projects / strongswan.git / blob
? search:


0c4484252536fbb565d1e3a1f17cde13a7470876
[strongswan.git] / src / libcharon / config / ike_cfg.h
1 /*
2 * Copyright (C) 2005-2007 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /**
18 * @defgroup ike_cfg ike_cfg
19 * @{ @ingroup config
20 */
21
22 #ifndef IKE_CFG_H_
23 #define IKE_CFG_H_
24
25 typedef enum ike_version_t ike_version_t;
26 typedef struct ike_cfg_t ike_cfg_t;
27
28 #include <library.h>
29 #include <networking/host.h>
30 #include <collections/linked_list.h>
31 #include <utils/identification.h>
32 #include <config/proposal.h>
33 #include <crypto/diffie_hellman.h>
34
35 /**
36 * IKE version.
37 */
38 enum ike_version_t {
39 /** any version */
40 IKE_ANY = 0,
41 /** IKE version 1 */
42 IKEV1 = 1,
43 /** IKE version 2 */
44 IKEV2 = 2,
45 };
46
47 /**
48 * enum strings fro ike_version_t
49 */
50 extern enum_name_t *ike_version_names;
51
52 /**
53 * An ike_cfg_t defines the rules to set up an IKE_SA.
54 *
55 * @see peer_cfg_t to get an overview over the configurations.
56 */
57 struct ike_cfg_t {
58
59 /**
60 * Get the IKE version to use with this configuration.
61 *
62 * @return IKE major version
63 */
64 ike_version_t (*get_version)(ike_cfg_t *this);
65
66 /**
67 * Get own address.
68 *
69 * @param allow_any allow any address to match
70 * @return string of address/DNS name
71 */
72 char* (*get_my_addr) (ike_cfg_t *this, bool *allow_any);
73
74 /**
75 * Get peer's address.
76 *
77 * @param allow_any allow any address to match
78 * @return string of address/DNS name
79 */
80 char* (*get_other_addr) (ike_cfg_t *this, bool *allow_any);
81
82 /**
83 * Get the port to use as our source port.
84 *
85 * @return source address port, host order
86 */
87 u_int16_t (*get_my_port)(ike_cfg_t *this);
88
89 /**
90 * Get the port to use as destination port.
91 *
92 * @return destination address, host order
93 */
94 u_int16_t (*get_other_port)(ike_cfg_t *this);
95
96 /**
97 * Adds a proposal to the list.
98 *
99 * The first added proposal has the highest priority, the last
100 * added the lowest.
101 *
102 * @param proposal proposal to add
103 */
104 void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);
105
106 /**
107 * Returns a list of all supported proposals.
108 *
109 * Returned list and its proposals must be destroyed after use.
110 *
111 * @return list containing all the proposals
112 */
113 linked_list_t* (*get_proposals) (ike_cfg_t *this);
114
115 /**
116 * Select a proposed from suggested proposals.
117 *
118 * Returned proposal must be destroyed after use.
119 *
120 * @param proposals list of proposals to select from
121 * @param private accept algorithms from a private range
122 * @return selected proposal, or NULL if none matches.
123 */
124 proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
125 bool private);
126
127 /**
128 * Should we send a certificate request in IKE_SA_INIT?
129 *
130 * @return certificate request sending policy
131 */
132 bool (*send_certreq) (ike_cfg_t *this);
133
134 /**
135 * Enforce UDP encapsulation by faking NATD notifies?
136 *
137 * @return TRUE to enforce UDP encapsulation
138 */
139 bool (*force_encap) (ike_cfg_t *this);
140
141 /**
142 * Use proprietary IKEv1 fragmentation
143 *
144 * @return TRUE to use fragmentation
145 */
146 bool (*fragmentation) (ike_cfg_t *this);
147
148 /**
149 * Get the DH group to use for IKE_SA setup.
150 *
151 * @return dh group to use for initialization
152 */
153 diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);
154
155 /**
156 * Check if two IKE configs are equal.
157 *
158 * @param other other to check for equality
159 * @return TRUE if other equal to this
160 */
161 bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);
162
163 /**
164 * Increase reference count.
165 *
166 * @return reference to this
167 */
168 ike_cfg_t* (*get_ref) (ike_cfg_t *this);
169
170 /**
171 * Destroys a ike_cfg_t object.
172 *
173 * Decrements the internal reference counter and
174 * destroys the ike_cfg when it reaches zero.
175 */
176 void (*destroy) (ike_cfg_t *this);
177 };
178
179 /**
180 * Creates a ike_cfg_t object.
181 *
182 * Supplied hosts become owned by ike_cfg, the name gets cloned.
183 *
184 * @param version IKE major version to use for this config
185 * @param certreq TRUE to send a certificate request
186 * @param force_encap enforce UDP encapsulation by faking NATD notify
187 * @param me address/DNS name of local peer
188 * @param my_allow_any allow override of local address by any address
189 * @param my_port IKE port to use as source, 500 uses IKEv2 port floating
190 * @param other address/DNS name of remote peer
191 * @param other_allow_any allow override of remote address by any address
192 * @param other_port IKE port to use as dest, 500 uses IKEv2 port floating
193 * @param fragmentation use IKEv1 fragmentation
194 * @return ike_cfg_t object.
195 */
196 ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
197 char *me, bool my_allow_any, u_int16_t my_port,
198 char *other, bool other_allow_any, u_int16_t other_port,
199 bool fragmentation);
200
201 #endif /** IKE_CFG_H_ @}*/
strongSwan - IPsec VPN