[strongSwan] Path of Execution

Shukla, Sanjay Sanjay.Shukla at ipc.com
Wed Jul 18 06:08:11 CEST 2012

Are there parameters for debugging and tuning the XFRM framework?



-----Original Message-----
From: users-bounces+sanjay.shukla=ipc.com at lists.strongswan.org [mailto:users-bounces+sanjay.shukla=ipc.com at lists.strongswan.org] On Behalf Of Martin Willi
Sent: Monday, July 16, 2012 3:34 AM
To: Chris Rogers
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Path of Execution

Hi Chris,

> So over the past few weeks, I've been perusing through the StrongSwan
> source, trying to get a better understanding of how a packet actually
> gets encrypted, and then transmitted.

> As of now, I'm only concerned with ESP.

As Nagaraj already said, strongSwan itself does not process ESP packets.
It negotiates security associations and installs them in the kernel. On Linux, this is usually done with Netlink. The XFRM framework in the kernel processes ESP packets, as explained by Nagaraj.

> I'm still working in a *BSD environment

On BSD, the configuration is done using the PF_KEY interface. The ESP packet processing takes place completely in the kernel, but I don't know much about the inner workings of the BSD networking stacks.

> - What libraries are called first to initiate encryption?
> - In BSD, Kernel-Pfkey is responsible for interfacing with the kernel,
> but where are the calls to kernel level encryption functions?

Probably depends on your *BSD, but it is all handled in the kernel. To understand the in-kernel packet flow of *BSD, they probably can help you better on their mailing list.

Kind regards
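
Added example, not part of the original messages: Martin's reply says the negotiated SAs are installed in the kernel, where XFRM handles ESP. The sketch below lists those kernel ESP SAs from `ip xfrm state` output with the key material left out, so the listing can be shared while debugging. The function names and the sample (addresses, SPIs, keys) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise kernel ESP SAs from `ip xfrm state` text, omitting keys.

# Constructed sample of `ip xfrm state` output (addresses, SPIs and keys are made up).
sample_xfrm_state() {
    cat <<'EOF'
src 192.0.2.1 dst 198.51.100.2
    proto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 96
    enc cbc(aes) 0x00112233445566778899aabbccddeeff
src 203.0.113.7 dst 192.0.2.1
    proto esp spi 0xc5d6e7f8 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
src 192.0.2.1 dst 198.51.100.2
    proto ah spi 0x0000a001 reqid 2 mode transport
    replay-window 32
    auth-trunc hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 96
EOF
}

# Reads `ip xfrm state` text on stdin; prints one line per ESP SA, without key material.
xfrm_esp_summary() {
    awk '
        function emit() {
            if (proto == "esp")
                printf "%s -> %s spi=%s mode=%s enc=%s auth=%s\n", src, dst, spi, mode, enc, auth
        }
        # A "src A dst B" line starts a new SA (the selector line begins with "sel").
        $1 == "src" && $3 == "dst" {
            emit()
            src = $2; dst = $4; proto = spi = mode = ""; enc = auth = "none"
            next
        }
        # "proto esp spi 0x... reqid N mode tunnel": key/value pairs follow the protocol.
        $1 == "proto" {
            proto = $2
            for (i = 3; i < NF; i += 2) {
                if ($i == "spi") spi = $(i + 1)
                if ($i == "mode") mode = $(i + 1)
            }
            next
        }
        # Keep only the algorithm name ($2); the key is $3 and is never printed.
        $1 == "enc" || $1 == "aead" { enc = $2; next }
        $1 == "auth" || $1 == "auth-trunc" { auth = $2; next }
        END { emit() }
    '
}

# Offline demo on the sample; on a live gateway (root): ip xfrm state | xfrm_esp_summary
sample_xfrm_state | xfrm_esp_summary
```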
