2 * Copyright (C) 2006-2020 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
7 * Copyright (C) secunet Security Networks AG
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * @defgroup ike_sa ike_sa
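/* Forward declarations: the enums and structs named here are defined further
 * down in this header, after the includes that their members depend on. */
typedef enum ike_extension_t ike_extension_t;
typedef enum ike_condition_t ike_condition_t;
typedef enum ike_sa_state_t ike_sa_state_t;
typedef enum statistic_t statistic_t;
typedef enum update_hosts_flag_t update_hosts_flag_t;
typedef struct child_init_args_t child_init_args_t;
typedef struct ike_sa_t ike_sa_t;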
37 #include <attributes/attribute_handler.h>
38 #include <encoding/message.h>
39 #include <encoding/payloads/proposal_substructure.h>
40 #include <encoding/payloads/configuration_attribute.h>
41 #include <sa/ike_sa_id.h>
42 #include <sa/child_sa.h>
44 #include <sa/task_manager.h>
45 #include <sa/keymat.h>
46 #include <config/peer_cfg.h>
47 #include <config/ike_cfg.h>
48 #include <credentials/auth_cfg.h>
49 #include <networking/packet.h>
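/**
 * Timeout in seconds after that a half open IKE_SA gets deleted.
 *
 * Bounds how long an unauthenticated, half open SA may hold resources.
 */
#define HALF_OPEN_IKE_SA_TIMEOUT 30

/**
 * Interval to send keepalives when NATed, in seconds.
 */
#define KEEPALIVE_INTERVAL 20

/**
 * After which time rekeying should be retried if it failed, in seconds.
 */
#define RETRY_INTERVAL 15

/**
 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
 *
 * Must stay below RETRY_INTERVAL so the randomized retry delay is positive.
 */
#define RETRY_JITTER 10

/**
 * Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD.
 */
#define MAX_REDIRECTS 5

/**
 * Time period in seconds in which at most MAX_REDIRECTS are allowed.
 */
#define REDIRECT_LOOP_DETECT_PERIOD 300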
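/**
 * Extensions (or optional features) the peer supports
 *
 * Each value is a single bit so that a set of extensions can be stored in one
 * integer and tested with supports_extension().
 *
 * NOTE(review): the extracted listing lost the identifiers of the members at
 * bits 0, 1, 7, 8 and 15 (only their doc comments survived); they are restored
 * here from strongSwan's ike_sa.h — verify against upstream.
 */
enum ike_extension_t {

	/**
	 * peer supports NAT traversal as specified in RFC4306 or RFC3947
	 * including some RFC3947 drafts
	 */
	EXT_NATT = (1<<0),

	/**
	 * peer supports MOBIKE (RFC4555)
	 */
	EXT_MOBIKE = (1<<1),

	/**
	 * peer supports HTTP cert lookups as specified in RFC4306
	 */
	EXT_HASH_AND_URL = (1<<2),

	/**
	 * peer supports multiple authentication exchanges, RFC4739
	 */
	EXT_MULTIPLE_AUTH = (1<<3),

	/**
	 * peer uses strongSwan, accept private use extensions
	 */
	EXT_STRONGSWAN = (1<<4),

	/**
	 * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
	 */
	EXT_EAP_ONLY_AUTHENTICATION = (1<<5),

	/**
	 * peer is probably a Windows RAS client
	 */
	EXT_MS_WINDOWS = (1<<6),

	/**
	 * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
	 */
	EXT_XAUTH = (1<<7),

	/**
	 * peer supports DPD detection, RFC 3706 (or IKEv2)
	 */
	EXT_DPD = (1<<8),

	/**
	 * peer supports Cisco Unity configuration attributes
	 */
	EXT_CISCO_UNITY = (1<<9),

	/**
	 * peer supports NAT traversal as specified in
	 * draft-ietf-ipsec-nat-t-ike-02 .. -03
	 */
	EXT_NATT_DRAFT_02_03 = (1<<10),

	/**
	 * peer supports proprietary IKEv1 or standardized IKEv2 fragmentation
	 */
	EXT_IKE_FRAGMENTATION = (1<<11),

	/**
	 * Signature Authentication, RFC 7427
	 */
	EXT_SIGNATURE_AUTH = (1<<12),

	/**
	 * IKEv2 Redirect Mechanism, RFC 5685
	 */
	EXT_IKE_REDIRECTION = (1<<13),

	/**
	 * IKEv2 Message ID sync, RFC 6311
	 */
	EXT_IKE_MESSAGE_ID_SYNC = (1<<14),

	/**
	 * Postquantum Preshared Keys, draft-ietf-ipsecme-qr-ikev2
	 */
	EXT_PPK = (1<<15),

	/**
	 * Responder accepts childless IKE_SAs, RFC 6023
	 */
	EXT_IKE_CHILDLESS = (1<<16),
};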
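/**
 * Conditions of an IKE_SA, change during its lifetime
 *
 * Each value is a single bit; conditions are toggled with set_condition()
 * and queried with has_condition().
 *
 * NOTE(review): the extracted listing lost the identifiers of the members at
 * bits 7 and 13 and the doc comment of the bit 1 member; they are restored
 * here from strongSwan's ike_sa.h — verify against upstream.
 */
enum ike_condition_t {

	/**
	 * Connection is natted (or faked) somewhere
	 */
	COND_NAT_ANY = (1<<0),

	/**
	 * we are behind NAT (restored wording — confirm against upstream)
	 */
	COND_NAT_HERE = (1<<1),

	/**
	 * other is behind NAT
	 */
	COND_NAT_THERE = (1<<2),

	/**
	 * Faking NAT to enforce UDP encapsulation
	 */
	COND_NAT_FAKE = (1<<3),

	/**
	 * peer has been authenticated using EAP at least once
	 */
	COND_EAP_AUTHENTICATED = (1<<4),

	/**
	 * received a certificate request from the peer
	 */
	COND_CERTREQ_SEEN = (1<<5),

	/**
	 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
	 */
	COND_ORIGINAL_INITIATOR = (1<<6),

	/**
	 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
	 */
	COND_STALE = (1<<7),

	/**
	 * Initial contact received
	 */
	COND_INIT_CONTACT_SEEN = (1<<8),

	/**
	 * Peer has been authenticated using XAuth
	 */
	COND_XAUTH_AUTHENTICATED = (1<<9),

	/**
	 * This IKE_SA is currently being reauthenticated
	 */
	COND_REAUTHENTICATING = (1<<10),

	/**
	 * This IKE_SA has been redirected
	 */
	COND_REDIRECTED = (1<<11),

	/**
	 * Online certificate revocation checking is suspended for this IKE_SA
	 */
	COND_ONLINE_VALIDATION_SUSPENDED = (1<<12),

	/**
	 * A Postquantum Preshared Key was used when this IKE_SA was created
	 */
	COND_PPK = (1<<13),
};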
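/**
 * Timing information and statistics to query from an SA
 *
 * Values are read with get_statistic() and written with set_statistic().
 *
 * NOTE(review): the extracted listing kept only the first member's identifier
 * and the doc comments of the others; the remaining names are restored here
 * from strongSwan's ike_sa.h — verify against upstream.
 */
enum statistic_t {
	/** Timestamp of SA establishment */
	STAT_ESTABLISHED = 0,
	/** Timestamp of scheduled rekeying */
	STAT_REKEY,
	/** Timestamp of scheduled reauthentication */
	STAT_REAUTH,
	/** Timestamp of scheduled delete */
	STAT_DELETE,
	/** Timestamp of last inbound IKE packet */
	STAT_INBOUND,
	/** Timestamp of last outbound IKE packet */
	STAT_OUTBOUND,

	/** Number of statistic values; not a valid kind itself */
	STAT_MAX
};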
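/**
 * Flags used when updating addresses
 *
 * Passed to update_hosts(); the composite values are plain ORs of the
 * single-bit ones.
 */
enum update_hosts_flag_t {
	/** Force updating the local address (otherwise not updated if an address
	 * is already set). */
	UPDATE_HOSTS_FORCE_LOCAL = (1<<0),
	/** Force updating the remote address (otherwise only updated if peer is
	 * NATed — rest of this sentence was lost in extraction, confirm against
	 * upstream). */
	UPDATE_HOSTS_FORCE_REMOTE = (1<<1),
	/** Force updating both addresses. */
	UPDATE_HOSTS_FORCE_ADDRS = UPDATE_HOSTS_FORCE_LOCAL|UPDATE_HOSTS_FORCE_REMOTE,
	/** Force updating the CHILD_SAs even if no addresses changed, useful if
	 * NAT state may have changed. */
	UPDATE_HOSTS_FORCE_CHILDREN = (1<<2),
	/** Force updating everything. */
	UPDATE_HOSTS_FORCE_ALL = UPDATE_HOSTS_FORCE_ADDRS|UPDATE_HOSTS_FORCE_CHILDREN,
};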
290 * State of an IKE_SA.
292 * An IKE_SA passes various states in its lifetime. A newly created
293 * SA is in the state CREATED.
299 on initiate()---> ¦ <----- on IKE_SA_INIT received
305 ¦ <----- on IKE_AUTH successfully completed
308 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
309 +----------------+ ¦
311 on delete()---> ¦ <----- on IKE_SA +-------------+
312 ¦ delete request ¦ SA_REKEYING ¦
313 ¦ received +-------------+
315 +----------------+ ¦
316 ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
319 ¦ <----- after delete() acknowledged
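/**
 * NOTE(review): the extracted listing kept the doc comment of every state but
 * none of the identifiers; they are restored here, in the documented order,
 * from strongSwan's ike_sa.h — verify against upstream.
 */
enum ike_sa_state_t {

	/**
	 * IKE_SA just got created, but is not initiating nor responding yet.
	 */
	IKE_CREATED,

	/**
	 * IKE_SA gets initiated actively or passively
	 */
	IKE_CONNECTING,

	/**
	 * IKE_SA is fully established
	 */
	IKE_ESTABLISHED,

	/**
	 * IKE_SA is managed externally and does not process messages
	 */
	IKE_PASSIVE,

	/**
	 * IKE_SA rekeying in progress
	 */
	IKE_REKEYING,

	/**
	 * IKE_SA has been rekeyed (or is redundant)
	 */
	IKE_REKEYED,

	/**
	 * IKE_SA is in progress of deletion
	 */
	IKE_DELETING,

	/**
	 * IKE_SA object gets destroyed
	 */
	IKE_DESTROYING,
};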
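/**
 * enum names for ike_sa_state_t.
 *
 * Defined in the corresponding .c file; used to print states in log output.
 */
extern enum_name_t *ike_sa_state_names;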
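/**
 * Optional arguments passed when initiating a CHILD_SA.
 *
 * Passed by pointer to ike_sa_t.initiate(); may be NULL there.
 *
 * NOTE(review): the extracted listing lost the declarations of the first and
 * last field (only their doc comments survived); they are restored here from
 * strongSwan's ike_sa.h — verify the types against upstream.
 */
struct child_init_args_t {
	/** Reqid to use for CHILD_SA, 0 to assign automatically */
	uint32_t reqid;
	/** Optional source of triggering packet */
	traffic_selector_t *src;
	/** Optional destination of triggering packet */
	traffic_selector_t *dst;
	/** Optional security label of triggering packet */
	sec_label_t *label;
};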
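/**
 * Class ike_sa_t representing an IKE_SA.
 *
 * An IKE_SA contains crypto information related to a connection
 * with a peer. It contains multiple IPsec CHILD_SA, for which
 * it is responsible. All traffic is handled by an IKE_SA, using
 * the task manager and its tasks.
 *
 * Objects returned by the getters below are internal to the IKE_SA unless a
 * method's documentation says otherwise; callers must not destroy them.
 *
 * NOTE(review): the extracted listing lost the opening and closing braces of
 * this struct and three parameter declarations (initiate_mediated's
 * connect_id, respond's connect_id, generate_message's packet); they are
 * restored below from the surviving @param comments — verify against upstream.
 */
struct ike_sa_t {

	/**
	 * Get the id of the SA.
	 *
	 * Returned ike_sa_id_t object is not getting cloned!
	 *
	 * @return				ike_sa's ike_sa_id_t
	 */
	ike_sa_id_t* (*get_id) (ike_sa_t *this);

	/**
	 * Gets the IKE version of the SA
	 */
	ike_version_t (*get_version)(ike_sa_t *this);

	/**
	 * Get the numerical ID uniquely defining this IKE_SA.
	 */
	uint32_t (*get_unique_id) (ike_sa_t *this);

	/**
	 * Get the state of the IKE_SA.
	 *
	 * @return				state of the IKE_SA
	 */
	ike_sa_state_t (*get_state) (ike_sa_t *this);

	/**
	 * Set the state of the IKE_SA.
	 *
	 * @param state			state to set for the IKE_SA
	 */
	void (*set_state) (ike_sa_t *this, ike_sa_state_t state);

	/**
	 * Get the name of the connection this IKE_SA uses.
	 */
	char* (*get_name) (ike_sa_t *this);

	/**
	 * Get statistic values from the IKE_SA.
	 *
	 * @param kind			kind of requested value
	 * @return				value as integer
	 */
	uint32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);

	/**
	 * Set statistic value of the IKE_SA.
	 *
	 * @param kind			kind of value to update
	 * @param value			value as integer
	 */
	void (*set_statistic)(ike_sa_t *this, statistic_t kind, uint32_t value);

	/**
	 * Get the own host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_my_host) (ike_sa_t *this);

	/**
	 * Set the own host address.
	 *
	 * @param me			host address
	 */
	void (*set_my_host) (ike_sa_t *this, host_t *me);

	/**
	 * Get the other peers host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_other_host) (ike_sa_t *this);

	/**
	 * Set the others host address.
	 *
	 * @param other			host address
	 */
	void (*set_other_host) (ike_sa_t *this, host_t *other);

	/**
	 * Float to port 4500 (e.g. if a NAT is detected).
	 *
	 * The port of either endpoint is changed only if it is currently
	 * set to the default value of 500.
	 */
	void (*float_ports)(ike_sa_t *this);

	/**
	 * Update the IKE_SAs host and CHILD_SAs.
	 *
	 * Hosts may be NULL to use current host.
	 *
	 * @param me			new local host address, or NULL
	 * @param other			new remote host address, or NULL
	 * @param flags			flags to force certain updates
	 */
	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other,
						 update_hosts_flag_t flags);

	/**
	 * Get the own identification.
	 *
	 * @return				identification
	 */
	identification_t* (*get_my_id) (ike_sa_t *this);

	/**
	 * Set the own identification.
	 *
	 * @param me			identification
	 */
	void (*set_my_id) (ike_sa_t *this, identification_t *me);

	/**
	 * Get the other peer's identification.
	 *
	 * @return				identification
	 */
	identification_t* (*get_other_id) (ike_sa_t *this);

	/**
	 * Get the others peer identity, but prefer an EAP-Identity.
	 *
	 * @return				EAP or IKEv2 identity
	 */
	identification_t* (*get_other_eap_id)(ike_sa_t *this);

	/**
	 * Set the other peer's identification.
	 *
	 * @param other			identification
	 */
	void (*set_other_id) (ike_sa_t *this, identification_t *other);

	/**
	 * Get the config used to setup this IKE_SA.
	 */
	ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);

	/**
	 * Set the config to setup this IKE_SA.
	 *
	 * @param config		ike_config to use
	 */
	void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);

	/**
	 * Get the peer config used by this IKE_SA.
	 *
	 * @return				peer_config
	 */
	peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);

	/**
	 * Set the peer config to use with this IKE_SA.
	 *
	 * @param config		peer_config to use
	 */
	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);

	/**
	 * Get the authentication config with rules of the current auth round.
	 *
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 * @return				current cfg
	 */
	auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);

	/**
	 * Insert a completed authentication round.
	 *
	 * @param local			TRUE for own rules, FALSE for others constraints
	 * @param cfg			auth config to append
	 */
	void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);

	/**
	 * Create an enumerator over added authentication rounds.
	 *
	 * @param local			TRUE for own rules, FALSE for others constraints
	 * @return				enumerator over auth_cfg_t
	 */
	enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);

	/**
	 * Verify the trustchains (validity, revocation) in completed public key
	 * authentication rounds.
	 *
	 * A FALSE result means the peer's certificates could not be validated;
	 * callers must not treat the peer as authenticated in that case.
	 *
	 * @return				TRUE if certificates were valid, FALSE otherwise
	 */
	bool (*verify_peer_certificate)(ike_sa_t *this);

	/**
	 * Get the selected proposal of this IKE_SA.
	 *
	 * @return				selected proposal
	 */
	proposal_t* (*get_proposal)(ike_sa_t *this);

	/**
	 * Set the proposal selected for this IKE_SA.
	 *
	 * @param proposal		selected proposal
	 */
	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);

	/**
	 * Set the message ID of the IKE_SA.
	 *
	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
	 * and one to respond to exchanges (expect).
	 *
	 * @param initiate		TRUE to set message ID for initiating
	 * @param mid			message id to set
	 */
	void (*set_message_id)(ike_sa_t *this, bool initiate, uint32_t mid);

	/**
	 * Get the message ID of the IKE_SA.
	 *
	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
	 * and one to respond to exchanges (expect).
	 *
	 * @param initiate		TRUE to get message ID for initiating
	 * @return				current message
	 */
	uint32_t (*get_message_id)(ike_sa_t *this, bool initiate);

	/**
	 * Add an additional address for the peer.
	 *
	 * In MOBIKE, a peer may transmit additional addresses where it is
	 * reachable. These are stored in the IKE_SA.
	 * The own list of addresses is not stored, they are queried from
	 * the kernel when required.
	 *
	 * @param host			host to add to list
	 */
	void (*add_peer_address)(ike_sa_t *this, host_t *host);

	/**
	 * Create an enumerator over all known addresses of the peer.
	 *
	 * @return				enumerator over addresses
	 */
	enumerator_t* (*create_peer_address_enumerator)(ike_sa_t *this);

	/**
	 * Remove all known addresses of the peer.
	 */
	void (*clear_peer_addresses)(ike_sa_t *this);

	/**
	 * Check if mappings have changed on a NAT for our source address.
	 *
	 * @param hash			received DESTINATION_IP hash
	 * @return				TRUE if mappings have changed
	 */
	bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);

	/**
	 * Enable an extension the peer supports.
	 *
	 * If support for an IKE extension is detected, this method is called
	 * to enable that extension and behave accordingly.
	 *
	 * @param extension		extension to enable
	 */
	void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Check if the peer supports an extension.
	 *
	 * @param extension		extension to check for support
	 * @return				TRUE if peer supports it, FALSE otherwise
	 */
	bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Enable/disable a condition flag for this IKE_SA.
	 *
	 * @param condition		condition to enable/disable
	 * @param enable		TRUE to enable condition, FALSE to disable
	 */
	void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);

	/**
	 * Check if a condition flag is set.
	 *
	 * @param condition		condition to check
	 * @return				TRUE if condition flag set, FALSE otherwise
	 */
	bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);

	/**
	 * Activate mediation server functionality for this IKE_SA.
	 */
	void (*act_as_mediation_server) (ike_sa_t *this);

	/**
	 * Get the server reflexive host.
	 *
	 * @return				server reflexive host
	 */
	host_t* (*get_server_reflexive_host) (ike_sa_t *this);

	/**
	 * Set the server reflexive host.
	 *
	 * @param host			server reflexive host
	 */
	void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);

	/**
	 * Get the connect ID.
	 */
	chunk_t (*get_connect_id) (ike_sa_t *this);

	/**
	 * Initiate the mediation of a mediated connection (i.e. initiate a
	 * ME_CONNECT exchange to a mediation server).
	 *
	 * @param mediated_cfg	peer_cfg of the mediated connection
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);

	/**
	 * Initiate the mediated connection
	 *
	 * @param me			local endpoint (gets cloned)
	 * @param other			remote endpoint (gets cloned)
	 * @param connect_id	connect ID (gets cloned)
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	/* connect_id's declaration was lost in extraction; chunk_t matches the
	 * other connect_id parameters in this struct — confirm against upstream. */
	status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
								   chunk_t connect_id);

	/**
	 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
	 * to a peer).
	 *
	 * @param requester		ID of the requesting peer
	 * @param connect_id	data of the ME_CONNECTID payload
	 * @param connect_key	data of the ME_CONNECTKEY payload
	 * @param endpoints		endpoints
	 * @param response		TRUE if this is a response
	 * @return
	 *						- SUCCESS if relay started
	 *						- DESTROY_ME if relay failed
	 */
	status_t (*relay) (ike_sa_t *this, identification_t *requester,
					   chunk_t connect_id, chunk_t connect_key,
					   linked_list_t *endpoints, bool response);

	/**
	 * Send a callback to a peer.
	 *
	 * @param peer_id		ID of the other peer
	 * @return
	 *						- SUCCESS if response started
	 *						- DESTROY_ME if response failed
	 */
	status_t (*callback) (ike_sa_t *this, identification_t *peer_id);

	/**
	 * Respond to a ME_CONNECT request.
	 *
	 * @param peer_id		ID of the other peer
	 * @param connect_id	the connect ID supplied by the initiator
	 * @return
	 *						- SUCCESS if response started
	 *						- DESTROY_ME if response failed
	 */
	/* connect_id's declaration was lost in extraction; chunk_t matches the
	 * other connect_id parameters in this struct — confirm against upstream. */
	status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
						 chunk_t connect_id);

	/**
	 * Initiate a new connection.
	 *
	 * The configs are owned by the IKE_SA after the call. If the initiate
	 * is triggered by a packet, traffic selectors of the packet can be added
	 * via args.
	 *
	 * @param child_cfg		child config to create CHILD from
	 * @param args			optional arguments for the CHILD initiation
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
						  child_init_args_t *args);

	/**
	 * Retry initiation of this IKE_SA after it got deferred previously.
	 *
	 * @return
	 *						- SUCCESS if initiation deferred or started
	 *						- DESTROY_ME if initiation failed
	 */
	status_t (*retry_initiate) (ike_sa_t *this);

	/**
	 * Initiates the deletion of an IKE_SA.
	 *
	 * Sends a delete message to the remote peer and waits for
	 * its response. If the response comes in, or a timeout occurs,
	 * the IKE SA gets destroyed, unless force is TRUE then the IKE_SA is
	 * destroyed immediately without waiting for a response.
	 *
	 * @param force			whether to immediately destroy the IKE_SA afterwards
	 *						without waiting for a response
	 * @return
	 *						- SUCCESS if deletion is initialized
	 *						- DESTROY_ME, if destroying is forced, or the IKE_SA
	 *						  is not in an established state and can not be
	 *						  deleted (but destroyed)
	 */
	status_t (*delete) (ike_sa_t *this, bool force);

	/**
	 * Update IKE_SAs after network interfaces have changed.
	 *
	 * Whenever the network interface configuration changes, the kernel
	 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
	 * the new network config requires changes, and handles appropriate.
	 * If MOBIKE is supported, addresses are updated; If not, the tunnel is
	 * restarted.
	 *
	 * @param address		TRUE if address list changed, FALSE otherwise
	 * @return				SUCCESS, FAILED, DESTROY_ME
	 */
	status_t (*roam)(ike_sa_t *this, bool address);

	/**
	 * Processes an incoming IKE message.
	 *
	 * Message processing may fail. If a critical failure occurs,
	 * process_message() return DESTROY_ME. Then the caller must
	 * destroy the IKE_SA immediately, as it is unusable.
	 *
	 * @param message		message to process
	 * @return
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*process_message)(ike_sa_t *this, message_t *message);

	/**
	 * Generate an IKE message to send it to the peer.
	 *
	 * This method generates all payloads in the message and encrypts/signs
	 * the packet.
	 *
	 * @param message		message to generate
	 * @param packet		generated output packet
	 * @return
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	/* packet's declaration was lost in extraction; an output parameter of
	 * packet_t (networking/packet.h is included above) — confirm against
	 * upstream. */
	status_t (*generate_message)(ike_sa_t *this, message_t *message,
								 packet_t **packet);

	/**
	 * Generate an IKE message to send it to the peer. If enabled and supported
	 * it will be fragmented.
	 *
	 * This method generates all payloads in the message and encrypts/signs
	 * the packet/fragments.
	 *
	 * @param message		message to generate
	 * @param packets		enumerator of generated packet_t* (are not destroyed
	 *						with the enumerator)
	 * @return
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*generate_message_fragmented)(ike_sa_t *this, message_t *message,
											enumerator_t **packets);

	/**
	 * Retransmits a request.
	 *
	 * @param message_id	ID of the request to retransmit
	 * @return
	 *						- SUCCESS if retransmit was sent
	 *						- INVALID_STATE if no retransmit required
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*retransmit)(ike_sa_t *this, uint32_t message_id);

	/**
	 * Sends a DPD request to the peer.
	 *
	 * To check if a peer is still alive, periodic
	 * empty INFORMATIONAL messages are sent if no
	 * other traffic was received.
	 *
	 * @return
	 *						- DESTROY_ME, if peer did not respond
	 */
	status_t (*send_dpd) (ike_sa_t *this);

	/**
	 * Sends a keep alive packet.
	 *
	 * To refresh NAT tables in a NAT router between the peers, periodic empty
	 * UDP packets are sent if no other traffic was sent.
	 *
	 * @param scheduled		if this is a scheduled keepalive
	 */
	void (*send_keepalive) (ike_sa_t *this, bool scheduled);

	/**
	 * Redirect an active IKE_SA.
	 *
	 * @param gateway		gateway ID (IP or FQDN) of the target
	 * @return				state, including DESTROY_ME, if this IKE_SA MUST be
	 *						destroyed
	 */
	status_t (*redirect)(ike_sa_t *this, identification_t *gateway);

	/**
	 * Handle a redirect request.
	 *
	 * The behavior is different depending on the state of the IKE_SA.
	 *
	 * @param gateway		gateway ID (IP or FQDN) of the target
	 * @return				FALSE if redirect not possible, TRUE otherwise
	 */
	bool (*handle_redirect)(ike_sa_t *this, identification_t *gateway);

	/**
	 * Get the address of the gateway that redirected us.
	 *
	 * @return				original gateway address
	 */
	host_t *(*get_redirected_from)(ike_sa_t *this);

	/**
	 * Get the keying material of this IKE_SA.
	 *
	 * @return				per IKE_SA keymat instance
	 */
	keymat_t* (*get_keymat)(ike_sa_t *this);

	/**
	 * Associates a child SA to this IKE SA
	 *
	 * @param child_sa		child_sa to add
	 */
	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);

	/**
	 * Get a CHILD_SA identified by protocol and SPI.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			SPI of the CHILD_SA
	 * @param inbound		TRUE if SPI is inbound, FALSE if outbound
	 * @return				child_sa, or NULL if none found
	 */
	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
								 uint32_t spi, bool inbound);

	/**
	 * Get the number of CHILD_SAs.
	 *
	 * @return				number of CHILD_SAs
	 */
	int (*get_child_count) (ike_sa_t *this);

	/**
	 * Create an enumerator over all CHILD_SAs.
	 */
	enumerator_t* (*create_child_sa_enumerator) (ike_sa_t *this);

	/**
	 * Remove the CHILD_SA the given enumerator points to from this IKE_SA.
	 *
	 * @param enumerator	enumerator pointing to CHILD_SA
	 */
	void (*remove_child_sa) (ike_sa_t *this, enumerator_t *enumerator);

	/**
	 * Rekey the CHILD SA with the specified reqid.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS, if rekeying initiated
	 */
	status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol,
								uint32_t spi);

	/**
	 * Close the CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
	 * notify's the remote peer about the delete. The associated
	 * states and policies in the kernel get deleted, if they exist.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @param expired		TRUE if CHILD_SA is expired
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS, if delete message sent
	 */
	status_t (*delete_child_sa)(ike_sa_t *this, protocol_id_t protocol,
								uint32_t spi, bool expired);

	/**
	 * Destroy a CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 */
	status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol,
								  uint32_t spi);

	/**
	 * Sets up a new IKE_SA, moves all CHILD_SAs to it and deletes this IKE_SA.
	 *
	 * @return				- SUCCESS, if IKE_SA rekeying initiated
	 */
	status_t (*rekey) (ike_sa_t *this);

	/**
	 * Reauthenticate the IKE_SA.
	 *
	 * Triggers a new IKE_SA that replaces this one. IKEv1 implicitly inherits
	 * all Quick Modes, while IKEv2 recreates all active and queued CHILD_SAs
	 * in the new IKE_SA.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reauth) (ike_sa_t *this);

	/**
	 * Reestablish the IKE_SA.
	 *
	 * Reestablish an IKE_SA after it has been closed.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reestablish) (ike_sa_t *this);

	/**
	 * Set the lifetime limit received/to send in a AUTH_LIFETIME notify.
	 *
	 * If the IKE_SA is already ESTABLISHED, an INFORMATIONAL is sent with
	 * an AUTH_LIFETIME notify. The call never fails on unestablished SAs.
	 *
	 * @param lifetime		lifetime in seconds
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*set_auth_lifetime)(ike_sa_t *this, uint32_t lifetime);

	/**
	 * Add a virtual IP to use for this IKE_SA and its children.
	 *
	 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
	 * lifetime as the IKE_SA.
	 *
	 * @param local			TRUE to set local address, FALSE for remote
	 * @param ip			IP to set as virtual IP
	 */
	void (*add_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);

	/**
	 * Clear all virtual IPs stored on this IKE_SA.
	 *
	 * @param local			TRUE to clear local addresses, FALSE for remote
	 */
	void (*clear_virtual_ips) (ike_sa_t *this, bool local);

	/**
	 * Get interface ID to use as default for children of this IKE_SA.
	 *
	 * @param inbound		TRUE for inbound interface ID
	 * @return				interface ID
	 */
	uint32_t (*get_if_id)(ike_sa_t *this, bool inbound);

	/**
	 * Create an enumerator over virtual IPs.
	 *
	 * @param local			TRUE to get local virtual IP, FALSE for remote
	 * @return				enumerator over host_t*
	 */
	enumerator_t* (*create_virtual_ip_enumerator) (ike_sa_t *this, bool local);

	/**
	 * Register a configuration attribute to the IKE_SA.
	 *
	 * If an IRAS sends a configuration attribute it is installed and
	 * registered at the IKE_SA. Attributes are inherit()ed and get released
	 * when the IKE_SA is closed.
	 *
	 * Unhandled attributes are passed as well, but with a NULL handler. They
	 * do not get released.
	 *
	 * @param handler		handler installed the attribute, use for release()
	 * @param type			configuration attribute type
	 * @param data			associated attribute data
	 */
	void (*add_configuration_attribute)(ike_sa_t *this,
							attribute_handler_t *handler,
							configuration_attribute_type_t type, chunk_t data);

	/**
	 * Create an enumerator over received configuration attributes.
	 *
	 * The resulting enumerator is over the configuration_attribute_type_t type,
	 * a value chunk_t followed by a bool flag. The boolean flag indicates if
	 * the attribute has been handled by an attribute handler.
	 *
	 * @return				enumerator over type, value and the "handled" flag.
	 */
	enumerator_t* (*create_attribute_enumerator)(ike_sa_t *this);

	/**
	 * Set local and remote host addresses to be used for IKE.
	 *
	 * These addresses are communicated via the KMADDRESS field of a MIGRATE
	 * message sent via the NETLINK or PF _KEY kernel socket interface.
	 *
	 * @param local			local kmaddress
	 * @param remote		remote kmaddress
	 */
	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);

	/**
	 * Create enumerator over a task queue of this IKE_SA.
	 *
	 * @param queue			type to enumerate
	 * @return				enumerator over task_t
	 */
	enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);

	/**
	 * Remove the task the given enumerator points to.
	 *
	 * @note This should be used with caution, in particular, for tasks in the
	 * active and passive queues.
	 *
	 * @param enumerator	enumerator created with the method above
	 */
	void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator);

	/**
	 * Flush a task queue, canceling all tasks in it.
	 *
	 * @param queue			queue type to flush
	 */
	void (*flush_queue)(ike_sa_t *this, task_queue_t queue);

	/**
	 * Queue a task for initiation to the task manager.
	 *
	 * @param task			task to queue
	 */
	void (*queue_task)(ike_sa_t *this, task_t *task);

	/**
	 * Queue a task in the manager, but delay its initiation for at least the
	 * given number of seconds.
	 *
	 * @param task			task to queue
	 * @param delay			minimum delay in s before initiating the task
	 */
	void (*queue_task_delayed)(ike_sa_t *this, task_t *task, uint32_t delay);

	/**
	 * Adopt child creating tasks from the given IKE_SA.
	 *
	 * @param other			other IKE_SA to adopt tasks from
	 */
	void (*adopt_child_tasks)(ike_sa_t *this, ike_sa_t *other);

	/**
	 * Inherit required attributes to new SA before rekeying.
	 *
	 * Some properties of the SA must be applied before starting IKE_SA
	 * rekeying, such as the configuration or support extensions.
	 *
	 * @param other			other IKE_SA to inherit from
	 */
	void (*inherit_pre)(ike_sa_t *this, ike_sa_t *other);

	/**
	 * Inherit all attributes of other to this after rekeying.
	 *
	 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
	 * outstanding tasks are moved from other to this.
	 *
	 * @param other			other IKE SA to inherit from
	 */
	void (*inherit_post) (ike_sa_t *this, ike_sa_t *other);

	/**
	 * Reset the IKE_SA, usable when initiating fails.
	 *
	 * @param new_spi		TRUE to allocate a new initiator SPI
	 */
	void (*reset) (ike_sa_t *this, bool new_spi);

	/**
	 * Destroys a ike_sa_t object.
	 */
	void (*destroy) (ike_sa_t *this);
};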
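/**
 * Creates an ike_sa_t object with a specific ID and IKE version.
 *
 * @param ike_sa_id		ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
 * @param initiator		TRUE to create this IKE_SA as initiator
 * @param version		IKE version of this SA
 * @return				ike_sa_t object; the caller owns it and releases it
 *						with its destroy() method
 */
ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
						ike_version_t version);

/**
 * Check if the given IKE_SA can be reauthenticated actively or if config
 * parameters or the authentication method prevent it.
 *
 * @param this			IKE_SA to check
 * @return				TRUE if active reauthentication is possible
 */
bool ike_sa_can_reauthenticate(ike_sa_t *this);

/**
 * Get hosts, virtual or physical, for deriving dynamic traffic selectors.
 *
 * @param this			IKE_SA to retrieve addresses from
 * @param local			TRUE to get local hosts
 * @return				list of hosts (internal objects)
 */
linked_list_t *ike_sa_get_dynamic_hosts(ike_sa_t *this, bool local);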
1277 #endif /** IKE_SA_H_ @}*/