1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup ike_sa ike_sa
21 * @{ @ingroup sa
22 */
23
24 #ifndef IKE_SA_H_
25 #define IKE_SA_H_
26
/* Forward typedefs for the types defined further down in this header.
 * They are declared before the #include block below, presumably so that the
 * included headers (child_sa.h, task.h, keymat.h, ...) can refer to ike_sa_t
 * while the struct itself is still incomplete — TODO confirm against those headers. */
typedef enum ike_extension_t ike_extension_t;
typedef enum ike_condition_t ike_condition_t;
typedef enum ike_sa_state_t ike_sa_state_t;
typedef enum statistic_t statistic_t;
typedef struct ike_sa_t ike_sa_t;
32
33 #include <library.h>
34 #include <encoding/message.h>
35 #include <encoding/payloads/proposal_substructure.h>
36 #include <encoding/payloads/configuration_attribute.h>
37 #include <sa/ike_sa_id.h>
38 #include <sa/child_sa.h>
39 #include <sa/tasks/task.h>
40 #include <sa/keymat.h>
41 #include <config/peer_cfg.h>
42 #include <config/ike_cfg.h>
43 #include <config/auth_cfg.h>
44
/**
 * Timeout in seconds after which a half open IKE_SA gets deleted.
 *
 * A half open IKE_SA is one that has not completed authentication; bounding
 * its lifetime limits the resources an unauthenticated peer can tie up.
 */
#define HALF_OPEN_IKE_SA_TIMEOUT 30

/**
 * Interval to send keepalives when NATed, in seconds.
 */
#define KEEPALIVE_INTERVAL 20

/**
 * After which time rekeying should be retried if it failed, in seconds.
 */
#define RETRY_INTERVAL 30

