/*
 * Copyright (C) 2007-2017 Tobias Brunner
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup peer_cfg peer_cfg
 * @{ @ingroup config
 */
#ifndef PEER_CFG_H_
#define PEER_CFG_H_

/* Forward declarations: the two enums and the two structs are defined further
 * below in this header, after the includes. */
typedef enum cert_policy_t cert_policy_t;
typedef enum unique_policy_t unique_policy_t;
typedef struct peer_cfg_t peer_cfg_t;
typedef struct peer_cfg_create_t peer_cfg_create_t;
31#include <library.h>
32#include <utils/identification.h>
12642a68 33#include <collections/enumerator.h>
1125a0be 34#include <selectors/traffic_selector.h>
2307bffe 35#include <crypto/proposal/proposal.h>
36#include <config/ike_cfg.h>
37#include <config/child_cfg.h>
2ccc02a4 38#include <credentials/auth_cfg.h>
/**
 * Certificate sending policy. This is also used for certificate
 * requests when using this definition for the other peer: if it is
 * CERT_NEVER_SEND, a certreq is omitted, otherwise it is included.
 *
 * @warning These definitions must be the same as in pluto/starter,
 * as they are sent over the stroke socket. The explicit numeric values
 * below are therefore part of that socket protocol and must not be
 * renumbered or reordered.
 */
enum cert_policy_t {
	/** always send certificates, even when not requested */
	CERT_ALWAYS_SEND = 0,
	/** send certificate upon cert request */
	CERT_SEND_IF_ASKED = 1,
	/** never send a certificate, even when requested */
	CERT_NEVER_SEND = 2,
};
/**
 * Enum names for cert_policy_t, for printing/logging a policy by name.
 */
extern enum_name_t *cert_policy_names;
/**
 * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
 *
 * The value selects whether a second IKE_SA established by the same client
 * is detected at all and, if so, which of the two IKE_SAs survives. Note
 * that UNIQUE_NEVER turns the check off entirely, so duplicate IKE_SAs from
 * one client are never detected under that policy.
 */
enum unique_policy_t {
	/** never check for client uniqueness */
	UNIQUE_NEVER,
	/** only check for client uniqueness when receiving an INITIAL_CONTACT */
	UNIQUE_NO,
	/** replace existing IKE_SAs when new ones get established by a client */
	UNIQUE_REPLACE,
	/** keep existing IKE_SAs, close the new ones on connection attempt */
	UNIQUE_KEEP,
};
/**
 * Enum names for unique_policy_t, for printing/logging a policy by name.
 */
extern enum_name_t *unique_policy_names;
/**
 * Configuration of a peer, specified by IDs.
 *
 * The peer config defines a connection between two given IDs. It contains
 * exactly one ike_cfg_t, which is used for initiation. Additionally, it
 * contains multiple child_cfg_t defining which CHILD_SAs are allowed for this
 * peer.
 * @verbatim
                             +-------------------+           +---------------+
       +---------------+     |     peer_cfg      |           +---------------+ |
       |    ike_cfg    |     +-------------------+           |   child_cfg   | |
       +---------------+     | - ids             |           +---------------+ |
       | - hosts       | 1 1 | - cas             | 1       n | - proposals   | |
       | - proposals   |<----| - auth info       |---------->| - traffic sel | |
       | - ...         |     | - dpd config      |           | - ...         |-+
       +---------------+     | - ...             |           +---------------+
                             +-------------------+
                                     |  1                       0  |
                                     |                             |
                                     v  n                       n  V
                             +-------------------+           +-------------------+
                             +-------------------+ |         +-------------------+ |
                             |     auth_cfg      | |         |     auth_cfg      | |
                             +-------------------+ |         +-------------------+ |
                             | - local rules     |-+         | - remote constr.  |-+
                             +-------------------+           +-------------------+
   @endverbatim
 *
 * Each peer_cfg has two lists of authentication config attached. Local
 * authentication configs define how to authenticate ourselves against the
 * remote peer. Each config is enforced using the multiple authentication
 * extension (RFC4739).
 * The remote authentication configs are handled as constraints. The peer has
 * to fulfill each of these rules (using multiple authentication, in any order)
 * to gain access to the configuration.
 *
 * Objects are reference counted: get_ref() takes a reference, destroy()
 * releases one and frees the object when the count reaches zero.
 */
struct peer_cfg_t {

	/**
	 * Get the name of the peer_cfg.
	 *
	 * The returned string is not cloned; it stays owned by the peer_cfg.
	 *
	 * @return			peer_cfg's name
	 */
	char* (*get_name) (peer_cfg_t *this);

	/**
	 * Get the IKE version to use for initiating.
	 *
	 * @return			IKE major version
	 */
	ike_version_t (*get_ike_version)(peer_cfg_t *this);

