IpSecManager
  public
  
  
  
  class
  IpSecManager
  
    extends Object
  
  
  
  
  
  
| java.lang.Object | |
| ↳ | android.net.IpSecManager | 
This class contains methods for managing IPsec sessions. Once configured, the kernel will apply confidentiality (encryption) and integrity (authentication) to IP traffic.
Note that not all aspects of IPsec are permitted by this API. Applications may create
 transport mode security associations and apply them to individual sockets. Applications looking
 to create an IPsec VPN should use VpnManager and Ikev2VpnProfile.
Summary
| Nested classes | |
|---|---|
| 
        
        
        
        
        class | IpSecManager.ResourceUnavailableExceptionThrown to indicate that an IPsec resource is unavailable. | 
| 
        
        
        
        
        class | IpSecManager.SecurityParameterIndexThis class represents a reserved SPI. | 
| 
        
        
        
        
        class | IpSecManager.SpiUnavailableExceptionThrown to indicate that a requested SPI is in use. | 
| 
        
        
        
        
        class | IpSecManager.UdpEncapsulationSocketThis class provides access to a UDP encapsulation Socket. | 
| Constants | |
|---|---|
| int | DIRECTION_INUsed when applying a transform to direct traffic through an  | 
| int | DIRECTION_OUTUsed when applying a transform to direct traffic through an  | 
| Public methods | |
|---|---|
| 
        
        
        
        
        
        IpSecManager.SecurityParameterIndex | 
      allocateSecurityParameterIndex(InetAddress destinationAddress)
      Reserve a random SPI for traffic bound to or from the specified destination address. | 
| 
        
        
        
        
        
        IpSecManager.SecurityParameterIndex | 
      allocateSecurityParameterIndex(InetAddress destinationAddress, int requestedSpi)
      Reserve the requested SPI for traffic bound to or from the specified destination address. | 
| 
        
        
        
        
        
        void | 
      applyTransportModeTransform(FileDescriptor socket, int direction, IpSecTransform transform)
      Apply an IPsec transform to a socket. | 
| 
        
        
        
        
        
        void | 
      applyTransportModeTransform(DatagramSocket socket, int direction, IpSecTransform transform)
      Apply an IPsec transform to a datagram socket. | 
| 
        
        
        
        
        
        void | 
      applyTransportModeTransform(Socket socket, int direction, IpSecTransform transform)
      Apply an IPsec transform to a stream socket. | 
| 
        
        
        
        
        
        IpSecManager.UdpEncapsulationSocket | 
      openUdpEncapsulationSocket(int port)
      Open a socket for UDP encapsulation and bind to the given port. | 
| 
        
        
        
        
        
        IpSecManager.UdpEncapsulationSocket | 
      openUdpEncapsulationSocket()
      Open a socket for UDP encapsulation. | 
| 
        
        
        
        
        
        void | 
      removeTransportModeTransforms(FileDescriptor socket)
      Remove an IPsec transform from a socket. | 
| 
        
        
        
        
        
        void | 
      removeTransportModeTransforms(DatagramSocket socket)
      Remove an IPsec transform from a datagram socket. | 
| 
        
        
        
        
        
        void | 
      removeTransportModeTransforms(Socket socket)
      Remove an IPsec transform from a stream socket. | 
| Inherited methods | |
|---|---|
Constants
DIRECTION_IN
public static final int DIRECTION_IN
Used when applying a transform to direct traffic through an IpSecTransform
 towards the host.
 
See applyTransportModeTransform(java.net.Socket, int, android.net.IpSecTransform).
Constant Value: 0 (0x00000000)
DIRECTION_OUT
public static final int DIRECTION_OUT
Used when applying a transform to direct traffic through an IpSecTransform
 away from the host.
 
