/* strongSwan IPsec config file parser
 * Copyright (C) 2001-2002 Mathieu Lafon
 * Arkoon Network Security
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 */

/* Include guard.  NOTE(review): an identifier starting with '_' plus an
 * uppercase letter is reserved for the implementation in C; the name is kept
 * unchanged here because other translation units may test it. */
#ifndef _IPSEC_CONFREAD_H_
#define _IPSEC_CONFREAD_H_

#include <stdint.h>

#include <kernel/kernel_ipsec.h>

#include "ipsec-parser.h"

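/** bitmask recording which keywords of a section have been seen (see SEEN_KW) */
typedef uint64_t seen_t;

/* No keyword seen yet.  Deliberately without a trailing ';' so the macro is
 * usable inside expressions such as comparisons or initializers; the former
 * "0;" expansion only worked as a complete statement. */
#define SEEN_NONE 0

/* Bit for keyword kw, counted from base (the first keyword of its section).
 * NOTE(review): (kw - base) must stay below 64 for a 64-bit seen_t, the shift
 * is undefined behaviour otherwise -- confirm the keyword tables in
 * ipsec-parser.h never exceed 64 entries per section. */
#define SEEN_KW(kw, base) ((seen_t)1 << ((kw) - (base)))
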
/**
 * Startup action recorded for a conn or ca section (the "startup" member of
 * starter_conn_t / starter_ca_t).  Presumably derived from the section's
 * auto= keyword -- confirm in confread.c.
 */
typedef enum {
	STARTUP_NO = 0,
	STARTUP_ADD = 1,
	STARTUP_ROUTE = 2,
	STARTUP_START = 3,
} startup_t;

/**
 * Processing state of a conn or ca section (the "state" member of
 * starter_conn_t / starter_ca_t).
 */
typedef enum {
	STATE_IGNORE = 0,
	STATE_TO_ADD = 1,
	STATE_ADDED = 2,
	STATE_REPLACED = 3,
	STATE_INVALID = 4,
} starter_state_t;

/**
 * IKE version selected for a connection.
 *
 * The numeric values are shared with ike_version_t, so they must not be
 * changed here without changing that type as well.
 */
typedef enum {
	/** either IKE version */
	KEY_EXCHANGE_IKE = 0,
	/** IKEv1 only */
	KEY_EXCHANGE_IKEV1 = 1,
	/** IKEv2 only */
	KEY_EXCHANGE_IKEV2 = 2,
} keyexchange_t;

/**
 * Strictness of CRL checking (the "strictcrlpolicy" member of the setup
 * section in starter_config_t).
 */
typedef enum {
	STRICT_NO = 0,
	STRICT_YES = 1,
	STRICT_IFURI = 2,
} strict_t;

/**
 * When to send our certificate to the peer (the "sendcert" member of
 * starter_end_t).
 *
 * CERT_YES_SEND and CERT_NO_SEND are accepted as synonyms of
 * CERT_ALWAYS_SEND / CERT_NEVER_SEND, but note that they are distinct
 * enumerator values; the folding presumably happens in the parser or the
 * consumer -- confirm in confread.c before comparing against them.
 */
typedef enum {
	CERT_ALWAYS_SEND = 0,
	CERT_SEND_IF_ASKED = 1,
	CERT_NEVER_SEND = 2,
	/** synonym for CERT_ALWAYS_SEND */
	CERT_YES_SEND = 3,
	/** synonym for CERT_NEVER_SEND */
	CERT_NO_SEND = 4,
} certpolicy_t;

/**
 * Action to take when dead peer detection fails; also reused for the
 * "close_action" member of starter_conn_t.
 */
typedef enum {
	DPD_ACTION_NONE = 0,
	DPD_ACTION_CLEAR = 1,
	DPD_ACTION_HOLD = 2,
	DPD_ACTION_RESTART = 3,
	/** unrecognised keyword value (sic: spelling kept for compatibility) */
	DPD_ACTION_UNKNOW = 4,
} dpd_action_t;

/**
 * IKE fragmentation setting of a connection.
 *
 * The numeric values are the same as in ike_cfg.h and are passed through
 * unchanged, so the two enums must be kept in sync.
 */
typedef enum {
	FRAGMENTATION_NO = 0,
	FRAGMENTATION_YES = 1,
	FRAGMENTATION_FORCE = 2,
} fragmentation_t;

/**
 * Per-connection boolean options; the "options" member of starter_conn_t
 * holds the bitwise OR of the flags that are enabled.
 */
typedef enum {
	/* IPsec options */
	/** use AH instead of ESP? */
	SA_OPTION_AUTHENTICATE = 0x01,
	/** use IPComp */
	SA_OPTION_COMPRESS = 0x02,

	/* IKE and other options */
	/** don't rekey state either Phase */
	SA_OPTION_DONT_REKEY = 0x04,
	/** don't reauthenticate on rekeying, IKEv2 only */
	SA_OPTION_DONT_REAUTH = 0x08,
	/** is modecfg pushed by server? */
	SA_OPTION_MODECFG_PUSH = 0x10,
	/** are we an XAUTH server? */
	SA_OPTION_XAUTH_SERVER = 0x20,
	/** enable MOBIKE for IKEv2 */
	SA_OPTION_MOBIKE = 0x40,
	/** force UDP encapsulation */
	SA_OPTION_FORCE_ENCAP = 0x80,
} sa_option_t;

typedef struct starter_end starter_end_t;

/**
 * Settings of one end of a connection; starter_conn_t embeds one as
 * "left" and one as "right".
 *
 * The char* members are strings filled in by the parser.  Presumably they
 * are owned by the enclosing starter_config_t and released by
 * confread_free() -- confirm in confread.c before freeing any of them.
 */
struct starter_end {
	/** SEEN_KW() bitmask of the keywords set for this end */
	seen_t seen;
	/* authentication and identity settings; the "2" variants presumably hold
	 * the second value of the corresponding keyword -- confirm in confread.c */
	char *auth;
	char *auth2;
	char *id;
	char *id2;
	char *rsakey;
	char *cert;
	char *cert2;
	char *ca;
	char *ca2;
	char *groups;
	char *groups2;
	char *cert_policy;
	/* address of this end and the IKE port to use for it */
	char *host;
	u_int ikeport;
	char *subnet;
	bool modecfg;
	/** when to send our certificate, see certpolicy_t */
	certpolicy_t sendcert;
	bool firewall;
	bool hostaccess;
	bool allow_any;
	/** updown script for this end */
	char *updown;
	/* traffic selector port/protocol, presumably -- confirm in confread.c */
	u_int16_t port;
	u_int8_t protocol;
	char *sourceip;
	char *dns;
};

typedef struct also also_t;

/**
 * One entry of a section's also= list, linked through "next".
 */
struct also {
	/** name of the referenced section */
	char *name;
	/** presumably set once the referenced section has been merged in; this
	 * is what lets the parser stop on circular also= references -- confirm
	 * in confread.c */
	bool included;
	/** next also= entry, NULL at the end of the list */
	also_t *next;
};

typedef struct starter_conn starter_conn_t;

/**
 * One conn section of the configuration.  starter_config_t keeps these in a
 * singly linked list (conn_first .. conn_last) plus the %default section
 * in conn_default.
 */
struct starter_conn {
	/* section bookkeeping, shared layout with starter_ca_t */
	/** SEEN_KW() bitmask of the keywords set in this section */
	seen_t seen;
	/** section name */
	char *name;
	/** also= references of this section */
	also_t *also;
	/** raw keyword list from the parser (kw_list_t is from ipsec-parser.h) */
	kw_list_t *kw;
	/** presumably a visit counter used while resolving also= chains */
	u_int visit;
	startup_t startup;
	starter_state_t state;

	/* IKE and IPsec settings */
	keyexchange_t keyexchange;
	char *eap_identity;
	char *aaa_identity;
	char *xauth_identity;
	char *authby;
	ipsec_mode_t mode;
	bool proxy_mode;
	fragmentation_t fragmentation;
	/** bitwise OR of SA_OPTION_* flags */
	sa_option_t options;
	/* lifetimes and rekeying limits */
	time_t sa_ike_life_seconds;
	time_t sa_ipsec_life_seconds;
	time_t sa_rekey_margin;
	u_int64_t sa_ipsec_life_bytes;
	u_int64_t sa_ipsec_margin_bytes;
	u_int64_t sa_ipsec_life_packets;
	u_int64_t sa_ipsec_margin_packets;
	unsigned long sa_keying_tries;
	unsigned long sa_rekey_fuzz;
	u_int32_t reqid;
	/* kernel marks for inbound/outbound traffic (mark_t from kernel_ipsec.h) */
	mark_t mark_in;
	mark_t mark_out;
	u_int32_t tfc;
	bool install_policy;
	bool aggressive;
	/** the two ends of the connection */
	starter_end_t left, right;

	unsigned long id;

	/* proposal strings as written in the config */
	char *esp;
	char *ike;

	/* dead peer detection */
	time_t dpd_delay;
	time_t dpd_timeout;
	dpd_action_t dpd_action;
	int dpd_count;

	/** action on close, reuses the dpd_action_t values */
	dpd_action_t close_action;

	time_t inactivity;

	/* mediation extension settings */
	bool me_mediation;
	char *me_mediated_by;
	char *me_peerid;

	/** next conn section in the list, NULL at the end */
	starter_conn_t *next;
};

typedef struct starter_ca starter_ca_t;

/**
 * One ca section of the configuration.  starter_config_t keeps these in a
 * singly linked list (ca_first .. ca_last) plus the %default section in
 * ca_default.
 */
struct starter_ca {
	/* section bookkeeping, same leading members as starter_conn_t */
	/** SEEN_KW() bitmask of the keywords set in this section */
	seen_t seen;
	/** section name */
	char *name;
	/** also= references of this section */
	also_t *also;
	/** raw keyword list from the parser (kw_list_t is from ipsec-parser.h) */
	kw_list_t *kw;
	/** presumably a visit counter used while resolving also= chains */
	u_int visit;
	startup_t startup;
	starter_state_t state;

	/* CA certificate and the URIs to fetch revocation information from */
	char *cacert;
	char *crluri;
	char *crluri2;
	char *ocspuri;
	char *ocspuri2;
	char *certuribase;

	bool strict;

	/** next ca section in the list, NULL at the end */
	starter_ca_t *next;
};

typedef struct starter_config starter_config_t;

/**
 * Result of parsing one configuration file with confread_load(); released
 * with confread_free().
 */
struct starter_config {
	/* settings of the "config setup" section, presumably -- confirm in confread.c */
	struct {
		/** SEEN_KW() bitmask of the keywords set in the setup section */
		seen_t seen;
		bool charonstart;
		char *charondebug;
		bool uniqueids;
		bool cachecrls;
		strict_t strictcrlpolicy;
	} setup;

	/* number of encountered parsing errors; a caller should check err before
	 * using the rest of the structure */
	u_int err;
	u_int non_fatal_err;

	/* do we parse also statements */
	bool parse_also;

	/* ca %default */
	starter_ca_t ca_default;

	/* ca list (without %default) */
	starter_ca_t *ca_first, *ca_last;

	/* conn %default */
	starter_conn_t conn_default;

	/* connections list (without %default) */
	starter_conn_t *conn_first, *conn_last;
};

/**
 * Parse a configuration file into a starter_config_t.
 *
 * @param file   path of the configuration file to read
 * @return       newly allocated configuration, to be released with
 *               confread_free(); parse errors are counted in its err and
 *               non_fatal_err members.  Presumably NULL when the file cannot
 *               be read -- confirm in confread.c.
 */
starter_config_t *confread_load(const char *file);

/**
 * Release a configuration returned by confread_load(), presumably including
 * all sections and strings it owns.
 *
 * @param cfg    configuration to free
 */
void confread_free(starter_config_t *cfg);

#endif /* _IPSEC_CONFREAD_H_ */
