51 files changed, 1262 insertions, 234 deletions
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 7c5e139e4..1d27d13cd 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -106,13 +106,14 @@ AM_CFLAGS = -rdynamic \
   -DIPSEC_PIDDIR=\"${piddir}\" \
   -DIPSEC_PLUGINDIR=\"${plugindir}\" \
   -DSTRONGSWAN_CONF=\"${strongswan_conf}\"
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm -ldl
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB)
 
 EXTRA_DIST = config/proposal_keywords.txt
-MAINTAINERCLEANFILES = config/proposal_keywords.c
+BUILT_SOURCES = $(srcdir)/config/proposal_keywords.c
+MAINTAINERCLEANFILES = $(srcdir)/config/proposal_keywords.c
 
-config/proposal_keywords.c:	config/proposal_keywords.txt config/proposal_keywords.h
-		(cd `dirname $<` && $(GPERF) -C -G -c -t < `basename $<` > `basename $@` )
+$(srcdir)/config/proposal_keywords.c:	$(srcdir)/config/proposal_keywords.txt $(srcdir)/config/proposal_keywords.h
+		$(GPERF) -C -G -c -t -D < $(srcdir)/config/proposal_keywords.txt > $@
 
 # compile options
 #################
@@ -162,6 +163,11 @@ if USE_KERNEL_PFKEY
   PLUGINS += kernel-pfkey
 endif
 
+if USE_KERNEL_PFROUTE
+  SUBDIRS += plugins/kernel_pfroute
+  PLUGINS += kernel-pfroute
+endif
+
 if USE_KERNEL_KLIPS
   SUBDIRS += plugins/kernel_klips
   PLUGINS += kernel-klips
diff --git a/src/charon/config/auth_cfg.c b/src/charon/config/auth_cfg.c
index 87aca3813..c8566087c 100644
--- a/src/charon/config/auth_cfg.c
+++ b/src/charon/config/auth_cfg.c
@@ -340,7 +340,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 				if (!success && log_error)
 				{
 					DBG1(DBG_CFG, "constraint check failed: peer not "
-						 "authenticated by CA '%D'.", c1->get_subject(c1));
+						 "authenticated by CA '%Y'.", c1->get_subject(c1));
 				}
 				break;
 			}
@@ -356,7 +356,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 					if (log_error)
 					{
 						DBG1(DBG_CFG, "constraint check failed: peer not "
-							 "authenticated with peer cert '%D'.",
+							 "authenticated with peer cert '%Y'.",
 							 c1->get_subject(c1));
 					}
 				}
@@ -411,7 +411,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 					success = FALSE;
 					if (log_error)
 					{
-						DBG1(DBG_CFG, "constraint check failed: %sidentity '%D'"
+						DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'"
 							 " required ", t1 == AUTH_RULE_IDENTITY ? "" :
 							 "EAP ", id1);
 					}
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index 28e50ef0a..43d9594fe 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -339,7 +339,7 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
 		return enumerator;
 	}
 	
-	DBG1(DBG_CFG, "looking for peer configs matching %H[%D]...%H[%D]",
+	DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
 		 me, my_id, other, other_id);
 	
 	configs = linked_list_create();
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 3cd4e35ed..695022448 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -530,7 +530,7 @@ static bool verify_ocsp(private_credential_manager_t *this,
 	{
 		if (this->cache->issued_by(this->cache, subject, issuer))
 		{
-			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%D\"",
+			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
 						     issuer->get_subject(issuer));
 			verified = TRUE;
 			break;
@@ -756,7 +756,7 @@ static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
 	{
 		if (this->cache->issued_by(this->cache, crl, issuer))
 		{
-			DBG1(DBG_CFG, "  crl correctly signed by \"%D\"",
+			DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
 						   issuer->get_subject(issuer));
 			verified = TRUE;
 			break;
@@ -966,7 +966,7 @@ static bool check_certificate(private_credential_manager_t *this,
 	{
 		if (ocsp || crl)
 		{
-			DBG1(DBG_CFG, "checking certificate status of \"%D\"",
+			DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
 						   subject->get_subject(subject));
 		}
 		if (ocsp)
@@ -1082,7 +1082,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			if (this->cache->issued_by(this->cache, issuer, issuer))
 			{
 				auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
-				DBG1(DBG_CFG, "  using trusted ca certificate \"%D\"",
+				DBG1(DBG_CFG, "  using trusted ca certificate \"%Y\"",
 					 issuer->get_subject(issuer));
 				trusted = TRUE;
 			}
@@ -1090,7 +1090,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			{
 				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
 				DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
-					 "\"%D\"", issuer->get_subject(issuer));
+					 "\"%Y\"", issuer->get_subject(issuer));
 			}
 		}
 		else
@@ -1100,18 +1100,18 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			{
 				if (current->equals(current, issuer))
 				{
-					DBG1(DBG_CFG, "  self-signed certificate \"%D\" is not trusted",
+					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not trusted",
 						 current->get_subject(current));
 					issuer->destroy(issuer);
 					break;
 				}
 				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
 				DBG1(DBG_CFG, "  using untrusted intermediate certificate "
-					 "\"%D\"", issuer->get_subject(issuer));
+					 "\"%Y\"", issuer->get_subject(issuer));
 			}
 			else
 			{
-				DBG1(DBG_CFG, "no issuer certificate found for \"%D\"", 
+				DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"", 
 					 current->get_subject(current));
 				break;
 			}
@@ -1197,7 +1197,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
 			{
 				this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
 								this->pretrusted->get_ref(this->pretrusted));
-				DBG1(DBG_CFG, "  using trusted certificate \"%D\"",
+				DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
 					 this->pretrusted->get_subject(this->pretrusted));
 				*cert = this->pretrusted;
 				if (auth)
@@ -1217,7 +1217,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
 			continue;
 		}
 	
-		DBG1(DBG_CFG, "  using certificate \"%D\"",
+		DBG1(DBG_CFG, "  using certificate \"%Y\"",
 			 current->get_subject(current));
 		if (verify_trust_chain(this->this, current, this->auth, FALSE,
 							   this->crl, this->ocsp))
diff --git a/src/charon/credentials/sets/auth_cfg_wrapper.c b/src/charon/credentials/sets/auth_cfg_wrapper.c
index 2e93cc53a..55f265513 100644
--- a/src/charon/credentials/sets/auth_cfg_wrapper.c
+++ b/src/charon/credentials/sets/auth_cfg_wrapper.c
@@ -96,7 +96,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator,
 		return FALSE;
 	}
 	
-	DBG1(DBG_CFG, "  fetched certificate \"%D\"", cert->get_subject(cert));
+	DBG1(DBG_CFG, "  fetched certificate \"%Y\"", cert->get_subject(cert));
 	charon->credentials->cache_cert(charon->credentials, cert);
 	
 	if (*rule == AUTH_HELPER_IM_HASH_URL)
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 6dcb39a89..339846a85 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -17,7 +17,9 @@
  */
 
 #include <stdio.h>
+#ifdef HAVE_PRCTL
 #include <sys/prctl.h>
+#endif
 #include <signal.h>
 #include <pthread.h>
 #include <sys/stat.h>
@@ -240,8 +242,10 @@ static void kill_daemon(private_daemon_t *this, char *reason)
  * drop daemon capabilities
  */
 static void drop_capabilities(private_daemon_t *this)
-{	
+{
+#ifdef HAVE_PRCTL
 	prctl(PR_SET_KEEPCAPS, 1);
+#endif
 
 	if (setgid(charon->gid) != 0)
 	{
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index fca149613..159831667 100644
--- a/src/charon/kernel/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -109,10 +109,10 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
 /**
  * Implementation of kernel_interface_t.del_sa
  */
-static status_t del_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi,
-				protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
+				u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
 {
-	return this->ipsec->del_sa(this->ipsec, dst, spi, protocol, cpi);
+	return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi);
 }
 
 /**
@@ -373,7 +373,7 @@ kernel_interface_t *kernel_interface_create()
 	this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
index 85ba881cf..e1089a0de 100644
--- a/src/charon/kernel/kernel_interface.h
+++ b/src/charon/kernel/kernel_interface.h
@@ -145,14 +145,15 @@ struct kernel_interface_t {
 	/**
 	 * Delete a previously installed SA from the SAD.
 	 * 
+	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param cpi			CPI for IPComp or 0
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol, u_int16_t cpi);
+	status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
+						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
 	
 	/**
 	 * Add a policy to the SPD.
diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h
index 6360e5fd9..d0b15a4ad 100644
--- a/src/charon/kernel/kernel_ipsec.h
+++ b/src/charon/kernel/kernel_ipsec.h
@@ -35,17 +35,15 @@ typedef struct kernel_ipsec_t kernel_ipsec_t;
 #include <encoding/payloads/proposal_substructure.h>
 
 /**
- * Mode of an CHILD_SA.
- *
- * These are equal to those defined in XFRM, so don't change.
+ * Mode of a CHILD_SA.
  */
 enum ipsec_mode_t {
 	/** transport mode, no inner address */
-	MODE_TRANSPORT = 0,
+	MODE_TRANSPORT = 1,
 	/** tunnel mode, inner and outer addresses */
-	MODE_TUNNEL = 1,
+	MODE_TUNNEL,
 	/** BEET mode, tunnel mode but fixed, bound inner addresses */
-	MODE_BEET = 4,
+	MODE_BEET,
 };
 
 /**
@@ -177,14 +175,15 @@ struct kernel_ipsec_t {
 	/**
 	 * Delete a previusly installed SA from the SAD.
 	 * 
+	 * @param src			source address for this SA
 	 * @param dst			destination address for this SA
 	 * @param spi			SPI allocated by us or remote peer
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param cpi			CPI for IPComp or 0
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*del_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol, u_int16_t cpi);
+	status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
+						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
 	
 	/**
 	 * Add a policy to the SPD.
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
index c43ba0207..d93a8d520 100644
--- a/src/charon/network/socket.c
+++ b/src/charon/network/socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -30,12 +30,11 @@
 #include <stdlib.h>
 #include <fcntl.h>
 #include <sys/ioctl.h>
+#include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/udp.h>
-#include <linux/types.h>
-#include <linux/filter.h>
 #include <net/if.h>
 
 #include "socket.h"
@@ -54,10 +53,12 @@
 #define UDP_ENCAP_ESPINUDP 2
 #endif /*UDP_ENCAP_ESPINUDP*/
 
-/* needed for older kernel headers */
-#ifndef IPV6_2292PKTINFO
-#define IPV6_2292PKTINFO 2
-#endif /*IPV6_2292PKTINFO*/
+/* these are not defined on some platforms */
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#define SOL_IPV6 IPPROTO_IPV6
+#define SOL_UDP IPPROTO_UDP
+#endif
 
 typedef struct private_socket_t private_socket_t;
 
