moved force_encap to ike_config, enables responder to enforce udp encapsulation
[strongswan.git] / src / charon / config / peer_cfg.h
1 /**
2 * @file peer_cfg.h
3 *
4 * @brief Interface of peer_cfg_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef PEER_CFG_H_
25 #define PEER_CFG_H_
26
27 typedef enum dpd_action_t dpd_action_t;
28 typedef enum cert_policy_t cert_policy_t;
29 typedef struct peer_cfg_t peer_cfg_t;
30
31 #include <library.h>
32 #include <utils/identification.h>
33 #include <utils/linked_list.h>
34 #include <config/traffic_selector.h>
35 #include <config/proposal.h>
36 #include <config/ike_cfg.h>
37 #include <config/child_cfg.h>
38 #include <sa/authenticators/authenticator.h>
39 #include <sa/authenticators/eap/eap_method.h>
40
41 /**
42 * Certificate sending policy. This is also used for certificate
43 * requests when using this definition for the other peer. If
44 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
45 * included.
46 *
47 * @ingroup config
48 *
49 * @warning These definitions must be the same as in pluto/starter,
50 * as they are sent over the stroke socket.
51 */
52 enum cert_policy_t {
53 /** always send certificates, even when not requested */
54 CERT_ALWAYS_SEND = 0,
55 /** send certificate upon cert request */
56 CERT_SEND_IF_ASKED = 1,
57 /** never send a certificate, even when requested */
58 CERT_NEVER_SEND = 2,
59 };
60
61 /**
62 * enum strings for cert_policy_t
63 *
64 * @ingroup config
65 */
66 extern enum_name_t *cert_policy_names;
67
68 /**
69 * @brief Actions to take when a peer does not respond (dead peer detected).
70 *
71 * These values are the same as in pluto/starter, so do not modify them!
72 *
73 * @ingroup config
74 */
75 enum dpd_action_t {
76 /** DPD disabled */
77 DPD_NONE,
78 /** remove CHILD_SAs without replacement */
79 DPD_CLEAR,
80 /** route the CHILD_SAs to resetup when needed */
81 DPD_ROUTE,
82 /** restart CHILD_SAs in a new IKE_SA, immediately */
83 DPD_RESTART,
84 };
85
86 /**
87 * enum names for dpd_action_t.
88 */
89 extern enum_name_t *dpd_action_names;
90
91 /**
92 * @brief Configuration of a peer, specified by IDs.
93 *
94 * The peer config defines a connection between two given IDs. It contains
95 * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains
96 * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer.
97 * @verbatim
98
99 +-------------------+ +---------------+
100 +---------------+ | peer_cfg | +---------------+ |
101 | ike_cfg | +-------------------+ | child_cfg | |
102 +---------------+ | - ids | +---------------+ |
103 | - hosts | 1 1 | - cas | 1 n | - proposals | |
104 | - proposals |<------| - auth info |-------->| - traffic sel | |
105 | - ... | | - dpd config | | - ... |-+
106 +---------------+ | - ... | +---------------+
107 +-------------------+
108 @endverbatim
109 *
110 * @b Constructors:
111 * - peer_cfg_create()
112 *
113 * @ingroup config
114 */
115 struct peer_cfg_t {
116
117 /**
118 * @brief Get the name of the peer_cfg.
119 *
120 * Returned object is not getting cloned.
121 *
122 * @param this calling object
123 * @return peer_cfg's name
124 */
125 char* (*get_name) (peer_cfg_t *this);
126
127 /**
128 * @brief Get the IKE version to use for initiating.
129 *
130 * @param this calling object
131 * @return IKE major version
132 */
133 u_int (*get_ike_version)(peer_cfg_t *this);
134
135 /**
136 * @brief Get the IKE config to use for initiaton.
137 *
138 * @param this calling object
139 * @return the IKE config to use
140 */
141 ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
142
143 /**
144 * @brief Attach a CHILD config.
145 *
146 * @param this calling object
147 * @param child_cfg CHILD config to add
148 */
149 void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
150
151 /**
152 * @brief Create an iterator for all attached CHILD configs.
