]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/charon/sa/ike_sa.h
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Missing commas added.
[thirdparty/strongswan.git] / src / charon / sa / ike_sa.h
CommitLineData
7ba38761 1/*
9c2a905d 2 * Copyright (C) 2006-2008 Tobias Brunner
d5cc1758 3 * Copyright (C) 2006 Daniel Roethlisberger
a44bb934 4 * Copyright (C) 2005-2009 Martin Willi
c71d53ba 5 * Copyright (C) 2005 Jan Hutter
7ba38761
JH		 6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
552cc11b
MW		 17 */
18
19/**
20 * @defgroup ike_sa ike_sa
21 * @{ @ingroup sa
7ba38761
JH		 22 */
23
24#ifndef IKE_SA_H_
25#define IKE_SA_H_
26
3b04350a 27typedef enum ike_extension_t ike_extension_t;
17d92e97 28typedef enum ike_condition_t ike_condition_t;
382b4817 29typedef enum ike_sa_state_t ike_sa_state_t;
ee614711 30typedef enum statistic_t statistic_t;
382b4817
MW		 31typedef struct ike_sa_t ike_sa_t;
32
db7ef624 33#include <library.h>
4a962238 34#include <encoding/message.h>
b9d9f188 35#include <encoding/payloads/proposal_substructure.h>
7f56b494 36#include <encoding/payloads/configuration_attribute.h>
96f79ff1 37#include <sa/ike_sa_id.h>
30b5b412 38#include <sa/child_sa.h>
c60c7694 39#include <sa/tasks/task.h>
6a4ff35c 40#include <sa/keymat.h>
e0fe7651
MW		 41#include <config/peer_cfg.h>
42#include <config/ike_cfg.h>
a44bb934 43#include <config/auth_cfg.h>
8323a9c1 44
3b138b84 45/**
6554b5e4 46 * Timeout in seconds after that a half open IKE_SA gets deleted.
3b138b84 47 */
6554b5e4 48#define HALF_OPEN_IKE_SA_TIMEOUT 30
3b138b84
MW		 49
50/**
51 * Interval to send keepalives when NATed, in seconds.
3b138b84
MW		 52 */
53#define KEEPALIVE_INTERVAL 20
54
55/**
56 * After which time rekeying should be retried if it failed, in seconds.
3b138b84
MW		 57 */
58#define RETRY_INTERVAL 30
59
60/**
61 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
3b138b84
MW		 62 */
63#define RETRY_JITTER 20
64
3b04350a 65/**
552cc11b 66 * Extensions (or optional features) the peer supports
3b04350a
MW		 67 */
68enum ike_extension_t {
69
70 /**
71 * peer supports NAT traversal as specified in RFC4306
72 */
17d92e97 73 EXT_NATT = (1<<0),
3b04350a
MW		 74
75 /**
76 * peer supports MOBIKE (RFC4555)
77 */
17d92e97 78 EXT_MOBIKE = (1<<1),
6439267a
TB		 79
80 /**
81 * peer supports HTTP cert lookups as specified in RFC4306
82 */
83 EXT_HASH_AND_URL = (1<<2),
a44bb934
MW		 84
85 /**
86 * peer supports multiple authentication exchanges, RFC4739
87 */
88 EXT_MULTIPLE_AUTH = (1<<3),
17d92e97
MW		 89};
90
91/**
552cc11b 92 * Conditions of an IKE_SA, change during its lifetime
17d92e97
MW		 93 */
94enum ike_condition_t {
95
96 /**
9dae1bed 97 * Connection is natted (or faked) somewhere
17d92e97
MW		 98 */
99 COND_NAT_ANY = (1<<0),
100
101 /**
102 * we are behind NAT
103 */
104 COND_NAT_HERE = (1<<1),
105
106 /**
107 * other is behind NAT
108 */
109 COND_NAT_THERE = (1<<2),
9dae1bed
MW		 110
111 /**
112 * Faking NAT to enforce UDP encapsulation
113 */
114 COND_NAT_FAKE = (1<<3),
faf9569f 115
17d92e97 116 /**
a44bb934 117 * peer has been authenticated using EAP at least once