@@ -201,7 +202,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 			}
 			
 			if (cmsgptr->cmsg_level == SOL_IPV6 &&
-				cmsgptr->cmsg_type == IPV6_2292PKTINFO)
+				cmsgptr->cmsg_type == IPV6_PKTINFO)
 			{
 				struct in6_pktinfo *pktinfo;
 				pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
@@ -214,14 +215,26 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
 			}
 			if (cmsgptr->cmsg_level == SOL_IP &&
-				cmsgptr->cmsg_type == IP_PKTINFO)
-			{			
+#ifdef IP_RECVDSTADDR
+				cmsgptr->cmsg_type == IP_RECVDSTADDR
+#else
+				cmsgptr->cmsg_type == IP_PKTINFO
+#endif
+				)
+			{
+				struct in_addr *addr;
+				struct sockaddr_in dst;	
+
+#ifdef IP_RECVDSTADDR
+				addr = (struct in_addr*)CMSG_DATA(cmsgptr);
+#else
 				struct in_pktinfo *pktinfo;
 				pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
-				struct sockaddr_in dst;
-				
+				addr = &pktinfo->ipi_addr;
+#endif
 				memset(&dst, 0, sizeof(dst));
-				memcpy(&dst.sin_addr, &pktinfo->ipi_addr, sizeof(dst.sin_addr));
+				memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
+				
 				dst.sin_family = AF_INET;
 				dst.sin_port = htons(port);
 				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
@@ -340,24 +353,35 @@ status_t sender(private_socket_t *this, packet_t *packet)
 	msg.msg_iovlen = 1;
 	msg.msg_flags = 0;
 	
-	if (!dst->is_anyaddr(dst))
+	if (!src->is_anyaddr(src))
 	{
 		if (family == AF_INET)
 		{
+			struct in_addr *addr;
+			struct sockaddr_in *sin;
+#ifdef IP_SENDSRCADDR
+			char buf[CMSG_SPACE(sizeof(struct in_addr))];
+#else
 			char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
 			struct in_pktinfo *pktinfo;
-			struct sockaddr_in *sin;
-			
+#endif
 			msg.msg_control = buf;
 			msg.msg_controllen = sizeof(buf);
 			cmsg = CMSG_FIRSTHDR(&msg);
 			cmsg->cmsg_level = SOL_IP;
+#ifdef IP_SENDSRCADDR
+			cmsg->cmsg_type = IP_SENDSRCADDR;
+			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
+			addr = (struct in_addr*)CMSG_DATA(cmsg);
+#else
 			cmsg->cmsg_type = IP_PKTINFO;
 			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
 			pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
 			memset(pktinfo, 0, sizeof(struct in_pktinfo));
+			addr = &pktinfo->ipi_spec_dst;
+#endif
 			sin = (struct sockaddr_in*)src->get_sockaddr(src);
-			memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
+			memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
 		}
 		else
 		{
@@ -369,7 +393,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
 			msg.msg_controllen = sizeof(buf);
 			cmsg = CMSG_FIRSTHDR(&msg);
 			cmsg->cmsg_level = SOL_IPV6;
-			cmsg->cmsg_type = IPV6_2292PKTINFO;
+			cmsg->cmsg_type = IPV6_PKTINFO;
 			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
 			pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
 			memset(pktinfo, 0, sizeof(struct in6_pktinfo));
@@ -389,13 +413,14 @@ status_t sender(private_socket_t *this, packet_t *packet)
 }
 
 /**
- * open a socket to send packets
+ * open a socket to send and receive packets
  */
 static int open_socket(private_socket_t *this, int family, u_int16_t port)
 {
 	int on = TRUE;
 	int type = UDP_ENCAP_ESPINUDP;
 	struct sockaddr_storage addr;
+	socklen_t addrlen;
 	u_int sol, pktinfo;
 	int skt;
 	
@@ -409,8 +434,13 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 			sin->sin_family = AF_INET;
 			sin->sin_addr.s_addr = INADDR_ANY;
 			sin->sin_port = htons(port);
+			addrlen = sizeof(struct sockaddr_in);
 			sol = SOL_IP;
+#ifdef IP_RECVDSTADDR
+			pktinfo = IP_RECVDSTADDR;
+#else
 			pktinfo = IP_PKTINFO;
+#endif
 			break;
 		}
 		case AF_INET6:
@@ -419,8 +449,9 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 			sin6->sin6_family = AF_INET6;
 			memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
 			sin6->sin6_port = htons(port);
+			addrlen = sizeof(struct sockaddr_in6);
 			sol = SOL_IPV6;
-			pktinfo = IPV6_2292PKTINFO;
+			pktinfo = IPV6_RECVPKTINFO;
 			break;
 		}
 		default:
@@ -440,8 +471,8 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
 		return 0;
 	}
 	
-	/* bind the send socket */
-	if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	/* bind the socket */
+	if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
 	{
 		DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
 		close(skt);
diff --git a/src/charon/plugins/eap_aka/eap_aka.c b/src/charon/plugins/eap_aka/eap_aka.c
index da06d8059..da2adeb8a 100644
--- a/src/charon/plugins/eap_aka/eap_aka.c
+++ b/src/charon/plugins/eap_aka/eap_aka.c
@@ -880,7 +880,7 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
 	/* Get the shared key K: */
 	if (load_key(this->server, this->peer, &this->k) != SUCCESS)
 	{
-		DBG1(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+		DBG1(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
 				"with EAP-AKA", this->server, this->peer);
 		return FAILED;
 	}
@@ -1202,7 +1202,7 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
 	{
 	 	*out = build_aka_payload(this, EAP_RESPONSE, identifier,
 	 							 AKA_AUTHENTICATION_REJECT, AT_END);
-		DBG3(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+		DBG3(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
 			 "with EAP-AKA, sending %N", this->peer, this->server,
 			 aka_subtype_names, AKA_AUTHENTICATION_REJECT);
 		return NEED_MORE;
diff --git a/src/charon/plugins/eap_gtc/eap_gtc.c b/src/charon/plugins/eap_gtc/eap_gtc.c
index 0a93a90f6..9bcdbd686 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc.c
+++ b/src/charon/plugins/eap_gtc/eap_gtc.c
@@ -174,7 +174,7 @@ static status_t process_peer(private_eap_gtc_t *this,
 											 this->peer, this->server);
 	if (shared == NULL)
 	{
-		DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'",
+		DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'",
 			 this->peer, this->server);
 		return FAILED;
 	}
diff --git a/src/charon/plugins/eap_md5/eap_md5.c b/src/charon/plugins/eap_md5/eap_md5.c
index 533948000..47494388b 100644
--- a/src/charon/plugins/eap_md5/eap_md5.c
+++ b/src/charon/plugins/eap_md5/eap_md5.c
@@ -90,7 +90,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response)
 											 this->server, this->peer);
 	if (shared == NULL)
 	{
-		DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
 			 this->server, this->peer);
 		return NOT_FOUND;
 	}
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
index 9bbff817a..ef142c1cd 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -667,7 +667,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 										SHARED_EAP, this->peer, this->server);
 	if (shared == NULL)
 	{
-		DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
 			 this->server, this->peer);
 		return NOT_FOUND;
 	}
@@ -1019,14 +1019,14 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 	name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255);
 	snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
 	userid = identification_create_from_string(buf);
-	DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%D'", userid);
+	DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
 	username = extract_username(userid);
 	
 	shared = charon->credentials->get_shared(charon->credentials,
 											 SHARED_EAP, this->server, userid);
 	if (shared == NULL)
 	{
-		DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+		DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
 					  this->server, userid);
 		/* FIXME: windows 7 always sends the username that is first entered in
 		 * the username box, even, if the user changes it during retries (probably
diff --git a/src/charon/plugins/eap_sim/eap_sim.c b/src/charon/plugins/eap_sim/eap_sim.c
index c2902b54b..fc33d6c93 100644
--- a/src/charon/plugins/eap_sim/eap_sim.c
+++ b/src/charon/plugins/eap_sim/eap_sim.c
@@ -571,7 +571,7 @@ static bool get_card_triplet(private_eap_sim_t *this,
 	enumerator->destroy(enumerator);
 	if (!card)
 	{
-		DBG1(DBG_IKE, "no SIM card found matching '%D'", this->peer);
+		DBG1(DBG_IKE, "no SIM card found matching '%Y'", this->peer);
 	}
 	return success;
 }
@@ -775,7 +775,7 @@ static bool get_provider_triplet(private_eap_sim_t *this,
 		tried++;
 	}
 	enumerator->destroy(enumerator);
-	DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%D'",
+	DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'",
 		 tried, this->peer);
 	return FALSE;
 }
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
index e130c0526..627857f3d 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -220,7 +220,7 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
 			continue;
 		}
 		
-		DBG2(DBG_CFG, "triplet: imsi %D\nrand %b\nsres %b\nkc %b",
+		DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b",
 			 triplet->imsi, triplet->rand, RAND_LEN,
 			 triplet->sres, SRES_LEN, triplet->kc, KC_LEN);
 			 
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
index 3d84805c8..1751ee807 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1938,8 +1938,9 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *dst,
-					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
+					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
+					   u_int16_t cpi)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -2610,7 +2611,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index e3b683474..977740663 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -375,6 +375,24 @@ static protocol_id_t proto_kernel2ike(u_int8_t proto)
 }
 
 /**
+ * convert the general ipsec mode to the one defined in xfrm.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+	switch (mode)
+	{
+		case MODE_TRANSPORT:
+			return XFRM_MODE_TRANSPORT;
+		case MODE_TUNNEL:
+			return XFRM_MODE_TUNNEL;
+		case MODE_BEET:
+			return XFRM_MODE_BEET;
+		default:
+			return mode;
+	}
+}
+
+/**
  * convert a host_t to a struct xfrm_address
  */
 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
@@ -803,7 +821,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 	host2xfrm(src, &userspi->info.saddr);
 	host2xfrm(dst, &userspi->info.id.daddr);
 	userspi->info.id.proto = proto;
-	userspi->info.mode = TRUE; /* tunnel mode */
+	userspi->info.mode = XFRM_MODE_TUNNEL;
 	userspi->info.reqid = reqid;
 	userspi->info.family = src->get_family(src);
 	userspi->min = min;
@@ -941,7 +959,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 	sa->id.spi = spi;
 	sa->id.proto = proto_ike2kernel(protocol);
 	sa->family = src->get_family(src);
-	sa->mode = mode;
+	sa->mode = mode2kernel(mode);
 	if (mode == MODE_TUNNEL)
 	{
 		sa->flags |= XFRM_STATE_AF_UNSPEC;
@@ -1216,8 +1234,9 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
-					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
+					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
+					   u_int16_t cpi)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
@@ -1226,7 +1245,7 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
 	/* if IPComp was used, we first delete the additional IPComp SA */
 	if (cpi)
 	{
-		del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
+		del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
 	}
 	
 	memset(&request, 0, sizeof(request));
@@ -1339,7 +1358,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
 	}
 	
