]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/libcharon/sa/ike_sa.h
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ike-sa: Add property for interface ID
[thirdparty/strongswan.git] / src / libcharon / sa / ike_sa.h
CommitLineData
7ba38761 1/*
dec3c184 2 * Copyright (C) 2006-2019 Tobias Brunner
d5cc1758 3 * Copyright (C) 2006 Daniel Roethlisberger
a44bb934 4 * Copyright (C) 2005-2009 Martin Willi
c71d53ba 5 * Copyright (C) 2005 Jan Hutter
208678e6 6 * HSR Hochschule fuer Technik Rapperswil
7ba38761
JH		 7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
552cc11b
MW		 17 */
18
19/**
20 * @defgroup ike_sa ike_sa
21 * @{ @ingroup sa
7ba38761
JH		 22 */
23
24#ifndef IKE_SA_H_
25#define IKE_SA_H_
26
3b04350a 27typedef enum ike_extension_t ike_extension_t;
17d92e97 28typedef enum ike_condition_t ike_condition_t;
382b4817 29typedef enum ike_sa_state_t ike_sa_state_t;
ee614711 30typedef enum statistic_t statistic_t;
382b4817
MW		 31typedef struct ike_sa_t ike_sa_t;
32
db7ef624 33#include <library.h>
58f86d0f 34#include <attributes/attribute_handler.h>
4a962238 35#include <encoding/message.h>
b9d9f188 36#include <encoding/payloads/proposal_substructure.h>
7f56b494 37#include <encoding/payloads/configuration_attribute.h>
96f79ff1 38#include <sa/ike_sa_id.h>
30b5b412 39#include <sa/child_sa.h>
15a682f4 40#include <sa/task.h>
ea340ee8 41#include <sa/task_manager.h>
6a4ff35c 42#include <sa/keymat.h>
e0fe7651
MW		 43#include <config/peer_cfg.h>
44#include <config/ike_cfg.h>
2ccc02a4 45#include <credentials/auth_cfg.h>
fdee6b5f 46#include <networking/packet.h>
8323a9c1 47
3b138b84 48/**
6554b5e4 49 * Timeout in seconds after that a half open IKE_SA gets deleted.
3b138b84 50 */
6554b5e4 51#define HALF_OPEN_IKE_SA_TIMEOUT 30
3b138b84
MW		 52
53/**
54 * Interval to send keepalives when NATed, in seconds.
3b138b84
MW		 55 */
56#define KEEPALIVE_INTERVAL 20
57
58/**
59 * After which time rekeying should be retried if it failed, in seconds.
3b138b84 60 */
4e2e7d4f 61#define RETRY_INTERVAL 15
3b138b84
MW		 62
63/**
64 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
3b138b84 65 */
4e2e7d4f 66#define RETRY_JITTER 10
3b138b84 67
c6ebd033
TB		 68/**
69 * Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD.
70 */
71#define MAX_REDIRECTS 5
72
73/**
74 * Time period in seconds in which at most MAX_REDIRECTS are allowed.
75 */
76#define REDIRECT_LOOP_DETECT_PERIOD 300
77
3b04350a 78/**
552cc11b 79 * Extensions (or optional features) the peer supports
3b04350a
MW		 80 */
81enum ike_extension_t {
7daf5226 82
3b04350a 83 /**
06d29be7 84 * peer supports NAT traversal as specified in RFC4306 or RFC3947
0ff8d20a 85 * including some RFC3947 drafts
3b04350a 86 */
17d92e97 87 EXT_NATT = (1<<0),
3b04350a
MW		 88
89 /**
90 * peer supports MOBIKE (RFC4555)
91 */
17d92e97 92 EXT_MOBIKE = (1<<1),
7daf5226 93
6439267a
TB		 94 /**
95 * peer supports HTTP cert lookups as specified in RFC4306
96 */
97 EXT_HASH_AND_URL = (1<<2),
7daf5226 98
a44bb934
MW		 99 /**
100 * peer supports multiple authentication exchanges, RFC4739
101 */
102 EXT_MULTIPLE_AUTH = (1<<3),
a5a0bcaa
MW		 103
104 /**
105 * peer uses strongSwan, accept private use extensions
106 */
107 EXT_STRONGSWAN = (1<<4),
12fca6cc
MW		 108
109 /**
110 * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
111 */
112 EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
61cf9f51
MW		 113
114 /**
05db0f97 115 * peer is probably a Windows RAS client
61cf9f51
MW		 116 */
117 EXT_MS_WINDOWS = (1<<6),
23f4e4b4
CO		 118
119 /**
120 * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
121 */
122 EXT_XAUTH = (1<<7),
11aadd77
MW		 123
124 /**
125 * peer supports DPD detection, RFC 3706 (or IKEv2)
126 */
127 EXT_DPD = (1<<8),
554a697a
AS		 128
129 /**
130 * peer supports Cisco Unity configuration attributes
131 */
132 EXT_CISCO_UNITY = (1<<9),
0ff8d20a
VR		 133
134 /**
135 * peer supports NAT traversal as specified in
136 * draft-ietf-ipsec-nat-t-ike-02 .. -03
137 */
138 EXT_NATT_DRAFT_02_03 = (1<<10),
667720c8
TB		 139
140 /**
34dc37f3 141 * peer supports proprietary IKEv1 or standardized IKEv2 fragmentation
667720c8
TB		 142 */
143 EXT_IKE_FRAGMENTATION = (1<<11),
f6329cae
TB		 144
145 /**
146 * Signature Authentication, RFC 7427
147 */
148 EXT_SIGNATURE_AUTH = (1<<12),
c6aa749c
TB		 149
150 /**
151 * IKEv2 Redirect Mechanism, RFC 5685
152 */
153 EXT_IKE_REDIRECTION = (1<<13),
d6ffa85f
TB		 154
155 /**
156 * IKEv2 Message ID sync, RFC 6311
157 */
158 EXT_IKE_MESSAGE_ID_SYNC = (1<<14),
83dcc1f4
TB		 159
160 /**
161 * Postquantum Preshared Keys, draft-ietf-ipsecme-qr-ikev2
162 */
163 EXT_PPK = (1<<15),