/**
 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
 *
 * Must stay smaller than RETRY_INTERVAL so the resulting retry delay never
 * becomes negative (20 < 30 here).
 */
#define RETRY_JITTER 20
64
/**
 * Extensions (or optional features) the peer supports.
 *
 * Each value is a single bit, so several extensions can be combined into one
 * flag set; see enable_extension()/supports_extension() in ike_sa_t.
 */
enum ike_extension_t {
	/** peer supports NAT traversal as specified in RFC4306 */
	EXT_NATT = (1 << 0),
	/** peer supports MOBIKE (RFC4555) */
	EXT_MOBIKE = (1 << 1),
	/** peer supports HTTP cert lookups as specified in RFC4306 */
	EXT_HASH_AND_URL = (1 << 2),
	/** peer supports multiple authentication exchanges, RFC4739 */
	EXT_MULTIPLE_AUTH = (1 << 3),
	/** peer uses strongSwan, accept private use extensions */
	EXT_STRONGSWAN = (1 << 4),
	/** peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth */
	EXT_EAP_ONLY_AUTHENTICATION = (1 << 5),
};
100
/**
 * Conditions of an IKE_SA, change during its lifetime.
 *
 * Each value is a single bit, so conditions can be kept in one flag set;
 * see set_condition()/has_condition() in ike_sa_t.
 */
enum ike_condition_t {
	/** Connection is natted (or faked) somewhere */
	COND_NAT_ANY = (1 << 0),
	/** we are behind NAT */
	COND_NAT_HERE = (1 << 1),
	/** other is behind NAT */
	COND_NAT_THERE = (1 << 2),
	/** Faking NAT to enforce UDP encapsulation */
	COND_NAT_FAKE = (1 << 3),
	/** peer has been authenticated using EAP at least once */
	COND_EAP_AUTHENTICATED = (1 << 4),
	/** received a certificate request from the peer */
	COND_CERTREQ_SEEN = (1 << 5),
	/** Local peer is the "original" IKE initiator. Unaffected from rekeying. */
	COND_ORIGINAL_INITIATOR = (1 << 6),
	/** IKE_SA is stale, the peer is currently unreachable (MOBIKE) */
	COND_STALE = (1 << 7),
};
146
/**
 * Timing information and statistics to query from an SA.
 *
 * Used as the "kind" argument of ike_sa_t.get_statistic(); STAT_MAX is the
 * number of kinds and not a valid kind itself.
 */
enum statistic_t {
	/** Timestamp of SA establishment */
	STAT_ESTABLISHED = 0,
	/** Timestamp of scheduled rekeying */
	STAT_REKEY = 1,
	/** Timestamp of scheduled reauthentication */
	STAT_REAUTH = 2,
	/** Timestamp of scheduled delete */
	STAT_DELETE = 3,
	/** Timestamp of last inbound IKE packet */
	STAT_INBOUND = 4,
	/** Timestamp of last outbound IKE packet */
	STAT_OUTBOUND = 5,
	/** Number of statistic kinds, upper bound for array sizing */
	STAT_MAX = 6
};
166
/**
 * State of an IKE_SA.
 *
 * An IKE_SA passes various states in its lifetime. A newly created
 * SA is in the state IKE_CREATED. IKE_PASSIVE and IKE_DESTROYING are not
 * part of the regular transition diagram below.
 * @verbatim
                 +----------------+
                 ¦  IKE_CREATED   ¦
                 +----------------+
                         ¦
    on initiate()--->    ¦   <----- on IKE_SA_INIT received
                         V
                 +----------------+
                 ¦ IKE_CONNECTING ¦
                 +----------------+
                         ¦
                         ¦   <----- on IKE_AUTH successfully completed
                         V
                 +----------------+
                 ¦IKE_ESTABLISHED ¦-------------------------+ <-- on rekeying
                 +----------------+                         ¦
                         ¦                                  V
    on delete()--->      ¦   <----- on IKE_SA        +--------------+
                         ¦          delete request   ¦ IKE_REKEYING ¦
                         ¦          received         +--------------+
                         V                                  ¦
                 +----------------+                         ¦
                 ¦  IKE_DELETING  ¦<------------------------+ <-- after rekeying
                 +----------------+
                         ¦
                         ¦   <----- after delete() acknowledged
                         ¦
                        \V/
                         X
                        / \
   @endverbatim
 */
enum ike_sa_state_t {
	/** IKE_SA just got created, but is not initiating nor responding yet. */
	IKE_CREATED = 0,
	/** IKE_SA gets initiated actively or passively */
	IKE_CONNECTING = 1,
	/** IKE_SA is fully established */
	IKE_ESTABLISHED = 2,
	/** IKE_SA is managed externally and does not process messages */
	IKE_PASSIVE = 3,
	/** IKE_SA rekeying in progress */
	IKE_REKEYING = 4,
	/** IKE_SA is in progress of deletion */
	IKE_DELETING = 5,
	/** IKE_SA object gets destroyed */
	IKE_DESTROYING = 6,
};
241
/**
 * enum names for ike_sa_state_t.
 *
 * Defined in the corresponding .c file; used to print states in log output.
 */
extern enum_name_t *ike_sa_state_names;
246
/**
 * Class ike_sa_t representing an IKE_SA.
 *
 * An IKE_SA contains crypto information related to a connection
 * with a peer. It contains multiple IPsec CHILD_SA, for which
 * it is responsible. All traffic is handled by an IKE_SA, using
 * the task manager and its tasks.
 *
 * Several methods return status_t; DESTROY_ME consistently means the
 * IKE_SA is no longer usable and the caller must destroy it (see the
 * individual method descriptions).
 */
struct ike_sa_t {

	/**
	 * Get the id of the SA.
	 *
	 * Returned ike_sa_id_t object is not getting cloned, i.e. it remains
	 * owned by the IKE_SA and must not be destroyed by the caller.
	 *
	 * @return				ike_sa's ike_sa_id_t
	 */
	ike_sa_id_t* (*get_id) (ike_sa_t *this);

	/**
	 * Get the numerical ID uniquely defining this IKE_SA.
	 *
	 * @return				unique ID
	 */
	u_int32_t (*get_unique_id) (ike_sa_t *this);

	/**
	 * Get the state of the IKE_SA.
	 *
	 * @return				state of the IKE_SA
	 */
	ike_sa_state_t (*get_state) (ike_sa_t *this);

