[strongSwan] kernel-libipsec charon plugin and Android VPN Client

Noel Kuntze noel at familie-kuntze.de
Wed Aug 3 23:06:44 CEST 2016

Hello Brian,

On 03.08.2016 22:51, Brian O'Connor wrote:
> Hello,
> I have recently been doing some tests with an Android tablet version of
> strongSwan.  It appears that the Android app uses the kernel-libipsec
> charon plugin to avoid limitations imposed by the app running in a very
> restricted user environment in the tablet.  My tablet is not rooted.
> What I am seeing on the tablet is that it uses routing table 60, creates
> interface tun0 and some routing policy database rules.  My tablet will
> not let me access the iptables or ip xfrm commands. This is why I
> suspect the Android strongSwan app, presumably running in a very
> tightly constrained userspace environment, uses the charon
> kernel-libipsec plugin. Is there a way to access iptables and ip  xfrm
> functionality on a non-rooted tablet?
No. libipsec works purely in the charon process (the app).
> Given my assumption above, is it correct that the libipsec plugin
> also does SNAT on outgoing encrypted packets?  The ip rule
> command shows 100: from all fwmark 0x3c lookup 60.
No. It gets packets from the tun device and handles them according to the policies and states,
then sends them out of the socket that is also used to send the IKE packets.

> The kernel netfilter packet flow diagram at [1] documents how
> IPSec interacts with the xfrm process for IPSec encapsulation
> and decapsulation, and iptables for SNAT.  Is there a diagram
> somewhere that shows how the charon kernel-libipsec plugin
> interacts  with diagram [1], please?  I sort of expect the charon
> plugin operates entirely in the application layer, forward path,
> local process, part of this diagram and that it also performs SNAT.
The app (and hence libipsec, too) are simple applications.
> If not, how does a non-rooted Android tablet that cannot use
> iptables to do SNAT and the xfrm process for IPSec processing
> operate, please?
It doesn't do SNAT. The routing table chooses the correct source IP.
No SNAT needed. XFRM is also not needed, because IPsec processing is done in the application itself.

> I am not a programmer and have not been able to find much on
> the inner workings of the charon plugin.
>  [1]  inai.de/images/nf-packet-flow.png <http://inai.de/images/nf-packet-flow.png>
> Regards,
> Brian
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160803/8c5a027d/attachment.sig>

More information about the Users mailing list