How does IKEv2 work on Android without raw sockets

I was exploring the IKEv2 StrongSwan client implementation for Android. What I fail to understand is that Android and Java do not support raw sockets, whilst the IKEv2 / IPSec works below Transport layer, which seems counter-intuitive. How exactly does the communication happen after the CHILD_SA aka IPSec SA is established?

References:

1. The official documentation for IKE Charon keying daemon does mention the use of socket in the architecture diagram, but I was unable to find any further reference to it.
2. I'm aware of the fact that StrongSwan's Android client uses a user-space implementation of libipsec, but again how does libipsec communicate without raw sockets?

Any help to fill the gap in my understanding is much appreciated!

The client only supports UDP-encapsulated ESP. These packets are sent/received over the same UDP sockets that are already used for IKEv2. This limitation is mentioned on the app's wiki page.