IPsec/IKEv2 Library
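The IPsec/IKEv2 Library module provides a mechanism for negotiating security parameters (keys, algorithms, tunnel configurations) for new and existing Android features such as Interworking Wireless LAN (IWLAN) and VPNs. This module is updatable, meaning it can receive updates to functionality outside of the normal Android release cycle.
The IPsec/IKEv2 Library module provides the following benefits.
Support for IMS, IWLAN, and modernized VPNs. IP Multimedia Subsystem (IMS) and IWLAN require IKEv2 to complete key exchanges securely and reliably. In Android 11, the IPsec/IKEv2 Library module's IKEv2 negotiation library is the platform's default implementation of an IKEv2 client, supporting initial establishment, periodic re-key, dead peer detection, and handoff. The module also enables deprecation and replacement of the racoon-based IKEv1 VPN library used as the default built-in VPN client in Android 10 and lower.
Ecosystem consistency. Using the IPsec/IKEv2 negotiation library as the platform's default library encourages ecosystem-wide consistency, reduces dependencies on closed source implementations, and improves maintainability and updatability. Having a client-only implementation that works on top of Android's IPsec API unlocks the power of Linux IPsec support without requiring the elevated privileges needed by an IKEv2 daemon. The IKEv2 library is written in Java to avoid security issues found in C or C++ implementations.
Quick fixes for security and interoperability issues. IPsec/IKEv2 is security-critical code that supports VPNs in securing user data. Many clients and servers implement the IKEv2 protocol slightly differently, resulting in potential interoperability issues between the IKEv2 library and other IKEv2 servers. Module updatability allows the Android team to respond to security vulnerabilities quickly and to fix interoperability bugs quickly while minimizing work for ecosystem partners.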
Module boundary
The IPsec/IKEv2 Library module is in packages/modules/IPsec.
Module format
The IPsec/IKEv2 Library module (com.android.ipsec) is in APEX format and is available for devices running Android 11 or higher.
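Because the module ships as an APEX and is updated outside the normal release cycle, a device audit can confirm which version of it is installed. The script below is an added example, not code from this page or from AOSP: it parses the output of `pm list packages --apex-only --show-versioncode`; the sample output, the `com.android.ipsec.extras` entry, and the baseline version codes are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the installed version of the IPsec/IKEv2 APEX module.
# On a workstation with a device attached (assumes adb is available):
#   adb shell pm list packages --apex-only --show-versioncode | ipsec_apex_status 300000000

MODULE="com.android.ipsec"   # module name as given on this page

# Constructed sample of `pm list packages --apex-only --show-versioncode` output.
# The ".extras" entry is hypothetical and only exercises exact-name matching.
SAMPLE_OUTPUT='package:com.android.tzdata versionCode:300000000
package:com.android.ipsec versionCode:310000000
package:com.android.ipsec.extras versionCode:1'

# Read pm output on stdin; print the versionCode of $MODULE, or nothing if absent.
ipsec_apex_version() {
    # adb can emit CRLF line endings, so strip carriage returns first.
    tr -d '\r' | awk -v pkg="package:$MODULE" '
        $1 == pkg { sub(/^versionCode:/, "", $2); print $2; exit }'
}

# Read pm output on stdin and compare against a minimum versionCode ($1),
# a baseline chosen by the auditor (hypothetical values are used here).
# Exit status: 0 = OK, 1 = OUTDATED, 2 = MISSING, 3 = UNPARSEABLE.
ipsec_apex_status() {
    min="$1"
    ver="$(ipsec_apex_version)"
    case "$ver" in
        '')       echo "MISSING $MODULE"; return 2 ;;
        *[!0-9]*) echo "UNPARSEABLE $ver"; return 3 ;;
    esac
    if [ "$ver" -lt "$min" ]; then
        echo "OUTDATED $MODULE $ver < $min"
        return 1
    fi
    echo "OK $MODULE $ver"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | ipsec_apex_status 300000000
```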
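Customization
The IPsec/IKEv2 Library module doesn't support customization.
Testing
The Android Compatibility Test Suite (CTS) verifies the IPsec/IKEv2 Library module's functionality by running a comprehensive set of CTS tests on every module release. You can also run IPsec/IKEv2 Library module unit tests using the command atest FrameworksIkeTests.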
Last updated 2025-03-26 UTC.