Implemented post-authentication certificate handling for IKEv1
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <string.h>
20 #include <sys/stat.h>
21 #include <errno.h>
22 #include <time.h>
23
24 #include "ike_sa.h"
25
26 #include <library.h>
27 #include <hydra.h>
28 #include <daemon.h>
29 #include <utils/linked_list.h>
30 #include <utils/lexparser.h>
31 #include <sa/tasks/ike_init.h>
32 #include <sa/tasks/ike_natd.h>
33 #include <sa/tasks/ike_mobike.h>
34 #include <sa/tasks/ike_auth.h>
35 #include <sa/tasks/ike_auth_lifetime.h>
36 #include <sa/tasks/ike_config.h>
37 #include <sa/tasks/ike_cert_pre.h>
38 #include <sa/tasks/ike_cert_pre_v1.h>
39 #include <sa/tasks/ike_cert_post.h>
40 #include <sa/tasks/ike_cert_post_v1.h>
41 #include <sa/tasks/ike_rekey.h>
42 #include <sa/tasks/ike_reauth.h>
43 #include <sa/tasks/ike_delete.h>
44 #include <sa/tasks/ike_dpd.h>
45 #include <sa/tasks/ike_vendor.h>
46 #include <sa/tasks/child_create.h>
47 #include <sa/tasks/child_delete.h>
48 #include <sa/tasks/child_rekey.h>
49 #include <sa/tasks/main_mode.h>
50 #include <sa/tasks/quick_mode.h>
51 #include <sa/tasks/ike_natd_v1.h>
52 #include <sa/tasks/ike_vendor_v1.h>
53 #include <sa/tasks/xauth_request.h>
54 #include <processing/jobs/retransmit_job.h>
55 #include <processing/jobs/delete_ike_sa_job.h>
56 #include <processing/jobs/send_dpd_job.h>
57 #include <processing/jobs/send_keepalive_job.h>
58 #include <processing/jobs/rekey_ike_sa_job.h>
59
60 #ifdef ME
61 #include <sa/tasks/ike_me.h>
62 #include <processing/jobs/initiate_mediation_job.h>
63 #endif
64
65 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
66 "CREATED",
67 "CONNECTING",
68 "ESTABLISHED",
69 "PASSIVE",
70 "REKEYING",
71 "DELETING",
72 "DESTROYING",
73 );
74
75 typedef struct private_ike_sa_t private_ike_sa_t;
76 typedef struct attribute_entry_t attribute_entry_t;
77
78 /**
79 * Private data of an ike_sa_t object.
80 */
81 struct private_ike_sa_t {
82
83 /**
84 * Public members
85 */
86 ike_sa_t public;
87
88 /**
89 * Identifier for the current IKE_SA.
90 */
91 ike_sa_id_t *ike_sa_id;
92
93 /**
94 * IKE version of this SA.
95 */
96 ike_version_t version;
97
98 /**
99 * unique numerical ID for this IKE_SA.
100 */
101 u_int32_t unique_id;
102
103 /**
104 * Current state of the IKE_SA
105 */
106 ike_sa_state_t state;
107
108 /**
109 * IKE configuration used to set up this IKE_SA
110 */
111 ike_cfg_t *ike_cfg;
112
113 /**
114 * Peer and authentication information to establish IKE_SA.
115 */
116 peer_cfg_t *peer_cfg;
117
118 /**
119 * currently used authentication ruleset, local (as auth_cfg_t)
120 */
121 auth_cfg_t *my_auth;
122
123 /**
124 * list of completed local authentication rounds
125 */
126 linked_list_t *my_auths;
127
128 /**
129 * list of completed remote authentication rounds
130 */
131 linked_list_t *other_auths;
132
133 /**
134 * currently used authentication constraints, remote (as auth_cfg_t)
135 */
136 auth_cfg_t *other_auth;
137
138 /**
139 * Selected IKE proposal
140 */
141 proposal_t *proposal;
142
143 /**
144 * Juggles tasks to process messages
145 */
146 task_manager_t *task_manager;
147
148 /**
149 * Address of local host
150 */
151 host_t *my_host;
152
153 /**
154 * Address of remote host
155 */
156 host_t *other_host;
157
158 #ifdef ME
159 /**
160 * Are we mediation server
161 */
162 bool is_mediation_server;
163
164 /**
165 * Server reflexive host
166 */
167 host_t *server_reflexive_host;
168
169 /**
170 * Connect ID
171 */
172 chunk_t connect_id;
173 #endif /* ME */
174
175 /**
176 * Identification used for us
177 */
178 identification_t *my_id;
179
180 /**
181 * Identification used for other
182 */
183 identification_t *other_id;
184
185 /**
186 * set of extensions the peer supports
187 */
188 ike_extension_t extensions;
189
190 /**
191 * set of condition flags currently enabled for this IKE_SA
192 */
193 ike_condition_t conditions;
194
195 /**
196 * Linked List containing the child sa's of the current IKE_SA.
197 */
198 linked_list_t *child_sas;
199
200 /**
201 * keymat of this IKE_SA
202 */
203 keymat_t *keymat;
204
205 /**
206 * Virtual IP on local host, if any
207 */
208 host_t *my_virtual_ip;
209
210 /**
211 * Virtual IP on remote host, if any
212 */
213 host_t *other_virtual_ip;
214
215 /**
216 * List of configuration attributes (attribute_entry_t)
217 */
218 linked_list_t *attributes;
219
220 /**
221 * list of peers additional addresses, transmitted via MOBIKE
222 */
223 linked_list_t *additional_addresses;
224
225 /**
226 * previously value of received DESTINATION_IP hash
227 */
228 chunk_t nat_detection_dest;
229
230 /**
231 * number pending UPDATE_SA_ADDRESS (MOBIKE)
232 */
233 u_int32_t pending_updates;
234
235 /**
236 * NAT keep alive interval
237 */
238 u_int32_t keepalive_interval;
239
240 /**
241 * Timestamps for this IKE_SA
242 */
243 u_int32_t stats[STAT_MAX];
244
245 /**
246 * how many times we have retried so far (keyingtries)
247 */
248 u_int32_t keyingtry;
249
250 /**
251 * local host address to be used for IKE, set via MIGRATE kernel message
252 */
253 host_t *local_host;
254
255 /**
256 * remote host address to be used for IKE, set via MIGRATE kernel message
257 */
258 host_t *remote_host;
259 };
260
261 /**
262 * Entry to maintain install configuration attributes during IKE_SA lifetime
263 */
264 struct attribute_entry_t {
265 /** handler used to install this attribute */
266 attribute_handler_t *handler;
267 /** attribute type */
268 configuration_attribute_type_t type;
269 /** attribute data */
270 chunk_t data;
271 };
272
273 /**
274 * get the time of the latest traffic processed by the kernel
275 */
276 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
277 {
278 enumerator_t *enumerator;
279 child_sa_t *child_sa;
280 time_t use_time, current;
281
282 if (inbound)
283 {
284 use_time = this->stats[STAT_INBOUND];
285 }
286 else
287 {
288 use_time = this->stats[STAT_OUTBOUND];
289 }
290 enumerator = this->child_sas->create_enumerator(this->child_sas);
291 while (enumerator->enumerate(enumerator, &child_sa))
292 {
293 child_sa->get_usestats(child_sa, inbound, &current, NULL);
294 use_time = max(use_time, current);
295 }
296 enumerator->destroy(enumerator);
297
298 return use_time;
299 }
300
301 METHOD(ike_sa_t, get_unique_id, u_int32_t,
302 private_ike_sa_t *this)
303 {
304 return this->unique_id;
305 }
306
307 METHOD(ike_sa_t, get_name, char*,
308 private_ike_sa_t *this)
309 {
310 if (this->peer_cfg)
311 {
312 return this->peer_cfg->get_name(this->peer_cfg);
313 }
314 return "(unnamed)";
315 }
316
317 METHOD(ike_sa_t, get_statistic, u_int32_t,
318 private_ike_sa_t *this, statistic_t kind)
319 {
320 if (kind < STAT_MAX)
321 {
322 return this->stats[kind];
323 }
324 return 0;
325 }
326
327 METHOD(ike_sa_t, set_statistic, void,
328 private_ike_sa_t *this, statistic_t kind, u_int32_t value)
329 {
330 if (kind < STAT_MAX)
331 {
332 this->stats[kind] = value;
333 }
334 }
335
336 METHOD(ike_sa_t, get_my_host, host_t*,
337 private_ike_sa_t *this)
338 {
339 return this->my_host;
340 }
341
342 METHOD(ike_sa_t, set_my_host, void,
343 private_ike_sa_t *this, host_t *me)
344 {
345 DESTROY_IF(this->my_host);
346 this->my_host = me;
347 }
348
349 METHOD(ike_sa_t, get_other_host, host_t*,
350 private_ike_sa_t *this)
351 {
352 return this->other_host;
353 }
354
355 METHOD(ike_sa_t, set_other_host, void,
356 private_ike_sa_t *this, host_t *other)
357 {
358 DESTROY_IF(this->other_host);
359 this->other_host = other;
360 }
361
362 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
