diff --git a/strongswan-4.2.14-rpmlintrc b/strongswan-4.2.14-rpmlintrc
deleted file mode 100644
index 9db070f..0000000
--- a/strongswan-4.2.14-rpmlintrc
+++ /dev/null
@@ -1,3 +0,0 @@
-addFilter('strongswan.* shlib-policy-missing-suffix')
-addFilter("strongswan.* incoherent-init-script-name ipsec")
-addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins")
diff --git a/strongswan-4.2.14.tar.bz2 b/strongswan-4.2.14.tar.bz2
deleted file mode 100644
index b1ebaaf..0000000
--- a/strongswan-4.2.14.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4b9acc7a8d3f8b5b715472375d8f5baea92656a427352a9c40d898075230e09a
-size 2740464
diff --git a/strongswan-4.2.14.tar.bz2.sig b/strongswan-4.2.14.tar.bz2.sig
deleted file mode 100644
index bbbb85d..0000000
--- a/strongswan-4.2.14.tar.bz2.sig
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-iQCVAwUASc5e/tYbDnNAmVNZAQJZewP/Y6KYLbebalL3GNjqANG5hB7k/xSjIuSX
-txhYdqmYxKQhe9F4nd0/LGpuco+pBzT2d7evUoANUnytNPH4YBAq+6xKNnuCwAth
-LnqgfxFhp2Hn+IUrRDztD+Cl9wQqVzf3ld/mCGNY0epnMrvRvOhSPW+k8b2t3Hxn
-O5Jh906OVbI=
-=P088
------END PGP SIGNATURE-----
diff --git a/strongswan-4.3.2-rpmlintrc b/strongswan-4.3.2-rpmlintrc
new file mode 100644
index 0000000..deae116
--- /dev/null
+++ b/strongswan-4.3.2-rpmlintrc
@@ -0,0 +1,4 @@
+addFilter("strongswan.* incoherent-init-script-name ipsec")
+addFilter('strongswan.* shlib-policy-missing-suffix')
+#addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins")
+#addFilter("strongswan.* unstripped-binary-or-object")
diff --git a/strongswan-4.3.2.tar.bz2 b/strongswan-4.3.2.tar.bz2
new file mode 100644
index 0000000..8c2160d
--- /dev/null
+++ b/strongswan-4.3.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2dc584596dda758c6d3d84b292a6aa80bfb53f6178ad08aec1b59519cf9d9e9
+size 2639343
diff --git a/strongswan-4.3.2.tar.bz2.sig b/strongswan-4.3.2.tar.bz2.sig
new file mode 100644
index 0000000..11aef66
--- /dev/null
+++ b/strongswan-4.3.2.tar.bz2.sig
@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iQCVAwUASjtPmtYbDnNAmVNZAQIK4wQAqJnGiXmod2HenrCH9y1A/rinnVuLZ7TF
+s5/yBD3GN2xSnqQELlnPqkVxjNiLbTXhQs7mcmui1Zg9c53WRN09+oriGeHWhomf
+czxNDdsmbxgvR8SlRFr7cZOz0hs8FJ/wldASE6Nz54H7vUYFkxrYhk4lyN4GoolL
+S4dF7hGkTkY=
+=pMzJ
+-----END PGP SIGNATURE-----
diff --git a/strongswan-4.x.x-getline.patch b/strongswan-4.x.x-getline.patch
deleted file mode 100644
index a70ac9f..0000000
--- a/strongswan-4.x.x-getline.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- src/libfreeswan/optionsfrom.c
-+++ src/libfreeswan/optionsfrom.c
-@@ -31,7 +31,7 @@
- 
- static const char *dowork(const char *, int *, char ***, int);
- static const char *getanarg(FILE *, struct work *, char **);
--static char *getline(FILE *, char *, size_t);
-+static char *my_getline(FILE *, char *, size_t);
- 
- /*
-  - optionsfrom - add some options, taken from a file, to argc/argv
-@@ -149,7 +149,7 @@
- 	char *endp;
- 
- 	while (w->pending == NULL) {	/* no pending line */
--		if ((w->line = getline(f, w->buf, sizeof(w->buf))) == NULL)
-+		if ((w->line = my_getline(f, w->buf, sizeof(w->buf))) == NULL)
- 			return "error in line read";	/* caller checks EOF */
- 		if (w->line[0] != '#' &&
- 				*(w->line + strspn(w->line, " \t")) != '\0')
-@@ -171,7 +171,7 @@
- 			if (*linep == NULL)
- 				return "out of memory for new line";
- 			strcpy(*linep, p);
--		} else			/* getline already malloced it */
-+		} else			/* my_getline already malloced it */
- 			*linep = p;
- 		return NULL;
- 	}
-@@ -203,10 +203,10 @@
- }
- 
- /*
-- - getline - read a line from the file, trim newline off
-+ - my_getline - read a line from the file, trim newline off
-  */
- static char *			/* pointer to line, NULL for eof/error */
--getline(f, buf, bufsize)
-+my_getline(f, buf, bufsize)
- FILE *f;
- char *buf;			/* buffer to use, if convenient */
- size_t bufsize;			/* size of buf */
diff --git a/strongswan-4.x.x._swapped_ts_check.patch b/strongswan-4.x.x._swapped_ts_check.patch
deleted file mode 100644
index e903411..0000000
--- a/strongswan-4.x.x._swapped_ts_check.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 0a3ca29021ffe389ae4f7400ee05f42dcf384d6b
-Author: Martin Willi <martin@strongswan.org>
-Date:   Tue May 12 17:13:09 2009 +0200
-
-    fixed cleanup of traffic selector lists
-
-diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
-index 382266f..6bf9e9d 100644
---- a/src/charon/sa/tasks/child_create.c
-+++ b/src/charon/sa/tasks/child_create.c
-@@ -1126,11 +1126,11 @@ static void destroy(private_child_create_t *this)
- {
- 	chunk_free(&this->my_nonce);
- 	chunk_free(&this->other_nonce);
--	if (this->tsi)
-+	if (this->tsr)
- 	{
- 		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
- 	}
--	if (this->tsr)
-+	if (this->tsi)
- 	{
- 		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
- 	}
diff --git a/strongswan-4.x.x_invalid_ike_state.patch b/strongswan-4.x.x_invalid_ike_state.patch
deleted file mode 100644
index 5c5645d..0000000
--- a/strongswan-4.x.x_invalid_ike_state.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-commit a627e31f463367d83be5814aff8ddbceb725f4ed
-Author: Martin Willi <martin@strongswan.org>
-Date:   Thu May 7 15:53:45 2009 +0200
-
-    properly delete IKE_SA if IKE_SA_INIT processing failed
-
-diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
-index b8e8213..126011e 100644
---- a/src/charon/sa/ike_sa.c
-+++ b/src/charon/sa/ike_sa.c
-@@ -1424,6 +1424,11 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
- 			 exchange_type_names, message->get_exchange_type(message),
- 			 message->get_request(message) ? "request" : "response",
- 			 message->get_message_id(message));
-+		
-+		if (this->state == IKE_CREATED)
-+		{	/* invalid initiation attempt, close SA */
-+			return DESTROY_ME;
-+		}
- 		return status;
- 	}
- 	else
diff --git a/strongswan.changes b/strongswan.changes
index 6b8f133..e8c3dd7 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,77 @@
+-------------------------------------------------------------------
+Wed Jun 10 11:04:44 CEST 2009 - mt@suse.de
+
+- Updated to strongSwan 4.3.2 release, that fixes two asn1 parser
+  DoS vulnerabilities and provides several new features, e.g.:
+  * The new gcrypt plugin provides symmetric cipher, hasher, RNG,
+  Diffie-Hellman and RSA crypto primitives using the LGPL licensed
+  GNU gcrypt library.
