- installing of child sa works

- need correct IP adresses to actually use IPsec

23 files changed, 766 insertions, 273 deletions

diff --git a/Source/charon/config/configuration_manager.c b/Source/charon/config/configuration_manager.c
index adbd0ddee..07eaf53e2 100644
--- a/Source/charon/config/configuration_manager.c
+++ b/Source/charon/config/configuration_manager.c
@@ -285,10 +285,8 @@ static void load_default_config (private_configuration_manager_t *this)
 	/* IKE proposals for alice */
 	proposal = proposal_create(1);
 	proposal->add_algorithm(proposal, IKE, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
-	POS;
-	proposal->add_algorithm(proposal, IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 16);
-	POS;
-	proposal->add_algorithm(proposal, IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 16);
+	proposal->add_algorithm(proposal, IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+	proposal->add_algorithm(proposal, IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
 	proposal->add_algorithm(proposal, IKE, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
 	proposal->add_algorithm(proposal, IKE, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
 	init_config_a->add_proposal(init_config_a, proposal);
@@ -296,8 +294,8 @@ static void load_default_config (private_configuration_manager_t *this)
 	/* IKE proposals for bob */
 	proposal = proposal_create(1);
 	proposal->add_algorithm(proposal, IKE, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
-	proposal->add_algorithm(proposal, IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 16);
-	proposal->add_algorithm(proposal, IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 16);
+	proposal->add_algorithm(proposal, IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+	proposal->add_algorithm(proposal, IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
 	proposal->add_algorithm(proposal, IKE, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
 	init_config_b->add_proposal(init_config_b, proposal);
  	
@@ -322,16 +320,17 @@ static void load_default_config (private_configuration_manager_t *this)
 	/* child proposal for alice */
 	proposal = proposal_create(1);
 	
-	proposal->add_algorithm(proposal, AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
-	proposal->add_algorithm(proposal, AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20);
-	proposal->add_algorithm(proposal, AH, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
-	proposal->add_algorithm(proposal, AH, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
-	proposal->add_algorithm(proposal, AH, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+// 	proposal->add_algorithm(proposal, AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+// 	proposal->add_algorithm(proposal, AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+// 	proposal->add_algorithm(proposal, AH, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
+// 	proposal->add_algorithm(proposal, AH, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
+// 	proposal->add_algorithm(proposal, AH, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 
 	proposal->add_algorithm(proposal, ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
-	proposal->add_algorithm(proposal, ESP, ENCRYPTION_ALGORITHM, ENCR_3DES, 32);
-	proposal->add_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20);
-	proposal->add_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
+	proposal->add_algorithm(proposal, ESP, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
+	proposal->add_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+	proposal->add_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+	proposal->add_algorithm(proposal, ESP, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
 	proposal->add_algorithm(proposal, ESP, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
 	proposal->add_algorithm(proposal, ESP, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 	
@@ -340,12 +339,14 @@ static void load_default_config (private_configuration_manager_t *this)
 	/* child proposal for bob */
 	proposal = proposal_create(1);
 	
-	proposal->add_algorithm(proposal, AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
-	proposal->add_algorithm(proposal, AH, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
-	proposal->add_algorithm(proposal, AH, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+// 	proposal->add_algorithm(proposal, AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+// 	proposal->add_algorithm(proposal, AH, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
+// 	proposal->add_algorithm(proposal, AH, INTEGRITY_ALGORITHM, AUTH_DES_MAC, 0);
+// 	proposal->add_algorithm(proposal, AH, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
+// 	proposal->add_algorithm(proposal, AH, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 
 	proposal->add_algorithm(proposal, ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
-	proposal->add_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20);
+	proposal->add_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
 	proposal->add_algorithm(proposal, ESP, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
 	proposal->add_algorithm(proposal, ESP, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 	
diff --git a/Source/charon/config/proposal.c b/Source/charon/config/proposal.c
index 528cf9808..a547583d9 100644
--- a/Source/charon/config/proposal.c
+++ b/Source/charon/config/proposal.c
@@ -339,6 +339,7 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 	protocol_proposal_t *this_prop, *other_prop;
 	protocol_id_t proto;
 	bool add;
+	u_int64_t spi;
 	
 	/* empty proposal? no match */
 	if (this->protocol_proposals->get_count(this->protocol_proposals) == 0 ||
@@ -443,6 +444,19 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
 		}
 	}
 	iterator->destroy(iterator);
+	
+	/* apply spis from "other" */
+	spi = other->public.get_spi(&(other->public), AH);
+	if (spi)
+	{
+		selected->set_spi(selected, AH, spi);
+	}
+	spi = other->public.get_spi(&(other->public), ESP);
+	if (spi)
+	{
+		selected->set_spi(selected, ESP, spi);
+	}
+	
 	/* everything matched, return new proposal */
 	return selected;
 }
@@ -487,7 +501,7 @@ static void set_spi(private_proposal_t *this, protocol_id_t proto, u_int64_t spi
 	protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE);
 	if (proto_proposal)
 	{
-		if (proto == IKE)
+		if (proto == AH || proto == ESP)
 		{
 			*((u_int32_t*)proto_proposal->spi.ptr) = (u_int32_t)spi;
 		}
@@ -495,7 +509,6 @@ static void set_spi(private_proposal_t *this, protocol_id_t proto, u_int64_t spi
 		{
 			*((u_int64_t*)proto_proposal->spi.ptr) = spi;
 		}
-		
 	}
 }
 
@@ -507,7 +520,7 @@ static u_int64_t get_spi(private_proposal_t *this, protocol_id_t proto)
 	protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE);
 	if (proto_proposal)
 	{
-		if (proto == IKE)
+		if (proto == AH || proto == ESP)
 		{
 			return (u_int64_t)*((u_int32_t*)proto_proposal->spi.ptr);
 		}
diff --git a/Source/charon/encoding/generator.c b/Source/charon/encoding/generator.c
index a036b8ed4..ff72190dd 100644
--- a/Source/charon/encoding/generator.c
+++ b/Source/charon/encoding/generator.c
@@ -341,7 +341,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
 				u_int8_t low_val = *(this->out_position) & 0x0F;
 				/* highval is set, low_val is not changed */
 				*(this->out_position) = high_val | low_val;
-				this->logger->log(this->logger, RAW|LEVEL2, "   => 0x%x", *(this->out_position));
+				this->logger->log(this->logger, RAW|LEVEL2, "   => %d", *(this->out_position));
 				/* write position is not changed, just bit position is moved */
 				this->current_bit = 4;
 			}
@@ -352,7 +352,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
 				/* lowval of current byte in buffer has to be set to the new value*/
 				u_int low_val = *((u_int8_t *)(this->data_struct + offset)) & 0x0F;
 				*(this->out_position) = high_val | low_val;
-				this->logger->log(this->logger, RAW|LEVEL2, "   => 0x%x", *(this->out_position));
+				this->logger->log(this->logger, RAW|LEVEL2, "   => %d", *(this->out_position));
 				this->out_position++;
 				this->current_bit = 0;
 
@@ -370,7 +370,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
 		{
 			/* 8 bit values are written as they are */
 			*this->out_position = *((u_int8_t *)(this->data_struct + offset));
-			this->logger->log(this->logger, RAW|LEVEL2, "   => 0x%x", *(this->out_position));
+			this->logger->log(this->logger, RAW|LEVEL2, "   => %d", *(this->out_position));
 			this->out_position++;
 			break;
 
@@ -392,7 +392,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
 			int16_val = int16_val & 0xFF7F;
 			
 			int16_val = int16_val | attribute_format_flag;
-			this->logger->log(this->logger, RAW|LEVEL2, "   => 0x%x", int16_val);
+			this->logger->log(this->logger, RAW|LEVEL2, "   => %d", int16_val);
 			/* write bytes to buffer (set bit is overwritten)*/				
 			this->write_bytes_to_buffer(this,&int16_val,sizeof(u_int16_t));
 			this->current_bit = 0;
@@ -516,7 +516,7 @@ static void generate_flag (private_generator_t *this,u_int32_t offset)
 	*(this->out_position) = *(this->out_position) | flag;
 	
