[strongSwan] data path in strongswan android

Ravi Kanth Vanapalli vvnrk.vanapalli at gmail.com
Fri Dec 12 23:04:10 CET 2014

Dear Noel,

  Thank you for your reply. I went through the plugin code.
  I see that file kernel_libipsec_router.c  is handling the user space
plain text packets being written to the tunneling interface.
  line 176 of the above file, would queue the plain text packets for
further ESP encryption.

   Any input at what point, the packet is removed from the 'queue_outbound'
and processed would be really appreciated.

  So from what I see, all the ESP encryption/decryption is done on the user
space with your implementation of  'src/libipsec'   encryption libraries.
Also kernel-libipsec plugin implementation is from strongswan source and
not provided by standard linux kernel on android.     Kindly confirm if
this understanding is correct..

Also, is there any option available to disable this.kernel-libipsec in
androdi and start using 'ip xfrm'. ?? In my case, I was planning to run
charon daemon as a system daemon.


From: Noel Kuntze <noel at familie-kuntze.de>
Date: Fri, Dec 12, 2014 at 4:15 PM
Subject: Re: [strongSwan] data path in strongswan android
To: users at lists.strongswan.org

Hash: SHA256

Hello Ravi,

StrongSwan on Android uses a tun device and libipsec to make the tunnel
usable and do the en- and decryption
of esp and espinudp packets. Look at the libipsec code to find out how it
does it.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On Fri, Dec 12, 2014 at 4:10 PM, Ravi Kanth Vanapalli <
vvnrk.vanapalli at gmail.com> wrote:
> Dear all,
>   How is the data path handled by charon daemon in android.   Strongswan
> VPN android can also be installed on the user binary.
> i) How would a user space application without root access, have access to
> installing kernel rules for doing ESP encryption or decryption. I am
> assuming strongswan android uses  linux 'ip xfrm' for doing
> encryption/decryption .
> ii)    I have a samsung phone. Using Basic VPN I connected to my corporate
> network.
>  I ran the commands 'ip -s xfrm state' and 'ip -s xfrm policy'   from adb
> shell. I see no rules in place.
>   Which portion of code handles ESP encryption/decrytpion in android.
>   When i capture the pcap traces on all interfaces, I see ESP packets
> being sent/received. ?
>   Does charon perform the ESP encryption/decryption.  I see a tunneling
> interface 'ipsec0' being created in this case.
> --
> Regards,
> RaviKanth
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141212/01bbe2a1/attachment.html>

More information about the Users mailing list