Merge branch 'ike-redirect'
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2015 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /*
20 * Copyright (c) 2014 Volker RĂ¼melin
21 *
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
28 *
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
31 *
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38 * THE SOFTWARE.
39 */
40
41 #include <string.h>
42 #include <sys/stat.h>
43 #include <errno.h>
44 #include <time.h>
45
46 #include "ike_sa.h"
47
48 #include <library.h>
49 #include <daemon.h>
50 #include <collections/array.h>
51 #include <utils/lexparser.h>
52 #include <processing/jobs/retransmit_job.h>
53 #include <processing/jobs/delete_ike_sa_job.h>
54 #include <processing/jobs/send_dpd_job.h>
55 #include <processing/jobs/send_keepalive_job.h>
56 #include <processing/jobs/rekey_ike_sa_job.h>
57 #include <processing/jobs/retry_initiate_job.h>
58 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
59 #include <sa/ikev2/tasks/ike_reauth_complete.h>
60 #include <sa/ikev2/tasks/ike_redirect.h>
61
62 #ifdef ME
63 #include <sa/ikev2/tasks/ike_me.h>
64 #include <processing/jobs/initiate_mediation_job.h>
65 #endif
66
67 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
68 "CREATED",
69 "CONNECTING",
70 "ESTABLISHED",
71 "PASSIVE",
72 "REKEYING",
73 "DELETING",
74 "DESTROYING",
75 );
76
77 typedef struct private_ike_sa_t private_ike_sa_t;
78 typedef struct attribute_entry_t attribute_entry_t;
79
80 /**
81 * Private data of an ike_sa_t object.
82 */
83 struct private_ike_sa_t {
84
85 /**
86 * Public members
87 */
88 ike_sa_t public;
89
90 /**
91 * Identifier for the current IKE_SA.
92 */
93 ike_sa_id_t *ike_sa_id;
94
95 /**
96 * IKE version of this SA.
97 */
98 ike_version_t version;
99
100 /**
101 * unique numerical ID for this IKE_SA.
102 */
103 u_int32_t unique_id;
104
105 /**
106 * Current state of the IKE_SA
107 */
108 ike_sa_state_t state;
109
110 /**
111 * IKE configuration used to set up this IKE_SA
112 */
113 ike_cfg_t *ike_cfg;
114
115 /**
116 * Peer and authentication information to establish IKE_SA.
117 */
118 peer_cfg_t *peer_cfg;
119
120 /**
121 * currently used authentication ruleset, local
122 */
123 auth_cfg_t *my_auth;
124
125 /**
126 * currently used authentication constraints, remote
127 */
128 auth_cfg_t *other_auth;
129
130 /**
131 * Array of completed local authentication rounds (as auth_cfg_t)
132 */
133 array_t *my_auths;
134
135 /**
136 * Array of completed remote authentication rounds (as auth_cfg_t)
137 */
138 array_t *other_auths;
139
140 /**
141 * Selected IKE proposal
142 */
143 proposal_t *proposal;
144
145 /**
146 * Juggles tasks to process messages
147 */
148 task_manager_t *task_manager;
149
150 /**
151 * Address of local host
152 */
153 host_t *my_host;
154
155 /**
156 * Address of remote host
157 */
158 host_t *other_host;
159
160 #ifdef ME
161 /**
162 * Are we mediation server
163 */
164 bool is_mediation_server;
165
166 /**
167 * Server reflexive host
168 */
169 host_t *server_reflexive_host;
170
171 /**
172 * Connect ID
173 */
174 chunk_t connect_id;
175 #endif /* ME */
176
177 /**
178 * Identification used for us
179 */
180 identification_t *my_id;
181
182 /**
183 * Identification used for other
184 */
185 identification_t *other_id;
186
187 /**
188 * set of extensions the peer supports
189 */
190 ike_extension_t extensions;
191
192 /**
193 * set of condition flags currently enabled for this IKE_SA
194 */
195 ike_condition_t conditions;
196
197 /**
198 * Array containing the child sa's of the current IKE_SA.
