kernel-libipsec plugin » History » Version 2

Version 1 (Tobias Brunner, 12.08.2013 18:43) → Version 2/7 (Tobias Brunner, 14.08.2013 14:17)

h1. kernel-libipsec plugin

The _kernel-libipsec_ plugin provides an IPsec backend that works entirely in userland, using TUN devices and our own IPsec implementation _libipsec_ (source:src/libipsec).

Both other kernel interfaces, _kernel-netlink_ (the default) and _kernel-pfkey_, install IPsec SAs in the operating system's IPsec stack. This plugin provides an alternative, for instance, if the OS implementation does not support a required algorithm (e.g. AES-GCM on Mac OS X).

To enable the plugin, add
<pre>--enable-kernel-libipsec</pre> to the [[InstallationDocumentation|./configure options]].

A network kernel backend is still required, so either the _kernel-netlink_ or the _kernel-pfroute_ plugin has to be enabled too.

It is available since [[5.1.0]].

h2. Behavior

With the plugin enabled a TUN device is created on startup that will be used to handle cleartext traffic from and to the host. For each IPsec SA routes get installed that direct traffic to the TUN device, from there the plugin reads the cleartext packets and encrypts them via _libipsec_. The resulting ESP packets will be sent over the UDP sockets the daemon uses for IKE traffic, which is why *the plugin currently only works with UDP encapsulation (NAT-T) enabled*. Encapsulated ESP packets that are received on the daemon's UDP socket are decrypted by _libipsec_ and then injected via TUN device.

On systems that use the _kernel-pfroute_ plugin ([[FreeBSD]], [[MacOSX|Mac OS X]]) a separate TUN device will be created for each [[VirtualIP|virtual IP]], on Linux this is not required.