 	
-	this->logger->log(this->logger, RAW|LEVEL2, "   => 0x0%x", *(this->out_position));
+	this->logger->log(this->logger, RAW|LEVEL2, "   => %d", *(this->out_position));
 
 	this->current_bit++;
 	if (this->current_bit >= 8)
@@ -1017,6 +1017,8 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				return;
 		}
 	}
+	this->logger->log(this->logger, CONTROL|LEVEL2, "generating %s payload finished.", 
+					  mapping_find(payload_type_m, payload_type));
 	this->logger->log_bytes(this->logger, RAW|LEVEL3, "generated data for this payload",
 							payload_start, this->out_position-payload_start);
 }
diff --git a/Source/charon/encoding/payloads/encryption_payload.c b/Source/charon/encoding/payloads/encryption_payload.c
index bd720ea4f..8cbf5566c 100644
--- a/Source/charon/encoding/payloads/encryption_payload.c
+++ b/Source/charon/encoding/payloads/encryption_payload.c
@@ -289,6 +289,7 @@ static status_t encrypt(private_encryption_payload_t *this)
 	this->generate(this);
 	
 	this->logger->log(this->logger, CONTROL|LEVEL2, "encrypting payloads");
+	this->logger->log_chunk(this->logger, RAW|LEVEL2, "data to encrypt", &this->decrypted);
 	
 	/* build padding */
 	block_size = this->crypter->get_block_size(this->crypter);
@@ -307,6 +308,8 @@ static status_t encrypt(private_encryption_payload_t *this)
 	iv.len = block_size;
 	randomizer->allocate_pseudo_random_bytes(randomizer, iv.len, &iv);
 	randomizer->destroy(randomizer);
+	
+	this->logger->log_chunk(this->logger, RAW|LEVEL2, "data before encryption with padding", &to_crypt);
 		
 	/* encrypt to_crypt chunk */
 	allocator_free(this->encrypted.ptr);
@@ -319,6 +322,8 @@ static status_t encrypt(private_encryption_payload_t *this)
 		allocator_free(iv.ptr);
 		return status;
 	}
+	this->logger->log_chunk(this->logger, RAW|LEVEL2, "data after encryption", &result);
+	
 	
 	/* build encrypted result with iv and signature */
 	this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
@@ -331,6 +336,8 @@ static status_t encrypt(private_encryption_payload_t *this)
 	
 	allocator_free(result.ptr);
 	allocator_free(iv.ptr);
+	this->logger->log_chunk(this->logger, RAW|LEVEL2, "data after encryption with IV and (invalid) signature", &this->encrypted);
+	
 	return SUCCESS;
 }
 
@@ -345,6 +352,8 @@ static status_t decrypt(private_encryption_payload_t *this)
 	
 	
 	this->logger->log(this->logger, CONTROL|LEVEL2, "decrypting encryption payload");
+	this->logger->log_chunk(this->logger, RAW|LEVEL2, "data before decryption with IV and (invalid) signature", &this->encrypted);
+	
 	
 	if (this->signer == NULL || this->crypter == NULL)
 	{
@@ -373,12 +382,16 @@ static status_t decrypt(private_encryption_payload_t *this)
 	/* free previus data, if any */
 	allocator_free(this->decrypted.ptr);
 	
+	this->logger->log_chunk(this->logger, RAW|LEVEL2, "data before decryption", &concatenated);
+	
 	status = this->crypter->decrypt(this->crypter, concatenated, iv, &(this->decrypted));
 	if (status != SUCCESS)
 	{
 		this->logger->log(this->logger, ERROR|LEVEL1, "could not decrypt, decryption failed");
 		return FAILED;
 	}
+	this->logger->log_chunk(this->logger, RAW|LEVEL2, "data after decryption with padding", &this->decrypted);
+	
 	
 	/* get padding length, sits just bevore signature */
 	padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
@@ -396,6 +409,7 @@ static status_t decrypt(private_encryption_payload_t *this)
 	
 	/* free padding */
 	this->decrypted.ptr = allocator_realloc(this->decrypted.ptr, this->decrypted.len);
+	this->logger->log_chunk(this->logger, RAW|LEVEL2, "data after decryption without padding", &this->decrypted);
 	this->logger->log(this->logger, CONTROL|LEVEL2, "decryption successful, trying to parse content");
 	return (this->parse(this));
 }
diff --git a/Source/charon/encoding/payloads/proposal_substructure.c b/Source/charon/encoding/payloads/proposal_substructure.c
index 2cf96fbb6..922dde40d 100644
--- a/Source/charon/encoding/payloads/proposal_substructure.c
+++ b/Source/charon/encoding/payloads/proposal_substructure.c
@@ -226,6 +226,7 @@ static void set_next_type(private_proposal_substructure_t *this,payload_type_t t
  */
 static size_t get_length(private_proposal_substructure_t *this)
 {
+	this->compute_length(this);
 	return this->proposal_length;
 }
 
@@ -384,9 +385,8 @@ static void compute_length (private_proposal_substructure_t *this)
 	iterator->destroy(iterator);
 	
 	length += this->spi.len;
-	this->transforms_count= transforms_count;
-	this->proposal_length = length;	
-
+	this->transforms_count = transforms_count;
+	this->proposal_length = length;
 }
 
 /**
@@ -411,8 +411,8 @@ static size_t get_spi_size (private_proposal_substructure_t *this)
 void add_to_proposal(private_proposal_substructure_t *this, proposal_t *proposal)
 {
 	iterator_t *iterator = this->transforms->create_iterator(this->transforms, TRUE);
+	u_int32_t spi;
 	
-	proposal->set_spi(proposal, this->protocol_id, *((u_int32_t*)this->spi.ptr));
 	
 	while (iterator->has_next(iterator))
 	{
@@ -430,6 +430,10 @@ void add_to_proposal(private_proposal_substructure_t *this, proposal_t *proposal
 		proposal->add_algorithm(proposal, this->protocol_id, transform_type, transform_id, key_length);
 	}
 	iterator->destroy(iterator);
+	
+	spi = *((u_int32_t*)this->spi.ptr);
+	
+	proposal->set_spi(proposal, this->protocol_id, spi);
 }
 
 /**
@@ -561,14 +565,6 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
 	algorithm_t *algo;
 	transform_substructure_t *transform;
 	
-	/* take over general infos */
-	this->spi_size = proto == IKE ? 8 : 4;
-	this->spi.len = this->spi_size;
-	this->spi.ptr = allocator_alloc(this->spi_size);
-	*((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal, proto);
-	this->proposal_number = proposal->get_number(proposal);
-	this->protocol_id = proto;
-	
 	/* encryption algorithm is only availble in ESP */
 	iterator = proposal->create_algorithm_iterator(proposal, proto, ENCRYPTION_ALGORITHM);
 	while (iterator->has_next(iterator))
@@ -623,5 +619,13 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
 	}
 	iterator->destroy(iterator);
 	
+	/* take over general infos */
+	this->spi_size = proto == IKE ? 8 : 4;
+	this->spi.len = this->spi_size;
+	this->spi.ptr = allocator_alloc(this->spi_size);
+	*((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal, proto);
+	this->proposal_number = proposal->get_number(proposal);
+	this->protocol_id = proto;
+	
 	return &(this->public);
 }
diff --git a/Source/charon/encoding/payloads/transform_substructure.c b/Source/charon/encoding/payloads/transform_substructure.c
index e2f368fd8..9b0bbf4ed 100644
--- a/Source/charon/encoding/payloads/transform_substructure.c
+++ b/Source/charon/encoding/payloads/transform_substructure.c
@@ -343,7 +343,6 @@ static void compute_length (private_transform_substructure_t *this)
 	iterator->destroy(iterator);
 	
 	this->transform_length = length;
-		
 }
 
 /**
@@ -476,20 +475,13 @@ transform_substructure_t *transform_substructure_create_type(transform_type_t tr
 	transform->set_transform_type(transform,transform_type);
 	transform->set_transform_id(transform,transform_id);
 	
-	switch (transform_type)
+	/* a keylength attribute is only created for AES encryption */
+	if (transform_type == ENCRYPTION_ALGORITHM &&
+		transform_id == ENCR_AES_CBC)
 	{
-		case ENCRYPTION_ALGORITHM:
-		case PSEUDO_RANDOM_FUNCTION:
-		case INTEGRITY_ALGORITHM:
-		{
-			transform_attribute_t *attribute = transform_attribute_create_key_length(key_length);
-			transform->add_transform_attribute(transform,attribute);
-			break;
-		}
-		default:
-		{
-			/* no keylength attribute is created */
-		}
-	}	
+		transform_attribute_t *attribute = transform_attribute_create_key_length(key_length);
+		transform->add_transform_attribute(transform,attribute);		
+	}
+
 	return transform;
 }
diff --git a/Source/charon/sa/child_sa.c b/Source/charon/sa/child_sa.c
index 2c4624310..6754e8022 100644
--- a/Source/charon/sa/child_sa.c
+++ b/Source/charon/sa/child_sa.c
@@ -39,14 +39,29 @@ struct private_child_sa_t {
 	child_sa_t public;
 	