199 */
200 array_t *child_sas;
201
202 /**
203 * keymat of this IKE_SA
204 */
205 keymat_t *keymat;
206
207 /**
208 * Virtual IPs on local host
209 */
210 array_t *my_vips;
211
212 /**
213 * Virtual IPs on remote host
214 */
215 array_t *other_vips;
216
217 /**
218 * List of configuration attributes (attribute_entry_t)
219 */
220 array_t *attributes;
221
222 /**
223 * list of peer's addresses, additional ones transmitted via MOBIKE
224 */
225 array_t *peer_addresses;
226
227 /**
228 * previously value of received DESTINATION_IP hash
229 */
230 chunk_t nat_detection_dest;
231
232 /**
233 * number pending UPDATE_SA_ADDRESS (MOBIKE)
234 */
235 u_int32_t pending_updates;
236
237 /**
238 * NAT keep alive interval
239 */
240 u_int32_t keepalive_interval;
241
242 /**
243 * The schedueld keep alive job, if any
244 */
245 send_keepalive_job_t *keepalive_job;
246
247 /**
248 * interval for retries during initiation (e.g. if DNS resolution failed),
249 * 0 to disable (default)
250 */
251 u_int32_t retry_initiate_interval;
252
253 /**
254 * TRUE if a retry_initiate_job has been queued
255 */
256 bool retry_initiate_queued;
257
258 /**
259 * Timestamps for this IKE_SA
260 */
261 u_int32_t stats[STAT_MAX];
262
263 /**
264 * how many times we have retried so far (keyingtries)
265 */
266 u_int32_t keyingtry;
267
268 /**
269 * local host address to be used for IKE, set via MIGRATE kernel message
270 */
271 host_t *local_host;
272
273 /**
274 * remote host address to be used for IKE, set via MIGRATE kernel message
275 */
276 host_t *remote_host;
277
278 /**
279 * Flush auth configs once established?
280 */
281 bool flush_auth_cfg;
282
283 /**
284 * Maximum length of a single fragment, 0 for address-specific defaults
285 */
286 size_t fragment_size;
287
288 /**
289 * Whether to follow IKEv2 redirects
290 */
291 bool follow_redirects;
292
293 /**
294 * Original gateway address from which we got redirected
295 */
296 host_t *redirected_from;
297
298 /**
299 * Timestamps of redirect attempts to handle loops
300 */
301 array_t *redirected_at;
302 };
303
304 /**
305 * Entry to maintain install configuration attributes during IKE_SA lifetime
306 */
307 struct attribute_entry_t {
308 /** handler used to install this attribute */
309 attribute_handler_t *handler;
310 /** attribute type */
311 configuration_attribute_type_t type;
312 /** attribute data */
313 chunk_t data;
314 };
315
316 /**
317 * get the time of the latest traffic processed by the kernel
318 */
319 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
320 {
321 enumerator_t *enumerator;
322 child_sa_t *child_sa;
323 time_t use_time, current;
324
325 if (inbound)
326 {
327 use_time = this->stats[STAT_INBOUND];
328 }
329 else
330 {
331 use_time = this->stats[STAT_OUTBOUND];
332 }
333
334 enumerator = array_create_enumerator(this->child_sas);
335 while (enumerator->enumerate(enumerator, &child_sa))
336 {
337 child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
338 use_time = max(use_time, current);
339 }
340 enumerator->destroy(enumerator);
341
342 return use_time;
343 }
344
345 METHOD(ike_sa_t, get_unique_id, u_int32_t,
346 private_ike_sa_t *this)
347 {
348 return this->unique_id;
349 }
350
351 METHOD(ike_sa_t, get_name, char*,
352 private_ike_sa_t *this)
353 {
354 if (this->peer_cfg)
355 {
356 return this->peer_cfg->get_name(this->peer_cfg);
357 }
358 return "(unnamed)";
359 }
360
361 METHOD(ike_sa_t, get_statistic, u_int32_t,
362 private_ike_sa_t *this, statistic_t kind)
363 {
364 if (kind < STAT_MAX)
365 {
366 return this->stats[kind];
367 }
368 return 0;
369 }
370
371 METHOD(ike_sa_t, set_statistic, void,
372 private_ike_sa_t *this, statistic_t kind, u_int32_t value)
373 {
374 if (kind < STAT_MAX)
375 {
376 this->stats[kind] = value;
377 }
378 }
379
380 METHOD(ike_sa_t, get_my_host, host_t*,
381 private_ike_sa_t *this)
382 {