 	/* delete the old SA (without affecting the IPComp SA) */
-	if (del_sa(this, dst, spi, protocol, 0) != SUCCESS)
+	if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
 		free(out);
@@ -1526,7 +1545,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 		tmpl->reqid = reqid;
 		tmpl->id.proto = IPPROTO_COMP;
 		tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-		tmpl->mode = mode;
+		tmpl->mode = mode2kernel(mode);
 		tmpl->optional = direction != POLICY_OUT;
 		tmpl->family = src->get_family(src);
 		
@@ -1547,7 +1566,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 	tmpl->reqid = reqid;
 	tmpl->id.proto = proto_ike2kernel(protocol);
 	tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-	tmpl->mode = mode;
+	tmpl->mode = mode2kernel(mode);
 	tmpl->family = src->get_family(src);
 	
 	host2xfrm(src, &tmpl->saddr);
@@ -1871,7 +1890,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
index f18a5359c..9090e3215 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1175,7 +1175,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
 /**
  * Implementation of kernel_net_t.add_route.
  */
-status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
 		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
 	return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
@@ -1185,7 +1185,7 @@ status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
 /**
  * Implementation of kernel_net_t.del_route.
  */
-status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
 		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
 	return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 6ef5b52a2..95932eb9c 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
@@ -18,10 +18,32 @@
 
 #include <sys/types.h>
 #include <sys/socket.h>
+
+#ifdef HAVE_NET_PFKEYV2_H
+#include <net/pfkeyv2.h>
+#else
 #include <stdint.h>
-#include <linux/ipsec.h>
 #include <linux/pfkeyv2.h>
+#endif
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+#define HAVE_NATT
+#endif
+
+#ifdef HAVE_NETIPSEC_IPSEC_H
+#include <netipsec/ipsec.h>
+#else
+#include <linux/ipsec.h>
+#endif
+
+#ifdef HAVE_NATT
+#ifdef HAVE_NETINET_UDP_H
+#include <netinet/udp.h>
+#else
 #include <linux/udp.h>
+#endif /*HAVE_NETINET_UDP_H*/
+#endif /*HAVE_NATT*/
+
 #include <unistd.h>
 #include <pthread.h>
 #include <errno.h>
@@ -38,6 +60,30 @@
 #include <processing/jobs/delete_child_sa_job.h>
 #include <processing/jobs/update_sa_job.h>
 
+/** non linux specific */
+#ifndef IPPROTO_COMP
+#define IPPROTO_COMP IPPROTO_IPCOMP
+#endif
+
+#ifndef SADB_X_AALG_SHA2_256HMAC
+#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
+#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
+#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
+#endif
+
+#ifndef SADB_X_EALG_AESCBC
+#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
+#endif
+
+#ifndef SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
+#endif
+
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+
 /** from linux/in.h */
 #ifndef IP_IPSEC_POLICY
 #define IP_IPSEC_POLICY 16
@@ -46,7 +92,7 @@
 /* missing on uclibc */
 #ifndef IPV6_IPSEC_POLICY
 #define IPV6_IPSEC_POLICY 34
-#endif /*IPV6_IPSEC_POLICY*/
+#endif
 
 /** default priority of installed policies */
 #define PRIO_LOW 3000
@@ -160,8 +206,8 @@ struct route_entry_t {
 static void route_entry_destroy(route_entry_t *this)
 {
 	free(this->if_name);
-	this->src_ip->destroy(this->src_ip);
-	this->gateway->destroy(this->gateway);
+	DESTROY_IF(this->src_ip);
+	DESTROY_IF(this->gateway);
 	chunk_free(&this->dst_net);
 	free(this);
 }
@@ -217,7 +263,7 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
 	
 	/* src or dest proto may be "any" (0), use more restrictive one */
 	policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
-	policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; 
+	policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
 	policy->dst.proto = policy->src.proto;
 	
 	return policy;
@@ -268,7 +314,6 @@ struct pfkey_msg_t
 	 */
 	struct sadb_msg *msg;
 	
-	
 	/**
 	 * PF_KEY message extensions
 	 */
@@ -305,7 +350,7 @@ struct pfkey_msg_t
 	};
 };
 
-ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
+ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
 	"SADB_EXT_RESERVED",
 	"SADB_EXT_SA",
 	"SADB_EXT_LIFETIME_CURRENT",
@@ -333,6 +378,7 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
 	"SADB_X_EXT_SEC_CTX",
 	"SADB_X_EXT_KMADDRESS"
 );
+
 /**
  * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
  */
@@ -396,8 +442,10 @@ static u_int8_t mode2kernel(ipsec_mode_t mode)
 			return IPSEC_MODE_TRANSPORT;
 		case MODE_TUNNEL:
 			return IPSEC_MODE_TUNNEL;
+#ifdef IPSEC_MODE_BEET
 		case MODE_BEET:
 			return IPSEC_MODE_BEET;
+#endif
 		default:
 			return mode;
 	}
@@ -414,13 +462,16 @@ static u_int8_t dir2kernel(policy_dir_t dir)
 			return IPSEC_DIR_INBOUND;
 		case POLICY_OUT:
 			return IPSEC_DIR_OUTBOUND;
+#ifdef IPSEC_DIR_FWD
 		case POLICY_FWD:
 			return IPSEC_DIR_FWD;
+#endif
 		default:
 			return dir;
 	}
 }
 
+#ifdef SADB_X_MIGRATE
 /**
  * convert the policy direction in ipsec.h to the general one.
  */
@@ -432,12 +483,16 @@ static policy_dir_t kernel2dir(u_int8_t  dir)
 			return POLICY_IN;
 		case IPSEC_DIR_OUTBOUND:
 			return POLICY_OUT;
+#ifdef IPSEC_DIR_FWD
 		case IPSEC_DIR_FWD:
 			return POLICY_FWD;
+#endif
 		default:
 			return dir;
 	}
 }
+#endif /*SADB_X_MIGRATE*/
+
 typedef struct kernel_algorithm_t kernel_algorithm_t;
 
 /**
@@ -461,32 +516,32 @@ struct kernel_algorithm_t {
  * Algorithms for encryption
  */
 static kernel_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64, 			0							}, */
-	{ENCR_DES, 					SADB_EALG_DESCBC			},
-	{ENCR_3DES, 				SADB_EALG_3DESCBC			},
-/*	{ENCR_RC5, 					0							}, */
-/*	{ENCR_IDEA, 				0							}, */
-	{ENCR_CAST, 				SADB_X_EALG_CASTCBC			},
-	{ENCR_BLOWFISH, 			SADB_X_EALG_BLOWFISHCBC		},
-/*	{ENCR_3IDEA, 				0							}, */
-/*	{ENCR_DES_IV32, 			0							}, */
-	{ENCR_NULL, 				SADB_EALG_NULL				},
-	{ENCR_AES_CBC,	 			SADB_X_EALG_AESCBC			},
-/*	{ENCR_AES_CTR, 				SADB_X_EALG_AESCTR			}, */
+/*	{ENCR_DES_IV64,				0							}, */
+	{ENCR_DES,					SADB_EALG_DESCBC			},
+	{ENCR_3DES,					SADB_EALG_3DESCBC			},
+/*	{ENCR_RC5,					0							}, */
+/*	{ENCR_IDEA,					0							}, */
+	{ENCR_CAST,					SADB_X_EALG_CASTCBC			},
+	{ENCR_BLOWFISH,				SADB_X_EALG_BLOWFISHCBC		},
+/*	{ENCR_3IDEA,				0							}, */
+/*	{ENCR_DES_IV32,				0							}, */
+	{ENCR_NULL,					SADB_EALG_NULL				},
+	{ENCR_AES_CBC,				SADB_X_EALG_AESCBC			},
+/*	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			}, */
 /*  {ENCR_AES_CCM_ICV8,			SADB_X_EALG_AES_CCM_ICV8	}, */
 /*	{ENCR_AES_CCM_ICV12,		SADB_X_EALG_AES_CCM_ICV12	}, */
 /*	{ENCR_AES_CCM_ICV16,		SADB_X_EALG_AES_CCM_ICV16	}, */
 /*	{ENCR_AES_GCM_ICV8,			SADB_X_EALG_AES_GCM_ICV8	}, */
 /*	{ENCR_AES_GCM_ICV12,		SADB_X_EALG_AES_GCM_ICV12	}, */
 /*	{ENCR_AES_GCM_ICV16,		SADB_X_EALG_AES_GCM_ICV16	}, */
-	{END_OF_LIST, 				0							},
+	{END_OF_LIST,				0							},
 };
 
 /**
  * Algorithms for integrity protection
  */
 static kernel_algorithm_t integrity_algs[] = {
-	{AUTH_HMAC_MD5_96, 			SADB_AALG_MD5HMAC			},
+	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
 	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
 	{AUTH_HMAC_SHA2_256_128,	SADB_X_AALG_SHA2_256HMAC	},
 	{AUTH_HMAC_SHA2_384_192,	SADB_X_AALG_SHA2_384HMAC	},
@@ -494,7 +549,7 @@ static kernel_algorithm_t integrity_algs[] = {
 /*	{AUTH_DES_MAC,				0,							}, */
 /*	{AUTH_KPDK_MD5,				0,							}, */
 	{AUTH_AES_XCBC_96,			SADB_X_AALG_AES_XCBC_MAC,	},
-	{END_OF_LIST, 				0,							},
+	{END_OF_LIST,				0,							},
 };
 
 #if 0
@@ -502,11 +557,11 @@ static kernel_algorithm_t integrity_algs[] = {
  * Algorithms for IPComp, unused yet
  */
 static kernel_algorithm_t compression_algs[] = {
-/*	{IPCOMP_OUI, 				0							}, */
+/*	{IPCOMP_OUI,				0							}, */
 	{IPCOMP_DEFLATE,			SADB_X_CALG_DEFLATE			},
 	{IPCOMP_LZS,				SADB_X_CALG_LZS				},
 	{IPCOMP_LZJH,				SADB_X_CALG_LZJH			},
-	{END_OF_LIST, 				0							},
+	{END_OF_LIST,				0							},
 };
 #endif
 
@@ -533,8 +588,11 @@ static void host2ext(host_t *host, struct sadb_address *ext)
 {
 	sockaddr_t *host_addr = host->get_sockaddr(host);
 	socklen_t *len = host->get_sockaddr_len(host);
- 	memcpy((char*)(ext + 1), host_addr, *len);
- 	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	host_addr->sa_len = *len;
+#endif
+	memcpy((char*)(ext + 1), host_addr, *len);
+	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
 }
 
 /**
@@ -562,10 +620,14 @@ static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
 	addr->sadb_address_exttype = type;
 	sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
 	saddr->sa_family = family;
- 	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	saddr->sa_len = len;
+#endif
+	addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
 	PFKEY_EXT_ADD(msg, addr);
 }
 