17d92e97
MW		 164};
165
166/**
552cc11b 167 * Conditions of an IKE_SA, change during its lifetime
17d92e97
MW		 168 */
169enum ike_condition_t {
7daf5226 170
17d92e97 171 /**
9dae1bed 172 * Connection is natted (or faked) somewhere
17d92e97
MW		 173 */
174 COND_NAT_ANY = (1<<0),
7daf5226 175
17d92e97
MW		 176 /**
177 * we are behind NAT
178 */
179 COND_NAT_HERE = (1<<1),
7daf5226 180
17d92e97
MW		 181 /**
182 * other is behind NAT
183 */
184 COND_NAT_THERE = (1<<2),
7daf5226 185
9dae1bed
MW		 186 /**
187 * Faking NAT to enforce UDP encapsulation
188 */
189 COND_NAT_FAKE = (1<<3),
7daf5226 190
17d92e97 191 /**
a44bb934 192 * peer has been authenticated using EAP at least once
17d92e97 193 */
ee614711 194 COND_EAP_AUTHENTICATED = (1<<4),
7daf5226 195
552cc11b
MW		 196 /**
197 * received a certificate request from the peer
198 */
96926b00 199 COND_CERTREQ_SEEN = (1<<5),
7daf5226 200
faf9569f
MW		 201 /**
202 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
203 */
204 COND_ORIGINAL_INITIATOR = (1<<6),
7daf5226 205
7afd9d66
MW		 206 /**
207 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
208 */
209 COND_STALE = (1<<7),
a064eaa8
CO		 210
211 /**
212 * Initial contact received
213 */
214 COND_INIT_CONTACT_SEEN = (1<<8),
2da3ff7a
MW		 215
216 /**
217 * Peer has been authenticated using XAuth
218 */
219 COND_XAUTH_AUTHENTICATED = (1<<9),
873b63b7
TB		 220
221 /**
222 * This IKE_SA is currently being reauthenticated
223 */
224 COND_REAUTHENTICATING = (1<<10),
d68c05d2
TB		 225
226 /**
227 * This IKE_SA has been redirected
228 */
229 COND_REDIRECTED = (1<<11),
e19162a5
TB		 230
231 /**
232 * Online certificate revocation checking is suspended for this IKE_SA
233 */
234 COND_ONLINE_VALIDATION_SUSPENDED = (1<<12),
e4d85011
TB		 235
236 /**
237 * A Postquantum Preshared Key was used when this IKE_SA was created
238 */
239 COND_PPK = (1<<13),
ee614711
MW		 240};
241
242/**
85ac2fa5 243 * Timing information and statistics to query from an SA
ee614711
MW		 244 */
245enum statistic_t {
85ac2fa5
MW		 246 /** Timestamp of SA establishement */
247 STAT_ESTABLISHED = 0,
0ceb2888 248 /** Timestamp of scheduled rekeying */
85ac2fa5 249 STAT_REKEY,
0ceb2888 250 /** Timestamp of scheduled reauthentication */
85ac2fa5 251 STAT_REAUTH,
0ceb2888 252 /** Timestamp of scheduled delete */
85ac2fa5
MW		 253 STAT_DELETE,
254 /** Timestamp of last inbound IKE packet */
255 STAT_INBOUND,
256 /** Timestamp of last outbound IKE packet */
257 STAT_OUTBOUND,
7daf5226 258
85ac2fa5 259 STAT_MAX
3b04350a 260};
3b138b84 261
8323a9c1 262/**
552cc11b 263 * State of an IKE_SA.
cb5c41cd
MW		 264 *
265 * An IKE_SA passes various states in its lifetime. A newly created
266 * SA is in the state CREATED.
267 * @verbatim
268 +----------------+
3183006d 269 ¦ SA_CREATED ¦
cb5c41cd 270 +----------------+
3183006d 271 ¦
484a06bc 272 on initiate()---> ¦ <----- on IKE_SA_INIT received
3183006d 273 V
cb5c41cd 274 +----------------+
3183006d 275 ¦ SA_CONNECTING ¦
cb5c41cd 276 +----------------+
3183006d
MW		 277 ¦
278 ¦ <----- on IKE_AUTH successfully completed
279 V
cb5c41cd 280 +----------------+
3183006d
MW		 281 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
282 +----------------+ ¦
283 ¦ V
284 on delete()---> ¦ <----- on IKE_SA +-------------+
285 ¦ delete request ¦ SA_REKEYING ¦
286 ¦ received +-------------+
287 V ¦
288 +----------------+ ¦
289 ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
cb5c41cd 290 +----------------+
3183006d
MW		 291 ¦
292 ¦ <----- after delete() acknowledged
293 ¦
294 \V/
cb5c41cd
MW		 295 X
296 / \
297 @endverbatim
8323a9c1 298 */
3dd3c5f3 299enum ike_sa_state_t {
7daf5226 300
3dd3c5f3
MW		 301 /**
302 * IKE_SA just got created, but is not initiating nor responding yet.
303 */
bcb95ced 304 IKE_CREATED,
7daf5226 305
3dd3c5f3
MW		 306 /**
307 * IKE_SA gets initiated actively or passively
308 */
bcb95ced 309 IKE_CONNECTING,
7daf5226 310
3dd3c5f3
MW		 311 /**
312 * IKE_SA is fully established
313 */
bcb95ced 314 IKE_ESTABLISHED,
7daf5226 315
c610f424
MW		 316 /**
317 * IKE_SA is managed externally and does not process messages
318 */
319 IKE_PASSIVE,
7daf5226 320
3183006d
MW		 321 /**
322 * IKE_SA rekeying in progress
323 */
324 IKE_REKEYING,
7daf5226 325
bb389973
TB		 326 /**
327 * IKE_SA has been rekeyed (or is redundant)
328 */
329 IKE_REKEYED,
330
3dd3c5f3
MW		 331 /**
332 * IKE_SA is in progress of deletion
333 */
bcb95ced 334 IKE_DELETING,
7daf5226 335
a985db3f
MW		 336 /**
337 * IKE_SA object gets destroyed
338 */
339 IKE_DESTROYING,
3dd3c5f3
MW		 340};
341
342/**
60356f33 343 * enum names for ike_sa_state_t.