 	/**
-	 * CHILD_SAs own logger
+	 * IP of this peer
 	 */
-	logger_t *logger;
+	host_t *me;
 	
 	/**
-	 * Protocols used in this SA
+	 * IP of other peer
 	 */
-	protocol_id_t protocols[2];
+	host_t *other;
+	
+	/**
+	 * Security parameter index for AH protocol, 0 if not used
+	 */
+	u_int32_t ah_spi;
+	
+	/**
+	 * Security parameter index for ESP protocol, 0 if not used
+	 */
+	u_int32_t esp_spi;
+	
+	/**
+	 * CHILD_SAs own logger
+	 */
+	logger_t *logger;
 };
 
 
@@ -59,65 +74,271 @@ static u_int32_t get_spi(private_child_sa_t *this)
 }
 
 /**
- * Implementation of child_sa_t.destroy.
+ * Implements child_sa_t.alloc
  */
-static void destroy(private_child_sa_t *this)
+static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
 {
-	charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
-	allocator_free(this);
+	protocol_id_t protocols[2];
+	iterator_t *iterator;
+	proposal_t *proposal;
+	status_t status;
+	u_int i;
+	
+	/* iterator through proposals */
+	iterator = proposals->create_iterator(proposals, TRUE);
+	while(iterator->has_next(iterator))
+	{
+		iterator->current(iterator, (void**)&proposal);
+		proposal->get_protocols(proposal, protocols);
+	
+		/* check all protocols */
+		for (i = 0; i<2; i++)
+		{
+			switch (protocols[i])
+			{
+				case AH:
+					/* do we already have an spi for AH?*/
+					if (this->ah_spi == 0)
+					{
+						/* nope, get one */
+						status = charon->kernel_interface->get_spi(
+											charon->kernel_interface,
+											this->me, this->other,
+											AH, FALSE,
+											&(this->ah_spi));
+					}
+					/* update proposal */
+					proposal->set_spi(proposal, AH, (u_int64_t)this->ah_spi);
+					break;
+				case ESP:
+					/* do we already have an spi for ESP?*/
+					if (this->esp_spi == 0)
+					{
+						/* nope, get one */
+						status = charon->kernel_interface->get_spi(
+											charon->kernel_interface,
+											this->me, this->other,
+											ESP, FALSE,
+											&(this->esp_spi));
+					}
+					/* update proposal */
+					proposal->set_spi(proposal, ESP, (u_int64_t)this->esp_spi);
+					break;
+				default:
+					break;
+			}
+			if (status != SUCCESS)
+			{
+				iterator->destroy(iterator);
+				return FAILED;
+			}
+		}
+	}
+	iterator->destroy(iterator);
+	return SUCCESS;
 }
 
-/*
- * Described in header.
- */
-child_sa_t * child_sa_create(proposal_t *proposal, prf_plus_t *prf_plus)
+static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus, bool mine)
 {
-	private_child_sa_t *this = allocator_alloc_thing(private_child_sa_t);
+	protocol_id_t protocols[2];
+	u_int32_t spi;
+	encryption_algorithm_t enc_algo;
+	integrity_algorithm_t int_algo;
+	chunk_t enc_key, int_key;
+	algorithm_t *algo;
+	crypter_t *crypter;
+	signer_t *signer;
+	size_t key_size;
+	host_t *src;
+	host_t *dst;
+	status_t status;
 	u_int i;
-
-	/* public functions */
-	this->public.get_spi = (u_int32_t(*)(child_sa_t*))get_spi;
-	this->public.destroy = (void(*)(child_sa_t*))destroy;
-
-	/* private data */
-	this->logger = charon->logger_manager->create_logger(charon->logger_manager, CHILD_SA, NULL);
-	proposal->get_protocols(proposal, this->protocols);
 	
-	/* derive keys */
+	/* we must assign the roles to correctly set up the SAs */
+ 	if (mine)
+ 	{
+ 		src = this->me;
+ 		dst = this->other;
+ 	}
+ 	else
+ 	{
+ 		dst = this->me;
+ 		src = this->other;
+ 	}
+	
+	proposal->get_protocols(proposal, protocols);
+	/* derive keys in order as protocols appear */
 	for (i = 0; i<2; i++)
 	{
-		if (this->protocols[i] != UNDEFINED_PROTOCOL_ID)
+		if (protocols[i] != UNDEFINED_PROTOCOL_ID)
 		{
-			algorithm_t *algo;
-			chunk_t key;
 			
-			/* get encryption key */
-			if (proposal->get_algorithm(proposal, this->protocols[i], ENCRYPTION_ALGORITHM, &algo))
+			/* now we have to decide which spi to use. Use self allocated, if "mine",
+			 * or the one in the proposal, if not "mine" (others). */
+			if (mine)
+			{
+				if (protocols[i] == AH)
+				{
+					spi = this->ah_spi;
+				}
+				else
+				{
+					spi = this->esp_spi;
+				}
+			}
+			else /* use proposals spi */
+			{
+				spi = proposal->get_spi(proposal, protocols[i]);
+			}
+			
+			/* derive encryption key first */
+			if (proposal->get_algorithm(proposal, protocols[i], ENCRYPTION_ALGORITHM, &algo))
 			{
-				this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s, ",
-								  mapping_find(protocol_id_m, this->protocols[i]),
+				enc_algo = algo->algorithm;
+				this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s, ",
+								  mapping_find(protocol_id_m, protocols[i]),
+								  mine ? "me" : "other",
 								  mapping_find(transform_type_m, ENCRYPTION_ALGORITHM),
-								  mapping_find(encryption_algorithm_m, algo->algorithm));
+								  mapping_find(encryption_algorithm_m, enc_algo));
 				
-				prf_plus->allocate_bytes(prf_plus, algo->key_size, &key);
-				this->logger->log_chunk(this->logger, PRIVATE, "key:", &key);
-				allocator_free_chunk(&key);
+				/* we must create a (unused) crypter, since its the only way to get the size
+				 * of the key. This is not so nice, since charon must support all algorithms
+				 * the kernel supports...
+				 * TODO: build something of a encryption algorithm lookup function 
+				 */
+				crypter = crypter_create(enc_algo, algo->key_size);
+				key_size = crypter->get_key_size(crypter);
+				crypter->destroy(crypter);
+				prf_plus->allocate_bytes(prf_plus, key_size, &enc_key);
+				this->logger->log_chunk(this->logger, PRIVATE, "key:", &enc_key);
+			}
+			else
+			{
+				enc_algo = ENCR_UNDEFINED;
 			}
 			
-			/* get integrity key */
-			if (proposal->get_algorithm(proposal, this->protocols[i], INTEGRITY_ALGORITHM, &algo))
+			/* derive integrity key */
+			if (proposal->get_algorithm(proposal, protocols[i], INTEGRITY_ALGORITHM, &algo))
 			{
-				this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s,",
-								  mapping_find(protocol_id_m, this->protocols[i]),
+				int_algo = algo->algorithm;
+				this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s,",
+								  mapping_find(protocol_id_m, protocols[i]),
+								  mine ? "me" : "other",
 								  mapping_find(transform_type_m, INTEGRITY_ALGORITHM),
 								  mapping_find(integrity_algorithm_m, algo->algorithm));
 				
