Merge branch 'android-app'

This branch introduces a userland IPsec implementation (libipsec) and an
Android App which targets the VpnService API that is provided by Android 4+.

The implementation is based on the bachelor thesis 'Userland IPsec for
Android 4' by Giuliano Grassi and Ralf Sager.

20 files changed, 1478 insertions, 45 deletions

diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 8cba58816..3b2d7eaaa 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -20,13 +20,14 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
 credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
 database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
+ipsec/ipsec_types.c \
 pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
 processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
 selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
 threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
-utils.c utils/host.c utils/identification.c utils/lexparser.c \
-utils/linked_list.c utils/hashtable.c utils/enumerator.c utils/optionsfrom.c \
-utils/capabilities.c utils/backtrace.c
+utils.c utils/host.c utils/packet.c utils/identification.c utils/lexparser.c \
+utils/linked_list.c utils/blocking_queue.c utils/hashtable.c utils/enumerator.c \
+utils/optionsfrom.c utils/capabilities.c utils/backtrace.c utils/tun_device.c
 
 # adding the plugin source files
 
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index dc849d6f2..a50d7fb90 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -18,13 +18,14 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
 credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
 database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
+ipsec/ipsec_types.c \
 pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
 processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
 selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
 threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
-utils.c utils/host.c utils/identification.c utils/lexparser.c \
-utils/linked_list.c utils/hashtable.c utils/enumerator.c utils/optionsfrom.c \
-utils/capabilities.c utils/backtrace.c
+utils.c utils/host.c utils/packet.c utils/identification.c utils/lexparser.c \
+utils/linked_list.c utils/blocking_queue.c utils/hashtable.c utils/enumerator.c \
+utils/optionsfrom.c utils/capabilities.c utils/backtrace.c utils/tun_device.c
 
 if USE_DEV_HEADERS
 strongswan_includedir = ${dev_headers}
@@ -51,14 +52,16 @@ credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
 credentials/sets/mem_cred.h credentials/sets/callback_cred.h \
 credentials/auth_cfg.h credentials/credential_set.h credentials/cert_validator.h \
 database/database.h database/database_factory.h fetcher/fetcher.h \
-fetcher/fetcher_manager.h eap/eap.h pen/pen.h plugins/plugin_loader.h \
-plugins/plugin.h plugins/plugin_feature.h processing/jobs/job.h \
-processing/jobs/callback_job.h processing/processor.h processing/scheduler.h \
-selectors/traffic_selector.h threading/thread.h threading/thread_value.h \
+fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
+plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h
+processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h
+processing/scheduler.h selectors/traffic_selector.h \
+threading/thread.h threading/thread_value.h \
 threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \
 threading/rwlock.h threading/lock_profiler.h utils.h utils/host.h \
-utils/identification.h utils/lexparser.h utils/linked_list.h utils/hashtable.h \
-utils/enumerator.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h
+utils/packet.h utils/identification.h utils/lexparser.h utils/linked_list.h \
+utils/blocking_queue.h utils/hashtable.h utils/enumerator.h utils/optionsfrom.h \
+utils/capabilities.h utils/backtrace.h utils/tun_device.h
 endif
 
 library.lo :	$(top_builddir)/config.status
diff --git a/src/libstrongswan/bio/bio_reader.c b/src/libstrongswan/bio/bio_reader.c
index fce0d1aef..3a62bb541 100644
--- a/src/libstrongswan/bio/bio_reader.c
+++ b/src/libstrongswan/bio/bio_reader.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -47,8 +50,38 @@ METHOD(bio_reader_t, peek, chunk_t,
 	return this->buf;
 }
 
-METHOD(bio_reader_t, read_uint8, bool,
-	private_bio_reader_t *this, u_int8_t *res)
+/**
+ * A version of chunk_skip() that supports skipping from the end (i.e. simply
+ * reducing the size)
+ */
+static inline chunk_t chunk_skip_end(chunk_t chunk, size_t bytes, bool from_end)
+{
+	if (chunk.len > bytes)
+	{
+		if (!from_end)
+		{
+			chunk.ptr += bytes;
+		}
+		chunk.len -= bytes;
+		return chunk;
+	}
+	return chunk_empty;
+}
+
+/**
+ * Returns a pointer to the data to read, optionally from the end
+ */
+static inline u_char *get_ptr_end(private_bio_reader_t *this, u_int32_t len,
+								  bool from_end)
+{
+	return from_end ? this->buf.ptr + (this->buf.len - len) : this->buf.ptr;
+}
+
+/**
+ * Read an u_int8_t from the buffer, optionally from the end of the buffer
+ */
+static bool read_uint8_internal(private_bio_reader_t *this, u_int8_t *res,
+								bool from_end)
 {
 	if (this->buf.len < 1)
 	{
@@ -56,13 +89,16 @@ METHOD(bio_reader_t, read_uint8, bool,
 			 this->buf.len);
 		return FALSE;
 	}
-	*res = this->buf.ptr[0];
-	this->buf = chunk_skip(this->buf, 1);
+	*res = *get_ptr_end(this, 1, from_end);
+	this->buf = chunk_skip_end(this->buf, 1, from_end);
 	return TRUE;
 }
 
-METHOD(bio_reader_t, read_uint16, bool,
-	private_bio_reader_t *this, u_int16_t *res)
+/**
+ * Read an u_int16_t from the buffer, optionally from the end
+ */
+static bool read_uint16_internal(private_bio_reader_t *this, u_int16_t *res,
+								 bool from_end)
 {
 	if (this->buf.len < 2)
 	{
@@ -70,13 +106,16 @@ METHOD(bio_reader_t, read_uint16, bool,
 			 this->buf.len);
 		return FALSE;
 	}
-	*res = untoh16(this->buf.ptr);
-	this->buf = chunk_skip(this->buf, 2);
+	*res = untoh16(get_ptr_end(this, 2, from_end));
+	this->buf = chunk_skip_end(this->buf, 2, from_end);
 	return TRUE;
 }
 