3dd3c5f3 344 */
60356f33 345extern enum_name_t *ike_sa_state_names;
7ba38761
JH		 346
347/**
552cc11b 348 * Class ike_sa_t representing an IKE_SA.
3dd3c5f3
MW		 349 *
350 * An IKE_SA contains crypto information related to a connection
351 * with a peer. It contains multiple IPsec CHILD_SA, for which
352 * it is responsible. All traffic is handled by an IKE_SA, using
c60c7694 353 * the task manager and its tasks.
7ba38761 354 */
5796aa16 355struct ike_sa_t {
7ba38761
JH		 356
357 /**
552cc11b 358 * Get the id of the SA.
484a06bc 359 *
3dd3c5f3 360 * Returned ike_sa_id_t object is not getting cloned!
c3dc6f1a 361 *
4bbce1ef 362 * @return ike_sa's ike_sa_id_t
7ba38761 363 */
3dd3c5f3 364 ike_sa_id_t* (*get_id) (ike_sa_t *this);
7daf5226 365
0b611540
TB		 366 /**
367 * Gets the IKE version of the SA
368 */
369 ike_version_t (*get_version)(ike_sa_t *this);
370
c60c7694 371 /**
552cc11b 372 * Get the numerical ID uniquely defining this IKE_SA.
c60c7694 373 *
4bbce1ef 374 * @return unique ID
c60c7694 375 */
b12c53ce 376 uint32_t (*get_unique_id) (ike_sa_t *this);
7daf5226 377
3dd3c5f3 378 /**
552cc11b 379 * Get the state of the IKE_SA.
3dd3c5f3 380 *
3dd3c5f3
MW		 381 * @return state of the IKE_SA
382 */
383 ike_sa_state_t (*get_state) (ike_sa_t *this);
7daf5226 384
3dd3c5f3 385 /**
552cc11b 386 * Set the state of the IKE_SA.
3dd3c5f3 387 *
3dd3c5f3
MW		 388 * @param state state to set for the IKE_SA
389 */
0b611540 390 void (*set_state) (ike_sa_t *this, ike_sa_state_t state);
7daf5226 391
8dfbe71b 392 /**
552cc11b 393 * Get the name of the connection this IKE_SA uses.
8dfbe71b 394 *
8dfbe71b
MW		 395 * @return name
396 */
397 char* (*get_name) (ike_sa_t *this);
7daf5226 398
ee614711 399 /**
552cc11b 400 * Get statistic values from the IKE_SA.
ee614711 401 *
ee614711
MW		 402 * @param kind kind of requested value
403 * @return value as integer
404 */
b12c53ce 405 uint32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
7daf5226 406
44ff1153
TB		 407 /**
408 * Set statistic value of the IKE_SA.
409 *
410 * @param kind kind of value to update
411 * @param value value as integer
412 */
b12c53ce 413 void (*set_statistic)(ike_sa_t *this, statistic_t kind, uint32_t value);
44ff1153 414
8dfbe71b 415 /**
552cc11b 416 * Get the own host address.
484a06bc 417 *
8dfbe71b
MW		 418 * @return host address
419 */
420 host_t* (*get_my_host) (ike_sa_t *this);
7daf5226 421
fe04e93a 422 /**
552cc11b 423 * Set the own host address.
484a06bc 424 *
fe04e93a
MW		 425 * @param me host address
426 */
427 void (*set_my_host) (ike_sa_t *this, host_t *me);
7daf5226 428
8dfbe71b 429 /**
552cc11b 430 * Get the other peers host address.
484a06bc 431 *
8dfbe71b
MW		 432 * @return host address
433 */
434 host_t* (*get_other_host) (ike_sa_t *this);
7daf5226 435
fe04e93a 436 /**
552cc11b 437 * Set the others host address.
484a06bc 438 *
fe04e93a
MW		 439 * @param other host address
440 */
441 void (*set_other_host) (ike_sa_t *this, host_t *other);
7daf5226 442
277f02ce
TB		 443 /**
444 * Float to port 4500 (e.g. if a NAT is detected).
445 *
446 * The port of either endpoint is changed only if it is currently
447 * set to the default value of 500.
448 */
449 void (*float_ports)(ike_sa_t *this);
450
2b3100b5 451 /**
552cc11b 452 * Update the IKE_SAs host.
2b3100b5
MW		 453 *
454 * Hosts may be NULL to use current host.
455 *
2b3100b5
MW		 456 * @param me new local host address, or NULL
457 * @param other new remote host address, or NULL
2082417d 458 * @param force force update
2b3100b5 459 */
2082417d 460 void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force);
7daf5226 461
8dfbe71b 462 /**
552cc11b 463 * Get the own identification.
484a06bc 464 *
8dfbe71b
MW		 465 * @return identification
466 */
467 identification_t* (*get_my_id) (ike_sa_t *this);
7daf5226 468
8dfbe71b 469 /**
552cc11b 470 * Set the own identification.
484a06bc 471 *
8dfbe71b
MW		 472 * @param me identification
473 */
474 void (*set_my_id) (ike_sa_t *this, identification_t *me);
7daf5226 475
8dfbe71b 476 /**
552cc11b 477 * Get the other peer's identification.
484a06bc 478 *
8dfbe71b
MW		 479 * @return identification
480 */
481 identification_t* (*get_other_id) (ike_sa_t *this);
7daf5226 482
045833c7
MW		 483 /**
484 * Get the others peer identity, but prefer an EAP-Identity.