See applyTransportModeTransform(java.net.Socket, int, android.net.IpSecTransform).
Constant Value: 1 (0x00000001)
Public methods
allocateSecurityParameterIndex
public IpSecManager.SecurityParameterIndex allocateSecurityParameterIndex (InetAddress destinationAddress)
Reserve a random SPI for traffic bound to or from the specified destination address.
If successful, this SPI is guaranteed available until released by a call to IpSecManager.SecurityParameterIndex.close().
| Parameters | |
|---|---|
| destinationAddress | InetAddress: the destination address for traffic bearing the requested SPI.
     For inbound traffic, the destination should be an address currently assigned on-device.
 This value cannot benull. | 
| Returns | |
|---|---|
| IpSecManager.SecurityParameterIndex | the reserved SecurityParameterIndex
 This value cannot be null. | 
| Throws | |
|---|---|
| IpSecManager.ResourceUnavailableException | indicating that too many SPIs are currently allocated for this user | 
allocateSecurityParameterIndex
public IpSecManager.SecurityParameterIndex allocateSecurityParameterIndex (InetAddress destinationAddress, int requestedSpi)
Reserve the requested SPI for traffic bound to or from the specified destination address.
If successful, this SPI is guaranteed available until released by a call to IpSecManager.SecurityParameterIndex.close().
| Parameters | |
|---|---|
| destinationAddress | InetAddress: the destination address for traffic bearing the requested SPI.
     For inbound traffic, the destination should be an address currently assigned on-device.
 This value cannot benull. | 
| requestedSpi | int: the requested SPI. The range 1-255 is reserved and may not be used. See
     RFC 4303 Section 2.1. | 
| Returns | |
|---|---|
| IpSecManager.SecurityParameterIndex | the reserved SecurityParameterIndex
 This value cannot be null. | 
| Throws | |
|---|---|
| IpSecManager.ResourceUnavailableException | indicating that too many SPIs are currently allocated for this user | 
| IpSecManager.SpiUnavailableException | indicating that the requested SPI could not be reserved | 
applyTransportModeTransform
public void applyTransportModeTransform (FileDescriptor socket, int direction, IpSecTransform transform)
Apply an IPsec transform to a socket.
This applies transport mode encapsulation to the given socket. Once applied, I/O on the
 socket will be encapsulated according to the parameters of the IpSecTransform. When
 the transform is removed from the socket by calling removeTransportModeTransforms(FileDescriptor),
 unprotected traffic can resume on that socket.
 
For security reasons, the destination address of any traffic on the socket must match the
 remote InetAddress of the IpSecTransform. Attempts to send traffic to any
 other IP address will result in an IOException. In addition, reads and writes on the socket
 will throw IOException if the user deactivates the transform (by calling IpSecTransform.close()) without calling removeTransportModeTransforms(FileDescriptor).
 
Note that when applied to TCP sockets, calling IpSecTransform.close() on an
 applied transform before completion of graceful shutdown may result in the shutdown sequence
 failing to complete. As such, applications requiring graceful shutdown MUST close the socket
 prior to deactivating the applied transform. Socket closure may be performed asynchronously
 (in batches), so the returning of a close function does not guarantee shutdown of a socket.
 Setting an SO_LINGER timeout results in socket closure being performed synchronously, and is
 sufficient to ensure shutdown.
 Specifically, if the transform is deactivated (by calling IpSecTransform.close()),
 prior to the socket being closed, the standard [FIN - FIN/ACK - ACK], or the reset [RST]
 packets are dropped due to the lack of a valid Transform. Similarly, if a socket without the
 SO_LINGER option set is closed, the delayed/batched FIN packets may be dropped.
 
