedef enum encryption_scheme_t encryption_scheme_t;
  */
 enum key_type_t {
 	/** key type wildcard */
-	KEY_ANY   = 0,
+	KEY_ANY     = 0,
 	/** RSA crypto system as in PKCS#1 */
-	KEY_RSA   = 1,
+	KEY_RSA     = 1,
 	/** ECDSA as in ANSI X9.62 */
-	KEY_ECDSA = 2,
+	KEY_ECDSA   = 2,
 	/** DSA */
-	KEY_DSA   = 3,
+	KEY_DSA     = 3,
+	/** Ed25519 PureEdDSA instance as in RFC 8032 */
+	KEY_ED25519 = 4,
+	/** Ed448   PureEdDSA instance as in RFC 8032 */
+	KEY_ED448   = 5,
 	/** BLISS */
-	KEY_BLISS = 4,
-	/** ElGamal, ... */
+	KEY_BLISS = 6,
 };
 
 /**
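Review bot: `KEY_BLISS` is renumbered from 4 to 6 so the Ed25519/Ed448 values can sit before it, which changes the meaning of any `key_type_t` integer stored or exchanged by an older build. Whether anything persists these values is not visible here, but the explicit `= n` assignments suggest the numbers matter. If so, keep `KEY_BLISS = 4` and append `KEY_ED25519 = 5` and `KEY_ED448 = 6`, adjusting the `key_type_names` ENUM bounds and order in public_key.c to match; otherwise a comment stating that the values are not stable would settle it. The new `KEY_BLISS = 6,` line is also not aligned with the re-padded entries above it (`KEY_BLISS   = 6,`).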
@@ -102,6 +105,10 @@ enum signature_scheme_t {
 	SIGN_ECDSA_384,
 	/** ECDSA on the P-521 curve with SHA-512 as in RFC 4754           */
 	SIGN_ECDSA_521,
+	/** PureEdDSA on Curve25519 as in draft-ietf-curdle-pkix (RFC TBA) */
+	SIGN_ED25519,
+	/** PureEdDSA on Curve448 as in draft-ietf-curdle-pkix (RFC TBA)   */
+	SIGN_ED448,
 	/** BLISS with SHA-2_256                                           */
 	SIGN_BLISS_WITH_SHA2_256,
 	/** BLISS with SHA-2_384                                           */
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 60720dc..24fdb19 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -20,6 +21,7 @@
 #include <library.h>
 #include <threading/rwlock.h>
 #include <collections/linked_list.h>
+#include <credentials/certificates/crl.h>
 
 /** cache size, a power of 2 for fast modulo */
 #define CACHE_SIZE 32
@@ -88,6 +90,43 @@ static void cache(private_cert_cache_t *this,
 	int i, offset, try;
 	u_int total_hits = 0;
 
+	/* cache a CRL by replacing a previous CRL cache entry if present */
+	if (subject->get_type(subject) == CERT_X509_CRL)
+	{
+		crl_t *crl, *cached_crl;
+
+		/* cache a delta CRL ? */
+		crl = (crl_t*)subject;
+
+		for (i = 0; i < CACHE_SIZE; i++)
+		{
+			rel = &this->relations[i];
+
+			if (rel->subject &&
+				rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
+				rel->lock->try_write_lock(rel->lock))
+			{
+				/* double-check having lock */
+				if (rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
+					rel->issuer->equals(rel->issuer, issuer))
+				{
+					cached_crl = (crl_t*)rel->subject;
+
+					if (cached_crl->is_delta_crl(cached_crl, NULL) ==
+							   crl->is_delta_crl(crl, NULL) &&
+						crl_is_newer(crl, cached_crl))
+					{
+						rel->subject->destroy(rel->subject);
+						rel->subject = subject->get_ref(subject);
+						rel->scheme = scheme;
+						return rel->lock->unlock(rel->lock);
+					}
+				}
+				rel->lock->unlock(rel->lock);
+			}
+		}
+	}
+
 	/* check for a unused relation slot first */
 	for (i = 0; i < CACHE_SIZE; i++)
 	{
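Review bot: The re-check made after `try_write_lock()` dereferences `rel->subject` without testing it for NULL, although the unlocked test just above does test it. If another thread can clear or replace the slot in between, which the "double-check having lock" comment implies, this is a NULL dereference; the unlocked `get_type()` call can likewise touch a certificate that is being destroyed. Suggest starting the locked check with `if (rel->subject && rel->subject->get_type(rel->subject) == CERT_X509_CRL &&`. `return rel->lock->unlock(rel->lock);` also returns an expression from a function declared `static void`, which ISO C does not allow; write `rel->lock->unlock(rel->lock); return;` instead. cache() starts before and continues after this hunk.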
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index 0f8bff2..53e035f 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -370,14 +370,42 @@ METHOD(mem_cred_t, add_key, void,
 	this->lock->unlock(this->lock);
 }
 
+METHOD(mem_cred_t, remove_key, bool,
+	private_mem_cred_t *this, chunk_t fp)
+{
+	enumerator_t *enumerator;
+	private_key_t *current;
+	bool found = FALSE;
+
+	this->lock->write_lock(this->lock);
+
+	enumerator = this->keys->create_enumerator(this->keys);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current->has_fingerprint(current, fp))
+		{
+			this->keys->remove_at(this->keys, enumerator);
+			current->destroy(current);
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	this->lock->unlock(this->lock);
+	return found;
+}
+
 /**
  * Shared key entry
  */
 typedef struct {
-	/* shared key */
+	/** shared key */
 	shared_key_t *shared;
-	/* list of owners, identification_t */
+	/** list of owners, identification_t */
 	linked_list_t *owners;
+	/** optional unique identifier */
+	char *id;
 } shared_entry_t;
 
 /**
@@ -388,11 +416,12 @@ static void shared_entry_destroy(shared_entry_t *entry)
 	entry->owners->destroy_offset(entry->owners,
 								  offsetof(identification_t, destroy));
 	entry->shared->destroy(entry->shared);
+	free(entry->id);
 	free(entry);
 }
 
 /**
- * Check if two shared key entries equal
+ * Check if two shared key entries are equal (ignoring the unique identifier)
  */
 static bool shared_entry_equals(shared_entry_t *a, shared_entry_t *b)
 {
@@ -528,8 +557,9 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
 						(void*)shared_filter, data, (void*)shared_data_destroy);
 }
 
-METHOD(mem_cred_t, add_shared_list, void,
-	private_mem_cred_t *this, shared_key_t *shared, linked_list_t* owners)
+METHOD(mem_cred_t, add_shared_unique, void,
+	private_mem_cred_t *this, char *id, shared_key_t *shared,
+	linked_list_t* owners)
 {
 	shared_entry_t *current, *new;
 	enumerator_t *enumerator;
@@ -537,6 +567,7 @@ METHOD(mem_cred_t, add_shared_list, void,
 	INIT(new,
 		.shared = shared,
 		.owners = owners,
+		.id = strdupnull(id),
 	);
 
 	this->lock->write_lock(this->lock);
@@ -544,7 +575,10 @@ METHOD(mem_cred_t, add_shared_list, void,
 	enumerator = this->shared->create_enumerator(this->shared);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (shared_entry_equals(current, new))
+		/* always replace keys with the same unique identifier, only compare
+		 * them if both have no unique id assigned */
+		if ((id && streq(id, current->id)) ||
+			(!id && !current->id && shared_entry_equals(current, new)))
 		{
 			this->shared->remove_at(this->shared, enumerator);
 			shared_entry_destroy(current);
@@ -558,6 +592,12 @@ METHOD(mem_cred_t, add_shared_list, void,
 	this->lock->unlock(this->lock);
 }
 
+METHOD(mem_cred_t, add_shared_list, void,
+	private_mem_cred_t *this, shared_key_t *shared, linked_list_t* owners)
+{
+	add_shared_unique(this, NULL, shared, owners);
+}
+
 METHOD(mem_cred_t, add_shared, void,
 	private_mem_cred_t *this, shared_key_t *shared, ...)
 {
@@ -580,6 +620,63 @@ METHOD(mem_cred_t, add_shared, void,
 	add_shared_list(this, shared, owners);
 }
 
+METHOD(mem_cred_t, remove_shared_unique, void,
+	private_mem_cred_t *this, char *id)
+{
+	enumerator_t *enumerator;
+	shared_entry_t *current;
+
+	if (!id)
+	{
+		return;
+	}
+
+	this->lock->write_lock(this->lock);
+
+	enumerator = this->shared->create_enumerator(this->shared);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (streq(id, current->id))
+		{
+			this->shared->remove_at(this->shared, enumerator);
+			shared_entry_destroy(current);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Filter unique ids of shared keys (ingore secrets without unique id)
+ */
+static bool unique_filter(void *unused,
+						  shared_entry_t **in, char **id)
+{
+	shared_entry_t *entry = *in;
+
+	if (!entry->id)
+	{
+		return FALSE;
+	}
+	if (id)
+	{
+		*id = entry->id;
+	}
+	return TRUE;
+}
+
+METHOD(mem_cred_t, create_unique_shared_enumerator, enumerator_t*,
+	private_mem_cred_t *this)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(
+								this->shared->create_enumerator(this->shared),
+								(void*)unique_filter, this->lock,
+								(void*)this->lock->unlock);
+}
+
 /**
  * Certificate distribution point
  */
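Review bot: create_unique_shared_enumerator() takes the read lock and releases it only when the enumerator is destroyed, and unique_filter() hands out `entry->id` itself rather than a copy, but neither fact is stated on the new functions. A caller that invokes remove_shared_unique() or add_shared_unique() inside the enumeration loop would request the write lock while still holding the read lock. A caller that keeps an id after destroying the enumerator holds a pointer that shared_entry_destroy() may free. Suggest a comment on the method such as `/* ids are owned by the set and valid only until the enumerator is destroyed; the set stays read-locked meanwhile */`. The comment above unique_filter() also has a typo, `ingore` for `ignore`.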
@@ -817,8 +914,12 @@ mem_cred_t *mem_cred_create()
 			.get_cert_ref = _get_cert_ref,
 			.add_crl = _add_crl,
 			.add_key = _add_key,
+			.remove_key = _remove_key,
 			.add_shared = _add_shared,
 			.add_shared_list = _add_shared_list,
+			.add_shared_unique = _add_shared_unique,
+			.remove_shared_unique = _remove_shared_unique,
+			.create_unique_shared_enumerator = _create_unique_shared_enumerator,
 			.add_cdp = _add_cdp,
 			.replace_certs = _replace_certs,
 			.replace_secrets = _replace_secrets,
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index 51f0b8c..1355152 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2010-2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -87,6 +88,14 @@ struct mem_cred_t {
 	void (*add_key)(mem_cred_t *this, private_key_t *key);
 
 	/**
+	 * Remove a private key from the credential set.
+	 *
+	 * @param fp			fingerprint of the key to remove
+	 * @return				TRUE if the key was found and removed
+	 */
+	bool (*remove_key)(mem_cred_t *this, chunk_t fp);
+
+	/**
 	 * Add a shared key to the credential set.
 	 *
 	 * @param shared		shared key to add, gets owned by set
@@ -104,6 +113,33 @@ struct mem_cred_t {
 							linked_list_t *owners);
 
 	/**
+	 * Add a shared key to the credential set, associated with the given unique
+	 * identifier.
+	 *
+	 * If a shared key with the same id already exists it is replaced.
+	 *
+	 * @param id			unique identifier of this key (cloned)
+	 * @param shared		shared key to add, gets owned by set
+	 * @param ...			NULL terminated list of owners (identification_t*)
+	 */
+	void (*add_shared_unique)(mem_cred_t *this, char *id, shared_key_t *shared,
+							  linked_list_t *owners);
+
+	/**
+	 * Remove a shared key by its unique identifier.
+	 *
+	 * @param id			unique identifier of this key
+	 */
+	void (*remove_shared_unique)(mem_cred_t *this, char *id);
+
+	/**
+	 * Create an enumerator over the unique identifiers of shared keys.
+	 *
+	 * @return			enumerator over char*
+	 */
+	enumerator_t *(*create_unique_shared_enumerator)(mem_cred_t *this);
+
+	/**
 	 * Add a certificate distribution point to the set.
 	 *
 	 * @param type			type of the certificate
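Review bot: The doc comment for `add_shared_unique` describes `@param ...` as a NULL terminated list of owners, but the declared last parameter is `linked_list_t *owners`; the text looks copied from `add_shared`. It should read `@param owners  list of owners (identification_t*), gets owned by set`, which matches how mem_cred.c stores the list in the entry and destroys it in shared_entry_destroy(). The `remove_shared_unique` comment could also state that a NULL or unknown id is silently ignored, since `remove_key` in the same header reports success with a bool and this one does not.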
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 6dcb6cb..820b8d1 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -32,7 +32,7 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_2048_BIT, ECP_521_BIT, MODP_1536_BIT,
 	"ECP_256",
 	"ECP_384",
 	"ECP_521");
-ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
+ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, CURVE_448, ECP_521_BIT,
 	"MODP_1024_160",
 	"MODP_2048_224",
 	"MODP_2048_256",
@@ -41,8 +41,10 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
 	"ECP_224_BP",
 	"ECP_256_BP",
 	"ECP_384_BP",
-	"ECP_512_BP");
-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP,
+	"ECP_512_BP",
+	"CURVE_25519",
+	"CURVE_448");
+ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, CURVE_448,
 	"MODP_NULL");
 ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
 	"NTRU_112",
@@ -552,6 +554,12 @@ bool diffie_hellman_verify_value(diffie_hellman_group_t group, chunk_t value)
 		case ECP_521_BIT:
 			valid = value.len == 132;
 			break;
+		case CURVE_25519:
+			valid = value.len == 32;
+			break;
+		case CURVE_448:
+			valid = value.len == 56;
+			break;
 		case NTRU_112_BIT:
 		case NTRU_128_BIT:
 		case NTRU_192_BIT:
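Review bot: The new `CURVE_25519` and `CURVE_448` cases in diffie_hellman_verify_value check only the length of the public value (32 and 56 bytes), and nothing in the hunk says where any further validation for these groups happens. That is probably intended, since these public values are plain byte strings, but low-order inputs then have to be caught by the DH implementation, typically by rejecting an all-zero shared secret; whether it does so is not visible here. A comment on the two cases would record the split, e.g. `/* length only; the DH implementation is expected to reject an all-zero shared secret */`. The function body starts before and continues after this hunk.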
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index f457153..1a8110a 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -37,6 +37,7 @@ typedef struct diffie_hellman_params_t diffie_hellman_params_t;
  *
  * ECP groups are defined in RFC 4753 and RFC 5114.
  * ECC Brainpool groups are defined in RFC 6954.
+ * Curve25519 and Curve448 groups are defined in RFC 8031.
  */
 enum diffie_hellman_group_t {
 	MODP_NONE     =  0,
@@ -60,6 +61,8 @@ enum diffie_hellman_group_t {
 	ECP_256_BP    = 28,
 	ECP_384_BP    = 29,
 	ECP_512_BP    = 30,
+	CURVE_25519   = 31,
+	CURVE_448     = 32,
 	/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
 	MODP_NULL = 1024,
 	/** MODP group with custom generator/prime */
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index d136799..26aab0c 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2012-2015 Tobias Brunner
- * Copyright (C) 2015-2016 Andreas Steffen
+ * Copyright (C) 2015-2017 Andreas Steffen
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -20,12 +20,13 @@
 
 #include <asn1/oid.h>
 
-ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_SHA512,
+ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_IDENTITY,
 	"HASH_SHA1",
 	"HASH_SHA256",
 	"HASH_SHA384",
-	"HASH_SHA512");
-ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512,
+	"HASH_SHA512",
+	"HASH_IDENTITY");
+ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
 	"HASH_UNKNOWN",
 	"HASH_MD2",
 	"HASH_MD4",
@@ -37,12 +38,13 @@ ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512,
 	"HASH_SHA3_512");
 ENUM_END(hash_algorithm_names, HASH_SHA3_512);
 
-ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_SHA512,
+ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_IDENTITY,
 	"sha1",
 	"sha256",
 	"sha384",
-	"sha512");
-ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512,
+	"sha512",
+	"identity");
+ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
 	"unknown",
 	"md2",
 	"md4",
@@ -94,6 +96,9 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
 		case OID_SHA3_512:
 		case OID_RSASSA_PKCS1V15_WITH_SHA3_512:
 			return HASH_SHA3_512;
+		case OID_ED25519:
+		case OID_ED448:
+			return HASH_IDENTITY;
 		default:
 			return HASH_UNKNOWN;
 	}
@@ -267,6 +272,7 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
 		case HASH_SHA3_256:
 		case HASH_SHA3_384:
 		case HASH_SHA3_512:
+		case HASH_IDENTITY:
 		case HASH_UNKNOWN:
 			break;
 	}
@@ -280,6 +286,7 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
 {
 	switch (alg)
 	{
+		case HASH_IDENTITY:
 		case HASH_SHA1:
 		case HASH_SHA256:
 		case HASH_SHA384:
@@ -396,6 +403,22 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
 				default:
 					return OID_UNKNOWN;
 			}
+		case KEY_ED25519:
+			switch (alg)
+			{
+				case HASH_IDENTITY:
+					return OID_ED25519;
+				default:
+					return OID_UNKNOWN;
+			}
+		case KEY_ED448:
+			switch (alg)
+			{
+				case HASH_IDENTITY:
+					return OID_ED448;
+				default:
+					return OID_UNKNOWN;
+			}
 		case KEY_BLISS:
 			switch (alg)
 			{
@@ -430,6 +453,9 @@ hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme)
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 		case SIGN_ECDSA_WITH_NULL:
 			break;
+		case SIGN_ED25519:
+		case SIGN_ED448:
+			return HASH_IDENTITY;
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 			return HASH_MD5;
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 2d28b20..ec0c632 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -1,8 +1,9 @@
 /*
+ * Copyright (C) 2016-2017 Andreas Steffen
  * Copyright (C) 2012-2015 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -32,13 +33,16 @@ typedef struct hasher_t hasher_t;
 #include <credentials/keys/public_key.h>
 
 /**
- * Hash algorithms as defined for IKEv2 by RFC 7427
+ * Hash algorithms as defined for IKEv2
  */
 enum hash_algorithm_t {
+	/* RFC 7427 */
 	HASH_SHA1 			= 1,
 	HASH_SHA256			= 2,
 	HASH_SHA384			= 3,
 	HASH_SHA512			= 4,
+	/* draft-ietf-ipsecme-eddsa (RFC TBA) */
+	HASH_IDENTITY		= 5,
 	/* use private use range for algorithms not defined/permitted by RFC 7427 */
 	HASH_UNKNOWN 		= 1024,
 	HASH_MD2 			= 1025,
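Review bot: HASH_IDENTITY is added beside the SHA family with only a draft reference, although its name and its use for Ed25519/Ed448 in hasher.c suggest it is not a digest at all. Code that sizes buffers or judges algorithm strength from a hash_algorithm_t value needs to know that. I would extend the comment to `/* draft-ietf-ipsecme-eddsa (RFC TBA): data is passed on unhashed, EdDSA only */`. The enum continues outside the hunk.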
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
index b058ad2..420a66d 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
@@ -59,12 +59,12 @@ struct proposal_token {
 	uint16_t          keysize;
 };
 
-#define TOTAL_KEYWORDS 141
+#define TOTAL_KEYWORDS 143
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
 #define MIN_HASH_VALUE 7
-#define MAX_HASH_VALUE 282
-/* maximum key range = 276, duplicates = 0 */
+#define MAX_HASH_VALUE 259
+/* maximum key range = 253, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -80,32 +80,32 @@ hash (str, len)
 {
   static const unsigned short asso_values[] =
     {
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283,  75,   2,
-       16,  16,  30,  26,   8,  35,   3,   1, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283,  29, 283,  10,   2,  16,
-       46,   1,  23,  78,   4,   4, 283, 283,   1,   9,
-        5,   2, 124, 117,  77, 106,  85,  27, 283, 283,
-        1, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260,  73,   2,
+       16,  40,  30,  26,   8,  15,   3,   1, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 106, 260,   2,   2,  16,
+       46,  75,   1,  78,   2,   4, 260, 260,   1,  18,
+        7,   2, 164,   5,  94, 116,  23,  41, 260, 260,
+        1,   2, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260
     };
   register int hval = len;
 
@@ -145,19 +145,25 @@ hash (str, len)
 static const struct proposal_token wordlist[] =
   {
     {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0},
+    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0},
+    {"x25519",           DIFFIE_HELLMAN_GROUP, CURVE_25519,               0},
+    {"prfsha1",          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0},
     {"noesn",            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0},
-    {"modpnone",         DIFFIE_HELLMAN_GROUP, MODP_NONE,                 0},
+    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
+    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
     {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
-    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0},
     {"ntru128",          DIFFIE_HELLMAN_GROUP, NTRU_128_BIT,              0},
     {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
     {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
     {"md5_128",          INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_128,         0},
+    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
     {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192},
+    {"prfsha256",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0},
+    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
     {"ntru192",          DIFFIE_HELLMAN_GROUP, NTRU_192_BIT,              0},
     {"ntru112",          DIFFIE_HELLMAN_GROUP, NTRU_112_BIT,              0},
-    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
-    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
+    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
     {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
     {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
     {"aes192ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
@@ -168,17 +174,18 @@ static const struct proposal_token wordlist[] =
     {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
     {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
     {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
+    {"prfsha512",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0},
     {"aescmac",          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0},
-    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
-    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
+    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
     {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
-    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
+    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
     {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
     {"ntru256",          DIFFIE_HELLMAN_GROUP, NTRU_256_BIT,              0},
     {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
     {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
-    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
+    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
+    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
     {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
     {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
     {"camellia192ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
@@ -189,29 +196,29 @@ static const struct proposal_token wordlist[] =
     {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
     {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
     {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
+    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
     {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
+    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
     {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
     {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+    {"prfsha384",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0},
     {"camellia128ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
     {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
-    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
+    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
+    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
     {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
     {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
     {"camelliaxcbc",     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0},
     {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
-    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
     {"camellia256ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
     {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
     {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
     {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
     {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
     {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
-    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
+    {"modpnone",         DIFFIE_HELLMAN_GROUP, MODP_NONE,                 0},
     {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
-    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
-    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
+    {"prfmd5",           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0},
     {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
     {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
     {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
@@ -221,103 +228,95 @@ static const struct proposal_token wordlist[] =
     {"aes192gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
     {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
     {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
-    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
+    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
     {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
-    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
-    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
     {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
     {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
     {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
     {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
     {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
     {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
-    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
     {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
     {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
     {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
     {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
-    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
+    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
     {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
-    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
+    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
     {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
-    {"prfsha1",          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0},
     {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
-    {"newhope128",       DIFFIE_HELLMAN_GROUP, NH_128_BIT,                0},
+    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
     {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
     {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
-    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
-    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
+    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
+    {"prfcamelliaxcbc",  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0},
+    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
+    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
     {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
-    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
-    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
+    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
+    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
     {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
     {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"prfsha256",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0},
+    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
+    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
+    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"curve25519",       DIFFIE_HELLMAN_GROUP, CURVE_25519,               0},
+    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
+    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
     {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
     {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
-    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
+    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
+    {"chacha20poly1305", ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305,  256},
+    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
+    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
     {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
-    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
     {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
-    {"ecp512bp",         DIFFIE_HELLMAN_GROUP, ECP_512_BP,                0},
+    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
     {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
-    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
-    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"prfsha512",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0},
+    {"ecp512bp",         DIFFIE_HELLMAN_GROUP, ECP_512_BP,                0},
+    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
     {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
-    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
-    {"prfsha384",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0},
-    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
-    {"prfcamelliaxcbc",  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0},
     {"ecp384bp",         DIFFIE_HELLMAN_GROUP, ECP_384_BP,                0},
     {"ecp256bp",         DIFFIE_HELLMAN_GROUP, ECP_256_BP,                0},
-    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
-    {"chacha20poly1305", ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305,  256},
-    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
-    {"ecp224bp",         DIFFIE_HELLMAN_GROUP, ECP_224_BP,                0},
+    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
     {"sha1_160",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_160,        0},
-    {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
-    {"prfmd5",           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0},
+    {"ecp224bp",         DIFFIE_HELLMAN_GROUP, ECP_224_BP,                0},
     {"prfaesxcbc",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,         0},
-    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"prfaescmac",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC,         0}
+    {"prfaescmac",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC,         0},
+    {"newhope128",       DIFFIE_HELLMAN_GROUP, NH_128_BIT,                0}
   };
 
 static const short lookup[] =
   {
      -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,   1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,   2,  -1,  -1,  -1,
-      3,   4,  -1,   5,   6,   7,   8,  -1,  -1,  -1,
-     -1,   9,  -1,  -1,  10,  11,  -1,  12,  -1,  13,
-     14,  15,  16,  17,  18,  19,  20,  21,  22,  23,
-     24,  25,  26,  -1,  27,  28,  29,  30,  31,  32,
-     33,  34,  35,  36,  37,  38,  -1,  39,  40,  41,
-     42,  43,  44,  45,  46,  -1,  47,  48,  -1,  49,
-     50,  51,  52,  53,  54,  -1,  55,  56,  57,  58,
-     59,  60,  61,  62,  63,  64,  -1,  65,  -1,  -1,
-     66,  67,  68,  69,  70,  71,  72,  73,  74,  75,
-     76,  77,  78,  79,  -1,  80,  81,  82,  83,  -1,
-     84,  85,  86,  87,  88,  89,  90,  91,  92,  93,
-     94,  95,  96,  97,  98,  99, 100,  -1, 101,  -1,
-     -1,  -1, 102,  -1, 103, 104, 105, 106,  -1, 107,
-     -1, 108, 109, 110, 111, 112, 113, 114,  -1, 115,
-     -1, 116, 117,  -1,  -1, 118, 119, 120,  -1, 121,
-     -1,  -1, 122, 123, 124,  -1, 125, 126, 127,  -1,
-    128, 129, 130,  -1, 131, 132,  -1,  -1,  -1,  -1,
-     -1,  -1, 133, 134,  -1,  -1,  -1, 135,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 136,  -1,
-     -1, 137,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1, 138, 139,  -1,
+     -1,   1,   2,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+      3,   4,  -1,  -1,  -1,  -1,  -1,   5,   6,   7,
+      8,  -1,  -1,   9,  -1,  -1,  10,  11,  12,  -1,
+     13,  14,  15,  16,  17,  18,  -1,  -1,  -1,  19,
+     20,  21,  22,  23,  24,  25,  26,  27,  28,  29,
+     30,  31,  32,  33,  34,  35,  36,  37,  38,  39,
+     40,  41,  42,  43,  44,  45,  -1,  46,  47,  48,
+     49,  50,  51,  52,  53,  54,  55,  56,  57,  58,
+     59,  60,  61,  62,  63,  -1,  64,  65,  -1,  66,
+     67,  68,  69,  70,  71,  -1,  72,  73,  -1,  74,
+     -1,  -1,  75,  76,  77,  78,  79,  80,  81,  82,
+     83,  84,  85,  -1,  -1,  -1,  86,  87,  88,  -1,
+     89,  90,  91,  -1,  92,  93,  94,  95,  96,  97,
+     98,  99,  -1, 100, 101,  -1, 102, 103, 104,  -1,
+    105, 106,  -1,  -1, 107, 108, 109,  -1, 110, 111,
+     -1, 112, 113, 114,  -1, 115,  -1, 116,  -1,  -1,
+    117,  -1, 118,  -1,  -1, 119, 120,  -1,  -1, 121,
+    122, 123, 124, 125, 126, 127, 128, 129,  -1, 130,
+     -1, 131,  -1, 132, 133,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1, 134,  -1,  -1, 135, 136,
+    137,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+    138, 139,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 140,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1, 140
+     -1,  -1,  -1,  -1, 141,  -1,  -1,  -1,  -1, 142
   };
 
 #ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index 3ac7729..c44ed96 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -163,6 +163,8 @@ ecp224bp,         DIFFIE_HELLMAN_GROUP, ECP_224_BP,                0
 ecp256bp,         DIFFIE_HELLMAN_GROUP, ECP_256_BP,                0
 ecp384bp,         DIFFIE_HELLMAN_GROUP, ECP_384_BP,                0
 ecp512bp,         DIFFIE_HELLMAN_GROUP, ECP_512_BP,                0
+curve25519,       DIFFIE_HELLMAN_GROUP, CURVE_25519,               0
+x25519,           DIFFIE_HELLMAN_GROUP, CURVE_25519,               0
 ntru112,          DIFFIE_HELLMAN_GROUP, NTRU_112_BIT,              0
 ntru128,          DIFFIE_HELLMAN_GROUP, NTRU_128_BIT,              0
 ntru192,          DIFFIE_HELLMAN_GROUP, NTRU_192_BIT,              0
diff --git a/src/libstrongswan/math/libnttfft/Makefile.in b/src/libstrongswan/math/libnttfft/Makefile.in
index 1a56213..ff41f9b 100644
--- a/src/libstrongswan/math/libnttfft/Makefile.in
+++ b/src/libstrongswan/math/libnttfft/Makefile.in
@@ -351,7 +351,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -386,6 +385,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/math/libnttfft/tests/Makefile.in b/src/libstrongswan/math/libnttfft/tests/Makefile.in
index 54e02ed..4f85449 100644
--- a/src/libstrongswan/math/libnttfft/tests/Makefile.in
+++ b/src/libstrongswan/math/libnttfft/tests/Makefile.in
@@ -355,7 +355,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -390,6 +389,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/math/libnttfft/tests/suites/test_ntt_fft.c b/src/libstrongswan/math/libnttfft/tests/suites/test_ntt_fft.c
index d827718..2a0f3bd 100644
--- a/src/libstrongswan/math/libnttfft/tests/suites/test_ntt_fft.c
+++ b/src/libstrongswan/math/libnttfft/tests/suites/test_ntt_fft.c
@@ -130,6 +130,12 @@ START_TEST(test_ntt_fft_speed)
 }
 END_TEST
 
+START_TEST(test_ntt_fft_init)
+{
+	libnttfft_init();
+}
+END_TEST
+
 Suite *ntt_fft_suite_create()
 {
 	Suite *s;
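Review bot: test_ntt_fft_init only calls libnttfft_init() and checks nothing, so as written it can fail only by crashing. If the function returns a status, the test should assert on it. If it returns nothing, as the bare call suggests, a comment in the test body such as `/* called for coverage only, nothing to verify */` would show that the missing assertion is intentional.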
@@ -137,6 +143,10 @@ Suite *ntt_fft_suite_create()
 
 	s = suite_create("ntt_fft");
 
+	tc = tcase_create("init");
+	tcase_add_test(tc, test_ntt_fft_init);
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("impulse");
 	tcase_add_loop_test(tc, test_ntt_fft_impulse, 0, countof(fft_params));
 	suite_add_tcase(s, tc);
diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c
index b71d2da..9537204 100644
--- a/src/libstrongswan/networking/host.c
+++ b/src/libstrongswan/networking/host.c
@@ -139,7 +139,7 @@ int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 					snprintf(buffer, sizeof(buffer),
 							 "(address conversion failed)");
 				}
-				else if (spec->hash)
+				else if (spec->hash && port)
 				{
 					len = strlen(buffer);
 					snprintf(buffer + len, sizeof(buffer) - len,
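Review bot: With `spec->hash && port` the `#` form no longer appends the port suffix when the port is 0, and no comment explains the intent. This changes the text that reaches logs, so anything that parses the address and port from that output may be affected. I would add `/* omit the port suffix if no port is set (0) */` above the condition and note the same wherever the hook's format flags are documented. `port` is assigned outside the hunk, so I am assuming it is always initialised before this branch; the function body starts and ends outside the hunk.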
diff --git a/src/libstrongswan/plugins/acert/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in
index 210d7c2..ee69a89 100644
--- a/src/libstrongswan/plugins/acert/Makefile.in
+++ b/src/libstrongswan/plugins/acert/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 9e926ac..0a8046b 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/aesni/Makefile.in b/src/libstrongswan/plugins/aesni/Makefile.in
index ea41ab3..ceb8676 100644
--- a/src/libstrongswan/plugins/aesni/Makefile.in
+++ b/src/libstrongswan/plugins/aesni/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index aa3be42..bad31ca 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 4441558..cd9036b 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/bliss/Makefile.in b/src/libstrongswan/plugins/bliss/Makefile.in
index 746709b..918a018 100644
--- a/src/libstrongswan/plugins/bliss/Makefile.in
+++ b/src/libstrongswan/plugins/bliss/Makefile.in
@@ -382,7 +382,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -417,6 +416,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.in b/src/libstrongswan/plugins/bliss/tests/Makefile.in
index 05f95dc..1964f19 100644
--- a/src/libstrongswan/plugins/bliss/tests/Makefile.in
+++ b/src/libstrongswan/plugins/bliss/tests/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
index 26c5b60..8770e07 100644
--- a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
@@ -70,7 +70,7 @@ START_TEST(test_bliss_sampler_gaussian)
 	sampler->destroy(sampler);
 	free(seed.ptr);
 
-	DBG1(DBG_LIB, "histogram");	
+	DBG1(DBG_LIB, "histogram");
 	for (k = 0; k < 8; k++)
 	{
 		DBG1(DBG_LIB, "%d %7d", k, hist[k]);
@@ -89,7 +89,7 @@ Suite *bliss_sampler_suite_create()
 	s = suite_create("bliss_sampler");
 
 	tc = tcase_create("sampler_gaussian");
-	tcase_set_timeout(tc, 10);
+	tcase_set_timeout(tc, 30);
 	tcase_add_loop_test(tc, test_bliss_sampler_gaussian, 0, countof(key_size));
 	suite_add_tcase(s, tc);
 
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 895af62..c2bc5ac 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 39caacd..f0065d0 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/chapoly/Makefile.in b/src/libstrongswan/plugins/chapoly/Makefile.in
index c0de9d8..3e1d634 100644
--- a/src/libstrongswan/plugins/chapoly/Makefile.in
+++ b/src/libstrongswan/plugins/chapoly/Makefile.in
@@ -372,7 +372,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -407,6 +406,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 24702df..77d68bd 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 56b4835..edd519f 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 16d177e..a9d0b2e 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 7aad683..996d258 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/curve25519/Makefile.am b/src/libstrongswan/plugins/curve25519/Makefile.am
new file mode 100644
index 0000000..f3e1e92
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/Makefile.am
@@ -0,0 +1,23 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-curve25519.la
+else
+plugin_LTLIBRARIES = libstrongswan-curve25519.la
+endif
+
+libstrongswan_curve25519_la_SOURCES = \
+	curve25519_dh.h curve25519_dh.c \
+	curve25519_drv.h curve25519_drv.c \
+	curve25519_drv_portable.h curve25519_drv_portable.c \
+	curve25519_identity_hasher.h curve25519_identity_hasher.c \
+	curve25519_plugin.h curve25519_plugin.c \
+	curve25519_private_key.h curve25519_private_key.c \
+	curve25519_public_key.h curve25519_public_key.c \
+	ref10/ref10.h ref10/ref10.c ref10/base.h ref10/base2.h
+
+libstrongswan_curve25519_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/curve25519/Makefile.in b/src/libstrongswan/plugins/curve25519/Makefile.in
new file mode 100644
index 0000000..1fa2b17
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/Makefile.in
@@ -0,0 +1,822 @@
+# Makefile.in generated by automake 1.15 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/curve25519
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_curve25519_la_LIBADD =
+am__dirstamp = $(am__leading_dot)dirstamp
+am_libstrongswan_curve25519_la_OBJECTS = curve25519_dh.lo \
+	curve25519_drv.lo curve25519_drv_portable.lo \
+	curve25519_identity_hasher.lo curve25519_plugin.lo \
+	curve25519_private_key.lo curve25519_public_key.lo \
+	ref10/ref10.lo
+libstrongswan_curve25519_la_OBJECTS =  \
+	$(am_libstrongswan_curve25519_la_OBJECTS)
+AM_V_lt = $(am__v_lt_ at AM_V@)
+am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libstrongswan_curve25519_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_curve25519_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+ at MONOLITHIC_FALSE@am_libstrongswan_curve25519_la_rpath = -rpath \
+ at MONOLITHIC_FALSE@	$(plugindir)
+ at MONOLITHIC_TRUE@am_libstrongswan_curve25519_la_rpath =
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_ at AM_V@)
+am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libstrongswan_curve25519_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_curve25519_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+ATOMICLIB = @ATOMICLIB@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+runstatedir = @runstatedir@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+ at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-curve25519.la
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-curve25519.la
+libstrongswan_curve25519_la_SOURCES = \
+	curve25519_dh.h curve25519_dh.c \
+	curve25519_drv.h curve25519_drv.c \
+	curve25519_drv_portable.h curve25519_drv_portable.c \
+	curve25519_identity_hasher.h curve25519_identity_hasher.c \
+	curve25519_plugin.h curve25519_plugin.c \
+	curve25519_private_key.h curve25519_private_key.c \
+	curve25519_public_key.h curve25519_public_key.c \
+	ref10/ref10.h ref10/ref10.c ref10/base.h ref10/base2.h
+
+libstrongswan_curve25519_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/curve25519/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/curve25519/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+ref10/$(am__dirstamp):
+	@$(MKDIR_P) ref10
+	@: > ref10/$(am__dirstamp)
+ref10/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) ref10/$(DEPDIR)
+	@: > ref10/$(DEPDIR)/$(am__dirstamp)
+ref10/ref10.lo: ref10/$(am__dirstamp) ref10/$(DEPDIR)/$(am__dirstamp)
+
+libstrongswan-curve25519.la: $(libstrongswan_curve25519_la_OBJECTS) $(libstrongswan_curve25519_la_DEPENDENCIES) $(EXTRA_libstrongswan_curve25519_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_curve25519_la_LINK) $(am_libstrongswan_curve25519_la_rpath) $(libstrongswan_curve25519_la_OBJECTS) $(libstrongswan_curve25519_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+	-rm -f ref10/*.$(OBJEXT)
+	-rm -f ref10/*.lo
+
+distclean-compile:
+	-rm -f *.tab.c
+
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_dh.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_drv.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_drv_portable.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_identity_hasher.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_plugin.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_private_key.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_public_key.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ref10/$(DEPDIR)/ref10.Plo at am__quote@
+
+.c.o:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+ at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+	-rm -rf ref10/.libs ref10/_libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f ref10/$(DEPDIR)/$(am__dirstamp)
+	-rm -f ref10/$(am__dirstamp)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR) ref10/$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR) ref10/$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
+
+.PRECIOUS: Makefile
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_dh.c b/src/libstrongswan/plugins/curve25519/curve25519_dh.c
new file mode 100644
index 0000000..c550263
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_dh.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <stdint.h>
+
+#include "curve25519_dh.h"
+#include "curve25519_drv.h"
+
+typedef struct private_curve25519_dh_t private_curve25519_dh_t;
+
+/**
+ * Private data of an curve25519_dh_t object.
+ */
+struct private_curve25519_dh_t {
+
+	/**
+	 * Public curve25519_dh_t interface.
+	 */
+	curve25519_dh_t public;
+
+	/**
+	 * Shared key, if computed
+	 */
+	u_char shared[CURVE25519_KEY_SIZE];
+
+	/**
+	 * TRUE if shared secret is computed
+	 */
+	bool computed;
+
+	/**
+	 * Curve25519 backend
+	 */
+	curve25519_drv_t *drv;
+};
+
+/**
+ * Generate a valid Curve25519 key
+ */
+static bool generate_key(private_curve25519_dh_t *this)
+{
+	u_char key[CURVE25519_KEY_SIZE];
+	rng_t *rng;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	if (!rng)
+	{
+		DBG1(DBG_LIB, "no RNG found for quality %N",
+			 rng_quality_names, RNG_STRONG);
+		return FALSE;
+	}
+	if (!rng->get_bytes(rng, CURVE25519_KEY_SIZE, key))
+	{
+		rng->destroy(rng);
+		return FALSE;
+	}
+	rng->destroy(rng);
+
+	return this->drv->set_key(this->drv, key);
+}
+
+METHOD(diffie_hellman_t, set_other_public_value, bool,
+	private_curve25519_dh_t *this, chunk_t value)
+{
+	if (value.len == CURVE25519_KEY_SIZE)
+	{
+		if (this->drv->curve25519(this->drv, value.ptr, this->shared))
+		{
+			this->computed = TRUE;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(diffie_hellman_t, get_my_public_value, bool,
+	private_curve25519_dh_t *this, chunk_t *value)
+{
+	u_char basepoint[CURVE25519_KEY_SIZE] = { 9 };
+
+	*value = chunk_alloc(CURVE25519_KEY_SIZE);
+	if (this->drv->curve25519(this->drv, basepoint, value->ptr))
+	{
+		return TRUE;
+	}
+	free(value->ptr);
+	return FALSE;
+}
+
+METHOD(diffie_hellman_t, set_private_value, bool,
+	private_curve25519_dh_t *this, chunk_t value)
+{
+	if (value.len != CURVE25519_KEY_SIZE)
+	{
+		return FALSE;
+	}
+	return this->drv->set_key(this->drv, value.ptr);
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, bool,
+	private_curve25519_dh_t *this, chunk_t *secret)
+{
+	if (!this->computed)
+	{
+		return FALSE;
+	}
+	*secret = chunk_clone(chunk_from_thing(this->shared));
+	return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_curve25519_dh_t *this)
+{
+	return CURVE_25519;
+}
+
+METHOD(diffie_hellman_t, destroy, void,
+	private_curve25519_dh_t *this)
+{
+	this->drv->destroy(this->drv);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+curve25519_dh_t *curve25519_dh_create(diffie_hellman_group_t group)
+{
+	private_curve25519_dh_t *this;
+
+	if (group != CURVE_25519)
+	{
+		return FALSE;
+	}
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.set_private_value = _set_private_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.drv = curve25519_drv_probe(),
+	);
+
+	if (!this->drv)
+	{
+		free(this);
+		return NULL;
+	}
+	if (!generate_key(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
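Review bot: set_other_public_value accepts any 32-byte peer value and sets `this->computed` without checking whether the resulting secret is all zero; the portable driver's curve25519() added later in this commit always returns TRUE, so nothing else rejects that case. RFC 7748 section 6 describes aborting when the shared secret is all-zero, which is what a low-order peer value yields regardless of the private key. A constant-time comparison against a zero buffer before setting the flag would cover it, e.g. `u_char zero[CURVE25519_KEY_SIZE] = {0};` and `if (memeq_const(this->shared, zero, sizeof(zero))) return FALSE;`. Separately, generate_key leaves the random private key in its stack buffer `key` and destroy frees the object with `this->shared` intact; a `memwipe()` on each would match what the driver's destroy does for `this->key`.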
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_dh.h b/src/libstrongswan/plugins/curve25519/curve25519_dh.h
new file mode 100644
index 0000000..40bc6d1
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_dh.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_dh curve25519_dh
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_DH_H_
+#define CURVE25519_DH_H_
+
+typedef struct curve25519_dh_t curve25519_dh_t;
+
+#include <library.h>
+
+/**
+ * Diffie-Hellman implementation using Curve25519.
+ */
+struct curve25519_dh_t {
+
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+};
+
+/**
+ * Creates a new curve25519_dh_t object.
+ *
+ * @param group			DH group, CURVE_25519
+ * @return				curve25519_dh_t object, NULL on error
+ */
+curve25519_dh_t *curve25519_dh_create(diffie_hellman_group_t group);
+
+#endif /** CURVE25519_DH_H_ @}*/
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_drv.c b/src/libstrongswan/plugins/curve25519/curve25519_drv.c
new file mode 100644
index 0000000..df39e71
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_drv.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_drv.h"
+#include "curve25519_drv_portable.h"
+
+typedef curve25519_drv_t*(*curve25519_drv_create)();
+
+/**
+ * See header.
+ */
+curve25519_drv_t *curve25519_drv_probe()
+{
+	curve25519_drv_create drivers[] = {
+		curve25519_drv_portable_create,
+	};
+	curve25519_drv_t *driver;
+	int i;
+
+	for (i = 0; i < countof(drivers); i++)
+	{
+		driver = drivers[i]();
+		if (driver)
+		{
+			return driver;
+		}
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_drv.h b/src/libstrongswan/plugins/curve25519/curve25519_drv.h
new file mode 100644
index 0000000..bdf0c4c
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_drv.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_drv curve25519_drv
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_DRV_H_
+#define CURVE25519_DRV_H_
+
+typedef struct curve25519_drv_t curve25519_drv_t;
+
+#include <library.h>
+
+/**
+ * Private key size of Curve25519
+ */
+#define CURVE25519_KEY_SIZE 32
+
+/**
+ * Backend driver abstraction for Curve25519.
+ */
+struct curve25519_drv_t {
+
+	/**
+	 * Set the private key.
+	 *
+	 * @param key		32 byte private key, clamped
+	 * @return			TRUE if key set
+	 */
+	bool (*set_key)(curve25519_drv_t *this, u_char *key);
+
+	/**
+	 * Calculate Curve25519 for the set key.
+	 *
+	 * @param in		input data, 32 bytes
+	 * @param out		output data, 32 bytes
+	 * @return			TRUE if calculated
+	 */
+	bool (*curve25519)(curve25519_drv_t *this, u_char *in, u_char *out);
+
+	/**
+	 * Destroy a curve25519_drv_t.
+	 */
+	void (*destroy)(curve25519_drv_t *this);
+};
+
+/**
+ * Create a curve25519_drv instance.
+ */
+curve25519_drv_t *curve25519_drv_probe();
+
+#endif /** CURVE25519_DRV_H_ @}*/
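Review bot: The `set_key` documentation says `32 byte private key, clamped`, which reads as a precondition on the caller, yet both callers in curve25519_dh.c (generate_key and set_private_value) pass unclamped bytes and the portable driver's set_key applies the clamping itself. Stating the contract explicitly keeps a future driver from trusting the caller: `@param key 32 byte private key, clamped by the driver before use`. As far as the portable driver shows, neither `set_key` nor `curve25519` writes through `key` or `in`, so both could be declared `const u_char *`.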
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.c b/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.c
new file mode 100644
index 0000000..9182de5
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.c
@@ -0,0 +1,613 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * Based on public domain code by Andrew Moon (curve22519-donna).
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_drv_portable.h"
+
+typedef struct private_curve25519_drv_t private_curve25519_drv_t;
+
+/**
+ * Private data of an curve25519_drv_portable_t object.
+ */
+struct private_curve25519_drv_t {
+
+	/**
+	 * Public curve25519_drv_t interface.
+	 */
+	curve25519_drv_t public;
+
+	/**
+	 * Private key
+	 */
+	u_char key[CURVE25519_KEY_SIZE];
+};
+
+METHOD(curve25519_drv_t, set_key, bool,
+	private_curve25519_drv_t *this, u_char *key)
+{
+	memcpy(this->key, key, sizeof(this->key));
+
+	this->key[0] &= 0xf8;
+	this->key[31] &= 0x7f;
+	this->key[31] |= 0x40;
+	return TRUE;
+}
+
+/**
+ * OR a 32-bit integer to an unaligned little-endian
+ */
+static inline void horule32(void *p, uint32_t x)
+{
+	uint32_t r;
+
+	memcpy(&r, p, sizeof(r));
+	r |= htole32(x);
+	memcpy(p, &r, sizeof(r));
+}
+
+/**
+ * Reduce a 32-bit integer to 26 bits
+ */
+static inline uint32_t rdc26(uint32_t v)
+{
+	return v & ((1 << 26) - 1);
+}
+
+/**
+ * Reduce a 32-bit integer to 25 bits
+ */
+static inline uint32_t rdc25(uint32_t v)
+{
+	return v & ((1 << 25) - 1);
+}
+
+/**
+ * Shift right a 64-bit integer by 26 bits
+ */
+static inline uint32_t sr26(uint64_t v)
+{
+	return v >> 26;
+}
+
+/**
+ * Shift right a 64-bit integer by 25 bits
+ */
+static inline uint32_t sr25(uint64_t v)
+{
+	return v >> 25;
+}
+
+/**
+ * Multiply a 64-bit integer with a 32-bit integer
+ */
+static inline uint64_t mul64(uint64_t a, uint32_t b)
+{
+	return a * b;
+}
+
+/**
+ * out = a + b
+ */
+static inline void add(uint32_t out[10], uint32_t a[10], uint32_t b[10])
+{
+	out[0] = a[0] + b[0];
+	out[1] = a[1] + b[1];
+	out[2] = a[2] + b[2];
+	out[3] = a[3] + b[3];
+	out[4] = a[4] + b[4];
+	out[5] = a[5] + b[5];
+	out[6] = a[6] + b[6];
+	out[7] = a[7] + b[7];
+	out[8] = a[8] + b[8];
+	out[9] = a[9] + b[9];
+}
+
+/**
+ * out = a - b
+ */
+static inline void sub(uint32_t out[10], uint32_t a[10], uint32_t b[10])
+{
+	uint32_t x;
+
+	x = 0x7ffffda + a[0] - b[0];           out[0] = rdc26(x);
+	x = 0x3fffffe + a[1] - b[1] + sr26(x); out[1] = rdc25(x);
+	x = 0x7fffffe + a[2] - b[2] + sr25(x); out[2] = rdc26(x);
+	x = 0x3fffffe + a[3] - b[3] + sr26(x); out[3] = rdc25(x);
+	x = 0x7fffffe + a[4] - b[4] + sr25(x); out[4] = rdc26(x);
+	x = 0x3fffffe + a[5] - b[5] + sr26(x); out[5] = rdc25(x);
+	x = 0x7fffffe + a[6] - b[6] + sr25(x); out[6] = rdc26(x);
+	x = 0x3fffffe + a[7] - b[7] + sr26(x); out[7] = rdc25(x);
+	x = 0x7fffffe + a[8] - b[8] + sr25(x); out[8] = rdc26(x);
+	x = 0x3fffffe + a[9] - b[9] + sr26(x); out[9] = rdc25(x);
+	                    out[0] += sr25(x) * 19;
+}
+
+/**
+ * out = in * scalar
+ */
+static void scalar_product(uint32_t out[10], uint32_t in[10], uint32_t scalar)
+{
+	uint64_t x;
+
+	x = mul64(in[0], scalar);           out[0] = rdc26(x);
+	x = mul64(in[1], scalar) + sr26(x); out[1] = rdc25(x);
+	x = mul64(in[2], scalar) + sr25(x); out[2] = rdc26(x);
+	x = mul64(in[3], scalar) + sr26(x); out[3] = rdc25(x);
+	x = mul64(in[4], scalar) + sr25(x); out[4] = rdc26(x);
+	x = mul64(in[5], scalar) + sr26(x); out[5] = rdc25(x);
+	x = mul64(in[6], scalar) + sr25(x); out[6] = rdc26(x);
+	x = mul64(in[7], scalar) + sr26(x); out[7] = rdc25(x);
+	x = mul64(in[8], scalar) + sr25(x); out[8] = rdc26(x);
+	x = mul64(in[9], scalar) + sr26(x); out[9] = rdc25(x);
+	                 out[0] += sr25(x) * 19;
+}
+
+/**
+ * out = a * b
+ */
+static inline void mul(uint32_t out[10], uint32_t a[10], uint32_t b[10])
+{
+	uint32_t r0, r1, r2, r3, r4, r5, r6, r7, r8, r9;
+	uint32_t s0, s1, s2, s3, s4, s5, s6, s7, s8, s9;
+	uint64_t m0, m1, m2, m3, m4, m5, m6, m7, m8, m9;
+
+	r0 = b[0];
+	r1 = b[1];
+	r2 = b[2];
+	r3 = b[3];
+	r4 = b[4];
+	r5 = b[5];
+	r6 = b[6];
+	r7 = b[7];
+	r8 = b[8];
+	r9 = b[9];
+
+	s0 = a[0];
+	s1 = a[1];
+	s2 = a[2];
+	s3 = a[3];
+	s4 = a[4];
+	s5 = a[5];
+	s6 = a[6];
+	s7 = a[7];
+	s8 = a[8];
+	s9 = a[9];
+
+	m1 = mul64(r0, s1) + mul64(r1, s0);
+	m3 = mul64(r0, s3) + mul64(r1, s2) + mul64(r2, s1) + mul64(r3, s0);
+	m5 = mul64(r0, s5) + mul64(r1, s4) + mul64(r2, s3) + mul64(r3, s2)
+	   + mul64(r4, s1) + mul64(r5, s0);
+	m7 = mul64(r0, s7) + mul64(r1, s6) + mul64(r2, s5) + mul64(r3, s4)
+	   + mul64(r4, s3) + mul64(r5, s2) + mul64(r6, s1) + mul64(r7, s0);
+	m9 = mul64(r0, s9) + mul64(r1, s8) + mul64(r2, s7) + mul64(r3, s6)
+	   + mul64(r4, s5) + mul64(r5, s4) + mul64(r6, s3) + mul64(r7, s2)
+	   + mul64(r8, s1) + mul64(r9, s0);
+
+	r1 *= 2;
+	r3 *= 2;
+	r5 *= 2;
+	r7 *= 2;
+
+	m0 = mul64(r0, s0);
+	m2 = mul64(r0, s2) + mul64(r1, s1) + mul64(r2, s0);
+	m4 = mul64(r0, s4) + mul64(r1, s3) + mul64(r2, s2) + mul64(r3, s1)
+	   + mul64(r4, s0);
+	m6 = mul64(r0, s6) + mul64(r1, s5) + mul64(r2, s4) + mul64(r3, s3)
+	   + mul64(r4, s2) + mul64(r5, s1) + mul64(r6, s0);
+	m8 = mul64(r0, s8) + mul64(r1, s7) + mul64(r2, s6) + mul64(r3, s5)
+	   + mul64(r4, s4) + mul64(r5, s3) + mul64(r6, s2) + mul64(r7, s1)
+	   + mul64(r8, s0);
+
+	r1 *= 19;
+	r2 *= 19;
+	r3 = (r3 / 2) * 19;
+	r4 *= 19;
+	r5 = (r5 / 2) * 19;
+	r6 *= 19;
+	r7 = (r7 / 2) * 19;
+	r8 *= 19;
+	r9 *= 19;
+
+	m1 += mul64(r9, s2) + mul64(r8, s3) + mul64(r7, s4) + mul64(r6, s5)
+	   +  mul64(r5, s6) + mul64(r4, s7) + mul64(r3, s8) + mul64(r2, s9);
+	m3 += mul64(r9, s4) + mul64(r8, s5) + mul64(r7, s6) + mul64(r6, s7)
+	   +  mul64(r5, s8) + mul64(r4, s9);
+	m5 += mul64(r9, s6) + mul64(r8, s7) + mul64(r7, s8) + mul64(r6, s9);
+	m7 += mul64(r9, s8) + mul64(r8, s9);
+
+	r3 *= 2;
+	r5 *= 2;
+	r7 *= 2;
+	r9 *= 2;
+
+	m0 += mul64(r9, s1) + mul64(r8, s2) + mul64(r7, s3) + mul64(r6, s4)
+	   +  mul64(r5, s5) + mul64(r4, s6) + mul64(r3, s7) + mul64(r2, s8)
+	   +  mul64(r1, s9);
+	m2 += mul64(r9, s3) + mul64(r8, s4) + mul64(r7, s5) + mul64(r6, s6)
+	   +  mul64(r5, s7) + mul64(r4, s8) + mul64(r3, s9);
+	m4 += mul64(r9, s5) + mul64(r8, s6) + mul64(r7, s7) + mul64(r6, s8)
+	   +  mul64(r5, s9);
+	m6 += mul64(r9, s7) + mul64(r8, s8) + mul64(r7, s9);
+	m8 += mul64(r9, s9);
+
+	m1 += m0 >> 26; r1 = rdc25(m1);
+	m2 += m1 >> 25; r2 = rdc26(m2);
+	m3 += m2 >> 26; r3 = rdc25(m3);
+	m4 += m3 >> 25; r4 = rdc26(m4);
+	m5 += m4 >> 26; r5 = rdc25(m5);
+	m6 += m5 >> 25; r6 = rdc26(m6);
+	m7 += m6 >> 26; r7 = rdc25(m7);
+	m8 += m7 >> 25; r8 = rdc26(m8);
+	m9 += m8 >> 26; r9 = rdc25(m9);
+	m0 = rdc26(m0) + mul64(m9 >> 25, 19);
+	r0 = rdc26(m0); r1 += m0 >> 26;
+
+	out[0] = r0;
+	out[1] = r1;
+	out[2] = r2;
+	out[3] = r3;
+	out[4] = r4;
+	out[5] = r5;
+	out[6] = r6;
+	out[7] = r7;
+	out[8] = r8;
+	out[9] = r9;
+}
+
+/**
+ * out = in^(2 * count), inlining
+ */
+static inline void square_times(uint32_t out[10], uint32_t in[10], int count)
+{
+	uint32_t r0, r1, r2, r3, r4, r5, r6, r7, r8, r9;
+	uint32_t d6, d7, d8, d9;
+	uint64_t m0, m1, m2, m3, m4, m5, m6, m7, m8, m9;
+
+	r0 = in[0];
+	r1 = in[1];
+	r2 = in[2];
+	r3 = in[3];
+	r4 = in[4];
+	r5 = in[5];
+	r6 = in[6];
+	r7 = in[7];
+	r8 = in[8];
+	r9 = in[9];
+
+	while (count--)
+	{
+		m0 = mul64(r0, r0    );
+		r0 *= 2;
+		m1 = mul64(r0, r1    );
+		m2 = mul64(r0, r2    ) + mul64(r1, r1 * 2);
+		r1 *= 2;
+		m3 = mul64(r0, r3    ) + mul64(r1, r2    );
+		m4 = mul64(r0, r4    ) + mul64(r1, r3 * 2) + mul64(r2, r2);
+		r2 *= 2;
+		m5 = mul64(r0, r5    ) + mul64(r1, r4    ) + mul64(r2, r3);
+		m6 = mul64(r0, r6    ) + mul64(r1, r5 * 2) + mul64(r2, r4)
+		   + mul64(r3, r3 * 2);
+		r3 *= 2;
+		m7 = mul64(r0, r7    ) + mul64(r1, r6    ) + mul64(r2, r5)
+		   + mul64(r3, r4    );
+		m8 = mul64(r0, r8    ) + mul64(r1, r7 * 2) + mul64(r2, r6)
+		   + mul64(r3, r5 * 2) + mul64(r4, r4    );
+		m9 = mul64(r0, r9    ) + mul64(r1, r8    ) + mul64(r2, r7)
+		   + mul64(r3, r6    ) + mul64(r4, r5 * 2);
+
+		d6 = r6 * 19;
+		d7 = r7 * 2 * 19;
+		d8 = r8 * 19;
+		d9 = r9 * 2 * 19;
+
+		m0 += mul64(d9, r1    ) + mul64(d8, r2    ) + mul64(d7, r3    )
+		   +  mul64(d6, r4 * 2) + mul64(r5, r5 * 2 * 19);
+		m1 += mul64(d9, r2 / 2) + mul64(d8, r3    ) + mul64(d7, r4    )
+		   +  mul64(d6, r5 * 2);
+		m2 += mul64(d9, r3    ) + mul64(d8, r4 * 2) + mul64(d7, r5 * 2)
+		   +  mul64(d6, r6    );
+		m3 += mul64(d9, r4    ) + mul64(d8, r5 * 2) + mul64(d7, r6    );
+		m4 += mul64(d9, r5 * 2) + mul64(d8, r6 * 2) + mul64(d7, r7    );
+		m5 += mul64(d9, r6    ) + mul64(d8, r7 * 2);
+		m6 += mul64(d9, r7 * 2) + mul64(d8, r8    );
+		m7 += mul64(d9, r8    );
+		m8 += mul64(d9, r9    );
+
+		m1 += m0 >> 26; r1 = rdc25(m1);
+		m2 += m1 >> 25; r2 = rdc26(m2);
+		m3 += m2 >> 26; r3 = rdc25(m3);
+		m4 += m3 >> 25; r4 = rdc26(m4);
+		m5 += m4 >> 26; r5 = rdc25(m5);
+		m6 += m5 >> 25; r6 = rdc26(m6);
+		m7 += m6 >> 26; r7 = rdc25(m7);
+		m8 += m7 >> 25; r8 = rdc26(m8);
+		m9 += m8 >> 26; r9 = rdc25(m9);
+		m0 = rdc26(m0) + mul64(sr25(m9), 19);
+		r0 = rdc26(m0); r1 += sr26(m0);
+	}
+
+	out[0] = r0;
+	out[1] = r1;
+	out[2] = r2;
+	out[3] = r3;
+	out[4] = r4;
+	out[5] = r5;
+	out[6] = r6;
+	out[7] = r7;
+	out[8] = r8;
+	out[9] = r9;
+}
+
+/**
+ * out = in * in
+ */
+static void square(uint32_t out[10], uint32_t in[10])
+{
+	return square_times(out, in, 1);
+}
+
+/**
+ * Take a little-endian, 32-byte number and expand it into polynomial form
+ */
+static void expand(uint32_t out[10], u_char *in)
+{
+	uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
+
+	x0 = uletoh32(in + 0);
+	x1 = uletoh32(in + 4);
+	x2 = uletoh32(in + 8);
+	x3 = uletoh32(in + 12);
+	x4 = uletoh32(in + 16);
+	x5 = uletoh32(in + 20);
+	x6 = uletoh32(in + 24);
+	x7 = uletoh32(in + 28);
+
+	out[0] = rdc26(                         x0       );
+	out[1] = rdc25((((uint64_t)x1 << 32) | x0) >> 26);
+	out[2] = rdc26((((uint64_t)x2 << 32) | x1) >> 19);
+	out[3] = rdc25((((uint64_t)x3 << 32) | x2) >> 13);
+	out[4] = rdc26((                        x3) >>  6);
+	out[5] = rdc25(                         x4       );
+	out[6] = rdc26((((uint64_t)x5 << 32) | x4) >> 25);
+	out[7] = rdc25((((uint64_t)x6 << 32) | x5) >> 19);
+	out[8] = rdc26((((uint64_t)x7 << 32) | x6) >> 12);
+	out[9] = rdc25((                        x7) >>  6);
+}
+
+/**
+ * Propagate carries in f
+ */
+static inline void carry(uint32_t f[10])
+{
+	f[1] += f[0] >> 26; f[0] = rdc26(f[0]);
+	f[2] += f[1] >> 25; f[1] = rdc25(f[1]);
+	f[3] += f[2] >> 26; f[2] = rdc26(f[2]);
+	f[4] += f[3] >> 25; f[3] = rdc25(f[3]);
+	f[5] += f[4] >> 26; f[4] = rdc26(f[4]);
+	f[6] += f[5] >> 25; f[5] = rdc25(f[5]);
+	f[7] += f[6] >> 26; f[6] = rdc26(f[6]);
+	f[8] += f[7] >> 25; f[7] = rdc25(f[7]);
+	f[9] += f[8] >> 26; f[8] = rdc26(f[8]);
+}
+
+/**
+ * Take a fully reduced polynomial form number and contract it into a
+ * little-endian, 32-byte array
+ */
+static void contract(u_char *out, uint32_t f[10])
+{
+	carry(f);
+	f[0] += 19 * (f[9] >> 25); f[9] = rdc25(f[9]);
+	carry(f);
+	f[0] += 19 * (f[9] >> 25); f[9] = rdc25(f[9]);
+
+	/* now t is between 0 and 2^255-1, properly carried.
+	 * case 1: between 0 and 2^255-20.
+	 * case 2: between 2^255-19 and 2^255-1.
+	 */
+	f[0] += 19;
+	carry(f);
+	f[0] += 19 * (f[9] >> 25); f[9] = rdc25(f[9]);
+
+	/* now between 19 and 2^255-1 in both cases, and offset by 19. */
+	f[0] += (1 << 26) - 19;
+	f[1] += (1 << 25) - 1;
+	f[2] += (1 << 26) - 1;
+	f[3] += (1 << 25) - 1;
+	f[4] += (1 << 26) - 1;
+	f[5] += (1 << 25) - 1;
+	f[6] += (1 << 26) - 1;
+	f[7] += (1 << 25) - 1;
+	f[8] += (1 << 26) - 1;
+	f[9] += (1 << 25) - 1;
+
+	/* now between 2^255 and 2^256-20, and offset by 2^255. */
+	carry(f);
+	f[9] = rdc25(f[9]);
+
+	f[1] <<= 2;
+	f[2] <<= 3;
+	f[3] <<= 5;
+	f[4] <<= 6;
+	f[6] <<= 1;
+	f[7] <<= 3;
+	f[8] <<= 4;
+	f[9] <<= 6;
+
+	memset(out, 0, 32);
+	horule32(out +  0, f[0]);
+	horule32(out +  3, f[1]);
+	horule32(out +  6, f[2]);
+	horule32(out +  9, f[3]);
+	horule32(out + 12, f[4]);
+	horule32(out + 16, f[5]);
+	horule32(out + 19, f[6]);
+	horule32(out + 22, f[7]);
+	horule32(out + 25, f[8]);
+	horule32(out + 28, f[9]);
+}
+
+/**
+ * Swap the contents of x and q if swap is non-zero
+ */
+static void swap_conditional(uint32_t a[10], uint32_t b[10], uint32_t swap)
+{
+	uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9;
+
+	swap = -swap;
+
+	x0 = swap & (a[0] ^ b[0]); a[0] ^= x0; b[0] ^= x0;
+	x1 = swap & (a[1] ^ b[1]); a[1] ^= x1; b[1] ^= x1;
+	x2 = swap & (a[2] ^ b[2]); a[2] ^= x2; b[2] ^= x2;
+	x3 = swap & (a[3] ^ b[3]); a[3] ^= x3; b[3] ^= x3;
+	x4 = swap & (a[4] ^ b[4]); a[4] ^= x4; b[4] ^= x4;
+	x5 = swap & (a[5] ^ b[5]); a[5] ^= x5; b[5] ^= x5;
+	x6 = swap & (a[6] ^ b[6]); a[6] ^= x6; b[6] ^= x6;
+	x7 = swap & (a[7] ^ b[7]); a[7] ^= x7; b[7] ^= x7;
+	x8 = swap & (a[8] ^ b[8]); a[8] ^= x8; b[8] ^= x8;
+	x9 = swap & (a[9] ^ b[9]); a[9] ^= x9; b[9] ^= x9;
+}
+
+/*
+ * In:  b =   2^5 - 2^0
+ * Out: b = 2^250 - 2^0
+ */
+static void pow_two5mtwo0_two250mtwo0(uint32_t b[10])
+{
+	uint32_t t0[10], c[10];
+
+	/* 2^5  - 2^0 */ /* b */
+	/* 2^10 - 2^5 */ square_times(t0, b, 5);
+	/* 2^10 - 2^0 */ mul(b, t0, b);
+	/* 2^20 - 2^10 */ square_times(t0, b, 10);
+	/* 2^20 - 2^0 */ mul(c, t0, b);
+	/* 2^40 - 2^20 */ square_times(t0, c, 20);
+	/* 2^40 - 2^0 */ mul(t0, t0, c);
+	/* 2^50 - 2^10 */ square_times(t0, t0, 10);
+	/* 2^50 - 2^0 */ mul(b, t0, b);
+	/* 2^100 - 2^50 */ square_times(t0, b, 50);
+	/* 2^100 - 2^0 */ mul(c, t0, b);
+	/* 2^200 - 2^100 */ square_times(t0, c, 100);
+	/* 2^200 - 2^0 */ mul(t0, t0, c);
+	/* 2^250 - 2^50 */ square_times(t0, t0, 50);
+	/* 2^250 - 2^0 */ mul(b, t0, b);
+}
+
+/*
+ * z^(p - 2) = z(2^255 - 21)
+ */
+static void recip(uint32_t out[10], uint32_t z[10])
+{
+	uint32_t a[10], t0[10], b[10];
+
+	/* 2 */ square(a, z); /* a = 2 */
+	/* 8 */ square_times(t0, a, 2);
+	/* 9 */ mul(b, t0, z); /* b = 9 */
+	/* 11 */ mul(a, b, a); /* a = 11 */
+	/* 22 */ square(t0, a);
+	/* 2^5 - 2^0 = 31 */ mul(b, t0, b);
+	/* 2^250 - 2^0 */ pow_two5mtwo0_two250mtwo0(b);
+	/* 2^255 - 2^5 */ square_times(b, b, 5);
+	/* 2^255 - 21 */ mul(out, b, a);
+}
+
+METHOD(curve25519_drv_t, curve25519, bool,
+	private_curve25519_drv_t *this, u_char *in, u_char *out)
+{
+	uint32_t nqpqx[10] = {1}, nqpqz[10] = {0}, nqz[10] = {1}, nqx[10];
+	uint32_t q[10], qx[10], qpqx[10], qqx[10], zzz[10], zmone[10];
+	uint32_t bit, lastbit, i;
+
+	expand(q, in);
+	memcpy(nqx, q, sizeof(nqx));
+
+	/* bit 255 is always 0, and bit 254 is always 1, so skip bit 255 and
+	 * start pre-swapped on bit 254 */
+	lastbit = 1;
+
+	/* we are doing bits 254..3 in the loop, but are swapping in bits 253..2 */
+	for (i = 253; i >= 2; i--)
+	{
+		add(qx, nqx, nqz);
+		sub(nqz, nqx, nqz);
+		add(qpqx, nqpqx, nqpqz);
+		sub(nqpqz, nqpqx, nqpqz);
+		mul(nqpqx, qpqx, nqz);
+		mul(nqpqz, qx, nqpqz);
+		add(qqx, nqpqx, nqpqz);
+		sub(nqpqz, nqpqx, nqpqz);
+		square(nqpqz, nqpqz);
+		square(nqpqx, qqx);
+		mul(nqpqz, nqpqz, q);
+		square(qx, qx);
+		square(nqz, nqz);
+		mul(nqx, qx, nqz);
+		sub(nqz, qx, nqz);
+		scalar_product(zzz, nqz, 121665);
+		add(zzz, zzz, qx);
+		mul(nqz, nqz, zzz);
+
+		bit = (this->key[i/8] >> (i & 7)) & 1;
+		swap_conditional(nqx, nqpqx, bit ^ lastbit);
+		swap_conditional(nqz, nqpqz, bit ^ lastbit);
+		lastbit = bit;
+	}
+
+	/* the final 3 bits are always zero, so we only need to double */
+	for (i = 0; i < 3; i++)
+	{
+		add(qx, nqx, nqz);
+		sub(nqz, nqx, nqz);
+		square(qx, qx);
+		square(nqz, nqz);
+		mul(nqx, qx, nqz);
+		sub(nqz, qx, nqz);
+		scalar_product(zzz, nqz, 121665);
+		add(zzz, zzz, qx);
+		mul(nqz, nqz, zzz);
+	}
+
+	recip(zmone, nqz);
+	mul(nqz, nqx, zmone);
+	contract(out, nqz);
+
+	return TRUE;
+}
+
+METHOD(curve25519_drv_t, destroy, void,
+	private_curve25519_drv_t *this)
+{
+	memwipe(this->key, sizeof(this->key));
+	free(this);
+}
+
+/**
+ * See header
+ */
+curve25519_drv_t *curve25519_drv_portable_create()
+{
+	private_curve25519_drv_t *this;
+
+	INIT(this,
+		.public = {
+			.set_key = _set_key,
+			.curve25519 = _curve25519,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
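Review bot: Three comments in this file state the wrong arithmetic: square_times is documented as `out = in^(2 * count)` but the loop squares `count` times, so it computes `in^(2^count)`; recip's header reads `z(2^255 - 21)` where an exponent is meant, `z^(p - 2) = z^(2^255 - 21)`; and swap_conditional's comment speaks of `x and q` while the parameters are `a` and `b`. The per-line exponent comments in recip and pow_two5mtwo0_two250mtwo0 are the only readable check on the addition chain, so the headers above them should agree with it. The file header also credits `curve22519-donna`, presumably curve25519-donna. Separately, curve25519() returns with the ladder state (`nqx`, `nqz`, `nqpqx`, `nqpqz` and the temporaries), which depends on the private key, still on the stack; wiping those arrays with `memwipe()` before `return TRUE` would be consistent with destroy() wiping `this->key`.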
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.h b/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.h
new file mode 100644
index 0000000..f0de0bd
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_drv_portable curve25519_drv_portable
+ * @{ @ingroup curve25519_p
+ */
+
+#include "curve25519_drv.h"
+
+#ifndef CURVE25519_DRV_PORTABLE_H_
+#define CURVE25519_DRV_PORTABLE_H_
+
+/**
+ * Create a curve25519_drv_portable instance.
+ */
+curve25519_drv_t *curve25519_drv_portable_create();
+
+#endif /** CURVE25519_DRV_PORTABLE_H_ @}*/
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.c b/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.c
new file mode 100644
index 0000000..a7ffdb1
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.c
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_identity_hasher.h"
+
+/*
+ * Described in header.
+ */
+curve25519_identity_hasher_t *curve25519_identity_hasher_create(hash_algorithm_t algo)
+{
+	/* since the identity hasher is never actually used, always return NULL */
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.h b/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.h
new file mode 100644
index 0000000..bf643b5
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_identity_hasher curve25519_identity_hasher
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_IDENTITY_HASHER_H_
+#define CURVE25519_IDENTITY_HASHER_H_
+
+typedef struct curve25519_identity_hasher_t curve25519_identity_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of hasher_t interface using the Identity algorithm.
+ */
+struct curve25519_identity_hasher_t {
+
+	/**
+	 * Implements hasher_t interface.
+	 */
+	hasher_t hasher_interface;
+};
+
+/**
+ * Creates a new curve25519_identity_hasher_t.
+ *
+ * @param algo		algorithm, must be HASH_IDENTITY
+ * @return			curve25519_identity_hasher_t object
+ */
+curve25519_identity_hasher_t *curve25519_identity_hasher_create(hash_algorithm_t algo);
+
+#endif /** CURVE25519_IDENTITY_HASHER_H_ @}*/
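Review bot: The `@return` line promises a `curve25519_identity_hasher_t object`, but the implementation added in this commit (curve25519_identity_hasher.c) ignores `algo` and always returns NULL. A caller working from the header alone would not expect that, so the doc should state the actual contract, e.g. `@return always NULL, the hasher is registered pro forma only`. The struct comment `Implementation of hasher_t interface using the Identity algorithm` overstates things in the same way, since no hasher_t methods are implemented anywhere in the commit's visible files.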
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_plugin.c b/src/libstrongswan/plugins/curve25519/curve25519_plugin.c
new file mode 100644
index 0000000..48ca43a
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_plugin.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_plugin.h"
+#include "curve25519_dh.h"
+#include "curve25519_private_key.h"
+#include "curve25519_public_key.h"
+#include "curve25519_identity_hasher.h"
+
+#include <library.h>
+
+typedef struct private_curve25519_plugin_t private_curve25519_plugin_t;
+
+/**
+ * private data of curve25519_plugin
+ */
+struct private_curve25519_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	curve25519_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_curve25519_plugin_t *this)
+{
+	return "curve25519";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_curve25519_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		/* X25519 DH group */
+		PLUGIN_REGISTER(DH, curve25519_dh_create),
+			PLUGIN_PROVIDE(DH, CURVE_25519),
+				PLUGIN_DEPENDS(RNG, RNG_STRONG),
+		/* Ed25519 private/public keys */
+		PLUGIN_REGISTER(PRIVKEY, curve25519_private_key_load, TRUE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+		PLUGIN_REGISTER(PRIVKEY_GEN, curve25519_private_key_gen, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
+				PLUGIN_DEPENDS(RNG, RNG_TRUE),
+				PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+		PLUGIN_REGISTER(PUBKEY, curve25519_public_key_load, TRUE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+		/* Ed25519 signature scheme, private */
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+		/* Ed25519 signature verification scheme, public */
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+		/* register a pro forma identity hasher */
+		PLUGIN_REGISTER(HASHER, curve25519_identity_hasher_create),
+			PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_curve25519_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *curve25519_plugin_create()
+{
+	private_curve25519_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_plugin.h b/src/libstrongswan/plugins/curve25519/curve25519_plugin.h
new file mode 100644
index 0000000..94f2e48
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_p curve25519
+ * @ingroup plugins
+ *
+ * @defgroup curve25519_plugin curve25519_plugin
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_PLUGIN_H_
+#define CURVE25519_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct curve25519_plugin_t curve25519_plugin_t;
+
+/**
+ * Plugin providing a Curve25519 DH implementation
+ */
+struct curve25519_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** CURVE25519_PLUGIN_H_ @}*/
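Review bot: The doc comment on `struct curve25519_plugin_t` mentions only the DH implementation, while get_features() in curve25519_plugin.c also registers Ed25519 private and public key loading, key generation and the Ed25519 sign/verify schemes. I would reword it to `Plugin providing X25519 DH and Ed25519 signature key implementations` so the generated documentation matches what the plugin registers.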
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_private_key.c b/src/libstrongswan/plugins/curve25519/curve25519_private_key.c
new file mode 100644
index 0000000..2a7303c
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_private_key.c
@@ -0,0 +1,346 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_private_key.h"
+#include "curve25519_public_key.h"
+#include "ref10/ref10.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+#define _GNU_SOURCE
+#include <stdlib.h>
+
+typedef struct private_curve25519_private_key_t private_curve25519_private_key_t;
+
+/**
+ * Private data of a curve25519_private_key_t object.
+ */
+struct private_curve25519_private_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	curve25519_private_key_t public;
+
+	/**
+	 * Secret scalar s derived from private key.
+	 */
+	uint8_t s[HASH_SIZE_SHA512];
+
+	/**
+	 * Ed25519 private key
+	 */
+	chunk_t key;
+
+	/**
+	 * Ed25519 public key
+	 */
+	chunk_t pubkey;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_curve25519_private_key_t *this)
+{
+	return KEY_ED25519;
+}
+
+METHOD(private_key_t, sign, bool,
+	private_curve25519_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
+{
+	uint8_t r[HASH_SIZE_SHA512], k[HASH_SIZE_SHA512], sig[HASH_SIZE_SHA512];
+	hasher_t *hasher;
+	chunk_t prefix;
+	ge_p3 R;
+	bool success = FALSE;
+
+	if (scheme != SIGN_ED25519)
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported by Ed25519",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	prefix = chunk_create(this->s + 32, 32);
+
+	if (!hasher->get_hash(hasher, prefix, NULL) ||
+		!hasher->get_hash(hasher, data, r))
+	{
+		goto end;
+	}
+	sc_reduce(r);
+	ge_scalarmult_base(&R, r);
+	ge_p3_tobytes(sig, &R);
+
+	if (!hasher->get_hash(hasher, chunk_create(sig, 32), NULL) ||
+		!hasher->get_hash(hasher, this->pubkey, NULL) ||
+		!hasher->get_hash(hasher, data, k))
+	{
+		goto end;
+	}
+	sc_reduce(k);
+	sc_muladd(sig + 32, k, this->s, r);
+
+	*signature = chunk_clone(chunk_create(sig, sizeof(sig)));
+	success = TRUE;
+
+end:
+	hasher->destroy(hasher);
+	return success;
+}
+
+METHOD(private_key_t, decrypt, bool,
+	private_curve25519_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
+{
+	DBG1(DBG_LIB, "encryption scheme %N not supported", encryption_scheme_names,
+		 scheme);
+	return FALSE;
+}
+
+METHOD(private_key_t, get_keysize, int,
+	private_curve25519_private_key_t *this)
+{
+	return 8 * ED25519_KEY_LEN;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_curve25519_private_key_t *this)
+{
+	public_key_t *public;
+	chunk_t pubkey;
+
+	pubkey = curve25519_public_key_info_encode(this->pubkey);
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
+								BUILD_BLOB_ASN1_DER, pubkey, BUILD_END);
+	free(pubkey.ptr);
+
+	return public;
+}
+
+METHOD(private_key_t, get_encoding, bool,
+	private_curve25519_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	switch (type)
+	{
+		case PRIVKEY_ASN1_DER:
+		case PRIVKEY_PEM:
+		{
+			bool success = TRUE;
+
+			*encoding = asn1_wrap(ASN1_SEQUENCE, "cms",
+							ASN1_INTEGER_0,
+							asn1_algorithmIdentifier(OID_ED25519),
+							asn1_wrap(ASN1_OCTET_STRING, "s",
+								asn1_simple_object(ASN1_OCTET_STRING, this->key)
+							)
+						);
+			if (type == PRIVKEY_PEM)
+			{
+				chunk_t asn1_encoding = *encoding;
+
+				success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM,
+								NULL, encoding, CRED_PART_EDDSA_PRIV_ASN1_DER,
+								asn1_encoding, CRED_PART_END);
+				chunk_clear(&asn1_encoding);
+			}
+			return success;
+		}
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+	private_curve25519_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
+{
+	bool success;
+
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	success = curve25519_public_key_fingerprint(this->pubkey, type, fp);
+	if (success)
+	{
+		lib->encoding->cache(lib->encoding, type, this, *fp);
+	}
+	return success;
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_curve25519_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(private_key_t, destroy, void,
+	private_curve25519_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		memwipe(this->s, HASH_SIZE_SHA512);
+		chunk_clear(&this->key);
+		chunk_free(&this->pubkey);
+		free(this);
+	}
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_curve25519_private_key_t *curve25519_private_key_create(chunk_t key)
+{
+	private_curve25519_private_key_t *this;
+	hasher_t *hasher;
+	ge_p3 A;
+
+	/* derive public key from private key */
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+	if (!hasher)
+	{
+		chunk_clear(&key);
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.key = key,
+		.pubkey = chunk_alloc(ED25519_KEY_LEN),
+		.ref = 1,
+	);
+
+	/* derive secret scalar s from private key */
+	if (!hasher->get_hash(hasher, key, this->s))
+	{
+		destroy(this);
+		hasher->destroy(hasher);
+		return NULL;
+	}
+	hasher->destroy(hasher);
+
+	this->s[0]  &= 0xf8;
+	this->s[31] &= 0x3f;
+	this->s[31] |= 0x40;
+
+	/* derive public key */
+	ge_scalarmult_base(&A, this->s);
+	ge_p3_tobytes(this->pubkey.ptr, &A);
+
+	return this;
+}
+
+/**
+ * See header.
+ */
+curve25519_private_key_t *curve25519_private_key_gen(key_type_t type,
+													 va_list args)
+{
+	private_curve25519_private_key_t *this;
+	chunk_t key;
+	rng_t *rng;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_KEY_SIZE:
+				/* key_size argument is not needed */
+				va_arg(args, u_int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	/* generate 256 bit true random private key */
+	rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
+	if (!rng || !rng->allocate_bytes(rng, ED25519_KEY_LEN, &key))
+	{
+		DESTROY_IF(rng);
+		return NULL;
+	}
+	rng->destroy(rng);
+
+	this = curve25519_private_key_create(key);
+
+	return this ? &this->public : NULL;
+}
+
+/**
+ * See header.
+ */
+curve25519_private_key_t *curve25519_private_key_load(key_type_t type,
+													  va_list args)
+{
+	private_curve25519_private_key_t *this;
+	chunk_t key = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_EDDSA_PRIV_ASN1_DER:
+				key = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (!asn1_parse_simple_object(&key, ASN1_OCTET_STRING, 0, "EdPrivateKey") ||
+		key.len != ED25519_KEY_LEN)
+	{
+		return NULL;
+	}
+	this = curve25519_private_key_create(chunk_clone(key));
+
+	return this ? &this->public : NULL;
+}
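Review bot: sign() leaves the per-signature nonce `r` on the stack when it returns, although destroy() in the same file takes care to `memwipe` the secret scalar `this->s`. The second signature half is computed from `k`, `this->s` and `r` by sc_muladd(), and `k` is a hash over public values, so `r` presumably deserves the same treatment as the scalar itself. Adding `memwipe(r, sizeof(r));` directly after the `end:` label covers both the success path and the two `goto end` error paths.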
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_private_key.h b/src/libstrongswan/plugins/curve25519/curve25519_private_key.h
new file mode 100644
index 0000000..26f474f
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_private_key.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_private_key curve25519_private_key
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_PRIVATE_KEY_H_
+#define CURVE25519_PRIVATE_KEY_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+typedef struct curve25519_private_key_t curve25519_private_key_t;
+
+/**
+ * Private_key_t implementation of Ed25519 signature algorithm.
+ */
+struct curve25519_private_key_t {
+
+	/**
+	 * Implements private_key_t interface
+	 */
+	private_key_t key;
+};
+
+/**
+ * Generate an Ed25519 private key.
+ *
+ * @param type		type of the key, must be KEY_ED25519
+ * @param args		builder_part_t argument list
+ * @return 			generated key, NULL on failure
+ */
+curve25519_private_key_t *curve25519_private_key_gen(key_type_t type,
+													 va_list args);
+
+/**
+ * Load an Ed25519 private key.
+ *
+ * @param type		type of the key, must be KEY_ED25519
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+curve25519_private_key_t *curve25519_private_key_load(key_type_t type,
+													  va_list args);
+
+#endif /** CURVE25519_PRIVATE_KEY_H_ @}*/
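Review bot: Both `@param type` lines say the type "must be KEY_ED25519", but neither curve25519_private_key_gen() nor curve25519_private_key_load() in curve25519_private_key.c ever reads `type`, so the stated requirement is not enforced. Either document it as `type of the key (ignored, builder is registered for KEY_ED25519 only)` or add `if (type != KEY_ED25519) { return NULL; }` at the top of both functions. curve25519_public_key.h carries the same sentence for curve25519_public_key_load(), which does not check `type` either.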
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c
new file mode 100644
index 0000000..d077763
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c
@@ -0,0 +1,331 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_public_key.h"
+#include "ref10/ref10.h"
+
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+
+typedef struct private_curve25519_public_key_t private_curve25519_public_key_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_curve25519_public_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	curve25519_public_key_t public;
+
+	/**
+	 * Ed25519 public key
+	 */
+	chunk_t pubkey;
+
+	/**
+	 * Reference counter
+	 */
+	refcount_t ref;
+};
+
+METHOD(public_key_t, get_type, key_type_t,
+	private_curve25519_public_key_t *this)
+{
+	return KEY_ED25519;
+}
+
+METHOD(public_key_t, verify, bool,
+	private_curve25519_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
+{
+	hasher_t *hasher;
+	uint8_t d = 0, k[HASH_SIZE_SHA512], r[32], *sig;
+	int i;
+	ge_p3 A;
+	ge_p2 R;
+
+	if (scheme != SIGN_ED25519)
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported by Ed25519",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+
+	if (signature.len != 64)
+	{
+		DBG1(DBG_LIB, "size of Ed25519 signature is not 64 bytes");
+		return FALSE;
+	}
+	sig = signature.ptr;
+
+	if (sig[63] & 0xe0)
+	{
+		DBG1(DBG_LIB, "the three most significant bits of Ed25519 signature "
+			 "are not zero");
+		return FALSE;
+	}
+
+	if (ge_frombytes_negate_vartime(&A, this->pubkey.ptr) != 0)
+	{
+		return FALSE;
+	}
+
+	/* check for all-zeroes public key */
+	for (i = 0; i < 32; i++)
+	{
+		d |= this->pubkey.ptr[i];
+	}
+	if (!d)
+	{
+		return FALSE;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	if (!hasher->get_hash(hasher, chunk_create(sig, 32), NULL) ||
+		!hasher->get_hash(hasher, this->pubkey, NULL) ||
+		!hasher->get_hash(hasher, data, k))
+	{
+		hasher->destroy(hasher);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+
+	sc_reduce(k);
+	ge_double_scalarmult_vartime(&R, k, &A, sig + 32);
+	ge_tobytes(r, &R);
+
+	return memeq_const(sig, r, 32);
+}
+
+METHOD(public_key_t, encrypt_, bool,
+	private_curve25519_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypto)
+{
+	DBG1(DBG_LIB, "encryption scheme %N not supported", encryption_scheme_names,
+		 scheme);
+	return FALSE;
+}
+
+METHOD(public_key_t, get_keysize, int,
+	private_curve25519_public_key_t *this)
+{
+	return 8 * ED25519_KEY_LEN;
+}
+
+METHOD(public_key_t, get_encoding, bool,
+	private_curve25519_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	bool success = TRUE;
+
+	*encoding = curve25519_public_key_info_encode(this->pubkey);
+
+	if (type != PUBKEY_SPKI_ASN1_DER)
+	{
+		chunk_t asn1_encoding = *encoding;
+
+		success = lib->encoding->encode(lib->encoding, type,
+						NULL, encoding, CRED_PART_EDDSA_PUB_ASN1_DER,
+						asn1_encoding, CRED_PART_END);
+		chunk_clear(&asn1_encoding);
+	}
+	return success;
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+	private_curve25519_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
+{
+	bool success;
+
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	success = curve25519_public_key_fingerprint(this->pubkey, type, fp);
+	if (success)
+	{
+		lib->encoding->cache(lib->encoding, type, this, *fp);
+	}
+	return success;
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_curve25519_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(public_key_t, destroy, void,
+	private_curve25519_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		free(this->pubkey.ptr);
+		free(this);
+	}
+}
+
+/**
+ * ASN.1 definition of an Ed25519 public key
+ */
+static const asn1Object_t pubkeyObjects[] = {
+	{ 0, "subjectPublicKeyInfo",ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "algorithm",			ASN1_EOC,			ASN1_RAW  }, /*  1 */
+	{ 1,   "subjectPublicKey",	ASN1_BIT_STRING,	ASN1_BODY }, /*  2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT }
+};
+
+#define ED25519_SUBJECT_PUBLIC_KEY_ALGORITHM	1
+#define ED25519_SUBJECT_PUBLIC_KEY				2
+
+/**
+ * See header.
+ */
+curve25519_public_key_t *curve25519_public_key_load(key_type_t type,
+													va_list args)
+{
+	private_curve25519_public_key_t *this;
+	chunk_t blob = chunk_empty, object;
+	asn1_parser_t *parser;
+	bool success = FALSE;
+	int objectID, oid;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
+
+	parser = asn1_parser_create(pubkeyObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case ED25519_SUBJECT_PUBLIC_KEY_ALGORITHM:
+			{
+				oid = asn1_parse_algorithmIdentifier(object,
+										parser->get_level(parser) + 1, NULL);
+				if (oid != OID_ED25519)
+				{
+					goto end;
+				}
+				break;
+			}
+			case ED25519_SUBJECT_PUBLIC_KEY:
+			{
+				/* encoded as an ASN1 BIT STRING */
+				if (object.len != 1 + ED25519_KEY_LEN)
+				{
+					goto end;
+				}
+				this->pubkey = chunk_clone(chunk_skip(object, 1));
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	if (!success)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/**
+ * See header.
+ */
+chunk_t curve25519_public_key_info_encode(chunk_t pubkey)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+					asn1_wrap(ASN1_SEQUENCE, "m",
+						asn1_build_known_oid(OID_ED25519)),
+					asn1_bitstring("c", pubkey));
+}
+
+/**
+ * See header.
+ */
+bool curve25519_public_key_fingerprint(chunk_t pubkey,
+									   cred_encoding_type_t type, chunk_t *fp)
+{
+	hasher_t *hasher;
+	chunk_t key;
+
+	switch (type)
+	{
+		case KEYID_PUBKEY_SHA1:
+			key = chunk_clone(pubkey);
+			break;
+		case KEYID_PUBKEY_INFO_SHA1:
+			key = curve25519_public_key_info_encode(pubkey);
+			break;
+		default:
+			return FALSE;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher || !hasher->allocate_hash(hasher, key, fp))
+	{
+		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, "
+			 "fingerprinting failed");
+		DESTROY_IF(hasher);
+		free(key.ptr);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+	free(key.ptr);
+	return TRUE;
+}
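Review bot: verify() rejects only signatures whose S half has one of its top three bits set (`sig[63] & 0xe0`), so values between the group order L and 2^253 still reach ge_double_scalarmult_vartime(). RFC 8032 requires S < L; without that check a valid signature presumably remains valid after L is added to S, which matters wherever signature bytes are expected to be unique for a given key and message. I would add a full range check on the 32 bytes at `sig + 32` after the existing bit test, using a file-scope constant for L as sketched below. The comparison works on public data only, so it needs no constant-time treatment.

```c
/**
 * Order L of the Ed25519 base point, little-endian
 */
static const uint8_t ed25519_order[32] = {
	0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
	0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};

/* … unchanged: verify() up to and including the sig[63] & 0xe0 test … */

	/* reject S >= L, comparing from the most significant byte down */
	for (i = 31; i >= 0; i--)
	{
		if (sig[32 + i] != ed25519_order[i])
		{
			break;
		}
	}
	if (i < 0 || sig[32 + i] > ed25519_order[i])
	{
		DBG1(DBG_LIB, "Ed25519 signature scalar is not below the group order");
		return FALSE;
	}

/* … unchanged: public key decoding, hashing and final comparison … */
```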
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_public_key.h b/src/libstrongswan/plugins/curve25519/curve25519_public_key.h
new file mode 100644
index 0000000..5f6ae17
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_public_key.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_public_key curve25519_public_key
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_PUBLIC_KEY_H_
+#define CURVE25519_PUBLIC_KEY_H_
+
+#include <credentials/builder.h>
+#include <credentials/cred_encoding.h>
+#include <credentials/keys/public_key.h>
+
+typedef struct curve25519_public_key_t curve25519_public_key_t;
+
+#define ED25519_KEY_LEN		32
+
+/**
+ * public_key_t implementation of Ed25519 signature algorithm
+ */
+struct curve25519_public_key_t {
+
+	/**
+	 * Implements the public_key_t interface
+	 */
+	public_key_t key;
+};
+
+/**
+ * Load an Ed25519 public key.
+ *
+ * @param type		type of the key, must be KEY_ED25519
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+curve25519_public_key_t *curve25519_public_key_load(key_type_t type,
+													va_list args);
+
+/* The following functions are shared with the curve25519_private_key class */
+
+/**
+ * Encode a Ed25519 subjectPublicKeyInfo record in ASN.1 DER format
+ *
+ * @param pubkey	Ed25519 public key
+ * @result			ASN.1 encoded subjectPublicKeyInfo record
+ */
+chunk_t curve25519_public_key_info_encode(chunk_t pubkey);
+
+/**
+ * Generate a Ed25519 public key fingerprint
+ *
+ * @param pubkey	Ed25519 public key
+ * @param type		type of fingerprint to be generated
+ * @param fp		generated fingerprint (must be freed by caller)
+ * @result			TRUE if generation was successful
+ */
+bool curve25519_public_key_fingerprint(chunk_t pubkey,
+									   cred_encoding_type_t type, chunk_t *fp);
+
+#endif /** CURVE25519_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/curve25519/ref10/base.h b/src/libstrongswan/plugins/curve25519/ref10/base.h
new file mode 100644
index 0000000..d3f60ca
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/ref10/base.h
@@ -0,0 +1,2121 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Based on the public domain libsodium adaptation by Frank Denis
+ * of the SUPERCOP ref10 implementation by  Daniel J. Bernstein,
+ * Niels Duif, Peter Schwabe, Tanja Lange and Bo-Yin Yang.
+ */
+
+	{
+		{
+			{  25967493, -14356035,  29566456,   3660896, -12694345,
+			    4014787,  27544626, -11754271,  -6079156,   2047605 },
+			{ -12545711,    934262,  -2722910,   3049990,   -727428,
+			    9406986,  12720692,   5043384,  19500929, -15469378 },
+			{  -8738181,   4489570,   9688441, -14785194,  10184609,
+			  -12363380,  29287919,  11864899, -24514362,  -4438546 }
+		},
+		{
+			{ -12815894, -12976347, -21581243,  11784320, -25355658,
+			   -2750717, -11717903,  -3814571,   -358445, -10211303 },
+			{ -21703237,   6903825,  27185491,   6451973, -29577724,
+			   -9554005, -15616551,  11189268, -26829678,  -5319081 },
+			{  26966642,  11152617,  32442495,  15396054,  14353839,
+			  -12752335,  -3128826,  -9541118, -15472047,  -4166697 }
+		},
+		{
+			{  15636291,  -9688557,  24204773,  -7912398,    616977,
+			  -16685262,  27787600, -14772189,  28944400,  -1550024 },
+			{  16568933,   4717097, -11556148,  -1102322,  15682896,
+			  -11807043,  16354577, -11775962,   7689662,  11199574 },
+			{  30464156,  -5976125, -11779434, -15670865,  23220365,
+			   15915852,   7512774,  10017326, -17749093,  -9920357 }
+		},
+		{
+			{ -17036878,  13921892,  10945806,  -6033431,  27105052,
+			  -16084379, -28926210,  15006023,   3284568,  -6276540 },
+			{  23599295,  -8306047, -11193664,  -7687416,  13236774,
+			   10506355,   7464579,   9656445,  13059162,  10374397 },
+			{   7798556,  16710257,   3033922,   2874086,  28997861,
+			    2835604,  32406664,  -3839045,   -641708,   -101325 }
+		},
+		{
+			{  10861363,  11473154,  27284546,   1981175, -30064349,
+			   12577861,  32867885,  14515107, -15438304,  10819380 },
+			{   4708026,   6336745,  20377586,   9066809, -11272109,
+			    6594696, -25653668,  12483688, -12668491,   5581306 },
+			{  19563160,  16186464, -29386857,   4097519,  10237984,
+			   -4348115,  28542350,  13850243, -23678021, -15815942 }
+		},
+		{
+			{ -15371964, -12862754,  32573250,   4720197, -26436522,
+			    5875511, -19188627, -15224819,  -9818940, -12085777 },
+			{  -8549212,    109983,  15149363,   2178705,  22900618,
+			    4543417,   3044240, -15689887,   1762328,  14866737 },
+			{ -18199695, -15951423, -10473290,   1707278, -17185920,
+			    3916101, -28236412,   3959421,  27914454,   4383652 }
+		},
+		{
+			{   5153746,   9909285,   1723747,  -2777874,  30523605,
+			    5516873,  19480852,   5230134, -23952439, -15175766 },
+			{ -30269007,  -3463509,   7665486,  10083793,  28475525,
+			    1649722,  20654025,  16520125,  30598449,   7715701 },
+			{  28881845,  14381568,   9657904,   3680757, -20181635,
+			    7843316, -31400660,   1370708,  29794553,  -1409300 }
+		},
+		{
+			{  14499471,  -2729599, -33191113,  -4254652,  28494862,
+			   14271267,  30290735,  10876454, -33154098,   2381726 },
+			{  -7195431,  -2655363, -14730155,    462251, -27724326,
+			    3941372,  -6236617,   3696005, -32300832,  15351955 },
+			{  27431194,   8222322,  16448760,  -3907995, -18707002,
+			   11938355, -32961401,  -2970515,  29551813,  10109425 }
+		}
+	},
+	{
+		{
+			{ -13657040, -13155431, -31283750,  11777098,  21447386,
+			    6519384,  -2378284,  -1627556,  10092783,  -4764171 },
+			{  27939166,  14210322,   4677035,  16277044, -22964462,
+			  -12398139, -32508754,  12005538, -17810127,  12803510 },
+			{  17228999, -15661624,  -1233527,    300140,  -1224870,
+			  -11714777,  30364213,  -9038194,  18016357,   4397660 }
+		},
+		{
+			{ -10958843,  -7690207,   4776341, -14954238,  27850028,
+			  -15602212, -26619106,  14544525, -17477504,    982639 },
+			{  29253598,  15796703,  -2863982,  -9908884,  10057023,
+			    3163536,   7332899,  -4120128, -21047696,   9934963 },
+			{   5793303,  16271923, -24131614, -10116404,  29188560,
+			    1206517, -14747930,   4559895, -30123922, -10897950 }
+		},
+		{
+			{ -27643952, -11493006,  16282657, -11036493,  28414021,
+			  -15012264,  24191034,   4541697, -13338309,   5500568 },
+			{  12650548,  -1497113,   9052871,  11355358, -17680037,
+			   -8400164, -17430592,  12264343,  10874051,  13524335 },
+			{  25556948,  -3045990,    714651,   2510400,  23394682,
+			  -10415330,  33119038,   5080568, -22528059,   5376628 }
+		},
+		{
+			{ -26088264,  -4011052, -17013699,  -3537628,  -6726793,
+			    1920897, -22321305,  -9447443,   4535768,   1569007 },
+			{  -2255422,  14606630, -21692440,  -8039818,  28430649,
+			    8775819, -30494562,   3044290,  31848280,  12543772 },
+			{ -22028579,   2943893, -31857513,   6777306,  13784462,
+			   -4292203, -27377195,  -2062731,   7718482,  14474653 }
+		},
+		{
+			{   2385315,   2454213, -22631320,     46603,  -4437935,
+			  -15680415,    656965,  -7236665,  24316168,  -5253567 },
+			{  13741529,  10911568, -33233417,  -8603737, -20177830,
+			   -1033297,  33040651, -13424532, -20729456,   8321686 },
+			{  21060490,  -2212744,  15712757,  -4336099,   1639040,
+			   10656336,  23845965, -11874838,  -9984458,    608372 }
+		},
+		{
+			{ -13672732, -15087586, -10889693,  -7557059,  -6036909,
+			   11305547,   1123968,  -6780577,  27229399,     23887 },
+			{ -23244140,   -294205, -11744728,  14712571, -29465699,
+			   -2029617,  12797024,  -6440308,  -1633405,  16678954 },
+			{ -29500620,   4770662, -16054387,  14001338,   7830047,
+			    9564805,  -1508144,  -4795045, -17169265,   4904953 }
+		},
+		{
+			{  24059557,  14617003,  19037157, -15039908,  19766093,
+			  -14906429,   5169211,  16191880,   2128236,  -4326833 },
+			{ -16981152,   4124966,  -8540610, -10653797,  30336522,
+			  -14105247, -29806336,    916033,  -6882542,  -2986532 },
+			{ -22630907,  12419372,  -7134229,  -7473371, -16478904,
+			   16739175,    285431,   2763829,  15736322,   4143876 }
+		},
+		{
+			{   2379352,  11839345,  -4110402,  -5988665,  11274298,
+			     794957,    212801, -14594663,  23527084, -16458268 },
+			{  33431127, -11130478, -17838966, -15626900,   8909499,
+			    8376530, -32625340,   4087881, -15188911, -14416214 },
+			{   1767683,   7197987, -13205226,  -2022635, -13091350,
+			     448826,   5799055,   4357868,  -4774191, -16323038 }
+		}
+	},
+	{
+		{
+			{   6721966,  13833823, -23523388,  -1551314,  26354293,
+			  -11863321,  23365147,  -3949732,   7390890,   2759800 },
+			{   4409041,   2052381,  23373853,  10530217,   7676779,
+			  -12885954,  21302353,  -4264057,   1244380, -12919645 },
+			{  -4421239,   7169619,   4982368,  -2957590,  30256825,
+			   -2777540,  14086413,   9208236,  15886429,  16489664 }
+		},
+		{
+			{   1996075,  10375649,  14346367,  13311202,  -6874135,
+			  -16438411, -13693198,    398369, -30606455,   -712933 },
+			{ -25307465,   9795880,  -2777414,  14878809, -33531835,
+			   14780363,  13348553,  12076947, -30836462,   5113182 },
+			{ -17770784,  11797796,  31950843,  13929123, -25888302,
+			   12288344, -30341101,  -7336386,  13847711,   5387222 }
+		},
+		{
+			{ -18582163,  -3416217,  17824843,  -2340966,  22744343,
+			  -10442611,   8763061,   3617786, -19600662,  10370991 },
+			{  20246567, -14369378,  22358229,   -543712,  18507283,
+			  -10413996,  14554437,  -8746092,  32232924,  16763880 },
+			{   9648505,  10094563,  26416693,  14745928, -30374318,
+			   -6472621,  11094161,  15689506,   3140038, -16510092 }
+		},
+		{
+			{ -16160072,   5472695,  31895588,   4744994,   8823515,
+			   10365685, -27224800,   9448613, -28774454,    366295 },
+			{  19153450,  11523972, -11096490,  -6503142, -24647631,
+			    5420647,  28344573,   8041113,    719605,  11671788 },
+			{   8678025,   2694440,  -6808014,   2517372,   4964326,
+			   11152271, -15432916, -15266516,  27000813, -10195553 }
+		},
+		{
+			{ -15157904,   7134312,   8639287,  -2814877,  -7235688,
+			   10421742,    564065,   5336097,   6750977, -14521026 },
+			{  11836410,  -3979488,  26297894,  16080799,  23455045,
+			   15735944,   1695823,  -8819122,   8169720,  16220347 },
+			{ -18115838,   8653647,  17578566,  -6092619,  -8025777,
+			  -16012763, -11144307,  -2627664,  -5990708, -14166033 }
+		},
+		{
+			{ -23308498, -10968312,  15213228, -10081214, -30853605,
+			  -11050004,  27884329,   2847284,   2655861,   1738395 },
+			{ -27537433, -14253021, -25336301,  -8002780,  -9370762,
+			    8129821,  21651608,  -3239336, -19087449, -11005278 },
+			{   1533110,   3437855,  23735889,    459276,  29970501,
+			   11335377,  26030092,   5821408,  10478196,   8544890 }
+		},
+		{
+			{  32173121, -16129311,  24896207,   3921497,  22579056,
+			   -3410854,  19270449,  12217473,  17789017,  -3395995 },
+			{ -30552961,  -2228401, -15578829, -10147201,  13243889,
+			     517024,  15479401,  -3853233,  30460520,   1052596 },
+			{ -11614875,  13323618,  32618793,   8175907, -15230173,
+			   12596687,  27491595,  -4612359,   3179268,  -9478891 }
+		},
+		{
+			{  31947069, -14366651,  -4640583, -15339921, -15125977,
+			   -6039709, -14756777, -16411740,  19072640,  -9511060 },
+			{  11685058,  11822410,   3158003, -13952594,  33402194,
+			   -4165066,   5977896,  -5215017,    473099,   5040608 },
+			{ -20290863,   8198642, -27410132,  11602123,   1290375,
+			   -2799760,  28326862,   1721092, -19558642,  -3131606 }
+		}
+	},
+	{
+		{
+			{   7881532,  10687937,   7578723,   7738378, -18951012,
+			   -2553952,  21820786,   8076149, -27868496,  11538389 },
+			{ -19935666,   3899861,  18283497,  -6801568, -15728660,
+			  -11249211,   8754525,   7446702,  -5676054,   5797016 },
+			{ -11295600,  -3793569, -15782110,  -7964573,  12708869,
+			   -8456199,   2014099,  -9050574,  -2369172,  -5877341 }
+		},
+		{
+			{ -22472376, -11568741, -27682020,   1146375,  18956691,
+			   16640559,   1192730,  -3714199,  15123619,  10811505 },
+			{  14352098,  -3419715, -18942044,  10822655,  32750596,
+			    4699007,    -70363,  15776356, -28886779, -11974553 },
+			{ -28241164,  -8072475,  -4978962,  -5315317,  29416931,
+			    1847569, -20654173, -16484855,   4714547,  -9600655 }
+		},
+		{
+			{  15200332,   8368572,  19679101,  15970074, -31872674,
+			    1959451,  24611599,  -4543832, -11745876,  12340220 },
+			{  12876937, -10480056,  33134381,   6590940,  -6307776,
+			   14872440,   9613953,   8241152,  15370987,   9608631 },
+			{  -4143277, -12014408,   8446281,   -391603,   4407738,
+			   13629032,  -7724868,  15866074, -28210621,  -8814099 }
+		},
+		{
+			{  26660628, -15677655,   8393734,    358047,  -7401291,
+			     992988, -23904233,    858697,  20571223,   8420556 },
+			{  14620715,  13067227, -15447274,   8264467,  14106269,
+			   15080814,  33531827,  12516406, -21574435, -12476749 },
+			{    236881,  10476226,     57258, -14677024,   6472998,
+			    2466984,  17258519,   7256740,   8791136,  15069930 }
+		},
+		{
+			{   1276410,  -9371918,  22949635, -16322807, -23493039,
+			   -5702186,  14711875,   4874229, -30663140,  -2331391 },
+			{   5855666,   4990204, -13711848,   7294284,  -7804282,
+			    1924647,  -1423175,  -7912378, -33069337,   9234253 },
+			{  20590503,  -9018988,  31529744,  -7352666,  -2706834,
+			   10650548,  31559055, -11609587,  18979186,  13396066 }
+		},
+		{
+			{  24474287,   4968103,  22267082,   4407354,  24063882,
+			   -8325180, -18816887,  13594782,  33514650,   7021958 },
+			{ -11566906,  -6565505, -21365085,  15928892, -26158305,
+			    4315421, -25948728,  -3916677, -21480480,  12868082 },
+			{ -28635013,  13504661,  19988037,  -2132761,  21078225,
+			    6443208, -21446107,   2244500, -12455797,  -8089383 }
+		},
+		{
+			{ -30595528,  13793479,  -5852820,    319136, -25723172,
+			   -6263899,  33086546,   8957937, -15233648,   5540521 },
+			{ -11630176, -11503902,  -8119500,  -7643073,   2620056,
+			    1022908, -23710744,  -1568984, -16128528, -14962807 },
+			{  23152971,    775386,  27395463,  14006635,  -9701118,
+			    4649512,   1689819,    892185, -11513277, -15205948 }
+		},
+		{
+			{   9770129,   9586738,  26496094,   4324120,   1556511,
+			   -3550024,  27453819,   4763127, -19179614,   5867134 },
+			{ -32765025,   1927590,  31726409,  -4753295,  23962434,
+			  -16019500,  27846559,   5931263, -29749703, -16108455 },
+			{  27461885,  -2977536,  22380810,   1815854, -23033753,
+			   -3031938,   7283490, -15148073, -19526700,   7734629 }
+		}
+	},
+	{
+		{
+			{  -8010264,  -9590817, -11120403,   6196038,  29344158,
+			  -13430885,   7585295,  -3176626,  18549497,  15302069 },
+			{ -32658337,  -6171222,  -7672793, -11051681,   6258878,
+			   13504381,  10458790,  -6418461,  -8872242,   8424746 },
+			{  24687205,   8613276, -30667046,  -3233545,   1863892,
+			   -1830544,  19206234,   7134917, -11284482,   -828919 }
+		},
+		{
+			{  11334899,  -9218022,   8025293,  12707519,  17523892,
+			  -10476071,  10243738, -14685461,  -5066034,  16498837 },
+			{   8911542,   6887158,  -9584260,  -6958590,  11145641,
+			   -9543680,  17303925, -14124238,   6536641,  10543906 },
+			{ -28946384,  15479763, -17466835,    568876,  -1497683,
+			   11223454,  -2669190, -16625574, -27235709,   8876771 }
+		},
+		{
+			{ -25742899, -12566864, -15649966,   -846607, -33026686,
+			    -796288, -33481822,  15824474,   -604426,  -9039817 },
+			{  10330056,     70051,   7957388,  -9002667,   9764902,
+			   15609756,  27698697,  -4890037,   1657394,   3084098 },
+			{  10477963,  -7470260,  12119566, -13250805,  29016247,
+			   -5365589,  31280319,  14396151, -30233575,  15272409 }
+		},
+		{
+			{ -12288309,   3169463,  28813183,  16658753,  25116432,
+			   -5630466, -25173957, -12636138, -25014757,   1950504 },
+			{ -26180358,   9489187,  11053416, -14746161, -31053720,
+			    5825630,  -8384306,  -8767532,  15341279,   8373727 },
+			{  28685821,   7759505, -14378516, -12002860, -31971820,
+			    4079242,    298136, -10232602,  -2878207,  15190420 }
+		},
+		{
+			{ -32932876,  13806336, -14337485, -15794431, -24004620,
+			   10940928,   8669718,   2742393, -26033313,  -6875003 },
+			{  -1580388, -11729417, -25979658, -11445023, -17411874,
+			  -10912854,   9291594, -16247779, -12154742,   6048605 },
+			{ -30305315,  14843444,   1539301,  11864366,  20201677,
+			    1900163,  13934231,   5128323,  11213262,   9168384 }
+		},
+		{
+			{ -26280513,  11007847,  19408960,   -940758, -18592965,
+			   -4328580,  -5088060, -11105150,  20470157, -16398701 },
+			{ -23136053,   9282192,  14855179, -15390078,  -7362815,
+			  -14408560, -22783952,  14461608,  14042978,   5230683 },
+			{  29969567,  -2741594, -16711867,  -8552442,   9175486,
+			   -2468974,  21556951,   3506042,  -5933891, -12449708 }
+		},
+		{
+			{  -3144746,   8744661,  19704003,   4581278, -20430686,
+			    6830683, -21284170,   8971513, -28539189,  15326563 },
+			{ -19464629,  10110288, -17262528,  -3503892, -23500387,
+			    1355669, -15523050,  15300988, -20514118,   9168260 },
+			{  -5353335,   4488613, -23803248,  16314347,   7780487,
+			  -15638939, -28948358,   9601605,  33087103,  -9011387 }
+		},
+		{
+			{ -19443170, -15512900, -20797467, -12445323, -29824447,
+			   10229461, -27444329, -15000531,  -5996870,  15664672 },
+			{  23294591, -16632613, -22650781,  -8470978,  27844204,
+			   11461195,  13099750,  -2460356,  18151676,  13417686 },
+			{ -24722913,  -4176517, -31150679,   5988919, -26858785,
+			    6685065,   1661597, -12551441,  15271676, -15452665 }
+		}
+	},
+	{
+		{
+			{  11433042, -13228665,   8239631,  -5279517,  -1985436,
+			    -725718, -18698764,   2167544,  -6921301, -13440182 },
+			{ -31436171,  15575146,  30436815,  12192228, -22463353,
+			    9395379,  -9917708,  -8638997,  12215110,  12028277 },
+			{  14098400,   6555944,  23007258,   5757252, -15427832,
+			  -12950502,  30123440,   4617780, -16900089,   -655628 }
+		},
+		{
+			{  -4026201, -15240835,  11893168,  13718664, -14809462,
+			    1847385, -15819999,  10154009,  23973261, -12684474 },
+			{ -26531820,  -3695990,  -1908898,   2534301, -31870557,
+			  -16550355,  18341390, -11419951,  32013174, -10103539 },
+			{ -25479301,  10876443, -11771086, -14625140, -12369567,
+			    1838104,  21911214,   6354752,   4425632,   -837822 }
+		},
+		{
+			{ -10433389, -14612966,  22229858,  -3091047, -13191166,
+			     776729, -17415375, -12020462,   4725005,  14044970 },
+			{  19268650,  -7304421,   1555349,   8692754, -21474059,
+			   -9910664,   6347390,  -1411784, -19522291, -16109756 },
+			{ -24864089,  12986008, -10898878,  -5558584, -11312371,
+			    -148526,  19541418,   8180106,   9282262,  10282508 }
+		},
+		{
+			{ -26205082,   4428547,  -8661196, -13194263,   4098402,
+			  -14165257,  15522535,   8372215,   5542595, -10702683 },
+			{ -10562541,  14895633,  26814552, -16673850, -17480754,
+			   -2489360,  -2781891,   6993761, -18093885,  10114655 },
+			{ -20107055,   -929418,  31422704,  10427861,  -7110749,
+			    6150669, -29091755, -11529146,  25953725,   -106158 }
+		},
+		{
+			{  -4234397,  -8039292,  -9119125,   3046000,   2101609,
+			  -12607294,  19390020,   6094296,  -3315279,  12831125 },
+			{ -15998678,   7578152,   5310217,  14408357, -33548620,
+			    -224739,  31575954,   6326196,   7381791,  -2421839 },
+			{ -20902779,   3296811,  24736065, -16328389,  18374254,
+			    7318640,   6295303,   8082724, -15362489,  12339664 }
+		},
+		{
+			{  27724736,   2291157,   6088201, -14184798,   1792727,
+			    5857634,  13848414,  15768922,  25091167,  14856294 },
+			{ -18866652,   8331043,  24373479,   8541013,   -701998,
+			   -9269457,  12927300, -12695493, -22182473,  -9012899 },
+			{ -11423429,  -5421590,  11632845,   3405020,  30536730,
+			  -11674039, -27260765,  13866390,  30146206,   9142070 }
+		},
+		{
+			{   3924129, -15307516, -13817122, -10054960,  12291820,
+			    -668366, -27702774,   9326384,  -8237858,   4171294 },
+			{ -15921940,  16037937,   6713787,  16606682, -21612135,
+			    2790944,  26396185,   3731949,    345228,  -5462949 },
+			{ -21327538,  13448259,  25284571,   1143661,  20614966,
+			   -8849387,   2031539, -12391231, -16253183, -13582083 }
+		},
+		{
+			{  31016211, -16722429,  26371392, -14451233,  -5027349,
+			   14854137,  17477601,   3842657,  28012650, -16405420 },
+			{  -5075835,   9368966,  -8562079,  -4600902, -15249953,
+			    6970560,  -9189873,  16292057,  -8867157,   3507940 },
+			{  29439664,   3537914,  23333589,   6997794, -17555561,
+			  -11018068, -15209202, -15051267,  -9164929,   6580396 }
+		}
+	},
+	{
+		{
+			{ -12185861,  -7679788,  16438269,  10826160,  -8696817,
+			   -6235611,  17860444,  -9273846,  -2095802,   9304567 },
+			{  20714564,  -4336911,  29088195,   7406487,  11426967,
+			   -5095705,  14792667, -14608617,   5289421,   -477127 },
+			{ -16665533, -10650790,  -6160345, -13305760,   9192020,
+			   -1802462,  17271490,  12349094,  26939669,  -3752294 }
+		},
+		{
+			{ -12889898,   9373458,  31595848,  16374215,  21471720,
+			   13221525, -27283495, -12348559,  -3698806,    117887 },
+			{  22263325,  -6560050,   3984570, -11174646, -15114008,
+			    -566785,  28311253,   5358056, -23319780,    541964 },
+			{  16259219,   3261970,   2309254, -15534474, -16885711,
+			   -4581916,  24134070, -16705829, -13337066, -13552195 }
+		},
+		{
+			{   9378160, -13140186, -22845982, -12745264,  28198281,
+			   -7244098,  -2399684,   -717351,    690426,  14876244 },
+			{  24977353,   -314384,  -8223969, -13465086,  28432343,
+			   -1176353, -13068804, -12297348, -22380984,   6618999 },
+			{  -1538174,  11685646,  12944378,  13682314, -24389511,
+			  -14413193,   8044829, -13817328,  32239829,  -5652762 }
+		},
+		{
+			{ -18603066,   4762990,   -926250,   8885304, -28412480,
+			   -3187315,   9781647, -10350059,  32779359,   5095274 },
+			{ -33008130,  -5214506, -32264887,  -3685216,   9460461,
+			   -9327423, -24601656,  14506724,  21639561,  -2630236 },
+			{ -16400943, -13112215,  25239338,  15531969,   3987758,
+			   -4499318,  -1289502,  -6863535,  17874574,    558605 }
+		},
+		{
+			{ -13600129,  10240081,   9171883,  16131053, -20869254,
+			    9599700,  33499487,   5080151,   2085892,   5119761 },
+			{ -22205145,  -2519528, -16381601,    414691, -25019550,
+			    2170430,  30634760,  -8363614, -31999993,  -5759884 },
+			{  -6845704,  15791202,   8550074,  -1312654,  29928809,
+			  -12092256,  27534430,  -7192145, -22351378,  12961482 }
+		},
+		{
+			{ -24492060,  -9570771,  10368194,  11582341, -23397293,
+			   -2245287,  16533930,   8206996, -30194652,  -5159638 },
+			{ -11121496,  -3382234,   2307366,   6362031,   -135455,
+			    8868177, -16835630,   7031275,   7589640,   8945490 },
+			{ -32152748,   8917967,   6661220, -11677616,  -1192060,
+			  -15793393,   7251489, -11182180,  24099109, -14456170 }
+		},
+		{
+			{   5019558,  -7907470,   4244127, -14714356, -26933272,
+			    6453165, -19118182, -13289025,  -6231896, -10280736 },
+			{  10853594,  10721687,  26480089,   5861829, -22995819,
+			    1972175,  -1866647, -10557898,  -3363451,  -6441124 },
+			{ -17002408,   5906790,    221599,  -6563147,   7828208,
+			  -13248918,  24362661,  -2008168, -13866408,   7421392 }
+		},
+		{
+			{   8139927,  -6546497,  32257646,  -5890546,  30375719,
+			    1886181, -21175108,  15441252,  28826358,  -4123029 },
+			{   6267086,   9695052,   7709135, -16603597, -32869068,
+			   -1886135,  14795160,  -7840124,  13746021,  -1742048 },
+			{  28584902,   7787108,  -6732942, -15050729,  22846041,
+			   -7571236,  -3181936,   -363524,   4771362,  -8419958 }
+		}
+	},
+	{
+		{
+			{  24949256,   6376279, -27466481,  -8174608, -18646154,
+			   -9930606,  33543569, -12141695,   3569627,  11342593 },
+			{  26514989,   4740088,  27912651,   3697550,  19331575,
+			  -11472339,   6809886,   4608608,   7325975, -14801071 },
+			{ -11618399, -14554430, -24321212,   7655128,  -1369274,
+			    5214312, -27400540,  10258390, -17646694,  -8186692 }
+		},
+		{
+			{  11431204,  15823007,  26570245,  14329124,  18029990,
+			    4796082, -31446179,  15580664,   9280358,  -3973687 },
+			{   -160783, -10326257, -22855316,  -4304997, -20861367,
+			  -13621002, -32810901, -11181622, -15545091,   4387441 },
+			{ -20799378,  12194512,   3937617,  -5805892, -27154820,
+			    9340370, -24513992,   8548137,  20617071,  -7482001 }
+		},
+		{
+			{   -938825,  -3930586,  -8714311,  16124718,  24603125,
+			   -6225393, -13775352, -11875822,  24345683,  10325460 },
+			{ -19855277,  -1568885, -22202708,   8714034,  14007766,
+			    6928528,  16318175,  -1010689,   4766743,   3552007 },
+			{ -21751364, -16730916,   1351763,   -803421,  -4009670,
+			    3950935,   3217514,  14481909,  10988822,  -3994762 }
+		},
+		{
+			{  15564307, -14311570,   3101243,   5684148,  30446780,
+			   -8051356,  12677127,  -6505343,  -8295852,  13296005 },
+			{  -9442290,   6624296, -30298964, -11913677,  -4670981,
+			   -2057379,  31521204,   9614054, -30000824,  12074674 },
+			{   4771191,   -135239,  14290749, -13089852,  27992298,
+			   14998318,  -1413936,  -1556716,  29832613, -16391035 }
+		},
+		{
+			{   7064884,  -7541174, -19161962,  -5067537, -18891269,
+			   -2912736,  25825242,   5293297, -27122660,  13101590 },
+			{  -2298563,   2439670,  -7466610,   1719965, -27267541,
+			  -16328445,  32512469,  -5317593, -30356070,  -4190957 },
+			{ -30006540,  10162316, -33180176,   3981723, -16482138,
+			  -13070044,  14413974,   9515896,  19568978,   9628812 }
+		},
+		{
+			{  33053803,    199357,  15894591,   1583059,  27380243,
+			   -4580435, -17838894,  -6106839,  -6291786,   3437740 },
+			{ -18978877,   3884493,  19469877,  12726490,  15913552,
+			   13614290, -22961733,     70104,   7463304,   4176122 },
+			{ -27124001,  10659917,  11482427, -16070381,  12771467,
+			   -6635117, -32719404,  -5322751,  24216882,   5944158 }
+		},
+		{
+			{   8894125,   7450974,  -2664149,  -9765752, -28080517,
+			  -12389115,  19345746,  14680796,  11632993,   5847885 },
+			{  26942781,  -2315317,   9129564,  -4906607,  26024105,
+			   11769399, -11518837,   6367194,  -9727230,   4782140 },
+			{  19916461,  -4828410, -22910704, -11414391,  25606324,
+			   -5972441,  33253853,   8220911,   6358847,  -1873857 }
+		},
+		{
+			{    801428,  -2081702,  16569428,  11065167,  29875704,
+			      96627,   7908388,  -4480480, -13538503,   1387155 },
+			{  19646058,   5720633, -11416706,  12814209,  11607948,
+			   12749789,  14147075,  15156355, -21866831,  11835260 },
+			{  19299512,   1155910,  28703737,  14890794,   2925026,
+			    7269399,  26121523,  15467869, -26560550,   5052483 }
+		}
+	},
+	{
+		{
+			{  -3017432,  10058206,   1980837,   3964243,  22160966,
+			   12322533,  -6431123, -12618185,  12228557,  -7003677 },
+			{  32944382,  14922211, -22844894,   5188528,  21913450,
+			   -8719943,   4001465,  13238564,  -6114803,   8653815 },
+			{  22865569,  -4652735,  27603668, -12545395,  14348958,
+			    8234005,  24808405,   5719875,  28483275,   2841751 }
+		},
+		{
+			{ -16420968,  -1113305,   -327719, -12107856,  21886282,
+			  -15552774,  -1887966,   -315658,  19932058, -12739203 },
+			{ -11656086,  10087521,  -8864888,  -5536143, -19278573,
+			   -3055912,   3999228,  13239134,  -4777469, -13910208 },
+			{   1382174, -11694719,  17266790,   9194690, -13324356,
+			    9720081,  20403944,  11284705, -14013818,   3093230 }
+		},
+		{
+			{  16650921, -11037932,  -1064178,   1570629,  -8329746,
+			    7352753,   -302424,  16271225, -24049421,  -6691850 },
+			{ -21911077,  -5927941,  -4611316,  -5560156, -31744103,
+			  -10785293,  24123614,  15193618, -21652117, -16739389 },
+			{  -9935934,  -4289447, -25279823,   4372842,   2087473,
+			   10399484,  31870908,  14690798,  17361620,  11864968 }
+		},
+		{
+			{ -11307610,   6210372,  13206574,   5806320, -29017692,
+			  -13967200, -12331205,  -7486601, -25578460, -16240689 },
+			{  14668462, -12270235,  26039039,  15305210,  25515617,
+			    4542480,  10453892,   6577524,   9145645,  -6443880 },
+			{   5974874,   3053895,  -9433049, -10385191, -31865124,
+			    3225009,  -7972642,   3936128,  -5652273,  -3050304 }
+		},
+		{
+			{  30625386,  -4729400, -25555961, -12792866, -20484575,
+			    7695099,  17097188, -16303496, -27999779,   1803632 },
+			{  -3553091,   9865099,  -5228566,   4272701,  -5673832,
+			  -16689700,  14911344,  12196514, -21405489,   7047412 },
+			{  20093277,   9920966, -11138194,  -5343857,  13161587,
+			   12044805, -32856851,   4124601, -32343828, -10257566 }
+		},
+		{
+			{ -20788824,  14084654, -13531713,   7842147,  19119038,
+			  -13822605,   4752377,  -8714640, -21679658,   2288038 },
+			{ -26819236,  -3283715,  29965059,   3039786, -14473765,
+			    2540457,  29457502,  14625692, -24819617,  12570232 },
+			{  -1063558, -11551823,  16920318,  12494842,   1278292,
+			   -5869109, -21159943,  -3498680, -11974704,   4724943 }
+		},
+		{
+			{  17960970, -11775534,  -4140968,  -9702530,  -8876562,
+			   -1410617, -12907383,  -8659932, -29576300,   1903856 },
+			{  23134274, -14279132, -10681997,  -1611936,  20684485,
+			   15770816, -12989750,   3190296,  26955097,  14109738 },
+			{  15308788,   5320727, -30113809, -14318877,  22902008,
+			    7767164,  29425325, -11277562,  31960942,  11934971 }
+		},
+		{
+			{ -27395711,   8435796,   4109644,  12222639, -24627868,
+			   14818669,  20638173,   4875028,  10491392,   1379718 },
+			{ -13159415,   9197841,   3875503,  -8936108,  -1383712,
+			   -5879801,  33518459,  16176658,  21432314,  12180697 },
+			{ -11787308,  11500838,  13787581, -13832590, -22430679,
+			   10140205,   1465425,  12689540, -10301319, -13872883 }
+		}
+	},
+	{
+		{
+			{   5414091, -15386041, -21007664,   9643570,  12834970,
+			    1186149,  -2622916,  -1342231,  26128231,   6032912 },
+			{ -26337395, -13766162,  32496025, -13653919,  17847801,
+			  -12669156,   3604025,   8316894, -25875034, -10437358 },
+			{   3296484,   6223048,  24680646, -12246460, -23052020,
+			    5903205,  -8862297,  -4639164,  12376617,   3188849 }
+		},
+		{
+			{  29190488, -14659046,  27549113,  -1183516,   3520066,
+			  -10697301,  32049515,  -7309113, -16109234,  -9852307 },
+			{ -14744486,  -9309156,    735818,   -598978, -20407687,
+			   -5057904,  25246078, -15795669,  18640741,   -960977 },
+			{  -6928835, -16430795,  10361374,   5642961,   4910474,
+			   12345252, -31638386,   -494430,  10530747,   1053335 }
+		},
+		{
+			{ -29265967, -14186805, -13538216, -12117373, -19457059,
+			  -10655384, -31462369,  -2948985,  24018831,  15026644 },
+			{ -22592535,  -3145277,  -2289276,   5953843, -13440189,
+			    9425631,  25310643,  13003497,  -2314791, -15145616 },
+			{ -27419985,   -603321,  -8043984,  -1669117, -26092265,
+			   13987819, -27297622,    187899, -23166419,  -2531735 }
+		},
+		{
+			{ -21744398, -13810475,   1844840,   5021428, -10434399,
+			  -15911473,   9716667,  16266922,  -5070217,    726099 },
+			{  29370922,  -6053998,   7334071, -15342259,   9385287,
+			    2247707, -13661962,  -4839461,  30007388, -15823341 },
+			{   -936379,  16086691,  23751945,   -543318,  -1167538,
+			   -5189036,   9137109,    730663,   9835848,   4555336 }
+		},
+		{
+			{ -23376435,   1410446, -22253753, -12899614,  30867635,
+			   15826977,  17693930,    544696, -11985298,  12422646 },
+			{  31117226, -12215734, -13502838,   6561947,  -9876867,
+			  -12757670,  -5118685,  -4096706,  29120153,  13924425 },
+			{ -17400879, -14233209,  19675799,  -2734756, -11006962,
+			   -5858820,  -9383939, -11317700,   7240931,   -237388 }
+		},
+		{
+			{ -31361739, -11346780, -15007447,  -5856218, -22453340,
+			  -12152771,   1222336,   4389483,   3293637, -15551743 },
+			{ -16684801, -14444245,  11038544,  11054958, -13801175,
+			   -3338533, -24319580,   7733547,  12796905,  -6335822 },
+			{  -8759414, -10817836, -25418864,  10783769, -30615557,
+			   -9746811, -28253339,   3647836,   3222231, -11160462 }
+		},
+		{
+			{  18606113,   1693100, -25448386, -15170272,   4112353,
+			   10045021,  23603893,  -2048234,  -7550776,   2484985 },
+			{   9255317,  -3131197, -12156162,  -1004256,  13098013,
+			   -9214866,  16377220,  -2102812, -19802075,  -3034702 },
+			{ -22729289,   7496160,  -5742199,  11329249,  19991973,
+			   -3347502, -31718148,   9936966, -30097688, -10618797 }
+		},
+		{
+			{  21878590,  -5001297,   4338336,  13643897,  -3036865,
+			   13160960,  19708896,   5415497,  -7360503,  -4109293 },
+			{  27736861,  10103576,  12500508,   8502413,  -3413016,
+			   -9633558,  10436918,  -1550276, -23659143,  -8132100 },
+			{  19492550, -12104365, -29681976,   -852630,  -3208171,
+			   12403437,  30066266,   8367329,  13243957,   8709688 }
+		}
+	},
+	{
+		{
+			{  12015105,   2801261,  28198131,  10151021,  24818120,
+			   -4743133, -11194191,  -5645734,   5150968,   7274186 },
+			{   2831366, -12492146,   1478975,   6122054,  23825128,
+			  -12733586,  31097299,   6083058,  31021603,  -9793610 },
+			{  -2529932,  -2229646,    445613,  10720828, -13849527,
+			  -11505937, -23507731,  16354465,  15067285, -14147707 }
+		},
+		{
+			{   7840942,  14037873, -33364863,  15934016,   -728213,
+			   -3642706,  21403988,   1057586, -19379462, -12403220 },
+			{    915865, -16469274,  15608285,  -8789130, -24357026,
+			    6060030, -17371319,   8410997,  -7220461,  16527025 },
+			{  32922597,   -556987,  20336074, -16184568,  10903705,
+			   -5384487,  16957574,     52992,  23834301,   6588044 }
+		},
+		{
+			{  32752030,  11232950,   3381995,  -8714866,  22652988,
+			  -10744103,  17159699,  16689107, -20314580,  -1305992 },
+			{  -4689649,   9166776, -25710296, -10847306,  11576752,
+			   12733943,   7924251,  -2752281,   1976123,  -7249027 },
+			{  21251222,  16309901,  -2983015,  -6783122,  30810597,
+			   12967303,    156041,  -3371252,  12331345,  -8237197 }
+		},
+		{
+			{   8651614,  -4477032, -16085636,  -4996994,  13002507,
+			    2950805,  29054427,  -5106970,  10008136,  -4667901 },
+			{  31486080,  15114593, -14261250,  12951354,  14369431,
+			   -7387845,  16347321, -13662089,   8684155, -10532952 },
+			{  19443825,  11385320,  24468943,  -9659068, -23919258,
+			    2187569, -26263207,  -6086921,  31316348,  14219878 }
+		},
+		{
+			{ -28594490,   1193785,  32245219,  11392485,  31092169,
+			   15722801,  27146014,   6992409,  29126555,   9207390 },
+			{  32382935,   1110093,  18477781,  11028262, -27411763,
+			   -7548111,  -4980517,  10843782,  -7957600, -14435730 },
+			{   2814918,   7836403,  27519878,  -7868156, -20894015,
+			  -11553689, -21494559,   8550130,  28346258,   1994730 }
+		},
+		{
+			{ -19578299,   8085545, -14000519,  -3948622,   2785838,
+			  -16231307, -19516951,   7174894,  22628102,   8115180 },
+			{ -30405132,    955511, -11133838, -15078069, -32447087,
+			  -13278079, -25651578,   3317160,  -9943017,    930272 },
+			{ -15303681,  -6833769,  28856490,   1357446,  23421993,
+			    1057177,  24091212,  -1388970, -22765376, -10650715 }
+		},
+		{
+			{ -22751231,  -5303997, -12907607, -12768866, -15811511,
+			   -7797053, -14839018, -16554220,  -1867018,   8398970 },
+			{ -31969310,   2106403,  -4736360,   1362501,  12813763,
+			   16200670,  22981545,  -6291273,  18009408, -15772772 },
+			{ -17220923,  -9545221, -27784654,  14166835,  29815394,
+			    7444469,  29551787,  -3727419,  19288549,   1325865 }
+		},
+		{
+			{  15100157, -15835752, -23923978,  -1005098, -26450192,
+			   15509408,  12376730,  -3479146,  33166107,  -8042750 },
+			{  20909231,  13023121,  -9209752,  16251778,  -5778415,
+			   -8094914,  12412151,  10018715,   2213263, -13878373 },
+			{  32529814, -11074689,  30361439, -16689753,  -9135940,
+			    1513226,  22922121,   6382134,  -5766928,   8371348 }
+		}
+	},
+	{
+		{
+			{   9923462,  11271500,  12616794,   3544722, -29998368,
+			   -1721626,  12891687,  -8193132, -26442943,  10486144 },
+			{ -22597207,  -7012665,   8587003,  -8257861,   4084309,
+			  -12970062,    361726,   2610596, -23921530, -11455195 },
+			{   5408411,  -1136691,  -4969122,  10561668,  24145918,
+			   14240566,  31319731,  -4235541,  19985175,  -3436086 }
+		},
+		{
+			{ -13994457,  16616821,  14549246,   3341099,  32155958,
+			   13648976, -17577068,   8849297,     65030,   8370684 },
+			{  -8320926, -12049626,  31204563,   5839400, -20627288,
+			   -1057277, -19442942,   6922164,  12743482,  -9800518 },
+			{  -2361371,  12678785,  28815050,   4759974, -23893047,
+			    4884717,  23783145,  11038569,  18800704,    255233 }
+		},
+		{
+			{  -5269658,  -1773886,  13957886,   7990715,  23132995,
+			     728773,  13393847,   9066957,  19258688, -14753793 },
+			{  -2936654, -10827535, -10432089,  14516793,  -3640786,
+			    4372541, -31934921,   2209390,  -1524053,   2055794 },
+			{    580882,  16705327,   5468415,  -2683018, -30926419,
+			  -14696000,  -7203346,  -8994389, -30021019,   7394435 }
+		},
+		{
+			{  23838809,   1822728, -15738443,  15242727,   8318092,
+			   -3733104, -21672180,  -3492205,  -4821741,  14799921 },
+			{  13345610,   9759151,   3371034, -16137791,  16353039,
+			    8577942,  31129804,  13496856,  -9056018,   7402518 },
+			{   2286874,  -4435931, -20042458,  -2008336, -13696227,
+			    5038122,  11006906, -15760352,   8205061,   1607563 }
+		},
+		{
+			{  14414086,  -8002132,   3331830,  -3208217,  22249151,
+			   -5594188,  18364661,  -2906958,  30019587,  -9029278 },
+			{ -27688051,   1585953, -10775053,    931069, -29120221,
+			  -11002319, -14410829,  12029093,   9944378,      8024 },
+			{   4368715,  -3709630,  29874200, -15022983, -20230386,
+			  -11410704, -16114594,   -999085,  -8142388,   5640030 }
+		},
+		{
+			{  10299610,  13746483,  11661824,  16234854,   7630238,
+			    5998374,   9809887, -16694564,  15219798, -14327783 },
+			{  27425505,  -5719081,   3055006,  10660664,  23458024,
+			     595578, -15398605,  -1173195, -18342183,   9742717 },
+			{   6744077,   2427284,  26042789,   2720740,   -847906,
+			    1118974,  32324614,   7406442,  12420155,   1994844 }
+		},
+		{
+			{  14012521,  -5024720, -18384453,  -9578469, -26485342,
+			   -3936439, -13033478, -10909803,  24319929,  -6446333 },
+			{  16412690,  -4507367,  10772641,  15929391, -17068788,
+			   -4658621,  10555945, -10484049, -30102368,  -4739048 },
+			{  22397382,  -7767684,  -9293161, -12792868,  17166287,
+			   -9755136, -27333065,   6199366,  21880021, -12250760 }
+		},
+		{
+			{  -4283307,   5368523, -31117018,   8163389, -30323063,
+			    3209128,  16557151,   8890729,   8840445,   4957760 },
+			{ -15447727,    709327,  -6919446, -10870178, -29777922,
+			    6522332, -21720181,  12130072, -14796503,   5005757 },
+			{  -2114751, -14308128,  23019042,  15765735, -25269683,
+			    6002752,  10183197, -13239326, -16395286,  -2176112 }
+		}
+	},
+	{
+		{
+			{ -19025756,   1632005,  13466291,  -7995100, -23640451,
+			   16573537, -32013908,  -3057104,  22208662,   2000468 },
+			{   3065073,  -1412761, -25598674,   -361432, -17683065,
+			   -5703415,  -8164212,  11248527,  -3691214,  -7414184 },
+			{  10379208,  -6045554,   8877319,   1473647, -29291284,
+			  -12507580,  16690915,   2553332,  -3132688,  16400289 }
+		},
+		{
+			{  15716668,   1254266, -18472690,   7446274,  -8448918,
+			    6344164, -22097271,  -7285580,  26894937,   9132066 },
+			{  24158887,  12938817,  11085297,  -8177598, -28063478,
+			   -4457083, -30576463,     64452,  -6817084,  -2692882 },
+			{  13488534,   7794716,  22236231,   5989356,  25426474,
+			  -12578208,   2350710,  -3418511,  -4688006,   2364226 }
+		},
+		{
+			{  16335052,   9132434,  25640582,   6678888,   1725628,
+			    8517937, -11807024, -11697457,  15445875,  -7798101 },
+			{  29004207,  -7867081,  28661402,   -640412, -12794003,
+			   -7943086,  31863255,  -4135540,   -278050, -15759279 },
+			{  -6122061, -14866665, -28614905,  14569919, -10857999,
+			   -3591829,  10343412,  -6976290, -29828287, -10815811 }
+		},
+		{
+			{  27081650,   3463984,  14099042,  -4517604,   1616303,
+			   -6205604,  29542636,  15372179,  17293797,    960709 },
+			{  20263915,  11434237,  -5765435,  11236810,  13505955,
+			  -10857102, -16111345,   6493122, -19384511,   7639714 },
+			{  -2830798, -14839232,  25403038,  -8215196,  -8317012,
+			  -16173699,  18006287, -16043750,  29994677, -15808121 }
+		},
+		{
+			{   9769828,   5202651, -24157398, -13631392, -28051003,
+			  -11561624, -24613141, -13860782, -31184575,    709464 },
+			{  12286395,  13076066, -21775189,  -1176622, -25003198,
+			    4057652, -32018128,  -8890874,  16102007,  13205847 },
+			{  13733362,   5599946,  10557076,   3195751,  -5557991,
+			    8536970, -25540170,   8525972,  10151379,  10394400 }
+		},
+		{
+			{   4024660, -16137551,  22436262,  12276534,  -9099015,
+			   -2686099,  19698229,  11743039, -33302334,   8934414 },
+			{ -15879800,  -4525240,  -8580747,  -2934061,  14634845,
+			    -698278,  -9449077,   3137094, -11536886,  11721158 },
+			{  17555939,  -5013938,   8268606,   2331751, -22738815,
+			    9761013,   9319229,   8835153,  -9205489,  -1280045 }
+		},
+		{
+			{   -461409,  -7830014,  20614118,  16688288,  -7514766,
+			   -4807119,  22300304,    505429,   6108462,  -6183415 },
+			{  -5070281,  12367917, -30663534,   3234473,  32617080,
+			   -8422642,  29880583, -13483331, -26898490,  -7867459 },
+			{ -31975283,   5726539,  26934134,  10237677,  -3173717,
+			    -605053,  24199304,   3795095,   7592688, -14992079 }
+		},
+		{
+			{  21594432, -14964228,  17466408,  -4077222,  32537084,
+			    2739898,   6407723,  12018833, -28256052,   4298412 },
+			{ -20650503, -11961496, -27236275,    570498,   3767144,
+			   -1717540,  13891942,  -1569194,  13717174,  10805743 },
+			{ -14676630, -15644296,  15287174,  11927123,  24177847,
+			   -8175568,   -796431,  14860609, -26938930,  -5863836 }
+		}
+	},
+	{
+		{
+			{  12962541,   5311799, -10060768,  11658280,  18855286,
+			   -7954201,  13286263, -12808704,  -4381056,   9882022 },
+			{  18512079,  11319350, -20123124,  15090309,  18818594,
+			    5271736, -22727904,   3666879, -23967430,  -3299429 },
+			{  -6789020,  -3146043,  16192429,  13241070,  15898607,
+			  -14206114, -10084880,  -6661110,  -2403099,   5276065 }
+		},
+		{
+			{  30169808,  -5317648,  26306206, -11750859,  27814964,
+			    7069267,   7152851,   3684982,   1449224,  13082861 },
+			{  10342826,   3098505,   2119311,    193222,  25702612,
+			   12233820,  23697382,  15056736, -21016438,  -8202000 },
+			{ -33150110,   3261608,  22745853,   7948688,  19370557,
+			  -15177665, -26171976,   6482814, -10300080, -11060101 }
+		},
+		{
+			{  32869458,  -5408545,  25609743,  15678670, -10687769,
+			  -15471071,  26112421,   2521008, -22664288,   6904815 },
+			{  29506923,   4457497,   3377935,  -9796444, -30510046,
+			   12935080,   1561737,   3841096, -29003639,  -6657642 },
+			{  10340844,  -6630377, -18656632,  -2278430,  12621151,
+			  -13339055,  30878497, -11824370, -25584551,   5181966 }
+		},
+		{
+			{  25940115, -12658025,  17324188, -10307374,  -8671468,
+			   15029094,  24396252, -16450922,  -2322852, -12388574 },
+			{ -21765684,   9916823,  -1300409,   4079498,  -1028346,
+			   11909559,   1782390,  12641087,  20603771,  -6561742 },
+			{ -18882287, -11673380,  24849422,  11501709,  13161720,
+			   -4768874,   1925523,  11914390,   4662781,   7820689 }
+		},
+		{
+			{  12241050,   -425982,   8132691,   9393934,  32846760,
+			   -1599620,  29749456,  12172924,  16136752,  15264020 },
+			{ -10349955, -14680563,  -8211979,   2330220, -17662549,
+			  -14545780,  10658213,   6671822,  19012087,   3772772 },
+			{   3753511,  -3421066,  10617074,   2028709,  14841030,
+			   -6721664,  28718732, -15762884,  20527771,  12988982 }
+		},
+		{
+			{ -14822485,  -5797269,  -3707987,  12689773,   -898983,
+			  -10914866, -24183046, -10564943,   3299665, -12424953 },
+			{ -16777703, -15253301,  -9642417,   4978983,   3308785,
+			    8755439,   6943197,   6461331, -25583147,   8991218 },
+			{ -17226263,   1816362,  -1673288,  -6086439,  31783888,
+			   -8175991, -32948145,   7417950, -30242287,   1507265 }
+		},
+		{
+			{  29692663,   6829891, -10498800,   4334896,  20945975,
+			  -11906496, -28887608,   8209391,  14606362, -10647073 },
+			{  -3481570,   8707081,  32188102,   5672294,  22096700,
+			    1711240, -33020695,   9761487,   4170404,  -2085325 },
+			{ -11587470,  14855945,  -4127778,  -1531857, -26649089,
+			   15084046,  22186522,  16002000, -14276837,  -8400798 }
+		},
+		{
+			{  -4811456,  13761029, -31703877,  -2483919,  -3312471,
+			    7869047,  -7113572,  -9620092,  13240845,  10965870 },
+			{  -7742563,  -8256762, -14768334, -13656260, -23232383,
+			   12387166,   4498947,  14147411,  29514390,   4302863 },
+			{ -13413405, -12407859,  20757302, -13801832,  14785143,
+			    8976368,  -5061276,  -2144373,  17846988, -13971927 }
+		}
+	},
+	{
+		{
+			{  -2244452,   -754728,  -4597030,  -1066309,  -6247172,
+			    1455299, -21647728,  -9214789,  -5222701,  12650267 },
+			{  -9906797, -16070310,  21134160,  12198166, -27064575,
+			     708126,    387813,  13770293, -19134326,  10958663 },
+			{  22470984,  12369526,  23446014,  -5441109, -21520802,
+			   -9698723, -11772496, -11574455, -25083830,   4271862 }
+		},
+		{
+			{ -25169565, -10053642, -19909332,  15361595,  -5984358,
+			    2159192,     75375,  -4278529, -32526221,   8469673 },
+			{  15854970,   4148314,  -8893890,   7259002,  11666551,
+			   13824734, -30531198,   2697372,  24154791,  -9460943 },
+			{  15446137, -15806644,  29759747,  14019369,  30811221,
+			   -9610191, -31582008,  12840104,  24913809,   9815020 }
+		},
+		{
+			{  -4709286,  -5614269, -31841498, -12288893, -14443537,
+			   10799414,  -9103676,  13438769,  18735128,   9466238 },
+			{  11933045,   9281483,   5081055,  -5183824,  -2628162,
+			   -4905629,  -7727821, -10896103, -22728655,  16199064 },
+			{  14576810,    379472, -26786533,  -8317236, -29426508,
+			  -10812974,   -102766,   1876699,  30801119,   2164795 }
+		},
+		{
+			{  15995086,   3199873,  13672555,  13712240, -19378835,
+			   -4647646, -13081610, -15496269, -13492807,   1268052 },
+			{ -10290614,  -3659039,  -3286592,  10948818,  23037027,
+			    3794475,  -3470338, -12600221, -17055369,   3565904 },
+			{  29210088,  -9419337,  -5919792,  -4952785,  10834811,
+			  -13327726, -16512102, -10820713, -27162222, -14030531 }
+		},
+		{
+			{ -13161890,  15508588,  16663704,  -8156150, -28349942,
+			    9019123, -29183421,  -3769423,   2244111, -14001979 },
+			{  -5152875,  -3800936,  -9306475,  -6071583,  16243069,
+			   14684434, -25673088, -16180800,  13491506,   4641841 },
+			{  10813417,    643330, -19188515,   -728916,  30292062,
+			  -16600078,  27548447,  -7721242,  14476989, -12767431 }
+		},
+		{
+			{  10292079,   9984945,   6481436,   8279905,  -7251514,
+			    7032743,  27282937,  -1644259, -27912810,  12651324 },
+			{ -31185513,   -813383,  22271204,  11835308,  10201545,
+			   15351028,  17099662,   3988035,  21721536,  -3148940 },
+			{  10202177,  -6545839, -31373232,  -9574638, -32150642,
+			   -8119683, -12906320,   3852694,  13216206,  14842320 }
+		},
+		{
+			{ -15815640, -10601066,  -6538952,  -7258995,  -6984659,
+			   -6581778, -31500847,  13765824, -27434397,   9900184 },
+			{  14465505, -13833331, -32133984, -14738873, -27443187,
+			   12990492,  33046193,  15796406,  -7051866,  -8040114 },
+			{  30924417,  -8279620,   6359016, -12816335,  16508377,
+			    9071735, -25488601,  15413635,   9524356,  -7018878 }
+		},
+		{
+			{  12274201, -13175547,  32627641,  -1785326,   6736625,
+			   13267305,   5237659,  -5109483,  15663516,   4035784 },
+			{  -2951309,   8903985,  17349946,    601635, -16432815,
+			   -4612556, -13732739, -15889334, -22258478,   4659091 },
+			{ -16916263,  -4952973, -30393711, -15158821,  20774812,
+			   15897498,   5736189,  15026997,  -2178256, -13455585 }
+		}
+	},
+	{
+		{
+			{  -8858980,  -2219056,  28571666, -10155518,   -474467,
+			  -10105698,  -3801496,    278095,  23440562,   -290208 },
+			{  10226241,  -5928702,  15139956,    120818, -14867693,
+			    5218603,  32937275,  11551483, -16571960,  -7442864 },
+			{  17932739, -12437276, -24039557,  10749060,  11316803,
+			    7535897,  22503767,   5561594,  -3646624,   3898661 }
+		},
+		{
+			{   7749907,   -969567, -16339731,    -16464, -25018111,
+			   15122143,  -1573531,   7152530,  21831162,   1245233 },
+			{  26958459, -14658026,   4314586,   8346991,  -5677764,
+			   11960072, -32589295,   -620035, -30402091, -16716212 },
+			{ -12165896,   9166947,  33491384,  13673479,  29787085,
+			   13096535,   6280834,  14587357, -22338025,  13987525 }
+		},
+		{
+			{ -24349909,   7778775,  21116000,  15572597,  -4833266,
+			   -5357778,  -4300898,  -5124639,  -7469781,  -2858068 },
+			{   9681908,  -6737123, -31951644,  13591838,  -6883821,
+			     386950,  31622781,   6439245, -14581012,   4091397 },
+			{  -8426427,   1470727, -28109679,  -1596990,   3978627,
+			   -5123623, -19622683,  12092163,  29077877, -14741988 }
+		},
+		{
+			{   5269168,  -6859726, -13230211,  -8020715,  25932563,
+			    1763552,  -5606110,  -5505881, -20017847,   2357889 },
+			{  32264008, -15407652,  -5387735,  -1160093,  -2091322,
+			   -3946900,  23104804, -12869908,   5727338,    189038 },
+			{  14609123,  -8954470,  -6000566, -16622781, -14577387,
+			   -7743898, -26745169,  10942115, -25888931, -14884697 }
+		},
+		{
+			{  20513500,   5557931, -15604613,   7829531,  26413943,
+			   -2019404, -21378968,   7471781,  13913677,  -5137875 },
+			{ -25574376,  11967826,  29233242,  12948236,  -6754465,
+			    4713227,  -8940970,  14059180,  12878652,   8511905 },
+			{ -25656801,   3393631,  -2955415,  -7075526,  -2250709,
+			    9366908, -30223418,   6812974,   5568676,  -3127656 }
+		},
+		{
+			{  11630004,  12144454,   2116339,  13606037,  27378885,
+			   15676917, -17408753, -13504373, -14395196,   8070818 },
+			{  27117696, -10007378, -31282771,  -5570088,   1127282,
+			   12772488, -29845906,  10483306, -11552749,  -1028714 },
+			{  10637467,  -5688064,   5674781,   1072708, -26343588,
+			   -6982302,  -1683975,   9177853, -27493162,  15431203 }
+		},
+		{
+			{  20525145,  10892566, -12742472,  12779443, -29493034,
+			   16150075, -28240519,  14943142, -15056790,  -7935931 },
+			{ -30024462,   5626926,   -551567,  -9981087,    753598,
+			   11981191,  25244767,  -3239766,  -3356550,   9594024 },
+			{ -23752644,   2636870,  -5163910, -10103818,    585134,
+			    7877383,  11345683,  -6492290,  13352335, -10977084 }
+		},
+		{
+			{  -1931799,  -5407458,   3304649, -12884869,  17015806,
+			   -4877091, -29783850,  -7752482, -13215537,   -319204 },
+			{  20239939,   6607058,   6203985,   3483793, -18386976,
+			    -779229, -20723742,  15077870, -22750759,  14523817 },
+			{  27406042,  -6041657,  27423596,  -4497394,   4996214,
+			   10002360, -28842031,  -4545494, -30172742,  -4805667 }
+		}
+	},
+	{
+		{
+			{  11374242,  12660715,  17861383, -12540833,  10935568,
+			    1099227, -13886076,  -9091740, -27727044,  11358504 },
+			{ -12730809,  10311867,   1510375,  10778093,  -2119455,
+			   -9145702,  32676003,  11149336, -26123651,   4985768 },
+			{ -19096303,    341147,  -6197485,   -239033,  15756973,
+			   -8796662,   -983043,  13794114, -19414307, -15621255 }
+		},
+		{
+			{   6490081,  11940286,  25495923,  -7726360,   8668373,
+			   -8751316,   3367603,   6970005,  -1691065,  -9004790 },
+			{   1656497,  13457317,  15370807,   6364910,  13605745,
+			    8362338, -19174622,  -5475723, -16796596,  -5031438 },
+			{ -22273315, -13524424,    -64685,  -4334223, -18605636,
+			  -10921968, -20571065,  -7007978,    -99853, -10237333 }
+		},
+		{
+			{  17747465,  10039260,  19368299,  -4050591, -20630635,
+			  -16041286,  31992683, -15857976, -29260363,  -5511971 },
+			{  31932027,  -4986141, -19612382,  16366580,  22023614,
+			      88450,  11371999,  -3744247,   4882242, -10626905 },
+			{  29796507,     37186,  19818052,  10115756, -11829032,
+			    3352736,  18551198,   3272828,  -5190932,  -4162409 }
+		},
+		{
+			{  12501286,   4044383,  -8612957, -13392385, -32430052,
+			    5136599, -19230378,  -3529697,    330070,  -3659409 },
+			{   6384877,   2899513,  17807477,   7663917,  -2358888,
+			   12363165,  25366522,  -8573892,   -271295,  12071499 },
+			{  -8365515,  -4042521,  25133448,  -4517355,  -6211027,
+			    2265927, -32769618,   1936675,  -5159697,   3829363 }
+		},
+		{
+			{  28425966,  -5835433,   -577090,  -4697198, -14217555,
+			    6870930,   7921550,  -6567787,  26333140,  14267664 },
+			{ -11067219,  11871231,  27385719, -10559544,  -4585914,
+			  -11189312,  10004786,  -8709488, -21761224,   8930324 },
+			{ -21197785, -16396035,  25654216,  -1725397,  12282012,
+			   11008919,   1541940,   4757911, -26491501, -16408940 }
+		},
+		{
+			{  13537262,  -7759490, -20604840,  10961927,  -5922820,
+			  -13218065, -13156584,   6217254, -15943699,  13814990 },
+			{ -17422573,  15157790,  18705543,     29619,  24409717,
+			    -260476,  27361681,   9257833,  -1956526,  -1776914 },
+			{ -25045300, -10191966,  15366585,  15166509, -13105086,
+			    8423556, -29171540,  12361135, -18685978,   4578290 }
+		},
+		{
+			{  24579768,   3711570,   1342322, -11180126, -27005135,
+			   14124956, -22544529,  14074919,  21964432,   8235257 },
+			{  -6528613,  -2411497,   9442966,  -5925588,  12025640,
+			   -1487420,  -2981514,  -1669206,  13006806,   2355433 },
+			{ -16304899, -13605259,  -6632427,  -5142349,  16974359,
+			  -10911083,  27202044,   1719366,   1141648, -12796236 }
+		},
+		{
+			{ -12863944, -13219986,  -8318266, -11018091,  -6810145,
+			   -4843894,  13475066,  -3133972,  32674895,  13715045 },
+			{  11423335,  -5468059,  32344216,   8962751,  24989809,
+			    9241752, -13265253,  16086212, -28740881, -15642093 },
+			{  -1409668,  12530728,  -6368726,  10847387,  19531186,
+			  -14132160, -11709148,   7791794, -27245943,   4383347 }
+		}
+	},
+	{
+		{
+			{ -28970898,   5271447,  -1266009,  -9736989, -12455236,
+			   16732599,  -4862407,  -4906449,  27193557,   6245191 },
+			{ -15193956,   5362278,  -1783893,   2695834,   4960227,
+			   12840725,  23061898,   3260492,  22510453,   8577507 },
+			{ -12632451,  11257346, -32692994,  13548177,   -721004,
+			   10879011,  31168030,  13952092, -29571492,  -3635906 }
+		},
+		{
+			{   3877321,  -9572739,  32416692,   5405324, -11004407,
+			  -13656635,   3759769,  11935320,   5611860,   8164018 },
+			{ -16275802,  14667797,  15906460,  12155291, -22111149,
+			   -9039718,  32003002,  -8832289,   5773085,  -8422109 },
+			{ -23788118,  -8254300,   1950875,   8937633,  18686727,
+			   16459170,   -905725,  12376320,  31632953,    190926 }
+		},
+		{
+			{ -24593607, -16138885,  -8423991,  13378746,  14162407,
+			    6901328,  -8288749,   4508564, -25341555,  -3627528 },
+			{   8884438,  -5884009,   6023974,  10104341,  -6881569,
+			   -4941533,  18722941, -14786005,  -1672488,    827625 },
+			{ -32720583, -16289296, -32503547,   7101210,  13354605,
+			    2659080,  -1800575, -14108036, -24878478,   1541286 }
+		},
+		{
+			{   2901347,  -1117687,   3880376, -10059388, -17620940,
+			   -3612781, -21802117,  -3567481,  20456845,  -1885033 },
+			{  27019610,  12299467, -13658288,  -1603234, -12861660,
+			   -4861471, -19540150,  -5016058,  29439641,  15138866 },
+			{  21536104,  -6626420, -32447818, -10690208, -22408077,
+			    5175814,  -5420040, -16361163,   7779328,    109896 }
+		},
+		{
+			{  30279744,  14648750,  -8044871,   6425558,  13639621,
+			    -743509,  28698390,  12180118,  23177719,   -554075 },
+			{  26572847,   3405927, -31701700,  12890905, -19265668,
+			    5335866,  -6493768,   2378492,   4439158, -13279347 },
+			{ -22716706,   3489070,  -9225266,   -332753,  18875722,
+			   -1140095,  14819434, -12731527, -17717757,  -5461437 }
+		},
+		{
+			{  -5056483,  16566551,  15953661,   3767752, -10436499,
+			   15627060,   -820954,   2177225,   8550082, -15114165 },
+			{ -18473302,  16596775,   -381660,  15663611,  22860960,
+			   15585581, -27844109,  -3582739, -23260460,  -8428588 },
+			{ -32480551,  15707275,  -8205912,  -5652081,  29464558,
+			    2713815, -22725137,  15860482, -21902570,   1494193 }
+		},
+		{
+			{ -19562091, -14087393, -25583872,  -9299552,  13127842,
+			     759709,  21923482,  16529112,   8742704,  12967017 },
+			{ -28464899,   1553205,  32536856, -10473729, -24691605,
+			    -406174,  -8914625,  -2933896, -29903758,  15553883 },
+			{  21877909,   3230008,   9881174,  10539357,  -4797115,
+			    2841332,  11543572,  14513274,  19375923, -12647961 }
+		},
+		{
+			{   8832269, -14495485,  13253511,   5137575,   5037871,
+			    4078777,  24880818,  -6222716,   2862653,   9455043 },
+			{  29306751,   5123106,  20245049, -14149889,   9592566,
+			    8447059,  -2077124,  -2990080,  15511449,   4789663 },
+			{ -20679756,   7004547,   8824831,  -9434977,  -4045704,
+			   -3750736,  -5754762,    108893,  23513200,  16652362 }
+		}
+	},
+	{
+		{
+			{ -33256173,   4144782,  -4476029,  -6579123,  10770039,
+			   -7155542,  -6650416, -12936300, -18319198,  10212860 },
+			{   2756081,   8598110,   7383731,  -6859892,  22312759,
+			   -1105012,  21179801,   2600940,  -9988298, -12506466 },
+			{ -24645692,  13317462, -30449259, -15653928,  21365574,
+			  -10869657,  11344424,    864440,  -2499677, -16710063 }
+		},
+		{
+			{ -26432803,   6148329, -17184412, -14474154,  18782929,
+			    -275997, -22561534,    211300,   2719757,   4940997 },
+			{  -1323882,   3911313,  -6948744,  14759765, -30027150,
+			    7851207,  21690126,   8518463,  26699843,   5276295 },
+			{ -13149873,  -6429067,   9396249,    365013,  24703301,
+			  -10488939,   1321586,    149635, -15452774,   7159369 }
+		},
+		{
+			{   9987780,  -3404759,  17507962,   9505530,   9731535,
+			   -2165514,  22356009,   8312176,  22477218,  -8403385 },
+			{  18155857, -16504990,  19744716,   9006923,  15154154,
+			  -10538976,  24256460,  -4864995, -22548173,   9334109 },
+			{   2986088,  -4911893,  10776628,  -3473844,  10620590,
+			   -7083203, -21413845,  14253545, -22587149,    536906 }
+		},
+		{
+			{   4377756,   8115836,  24567078,  15495314,  11625074,
+			   13064599,   7390551,  10589625,  10838060, -15420424 },
+			{ -19342404,    867880,   9277171,  -3218459, -14431572,
+			   -1986443,  19295826, -15796950,   6378260,    699185 },
+			{   7895026,   4057113,  -7081772, -13077756, -17886831,
+			    -323126,   -716039,  15693155,  -5045064, -13373962 }
+		},
+		{
+			{  -7737563,  -5869402, -14566319,  -7406919,  11385654,
+			   13201616,  31730678, -10962840,  -3918636,  -9669325 },
+			{  10188286, -15770834,  -7336361,  13427543,  22223443,
+			   14896287,  30743455,   7116568, -21786507,   5427593 },
+			{    696102,  13206899,  27047647, -10632082,  15285305,
+			   -9853179,  10798490,  -4578720,  19236243,  12477404 }
+		},
+		{
+			{ -11229439,  11243796, -17054270,  -8040865,   -788228,
+			   -8167967,  -3897669,  11180504, -23169516,   7733644 },
+			{  17800790, -14036179, -27000429, -11766671,  23887827,
+			    3149671,  23466177, -10538171,  10322027,  15313801 },
+			{  26246234,  11968874,  32263343,  -5468728,   6830755,
+			  -13323031, -15794704,   -101982, -24449242,  10890804 }
+		},
+		{
+			{ -31365647,  10271363, -12660625,  -6267268,  16690207,
+			  -13062544, -14982212,  16484931,  25180797,  -5334884 },
+			{   -586574,  10376444, -32586414, -11286356,  19801893,
+			   10997610,   2276632,   9482883,    316878,  13820577 },
+			{  -9882808,  -4510367,  -2115506,  16457136, -11100081,
+			   11674996,  30756178,  -7515054,  30696930,  -3712849 }
+		},
+		{
+			{  32988917,  -9603412,  12499366,   7910787, -10617257,
+			  -11931514,  -7342816,  -9985397, -32349517,   7392473 },
+			{  -8855661,  15927861,   9866406,  -3649411,  -2396914,
+			  -16655781, -30409476,  -9134995,  25112947,  -2926644 },
+			{  -2504044,   -436966,  25621774,  -5678772,  15085042,
+			   -5479877, -24884878, -13526194,   5537438, -13914319 }
+		}
+	},
+	{
+		{
+			{ -11225584,   2320285,  -9584280,  10149187, -33444663,
+			    5808648, -14876251,  -1729667,  31234590,   6090599 },
+			{  -9633316,    116426,  26083934,   2897444,  -6364437,
+			   -2688086,    609721,  15878753,  -6970405,  -9034768 },
+			{ -27757857,    247744, -15194774,  -9002551,  23288161,
+			  -10011936, -23869595,   6503646,  20650474,   1804084 }
+		},
+		{
+			{ -27589786,  15456424,   8972517,   8469608,  15640622,
+			    4439847,   3121995, -10329713,  27842616,   -202328 },
+			{ -15306973,   2839644,  22530074,  10026331,   4602058,
+			    5048462,  28248656,   5031932, -11375082,  12714369 },
+			{  20807691,  -7270825,  29286141,  11421711, -27876523,
+			  -13868230, -21227475,   1035546, -19733229,  12796920 }
+		},
+		{
+			{  12076899, -14301286,  -8785001, -11848922, -25012791,
+			   16400684, -17591495, -12899438,   3480665, -15182815 },
+			{ -32361549,   5457597,  28548107,   7833186,   7303070,
+			  -11953545, -24363064, -15921875, -33374054,   2771025 },
+			{ -21389266,    421932,  26597266,   6860826,  22486084,
+			   -6737172, -17137485,  -4210226, -24552282,  15673397 }
+		},
+		{
+			{ -20184622,   2338216,  19788685,  -9620956,  -4001265,
+			   -8740893, -20271184,   4733254,   3727144, -12934448 },
+			{   6120119,    814863, -11794402,   -622716,   6812205,
+			  -15747771,   2019594,   7975683,  31123697, -10958981 },
+			{  30069250, -11435332,  30434654,   2958439,  18399564,
+			    -976289,  12296869,   9204260, -16432438,   9648165 }
+		},
+		{
+			{  32705432,  -1550977,  30705658,   7451065, -11805606,
+			    9631813,   3305266,   5248604, -26008332, -11377501 },
+			{  17219865,   2375039, -31570947,  -5575615, -19459679,
+			    9219903,    294711,  15298639,   2662509, -16297073 },
+			{  -1172927,  -7558695,  -4366770,  -4287744, -21346413,
+			   -8434326,  32087529,  -1222777,  32247248, -14389861 }
+		},
+		{
+			{  14312628,   1221556,  17395390,  -8700143,  -4945741,
+			   -8684635, -28197744,  -9637817, -16027623, -13378845 },
+			{  -1428825,  -9678990,  -9235681,   6549687,  -7383069,
+			    -468664,  23046502,   9803137,  17597934,   2346211 },
+			{  18510800,  15337574,  26171504,    981392, -22241552,
+			    7827556, -23491134, -11323352,   3059833, -11782870 }
+		},
+		{
+			{  10141598,   6082907,  17829293,  -1947643,   9830092,
+			   13613136, -25556636,  -5544586, -33502212,   3592096 },
+			{  33114168, -15889352, -26525686, -13343397,  33076705,
+			    8716171,   1151462,   1521897,   -982665,  -6837803 },
+			{ -32939165,  -4255815,  23947181,   -324178, -33072974,
+			  -12305637, -16637686,   3891704,  26353178,    693168 }
+		},
+		{
+			{  30374239,   1595580, -16884039,  13186931,   4600344,
+			     406904,   9585294,   -400668,  31375464,  14369965 },
+			{ -14370654,  -7772529,   1510301,   6434173, -18784789,
+			   -6262728,  32732230, -13108839,  17901441,  16011505 },
+			{  18171223, -11934626, -12500402,  15197122, -11038147,
+			  -15230035, -19172240, -16046376,   8764035,  12309598 }
+		}
+	},
+	{
+		{
+			{   5975908,  -5243188, -19459362,  -9681747, -11541277,
+			   14015782, -23665757,   1228319,  17544096, -10593782 },
+			{   5811932,  -1715293,   3442887,  -2269310, -18367348,
+			   -8359541, -18044043, -15410127,  -5565381,  12348900 },
+			{ -31399660,  11407555,  25755363,   6891399,  -3256938,
+			   14872274, -24849353,   8141295, -10632534,   -585479 }
+		},
+		{
+			{ -12675304,    694026,  -5076145,  13300344,  14015258,
+			  -14451394,  -9698672, -11329050,  30944593,   1130208 },
+			{   8247766,  -6710942, -26562381,  -7709309, -14401939,
+			  -14648910,   4652152,   2488540,  23550156,   -271232 },
+			{  17294316,  -3788438,   7026748,  15626851,  22990044,
+			     113481,   2267737,  -5908146,   -408818,   -137719 }
+		},
+		{
+			{  16091085, -16253926,  18599252,   7340678,   2137637,
+			   -1221657,  -3364161,  14550936,   3260525,  -7166271 },
+			{  -4910104, -13332887,  18550887,  10864893, -16459325,
+			   -7291596, -23028869, -13204905, -12748722,   2701326 },
+			{  -8574695,  16099415,   4629974, -16340524, -20786213,
+			   -6005432, -10018363,   9276971,  11329923,   1862132 }
+		},
+		{
+			{  14763076, -15903608, -30918270,   3689867,   3511892,
+			   10313526, -21951088,  12219231,  -9037963,   -940300 },
+			{   8894987,  -3446094,   6150753,   3013931,    301220,
+			   15693451, -31981216,  -2909717, -15438168,  11595570 },
+			{  15214962,   3537601, -26238722, -14058872,   4418657,
+			  -15230761,  13947276,  10730794, -13489462,  -4363670 }
+		},
+		{
+			{  -2538306,   7682793,  32759013,    263109, -29984731,
+			   -7955452, -22332124, -10188635,    977108,    699994 },
+			{ -12466472,   4195084,  -9211532,    550904, -15565337,
+			   12917920,  19118110,   -439841, -30534533, -14337913 },
+			{  31788461, -14507657,   4799989,   7372237,   8808585,
+			  -14747943,   9408237, -10051775,  12493932,  -5409317 }
+		},
+		{
+			{ -25680606,   5260744, -19235809,  -6284470,  -3695942,
+			   16566087,  27218280,   2607121,  29375955,   6024730 },
+			{    842132,  -2794693,  -4763381,  -8722815,  26332018,
+			  -12405641,  11831880,   6985184,  -9940361,   2854096 },
+			{  -4847262,  -7969331,   2516242,  -5847713,   9695691,
+			   -7221186,  16512645,    960770,  12121869,  16648078 }
+		},
+		{
+			{ -15218652,  14667096, -13336229,   2013717,  30598287,
+			    -464137, -31504922,  -7882064,  20237806,   2838411 },
+			{ -19288047,   4453152,  15298546, -16178388,  22115043,
+			  -15972604,  12544294, -13470457,   1068881, -12499905 },
+			{  -9558883, -16518835,  33238498,  13506958,  30505848,
+			   -1114596,  -8486907,  -2630053,  12521378,   4845654 }
+		},
+		{
+			{ -28198521,  10744108,  -2958380,  10199664,   7759311,
+			  -13088600,   3409348,   -873400,  -6482306, -12885870 },
+			{ -23561822,   6230156, -20382013,  10655314, -24040585,
+			  -11621172,  10477734,  -1240216,  -3113227,  13974498 },
+			{  12966261,  15550616, -32038948,  -1615346,  21025980,
+			    -629444,   5642325,   7188737,  18895762,  12629579 }
+		}
+	},
+	{
+		{
+			{  14741879, -14946887,  22177208, -11721237,   1279741,
+			    8058600,  11758140,    789443,  32195181,   3895677 },
+			{  10758205,  15755439,  -4509950,   9243698,  -4879422,
+			    6879879,  -2204575,  -3566119,  -8982069,   4429647 },
+			{  -2453894,  15725973, -20436342, -10410672,  -5803908,
+			  -11040220,  -7135870, -11642895,  18047436, -15281743 }
+		},
+		{
+			{ -25173001, -11307165,  29759956,  11776784, -22262383,
+			  -15820455,  10993114, -12850837, -17620701,  -9408468 },
+			{  21987233,    700364, -24505048,  14972008,  -7774265,
+			   -5718395,  32155026,   2581431, -29958985,   8773375 },
+			{ -25568350,    454463, -13211935,  16126715,  25240068,
+			    8594567,  20656846,  12017935,  -7874389, -13920155 }
+		},
+		{
+			{   6028182,   6263078, -31011806, -11301710,   -818919,
+			    2461772, -31841174,  -5468042,  -1721788,  -2776725 },
+			{ -12278994,  16624277,    987579,  -5922598,  32908203,
+			    1248608,   7719845,  -4166698,  28408820,   6816612 },
+			{ -10358094,  -8237829,  19549651, -12169222,  22082623,
+			   16147817,  20613181,  13982702, -10339570,   5067943 }
+		},
+		{
+			{ -30505967,  -3821767,  12074681,  13582412, -19877972,
+			    2443951, -19719286,  12746132,   5331210, -10105944 },
+			{  30528811,   3601899,  -1957090,   4619785, -27361822,
+			  -15436388,  24180793, -12570394,  27679908,  -1648928 },
+			{   9402404, -13957065,  32834043,  10838634, -26580150,
+			  -13237195,  26653274,  -8685565,  22611444, -12715406 }
+		},
+		{
+			{  22190590,   1118029,  22736441,  15130463, -30460692,
+			   -5991321,  19189625,  -4648942,   4854859,   6622139 },
+			{  -8310738,  -2953450,  -8262579,  -3388049, -10401731,
+			    -271929,  13424426,  -3567227,  26404409,  13001963 },
+			{ -31241838, -15415700,  -2994250,   8939346,  11562230,
+			  -12840670, -26064365, -11621720, -15405155,  11020693 }
+		},
+		{
+			{   1866042,  -7949489,  -7898649, -10301010,  12483315,
+			   13477547,   3175636, -12424163,  28761762,   1406734 },
+			{   -448555,  -1777666,  13018551,   3194501,  -9580420,
+			  -11161737,  24760585,  -4347088,  25577411, -13378680 },
+			{ -24290378,   4759345,   -690653,  -1852816,   2066747,
+			   10693769, -29595790,   9884936,  -9368926,   4745410 }
+		},
+		{
+			{  -9141284,   6049714, -19531061,  -4341411, -31260798,
+			    9944276, -15462008, -11311852,  10931924, -11931931 },
+			{ -16561513,  14112680,  -8012645,   4817318,  -8040464,
+			  -11414606, -22853429,  10856641, -20470770,  13434654 },
+			{  22759489, -10073434, -16766264,  -1871422,  13637442,
+			  -10168091,   1765144, -12654326,  28445307,  -5364710 }
+		},
+		{
+			{  29875063,  12493613,   2795536,  -3786330,   1710620,
+			   15181182, -10195717,  -8788675,   9074234,   1167180 },
+			{ -26205683,  11014233,  -9842651,  -2635485, -26908120,
+			    7532294, -18716888,  -9535498,   3843903,   9367684 },
+			{ -10969595,  -6403711,   9591134,   9582310,  11349256,
+			     108879,  16235123,   8601684,   -139197,   4242895 }
+		}
+	},
+	{
+		{
+			{  22092954, -13191123,  -2042793, -11968512,  32186753,
+			  -11517388,  -6574341,   2470660, -27417366,  16625501 },
+			{ -11057722,   3042016,  13770083,  -9257922,    584236,
+			    -544855,  -7770857,   2602725, -27351616,  14247413 },
+			{   6314175, -10264892, -32772502,  15957557, -10157730,
+			     168750,  -8618807,  14290061,  27108877,  -1180880 }
+		},
+		{
+			{  -8586597,  -7170966,  13241782,  10960156, -32991015,
+			  -13794596,  33547976, -11058889, -27148451,    981874 },
+			{  22833440,   9293594, -32649448, -13618667,  -9136966,
+			   14756819, -22928859, -13970780, -10479804, -16197962 },
+			{  -7768587,   3326786, -28111797,  10783824,  19178761,
+			   14905060,  22680049,  13906969, -15933690,   3797899 }
+		},
+		{
+			{  21721356,  -4212746, -12206123,   9310182,  -3882239,
+			  -13653110,  23740224,  -2709232,  20491983,  -8042152 },
+			{   9209270, -15135055, -13256557,  -6167798,   -731016,
+			   15289673,  25947805,  15286587,  30997318,  -6703063 },
+			{   7392032,  16618386,  23946583,  -8039892, -13265164,
+			   -1533858, -14197445,  -2321576,  17649998,   -250080 }
+		},
+		{
+			{  -9301088, -14193827,  30609526,  -3049543, -25175069,
+			   -1283752, -15241566,  -9525724,  -2233253,   7662146 },
+			{ -17558673,   1763594, -33114336,  15908610, -30040870,
+			  -12174295,   7335080,  -8472199,  -3174674,   3440183 },
+			{ -19889700,  -5977008, -24111293,  -9688870,  10799743,
+			  -16571957,     40450,  -4431835,   4862400,      1133 }
+		},
+		{
+			{ -32856209,  -7873957,  -5422389,  14860950, -16319031,
+			    7956142,   7258061,    311861, -30594991,  -7379421 },
+			{  -3773428,  -1565936,  28985340,   7499440,  24445838,
+			    9325937,  29727763,  16527196,  18278453,  15405622 },
+			{  -4381906,   8508652, -19898366,  -3674424,  -5984453,
+			   15149970, -13313598,    843523, -21875062,  13626197 }
+		},
+		{
+			{   2281448, -13487055, -10915418,  -2609910,   1879358,
+			   16164207, -10783882,   3953792,  13340839,  15928663 },
+			{  31727126,  -7179855, -18437503,  -8283652,   2875793,
+			  -16390330, -25269894,  -7014826, -23452306,   5964753 },
+			{   4100420,  -5959452, -17179337,   6017714, -18705837,
+			   12227141, -26684835,  11344144,   2538215,  -7570755 }
+		},
+		{
+			{  -9433605,   6123113,  11159803,  -2156608,  30016280,
+			   14966241, -20474983,   1485421,   -629256, -15958862 },
+			{ -26804558,   4260919,  11851389,   9658551, -32017107,
+			   16367492, -20205425, -13191288,  11659922, -11115118 },
+			{  26180396,  10015009, -30844224,  -8581293,   5418197,
+			    9480663,   2231568, -10170080,  33100372,  -1306171 }
+		},
+		{
+			{  15121113,  -5201871, -10389905,  15427821, -27509937,
+			  -15992507,  21670947,   4486675,  -5931810, -14466380 },
+			{  16166486,  -9483733, -11104130,   6023908, -31926798,
+			   -1364923,   2340060, -16254968, -10735770, -10039824 },
+			{  28042865,  -3557089, -12126526,  12259706,  -3717498,
+			   -6945899,   6766453,  -8689599,  18036436,   5803270 }
+		}
+	},
+	{
+		{
+			{   -817581,   6763912,  11803561,   1585585,  10958447,
+			   -2671165,  23855391,   4598332,  -6159431, -14117438 },
+			{ -31031306, -14256194,  17332029,  -2383520,  31312682,
+			   -5967183,    696309,     50292, -20095739,  11763584 },
+			{   -594563,  -2514283, -32234153,  12643980,  12650761,
+			   14811489,    665117, -12613632, -19773211, -10713562 }
+		},
+		{
+			{  30464590, -11262872,  -4127476, -12734478,  19835327,
+			   -7105613, -24396175,   2075773, -17020157,    992471 },
+			{  18357185,  -6994433,   7766382,  16342475, -29324918,
+			     411174,  14578841,   8080033, -11574335, -10601610 },
+			{  19598397,  10334610,  12555054,   2555664,  18821899,
+			  -10339780,  21873263,  16014234,  26224780,  16452269 }
+		},
+		{
+			{ -30223925,   5145196,   5944548,  16385966,   3976735,
+			    2009897, -11377804,  -7618186, -20533829,   3698650 },
+			{  14187449,   3448569, -10636236, -10810935, -22663880,
+			   -3433596,   7268410, -10890444,  27394301,  12015369 },
+			{  19695761,  16087646,  28032085,  12999827,   6817792,
+			   11427614,  20244189,  -1312777, -13259127,  -3402461 }
+		},
+		{
+			{  30860103,  12735208,  -1888245,  -4699734, -16974906,
+			    2256940,  -8166013,  12298312,  -8550524, -10393462 },
+			{  -5719826, -11245325,  -1910649,  15569035,  26642876,
+			   -7587760,  -5789354, -15118654,  -4976164,  12651793 },
+			{  -2848395,   9953421,  11531313,  -5282879,  26895123,
+			  -12697089, -13118820, -16517902,   9768698,  -2533218 }
+		},
+		{
+			{ -24719459,   1894651,   -287698,  -4704085,  15348719,
+			   -8156530,  32767513,  12765450,   4940095,  10678226 },
+			{  18860224,  15980149, -18987240,  -1562570, -26233012,
+			  -11071856,  -7843882,  13944024, -24372348,  16582019 },
+			{ -15504260,   4970268, -29893044,   4175593, -20993212,
+			   -2199756, -11704054,  15444560, -11003761,   7989037 }
+		},
+		{
+			{  31490452,   5568061,  -2412803,   2182383, -32336847,
+			    4531686, -32078269,   6200206, -19686113, -14800171 },
+			{ -17308668, -15879940, -31522777,     -2831, -32887382,
+			   16375549,   8680158, -16371713,  28550068,  -6857132 },
+			{ -28126887,  -5688091,  16837845,  -1820458,  -6850681,
+			   12700016, -30039981,   4364038,   1155602,   5988841 }
+		},
+		{
+			{  21890435, -13272907, -12624011,  12154349,  -7831873,
+			   15300496,  23148983,  -4470481,  24618407,   8283181 },
+			{ -33136107, -10512751,   9975416,   6841041, -31559793,
+			   16356536,   3070187,  -7025928,   1466169,  10740210 },
+			{  -1509399, -15488185, -13503385, -10655916,  32799044,
+			     909394, -13938903,  -5779719, -32164649, -15327040 }
+		},
+		{
+			{   3960823, -14267803, -28026090, -15918051, -19404858,
+			   13146868,  15567327,    951507,  -3260321,   -573935 },
+			{  24740841,   5052253, -30094131,   8961361,  25877428,
+			    6165135, -24368180,  14397372,  -7380369,  -6144105 },
+			{ -28888365,   3510803, -28103278,  -1158478, -11238128,
+			  -10631454, -15441463, -14453128,  -1625486,  -6494814 }
+		}
+	},
+	{
+		{
+			{    793299,  -9230478,   8836302,  -6235707, -27360908,
+			   -2369593,  33152843,  -4885251,  -9906200,   -621852 },
+			{   5666233,    525582,  20782575,  -8038419, -24538499,
+			   14657740,  16099374,   1468826,  -6171428, -15186581 },
+			{  -4859255,  -3779343,  -2917758,  -6748019,   7778750,
+			   11688288, -30404353,  -9871238,  -1558923,  -9863646 }
+		},
+		{
+			{  10896332,  -7719704,    824275,    472601, -19460308,
+			    3009587,  25248958,  14783338, -30581476, -15757844 },
+			{  10566929,  12612572, -31944212,  11118703, -12633376,
+			   12362879,  21752402,   8822496,  24003793,  14264025 },
+			{  27713862,  -7355973, -11008240,   9227530,  27050101,
+			    2504721,  23886875, -13117525,  13958495,  -5732453 }
+		},
+		{
+			{ -23481610,   4867226, -27247128,   3900521,  29838369,
+			   -8212291, -31889399, -10041781,   7340521, -15410068 },
+			{   4646514,  -8011124, -22766023, -11532654,  23184553,
+			    8566613,  31366726,  -1381061, -15066784, -10375192 },
+			{ -17270517,  12723032, -16993061,  14878794,  21619651,
+			   -6197576,  27584817,   3093888,  -8843694,   3849921 }
+		},
+		{
+			{  -9064912,   2103172,  25561640, -15125738,  -5239824,
+			    9582958,  32477045,  -9017955,   5002294, -15550259 },
+			{ -12057553, -11177906,  21115585, -13365155,   8808712,
+			  -12030708,  16489530,  13378448, -25845716,  12741426 },
+			{  -5946367,  10645103, -30911586,  15390284,  -3286982,
+			   -7118677,  24306472,  15852464,  28834118,  -7646072 }
+		},
+		{
+			{ -17335748,  -9107057, -24531279,   9434953,  -8472084,
+			    -583362, -13090771,    455841,  20461858,   5491305 },
+			{  13669248, -16095482, -12481974, -10203039, -14569770,
+			  -11893198, -24995986,  11293807, -28588204,  -9421832 },
+			{  28497928,   6272777, -33022994,  14470570,   8906179,
+			   -1225630,  18504674, -14165166,  29867745,  -8795943 }
+		},
+		{
+			{ -16207023,  13517196, -27799630, -13697798,  24009064,
+			   -6373891,  -6367600, -13175392,  22853429,  -4012011 },
+			{  24191378,  16712145, -13931797,  15217831,  14542237,
+			    1646131,  18603514, -11037887,  12876623,  -2112447 },
+			{  17902668,   4518229,   -411702,  -2829247,  26878217,
+			    5258055, -12860753,    608397,  16031844,   3723494 }
+		},
+		{
+			{ -28632773,  12763728, -20446446,   7577504,  33001348,
+			  -13017745,  17558842,  -7872890,  23896954,  -4314245 },
+			{ -20005381, -12011952,  31520464,    605201,   2543521,
+			    5991821,  -2945064,   7229064,  -9919646,  -8826859 },
+			{  28816045,    298879, -28165016, -15920938,  19000928,
+			   -1665890, -12680833,  -2949325, -18051778,  -2082915 }
+		},
+		{
+			{  16000882,   -344896,   3493092, -11447198, -29504595,
+			  -13159789,  12577740,  16041268, -19715240,   7847707 },
+			{  10151868,  10572098,  27312476,   7922682,  14825339,
+			    4723128, -32855931,  -6519018, -10020567,   3852848 },
+			{ -11430470,  15697596, -21121557,  -4420647,   5386314,
+			   15063598,  16514493, -15932110,  29330899, -15076224 }
+		}
+	},
+	{
+		{
+			{ -25499735,  -4378794, -15222908,  -6901211,  16615731,
+			    2051784,   3303702,     15490, -27548796,  12314391 },
+			{  15683520,  -6003043,  18109120,  -9980648,  15337968,
+			   -5997823, -16717435,  15921866,  16103996,  -3731215 },
+			{ -23169824, -10781249,  13588192,  -1628807,  -3798557,
+			   -1074929, -19273607,   5402699, -29815713,  -9841101 }
+		},
+		{
+			{  23190676,   2384583, -32714340,   3462154, -29903655,
+			   -1529132, -11266856,   8911517, -25205859,   2739713 },
+			{  21374101,  -3554250, -33524649,   9874411,  15377179,
+			   11831242, -33529904,   6134907,   4931255,  11987849 },
+			{     -7732,  -2978858, -16223486,   7277597,    105524,
+			    -322051, -31480539,  13861388, -30076310,  10117930 }
+		},
+		{
+			{ -29501170, -10744872, -26163768,  13051539, -25625564,
+			    5089643,  -6325503,   6704079,  12890019,  15728940 },
+			{ -21972360, -11771379,   -951059,  -4418840,  14704840,
+			    2695116,    903376, -10428139,  12885167,   8311031 },
+			{ -17516482,   5352194,  10384213, -13811658,   7506451,
+			   13453191,  26423267,   4384730,   1888765,  -5435404 }
+		},
+		{
+			{ -25817338,  -3107312, -13494599,  -3182506,  30896459,
+			  -13921729, -32251644, -12707869, -19464434,  -3340243 },
+			{ -23607977,  -2665774,   -526091,   4651136,   5765089,
+			    4618330,   6092245,  14845197,  17151279,  -9854116 },
+			{ -24830458, -12733720, -15165978,  10367250, -29530908,
+			    -265356,  22825805,  -7087279, -16866484,  16176525 }
+		},
+		{
+			{ -23583256,   6564961,  20063689,   3798228,  -4740178,
+			    7359225,   2006182, -10363426, -28746253, -10197509 },
+			{ -10626600,  -4486402, -13320562,  -5125317,   3432136,
+			   -6393229,  23632037,  -1940610,  32808310,   1099883 },
+			{  15030977,   5768825, -27451236,  -2887299,  -6427378,
+			  -15361371, -15277896,  -6809350,   2051441, -15225865 }
+		},
+		{
+			{  -3362323,  -7239372,   7517890,   9824992,  23555850,
+			     295369,   5148398, -14154188, -22686354,  16633660 },
+			{   4577086, -16752288,  13249841, -15304328,  19958763,
+			  -14537274,  18559670, -10759549,   8402478,  -9864273 },
+			{ -28406330,  -1051581, -26790155,   -907698, -17212414,
+			  -11030789,   9453451, -14980072,  17983010,   9967138 }
+		},
+		{
+			{ -25762494,   6524722,  26585488,   9969270,  24709298,
+			    1220360,  -1677990,   7806337,  17507396,   3651560 },
+			{ -10420457,  -4118111,  14584639,  15971087, -15768321,
+			    8861010,  26556809,  -5574557, -18553322, -11357135 },
+			{   2839101,  14284142,   4029895,   3472686,  14402957,
+			   12689363, -26642121,   8459447,  -5605463,  -7621941 }
+		},
+		{
+			{  -4839289,  -3535444,   9744961,   2871048,  25113978,
+			    3187018, -25110813,   -849066,  17258084,  -7977739 },
+			{  18164541, -10595176, -17154882,  -1542417,  19237078,
+			   -9745295,  23357533, -15217008,  26908270,  12150756 },
+			{ -30264870,  -7647865,   5112249,  -7036672,  -1499807,
+			   -6974257,     43168,  -5537701, -32302074,  16215819 }
+		}
+	},
+	{
+		{
+			{  -6898905,   9824394, -12304779,  -4401089, -31397141,
+			   -6276835,  32574489,  12532905,  -7503072,  -8675347 },
+			{ -27343522, -16515468, -27151524, -10722951,    946346,
+			   16291093,    254968,   7168080,  21676107,  -1943028 },
+			{  21260961,  -8424752, -16831886, -11920822, -23677961,
+			    3968121,  -3651949,  -6215466,  -3556191,  -7913075 }
+		},
+		{
+			{  16544754,  13250366, -16804428,  15546242,  -4583003,
+			   12757258,  -2462308,  -8680336, -18907032,  -9662799 },
+			{  -2415239, -15577728,  18312303,   4964443, -15272530,
+			  -12653564,  26820651,  16690659,  25459437,  -4564609 },
+			{ -25144690,  11425020,  28423002, -11020557,  -6144921,
+			  -15826224,   9142795,  -2391602,  -6432418,  -1644817 }
+		},
+		{
+			{ -23104652,   6253476,  16964147,  -3768872, -25113972,
+			  -12296437, -27457225, -16344658,   6335692,   7249989 },
+			{ -30333227,  13979675,   7503222, -12368314, -11956721,
+			   -4621693, -30272269,   2682242,  25993170, -12478523 },
+			{   4364628,   5930691,  32304656, -10044554,  -8054781,
+			   15091131,  22857016, -10598955,  31820368,  15075278 }
+		},
+		{
+			{  31879134,  -8918693,  17258761,     90626,  -8041836,
+			   -4917709,  24162788,  -9650886, -17970238,  12833045 },
+			{  19073683,  14851414, -24403169, -11860168,   7625278,
+			   11091125, -19619190,   2074449,  -9413939,  14905377 },
+			{  24483667, -11935567,  -2518866, -11547418,  -1553130,
+			   15355506, -25282080,   9253129,  27628530,  -7555480 }
+		},
+		{
+			{  17597607,   8340603,  19355617,    552187,  26198470,
+			   -3176583,   4593324,  -9157582, -14110875,  15297016 },
+			{    510886,  14337390, -31785257,  16638632,   6328095,
+			    2713355, -20217417, -11864220,   8683221,   2921426 },
+			{  18606791,  11874196,  27155355,  -5281482, -24031742,
+			    6265446, -25178240,  -1278924,   4674690,  13890525 }
+		},
+		{
+			{  13609624,  13069022, -27372361, -13055908,  24360586,
+			    9592974,  14977157,   9835105,   4389687,    288396 },
+			{   9922506,   -519394,  13613107,   5883594, -18758345,
+			    -434263, -12304062,   8317628,  23388070,  16052080 },
+			{  12720016,  11937594, -31970060,  -5028689,  26900120,
+			    8561328, -20155687, -11632979, -14754271, -10812892 }
+		},
+		{
+			{  15961858,  14150409,  26716931,   -665832, -22794328,
+			   13603569,  11829573,   7467844, -28822128,    929275 },
+			{  11038231, -11582396, -27310482,  -7316562, -10498527,
+			  -16307831, -23479533,  -9371869, -21393143,   2465074 },
+			{  20017163,  -4323226,  27915242,   1529148,  12396362,
+			   15675764,  13817261,  -9658066,   2463391,  -4622140 }
+		},
+		{
+			{ -16358878, -12663911, -12065183,   4996454,  -1256422,
+			    1073572,   9583558,  12851107,   4003896,  12673717 },
+			{  -1731589, -15155870,  -3262930,  16143082,  19294135,
+			   13385325,  14741514,  -9103726,   7903886,   2348101 },
+			{  24536016, -16515207,  12715592,  -3862155,   1511293,
+			   10047386,  -3842346,  -7129159, -28377538,  10048127 }
+		}
+	},
+	{
+		{
+			{ -12622226,  -6204820,  30718825,   2591312, -10617028,
+			   12192840,  18873298,  -7297090, -32297756,  15221632 },
+			{ -26478122, -11103864,  11546244,  -1852483,   9180880,
+			    7656409, -21343950,   2095755,  29769758,   6593415 },
+			{ -31994208,  -2907461,   4176912,   3264766,  12538965,
+			    -868111,  26312345,  -6118678,  30958054,   8292160 }
+		},
+		{
+			{  31429822, -13959116,  29173532,  15632448,  12174511,
+			   -2760094,  32808831,   3977186,  26143136,  -3148876 },
+			{  22648901,   1402143, -22799984,  13746059,   7936347,
+			     365344,  -8668633,  -1674433,  -3758243,  -2304625 },
+			{ -15491917,   8012313,  -2514730, -12702462, -23965846,
+			  -10254029,  -1612713,  -1535569, -16664475,   8194478 }
+		},
+		{
+			{  27338066,  -7507420,  -7414224,  10140405, -19026427,
+			   -6589889,  27277191,   8855376,  28572286,   3005164 },
+			{  26287124,   4821776,  25476601,  -4145903,  -3764513,
+			  -15788984, -18008582,   1182479, -26094821, -13079595 },
+			{  -7171154,   3178080,  23970071,   6201893, -17195577,
+			   -4489192, -21876275, -13982627,  32208683,  -1198248 }
+		},
+		{
+			{ -16657702,   2817643, -10286362,  14811298,   6024667,
+			   13349505, -27315504, -10497842, -27672585, -11539858 },
+			{  15941029,  -9405932, -21367050,   8062055,  31876073,
+			    -238629, -15278393,  -1444429,  15397331,  -4130193 },
+			{   8934485, -13485467, -23286397, -13423241, -32446090,
+			   14047986,  31170398,  -1441021, -27505566,  15087184 }
+		},
+		{
+			{ -18357243,  -2156491,  24524913, -16677868,  15520427,
+			   -6360776, -15502406,  11461896,  16788528,  -5868942 },
+			{  -1947386,  16013773,  21750665,   3714552, -17401782,
+			  -16055433,  -3770287, -10323320,  31322514, -11615635 },
+			{  21426655,  -5650218, -13648287,  -5347537, -28812189,
+			   -4920970, -18275391, -14621414,  13040862, -12112948 }
+		},
+		{
+			{  11293895,  12478086, -27136401,  15083750, -29307421,
+			   14748872,  14555558, -13417103,   1613711,   4896935 },
+			{ -25894883,  15323294,  -8489791,  -8057900,  25967126,
+			  -13425460,   2825960,  -4897045, -23971776, -11267415 },
+			{ -15924766,  -5229880, -17443532,   6410664,   3622847,
+			   10243618,  20615400,  12405433, -23753030,  -8436416 }
+		},
+		{
+			{  -7091295,  12556208, -20191352,   9025187, -17072479,
+			    4333801,   4378436,   2432030,  23097949,   -566018 },
+			{   4565804, -16025654,  20084412,  -7842817,   1724999,
+			     189254,  24767264,  10103221, -18512313,   2424778 },
+			{    366633, -11976806,   8173090,  -6890119,  30788634,
+			    5745705,  -7168678,   1344109,  -3642553,  12412659 }
+		},
+		{
+			{ -24001791,   7690286,  14929416,   -168257, -32210835,
+			  -13412986,  24162697, -15326504,  -3141501,  11179385 },
+			{  18289522, -14724954,   8056945,  16430056, -21729724,
+			    7842514,  -6001441,  -1486897, -18684645, -11443503 },
+			{    476239,   6601091,  -6152790,  -9723375,  17503545,
+			   -4863900,  27672959,  13403813,  11052904,   5219329 }
+		}
+	},
+	{
+		{
+			{  20678546,  -8375738, -32671898,   8849123,  -5009758,
+			   14574752,  31186971,  -3973730,   9014762,  -8579056 },
+			{ -13644050, -10350239, -15962508,   5075808,  -1514661,
+			  -11534600, -33102500,   9160280,   8473550,  -3256838 },
+			{  24900749,  14435722,  17209120, -15292541, -22592275,
+			    9878983,  -7689309, -16335821, -24568481,  11788948 }
+		},
+		{
+			{  -3118155, -11395194, -13802089,  14797441,   9652448,
+			   -6845904, -20037437,  10410733, -24568470,  -1458691 },
+			{ -15659161,  16736706, -22467150,  10215878,  -9097177,
+			    7563911,  11871841, -12505194, -18513325,   8464118 },
+			{ -23400612,   8348507, -14585951,   -861714,  -3950205,
+			   -6373419,  14325289,   8628612,  33313881,  -8370517 }
+		},
+		{
+			{ -20186973,  -4967935,  22367356,   5271547,  -1097117,
+			   -4788838, -24805667, -10236854,  -8940735,  -5818269 },
+			{  -6948785,  -1795212, -32625683, -16021179,  32635414,
+			   -7374245,  15989197, -12838188,  28358192,  -4253904 },
+			{ -23561781,  -2799059, -32351682,  -1661963,  -9147719,
+			   10429267, -16637684,   4072016,  -5351664,   5596589 }
+		},
+		{
+			{ -28236598,  -3390048,  12312896,   6213178,   3117142,
+			   16078565,  29266239,   2557221,   1768301,  15373193 },
+			{  -7243358,  -3246960,  -4593467,  -7553353,   -127927,
+			    -912245,  -1090902,  -4504991, -24660491,   3442910 },
+			{ -30210571,   5124043,  14181784,   8197961,  18964734,
+			  -11939093,  22597931,   7176455, -18585478,  13365930 }
+		},
+		{
+			{  -7877390,  -1499958,   8324673,   4690079,   6261860,
+			     890446,  24538107,  -8570186,  -9689599,  -3031667 },
+			{  25008904, -10771599,  -4305031,  -9638010,  16265036,
+			   15721635,    683793, -11823784,  15723479, -15163481 },
+			{  -9660625,  12374379, -27006999,  -7026148,  -7724114,
+			  -12314514,  11879682,   5400171,    519526,  -1235876 }
+		},
+		{
+			{  22258397, -16332233,  -7869817,  14613016, -22520255,
+			   -2950923, -20353881,   7315967,  16648397,   7605640 },
+			{  -8081308,  -8464597,  -8223311,   9719710,  19259459,
+			  -15348212,  23994942,  -5281555,  -9468848,   4763278 },
+			{ -21699244,   9220969, -15730624,   1084137, -25476107,
+			   -2852390,  31088447,  -7764523, -11356529,    728112 }
+		},
+		{
+			{  26047220, -11751471,  -6900323, -16521798,  24092068,
+			    9158119,  -4273545, -12555558, -29365436,  -5498272 },
+			{  17510331,   -322857,   5854289,   8403524,  17133918,
+			   -3112612, -28111007,  12327945,  10750447,  10014012 },
+			{ -10312768,   3936952,   9156313,  -8897683,  16498692,
+			    -994647, -27481051,   -666732,   3424691,   7540221 }
+		},
+		{
+			{  30322361,  -6964110,  11361005,  -4143317,   7433304,
+			    4989748,  -7071422, -16317219,  -9244265,  15258046 },
+			{  13054562,  -2779497,  19155474,    469045, -12482797,
+			    4566042,   5631406,   2711395,   1062915,  -5136345 },
+			{ -19240248, -11254599, -29509029,  -7499965,  -5835763,
+			   13005411,  -6066489,  12194497,  32960380,   1459310 }
+		}
+	},
+	{
+		{
+			{  19852034,   7027924,  23669353,  10020366,   8586503,
+			   -6657907,    394197,  -6101885,  18638003, -11174937 },
+			{  31395534,  15098109,  26581030,   8030562, -16527914,
+			   -5007134,   9012486,  -7584354,  -6643087,  -5442636 },
+			{  -9192165,  -2347377,  -1997099,   4529534,  25766844,
+			     607986,    -13222,   9677543, -32294889,  -6456008 }
+		},
+		{
+			{  -2444496,   -149937,  29348902,   8186665,   1873760,
+			   12489863, -30934579,  -7839692,  -7852844,  -8138429 },
+			{ -15236356, -15433509,   7766470,    746860,  26346930,
+			  -10221762, -27333451,  10754588,  -9431476,   5203576 },
+			{  31834314,  14135496,   -770007,   5159118,  20917671,
+			  -16768096,  -7467973,  -7337524,  31809243,   7347066 }
+		},
+		{
+			{  -9606723, -11874240,  20414459,  13033986,  13716524,
+			  -11691881,  19797970, -12211255,  15192876,  -2087490 },
+			{ -12663563,  -2181719,   1168162,  -3804809,  26747877,
+			  -14138091,  10609330,  12694420,  33473243, -13382104 },
+			{  33184999,  11180355,  15832085, -11385430,  -1633671,
+			     225884,  15089336, -11023903,  -6135662,  14480053 }
+		},
+		{
+			{  31308717,  -5619998,  31030840,  -1897099,  15674547,
+			   -6582883,   5496208,  13685227,  27595050,   8737275 },
+			{ -20318852, -15150239,  10933843, -16178022,   8335352,
+			   -7546022, -31008351, -12610604,  26498114,     66511 },
+			{  22644454,  -8761729, -16671776,   4884562,  -3105614,
+			  -13559366,  30540766,  -4286747, -13327787,  -7515095 }
+		},
+		{
+			{ -28017847,   9834845,  18617207,  -2681312,  -3401956,
+			  -13307506,   8205540,  13585437, -17127465,  15115439 },
+			{  23711543,   -672915,  31206561,  -8362711,   6164647,
+			   -9709987, -33535882,  -1426096,   8236921,  16492939 },
+			{ -23910559, -13515526, -26299483,  -4503841,  25005590,
+			   -7687270,  19574902,  10071562,   6708380,  -6222424 }
+		},
+		{
+			{   2101391,  -4930054,  19702731,   2367575, -15427167,
+			    1047675,   5301017,   9328700,  29955601, -11678310 },
+			{   3096359,   9271816, -21620864, -15521844, -14847996,
+			   -7592937, -25892142, -12635595,  -9917575,   6216608 },
+			{ -32615849,    338663, -25195611,   2510422, -29213566,
+			  -13820213,  24822830,  -6146567, -26767480,   7525079 }
+		},
+		{
+			{ -23066649, -13985623,  16133487,  -7896178,  -3389565,
+			     778788,   -910336,  -2782495, -19386633,  11994101 },
+			{  21691500, -13624626,   -641331, -14367021,   3285881,
+			   -3483596, -25064666,   9718258,  -7477437,  13381418 },
+			{  18445390,  -4202236,  14979846,  11622458,  -1727110,
+			   -3582980,  23111648,  -6375247,  28535282,  15779576 }
+		},
+		{
+			{  30098053,   3089662,  -9234387,  16662135, -21306940,
+			   11308411, -14068454,  12021730,   9955285, -16303356 },
+			{   9734894, -14576830,  -7473633,  -9138735,   2060392,
+			   11313496, -18426029,   9924399,  20194861,  13380996 },
+			{ -26378102,  -7965207, -22167821,  15789297, -18055342,
+			   -6168792,  -1984914,  15707771,  26342023,  10146099 }
+		}
+	},
+	{
+		{
+			{ -26016874,   -219943,  21339191,    -41388,  19745256,
+			   -2878700, -29637280,   2227040,  21612326,   -545728 },
+			{ -13077387,   1184228,  23562814,  -5970442, -20351244,
+			   -6348714,  25764461,  12243797, -20856566,  11649658 },
+			{ -10031494,  11262626,  27384172,   2271902,  26947504,
+			  -15997771,     39944,   6114064,  33514190,   2333242 }
+		},
+		{
+			{ -21433588, -12421821,   8119782,   7219913, -21830522,
+			   -9016134,  -6679750, -12670638,  24350578, -13450001 },
+			{  -4116307, -11271533, -23886186,   4843615, -30088339,
+			     690623, -31536088, -10406836,   8317860,  12352766 },
+			{  18200138, -14475911, -33087759,  -2696619, -23702521,
+			   -9102511, -23552096,  -2287550,  20712163,   6719373 }
+		},
+		{
+			{  26656208,   6075253,  -7858556,   1886072, -28344043,
+			    4262326,  11117530,  -3763210,  26224235,  -3297458 },
+			{ -17168938, -14854097,  -3395676, -16369877, -19954045,
+			   14050420,  21728352,   9493610,  18620611, -16428628 },
+			{ -13323321,  13325349,  11432106,   5964811,  18609221,
+			    6062965,  -5269471,  -9725556, -30701573, -16479657 }
+		},
+		{
+			{ -23860538, -11233159,  26961357,   1640861, -32413112,
+			  -16737940,  12248509,  -5240639,  13735342,   1934062 },
+			{  25089769,   6742589,  17081145, -13406266,  21909293,
+			  -16067981, -15136294,  -3765346, -21277997,   5473616 },
+			{  31883677,  -7961101,   1083432, -11572403,  22828471,
+			   13290673,  -7125085,  12469656,  29111212,  -5451014 }
+		},
+		{
+			{  24244947, -15050407, -26262976,   2791540, -14997599,
+			   16666678,  24367466,   6388839, -10295587,    452383 },
+			{ -25640782,  -3417841,   5217916,  16224624,  19987036,
+			   -4082269, -24236251,  -5915248,  15766062,   8407814 },
+			{ -20406999,  13990231,  15495425,  16395525,   5377168,
+			   15166495,  -8917023,  -4388953,  -8067909,   2276718 }
+		},
+		{
+			{  30157918,  12924066, -17712050,   9245753,  19895028,
+			    3368142, -23827587,   5096219,  22740376,  -7303417 },
+			{   2041139, -14256350,   7783687,  13876377, -25946985,
+			  -13352459,  24051124,  13742383, -15637599,  13295222 },
+			{  33338237,  -8505733,  12532113,   7977527,   9106186,
+			   -1715251, -17720195,  -4612972,  -4451357, -14669444 }
+		},
+		{
+			{ -20045281,   5454097, -14346548,   6447146,  28862071,
+			    1883651,  -2469266,  -4141880,   7770569,   9620597 },
+			{  23208068,   7979712,  33071466,   8149229,   1758231,
+			  -10834995,  30945528,  -1694323, -33502340, -14767970 },
+			{   1439958, -16270480,  -1079989,   -793782,   4625402,
+			   10647766,  -5043801,   1220118,  30494170, -11440799 }
+		},
+		{
+			{  -5037580, -13028295,  -2970559,  -3061767,  15640974,
+			   -6701666, -26739026,    926050,  -1684339, -13333647 },
+			{  13908495,  -3549272,  30919928,  -6273825, -21521863,
+			    7989039,   9021034,   9078865,   3353509,   4033511 },
+			{ -29663431, -15113610,  32259991,   -344482,  24295849,
+			  -12912123,  23161163,   8839127,  27485041,   7356032 }
+		}
+	},
+	{
+		{
+			{   9661027,    705443,  11980065,  -5370154,  -1628543,
+			   14661173,  -6346142,   2625015,  28431036, -16771834 },
+			{ -23839233,  -8311415, -25945511,   7480958, -17681669,
+			   -8354183, -22545972,  14150565,  15970762,   4099461 },
+			{  29262576,  16756590,  26350592,  -8793563,   8529671,
+			  -11208050,  13617293,  -9937143,  11465739,   8317062 }
+		},
+		{
+			{ -25493081,  -6962928,  32500200,  -9419051, -23038724,
+			   -2302222,  14898637,   3848455,  20969334,  -5157516 },
+			{ -20384450, -14347713, -18336405,  13884722, -33039454,
+			    2842114, -21610826,  -3649888,  11177095,  14989547 },
+			{ -24496721, -11716016,  16959896,   2278463,  12066309,
+			   10137771,  13515641,   2581286, -28487508,   9930240 }
+		},
+		{
+			{ -17751622,  -2097826,  16544300, -13009300, -15914807,
+			  -14949081,  18345767, -13403753,  16291481,  -5314038 },
+			{ -33229194,   2553288,  32678213,   9875984,   8534129,
+			    6889387,  -9676774,   6957617,   4368891,   9788741 },
+			{  16660756,   7281060, -10830758,  12911820,  20108584,
+			   -8101676, -21722536,  -8613148,  16250552, -11111103 }
+		},
+		{
+			{ -19765507,   2390526, -16551031,  14161980,   1905286,
+			    6414907,   4689584,  10604807, -30190403,   4782747 },
+			{  -1354539,  14736941,  -7367442, -13292886,   7710542,
+			  -14155590,  -9981571,   4383045,  22546403,    437323 },
+			{  31665577, -12180464, -16186830,   1491339, -18368625,
+			    3294682,  27343084,   2786261, -30633590, -14097016 }
+		},
+		{
+			{ -14467279,   -683715, -33374107,   7448552,  19294360,
+			   14334329, -19690631,   2355319, -19284671,  -6114373 },
+			{  15121312, -15796162,   6377020,  -6031361, -10798111,
+			  -12957845,  18952177,  15496498, -29380133,  11754228 },
+			{  -2637277, -13483075,   8488727, -14303896,  12728761,
+			   -1622493,   7141596,  11724556,  22761615, -10134141 }
+		},
+		{
+			{  16918416,  11729663, -18083579,   3022987, -31015732,
+			  -13339659, -28741185, -12227393,  32851222,  11717399 },
+			{  11166634,   7338049,  -6722523,   4531520, -29468672,
+			   -7302055,  31474879,   3483633,  -1193175,  -4030831 },
+			{   -185635,   9921305,  31456609, -13536438, -12013818,
+			   13348923,  33142652,   6546660, -19985279,  -3948376 }
+		},
+		{
+			{ -32460596,  11266712, -11197107,  -7899103,  31703694,
+			    3855903,  -8537131, -12833048, -30772034, -15486313 },
+			{ -18006477,  12709068,   3991746,  -6479188, -21491523,
+			  -10550425, -31135347, -16049879,  10928917,   3011958 },
+			{  -6957757, -15594337,  31696059,    334240,  29576716,
+			   14796075, -30831056, -12805180,  18008031,  10258577 }
+		},
+		{
+			{ -22448644,  15655569,   7018479,  -4410003, -30314266,
+			   -1201591,  -1853465,   1367120,  25127874,   6671743 },
+			{  29701166, -1437