	/**
	 * Set the state of the IKE_SA.
	 *
	 * @param ike_sa		state to set for the IKE_SA (see ike_sa_state_t)
	 */
	void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);

	/**
	 * Get the name of the connection this IKE_SA uses.
	 *
	 * NOTE(review): ownership of the returned string is not stated here;
	 * presumably it stays with the IKE_SA/config — confirm before freeing.
	 *
	 * @return				name
	 */
	char* (*get_name) (ike_sa_t *this);

	/**
	 * Get statistic values from the IKE_SA.
	 *
	 * @param kind			kind of requested value, see statistic_t
	 * @return				value as integer (timestamps for the STAT_* kinds)
	 */
	u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);

	/**
	 * Get the own host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_my_host) (ike_sa_t *this);

	/**
	 * Set the own host address.
	 *
	 * @param me			host address
	 */
	void (*set_my_host) (ike_sa_t *this, host_t *me);

	/**
	 * Get the other peers host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_other_host) (ike_sa_t *this);

	/**
	 * Set the others host address.
	 *
	 * @param other			host address
	 */
	void (*set_other_host) (ike_sa_t *this, host_t *other);

	/**
	 * Update the IKE_SAs hosts.
	 *
	 * Hosts may be NULL to keep the current host.
	 *
	 * @param me			new local host address, or NULL
	 * @param other			new remote host address, or NULL
	 */
	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);

	/**
	 * Get the own identification.
	 *
	 * @return				identification
	 */
	identification_t* (*get_my_id) (ike_sa_t *this);

	/**
	 * Set the own identification.
	 *
	 * @param me			identification
	 */
	void (*set_my_id) (ike_sa_t *this, identification_t *me);

	/**
	 * Get the other peer's identification.
	 *
	 * @return				identification
	 */
	identification_t* (*get_other_id) (ike_sa_t *this);

	/**
	 * Set the other peer's identification.
	 *
	 * @param other			identification
	 */
	void (*set_other_id) (ike_sa_t *this, identification_t *other);

	/**
	 * Get the config used to setup this IKE_SA.
	 *
	 * @return				ike_config
	 */
	ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);

	/**
	 * Set the config to setup this IKE_SA.
	 *
	 * @param config		ike_config to use
	 */
	void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);

	/**
	 * Get the peer config used by this IKE_SA.
	 *
	 * @return				peer_config
	 */
	peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);

	/**
	 * Set the peer config to use with this IKE_SA.
	 *
	 * @param config		peer_config to use
	 */
	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);

	/**
	 * Get the authentication config with rules of the current auth round.
	 *
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 * @return				current cfg
	 */
	auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);

	/**
	 * Insert a completed authentication round.
	 *
	 * @param local			TRUE for own rules, FALSE for others constraints
	 * @param cfg			auth config to append
	 */
	void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);

	/**
	 * Create an enumerator over added authentication rounds.
	 *
	 * @param local			TRUE for own rules, FALSE for others constraints
	 * @return				enumerator over auth_cfg_t
	 */
	enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);

	/**
	 * Get the selected proposal of this IKE_SA.
	 *
	 * @return				selected proposal
	 */
	proposal_t* (*get_proposal)(ike_sa_t *this);

	/**
	 * Set the proposal selected for this IKE_SA.
	 *
	 * @param proposal		selected proposal
	 */
	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);

	/**
	 * Set the message id of the IKE_SA.
	 *
	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
	 * and one to respond to exchanges (expect).
	 *
	 * NOTE(review): the expected/sent IDs decide which requests and responses
	 * the IKE_SA accepts; presumably only rekeying/inherit paths set them
	 * directly — verify callers before adding new ones.
	 *
	 * @param initiate		TRUE to set message ID for initiating
	 * @param mid			message id to set
	 */
	void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);

	/**
	 * Add an additional address for the peer.
	 *
	 * In MOBIKE, a peer may transmit additional addresses where it is
	 * reachable. These are stored in the IKE_SA.
	 * The own list of addresses is not stored, they are queried from
	 * the kernel when required.
	 *
	 * @param host			host to add to list
	 */
	void (*add_additional_address)(ike_sa_t *this, host_t *host);