-				prf_plus->allocate_bytes(prf_plus, algo->key_size, &key);
-				this->logger->log_chunk(this->logger, PRIVATE, "key:", &key);
-				allocator_free_chunk(&key);
+				signer = signer_create(int_algo);
+				key_size = signer->get_key_size(signer);
+				signer->destroy(signer);
+				prf_plus->allocate_bytes(prf_plus, key_size, &int_key);
+				this->logger->log_chunk(this->logger, PRIVATE, "key:", &int_key);
+			}
+			else
+			{
+				int_algo = AUTH_UNDEFINED;
+			}
+			/* send keys down to kernel */
+			this->logger->log(this->logger, CONTROL|LEVEL1, 
+							  "installing 0x%.8x for %s, src %s dst %s",
+							  ntohl(spi), mapping_find(protocol_id_m, protocols[i]), 
+							  src->get_address(src), dst->get_address(dst));
+			status = charon->kernel_interface->add_sa(charon->kernel_interface,
+													  src, dst,
+													  spi, protocols[i], FALSE,
+													  enc_algo, enc_key,
+													  int_algo, int_key, mine);
+			/* clean up for next round */
+			if (enc_algo != ENCR_UNDEFINED)
+			{
+				allocator_free_chunk(&enc_key);
 			}
+			if (int_algo != AUTH_UNDEFINED)
+			{
+				allocator_free_chunk(&int_key);
+			}
+			
+			if (status != SUCCESS)
+			{
+				return FAILED;
+			}
+			
 		}
 	}
+	return SUCCESS;
+}
+
+static status_t add(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus)
+{
+	linked_list_t *list;
+	
+	/* install others (initiators) SAs*/
+	if (install(this, proposal, prf_plus, FALSE) != SUCCESS)
+	{
+		return FAILED;
+	}
+	
+	/* get SPIs for our SAs */
+	list = linked_list_create();
+	list->insert_last(list, proposal);
+	if (alloc(this, list) != SUCCESS)
+	{
+		list->destroy(list);
+		return FAILED;
+	}
+	list->destroy(list);
+	
+	/* install our (responders) SAs */
+	if (install(this, proposal, prf_plus, TRUE) != SUCCESS)
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+static status_t update(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus)
+{
+	/* install our (initator) SAs */
+	if (install(this, proposal, prf_plus, TRUE) != SUCCESS)
+	{
+		return FAILED;
+	}
+	/* install his (responder) SAs */
+	if (install(this, proposal, prf_plus, FALSE) != SUCCESS)
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of child_sa_t.destroy.
+ */
+static void destroy(private_child_sa_t *this)
+{
+	charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
+	allocator_free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_sa_t * child_sa_create(host_t *me, host_t* other)
+{
+	private_child_sa_t *this = allocator_alloc_thing(private_child_sa_t);
+
+	/* public functions */
+	this->public.get_spi = (u_int32_t(*)(child_sa_t*))get_spi;
+	this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
+	this->public.add = (status_t(*)(child_sa_t*,proposal_t*,prf_plus_t*))add;
+	this->public.update = (status_t(*)(child_sa_t*,proposal_t*,prf_plus_t*))update;
+	this->public.destroy = (void(*)(child_sa_t*))destroy;
+
+	/* private data */
+	this->logger = charon->logger_manager->create_logger(charon->logger_manager, CHILD_SA, NULL);
+	this->me = me;
+	this->other = other;
+	this->ah_spi = 0;
+	this->esp_spi = 0;
 	
 	return (&this->public);
 }
diff --git a/Source/charon/sa/child_sa.h b/Source/charon/sa/child_sa.h
index bde032b74..260c4f29c 100644
--- a/Source/charon/sa/child_sa.h
+++ b/Source/charon/sa/child_sa.h
@@ -50,6 +50,11 @@ struct child_sa_t {
 	 * @return 			4 Byte SPI value
 	 */
 	u_int32_t (*get_spi) (child_sa_t *this);
+	
+	
+	status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
+	status_t (*add)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
+	status_t (*update)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
 
 	/**
 	 * @brief Destroys a child_sa.
@@ -67,6 +72,6 @@ struct child_sa_t {
  * @return				child_sa_t object
  * @ingroup sa
  */
-child_sa_t * child_sa_create(proposal_t *proposal, prf_plus_t *prf_plus);
+child_sa_t * child_sa_create(host_t *me, host_t *other);
 
 #endif /*_CHILD_SA_H_*/
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index ac617faef..55c03ef92 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
@@ -417,7 +417,7 @@ status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
  */
 static void set_new_state (private_ike_sa_t *this, state_t *state)
 {
-	this->logger->log(this->logger, CONTROL, "Change current state %s to %s",
+	this->logger->log(this->logger, CONTROL, "statechange: %s => %s",
 					  mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),
 					  mapping_find(ike_sa_state_m,state->get_state(state)));
 	this->current_state = state;
@@ -964,6 +964,14 @@ static ike_sa_state_t get_state (private_ike_sa_t *this)
 }
 
 /**
+ * Implementation of protected_ike_sa_t.get_state.
+ */
+static void add_child_sa (private_ike_sa_t *this, child_sa_t *child_sa)
+{
+	this->child_sas->insert_last(this->child_sas, child_sa);
+}
+
+/**
  * Implementation of protected_ike_sa_t.reset_message_buffers.
  */
 static void reset_message_buffers (private_ike_sa_t *this)
@@ -1008,21 +1016,17 @@ static void create_delete_established_ike_sa_job (private_ike_sa_t *this,u_int32
  */
 static void destroy (private_ike_sa_t *this)
 {
+	child_sa_t *child_sa;
+	
 	this->logger->log(this->logger, CONTROL|LEVEL2, "Going to destroy IKE SA %llu:%llu, role %s", 
 					  this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
 					  this->ike_sa_id->get_responder_spi(this->ike_sa_id),
 					  this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
 
 	/* destroy child sa's */
-	this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy all child_sa's");
-	while (this->child_sas->get_count(this->child_sas) > 0)
+	while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
 	{
-		void *child_sa;
-		if (this->child_sas->remove_first(this->child_sas, &child_sa) != SUCCESS)
-		{
-			break;
-		}
-		/* destroy child sa */
+		child_sa->destroy(child_sa);
 	}
 	this->child_sas->destroy(this->child_sas);
 	
@@ -1134,7 +1138,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->protected.get_child_prf = (prf_t *(*) (protected_ike_sa_t *)) get_child_prf;
 	this->protected.get_prf_auth_i = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_i;
 	this->protected.get_prf_auth_r = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_r;
-	this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;		
+	this->protected.add_child_sa = (void (*) (protected_ike_sa_t*,child_sa_t*)) add_child_sa;
+	this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;
 	this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config;
 	this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config;
 	this->protected.set_sa_config = (void (*) (protected_ike_sa_t *,sa_config_t *)) set_sa_config;
diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h
index f5591a00b..b15a8eaab 100644
--- a/Source/charon/sa/ike_sa.h
+++ b/Source/charon/sa/ike_sa.h
@@ -27,10 +27,11 @@
 #include <encoding/message.h>
 #include <encoding/payloads/proposal_substructure.h>
 #include <sa/ike_sa_id.h>
+#include <sa/child_sa.h>
+#include <sa/states/state.h>
 #include <config/configuration_manager.h>
 #include <utils/logger.h>
 #include <utils/randomizer.h>
-#include <sa/states/state.h>
 #include <transforms/prfs/prf.h>
 #include <transforms/crypters/crypter.h>
 #include <transforms/signers/signer.h>
@@ -388,6 +389,14 @@ struct protected_ike_sa_t {
 	prf_t *(*get_prf_auth_r) (protected_ike_sa_t *this);
 	
 	/**
+	 * @brief Associates a child SA to this IKE SA
+	 * 
+	 * @param this 				calling object
+	 * @param child_sa			child_sa to add
+	 */
+	void (*add_child_sa) (protected_ike_sa_t *this, child_sa_t *child_sa);
+	
+	/**
 	 * @brief Get the last responded message.
 	 *  
 	 * @param this 				calling object
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index e6559319c..328971579 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -71,6 +71,11 @@ struct private_ike_auth_requested_t {
 	 * IKE_SA_INIT-Request in binary form.
 	 */
 	chunk_t ike_sa_init_reply_data;
+	
+	/**
+	 * Child sa created in ike_sa_init_requested
+	 */
+	child_sa_t *child_sa;
 	 
 	/**
 	 * Assigned Logger.
@@ -136,6 +141,16 @@ struct private_ike_auth_requested_t {
 	 * 						- DELETE_ME
 	 */
 	status_t (*process_notify_payload) (private_ike_auth_requested_t *this, notify_payload_t *notify_payload);
+	
+	/**
+	 * Destroy function called internally of this class after state change to 
+	 * state IKE_SA_ESTABLISHED succeeded. 
+	 * 
+	 * This destroy function does not destroy objects which were passed to the new state.
+	 * 
+	 * @param this		calling object
+	 */
+	void (*destroy_after_state_change) (private_ike_auth_requested_t *this);
 };
 
