using dpd actions to enforce connection state
[strongswan.git] / src / charon / config / peer_cfg.h
1 /*
2 * Copyright (C) 2007 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 /**
21 * @defgroup peer_cfg peer_cfg
22 * @{ @ingroup config
23 */
24
25 #ifndef PEER_CFG_H_
26 #define PEER_CFG_H_
27
28 typedef enum cert_policy_t cert_policy_t;
29 typedef struct peer_cfg_t peer_cfg_t;
30
31 #include <library.h>
32 #include <utils/identification.h>
33 #include <utils/enumerator.h>
34 #include <config/traffic_selector.h>
35 #include <config/proposal.h>
36 #include <config/ike_cfg.h>
37 #include <config/child_cfg.h>
38 #include <sa/authenticators/authenticator.h>
39 #include <sa/authenticators/eap/eap_method.h>
40 #include <credentials/auth_info.h>
41
42 /**
43 * Certificate sending policy. This is also used for certificate
44 * requests when using this definition for the other peer. If
45 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
46 * included.
47 *
48 * @warning These definitions must be the same as in pluto/starter,
49 * as they are sent over the stroke socket.
50 */
51 enum cert_policy_t {
52 /** always send certificates, even when not requested */
53 CERT_ALWAYS_SEND = 0,
54 /** send certificate upon cert request */
55 CERT_SEND_IF_ASKED = 1,
56 /** never send a certificate, even when requested */
57 CERT_NEVER_SEND = 2,
58 };
59
60 /**
61 * enum strings for cert_policy_t
62 */
63 extern enum_name_t *cert_policy_names;
64
65 /**
66 * Configuration of a peer, specified by IDs.
67 *
68 * The peer config defines a connection between two given IDs. It contains
69 * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains
70 * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer.
71 * @verbatim
72
73 +-------------------+ +---------------+
74 +---------------+ | peer_cfg | +---------------+ |
75 | ike_cfg | +-------------------+ | child_cfg | |
76 +---------------+ | - ids | +---------------+ |
77 | - hosts | 1 1 | - cas | 1 n | - proposals | |
78 | - proposals |<------| - auth info |-------->| - traffic sel | |
79 | - ... | | - dpd config | | - ... |-+
80 +---------------+ | - ... | +---------------+
81 +-------------------+
82 ^
83 |
84 +-------------------+
85 | auth_info |
86 +-------------------+
87 | auth_items |
88 +-------------------+
89 @endverbatim
90 * The auth_info_t object associated to the peer_cfg holds additional
91 * authorization constraints. A peer who wants to use a config needs to fullfil
92 * the requirements defined in auth_info.
93 */
94 struct peer_cfg_t {
95
96 /**
97 * Get the name of the peer_cfg.
98 *
99 * Returned object is not getting cloned.
100 *
101 * @return peer_cfg's name
102 */
103 char* (*get_name) (peer_cfg_t *this);
104
105 /**
106 * Get the IKE version to use for initiating.
107 *
108 * @return IKE major version
109 */
110 u_int (*get_ike_version)(peer_cfg_t *this);
111
112 /**
113 * Get the IKE config to use for initiaton.
114 *
115 * @return the IKE config to use
116 */
117 ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
118
119 /**
120 * Attach a CHILD config.
121 *
122 * @param child_cfg CHILD config to add
123 */
124 void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
125
126 /**
127 * Detach a CHILD config, pointed to by an enumerator.
128 *
129 * @param enumerator enumerator indicating element position
130 */
131 void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
132
133 /**
134 * Create an enumerator for all attached CHILD configs.
135 *
136 * @return an enumerator over all CHILD configs.
137 */
138 enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);
139
140 /**
141 * Select a CHILD config from traffic selectors.
142 *
143 * @param my_ts TS for local side
144 * @param other_ts TS for remote side
145 * @param my_host host to narrow down dynamic TS for local side
146 * @param other_host host to narrow down dynamic TS for remote side
147 * @return selected CHILD config, or NULL if no match found
148 */
149 child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
150 linked_list_t *other_ts, host_t *my_host,
151 host_t *other_host);
152
153 /**
154 * Get the authentication constraint items.
155 *
156 * @return auth_info object to manipulate requirements
157 */
158 auth_info_t* (*get_auth)(peer_cfg_t *this);
159
160 /**
161 * Get own ID.
162 *
163 * @return own id
164 */
165 identification_t* (*get_my_id)(peer_cfg_t *this);
166
167 /**
168 * Get peers ID.
169 *
170 * @return other id
171 */
172 identification_t* (*get_other_id)(peer_cfg_t *this);
173
174 /**
175 * Should be sent a certificate for this connection?
176 *
177 * @return certificate sending policy
178 */
179 cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
180
181 /**
182 * Get the authentication method to use to authenticate us.
183 *
184 * @return authentication method
185 */
186 auth_method_t (*get_auth_method) (peer_cfg_t *this);
187
188 /**
189 * Get the EAP type to use for peer authentication.
190 *
191 * If vendor specific types are used, a vendor ID != 0 is returned to
192 * to vendor argument. Then the returned type is specific for that
193 * vendor ID.
194 *
195 * @param vendor receives vendor specifier, 0 for predefined EAP types
196 * @return authentication method
197 */
198 eap_type_t (*get_eap_type) (peer_cfg_t *this, u_int32_t *vendor);
199
200 /**
201 * Get the max number of retries after timeout.
202 *
203 * @return max number retries
204 */
205 u_int32_t (*get_keyingtries) (peer_cfg_t *this);
206
207 /**
208 * Get a time to start rekeying (is randomized with jitter).