	/**
	 * Create an iterator over all additional addresses of the peer.
	 *
	 * @return				iterator over addresses
	 */
	iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);

	/**
	 * Check if mappings have changed on a NAT for our source address.
	 *
	 * The hash is the one received from the peer in its NAT detection
	 * payload; it is compared against the locally computed value.
	 *
	 * @param hash			received DESTINATION_IP hash
	 * @return				TRUE if mappings have changed
	 */
	bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);

	/**
	 * Enable an extension the peer supports.
	 *
	 * If support for an IKE extension is detected, this method is called
	 * to enable that extension and behave accordingly. Extensions should
	 * only be enabled once the peer has actually signalled support, since
	 * some (e.g. EXT_STRONGSWAN) relax what is accepted from the peer.
	 *
	 * @param extension		extension to enable
	 */
	void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Check if the peer supports an extension.
	 *
	 * @param extension		extension to check for support
	 * @return				TRUE if peer supports it, FALSE otherwise
	 */
	bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Enable/disable a condition flag for this IKE_SA.
	 *
	 * @param condition		condition to enable/disable
	 * @param enable		TRUE to enable condition, FALSE to disable
	 */
	void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);

	/**
	 * Check if a condition flag is set.
	 *
	 * @param condition		condition to check
	 * @return				TRUE if condition flag set, FALSE otherwise
	 */
	bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);

	/**
	 * Get the number of queued MOBIKE address updates.
	 *
	 * @return				number of pending updates
	 */
	u_int32_t (*get_pending_updates)(ike_sa_t *this);

	/**
	 * Set the number of queued MOBIKE address updates.
	 *
	 * @param updates		number of pending updates
	 */
	void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);

#ifdef ME
	/* Mediation extension (ME) support, only compiled when ME is defined. */

	/**
	 * Activate mediation server functionality for this IKE_SA.
	 */
	void (*act_as_mediation_server) (ike_sa_t *this);

	/**
	 * Get the server reflexive host.
	 *
	 * @return				server reflexive host
	 */
	host_t* (*get_server_reflexive_host) (ike_sa_t *this);

	/**
	 * Set the server reflexive host.
	 *
	 * @param host			server reflexive host
	 */
	void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);

	/**
	 * Get the connect ID.
	 *
	 * @return				connect ID
	 */
	chunk_t (*get_connect_id) (ike_sa_t *this);

	/**
	 * Initiate the mediation of a mediated connection (i.e. initiate a
	 * ME_CONNECT exchange to a mediation server).
	 *
	 * @param mediated_cfg	peer_cfg of the mediated connection
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);

	/**
	 * Initiate the mediated connection.
	 *
	 * @param me			local endpoint (gets cloned)
	 * @param other			remote endpoint (gets cloned)
	 * @param connect_id	connect ID (gets cloned)
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
								   chunk_t connect_id);

	/**
	 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
	 * to a peer).
	 *
	 * Data is cloned, so the caller keeps ownership of its arguments.
	 *
	 * @param requester		ID of the requesting peer
	 * @param connect_id	data of the ME_CONNECTID payload
	 * @param connect_key	data of the ME_CONNECTKEY payload
	 * @param endpoints		endpoints
	 * @param response		TRUE if this is a response
	 * @return
	 *						- SUCCESS if relay started
	 *						- DESTROY_ME if relay failed
	 */
	status_t (*relay) (ike_sa_t *this, identification_t *requester,
					   chunk_t connect_id, chunk_t connect_key,
					   linked_list_t *endpoints, bool response);

	/**
	 * Send a callback to a peer.
	 *
	 * Data is cloned.
	 *
	 * @param peer_id		ID of the other peer
	 * @return
	 *						- SUCCESS if response started
	 *						- DESTROY_ME if response failed
	 */
	status_t (*callback) (ike_sa_t *this, identification_t *peer_id);

	/**
	 * Respond to a ME_CONNECT request.
	 *
	 * Data is cloned.
	 *
	 * @param peer_id		ID of the other peer
	 * @param connect_id	the connect ID supplied by the initiator
	 * @return
	 *						- SUCCESS if response started
	 *						- DESTROY_ME if response failed
	 */
	status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
						 chunk_t connect_id);
#endif /* ME */