	/**
	 * Get the IKE config to use for initiation.
	 *
	 * @return			the IKE config to use
	 */
	ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);

	/**
	 * Attach a CHILD config.
	 *
	 * @param child_cfg		CHILD config to add
	 */
	void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);

	/**
	 * Detach a CHILD config, pointed to by an enumerator.
	 *
	 * @param enumerator	enumerator indicating element position
	 */
	void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);

	/**
	 * Replace the CHILD configs with those in the given PEER config.
	 *
	 * Configs that are equal are not replaced.
	 *
	 * The enumerator enumerates the removed and added CHILD configs
	 * (child_cfg_t*, bool), where the flag is FALSE for removed configs and
	 * TRUE for added configs.
	 *
	 * @param other			other config to get CHILD configs from
	 * @return				an enumerator over removed/added CHILD configs
	 */
	enumerator_t* (*replace_child_cfgs)(peer_cfg_t *this, peer_cfg_t *other);

	/**
	 * Create an enumerator for all attached CHILD configs.
	 *
	 * @return			an enumerator over all CHILD configs.
	 */
	enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);

	/**
	 * Select a CHILD config from traffic selectors.
	 *
	 * @param my_ts			TS for local side
	 * @param other_ts		TS for remote side
	 * @param my_hosts		hosts to narrow down dynamic TS for local side
	 * @param other_hosts	hosts to narrow down dynamic TS for remote side
	 * @return				selected CHILD config, or NULL if no match found
	 */
	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this,
							linked_list_t *my_ts, linked_list_t *other_ts,
							linked_list_t *my_hosts, linked_list_t *other_hosts);

	/**
	 * Add an authentication config to the peer configuration.
	 *
	 * Local rules describe how we authenticate; remote constraints are the
	 * rules the peer must fulfill to be granted this configuration.
	 *
	 * @param cfg			config to add
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 */
	void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);

	/**
	 * Create an enumerator over registered authentication configs.
	 *
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 * @return				enumerator over auth_cfg_t*
	 */
	enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);

	/**
	 * Should a certificate be sent for this connection?
	 *
	 * @return			certificate sending policy, see cert_policy_t
	 */
	cert_policy_t (*get_cert_policy) (peer_cfg_t *this);

	/**
	 * How to handle uniqueness of IKE_SAs?
	 *
	 * @return			unique policy, see unique_policy_t
	 */
	unique_policy_t (*get_unique_policy) (peer_cfg_t *this);

	/**
	 * Get the max number of retries after timeout.
	 *
	 * @return			max number retries
	 */
	uint32_t (*get_keyingtries) (peer_cfg_t *this);

	/**
	 * Get a time to start rekeying.
	 *
	 * @param jitter	subtract a jitter value to randomize time (drawn from
	 *					the configured jitter_time range)
	 * @return			time in s when to start rekeying, 0 disables rekeying
	 */
	uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);

	/**
	 * Get a time to start reauthentication.
	 *
	 * @param jitter	subtract a jitter value to randomize time (drawn from
	 *					the configured jitter_time range)
	 * @return			time in s when to start reauthentication, 0 disables it
	 */
	uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);

	/**
	 * Get the timeout of a rekeying/reauthenticating SA.
	 *
	 * The old SA is closed once this overtime has elapsed after the
	 * rekey/reauth time.
	 *
	 * @return			timeout in s
	 */
	uint32_t (*get_over_time)(peer_cfg_t *this);

	/**
	 * Use MOBIKE (RFC4555) if peer supports it?
	 *
	 * @return			TRUE to enable MOBIKE support
	 */
	bool (*use_mobike) (peer_cfg_t *this);

	/**
	 * Use/Accept aggressive mode with IKEv1?
	 *
	 * NOTE(review): IKEv1 aggressive mode offers weaker protection of the
	 * identities and PSK authentication exchange than main mode; keep it
	 * disabled unless the peer requires it.
	 *
	 * @return			TRUE to use aggressive mode
	 */
	bool (*use_aggressive)(peer_cfg_t *this);

	/**
	 * Use pull or push mode for mode config?
	 *
	 * @return			TRUE to use pull, FALSE to use push mode
	 */
	bool (*use_pull_mode)(peer_cfg_t *this);

	/**
	 * Get the DPD check interval.
	 *
	 * @return			dpd_delay in seconds, 0 if DPD is disabled
	 */
	uint32_t (*get_dpd) (peer_cfg_t *this);

	/**
	 * Get the DPD timeout interval (IKEv1 only)
	 *
	 * @return			dpd_timeout in seconds, 0 if the default applies
	 */
	uint32_t (*get_dpd_timeout) (peer_cfg_t *this);