363 private_ike_sa_t *this)
364 {
365 return this->peer_cfg;
366 }
367
368 METHOD(ike_sa_t, set_peer_cfg, void,
369 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
370 {
371 peer_cfg->get_ref(peer_cfg);
372 DESTROY_IF(this->peer_cfg);
373 this->peer_cfg = peer_cfg;
374
375 if (this->ike_cfg == NULL)
376 {
377 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
378 this->ike_cfg->get_ref(this->ike_cfg);
379 }
380 }
381
382 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
383 private_ike_sa_t *this, bool local)
384 {
385 if (local)
386 {
387 return this->my_auth;
388 }
389 return this->other_auth;
390 }
391
392 METHOD(ike_sa_t, add_auth_cfg, void,
393 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
394 {
395 if (local)
396 {
397 this->my_auths->insert_last(this->my_auths, cfg);
398 }
399 else
400 {
401 this->other_auths->insert_last(this->other_auths, cfg);
402 }
403 }
404
405 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
406 private_ike_sa_t *this, bool local)
407 {
408 if (local)
409 {
410 return this->my_auths->create_enumerator(this->my_auths);
411 }
412 return this->other_auths->create_enumerator(this->other_auths);
413 }
414
415 /**
416 * Flush the stored authentication round information
417 */
418 static void flush_auth_cfgs(private_ike_sa_t *this)
419 {
420 auth_cfg_t *cfg;
421
422 while (this->my_auths->remove_last(this->my_auths,
423 (void**)&cfg) == SUCCESS)
424 {
425 cfg->destroy(cfg);
426 }
427 while (this->other_auths->remove_last(this->other_auths,
428 (void**)&cfg) == SUCCESS)
429 {
430 cfg->destroy(cfg);
431 }
432 }
433
434 METHOD(ike_sa_t, get_proposal, proposal_t*,
435 private_ike_sa_t *this)
436 {
437 return this->proposal;
438 }
439
440 METHOD(ike_sa_t, set_proposal, void,
441 private_ike_sa_t *this, proposal_t *proposal)
442 {
443 DESTROY_IF(this->proposal);
444 this->proposal = proposal->clone(proposal);
445 }
446
447 METHOD(ike_sa_t, set_message_id, void,
448 private_ike_sa_t *this, bool initiate, u_int32_t mid)
449 {
450 if (initiate)
451 {
452 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
453 }
454 else
455 {
456 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
457 }
458 }
459
460 METHOD(ike_sa_t, send_keepalive, void,
461 private_ike_sa_t *this)
462 {
463 send_keepalive_job_t *job;
464 time_t last_out, now, diff;
465
466 if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
467 { /* disable keep alives if we are not NATed anymore */
468 return;
469 }
470
471 last_out = get_use_time(this, FALSE);
472 now = time_monotonic(NULL);
473
474 diff = now - last_out;
475
476 if (diff >= this->keepalive_interval)
477 {
478 packet_t *packet;
479 chunk_t data;
480
481 packet = packet_create();
482 packet->set_source(packet, this->my_host->clone(this->my_host));
483 packet->set_destination(packet, this->other_host->clone(this->other_host));
484 data.ptr = malloc(1);
485 data.ptr[0] = 0xFF;
486 data.len = 1;
487 packet->set_data(packet, data);
488 DBG1(DBG_IKE, "sending keep alive");
489 charon->sender->send(charon->sender, packet);
490 diff = 0;
491 }
492 job = send_keepalive_job_create(this->ike_sa_id);
493 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
494 this->keepalive_interval - diff);
495 }
496
497 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
498 private_ike_sa_t *this)
499 {
500 return this->ike_cfg;
501 }
502
503 METHOD(ike_sa_t, set_ike_cfg, void,
504 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
505 {
506 ike_cfg->get_ref(ike_cfg);
507 this->ike_cfg = ike_cfg;
508 }
509
510 METHOD(ike_sa_t, enable_extension, void,
511 private_ike_sa_t *this, ike_extension_t extension)
512 {
513 this->extensions |= extension;
514 }
515
516 METHOD(ike_sa_t, supports_extension, bool,
517 private_ike_sa_t *this, ike_extension_t extension)
518 {
519 return (this->extensions & extension) != FALSE;
520 }
521
522 METHOD(ike_sa_t, has_condition, bool,
523 private_ike_sa_t *this, ike_condition_t condition)
524 {
525 return (this->conditions & condition) != FALSE;
526 }
527
528 METHOD(ike_sa_t, set_condition, void,
529 private_ike_sa_t *this, ike_condition_t condition, bool enable)
530 {
531 if (has_condition(this, condition) != enable)
532 {
533 if (enable)
534 {
535 this->conditions |= condition;
536 switch (condition)
537 {
538 case COND_NAT_HERE:
539 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
540 this->conditions |= COND_NAT_ANY;
541 send_keepalive(this);
542 break;
543 case COND_NAT_THERE:
544 DBG1(DBG_IKE, "remote host is behind NAT");
545 this->conditions |= COND_NAT_ANY;
546 break;
547 case COND_NAT_FAKE:
548 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
549 this->conditions |= COND_NAT_ANY;
550 break;
551 default:
552 break;
553 }
554 }
555 else
556 {
557 this->conditions &= ~condition;
558 switch (condition)
559 {
560 case COND_NAT_HERE:
561 case COND_NAT_FAKE:
562 case COND_NAT_THERE:
563 set_condition(this, COND_NAT_ANY,
564 has_condition(this, COND_NAT_HERE) ||
565 has_condition(this, COND_NAT_THERE) ||
566 has_condition(this, COND_NAT_FAKE));
567 break;
568 default:
569 break;
570 }
571 }
572 }
573 }
574
575 METHOD(ike_sa_t, send_dpd, status_t,
576 private_ike_sa_t *this)
577 {
578 job_t *job;
579 time_t diff, delay;
580
581 delay = this->peer_cfg->get_dpd(this->peer_cfg);
582 if (this->task_manager->busy(this->task_manager))
583 {
584 /* an exchange is in the air, no need to start a DPD check */
585 diff = 0;
586 }
587 else
588 {
589 /* check if there was any inbound traffic */
590 time_t last_in, now;
591 last_in = get_use_time(this, TRUE);
592 now = time_monotonic(NULL);
593 diff = now - last_in;
594 if (!delay || diff >= delay)
595 {
596 /* to long ago, initiate dead peer detection */
597 task_t *task;
598 ike_mobike_t *mobike;
599
600 if (supports_extension(this, EXT_MOBIKE) &&
601 has_condition(this, COND_NAT_HERE))
602 {
603 /* use mobike enabled DPD to detect NAT mapping changes */
604 mobike = ike_mobike_create(&this->public, TRUE);
605 mobike->dpd(mobike);
606 task = &mobike->task;
607 }
608 else
609 {
610 task = (task_t*)ike_dpd_create(TRUE);
611 }
612 diff = 0;
613 DBG1(DBG_IKE, "sending DPD request");
614
615 this->task_manager->queue_task(this->task_manager, task);
616 this->task_manager->initiate(this->task_manager);
617 }
618 }
619 /* recheck in "interval" seconds */
620 if (delay)
621 {
622 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
623 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
624 }
625 return SUCCESS;
626 }
627
628 METHOD(ike_sa_t, get_state, ike_sa_state_t,
629 private_ike_sa_t *this)
630 {
631 return this->state;
632 }
633
634 METHOD(ike_sa_t, set_state, void,
635 private_ike_sa_t *this, ike_sa_state_t state)
636 {
637 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
638 get_name(this), this->unique_id,
639 ike_sa_state_names, this->state,
640 ike_sa_state_names, state);
641
642 switch (state)
643 {
644 case IKE_ESTABLISHED:
645 {
646 if (this->state == IKE_CONNECTING ||
647 this->state == IKE_PASSIVE)
648 {
649 job_t *job;
650 u_int32_t t;
651
652 /* calculate rekey, reauth and lifetime */
653 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
654
655 /* schedule rekeying if we have a time which is smaller than
656 * an already scheduled rekeying */
657 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
658 if (t && (this->stats[STAT_REKEY] == 0 ||
659 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
660 {
661 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
662 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
