1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup ike_sa ike_sa
21 * @{ @ingroup sa
22 */
23
24 #ifndef IKE_SA_H_
25 #define IKE_SA_H_
26
/*
 * Forward typedefs for the types declared in this header.
 *
 * They are placed before the #includes below on purpose: headers such as
 * sa/child_sa.h and sa/tasks/task.h are pulled in here and presumably refer
 * back to ike_sa_t, so the names must already exist regardless of include
 * order (TODO confirm that is the reason; it is not visible from this file).
 */
typedef enum ike_extension_t ike_extension_t;
typedef enum ike_condition_t ike_condition_t;
typedef enum ike_sa_state_t ike_sa_state_t;
typedef enum statistic_t statistic_t;
typedef struct ike_sa_t ike_sa_t;
32
33 #include <library.h>
34 #include <encoding/message.h>
35 #include <encoding/payloads/proposal_substructure.h>
36 #include <encoding/payloads/configuration_attribute.h>
37 #include <sa/ike_sa_id.h>
38 #include <sa/child_sa.h>
39 #include <sa/tasks/task.h>
40 #include <sa/keymat.h>
41 #include <config/peer_cfg.h>
42 #include <config/ike_cfg.h>
43 #include <config/auth_cfg.h>
44
/**
 * Timeout in seconds after which a half open IKE_SA gets deleted.
 *
 * A half open IKE_SA has not completed IKE_AUTH yet (state IKE_CONNECTING,
 * see ike_sa_state_t), i.e. the peer is still unauthenticated and its source
 * address may be spoofed. Bounding the lifetime of such SAs limits the
 * resources an unauthenticated initiator can pin in the daemon; raising this
 * value widens that window.
 */
#define HALF_OPEN_IKE_SA_TIMEOUT 30

/**
 * Interval to send keepalives when NATed, in seconds.
 *
 * Keepalives only refresh NAT mappings (see ike_sa_t.send_keepalive()); they
 * are not a liveness check, that is what send_dpd() is for.
 */
#define KEEPALIVE_INTERVAL 20

/**
 * After which time rekeying should be retried if it failed, in seconds.
 */
#define RETRY_INTERVAL 30

/**
 * Jitter to subtract from RETRY_INTERVAL to randomize the rekey retry.
 *
 * Must stay strictly below RETRY_INTERVAL so the effective delay remains
 * positive (currently 30 minus up to 20 seconds).
 */
#define RETRY_JITTER 20
64
/**
 * Optional IKEv2 features the peer has announced support for.
 *
 * The constants are single-bit flags so that several extensions can be
 * kept in one mask; see ike_sa_t.enable_extension() and
 * ike_sa_t.supports_extension().
 */
enum ike_extension_t {

	/** peer supports NAT traversal as specified in RFC4306 */
	EXT_NATT = 0x01,

	/** peer supports MOBIKE (RFC4555) */
	EXT_MOBIKE = 0x02,

	/**
	 * peer supports "Hash and URL" certificate encoding (RFC4306), i.e.
	 * certificates are fetched over HTTP from a peer-supplied URL.
	 * NOTE(review): the fetched data must be checked against the hash from
	 * the CERT payload before it is trusted; that check lives in the
	 * fetching code, not here.
	 */
	EXT_HASH_AND_URL = 0x04,

	/** peer supports multiple authentication exchanges, RFC4739 */
	EXT_MULTIPLE_AUTH = 0x08,
};
90
/**
 * Condition flags of an IKE_SA. Unlike ike_extension_t these may change
 * during the lifetime of the SA; see ike_sa_t.set_condition() and
 * ike_sa_t.has_condition().
 */
enum ike_condition_t {

	/** connection is NATed (or NAT is faked, see COND_NAT_FAKE) somewhere */
	COND_NAT_ANY = 0x01,