	/**
	 * Initiate a new connection.
	 *
	 * The configs are owned by the IKE_SA after the call. If the initiate
	 * is triggered by a packet, traffic selectors of the packet can be added
	 * to the CHILD_SA.
	 *
	 * @param child_cfg		child config to create CHILD from
	 * @param reqid			reqid to use for CHILD_SA, 0 to assign one uniquely
	 * @param tsi			source of triggering packet
	 * @param tsr			destination of triggering packet.
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
						  u_int32_t reqid, traffic_selector_t *tsi,
						  traffic_selector_t *tsr);

	/**
	 * Initiates the deletion of an IKE_SA.
	 *
	 * Sends a delete message to the remote peer and waits for
	 * its response. If the response comes in, or a timeout occurs,
	 * the IKE SA gets deleted.
	 *
	 * @return
	 *						- SUCCESS if deletion is initialized
	 *						- DESTROY_ME, if the IKE_SA is not in
	 *						  an established state and can not be
	 *						  deleted (but destroyed).
	 */
	status_t (*delete) (ike_sa_t *this);

	/**
	 * Update IKE_SAs after network interfaces have changed.
	 *
	 * Whenever the network interface configuration changes, the kernel
	 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
	 * the new network config requires changes, and handles them appropriately.
	 * If MOBIKE is supported, addresses are updated; if not, the tunnel is
	 * restarted.
	 *
	 * @param address		TRUE if address list changed, FALSE otherwise
	 * @return				SUCCESS, FAILED, DESTROY_ME
	 */
	status_t (*roam)(ike_sa_t *this, bool address);

	/**
	 * Processes an incoming IKEv2-Message.
	 *
	 * Message processing may fail. If a critical failure occurs,
	 * process_message() returns DESTROY_ME. Then the caller must
	 * destroy the IKE_SA immediately, as it is unusable. FAILED presumably
	 * leaves the IKE_SA usable (the message was rejected) — confirm in the
	 * implementation before relying on it.
	 *
	 * @param message		message to process
	 * @return
	 *						- SUCCESS
	 *						- FAILED
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*process_message) (ike_sa_t *this, message_t *message);

	/**
	 * Generate an IKE message to send it to the peer.
	 *
	 * This method generates all payloads in the message and encrypts/signs
	 * the packet.
	 *
	 * @param message		message to generate
	 * @param packet		generated output packet
	 * @return
	 *						- SUCCESS
	 *						- FAILED
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*generate_message) (ike_sa_t *this, message_t *message,
								  packet_t **packet);

	/**
	 * Retransmits a request.
	 *
	 * @param message_id	ID of the request to retransmit
	 * @return
	 *						- SUCCESS
	 *						- NOT_FOUND if request doesn't have to be retransmitted
	 */
	status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);

	/**
	 * Sends a DPD request to the peer.
	 *
	 * To check if a peer is still alive, periodic
	 * empty INFORMATIONAL messages are sent if no
	 * other traffic was received.
	 *
	 * @return
	 *						- SUCCESS
	 *						- DESTROY_ME, if peer did not respond
	 */
	status_t (*send_dpd) (ike_sa_t *this);

	/**
	 * Sends a keep alive packet.
	 *
	 * To refresh NAT tables in a NAT router
	 * between the peers, periodic empty
	 * UDP packets are sent if no other traffic
	 * was sent. See KEEPALIVE_INTERVAL.
	 */
	void (*send_keepalive) (ike_sa_t *this);

	/**
	 * Get the keying material of this IKE_SA.
	 *
	 * @return				per IKE_SA keymat instance
	 */
	keymat_t* (*get_keymat)(ike_sa_t *this);

	/**
	 * Associates a child SA to this IKE SA.
	 *
	 * @param child_sa		child_sa to add
	 */
	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);

	/**
	 * Get a CHILD_SA identified by protocol and SPI.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			SPI of the CHILD_SA
	 * @param inbound		TRUE if SPI is inbound, FALSE if outbound
	 * @return				child_sa, or NULL if none found
	 */
	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
								 u_int32_t spi, bool inbound);

