diff --git a/Source/charon/config/Makefile.config b/Source/charon/config/Makefile.config
index b575e1f9e..8076e4339 100644
--- a/Source/charon/config/Makefile.config
+++ b/Source/charon/config/Makefile.config
@@ -26,3 +26,7 @@ $(BUILD_DIR)init_config.o : $(CONFIG_DIR)init_config.c $(CONFIG_DIR)init_con
 OBJS+= $(BUILD_DIR)sa_config.o
 $(BUILD_DIR)sa_config.o : $(CONFIG_DIR)sa_config.c $(CONFIG_DIR)sa_config.h
 	$(CC) $(CFLAGS) -c -o $@ $<
+
+OBJS+= $(BUILD_DIR)traffic_selector.o
+$(BUILD_DIR)traffic_selector.o : $(CONFIG_DIR)traffic_selector.c $(CONFIG_DIR)traffic_selector.h
+	$(CC) $(CFLAGS) -c -o $@ $<
diff --git a/Source/charon/config/sa_config.c b/Source/charon/config/sa_config.c
index cb553ff33..f306127a0 100644
--- a/Source/charon/config/sa_config.c
+++ b/Source/charon/config/sa_config.c
@@ -248,7 +248,8 @@ static bool proposal_equals(private_sa_config_t *this, child_proposal_t *first,
 static void add_traffic_selector(private_sa_config_t *this, traffic_selector_t *traffic_selector)
 {
 	/* clone ts, and add*/
-	this->ts->insert_last(this->ts, (void*)traffic_selector);
+
+	this->ts->insert_last(this->ts, (void*)traffic_selector->clone(traffic_selector));
 }
 
 /**
diff --git a/Source/charon/config/traffic_selector.c b/Source/charon/config/traffic_selector.c
index 22ab2a91a..3a95c65c6 100644
--- a/Source/charon/config/traffic_selector.c
+++ b/Source/charon/config/traffic_selector.c
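Review bot: The clone added in add_traffic_selector changes the ownership contract — the caller now keeps its traffic_selector and must destroy it itself, while the list owns the copy — but nothing in the hunk records that, and the stray blank line pushes the `/* clone ts, and add*/` comment away from the call it describes. I would drop the blank line and extend the comment to `/* the list owns a clone; the caller keeps ownership of traffic_selector and must destroy it */`, and say the same in the function's doc comment, which sits above this hunk. The `(void*)` cast is unnecessary in C, since any object pointer converts to void* implicitly. Whether clone() can return NULL is not visible here; if it can, that NULL would be inserted into the list unchecked.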
@@ -99,31 +99,26 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_ u_int16_t from_port, to_port; private_traffic_selector_t *new_ts; + /* calculate the maximum address range allowed for both */ from_addr = max(this->from_addr_ipv4, other->from_addr_ipv4); to_addr = min(this->to_addr_ipv4, other->to_addr_ipv4); - - printf("FromAddr: policy: %u, request: %u, match: %u\n", this->from_addr_ipv4, other->from_addr_ipv4, from_addr); - printf("ToAddr : policy: %u, request: %u, match: %u\n", this->to_addr_ipv4, other->to_addr_ipv4, to_addr); if (from_addr > to_addr) { /* no match */ return NULL; } + + /* calculate the maximum port range allowed for both */ from_port = max(this->from_port, other->from_port); to_port = min(this->to_port, other->to_port); - - printf("FromPort: policy: %u, request: %u, match: %u\n", this->from_port, other->from_port, from_port); - printf("ToPort: policy: %u, request: %u, match: %u\n", this->to_port, other->to_port, to_port); if (from_port > to_port) { /* no match */ return NULL; } - - printf("got one\n"); + /* got a match, return it */ new_ts = traffic_selector_create(this->protocol, this->type, from_port, to_port); - new_ts->from_addr_ipv4 = from_addr; new_ts->to_addr_ipv4 = to_addr; new_ts->type = TS_IPV4_ADDR_RANGE; diff --git a/Source/charon/config/traffic_selector.h b/Source/charon/config/traffic_selector.h index 9d00be5bc..f26406481 100644 --- a/Source/charon/config/traffic_selector.h +++ b/Source/charon/config/traffic_selector.h 
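Review bot: The intersection computed in this hunk narrows only the address and port ranges; `other->protocol` and `other->type` are never compared with `this`, yet the result is created with `this->protocol` and tagged TS_IPV4_ADDR_RANGE unconditionally. Unless the part of get_subset before line 99 already rejects a mismatch, a selector of another address type (or another protocol, allowing for whatever wildcard convention the config uses) would be reported as a match — a guard such as `if (this->type != other->type) { return NULL; }` belongs at the top of the hunk. get_subset starts before this hunk, so that check may already live there. The value returned by traffic_selector_create is also dereferenced without a NULL check; if it can fail, `if (new_ts == NULL) { return NULL; }` after the call closes that.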
@@ -30,27 +30,87 @@ typedef struct traffic_selector_t traffic_selector_t; /** - * @brief - * + * @brief Object representing a traffic selector entry. + * + * A traffic selector defines an range of addresses + * and a range of ports. * * @ingroup config */ struct traffic_selector_t { + /** + * @brief Compare two traffic selectors, and create a new one + * which is the largest subset of bouth (subnet & port). + * + * Resulting traffic_selector is newly created and must be destroyed. + * + * @param this first to compare + * @param other second to compare + * @return + * - created subset of them + * - or NULL if no match between this and other + */ traffic_selector_t *(*get_subset) (traffic_selector_t *this, traffic_selector_t *other); + /** + * @brief Clone a traffic selector. + * + * @param this traffic selector to clone + * @return clone of it + */ traffic_selector_t *(*clone) (traffic_selector_t *this); + /** + * @brief Get starting address of this ts as a chunk. + * + * Data is in network order and represents the address. + * Size depends on protocol. + * + * Resulting chunk data is allocated and must be freed! + * + * @param this calling object + * @return chunk containing the address + */ chunk_t (*get_from_address) (traffic_selector_t *this); + /** + * @brief Get ending address of this ts as a chunk. + * + * Data is in network order and represents the address. + * Size depends on protocol. + * + * Resulting chunk data is allocated and must be freed! + * + * @param this calling object + * @return chunk containing the address + */ chunk_t (*get_to_address) (traffic_selector_t *this); + /** + * @brief Get starting port of this ts. + * + * Port is in host order, since the parser converts it. + * Size depends on protocol. + * + * @param this calling object + * @return port + */ u_int16_t (*get_from_port) (traffic_selector_t *this); + /** + * @brief Get ending port of this ts. + * + * Port is in host order, since the parser converts it. + * Size depends on protocol. 
+ * + * @param this calling object + * @return port + */ u_int16_t (*get_to_port) (traffic_selector_t *this); /** - * @brief Destroys the config object + * @brief Destroys the ts object * * * @param this calling object @@ -59,16 +119,41 @@ struct traffic_selector_t { }; /** - * @brief + * @brief Create a new traffic selector using human readable params. * - * @return created traffic_selector_t + * @param protocol protocol for this ts, such as TCP or UDP + * @param type type of following addresses, such as TS_IPV4_ADDR_RANGE + * @param from_addr start of address range as string + * @param from_port port number in host order + * @param to_addr end of address range as string + * @param to_port port number in host order + * @return + * - created traffic_selector_t + * - NULL if invalid address strings * * @ingroup config */ traffic_selector_t *traffic_selector_create_from_string(u_int8_t protocol, ts_type_t type, char *from_addr, u_int16_t from_port, char *to_addr, u_int16_t to_port); +/** + * @brief Create a new traffic selector using data read from the net. + * + * There exists a mix of network and host order in the params. + * But the parser gives us this data in this format, so we + * don't have to convert twice. + * + * @param protocol protocol for this ts, such as TCP or UDP + * @param type type of following addresses, such as TS_IPV4_ADDR_RANGE + * @param from_addr start of address range, network order + * @param from_port port number, host order + * @param to_addr end of address range as string, network + * @param to_port port number, host order + * @return + * - created traffic_selector_t + * - NULL if invalid address strings + * + * @ingroup config + */ traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol, ts_type_t type, chunk_t from_address, int16_t from_port, chunk_t to_address, u_int16_t to_port); #endif //_TRAFFIC_SELECTOR_H_ - - 
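Review bot: The new documentation on get_from_port and get_to_port carries over the sentence `Size depends on protocol.` from the address getters, where it is wrong for a u_int16_t port; drop it, as `Port is in host order, since the parser converts it.` already says what matters. Two typos in the same hunk: `bouth` in the get_subset comment should read `both`, and `defines an range of addresses` in the struct comment should read `defines a range of addresses`. The get_subset comment could also name what the caller must do on the NULL return, e.g. `@return ... NULL if the two selectors do not overlap; the caller owns the returned object`, which keeps the ownership rule next to the failure case.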
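Review bot: The new doc block for traffic_selector_create_from_bytes does not match the prototype under it: it documents `from_addr` and `to_addr`, but the parameters are named `from_address` and `to_address`, and `to_addr end of address range as string, network` is copied from the string variant — the bytes variant takes a chunk_t, so `@param to_address end of address range, network order` is the correct line. Likewise `NULL if invalid address strings` in its @return refers to strings this function never sees; state what actually makes it fail, or drop the line if it cannot fail. The prototype itself (a context line, so not changed here) declares from_port as int16_t while to_port is u_int16_t; if that asymmetry is unintended, ports above 32767 would read as negative, and the doc's `port number, host order` hides it.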
diff --git a/Source/charon/testcases/Makefile.testcases b/Source/charon/testcases/Makefile.testcases
index d6027cb77..8463c1a00 100644
--- a/Source/charon/testcases/Makefile.testcases
+++ b/Source/charon/testcases/Makefile.testcases
@@ -111,3 +111,7 @@ $(BUILD_DIR)encryption_payload_test.o : $(TESTCASES_DIR)encryption_payload_test.
 TEST_OBJS+= $(BUILD_DIR)init_config_test.o
 $(BUILD_DIR)init_config_test.o : $(TESTCASES_DIR)init_config_test.c $(TESTCASES_DIR)init_config_test.h
 	$(CC) $(CFLAGS) -c -o $@ $<
+
+TEST_OBJS+= $(BUILD_DIR)sa_config_test.o
+$(BUILD_DIR)sa_config_test.o : $(TESTCASES_DIR)sa_config_test.c $(TESTCASES_DIR)sa_config_test.h
+	$(CC) $(CFLAGS) -c -o $@ $<
diff --git a/Source/charon/testcases/testcases.c b/Source/charon/testcases/testcases.c
index 0d1a08664..341991567 100644
--- a/Source/charon/testcases/testcases.c
+++ b/Source/charon/testcases/testcases.c
@@ -57,6 +57,7 @@
 #include
 #include
 #include
+#include
 
 /* output for test messages */
 extern FILE * stderr;
@@ -106,6 +107,7 @@ test_t hmac_signer_test1 = {test_hmac_md5_signer, "HMAC MD5 signer test"};
 test_t hmac_signer_test2 = {test_hmac_sha1_signer, "HMAC SHA1 signer test"};
 test_t encryption_payload_test = {test_encryption_payload, "encryption payload test"};
 test_t init_config_test = {test_init_config, "init_config_t test"};
+test_t sa_config_test = {test_sa_config, "sa_config_t test"};
 
 daemon_t* charon;
 
@@ -200,6 +202,7 @@ int main()
 	&hmac_signer_test2,
 	&encryption_payload_test,
 	&init_config_test,
+	&sa_config_test,
 	NULL
 };
 
@@ -210,6 +213,7 @@ int main()
 
 	tester_t *tester = tester_create(test_output, FALSE);
 
+	tester->perform_tests(tester,all_tests);
 	// tester->perform_test(tester,&parser_test2);