[strongSwan-dev] StrongSwan Implementation Modification

Nasir Bhutta mnmbhutta1 at gmail.com
Wed May 2 11:27:58 CEST 2012

Thanks Martin for your response. That will save lot of time for us.

Just one short question, Does all the open source IPsec
implementations have the same behaviour that ESP processing and SPD
are maintained in Linux kernel ? .

with thanks

kind regards,

On Wed, May 2, 2012 at 9:39 AM, Martin Willi <martin at strongswan.org> wrote:
> Hello Nasir,
>> 1- Security Policy Database: We want to modify the classes who access
>> the database to reflect our own changes in the database.
>> 2- ESP Header: We need to modify the ESP header.
>> 3- We also need to modify the inbound and outbound processing as needed.
> strongSwan itself provides the userland parts of the IPsec key exchange
> (IKEv1 and IKEv2), but does not process the ESP packets nor maintain a
> SPD.
> These parts are usually handled by the (Linux) kernel. Using the Netkey
> IPsec stack, this is done by XFRM (see net/xfrm/ in the Linux sources).
> Unfortunately there is not much documentation, so you should start
> having a look at these sources.
> Regards
> Martin

More information about the Dev mailing list