+#ifdef HAVE_NATT
 /**
  * add udp encap extensions to a sadb_msg
  */
@@ -592,6 +654,7 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
 	nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
 	PFKEY_EXT_ADD(msg, nat_port);
 }
+#endif /*HAVE_NATT*/
 
 /**
  * Convert a sadb_address to a traffic_selector
@@ -606,7 +669,7 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
      */
 	host = host_create_from_sockaddr((sockaddr_t*)&address[1])	;
 	ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
- 				address->sadb_address_proto, host->get_port(host));
+				address->sadb_address_proto, host->get_port(host));
 	return ts;
 }
 
@@ -645,7 +708,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 		
 		if (out->ext[ext->sadb_ext_type])
 		{
-			DBG1(DBG_KNL, "duplicate %N extension",			
+			DBG1(DBG_KNL, "duplicate %N extension",
 						   sadb_ext_type_names, ext->sadb_ext_type);
 			break;
 		}
@@ -699,7 +762,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 	}
 	
 	while (TRUE)
-	{	
+	{
 		msg = (struct sadb_msg*)buf;
 		
 		len = recv(socket, buf, sizeof(buf), 0);
@@ -757,7 +820,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 	*out_len = len;
 	*out = (struct sadb_msg*)malloc(len);
 	memcpy(*out, buf, len);
-		
+	
 	this->mutex_pfkey->unlock(this->mutex_pfkey);
 	
 	return SUCCESS;
@@ -868,8 +931,9 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	charon->processor->queue_job(charon->processor, job);
 }
 
+#ifdef SADB_X_MIGRATE
 /**
- * Process a SADB_MIGRATE message from the kernel
+ * Process a SADB_X_MIGRATE message from the kernel
  */
 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
 {
@@ -893,7 +957,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
 					 policy_dir_names, dir);
 	
-	/* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */   
+	/* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
 	if (response.x_kmaddress)
 	{
 		sockaddr_t *local_addr, *remote_addr;
@@ -924,7 +988,9 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 		DESTROY_IF(remote);
 	}
 }
+#endif /*SADB_X_MIGRATE*/
 
+#ifdef HAVE_NATT
 /**
  * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
  */
@@ -980,6 +1046,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 		}
 	}
 }
+#endif /*HAVE_NATT*/
 
 /**
  * Receives events from kernel
@@ -991,7 +1058,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 	int len, oldstate;
 	
 	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-	len = recv(this->socket_events, buf, sizeof(buf), 0);
+	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
 	pthread_setcancelstate(oldstate, NULL);
 	
 	if (len < 0)
@@ -1035,12 +1102,16 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 		case SADB_EXPIRE:
 			process_expire(this, msg);
 			break;
+#ifdef SADB_X_MIGRATE
 		case SADB_X_MIGRATE:
 			process_migrate(this, msg);
 			break;
+#endif /*SADB_X_MIGRATE*/
+#ifdef HAVE_NATT
 		case SADB_X_NAT_T_NEW_MAPPING:
 			process_mapping(this, msg);
 			break;
+#endif /*HAVE_NATT*/
 		default:
 			break;
 	}
@@ -1051,8 +1122,8 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 /**
  * Implementation of kernel_interface_t.get_spi.
  */
-static status_t get_spi(private_kernel_pfkey_ipsec_t *this, 
-						host_t *src, host_t *dst, 
+static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
+						host_t *src, host_t *dst,
 						protocol_id_t protocol, u_int32_t reqid,
 						u_int32_t *spi)
 {
@@ -1099,7 +1170,7 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
 		{
 			received_spi = response.sa->sadb_sa_spi;
 		}
-		free(out);	
+		free(out);
 	}
 	
 	if (received_spi == 0)
@@ -1114,8 +1185,8 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.get_cpi.
  */
-static status_t get_cpi(private_kernel_pfkey_ipsec_t *this, 
-						host_t *src, host_t *dst, 
+static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
+						host_t *src, host_t *dst,
 						u_int32_t reqid, u_int16_t *cpi)
 {
 	return FAILED;
@@ -1226,11 +1297,13 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
 	{
 		/*TODO*/
 	}
-	
+
+#ifdef HAVE_NATT
 	if (encap)
 	{
 		add_encap_ext(msg, src, dst);
 	}
+#endif /*HAVE_NATT*/
 	
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
@@ -1346,11 +1419,13 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 	{
 		PFKEY_EXT_COPY(msg, response.key_auth);
 	}
-	
+
+#ifdef HAVE_NATT
 	if (new_encap)
 	{
 		add_encap_ext(msg, new_src, new_dst);
 	}
+#endif /*HAVE_NATT*/
 	
 	free(out);
 	
@@ -1374,8 +1449,9 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
-					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
+					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
+					   u_int16_t cpi)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1398,9 +1474,8 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
 	sa->sadb_sa_spi = spi;
 	PFKEY_EXT_ADD(msg, sa);
 	
-	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
-	 * it is not used for anything. */
-	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+	/* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
 	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
 	
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
@@ -1424,7 +1499,7 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
 /**
  * Implementation of kernel_interface_t.add_policy.
  */
-static status_t add_policy(private_kernel_pfkey_ipsec_t *this, 
+static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 						   host_t *src, host_t *dst,
 						   traffic_selector_t *src_ts,
 						   traffic_selector_t *dst_ts,
@@ -1463,7 +1538,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 		this->policies->insert_last(this->policies, policy);
 		policy->refcount = 1;
 	}
-		
+	
 	memset(&request, 0, sizeof(request));
 	
 	DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
@@ -1480,12 +1555,14 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 	pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
 	pol->sadb_x_policy_id = 0;
 	pol->sadb_x_policy_dir = dir2kernel(direction);
+	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
 	/* calculate priority based on source selector size, small size = high prio */
 	pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
 	pol->sadb_x_policy_priority -= policy->src.mask * 10;
 	pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
 	pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
-	pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#endif
 	
 	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
 	req = (struct sadb_x_ipsecrequest*)(pol + 1);
@@ -1599,9 +1676,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
 		{
 			free(route);
 		}
-	}	
+	}
 	
-	this->mutex->unlock(this->mutex);	
+	this->mutex->unlock(this->mutex);
 	
 	return SUCCESS;
 }
@@ -1610,7 +1687,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
  * Implementation of kernel_interface_t.query_policy.
  */
 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
-							 traffic_selector_t *src_ts, 
+							 traffic_selector_t *src_ts,
 							 traffic_selector_t *dst_ts,
 							 policy_dir_t direction, u_int32_t *use_time)
 {
@@ -1689,7 +1766,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
 	*use_time = response.lft_current->sadb_lifetime_usetime;
 	
 	free(out);
-			
+	
 	return SUCCESS;
 }
 
@@ -1697,7 +1774,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
  * Implementation of kernel_interface_t.del_policy.
  */
 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
-						   traffic_selector_t *src_ts, 
+						   traffic_selector_t *src_ts,
 						   traffic_selector_t *dst_ts,
 						   policy_dir_t direction, bool unrouted)
 {
@@ -1722,7 +1799,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 		if (--found->refcount > 0)
 		{
 			/* is used by more SAs, keep in kernel */
-			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");	
+			DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
 			policy_entry_destroy(policy);
 			this->mutex->unlock(this->mutex);
 			return SUCCESS;
@@ -1741,7 +1818,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 		return NOT_FOUND;
 	}
 	this->mutex->unlock(this->mutex);
-		
+	
 	memset(&request, 0, sizeof(request));
 	
 	msg = (struct sadb_msg*)request;
@@ -1791,7 +1868,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
 			DBG1(DBG_KNL, "error uninstalling route installed with "
 						  "policy %R === %R %N", src_ts, dst_ts,
 						   policy_dir_names, direction);
-		}		
+		}
 		route_entry_destroy(route);
 	}
 	
@@ -1863,22 +1940,26 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
 		switch (family)
 		{
 			case AF_INET:
+			{
 				sol = SOL_IP;
 				ipsec_policy = IP_IPSEC_POLICY;
 				break;
+			}
 			case AF_INET6:
 			{
 				sol = SOL_IPV6;
 				ipsec_policy = IPV6_IPSEC_POLICY;
 				break;
 			}
+			default:
+				continue;
 		}
 		
