diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
index 84cdaf1d2..b91f5e1b5 100644
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
-PKG_VERSION:=5.3.5
+PKG_VERSION:=5.4.0
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/
-PKG_MD5SUM:=a2f9ea185f27e7f8413d4cd2ee61efe4
+PKG_MD5SUM:=9d7c77b0da9b69f859624897e5e9ebbf
 PKG_LICENSE:=GPL-2.0+
 PKG_MAINTAINER:=Steven Barth <cyrus@openwrt.org>
 
@@ -43,6 +43,7 @@ PKG_MOD_AVAILABLE:= \
 	eap-tls \
 	farp \
 	fips-prf \
+	forecast \
 	gcm \
 	gcrypt \
 	gmp \
@@ -160,6 +161,7 @@ $(call Package/strongswan/Default)
 	+strongswan-mod-eap-tls \
 	+strongswan-mod-farp \
 	+strongswan-mod-fips-prf \
+	+strongswan-mod-forecast \
 	+strongswan-mod-gcm \
 	+strongswan-mod-gcrypt \
 	+strongswan-mod-gmp \
@@ -397,7 +399,7 @@ define Package/strongswan/install
 	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/ipsec.conf $(1)/etc/
 	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/
 	$(INSTALL_DIR) $(1)/usr/lib/ipsec
-	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{libstrongswan.so.*,libhydra.so.*} $(1)/usr/lib/ipsec/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/
 	$(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/
 	$(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
 	$(INSTALL_DIR) $(1)/etc/init.d
@@ -523,6 +525,7 @@ $(eval $(call BuildPlugin,eap-radius,EAP RADIUS auth,))
 $(eval $(call BuildPlugin,eap-tls,EAP TLS auth,+strongswan-libtls))
 $(eval $(call BuildPlugin,farp,fake arp respsonses,))
 $(eval $(call BuildPlugin,fips-prf,FIPS PRF crypto,+strongswan-mod-sha1))
+$(eval $(call BuildPlugin,forecast,forward multi/broadcast traffic,+kmod-ipt-conntrack-extra))
 $(eval $(call BuildPlugin,gcm,GCM AEAD wrapper crypto,))
 $(eval $(call BuildPlugin,gcrypt,libgcrypt,+PACKAGE_strongswan-mod-gcrypt:libgcrypt))
 $(eval $(call BuildPlugin,gmp,libgmp,+PACKAGE_strongswan-mod-gmp:libgmp))
@@ -559,7 +562,7 @@ $(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charo
 $(eval $(call BuildPlugin,sql,SQL database interface,))
 $(eval $(call BuildPlugin,sqlite,SQLite database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-sqlite:libsqlite3))
 $(eval $(call BuildPlugin,sshkey,SSH key decoding,))
-$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-utils))
+$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-charon +strongswan-utils))
 $(eval $(call BuildPlugin,test-vectors,crypto test vectors,))
 $(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci))
 $(eval $(call BuildPlugin,unity,Cisco Unity extension,))
diff --git a/net/strongswan/patches/101-musl-fixes.patch b/net/strongswan/patches/101-musl-fixes.patch
index 3b90e6cf2..a360d1cab 100644
--- a/net/strongswan/patches/101-musl-fixes.patch
+++ b/net/strongswan/patches/101-musl-fixes.patch
@@ -50,8 +50,8 @@
 +#undef blkcnt_t
 +#undef crypt
 +#undef encrypt
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
 @@ -18,6 +18,8 @@
   * for more details.
   */
@@ -61,8 +61,8 @@
  #include <sys/types.h>
  #include <sys/socket.h>
  #include <stdint.h>
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
 @@ -37,6 +37,8 @@
   * THE SOFTWARE.
   */
@@ -72,8 +72,8 @@
  #include <sys/socket.h>
  #include <sys/utsname.h>
  #include <linux/netlink.h>
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
 @@ -15,6 +15,8 @@
   * for more details.
   */
diff --git a/net/strongswan/patches/201-kmodloader.patch b/net/strongswan/patches/201-kmodloader.patch
index 7d4615638..cd74f2711 100644
--- a/net/strongswan/patches/201-kmodloader.patch
+++ b/net/strongswan/patches/201-kmodloader.patch
@@ -1,6 +1,6 @@
 --- a/src/starter/netkey.c
 +++ b/src/starter/netkey.c
-@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
+@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
  		/* af_key module makes the netkey proc interface visible */
  		if (stat(PROC_MODULES, &stb) == 0)
  		{
@@ -9,7 +9,7 @@
  		}
  
  		/* now test again */
-@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
+@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
  	/* make sure that all required IPsec modules are loaded */
  	if (stat(PROC_MODULES, &stb) == 0)
  	{
diff --git a/net/strongswan/patches/210-sleep.patch b/net/strongswan/patches/210-sleep.patch
new file mode 100644
index 000000000..54b0efca5
--- /dev/null
+++ b/net/strongswan/patches/210-sleep.patch
@@ -0,0 +1,11 @@
+--- a/src/ipsec/_ipsec.in
++++ b/src/ipsec/_ipsec.in
+@@ -259,7 +259,7 @@ stop)
+			loop=110
+			while [ $loop -gt 0 ] ; do
+				kill -0 $spid 2>/dev/null || break
+-				sleep 0.1 2>/dev/null
++				sleep 1 2>/dev/null
+				if [ $? -ne 0 ]
+				then
+					sleep 1
diff --git a/net/strongswan/patches/305-minimal_dh_plugin.patch b/net/strongswan/patches/305-minimal_dh_plugin.patch
index e060ec36c..adf5fd8e7 100644
--- a/net/strongswan/patches/305-minimal_dh_plugin.patch
+++ b/net/strongswan/patches/305-minimal_dh_plugin.patch
@@ -8,7 +8,7 @@
  ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
  ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
  ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
-@@ -1312,6 +1313,7 @@ ADD_PLUGIN([gcrypt],               [s ch
+@@ -1325,6 +1326,7 @@ ADD_PLUGIN([gcrypt],               [s ch
  ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
  ADD_PLUGIN([fips-prf],             [s charon nm cmd])
  ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
@@ -16,7 +16,7 @@
  ADD_PLUGIN([agent],                [s charon nm cmd])
  ADD_PLUGIN([keychain],             [s charon cmd])
  ADD_PLUGIN([chapoly],              [s charon scripts nm cmd])
-@@ -1444,6 +1446,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = x
+@@ -1458,6 +1460,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = x
  AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue)
  AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
  AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
@@ -24,7 +24,7 @@
  AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
  AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue)
  AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
-@@ -1692,6 +1695,7 @@ AC_CONFIG_FILES([
+@@ -1707,6 +1710,7 @@ AC_CONFIG_FILES([
  	src/libstrongswan/plugins/sha3/Makefile
  	src/libstrongswan/plugins/fips_prf/Makefile
  	src/libstrongswan/plugins/gmp/Makefile
@@ -34,7 +34,7 @@
  	src/libstrongswan/plugins/random/Makefile
 --- a/src/libstrongswan/Makefile.am
 +++ b/src/libstrongswan/Makefile.am
-@@ -303,6 +303,13 @@ if MONOLITHIC
+@@ -305,6 +305,13 @@ if MONOLITHIC
  endif
  endif