	/** we are behind a NAT */
	COND_NAT_HERE = 0x02,

	/** the other peer is behind a NAT */
	COND_NAT_THERE = 0x04,

	/** NAT is faked to enforce UDP encapsulation of ESP */
	COND_NAT_FAKE = 0x08,

	/** peer has been authenticated using EAP at least once */
	COND_EAP_AUTHENTICATED = 0x10,

	/** a certificate request has been received from the peer */
	COND_CERTREQ_SEEN = 0x20,

	/**
	 * Local peer is the "original" IKE initiator. Rekeying does not change
	 * this flag, only the initiator role of the current exchange.
	 */
	COND_ORIGINAL_INITIATOR = 0x40,

	/** IKE_SA is stale, the peer is currently unreachable (MOBIKE) */
	COND_STALE = 0x80,
};
136
/**
 * Timing information and statistics to query from an SA.
 *
 * All kinds currently defined are timestamps, returned by
 * ike_sa_t.get_statistic(). STAT_MAX is the number of kinds, not a kind.
 */
enum statistic_t {
	/** Timestamp of SA establishment */
	STAT_ESTABLISHED = 0,
	/** Timestamp of scheduled rekeying */
	STAT_REKEY = 1,
	/** Timestamp of scheduled reauthentication */
	STAT_REAUTH = 2,
	/** Timestamp of scheduled delete */
	STAT_DELETE = 3,
	/** Timestamp of last inbound IKE packet */
	STAT_INBOUND = 4,
	/** Timestamp of last outbound IKE packet */
	STAT_OUTBOUND = 5,
	/** number of statistic kinds, keep last */
	STAT_MAX
};
156
/**
 * State of an IKE_SA.
 *
 * An IKE_SA passes through several states during its lifetime. A newly
 * created SA starts in IKE_CREATED. Until IKE_AUTH has completed the peer
 * is not authenticated; see HALF_OPEN_IKE_SA_TIMEOUT.
 * @verbatim
                 +----------------+
                 |  IKE_CREATED   |
                 +----------------+
                         |
    on initiate()--->    |   <----- on IKE_SA_INIT received
                         V
                 +----------------+
                 | IKE_CONNECTING |
                 +----------------+
                         |
                         |   <----- on IKE_AUTH successfully completed
                         V
                 +----------------+
                 |IKE_ESTABLISHED |------------------------+ <-- on rekeying
                 +----------------+                        |
                         |                                 V
    on delete()--->      |   <----- on IKE_SA       +--------------+
                         |          delete request  | IKE_REKEYING |
                         |          received        +--------------+
                         V                                 |
                 +----------------+                        |
                 |  IKE_DELETING  |<-----------------------+ <-- after rekeying
                 +----------------+
                         |
                         |   <----- after delete() acknowledged
                         |
                        \V/
                         X
                        / \
   @endverbatim
 * IKE_PASSIVE (externally managed SA) and IKE_DESTROYING (object teardown)
 * are not part of the exchange-driven flow above.
 */
enum ike_sa_state_t {

	/** IKE_SA just got created, but is not initiating nor responding yet */
	IKE_CREATED = 0,

	/** IKE_SA gets initiated actively or passively */
	IKE_CONNECTING = 1,

	/** IKE_SA is fully established (IKE_AUTH completed) */
	IKE_ESTABLISHED = 2,

	/** IKE_SA is managed externally and does not process messages */
	IKE_PASSIVE = 3,