+  * libstrongswan features an integrated crypto selftest framework
+  for registered algorithms. The test-vector plugin provides a first
+  set of test vectors and allows pluto and charon to rely on tested
+  crypto algorithms.
+  * pluto can now use all libstrongswan plugins with the exception
+  of x509 and xcbc. Thanks to the openssl plugin, the ECP Diffie-
+  Hellman groups 19, 20, 21, 25, and 26 as well as ECDSA-256,
+  ECDSA-384, and ECDSA-521 authentication can be used with IKEv1.
+  * Applying their fuzzing tool, the Orange Labs vulnerability
+  research team found another two DoS vulnerabilities, one in the
+  rather old ASN.1 parser of Relative Distinguished Names (RDNs)
+  and a second one in the conversion of ASN.1 UTCTIME and
+  GENERALIZEDTIME strings to a time_t value.
+  * The nm plugin now passes DNS/NBNS server information to
+  NetworkManager, allowing a gateway administrator to set DNS/NBNS
+  configuration on clients dynamically.
+  * The nm plugin also accepts CA certificates for gateway
+  authentication. If a CA certificate is configured, strongSwan uses
+  the entered gateway address as its idenitity, requiring the gateways
+  certificate to contain the same as subjectAltName.
+  This allows a gateway administrator to deploy the same
+  certificates to Windows 7 and NetworkManager clients.
+  * The command ipsec purgeike deletes IKEv2 SAs that don't have a
+  CHILD SA.
+  The command ipsec down <conn>{n} deletes CHILD SA instance n of
+  connection <conn> whereas ipsec down <conn>{*} deletes all CHILD
+  SA instances.
+  The command ipsec down <conn>[n] deletes IKE SA instance n of
+  connection <conn> plus dependent CHILD SAs whereas ipsec down
+  <conn>[*] deletes all IKE SA instances of connection <conn>.
+  * Fixed a regression introduced in 4.3.0 where EAP authentication
+  calculated the AUTH payload incorrectly. Further, the EAP-MSCHAPv2
+  MSK key derivation has been updated to be compatible with the
+  Windows 7 Release Candidate.
+  * Refactored installation of triggering policies. Routed policies
+  are handled outside of IKE_SAs to keep them installed in any case.
+  A tunnel gets established only once, even if initiation is delayed
+  due network outages.
+  * Improved the handling of multiple acquire signals triggered by
+  the kernel.
+  * Fixed two DoS vulnerabilities in the charon daemon that were
+  discovered by fuzzing techniques:
+  1) Sending a malformed IKE_SA_INIT request leaved an incomplete
+  state which caused a null pointer dereference if a subsequent
+  CREATE_CHILD_SA request was sent.
+  2) Sending an IKE_AUTH request with either a missing TSi or TSr
+  payload caused a null pointer derefence because the checks for
+  TSi and TSr were interchanged.
+  The IKEv2 fuzzer used was developped by the Orange Labs
+  vulnerability research team.  The tool was initially written
+  by Gabriel Campana and is now maintained by Laurent Butti.
+  * Added support for AES counter mode in ESP in IKEv2 using the
+  proposal keywords aes128ctr, aes192ctr and aes256ctr.
+  * Further progress in refactoring pluto: Use of the curl and ldap
+  plugins for fetching crls and OCSP. Use of the random plugin to
+  get keying material from /dev/random or /dev/urandom. Use of the
+  openssl plugin as an alternative to the aes, des, sha1, sha2, and
+  md5 plugins. The blowfish, twofish, and serpent encryption plugins
+  are now optional and are not enabled by default.
+- Enabled new gcrypt plugin
+- Adopted spec file and modprobe to syslog patch
+- Removed obsolete getline glibc collision patch
+- Added patch to avoid library version for plugins (rpmlint).
+- Replaced update-dns-server patch with a --with-resolv-conf.
+- Removed restart_on_update from spec file (see bnc#450390).