 
@@ -288,7 +303,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
 						
 	this->ike_sa->create_delete_established_ike_sa_job(this->ike_sa,this->sa_config->get_ike_sa_lifetime(this->sa_config));
 	this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
-	this->public.state_interface.destroy(&(this->public.state_interface));
+	this->destroy_after_state_change(this);
 	return SUCCESS;
 }
 
@@ -328,7 +343,6 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
 {
 	proposal_t *proposal, *proposal_tmp;
 	linked_list_t *proposal_list;
-	child_sa_t *child_sa;
 	chunk_t seed;
 	prf_plus_t *prf_plus;
 	
@@ -377,10 +391,19 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
 	prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
 	allocator_free_chunk(&seed);
 	
-	child_sa = child_sa_create(proposal, prf_plus);
-	prf_plus->destroy(prf_plus);
-	child_sa->destroy(child_sa);
+	if (this->child_sa)
+	{
+		if (this->child_sa->update(this->child_sa, proposal, prf_plus) != SUCCESS)
+		{
+			this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA");
+			prf_plus->destroy(prf_plus);
+			proposal->destroy(proposal);
+			return DELETE_ME;
+		}
+		this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
+	}
 	
+	prf_plus->destroy(prf_plus);
 	proposal->destroy(proposal);
 	
 	return SUCCESS;
@@ -524,6 +547,20 @@ static void destroy(private_ike_auth_requested_t *this)
 {
 	allocator_free_chunk(&(this->received_nonce));
 	allocator_free_chunk(&(this->sent_nonce));
+	allocator_free_chunk(&(this->ike_sa_init_reply_data));
+	if (this->child_sa)
+	{
+		this->child_sa->destroy(this->child_sa);
+	}
+	allocator_free(this);
+}
+/**
+ * Implements protected_ike_sa_t.destroy_after_state_change
+ */
+static void destroy_after_state_change(private_ike_auth_requested_t *this)
+{
+	allocator_free_chunk(&(this->received_nonce));
+	allocator_free_chunk(&(this->sent_nonce));
 	allocator_free_chunk(&(this->ike_sa_init_reply_data));	
 	allocator_free(this);
 }
@@ -531,7 +568,7 @@ static void destroy(private_ike_auth_requested_t *this)
 /* 
  * Described in header.
  */
-ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_reply_data)
+ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_reply_data, child_sa_t *child_sa)
 {
 	private_ike_auth_requested_t *this = allocator_alloc_thing(private_ike_auth_requested_t);
 
@@ -541,12 +578,12 @@ ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk
 	this->public.state_interface.destroy  = (void (*) (state_t *)) destroy;
 	
 	/* private functions */
-	
 	this->process_idr_payload = process_idr_payload;
 	this->process_sa_payload = process_sa_payload;
 	this->process_auth_payload = process_auth_payload;
 	this->process_ts_payload = process_ts_payload;
 	this->process_notify_payload = process_notify_payload;
+	this->destroy_after_state_change = destroy_after_state_change;
 	
 	/* private data */
 	this->ike_sa = ike_sa;
@@ -554,6 +591,7 @@ ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk
 	this->sent_nonce = sent_nonce;
 	this->ike_sa_init_reply_data = ike_sa_init_reply_data;
 	this->logger = this->ike_sa->get_logger(this->ike_sa);
+	this->child_sa = child_sa;
 	
 	return &(this->public);
 }
diff --git a/Source/charon/sa/states/ike_auth_requested.h b/Source/charon/sa/states/ike_auth_requested.h
index 34b948856..a8eef014c 100644
--- a/Source/charon/sa/states/ike_auth_requested.h
+++ b/Source/charon/sa/states/ike_auth_requested.h
@@ -41,8 +41,6 @@ typedef struct ike_auth_requested_t ike_auth_requested_t;
  * 
  * @todo handle certificate payloads
  * 
- * @todo setup child SAs, if requested
- * 
  * @ingroup states
  */
 struct ike_auth_requested_t {
@@ -60,6 +58,7 @@ struct ike_auth_requested_t {
  * @param sent_nonce				Sent nonce value in IKE_SA_INIT request
  * @param received_nonce			Received nonce value in IKE_SA_INIT response
  * @param ike_sa_init_reply_data	binary representation of IKE_SA_INIT reply 
+ * @param child_sa					opened but not completed child_sa
  * @return							created ike_auth_requested_t object
  * 
  * @ingroup states
@@ -67,6 +66,7 @@ struct ike_auth_requested_t {
 ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,
 												chunk_t sent_nonce,
 												chunk_t received_nonce,
-												chunk_t ike_sa_init_reply_data);
+												chunk_t ike_sa_init_reply_data,
+												child_sa_t *child_sa);
 
 #endif /*IKE_AUTH_REQUESTED_H_*/
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index 327eb2d7c..55f38883f 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -80,6 +80,11 @@ struct private_ike_sa_init_requested_t {
 	chunk_t ike_sa_init_request_data;
 	
 	/**
+	 * Created child sa, if any
+	 */
+	child_sa_t *child_sa;
+	
+	/**
 	 * Assigned logger
 	 * 
 	 * Is logger of ike_sa!
@@ -187,8 +192,6 @@ struct private_ike_sa_init_requested_t {
 	 * Destroy function called internally of this class after state change to 
 	 * state IKE_AUTH_REQUESTED succeeded. 
 	 * 
-	 * In case of state change to INITIATOR_INIT the default destroy function gets called.
-	 * 
 	 * This destroy function does not destroy objects which were passed to the new state.
 	 * 
 	 * @param this		calling object
@@ -383,7 +386,8 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 	ike_sa_init_reply_data = ike_sa_init_reply->get_packet_data(ike_sa_init_reply);
 
 	/* state can now be changed */
-	next_state = ike_auth_requested_create(this->ike_sa,this->sent_nonce,this->received_nonce,ike_sa_init_reply_data);
+	next_state = ike_auth_requested_create(this->ike_sa, this->sent_nonce, this->received_nonce,
+										   ike_sa_init_reply_data, this->child_sa);
 	this->ike_sa->set_new_state(this->ike_sa,(state_t *) next_state);
 
 	this->destroy_after_state_change(this);
@@ -512,10 +516,22 @@ static status_t build_sa_payload (private_ike_sa_init_requested_t *this, message
 	/* get proposals form config, add to payload */
 	sa_config = this->ike_sa->get_sa_config(this->ike_sa);
 	proposal_list = sa_config->get_proposals(sa_config);
+	/* build child sa */
+	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
+									 this->ike_sa->get_other_host(this->ike_sa));
+	if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
+	{
+		this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA");
+		return DELETE_ME;
+	}
+	
+	/* TODO:
+	 * Huston, we've got a problem here. Since SPIs are stored in
+	 * the proposal, and these proposals are shared across configs,
+	 * there may be some threading issues... fix it!
+	 */
 	sa_payload = sa_payload_create_from_proposal_list(proposal_list);
 
-	/* TODO child sa stuff */
-
 	this->logger->log(this->logger, CONTROL|LEVEL2, "Add SA payload to message");
 	request->add_payload(request,(payload_t *) sa_payload);
 	
@@ -705,6 +721,10 @@ static void destroy(private_ike_sa_init_requested_t *this)
 	allocator_free(this->sent_nonce.ptr);
 	allocator_free(this->received_nonce.ptr);
 	allocator_free_chunk(&(this->ike_sa_init_request_data));
+	if (this->child_sa)
+	{
+		this->child_sa->destroy(this->child_sa);
+	}
 	if (this->proposal)
 	{
 		this->proposal->destroy(this->proposal);
@@ -743,6 +763,7 @@ ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa
 	this->diffie_hellman = diffie_hellman;
 	this->proposal = NULL;
 	this->sent_nonce = sent_nonce;
+	this->child_sa = NULL;
 	this->ike_sa_init_request_data = ike_sa_init_request_data;
 	
 	return &(this->public);
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 536041d0d..70baa5143 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -425,10 +425,6 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
 		return DELETE_ME;	
 	}
 	
