Understanding IKEv2 Communication on Android Without Raw Sockets
I was exploring the IKEv2 StrongSwan client implementation for Android. What I fail to understand is that Android and Java do not support raw sockets, whilst the IKEv2/IPSec works below the transport layer, which seems counter-intuitive. How exactly does the communication happen after the CHILD_SA aka IPSec SA is established?
References:
- The official documentation for IKE Charon keying daemon does mention the use of ‘socket’ in the architecture diagram, but I was unable to find any further reference to it.
- I’m aware of the fact that StrongSwan’s Android client uses a user-space implementation of libipsec, but again how does libipsec communicate without raw sockets?
Answer:
The client only supports UDP-encapsulated ESP. These packets are sent/received over the same UDP sockets that are already used for IKEv2. This limitation is mentioned on the app’s wiki page.
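To make the answer concrete, here is an added example (not code from strongSwan, libipsec or the app) of the demultiplexing an endpoint has to do on that single UDP socket: it assumes the RFC 3948 NAT-T encoding on UDP/4500, where IKE messages are prefixed with a 4-byte all-zero "non-ESP marker", a lone 0xFF byte is a NAT keepalive, and everything else is UDP-encapsulated ESP beginning with its SPI and sequence number. The sample datagrams, the SPI values and the simplified anti-replay window are constructed for illustration; the window follows the RFC 4303 bitmap scheme in outline only.

```python
"""Classify and screen datagrams arriving on the shared IKE/ESP UDP socket.

Added example, not strongSwan/libipsec code. Assumes RFC 3948 framing on
UDP/4500 and the RFC 7296 IKEv2 header layout. All sample data is constructed.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"          # prefix that marks an IKE message on UDP/4500
NAT_KEEPALIVE = b"\xff"                       # single-byte NAT keepalive
IKE_HEADER = struct.Struct("!QQBBBBII")       # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20


def classify_udp4500(payload: bytes) -> dict:
    """Tell IKE, ESP and keepalive traffic apart and parse the outer header of each."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "ike", "error": "truncated IKE header"}
        spi_i, spi_r, _next, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(ike)
        info = {
            "kind": "ike",
            "spi_i": spi_i,
            "spi_r": spi_r,
            "version": f"{version >> 4}.{version & 0x0F}",
            "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "initiator": bool(flags & FLAG_INITIATOR),
            "response": bool(flags & FLAG_RESPONSE),
            "msg_id": msg_id,
        }
        if length != len(ike):
            info["error"] = f"declared length {length} != actual {len(ike)}"
        return info
    if len(payload) < 8:
        return {"kind": "esp", "error": "shorter than ESP header"}
    spi, seq = struct.unpack_from("!II", payload)
    if spi == 0:
        return {"kind": "esp", "error": "SPI 0 is reserved"}
    return {"kind": "esp", "spi": spi, "seq": seq, "len": len(payload)}


class ReplayWindow:
    """Simplified anti-replay window (one per inbound ESP SA) in the style of RFC 4303."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number (top - i) was already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                                  # 0 is never a valid ESP sequence number
            return False
        if seq > self.top:                            # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                         # older than the window: drop
            return False
        if (self.bitmap >> diff) & 1:                 # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


def process_datagrams(datagrams, windows=None):
    """Classify each datagram and run ESP through a per-SPI replay window."""
    windows = {} if windows is None else windows
    results = []
    for payload in datagrams:
        info = classify_udp4500(payload)
        if info["kind"] == "esp" and "error" not in info:
            window = windows.setdefault(info["spi"], ReplayWindow())
            info["accepted"] = window.check_and_update(info["seq"])
        results.append(info)
    return results


# Constructed samples: an IKE_SA_INIT request (header only) and an ESP datagram with opaque body.
SAMPLE_IKE_SA_INIT = NON_ESP_MARKER + IKE_HEADER.pack(
    0x1122334455667788, 0, 33, 0x20, 34, FLAG_INITIATOR, 0, IKE_HEADER.size)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 24

if __name__ == "__main__":
    for r in process_datagrams([NAT_KEEPALIVE, SAMPLE_IKE_SA_INIT, SAMPLE_ESP, SAMPLE_ESP]):
        print(r)
```

The second copy of `SAMPLE_ESP` is rejected by the replay window, which is the kind of check a user-space ESP implementation has to perform itself once the kernel is no longer in the path.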