-METHOD(bio_reader_t, read_uint24, bool,
-	private_bio_reader_t *this, u_int32_t *res)
+/**
+ * Read an u_int32_t (only 24-bit) from the buffer, optionally from the end
+ */
+static bool read_uint24_internal(private_bio_reader_t *this, u_int32_t *res,
+								 bool from_end)
 {
 	if (this->buf.len < 3)
 	{
@@ -84,13 +123,16 @@ METHOD(bio_reader_t, read_uint24, bool,
 			 this->buf.len);
 		return FALSE;
 	}
-	*res = untoh32(this->buf.ptr) >> 8;
-	this->buf = chunk_skip(this->buf, 3);
+	*res = untoh32(get_ptr_end(this, 3, from_end)) >> 8;
+	this->buf = chunk_skip_end(this->buf, 3, from_end);
 	return TRUE;
 }
 
-METHOD(bio_reader_t, read_uint32, bool,
-	private_bio_reader_t *this, u_int32_t *res)
+/**
+ * Read an u_int32_t from the buffer, optionally from the end
+ */
+static bool read_uint32_internal(private_bio_reader_t *this, u_int32_t *res,
+								 bool from_end)
 {
 	if (this->buf.len < 4)
 	{
@@ -98,13 +140,16 @@ METHOD(bio_reader_t, read_uint32, bool,
 			 this->buf.len);
 		return FALSE;
 	}
-	*res = untoh32(this->buf.ptr);
-	this->buf = chunk_skip(this->buf, 4);
+	*res = untoh32(get_ptr_end(this, 4, from_end));
+	this->buf = chunk_skip_end(this->buf, 4, from_end);
 	return TRUE;
 }
 
-METHOD(bio_reader_t, read_uint64, bool,
-	private_bio_reader_t *this, u_int64_t *res)
+/**
+ * Read an u_int64_t from the buffer, optionally from the end
+ */
+static bool read_uint64_internal(private_bio_reader_t *this, u_int64_t *res,
+								 bool from_end)
 {
 	if (this->buf.len < 8)
 	{
@@ -112,13 +157,16 @@ METHOD(bio_reader_t, read_uint64, bool,
 			 this->buf.len);
 		return FALSE;
 	}
-	*res = untoh64(this->buf.ptr);
-	this->buf = chunk_skip(this->buf, 8);
+	*res = untoh64(get_ptr_end(this, 8, from_end));
+	this->buf = chunk_skip_end(this->buf, 8, from_end);
 	return TRUE;
 }
 
-METHOD(bio_reader_t, read_data, bool,
-	private_bio_reader_t *this, u_int32_t len, chunk_t *res)
+/**
+ * Read a chunk of data from the buffer, optionally from the end
+ */
+static bool read_data_internal(private_bio_reader_t *this, u_int32_t len,
+							   chunk_t *res, bool from_end)
 {
 	if (this->buf.len < len)
 	{
@@ -126,11 +174,83 @@ METHOD(bio_reader_t, read_data, bool,
 			 this->buf.len, len);
 		return FALSE;
 	}
-	*res = chunk_create(this->buf.ptr, len);
-	this->buf = chunk_skip(this->buf, len);
+	*res = chunk_create(get_ptr_end(this, len, from_end), len);
+	this->buf = chunk_skip_end(this->buf, len, from_end);
 	return TRUE;
 }
 
+METHOD(bio_reader_t, read_uint8, bool,
+	private_bio_reader_t *this, u_int8_t *res)
+{
+	return read_uint8_internal(this, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_uint16, bool,
+	private_bio_reader_t *this, u_int16_t *res)
+{
+	return read_uint16_internal(this, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_uint24, bool,
+	private_bio_reader_t *this, u_int32_t *res)
+{
+	return read_uint24_internal(this, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_uint32, bool,
+	private_bio_reader_t *this, u_int32_t *res)
+{
+	return read_uint32_internal(this, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_uint64, bool,
+	private_bio_reader_t *this, u_int64_t *res)
+{
+	return read_uint64_internal(this, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_data, bool,
+	private_bio_reader_t *this, u_int32_t len, chunk_t *res)
+{
+	return read_data_internal(this, len, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_uint8_end, bool,
+	private_bio_reader_t *this, u_int8_t *res)
+{
+	return read_uint8_internal(this, res, TRUE);
+}
+
+METHOD(bio_reader_t, read_uint16_end, bool,
+	private_bio_reader_t *this, u_int16_t *res)
+{
+	return read_uint16_internal(this, res, TRUE);
+}
+
+METHOD(bio_reader_t, read_uint24_end, bool,
+	private_bio_reader_t *this, u_int32_t *res)
+{
+	return read_uint24_internal(this, res, TRUE);
+}
+
+METHOD(bio_reader_t, read_uint32_end, bool,
+	private_bio_reader_t *this, u_int32_t *res)
+{
+	return read_uint32_internal(this, res, TRUE);
+}
+
+METHOD(bio_reader_t, read_uint64_end, bool,
+	private_bio_reader_t *this, u_int64_t *res)
+{
+	return read_uint64_internal(this, res, TRUE);
+}
+
+METHOD(bio_reader_t, read_data_end, bool,
+	private_bio_reader_t *this, u_int32_t len, chunk_t *res)
+{
+	return read_data_internal(this, len, res, TRUE);
+}
+
 METHOD(bio_reader_t, read_data8, bool,
 	private_bio_reader_t *this, chunk_t *res)
 {
@@ -202,6 +322,12 @@ bio_reader_t *bio_reader_create(chunk_t data)
 			.read_uint32 = _read_uint32,
 			.read_uint64 = _read_uint64,
 			.read_data = _read_data,
+			.read_uint8_end = _read_uint8_end,
+			.read_uint16_end = _read_uint16_end,
+			.read_uint24_end = _read_uint24_end,
+			.read_uint32_end = _read_uint32_end,
+			.read_uint64_end = _read_uint64_end,
+			.read_data_end = _read_data_end,
 			.read_data8 = _read_data8,
 			.read_data16 = _read_data16,
 			.read_data24 = _read_data24,
diff --git a/src/libstrongswan/bio/bio_reader.h b/src/libstrongswan/bio/bio_reader.h
index 85434a784..3162f3eda 100644
--- a/src/libstrongswan/bio/bio_reader.h
+++ b/src/libstrongswan/bio/bio_reader.h
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -27,6 +30,8 @@ typedef struct bio_reader_t bio_reader_t;
 
 /**
  * Buffered input parser.
+ *
+ * @note Integers are returned in host byte order.
  */
 struct bio_reader_t {
 
@@ -94,6 +99,55 @@ struct bio_reader_t {
 	bool (*read_data)(bio_reader_t *this, u_int32_t len, chunk_t *res);
 