-	/* create payload with selected propsal */
-	sa_response = sa_payload_create_from_proposal(proposal);
-	response->add_payload(response, (payload_t*)sa_response);
-	
 	/* install child SAs for AH and esp */
 	seed = allocator_alloc_as_chunk(this->received_nonce.len + this->sent_nonce.len);
 	memcpy(seed.ptr, this->received_nonce.ptr, this->received_nonce.len);
@@ -436,10 +432,22 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
 	prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
 	allocator_free_chunk(&seed);
 	
-	child_sa = child_sa_create(proposal, prf_plus);
-	prf_plus->destroy(prf_plus);
-	child_sa->destroy(child_sa);
+	child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
+							   this->ike_sa->get_other_host(this->ike_sa));
+	if (child_sa->add(child_sa, proposal, prf_plus) != SUCCESS)
+	{
+		this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA");
+		prf_plus->destroy(prf_plus);
+		proposal->destroy(proposal);
+		return DELETE_ME;
+	}
+	this->ike_sa->add_child_sa(this->ike_sa, child_sa);
+	
+	/* create payload with selected propsal */
+	sa_response = sa_payload_create_from_proposal(proposal);
+	response->add_payload(response, (payload_t*)sa_response);
 	
+	prf_plus->destroy(prf_plus);
 	proposal->destroy(proposal);	
 	return SUCCESS;
 }
diff --git a/Source/charon/testcases/Makefile.testcases b/Source/charon/testcases/Makefile.testcases
index a459e3221..e21b5c258 100644
--- a/Source/charon/testcases/Makefile.testcases
+++ b/Source/charon/testcases/Makefile.testcases
@@ -127,4 +127,8 @@ $(BUILD_DIR)rsa_test.o :			$(TESTCASES_DIR)rsa_test.c $(TESTCASES_DIR)rsa_test.h
 TEST_OBJS+= $(BUILD_DIR)kernel_interface_test.o
 $(BUILD_DIR)kernel_interface_test.o :	$(TESTCASES_DIR)kernel_interface_test.c $(TESTCASES_DIR)kernel_interface_test.h
 									$(CC) $(CFLAGS) -c -o $@ $<
+
+TEST_OBJS+= $(BUILD_DIR)child_sa_test.o
+$(BUILD_DIR)child_sa_test.o :		$(TESTCASES_DIR)child_sa_test.c $(TESTCASES_DIR)child_sa_test.h
+									$(CC) $(CFLAGS) -c -o $@ $<
 									
\ No newline at end of file
diff --git a/Source/charon/testcases/child_sa_test.c b/Source/charon/testcases/child_sa_test.c
new file mode 100644
index 000000000..09b49b78a
--- /dev/null
+++ b/Source/charon/testcases/child_sa_test.c
@@ -0,0 +1,102 @@
+/**
+ * @file child_sa_test.c
+ *
+ * @brief Tests for the child_sa_t class.
+ *
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_sa_test.h"
+
+#include <daemon.h>
+#include <sa/child_sa.h>
+#include <utils/allocator.h>
+#include <utils/logger.h>
+
+
+/**
+ * Described in header.
+ */
+void test_child_sa(protected_tester_t *tester)
+{
+	proposal_t *proposal1, *proposal2;
+	linked_list_t *list;
+	host_t *local_me, *remote_me;
+	host_t *local_other, *remote_other;
+	child_sa_t *local_sa, *remote_sa;
+	prf_plus_t *local_prf_plus, *remote_prf_plus;
+	prf_t *local_prf, *remote_prf;
+	u_int8_t key_buffer[] = {0x01,0x02,0x03,0x04};
+	chunk_t key = {key_buffer, sizeof(key_buffer)};
+	status_t status;
+	
+	/* setup test data */
+	local_me = host_create(AF_INET, "192.168.0.1", 0);
+	local_other = host_create(AF_INET, "192.168.0.2", 0);
+	remote_me = host_create(AF_INET, "192.168.0.3", 0);
+	remote_other = host_create(AF_INET, "192.168.0.4", 0);
+	
+	local_sa = child_sa_create(local_me, local_other);
+	remote_sa = child_sa_create(remote_me, remote_other);
+	
+	proposal1 = proposal_create(1);
+	proposal1->add_algorithm(proposal1, ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
+	
+	proposal2 = proposal_create(2);
+	proposal2->add_algorithm(proposal2, AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+	
+	list = linked_list_create();
+	list->insert_last(list, proposal1);
+	list->insert_last(list, proposal2);
+	
+	local_prf = prf_create(PRF_HMAC_SHA1);
+	remote_prf = prf_create(PRF_HMAC_SHA1);
+	local_prf->set_key(local_prf, key);
+	remote_prf->set_key(remote_prf, key);
+	local_prf_plus = prf_plus_create(local_prf, key);
+	remote_prf_plus = prf_plus_create(remote_prf, key);
+	
+	/* 
+	 * local plays initiator 
+	 ***********************
+	*/
+	status = local_sa->alloc(local_sa, list);
+	tester->assert_true(tester, status == SUCCESS, "spi allocation");
+	
+	status = remote_sa->add(remote_sa, proposal1, remote_prf_plus);
+	tester->assert_true(tester, status == SUCCESS, "sa add");
+	
+	status = local_sa->update(local_sa, proposal1, local_prf_plus);
+	tester->assert_true(tester, status == SUCCESS, "sa update");
+	
+	/* cleanup */
+	proposal1->destroy(proposal1);
+	proposal2->destroy(proposal2);
+	list->destroy(list);
+	local_prf->destroy(local_prf);
+	local_prf_plus->destroy(local_prf_plus);
+	remote_prf->destroy(remote_prf);
+	remote_prf_plus->destroy(remote_prf_plus);
+	local_sa->destroy(local_sa);
+	remote_sa->destroy(remote_sa);
+	local_me->destroy(local_me);
+	local_other->destroy(local_other);
+	remote_me->destroy(remote_me);
+	remote_other->destroy(remote_other);
+	
+	
+}
diff --git a/Source/charon/testcases/child_sa_test.h b/Source/charon/testcases/child_sa_test.h
new file mode 100644
index 000000000..00e4db163
--- /dev/null
+++ b/Source/charon/testcases/child_sa_test.h
@@ -0,0 +1,42 @@
+/**
+ * @file child_sa_test.h
+ *
+ * @brief Tests for the child_sa_t class.
+ *
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#ifndef CHILD_SA_TEST_H_
+#define CHILD_SA_TEST_H_
+
+#include <utils/tester.h>
+
+/**
+ * @brief Test function used to test the child_sa_t functionality.
+ *
+ * @param tester associated protected_tester_t object
+ * 
+ * @ingroup testcases
+ */
+void test_child_sa(protected_tester_t *tester);
+
+#endif //CHILD_SA_TEST_H_
+
+
+
+
diff --git a/Source/charon/testcases/init_config_test.c b/Source/charon/testcases/init_config_test.c
index 5e4506ab5..d75b00e66 100644
--- a/Source/charon/testcases/init_config_test.c
+++ b/Source/charon/testcases/init_config_test.c
@@ -32,9 +32,9 @@
 void test_init_config(protected_tester_t *tester)
 {
 	init_config_t *init_config = init_config_create("192.168.0.1","192.168.0.2",500,500);
-	proposal_t *prop1, *prop2, *prop3, *prop4, *selected_one;
+	proposal_t *prop1, *prop2, *prop3, *prop4;//, *selected_one;
 	linked_list_t *list;
-	status_t status;
+	//status_t status;
 
 	prop1 = proposal_create(1);
 	prop1->add_algorithm(prop1, IKE, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 20);
diff --git a/Source/charon/testcases/kernel_interface_test.c b/Source/charon/testcases/kernel_interface_test.c
index 2f26c807a..8eb2d5f52 100644
--- a/Source/charon/testcases/kernel_interface_test.c
+++ b/Source/charon/testcases/kernel_interface_test.c
@@ -65,10 +65,10 @@ void test_kernel_interface(protected_tester_t *tester)
 
 
 
-	//status = kernel_interface->get_spi(kernel_interface, me, other, 50, TRUE, &spi);
-	//tester->assert_true(tester, status == SUCCESS, "spi get");
+	status = kernel_interface->get_spi(kernel_interface, me, other, 50, FALSE, &spi);
+	tester->assert_true(tester, status == SUCCESS, "spi get");
 