	/**
	 * Create an iterator over all CHILD_SAs.
	 *
	 * @return				iterator
	 */
	iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);

	/**
	 * Rekey the CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, and starts the rekeying.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS, if rekeying initiated
	 */
	status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Close the CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
	 * notifies the remote peer about the delete. The associated
	 * states and policies in the kernel get deleted, if they exist.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS, if delete message sent
	 */
	status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Destroy a CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA and destroys it, without
	 * notifying the peer (contrast delete_child_sa()).
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS
	 */
	status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Rekey the IKE_SA.
	 *
	 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
	 *
	 * @return				- SUCCESS, if IKE_SA rekeying initiated
	 */
	status_t (*rekey) (ike_sa_t *this);

	/**
	 * Reauthenticate the IKE_SA.
	 *
	 * Create a completely new IKE_SA with authentication, recreates all children
	 * within the IKE_SA, closes this IKE_SA.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reauth) (ike_sa_t *this);

	/**
	 * Reestablish the IKE_SA.
	 *
	 * Reestablish an IKE_SA after it has been closed.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reestablish) (ike_sa_t *this);

	/**
	 * Set the lifetime limit received from a AUTH_LIFETIME notify.
	 *
	 * NOTE(review): the value originates from a notify sent by the peer and
	 * should be treated as peer-controlled input; how the implementation
	 * bounds or sanity-checks it is not visible here — confirm.
	 *
	 * @param lifetime		lifetime in seconds
	 */
	void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);

	/**
	 * Set the virtual IP to use for this IKE_SA and its children.
	 *
	 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
	 * lifetime as the IKE_SA.
	 *
	 * @param local			TRUE to set local address, FALSE for remote
	 * @param ip			IP to set as virtual IP
	 */
	void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);

	/**
	 * Get the virtual IP configured.
	 *
	 * @param local			TRUE to get local virtual IP, FALSE for remote
	 * @return				host_t *virtual IP
	 */
	host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);

	/**
	 * Register a configuration attribute to the IKE_SA.
	 *
	 * If an IRAS sends a configuration attribute it is installed and
	 * registered at the IKE_SA. Attributes are inherit()ed and get released
	 * when the IKE_SA is closed. The attribute data comes from the remote
	 * side and is assumed to have been validated by the handler.
	 *
	 * @param handler		handler that installed the attribute, used for release()
	 * @param type			configuration attribute type
	 * @param data			associated attribute data
	 */
	void (*add_configuration_attribute)(ike_sa_t *this,
							attribute_handler_t *handler,
							configuration_attribute_type_t type, chunk_t data);

	/**
	 * Set local and remote host addresses to be used for IKE.
	 *
	 * These addresses are communicated via the KMADDRESS field of a MIGRATE
	 * message sent via the NETLINK or PF_KEY kernel socket interface.
	 *
	 * @param local			local kmaddress
	 * @param remote		remote kmaddress
	 */
	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);

	/**
	 * Inherit all attributes of other to this after rekeying.
	 *
	 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
	 * outstanding tasks are moved from other to this.
	 * As this call may initiate inherited tasks, a status is returned.
	 *
	 * @param other			other IKE_SA to inherit from
	 * @return				DESTROY_ME if initiation of inherited task failed
	 */
	status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);

	/**
	 * Reset the IKE_SA, usable when initiating fails.
	 */
	void (*reset) (ike_sa_t *this);

	/**
	 * Destroys a ike_sa_t object.
	 */
	void (*destroy) (ike_sa_t *this);
};
904
/**
 * Creates an ike_sa_t object with a specific ID.
 *
 * The returned object is owned by the caller and released with destroy().
 * NOTE(review): whether the IKE_SA takes over ike_sa_id or clones it is not
 * stated in this header — confirm in the implementation.
 *
 * @param ike_sa_id		ike_sa_id_t object to associate with new IKE_SA
 * @return				ike_sa_t object
 */
ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);
912
913 #endif /** IKE_SA_H_ @}*/