383 return this->my_host;
384 }
385
386 METHOD(ike_sa_t, set_my_host, void,
387 private_ike_sa_t *this, host_t *me)
388 {
389 DESTROY_IF(this->my_host);
390 this->my_host = me;
391 }
392
393 METHOD(ike_sa_t, get_other_host, host_t*,
394 private_ike_sa_t *this)
395 {
396 return this->other_host;
397 }
398
399 METHOD(ike_sa_t, set_other_host, void,
400 private_ike_sa_t *this, host_t *other)
401 {
402 DESTROY_IF(this->other_host);
403 this->other_host = other;
404 }
405
406 METHOD(ike_sa_t, get_redirected_from, host_t*,
407 private_ike_sa_t *this)
408 {
409 return this->redirected_from;
410 }
411
412 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
413 private_ike_sa_t *this)
414 {
415 return this->peer_cfg;
416 }
417
418 METHOD(ike_sa_t, set_peer_cfg, void,
419 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
420 {
421 peer_cfg->get_ref(peer_cfg);
422 DESTROY_IF(this->peer_cfg);
423 this->peer_cfg = peer_cfg;
424
425 if (this->ike_cfg == NULL)
426 {
427 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
428 this->ike_cfg->get_ref(this->ike_cfg);
429 }
430 }
431
432 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
433 private_ike_sa_t *this, bool local)
434 {
435 if (local)
436 {
437 return this->my_auth;
438 }
439 return this->other_auth;
440 }
441
442 METHOD(ike_sa_t, add_auth_cfg, void,
443 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
444 {
445 if (local)
446 {
447 array_insert(this->my_auths, ARRAY_TAIL, cfg);
448 }
449 else
450 {
451 array_insert(this->other_auths, ARRAY_TAIL, cfg);
452 }
453 }
454
455 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
456 private_ike_sa_t *this, bool local)
457 {
458 if (local)
459 {
460 return array_create_enumerator(this->my_auths);
461 }
462 return array_create_enumerator(this->other_auths);
463 }
464
465 /**
466 * Flush the stored authentication round information
467 */
468 static void flush_auth_cfgs(private_ike_sa_t *this)
469 {
470 auth_cfg_t *cfg;
471
472 this->my_auth->purge(this->my_auth, FALSE);
473 this->other_auth->purge(this->other_auth, FALSE);
474
475 while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
476 {
477 cfg->destroy(cfg);
478 }
479 while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
480 {
481 cfg->destroy(cfg);
482 }
483 }
484
485 METHOD(ike_sa_t, get_proposal, proposal_t*,
486 private_ike_sa_t *this)
487 {
488 return this->proposal;
489 }
490
491 METHOD(ike_sa_t, set_proposal, void,
492 private_ike_sa_t *this, proposal_t *proposal)
493 {
494 DESTROY_IF(this->proposal);
495 this->proposal = proposal->clone(proposal);
496 }
497
498 METHOD(ike_sa_t, set_message_id, void,
499 private_ike_sa_t *this, bool initiate, u_int32_t mid)
500 {
501 if (initiate)
502 {
503 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
504 }
505 else
506 {
507 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
508 }
509 }
510
511 METHOD(ike_sa_t, send_keepalive, void,
512 private_ike_sa_t *this, bool scheduled)
513 {
514 time_t last_out, now, diff;
515
516 if (scheduled)
517 {
518 this->keepalive_job = NULL;
519 }
520 if (!this->keepalive_interval || this->state == IKE_PASSIVE)
521 { /* keepalives disabled either by configuration or for passive IKE_SAs */
522 return;
523 }
524 if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
525 { /* disable keepalives if we are not NATed anymore, or the SA is stale */
526 return;
527 }
528
529 last_out = get_use_time(this, FALSE);
530 now = time_monotonic(NULL);
531
532 diff = now - last_out;
533
534 if (diff >= this->keepalive_interval)
535 {
536 packet_t *packet;
537 chunk_t data;
538
539 packet = packet_create();
540 packet->set_source(packet, this->my_host->clone(this->my_host));
541 packet->set_destination(packet, this->other_host->clone(this->other_host));
542 data.ptr = malloc(1);
543 data.ptr[0] = 0xFF;
544 data.len = 1;
545 packet->set_data(packet, data);