 	/**
+	 * Read a 8-bit integer from the end of the buffer, reduce remaining.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint8_end)(bio_reader_t *this, u_int8_t *res);
+
+	/**
+	 * Read a 16-bit integer from the end of the buffer, reduce remaining.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint16_end)(bio_reader_t *this, u_int16_t *res);
+
+	/**
+	 * Read a 24-bit integer from the end of the buffer, reduce remaining.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint24_end)(bio_reader_t *this, u_int32_t *res);
+
+	/**
+	 * Read a 32-bit integer from the end of the buffer, reduce remaining.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint32_end)(bio_reader_t *this, u_int32_t *res);
+
+	/**
+	 * Read a 64-bit integer from the end of the buffer, reduce remaining.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint64_end)(bio_reader_t *this, u_int64_t *res);
+
+	/**
+	 * Read a chunk of len bytes from the end of the buffer, reduce remaining.
+	 *
+	 * @param len		number of bytes to read
+	 * @param res		ponter to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data_end)(bio_reader_t *this, u_int32_t len, chunk_t *res);
+
+	/**
 	 * Read a chunk of bytes with a 8-bit length header, advance.
 	 *
 	 * @param res		pointer to result, not cloned
diff --git a/src/libstrongswan/bio/bio_writer.c b/src/libstrongswan/bio/bio_writer.c
index bf373d6ac..8576843ee 100644
--- a/src/libstrongswan/bio/bio_writer.c
+++ b/src/libstrongswan/bio/bio_writer.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -199,12 +202,35 @@ METHOD(bio_writer_t, wrap32, void,
 	this->used += 4;
 }
 
+METHOD(bio_writer_t, skip, chunk_t,
+	private_bio_writer_t *this, size_t len)
+{
+	chunk_t skipped;
+
+	while (this->used + len > this->buf.len)
+	{
+		increase(this);
+	}
+	skipped = chunk_create(this->buf.ptr + this->used, len);
+	this->used += len;
+	return skipped;
+}
+
 METHOD(bio_writer_t, get_buf, chunk_t,
 	private_bio_writer_t *this)
 {
 	return chunk_create(this->buf.ptr, this->used);
 }
 
+METHOD(bio_writer_t, extract_buf, chunk_t,
+	private_bio_writer_t *this)
+{
+	chunk_t buf = get_buf(this);
+	this->buf = chunk_empty;
+	this->used = 0;
+	return buf;
+}
+
 METHOD(bio_writer_t, destroy, void,
 	private_bio_writer_t *this)
 {
@@ -235,7 +261,9 @@ bio_writer_t *bio_writer_create(u_int32_t bufsize)
 			.wrap16 = _wrap16,
 			.wrap24 = _wrap24,
 			.wrap32 = _wrap32,
+			.skip = _skip,
 			.get_buf = _get_buf,
+			.extract_buf = _extract_buf,
 			.destroy = _destroy,
 		},
 		.increase = bufsize ? max(bufsize, 4) : 32,
diff --git a/src/libstrongswan/bio/bio_writer.h b/src/libstrongswan/bio/bio_writer.h
index 0b50f7882..57a5c3d38 100644
--- a/src/libstrongswan/bio/bio_writer.h
+++ b/src/libstrongswan/bio/bio_writer.h
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -27,6 +30,8 @@ typedef struct bio_writer_t bio_writer_t;
 
 /**
  * Buffered output generator.
+ *
+ * @note Integers are converted to network byte order before writing.
  */
 struct bio_writer_t {
 
@@ -121,6 +126,15 @@ struct bio_writer_t {
 	void (*wrap32)(bio_writer_t *this);
 
 	/**
+	 * Skips len bytes in the buffer before the next data is written, returns
+	 * a chunk covering the skipped bytes.
+	 *
+	 * @param len		number of bytes to skip
+	 * @return			chunk pointing to skipped bytes in the internal buffer
+	 */
+	chunk_t (*skip)(bio_writer_t *this, size_t len);
+
+	/**
 	 * Get the encoded data buffer.
 	 *
 	 * @return			chunk to internal buffer
@@ -128,6 +142,14 @@ struct bio_writer_t {
 	chunk_t (*get_buf)(bio_writer_t *this);
 