+
 -------------------------------------------------------------------
 Mon Jun  8 00:21:13 CEST 2009 - ro@suse.de
 
diff --git a/strongswan.spec b/strongswan.spec
index 8bb550b..e6aa3f0 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package strongswan (Version 4.2.14)
+# spec file for package strongswan (Version 4.3.2)
 #
 # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -19,10 +19,10 @@
 
 
 Name:           strongswan
-%define         upstream_version 4.2.14
+%define         upstream_version 4.3.2
 %define         strongswan_docdir %{_docdir}/%{name}
-Version:        4.2.14
-Release:        3
+Version:        4.3.2
+Release:        1
 License:        GPL v2 or later
 Group:          Productivity/Networking/Security
 Summary:        StrongSwan -- OpenSource IPsec-based VPN Solution
@@ -37,22 +37,15 @@ Source0:        http://download.strongswan.org/strongswan-%{upstream_version}.ta
 Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
 Source2:        %{name}.init.in
 Source3:        %{name}-%{version}-rpmlintrc
-Patch1:         %{name}_modprobe_syslog.dif
-Patch2:         %{name}_update-dns-server.dif
-Patch3:         %{name}-4.x.x_invalid_ike_state.patch
-Patch4:         %{name}-4.x.x._swapped_ts_check.patch
-Patch5:         strongswan-4.x.x-getline.patch
+Patch1:         %{name}_modprobe_syslog.patch
+Patch2:         %{name}_no_plugin_version.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison flex gmp-devel gperf pkg-config
-%if 0%{?suse_version} >= 1030
-BuildRequires:  libopenssl-devel libpcap-devel
-%else
-BuildRequires:  libpcap openssl-devel
-%endif
-#               --enable-curl
-BuildRequires:  curl-devel
-#               --enable-ldap
+BuildRequires:  libcap-devel
+BuildRequires:  libopenssl-devel
+BuildRequires:  libgcrypt-devel
 BuildRequires:  openldap2-devel
+BuildRequires:  curl-devel
 
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@@ -137,10 +130,13 @@ Authors:
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
+# => no_plugin_version.patch creation cmd:
+#
+#find . -type f -name Makefile.am -exec \
+#     grep -l 'la_LDFLAGS.*-module' \{\} \; | \
+#     xargs -r sed -e "s/\(.*la_LDFLAGS.*-module.*\)/\1 -avoid-version/g" -i
+#
 %patch2 -p0
-%patch3 -p1
-%patch4 -p1
-%patch5
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
      < $RPM_SOURCE_DIR/strongswan.init.in \
      > strongswan.init
@@ -152,11 +148,15 @@ libtoolize --force
 %{?suse_update_config:%{suse_update_config -f}}
 autoreconf
 %configure \
-	--enable-smartcard --with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
-	--enable-cisco-quirks	\
-	--enable-openssl	\
-	--enable-curl		\
-	--enable-ldap
+	--with-capabilities=libcap \
+	--with-resolv-conf=%{_localstatedir}/run/strongswan/resolv.conf \
+	--enable-smartcard \
+	--with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
+	--enable-cisco-quirks \
+	--enable-openssl \
+	--enable-gcrypt \
+	--enable-ldap \
+	--enable-curl
 make %{?_smp_mflags:%_smp_mflags}
 
 %install
@@ -186,6 +186,7 @@ find  $RPM_BUILD_ROOT%{_libdir}/ipsec \
 install -m755 -d ${RPM_BUILD_ROOT}%{strongswan_docdir}/
 install -m644 TODO NEWS README COPYING CREDITS \
                  ${RPM_BUILD_ROOT}%{strongswan_docdir}/
+install -m755 -d $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan
 
 %clean
 if [ -n "$RPM_BUILD_ROOT" ] && [ "$RPM_BUILD_ROOT" != "/" ] ; then
@@ -207,7 +208,6 @@ fi
 
 %postun
 %{run_ldconfig}
-%{restart_on_update ipsec}
 %{insserv_cleanup}
 
 %files
@@ -235,6 +235,7 @@ fi
 %{_mandir}/man5/ipsec.conf.5*
 %{_mandir}/man5/ipsec.secrets.5*
 %{_mandir}/man8/ipsec.8*
+%dir %{_localstatedir}/run/strongswan
 
 %files doc
 %defattr(-,root,root)
@@ -253,7 +254,6 @@ fi
 %{_mandir}/man3/initaddr.3*
 %{_mandir}/man3/initsubnet.3*
 %{_mandir}/man3/keyblobtoid.3*
-%{_mandir}/man3/optionsfrom.3*
 %{_mandir}/man3/portof.3*
 %{_mandir}/man3/prng.3*
 %{_mandir}/man3/rangetosubnet.3*
@@ -263,7 +263,6 @@ fi
 %{_mandir}/man3/ttodata.3*
 %{_mandir}/man3/ttosa.3*
 %{_mandir}/man3/ttoul.3*
-%{_mandir}/man3/version.3*
 %{_mandir}/man8/_copyright.8*
 %{_mandir}/man8/_updown.8*
 %{_mandir}/man8/_updown_espmark.8*
@@ -273,207 +272,3 @@ fi
 %{_mandir}/man8/starter.8*
 
 %changelog
-* Mon Jun 08 2009 ro@suse.de
-- rename getline to my_getline to avoid collision with function
-  from glibc
-* Tue Jun 02 2009 mt@suse.de
-- Applied fix for a Denial-of-Service vulnerability where receiving
-  a malformed IKE_SA_INIT request leaves an incomplete state which
-  causes a crash of the IKEv2 charon while dereferencing a NULL
-  pointer if a subsequent CREATE_CHILD_SA is received (bnc#507742).
-- Applied fix for a Denial-of-Service vulnerability where receiving
-  a malformed IKE_AUTH request with either a missing TSi or TSr
-  traffic selector payload causes a crash of the IKEv2 charon while
-  dereferencing a NULL pointer because the NULL pointer checks of
-  TSi and TSr before destruction were erroneously swapped
-  (bnc#507742).
-* Tue Mar 31 2009 mt@suse.de
-- Updated to strongSwan 4.2.14 release that fixes a grave DPD
-  denial of service vulnerability registered as CVE-2009-0790,
-  that had been slumbering in the code for many years:
-  * A vulnerability in the Dead Peer Detection (RFC 3706) code
-  was found by Gerd v. Egidy <gerd.von.egidy@intra2net.com> of
-  Intra2net AG affecting all Openswan and strongSwan releases.
-  A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK
-  Dead Peer Detection packet can cause the pluto IKE daemon to
-  crash and restart. No authentication or encryption is required
-  to trigger this bug. One spoofed UDP packet can cause the pluto
-  IKE daemon to restart and be unresponsive for a few seconds
-  while restarting. This DPD null state vulnerability has been
-  officially registered as CVE-2009-0790 and is fixed by this
-  release.
-  * The new server-side EAP RADIUS plugin (--enable-eap-radius)
-  relays EAP messages to and from a RADIUS server. Succesfully
-  tested with with a freeradius server using EAP-MD5 and EAP-SIM.
-  * ASN.1 to time_t conversion caused a time wrap-around for dates
-  after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
-  As a workaround such dates are set to the maximum representable
-  time, i.e. Jan 19 03:14:07 UTC 2038.
-  * Distinguished Names containing wildcards (*) are not sent in the
-  IDr payload anymore.
-* Mon Oct 20 2008 mt@suse.de
-- Updated to 4.2.8 release:
-  * IKEv2 charon daemon supports authentication based on raw public
-  keys stored in the SQL database backend. The ipsec listpubkeys
-  command lists the available raw public keys via the stroke
-  interface.
-  * Several MOBIKE improvements: Detect changes in NAT mappings in
-  DPD exchanges, handle events if kernel detects NAT mapping changes
-  in UDP-encapsulated ESP packets (requires kernel patch), reuse old
-  addesses in MOBIKE updates as long as possible and other fixes.
-  * Fixed a bug in addr_in_subnet() which caused insertion of wrong
-  source routes for destination subnets having netwmasks not being a
-  multiple of 8 bits.  Thanks go to Wolfgang Steudel, TU Ilmenau for
-  reporting this bug.