546 DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
547 charon->sender->send_no_marker(charon->sender, packet);
548 diff = 0;
549 }
550 if (!this->keepalive_job)
551 {
552 this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
553 lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
554 this->keepalive_interval - diff);
555 }
556 }
557
558 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
559 private_ike_sa_t *this)
560 {
561 return this->ike_cfg;
562 }
563
564 METHOD(ike_sa_t, set_ike_cfg, void,
565 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
566 {
567 ike_cfg->get_ref(ike_cfg);
568 this->ike_cfg = ike_cfg;
569 }
570
571 METHOD(ike_sa_t, enable_extension, void,
572 private_ike_sa_t *this, ike_extension_t extension)
573 {
574 this->extensions |= extension;
575 }
576
577 METHOD(ike_sa_t, supports_extension, bool,
578 private_ike_sa_t *this, ike_extension_t extension)
579 {
580 return (this->extensions & extension) != FALSE;
581 }
582
583 METHOD(ike_sa_t, has_condition, bool,
584 private_ike_sa_t *this, ike_condition_t condition)
585 {
586 return (this->conditions & condition) != FALSE;
587 }
588
589 METHOD(ike_sa_t, set_condition, void,
590 private_ike_sa_t *this, ike_condition_t condition, bool enable)
591 {
592 if (has_condition(this, condition) != enable)
593 {
594 if (enable)
595 {
596 this->conditions |= condition;
597 switch (condition)
598 {
599 case COND_NAT_HERE:
600 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
601 this->conditions |= COND_NAT_ANY;
602 send_keepalive(this, FALSE);
603 break;
604 case COND_NAT_THERE:
605 DBG1(DBG_IKE, "remote host is behind NAT");
606 this->conditions |= COND_NAT_ANY;
607 break;
608 case COND_NAT_FAKE:
609 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
610 this->conditions |= COND_NAT_ANY;
611 break;
612 default:
613 break;
614 }
615 }
616 else
617 {
618 this->conditions &= ~condition;
619 switch (condition)
620 {
621 case COND_NAT_HERE:
622 case COND_NAT_FAKE:
623 case COND_NAT_THERE:
624 set_condition(this, COND_NAT_ANY,
625 has_condition(this, COND_NAT_HERE) ||
626 has_condition(this, COND_NAT_THERE) ||
627 has_condition(this, COND_NAT_FAKE));
628 break;
629 case COND_STALE:
630 send_keepalive(this, FALSE);
631 break;
632 default:
633 break;
634 }
635 }
636 }
637 }
638
639 METHOD(ike_sa_t, send_dpd, status_t,
640 private_ike_sa_t *this)
641 {
642 job_t *job;
643 time_t diff, delay;
644 bool task_queued = FALSE;
645
646 if (this->state == IKE_PASSIVE)
647 {
648 return INVALID_STATE;
649 }
650 delay = this->peer_cfg->get_dpd(this->peer_cfg);
651 if (this->task_manager->busy(this->task_manager))
652 {
653 /* an exchange is in the air, no need to start a DPD check */
654 diff = 0;
655 }
656 else
657 {
658 /* check if there was any inbound traffic */
659 time_t last_in, now;
660 last_in = get_use_time(this, TRUE);
661 now = time_monotonic(NULL);
662 diff = now - last_in;
663 if (!delay || diff >= delay)
664 {
665 /* too long ago, initiate dead peer detection */
666 DBG1(DBG_IKE, "sending DPD request");
667 this->task_manager->queue_dpd(this->task_manager);
668 task_queued = TRUE;
669 diff = 0;
670 }
671 }
672 /* recheck in "interval" seconds */
673 if (delay)
674 {
675 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
676 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
677 }
678 if (task_queued)
679 {
680 return this->task_manager->initiate(this->task_manager);
681 }
682 return SUCCESS;
683 }
684
685 METHOD(ike_sa_t, get_state, ike_sa_state_t,
686 private_ike_sa_t *this)
687 {
688 return this->state;
689 }
690
691 METHOD(ike_sa_t, set_state, void,
692 private_ike_sa_t *this, ike_sa_state_t state)
693 {
694 bool trigger_dpd = FALSE, keepalives = FALSE;
695
696 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
697 get_name(this), this->unique_id,
698 ike_sa_state_names, this->state,
699 ike_sa_state_names, state);
