kernel-libipsec plugin
The kernel-libipsec plugin provides an IPsec backend that works entirely in userland, using TUN devices and our own IPsec implementation libipsec (source:src/libipsec).
The two other kernel interfaces, kernel-netlink (the default) and kernel-pfkey, install IPsec SAs in the operating system's IPsec stack. This plugin provides an alternative, for instance when the OS implementation does not support a required algorithm (e.g. AES-GCM on Mac OS X).
To enable the plugin, add --enable-kernel-libipsec to the ./configure options.
It is available since 5.1.0.
With the plugin enabled, a TUN device is created on startup that is used to handle cleartext traffic from and to the host. For each IPsec SA, routes are installed that direct traffic to the TUN device; from there the plugin reads the cleartext packets and encrypts them via libipsec. The resulting ESP packets are sent over the UDP sockets the daemon uses for IKE traffic, which is why the plugin currently only works with UDP encapsulation (NAT-T) enabled. Encapsulated ESP packets received on the daemon's UDP socket are decrypted by libipsec and then injected via the TUN device.
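The demultiplexing this design relies on, as an added example that is not strongSwan's own code: with UDP encapsulation (RFC 3948), IKE messages on the NAT-T port carry a four-byte zero "non-ESP marker", ESP packets start with a non-zero SPI, and a single 0xFF byte is a NAT keepalive, so one UDP socket can carry IKE and ESP side by side. The function names and sample datagrams below are constructed for this illustration.

```python
import struct

# RFC 3948: IKE on the NAT-T port is prefixed with 4 zero bytes; ESP is not,
# and a valid ESP SPI is never zero, so the first 4 bytes disambiguate.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def encap_ike(ike_msg: bytes) -> bytes:
    """Frame an IKE message for the NAT-T UDP socket (marker + message)."""
    return NON_ESP_MARKER + ike_msg


def encap_esp(esp_packet: bytes) -> bytes:
    """ESP is sent as-is; the receiver tells it apart by its non-zero SPI."""
    if len(esp_packet) < 8 or esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("ESP packet must start with a non-zero SPI")
    return esp_packet


def classify_udp_encap(payload: bytes) -> dict:
    """Classify a datagram received on the shared IKE/ESP UDP socket.

    Returns {'kind': 'keepalive' | 'ike' | 'esp' | 'invalid', ...}; for ESP
    the SPI and sequence number are parsed from the 8-byte ESP header so a
    receiver can look up the SA before handing the packet to the decryptor.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 4:
        return {"kind": "invalid"}
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike": payload[4:]}
    if len(payload) < 8:
        # Too short to hold SPI + sequence number: drop rather than guess.
        return {"kind": "invalid"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "esp": payload}


if __name__ == "__main__":
    # Constructed sample datagrams, not real captures.
    for dgram in (NAT_KEEPALIVE,
                  encap_ike(b"\x01" * 28),
                  encap_esp(b"\xc0\x00\x00\x01\x00\x00\x00\x05" + b"\xaa" * 16)):
        print(classify_udp_encap(dgram)["kind"])
```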