/** @mainpage

@section design strongSwan's overall design

IKEv1 and IKEv2 are handled by different keying daemons. The old IKEv1 code is
handled entirely by pluto, as it always has been. IKEv2 is handled by the new
keying daemon, which is called #charon.
Daemon control is done over Unix sockets. Pluto uses whack, as it has for years.
Charon uses another socket interface, called stroke. Stroke uses a different
message format than whack and is therefore not compatible with it. The starter
utility, which does fast configuration parsing, speaks both protocols, whack and
stroke. It also handles daemon startup and termination.
Pluto uses starter for some commands and the whack utility for others. To stay
as close to pluto as possible, charon has the same split of commands between
starter and stroke. All commands are wrapped together in the ipsec script, which
allows transparent control of both daemons.
@verbatim

+-----------------------------------------+
|                  ipsec                  |
+-----+--------------+---------------+----+
      |              |               |
      |              |               |
      |        +-----+-----+         |
+-----+----+   |           |   +-----+----+
|          |   |  starter  |   |          |
|  stroke  |   |           |   |  whack   |
|          |   +---+--+----+   |          |
+------+---+       |  |        +--+-------+
       |           |  |           |
   +---+------+    |  |    +------+--+
   |          |    |  |    |         |
   |  charon  +----+  +----+  pluto  |
   |          |            |         |
   +-----+----+            +----+----+
         |                      |
   +-----+----+                 |
   |   LSF    |                 |
   +-----+----+                 |
         |                      |
   +-----+----+            +----+----+
   | RAW Sock |            | UDP/500 |
   +----------+            +---------+

@endverbatim
Since IKEv2 uses the same port as IKEv1, both daemons must listen on UDP port
500. Under Linux, there is no clean way to bind two sockets to the same port.
To resolve this problem, charon uses a RAW socket, as network sniffers do. An
installed Linux Socket Filter (LSF) filters out all non-IKEv2 traffic. Pluto
still receives every IKE message, independent of charon's behaviour; therefore
pluto's behaviour is changed to discard any IKEv2 traffic silently.

To gain some reusability of the code, generic crypto and utility functions are
separated into a shared library, libstrongswan.

*/