-* Tue Oct 14 2008 mt@suse.de
-- Applied fix for addr_in_subnet() extracted from strongswan-4.2.8
-  which caused insertion of wrong source routes for destination
-  subnets having netwmasks not being a multiple of 8 bits.
-  Thanks go to Wolfgang Steudel, TU Ilmenau for reporting this bug.
-  (bnc#435200)
-* Fri Oct 10 2008 mt@suse.de
-- Applied fix for a Denial-of-Service vulnerability where an
-  IKE_SA_INIT message with a KE payload containing zeroes only can
-  cause a crash of the IKEv2 charon daemon due to a NULL pointer
-  returned by the mpz_export() function of the GNU Multi Precision
-  (GMP) library. Thanks go to Mu Dynamics Research Labs for making
-  us aware of this problem. (bnc#435194)
-* Thu Aug 28 2008 mt@suse.de
-- Fixed to use --enable-curl instead of --enable-http as before
-- Enabled the OpenSSL crypto plugin in the spec file.
-* Thu Aug 28 2008 mt@suse.de
-- Updated to 4.2.6 release, fixing bugs and offering a lot of new
-  features comparing to the last version provided by this package.
-  Most important are:
-  * A NetworkManager plugin allows GUI-based configuration of
-  road-warrior clients in a simple way. It features X509 based
-  gateway authentication and EAP client authentication, tunnel
-  setup/teardown and storing passwords in the Gnome Keyring.
-  * A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt
-  and allows username/password authentication against any PAM
-  service on the gateway. The new EAP method interacts nicely with
-  the NetworkManager plugin and allows client authentication against
-  e.g. LDAP.
-  * Improved support for the EAP-Identity method. The new ipsec.conf
-  eap_identity parameter defines an additional identity to pass to
-  the server in EAP authentication.
-  * Fixed two multithreading deadlocks occurring when starting up
-  several hundred tunnels concurrently.
-  * Fixed the --enable-integrity-test configure option which
-  computes a SHA-1 checksum over the libstrongswan library.
-  * Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
-  * Improved the performance of the SQL-based virtual IP address pool
-  by introducing an additional addresses table. The leases table
-  storing only history information has become optional and can be
-  disabled by setting charon.plugins.sql.lease_history = no in
-  strongswan.conf.
-  * The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6
-  and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels.
-  * management of different virtual IP pools for different network
-  interfaces have become possible.
-  * fixed a bug which prevented the assignment of more than 256
-  virtual IP addresses from a pool managed by an sql database.
-  * fixed a bug which did not delete own IPCOMP SAs in the kernel.
-  * The openssl plugin supports the elliptic curve Diffie-Hellman
-  groups 19, 20, 21, 25, and 26 and ECDSA authentication using
-  elliptic curve X.509 certificates.
-  * Fixed a bug in stroke which caused multiple charon threads to
-  close the file descriptors during packet transfers over the stroke
-  socket.
-  * ESP sequence numbers are now migrated in IPsec SA updates handled
-  by MOBIKE. Works only with Linux kernels >= 2.6.17.
-  * Fixed a number of minor bugs that where discovered during the 4th
-  IKEv2 interoperability workshop in San Antonio, TX.
-  * Plugins for libstrongswan and charon can optionally be loaded
-  according to a configuration in strongswan.conf. Most components
-  provide a "load = " option followed by a space separated list of
-  plugins to load. This allows e.g. the fallback from a hardware
-  crypto accelerator to to software-based crypto plugins.
-  * Charons SQL plugin has been extended by a virtual IP address pool.
-  Configurations with a rightsourceip=%%poolname setting query a
-  SQLite or MySQL database for leases. The "ipsec pool" command helps
-  in administrating the pool database. See ipsec pool --help for the
-  available options
-  * The Authenticated Encryption Algorithms AES-CCM-8/12/16 and
-  AES-GCM-8/12/16 for ESP are now supported starting with the Linux
-  2.6.25 kernel. The syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16.
-- Added patch disabling direct modifications of resolv.conf; has to
-  be replaced by a netconfig call.
-- Added patch adding a missed file name argument in printf call in the
-  scripts/thread_analysis.c file -- resulting binary is not installed.
-- Removed obsolete patches crash_badcfg_reload and old-caps-version.
-* Mon Jun 30 2008 mt@suse.de
-- Added fix that explicitly enables version 1 linux capabilities
-  on version 2 systems to aviod that the charon and pluto daemons
-  exit because of failed capset call (bnc#404989).
-* Mon May 19 2008 mt@suse.de
-- Applied fix (strongswan_crash_badcfg_reload.dif) to avoid
-  a crash after reloading with bad config (bnc#392062).
-* Wed Apr 23 2008 mt@suse.de
-- Updated to 4.2.1 release. A lot of code refactoring in the 4.2
-  release provides much more modularity and therefore much more
-  extensiblity and offers the following new features:
-  * libstrongswan has been modularized to attach crypto algorithms,
-  credential implementations (secret and private keys, certificates)
-  and http/ldap fetchers dynamically through plugins.
-  * A relational database API that uses pluggable database providers
-  was added to libstrongswan including plugins for MySQL and SQLite.
-  * The IKEv2 keying charon daemon has become more extensible. Generic
-  plugins can provide arbitrary interfaces to credential stores and
-  connection management interfaces. Also any EAP method can be added.
-  * The authentication and credential framework in charon has been
-  heavily refactored to support modular credential providers, proper
-  CERTREQ/CERT payload exchanges and extensible authorization rules.
-  * Support for "Hash and URL" encoded certificate payloads has been
-  implemented in the IKEv2 daemon charon.
-  * The IKEv2 daemon charon now supports the "uniqueids" option to
-  close multiple IKE_SAs with the same peer.
-  * The crypto factory in libstrongswan additionally supports random
-  number generators. Plugins may provide other sources of randomness.
-  * Extended the credential framework by a caching option to allow
-  plugins persistent caching of fetched credentials.
-  * The new trust chain verification introduced in 4.2.0 has been
-  parallelized. Threads fetching CRL or OCSP information no longer
-  block other threads.
-  * A new IKEv2 configuration attribute framework has been introduced
-  allowing plugins to provide virtual IP addresses, and in the future,
-  other configuration attribute services (e.g. DNS/WINS servers).
-  * The stroke plugin has been extended to provide virtual IP addresses
-  from a simple pool defined in ipsec.conf.
-  * Fixed compilation on uClibc and a couple of other minor bugs.