17d92e97 118 */
ee614711 119 COND_EAP_AUTHENTICATED = (1<<4),
faf9569f 120
552cc11b
MW		 121 /**
122 * received a certificate request from the peer
123 */
96926b00 124 COND_CERTREQ_SEEN = (1<<5),
faf9569f
MW		 125
126 /**
127 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
128 */
129 COND_ORIGINAL_INITIATOR = (1<<6),
7afd9d66
MW		 130
131 /**
132 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
133 */
134 COND_STALE = (1<<7),
ee614711
MW		 135};
136
137/**
85ac2fa5 138 * Timing information and statistics to query from an SA
ee614711
MW		 139 */
140enum statistic_t {
85ac2fa5
MW		 141 /** Timestamp of SA establishement */
142 STAT_ESTABLISHED = 0,
143 /** Timestamp of scheudled rekeying */
144 STAT_REKEY,
145 /** Timestamp of scheudled reauthentication */
146 STAT_REAUTH,
147 /** Timestamp of scheudled delete */
148 STAT_DELETE,
149 /** Timestamp of last inbound IKE packet */
150 STAT_INBOUND,
151 /** Timestamp of last outbound IKE packet */
152 STAT_OUTBOUND,
ee614711 153
85ac2fa5 154 STAT_MAX
3b04350a 155};
3b138b84 156
8323a9c1 157/**
552cc11b 158 * State of an IKE_SA.
cb5c41cd
MW		 159 *
160 * An IKE_SA passes various states in its lifetime. A newly created
161 * SA is in the state CREATED.
162 * @verbatim
163 +----------------+
3183006d 164 ¦ SA_CREATED ¦
cb5c41cd 165 +----------------+
3183006d
MW		 166 ¦
167 on initiate()---> ¦ <----- on IKE_SA_INIT received
168 V
cb5c41cd 169 +----------------+
3183006d 170 ¦ SA_CONNECTING ¦
cb5c41cd 171 +----------------+
3183006d
MW		 172 ¦
173 ¦ <----- on IKE_AUTH successfully completed
174 V
cb5c41cd 175 +----------------+
3183006d
MW		 176 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
177 +----------------+ ¦
178 ¦ V
179 on delete()---> ¦ <----- on IKE_SA +-------------+
180 ¦ delete request ¦ SA_REKEYING ¦
181 ¦ received +-------------+
182 V ¦
183 +----------------+ ¦
184 ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
cb5c41cd 185 +----------------+
3183006d
MW		 186 ¦
187 ¦ <----- after delete() acknowledged
188 ¦
189 \V/
cb5c41cd
MW		 190 X
191 / \
192 @endverbatim
8323a9c1 193 */
3dd3c5f3
MW		 194enum ike_sa_state_t {
195
196 /**
197 * IKE_SA just got created, but is not initiating nor responding yet.
198 */
bcb95ced 199 IKE_CREATED,
3dd3c5f3
MW		 200
201 /**
202 * IKE_SA gets initiated actively or passively
203 */
bcb95ced 204 IKE_CONNECTING,
3dd3c5f3
MW		 205
206 /**
207 * IKE_SA is fully established
208 */
bcb95ced 209 IKE_ESTABLISHED,
3dd3c5f3 210
c610f424
MW		 211 /**
212 * IKE_SA is managed externally and does not process messages
213 */
214 IKE_PASSIVE,
215
3183006d
MW		 216 /**
217 * IKE_SA rekeying in progress
218 */
219 IKE_REKEYING,
220
3dd3c5f3
MW		 221 /**
222 * IKE_SA is in progress of deletion
223 */
bcb95ced 224 IKE_DELETING,
a985db3f
MW		 225
226 /**
227 * IKE_SA object gets destroyed
228 */
229 IKE_DESTROYING,
3dd3c5f3
MW		 230};
231
232/**
60356f33 233 * enum names for ike_sa_state_t.
3dd3c5f3 234 */
60356f33 235extern enum_name_t *ike_sa_state_names;
7ba38761
JH		 236
237/**
552cc11b 238 * Class ike_sa_t representing an IKE_SA.
