strongSwan Architecture
History
The IKEv1 part of strongSwan is a fork from the discontinued FreeS/WAN project. The keying daemon pluto has been extended by the strongSwan project in the 2.x series.
When development of IKEv2 started, integrating the new protocol into pluto was considered too complicated, so a new daemon was built from scratch. Some code was borrowed from pluto, but the design is fundamentally new: charon is multithreaded and uses object-oriented design principles, yet is still written in plain C.
The 4.0.x releases contained both daemons, but 4.0.x was the unstable branch; 4.x became the default stable branch with the release of 4.1.0.
Current Design
IKEv1 and IKEv2 are handled by different keying daemons. IKEv1 is still handled entirely by pluto, as it always has been. IKEv2 is handled by the new keying daemon, charon.
Daemon control is done over Unix sockets. pluto uses whack, as it has for years. charon uses a different socket interface called stroke. Stroke uses a different message format than whack and is therefore not compatible with it. The starter utility, which does fast configuration parsing, speaks both protocols, whack and stroke. It also handles daemon startup and termination.
pluto uses starter for some commands and the whack utility for others. To stay as close to pluto as possible, charon uses the same split of commands between starter and stroke. All commands are wrapped together in the ipsec script, which allows transparent control of both daemons.
+-----------------------------------------+
|                  ipsec                  |
+-----+--------------+---------------+----+
      |              |               |
      |              |               |
      |         +-----+-----+        |
 +-----+----+   |           |   +-----+----+
 |          |   |  starter  |   |          |
 |  stroke  |   |           |   |  whack   |
 |          |   +---+--+----+   |          |
 +------+---+       |  |        +--+-------+
        |           |  |           |
    +---+------+    |  |    +------+--+
    |          |    |  |    |         |
    |  charon  +----+  +----+  pluto  |
    |          |            |         |
    +-----+----+            +----+----+
          |                      |
    +-----+----+                 |
    |   LSF    |                 |
    +-----+----+                 |
          |                      |
    +-----+----+            +----+----+
    | RAW Sock |            | UDP/500 |
    +----------+            +---------+
Since IKEv2 uses the same port as IKEv1, both daemons must listen on UDP port 500. Under Linux there is no clean way to bind two sockets to the same port. To resolve this, charon uses a RAW socket, as network sniffers do. An installed Linux Socket Filter (LSF) filters out all non-IKEv2 traffic. pluto still receives every IKE message, regardless of what charon does, so pluto's behaviour was changed to silently discard any IKEv2 traffic.
Future Development
The current design has some disadvantages. While we managed to achieve good integration at the user-facing level, internals are implemented twice, configuration is stored in two daemons, and communication between them is currently not possible (e.g. for version negotiation).
As adoption of IKEv2 is rather slow, porting the IKEv1 functionality into the new daemon seems reasonable. This would simplify extensions usable by both protocols.