485 *
486 * @return EAP or IKEv2 identity
487 */
488 identification_t* (*get_other_eap_id)(ike_sa_t *this);
489
8dfbe71b 490 /**
552cc11b 491 * Set the other peer's identification.
484a06bc 492 *
8dfbe71b
MW		 493 * @param other identification
494 */
495 void (*set_other_id) (ike_sa_t *this, identification_t *other);
7daf5226 496
7d26a0ee 497 /**
552cc11b 498 * Get the config used to setup this IKE_SA.
484a06bc 499 *
e0fe7651 500 * @return ike_config
c60c7694 501 */
e0fe7651 502 ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
7daf5226 503
c60c7694 504 /**
552cc11b 505 * Set the config to setup this IKE_SA.
484a06bc 506 *
e0fe7651 507 * @param config ike_config to use
c60c7694 508 */
e0fe7651 509 void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
c60c7694
MW		 510
511 /**
552cc11b 512 * Get the peer config used by this IKE_SA.
484a06bc 513 *
e0fe7651 514 * @return peer_config
c60c7694 515 */
e0fe7651 516 peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
7daf5226 517
c60c7694 518 /**
552cc11b 519 * Set the peer config to use with this IKE_SA.
484a06bc 520 *
e0fe7651 521 * @param config peer_config to use
c60c7694 522 */
e0fe7651 523 void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
7daf5226 524
3b04350a 525 /**
a44bb934 526 * Get the authentication config with rules of the current auth round.
552cc11b 527 *
a44bb934
MW		 528 * @param local TRUE for local rules, FALSE for remote constraints
529 * @return current cfg
552cc11b 530 */
a44bb934 531 auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
7daf5226 532
44ce7493
MW		 533 /**
534 * Insert a completed authentication round.
535 *
536 * @param local TRUE for own rules, FALSE for others constraints
537 * @param cfg auth config to append
538 */
539 void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);
540
541 /**
542 * Create an enumerator over added authentication rounds.
543 *
544 * @param local TRUE for own rules, FALSE for others constraints
545 * @return enumerator over auth_cfg_t
546 */
547 enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
548
1b9c1ae0
TB		 549 /**
550 * Verify the trustchains (validity, revocation) in completed public key
551 * auth rounds.
552 *
553 * @return TRUE if certificates were valid, FALSE otherwise
554 */
555 bool (*verify_peer_certificate)(ike_sa_t *this);
556
5dffdea1
MW		 557 /**
558 * Get the selected proposal of this IKE_SA.
559 *
560 * @return selected proposal
561 */
562 proposal_t* (*get_proposal)(ike_sa_t *this);
7daf5226 563
5dffdea1
MW		 564 /**
565 * Set the proposal selected for this IKE_SA.
566 *
567 * @param selected proposal
568 */
569 void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
7daf5226 570
b09ca747 571 /**
347c403c 572 * Set the message ID of the IKE_SA.
b09ca747
MW		 573 *
574 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
575 * and one to respond to exchanges (expect).
576 *
577 * @param initiate TRUE to set message ID for initiating
578 * @param mid message id to set
579 */
b12c53ce 580 void (*set_message_id)(ike_sa_t *this, bool initiate, uint32_t mid);
7daf5226 581
347c403c
TB		 582 /**
583 * Get the message ID of the IKE_SA.
584 *
585 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
586 * and one to respond to exchanges (expect).
587 *
588 * @param initiate TRUE to get message ID for initiating
589 * @return current message
590 */
591 uint32_t (*get_message_id)(ike_sa_t *this, bool initiate);
592
552cc11b
MW		 593 /**
594 * Add an additional address for the peer.
17d92e97
MW		 595 *
596 * In MOBIKE, a peer may transmit additional addresses where it is
597 * reachable. These are stored in the IKE_SA.
598 * The own list of addresses is not stored, they are queried from
599 * the kernel when required.
3b04350a 600 *
17d92e97 601 * @param host host to add to list
3b04350a 602 */
94bbc602 603 void (*add_peer_address)(ike_sa_t *this, host_t *host);
7daf5226 604
17d92e97 605 /**
94bbc602 606 * Create an enumerator over all known addresses of the peer.
17d92e97 607 *
572abc6c 608 * @return enumerator over addresses
17d92e97 609 */
94bbc602 610 enumerator_t* (*create_peer_address_enumerator)(ike_sa_t *this);
572abc6c
TB		 611
612 /**
94bbc602 613 * Remove all known addresses of the peer.
572abc6c 614 */
94bbc602 615 void (*clear_peer_addresses)(ike_sa_t *this);
7daf5226 616
9d9a772e
MW		 617 /**
618 * Check if mappings have changed on a NAT for our source address.
619 *
620 * @param hash received DESTINATION_IP hash
621 * @return TRUE if mappings have changed
622 */
623 bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
7daf5226 624
3b04350a 625 /**
552cc11b 626 * Enable an extension the peer supports.
3b04350a
MW		 627 *
628 * If support for an IKE extension is detected, this method is called
629 * to enable that extension and behave accordingly.
630 *
3b04350a
MW		 631 * @param extension extension to enable
632 */
633 void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
7daf5226 634
17d92e97 635 /**
552cc11b 636 * Check if the peer supports an extension.
17d92e97 637 *
17d92e97
MW		 638 * @param extension extension to check for support
639 * @return TRUE if peer supports it, FALSE otherwise
640 */
641 bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
7daf5226 642
17d92e97 643 /**
552cc11b 644 * Enable/disable a condition flag for this IKE_SA.
17d92e97 645 *
17d92e97
MW		 646 * @param condition condition to enable/disable
647 * @param enable TRUE to enable condition, FALSE to disable
648 */
649 void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
650
651 /**
552cc11b 652 * Check if a condition flag is set.
17d92e97 653 *
17d92e97
MW		 654 * @param condition condition to check
655 * @return TRUE if condition flag set, FALSE otherwise
656 */
657 bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
7daf5226 658
dc04b7c7 659#ifdef ME
22452f70
TB		 660 /**
661 * Activate mediation server functionality for this IKE_SA.