-  * The IKEv1 pluto daemon now supports the ESP encryption algorithm
-  CAMELLIA with key lengths of 128, 192, and 256 bits, as well as the
-  authentication algorithm AES_XCBC_MAC.
-- Applied a small patch defining _GNU_SOURCE for struct in6_pktinfo
-  and adding inclusion of limits.h for PATH_MAX availability.
-- Added rpmlintrc file and a libtoolize call to the spec file.
-* Tue Feb 19 2008 mt@suse.de
-- Updated to 4.1.11 maintenance release, providing following fixes:
-  * IKE rekeying in NAT situations did not inherit the NAT conditions
-  to the rekeyed IKE_SA so that the UDP encapsulation was lost with
-  the next CHILD_SA rekeying.
-  * Wrong type definition of the next_payload variable in id_payload.c
-  caused an INVALID_SYNTAX error on PowerPC platforms.
-  * Implemented IKEv2 EAP-SIM server and client test modules that use
-  triplets stored in a file. For details on the configuration see
-  the scenario 'ikev2/rw-eap-sim-rsa'.
-- The 4.1.10 final version, declared upstream as "Fully tested support
-  of IPv6 IPsec tunnel connections", fixes ordering error in oscp cache,
-  IPv6 defaults of the nexthop parameter, adds support for new EAP
-  modules [disabled in this build] and obsoletes our strongswan_path
-  and strongswan_ipsec_script_msg patches.
-- Removed a sed call from init script.
-* Sat Dec 08 2007 mt@suse.de
-- Updated to 4.1.9 final, including all our patches.
-- Changed init script to use ipsec cmd using LSB codes now.
-- Added strongswan_path.dif setting a PATH in scripts (updown).
-- Added strongswan_ipsec_script_msg.dif for consistent look of
-  ipsec script messages.
-- Added strongswan_modprobe_syslog.dif redirecting modprobe
-  output to syslog.
-* Mon Nov 26 2007 mt@suse.de
-- Renamed charon plugins to avoid rpm conflicts with existing
-  libraries (libstroke). Patch: strongswan-libconflicts.dif
-- Added init script. Template file: strongswan.init.in
-* Thu Nov 22 2007 mt@suse.de
-- Initial, unfinished package
diff --git a/strongswan_modprobe_syslog.dif b/strongswan_modprobe_syslog.dif
deleted file mode 100644
index 4593aa8..0000000
--- a/strongswan_modprobe_syslog.dif
+++ /dev/null
@@ -1,52 +0,0 @@
---- src/starter/klips.c
-+++ src/starter/klips.c	2009/03/23 10:46:01
-@@ -36,7 +36,7 @@ starter_klips_init(void)
- 	/* ipsec module makes the pf_key proc interface visible */
- 	if (stat(PROC_MODULES, &stb) == 0)
- 	{
--	    ignore_result(system("modprobe -qv ipsec"));
-+	    ignore_result(system("modprobe -a ipsec"));
- 	}
- 
- 	/* now test again */
-@@ -50,9 +50,9 @@ starter_klips_init(void)
-     }
-     
-     /* load crypto algorithm modules */
--    ignore_result(system("modprobe -qv ipsec_aes"));
--    ignore_result(system("modprobe -qv ipsec_blowfish"));
--    ignore_result(system("modprobe -qv ipsec_sha2"));
-+    ignore_result(system("modprobe -s ipsec_aes"));
-+    ignore_result(system("modprobe -s ipsec_blowfish"));
-+    ignore_result(system("modprobe -s ipsec_sha2"));
- 
-     DBG(DBG_CONTROL,
- 	DBG_log("Found KLIPS IPsec stack")
---- src/starter/netkey.c
-+++ src/starter/netkey.c	2009/03/23 10:46:34
-@@ -36,7 +36,7 @@ starter_netkey_init(void)
- 	/* af_key module makes the netkey proc interface visible */
- 	if (stat(PROC_MODULES, &stb) == 0)
- 	{
--	    ignore_result(system("modprobe -qv af_key"));
-+	    ignore_result(system("modprobe -s af_key"));
- 	}
- 
- 	/* now test again */
-@@ -52,11 +52,11 @@ starter_netkey_init(void)
-     /* make sure that all required IPsec modules are loaded */
-     if (stat(PROC_MODULES, &stb) == 0)
-     {
--	ignore_result(system("modprobe -qv ah4"));
--	ignore_result(system("modprobe -qv esp4"));
--	ignore_result(system("modprobe -qv ipcomp"));
--	ignore_result(system("modprobe -qv xfrm4_tunnel"));
--	ignore_result(system("modprobe -qv xfrm_user"));
-+	ignore_result(system("modprobe -s ah4"));
-+	ignore_result(system("modprobe -s esp4"));
-+	ignore_result(system("modprobe -s ipcomp"));
-+	ignore_result(system("modprobe -s xfrm4_tunnel"));
-+	ignore_result(system("modprobe -s xfrm_user"));
-     }
- 
-     DBG(DBG_CONTROL,
diff --git a/strongswan_modprobe_syslog.patch b/strongswan_modprobe_syslog.patch
new file mode 100644
index 0000000..638a943
--- /dev/null
+++ b/strongswan_modprobe_syslog.patch
@@ -0,0 +1,52 @@
+--- src/starter/klips.c
++++ src/starter/klips.c
+@@ -34,7 +34,7 @@ starter_klips_init(void)
+ 		/* ipsec module makes the pf_key proc interface visible */
+ 		if (stat(PROC_MODULES, &stb) == 0)
+ 		{
+-			ignore_result(system("modprobe -qv ipsec"));
++			ignore_result(system("modprobe -s ipsec"));
+ 		}
+ 
+ 		/* now test again */
+@@ -48,9 +48,9 @@ starter_klips_init(void)
+ 	}
+ 	
+ 	/* load crypto algorithm modules */
+-	ignore_result(system("modprobe -qv ipsec_aes"));
+-	ignore_result(system("modprobe -qv ipsec_blowfish"));
+-	ignore_result(system("modprobe -qv ipsec_sha2"));
++	ignore_result(system("modprobe -s ipsec_aes"));
++	ignore_result(system("modprobe -s ipsec_blowfish"));
++	ignore_result(system("modprobe -s ipsec_sha2"));
+ 
+ 	DBG(DBG_CONTROL,
+ 		DBG_log("Found KLIPS IPsec stack")
+--- src/starter/netkey.c
++++ src/starter/netkey.c
+@@ -34,7 +34,7 @@ starter_netkey_init(void)
+ 		/* af_key module makes the netkey proc interface visible */
+ 		if (stat(PROC_MODULES, &stb) == 0)
+ 		{
+-			ignore_result(system("modprobe -qv af_key"));
++			ignore_result(system("modprobe -s af_key"));
+ 		}
+ 
+ 		/* now test again */
+@@ -50,11 +50,11 @@ starter_netkey_init(void)
+ 	/* make sure that all required IPsec modules are loaded */
+ 	if (stat(PROC_MODULES, &stb) == 0)
+ 	{
+-		ignore_result(system("modprobe -qv ah4"));
+-		ignore_result(system("modprobe -qv esp4"));