Rekey Procedure
When applying a new tranform to a socket in the outbound direction, the previous transform
 will be removed and the new transform will take effect immediately, sending all traffic on
 the new transform; however, when applying a transform in the inbound direction, traffic
 on the old transform will continue to be decrypted and delivered until that transform is
 deallocated by calling IpSecTransform.close(). This overlap allows lossless rekey
 procedures where both transforms are valid until both endpoints are using the new transform
 and all in-flight packets have been received.
| Parameters | |
|---|---|
| socket | FileDescriptor: a socket file descriptor
 This value cannot benull. | 
| direction | int: the direction in which the transform should be applied
 Value isDIRECTION_IN, orDIRECTION_OUT | 
| transform | IpSecTransform: a transport modeIpSecTransformThis value cannot benull. | 
| Throws | |
|---|---|
| IOException | indicating that the transform could not be applied | 
applyTransportModeTransform
public void applyTransportModeTransform (DatagramSocket socket, int direction, IpSecTransform transform)
Apply an IPsec transform to a datagram socket.
This applies transport mode encapsulation to the given socket. Once applied, I/O on the
 socket will be encapsulated according to the parameters of the IpSecTransform. When
 the transform is removed from the socket by calling removeTransportModeTransforms(FileDescriptor),
 unprotected traffic can resume on that socket.
 
For security reasons, the destination address of any traffic on the socket must match the
 remote InetAddress of the IpSecTransform. Attempts to send traffic to any
 other IP address will result in an IOException. In addition, reads and writes on the socket
 will throw IOException if the user deactivates the transform (by calling IpSecTransform.close()) without calling removeTransportModeTransforms(FileDescriptor).
 
Rekey Procedure
When applying a new tranform to a socket in the outbound direction, the previous transform
 will be removed and the new transform will take effect immediately, sending all traffic on
 the new transform; however, when applying a transform in the inbound direction, traffic
 on the old transform will continue to be decrypted and delivered until that transform is
 deallocated by calling IpSecTransform.close(). This overlap allows lossless rekey
 procedures where both transforms are valid until both endpoints are using the new transform
 and all in-flight packets have been received.
| Parameters | |
|---|---|
| socket | DatagramSocket: a datagram socket
 This value cannot benull. | 
| direction | int: the direction in which the transform should be applied
 Value isDIRECTION_IN, orDIRECTION_OUT | 
| transform | IpSecTransform: a transport modeIpSecTransformThis value cannot benull. | 
| Throws | |
|---|---|
| IOException | indicating that the transform could not be applied | 
applyTransportModeTransform
public void applyTransportModeTransform (Socket socket, int direction, IpSecTransform transform)
Apply an IPsec transform to a stream socket.
This applies transport mode encapsulation to the given socket. Once applied, I/O on the
 socket will be encapsulated according to the parameters of the IpSecTransform. When
 the transform is removed from the socket by calling removeTransportModeTransforms(FileDescriptor),
 unprotected traffic can resume on that socket.
 
For security reasons, the destination address of any traffic on the socket must match the
 remote InetAddress of the IpSecTransform. Attempts to send traffic to any
 other IP address will result in an IOException. In addition, reads and writes on the socket
 will throw IOException if the user deactivates the transform (by calling IpSecTransform.close()) without calling removeTransportModeTransforms(FileDescriptor).
 
Note that when applied to TCP sockets, calling IpSecTransform.close() on an
 applied transform before completion of graceful shutdown may result in the shutdown sequence
 failing to complete. As such, applications requiring graceful shutdown MUST close the socket
 prior to deactivating the applied transform. Socket closure may be performed asynchronously
 (in batches), so the returning of a close function does not guarantee shutdown of a socket.
 Setting an SO_LINGER timeout results in socket closure being performed synchronously, and is
 sufficient to ensure shutdown.
 Specifically, if the transform is deactivated (by calling IpSecTransform.close()),
 prior to the socket being closed, the standard [FIN - FIN/ACK - ACK], or the reset [RST]
 packets are dropped due to the lack of a valid Transform. Similarly, if a socket without the
 SO_LINGER option set is closed, the delayed/batched FIN packets may be dropped.
 