663 lib->scheduler->schedule_job(lib->scheduler, job, t);
664 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
665 }
666 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
667 if (t && (this->stats[STAT_REAUTH] == 0 ||
668 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
669 {
670 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
671 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
672 lib->scheduler->schedule_job(lib->scheduler, job, t);
673 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
674 }
675 t = this->peer_cfg->get_over_time(this->peer_cfg);
676 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
677 {
678 if (this->stats[STAT_REAUTH] == 0)
679 {
680 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
681 }
682 else if (this->stats[STAT_REKEY] == 0)
683 {
684 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
685 }
686 else
687 {
688 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
689 this->stats[STAT_REAUTH]);
690 }
691 this->stats[STAT_DELETE] += t;
692 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
693 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
694 lib->scheduler->schedule_job(lib->scheduler, job, t);
695 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
696 }
697
698 /* start DPD checks */
699 if (this->peer_cfg->get_dpd(this->peer_cfg))
700 {
701 send_dpd(this);
702 }
703 }
704 break;
705 }
706 case IKE_DELETING:
707 {
708 /* delete may fail if a packet gets lost, so set a timeout */
709 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
710 lib->scheduler->schedule_job(lib->scheduler, job,
711 HALF_OPEN_IKE_SA_TIMEOUT);
712 break;
713 }
714 default:
715 break;
716 }
717 charon->bus->ike_state_change(charon->bus, &this->public, state);
718 this->state = state;
719 }
720
721 METHOD(ike_sa_t, reset, void,
722 private_ike_sa_t *this)
723 {
724 /* the responder ID is reset, as peer may choose another one */
725 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
726 {
727 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
728 }
729
730 set_state(this, IKE_CREATED);
731
732 flush_auth_cfgs(this);
733
734 this->keymat->destroy(this->keymat);
735 this->keymat = keymat_create(this->version,
736 this->ike_sa_id->is_initiator(this->ike_sa_id));
737
738 this->task_manager->reset(this->task_manager, 0, 0);
739 }
740
741 METHOD(ike_sa_t, get_keymat, keymat_t*,
742 private_ike_sa_t *this)
743 {
744 return this->keymat;
745 }
746
747 METHOD(ike_sa_t, set_virtual_ip, void,
748 private_ike_sa_t *this, bool local, host_t *ip)
749 {
750 if (local)
751 {
752 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
753 if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip,
754 this->my_host) == SUCCESS)
755 {
756 if (this->my_virtual_ip)
757 {
758 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
759 hydra->kernel_interface->del_ip(hydra->kernel_interface,
760 this->my_virtual_ip);
761 }
762 DESTROY_IF(this->my_virtual_ip);
763 this->my_virtual_ip = ip->clone(ip);
764 }
765 else
766 {
767 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
768 this->my_virtual_ip = NULL;
769 }
770 }
771 else
772 {
773 DESTROY_IF(this->other_virtual_ip);
774 this->other_virtual_ip = ip->clone(ip);
775 }
776 }
777
778 METHOD(ike_sa_t, get_virtual_ip, host_t*,
779 private_ike_sa_t *this, bool local)
780 {
781 if (local)
782 {
783 return this->my_virtual_ip;
784 }
785 else
786 {
787 return this->other_virtual_ip;
788 }
789 }
790
791 METHOD(ike_sa_t, add_additional_address, void,
792 private_ike_sa_t *this, host_t *host)
793 {
794 this->additional_addresses->insert_last(this->additional_addresses, host);
795 }
796
797 METHOD(ike_sa_t, create_additional_address_enumerator, enumerator_t*,
798 private_ike_sa_t *this)
799 {
800 return this->additional_addresses->create_enumerator(
801 this->additional_addresses);
802 }
803
804 METHOD(ike_sa_t, remove_additional_addresses, void,
805 private_ike_sa_t *this)
806 {
807 enumerator_t *enumerator = create_additional_address_enumerator(this);
808 host_t *host;
809 while (enumerator->enumerate(enumerator, (void**)&host))
810 {
811 this->additional_addresses->remove_at(this->additional_addresses,
812 enumerator);
813 host->destroy(host);
814 }
815 enumerator->destroy(enumerator);
816 }
817
818 METHOD(ike_sa_t, has_mapping_changed, bool,
819 private_ike_sa_t *this, chunk_t hash)
820 {
821 if (this->nat_detection_dest.ptr == NULL)
822 {
823 this->nat_detection_dest = chunk_clone(hash);
824 return FALSE;
825 }
826 if (chunk_equals(hash, this->nat_detection_dest))
827 {
828 return FALSE;
829 }
830 free(this->nat_detection_dest.ptr);
831 this->nat_detection_dest = chunk_clone(hash);
832 return TRUE;
833 }
834
835 METHOD(ike_sa_t, set_pending_updates, void,
836 private_ike_sa_t *this, u_int32_t updates)
837 {
838 this->pending_updates = updates;
839 }
840
841 METHOD(ike_sa_t, get_pending_updates, u_int32_t,
842 private_ike_sa_t *this)
843 {
844 return this->pending_updates;
845 }
846
847 METHOD(ike_sa_t, float_ports, void,
848 private_ike_sa_t *this)
849 {
850 /* do not switch if we have a custom port from MOBIKE/NAT */
851 if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
852 {
853 this->my_host->set_port(this->my_host, IKEV2_NATT_PORT);
854 }
855 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
856 {
857 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
858 }
859 }
860
861 METHOD(ike_sa_t, update_hosts, void,
862 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
863 {
864 bool update = FALSE;
865
866 if (me == NULL)
867 {
868 me = this->my_host;
869 }
870 if (other == NULL)
871 {
872 other = this->other_host;
873 }
874
875 /* apply hosts on first received message */
876 if (this->my_host->is_anyaddr(this->my_host) ||
877 this->other_host->is_anyaddr(this->other_host))
878 {
879 set_my_host(this, me->clone(me));
880 set_other_host(this, other->clone(other));
881 update = TRUE;
882 }
883 else
884 {
885 /* update our address in any case */
886 if (!me->equals(me, this->my_host))
887 {
888 set_my_host(this, me->clone(me));
889 update = TRUE;
890 }
891
892 if (!other->equals(other, this->other_host))
893 {
894 /* update others address if we are NOT NATed */
895 if (force || !has_condition(this, COND_NAT_HERE))
896 {
897 set_other_host(this, other->clone(other));
898 update = TRUE;
899 }
900 }
901 }
902
903 /* update all associated CHILD_SAs, if required */
904 if (update)
905 {
906 enumerator_t *enumerator;
907 child_sa_t *child_sa;
908
909 enumerator = this->child_sas->create_enumerator(this->child_sas);
910 while (enumerator->enumerate(enumerator, (void**)&child_sa))
911 {
912 if (child_sa->update(child_sa, this->my_host,
913 this->other_host, this->my_virtual_ip,
914 has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
915 {
916 this->public.rekey_child_sa(&this->public,
917 child_sa->get_protocol(child_sa),
918 child_sa->get_spi(child_sa, TRUE));
919 }
920 }
921 enumerator->destroy(enumerator);
922 }
923 }
924
925 METHOD(ike_sa_t, generate_message, status_t,
926 private_ike_sa_t *this, message_t *message, packet_t **packet)
927 {
928 if (message->is_encoded(message))
929 { /* already done */
930 *packet = message->get_packet(message);
931 return SUCCESS;
932 }
933 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
934 message->set_ike_sa_id(message, this->ike_sa_id);
935 charon->bus->message(charon->bus, message, FALSE);
936 return message->generate(message, this->keymat, packet);
937 }
938
939 METHOD(ike_sa_t, set_kmaddress, void,