153 *
154 * @param this calling object
155 * @return an iterator over all CHILD configs.
156 */
157 iterator_t* (*create_child_cfg_iterator) (peer_cfg_t *this);
158
159 /**
160 * @brief Select a CHILD config from traffic selectors.
161 *
162 * @param this calling object
163 * @param my_ts TS for local side
164 * @param other_ts TS for remote side
165 * @param my_host host to narrow down dynamic TS for local side
166 * @param other_host host to narrow down dynamic TS for remote side
167 * @return selected CHILD config, or NULL if no match found
168 */
169 child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
170 linked_list_t *other_ts, host_t *my_host,
171 host_t *other_host);
172
173 /**
174 * @brief Get own ID.
175 *
176 * @param this calling object
177 * @return own id
178 */
179 identification_t* (*get_my_id)(peer_cfg_t *this);
180
181 /**
182 * @brief Get peers ID.
183 *
184 * @param this calling object
185 * @return other id
186 */
187 identification_t* (*get_other_id)(peer_cfg_t *this);
188
189 /**
190 * @brief Get own CA.
191 *
192 * @param this calling object
193 * @return own ca
194 */
195 identification_t* (*get_my_ca)(peer_cfg_t *this);
196
197 /**
198 * @brief Get peer CA.
199 *
200 * @param this calling object
201 * @return other ca
202 */
203 identification_t* (*get_other_ca)(peer_cfg_t *this);
204
205 /**
206 * @brief Get list of group attributes.
207 *
208 * @param this calling object
209 * @return linked list of group attributes
210 */
211 linked_list_t* (*get_groups)(peer_cfg_t *this);
212
213 /**
214 * @brief Should be sent a certificate for this connection?
215 *
216 * @param this calling object
217 * @return certificate sending policy
218 */
219 cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
220
221 /**
222 * @brief Get the authentication method to use to authenticate us.
223 *
224 * @param this calling object
225 * @return authentication method
226 */
227 auth_method_t (*get_auth_method) (peer_cfg_t *this);
228
229 /**
230 * @brief Get the EAP type to use for peer authentication.
231 *
232 * @param this calling object
233 * @return authentication method
234 */
235 eap_type_t (*get_eap_type) (peer_cfg_t *this);
236
237 /**
238 * @brief Get the max number of retries after timeout.
239 *
240 * @param this calling object
241 * @return max number retries
242 */
243 u_int32_t (*get_keyingtries) (peer_cfg_t *this);
244
245 /**
246 * @brief Get the lifetime of a IKE_SA.
247 *
248 * If "rekey" is set to TRUE, a lifetime is returned before the first
249 * rekeying should be started. If it is FALSE, the actual lifetime is
250 * returned when the IKE_SA must be deleted.
251 * The rekey time automatically contains a jitter to avoid simlutaneous
252 * rekeying.
253 *
254 * @param this child_config
255 * @param rekey TRUE to get rekey time
256 * @return lifetime in seconds
257 */
258 u_int32_t (*get_lifetime) (peer_cfg_t *this, bool rekey);
259
260 /**
261 * @brief Should a full reauthentication be done instead of rekeying?
262 *
263 * @param this calling object
264 * @return TRUE to use full reauthentication
265 */
266 bool (*use_reauth) (peer_cfg_t *this);
267
268 /**
269 * @brief Use MOBIKE (RFC4555) if peer supports it?
270 *
271 * @param this calling object
272 * @return TRUE to enable MOBIKE support
273 */
274 bool (*use_mobike) (peer_cfg_t *this);
275
276 /**
277 * @brief Get the DPD check interval.
278 *
279 * @param this calling object
280 * @return dpd_delay in seconds
281 */
282 u_int32_t (*get_dpd_delay) (peer_cfg_t *this);
283
284 /**
285 * @brief What should be done with a CHILD_SA, when other peer does not respond.
286 *
287 * @param this calling object
288 * @return dpd action
289 */
290 dpd_action_t (*get_dpd_action) (peer_cfg_t *this);
291
292 /**
293 * @brief Get a virtual IP for the local peer.
