I am working with VoLTE capable android devices. When a device attaches to LTE it automatically gets PDN connectivity to APN1 , which is for Internet access. Immediately after that, the device requests PDN connectivity to the IMS APN (APN2). After this procedure completes, the device is connected to two different APNs simultaneously, has different IP addresses for the two APNs and can send traffic simultaneous on both "connections".

Q: I would like to understand how Android (4.1.2 in my case) actually implements this (?)

I assume that these are two different interfaces, but netcfg (adb shell) shows only one interface up, the one for APN1. The one for APN2 is nowhere to be found. It is, however, active and working because the device is sending IMS signalling on it (I am 100% sure of that). As a result, I cannot capture traffic (tcpdump) or add routing rules to ping specific IP addresses via APN2.

I think the reason why you can't see and access the IMS connection from your Android Application is probably clear but maybe not the mechanism that prevents you from seeing it.

The reason why the Operator would not want you to access the IMS connection is that this is used for call and session connection set up and take down in an IMS network. Allowing untrusted users direct access to this would open the door for lots of interesting and uncontrolled behaviour that could seriously compromise the operators network (denial of service attacks for instance).

How Android keeps visibility of this connection away from you is not as obvious. I think the best way to view it is to think of an LTE enabled Android device as being made up of two main components:

• An LTE phone/data terminal
• A linux based computer which is running the Android framework

The 'phone' part exposes certain functionality to the 'Android' part via defined interfaces - see the following link:

http://www.kandroid.org/online-pdk/guide/telephony.html

For obvious security reasons the 'phone' side in 2G and 3G devices exposes a relatively simple and very limited set of interfaces. For example, even though the 'phone' part itself contains all the functionality necessary to set up calls, negotiate radio resource usage etc, it does not provide an API to allow the Android application observe or manipulate these mechanisms or messages, beyond a limited set of defined interactions for basic call set up etc.

In the 3G world the detail of the mechanism to send a call setup message is thus hidden from the Android application - it can make a high level request to set up a call, but it can't actually control the GSM or 3G signalling to request rails resources, send the initial call message etc . In LTE to ensure this also stays hidden the Android application is not given access to the IMS connection and I think this is the observed behaviour you are probably referring to.

In LTE data & voice do behave a little differently than traditional 2G/3G NW. DATA - In LTE a Phone is always connected to the NW and receives IP address so that you can communicate over internet. This IP is changed only if you are switching the phone Off or putting it on Airplane mode. The APN through which user gets the IP Access is called as default APN, this APN is operator specific and same can be seen in any Android based phone through "settings" options.

Voice - As in LTE, there is no Circuit Switched NW (CS NW), Voice also rides over data connection but as Voice is real time traffic it need different Quality of Service...QoS. Hence to meet up the QoS requirement LTE comes up with a IMS NW (IP Multimedia Service) and this can be accessed by a separate NW.

So LTE Data & IMS APNs are active in parallel but exchanging data across two different IP Addresses.

The IMS APN is standard across all the operator and hardcoded in the VoLTE capable phone itself.

I have not seen the exchange of messages for IMS APN at phone, but from NW side...yes!. Phone sends SIP registration (IMS Signaling msg) over this APN and also RTP pkts (Voice call). IMS APN is to be used for Voice Calling, Video Calling & SMS. For a normal user perspective he never knows whether the voice call is going through traditional 2G/3G NW or LTE-IMS NW, except that IMS do support HD Voice & Video...

In Android,We have something called APN type under APN setting.Based on that Value the APN's are differentiated for the data use. Particular to IMS APN/PDN and Angular Internet APN/PDN,It is defined in the Android framework,based on that your APN PDN connection request will be initiated by the Phone once your primary Internet PDN is created. You will be getting 2 different IP for 2 different services,and will be marked with QCI [QOS Class Identifier]

I strongly believe that TCPdump can be used to capture both the IP transactions in same time.

if you share me exact thing you are trying ,i can help more on this