 		memset(&policy, 0, sizeof(policy));
 		policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
 		policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 		policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-	
+		
 		policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
 		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
 		{
@@ -1890,7 +1971,7 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
 		policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
 		if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
 		{
-			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", 
+			DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
 				 strerror(errno));
 			status = FALSE;
 			break;
@@ -1912,7 +1993,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am
new file mode 100644
index 000000000..3ad445c09
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+
+libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+	kernel_pfroute_net.h kernel_pfroute_net.c
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
new file mode 100644
index 000000000..7805b6354
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -0,0 +1,715 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <ifaddrs.h>
+#include <net/route.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <errno.h>
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <utils/mutex.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/roam_job.h>
+
+#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
+#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
+#endif
+
+/** delay before firing roam jobs (ms) */
+#define ROAM_DELAY 100
+
+/** buffer size for PF_ROUTE messages */
+#define PFROUTE_BUFFER_SIZE 4096
+
+typedef struct addr_entry_t addr_entry_t;
+
+/**
+ * IP address in an inface_entry_t
+ */
+struct addr_entry_t {
+	
+	/** The ip address */
+	host_t *ip;
+	
+	/** virtual IP managed by us */
+	bool virtual;
+	
+	/** Number of times this IP is used, if virtual */
+	u_int refcount;
+};
+
+/**
+ * destroy a addr_entry_t object
+ */
+static void addr_entry_destroy(addr_entry_t *this)
+{
+	this->ip->destroy(this->ip);
+	free(this);
+}
+
+typedef struct iface_entry_t iface_entry_t;
+
+/**
+ * A network interface on this system, containing addr_entry_t's
+ */
+struct iface_entry_t {
+	
+	/** interface index */
+	int ifindex;
+	
+	/** name of the interface */
+	char ifname[IFNAMSIZ];
+	
+	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
+	u_int flags;
+	
+	/** list of addresses as host_t */
+	linked_list_t *addrs;
+};
+
+/**
+ * destroy an interface entry
+ */
+static void iface_entry_destroy(iface_entry_t *this)
+{
+	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
+	free(this);
+}
+
+
+typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t;
+
+/**
+ * Private variables and functions of kernel_pfroute class.
+ */
+struct private_kernel_pfroute_net_t
+{
+	/**
+	 * Public part of the kernel_pfroute_t object.
+	 */
+	kernel_pfroute_net_t public;
+	
+	/**
+	 * mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+	
+	/**
+	 * Cached list of interfaces and their addresses (iface_entry_t)
+	 */
+	linked_list_t *ifaces;
+	
+	/**
+	 * job receiving PF_ROUTE events
+	 */
+	callback_job_t *job;
+	
+	/**
+	 * mutex to lock access to the PF_ROUTE socket
+	 */
+	mutex_t *mutex_pfroute;
+	
+	/**
+	 * PF_ROUTE socket to communicate with the kernel
+	 */
+	int socket;
+	
+	/**
+	 * PF_ROUTE socket to receive events
+	 */
+	int socket_events;
+	
+	/**
+	 * sequence number for messages sent to the kernel
+	 */
+	int seq;
+	
+	/**
+	 * time of last roam job
+	 */
+	struct timeval last_roam;
+};
+
+/**
+ * Start a roaming job. We delay it a bit and fire only one job
+ * for multiple events. Otherwise we would create too many jobs.
+ */
+static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
+{
+	struct timeval now;
+	
+	if (gettimeofday(&now, NULL) == 0)
+	{
+		if (timercmp(&now, &this->last_roam, >))
+		{
+			now.tv_usec += ROAM_DELAY * 1000;
+			while (now.tv_usec > 1000000)
+			{
+				now.tv_sec++;
+				now.tv_usec -= 1000000;
+			}
+			this->last_roam = now;
+			charon->scheduler->schedule_job_ms(charon->scheduler,
+				(job_t*)roam_job_create(address), ROAM_DELAY);
+		}
+	}
+}
+
+/**
+ * Process an RTM_*ADDR message from the kernel
+ */
+static void process_addr(private_kernel_pfroute_net_t *this,
+						 struct rt_msghdr *msg)
+{
+	struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
+	sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
+	host_t *host = NULL;
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	bool found = FALSE, changed = FALSE, roam = FALSE;
+	int i;
+	
+	for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
+	{
+		if (ifa->ifam_addrs & i)
+		{
+			if (RTA_IFA & i)
+			{
+				host = host_create_from_sockaddr(sockaddr);
+				break;
+			}
+			sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
+		}
+	}
+	
+	if (!host)
+	{
+		return;
+	}
+	
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->ifindex == ifa->ifam_index)
+		{
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, &addr))
+			{
+				if (host->ip_equals(host, addr->ip))
+				{
+					found = TRUE;
+					if (ifa->ifam_type == RTM_DELADDR)
+					{
+						iface->addrs->remove_at(iface->addrs, addrs);
+						if (!addr->virtual)
+						{
+							changed = TRUE;
+							DBG1(DBG_KNL, "%H disappeared from %s",
+								 host, iface->ifname);
+						}
+						addr_entry_destroy(addr);
+					}
+					else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual)
+					{
+						addr->refcount = 1;
+					}
+				}
+			}
+			addrs->destroy(addrs);
+			
+			if (!found && ifa->ifam_type == RTM_NEWADDR)
+			{
+				changed = TRUE;
+				addr = malloc_thing(addr_entry_t);
+				addr->ip = host->clone(host);
+				addr->virtual = FALSE;
+				addr->refcount = 1;
+				iface->addrs->insert_last(iface->addrs, addr);
+				DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+			}
+			
+			if (changed && (iface->flags & IFF_UP))
+			{
+				roam = TRUE;
+			}
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	host->destroy(host);
+	
+	if (roam)
+	{
+		fire_roam_job(this, TRUE);
+	}
+}
+
+/**
+ * Process an RTM_IFINFO message from the kernel
+ */
+static void process_link(private_kernel_pfroute_net_t *this,
+						 struct rt_msghdr *hdr)
+{
+	struct if_msghdr *msg = (struct if_msghdr*)hdr;
+	enumerator_t *enumerator;
+	iface_entry_t *iface;
+	bool roam = FALSE;
+	
+	if (msg->ifm_flags & IFF_LOOPBACK)
+	{	/* ignore loopback interfaces */
+		return;
+	}
+	
+	this->mutex->lock(this->mutex);
+	enumerator = this->ifaces->create_enumerator(this->ifaces);
+	while (enumerator->enumerate(enumerator, &iface))
+	{
+		if (iface->ifindex == msg->ifm_index)
+		{
+			if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
+			{
+				roam = TRUE;
+				DBG1(DBG_KNL, "interface %s activated", iface->ifname);
+			}
+			else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
+			{
+				roam = TRUE;
+				DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
+			}
+			iface->flags = msg->ifm_flags;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+	
+	if (roam)
+	{
+		fire_roam_job(this, TRUE);
+	}
+}
+
+/**
+ * Process an RTM_*ROUTE message from the kernel
+ */
+static void process_route(private_kernel_pfroute_net_t *this,
+						  struct rt_msghdr *msg)
+{
+
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
+{
+	unsigned char buf[PFROUTE_BUFFER_SIZE];
+	struct rt_msghdr *msg = (struct rt_msghdr*)buf;
+	int len, oldstate;
+	
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
+	pthread_setcancelstate(oldstate, NULL);
+	
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
+		}
+	}
+	
+	if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
+		msg->rtm_version != RTM_VERSION)
+	{
+		DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
+		return JOB_REQUEUE_DIRECT;
+	}
+	
+	switch (msg->rtm_type)
+	{
+		case RTM_NEWADDR:
+		case RTM_DELADDR:
+			process_addr(this, msg);
+			break;
+		case RTM_IFINFO:
+		/*case RTM_IFANNOUNCE <- what about this*/
+			process_link(this, msg);
+			break;
+		case RTM_ADD:
+		case RTM_DELETE:
+			process_route(this, msg);
+		default:
+			break;
+	}
+	
+	return JOB_REQUEUE_DIRECT;
+}
+
+
+/** enumerator over addresses */
+typedef struct {
+	private_kernel_pfroute_net_t* this;
+	/** whether to enumerate down interfaces */
+	bool include_down_ifaces;
+	/** whether to enumerate virtual ip addresses */
+	bool include_virtual_ips;
+} address_enumerator_t;
+
+/**
+ * cleanup function for address enumerator
+ */
+static void address_enumerator_destroy(address_enumerator_t *data)
+{
+	data->this->mutex->unlock(data->this->mutex);
+	free(data);
+}
+
+/**
+ * filter for addresses
+ */
+static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+{
+	host_t *ip;
+	if (!data->include_virtual_ips && (*in)->virtual)
+	{   /* skip virtual interfaces added by us */
+		return FALSE;
+	}
+	ip = (*in)->ip;
+	if (ip->get_family(ip) == AF_INET6)
+	{
+		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip);
+		if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+		{   /* skip addresses with a unusable scope */
+			return FALSE;
+		}
+	}
+	*out = ip;
+	return TRUE;
+}
+
+/**
+ * enumerator constructor for interfaces
+ */
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+{
+	return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
+									(void*)filter_addresses, data, NULL);
+}
+
+/**
+ * filter for interfaces
+ */
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+{
+	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
+	{   /* skip interfaces not up */
+		return FALSE;
+	}
+	*out = *in;
+	return TRUE;
+}
+
+/**
+ * implementation of kernel_net_t.create_address_enumerator
+ */
+static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this,
+		bool include_down_ifaces, bool include_virtual_ips)
+{
+	address_enumerator_t *data = malloc_thing(address_enumerator_t);
+	data->this = this;
+	data->include_down_ifaces = include_down_ifaces;
+	data->include_virtual_ips = include_virtual_ips;
+
+	this->mutex->lock(this->mutex);
+	return enumerator_create_nested(
+				enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
+						(void*)filter_interfaces, data, NULL),
+				(void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+}
+
+/**
+ * implementation of kernel_net_t.get_interface_name
+ */
+static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
+{
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	char *name = NULL;
+
+	DBG2(DBG_KNL, "getting interface name for %H", ip);
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		addrs = iface->addrs->create_enumerator(iface->addrs);
+		while (addrs->enumerate(addrs, &addr))
+		{
+			if (ip->ip_equals(ip, addr->ip))
+			{
+				name = strdup(iface->ifname);
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (name)
+		{
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	
+	if (name)
+	{
+		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+	}
+	else
+	{
+		DBG2(DBG_KNL, "%H is not a local address", ip);
+	}
+	return name;
+}
+
+/**
+ * Implementation of kernel_net_t.get_source_addr.
+ */
+static host_t* get_source_addr(private_kernel_pfroute_net_t *this,
+							   host_t *dest, host_t *src)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.get_nexthop.
+ */
+static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest)
+{
+	return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.add_ip.
+ */
+static status_t add_ip(private_kernel_pfroute_net_t *this,
+						host_t *virtual_ip, host_t *iface_ip)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_ip.
+ */
+static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.add_route.
+ */
+static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_route.
+ */
+static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+		u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+	return FAILED;
+}
+
+/**
+ * Initialize a list of local addresses.
+ */
+static status_t init_address_list(private_kernel_pfroute_net_t *this)
+{
+	struct ifaddrs *ifap, *ifa;
+	iface_entry_t *iface, *current;
+	addr_entry_t *addr;
+	enumerator_t *ifaces, *addrs;
+	
+	DBG1(DBG_KNL, "listening on interfaces:");
+	
+	if (getifaddrs(&ifap) < 0)
+	{
+		DBG1(DBG_KNL, "  failed to get interfaces!");
+		return FAILED;
+	}
+	
+	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
+	{
+		if (ifa->ifa_addr == NULL)
+		{
+			continue;
+		}
+		switch(ifa->ifa_addr->sa_family)
+		{
+			case AF_LINK:
+			case AF_INET:
+			case AF_INET6:
+			{
+				if (ifa->ifa_flags & IFF_LOOPBACK)
+				{	/* ignore loopback interfaces */
+					continue;
+				}
+				
+				iface = NULL;
+				ifaces = this->ifaces->create_enumerator(this->ifaces);
+				while (ifaces->enumerate(ifaces, &current))
+				{
+					if (streq(current->ifname, ifa->ifa_name))
+					{
+						iface = current;
+						break;
+					}
+				}
+				ifaces->destroy(ifaces);
+				
+				if (!iface)
+				{
+					iface = malloc_thing(iface_entry_t);
+					memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
+					iface->ifindex = if_nametoindex(ifa->ifa_name);
+					iface->flags = ifa->ifa_flags;
+					iface->addrs = linked_list_create();
+					this->ifaces->insert_last(this->ifaces, iface);
+				}
+				
+				if (ifa->ifa_addr->sa_family != AF_LINK)
+				{
+					addr = malloc_thing(addr_entry_t);
+					addr->ip = host_create_from_sockaddr(ifa->ifa_addr);
+					addr->virtual = FALSE;
+					addr->refcount = 1;
+					iface->addrs->insert_last(iface->addrs, addr);
+				}
+			}
+		}
+	}
+	freeifaddrs(ifap);
+	
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->flags & IFF_UP)
+		{
+			DBG1(DBG_KNL, "  %s", iface->ifname);
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, (void**)&addr))
+			{
+				DBG1(DBG_KNL, "    %H", addr->ip);
+			}
+			addrs->destroy(addrs);
+		}
+	}
+	ifaces->destroy(ifaces);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_netlink_net_t.destroy.
+ */
+static void destroy(private_kernel_pfroute_net_t *this)
+{
+	this->job->cancel(this->job);
+	close(this->socket);
+	close(this->socket_events);
+	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+	this->mutex->destroy(this->mutex);
+	this->mutex_pfroute->destroy(this->mutex_pfroute);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create()
+{
+	private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
+	
+	/* public functions */
+	this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
+	this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
+	this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
+	this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
+	this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
+	this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
+	this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
+	this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
+	
+	this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
+	
+	/* private members */
+	this->ifaces = linked_list_create();
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	this->mutex_pfroute = mutex_create(MUTEX_DEFAULT);
+	
+	this->seq = 0;
+	
+	/* create a PF_ROUTE socket to communicate with the kernel */
+	this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+	if (this->socket <= 0)
+	{
+		charon->kill(charon, "unable to create PF_ROUTE socket");
+	}
+	
+	/* create a PF_ROUTE socket to receive events */
+	this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+	if (this->socket_events <= 0)
+	{
+		charon->kill(charon, "unable to create PF_ROUTE event socket");
+	}
+	
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	
+	if (init_address_list(this) != SUCCESS)
+	{
+		charon->kill(charon, "unable to get interface list");
+	}
+	
+	return &this->public;
+}
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
new file mode 100644
index 000000000..9138befc1
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup kernel_pfroute_net_i kernel_pfroute_net
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_NET_H_
+#define KERNEL_PFROUTE_NET_H_
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_pfroute_net_t kernel_pfroute_net_t;
+
+/**
+ * Implementation of the kernel net interface using PF_ROUTE.
+ */
+struct kernel_pfroute_net_t {
+
+	/**
+	 * Implements kernel_net_t interface
+	 */
+	kernel_net_t interface;
+};
+
+/**
+ * Create a PF_ROUTE kernel net interface instance.
+ *
+ * @return			kernel_pfroute_net_t instance
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create();
+
+#endif /** KERNEL_PFROUTE_NET_H_ @}*/
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
new file mode 100644
index 000000000..a6d95283b
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+
+#include "kernel_pfroute_plugin.h"
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
+
+/**
+ * private data of kernel PF_ROUTE plugin
+ */
+struct private_kernel_pfroute_plugin_t {
+	/**
+	 * implements plugin interface
+	 */
+	kernel_pfroute_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_pfroute_plugin_t *this)
+{
+	charon->kernel_interface->remove_net_interface(charon->kernel_interface,
+						(kernel_net_constructor_t)kernel_pfroute_net_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+	private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
+	
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	
+	charon->kernel_interface->add_net_interface(charon->kernel_interface,
+						(kernel_net_constructor_t)kernel_pfroute_net_create);
+	
+	return &this->public.plugin;
+}
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
new file mode 100644
index 000000000..f8ae1a96a
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup kernel_pfroute kernel_pfroute
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_PLUGIN_H_
+#define KERNEL_PFROUTE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t;
+
+/**
+ * PF_ROUTE kernel interface plugin
+ */
+struct kernel_pfroute_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a kernel_pfroute_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c
index 9abd65195..66ebd07c4 100644
--- a/src/charon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.c
@@ -88,8 +88,9 @@ static status_t update_sa(private_load_tester_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_load_tester_ipsec_t *this, host_t *dst,
-					   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src,
+					   host_t *dst, u_int32_t spi, protocol_id_t protocol,
+					   u_int16_t cpi)
 {
 	return SUCCESS;
 }
@@ -152,7 +153,7 @@ load_tester_ipsec_t *load_tester_ipsec_create()
 	this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
 	this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
 	this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+	this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
 	this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
 	this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/medcli/medcli_creds.c b/src/charon/plugins/medcli/medcli_creds.c
index 1e99f6990..2a4972046 100644
--- a/src/charon/plugins/medcli/medcli_creds.c
+++ b/src/charon/plugins/medcli/medcli_creds.c
@@ -96,7 +96,7 @@ static enumerator_t* create_private_enumerator(private_medcli_creds_t *this,
 	if ((type != KEY_RSA && type != KEY_ANY) ||
 		id == NULL || id->get_type(id) != ID_KEY_ID)
 	{
-		DBG1(DBG_CFG, "%N - %D", key_type_names, type, id);
+		DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id);
 		return NULL;
 	}
 	
