kernel-libipsec plugin » History » Version 1
Tobias Brunner, 12.08.2013 18:43
h1. kernel-libipsec plugin

The _kernel-libipsec_ plugin provides an IPsec backend that works entirely in userland, using TUN devices and our own IPsec implementation _libipsec_ (source:src/libipsec).

The two other kernel interfaces, _kernel-netlink_ (the default) and _kernel-pfkey_, install IPsec SAs in the operating system's IPsec stack. This plugin is an alternative for cases where the OS implementation does not support a required algorithm (e.g. AES-GCM on Mac OS X).

To enable the plugin, add
<pre>--enable-kernel-libipsec</pre> to the [[InstallationDocumentation|./configure options]].

It is available since [[5.1.0]].
11 | 1 | Tobias Brunner | |
h2. Behavior

With the plugin enabled, a TUN device is created on startup and used to handle cleartext traffic from and to the host. For each IPsec SA, routes are installed that direct the matching cleartext traffic to the TUN device; the plugin reads those packets from the device and encrypts them via _libipsec_. The resulting ESP packets are sent over the same UDP sockets the daemon uses for IKE traffic, which is why *the plugin currently only works with UDP encapsulation (NAT-T) enabled*. Encapsulated ESP packets received on the daemon's UDP socket are decrypted by _libipsec_ and the cleartext is injected into the TUN device.
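
Sharing the IKE socket for ESP only works because the three kinds of datagram that arrive on UDP port 4500 can be told apart by their first bytes: IKE messages carry a four-zero-byte non-ESP marker (RFC 3948, RFC 7296), NAT-T keepalives are a single 0xFF byte, and everything else is ESP with a non-zero SPI. The following is an added example written for this page, not strongSwan or _libipsec_ code; it demultiplexes constructed sample datagrams the way a userland receiver has to, and sketches the per-SA anti-replay window (RFC 4303 section 3.4.3) that a userland stack must implement itself, since the kernel is not doing it for these SAs. Decryption is left out; _libipsec_ would perform it after this step.

```python
"""UDP-encapsulated ESP on the IKE socket (added illustration, not libipsec code).

Framing per RFC 3948 (ESP in UDP) and RFC 3947 / RFC 7296 (non-ESP marker on
port 4500). Sample datagrams below are constructed inline.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"     # IKE on UDP/4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                  # NAT-T keepalive is a single 0xFF byte
IKE_HEADER = struct.Struct(">QQBBBBII")  # iSPI, rSPI, next payload, version, exchange, flags, msgid, length
ESP_HEADER = struct.Struct(">II")        # SPI, sequence number


def frame_ike(ike_message: bytes) -> bytes:
    """Sender side: an IKE message as it goes onto the port-4500 socket."""
    return NON_ESP_MARKER + ike_message


def frame_esp(spi: int, seq: int, encrypted_body: bytes) -> bytes:
    """Sender side: ESP header plus an (already encrypted) body, as sent over UDP."""
    if not 0 < spi < 2 ** 32:
        raise ValueError("ESP SPI must be non-zero (0 is reserved)")
    return ESP_HEADER.pack(spi, seq) + encrypted_body


def classify_udp4500(payload: bytes) -> dict:
    """Receiver side: decide what arrived on the shared UDP/4500 socket.

    The one-byte keepalive is checked first so nothing tries to read a 4-byte
    SPI from it; an ESP SPI of 0 is reserved, so the all-zero non-ESP marker can
    never be mistaken for a real ESP packet.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            raise ValueError("truncated IKE header")
        ispi, rspi, _nxt, version, exch, _flags, msgid, length = IKE_HEADER.unpack_from(ike)
        if length != len(ike):
            raise ValueError("IKE length field %d != datagram length %d" % (length, len(ike)))
        return {"kind": "ike", "ispi": ispi, "rspi": rspi, "major": version >> 4,
                "exchange": exch, "msgid": msgid}
    if len(payload) < ESP_HEADER.size:
        raise ValueError("datagram too short for ESP")
    spi, seq = ESP_HEADER.unpack_from(payload)
    if spi == 0:
        raise ValueError("ESP SPI 0 is reserved")
    return {"kind": "esp", "spi": spi, "seq": seq, "body": payload[ESP_HEADER.size:]}


class ReplayWindow:
    """Sliding anti-replay window for one inbound SA (RFC 4303 section 3.4.3).

    64-packet window over 32-bit sequence numbers. In a real receiver the
    window is only updated after the packet's ICV has been verified.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                       # sequence number 0 is never valid
        if seq > self.highest:                 # advances the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                       # replay
        self.bitmap |= 1 << offset
        return True


def process_datagrams(datagrams, windows=None) -> list:
    """Classify each received datagram; ESP additionally passes the per-SPI replay
    check. Returns (kind, accepted) per datagram."""
    windows = {} if windows is None else windows
    results = []
    for d in datagrams:
        info = classify_udp4500(d)
        if info["kind"] != "esp":
            results.append((info["kind"], True))
            continue
        win = windows.setdefault(info["spi"], ReplayWindow())
        results.append(("esp", win.check_and_update(info["seq"])))
    return results


# Constructed sample traffic as a NAT-T peer would send it to UDP/4500:
# keepalive, an IKE_SA_INIT request (exchange 34, next payload SA=33, IKEv2,
# initiator flag), two ESP packets on SPI 0xC0FFEE, then a replay of the first.
SAMPLE = [
    NAT_KEEPALIVE,
    frame_ike(IKE_HEADER.pack(0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER.size)),
    frame_esp(0xC0FFEE, 1, b"\xaa" * 16),
    frame_esp(0xC0FFEE, 2, b"\xbb" * 16),
    frame_esp(0xC0FFEE, 1, b"\xaa" * 16),   # replay: must be dropped
]

if __name__ == "__main__":
    for kind, ok in process_datagrams(SAMPLE):
        print(kind, "accepted" if ok else "dropped")
```

The ESP body here is opaque: with AES-GCM, as mentioned above for Mac OS X, the IV, ciphertext and ICV follow the 8-byte header, and the header is authenticated as associated data, which is why the SPI and sequence number can be read before, but must be trusted only after, the ICV check.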
15 | 1 | Tobias Brunner | |
On systems that use the _kernel-pfroute_ plugin ([[FreeBSD]], [[MacOSX|Mac OS X]]) a separate TUN device is created for each [[VirtualIP|virtual IP]]; on Linux this is not required.