940 private_ike_sa_t *this, host_t *local, host_t *remote)
941 {
942 DESTROY_IF(this->local_host);
943 DESTROY_IF(this->remote_host);
944 this->local_host = local->clone(local);
945 this->remote_host = remote->clone(remote);
946 }
947
948 #ifdef ME
949 METHOD(ike_sa_t, act_as_mediation_server, void,
950 private_ike_sa_t *this)
951 {
952 charon->mediation_manager->update_sa_id(charon->mediation_manager,
953 this->other_id, this->ike_sa_id);
954 this->is_mediation_server = TRUE;
955 }
956
957 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
958 private_ike_sa_t *this)
959 {
960 return this->server_reflexive_host;
961 }
962
963 METHOD(ike_sa_t, set_server_reflexive_host, void,
964 private_ike_sa_t *this, host_t *host)
965 {
966 DESTROY_IF(this->server_reflexive_host);
967 this->server_reflexive_host = host;
968 }
969
970 METHOD(ike_sa_t, get_connect_id, chunk_t,
971 private_ike_sa_t *this)
972 {
973 return this->connect_id;
974 }
975
976 METHOD(ike_sa_t, respond, status_t,
977 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
978 {
979 ike_me_t *task = ike_me_create(&this->public, TRUE);
980 task->respond(task, peer_id, connect_id);
981 this->task_manager->queue_task(this->task_manager, (task_t*)task);
982 return this->task_manager->initiate(this->task_manager);
983 }
984
985 METHOD(ike_sa_t, callback, status_t,
986 private_ike_sa_t *this, identification_t *peer_id)
987 {
988 ike_me_t *task = ike_me_create(&this->public, TRUE);
989 task->callback(task, peer_id);
990 this->task_manager->queue_task(this->task_manager, (task_t*)task);
991 return this->task_manager->initiate(this->task_manager);
992 }
993
994 METHOD(ike_sa_t, relay, status_t,
995 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
996 chunk_t connect_key, linked_list_t *endpoints, bool response)
997 {
998 ike_me_t *task = ike_me_create(&this->public, TRUE);
999 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1000 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1001 return this->task_manager->initiate(this->task_manager);
1002 }
1003
1004 METHOD(ike_sa_t, initiate_mediation, status_t,
1005 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1006 {
1007 ike_me_t *task = ike_me_create(&this->public, TRUE);
1008 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1009 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1010 return this->task_manager->initiate(this->task_manager);
1011 }
1012
1013 METHOD(ike_sa_t, initiate_mediated, status_t,
1014 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1015 {
1016 set_my_host(this, me->clone(me));
1017 set_other_host(this, other->clone(other));
1018 chunk_free(&this->connect_id);
1019 this->connect_id = chunk_clone(connect_id);
1020 return this->task_manager->initiate(this->task_manager);
1021 }
1022 #endif /* ME */
1023
1024 METHOD(ike_sa_t, initiate_xauth, status_t,
1025 private_ike_sa_t *this, bool initiate)
1026 {
1027 xauth_request_t *task = xauth_request_create(&this->public, TRUE);
1028 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1029 if(initiate)
1030 {
1031 return this->task_manager->initiate(this->task_manager);
1032 }
1033 return SUCCESS;
1034 }
1035
1036 /**
1037 * Resolve DNS host in configuration
1038 */
1039 static void resolve_hosts(private_ike_sa_t *this)
1040 {
1041 host_t *host;
1042
1043 if (this->remote_host)
1044 {
1045 host = this->remote_host->clone(this->remote_host);
1046 host->set_port(host, IKEV2_UDP_PORT);
1047 }
1048 else
1049 {
1050 host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
1051 0, this->ike_cfg->get_other_port(this->ike_cfg));
1052 }
1053 if (host)
1054 {
1055 set_other_host(this, host);
1056 }
1057
1058 if (this->local_host)
1059 {
1060 host = this->local_host->clone(this->local_host);
1061 host->set_port(host, IKEV2_UDP_PORT);
1062 }
1063 else
1064 {
1065 int family = 0;
1066
1067 /* use same address family as for other */
1068 if (!this->other_host->is_anyaddr(this->other_host))
1069 {
1070 family = this->other_host->get_family(this->other_host);
1071 }
1072 host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
1073 family, this->ike_cfg->get_my_port(this->ike_cfg));
1074
1075 if (host && host->is_anyaddr(host) &&
1076 !this->other_host->is_anyaddr(this->other_host))
1077 {
1078 host->destroy(host);
1079 host = hydra->kernel_interface->get_source_addr(
1080 hydra->kernel_interface, this->other_host, NULL);
1081 if (host)
1082 {
1083 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1084 }
1085 else
1086 { /* fallback to address family specific %any(6), if configured */
1087 host = host_create_from_dns(
1088 this->ike_cfg->get_my_addr(this->ike_cfg),
1089 0, this->ike_cfg->get_my_port(this->ike_cfg));
1090 }
1091 }
1092 }
1093 if (host)
1094 {
1095 set_my_host(this, host);
1096 }
1097 }
1098
1099 METHOD(ike_sa_t, initiate, status_t,
1100 private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
1101 traffic_selector_t *tsi, traffic_selector_t *tsr)
1102 {
1103 task_t *task;
1104
1105 if (this->state == IKE_CREATED)
1106 {
1107 resolve_hosts(this);
1108
1109 if (this->other_host->is_anyaddr(this->other_host)
1110 #ifdef ME
1111 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1112 #endif /* ME */
1113 )
1114 {
1115 child_cfg->destroy(child_cfg);
1116 DBG1(DBG_IKE, "unable to initiate to %%any");
1117 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1118 return DESTROY_ME;
1119 }
1120
1121 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1122
1123 if (this->version == IKEV1)
1124 {
1125 task = (task_t*)ike_vendor_v1_create(&this->public, TRUE);
1126 this->task_manager->queue_task(this->task_manager, task);
1127 task = (task_t*)ike_cert_pre_v1_create(&this->public, TRUE);
1128 this->task_manager->queue_task(this->task_manager, task);
1129 task = (task_t*)main_mode_create(&this->public, TRUE);
1130 this->task_manager->queue_task(this->task_manager, task);
1131 task = (task_t*)ike_cert_post_v1_create(&this->public, TRUE);
1132 this->task_manager->queue_task(this->task_manager, task);
1133 task = (task_t*)ike_natd_v1_create(&this->public, TRUE);
1134 this->task_manager->queue_task(this->task_manager, task);
1135 }
1136 else
1137 {
1138 task = (task_t*)ike_vendor_create(&this->public, TRUE);
1139 this->task_manager->queue_task(this->task_manager, task);
1140 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1141 this->task_manager->queue_task(this->task_manager, task);
1142 task = (task_t*)ike_natd_create(&this->public, TRUE);
1143 this->task_manager->queue_task(this->task_manager, task);
1144 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1145 this->task_manager->queue_task(this->task_manager, task);
1146 task = (task_t*)ike_auth_create(&this->public, TRUE);
1147 this->task_manager->queue_task(this->task_manager, task);
1148 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1149 this->task_manager->queue_task(this->task_manager, task);
1150 task = (task_t*)ike_config_create(&this->public, TRUE);
1151 this->task_manager->queue_task(this->task_manager, task);
1152 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1153 this->task_manager->queue_task(this->task_manager, task);
1154 if (this->peer_cfg->use_mobike(this->peer_cfg))
1155 {
1156 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1157 this->task_manager->queue_task(this->task_manager, task);
1158 }
1159 #ifdef ME
1160 task = (task_t*)ike_me_create(&this->public, TRUE);
1161 this->task_manager->queue_task(this->task_manager, task);
1162 #endif /* ME */
1163 }
1164 }
1165
1166 #ifdef ME