 	/**
+	 * Return the encoded data buffer and detach it from the writer (resets
+	 * the internal buffer).
+	 *
+	 * @return			chunk to internal buffer (has to be freed)
+	 */
+	chunk_t (*extract_buf)(bio_writer_t *this);
+
+	/**
 	 * Destroy a bio_writer_t.
 	 */
 	void (*destroy)(bio_writer_t *this);
@@ -136,6 +158,9 @@ struct bio_writer_t {
 /**
  * Create a bio_writer instance.
  *
+ * The size of the internal buffer is increased automatically by bufsize (or a
+ * default if not given) if the initial size does not suffice.
+ *
  * @param bufsize		initially allocated buffer size
  */
 bio_writer_t *bio_writer_create(u_int32_t bufsize);
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
new file mode 100644
index 000000000..e4e927313
--- /dev/null
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec_types.h"
+
+ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_DROP,
+	"TRANSPORT",
+	"TUNNEL",
+	"BEET",
+	"PASS",
+	"DROP"
+);
+
+ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
+	"in",
+	"out",
+	"fwd"
+);
+
+ENUM(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_LZJH,
+	"IPCOMP_NONE",
+	"IPCOMP_OUI",
+	"IPCOMP_DEFLATE",
+	"IPCOMP_LZS",
+	"IPCOMP_LZJH"
+);
diff --git a/src/libstrongswan/ipsec/ipsec_types.h b/src/libstrongswan/ipsec/ipsec_types.h
new file mode 100644
index 000000000..32e55bc50
--- /dev/null
+++ b/src/libstrongswan/ipsec/ipsec_types.h
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_types ipsec_types
+ * @{ @ingroup ipsec
+ */
+
+#ifndef IPSEC_TYPES_H_
+#define IPSEC_TYPES_H_
+
+typedef enum ipsec_mode_t ipsec_mode_t;
+typedef enum policy_dir_t policy_dir_t;
+typedef enum policy_type_t policy_type_t;
+typedef enum policy_priority_t policy_priority_t;
+typedef enum ipcomp_transform_t ipcomp_transform_t;
+typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
+typedef struct lifetime_cfg_t lifetime_cfg_t;
+typedef struct mark_t mark_t;
+
+#include <library.h>
+
+/**
+ * Mode of an IPsec SA.
+ */
+enum ipsec_mode_t {
+	/** not using any encapsulation */
+	MODE_NONE = 0,
+	/** transport mode, no inner address */
+	MODE_TRANSPORT = 1,
+	/** tunnel mode, inner and outer addresses */
+	MODE_TUNNEL,
+	/** BEET mode, tunnel mode but fixed, bound inner addresses */
+	MODE_BEET,
+	/** passthrough policy for traffic without an IPsec SA */
+	MODE_PASS,
+	/** drop policy discarding traffic */
+	MODE_DROP
+};
+
+/**
+ * enum names for ipsec_mode_t.
+ */
+extern enum_name_t *ipsec_mode_names;
+
+/**
+ * Direction of a policy. These are equal to those
+ * defined in xfrm.h, but we want to stay implementation
+ * neutral here.
+ */
+enum policy_dir_t {
+	/** Policy for inbound traffic */
+	POLICY_IN = 0,
+	/** Policy for outbound traffic */
+	POLICY_OUT = 1,
+	/** Policy for forwarded traffic */
+	POLICY_FWD = 2,
+};
+
+/**
+ * enum names for policy_dir_t.
+ */
+extern enum_name_t *policy_dir_names;
+
+/**
+ * Type of a policy.
+ */
+enum policy_type_t {
+	/** Normal IPsec policy */
+	POLICY_IPSEC = 1,
+	/** Passthrough policy (traffic is ignored by IPsec) */
+	POLICY_PASS,
+	/** Drop policy (traffic is discarded) */
+	POLICY_DROP,
+};
+
+/**
+ * High-level priority of a policy.
+ */
+enum policy_priority_t {
+	/** Default priority */
+	POLICY_PRIORITY_DEFAULT,
+	/** Priority for trap policies */
+	POLICY_PRIORITY_ROUTED,
+	/** Priority for fallback drop policies */
+	POLICY_PRIORITY_FALLBACK,
+};
+
+/**
+ * IPComp transform IDs, as in RFC 4306
+ */
+enum ipcomp_transform_t {
+	IPCOMP_NONE = 0,
+	IPCOMP_OUI = 1,
+	IPCOMP_DEFLATE = 2,
+	IPCOMP_LZS = 3,
+	IPCOMP_LZJH = 4,
+};
+
+/**
+ * enum strings for ipcomp_transform_t.
+ */
+extern enum_name_t *ipcomp_transform_names;
+
+/**
+ * This struct contains details about IPsec SA(s) tied to a policy.
+ */
+struct ipsec_sa_cfg_t {
+	/** mode of SA (tunnel, transport) */
+	ipsec_mode_t mode;
+	/** unique ID */
+	u_int32_t reqid;
+	/** details about ESP/AH */
+	struct {
+		/** TRUE if this protocol is used */
+		bool use;
+		/** SPI for ESP/AH */
+		u_int32_t spi;
+	} esp, ah;
+	/** details about IPComp */
+	struct {
+		/** the IPComp transform used */
+		u_int16_t transform;
+		/** CPI for IPComp */
+		u_int16_t cpi;
+	} ipcomp;
+};
+
+/**
+ * A lifetime_cfg_t defines the lifetime limits of an SA.
+ *
+ * Set any of these values to 0 to ignore.
+ */
+struct lifetime_cfg_t {
+	struct {
+		/** Limit before the SA gets invalid. */
+		u_int64_t	life;
+		/** Limit before the SA gets rekeyed. */
+		u_int64_t	rekey;
+		/** The range of a random value subtracted from rekey. */
+		u_int64_t	jitter;
+	} time, bytes, packets;
+};
+
+/**
+ * A mark_t defines an optional mark in an IPsec SA.
+ */
+struct mark_t {
+	/** Mark value */
+	u_int32_t value;
+	/** Mark mask */
+	u_int32_t mask;
+};
+
+/**
+ * Special mark value that uses the reqid of the CHILD_SA as mark
+ */
+#define MARK_REQID (0xFFFFFFFF)
+
+#endif /** IPSEC_TYPES_H_ @}*/
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index d357ddf5a..634128fe9 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -43,6 +43,9 @@
  * @defgroup fetcher fetcher
  * @ingroup libstrongswan
  *
+ * @defgroup ipsec ipsec
+ * @ingroup libstrongswan
+ *
  * @defgroup plugins plugins
  * @ingroup libstrongswan
  *
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c
index 2ae804380..8bd513c05 100644
--- a/src/libstrongswan/printf_hook.c
+++ b/src/libstrongswan/printf_hook.c
@@ -93,6 +93,7 @@ static int custom_print(FILE *stream, const struct printf_info *info,
 	};
 
 	spec.hash = info->alt;
+	spec.plus = info->showsign;
 	spec.minus = info->left;
 	spec.width = info->width;
 
@@ -164,6 +165,7 @@ static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
 	}
 
 	spec.hash = fmt_spec->fmt_hash;
+	spec.plus = fmt_spec->fmt_plus;
 	spec.minus = fmt_spec->fmt_minus;
 	spec.width = fmt_spec->fmt_field_width;
 
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h
index 6beb4fef1..b162e6d97 100644
--- a/src/libstrongswan/printf_hook.h
+++ b/src/libstrongswan/printf_hook.h
@@ -194,6 +194,11 @@ struct printf_hook_spec_t {
 	int minus;
 
 	/**
+	 * TRUE if a '+' was used in the format specifier
+	 */
+	int plus;
+
+	/**
 	 * The width as given in the format specifier.
 	 */
 	int width;
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index 49a1b8430..9ef514ebc 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -114,7 +114,7 @@ typedef struct {
 /**
  * Next thread ID.
  */
-static u_int next_id = 1;
+static u_int next_id;
 
 /**
  * Mutex to safely access the next thread ID.
@@ -452,6 +452,7 @@ void threads_init()
 
 	dummy1 = thread_value_create(NULL);
 