-	status = kernel_interface->add_sa(kernel_interface, me, other, spi, 50, TRUE, ENCR_AES_CBC, enc_key,AUTH_HMAC_MD5_96,inc_key,TRUE);	
+	status = kernel_interface->add_sa(kernel_interface, me, other, spi, 50, FALSE, ENCR_AES_CBC, enc_key,AUTH_UNDEFINED,inc_key,TRUE);	
 	tester->assert_true(tester, status == SUCCESS, "build sa");
 	
 
diff --git a/Source/charon/testcases/testcases.c b/Source/charon/testcases/testcases.c
index af539cb4f..8c391ca33 100644
--- a/Source/charon/testcases/testcases.c
+++ b/Source/charon/testcases/testcases.c
@@ -61,6 +61,7 @@
 #include <testcases/proposal_test.h>
 #include <testcases/rsa_test.h>
 #include <testcases/kernel_interface_test.h>
+#include <testcases/child_sa_test.h>
 
 /* output for test messages */
 extern FILE * stderr;
@@ -126,6 +127,7 @@ test_t sa_config_test = {test_sa_config, "sa_config_t test"};
 test_t proposal_test = {test_proposal, "proposal_t test"};
 test_t rsa_test = {test_rsa, "RSA private/public key test"};
 test_t kernel_interface_test = {test_kernel_interface, "Kernel Interface"};
+test_t child_sa_test = {test_child_sa, "Child SA"};
 
 
 daemon_t* charon;
@@ -138,6 +140,7 @@ static void daemon_kill(daemon_t *this, char* none)
 	this->job_queue->destroy(this->job_queue);
 	this->event_queue->destroy(this->event_queue);
 	this->send_queue->destroy(this->send_queue);
+	this->kernel_interface->destroy(this->kernel_interface);
 	//this->configuration_manager->destroy(this->configuration_manager);
 	allocator_free(charon);
 }
@@ -160,6 +163,7 @@ daemon_t *daemon_create()
 	charon->job_queue = job_queue_create();
 	charon->event_queue = event_queue_create();
 	charon->send_queue = send_queue_create();
+	charon->kernel_interface = kernel_interface_create();
 	//charon->configuration_manager = configuration_manager_create(RETRANSMIT_TIMEOUT,MAX_RETRANSMIT_COUNT,HALF_OPEN_IKE_SA_TIMEOUT);
 	charon->sender = NULL;
 	charon->receiver = NULL;
@@ -237,6 +241,8 @@ int main()
 		&rsa_test,
 		NULL
 	};
+	/* get rid of compiler warning ;-) */
+	*all_tests = *all_tests;
 	
 	/* allocator needs initialization */
 	allocator_init();
@@ -244,13 +250,14 @@ int main()
 	daemon_create();
  
 	charon->logger_manager->disable_logger_level(charon->logger_manager,TESTER,FULL);
+	charon->logger_manager->enable_logger_level(charon->logger_manager,CHILD_SA,FULL);
 	/* charon->logger_manager->enable_logger_level(charon->logger_manager,TESTER,RAW); */
 	
 	tester_t *tester = tester_create(test_output, FALSE);
 	
 
-	tester->perform_tests(tester,all_tests);
-	//tester->perform_test(tester,&kernel_interface_test);
+	//tester->perform_tests(tester,all_tests);
+	tester->perform_test(tester,&child_sa_test);
 	
 	
 	tester->destroy(tester);
diff --git a/Source/charon/threads/kernel_interface.c b/Source/charon/threads/kernel_interface.c
index 4fba85cbd..f5273e100 100644
--- a/Source/charon/threads/kernel_interface.c
+++ b/Source/charon/threads/kernel_interface.c
@@ -40,6 +40,10 @@
 #include <utils/linked_list.h>
 
 
+#define KERNEL_ESP 50
+#define KERNEL_AH 51
+
+
 typedef struct netlink_message_t netlink_message_t;
 
 /**
@@ -83,48 +87,48 @@ struct private_kernel_interface_t {
 	/**
 	 * Public part of the kernel_interface_t object.
 	 */
- 	kernel_interface_t public;
- 	
- 	/**
- 	 * Netlink communication socket.
- 	 */
- 	int socket;
-
+	kernel_interface_t public;
+	
+	/**
+	 * Netlink communication socket.
+	 */
+	int socket;
+	
 	pid_t pid;
- 	/**
- 	 * Sequence number for messages.
- 	 */
- 	u_int32_t seq;
- 	
- 	/** 
- 	 * List of responded messages.
- 	 */
- 	linked_list_t *responses;
- 	
- 	/**
- 	 * Thread which receives messages.
- 	 */
- 	pthread_t thread;
- 	
- 	/**
- 	 * Mutex locks access to replies list.
- 	 */
- 	pthread_mutex_t mutex;
- 	
- 	/**
- 	 * Condvar allows signaling of threads waiting for a reply.
- 	 */
- 	pthread_cond_t condvar;
- 	
- 	/**
- 	 * Function for the thread, receives messages.
- 	 */
- 	void (*receive_messages) (private_kernel_interface_t *this);
- 	
- 	/**
- 	 * Sends a netlink_message_t down to the kernel and wait for reply.
- 	 */
- 	status_t (*send_message) (private_kernel_interface_t *this, netlink_message_t *request, netlink_message_t **response);
+	/**
+	 * Sequence number for messages.
+	 */
+	u_int32_t seq;
+	
+	/** 
+	 * List of responded messages.
+	 */
+	linked_list_t *responses;
+	
+	/**
+	 * Thread which receives messages.
+	 */
+	pthread_t thread;
+	
+	/**
+	 * Mutex locks access to replies list.
+	 */
+	pthread_mutex_t mutex;
+	
+	/**
+	 * Condvar allows signaling of threads waiting for a reply.
+	 */
+	pthread_cond_t condvar;
+	
+	/**
+	 * Function for the thread, receives messages.
+	 */
+	void (*receive_messages) (private_kernel_interface_t *this);
+	
+	/**
+	 * Sends a netlink_message_t down to the kernel and wait for reply.
+	 */
+	status_t (*send_message) (private_kernel_interface_t *this, netlink_message_t *request, netlink_message_t **response);
 };
 
 mapping_t kernel_encryption_algs_m[] = {
@@ -157,41 +161,42 @@ static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *d
 {
 	netlink_message_t request, *response;
 	
-    memset(&request, 0, sizeof(request));
-    request.hdr.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(request.spi)));
-    request.hdr.nlmsg_flags = NLM_F_REQUEST;
-    request.hdr.nlmsg_type = XFRM_MSG_ALLOCSPI;
+	memset(&request, 0, sizeof(request));
+	request.hdr.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(request.spi)));
+	request.hdr.nlmsg_flags = NLM_F_REQUEST;
+	request.hdr.nlmsg_type = XFRM_MSG_ALLOCSPI;
 	request.spi.info.saddr = src->get_xfrm_addr(src);
 	request.spi.info.id.daddr = dest->get_xfrm_addr(dest);
-    request.spi.info.mode = tunnel_mode;
-    request.spi.info.id.proto = protocol;
-    request.spi.info.family = PF_INET;
-    request.spi.min = 100;
-    request.spi.max = 200;
-
-   	if (this->send_message(this, &request, &response) != SUCCESS)
-   	{
-   		return FAILED;
-   	}
-    
-    if (response->hdr.nlmsg_type == NLMSG_ERROR)
-    {
-    	return FAILED;
-    }
-    
-    if (response->hdr.nlmsg_type != XFRM_MSG_NEWSA)
-    {
-    	return FAILED;
-    }
-    else if (response->hdr.nlmsg_len < NLMSG_LENGTH(sizeof(response->sa)))
-    {
+	request.spi.info.mode = tunnel_mode;
+	/* TODO: this should be done with getprotobyname() */
+	request.spi.info.id.proto = (protocol == ESP) ? KERNEL_ESP : KERNEL_AH;
+	request.spi.info.family = PF_INET;
+	request.spi.min = 100;
+	request.spi.max = 200;
+	
+	if (this->send_message(this, &request, &response) != SUCCESS)
+	{
 		return FAILED;
-    }
+	}
+	
+	if (response->hdr.nlmsg_type == NLMSG_ERROR)
+	{
+		return FAILED;
+	}
+	
+	if (response->hdr.nlmsg_type != XFRM_MSG_NEWSA)
+	{
+		return FAILED;
+	}
+	else if (response->hdr.nlmsg_len < NLMSG_LENGTH(sizeof(response->sa)))
+	{
+		return FAILED;
+	}
 	
