kernel-libipsec plugin » History » Version 1

Version 1/7 - Next » - Current version
Tobias Brunner, 12.08.2013 18:43

kernel-libipsec plugin

The kernel-libipsec plugin provides an IPsec backend that works entirely in userland, using TUN devices and our own IPsec implementation libipsec (source:src/libipsec).

Both other kernel interfaces, kernel-netlink (the default) and kernel-pfkey, install IPsec SAs in the operating system's IPsec stack. This plugin provides an alternative, for instance, if the OS implementation does not support a required algorithm (e.g. AES-GCM on Mac OS X).

To enable the plugin, add

to the ./configure options.

It is available since 5.1.0.


With the plugin enabled a TUN device is created on startup that will be used to handle cleartext traffic from and to the host. For each IPsec SA routes get installed that direct traffic to the TUN device, from there the plugin reads the cleartext packets and encrypts them via libipsec. The resulting ESP packets will be sent over the UDP sockets the daemon uses for IKE traffic, which is why the plugin currently only works with UDP encapsulation (NAT-T) enabled. Encapsulated ESP packets that are received on the daemon's UDP socket are decrypted by libipsec and then injected via TUN device.

On systems that use the kernel-pfroute plugin (FreeBSD, Mac OS X) a separate TUN device will be created for each virtual IP, on Linux this is not required.