	/** IKE_SA rekeying in progress */
	IKE_REKEYING = 4,

	/** IKE_SA is in progress of deletion */
	IKE_DELETING = 5,

	/** IKE_SA object gets destroyed */
	IKE_DESTROYING = 6,
};
231
/**
 * enum names for ike_sa_state_t, for log and status output.
 *
 * The definition is not in this header (presumably ike_sa.c); the table is
 * indexed by ike_sa_state_t.
 */
extern enum_name_t *ike_sa_state_names;
236
/**
 * Class ike_sa_t representing an IKE_SA.
 *
 * An IKE_SA holds the cryptographic state negotiated with one peer (see
 * get_keymat()) and owns the CHILD_SAs established under it. All IKE traffic
 * for that peer is handled by the IKE_SA, using the task manager and its
 * tasks.
 *
 * Notes for callers:
 *  - get_id() is documented to return an object that is NOT cloned; assume
 *    the same for the other get_*() accessors unless ike_sa.c says otherwise:
 *    do not free the result and do not use it after destroy().
 *  - Several setters store values that arrive from the peer (other host/id,
 *    additional MOBIKE addresses, AUTH_LIFETIME, configuration attributes,
 *    the remote virtual IP). No validation is visible at this interface; the
 *    code that parsed the payload is responsible for it.
 */
struct ike_sa_t {

	/**
	 * Get the id of the SA.
	 *
	 * The returned ike_sa_id_t is NOT cloned: it belongs to the IKE_SA and
	 * becomes invalid once the IKE_SA is destroyed. Do not free it.
	 *
	 * @return				ike_sa's ike_sa_id_t
	 */
	ike_sa_id_t* (*get_id) (ike_sa_t *this);

	/**
	 * Get the numerical ID uniquely defining this IKE_SA.
	 *
	 * This is distinct from the SPI pair carried in ike_sa_id_t.
	 *
	 * @return				unique ID
	 */
	u_int32_t (*get_unique_id) (ike_sa_t *this);

	/**
	 * Get the state of the IKE_SA.
	 *
	 * @return				state of the IKE_SA
	 */
	ike_sa_state_t (*get_state) (ike_sa_t *this);

	/**
	 * Set the state of the IKE_SA.
	 *
	 * The parameter is (confusingly) named ike_sa but carries the new state.
	 *
	 * @param ike_sa		state to set for the IKE_SA
	 */
	void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);

	/**
	 * Get the name of the connection this IKE_SA uses.
	 *
	 * Ownership of the returned string is not documented here; presumably it
	 * is owned by the IKE_SA or its config and must not be freed - confirm.
	 *
	 * @return				name
	 */
	char* (*get_name) (ike_sa_t *this);

	/**
	 * Get statistic values from the IKE_SA.
	 *
	 * All kinds currently defined in statistic_t are timestamps.
	 *
	 * @param kind			kind of requested value
	 * @return				value as unsigned integer
	 */
	u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);

	/**
	 * Get the own host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_my_host) (ike_sa_t *this);

	/**
	 * Set the own host address.
	 *
	 * @param me			host address
	 */
	void (*set_my_host) (ike_sa_t *this, host_t *me);

	/**
	 * Get the other peer's host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_other_host) (ike_sa_t *this);

	/**
	 * Set the other peer's host address.
	 *
	 * @param other			host address
	 */
	void (*set_other_host) (ike_sa_t *this, host_t *other);

	/**
	 * Update the IKE_SA's hosts.
	 *
	 * Either host may be NULL to keep the current one. Changing the remote
	 * address changes where IKE and ESP traffic for this SA is sent, so
	 * callers should only pass addresses learned through a validated
	 * exchange (e.g. MOBIKE) - the check is not done here.
	 *
	 * @param me			new local host address, or NULL
	 * @param other			new remote host address, or NULL
	 */
	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);

	/**
	 * Get the own identification.
	 *
	 * @return				identification
	 */
	identification_t* (*get_my_id) (ike_sa_t *this);

	/**
	 * Set the own identification.
	 *
	 * @param me			identification
	 */
	void (*set_my_id) (ike_sa_t *this, identification_t *me);

	/**
	 * Get the other peer's identification.
	 *
	 * Before IKE_AUTH has completed this is merely the identity the peer
	 * claimed, not an authenticated one.
	 *
	 * @return				identification
	 */
	identification_t* (*get_other_id) (ike_sa_t *this);

	/**
	 * Set the other peer's identification.
	 *
	 * @param other			identification
	 */
	void (*set_other_id) (ike_sa_t *this, identification_t *other);