+	next_id = 1;
 	main_thread->id = 0;
 	main_thread->thread_id = pthread_self();
 	current_thread = thread_value_create(NULL);
@@ -482,4 +483,3 @@ void threads_deinit()
 	current_thread->destroy(current_thread);
 	id_mutex->destroy(id_mutex);
 }
-
diff --git a/src/libstrongswan/utils/blocking_queue.c b/src/libstrongswan/utils/blocking_queue.c
new file mode 100644
index 000000000..c70184198
--- /dev/null
+++ b/src/libstrongswan/utils/blocking_queue.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "blocking_queue.h"
+
+#include <threading/mutex.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <utils/linked_list.h>
+
+typedef struct private_blocking_queue_t private_blocking_queue_t;
+
+/**
+ * Private data of a blocking_queue_t object.
+ */
+struct private_blocking_queue_t {
+
+	/**
+	 * Public part
+	 */
+	blocking_queue_t public;
+
+	/**
+	 * Linked list containing all items in the queue
+	 */
+	linked_list_t *list;
+
+	/**
+	 * Mutex used to synchronize access to the queue
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar used to wait for items
+	 */
+	condvar_t *condvar;
+
+};
+
+METHOD(blocking_queue_t, enqueue, void,
+	private_blocking_queue_t *this, void *item)
+{
+	this->mutex->lock(this->mutex);
+	this->list->insert_first(this->list, item);
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(blocking_queue_t, dequeue, void*,
+	private_blocking_queue_t *this)
+{
+	bool oldstate;
+	void *item;
+
+
+	this->mutex->lock(this->mutex);
+	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+	/* ensure that a canceled thread does not dequeue any items */
+	thread_cancellation_point();
+	while (this->list->remove_last(this->list, &item) != SUCCESS)
+	{
+		oldstate = thread_cancelability(TRUE);
+		this->condvar->wait(this->condvar, this->mutex);
+		thread_cancelability(oldstate);
+	}
+	thread_cleanup_pop(TRUE);
+	return item;
+}
+
+METHOD(blocking_queue_t, destroy, void,
+	private_blocking_queue_t *this)
+{
+	this->list->destroy(this->list);
+	this->condvar->destroy(this->condvar);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+METHOD(blocking_queue_t, destroy_offset, void,
+	private_blocking_queue_t *this, size_t offset)
+{
+	this->list->invoke_offset(this->list, offset);
+	destroy(this);
+}
+
+METHOD(blocking_queue_t, destroy_function, void,
+	private_blocking_queue_t *this, void (*fn)(void*))
+{
+	this->list->invoke_function(this->list, (linked_list_invoke_t)fn);
+	destroy(this);
+}
+
+/*
+ * Described in header.
+ */
+blocking_queue_t *blocking_queue_create()
+{
+	private_blocking_queue_t *this;
+
+	INIT(this,
+		.public = {
+			.enqueue = _enqueue,
+			.dequeue = _dequeue,
+			.destroy = _destroy,
+			.destroy_offset = _destroy_offset,
+			.destroy_function = _destroy_function,
+		},
+		.list = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/utils/blocking_queue.h b/src/libstrongswan/utils/blocking_queue.h
new file mode 100644
index 000000000..cf2712cf4
--- /dev/null
+++ b/src/libstrongswan/utils/blocking_queue.h
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup blocking_queue blocking_queue
+ * @{ @ingroup utils
+ */
+
+#ifndef BLOCKING_QUEUE_H_
+#define BLOCKING_QUEUE_H_
+
+typedef struct blocking_queue_t blocking_queue_t;
+
+#include <library.h>
+
+/**
+ * Class implementing a synchronized blocking queue based on linked_list_t
+ */
+struct blocking_queue_t {
+
+	/**
+	 * Inserts a new item at the tail of the queue
+	 *
+	 * @param item		item to insert in queue
+	 */
+	void (*enqueue)(blocking_queue_t *this, void *item);
+
+	/**
+	 * Removes the first item in the queue and returns its value.
+	 * If the queue is empty, this call blocks until a new item is inserted.
+	 *
+	 * @note This is a thread cancellation point
+	 *
+	 * @return			removed item
+	 */
+	void *(*dequeue)(blocking_queue_t *this);
+
+	/**
+	 * Destroys a blocking_queue_t object.
+	 *
+	 * @note No thread must wait in dequeue() when this function is called
+	 */
+	void (*destroy)(blocking_queue_t *this);
+
+	/**
+	 * Destroys a queue and its objects using the given destructor.
+	 *
+	 * If a queue and the contained objects should be destroyed, use
+	 * destroy_offset. The supplied offset specifies the destructor to
+	 * call on each object. The offset may be calculated using the offsetof
+	 * macro, e.g.: queue->destroy_offset(queue, offsetof(object_t, destroy));
+	 *
+	 * @note No thread must wait in dequeue() when this function is called
+	 *
+	 * @param offset	offset of the objects destructor
+	 */
+	void (*destroy_offset)(blocking_queue_t *this, size_t offset);
+
+	/**
+	 * Destroys a queue and its objects using a cleanup function.
+	 *
+	 * If a queue and its contents should get destroyed using a specific
+	 * cleanup function, use destroy_function. This is useful when the
+	 * list contains malloc()-ed blocks which should get freed,
+	 * e.g.: queue->destroy_function(queue, free);
+	 *
+	 * @note No thread must wait in dequeue() when this function is called
+	 *
+	 * @param function	function to call on each object
+	 */
+	void (*destroy_function)(blocking_queue_t *this, void (*)(void*));
+
+};
+
+/**
+ * Creates an empty queue object.
+ *
+ * @return		blocking_queue_t object.
+ */
+blocking_queue_t *blocking_queue_create();
+
+#endif /** BLOCKING_QUEUE_H_ @}*/
+
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index 0f40a0dd4..3a16138a4 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -110,7 +110,7 @@ int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 	{
 		snprintf(buffer, sizeof(buffer), "(null)");
 	}
-	else if (is_anyaddr(this))
+	else if (is_anyaddr(this) && !spec->plus)
 	{
 		snprintf(buffer, sizeof(buffer), "%%any%s",
 				 this->address.sa_family == AF_INET6 ? "6" : "");
diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h
index 444878524..a8b010544 100644
--- a/src/libstrongswan/utils/host.h
+++ b/src/libstrongswan/utils/host.h
@@ -155,7 +155,7 @@ struct host_t {
  *
  * @param string		string of an address, such as "152.96.193.130"
  * @param port			port number
- * @return 				host_t, NULL if string not an address.
+ * @return				host_t, NULL if string not an address.
  */
 host_t *host_create_from_string(char *string, u_int16_t port);
 
