IPsec/IKEv2 Library

The IPsec/IKEv2 Library module provides a mechanism for negotiating security parameters (keys, algorithms, tunnel configurations) for new and existing Android features such as Interworking Wireless LAN (IWLAN) and VPNs. This module is updatable, meaning it can receive updates to functionality outside of the normal Android release cycle.

The IPsec/IKEv2 Library module provides the following benefits.

  • Support for IMS, IWLAN, and modernized VPNs. IP Multimedia Subsystem (IMS) and IWLAN require IKEv2 to complete key exchanges securely and reliably. In Android 11, the IPsec/IKEv2 Library module's IKEv2 negotiation library is the platform's default implementation of an IKEv2 client, supporting initial establishment, periodic re-key, dead peer detection, and handoff. The module also enables deprecation and replacement of the racoon-based IKEv1 VPN library used as the default built-in VPN client in Android 10 and lower.

  • Ecosystem consistency. Using the IPsec/IKEv2 negotiation library as the platform's default library encourages ecosystem-wide consistency, reduces dependencies on closed-source implementations, and improves maintainability and updatability. Because it is a client-only implementation built on top of Android's IPsec API (IpSecManager), it can use the Linux kernel's IPsec support without the elevated privileges an IKEv2 daemon needs. The IKEv2 library is written in Java to avoid the memory-safety issues common in C or C++ implementations.

  • Quick fixes for security and interoperability issues. IPsec/IKEv2 is security-critical code that VPNs rely on to protect user data. Many clients and servers implement the IKEv2 protocol slightly differently, which can cause interoperability issues between the IKEv2 library and other IKEv2 servers. Module updatability lets the Android team respond quickly to security vulnerabilities and to interoperability bugs while minimizing work for ecosystem partners.
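As an added example (not code from this page or from the com.android.ipsec module sources), the following client drives the library through the public android.net.ipsec.ike API and exercises the features listed above: initial establishment (IkeSession), periodic re-key (IKE and Child SA lifetimes) and dead peer detection (the DPD delay). The class and method names are those of the public API as it shipped in Android 11 (API level 30); the server hostname, identities and pre-shared key are placeholders, and applying the received IpSecTransforms to a tunnel interface is left as a comment because the IpSecManager tunnel APIs are system-only and unavailable to ordinary apps.

```java
// Added example, not code from this page or from the com.android.ipsec module.
// Hostnames, identities and the PSK are placeholders (assumptions).
import android.content.Context;
import android.net.IpSecManager;
import android.net.IpSecTransform;
import android.net.ipsec.ike.ChildSaProposal;
import android.net.ipsec.ike.ChildSessionCallback;
import android.net.ipsec.ike.ChildSessionConfiguration;
import android.net.ipsec.ike.ChildSessionParams;
import android.net.ipsec.ike.IkeFqdnIdentification;
import android.net.ipsec.ike.IkeSaProposal;
import android.net.ipsec.ike.IkeSession;
import android.net.ipsec.ike.IkeSessionCallback;
import android.net.ipsec.ike.IkeSessionConfiguration;
import android.net.ipsec.ike.IkeSessionParams;
import android.net.ipsec.ike.SaProposal;
import android.net.ipsec.ike.TunnelModeChildSessionParams;
import android.net.ipsec.ike.exceptions.IkeException;
import android.net.ipsec.ike.exceptions.IkeProtocolException;
import android.system.OsConstants;
import android.util.Log;
import java.util.concurrent.Executors;

public final class IkeClientDemo {
    private static final String TAG = "IkeClientDemo";

    /** IKE SA parameters: AES-256-GCM, HMAC-SHA256 PRF, 2048-bit MODP group, PSK auth. */
    static IkeSessionParams buildIkeParams(Context context, String serverHostname, byte[] psk) {
        IkeSaProposal ikeProposal = new IkeSaProposal.Builder()
                // AES-GCM is a combined-mode cipher, so no separate integrity algorithm is added.
                .addEncryptionAlgorithm(SaProposal.ENCRYPTION_ALGORITHM_AES_GCM_16,
                        SaProposal.KEY_LEN_AES_256)
                .addPseudorandomFunction(SaProposal.PSEUDORANDOM_FUNCTION_HMAC_SHA256)
                .addDhGroup(SaProposal.DH_GROUP_2048_BIT_MODP)
                .build();
        return new IkeSessionParams.Builder(context)
                .setServerHostname(serverHostname)
                .setLocalIdentification(new IkeFqdnIdentification("client.example.com"))
                .setRemoteIdentification(new IkeFqdnIdentification(serverHostname))
                .setAuthPsk(psk)
                .addSaProposal(ikeProposal)
                // Periodic re-key: the soft lifetime starts a re-key well before the hard
                // lifetime (both in seconds) would tear the IKE SA down.
                .setLifetimeSeconds(4 * 3600, 3 * 3600)
                // Dead peer detection: probe the peer after this many idle seconds.
                .setDpdDelaySeconds(120)
                .build();
    }

    /** Tunnel-mode Child SA that asks the server for an internal IPv4 address and DNS server. */
    static ChildSessionParams buildChildParams() {
        ChildSaProposal childProposal = new ChildSaProposal.Builder()
                .addEncryptionAlgorithm(SaProposal.ENCRYPTION_ALGORITHM_AES_GCM_16,
                        SaProposal.KEY_LEN_AES_256)
                .build();
        return new TunnelModeChildSessionParams.Builder()
                .addInternalAddressRequest(OsConstants.AF_INET)
                .addInternalDnsServerRequest(OsConstants.AF_INET)
                .addSaProposal(childProposal)
                .setLifetimeSeconds(2 * 3600, 3600)
                .build();
    }

    /** Starts the IKE_SA_INIT and IKE_AUTH exchanges; results arrive on the callbacks. */
    static IkeSession open(Context context, String serverHostname, byte[] psk) {
        IkeSessionCallback ikeCallback = new IkeSessionCallback() {
            @Override public void onOpened(IkeSessionConfiguration config) {
                Log.i(TAG, "IKE SA established, peer: " + config.getRemoteApplicationVersion());
            }
            @Override public void onClosed() { Log.i(TAG, "IKE SA closed"); }
            @Override public void onClosedExceptionally(IkeException e) {
                // Authentication failure, DPD timeout and fatal protocol errors end up here.
                Log.w(TAG, "IKE SA closed with error", e);
            }
            @Override public void onError(IkeProtocolException e) {
                // Recoverable error notify on an established SA; the session stays up.
                Log.w(TAG, "IKE protocol error", e);
            }
        };
        ChildSessionCallback childCallback = new ChildSessionCallback() {
            @Override public void onOpened(ChildSessionConfiguration config) {
                Log.i(TAG, "Child SA up, internal addresses: " + config.getInternalAddresses());
            }
            @Override public void onClosed() { Log.i(TAG, "Child SA closed"); }
            @Override public void onClosedExceptionally(IkeException e) {
                Log.w(TAG, "Child SA closed with error", e);
            }
            @Override public void onIpSecTransformCreated(IpSecTransform transform, int direction) {
                // Fired for the initial Child SA and again after every re-key. A privileged
                // caller would apply the transform to an IpSecTunnelInterface here; those
                // IpSecManager tunnel APIs are system-only, so an ordinary app only observes.
                Log.i(TAG, "IPsec transform created, direction="
                        + (direction == IpSecManager.DIRECTION_IN ? "in" : "out"));
            }
            @Override public void onIpSecTransformDeleted(IpSecTransform transform, int direction) {
                Log.i(TAG, "IPsec transform deleted, direction=" + direction);
            }
        };
        return new IkeSession(context, buildIkeParams(context, serverHostname, psk),
                buildChildParams(), Executors.newSingleThreadExecutor(), ikeCallback, childCallback);
    }
}
```

Calling open(context, "vpn.example.com", psk) runs the whole negotiation inside the app process: the library opens a UDP socket to ports 500/4500, performs IKE_SA_INIT and IKE_AUTH, then keeps the SA alive with re-keys and DPD probes on the schedule set in buildIkeParams, and hands the kernel-ready IpSecTransform objects to the Child callback. Nothing in this path needs root or a native daemon, which is the privilege point made in the list above.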

Module boundary

The IPsec/IKEv2 Library module is in packages/modules/IPsec.

Module format

The IPsec/IKEv2 Library module (com.android.ipsec) is in APEX format and is available for devices running Android 11 or higher.

Customization

The IPsec/IKEv2 Library module doesn't support customization.

Testing

The Android Compatibility Test Suite (CTS) verifies the IPsec/IKEv2 Library module's functionality by running a comprehensive set of CTS tests on every module release. You can also run the IPsec/IKEv2 Library module's unit tests with the command atest FrameworksIkeTests.