3 @section design strongSwans overall design
5 IKEv1 and IKEv2 is handled in different keying daemons. The ole IKEv1 stuff is
6 completely handled in pluto, as it was all the times. IKEv2 is handled in the
7 new keying daemon, which is called #charon.
8 Daemon control is done over unix sockets. Pluto uses whack, as it did for years.
9 Charon uses another socket interface, called stroke. Stroke uses another
10 format as whack and therefore is not compatible to whack. The starter utility,
11 wich does fast configuration parsing, speaks both the protocols, whack and
12 stroke. It also handles daemon startup and termination.
13 Pluto uses starter for some commands, for other it uses the whack utility. To be
14 as close to pluto as possible, charon has the same split up of commands to
15 starter and stroke. All commands are wrapped together in the ipsec script, which
16 allows transparent control of both daemons.
19 +-----------------------------------------+
21 +-----+--------------+---------------+----+
25 +-----+----+ | | +-----+----+
27 | stroke | | | | whack |
29 +------+---+ | | +--+-------+
31 +---+------+ | | +------+--+
33 | charon +----+ +----+ pluto |
35 +-----+----+ +----+----+
41 +-----+----+ +----+----+
42 | RAW Sock | | UDP/500 |
43 +----------+ +---------+
46 Since IKEv2 uses the same port as IKEv1, both daemons must listen to UDP port
47 500. Under Linux, there is no clean way to set up two sockets at the same port.
48 To reslove this problem, charon uses a RAW socket, as they are used in network
49 sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2
50 traffic. Pluto receives any IKE message, independant of charons behavior.
51 Therefore plutos behavior is changed to discard any IKEv2 traffic silently.
53 To gain some reusability of the code, generic crypto and utility functions are
54 separeted in a shared library, libstrongswan.
projects / people / ms / strongswan.git / blob