diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile index 91f72947c..6865499f0 100644 --- a/net/strongswan/Makefile +++ b/net/strongswan/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=strongswan -PKG_VERSION:=5.3.4 -PKG_RELEASE:=2 +PKG_VERSION:=5.3.5 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/ -PKG_MD5SUM:=655a632a515c74a99f2e9cc337ab2f33 +PKG_MD5SUM:=a2f9ea185f27e7f8413d4cd2ee61efe4 PKG_LICENSE:=GPL-2.0+ PKG_MAINTAINER:=Steven Barth @@ -28,6 +28,7 @@ PKG_MOD_AVAILABLE:= \ ccm \ cmac \ constraints \ + connmark \ coupling \ ctr \ curl \ @@ -144,6 +145,7 @@ $(call Package/strongswan/Default) +strongswan-mod-ccm \ +strongswan-mod-cmac \ +strongswan-mod-constraints \ + +strongswan-mod-connmark \ +strongswan-mod-coupling \ +strongswan-mod-ctr \ +strongswan-mod-curl \ @@ -221,6 +223,7 @@ $(call Package/strongswan/Default) +strongswan-charon \ +strongswan-mod-aes \ +strongswan-mod-attr \ + +strongswan-mod-connmark \ +strongswan-mod-constraints \ +strongswan-mod-des \ +strongswan-mod-dnskey \ @@ -504,6 +507,7 @@ $(eval $(call BuildPlugin,attr-sql,SQL based config,+strongswan-charon)) $(eval $(call BuildPlugin,blowfish,Blowfish crypto,)) $(eval $(call BuildPlugin,ccm,CCM AEAD wrapper crypto,)) $(eval $(call BuildPlugin,cmac,CMAC crypto,)) +$(eval $(call BuildPlugin,connmark,netfilter connection marking,)) $(eval $(call BuildPlugin,constraints,advanced X509 constraint checking,)) $(eval $(call BuildPlugin,coupling,IKEv2 plugin to couple peer certificates permanently to authentication,)) $(eval $(call BuildPlugin,ctr,Counter Mode wrapper crypto,)) diff --git a/net/strongswan/patches/001-fix-EINTR-crash.patch b/net/strongswan/patches/001-fix-EINTR-crash.patch deleted file mode 100644 index ff4d9490b..000000000 --- a/net/strongswan/patches/001-fix-EINTR-crash.patch +++ /dev/null 
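Review bot: The new `PKG_MD5SUM` value in the first Makefile hunk is the only integrity check on a tarball that `PKG_SOURCE_URL` fetches over plain `http://`. MD5 is no longer collision resistant, so this is weak protection against a tampered mirror or an on-path modification of the download. For a VPN daemon's source I would pin a SHA-256 digest instead, e.g. `PKG_HASH:=<sha256 of strongswan-5.3.5.tar.bz2>` on trees whose download helper accepts it, and list the `https://` form of the download hosts if they serve it. The pinned digest should come from a copy verified against the project's published signature, not from whatever the build host happened to download.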
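Review bot: The added `BuildPlugin,connmark` line (hunk at -504) leaves the third, dependency argument empty. A plugin described as "netfilter connection marking" presumably needs an iptables library and connmark/conntrack kernel support at run time. That should be confirmed against the plugin's configure checks and declared, e.g. `$(eval $(call BuildPlugin,connmark,netfilter connection marking,+<iptables-lib-package>))` with the placeholder replaced by the real package name. The hunks at -144 and -221 also add `+strongswan-mod-connmark` to the package dependency lists under `Package/strongswan/Default`, so images built from those sets will start shipping the plugin. If it is only needed for specific setups, keeping it out of the smaller set keeps the daemon's installed code minimal.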
@@ -1,216 +0,0 @@ -From ea651877c0bb6e129f52eb592cea3b10b2e3347b Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Thu, 19 Nov 2015 11:21:48 +0100 -Subject: [PATCH] sigwaitinfo() may fail with EINTR if an unblocked signal not - in the set is received - - #1213. ---- - src/charon-cmd/charon-cmd.c | 9 ++++----- - src/charon-nm/charon-nm.c | 9 ++++----- - src/charon-systemd/charon-systemd.c | 9 ++++----- - src/charon-tkm/src/charon-tkm.c | 9 ++++----- - src/charon/charon.c | 11 +++++------ - src/conftest/conftest.c | 2 +- - src/frontends/osx/charon-xpc/charon-xpc.c | 7 ++++--- - src/libfast/fast_dispatcher.c | 6 +++++- - src/libstrongswan/utils/utils.c | 5 ++++- - 9 files changed, 35 insertions(+), 32 deletions(-) - -diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c -index b8f943f..d3b31cc 100644 ---- a/src/charon-cmd/charon-cmd.c -+++ b/src/charon-cmd/charon-cmd.c -@@ -115,6 +115,10 @@ static int run() - sig = sigwaitinfo(&set, NULL); - if (sig == -1) - { -+ if (errno == EINTR) -+ { /* ignore signals we didn't wait for */ -+ continue; -+ } - DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); - return 1; - } -@@ -152,11 +156,6 @@ static int run() - charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig); - return 1; - } -- default: -- { -- DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig); -- break; -- } - } - } - } -diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c -index 1773e7c..fb090e5 100644 ---- a/src/charon-nm/charon-nm.c -+++ b/src/charon-nm/charon-nm.c -@@ -85,6 +85,10 @@ static void run() - sig = sigwaitinfo(&set, NULL); - if (sig == -1) - { -+ if (errno == EINTR) -+ { /* ignore signals we didn't wait for */ -+ continue; -+ } - DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); - return; - } -@@ -102,11 +106,6 @@ static void run() - charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig); - return; - } -- default: -- { -- DBG1(DBG_DMN, "unknown signal %d received. 
Ignored", sig); -- break; -- } - } - } - } -diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c -index f302d45..4286cde 100644 ---- a/src/charon-systemd/charon-systemd.c -+++ b/src/charon-systemd/charon-systemd.c -@@ -254,6 +254,10 @@ static int run() - sig = sigwaitinfo(&set, NULL); - if (sig == -1) - { -+ if (errno == EINTR) -+ { /* ignore signals we didn't wait for */ -+ continue; -+ } - DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); - return SS_RC_INITIALIZATION_FAILED; - } -@@ -265,11 +269,6 @@ static int run() - charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig); - return 0; - } -- default: -- { -- DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig); -- break; -- } - } - } - } -diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c -index 52d82f3..3923c8a 100644 ---- a/src/charon-tkm/src/charon-tkm.c -+++ b/src/charon-tkm/src/charon-tkm.c -@@ -104,6 +104,10 @@ static void run() - sig = sigwaitinfo(&set, NULL); - if (sig == -1) - { -+ if (errno == EINTR) -+ { /* ignore signals we didn't wait for */ -+ continue; -+ } - DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); - return; - } -@@ -121,11 +125,6 @@ static void run() - charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig); - return; - } -- default: -- { -- DBG1(DBG_DMN, "unknown signal %d received. 
Ignored", sig); -- break; -- } - } - } - } -diff --git a/src/charon/charon.c b/src/charon/charon.c -index f03b6e1..4c2a9a4 100644 ---- a/src/charon/charon.c -+++ b/src/charon/charon.c -@@ -98,7 +98,7 @@ static void run() - { - sigset_t set; - -- /* handle SIGINT, SIGHUP ans SIGTERM in this handler */ -+ /* handle SIGINT, SIGHUP and SIGTERM in this handler */ - sigemptyset(&set); - sigaddset(&set, SIGINT); - sigaddset(&set, SIGHUP); -@@ -112,6 +112,10 @@ static void run() - sig = sigwaitinfo(&set, NULL); - if (sig == -1) - { -+ if (errno == EINTR) -+ { /* ignore signals we didn't wait for */ -+ continue; -+ } - DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); - return; - } -@@ -144,11 +148,6 @@ static void run() - charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig); - return; - } -- default: -- { -- DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig); -- break; -- } - } - } - } -diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c -index 9348b64..edfe0ca 100644 ---- a/src/conftest/conftest.c -+++ b/src/conftest/conftest.c -@@ -565,7 +565,7 @@ int main(int argc, char *argv[]) - sigaddset(&set, SIGTERM); - sigprocmask(SIG_BLOCK, &set, NULL); - -- while ((sig = sigwaitinfo(&set, NULL)) != -1) -+ while ((sig = sigwaitinfo(&set, NULL)) != -1 || errno == EINTR) - { - switch (sig) - { -diff --git a/src/libfast/fast_dispatcher.c b/src/libfast/fast_dispatcher.c -index b4c6ce3..66a2ee5 100644 ---- a/src/libfast/fast_dispatcher.c -+++ b/src/libfast/fast_dispatcher.c -@@ -21,6 +21,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -389,7 +390,10 @@ METHOD(fast_dispatcher_t, waitsignal, void, - sigaddset(&set, SIGTERM); - sigaddset(&set, SIGHUP); - sigprocmask(SIG_BLOCK, &set, NULL); -- sigwaitinfo(&set, NULL); -+ while (sigwaitinfo(&set, NULL) == -1 && errno == EINTR) -+ { -+ /* wait for signal */ -+ } - } - - METHOD(fast_dispatcher_t, destroy, void, -diff --git a/src/libstrongswan/utils/utils.c 
b/src/libstrongswan/utils/utils.c -index 4e86165..40cb43d 100644 ---- a/src/libstrongswan/utils/utils.c -+++ b/src/libstrongswan/utils/utils.c -@@ -124,7 +124,10 @@ void wait_sigint() - sigaddset(&set, SIGTERM); - - sigprocmask(SIG_BLOCK, &set, NULL); -- sigwaitinfo(&set, NULL); -+ while (sigwaitinfo(&set, NULL) == -1 && errno == EINTR) -+ { -+ /* wait for signal */ -+ } - } - - #ifndef HAVE_SIGWAITINFO diff --git a/net/strongswan/patches/305-minimal_dh_plugin.patch b/net/strongswan/patches/305-minimal_dh_plugin.patch index d143c1610..e060ec36c 100644 --- a/net/strongswan/patches/305-minimal_dh_plugin.patch +++ b/net/strongswan/patches/305-minimal_dh_plugin.patch @@ -8,7 +8,7 @@ ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.]) ARG_ENABL_SET([md4], [enable MD4 software implementation plugin.]) ARG_DISBL_SET([md5], [disable MD5 software implementation plugin.]) -@@ -1310,6 +1311,7 @@ ADD_PLUGIN([gcrypt], [s ch +@@ -1312,6 +1313,7 @@ ADD_PLUGIN([gcrypt], [s ch ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) ADD_PLUGIN([fips-prf], [s charon nm cmd]) ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) 
@@ -16,16 +16,16 @@ ADD_PLUGIN([agent], [s charon nm cmd]) ADD_PLUGIN([keychain], [s charon cmd]) ADD_PLUGIN([chapoly], [s charon scripts nm cmd]) -@@ -1441,6 +1443,7 @@ AM_CONDITIONAL(USE_SHA1, test x$sha1 = x - AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue) +@@ -1444,6 +1446,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = x + AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue) AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue) AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) +AM_CONDITIONAL(USE_GMPDH, test x$gmpdh = xtrue) AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue) AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue) AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue) -@@ -1688,6 +1691,7 @@ AC_CONFIG_FILES([ - src/libstrongswan/plugins/sha2/Makefile +@@ -1692,6 +1695,7 @@ AC_CONFIG_FILES([ + src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile + src/libstrongswan/plugins/gmpdh/Makefile @@ -34,7 +34,7 @@ src/libstrongswan/plugins/random/Makefile --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am -@@ -295,6 +295,13 @@ if MONOLITHIC +@@ -303,6 +303,13 @@ if MONOLITHIC endif endif