+-		ignore_result(system("modprobe -qv ipcomp"));
+-		ignore_result(system("modprobe -qv xfrm4_tunnel"));
+-		ignore_result(system("modprobe -qv xfrm_user"));
++		ignore_result(system("modprobe -s ah4"));
++		ignore_result(system("modprobe -s esp4"));
++		ignore_result(system("modprobe -s ipcomp"));
++		ignore_result(system("modprobe -s xfrm4_tunnel"));
++		ignore_result(system("modprobe -s xfrm_user"));
+ 	}
+ 
+ 	DBG(DBG_CONTROL,
diff --git a/strongswan_no_plugin_version.patch b/strongswan_no_plugin_version.patch
new file mode 100644
index 0000000..1f83138
--- /dev/null
+++ b/strongswan_no_plugin_version.patch
@@ -0,0 +1,432 @@
+--- src/charon/plugins/attr/Makefile.am
++++ src/charon/plugins/attr/Makefile.am
+@@ -6,4 +6,4 @@
+ plugin_LTLIBRARIES = libstrongswan-attr.la
+ libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
+   attr_provider.h attr_provider.c
+-libstrongswan_attr_la_LDFLAGS = -module
++libstrongswan_attr_la_LDFLAGS = -module -avoid-version
+--- src/charon/plugins/eap_aka/Makefile.am
++++ src/charon/plugins/eap_aka/Makefile.am
+@@ -6,6 +6,6 @@
+ plugin_LTLIBRARIES = libstrongswan-eapaka.la
+ 
+ libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c
+-libstrongswan_eapaka_la_LDFLAGS = -module
++libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version
+ libstrongswan_eapaka_la_LIBADD = -lgmp
+ 
+--- src/charon/plugins/eap_gtc/Makefile.am
++++ src/charon/plugins/eap_gtc/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-eapgtc.la
+ 
+ libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
+-libstrongswan_eapgtc_la_LDFLAGS = -module -lpam
++libstrongswan_eapgtc_la_LDFLAGS = -module -lpam -avoid-version
+ 
+--- src/charon/plugins/eap_identity/Makefile.am
++++ src/charon/plugins/eap_identity/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-eapidentity.la
+ libstrongswan_eapidentity_la_SOURCES = \
+   eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
+-libstrongswan_eapidentity_la_LDFLAGS = -module
++libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/eap_md5/Makefile.am
++++ src/charon/plugins/eap_md5/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-eapmd5.la
+ 
+ libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
+-libstrongswan_eapmd5_la_LDFLAGS = -module
++libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/eap_mschapv2/Makefile.am
++++ src/charon/plugins/eap_mschapv2/Makefile.am
+@@ -8,5 +8,5 @@
+ libstrongswan_eapmschapv2_la_SOURCES = \
+ 	eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
+ 	eap_mschapv2.h eap_mschapv2.c
+-libstrongswan_eapmschapv2_la_LDFLAGS = -module
++libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/eap_radius/Makefile.am
++++ src/charon/plugins/eap_radius/Makefile.am
+@@ -10,5 +10,5 @@
+   eap_radius.h eap_radius.c \
+   radius_client.h radius_client.c \
+   radius_message.h radius_message.c
+-libstrongswan_eapradius_la_LDFLAGS = -module
++libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/eap_sim/Makefile.am
++++ src/charon/plugins/eap_sim/Makefile.am
+@@ -7,5 +7,5 @@
+ 
+ libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \
+   eap_sim_plugin.h eap_sim_plugin.c
+-libstrongswan_eapsim_la_LDFLAGS = -module
++libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/eap_sim_file/Makefile.am
++++ src/charon/plugins/eap_sim_file/Makefile.am
+@@ -10,5 +10,5 @@
+   eap_sim_file_card.h eap_sim_file_card.c \
+   eap_sim_file_provider.h eap_sim_file_provider.c \
+   eap_sim_file_triplets.h eap_sim_file_triplets.c
+-libstrongswan_eapsim_file_la_LDFLAGS = -module
++libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/kernel_klips/Makefile.am
++++ src/charon/plugins/kernel_klips/Makefile.am
+@@ -7,4 +7,4 @@
+ 
+ libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
+ 	kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
+-libstrongswan_kernel_klips_la_LDFLAGS = -module
++libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
+--- src/charon/plugins/kernel_netlink/Makefile.am
++++ src/charon/plugins/kernel_netlink/Makefile.am
+@@ -8,4 +8,4 @@
+ libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \
+ 	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
+ 	kernel_netlink_shared.h kernel_netlink_shared.c
+-libstrongswan_kernel_netlink_la_LDFLAGS = -module
++libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
+--- src/charon/plugins/kernel_pfkey/Makefile.am
++++ src/charon/plugins/kernel_pfkey/Makefile.am
+@@ -7,4 +7,4 @@
+ 
+ libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+ 	kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+-libstrongswan_kernel_pfkey_la_LDFLAGS = -module
++libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
+--- src/charon/plugins/kernel_pfroute/Makefile.am
++++ src/charon/plugins/kernel_pfroute/Makefile.am
+@@ -7,4 +7,4 @@
+ 
+ libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+ 	kernel_pfroute_net.h kernel_pfroute_net.c
+-libstrongswan_kernel_pfroute_la_LDFLAGS = -module
++libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
+--- src/charon/plugins/load_tester/Makefile.am
++++ src/charon/plugins/load_tester/Makefile.am
+@@ -13,5 +13,5 @@
+   load_tester_listener.c load_tester_listener.h \
+   load_tester_diffie_hellman.c load_tester_diffie_hellman.h
+ 
+-libstrongswan_load_tester_la_LDFLAGS = -module
++libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/medcli/Makefile.am
++++ src/charon/plugins/medcli/Makefile.am
+@@ -8,5 +8,5 @@
+ 			      medcli_creds.h medcli_creds.c \
+ 			      medcli_config.h medcli_config.c \
+ 			      medcli_listener.h medcli_listener.c
+-libstrongswan_medcli_la_LDFLAGS = -module
++libstrongswan_medcli_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/medsrv/Makefile.am
++++ src/charon/plugins/medsrv/Makefile.am
