diff --git a/src/libhydra/kernel/kernel_ipsec.c b/src/libhydra/kernel/kernel_ipsec.c index 9b38297cc..1a32ab4e7 100644 --- a/src/libhydra/kernel/kernel_ipsec.c +++ b/src/libhydra/kernel/kernel_ipsec.c @@ -17,28 +17,6 @@ #include -ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_DROP, - "TRANSPORT", - "TUNNEL", - "BEET", - "PASS", - "DROP" -); - -ENUM(policy_dir_names, POLICY_IN, POLICY_FWD, - "in", - "out", - "fwd" -); - -ENUM(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_LZJH, - "IPCOMP_NONE", - "IPCOMP_OUI", - "IPCOMP_DEFLATE", - "IPCOMP_LZS", - "IPCOMP_LZJH" -); - /** * See header */ diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index 500a77cad..ee0ade2aa 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h 
@@ -24,158 +24,13 @@ #ifndef KERNEL_IPSEC_H_ #define KERNEL_IPSEC_H_ -typedef enum ipsec_mode_t ipsec_mode_t; -typedef enum policy_dir_t policy_dir_t; -typedef enum policy_type_t policy_type_t; -typedef enum policy_priority_t policy_priority_t; -typedef enum ipcomp_transform_t ipcomp_transform_t; typedef struct kernel_ipsec_t kernel_ipsec_t; -typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t; -typedef struct lifetime_cfg_t lifetime_cfg_t; -typedef struct mark_t mark_t; #include -#include +#include #include #include -/** - * Mode of an IPsec SA. - */ -enum ipsec_mode_t { - /** not using any encapsulation */ - MODE_NONE = 0, - /** transport mode, no inner address */ - MODE_TRANSPORT = 1, - /** tunnel mode, inner and outer addresses */ - MODE_TUNNEL, - /** BEET mode, tunnel mode but fixed, bound inner addresses */ - MODE_BEET, - /** passthrough policy for traffic without an IPsec SA */ - MODE_PASS, - /** drop policy discarding traffic */ - MODE_DROP -}; - -/** - * enum names for ipsec_mode_t. - */ -extern enum_name_t *ipsec_mode_names; - -/** - * Direction of a policy. These are equal to those - * defined in xfrm.h, but we want to stay implementation - * neutral here. - */ -enum policy_dir_t { - /** Policy for inbound traffic */ - POLICY_IN = 0, - /** Policy for outbound traffic */ - POLICY_OUT = 1, - /** Policy for forwarded traffic */ - POLICY_FWD = 2, -}; - -/** - * enum names for policy_dir_t. - */ -extern enum_name_t *policy_dir_names; - -/** - * Type of a policy. - */ -enum policy_type_t { - /** Normal IPsec policy */ - POLICY_IPSEC = 1, - /** Passthrough policy (traffic is ignored by IPsec) */ - POLICY_PASS, - /** Drop policy (traffic is discarded) */ - POLICY_DROP, -}; - -/** - * High-level priority of a policy. 
- */ -enum policy_priority_t { - /** Default priority */ - POLICY_PRIORITY_DEFAULT, - /** Priority for trap policies */ - POLICY_PRIORITY_ROUTED, - /** Priority for fallback drop policies */ - POLICY_PRIORITY_FALLBACK, -}; - -/** - * IPComp transform IDs, as in RFC 4306 - */ -enum ipcomp_transform_t { - IPCOMP_NONE = 0, - IPCOMP_OUI = 1, - IPCOMP_DEFLATE = 2, - IPCOMP_LZS = 3, - IPCOMP_LZJH = 4, -}; - -/** - * enum strings for ipcomp_transform_t. - */ -extern enum_name_t *ipcomp_transform_names; - -/** - * This struct contains details about IPsec SA(s) tied to a policy. - */ -struct ipsec_sa_cfg_t { - /** mode of SA (tunnel, transport) */ - ipsec_mode_t mode; - /** unique ID */ - u_int32_t reqid; - /** details about ESP/AH */ - struct { - /** TRUE if this protocol is used */ - bool use; - /** SPI for ESP/AH */ - u_int32_t spi; - } esp, ah; - /** details about IPComp */ - struct { - /** the IPComp transform used */ - u_int16_t transform; - /** CPI for IPComp */ - u_int16_t cpi; - } ipcomp; -}; - -/** - * A lifetime_cfg_t defines the lifetime limits of an SA. - * - * Set any of these values to 0 to ignore. - */ -struct lifetime_cfg_t { - struct { - /** Limit before the SA gets invalid. */ - u_int64_t life; - /** Limit before the SA gets rekeyed. */ - u_int64_t rekey; - /** The range of a random value subtracted from rekey. */ - u_int64_t jitter; - } time, bytes, packets; -}; - -/** - * A mark_t defines an optional mark in an IPsec SA. - */ -struct mark_t { - /** Mark value */ - u_int32_t value; - /** Mark mask */ - u_int32_t mask; -}; - -/** - * Special mark value that uses the reqid of the CHILD_SA as mark - */ -#define MARK_REQID (0xFFFFFFFF) - /** * Interface to the ipsec subsystem of the kernel. * diff --git a/src/libipsec/Android.mk b/src/libipsec/Android.mk index 7292bff59..c4cf92d39 100644 --- a/src/libipsec/Android.mk +++ b/src/libipsec/Android.mk 
@@ -12,7 +12,6 @@ esp_packet.c esp_packet.h LOCAL_C_INCLUDES += \ $(libvstr_PATH) \ $(strongswan_PATH)/src/include \ - $(strongswan_PATH)/src/libhydra \ $(strongswan_PATH)/src/libstrongswan LOCAL_CFLAGS := $(strongswan_CFLAGS) @@ -25,7 +24,7 @@ LOCAL_ARM_MODE := arm LOCAL_PRELINK_MODULE := false -LOCAL_SHARED_LIBRARIES += libstrongswan libhydra +LOCAL_SHARED_LIBRARIES += libstrongswan include $(BUILD_SHARED_LIBRARY) diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am index ce07e3cad..128de7a1f 100644 --- a/src/libipsec/Makefile.am +++ b/src/libipsec/Makefile.am @@ -8,8 +8,7 @@ esp_packet.c esp_packet.h libipsec_la_LIBADD = INCLUDES = \ - -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra + -I$(top_srcdir)/src/libstrongswan EXTRA_DIST = Android.mk diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index 398e371e8..389120e73 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -20,6 +20,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \ credentials/sets/cert_cache.c credentials/sets/mem_cred.c \ credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \ database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \ +ipsec/ipsec_types.c \ pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \ processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \ selectors/traffic_selector.c threading/thread.c threading/thread_value.c \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 383efc8b8..1f27f01ec 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am 
@@ -18,6 +18,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
 credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
 database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
+ipsec/ipsec_types.c \
 pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
 processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
 selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
@@ -51,10 +52,11 @@ credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
 credentials/sets/mem_cred.h credentials/sets/callback_cred.h \
 credentials/auth_cfg.h credentials/credential_set.h credentials/cert_validator.h \
 database/database.h database/database_factory.h fetcher/fetcher.h \
-fetcher/fetcher_manager.h eap/eap.h pen/pen.h plugins/plugin_loader.h \
-plugins/plugin.h plugins/plugin_feature.h processing/jobs/job.h \
-processing/jobs/callback_job.h processing/processor.h processing/scheduler.h \
-selectors/traffic_selector.h threading/thread.h threading/thread_value.h \
+fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
+plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h
+processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h
+processing/scheduler.h selectors/traffic_selector.h \
+threading/thread.h threading/thread_value.h \
 threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \
 threading/rwlock.h threading/lock_profiler.h utils.h utils/host.h \
 utils/packet.h utils/identification.h utils/lexparser.h utils/linked_list.h \
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
new file mode 100644
index 000000000..e4e927313
--- /dev/null
+++ b/src/libstrongswan/ipsec/ipsec_types.c
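Review bot: In the @@ -51,10 +52,11 @@ hunk the two added lines `plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h` and `processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h` end without the `\` continuation that every neighbouring line of the header list carries, so unless the rendering dropped them the variable assignment stops after `ipsec/ipsec_types.h \` and the next names become stand-alone lines that automake/make will reject or ignore. Append ` \` to both lines so they read `plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \` and `processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \`. The first hunk of this file (@@ -18,6 +18,7 @@) keeps its continuation correctly.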
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec_types.h"
+
+ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_DROP,
+ "TRANSPORT",
+ "TUNNEL",
+ "BEET",
+ "PASS",
+ "DROP"
+);
+
+ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
+ "in",
+ "out",
+ "fwd"
+);
+
+ENUM(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_LZJH,
+ "IPCOMP_NONE",
+ "IPCOMP_OUI",
+ "IPCOMP_DEFLATE",
+ "IPCOMP_LZS",
+ "IPCOMP_LZJH"
+);
diff --git a/src/libstrongswan/ipsec/ipsec_types.h b/src/libstrongswan/ipsec/ipsec_types.h
new file mode 100644
index 000000000..32e55bc50
--- /dev/null
+++ b/src/libstrongswan/ipsec/ipsec_types.h
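Review bot: `ipsec_mode_names` is declared over MODE_TRANSPORT..MODE_DROP, so MODE_NONE (value 0 in the accompanying header) has no entry and a lookup of that value falls through to whatever the enum_name code does for out-of-range input; nothing in the hunk says whether that gap is intended. The other two tables start at their enum's first value (POLICY_IN, IPCOMP_NONE), which makes the asymmetry easy to misread now that the tables are exported from libstrongswan. A one-line comment above the first ENUM would settle it, e.g. `/* starts at MODE_TRANSPORT: MODE_NONE (0) has no name in this table */`.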
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_types ipsec_types
+ * @{ @ingroup ipsec
+ */
+
+#ifndef IPSEC_TYPES_H_
+#define IPSEC_TYPES_H_
+
+typedef enum ipsec_mode_t ipsec_mode_t;
+typedef enum policy_dir_t policy_dir_t;
+typedef enum policy_type_t policy_type_t;
+typedef enum policy_priority_t policy_priority_t;
+typedef enum ipcomp_transform_t ipcomp_transform_t;
+typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
+typedef struct lifetime_cfg_t lifetime_cfg_t;
+typedef struct mark_t mark_t;
+
+#include
+
+/**
+ * Mode of an IPsec SA.
+ */
+enum ipsec_mode_t {
+ /** not using any encapsulation */
+ MODE_NONE = 0,
+ /** transport mode, no inner address */
+ MODE_TRANSPORT = 1,
+ /** tunnel mode, inner and outer addresses */
+ MODE_TUNNEL,
+ /** BEET mode, tunnel mode but fixed, bound inner addresses */
+ MODE_BEET,
+ /** passthrough policy for traffic without an IPsec SA */
+ MODE_PASS,
+ /** drop policy discarding traffic */
+ MODE_DROP
+};
+
+/**
+ * enum names for ipsec_mode_t.
+ */
+extern enum_name_t *ipsec_mode_names;
+
+/**
+ * Direction of a policy. These are equal to those
+ * defined in xfrm.h, but we want to stay implementation
+ * neutral here.
+ */
+enum policy_dir_t {
+ /** Policy for inbound traffic */
+ POLICY_IN = 0,
+ /** Policy for outbound traffic */
+ POLICY_OUT = 1,
+ /** Policy for forwarded traffic */
+ POLICY_FWD = 2,
+};
+
+/**
+ * enum names for policy_dir_t.
+ */
+extern enum_name_t *policy_dir_names;
+
+/**
+ * Type of a policy.
+ */
+enum policy_type_t {
+ /** Normal IPsec policy */
+ POLICY_IPSEC = 1,
+ /** Passthrough policy (traffic is ignored by IPsec) */
+ POLICY_PASS,
+ /** Drop policy (traffic is discarded) */
+ POLICY_DROP,
+};
+
+/**
+ * High-level priority of a policy.
+ */
+enum policy_priority_t {
+ /** Default priority */
+ POLICY_PRIORITY_DEFAULT,
+ /** Priority for trap policies */
+ POLICY_PRIORITY_ROUTED,
+ /** Priority for fallback drop policies */
+ POLICY_PRIORITY_FALLBACK,
+};
+
+/**
+ * IPComp transform IDs, as in RFC 4306
+ */
+enum ipcomp_transform_t {
+ IPCOMP_NONE = 0,
+ IPCOMP_OUI = 1,
+ IPCOMP_DEFLATE = 2,
+ IPCOMP_LZS = 3,
+ IPCOMP_LZJH = 4,
+};
+
+/**
+ * enum strings for ipcomp_transform_t.
+ */
+extern enum_name_t *ipcomp_transform_names;
+
+/**
+ * This struct contains details about IPsec SA(s) tied to a policy.
+ */
+struct ipsec_sa_cfg_t {
+ /** mode of SA (tunnel, transport) */
+ ipsec_mode_t mode;
+ /** unique ID */
+ u_int32_t reqid;
+ /** details about ESP/AH */
+ struct {
+ /** TRUE if this protocol is used */
+ bool use;
+ /** SPI for ESP/AH */
+ u_int32_t spi;
+ } esp, ah;
+ /** details about IPComp */
+ struct {
+ /** the IPComp transform used */
+ u_int16_t transform;
+ /** CPI for IPComp */
+ u_int16_t cpi;
+ } ipcomp;
+};
+
+/**
+ * A lifetime_cfg_t defines the lifetime limits of an SA.
+ *
+ * Set any of these values to 0 to ignore.
+ */
+struct lifetime_cfg_t {
+ struct {
+ /** Limit before the SA gets invalid. */
+ u_int64_t life;
+ /** Limit before the SA gets rekeyed. */
+ u_int64_t rekey;
+ /** The range of a random value subtracted from rekey. */
+ u_int64_t jitter;
+ } time, bytes, packets;
+};
+
+/**
+ * A mark_t defines an optional mark in an IPsec SA.
+ */
+struct mark_t {
+ /** Mark value */
+ u_int32_t value;
+ /** Mark mask */
+ u_int32_t mask;
+};
+
+/**
+ * Special mark value that uses the reqid of the CHILD_SA as mark
+ */
+#define MARK_REQID (0xFFFFFFFF)
+
+#endif /** IPSEC_TYPES_H_ @}*/
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index d357ddf5a..634128fe9 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -43,6 +43,9 @@
 * @defgroup fetcher fetcher
 * @ingroup libstrongswan
 *
+ * @defgroup ipsec ipsec
+ * @ingroup libstrongswan
+ *
 * @defgroup plugins plugins
 * @ingroup libstrongswan
 *
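Review bot: `ipsec_sa_cfg_t.ipcomp.transform` is declared `u_int16_t` although the header defines `ipcomp_transform_t` a few lines above and the sibling field `mode` does use its enum type, so an `ipcomp_transform_t` value is narrowed silently on assignment and a reader cannot tell from the struct which values are legal. If the 16-bit width is deliberate, say so in the field comment, e.g. `/** the IPComp transform used (an ipcomp_transform_t value, stored as u_int16_t) */`; otherwise `ipcomp_transform_t transform;` is the clearer declaration, with the caveat that it changes the struct layout for every user of this moved header. Separately, the header relies on `bool`, `u_int16_t`/`u_int32_t`/`u_int64_t` and `enum_name_t` through a single `#include` whose target is not legible in this rendering; it is worth confirming that one include actually brings all of them into scope now that the file no longer sits next to kernel_ipsec.h.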