2 * Copyright (C) 2007-2008 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 * @defgroup peer_cfg peer_cfg
/* Forward declarations. The policy enums are returned by the getters of
 * peer_cfg_t and passed to peer_cfg_create(); peer_cfg_t itself is named by
 * every function-pointer member (the "this" argument) before the struct
 * body is complete. */
typedef enum cert_policy_t cert_policy_t;
typedef enum unique_policy_t unique_policy_t;
typedef struct peer_cfg_t peer_cfg_t;
31 #include <utils/identification.h>
32 #include <collections/enumerator.h>
33 #include <selectors/traffic_selector.h>
34 #include <config/proposal.h>
35 #include <config/ike_cfg.h>
36 #include <config/child_cfg.h>
37 #include <credentials/auth_cfg.h>
40 * Certificate sending policy. This is also used for certificate
41 * requests when using this definition for the other peer. If
42 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
45 * @warning These definitions must be the same as in pluto/starter,
46 * as they are sent over the stroke socket.
49 /** always send certificates, even when not requested */
51 /** send certificate upon cert request */
52 CERT_SEND_IF_ASKED
= 1,
53 /** never send a certificate, even when requested */
/**
 * Enum strings for cert_policy_t.
 *
 * The numeric values of cert_policy_t are fixed by the stroke socket
 * protocol (see the @warning on the enum), so this table must stay in
 * sync with the enum and must not be reordered independently.
 */
extern enum_name_t *cert_policy_names;
63 * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
65 enum unique_policy_t
{
66 /** never check for client uniqueness */
68 /** only check for client uniqueness when receiving an INITIAL_CONTACT */
70 /** replace existing IKE_SAs when new ones get established by a client */
72 /** keep existing IKE_SAs, close the new ones on connection attempt */
/**
 * Enum strings for unique_policy_t.
 *
 * One entry per unique_policy_t value; keep in sync with the enum.
 */
extern enum_name_t *unique_policy_names;
82 * Configuration of a peer, specified by IDs.
84 * The peer config defines a connection between two given IDs. It contains
85 * exactly one ike_cfg_t, which is used for initiation. Additionally, it
86 * contains multiple child_cfg_t defining which CHILD_SAs are allowed for this
89 +-------------------+ +---------------+
90 +---------------+ | peer_cfg | +---------------+ |
91 | ike_cfg | +-------------------+ | child_cfg | |
92 +---------------+ | - ids | +---------------+ |
93 | - hosts | 1 1 | - cas | 1 n | - proposals | |
94 | - proposals |<-----| - auth info |----->| - traffic sel | |
95 | - ... | | - dpd config | | - ... |-+
96 +---------------+ | - ... | +---------------+
101 +-------------------+ +-------------------+
102 +-------------------+ | +-------------------+ |
103 | auth_cfg | | | auth_cfg | |
104 +-------------------+ | +-------------------+ |
105 | - local rules |-+ | - remote constr. |-+
106 +-------------------+ +-------------------+
109 * Each peer_cfg has two lists of authentication config attached. Local
110 * authentication configs define how we authenticate ourselves to the remote
111 * peer. Each config is enforced using the multiple authentication extension
113 * The remote authentication configs are handled as constraints. The peer has
114 * to fulfill each of these rules (using multiple authentication, in any order)
115 * to gain access to the configuration.
/**
 * Get the name of the peer_cfg.
 *
 * The returned string is not cloned: it is owned by this object and stays
 * valid only as long as a reference to the peer_cfg is held (see get_ref()
 * and destroy()). Callers must not free it.
 *
 * @return		peer_cfg's name
 */
char* (*get_name) (peer_cfg_t *this);
/**
 * Get the IKE version to use for initiating.
 *
 * @return		IKE major version
 */
ike_version_t (*get_ike_version)(peer_cfg_t *this);
/**
 * Get the IKE config to use for initiation.
 *
 * NOTE(review): it is not stated here whether the returned pointer is
 * borrowed or a new reference; confirm against the implementation before
 * releasing it.
 *
 * @return		the IKE config to use
 */
ike_cfg_t * (*get_ike_cfg) (peer_cfg_t *this);
/**
 * Attach a CHILD config.
 *
 * NOTE(review): ownership of child_cfg after this call (adopted by the
 * peer_cfg vs. the caller keeping its reference) is not documented here;
 * confirm with the implementation.
 *
 * @param child_cfg	CHILD config to add
 */
void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
/**
 * Detach a CHILD config, pointed to by an enumerator.
 *
 * Presumably the enumerator was created by create_child_cfg_enumerator()
 * and is positioned on the element to remove — verify against callers.
 *
 * @param enumerator	enumerator indicating element position
 */
void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
/**
 * Create an enumerator for all attached CHILD configs.
 *
 * @return		an enumerator over all CHILD configs
 */
enumerator_t * (*create_child_cfg_enumerator) (peer_cfg_t *this);
/**
 * Select a CHILD config from traffic selectors.