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c
index c76222f28..1eab8f2c0 100644
--- a/src/charon/plugins/resolv_conf/resolv_conf_handler.c
+++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.c
@@ -79,7 +79,7 @@ static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
 	if (out)
 	{
 		addr = host_create_from_chunk(family, data, 0);
-		fprintf(out, "nameserver %H   # by strongSwan, from %D\n",
+		fprintf(out, "nameserver %H   # by strongSwan, from %Y\n",
 				addr, ike_sa->get_other_id(ike_sa));
 		DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
 		addr->destroy(addr);
@@ -140,7 +140,7 @@ static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
 		{
 			addr = host_create_from_chunk(family, data, 0);
 			snprintf(matcher, sizeof(matcher),
-					 "nameserver %H   # by strongSwan, from %D\n",
+					 "nameserver %H   # by strongSwan, from %Y\n",
 					 addr, ike_sa->get_other_id(ike_sa));
 			
 			/* copy all, but matching line */
diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c
index 33a2bb491..40eeefc74 100644
--- a/src/charon/plugins/smp/smp.c
+++ b/src/charon/plugins/smp/smp.c
@@ -109,7 +109,7 @@ static void write_id(xmlTextWriterPtr writer, char *element, identification_t *i
 					break;
 			}
 			xmlTextWriterWriteAttribute(writer, "type", type);
-			xmlTextWriterWriteFormatString(writer, "%D", id);
+			xmlTextWriterWriteFormatString(writer, "%Y", id);
 			break;
 		}
 		default:
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
index a1c67c691..28cd038c9 100644
--- a/src/charon/plugins/sql/pool.c
+++ b/src/charon/plugins/sql/pool.c
@@ -562,7 +562,7 @@ static void leases(char *filter, bool utc)
 				printf("    ");
 			}
 		}
-		printf("%D\n", identity);
+		printf("%Y\n", identity);
 		DESTROY_IF(address);
 		identity->destroy(identity);
 	}
diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c
index a3beb3a62..56237694e 100644
--- a/src/charon/plugins/stroke/stroke_attribute.c
+++ b/src/charon/plugins/stroke/stroke_attribute.c
@@ -223,7 +223,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 			id = pool->ids->get(pool->ids, id);
 			if (id)
 			{
-				DBG1(DBG_CFG, "reassigning offline lease to %D", id);
+				DBG1(DBG_CFG, "reassigning offline lease to %Y", id);
 				pool->online->put(pool->online, id, (void*)offset);
 				break;
 			}
@@ -233,7 +233,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 		offset = (uintptr_t)pool->online->get(pool->online, id);
 		if (offset && offset == host2offset(pool, requested))
 		{
-			DBG1(DBG_CFG, "reassigning online lease to %D", id);
+			DBG1(DBG_CFG, "reassigning online lease to %Y", id);
 			break;
 		}
 		
@@ -245,7 +245,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 			id = id->clone(id);
 			pool->ids->put(pool->ids, id, id);
 			pool->online->put(pool->online, id, (void*)offset);
-			DBG1(DBG_CFG, "assigning new lease to %D", id);
+			DBG1(DBG_CFG, "assigning new lease to %Y", id);
 			break;
 		}
 		/* no more addresses, replace the first found offline lease */
@@ -257,7 +257,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
 			{
 				/* destroy reference to old ID */
 				old_id = pool->ids->remove(pool->ids, old_id);
-				DBG1(DBG_CFG, "reassigning existing offline lease of %D to %D",
+				DBG1(DBG_CFG, "reassigning existing offline lease of %Y to %Y",
 					 old_id, id);
 				if (old_id)
 				{
@@ -305,7 +305,7 @@ static bool release_address(private_stroke_attribute_t *this,
 				id = pool->ids->get(pool->ids, id);
 				if (id)
 				{
-					DBG1(DBG_CFG, "lease %H of %D went offline", address, id);
+					DBG1(DBG_CFG, "lease %H of %Y went offline", address, id);
 					pool->offline->put(pool->offline, id, (void*)offset);
 					found = TRUE;
 				}
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index 54356436f..dffa8e235 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -398,14 +398,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 			first = FALSE;
 		}
 		fprintf(out, "\n");
-		fprintf(out, "  authname:    \"%D\"\n", cert->get_subject(cert));
+		fprintf(out, "  authname:    \"%Y\"\n", cert->get_subject(cert));
 
 		/* list authkey and keyid */
 		if (public)
 		{
-			fprintf(out, "  authkey:      %D\n",
+			fprintf(out, "  authkey:      %Y\n",
 					public->get_id(public, ID_PUBKEY_SHA1));
-			fprintf(out, "  keyid:        %D\n",
+			fprintf(out, "  keyid:        %Y\n",
 					public->get_id(public, ID_PUBKEY_INFO_SHA1));
 			public->destroy(public);
 		}
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index 4a0b1ff42..21e2fd2f2 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -386,8 +386,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			if (identity->get_type(identity) == ID_ANY ||
 				!certificate->has_subject(certificate, identity))
 			{
-				DBG1(DBG_CFG, "  peerid %D not confirmed by certificate, "
-					 "defaulting to subject DN: %D", identity,
+				DBG1(DBG_CFG, "  peerid %Y not confirmed by certificate, "
+					 "defaulting to subject DN: %Y", identity,
 					 certificate->get_subject(certificate));
 				identity->destroy(identity);
 				identity = certificate->get_subject(certificate);
diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c
index 08d50519c..634a89d1d 100644
--- a/src/charon/plugins/stroke/stroke_control.c
+++ b/src/charon/plugins/stroke/stroke_control.c
@@ -249,7 +249,7 @@ static void terminate_srcip(private_stroke_control_t *this,
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
 	host_t *start = NULL, *end = NULL, *vip;
-	chunk_t chunk_start, chunk_end, chunk_vip;
+	chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip;
 	
 	if (msg->terminate_srcip.start)
 	{
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 066591c9d..689e463b4 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -74,7 +74,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 		fprintf(out, " %V ago", &now, &established);
 	}
 	
-	fprintf(out, ", %H[%D]...%H[%D]\n",
+	fprintf(out, ", %H[%Y]...%H[%Y]\n",
 			ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
 			ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
 	