700
701 switch (state)
702 {
703 case IKE_ESTABLISHED:
704 {
705 if (this->state == IKE_CONNECTING ||
706 this->state == IKE_PASSIVE)
707 {
708 job_t *job;
709 u_int32_t t;
710
711 /* calculate rekey, reauth and lifetime */
712 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
713
714 /* schedule rekeying if we have a time which is smaller than
715 * an already scheduled rekeying */
716 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
717 if (t && (this->stats[STAT_REKEY] == 0 ||
718 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
719 {
720 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
721 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
722 lib->scheduler->schedule_job(lib->scheduler, job, t);
723 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
724 }
725 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
726 if (t && (this->stats[STAT_REAUTH] == 0 ||
727 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
728 {
729 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
730 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
731 lib->scheduler->schedule_job(lib->scheduler, job, t);
732 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
733 }
734 t = this->peer_cfg->get_over_time(this->peer_cfg);
735 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
736 {
737 if (this->stats[STAT_REAUTH] == 0)
738 {
739 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
740 }
741 else if (this->stats[STAT_REKEY] == 0)
742 {
743 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
744 }
745 else
746 {
747 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
748 this->stats[STAT_REAUTH]);
749 }
750 this->stats[STAT_DELETE] += t;
751 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
752 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
753 lib->scheduler->schedule_job(lib->scheduler, job, t);
754 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
755 }
756 trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
757 if (trigger_dpd)
758 {
759 /* Some peers delay the DELETE after rekeying an IKE_SA.
760 * If this delay is longer than our DPD delay, we would
761 * send a DPD request here. The IKE_SA is not ready to do
762 * so yet, so prevent that. */
763 this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
764 }
765 if (this->state == IKE_PASSIVE)
766 {
767 keepalives = TRUE;
768 }
769 DESTROY_IF(this->redirected_from);
770 this->redirected_from = NULL;
771 }
772 break;
773 }
774 default:
775 break;
776 }
777 charon->bus->ike_state_change(charon->bus, &this->public, state);
778 this->state = state;
779
780 if (trigger_dpd)
781 {
782 if (supports_extension(this, EXT_DPD))
783 {
784 send_dpd(this);
785 }
786 else
787 {
788 DBG1(DBG_IKE, "DPD not supported by peer, disabled");
789 }
790 }
791 if (keepalives)
792 {
793 send_keepalive(this, FALSE);
794 }
795 }
796
797 METHOD(ike_sa_t, reset, void,
798 private_ike_sa_t *this)
799 {
800 /* the responder ID is reset, as peer may choose another one */
801 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
802 {
803 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
804 }
805
806 set_state(this, IKE_CREATED);
807
808 flush_auth_cfgs(this);
809
810 this->keymat->destroy(this->keymat);
811 this->keymat = keymat_create(this->version,
812 this->ike_sa_id->is_initiator(this->ike_sa_id));
813
814 this->task_manager->reset(this->task_manager, 0, 0);
815 }
816
817 METHOD(ike_sa_t, get_keymat, keymat_t*,
818 private_ike_sa_t *this)
819 {
820 return this->keymat;
821 }
822
823 METHOD(ike_sa_t, add_virtual_ip, void,
824 private_ike_sa_t *this, bool local, host_t *ip)
825 {
826 if (local)
827 {
828 char *iface;
829
830 if (charon->kernel->get_interface(charon->kernel, this->my_host,
831 &iface))
832 {
833 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
834 if (charon->kernel->add_ip(charon->kernel, ip, -1,