3dd3c5f3
MW		 239 *
240 * An IKE_SA contains crypto information related to a connection
241 * with a peer. It contains multiple IPsec CHILD_SA, for which
242 * it is responsible. All traffic is handled by an IKE_SA, using
c60c7694 243 * the task manager and its tasks.
7ba38761 244 */
5796aa16 245struct ike_sa_t {
7ba38761
JH		 246
247 /**
552cc11b 248 * Get the id of the SA.
3dd3c5f3
MW		 249 *
250 * Returned ike_sa_id_t object is not getting cloned!
c3dc6f1a 251 *
3dd3c5f3 252 * @return ike_sa's ike_sa_id_t
7ba38761 253 */
3dd3c5f3
MW		 254 ike_sa_id_t* (*get_id) (ike_sa_t *this);
255
c60c7694 256 /**
552cc11b 257 * Get the numerical ID uniquely defining this IKE_SA.
c60c7694 258 *
c60c7694
MW		 259 * @return unique ID
260 */
261 u_int32_t (*get_unique_id) (ike_sa_t *this);
262
3dd3c5f3 263 /**
552cc11b 264 * Get the state of the IKE_SA.
3dd3c5f3 265 *
3dd3c5f3
MW		 266 * @return state of the IKE_SA
267 */
268 ike_sa_state_t (*get_state) (ike_sa_t *this);
269
270 /**
552cc11b 271 * Set the state of the IKE_SA.
3dd3c5f3 272 *
3dd3c5f3
MW		 273 * @param state state to set for the IKE_SA
274 */
275 void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);
8dfbe71b
MW		 276
277 /**
552cc11b 278 * Get the name of the connection this IKE_SA uses.
8dfbe71b 279 *
8dfbe71b
MW		 280 * @return name
281 */
282 char* (*get_name) (ike_sa_t *this);
283
ee614711 284 /**
552cc11b 285 * Get statistic values from the IKE_SA.
ee614711 286 *
ee614711
MW		 287 * @param kind kind of requested value
288 * @return value as integer
289 */
290 u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
291
8dfbe71b 292 /**
552cc11b 293 * Get the own host address.
8dfbe71b 294 *
8dfbe71b
MW		 295 * @return host address
296 */
297 host_t* (*get_my_host) (ike_sa_t *this);
298
fe04e93a 299 /**
552cc11b 300 * Set the own host address.
fe04e93a 301 *
fe04e93a
MW		 302 * @param me host address
303 */
304 void (*set_my_host) (ike_sa_t *this, host_t *me);
305
8dfbe71b 306 /**
552cc11b 307 * Get the other peers host address.
8dfbe71b 308 *
8dfbe71b
MW		 309 * @return host address
310 */
311 host_t* (*get_other_host) (ike_sa_t *this);
312
fe04e93a 313 /**
552cc11b 314 * Set the others host address.
fe04e93a 315 *
fe04e93a
MW		 316 * @param other host address
317 */
318 void (*set_other_host) (ike_sa_t *this, host_t *other);
319
2b3100b5 320 /**
552cc11b 321 * Update the IKE_SAs host.
2b3100b5
MW		 322 *
323 * Hosts may be NULL to use current host.
324 *
2b3100b5
MW		 325 * @param me new local host address, or NULL
326 * @param other new remote host address, or NULL
327 */
328 void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);
329
8dfbe71b 330 /**
552cc11b 331 * Get the own identification.
8dfbe71b 332 *
8dfbe71b
MW		 333 * @return identification
334 */
335 identification_t* (*get_my_id) (ike_sa_t *this);
336
337 /**
552cc11b 338 * Set the own identification.
8dfbe71b 339 *
8dfbe71b
MW		 340 * @param me identification
341 */
342 void (*set_my_id) (ike_sa_t *this, identification_t *me);
343
344 /**
552cc11b 345 * Get the other peer's identification.
8dfbe71b 346 *
8dfbe71b
MW		 347 * @return identification
348 */
349 identification_t* (*get_other_id) (ike_sa_t *this);
350
351 /**
552cc11b 352 * Set the other peer's identification.
8dfbe71b 353 *
8dfbe71b
MW		 354 * @param other identification
355 */
356 void (*set_other_id) (ike_sa_t *this, identification_t *other);
c60c7694 357
82290106
MW		 358 /**
359 * Get the peers EAP identity.