1167 if (this->peer_cfg->is_mediation(this->peer_cfg))
1168 {
1169 if (this->state == IKE_ESTABLISHED)
1170 {
1171 /* mediation connection is already established, retrigger state
1172 * change to notify bus listeners */
1173 DBG1(DBG_IKE, "mediation connection is already up");
1174 set_state(this, IKE_ESTABLISHED);
1175 }
1176 DESTROY_IF(child_cfg);
1177 }
1178 else
1179 #endif /* ME */
1180 {
1181 /* normal IKE_SA with CHILD_SA */
1182 if (this->version == IKEV2)
1183 {
1184 task = (task_t*)child_create_create(&this->public, child_cfg, FALSE,
1185 tsi, tsr);
1186 if (reqid)
1187 {
1188 child_create_t *child_create = (child_create_t*)task;
1189 child_create->use_reqid(child_create, reqid);
1190 }
1191 }
1192 else
1193 {
1194 task = (task_t*)quick_mode_create(&this->public, child_cfg,
1195 tsi, tsr);
1196 }
1197 this->task_manager->queue_task(this->task_manager, task);
1198
1199 #ifdef ME
1200 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1201 {
1202 /* mediated connection, initiate mediation process */
1203 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1204 lib->processor->queue_job(lib->processor, job);
1205 return SUCCESS;
1206 }
1207 #endif /* ME */
1208 }
1209
1210 return this->task_manager->initiate(this->task_manager);
1211 }
1212
1213 METHOD(ike_sa_t, process_message, status_t,
1214 private_ike_sa_t *this, message_t *message)
1215 {
1216 status_t status;
1217 if (this->state == IKE_PASSIVE)
1218 { /* do not handle messages in passive state */
1219 return FAILED;
1220 }
1221 status = this->task_manager->process_message(this->task_manager, message);
1222 if (message->get_exchange_type(message) == IKE_AUTH &&
1223 this->state == IKE_ESTABLISHED &&
1224 lib->settings->get_bool(lib->settings,
1225 "charon.flush_auth_cfg", FALSE))
1226 { /* authentication completed */
1227 flush_auth_cfgs(this);
1228 }
1229 return status;
1230 }
1231
1232 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1233 private_ike_sa_t *this)
1234 {
1235 return this->ike_sa_id;
1236 }
1237
1238 METHOD(ike_sa_t, get_version, ike_version_t,
1239 private_ike_sa_t *this)
1240 {
1241 return this->version;
1242 }
1243
1244 METHOD(ike_sa_t, get_my_id, identification_t*,
1245 private_ike_sa_t *this)
1246 {
1247 return this->my_id;
1248 }
1249
1250 METHOD(ike_sa_t, set_my_id, void,
1251 private_ike_sa_t *this, identification_t *me)
1252 {
1253 DESTROY_IF(this->my_id);
1254 this->my_id = me;
1255 }
1256
1257 METHOD(ike_sa_t, get_other_id, identification_t*,
1258 private_ike_sa_t *this)
1259 {
1260 return this->other_id;
1261 }
1262
1263 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1264 private_ike_sa_t *this)
1265 {
1266 identification_t *id = NULL, *current;
1267 enumerator_t *enumerator;
1268 auth_cfg_t *cfg;
1269
1270 enumerator = this->other_auths->create_enumerator(this->other_auths);
1271 while (enumerator->enumerate(enumerator, &cfg))
1272 {
1273 /* prefer EAP-Identity of last round */
1274 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1275 if (!current || current->get_type(current) == ID_ANY)
1276 {
1277 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1278 }
1279 if (current && current->get_type(current) != ID_ANY)
1280 {
1281 id = current;
1282 continue;
1283 }
1284 }
1285 enumerator->destroy(enumerator);
1286 if (id)
1287 {
1288 return id;
1289 }
1290 return this->other_id;
1291 }
1292
1293 METHOD(ike_sa_t, set_other_id, void,
1294 private_ike_sa_t *this, identification_t *other)
1295 {
1296 DESTROY_IF(this->other_id);
1297 this->other_id = other;
1298 }
1299
1300 METHOD(ike_sa_t, add_child_sa, void,
1301 private_ike_sa_t *this, child_sa_t *child_sa)
1302 {
1303 this->child_sas->insert_last(this->child_sas, child_sa);
1304 }
1305
1306 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1307 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound)
1308 {
1309 enumerator_t *enumerator;
1310 child_sa_t *current, *found = NULL;
1311
1312 enumerator = this->child_sas->create_enumerator(this->child_sas);
1313 while (enumerator->enumerate(enumerator, (void**)&current))
1314 {
1315 if (current->get_spi(current, inbound) == spi &&
1316 current->get_protocol(current) == protocol)
1317 {
1318 found = current;
1319 }
1320 }
1321 enumerator->destroy(enumerator);
1322 return found;
1323 }
1324
1325 METHOD(ike_sa_t, get_child_count, int,
1326 private_ike_sa_t *this)
1327 {
1328 return this->child_sas->get_count(this->child_sas);
1329 }
1330
1331 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1332 private_ike_sa_t *this)
1333 {
1334 return this->child_sas->create_enumerator(this->child_sas);
1335 }
1336
1337 METHOD(ike_sa_t, remove_child_sa, void,
1338 private_ike_sa_t *this, enumerator_t *enumerator)
1339 {
1340 this->child_sas->remove_at(this->child_sas, enumerator);
1341 }
1342
1343 METHOD(ike_sa_t, rekey_child_sa, status_t,
1344 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1345 {
1346 child_rekey_t *child_rekey;
1347
1348 child_rekey = child_rekey_create(&this->public, protocol, spi);
1349 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1350 return this->task_manager->initiate(this->task_manager);
1351 }
1352
1353 METHOD(ike_sa_t, delete_child_sa, status_t,
1354 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1355 {
1356 child_delete_t *child_delete;
1357
1358 child_delete = child_delete_create(&this->public, protocol, spi);
1359 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1360 return this->task_manager->initiate(this->task_manager);
1361 }
1362
1363 METHOD(ike_sa_t, destroy_child_sa, status_t,
1364 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1365 {
1366 enumerator_t *enumerator;
1367 child_sa_t *child_sa;
1368 status_t status = NOT_FOUND;
1369
1370 enumerator = this->child_sas->create_enumerator(this->child_sas);
1371 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1372 {
1373 if (child_sa->get_protocol(child_sa) == protocol &&
1374 child_sa->get_spi(child_sa, TRUE) == spi)
1375 {
1376 this->child_sas->remove_at(this->child_sas, enumerator);
1377 child_sa->destroy(child_sa);
1378 status = SUCCESS;
1379 break;
1380 }
1381 }
1382 enumerator->destroy(enumerator);
1383 return status;
1384 }
1385
1386 METHOD(ike_sa_t, delete_, status_t,
1387 private_ike_sa_t *this)
1388 {
1389 ike_delete_t *ike_delete;
1390
1391 switch (this->state)
1392 {
1393 case IKE_ESTABLISHED:
1394 case IKE_REKEYING:
1395 ike_delete = ike_delete_create(&this->public, TRUE);
1396 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1397 return this->task_manager->initiate(this->task_manager);
1398 case IKE_CREATED:
1399 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1400 break;
1401 case IKE_PASSIVE:
1402 break;
1403 default:
1404 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1405 "without notification", ike_sa_state_names, this->state);
1406 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1407 break;
1408 }
1409 return DESTROY_ME;
1410 }
1411
1412 METHOD(ike_sa_t, rekey, status_t,
1413 private_ike_sa_t *this)
1414 {
1415 ike_rekey_t *ike_rekey;
1416
1417 ike_rekey = ike_rekey_create(&this->public, TRUE);
1418
1419 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1420 return this->task_manager->initiate(this->task_manager);
1421 }
1422
1423 METHOD(ike_sa_t, reauth, status_t,
1424 private_ike_sa_t *this)
1425 {
1426 task_t *task;
1427
1428 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1429 * If the peer does not support RFC4478, there is no way to keep the
1430 * IKE_SA up. */