662 */
663 void (*act_as_mediation_server) (ike_sa_t *this);
7daf5226 664
d5cc1758 665 /**
552cc11b 666 * Get the server reflexive host.
484a06bc 667 *
d5cc1758
TB		 668 * @return server reflexive host
669 */
670 host_t* (*get_server_reflexive_host) (ike_sa_t *this);
7daf5226 671
d5cc1758 672 /**
552cc11b 673 * Set the server reflexive host.
484a06bc 674 *
d5cc1758
TB		 675 * @param host server reflexive host
676 */
677 void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
7daf5226 678
9c2a905d
TB		 679 /**
680 * Get the connect ID.
484a06bc 681 *
9c2a905d
TB		 682 * @return connect ID
683 */
684 chunk_t (*get_connect_id) (ike_sa_t *this);
7daf5226 685
d5cc1758 686 /**
552cc11b 687 * Initiate the mediation of a mediated connection (i.e. initiate a
484a06bc
TB		 688 * ME_CONNECT exchange to a mediation server).
689 *
690 * @param mediated_cfg peer_cfg of the mediated connection
691 * @return
4bbce1ef
TB		 692 * - SUCCESS if initialization started
693 * - DESTROY_ME if initialization failed
d5cc1758
TB		 694 */
695 status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
7daf5226 696
d5cc1758 697 /**
552cc11b 698 * Initiate the mediated connection
484a06bc
TB		 699 *
700 * @param me local endpoint (gets cloned)
701 * @param other remote endpoint (gets cloned)
702 * @param connect_id connect ID (gets cloned)
703 * @return
4bbce1ef
TB		 704 * - SUCCESS if initialization started
705 * - DESTROY_ME if initialization failed
d5cc1758
TB		 706 */
707 status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
484a06bc 708 chunk_t connect_id);
7daf5226 709
d5cc1758 710 /**
484a06bc
TB		 711 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
712 * to a peer).
d5cc1758
TB		 713 *
714 * Data is cloned.
484a06bc
TB		 715 *
716 * @param requester ID of the requesting peer
717 * @param connect_id data of the ME_CONNECTID payload
718 * @param connect_key data of the ME_CONNECTKEY payload
719 * @param endpoints endpoints
720 * @param response TRUE if this is a response
721 * @return
4bbce1ef
TB		 722 * - SUCCESS if relay started
723 * - DESTROY_ME if relay failed
d5cc1758 724 */
484a06bc
TB		 725 status_t (*relay) (ike_sa_t *this, identification_t *requester,
726 chunk_t connect_id, chunk_t connect_key,
727 linked_list_t *endpoints, bool response);
7daf5226 728
d5cc1758 729 /**
552cc11b 730 * Send a callback to a peer.
484a06bc 731 *
d5cc1758 732 * Data is cloned.
484a06bc
TB		 733 *
734 * @param peer_id ID of the other peer
d5cc1758 735 * @return
4bbce1ef
TB		 736 * - SUCCESS if response started
737 * - DESTROY_ME if response failed
d5cc1758
TB		 738 */
739 status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
7daf5226 740
d5cc1758 741 /**
dc04b7c7 742 * Respond to a ME_CONNECT request.
484a06bc 743 *
d5cc1758 744 * Data is cloned.
484a06bc
TB		 745 *
746 * @param peer_id ID of the other peer
747 * @param connect_id the connect ID supplied by the initiator
d5cc1758 748 * @return
4bbce1ef
TB		 749 * - SUCCESS if response started
750 * - DESTROY_ME if response failed
d5cc1758 751 */
484a06bc
TB		 752 status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
753 chunk_t connect_id);
dc04b7c7 754#endif /* ME */
7daf5226 755
2c220249 756 /**
552cc11b 757 * Initiate a new connection.
3dd3c5f3 758 *
a13c013b
MW		 759 * The configs are owned by the IKE_SA after the call. If the initiate
760 * is triggered by a packet, traffic selectors of the packet can be added
761 * to the CHILD_SA.
484a06bc 762 *
e0fe7651 763 * @param child_cfg child config to create CHILD from
c3626c2c 764 * @param reqid reqid to use for CHILD_SA, 0 assigne uniquely
a13c013b
MW		 765 * @param tsi source of triggering packet
766 * @param tsr destination of triggering packet.
484a06bc 767 * @return
4bbce1ef
TB		 768 * - SUCCESS if initialization started
769 * - DESTROY_ME if initialization failed
8dfbe71b 770 */
c3626c2c 771 status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
b12c53ce 772 uint32_t reqid, traffic_selector_t *tsi,
a13c013b 773 traffic_selector_t *tsr);
7daf5226 774
77e42826
TB		 775 /**
776 * Retry initiation of this IKE_SA after it got deferred previously.
777 *
778 * @return
779 * - SUCCESS if initiation deferred or started
780 * - DESTROY_ME if initiation failed
781 */
782 status_t (*retry_initiate) (ike_sa_t *this);
783
1396815a 784 /**
552cc11b 785 * Initiates the deletion of an IKE_SA.
484a06bc 786 *
3dd3c5f3
MW		 787 * Sends a delete message to the remote peer and waits for
788 * its response. If the response comes in, or a timeout occurs,
a79d5103
TB		 789 * the IKE SA gets destroyed, unless force is TRUE then the IKE_SA is
790 * destroyed immediately without waiting for a response.
484a06bc 791 *
a79d5103
TB		 792 * @param force whether to immediately destroy the IKE_SA afterwards
793 * without waiting for a response
1396815a 794 * @return
4bbce1ef 795 * - SUCCESS if deletion is initialized
a79d5103
TB		 796 * - DESTROY_ME, if destroying is forced, or the IKE_SA
797 * is not in an established state and can not be
798 * deleted (but destroyed)
1396815a 799 */
a79d5103 800 status_t (*delete) (ike_sa_t *this, bool force);
7daf5226 801
17d92e97 802 /**
552cc11b 803 * Update IKE_SAs after network interfaces have changed.