@@ -165,7 +165,7 @@ host_t *host_create_from_string(char *string, u_int16_t port);
  * @param string		hostname to resolve
  * @param family		family to prefer, 0 for first match
  * @param port			port number
- * @return 				host_t, NULL lookup failed
+ * @return				host_t, NULL lookup failed
  */
 host_t *host_create_from_dns(char *string, int family, u_int16_t port);
 
@@ -174,10 +174,10 @@ host_t *host_create_from_dns(char *string, int family, u_int16_t port);
  *
  * If family is AF_UNSPEC, it is guessed using address.len.
  *
- * @param family 		Address family, such as AF_INET or AF_INET6
+ * @param family		Address family, such as AF_INET or AF_INET6
  * @param address		address as chunk_t in network order
  * @param port			port number
- * @return 				host_t, NULL if family not supported/chunk invalid
+ * @return				host_t, NULL if family not supported/chunk invalid
  */
 host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port);
 
@@ -185,7 +185,7 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port);
  * Constructor to create a host_t object from a sockaddr struct
  *
  * @param sockaddr		sockaddr struct which contains family, address and port
- * @return 				host_t, NULL if family not supported
+ * @return				host_t, NULL if family not supported
  */
 host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
 
@@ -202,7 +202,7 @@ host_t *host_create_from_subnet(char *string, int *bits);
  * Create a host without an address, a "any" host.
  *
  * @param family		family of the any host
- * @return 				host_t, NULL if family not supported
+ * @return				host_t, NULL if family not supported
  */
 host_t *host_create_any(int family);
 