1431 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1432 {
1433 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1434 if (this->other_virtual_ip != NULL ||
1435 has_condition(this, COND_EAP_AUTHENTICATED)
1436 #ifdef ME
1437 /* as mediation server we too cannot reauth the IKE_SA */
1438 || this->is_mediation_server
1439 #endif /* ME */
1440 )
1441 {
1442 time_t now = time_monotonic(NULL);
1443
1444 DBG1(DBG_IKE, "IKE_SA will timeout in %V",
1445 &now, &this->stats[STAT_DELETE]);
1446 return FAILED;
1447 }
1448 else
1449 {
1450 DBG1(DBG_IKE, "reauthenticating actively");
1451 }
1452 }
1453 task = (task_t*)ike_reauth_create(&this->public);
1454 this->task_manager->queue_task(this->task_manager, task);
1455
1456 return this->task_manager->initiate(this->task_manager);
1457 }
1458
1459 METHOD(ike_sa_t, reestablish, status_t,
1460 private_ike_sa_t *this)
1461 {
1462 ike_sa_t *new;
1463 host_t *host;
1464 action_t action;
1465 enumerator_t *enumerator;
1466 child_sa_t *child_sa;
1467 child_cfg_t *child_cfg;
1468 bool restart = FALSE;
1469 status_t status = FAILED;
1470
1471 /* check if we have children to keep up at all */
1472 enumerator = this->child_sas->create_enumerator(this->child_sas);
1473 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1474 {
1475 if (this->state == IKE_DELETING)
1476 {
1477 action = child_sa->get_close_action(child_sa);
1478 }
1479 else
1480 {
1481 action = child_sa->get_dpd_action(child_sa);
1482 }
1483 switch (action)
1484 {
1485 case ACTION_RESTART:
1486 restart = TRUE;
1487 break;
1488 case ACTION_ROUTE:
1489 charon->traps->install(charon->traps, this->peer_cfg,
1490 child_sa->get_config(child_sa));
1491 break;
1492 default:
1493 break;
1494 }
1495 }
1496 enumerator->destroy(enumerator);
1497 #ifdef ME
1498 /* mediation connections have no children, keep them up anyway */
1499 if (this->peer_cfg->is_mediation(this->peer_cfg))
1500 {
1501 restart = TRUE;
1502 }
1503 #endif /* ME */
1504 if (!restart)
1505 {
1506 return FAILED;
1507 }
1508
1509 /* check if we are able to reestablish this IKE_SA */
1510 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1511 (this->other_virtual_ip != NULL ||
1512 has_condition(this, COND_EAP_AUTHENTICATED)
1513 #ifdef ME
1514 || this->is_mediation_server
1515 #endif /* ME */
1516 ))
1517 {
1518 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
1519 return FAILED;
1520 }
1521
1522 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1523 this->version, TRUE);
1524 new->set_peer_cfg(new, this->peer_cfg);
1525 host = this->other_host;
1526 new->set_other_host(new, host->clone(host));
1527 host = this->my_host;
1528 new->set_my_host(new, host->clone(host));
1529 /* if we already have a virtual IP, we reuse it */
1530 host = this->my_virtual_ip;
1531 if (host)
1532 {
1533 new->set_virtual_ip(new, TRUE, host);
1534 }
1535
1536 #ifdef ME
1537 if (this->peer_cfg->is_mediation(this->peer_cfg))
1538 {
1539 status = new->initiate(new, NULL, 0, NULL, NULL);
1540 }
1541 else
1542 #endif /* ME */
1543 {
1544 enumerator = this->child_sas->create_enumerator(this->child_sas);
1545 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1546 {
1547 if (this->state == IKE_DELETING)
1548 {
1549 action = child_sa->get_close_action(child_sa);
1550 }
1551 else
1552 {
1553 action = child_sa->get_dpd_action(child_sa);
1554 }
1555 switch (action)
1556 {
1557 case ACTION_RESTART:
1558 child_cfg = child_sa->get_config(child_sa);
1559 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1560 child_cfg->get_name(child_cfg));
1561 child_cfg->get_ref(child_cfg);
1562 status = new->initiate(new, child_cfg, 0, NULL, NULL);
1563 break;
1564 default:
1565 continue;
1566 }
1567 if (status == DESTROY_ME)
1568 {
1569 break;
1570 }
1571 }
1572 enumerator->destroy(enumerator);
1573 }
1574
1575 if (status == DESTROY_ME)
1576 {
1577 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1578 status = FAILED;
1579 }
1580 else
1581 {
1582 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1583 status = SUCCESS;
1584 }
1585 charon->bus->set_sa(charon->bus, &this->public);
1586 return status;
1587 }
1588
1589 /**
1590 * Requeue the IKE_SA_INIT tasks for initiation, if required
1591 */
1592 static void requeue_init_tasks(private_ike_sa_t *this)
1593 {
1594 enumerator_t *enumerator;
1595 bool has_init = FALSE;
1596 task_t *task;
1597
1598 /* if we have advanced to IKE_AUTH, the IKE_INIT and related tasks
1599 * have already completed. Recreate them if necessary. */
1600 enumerator = this->task_manager->create_task_enumerator(
1601 this->task_manager, TASK_QUEUE_QUEUED);
1602 while (enumerator->enumerate(enumerator, &task))
1603 {
1604 if (task->get_type(task) == TASK_IKE_INIT)
1605 {
1606 has_init = TRUE;
1607 break;
1608 }
1609 }
1610 enumerator->destroy(enumerator);
1611
1612 if (!has_init)
1613 {
1614 task = (task_t*)ike_vendor_create(&this->public, TRUE);
1615 this->task_manager->queue_task(this->task_manager, task);
1616 task = (task_t*)ike_natd_create(&this->public, TRUE);
1617 this->task_manager->queue_task(this->task_manager, task);
1618 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1619 this->task_manager->queue_task(this->task_manager, task);
1620 }
1621 }
1622
1623 METHOD(ike_sa_t, retransmit, status_t,
1624 private_ike_sa_t *this, u_int32_t message_id)
1625 {
1626 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1627 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1628 {
1629 /* send a proper signal to brief interested bus listeners */
1630 switch (this->state)
1631 {
1632 case IKE_CONNECTING:
1633 {
1634 /* retry IKE_SA_INIT if we have multiple keyingtries */
1635 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1636 this->keyingtry++;
1637 if (tries == 0 || tries > this->keyingtry)
1638 {
1639 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1640 this->keyingtry + 1, tries);
1641 reset(this);
1642 requeue_init_tasks(this);
1643 return this->task_manager->initiate(this->task_manager);
1644 }
1645 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1646 break;
1647 }
1648 case IKE_DELETING:
1649 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1650 break;
1651 case IKE_REKEYING:
1652 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1653 /* FALL */
1654 default:
1655 reestablish(this);
1656 break;
1657 }
1658 return DESTROY_ME;
1659 }
1660 return SUCCESS;
1661 }
1662
1663 METHOD(ike_sa_t, set_auth_lifetime, void,
1664 private_ike_sa_t *this, u_int32_t lifetime)
1665 {
1666 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1667 u_int32_t reauth_time = time_monotonic(NULL) + lifetime - reduction;
1668
1669 if (lifetime < reduction)
1670 {
1671 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1672 lifetime);
1673 lib->processor->queue_job(lib->processor,
1674 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
1675 }
1676 else if (this->stats[STAT_REAUTH] == 0 ||
1677 this->stats[STAT_REAUTH] > reauth_time)
1678 {
1679 this->stats[STAT_REAUTH] = reauth_time;
1680 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1681 " in %ds", lifetime, lifetime - reduction);
1682 lib->scheduler->schedule_job(lib->scheduler,
1683 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
1684 lifetime - reduction);
1685 }
1686 else
1687 {
1688 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
1689 "reauthentication already scheduled in %ds", lifetime,
1690 this->stats[STAT_REAUTH] - time_monotonic(NULL));
1691 }
1692 }
1693
1694 /**
1695 * Check if the current combination of source and destination address is still
1696 * valid.