 *
 * The host lists are used to narrow down dynamic traffic selectors on the
 * respective side before matching. Callers must handle a NULL result.
 *
 * NOTE(review): other_ts is presumably derived from what the remote peer
 * proposed, i.e. untrusted input; the selection must not assume it is
 * well-formed — confirm in the implementation.
 *
 * @param my_ts		TS for local side
 * @param other_ts	TS for remote side
 * @param my_hosts	hosts to narrow down dynamic TS for local side
 * @param other_hosts	hosts to narrow down dynamic TS for remote side
 * @return		selected CHILD config, or NULL if no match found
 */
child_cfg_t * (*select_child_cfg) (peer_cfg_t *this,
				   linked_list_t *my_ts, linked_list_t *other_ts,
				   linked_list_t *my_hosts, linked_list_t *other_hosts);
/**
 * Add an authentication config to the peer configuration.
 *
 * Local rules define how we authenticate ourselves to the peer; remote
 * constraints are rules the peer has to fulfill (in any order, using
 * multiple authentication) to gain access to this configuration.
 *
 * NOTE(review): whether cfg is adopted or must be kept alive by the caller
 * is not documented here; confirm.
 *
 * @param cfg		config to add
 * @param local		TRUE for local rules, FALSE for remote constraints
 */
void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
/**
 * Create an enumerator over registered authentication configs.
 *
 * @param local		TRUE for local rules, FALSE for remote constraints
 * @return		enumerator over auth_cfg_t*
 */
enumerator_t * (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
/**
 * Should a certificate be sent for this connection?
 *
 * The same policy also decides whether a certificate request is sent:
 * with CERT_NEVER_SEND the certreq is omitted (see cert_policy_t).
 *
 * @return		certificate sending policy
 */
cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
/**
 * How to handle uniqueness of IKE_SAs?
 *
 * Controls whether additional IKE_SAs from the same peer are kept, replaced
 * or rejected (see unique_policy_t).
 *
 * @return		unique policy
 */
unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
/**
 * Get the max number of retries after timeout.
 *
 * NOTE(review): the meaning of 0 (no retries vs. unlimited) is not
 * documented here; confirm before relying on it.
 *
 * @return		max number retries
 */
u_int32_t (*get_keyingtries) (peer_cfg_t *this);
/**
 * Get a time to start rekeying.
 *
 * With jitter set, a random value in the range 0..jitter_time (as passed to
 * peer_cfg_create()) is subtracted so that both peers do not start rekeying
 * at the same moment.
 *
 * @param jitter	remove a jitter value to randomize time
 * @return		time in s when to start rekeying, 0 disables rekeying
 */
u_int32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
/**
 * Get a time to start reauthentication.
 *
 * With jitter set, a random value in the range 0..jitter_time (as passed to
 * peer_cfg_create()) is subtracted, as for get_rekey_time().
 *
 * @param jitter	remove a jitter value to randomize time
 * @return		time in s when to start reauthentication, 0 disables it
 */
u_int32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
/**
 * Get the timeout of a rekeying/reauthenticating SA.
 *
 * This is the maximum overtime before the old SA is closed after
 * rekeying/reauthentication has started (over_time in peer_cfg_create()).
 *
 * @return		timeout in s
 */
u_int32_t (*get_over_time)(peer_cfg_t *this);
/**
 * Use MOBIKE (RFC4555) if peer supports it?
 *
 * @return		TRUE to enable MOBIKE support
 */
bool (*use_mobike) (peer_cfg_t *this);
/**
 * Use/Accept aggressive mode with IKEv1?
 *
 * IKEv1-only option. Aggressive mode trades protection of the initiator's
 * identity for fewer round trips, so enabling it should be a deliberate
 * policy decision rather than a default.
 *
 * @return		TRUE to use aggressive mode
 */
bool (*use_aggressive)(peer_cfg_t *this);
/**
 * Use pull or push mode for mode config?
 *
 * @return		TRUE to use pull, FALSE to use push mode
 */
bool (*use_pull_mode)(peer_cfg_t *this);
/**
 * Get the DPD check interval.
 *
 * @return		dpd_delay in seconds, 0 if DPD is disabled
 */
u_int32_t (*get_dpd) (peer_cfg_t *this);
/**
 * Get the DPD timeout interval (IKEv1 only).
 *
 * A value of 0 means the default applies; the default itself is not
 * defined in this header.
 *
 * @return		dpd_timeout in seconds
 */
u_int32_t (*get_dpd_timeout) (peer_cfg_t *this);
/**
 * Add a virtual IP to request as initiator.
 *
 * A %any/%any6 host means the concrete virtual IP should be obtained from
 * the other peer rather than being fixed locally.
 *
 * NOTE(review): whether vip is adopted or cloned is not documented here;
 * confirm before freeing it in the caller.
 *
 * @param vip		virtual IP to request, may be %any or %any6
 */
void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);
/**
 * Create an enumerator over virtual IPs to request.