 	*spi = response->sa.id.spi;
 	allocator_free(response);
-
-    return SUCCESS;
+	
+	return SUCCESS;
 }
 
 static status_t add_sa(	private_kernel_interface_t *this,
@@ -206,45 +211,46 @@ static status_t add_sa(	private_kernel_interface_t *this,
 						chunk_t integrity_key,
 						bool replace)
 {
-    netlink_message_t request, *response;
-	POS;
-    memset(&request, 0, sizeof(request));
-    
-    request.hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-    request.hdr.nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
-
-    request.sa.saddr = me->get_xfrm_addr(me);
-    request.sa.id.daddr = other->get_xfrm_addr(other);
-
-    request.sa.id.spi = spi;
-    request.sa.id.proto = protocol;
-    request.sa.family = me->get_family(me);
-    request.sa.mode = tunnel_mode;
-    request.sa.replay_window = 0; //sa->replay_window; ???
-    request.sa.reqid = 0; //sa->reqid; ???
-    request.sa.lft.soft_byte_limit = XFRM_INF;
-    request.sa.lft.soft_packet_limit = XFRM_INF;
-    request.sa.lft.hard_byte_limit = XFRM_INF;
-    request.sa.lft.hard_packet_limit = XFRM_INF;
-
-    request.hdr.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(request.sa)));
-
-    if (enc_alg != ENCR_UNDEFINED)
-    {
+	netlink_message_t request, *response;
+	memset(&request, 0, sizeof(request));
+	
+	
+	request.hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	request.hdr.nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
+	
+	request.sa.saddr = me->get_xfrm_addr(me);
+	request.sa.id.daddr = other->get_xfrm_addr(other);
+	
+	request.sa.id.spi = spi;
+	/* TODO: this should be done with getprotobyname() */
+	request.sa.id.proto = (protocol == ESP) ? KERNEL_ESP : KERNEL_AH;
+	request.sa.family = me->get_family(me);
+	request.sa.mode = tunnel_mode;
+	request.sa.replay_window = 0; //sa->replay_window; ???
+	request.sa.reqid = 0; //sa->reqid; ???
+	request.sa.lft.soft_byte_limit = XFRM_INF;
+	request.sa.lft.soft_packet_limit = XFRM_INF;
+	request.sa.lft.hard_byte_limit = XFRM_INF;
+	request.sa.lft.hard_packet_limit = XFRM_INF;
+	
+	request.hdr.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(request.sa)));
+	
+	if (enc_alg != ENCR_UNDEFINED)
+	{
 		netlink_algo_t *nla = (netlink_algo_t*)(((u_int8_t*)&request) + request.hdr.nlmsg_len);
-    	
-    	nla->type = XFRMA_ALG_CRYPT;
+		
+		nla->type = XFRMA_ALG_CRYPT;
 		nla->length = sizeof(netlink_algo_t) + encryption_key.len;
 		nla->algo.alg_key_len = encryption_key.len * 8;
 		
 		strcpy(nla->algo.alg_name, mapping_find(kernel_encryption_algs_m, enc_alg));
 		memcpy(nla->algo.alg_key, encryption_key.ptr, encryption_key.len);
-
+	
 		request.hdr.nlmsg_len += nla->length;
-    }
-
-    if (int_alg != AUTH_UNDEFINED)
-    {
+	}
+	
+	if (int_alg != AUTH_UNDEFINED)
+	{
 		netlink_algo_t *nla = (netlink_algo_t*)(((u_int8_t*)&request) + request.hdr.nlmsg_len);
 		
 		nla->type = XFRMA_ALG_AUTH;
@@ -252,20 +258,20 @@ static status_t add_sa(	private_kernel_interface_t *this,
 		nla->algo.alg_key_len = integrity_key.len * 8;
 		strcpy(nla->algo.alg_name, mapping_find(kernel_integrity_algs_m, int_alg));
 		memcpy(nla->algo.alg_key, integrity_key.ptr, integrity_key.len);
-
+	
 		request.hdr.nlmsg_len += nla->length;
-    }
-    
-	/* add IPComp */
-    
-    if (this->send_message(this, &request, &response) != SUCCESS)
-    {
-    	allocator_free(response);
-    	return FAILED;	
-    }
-	
-    allocator_free(response);
-    return SUCCESS;
+	}
+	
+	/* add IPComp here*/
+	
+	if (this->send_message(this, &request, &response) != SUCCESS)
+	{
+		allocator_free(response);
+		return FAILED;	
+	}
+	
+	allocator_free(response);
+	return SUCCESS;
 }
 
 
@@ -276,7 +282,7 @@ static status_t send_message(private_kernel_interface_t *this, netlink_message_t
 	
 	request->hdr.nlmsg_seq = ++this->seq;
 	request->hdr.nlmsg_pid = this->pid;
-
+	
 	memset(&addr, 0, sizeof(struct sockaddr_nl));
 	addr.nl_family = AF_NETLINK;
 	addr.nl_pid = 0;
@@ -308,17 +314,17 @@ static status_t send_message(private_kernel_interface_t *this, netlink_message_t
 			if (listed_response->hdr.nlmsg_seq == request->hdr.nlmsg_seq)
 			{
 				/* matches our request, this is the reply */
-	 			*response = listed_response;
-	 			found = TRUE;
-	 			break;
- 			}
- 		}
- 		iterator->destroy(iterator);
- 		
- 		if (found)
- 		{
- 			break;	
- 		}
+				*response = listed_response;
+				found = TRUE;
+				break;
+			}
+		}
+		iterator->destroy(iterator);
+		
+		if (found)
+		{
+			break;
+		}
 		/* we should time out, if something goes wrong */
 		pthread_cond_wait(&(this->condvar), &(this->mutex));
 	}
@@ -330,16 +336,16 @@ static status_t send_message(private_kernel_interface_t *this, netlink_message_t
 
 
 static void receive_messages(private_kernel_interface_t *this)
-{	
+{
 	while(TRUE) 
 	{
 		netlink_message_t response, *listed_response;
 		while (TRUE)
 		{
-	    	struct sockaddr_nl addr;
+			struct sockaddr_nl addr;
 			socklen_t addr_length;
 			size_t length;
-	
+			
 			addr_length = sizeof(addr);
 			
 			response.hdr.nlmsg_type = XFRM_MSG_NEWSA;
@@ -347,11 +353,11 @@ static void receive_messages(private_kernel_interface_t *this)
 			if (length < 0)
 			{
 				if (errno == EINTR)
-		    	{
-		    		/* interrupted, try again */
+				{
+					/* interrupted, try again */
 					continue;
-		    	}
-		    	charon->kill(charon, "receiving from netlink socket failed");
+				}
+				charon->kill(charon, "receiving from netlink socket failed");
 			}
 			if (!NLMSG_OK(&response.hdr, length))
 			{
@@ -361,7 +367,7 @@ static void receive_messages(private_kernel_interface_t *this)
 			if (addr.nl_pid != 0)
 			{
 				/* not from kernel. not interested, try another one */
-			    continue;
+				continue;
 			}
 			break;
 		}
diff --git a/Source/charon/threads/kernel_interface.h b/Source/charon/threads/kernel_interface.h
index eeebbcdf8..7f57a04d6 100644
--- a/Source/charon/threads/kernel_interface.h
+++ b/Source/charon/threads/kernel_interface.h
@@ -54,8 +54,8 @@ struct kernel_interface_t {
 	 * @todo Cleanup method params
 	 */
 	status_t (*add_sa)(kernel_interface_t *this,
-				host_t *me,
-				host_t *other,
+				host_t *src,
+				host_t *dst,
 				u_int32_t spi,
 				int protocol,
 				bool tunnel_mode,
diff --git a/Source/charon/utils/logger_manager.c b/Source/charon/utils/logger_manager.c
index 036024180..fb832efdf 100644
--- a/Source/charon/utils/logger_manager.c
+++ b/Source/charon/utils/logger_manager.c
@@ -175,11 +175,10 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
 			log_thread_ids = TRUE;
 			break;
 		case IKE_SA:
-			logger_level |= LEVEL1;
 			log_thread_ids = TRUE;
 			break;
 		case CHILD_SA:
-			logger_level |= LEVEL1|PRIVATE;
+			logger_level |= LEVEL1;
 			log_thread_ids = TRUE;
 			break;
 		case CONFIGURATION_MANAGER: