7ba38761 1/*
dec3c184 2 * Copyright (C) 2006-2019 Tobias Brunner
d5cc1758 3 * Copyright (C) 2006 Daniel Roethlisberger
a44bb934 4 * Copyright (C) 2005-2009 Martin Willi
c71d53ba 5 * Copyright (C) 2005 Jan Hutter
208678e6 6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19/**
20 * @defgroup ike_sa ike_sa
21 * @{ @ingroup sa
22 */
23
24#ifndef IKE_SA_H_
25#define IKE_SA_H_
26
3b04350a 27typedef enum ike_extension_t ike_extension_t;
17d92e97 28typedef enum ike_condition_t ike_condition_t;
382b4817 29typedef enum ike_sa_state_t ike_sa_state_t;
ee614711 30typedef enum statistic_t statistic_t;
31typedef struct ike_sa_t ike_sa_t;
32
db7ef624 33#include <library.h>
58f86d0f 34#include <attributes/attribute_handler.h>
4a962238 35#include <encoding/message.h>
b9d9f188 36#include <encoding/payloads/proposal_substructure.h>
7f56b494 37#include <encoding/payloads/configuration_attribute.h>
96f79ff1 38#include <sa/ike_sa_id.h>
30b5b412 39#include <sa/child_sa.h>
15a682f4 40#include <sa/task.h>
ea340ee8 41#include <sa/task_manager.h>
6a4ff35c 42#include <sa/keymat.h>
43#include <config/peer_cfg.h>
44#include <config/ike_cfg.h>
2ccc02a4 45#include <credentials/auth_cfg.h>
fdee6b5f 46#include <networking/packet.h>
8323a9c1 47
/**
 * Timeout in seconds after which a half-open IKE_SA gets deleted.
 *
 * A half-open IKE_SA is one that has not completed authentication yet
 * (presumably IKE_CONNECTING in ike_sa_state_t below), i.e. it was created
 * on behalf of a peer that has not proven its identity. Bounding its lifetime
 * limits how long an unauthenticated peer can hold state on this side.
 */
#define HALF_OPEN_IKE_SA_TIMEOUT 30

/**
 * Interval to send keepalives when NATed, in seconds.
 *
 * Keepalives only refresh NAT mappings (see send_keepalive()); they are not a
 * liveness check, that is what send_dpd() is for.
 */
#define KEEPALIVE_INTERVAL 20

/**
 * After which time rekeying should be retried if it failed, in seconds.
 */
#define RETRY_INTERVAL 15

/**
 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
 *
 * Presumably meant to keep many SAs whose rekeying failed at the same moment
 * from retrying in lockstep; since the jitter is subtracted, the effective
 * delay lies in [RETRY_INTERVAL - RETRY_JITTER, RETRY_INTERVAL].
 */
#define RETRY_JITTER 10

/**
 * Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD.
 *
 * Bounds how often a single IKE_SA may follow redirect requests (see
 * redirect()/handle_redirect() and EXT_IKE_REDIRECTION), so that gateways
 * redirecting to each other cannot bounce a client around indefinitely.
 */
#define MAX_REDIRECTS 5

/**
 * Time period in seconds in which at most MAX_REDIRECTS are allowed.
 */
#define REDIRECT_LOOP_DETECT_PERIOD 300
77
/**
 * Extensions (or optional features) the peer supports
 *
 * Flags are set with enable_extension() once support for a feature has been
 * detected in the peer's messages and queried with supports_extension().
 * NOTE(review): at least some of these are presumably learned from
 * IKE_SA_INIT, i.e. before the peer is authenticated. They describe what the
 * peer *claims* to support and must not be used to relax authentication or
 * authorization decisions.
 */
enum ike_extension_t {

	/**
	 * peer supports NAT traversal as specified in RFC4306 or RFC3947
	 * including some RFC3947 drafts
	 */
	EXT_NATT = (1<<0),

	/**
	 * peer supports MOBIKE (RFC4555)
	 */
	EXT_MOBIKE = (1<<1),

	/**
	 * peer supports HTTP cert lookups as specified in RFC4306
	 */
	EXT_HASH_AND_URL = (1<<2),

	/**
	 * peer supports multiple authentication exchanges, RFC4739
	 */
	EXT_MULTIPLE_AUTH = (1<<3),

	/**
	 * peer uses strongSwan, accept private use extensions
	 *
	 * NOTE(review): this is a claim made by the peer (presumably via a vendor
	 * ID), not an authenticated property; do not gate anything
	 * security-relevant on it alone.
	 */
	EXT_STRONGSWAN = (1<<4),

	/**
	 * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
	 */
	EXT_EAP_ONLY_AUTHENTICATION = (1<<5),

	/**
	 * peer is probably a Windows RAS client
	 */
	EXT_MS_WINDOWS = (1<<6),

	/**
	 * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
	 */
	EXT_XAUTH = (1<<7),

	/**
	 * peer supports DPD detection, RFC 3706 (or IKEv2)
	 */
	EXT_DPD = (1<<8),

	/**
	 * peer supports Cisco Unity configuration attributes
	 */
	EXT_CISCO_UNITY = (1<<9),

	/**
	 * peer supports NAT traversal as specified in
	 * draft-ietf-ipsec-nat-t-ike-02 .. -03
	 */
	EXT_NATT_DRAFT_02_03 = (1<<10),

	/**
	 * peer supports proprietary IKEv1 or standardized IKEv2 fragmentation
	 */
	EXT_IKE_FRAGMENTATION = (1<<11),

	/**
	 * Signature Authentication, RFC 7427
	 */
	EXT_SIGNATURE_AUTH = (1<<12),

	/**
	 * IKEv2 Redirect Mechanism, RFC 5685
	 */
	EXT_IKE_REDIRECTION = (1<<13),

	/**
	 * IKEv2 Message ID sync, RFC 6311
	 */
	EXT_IKE_MESSAGE_ID_SYNC = (1<<14),

	/**
	 * Postquantum Preshared Keys, draft-ietf-ipsecme-qr-ikev2
	 */
	EXT_PPK = (1<<15),

	/**
	 * Responder accepts childless IKE_SAs, RFC 6023
	 *
	 * Set on the initiator when the responder announced that it accepts an
	 * IKE_AUTH without a CHILD_SA proposal.
	 */
	EXT_IKE_CHILDLESS = (1<<16),
};
170
/**
 * Conditions of an IKE_SA, change during its lifetime
 *
 * Unlike ike_extension_t these are facts about this side's view of the
 * connection; they are toggled with set_condition() and read with
 * has_condition().
 */
enum ike_condition_t {

	/**
	 * Connection is natted (or faked) somewhere
	 */
	COND_NAT_ANY = (1<<0),

	/**
	 * we are behind NAT
	 */
	COND_NAT_HERE = (1<<1),

	/**
	 * other is behind NAT
	 */
	COND_NAT_THERE = (1<<2),

	/**
	 * Faking NAT to enforce UDP encapsulation
	 */
	COND_NAT_FAKE = (1<<3),

	/**
	 * peer has been authenticated using EAP at least once
	 */
	COND_EAP_AUTHENTICATED = (1<<4),

	/**
	 * received a certificate request from the peer
	 */
	COND_CERTREQ_SEEN = (1<<5),

	/**
	 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
	 */
	COND_ORIGINAL_INITIATOR = (1<<6),

	/**
	 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
	 */
	COND_STALE = (1<<7),

	/**
	 * Initial contact received
	 */
	COND_INIT_CONTACT_SEEN = (1<<8),

	/**
	 * Peer has been authenticated using XAuth
	 */
	COND_XAUTH_AUTHENTICATED = (1<<9),

	/**
	 * This IKE_SA is currently being reauthenticated
	 */
	COND_REAUTHENTICATING = (1<<10),

	/**
	 * This IKE_SA has been redirected
	 */
	COND_REDIRECTED = (1<<11),

	/**
	 * Online certificate revocation checking is suspended for this IKE_SA
	 *
	 * NOTE(review): while this is set, the peer's certificates have not been
	 * checked against online revocation sources. The deferred check is
	 * presumably verify_peer_certificate(); whoever sets this flag is
	 * responsible for making sure that check eventually runs (or the IKE_SA
	 * is torn down).
	 */
	COND_ONLINE_VALIDATION_SUSPENDED = (1<<12),

	/**
	 * A Postquantum Preshared Key was used when this IKE_SA was created
	 */
	COND_PPK = (1<<13),
};
246
/**
 * Timing information and statistics to query from an SA
 *
 * Values are read with get_statistic() and written with set_statistic(), both
 * of which use uint32_t.
 */
enum statistic_t {
	/** Timestamp of SA establishment */
	STAT_ESTABLISHED = 0,
	/** Timestamp of scheduled rekeying */
	STAT_REKEY,
	/** Timestamp of scheduled reauthentication */
	STAT_REAUTH,
	/** Timestamp of scheduled delete */
	STAT_DELETE,
	/** Timestamp of last inbound IKE packet */
	STAT_INBOUND,
	/** Timestamp of last outbound IKE packet */
	STAT_OUTBOUND,

	/** Number of statistic kinds, not a valid kind itself */
	STAT_MAX
};
3b138b84 266
/**
 * State of an IKE_SA.
 *
 * An IKE_SA passes various states in its lifetime. A newly created
 * SA is in the state CREATED.
 *
 * The diagram below uses the older SA_* names and does not show
 * IKE_PASSIVE, IKE_REKEYED and IKE_DESTROYING; see the enum entries.
 * @verbatim
                 +----------------+
                 ¦   SA_CREATED   ¦
                 +----------------+
                         ¦
    on initiate()--->    ¦   <----- on IKE_SA_INIT received
                         V
                 +----------------+
                 ¦  SA_CONNECTING ¦
                 +----------------+
                         ¦
                         ¦   <----- on IKE_AUTH successfully completed
                         V
                 +----------------+
                 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
                 +----------------+                         ¦
                         ¦                                  V
    on delete()--->      ¦   <----- on IKE_SA        +-------------+
                         ¦          delete request   ¦ SA_REKEYING ¦
                         ¦          received         +-------------+
                         V                                  ¦
                 +----------------+                         ¦
                 ¦   SA_DELETING  ¦<------------------------+ <-- after rekeying
                 +----------------+
                         ¦
                         ¦   <----- after delete() acknowledged
                         ¦
                        \V/
                         X
                        / \
 * @endverbatim
 */
enum ike_sa_state_t {

	/**
	 * IKE_SA just got created, but is not initiating nor responding yet.
	 */
	IKE_CREATED,

	/**
	 * IKE_SA gets initiated actively or passively
	 *
	 * Authentication is not complete in this state; such SAs are subject to
	 * HALF_OPEN_IKE_SA_TIMEOUT (presumably).
	 */
	IKE_CONNECTING,

	/**
	 * IKE_SA is fully established
	 */
	IKE_ESTABLISHED,

	/**
	 * IKE_SA is managed externally and does not process messages
	 */
	IKE_PASSIVE,

	/**
	 * IKE_SA rekeying in progress
	 */
	IKE_REKEYING,

	/**
	 * IKE_SA has been rekeyed (or is redundant)
	 */
	IKE_REKEYED,

	/**
	 * IKE_SA is in progress of deletion
	 */
	IKE_DELETING,

	/**
	 * IKE_SA object gets destroyed
	 */
	IKE_DESTROYING,
};
346
/**
 * enum names for ike_sa_state_t.
 *
 * Presumably indexed by enum value, so new states should be appended to
 * ike_sa_state_t rather than inserted, and this table updated alongside.
 */
extern enum_name_t *ike_sa_state_names;
351
352/**
552cc11b 353 * Class ike_sa_t representing an IKE_SA.
3dd3c5f3
MW
354 *
355 * An IKE_SA contains crypto information related to a connection
356 * with a peer. It contains multiple IPsec CHILD_SA, for which
357 * it is responsible. All traffic is handled by an IKE_SA, using
c60c7694 358 * the task manager and its tasks.
7ba38761 359 */
5796aa16 360struct ike_sa_t {
361
	/**
	 * Get the id of the SA.
	 *
	 * The returned ike_sa_id_t is not cloned: the caller must neither destroy
	 * it nor keep it beyond the lifetime of this IKE_SA.
	 *
	 * @return				ike_sa's ike_sa_id_t
	 */
	ike_sa_id_t* (*get_id) (ike_sa_t *this);

	/**
	 * Gets the IKE version of the SA
	 *
	 * @return				IKE version this SA speaks
	 */
	ike_version_t (*get_version)(ike_sa_t *this);

	/**
	 * Get the numerical ID uniquely defining this IKE_SA.
	 *
	 * @return				unique ID
	 */
	uint32_t (*get_unique_id) (ike_sa_t *this);

	/**
	 * Get the state of the IKE_SA.
	 *
	 * @return				state of the IKE_SA
	 */
	ike_sa_state_t (*get_state) (ike_sa_t *this);

	/**
	 * Set the state of the IKE_SA.
	 *
	 * NOTE(review): nothing in this interface indicates that transitions are
	 * validated against ike_sa_state_t's lifecycle; callers are presumably
	 * expected to only perform the transitions shown there.
	 *
	 * @param state			state to set for the IKE_SA
	 */
	void (*set_state) (ike_sa_t *this, ike_sa_state_t state);

	/**
	 * Get the name of the connection this IKE_SA uses.
	 *
	 * @return				name
	 */
	char* (*get_name) (ike_sa_t *this);

	/**
	 * Get statistic values from the IKE_SA.
	 *
	 * For the STAT_* kinds the value is a timestamp (see statistic_t).
	 *
	 * @param kind			kind of requested value
	 * @return				value as integer
	 */
	uint32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);

	/**
	 * Set statistic value of the IKE_SA.
	 *
	 * @param kind			kind of value to update
	 * @param value			value as integer
	 */
	void (*set_statistic)(ike_sa_t *this, statistic_t kind, uint32_t value);
44ff1153 419
	/**
	 * Get the own host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_my_host) (ike_sa_t *this);

	/**
	 * Set the own host address.
	 *
	 * @param me			host address
	 */
	void (*set_my_host) (ike_sa_t *this, host_t *me);

	/**
	 * Get the other peers host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_other_host) (ike_sa_t *this);

	/**
	 * Set the others host address.
	 *
	 * @param other			host address
	 */
	void (*set_other_host) (ike_sa_t *this, host_t *other);

	/**
	 * Float to port 4500 (e.g. if a NAT is detected).
	 *
	 * The port of either endpoint is changed only if it is currently
	 * set to the default value of 500.
	 */
	void (*float_ports)(ike_sa_t *this);

	/**
	 * Update the IKE_SAs host.
	 *
	 * Hosts may be NULL to use current host.
	 *
	 * NOTE(review): moving the remote address re-targets where IKE messages
	 * and (presumably) the CHILD_SAs' traffic are sent. Callers should only
	 * feed in addresses learned from integrity-protected exchanges or from
	 * responses to requests we sent ourselves, not from arbitrary unsolicited
	 * packets - confirm against the call sites.
	 *
	 * @param me			new local host address, or NULL
	 * @param other			new remote host address, or NULL
	 * @param force			force update
	 */
	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force);
7daf5226 466
	/**
	 * Get the own identification.
	 *
	 * @return				identification
	 */
	identification_t* (*get_my_id) (ike_sa_t *this);

	/**
	 * Set the own identification.
	 *
	 * @param me			identification
	 */
	void (*set_my_id) (ike_sa_t *this, identification_t *me);

	/**
	 * Get the other peer's identification.
	 *
	 * @return				identification
	 */
	identification_t* (*get_other_id) (ike_sa_t *this);

	/**
	 * Get the others peer identity, but prefer an EAP-Identity.
	 *
	 * NOTE(review): get_other_id() and this method can return different
	 * identities for the same peer. Code that makes policy or uniqueness
	 * decisions should be consistent about which one it uses.
	 *
	 * @return				EAP or IKEv2 identity
	 */
	identification_t* (*get_other_eap_id)(ike_sa_t *this);

	/**
	 * Set the other peer's identification.
	 *
	 * @param other			identification
	 */
	void (*set_other_id) (ike_sa_t *this, identification_t *other);
7daf5226 501
	/**
	 * Get the config used to setup this IKE_SA.
	 *
	 * @return				ike_config
	 */
	ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);

	/**
	 * Set the config to setup this IKE_SA.
	 *
	 * @param config		ike_config to use
	 */
	void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);

	/**
	 * Get the peer config used by this IKE_SA.
	 *
	 * @return				peer_config
	 */
	peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);

	/**
	 * Set the peer config to use with this IKE_SA.
	 *
	 * The peer config carries the authentication constraints this IKE_SA
	 * enforces, so changing it on an established SA should be done only by
	 * code that re-evaluates those constraints (presumably reauth/rekey
	 * paths).
	 *
	 * @param config		peer_config to use
	 */
	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
7daf5226 529
	/**
	 * Get the authentication config with rules of the current auth round.
	 *
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 * @return				current cfg
	 */
	auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);

	/**
	 * Insert a completed authentication round.
	 *
	 * @param local			TRUE for own rules, FALSE for others constraints
	 * @param cfg			auth config to append
	 */
	void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);

	/**
	 * Create an enumerator over added authentication rounds.
	 *
	 * @param local			TRUE for own rules, FALSE for others constraints
	 * @return				enumerator over auth_cfg_t
	 */
	enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);

	/**
	 * Verify the trustchains (validity, revocation) in completed public key
	 * auth rounds.
	 *
	 * This is the check that is deferred while
	 * COND_ONLINE_VALIDATION_SUSPENDED is set (presumably). A FALSE result
	 * means the peer's certificate chain is not acceptable; the caller is
	 * expected to act on it (e.g. delete the IKE_SA) rather than ignore it.
	 *
	 * @return				TRUE if certificates were valid, FALSE otherwise
	 */
	bool (*verify_peer_certificate)(ike_sa_t *this);
561
	/**
	 * Get the selected proposal of this IKE_SA.
	 *
	 * @return				selected proposal
	 */
	proposal_t* (*get_proposal)(ike_sa_t *this);

	/**
	 * Set the proposal selected for this IKE_SA.
	 *
	 * @param proposal		selected proposal
	 */
	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);

	/**
	 * Set the message ID of the IKE_SA.
	 *
	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
	 * and one to respond to exchanges (expect).
	 *
	 * NOTE(review): message IDs are what lets the IKE_SA reject replayed or
	 * out-of-order requests. Setting the "expect" ID to a value below the
	 * current one would re-accept requests that were already processed, so
	 * this should only be used to move IDs forward or to values agreed with
	 * the peer (e.g. RFC 6311 sync, see EXT_IKE_MESSAGE_ID_SYNC) - confirm
	 * against the call sites.
	 *
	 * @param initiate		TRUE to set message ID for initiating
	 * @param mid			message id to set
	 */
	void (*set_message_id)(ike_sa_t *this, bool initiate, uint32_t mid);

	/**
	 * Get the message ID of the IKE_SA.
	 *
	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
	 * and one to respond to exchanges (expect).
	 *
	 * @param initiate		TRUE to get message ID for initiating
	 * @return				current message
	 */
	uint32_t (*get_message_id)(ike_sa_t *this, bool initiate);
597
	/**
	 * Add an additional address for the peer.
	 *
	 * In MOBIKE, a peer may transmit additional addresses where it is
	 * reachable. These are stored in the IKE_SA.
	 * The own list of addresses is not stored, they are queried from
	 * the kernel when required.
	 *
	 * @param host			host to add to list
	 */
	void (*add_peer_address)(ike_sa_t *this, host_t *host);

	/**
	 * Create an enumerator over all known addresses of the peer.
	 *
	 * @return				enumerator over addresses
	 */
	enumerator_t* (*create_peer_address_enumerator)(ike_sa_t *this);

	/**
	 * Remove all known addresses of the peer.
	 */
	void (*clear_peer_addresses)(ike_sa_t *this);

