[strongSwan] kernel-libipsec charon plugin and Android VPN Client

Brian O'Connor vk4gtw at bigpond.com
Wed Aug 3 22:51:39 CEST 2016


I have recently been doing some tests with an Android tablet version of
strongSwan.  It appears that the Android app uses the kernel-libipsec
charon plugin to avoid limitations imposed by the app running in a very
restricted user environment in the tablet.  My tablet is not rooted.

What I am seeing on the tablet is that it uses routing table 60, creates
interface tun0 and some routing policy database rules.  My tablet will
not let me access the iptables or ip xfrm commands. This is why I
suspect the Android strongSwan app, presumably running in a very
tightly constrained userspace environment, uses the charon
kernel-libipsec plugin. Is there a way to access iptables and ip xfrm
functionality on a non-rooted tablet?

Given my assumption above, is it correct that the libipsec plugin
also does SNAT on outgoing encrypted packets?  The ip rule
command shows 100: from all fwmark 0x3c lookup 60.

The kernel netfilter packet flow diagram at [1] documents how
IPSec interacts with the xfrm process for IPSec encapsulation
and decapsulation, and iptables for SNAT.  Is there a diagram
somewhere that shows how the charon kernel-libipsec plugin
interacts with diagram [1], please?  I sort of expect the charon
plugin operates entirely in the application layer, forward path,
local process, part of this diagram and that it also performs SNAT.

If not, how does a non-rooted Android tablet that cannot use
iptables to do SNAT and the xfrm process for IPSec processing
operate, please?

I am not a programmer and have not been able to find much on
the inner workings of the charon plugin.

[1] http://inai.de/images/nf-packet-flow.png