294 *
295 * If no virtual IP should be used, NULL is returned. %any means to request
296 * a virtual IP using configuration payloads. A specific address is also
297 * used for a request and may be changed by the server.
298 *
299 * @param this peer_cfg
300 * @param suggestion NULL, %any or specific
301 * @return clone of an IP, %any or NULL
302 */
303 host_t* (*get_my_virtual_ip) (peer_cfg_t *this);
304
305 /**
306 * @brief Get a virtual IP for the remote peer.
307 *
308 * An IP may be supplied, if one was requested by the initiator. However,
309 * the suggestion is not more as it says, any address may be returned, even
310 * NULL to not use virtual IPs.
311 *
312 * @param this peer_cfg
313 * @param suggestion NULL, %any or specific
314 * @return clone of an IP to use
315 */
316 host_t* (*get_other_virtual_ip) (peer_cfg_t *this, host_t *suggestion);
317
318 /**
319 * @brief Get a new reference.
320 *
321 * Get a new reference to this peer_cfg by increasing
322 * it's internal reference counter.
323 * Do not call get_ref or any other function until you
324 * already have a reference. Otherwise the object may get
325 * destroyed while calling get_ref(),
326 *
327 * @param this calling object
328 */
329 void (*get_ref) (peer_cfg_t *this);
330
331 /**
332 * @brief Destroys the peer_cfg object.
333 *
334 * Decrements the internal reference counter and
335 * destroys the peer_cfg when it reaches zero.
336 *
337 * @param this calling object
338 */
339 void (*destroy) (peer_cfg_t *this);
340 };
341
342 /**
343 * @brief Create a configuration object for IKE_AUTH and later.
344 *
345 * name-string gets cloned, ID's not.
346 * Virtual IPs are used if they are != NULL. A %any host means the virtual
347 * IP should be obtained from the other peer.
348 * Lifetimes are in seconds. To prevent to peers to start rekeying at the
349 * same time, a jitter may be specified. Rekeying of an SA starts at
350 * (rekeylifetime - random(0, jitter)).
351 *
352 * @param name name of the peer_cfg
353 * @param ike_version which IKE version we sould use for this peer
354 * @param ike_cfg IKE config to use when acting as initiator
355 * @param my_id identification_t for ourselves
356 * @param other_id identification_t for the remote guy
357 * @param my_ca CA to use for us
358 * @param other_ca CA to use for other
359 * @param groups list of group memberships
360 * @param cert_policy should we send a certificate payload?
361 * @param auth_method auth method to use to authenticate us
362 * @param eap_type EAP type to use for peer authentication
363 * @param keyingtries how many keying tries should be done before giving up
364 * @param lifetime lifetime before deleting an SA
365 * @param rekeytime lifetime before rekeying an SA
366 * @param jitter range of random to substract from rekeytime
367 * @param reauth sould be done reauthentication instead of rekeying?
368 * @param mobike use MOBIKE (RFC4555) if peer supports it
369 * @param dpd_delay after how many seconds of inactivity to check DPD
370 * @param dpd_action what to do with CHILD_SAs when detected a dead peer
371 * @param my_virtual_ip virtual IP for local host, or NULL
372 * @param other_virtual_ip virtual IP for remote host, or NULL
373 * @return peer_cfg_t object
374 *
375 * @ingroup config
376 */
377 peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
378 identification_t *my_id, identification_t *other_id,
379 identification_t *my_ca, identification_t *other_ca,
380 linked_list_t *groups, cert_policy_t cert_policy,
381 auth_method_t auth_method, eap_type_t eap_type,
382 u_int32_t keyingtries, u_int32_t lifetime,
383 u_int32_t rekeytime, u_int32_t jitter,
384 bool reauth, bool mobike,
385 u_int32_t dpd_delay, dpd_action_t dpd_action,
386 host_t *my_virtual_ip, host_t *other_virtual_ip);
387
388 #endif /* PEER_CFG_H_ */