1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup ike_sa ike_sa
21 * @{ @ingroup sa
22 */
23
24 #ifndef IKE_SA_H_
25 #define IKE_SA_H_
26
/* Forward typedefs: declared ahead of the includes below, which may in turn
 * refer to these names (the ike_sa_t/child_sa headers reference each other). */
typedef enum ike_extension_t ike_extension_t;
typedef enum ike_condition_t ike_condition_t;
typedef enum ike_sa_state_t ike_sa_state_t;
typedef enum statistic_t statistic_t;
typedef struct ike_sa_t ike_sa_t;
32
33 #include <library.h>
34 #include <encoding/message.h>
35 #include <encoding/payloads/proposal_substructure.h>
36 #include <encoding/payloads/configuration_attribute.h>
37 #include <sa/ike_sa_id.h>
38 #include <sa/child_sa.h>
39 #include <sa/tasks/task.h>
40 #include <sa/keymat.h>
41 #include <config/peer_cfg.h>
42 #include <config/ike_cfg.h>
43 #include <config/auth_cfg.h>
44
/**
 * Timeout in seconds after which a half open IKE_SA gets deleted.
 *
 * Bounds the time a peer can keep an unauthenticated SA around without
 * completing the exchange.
 */
#define HALF_OPEN_IKE_SA_TIMEOUT 30

/**
 * Interval to send keepalives when NATed, in seconds.
 */
#define KEEPALIVE_INTERVAL 20

/**
 * After which time rekeying should be retried if it failed, in seconds.
 */
#define RETRY_INTERVAL 30

/**
 * Jitter to subtract from RETRY_INTERVAL to randomize the rekey retry
 * (the effective retry delay lies in [RETRY_INTERVAL - RETRY_JITTER,
 * RETRY_INTERVAL] — presumably, confirm in the scheduler code).
 */
#define RETRY_JITTER 20
64
/**
 * Extensions (or optional features) the peer supports.
 *
 * Values are bit flags, so several extensions can be combined in one mask.
 */
enum ike_extension_t {

	/**
	 * peer supports NAT traversal as specified in RFC4306
	 */
	EXT_NATT = (1<<0),

	/**
	 * peer supports MOBIKE (RFC4555)
	 */
	EXT_MOBIKE = (1<<1),

	/**
	 * peer supports HTTP cert lookups ("Hash and URL") as specified in RFC4306
	 */
	EXT_HASH_AND_URL = (1<<2),

	/**
	 * peer supports multiple authentication exchanges, RFC4739
	 */
	EXT_MULTIPLE_AUTH = (1<<3),
};
90
/**
 * Conditions of an IKE_SA, change during its lifetime.
 *
 * Values are bit flags; see ike_sa_t.set_condition()/has_condition().
 */
enum ike_condition_t {

	/**
	 * Connection is natted (or faked) somewhere
	 */
	COND_NAT_ANY = (1<<0),

	/**
	 * we are behind NAT
	 */
	COND_NAT_HERE = (1<<1),

	/**
	 * other is behind NAT
	 */
	COND_NAT_THERE = (1<<2),

	/**
	 * Faking NAT to enforce UDP encapsulation
	 */
	COND_NAT_FAKE = (1<<3),

	/**
	 * peer has been authenticated using EAP at least once
	 */
	COND_EAP_AUTHENTICATED = (1<<4),

	/**
	 * received a certificate request from the peer
	 */
	COND_CERTREQ_SEEN = (1<<5),

	/**
	 * Local peer is the "original" IKE initiator. Unaffected by rekeying.
	 */
	COND_ORIGINAL_INITIATOR = (1<<6),

	/**
	 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
	 */
	COND_STALE = (1<<7),
};
136
/**
 * Timing information and statistics to query from an SA.
 *
 * Used as the kind argument of ike_sa_t.get_statistic().
 */
enum statistic_t {
	/** Timestamp of SA establishment */
	STAT_ESTABLISHED = 0,
	/** Timestamp of scheduled rekeying */
	STAT_REKEY,
	/** Timestamp of scheduled reauthentication */
	STAT_REAUTH,
	/** Timestamp of scheduled delete */
	STAT_DELETE,
	/** Timestamp of last inbound IKE packet */
	STAT_INBOUND,
	/** Timestamp of last outbound IKE packet */
	STAT_OUTBOUND,

	/** Number of statistic kinds; sentinel, not a valid kind itself */
	STAT_MAX
};
156
/**
 * State of an IKE_SA.
 *
 * An IKE_SA passes various states in its lifetime. A newly created
 * SA is in the state CREATED. (IKE_PASSIVE is not part of the diagram:
 * such an SA is managed externally and does not process messages.)
 * @verbatim
                 +----------------+
                 ¦   SA_CREATED   ¦
                 +----------------+
                         ¦
    on initiate()--->    ¦   <----- on IKE_SA_INIT received
                         V
                 +----------------+
                 ¦  SA_CONNECTING ¦
                 +----------------+
                         ¦
                         ¦   <----- on IKE_AUTH successfully completed
                         V
                 +----------------+
                 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
                 +----------------+                         ¦
                         ¦                                  V
    on delete()--->      ¦  <----- on IKE_SA        +-------------+
                         ¦       delete request     ¦ SA_REKEYING ¦
                         ¦       received           +-------------+
                         V                                  ¦
                 +----------------+                         ¦
                 ¦   SA_DELETING  ¦<------------------------+ <-- after rekeying
                 +----------------+
                         ¦
                         ¦   <----- after delete() acknowledged
                         ¦
                        \V/
                         X
                        / \
   @endverbatim
 */
enum ike_sa_state_t {

	/**
	 * IKE_SA just got created, but is not initiating nor responding yet.
	 */
	IKE_CREATED,

	/**
	 * IKE_SA gets initiated actively or passively
	 */
	IKE_CONNECTING,

	/**
	 * IKE_SA is fully established
	 */
	IKE_ESTABLISHED,

	/**
	 * IKE_SA is managed externally and does not process messages
	 */
	IKE_PASSIVE,

	/**
	 * IKE_SA rekeying in progress
	 */
	IKE_REKEYING,

	/**
	 * IKE_SA is in progress of deletion
	 */
	IKE_DELETING,

	/**
	 * IKE_SA object gets destroyed
	 */
	IKE_DESTROYING,
};
231
/**
 * enum names for ike_sa_state_t (enum_name_t table for printing states).
 */
extern enum_name_t *ike_sa_state_names;
236
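/**
 * Class ike_sa_t representing an IKE_SA.
 *
 * An IKE_SA contains crypto information related to a connection
 * with a peer. It contains multiple IPsec CHILD_SAs, for which
 * it is responsible. All traffic is handled by an IKE_SA, using
 * the task manager and its tasks.
 *
 * Methods returning status_t use DESTROY_ME to signal that the IKE_SA is
 * no longer usable; the caller must then destroy it rather than continue
 * to use it.
 */
struct ike_sa_t {

	/**
	 * Get the id of the SA.
	 *
	 * Returned ike_sa_id_t object is not getting cloned!
	 *
	 * @return				ike_sa's ike_sa_id_t
	 */
	ike_sa_id_t* (*get_id) (ike_sa_t *this);

	/**
	 * Get the numerical ID uniquely defining this IKE_SA.
	 *
	 * @return				unique ID
	 */
	u_int32_t (*get_unique_id) (ike_sa_t *this);

	/**
	 * Get the state of the IKE_SA.
	 *
	 * @return				state of the IKE_SA
	 */
	ike_sa_state_t (*get_state) (ike_sa_t *this);

	/**
	 * Set the state of the IKE_SA.
	 *
	 * @param state			state to set for the IKE_SA
	 */
	/* parameter renamed from "ike_sa" to match the documented name */
	void (*set_state) (ike_sa_t *this, ike_sa_state_t state);

	/**
	 * Get the name of the connection this IKE_SA uses.
	 *
	 * @return				name
	 */
	char* (*get_name) (ike_sa_t *this);

	/**
	 * Get statistic values from the IKE_SA.
	 *
	 * @param kind			kind of requested value, see statistic_t
	 * @return				value as integer
	 */
	u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);

	/**
	 * Get the own host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_my_host) (ike_sa_t *this);

	/**
	 * Set the own host address.
	 *
	 * @param me			host address
	 */
	void (*set_my_host) (ike_sa_t *this, host_t *me);

	/**
	 * Get the other peer's host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_other_host) (ike_sa_t *this);

	/**
	 * Set the other peer's host address.
	 *
	 * @param other			host address
	 */
	void (*set_other_host) (ike_sa_t *this, host_t *other);

	/**
	 * Update the IKE_SA's hosts.
	 *
	 * Hosts may be NULL to keep the current host.
	 *
	 * @param me			new local host address, or NULL
	 * @param other			new remote host address, or NULL
	 */
	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);

	/**
	 * Get the own identification.
	 *
	 * @return				identification
	 */
	identification_t* (*get_my_id) (ike_sa_t *this);

	/**
	 * Set the own identification.
	 *
	 * @param me			identification
	 */
	void (*set_my_id) (ike_sa_t *this, identification_t *me);

	/**
	 * Get the other peer's identification.
	 *
	 * @return				identification
	 */
	identification_t* (*get_other_id) (ike_sa_t *this);

	/**
	 * Set the other peer's identification.
	 *
	 * @param other			identification
	 */
	void (*set_other_id) (ike_sa_t *this, identification_t *other);

	/**
	 * Get the config used to set up this IKE_SA.
	 *
	 * @return				ike_config
	 */
	ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);

	/**
	 * Set the config to set up this IKE_SA.
	 *
	 * @param config		ike_config to use
	 */
	void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);

	/**
	 * Get the peer config used by this IKE_SA.
	 *
	 * @return				peer_config
	 */
	peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);

	/**
	 * Set the peer config to use with this IKE_SA.
	 *
	 * @param config		peer_config to use
	 */
	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);

	/**
	 * Get the authentication config with rules of the current auth round.
	 *
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 * @return				current cfg
	 */
	auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);

	/**
	 * Insert a completed authentication round.
	 *
	 * Completed rounds stay on the IKE_SA so that what the peer actually
	 * authenticated with can be enumerated later (see
	 * create_auth_cfg_enumerator()).
	 *
	 * @param local			TRUE for own rules, FALSE for others constraints
	 * @param cfg			auth config to append
	 */
	void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);

	/**
	 * Create an enumerator over added authentication rounds.
	 *
	 * @param local			TRUE for own rules, FALSE for others constraints
	 * @return				enumerator over auth_cfg_t
	 */
	enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);

	/**
	 * Get the selected proposal of this IKE_SA.
	 *
	 * @return				selected proposal
	 */
	proposal_t* (*get_proposal)(ike_sa_t *this);

	/**
	 * Set the proposal selected for this IKE_SA.
	 *
	 * @param proposal		selected proposal
	 */
	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);

	/**
	 * Set the message id of the IKE_SA.
	 *
	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
	 * and one to respond to exchanges (expect).
	 * NOTE(review): message IDs are part of IKEv2's retransmission/replay
	 * handling; presumably only meant for restoring SA state — confirm
	 * with the callers.
	 *
	 * @param initiate		TRUE to set message ID for initiating
	 * @param mid			message id to set
	 */
	void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);

	/**
	 * Add an additional address for the peer.
	 *
	 * In MOBIKE, a peer may transmit additional addresses where it is
	 * reachable. These are stored in the IKE_SA.
	 * The own list of addresses is not stored, they are queried from
	 * the kernel when required.
	 * NOTE(review): these addresses are peer-supplied input; the
	 * implementation is expected to verify reachability before switching
	 * to one of them — confirm in the implementation.
	 *
	 * @param host			host to add to list
	 */
	void (*add_additional_address)(ike_sa_t *this, host_t *host);

	/**
	 * Create an iterator over all additional addresses of the peer.
	 *
	 * @return				iterator over addresses
	 */
	iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);

	/**
	 * Check if mappings have changed on a NAT for our source address.
	 *
	 * @param hash			received DESTINATION_IP hash
	 * @return				TRUE if mappings have changed
	 */
	bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);

	/**
	 * Enable an extension the peer supports.
	 *
	 * If support for an IKE extension is detected, this method is called
	 * to enable that extension and behave accordingly.
	 *
	 * @param extension		extension to enable
	 */
	void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Check if the peer supports an extension.
	 *
	 * @param extension		extension to check for support
	 * @return				TRUE if peer supports it, FALSE otherwise
	 */
	bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Enable/disable a condition flag for this IKE_SA.
	 *
	 * @param condition		condition to enable/disable
	 * @param enable		TRUE to enable condition, FALSE to disable
	 */
	void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);

	/**
	 * Check if a condition flag is set.
	 *
	 * @param condition		condition to check
	 * @return				TRUE if condition flag set, FALSE otherwise
	 */
	bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);

	/**
	 * Get the number of queued MOBIKE address updates.
	 *
	 * @return				number of pending updates
	 */
	u_int32_t (*get_pending_updates)(ike_sa_t *this);

	/**
	 * Set the number of queued MOBIKE address updates.
	 *
	 * @param updates		number of pending updates
	 */
	void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);

#ifdef ME
	/**
	 * Activate mediation server functionality for this IKE_SA.
	 */
	void (*act_as_mediation_server) (ike_sa_t *this);

	/**
	 * Get the server reflexive host.
	 *
	 * @return				server reflexive host
	 */
	host_t* (*get_server_reflexive_host) (ike_sa_t *this);

	/**
	 * Set the server reflexive host.
	 *
	 * @param host			server reflexive host
	 */
	void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);

	/**
	 * Get the connect ID.
	 *
	 * @return				connect ID
	 */
	chunk_t (*get_connect_id) (ike_sa_t *this);

	/**
	 * Initiate the mediation of a mediated connection (i.e. initiate a
	 * ME_CONNECT exchange to a mediation server).
	 *
	 * @param mediated_cfg	peer_cfg of the mediated connection
	 * @return
	 * 						- SUCCESS if initialization started
	 * 						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);

	/**
	 * Initiate the mediated connection
	 *
	 * @param me			local endpoint (gets cloned)
	 * @param other			remote endpoint (gets cloned)
	 * @param connect_id	connect ID (gets cloned)
	 * @return
	 * 						- SUCCESS if initialization started
	 * 						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
								   chunk_t connect_id);

	/**
	 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
	 * to a peer).
	 *
	 * Data is cloned.
	 *
	 * @param requester		ID of the requesting peer
	 * @param connect_id	data of the ME_CONNECTID payload
	 * @param connect_key	data of the ME_CONNECTKEY payload
	 * @param endpoints		endpoints
	 * @param response		TRUE if this is a response
	 * @return
	 * 						- SUCCESS if relay started
	 * 						- DESTROY_ME if relay failed
	 */
	status_t (*relay) (ike_sa_t *this, identification_t *requester,
					   chunk_t connect_id, chunk_t connect_key,
					   linked_list_t *endpoints, bool response);

	/**
	 * Send a callback to a peer.
	 *
	 * Data is cloned.
	 *
	 * @param peer_id		ID of the other peer
	 * @return
	 * 						- SUCCESS if response started
	 * 						- DESTROY_ME if response failed
	 */
	status_t (*callback) (ike_sa_t *this, identification_t *peer_id);

	/**
	 * Respond to a ME_CONNECT request.
	 *
	 * Data is cloned.
	 *
	 * @param peer_id		ID of the other peer
	 * @param connect_id	the connect ID supplied by the initiator
	 * @return
	 * 						- SUCCESS if response started
	 * 						- DESTROY_ME if response failed
	 */
	status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
						 chunk_t connect_id);
#endif /* ME */

	/**
	 * Initiate a new connection.
	 *
	 * The configs are owned by the IKE_SA after the call. If the initiate
	 * is triggered by a packet, traffic selectors of the packet can be added
	 * to the CHILD_SA.
	 *
	 * @param child_cfg		child config to create CHILD from
	 * @param reqid			reqid to use for CHILD_SA, 0 to assign one uniquely
	 * @param tsi			source of triggering packet
	 * @param tsr			destination of triggering packet.
	 * @return
	 * 						- SUCCESS if initialization started
	 * 						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
						  u_int32_t reqid, traffic_selector_t *tsi,
						  traffic_selector_t *tsr);

	/**
	 * Initiates the deletion of an IKE_SA.
	 *
	 * Sends a delete message to the remote peer and waits for
	 * its response. If the response comes in, or a timeout occurs,
	 * the IKE SA gets deleted.
	 *
	 * @return
	 * 						- SUCCESS if deletion is initialized
	 * 						- DESTROY_ME, if the IKE_SA is not in
	 * 						  an established state and can not be
	 * 						  deleted (but destroyed).
	 */
	status_t (*delete) (ike_sa_t *this);

	/**
	 * Update IKE_SAs after network interfaces have changed.
	 *
	 * Whenever the network interface configuration changes, the kernel
	 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
	 * the new network config requires changes, and handles them appropriately.
	 * If MOBIKE is supported, addresses are updated; if not, the tunnel is
	 * restarted.
	 *
	 * @param address		TRUE if address list changed, FALSE otherwise
	 * @return				SUCCESS, FAILED, DESTROY_ME
	 */
	status_t (*roam)(ike_sa_t *this, bool address);

	/**
	 * Processes an incoming IKEv2 message.
	 *
	 * Message processing may fail. If a critical failure occurs,
	 * process_message() returns DESTROY_ME. Then the caller must
	 * destroy the IKE_SA immediately, as it is unusable; continuing to
	 * use it would operate on inconsistent SA state.
	 *
	 * @param message		message to process
	 * @return
	 * 						- SUCCESS
	 * 						- FAILED
	 * 						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*process_message) (ike_sa_t *this, message_t *message);

	/**
	 * Generate an IKE message to send it to the peer.
	 *
	 * This method generates all payloads in the message and encrypts/signs
	 * the packet.
	 *
	 * @param message		message to generate
	 * @param packet		generated output packet
	 * @return
	 * 						- SUCCESS
	 * 						- FAILED
	 * 						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*generate_message) (ike_sa_t *this, message_t *message,
								  packet_t **packet);

	/**
	 * Retransmits a request.
	 *
	 * @param message_id	ID of the request to retransmit
	 * @return
	 * 						- SUCCESS
	 * 						- NOT_FOUND if request doesn't have to be retransmitted
	 */
	status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);

	/**
	 * Sends a DPD request to the peer.
	 *
	 * To check if a peer is still alive, periodic
	 * empty INFORMATIONAL messages are sent if no
	 * other traffic was received.
	 *
	 * @return
	 * 						- SUCCESS
	 * 						- DESTROY_ME, if peer did not respond
	 */
	status_t (*send_dpd) (ike_sa_t *this);

	/**
	 * Sends a keep alive packet.
	 *
	 * To refresh NAT tables in a NAT router
	 * between the peers, periodic empty
	 * UDP packets are sent if no other traffic
	 * was sent.
	 */
	void (*send_keepalive) (ike_sa_t *this);

	/**
	 * Get the keying material of this IKE_SA.
	 *
	 * @return				per IKE_SA keymat instance
	 */
	keymat_t* (*get_keymat)(ike_sa_t *this);

	/**
	 * Associates a child SA to this IKE SA
	 *
	 * @param child_sa		child_sa to add
	 */
	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);

	/**
	 * Get a CHILD_SA identified by protocol and SPI.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			SPI of the CHILD_SA
	 * @param inbound		TRUE if SPI is inbound, FALSE if outbound
	 * @return				child_sa, or NULL if none found
	 */
	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
								 u_int32_t spi, bool inbound);

	/**
	 * Create an iterator over all CHILD_SAs.
	 *
	 * @return				iterator
	 */
	iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);

	/**
	 * Rekey the CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, and starts the rekeying.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 * 						- SUCCESS, if rekeying initiated
	 */
	status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Close the CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
	 * notifies the remote peer about the delete. The associated
	 * states and policies in the kernel get deleted, if they exist.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 * 						- SUCCESS, if delete message sent
	 */
	status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Destroy a CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA and destroys it, without
	 * notifying the peer (compare delete_child_sa()).
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 * 						- SUCCESS
	 */
	status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Rekey the IKE_SA.
	 *
	 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
	 *
	 * @return				- SUCCESS, if IKE_SA rekeying initiated
	 */
	status_t (*rekey) (ike_sa_t *this);

	/**
	 * Reauthenticate the IKE_SA.
	 *
	 * Create a completely new IKE_SA with authentication, recreates all children
	 * within the IKE_SA, closes this IKE_SA.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reauth) (ike_sa_t *this);

	/**
	 * Reestablish the IKE_SA.
	 *
	 * Reestablish an IKE_SA after it has been closed.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reestablish) (ike_sa_t *this);

	/**
	 * Set the lifetime limit received from an AUTH_LIFETIME notify.
	 *
	 * @param lifetime		lifetime in seconds
	 */
	void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);

	/**
	 * Set the virtual IP to use for this IKE_SA and its children.
	 *
	 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
	 * lifetime as the IKE_SA.
	 *
	 * @param local			TRUE to set local address, FALSE for remote
	 * @param ip			IP to set as virtual IP
	 */
	void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);

	/**
	 * Get the virtual IP configured.
	 *
	 * @param local			TRUE to get local virtual IP, FALSE for remote
	 * @return				virtual IP
	 */
	host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);

	/**
	 * Register a configuration attribute to the IKE_SA.
	 *
	 * If an IRAS sends a configuration attribute it is installed and
	 * registered at the IKE_SA. Attributes are inherit()ed and get released
	 * when the IKE_SA is closed.
	 *
	 * @param handler		handler that installed the attribute, used for release()
	 * @param type			configuration attribute type
	 * @param data			associated attribute data
	 */
	void (*add_configuration_attribute)(ike_sa_t *this,
							attribute_handler_t *handler,
							configuration_attribute_type_t type, chunk_t data);

	/**
	 * Set local and remote host addresses to be used for IKE.
	 *
	 * These addresses are communicated via the KMADDRESS field of a MIGRATE
	 * message sent via the NETLINK or PF_KEY kernel socket interface.
	 *
	 * @param local			local kmaddress
	 * @param remote		remote kmaddress
	 */
	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);

	/**
	 * Inherit all attributes of other to this after rekeying.
	 *
	 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
	 * outstanding tasks are moved from other to this.
	 * As this call may initiate inherited tasks, a status is returned.
	 *
	 * @param other			other IKE_SA to inherit from
	 * @return				DESTROY_ME if initiation of inherited task failed
	 */
	status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);

	/**
	 * Reset the IKE_SA, usable when initiating fails
	 */
	void (*reset) (ike_sa_t *this);

	/**
	 * Destroys an ike_sa_t object.
	 */
	void (*destroy) (ike_sa_t *this);
};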
894
/**
 * Creates an ike_sa_t object with a specific ID.
 *
 * The returned object is presumably released through its destroy() method —
 * confirm ownership with the callers.
 *
 * @param ike_sa_id 	ike_sa_id_t object to associate with new IKE_SA
 * @return 				ike_sa_t object
 */
ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);
902
903 #endif /** IKE_SA_H_ @}*/