1697 */
1698 static bool is_current_path_valid(private_ike_sa_t *this)
1699 {
1700 bool valid = FALSE;
1701 host_t *src;
1702 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
1703 this->other_host, this->my_host);
1704 if (src)
1705 {
1706 if (src->ip_equals(src, this->my_host))
1707 {
1708 valid = TRUE;
1709 }
1710 src->destroy(src);
1711 }
1712 return valid;
1713 }
1714
1715 /**
1716 * Check if we have any path avialable for this IKE SA.
1717 */
1718 static bool is_any_path_valid(private_ike_sa_t *this)
1719 {
1720 bool valid = FALSE;
1721 enumerator_t *enumerator;
1722 host_t *src, *addr;
1723 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
1724 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
1725 this->other_host, NULL);
1726 if (!src)
1727 {
1728 enumerator = this->additional_addresses->create_enumerator(
1729 this->additional_addresses);
1730 while (enumerator->enumerate(enumerator, &addr))
1731 {
1732 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
1733 src = hydra->kernel_interface->get_source_addr(
1734 hydra->kernel_interface, addr, NULL);
1735 if (src)
1736 {
1737 break;
1738 }
1739 }
1740 enumerator->destroy(enumerator);
1741 }
1742 if (src)
1743 {
1744 valid = TRUE;
1745 src->destroy(src);
1746 }
1747 return valid;
1748 }
1749
1750 METHOD(ike_sa_t, roam, status_t,
1751 private_ike_sa_t *this, bool address)
1752 {
1753 ike_mobike_t *mobike;
1754
1755 switch (this->state)
1756 {
1757 case IKE_CREATED:
1758 case IKE_DELETING:
1759 case IKE_DESTROYING:
1760 case IKE_PASSIVE:
1761 return SUCCESS;
1762 default:
1763 break;
1764 }
1765
1766 /* keep existing path if possible */
1767 if (is_current_path_valid(this))
1768 {
1769 DBG2(DBG_IKE, "keeping connection path %H - %H",
1770 this->my_host, this->other_host);
1771 set_condition(this, COND_STALE, FALSE);
1772
1773 if (supports_extension(this, EXT_MOBIKE) && address)
1774 { /* if any addresses changed, send an updated list */
1775 DBG1(DBG_IKE, "sending address list update using MOBIKE");
1776 mobike = ike_mobike_create(&this->public, TRUE);
1777 mobike->addresses(mobike);
1778 this->task_manager->queue_task(this->task_manager,
1779 (task_t*)mobike);
1780 return this->task_manager->initiate(this->task_manager);
1781 }
1782 return SUCCESS;
1783 }
1784
1785 if (!is_any_path_valid(this))
1786 {
1787 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
1788 this->other_host);
1789 set_condition(this, COND_STALE, TRUE);
1790 return SUCCESS;
1791 }
1792 set_condition(this, COND_STALE, FALSE);
1793
1794 /* update addresses with mobike, if supported ... */
1795 if (supports_extension(this, EXT_MOBIKE))
1796 {
1797 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1798 { /* responder updates the peer about changed address config */
1799 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
1800 "implicitly requesting an address change");
1801 address = TRUE;
1802 }
1803 else
1804 {
1805 DBG1(DBG_IKE, "requesting address change using MOBIKE");
1806 }
1807 mobike = ike_mobike_create(&this->public, TRUE);
1808 mobike->roam(mobike, address);
1809 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
1810 return this->task_manager->initiate(this->task_manager);
1811 }
1812
1813 /* ... reauth if not */
1814 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1815 { /* responder does not reauthenticate */
1816 set_condition(this, COND_STALE, TRUE);
1817 return SUCCESS;
1818 }
1819 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
1820 return reauth(this);
1821 }
1822
1823 METHOD(ike_sa_t, add_configuration_attribute, void,
1824 private_ike_sa_t *this, attribute_handler_t *handler,
1825 configuration_attribute_type_t type, chunk_t data)
1826 {
1827 attribute_entry_t *entry = malloc_thing(attribute_entry_t);
1828
1829 entry->handler = handler;
1830 entry->type = type;
1831 entry->data = chunk_clone(data);
1832
1833 this->attributes->insert_last(this->attributes, entry);
1834 }
1835
1836 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
1837 private_ike_sa_t *this, task_queue_t queue)
1838 {
1839 return this->task_manager->create_task_enumerator(this->task_manager, queue);
1840 }
1841
1842 METHOD(ike_sa_t, inherit, void,
1843 private_ike_sa_t *this, ike_sa_t *other_public)
1844 {
1845 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
1846 child_sa_t *child_sa;
1847 attribute_entry_t *entry;
1848 enumerator_t *enumerator;
1849 auth_cfg_t *cfg;
1850
1851 /* apply hosts and ids */
1852 this->my_host->destroy(this->my_host);
1853 this->other_host->destroy(this->other_host);
1854 this->my_id->destroy(this->my_id);
1855 this->other_id->destroy(this->other_id);
1856 this->my_host = other->my_host->clone(other->my_host);
1857 this->other_host = other->other_host->clone(other->other_host);
1858 this->my_id = other->my_id->clone(other->my_id);
1859 this->other_id = other->other_id->clone(other->other_id);
1860
1861 /* apply virtual assigned IPs... */
1862 if (other->my_virtual_ip)
1863 {
1864 this->my_virtual_ip = other->my_virtual_ip;
1865 other->my_virtual_ip = NULL;
1866 }
1867 if (other->other_virtual_ip)
1868 {
1869 this->other_virtual_ip = other->other_virtual_ip;
1870 other->other_virtual_ip = NULL;
1871 }
1872
1873 /* authentication information */
1874 enumerator = other->my_auths->create_enumerator(other->my_auths);
1875 while (enumerator->enumerate(enumerator, &cfg))
1876 {
1877 this->my_auths->insert_last(this->my_auths, cfg->clone(cfg));
1878 }
1879 enumerator->destroy(enumerator);
1880 enumerator = other->other_auths->create_enumerator(other->other_auths);
1881 while (enumerator->enumerate(enumerator, &cfg))
1882 {
1883 this->other_auths->insert_last(this->other_auths, cfg->clone(cfg));
1884 }
1885 enumerator->destroy(enumerator);
1886
1887 /* ... and configuration attributes */
1888 while (other->attributes->remove_last(other->attributes,
1889 (void**)&entry) == SUCCESS)
1890 {
1891 this->attributes->insert_first(this->attributes, entry);
1892 }
1893
1894 /* inherit all conditions */
1895 this->conditions = other->conditions;
1896 if (this->conditions & COND_NAT_HERE)
1897 {
1898 send_keepalive(this);
1899 }
1900
1901 #ifdef ME
1902 if (other->is_mediation_server)
1903 {
1904 act_as_mediation_server(this);
1905 }
1906 else if (other->server_reflexive_host)
1907 {
1908 this->server_reflexive_host = other->server_reflexive_host->clone(
1909 other->server_reflexive_host);
1910 }
1911 #endif /* ME */
1912
1913 /* adopt all children */
1914 while (other->child_sas->remove_last(other->child_sas,
1915 (void**)&child_sa) == SUCCESS)
1916 {
1917 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
1918 }
1919
1920 /* move pending tasks to the new IKE_SA */
1921 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
1922
1923 /* reauthentication timeout survives a rekeying */
1924 if (other->stats[STAT_REAUTH])
1925 {
1926 time_t reauth, delete, now = time_monotonic(NULL);
1927
1928 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
1929 reauth = this->stats[STAT_REAUTH] - now;
1930 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
1931 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
1932 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
1933 "lifetime reduced to %ds", reauth, delete);