360 *
361 * The EAP identity is exchanged in a EAP-Identity exchange.
362 *
363 * @return identification, NULL if none set
364 */
365 identification_t* (*get_eap_identity) (ike_sa_t *this);
366
367 /**
368 * Set the peer's EAP identity.
369 *
370 * @param id identification
371 */
372 void (*set_eap_identity) (ike_sa_t *this, identification_t *id);
373
7d26a0ee 374 /**
552cc11b 375 * Get the config used to setup this IKE_SA.
7d26a0ee 376 *
e0fe7651 377 * @return ike_config
c60c7694 378 */
e0fe7651 379 ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
c60c7694
MW		 380
381 /**
552cc11b 382 * Set the config to setup this IKE_SA.
c60c7694 383 *
e0fe7651 384 * @param config ike_config to use
c60c7694 385 */
e0fe7651 386 void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
c60c7694
MW		 387
388 /**
552cc11b 389 * Get the peer config used by this IKE_SA.
c60c7694 390 *
e0fe7651 391 * @return peer_config
c60c7694 392 */
e0fe7651 393 peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
c60c7694
MW		 394
395 /**
552cc11b 396 * Set the peer config to use with this IKE_SA.
c60c7694 397 *
e0fe7651 398 * @param config peer_config to use
c60c7694 399 */
e0fe7651 400 void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
3b04350a
MW		 401
402 /**
a44bb934 403 * Get the authentication config with rules of the current auth round.
552cc11b 404 *
a44bb934
MW		 405 * @param local TRUE for local rules, FALSE for remote constraints
406 * @return current cfg
552cc11b 407 */
a44bb934 408 auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
552cc11b 409
5dffdea1
MW		 410 /**
411 * Get the selected proposal of this IKE_SA.
412 *
413 * @return selected proposal
414 */
415 proposal_t* (*get_proposal)(ike_sa_t *this);
416
417 /**
418 * Set the proposal selected for this IKE_SA.
419 *
420 * @param selected proposal
421 */
422 void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
423
b09ca747
MW		 424 /**
425 * Set the message id of the IKE_SA.
426 *
427 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
428 * and one to respond to exchanges (expect).
429 *
430 * @param initiate TRUE to set message ID for initiating
431 * @param mid message id to set
432 */
433 void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);
434
552cc11b
MW		 435 /**
436 * Add an additional address for the peer.
17d92e97
MW		 437 *
438 * In MOBIKE, a peer may transmit additional addresses where it is
439 * reachable. These are stored in the IKE_SA.
440 * The own list of addresses is not stored, they are queried from
441 * the kernel when required.
3b04350a 442 *
17d92e97 443 * @param host host to add to list
3b04350a 444 */
17d92e97
MW		 445 void (*add_additional_address)(ike_sa_t *this, host_t *host);
446
447 /**
552cc11b 448 * Create an iterator over all additional addresses of the peer.
17d92e97 449 *
17d92e97
MW		 450 * @return iterator over addresses
451 */
452 iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);
3b04350a 453
9d9a772e
MW		 454 /**
455 * Check if mappings have changed on a NAT for our source address.
456 *
457 * @param hash received DESTINATION_IP hash
458 * @return TRUE if mappings have changed
459 */
460 bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
461
3b04350a 462 /**
552cc11b 463 * Enable an extension the peer supports.
3b04350a
MW		 464 *
465 * If support for an IKE extension is detected, this method is called
466 * to enable that extension and behave accordingly.
467 *
3b04350a
MW		 468 * @param extension extension to enable
469 */
470 void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
471
17d92e97 472 /**
552cc11b 473 * Check if the peer supports an extension.
17d92e97 474 *
17d92e97
MW		 475 * @param extension extension to check for support
476 * @return TRUE if peer supports it, FALSE otherwise
477 */
478 bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
479
480 /**
552cc11b 481 * Enable/disable a condition flag for this IKE_SA.
17d92e97 482 *
17d92e97
MW		 483 * @param condition condition to enable/disable
484 * @param enable TRUE to enable condition, FALSE to disable
485 */
486 void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
487
488 /**
552cc11b 489 * Check if a condition flag is set.
