Understanding IKEv2 Communication on Android Without Raw Sockets

I was exploring the IKEv2 StrongSwan client implementation for Android. What I fail to understand is that Android and Java do not support raw sockets, whilst IKEv2/IPsec works below the transport layer, which seems counter-intuitive. How exactly does the communication happen after the CHILD_SA (aka IPsec SA) is established?

References:

  1. The official documentation for the Charon IKE keying daemon does mention the use of ‘socket’ in the architecture diagram, but I was unable to find any further reference to it.
  2. I’m aware of the fact that StrongSwan’s Android client uses a user-space implementation of libipsec, but again, how does libipsec communicate without raw sockets?

Answer:

The client only supports UDP-encapsulated ESP. These packets are sent/received over the same UDP sockets that are already used for IKEv2. This limitation is mentioned on the app’s wiki page.
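The answer above hinges on the fact that UDP-encapsulated ESP and IKE can share one UDP socket because the receiver can tell them apart from the first bytes of each datagram (RFC 3948). The following is an added example, not strongSwan or libipsec code: it builds the three kinds of datagram that arrive on the NAT-T socket (IKE with its four-byte Non-ESP Marker, ESP whose first word is a non-zero SPI, and the one-byte NAT-keepalive) and demultiplexes them the way any receiver sharing the socket must. The SPI and IKE SPI values are constructed sample data.

```python
"""Demultiplexing a NAT-T (UDP port 4500) datagram into IKE, ESP or keepalive.

Added example, not strongSwan code.  Implements the RFC 3948 rules that let a
single UDP socket carry both IKE and UDP-encapsulated ESP:

  * ESP           : payload starts with the ESP header; its first 4 bytes are
                    the SPI, and SPI 0 is reserved (RFC 4303 section 2.1), so a
                    non-zero first 32-bit word means ESP.
  * IKE           : payload starts with a 4-byte all-zero "Non-ESP Marker",
                    followed by the 28-byte IKEv2 header (RFC 3948 section 2.2,
                    RFC 7296 section 3.1).
  * NAT-keepalive : a single 0xFF byte (RFC 3948 section 2.3).
"""
import struct
from dataclasses import dataclass
from typing import Union

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# iSPI, rSPI, NextPayload, MjVer/MnVer, ExchangeType, Flags, MessageID, Length
IKEV2_HEADER = struct.Struct("!QQBBBBII")
ESP_HEADER = struct.Struct("!II")   # SPI, Sequence Number
IKEV2_VERSION = 0x20                # MjVer=2, MnVer=0


@dataclass
class EspPacket:
    spi: int
    seq: int
    payload: bytes   # IV, ciphertext, padding/trailer and ICV: opaque here


@dataclass
class IkeMessage:
    ispi: int
    rspi: int
    next_payload: int
    exchange_type: int
    flags: int
    message_id: int
    body: bytes      # IKE payloads following the 28-byte header


@dataclass
class NatKeepalive:
    pass


def build_ikev2_message(ispi: int, rspi: int, next_payload: int,
                        exchange_type: int, flags: int, message_id: int,
                        body: bytes) -> bytes:
    """IKEv2 header plus payloads; Length covers header and body."""
    return IKEV2_HEADER.pack(ispi, rspi, next_payload, IKEV2_VERSION,
                             exchange_type, flags, message_id,
                             IKEV2_HEADER.size + len(body)) + body


def encapsulate_ike(ike_message: bytes) -> bytes:
    """What goes into the UDP payload on port 4500 for IKE: marker + message."""
    return NON_ESP_MARKER + ike_message


def encapsulate_esp(spi: int, seq: int, esp_payload: bytes) -> bytes:
    """UDP-encapsulated ESP: the ESP header itself starts the UDP payload."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved and would be read as an IKE marker")
    return ESP_HEADER.pack(spi, seq) + esp_payload


def demux_nat_t_datagram(payload: bytes) -> Union[EspPacket, IkeMessage, NatKeepalive]:
    """Classify one UDP payload received on the shared NAT-T socket."""
    if payload == NAT_KEEPALIVE:
        return NatKeepalive()
    if len(payload) < ESP_HEADER.size:
        raise ValueError("datagram too short for IKE or ESP")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKEV2_HEADER.size:
            raise ValueError("truncated IKEv2 header")
        (ispi, rspi, next_payload, version, exchange_type,
         flags, message_id, length) = IKEV2_HEADER.unpack(ike[:IKEV2_HEADER.size])
        if version != IKEV2_VERSION:
            raise ValueError("not an IKEv2 header")
        if length != len(ike):
            raise ValueError("IKE Length field disagrees with datagram size")
        return IkeMessage(ispi, rspi, next_payload, exchange_type, flags,
                          message_id, ike[IKEV2_HEADER.size:])
    spi, seq = ESP_HEADER.unpack(payload[:ESP_HEADER.size])
    return EspPacket(spi, seq, payload[ESP_HEADER.size:])


if __name__ == "__main__":
    # Constructed sample traffic: an IKE_SA_INIT request and an ESP packet.
    init = encapsulate_ike(build_ikev2_message(
        0x1122334455667788, 0, 33, 34, 0x08, 0, b""))
    esp = encapsulate_esp(0xABCD, 7, b"\x5a" * 16)
    for datagram in (init, esp, NAT_KEEPALIVE):
        print(demux_nat_t_datagram(datagram))
```

The length and version checks on the IKE branch matter on a shared socket: an ESP datagram whose sender violated the SPI rule, or plain garbage, lands in the IKE branch and must be rejected there rather than parsed as a message. Encryption, authentication and the inner IP handling of the ESP payload are what libipsec does next and are outside this example.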
