1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup ike_sa ike_sa
21 * @{ @ingroup sa
22 */
23
24 #ifndef IKE_SA_H_
25 #define IKE_SA_H_
26
/*
 * Forward declarations of the types defined in this header. They are placed
 * before the includes below, presumably so that the included headers can
 * already refer to these names by type (TODO confirm against the includes).
 */
typedef enum ike_extension_t ike_extension_t;
typedef enum ike_condition_t ike_condition_t;
typedef enum ike_sa_state_t ike_sa_state_t;
typedef enum statistic_t statistic_t;
typedef struct ike_sa_t ike_sa_t;
32
33 #include <library.h>
34 #include <encoding/message.h>
35 #include <encoding/payloads/proposal_substructure.h>
36 #include <encoding/payloads/configuration_attribute.h>
37 #include <sa/ike_sa_id.h>
38 #include <sa/child_sa.h>
39 #include <sa/tasks/task.h>
40 #include <sa/keymat.h>
41 #include <config/peer_cfg.h>
42 #include <config/ike_cfg.h>
43 #include <config/auth_cfg.h>
44
/**
 * Timeout in seconds after which a half open IKE_SA gets deleted.
 *
 * A half open SA is one that has not completed establishment yet; the
 * timeout bounds how long such an SA is kept around (presumably to limit
 * the state an unauthenticated peer can tie up — confirm in ike_sa.c).
 */
#define HALF_OPEN_IKE_SA_TIMEOUT 30

/**
 * Interval to send keepalives when NATed, in seconds.
 */
#define KEEPALIVE_INTERVAL 20

/**
 * After which time rekeying should be retried if it failed, in seconds.
 */
#define RETRY_INTERVAL 30

/**
 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry, in seconds.
 */
#define RETRY_JITTER 20
64
/**
 * Optional IKEv2 features a peer has announced support for.
 *
 * Each enumerator is a single-bit flag, so several extensions can be
 * represented together in one integer mask.
 */
enum ike_extension_t {
	/** NAT traversal as specified in RFC4306 */
	EXT_NATT = 1 << 0,
	/** MOBIKE, RFC4555 */
	EXT_MOBIKE = 1 << 1,
	/** HTTP certificate lookups (hash-and-URL) as specified in RFC4306 */
	EXT_HASH_AND_URL = 1 << 2,
	/** multiple authentication exchanges, RFC4739 */
	EXT_MULTIPLE_AUTH = 1 << 3,
};
90
/**
 * Conditions of an IKE_SA; these change during its lifetime.
 *
 * Each enumerator is a single-bit flag, so several conditions can be
 * represented together in one integer mask.
 */
enum ike_condition_t {
	/** the connection is NATed (or a NAT is faked) somewhere on the path */
	COND_NAT_ANY = 1 << 0,
	/** the local peer is behind a NAT */
	COND_NAT_HERE = 1 << 1,
	/** the remote peer is behind a NAT */
	COND_NAT_THERE = 1 << 2,
	/** a NAT is faked to enforce UDP encapsulation */
	COND_NAT_FAKE = 1 << 3,
	/** the peer has been authenticated using EAP at least once */
	COND_EAP_AUTHENTICATED = 1 << 4,
	/** a certificate request has been received from the peer */
	COND_CERTREQ_SEEN = 1 << 5,
	/** the local peer is the "original" IKE initiator; unaffected by rekeying */
	COND_ORIGINAL_INITIATOR = 1 << 6,
};
131
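/**
 * Timing information and statistics to query from an SA.
 *
 * All values except STAT_MAX select a timestamp; STAT_MAX is the number of
 * real statistic kinds and is not a statistic itself.
 */
enum statistic_t {
	/** Timestamp of SA establishment */
	STAT_ESTABLISHED = 0,
	/** Timestamp of scheduled rekeying */
	STAT_REKEY,
	/** Timestamp of scheduled reauthentication */
	STAT_REAUTH,
	/** Timestamp of scheduled delete */
	STAT_DELETE,
	/** Timestamp of last inbound IKE packet */
	STAT_INBOUND,
	/** Timestamp of last outbound IKE packet */
	STAT_OUTBOUND,

	/** number of statistic kinds, not a statistic itself */
	STAT_MAX
};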
151
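/**
 * State of an IKE_SA.
 *
 * An IKE_SA passes various states in its lifetime. A newly created
 * SA is in the state IKE_CREATED. The diagram below shows the regular
 * transitions; IKE_PASSIVE and IKE_DESTROYING are not shown.
 * @verbatim
                  +----------------+
                  |  IKE_CREATED   |
                  +----------------+
                          |
     on initiate()--->    |    <----- on IKE_SA_INIT received
                          V
                  +----------------+
                  | IKE_CONNECTING |
                  +----------------+
                          |
                          |    <----- on IKE_AUTH successfully completed
                          V
                  +----------------+
                  |IKE_ESTABLISHED |-------------------------+ <-- on rekeying
                  +----------------+                         |
                          |                                  V
     on delete()--->      |    <----- on IKE_SA      +---------------+
                          |           delete request | IKE_REKEYING  |
                          |           received       +---------------+
                          V                                  |
                  +----------------+                         |
                  |  IKE_DELETING  |<------------------------+ <-- after rekeying
                  +----------------+
                          |
                          |    <----- after delete() acknowledged
                          |
                         \V/
                          X
                         / \
   @endverbatim
 */
enum ike_sa_state_t {
	/** IKE_SA just got created, but is not initiating nor responding yet. */
	IKE_CREATED,
	/** IKE_SA gets initiated actively or passively */
	IKE_CONNECTING,
	/** IKE_SA is fully established */
	IKE_ESTABLISHED,
	/** IKE_SA is managed externally and does not process messages */
	IKE_PASSIVE,
	/** IKE_SA rekeying in progress */
	IKE_REKEYING,
	/** IKE_SA is in progress of deletion */
	IKE_DELETING,
	/** IKE_SA object gets destroyed */
	IKE_DESTROYING,
};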
226
/**
 * Enum names for ike_sa_state_t, one entry per enumerator.
 */
extern enum_name_t *ike_sa_state_names;
231
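/**
 * Class ike_sa_t representing an IKE_SA.
 *
 * An IKE_SA contains crypto information related to a connection
 * with a peer. It contains multiple IPsec CHILD_SAs, for which
 * it is responsible. All traffic is handled by an IKE_SA, using
 * the task manager and its tasks.
 *
 * Several methods return DESTROY_ME; see process_message() for what the
 * caller has to do in that case.
 */
struct ike_sa_t {

	/**
	 * Get the id of the SA.
	 *
	 * The returned ike_sa_id_t object is not cloned; the IKE_SA keeps
	 * ownership, so the caller must not destroy it.
	 *
	 * @return				ike_sa's ike_sa_id_t
	 */
	ike_sa_id_t* (*get_id) (ike_sa_t *this);

	/**
	 * Get the numerical ID uniquely defining this IKE_SA.
	 *
	 * @return				unique ID
	 */
	u_int32_t (*get_unique_id) (ike_sa_t *this);

	/**
	 * Get the state of the IKE_SA.
	 *
	 * @return				state of the IKE_SA
	 */
	ike_sa_state_t (*get_state) (ike_sa_t *this);

	/**
	 * Set the state of the IKE_SA.
	 *
	 * @param state			state to set for the IKE_SA
	 */
	void (*set_state) (ike_sa_t *this, ike_sa_state_t state);

	/**
	 * Get the name of the connection this IKE_SA uses.
	 *
	 * @return				name (ownership not documented here; presumably
	 *						owned by the IKE_SA — confirm in ike_sa.c)
	 */
	char* (*get_name) (ike_sa_t *this);

	/**
	 * Get statistic values from the IKE_SA.
	 *
	 * @param kind			kind of requested value, see statistic_t
	 * @return				value as 32-bit unsigned integer
	 */
	u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);

	/**
	 * Get the own host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_my_host) (ike_sa_t *this);

	/**
	 * Set the own host address.
	 *
	 * @param me			host address
	 */
	void (*set_my_host) (ike_sa_t *this, host_t *me);

	/**
	 * Get the other peer's host address.
	 *
	 * @return				host address
	 */
	host_t* (*get_other_host) (ike_sa_t *this);

	/**
	 * Set the other peer's host address.
	 *
	 * @param other			host address
	 */
	void (*set_other_host) (ike_sa_t *this, host_t *other);

	/**
	 * Update the IKE_SA's hosts.
	 *
	 * Either host may be NULL to keep the current host.
	 *
	 * @param me			new local host address, or NULL
	 * @param other			new remote host address, or NULL
	 */
	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);

	/**
	 * Get the own identification.
	 *
	 * @return				identification
	 */
	identification_t* (*get_my_id) (ike_sa_t *this);

	/**
	 * Set the own identification.
	 *
	 * @param me			identification
	 */
	void (*set_my_id) (ike_sa_t *this, identification_t *me);

	/**
	 * Get the other peer's identification.
	 *
	 * @return				identification
	 */
	identification_t* (*get_other_id) (ike_sa_t *this);

	/**
	 * Set the other peer's identification.
	 *
	 * @param other			identification
	 */
	void (*set_other_id) (ike_sa_t *this, identification_t *other);

	/**
	 * Get the peer's EAP identity.
	 *
	 * The EAP identity is exchanged in an EAP-Identity exchange.
	 *
	 * @return				identification, NULL if none set
	 */
	identification_t* (*get_eap_identity) (ike_sa_t *this);

	/**
	 * Set the peer's EAP identity.
	 *
	 * @param id			identification
	 */
	void (*set_eap_identity) (ike_sa_t *this, identification_t *id);

	/**
	 * Get the config used to set up this IKE_SA.
	 *
	 * @return				ike_config
	 */
	ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);

	/**
	 * Set the config to set up this IKE_SA.
	 *
	 * @param config		ike_config to use
	 */
	void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);

	/**
	 * Get the peer config used by this IKE_SA.
	 *
	 * @return				peer_config
	 */
	peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);

	/**
	 * Set the peer config to use with this IKE_SA.
	 *
	 * @param config		peer_config to use
	 */
	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);

	/**
	 * Get the authentication config with the rules of the current auth round.
	 *
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 * @return				current cfg
	 */
	auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);

	/**
	 * Get the selected proposal of this IKE_SA.
	 *
	 * @return				selected proposal
	 */
	proposal_t* (*get_proposal)(ike_sa_t *this);

	/**
	 * Set the proposal selected for this IKE_SA.
	 *
	 * @param proposal		selected proposal
	 */
	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);

	/**
	 * Set a message id of the IKE_SA.
	 *
	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
	 * and one to respond to exchanges (expect).
	 *
	 * @param initiate		TRUE to set the message ID for initiating,
	 *						FALSE for the one expected from the peer
	 * @param mid			message id to set
	 */
	void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);

	/**
	 * Add an additional address for the peer.
	 *
	 * In MOBIKE, a peer may transmit additional addresses where it is
	 * reachable. These are stored in the IKE_SA.
	 * The own list of addresses is not stored, they are queried from
	 * the kernel when required.
	 *
	 * @param host			host to add to the list
	 */
	void (*add_additional_address)(ike_sa_t *this, host_t *host);

	/**
	 * Create an iterator over all additional addresses of the peer.
	 *
	 * @return				iterator over addresses
	 */
	iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);

	/**
	 * Check if mappings have changed on a NAT for our source address.
	 *
	 * @param hash			received NAT_DETECTION_DESTINATION_IP hash
	 * @return				TRUE if mappings have changed
	 */
	bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);

	/**
	 * Enable an extension the peer supports.
	 *
	 * If support for an IKE extension is detected, this method is called
	 * to enable that extension and behave accordingly.
	 *
	 * @param extension		extension to enable
	 */
	void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Check if the peer supports an extension.
	 *
	 * @param extension		extension to check for support
	 * @return				TRUE if peer supports it, FALSE otherwise
	 */
	bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);

	/**
	 * Enable/disable a condition flag for this IKE_SA.
	 *
	 * @param condition		condition to enable/disable
	 * @param enable		TRUE to enable condition, FALSE to disable
	 */
	void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);

	/**
	 * Check if a condition flag is set.
	 *
	 * @param condition		condition to check
	 * @return				TRUE if condition flag set, FALSE otherwise
	 */
	bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);

	/**
	 * Get the number of queued MOBIKE address updates.
	 *
	 * @return				number of pending updates
	 */
	u_int32_t (*get_pending_updates)(ike_sa_t *this);

	/**
	 * Set the number of queued MOBIKE address updates.
	 *
	 * @param updates		number of pending updates
	 */
	void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);

#ifdef ME
	/**
	 * Activate mediation server functionality for this IKE_SA.
	 */
	void (*act_as_mediation_server) (ike_sa_t *this);

	/**
	 * Get the server reflexive host.
	 *
	 * @return				server reflexive host
	 */
	host_t* (*get_server_reflexive_host) (ike_sa_t *this);

	/**
	 * Set the server reflexive host.
	 *
	 * @param host			server reflexive host
	 */
	void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);

	/**
	 * Get the connect ID.
	 *
	 * @return				connect ID
	 */
	chunk_t (*get_connect_id) (ike_sa_t *this);

	/**
	 * Initiate the mediation of a mediated connection (i.e. initiate a
	 * ME_CONNECT exchange).
	 *
	 * @param mediated_cfg	peer_cfg of the mediated connection
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);

	/**
	 * Initiate the mediated connection.
	 *
	 * @param me			local endpoint (gets cloned)
	 * @param other			remote endpoint (gets cloned)
	 * @param connect_id	connect ID (gets cloned)
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
								   chunk_t connect_id);

	/**
	 * Relay data from one peer to another (i.e. initiate a
	 * ME_CONNECT exchange).
	 *
	 * Data is cloned.
	 *
	 * @param requester		ID of the requesting peer
	 * @param connect_id	data of the ME_CONNECTID payload
	 * @param connect_key	data of the ME_CONNECTKEY payload
	 * @param endpoints		endpoints
	 * @param response		TRUE if this is a response
	 * @return
	 *						- SUCCESS if relay started
	 *						- DESTROY_ME if relay failed
	 */
	status_t (*relay) (ike_sa_t *this, identification_t *requester, chunk_t connect_id,
					   chunk_t connect_key, linked_list_t *endpoints, bool response);

	/**
	 * Send a callback to a peer.
	 *
	 * Data is cloned.
	 *
	 * @param peer_id		ID of the other peer
	 * @return
	 *						- SUCCESS if response started
	 *						- DESTROY_ME if response failed
	 */
	status_t (*callback) (ike_sa_t *this, identification_t *peer_id);

	/**
	 * Respond to a ME_CONNECT request.
	 *
	 * Data is cloned.
	 *
	 * @param peer_id		ID of the other peer
	 * @param connect_id	the connect ID supplied by the initiator
	 * @return
	 *						- SUCCESS if response started
	 *						- DESTROY_ME if response failed
	 */
	status_t (*respond) (ike_sa_t *this, identification_t *peer_id, chunk_t connect_id);
#endif /* ME */

	/**
	 * Initiate a new connection.
	 *
	 * The configs are owned by the IKE_SA after the call.
	 *
	 * @param child_cfg		child config to create the CHILD_SA from
	 * @param reqid			reqid to use for the CHILD_SA, 0 to assign one uniquely
	 * @return
	 *						- SUCCESS if initialization started
	 *						- DESTROY_ME if initialization failed
	 */
	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
						  u_int32_t reqid);

	/**
	 * Initiate the deletion of an IKE_SA.
	 *
	 * Sends a delete message to the remote peer and waits for
	 * its response. If the response comes in, or a timeout occurs,
	 * the IKE_SA gets deleted.
	 *
	 * @return
	 *						- SUCCESS if deletion is initialized
	 *						- DESTROY_ME, if the IKE_SA is not in
	 *						  an established state and can not be
	 *						  deleted (but destroyed).
	 */
	status_t (*delete) (ike_sa_t *this);

	/**
	 * Update the IKE_SA after network interfaces have changed.
	 *
	 * Whenever the network interface configuration changes, the kernel
	 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
	 * the new network config requires changes, and handles them appropriately.
	 * If MOBIKE is supported, addresses are updated; if not, the tunnel is
	 * restarted.
	 *
	 * @param address		TRUE if address list changed, FALSE otherwise
	 * @return				SUCCESS, FAILED, DESTROY_ME
	 */
	status_t (*roam)(ike_sa_t *this, bool address);

	/**
	 * Process an incoming IKEv2 message.
	 *
	 * Message processing may fail. If a critical failure occurs,
	 * process_message() returns DESTROY_ME. Then the caller must
	 * destroy the IKE_SA immediately, as it is unusable.
	 *
	 * @param message		message to process
	 * @return
	 *						- SUCCESS
	 *						- FAILED
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*process_message) (ike_sa_t *this, message_t *message);

	/**
	 * Generate an IKE message to send it to the peer.
	 *
	 * This method generates all payloads in the message and encrypts/signs
	 * the packet.
	 *
	 * @param message		message to generate
	 * @param packet		generated output packet
	 * @return
	 *						- SUCCESS
	 *						- FAILED
	 *						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*generate_message) (ike_sa_t *this, message_t *message,
								  packet_t **packet);

	/**
	 * Retransmit a request.
	 *
	 * @param message_id	ID of the request to retransmit
	 * @return
	 *						- SUCCESS
	 *						- NOT_FOUND if the request doesn't have to be retransmitted
	 */
	status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);

	/**
	 * Send a DPD request to the peer.
	 *
	 * To check if a peer is still alive, periodic
	 * empty INFORMATIONAL messages are sent if no
	 * other traffic was received.
	 *
	 * @return
	 *						- SUCCESS
	 *						- DESTROY_ME, if peer did not respond
	 */
	status_t (*send_dpd) (ike_sa_t *this);

	/**
	 * Send a keep alive packet.
	 *
	 * To refresh NAT tables in a NAT router
	 * between the peers, periodic empty
	 * UDP packets are sent if no other traffic
	 * was sent.
	 */
	void (*send_keepalive) (ike_sa_t *this);

	/**
	 * Get the keying material of this IKE_SA.
	 *
	 * @return				per IKE_SA keymat instance
	 */
	keymat_t* (*get_keymat)(ike_sa_t *this);

	/**
	 * Associate a CHILD_SA to this IKE_SA.
	 *
	 * @param child_sa		child_sa to add
	 */
	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);

	/**
	 * Get a CHILD_SA identified by protocol and SPI.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			SPI of the CHILD_SA
	 * @param inbound		TRUE if SPI is inbound, FALSE if outbound
	 * @return				child_sa, or NULL if none found
	 */
	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
								 u_int32_t spi, bool inbound);

	/**
	 * Create an iterator over all CHILD_SAs.
	 *
	 * @return				iterator
	 */
	iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);

	/**
	 * Rekey the CHILD_SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD_SA owned by this IKE_SA, and starts the rekeying.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS, if rekeying initiated
	 */
	status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Close the CHILD_SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD_SA owned by this IKE_SA, deletes it and
	 * notifies the remote peer about the delete. The associated
	 * states and policies in the kernel get deleted, if they exist.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS, if delete message sent
	 */
	status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Destroy a CHILD_SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD_SA owned by this IKE_SA and destroys it.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS
	 */
	status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * Rekey the IKE_SA.
	 *
	 * Sets up a new IKE_SA, moves all CHILD_SAs to it and deletes this IKE_SA.
	 *
	 * @return				SUCCESS, if IKE_SA rekeying initiated
	 */
	status_t (*rekey) (ike_sa_t *this);

	/**
	 * Reauthenticate the IKE_SA.
	 *
	 * Creates a completely new IKE_SA with authentication, recreates all
	 * children within the IKE_SA, closes this IKE_SA.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reauth) (ike_sa_t *this);

	/**
	 * Reestablish the IKE_SA.
	 *
	 * Reestablishes an IKE_SA after it has been closed.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reestablish) (ike_sa_t *this);

	/**
	 * Set the lifetime limit received from an AUTH_LIFETIME notify.
	 *
	 * @param lifetime		lifetime in seconds
	 */
	void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);

	/**
	 * Set the virtual IP to use for this IKE_SA and its children.
	 *
	 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
	 * lifetime as the IKE_SA.
	 *
	 * @param local			TRUE to set local address, FALSE for remote
	 * @param ip			IP to set as virtual IP
	 */
	void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);

	/**
	 * Get the virtual IP configured.
	 *
	 * @param local			TRUE to get local virtual IP, FALSE for remote
	 * @return				virtual IP
	 */
	host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);

	/**
	 * Register a configuration attribute to the IKE_SA.
	 *
	 * If an IRAS sends a configuration attribute it is installed and
	 * registered at the IKE_SA. Attributes are moved by inherit() and get
	 * released when the IKE_SA is closed.
	 *
	 * @param type			configuration attribute type
	 * @param data			associated attribute data
	 */
	void (*add_configuration_attribute)(ike_sa_t *this,
							configuration_attribute_type_t type, chunk_t data);

	/**
	 * Set local and remote host addresses to be used for IKE.
	 *
	 * These addresses are communicated via the KMADDRESS field of a MIGRATE
	 * message sent via the NETLINK or PF_KEY kernel socket interface.
	 *
	 * @param local			local kmaddress
	 * @param remote		remote kmaddress
	 */
	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);

	/**
	 * Inherit all attributes of other to this after rekeying.
	 *
	 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
	 * outstanding tasks are moved from other to this.
	 * As this call may initiate inherited tasks, a status is returned.
	 *
	 * @param other			other IKE_SA to inherit from
	 * @return				DESTROY_ME if initiation of an inherited task failed
	 */
	status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);

	/**
	 * Reset the IKE_SA, usable when initiating fails.
	 */
	void (*reset) (ike_sa_t *this);

	/**
	 * Destroys an ike_sa_t object.
	 */
	void (*destroy) (ike_sa_t *this);
};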
881
/**
 * Creates an ike_sa_t object with a specific ID.
 *
 * @param ike_sa_id		ike_sa_id_t object to associate with the new IKE_SA
 *						(NOTE(review): whether the IKE_SA takes ownership of
 *						it is not stated here — confirm in ike_sa.c)
 * @return				ike_sa_t object
 */
ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);
889
890 #endif /** IKE_SA_H_ @}*/