1934 lib->scheduler->schedule_job(lib->scheduler,
1935 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
1936 lib->scheduler->schedule_job(lib->scheduler,
1937 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
1938 }
1939 }
1940
1941 METHOD(ike_sa_t, destroy, void,
1942 private_ike_sa_t *this)
1943 {
1944 attribute_entry_t *entry;
1945
1946 charon->bus->set_sa(charon->bus, &this->public);
1947
1948 set_state(this, IKE_DESTROYING);
1949 this->task_manager->destroy(this->task_manager);
1950
1951 /* remove attributes first, as we pass the IKE_SA to the handler */
1952 while (this->attributes->remove_last(this->attributes,
1953 (void**)&entry) == SUCCESS)
1954 {
1955 hydra->attributes->release(hydra->attributes, entry->handler,
1956 this->other_id, entry->type, entry->data);
1957 free(entry->data.ptr);
1958 free(entry);
1959 }
1960 this->attributes->destroy(this->attributes);
1961
1962 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
1963
1964 /* unset SA after here to avoid usage by the listeners */
1965 charon->bus->set_sa(charon->bus, NULL);
1966
1967 this->keymat->destroy(this->keymat);
1968
1969 if (this->my_virtual_ip)
1970 {
1971 hydra->kernel_interface->del_ip(hydra->kernel_interface,
1972 this->my_virtual_ip);
1973 this->my_virtual_ip->destroy(this->my_virtual_ip);
1974 }
1975 if (this->other_virtual_ip)
1976 {
1977 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
1978 {
1979 hydra->attributes->release_address(hydra->attributes,
1980 this->peer_cfg->get_pool(this->peer_cfg),
1981 this->other_virtual_ip, get_other_eap_id(this));
1982 }
1983 this->other_virtual_ip->destroy(this->other_virtual_ip);
1984 }
1985 this->additional_addresses->destroy_offset(this->additional_addresses,
1986 offsetof(host_t, destroy));
1987 #ifdef ME
1988 if (this->is_mediation_server)
1989 {
1990 charon->mediation_manager->remove(charon->mediation_manager,
1991 this->ike_sa_id);
1992 }
1993 DESTROY_IF(this->server_reflexive_host);
1994 chunk_free(&this->connect_id);
1995 #endif /* ME */
1996 free(this->nat_detection_dest.ptr);
1997
1998 DESTROY_IF(this->my_host);
1999 DESTROY_IF(this->other_host);
2000 DESTROY_IF(this->my_id);
2001 DESTROY_IF(this->other_id);
2002 DESTROY_IF(this->local_host);
2003 DESTROY_IF(this->remote_host);
2004
2005 DESTROY_IF(this->ike_cfg);
2006 DESTROY_IF(this->peer_cfg);
2007 DESTROY_IF(this->proposal);
2008 this->my_auth->destroy(this->my_auth);
2009 this->other_auth->destroy(this->other_auth);
2010 this->my_auths->destroy_offset(this->my_auths,
2011 offsetof(auth_cfg_t, destroy));
2012 this->other_auths->destroy_offset(this->other_auths,
2013 offsetof(auth_cfg_t, destroy));
2014
2015 this->ike_sa_id->destroy(this->ike_sa_id);
2016 free(this);
2017 }
2018
2019 /*
2020 * Described in header.
2021 */
2022 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
2023 ike_version_t version)
2024 {
2025 private_ike_sa_t *this;
2026 static u_int32_t unique_id = 0;
2027
2028 INIT(this,
2029 .public = {
2030 .get_version = _get_version,
2031 .get_state = _get_state,
2032 .set_state = _set_state,
2033 .get_name = _get_name,
2034 .get_statistic = _get_statistic,
2035 .set_statistic = _set_statistic,
2036 .process_message = _process_message,
2037 .initiate = _initiate,
2038 .get_ike_cfg = _get_ike_cfg,
2039 .set_ike_cfg = _set_ike_cfg,
2040 .get_peer_cfg = _get_peer_cfg,
2041 .set_peer_cfg = _set_peer_cfg,
2042 .get_auth_cfg = _get_auth_cfg,
2043 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
2044 .add_auth_cfg = _add_auth_cfg,
2045 .get_proposal = _get_proposal,
2046 .set_proposal = _set_proposal,
2047 .get_id = _get_id,
2048 .get_my_host = _get_my_host,
2049 .set_my_host = _set_my_host,
2050 .get_other_host = _get_other_host,
2051 .set_other_host = _set_other_host,
2052 .set_message_id = _set_message_id,
2053 .float_ports = _float_ports,
2054 .update_hosts = _update_hosts,
2055 .get_my_id = _get_my_id,
2056 .set_my_id = _set_my_id,
2057 .get_other_id = _get_other_id,
2058 .set_other_id = _set_other_id,
2059 .get_other_eap_id = _get_other_eap_id,
2060 .enable_extension = _enable_extension,
2061 .supports_extension = _supports_extension,
2062 .set_condition = _set_condition,
2063 .has_condition = _has_condition,
2064 .set_pending_updates = _set_pending_updates,
2065 .get_pending_updates = _get_pending_updates,
2066 .create_additional_address_enumerator = _create_additional_address_enumerator,
2067 .add_additional_address = _add_additional_address,
2068 .remove_additional_addresses = _remove_additional_addresses,
2069 .has_mapping_changed = _has_mapping_changed,
2070 .retransmit = _retransmit,
2071 .delete = _delete_,
2072 .destroy = _destroy,
2073 .send_dpd = _send_dpd,
2074 .send_keepalive = _send_keepalive,
2075 .get_keymat = _get_keymat,
2076 .add_child_sa = _add_child_sa,
2077 .get_child_sa = _get_child_sa,
2078 .get_child_count = _get_child_count,
2079 .create_child_sa_enumerator = _create_child_sa_enumerator,
2080 .remove_child_sa = _remove_child_sa,
2081 .rekey_child_sa = _rekey_child_sa,
2082 .delete_child_sa = _delete_child_sa,
2083 .destroy_child_sa = _destroy_child_sa,
2084 .rekey = _rekey,
2085 .reauth = _reauth,
2086 .reestablish = _reestablish,
2087 .set_auth_lifetime = _set_auth_lifetime,
2088 .roam = _roam,
2089 .inherit = _inherit,
2090 .generate_message = _generate_message,
2091 .reset = _reset,
2092 .get_unique_id = _get_unique_id,
2093 .set_virtual_ip = _set_virtual_ip,
2094 .get_virtual_ip = _get_virtual_ip,
2095 .add_configuration_attribute = _add_configuration_attribute,
2096 .set_kmaddress = _set_kmaddress,
2097 .create_task_enumerator = _create_task_enumerator,
2098 #ifdef ME
2099 .act_as_mediation_server = _act_as_mediation_server,
2100 .get_server_reflexive_host = _get_server_reflexive_host,
2101 .set_server_reflexive_host = _set_server_reflexive_host,
2102 .get_connect_id = _get_connect_id,
2103 .initiate_mediation = _initiate_mediation,
2104 .initiate_mediated = _initiate_mediated,
2105 .relay = _relay,
2106 .callback = _callback,
2107 .respond = _respond,
2108 #endif /* ME */
2109 .initiate_xauth = _initiate_xauth,
2110 },
2111 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
2112 .version = version,
2113 .child_sas = linked_list_create(),
2114 .my_host = host_create_any(AF_INET),
2115 .other_host = host_create_any(AF_INET),
2116 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2117 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2118 .keymat = keymat_create(version, initiator),
2119 .state = IKE_CREATED,
2120 .stats[STAT_INBOUND] = time_monotonic(NULL),
2121 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
2122 .my_auth = auth_cfg_create(),
2123 .other_auth = auth_cfg_create(),
2124 .my_auths = linked_list_create(),
2125 .other_auths = linked_list_create(),
2126 .unique_id = ++unique_id,
2127 .additional_addresses = linked_list_create(),
2128 .attributes = linked_list_create(),
2129 .keepalive_interval = lib->settings->get_time(lib->settings,
2130 "charon.keep_alive", KEEPALIVE_INTERVAL),
2131 );
2132
2133 this->task_manager = task_manager_create(&this->public);
2134 this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
2135
2136 return &this->public;
2137 }