	/**
	 * Get the config used to setup this IKE_SA.
	 *
	 * @return				ike_config
	 */
	ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);

	/**
	 * Set the config to setup this IKE_SA.
	 *
	 * @param config		ike_config to use
	 */
	void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);

	/**
	 * Get the peer config used by this IKE_SA.
	 *
	 * @return				peer_config
	 */
	peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);

	/**
	 * Set the peer config to use with this IKE_SA.
	 *
	 * @param config		peer_config to use
	 */
	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);

	/**
	 * Get the authentication config with rules of the current auth round.
	 *
	 * With multiple authentication (EXT_MULTIPLE_AUTH) there is one round
	 * per authentication exchange; the "current" one is whichever round is
	 * in progress.
	 *
	 * @param local			TRUE for local rules (how we authenticate),
	 *						FALSE for remote constraints (what the peer
	 *						must satisfy)
	 * @return				current cfg
	 */
	auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);

	/**
	 * Get the selected proposal of this IKE_SA.
	 *
	 * @return				selected proposal
	 */
	proposal_t* (*get_proposal)(ike_sa_t *this);

	/**
	 * Set the proposal selected for this IKE_SA.
	 *
	 * @param proposal		selected proposal
	 */
	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);

	/**
	 * Set the message id of the IKE_SA.
	 *
	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
	 * and one to respond to exchanges (expect).
	 *
	 * NOTE(review): IKEv2 message IDs pair requests with responses and reject
	 * replayed messages (RFC4306, section 2.2). Overwriting them with an
	 * arbitrary value effectively re-opens the replay window, so callers
	 * should be limited to code that restores a known counter (rekeying /
	 * inherit(), externally managed IKE_PASSIVE SAs).
	 *
	 * @param initiate		TRUE to set message ID for initiating
	 * @param mid			message id to set
	 */
	void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);

	/**
	 * Add an additional address for the peer.
	 *
	 * In MOBIKE, a peer may transmit additional addresses where it is
	 * reachable. These are stored in the IKE_SA.
	 * The own list of addresses is not stored, they are queried from
	 * the kernel when required.
	 *
	 * NOTE(review): these addresses are peer-supplied. RFC4555 (section 3.5)
	 * expects a return routability check before traffic is redirected to
	 * one of them; that check is not part of this call.
	 *
	 * @param host			host to add to list
	 */
	void (*add_additional_address)(ike_sa_t *this, host_t *host);

	/**
	 * Create an iterator over all additional addresses of the peer.
	 *
	 * @return				iterator over addresses
	 */
	iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);

	/**
	 * Check if mappings have changed on a NAT for our source address.
	 *
	 * @param hash			received DESTINATION_IP hash (from the peer's
	 *						NAT detection notify)
	 * @return				TRUE if mappings have changed
	 */
	bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);

	/**
	 * Enable an extension the peer supports.
	 *
	 * If support for an IKE extension is detected, this method is called
	 * to enable that extension and behave accordingly. Support is
	 * announced by the peer, so enabling an extension should only be done
	 * after the corresponding notify has been received.
	 *
	 * @param extension		extension to enable
	 */
	void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Check if the peer supports an extension.
	 *
	 * @param extension		extension to check for support
	 * @return				TRUE if peer supports it, FALSE otherwise
	 */
	bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Enable/disable a condition flag for this IKE_SA.
	 *
	 * @param condition		condition to enable/disable
	 * @param enable		TRUE to enable condition, FALSE to disable
	 */
	void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);

	/**
	 * Check if a condition flag is set.
	 *
	 * @param condition		condition to check
	 * @return				TRUE if condition flag set, FALSE otherwise
	 */
	bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);

	/**
	 * Get the number of queued MOBIKE address updates.
	 *
	 * @return				number of pending updates
	 */
	u_int32_t (*get_pending_updates)(ike_sa_t *this);

	/**
	 * Set the number of queued MOBIKE address updates.
	 *
	 * @param updates		number of pending updates
	 */
	void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);

