
How does IKEv2 work on Android without raw sockets?


I was exploring the IKEv2 strongSwan client implementation for Android. What I fail to understand is that Android and Java do not support raw sockets, whilst IKEv2 / IPsec works below the transport layer, which seems counter-intuitive. How exactly does the communication happen after the CHILD_SA, aka IPsec SA, is established?

References:

  1. The official documentation for the IKE charon keying daemon does mention the use of a socket in the architecture diagram, but I was unable to find any further reference to it.
  2. I'm aware of the fact that strongSwan's Android client uses a user-space IPsec implementation, libipsec, but again, how does libipsec communicate without raw sockets?

Any help to fill the gap in my understanding is much appreciated!


Solution

  • The client only supports UDP-encapsulated ESP. These packets are sent/received over the same UDP sockets that are already used for IKEv2. This limitation is mentioned on the app's wiki page.
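
How one UDP socket can carry both IKE and ESP, as an added example that is not part of the original answer and is not strongSwan's code: it classifies datagram payloads using the framing RFC 3948 defines for UDP-encapsulated ESP. The names `natt_classify`, `natt_info` and `natt_kind` are hypothetical, and the sample packet is constructed.

```c
/* Added example: demultiplexing per RFC 3948; not strongSwan code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum natt_kind { NATT_INVALID, NATT_KEEPALIVE, NATT_IKE, NATT_ESP };

struct natt_info {
    enum natt_kind kind;
    uint32_t spi;    /* ESP SPI (NATT_ESP only) */
    uint32_t seq;    /* ESP sequence number (NATT_ESP only) */
    size_t offset;   /* start of the IKE message or of the ESP payload data */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify the payload of one datagram read from the shared UDP socket. */
struct natt_info natt_classify(const uint8_t *buf, size_t len)
{
    struct natt_info info = { NATT_INVALID, 0, 0, 0 };

    if (len == 1 && buf[0] == 0xFF) {
        info.kind = NATT_KEEPALIVE;          /* one 0xFF byte keeps NAT state alive */
    } else if (len >= 4 && be32(buf) == 0) {
        if (len >= 4 + 28) {                 /* non-ESP marker + 28-byte IKE header */
            info.kind = NATT_IKE;
            info.offset = 4;
        }
    } else if (len > 8) {                    /* SPI + sequence number + some payload */
        info.kind = NATT_ESP;
        info.spi = be32(buf);
        info.seq = be32(buf + 4);
        info.offset = 8;
    }
    return info;
}

int main(void)
{
    /* Constructed sample: SPI 0xc0ffee01, sequence 7, 4 dummy payload bytes. */
    const uint8_t esp[] = { 0xc0, 0xff, 0xee, 0x01, 0, 0, 0, 7, 1, 2, 3, 4 };
    struct natt_info i = natt_classify(esp, sizeof esp);
    printf("kind=%d spi=0x%08x seq=%u\n", i.kind, (unsigned)i.spi, (unsigned)i.seq);
    return 0;
}
```

Because the first four bytes of an ESP packet are its SPI and an SPI of zero is never assigned to an SA, four zero bytes unambiguously mark an IKE message, so no raw socket is needed to tell the two apart.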