+@@ -7,5 +7,5 @@
+ libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \
+ 			      medsrv_creds.h medsrv_creds.c \
+ 			      medsrv_config.h medsrv_config.c
+-libstrongswan_medsrv_la_LDFLAGS = -module
++libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/nm/Makefile.am
++++ src/charon/plugins/nm/Makefile.am
+@@ -9,5 +9,5 @@
+   nm_service.h nm_service.c \
+   nm_creds.h nm_creds.c \
+   nm_handler.h nm_handler.c
+-libstrongswan_nm_la_LDFLAGS = -module
++libstrongswan_nm_la_LDFLAGS = -module -avoid-version
+ libstrongswan_nm_la_LIBADD = ${nm_LIBS}
+--- src/charon/plugins/resolv_conf/Makefile.am
++++ src/charon/plugins/resolv_conf/Makefile.am
+@@ -8,6 +8,6 @@
+ libstrongswan_resolv_conf_la_SOURCES = \
+   resolv_conf_plugin.h resolv_conf_plugin.c \
+   resolv_conf_handler.h resolv_conf_handler.c 
+-libstrongswan_resolv_conf_la_LDFLAGS = -module
++libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version
+ 
+ 
+--- src/charon/plugins/smp/Makefile.am
++++ src/charon/plugins/smp/Makefile.am
+@@ -5,6 +5,6 @@
+ 
+ plugin_LTLIBRARIES = libstrongswan-smp.la
+ libstrongswan_smp_la_SOURCES = smp.h smp.c
+-libstrongswan_smp_la_LDFLAGS = -module
++libstrongswan_smp_la_LDFLAGS = -module -avoid-version
+ libstrongswan_smp_la_LIBADD = ${xml_LIBS}
+ 
+--- src/charon/plugins/sql/Makefile.am
++++ src/charon/plugins/sql/Makefile.am
+@@ -10,7 +10,7 @@
+ libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
+   sql_config.h sql_config.c sql_cred.h sql_cred.c \
+   sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c
+-libstrongswan_sql_la_LDFLAGS = -module
++libstrongswan_sql_la_LDFLAGS = -module -avoid-version
+ 
+ ipsec_PROGRAMS = pool
+ pool_SOURCES = pool.c
+--- src/charon/plugins/stroke/Makefile.am
++++ src/charon/plugins/stroke/Makefile.am
+@@ -18,5 +18,5 @@
+   stroke_list.h stroke_list.c \
+   stroke_shared_key.h stroke_shared_key.c
+ 
+-libstrongswan_stroke_la_LDFLAGS = -module
++libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/uci/Makefile.am
++++ src/charon/plugins/uci/Makefile.am
+@@ -8,7 +8,7 @@
+   uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \
+   uci_config.h uci_config.c uci_creds.h uci_creds.c \
+   uci_control.h uci_control.c
+-libstrongswan_uci_la_LDFLAGS = -module
++libstrongswan_uci_la_LDFLAGS = -module -avoid-version
+ libstrongswan_uci_la_LIBADD = -luci
+ 
+ 
+--- src/charon/plugins/unit_tester/Makefile.am
++++ src/charon/plugins/unit_tester/Makefile.am
+@@ -20,5 +20,5 @@
+   tests/test_agent.c \
+   tests/test_id.c
+ 
+-libstrongswan_unit_tester_la_LDFLAGS = -module
++libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/updown/Makefile.am
++++ src/charon/plugins/updown/Makefile.am
+@@ -7,6 +7,6 @@
+ libstrongswan_updown_la_SOURCES = \
+   updown_plugin.h updown_plugin.c \
+   updown_listener.h updown_listener.c 
+-libstrongswan_updown_la_LDFLAGS = -module
++libstrongswan_updown_la_LDFLAGS = -module -avoid-version
+ 
+ 
+--- src/libstrongswan/plugins/aes/Makefile.am
++++ src/libstrongswan/plugins/aes/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-aes.la
+ 
+ libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
+-libstrongswan_aes_la_LDFLAGS = -module
++libstrongswan_aes_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/agent/Makefile.am
++++ src/libstrongswan/plugins/agent/Makefile.am
+@@ -8,5 +8,5 @@
+ libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
+   agent_private_key.c agent_private_key.h
+ 
+-libstrongswan_agent_la_LDFLAGS = -module
++libstrongswan_agent_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/blowfish/Makefile.am
++++ src/libstrongswan/plugins/blowfish/Makefile.am
+@@ -8,5 +8,5 @@
+ libstrongswan_blowfish_la_SOURCES = \
+ blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
+ bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c 
+-libstrongswan_blowfish_la_LDFLAGS = -module
++libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/curl/Makefile.am
++++ src/libstrongswan/plugins/curl/Makefile.am
+@@ -6,6 +6,6 @@
+ plugin_LTLIBRARIES = libstrongswan-curl.la
+ 
+ libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
+-libstrongswan_curl_la_LDFLAGS = -module
++libstrongswan_curl_la_LDFLAGS = -module -avoid-version
+ libstrongswan_curl_la_LIBADD  = -lcurl
+ 
+--- src/libstrongswan/plugins/des/Makefile.am
++++ src/libstrongswan/plugins/des/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-des.la
+ 
+ libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
+-libstrongswan_des_la_LDFLAGS = -module
++libstrongswan_des_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/fips_prf/Makefile.am
++++ src/libstrongswan/plugins/fips_prf/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-fips-prf.la
+ 
+ libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
+-libstrongswan_fips_prf_la_LDFLAGS = -module
++libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/gcrypt/Makefile.am
++++ src/libstrongswan/plugins/gcrypt/Makefile.am
+@@ -13,5 +13,5 @@
+ 	gcrypt_crypter.h gcrypt_crypter.c \
+ 	gcrypt_hasher.h gcrypt_hasher.c
+ 
+-libstrongswan_gcrypt_la_LDFLAGS = -module
++libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
+ libstrongswan_gcrypt_la_LIBADD  = $(LIBGCRYPT_LIBS)
+--- src/libstrongswan/plugins/gmp/Makefile.am
++++ src/libstrongswan/plugins/gmp/Makefile.am
+@@ -10,6 +10,6 @@
+   gmp_rsa_private_key.c gmp_rsa_private_key.h \
+   gmp_rsa_public_key.c gmp_rsa_public_key.h
+ 
+-libstrongswan_gmp_la_LDFLAGS = -module
++libstrongswan_gmp_la_LDFLAGS = -module -avoid-version
+ libstrongswan_gmp_la_LIBADD = -lgmp
+ 
+--- src/libstrongswan/plugins/hmac/Makefile.am
++++ src/libstrongswan/plugins/hmac/Makefile.am
+@@ -7,5 +7,5 @@
+ 
+ libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