#ifdef ME
	/**
	 * Activate mediation server functionality for this IKE_SA.
	 */
	void (*act_as_mediation_server) (ike_sa_t *this);

	/**
	 * Get the server reflexive host.
	 *
	 * This is our address as seen by the mediation server, i.e. a value
	 * reported by a remote party.
	 *
	 * @return				server reflexive host
	 */
	host_t* (*get_server_reflexive_host) (ike_sa_t *this);

	/**
	 * Set the server reflexive host.
	 *
	 * @param host			server reflexive host
	 */
	void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);

	/**
	 * Get the connect ID.
	 *
	 * @return				connect ID
	 */
	chunk_t (*get_connect_id) (ike_sa_t *this);

	/**
	 * Initiate the mediation of a mediated connection (i.e. initiate a
	 * ME_CONNECT exchange to a mediation server).
	 *
	 * @param mediated_cfg	peer_cfg of the mediated connection
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);

	/**
	 * Initiate the mediated connection.
	 *
	 * All arguments are cloned; the caller keeps ownership of what it passed.
	 *
	 * @param me			local endpoint (gets cloned)
	 * @param other			remote endpoint (gets cloned)
	 * @param connect_id	connect ID (gets cloned)
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
								   chunk_t connect_id);

	/**
	 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
	 * to a peer).
	 *
	 * Data is cloned; the caller keeps ownership of its arguments.
	 *
	 * @param requester		ID of the requesting peer
	 * @param connect_id	data of the ME_CONNECTID payload
	 * @param connect_key	data of the ME_CONNECTKEY payload
	 * @param endpoints		endpoints
	 * @param response		TRUE if this is a response
	 * @return
	 *						- SUCCESS if relay started
	 *						- DESTROY_ME if relay failed
	 */
	status_t (*relay) (ike_sa_t *this, identification_t *requester,
					   chunk_t connect_id, chunk_t connect_key,
					   linked_list_t *endpoints, bool response);

	/**
	 * Send a callback to a peer.
	 *
	 * Data is cloned.
	 *
	 * @param peer_id		ID of the other peer
	 * @return
	 *						- SUCCESS if response started
	 *						- DESTROY_ME if response failed
	 */
	status_t (*callback) (ike_sa_t *this, identification_t *peer_id);

	/**
	 * Respond to a ME_CONNECT request.
	 *
	 * Data is cloned.
	 *
	 * @param peer_id		ID of the other peer
	 * @param connect_id	the connect ID supplied by the initiator
	 * @return
	 *						- SUCCESS if response started
	 *						- DESTROY_ME if response failed
	 */
	status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
						 chunk_t connect_id);
#endif /* ME */

	/**
	 * Initiate a new connection.
	 *
	 * The configs are owned by the IKE_SA after the call (ownership of
	 * child_cfg transfers; do not free it afterwards). If the initiate
	 * is triggered by a packet, traffic selectors of the packet can be added
	 * to the CHILD_SA.
	 *
	 * @param child_cfg		child config to create CHILD from
	 * @param reqid			reqid to use for CHILD_SA, 0 to assign one uniquely
	 * @param tsi			source of triggering packet
	 * @param tsr			destination of triggering packet
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
						  u_int32_t reqid, traffic_selector_t *tsi,
						  traffic_selector_t *tsr);

	/**
	 * Initiates the deletion of an IKE_SA.
	 *
	 * Sends a delete message to the remote peer and waits for
	 * its response. If the response comes in, or a timeout occurs,
	 * the IKE SA gets deleted.
	 *
	 * @return
	 *						- SUCCESS if deletion is initialized
	 *						- DESTROY_ME, if the IKE_SA is not in
	 *						  an established state and can not be
	 *						  deleted (but destroyed).
	 */
	status_t (*delete) (ike_sa_t *this);