17d92e97 490 *
17d92e97
MW		 491 * @param condition condition to check
492 * @return TRUE if condition flag set, FALSE otherwise
493 */
494 bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
495
3bc62fe7 496 /**
552cc11b 497 * Get the number of queued MOBIKE address updates.
3bc62fe7 498 *
3bc62fe7
MW		 499 * @return number of pending updates
500 */
501 u_int32_t (*get_pending_updates)(ike_sa_t *this);
502
503 /**
552cc11b 504 * Set the number of queued MOBIKE address updates.
3bc62fe7 505 *
3bc62fe7
MW		 506 * @param updates number of pending updates
507 */
508 void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);
4a035181 509
dc04b7c7 510#ifdef ME
22452f70
TB		 511 /**
512 * Activate mediation server functionality for this IKE_SA.
513 */
514 void (*act_as_mediation_server) (ike_sa_t *this);
515
d5cc1758 516 /**
552cc11b 517 * Get the server reflexive host.
d5cc1758 518 *
d5cc1758
TB		 519 * @return server reflexive host
520 */
521 host_t* (*get_server_reflexive_host) (ike_sa_t *this);
522
523 /**
552cc11b 524 * Set the server reflexive host.
d5cc1758 525 *
d5cc1758
TB		 526 * @param host server reflexive host
527 */
528 void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
529
9c2a905d
TB		 530 /**
531 * Get the connect ID.
532 *
533 * @return connect ID
534 */
535 chunk_t (*get_connect_id) (ike_sa_t *this);
536
d5cc1758 537 /**
552cc11b 538 * Initiate the mediation of a mediated connection (i.e. initiate a
dc04b7c7 539 * ME_CONNECT exchange).
d5cc1758 540 *
d5cc1758
TB		 541 * @param mediated_cfg peer_cfg of the mediated connection
542 * @return
552cc11b
MW		 543 * - SUCCESS if initialization started
544 * - DESTROY_ME if initialization failed
d5cc1758
TB		 545 */
546 status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
547
548 /**
552cc11b 549 * Initiate the mediated connection
d5cc1758 550 *
d5cc1758
TB		 551 * @param me local endpoint (gets cloned)
552 * @param other remote endpoint (gets cloned)
9c2a905d 553 * @param connect_id connect ID (gets cloned)
d5cc1758 554 * @return
552cc11b
MW		 555 * - SUCCESS if initialization started
556 * - DESTROY_ME if initialization failed
d5cc1758
TB		 557 */
558 status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
4a6474c2 559 chunk_t connect_id);
d5cc1758
TB		 560
561 /**
552cc11b 562 * Relay data from one peer to another (i.e. initiate a
dc04b7c7 563 * ME_CONNECT exchange).
d5cc1758
TB		 564 *
565 * Data is cloned.
566 *
d5cc1758 567 * @param requester ID of the requesting peer
dc04b7c7
TB		 568 * @param connect_id data of the ME_CONNECTID payload
569 * @param connect_key data of the ME_CONNECTKEY payload
d5cc1758
TB		 570 * @param endpoints endpoints
571 * @param response TRUE if this is a response
572 * @return
552cc11b
MW		 573 * - SUCCESS if relay started
574 * - DESTROY_ME if relay failed
d5cc1758 575 */
dc04b7c7
TB		 576 status_t (*relay) (ike_sa_t *this, identification_t *requester, chunk_t connect_id,
577 chunk_t connect_key, linked_list_t *endpoints, bool response);
d5cc1758
TB		 578
579 /**
552cc11b 580 * Send a callback to a peer.
d5cc1758
TB		 581 *
582 * Data is cloned.
583 *
d5cc1758
TB		 584 * @param peer_id ID of the other peer
585 * @return
552cc11b
MW		 586 * - SUCCESS if response started
587 * - DESTROY_ME if response failed
d5cc1758
TB		 588 */
589 status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
590
591 /**
dc04b7c7 592 * Respond to a ME_CONNECT request.
d5cc1758
TB		 593 *
594 * Data is cloned.
