[strongSwan] libipsec design decision - using NFQUEUE vs virtual interfaces

Plevin phlevin at runbox.com
Thu Jul 7 14:32:30 CEST 2016


I have a need for a userspace IPsec stack along with strongSwan (IKEv2) for keying. While examining the libipsec implementation, I became curious about the decision to use virtual interfaces vs. using kernel mechanisms such as Netfilter and Netfilter Queues to divert traffic to a userspace IPsec datapath stack.

No doubt I'm unaware of some of the design constraints, so to simplify the question, I'd ask:

   "Is there any reason one should *not* implement a userspace IPsec stack using Netfilter and NFQUEUEs in combination with strongSwan?"

Thank you in advance.