@@ -212,6 +212,7 @@ host_t *host_create_any(int family);
  * Arguments are:
  *	host_t *host
  * Use #-modifier to include port number
+ * Use +-modifier to force numeric representation (instead of e.g. %any)
  */
 int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 					 const void *const *args);
diff --git a/src/libstrongswan/utils/packet.c b/src/libstrongswan/utils/packet.c
new file mode 100644
index 000000000..a2c329d60
--- /dev/null
+++ b/src/libstrongswan/utils/packet.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "packet.h"
+
+typedef struct private_packet_t private_packet_t;
+
+/**
+ * Private data of an packet_t object.
+ */
+struct private_packet_t {
+
+	/**
+	 * Public part of a packet_t object.
+	 */
+	packet_t public;
+
+	/**
+	 * source address
+	 */
+	host_t *source;
+
+	/**
+	 * destination address
+	 */
+	host_t *destination;
+
+	 /**
+	  * message data
+	  */
+	chunk_t data;
+
+	/**
+	 * actual chunk returned from get_data, adjusted when skip_bytes is called
+	 */
+	chunk_t adjusted_data;
+};
+
+METHOD(packet_t, set_source, void,
+	private_packet_t *this, host_t *source)
+{
+	DESTROY_IF(this->source);
+	this->source = source;
+}
+
+METHOD(packet_t, set_destination, void,
+	private_packet_t *this, host_t *destination)
+{
+	DESTROY_IF(this->destination);
+	this->destination = destination;
+}
+
+METHOD(packet_t, get_source, host_t*,
+	private_packet_t *this)
+{
+	return this->source;
+}
+
+METHOD(packet_t, get_destination, host_t*,
+	private_packet_t *this)
+{
+	return this->destination;
+}
+
+METHOD(packet_t, get_data, chunk_t,
+	private_packet_t *this)
+{
+	return this->adjusted_data;
+}
+
+METHOD(packet_t, set_data, void,
+	private_packet_t *this, chunk_t data)
+{
+	free(this->data.ptr);
+	this->adjusted_data = this->data = data;
+}
+
+METHOD(packet_t, skip_bytes, void,
+	private_packet_t *this, size_t bytes)
+{
+	this->adjusted_data = chunk_skip(this->adjusted_data, bytes);
+}
+
+METHOD(packet_t, destroy, void,
+	private_packet_t *this)
+{
+	DESTROY_IF(this->source);
+	DESTROY_IF(this->destination);
+	free(this->data.ptr);
+	free(this);
+}
+
+METHOD(packet_t, clone_, packet_t*,
+	private_packet_t *this)
+{
+	packet_t *other;
+
+	other = packet_create();
+	if (this->destination)
+	{
+		other->set_destination(other,
+							   this->destination->clone(this->destination));
+	}
+	if (this->source)
+	{
+		other->set_source(other, this->source->clone(this->source));
+	}
+	if (this->data.ptr)
+	{
+		other->set_data(other, chunk_clone(this->adjusted_data));
+	}
+	return other;
+}
+
+/**
+ * Described in header.
+ */
+packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data)
+{
+	private_packet_t *this;
+
+	INIT(this,
+		.public = {
+			.set_data = _set_data,
+			.get_data = _get_data,
+			.set_source = _set_source,
+			.get_source = _get_source,
+			.set_destination = _set_destination,
+			.get_destination = _get_destination,
+			.skip_bytes = _skip_bytes,
+			.clone = _clone_,
+			.destroy = _destroy,
+		},
+		.source = src,
+		.destination = dst,
+		.adjusted_data = data,
+		.data = data,
+	);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+packet_t *packet_create()
+{
+	return packet_create_from_data(NULL, NULL, chunk_empty);
+}
diff --git a/src/libstrongswan/utils/packet.h b/src/libstrongswan/utils/packet.h
new file mode 100644
index 000000000..5c4440115
--- /dev/null
+++ b/src/libstrongswan/utils/packet.h
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup packet packet
+ * @{ @ingroup utils
+ */
+
+#ifndef PACKET_H_
+#define PACKET_H_
+
+typedef struct packet_t packet_t;
+
+#include <library.h>
+#include <utils/host.h>
+
+/**
+ * Abstraction of an IP/UDP-Packet, contains data, sender and receiver.
+ */
+struct packet_t {
+
+	/**
+	 * Set the source address.
+	 *
+	 * @param source	address to set as source (gets owned)
+	 */
+	void (*set_source)(packet_t *packet, host_t *source);
+
+	/**
+	 * Set the destination address.
+	 *
+	 * @param source	address to set as destination (gets owned)
+	 */
+	void (*set_destination)(packet_t *packet, host_t *destination);
+
+	/**
+	 * Get the source address.
+	 *
+	 * @return			source address (internal data)
+	 */
+	host_t *(*get_source)(packet_t *packet);
+
+	/**
+	 * Get the destination address.
+	 *
+	 * @return			destination address (internal data)
+	 */
+	host_t *(*get_destination)(packet_t *packet);
+
+	/**
+	 * Get the data from the packet.
+	 *
+	 * @return			chunk containing the data (internal data)
+	 */
+	chunk_t (*get_data)(packet_t *packet);
+
+	/**
+	 * Set the data in the packet.
+	 *
+	 * @param data		chunk with data to set (gets owned)
+	 */
+	void (*set_data)(packet_t *packet, chunk_t data);
+
+	/**
+	 * Increase the offset where the actual packet data starts.
+	 *
+	 * The total offset applies to future calls of get_data() and clone().
+	 *
+	 * @note The offset is reset to 0 when set_data() is called.
+	 *
+	 * @param bytes		the number of additional bytes to skip
+	 */
+	void (*skip_bytes)(packet_t *packet, size_t bytes);
+
+	/**
+	 * Clones a packet_t object.
+	 *
+	 * @note Data is cloned without skipped bytes.
+	 *
+	 * @param clone		clone of the packet
+	 */
+	packet_t* (*clone)(packet_t *packet);
+
+	/**
+	 * Destroy the packet, freeing contained data.
+	 */
+	void (*destroy)(packet_t *packet);
+};
+
+/**
+ * Create an empty packet
+ *
+ * @return packet_t object
+ */
+packet_t *packet_create();
+
+/**
+ * Create a packet from the supplied data
+ *
+ * @param src			source address (gets owned)
+ * @param dst			destination address (gets owned)
+ * @param data			packet data (gets owned)
+ * @return packet_t object
+ */
+packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data);
+
+#endif /** PACKET_H_ @}*/
diff --git a/src/libstrongswan/utils/tun_device.c b/src/libstrongswan/utils/tun_device.c
new file mode 100644
index 000000000..889fe6247
--- /dev/null
+++ b/src/libstrongswan/utils/tun_device.c
@@ -0,0 +1,353 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <netinet/in.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <linux/if.h>
+#include <linux/if_tun.h>
+
+#include "tun_device.h"
+
+#include <library.h>
+#include <debug.h>
+#include <threading/thread.h>
+
+#define TUN_DEFAULT_MTU 1500
+
+typedef struct private_tun_device_t private_tun_device_t;
+
+struct private_tun_device_t {
+
+	/**
+	 * Public interface
+	 */
+	tun_device_t public;
+
+	/**
+	 * The TUN device's file descriptor
+	 */
+	int tunfd;
+
+	/**
+	 * Name of the TUN device
+	 */
+	char if_name[IFNAMSIZ];
+
+	/**
+	 * Socket used for ioctl() to set interface addr, ...
+	 */
+	int sock;
+
+	/**
+	 * The current MTU
+	 */
+	int mtu;
+};
+
+/**
+ * Set the sockaddr_t from the given netmask
+ */
+static void set_netmask(struct ifreq *ifr, int family, u_int8_t netmask)
+{
+	int len, bytes, bits;
+	char *target;
+
+	switch (family)
+	{
+		case AF_INET:
+		{
+			struct sockaddr_in *addr = (struct sockaddr_in*)&ifr->ifr_addr;
+			addr->sin_family = AF_INET;
+			target = (char*)&addr->sin_addr;
+			len = 4;
+			break;
+		}
+		case AF_INET6:
+		{
+			struct sockaddr_in6 *addr = (struct sockaddr_in6*)&ifr->ifr_addr;
+			addr->sin6_family = AF_INET6;
+			target = (char*)&addr->sin6_addr;
+			len = 16;
+			break;
+		}
+		default:
+			return;
+	}
+
+	bytes = (netmask + 7) / 8;
+	bits = (bytes * 8) - netmask;
+
+	memset(target, 0xff, bytes);
+	memset(target + bytes, 0x00, len - bytes);
+	target[bytes - 1] = bits ? (u_int8_t)(0xff << bits) : 0xff;