	/**
	 * Update IKE_SAs after network interfaces have changed.
	 *
	 * Whenever the network interface configuration changes, the kernel
	 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
	 * the new network config requires changes, and handles them appropriately.
	 * If MOBIKE is supported, addresses are updated; if not, the tunnel is
	 * restarted.
	 *
	 * @param address		TRUE if address list changed, FALSE otherwise
	 * @return				SUCCESS, FAILED, DESTROY_ME
	 */
	status_t (*roam)(ike_sa_t *this, bool address);

	/**
	 * Processes an incoming IKEv2 message.
	 *
	 * The message is untrusted input. Processing may fail: presumably
	 * FAILED means the message was rejected but the SA stays usable, while
	 * DESTROY_ME signals a critical failure and the caller must destroy the
	 * IKE_SA immediately, as it is unusable.
	 *
	 * @param message		message to process
	 * @return
	 *						- SUCCESS
	 *						- FAILED
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*process_message) (ike_sa_t *this, message_t *message);

	/**
	 * Generate an IKE message to send it to the peer.
	 *
	 * This method generates all payloads in the message and encrypts/signs
	 * the packet using the keying material of this IKE_SA.
	 *
	 * @param message		message to generate
	 * @param packet		generated output packet
	 * @return
	 *						- SUCCESS
	 *						- FAILED
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*generate_message) (ike_sa_t *this, message_t *message,
								  packet_t **packet);

	/**
	 * Retransmits a request.
	 *
	 * @param message_id	ID of the request to retransmit
	 * @return
	 *						- SUCCESS
	 *						- NOT_FOUND if request doesn't have to be retransmitted
	 */
	status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);

	/**
	 * Sends a DPD request to the peer.
	 *
	 * To check if a peer is still alive, periodic
	 * empty INFORMATIONAL messages are sent if no
	 * other traffic was received. Unlike keepalives these are
	 * protected IKE messages, so a reply proves the peer still holds
	 * the SA.
	 *
	 * @return
	 *						- SUCCESS
	 *						- DESTROY_ME, if peer did not respond
	 */
	status_t (*send_dpd) (ike_sa_t *this);

	/**
	 * Sends a keep alive packet.
	 *
	 * To refresh NAT tables in a NAT router
	 * between the peers, periodic empty
	 * UDP packets are sent if no other traffic
	 * was sent. These carry no IKE payload and prove nothing about
	 * the peer; see send_dpd() for liveness.
	 */
	void (*send_keepalive) (ike_sa_t *this);

	/**
	 * Get the keying material of this IKE_SA.
	 *
	 * The returned object holds the secret keys of this SA. Presumably it is
	 * not cloned (as with get_id()); callers must not free it, copy its keys
	 * around, or log them.
	 *
	 * @return				per IKE_SA keymat instance
	 */
	keymat_t* (*get_keymat)(ike_sa_t *this);

	/**
	 * Associates a CHILD_SA to this IKE_SA.
	 *
	 * @param child_sa		child_sa to add
	 */
	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);

	/**
	 * Get a CHILD_SA identified by protocol and SPI.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			SPI of the CHILD_SA
	 * @param inbound		TRUE if SPI is inbound, FALSE if outbound
	 * @return				child_sa, or NULL if none found
	 */
	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
								 u_int32_t spi, bool inbound);

	/**
	 * Create an iterator over all CHILD_SAs.
	 *
	 * @return				iterator
	 */
	iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);

	/**
	 * Rekey the CHILD_SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD_SA owned by this IKE_SA, and starts the rekeying.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS, if rekeying initiated
	 */
	status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Close the CHILD_SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD_SA owned by this IKE_SA, deletes it and
	 * notifies the remote peer about the delete. The associated
	 * states and policies in the kernel get deleted, if they exist.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS, if delete message sent
	 */
	status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Destroy a CHILD_SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD_SA owned by this IKE_SA and destroys it. In
	 * contrast to delete_child_sa() no delete exchange is described for
	 * this call, so presumably the peer is not notified - confirm in
	 * ike_sa.c.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS
	 */
	status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Rekey the IKE_SA.
	 *
	 * Sets up a new IKE_SA, moves all CHILD_SAs to it and deletes this
	 * IKE_SA. Rekeying derives fresh keys but does not re-authenticate the
	 * peer; use reauth() for that.
	 *
	 * @return				- SUCCESS, if IKE_SA rekeying initiated
	 */
	status_t (*rekey) (ike_sa_t *this);