@@ -266,7 +266,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
 	enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
 	while (enumerator->enumerate(enumerator, &auth))
 	{
-		fprintf(out, "%12s:   %s [%D] uses ", name,	local ? "local: " : "remote:",
+		fprintf(out, "%12s:   %s [%Y] uses ", name,	local ? "local: " : "remote:",
 				auth->get(auth, AUTH_RULE_IDENTITY));
 
 		auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
@@ -297,7 +297,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
 			id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
 			if (id)
 			{
-				fprintf(out, " with EAP identity '%D'", id);
+				fprintf(out, " with EAP identity '%Y'", id);
 			}
 			fprintf(out, "\n");
 		}
@@ -305,19 +305,19 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
 		cert = auth->get(auth, AUTH_RULE_CA_CERT);
 		if (cert)
 		{
-			fprintf(out, "%12s:    ca:    \"%D\"\n", name, cert->get_subject(cert));
+			fprintf(out, "%12s:    ca:    \"%Y\"\n", name, cert->get_subject(cert));
 		}
 
 		cert = auth->get(auth, AUTH_RULE_IM_CERT);
 		if (cert)
 		{
-			fprintf(out, "%12s:    im-ca: \"%D\"\n", name, cert->get_subject(cert));
+			fprintf(out, "%12s:    im-ca: \"%Y\"\n", name, cert->get_subject(cert));
 		}
 
 		cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
 		if (cert)
 		{
-			fprintf(out, "%12s:    cert:  \"%D\"\n", name,
+			fprintf(out, "%12s:    cert:  \"%Y\"\n", name,
 					cert->get_subject(cert));
 		}
 
@@ -340,7 +340,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
 		{
 			if (rule == AUTH_RULE_AC_GROUP)
 			{
-				fprintf(out, "%12s:    group: %D\n", name, id);
+				fprintf(out, "%12s:    group: %Y\n", name, id);
 			}
 		}
 		rules->destroy(rules);
@@ -593,8 +593,8 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
 					key_type_names, public->get_type(public),
 					public->get_keysize(public) * 8,
 					private ? ", has private key" : "");
-			fprintf(out, "  keyid:     %D\n", keyid);
-			fprintf(out, "  subjkey:   %D\n", id);
+			fprintf(out, "  keyid:     %Y\n", keyid);
+			fprintf(out, "  subjkey:   %Y\n", id);
 			DESTROY_IF(private);
 			public->destroy(public);
 		}
@@ -650,7 +650,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 				{
 					fprintf(out, ", ");
 				}
-				fprintf(out, "%D", altName);
+				fprintf(out, "%Y", altName);
 			}
 			if (!first_altName)
 			{
@@ -658,8 +658,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 			}
 			enumerator->destroy(enumerator);
 
-			fprintf(out, "  subject:  \"%D\"\n", cert->get_subject(cert));
-			fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+			fprintf(out, "  subject:  \"%Y\"\n", cert->get_subject(cert));
+			fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
 			fprintf(out, "  serial:    %#B\n", &serial);
 
 			/* list validity */
@@ -704,8 +704,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 						key_type_names, public->get_type(public),
 						public->get_keysize(public) * 8,
 						private ? ", has private key" : "");
-				fprintf(out, "  keyid:     %D\n", keyid);
-				fprintf(out, "  subjkey:   %D\n", id);
+				fprintf(out, "  keyid:     %Y\n", keyid);
+				fprintf(out, "  subjkey:   %Y\n", id);
 				DESTROY_IF(private);
 				public->destroy(public);
 			}
@@ -713,7 +713,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 			/* list optional authorityKeyIdentifier */
 			if (authkey)
 			{
-				fprintf(out, "  authkey:   %D\n", authkey);
+				fprintf(out, "  authkey:   %Y\n", authkey);
 			}
 		}
 	}
@@ -749,17 +749,17 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 
 		if (entityName)
 		{
-			fprintf(out, "  holder:   \"%D\"\n", entityName);
+			fprintf(out, "  holder:   \"%Y\"\n", entityName);
 		}
 		if (holderIssuer)
 		{
-			fprintf(out, "  hissuer:  \"%D\"\n", holderIssuer);
+			fprintf(out, "  hissuer:  \"%Y\"\n", holderIssuer);
 		}
 		if (holderSerial.ptr)
 		{
 			fprintf(out, "  hserial:   %#B\n", &holderSerial);
 		}
-		fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
 		fprintf(out, "  serial:    %#B\n", &serial);
 
 		/* list validity */
@@ -783,7 +783,7 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 		/* list optional authorityKeyIdentifier */
 		if (authkey)
 		{
-			fprintf(out, "  authkey:   %D\n", authkey);
+			fprintf(out, "  authkey:   %Y\n", authkey);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -813,7 +813,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
 		}
 		fprintf(out, "\n");
 
-		fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
 
 		/* list optional crlNumber */
 		if (serial.ptr)
@@ -856,7 +856,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
 		/* list optional authorityKeyIdentifier */
 		if (authkey)
 		{
-			fprintf(out, "  authkey:   %D\n", authkey);
+			fprintf(out, "  authkey:   %Y\n", authkey);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -881,7 +881,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
 			first = FALSE;
 		}
 
-		fprintf(out, "  signer:   \"%D\"\n", cert->get_issuer(cert));
+		fprintf(out, "  signer:   \"%Y\"\n", cert->get_issuer(cert));
 	}
 	enumerator->destroy(enumerator);
 }
@@ -1024,7 +1024,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
 	{
 		if (!address || address->ip_equals(address, lease))
 		{
-			fprintf(out, "  %15H   %s   '%D'\n",
+			fprintf(out, "  %15H   %s   '%Y'\n",
 					lease, on ? "online" : "offline", id);
 			found++;
 		}
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index d8cc69c20..e1c3e58ab 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -571,8 +571,11 @@ static job_requeue_t receive(private_stroke_socket_t *this)
  */
 static bool open_socket(private_stroke_socket_t *this)
 {
-	struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
+	struct sockaddr_un socket_addr;
 	mode_t old;
+
+	socket_addr.sun_family = AF_UNIX;
+	strcpy(socket_addr.sun_path, STROKE_SOCKET);
 	
 	/* set up unix socket */
 	this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
diff --git a/src/charon/plugins/updown/updown_listener.c b/src/charon/plugins/updown/updown_listener.c
index 7dfb874cb..4feffd9c4 100644
--- a/src/charon/plugins/updown/updown_listener.c
+++ b/src/charon/plugins/updown/updown_listener.c
@@ -188,14 +188,14 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
 				"PLUTO_INTERFACE='%s' "
 				"PLUTO_REQID='%u' "
 				"PLUTO_ME='%H' "
-				"PLUTO_MY_ID='%D' "
+				"PLUTO_MY_ID='%Y' "
 				"PLUTO_MY_CLIENT='%s/%s' "
 				"PLUTO_MY_CLIENT_NET='%s' "
 				"PLUTO_MY_CLIENT_MASK='%s' "
 				"PLUTO_MY_PORT='%u' "
 				"PLUTO_MY_PROTOCOL='%u' "
 				"PLUTO_PEER='%H' "
-				"PLUTO_PEER_ID='%D' "
+				"PLUTO_PEER_ID='%Y' "
 				"PLUTO_PEER_CLIENT='%s/%s' "
 				"PLUTO_PEER_CLIENT_NET='%s' "
 				"PLUTO_PEER_CLIENT_MASK='%s' "
diff --git a/src/charon/processing/jobs/mediation_job.c b/src/charon/processing/jobs/mediation_job.c
index 5894b6aab..607286b01 100644
--- a/src/charon/processing/jobs/mediation_job.c
+++ b/src/charon/processing/jobs/mediation_job.c
@@ -101,7 +101,7 @@ static void execute(private_mediation_job_t *this)
 				/* send callback to a peer */
 				if (target_sa->callback(target_sa, this->source) != SUCCESS)
 				{
-					DBG1(DBG_JOB, "callback for '%D' to '%D' failed",
+					DBG1(DBG_JOB, "callback for '%Y' to '%Y' failed",
 							this->source, this->target);
 					charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
 					destroy(this);
@@ -114,7 +114,7 @@ static void execute(private_mediation_job_t *this)
 				if (target_sa->relay(target_sa, this->source, this->connect_id,
 						this->connect_key, this->endpoints, this->response) != SUCCESS)
 				{
-					DBG1(DBG_JOB, "mediation between '%D' and '%D' failed",
+					DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed",
 							this->source, this->target);
 					charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
 					/* FIXME: notify the initiator */
@@ -127,13 +127,13 @@ static void execute(private_mediation_job_t *this)
 		}
 		else
 		{
-			DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: "
+			DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
 					"SA not found", this->source, this->target);
 		}
 	}
 	else
 	{
-		DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: "
+		DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
 				"peer is not online anymore", this->source, this->target);
 	}
 	destroy(this);
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 876cb7b74..27cec2d72 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -217,7 +217,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 				{
 					snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
 					this->eap_identity = identification_create_from_string(buf);
-					DBG1(DBG_IKE, "received EAP identity '%D'",
+					DBG1(DBG_IKE, "received EAP identity '%Y'",
 						 this->eap_identity);
 				}
 				/* restart EAP exchange, but with real method */
@@ -254,12 +254,12 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 			if (vendor)
 			{
 				DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
-					 "peer %D", type, vendor, 
+					 "peer %Y", type, vendor, 
 					 this->ike_sa->get_other_id(this->ike_sa));
 			}
 			else
 			{
-				DBG1(DBG_IKE, "EAP method %N failed for peer %D",
+				DBG1(DBG_IKE, "EAP method %N failed for peer %Y",
 					 eap_type_names, type,
 					 this->ike_sa->get_other_id(this->ike_sa));
 			}
@@ -290,7 +290,7 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
 		{
 			id = this->ike_sa->get_my_id(this->ike_sa);
 		}
-		DBG1(DBG_IKE, "server requested %N, sending '%D'",
+		DBG1(DBG_IKE, "server requested %N, sending '%Y'",
 			 eap_type_names, type, id);
 		this->eap_identity = id->clone(id);
 		
@@ -380,7 +380,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
 	}
 	chunk_free(&auth_data);
 	
-	DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+	DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
 		 other_id, auth_class_names, AUTH_CLASS_EAP);
 	this->auth_complete = TRUE;
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
@@ -401,7 +401,7 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message)
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	keymat = this->ike_sa->get_keymat(this->ike_sa);
 	
-	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
+	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
 		 my_id, auth_class_names, AUTH_CLASS_EAP);
 	
 	auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c
index 45baa8e9c..5ce919355 100644
--- a/src/charon/sa/authenticators/psk_authenticator.c
+++ b/src/charon/sa/authenticators/psk_authenticator.c
@@ -63,13 +63,13 @@ static status_t build(private_psk_authenticator_t *this, message_t *message)
 	keymat = this->ike_sa->get_keymat(this->ike_sa);
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
-	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
+	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
 		 my_id, auth_method_names, AUTH_PSK);
 	key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
 										  my_id, other_id);
 	if (key == NULL)
 	{
-		DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+		DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
 		return NOT_FOUND;
 	}
 	auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
@@ -119,7 +119,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
 									this->nonce, key->get_key(key), other_id);
 		if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
 		{
-			DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
 				 other_id, auth_method_names, AUTH_PSK);
 			authenticated = TRUE;
 		}
@@ -131,10 +131,10 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
 	{
 		if (keys_found == 0)
 		{
-			DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+			DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
 			return NOT_FOUND;
 		}
-		DBG1(DBG_IKE, "tried %d shared key%s for '%D' - '%D', but MAC mismatched",
+		DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched",
 			 keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
 		return FAILED;
 	}
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.c b/src/charon/sa/authenticators/pubkey_authenticator.c
index 482d6b91d..b8335a69d 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.c
+++ b/src/charon/sa/authenticators/pubkey_authenticator.c
@@ -71,7 +71,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 											   id, auth);
 	if (private == NULL)
 	{
-		DBG1(DBG_IKE, "no private key found for '%D'", id);
+		DBG1(DBG_IKE, "no private key found for '%Y'", id);
 		return NOT_FOUND;
 	}
 	