595 *
d5cc1758 596 * @param peer_id ID of the other peer
dc04b7c7 597 * @param connect_id the connect ID supplied by the initiator
d5cc1758 598 * @return
552cc11b
MW		 599 * - SUCCESS if response started
600 * - DESTROY_ME if response failed
d5cc1758 601 */
dc04b7c7
TB		 602 status_t (*respond) (ike_sa_t *this, identification_t *peer_id, chunk_t connect_id);
603#endif /* ME */
3bc62fe7 604
2c220249 605 /**
552cc11b 606 * Initiate a new connection.
3dd3c5f3 607 *
a13c013b
MW		 608 * The configs are owned by the IKE_SA after the call. If the initiate
609 * is triggered by a packet, traffic selectors of the packet can be added
610 * to the CHILD_SA.
2c220249 611 *
e0fe7651 612 * @param child_cfg child config to create CHILD from
c3626c2c 613 * @param reqid reqid to use for CHILD_SA, 0 assigne uniquely
a13c013b
MW		 614 * @param tsi source of triggering packet
615 * @param tsr destination of triggering packet.
8dfbe71b
MW		 616 * @return
617 * - SUCCESS if initialization started
e0fe7651 618 * - DESTROY_ME if initialization failed
8dfbe71b 619 */
c3626c2c 620 status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
a13c013b
MW		 621 u_int32_t reqid, traffic_selector_t *tsi,
622 traffic_selector_t *tsr);
5534ee84 623
1396815a 624 /**
552cc11b 625 * Initiates the deletion of an IKE_SA.
3dd3c5f3
MW		 626 *
627 * Sends a delete message to the remote peer and waits for
628 * its response. If the response comes in, or a timeout occurs,
629 * the IKE SA gets deleted.
1396815a 630 *
1396815a 631 * @return
3dd3c5f3 632 * - SUCCESS if deletion is initialized
58464dd7 633 * - DESTROY_ME, if the IKE_SA is not in
3dd3c5f3 634 * an established state and can not be
58464dd7 635 * deleted (but destroyed).
1396815a 636 */
3dd3c5f3
MW		 637 status_t (*delete) (ike_sa_t *this);
638
17d92e97 639 /**
552cc11b 640 * Update IKE_SAs after network interfaces have changed.
17d92e97
MW		 641 *
642 * Whenever the network interface configuration changes, the kernel
643 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
644 * the new network config requires changes, and handles appropriate.
645 * If MOBIKE is supported, addresses are updated; If not, the tunnel is
646 * restarted.
647 *
3bc62fe7
MW		 648 * @param address TRUE if address list changed, FALSE otherwise
649 * @return SUCCESS, FAILED, DESTROY_ME
17d92e97 650 */
3bc62fe7 651 status_t (*roam)(ike_sa_t *this, bool address);
17d92e97 652
13e4a62f 653 /**
552cc11b 654 * Processes a incoming IKEv2-Message.
13e4a62f 655 *
3dd3c5f3
MW		 656 * Message processing may fail. If a critical failure occurs,
657 * process_message() return DESTROY_ME. Then the caller must
658 * destroy the IKE_SA immediatly, as it is unusable.
e168ee17 659 *
552cc11b 660 * @param message message to process
3dd3c5f3
MW		 661 * @return
662 * - SUCCESS
663 * - FAILED
664 * - DESTROY_ME if this IKE_SA MUST be deleted
e168ee17 665 */
698d7749 666 status_t (*process_message) (ike_sa_t *this, message_t *message);
e314700c 667
bcb95ced 668 /**
552cc11b 669 * Generate a IKE message to send it to the peer.
c60c7694
MW		 670 *
671 * This method generates all payloads in the message and encrypts/signs
672 * the packet.
673 *
c60c7694
MW		 674 * @param message message to generate
675 * @param packet generated output packet
676 * @return
677 * - SUCCESS
678 * - FAILED
679 * - DESTROY_ME if this IKE_SA MUST be deleted
bcb95ced 680 */
c60c7694
MW		 681 status_t (*generate_message) (ike_sa_t *this, message_t *message,
682 packet_t **packet);
bcb95ced 683
1396815a 684 /**
552cc11b 685 * Retransmits a request.
