kernel-libipsec plugin » History » Version 2

Tobias Brunner, 14.08.2013 14:17

h1. kernel-libipsec plugin

The _kernel-libipsec_ plugin provides an IPsec backend that works entirely in userland, using TUN devices and our own IPsec implementation _libipsec_ (source:src/libipsec).

The other two kernel interfaces, _kernel-netlink_ (the default) and _kernel-pfkey_, install IPsec SAs in the operating system's IPsec stack. This plugin provides an alternative, for instance, if the OS implementation does not support a required algorithm (e.g. AES-GCM on Mac OS X).

To enable the plugin, add
<pre>--enable-kernel-libipsec</pre> to the [[InstallationDocumentation|./configure options]].

A network kernel backend is still required, so either the _kernel-netlink_ or the _kernel-pfroute_ plugin has to be enabled too.

It is available since [[5.1.0]].

h2. Behavior

With the plugin enabled, a TUN device is created on startup that is used to handle cleartext traffic from and to the host. For each IPsec SA, routes are installed that direct traffic to the TUN device; from there the plugin reads the cleartext packets and encrypts them via _libipsec_. The resulting ESP packets are sent over the UDP sockets the daemon uses for IKE traffic, which is why *the plugin currently only works with UDP encapsulation (NAT-T) enabled*. Encapsulated ESP packets that are received on the daemon's UDP socket are decrypted by _libipsec_ and then injected via the TUN device.
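
Why ESP and IKE can share the daemon's UDP socket, as an added example that is not strongSwan or libipsec code: the RFC 3948 rule by which datagrams on a NAT-T (UDP/4500) socket are told apart, namely IKE behind a four-byte zero non-ESP marker, ESP by its non-zero SPI, and the one-byte NAT keepalive. The helper name and the sample datagrams are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: IKE on UDP/4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte NAT keepalive
ESP_HDR_LEN = 8                       # SPI (4 bytes) + sequence number (4 bytes)

@dataclass
class Datagram:
    kind: str               # "ike", "esp" or "keepalive"
    spi: Optional[int]      # ESP SPI, None for non-ESP datagrams
    seq: Optional[int]      # ESP sequence number, None for non-ESP datagrams
    payload: bytes          # IKE message, or ESP data following the SPI/seq header

def classify_nat_t_datagram(data: bytes) -> Datagram:
    """Decide whether one datagram from the NAT-T socket is IKE, ESP or keepalive.

    Hypothetical helper for this example: it applies the RFC 3948 demultiplexing
    rule that lets a daemon carry ESP on the same UDP socket as IKE.
    """
    if data == NAT_KEEPALIVE:
        return Datagram("keepalive", None, None, b"")
    if len(data) < ESP_HDR_LEN:
        raise ValueError("datagram too short to be ESP or IKE")
    if data[:4] == NON_ESP_MARKER:
        # SPI 0 is reserved (RFC 4303) and never sent on the wire, so four zero
        # bytes can only be the non-ESP marker in front of an IKE message.
        return Datagram("ike", None, None, data[4:])
    spi, seq = struct.unpack("!II", data[:ESP_HDR_LEN])
    return Datagram("esp", spi, seq, data[ESP_HDR_LEN:])

# Constructed sample datagrams (not captured from a real peer).
# Minimal IKEv2 header: initiator SPI, responder SPI, next payload (SA=33),
# version 2.0, exchange IKE_SA_INIT (34), flags (initiator), message ID, length.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack("!QQBBBBII", 0x0123456789ABCDEF, 0, 33, 0x20, 34, 0x08, 0, 28)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 24  # SPI, seq, opaque ciphertext
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for name, d in (("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP), ("keepalive", SAMPLE_KEEPALIVE)):
        dg = classify_nat_t_datagram(d)
        print(f"{name:10s} -> {dg.kind:10s} spi={dg.spi}")
```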

On systems that use the _kernel-pfroute_ plugin ([[FreeBSD]], [[MacOSX|Mac OS X]]), a separate TUN device is created for each [[VirtualIP|virtual IP]]; on Linux this is not required.