	/**
	 * Check if mappings have changed on a NAT for our source address.
	 *
	 * Compares the NAT detection hash the peer reported for its destination
	 * (i.e. our address as seen by the peer) against what we expect
	 * (presumably); a mismatch means the NAT in front of us changed its
	 * mapping.
	 *
	 * @param hash			received DESTINATION_IP hash
	 * @return				TRUE if mappings have changed
	 */
	bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
7daf5226 629
	/**
	 * Enable an extension the peer supports.
	 *
	 * If support for an IKE extension is detected, this method is called
	 * to enable that extension and behave accordingly.
	 *
	 * NOTE(review): "detected" means the peer announced it; where that
	 * announcement arrives before authentication it is unverified (see the
	 * note on ike_extension_t).
	 *
	 * @param extension		extension to enable
	 */
	void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Check if the peer supports an extension.
	 *
	 * @param extension		extension to check for support
	 * @return				TRUE if peer supports it, FALSE otherwise
	 */
	bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Enable/disable a condition flag for this IKE_SA.
	 *
	 * @param condition		condition to enable/disable
	 * @param enable		TRUE to enable condition, FALSE to disable
	 */
	void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);

	/**
	 * Check if a condition flag is set.
	 *
	 * @param condition		condition to check
	 * @return				TRUE if condition flag set, FALSE otherwise
	 */
	bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
7daf5226 663
#ifdef ME
	/**
	 * Activate mediation server functionality for this IKE_SA.
	 */
	void (*act_as_mediation_server) (ike_sa_t *this);

	/**
	 * Get the server reflexive host.
	 *
	 * @return				server reflexive host
	 */
	host_t* (*get_server_reflexive_host) (ike_sa_t *this);

	/**
	 * Set the server reflexive host.
	 *
	 * @param host			server reflexive host
	 */
	void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);

	/**
	 * Get the connect ID.
	 *
	 * @return				connect ID
	 */
	chunk_t (*get_connect_id) (ike_sa_t *this);

	/**
	 * Initiate the mediation of a mediated connection (i.e. initiate a
	 * ME_CONNECT exchange to a mediation server).
	 *
	 * @param mediated_cfg	peer_cfg of the mediated connection
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);

	/**
	 * Initiate the mediated connection.
	 *
	 * @param me			local endpoint (gets cloned)
	 * @param other			remote endpoint (gets cloned)
	 * @param connect_id	connect ID (gets cloned)
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
								   chunk_t connect_id);

	/**
	 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
	 * to a peer).
	 *
	 * Data is cloned.
	 *
	 * NOTE(review): the relayed endpoints and connect key originate from a
	 * third party; the mediation server should not interpret them beyond
	 * forwarding - confirm in the implementation.
	 *
	 * @param requester		ID of the requesting peer
	 * @param connect_id	data of the ME_CONNECTID payload
	 * @param connect_key	data of the ME_CONNECTKEY payload
	 * @param endpoints		endpoints
	 * @param response		TRUE if this is a response
	 * @return
	 *						- SUCCESS if relay started
	 *						- DESTROY_ME if relay failed
	 */
	status_t (*relay) (ike_sa_t *this, identification_t *requester,
					   chunk_t connect_id, chunk_t connect_key,
					   linked_list_t *endpoints, bool response);

	/**
	 * Send a callback to a peer.
	 *
	 * Data is cloned.
	 *
	 * @param peer_id		ID of the other peer
	 * @return
	 *						- SUCCESS if response started
	 *						- DESTROY_ME if response failed
	 */
	status_t (*callback) (ike_sa_t *this, identification_t *peer_id);

	/**
	 * Respond to a ME_CONNECT request.
	 *
	 * Data is cloned.
	 *
	 * @param peer_id		ID of the other peer
	 * @param connect_id	the connect ID supplied by the initiator
	 * @return
	 *						- SUCCESS if response started
	 *						- DESTROY_ME if response failed
	 */
	status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
						 chunk_t connect_id);
#endif /* ME */
7daf5226 760
	/**
	 * Initiate a new connection.
	 *
	 * The configs are owned by the IKE_SA after the call. If the initiate
	 * is triggered by a packet, traffic selectors of the packet can be added
	 * to the CHILD_SA.
	 *
	 * @param child_cfg		child config to create CHILD from
	 * @param reqid			reqid to use for CHILD_SA, 0 to assign one uniquely
	 * @param tsi			source of triggering packet
	 * @param tsr			destination of triggering packet.
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
						  uint32_t reqid, traffic_selector_t *tsi,
						  traffic_selector_t *tsr);

	/**
	 * Retry initiation of this IKE_SA after it got deferred previously.
	 *
	 * @return
	 *						- SUCCESS if initiation deferred or started
	 *						- DESTROY_ME if initiation failed
	 */
	status_t (*retry_initiate) (ike_sa_t *this);

	/**
	 * Initiates the deletion of an IKE_SA.
	 *
	 * Sends a delete message to the remote peer and waits for its response.
	 * Once the response arrives, or a timeout occurs, the IKE_SA gets
	 * destroyed. If force is TRUE the IKE_SA is destroyed immediately instead,
	 * without waiting for a response.
	 *
	 * @param force			whether to immediately destroy the IKE_SA afterwards
	 *						without waiting for a response
	 * @return
	 *						- SUCCESS if deletion is initialized
	 *						- DESTROY_ME, if destroying is forced, or the IKE_SA
	 *						  is not in an established state and cannot be
	 *						  deleted (but destroyed)
	 */
	status_t (*delete) (ike_sa_t *this, bool force);