17d92e97
MW		 804 *
805 * Whenever the network interface configuration changes, the kernel
806 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
807 * the new network config requires changes, and handles appropriate.
808 * If MOBIKE is supported, addresses are updated; If not, the tunnel is
809 * restarted.
810 *
3bc62fe7
MW		 811 * @param address TRUE if address list changed, FALSE otherwise
812 * @return SUCCESS, FAILED, DESTROY_ME
17d92e97 813 */
3bc62fe7 814 status_t (*roam)(ike_sa_t *this, bool address);
7daf5226 815
13e4a62f 816 /**
40bab9a1 817 * Processes an incoming IKE message.
13e4a62f 818 *
484a06bc
TB		 819 * Message processing may fail. If a critical failure occurs,
820 * process_message() return DESTROY_ME. Then the caller must
f3bb1bd0 821 * destroy the IKE_SA immediately, as it is unusable.
484a06bc 822 *
4bbce1ef 823 * @param message message to process
484a06bc 824 * @return
4bbce1ef
TB		 825 * - SUCCESS
826 * - FAILED
827 * - DESTROY_ME if this IKE_SA MUST be deleted
e168ee17 828 */
40bab9a1 829 status_t (*process_message)(ike_sa_t *this, message_t *message);
7daf5226 830
bcb95ced 831 /**
40bab9a1 832 * Generate an IKE message to send it to the peer.
484a06bc 833 *
c60c7694
MW		 834 * This method generates all payloads in the message and encrypts/signs
835 * the packet.
484a06bc 836 *
4bbce1ef 837 * @param message message to generate
c60c7694 838 * @param packet generated output packet
484a06bc 839 * @return
4bbce1ef
TB		 840 * - SUCCESS
841 * - FAILED
842 * - DESTROY_ME if this IKE_SA MUST be deleted
bcb95ced 843 */
40bab9a1
TB		 844 status_t (*generate_message)(ike_sa_t *this, message_t *message,
845 packet_t **packet);
846
847 /**
848 * Generate an IKE message to send it to the peer. If enabled and supported
849 * it will be fragmented.
850 *
851 * This method generates all payloads in the message and encrypts/signs
852 * the packet/fragments.
853 *
854 * @param message message to generate
855 * @param packets enumerator of generated packet_t* (are not destroyed
856 * with the enumerator)
857 * @return
858 * - SUCCESS
859 * - FAILED
860 * - DESTROY_ME if this IKE_SA MUST be deleted
861 */
862 status_t (*generate_message_fragmented)(ike_sa_t *this, message_t *message,
863 enumerator_t **packets);
7daf5226 864
1396815a 865 /**
552cc11b 866 * Retransmits a request.
484a06bc 867 *
c60c7694
MW		 868 * @param message_id ID of the request to retransmit
869 * @return
4bbce1ef 870 * - SUCCESS
2db6d5b8 871 * - NOT_FOUND if request doesn't have to be retransmitted
397f3448 872 */
b12c53ce 873 status_t (*retransmit) (ike_sa_t *this, uint32_t message_id);
7daf5226 874
1396815a 875 /**
552cc11b 876 * Sends a DPD request to the peer.
1396815a 877 *
3dd3c5f3
MW		 878 * To check if a peer is still alive, periodic
879 * empty INFORMATIONAL messages are sent if no
880 * other traffic was received.
484a06bc 881 *
3dd3c5f3 882 * @return
4bbce1ef
TB		 883 * - SUCCESS
884 * - DESTROY_ME, if peer did not respond
2f89902d 885 */
3dd3c5f3 886 status_t (*send_dpd) (ike_sa_t *this);
7daf5226 887
2f89902d 888 /**
552cc11b 889 * Sends a keep alive packet.
2f89902d 890 *
0ceb2888
TB		 891 * To refresh NAT tables in a NAT router between the peers, periodic empty
892 * UDP packets are sent if no other traffic was sent.
efd7fa7b
TB		 893 *
894 * @param scheduled if this is a scheduled keepalive
1396815a 895 */
efd7fa7b 896 void (*send_keepalive) (ike_sa_t *this, bool scheduled);
7daf5226 897
71c70705
TB		 898 /**
899 * Redirect an active IKE_SA.
900 *
901 * @param gateway gateway ID (IP or FQDN) of the target
902 * @return state, including DESTROY_ME, if this IKE_SA MUST be
903 * destroyed
904 */
905 status_t (*redirect)(ike_sa_t *this, identification_t *gateway);
906
c126ddd0
TB		 907 /**
908 * Handle a redirect request.
909 *
910 * The behavior is different depending on the state of the IKE_SA.
911 *
912 * @param gateway gateway ID (IP or FQDN) of the target
913 * @return FALSE if redirect not possible, TRUE otherwise
914 */
915 bool (*handle_redirect)(ike_sa_t *this, identification_t *gateway);
916
e4af6e6b
TB		 917 /**
918 * Get the address of the gateway that redirected us.
919 *
920 * @return original gateway address
921 */
922 host_t *(*get_redirected_from)(ike_sa_t *this);
923
bc997f65 924 /**
6a4ff35c 925 * Get the keying material of this IKE_SA.
bc997f65 926 *
6a4ff35c 927 * @return per IKE_SA keymat instance
695723d4 928 */
6a4ff35c 929 keymat_t* (*get_keymat)(ike_sa_t *this);
7daf5226 930
695723d4 931 /**
552cc11b 932 * Associates a child SA to this IKE SA
484a06bc 933 *
698d7749 934 * @param child_sa child_sa to add
695723d4 935 */
698d7749 936 void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
7daf5226 937
971218c3 938 /**
552cc11b 939 * Get a CHILD_SA identified by protocol and SPI.