+}
+
+METHOD(tun_device_t, set_address, bool,
+	private_tun_device_t *this, host_t *addr, u_int8_t netmask)
+{
+	struct ifreq ifr;
+	int family;
+
+	family = addr->get_family(addr);
+	if ((netmask > 32 && family == AF_INET) || netmask > 128)
+	{
+		DBG1(DBG_LIB, "failed to set address on %s: invalid netmask",
+			 this->if_name);
+		return FALSE;
+	}
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+	memcpy(&ifr.ifr_addr, addr->get_sockaddr(addr), sizeof(sockaddr_t));
+
+	if (ioctl(this->sock, SIOCSIFADDR, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set address on %s: %s",
+			 this->if_name, strerror(errno));
+		return FALSE;
+	}
+
+	set_netmask(&ifr, family, netmask);
+
+	if (ioctl(this->sock, SIOCSIFNETMASK, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set netmask on %s: %s",
+			 this->if_name, strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tun_device_t, up, bool,
+	private_tun_device_t *this)
+{
+	struct ifreq ifr;
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+
+	if (ioctl(this->sock, SIOCGIFFLAGS, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to get interface flags for %s: %s", this->if_name,
+			 strerror(errno));
+		return FALSE;
+	}
+
+	ifr.ifr_flags |= IFF_RUNNING | IFF_UP;
+
+	if (ioctl(this->sock, SIOCSIFFLAGS, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set interface flags on %s: %s", this->if_name,
+			 strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tun_device_t, set_mtu, bool,
+	private_tun_device_t *this, int mtu)
+{
+	struct ifreq ifr;
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+	ifr.ifr_mtu = mtu;
+
+	if (ioctl(this->sock, SIOCSIFMTU, &ifr) < 0)
+	{
+		return FALSE;
+	}
+	this->mtu = mtu;
+	return TRUE;
+}
+
+METHOD(tun_device_t, get_mtu, int,
+	private_tun_device_t *this)
+{
+	struct ifreq ifr;
+
+	if (this->mtu > 0)
+	{
+		return this->mtu;
+	}
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+	this->mtu = TUN_DEFAULT_MTU;
+
+	if (ioctl(this->sock, SIOCGIFMTU, &ifr) == 0)
+	{
+		this->mtu = ifr.ifr_mtu;
+	}
+	return this->mtu;
+}
+
+METHOD(tun_device_t, get_name, char*,
+	private_tun_device_t *this)
+{
+	return this->if_name;
+}
+
+METHOD(tun_device_t, write_packet, bool,
+	private_tun_device_t *this, chunk_t packet)
+{
+	ssize_t s;
+
+	s = write(this->tunfd, packet.ptr, packet.len);
+	if (s < 0)
+	{
+		DBG1(DBG_LIB, "failed to write packet to TUN device %s: %s",
+			 this->if_name, strerror(errno));
+		return FALSE;
+	}
+	else if (s != packet.len)
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tun_device_t, read_packet, bool,
+	private_tun_device_t *this, chunk_t *packet)
+{
+	ssize_t len;
+	fd_set set;
+	bool old;
+
+	FD_ZERO(&set);
+	FD_SET(this->tunfd, &set);
+
+	old = thread_cancelability(TRUE);
+	len = select(this->tunfd + 1, &set, NULL, NULL, NULL);
+	thread_cancelability(old);
+
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "select on TUN device %s failed: %s", this->if_name,
+			 strerror(errno));
+		return FALSE;
+	}
+	/* FIXME: this is quite expensive for lots of small packets, copy from
+	 * local buffer instead? */
+	*packet = chunk_alloc(get_mtu(this));
+	len = read(this->tunfd, packet->ptr, packet->len);
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "reading from TUN device %s failed: %s", this->if_name,
+			 strerror(errno));
+		chunk_free(packet);
+		return FALSE;
+	}
+	packet->len = len;
+	return TRUE;
+}
+
+METHOD(tun_device_t, destroy, void,
+	private_tun_device_t *this)
+{
+	if (this->tunfd > 0)
+	{
+		close(this->tunfd);
+	}
+	if (this->sock > 0)
+	{
+		close(this->sock);
+	}
+	free(this);
+}
+
+/**
+ * Allocate a TUN device
+ */
+static int tun_alloc(char dev[IFNAMSIZ])
+{
+	struct ifreq ifr;
+	int fd;
+
+	fd = open("/dev/net/tun", O_RDWR);
+	if (fd < 0)
+	{
+		DBG1(DBG_LIB, "failed to open /dev/net/tun: %s", strerror(errno));
+		return fd;
+	}
+
+	memset(&ifr, 0, sizeof(ifr));
+
+	/* TUN device, no packet info */
+	ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
+
+	strncpy(ifr.ifr_name, dev, IFNAMSIZ);
+
+	if (ioctl(fd, TUNSETIFF, (void*)&ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to configure TUN device: %s", strerror(errno));
+		close(fd);
+		return -1;
+	}
+	strncpy(dev, ifr.ifr_name, IFNAMSIZ);
+	return fd;
+}
+
+/*
+ * Described in header
+ */
+tun_device_t *tun_device_create(const char *name_tmpl)
+{
+	private_tun_device_t *this;
+
+	INIT(this,
+		.public = {
+			.read_packet = _read_packet,
+			.write_packet = _write_packet,
+			.get_mtu = _get_mtu,
+			.set_mtu = _set_mtu,
+			.get_name = _get_name,
+			.set_address = _set_address,
+			.up = _up,
+			.destroy = _destroy,
+		},
+		.tunfd = -1,
+		.sock = -1,
+	);
+
+	strncpy(this->if_name, name_tmpl ?: "tun%d", IFNAMSIZ);
+	this->if_name[IFNAMSIZ-1] = '\0';
+
+	this->tunfd = tun_alloc(this->if_name);
+	if (this->tunfd < 0)
+	{
+		destroy(this);
+		return NULL;
+	}
+	DBG1(DBG_LIB, "created TUN device: %s", this->if_name);
+
+	this->sock = socket(AF_INET, SOCK_DGRAM, 0);
+	if (this->sock < 0)
+	{
+		DBG1(DBG_LIB, "failed to open socket to configure TUN device");
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/utils/tun_device.h b/src/libstrongswan/utils/tun_device.h
new file mode 100644
index 000000000..71af0386b
--- /dev/null
+++ b/src/libstrongswan/utils/tun_device.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tun_device tun_device
+ * @{ @ingroup utils
+ */
+
+#ifndef TUN_DEVICE_H_
+#define TUN_DEVICE_H_
+
+#include <library.h>
+#include <utils/host.h>
+
+typedef struct tun_device_t tun_device_t;
+
+/**
+ * Class to create TUN devices
+ *
+ * Creating such a device requires the CAP_NET_ADMIN capability.
+ *
+ * @note The implementation is currently very Linux specific
+ */
+struct tun_device_t {
+
+	/**
+	 * Read a packet from the TUN device
+	 *
+	 * @note This call blocks until a packet is available. It is a thread
+	 * cancellation point.
+	 *
+	 * @param packet		the packet read from the device
+	 * @return				TRUE if successful
+	 */
+	bool (*read_packet)(tun_device_t *this, chunk_t *packet);
+
+	/**
+	 * Write a packet to the TUN device
+	 *
+	 * @param packet		the packet to write to the TUN device
+	 * @return				TRUE if successful
+	 */
+	bool (*write_packet)(tun_device_t *this, chunk_t packet);
+
+	/**
+	 * Set the IP address of the device
+	 *
+	 * @param addr			the desired interface address
+	 * @param netmask		the netmask to use
+	 * @return				TRUE if operation successful
+	 */
+	bool (*set_address)(tun_device_t *this, host_t *addr, u_int8_t netmask);
+
+	/**
+	 * Bring the TUN device up
+	 *
+	 * @return				TRUE if operation successful
+	 */
+	bool (*up)(tun_device_t *this);
+
+	/**
+	 * Set the MTU for this TUN device
+	 *
+	 * @param mtu			new MTU
+	 * @return				TRUE if operation successful
+	 */
+	bool (*set_mtu)(tun_device_t *this, int mtu);
+
+	/**
+	 * Get the current MTU for this TUN device
+	 *
+	 * @return				current MTU
+	 */
+	int (*get_mtu)(tun_device_t *this);
+
+	/**
+	 * Get the interface name of this device
+	 *
+	 * @return				interface name
+	 */
+	char *(*get_name)(tun_device_t *this);
+
+	/**
+	 * Destroy a tun_device_t
+	 */
+	void (*destroy)(tun_device_t *this);
+
+};
+
+/**
+ * Create a TUN device using the given name template.
+ *
+ * @param name_tmpl			name template, defaults to "tun%d" if not given
+ * @return					TUN device
+ */
+tun_device_t *tun_device_create(const char *name_tmpl);
+
+#endif /** TUN_DEVICE_H_ @}*/