[strongSwan] How to bypass the strongSwan's IPsec Linux kernel interface

Chinmaya Dwibedy ckdwibedy at yahoo.com
Fri Sep 6 09:45:50 CEST 2013


Hi All,
As I understand it, the libhydra library contains daemon-specific code and plugins
used by the Charon daemon. The kernel_ipsec_t structure is an interface to the
IPsec subsystem of the kernel. This interface handles the communication with
the kernel for SA and policy management, e.g. it adds an SA/SP to the SAD/SPD. It
communicates with the native IPsec stack of the Linux 2.6 kernel via a Netlink
socket which speaks the XFRM protocol. IPsec SAs can be inserted and deleted,
and status information on the active tunnels can be retrieved from the kernel,
which does the actual ESP encryption and decryption work.

During the IKEv2 Charon daemon initialization:
1) It calls the libhydra_init() function, which initializes the kernel
interfaces specific to 'starter' for the kernel.
2) It subscribes to XFRM events generated by the Linux kernel, which are
triggered by IPsec XFRM state limits and get processed in process_expire()
(defined in libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c).

I do have my own IPsec implementation (which will maintain the SAD & SPD, ESP
encryption and decryption, and authentication) and thus want to bypass the
following:
1) The Linux kernel-netlink plugin, which implements configuration and
management of IPsec policies and SAs via XFRM.
2) Installing, updating, querying and deleting IPsec policies and SAs in the
Linux kernel.

Do I just need to comment out all the hydra->kernel_interface function calls
and replace them with ours? Please suggest and correct me if I am wrong.

Thanks in advance for your support and response.
Regards,
Chinmaya
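The kernel_ipsec_t interface the post describes is the seam at which a different IPsec data path can be attached. Below is an added example, written for this page and not strongSwan code or the poster's code, that models the design in plain C: a kernel_ipsec_t struct of function pointers, a small registry that stores the constructor a plugin registers (in strongSwan the kernel-netlink plugin hands its constructor to the kernel interface in this way; the registry function name and the simplified method signatures here are assumptions, not strongSwan's headers), and a custom backend that keeps an in-memory SAD and SPD instead of speaking XFRM over Netlink. The daemon-side install routine goes only through the interface, so a different backend is selected by registering a different constructor rather than by editing the hydra->kernel_interface call sites. The addresses, traffic selectors and SPI in the code are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ESP_PROTO   50   /* IP protocol number of ESP */
#define MAX_ENTRIES 16

/* Reduced model of strongSwan's kernel_ipsec_t: function pointers the daemon calls for
 * SA/policy work (the real one has more: update_sa, query_sa, query_policy, flush_*, destroy). */
typedef struct kernel_ipsec_t kernel_ipsec_t;
struct kernel_ipsec_t {
    int (*add_sa)(kernel_ipsec_t *this, uint32_t spi, const char *dst, int proto);
    int (*del_sa)(kernel_ipsec_t *this, uint32_t spi, const char *dst, int proto);
    int (*add_policy)(kernel_ipsec_t *this, const char *src_ts, const char *dst_ts, uint32_t spi);
};
typedef kernel_ipsec_t *(*kernel_ipsec_constructor_t)(void);   /* what a plugin registers */

/* Custom backend: in-memory SAD and SPD in place of the XFRM/Netlink plugin. */
typedef struct { uint32_t spi; char dst[16]; int proto; int in_use; } sad_entry_t;
typedef struct { char src_ts[32]; char dst_ts[32]; uint32_t spi; int in_use; } spd_entry_t;
typedef struct {
    kernel_ipsec_t public;   /* first member, so the interface pointer casts back to the backend */
    sad_entry_t sad[MAX_ENTRIES];
    spd_entry_t spd[MAX_ENTRIES];
} custom_ipsec_t;
static custom_ipsec_t backend;   /* single instance; everything stored in it is constructed data */

static int find_sa(custom_ipsec_t *this, uint32_t spi, const char *dst, int proto) {
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (this->sad[i].in_use && this->sad[i].spi == spi && this->sad[i].proto == proto
            && (!dst || strcmp(this->sad[i].dst, dst) == 0)) return i;   /* dst NULL: any dst */
    return -1;
}

static int custom_add_sa(kernel_ipsec_t *iface, uint32_t spi, const char *dst, int proto) {
    custom_ipsec_t *this = (custom_ipsec_t *)iface;
    if (find_sa(this, spi, dst, proto) >= 0) return -1;   /* duplicate (spi, dst, proto): refuse */
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (this->sad[i].in_use) continue;
        this->sad[i].spi = spi; this->sad[i].proto = proto; this->sad[i].in_use = 1;
        snprintf(this->sad[i].dst, sizeof(this->sad[i].dst), "%s", dst);
        return 0;
    }
    return -1;   /* SAD full */
}

static int custom_del_sa(kernel_ipsec_t *iface, uint32_t spi, const char *dst, int proto) {
    custom_ipsec_t *this = (custom_ipsec_t *)iface;
    int i = find_sa(this, spi, dst, proto);
    if (i < 0) return -1;
    this->sad[i].in_use = 0;
    for (int j = 0; j < MAX_ENTRIES; j++)   /* drop policies bound to the removed SA */
        if (this->spd[j].in_use && this->spd[j].spi == spi) this->spd[j].in_use = 0;
    return 0;
}

static int custom_add_policy(kernel_ipsec_t *iface, const char *src_ts, const char *dst_ts, uint32_t spi) {
    custom_ipsec_t *this = (custom_ipsec_t *)iface;
    if (find_sa(this, spi, NULL, ESP_PROTO) < 0) return -1;   /* policy must reference an installed SA */
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (this->spd[i].in_use) continue;
        snprintf(this->spd[i].src_ts, sizeof(this->spd[i].src_ts), "%s", src_ts);
        snprintf(this->spd[i].dst_ts, sizeof(this->spd[i].dst_ts), "%s", dst_ts);
        this->spd[i].spi = spi; this->spd[i].in_use = 1;
        return 0;
    }
    return -1;   /* SPD full */
}

/* Constructor the custom plugin registers in place of the kernel-netlink one. */
kernel_ipsec_t *custom_ipsec_create(void) {
    memset(&backend, 0, sizeof(backend));
    backend.public.add_sa = custom_add_sa; backend.public.del_sa = custom_del_sa;
    backend.public.add_policy = custom_add_policy;
    return &backend.public;
}

/* Model of the kernel_interface registry (hypothetical names): backend resolved lazily. */
static kernel_ipsec_constructor_t registered_ctor;
static kernel_ipsec_t *active_ipsec;
void kernel_interface_add_ipsec_interface(kernel_ipsec_constructor_t ctor) { registered_ctor = ctor; active_ipsec = NULL; }
kernel_ipsec_t *kernel_interface_ipsec(void) {
    if (!active_ipsec && registered_ctor) active_ipsec = registered_ctor();
    return active_ipsec;
}

/* Daemon-side code: identical whichever backend was registered, so none of it is edited. */
int daemon_install_child_sa(uint32_t spi, const char *dst, const char *src_ts, const char *dst_ts) {
    kernel_ipsec_t *k = kernel_interface_ipsec();
    if (!k || k->add_sa(k, spi, dst, ESP_PROTO) != 0) return -1;
    if (k->add_policy(k, src_ts, dst_ts, spi) != 0) {
        k->del_sa(k, spi, dst, ESP_PROTO);   /* roll back: never leave an SA without its policy */
        return -1;
    }
    return 0;
}

int custom_sad_count(void) { int n = 0; for (int i = 0; i < MAX_ENTRIES; i++) n += backend.sad[i].in_use; return n; }
int custom_spd_count(void) { int n = 0; for (int i = 0; i < MAX_ENTRIES; i++) n += backend.spd[i].in_use; return n; }
```

Calling kernel_interface_add_ipsec_interface(custom_ipsec_create) once at startup and then daemon_install_child_sa(0xc0ffee, "192.0.2.1", "10.0.0.0/24", "10.0.1.0/24") populates the in-memory tables; a second identical install is refused as a duplicate SA, a policy naming an SPI with no SA is refused, and deleting the SA also removes the policies bound to it. Those three consistency checks are the ones a replacement SAD/SPD has to keep, since the daemon relies on the kernel side to refuse inconsistent state rather than verifying it itself.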