116 files changed, 0 insertions, 17695 deletions
diff --git a/programs/_confread/.cvsignore b/programs/_confread/.cvsignore deleted file mode 100644 index 405492384..000000000 --- a/programs/_confread/.cvsignore +++ /dev/null @@ -1,7 +0,0 @@ -_confread -ipsec.conf -block -clear -private -clear-or-private -private-or-clear diff --git a/programs/_confread/Makefile b/programs/_confread/Makefile deleted file mode 100644 index 1bdc9a3f0..000000000 --- a/programs/_confread/Makefile +++ /dev/null @@ -1,27 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.2 2004/03/31 19:23:00 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=_confread -PROGRAMDIR=${LIBDIR} -EXTRA5MAN=ipsec.conf.5 -CONFFILES=ipsec.conf - -CONFDSUBDIR=policies -CONFDFILES=clear clear-or-private private-or-clear private block - -include ../Makefile.program diff --git a/programs/_confread/README.conf.V2 b/programs/_confread/README.conf.V2 deleted file mode 100644 index 244e245c5..000000000 --- a/programs/_confread/README.conf.V2 +++ /dev/null 
@@ -1,103 +0,0 @@ -Subject: [Design] changes to ipsec.conf -# RCSID $Id: README.conf.V2,v 1.1 2004/03/15 20:35:27 as Exp $ - -We are changing ipsec.conf for the 2.0 series of FreeS/WAN. - -OE is enabled by default. This is accomplished by automatically -defining a conn "OEself" UNLESS the sysadmin defines one with the same -name: - -conn OEself - # authby=rsasig # default - left=%defaultroute - leftrsasigkey=%dnsondemand # default - right=%opportunistic - rightrsasigkey=%dnsondemand # default - keyingtries=3 - ikelifetime=1h - keylife=1h # default - rekey=no - # disablearrivalcheck=no # default - auto=route - -This will only work if %defaultroute works. -The leftid will be the resulting IP address (won't work if -you haven't filled in the reverse DNS entry). -Unlike other conns, nothing in this implicit conn is changed by conn %default. - -We'd like a better name. A conn name starting with % cannot be -defined by the sysadmin, so that is out. Names that haven't grabbed -us: OEhost, OElocalhost, OEthishost, OEforself, OE4self. - -There is no requirement to have /etc/ipsec.conf. If you do, the first -significant line (non-blank, non-comment) must be (not indented): -version 2.0 -This signifies that the file was intended for FreeS/WAN version 2.0. - - -The following table shows most changes. "-" means that the option -doesn't exist. "Recent Boilerplate" shows the effect of the "conn -%default" in the automatically installed /etc/ipsec.conf (not -installed if you already had one). 
- -Option Old Default Recent Boilerplate New Default -====== =========== ================== =========== - -config setup: -interfaces "" %defaultroute %defaultroute -plutoload "" %search - [same as %search] -plutostart "" %search - [same as %search] -uniqueids no yes yes -rp_filter - - 0 -plutowait yes yes no -dump no no - [use dumpdir] -plutobackgroundload ignored ignored - -no_eroute_pass no no - [use packetdefault] - -conn %default: -keyingtries 3 0 %forever [0 means this] -disablearrivalcheck yes no no -authby secret rsasig rsasig -leftrsasigkey "" %dnsondemand %dnsondemand -rightrsasigkey "" %dnsondemand %dnsondemand -lifetime ==keylife ==keylife - [use keylife] -rekeystart ==rekeymargin ==rekeymargin - [use rekeymargin] -rekeytries ==keyingtries ==keyingtries - [use keyingtries] - -====== =========== ================== =========== -Option Old Default Recent Boilerplate New Default - - -The auto= mechanism has been extended to support manual conns. If you -specify auto=manual in a conn, an "ipsec manual" will be performed on -it at startup (ipsec setup start). - - -There is a new config setup option "rp_filter". It controls - /proc/sys/net/ipv4/conf/PHYS/rp_filter -for each PHYSical IP interface used by FreeS/WAN. Settings are: - %unchanged do not touch (but warn if wrong) - 0 set to 0; default; means: no filtering - 1 set to 1; means: loose filter - 2 set to 1; means: strict filter -0 is often necessary for FreeS/WAN to function. Some folks -want other settings. Shutting down FreeS/WAN does not restore -the original value. - -Currently ikelife defaults to 1 hour and keylife defaults to 8 hours. -There have been some rumblings that these are the wrong defaults, but -it isn't clear what would be best. Perhaps both should be closer. -Any thoughts of what these should be? Any Road Warrior or OE conn -should probably have carefully thought-out values explicitly -specified. The settings don't matter much for VPN connections. 
- -keyingtries=%forever is the new improved notation for keyingtries=0. -Eventually the 0 notation will be eliminated. - -Some options can now be set to %none to signify no setting. Otherwise -there would be no way for the user to override a default setting: - leftrsasigkey, rightrsasigkey [added in 1.98] - interfaces - -Hugh Redelmeier -hugh@mimosa.com voice: +1 416 482-8253 diff --git a/programs/_confread/_confread.8 b/programs/_confread/_confread.8 deleted file mode 100644 index 20d92a002..000000000 --- a/programs/_confread/_confread.8 +++ /dev/null @@ -1,28 +0,0 @@ -.TH _CONFREAD 8 "25 Apr 2002" -.\" -.\" RCSID $Id: _confread.8,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec _confread \- internal routing to parse config file -.SH DESCRIPTION -.I _confread -is an internal script used for parsing /etc/ipsec.conf into a canonical format. -.SH "SEE ALSO" -ipsec(8), ipsec_conf(8) -.SH HISTORY -Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/> -by Michael Richardson. Program written by Henry Spencer. -.\" -.\" $Log: _confread.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.3 2002/09/16 01:28:43 dhr -.\" -.\" typo -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" -.\" diff --git a/programs/_confread/_confread.in b/programs/_confread/_confread.in deleted file mode 100755 index 4561af9fe..000000000 --- a/programs/_confread/_confread.in +++ /dev/null 
@@ -1,520 +0,0 @@ -#!/bin/sh -# configuration-file reader utility -# Copyright (C) 1999-2002 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _confread.in,v 1.15 2006/04/20 04:42:12 as Exp $ -# -# Extract configuration info from /etc/ipsec.conf, repackage as assignments -# to shell variables or tab-delimited fields. Success or failure is reported -# inline, as extra data, due to the vagaries of shell backquote handling. -# In the absence of --varprefix, output is tab-separated fields, like: -# = sectionname -# : parameter value -# ! status (empty for success, else complaint) -# In the presence of (say) "--varprefix IPSEC", output is like: -# IPSEC_confreadsection="sectionname" -# IPSECparameter="value" -# IPSEC_confreadstatus="status" (same empty/complaint convention) -# -# The "--search parametername" option inverts the search: instead of -# yielding the parameters of the specified name(s), it yields the names -# of sections with parameter <parametername> having (one of) the -# specified value(s). In this case, --varprefix output is a list of -# names in the <prefix>_confreadnames variable. Search values with -# white space in them are currently not handled properly. 
-# -# Typical usage: -# eval `ipsec _confread --varprefix IPSEC --type config setup` -# if test " $IPSEC_confreadstatus" != " " -# then -# echo "$0: $IPSEC_confreadstatus -- aborting" 2>&1 -# exit 1 -# fi - -# absent default config file treated as empty -config=${IPSEC_CONFS-@FINALCONFDIR@}/ipsec.conf -if test ! -f "$config" ; then config=/dev/null ; fi - -include=yes -type=conn -fieldfmt=yes -prefix= -search= -export=0 -version= -optional=0 -me="ipsec _confread" - -for dummy -do - case "$1" in - --config) config="$2" ; shift ;; - --noinclude) include= ;; - --type) type="$2" ; shift ;; - --varprefix) fieldfmt= - prefix="$2" - shift ;; - --export) export=1 ;; - --search) search="$2" ; shift ;; - --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; - --optional) optional=1 ;; - --) shift ; break ;; - -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - -if test "$include" -then - ipsec _include --inband $config -else - cat $config -fi | -awk 'BEGIN { - type = "'"$type"'" - names = "'"$*"'" - prefix = "'"$prefix"'" - export = "'"$export"'" - optional = 0 + '"$optional"' - myid = "'"$IPSECmyid"'" - search = "'"$search"'" - searching = 0 - if (search != "") { - searching = 1 - searchpat = search "[ \t]*=[ \t]*" - } - fieldfmt = 0 - if ("'"$fieldfmt"'" == "yes") - fieldfmt = 1 - including = 0 - if ("'"$include"'" == "yes") - including = 1 - filename = "'"$config"'" - lineno = 0 - originalfilename = filename - if (fieldfmt) - bq = eq = "\"" - else - bq = eq = "\\\"" - failed = 0 - insection = 0 - wrongtype = 0 - indefault = 0 - outputting = 0 - sawnondefault = 0 - OFS = "\t" - o_status = "!" - o_parm = ":" - o_section = "=" - o_names = "%" - o_end = "." 
- n = split(names, na, " ") - if (n == 0) - fail("no section names supplied") - for (i = 1; i <= n; i++) { - if (na[i] in wanted) - fail("section " bq na[i] eq " requested more than once") - wanted[na[i]] = 1 - pending[na[i]] = 1 - if (!searching && na[i] !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/) - fail("invalid section name " bq na[i] eq) - } - - good = "also alsoflip type auto authby _plutodevel" - left = " left leftsubnet leftnexthop leftfirewall lefthostaccess leftupdown" - akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz" - akey = akey " dpdaction dpddelay dpdtimeout" - akey = akey " pfsgroup compress" - akey = akey " keyingtries ikelifetime disablearrivalcheck failureshunt ike" - mkey = " spibase spi esp espenckey espauthkey espreplay_window" - left = left " leftespenckey leftespauthkey leftahkey" - left = left " leftespspi leftahspi leftid leftrsasigkey leftrsasigkey2" - left = left " leftsendcert leftcert leftca leftsubnetwithin leftprotoport" - left = left " leftgroups leftsourceip" - mkey = mkey " ah ahkey ahreplay_window" - right = left - gsub(/left/, "right", right) - n = split(good left right akey mkey, g) - for (i = 1; i <= n; i++) - goodnames["conn:" g[i]] = 1 - - good = "also interfaces forwardcontrol myid" - good = good " syslog klipsdebug plutodebug plutoopts plutostderrlog" - good = good " plutorestartoncrash" - good = good " dumpdir manualstart pluto" - good = good " plutowait prepluto postpluto" - good = good " fragicmp hidetos rp_filter uniqueids" - good = good " overridemtu pkcs11module pkcs11keepstate pkcs11proxy" - good = good " nocrsend strictcrlpolicy crlcheckinterval cachecrls" - good = good " nat_traversal keep_alive force_keepalive" - good = good " disable_port_floating virtual_private" - - n = split(good, g) - for (i = 1; i <= n; i++) - goodnames["config:" g[i]] = 1 - - good = "auto cacert ldaphost ldapbase crluri crluri2 ocspuri" - good = good " strictcrlpolicy" - - n = split(good, g) - for (i = 1; i <= n; i++) - 
goodnames["ca:" g[i]] = 1 - - goodtypes["conn"] = 1 - goodtypes["config"] = 1 - goodtypes["ca"] = 1 - - badchars = "" - for (i = 1; i < 32; i++) - badchars = badchars sprintf("%c", i) - for (i = 127; i < 128+32; i++) - badchars = badchars sprintf("%c", i) - badchar = "[" badchars "]" - - # if searching, seen is set of sectionnames which match - # if not searching, seen is set of parameter names found - seen[""] = "" - defaults[""] = "" - usesdefault[""] = "" - orientation = 1 -} - - - -function output(code, v1, v2) { - if (code == o_parm) { - if (v2 == "") # suppress empty parameters - return - if (privatename(v1)) # and private ones - return - if (v2 ~ badchar) - fail("parameter value " bq v2 eq " contains unprintable character") - } - - if (fieldfmt) { - print code, v1, v2 - return - } - - if (code == o_status) { - v2 = v1 - v1 = "_confreadstatus" - } else if (code == o_section) { - v2 = v1 - v1 = "_confreadsection" - } else if (code == o_names) { - v2 = v1 - v1 = "_confreadnames" - } else if (code != o_parm) - return # currently no variable version of o_end - - print prefix v1 "=\"" v2 "\"" - if (export) - print "export " prefix v1 -} -function searchfound(sectionname, n, i, reflist) { - # a hit in x is a hit in everybody who refers to x too - n = split(refsto[sectionname], reflist, ";") - for (i = 1; i <= n; i++) - if (reflist[i] in seen) - fail("duplicated parameter " bq search eq) - else - seen[reflist[i]] = 1 - seen[sectionname] = 1 -} -function fail(msg) { - output(o_status, ("(" filename ", line " lineno ") " msg)) - failed = 1 - while ((getline junk) > 0) - continue - exit -} -function badname(n) { - if ((type ":" n) in goodnames) - return 0 - if (privatename(n)) - return 0 - return 1 -} -function privatename(n) { - if (n ~ /^[xX][-_]/) - return 1 - return 0 -} -function orient(n) { - if (orientation == -1) { - if (n ~ /left/) - gsub(/left/, "right", n) - else if (n ~ /right/) - gsub(/right/, "left", n) - } - return n -} -# in searching, referencing is 
transitive: xyz->from->to -function chainref(from, to, i, reflist, listnum) { - if (from in refsto) { - listnum = split(refsto[from], reflist, ";") - for (i = 1; i <= listnum; i++) - chainref(reflist[i], to) - } - if (to in refsto) - refsto[to] = refsto[to] ";" from - else - refsto[to] = from -} - -# start of rules - -{ - lineno++ - # lineno is now the number of this line - - # we must remember indentation because comment stripping loses it - exdented = $0 !~ /^[ \t]/ - sub(/^[ \t]+/, "") # get rid of leading white space - sub(/[ \t]+$/, "") # get rid of trailing white space -} -including && $0 ~ /^#[<>:]/ { - # _include control line - if ($1 ~ /^#[<>]$/) { - filename = $2 - lineno = $3 - 1 - } else if ($0 ~ /^#:/) { - msg = substr($0, 3) - gsub(/"/, "\\\"", msg) - fail(msg) - } - next -} -exdented { - # any non-leading-white-space line is a section end - ### but not the end of relevant stuff, might be also= sections later - ###if (insection && !indefault && !searching && outputting) - ### output(o_end) - insection = 0 - wrongtype = 0 - indefault = 0 - outputting = 0 -} -/[ \t]#/ { - # strip trailing comments including the leading whitespace - # tricky because we must respect quotes - q = 0 - for (i = 1; i <= NF; i++) { - if ($i ~ /^#/ && q % 2 == 0) { - NF = i - 1; - break - } - # using $i in gsub loses whitespace?!? 
- junk = $i - q += gsub(/"/, "&", junk) - } -} -$0 == "" || $0 ~ /^#/ { - # empty lines and comments are ignored - next -} -exdented && NF != 2 { - # bad section header - fail("section header " bq $0 eq " has wrong number of fields (" NF ")") -} -exdented && $1 == "version" { - version = $2 + 0 - if (version < 2.0 || 2.0 < version) - fail("we only support version 2.0 ipsec.conf files, not " bq version eq) - next -} -version == "" { - fail("we only support version 2 ipsec.conf files") -} -exdented && !($1 in goodtypes) { - # unknown section type - fail("section type " bq $1 eq " not recognized") -} -exdented && $1 != type { - # section header, but not of the type we want - insection = 1 - wrongtype = 1 - next -} -extented { - # type fits - wrongtype = 0 -} -exdented && $1 == "config" && $2 != "setup" { - fail("unknown config section " bq $2 eq) -} -exdented && $2 != "%default" { - # non-default section header of our type - sawnondefault = 1 -} -exdented && searching && $2 != "%default" { - # section header, during search - insection = 1 - sectionname = $2 - usesdefault[sectionname] = 1 # tentatively - next -} -exdented && !searching && $2 in wanted { - # one of our wanted section headers - if (!($2 in pending)) - fail("duplicate " type " section " bq $2 eq) - delete pending[$2] - tag = bq type " " $2 eq - outputting = 1 - insection = 1 - orientation = wanted[$2] - output(o_section, $2) - next -} -exdented && $2 == "%default" { - # relevant default section header - if (sawnondefault) - fail(bq $1 " %default" eq " sections must precede non-default ones") - tag = bq type " " $2 eq - indefault = 1 - next -} -exdented { - # section header, but not one we want - insection = 1 - next -} -!insection && !indefault { - # starts with white space but not in a section... 
oops - fail("parameter is not within a section") -} -!wrongtype && searching && $0 ~ searchpat { - # search found the right parameter name - match($0, searchpat) - rest = substr($0, RLENGTH+1) - if (rest ~ /^".*"$/) - rest = substr(rest, 2, length(rest)-2) - if (!indefault) { - if (!usesdefault[sectionname]) - fail("duplicated parameter " bq search eq) - usesdefault[sectionname] = 0 - } else if (search in defaults) - fail("duplicated parameter " bq search eq) - if (rest in wanted) { # a hit - if (indefault) - defaults[search] = rest - else - searchfound(sectionname) - } else { - # rather a kludge, but must check this somewhere - if (search == "auto" && rest !~ /^(add|route|start|ignore|manual)$/) - fail("illegal auto value " bq rest eq) - } - next -} -!searching && !outputting && !indefault { - # uninteresting line - next -} -$0 ~ /"/ && $0 !~ /^[^=]+=[ \t]*"[^"]*"$/ { - if (!searching) - fail("mismatched quotes in parameter value") - else - gsub(/"/, "", $0) -} -$0 !~ /^[a-zA-Z_][a-zA-Z0-9_-]*[ \t]*=/ { - if (searching) - next # just ignore it - fail("syntax error or illegal parameter name") -} -{ - sub(/[ \t]*=[ \t]*/, "=") # get rid of white space around = -} -$0 ~ /^(also|alsoflip)=/ { - v = orientation - if ($0 ~ /^alsoflip/) - v = -v; - if (indefault) - fail("%default section may not contain " bq "also" eq " or " bq "alsoflip" eq " parameter") - sub(/^(also|alsoflip)=/, "") - if ($0 !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/) - fail("invalid section name " bq $0 eq) - if (!searching) { - if ($0 in wanted) - fail("section " bq $0 eq " requested more than once") - wanted[$0] = v - pending[$0] = 1 - } else - chainref(sectionname, $0) - next -} -!outputting && !indefault { - # uninteresting line even for a search - next -} -{ - equal = match($0, /[=]/) - name = substr($0, 1, equal-1) - if (badname(name)) - fail("unknown parameter name " bq name eq) - value = substr($0, equal+1) - if (value ~ /^"/) - value = substr(value, 2, length(value)-2) - else if (value ~ /[ \t]/) - 
fail("white space within non-quoted parameter " bq name eq) -} -indefault { - if (name in defaults) - fail("duplicated default parameter " bq name eq) - defaults[name] = value - next -} -{ - name = orient(name) - if (name in seen) - fail("duplicated parameter " bq name eq) - seen[name] = 1 - output(o_parm, name, value) -} -END { - if (failed) - exit 1 - - filename = originalfilename - unseen = "" - for (i in pending) - unseen = unseen " " i - if (!optional && !searching && unseen != "") - fail("did not find " type " section(s) " bq substr(unseen, 2) eq) - if (!searching) { - for (name in defaults) - if (!(name in seen)) - output(o_parm, name, defaults[name]) - } else { - if (defaults[search] in wanted) - for (name in usesdefault) - if (usesdefault[name]) - seen[name] = 1 - delete seen[""] - if (fieldfmt) - for (name in seen) - output(o_section, name) - else { - outlist = "" - for (name in seen) - if (outlist == "") - outlist = name - else - outlist = outlist " " name - output(o_names, outlist) - } - } - output(o_status, "") -}' diff --git a/programs/_confread/block.in b/programs/_confread/block.in deleted file mode 100644 index e3a4b2dd5..000000000 --- a/programs/_confread/block.in +++ /dev/null @@ -1,8 +0,0 @@ -# This file defines the set of CIDRs (network/mask-length) to which -# communication should never be allowed. -# -# See @FINALDOCDIR@/policygroups.html for details. -# -# $Id: block.in,v 1.1 2004/03/15 20:35:27 as Exp $ -# - diff --git a/programs/_confread/clear-or-private.in b/programs/_confread/clear-or-private.in deleted file mode 100644 index 800093d94..000000000 --- a/programs/_confread/clear-or-private.in +++ /dev/null 
@@ -1,8 +0,0 @@ -# This file defines the set of CIDRs (network/mask-length) to which -# we will communicate in the clear, or, if the other side initiates IPSEC, -# using encryption. This behaviour is also called "Opportunistic Responder". -# -# See @FINALDOCDIR@/policygroups.html for details. -# -# $Id: clear-or-private.in,v 1.1 2004/03/15 20:35:27 as Exp $ -# diff --git a/programs/_confread/clear.in b/programs/_confread/clear.in deleted file mode 100644 index 46e63388e..000000000 --- a/programs/_confread/clear.in +++ /dev/null @@ -1,7 +0,0 @@ -# This file defines the set of CIDRs (network/mask-length) to which -# communication should always be in the clear. -# -# See @FINALDOCDIR@/policygroups.html for details. -# -# $Id: clear.in,v 1.1 2004/03/15 20:35:27 as Exp $ -# diff --git a/programs/_confread/ipsec.conf.5 b/programs/_confread/ipsec.conf.5 deleted file mode 100644 index af6fae6bd..000000000 --- a/programs/_confread/ipsec.conf.5 +++ /dev/null 
@@ -1,1286 +0,0 @@ -.TH IPSEC.CONF 5 "20 Jan 2006" -.\" RCSID $Id: ipsec.conf.5,v 1.2 2006/01/22 15:33:46 as Exp $ -.SH NAME -ipsec.conf \- IPsec configuration and connections -.SH DESCRIPTION -The optional -.I ipsec.conf -file -specifies most configuration and control information for the -strongSwan IPsec subsystem. -(The major exception is secrets for authentication; -see -.IR ipsec.secrets (5).) -Its contents are not security-sensitive -.I unless -manual keying is being done for more than just testing, -in which case the encryption/authentication keys in the -descriptions for the manually-keyed connections are very sensitive -(and those connection descriptions -are probably best kept in a separate file, -via the include facility described below). -.PP -The file is a text file, consisting of one or more -.IR sections . -White space followed by -.B # -followed by anything to the end of the line -is a comment and is ignored, -as are empty lines which are not within a section. -.PP -A line which contains -.B include -and a file name, separated by white space, -is replaced by the contents of that file, -preceded and followed by empty lines. -If the file name is not a full pathname, -it is considered to be relative to the directory containing the -including file. -Such inclusions can be nested. -Only a single filename may be supplied, and it may not contain white space, -but it may include shell wildcards (see -.IR sh (1)); -for example: -.PP -.B include -.B "ipsec.*.conf" -.PP -The intention of the include facility is mostly to permit keeping -information on connections, or sets of connections, -separate from the main configuration file. -This permits such connection descriptions to be changed, -copied to the other security gateways involved, etc., -without having to constantly extract them from the configuration -file and then insert them back into it. -Note also the -.B also -parameter (described below) which permits splitting a single logical -section (e.g. 
a connection description) into several actual sections. -.PP -The first significant line of the file must specify the version -of this specification that it conforms to: -.PP -\fBversion 2\fP -.PP -A section -begins with a line of the form: -.PP -.I type -.I name -.PP -where -.I type -indicates what type of section follows, and -.I name -is an arbitrary name which distinguishes the section from others -of the same type. -(Names must start with a letter and may contain only -letters, digits, periods, underscores, and hyphens.) -All subsequent non-empty lines -which begin with white space are part of the section; -comments within a section must begin with white space too. -There may be only one section of a given type with a given name. -.PP -Lines within the section are generally of the form -.PP -\ \ \ \ \ \fIparameter\fB=\fIvalue\fR -.PP -(note the mandatory preceding white space). -There can be white space on either side of the -.BR = . -Parameter names follow the same syntax as section names, -and are specific to a section type. -Unless otherwise explicitly specified, -no parameter name may appear more than once in a section. -.PP -An empty -.I value -stands for the system default value (if any) of the parameter, -i.e. it is roughly equivalent to omitting the parameter line entirely. -A -.I value -may contain white space only if the entire -.I value -is enclosed in double quotes (\fB"\fR); -a -.I value -cannot itself contain a double quote, -nor may it be continued across more than one line. -.PP -Numeric values are specified to be either an ``integer'' -(a sequence of digits) or a ``decimal number'' -(sequence of digits optionally followed by `.' and another sequence of digits). -.PP -There is currently one parameter which is available in any type of -section: -.TP -.B also -the value is a section name; -the parameters of that section are appended to this section, -as if they had been written as part of it. 
-The specified section must exist, must follow the current one, -and must have the same section type. -(Nesting is permitted, -and there may be more than one -.B also -in a single section, -although it is forbidden to append the same section more than once.) -This allows, for example, keeping the encryption keys -for a connection in a separate file -from the rest of the description, by using both an -.B also -parameter and an -.B include -line. -.PP -Parameter names beginning with -.B x- -(or -.BR X- , -or -.BR x_ , -or -.BR X_ ) -are reserved for user extensions and will never be assigned meanings -by IPsec. -Parameters with such names must still observe the syntax rules -(limits on characters used in the name; -no white space in a non-quoted value; -no newlines or double quotes within the value). -All other as-yet-unused parameter names are reserved for future IPsec -improvements. -.PP -A section with name -.B %default -specifies defaults for sections of the same type. -For each parameter in it, -any section of that type which does not have a parameter of the same name -gets a copy of the one from the -.B %default -section. -There may be multiple -.B %default -sections of a given type, -but only one default may be supplied for any specific parameter name, -and all -.B %default -sections of a given type must precede all non-\c -.B %default -sections of that type. -.B %default -sections may not contain the -.B also -parameter. -.PP -Currently there are three types of sections: -a -.B config -section specifies general configuration information for IPsec, a -.B conn -section specifies an IPsec connection, while a -.B ca -section specifies special properties a certification authority. -.SH "CONN SECTIONS" -A -.B conn -section contains a -.IR "connection specification" , -defining a network connection to be made using IPsec. -The name given is arbitrary, and is used to identify the connection to -.IR ipsec_auto (8) -and -.IR ipsec_manual (8). 
-Here's a simple example: -.PP -.ne 10 -.nf -.ft B -.ta 1c -conn snt - left=10.11.11.1 - leftsubnet=10.0.1.0/24 - leftnexthop=172.16.55.66 - right=192.168.22.1 - rightsubnet=10.0.2.0/24 - rightnexthop=172.16.88.99 - keyingtries=%forever -.ft -.fi -.PP -A note on terminology... -In automatic keying, there are two kinds of communications going on: -transmission of user IP packets, and gateway-to-gateway negotiations for -keying, rekeying, and general control. -The data path (a set of ``IPsec SAs'') used for user packets is herein -referred to as the ``connection''; -the path used for negotiations (built with ``ISAKMP SAs'') is referred to as -the ``keying channel''. -.PP -To avoid trivial editing of the configuration file to suit it to each system -involved in a connection, -connection specifications are written in terms of -.I left -and -.I right -participants, -rather than in terms of local and remote. -Which participant is considered -.I left -or -.I right -is arbitrary; -IPsec figures out which one it is being run on based on internal information. -This permits using identical connection specifications on both ends. -There are cases where there is no symmetry; a good convention is to -use -.I left -for the local side and -.I right -for the remote side (the first letters are a good mnemonic). -.PP -Many of the parameters relate to one participant or the other; -only the ones for -.I left -are listed here, but every parameter whose name begins with -.B left -has a -.B right -counterpart, -whose description is the same but with -.B left -and -.B right -reversed. -.PP -Parameters are optional unless marked ``(required)''; -a parameter required for manual keying need not be included for -a connection which will use only automatic keying, and vice versa. -.SS "CONN PARAMETERS: GENERAL" -The following parameters are relevant to both automatic and manual keying. 
-Unless otherwise noted, -for a connection to work, -in general it is necessary for the two ends to agree exactly -on the values of these parameters. -.TP 14 -.B type -the type of the connection; currently the accepted values -are -.B tunnel -(the default) -signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; -.BR transport , -signifying host-to-host transport mode; -.BR passthrough , -signifying that no IPsec processing should be done at all; -.BR drop , -signifying that packets should be discarded; and -.BR reject , -signifying that packets should be discarded and a diagnostic ICMP returned. -.TP -.B left -(required) -the IP address of the left participant's public-network interface, -in any form accepted by -.IR ipsec_ttoaddr (3) -or one of several magic values. -If it is -.BR %defaultroute , -and -the -.B config -.B setup -section's, -.B interfaces -specification contains -.BR %defaultroute, -.B left -will be filled in automatically with the local address -of the default-route interface (as determined at IPsec startup time); -this also overrides any value supplied for -.BR leftnexthop . -(Either -.B left -or -.B right -may be -.BR %defaultroute , -but not both.) -The value -.B %any -signifies an address to be filled in (by automatic keying) during -negotiation. -The value -.B %opportunistic -signifies that both -.B left -and -.B leftnexthop -are to be filled in (by automatic keying) from DNS data for -.BR left 's -client. -The values -.B %group -and -.B %opportunisticgroup -makes this a policy group conn: one that will be instantiated -into a regular or opportunistic conn for each CIDR block listed in the -policy group file with the same name as the conn. 
-.TP -.B leftsubnet -private subnet behind the left participant, expressed as -\fInetwork\fB/\fInetmask\fR -(actually, any form acceptable to -.IR ipsec_ttosubnet (3)); -if omitted, essentially assumed to be \fIleft\fB/32\fR, -signifying that the left end of the connection goes to the left participant only -.TP -.B leftnexthop -next-hop gateway IP address for the left participant's connection -to the public network; -defaults to -.B %direct -(meaning -.IR right ). -If the value is to be overridden by the -.B left=%defaultroute -method (see above), -an explicit value must -.I not -be given. -If that method is not being used, -but -.B leftnexthop -is -.BR %defaultroute , -and -.B interfaces=%defaultroute -is used in the -.B config -.B setup -section, -the next-hop gateway address of the default-route interface -will be used. -The magic value -.B %direct -signifies a value to be filled in (by automatic keying) -with the peer's address. -Relevant only locally, other end need not agree on it. -.TP -.B leftupdown -what ``updown'' script to run to adjust routing and/or firewalling -when the status of the connection -changes (default -.BR "ipsec _updown" ). -May include positional parameters separated by white space -(although this requires enclosing the whole string in quotes); -including shell metacharacters is unwise. -See -.IR ipsec_pluto (8) -for details. -Relevant only locally, other end need not agree on it. -.TP -.B leftfirewall -whether the left participant is doing forwarding-firewalling -(including masquerading) for traffic from \fIleftsubnet\fR, -which should be turned off (for traffic to the other subnet) -once the connection is established; -acceptable values are -.B yes -and (the default) -.BR no . -May not be used in the same connection description with -.BR leftupdown . -Implemented as a parameter to the default -.I updown -script. -See notes below. -Relevant only locally, other end need not agree on it. 
-.PP -If one or both security gateways are doing forwarding firewalling -(possibly including masquerading), -and this is specified using the firewall parameters, -tunnels established with IPsec are exempted from it -so that packets can flow unchanged through the tunnels. -(This means that all subnets connected in this manner must have -distinct, non-overlapping subnet address blocks.) -This is done by the default -.I updown -script (see -.IR ipsec_pluto (8)). -.PP -The implementation of this makes certain assumptions about firewall setup, -notably the use of the old -.I ipfwadm -interface to the firewall. -In situations calling for more control, -it may be preferable for the user to supply his own -.I updown -script, -which makes the appropriate adjustments for his system. -.SS "CONN PARAMETERS: AUTOMATIC KEYING" -The following parameters are relevant only to automatic keying, -and are ignored in manual keying. -Unless otherwise noted, -for a connection to work, -in general it is necessary for the two ends to agree exactly -on the values of these parameters. -.TP 14 -.B auto -what operation, if any, should be done automatically at IPsec startup; -currently-accepted values are -.B add -(signifying an -.B ipsec auto -.BR \-\-add ), -.B route -(signifying that plus an -.B ipsec auto -.BR \-\-route ), -.B start -(signifying that plus an -.B ipsec auto -.BR \-\-up ), -.B manual -(signifying an -.B ipsec -.B manual -.BR \-\-up ), -and -.B ignore -(also the default) (signifying no automatic startup operation). -See the -.B config -.B setup -discussion below. -Relevant only locally, other end need not agree on it -(but in general, for an intended-to-be-permanent connection, -both ends should use -.B auto=start -to ensure that any reboot causes immediate renegotiation). -.TP -.B auth -whether authentication should be done as part of -ESP encryption, or separately using the AH protocol; -acceptable values are -.B esp -(the default) and -.BR ah . 
-.TP -.B authby -how the two security gateways should authenticate each other; -acceptable values are -.B secret -for shared secrets, -.B rsasig -for RSA digital signatures (the default), -.B secret|rsasig -for either, and -.B never -if negotiation is never to be attempted or accepted (useful for shunt-only conns). -Digital signatures are superior in every way to shared secrets. -.TP -.B compress -whether IPComp compression of content is proposed on the connection -(link-level compression does not work on encrypted data, -so to be effective, compression must be done \fIbefore\fR encryption); -acceptable values are -.B yes -and -.B no -(the default). -The two ends need not agree. -A value of -.B yes -causes IPsec to propose both compressed and uncompressed, -and prefer compressed. -A value of -.B no -prevents IPsec from proposing compression; -a proposal to compress will still be accepted. -.TP -.B disablearrivalcheck -whether KLIPS's normal tunnel-exit check -(that a packet emerging from a tunnel has plausible addresses in its header) -should be disabled; -acceptable values are -.B yes -and -.B no -(the default). -Tunnel-exit checks improve security and do not break any normal configuration. -Relevant only locally, other end need not agree on it. -.TP -.B dpdaction -controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where -R_U_THERE IKE notification messages are periodically sent in order to check the -liveliness of the IPsec peer. The default is.. -.B none -which disables the active sending of R_U_THERE notifications. -Nevertheless pluto will always send the DPD Vendor ID during connection set up -in order to signal the readiness to act passively as a responder if the peer -wants to use DPD. The values -.B clear -and -.B hold -both activate DPD. If no activity is detected, all connections with a dead peer -are stopped and unrouted ( -.B clear -) or put in the hold state ( -.B hold -). 
-.TP -.B dpddelay -defines the period time interval with which R_U_THERE messages are sent to the peer. -.TP -.B dpdtimeout -defines the timeout interval, after which all connections to a peer are deleted -in case of inactivity. -.TP -.B failureshunt -what to do with packets when negotiation fails. -The default is -.BR none : -no shunt; -.BR passthrough , -.BR drop , -and -.B reject -have the obvious meanings. -.TP -.B ikelifetime -how long the keying channel of a connection (buzzphrase: ``ISAKMP SA'') -should last before being renegotiated; -acceptable values as for -.B keyexchange -method of key exchange; -the default and currently the only accepted value is -.B ike -.TP -.B keylife -(default set by -.IR ipsec_pluto (8), -currently -.BR 3h , -maximum -.BR 24h ). -The two-ends-disagree case is similar to that of -.BR keylife . -.TP -.B keyingtries -how many attempts (a whole number or \fB%forever\fP) should be made to -negotiate a connection, or a replacement for one, before giving up -(default -.BR %forever ). -The value \fB%forever\fP -means ``never give up'' (obsolete: this can be written \fB0\fP). -Relevant only locally, other end need not agree on it. -.TP -.B keylife -how long a particular instance of a connection -(a set of encryption/authentication keys for user packets) should last, -from successful negotiation to expiry; -acceptable values are an integer optionally followed by -.BR s -(a time in seconds) -or a decimal number followed by -.BR m , -.BR h , -or -.B d -(a time -in minutes, hours, or days respectively) -(default -.BR 1h , -maximum -.BR 24h ). -Normally, the connection is renegotiated (via the keying channel) -before it expires. -The two ends need not exactly agree on -.BR keylife , -although if they do not, -there will be some clutter of superseded connections on the end -which thinks the lifetime is longer. 
-.TP -.B leftca -the distinguished name of a certificate authority which is required to -lie in the trust path going from the left participant's certificate up -to the root certification authority. -.TP -.B leftcert -the path to the left participant's X.509 certificate. The file can be coded either in -PEM or DER format. OpenPGP certificates are supported as well. -Both absolute paths or paths relative to -.B /etc/ipsec.d/certs -are accepted. By default -.B leftcert -sets -.B leftid -to the distinguished name of the certificate's subject and -.B leftca -to the distinguished name of the certificate's issuer. -The left participant's ID can be overriden by specifying a -.B leftid -value which must be certified by the certificate, though. -.TP -.B leftgroups -a comma separated list of group names. If the -.B leftgroups -parameter is present then the peer must be a member of at least one -of the groups defined by the parameter. Group membership must be certified -by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts\fP thas has been -issued to the peer by a trusted Authorization Authority stored in -\fI/etc/ipsec.d/aacerts\fP. -.TP -.B leftid -how -the left participant -should be identified for authentication; -defaults to -.BR left . -Can be an IP address (in any -.IR ipsec_ttoaddr (3) -syntax) -or a fully-qualified domain name preceded by -.B @ -(which is used as a literal string and not resolved). -The magic value -.B %myid -stands for the current setting of \fImyid\fP. -This is set in \fBconfig setup\fP or by \fIipsec_whack\fP(8)), or, if not set, -it is the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise -it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined. -.TP -.B leftrsasigkey -the left participant's -public key for RSA signature authentication, -in RFC 2537 format using -.IR ipsec_ttodata (3) -encoding. 
-The magic value -.B %none -means the same as not specifying a value (useful to override a default). -The value -.B %cert -(the default) -means that the key is extracted from a certificate. -The value -.B %dnsondemand -means the key is to be fetched from DNS at the time it is needed. -The value -.B %dnsonload -means the key is to be fetched from DNS at the time -the connection description is read from -.IR ipsec.conf ; -currently this will be treated as -.B %none -if -.B right=%any -or -.BR right=%opportunistic . -The value -.B %dns -is currently treated as -.B %dnsonload -but will change to -.B %dnsondemand -in the future. -The identity used for the left participant -must be a specific host, not -.B %any -or another magic value. -.B Caution: -if two connection descriptions -specify different public keys for the same -.BR leftid , -confusion and madness will ensue. -.TP -.B leftrsasigkey2 -if present, a second public key. -Either key can authenticate the signature, allowing for key rollover. -.TP -.B leftsourceip -.TP -.B leftsubnetwithin -.TP -.B pfs -whether Perfect Forward Secrecy of keys is desired on the connection's -keying channel -(with PFS, penetration of the key-exchange protocol -does not compromise keys negotiated earlier); -acceptable values are -.B yes -(the default) -and -.BR no . -.TP -.B rekey -whether a connection should be renegotiated when it is about to expire; -acceptable values are -.B yes -(the default) -and -.BR no . -The two ends need not agree, -but while a value of -.B no -prevents Pluto from requesting renegotiation, -it does not prevent responding to renegotiation requested from the other end, -so -.B no -will be largely ineffective unless both ends agree on it. 
-.TP -.B rekeyfuzz -maximum percentage by which -.B rekeymargin -should be randomly increased to randomize rekeying intervals -(important for hosts with many connections); -acceptable values are an integer, -which may exceed 100, -followed by a `%' -(default set by -.IR ipsec_pluto (8), -currently -.BR 100% ). -The value of -.BR rekeymargin , -after this random increase, -must not exceed -.BR keylife . -The value -.B 0% -will suppress time randomization. -Relevant only locally, other end need not agree on it. -.TP -.B rekeymargin -how long before connection expiry or keying-channel expiry -should attempts to -negotiate a replacement -begin; acceptable values as for -.B keylife -(default -.BR 9m ). -Relevant only locally, other end need not agree on it. -.SS "CONN PARAMETERS: MANUAL KEYING" -The following parameters are relevant only to manual keying, -and are ignored in automatic keying. -Unless otherwise noted, -for a connection to work, -in general it is necessary for the two ends to agree exactly -on the values of these parameters. -A manually-keyed -connection must specify at least one of AH or ESP. 
-.TP 14 -.B spi -(this or -.B spibase -required for manual keying) -the SPI number to be used for the connection (see -.IR ipsec_manual (8)); -must be of the form \fB0x\fIhex\fB\fR, -where -.I hex -is one or more hexadecimal digits -(note, it will generally be necessary to make -.I spi -at least -.B 0x100 -to be acceptable to KLIPS, -and use of SPIs in the range -.BR 0x100 - 0xfff -is recommended) -.TP 14 -.B spibase -(this or -.B spi -required for manual keying) -the base number for the SPIs to be used for the connection (see -.IR ipsec_manual (8)); -must be of the form \fB0x\fIhex\fB0\fR, -where -.I hex -is one or more hexadecimal digits -(note, it will generally be necessary to make -.I spibase -at least -.B 0x100 -for the resulting SPIs -to be acceptable to KLIPS, -and use of numbers in the range -.BR 0x100 - 0xff0 -is recommended) -.TP -.B esp -ESP encryption/authentication algorithm to be used -for the connection, e.g. -.B 3des-md5-96 -(must be suitable as a value of -.IR ipsec_spi (8)'s -.B \-\-esp -option); -default is not to use ESP -.TP -.B espenckey -ESP encryption key -(must be suitable as a value of -.IR ipsec_spi (8)'s -.B \-\-enckey -option) -(may be specified separately for each direction using -.B leftespenckey -(leftward SA) -and -.B rightespenckey -parameters) -.TP -.B espauthkey -ESP authentication key -(must be suitable as a value of -.IR ipsec_spi (8)'s -.B \-\-authkey -option) -(may be specified separately for each direction using -.B leftespauthkey -(leftward SA) -and -.B rightespauthkey -parameters) -.TP -.B espreplay_window -ESP replay-window setting, -an integer from -.B 0 -(the -.IR ipsec_manual -default, which turns off replay protection) to -.BR 64 ; -relevant only if ESP authentication is being used -.TP -.B leftespspi -SPI to be used for the leftward ESP SA, overriding -automatic assignment using -.B spi -or -.BR spibase ; -typically a hexadecimal number beginning with -.B 0x -.TP -.B ah -AH authentication algorithm to be used -for 
the connection, e.g. -.B hmac-md5-96 -(must be suitable as a value of -.IR ipsec_spi (8)'s -.B \-\-ah -option); -default is not to use AH -.TP -.B ahkey -(required if -.B ah -is present) AH authentication key -(must be suitable as a value of -.IR ipsec_spi (8)'s -.B \-\-authkey -option) -(may be specified separately for each direction using -.B leftahkey -(leftward SA) -and -.B rightahkey -parameters) -.TP -.B ahreplay_window -AH replay-window setting, -an integer from -.B 0 -(the -.I ipsec_manual -default, which turns off replay protection) to -.B 64 -.TP -.B leftahspi -SPI to be used for the leftward AH SA, overriding -automatic assignment using -.B spi -or -.BR spibase ; -typically a hexadecimal number beginning with -.B 0x -.SH "CA SECTIONS" -This are optional sections that can be used to assign special -parameters to a Certification Authority (CA). -.TP 10 -.B auto -currently can have either the value -.B ignore -or -.B add -. -.TP -.B cacert -defines a path to the CA certificate either relative to -\fI/etc/ipsec.d/cacerts\fP or as an absolute path. -.TP -.B crluri -defines a CRL distribution point (ldap, http, or file URI) -.TP -.B crluri2 -defines an alternative CRL distribution point (ldap, http, or file URI) -.TP -.B ldaphost -defines an ldap host. -.TP -.B ocspuri -defines an OCSP URI. -.SH "CONFIG SECTIONS" -At present, the only -.B config -section known to the IPsec software is the one named -.BR setup , -which contains information used when the software is being started -(see -.IR ipsec_setup (8)). -Here's an example: -.PP -.ne 8 -.nf -.ft B -.ta 1c -config setup - interfaces="ipsec0=eth1 ipsec1=ppp0" - klipsdebug=none - plutodebug=all - manualstart= -.ft -.fi -.PP -Parameters are optional unless marked ``(required)''. -The currently-accepted -.I parameter -names in a -.B config -.B setup -section are: -.TP 14 -.B myid -the identity to be used for -.BR %myid . 
-.B %myid -is used in the implicit policy group conns and can be used as -an identity in explicit conns. -If unspecified, -.B %myid -is set to the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise -the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined. -An explicit value generally starts with ``\fB@\fP''. -.TP -.B interfaces -virtual and physical interfaces for IPsec to use: -a single -\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated -by white space, or -.BR %none . -One of the pairs may be written as -.BR %defaultroute , -which means: find the interface \fId\fR that the default route points to, -and then act as if the value was ``\fBipsec0=\fId\fR''. -.B %defaultroute -is the default; -.B %none -must be used to denote no interfaces. -If -.B %defaultroute -is used (implicitly or explicitly) -information about the default route and its interface is noted for -use by -.IR ipsec_manual (8) -and -.IR ipsec_auto (8).) -.TP -.B forwardcontrol -whether -.I setup -should turn IP forwarding on -(if it's not already on) as IPsec is started, -and turn it off again (if it was off) as IPsec is stopped; -acceptable values are -.B yes -and (the default) -.BR no . -For this to have full effect, forwarding must be -disabled before the hardware interfaces are brought -up (e.g., -.B "net.ipv4.ip_forward\ =\ 0" -in Red Hat 6.x -.IR /etc/sysctl.conf ), -because IPsec doesn't get control early enough to do that. -.TP -.B rp_filter -whether and how -.I setup -should adjust the reverse path filtering mechanism for the -physical devices to be used. -Values are \fB%unchanged\fP (to leave it alone) -or \fB0\fP, \fB1\fP, \fB2\fP (values to set it to). -\fI/proc/sys/net/ipv4/conf/PHYS/rp_filter\fP -is badly documented; it must be \fB0\fP in many cases -for ipsec to function. -The default value for the parameter is \fB0\fP. 
-.TP -.B syslog -the -.IR syslog (2) -``facility'' name and priority to use for -startup/shutdown log messages, -default -.BR daemon.error . -.TP -.B klipsdebug -how much KLIPS debugging output should be logged. -An empty value, -or the magic value -.BR none , -means no debugging output (the default). -The magic value -.B all -means full output. -Otherwise only the specified types of output -(a quoted list, names separated by white space) are enabled; -for details on available debugging types, see -.IR ipsec_klipsdebug (8). -.TP -.B plutodebug -how much Pluto debugging output should be logged. -An empty value, -or the magic value -.BR none , -means no debugging output (the default). -The magic value -.B all -means full output. -Otherwise only the specified types of output -(a quoted list, names without the -.B \-\-debug\- -prefix, -separated by white space) are enabled; -for details on available debugging types, see -.IR ipsec_pluto (8). -.TP -.B plutoopts -additional options to pass to pluto upon startup. See -.IR ipsec_pluto (8). -.TP -.B plutostderrlog -do not use syslog, but rather log to stderr, and direct stderr to the -argument file. -.TP -.B dumpdir -in what directory should things started by -.I setup -(notably the Pluto daemon) be allowed to -dump core? -The empty value (the default) means they are not -allowed to. -.TP -.B manualstart -which manually-keyed connections to set up at startup -(empty, a name, or a quoted list of names separated by white space); -see -.IR ipsec_manual (8). -Default is none. -.TP -.B pluto -whether to start Pluto or not; -Values are -.B yes -(the default) -or -.B no -(useful only in special circumstances). -.TP -.B plutowait -should Pluto wait for each -negotiation attempt that is part of startup to -finish before proceeding with the next? -Values are -.B yes -or -.BR no -(the default). -.TP -.B prepluto -shell command to run before starting Pluto -(e.g., to decrypt an encrypted copy of the -.I ipsec.secrets -file). 
-It's run in a very simple way; -complexities like I/O redirection are best hidden within a script. -Any output is redirected for logging, -so running interactive commands is difficult unless they use -.I /dev/tty -or equivalent for their interaction. -Default is none. -.TP -.B postpluto -shell command to run after starting Pluto -(e.g., to remove a decrypted copy of the -.I ipsec.secrets -file). -It's run in a very simple way; -complexities like I/O redirection are best hidden within a script. -Any output is redirected for logging, -so running interactive commands is difficult unless they use -.I /dev/tty -or equivalent for their interaction. -Default is none. -.TP -.B fragicmp -whether a tunnel's need to fragment a packet should be reported -back with an ICMP message, -in an attempt to make the sender lower his PMTU estimate; -acceptable values are -.B yes -(the default) -and -.BR no . -.TP -.B hidetos -whether a tunnel packet's TOS field should be set to -.B 0 -rather than copied from the user packet inside; -acceptable values are -.B yes -(the default) -and -.BR no . -.TP -.B uniqueids -whether a particular participant ID should be kept unique, -with any new (automatically keyed) -connection using an ID from a different IP address -deemed to replace all old ones using that ID; -acceptable values are -.B yes -(the default) -and -.BR no . -Participant IDs normally \fIare\fR unique, -so a new (automatically-keyed) connection using the same ID is -almost invariably intended to replace an old one. -.TP -.B overridemtu -value that the MTU of the ipsec\fIn\fR interface(s) should be set to, -overriding IPsec's (large) default. -This parameter is needed only in special situations. 
-.TP -.B nat_traversal -.TP -.B crlcheckinterval -.TP -.B strictcrlpolicy -.TP -.B pkcs11module -.TP -.B pkcs11keepstate - -.SH CHOOSING A CONNECTION -.PP -When choosing a connection to apply to an outbound packet caught with a -.BR %trap, -the system prefers the one with the most specific eroute that -includes the packet's source and destination IP addresses. -Source subnets are examined before destination subnets. -For initiating, only routed connections are considered. For responding, -unrouted but added connections are considered. -.PP -When choosing a connection to use to respond to a negotiation which -doesn't match an ordinary conn, an opportunistic connection -may be instantiated. Eventually, its instance will be /32 -> /32, but -for earlier stages of the negotiation, there will not be enough -information about the client subnets to complete the instantiation. -.SH FILES -.nf -/etc/ipsec.conf -/etc/ipsec.d/cacerts -/etc/ipsec.d/certs -/etc/ipsec.d/crls -/etc/ipsec.d/aacerts -/etc/ipsec.d/acerts - -.SH SEE ALSO -ipsec(8), ipsec_ttoaddr(8), ipsec_auto(8), ipsec_manual(8), ipsec_rsasigkey(8) -.SH HISTORY -Written for the FreeS/WAN project -<http://www.freeswan.org> -by Henry Spencer. Extended for the strongSwan project -<http://www.strongswan.org> -by Andreas Steffen. -.SH BUGS -.PP -When -.B type -or -.B failureshunt -is set to -.B drop -or -.BR reject, -strongSwan blocks outbound packets using eroutes, but assumes inbound -blocking is handled by the firewall. strongSwan offers firewall hooks -via an ``updown'' script. However, the default -.B ipsec _updown -provides no help in controlling a modern firewall. -.PP -Including attributes of the keying channel -(authentication methods, -.BR ikelifetime , -etc.) -as an attribute of a connection, -rather than of a participant pair, is dubious and incurs limitations. -.PP -.IR Ipsec_manual -is not nearly as generous about the syntax of subnets, -addresses, etc. as the usual strongSwan user interfaces. 
-Four-component dotted-decimal must be used for all addresses. -It -.I is -smart enough to translate bit-count netmasks to dotted-decimal form. -.PP -It would be good to have a line-continuation syntax, -especially for the very long lines involved in -RSA signature keys. -.PP -The ability to specify different identities, -.BR authby , -and public keys for different automatic-keyed connections -between the same participants is misleading; -this doesn't work dependably because the identity of the participants -is not known early enough. -This is especially awkward for the ``Road Warrior'' case, -where the remote IP address is specified as -.BR 0.0.0.0 , -and that is considered to be the ``participant'' for such connections. -.PP -In principle it might be necessary to control MTU on an -interface-by-interface basis, -rather than with the single global override that -.B overridemtu -provides. -.PP -A number of features which \fIcould\fR be implemented in -both manual and automatic keying -actually are not yet implemented for manual keying. -This is unlikely to be fixed any time soon. -.PP -If conns are to be added before DNS is available, -\fBleft=\fP\fIFQDN\fP, -\fBleftnextop=\fP\fIFQDN\fP, -and -.B leftrsasigkey=%dnsonload -will fail. -.IR ipsec_pluto (8) -does not actually use the public key for our side of a conn but it -isn't generally known at a add-time which side is ours (Road Warrior -and Opportunistic conns are currently exceptions). -.PP -The \fBmyid\fP option does not affect explicit \fB ipsec auto \-\-add\fP or \fBipsec auto \-\-replace\fP commands for implicit conns. diff --git a/programs/_confread/ipsec.conf.in b/programs/_confread/ipsec.conf.in deleted file mode 100644 index 296986459..000000000 --- a/programs/_confread/ipsec.conf.in +++ /dev/null 
@@ -1,44 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -# RCSID $Id: ipsec.conf.in,v 1.7 2006/01/31 13:09:10 as Exp $ - -# Manual: ipsec.conf.5 -# Help: http://www.strongswan.org/docs/readme.htm - -version 2.0 # conforms to second version of ipsec.conf specification - -# basic configuration - -config setup - # Debug-logging controls: "none" for (almost) none, "all" for lots. - # plutodebug=all - # crlcheckinterval=600 - # strictcrlpolicy=yes - # cachecrls=yes - # nat_traversal=yes - -# Uncomment to activate Opportunistic Encryption (OE) -# include /etc/ipsec.d/examples/oe.conf - -# Add connections here. - -# Sample VPN connections - -#conn sample-self-signed -# left=%defaultroute -# leftsubnet=10.1.0.0/16 -# leftcert=selfCert.der -# leftsendcert=never -# right=192.168.0.2 -# rightsubnet=10.2.0.0/16 -# rightcert=peerCert.der -# auto=start - -#conn sample-with-ca-cert -# left=%defaultroute -# leftsubnet=10.1.0.0/16 -# leftcert=myCert.pem -# right=192.168.0.2 -# rightsubnet=10.2.0.0/16 -# rightid="C=CH, O=Linux strongSwan CN=peer name" -# auto=start diff --git a/programs/_confread/private-or-clear.in b/programs/_confread/private-or-clear.in deleted file mode 100644 index c66b1d29f..000000000 --- a/programs/_confread/private-or-clear.in +++ /dev/null @@ -1,14 +0,0 @@ -# This file defines the set of CIDRs (network/mask-length) to which -# communication should be private, if possible, but in the clear otherwise. -# -# If the target has a TXT (later IPSECKEY) record that specifies -# authentication material, we will require private (i.e. encrypted) -# communications. If no such record is found, communications will be -# in the clear. -# -# See @FINALDOCDIR@/policygroups.html for details. -# -# $Id: private-or-clear.in,v 1.1 2004/03/15 20:35:27 as Exp $ -# - -0.0.0.0/0 diff --git a/programs/_confread/private.in b/programs/_confread/private.in deleted file mode 100644 index 9d4bd6c67..000000000 --- a/programs/_confread/private.in +++ /dev/null 
@@ -1,6 +0,0 @@ -# This file defines the set of CIDRs (network/mask-length) to which -# communication should always be private (i.e. encrypted). -# See @FINALDOCDIR@/policygroups.html for details. -# -# $Id: private.in,v 1.1 2004/03/15 20:35:27 as Exp $ -# diff --git a/programs/_confread/randomize b/programs/_confread/randomize deleted file mode 100755 index 26d80a8f3..000000000 --- a/programs/_confread/randomize +++ /dev/null @@ -1,28 +0,0 @@ -#! /bin/sh -# internal utility for putting random keys into sample configuration file -# Copyright (C) 1998, 1999 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: randomize,v 1.1 2004/03/15 20:35:27 as Exp $ - -awk '/`[0-9]+`/ { - match($0, /`[0-9]+`/) - n = substr($0, RSTART+1, RLENGTH-2) - cmd = "./ranbits --quick " n - cmd | getline key - cmd | getline eof - close(cmd) - sub(/`[0-9]+`/, key, $0) - print - next -} -{ print }' $* diff --git a/programs/_include/.cvsignore b/programs/_include/.cvsignore deleted file mode 100644 index ab6204115..000000000 --- a/programs/_include/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -_include diff --git a/programs/_include/Makefile b/programs/_include/Makefile deleted file mode 100644 index 6b5f11682..000000000 --- a/programs/_include/Makefile +++ /dev/null 
@@ -1,43 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=_include -PROGRAMDIR=${LIBDIR} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:27 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.3 2002/08/02 16:01:11 mcr -# moved user visible programs to $PREFIX/libexec, while moving -# private files to $PREFIX/lib. -# -# Revision 1.2 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/_include/_include.8 b/programs/_include/_include.8 deleted file mode 100644 index 56ffa0723..000000000 --- a/programs/_include/_include.8 +++ /dev/null 
@@ -1,35 +0,0 @@ -.TH _INCLUDE 8 "25 Apr 2002" -.\" -.\" RCSID $Id: _include.8,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec _include \- internal script to process config files -.SH DESCRIPTION -.I _include -is used by -.I _confread -to process -.B include -directives in /etc/ipsec.conf. -.SH "SEE ALSO" -ipsec(8), ipsec__confread(8) -.SH HISTORY -Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/> -by Michael Richardson. Program written by Henry Spencer. -.\" -.\" $Log: _include.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" Revision 1.1 2002/04/26 01:21:43 mcr -.\" while tracking down a missing (not installed) /etc/ipsec.conf, -.\" MCR has decided that it is not okay for each program subdir to have -.\" some subset (determined with -f) of possible files. -.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -.\" Optional PROGRAM.5 files have been added to the makefiles. -.\" -.\" -.\" diff --git a/programs/_include/_include.in b/programs/_include/_include.in deleted file mode 100755 index 10a8a49e4..000000000 --- a/programs/_include/_include.in +++ /dev/null 
@@ -1,102 +0,0 @@ -#! /bin/sh -# implements nested file inclusion for control files, including wildcarding -# Copyright (C) 1998, 1999 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _include.in,v 1.2 2004/03/15 21:03:06 as Exp $ -# -# Output includes marker lines for file changes: -# "#< filename lineno" signals entry into that file -# "#> filename lineno" signals return to that file -# The lineno is the line number of the *next* line. -# -# Errors are reported with a "#:message" line rather than on stderr. -# -# Lines which look like marker and report lines are never passed through. - -IPSEC_NAME="strongSwan" - -usage="Usage: $0 file ..." -me="ipsec _include" - -for dummy -do - case "$1" in - --inband) ;; # back compatibility - --help) echo "$usage" ; exit 0 ;; - --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; - --) shift ; break ;; - -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - -case $# in -0) echo "$usage" >&2 ; exit 2 ;; -esac - -for f -do - if test ! -r "$f" - then - if test ! "$f" = "/etc/ipsec.conf" - then - echo "#:cannot open configuration file \'$f\'" - if test "$f" = "/etc/ipsec.secrets" - then - echo "#:Your secrets file will be created when you start $IPSEC_NAME for the first time." 
- fi - exit 1 - else - exit 1 - fi - fi -done - -awk 'BEGIN { - wasfile = "" -} -FNR == 1 { - print "" - print "#<", FILENAME, 1 - lineno = 0 - wasfile = FILENAME -} -{ - lineno++ - # lineno is now the number of this line -} -/^#[<>:]/ { - next -} -/^include[ \t]+/ { - orig = $0 - sub(/[ \t]+#.*$/, "") - if (NF != 2) { - msg = "(" FILENAME ", line " lineno ")" - msg = msg " include syntax error in \"" orig "\"" - print "#:" msg - exit 1 - } - newfile = $2 - if (newfile !~ /^\// && FILENAME ~ /\//) { - prefix = FILENAME - sub("[^/]+$", "", prefix) - newfile = prefix newfile - } - system("ipsec _include " newfile) - print "" - print "#>", FILENAME, lineno + 1 - next -} -{ print }' $* diff --git a/programs/_plutoload/.cvsignore b/programs/_plutoload/.cvsignore deleted file mode 100644 index cbcf7e699..000000000 --- a/programs/_plutoload/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -_plutoload diff --git a/programs/_plutoload/Makefile b/programs/_plutoload/Makefile deleted file mode 100644 index af9ffee18..000000000 --- a/programs/_plutoload/Makefile +++ /dev/null 
@@ -1,43 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=_plutoload -PROGRAMDIR=${LIBDIR} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:27 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.3 2002/08/02 16:01:19 mcr -# moved user visible programs to $PREFIX/libexec, while moving -# private files to $PREFIX/lib. -# -# Revision 1.2 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/_plutoload/_plutoload.8 b/programs/_plutoload/_plutoload.8 deleted file mode 100644 index ba421b6c3..000000000 --- a/programs/_plutoload/_plutoload.8 +++ /dev/null 
@@ -1,33 +0,0 @@ -.TH _PLUTOLOAD 8 "25 Apr 2002" -.\" -.\" RCSID $Id: _plutoload.8,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec _plutoload \- internal script to start pluto -.SH DESCRIPTION -.I _plutoload -is called by -.B _plutorun -to actually start the pluto executable. -.SH "SEE ALSO" -ipsec(8), ipsec_setup(8), ipsec__realsetup(8), ipsec__plutorun(8) -.SH HISTORY -Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/> -by Michael Richardson. Original program by Henry Spencer. -.\" -.\" $Log: _plutoload.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" Revision 1.1 2002/04/26 01:21:43 mcr -.\" while tracking down a missing (not installed) /etc/ipsec.conf, -.\" MCR has decided that it is not okay for each program subdir to have -.\" some subset (determined with -f) of possible files. -.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -.\" Optional PROGRAM.5 files have been added to the makefiles. -.\" -.\" -.\" diff --git a/programs/_plutoload/_plutoload.in b/programs/_plutoload/_plutoload.in deleted file mode 100755 index 73841197d..000000000 --- a/programs/_plutoload/_plutoload.in +++ /dev/null 
@@ -1,164 +0,0 @@ -#!/bin/sh -# Pluto database-loading script -# Copyright (C) 1998, 1999, 2001 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _plutoload.in,v 1.2 2004/03/31 16:15:10 as Exp $ -# -# exit status is 13 for protocol violation, that of Pluto otherwise - -me='ipsec _plutoload' # for messages - -for dummy -do - case "$1" in - --load) plutoload="$2" ; shift ;; - --start) plutostart="$2" ; shift ;; - --wait) plutowait="$2" ; shift ;; - --post) postpluto="$2" ; shift ;; - --) shift ; break ;; - -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - -# load ca information -eval `ipsec _confread --varprefix PLUTO --type ca --search auto add start` -if test " $PLUTO_confreadstatus" != " " -then - echo "auto=add/start search: $PLUTO_confreadstatus" - echo "unable to determine what ca information to add -- adding none" - caload= -else - caload="$PLUTO_confreadnames" -fi - -# searches, if needed -# the way the searches were done ensures plutoload >= plutoroute >= plutostart - -# search for things to "ipsec auto --add": auto in "add" "route" "start" -eval `ipsec _confread --varprefix PLUTO --search auto add route start` -if test " $PLUTO_confreadstatus" != " " -then - echo "auto=add/route/start search: $PLUTO_confreadstatus" - echo "unable to determine what conns to add -- adding none" - plutoload= -else - plutoload="$PLUTO_confreadnames" -fi - -# search for things to "ipsec auto --route": auto in "route" 
"start" -eval `ipsec _confread --varprefix PLUTO --search auto route start` -if test " $PLUTO_confreadstatus" != " " -then - echo "auto=route/start search: $PLUTO_confreadstatus" - echo "unable to determine what conns to route -- routing none" - plutoroute= -else - plutoroute="$PLUTO_confreadnames" -fi - -# search for things to "ipsec auto --up": auto in "start" -eval `ipsec _confread --varprefix PLUTO --search auto start` -if test " $PLUTO_confreadstatus" != " " -then - echo "auto=start search: $PLUTO_confreadstatus" - echo "unable to determine what conns to start -- starting none" - plutostart= -else - plutostart="$PLUTO_confreadnames" -fi - -# await Pluto's readiness (not likely to be an issue, but...) -eofed=y -while read saying -do - case "$saying" in - 'Pluto initialized') eofed= ; break ;; # NOTE BREAK OUT - *) echo "pluto unexpectedly said \`$saying'" ;; - esac -done -if test "$eofed" -then - echo "pluto died unexpectedly!?!" - exit 13 -fi - -# ca database load -for tu in $caload -do - ipsec auto --type ca --add $tu || - echo "...could not add ca \"$tu\"" -done - -# conn database load -for tu in $plutoload -do - ipsec auto --add $tu || - echo "...could not add conn \"$tu\"" -done - -# enable listening -ipsec auto --ready - -# execute any post-startup cleanup -if test " $postpluto" != " " -then - $postpluto - st=$? 
- if test " $st" -ne 0 - then - echo "...postpluto command exited with status $st" - fi -fi - -# quickly establish routing -for tu in $plutoroute -do - ipsec auto --route $tu || - echo "...could not route conn \"$tu\"" -done - -# tunnel initiation, which may take a while -async= -if test " $plutowait" = " no" -then - async="--asynchronous" -fi -for tu in $plutostart -do - ipsec auto --up $async $tu || - echo "...could not start conn \"$tu\"" -done - -# report any further utterances, and watch for exit status -eofed=y -while read saying -do - case "$saying" in - exit) eofed= ; break ;; # NOTE BREAK OUT - *) echo "pluto unexpectedly says \`$saying'" ;; - esac -done -if test "$eofed" -then - echo "pluto died without exit status!?!" - exit 13 -fi -if read status -then - exit $status -else - echo "pluto yielded no exit status!?!" - exit 13 -fi diff --git a/programs/_plutorun/.cvsignore b/programs/_plutorun/.cvsignore deleted file mode 100644 index 13e0ae1a1..000000000 --- a/programs/_plutorun/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -_plutorun diff --git a/programs/_plutorun/Makefile b/programs/_plutorun/Makefile deleted file mode 100644 index b0928797c..000000000 --- a/programs/_plutorun/Makefile +++ /dev/null 
@@ -1,43 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=_plutorun -PROGRAMDIR=${LIBDIR} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:27 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.3 2002/08/02 16:01:26 mcr -# moved user visible programs to $PREFIX/libexec, while moving -# private files to $PREFIX/lib. -# -# Revision 1.2 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/_plutorun/_plutorun.8 b/programs/_plutorun/_plutorun.8 deleted file mode 100644 index 9de6927dc..000000000 --- a/programs/_plutorun/_plutorun.8 +++ /dev/null 
@@ -1,37 +0,0 @@ -.TH _PLUTORUN 8 "25 Apr 2002" -.\" -.\" RCSID $Id: _plutorun.8,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec _plutorun \- internal script to start pluto -.SH DESCRIPTION -.I _plutorun -is called by -.B _realsetup -to configure and bring up -.B ipsec_pluto(8). -It calls -.B _plutoload -to invoke pluto, and watches to makes sure that pluto is restarted if it fails. -.SH "SEE ALSO" -ipsec(8), ipsec_setup(8), ipsec__realsetup(8), ipsec__plutoload(8), ipsec_pluto(8). -.SH HISTORY -Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/> -by Michael Richardson. Original program written by Henry Spencer. -.\" -.\" $Log: _plutorun.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" Revision 1.1 2002/04/26 01:21:43 mcr -.\" while tracking down a missing (not installed) /etc/ipsec.conf, -.\" MCR has decided that it is not okay for each program subdir to have -.\" some subset (determined with -f) of possible files. -.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -.\" Optional PROGRAM.5 files have been added to the makefiles. -.\" -.\" -.\" diff --git a/programs/_plutorun/_plutorun.in b/programs/_plutorun/_plutorun.in deleted file mode 100755 index b02afeefb..000000000 --- a/programs/_plutorun/_plutorun.in +++ /dev/null 
@@ -1,281 +0,0 @@ -#!/bin/sh -# Pluto control daemon -# Copyright (C) 1998, 1999, 2001 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _plutorun.in,v 1.9 2005/10/16 13:28:15 as Exp $ - -me='ipsec _plutorun' # for messages - -info=/var/run/ipsec.info - -popts= -stderrlog= -plutorestartoncrash=true - -wherelog=daemon.error -pidfile=/var/run/pluto.pid -verb="Starting" -for dummy -do - case "$1" in - --re) verb="Restarting" ;; - --plutorestartoncrash) plutorestartoncrash="$2"; shift ;; - --debug) plutodebug="$2" ; shift ;; - --uniqueids) uniqueids="$2" ; shift ;; - --nat_traversal) nat_traversal="$2" ; shift ;; - --keep_alive) keep_alive="$2" ; shift ;; - --force_keepalive) force_keepalive="$2" ; shift ;; - --disable_port_floating) disable_port_floating="$2" ; shift ;; - --virtual_private) virtual_private="$2" ; shift ;; - --nocrsend) nocrsend="$2" ; shift ;; - --strictcrlpolicy) strictcrlpolicy="$2" ; shift ;; - --crlcheckinterval) crlcheckinterval="$2"; shift ;; - --cachecrls) cachecrls="$2" ; shift ;; - --pkcs11module) pkcs11module="$2"; shift ;; - --pkcs11keepstate) pkcs11keepstate="$2"; shift ;; - --pkcs11proxy) pkcs11proxy="$2"; shift ;; - --dump) dumpdir="$2" ; shift ;; - --opts) popts="$2" ; shift ;; - --stderrlog) stderrlog="$2" ; shift ;; - --wait) plutowait="$2" ; shift ;; - --pre) prepluto="$2" ; shift ;; - --post) postpluto="$2" ; shift ;; - --log) wherelog="$2" ; shift ;; - --pid) pidfile="$2" ; shift ;; - --) shift ; break ;; - -*) 
echo "$me: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - -# initially we are in the foreground, with parent looking after logging - -# precautions -if test -f $pidfile -then - echo "pluto appears to be running already (\`$pidfile' exists), will not start another" - exit 1 -fi -if test ! -e /dev/urandom -then - echo "cannot start Pluto, system lacks \`/dev/urandom'!?!" - exit 1 -fi - -# sort out options -for d in $plutodebug -do - popts="$popts --debug-$d" -done -case "$uniqueids" in -yes) popts="$popts --uniqueids" ;; -no|'') ;; -*) echo "unknown uniqueids value (not yes/no) \`$IPSECuniqueids'" ;; -esac -case "$nocrsend" in -yes) popts="$popts --nocrsend" ;; -no|'') ;; -*) echo "unknown nocrsend value (not yes/no) \`$IPSECnocrsend'" ;; -esac -case "$strictcrlpolicy" in -yes) popts="$popts --strictcrlpolicy" ;; -no|'') ;; -*) echo "unknown strictcrlpolicy value (not yes/no) \`$IPSECstrictcrlpolicy'" ;; -esac -case "$cachecrls" in -yes) popts="$popts --cachecrls" ;; -no|'') ;; -*) echo "unknown cachecrls value (not yes/no) \`$IPSECcachecrls'" ;; -esac -case "$nat_traversal" in -yes) popts="$popts --nat_traversal" ;; -no|'') ;; -*) echo "unknown nat_traversal value (not yes/no) \`$IPSECnat_traversal'" ;; -esac -[ -n "$keep_alive" ] && popts="$popts --keep_alive $keep_alive" -case "$force_keepalive" in -yes) popts="$popts --force_keepalive" ;; -no|'') ;; -*) echo "unknown force_keepalive value (not yes/no) \`$IPSECforce_keepalive'" ;; -esac -case "$disable_port_floating" in -yes) popts="$popts --disable_port_floating" ;; -no|'') ;; -*) echo "unknown disable_port_floating (not yes/no) \`$disable_port_floating'" ;; -esac -case "$pkcs11keepstate" in -yes) popts="$popts --pkcs11keepstate" ;; -no|'') ;; -*) echo "unknown pkcs11keepstate value (not yes/no) \`$IPSECpkcs11keepstate'" ;; -esac -case "$pkcs11proxy" in -yes) popts="$popts --pkcs11proxy" ;; -no|'') ;; -*) echo "unknown pkcs11proxy value (not yes/no) \`$IPSECpkcs11proxy'" ;; -esac - -[ 
-n "$virtual_private" ] && popts="$popts --virtual_private $virtual_private" - -# add crl check interval -if test ${crlcheckinterval:-0} -gt 0 -then - popts="$popts --crlcheckinterval $crlcheckinterval" -fi - -if test -n "$pkcs11module" -then - popts="$popts --pkcs11module $pkcs11module" -fi - -if test -n "$stderrlog" -then - popts="$popts --stderrlog 2>>$stderrlog" - - if test -f $stderrlog - then - if test ! -w $stderrlog - then - echo Cannot write to \"$stderrlog\". - exit 1 - fi - else - if test ! -w "`dirname $stderrlog`" - then - echo Cannot write to directory to create \"$stderrlog\". - exit 1 - fi - fi - - echo "Plutorun started on "`date` >$stderrlog -fi - -# set up dump directory -if test " $dumpdir" = " " -then - ulimit -c 0 # preclude core dumps -elif test ! -d "$dumpdir" -then - echo "dumpdir \`$dumpdir' does not exist, ignored" - ulimit -c 0 # preclude core dumps -elif cd $dumpdir # put them where desired -then - ulimit -c unlimited # permit them -else - echo "cannot cd to dumpdir \`$dumpdir', ignored" - ulimit -c 0 # preclude them -fi - -# execute any preliminaries -if test " $prepluto" != " " -then - $prepluto - st=$? - if test " $st" -ne 0 - then - echo "...prepluto command exited with status $st" - fi -fi - -IPSEC_SECRETS=${IPSEC_CONFS}/ipsec.secrets -if test ! -f "${IPSEC_SECRETS}" -then - ( logger -p authpriv.info -t ipsec__plutorun No file ${IPSEC_SECRETS}, generating key. - ipsec scepclient --out pkcs1 --out cert-self --quiet - echo -e "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n" > ${IPSEC_SECRETS} - chmod 600 ${IPSEC_SECRETS} - echo ": RSA myKey.der" >> ${IPSEC_SECRETS} - - # tell pluto to go re-read the file - ipsec auto --rereadsecrets - ) & -fi - -# -# make sure that the isakmp port is open! -# -if test -f /etc/sysconfig/ipchains -then - if egrep -q 500:500 /etc/sysconfig/ipchains - then - : - else - ipchains -I input 1 -p udp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 500:500 -j ACCEPT - # if it redhat, then save the rules again. 
- if [ -f /etc/redhat-release ] - then - sh /etc/rc.d/init.d/ipchains save - fi - fi -fi - -# spin off into the background, with our own logging -echo "$verb Pluto subsystem..." | logger -p authpriv.error -t ipsec__plutorun -execdir=${IPSEC_EXECDIR-@IPSEC_EXECDIR@} -libdir=${IPSEC_LIBDIR-@IPSEC_LIBDIR@} -until ( - if test -s $info - then - . $info - export defaultroutephys defaultroutevirt defaultrouteaddr defaultroutenexthop - fi - # eval allows $popts to contain redirection and other magic - eval $execdir/pluto --nofork --secretsfile "$IPSEC_SECRETS" --policygroupsdir "${IPSEC_CONFS}/ipsec.d/policies" $popts - status=$? - echo "exit" - echo $status - ) | $libdir/_plutoload --wait "$plutowait" --post "$postpluto" -do - status=$? - case "$status" in - 13) echo "internal failure in pluto scripts, impossible to carry on" - exit 1 - ;; - 10) echo "pluto apparently already running (?!?), giving up" - exit 1 - ;; - 137) echo "pluto killed by SIGKILL, terminating without restart or unlock" - exit 0 - ;; - 143) echo "pluto killed by SIGTERM, terminating without restart" - # pluto now does its own unlock for this - exit 0 - ;; - *) st=$status - if $plutorestartoncrash - then - : - else - exit 0 - fi - - if test $st -gt 128 - then - st="$st (signal `expr $st - 128`)" - fi - echo "!pluto failure!: exited with error status $st" - echo "restarting IPsec after pause..." - ( - sleep 10 - ipsec setup _autorestart - ) </dev/null >/dev/null 2>&1 & - exit 1 - ###sleep 10 - ###rm -rf $pidfile - #### and go around the loop again - ;; - esac -done </dev/null 2>&1 | - logger -s -p $wherelog -t ipsec__plutorun >/dev/null 2>/dev/null & - -exit 0 diff --git a/programs/_realsetup/.cvsignore b/programs/_realsetup/.cvsignore deleted file mode 100644 index 54941b8a3..000000000 --- a/programs/_realsetup/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -_realsetup diff --git a/programs/_realsetup/Makefile b/programs/_realsetup/Makefile deleted file mode 100644 index c339007e0..000000000 
--- a/programs/_realsetup/Makefile +++ /dev/null @@ -1,43 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=_realsetup -PROGRAMDIR=${LIBDIR} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:27 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.3 2002/08/02 16:01:34 mcr -# moved user visible programs to $PREFIX/libexec, while moving -# private files to $PREFIX/lib. -# -# Revision 1.2 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/_realsetup/_realsetup.8 b/programs/_realsetup/_realsetup.8 deleted file mode 100644 index 51b647115..000000000 --- a/programs/_realsetup/_realsetup.8 +++ /dev/null 
@@ -1,36 +0,0 @@ -.TH _REALSETUP 8 "25 Apr 2002" -.\" -.\" RCSID $Id: _realsetup.8,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec _realsetup \- internal routine to start FreeS/WAN. -.SH DESCRIPTION -.I _realsetup -is called by the system init scripts to start the FreeS/WAN -system. It starts -.B KLIPS -(the kernel component) and -.B pluto -(the userspace keying component). -.SH "SEE ALSO" -ipsec(8), ipsec__klipsstart(8), ipsec__plutorun(8). -.SH HISTORY -Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/> -by Michael Richardson. Original program by Henry Spencer. -.\" -.\" $Log: _realsetup.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" Revision 1.1 2002/04/26 01:21:43 mcr -.\" while tracking down a missing (not installed) /etc/ipsec.conf, -.\" MCR has decided that it is not okay for each program subdir to have -.\" some subset (determined with -f) of possible files. -.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -.\" Optional PROGRAM.5 files have been added to the makefiles. -.\" -.\" -.\" diff --git a/programs/_realsetup/_realsetup.in b/programs/_realsetup/_realsetup.in deleted file mode 100755 index 91b6e98d3..000000000 --- a/programs/_realsetup/_realsetup.in +++ /dev/null 
@@ -1,456 +0,0 @@ -#!/bin/sh -# IPsec startup and shutdown command -# Copyright (C) 1998, 1999, 2001 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _realsetup.in,v 1.10 2005/09/25 21:30:52 as Exp $ - -IPSEC_NAME=strongSwan - -me='ipsec setup' # for messages - -# Misc. paths (some of this should perhaps be overrideable from ipsec.conf). -plutopid=/var/run/pluto.pid -subsyslock=/var/lock/subsys/ipsec -lock=/var/run/ipsec_setup.pid -info=/var/run/ipsec.info -sysflags=/proc/sys/net/ipsec -modules=/proc/modules -ipforward=/proc/sys/net/ipv4/ip_forward -ipsecversion=/proc/net/ipsec_version -kamepfkey=/proc/net/pfkey - -# make sure output of (e.g.) 
ifconfig is in English -unset LANG LANGUAGE LC_ALL LC_MESSAGES - -# check we were called properly -if test " $IPSEC_confreadsection" != " setup" -then - echo "$me: $0 must be called by ipsec_setup" >&2 - exit 1 -fi -# defaults for "config setup" items - -IPSECinterfaces=${IPSECinterfaces:-%defaultroute} - if test " $IPSECinterfaces" = " %none" ; then IPSECinterfaces= ; fi -# IPSECforwardcontrol "no" -# IPSECsyslog "daemon.error" -# IPSECklipsdebug "none" -# IPSECplutodebug "none" -# IPSECdumpdir "" (no dump) -# IPSECmanualstart "" -# IPSECpluto "yes" -IPSECplutowait=${IPSECplutowait:-no} -# IPSECprepluto "" -# IPSECpostpluto "" -# IPSECfragicmp "yes" -# IPSEChidetos "yes" -IPSECrp_filter=${IPSECrp_filter:-0} -IPSECuniqueids=${IPSECuniqueids:-yes} -IPSECcrlcheckinterval=${IPSECcrlcheckinterval:-0} -# IPSECpkcs11module "" -# IPSECoverridemtu "" - -# Shall we trace? -execute="true" -display="false" -for i in $IPSEC_setupflags -do - case "$i" in - "--showonly") execute="false" ; display=true ;; - "--show") display=true ;; - esac -done - -if $display -then - echo " " PATH="$PATH" -fi - -perform() { - if $display - then - echo " " "$*" - fi - - if $execute - then - eval "$*" - fi -} - -# function to set up manually-keyed connections -manualconns() { - if test " $IPSECmanualstart" != " " - then - for tu in $IPSECmanualstart - do - perform ipsec manual --up $tu - done - fi - - # search for things to "ipsec manual --up": auto == "manual" - eval `ipsec _confread --varprefix MANUALSTART --search auto manual` - if test " $MANUALSTART_confreadstatus" != " " - then - echo "auto=manual search: $MANUALSTART_confreadstatus" - echo "unable to determine what conns to manual --up; none done" - elif test " $MANUALSTART_confreadnames" != " " - then - for tu in $MANUALSTART_confreadnames - do - perform ipsec manual --up $tu - done - fi -} - -# for no-stdout logging: -LOGONLY="logger -p $IPSECsyslog -t ipsec_setup" - -# What an ugly string. 
-# Must be a string, not a function, because it is nested -# within another sequence (for plutorun). -# Luckily there are NO substitutions in it. -KILLKLIPS='ifl=` ifconfig | sed -n -e "/^ipsec/s/ .*//p" ` ; - test "X$ifl" != "X" && - for i in $ifl ; - do - ifconfig $i down ; - ipsec tncfg --detach --virtual $i ; - done ; - test -r /proc/net/ipsec_klipsdebug && ipsec klipsdebug --none ; - ipsec eroute --clear ; - ipsec spi --clear ; - for alg in aes serpent twofish blowfish sha2 ; - do - lsmod 2>&1 | grep "^ipsec_$alg" > /dev/null && rmmod ipsec_$alg ; - done ; - lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec' - -if test -f $kamepfkey -then - KILLKLIPS=' - if ip xfrm state > /dev/null 2>&1 ; - then - ip xfrm state flush ; - ip xfrm policy flush ; - elif type setkey > /dev/null 2>&1 ; - then - setkey -F ; - setkey -FP ; - fi' -fi - - - -# do it -case "$1" in - start|--start|_autostart) - # First, does it seem to be going already? - perform test ! -f $lock "||" "{" \ - echo "\"$IPSEC_NAME IPsec apparently already running, start aborted\"" ";" \ - exit 1 ";" \ - "}" - - # announcement - # (Warning, changes to this log message may affect barf.) - version="`ipsec --version | awk 'NR == 1 { print $(3) }' | sed -e 's/^U\(.*\)\/K(.*/\1/'`" - case "$1" in - start|--start) perform echo "\"Starting $IPSEC_NAME IPsec $version...\"" ;; - _autostart) perform echo "\"Restarting $IPSEC_NAME IPsec $version...\"" ;; - esac - - # preliminaries - perform rm -f $lock - - for f in /dev/random /dev/urandom - do - perform test -r $f "||" "{" \ - echo "\"...unable to start $IPSEC_NAME IPsec, no $f!\"" ";" \ - exit 1 ";" \ - "}" - done - - # the meaning of $$ at a different runtime is questionable! 
- perform echo '$$' ">" $lock - perform test -s $lock "||" "{" \ - echo "\"...unable to create $lock, aborting start!\"" ";" \ - rm -f $lock ";" \ - exit 1 ";" \ - "}" - - perform ">" $info - - # here we go - perform ipsec _startklips \ - --info $info \ - --debug "\"$IPSECklipsdebug\"" \ - --omtu "\"$IPSECoverridemtu\"" \ - --fragicmp "\"$IPSECfragicmp\"" \ - --hidetos "\"$IPSEChidetos\"" \ - --rpfilter "\"$IPSECrp_filter\"" \ - --log "\"$IPSECsyslog\"" \ - $IPSECinterfaces "||" \ - "{" rm -f $lock ";" exit 1 ";" "}" - - perform test -f $ipsecversion "||" \ - test -f $kamepfkey "||" "{" \ - echo "\"OOPS, should have aborted! Broken shell!\"" ";" \ - exit 1 ";" \ - "}" - - # misc pre-Pluto setup - - perform test -d `dirname $subsyslock` "&&" touch $subsyslock - - if test " $IPSECforwardcontrol" = " yes" - then - perform grep '"^0"' $ipforward ">" /dev/null "&&" "{" \ - echo "\"enabling IP forwarding:\"" "|" $LOGONLY ";" \ - echo "\"ipforwardingwas=$fw\"" ">>" $info ";" \ - echo 1 ">" $ipforward ";" \ - "}" - fi - manualconns - - plutorestartoncrash="" - case "$IPSECplutorestartoncrash" in - true|[yY]|yes|restart) plutorestartoncrash="--plutorestartoncrash true";; - false|[nN]|no|die) plutorestartoncrash="--plutorestartoncrash false" ;; - esac - - # Pluto - case "$1" in - start|--start) re= ;; - _autostart) re=--re ;; - esac - if test " $IPSECpluto" != " no" - then - perform ipsec _plutorun $re \ - --debug "\"$IPSECplutodebug\"" \ - --uniqueids "\"$IPSECuniqueids\"" \ - --nocrsend "\"$IPSECnocrsend\"" \ - --strictcrlpolicy "\"$IPSECstrictcrlpolicy\"" \ - --cachecrls "\"$IPSECcachecrls\"" \ - --nat_traversal "\"$IPSECnat_traversal\"" \ - --keep_alive "\"$IPSECkeep_alive\"" \ - --force_keepalive "\"$IPSECforce_keepalive\"" \ - --disable_port_floating "\"$IPSECdisable_port_floating\"" \ - --virtual_private "\"$IPSECvirtual_private\"" \ - --crlcheckinterval "\"$IPSECcrlcheckinterval\"" \ - --pkcs11module "\"$IPSECpkcs11module\"" \ - --pkcs11keepstate 
"\"$IPSECpkcs11keepstate\"" \ - --pkcs11proxy "\"$IPSECpkcs11proxy\"" \ - --dump "\"$IPSECdumpdir\"" \ - --opts "\"$IPSECplutoopts\"" \ - --stderrlog "\"$IPSECplutostderrlog\"" \ - --wait "\"$IPSECplutowait\"" \ - --pre "\"$IPSECprepluto\"" \ - --post "\"$IPSECpostpluto\"" \ - --log "\"$IPSECsyslog\"" $plutorestartoncrash \ - --pid "\"$plutopid\"" "||" "{" \ - $KILLKLIPS ";" \ - rm -f $lock ";" \ - exit 1 ";" \ - "}" - fi - - # done! - perform echo "\"...$IPSEC_NAME IPsec started\"" "|" $LOGONLY - ;; - - stop|--stop|_autostop) # _autostop is same as stop - # Shut things down. - perform echo "\"Stopping $IPSEC_NAME IPsec...\"" - perform \ - if test -r $lock ";" \ - then \ - status=0 ";" \ - . $info ";" \ - else \ - echo "\"stop ordered, but IPsec does not appear to be running!\"" ";" \ - echo "\"doing cleanup anyway...\"" ";" \ - status=1 ";" \ - fi - if test " $IPSECforwardcontrol" = " yes" - then - perform test "\"X\$ipforwardingwas\"" = "\"X0\"" "&&" "{" \ - echo "\"disabling IP forwarding:\"" "|" $LOGONLY ";" \ - echo 0 ">" $ipforward ";" \ - "}" - fi - - perform test -f $plutopid "&&" "{" \ - if ps -p '`' cat $plutopid '`' ">" /dev/null ";" \ - then \ - ipsec whack --shutdown "|" grep -v "^002" ";" \ - sleep 1 ";" \ - if test -s $plutopid ";" \ - then \ - echo "\"Attempt to shut Pluto down failed! 
Trying kill:\"" ";" \ - kill '`' cat $plutopid '`' ";" \ - sleep 5 ";" \ - fi ";" \ - else \ - echo "\"Removing orphaned $plutopid:\"" ";" \ - fi ";" \ - rm -f $plutopid ";" \ - "}" - - perform $KILLKLIPS - - perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock - - perform rm -f $info $lock - perform echo "...$IPSEC_NAME IPsec stopped" "|" $LOGONLY - perform exit \$status - ;; - - status|--status) - if test " $IPSEC_setupflags" != " " - then - echo "$me $1 does not support $IPSEC_setupflags" - exit 1 - fi - - if test -f $info - then - hasinfo=yes - fi - - if test -f $lock - then - haslock=yes - fi - - if test -f $subsyslock - then - hassublock=yes - fi - - if test -s $plutopid - then - if ps -p `cat $plutopid` >/dev/null - then - plutokind=normal - elif ps -C pluto >/dev/null - then - plutokind=illicit - fi - elif ps -C pluto >/dev/null - then - plutokind=orphaned - else - plutokind=no - fi - - if test -r /proc/net/ipsec_eroute - then - if test " `wc -l </proc/net/ipsec_eroute`" -gt 0 - then - eroutes=yes - fi - fi - - if test -r $ipsecversion - then - klips=yes - elif test -r $modules - then - klips=maybe - else - klips=none - fi - - if test "$haslock" - then - echo "IPsec running" - # might not be a subsystem lock dir, ignore that issue - if test "$plutokind" = "normal" -a "$klips" = "yes" -a "$hasinfo" - then - echo "pluto pid `cat $plutopid`" - exit 0 - fi - echo "but..." - if test "$plutokind" != "normal" - then - echo "$plutokind Pluto running!" - fi - if test ! "$hasinfo" - then - echo "$info file missing!" - fi - case $klips in - maybe) echo "KLIPS module is not loaded!" ;; - none) echo "no KLIPS in kernel!" ;; - esac - if test "$eroutes" - then - echo "some eroutes exist" - fi - exit 1 - else - echo "IPsec stopped" - if test ! "$hassublock" -a ! "$hasinfo" -a "$plutokind" = "no" \ - -a ! "$eroutes" - then - exit 0 - fi - echo "but..." - if test "$hassublock" - then - echo "has subsystem lock ($subsyslock)!" 
- fi - if test "$hasinfo" - then - echo "has $info file!" - fi - if test "$plutokind" != "normal" - then - echo "$plutokind Pluto is running!" - fi - if test "$eroutes" - then - echo "some eroutes exist!" - fi - exit 1 - fi - ;; - - --version) - if test " $IPSEC_setupflags" != " " - then - echo "$me $1 does not support $IPSEC_setupflags" - exit 1 - fi - - echo "$me $IPSEC_VERSION" - exit 0 - ;; - - --help) - if test " $IPSEC_setupflags" != " " - then - echo "$me $1 does not support $IPSEC_setupflags" - exit 1 - fi - - echo "Usage: $me {--start|--stop|--restart|--status}" - exit 0 - ;; - - *) - echo "Usage: $me {--start|--stop|--restart|--status}" >&2 - exit 2 -esac - -exit 0 diff --git a/programs/_startklips/.cvsignore b/programs/_startklips/.cvsignore deleted file mode 100644 index a206fe65f..000000000 --- a/programs/_startklips/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -_startklips diff --git a/programs/_startklips/Makefile b/programs/_startklips/Makefile deleted file mode 100644 index 9df701b0e..000000000 --- a/programs/_startklips/Makefile +++ /dev/null 
@@ -1,43 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=_startklips -PROGRAMDIR=${LIBDIR} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:27 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.3 2002/08/02 16:01:42 mcr -# moved user visible programs to $PREFIX/libexec, while moving -# private files to $PREFIX/lib. -# -# Revision 1.2 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/_startklips/_startklips.8 b/programs/_startklips/_startklips.8 deleted file mode 100644 index 066699085..000000000 --- a/programs/_startklips/_startklips.8 +++ /dev/null 
@@ -1,33 +0,0 @@ -.TH _STARTKLIPS 8 "25 Apr 2002" -.\" -.\" RCSID $Id: _startklips.8,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec _startklips \- internal script to bring up kernel components -.SH DESCRIPTION -.I _startklips -brings up the FreeS/WAN kernel component. This involves loading any -required modules, attaching and configuring the ipsecX pseudo-devices and -attaching the pseudo-devices to the physical devices. -.SH "SEE ALSO" -ipsec(8), ipsec_tncfg(8). -.SH HISTORY -Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/> -by Michael Richardson. Original program by Henry Spencer. -.\" -.\" $Log: _startklips.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" Revision 1.1 2002/04/26 01:21:43 mcr -.\" while tracking down a missing (not installed) /etc/ipsec.conf, -.\" MCR has decided that it is not okay for each program subdir to have -.\" some subset (determined with -f) of possible files. -.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -.\" Optional PROGRAM.5 files have been added to the makefiles. -.\" -.\" -.\" diff --git a/programs/_startklips/_startklips.in b/programs/_startklips/_startklips.in deleted file mode 100755 index 7f85a94de..000000000 --- a/programs/_startklips/_startklips.in +++ /dev/null 
@@ -1,367 +0,0 @@ -#!/bin/sh -# KLIPS startup script -# Copyright (C) 1998, 1999, 2001, 2002 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _startklips.in,v 1.6 2005/05/06 22:11:33 as Exp $ - -me='ipsec _startklips' # for messages - -# KLIPS-related paths -sysflags=/proc/sys/net/ipsec -modules=/proc/modules -# full rp_filter path is $rpfilter1/interface/$rpfilter2 -rpfilter1=/proc/sys/net/ipv4/conf -rpfilter2=rp_filter -# %unchanged or setting (0, 1, or 2) -rpfiltercontrol=0 -ipsecversion=/proc/net/ipsec_version -moduleplace=/lib/modules/`uname -r`/kernel/net/ipsec -bareversion=`uname -r | sed -e 's/^\(2\.[0-9]\.[1-9][0-9]*-[1-9][0-9]*\(\.[0-9][0-9]*\)*\(\.x\)*\).*$/\1/'` -moduleinstplace=/lib/modules/$bareversion/kernel/net/ipsec -modulename=ipsec.o -klips=true -netkey=/proc/net/pfkey - -info=/dev/null -log=daemon.error -for dummy -do - case "$1" in - --log) log="$2" ; shift ;; - --info) info="$2" ; shift ;; - --debug) debug="$2" ; shift ;; - --omtu) omtu="$2" ; shift ;; - --fragicmp) fragicmp="$2" ; shift ;; - --hidetos) hidetos="$2" ; shift ;; - --rpfilter) rpfiltercontrol="$2" ; shift ;; - --) shift ; break ;; - -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - - - -# some shell functions, to clarify the actual code - -# set up a system flag based on a variable -# sysflag value shortname default flagname -sysflag() { - case "$1" in - '') v="$3" ;; - *) v="$1" ;; - esac - if test ! 
-f $sysflags/$4 - then - if test " $v" != " $3" - then - echo "cannot do $2=$v, $sysflags/$4 does not exist" - exit 1 - else - return # can't set, but it's the default anyway - fi - fi - case "$v" in - yes|no) ;; - *) echo "unknown (not yes/no) $2 value \`$1'" - exit 1 - ;; - esac - case "$v" in - yes) echo 1 >$sysflags/$4 ;; - no) echo 0 >$sysflags/$4 ;; - esac -} - -# set up a Klips interface -klipsinterface() { - # pull apart the interface spec - virt=`expr $1 : '\([^=]*\)=.*'` - phys=`expr $1 : '[^=]*=\(.*\)'` - case "$virt" in - ipsec[0-9]) ;; - *) echo "invalid interface \`$virt' in \`$1'" ; exit 1 ;; - esac - - # figure out ifconfig for interface - addr= - eval `ifconfig $phys | - awk '$1 == "inet" && $2 ~ /^addr:/ && $NF ~ /^Mask:/ { - gsub(/:/, " ", $0) - print "addr=" $3 - other = $5 - if ($4 == "Bcast") - print "type=broadcast" - else if ($4 == "P-t-P") - print "type=pointopoint" - else if (NF == 5) { - print "type=" - other = "" - } else - print "type=unknown" - print "otheraddr=" other - print "mask=" $NF - }'` - if test " $addr" = " " - then - echo "unable to determine address of \`$phys'" - exit 1 - fi - if test " $type" = " unknown" - then - echo "\`$phys' is of an unknown type" - exit 1 - fi - if test " $omtu" != " " - then - mtu="mtu $omtu" - else - mtu= - fi - echo "KLIPS $virt on $phys $addr/$mask $type $otheraddr $mtu" | logonly - - if $klips - then - # attach the interface and bring it up - ipsec tncfg --attach --virtual $virt --physical $phys - ifconfig $virt inet $addr $type $otheraddr netmask $mask $mtu - fi - - # if %defaultroute, note the facts - if test " $2" != " " - then - ( - echo "defaultroutephys=$phys" - echo "defaultroutevirt=$virt" - echo "defaultrouteaddr=$addr" - if test " $2" != " 0.0.0.0" - then - echo "defaultroutenexthop=$2" - fi - ) >>$info - else - echo '#dr: no default route' >>$info - fi - - # check for rp_filter trouble - checkif $phys # thought to be a problem only on phys -} - -# check an interface for problems 
-checkif() { - $klips || return 0 - rpf=$rpfilter1/$1/$rpfilter2 - if test -f $rpf - then - r="`cat $rpf`" - if test " $r" != " 0" - then - case "$r-$rpfiltercontrol" in - 0-%unchanged|0-0|1-1|2-2) - # happy state - ;; - *-%unchanged) - echo "WARNING: $1 has route filtering turned on; KLIPS may not work ($rpf is $r)" - ;; - [012]-[012]) - echo "WARNING: changing route filtering on $1 (changing $rpf from $r to $rpfiltercontrol)" - echo "$rpfiltercontrol" >$rpf - ;; - [012]-*) - echo "ERROR: unknown rpfilter setting: $rpfiltercontrol" - ;; - *) - echo "ERROR: unknown $rpf value $r" - ;; - esac - fi - fi -} - -# interfaces=%defaultroute: put ipsec0 on top of default route's interface -defaultinterface() { - phys=`netstat -nr | - awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF }'` - if test " $phys" = " " - then - echo "no default route, %defaultroute cannot cope!!!" - exit 1 - fi - if test `echo " $phys" | wc -l` -gt 1 - then - echo "multiple default routes, %defaultroute cannot cope!!!" - exit 1 - fi - next=`netstat -nr | - awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2 }'` - klipsinterface "ipsec0=$phys" $next -} - -# log only to syslog, not to stdout/stderr -logonly() { - logger -p $log -t ipsec_setup -} - -# sort out which module is appropriate, changing it if necessary -setmodule() { - wantgoo="`ipsec calcgoo /proc/ksyms`" - module=$moduleplace/$modulename - if test -f $module - then - goo="`nm -ao $module | ipsec calcgoo`" - if test " $wantgoo" = " $goo" - then - return # looks right - fi - fi - if test -f $moduleinstplace/$wantgoo - then - echo "insmod failed, but found matching template module $wantgoo." - echo "Copying $moduleinstplace/$wantgoo to $module." - rm -f $module - mkdir -p $moduleplace - cp -p $moduleinstplace/$wantgoo $module - # "depmod -a" gets done by caller - fi -} - - - -# main line - -# load module if possible -if test ! -f $ipsecversion && test ! 
-f $netkey -then - # statically compiled KLIPS not found; try to load the module - insmod ipsec -fi - -if test ! -f $ipsecversion && test ! -f $netkey -then - modprobe -v af_key -fi - -if test -f $netkey -then - klips=false - if test -f $modules - then - modprobe -qv ah4 - modprobe -qv esp4 - modprobe -qv ipcomp - modprobe -qv xfrm4_tunnel - modprobe -qv xfrm_user - fi -fi - -if test ! -f $ipsecversion && $klips -then - if test -r $modules # kernel does have modules - then - setmodule - unset MODPATH MODULECONF # no user overrides! - depmod -a >/dev/null 2>&1 - modprobe -v ipsec - fi - if test ! -f $ipsecversion - then - echo "kernel appears to lack KLIPS" - exit 1 - fi -fi - -# load all compiled algo modules -if $klips -then - for alg in aes serpent twofish blowfish sha2 - do - if test -f $moduleinstplace/alg/ipsec_$alg.o - then - modprobe ipsec_$alg - fi - done -fi - -# figure out debugging flags -case "$debug" in -'') debug=none ;; -esac -if test -r /proc/net/ipsec_klipsdebug -then - echo "KLIPS debug \`$debug'" | logonly - case "$debug" in - none) ipsec klipsdebug --none ;; - all) ipsec klipsdebug --all ;; - *) ipsec klipsdebug --none - for d in $debug - do - ipsec klipsdebug --set $d - done - ;; - esac -elif $klips -then - if test " $debug" != " none" - then - echo "klipsdebug=\`$debug' ignored, KLIPS lacks debug facilities" - fi -fi - -# figure out misc. kernel config -if test -d $sysflags -then - sysflag "$fragicmp" "fragicmp" yes icmp - echo 1 >$sysflags/inbound_policy_check # no debate - sysflag no "no_eroute_pass" no no_eroute_pass # obsolete parm - sysflag no "opportunistic" no opportunistic # obsolete parm - sysflag "$hidetos" "hidetos" yes tos -elif $klips -then - echo "WARNING: cannot adjust KLIPS flags, no $sysflags directory!" 
- # carry on -fi - -if $klips; then - # clear tables out in case dregs have been left over - ipsec eroute --clear - ipsec spi --clear -elif test $netkey -then - if ip xfrm state > /dev/null 2>&1 - then - ip xfrm state flush - ip xfrm policy flush - elif type setkey > /dev/null 2>&1 - then - setkey -F - setkey -FP - else - echo "WARNING: cannot flush state/policy database -- \`$1'" | - logger -s -p $log -t ipsec_setup - fi -fi - -# figure out interfaces -for i -do - case "$i" in - ipsec*=?*) klipsinterface "$i" ;; - %defaultroute) defaultinterface ;; - *) echo "interface \`$i' not understood" - exit 1 - ;; - esac -done - -exit 0 diff --git a/programs/auto/.cvsignore b/programs/auto/.cvsignore deleted file mode 100644 index 865faf10c..000000000 --- a/programs/auto/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -auto diff --git a/programs/auto/Makefile b/programs/auto/Makefile deleted file mode 100644 index 035dbf708..000000000 --- a/programs/auto/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.2 2006/02/10 11:28:38 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=auto - -include ../Makefile.program diff --git a/programs/auto/auto.8 b/programs/auto/auto.8 deleted file mode 100644 index 21b5fd11b..000000000 --- a/programs/auto/auto.8 +++ /dev/null 
@@ -1,481 +0,0 @@ -.TH IPSEC_AUTO 8 "17 December 2004" -.\" RCSID $Id: auto.8,v 1.6 2004/12/17 22:34:38 as Exp $ -.SH NAME -ipsec auto \- control automatically-keyed IPsec connections -.SH SYNOPSIS -.B ipsec -.B auto -[ -.B \-\-show -] [ -.B \-\-showonly -] [ -.B \-\-asynchronous -] -.br -\ \ \ [ -.B \-\-config -configfile -] [ -.B \-\-verbose -] [ -.B \-\-type conn -] -.br -\ \ \ operation -connection -.sp -.B ipsec -.B auto -[ -.B \-\-show -] [ -.B \-\-showonly -] -.br -\ \ \ [ -.B \-\-config -configfile -] [ -.B \-\-verbose -] -.B \-\-type ca -.br -\ \ \ operation -ca -.sp -.B ipsec -.B auto -[ -.B \-\-show -] [ -.B \-\-showonly -] operation -.SH DESCRIPTION -.I Auto -manipulates automatically-keyed strongSwan IPsec connections, -setting them up and shutting them down -based on the information in the IPsec configuration file. -In the normal usage, -.I connection -is the name of a connection specification in the configuration file; -.I ca -is the name of a Certification Authority (CA) specification in the configuration file; -.I operation -is -.BR \-\-add , -.BR \-\-delete , -.BR \-\-replace , -.BR \-\-up , -.BR \-\-down , -.BR \-\-route , -or -.BR \-\-unroute . -The -.BR \-\-status -and -.BR \-\-statusall -.I operations -may take a -.I connection -name. -The -.BR \-\-ready , -.BR \-\-rereadsecrets , -.BR \-\-rereadgroups , -.BR \-\-rereadcacerts , -.BR \-\-rereadaacerts , -.BR \-\-rereadocspcerts , -.BR \-\-rereadacerts , -.BR \-\-rereadcrls , -.BR \-\-rereadall , -.BR \-\-listalgs , -.BR \-\-listpubkeys , -.BR \-\-listcerts , -.BR \-\-listcacerts , -.BR \-\-listaacerts , -.BR \-\-listocspcerts , -.BR \-\-listacerts , -.BR \-\-listgroups , -.BR \-\-listcainfos , -.BR \-\-listcrls , -.BR \-\-listocsp , -.BR \-\-listcards , -.BR \-\-listall , -and -.BR \-\-purgeocsp -.I operations -do not take a connection name. -.I Auto -generates suitable -commands and feeds them to a shell for execution. 
-.PP -The -.B \-\-add -operation adds a connection or ca specification to the internal database -within -.IR pluto ; -it will fail if -.I pluto -already has a specification by that name. -The -.B \-\-delete -operation deletes a connection or ca specification from -.IR pluto 's -internal database (also tearing down any connections based on it); -it will fail if the specification does not exist. -The -.B \-\-replace -operation is equivalent to -.B \-\-delete -(if there is already a specification by the given name) -followed by -.BR \-\-add , -and is a convenience for updating -.IR pluto 's -internal specification to match an external one. -(Note that a -.B \-\-rereadsecrets -may also be needed.) -The -.B \-\-rereadgroups -operation causes any changes to the policy group files to take effect -(this is currently a synonym for -.BR \-\-ready , -but that may change). -None of the other operations alters the internal database. -.PP -The -.B \-\-up -operation asks -.I pluto -to establish a connection based on an entry in its internal database. -The -.B \-\-down -operation tells -.I pluto -to tear down such a connection. -.PP -Normally, -.I pluto -establishes a route to the destination specified for a connection as -part of the -.B \-\-up -operation. -However, the route and only the route can be established with the -.B \-\-route -operation. -Until and unless an actual connection is established, -this discards any packets sent there, -which may be preferable to having them sent elsewhere based on a more -general route (e.g., a default route). -.PP -Normally, -.IR pluto 's -route to a destination remains in place when a -.B \-\-down -operation is used to take the connection down -(or if connection setup, or later automatic rekeying, fails). -This permits establishing a new connection (perhaps using a -different specification; the route is altered as necessary) -without having a ``window'' in which packets might go elsewhere -based on a more general route. 
-Such a route can be removed using the -.B \-\-unroute -operation -(and is implicitly removed by -.BR \-\-delete ). -.PP -The -.B \-\-ready -operation tells -.I pluto -to listen for connection-setup requests from other hosts. -Doing an -.B \-\-up -operation before doing -.B \-\-ready -on both ends is futile and will not work, -although this is now automated as part of IPsec startup and -should not normally be an issue. -.PP -The -.B \-\-status -operation asks -.I pluto -for current connection status either for all connections -(no connection argument) or a for specified -.I connection -name. For more detailed information use -.B \-\-statusall -\. The output format is ad-hoc and likely to change. -.PP -The -.B \-\-rereadsecrets -operation tells -.I pluto -to re-read the -.I /etc/ipsec.secrets -secret-keys file, -which it normally reads only at startup time. -(This is currently a synonym for -.BR \-\-ready , -but that may change.) -.PP -The -.B \-\-rereadcacerts -operation reads all certificate files contained in the -.IR /etc/ipsec.d/cacerts -directory and adds them to -.IR pluto 's -list of Certification Authority (CA) certificates. -.PP -The -.B \-\-rereadaacerts -operation reads all certificate files contained in the -.IR /etc/ipsec.d/aacerts -directory and adds them to -.IR pluto 's -list of Authorization Authority (AA) certificates. -.PP -The -.B \-\-rereadocspcerts -operation reads all certificate files contained in the -.IR /etc/ipsec.d/ocspcerts -directory and adds them to -.IR pluto 's -list of OCSP signer certificates. -.PP -The -.B \-\-rereadacerts -operation reads all certificate files contained in the -.IR /etc/ipsec.d/acerts -directory and adds them to -.IR pluto 's -list of attribute certificates. -.PP -The -.B \-\-rereadcrls -operation reads all certificate revocation list (CRL) files -contained in the -.IR /etc/ipsec.d/crls -directory and adds them to -.IR pluto 's -list of CRLs. 
-.PP -The -.B \-\-rereadall -operation is equivalent to the execution of -.BR \-\-rereadsecrets , -.BR \-\-rereadcacerts , -.BR \-\-rereadaacerts , -.BR \-\-rereadocspcerts , -.BR \-\-rereadacerts , -and -.BR \-\-rereadcrls . -.PP -The -.B \-\-listalgs -operation lists all registed IKE encryption and hash algorithms, -that are available to -.IR pluto , -as well as the Diffie-Hellman (DH) groups. -.PP -The -.B \-\-listpubkeys -operation lists all RSA public keys either received from peers -via the IKE protocol embedded in authenticated certificate payloads -or loaded locally using the -.BR rightcert \ / -.BR leftcert -or -.BR rightrsasigkey \ / -.BR leftrsasigkey -parameters in -.IR ipsec.conf (5). -.PP -The -.B \-\-listcerts -operation lists all X.509 and OpenPGP certificates loaded locally using the -.BR rightcert -and -.BR leftcert -parameters in -.IR ipsec.conf (5). -.PP -The -.B \-\-listcacerts -operation lists all X.509 CA certificates either loaded locally from the -.IR /etc/ipsec.d/cacerts -directory or received in PKCS#7-wrapped certificate payloads via -the IKE protocol. -.PP -The -.B \-\-listaacerts -operation lists all X.509 AA certificates loaded locally from the -.IR /etc/ipsec.d/aacerts -directory. -.PP -The -.B \-\-listocspcerts -operation lists all OCSP signer certificates either loaded locally from the -.IR /etc/ipsec.d/ocspcerts -directory or received via the Online Certificate Status Protocol -from an OCSP server. -.PP -The -.B \-\-listacerts -operation lists all X.509 attribute certificates loaded locally from the -.IR /etc/ipsec.d/acerts -directory. -.PP -The -.B \-\-listgropus -operation lists all groups that are either used in connection definitions in -.IR ipsec.conf (5) -or are embedded in loaded X.509 attributes certificates. -.PP -The -.B \-\-listcainfos -operation lists the certification authority information specified in the ca -sections of -.IR ipsec.conf (5). 
-.PP -The -.B \-\-listcrls -operation lists all Certificate Revocation Lists (CRLs) either loaded -locally from the -.IR /etc/ipsec.d/crls -directory or fetched dynamically from an HTTP or LDAP server. -.PP -The -.B \-\-listocsp -operation lists the certicates status information fetched from -OCSP servers. -.PP -The -.B \-\-purgeocsp -operation deletes any cached certificate status information and pending -OCSP fetch requests. -.PP -The -.B \-\-listcards -operation lists information about attached smartcards or crypto tokens. -.PP -The -.B \-\-listall -operation is equivalent to the execution of -.BR \-\-listalgs , -.BR \-\-listpubkeys , -.BR \-\-listcerts , -.BR \-\-listcacerts , -.BR \-\-listaacerts , -.BR \-\-listocspcerts , -.BR \-\-listacerts , -.BR \-\-listgroups , -.BR \-\-listcainfos , -.BR \-\-listcrls , -.BR \-\-listocsp , -and -.BR \-\-listcards . -.PP -The -.B \-\-show -option turns on the -.B \-x -option of the shell used to execute the commands, -so each command is shown as it is executed. -.PP -The -.B \-\-showonly -option causes -.I auto -to show the commands it would run, on standard output, -and not run them. -.PP -The -.B \-\-asynchronous -option, applicable only to the -.B up -operation, -tells -.I pluto -to attempt to establish the connection, -but does not delay to report results. -This is especially useful to start multiple connections in parallel -when network links are slow. -.PP -The -.B \-\-verbose -option instructs -.I auto -to pass through all output from -.IR ipsec_whack (8), -including log output that is normally filtered out as uninteresting. -.PP -The -.B \-\-config -option specifies a non-standard location for the IPsec -configuration file (default -.IR /etc/ipsec.conf ). -.PP -See -.IR ipsec.conf (5) -for details of the configuration file. 
-Apart from the basic parameters which specify the endpoints and routing -of a connection (\fBleft\fR -and -.BR right , -plus possibly -.BR leftsubnet , -.BR leftnexthop , -.BR leftfirewall , -their -.B right -equivalents, -and perhaps -.BR type ), -an -.I auto -connection almost certainly needs a -.B keyingtries -parameter (since the -.B keyingtries -default is poorly chosen). -.SH FILES -.ta \w'/var/run/ipsec.info'u+4n -/etc/ipsec.conf default IPSEC configuration file -.br -/var/run/ipsec.info \fB%defaultroute\fR information -.SH SEE ALSO -ipsec.conf(5), ipsec(8), ipsec_pluto(8), ipsec_whack(8), ipsec_manual(8) -.SH HISTORY -Written for the FreeS/WAN project -<http://www.freeswan.org> -by Henry Spencer. -Extended for the strongSwan project -<http://www.strongswan.org> -by Andreas Steffen. -.SH BUGS -Although an -.B \-\-up -operation does connection setup on both ends, -.B \-\-down -tears only one end of the connection down -(although the orphaned end will eventually time out). -.PP -There is no support for -.B passthrough -connections. -.PP -A connection description which uses -.B %defaultroute -for one of its -.B nexthop -parameters but not the other may be falsely -rejected as erroneous in some circumstances. -.PP -The exit status of -.B \-\-showonly -does not always reflect errors discovered during processing of the request. -(This is fine for human inspection, but not so good for use in scripts.) diff --git a/programs/auto/auto.in b/programs/auto/auto.in deleted file mode 100755 index 05568f9b5..000000000 --- a/programs/auto/auto.in +++ /dev/null 
@@ -1,660 +0,0 @@ -#! /bin/sh -# user interface to automatic keying and Pluto in general -# Copyright (C) 1998, 1999, 2000 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: auto.in,v 1.17 2006/04/20 04:42:12 as Exp $ - -me='ipsec auto' -usage="Usage: - $me [--showonly] [--asynchronous] --up connectionname - $me [--showonly] [-- type conn|ca] --{add|delete|replace|down} name - $me [--showonly] --{route|unroute} connectionname - $me [--showonly] --ready - $me [--showonly] --{status|statusall} [connectionname] - $me [--showonly] --{rereadsecrets|rereadgroups} - $me [--showonly] --{rereadcacerts|rereadaacerts|rereadocspcerts} - $me [--showonly] --{rereadacerts|rereadcrls|rereadall} - $me [--showonly] [--utc] --{listalgs|listpubkeys|listcerts} - $me [--showonly] [--utc] --{listcacerts|listaacerts|listocspcerts} - $me [--showonly] [--utc] --{listacerts|listgroups|listcainfos} - $me [--showonly] [--utc] --{listcrls|listocsp|listcards|listall} - $me [--showonly] --purgeocsp - - other options: [--config ipsecconfigfile] [--verbose] [--show]" - -showonly= -config= -info=/var/run/ipsec.info -shopts= -noinclude= -async= -logfilter='$1 != "002"' -op= -argc= -utc= -type="conn" -name="--name" - -for dummy -do - case "$1" in - --help) echo "$usage" ; exit 0 ;; - --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; - --show) shopts=-x ;; - --showonly) showonly=yes ;; - --utc) utc="$1" ;; - --config) config="--config $2" ; shift ;; - --noinclude) noinclude=--noinclude 
;; - --asynchronous) async="--asynchronous" ;; - --verbose) logfilter='1' ;; - --type) type="$2" ; shift ;; - --up|--down|--add|--delete|--replace|--route|--unroute) - if test " $op" != " " - then - echo "$usage" >&2 - exit 2 - fi - op="$1" - argc=1 - if test "$type" = "ca" - then - name="--caname" - case "$op" in - --add|--delete|--replace) ;; - --*) echo "$op option not supported for --type ca"; - exit 3 ;; - esac - fi - ;; - --status|--statusall) - if test " $op" != " " - then - echo "$usage" >&2 - exit 2 - fi - op="$1" - argc=1 - if test $# -eq 1 - then - argc=0; name= - fi - ;; - --ready|--rereadsecrets|--rereadgroups|\ - --rereadcacerts|--rereadaacerts|--rereadocspcerts|\ - --rereadacerts|--rereadcrls|--rereadall|\ - --listalgs|--listpubkeys|--listcerts|\ - --listcacerts|--listaacerts|--listocspcerts|\ - --listacerts|--listgroups|--listcainfos|\ - --listcrls|--listocsp|--listcards|--listall|\ - --purgeocsp) - if test " $op" != " " - then - echo "$usage" >&2 - exit 2 - fi - op="$1" - argc=0 - ;; - --) shift ; break ;; - -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - -names= -case "$op" in ---*) if test " $argc" -ne $# - then - echo "$usage" >&2 - exit 2 - fi - names="$*" - ;; -*) echo "$usage" >&2 ; exit 2 ;; -esac - - -runit() { - if test "$showonly" - then - cat - else - ( - echo '(' - cat - echo ')' - echo 'echo = $?' 
- ) | sh $shopts | - awk "/^= / { exit \$2 } $logfilter { print }" - fi -} - -case "$op" in ---ready) echo "ipsec whack --listen" | runit ; exit ;; ---rereadsecrets) echo "ipsec whack --rereadsecrets" | runit ; exit ;; ---rereadgroups) echo "ipsec whack --listen" | runit ; exit ;; ---rereadcacerts) echo "ipsec whack --rereadcacerts" | runit ; exit ;; ---rereadaacerts) echo "ipsec whack --rereadaacerts" | runit ; exit ;; ---rereadocspcerts) echo "ipsec whack --rereadocspcerts" | runit ; exit ;; ---rereadacerts) echo "ipsec whack --rereadacerts" | runit ; exit ;; ---rereadcrls) echo "ipsec whack --rereadcrls" | runit ; exit ;; ---rereadall) echo "ipsec whack --rereadall" | runit ; exit ;; ---listalgs) echo "ipsec whack --listalgs" | runit ; exit ;; ---listpubkeys) echo "ipsec whack $utc --listpubkeys" | runit ; exit ;; ---listcerts) echo "ipsec whack $utc --listcerts" | runit ; exit ;; ---listcacerts) echo "ipsec whack $utc --listcacerts" | runit ; exit ;; ---listaacerts) echo "ipsec whack $utc --listaacerts" | runit ; exit ;; ---listocspcerts) echo "ipsec whack $utc --listocspcerts" | runit ; exit ;; ---listacerts) echo "ipsec whack $utc --listacerts" | runit ; exit ;; ---listgroups) echo "ipsec whack $utc --listgroups" | runit ; exit ;; ---listcainfos) echo "ipsec whack $utc --listcainfos" | runit ; exit ;; ---listcrls) echo "ipsec whack $utc --listcrls" | runit ; exit ;; ---listocsp) echo "ipsec whack $utc --listocsp" | runit ; exit ;; ---listcards) echo "ipsec whack $utc --listcards" | runit ; exit ;; ---listall) echo "ipsec whack $utc --listall" | runit ; exit ;; ---purgeocsp) echo "ipsec whack $utc --purgeocsp" | runit ; exit ;; ---up) echo "ipsec whack $async --name $names --initiate" | runit ; exit ;; ---down) echo "ipsec whack --name $names --terminate" | runit ; exit ;; ---delete) echo "ipsec whack $name $names --delete" | runit ; exit ;; ---route) echo "ipsec whack --name $names --route" | runit ; exit ;; ---unroute) echo "ipsec whack --name $names 
--unroute" | runit ; exit ;; ---status) echo "ipsec whack $name $names --status" | runit ; exit ;; ---statusall) echo "ipsec whack $name $names --statusall" | runit ; exit ;; -esac - -if test -s $info -then - . $info -fi - -ipsec _confread $config $noinclude --type $type $names | -awk -v section="$type" ' BEGIN { - FS = "\t" - op = "'"$op"'" - err = "cat >&2" - draddr = "'"$defaultrouteaddr"'" - drnexthop = "'"$defaultroutenexthop"'" - failed = 0 - s[""] = "" - init() - print "PATH=\"'"$PATH"'\"" - print "export PATH" - flip["left"] = "right" - flip["right"] = "left" - } - function init(n) { - for (n in s) - delete s[n] - name = "" - seensome = 0 - } - $1 == ":" { - s[$2] = $3 - seensome = 1 - next - } - $1 == "!" { - if ($2 != "") - fail($2) - next - } - $1 == "=" { - if (name == "") - name = $2 - next - } - $1 == "." { - if (section == "ca") - output_ca() - else - output() - init() - next - } - { - fail("internal error, unknown type code " v($1)) - } - function fail(m) { - print "ipsec_auto: fatal error in " v(name) ": " m |err - failed = 1 - exit - } - function yesno(k) { - if ((k in s) && s[k] != "yes" && s[k] != "no") - fail("parameter " v(k) " must be \"yes\" or \"no\"") - } - function setdefault(k, val) { - if (!(k in s)) - s[k] = val - } - function was(new, old) { - if (!(new in s) && (old in s)) - s[new] = s[old] - } - function need(k) { - if (!(k in s)) - fail("connection has no " v(k) " parameter specified") - if (s[k] == "") - fail("parameter " v(k) " value must be non-empty") - } - function integer(k) { - if (!(k in s)) - return - if (s[k] !~ /^[0-9]+$/) - fail("parameter " v(k) " value must be integer") - } - function duration(k, n, t) { - if (!(k in s)) - return - t = s[k] - n = substr(t, 1, length(t)-1) - if (t ~ /^[0-9]+$/) - s[k] = t - else if (t ~ /^[0-9]+s$/) - s[k] = n - else if (t ~ /^[0-9]+(\.[0-9]+)?m$/) - s[k] = int(n*60) - else if (t ~ /^[0-9]+(\.[0-9]+)?h$/) - s[k] = int(n*3600) - else if (t ~ /^[0-9]+(\.[0-9]+)?d$/) - s[k] = 
int(n*3600*24) - else - fail("parameter " v(k) " not valid time, must be nnn[smhd]") - } - function nexthopset(dir, val, k) { - k = dir "nexthop" - if (k in s) - fail("non-default value of " k " is being overridden") - if (val != "") - s[k] = val - else if (k in s) - delete s[k] - } - function id(dir, k) { - k = dir "id" - if (!(k in s)) - k = dir - return s[k] - } - function whackkey(dir, which, flag, rk, n) { - if (id(dir) == "%opportunistic") - return - rk = s[dir which] - if (rk == "%dnsondemand") - { - kod="--dnskeyondemand" - return - } - if (rk == "" || rk == "%none" || rk == "%cert" || rk == "0x00") - return - n = "\"\\\"" name "\\\" " dir which"\"" - if (rk == "%dns" || rk == "%dnsonload") - { - if (id(flip[dir]) == "%opportunistic" || s[flip[dir]] == "%any") - return - print "ipsec whack --label", n, flag, - "--keyid", q(id(dir)), "\\" - } - else - { - print "ipsec whack --label", n, flag, - "--keyid", q(id(dir)), - "--pubkeyrsa", q(rk), "\\" - } - print "\t|| exit $?" - } - function q(str) { # quoting for shell - return "\"" str "\"" - } - function qs(k) { # utility abbreviation for q(s[k]) - return q(s[k]) - } - function v(str) { # quoting for human viewing - return "\"" str "\"" - } - function output() { - if (!seensome) - fail("internal error, output called inappropriately") - - setdefault("type", "tunnel") - type_flags = "" - t = s["type"] - if (t == "tunnel") { - # do NOT default subnets to side/32, despite what - # the docs say... 
- type_flags = "--tunnel" - } else if (t == "transport") { - if ("leftsubnet" in s) - fail("type=transport incompatible with leftsubnet") - if ("rightsubnet" in s) - fail("type=transport incompatible with rightsubnet") - type_flags = "" - } else if (t == "passthrough") { - type_flags = "--pass" - } else if (t == "drop") { - type_flags = "--drop" - } else if (t == "reject") { - type_flags = "--reject" - } else - fail("unknown type " v(t)) - - setdefault("failureshunt", "none") - t = s["failureshunt"] - if (t == "passthrough") - type_flags = type_flags " --failpass"; - else if (t == "drop") - type_flags = type_flags " --faildrop"; - else if (t == "reject") - type_flags = type_flags " --failreject"; - else if (t != "none") - fail("unknown failureshunt value " v(t)) - - need("left") - need("right") - if (s["left"] == "%defaultroute") { - if (s["right"] == "%defaultroute") - fail("left and right cannot both be %defaultroute") - if (draddr == "") - fail("%defaultroute requested but not known") - s["left"] = draddr - nexthopset("left", drnexthop) - } else if (s["right"] == "%defaultroute") { - if (draddr == "") - fail("%defaultroute requested but not known") - s["right"] = draddr - nexthopset("right", drnexthop) - } - - setdefault("keyexchange", "ike") - if (s["keyexchange"] != "ike") - fail("only know how to do keyexchange=ike") - setdefault("auth", "esp") - if (("auth" in s) && s["auth"] != "esp" && s["auth"] != "ah") - fail("only know how to do auth=esp or auth=ah") - yesno("pfs") - - setdefault("pfs", "yes") - duration("dpddelay") - duration("dpdtimeout") - if ("dpdaction" in s) - { - setdefault("dpddelay",30) - setdefault("dpdtimeout",120) - } - yesno("compress") - setdefault("compress", "no") - setdefault("keylife", "1h") - duration("keylife") - yesno("rekey") - setdefault("rekey", "yes") - setdefault("rekeymargin", "9m") - duration("rekeymargin") - setdefault("keyingtries", "%forever") - if (s["keyingtries"] == "%forever") - s["keyingtries"] = 0 - 
integer("keyingtries") - if ("rekeyfuzz" in s) { - if (s["rekeyfuzz"] !~ /%$/) - fail("rekeyfuzz must be nnn%") - r = s["rekeyfuzz"] - s["rekeyfuzz"] = substr(r, 1, length(r)-1) - integer("rekeyfuzz") - } - duration("ikelifetime") - setdefault("disablearrivalcheck", "no") - - setdefault("leftsendcert", "always") - setdefault("rightsendcert", "always") - - setdefault("leftnexthop", "%direct") - setdefault("rightnexthop", "%direct") - if (s["leftnexthop"] == s["left"]) - fail("left and leftnexthop must not be the same") - if (s["rightnexthop"] == s["right"]) - fail("right and rightnexthop must not be the same") - if (s["leftnexthop"] == "%defaultroute") { - if (drnexthop == "") - fail("%defaultroute requested but not known") - s["leftnexthop"] = drnexthop - } - if (s["rightnexthop"] == "%defaultroute") { - if (drnexthop == "") - fail("%defaultroute requested but not known") - s["rightnexthop"] = drnexthop - } - - if ("leftfirewall" in s && "leftupdown" in s) - fail("cannot have both leftfirewall and leftupdown") - if ("rightfirewall" in s && "rightupdown" in s) - fail("cannot have both rightfirewall and rightupdown") - setdefault("leftupdown", "ipsec _updown") - setdefault("rightupdown", "ipsec _updown") - setdefault("lefthostaccess", "no") - setdefault("righthostaccess", "no") - yesno("lefthostaccess") - yesno("righthostaccess") - lha = "" - if (s["lefthostaccess"] == "yes") - lha = "--hostaccess" - rha = "" - if (s["righthostaccess"] == "yes") - rha = "--hostaccess" - setdefault("leftfirewall", "no") - setdefault("rightfirewall", "no") - yesno("leftfirewall") - yesno("rightfirewall") - if (s["leftfirewall"] == "yes") - s["leftupdown"] = s["leftupdown"] " iptables" - if (s["rightfirewall"] == "yes") - s["rightupdown"] = s["rightupdown"] " iptables" - - setdefault("authby", "rsasig") - t = s["authby"] - if (t == "rsasig" || t == "secret|rsasig" || t == "rsasig|secret") { - authtype = "--rsasig" - type_flags = "--encrypt " type_flags - if (!("leftcert" in s)) { - 
setdefault("leftrsasigkey", "%cert") - if (id("left") == "%any" && - !(s["leftrsasigkey"] == "%cert" || - s["leftrsasigkey"] == "0x00") ) - fail("ID " v(id("left")) " cannot have RSA key") - } - if (!("rightcert" in s)) { - setdefault("rightrsasigkey", "%cert") - if (id("right") == "%any" && - !(s["rightrsasigkey"] == "%cert" || - s["rightrsasigkey"] == "0x00") ) - fail("ID " v(id("right")) " cannot have RSA key") - } - if (t != "rsasig") - authtype = authtype " --psk" - } else if (t == "secret") { - authtype = "--psk" - type_flags = "--encrypt " type_flags - } else if (t == "never") { - authtype = "" - } else { - fail("unknown authby value " v(t)) - } - - settings = type_flags - setdefault("ike", "3des-sha,3des-md5") - if (s["ike"] != "") - settings = settings " --ike " qs("ike") - setdefault("esp", "3des") - if (s["esp"] != "") - settings = settings " --esp " qs("esp") - if (s["auth"] == "ah") - settings = settings " --authenticate" - if (s["pfs"] == "yes") { - settings = settings " --pfs" - if (s["pfsgroup"] != "") - settings = settings " --pfsgroup " qs("pfsgroup") - } - - if (s["dpdaction"]) - settings = settings " --dpdaction " qs("dpdaction") - if (s["dpddelay"]) - settings = settings " --dpddelay " qs("dpddelay") - if (s["dpdtimeout"]) - settings = settings " --dpdtimeout " qs("dpdtimeout") - - if (s["compress"] == "yes") - settings = settings " --compress" - if (op == "--replace") - settings = settings " --delete" - if ("ikelifetime" in s) - settings = settings " --ikelifetime " qs("ikelifetime") - if (s["disablearrivalcheck"] == "yes") - settings = settings " --disablearrivalcheck" - settings = settings " " authtype - - lc = "" - rc = "" - if ("leftsubnet" in s) - lc = "--client " qs("leftsubnet") - if ("rightsubnet" in s) - rc = "--client " qs("rightsubnet") - if ("leftsubnetwithin" in s) - lc = lc " --clientwithin " qs("leftsubnetwithin") - if ("rightsubnetwithin" in s) - rc = rc " --clientwithin " qs("rightsubnetwithin") - lp = "" - rp = "" - if 
("leftprotoport" in s) - lp = "--clientprotoport " qs("leftprotoport") - if ("rightprotoport" in s) - rp = "--clientprotoport " qs("rightprotoport") - lud = "--updown " qs("leftupdown") - rud = "--updown " qs("rightupdown") - - lid = "" - if ("leftid" in s) - lid = "--id " qs("leftid") - rid = "" - if ("rightid" in s) - rid = "--id " qs("rightid") - lsip = "" - if ("leftsourceip" in s) - lsip = "--srcip " qs("leftsourceip") - rsip = "" - if ("rightsourceip" in s) - rsip = "--srcip " qs("rightsourceip") - lscert = "" - if ("leftsendcert" in s) - lscert = "--sendcert " qs("leftsendcert") - rscert = "" - if ("rightsendcert" in s) - rscert = "--sendcert " qs("rightsendcert") - lcert = "" - if ("leftcert" in s) - lcert = "--cert " qs("leftcert") - rcert = "" - if ("rightcert" in s) - rcert = "--cert " qs("rightcert") - lca = "" - if ("leftca" in s) - lca = "--ca " qs("leftca") - rca = "" - if ("rightca" in s) - rca = "--ca " qs("rightca") - lgr = "" - if ("leftgroups" in s) - lgr = "--groups " qs("leftgroups") - rgr = "" - if ("rightgroups" in s) - rgr = "--groups " qs("rightgroups") - fuzz = "" - if ("rekeyfuzz" in s) - fuzz = "--rekeyfuzz " qs("rekeyfuzz") - rk = "" - if (s["rekey"] == "no") - rk = "--dontrekey" - pd = "" - if ("_plutodevel" in s) - pd = "--plutodevel " s["_plutodevel"] # not qs() - - lkod = "" - rkod = "" - if (authtype != "--psk") { - kod = "" - whackkey("left", "rsasigkey", "") - whackkey("left", "rsasigkey2", "--addkey") - lkod = kod - kod = "" - whackkey("right", "rsasigkey", "") - whackkey("right", "rsasigkey2", "--addkey") - rkod = kod - } - print "ipsec whack --name", name, settings, "\\" - print "\t--host", qs("left"), lc, lp, "--nexthop", - qs("leftnexthop"), lud, lha, lid, lkod, lscert, lcert, lca, lsip, lgr, "\\" - print "\t--to", "--host", qs("right"), rc, rp, "--nexthop", - qs("rightnexthop"), rud, rha, rid, rkod, rscert, rcert, rca, rsip, rgr, "\\" - print "\t--ipseclifetime", qs("keylife"), - "--rekeymargin", qs("rekeymargin"), "\\" - 
print "\t--keyingtries", qs("keyingtries"), fuzz, rk, pd, "\\" - print "\t|| exit $?" - } - function output_ca() { - if (!seensome) - fail("internal error, output called inappropriately") - settings = "" - if (op == "--replace") - settings = "--delete" - cacert = "" - if ("cacert" in s) - cacert = "--cacert " qs("cacert") - ldaphost = "" - if ("ldaphost" in s) - ldaphost = "--ldaphost " qs("ldaphost") - ldapbase = "" - if ("ldapbase" in s) - ldapbase = "--ldapbase " qs("ldapbase") - crluri = "" - if ("crluri" in s) - crluri = "--crluri " qs("crluri") - crluri2 = "" - if ("crluri2" in s) - crluri2 = "--crluri2 " qs("crluri2") - ocspuri = "" - if ("ocspuri" in s) - ocspuri = "--ocspuri " qs("ocspuri") - yesno("strictcrlpolicy") - setdefault("strictcrlpolicy", "no") - if (s["strictcrlpolicy"] == "yes") - settings = settings " --strictcrlpolicy" - yesno("cachecrls") - setdefault("cachecrls", "no") - if (s["cachecrls"] == "yes") - settings = settings " --cachecrls" - - print "ipsec whack --caname", name, settings, cacert, ldaphost, ldapbase, - crluri, crluri2, ocspuri, "\\" - print "\t|| exit $?" - } - END { - if (failed) { - print "# fatal error discovered, force failure using \"false\" command" - print "false" - exit 1 # just on general principles - } - if (seensome) { - if (section == "ca") - output_ca() - else - output() - } - }' | runit diff --git a/programs/eroute/.cvsignore b/programs/eroute/.cvsignore deleted file mode 100644 index 133c4b456..000000000 --- a/programs/eroute/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -eroute diff --git a/programs/eroute/Makefile b/programs/eroute/Makefile deleted file mode 100644 index 6d8f68033..000000000 --- a/programs/eroute/Makefile +++ /dev/null 
@@ -1,52 +0,0 @@ -# Makefile for the KLIPS interface utilities -# Copyright (C) 1998, 1999 Henry Spencer. -# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM:=eroute -EXTRA5PROC=eroute.5 - -LIBS:=${FREESWANLIB} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:27 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.4 2002/06/03 20:25:31 mcr -# man page for files actually existant in /proc/net changed back to -# ipsec_foo via new EXTRA5PROC process. -# -# Revision 1.3 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.2 2002/04/26 01:21:26 mcr -# while tracking down a missing (not installed) /etc/ipsec.conf, -# MCR has decided that it is not okay for each program subdir to have -# some subset (determined with -f) of possible files. -# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -# Optional PROGRAM.5 files have been added to the makefiles. -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# diff --git a/programs/eroute/eroute.5 b/programs/eroute/eroute.5 deleted file mode 100644 index 52b3f4d25..000000000 
--- a/programs/eroute/eroute.5 +++ /dev/null 
@@ -1,272 +0,0 @@ -.TH IPSEC_EROUTE 5 "20 Sep 2001" -.\" -.\" RCSID $Id: eroute.5,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec_eroute \- list of existing eroutes -.SH SYNOPSIS -.B ipsec -.B eroute -.PP -.B cat -.B /proc/net/ipsec_eroute -.SH DESCRIPTION -.I /proc/net/ipsec_eroute -lists the IPSEC extended routing tables, -which control what (if any) processing is applied -to non-encrypted packets arriving for IPSEC processing and forwarding. -At this point it is a read-only file. -.PP -A table entry consists of: -.IP + 3 -packet count, -.IP + -source address with mask and source port (0 if all ports or not applicable) -.IP + -a '->' separator for visual and automated parsing between src and dst -.IP + -destination address with mask and destination port (0 if all ports or -not applicable) -.IP + -a '=>' separator for visual and automated parsing between selection -criteria and SAID to use -.IP + -SAID (Security Association IDentifier), comprised of: -.IP + 6 -protocol -(\fIproto\fR), -.IP + -address family -(\fIaf\fR), -where '.' stands for IPv4 and ':' for IPv6 -.IP + -Security Parameters Index -(\fISPI\fR), -.IP + -effective destination -(\fIedst\fR), -where the packet should be forwarded after processing -(normally the other security gateway) -together indicate which Security Association should be used to process -the packet, -.IP + 3 -a ':' separating the SAID from the transport protocol (0 if all protocols) -.IP + -source identity text string with no whitespace, in parens, -.IP + -destination identity text string with no whitespace, in parens -.PP -Addresses are written as IPv4 dotted quads or IPv6 coloned hex, -protocol is one of "ah", "esp", "comp" or "tun" -and -SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6 -. -.PP -SAIDs are written as "protoafSPI@edst". 
There are also 5 -"magic" SAIDs which have special meaning: -.IP + 3 -.B %drop -means that matches are to be dropped -.IP + -.B %reject -means that matches are to be dropped and an ICMP returned, if -possible to inform -.IP + -.B %trap -means that matches are to trigger an ACQUIRE message to the Key -Management daemon(s) and a hold eroute will be put in place to -prevent subsequent packets also triggering ACQUIRE messages. -.IP + -.B %hold -means that matches are to stored until the eroute is replaced or -until that eroute gets reaped -.IP + -.B %pass -means that matches are to allowed to pass without IPSEC processing -.br -.ne 5 -.SH EXAMPLES -.LP -.B "1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 " -.br -.B " () ()" -.LP -means that 1,867 packets have been sent to an -.BR eroute -that has been set up to protect traffic between the subnet -.BR 172.31.252.0 -with a subnet mask of -.BR 24 -bits and the default address/mask represented by an address of -.BR 0.0.0.0 -with a subnet mask of -.BR 0 -bits using the local machine as a security gateway on this end of the -tunnel and the machine -.BR 192.168.43.1 -on the other end of the tunnel with a Security Association IDentifier of -.BR tun0x130@192.168.43.1 -which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a -Security Parameters Index of -.BR 130 -in hexadecimal with no identies defined for either end. -.LP -.B "746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 " -.br -.B " () ()" -.LP -means that 746 packets have been sent to an -.BR eroute -that has been set up to protect traffic sent from any port on the host -.BR 192.168.2.110 -to the SMTP (TCP, port 25) port on the host -.BR 192.168.2.120 -with a Security Association IDentifier of -.BR tun0x130@192.168.2.120 -which means that it is a transport mode connection with a -Security Parameters Index of -.BR 130 -in hexadecimal with no identies defined for either end. 
-.LP -.B 125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () () -.LP -means that 125 packets have been sent to an -.BR eroute -that has been set up to protect traffic between the subnet -.BR 3049:1:: -with a subnet mask of -.BR 64 -bits and the default address/mask represented by an address of -.BR 0:0 -with a subnet mask of -.BR 0 -bits using the local machine as a security gateway on this end of the -tunnel and the machine -.BR 3058:4::5 -on the other end of the tunnel with a Security Association IDentifier of -.BR tun:130@3058:4::5 -which means that it is a tunnel mode connection with a -Security Parameters Index of -.BR 130 -in hexadecimal with no identies defined for either end. -.LP -.B 42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough -.LP -means that 42 packets have been sent to an -.BR eroute -that has been set up to pass the traffic from the subnet -.BR 192.168.6.0 -with a subnet mask of -.BR 24 -bits and to subnet -.BR 192.168.7.0 -with a subnet mask of -.BR 24 -bits without any IPSEC processing with no identies defined for either end. -.LP -.B 2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) () -.LP -means that 2112 packets have been sent to an -.BR eroute -that has been set up to hold the traffic from the host -.BR 192.168.8.55 -and to host -.BR 192.168.9.47 -until a key exchange from a Key Management daemon -succeeds and puts in an SA or fails and puts in a pass -or drop eroute depending on the default configuration with the local client -defined as "east" and no identy defined for the remote end. 
-.LP -.B "2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => " -.br -.B " esp0xe6de@192.168.2.120:0 () ()" -.LP -means that 2001 packets have been sent to an -.BR eroute -that has been set up to protect traffic between the host -.BR 192.168.2.110 -and the host -.BR 192.168.2.120 -using -.BR 192.168.2.110 -as a security gateway on this end of the -connection and the machine -.BR 192.168.2.120 -on the other end of the connection with a Security Association IDentifier of -.BR esp0xe6de@192.168.2.120 -which means that it is a transport mode connection with a Security -Parameters Index of -.BR e6de -in hexadecimal using Encapsuation Security Payload protocol (50, -IPPROTO_ESP) with no identies defined for either end. -.LP -.B "1984 3049:1::110/128 -> 3049:1::120/128 => " -.br -.B " ah:f5ed@3049:1::120 () ()" -.LP -means that 1984 packets have been sent to an -.BR eroute -that has been set up to authenticate traffic between the host -.BR 3049:1::110 -and the host -.BR 3049:1::120 -using -.BR 3049:1::110 -as a security gateway on this end of the -connection and the machine -.BR 3049:1::120 -on the other end of the connection with a Security Association IDentifier of -.BR ah:f5ed@3049:1::120 -which means that it is a transport mode connection with a Security -Parameters Index of -.BR f5ed -in hexadecimal using Authentication Header protocol (51, -IPPROTO_AH) with no identies defined for either end. -.SH FILES -/proc/net/ipsec_eroute, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5), -ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5), -ipsec_pf_key(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. 
-.\" -.\" $Log: eroute.5,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.9 2002/04/24 07:35:38 mcr -.\" Moved from ./klips/utils/eroute.5,v -.\" -.\" Revision 1.8 2001/09/20 15:33:13 rgb -.\" PF_KEYv2 ident extension output documentation. -.\" -.\" Revision 1.7 2001/05/29 05:15:31 rgb -.\" Added packet count field at beginning of line. -.\" -.\" Revision 1.6 2001/02/26 19:58:32 rgb -.\" Put SAID elements in order they appear in SAID. -.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part -.\" of the new SPD and to support opportunistic. -.\" -.\" Revision 1.5 2000/09/17 18:56:48 rgb -.\" Added IPCOMP support. -.\" -.\" Revision 1.4 2000/09/13 15:54:31 rgb -.\" Added Gerhard's ipv6 updates. -.\" -.\" Revision 1.3 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.2 2000/06/28 12:44:11 henry -.\" format touchup -.\" -.\" Revision 1.1 2000/06/28 05:43:00 rgb -.\" Added manpages for all 5 klips utils. -.\" -.\" -.\" diff --git a/programs/eroute/eroute.8 b/programs/eroute/eroute.8 deleted file mode 100644 index d9449632b..000000000 --- a/programs/eroute/eroute.8 +++ /dev/null 
@@ -1,354 +0,0 @@ -.TH IPSEC_EROUTE 8 "21 Jun 2000" -.\" -.\" RCSID $Id: eroute.8,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec eroute \- manipulate IPSEC extended routing tables -.SH SYNOPSIS -.B ipsec -.B eroute -.PP -.B ipsec -.B eroute -.B \-\-add -.B \-\-eraf (inet | inet6) -.B \-\-src -src/srcmaskbits|srcmask -.B \-\-dst -dst/dstmaskbits|dstmask -[ -.B \-\-transport\-proto -transport-protocol -] -[ -.B \-\-src\-port -source-port -] -[ -.B \-\-dst\-port -dest-port -] -<SAID> -.PP -.B ipsec -.B eroute -.B \-\-replace -.B \-\-eraf (inet | inet6) -.B \-\-src -src/srcmaskbits|srcmask -.B \-\-dst -dst/dstmaskbits|dstmask -[ -.B \-\-transport\-proto -transport-protocol -] -[ -.B \-\-src\-port -source-port -] -[ -.B \-\-dst\-port -dest-port -] -<SAID> -.PP -.B ipsec -.B eroute -.B \-\-del -.B \-\-eraf (inet | inet6) -.B \-\-src -src/srcmaskbits|srcmask -.B \-\-dst -dst/dstmaskbits|dstmask -[ -.B \-\-transport\-proto -transport-protocol -] -[ -.B \-\-src\-port -source-port -] -[ -.B \-\-dst\-port -dest-port -] -.PP -.B ipsec -.B eroute -.B \-\-clear -.PP -.B ipsec -.B eroute -.B \-\-help -.PP -.B ipsec -.B eroute -.B \-\-version -.PP -Where <SAID> is -.B \-\-af -(inet | inet6) -.B \-\-edst -edst -.B \-\-spi -spi -.B \-\-proto -proto -OR -.B \-\-said -said -OR -.B \-\-said -.B (%passthrough | %passthrough4 | %passthrough6 | %drop | %reject | %trap | %hold | %pass ) -.SH DESCRIPTION -.I Eroute -manages the IPSEC extended routing tables, -which control what (if any) processing is applied -to non-encrypted packets arriving for IPSEC processing and forwarding. -The form with no additional arguments lists the contents of -/proc/net/ipsec_eroute. -The -.B \-\-add -form adds a table entry, the -.B \-\-replace -form replaces a table entry, while the -.B \-\-del -form deletes one. The -.B \-\-clear -form deletes the entire table. 
-.PP -A table entry consists of: -.IP + 3 -source and destination addresses, -with masks, source and destination ports and protocol -for selection of packets. The source and destination ports are only -legal if the transport protocol is -.BR TCP -or -.BR UDP. -A port can be specified as either decimal, hexadecimal (leading 0x), -octal (leading 0) or a name listed in the first column of /etc/services. -A transport protocol can be specified as either decimal, hexadecimal -(leading 0x), octal (leading 0) or a name listed in the first column -of /etc/protocols. If a transport protocol or port is not specified -then it defaults to 0 which means all protocols or all ports -respectively. -.IP + -Security Association IDentifier, comprised of: -.IP + 6 -protocol -(\fIproto\fR), indicating (together with the -effective destination and the security parameters index) -which Security Association should be used to process the packet -.IP + -address family -(\fIaf\fR), -.IP + -Security Parameters Index -(\fIspi\fR), indicating (together with the -effective destination and protocol) -which Security Association should be used to process the packet -(must be larger than or equal to 0x100) -.IP + -effective destination -(\fIedst\fR), -where the packet should be forwarded after processing -(normally the other security gateway) -.IP + 3 -OR -.IP + 6 -SAID -(\fIsaid\fR), indicating -which Security Association should be used to process the packet -.PP -Addresses are written as IPv4 dotted quads or IPv6 coloned hex, -protocol is one of "ah", "esp", "comp" or "tun" and SPIs are -prefixed hexadecimal numbers where '.' represents IPv4 and ':' -stands for IPv6. -.PP -SAIDs are written as "protoafSPI@address". 
There are also 5 -"magic" SAIDs which have special meaning: -.IP + 3 -.B %drop -means that matches are to be dropped -.IP + -.B %reject -means that matches are to be dropped and an ICMP returned, if -possible to inform -.IP + -.B %trap -means that matches are to trigger an ACQUIRE message to the Key -Management daemon(s) and a hold eroute will be put in place to -prevent subsequent packets also triggering ACQUIRE messages. -.IP + -.B %hold -means that matches are to stored until the eroute is replaced or -until that eroute gets reaped -.IP + -.B %pass -means that matches are to allowed to pass without IPSEC processing -.PP -The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5). -.br -.ne 5 -.SH EXAMPLES -.LP -.B "ipsec eroute \-\-add \-\-eraf inet \-\-src 192.168.0.1/32 \e" -.br -.B " \-\-dst 192.168.2.0/24 \-\-af inet \-\-edst 192.168.0.2 \e" -.br -.B " \-\-spi 0x135 \-\-proto tun" -.LP -sets up an -.BR eroute -on a Security Gateway to protect traffic between the host -.BR 192.168.0.1 -and the subnet -.BR 192.168.2.0 -with -.BR 24 -bits of subnet mask via Security Gateway -.BR 192.168.0.2 -using the Security Association with address -.BR 192.168.0.2 , -Security Parameters Index -.BR 0x135 -and protocol -.BR tun -(50, IPPROTO_ESP). -.LP -.B "ipsec eroute \-\-add \-\-eraf inet6 \-\-src 3049:1::1/128 \e" -.br -.B " \-\-dst 3049:2::/64 \-\-af inet6 \-\-edst 3049:1::2 \e" -.br -.B " \-\-spi 0x145 \-\-proto tun" -.LP -sets up an -.BR eroute -on a Security Gateway to protect traffic between the host -.BR 3049:1::1 -and the subnet -.BR 3049:2:: -with -.BR 64 -bits of subnet mask via Security Gateway -.BR 3049:1::2 -using the Security Association with address -.BR 3049:1::2 , -Security Parameters Index -.BR 0x145 -and protocol -.BR tun -(50, IPPROTO_ESP). 
-.LP -.B "ipsec eroute \-\-replace \-\-eraf inet \-\-src company.com/24 \e" -.br -.B " \-\-dst ftp.ngo.org/32 \-\-said tun.135@gw.ngo.org" -.LP -replaces an -.BR eroute -on a Security Gateway to protect traffic between the subnet -.BR company.com -with -.BR 24 -bits of subnet mask and the host -.BR ftp.ngo.org -via Security Gateway -.BR gw.ngo.org -using the Security Association with Security Association ID -.BR tun0x135@gw.ngo.org -.LP -.B "ipsec eroute \-\-del \-\-eraf inet \-\-src company.com/24 \e" -.br -.B " \-\-dst www.ietf.org/32 \-\-said %passthrough4" -.LP -deletes an -.BR eroute -on a Security Gateway that allowed traffic between the subnet -.BR company.com -with -.BR 24 -bits of subnet mask and the host -.BR www.ietf.org -to pass in the clear, unprocessed. -.LP -.B "ipsec eroute \-\-add \-\-eraf inet \-\-src company.com/24 \e" -.br -.B " \-\-dst mail.ngo.org/32 \-\-transport-proto 6 \e" -.br -.B " \-\-dst\-port 110 \-\-said tun.135@mail.ngo.org" -.LP -sets up an -.BR eroute -on on a Security Gateway to protect only TCP traffic on port 110 -(pop3) between the subnet -.BR company.com -with -.BR 24 -bits of subnet mask and the host -.BR ftp.ngo.org -via Security Gateway -.BR mail.ngo.org -using the Security Association with Security Association ID -.BR tun0x135@mail.ngo.org. -Note that any other traffic bound for -.BR mail.ngo.org -that is routed via the ipsec device will be dropped. If you wish to -allow other traffic to pass through then you must add a %pass rule. -For example the following rule when combined with the above will -ensure that POP3 messages read from -.BR mail.ngo.org -will be encrypted but all other traffic to/from -.BR mail.ngo.org -will be in clear text. 
-.LP -.B "ipsec eroute \-\-add \-\-eraf inet \-\-src company.com/24 \e" -.br -.B " \-\-dst mail.ngo.org/32 \-\-said %pass" -.br -.LP -.SH FILES -/proc/net/ipsec_eroute, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8), -ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_eroute(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. -.\" -.\" $Log: eroute.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.25 2002/04/24 07:35:38 mcr -.\" Moved from ./klips/utils/eroute.8,v -.\" -.\" Revision 1.24 2001/02/26 19:58:49 rgb -.\" Added a comment on the restriction of spi > 0x100. -.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part -.\" of the new SPD and to support opportunistic. -.\" -.\" Revision 1.23 2000/09/17 18:56:48 rgb -.\" Added IPCOMP support. -.\" -.\" Revision 1.22 2000/09/13 15:54:31 rgb -.\" Added Gerhard's ipv6 updates. -.\" -.\" Revision 1.21 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.20 2000/06/21 16:54:57 rgb -.\" Added 'no additional args' text for listing contents of -.\" /proc/net/ipsec_* files. -.\" -.\" Revision 1.19 1999/07/19 18:47:24 henry -.\" fix slightly-misformed comments -.\" -.\" Revision 1.18 1999/04/06 04:54:37 rgb -.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes -.\" patch shell fixes. -.\" -.\" diff --git a/programs/eroute/eroute.c b/programs/eroute/eroute.c deleted file mode 100644 index d1b2bff0a..000000000 --- a/programs/eroute/eroute.c +++ /dev/null 
@@ -1,1044 +0,0 @@ -/* - * manipulate eroutes - * Copyright (C) 1996 John Ioannidis. - * Copyright (C) 1997, 1998, 1999, 2000, 2001 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -char eroute_c_version[] = "RCSID $Id: eroute.c,v 1.3 2005/02/24 20:03:46 as Exp $"; - - -#include <sys/types.h> -#include <linux/types.h> /* new */ -#include <string.h> -#include <errno.h> -#include <stdlib.h> /* system(), strtoul() */ - -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <netdb.h> - - -#include <unistd.h> -#include <freeswan.h> -#if 0 -#include <linux/autoconf.h> /* CONFIG_IPSEC_PFKEYv2 */ -#endif -/* permanently turn it on since netlink support has been disabled */ - -#include <signal.h> -#include <pfkeyv2.h> -#include <pfkey.h> - -#include "freeswan/radij.h" -#include "freeswan/ipsec_encap.h" - -#include <stdio.h> -#include <getopt.h> - -char *program_name; -char me[] = "ipsec eroute"; -extern char *optarg; -extern int optind, opterr, optopt; -char *eroute_af_opt, *said_af_opt, *edst_opt, *spi_opt, *proto_opt, *said_opt, *dst_opt, *src_opt; -char *transport_proto_opt, *src_port_opt, *dst_port_opt; -int action_type = 0; - -int pfkey_sock; -fd_set pfkey_socks; -uint32_t pfkey_seq = 0; - -#define EMT_IFADDR 1 /* set enc if addr */ -#define EMT_SETSPI 2 /* Set SPI properties */ -#define EMT_DELSPI 3 /* Delete an SPI */ -#define EMT_GRPSPIS 4 /* Group SPIs (output order) */ 
-#define EMT_SETEROUTE 5 /* set an extended route */ -#define EMT_DELEROUTE 6 /* del an extended route */ -#define EMT_TESTROUTE 7 /* try to find route, print to console */ -#define EMT_SETDEBUG 8 /* set debug level if active */ -#define EMT_UNGRPSPIS 9 /* UnGroup SPIs (output order) */ -#define EMT_CLREROUTE 10 /* clear the extended route table */ -#define EMT_CLRSPIS 11 /* clear the spi table */ -#define EMT_REPLACEROUTE 12 /* set an extended route */ -#define EMT_GETDEBUG 13 /* get debug level if active */ -#define EMT_INEROUTE 14 /* set incoming policy for IPIP on a chain */ - -static void -add_port(int af, ip_address * addr, short port) -{ - switch (af) - { - case AF_INET: - addr->u.v4.sin_port = port; - break; - case AF_INET6: - addr->u.v6.sin6_port = port; - break; - } -} - -static void -usage(char* arg) -{ - fprintf(stdout, "usage: %s --{add,addin,replace} --eraf <inet | inet6> --src <src>/<srcmaskbits>|<srcmask> --dst <dst>/<dstmaskbits>|<dstmask> [ --transport-proto <protocol> ] [ --src-port <source-port> ] [ --dst-port <dest-port> ] <SA>\n", arg); - fprintf(stdout, " where <SA> is '--af <inet | inet6> --edst <edst> --spi <spi> --proto <proto>'\n"); - fprintf(stdout, " OR '--said <said>'\n"); - fprintf(stdout, " OR '--said <%%passthrough | %%passthrough4 | %%passthrough6 | %%drop | %%reject | %%trap | %%hold | %%pass>'.\n"); - fprintf(stdout, " %s --del --eraf <inet | inet6>--src <src>/<srcmaskbits>|<srcmask> --dst <dst>/<dstmaskbits>|<dstmask> [ --transport-proto <protocol> ] [ --src-port <source-port> ] [ --dst-port <dest-port> ]\n", arg); - fprintf(stdout, " %s --clear\n", arg); - fprintf(stdout, " %s --help\n", arg); - fprintf(stdout, " %s --version\n", arg); - fprintf(stdout, " %s\n", arg); - fprintf(stdout, " [ --debug ] is optional to any %s command.\n", arg); - fprintf(stdout, " [ --label <label> ] is optional to any %s command.\n", arg); - exit(1); -} - -static struct option const longopts[] = -{ - {"dst", 1, 0, 'D'}, - {"src", 1, 0, 'S'}, - 
{"eraf", 1, 0, 'f'}, - {"add", 0, 0, 'a'}, - {"addin", 0, 0, 'A'}, - {"replace", 0, 0, 'r'}, - {"clear", 0, 0, 'c'}, - {"del", 0, 0, 'd'}, - {"af", 1, 0, 'i'}, - {"edst", 1, 0, 'e'}, - {"proto", 1, 0, 'p'}, - {"transport-proto", 1, 0, 'P'}, - {"src-port", 1, 0, 'Q'}, - {"dst-port", 1, 0, 'R'}, - {"help", 0, 0, 'h'}, - {"spi", 1, 0, 's'}, - {"said", 1, 0, 'I'}, - {"version", 0, 0, 'v'}, - {"label", 1, 0, 'l'}, - {"optionsfrom", 1, 0, '+'}, - {"debug", 0, 0, 'g'}, - {0, 0, 0, 0} -}; - -int -main(int argc, char **argv) -{ - /* int fd; */ - char *endptr; - /* int ret; */ - int c, previous = -1; - const char* error_s; - int debug = 0; - - int error = 0; - - char ipaddr_txt[ADDRTOT_BUF]; - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - struct sadb_msg *pfkey_msg; - ip_address pfkey_address_s_ska; - /*struct sockaddr_in pfkey_address_d_ska;*/ - ip_address pfkey_address_sflow_ska; - ip_address pfkey_address_dflow_ska; - ip_address pfkey_address_smask_ska; - ip_address pfkey_address_dmask_ska; - - int transport_proto = 0; - int src_port = 0; - int dst_port = 0; - ip_said said; - ip_subnet s_subnet, d_subnet; - int eroute_af = 0; - int said_af = 0; - - int argcount = argc; - - const char permitted_options[] = - "%s: Only one of '--add', '--addin', '--replace', '--clear', or '--del' options permitted.\n"; - - program_name = argv[0]; - eroute_af_opt = said_af_opt = edst_opt = spi_opt = proto_opt = said_opt = dst_opt = src_opt = NULL; - - while((c = getopt_long(argc, argv, ""/*"acdD:e:i:hprs:S:f:vl:+:g"*/, longopts, 0)) != EOF) - { - switch(c) - { - case 'g': - debug = 1; - pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX; - argcount--; - break; - case 'a': - if (action_type) - { - fprintf(stderr, permitted_options, program_name); - exit(1); - } - action_type = EMT_SETEROUTE; - break; - case 'A': - if (action_type) - { - fprintf(stderr, permitted_options, program_name); - exit(1); - } - action_type = EMT_INEROUTE; - break; - case 'r': - if (action_type) - { - fprintf(stderr, 
permitted_options, program_name); - exit(1); - } - action_type = EMT_REPLACEROUTE; - break; - case 'c': - if (action_type) - { - fprintf(stderr, permitted_options, program_name); - exit(1); - } - action_type = EMT_CLREROUTE; - break; - case 'd': - if (action_type) - { - fprintf(stderr, permitted_options, program_name); - exit(1); - } - action_type = EMT_DELEROUTE; - break; - case 'e': - if (said_opt) - { - fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n" - , program_name, optarg, said_opt); - exit (1); - } - if (edst_opt) - { - fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined as:%s\n" - , program_name, optarg, edst_opt); - exit (1); - } - error_s = ttoaddr(optarg, 0, said_af, &said.dst); - if (error_s != NULL) - { - fprintf(stderr, "%s: Error, %s converting --edst argument:%s\n" - , program_name, error_s, optarg); - exit (1); - } - edst_opt = optarg; - break; - case 'h': - case '?': - usage(program_name); - exit(1); - case 's': - if (said_opt) - { - fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n" - , program_name, optarg, said_opt); - exit (1); - } - if (spi_opt) - { - fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined as:%s\n" - , program_name, optarg, spi_opt); - exit (1); - } - said.spi = htonl(strtoul(optarg, &endptr, 0)); - if (!(endptr == optarg + strlen(optarg))) - { - fprintf(stderr, "%s: Invalid character in SPI parameter: %s\n" - , program_name, optarg); - exit (1); - } - if (ntohl(said.spi) < 0x100) - { - fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than 0x100.\n" - , program_name, optarg, ntohl(said.spi)); - exit(1); - } - spi_opt = optarg; - break; - case 'p': - if (said_opt) - { - fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n" - , program_name, optarg, said_opt); - exit (1); - } - if (proto_opt) - { - fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined 
as:%s\n" - , program_name, optarg, proto_opt); - exit (1); - } -#if 0 - if (said.proto) - { - fprintf(stderr, "%s: Warning, PROTO parameter redefined:%s\n" - , program_name, optarg); - exit (1); - } -#endif - if (!strcmp(optarg, "ah")) - said.proto = SA_AH; - if (!strcmp(optarg, "esp")) - said.proto = SA_ESP; - if (!strcmp(optarg, "tun")) - said.proto = SA_IPIP; - if (!strcmp(optarg, "comp")) - said.proto = SA_COMP; - if (said.proto == 0) - { - fprintf(stderr, "%s: Invalid PROTO parameter: %s\n" - , program_name, optarg); - exit (1); - } - proto_opt = optarg; - break; - case 'I': - if (said_opt) - { - fprintf(stderr, "%s: Error, SAID parameter redefined:%s, already defined in SA:%s\n" - , program_name, optarg, said_opt); - exit (1); - } - if (proto_opt) - { - fprintf(stderr, "%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n" - , program_name, optarg, proto_opt); - exit (1); - } - if (edst_opt) - { - fprintf(stderr, "%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n" - , program_name, optarg, edst_opt); - exit (1); - } - if (spi_opt) - { - fprintf(stderr, "%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n" - , program_name, optarg, spi_opt); - exit (1); - } - if (said_af_opt) - { - fprintf(stderr, "%s: Error, address family parameter redefined in SA:%s, already defined as:%s\n" - , program_name, optarg, said_af_opt); - exit (1); - } - error_s = ttosa(optarg, 0, &said); - if (error_s != NULL) - { - fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n" - , program_name, error_s, optarg); - exit (1); - } - else if (ntohl(said.spi) < 0x100) - { - fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than or equal to 0x100.\n" - , program_name, optarg, said.spi); - exit(1); - } - said_af = addrtypeof(&said.dst); - said_opt = optarg; - break; - case 'v': - fprintf(stdout, "%s %s\n", me, ipsec_version_code()); - fprintf(stdout, "See `ipsec --copyright' for copyright information.\n"); - 
exit(1); - case 'D': - if (dst_opt) - { - fprintf(stderr, "%s: Error, --dst parameter redefined:%s, already defined as:%s\n" - , program_name, optarg, dst_opt); - exit (1); - } - error_s = ttosubnet(optarg, 0, eroute_af, &d_subnet); - if (error_s != NULL) - { - fprintf(stderr, "%s: Error, %s converting --dst argument: %s\n" - , program_name, error_s, optarg); - exit (1); - } - dst_opt = optarg; - break; - case 'S': - if (src_opt) - { - fprintf(stderr, "%s: Error, --src parameter redefined:%s, already defined as:%s\n" - , program_name, optarg, src_opt); - exit (1); - } - error_s = ttosubnet(optarg, 0, eroute_af, &s_subnet); - if (error_s != NULL) - { - fprintf(stderr, "%s: Error, %s converting --src argument: %s\n" - , program_name, error_s, optarg); - exit (1); - } - src_opt = optarg; - break; - case 'P': - if (transport_proto_opt) - { - fprintf(stderr, "%s: Error, --transport-proto parameter redefined:%s, already defined as:%s\n" - , program_name, optarg, transport_proto_opt); - exit(1); - } - transport_proto_opt = optarg; - break; - case 'Q': - if (src_port_opt) - { - fprintf(stderr, "%s: Error, --src-port parameter redefined:%s, already defined as:%s\n" - , program_name, optarg, src_port_opt); - exit(1); - } - src_port_opt = optarg; - break; - case 'R': - if (dst_port_opt) - { - fprintf(stderr, "%s: Error, --dst-port parameter redefined:%s, already defined as:%s\n" - , program_name, optarg, dst_port_opt); - exit(1); - } - dst_port_opt = optarg; - break; - case 'l': - program_name = malloc(strlen(argv[0]) - + 10 /* update this when changing the sprintf() */ - + strlen(optarg)); - sprintf(program_name, "%s --label %s", argv[0], optarg); - argcount -= 2; - break; - case 'i': /* specifies the address family of the SAID, stored in said_af */ - if (said_af_opt) - { - fprintf(stderr, "%s: Error, address family of SAID redefined:%s, already defined as:%s\n" - , program_name, optarg, said_af_opt); - exit (1); - } - if (!strcmp(optarg, "inet")) - said_af = AF_INET; - if 
(!strcmp(optarg, "inet6")) - said_af = AF_INET6; - if (said_af == 0) - { - fprintf(stderr, "%s: Invalid address family parameter for SAID: %s\n" - , program_name, optarg); - exit (1); - } - said_af_opt = optarg; - break; - case 'f': /* specifies the address family of the eroute, stored in eroute_af */ - if (eroute_af_opt) - { - fprintf(stderr, "%s: Error, address family of eroute redefined:%s, already defined as:%s\n" - , program_name, optarg, eroute_af_opt); - exit (1); - } - if (!strcmp(optarg, "inet")) - eroute_af = AF_INET; - if (!strcmp(optarg, "inet6")) - eroute_af = AF_INET6; - if (eroute_af == 0) - { - fprintf(stderr, "%s: Invalid address family parameter for eroute: %s\n" - , program_name, optarg); - exit (1); - } - eroute_af_opt = optarg; - break; - case '+': /* optionsfrom */ - optionsfrom(optarg, &argc, &argv, optind, stderr); - /* no return on error */ - break; - default: - break; - } - previous = c; - } - - if (debug) - { - fprintf(stdout, "%s: DEBUG: argc=%d\n", program_name, argc); - } - - if (argcount == 1) - { - system("cat /proc/net/ipsec_eroute"); - exit(0); - } - - /* Sanity checks */ - - if (debug) - { - fprintf(stdout, "%s: DEBUG: action_type=%d\n", program_name, action_type); - } - - if (transport_proto_opt != 0) - { - struct protoent * proto = getprotobyname(transport_proto_opt); - - if (proto != 0) - { - transport_proto = proto->p_proto; - } - else - { - transport_proto = strtoul(transport_proto_opt, &endptr, 0); - - if ((*endptr != '\0') - || (transport_proto == 0 && endptr == transport_proto_opt)) - { - fprintf(stderr, "%s: Invalid character in --transport-proto parameter: %s\n" - , program_name, transport_proto_opt); - exit (1); - } - if (transport_proto > 255) - { - fprintf(stderr, "%s: --transport-proto parameter: %s must be in the range 0 to 255 inclusive\n" - , program_name, transport_proto_opt); - exit (1); - } - } - } - - if (src_port_opt != 0 || dst_port_opt != 0) - { - switch (transport_proto) - { - case IPPROTO_UDP: - case 
IPPROTO_TCP: - break; - default: - fprintf(stderr, "%s: --transport-proto with either UDP or TCP must be specified if --src-port or --dst-port is used\n" - , program_name); - exit(1); - } - } - - if (src_port_opt) - { - struct servent * ent = getservbyname(src_port_opt, 0); - - if (ent != 0) - { - src_port = ent->s_port; - } - else - { - src_port = strtoul(src_port_opt, &endptr, 0); - - if ((*endptr != '\0') - || (src_port == 0 && endptr == src_port_opt)) - { - fprintf(stderr, "%s: Invalid character in --src-port parameter: %s\n" - , program_name, src_port_opt); - exit (1); - } - if (src_port > 65535) - { - fprintf(stderr, "%s: --src-port parameter: %s must be in the range 0 to 65535 inclusive\n" - , program_name, src_port_opt); - } - src_port = htons(src_port); - } - } - - if (dst_port_opt) - { - struct servent * ent = getservbyname(dst_port_opt, 0); - - if (ent != 0) - { - dst_port = ent->s_port; - } - else - { - dst_port = strtoul(dst_port_opt, &endptr, 0); - - if ((*endptr != '\0') - || (dst_port == 0 && endptr == dst_port_opt)) - { - fprintf(stderr, "%s: Invalid character in --dst-port parameter: %s\n" - , program_name, dst_port_opt); - exit (1); - } - if (dst_port > 65535) - { - fprintf(stderr, "%s: --dst-port parameter: %s must be in the range 0 to 65535 inclusive\n" - , program_name, dst_port_opt); - } - dst_port = htons(dst_port); - } - } - - switch(action_type) - { - case EMT_SETEROUTE: - case EMT_REPLACEROUTE: - case EMT_INEROUTE: - if (!(said_af_opt && edst_opt && spi_opt && proto_opt) && !(said_opt)) - { - fprintf(stderr, "%s: add and addin options must have SA specified.\n" - , program_name); - exit(1); - } - case EMT_DELEROUTE: - if (!src_opt) - { - fprintf(stderr, "%s: Error -- %s option '--src' is required.\n" - , program_name, (action_type == EMT_SETEROUTE) ? "add" : "del"); - exit(1); - } - if (!dst_opt) - { - fprintf(stderr, "%s: Error -- %s option '--dst' is required.\n" - , program_name, (action_type == EMT_SETEROUTE) ? 
"add" : "del"); - exit(1); - } - case EMT_CLREROUTE: - break; - default: - fprintf(stderr, "%s: exactly one of '--add', '--addin', '--replace', '--del' or '--clear' options must be specified.\n" - "Try %s --help' for usage information.\n" - , program_name, program_name); - exit(1); - } - - if ((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) - { - fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: " - , program_name); - switch(errno) - { - case ENOENT: - fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n"); - break; - case EACCES: - fprintf(stderr, "access denied. "); - if (getuid() == 0) - { - fprintf(stderr, "Check permissions. Should be 600.\n"); - } - else - { - fprintf(stderr, "You must be root to open this file.\n"); - } - break; - case EUNATCH: - fprintf(stderr, "KLIPS not loaded.\n"); - break; - case ENODEV: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - break; - case EBUSY: - fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. " - "Please report as much detail as possible to development team.\n"); - break; - case EINVAL: - fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n"); - break; - case ENOBUFS: - case ENOMEM: - case ENFILE: - fprintf(stderr, "No kernel memory to allocate socket.\n"); - break; - case EMFILE: - fprintf(stderr, "Process file table overflow.\n"); - break; - case ESOCKTNOSUPPORT: - fprintf(stderr, "Socket type not supported.\n"); - break; - case EPROTONOSUPPORT: - fprintf(stderr, "Protocol version not supported.\n"); - break; - case EAFNOSUPPORT: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - break; - default: - fprintf(stderr, "Unknown file open error %d. 
Please report as much detail as possible to development team.\n" - , errno); - } - exit(1); - } - - if (debug) - { - fprintf(stdout, "%s: DEBUG: PFKEYv2 socket successfully openned=%d.\n" - , program_name, pfkey_sock); - } - - /* Build an SADB_X_ADDFLOW or SADB_X_DELFLOW message to send down. */ - /* It needs <base, SA, address(SD), flow(SD), mask(SD)> minimum. */ - pfkey_extensions_init(extensions); - - error = pfkey_msg_hdr_build(&extensions[0] - , (action_type == EMT_SETEROUTE || action_type == EMT_REPLACEROUTE - || action_type == EMT_INEROUTE)? SADB_X_ADDFLOW : SADB_X_DELFLOW - , proto2satype(said.proto) - , 0 - , ++pfkey_seq - , getpid() - ); - - if (error) - { - fprintf(stderr, "%s: Trouble building message header, error=%d.\n" - , program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - - if (debug) - { - fprintf(stdout, "%s: DEBUG: pfkey_msg_hdr_build successfull.\n" - , program_name); - } - - switch (action_type) - { - case EMT_SETEROUTE: - case EMT_REPLACEROUTE: - case EMT_INEROUTE: - case EMT_CLREROUTE: - error = pfkey_sa_build(&extensions[SADB_EXT_SA] - , SADB_EXT_SA - , said.spi /* in network order */ - , 0 - , 0 - , 0 - , 0 - , (action_type == EMT_CLREROUTE) ? 
SADB_X_SAFLAGS_CLEARFLOW : 0 - ); - - if (error) - { - fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n" - , program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if (debug) - { - fprintf(stdout, "%s: DEBUG: pfkey_sa_build successful.\n" - , program_name); - } - default: - break; - } - - switch (action_type) - { - case EMT_SETEROUTE: - case EMT_REPLACEROUTE: - case EMT_INEROUTE: - anyaddr(said_af, &pfkey_address_s_ska); - error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC] - , SADB_EXT_ADDRESS_SRC - , 0 - , 0 - , sockaddrof(&pfkey_address_s_ska) - ); - if (error) - { - addrtot(&pfkey_address_s_ska, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n" - , program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - if (debug) - { - fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src.\n" - , program_name); - } - - error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST] - , SADB_EXT_ADDRESS_DST - , 0 - , 0 - , sockaddrof(&said.dst) - ); - - if (error) - { - addrtot(&said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n" - , program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - if (debug) - { - fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst.\n" - , program_name); - } - default: - break; - } - - switch (action_type) - { - case EMT_SETEROUTE: - case EMT_REPLACEROUTE: - case EMT_INEROUTE: - case EMT_DELEROUTE: - networkof(&s_subnet, &pfkey_address_sflow_ska); /* src flow */ - add_port(eroute_af, &pfkey_address_sflow_ska, src_port); - - error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_SRC_FLOW] - , SADB_X_EXT_ADDRESS_SRC_FLOW - , 0 - , 0 - , sockaddrof(&pfkey_address_sflow_ska) - ); - - if (error) - { - addrtot(&pfkey_address_sflow_ska, 0, ipaddr_txt, sizeof(ipaddr_txt)); - 
fprintf(stderr, "%s: Trouble building address_sflow extension (%s), error=%d.\n", - program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - if (debug) - { - fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src flow.\n" - , program_name); - } - - networkof(&d_subnet, &pfkey_address_dflow_ska); /* dst flow */ - add_port(eroute_af, &pfkey_address_dflow_ska, dst_port); - - error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_DST_FLOW] - , SADB_X_EXT_ADDRESS_DST_FLOW - , 0 - , 0 - , sockaddrof(&pfkey_address_dflow_ska) - ); - - if (error) - { - addrtot(&pfkey_address_dflow_ska, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stderr, "%s: Trouble building address_dflow extension (%s), error=%d.\n" - , program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - if (debug) - { - fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst flow.\n" - , program_name); - } - - maskof(&s_subnet, &pfkey_address_smask_ska); /* src mask */ - add_port(eroute_af, &pfkey_address_smask_ska, src_port ? ~0:0); - - error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_SRC_MASK] - , SADB_X_EXT_ADDRESS_SRC_MASK - , 0 - , 0 - , sockaddrof(&pfkey_address_smask_ska) - ); - - if (error) - { - addrtot(&pfkey_address_smask_ska, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stderr, "%s: Trouble building address_smask extension (%s), error=%d.\n" - , program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - if (debug) - { - fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src mask.\n" - , program_name); - } - - maskof(&d_subnet, &pfkey_address_dmask_ska); /* dst mask */ - add_port(eroute_af, &pfkey_address_dmask_ska, dst_port ? 
~0:0); - - error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_DST_MASK] - , SADB_X_EXT_ADDRESS_DST_MASK - , 0 - , 0 - , sockaddrof(&pfkey_address_dmask_ska) - ); - - if (error) - { - addrtot(&pfkey_address_dmask_ska, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stderr, "%s: Trouble building address_dmask extension (%s), error=%d.\n" - , program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - if (debug) - { - fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst mask.\n" - , program_name); - } - } - - if (transport_proto != 0) - { - error = pfkey_x_protocol_build(&extensions[SADB_X_EXT_PROTOCOL] - , transport_proto); - - if (error) - { - fprintf(stderr, "%s: Trouble building transport protocol extension, error=%d.\n" - , program_name, error); - exit(1); - } - } - - error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN); - - if (error) - { - fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n" - , program_name, error); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - exit(1); - } - if (debug) - { - fprintf(stdout, "%s: DEBUG: pfkey_msg_build successful.\n" - , program_name); - } - - error = write(pfkey_sock - , pfkey_msg - , pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN - ) - != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN); - - if (error) - { - fprintf(stderr, "%s: pfkey write failed, returning %d with errno=%d.\n" - , program_name, error, errno); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - - switch (errno) - { - case EINVAL: - fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n"); - break; - case ENXIO: - if (action_type == EMT_SETEROUTE || action_type == EMT_REPLACEROUTE) - { - fprintf(stderr, "Invalid mask.\n"); - break; - } - if (action_type == EMT_DELEROUTE) - { - fprintf(stderr, "Mask not found.\n"); - break; - } - case EFAULT: - if (action_type == EMT_SETEROUTE || action_type == EMT_REPLACEROUTE) - { - 
fprintf(stderr, "Invalid address.\n"); - break; - } - if (action_type == EMT_DELEROUTE) - { - fprintf(stderr, "Address not found.\n"); - break; - } - case EACCES: - fprintf(stderr, "access denied. "); - if (getuid() == 0) - { - fprintf(stderr, "Check permissions. Should be 600.\n"); - } - else - { - fprintf(stderr, "You must be root to open this file.\n"); - } - break; - case EUNATCH: - fprintf(stderr, "KLIPS not loaded.\n"); - break; - case EBUSY: - fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. " - "Please report as much detail as possible to development team.\n"); - break; - case ENODEV: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - fprintf(stderr, "No device?!?\n"); - break; - case ENOBUFS: - fprintf(stderr, "No kernel memory to allocate SA.\n"); - break; - case ESOCKTNOSUPPORT: - fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n"); - break; - case EEXIST: - fprintf(stderr, "eroute already in use. Delete old one first.\n"); - break; - case ENOENT: - if (action_type == EMT_INEROUTE) - { - fprintf(stderr, "non-existant IPIP SA.\n"); - break; - } - fprintf(stderr, "eroute doesn't exist. Can't delete.\n"); - break; - case ENOSPC: - fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n"); - break; - case ESPIPE: - fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n"); - break; - default: - fprintf(stderr, "Unknown socket write error %d. 
Please report as much detail as possible to development team.\n" - , errno); - } -/* fprintf(stderr, "%s: socket write returned errno %d\n", - program_name, errno);*/ - exit(1); - } - if (debug) - { - fprintf(stdout, "%s: DEBUG: pfkey write successful.\n" - , program_name); - } - - if (pfkey_msg) - { - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - } - - (void) close(pfkey_sock); /* close the socket */ - - if (debug) - { - fprintf(stdout, "%s: DEBUG: write ok\n", program_name); - } - - exit(0); -} diff --git a/programs/ikeping/.cvsignore b/programs/ikeping/.cvsignore deleted file mode 100644 index 755295a5f..000000000 --- a/programs/ikeping/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -ikeping diff --git a/programs/ikeping/Makefile b/programs/ikeping/Makefile deleted file mode 100644 index 6c7b31d59..000000000 --- a/programs/ikeping/Makefile +++ /dev/null 
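Review bot: Dropping eroute.c removes the `ipsec eroute` subcommand (the file names itself via `char me[] = "ipsec eroute";` and its usage text advertises `--add`, `--addin`, `--replace`, `--del` and `--clear`), yet no edit to the scripts or programs that invoke that subcommand is visible alongside this hunk; confirm in the same commit that nothing remaining in the tree still shells out to `ipsec eroute`, otherwise those callers fail at run time once the binary is gone. For the record, the removed code had two defects that no longer need a fix: the `--src-port`/`--dst-port` range checks printed "must be in the range 0 to 65535 inclusive" but did not `exit(1)`, and in the write-error `switch` the `ENXIO` and `EFAULT` cases fell through into `EACCES` ("access denied") for any `action_type` other than set/replace/del.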
@@ -1,57 +0,0 @@ -# Makefile for the KLIPS interface utilities -# Copyright (C) 1998, 1999 Henry Spencer. -# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=ikeping -LIBS=${FREESWANLIB} - -ifeq ($(USE_IKEPING),false) -NOINSTALL=true -install: - # do nothing - -install_file_list: - # do nothing - -endif - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:27 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.4 2003/06/29 21:34:49 mcr -# added "NOINSTALL" to omit install: target from common -# Makefile so that it can be overridden -# -# Revision 1.3 2003/06/25 03:57:45 mcr -# build, but do not install "ikeping" even when we do not -# want it as part of the system. -# -# Revision 1.2 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# diff --git a/programs/ikeping/ikeping.8 b/programs/ikeping/ikeping.8 deleted file mode 100644 index a9b80b46d..000000000 --- a/programs/ikeping/ikeping.8 +++ /dev/null 
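Review bot: Removing programs/ikeping/Makefile, including its `ifeq ($(USE_IKEPING),false)` / `NOINSTALL=true` handling, is only safe if the parent programs-level Makefile no longer lists `ikeping` among the subdirectories it descends into; that change is not part of this hunk, so verify it lands in the same commit or `make` will enter a directory with no Makefile and abort. Once no Makefile consumes it, the `USE_IKEPING` setting read from `Makefile.inc` is dead configuration and should be removed or its documentation updated.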
@@ -1,71 +0,0 @@ -.TH IPSEC_IKEPING 8 "23 Feb 2002" -.\" RCSID $Id: ikeping.8,v 1.1 2004/03/15 20:35:27 as Exp $ -.SH NAME -ipsec ikeping \- send/receive ISAKMP/IKE echo requests/replies -.SH SYNOPSIS -.B ipsec -.B ikeping -[ -.B \-\-listen -] [ -.B \-\-verbose -] [ -.B \-\-wait -time ] [ -.B \-\-exchangenum -num ] [ -.B \-\-ikeport -localport ] [ -.B \-\-ikeaddress -address ] [ -.B \-\-inet -] [ -.B \-\-inet6 -] destaddr[/dstport] ... -.SH DESCRIPTION -.I Ikeping -sends and receives ISAKMP/IKE echo request and echo reply packets. These -packets are intended for diagnostics purposes, in a manner similar to -.IR ping (8) -does for ICMP echo request/reply packets. -.PP -At the time of this writing, the ISAKMP echo request/reply exchange is still -an internet-draft, and is therefore completely non-standard. -.PP -.I Ikeping -will bind to the local address given by -.B \-\-ikeaddress -and the port number given by -.B \-\-ikeport -defaulting to the wildcard address and the ISAKMP port 500. An ISAKMP -exchange of type 244 (a private use number) is sent to each of the -address/ports listed on the command line. The exchange number may be -overridden by the -.B \-\-exchangenum -option. -.PP -.I Ikeping -then listens for replies, printing them as they are received. Replies -are of exchange type 245 or the specified exchange number plus 1. -.I Ikeping -will keep listening until it either receives as many echo responses as it sent, -or until the timeout period (10 seconds) has been reached. Receipt of a -packet will reset the timer. The -.B \-\-wait -option can be used to specify a different timeout period. -.PP -If the -.B \-\-listen -option is given, then -.I ikeping -will not send any packets. Instead, it will listen for them and reply to -each request received. -.SH FILES -no external files -.SH SEE ALSO -ping(8), ipsec_pluto(8) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org> -by Michael Richardson. -.SH BUGS 
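Review bot: With ipsec_ikeping(8) deleted, any remaining man page that cross-references it (the page itself pointed at ping(8) and ipsec_pluto(8) in SEE ALSO, and the `ipsec` front-end page typically lists every subcommand) is left with a dangling reference; grep the surviving *.8 and *.5 sources for `ikeping` and drop those entries in this commit. The removed page's trailing `.SH BUGS` section was empty, so no known-bug documentation is lost here.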
diff --git a/programs/ikeping/ikeping.c b/programs/ikeping/ikeping.c deleted file mode 100644 index 7efb26ad7..000000000 --- a/programs/ikeping/ikeping.c +++ /dev/null 
@@ -1,483 +0,0 @@ -/* send out an IKE "ping" packet. - * Copyright (C) 2002 Michael Richardson - * Copyright (C) 2002 D. Hugh Redelmeier. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id: ikeping.c,v 1.1 2004/03/15 20:35:27 as Exp $ - */ - -#include <stdio.h> -#include <stdlib.h> -#include <stddef.h> -#include <string.h> -#include <ctype.h> -#include <unistd.h> -#include <errno.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/un.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <getopt.h> -#include <assert.h> -#include <poll.h> - -#include <freeswan.h> - -#include "../pluto/constants.h" -#include "../pluto/packet.h" - -#ifndef ISAKMP_XCHG_ECHOREQUEST -#define ISAKMP_XCHG_ECHOREQUEST 30 /* Echo Request */ -#define ISAKMP_XCHG_ECHOREPLY 31 /* Echo Reply */ -#endif - -#ifndef ISAKMP_XCGH_ECHOREQUEST_PRIV -#define ISAKMP_XCHG_ECHOREQUEST_PRIV 244 /* Private Echo Request */ -#define ISAKMP_XCHG_ECHOREPLY_PRIV 245 /* Private Echo Reply */ -#endif - - -/* what exchange number to use for outgoing requests */ -static int exchange_number; - -static void -help(void) -{ - fprintf(stderr, - "Usage:\n\n" - "ikeping" - " [--listen] causes IKEping to open a socket and reply to requests.\n" - " [--verbose] causes IKEping to hexdump all packets sent/received.\n" - " [--ikeport <port-number>] port to listen on/send from\n" - " [--ikeaddress <address>] address to listen on/send from\n" - " [--inet] just send/listen on IPv4 socket\n" - " 
[--inet6] just send/listen on IPv6 socket\n" - " [--version] just dump version number and exit\n" - " [--exchangenum num] use num instead of 244 for the exchange type.\n" - " [--wait seconds] time to wait for replies, defaults to 10 seconds.\n" - " host/port ...\n\n" - "FreeS/WAN %s\n", - ipsec_version_code()); -} - -static void -hton_ping(struct isakmp_hdr *ih) -{ - u_int32_t *ihp; - - ihp=(u_int32_t *)ih; - - /* put it in network byte order. */ - /* cookies are byte viewed anyway */ - ihp[4]=htonl(ihp[4]); - ih->isa_msgid = htonl(ih->isa_msgid); - ih->isa_length = htonl(ih->isa_length); -} - -static void -ntoh_ping(struct isakmp_hdr *ih) -{ - u_int32_t *ihp; - - ihp=(u_int32_t *)ih; - - /* put it in network byte order. */ - /* cookies are byte viewed anyway */ - ihp[4]=ntohl(ihp[4]); - ih->isa_msgid = ntohl(ih->isa_msgid); - ih->isa_length = ntohl(ih->isa_length); -} - - -/* - * send an IKE ping - * - */ -static void -send_ping(int afamily, - int s, - ip_address *raddr, - int rport) -{ - struct isakmp_hdr ih; - int i, raddrlen; - - raddrlen=0; - - for(i=0; i<COOKIE_SIZE; i++) { - ih.isa_icookie[i]=rand()&0xff; - } - - for(i=0; i<COOKIE_SIZE; i++) { - ih.isa_rcookie[i]=rand()&0xff; - } - - ih.isa_np = NOTHING_WRONG; - ih.isa_version = (1 << ISA_MAJ_SHIFT) | 0; - ih.isa_xchg = (exchange_number ? 
- exchange_number : ISAKMP_XCHG_ECHOREQUEST_PRIV); - ih.isa_flags =0; - ih.isa_msgid =rand(); - ih.isa_length=0; - - switch(afamily) { - case AF_INET: - raddr->u.v4.sin_port = htons(rport); - raddrlen=sizeof(raddr->u.v4); - break; - - case AF_INET6: - raddr->u.v6.sin6_port = htons(rport); - raddrlen=sizeof(raddr->u.v6); - break; - } - - hton_ping(&ih); - - if(sendto(s, &ih, sizeof(ih), 0, (struct sockaddr *)raddr, raddrlen) < 0) { - perror("sendto"); - exit(5); - } -} - -/* - * send an IKE ping - * - */ -static void -reply_packet(int afamily, - int s, - ip_address *dst_addr, - int dst_len, - struct isakmp_hdr *op) -{ - int i, tmp; - - tmp=afamily; /* shut up compiler */ - - for(i=0; i<COOKIE_SIZE; i++) { - tmp=op->isa_icookie[i]; - op->isa_icookie[i]=op->isa_rcookie[i]; - op->isa_rcookie[i]=tmp; - } - - op->isa_np = NOTHING_WRONG; - op->isa_version = (1 << ISA_MAJ_SHIFT) | 0; - op->isa_xchg = ISAKMP_XCHG_ECHOREPLY; - op->isa_flags =0; - op->isa_msgid =rand(); - op->isa_length=0; - - hton_ping(op); - - if(sendto(s, op, sizeof(*op), 0, (struct sockaddr *)dst_addr, dst_len) < 0) { - perror("sendto"); - exit(5); - } -} - -/* - * receive and decode packet. 
- * - */ -static void -receive_ping(int afamily, int s, int reply) -{ - ip_address sender; - struct isakmp_hdr ih; - char buf[64]; - int n, rport, sendlen; - const char *xchg_name; - int xchg; - - rport = 500; - xchg = 0; - sendlen=sizeof(sender); - n = recvfrom(s, &ih, sizeof(ih), 0, (struct sockaddr *)&sender, &sendlen); - - addrtot(&sender, 0, buf, sizeof(buf)); - switch(afamily) { - case AF_INET: - rport = sender.u.v4.sin_port; - break; - - case AF_INET6: - rport = sender.u.v6.sin6_port; - break; - } - - if((unsigned int)n < sizeof(ih)) { - fprintf(stderr, "read short packet (%d) from %s/%d\n", - n, buf, rport); - return; - } - - /* translate from network byte order */ - ntoh_ping(&ih); - - - if(ih.isa_xchg == ISAKMP_XCHG_ECHOREQUEST || - ih.isa_xchg == ISAKMP_XCHG_ECHOREQUEST_PRIV || - (exchange_number!=0 && ih.isa_xchg == exchange_number)) { - xchg_name="echo-request"; - xchg=ISAKMP_XCHG_ECHOREQUEST; - } else if(ih.isa_xchg == ISAKMP_XCHG_ECHOREPLY || - ih.isa_xchg == ISAKMP_XCHG_ECHOREPLY_PRIV || - (exchange_number!=0 && ih.isa_xchg == exchange_number+1)) { - xchg_name="echo-reply"; - } else { - xchg_name=""; - } - - printf("received %d(%s) packet from %s/%d of len: %d\n", - ih.isa_xchg, xchg_name, buf, ntohs(rport), n); - printf("\trcookie=%08x_%08x icookie=%08x_%08x msgid=%08x\n", - *(u_int32_t *)(ih.isa_icookie), - *(u_int32_t *)(ih.isa_icookie+4), - *(u_int32_t *)(ih.isa_rcookie), - *(u_int32_t *)(ih.isa_rcookie+4), - ih.isa_msgid); - printf("\tnp=%03d version=%d.%d xchg=%s(%d)\n", - ih.isa_np, - ih.isa_version >> ISA_MAJ_SHIFT, - ih.isa_version & ISA_MIN_MASK, - xchg_name, - ih.isa_xchg); - - if(reply && xchg==ISAKMP_XCHG_ECHOREQUEST) { - reply_packet(afamily, s, &sender, sendlen, &ih); - } -} - -static const struct option long_opts[] = { - /* name, has_arg, flag, val */ - { "help", no_argument, NULL, 'h' }, - { "version", no_argument, NULL, 'V' }, - { "verbose", no_argument, NULL, 'v' }, - { "listen", no_argument, NULL, 's' }, - { "ikeport", 
required_argument, NULL, 'p' }, - { "ikeaddress", required_argument, NULL, 'b' }, - { "inet", no_argument, NULL, '4' }, - { "inet6", no_argument, NULL, '6' }, - { "exchangenum", required_argument, NULL, 'n' }, - { "wait", required_argument, NULL, 'w' }, - { 0,0,0,0 } -}; - -int -main(int argc, char **argv) -{ - char *foo; - const char *errstr; - int s; - int listen_only; - int lport,dport; - int afamily; - int pfamily; - int c; - int numSenders, numReceived, noDNS; - int waitTime; - int verbose, timedOut; - ip_address laddr, raddr; - - afamily=AF_INET; - pfamily=PF_INET; - lport=500; - dport=500; - waitTime=10; - verbose=0; - listen_only=0; - noDNS=0; - bzero(&laddr, sizeof(laddr)); - - while((c = getopt_long(argc, argv, "hVnvsp:b:46E:w:", long_opts, 0))!=EOF) { - switch (c) { - case 'h': /* --help */ - help(); - return 0; /* GNU coding standards say to stop here */ - - case 'V': /* --version */ - fprintf(stderr, "FreeS/WAN %s\n", ipsec_version_code()); - return 0; /* GNU coding standards say to stop here */ - - case 'v': /* --label <string> */ - verbose++; - continue; - - case 'n': - noDNS=1; - break; - - case 'E': - exchange_number=strtol(optarg, &foo, 0); - if(optarg==foo || exchange_number < 1 || exchange_number>255) { - fprintf(stderr, "Invalid exchange number '%s' (should be 1<=x<255)\n", - optarg); - exit(1); - } - continue; - - - case 's': - listen_only++; - continue; - - case 'p': - lport=strtol(optarg, &foo, 0); - if(optarg==foo || lport <0 || lport>65535) { - fprintf(stderr, "Invalid port number '%s' (should be 0<=x<65536)\n", - optarg); - exit(1); - } - continue; - - case 'w': - waitTime=strtol(optarg, &foo, 0); - if(optarg==foo || waitTime < 0) { - fprintf(stderr, "Invalid waittime number '%s' (should be 0<=x)\n", - optarg); - exit(1); - } - continue; - - case 'b': - errstr = ttoaddr(optarg, strlen(optarg), afamily, &laddr); - if(errstr!=NULL) { - fprintf(stderr, "Invalid local address '%s': %s\n", - optarg, errstr); - exit(1); - } - continue; - - case 
'4': - afamily=AF_INET; - pfamily=PF_INET; - continue; - - case '6': - afamily=AF_INET6; - pfamily=PF_INET6; - continue; - - default: - assert(FALSE); /* unknown return value */ - } - } - - s=socket(pfamily, SOCK_DGRAM, IPPROTO_UDP); - if(s < 0) { - perror("socket"); - exit(3); - } - - switch(afamily) { - case AF_INET: - laddr.u.v4.sin_port = htons(lport); - if(bind(s, (struct sockaddr *)&laddr.u.v4, sizeof(laddr.u.v4)) < 0) { - perror("v4 bind"); - exit(5); - } - break; - - case AF_INET6: - laddr.u.v6.sin6_port = htons(lport); - if(bind(s, (struct sockaddr *)&laddr.u.v6, sizeof(laddr.u.v6)) < 0) { - perror("v6 bind"); - exit(5); - } - break; - } - - numSenders = 0; - - if(!listen_only) { - while(optind < argc) { - char *port; - char *host; - char namebuf[128]; - - host = argv[optind]; - - port = strchr(host, '/'); - dport=500; - if(port) { - *port='\0'; - port++; - dport= strtol(port, &foo, 0); - if(port==foo || dport < 0 || dport > 65535) { - fprintf(stderr, "Invalid port number '%s' " - "(should be 0<=x<65536)\n", - port); - exit(1); - } - } - - errstr = ttoaddr(host, strlen(host), - afamily, &raddr); - if(errstr!=NULL) { - fprintf(stderr, "Invalid remote address '%s': %s\n", - host, errstr); - exit(1); - } - - addrtot(&raddr, 0, namebuf, sizeof(namebuf)); - - printf("Sending packet to %s/%d\n", namebuf, dport); - - send_ping(afamily, s, &raddr, dport); - numSenders++; - optind++; - } - } - - timedOut = 0; - numReceived=0; - - /* really should catch ^C and print stats on exit */ - while(numSenders > 0 || listen_only) { - struct pollfd ready; - int n; - - ready.fd = s; - ready.events = POLLIN; - - n = poll(&ready, 1, waitTime); - if(n < 0) { - perror("poll"); - exit(1); - } - - if(n == 0 && !listen_only) { - break; - } - - if(n == 1) { - numReceived++; - receive_ping(afamily, s, listen_only); - } - } - - if(numReceived > 0) { - printf("%d packets sent, %d packets received. 
%d packet loss\n", - numSenders, numReceived, numSenders*100/numReceived); - } - exit(0); -} - -/* - * Local variables: - * c-file-style: "linux" - * c-basic-offset: 4 - * End: - * - */ diff --git a/programs/klipsdebug/.cvsignore b/programs/klipsdebug/.cvsignore deleted file mode 100644 index 03c1d474c..000000000 --- a/programs/klipsdebug/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -klipsdebug diff --git a/programs/klipsdebug/Makefile b/programs/klipsdebug/Makefile deleted file mode 100644 index 6c98e7592..000000000 --- a/programs/klipsdebug/Makefile +++ /dev/null 
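Review bot: the `--wait` value goes straight into `poll(&ready, 1, waitTime)`, but poll(2) takes milliseconds, so the "defaults to 10 seconds" in `help()` is really 10 ms and the sender usually gives up before a reply can arrive; it should be `waitTime * 1000`. Since this hunk deletes the file outright nothing has to change here, but if ikeping is kept anywhere else the following lines deserve fixing first: a failing `recvfrom()` (n == -1) is not caught, because `(unsigned int)n < sizeof(ih)` is false for -1, so an uninitialized `ih` is decoded and, in `--listen` mode, possibly answered; the long option `{ "exchangenum", required_argument, NULL, 'n' }` lands in `case 'n': noDNS=1`, so the `case 'E'` that actually parses the exchange number is unreachable from `--exchangenum`; `hton_ping()`/`ntoh_ping()` apply `htonl()`/`ntohl()` to `ihp[4]`, which with the usual ISAKMP header layout (two 8-byte cookies, then the single-byte np, version, xchg and flags) reverses those four bytes on little-endian hosts, so only another ikeping with the same bug reads the packet correctly; the `#ifndef ISAKMP_XCGH_ECHOREQUEST_PRIV` guard misspells the macro it protects; the summary `printf` labels the icookie value `rcookie=` and vice versa; and the closing "packet loss" figure is `numSenders*100/numReceived`, which is neither a loss count nor bounded by 100 and is skipped in exactly the case it exists for (no replies). `(numSenders-numReceived)*100/numSenders`, printed unconditionally when `numSenders > 0`, is what was meant.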
@@ -1,80 +0,0 @@ -# Makefile for the KLIPS interface utilities -# Copyright (C) 1998, 1999 Henry Spencer. -# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM:=klipsdebug -EXTRA5PROC=${PROGRAM}.5 - -LIBS:=${FREESWANLIB} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:28 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.4 2002/06/03 20:25:31 mcr -# man page for files actually existant in /proc/net changed back to -# ipsec_foo via new EXTRA5PROC process. -# -# Revision 1.3 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.2 2002/04/26 01:21:26 mcr -# while tracking down a missing (not installed) /etc/ipsec.conf, -# MCR has decided that it is not okay for each program subdir to have -# some subset (determined with -f) of possible files. -# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -# Optional PROGRAM.5 files have been added to the makefiles. -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. 
-# -# -# - - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:28 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.4 2002/06/03 20:25:31 mcr -# man page for files actually existant in /proc/net changed back to -# ipsec_foo via new EXTRA5PROC process. -# -# Revision 1.3 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.2 2002/04/26 01:21:26 mcr -# while tracking down a missing (not installed) /etc/ipsec.conf, -# MCR has decided that it is not okay for each program subdir to have -# some subset (determined with -f) of possible files. -# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -# Optional PROGRAM.5 files have been added to the makefiles. -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# diff --git a/programs/klipsdebug/klipsdebug.5 b/programs/klipsdebug/klipsdebug.5 deleted file mode 100644 index 8e5f985f0..000000000 --- a/programs/klipsdebug/klipsdebug.5 +++ /dev/null 
@@ -1,138 +0,0 @@ -.TH IPSEC_KLIPSDEBUG 5 "26 Jun 2000" -.\" -.\" RCSID $Id: klipsdebug.5,v 1.1 2004/03/15 20:35:28 as Exp $ -.\" -.SH NAME -ipsec_klipsdebug \- list KLIPS (kernel IPSEC support) debug features and level -.SH SYNOPSIS -.B ipsec -.B klipsdebug -.PP -.B cat -.B /proc/net/ipsec_klipsdebug -.SH DESCRIPTION -.I /proc/net/ipsec_klipsdebug -lists flags that control various parts of the debugging output of Klips -(the kernel portion of FreeS/WAN IPSEC). -At this point it is a read-only file. -.PP -A table entry consists of: -.IP + 3 -a KLIPS debug variable -.IP + -a '=' separator for visual and automated parsing between the variable -name and its current value -.IP + -hexadecimal bitmap of variable's flags. -.PP -The variable names roughly describe the scope of the debugging variable. -Currently, no flags are documented or individually accessible yet except -tunnel-xmit. -.ne 5 -.PP -The variable names are: -.TP 8 -.B tunnel -tunnelling code -.TP -.B netlink -userspace communication code (obsolete) -.TP -.B xform -transform selection and manipulation code -.TP -.B eroute -eroute table manipulation code -.TP -.B spi -SA table manipulation code -.TP -.B radij -radij tree manipulation code -.TP -.B esp -encryptions transforms code -.TP -.B ah -authentication transforms code -.TP -.B rcv -receive code -.TP -.B ipcomp -ip compression transforms code -.TP -.B verbose -give even more information, beware this will probably trample the 4k kernel printk buffer giving inaccurate output -.PP -All KLIPS debug output appears as -.B kernel.info -messages to -.IR syslogd (8). -Most systems are set up -to log these messages to -.IR /var/log/messages . -.PP -.SH EXAMPLES -.LP -.B debug_tunnel=00000010. -.br -.B debug_netlink=00000000. -.br -.B debug_xform=00000000. -.br -.B debug_eroute=00000000. -.br -.B debug_spi=00000000. -.br -.B debug_radij=00000000. -.br -.B debug_esp=00000000. -.br -.B debug_ah=00000000. -.br -.B debug_rcv=00000000. -.br -.B debug_pfkey=ffffffff. 
-.LP -means that one -.B tunnel -flag has been set (tunnel-xmit), -full -.B pfkey -sockets debugging has been set and everything else is not set. -.LP -.SH FILES -/proc/net/ipsec_klipsdebug, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8), -ipsec_spi(8), ipsec_spigrp(8), ipsec_klipsdebug(5), ipsec_version(5), -ipsec_pf_key(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. -.\" -.\" $Log: klipsdebug.5,v $ -.\" Revision 1.1 2004/03/15 20:35:28 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.5 2002/04/24 07:35:38 mcr -.\" Moved from ./klips/utils/klipsdebug.5,v -.\" -.\" Revision 1.4 2000/10/10 20:10:19 rgb -.\" Added support for debug_ipcomp and debug_verbose to klipsdebug. -.\" -.\" Revision 1.3 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.2 2000/06/28 12:44:12 henry -.\" format touchup -.\" -.\" Revision 1.1 2000/06/28 05:43:00 rgb -.\" Added manpages for all 5 klips utils. -.\" -.\" -.\" diff --git a/programs/klipsdebug/klipsdebug.8 b/programs/klipsdebug/klipsdebug.8 deleted file mode 100644 index 60d018eec..000000000 --- a/programs/klipsdebug/klipsdebug.8 +++ /dev/null 
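Review bot: this page is internally inconsistent with its own EXAMPLES block: the variable list omits `pfkey` even though the example shows `debug_pfkey=ffffffff` and the text below it explains that value, it still lists `netlink` while calling it obsolete, and the example has no `debug_ipcomp` or `debug_verbose` lines although both variables are listed above. The statement that "no flags are documented or individually accessible yet except tunnel-xmit" is also contradicted by the `--set`/`--clear` per-flag interface in klipsdebug(8). Nothing to change in a deletion, but whichever page documents the replacement status interface should carry one authoritative flag list.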
@@ -1,164 +0,0 @@ -.TH IPSEC_KLIPSDEBUG 8 "21 Jun 2000" -.\" -.\" RCSID $Id: klipsdebug.8,v 1.1 2004/03/15 20:35:28 as Exp $ -.\" -.SH NAME -ipsec klipsdebug \- set KLIPS (kernel IPSEC support) debug features and level -.SH SYNOPSIS -.B ipsec -.B klipsdebug -.PP -.B ipsec -.B klipsdebug -.B \-\-set -flagname -.PP -.B ipsec -.B klipsdebug -.B \-\-clear -flagname -.PP -.B ipsec -.B klipsdebug -.B \-\-all -.PP -.B ipsec -.B klipsdebug -.B \-\-none -.PP -.B ipsec -.B klipsdebug -.B \-\-help -.PP -.B ipsec -.B klipsdebug -.B \-\-version -.SH DESCRIPTION -.I Klipsdebug -sets and clears flags that control -various parts of the debugging output of Klips -(the kernel portion of FreeS/WAN IPSEC). -The form with no additional arguments lists the present contents of -/proc/net/ipsec_klipsdebug. -The -.B \-\-set -form turns the specified flag on, -while the -.B \-\-clear -form turns the specified flag off. -The -.B \-\-all -form -turns all flags on except verbose, while the -.B \-\-none -form turns all flags off. -.PP -The current flag names are: -.TP 8 -.B tunnel -tunnelling code -.TP -.B tunnel-xmit -tunnelling transmit only code -.TP -.B pfkey -userspace communication code -.TP -.B xform -transform selection and manipulation code -.TP -.B eroute -eroute table manipulation code -.TP -.B spi -SA table manipulation code -.TP -.B radij -radij tree manipulation code -.TP -.B esp -encryptions transforms code -.TP -.B ah -authentication transforms code -.B rcv -receive code -.TP -.B ipcomp -ip compression transforms code -.TP -.B verbose -give even more information, BEWARE: -a)this will print authentication and encryption keys in the logs -b)this will probably trample the 4k kernel printk buffer giving inaccurate output -.PP -All Klips debug output appears as -.B kernel.info -messages to -.IR syslogd (8). -Most systems are set up -to log these messages to -.IR /var/log/messages . -Beware that -.B klipsdebug -.B \-\-all -produces a lot of output and the log file will grow quickly. 
-.PP -The file format for /proc/net/ipsec_klipsdebug is discussed in -ipsec_klipsdebug(5). -.SH EXAMPLES -.TP -.B klipsdebug \-\-all -turns on all KLIPS debugging except verbose. -.TP -.B klipsdebug \-\-clear tunnel -turns off only the -.B tunnel -debugging messages. -.LP -.SH FILES -/proc/net/ipsec_klipsdebug, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8), -ipsec_spi(8), ipsec_spigrp(8), ipsec_klipsdebug(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. -.SH BUGS -It really ought to be possible to set or unset selective combinations -of flags. -.\" -.\" $Log: klipsdebug.8,v $ -.\" Revision 1.1 2004/03/15 20:35:28 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.18 2002/04/24 07:35:39 mcr -.\" Moved from ./klips/utils/klipsdebug.8,v -.\" -.\" Revision 1.17 2000/10/10 20:10:19 rgb -.\" Added support for debug_ipcomp and debug_verbose to klipsdebug. -.\" -.\" Revision 1.16 2000/08/18 17:33:11 rgb -.\" Updated obsolete netlink reference and added pfkey and tunnel-xmit. -.\" -.\" Revision 1.15 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.14 2000/06/28 05:53:09 rgb -.\" Mention that netlink is obsolete. -.\" -.\" Revision 1.13 2000/06/21 16:54:58 rgb -.\" Added 'no additional args' text for listing contents of -.\" /proc/net/ipsec_* files. -.\" -.\" Revision 1.12 1999/07/19 18:47:24 henry -.\" fix slightly-misformed comments -.\" -.\" Revision 1.11 1999/04/06 04:54:37 rgb -.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes -.\" patch shell fixes. -.\" -.\" diff --git a/programs/klipsdebug/klipsdebug.c b/programs/klipsdebug/klipsdebug.c deleted file mode 100644 index c205038a1..000000000 
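Review bot: the flag list in this page is mis-structured and out of step with klipsdebug.c: the `.B ah` entry has no `.TP` before `.B rcv`, so "rcv" renders as part of the ah description instead of as its own flag, and the page (like `usage()` in klipsdebug.c) calls the compression flag `ipcomp` while the code only accepts `comp`, so `klipsdebug --set ipcomp` prints the usage text. The one line here worth carrying over wherever this functionality survives is the `verbose` warning that it "will print authentication and encryption keys in the logs": a debug switch that copies SA keys into syslog should stay prominently documented, and preferably be gated harder than a single `--set`, rather than quietly vanish with the man page.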
--- a/programs/klipsdebug/klipsdebug.c +++ /dev/null 
@@ -1,436 +0,0 @@ -/* - * control KLIPS debugging options - * Copyright (C) 1996 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs <rgb@freeswan.org> - * 2001 Michael Richardson <mcr@freeswan.org> - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -char klipsdebug_c_version[] = "RCSID $Id: klipsdebug.c,v 1.2 2004/06/07 15:16:34 as Exp $"; - - -#include <sys/types.h> -#include <linux/types.h> /* new */ -#include <string.h> -#include <errno.h> -#include <stdlib.h> /* system(), strtoul() */ -#include <sys/stat.h> /* open() */ -#include <fcntl.h> /* open() */ - -#include <sys/socket.h> - -#include <netinet/in.h> -#include <arpa/inet.h> - - - -#include <unistd.h> -#include <freeswan.h> -#if 0 -#include <linux/autoconf.h> /* CONFIG_IPSEC_PFKEYv2 */ -#endif - -/* permanently turn it on since netlink support has been disabled */ -#include <signal.h> -#include <pfkeyv2.h> -#include <pfkey.h> - -#include "freeswan/radij.h" -#include "freeswan/ipsec_encap.h" -#ifndef CONFIG_IPSEC_DEBUG -#define CONFIG_IPSEC_DEBUG -#endif /* CONFIG_IPSEC_DEBUG */ -#include "freeswan/ipsec_tunnel.h" - -#include <stdio.h> -#include <getopt.h> - -__u32 bigbuf[1024]; -char *program_name; - -int pfkey_sock; -fd_set pfkey_socks; -uint32_t pfkey_seq = 0; - -char copyright[] = -"Copyright (C) 1999 Henry Spencer, Richard Guy Briggs, D. Hugh Redelmeier,\n\ - Sandy Harris, Angelos D. 
Keromytis, John Ioannidis.\n\ -\n\ - This program is free software; you can redistribute it and/or modify it\n\ - under the terms of the GNU General Public License as published by the\n\ - Free Software Foundation; either version 2 of the License, or (at your\n\ - option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.\n\ -\n\ - This program is distributed in the hope that it will be useful, but\n\ - WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY\n\ - or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License\n\ - (file COPYING in the distribution) for more details.\n"; - -static void -usage(char * arg) -{ - fprintf(stdout, "usage: %s {--set|--clear} {tunnel|tunnel-xmit|netlink|xform|eroute|spi|radij|esp|ah|rcv|pfkey|ipcomp|verbose}\n", arg); - fprintf(stdout, " %s {--all|--none}\n", arg); - fprintf(stdout, " %s --help\n", arg); - fprintf(stdout, " %s --version\n", arg); - fprintf(stdout, " %s\n", arg); - fprintf(stdout, " [ --debug ] is optional to any %s command\n", arg); - fprintf(stdout, " [ --label <label> ] is optional to any %s command.\n", arg); - exit(1); -} - -static struct option const longopts[] = -{ - {"set", 1, 0, 's'}, - {"clear", 1, 0, 'c'}, - {"all", 0, 0, 'a'}, - {"none", 0, 0, 'n'}, - {"help", 0, 0, 'h'}, - {"version", 0, 0, 'v'}, - {"label", 1, 0, 'l'}, - {"optionsfrom", 1, 0, '+'}, - {"debug", 0, 0, 'd'}, - {0, 0, 0, 0} -}; - -int -main(int argc, char **argv) -{ -/* int fd; */ - unsigned char action = 0; - int c, previous = -1; - - int debug = 0; - int error = 0; - int argcount = argc; - int em_db_tn, em_db_nl, em_db_xf, em_db_er, em_db_sp; - int em_db_rj, em_db_es, em_db_ah, em_db_rx, em_db_ky; - int em_db_gz, em_db_vb; - - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - struct sadb_msg *pfkey_msg; - - em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0; - em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0; - em_db_gz=em_db_vb=0; - - - program_name = argv[0]; - - while((c = getopt_long(argc, argv, 
""/*"s:c:anhvl:+:d"*/, longopts, 0)) != EOF) { - switch(c) { - case 'd': - debug = 1; - pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX; - argcount--; - break; - case 's': - if(action) { - fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n", - program_name); - exit(1); - } - action = 's'; - em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0; - em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0; - em_db_gz=em_db_vb=0; - if(strcmp(optarg, "tunnel") == 0) { - em_db_tn = -1L; - } else if(strcmp(optarg, "tunnel-xmit") == 0) { - em_db_tn = DB_TN_XMIT; - } else if(strcmp(optarg, "netlink") == 0) { - em_db_nl = -1L; - } else if(strcmp(optarg, "xform") == 0) { - em_db_xf = -1L; - } else if(strcmp(optarg, "eroute") == 0) { - em_db_er = -1L; - } else if(strcmp(optarg, "spi") == 0) { - em_db_sp = -1L; - } else if(strcmp(optarg, "radij") == 0) { - em_db_rj = -1L; - } else if(strcmp(optarg, "esp") == 0) { - em_db_es = -1L; - } else if(strcmp(optarg, "ah") == 0) { - em_db_ah = -1L; - } else if(strcmp(optarg, "rcv") == 0) { - em_db_rx = -1L; - } else if(strcmp(optarg, "pfkey") == 0) { - em_db_ky = -1L; - } else if(strcmp(optarg, "comp") == 0) { - em_db_gz = -1L; - } else if(strcmp(optarg, "verbose") == 0) { - em_db_vb = -1L; - } else { - usage(program_name); - } - em_db_nl |= 1 << (sizeof(em_db_nl) * 8 -1); - break; - case 'c': - if(action) { - fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n", - program_name); - exit(1); - } - em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=-1; - em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=-1; - em_db_gz=em_db_vb=-1; - - action = 'c'; - if(strcmp(optarg, "tunnel") == 0) { - em_db_tn = 0; - } else if(strcmp(optarg, "tunnel-xmit") == 0) { - em_db_tn = ~DB_TN_XMIT; - } else if(strcmp(optarg, "netlink") == 0) { - em_db_nl = 0; - } else if(strcmp(optarg, "xform") == 0) { - em_db_xf = 0; - } else if(strcmp(optarg, "eroute") == 0) { - em_db_er = 0; - } else if(strcmp(optarg, "spi") 
== 0) { - em_db_sp = 0; - } else if(strcmp(optarg, "radij") == 0) { - em_db_rj = 0; - } else if(strcmp(optarg, "esp") == 0) { - em_db_es = 0; - } else if(strcmp(optarg, "ah") == 0) { - em_db_ah = 0; - } else if(strcmp(optarg, "rcv") == 0) { - em_db_rx = 0; - } else if(strcmp(optarg, "pfkey") == 0) { - em_db_ky = 0; - } else if(strcmp(optarg, "comp") == 0) { - em_db_gz = 0; - } else if(strcmp(optarg, "verbose") == 0) { - em_db_vb = 0; - } else { - usage(program_name); - } - em_db_nl &= ~(1 << (sizeof(em_db_nl) * 8 -1)); - break; - case 'a': - if(action) { - fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n", - program_name); - exit(1); - } - action = 'a'; - em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=-1; - em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=-1; - em_db_gz=-1; - em_db_vb= 0; - break; - case 'n': - if(action) { - fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n", - program_name); - exit(1); - } - action = 'n'; - em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0; - em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0; - em_db_gz=em_db_vb=0; - break; - case 'h': - case '?': - usage(program_name); - exit(1); - case 'v': - fprintf(stdout, "klipsdebug (Linux FreeS/WAN %s) %s\n", - ipsec_version_code(), klipsdebug_c_version); - fputs(copyright, stdout); - exit(0); - case 'l': - program_name = malloc(strlen(argv[0]) - + 10 /* update this when changing the sprintf() */ - + strlen(optarg)); - sprintf(program_name, "%s --label %s", - argv[0], - optarg); - argcount -= 2; - break; - case '+': /* optionsfrom */ - optionsfrom(optarg, &argc, &argv, optind, stderr); - /* no return on error */ - break; - default: - break; - } - previous = c; - } - - if(argcount == 1) { - system("cat /proc/net/ipsec_klipsdebug"); - exit(0); - } - - if(!action) { - usage(program_name); - } - - if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) { - fprintf(stderr, "%s: Trouble opening PF_KEY family socket 
with error: ", - program_name); - switch(errno) { - case ENOENT: - fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n"); - break; - case EACCES: - fprintf(stderr, "access denied. "); - if(getuid() == 0) { - fprintf(stderr, "Check permissions. Should be 600.\n"); - } else { - fprintf(stderr, "You must be root to open this file.\n"); - } - break; - case EUNATCH: - fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n"); - break; - case ENODEV: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - break; - case EBUSY: - fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n"); - break; - case EINVAL: - fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n"); - break; - case ENOBUFS: - fprintf(stderr, "No kernel memory to allocate SA.\n"); - break; - case ESOCKTNOSUPPORT: - fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n"); - break; - case EEXIST: - fprintf(stderr, "SA already in use. Delete old one first.\n"); - break; - case ENXIO: - fprintf(stderr, "SA does not exist. Cannot delete.\n"); - break; - case EAFNOSUPPORT: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - break; - default: - fprintf(stderr, "Unknown file open error %d. 
Please report as much detail as possible to development team.\n", errno); - } - exit(1); - } - - pfkey_extensions_init(extensions); - - if((error = pfkey_msg_hdr_build(&extensions[0], - SADB_X_DEBUG, - 0, - 0, - ++pfkey_seq, - getpid()))) { - fprintf(stderr, "%s: Trouble building message header, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - - if((error = pfkey_x_debug_build(&extensions[SADB_X_EXT_DEBUG], - em_db_tn, - em_db_nl, - em_db_xf, - em_db_er, - em_db_sp, - em_db_rj, - em_db_es, - em_db_ah, - em_db_rx, - em_db_ky, - em_db_gz, - em_db_vb))) { - fprintf(stderr, "%s: Trouble building message header, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - - if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) { - fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - exit(1); - } - - if((error = write(pfkey_sock, - pfkey_msg, - pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) != - (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) { - fprintf(stderr, - "%s: pfkey write failed, tried to write %u octets, returning %d with errno=%d.\n", - program_name, - (unsigned)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN), - error, - errno); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - switch(errno) { - case EACCES: - fprintf(stderr, "access denied. "); - if(getuid() == 0) { - fprintf(stderr, "Check permissions. Should be 600.\n"); - } else { - fprintf(stderr, "You must be root to open this file.\n"); - } - break; - case EUNATCH: - fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n"); - break; - case EBUSY: - fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. 
Please report as much detail as possible to development team.\n"); - break; - case EINVAL: - fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n"); - break; - case ENODEV: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - fprintf(stderr, "No device?!?\n"); - break; - case ENOBUFS: - fprintf(stderr, "No kernel memory to allocate SA.\n"); - break; - case ESOCKTNOSUPPORT: - fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n"); - break; - case EEXIST: - fprintf(stderr, "SA already in use. Delete old one first.\n"); - break; - case ENOENT: - fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n"); - break; - case ENXIO: - fprintf(stderr, "SA does not exist. Cannot delete.\n"); - break; - case ENOSPC: - fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n"); - break; - case ESPIPE: - fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n"); - break; - default: - fprintf(stderr, "Unknown socket write error %d. Please report as much detail as possible to development team.\n", errno); - } - exit(1); - } - - if(pfkey_msg) { - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - } - - (void) close(pfkey_sock); /* close the socket */ - exit(0); -} diff --git a/programs/look/.cvsignore b/programs/look/.cvsignore deleted file mode 100644 index 6f094f8d7..000000000 --- a/programs/look/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -look diff --git a/programs/look/Makefile b/programs/look/Makefile deleted file mode 100644 index e66ca60c1..000000000 --- a/programs/look/Makefile +++ /dev/null 
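Review bot: `system("cat /proc/net/ipsec_klipsdebug")` in the no-argument path runs `cat` through the shell with whatever PATH the caller has, and the EACCES text shows the caller is expected to be root; if this tool is retained anywhere, read the proc file directly or exec an absolute path instead. Two more points in the same hunk: the accepted flag name is `comp` (`strcmp(optarg, "comp")`) while `usage()` advertises `ipcomp`, so the documented spelling is rejected; and after the `write()` to the PF_KEY socket the program closes the socket and exits 0 without reading a reply, so any error the kernel reports only in its response message is never seen. The error text after `pfkey_x_debug_build()` also says "Trouble building message header", copied from the `pfkey_msg_hdr_build()` call above it.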
@@ -1,38 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=look - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:28 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.2 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/look/look.8 b/programs/look/look.8 deleted file mode 100644 index fc2d53eca..000000000 --- a/programs/look/look.8 +++ /dev/null 
@@ -1,45 +0,0 @@ -.TH look 8 "25 Apr 2002" -.\" -.\" RCSID $Id: look.8,v 1.1 2004/03/15 20:35:28 as Exp $ -.\" -.SH NAME -ipsec look \- get a quick summary of FreeS/WAN status -.SH SYNOPSIS -.I look -is used to get a quick overview of what the status of FreeSWAN is. -It is equivalent to: -\ \ \ ipsec eroute - -\ \ \ ipsec spigrp - -\ \ \ ipsec tncfg - -\ \ \ ipsec spi - -\ \ \ netstat -rn - -.LP -However a bit of processing is done to combine the outputs. -.SH "SEE ALSO" -ipsec(8), ipsec_tncfg(8), ipsec_spi(8), ipsec_spigrp(8), ipsec_eroute(5), -netstat(8). -.SH HISTORY -Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/> -by Michael Richardson. Original program written by Henry Spencer. -.\" -.\" $Log: look.8,v $ -.\" Revision 1.1 2004/03/15 20:35:28 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" Revision 1.1 2002/04/26 01:21:43 mcr -.\" while tracking down a missing (not installed) /etc/ipsec.conf, -.\" MCR has decided that it is not okay for each program subdir to have -.\" some subset (determined with -f) of possible files. -.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -.\" Optional PROGRAM.5 files have been added to the makefiles. -.\" -.\" -.\" diff --git a/programs/look/look.in b/programs/look/look.in deleted file mode 100755 index a5331c03b..000000000 --- a/programs/look/look.in +++ /dev/null 
@@ -1,87 +0,0 @@ -#! /bin/sh -# quick look at current connections and related information -# Copyright (C) 1998, 1999 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: look.in,v 1.1 2004/03/15 20:35:28 as Exp $ - -info=/var/run/ipsec.info -me="ipsec look" - -case "$1" in ---help) echo "Usage: ipsec look" ; exit 0 ;; ---version) echo "$me $IPSEC_VERSION" ; exit 0 ;; -esac - -# clear out variables that have strange effects on sort etc. -unset LANG LANGUAGE LC_ALL LC_MESSAGES - -# Pick up IPsec configuration etc. -eval `ipsec _confread --varprefix IPSEC --optional --type config setup` -if test " $IPSEC_confreadstatus" != " " -then - echo "$IPSEC_confreadstatus -- aborting" | - logger -s -p daemon.error -t ipsec_look - exit 1 -fi -if test -s $info -then - . $info -fi - -# label it just to be sure -echo "`hostname` `date`" - -# combine spigrp and eroute -cat /proc/net/ipsec_spigrp /proc/net/ipsec_eroute | - awk ' - function pad(subnet) { - sub("/", ".", subnet) - split(subnet, d, ".") - return sprintf("%03s%03s%03s%03s%03s", d[1], d[2], - d[3], d[4], d[5]) - } - $2 == "->" { - printf "%s:%-18s -> %-18s => %s\n", - (pad($1) pad($3)), - $1, $3, (($5 in tun) ? tun[$5] : $5) - next - } - $3 == "->" { - printf "%s:%-18s -> %-18s => %s (%s)\n", - (pad($2) pad($4)), - $2, $4, (($6 in tun) ? 
tun[$6] : $6), $1 - next - } - { tun[$1] = $0 } - ' | sort | sed 's/^[^:]*://' - -# tncfg (mostly as a divider line) -egrep -v 'NULL[ \t]+mtu=0\(0\)[ \t]+->[ \t]+0' /proc/net/ipsec_tncfg | - paste -d % | sed 's/%/ /g' | sed 's/ -> /->/g' - -# SAs -sort /proc/net/ipsec_spi - -# relevant routing information, including header line (which is good -# enough as a separator, no need for another bar) -pat="^Dest" -if test " $defaultroutephys" != " " -then - pat="$pat|$defaultroutephys\$|$defaultroutevirt\$" -else - for i in `echo "$IPSECinterfaces" | tr '=' ' '` - do - pat="$pat|$i\$" - done -fi -netstat -nr | egrep "$pat" | sed '/^Dest/s/^/ /' | sort | sed '/^ Dest/s/ //' diff --git a/programs/mailkey/.cvsignore b/programs/mailkey/.cvsignore deleted file mode 100644 index 5af485234..000000000 --- a/programs/mailkey/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -mailkey diff --git a/programs/mailkey/Makefile b/programs/mailkey/Makefile deleted file mode 100644 index 4b0385823..000000000 --- a/programs/mailkey/Makefile +++ /dev/null 
@@ -1,41 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=mailkey - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:28 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.1 2003/02/22 03:26:55 sam -# remaining pieces of mailkey -# -# Revision 1.2 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/mailkey/mailkey.8 b/programs/mailkey/mailkey.8 deleted file mode 100644 index be6b4ff93..000000000 --- a/programs/mailkey/mailkey.8 +++ /dev/null 
@@ -1,47 +0,0 @@ -.TH IPSEC_MAILKEY 8 "21 Feb 2002" -.\" RCSID $Id: mailkey.8,v 1.1 2004/03/15 20:35:28 as Exp $ -.SH NAME -ipsec mailkey \- mail DNS records for Opportunistic Encryption -.SH SYNOPSIS -.B ipsec -.B mailkey -\-\-me -my@address.tld -[ -.B \-\-reverse -1.2.3.4 -] [ -.B \-\-forward -hostname.domain.tld -] -.SH DESCRIPTION -.I mailkey -is a meta-program. It generates a script which will attempt to mail the TXT -records required to enable Opportunistic Encryption (OE). -.PP -An e-mail address for the domain's DNS administrator is derived from SOA records. -The mail body and destination address are freely editable in the script. -.PP -If no administrator can be located, the output file will not be executable. -.PP -.TP -\fB\-\-me\fP\ \fImy@address.tld\fP -set the Reply-To: address of the mail to be sent. -.TP -\fB\-\-forward\fP\ \fIhostname.domain.tld\fP -the domain name to be used for initator-only OE. -.TP -\fB\-\-reverse\fP\ \fI1.2.3.4\fP -the IP address to be used for full Opportunistic Encryption. -.PP -Only one of --forward or --reverse may be specified. -.SH FILES -.nf -/etc/ipsec.secrets -.fi -.SH SEE ALSO -ipsec_showhostkey(8), host(8) -.SH HISTORY -Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Sam Sgro. -.SH BUGS -May produce indeterminate results when processing non-routable IPs. diff --git a/programs/mailkey/mailkey.in b/programs/mailkey/mailkey.in deleted file mode 100755 index fecdcf62c..000000000 --- a/programs/mailkey/mailkey.in +++ /dev/null 
@@ -1,241 +0,0 @@ -#! /bin/sh -# mail OE DNS RR info to relevent administrator -# -# Copyright (C) 2003 Sam Sgro <sam@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: mailkey.in,v 1.1 2004/03/15 20:35:28 as Exp $ - -me="ipsec mailkey" - -PATH=/sbin:/usr/bin:/usr/local/sbin:@IPSEC_SBINDIR@:$PATH export PATH - -reverse=0 -forward=0 -mymail="" -usage="Usage: - $me --me my@address.tld --forward hostname.domain.tld - $me --me my@address.tld --reverse 1.2.3.4" - -for dummy -do - case "$1" in - --help) echo "$usage" ; exit 0 ;; - --forward) forward=1 ; reverse=0 ; hostname="$2" ; shift ;; - --reverse) reverse=1 ; forward=0 ; reverseip="$2" ; shift ;; - --me) mymail="$2" ; shift ;; - --) shift ; break ;; - -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - -# only do one of iOE || (pOE/rOE/fOE/insert acronym here) at a time -# but you have to choose one. Plus, if ya ain't specified your mail address... -if [ "$forward" -eq "$reverse" ] || [ ! "$mymail" ] -then -{ -echo "$usage"; exit 0; -} -fi - -# Test to see if there is a key to process in the first place. -test1st=`ipsec showhostkey --txt 1.2.3.4 2>&1` -test2nd=`echo $test1st | grep TXT` -if [ ! "$test2nd" ] -then -{ -echo "Our attempt to retrieve your RSA key using 'ipsec showhostkey' failed -with the following error: - -"$test1st" - -Common concerns: This account must be able to read /etc/ipsec.secrets. 
-If you haven't generated your key yet, please run 'ipsec newhostkey'." -exit 0 -} -fi - - -# This is where we will save the script. -save_mail_file=~/"OE_mail_""$reverseip$hostname" - -# RSA/SOA processing functions. -# takes two arguments - the IP address/hostname to be used, and an attempt to guess the -# beginning of the DNS record for the administrator -txtprocess(){ -ipsec showhostkey --txt $1 | sed "s/^.* IN TXT/$2. IN TXT/" | grep TXT -} - -# Find the hostmaster part of the SOA. -# This only works with the "net" portion of in-addr.arpa. commands - 20.168.192.in-addr.arpa. - -# or the domain portion of FQDNs. The data is prepped using host_data in the individual sections -# for $forward and $reverse. -# Note: I've experienced it returning SOAs for non-routeable IP addresses! This needs to be -# addressed. -hostprocess(){ -host -t soa $1 | grep SOA | while read a b c d e -do -echo $d | sed -e "s/\(^[a-zA-Z0-9-]*\)\.\([a-zA-Z0-9-\.]*\).$/\1@\2/" -done -} - -# generate the pieces that go into the template, which are dependent on the type of OE. -if [ "$reverse" -eq 1 ]; then -{ -# convert the reverse ip to something appropriate for a DNS record. -arpaip=`echo $reverseip | sed -e "s/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\4.\3.\2.\1.in-addr.arpa/"` -# prepare data for hostprocess() -host_data=`echo $arpaip | sed -e "s/^[0-9]*\.\(.*\)/\1/"` - -firstsub=" I'm contacting you in your role as the administrator of the domain -\"$arpaip\" as listed in its SOA record. - - My network security software, which employs IPSec, requires the -below keying information to be published as a RR in the DNS domain -which you are responsible for. 
- -" - -txt=`txtprocess $reverseip $arpaip` -secondsub=" To this end, I need you to publish the following TXT record: - ---DNS_RESOURCE_RECORDS-- - -"$txt" - ---DNS_RESOURCE_RECORDS--" - -thirdsub="to enable full Opportunistic Encryption using the IP address: - -"$reverseip - -fourthsub="and TXT records are" - -proposed_email=`hostprocess $host_data` -} -elif [ "$forward" -eq 1 ]; then -{ -# prepare data for hostprocess() -# leave only the domain name -domain_data=`echo $hostname | sed -e "s/.*\.\([a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$\)/\1/"` -# leave only the host name -host_data=`echo $hostname | sed -e "s/\(.*\)\.[a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$/\1/"` - -firstsub=" I'm contacting you in your role as the administrator of the domain -\"$hostname\" as listed in its SOA record. - - My network security software, which employs IPSec, requires the -below keying information to be published as a RR in the DNS domain -which you are responsible for. - -" - -txt=`txtprocess @$hostname $host_data` -secondsub=" To this end, please publish the following TXT record for the hostname -$hostname: - - ---DNS_RESOURCE_RECORDS-- - -$txt - ---DNS_RESOURCE_RECORDS--" -thirdsub="to allow me to use the hostname: - -"$hostname" - -for initiator-only Opportunistic Encryption." -fourthsub="record is" - -proposed_email=`hostprocess $domain_data` -} -fi - -# Create the template used for the body of the e-mail. - -mailbody=$firstsub$secondsub" - - - Please be careful to preserve the spaces and/or quotation marks as written. -These are important for the RSA key to survive DNS processing. - - Thanks for your help in securing the 'net! - - $mymail - (Generated by '$me' for $mymail) - - - -Opportunistic Encryption (OE) is the result of ongoing effort by the FreeS/WAN -project (www.freeswan.org). It allows for the creation of dynamic IPSec -connections between hosts without pre-arrangement, authenticated via RSA keys -stored in DNS records. 
- -Technical information on OE can be found in this RFC draft: - -http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/draft-richardson-ipsec-opportunistic.txt - -If you have any questions about these TXT records, or about OE in general, -please direct them to the FreeS/WAN support lists: - -users@lists.freeswan.org -" - -# If we managed to find a hostmaster, make the appropriate modifications to the mail's body and -# our instructions to the user. -if [ "$proposed_email" ]; then -{ - -# This is now converting the mail test into an executable script. -# Most users will have reached this stage; they can edit the contact_email -# if they know better than us. -# -s - Subject line. By extending it, we can "hack" the mail program to -# include a customized Reply-To header. - -mailbody="#!/bin/sh -# -# Edit this variable to send this message to an alternate destination -contact_email=$proposed_email - -mail \$contact_email -s 'DNS records for Opportunistic Encryption ($hostname$reverseip) -Reply-To: $mymail' <<EOF - -"$mailbody" - -EOF -" - -screenoutput="Executable mail file saved to: "$save_mail_file -} -else -{ -# Slightly different instructions if we have nothing to tell the user. - -screenoutput="$me: error: Unable to locate SOA record for this domain. Not generating executable file. -Sample mail file saved to: "$save_mail_file -} -fi - -# Create the output that has been prepared. -echo "$mailbody" > $save_mail_file - -# Only make it executable if we've guessed a destination e-mail address. -if [ "$proposed_email" ]; then -{ -chmod u+x $save_mail_file -} -fi - -# Tell the user what'sgoing on. -echo "$screenoutput" diff --git a/programs/manual/.cvsignore b/programs/manual/.cvsignore deleted file mode 100644 index 2905494b6..000000000 --- a/programs/manual/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -manual diff --git a/programs/manual/Makefile b/programs/manual/Makefile deleted file mode 100644 index 68cfb9110..000000000 --- a/programs/manual/Makefile +++ /dev/null 
@@ -1,38 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=manual - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:28 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.2 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/manual/manual.8 b/programs/manual/manual.8 deleted file mode 100644 index a439544da..000000000 --- a/programs/manual/manual.8 +++ /dev/null 
@@ -1,267 +0,0 @@ -.TH IPSEC_MANUAL 8 "17 July 2001" -.\" RCSID $Id: manual.8,v 1.1 2004/03/15 20:35:28 as Exp $ -.SH NAME -ipsec manual \- take manually-keyed IPsec connections up and down -.SH SYNOPSIS -.B ipsec -.B manual -[ -.B \-\-show -] [ -.B \-\-showonly -] [ -.B \-\-other -] -.br -\ \ \ [ -.B \-\-iam -.RB address "@" interface -] [ -.B \-\-config -configfile -] -.br -\ \ \ operation connection -.sp 0.5 -.B ipsec -.B manual -[ -.I options -] -.B \-\-union -operation part ... -.SH DESCRIPTION -.I Manual -manipulates manually-keyed FreeS/WAN IPsec connections, -setting them up and shutting them down, -based on the information in the IPsec configuration file. -In the normal usage, -.I connection -is the name of a connection specification in the configuration file; -.I operation -is -.BR \-\-up , -.BR \-\-down , -.BR \-\-route , -or -.BR \-\-unroute . -.I Manual -generates setup (\c -.BR \-\-route -or -.BR \-\-up ) -or -teardown (\c -.BR \-\-down -or -.BR \-\-unroute ) -commands for the connection and feeds them to a shell for execution. -.PP -The -.B \-\-up -operation brings the specified connection up, including establishing a -suitable route for it if necessary. -.PP -The -.B \-\-route -operation just establishes the route for a connection. -Unless and until an -.B \-\-up -operation is done, packets routed by that route will simply be discarded. -.PP -The -.B \-\-down -operation tears the specified connection down, -.I except -that it leaves the route in place. -Unless and until an -.B \-\-unroute -operation is done, packets routed by that route will simply be discarded. -This permits establishing another connection to the same destination -without any ``window'' in which packets can pass without encryption. -.PP -The -.B \-\-unroute -operation (and only the -.B \-\-unroute -operation) deletes any route established for a connection. 
-.PP -In the -.B \-\-union -usage, each -.I part -is the name of a partial connection specification in the configuration file, -and the union of all the partial specifications is the -connection specification used. -The effect is as if the contents of the partial specifications were -concatenated together; -restrictions on duplicate parameters, etc., do apply to the result. -(The same effect can now be had, more gracefully, using the -.B also -parameter in connection descriptions; -see -.IR ipsec.conf (5) -for details.) -.PP -The -.B \-\-show -option turns on the -.B \-x -option of the shell used to execute the commands, -so each command is shown as it is executed. -.PP -The -.B \-\-showonly -option causes -.I manual -to show the commands it would run, on standard output, -and not run them. -.PP -The -.B \-\-other -option causes -.I manual -to pretend it is the other end of the connection. -This is probably not useful except in combination with -.BR \-\-showonly . -.PP -The -.B \-\-iam -option causes -.I manual -to believe it is running on the host with the specified IP -.IR address , -and that it should use the specified -.I interface -(normally it determines all this automatically, -based on what IPsec interfaces are up and how they are configured). -.PP -The -.B \-\-config -option specifies a non-standard location for the FreeS/WAN IPsec -configuration file (default -.IR /etc/ipsec.conf ). -.PP -See -.IR ipsec.conf (5) -for details of the configuration file. -Apart from the basic parameters which specify the endpoints and routing -of a connection (\fBleft\fR -and -.BR right , -plus possibly -.BR leftsubnet , -.BR leftnexthop , -.BR leftfirewall , -their -.B right -equivalents, -and perhaps -.BR type ), -a non-\fBpassthrough\fR -.I manual -connection needs an -.B spi -or -.B spibase -parameter and some parameters specifying encryption, authentication, or -both, most simply -.BR esp , -.BR espenckey , -and -.BR espauthkey . 
-Moderately-secure keys can be obtained from -.IR ipsec_ranbits (8). -For production use of manually-keyed connections, -it is strongly recommended that the keys be kept in a separate file -(with permissions -.BR rw\-\-\-\-\-\-\- ) -using the -.B include -and -.B also -facilities of the configuration file (see -.IR ipsec.conf (5)). -.PP -If an -.B spi -parameter is given, -.I manual -uses that value as the SPI number for all the SAs -(which are in separate number spaces anyway). -If an -.B spibase -parameter is given instead, -.I manual -assigns SPI values by altering the bottom digit -of that value; -SAs going from left to right get even digits starting at 0, -SAs going from right to left get odd digits starting at 1. -Either way, it is suggested that manually-keyed connections use -three-digit SPIs with the first digit non-zero, -i.e. in the range -.B 0x100 -through -.BR 0xfff ; -FreeS/WAN reserves those for manual keying and will not -attempt to use them for automatic keying (unless requested to, -presumably by a non-FreeS/WAN other end). -.SH FILES -.ta \w'/var/run/ipsec.nexthop'u+4n -/etc/ipsec.conf default IPsec configuration file -.br -/var/run/ipsec.info \fB%defaultroute\fR information -.SH SEE ALSO -ipsec(8), ipsec.conf(5), ipsec_spi(8), ipsec_eroute(8), ipsec_spigrp(8), -route(8) -.SH HISTORY -Written for the FreeS/WAN project -<http://www.freeswan.org/> -by Henry Spencer. -.SH BUGS -It's not nearly as generous about the syntax of subnets, -addresses, etc. as the usual FreeS/WAN user interfaces. -Four-component dotted-decimal must be used for all addresses. -It -.I is -smart enough to translate bit-count netmasks to dotted-decimal form. -.PP -If the connection specification for a connection is changed between an -.B \-\-up -and the ensuing -.BR \-\-down , -chaos may ensue. -.PP -The -.B \-\-up -operation is not smart enough to notice whether the connection is already up. 
-.PP -.I Manual -is not smart enough to reject insecure combinations of algorithms, -e.g. encryption with no authentication at all. -.PP -Any non-IPsec route to the other end which is replaced by the -.B \-\-up -or -.B \-\-route -operation will not be re-established by -.BR \-\-unroute . -Whether this is a feature or a bug depends on your viewpoint. -.PP -The optional parameters which -override the automatic -.BR spibase -based -SPI assignment are a messy area of the code and bugs are likely. -.PP -``Road warrior'' handling, -and other special forms of setup which -require negotiation between the two security gateways, -inherently cannot be done with -.IR manual . -.PP -.I Manual -generally lags behind -.I auto -in support of various features, -even when implementation \fIwould\fR be possible. -For example, currently it does not do IPComp content compression. diff --git a/programs/manual/manual.in b/programs/manual/manual.in deleted file mode 100755 index bda4bafa0..000000000 --- a/programs/manual/manual.in +++ /dev/null 
@@ -1,637 +0,0 @@ -#! /bin/sh -# user interface to manual keying -# Copyright (C) 1998, 1999 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: manual.in,v 1.1 2004/03/15 20:35:28 as Exp $ - -me='ipsec manual' -usage="Usage: - $me [--showonly] --{up|down|route|unroute} name - $me [--showonly] --{up|down|route|unroute} --union partname ... - - other options: [--config ipsecconfigfile] [--other] [--show] - [--iam ipaddress@interface]" - -# make sure outputs of (e.g.) ifconfig are in English -unset LANG LANGUAGE LC_ALL LC_MESSAGES - -showonly= -config= -info=/var/run/ipsec.info -shopts= -other=0 -union=0 -noinclude= -interfs= -op= - -for dummy -do - case "$1" in - --help) echo "$usage" ; exit 0 ;; - --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; - --show) shopts=-x ;; - --showonly) showonly=yes ;; - --other) other=1 ;; - --union) union=1 ;; - --config) config="--config $2" ; shift ;; - --noinclude) noinclude=--noinclude ;; - --iam) interfs="$2" ; shift ;; - --up|--down|--route|--unroute) - if test " $op" != " " - then - echo "$usage" >&2 - exit 2 - fi - op="$1" - ;; - --) shift ; break ;; - -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - -case "$op$#:$union" in -[01]:*) echo "$usage" >&2 ; exit 2 ;; -2:0) echo "$me: warning: obsolete command syntax used" >&2 - op="--$2" - names="$1" - ;; -[0-9]*:1) ;; ---*) if test $# -eq 0 - then - echo "$usage" >&2 - exit 2 - fi - names="$*" - ;; -*) echo "$usage" >&2 ; 
exit 2 ;; -esac -if test " $op" = " " -then - # --union obsolete-syntax case, op is last argument - echo "$me: warning: obsolete command syntax used" >&2 - names= - prev= - for arg - do - names="$names $prev" - prev="$arg" - done - op="--$prev" -fi -case "$op" in ---up|--down|--route|--unroute) ;; -*) echo "$usage" >&2 ; exit 2 ;; -esac - -case "$interfs" in -'') interfs="`ifconfig | - awk ' /^ipsec/ { interf = $1 ; next } - /^[^ \t]/ { interf = "" ; next } - /^[ \t]*inet addr/ { - sub(/:/, " ", $0) - if (interf != "") - print $3 "@" interf - }' | tr '\n' ' '`" - ;; -esac - -if test -s $info -then - . $info -fi - -ipsec _confread $config $noinclude $names | -awk ' BEGIN { - FS = "\t" - myname = "'"$me"'" - err = "cat >&2" - op = "'"$op"'" - other = '"$other"' - names = "'"$names"'" - interfs = "'"$interfs"'" - ni = split(interfs, terfs, " ") - if (ni == 0) - fail("no IPsec-enabled interfaces found") - for (i = 1; i <= ni; i++) { - nc = split(terfs[i], cpts, "@") - if (nc != 2) - fail("internal error on " terfs[i]) - interface[cpts[1]] = cpts[2] - } - draddr = "'"$defaultrouteaddr"'" - drnexthop = "'"$defaultroutenexthop"'" - s[""] = "" - nlspi = 0 - nrspi = 0 - failed = 0 - maskbits[0] = "0.0.0.0" - maskbits[1] = "128.0.0.0" - maskbits[2] = "192.0.0.0" - maskbits[3] = "224.0.0.0" - maskbits[4] = "240.0.0.0" - maskbits[5] = "248.0.0.0" - maskbits[6] = "252.0.0.0" - maskbits[7] = "254.0.0.0" - maskbits[8] = "255.0.0.0" - maskbits[9] = "255.128.0.0" - maskbits[10] = "255.192.0.0" - maskbits[11] = "255.224.0.0" - maskbits[12] = "255.240.0.0" - maskbits[13] = "255.248.0.0" - maskbits[14] = "255.252.0.0" - maskbits[15] = "255.254.0.0" - maskbits[16] = "255.255.0.0" - maskbits[17] = "255.255.128.0" - maskbits[18] = "255.255.192.0" - maskbits[19] = "255.255.224.0" - maskbits[20] = "255.255.240.0" - maskbits[21] = "255.255.248.0" - maskbits[22] = "255.255.252.0" - maskbits[23] = "255.255.254.0" - maskbits[24] = "255.255.255.0" - maskbits[25] = "255.255.255.128" - 
maskbits[26] = "255.255.255.192" - maskbits[27] = "255.255.255.224" - maskbits[28] = "255.255.255.240" - maskbits[29] = "255.255.255.248" - maskbits[30] = "255.255.255.252" - maskbits[31] = "255.255.255.254" - maskbits[32] = "255.255.255.255" - } - $1 == "=" { - next - } - $1 == "!" { - if ($2 != "") - fail($2) - next - } - $1 != ":" { - fail("internal error, unknown type code \"" $1 "\"") - } - { s[$2] = $3 } - function q(s) { - return "\"" s "\"" - } - function fail(m) { - print myname ": fatal error in " q(names) ": " m |err - failed = 1 - exit - } - function swap(k, t, l, r) { - l = "left" k - r = "right" k - if ((l in s) && (r in s)) { - t = s[l] - s[l] = s[r] - s[r] = t - } else if (l in s) { # but not r - s[r] = s[l] - delete s[l] - } else if (r in s) { # but not l - s[l] = s[r] - delete s[r] - } - } - function yesno(k) { - if ((k in s) && s[k] != "yes" && s[k] != "no") - fail("parameter \"" k "\" must be \"yes\" or \"no\"") - } - function default(k, v) { - if (!(k in s)) - s[k] = v - } - function need(k) { - if (!(k in s)) - fail("connection has no \"" k "\" parameter specified") - if (s[k] == "") - fail("parameter \"" k "\" value must be non-empty") - } - function integer(k) { - if (!(k in s)) - return - if (s[k] !~ /^[0-9]+$/) - fail("parameter \"" k "\" value must be integer") - } - function nexthopset(dir, val, k) { - k = dir "nexthop" - if (k in s) - fail("non-default value of " k " is being overridden") - if (val != "") - s[k] = val - else if (k in s) - delete s[k] - } - function leftward( t) { - nlspi++ - if ("spi" in s) - return s["spi"] - t = spibase spil - spil += 2 - return t - } - function rightward( t) { - nrspi++ - if ("spi" in s) - return s["spi"] - t = spibase spir - spir += 2 - return t - } - function netfix(dir, n, t) { - n = s[dir "subnet"] - if (n == "%default") - n = "0.0.0.0/0" - if (n !~ /\//) - fail(dir "subnet=" n " has no mask specified") - t = split(n, netfixarray, "/") - if (t != 2) - fail("bad syntax in " dir "subnet=" n) - 
s[dir "net"] = netfixarray[1] - s[dir "mask"] = mask(netfixarray[2]) - } - function mask(m) { - if (m ~ /\./) - return m - if (!(m in maskbits)) - fail("unknown mask syntax \"" m "\"") - return maskbits[m] - } - function bidir(name, l, r) { - l = "left" name - r = "right" name - if (!(l in s) && (name in s)) - s[l] = s[name] - if (!(r in s) && (name in s)) - s[r] = s[name] - if ((l in s) != (r in s)) - fail("must give both or neither \"" l "\" and \"" \ - r "\"") - } - function espspi(src, dest, spi, dir) { - if (!("esp" in s)) - return - dir = (dest == me) ? "left" : "right" - print "ipsec spi --label", q(names), "--af inet", - "--said", ("esp" spi "@" dest), "\\" - print "\t--esp", s["esp"], "--src", src, "\\" - if ((dir "espauthkey") in s) - print "\t--authkey", s[dir "espauthkey"], "\\" - if ("espreplay_window" in s) - print "\t--replay_window", s["espreplay_window"], "\\" - if ((dir "espenckey") in s) - print "\t--enckey", s[dir "espenckey"], "&&" - else - print "\t&&" - } - function ahspi(src, dest, spi, dir) { - if (!("ah" in s)) - return - dir = (dest == me) ? 
"left" : "right" - if (!((dir "ahkey") in s)) - fail("AH specified but no ahkey= given") - print "ipsec spi --label", q(names), "--af inet", - "--said", ("ah" spi "@" dest), "\\" - print "\t--ah", s["ah"], "--src", src, "\\" - if ("ahreplay_window" in s) - print "\t--replay_window", s["ahreplay_window"], "\\" - print "\t--authkey", s[dir "ahkey"], "&&" - } - # issue a suitable invocation of updown command - function updown(verb, suffix, cmd) { - if ("leftupdown" in s) { - cmd = s["leftupdown"] - if (s["leftfirewall"] == "yes") - fail("cannot specify both updown and firewall") - } else { - cmd = "ipsec _updown" - if (s["leftfirewall"] == "yes") - cmd = cmd " ipfwadm" - } - print "PLUTO_VERB=" verb verbsuf " " cmd " " suffix - } - END { - ######### - if (failed) - exit 1 - default("type", "tunnel") - type = s["type"] - shunt = 0 - if (type == "transport") { - if ("leftsubnet" in s) - fail("type=transport incompatible with leftsubnet") - if ("rightsubnet" in s) - fail("type=transport incompatible with rightsubnet") - } else if (type == "passthrough") { - shunt = 1; - p = "%pass" - } else if (type == "drop" || type == "reject") { - shunt = 1; - p = "%" type - } else if (type != "tunnel") - fail("only know how to do types tunnel/transport/passthrough") - if (shunt) { - if (("ah" in s) || ("esp" in s)) - fail(type " connection may not specify AH or ESP") - } else { - if (!("ah" in s) && !("esp" in s)) - fail("neither AH nor ESP specified for connection") - } - - need("left") - need("right") - if (s["left"] == "%defaultroute") { - if (s["right"] == "%defaultroute") - fail("left and right cannot both be %defaultroute") - if (draddr == "") - fail("%defaultroute requested but not known") - s["left"] = draddr - nexthopset("left", drnexthop) - } else if (s["right"] == "%defaultroute") { - if (draddr == "") - fail("%defaultroute requested but not known") - s["right"] = draddr - nexthopset("right", drnexthop) - } - - leftsub = ("leftsubnet" in s) ? 
1 : 0 - default("leftsubnet", s["left"] "/32") - rightsub = ("rightsubnet" in s) ? 1 : 0 - default("rightsubnet", s["right"] "/32") - default("leftfirewall", "no") - default("rightfirewall", "no") - yesno("leftfirewall") - yesno("rightfirewall") - integer("espreplay_window") - if (("espreplay_window" in s) && s["espreplay_window"] == 0) - delete s["espreplay_window"] - integer("ahreplay_window") - if (("ahreplay_window" in s) && s["ahreplay_window"] == 0) - delete s["ahreplay_window"] - netfix("left") - netfix("right") - - default("leftnexthop", s["right"]) - default("rightnexthop", s["left"]) - if (s["leftnexthop"] == s["left"]) - fail("left and leftnexthop must not be the same") - if (s["rightnexthop"] == s["right"]) - fail("right and rightnexthop must not be the same") - - bidir("espenckey") - bidir("espauthkey") - bidir("ahkey") - if ("spi" in s && "spibase" in s) - fail("cannot specify both spi and spibase") - if (!shunt) { - if ("spibase" in s) { - b = s["spibase"] - if (b !~ /^0x[0-9a-fA-F]+0$/) - fail("bad syntax in spibase -- must be 0x...0") - spibase = substr(b, 1, length(b)-1) - } else { - need("spi") - if (s["spi"] !~ /^0x[0-9a-fA-F]+$/) - fail("bad syntax in spi -- must be 0x...") - } - } - spir = 0 - spil = 1 - - # who am I? 
- me = "" - for (addr in interface) { - if (addr == s["left"] || addr == s["right"]) { - if (me != "") - fail("ambiguous: could be on \"" iface \ - "\" or \"" interface[addr] "\"") - me = addr - iface = interface[addr] - } - } - if (me == "") - fail("cannot find interface for " s["left"] " or " s["right"]) - if (other) { - if (s["left"] == me) - me = s["right"] - else if (s["right"] == me) - me = s["left"] - } - havesubnet = leftsubnet - if (s["right"] == me) { - swap("") # swaps "left" and "right" - swap("subnet") - swap("nexthop") - swap("net") - swap("mask") - swap("firewall") - swap("espspi") - swap("ahspi") - swap("espenckey") - swap("espauthkey") - swap("ahkey") - swap("updown") - t = spil - spil = spir - spir = t - havesubnet = rightsubnet - } - him = s["right"] - - if (s["leftnexthop"] == "%defaultroute") { - if (drnexthop == "") - fail("%defaultroute requested but not known") - s["leftnexthop"] = drnexthop - } - - tspi = rightward() - if (type == "tunnel") { - espi = rightward() - intspi = leftward() - } else - espi = tspi - if (s["rightespspi"] != "") - espi = s["rightespspi"] - respi = leftward() - if (s["leftespspi"] != "") - respi = s["leftespspi"] - if ("ah" in s) { - if ("esp" in s) { - aspi = rightward() - raspi = leftward() - } else { - aspi = espi - raspi = respi - } - if (s["rightahspi"] != "") - aspi = s["rightahspi"] - if (s["leftahspi"] != "") - raspi = s["leftahspi"] - } - routeid = "-net " s["rightnet"] " netmask " s["rightmask"] - if (s["rightmask"] == "255.255.255.255") - routeid = "-host " s["rightnet"] - - print "PATH=\"'"$PATH"'\"" - print "export PATH" - print "PLUTO_VERSION=1.1" - verbsuf = (havesubnet) ? 
"-client" : "-host" - print "PLUTO_CONNECTION=" q(names) - print "PLUTO_NEXT_HOP=" s["leftnexthop"] - print "PLUTO_INTERFACE=" iface - print "PLUTO_ME=" me - print "PLUTO_MY_CLIENT=" s["leftsubnet"] - print "PLUTO_MY_CLIENT_NET=" s["leftnet"] - print "PLUTO_MY_CLIENT_MASK=" s["leftmask"] - print "PLUTO_PEER=" him - print "PLUTO_PEER_CLIENT=" s["rightsubnet"] - print "PLUTO_PEER_CLIENT_NET=" s["rightnet"] - print "PLUTO_PEER_CLIENT_MASK=" s["rightmask"] - print "export PLUTO_VERSION PLUTO_CONNECTION PLUTO_NEXT_HOP" - print "export PLUTO_INTERFACE PLUTO_ME PLUTO_MY_CLIENT" - print "export PLUTO_MY_CLIENT_NET PLUTO_MY_CLIENT_MASK PLUTO_PEER" - print "export PLUTO_PEER_CLIENT PLUTO_PEER_CLIENT_NET" - print "export PLUTO_PEER_CLIENT_MASK" - - if (op == "--up") { - print "{" - # first, the outbound SAs - if (type == "tunnel") { - print "ipsec spi --label", q(names), "--af inet", - "--said", ("tun" tspi "@" him), "\\" - print "\t--ip4", "--src", me, "--dst", him, "&&" - } - espspi(me, him, espi) - ahspi(me, him, aspi) - if (nrspi > 1) { - # group them - printf "ipsec spigrp --label %s --said ", q(names) - if (type == "tunnel") - printf "tun%s@%s ", tspi, him - if (("esp" in s)) - printf "esp%s@%s ", espi, him - if ("ah" in s) - printf "ah%s@%s ", aspi, him - printf " &&\n" - } - # inbound SAs - if (type == "tunnel") { - print "ipsec spi --label", q(names), "--af inet", - "--said", ("tun" intspi "@" me), "\\" - print "\t--ip4", "--src", him, "--dst", me, "&&" - } - espspi(him, me, respi) - ahspi(him, me, raspi) - if (nlspi > 1) { - # group them - printf "ipsec spigrp --label %s --said ", q(names) - if (type == "tunnel") - printf "tun%s@%s ", intspi, me - if (("esp" in s)) - printf "esp%s@%s ", respi, me - if ("ah" in s) - printf "ah%s@%s ", raspi, me - printf " &&\n" - } - # with the SAs in place, eroute to them - print "ipsec eroute --label", q(names), - "--eraf inet --replace", "\\" - if (!shunt) { - if (type == "tunnel") - p = "tun" - else if (("esp" in s)) - p = "esp" 
- else - p = "ah" - p = p tspi "@" him - } - print "\t--src", s["leftsubnet"], "--dst", s["rightsubnet"], - "--said", p, "&&" - # with the eroute in place, NOW we can route to it - #print "{ route del", routeid, "2>/dev/null ; true ; } &&" - updown("prepare", "&&") - #print "route add", routeid, "dev", iface, "gw", - # s["leftnexthop"], "&&" - updown("route", "&&") - # and with all processing in place, we can penetrate firewall - #if (s["leftfirewall"] == "yes") { - # print "ipfwadm -F -i accept -b -S", s["leftsubnet"], - # "-D", s["rightsubnet"], "&&" - #} - updown("up", "&&") - print "true" - print "} || {" - } else if (op == "--route") { - #print "{ route del", routeid, "2>/dev/null ; true ; } &&" - updown("prepare", "&&") - #print "route add", routeid, "dev", iface, "gw", - # s["leftnexthop"] - updown("route") - exit 0 - } else if (op == "--unroute") { - #print "route del", routeid, "dev", iface, "gw", - # s["leftnexthop"] - updown("unroute") - exit 0 - } else # down - print "{" - - # now do "down", unconditionally, since the desired output for "up" - # is { up && up && up && true } || { down ; down ; down } - # tear things down in fairly strict reverse order - #if (s["leftfirewall"] == "yes") - # print "ipfwadm -F -d accept -b -S", s["leftsubnet"], - # "-D", s["rightsubnet"] - updown("down") - #print "route del", routeid, "dev", iface, "gw", s["leftnexthop"] - print "# do not delete route" - print "ipsec eroute --label", q(names), "--eraf inet --del", "\\" - print "\t--src", s["leftsubnet"], "--dst", s["rightsubnet"] - #if ("ah" in s) { - # print "ipsec spi --label", q(names), "--af inet", "--del", - # "--said", ("ah" raspi "@" me) - #} - #if ("esp" in s) { - # print "ipsec spi --label", q(names), "--af inet", "--del", - # "--said", ("esp" respi "@" me) - #} - if (!shunt) { - if (type == "tunnel") - p = "tun" - else if (("esp" in s)) - p = "esp" - else - p = "ah" - print "ipsec spi --label", q(names), "--af inet", "--del", - "--said", (p tspi "@" him), - " # 
outbound" - print "ipsec spi --label", q(names), "--af inet", "--del", - "--said", (p intspi "@" me), - " # inbound" - } - - if (op == "--up") - print "} 2>/dev/null" - else - print "}" - ######### - }' | -if test $showonly -then - cat -else - sh $shopts -fi diff --git a/programs/pf_key/.cvsignore b/programs/pf_key/.cvsignore deleted file mode 100644 index 323068235..000000000 --- a/programs/pf_key/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -pf_key diff --git a/programs/pf_key/Makefile b/programs/pf_key/Makefile deleted file mode 100644 index 6af45c8d1..000000000 --- a/programs/pf_key/Makefile +++ /dev/null 
@@ -1,49 +0,0 @@ -# Makefile for the KLIPS interface utilities -# Copyright (C) 1998, 1999 Henry Spencer. -# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM:=pf_key -EXTRA5MAN=${PROGRAM}.5 - -LIBS:=${FREESWANLIB} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:28 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.3 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.2 2002/04/26 01:21:26 mcr -# while tracking down a missing (not installed) /etc/ipsec.conf, -# MCR has decided that it is not okay for each program subdir to have -# some subset (determined with -f) of possible files. -# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -# Optional PROGRAM.5 files have been added to the makefiles. -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/pf_key/pf_key.5 b/programs/pf_key/pf_key.5 deleted file mode 100644 index f5eab9a96..000000000 --- a/programs/pf_key/pf_key.5 +++ /dev/null 
@@ -1,122 +0,0 @@ -.TH IPSEC_PF_KEY 5 "29 Jun 2000" -.\" -.\" RCSID $Id: pf_key.5,v 1.1 2004/03/15 20:35:28 as Exp $ -.\" -.SH NAME -ipsec_pf_key \- lists PF_KEY sockets registered with KLIPS -.SH SYNOPSIS -.B cat -.B /proc/net/pf_key -.SH DESCRIPTION -.I /proc/net/pf_key -is a read-only file which lists the presently open PF_KEY sockets on the -local system and their parameters. -.PP -Each line lists one PF_KEY socket. -A table entry consists of: -.IP + 3 -sock pointer (sock) -.IP + -PID of the socket owner (pid) -.IP + -flag to indicate if the socket is dead (d) -.IP + -socket wait queue (sleep) -.IP + -socket pointer (socket) -.IP + -next socket in chain (next) -.IP + -previous socket in chain (prev) -.IP + -last socket error (e) -.IP + -pointer to destruct routine (destruct) -.IP + -is this a reused socket (r) -.IP + -has this socket been zapped (z) -.IP + -socket family to which this socket belongs (fa) -.IP + -local port number (n) -.IP + -protocol version number (p) -.IP + -Receive queue bytes committed (r) -.IP + -Transmit queue bytes committed (w) -.IP + -option memory allocations (o) -.IP + -size of send buffer in bytes (sndbf) -.IP + -timestamp in seconds (stamp) -.IP + -socket flags (Flags) -.IP + -socket type (Type) -.IP + -connection state (St) -.BR -.SH EXAMPLES -.TP -.\".B "sock pid d sleep socket next prev e destruct r z fa n p r w o sndbf stamp Flags Type St" -.TP -.B c3b8c140 3553 0 c0599818 c05997fc 0 0 0 0 1 0 15 0 2 0 0 0 65535 0.103232 00000000 00000003 01 -.LP -shows that there is one pf_key socket set up that starts at -.BR c3b8c140 , -whose owning process has PID -.BR 3553 , -the socket is not dead, its wait queue is at -.BR c0599818 , -whose owning socket is at -.BR c05997fc , -with no other sockets in the chain, no errors, no destructor, it is a -reused socket which has not been zapped, from protocol family -.BR 15 -(PF_KEY), local port number -.BR 0 , -protocol socket version -.BR 2 , -no memory allocated to transmit, receive or option 
queues, a send buffer -of almost -.BR 64kB , -a timestamp of -.BR 0.103232 , -no flags set, type -.BR 3 , -in state -.BR 1 . -.SH "FILES" -/proc/net/pf_key -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_eroute(5), ipsec_spi(5), -ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_tncfg(8), ipsec_version(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. -.\" -.\" $Log: pf_key.5,v $ -.\" Revision 1.1 2004/03/15 20:35:28 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.4 2002/04/24 07:35:39 mcr -.\" Moved from ./klips/utils/pf_key.5,v -.\" -.\" Revision 1.3 2001/01/23 23:51:49 rgb -.\" Fix outdated references to /proc/net/ipsec_pf_key. -.\" -.\" Revision 1.2 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.1 2000/06/30 06:19:27 rgb -.\" manpages for the last two /proc/net/ipsec* files that don't have a -.\" corresponding utility. -.\" -.\" -.\" diff --git a/programs/pf_key/pf_key.8 b/programs/pf_key/pf_key.8 deleted file mode 100644 index dd42bf541..000000000 --- a/programs/pf_key/pf_key.8 +++ /dev/null 
@@ -1,73 +0,0 @@ -.TH IPSEC_PF_KEY 8 "17 Oct 2001" -.\" -.\" RCSID $Id: pf_key.8,v 1.2 2005/07/07 19:07:43 as Exp $ -.\" -.SH NAME -pf_key \- shows pfkey messages emitted by the kernel -.SH SYNOPSIS -.B pf_key -.B \-\-ah -.B \-\-esp -.B \-\-ipip -.B \-\-ipcomp -.B \-\-daemon -.I file -.BR hmac-md5-96 | hmac-sha1-96 -.SH DESCRIPTION -.B pf_key -is a program to open a PF_KEY socket and print all messages that are received -from it. With no options, it will register itself to receive key requests for -AH, ESP, IPIP and IPCOMP security associations. If given more specific -options, then it will listen only to those protocols which are listed. -.PP -If the messages are recognized, the messages will be decoded. -.PP -If the option -.B \-\-daemon -is provided, then after doing the registrations, the program will fork -into the background. The provided file will be opened and the process ID of -the background process will be written to it. This option is present to -present race conditions in regression testing. -.SH EXAMPLES -.TP -.\".B "pfkey v.2 msg. type 3 seq=20 len=2 errno=22 satype=3" -.SH "FILES" -/proc/net/pf_key -.SH "SEE ALSO" -pf_key(5), ipsec(8), ipsec_manual(8), ipsec_eroute(5), ipsec_spi(5), -ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_tncfg(8), ipsec_version(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Michael Richardson <mcr@freeswan.org> -.\" -.\" $Log: pf_key.8,v $ -.\" Revision 1.2 2005/07/07 19:07:43 as -.\" fixed man page type -.\" -.\" Revision 1.1 2004/03/15 20:35:28 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.4 2002/07/16 02:53:42 mcr -.\" added --daemon <pidfile> to "ipsec pf_key" command. -.\" this is used in *-trap-* tests to avoid race conditions between -.\" registration of PF_KEY listeners and arrival of first test packet. 
-.\" -.\" Revision 1.3 2002/04/24 07:35:39 mcr -.\" Moved from ./klips/utils/pf_key.8,v -.\" -.\" Revision 1.2 2001/11/23 07:23:14 mcr -.\" pulled up klips2 Makefile and pf_key code. -.\" -.\" Revision 1.1.2.1 2001/10/23 18:49:12 mcr -.\" renamed man page to section 8. -.\" added --ah, --esp, --ipcomp and --ipip to control which -.\" protocols are printed. -.\" incomplete messages which include at least an sadb header are printed. -.\" -.\" Revision 1.1.2.1 2001/10/17 23:25:37 mcr -.\" added "pk_key" program to dump raw kernel pf messages. -.\" (program is still skeletal) -.\" -.\" -.\" diff --git a/programs/pf_key/pf_key.c b/programs/pf_key/pf_key.c deleted file mode 100644 index af7365d65..000000000 --- a/programs/pf_key/pf_key.c +++ /dev/null 
@@ -1,353 +0,0 @@ -/* - * @(#) pfkey socket manipulator/observer - * - * Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org> - * and Michael Richardson <mcr@freeswan.org> - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id: pf_key.c,v 1.2 2004/04/20 21:23:25 as Exp $ - * - */ - -/* - * This program opens a pfkey socket and prints all messages that it sees. - * - * This can be used to diagnose problems. - * - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> -#include <getopt.h> -#include <errno.h> -#include <setjmp.h> -#include <signal.h> - -#include <sys/socket.h> - -#include <sys/types.h> -#include <stdint.h> -#include <freeswan.h> -#include <pfkeyv2.h> -#include <pfkey.h> - -char *progname; -uint32_t pfkey_seq = 0; -int pfkey_sock; - -static void -Usage(char *progname) -{ - fprintf(stderr, "%s: Usage: %s [--help]\n" - "\tby default listens for AH, ESP, IPIP and IPCOMP\n" - "\t--daemon <file> fork before printing, stuffing the PID in the file\n" - "\t--ah listen for AH messages\n" - "\t--esp listen for ESP messages\n" - "\t--ipip listen for IPIP messages\n" - "\t--ipcomp listen for IPCOMP messages\n", - progname, progname); - exit(1); -} - -void -pfkey_register(uint8_t satype) { - /* for registering SA types that can be negotiated */ - int error = 0; - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - struct sadb_msg *pfkey_msg; - - pfkey_extensions_init(extensions); - if((error = 
pfkey_msg_hdr_build(&extensions[0], - SADB_REGISTER, - satype, - 0, - ++pfkey_seq, - getpid()))) { - fprintf(stderr, "%s: Trouble building message header, error=%d.\n", - progname, error); - pfkey_extensions_free(extensions); - exit(1); - } - if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) { - fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n", - progname, error); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - exit(1); - } - if(write(pfkey_sock, pfkey_msg, - pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) != - (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) { - /* cleanup code here */ - fprintf(stderr, "%s: Trouble writing to channel PF_KEY.\n", progname); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - exit(1); - } - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); -} - -int dienow; - -void controlC(int foo) -{ - fflush(stdout); - printf("%s: Exiting on signal 15\n", progname); - fflush(stderr); - exit(0); -} - -int -main(int argc, char *argv[]) -{ - int opt; - ssize_t readlen; - unsigned char pfkey_buf[256]; - struct sadb_msg *msg; - int fork_after_register; - char *pidfilename; - - static int ah_register; - static int esp_register; - static int ipip_register; - static int ipcomp_register; - - static struct option long_options[] = - { - {"help", no_argument, 0, 'h'}, - {"daemon", required_argument, 0, 'f'}, - {"ah", no_argument, &ah_register, 1}, - {"esp", no_argument, &esp_register, 1}, - {"ipip", no_argument, &ipip_register, 1}, - {"ipcomp", no_argument, &ipcomp_register, 1}, - }; - - ah_register = 0; - esp_register = 0; - ipip_register = 0; - ipcomp_register=0; - dienow = 0; - fork_after_register=0; - pidfilename=NULL; - - progname = argv[0]; - if(strrchr(progname, '/')) { - progname=strrchr(progname, '/')+1; - } - - while((opt = getopt_long(argc, argv, "hf:", - long_options, NULL)) != EOF) { - switch(opt) { - case 'f': - pidfilename=optarg; - 
fork_after_register=1; - break; - case 'h': - Usage(progname); - break; - case '0': - /* it was a long option with a flag */ - break; - } - } - - if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) { - fprintf(stderr, "%s: failed to open PF_KEY family socket: %s\n", - progname, strerror(errno)); - exit(1); - } - - if(ah_register == 0 && - esp_register== 0 && - ipip_register==0 && - ipcomp_register==0) { - ah_register=1; - esp_register=1; - ipip_register=1; - ipcomp_register=1; - } - - if(ah_register) { - pfkey_register(SADB_SATYPE_AH); - } - if(esp_register) { - pfkey_register(SADB_SATYPE_ESP); - } - if(ipip_register) { - pfkey_register(SADB_X_SATYPE_IPIP); - } - if(ipcomp_register) { - pfkey_register(SADB_X_SATYPE_COMP); - } - - if(fork_after_register) { - /* - * to aid in regression testing, we offer to register - * everything first, and then we fork. As part of this - * we write the PID of the new process to a file - * provided. - */ - int pid; - FILE *pidfile; - - fflush(stdout); - fflush(stderr); - - pid=fork(); - if(pid!=0) { - /* in parent! */ - exit(0); - } - - if((pidfile=fopen(pidfilename, "w"))==NULL) { - perror(pidfilename); - } else { - fprintf(pidfile, "%d", getpid()); - fclose(pidfile); - } - } - - signal(SIGINT, controlC); - signal(SIGTERM, controlC); - - while((readlen = read(pfkey_sock, pfkey_buf, sizeof(pfkey_buf))) > 0) { - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - msg = (struct sadb_msg *)pfkey_buf; - - /* first, see if we got enough for an sadb_msg */ - if((size_t)readlen < sizeof(struct sadb_msg)) { - printf("%s: runt packet of size: %d (<%lu)\n", - progname, (int)readlen, (unsigned long)sizeof(struct sadb_msg)); - continue; - } - - /* okay, we got enough for a message, print it out */ - printf("\npfkey v%d msg. 
type=%d(%s) seq=%d len=%d pid=%d errno=%d satype=%d(%s)\n", - msg->sadb_msg_version, - msg->sadb_msg_type, - pfkey_v2_sadb_type_string(msg->sadb_msg_type), - msg->sadb_msg_seq, - msg->sadb_msg_len, - msg->sadb_msg_pid, - msg->sadb_msg_errno, - msg->sadb_msg_satype, - satype2name(msg->sadb_msg_satype)); - - if((size_t)readlen != msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) - { - printf("%s: packet size read from socket=%d doesn't equal sadb_msg_len %d * %u; message not decoded\n", - progname, - (int)readlen, - msg->sadb_msg_len, - (int) IPSEC_PFKEYv2_ALIGN); - continue; - } - - pfkey_lib_debug = PF_KEY_DEBUG_PARSE_STRUCT; - if (pfkey_msg_parse(msg, NULL, extensions, EXT_BITS_OUT)) { - printf("%s: unparseable PF_KEY message.\n", - progname); - } else { - printf("%s: parseable PF_KEY message.\n", - progname); - } - } - printf("%s: exited normally\n", progname); - exit(0); -} - -/* - * $Log: pf_key.c,v $ - * Revision 1.2 2004/04/20 21:23:25 as - * int cast fix for 64 bit platforms - * - * Revision 1.1 2004/03/15 20:35:28 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.15 2003/09/10 00:01:30 mcr - * fixes for gcc 3.3 from Matthias Bethke <Matthias.Bethke@gmx.net> - * - * Revision 1.14 2002/10/09 03:12:05 dhr - * - * [kenb+dhr] 64-bit fixes - * - * Revision 1.13 2002/09/20 05:02:15 rgb - * Cleaned up pfkey_lib_debug usage. - * - * Revision 1.12 2002/09/13 23:02:23 rgb - * Type fiddling to tame ia64 compiler. - * Added text labels to elucidate numeric values presented. - * - * Revision 1.11 2002/08/26 03:05:25 mcr - * duh, pf_key much catch SIGTERM as well as SIGINT... - * - * Revision 1.10 2002/08/13 19:01:27 mcr - * patches from kenb to permit compilation of FreeSWAN on ia64. - * des library patched to use proper DES_LONG type for ia64. - * - * Revision 1.9 2002/07/16 02:53:42 mcr - * added --daemon <pidfile> to "ipsec pf_key" command. 
- * this is used in *-trap-* tests to avoid race conditions between - * registration of PF_KEY listeners and arrival of first test packet. - * - * Revision 1.8 2002/06/17 04:32:55 mcr - * exit nicely from pf_key when SIGINT (^C) is sent. - * This is needed so that the stdout will flush properly. - * - * Revision 1.7 2002/04/24 07:55:32 mcr - * #include patches and Makefiles for post-reorg compilation. - * - * Revision 1.6 2002/04/24 07:35:39 mcr - * Moved from ./klips/utils/pf_key.c,v - * - * Revision 1.5 2002/03/08 21:44:04 rgb - * Update for all GNU-compliant --version strings. - * - * Revision 1.4 2001/11/27 05:19:06 mcr - * added extra newline between packets. - * set pfkey_lib_debug to enum rather than just to "1". - * - * Revision 1.3 2001/11/27 03:35:29 rgb - * Added stdlib *again*. - * - * Revision 1.2 2001/11/23 07:23:14 mcr - * pulled up klips2 Makefile and pf_key code. - * - * Revision 1.1.2.5 2001/10/23 18:49:12 mcr - * renamed man page to section 8. - * added --ah, --esp, --ipcomp and --ipip to control which - * protocols are printed. - * incomplete messages which include at least an sadb header are printed. - * - * Revision 1.1.2.4 2001/10/22 21:50:51 rgb - * Added pfkey register for AH, ESP, IPIP and COMP. - * - * Revision 1.1.2.3 2001/10/21 21:51:06 rgb - * Bug fixes to get working. - * - * Revision 1.1.2.2 2001/10/20 22:45:31 rgb - * Added check for exact length and a call to message parser to get some - * idea of the contents of each extension. - * - * Revision 1.1.2.1 2001/10/17 23:25:37 mcr - * added "pk_key" program to dump raw kernel pf messages. - * (program is still skeletal) - * - * - * Local variables: - * c-file-style: "linux" - * End: - * - */ diff --git a/programs/proc/Makefile b/programs/proc/Makefile deleted file mode 100644 index 023356440..000000000 --- a/programs/proc/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Makefile for the KLIPS interface utilities -# Copyright (C) 1998, 1999 Henry Spencer. -# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:30 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -EXTRA5PROC:=version.5 trap_count.5 trap_sendcount.5 - -LIBS:=${FREESWANLIB} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:30 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.5 2003/06/20 02:56:20 mcr -# added documentation for /proc/net/ipsec/stats/trap_* and -# amendments to test cases. -# -# Revision 1.4 2002/06/03 20:25:31 mcr -# man page for files actually existant in /proc/net changed back to -# ipsec_foo via new EXTRA5PROC process. -# -# Revision 1.3 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.2 2002/05/05 23:09:49 mcr -# EXTRA35MAN should have the extensions on it. -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# diff --git a/programs/proc/trap_count.5 b/programs/proc/trap_count.5 deleted file mode 100644 index e4cfd5871..000000000 --- a/programs/proc/trap_count.5 +++ /dev/null 
@@ -1,35 +0,0 @@ -.TH IPSEC_TRAP_COUNT 5 "19 Jun 2003" -.\" -.\" RCSID $Id: trap_count.5,v 1.1 2004/03/15 20:35:30 as Exp $ -.\" -.SH NAME -trap_count \- KLIPS statistic on number of ACQUIREs -.SH SYNOPSIS -.B cat -.B /proc/net/ipsec/stats/trap_count -.SH DESCRIPTION -.I /proc/net/ipsec/stats/trap_count -is a read-only file. It contains a hexadecimal number which records the -number of attempts to send PF_ACQUIRE messages. Only those recorded by -trap_sendcount were actually successfully passed to userland. Note that the -userland may still have lost them on its own. -.LP -.SH "FILES" -/proc/net/ipsec/stats/trap_sendcount -.SH "SEE ALSO" -ipsec(8), ipsec_pf_key(5), trap_sendcount(5), pluto(8) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Michael C. Richardson <mcr@freeswan.org> -.\" -.\" $Log: trap_count.5,v $ -.\" Revision 1.1 2004/03/15 20:35:30 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.1 2003/06/20 02:56:20 mcr -.\" added documentation for /proc/net/ipsec/stats/trap_* and -.\" amendments to test cases. -.\" -.\" -.\" diff --git a/programs/proc/trap_sendcount.5 b/programs/proc/trap_sendcount.5 deleted file mode 100644 index 27090b52b..000000000 --- a/programs/proc/trap_sendcount.5 +++ /dev/null 
@@ -1,33 +0,0 @@ -.TH IPSEC_TRAP_SENDCOUNT 5 "19 Jun 2003" -.\" -.\" RCSID $Id: trap_sendcount.5,v 1.1 2004/03/15 20:35:30 as Exp $ -.\" -.SH NAME -trap_sendcount \- KLIPS statistic on number of successful ACQUIREs -.SH SYNOPSIS -.B cat -.B /proc/net/ipsec/stats/trap_sendcount -.SH DESCRIPTION -.I /proc/net/ipsec/stats/trap_sendcount -is a read-only file. It contains a hexadecimal number which records the -number of successful PF_ACQUIRE messages that were sent. -.LP -.SH "FILES" -/proc/net/ipsec/stats/trap_sendcount -.SH "SEE ALSO" -ipsec(8), ipsec_pf_key(5), trap_count(5), pluto(8) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Michael C. Richardson <mcr@freeswan.org> -.\" -.\" $Log: trap_sendcount.5,v $ -.\" Revision 1.1 2004/03/15 20:35:30 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.1 2003/06/20 02:56:20 mcr -.\" added documentation for /proc/net/ipsec/stats/trap_* and -.\" amendments to test cases. -.\" -.\" -.\" diff --git a/programs/proc/version.5 b/programs/proc/version.5 deleted file mode 100644 index c763d6d17..000000000 --- a/programs/proc/version.5 +++ /dev/null 
@@ -1,54 +0,0 @@ -.TH IPSEC_VERSION 5 "29 Jun 2000" -.\" -.\" RCSID $Id: version.5,v 1.1 2004/03/15 20:35:30 as Exp $ -.\" -.SH NAME -ipsec_version \- lists KLIPS version information -.SH SYNOPSIS -.B cat -.B /proc/net/ipsec_version -.SH DESCRIPTION -.I /proc/net/ipsec_version -is a read-only file which lists the currently running KLIPS version -information. -.PP -.SH EXAMPLES -.TP -.B FreeS/WAN version: 1.4 -.LP -shows that the currently loaded -.B KLIPS -is from -.B FreeS/WAN 1.4. -.LP -.SH "FILES" -/proc/net/ipsec_version -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_eroute(5), ipsec_spi(5), -ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_tncfg(8), ipsec_pf_key(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. -.\" -.\" $Log: version.5,v $ -.\" Revision 1.1 2004/03/15 20:35:30 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.4 2002/04/24 07:35:41 mcr -.\" Moved from ./klips/utils/version.5,v -.\" -.\" Revision 1.3 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.2 2000/06/30 06:22:22 rgb -.\" Fix SYNOPSIS since there is no 'ipsec version' command. -.\" -.\" Revision 1.1 2000/06/30 06:19:26 rgb -.\" manpages for the last two /proc/net/ipsec* files that don't have a -.\" corresponding utility. -.\" -.\" -.\" diff --git a/programs/ranbits/.cvsignore b/programs/ranbits/.cvsignore deleted file mode 100644 index 910103faa..000000000 --- a/programs/ranbits/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -ranbits diff --git a/programs/ranbits/Makefile b/programs/ranbits/Makefile deleted file mode 100644 index 558318e8e..000000000 --- a/programs/ranbits/Makefile +++ /dev/null 
@@ -1,39 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:30 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=ranbits -LIBS=${FREESWANLIB} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:30 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.2 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/ranbits/ranbits.8 b/programs/ranbits/ranbits.8 deleted file mode 100644 index 5a99a088f..000000000 --- a/programs/ranbits/ranbits.8 +++ /dev/null 
@@ -1,77 +0,0 @@ -.TH IPSEC_RANBITS 8 "22 Aug 2000" -.\" RCSID $Id: ranbits.8,v 1.1 2004/03/15 20:35:30 as Exp $ -.SH NAME -ipsec ranbits \- generate random bits in ASCII form -.SH SYNOPSIS -.B ipsec -.B ranbits -[ -.B \-\-quick -] [ -.B \-\-continuous -] [ -.B \-\-bytes -] nbits -.SH DESCRIPTION -.I Ranbits -obtains -.I nbits -(rounded up to the nearest byte) -high-quality random bits from -.IR random (4), -and emits them on standard output as an ASCII string. -The default output format is -.IR datatot (3) -.B h -format: -lowercase hexadecimal with a -.B 0x -prefix and an underscore every 32 bits. -.PP -The -.B \-\-quick -option produces quick-and-dirty random bits: -instead of using the high-quality random bits from -.IR /dev/random , -which may take some time to supply the necessary bits if -.I nbits -is large, -.I ranbits -uses -.IR /dev/urandom , -which yields prompt results but lower-quality randomness. -.PP -The -.B \-\-continuous -option uses -.IR datatot (3) -.B x -output format, like -.B h -but without the underscores. -.PP -The -.B \-\-bytes -option causes -.I nbits -to be interpreted as a byte count rather than a bit count. -.SH FILES -/dev/random, /dev/urandom -.SH SEE ALSO -ipsec_datatot(3), random(4) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org> -by Henry Spencer. -.SH BUGS -There is an internal limit on -.IR nbits , -currently 20000. -.PP -Without -.BR \-\-quick , -.IR ranbits 's -run time is difficult to predict. -A request for a large number of bits, -at a time when the system's entropy pool is low on randomness, -may take quite a while to satisfy. diff --git a/programs/ranbits/ranbits.c b/programs/ranbits/ranbits.c deleted file mode 100644 index 7b9a0f76e..000000000 --- a/programs/ranbits/ranbits.c +++ /dev/null 
@@ -1,146 +0,0 @@ -/* - * random bit generation for scripts, control files, etc. - * Copyright (C) 1998, 1999, 2000 Henry Spencer. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id: ranbits.c,v 1.1 2004/03/15 20:35:30 as Exp $ - */ - -#include <sys/types.h> -#include <sys/stat.h> -#include <stdio.h> -#include <limits.h> -#include <errno.h> -#include <string.h> -#include <stdlib.h> -#include <unistd.h> -#include <getopt.h> -#include <fcntl.h> -#include <netinet/in.h> -#include <freeswan.h> - -#ifndef DEVICE -#define DEVICE "/dev/random" -#endif -#ifndef QDEVICE -#define QDEVICE "/dev/urandom" -#endif -#ifndef MAXBITS -#define MAXBITS 20000 -#endif - -char usage[] = "Usage: ranbits [--quick] [--continuous] [--bytes] nbits"; -struct option opts[] = { - {"quick", 0, NULL, 'q',}, - {"continuous", 0, NULL, 'c',}, - {"bytes", 0, NULL, 'b',}, - {"help", 0, NULL, 'h',}, - {"version", 0, NULL, 'v',}, - {0, 0, NULL, 0,} -}; -int quick = 0; /* quick and dirty? */ -char format = 'h'; /* datatot() format code */ -int isbytes = 0; /* byte count rather than bits? 
*/ - -char me[] = "ipsec ranbits"; /* for messages */ - -char buf[MAXBITS/CHAR_BIT]; -char outbuf[3*sizeof(buf)]; - -int main(int argc, char *argv[]) -{ - int opt; - extern int optind; - int errflg = 0; - int nbits; - size_t nbytes; - char *devname; - int dev; - size_t ndone; - size_t nneeded; - ssize_t got; - - while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF) - switch (opt) { - case 'q': /* quick and dirty randomness */ - quick = 1; - break; - case 'c': /* continuous hex, no underscores */ - format = 'x'; - break; - case 'b': /* byte count, not bit count */ - isbytes = 1; - break; - case 'h': /* help */ - printf("%s\n", usage); - exit(0); - break; - case 'v': /* version */ - printf("%s %s\n", me, ipsec_version_code()); - exit(0); - break; - case '?': - default: - errflg = 1; - break; - } - if (errflg || optind != argc-1) { - fprintf(stderr, "%s\n", usage); - exit(2); - } - - nbits = atoi(argv[optind]); - if (isbytes) - nbits *= CHAR_BIT; - if (nbits <= 0) { - fprintf(stderr, "%s: invalid bit count (%d)\n", me, nbits); - exit(1); - } - if (nbits > MAXBITS) { - fprintf(stderr, "%s: overlarge bit count (max %d)\n", me, - MAXBITS); - exit(1); - } - nbytes = (size_t)(nbits + CHAR_BIT - 1) / CHAR_BIT; - - devname = (quick) ? QDEVICE : DEVICE; - dev = open(devname, 0); - if (dev < 0) { - fprintf(stderr, "%s: could not open %s (%s)\n", me, - devname, strerror(errno)); - exit(1); - } - - ndone = 0; - while (ndone < nbytes) { - got = read(dev, buf + ndone, nbytes - ndone); - if (got < 0) { - fprintf(stderr, "%s: read error on %s (%s)\n", me, - devname, strerror(errno)); - exit(1); - } - if (got == 0) { - fprintf(stderr, "%s: eof on %s!?!\n", me, devname); - exit(1); - } - ndone += got; - } - - nneeded = datatot(buf, nbytes, format, outbuf, sizeof(outbuf)); - if (nneeded > sizeof(outbuf)) { - fprintf(stderr, "%s: buffer overflow (need %ld bytes)?!?\n", - me, (long)nneeded); - exit(1); - } - printf("%s\n", outbuf); - exit(0); -} 
diff --git a/programs/rsasigkey/.cvsignore b/programs/rsasigkey/.cvsignore deleted file mode 100644 index f9e610b4d..000000000 --- a/programs/rsasigkey/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -rsasigkey diff --git a/programs/rsasigkey/Makefile b/programs/rsasigkey/Makefile deleted file mode 100644 index c2b82e5c8..000000000 --- a/programs/rsasigkey/Makefile +++ /dev/null @@ -1,39 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:30 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=rsasigkey -LIBS=${FREESWANLIB} -lgmp - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:30 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.2 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/rsasigkey/rsasigkey.8 b/programs/rsasigkey/rsasigkey.8 deleted file mode 100644 index c64dd46bd..000000000 --- a/programs/rsasigkey/rsasigkey.8 +++ /dev/null 
@@ -1,259 +0,0 @@ -.TH IPSEC_RSASIGKEY 8 "22 July 2001" -.\" RCSID $Id: rsasigkey.8,v 1.1 2004/03/15 20:35:30 as Exp $ -.SH NAME -ipsec rsasigkey \- generate RSA signature key -.SH SYNOPSIS -.B ipsec -.B rsasigkey -[ -.B \-\-verbose -] [ -.B \-\-random -filename -] -.B \e -.br -\ \ \ [ -.B \-\-rounds -nr -] [ -.B \-\-hostname -host ] [ -.B \-\-noopt -] nbits -.br -.B ipsec -.B rsasigkey -[ -.B \-\-verbose -] [ -.B \-\-hostname -host ] -.B \e -.br -\ \ \ -[ -.B \-\-noopt -] -.B \-\-oldkey -file -.SH DESCRIPTION -.I Rsasigkey -generates an RSA public/private key pair, -suitable for digital signatures, -of (exactly) -.I nbits -bits (that is, two primes each of exactly -.IR nbits /2 -bits, -and related numbers) -and emits it on standard output as ASCII (mostly hex) data. -.I nbits -must be a multiple of 16. -.PP -The public exponent is forced to the value -.BR 3 , -which has important speed advantages for signature checking. -Beware that the resulting keys have known weaknesses as encryption keys -\fIand should not be used for that purpose\fR. -.PP -The -.B \-\-verbose -option makes -.I rsasigkey -give a running commentary on standard error. -By default, it works in silence until it is ready to generate output. -.PP -The -.B \-\-random -option specifies a source for random bits. -The default is -.I /dev/random -(see -.IR random (4)). -Normally, -.I rsasigkey -reads exactly -.I nbits -random bits from the source; -in extremely-rare circumstances it may need more. -.PP -The -.B \-\-rounds -option specifies the number of rounds to be done by the -.I mpz_probab_prime_p -probabilistic primality checker. -The default, 30, is fairly rigorous and should not normally -have to be overridden. -.PP -The -.B \-\-hostname -option specifies what host name to use in -the first line of the output (see below); -the default is what -.IR gethostname (2) -returns. 
-.PP -The -.B \-\-noopt -option suppresses an optimization of the private key -(to be precise, setting of the decryption exponent to -.B lcm(p\-1,q\-1) -rather than -.BR (p\-1)*(q\-1) ) -which speeds up operations on it slightly -but can cause it to flunk a validity check in old RSA implementations -(notably, obsolete versions of -.IR ipsec_pluto (8)). -.PP -The -.B \-\-oldkey -option specifies that rather than generate a new key, -.I rsasigkey -should read an old key from the -.I file -(the name -.B \- -means ``standard input'') -and use that to generate its output. -Input lines which do not look like -.I rsasigkey -output are silently ignored. -This permits updating old keys to the current format. -.PP -The output format looks like this (with long numbers trimmed down -for clarity): -.PP -.ne 15 -.nf - # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000 - # for signatures only, UNSAFE FOR ENCRYPTION - #pubkey=0sAQOF8tZ2NZt...Y1P+buFuFn/ - Modulus: 0xcc2a86fcf440...cf1011abb82d1 - PublicExponent: 0x03 - # everything after this point is secret - PrivateExponent: 0x881c59fdf8...ab05c8c77d23 - Prime1: 0xf49fd1f779...46504c7bf3 - Prime2: 0xd5a9108453...321d43cb2b - Exponent1: 0xa31536a4fb...536d98adda7f7 - Exponent2: 0x8e70b5ad8d...9142168d7dcc7 - Coefficient: 0xafb761d001...0c13e98d98 -.fi -.PP -The first (comment) line, -indicating the nature and date of the key, -and giving a host name, -is used by -.IR ipsec_showhostkey (8) -when generating some forms of key output. -.PP -The commented-out -.B pubkey= -line contains the public key\(emthe public exponent and the modulus\(emcombined -in approximately RFC 2537 format -(the one deviation is that the combined value is given with a -.B 0s -prefix, rather than in unadorned base-64), -suitable for use in the -.I ipsec.conf -file. -.PP -The -.BR Modulus , -.BR PublicExponent , -and -.B PrivateExponent -lines give the basic signing and verification data. 
-.PP -The -.B Prime1 -and -.B Prime2 -lines give the primes themselves (aka -.I p -and -.IR q ), -largest first. -The -.B Exponent1 -and -.B Exponent2 -lines give -the private exponent mod -.IR p\-1 -and -.IR q\-1 -respectively. -The -.B Coefficient -line gives the Chinese Remainder Theorem coefficient, -which is the inverse of -.IR q , -mod -.IR p . -These additional numbers (which must all be kept as secret as the -private exponent) are precomputed aids to rapid signature generation. -.PP -No attempt is made to break long lines. -.PP -The US patent on the RSA algorithm expired 20 Sept 2000. -.SH EXAMPLES -.TP -.B "ipsec rsasigkey \-\-verbose 2192 >mykey" -generates a 2192-bit signature key and puts it in the file -.IR mykey , -with running commentary on standard error. -The file contents can be inserted verbatim into a suitable entry in the -.I ipsec.secrets -file (see -.IR ipsec.secrets (5)), -and the public key can then be extracted and edited into the -.I ipsec.conf -file (see -.IR ipsec.conf (5)). -.TP -.B "ipsec rsasigkey \-\-verbose \-\-oldkey oldie >latest" -takes the old signature key from file -.I oldie -and puts a version in the current format into the file -.IR latest , -with running commentary on standard error. -.SH FILES -/dev/random -.SH SEE ALSO -random(4), ipsec_showhostkey(8) -.br -\fIApplied Cryptography\fR, 2nd. ed., by Bruce Schneier, Wiley 1996. -.br -RFCs 2537, 2313. -.br -\fIGNU MP, the GNU multiple precision arithmetic library, edition 2.0.2\fR, -by Torbj Granlund. -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org> -by Henry Spencer. -.SH BUGS -There is an internal limit on -.IR nbits , -currently 20000. -.PP -.IR Rsasigkey 's -run time is difficult to predict, -since -.I /dev/random -output can be arbitrarily delayed if -the system's entropy pool is low on randomness, -and the time taken by the search for primes is also somewhat unpredictable. 
-A reasonably typical time for a 1024-bit key on a quiet 200MHz Pentium MMX -with plenty of randomness available is 20 seconds, -almost all of it in the prime searches. -Generating a 2192-bit key on the same system usually takes several minutes. -A 4096-bit key took an hour and a half of CPU time. -.PP -The -.B \-\-oldkey -option does not check its input format as rigorously as it might. -Corrupted -.I rsasigkey -output may confuse it. diff --git a/programs/rsasigkey/rsasigkey.c b/programs/rsasigkey/rsasigkey.c deleted file mode 100644 index b55dbb889..000000000 --- a/programs/rsasigkey/rsasigkey.c +++ /dev/null 
@@ -1,573 +0,0 @@ -/* - * RSA signature key generation - * Copyright (C) 1999, 2000, 2001 Henry Spencer. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id: rsasigkey.c,v 1.2 2005/08/11 10:35:58 as Exp $ - */ - -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <stdlib.h> -#include <unistd.h> -#include <stdio.h> -#include <time.h> -#include <limits.h> -#include <errno.h> -#include <string.h> -#include <assert.h> -#include <getopt.h> -#include <freeswan.h> -#include "gmp.h" - -#ifndef DEVICE -#define DEVICE "/dev/random" -#endif -#ifndef MAXBITS -#define MAXBITS 20000 -#endif - -/* the code in getoldkey() knows about this */ -#define E 3 /* standard public exponent */ - -char usage[] = "rsasigkey [--verbose] [--random device] nbits"; -char usage2[] = "rsasigkey [--verbose] --oldkey filename"; -struct option opts[] = { - {"verbose", 0, NULL, 'v',}, - {"random", 1, NULL, 'r',}, - {"rounds", 1, NULL, 'p',}, - {"oldkey", 1, NULL, 'o',}, - {"hostname", 1, NULL, 'H',}, - {"noopt", 0, NULL, 'n',}, - {"help", 0, NULL, 'h',}, - {"version", 0, NULL, 'V',}, - {0, 0, NULL, 0,} -}; -int verbose = 0; /* narrate the action? 
*/ -char *device = DEVICE; /* where to get randomness */ -int nrounds = 30; /* rounds of prime checking; 25 is good */ -mpz_t prime1; /* old key's prime1 */ -mpz_t prime2; /* old key's prime2 */ -char outputhostname[1024]; /* hostname for output */ -int do_lcm = 1; /* use lcm(p-1, q-1), not (p-1)*(q-1) */ - -char me[] = "ipsec rsasigkey"; /* for messages */ - -/* forwards */ -int getoldkey(char *filename); -void rsasigkey(int nbits, int useoldkey); -void initprime(mpz_t var, int nbits, int eval); -void initrandom(mpz_t var, int nbits); -void getrandom(size_t nbytes, char *buf); -char *bundle(int e, mpz_t n, size_t *sizep); -char *conv(char *bits, size_t nbytes, int format); -char *hexout(mpz_t var); -void report(char *msg); - -/* - - main - mostly argument parsing - */ -int main(int argc, char *argv[]) -{ - int opt; - extern int optind; - extern char *optarg; - int errflg = 0; - int i; - int nbits; - char *oldkeyfile = NULL; - - while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF) - switch (opt) { - case 'v': /* verbose description */ - verbose = 1; - break; - case 'r': /* nonstandard /dev/random */ - device = optarg; - break; - case 'p': /* number of prime-check rounds */ - nrounds = atoi(optarg); - if (nrounds <= 0) { - fprintf(stderr, "%s: rounds must be > 0\n", me); - exit(2); - } - break; - case 'o': /* reformat old key */ - oldkeyfile = optarg; - break; - case 'H': /* set hostname for output */ - strcpy(outputhostname, optarg); - break; - case 'n': /* don't optimize the private key */ - do_lcm = 0; - break; - case 'h': /* help */ - printf("Usage:\t%s\n", usage); - printf("\tor\n"); - printf("\t%s\n", usage2); - exit(0); - break; - case 'V': /* version */ - printf("%s %s\n", me, ipsec_version_code()); - exit(0); - break; - case '?': - default: - errflg = 1; - break; - } - if (errflg || optind != ((oldkeyfile != NULL) ? 
argc : argc-1)) { - printf("Usage:\t%s\n", usage); - printf("\tor\n"); - printf("\t%s\n", usage2); - exit(2); - } - - if (outputhostname[0] == '\0') { - i = gethostname(outputhostname, sizeof(outputhostname)); - if (i < 0) { - fprintf(stderr, "%s: gethostname failed (%s)\n", - me, - strerror(errno)); - exit(1); - } - } - - if (oldkeyfile == NULL) { - assert(argv[optind] != NULL); - nbits = atoi(argv[optind]); - } else - nbits = getoldkey(oldkeyfile); - - if (nbits <= 0) { - fprintf(stderr, "%s: invalid bit count (%d)\n", me, nbits); - exit(1); - } else if (nbits > MAXBITS) { - fprintf(stderr, "%s: overlarge bit count (max %d)\n", me, - MAXBITS); - exit(1); - } else if (nbits % (CHAR_BIT*2) != 0) { /* *2 for nbits/2-bit primes */ - fprintf(stderr, "%s: bit count (%d) not multiple of %d\n", me, - nbits, (int)CHAR_BIT*2); - exit(1); - } - - rsasigkey(nbits, (oldkeyfile == NULL) ? 0 : 1); - exit(0); -} - -/* - - getoldkey - fetch an old key's primes - */ -int /* nbits */ -getoldkey(filename) -char *filename; -{ - FILE *f; - char line[MAXBITS/2]; - char *p; - char *value; - static char pube[] = "PublicExponent:"; - static char pubevalue[] = "0x03"; - static char pr1[] = "Prime1:"; - static char pr2[] = "Prime2:"; -# define STREQ(a, b) (strcmp(a, b) == 0) - int sawpube = 0; - int sawpr1 = 0; - int sawpr2 = 0; - int nbits; - - nbits = 0; - - if (STREQ(filename, "-")) - f = stdin; - else - f = fopen(filename, "r"); - if (f == NULL) { - fprintf(stderr, "%s: unable to open file `%s' (%s)\n", me, - filename, strerror(errno)); - exit(1); - } - if (verbose) - fprintf(stderr, "getting old key from %s...\n", filename); - - while (fgets(line, sizeof(line), f) != NULL) { - p = line + strlen(line) - 1; - if (*p != '\n') { - fprintf(stderr, "%s: over-long line in file `%s'\n", - me, filename); - exit(1); - } - *p = '\0'; - - p = line + strspn(line, " \t"); /* p -> first word */ - value = strpbrk(p, " \t"); /* value -> after it */ - if (value != NULL) { - *value++ = '\0'; - value += 
strspn(value, " \t"); - /* value -> second word if any */ - } - - if (value == NULL || *value == '\0') { - /* wrong format */ - } else if (STREQ(p, pube)) { - sawpube = 1; - if (!STREQ(value, pubevalue)) { - fprintf(stderr, "%s: wrong public exponent (`%s') in old key\n", - me, value); - exit(1); - } - } else if (STREQ(p, pr1)) { - if (sawpr1) { - fprintf(stderr, "%s: duplicate `%s' lines in `%s'\n", - me, pr1, filename); - exit(1); - } - sawpr1 = 1; - nbits = (strlen(value) - 2) * 4 * 2; - if (mpz_init_set_str(prime1, value, 0) < 0) { - fprintf(stderr, "%s: conversion error in reading old prime1\n", - me); - exit(1); - } - } else if (STREQ(p, pr2)) { - if (sawpr2) { - fprintf(stderr, "%s: duplicate `%s' lines in `%s'\n", - me, pr2, filename); - exit(1); - } - sawpr2 = 1; - if (mpz_init_set_str(prime2, value, 0) < 0) { - fprintf(stderr, "%s: conversion error in reading old prime2\n", - me); - exit(1); - } - } - } - - if (f != stdin) - fclose(f); - - if (!sawpube || !sawpr1 || !sawpr2) { - fprintf(stderr, "%s: old key missing or incomplete\n", me); - exit(1); - } - - assert(sawpr1); /* and thus nbits is known */ - return(nbits); -} - -/* - - rsasigkey - generate an RSA signature key - * e is fixed at 3, without discussion. That would not be wise if these - * keys were to be used for encryption, but for signatures there are some - * real speed advantages. - */ -void -rsasigkey(nbits, useoldkey) -int nbits; -int useoldkey; /* take primes from old key? 
*/ -{ - mpz_t p; - mpz_t q; - mpz_t n; - mpz_t e; - mpz_t d; - mpz_t q1; /* temporary */ - mpz_t m; /* internal modulus, (p-1)*(q-1) */ - mpz_t t; /* temporary */ - mpz_t exp1; - mpz_t exp2; - mpz_t coeff; - char *bundp; - size_t bs; - int success; - time_t now = time((time_t *)NULL); - - /* the easy stuff */ - if (useoldkey) { - mpz_init_set(p, prime1); - mpz_init_set(q, prime2); - } else { - initprime(p, nbits/2, E); - initprime(q, nbits/2, E); - } - mpz_init(t); - if (mpz_cmp(p, q) < 0) { - report("swapping primes so p is the larger..."); - mpz_set(t, p); - mpz_set(p, q); - mpz_set(q, t); - } - report("computing modulus..."); - mpz_init(n); - mpz_mul(n, p, q); /* n = p*q */ - mpz_init_set_ui(e, E); - - /* internal modulus */ - report("computing lcm(p-1, q-1)..."); - mpz_init_set(m, p); - mpz_sub_ui(m, m, 1); - mpz_init_set(q1, q); - mpz_sub_ui(q1, q1, 1); - mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */ - mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */ - if (do_lcm) - mpz_divexact(m, m, t); /* m = lcm(p-1, q-1) */ - mpz_gcd(t, m, e); - assert(mpz_cmp_ui(t, 1) == 0); /* m and e relatively prime */ - - /* decryption key */ - report("computing d..."); - mpz_init(d); - success = mpz_invert(d, e, m); - assert(success); /* e has an inverse mod m */ - if (mpz_cmp_ui(d, 0) < 0) - mpz_add(d, d, m); - assert(mpz_cmp(d, m) < 0); - - /* the speedup hacks */ - report("computing exp1, exp1, coeff..."); - mpz_init(exp1); - mpz_sub_ui(t, p, 1); - mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */ - mpz_init(exp2); - mpz_sub_ui(t, q, 1); - mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */ - mpz_init(coeff); - mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */ - if (mpz_cmp_ui(coeff, 0) < 0) - mpz_add(coeff, coeff, p); - assert(mpz_cmp(coeff, p) < 0); - - /* and the output */ - /* note, getoldkey() knows about some of this */ - report("output...\n"); /* deliberate extra newline */ - printf("\t# RSA %d bits %s %s", nbits, outputhostname, ctime(&now)); - /* ctime provides \n */ - printf("\t# for signatures 
only, UNSAFE FOR ENCRYPTION\n"); - bundp = bundle(E, n, &bs); - printf("\t#pubkey=%s\n", conv(bundp, bs, 's')); /* RFC2537ish format */ - printf("\tModulus: %s\n", hexout(n)); - printf("\tPublicExponent: %s\n", hexout(e)); - printf("\t# everything after this point is secret\n"); - printf("\tPrivateExponent: %s\n", hexout(d)); - printf("\tPrime1: %s\n", hexout(p)); - printf("\tPrime2: %s\n", hexout(q)); - printf("\tExponent1: %s\n", hexout(exp1)); - printf("\tExponent2: %s\n", hexout(exp2)); - printf("\tCoefficient: %s\n", hexout(coeff)); -} - -/* - - initprime - initialize an mpz_t to a random prime of specified size - * Efficiency tweak: we reject candidates that are 1 higher than a multiple - * of e, since they will make the internal modulus not relatively prime to e. - */ -void -initprime(var, nbits, eval) -mpz_t var; -int nbits; /* known to be a multiple of CHAR_BIT */ -int eval; /* value of e; 0 means don't bother w. tweak */ -{ - unsigned long tries; - size_t len; -# define OKAY(p) (eval == 0 || mpz_fdiv_ui(p, eval) != 1) - - initrandom(var, nbits); - assert(mpz_fdiv_ui(var, 2) == 1); /* odd number */ - - report("looking for a prime starting there (can take a while)..."); - tries = 1; - while (!( OKAY(var) && mpz_probab_prime_p(var, nrounds) )) { - mpz_add_ui(var, var, 2); - tries++; - } - - len = mpz_sizeinbase(var, 2); - assert(len == (size_t)nbits || len == (size_t)(nbits+1)); - if (len == (size_t)(nbits+1)) { - report("carry out occurred (!), retrying..."); - mpz_clear(var); - initprime(var, nbits, eval); - return; - } - if (verbose) - fprintf(stderr, "found it after %lu tries.\n", tries); -} - -/* - - initrandom - initialize an mpz_t to a random number, specified bit count - * Converting via hex is a bit weird, but it's the best route GMP gives us. - * Note that highmost and lowmost bits are forced on -- highmost to give a - * number of exactly the specified length, lowmost so it is an odd number. 
- */ -void -initrandom(var, nbits) -mpz_t var; -int nbits; /* known to be a multiple of CHAR_BIT */ -{ - size_t nbytes = (size_t)(nbits / CHAR_BIT); - static char bitbuf[MAXBITS/CHAR_BIT]; - static char hexbuf[2 + MAXBITS/4 + 1]; - size_t hsize = sizeof(hexbuf); - - assert(nbytes <= sizeof(bitbuf)); - getrandom(nbytes, bitbuf); - bitbuf[0] |= 01 << (CHAR_BIT-1); /* force high bit on */ - bitbuf[nbytes-1] |= 01; /* force low bit on */ - if (datatot(bitbuf, nbytes, 'x', hexbuf, hsize) > hsize) { - fprintf(stderr, "%s: can't-happen buffer overflow\n", me); - exit(1); - } - if (mpz_init_set_str(var, hexbuf, 0) < 0) { - fprintf(stderr, "%s: can't-happen hex conversion error\n", me); - exit(1); - } -} - -/* - - getrandom - get some random bytes from /dev/random (or wherever) - */ -void -getrandom(nbytes, buf) -size_t nbytes; -char *buf; /* known to be big enough */ -{ - size_t ndone; - int dev; - size_t got; - - dev = open(device, 0); - if (dev < 0) { - fprintf(stderr, "%s: could not open %s (%s)\n", me, - device, strerror(errno)); - exit(1); - } - - ndone = 0; - if (verbose) - fprintf(stderr, "getting %d random bytes from %s...\n", (int) nbytes, - device); - while (ndone < nbytes) { - got = read(dev, buf + ndone, nbytes - ndone); - if (got < 0) { - fprintf(stderr, "%s: read error on %s (%s)\n", me, - device, strerror(errno)); - exit(1); - } - if (got == 0) { - fprintf(stderr, "%s: eof on %s!?!\n", me, device); - exit(1); - } - ndone += got; - } - - close(dev); -} - -/* - - hexout - prepare hex output, guaranteeing even number of digits - * (The current FreeS/WAN conversion routines want an even digit count, - * but mpz_get_str doesn't promise one.) 
- */ -char * /* pointer to static buffer (ick) */ -hexout(var) -mpz_t var; -{ - static char hexbuf[3 + MAXBITS/4 + 1]; - char *hexp; - - mpz_get_str(hexbuf+3, 16, var); - if (strlen(hexbuf+3)%2 == 0) /* even number of hex digits */ - hexp = hexbuf+1; - else { /* odd, must pad */ - hexp = hexbuf; - hexp[2] = '0'; - } - hexp[0] = '0'; - hexp[1] = 'x'; - - return hexp; -} - -/* - - bundle - bundle e and n into an RFC2537-format lump - * Note, calls hexout. - */ -char * /* pointer to static buffer (ick) */ -bundle(e, n, sizep) -int e; -mpz_t n; -size_t *sizep; -{ - char *hexp = hexout(n); - static char bundbuf[2 + MAXBITS/8]; - const char *er; - size_t size; - - assert(e <= 255); - bundbuf[0] = 1; - bundbuf[1] = e; - er = ttodata(hexp, 0, 0, bundbuf+2, sizeof(bundbuf)-2, &size); - if (er != NULL) { - fprintf(stderr, "%s: can't-happen bundle convert error `%s'\n", - me, er); - exit(1); - } - if (size > sizeof(bundbuf)-2) { - fprintf(stderr, "%s: can't-happen bundle overflow (need %d)\n", - me, (int) size); - exit(1); - } - if (sizep != NULL) - *sizep = size + 2; - return bundbuf; -} - -/* - - conv - convert bits to output in specified format - */ -char * /* pointer to static buffer (ick) */ -conv(bits, nbytes, format) -char *bits; -size_t nbytes; -int format; /* datatot() code */ -{ - static char convbuf[MAXBITS/4 + 50]; /* enough for hex */ - size_t n; - - n = datatot(bits, nbytes, format, convbuf, sizeof(convbuf)); - if (n == 0) { - fprintf(stderr, "%s: can't-happen convert error\n", me); - exit(1); - } - if (n > sizeof(convbuf)) { - fprintf(stderr, "%s: can't-happen convert overflow (need %d)\n", - me, (int) n); - exit(1); - } - return convbuf; -} - -/* - - report - report progress, if indicated - */ -void -report(msg) -char *msg; -{ - if (!verbose) - return; - fprintf(stderr, "%s\n", msg); -} diff --git a/programs/send-pr/.cvsignore b/programs/send-pr/.cvsignore deleted file mode 100644 index 953bfcf5a..000000000 --- a/programs/send-pr/.cvsignore +++ /dev/null 
@@ -1 +0,0 @@ -send-pr diff --git a/programs/send-pr/Makefile b/programs/send-pr/Makefile deleted file mode 100644 index db7d51929..000000000 --- a/programs/send-pr/Makefile +++ /dev/null @@ -1,39 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=send-pr -LIBFILES=ipsec_pr.template - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:31 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.2 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/send-pr/ipsec_pr.template b/programs/send-pr/ipsec_pr.template deleted file mode 100644 index 3e809a677..000000000 --- a/programs/send-pr/ipsec_pr.template +++ /dev/null 
@@ -1,54 +0,0 @@ -SEND-PR: -*- send-pr -*- -SEND-PR: Lines starting with `SEND-PR' will be removed automatically, as -SEND-PR: will all comments (text enclosed in `<' and `>'). -SEND-PR: -SEND-PR: Please consult the send-pr man page `send-pr(1)' or the Texinfo -SEND-PR: manual if you are not sure how to fill out a problem report. -SEND-PR: Note that the Synopsis field is mandatory. The Subject (for -SEND-PR: the mail) will be made the same as Synopsis unless explicitly -SEND-PR: changed. -SEND-PR: -SEND-PR: Choose from the following categories: -SEND-PR: -SEND-PR: pluto - Problems with IKE daemon -SEND-PR: klips - Problems with kernel code -SEND-PR: startup- Problems with start/configuration code -SEND-PR: doc - Problems with documentation -SEND-PR: interop- Problems with interoperability -SEND-PR: source - source code patches/contributions -SEND-PR: admin - Problems with freeswan.org machines -SEND-PR: -To: gnats-bugs@freeswan.org -Subject: -From: <FROM> -Reply-To: <REPLYTO> -Cc: -X-send-pr-version: 4.0-alpha -X-GNATS-Notify: - ->Submitter-Id: <SUBMITTER> ->Originator: <DEFAULT_ORIGINATOR> ->Organization: - unknown ->Synopsis: <One-line summary of the PR (one line)> ->Confidential: <[ yes | no ] (one line)> ->Severity: <[ critical | serious | non-critical ] (one line)> ->Priority: <[ high | medium | low ] (one line)> ->Category: <choose from a category listed above (one line)> ->Class: <[ sw-bug | dos | interop | mtu | log | doc-bug | support | change-request | mistaken | duplicate ] (one line)> ->Release: <DEFAULT_VERSION> ->Environment: - <DEFAULT_ENVIRONMENT> - ->IPsec-barf-location: <DEFAULT_BARF> - <some URL with the output of ipsec barf.> - ->Description: - <Precise description of the problem (multiple lines)> ->How-To-Repeat: - <code/input/activities to reproduce the problem (multiple lines)> ->Fix: - <How to correct or work around the problem, if known (multiple lines)> - ->IPsec-look: - 
diff --git a/programs/send-pr/send-pr.8 b/programs/send-pr/send-pr.8 deleted file mode 100644 index 73a5bbf3c..000000000 --- a/programs/send-pr/send-pr.8 +++ /dev/null 
@@ -1,291 +0,0 @@ -.\" -*- nroff -*- -.\" --------------------------------------------------------------------------- -.\" man page for send-pr (by Heinz G. Seidl, hgs@cygnus.com) -.\" updated Feb 1993 for GNATS 3.00 by Jeffrey Osier, jeffrey@cygnus.com -.\" -.\" This file is part of the Problem Report Management System (GNATS) -.\" Copyright 1992 Cygnus Support -.\" -.\" This program is free software; you can redistribute it and/or -.\" modify it under the terms of the GNU General Public -.\" License as published by the Free Software Foundation; either -.\" version 2 of the License, or (at your option) any later version. -.\" -.\" This program is distributed in the hope that it will be useful, -.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -.\" General Public License for more details. -.\" -.\" You should have received a copy of the GNU Library General Public -.\" License along with this program; if not, write to the Free -.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -.\" -.\" --------------------------------------------------------------------------- -.nh -.TH SEND-PR 8 xVERSIONx "February 1993" -.SH NAME -ipsec send-pr \- send problem report (PR) to a central support site -.SH SYNOPSIS -.B ipsec send-pr -[ -.I site -] -[ -.B \-f -.I problem-report -] -[ -.B \-t -.I mail-address -] -.br -.in +0.8i -[ -.B \-P -] -[ -.B \-L -] -[ -.B \-s -.I severity -] -[ -.B \-c -.I address -] -.br -[ -.B \-\-request-id -] -[ -.B \-V -] -.SH DESCRIPTION -.B ipsec send-pr -is a tool used to submit -.I problem reports -.\" SITE ADMINISTRATORS - change this if you use a local default -(PRs) to a central support site. In most cases the correct -.I site -will be the default. This argument indicates the support site which -is responsible for the category of problem involved. Some sites may -use a local address as a default. 
-.I site -values are defined by using the -.BR aliases (5). -.LP -.B ipsec send-pr -invokes an editor on a problem report template (after trying to fill -in some fields with reasonable default values). When you exit the -editor, -.B ipsec send-pr -sends the completed form to the -.I Problem Report Management System -(\fBGNATS\fR) at a central support site. At the support site, the PR -is assigned a unique number and is stored in the \fBGNATS\fR database -according to its category and submitter-id. \fBGNATS\fR automatically -replies with an acknowledgement, citing the category and the PR -number. -.LP -To ensure that a PR is handled promptly, it should contain your (unique) -\fIsubmitter-id\fR and one of the available \fIcategories\fR to identify the -problem area. (Use -.B `ipsec send-pr -L' -to see a list of categories.) -.LP -The -.B ipsec send-pr -template at your site should already be customized with your -submitter-id (running `\|\fBinstall-sid\fP \fIsubmitter-id\fP\|' to -accomplish this is part of the installation procedures for -.BR ipsec send-pr ). -If this hasn't been done, see your system administrator for your -submitter-id, or request one from your support site by invoking -.B `ipsec send-pr \-\-request\-id'. -If your site does not distinguish between different user sites, or if -you are not affiliated with the support site, use -.B `net' -for this field. -.LP -The more precise your problem description and the more complete your -information, the faster your support team can solve your problems. -.SH OPTIONS -.TP -.BI \-f " problem-report" -specify a file (\fIproblem-report\fR) which already contains a -complete problem report. -.B ipsec send-pr -sends the contents of the file without invoking the editor. If -the value for -.I problem-report -is -.BR `\|\-\|' , -then -.B ipsec send-pr -reads from standard input. -.TP -.BI \-s " severity" -Give the problem report the severity -.IR severity . 
-.TP -.BI \-t " mail-address" -Change mail address at the support site for problem reports. The -default -.I mail-address -is the address used for the default -.IR site . -Use the -.I site -argument rather than this option in nearly all cases. -.TP -.BI \-c " address" -Put -.I address -in the -.B Cc: -header of the message. -.TP -.B \-P -print the form specified by the environment variable -.B PR_FORM -on standard output. If -.B PR_FORM -is not set, print the standard blank PR template. No mail is sent. -.TP -.B -L -print the list of available categories. No mail is sent. -.TP -.B \-\-request\-id -sends mail to the default support site, or -.I site -if specified, with a request for your -.IR submitter-id . -If you are -not affiliated with -.IR site , -use a -.I submitter-id -of -.BR net \|'. -.TP -.B \-V -Display the -.B ipsec send-pr -version number. -.LP -Note: use -.B ipsec send-pr -to submit problem reports rather than mailing them directly. Using -both the template and -.B ipsec send-pr -itself will help ensure all necessary information will reach the -support site. -.SH ENVIRONMENT -The environment variable -.B EDITOR -specifies the editor to invoke on the template. -.br -default: -.B vi -.sp -If the environment variable -.B PR_FORM -is set, then its value is used as the file name of the template for -your problem-report editing session. You can use this to start with a -partially completed form (for example, a form with the identification -fields already completed). -.SH "HOW TO FILL OUT A PROBLEM REPORT" -Problem reports have to be in a particular form so that a program can -easily manage them. Please remember the following guidelines: -.IP \(bu 3m -describe only -.B one problem -with each problem report. -.IP \(bu 3m -For follow-up mail, use the same subject line as the one in the automatic -acknowledgent. It consists of category, PR number and the original synopsis -line. 
This allows the support site to relate several mail messages to a -particular PR and to record them automatically. -.IP \(bu 3m -Please try to be as accurate as possible in the subject and/or synopsis line. -.IP \(bu 3m -The subject and the synopsis line are not confidential. This is -because open-bugs lists are compiled from them. Avoid confidential -information there. -.LP -See the GNU -.B Info -file -.B send-pr.info -or the document \fIReporting Problems With send-pr\fR\ for detailed -information on reporting problems -.SH "HOW TO SUBMIT TEST CASES, CODE, ETC." -Submit small code samples with the PR. Contact the support site for -instructions on submitting larger test cases and problematic source -code. -.SH FILES -.ta \w'/tmp/pbad$$ 'u -/tmp/p$$ copy of PR used in editing session -.br -/tmp/pf$$ copy of empty PR form, for testing purposes -.br -/tmp/pbad$$ file for rejected PRs -.br -@IPSEC_DIR@/send-pr.conf script to customize send-pr. -.SH EMACS USER INTERFACE -An Emacs user interface for -.B send-pr -with completion of field values is part of the -.B send-pr -distribution (invoked with -.BR "M-x send-pr" ). -See the file -.B send-pr.info -or the ASCII file -.B INSTALL -in the top level directory of the distribution for configuration and -installation information. The Emacs LISP template file is -.B send-pr-el.in -and is installed as -.BR send-pr.el . -.SH INSTALLATION AND CONFIGURATION -See -.B send-pr.info -or -.B INSTALL -for installation instructions. -.SH SEE ALSO -.I Reporting Problems Using send-pr -(also installed as the GNU Info file -.BR send-pr.info ). -.LP -.BR gnats (l), -.BR query-pr (1), -.BR edit-pr (1), -.BR gnats (8), -.BR queue-pr (8), -.BR at-pr (8), -.BR mkcat (8), -.BR mkdist (8). -.SH AUTHORS -Jeffrey Osier, Brendan Kehoe, Jason Merrill, Heinz G. Seidl (Cygnus -Support) -.SH COPYING -Copyright (c) 1992, 1993 Free Software Foundation, Inc. 
-.PP -Permission is granted to make and distribute verbatim copies of -this manual provided the copyright notice and this permission notice -are preserved on all copies. -.PP -Permission is granted to copy and distribute modified versions of this -manual under the conditions for verbatim copying, provided that the -entire resulting derived work is distributed under the terms of a -permission notice identical to this one. -.PP -Permission is granted to copy and distribute translations of this -manual into another language, under the above conditions for modified -versions, except that this permission notice may be included in -translations approved by the Free Software Foundation instead of in -the original English. - diff --git a/programs/send-pr/send-pr.in b/programs/send-pr/send-pr.in deleted file mode 100755 index 6cd202470..000000000 --- a/programs/send-pr/send-pr.in +++ /dev/null 
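Review bot: this hunk drops only the man page, but the page itself shows `ipsec send-pr` is exposed as a section-8 `ipsec` subcommand, so the wrapper's command table and any SEE ALSO entries elsewhere in the tree that point at it should be removed in the same change, otherwise `ipsec send-pr` becomes a documented command that no longer exists. Nothing in the page needs preserving: its FILES section advertises the predictable `/tmp/p$$`, `/tmp/pf$$` and `/tmp/pbad$$` names, which the script only falls back to when mktemp is unavailable, and `send-pr.conf` under `@IPSEC_DIR@` is the only site-local file it names; confirm that file and its installer go too.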
@@ -1,643 +0,0 @@ -#!/bin/sh -# Submit a problem report to a GNATS site. -# Copyright (C) 2001 Milan Zamazal -# Copyright (C) 1993, 2001 Free Software Foundation, Inc. -# Contributed by Brendan Kehoe (brendan@cygnus.com), based on a -# version written by Heinz G. Seidl (hgs@cygnus.com). -# Further edited by Milan Zamazal (pdm@zamazal.org). -# mktemp support by Yngve Svendsen (yngve.svendsen@clustra.com). -# -# This file is part of GNU GNATS. -# -# GNU GNATS is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. -# -# GNU GNATS is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with GNU GNATS; see the file COPYING. If not, write to -# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. - -# -# $Id: send-pr.in,v 1.1 2004/03/15 20:35:31 as Exp $ -# - -# The version of this send-pr. -VERSION=4.0-alpha - -#SWAN_VERSION= - -# The submitter-id for your site. -SUBMITTER=net - -# The place where our usual binaries live. -BINDIR=@IPSEC_DIR@ - -# The place where the builtin binaries are located. -LIBDIR=@IPSEC_LIBDIR@ -LIBEXECDIR=@IPSEC_EXECDIR@ - -# The default release for this host. -DEFAULT_RELEASE="gnats-4.0-alpha" - -# The default organization. -DEFAULT_ORGANIZATION="net" - -# How to read the passwd database. -PASSWD="cat /etc/passwd" - -# Is the mktemp command available? -MKTEMP="yes" - -ECHON=bsd - -# By default send-pr connects directly to the database. However, it -# can be configured to use an existing template file by setting the -# TEMPLATE variable below to point to a PR template generated from -# "send-pr -P". 
-TEMPLATE="$LIBDIR/ipsec_pr.template" - -# send-pr can use mail to submit PRs, instead of connecting to the -# database directly. MAILPROG needs to point to a compatible mailer -# (sendmail will work). If MAILPROG needs to have the address that -# the mail is being sent to specified on the command line, it should -# be specified here as well (for example, the command -# MAILPROG="mail bugs@foo.bar.com" -# should work). If sendmail is used, this should be set to -# MAILPROG="/usr/lib/sendmail -oi -t" -MAILPROG="/usr/sbin/sendmail -oi -t" - -# The address that PRs are sent to. Normally this can be left as "bugs"; -# however, if using mail to submit PRs, this should be set to the address -# where PRs should be sent. -MAILADDR="freeswan-bugs@freeswan.org" - -if [ $ECHON = bsd ] ; then - ECHON1="echo -n" - ECHON2= -elif [ $ECHON = sysv ] ; then - ECHON1=echo - ECHON2='\c' -else - ECHON1=echo - ECHON2= -fi - -# Configuration file to be read. It must be a shell script that can redefine -# the variables above to fit a local configuration. -CONFIGFILE=@IPSEC_DIR@/send-pr.conf - -if [ -r $CONFIGFILE ]; then - . $CONFIGFILE -fi - -# - -if [ -z "$TMPDIR" ]; then - TMPDIR=/tmp -else - if [ "`echo $TMPDIR | grep '/$'`" != "" ]; then - TMPDIR="`echo $TMPDIR | sed -e 's,/$,,'`" - fi -fi - -# TEMP: Temporary copy of the PR, to be edited by the user. -# BAD: The PR will end up here if the user aborts. -# REF: The 'reference' copy of the PR template, used to verify that the user -# actually did edit the template. -# FIXFIL: A sed script used to remove comments from the template before -# processing. 
-if [ $MKTEMP = yes ]; then - TEMP=`mktemp $TMPDIR/pXXXXXX` || exit 1 - BAD=`mktemp $TMPDIR/pbadXXXXXX` || exit 1 - REF=`mktemp $TMPDIR/pfXXXXXX` || exit 1 - FIXFIL=`mktemp $TMPDIR/fixXXXXXX` || exit 1 -else - TEMP=$TMPDIR/p$$ - BAD=$TMPDIR/pbad$$ - REF=$TMPDIR/pf$$ - FIXFIL=$TMPDIR/fix$$ - bad_temp=0 - : > $TEMP || bad_temp=1 - : > $BAD || bad_temp=1 - : > $REF || bad_temp=1 - : > $FIXFIL || bad_temp=1 - if [ $bad_temp = 1 ]; then - rm -f $TEMP $BAD $REF $FIXFIL - exit 1; - fi -fi -REMOVE_TEMP="rm -f $TEMP $BAD $REF" - -# find a user name -if [ "$LOGNAME" = "" ]; then - if [ "$USER" != "" ]; then - LOGNAME="$USER" - else - LOGNAME="UNKNOWN" - fi -fi - -FROM="$LOGNAME" -REPLYTO="${REPLY_TO:-${REPLYTO:-$LOGNAME}}" -if [ "x$MAILPROG" != "x" ] -then - RESP_ALIAS="`query-pr --adm-field responsible --adm-key $LOGNAME --adm-subfield alias 2>/dev/null`" -else - RESP_ALIAS="" -fi - -# Find out the name of the originator of this PR. -if [ -n "$NAME" ]; then - DEFAULT_ORIGINATOR="$NAME" -elif [ -f $HOME/.fullname ]; then - DEFAULT_ORIGINATOR="`sed -e '1q' $HOME/.fullname`" -else - # Must use temp file due to incompatibilities in quoting behavior - # and to protect shell metacharacters in the expansion of $LOGNAME - $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP - if [ "x$RESP_ALIAS" != "x" ] - then - DEFAULT_ORIGINATOR="$RESP_ALIAS (`cat $TEMP`)" - else - DEFAULT_ORIGINATOR="$FROM (`cat $TEMP`)" - fi - rm -f $TEMP -fi - -if [ -z "$ORGANIZATION" ] -then - ORGANIZATION="$DEFAULT_ORGANIZATION"; -fi - -if [ -n "$ORGANIZATION" -a "x$ORGANIZATION" != "xunknown" ]; then - if [ -f "$ORGANIZATION" ]; then - ORGANIZATION="`cat $ORGANIZATION`" - fi - if [ -n "$ORGANIZATION" ]; then - ORGANIZATION="$ORGANIZATION" - elif [ -f $HOME/.organization ]; then - ORGANIZATION="`cat $HOME/.organization`" - fi -fi - -if [ "x$ORGANIZATION" = "xunknown" ]; then - cat <<__EOF__ -It seems that send-pr is not installed with your organization set to a useful -value. 
To fix this, you need to edit the configuration file -$CONFIGFILE -and fill in the organization with the correct value. - -__EOF__ - ORGANIZATION=""; -fi 1>&2 - -# If they don't have a preferred editor set, then use -if [ -z "$VISUAL" ]; then - if [ -z "$EDITOR" ]; then - EDIT=vi - else - EDIT="$EDITOR" - fi -else - EDIT="$VISUAL" -fi - -# Find out some information. -SYSTEM=`( [ -f /bin/uname ] && /bin/uname -a ) || \ - ( [ -f /usr/bin/uname ] && /usr/bin/uname -a ) || echo "" | sed -e 's,|,\\|,'` - -# Our base command name. -COMMAND=`echo $0 | sed -e 's,.*/,,'` -USAGE="Usage: $COMMAND [OPTION]... - - -b --batch run without printing most messages - --barf include a full barf inline rather than just look - -c --cc=LINE put LINE to the CC header - -d --database=DATABASE submit PR to DATABASE - -f --file=FILE read the PR template from FILE (\`-' for stdin) - -p --print just print the template and exit - --request-id send a request for a user id - -s --severity=SEVERITY PR severity - - -h --help display this help and exit - -V --version output version information and exit -" -REMOVE= -BATCH= -CC= -DEFAULT_SEVERITY= -BARF=${BARF-false} - -if [ "$SYSTEM" != "" ] -then - DEFAULT_ENVIRONMENT="System: $SYSTEM" -fi - -if [ "$SWAN_VERSION" != "" ] -then - DEFAULT_VERSION="$SWAN_VERSION"; -else - DEFAULT_VERSION=`ipsec --versioncode` -fi -DEFAULT_VERSION=`echo $DEFAULT_VERSION | sed -e 's,\/,\\\/,'` - -while [ $# -gt 0 ]; do - case "$1" in - -r) ;; # Ignore for backward compat. - -f | --file) if [ $# -eq 1 ]; then echo "$USAGE"; exit 1; fi - shift ; IN_FILE="$1" - if [ "$IN_FILE" != "-" -a ! 
-r "$IN_FILE" ]; then - echo "$COMMAND: cannot read $IN_FILE" - exit 1 - fi - ;; - -b | --batch) BATCH=true ;; - --barf) BARF=true ;; - -c | --cc) if [ $# -eq 1 ]; then echo "$USAGE"; exit 1; fi - shift ; CC="$1" - ;; - -d | --database) if [ $# -eq 1 ]; then echo "$USAGE"; exit 1; fi - shift; GNATSDB="$1"; export GNATSDB - ;; - -s | --severity) if [ $# -eq 1 ]; then echo "$USAGE"; exit 1; fi - shift ; DEFAULT_SEVERITY="$1" - ;; - -p | -P | --print) PRINT=true ;; - --request-id) REQUEST_ID=true ;; - -h | --help) echo "$USAGE"; exit 0 ;; - -V | --version) echo "$VERSION"; exit 0 ;; - -*) echo "$USAGE" ; exit 1 ;; - *) echo "$USAGE" ; exit 1 ;; - esac - shift -done - -if [ "x$SUBMITTER" = "x" ] -then - SUBMITTER="unknown" -fi - -if [ "x$SUBMITTER" = "xunknown" -a -z "$REQUEST_ID" -a -z "$IN_FILE" ]; then - cat << '__EOF__' -It seems that send-pr is not installed with your unique submitter-id. -You need to run - - install-sid YOUR-SID - -where YOUR-SID is the identification code you received with `send-pr'. -`send-pr' will automatically insert this value into the template field -`>Submitter-Id'. If you've downloaded `send-pr' from the Net, use `net' -for this value. If you do not know your id, run `send-pr --request-id' to -get one from your support site. -__EOF__ - exit 1 -fi - -# So the template generation code finds it. -DEFAULT_SUBMITTERID=${SUBMITTER} - -# Catch some signals. ($xs kludge needed by Sun /bin/sh) -xs=0 -trap 'rm -f $REF $TEMP $FIXFIL; exit $xs' 0 -trap 'echo "$COMMAND: Aborting ..."; rm -f $REF $TEMP $FIXFIL; xs=1; exit' 1 3 13 15 - -if [ "x$PRINT" = "xtrue" ]; then - FROM="<FROM>" - REPLYTO="<REPLYTO>" - DEFAULT_ORIGINATOR="<DEFAULT_ORIGINATOR>" - DEFAULT_SUBMITTERID="<SUBMITTER>" -fi - -# If they told us to use a specific file, then do so. -if [ -n "$IN_FILE" ]; then - if [ "$IN_FILE" = "-" ]; then - # The PR is coming from the standard input. - cat > $TEMP - else - # Use the file they named. 
- cat $IN_FILE > $TEMP - fi -else - if [ -n "$TEMPLATE" -a -z "$PRINT_INTERN" ]; then - # If their TEMPLATE points to a bogus entry, then bail. - if [ ! -f "$TEMPLATE" -o ! -r "$TEMPLATE" -o ! -s "$TEMPLATE" ]; then - echo "$COMMAND: can't seem to read your template file (\`$TEMPLATE'), ignoring TEMPLATE" - sleep 1 - PRINT_INTERN=bad_prform - fi - fi - - if [ -n "$TEMPLATE" -a -z "$PRINT_INTERN" ]; then - sed "s/<FROM>/$FROM/;s/<REPLYTO>/$REPLYTO/;s/<DEFAULT_ORIGINATOR>/$DEFAULT_ORIGINATOR/;s/<SUBMITTER>/$DEFAULT_SUBMITTERID/;s|<DEFAULT_ENVIRONMENT>|$DEFAULT_ENVIRONMENT|;s/<DEFAULT_BARF>/$DEFAULT_BARF/;s/<DEFAULT_VERSION>/$DEFAULT_VERSION/;" < $TEMPLATE > $TEMP || - ( echo "$COMMAND: could not copy $TEMPLATE" ; xs=1; exit ) - else - # Which genius thought of iterating through this loop twice, when the - # cp command would suffice? - for file in $TEMP ; do - cat > $file << '__EOF__' -SEND-PR: -*- send-pr -*- -SEND-PR: Lines starting with `SEND-PR' will be removed automatically, as -SEND-PR: will all comments (text enclosed in `<' and `>'). -SEND-PR: -SEND-PR: Please consult the send-pr man page `send-pr(1)' or the Texinfo -SEND-PR: manual if you are not sure how to fill out a problem report. -SEND-PR: Note that the Synopsis field is mandatory. The Subject (for -SEND-PR: the mail) will be made the same as Synopsis unless explicitly -SEND-PR: changed. -SEND-PR: -SEND-PR: Choose from the following categories: -SEND-PR: -__EOF__ - - # Format the categories so they fit onto lines. 
- CATEGORIES=`${BINDIR}/query-pr --valid-values Category`; - l=`echo "$CATEGORIES" | \ - awk 'BEGIN {max = 0; } { if (length($0) > max) { max = length($0); } } - END {print max + 1;}'` - c=`expr 61 / $l` - if [ $c -eq 0 ]; then c=1; fi - echo "$CATEGORIES" | \ - awk 'BEGIN {printf "SEND-PR: "; i = 0 } - { printf ("%-'$l'.'$l's", $0); - if ((++i % '$c') == 0) { printf "\nSEND-PR: " } } - END { printf "\nSEND-PR:\n"; }' >> $file - - cat >> $file << __EOF__ -To: $MAILADDR -Subject: -From: $FROM -Reply-To: $REPLYTO -Cc: $CC -X-send-pr-version: $VERSION -X-GNATS-Notify: - - -__EOF__ - - # - # Iterate through the list of input fields. fieldname is the - # name of the field. fmtname is the formatted name of the field, - # with >, : and extra spaces to cause the field contents to be - # aligned. - # - ${BINDIR}/query-pr --list-input-fields | awk '{a[NR]=$1""; mnr = NR+1; len = length($1) + 2; if (mlen < len) mlen = len; } END { for (x = 1; x < mnr; x++) { b = ">"a[x]":"; printf ("%s %-"mlen"s&\n", a[x], b); } }' | while read fieldname fmtname - do - fmtname="`echo "$fmtname" | sed 's/[&]$//;'`" - upname="`echo $fieldname | sed 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/;s/-//g;'`" - # Grab the default value for this field. - eval 'default_val="$DEFAULT_'${upname}'"' - # What's stored in the field? 
- type=`${BINDIR}/query-pr --field-type $fieldname | sed 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'` - case $type in - enum) - if [ "$default_val" != "" ] - then - desc=$default_val; - else - if [ "$fieldname" != "Category" ] - then - values=`${BINDIR}/query-pr --valid-values $fieldname | tr '\n' ' ' | sed 's/ *$//g;s/ / | /g;s/^/[ /;s/$/ ]/;'` - valslen=`echo "$values" | wc -c` - else - values="choose from a category listed above" - valslen=1; - fi - if [ "$valslen" -gt 160 ] - then - desc="<`${BINDIR}/query-pr --field-description $fieldname` (one line)>"; - else - desc="<${values} (one line)>"; - fi - dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'` - echo "/^>${fieldname}:/ s/${dpat}//" >> $FIXFIL - fi - echo "${fmtname}${desc}" >> $file - ;; - multitext) - if [ "$default_val" != "" ] - then - desc=" $default_val"; - else - desc=" <`${BINDIR}/query-pr --field-description $fieldname` (multiple lines)>"; - dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'` - echo "s/^${dpat}//" >> $FIXFIL - fi - echo "${fmtname}" >> $file; - echo "$desc" >> $file; - ;; - *) - if [ "$default_val" != "" ] - then - desc="${default_val}" - else - desc="<`${BINDIR}/query-pr --field-description $fieldname` (one line)>" - dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'` - echo "/^>${fieldname}:/ s/${dpat}//" >> $FIXFIL - fi - echo "${fmtname}${desc}" >> $file - ;; - esac - done - done - fi - - if [ "$PRINT" = true -o "$PRINT_INTERN" = true ]; then - cat $TEMP - xs=0; exit - fi - - if $BARF - then - ipsec barf >>$TEMP - else - ipsec look >>$TEMP - fi - - cp $TEMP $REF - - chmod u+w $TEMP - if [ -z "$REQUEST_ID" ]; then - eval $EDIT $TEMP - else - ed -s $TEMP << '__EOF__' -/^Subject/s/^Subject:.*/Subject: request for a customer id/ -/^>Category/s/^>Category:.*/>Category: send-pr/ -w -q -__EOF__ - fi - - if cmp -s $REF $TEMP ; then - echo "$COMMAND: problem report not filled out, therefore not sent" - xs=1; exit - fi -fi - -# TEMP is the PR that we are 
editing. When we're done, REF will contain -# the final PR to be sent. - -while [ -z "$REQUEST_ID" ]; do - CNT=0 - - # - # Remove comments. - # - echo '/^SEND-PR:/d' >> $FIXFIL - sed -f $FIXFIL $TEMP > $REF - - # REF now has the actual PR that we want to send. - - # - # Check that synopsis is not empty. - # - if grep "^>Synopsis:[ ]*$" $REF > /dev/null - then - echo "$COMMAND: Synopsis must not be empty." - CNT=`expr $CNT + 1` - fi - - if [ "x$MAILPROG" = "x" ] - then - # Since we're not using mail, use pr-edit to check the PR. We can't - # do much checking otherwise, sorry. - $LIBEXECDIR/pr-edit --check-initial < $REF || CNT=`expr $CNT + 1` - fi - - [ $CNT -gt 0 -a -z "$BATCH" ] && - echo "Errors were found with the problem report." - - while true; do - if [ -z "$BATCH" ]; then - $ECHON1 "a)bort, e)dit or s)end? $ECHON2" - read input - else - if [ $CNT -eq 0 ]; then - input=s - else - input=a - fi - fi - case "$input" in - a*) - if [ -z "$BATCH" ]; then - echo "$COMMAND: the problem report remains in $BAD and is not sent." - mv $TEMP $BAD - else - echo "$COMMAND: the problem report is not sent." - fi - xs=1; exit - ;; - e*) - eval $EDIT $TEMP - continue 2 - ;; - s*) - break 2 - ;; - esac - done -done - -# -# Make sure the mail has got a Subject. If not, use the same as -# in Synopsis. -# - -if grep '^Subject:[ ]*$' $REF > /dev/null -then - SYNOPSIS=`grep '^>Synopsis:' $REF | sed -e 's/^>Synopsis:[ ]*//'` - ed -s $REF << __EOF__ -/^Subject:/s/:.*\$/: $SYNOPSIS/ -w -q -__EOF__ -fi - -while : -do - if [ "x$MAILPROG" != "x" ] - then - # Use mail to send the PR. - if $MAILPROG < $REF - then - echo "$COMMAND: problem report mailed" - xs=0; exit - else - echo "$MAILPROG failed!" - fi - else - if $LIBEXECDIR/pr-edit --submit < $REF; then - echo "$COMMAND: problem report filed" - xs=0; exit - else - echo "$COMMAND: the problem report is not sent." - fi - fi - while true - do - if [ -z "$BATCH" ]; then - $ECHON1 "a)bort or s)end? 
(file=$REF) $ECHON2" - read input - case "$input" in - a*) - break 2 ;; - s*) - break ;; - esac - else - break 2; - fi - done -done - -if [ -z "$BATCH" ]; then - echo "$COMMAND: the problem report remains in $BAD and is not sent." - mv $TEMP $BAD -else - echo "$COMMAND: the problem report is not sent, is in $REF." -fi - -xs=1; exit; - -# -# $Log: send-pr.in,v $ -# Revision 1.1 2004/03/15 20:35:31 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.10 2003/07/14 12:26:17 mcr -# use | as delimitor for $DEFAULT_ENVIRONMENT. -# switch | to \\| when in $DEFAULT_ENVIRONMENT. -# this is due to PR#236 where the "uname" output -# says GNU/Linux, screwing up sed. -# -# Revision 1.9 2003/02/03 21:51:06 mcr -# if MAILPROG fails, then offer to try again. -# -# Revision 1.8 2002/12/10 02:28:13 mcr -# adjusted template to use gnats-bugs@freeswan.org -# fix sed script to deal with version sanitizer. -# -# Revision 1.7 2002/12/10 02:17:34 mcr -# need to init variables first -# -# Revision 1.6 2002/12/10 02:16:23 mcr -# adjusted send-pr to look at LIBDIR, not LIBEXECDIR -# -# Revision 1.5 2002/09/30 16:04:05 mcr -# fix for sed bug in "send-pr" -# -# Revision 1.4 2002/04/24 07:36:10 mcr -# Moved from ./utils/send-pr.sh,v -# -# Revision 1.3 2001/11/27 15:02:55 mcr -# added rcsids. -# fixed submission address to be freeswan-bugs@freeswan.org -# use new ipsec --versioncode to get version info. -# -# diff --git a/programs/setup/.cvsignore b/programs/setup/.cvsignore deleted file mode 100644 index 146f275e0..000000000 --- a/programs/setup/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -setup diff --git a/programs/setup/Makefile b/programs/setup/Makefile deleted file mode 100644 index f12d452b2..000000000 --- a/programs/setup/Makefile +++ /dev/null 
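Review bot: the originator lookup (`$PASSWD | grep "^$LOGNAME:" ... > $TEMP` followed by `rm -f $TEMP`) unlinks the file that `mktemp $TMPDIR/pXXXXXX` created, and the later `cat > $TEMP` / `sed ... > $TEMP` / `cp $TEMP $REF` recreate it by name in a shared `$TMPDIR`, which forfeits the safe-creation guarantee mktemp was added for; the `MKTEMP=no` branch uses predictable `$TMPDIR/p$$` names outright, and `MKTEMP` is overridable from the sourced `$CONFIGFILE`. Deleting the script retires that, so no objection to the removal, but if it is ever restored the lookup should write to its own mktemp file. Two further loose ends visible here: `REMOVE_TEMP` is defined and never used, and both `trap` lists omit `$BAD`, so the mktemp-created `pbad` file leaked on every normal exit. Also check that `$LIBDIR/ipsec_pr.template` and `@IPSEC_DIR@/send-pr.conf`, which this script reads but which are not in this hunk, are removed in the same commit.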
@@ -1,22 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.3 2006/02/10 11:28:15 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=setup -EXTRA8MAN=setup.8 - -include ../Makefile.program diff --git a/programs/setup/setup.8 b/programs/setup/setup.8 deleted file mode 100644 index e2980ee74..000000000 --- a/programs/setup/setup.8 +++ /dev/null 
@@ -1,142 +0,0 @@ -.TH IPSEC_SETUP 8 "23 July 2001" -.\" RCSID $Id: setup.8,v 1.1 2004/03/15 20:35:31 as Exp $ -.SH NAME -ipsec setup \- control IPsec subsystem -.SH SYNOPSIS -.B ipsec -.B setup -[ -.B \-\-show -| -.B \-\-showonly -] -command -.SH DESCRIPTION -.I Setup -controls the FreeS/WAN IPsec subsystem, -including both the Klips kernel code and the Pluto key-negotiation daemon. -(It is a synonym for the ``rc'' script for the subsystem; -the system runs the equivalent of -.B "ipsec setup start" -at boot time, -and -.B "ipsec setup stop" -at shutdown time, more or less.) -.PP -The action taken depends on the specific -.IR command , -and on the contents of the -.B config -.B setup -section of the -IPsec configuration file (\c -.IR /etc/ipsec.conf , -see -.IR ipsec.conf (5)). -Current -.IR command s -are: -.TP 10 -.B start -start Klips and Pluto, -including setting up Klips to do crypto operations on the -interface(s) specified in the configuration file, -and (if the configuration file so specifies) -setting up manually-keyed connections and/or -asking Pluto to negotiate automatically-keyed connections -to other security gateways -.TP -.B stop -shut down Klips and Pluto, -including tearing down all existing crypto connections -.TP -.B restart -equivalent to -.B stop -followed by -.B start -.TP -.B status -report the status of the subsystem; -normally just reports -.B "IPsec running" -and -.BR "pluto pid \fInnn\fP" , -or -.BR "IPsec stopped" , -and exits with status 0, -but will go into more detail (and exit with status 1) -if something strange is found. -(An ``illicit'' Pluto is one that does not match the process ID in -Pluto's lock file; -an ``orphaned'' Pluto is one with no lock file.) -.PP -The -.B stop -operation tries to clean up properly even if assorted accidents -have occurred, -e.g. Pluto having died without removing its lock file. 
-If -.B stop -discovers that the subsystem is (supposedly) not running, -it will complain, -but will do its cleanup anyway before exiting with status 1. -.PP -Although a number of configuration-file parameters influence -.IR setup 's -operations, the key one is the -.B interfaces -parameter, which must be right or chaos will ensue. -.PP -The -.B \-\-show -and -.B \-\-showonly -options cause -.I setup -to display the shell commands that it would execute. -.B \-\-showonly -suppresses their execution. -Only -.BR start , -.BR stop , -and -.B restart -commands recognize these flags. -.SH FILES -.ta \w'/proc/sys/net/ipv4/ip_forward'u+2n -/etc/rc.d/init.d/ipsec the script itself -.br -/etc/init.d/ipsec alternate location for the script -.br -/etc/ipsec.conf IPsec configuration file -.br -/proc/sys/net/ipv4/ip_forward forwarding control -.br -/var/run/ipsec.info saved information -.br -/var/run/pluto.pid Pluto lock file -.br -/var/run/ipsec_setup.pid IPsec lock file -.SH SEE ALSO -ipsec.conf(5), ipsec(8), ipsec_manual(8), ipsec_auto(8), route(8) -.SH DIAGNOSTICS -All output from the commands -.B start -and -.B stop -goes both to standard -output and to -.IR syslogd (8), -via -.IR logger (1). -Selected additional information is logged only to -.IR syslogd (8). -.SH HISTORY -Written for the FreeS/WAN project -<http://www.freeswan.org> -by Henry Spencer. -.SH BUGS -Old versions of -.IR logger (1) -inject spurious extra newlines onto standard output. diff --git a/programs/setup/setup.in b/programs/setup/setup.in deleted file mode 100755 index 1e43d0d67..000000000 --- a/programs/setup/setup.in +++ /dev/null 
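Review bot: setup.8's FILES section names /var/run/ipsec.info as the script's saved-information file and /var/run/ipsec_setup.pid as its lock file; showdefaults.8 (deleted further down in this diff) is the reader of ipsec.info, so the two removals are consistent, but any other consumer of either file outside this diff would now find nothing writing them. The SEE ALSO list here (ipsec.conf(5), ipsec(8), ipsec_manual(8), ipsec_auto(8)) suggests those pages cross-reference ipsec_setup(8) in return; their back-references to `ipsec setup` and to the boot-time start/stop behaviour described in DESCRIPTION should be updated in the same change.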
@@ -1,162 +0,0 @@ -#!/bin/sh -# IPsec startup and shutdown script -# Copyright (C) 1998, 1999, 2001 Henry Spencer. -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: setup.in,v 1.1 2004/03/15 20:35:31 as Exp $ -# -# ipsec init.d script for starting and stopping -# the IPsec security subsystem (KLIPS and Pluto). -# -# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec) -# and is also accessible as "ipsec setup" (the preferred route for human -# invocation). -# -# The startup and shutdown times are a difficult compromise (in particular, -# it is almost impossible to reconcile them with the insanely early/late -# times of NFS filesystem startup/shutdown). Startup is after startup of -# syslog and pcmcia support; shutdown is just before shutdown of syslog. -# -# chkconfig: 2345 47 68 -# description: IPsec provides encrypted and authenticated communications; \ -# KLIPS is the kernel half of it, Pluto is the user-level management daemon. 
- -me='ipsec setup' # for messages - - -# where the private directory and the config files are -IPSEC_EXECDIR="${IPSEC_EXECDIR-@IPSEC_EXECDIR@}" -IPSEC_LIBDIR="${IPSEC_LIBDIR-@IPSEC_LIBDIR@}" -IPSEC_SBINDIR="${IPSEC_SBINDIR-@IPSEC_SBINDIR@}" -IPSEC_CONFS="${IPSEC_CONFS-@IPSEC_CONFS@}" - -if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command -then - # we must establish a suitable PATH ourselves - PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin - export PATH - - IPSEC_DIR="$IPSEC_LIBDIR" - export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR -fi - -# Check that the ipsec command is available. -found= -for dir in `echo $PATH | tr ':' ' '` -do - if test -f $dir/ipsec -a -x $dir/ipsec - then - found=yes - break # NOTE BREAK OUT - fi -done -if ! test "$found" -then - echo "cannot find ipsec command -- \`$1' aborted" | - logger -s -p daemon.error -t ipsec_setup - exit 1 -fi - -# accept a few flags - -export IPSEC_setupflags -IPSEC_setupflags="" - -config="" - -for dummy -do - case "$1" in - --showonly|--show) IPSEC_setupflags="$1" ;; - --config) config="--config $2" ; shift ;; - *) break ;; - esac - shift -done - - -# Pick up IPsec configuration (until we have done this, successfully, we -# do not know where errors should go, hence the explicit "daemon.error"s.) -# Note the "--export", which exports the variables created. 
-eval `ipsec _confread $config --optional --varprefix IPSEC --export --type config setup` -if test " $IPSEC_confreadstatus" != " " -then - echo "$IPSEC_confreadstatus -- \`$1' aborted" | - logger -s -p daemon.error -t ipsec_setup - exit 1 -fi - -IPSEC_confreadsection=${IPSEC_confreadsection:-setup} -export IPSEC_confreadsection - -IPSECsyslog=${IPSECsyslog-daemon.error} -export IPSECsyslog - -# misc setup -umask 022 - - -# do it -case "$1" in - start|--start|stop|--stop|_autostop|_autostart) - if test " `id -u`" != " 0" - then - echo "permission denied (must be superuser)" | - logger -s -p $IPSECsyslog -t ipsec_setup 2>&1 - exit 1 - fi - tmp=/var/run/ipsec_setup.st - ( - ipsec _realsetup $1 - echo "$?" >$tmp - ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1 - st=$? - if test -f $tmp - then - st=`cat $tmp` - rm -f $tmp - fi - exit $st - ;; - - restart|--restart|force-reload) - $0 $IPSEC_setupflags stop - $0 $IPSEC_setupflags start - ;; - - _autorestart) # for internal use only - $0 $IPSEC_setupflags _autostop - $0 $IPSEC_setupflags _autostart - ;; - - status|--status) - ipsec _realsetup $1 - exit - ;; - - --version) - echo "$me $IPSEC_VERSION" - exit 0 - ;; - - --help) - echo "Usage: $me {--start|--stop|--restart|--status}" - exit 0 - ;; - - *) - echo "Usage: $me {--start|--stop|--restart|--status}" >&2 - exit 2 -esac - -exit 0 diff --git a/programs/showdefaults/.cvsignore b/programs/showdefaults/.cvsignore deleted file mode 100644 index 609b55e81..000000000 --- a/programs/showdefaults/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -showdefaults diff --git a/programs/showdefaults/Makefile b/programs/showdefaults/Makefile deleted file mode 100644 index d2c8f9be8..000000000 --- a/programs/showdefaults/Makefile +++ /dev/null 
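Review bot: the superuser check (`id -u` != 0) only gates the `start|--start|stop|--stop|_autostop|_autostart` branch; `status` and `restart` bypass it (restart re-invokes `$0` for stop/start, so it is checked indirectly), which is fine for a read-only status and should be kept that way in any replacement. The script is the registered init.d entry (`chkconfig: 2345 47 68` in the header) and every real action is delegated to `ipsec _realsetup`, which is not part of this hunk: confirm `_realsetup` is removed too and that the replacement startup mechanism is wired in by the same commit, since this deletion otherwise leaves the system with no `ipsec setup start` at boot and no `stop` at shutdown. Minor: `st=$?` after the `| logger` pipeline captures logger's status, which is why the result is round-tripped through /var/run/ipsec_setup.st; that file is written as root and removed after reading, so nothing needs preserving.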
@@ -1,38 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=showdefaults - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:31 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.2 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/showdefaults/showdefaults.8 b/programs/showdefaults/showdefaults.8 deleted file mode 100644 index 4a8db9c49..000000000 --- a/programs/showdefaults/showdefaults.8 +++ /dev/null 
@@ -1,34 +0,0 @@ -.TH IPSEC_SHOWDEFAULTS 8 "23 Jan 2000" -.\" RCSID $Id: showdefaults.8,v 1.1 2004/03/15 20:35:31 as Exp $ -.SH NAME -ipsec showdefaults \- show %defaultroute defaults -.SH SYNOPSIS -.B ipsec -.B showdefaults -.SH DESCRIPTION -.I Showdefaults -outputs (on standard output) a terse description of the defaults -used by the -.B %defaultroute -facilities in -.IR ipsec_auto (8) -and -.IR ipsec_manual (8). -.PP -Beware that the exact output format is subject to change. -.SH DIAGNOSTICS -Normal exit status is 0. -If no defaults are available, -i.e. the -.B interfaces -parameter in -.B "config setup" -is not -.BR %defaultroute , -produces a message on standard error and exits with status 1. -.SH FILES -/var/run/ipsec.info -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org> -by Henry Spencer. diff --git a/programs/showdefaults/showdefaults.in b/programs/showdefaults/showdefaults.in deleted file mode 100755 index 67daf7fd8..000000000 --- a/programs/showdefaults/showdefaults.in +++ /dev/null 
@@ -1,33 +0,0 @@ -#! /bin/sh -# show defaults for %defaultroute -# Copyright (C) 2000 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: showdefaults.in,v 1.1 2004/03/15 20:35:31 as Exp $ - -info=/var/run/ipsec.info -me="ipsec showdefaults" - -case "$1" in ---help) echo "Usage: ipsec showdefaults" ; exit 0 ;; ---version) echo "$me $IPSEC_VERSION" ; exit 0 ;; -esac - -# Pick up the info. -if test -s $info -then - sed -n '/^defaultroute/s/default//p' $info - sed -n '/^#dr:/s/dr://p' $info -else - echo "$me: cannot find defaults file \`$info'" >&2 - exit 1 -fi diff --git a/programs/showhostkey/.cvsignore b/programs/showhostkey/.cvsignore deleted file mode 100644 index 8496cd633..000000000 --- a/programs/showhostkey/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -showhostkey diff --git a/programs/showhostkey/Makefile b/programs/showhostkey/Makefile deleted file mode 100644 index db819c906..000000000 --- a/programs/showhostkey/Makefile +++ /dev/null 
@@ -1,38 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=showhostkey - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:31 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.2 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/showhostkey/showhostkey.8 b/programs/showhostkey/showhostkey.8 deleted file mode 100644 index 2c0043fca..000000000 --- a/programs/showhostkey/showhostkey.8 +++ /dev/null 
@@ -1,168 +0,0 @@ -.TH IPSEC_SHOWHOSTKEY 8 "5 March 2002" -.\" RCSID $Id: showhostkey.8,v 1.1 2004/03/15 20:35:31 as Exp $ -.SH NAME -ipsec showhostkey \- show host's authentication key -.SH SYNOPSIS -.B ipsec -.B showhostkey -[ -.B \-\-key -] [ -.B \-\-left -] [ -.B \-\-right -] [ -.B \-\-txt -gateway -] [ -.B \-\-dhclient -] [ -.B \-\-file -secretfile -] [ -.B \-\-id -identity -] -.SH DESCRIPTION -.I Showhostkey -outputs (on standard output) a public key suitable for this host, -in the format specified, -using the host key information stored in -.IR /etc/ipsec.secrets . -In general only the super-user can run this command, -since only he can read -.IR ipsec.secrets . -.PP -The -.B \-\-txt -option causes the output to be in opportunistic-encryption DNS TXT record -format, -with the specified -.I gateway -value. -If information about how the key was generated is available, -that is provided as a DNS-file comment. -For example, -.B "\-\-txt 10.11.12.13" -might give (with the key data trimmed for clarity): -.PP -.nf - ; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000 - IN TXT "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/" -.fi -.PP -No name is supplied in the TXT record -because there are too many possibilities, -depending on how it will be used. -If the text string is longer than 255 bytes, -it is split up into multiple strings (matching the restrictions of -the DNS TXT binary format). -If any split is needed, the first split will be at the start of the key: -this increases the chances that later hand editing will work. -.PP -The -.B \-\-left -and -.B \-\-right -options cause the output to be in -.IR ipsec.conf (5) -format, as a -.B leftrsasigkey -or -.B rightrsasigkey -parameter respectively. -Again, generation information is included if available. 
-For example, -.B \-\-left -might give (with the key data trimmed down for clarity): -.PP -.nf - # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000 - leftrsasigkey=0sAQOF8tZ2...+buFuFn/ -.fi -.PP -The -.B \-\-dhclient -option cause the output to be suitable for inclusion in -.IR dhclient.conf (5) -as part of configuring WAVEsec. -See <http://www.wavesec.org>. -.PP -If -.B \-\-key -is specified, -the output format is the text form of a DNS KEY record; -the host name is the one included in the key information -(or, if that is not available, -the output of -.BR "hostname\ \-\-fqdn" ), -with a -.B \&. -appended. -Again, generation information is included if available. -For example (with the key data trimmed down for clarity): -.PP -.nf - ; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000 - xy.example.com. IN KEY 0x4200 4 1 AQOF8tZ2...+buFuFn/ -.fi -.PP -Normally, the default key for this host -(the one with no host identities specified for it) is the one extracted. -The -.B \-\-id -option overrides this, -causing extraction of the key labeled with the specified -.IR identity , -if any. -The specified -.I identity -must -.I exactly -match the identity in the file; -in particular, the comparison is case-sensitive. -.PP -The -.B \-\-file -option overrides the default for where the key information should be -found, and takes it from the specified -.IR secretfile . -.SH DIAGNOSTICS -A complaint about ``no pubkey line found'' indicates that the -host has a key but it was generated with an old version of FreeS/WAN -and does not contain the information that -.I showhostkey -needs. -.SH FILES -/etc/ipsec.secrets -.SH SEE ALSO -ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org> -by Henry Spencer. 
-.SH BUGS -Arguably, -rather than just reporting the no-IN-KEY-line-found problem, -.I showhostkey -should be smart enough to run the existing key through -.I rsasigkey -with the -.B \-\-oldkey -option, to generate a suitable output line. -.PP -The need to specify the gateway address (etc.) for -.B \-\-txt -is annoying, but there is no good way to determine it automatically. -.PP -There should be a way to specify the priority value for TXT records; -currently it is hardwired to -.BR 10 . -.PP -The -.B \-\-id -option assumes that the -.I identity -appears on the same line as the -.B ":\ RSA\ {" -that begins the key proper. diff --git a/programs/showhostkey/showhostkey.in b/programs/showhostkey/showhostkey.in deleted file mode 100755 index 7194363e8..000000000 --- a/programs/showhostkey/showhostkey.in +++ /dev/null 
@@ -1,180 +0,0 @@ -#! /bin/sh -# show key for this host, in DNS (or other) format -# Copyright (C) 2000, 2001 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: showhostkey.in,v 1.1 2004/03/15 20:35:31 as Exp $ - -me="ipsec showhostkey" -usage="Usage: $me [--file secrets] [--left] [--right] [--txt gateway] [--id id] - [--dhclient]" - -file=/etc/ipsec.secrets -fmt="" -gw= -id= -for dummy -do - case "$1" in - --key) fmt="dns" ;; - --file) file="$2" ; shift ;; - --left) fmt="left" ;; - --right) fmt="right" ;; - --dhclient) fmt="dhclient" ;; - --txt) fmt="txt" ; gw="$2" ; shift ;; - --wavesec) fmt="wavesec" ;; - --id) id="$2" ; shift ;; - --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; - --help) echo "$usage" ; exit 0 ;; - --) shift ; break ;; - -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done -if test " $fmt" = " " -then - echo "$me: must specify a format for the result" >&2 - exit 2 -fi -if test " $fmt" = " txt" -a " $gw" = " " -then - echo "$me: --txt gateway value cannot be empty" >&2 - exit 2 -fi - -if test ! -f $file -then - echo "$me: file \`$file' does not exist" >&2 - exit 1 -elif test ! 
-r $file -then - echo "$me: permission denied (cannot read \`$file')" >&2 - exit 1 -fi - -host="`hostname --fqdn`" - -awk ' BEGIN { - inkey = 0 - seenkey = 0 - nfound = 0 - err = "cat >&2" - me = "'"$me"'" - host = "'"$host"'" - file = "'"$file"'" - fmt = "'"$fmt"'" - gw = "'"$gw"'" - id = "'"$id"'" - comment = "" - s = "[ \t]+" - os = "[ \t]*" - x = "[^ \t]+" - oc = "(#.*)?" - suffix = ":" os "[rR][sS][aA]" os "{" os oc "$" - if (id == "") { - pat = "^" suffix - printid = "default" - } else { - pat = "^(" x s ")*" id "(" s x ")*" os suffix - printid = quote(id) - } - paydirt = "^[ \t]+#pubkey=0s" - status = 0 - } - $0 ~ pat { - inkey = 1 - seenkey = 1 - } - /^[ \t]+}$/ { - inkey = 0 - } - inkey && $0 ~ /^[ \t]+# RSA [0-9]+ bits/ { - comment = $0 - if (fmt == "dns" || fmt == "txt" || fmt == "dhclient") - sub(/^[ \t]+#/, "#", comment) - host = $5 - } - inkey && $0 ~ /^[ \t]+#pubkey=0s/ { - - } - inkey && fmt == "dns" && $0 ~ paydirt { - out = $0 - sub(paydirt, (host ".\tIN\tKEY\t0x4200 4 1 "), out) - nfound++ - } - inkey && fmt == "dhclient" && $0 ~ paydirt { - # NOT YET ADJUSTED TO KEY RR elimination - boilerplate = "option oe-key code 159 = string;\n" \ - "option oe-gateway code 160 = ip-address;\n" \ - "send oe-key = " - out = $0 - sub(paydirt, "0x4200 4 1 ", out) - out = "option oe-key code 159 = string;\n" \ - "option oe-gateway code 160 = ip-address;\n" \ - "send oe-key = " quote(out) ";" - nfound++ - } - inkey && fmt == "txt" && $0 ~ paydirt { - if (gw !~ /^@/ && gw !~ /^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$/ ) - { - grump("gateway must be @FQDN or IPv4 address, not " quote(gw)) - exit(status) - } - out = $0 - gsub(/[ \t]+/, " ", out) - sub(paydirt, "", out) - out = " " out - str = "X-IPsec-Server(10)=" gw - if (length(str) < 255 && length(str) + length(out) > 255) { - str = " " quote(str) - } else { - out = str out - str = "" - } - while (length(out) > 255) { - str = str " " quote(substr(out, 1, 255)) - out = substr(out, 256) - } - if 
(length(out) > 0) - str = str " " quote(out) - out = "\tIN\tTXT\t" substr(str, 2) - nfound++ - } - inkey && (fmt == "left" || fmt == "right") && $0 ~ /^[ \t]+#pubkey=/ { - out = $0 - sub(/^[ \t]+#pubkey=/, ("\t" fmt "rsasigkey="), out) - nfound++ - } - function quote(s) { - return "\"" s "\"" - } - function grump(s) { - print me ": " s |err - status = 1 - } - END { - if (status != 0) - exit(status) - if (!seenkey) - grump("no " printid " key in " quote(file)) - else if (nfound == 0) { - grump("no pubkey line found -- key information old?") - } else if (nfound > 1) - grump("multiple " printid " keys found!?!") - else { - if (comment != "") - print comment - print out - } - exit(status) - }' $file diff --git a/programs/showpolicy/.cvsignore b/programs/showpolicy/.cvsignore deleted file mode 100644 index e4fad4e23..000000000 --- a/programs/showpolicy/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -showpolicy diff --git a/programs/showpolicy/Makefile b/programs/showpolicy/Makefile deleted file mode 100644 index b3ea5a0a8..000000000 --- a/programs/showpolicy/Makefile +++ /dev/null 
@@ -1,38 +0,0 @@ -# Makefile for the KLIPS interface utilities -# Copyright (C) 2003 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=showpolicy -EXTRA5PROC=${PROGRAM}.8 - -LIBS=${POLICYLIB} ${FREESWANLIB} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:31 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.2 2003/05/14 02:12:27 mcr -# addition of CGI-focused interface to policy lookup interface -# -# Revision 1.1 2003/05/11 00:45:08 mcr -# program to interogate ipsec policy of stdin. -# run this from inetd. -# -# diff --git a/programs/showpolicy/showpolicy.8 b/programs/showpolicy/showpolicy.8 deleted file mode 100644 index 4fbc2e40e..000000000 --- a/programs/showpolicy/showpolicy.8 +++ /dev/null 
@@ -1,41 +0,0 @@ -.TH IPSEC_SHOWPOLICY 8 "7 May 2003" -.\" -.\" RCSID $Id: showpolicy.8,v 1.1 2004/03/15 20:35:31 as Exp $ -.\" -.SH NAME -ipsec showpolicy \- dump policy of socket found as stdin -.SH SYNOPSIS -.PP -.B ipsec -.B showpolicy -.PP -.SH DESCRIPTION -.I showpolicy -calls the -.IR ipsec_policy_lookup (3) -function on the file description which is its stdin. -.PP -It then dumps the resulting query in a human readable form. -.PP -This is a test program. One might run it from inetd, via: -.TP -discard stream tcp nowait nobody /usr/local/libexec/ipsec/showpolicy showpolicy -.SH FILES -/var/run/ipsecpolicy.ctl -.SH "SEE ALSO" -ipsec(8), ipsec_policy_query(3), ipsec_pluto(8) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Michael Richardson -.SH BUGS -.\" -.\" $Log: showpolicy.8,v $ -.\" Revision 1.1 2004/03/15 20:35:31 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.1 2003/05/11 00:45:08 mcr -.\" program to interogate ipsec policy of stdin. -.\" run this from inetd. -.\" -.\" diff --git a/programs/showpolicy/showpolicy.c b/programs/showpolicy/showpolicy.c deleted file mode 100644 index 114cc3936..000000000 --- a/programs/showpolicy/showpolicy.c +++ /dev/null 
@@ -1,251 +0,0 @@ -/* - * A program to dump the IPsec status of the socket found on stdin. - * Run me from inetd, for instance. - * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org> - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -char showpolicy_version[] = "RCSID $Id: showpolicy.c,v 1.1 2004/03/15 20:35:31 as Exp $"; - -#include <stdio.h> -#include <unistd.h> -#include <stdlib.h> -#include <sys/socket.h> -#include <getopt.h> -#include "freeswan.h" -#include "freeswan/ipsec_policy.h" - -char *program_name; - -static void -help(void) -{ - fprintf(stderr, - "Usage:\n\n" - "showpolicy" - " [--cgi] lookup the particulars from CGI variables.\n" - " [--socket] lookup the particulars from the socket on stdin.\n" - " [--textual] dump output in human friendly form\n" - " [--plaintext X] string to dump if no security\n" - " [--vpntext X] string to dump if VPN configured tunnel\n" - " [--privacytext X] string to dump if just plain DNS OE\n" - " [--dnssectext X] string to dump if just DNSSEC OE\n" - "\n\n" - "FreeS/WAN %s\n", - ipsec_version_code()); -} - -static const struct option long_opts[] = { - /* name, has_arg, flag, val */ - { "help", no_argument, NULL, 'h' }, - { "version", no_argument, NULL, 'V' }, - { "socket", no_argument, NULL, 'i' }, - { "cgi", no_argument, NULL, 'g' }, - { "textual", no_argument, NULL, 't' }, - { "plaintext", required_argument, NULL, 'c' }, - { "vpntext", required_argument, NULL, 'v' }, - { "privacytext", required_argument, NULL, 
'p' }, - { "dnssectext", required_argument, NULL, 's' }, - { 0,0,0,0 } -}; - -void dump_policyreply(struct ipsec_policy_cmd_query *q) -{ - char src[ADDRTOT_BUF], dst[ADDRTOT_BUF]; - - /* now print it! */ - addrtot(&q->query_local, 0, src, sizeof(src)); - addrtot(&q->query_remote, 0, dst, sizeof(dst)); - - printf("Results of query on %s -> %s with seq %d\n", - src, dst, q->head.ipm_msg_seq); - - printf("Received reply of %d bytes.\n", q->head.ipm_msg_len); - - printf("Strength: %d\n", q->strength); - printf("Bandwidth: %d\n", q->bandwidth); - printf("authdetail: %d\n", q->auth_detail); - printf("esp_detail: %d\n", q->esp_detail); - printf("comp_detail: %d\n",q->comp_detail); - - printf("credentials: %d\n", q->credential_count); - if(q->credential_count > 0) { - int c; - - for(c=0; c<q->credential_count; c++) { - switch(q->credentials[c].ii_format) { - case CERT_DNS_SIGNED_KEY: - printf("\tDNSSEC identity: %s (SIG %s)\n", - q->credentials[c].ii_credential.ipsec_dns_signed.fqdn, - q->credentials[c].ii_credential.ipsec_dns_signed.dns_sig); - break; - - case CERT_RAW_RSA: - printf("\tlocal identity: %s\n", - q->credentials[c].ii_credential.ipsec_raw_key.id_name); - - case CERT_NONE: - printf("\tDNS identity: %s\n", - q->credentials[c].ii_credential.ipsec_dns_signed.fqdn); - break; - - default: - printf("\tUnknown identity type %d", q->credentials[c].ii_format); - break; - } - } - } -} - - -int main(int argc, char *argv[]) -{ - struct ipsec_policy_cmd_query q; - err_t ret; - int c; - - /* set the defaults */ - char lookup_style = 'i'; - char output_style = 's'; - - char *plaintext = "clear"; - char *vpntext = "vpn"; - char *privacytext = "private"; - char *dnssectext = "secure"; - - while((c = getopt_long(argc, argv, "hVighc:v:p:s:", long_opts, 0))!=EOF) { - switch (c) { - default: - case 'h': /* --help */ - help(); - return 0; /* GNU coding standards say to stop here */ - - case 'V': /* --version */ - fprintf(stderr, "FreeS/WAN %s\n", ipsec_version_code()); - return 0; 
/* GNU coding standards say to stop here */ - - case 'i': - if(isatty(0)) { - printf("please run this connected to a socket\n"); - exit(1); - } - - lookup_style = 'i'; - break; - - case 'g': - lookup_style = 'g'; - break; - - case 't': - output_style = 't'; - break; - - case 'c': - plaintext = optarg; - break; - - case 'v': - vpntext = optarg; - break; - - case 'p': - privacytext = optarg; - break; - - case 's': - dnssectext = optarg; - break; - } - } - - if((ret = ipsec_policy_init()) != NULL) { - perror(ret); - exit(2); - } - - switch(lookup_style) { - case 'i': - if((ret = ipsec_policy_lookup(0, &q)) != NULL) { - perror(ret); - exit(3); - } - break; - - case 'g': - if((ret = ipsec_policy_cgilookup(&q)) != NULL) { - perror(ret); - exit(3); - } - break; - - default: - abort(); - break; - } - - - if(output_style == 't') { - dump_policyreply(&q); - } else { - /* start by seeing if there was any crypto */ - if(q.strength < IPSEC_PRIVACY_PRIVATE) { - /* no, so say clear */ - puts(plaintext); - exit(0); - } - - /* we now it is crypto, but authentic is it? */ - if(q.credential_count == 0) { - puts(vpntext); - exit(0); - } - - switch(q.credentials[0].ii_format) { - case CERT_DNS_SIGNED_KEY: - puts(dnssectext); - exit(0); - - case CERT_RAW_RSA: - puts(vpntext); - exit(0); - - default: - puts(privacytext); - exit(0); - } - } - - exit(0); -} - -/* - * $Log: showpolicy.c,v $ - * Revision 1.1 2004/03/15 20:35:31 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.4 2003/05/14 15:46:44 mcr - * switch statement was missing break statements and was running on. - * - * Revision 1.3 2003/05/14 02:12:27 mcr - * addition of CGI-focused interface to policy lookup interface - * - * Revision 1.2 2003/05/13 03:25:34 mcr - * print credentials, if any were provided. - * - * Revision 1.1 2003/05/11 00:45:08 mcr - * program to interogate ipsec policy of stdin. - * run this from inetd. - * - * - * - */ 
diff --git a/programs/spi/.cvsignore b/programs/spi/.cvsignore deleted file mode 100644 index c928c4b77..000000000 --- a/programs/spi/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -spi diff --git a/programs/spi/Makefile b/programs/spi/Makefile deleted file mode 100644 index 10a1eaa9c..000000000 --- a/programs/spi/Makefile +++ /dev/null 
@@ -1,69 +0,0 @@ -# Makefile for the KLIPS interface utilities -# Copyright (C) 1998, 1999 Henry Spencer. -# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.2 2004/03/22 21:53:21 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=spi -EXTRA5PROC=${PROGRAM}.5 - -LIBS=${FREESWANLIB} - -OBJS=constants.o alg_info.o kernel_alg.o - -include ../Makefile.program - -constants.o : ../pluto/constants.c ../pluto/constants.h - $(CC) $(CFLAGS) -c -o $@ $< - -alg_info.o : ../pluto/alg_info.c ../pluto/alg_info.h - $(CC) $(CFLAGS) -DNO_PLUTO -c -o $@ $< - -kernel_alg.o : ../pluto/kernel_alg.c ../pluto/kernel_alg.h - $(CC) $(CFLAGS) -DNO_PLUTO -c -o $@ $< - -# -# $Log: Makefile,v $ -# Revision 1.2 2004/03/22 21:53:21 as -# merged alg-0.8.1 branch with HEAD -# -# Revision 1.1.4.1 2004/03/16 09:48:22 as -# alg-0.8.1rc12 patch merged -# -# Revision 1.1 2004/03/15 20:35:31 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.4 2002/06/03 20:25:31 mcr -# man page for files actually existant in /proc/net changed back to -# ipsec_foo via new EXTRA5PROC process. -# -# Revision 1.3 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) 
-# -# Revision 1.2 2002/04/26 01:21:26 mcr -# while tracking down a missing (not installed) /etc/ipsec.conf, -# MCR has decided that it is not okay for each program subdir to have -# some subset (determined with -f) of possible files. -# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -# Optional PROGRAM.5 files have been added to the makefiles. -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# diff --git a/programs/spi/spi.5 b/programs/spi/spi.5 deleted file mode 100644 index a8faebee4..000000000 --- a/programs/spi/spi.5 +++ /dev/null 
@@ -1,213 +0,0 @@ -.TH IPSEC_SPI 5 "26 Jun 2000" -.\" -.\" RCSID $Id: spi.5,v 1.1 2004/03/15 20:35:31 as Exp $ -.\" -.SH NAME -ipsec_spi \- list IPSEC Security Associations -.SH SYNOPSIS -.B ipsec -.B spi -.PP -.B cat -.B /proc/net/ipsec_spi -.PP -.SH DESCRIPTION -.I /proc/net/ipsec_spi -is a read-only file that lists the current IPSEC Security Associations. -A Security Association (SA) is a transform through which packet contents -are to be processed before being forwarded. A transform can be an -IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation, an IPSEC Authentication Header (authentication -with no encryption), or an IPSEC Encapsulation Security Payload -(encryption, possibly including authentication). -.PP -When a packet is passed from a higher networking layer through an IPSEC -virtual interface, a search in the extended routing table (see -.IR ipsec_eroute (5)) -yields -a IP protocol number -, -a Security Parameters Index (SPI) -and -an effective destination address -. -When an IPSEC packet arrives from the network, -its ostensible destination, an SPI and an IP protocol -specified by its outermost IPSEC header are used. -The destination/SPI/protocol combination is used to select a relevant SA. -(See -.IR ipsec_spigrp (5) -for discussion of how multiple transforms are combined.) -.PP -An -.I spi , -.I proto, -.I daddr -and -.IR address_family -arguments specify an SAID. -.I Proto -is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol. -.I Spi -is a number, preceded by '.' indicating hexadecimal and IPv4 or by ':' indicating hexadecimal and IPv6, -where each hexadecimal digit represents 4 bits, -between -.B 0x100 -and -.BR 0xffffffff ; -values from -.B 0x0 -to -.B 0xff -are reserved. -.I Daddr -is a dotted-decimal IPv4 destination address or a coloned hex IPv6 destination address. 
-.PP -An -.I SAID -combines the three parameters above, such as: "tun.101@1.2.3.4" for IPv4 or "tun:101@3049:1::1" for IPv6 -.PP -A table entry consists of: -.IP + 3 -.BR SAID -.IP + -<transform name (proto,encalg,authalg)>: -.IP + -direction (dir=) -.IP + -source address (src=) -.IP + -source and destination addresses and masks for inner header policy check -addresses (policy=), as dotted-quads or coloned hex, separated by '->', -for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only -.IP + -initialisation vector length and value (iv_bits=, iv=) if non-zero -.IP + -out-of-order window size, number of out-of-order errors, sequence -number, recently received packet bitmask, maximum difference between -sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=) if SA -is AH or ESP and if individual items are non-zero -.IP + -extra flags (flags=) if any are set -.IP + -authenticator length in bits (alen=) if non-zero -.IP + -authentication key length in bits (aklen=) if non-zero -.IP + -authentication errors (auth_errs=) if non-zero -.IP + -encryption key length in bits (eklen=) if non-zero -.IP + -encryption size errors (encr_size_errs=) if non-zero -.IP + -encryption padding error warnings (encr_pad_errs=) if non-zero -.IP + -lifetimes legend, c=Current status, s=Soft limit when exceeded will -initiate rekeying, h=Hard limit will cause termination of SA (life(c,s,h)=) -.IP + 6 -number of connections to which the SA is allocated (c), that will cause a -rekey (s), that will cause an expiry (h) (alloc=), if any value is non-zero -.IP + -number of bytes processesd by this SA (c), that will cause a rekey (s), that -will cause an expiry (h) (bytes=), if any value is non-zero -.IP + -time since the SA was added (c), until rekey (s), until expiry (h), in seconds (add=) -.IP + -time since the SA was first used (c), until rekey (s), until expiry (h), in seconds (used=), -if any value is non-zero -.IP + -number of packets processesd by this SA (c), that will cause a rekey (s), that 
-will cause an expiry (h) (packets=), if any value is non-zero -.IP + 3 -time since the last packet was processed, in seconds (idle=), if SA has -been used -.IP -average compression ratio (ratio=) -.SH EXAMPLES -.B "tun.12a@192.168.43.1 IPIP: dir=out src=192.168.43.2" -.br -.B " life(c,s,h)=bytes(14073,0,0)add(269,0,0)" -.br -.B " use(149,0,0)packets(14,0,0)" -.br -.B " idle=23 -.LP -is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between machines -192.168.43.2 and 192.168.43.1 with an SPI of 12a in hexadecimal that has -passed about 14 kilobytes of traffic in 14 packets since it was created, -269 seconds ago, first used 149 seconds ago and has been idle for 23 -seconds. -.LP -.B "esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5:" -.br -.B " dir=in src=9a35fc02@3049:1::2" -.br -.B " ooowin=32 seq=7149 bit=0xffffffff" -.br -.B " alen=128 aklen=128 eklen=192" -.br -.B " life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)" -.br -.B " use(3858,0,0)packets(7149,0,0)" -.br -.B " idle=23" -.LP -is an inbound Encapsulating Security Payload (protocol 50) SA on machine -3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryption -cipher, HMAC MD5 as the authentication algorithm, an out-of-order -window of 32 packets, a present sequence number of 7149, every one of -the last 32 sequence numbers was received, the authenticator length and -keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES -since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in -7149 packets, was added 4593 seconds ago, first used -3858 seconds ago and has been idle for 23 seconds. -.LP -.SH FILES -/proc/net/ipsec_spi, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5), -ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_spi(8), ipsec_version(5), -ipsec_pf_key(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. 
-.SH BUGS -The add and use times are awkward, displayed in seconds since machine -start. It would be better to display them in seconds before now for -human readability. -.\" -.\" $Log: spi.5,v $ -.\" Revision 1.1 2004/03/15 20:35:31 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.9 2002/04/24 07:35:39 mcr -.\" Moved from ./klips/utils/spi.5,v -.\" -.\" Revision 1.8 2001/08/01 23:22:44 rgb -.\" Fix inconsistancies between manpage and output. -.\" -.\" Revision 1.7 2000/11/30 16:47:28 rgb -.\" Added src= to /proc/net/ipsec_spi manpage. -.\" -.\" Revision 1.6 2000/09/17 18:56:48 rgb -.\" Added IPCOMP support. -.\" -.\" Revision 1.5 2000/09/13 15:54:32 rgb -.\" Added Gerhard's ipv6 updates. -.\" -.\" Revision 1.4 2000/07/05 17:24:03 rgb -.\" Updated for relative, rather than absolute values for addtime and -.\" usetime. -.\" -.\" Revision 1.3 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.2 2000/06/28 12:44:12 henry -.\" format touchup -.\" -.\" Revision 1.1 2000/06/28 05:43:00 rgb -.\" Added manpages for all 5 klips utils. -.\" -.\" diff --git a/programs/spi/spi.8 b/programs/spi/spi.8 deleted file mode 100644 index fe6537c07..000000000 --- a/programs/spi/spi.8 +++ /dev/null 
@@ -1,525 +0,0 @@ -.TH IPSEC_SPI 8 "23 Oct 2001" -.\" -.\" RCSID $Id: spi.8,v 1.1 2004/03/15 20:35:31 as Exp $ -.\" -.SH NAME -ipsec spi \- manage IPSEC Security Associations -.SH SYNOPSIS -.br -Note: In the following, -.br -.B <SA> -means: -.B \-\-af -(inet | inet6) -.B \-\-edst -daddr -.B \-\-spi -spi -.B \-\-proto -proto OR -.B \-\-said -said, -.br -.B <life> -means: -.B \-\-life -(soft | hard)\-(allocations | bytes | addtime | usetime | packets)=value[,...] -.PP -.B ipsec -.B spi -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-src -src -.B \-\-ah -.BR hmac-md5-96 | hmac-sha1-96 -[ -.B \-\-replay_window -replayw ] -[ -.B <life> -] -.B \-\-authkey -akey -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-src -src -.B \-\-esp -.BR 3des -[ -.B \-\-replay_window -replayw ] -[ -.B <life> -] -.B \-\-enckey -ekey -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-src -src -.B \-\-esp -.BR 3des-md5-96 | 3des-sha1-96 -[ -.B \-\-replay_window -replayw ] -[ -.B <life> -] -.B \-\-enckey -ekey -.B \-\-authkey -akey -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-src -src -.B \-\-comp -.BR deflate -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-ip4 -.B \-\-src -encap-src -.B \-\-dst -encap-dst -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-ip6 -.B \-\-src -encap-src -.B \-\-dst -encap-dst -.PP -.B ipsec -.B spi -.B <SA> -.B \-\-del -.PP -.B ipsec -.B spi -.B \-\-help -.PP -.B ipsec -.B spi -.B \-\-version -.PP -.B ipsec -.B spi -.B \-\-clear -.PP -.SH DESCRIPTION -.I Spi -creates and deletes IPSEC Security Associations. -A Security Association (SA) is a transform through which packet -contents are to be processed before being forwarded. -A transform can be an IPv4-in-IPv4 or an IPv6-in-IPv6 encapsulation, -an IPSEC Authentication Header (authentication with no encryption), -or an IPSEC Encapsulation Security Payload (encryption, possibly -including authentication). 
-.PP -When a packet is passed from a higher networking layer -through an IPSEC virtual interface, -a search in the extended routing table (see -.IR ipsec_eroute (8)) -yields an effective destination address, a -Security Parameters Index (SPI) and a IP protocol number. -When an IPSEC packet arrives from the network, -its ostensible destination, an SPI and an IP protocol -specified by its outermost IPSEC header are used. -The destination/SPI/protocol combination is used to select a relevant SA. -(See -.IR ipsec_spigrp (8) -for discussion of how multiple transforms are combined.) -.PP -The -.IR af , -.IR daddr , -.I spi -and -.I proto -arguments specify the SA to be created or deleted. -.I af -is the address family (inet for IPv4, inet6 for IPv6). -.I Daddr -is a destination address -in dotted-decimal notation for IPv4 -or in a coloned hex notation for IPv6. -.I Spi -is a number, preceded by '0x' for hexadecimal, -between -.B 0x100 -and -.BR 0xffffffff ; -values from -.B 0x0 -to -.B 0xff -are reserved. -.I Proto -is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol. -The protocol must agree with the algorithm selected. -.PP -Alternatively, the -.I said -argument can also specify an SA to be created or deleted. -.I Said -combines the three parameters above, such as: "tun.101@1.2.3.4" or "tun:101@1:2::3:4", -where the address family is specified by "." for IPv4 and ":" for IPv6. The address -family indicators substitute the "0x" for hexadecimal. -.PP -The source address, -.IR src , -must also be provided for the inbound policy check to -function. The source address does not need to be included if inbound -policy checking has been disabled. -.PP -Keys vectors must be entered as hexadecimal or base64 numbers. -They should be cryptographically strong random numbers. -.PP -All hexadecimal numbers are entered as strings of hexadecimal digits -(0-9 and a-f), without spaces, preceded by '0x', where each hexadecimal -digit represents 4 bits. 
-All base64 numbers are entered as strings of base64 digits - (0-9, A-Z, a-z, '+' and '/'), without spaces, preceded by '0s', -where each hexadecimal digit represents 6 bits and '=' is used for padding. -.PP -The deletion of an SA which has been grouped will result in the entire chain -being deleted. -.PP -The form with no additional arguments lists the contents of -/proc/net/ipsec_spi. The format of /proc/net/ipsec_spi is discussed in -ipsec_spi(5). -.PP -The lifetime severity of -.B soft -sets a limit when the key management daemons are asked to rekey the SA. -The lifetime severity of -.B hard -sets a limit when the SA must expire. -The lifetime type -.B allocations -tells the system when to expire the SA because it is being shared by too many -eroutes (not currently used). The lifetime type of -.B bytes -tells the system to expire the SA after a certain number of bytes have been -processed with that SA. The lifetime type of -.B addtime -tells the system to expire the SA a certain number of seconds after the SA was -installed. The lifetime type of -.B usetime -tells the system to expire the SA a certain number of seconds after that SA has -processed its first packet. The lifetime type of -.B packets -tells the system to expire the SA after a certain number of packets have been -processed with that SA. 
-.SH OPTIONS -.TP 10 -.B \-\-af -specifies the address family (inet for IPv4, inet6 for IPv6) -.TP -.B \-\-edst -specifies the effective destination -.I daddr -of the Security Association -.TP -.B \-\-spi -specifies the Security Parameters Index -.I spi -of the Security Association -.TP -.B \-\-proto -specifies the IP protocol -.I proto -of the Security Association -.TP -.B \-\-said -specifies the Security Association in monolithic format -.TP -.B \-\-ah -add an SA for an IPSEC Authentication Header, -specified by the following transform identifier -(\c -.BR hmac-md5-96 -or -.BR hmac-sha1-96 ) -(RFC2402, obsoletes RFC1826) -.TP -.B hmac-md5-96 -transform following the HMAC and MD5 standards, -using a 128-bit -.I key -to produce a 96-bit authenticator (RFC2403) -.TP -.B hmac-sha1-96 -transform following the HMAC and SHA1 standards, -using a 160-bit -.I key -to produce a 96-bit authenticator (RFC2404) -.TP -.B \-\-esp -add an SA for an IPSEC Encapsulation Security Payload, -specified by the following -transform identifier (\c -.BR 3des , -or -.BR 3des-md5-96 ) -(RFC2406, obsoletes RFC1827) -.TP -.B 3des -encryption transform following the Triple-DES standard in -Cipher-Block-Chaining mode using a 64-bit -.I iv -(internally generated) and a 192-bit 3DES -.I ekey -(RFC2451) -.TP -.B 3des-md5-96 -encryption transform following the Triple-DES standard in -Cipher-Block-Chaining mode with authentication provided by -HMAC and MD5 -(96-bit authenticator), -using a 64-bit -.IR iv -(internally generated), a 192-bit 3DES -.I ekey -and a 128-bit HMAC-MD5 -.I akey -(RFC2451, RFC2403) -.TP -.B 3des-sha1-96 -encryption transform following the Triple-DES standard in -Cipher-Block-Chaining mode with authentication provided by -HMAC and SHA1 -(96-bit authenticator), -using a 64-bit -.IR iv -(internally generated), a 192-bit 3DES -.I ekey -and a 160-bit HMAC-SHA1 -.I akey -(RFC2451, RFC2404) -.TP -.BR \-\-replay_window " replayw" -sets the replay window size; valid values are decimal, 
1 to 64 -.TP -.BR \-\-life " life_param[,life_param]" -sets the lifetime expiry; the format of -.B life_param -consists of a comma-separated list of lifetime specifications without spaces; -a lifetime specification is comprised of a severity of -.BR soft " or " hard -followed by a '-', followed by a lifetime type of -.BR allocations ", " bytes ", " addtime ", " usetime " or " packets -followed by an '=' and finally by a value -.TP -.B \-\-comp -add an SA for IPSEC IP Compression, -specified by the following -transform identifier (\c -.BR deflate ) -(RFC2393) -.TP -.B deflate -compression transform following the patent-free Deflate compression algorithm -(RFC2394) -.TP -.B \-\-ip4 -add an SA for an IPv4-in-IPv4 -tunnel from -.I encap-src -to -.I encap-dst -.TP -.B \-\-ip6 -add an SA for an IPv6-in-IPv6 -tunnel from -.I encap-src -to -.I encap-dst -.TP -.B \-\-src -specify the source end of an IP-in-IP tunnel from -.I encap-src -to -.I encap-dst -and also specifies the source address of the Security Association to be -used in inbound policy checking and must be the same address -family as -.I af -and -.I edst -.TP -.B \-\-dst -specify the destination end of an IP-in-IP tunnel from -.I encap-src -to -.I encap-dst -.TP -.B \-\-del -delete the specified SA -.TP -.BR \-\-clear -clears the table of -.BR SA s -.TP -.BR \-\-help -display synopsis -.TP -.BR \-\-version -display version information -.SH EXAMPLES -To keep line lengths down and reduce clutter, -some of the long keys in these examples have been abbreviated -by replacing part of their text with -.RI `` ... ''. -Keys used when the programs are actually run must, -of course, be the full length required for the particular algorithm. -.LP -.B "ipsec spi \-\-af inet \-\-edst gw2 \-\-spi 0x125 \-\-proto esp \e" -.br -.B " \-\-src gw1 \e" -.br -.B " \-\-esp 3des\-md5\-96 \e" -.br -.BI "\ \ \ \-\-enckey\ 0x6630" "..." "97ce\ \e" -.br -.BI " \-\-authkey 0x9941" "..." 
"71df" -.LP -sets up an SA from -.BR gw1 -to -.BR gw2 -with an SPI of -.BR 0x125 -and protocol -.BR ESP -(50) using -.BR 3DES -encryption with integral -.BR MD5-96 -authentication transform, using an encryption key of -.BI 0x6630 ... 97ce -and an authentication key of -.BI 0x9941 ... 71df -(see note above about abbreviated keys). -.LP -.B "ipsec spi \-\-af inet6 \-\-edst 3049:9::9000:3100 \-\-spi 0x150 \-\-proto ah \e" -.br -.B " \-\-src 3049:9::9000:3101 \e" -.br -.B " \-\-ah hmac\-md5\-96 \e" -.br -.BI "\ \ \ \-\-authkey\ 0x1234" "..." "2eda\ \e" -.LP -sets up an SA from -.BR 3049:9::9000:3101 -to -.BR 3049:9::9000:3100 -with an SPI of -.BR 0x150 -and protocol -.BR AH -(50) using -.BR MD5-96 -authentication transform, using an authentication key of -.BI 0x1234 ... 2eda -(see note above about abbreviated keys). -.LP -.B "ipsec spi \-\-said tun.987@192.168.100.100 \-\-del " -.LP -deletes an SA to -.BR 192.168.100.100 -with an SPI of -.BR 0x987 -and protocol -.BR IPv4-in-IPv4 -(4). -.LP -.B "ipsec spi \-\-said tun:500@3049:9::1000:1 \-\-del " -.LP -deletes an SA to -.BR 3049:9::1000:1 -with an SPI of -.BR 0x500 -and protocol -.BR IPv6-in-IPv6 -(4). -.LP -.SH FILES -/proc/net/ipsec_spi, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8), -ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_spi(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. -.SH BUGS -The syntax is messy and the transform naming needs work. -.\" -.\" $Log: spi.8,v $ -.\" Revision 1.1 2004/03/15 20:35:31 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.32 2002/04/24 07:35:40 mcr -.\" Moved from ./klips/utils/spi.8,v -.\" -.\" Revision 1.31 2001/11/06 20:18:47 rgb -.\" Added lifetime parameters. -.\" -.\" Revision 1.30 2001/10/24 03:23:32 rgb -.\" Added lifetime option and parameters. -.\" -.\" Revision 1.29 2001/05/30 08:14:04 rgb -.\" Removed vestiges of esp-null transforms. 
-.\" -.\" Revision 1.28 2000/11/29 19:15:20 rgb -.\" Add --src requirement for inbound policy routing. -.\" -.\" Revision 1.27 2000/09/17 18:56:48 rgb -.\" Added IPCOMP support. -.\" -.\" Revision 1.26 2000/09/13 15:54:32 rgb -.\" Added Gerhard's ipv6 updates. -.\" -.\" Revision 1.25 2000/09/12 22:36:45 rgb -.\" Gerhard's IPv6 support. -.\" -.\" Revision 1.24 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.23 2000/06/21 16:54:57 rgb -.\" Added 'no additional args' text for listing contents of -.\" /proc/net/ipsec_* files. -.\" -.\" Revision 1.22 1999/08/11 08:35:16 rgb -.\" Update, deleting references to obsolete and insecure algorithms. -.\" -.\" Revision 1.21 1999/07/19 18:53:55 henry -.\" improve font usage in key abbreviations -.\" -.\" Revision 1.20 1999/07/19 18:50:09 henry -.\" fix slightly-misformed comments -.\" abbreviate long keys to avoid long-line complaints -.\" -.\" Revision 1.19 1999/04/06 04:54:38 rgb -.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes -.\" patch shell fixes. -.\" diff --git a/programs/spi/spi.c b/programs/spi/spi.c deleted file mode 100644 index 369d556c7..000000000 --- a/programs/spi/spi.c +++ /dev/null 
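Review bot: the same dangling-reference check applies to spi.8: its SEE ALSO names ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8), ipsec_spigrp(8), ipsec_klipsdebug(8) and ipsec_spi(5), and its DESCRIPTION sends readers to ipsec_eroute(8) and ipsec_spigrp(8) for the eroute lookup and SA grouping, so any surviving page that refers to ipsec_spi(8) needs its link removed in the same change. Should any of this text be carried elsewhere rather than dropped, several documentation errors are visible in the hunk and should not travel with it: the AH example says "protocol AH (50)" although AH is IP protocol 51 and 50 is ESP, as the ESP example above it correctly states; the IPv6-in-IPv6 deletion example says "(4)", which is the IPv4-in-IPv4 number repeated from the preceding example, whereas IPv6-in-IPv6 is protocol 41; the base64 paragraph says "each hexadecimal digit represents 6 bits" where it means base64 digit; and the --esp option text lists only "3des, or 3des-md5-96" although 3des-sha1-96 is documented immediately below it and appears in the SYNOPSIS.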
@@ -1,1689 +0,0 @@ -/* - * All-in-one program to set Security Association parameters - * Copyright (C) 1996 John Ioannidis. - * Copyright (C) 1997, 1998, 1999, 2000, 2001, 2002 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -char spi_c_version[] = "RCSID $Id: spi.c,v 1.7 2004/10/14 20:03:26 as Exp $"; - -#include <asm/types.h> -#include <sys/types.h> -#include <sys/ioctl.h> -/* #include <linux/netdevice.h> */ -#include <net/if.h> -/* #include <linux/types.h> */ /* new */ -#include <sys/stat.h> -#include <fcntl.h> -#include <string.h> -#include <errno.h> - -/* #include <sys/socket.h> */ - -#include <netinet/in.h> -#include <arpa/inet.h> -/* #include <linux/ip.h> */ -#include <netdb.h> - -#include <unistd.h> -#include <getopt.h> -#include <ctype.h> -#include <stdio.h> -#include <stdlib.h> -#include <freeswan.h> -#if 0 -#include <linux/autoconf.h> /* CONFIG_IPSEC_PFKEYv2 */ -#endif - #include <signal.h> - #include <sys/socket.h> - #include <pfkeyv2.h> - #include <pfkey.h> - -#include "freeswan/radij.h" -#include "freeswan/ipsec_encap.h" -#include "freeswan/ipsec_xform.h" -#include "freeswan/ipsec_ipe4.h" -#include "freeswan/ipsec_ah.h" -#include "freeswan/ipsec_esp.h" -#include "freeswan/ipsec_sa.h" /* IPSEC_SAREF_NULL */ - -/* - * Manual conn support for ipsec_alg (modular algos). - * Rather ugly to include from pluto dir but avoids - * code duplication. 
- */ -#ifndef NO_KERNEL_ALG -#include "../pluto/alg_info.h" -#include "../pluto/constants.h" -struct connection; -#include "../pluto/kernel_alg.h" -#endif /* NO_KERNEL_ALG */ - -char *program_name; -int debug = 0; -int saref = 0; -char *command; -extern char *optarg; -extern int optind, opterr, optopt; -char scratch[2]; -char *iv = NULL, *enckey = NULL, *authkey = NULL; -size_t ivlen = 0, enckeylen = 0, authkeylen = 0; -ip_address edst, dst, src; -int address_family = 0; -unsigned char proto = 0; -int alg = 0; - -#ifndef NO_KERNEL_ALG -/* - * Manual connection support for modular algos (ipsec_alg) --Juanjo. - */ -#define XF_OTHER_ALG (XF_CLR-1) /* define magic XF_ symbol for alg_info's */ -#include <assert.h> -const char *alg_string = NULL; /* algorithm string */ -struct alg_info_esp *alg_info = NULL; /* algorithm info got from string */ -struct esp_info *esp_info = NULL; /* esp info from 1st (only) element */ -const char *alg_err; /* auxiliar for parsing errors */ -int proc_read_ok = 0; /* /proc/net/pf_key_support read ok */ -#endif /* NO_KERNEL_ALG */ - -int replay_window = 0; -char sa[SATOT_BUF]; - -extern unsigned int pfkey_lib_debug; /* used by libfreeswan/pfkey_v2_build */ -int pfkey_sock; -fd_set pfkey_socks; -uint32_t pfkey_seq = 0; -enum life_severity { - life_soft = 0, - life_hard = 1, - life_maxsever = 2 -}; -enum life_type { - life_alloc = 0, - life_bytes = 1, - life_addtime = 2, - life_usetime = 3, - life_packets = 4, - life_maxtype = 5 -}; - -#define streql(_a,_b) (!strcmp((_a),(_b))) - -static const char *usage_string = "\ -Usage:\n\ - in the following, <SA> is: --af <inet | inet6> --edst <dstaddr> --spi <spi> --proto <proto>\n\ - OR: --said <proto><.|:><spi>@<dstaddr>\n\ - <life> is: --life <soft|hard>-<allocations|bytes|addtime|usetime|packets>=<value>[,...]\n\ -spi --clear\n\ -spi --help\n\ -spi --version\n\ -spi\n\ -spi --del <SA>\n\ -spi --ip4 <SA> --src <encap-src> --dst <encap-dst>\n\ -spi --ip6 <SA> --src <encap-src> --dst <encap-dst>\n\ -spi 
--ah <algo> <SA> [<life> ][ --replay_window <replay_window> ] --authkey <key>\n\ - where <algo> is one of: hmac-md5-96 | hmac-sha1-96\n\ -spi --esp <algo> <SA> [<life> ][ --replay_window <replay-window> ] --enckey <ekey> --authkey <akey>\n\ - where <algo> is one of: 3des-md5-96 | 3des-sha1-96\n\ -spi --esp <algo> <SA> [<life> ][ --replay_window <replay-window> ] --enckey <ekey>\n\ - where <algo> is: 3des\n\ -spi --comp <algo> <SA>\n\ - where <algo> is: deflate\n\ -[ --debug ] is optional to any spi command.\n\ -[ --label <label> ] is optional to any spi command.\n\ -[ --listenreply ] is optional, and causes the command to stick\n\ - around and listen to what the PF_KEY socket says.\n\ -"; - - -static void -usage(char *s, FILE *f) -{ - /* s argument is actually ignored, at present */ - fprintf(f, "%s:%s", s, usage_string); - exit(-1); -} - -int -parse_life_options(uint32_t life[life_maxsever][life_maxtype], - char *life_opt[life_maxsever][life_maxtype], - char *optarg) -{ - char *optargp = optarg; - char *endptr; - - do { - int life_severity, life_type; - char *optargt = optargp; - - if(strncmp(optargp, "soft", sizeof("soft")-1) == 0) { - life_severity = life_soft; - optargp += sizeof("soft")-1; - } else if(strncmp(optargp, "hard", sizeof("hard")-1) == 0) { - life_severity = life_hard; - optargp += sizeof("hard")-1; - } else { - fprintf(stderr, - "%s: missing lifetime severity in %s, optargt=0p%p, optargp=0p%p, sizeof(\"soft\")=%d\n", - program_name, - optargt, - optargt, - optargp, - (int)sizeof("soft")); - usage(program_name, stderr); - return(1); - } - if(debug) { - fprintf(stdout, - "%s: debug: life_severity=%d, optargt=0p%p=\"%s\", optargp=0p%p=\"%s\", sizeof(\"soft\")=%d\n", - program_name, - life_severity, - optargt, - optargt, - optargp, - optargp, - (int)sizeof("soft")); - } - if(*(optargp++) != '-') { - fprintf(stderr, - "%s: expected '-' after severity of lifetime parameter to --life option.\n", - program_name); - usage(program_name, stderr); - return(1); 
- } - if(debug) { - fprintf(stdout, - "%s: debug: optargt=0p%p=\"%s\", optargp=0p%p=\"%s\", strlen(optargt)=%d, strlen(optargp)=%d, strncmp(optargp, \"addtime\", sizeof(\"addtime\")-1)=%d\n", - program_name, - optargt, - optargt, - optargp, - optargp, - (int)strlen(optargt), - (int)strlen(optargp), - strncmp(optargp, "addtime", sizeof("addtime")-1)); - } - if(strncmp(optargp, "allocations", sizeof("allocations")-1) == 0) { - life_type = life_alloc; - optargp += sizeof("allocations")-1; - } else if(strncmp(optargp, "bytes", sizeof("bytes")-1) == 0) { - life_type = life_bytes; - optargp += sizeof("bytes")-1; - } else if(strncmp(optargp, "addtime", sizeof("addtime")-1) == 0) { - life_type = life_addtime; - optargp += sizeof("addtime")-1; - } else if(strncmp(optargp, "usetime", sizeof("usetime")-1) == 0) { - life_type = life_usetime; - optargp += sizeof("usetime")-1; - } else if(strncmp(optargp, "packets", sizeof("packets")-1) == 0) { - life_type = life_packets; - optargp += sizeof("packets")-1; - } else { - fprintf(stderr, - "%s: missing lifetime type after '-' in %s\n", - program_name, - optargt); - usage(program_name, stderr); - return(1); - } - if(debug) { - fprintf(stdout, - "%s: debug: life_type=%d\n", - program_name, - life_type); - } - if(life_opt[life_severity][life_type] != NULL) { - fprintf(stderr, - "%s: Error, lifetime parameter redefined:%s, already defined as:0p%p\n", - program_name, - optargt, - life_opt[life_severity][life_type]); - return(1); - } - if(*(optargp++) != '=') { - fprintf(stderr, - "%s: expected '=' after type of lifetime parameter to --life option.\n", - program_name); - usage(program_name, stderr); - return(1); - } - if(debug) { - fprintf(stdout, - "%s: debug: optargt=0p%p, optargt+strlen(optargt)=0p%p, optargp=0p%p, strlen(optargp)=%d\n", - program_name, - optargt, - optargt+strlen(optargt), - optargp, - (int)strlen(optargp)); - } - if(strlen(optargp) == 0) { - fprintf(stderr, - "%s: expected value after '=' in --life option. 
optargt=0p%p, optargt+strlen(optargt)=0p%p, optargp=0p%p\n", - program_name, - optargt, - optargt+strlen(optargt), - optargp); - usage(program_name, stderr); - return(1); - } - life[life_severity][life_type] = strtoul(optargp, &endptr, 0); - - if(!((endptr == optargp + strlen(optargp)) || (endptr == optargp + strcspn(optargp, ", ")))) { - fprintf(stderr, - "%s: Invalid character='%c' at offset %d in lifetime option parameter: '%s', parameter string is %d characters long, %d valid value characters found.\n", - program_name, - *endptr, - (int)(endptr - optarg), - optarg, - (int)strlen(optarg), - (int)(strcspn(optargp, ", ") - 1)); - return(1); - } - life_opt[life_severity][life_type] = optargt; - if(debug) { - fprintf(stdout, "%s lifetime %s set to %d.\n", - program_name, optargt, life[life_severity][life_type]); - } - optargp=endptr+1; - } while(*endptr==',' || isspace(*endptr)); - - return(0); -} - -int -pfkey_register(uint8_t satype) { - /* for registering SA types that can be negotiated */ - int error; - ssize_t wlen; - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - struct sadb_msg *pfkey_msg; - - pfkey_extensions_init(extensions); - error = pfkey_msg_hdr_build(&extensions[0], - SADB_REGISTER, - satype, - 0, - ++pfkey_seq, - getpid()); - if(error != 0) { - fprintf(stderr, "%s: Trouble building message header, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - return(1); - } - - error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN); - if(error != 0) { - fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - return(1); - } - wlen = write(pfkey_sock, pfkey_msg, - pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN); - if(wlen != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) { - /* cleanup code here */ - if(wlen < 0) - fprintf(stderr, "%s: Trouble writing to channel PF_KEY: %s\n", - program_name, - strerror(errno)); - else 
- fprintf(stderr, "%s: write to channel PF_KEY truncated.\n", - program_name); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - return(1); - } - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - - return(0); -} - -static struct option const longopts[] = -{ - {"ah", 1, 0, 'H'}, - {"esp", 1, 0, 'P'}, - {"comp", 1, 0, 'Z'}, - {"ip4", 0, 0, '4'}, - {"ip6", 0, 0, '6'}, - {"del", 0, 0, 'd'}, - - {"authkey", 1, 0, 'A'}, - {"enckey", 1, 0, 'E'}, - {"edst", 1, 0, 'e'}, - {"spi", 1, 0, 's'}, - {"proto", 1, 0, 'p'}, - {"af", 1, 0, 'a'}, - {"replay_window", 1, 0, 'w'}, - {"iv", 1, 0, 'i'}, - {"dst", 1, 0, 'D'}, - {"src", 1, 0, 'S'}, - {"said", 1, 0, 'I'}, - - {"help", 0, 0, 'h'}, - {"version", 0, 0, 'v'}, - {"clear", 0, 0, 'c'}, - {"label", 1, 0, 'l'}, - {"debug", 0, 0, 'g'}, - {"optionsfrom", 1, 0, '+'}, - {"life", 1, 0, 'f'}, - {"saref", 0, 0, 'r'}, - {"listenreply", 0, 0, 'R'}, - {0, 0, 0, 0} -}; - -int -main(int argc, char *argv[]) -{ - char *endptr; - __u32 spi = 0; - int c, previous = -1; -/* int ret; */ - ip_said said; - size_t sa_len; - const char* error_s; - char ipaddr_txt[ADDRTOT_BUF]; - char ipsaid_txt[SATOT_BUF]; - - int error = 0; - ssize_t io_error; - int argcount = argc; - pid_t mypid; - int listenreply = 0; - - unsigned char authalg, encryptalg; - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - struct sadb_msg *pfkey_msg; - char *iv_opt, *akey_opt, *ekey_opt, *alg_opt, *edst_opt, *spi_opt, *proto_opt, *af_opt, *said_opt, *dst_opt, *src_opt; -#if 0 - ip_address pfkey_address_p_ska; - ip_address pfkey_ident_s_ska; - ip_address pfkey_ident_d_ska; -#endif - uint32_t life[life_maxsever][life_maxtype]; - char *life_opt[life_maxsever][life_maxtype]; - - program_name = argv[0]; - mypid = getpid(); - - memset(&said, 0, sizeof(said)); - iv_opt = akey_opt = ekey_opt = alg_opt = edst_opt = spi_opt = proto_opt = af_opt = said_opt = dst_opt = src_opt = NULL; - { - int i,j; - for(i = 0; i < life_maxsever; i++) { - for(j = 0; j < 
life_maxtype; j++) { - life_opt[i][j] = NULL; - life[i][j] = 0; - } - } - } - - while((c = getopt_long(argc, argv, ""/*"H:P:Z:46dcA:E:e:s:a:w:i:D:S:hvgl:+:f:"*/, longopts, 0)) != EOF) { - switch(c) { - case 'g': - debug = 1; - pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX; - argcount--; - break; - - case 'R': - listenreply = 1; - argcount--; - break; - - case 'r': - saref = 1; - argcount--; - break; - - case 'l': - program_name = malloc(strlen(argv[0]) - + 10 /* update this when changing the sprintf() */ - + strlen(optarg)); - sprintf(program_name, "%s --label %s", - argv[0], - optarg); - argcount -= 2; - break; - case 'H': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - if (!strcmp(optarg, "hmac-md5-96")) { - alg = XF_AHHMACMD5; - } else if(!strcmp(optarg, "hmac-sha1-96")) { - alg = XF_AHHMACSHA1; - } else { - fprintf(stderr, "%s: Unknown authentication algorithm '%s' follows '--ah' option.\n", - program_name, optarg); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case 'P': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - if (!strcmp(optarg, "3des-md5-96")) { - alg = XF_ESP3DESMD596; - } else if(!strcmp(optarg, "3des-sha1-96")) { - alg = XF_ESP3DESSHA196; - } else if(!strcmp(optarg, "3des")) { - alg = XF_ESP3DES; -#ifndef NO_KERNEL_ALG - } else if((alg_info=alg_info_esp_create_from_str(optarg, &alg_err))) { - int esp_ealg_id, esp_aalg_id; - alg = XF_OTHER_ALG; - if (alg_info->alg_info_cnt>1) { - fprintf(stderr, "%s: Invalid encryption algorithm '%s' " - "follows '--esp' option: lead too many(%d) " - "transforms\n", - program_name, optarg, alg_info->alg_info_cnt); - exit(1); - } - alg_string=optarg; - esp_info=&alg_info->esp[0]; - if (debug) 
{ - fprintf(stdout, "%s: alg_info: cnt=%d ealg[0]=%d aalg[0]=%d\n", - program_name, - alg_info->alg_info_cnt, - esp_info->encryptalg, - esp_info->authalg); - } - esp_ealg_id=esp_info->esp_ealg_id; - esp_aalg_id=esp_info->esp_aalg_id; - if (kernel_alg_proc_read()==0) { - proc_read_ok++; - if (!kernel_alg_esp_enc_ok(esp_ealg_id, 0, 0)) - { - fprintf(stderr, "%s: ESP encryptalg=%d (\"%s\") " - "not present\n", - program_name, - esp_ealg_id, - enum_name(&esp_transformid_names, esp_ealg_id)); - exit(1); - } - if (!kernel_alg_esp_auth_ok(esp_aalg_id, 0)) - { - fprintf(stderr, "%s: ESP authalg=%d (\"%s\")" - "not present\n", - program_name, - esp_aalg_id, - enum_name(&auth_alg_names, esp_aalg_id)); - exit(1); - } - } -#endif /* NO_KERNEL_ALG */ - } else { - fprintf(stderr, "%s: Invalid encryption algorithm '%s' follows '--esp' option.\n", - program_name, optarg); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case 'Z': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - if (!strcmp(optarg, "deflate")) { - alg = XF_COMPDEFLATE; - } else { - fprintf(stderr, "%s: Unknown compression algorithm '%s' follows '--comp' option.\n", - program_name, optarg); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case '4': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - alg = XF_IP4; - address_family = AF_INET; - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case '6': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - 
program_name); - exit(1); - } - alg = XF_IP6; - address_family = AF_INET6; - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case 'd': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - alg = XF_DEL; - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case 'c': - if(alg) { - fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n", - program_name); - exit(1); - } - alg = XF_CLR; - if(debug) { - fprintf(stdout, "%s: Algorithm %d selected.\n", - program_name, - alg); - } - alg_opt = optarg; - break; - case 'e': - if(said_opt) { - fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n", - program_name, optarg, said_opt); - exit (1); - } - if(edst_opt) { - fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined as:%s\n", - program_name, optarg, edst_opt); - exit (1); - } - error_s = ttoaddr(optarg, 0, address_family, &edst); - if(error_s != NULL) { - if(error_s) { - fprintf(stderr, "%s: Error, %s converting --edst argument:%s\n", - program_name, error_s, optarg); - exit (1); - } - } - edst_opt = optarg; - if(debug) { - addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: edst=%s.\n", - program_name, - ipaddr_txt); - } - break; - case 's': - if(said_opt) { - fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n", - program_name, optarg, said_opt); - exit (1); - } - if(spi_opt) { - fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined as:%s\n", - program_name, optarg, spi_opt); - exit (1); - } - spi = strtoul(optarg, &endptr, 0); - if(!(endptr == optarg + strlen(optarg))) { - fprintf(stderr, "%s: Invalid character in SPI parameter: %s\n", 
- program_name, optarg); - exit (1); - } - if(spi < 0x100) { - fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than 0x100.\n", - program_name, optarg, spi); - exit(1); - } - spi_opt = optarg; - break; - case 'p': - if(said_opt) { - fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n", - program_name, optarg, said_opt); - exit (1); - } - if(proto_opt) { - fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined as:%s\n", - program_name, optarg, proto_opt); - exit (1); - } - if(!strcmp(optarg, "ah")) - proto = SA_AH; - if(!strcmp(optarg, "esp")) - proto = SA_ESP; - if(!strcmp(optarg, "tun")) - proto = SA_IPIP; - if(!strcmp(optarg, "comp")) - proto = SA_COMP; - if(proto == 0) { - fprintf(stderr, "%s: Invalid PROTO parameter: %s\n", - program_name, optarg); - exit (1); - } - proto_opt = optarg; - break; - case 'a': - if(said_opt) { - fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined in SA:%s\n", - program_name, optarg, said_opt); - exit (1); - } - if(af_opt) { - fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined as:%s\n", - program_name, optarg, af_opt); - exit (1); - } - if(strcmp(optarg, "inet") == 0) { - address_family = AF_INET; - /* currently we ensure that all addresses belong to the same address family */ - anyaddr(address_family, &dst); - anyaddr(address_family, &edst); - anyaddr(address_family, &src); - } - if(strcmp(optarg, "inet6") == 0) { - address_family = AF_INET6; - /* currently we ensure that all addresses belong to the same address family */ - anyaddr(address_family, &dst); - anyaddr(address_family, &edst); - anyaddr(address_family, &src); - } - if((strcmp(optarg, "inet") != 0) && (strcmp(optarg, "inet6") != 0)) { - fprintf(stderr, "%s: Invalid ADDRESS FAMILY parameter: %s.\n", - program_name, optarg); - exit (1); - } - af_opt = optarg; - break; - case 'I': - if(said_opt) { - fprintf(stderr, "%s: Error, SAID parameter 
redefined:%s, already defined in SA:%s\n", - program_name, optarg, said_opt); - exit (1); - } - if(proto_opt) { - fprintf(stderr, "%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n", - program_name, optarg, proto_opt); - exit (1); - } - if(edst_opt) { - fprintf(stderr, "%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n", - program_name, optarg, edst_opt); - exit (1); - } - if(spi_opt) { - fprintf(stderr, "%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n", - program_name, optarg, spi_opt); - exit (1); - } - error_s = ttosa(optarg, 0, &said); - if(error_s != NULL) { - fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n", - program_name, error_s, optarg); - exit (1); - } - if(debug) { - satot(&said, 0, ipsaid_txt, sizeof(ipsaid_txt)); - fprintf(stdout, "%s: said=%s.\n", - program_name, - ipsaid_txt); - } - /* init the src and dst with the same address family */ - if(address_family == 0) { - address_family = addrtypeof(&said.dst); - } else if(address_family != addrtypeof(&said.dst)) { - fprintf(stderr, "%s: Error, specified address family (%d) is different that of SAID: %s\n", - program_name, address_family, optarg); - exit (1); - } - anyaddr(address_family, &dst); - anyaddr(address_family, &edst); - anyaddr(address_family, &src); - said_opt = optarg; - break; - case 'A': - if(optarg[0] == '0') { - switch(optarg[1]) { - case 't': - case 'x': - case 's': - break; - default: - fprintf(stderr, "%s: Authentication key must have a '0x', '0t' or '0s' prefix to select the format: %s\n", - program_name, optarg); - exit(1); - } - } - authkeylen = atodata(optarg, 0, NULL, 0); - if(!authkeylen) { - fprintf(stderr, "%s: unknown format or syntax error in authentication key: %s\n", - program_name, optarg); - exit (1); - } - authkey = malloc(authkeylen); - if(authkey == NULL) { - fprintf(stderr, "%s: Memory allocation error.\n", program_name); - exit(1); - } - memset(authkey, 0, authkeylen); - authkeylen = 
atodata(optarg, 0, authkey, authkeylen); - akey_opt = optarg; - break; - case 'E': - if(optarg[0] == '0') { - switch(optarg[1]) { - case 't': - case 'x': - case 's': - break; - default: - fprintf(stderr, "%s: Encryption key must have a '0x', '0t' or '0s' prefix to select the format: %s\n", - program_name, optarg); - exit(1); - } - } - enckeylen = atodata(optarg, 0, NULL, 0); - if(!enckeylen) { - fprintf(stderr, "%s: unknown format or syntax error in encryption key: %s\n", - program_name, optarg); - exit (1); - } - enckey = malloc(enckeylen); - if(enckey == NULL) { - fprintf(stderr, "%s: Memory allocation error.\n", program_name); - exit(1); - } - memset(enckey, 0, enckeylen); - enckeylen = atodata(optarg, 0, enckey, enckeylen); - ekey_opt = optarg; - break; - case 'w': - replay_window = strtoul(optarg, &endptr, 0); - if(!(endptr == optarg + strlen(optarg))) { - fprintf(stderr, "%s: Invalid character in replay_window parameter: %s\n", - program_name, optarg); - exit (1); - } - if((replay_window < 0x1) || (replay_window > 64)) { - fprintf(stderr, "%s: Failed -- Illegal window size: arg=%s, replay_window=%d, must be 1 <= size <= 64.\n", - program_name, optarg, replay_window); - exit(1); - } - break; - case 'i': - if(optarg[0] == '0') { - switch(optarg[1]) { - case 't': - case 'x': - case 's': - break; - default: - fprintf(stderr, "%s: IV must have a '0x', '0t' or '0s' prefix to select the format, found '%c'.\n", - program_name, optarg[1]); - exit(1); - } - } - ivlen = atodata(optarg, 0, NULL, 0); - if(!ivlen) { - fprintf(stderr, "%s: unknown format or syntax error in IV: %s\n", - program_name, optarg); - exit (1); - } - iv = malloc(ivlen); - if(iv == NULL) { - fprintf(stderr, "%s: Memory allocation error.\n", program_name); - exit(1); - } - memset(iv, 0, ivlen); - ivlen = atodata(optarg, 0, iv, ivlen); - iv_opt = optarg; - break; - case 'D': - if(dst_opt) { - fprintf(stderr, "%s: Error, DST parameter redefined:%s, already defined as:%s\n", - program_name, optarg, 
dst_opt); - exit (1); - } - error_s = ttoaddr(optarg, 0, address_family, &dst); - if(error_s != NULL) { - fprintf(stderr, "%s: Error, %s converting --dst argument:%s\n", - program_name, error_s, optarg); - exit (1); - } - dst_opt = optarg; - if(debug) { - addrtot(&dst, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: dst=%s.\n", - program_name, - ipaddr_txt); - } - break; - case 'S': - if(src_opt) { - fprintf(stderr, "%s: Error, SRC parameter redefined:%s, already defined as:%s\n", - program_name, optarg, src_opt); - exit (1); - } - error_s = ttoaddr(optarg, 0, address_family, &src); - if(error_s != NULL) { - fprintf(stderr, "%s: Error, %s converting --src argument:%s\n", - program_name, error_s, optarg); - exit (1); - } - src_opt = optarg; - if(debug) { - addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: src=%s.\n", - program_name, - ipaddr_txt); - } - break; - case 'h': - usage(program_name, stdout); - exit(0); - case '?': - usage(program_name, stderr); - exit(1); - case 'v': - fprintf(stdout, "%s, %s\n", program_name, spi_c_version); - exit(1); - case '+': /* optionsfrom */ - optionsfrom(optarg, &argc, &argv, optind, stderr); - /* no return on error */ - break; - case 'f': - if(parse_life_options(life, - life_opt, - optarg) != 0) { - exit(1); - }; - break; - default: - fprintf(stderr, "%s: unrecognized option '%c', update option processing.\n", - program_name, c); - exit(1); - } - previous = c; - } - if(debug) { - fprintf(stdout, "%s: All options processed.\n", - program_name); - } - - if(argcount == 1) { - system("cat /proc/net/ipsec_spi"); - exit(0); - } - - switch(alg) { -#ifndef NO_KERNEL_ALG - case XF_OTHER_ALG: - /* validate keysizes */ - if (proc_read_ok) { - const struct sadb_alg *alg_p; - size_t keylen, minbits, maxbits; - - alg_p=kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,SADB_EXT_SUPPORTED_ENCRYPT, - esp_info->encryptalg); - assert(alg_p); - keylen=enckeylen * 8; - - if (alg_p->sadb_alg_id==ESP_3DES || 
alg_p->sadb_alg_id==ESP_DES) { - maxbits=minbits=alg_p->sadb_alg_minbits * 8 /7; - } else { - minbits=alg_p->sadb_alg_minbits; - maxbits=alg_p->sadb_alg_maxbits; - } - /* - * if explicit keylen told in encrypt algo, eg "aes128" - * check actual keylen "equality" - */ - if (esp_info->esp_ealg_keylen && - esp_info->esp_ealg_keylen!=keylen) { - fprintf(stderr, "%s: invalid encryption keylen=%d, " - "required %d by encrypt algo string=\"%s\"\n", - program_name, - (int)keylen, - (int)esp_info->esp_ealg_keylen, - alg_string); - exit(1); - - } - /* thanks DES for this sh*t */ - - if (minbits > keylen || maxbits < keylen) { - fprintf(stderr, "%s: invalid encryption keylen=%d, " - "must be between %d and %d bits\n", - program_name, - (int)keylen, (int)minbits, (int)maxbits); - exit(1); - } - alg_p=kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,SADB_EXT_SUPPORTED_AUTH, - esp_info->authalg); - assert(alg_p); - keylen=authkeylen * 8; - minbits=alg_p->sadb_alg_minbits; - maxbits=alg_p->sadb_alg_maxbits; - if (minbits > keylen || maxbits < keylen) { - fprintf(stderr, "%s: invalid auth keylen=%d, " - "must be between %d and %d bits\n", - program_name, - (int)keylen, (int)minbits, (int)maxbits); - exit(1); - } - - } -#endif /* NO_KERNEL_ALG */ - case XF_IP4: - case XF_IP6: - case XF_DEL: - case XF_AHHMACMD5: - case XF_AHHMACSHA1: - case XF_ESP3DESMD596: - case XF_ESP3DESSHA196: - case XF_ESP3DES: - case XF_COMPDEFLATE: - if(!said_opt) { - if(isanyaddr(&edst)) { - fprintf(stderr, "%s: SA destination not specified.\n", - program_name); - exit(1); - } - if(!spi) { - fprintf(stderr, "%s: SA SPI not specified.\n", - program_name); - exit(1); - } - if(!proto) { - fprintf(stderr, "%s: SA PROTO not specified.\n", - program_name); - exit(1); - } - initsaid(&edst, htonl(spi), proto, &said); - } else { - proto = said.proto; - spi = ntohl(said.spi); - edst = said.dst; - } - if((address_family != 0) && (address_family != addrtypeof(&said.dst))) { - fprintf(stderr, "%s: Defined address family and 
address family of SA missmatch.\n", - program_name); - exit(1); - } - sa_len = satot(&said, 0, sa, sizeof(sa)); - - if(debug) { - fprintf(stdout, "%s: SA valid.\n", - program_name); - } - break; - case XF_CLR: - break; - default: - fprintf(stderr, "%s: No action chosen. See '%s --help' for usage.\n", - program_name, program_name); - exit(1); - } - - switch(alg) { - case XF_CLR: - case XF_DEL: - case XF_IP4: - case XF_IP6: - case XF_AHHMACMD5: - case XF_AHHMACSHA1: - case XF_ESP3DESMD596: - case XF_ESP3DESSHA196: - case XF_ESP3DES: - case XF_COMPDEFLATE: -#ifndef NO_KERNEL_ALG - case XF_OTHER_ALG: -#endif /* NO_KERNEL_ALG */ - break; - default: - fprintf(stderr, "%s: No action chosen. See '%s --help' for usage.\n", - program_name, program_name); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: Algorithm ok.\n", - program_name); - } - - if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) { - fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: ", - program_name); - switch(errno) { - case ENOENT: - fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n"); - break; - case EACCES: - fprintf(stderr, "access denied. "); - if(getuid() == 0) { - fprintf(stderr, "Check permissions. Should be 600.\n"); - } else { - fprintf(stderr, "You must be root to open this file.\n"); - } - break; - case EUNATCH: - fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n"); - break; - case ENODEV: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - break; - case EBUSY: - fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. 
Please report as much detail as possible to development team.\n"); - break; - case EINVAL: - fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n"); - break; - case ENOBUFS: - fprintf(stderr, "No kernel memory to allocate SA.\n"); - break; - case ESOCKTNOSUPPORT: - fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n"); - break; - case EEXIST: - fprintf(stderr, "SA already in use. Delete old one first.\n"); - break; - case ENXIO: - fprintf(stderr, "SA does not exist. Cannot delete.\n"); - break; - case EAFNOSUPPORT: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - break; - default: - fprintf(stderr, "Unknown file open error %d. Please report as much detail as possible to development team.\n", errno); - } - exit(1); - } - -#ifdef MANUAL_IS_NOT_ABLE_TO_NEGOTIATE - /* for registering SA types that can be negotiated */ - if(pfkey_register(SADB_SATYPE_AH) != 0) { - exit(1); - } - if(pfkey_register(SADB_SATYPE_ESP) != 0) { - exit(1); - } - if(pfkey_register(SADB_X_SATYPE_IPIP) != 0) { - exit(1); - } - if(pfkey_register(SADB_X_SATYPE_COMP) != 0) { - exit(1); - } -#endif /* MANUAL_IS_NOT_ABLE_TO_NEGOTIATE */ - - /* Build an SADB_ADD message to send down. */ - /* It needs <base, SA, address(SD), key(AE)> minimum. */ - /* Lifetime(HS) could be added before addresses. */ - pfkey_extensions_init(extensions); - if(debug) { - fprintf(stdout, "%s: extensions=0p%p &extensions=0p%p extensions[0]=0p%p &extensions[0]=0p%p cleared.\n", - program_name, - extensions, - &extensions, - extensions[0], - &extensions[0]); - } - if((error = pfkey_msg_hdr_build(&extensions[0], - (alg == XF_DEL ? SADB_DELETE : alg == XF_CLR ? 
SADB_FLUSH : SADB_ADD), - proto2satype(proto), - 0, - ++pfkey_seq, - mypid))) { - fprintf(stderr, "%s: Trouble building message header, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: extensions=0p%p &extensions=0p%p extensions[0]=0p%p &extensions[0]=0p%p set w/msghdr.\n", - program_name, - extensions, - &extensions, - extensions[0], - &extensions[0]); - } - if(debug) { - fprintf(stdout, "%s: base message assembled.\n", program_name); - } - - switch(alg) { - case XF_AHHMACMD5: - case XF_ESP3DESMD596: - authalg = SADB_AALG_MD5_HMAC; - break; - case XF_AHHMACSHA1: - case XF_ESP3DESSHA196: - authalg = SADB_AALG_SHA1_HMAC; - break; -#ifndef NO_KERNEL_ALG - case XF_OTHER_ALG: - authalg= esp_info->authalg; - if(debug) { - fprintf(stdout, "%s: debug: authalg=%d\n", - program_name, authalg); - } - break; -#endif /* NO_KERNEL_ALG */ - case XF_ESP3DESMD5: - default: - authalg = SADB_AALG_NONE; - } - switch(alg) { - case XF_ESP3DES: - case XF_ESP3DESMD596: - case XF_ESP3DESSHA196: - encryptalg = SADB_EALG_3DES_CBC; - break; - case XF_COMPDEFLATE: - encryptalg = SADB_X_CALG_DEFLATE; - break; -#ifndef NO_KERNEL_ALG - case XF_OTHER_ALG: - encryptalg= esp_info->encryptalg; - if(debug) { - fprintf(stdout, "%s: debug: encryptalg=%d\n", - program_name, encryptalg); - } - break; -#endif /* NO_KERNEL_ALG */ - default: - encryptalg = SADB_EALG_NONE; - } - if(!(alg == XF_CLR /* IE: pfkey_msg->sadb_msg_type == SADB_FLUSH */)) { - if((error = pfkey_sa_build(&extensions[SADB_EXT_SA], - SADB_EXT_SA, - htonl(spi), /* in network order */ - replay_window, - SADB_SASTATE_MATURE, - authalg, - encryptalg, - 0))) { - fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: extensions[0]=0p%p previously set with msg_hdr.\n", - program_name, - extensions[0]); - } - if(debug) { - fprintf(stdout, "%s: 
assembled SA extension, pfkey msg authalg=%d encalg=%d.\n", - program_name, - authalg, - encryptalg); - } - - if(debug) { - int i,j; - for(i = 0; i < life_maxsever; i++) { - for(j = 0; j < life_maxtype; j++) { - fprintf(stdout, "%s: i=%d, j=%d, life_opt[%d][%d]=0p%p, life[%d][%d]=%d\n", - program_name, - i, j, i, j, life_opt[i][j], i, j, life[i][j]); - } - } - } - if(life_opt[life_soft][life_alloc] != NULL || - life_opt[life_soft][life_bytes] != NULL || - life_opt[life_soft][life_addtime] != NULL || - life_opt[life_soft][life_usetime] != NULL || - life_opt[life_soft][life_packets] != NULL) { - if((error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_SOFT], - SADB_EXT_LIFETIME_SOFT, - life[life_soft][life_alloc],/*-1,*/ /*allocations*/ - life[life_soft][life_bytes],/*-1,*/ /*bytes*/ - life[life_soft][life_addtime],/*-1,*/ /*addtime*/ - life[life_soft][life_usetime],/*-1,*/ /*usetime*/ - life[life_soft][life_packets]/*-1*/))) { /*packets*/ - fprintf(stderr, "%s: Trouble building lifetime_s extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: lifetime_s extension assembled.\n", - program_name); - } - } - - if(life_opt[life_hard][life_alloc] != NULL || - life_opt[life_hard][life_bytes] != NULL || - life_opt[life_hard][life_addtime] != NULL || - life_opt[life_hard][life_usetime] != NULL || - life_opt[life_hard][life_packets] != NULL) { - if((error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_HARD], - SADB_EXT_LIFETIME_HARD, - life[life_hard][life_alloc],/*-1,*/ /*allocations*/ - life[life_hard][life_bytes],/*-1,*/ /*bytes*/ - life[life_hard][life_addtime],/*-1,*/ /*addtime*/ - life[life_hard][life_usetime],/*-1,*/ /*usetime*/ - life[life_hard][life_packets]/*-1*/))) { /*packets*/ - fprintf(stderr, "%s: Trouble building lifetime_h extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: 
lifetime_h extension assembled.\n", - program_name); - } - } - - if(debug) { - addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: assembling address_s extension (%s).\n", - program_name, ipaddr_txt); - } - - if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC], - SADB_EXT_ADDRESS_SRC, - 0, - 0, - sockaddrof(&src)))) { - addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n", - program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - ip_address temp_addr; - - switch(address_family) { - case AF_INET: - initaddr((const unsigned char *)&(((struct sockaddr_in*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_SRC])) + 1))->sin_addr), - sockaddrlenof(&src), address_family, &temp_addr); - break; - case AF_INET6: - initaddr((const unsigned char *)&(((struct sockaddr_in6*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_SRC])) + 1))->sin6_addr), - sockaddrlenof(&src), address_family, &temp_addr); - break; - default: - fprintf(stdout, "%s: unknown address family (%d).\n", - program_name, address_family); - exit(1); - } - addrtot(&temp_addr, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: address_s extension assembled (%s).\n", - program_name, ipaddr_txt); - } - - if(debug) { - addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: assembling address_d extension (%s).\n", - program_name, ipaddr_txt); - } - - if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST], - SADB_EXT_ADDRESS_DST, - 0, - 0, - sockaddrof(&edst)))) { - addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n", - program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - ip_address temp_addr; - switch(address_family) { - case AF_INET: - initaddr((const unsigned char *)&(((struct sockaddr_in*)( 
((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_DST])) + 1))->sin_addr), - 4, address_family, &temp_addr); - break; - case AF_INET6: - initaddr((const unsigned char *)&(((struct sockaddr_in6*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_DST])) + 1))->sin6_addr), - 16, address_family, &temp_addr); - break; - default: - fprintf(stdout, "%s: unknown address family (%d).\n", - program_name, address_family); - exit(1); - } - addrtot(&temp_addr, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "%s: address_d extension assembled (%s).\n", - program_name, ipaddr_txt); - } - -#if PFKEY_PROXY - anyaddr(address_family, &pfkey_address_p_ska); - if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_PROXY], - SADB_EXT_ADDRESS_PROXY, - 0, - 0, - sockaddrof(&pfkey_address_p_ska)))) { - fprintf(stderr, "%s: Trouble building address_p extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: address_p extension assembled.\n", program_name); - } -#endif /* PFKEY_PROXY */ - - switch(alg) { -#ifndef NO_KERNEL_ALG - /* Allow no auth ... 
after all is local root decision 8) */ - case XF_OTHER_ALG: - if (!authalg) - break; -#endif /* NO_KERNEL_ALG */ - case XF_AHHMACMD5: - case XF_ESP3DESMD596: - case XF_AHHMACSHA1: - case XF_ESP3DESSHA196: - if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH], - SADB_EXT_KEY_AUTH, - authkeylen * 8, - authkey))) { - fprintf(stderr, "%s: Trouble building key_a extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: key_a extension assembled.\n", - program_name); - } - break; - default: - break; - } - - switch(alg) { - case XF_ESP3DES: - case XF_ESP3DESMD596: - case XF_ESP3DESSHA196: -#ifndef NO_KERNEL_ALG - case XF_OTHER_ALG: -#endif /* NO_KERNEL_ALG */ - if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT], - SADB_EXT_KEY_ENCRYPT, - enckeylen * 8, - enckey))) { - fprintf(stderr, "%s: Trouble building key_e extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: key_e extension assembled.\n", - program_name); - } - break; - default: - break; - } - -#ifdef PFKEY_IDENT /* GG: looks wierd, not touched */ - if((pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_SRC], - SADB_EXT_IDENTITY_SRC, - SADB_IDENTTYPE_PREFIX, - 0, - strlen(pfkey_ident_s_ska), - pfkey_ident_s_ska))) { - fprintf(stderr, "%s: Trouble building ident_s extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(subnettoa(addr, mask, format, pfkey_ident_s_ska, - sizeof(pfkey_ident_s_ska) ) != - sizeof(pfkey_ident_s_ska) ) { - exit (1); - } - - if((error = pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_DST], - SADB_EXT_IDENTITY_DST, - SADB_IDENTTYPE_PREFIX, - 0, - strlen(pfkey_ident_d_ska), - pfkey_ident_d_ska))) { - fprintf(stderr, "%s: Trouble building ident_d extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - if(subnettoa(addr, 
mask, format, pfkey_ident_d_ska, - sizeof(pfkey_ident_d_ska) ) != - sizeof(pfkey_ident_d_ska) ) { - exit (1); - } - - if(debug) { - fprintf(stdout, "%s: ident extensions assembled.\n", - program_name); - } -#endif /* PFKEY_IDENT */ - } - - if(debug) { - fprintf(stdout, "%s: assembling pfkey msg....\n", - program_name); - } - if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) { - fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - exit(1); - } - if(debug) { - fprintf(stdout, "%s: assembled.\n", - program_name); - } - if(debug) { - fprintf(stdout, "%s: writing pfkey msg.\n", - program_name); - } - io_error = write(pfkey_sock, - pfkey_msg, - pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN); - if(io_error < 0) { - fprintf(stderr, "%s: pfkey write failed (errno=%d): ", - program_name, errno); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - switch(errno) { - case EACCES: - fprintf(stderr, "access denied. "); - if(getuid() == 0) { - fprintf(stderr, "Check permissions. Should be 600.\n"); - } else { - fprintf(stderr, "You must be root to open this file.\n"); - } - break; - case EUNATCH: - fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n"); - break; - case EBUSY: - fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n"); - break; - case EINVAL: - fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n"); - break; - case ENODEV: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - fprintf(stderr, "No device?!?\n"); - break; - case ENOBUFS: - fprintf(stderr, "No kernel memory to allocate SA.\n"); - break; - case ESOCKTNOSUPPORT: - fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n"); - break; - case EEXIST: - fprintf(stderr, "SA already in use. 
Delete old one first.\n"); - break; - case ENOENT: - fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n"); - break; - case ENXIO: - case ESRCH: - fprintf(stderr, "SA does not exist. Cannot delete.\n"); - break; - case ENOSPC: - fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n"); - break; - case ESPIPE: - fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n"); - break; - default: - fprintf(stderr, "Unknown socket write error %d (%s). Please report as much detail as possible to development team.\n", - errno, strerror(errno)); - } - exit(1); - } else if (io_error != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) { - fprintf(stderr, "%s: pfkey write truncated to %d bytes\n", - program_name, (int)io_error); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - exit(1); - } - - if(debug) { - fprintf(stdout, "%s: pfkey command written to socket.\n", - program_name); - } - - if(pfkey_msg) { - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - } - if(debug) { - fprintf(stdout, "%s: pfkey message buffer freed.\n", - program_name); - } - if(authkey) { - memset((caddr_t)authkey, 0, authkeylen); - free(authkey); - } - if(enckey) { - memset((caddr_t)enckey, 0, enckeylen); - free(enckey); - } - if(iv) { - memset((caddr_t)iv, 0, ivlen); - free(iv); - } - - if(listenreply || saref) { - ssize_t readlen; - unsigned char pfkey_buf[PFKEYv2_MAX_MSGSIZE]; - - while((readlen = read(pfkey_sock, pfkey_buf, sizeof(pfkey_buf))) > 0) { - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - pfkey_extensions_init(extensions); - pfkey_msg = (struct sadb_msg *)pfkey_buf; - - /* first, see if we got enough for an sadb_msg */ - if((size_t)readlen < sizeof(struct sadb_msg)) { - if(debug) { - printf("%s: runt packet of size: %ld (<%lu)\n", - program_name, (long)readlen, (unsigned long)sizeof(struct sadb_msg)); - } - continue; - } - - /* okay, we got enough for a message, print it out */ 
- if(debug) { - printf("%s: pfkey v%d msg received. type=%d(%s) seq=%d len=%d pid=%d errno=%d satype=%d(%s)\n", - program_name, - pfkey_msg->sadb_msg_version, - pfkey_msg->sadb_msg_type, - pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type), - pfkey_msg->sadb_msg_seq, - pfkey_msg->sadb_msg_len, - pfkey_msg->sadb_msg_pid, - pfkey_msg->sadb_msg_errno, - pfkey_msg->sadb_msg_satype, - satype2name(pfkey_msg->sadb_msg_satype)); - } - - if(readlen != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) - { - if(debug) { - printf("%s: packet size read from socket=%d doesn't equal sadb_msg_len %u * %u; message not decoded\n", - program_name, - (int)readlen, - (unsigned)pfkey_msg->sadb_msg_len, - (unsigned)IPSEC_PFKEYv2_ALIGN); - } - continue; - } - - if (pfkey_msg_parse(pfkey_msg, NULL, extensions, EXT_BITS_OUT)) { - if(debug) { - printf("%s: unparseable PF_KEY message.\n", - program_name); - } - continue; - } else { - if(debug) { - printf("%s: parseable PF_KEY message.\n", - program_name); - } - } - if((pid_t)pfkey_msg->sadb_msg_pid == mypid) { - if(saref) { - printf("%s: saref=%d\n", - program_name, - (extensions[SADB_EXT_SA] != NULL) - ? ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_x_sa_ref - : IPSEC_SAREF_NULL); - } - break; - } - } - } - (void) close(pfkey_sock); /* close the socket */ - if(debug || listenreply) { - printf("%s: exited normally\n", program_name); - } - exit(0); -} diff --git a/programs/spigrp/.cvsignore b/programs/spigrp/.cvsignore deleted file mode 100644 index 4fee1abcf..000000000 --- a/programs/spigrp/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -spigrp diff --git a/programs/spigrp/Makefile b/programs/spigrp/Makefile deleted file mode 100644 index df8899eaf..000000000 --- a/programs/spigrp/Makefile +++ /dev/null 
@@ -1,52 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=spigrp -EXTRA5PROC=${PROGRAM}.5 - -LIBS=${FREESWANLIB} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:31 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.4 2002/06/03 20:25:31 mcr -# man page for files actually existant in /proc/net changed back to -# ipsec_foo via new EXTRA5PROC process. -# -# Revision 1.3 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.2 2002/04/26 01:21:26 mcr -# while tracking down a missing (not installed) /etc/ipsec.conf, -# MCR has decided that it is not okay for each program subdir to have -# some subset (determined with -f) of possible files. -# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -# Optional PROGRAM.5 files have been added to the makefiles. -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/spigrp/spigrp.5 b/programs/spigrp/spigrp.5 deleted file mode 100644 index b00d7ae73..000000000 --- a/programs/spigrp/spigrp.5 +++ /dev/null 
@@ -1,116 +0,0 @@ -.TH IPSEC_SPIGRP 5 "27 Jun 2000" -.\" -.\" RCSID $Id: spigrp.5,v 1.1 2004/03/15 20:35:31 as Exp $ -.\" -.SH NAME -ipsec_spigrp \- list IPSEC Security Association groupings -.SH SYNOPSIS -.B ipsec -.B spigrp -.PP -.B cat -.B /proc/net/ipsec_spigrp -.PP -.SH DESCRIPTION -.I /proc/net/ipsec_spigrp -is a read-only file that lists groups of IPSEC Security Associations -(SAs). -.PP -An entry in the IPSEC extended routing table can only point (via an -SAID) to one SA. If more than one transform must be applied to a given -type of packet, this can be accomplished by setting up several SAs with -the same destination address but potentially different SPIs and -protocols, and grouping them with -.IR ipsec_spigrp(8) . -.PP -The SA groups are listed, one line per connection/group, as a sequence -of SAs to be applied (or that should have been applied, in the case of -an incoming packet) from inside to outside the packet. An SA is -identified by its SAID, which consists of protocol ("ah", "esp", "comp" or -"tun"), SPI (with '.' for IPv4 or ':' for IPv6 prefixed hexadecimal number ) and destination address -(IPv4 dotted quad or IPv6 coloned hex) prefixed by '@', in the format <proto><af><spi>@<dest>. -.SH EXAMPLES -.TP -.B tun.3d0@192.168.2.110 -.B comp.3d0@192.168.2.110 -.B esp.187a101b@192.168.2.110 -.B ah.187a101a@192.168.2.110 -.LP -is a group of 3 SAs, destined for -.BR 192.168.2.110 -with an IPv4-in-IPv4 tunnel SA applied first with an SPI of -.BR 3d0 -in hexadecimal, followed by a Deflate compression header to compress -the packet with CPI of -.BR 3d0 -in hexadecimal, followed by an Encapsulating Security Payload header to -encrypt the packet with SPI -.BR 187a101b -in hexadecimal, followed by an Authentication Header to authenticate the -packet with SPI -.BR 187a101a -in hexadecimal, applied from inside to outside the packet. This could -be an incoming or outgoing group, depending on the address of the local -machine. 
-.LP -.TP -.B tun:3d0@3049:1::2 -.B comp:3d0@3049:1::2 -.B esp:187a101b@3049:1::2 -.B ah:187a101a@3049:1::2 -.LP -is a group of 3 SAs, destined for -.BR 3049:1::2 -with an IPv6-in-IPv6 tunnel SA applied first with an SPI of -.BR 3d0 -in hexadecimal, followed by a Deflate compression header to compress -the packet with CPI of -.BR 3d0 -in hexadecimal, followed by an Encapsulating Security Payload header to -encrypt the packet with SPI -.BR 187a101b -in hexadecimal, followed by an Authentication Header to authenticate the -packet with SPI -.BR 187a101a -in hexadecimal, applied from inside to outside the packet. This could -be an incoming or outgoing group, depending on the address of the local -machine. -.LP -.SH FILES -/proc/net/ipsec_spigrp, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5), -ipsec_spi(5), ipsec_klipsdebug(5), ipsec_spigrp(8), ipsec_version(5), -ipsec_pf_key(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. -.SH BUGS -:-) -.\" -.\" $Log: spigrp.5,v $ -.\" Revision 1.1 2004/03/15 20:35:31 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.6 2002/04/24 07:35:40 mcr -.\" Moved from ./klips/utils/spigrp.5,v -.\" -.\" Revision 1.5 2000/09/17 18:56:48 rgb -.\" Added IPCOMP support. -.\" -.\" Revision 1.4 2000/09/13 15:54:32 rgb -.\" Added Gerhard's ipv6 updates. -.\" -.\" Revision 1.3 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.2 2000/06/28 12:44:12 henry -.\" format touchup -.\" -.\" Revision 1.1 2000/06/28 05:43:00 rgb -.\" Added manpages for all 5 klips utils. -.\" -.\" diff --git a/programs/spigrp/spigrp.8 b/programs/spigrp/spigrp.8 deleted file mode 100644 index 418ed5c3e..000000000 --- a/programs/spigrp/spigrp.8 +++ /dev/null 
@@ -1,174 +0,0 @@ -.TH IPSEC_SPIGRP 8 "21 Jun 2000" -.\" -.\" RCSID $Id: spigrp.8,v 1.1 2004/03/15 20:35:31 as Exp $ -.\" -.SH NAME -ipsec spigrp \- group/ungroup IPSEC Security Associations -.SH SYNOPSIS -.B ipsec -.B spigrp -.PP -.B ipsec -.B spigrp -[ -.B \-\-label -label ] -af1 dst1 spi1 proto1 [ af2 dst2 spi2 proto2 [ af3 dst3 spi3 proto3 [ af4 dst4 spi4 proto4 ] ] ] -.PP -.B ipsec -.B spigrp -[ -.B \-\-label -label ] -.B \-\-said -SA1 [ SA2 [ SA3 [ SA4 ] ] ] -.PP -.B ipsec -.B spigrp -.B \-\-help -.PP -.B ipsec -.B spigrp -.B \-\-version -.PP -.SH DESCRIPTION -.I Spigrp -groups IPSEC Security Associations (SAs) together or ungroups -previously grouped SAs. -An entry in the IPSEC extended -routing table can only point -(via a destination address, a Security Parameters Index (SPI) and -a protocol identifier) to one SA. -If more than one transform must be applied to a given type of packet, -this can be accomplished by setting up several SAs -with the same destination address but potentially different SPIs and protocols, -and grouping them with -.IR spigrp . -.PP -The SAs to be grouped, -specified by destination address (DNS name lookup, IPv4 dotted quad or IPv6 coloned hex), SPI -('0x'-prefixed hexadecimal number) and protocol ("ah", "esp", "comp" or "tun"), -are listed from the inside transform to the -outside; -in other words, the transforms are applied in -the order of the command line and removed in the reverse -order. -The resulting SA group is referred to by its first SA (by -.IR af1 , -.IR dst1 , -.IR spi1 -and -.IR proto1 ). -.PP -The \-\-said option indicates that the SA IDs are to be specified as -one argument each, in the format <proto><af><spi>@<dest>. The SA IDs must -all be specified as separate parameters without the \-\-said option or -all as monolithic parameters after the \-\-said option. -.PP -The SAs must already exist and must not already -be part of a group. 
-.PP -If -.I spigrp -is invoked with only one SA specification, -it ungroups the previously-grouped set of SAs containing -the SA specified. -.PP -The \-\-label option identifies all responses from that command -invocation with a user-supplied label, provided as an argument to the -label option. This can be helpful for debugging one invocation of the -command out of a large number. -.PP -The command form with no additional arguments lists the contents of -/proc/net/ipsec_spigrp. The format of /proc/net/ipsec_spigrp is -discussed in ipsec_spigrp(5). -.SH EXAMPLES -.TP -.B ipsec spigrp inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah -groups 3 SAs together, all destined for -.BR gw2 , -but with an IPv4-in-IPv4 tunnel SA applied first with SPI -.BR 0x113 , -then an ESP header to encrypt the packet with SPI -.BR 0x115 , -and finally an AH header to authenticate the packet with SPI -.BR 0x116 . -.LP -.TP -.B ipsec spigrp --said tun.113@gw2 esp.115@gw2 ah.116@gw2 -groups 3 SAs together, all destined for -.BR gw2 , -but with an IPv4-in-IPv4 tunnel SA applied first with SPI -.BR 0x113 , -then an ESP header to encrypt the packet with SPI -.BR 0x115 , -and finally an AH header to authenticate the packet with SPI -.BR 0x116 . -.LP -.TP -.B ipsec spigrp --said tun:233@3049:1::1 esp:235@3049:1::1 ah:236@3049:1::1 -groups 3 SAs together, all destined for -.BR 3049:1::1, -but with an IPv6-in-IPv6 tunnel SA applied first with SPI -.BR 0x233 , -then an ESP header to encrypt the packet with SPI -.BR 0x235 , -and finally an AH header to authenticate the packet with SPI -.BR 0x236 . -.LP -.TP -.B ipsec spigrp inet6 3049:1::1 0x233 tun inet6 3049:1::1 0x235 esp inet6 3049:1::1 0x236 ah -groups 3 SAs together, all destined for -.BR 3049:1::1, -but with an IPv6-in-IPv6 tunnel SA applied first with SPI -.BR 0x233 , -then an ESP header to encrypt the packet with SPI -.BR 0x235 , -and finally an AH header to authenticate the packet with SPI -.BR 0x236 . 
-.LP -.SH FILES -/proc/net/ipsec_spigrp, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8), -ipsec_spi(8), ipsec_klipsdebug(8), ipsec_spigrp(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. -.SH BUGS -Yes, it really is limited to a maximum of four SAs, -although admittedly it's hard to see why you would need more. -.\" -.\" $Log: spigrp.8,v $ -.\" Revision 1.1 2004/03/15 20:35:31 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.20 2002/04/24 07:35:41 mcr -.\" Moved from ./klips/utils/spigrp.8,v -.\" -.\" Revision 1.19 2000/09/17 18:56:48 rgb -.\" Added IPCOMP support. -.\" -.\" Revision 1.18 2000/09/13 15:54:32 rgb -.\" Added Gerhard's ipv6 updates. -.\" -.\" Revision 1.17 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.16 2000/06/21 16:54:57 rgb -.\" Added 'no additional args' text for listing contents of -.\" /proc/net/ipsec_* files. -.\" -.\" Revision 1.15 2000/02/14 21:08:30 rgb -.\" Added description of --said option. -.\" -.\" Revision 1.14 1999/07/19 18:47:25 henry -.\" fix slightly-misformed comments -.\" -.\" Revision 1.13 1999/04/06 04:54:39 rgb -.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes -.\" patch shell fixes. -.\" diff --git a/programs/spigrp/spigrp.c b/programs/spigrp/spigrp.c deleted file mode 100644 index 4cbac304d..000000000 --- a/programs/spigrp/spigrp.c +++ /dev/null 
@@ -1,491 +0,0 @@ -/* - * SA grouping - * Copyright (C) 1996 John Ioannidis. - * Copyright (C) 1997, 1998, 1999, 2000, 2001 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -char spigrp_c_version[] = "RCSID $Id: spigrp.c,v 1.2 2004/06/07 15:16:34 as Exp $"; - - -#include <sys/types.h> -#include <linux/types.h> /* new */ -#include <string.h> -#include <errno.h> -#include <sys/stat.h> /* open() */ -#include <fcntl.h> /* open() */ -#include <stdlib.h> /* system(), strtoul() */ - -#include <sys/socket.h> - -#include <netinet/in.h> -#include <arpa/inet.h> -/* #include <linux/ip.h> */ - -#include <unistd.h> -#include <stdio.h> -#include <netdb.h> -#include <freeswan.h> -#if 0 -#include <linux/autoconf.h> /* CONFIG_IPSEC_PFKEYv2 */ -#endif - -#include <signal.h> -#include <pfkeyv2.h> -#include <pfkey.h> - -#include "freeswan/radij.h" -#include "freeswan/ipsec_encap.h" -#include "freeswan/ipsec_ah.h" - - -char *program_name; - -int pfkey_sock; -fd_set pfkey_socks; -uint32_t pfkey_seq = 0; - -struct said_af { - int af; - ip_said said; -}; /* to store the given saids and their address families in an array */ - /* XXX: Note that we do *not* check if the address families of all SAID?s are the same. - * This can make it possible to group SAs for IPv4 addresses with SAs for - * IPv6 addresses (perhaps some kind of IPv4-over-secIPv6 or vice versa). 
- * Do not know, if this is a bug or feature */ - -static void -usage(char *s) -{ - fprintf(stdout, "usage: Note: position of options and arguments is important!\n"); - fprintf(stdout, "usage: %s [ --debug ] [ --label <label> ] af1 dst1 spi1 proto1 [ af2 dst2 spi2 proto2 [ af3 dst3 spi3 proto3 [ af4 dst4 spi4 proto4 ] ] ]\n", s); - fprintf(stdout, "usage: %s [ --debug ] [ --label <label> ] --said <SA1> [ <SA2> [ <SA3> [ <SA4> ] ] ]\n", s); - fprintf(stdout, "usage: %s --help\n", s); - fprintf(stdout, "usage: %s --version\n", s); - fprintf(stdout, "usage: %s\n", s); - fprintf(stdout, " [ --debug ] is optional to any %s command.\n", s); - fprintf(stdout, " [ --label <label> ] is optional to any %s command.\n", s); -} - - -int -main(int argc, char **argv) -{ - int i, nspis; - char *endptr; - int said_opt = 0; - - const char* error_s = NULL; - char ipaddr_txt[ADDRTOT_BUF]; - int debug = 0; - int j; - struct said_af said_af_array[4]; - - int error = 0; - - struct sadb_ext *extensions[SADB_EXT_MAX + 1]; - struct sadb_msg *pfkey_msg; -#if 0 - ip_address pfkey_address_s_ska; -#endif - - program_name = argv[0]; - for(i = 0; i < 4; i++) { - memset(&said_af_array[i], 0, sizeof(struct said_af)); - } - - if(argc > 1 && strcmp(argv[1], "--debug") == 0) { - debug = 1; - if(debug) { - fprintf(stdout, "\"--debug\" option requested.\n"); - } - argv += 1; - argc -= 1; - pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX; - } - - if(debug) { - fprintf(stdout, "argc=%d (%d incl. 
--debug option).\n", - argc, - argc + 1); - } - - if(argc > 1 && strcmp(argv[1], "--label") == 0) { - if(argc > 2) { - program_name = malloc(strlen(argv[0]) - + 10 /* update this when changing the sprintf() */ - + strlen(argv[2])); - sprintf(program_name, "%s --label %s", - argv[0], - argv[2]); - if(debug) { - fprintf(stdout, "using \"%s\" as a label.\n", program_name); - } - argv += 2; - argc -= 2; - } else { - fprintf(stderr, "%s: --label option requires an argument.\n", - program_name); - exit(1); - } - } - - if(debug) { - fprintf(stdout, "...After check for --label option.\n"); - } - - if(argc == 1) { - system("cat /proc/net/ipsec_spigrp"); - exit(0); - } - - if(debug) { - fprintf(stdout, "...After check for no option to print /proc/net/ipsec_spigrp.\n"); - } - - if(strcmp(argv[1], "--help") == 0) { - if(debug) { - fprintf(stdout, "\"--help\" option requested.\n"); - } - usage(program_name); - exit(1); - } - - if(debug) { - fprintf(stdout, "...After check for --help option.\n"); - } - - if(strcmp(argv[1], "--version") == 0) { - if(debug) { - fprintf(stdout, "\"--version\" option requested.\n"); - } - fprintf(stderr, "%s, %s\n", program_name, spigrp_c_version); - exit(1); - } - - if(debug) { - fprintf(stdout, "...After check for --version option.\n"); - } - - if(strcmp(argv[1], "--said") == 0) { - if(debug) { - fprintf(stdout, "processing %d args with --said flag.\n", argc); - } - said_opt = 1; - } - - if(debug) { - fprintf(stdout, "...After check for --said option.\n"); - } - - if(said_opt) { - if (argc < 3 /*|| argc > 5*/) { - fprintf(stderr, "expecting 3 or more args with --said, got %d.\n", argc); - usage(program_name); - exit(1); - } - nspis = argc - 2; - } else { - if ((argc < 5) || (argc > 17) || ((argc % 4) != 1)) { - fprintf(stderr, "expecting 5 or more args without --said, got %d.\n", argc); - usage(program_name); - exit(1); - } - nspis = argc / 4; - } - - if(debug) { - fprintf(stdout, "processing %d nspis.\n", nspis); - } - - for(i = 0; i < nspis; 
i++) { - if(debug) { - fprintf(stdout, "processing spi #%d.\n", i); - } - - if(said_opt) { - error_s = ttosa((const char *)argv[i+2], 0, (ip_said*)&(said_af_array[i].said)); - if(error_s != NULL) { - fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n", - program_name, error_s, argv[i+2]); - exit (1); - } - said_af_array[i].af = addrtypeof(&(said_af_array[i].said.dst)); - if(debug) { - addrtot(&said_af_array[i].said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "said[%d].dst=%s.\n", i, ipaddr_txt); - } - } else { - if(!strcmp(argv[i*4+4], "ah")) { - said_af_array[i].said.proto = SA_AH; - } - if(!strcmp(argv[i*4+4], "esp")) { - said_af_array[i].said.proto = SA_ESP; - } - if(!strcmp(argv[i*4+4], "tun")) { - said_af_array[i].said.proto = SA_IPIP; - } - if(!strcmp(argv[i*4+4], "comp")) { - said_af_array[i].said.proto = SA_COMP; - } - if(said_af_array[i].said.proto == 0) { - fprintf(stderr, "%s: Badly formed proto: %s\n", - program_name, argv[i*4+4]); - exit(1); - } - said_af_array[i].said.spi = htonl(strtoul(argv[i*4+3], &endptr, 0)); - if(!(endptr == argv[i*4+3] + strlen(argv[i*4+3]))) { - fprintf(stderr, "%s: Badly formed spi: %s\n", - program_name, argv[i*4+3]); - exit(1); - } - if(!strcmp(argv[i*4+1], "inet")) { - said_af_array[i].af = AF_INET; - } - if(!strcmp(argv[i*4+1], "inet6")) { - said_af_array[i].af = AF_INET6; - } - if((said_af_array[i].af != AF_INET) && (said_af_array[i].af != AF_INET6)) { - fprintf(stderr, "%s: Address family %s not supported\n", - program_name, argv[i*4+1]); - exit(1); - } - error_s = ttoaddr(argv[i*4+2], 0, said_af_array[i].af, &(said_af_array[i].said.dst)); - if(error_s != NULL) { - fprintf(stderr, "%s: Error, %s converting %dth address argument:%s\n", - program_name, error_s, i, argv[i*4+2]); - exit (1); - } - } - if(debug) { - fprintf(stdout, "SA %d contains: ", i+1); - fprintf(stdout, "\n"); - fprintf(stdout, "proto = %d\n", said_af_array[i].said.proto); - fprintf(stdout, "spi = %08x\n", 
said_af_array[i].said.spi); - addrtot(&said_af_array[i].said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stdout, "edst = %s\n", ipaddr_txt); - } - } - - if(debug) { - fprintf(stdout, "Opening pfkey socket.\n"); - } - - if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) { - fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: ", - program_name); - switch(errno) { - case ENOENT: - fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n"); - break; - case EACCES: - fprintf(stderr, "access denied. "); - if(getuid() == 0) { - fprintf(stderr, "Check permissions. Should be 600.\n"); - } else { - fprintf(stderr, "You must be root to open this file.\n"); - } - break; - case EUNATCH: - fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n"); - break; - case ENODEV: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - break; - case EBUSY: - fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n"); - break; - case EINVAL: - fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n"); - break; - case ENOBUFS: - fprintf(stderr, "No kernel memory to allocate SA.\n"); - break; - case ESOCKTNOSUPPORT: - fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n"); - break; - case EEXIST: - fprintf(stderr, "SA already in use. Delete old one first.\n"); - break; - case ENXIO: - fprintf(stderr, "SA does not exist. Cannot delete.\n"); - break; - case EAFNOSUPPORT: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - break; - default: - fprintf(stderr, "Unknown file open error %d. Please report as much detail as possible to development team.\n", errno); - } - exit(1); - } - - for(i = 0; i < (((nspis - 1) < 2) ? 
1 : (nspis - 1)); i++) { - if(debug) { - fprintf(stdout, "processing %dth pfkey message.\n", i); - } - - pfkey_extensions_init(extensions); - for(j = 0; j < ((nspis == 1) ? 1 : 2); j++) { - if(debug) { - fprintf(stdout, "processing %dth said of %dth pfkey message.\n", j, i); - } - - /* Build an SADB_X_GRPSA message to send down. */ - /* It needs <base, SA, SA2, address(D,D2) > minimum. */ - if(!j) { - if((error = pfkey_msg_hdr_build(&extensions[0], - SADB_X_GRPSA, - proto2satype(said_af_array[i].said.proto), - 0, - ++pfkey_seq, - getpid()))) { - fprintf(stderr, "%s: Trouble building message header, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - } else { - if(debug) { - fprintf(stdout, "setting x_satype proto=%d satype=%d\n", - said_af_array[i+j].said.proto, - proto2satype(said_af_array[i+j].said.proto) - ); - } - - if((error = pfkey_x_satype_build(&extensions[SADB_X_EXT_SATYPE2], - proto2satype(said_af_array[i+j].said.proto) - ))) { - fprintf(stderr, "%s: Trouble building message header, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - } - - if((error = pfkey_sa_build(&extensions[!j ? SADB_EXT_SA : SADB_X_EXT_SA2], - !j ? SADB_EXT_SA : SADB_X_EXT_SA2, - said_af_array[i+j].said.spi, /* in network order */ - 0, - 0, - 0, - 0, - 0))) { - fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - exit(1); - } - -#if 0 - if(!j) { - anyaddr(said_af_array[i].af, &pfkey_address_s_ska); /* Is the address family correct ?? 
*/ - if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC], - SADB_EXT_ADDRESS_SRC, - 0, - 0, - sockaddrof(&pfkey_address_s_ska)))) { - addrtot(&pfkey_address_s_ska, 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n", - program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - } -#endif - if((error = pfkey_address_build(&extensions[!j ? SADB_EXT_ADDRESS_DST : SADB_X_EXT_ADDRESS_DST2], - !j ? SADB_EXT_ADDRESS_DST : SADB_X_EXT_ADDRESS_DST2, - 0, - 0, - sockaddrof(&said_af_array[i+j].said.dst)))) { - addrtot(&said_af_array[i+j].said.dst, - 0, ipaddr_txt, sizeof(ipaddr_txt)); - fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n", - program_name, ipaddr_txt, error); - pfkey_extensions_free(extensions); - exit(1); - } - - } - - if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) { - fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n", - program_name, error); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - exit(1); - } - - if((error = write(pfkey_sock, - pfkey_msg, - pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) != - (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) { - fprintf(stderr, "%s: pfkey write failed, returning %d with errno=%d.\n", - program_name, error, errno); - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - switch(errno) { - case EACCES: - fprintf(stderr, "access denied. "); - if(getuid() == 0) { - fprintf(stderr, "Check permissions. Should be 600.\n"); - } else { - fprintf(stderr, "You must be root to open this file.\n"); - } - break; - case EUNATCH: - fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n"); - break; - case EBUSY: - fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. 
Please report as much detail as possible to development team.\n"); - break; - case EINVAL: - fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n"); - break; - case ENODEV: - fprintf(stderr, "KLIPS not loaded or enabled.\n"); - fprintf(stderr, "No device?!?\n"); - break; - case ENOBUFS: - fprintf(stderr, "No kernel memory to allocate SA.\n"); - break; - case ESOCKTNOSUPPORT: - fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n"); - break; - case EEXIST: - fprintf(stderr, "SA already in use. Delete old one first.\n"); - break; - case ENOENT: - fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n"); - break; - case ENXIO: - fprintf(stderr, "SA does not exist. Cannot delete.\n"); - break; - case ENOSPC: - fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n"); - break; - case ESPIPE: - fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n"); - break; - default: - fprintf(stderr, "Unknown socket write error %d. Please report as much detail as possible to development team.\n", errno); - } - exit(1); - } - if(pfkey_msg) { - pfkey_extensions_free(extensions); - pfkey_msg_free(&pfkey_msg); - } - } - - (void) close(pfkey_sock); /* close the socket */ - exit(0); -} diff --git a/programs/tncfg/.cvsignore b/programs/tncfg/.cvsignore deleted file mode 100644 index c05ca8d9a..000000000 --- a/programs/tncfg/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -tncfg diff --git a/programs/tncfg/Makefile b/programs/tncfg/Makefile deleted file mode 100644 index ded364dbf..000000000 --- a/programs/tncfg/Makefile +++ /dev/null 
@@ -1,52 +0,0 @@ -# Makefile for the KLIPS interface utilities -# Copyright (C) 1998, 1999 Henry Spencer. -# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM:=tncfg -EXTRA5PROC=${PROGRAM}.5 - -LIBS:=${FREESWANLIB} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:31 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.4 2002/06/03 20:25:31 mcr -# man page for files actually existant in /proc/net changed back to -# ipsec_foo via new EXTRA5PROC process. -# -# Revision 1.3 2002/06/02 21:51:41 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.2 2002/04/26 01:21:26 mcr -# while tracking down a missing (not installed) /etc/ipsec.conf, -# MCR has decided that it is not okay for each program subdir to have -# some subset (determined with -f) of possible files. -# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -# Optional PROGRAM.5 files have been added to the makefiles. -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# diff --git a/programs/tncfg/tncfg.5 b/programs/tncfg/tncfg.5 deleted file mode 100644 index e4de862c6..000000000 
--- a/programs/tncfg/tncfg.5 +++ /dev/null 
@@ -1,109 +0,0 @@ -.TH IPSEC_TNCFG 5 "27 Jun 2000" -.\" -.\" RCSID $Id: tncfg.5,v 1.1 2004/03/15 20:35:31 as Exp $ -.\" -.SH NAME -ipsec_tncfg \- lists IPSEC virtual interfaces attached to real interfaces -.SH SYNOPSIS -.B ipsec -.B tncfg -.PP -.B cat -.B /proc/net/ipsec_tncfg -.SH DESCRIPTION -.I /proc/net/ipsec_tncfg -is a read-only file which lists which IPSEC virtual interfaces are -attached to which real interfaces, through which packets will be -forwarded once processed by IPSEC. -.PP -Each line lists one ipsec I/F. -A table entry consists of: -.IP + 3 -an ipsec virtual I/F name -.IP + -a visual and machine parsable separator '->', separating the virtual I/F -and the physical I/F, -.IP + -a physical I/F name, to which the ipsec virtual I/F is attached or NULL -if it is not attached, -.IP + -the keyword -.BR mtu= , -.IP + -the MTU of the ipsec virtual I/F, -.IP + -the automatically adjusted effective MTU for PMTU discovery, in brackets, -.IP + -a visual and machine parsable separator '->', separating the virtual I/F -MTU and the physical I/F MTU, -.IP + -the MTU of the attached physical I/F. -.BR -.SH EXAMPLES -.TP -.B ipsec2 -> eth3 mtu=16260(1443) -> 1500 -.LP -shows that virtual device -.B ipsec2 -with an MTU of -.B 16260 -is connected to physical device -.B eth3 -with an MTU of -.B 1500 -and that the effective MTU as a result of PMTU discovery has been -automatically set to -.BR 1443. -.TP -.B ipsec0 \-> wvlan0 mtu=1400(16260) \-> 1500 -.LP -shows that virtual device -.B ipsec0 -with an MTU of -.B 1400 -is connected to physical device -.B wvlan0 -with an MTU of -.B 1500 -and no PMTU packets have gotten far enough to bump down the effective MTU -from its default of 16260. -.TP -.B ipsec3 \-> NULL mtu=0(0) \-> 0 -.LP -shows that virtual device -.B ipsec3 -is not connected to any physical device. 
-.LP -.SH "FILES" -/proc/net/ipsec_tncfg, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_eroute(5), ipsec_spi(5), -ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_tncfg(8), ipsec_version(5), -ipsec_pf_key(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. -.\" -.\" $Log: tncfg.5,v $ -.\" Revision 1.1 2004/03/15 20:35:31 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.5 2002/04/24 07:35:41 mcr -.\" Moved from ./klips/utils/tncfg.5,v -.\" -.\" Revision 1.4 2001/05/29 05:15:53 rgb -.\" Added PMTU to output format. -.\" -.\" Revision 1.3 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.2 2000/06/28 12:44:12 henry -.\" format touchup -.\" -.\" Revision 1.1 2000/06/28 05:43:01 rgb -.\" Added manpages for all 5 klips utils. -.\" -.\" diff --git a/programs/tncfg/tncfg.8 b/programs/tncfg/tncfg.8 deleted file mode 100644 index f888f2539..000000000 --- a/programs/tncfg/tncfg.8 +++ /dev/null 
@@ -1,113 +0,0 @@ -.TH IPSEC_TNCFG 8 "21 Jun 2000" -.\" -.\" RCSID $Id: tncfg.8,v 1.1 2004/03/15 20:35:31 as Exp $ -.\" -.SH NAME -ipsec tncfg \- associate IPSEC virtual interface with physical interface -.SH SYNOPSIS -.B ipsec -.B tncfg -.PP -.B ipsec -.B tncfg -.B \-\-attach -.B \-\-virtual -virtual -.B \-\-physical -physical -.PP -.B ipsec -.B tncfg -.B \-\-detach -.B \-\-virtual -virtual -.PP -.B ipsec -.B tncfg -.B \-\-clear -.PP -.B ipsec -.B tncfg -.B \-\-version -.PP -.B ipsec -.B tncfg -.B \-\-help -.SH DESCRIPTION -.I Tncfg -attaches/detaches IPSEC virtual interfaces to/from -physical interfaces, -through which packets will be forwarded once processed by IPSEC. -.PP -The form with no additional arguments lists the contents of -/proc/net/ipsec_tncfg. The format of /proc/net/ipsec_tncfg is discussed -in ipsec_tncfg(5). -The -.B \-\-attach -form attaches the -.I virtual -interface to the -.I physical -one. -The -.B \-\-detach -form detaches the -.I virtual -interface from whichever physical interface it is attached to. -The -.B \-\-clear -form clears all the -.I virtual -interfaces from whichever physical interfaces they were attached to. -.PP -Virtual interfaces typically have names like -.BR ipsec0 , -while physical interfaces typically have names like -.B eth0 -or -.BR ppp0 . -.SH EXAMPLES -.TP -.B ipsec tncfg \-\-attach \-\-virtual ipsec0 \-\-physical eth0 -attaches the -.B ipsec0 -virtual device to the -.B eth0 -physical device. -.LP -.SH "FILES" -/proc/net/ipsec_tncfg, /usr/local/bin/ipsec -.SH "SEE ALSO" -ipsec(8), ipsec_manual(8), ipsec_eroute(8), ipsec_spi(8), -ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_tncfg(5) -.SH HISTORY -Written for the Linux FreeS/WAN project -<http://www.freeswan.org/> -by Richard Guy Briggs. 
-.\" -.\" $Log: tncfg.8,v $ -.\" Revision 1.1 2004/03/15 20:35:31 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.15 2002/04/24 07:35:41 mcr -.\" Moved from ./klips/utils/tncfg.8,v -.\" -.\" Revision 1.14 2000/09/12 13:09:04 rgb -.\" Fixed real/physical discrepancy between tncfg.8 and tncfg.c. -.\" -.\" Revision 1.13 2000/06/30 18:21:55 rgb -.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) -.\" and correct FILES sections to no longer refer to /dev/ipsec which has -.\" been removed since PF_KEY does not use it. -.\" -.\" Revision 1.12 2000/06/21 16:54:58 rgb -.\" Added 'no additional args' text for listing contents of -.\" /proc/net/ipsec_* files. -.\" -.\" Revision 1.11 1999/07/19 18:47:25 henry -.\" fix slightly-misformed comments -.\" -.\" Revision 1.10 1999/04/06 04:54:39 rgb -.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes -.\" patch shell fixes. -.\" diff --git a/programs/tncfg/tncfg.c b/programs/tncfg/tncfg.c deleted file mode 100644 index f6aeae0e2..000000000 --- a/programs/tncfg/tncfg.c +++ /dev/null 
@@ -1,393 +0,0 @@ -/* - * IPSEC interface configuration - * Copyright (C) 1996 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -char tncfg_c_version[] = "RCSID $Id: tncfg.c,v 1.1 2004/03/15 20:35:31 as Exp $"; - - -#include <stdio.h> -#include <string.h> -#include <stdlib.h> /* system(), strtoul() */ -#include <unistd.h> /* getuid() */ -#include <linux/types.h> -#include <sys/ioctl.h> /* ioctl() */ - -#include <freeswan.h> -#ifdef NET_21 /* from freeswan.h */ -#include <linux/sockios.h> -#include <sys/socket.h> -#endif /* NET_21 */ /* from freeswan.h */ - -#if 0 -#include <linux/if.h> -#else -#include <net/if.h> -#endif -#include <sys/types.h> -#include <errno.h> -#include <getopt.h> - -#include "freeswan/ipsec_tunnel.h" - -static void -usage(char *name) -{ - fprintf(stdout,"%s --attach --virtual <virtual-device> --physical <physical-device>\n", - name); - fprintf(stdout,"%s --detach --virtual <virtual-device>\n", - name); - fprintf(stdout,"%s --clear\n", - name); - fprintf(stdout,"%s --help\n", - name); - fprintf(stdout,"%s --version\n", - name); - fprintf(stdout,"%s\n", - name); - fprintf(stdout, " [ --debug ] is optional to any %s command.\n", name); - fprintf(stdout, " [ --label <label> ] is optional to any %s command.\n", name); - exit(1); -} - -static struct option const longopts[] = -{ - {"virtual", 1, 0, 'V'}, - {"physical", 1, 0, 'P'}, - {"attach", 0, 0, 'a'}, - {"detach", 0, 
0, 'd'}, - {"clear", 0, 0, 'c'}, - {"help", 0, 0, 'h'}, - {"version", 0, 0, 'v'}, - {"label", 1, 0, 'l'}, - {"optionsfrom", 1, 0, '+'}, - {"debug", 0, 0, 'g'}, - {0, 0, 0, 0} -}; - -int -main(int argc, char *argv[]) -{ - struct ifreq ifr; - struct ipsectunnelconf *shc=(struct ipsectunnelconf *)&ifr.ifr_data; - int s; - int c, previous = -1; - char *program_name; - int debug = 0; - int argcount = argc; - - memset(&ifr, 0, sizeof(ifr)); - program_name = argv[0]; - - while((c = getopt_long_only(argc, argv, ""/*"adchvV:P:l:+:"*/, longopts, 0)) != EOF) { - switch(c) { - case 'g': - debug = 1; - argcount--; - break; - case 'a': - if(shc->cf_cmd) { - fprintf(stderr, "%s: exactly one of '--attach', '--detach' or '--clear' options must be specified.\n", program_name); - exit(1); - } - shc->cf_cmd = IPSEC_SET_DEV; - break; - case 'd': - if(shc->cf_cmd) { - fprintf(stderr, "%s: exactly one of '--attach', '--detach' or '--clear' options must be specified.\n", program_name); - exit(1); - } - shc->cf_cmd = IPSEC_DEL_DEV; - break; - case 'c': - if(shc->cf_cmd) { - fprintf(stderr, "%s: exactly one of '--attach', '--detach' or '--clear' options must be specified.\n", program_name); - exit(1); - } - shc->cf_cmd = IPSEC_CLR_DEV; - break; - case 'h': - usage(program_name); - break; - case 'v': - if(optarg) { - fprintf(stderr, "%s: warning; '-v' and '--version' options don't expect arguments, arg '%s' found, perhaps unintended.\n", - program_name, optarg); - } - fprintf(stdout, "%s, %s\n", program_name, tncfg_c_version); - exit(1); - break; - case 'V': - strcpy(ifr.ifr_name, optarg); - break; - case 'P': - strcpy(shc->cf_name, optarg); - break; - case 'l': - program_name = malloc(strlen(argv[0]) - + 10 /* update this when changing the sprintf() */ - + strlen(optarg)); - sprintf(program_name, "%s --label %s", - argv[0], - optarg); - argcount -= 2; - break; - case '+': /* optionsfrom */ - optionsfrom(optarg, &argc, &argv, optind, stderr); - /* no return on error */ - break; - default: - 
usage(program_name); - break; - } - previous = c; - } - - if(argcount == 1) { - system("cat /proc/net/ipsec_tncfg"); - exit(0); - } - - switch(shc->cf_cmd) { - case IPSEC_SET_DEV: - if(!shc->cf_name) { - fprintf(stderr, "%s: physical I/F parameter missing.\n", - program_name); - exit(1); - } - case IPSEC_DEL_DEV: - if(!ifr.ifr_name) { - fprintf(stderr, "%s: virtual I/F parameter missing.\n", - program_name); - exit(1); - } - break; - case IPSEC_CLR_DEV: - strcpy(ifr.ifr_name, "ipsec0"); - break; - default: - fprintf(stderr, "%s: exactly one of '--attach', '--detach' or '--clear' options must be specified.\n" - "Try %s --help' for usage information.\n", - program_name, program_name); - exit(1); - } - - s=socket(AF_INET, SOCK_DGRAM,0); - if(s==-1) - { - fprintf(stderr, "%s: Socket creation failed -- ", program_name); - switch(errno) - { - case EACCES: - if(getuid()==0) - fprintf(stderr, "Root denied permission!?!\n"); - else - fprintf(stderr, "Run as root user.\n"); - break; - case EPROTONOSUPPORT: - fprintf(stderr, "Internet Protocol not enabled"); - break; - case EMFILE: - case ENFILE: - case ENOBUFS: - fprintf(stderr, "Insufficient system resources.\n"); - break; - case ENODEV: - fprintf(stderr, "No such device. Is the virtual device valid? Is the ipsec module linked into the kernel or loaded as a module?\n"); - break; - default: - fprintf(stderr, "Unknown socket error %d.\n", errno); - } - exit(1); - } - if(ioctl(s, shc->cf_cmd, &ifr)==-1) - { - if(shc->cf_cmd == IPSEC_SET_DEV) { - fprintf(stderr, "%s: Socket ioctl failed on attach -- ", program_name); - switch(errno) - { - case EINVAL: - fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n"); - break; - case ENODEV: - fprintf(stderr, "No such device. Is the virtual device valid? Is the ipsec module linked into the kernel or loaded as a module?\n"); - break; - case ENXIO: - fprintf(stderr, "No such device. 
Is the physical device valid?\n"); - break; - case EBUSY: - fprintf(stderr, "Device busy. Virtual device %s is already attached to a physical device -- Use detach first.\n", - ifr.ifr_name); - break; - default: - fprintf(stderr, "Unknown socket error %d.\n", errno); - } - exit(1); - } - if(shc->cf_cmd == IPSEC_DEL_DEV) { - fprintf(stderr, "%s: Socket ioctl failed on detach -- ", program_name); - switch(errno) - { - case EINVAL: - fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n"); - break; - case ENODEV: - fprintf(stderr, "No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.\n"); - break; - case ENXIO: - fprintf(stderr, "Device requested is not linked to any physical device.\n"); - break; - default: - fprintf(stderr, "Unknown socket error %d.\n", errno); - } - exit(1); - } - if(shc->cf_cmd == IPSEC_CLR_DEV) { - fprintf(stderr, "%s: Socket ioctl failed on clear -- ", program_name); - switch(errno) - { - case EINVAL: - fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n"); - break; - case ENODEV: - fprintf(stderr, "Failed. Is the ipsec module linked into the kernel or loaded as a module?.\n"); - break; - default: - fprintf(stderr, "Unknown socket error %d.\n", errno); - } - exit(1); - } - } - exit(0); -} - -/* - * $Log: tncfg.c,v $ - * Revision 1.1 2004/03/15 20:35:31 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.30 2002/04/24 07:55:32 mcr - * #include patches and Makefiles for post-reorg compilation. - * - * Revision 1.29 2002/04/24 07:35:41 mcr - * Moved from ./klips/utils/tncfg.c,v - * - * Revision 1.28 2002/03/08 21:44:05 rgb - * Update for all GNU-compliant --version strings. - * - * Revision 1.27 2001/06/14 19:35:15 rgb - * Update copyright date. - * - * Revision 1.26 2001/05/21 02:02:55 rgb - * Eliminate 1-letter options. 
- * - * Revision 1.25 2001/05/16 05:07:20 rgb - * Fixed --label option in KLIPS manual utils to add the label to the - * command name rather than replace it in error text. - * Fix 'print table' non-option in KLIPS manual utils to deal with --label - * and --debug options. - * - * Revision 1.24 2000/09/12 13:09:05 rgb - * Fixed real/physical discrepancy between tncfg.8 and tncfg.c. - * - * Revision 1.23 2000/08/27 01:48:30 rgb - * Update copyright. - * - * Revision 1.22 2000/07/26 03:41:46 rgb - * Changed all printf's to fprintf's. Fixed tncfg's usage to stderr. - * - * Revision 1.21 2000/06/21 16:51:27 rgb - * Added no additional argument option to usage text. - * - * Revision 1.20 2000/01/21 06:26:31 rgb - * Added --debug switch to command line. - * - * Revision 1.19 1999/12/08 20:32:41 rgb - * Cleaned out unused cruft. - * Changed include file, limiting scope, to avoid conflicts in 2.0.xx - * kernels. - * - * Revision 1.18 1999/12/07 18:27:10 rgb - * Added headers to silence fussy compilers. - * Converted local functions to static to limit scope. - * - * Revision 1.17 1999/11/18 04:09:21 rgb - * Replaced all kernel version macros to shorter, readable form. - * - * Revision 1.16 1999/05/25 01:45:36 rgb - * Fix version macros for 2.0.x as a module. - * - * Revision 1.15 1999/05/05 22:02:34 rgb - * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>. - * - * Revision 1.14 1999/04/15 15:37:28 rgb - * Forward check changes from POST1_00 branch. - * - * Revision 1.10.6.2 1999/04/13 20:58:10 rgb - * Add argc==1 --> /proc/net/ipsec_*. - * - * Revision 1.10.6.1 1999/03/30 17:01:36 rgb - * Make main() return type explicit. - * - * Revision 1.13 1999/04/11 00:12:09 henry - * GPL boilerplate - * - * Revision 1.12 1999/04/06 04:54:39 rgb - * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes - * patch shell fixes. - * - * Revision 1.11 1999/03/17 15:40:54 rgb - * Make explicit main() return type of int. 
- * - * Revision 1.10 1998/11/12 21:08:04 rgb - * Add --label option to identify caller from scripts. - * - * Revision 1.9 1998/10/09 18:47:30 rgb - * Add 'optionfrom' to get more options from a named file. - * - * Revision 1.8 1998/10/09 04:36:55 rgb - * Changed help output from stderr to stdout. - * Deleted old commented out cruft. - * - * Revision 1.7 1998/08/28 03:15:14 rgb - * Add some manual long options to the usage text. - * - * Revision 1.6 1998/08/05 22:29:00 rgb - * Change includes to accomodate RH5.x. - * Force long option names. - * Add ENXIO error return code to narrow down error reporting. - * - * Revision 1.5 1998/07/29 21:45:28 rgb - * Convert to long option names. - * - * Revision 1.4 1998/07/09 18:14:11 rgb - * Added error checking to IP's and keys. - * Made most error messages more specific rather than spamming usage text. - * Added more descriptive kernel error return codes and messages. - * Converted all spi translations to unsigned. - * Removed all invocations of perror. - * - * Revision 1.3 1998/05/27 18:48:20 rgb - * Adding --help and --version directives. - * - * Revision 1.2 1998/04/23 21:11:39 rgb - * Fixed 0 argument usage case to prevent sigsegv. - * - * Revision 1.1.1.1 1998/04/08 05:35:09 henry - * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8 - * - * Revision 0.5 1997/06/03 04:31:55 ji - * New file. - * - */ |
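Review bot: the `strcpy(ifr.ifr_name, optarg)` and `strcpy(shc->cf_name, optarg)` calls in the `'V'` and `'P'` cases copy unbounded option text into the fixed-size `ifr_name` field and the overlaid `ipsectunnelconf` struct, and the later `if(!shc->cf_name)` / `if(!ifr.ifr_name)` guards test the address of an array, so they are always false and the "physical I/F parameter missing" / "virtual I/F parameter missing" diagnostics can never fire. Dropping the file as-is is fine, but if the attach/detach/clear handling is kept anywhere else in the tree, the replacement should use a length-checked copy (bounded by `IFNAMSIZ` for `ifr_name`) and test `ifr.ifr_name[0] == '\0'` instead; the `system("cat /proc/net/ipsec_tncfg")` shortcut for the no-argument case should also not be carried over, since it spawns a shell under the (root) caller's PATH where a direct read of the proc file would do.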