484a06bc 940 *
698d7749
MW		 941 * @param protocol protocol of the SA
942 * @param spi SPI of the CHILD_SA
943 * @param inbound TRUE if SPI is inbound, FALSE if outbound
944 * @return child_sa, or NULL if none found
3dd3c5f3 945 */
484a06bc 946 child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
b12c53ce 947 uint32_t spi, bool inbound);
7daf5226 948
3183006d 949 /**
4bbce1ef 950 * Get the number of CHILD_SAs.
484a06bc 951 *
4bbce1ef 952 * @return number of CHILD_SAs
3183006d 953 */
4bbce1ef
TB		 954 int (*get_child_count) (ike_sa_t *this);
955
956 /**
957 * Create an enumerator over all CHILD_SAs.
958 *
959 * @return enumerator
960 */
961 enumerator_t* (*create_child_sa_enumerator) (ike_sa_t *this);
962
963 /**
964 * Remove the CHILD_SA the given enumerator points to from this IKE_SA.
965 *
966 * @param enumerator enumerator pointing to CHILD_SA
967 */
968 void (*remove_child_sa) (ike_sa_t *this, enumerator_t *enumerator);
7daf5226 969
1396815a 970 /**
552cc11b 971 * Rekey the CHILD SA with the specified reqid.
1396815a 972 *
3dd3c5f3 973 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
1396815a 974 *
698d7749
MW		 975 * @param protocol protocol of the SA
976 * @param spi inbound SPI of the CHILD_SA
3dd3c5f3 977 * @return
4bbce1ef
TB		 978 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
979 * - SUCCESS, if rekeying initiated
1396815a 980 */
b12c53ce 981 status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi);
698d7749 982
1396815a 983 /**
552cc11b 984 * Close the CHILD SA with the specified protocol/SPI.
698d7749
MW		 985 *
986 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
987 * notify's the remote peer about the delete. The associated
988 * states and policies in the kernel get deleted, if they exist.
989 *
698d7749
MW		 990 * @param protocol protocol of the SA
991 * @param spi inbound SPI of the CHILD_SA
3a925f74 992 * @param expired TRUE if CHILD_SA is expired
698d7749 993 * @return
4bbce1ef
TB		 994 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
995 * - SUCCESS, if delete message sent
1396815a 996 */
3a925f74 997 status_t (*delete_child_sa)(ike_sa_t *this, protocol_id_t protocol,
b12c53ce 998 uint32_t spi, bool expired);
698d7749 999
1396815a 1000 /**
552cc11b 1001 * Destroy a CHILD SA with the specified protocol/SPI.
698d7749
MW		 1002 *
1003 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
1004 *
698d7749
MW		 1005 * @param protocol protocol of the SA
1006 * @param spi inbound SPI of the CHILD_SA
1007 * @return
4bbce1ef
TB		 1008 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
1009 * - SUCCESS
1396815a 1010 */
b12c53ce 1011 status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi);
fe04e93a 1012
fe04e93a 1013 /**
552cc11b 1014 * Rekey the IKE_SA.
fe04e93a 1015 *
527b3f0c 1016 * Sets up a new IKE_SA, moves all CHILD_SAs to it and deletes this IKE_SA.
fe04e93a 1017 *
fe04e93a
MW		 1018 * @return - SUCCESS, if IKE_SA rekeying initiated
1019 */
1020 status_t (*rekey) (ike_sa_t *this);
1021
6fe03b0a 1022 /**
96926b00 1023 * Reauthenticate the IKE_SA.
6fe03b0a 1024 *
349f7f24
MW		 1025 * Triggers a new IKE_SA that replaces this one. IKEv1 implicitly inherits
1026 * all Quick Modes, while IKEv2 recreates all active and queued CHILD_SAs
1027 * in the new IKE_SA.
6fe03b0a 1028 *
26424f03 1029 * @return DESTROY_ME to destroy the IKE_SA
6fe03b0a 1030 */
96926b00
MW		 1031 status_t (*reauth) (ike_sa_t *this);
1032
1033 /**
1034 * Restablish the IKE_SA.
1035 *
1036 * Reestablish an IKE_SA after it has been closed.
1037 *
1038 * @return DESTROY_ME to destroy the IKE_SA
1039 */
26424f03 1040 status_t (*reestablish) (ike_sa_t *this);
7daf5226 1041
ee614711 1042 /**
a07b6973
MW		 1043 * Set the lifetime limit received/to send in a AUTH_LIFETIME notify.
1044 *
1045 * If the IKE_SA is already ESTABLISHED, an INFORMATIONAL is sent with
1046 * an AUTH_LIFETIME notify. The call never fails on unestablished SAs.
ee614711 1047 *
ee614711 1048 * @param lifetime lifetime in seconds
a07b6973 1049 * @return DESTROY_ME to destroy the IKE_SA
ee614711 1050 */
b12c53ce 1051 status_t (*set_auth_lifetime)(ike_sa_t *this, uint32_t lifetime);
7daf5226 1052
3183006d 1053 /**
101d26ba 1054 * Add a virtual IP to use for this IKE_SA and its children.
c60c7694
MW		 1055 *
1056 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
1057 * lifetime as the IKE_SA.
3183006d 1058 *
552cc11b
MW		 1059 * @param local TRUE to set local address, FALSE for remote
1060 * @param ip IP to set as virtual IP
3183006d 1061 */
101d26ba 1062 void (*add_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
7daf5226 1063
d2e8f20d
TB		 1064 /**
1065 * Clear all virtual IPs stored on this IKE_SA.
1066 *
1067 * @param local TRUE to clear local addresses, FALSE for remote
1068 */
1069 void (*clear_virtual_ips) (ike_sa_t *this, bool local);
1070
dec3c184
TB		 1071 /**
1072 * Get interface ID to use as default for children of this IKE_SA.
1073 *
1074 * @param inbound TRUE for inbound interface ID
1075 * @return interface ID
1076 */
1077 uint32_t (*get_if_id)(ike_sa_t *this, bool inbound);
1078
3183006d 1079 /**
101d26ba 1080 * Create an enumerator over virtual IPs.