	/**
	 * Update IKE_SAs after network interfaces have changed.
	 *
	 * Whenever the network interface configuration changes, the kernel
	 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
	 * the new network config requires changes, and handles them
	 * appropriately. If MOBIKE is supported, addresses are updated; if not,
	 * the tunnel is restarted.
	 *
	 * @param address		TRUE if address list changed, FALSE otherwise
	 * @return				SUCCESS, FAILED, DESTROY_ME
	 */
	status_t (*roam)(ike_sa_t *this, bool address);
7daf5226 820
	/**
	 * Processes an incoming IKE message.
	 *
	 * Message processing may fail. If a critical failure occurs,
	 * process_message() returns DESTROY_ME. Then the caller must
	 * destroy the IKE_SA immediately, as it is unusable.
	 *
	 * @param message		message to process
	 * @return
	 *						- SUCCESS
	 *						- FAILED
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*process_message)(ike_sa_t *this, message_t *message);

	/**
	 * Generate an IKE message to send it to the peer.
	 *
	 * This method generates all payloads in the message and encrypts/signs
	 * the packet.
	 *
	 * @param message		message to generate
	 * @param packet		generated output packet
	 * @return
	 *						- SUCCESS
	 *						- FAILED
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*generate_message)(ike_sa_t *this, message_t *message,
								 packet_t **packet);

	/**
	 * Generate an IKE message to send it to the peer. If enabled and supported
	 * it will be fragmented.
	 *
	 * This method generates all payloads in the message and encrypts/signs
	 * the packet/fragments.
	 *
	 * @param message		message to generate
	 * @param packets		enumerator of generated packet_t* (are not destroyed
	 *						with the enumerator)
	 * @return
	 *						- SUCCESS
	 *						- FAILED
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*generate_message_fragmented)(ike_sa_t *this, message_t *message,
											enumerator_t **packets);

	/**
	 * Retransmits a request.
	 *
	 * @param message_id	ID of the request to retransmit
	 * @return
	 *						- SUCCESS
	 *						- NOT_FOUND if request doesn't have to be retransmitted
	 */
	status_t (*retransmit) (ike_sa_t *this, uint32_t message_id);
7daf5226 879
	/**
	 * Sends a DPD request to the peer.
	 *
	 * To check if a peer is still alive, periodic
	 * empty INFORMATIONAL messages are sent if no
	 * other traffic was received.
	 *
	 * @return
	 *						- SUCCESS
	 *						- DESTROY_ME, if peer did not respond
	 */
	status_t (*send_dpd) (ike_sa_t *this);

	/**
	 * Sends a keep alive packet.
	 *
	 * To refresh NAT tables in a NAT router between the peers, periodic empty
	 * UDP packets are sent if no other traffic was sent. Unlike send_dpd()
	 * this does not expect or verify any answer.
	 *
	 * @param scheduled		if this is a scheduled keepalive
	 */
	void (*send_keepalive) (ike_sa_t *this, bool scheduled);

	/**
	 * Redirect an active IKE_SA.
	 *
	 * @param gateway		gateway ID (IP or FQDN) of the target
	 * @return				state, including DESTROY_ME, if this IKE_SA MUST be
	 *						destroyed
	 */
	status_t (*redirect)(ike_sa_t *this, identification_t *gateway);

	/**
	 * Handle a redirect request.
	 *
	 * The behavior is different depending on the state of the IKE_SA.
	 * Presumably this is where MAX_REDIRECTS / REDIRECT_LOOP_DETECT_PERIOD
	 * are enforced; a redirect that would exceed them should be refused
	 * (return FALSE) rather than followed - confirm in the implementation.
	 *
	 * @param gateway		gateway ID (IP or FQDN) of the target
	 * @return				FALSE if redirect not possible, TRUE otherwise
	 */
	bool (*handle_redirect)(ike_sa_t *this, identification_t *gateway);

	/**
	 * Get the address of the gateway that redirected us.
	 *
	 * @return				original gateway address
	 */
	host_t *(*get_redirected_from)(ike_sa_t *this);
928
	/**
	 * Get the keying material of this IKE_SA.
	 *
	 * The returned object holds the IKE_SA's secret keys; it must not be
	 * logged, serialized or exposed outside the SA's own processing.
	 *
	 * @return				per IKE_SA keymat instance
	 */
	keymat_t* (*get_keymat)(ike_sa_t *this);

	/**
	 * Associates a child SA to this IKE SA
	 *
	 * @param child_sa		child_sa to add
	 */
	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);

	/**
	 * Get a CHILD_SA identified by protocol and SPI.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			SPI of the CHILD_SA
	 * @param inbound		TRUE if SPI is inbound, FALSE if outbound
	 * @return				child_sa, or NULL if none found
	 */
	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
								 uint32_t spi, bool inbound);

	/**
	 * Get the number of CHILD_SAs.
	 *
	 * @return				number of CHILD_SAs
	 */
	int (*get_child_count) (ike_sa_t *this);

	/**
	 * Create an enumerator over all CHILD_SAs.
	 *
	 * @return				enumerator
	 */
	enumerator_t* (*create_child_sa_enumerator) (ike_sa_t *this);