	/**
	 * Add a virtual IP to request as initiator.
	 *
	 * @param vip			virtual IP to request, may be %any or %any6
	 */
	void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);

	/**
	 * Create an enumerator over virtual IPs to request.
	 *
	 * The returned enumerator enumerates over IPs added with add_virtual_ip().
	 *
	 * @return			enumerator over host_t*
	 */
	enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);

	/**
	 * Add a pool name this configuration uses to select virtual IPs.
	 *
	 * @param name			pool name to use for virtual IP lookup
	 */
	void (*add_pool)(peer_cfg_t *this, char *name);

	/**
	 * Create an enumerator over pool names of this config.
	 *
	 * The names are enumerated in the order they were added with add_pool().
	 *
	 * @return			enumerator over char*
	 */
	enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);

#ifdef ME
	/**
	 * Is this a mediation connection?
	 *
	 * @return			TRUE, if this is a mediation connection
	 */
	bool (*is_mediation)(peer_cfg_t *this);

	/**
	 * Get name of the connection this one is mediated through.
	 *
	 * @return			the name of the mediation connection
	 */
	char* (*get_mediated_by)(peer_cfg_t *this);

	/**
	 * Get the id of the other peer at the mediation server.
	 *
	 * This is the leftid of the peer's connection with the mediation server.
	 *
	 * If it is not configured, it is assumed to be the same as the right id
	 * of this connection.
	 *
	 * @return			the id of the other peer
	 */
	identification_t* (*get_peer_id)(peer_cfg_t *this);
#endif /* ME */

	/**
	 * Check if two peer configurations are equal.
	 *
	 * This method does not compare associated ike/child_cfg.
	 *
	 * NOTE(review): the @return wording below mentions ike_cfg while the
	 * sentence above says ike/child_cfg are not compared; confirm against
	 * the implementation which one is accurate.
	 *
	 * @param other			candidate to check for equality against this
	 * @return				TRUE if peer_cfg and ike_cfg are equal
	 */
	bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);

	/**
	 * Increase reference count.
	 *
	 * @return			reference to this
	 */
	peer_cfg_t* (*get_ref) (peer_cfg_t *this);

	/**
	 * Destroys the peer_cfg object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the peer_cfg when it reaches zero.
	 */
	void (*destroy) (peer_cfg_t *this);
};
/**
 * Data passed to the constructor of a peer_cfg_t object.
 *
 * Ownership of the pointer fields is noted per field: "cloned" means the
 * constructor takes a copy and the caller keeps its own, "adopted" means the
 * object becomes owned by the created peer_cfg_t.
 */
struct peer_cfg_create_t {
	/** Whether to send a certificate payload, see cert_policy_t */
	cert_policy_t cert_policy;
	/** Uniqueness of an IKE_SA, see unique_policy_t */
	unique_policy_t unique;
	/** How many keying tries should be done before giving up */
	uint32_t keyingtries;
	/** Timeout in seconds before starting rekeying */
	uint32_t rekey_time;
	/** Timeout in seconds before starting reauthentication */
	uint32_t reauth_time;
	/** Time range in seconds to randomly subtract from rekey/reauth time
	 *  (applied when get_rekey_time()/get_reauth_time() are called with
	 *  jitter set to TRUE) */
	uint32_t jitter_time;
	/** Maximum overtime in seconds before closing a rekeying/reauth SA */
	uint32_t over_time;
	/** Disable MOBIKE (RFC4555); this is the inverse of use_mobike() */
	bool no_mobike;
	/** Use/accept aggressive mode with IKEv1 (see use_aggressive()) */
	bool aggressive;
	/** TRUE to use modeconfig push, FALSE for pull; this is the inverse of
	 *  use_pull_mode() */
	bool push_mode;
	/** DPD check interval, 0 to disable */
	uint32_t dpd;
	/** DPD timeout interval (IKEv1 only), if 0 default applies */
	uint32_t dpd_timeout;
#ifdef ME
	/** TRUE if this is a mediation connection */
	bool mediation;
	/** Name of the connection to mediate through (cloned); this is the
	 *  string returned by get_mediated_by() */
	char *mediated_by;
	/** ID that identifies our peer at the mediation server (adopted) */
	identification_t *peer_id;
#endif /* ME */
};
/**
 * Create a configuration object for IKE_AUTH and later.
 *
 * Which pointer fields of data are cloned and which are adopted is noted on
 * peer_cfg_create_t. The returned object is released with its destroy()
 * method.
 *
 * @param name			name of the peer_cfg (cloned)
 * @param ike_cfg		IKE config to use when acting as initiator (adopted)
 * @param data			data for this peer_cfg
 * @return				peer_cfg_t object
 */
peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
							peer_cfg_create_t *data);
1490ff4d 419#endif /** PEER_CFG_H_ @}*/