2 * Copyright (C) 2007-2008 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 * @defgroup peer_cfg peer_cfg
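/* Forward declarations of the types defined in this header; they precede the
 * includes below, presumably so that the included headers can refer to them
 * (e.g. child_cfg.h to peer_cfg_t) — confirm against those headers. */
typedef enum ike_version_t ike_version_t;
typedef enum cert_policy_t cert_policy_t;
typedef enum unique_policy_t unique_policy_t;
typedef struct peer_cfg_t peer_cfg_t;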
32 #include <utils/identification.h>
33 #include <utils/enumerator.h>
34 #include <selectors/traffic_selector.h>
35 #include <config/proposal.h>
36 #include <config/ike_cfg.h>
37 #include <config/child_cfg.h>
38 #include <credentials/auth_cfg.h>
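/**
 * enum strings for ike_version_t
 */
extern enum_name_t *ike_version_names;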
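/**
 * Certificate sending policy. This is also used for certificate
 * requests when using this definition for the other peer. If
 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise it is included.
 *
 * @warning These definitions must be the same as in pluto/starter,
 * as they are sent over the stroke socket.
 *
 * NOTE(review): because the numeric values cross the stroke socket, the
 * receiving side should range-check them before use rather than trust the
 * sender — confirm the stroke receiver does so.
 */
enum cert_policy_t {
	/** always send certificates, even when not requested */
	CERT_ALWAYS_SEND = 0,
	/** send certificate upon cert request */
	CERT_SEND_IF_ASKED = 1,
	/** never send a certificate, even when requested */
	CERT_NEVER_SEND = 2,
};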
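/**
 * enum strings for cert_policy_t
 */
extern enum_name_t *cert_policy_names;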
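/**
 * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
 */
enum unique_policy_t {
	/** do not check for client uniqueness */
	UNIQUE_NO,
	/** replace unique IKE_SAs if new ones get established */
	UNIQUE_REPLACE,
	/** keep existing IKE_SAs, close the new ones on connection attempt */
	UNIQUE_KEEP,
};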
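/**
 * enum strings for unique_policy_t
 */
extern enum_name_t *unique_policy_names;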
98 * Configuration of a peer, specified by IDs.
100 * The peer config defines a connection between two given IDs. It contains
101 * exactly one ike_cfg_t, which is used for initiation. Additionally, it
102 * contains multiple child_cfg_t defining which CHILD_SAs are allowed for this
105 +-------------------+ +---------------+
106 +---------------+ | peer_cfg | +---------------+ |
107 | ike_cfg | +-------------------+ | child_cfg | |
108 +---------------+ | - ids | +---------------+ |
109 | - hosts | 1 1 | - cas | 1 n | - proposals | |
110 | - proposals |<-----| - auth info |----->| - traffic sel | |
111 | - ... | | - dpd config | | - ... |-+
112 +---------------+ | - ... | +---------------+
113 +-------------------+
117 +-------------------+ +-------------------+
118 +-------------------+ | +-------------------+ |
119 | auth_cfg | | | auth_cfg | |
120 +-------------------+ | +-------------------+ |
121 | - local rules |-+ | - remote constr. |-+
122 +-------------------+ +-------------------+
 * Each peer_cfg has two lists of authentication configs attached. Local
 * authentication configs define how to authenticate ourselves against the
 * remote peer. Each config is enforced using the multiple authentication extension
 * The remote authentication configs are handled as constraints. The peer has
 * to fulfill each of these rules (using multiple authentication, in any order)
 * to gain access to the configuration.
 */
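struct peer_cfg_t {

	/**
	 * Get the name of the peer_cfg.
	 *
	 * The returned string is not cloned: it is owned by the peer_cfg and
	 * stays valid only as long as the peer_cfg does.
	 *
	 * @return				peer_cfg's name
	 */
	char* (*get_name) (peer_cfg_t *this);

	/**
	 * Get the IKE version to use for initiating.
	 *
	 * @return				IKE major version
	 */
	ike_version_t (*get_ike_version)(peer_cfg_t *this);

	/**
	 * Get the IKE config to use for initiation.
	 *
	 * @return				the IKE config to use
	 */
	ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);

	/**
	 * Attach a CHILD config.
	 *
	 * @param child_cfg		CHILD config to add
	 */
	void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);

	/**
	 * Detach a CHILD config, pointed to by an enumerator.
	 *
	 * @param enumerator	enumerator indicating element position
	 */
	void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);

	/**
	 * Create an enumerator for all attached CHILD configs.
	 *
	 * @return				an enumerator over all CHILD configs.
	 */
	enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);

	/**
	 * Select a CHILD config from traffic selectors.
	 *
	 * @param my_ts			TS for local side
	 * @param other_ts		TS for remote side
	 * @param my_host		host to narrow down dynamic TS for local side
	 * @param other_host	host to narrow down dynamic TS for remote side
	 * @return				selected CHILD config, or NULL if no match found
	 */
	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
									  linked_list_t *other_ts, host_t *my_host,
									  host_t *other_host);

	/**
	 * Add an authentication config to the peer configuration.
	 *
	 * @param cfg			config to add
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 */
	void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);

	/**
	 * Create an enumerator over registered authentication configs.
	 *
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 * @return				enumerator over auth_cfg_t*
	 */
	enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);

	/**
	 * Should a certificate be sent for this connection?
	 *
	 * @return				certificate sending policy
	 */
	cert_policy_t (*get_cert_policy) (peer_cfg_t *this);

	/**
	 * How to handle uniqueness of IKE_SAs?
	 *
	 * @return				unique policy
	 */
	unique_policy_t (*get_unique_policy) (peer_cfg_t *this);

	/**
	 * Get the max number of retries after timeout.
	 *
	 * @return				max number of retries
	 */
	u_int32_t (*get_keyingtries) (peer_cfg_t *this);

	/**
	 * Get a time to start rekeying.
	 *
	 * @param jitter		TRUE to subtract a random jitter value from the time
	 * @return				time in s when to start rekeying, 0 disables rekeying
	 */
	u_int32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);

	/**
	 * Get a time to start reauthentication.
	 *
	 * @param jitter		TRUE to subtract a random jitter value from the time
	 * @return				time in s when to start reauthentication, 0 disables it
	 */
	u_int32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);

	/**
	 * Get the timeout of a rekeying/reauthenticating SA.
	 *
	 * @return				timeout in s
	 */
	u_int32_t (*get_over_time)(peer_cfg_t *this);

	/**
	 * Use MOBIKE (RFC4555) if peer supports it?
	 *
	 * @return				TRUE to enable MOBIKE support
	 */
	bool (*use_mobike) (peer_cfg_t *this);

	/**
	 * Use/Accept aggressive mode with IKEv1?
	 *
	 * @return				TRUE to use aggressive mode
	 */
	bool (*use_aggressive)(peer_cfg_t *this);

	/**
	 * Get the DPD check interval.
	 *
	 * @return				dpd_delay in seconds
	 */
	u_int32_t (*get_dpd) (peer_cfg_t *this);

	/**
	 * Get the DPD timeout interval (IKEv1 only).
	 *
	 * @return				dpd_timeout in seconds
	 */
	u_int32_t (*get_dpd_timeout) (peer_cfg_t *this);

	/**
	 * Add a virtual IP to request as initiator.
	 *
	 * @param vip			virtual IP to request, may be %any or %any6
	 */
	void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);

	/**
	 * Create an enumerator over virtual IPs to request.
	 *
	 * The returned enumerator enumerates over IPs added with add_virtual_ip().
	 *
	 * @return				enumerator over host_t*
	 */
	enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);

	/**
	 * Add a pool name this configuration uses to select virtual IPs.
	 *
	 * @param name			pool name to use for virtual IP lookup
	 */
	void (*add_pool)(peer_cfg_t *this, char *name);

	/**
	 * Create an enumerator over pool names of this config.
	 *
	 * @return				enumerator over char*
	 */
	enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);

	/**
	 * Is this a mediation connection?
	 *
	 * @return				TRUE, if this is a mediation connection
	 */
	bool (*is_mediation) (peer_cfg_t *this);

	/**
	 * Get peer_cfg of the connection this one is mediated through.
	 *
	 * @return				the peer_cfg of the mediation connection
	 */
	peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);

	/**
	 * Get the id of the other peer at the mediation server.
	 *
	 * This is the leftid of the peer's connection with the mediation server.
	 *
	 * If it is not configured, it is assumed to be the same as the right id
	 * of this connection.
	 *
	 * @return				the id of the other peer
	 */
	identification_t* (*get_peer_id) (peer_cfg_t *this);

	/**
	 * Check if two peer configurations are equal.
	 *
	 * This method does not compare associated ike/child_cfg.
	 *
	 * @param other			candidate to check for equality against this
	 * @return				TRUE if the peer_cfgs are equal (ike/child_cfg
	 *						are not compared)
	 */
	bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);

	/**
	 * Increase reference count.
	 *
	 * @return				reference to this
	 */
	peer_cfg_t* (*get_ref) (peer_cfg_t *this);

	/**
	 * Destroys the peer_cfg object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the peer_cfg when it reaches zero.
	 */
	void (*destroy) (peer_cfg_t *this);
};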
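/**
 * Create a configuration object for IKE_AUTH and later.
 *
 * The name string gets cloned, the IDs are not.
 * Virtual IPs are used if they are != NULL. A %any host means the virtual
 * IP should be obtained from the other peer.
 * Lifetimes are in seconds. To prevent two peers from starting rekeying at
 * the same time, a jitter may be specified. Rekeying of an SA starts at
 * (rekeylifetime - random(0, jitter)).
 *
 * @param name				name of the peer_cfg
 * @param ike_version		which IKE version we should use for this peer
 * @param ike_cfg			IKE config to use when acting as initiator
 * @param cert_policy		should we send a certificate payload?
 * @param unique			uniqueness of an IKE_SA
 * @param keyingtries		how many keying tries should be done before giving up
 * @param rekey_time		timeout before starting rekeying
 * @param reauth_time		timeout before starting reauthentication
 * @param jitter_time		timerange to randomly subtract from rekey/reauth time
 * @param over_time			maximum overtime before closing a rekeying/reauth SA
 * @param mobike			use MOBIKE (RFC4555) if peer supports it
 * @param aggressive		use/accept aggressive mode with IKEv1
 * @param dpd				DPD check interval, 0 to disable
 * @param dpd_timeout		DPD timeout interval (IKEv1 only), if 0 default applies
 * @param mediation			TRUE if this is a mediation connection
 * @param mediated_by		peer_cfg_t of the mediation connection to mediate through
 * @param peer_id			ID that identifies our peer at the mediation server
 * @return					peer_cfg_t object
 */
peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
							ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
							unique_policy_t unique, u_int32_t keyingtries,
							u_int32_t rekey_time, u_int32_t reauth_time,
							u_int32_t jitter_time, u_int32_t over_time,
							bool mobike, bool aggressive, u_int32_t dpd,
							u_int32_t dpd_timeout,
							bool mediation, peer_cfg_t *mediated_by,
							identification_t *peer_id);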
403 #endif /** PEER_CFG_H_ @}*/