@@ -122,7 +122,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 		message->add_payload(message, (payload_t*)auth_payload);
 		status = SUCCESS;
 	}
-	DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", id,
+	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
 		 auth_method_names, auth_method, 
 		 (status == SUCCESS)? "successful":"failed");
 	chunk_free(&octets);
@@ -186,7 +186,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
 	{
 		if (public->verify(public, scheme, octets, auth_data))
 		{
-			DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
 						   id, auth_method_names, auth_method);
 			status = SUCCESS;
 			auth->merge(auth, current_auth, FALSE);
@@ -203,7 +203,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
 	chunk_free(&octets);
 	if (status == NOT_FOUND)
 	{
-		DBG1(DBG_IKE, "no trusted %N public key found for '%D'",
+		DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
 			 key_type_names, key_type, id);
 	}
 	return status;
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index 092210bb2..1ea9539b0 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -724,14 +724,14 @@ static void destroy(private_child_sa_t *this)
 	if (this->my_spi)
 	{
 		charon->kernel_interface->del_sa(charon->kernel_interface,
-					this->my_addr, this->my_spi, this->protocol,
-					this->my_cpi);
+					this->other_addr, this->my_addr, this->my_spi,
+					this->protocol, this->my_cpi);
 	}
 	if (this->other_spi)
 	{
 		charon->kernel_interface->del_sa(charon->kernel_interface,
-					this->other_addr, this->other_spi, this->protocol,
-					this->other_cpi);
+					this->my_addr, this->other_addr, this->other_spi,
+					this->protocol, this->other_cpi);
 	}
 	
 	if (this->config->install_policy(this->config))
diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c
index 4574ea3a9..89d8882bf 100644
--- a/src/charon/sa/connect_manager.c
+++ b/src/charon/sa/connect_manager.c
@@ -1196,8 +1196,8 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
 		}
 		else
 		{
-			DBG1(DBG_IKE, "there is no mediated connection waiting between '%D' "
-					"and '%D'", checklist->initiator.id, checklist->responder.id);
+			DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y' "
+					"and '%Y'", checklist->initiator.id, checklist->responder.id);
 		}
 	}
 }
@@ -1396,7 +1396,7 @@ static bool check_and_register(private_connect_manager_t *this,
 
 	if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
 	{
-		DBG2(DBG_IKE, "registered waiting mediated connection with '%D'", peer_id);
+		DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'", peer_id);
 		initiated = initiated_create(id, peer_id);
 		this->initiated->insert_last(this->initiated, initiated);
 		already_there = FALSE;
@@ -1425,7 +1425,7 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med
 
 	if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
 	{
-		DBG2(DBG_IKE, "no waiting mediated connections with '%D'", peer_id);
+		DBG2(DBG_IKE, "no waiting mediated connections with '%Y'", peer_id);
 		this->mutex->unlock(this->mutex);
 		return;
 	}
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index f6abb0c35..311b18c8c 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -1436,7 +1436,7 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 					{
 						case UNIQUE_REPLACE:
 							DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
-									"'%D' due to uniqueness policy", other);
+									"'%Y' due to uniqueness policy", other);
 							status = duplicate->delete(duplicate);
 							break;
 						case UNIQUE_KEEP:
diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c
index fbdf3ad58..b652c29e6 100644
--- a/src/charon/sa/mediation_manager.c
+++ b/src/charon/sa/mediation_manager.c
@@ -227,12 +227,12 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
 	
 	if (!found)
 	{
-		DBG2(DBG_IKE, "adding peer '%D'", peer_id);
+		DBG2(DBG_IKE, "adding peer '%Y'", peer_id);
 		peer = peer_create(peer_id, NULL);
 		this->peers->insert_last(this->peers, peer);
 	}
 
-	DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%D'", peer_id);			
+	DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);			
 	peer->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
 	
 	/* send callbacks to registered peers */
@@ -284,7 +284,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
 
 	if (get_peer_by_id(this, peer_id, &peer) != SUCCESS)
 	{
-		DBG2(DBG_IKE, "adding peer %D", peer_id);
+		DBG2(DBG_IKE, "adding peer %Y", peer_id);
 		peer = peer_create(peer_id, NULL);
 		this->peers->insert_last(this->peers, peer);
 	}
@@ -292,7 +292,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
 	if (!peer->ike_sa_id)
 	{
 		/* the peer is not online */
-		DBG2(DBG_IKE, "requested peer '%D' is offline, registering peer '%D'", peer_id, requester);
+		DBG2(DBG_IKE, "requested peer '%Y' is offline, registering peer '%Y'", peer_id, requester);
 		register_peer(peer, requester);
 		this->mutex->unlock(this->mutex);
 		return NULL;
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index d594e3baa..b5ef17ab8 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -642,7 +642,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 		{	/* IDr received, check if it matches configuration */
 			if (id_cfg && !id->matches(id, id_cfg))
 			{
-				DBG1(DBG_CFG, "received IDr %D, but require %D", id, id_cfg);
+				DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
 				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
 									chunk_empty);
 				return FAILED;
@@ -730,7 +730,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 			return FAILED;
 		}
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 			 this->ike_sa->get_name(this->ike_sa),
 			 this->ike_sa->get_unique_id(this->ike_sa),
 			 this->ike_sa->get_my_host(this->ike_sa),
@@ -907,7 +907,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 			return FAILED;
 		}
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 			 this->ike_sa->get_name(this->ike_sa),
 			 this->ike_sa->get_unique_id(this->ike_sa),
 			 this->ike_sa->get_my_host(this->ike_sa),
diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c
index da3ee4dce..3ef1cafc4 100644
--- a/src/charon/sa/tasks/ike_cert_post.c
+++ b/src/charon/sa/tasks/ike_cert_post.c
@@ -140,7 +140,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 			{
 				break;
 			}
-			DBG1(DBG_IKE, "sending end entity cert \"%D\"",
+			DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
 				 cert->get_subject(cert));
 			message->add_payload(message, (payload_t*)payload);
 			
@@ -152,7 +152,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 					payload = cert_payload_create_from_cert(cert);
 					if (payload)
 					{
-						DBG1(DBG_IKE, "sending issuer cert \"%D\"",
+						DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
 							 cert->get_subject(cert));
 						message->add_payload(message, (payload_t*)payload);
 					}
diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c
index 0ec7004c2..db9e7bcc6 100644
--- a/src/charon/sa/tasks/ike_cert_pre.c
+++ b/src/charon/sa/tasks/ike_cert_pre.c
@@ -95,14 +95,14 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 											CERT_X509, KEY_ANY, id, TRUE);
 					if (cert)
 					{
-						DBG1(DBG_IKE, "received cert request for \"%D\"",
+						DBG1(DBG_IKE, "received cert request for \"%Y\"",
 							 cert->get_subject(cert));
 						auth->add(auth, AUTH_RULE_CA_CERT, cert);
 					}
 					else
 					{
 						DBG1(DBG_IKE, "received cert request for unknown ca "
-									  "with keyid %D", id);
+									  "with keyid %Y", id);
 					}
 					id->destroy(id);
 				}
@@ -211,14 +211,14 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 					{
 						if (first)
 						{	/* the first is an end entity certificate */
-							DBG1(DBG_IKE, "received end entity cert \"%D\"",
+							DBG1(DBG_IKE, "received end entity cert \"%Y\"",
 								 cert->get_subject(cert));
 							auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
 							first = FALSE;
 						}
 						else
 						{
-							DBG1(DBG_IKE, "received issuer cert \"%D\"",
+							DBG1(DBG_IKE, "received issuer cert \"%Y\"",
 								 cert->get_subject(cert));
 							auth->add(auth, AUTH_HELPER_IM_CERT, cert);
 						}
@@ -300,7 +300,7 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert)
 			keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
 			(*req)->add_keyid(*req, keyid->get_encoding(keyid));
 			public->destroy(public);
-			DBG1(DBG_IKE, "sending cert request for \"%D\"",
+			DBG1(DBG_IKE, "sending cert request for \"%Y\"",
 				 cert->get_subject(cert));
 			break;
 		}
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
index 7ff969044..185010040 100644
--- a/src/charon/sa/tasks/ike_delete.c
+++ b/src/charon/sa/tasks/ike_delete.c
@@ -56,7 +56,7 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
 {
 	delete_payload_t *delete_payload;
 
-	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
 		 this->ike_sa->get_name(this->ike_sa),
 		 this->ike_sa->get_unique_id(this->ike_sa),
 		 this->ike_sa->get_my_host(this->ike_sa),
@@ -95,7 +95,7 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
 	DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
 		 this->ike_sa->get_name(this->ike_sa),
 		 this->ike_sa->get_unique_id(this->ike_sa));
-	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
 		 this->ike_sa->get_name(this->ike_sa),
 		 this->ike_sa->get_unique_id(this->ike_sa),
 		 this->ike_sa->get_my_host(this->ike_sa),
diff --git a/src/charon/sa/tasks/ike_me.c b/src/charon/sa/tasks/ike_me.c
index 07dfb20a5..bb6f4f41e 100644
--- a/src/charon/sa/tasks/ike_me.c
+++ b/src/charon/sa/tasks/ike_me.c
@@ -339,7 +339,7 @@ static status_t process_r(private_ike_me_t *this, message_t *message)
 			
 			if (this->callback)
 			{
-				DBG1(DBG_IKE, "received ME_CALLBACK for '%D'", this->peer_id);
+				DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id);
 				break;
 			}			
 			
@@ -471,7 +471,7 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
 			
 			if (this->failed)
 			{
-				DBG1(DBG_IKE, "peer '%D' is not online", this->peer_id);
+				DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id);
 				/* FIXME: notify the mediated connection (job?) */
 			}
 			else
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index ef6e4721a..f564012e7 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -177,7 +177,7 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
 	
 	this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
 	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 		 this->new_sa->get_name(this->new_sa),
 		 this->new_sa->get_unique_id(this->new_sa),
 		 this->ike_sa->get_my_host(this->ike_sa),
@@ -246,7 +246,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 	}
 	
 	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 		 this->new_sa->get_name(this->new_sa),
 		 this->new_sa->get_unique_id(this->new_sa),
 		 this->ike_sa->get_my_host(this->ike_sa),