[strongSwan] Path of Execution

Martin Willi martin at strongswan.org
Mon Jul 16 09:34:00 CEST 2012

Hi Chris,

> So over the past few weeks, I've been perusing through the StrongSwan
> source, trying to get a better understanding of how a packet actually
> gets encrypted, and then transmitted.

> As of now, I'm only concerned with ESP.

As Nagaraj already said, strongSwan itself does not process ESP packets.
It negotiates security associations and installs them in the kernel. On
Linux, this is usually done with Netlink. The XFRM framework in the
kernel processes ESP packets, as explained by Nagaraj.

> I'm still working in a *BSD environment

On BSD, the configuration is done using the PF_KEY interface. The ESP
packet processing takes place completely in the kernel, but I don't know
much about the inner workings of the BSD networking stacks.

> - What libraries are called first to initiate encryption?
> - In BSD, Kernel-Pfkey is responsible for interfacing with the kernel,
> but where are the calls to kernel level encryption functions?

Probably depends on your *BSD, but it is all handled in the kernel. To
understand the in-kernel packet flow of *BSD, they probably can help you
better on their mailing list.

Kind regards