+ 	hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
+-libstrongswan_hmac_la_LDFLAGS = -module
++libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/ldap/Makefile.am
++++ src/libstrongswan/plugins/ldap/Makefile.am
+@@ -6,6 +6,6 @@
+ plugin_LTLIBRARIES = libstrongswan-ldap.la
+ 
+ libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
+-libstrongswan_ldap_la_LDFLAGS = -module
++libstrongswan_ldap_la_LDFLAGS = -module -avoid-version
+ libstrongswan_ldap_la_LIBADD  = -lldap -llber
+ 
+--- src/libstrongswan/plugins/md4/Makefile.am
++++ src/libstrongswan/plugins/md4/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-md4.la
+ 
+ libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
+-libstrongswan_md4_la_LDFLAGS = -module
++libstrongswan_md4_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/md5/Makefile.am
++++ src/libstrongswan/plugins/md5/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-md5.la
+ 
+ libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
+-libstrongswan_md5_la_LDFLAGS = -module
++libstrongswan_md5_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/mysql/Makefile.am
++++ src/libstrongswan/plugins/mysql/Makefile.am
+@@ -7,6 +7,6 @@
+ 
+ libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c  \
+ 	mysql_database.h mysql_database.c
+-libstrongswan_mysql_la_LDFLAGS = -module
++libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
+ libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
+ 
+--- src/libstrongswan/plugins/openssl/Makefile.am
++++ src/libstrongswan/plugins/openssl/Makefile.am
+@@ -16,6 +16,6 @@
+ 	openssl_ec_private_key.c openssl_ec_private_key.h \
+ 	openssl_ec_public_key.c openssl_ec_public_key.h
+ 
+-libstrongswan_openssl_la_LDFLAGS = -module
++libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
+ libstrongswan_openssl_la_LIBADD  = -lcrypto
+ 
+--- src/libstrongswan/plugins/padlock/Makefile.am
++++ src/libstrongswan/plugins/padlock/Makefile.am
+@@ -9,5 +9,5 @@
+ 	padlock_aes_crypter.c padlock_aes_crypter.h \
+ 	padlock_sha1_hasher.c padlock_sha1_hasher.h \
+ 	padlock_rng.c padlock_rng.h
+-libstrongswan_padlock_la_LDFLAGS = -module
++libstrongswan_padlock_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/pubkey/Makefile.am
++++ src/libstrongswan/plugins/pubkey/Makefile.am
+@@ -9,5 +9,5 @@
+   pubkey_cert.h pubkey_cert.c\
+   pubkey_public_key.h pubkey_public_key.c
+ 
+-libstrongswan_pubkey_la_LDFLAGS = -module
++libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/random/Makefile.am
++++ src/libstrongswan/plugins/random/Makefile.am
+@@ -7,5 +7,5 @@
+ 
+ libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
+   random_rng.c random_rng.h
+-libstrongswan_random_la_LDFLAGS = -module
++libstrongswan_random_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/sha1/Makefile.am
++++ src/libstrongswan/plugins/sha1/Makefile.am
+@@ -7,5 +7,5 @@
+ 
+ libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
+ 	sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
+-libstrongswan_sha1_la_LDFLAGS = -module
++libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/sha2/Makefile.am
++++ src/libstrongswan/plugins/sha2/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-sha2.la
+ 
+ libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
+-libstrongswan_sha2_la_LDFLAGS = -module
++libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/sqlite/Makefile.am
++++ src/libstrongswan/plugins/sqlite/Makefile.am
+@@ -7,6 +7,6 @@
+ 
+ libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c  \
+ 	sqlite_database.h sqlite_database.c
+-libstrongswan_sqlite_la_LDFLAGS = -module
++libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
+ libstrongswan_sqlite_la_LIBADD = -lsqlite3
+ 
+--- src/libstrongswan/plugins/test_vectors/Makefile.am
++++ src/libstrongswan/plugins/test_vectors/Makefile.am
+@@ -29,5 +29,5 @@
+ 	test_vectors/sha2_hmac.c \
+ 	test_vectors/fips_prf.c \
+ 	test_vectors/rng.c
+-libstrongswan_test_vectors_la_LDFLAGS = -module
++libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/x509/Makefile.am
++++ src/libstrongswan/plugins/x509/Makefile.am
+@@ -12,5 +12,5 @@
+   x509_ocsp_request.h x509_ocsp_request.c \
+   x509_ocsp_response.h x509_ocsp_response.c \
+   ietf_attr_list.h ietf_attr_list.c
+-libstrongswan_x509_la_LDFLAGS = -module
++libstrongswan_x509_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/xcbc/Makefile.am
++++ src/libstrongswan/plugins/xcbc/Makefile.am
+@@ -7,5 +7,5 @@
+ 
+ libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
+ 	xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
+-libstrongswan_xcbc_la_LDFLAGS = -module
++libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
+ 
diff --git a/strongswan_update-dns-server.dif b/strongswan_update-dns-server.dif
deleted file mode 100644
index 50d225e..0000000
--- a/strongswan_update-dns-server.dif
+++ /dev/null
@@ -1,43 +0,0 @@
---- src/charon/sa/ike_sa.c
-+++ src/charon/sa/ike_sa.c	2008/08/28 07:31:59
-@@ -2316,6 +2316,11 @@
-  */
- static void remove_dns_servers(private_ike_sa_t *this)
- {
-+	(void)this;
-+#if 0
-+	/*
-+	** TODO: don't change resolv.conf => use netconfig
-+	*/
- 	FILE *file;
- 	struct stat stats;
- 	chunk_t contents, line, orig_line, token;
-@@ -2391,6 +2396,7 @@
- 	}
- 	iterator->destroy(iterator);
- 	fclose(file);
-+#endif
- }
- 
- /**
-@@ -2398,6 +2404,12 @@
-  */
- static void add_dns_server(private_ike_sa_t *this, host_t *dns)
- {
-+	(void)this;
-+	(void)dns;
-+#if 0
-+	/*
-+	** TODO: don't change resolv.conf => use netconfig 
-+	*/
- 	FILE *file;
- 	struct stat stats;
- 	chunk_t contents;
-@@ -2442,6 +2454,7 @@
- 	fwrite(contents.ptr, contents.len, 1, file);
- 	
- 	fclose(file);	
-+#endif
- }
- 
- /**