397f3448 686 *
c60c7694
MW		 687 * @param message_id ID of the request to retransmit
688 * @return
689 * - SUCCESS
690 * - NOT_FOUND if request doesn't have to be retransmited
397f3448 691 */
c60c7694
MW		 692 status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);
693
1396815a 694 /**
552cc11b 695 * Sends a DPD request to the peer.
1396815a 696 *
3dd3c5f3
MW		 697 * To check if a peer is still alive, periodic
698 * empty INFORMATIONAL messages are sent if no
699 * other traffic was received.
700 *
3dd3c5f3
MW		 701 * @return
702 * - SUCCESS
703 * - DESTROY_ME, if peer did not respond
2f89902d 704 */
3dd3c5f3
MW		 705 status_t (*send_dpd) (ike_sa_t *this);
706
2f89902d 707 /**
552cc11b 708 * Sends a keep alive packet.
2f89902d 709 *
3dd3c5f3
MW		 710 * To refresh NAT tables in a NAT router
711 * between the peers, periodic empty
712 * UDP packets are sent if no other traffic
713 * was sent.
1396815a 714 */
3dd3c5f3 715 void (*send_keepalive) (ike_sa_t *this);
0fdc3c7f 716
bc997f65 717 /**
6a4ff35c 718 * Get the keying material of this IKE_SA.
bc997f65 719 *
6a4ff35c 720 * @return per IKE_SA keymat instance
695723d4 721 */
6a4ff35c 722 keymat_t* (*get_keymat)(ike_sa_t *this);
695723d4
MW		 723
724 /**
552cc11b 725 * Associates a child SA to this IKE SA
695723d4 726 *
698d7749 727 * @param child_sa child_sa to add
695723d4 728 */
698d7749
MW		 729 void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
730
971218c3 731 /**
552cc11b 732 * Get a CHILD_SA identified by protocol and SPI.
ae3012a0 733 *
698d7749
MW		 734 * @param protocol protocol of the SA
735 * @param spi SPI of the CHILD_SA
736 * @param inbound TRUE if SPI is inbound, FALSE if outbound
737 * @return child_sa, or NULL if none found
3dd3c5f3 738 */
698d7749
MW		 739 child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
740 u_int32_t spi, bool inbound);
1396815a 741
3183006d 742 /**
552cc11b 743 * Create an iterator over all CHILD_SAs.
3183006d 744 *
3183006d
MW		 745 * @return iterator
746 */
747 iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);
748
1396815a 749 /**
552cc11b 750 * Rekey the CHILD SA with the specified reqid.
1396815a 751 *
3dd3c5f3 752 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
1396815a 753 *
698d7749
MW		 754 * @param protocol protocol of the SA
755 * @param spi inbound SPI of the CHILD_SA
3dd3c5f3
MW		 756 * @return
757 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
758 * - SUCCESS, if rekeying initiated
1396815a 759 */
698d7749
MW		 760 status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
761
1396815a 762 /**
552cc11b 763 * Close the CHILD SA with the specified protocol/SPI.
698d7749
MW		 764 *
765 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
766 * notify's the remote peer about the delete. The associated
767 * states and policies in the kernel get deleted, if they exist.
768 *
698d7749
MW		 769 * @param protocol protocol of the SA
770 * @param spi inbound SPI of the CHILD_SA
771 * @return
772 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
773 * - SUCCESS, if delete message sent
1396815a 774 */
698d7749
MW		 775 status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
776
1396815a 777 /**
552cc11b 778 * Destroy a CHILD SA with the specified protocol/SPI.
698d7749
MW		 779 *
780 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
781 *
698d7749
MW		 782 * @param protocol protocol of the SA
783 * @param spi inbound SPI of the CHILD_SA
784 * @return
785 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
786 * - SUCCESS
1396815a 787 */
698d7749 788 status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
fe04e93a 789
fe04e93a 790 /**
552cc11b 791 * Rekey the IKE_SA.
fe04e93a
MW		 792 *
793 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
794 *
fe04e93a
MW		 795 * @return - SUCCESS, if IKE_SA rekeying initiated
796 */
797 status_t (*rekey) (ike_sa_t *this);
798
6fe03b0a 799 /**
96926b00 800 * Reauthenticate the IKE_SA.