 *
 * The returned enumerator enumerates over IPs added with add_virtual_ip().
 *
 * @return		enumerator over host_t*
 */
enumerator_t * (*create_virtual_ip_enumerator)(peer_cfg_t *this);
/**
 * Add a pool name this configuration uses to select virtual IPs.
 *
 * NOTE(review): it is not stated whether name is cloned or must outlive
 * the peer_cfg; confirm with the implementation.
 *
 * @param name		pool name to use for virtual IP lookup
 */
void (*add_pool)(peer_cfg_t *this, char *name);
/**
 * Create an enumerator over pool names of this config.
 *
 * Enumerates the names added with add_pool().
 *
 * @return		enumerator over char*
 */
enumerator_t * (*create_pool_enumerator)(peer_cfg_t *this);
/**
 * Is this a mediation connection?
 *
 * @return		TRUE, if this is a mediation connection
 */
bool (*is_mediation) (peer_cfg_t *this);
/**
 * Get peer_cfg of the connection this one is mediated through.
 *
 * NOTE(review): not documented whether this returns a borrowed pointer or a
 * new reference (see get_ref()); confirm before calling destroy() on it.
 *
 * @return		the peer_cfg of the mediation connection
 */
peer_cfg_t * (*get_mediated_by) (peer_cfg_t *this);
/**
 * Get the id of the other peer at the mediation server.
 *
 * This is the leftid of the peer's connection with the mediation server.
 * If it is not configured, it is assumed to be the same as the right id
 * of this connection.
 *
 * @return		the id of the other peer
 */
identification_t * (*get_peer_id) (peer_cfg_t *this);
/**
 * Check if two peer configurations are equal.
 *
 * This method does not compare associated ike/child_cfg.
 *
 * NOTE(review): the @return line below says ike_cfg is part of the
 * comparison, which contradicts the sentence above; check the
 * implementation and fix whichever statement is stale.
 *
 * @param other		candidate to check for equality against this
 * @return		TRUE if peer_cfg and ike_cfg are equal
 */
bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);
/**
 * Increase reference count.
 *
 * Every reference obtained here must be released with destroy(), which
 * decrements the counter and frees the object when it reaches zero.
 *
 * @return		reference to this
 */
peer_cfg_t * (*get_ref) (peer_cfg_t *this);
/**
 * Destroys the peer_cfg object.
 *
 * Decrements the internal reference counter and destroys the peer_cfg when
 * it reaches zero. Pointers handed out by get_name() are invalid after the
 * last reference is gone.
 */
void (*destroy) (peer_cfg_t *this);
/**
 * Create a configuration object for IKE_AUTH and later.
 *
 * The name string gets cloned, IDs do not: peer_id is taken as passed, so
 * the caller must not free it afterwards. (Whether ike_cfg and mediated_by
 * are adopted in the same way is not stated here — NOTE(review): confirm.)
 * Virtual IPs are used if they are != NULL. A %any host means the virtual
 * IP should be obtained from the other peer.
 * Lifetimes are in seconds. To prevent two peers from starting rekeying at
 * the same time, a jitter may be specified. Rekeying of an SA starts at
 * (rekeylifetime - random(0, jitter)).
 *
 * NOTE(review): name is only read (it is cloned), so it could be declared
 * const char*; left as is to keep the existing interface.
 *
 * @param name			name of the peer_cfg
 * @param ike_cfg		IKE config to use when acting as initiator
 * @param cert_policy		should we send a certificate payload?
 * @param unique		uniqueness of an IKE_SA
 * @param keyingtries		how many keying tries should be done before giving up
 * @param rekey_time		timeout before starting rekeying
 * @param reauth_time		timeout before starting reauthentication
 * @param jitter_time		timerange to randomly subtract from rekey/reauth time
 * @param over_time		maximum overtime before closing a rekeying/reauth SA
 * @param mobike		use MOBIKE (RFC4555) if peer supports it
 * @param aggressive		use/accept aggressive mode with IKEv1
 * @param pull_mode		TRUE to use modeconfig pull, FALSE for push
 * @param dpd			DPD check interval, 0 to disable
 * @param dpd_timeout		DPD timeout interval (IKEv1 only), if 0 default applies
 * @param mediation		TRUE if this is a mediation connection
 * @param mediated_by		peer_cfg_t of the mediation connection to mediate through
 * @param peer_id		ID that identifies our peer at the mediation server
 * @return			peer_cfg_t object
 */
peer_cfg_t *peer_cfg_create(char *name,
							ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
							unique_policy_t unique, u_int32_t keyingtries,
							u_int32_t rekey_time, u_int32_t reauth_time,
							u_int32_t jitter_time, u_int32_t over_time,
							bool mobike, bool aggressive, bool pull_mode,
							u_int32_t dpd, u_int32_t dpd_timeout,
							bool mediation, peer_cfg_t *mediated_by,
							identification_t *peer_id);
394 #endif /** PEER_CFG_H_ @}*/