Rekey Procedure
When applying a new tranform to a socket in the outbound direction, the previous transform
 will be removed and the new transform will take effect immediately, sending all traffic on
 the new transform; however, when applying a transform in the inbound direction, traffic
 on the old transform will continue to be decrypted and delivered until that transform is
 deallocated by calling IpSecTransform.close(). This overlap allows lossless rekey
 procedures where both transforms are valid until both endpoints are using the new transform
 and all in-flight packets have been received.
| Parameters | |
|---|---|
| socket | Socket: a stream socket
 This value cannot benull. | 
| direction | int: the direction in which the transform should be applied
 Value isDIRECTION_IN, orDIRECTION_OUT | 
| transform | IpSecTransform: a transport modeIpSecTransformThis value cannot benull. | 
| Throws | |
|---|---|
| IOException | indicating that the transform could not be applied | 
openUdpEncapsulationSocket
public IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket (int port)
Open a socket for UDP encapsulation and bind to the given port.
See UdpEncapsulationSocket for the proper way to close the returned socket.
| Parameters | |
|---|---|
| port | int: a local UDP port | 
| Returns | |
|---|---|
| IpSecManager.UdpEncapsulationSocket | a socket that is bound to the given port
 This value cannot be null. | 
| Throws | |
|---|---|
| IOException | indicating that the socket could not be opened or bound | 
| IpSecManager.ResourceUnavailableException | indicating that too many encapsulation sockets are open | 
openUdpEncapsulationSocket
public IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket ()
Open a socket for UDP encapsulation.
See UdpEncapsulationSocket for the proper way to close the returned socket.
 
The local port of the returned socket can be obtained by calling IpSecManager.UdpEncapsulationSocket.getPort().
| Returns | |
|---|---|
| IpSecManager.UdpEncapsulationSocket | a socket that is bound to a local port
 This value cannot be null. | 
| Throws | |
|---|---|
| IOException | indicating that the socket could not be opened or bound | 
| IpSecManager.ResourceUnavailableException | indicating that too many encapsulation sockets are open | 
removeTransportModeTransforms
public void removeTransportModeTransforms (FileDescriptor socket)
Remove an IPsec transform from a socket.
Once removed, traffic on the socket will not be encrypted. Removing transforms from a socket allows the socket to be reused for communication in the clear.
If an IpSecTransform object applied to this socket was deallocated by calling
 IpSecTransform.close(), then communication on the socket will fail until this method
 is called.
| Parameters | |
|---|---|
| socket | FileDescriptor: a socket that previously had a transform applied to it
 This value cannot benull. | 
| Throws | |
|---|---|
| IOException | indicating that the transform could not be removed from the socket | 
removeTransportModeTransforms
public void removeTransportModeTransforms (DatagramSocket socket)
Remove an IPsec transform from a datagram socket.
Once removed, traffic on the socket will not be encrypted. Removing transforms from a socket allows the socket to be reused for communication in the clear.
If an IpSecTransform object applied to this socket was deallocated by calling
 IpSecTransform.close(), then communication on the socket will fail until this method
 is called.
| Parameters | |
|---|---|
| socket | DatagramSocket: a socket that previously had a transform applied to it
 This value cannot benull. | 
| Throws | |
|---|---|
| IOException | indicating that the transform could not be removed from the socket | 
removeTransportModeTransforms
public void removeTransportModeTransforms (Socket socket)
Remove an IPsec transform from a stream socket.
Once removed, traffic on the socket will not be encrypted. Removing transforms from a socket allows the socket to be reused for communication in the clear.
If an IpSecTransform object applied to this socket was deallocated by calling
 IpSecTransform.close(), then communication on the socket will fail until this method
 is called.
| Parameters | |
|---|---|
| socket | Socket: a socket that previously had a transform applied to it
 This value cannot benull. | 
| Throws | |
|---|---|
| IOException | indicating that the transform could not be removed from the socket | 
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2025-02-10 UTC.
