1 /**
2 * @file peer_cfg.h
3 *
4 * @brief Interface of peer_cfg_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef PEER_CFG_H_
25 #define PEER_CFG_H_
26
/* Forward typedefs for the types this header defines. They are declared
 * before the includes below so that any of those headers which refers back
 * to these names (e.g. to peer_cfg_t) already sees them. */
typedef enum dpd_action_t dpd_action_t;
typedef enum cert_policy_t cert_policy_t;
typedef struct peer_cfg_t peer_cfg_t;
30
31 #include <library.h>
32 #include <utils/identification.h>
33 #include <utils/linked_list.h>
34 #include <config/traffic_selector.h>
35 #include <config/proposal.h>
36 #include <config/ike_cfg.h>
37 #include <config/child_cfg.h>
38 #include <sa/authenticators/authenticator.h>
39 #include <sa/authenticators/eap/eap_method.h>
40
/**
 * Certificate sending policy. This is also used for certificate
 * requests when using this definition for the other peer: if
 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise it is
 * included.
 *
 * @ingroup config
 *
 * @warning These definitions must be the same as in pluto/starter,
 * as they are sent over the stroke socket. The numeric values are
 * therefore part of a wire format and must not be changed or reordered.
 */
enum cert_policy_t {
	/** always send certificates, even when not requested */
	CERT_ALWAYS_SEND = 0,
	/** send certificate upon cert request */
	CERT_SEND_IF_ASKED = 1,
	/** never send a certificate, even when requested */
	CERT_NEVER_SEND = 2,
};
60
/**
 * enum name strings for cert_policy_t (one entry per cert_policy_t value)
 *
 * @ingroup config
 */
extern enum_name_t *cert_policy_names;
67
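/**
 * @brief Actions to take when a peer does not respond (dead peer detected).
 *
 * These values are the same as in pluto/starter, so do not modify them!
 * The numeric values are spelled out explicitly so that inserting or
 * reordering an enumerator cannot silently shift the others.
 *
 * @ingroup config
 */
enum dpd_action_t {
	/** DPD disabled */
	DPD_NONE = 0,
	/** remove CHILD_SAs without replacement */
	DPD_CLEAR = 1,
	/** route the CHILD_SAs, to be set up again when needed */
	DPD_ROUTE = 2,
	/** restart CHILD_SAs in a new IKE_SA, immediately */
	DPD_RESTART = 3,
};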
85
/**
 * enum name strings for dpd_action_t (one entry per dpd_action_t value)
 *
 * @ingroup config
 */
extern enum_name_t *dpd_action_names;
90
/**
 * @brief Configuration of a peer, specified by IDs.
 *
 * The peer config defines a connection between two given IDs. It contains
 * exactly one ike_cfg_t, which is used for initiation. Additionally, it
 * contains multiple child_cfg_t defining which CHILD_SAs are allowed for
 * this peer.
 * @verbatim

                           +-------------------+           +---------------+
   +---------------+       |     peer_cfg      |         +---------------+ |
   |    ike_cfg    |       +-------------------+         |   child_cfg   | |
   +---------------+       | - ids             |         +---------------+ |
   | - hosts       | 1   1 | - cas             | 1     n | - proposals   | |
   | - proposals   |<------| - auth info       |-------->| - traffic sel | |
   | - ...         |       | - dpd config      |         | - ...         |-+
   +---------------+       | - ...             |         +---------------+
                           +-------------------+
   @endverbatim
 *
 * The object is reference counted: get_ref() takes an additional reference,
 * destroy() drops one and frees the object once the counter reaches zero.
 *
 * @b Constructors:
 *  - peer_cfg_create()
 *
 * @ingroup config
 */
struct peer_cfg_t {

	/**
	 * @brief Get the name of the peer_cfg.
	 *
	 * The returned string is not cloned; it stays owned by the peer_cfg
	 * and must not be freed by the caller.
	 *
	 * @param this		calling object
	 * @return			peer_cfg's name
	 */
	char* (*get_name) (peer_cfg_t *this);

	/**
	 * @brief Get the IKE version to use for initiating.
	 *
	 * @param this		calling object
	 * @return			IKE major version
	 */
	u_int (*get_ike_version)(peer_cfg_t *this);

	/**
	 * @brief Get the IKE config to use for initiation.
	 *
	 * @param this		calling object
	 * @return			the IKE config to use
	 */
	ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);

	/**
	 * @brief Attach a CHILD config.
	 *
	 * @param this		calling object
	 * @param child_cfg	CHILD config to add
	 */
	void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);

	/**
	 * @brief Create an iterator for all attached CHILD configs.
	 *
	 * @param this		calling object
	 * @return			an iterator over all CHILD configs.
	 */
	iterator_t* (*create_child_cfg_iterator) (peer_cfg_t *this);

	/**
	 * @brief Select a CHILD config from traffic selectors.
	 *
	 * @param this		calling object
	 * @param my_ts		TS for local side
	 * @param other_ts	TS for remote side
	 * @param my_host	host to narrow down dynamic TS for local side
	 * @param other_host host to narrow down dynamic TS for remote side
	 * @return			selected CHILD config, or NULL if no match found
	 */
	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
									  linked_list_t *other_ts, host_t *my_host,
									  host_t *other_host);

	/**
	 * @brief Get own ID.
	 *
	 * @param this		calling object
	 * @return			own id
	 */
	identification_t* (*get_my_id)(peer_cfg_t *this);

	/**
	 * @brief Get the peer's ID.
	 *
	 * @param this		calling object
	 * @return			other id
	 */
	identification_t* (*get_other_id)(peer_cfg_t *this);

	/**
	 * @brief Get own CA.
	 *
	 * @param this		calling object
	 * @return			own ca
	 */
	identification_t* (*get_my_ca)(peer_cfg_t *this);

	/**
	 * @brief Get the peer's CA.
	 *
	 * @param this		calling object
	 * @return			other ca
	 */
	identification_t* (*get_other_ca)(peer_cfg_t *this);

	/**
	 * @brief Get the list of group attributes.
	 *
	 * @param this		calling object
	 * @return			linked list of group attributes
	 */
	linked_list_t* (*get_groups)(peer_cfg_t *this);

	/**
	 * @brief Should a certificate be sent for this connection?
	 *
	 * @param this		calling object
	 * @return			certificate sending policy
	 */
	cert_policy_t (*get_cert_policy) (peer_cfg_t *this);

	/**
	 * @brief Get the authentication method to use to authenticate us.
	 *
	 * @param this		calling object
	 * @return			authentication method
	 */
	auth_method_t (*get_auth_method) (peer_cfg_t *this);

	/**
	 * @brief Get the EAP type to use for peer authentication.
	 *
	 * @param this		calling object
	 * @return			EAP type
	 */
	eap_type_t (*get_eap_type) (peer_cfg_t *this);

	/**
	 * @brief Get the max number of retries after timeout.
	 *
	 * @param this		calling object
	 * @return			max number of retries
	 */
	u_int32_t (*get_keyingtries) (peer_cfg_t *this);

	/**
	 * @brief Get the lifetime of an IKE_SA.
	 *
	 * If "rekey" is set to TRUE, the lifetime after which the first rekeying
	 * should be started is returned. If it is FALSE, the actual lifetime
	 * after which the IKE_SA must be deleted is returned.
	 * The rekey time automatically contains a jitter to avoid simultaneous
	 * rekeying.
	 *
	 * @param this		calling object
	 * @param rekey		TRUE to get rekey time
	 * @return			lifetime in seconds
	 */
	u_int32_t (*get_lifetime) (peer_cfg_t *this, bool rekey);

	/**
	 * @brief Should a full reauthentication be done instead of rekeying?
	 *
	 * @param this		calling object
	 * @return			TRUE to use full reauthentication
	 */
	bool (*use_reauth) (peer_cfg_t *this);

	/**
	 * @brief Use MOBIKE (RFC4555) if the peer supports it?
	 *
	 * @param this		calling object
	 * @return			TRUE to enable MOBIKE support
	 */
	bool (*use_mobike) (peer_cfg_t *this);

	/**
	 * @brief Enforce UDP encapsulation by faking NATD notifies?
	 *
	 * @param this		calling object
	 * @return			TRUE to enforce UDP encapsulation
	 */
	bool (*force_encap) (peer_cfg_t *this);

	/**
	 * @brief Get the DPD check interval.
	 *
	 * @param this		calling object
	 * @return			dpd_delay in seconds
	 */
	u_int32_t (*get_dpd_delay) (peer_cfg_t *this);

	/**
	 * @brief What should be done with a CHILD_SA when the other peer does
	 * not respond?
	 *
	 * @param this		calling object
	 * @return			dpd action
	 */
	dpd_action_t (*get_dpd_action) (peer_cfg_t *this);

	/**
	 * @brief Get a virtual IP for the local peer.
	 *
	 * If no virtual IP should be used, NULL is returned. %any means to
	 * request a virtual IP using configuration payloads. A specific address
	 * is also used for a request and may be changed by the server.
	 *
	 * @param this		calling object
	 * @return			clone of an IP, %any or NULL
	 */
	host_t* (*get_my_virtual_ip) (peer_cfg_t *this);

	/**
	 * @brief Get a virtual IP for the remote peer.
	 *
	 * An IP may be supplied, if one was requested by the initiator. However,
	 * the suggestion is just that: any address may be returned, even NULL
	 * to not use virtual IPs.
	 *
	 * @param this		calling object
	 * @param suggestion NULL, %any or a specific address
	 * @return			clone of an IP to use
	 */
	host_t* (*get_other_virtual_ip) (peer_cfg_t *this, host_t *suggestion);

	/**
	 * @brief Get a new reference.
	 *
	 * Get a new reference to this peer_cfg by increasing its internal
	 * reference counter.
	 * Do not call get_ref() or any other method unless you already hold a
	 * reference; otherwise the object may get destroyed while calling
	 * get_ref().
	 *
	 * @param this		calling object
	 */
	void (*get_ref) (peer_cfg_t *this);

	/**
	 * @brief Destroys the peer_cfg object.
	 *
	 * Decrements the internal reference counter and destroys the peer_cfg
	 * when it reaches zero.
	 *
	 * @param this		calling object
	 */
	void (*destroy) (peer_cfg_t *this);
};
349
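/**
 * @brief Create a configuration object for IKE_AUTH and later.
 *
 * The name string gets cloned, the IDs do not.
 * Virtual IPs are used if they are != NULL. A %any host means the virtual
 * IP should be obtained from the other peer.
 * Lifetimes are in seconds. To prevent two peers from starting to rekey at
 * the same time, a jitter may be specified. Rekeying of an SA starts at
 * (rekeytime - random(0, jitter)).
 *
 * The returned object is reference counted; release it with destroy().
 *
 * @param name				name of the peer_cfg
 * @param ike_version		which IKE version we should use for this peer
 * @param ike_cfg			IKE config to use when acting as initiator
 * @param my_id				identification_t for ourselves
 * @param other_id			identification_t for the remote peer
 * @param my_ca				CA to use for us
 * @param other_ca			CA to use for other
 * @param groups			list of group memberships
 * @param cert_policy		should we send a certificate payload?
 * @param auth_method		auth method to use to authenticate us
 * @param eap_type			EAP type to use for peer authentication
 * @param keyingtries		how many keying tries should be done before giving up
 * @param lifetime			lifetime before deleting an SA
 * @param rekeytime			lifetime before rekeying an SA
 * @param jitter			range of random to subtract from rekeytime
 * @param reauth			should reauthentication be done instead of rekeying?
 * @param mobike			use MOBIKE (RFC4555) if peer supports it
 * @param force_encap		enforce UDP encapsulation by faking NATD notify
 * @param dpd_delay			after how many seconds of inactivity to check DPD
 * @param dpd_action		what to do with CHILD_SAs when a dead peer is detected
 * @param my_virtual_ip		virtual IP for local host, or NULL
 * @param other_virtual_ip	virtual IP for remote host, or NULL
 * @return					peer_cfg_t object
 *
 * @ingroup config
 */
peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
							identification_t *my_id, identification_t *other_id,
							identification_t *my_ca, identification_t *other_ca,
							linked_list_t *groups, cert_policy_t cert_policy,
							auth_method_t auth_method, eap_type_t eap_type,
							u_int32_t keyingtries, u_int32_t lifetime,
							u_int32_t rekeytime, u_int32_t jitter,
							bool reauth, bool mobike, bool force_encap,
							u_int32_t dpd_delay, dpd_action_t dpd_action,
							host_t *my_virtual_ip, host_t *other_virtual_ip);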
396
397 #endif /* PEER_CFG_H_ */