	/**
	 * Remove the CHILD_SA the given enumerator points to from this IKE_SA.
	 *
	 * The CHILD_SA is only detached here; its kernel state is not touched
	 * (compare delete_child_sa()/destroy_child_sa()).
	 *
	 * @param enumerator	enumerator pointing to CHILD_SA
	 */
	void (*remove_child_sa) (ike_sa_t *this, enumerator_t *enumerator);
7daf5226 974
1396815a 975 /**
552cc11b 976 * Rekey the CHILD SA with the specified reqid.
1396815a 977 *
3dd3c5f3 978 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
1396815a 979 *
698d7749
MW
980 * @param protocol protocol of the SA
981 * @param spi inbound SPI of the CHILD_SA
3dd3c5f3 982 * @return
4bbce1ef
TB
983 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
984 * - SUCCESS, if rekeying initiated
1396815a 985 */
b12c53ce 986 status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi);
698d7749 987
1396815a 988 /**
552cc11b 989 * Close the CHILD SA with the specified protocol/SPI.
698d7749
MW
990 *
991 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
992 * notify's the remote peer about the delete. The associated
993 * states and policies in the kernel get deleted, if they exist.
994 *
698d7749
MW
995 * @param protocol protocol of the SA
996 * @param spi inbound SPI of the CHILD_SA
3a925f74 997 * @param expired TRUE if CHILD_SA is expired
698d7749 998 * @return
4bbce1ef
TB
999 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
1000 * - SUCCESS, if delete message sent
1396815a 1001 */
3a925f74 1002 status_t (*delete_child_sa)(ike_sa_t *this, protocol_id_t protocol,
b12c53ce 1003 uint32_t spi, bool expired);
698d7749 1004
1396815a 1005 /**
552cc11b 1006 * Destroy a CHILD SA with the specified protocol/SPI.
1007 *
1008 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
1009 *
1010 * @param protocol protocol of the SA
1011 * @param spi inbound SPI of the CHILD_SA
1012 * @return
1013 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
1014 * - SUCCESS
1396815a 1015 */
b12c53ce 1016 status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi);
fe04e93a 1017
fe04e93a 1018 /**
552cc11b 1019 * Rekey the IKE_SA.
fe04e93a 1020 *
527b3f0c 1021 * Sets up a new IKE_SA, moves all CHILD_SAs to it and deletes this IKE_SA.
fe04e93a 1022 *
1023 * @return - SUCCESS, if IKE_SA rekeying initiated
1024 */
1025 status_t (*rekey) (ike_sa_t *this);
1026
6fe03b0a 1027 /**
96926b00 1028 * Reauthenticate the IKE_SA.
6fe03b0a 1029 *
1030 * Triggers a new IKE_SA that replaces this one. IKEv1 implicitly inherits
1031 * all Quick Modes, while IKEv2 recreates all active and queued CHILD_SAs
1032 * in the new IKE_SA.
6fe03b0a 1033 *
26424f03 1034 * @return DESTROY_ME to destroy the IKE_SA
6fe03b0a 1035 */
1036 status_t (*reauth) (ike_sa_t *this);
1037
1038 /**
1039 * Reestablish the IKE_SA.
1040 *
1041 * Reestablish an IKE_SA after it has been closed.
1042 *
1043 * @return DESTROY_ME to destroy the IKE_SA
1044 */
26424f03 1045 status_t (*reestablish) (ike_sa_t *this);
7daf5226 1046
ee614711 1047 /**
1048 * Set the lifetime limit received/to send in an AUTH_LIFETIME notify.
1049 *
1050 * If the IKE_SA is already ESTABLISHED, an INFORMATIONAL is sent with
1051 * an AUTH_LIFETIME notify. The call never fails on unestablished SAs.
ee614711 1052 *
ee614711 1053 * @param lifetime lifetime in seconds
a07b6973 1054 * @return DESTROY_ME to destroy the IKE_SA
ee614711 1055 */
b12c53ce 1056 status_t (*set_auth_lifetime)(ike_sa_t *this, uint32_t lifetime);
7daf5226 1057
3183006d 1058 /**
101d26ba 1059 * Add a virtual IP to use for this IKE_SA and its children.
1060 *
1061 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
1062 * lifetime as the IKE_SA.
3183006d 1063 *
1064 * @param local TRUE to set local address, FALSE for remote
1065 * @param ip IP to set as virtual IP
3183006d 1066 */
101d26ba 1067 void (*add_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
7daf5226 1068
1069 /**
1070 * Clear all virtual IPs stored on this IKE_SA.
1071 *
1072 * @param local TRUE to clear local addresses, FALSE for remote
1073 */
1074 void (*clear_virtual_ips) (ike_sa_t *this, bool local);
1075
1076 /**
1077 * Get interface ID to use as default for children of this IKE_SA.
1078 *
1079 * @param inbound TRUE for inbound interface ID
1080 * @return interface ID
1081 */
1082 uint32_t (*get_if_id)(ike_sa_t *this, bool inbound);
1083
3183006d 1084 /**
101d26ba 1085 * Create an enumerator over virtual IPs.
3183006d 1086 *
c60c7694 1087 * @param local TRUE to get local virtual IP, FALSE for remote
101d26ba 1088 * @return enumerator over host_t*
3183006d 1089 */
101d26ba 1090 enumerator_t* (*create_virtual_ip_enumerator) (ike_sa_t *this, bool local);
7daf5226 1091
c60c7694 1092 /**