	/**
	 * Reauthenticate the IKE_SA.
	 *
	 * Creates a completely new IKE_SA with authentication, recreates all
	 * children within the IKE_SA, closes this IKE_SA.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reauth) (ike_sa_t *this);

	/**
	 * Reestablish the IKE_SA.
	 *
	 * Reestablish an IKE_SA after it has been closed.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reestablish) (ike_sa_t *this);

	/**
	 * Set the lifetime limit received from an AUTH_LIFETIME notify.
	 *
	 * This value is supplied by the peer and presumably drives the scheduled
	 * reauthentication (STAT_REAUTH); a peer can thus shorten, but should not
	 * be able to extend, the locally configured limits - confirm in ike_sa.c.
	 *
	 * @param lifetime		lifetime in seconds
	 */
	void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);

	/**
	 * Set the virtual IP to use for this IKE_SA and its children.
	 *
	 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
	 * lifetime as the IKE_SA. The remote virtual IP is what the peer
	 * requested or was assigned, i.e. peer-supplied data.
	 *
	 * @param local			TRUE to set local address, FALSE for remote
	 * @param ip			IP to set as virtual IP
	 */
	void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);

	/**
	 * Get the virtual IP configured.
	 *
	 * @param local			TRUE to get local virtual IP, FALSE for remote
	 * @return				host_t *virtual IP
	 */
	host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);

	/**
	 * Register a configuration attribute to the IKE_SA.
	 *
	 * If an IRAS sends a configuration attribute it is installed and
	 * registered at the IKE_SA. Attributes are inherit()ed and get released
	 * when the IKE_SA is closed.
	 *
	 * The attribute data comes from the remote server; the handler that
	 * installed it is expected to have validated it.
	 *
	 * @param handler		handler that installed the attribute, used for release()
	 * @param type			configuration attribute type
	 * @param data			associated attribute data
	 */
	void (*add_configuration_attribute)(ike_sa_t *this,
							attribute_handler_t *handler,
							configuration_attribute_type_t type, chunk_t data);

	/**
	 * Set local and remote host addresses to be used for IKE.
	 *
	 * These addresses are communicated via the KMADDRESS field of a MIGRATE
	 * message sent via the NETLINK or PF_KEY kernel socket interface.
	 *
	 * @param local			local kmaddress
	 * @param remote		remote kmaddress
	 */
	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);

	/**
	 * Inherit all attributes of other to this after rekeying.
	 *
	 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
	 * outstanding tasks are moved from other to this.
	 * As this call may initiate inherited tasks, a status is returned.
	 *
	 * @param other			other IKE_SA to inherit from
	 * @return				DESTROY_ME if initiation of inherited task failed
	 */
	status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);

	/**
	 * Reset the IKE_SA, usable when initiating fails.
	 */
	void (*reset) (ike_sa_t *this);

	/**
	 * Destroys an ike_sa_t object.
	 *
	 * Objects handed out by the get_*() accessors become invalid.
	 */
	void (*destroy) (ike_sa_t *this);
};
878
/**
 * Creates an ike_sa_t object with a specific ID.
 *
 * The new IKE_SA starts in state IKE_CREATED; release it with destroy().
 *
 * NOTE(review): whether ike_sa_id is cloned or adopted by the new object is
 * not visible in this header - check ike_sa.c before freeing it after the call.
 *
 * @param ike_sa_id		ike_sa_id_t object to associate with new IKE_SA
 * @return				ike_sa_t object
 */
ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);
886
887 #endif /** IKE_SA_H_ @}*/