209 *
210 * @return time in s when to start rekeying, 0 disables rekeying
211 */
212 u_int32_t (*get_rekey_time)(peer_cfg_t *this);
213
214 /**
215 * Get a time to start reauthentication (is randomized with jitter).
216 *
217 * @return time in s when to start reauthentication, 0 disables it
218 */
219 u_int32_t (*get_reauth_time)(peer_cfg_t *this);
220
221 /**
222 * Get the timeout of a rekeying/reauthenticating SA.
223 *
224 * @return timeout in s
225 */
226 u_int32_t (*get_over_time)(peer_cfg_t *this);
227
228 /**
229 * Use MOBIKE (RFC4555) if peer supports it?
230 *
231 * @return TRUE to enable MOBIKE support
232 */
233 bool (*use_mobike) (peer_cfg_t *this);
234
235 /**
236 * Get the DPD check interval.
237 *
238 * @return dpd_delay in seconds
239 */
240 u_int32_t (*get_dpd) (peer_cfg_t *this);
241
242 /**
243 * Get a virtual IP for the local peer.
244 *
245 * If no virtual IP should be used, NULL is returned. %any means to request
246 * a virtual IP using configuration payloads. A specific address is also
247 * used for a request and may be changed by the server.
248 *
249 * @param suggestion NULL, %any or specific
250 * @return virtual IP, %any or NULL
251 */
252 host_t* (*get_virtual_ip) (peer_cfg_t *this);
253
254 /**
255 * Get the name of the pool to acquire configuration attributes from.
256 *
257 * @return pool name, NULL if none defined
258 */
259 char* (*get_pool)(peer_cfg_t *this);
260
261 #ifdef ME
262 /**
263 * Is this a mediation connection?
264 *
265 * @return TRUE, if this is a mediation connection
266 */
267 bool (*is_mediation) (peer_cfg_t *this);
268
269 /**
270 * Get peer_cfg of the connection this one is mediated through.
271 *
272 * @return the peer_cfg of the mediation connection
273 */
274 peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
275
276 /**
277 * Get the id of the other peer at the mediation server.
278 *
279 * This is the leftid of the peer's connection with the mediation server.
280 *
281 * If it is not configured, it is assumed to be the same as the right id
282 * of this connection.
283 *
284 * @return the id of the other peer
285 */
286 identification_t* (*get_peer_id) (peer_cfg_t *this);
287 #endif /* ME */
288
289 /**
290 * Check if two peer configurations are equal.
291 *
292 * This method does not compare associated ike/child_cfg.
293 *
294 * @param other candidate to check for equality against this
295 * @return TRUE if peer_cfg and ike_cfg are equal
296 */
297 bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);
298
299 /**
300 * Get a new reference.
301 *
302 * Get a new reference to this peer_cfg by increasing
303 * it's internal reference counter.
304 * Do not call get_ref or any other function until you
305 * already have a reference. Otherwise the object may get
306 * destroyed while calling get_ref(),
307 */
308 void (*get_ref) (peer_cfg_t *this);
309
310 /**
311 * Destroys the peer_cfg object.
312 *
313 * Decrements the internal reference counter and
314 * destroys the peer_cfg when it reaches zero.
315 */
316 void (*destroy) (peer_cfg_t *this);
317 };
318
319 /**
320 * Create a configuration object for IKE_AUTH and later.
321 *
322 * name-string gets cloned, ID's not.
323 * Virtual IPs are used if they are != NULL. A %any host means the virtual
324 * IP should be obtained from the other peer.
325 * Lifetimes are in seconds. To prevent to peers to start rekeying at the
326 * same time, a jitter may be specified. Rekeying of an SA starts at
327 * (rekeylifetime - random(0, jitter)).
328 *
329 * @param name name of the peer_cfg
330 * @param ike_version which IKE version we sould use for this peer
331 * @param ike_cfg IKE config to use when acting as initiator
332 * @param my_id identification_t for ourselves
333 * @param other_id identification_t for the remote guy
334 * @param cert_policy should we send a certificate payload?
335 * @param auth_method auth method to use to authenticate us
336 * @param eap_type EAP type to use for peer authentication
337 * @param eap_vendor EAP vendor identifier, if vendor specific type is used
338 * @param keyingtries how many keying tries should be done before giving up
339 * @param rekey_time timeout before starting rekeying
340 * @param reauth_time timeout before starting reauthentication
341 * @param jitter_time timerange to randomly substract from rekey/reauth time
342 * @param over_time maximum overtime before closing a rekeying/reauth SA
343 * @param reauth sould be done reauthentication instead of rekeying?
344 * @param mobike use MOBIKE (RFC4555) if peer supports it
345 * @param dpd DPD check interval, 0 to disable
346 * @param virtual_ip virtual IP for local host, or NULL
347 * @param pool pool name to get configuration attributes from, or NULL
348 * @param mediation TRUE if this is a mediation connection
349 * @param mediated_by peer_cfg_t of the mediation connection to mediate through
350 * @param peer_id ID that identifies our peer at the mediation server
351 * @return peer_cfg_t object
352 */
353 peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
354 identification_t *my_id, identification_t *other_id,
355 cert_policy_t cert_policy,
356 auth_method_t auth_method, eap_type_t eap_type,
357 u_int32_t eap_vendor,
358 u_int32_t keyingtries, u_int32_t rekey_time,
359 u_int32_t reauth_time, u_int32_t jitter_time,
360 u_int32_t over_time, bool mobike, u_int32_t dpd,
361 host_t *virtual_ip, char *pool,
362 bool mediation, peer_cfg_t *mediated_by,
363 identification_t *peer_id);
364
365 #endif /* PEER_CFG_H_ @} */