7f56b494 1093 * Register a configuration attribute to the IKE_SA.
c60c7694 1094 *
1095 * If an IRAS sends a configuration attribute it is installed and
1096 * registered at the IKE_SA. Attributes are inherit()ed and get released
1097 * when the IKE_SA is closed.
c60c7694 1098 *
1099 * Unhandled attributes are passed as well, but with a NULL handler. They
1100 * do not get released.
1101 *
1102 * @param handler handler that installed the attribute, used for release()
1103 * @param type configuration attribute type
1104 * @param data associated attribute data
c60c7694 1105 */
7f56b494 1106 void (*add_configuration_attribute)(ike_sa_t *this,
b5a2055f 1107 attribute_handler_t *handler,
7f56b494 1108 configuration_attribute_type_t type, chunk_t data);
7daf5226 1109
1110 /**
1111 * Create an enumerator over received configuration attributes.
1112 *
1113 * The resulting enumerator is over the configuration_attribute_type_t type,
1114 * a value chunk_t followed by a bool flag. The boolean flag indicates if
1115 * the attribute has been handled by an attribute handler.
1116 *
1117 * @return enumerator over type, value and the "handled" flag.
1118 */
1119 enumerator_t* (*create_attribute_enumerator)(ike_sa_t *this);
1120
1121 /**
1122 * Set local and remote host addresses to be used for IKE.
1123 *
1124 * These addresses are communicated via the KMADDRESS field of a MIGRATE
1125 * message sent via the NETLINK or PF_KEY kernel socket interface.
1126 *
1127 * @param local local kmaddress
1128 * @param remote remote kmaddress
1129 */
1130 void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
7daf5226 1131
1132 /**
1133 * Create enumerator over a task queue of this IKE_SA.
1134 *
1135 * @param queue type to enumerate
1136 * @return enumerator over task_t
1137 */
1138 enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
1139
1140 /**
1141 * Remove the task the given enumerator points to.
1142 *
1143 * @note This should be used with caution, in particular for tasks in the
1144 * active and passive queues.
1145 *
1146 * @param enumerator enumerator created with the method above
1147 */
1148 void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator);
1149
1150 /**
1151 * Flush a task queue, cancelling all tasks in it.
1152 *
1153 * @param queue queue type to flush
1154 */
1155 void (*flush_queue)(ike_sa_t *this, task_queue_t queue);
1156
1157 /**
1158 * Queue a task for initiation to the task manager.
1159 *
1160 * @param task task to queue
1161 */
1162 void (*queue_task)(ike_sa_t *this, task_t *task);
1163
1164 /**
1165 * Queue a task in the manager, but delay its initiation for at least the
1166 * given number of seconds.
1167 *
1168 * @param task task to queue
1169 * @param delay minimum delay in s before initiating the task
1170 */
1171 void (*queue_task_delayed)(ike_sa_t *this, task_t *task, uint32_t delay);
1172
1173 /**
1174 * Adopt child creating tasks from the given IKE_SA.
1175 *
1176 * @param other other IKE_SA to adopt tasks from
1177 */
1178 void (*adopt_child_tasks)(ike_sa_t *this, ike_sa_t *other);
1179
1180 /**
1181 * Inherit required attributes to new SA before rekeying.
1182 *
1183 * Some properties of the SA must be applied before starting IKE_SA
1184 * rekeying, such as the configuration or the supported extensions.
1185 *
1186 * @param other other IKE_SA to inherit from
1187 */
1188 void (*inherit_pre)(ike_sa_t *this, ike_sa_t *other);
1189
fe04e93a 1190 /**
552cc11b 1191 * Inherit all attributes of other to this after rekeying.
fe04e93a 1192 *
1193 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
1194 * outstanding tasks are moved from other to this.
1195 *
cf3c72c4 1196 * @param other other IKE SA to inherit from
c60c7694 1197 */
713a1122 1198 void (*inherit_post) (ike_sa_t *this, ike_sa_t *other);
7daf5226 1199
c60c7694 1200 /**
2db6d5b8 1201 * Reset the IKE_SA, usable when initiating fails.
1202 *
1203 * @param new_spi TRUE to allocate a new initiator SPI
fe04e93a 1204 */
c3539961 1205 void (*reset) (ike_sa_t *this, bool new_spi);
7daf5226 1206
1396815a 1207 /**
552cc11b 1208 * Destroys an ike_sa_t object.
1396815a 1209 */
3dd3c5f3 1210 void (*destroy) (ike_sa_t *this);
1211};
1212
7ba38761 1213/**
0b611540 1214 * Creates an ike_sa_t object with a specific ID and IKE version.
c3dc6f1a 1215 *
0b611540 1216 * @param ike_sa_id ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
17ec1c74 1217 * @param initiator TRUE to create this IKE_SA as initiator
0b611540 1218 * @param version IKE version of this SA
4bbce1ef 1219 * @return ike_sa_t object
7ba38761 1220 */
1221ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
1222 ike_version_t version);
7ba38761 1223
1490ff4d 1224#endif /** IKE_SA_H_ @}*/