moved key derivation and management into keymat object
[strongswan.git] / src / charon / sa / ike_sa.h
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2008 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 /**
22 * @defgroup ike_sa ike_sa
23 * @{ @ingroup sa
24 */
25
26 #ifndef IKE_SA_H_
27 #define IKE_SA_H_
28
29 typedef enum ike_extension_t ike_extension_t;
30 typedef enum ike_condition_t ike_condition_t;
31 typedef enum ike_sa_state_t ike_sa_state_t;
32 typedef enum statistic_t statistic_t;
33 typedef struct ike_sa_t ike_sa_t;
34
35 #include <library.h>
36 #include <encoding/message.h>
37 #include <encoding/payloads/proposal_substructure.h>
38 #include <sa/ike_sa_id.h>
39 #include <sa/child_sa.h>
40 #include <sa/tasks/task.h>
41 #include <sa/keymat.h>
42 #include <config/peer_cfg.h>
43 #include <config/ike_cfg.h>
44 #include <credentials/auth_info.h>
45
46 /**
47 * Timeout in milliseconds after that a half open IKE_SA gets deleted.
48 */
49 #define HALF_OPEN_IKE_SA_TIMEOUT 30000
50
51 /**
52 * Interval to send keepalives when NATed, in seconds.
53 */
54 #define KEEPALIVE_INTERVAL 20
55
56 /**
57 * After which time rekeying should be retried if it failed, in seconds.
58 */
59 #define RETRY_INTERVAL 30
60
61 /**
62 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
63 */
64 #define RETRY_JITTER 20
65
66 /**
67 * Extensions (or optional features) the peer supports
68 */
69 enum ike_extension_t {
70
71 /**
72 * peer supports NAT traversal as specified in RFC4306
73 */
74 EXT_NATT = (1<<0),
75
76 /**
77 * peer supports MOBIKE (RFC4555)
78 */
79 EXT_MOBIKE = (1<<1),
80
81 /**
82 * peer supports HTTP cert lookups as specified in RFC4306
83 */
84 EXT_HASH_AND_URL = (1<<2),
85 };
86
87 /**
88 * Conditions of an IKE_SA, change during its lifetime
89 */
90 enum ike_condition_t {
91
92 /**
93 * Connection is natted (or faked) somewhere
94 */
95 COND_NAT_ANY = (1<<0),
96
97 /**
98 * we are behind NAT
99 */
100 COND_NAT_HERE = (1<<1),
101
102 /**
103 * other is behind NAT
104 */
105 COND_NAT_THERE = (1<<2),
106
107 /**
108 * Faking NAT to enforce UDP encapsulation
109 */
110 COND_NAT_FAKE = (1<<3),
111
112 /**
113 * peer has ben authenticated using EAP
114 */
115 COND_EAP_AUTHENTICATED = (1<<4),
116
117 /**
118 * received a certificate request from the peer
119 */
120 COND_CERTREQ_SEEN = (1<<5),
121 };
122
123 /**
124 * Timing information and statistics to query from an SA
125 */
126 enum statistic_t {
127 /** Timestamp of SA establishement */
128 STAT_ESTABLISHED = 0,
129 /** Timestamp of scheudled rekeying */
130 STAT_REKEY,
131 /** Timestamp of scheudled reauthentication */
132 STAT_REAUTH,
133 /** Timestamp of scheudled delete */
134 STAT_DELETE,
135 /** Timestamp of last inbound IKE packet */
136 STAT_INBOUND,
137 /** Timestamp of last outbound IKE packet */
138 STAT_OUTBOUND,
139
140 STAT_MAX
141 };
142
143 /**
144 * State of an IKE_SA.
145 *
146 * An IKE_SA passes various states in its lifetime. A newly created
147 * SA is in the state CREATED.
148 * @verbatim
149 +----------------+
150 ¦ SA_CREATED ¦
151 +----------------+
152 ¦
153 on initiate()---> ¦ <----- on IKE_SA_INIT received
154 V
155 +----------------+
156 ¦ SA_CONNECTING ¦
157 +----------------+
158 ¦
159 ¦ <----- on IKE_AUTH successfully completed
160 V
161 +----------------+
162 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
163 +----------------+ ¦
164 ¦ V
165 on delete()---> ¦ <----- on IKE_SA +-------------+
166 ¦ delete request ¦ SA_REKEYING ¦
167 ¦ received +-------------+
168 V ¦
169 +----------------+ ¦
170 ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
171 +----------------+
172 ¦
173 ¦ <----- after delete() acknowledged
174 ¦
175 \V/
176 X
177 / \
178 @endverbatim
179 */
180 enum ike_sa_state_t {
181
182 /**
183 * IKE_SA just got created, but is not initiating nor responding yet.
184 */
185 IKE_CREATED,
186
187 /**
188 * IKE_SA gets initiated actively or passively
189 */
190 IKE_CONNECTING,
191
192 /**
193 * IKE_SA is fully established
194 */
195 IKE_ESTABLISHED,
196
197 /**
198 * IKE_SA rekeying in progress
199 */
200 IKE_REKEYING,
201
202 /**
203 * IKE_SA is in progress of deletion
204 */
205 IKE_DELETING,
206
207 /**
208 * IKE_SA object gets destroyed
209 */
210 IKE_DESTROYING,
211 };
212
213 /**
214 * enum names for ike_sa_state_t.
215 */
216 extern enum_name_t *ike_sa_state_names;
217
218 /**
219 * Class ike_sa_t representing an IKE_SA.
220 *
221 * An IKE_SA contains crypto information related to a connection
222 * with a peer. It contains multiple IPsec CHILD_SA, for which
223 * it is responsible. All traffic is handled by an IKE_SA, using
224 * the task manager and its tasks.
225 */
226 struct ike_sa_t {
227
228 /**
229 * Get the id of the SA.
230 *
231 * Returned ike_sa_id_t object is not getting cloned!
232 *
233 * @return ike_sa's ike_sa_id_t
234 */
235 ike_sa_id_t* (*get_id) (ike_sa_t *this);
236
237 /**
238 * Get the numerical ID uniquely defining this IKE_SA.
239 *
240 * @return unique ID
241 */
242 u_int32_t (*get_unique_id) (ike_sa_t *this);
243
244 /**
245 * Get the state of the IKE_SA.
246 *
247 * @return state of the IKE_SA
248 */
249 ike_sa_state_t (*get_state) (ike_sa_t *this);
250
251 /**
252 * Set the state of the IKE_SA.
253 *
254 * @param state state to set for the IKE_SA
255 */
256 void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);
257
258 /**
259 * Get the name of the connection this IKE_SA uses.
260 *
261 * @return name
262 */
263 char* (*get_name) (ike_sa_t *this);
264
265 /**
266 * Get statistic values from the IKE_SA.
267 *
268 * @param kind kind of requested value
269 * @return value as integer
270 */
271 u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
272
273 /**
274 * Get the own host address.
275 *
276 * @return host address
277 */
278 host_t* (*get_my_host) (ike_sa_t *this);
279
280 /**
281 * Set the own host address.
282 *
283 * @param me host address
284 */
285 void (*set_my_host) (ike_sa_t *this, host_t *me);
286
287 /**
288 * Get the other peers host address.
289 *
290 * @return host address
291 */
292 host_t* (*get_other_host) (ike_sa_t *this);
293
294 /**
295 * Set the others host address.
296 *
297 * @param other host address
298 */
299 void (*set_other_host) (ike_sa_t *this, host_t *other);
300
301 /**
302 * Update the IKE_SAs host.
303 *
304 * Hosts may be NULL to use current host.
305 *
306 * @param me new local host address, or NULL
307 * @param other new remote host address, or NULL
308 */
309 void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);
310
311 /**
312 * Get the own identification.
313 *
314 * @return identification
315 */
316 identification_t* (*get_my_id) (ike_sa_t *this);
317
318 /**
319 * Set the own identification.
320 *
321 * @param me identification
322 */
323 void (*set_my_id) (ike_sa_t *this, identification_t *me);
324
325 /**
326 * Get the other peer's identification.
327 *
328 * @return identification
329 */
330 identification_t* (*get_other_id) (ike_sa_t *this);
331
332 /**
333 * Set the other peer's identification.
334 *
335 * @param other identification
336 */
337 void (*set_other_id) (ike_sa_t *this, identification_t *other);
338
339 /**
340 * Get the peers EAP identity.
341 *
342 * The EAP identity is exchanged in a EAP-Identity exchange.
343 *
344 * @return identification, NULL if none set
345 */
346 identification_t* (*get_eap_identity) (ike_sa_t *this);
347
348 /**
349 * Set the peer's EAP identity.
350 *
351 * @param id identification
352 */
353 void (*set_eap_identity) (ike_sa_t *this, identification_t *id);
354
355 /**
356 * Get the config used to setup this IKE_SA.
357 *
358 * @return ike_config
359 */
360 ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
361
362 /**
363 * Set the config to setup this IKE_SA.
364 *
365 * @param config ike_config to use
366 */
367 void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
368
369 /**
370 * Get the peer config used by this IKE_SA.
371 *
372 * @return peer_config
373 */
374 peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
375
376 /**
377 * Set the peer config to use with this IKE_SA.
378 *
379 * @param config peer_config to use
380 */
381 void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
382
383 /**
384 * Get authentication/authorization info for local peer.
385 *
386 * @return auth_info for me
387 */
388 auth_info_t* (*get_my_auth)(ike_sa_t *this);
389
390 /**
391 * Get authentication/authorization info for remote peer.
392 *
393 * @return auth_info for me
394 */
395 auth_info_t* (*get_other_auth)(ike_sa_t *this);
396
397 /**
398 * Add an additional address for the peer.
399 *
400 * In MOBIKE, a peer may transmit additional addresses where it is
401 * reachable. These are stored in the IKE_SA.
402 * The own list of addresses is not stored, they are queried from
403 * the kernel when required.
404 *
405 * @param host host to add to list
406 */
407 void (*add_additional_address)(ike_sa_t *this, host_t *host);
408
409 /**
410 * Create an iterator over all additional addresses of the peer.
411 *
412 * @return iterator over addresses
413 */
414 iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);
415
416 /**
417 * Check if mappings have changed on a NAT for our source address.
418 *
419 * @param hash received DESTINATION_IP hash
420 * @return TRUE if mappings have changed
421 */
422 bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
423
424 /**
425 * Enable an extension the peer supports.
426 *
427 * If support for an IKE extension is detected, this method is called
428 * to enable that extension and behave accordingly.
429 *
430 * @param extension extension to enable
431 */
432 void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
433
434 /**
435 * Check if the peer supports an extension.
436 *
437 * @param extension extension to check for support
438 * @return TRUE if peer supports it, FALSE otherwise
439 */
440 bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
441
442 /**
443 * Enable/disable a condition flag for this IKE_SA.
444 *
445 * @param condition condition to enable/disable
446 * @param enable TRUE to enable condition, FALSE to disable
447 */
448 void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
449
450 /**
451 * Check if a condition flag is set.
452 *
453 * @param condition condition to check
454 * @return TRUE if condition flag set, FALSE otherwise
455 */
456 bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
457
458 /**
459 * Get the number of queued MOBIKE address updates.
460 *
461 * @return number of pending updates
462 */
463 u_int32_t (*get_pending_updates)(ike_sa_t *this);
464
465 /**
466 * Set the number of queued MOBIKE address updates.
467 *
468 * @param updates number of pending updates
469 */
470 void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);
471
472 /**
473 * Check if we are the original initiator of this IKE_SA (rekeying does not
474 * change this flag).
475 */
476 bool (*is_ike_initiator)(ike_sa_t *this);
477
478
479 #ifdef ME
480 /**
481 * Activate mediation server functionality for this IKE_SA.
482 */
483 void (*act_as_mediation_server) (ike_sa_t *this);
484
485 /**
486 * Get the server reflexive host.
487 *
488 * @return server reflexive host
489 */
490 host_t* (*get_server_reflexive_host) (ike_sa_t *this);
491
492 /**
493 * Set the server reflexive host.
494 *
495 * @param host server reflexive host
496 */
497 void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
498
499 /**
500 * Get the connect ID.
501 *
502 * @return connect ID
503 */
504 chunk_t (*get_connect_id) (ike_sa_t *this);
505
506 /**
507 * Initiate the mediation of a mediated connection (i.e. initiate a
508 * ME_CONNECT exchange).
509 *
510 * @param mediated_cfg peer_cfg of the mediated connection
511 * @return
512 * - SUCCESS if initialization started
513 * - DESTROY_ME if initialization failed
514 */
515 status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
516
517 /**
518 * Initiate the mediated connection
519 *
520 * @param me local endpoint (gets cloned)
521 * @param other remote endpoint (gets cloned)
522 * @param connect_id connect ID (gets cloned)
523 * @return
524 * - SUCCESS if initialization started
525 * - DESTROY_ME if initialization failed
526 */
527 status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
528 chunk_t connect_id);
529
530 /**
531 * Relay data from one peer to another (i.e. initiate a
532 * ME_CONNECT exchange).
533 *
534 * Data is cloned.
535 *
536 * @param requester ID of the requesting peer
537 * @param connect_id data of the ME_CONNECTID payload
538 * @param connect_key data of the ME_CONNECTKEY payload
539 * @param endpoints endpoints
540 * @param response TRUE if this is a response
541 * @return
542 * - SUCCESS if relay started
543 * - DESTROY_ME if relay failed
544 */
545 status_t (*relay) (ike_sa_t *this, identification_t *requester, chunk_t connect_id,
546 chunk_t connect_key, linked_list_t *endpoints, bool response);
547
548 /**
549 * Send a callback to a peer.
550 *
551 * Data is cloned.
552 *
553 * @param peer_id ID of the other peer
554 * @return
555 * - SUCCESS if response started
556 * - DESTROY_ME if response failed
557 */
558 status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
559
560 /**
561 * Respond to a ME_CONNECT request.
562 *
563 * Data is cloned.
564 *
565 * @param peer_id ID of the other peer
566 * @param connect_id the connect ID supplied by the initiator
567 * @return
568 * - SUCCESS if response started
569 * - DESTROY_ME if response failed
570 */
571 status_t (*respond) (ike_sa_t *this, identification_t *peer_id, chunk_t connect_id);
572 #endif /* ME */
573
574 /**
575 * Initiate a new connection.
576 *
577 * The configs are owned by the IKE_SA after the call.
578 *
579 * @param child_cfg child config to create CHILD from
580 * @return
581 * - SUCCESS if initialization started
582 * - DESTROY_ME if initialization failed
583 */
584 status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg);
585
586 /**
587 * Route a policy in the kernel.
588 *
589 * Installs the policies in the kernel. If traffic matches,
590 * the kernel requests connection setup from the IKE_SA via acquire().
591 *
592 * @param child_cfg child config to route
593 * @return
594 * - SUCCESS if routed successfully
595 * - FAILED if routing failed
596 */
597 status_t (*route) (ike_sa_t *this, child_cfg_t *child_cfg);
598
599 /**
600 * Unroute a policy in the kernel previously routed.
601 *
602 * @param reqid reqid of CHILD_SA to unroute
603 * @return
604 * - SUCCESS if route removed
605 * - NOT_FOUND if CHILD_SA not found
606 * - DESTROY_ME if last CHILD_SA was unrouted
607 */
608 status_t (*unroute) (ike_sa_t *this, u_int32_t reqid);
609
610 /**
611 * Acquire connection setup for an installed kernel policy.
612 *
613 * If an installed policy raises an acquire, the kernel calls
614 * this function to establish the CHILD_SA (and maybe the IKE_SA).
615 *
616 * @param reqid reqid of the CHILD_SA the policy belongs to.
617 * @return
618 * - SUCCESS if initialization started
619 * - DESTROY_ME if initialization failed
620 */
621 status_t (*acquire) (ike_sa_t *this, u_int32_t reqid);
622
623 /**
624 * Initiates the deletion of an IKE_SA.
625 *
626 * Sends a delete message to the remote peer and waits for
627 * its response. If the response comes in, or a timeout occurs,
628 * the IKE SA gets deleted.
629 *
630 * @return
631 * - SUCCESS if deletion is initialized
632 * - INVALID_STATE, if the IKE_SA is not in
633 * an established state and can not be
634 * delete (but destroyed).
635 */
636 status_t (*delete) (ike_sa_t *this);
637
638 /**
639 * Update IKE_SAs after network interfaces have changed.
640 *
641 * Whenever the network interface configuration changes, the kernel
642 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
643 * the new network config requires changes, and handles appropriate.
644 * If MOBIKE is supported, addresses are updated; If not, the tunnel is
645 * restarted.
646 *
647 * @param address TRUE if address list changed, FALSE otherwise
648 * @return SUCCESS, FAILED, DESTROY_ME
649 */
650 status_t (*roam)(ike_sa_t *this, bool address);
651
652 /**
653 * Processes a incoming IKEv2-Message.
654 *
655 * Message processing may fail. If a critical failure occurs,
656 * process_message() return DESTROY_ME. Then the caller must
657 * destroy the IKE_SA immediatly, as it is unusable.
658 *
659 * @param message message to process
660 * @return
661 * - SUCCESS
662 * - FAILED
663 * - DESTROY_ME if this IKE_SA MUST be deleted
664 */
665 status_t (*process_message) (ike_sa_t *this, message_t *message);
666
667 /**
668 * Generate a IKE message to send it to the peer.
669 *
670 * This method generates all payloads in the message and encrypts/signs
671 * the packet.
672 *
673 * @param message message to generate
674 * @param packet generated output packet
675 * @return
676 * - SUCCESS
677 * - FAILED
678 * - DESTROY_ME if this IKE_SA MUST be deleted
679 */
680 status_t (*generate_message) (ike_sa_t *this, message_t *message,
681 packet_t **packet);
682
683 /**
684 * Retransmits a request.
685 *
686 * @param message_id ID of the request to retransmit
687 * @return
688 * - SUCCESS
689 * - NOT_FOUND if request doesn't have to be retransmited
690 */
691 status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);
692
693 /**
694 * Sends a DPD request to the peer.
695 *
696 * To check if a peer is still alive, periodic
697 * empty INFORMATIONAL messages are sent if no
698 * other traffic was received.
699 *
700 * @return
701 * - SUCCESS
702 * - DESTROY_ME, if peer did not respond
703 */
704 status_t (*send_dpd) (ike_sa_t *this);
705
706 /**
707 * Sends a keep alive packet.
708 *
709 * To refresh NAT tables in a NAT router
710 * between the peers, periodic empty
711 * UDP packets are sent if no other traffic
712 * was sent.
713 */
714 void (*send_keepalive) (ike_sa_t *this);
715
716 /**
717 * Get the keying material of this IKE_SA.
718 *
719 * @return per IKE_SA keymat instance
720 */
721 keymat_t* (*get_keymat)(ike_sa_t *this);
722
723 /**
724 * Associates a child SA to this IKE SA
725 *
726 * @param child_sa child_sa to add
727 */
728 void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
729
730 /**
731 * Get a CHILD_SA identified by protocol and SPI.
732 *
733 * @param protocol protocol of the SA
734 * @param spi SPI of the CHILD_SA
735 * @param inbound TRUE if SPI is inbound, FALSE if outbound
736 * @return child_sa, or NULL if none found
737 */
738 child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
739 u_int32_t spi, bool inbound);
740
741 /**
742 * Create an iterator over all CHILD_SAs.
743 *
744 * @return iterator
745 */
746 iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);
747
748 /**
749 * Rekey the CHILD SA with the specified reqid.
750 *
751 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
752 *
753 * @param protocol protocol of the SA
754 * @param spi inbound SPI of the CHILD_SA
755 * @return
756 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
757 * - SUCCESS, if rekeying initiated
758 */
759 status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
760
761 /**
762 * Close the CHILD SA with the specified protocol/SPI.
763 *
764 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
765 * notify's the remote peer about the delete. The associated
766 * states and policies in the kernel get deleted, if they exist.
767 *
768 * @param protocol protocol of the SA
769 * @param spi inbound SPI of the CHILD_SA
770 * @return
771 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
772 * - SUCCESS, if delete message sent
773 */
774 status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
775
776 /**
777 * Destroy a CHILD SA with the specified protocol/SPI.
778 *
779 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
780 *
781 * @param protocol protocol of the SA
782 * @param spi inbound SPI of the CHILD_SA
783 * @return
784 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
785 * - SUCCESS
786 */
787 status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
788
789 /**
790 * Rekey the IKE_SA.
791 *
792 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
793 *
794 * @return - SUCCESS, if IKE_SA rekeying initiated
795 */
796 status_t (*rekey) (ike_sa_t *this);
797
798 /**
799 * Reauthenticate the IKE_SA.
800 *
801 * Create a completely new IKE_SA with authentication, recreates all children
802 * within the IKE_SA, closes this IKE_SA.
803 *
804 * @return DESTROY_ME to destroy the IKE_SA
805 */
806 status_t (*reauth) (ike_sa_t *this);
807
808 /**
809 * Restablish the IKE_SA.
810 *
811 * Reestablish an IKE_SA after it has been closed.
812 *
813 * @return DESTROY_ME to destroy the IKE_SA
814 */
815 status_t (*reestablish) (ike_sa_t *this);
816
817 /**
818 * Set the lifetime limit received from a AUTH_LIFETIME notify.
819 *
820 * @param lifetime lifetime in seconds
821 */
822 void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);
823
824 /**
825 * Set the virtual IP to use for this IKE_SA and its children.
826 *
827 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
828 * lifetime as the IKE_SA.
829 *
830 * @param local TRUE to set local address, FALSE for remote
831 * @param ip IP to set as virtual IP
832 */
833 void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
834
835 /**
836 * Get the virtual IP configured.
837 *
838 * @param local TRUE to get local virtual IP, FALSE for remote
839 * @return host_t *virtual IP
840 */
841 host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
842
843 /**
844 * Add a DNS server to the system.
845 *
846 * An IRAS may send a DNS server. To use it, it is installed on the
847 * system. The DNS entry has a lifetime until the IKE_SA gets closed.
848 *
849 * @param dns DNS server to install on the system
850 */
851 void (*add_dns_server) (ike_sa_t *this, host_t *dns);
852
853 /**
854 * Inherit all attributes of other to this after rekeying.
855 *
856 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
857 * outstanding tasks are moved from other to this.
858 * As this call may initiate inherited tasks, a status is returned.
859 *
860 * @param other other task to inherit from
861 * @return DESTROY_ME if initiation of inherited task failed
862 */
863 status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);
864
865 /**
866 * Reset the IKE_SA, useable when initiating fails
867 */
868 void (*reset) (ike_sa_t *this);
869
870 /**
871 * Destroys a ike_sa_t object.
872 */
873 void (*destroy) (ike_sa_t *this);
874 };
875
876 /**
877 * Creates an ike_sa_t object with a specific ID.
878 *
879 * @param ike_sa_id ike_sa_id_t object to associate with new IKE_SA
880 * @return ike_sa_t object
881 */
882 ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);
883
884 #endif /* IKE_SA_H_ @} */
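Review bot: The contract of `get_keymat` (gutter line 721) does not say who owns the returned `keymat_t*` or how long it stays valid, and that matters more than for the other getters because it hands out the SA's live keying material. `get_id` (line 231) already sets the precedent with "Returned ike_sa_id_t object is not getting cloned!"; the same should be stated here, e.g. `@return per IKE_SA keymat instance, owned by the IKE_SA (not cloned), valid until destroy()`, together with a sentence that callers must neither destroy it nor keep the pointer past the IKE_SA's lifetime, since a retained reference to released key material is a use-after-free of secrets. I am inferring from the commit title that `get_keymat` and the `#include <sa/keymat.h>` (line 41) are this commit's additions; the page shows no change markers.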