6fe03b0a
MW		 801 *
802 * Create a completely new IKE_SA with authentication, recreates all children
26424f03 803 * within the IKE_SA, closes this IKE_SA.
6fe03b0a 804 *
26424f03 805 * @return DESTROY_ME to destroy the IKE_SA
6fe03b0a 806 */
96926b00
MW		 807 status_t (*reauth) (ike_sa_t *this);
808
809 /**
810 * Restablish the IKE_SA.
811 *
812 * Reestablish an IKE_SA after it has been closed.
813 *
814 * @return DESTROY_ME to destroy the IKE_SA
815 */
26424f03 816 status_t (*reestablish) (ike_sa_t *this);
c60c7694 817
ee614711 818 /**
552cc11b 819 * Set the lifetime limit received from a AUTH_LIFETIME notify.
ee614711 820 *
ee614711
MW		 821 * @param lifetime lifetime in seconds
822 */
823 void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);
824
3183006d 825 /**
552cc11b 826 * Set the virtual IP to use for this IKE_SA and its children.
c60c7694
MW		 827 *
828 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
829 * lifetime as the IKE_SA.
3183006d 830 *
552cc11b
MW		 831 * @param local TRUE to set local address, FALSE for remote
832 * @param ip IP to set as virtual IP
3183006d 833 */
c60c7694
MW		 834 void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
835
3183006d 836 /**
552cc11b 837 * Get the virtual IP configured.
3183006d 838 *
c60c7694 839 * @param local TRUE to get local virtual IP, FALSE for remote
552cc11b 840 * @return host_t *virtual IP
3183006d 841 */
c60c7694
MW		 842 host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
843
844 /**
7f56b494 845 * Register a configuration attribute to the IKE_SA.
c60c7694 846 *
7f56b494
MW		 847 * If an IRAS sends a configuration attribute it is installed and
848 * registered at the IKE_SA. Attributes are inherit()ed and get released
849 * when the IKE_SA is closed.
c60c7694 850 *
7f56b494
MW		 851 * @param handler handler installed the attribute, use for release()
852 * @param type configuration attribute type
853 * @param data associated attribute data
c60c7694 854 */
7f56b494
MW		 855 void (*add_configuration_attribute)(ike_sa_t *this,
856 configuration_attribute_type_t type, chunk_t data);
c60c7694 857
d487b4b7
AS		 858 /**
859 * Set local and remote host addresses to be used for IKE.
860 *
861 * These addresses are communicated via the KMADDRESS field of a MIGRATE
862 * message sent via the NETLINK or PF _KEY kernel socket interface.
863 *
864 * @param local local kmaddress
865 * @param remote remote kmaddress
866 */
867 void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
7f56b494 868
fe04e93a 869 /**
552cc11b 870 * Inherit all attributes of other to this after rekeying.
fe04e93a 871 *
c60c7694
MW		 872 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
873 * outstanding tasks are moved from other to this.
e23a59f6 874 * As this call may initiate inherited tasks, a status is returned.
c60c7694 875 *
e23a59f6
MW		 876 * @param other other task to inherit from
877 * @return DESTROY_ME if initiation of inherited task failed
c60c7694 878 */
e23a59f6 879 status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);
c60c7694
MW		 880
881 /**
552cc11b 882 * Reset the IKE_SA, useable when initiating fails
fe04e93a 883 */
c60c7694 884 void (*reset) (ike_sa_t *this);
3dd3c5f3 885
1396815a 886 /**
552cc11b 887 * Destroys a ike_sa_t object.
1396815a 888 */
3dd3c5f3 889 void (*destroy) (ike_sa_t *this);
8323a9c1
JH		 890};
891
7ba38761 892/**
552cc11b 893 * Creates an ike_sa_t object with a specific ID.
c3dc6f1a 894 *
698d7749
MW		 895 * @param ike_sa_id ike_sa_id_t object to associate with new IKE_SA
896 * @return ike_sa_t object
7ba38761 897 */
3dd3c5f3 898ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);
7ba38761 899
1490ff4d 900#endif /** IKE_SA_H_ @}*/
Unnamed repository; edit this file 'description' to name the repository.