3183006d 1081 *
c60c7694 1082 * @param local TRUE to get local virtual IP, FALSE for remote
101d26ba 1083 * @return enumerator over host_t*
3183006d 1084 */
101d26ba 1085 enumerator_t* (*create_virtual_ip_enumerator) (ike_sa_t *this, bool local);
7daf5226 1086
c60c7694 1087 /**
7f56b494 1088 * Register a configuration attribute to the IKE_SA.
c60c7694 1089 *
7f56b494
MW		 1090 * If an IRAS sends a configuration attribute it is installed and
1091 * registered at the IKE_SA. Attributes are inherit()ed and get released
1092 * when the IKE_SA is closed.
c60c7694 1093 *
5ae32210
MW		 1094 * Unhandled attributes are passed as well, but with a NULL handler. They
1095 * do not get released.
1096 *
7f56b494
MW		 1097 * @param handler handler installed the attribute, use for release()
1098 * @param type configuration attribute type
1099 * @param data associated attribute data
c60c7694 1100 */
7f56b494 1101 void (*add_configuration_attribute)(ike_sa_t *this,
b5a2055f 1102 attribute_handler_t *handler,
7f56b494 1103 configuration_attribute_type_t type, chunk_t data);
7daf5226 1104
9d257034
MW		 1105 /**
1106 * Create an enumerator over received configuration attributes.
1107 *
1108 * The resulting enumerator is over the configuration_attribute_type_t type,
1109 * a value chunk_t followed by a bool flag. The boolean flag indicates if
1110 * the attribute has been handled by an attribute handler.
1111 *
1112 * @return enumerator over type, value and the "handled" flag.
1113 */
1114 enumerator_t* (*create_attribute_enumerator)(ike_sa_t *this);
1115
d487b4b7
AS		 1116 /**
1117 * Set local and remote host addresses to be used for IKE.
1118 *
1119 * These addresses are communicated via the KMADDRESS field of a MIGRATE
1120 * message sent via the NETLINK or PF _KEY kernel socket interface.
1121 *
1122 * @param local local kmaddress
1123 * @param remote remote kmaddress
1124 */
1125 void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
7daf5226 1126
ea340ee8
MW		 1127 /**
1128 * Create enumerator over a task queue of this IKE_SA.
1129 *
1130 * @param queue type to enumerate
1131 * @return enumerator over task_t
1132 */
1133 enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
1134
b7160401
TB		 1135 /**
1136 * Remove the task the given enumerator points to.
1137 *
1138 * @note This should be used with caution, in partciular, for tasks in the
1139 * active and passive queues.
1140 *
1141 * @param enumerator enumerator created with the method above
1142 */
1143 void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator);
1144
cbc1a20f
MW		 1145 /**
1146 * Flush a task queue, cancelling all tasks in it.
1147 *
1148 * @param queue queue type to flush
1149 */
1150 void (*flush_queue)(ike_sa_t *this, task_queue_t queue);
1151
69adeb5b
MW		 1152 /**
1153 * Queue a task for initiaton to the task manager.
1154 *
1155 * @param task task to queue
1156 */
1157 void (*queue_task)(ike_sa_t *this, task_t *task);
1158
208678e6
TB		 1159 /**
1160 * Queue a task in the manager, but delay its initiation for at least the
1161 * given number of seconds.
1162 *
1163 * @param task task to queue
1164 * @param delay minimum delay in s before initiating the task
1165 */
1166 void (*queue_task_delayed)(ike_sa_t *this, task_t *task, uint32_t delay);
1167
00c889f4
TB		 1168 /**
1169 * Adopt child creating tasks from the given IKE_SA.
1170 *
1171 * @param other other IKE_SA to adopt tasks from
1172 */
1173 void (*adopt_child_tasks)(ike_sa_t *this, ike_sa_t *other);
1174
713a1122
MW		 1175 /**
1176 * Inherit required attributes to new SA before rekeying.
1177 *
1178 * Some properties of the SA must be applied before starting IKE_SA
1179 * rekeying, such as the configuration or support extensions.
1180 *
1181 * @param other other IKE_SA to inherit from
1182 */
1183 void (*inherit_pre)(ike_sa_t *this, ike_sa_t *other);
1184
fe04e93a 1185 /**
552cc11b 1186 * Inherit all attributes of other to this after rekeying.
fe04e93a 1187 *
c60c7694
MW		 1188 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
1189 * outstanding tasks are moved from other to this.
1190 *
cf3c72c4 1191 * @param other other IKE SA to inherit from
c60c7694 1192 */
713a1122 1193 void (*inherit_post) (ike_sa_t *this, ike_sa_t *other);
7daf5226 1194
c60c7694 1195 /**
2db6d5b8 1196 * Reset the IKE_SA, usable when initiating fails.
c3539961
TB		 1197 *
1198 * @param new_spi TRUE to allocate a new initiator SPI
fe04e93a 1199 */
c3539961 1200 void (*reset) (ike_sa_t *this, bool new_spi);
7daf5226 1201
1396815a 1202 /**
552cc11b 1203 * Destroys a ike_sa_t object.
1396815a 1204 */
3dd3c5f3 1205 void (*destroy) (ike_sa_t *this);
8323a9c1
JH		 1206};
1207
7ba38761 1208/**
0b611540 1209 * Creates an ike_sa_t object with a specific ID and IKE version.
c3dc6f1a 1210 *
0b611540 1211 * @param ike_sa_id ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
17ec1c74 1212 * @param initiator TRUE to create this IKE_SA as initiator
0b611540 1213 * @param version IKE version of this SA
4bbce1ef 1214 * @return ike_sa_t object
7ba38761 1215 */
17ec1c74
MW		 1216ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
1217 ike_version_t version);
7ba38761 1218
1490ff4d 1219#endif /** IKE_SA_H_ @}*/
Unnamed repository; edit this file 'description' to name the repository.