835 iface) == SUCCESS)
836 {
837 array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
838 }
839 else
840 {
841 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
842 }
843 free(iface);
844 }
845 else
846 {
847 DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
848 }
849 }
850 else
851 {
852 array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
853 }
854 }
855
856
857 METHOD(ike_sa_t, clear_virtual_ips, void,
858 private_ike_sa_t *this, bool local)
859 {
860 array_t *vips;
861 host_t *vip;
862
863 vips = local ? this->my_vips : this->other_vips;
864 if (!local && array_count(vips))
865 {
866 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
867 }
868 while (array_remove(vips, ARRAY_HEAD, &vip))
869 {
870 if (local)
871 {
872 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
873 }
874 vip->destroy(vip);
875 }
876 }
877
878 METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
879 private_ike_sa_t *this, bool local)
880 {
881 if (local)
882 {
883 return array_create_enumerator(this->my_vips);
884 }
885 return array_create_enumerator(this->other_vips);
886 }
887
888 METHOD(ike_sa_t, add_peer_address, void,
889 private_ike_sa_t *this, host_t *host)
890 {
891 array_insert_create(&this->peer_addresses, ARRAY_TAIL, host);
892 }
893
894 METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
895 private_ike_sa_t *this)
896 {
897 if (this->peer_addresses)
898 {
899 return array_create_enumerator(this->peer_addresses);
900 }
901 /* in case we don't have MOBIKE */
902 return enumerator_create_single(this->other_host, NULL);
903 }
904
905 METHOD(ike_sa_t, clear_peer_addresses, void,
906 private_ike_sa_t *this)
907 {
908 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
909 this->peer_addresses = NULL;
910 }
911
912 METHOD(ike_sa_t, has_mapping_changed, bool,
913 private_ike_sa_t *this, chunk_t hash)
914 {
915 if (this->nat_detection_dest.ptr == NULL)
916 {
917 this->nat_detection_dest = chunk_clone(hash);
918 return FALSE;
919 }
920 if (chunk_equals(hash, this->nat_detection_dest))
921 {
922 return FALSE;
923 }
924 free(this->nat_detection_dest.ptr);
925 this->nat_detection_dest = chunk_clone(hash);
926 return TRUE;
927 }
928
929 METHOD(ike_sa_t, set_pending_updates, void,
930 private_ike_sa_t *this, u_int32_t updates)
931 {
932 this->pending_updates = updates;
933 }
934
935 METHOD(ike_sa_t, get_pending_updates, u_int32_t,
936 private_ike_sa_t *this)
937 {
938 return this->pending_updates;
939 }
940
941 METHOD(ike_sa_t, float_ports, void,
942 private_ike_sa_t *this)
943 {
944 /* do not switch if we have a custom port from MOBIKE/NAT */
945 if (this->my_host->get_port(this->my_host) ==
946 charon->socket->get_port(charon->socket, FALSE))
947 {
948 this->my_host->set_port(this->my_host,
949 charon->socket->get_port(charon->socket, TRUE));
950 }
951 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
952 {
953 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
954 }
955 }
956
957 METHOD(ike_sa_t, update_hosts, void,
958 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
959 {
960 bool update = FALSE;
961
962 if (me == NULL)
963 {
964 me = this->my_host;
965 }
966 if (other == NULL)
967 {
968 other = this->other_host;
969 }
970
971 /* apply hosts on first received message */
972 if (this->my_host->is_anyaddr(this->my_host) ||
973 this->other_host->is_anyaddr(this->other_host))
974 {
975 set_my_host(this, me->clone(me));
976 set_other_host(this, other->clone(other));
977 update = TRUE;
978 }
979 else
980 {
981 /* update our address in any case */
982 if (force && !me->equals(me, this->my_host))
983 {
984 charon->bus->ike_update(charon->bus, &this->public, TRUE, me);
985 set_my_host(this, me->clone(me));
986 update = TRUE;
987 }
988
989 if (!other->equals(other, this->other_host) &&
990 (force || has_condition(this, COND_NAT_THERE)))
991 {
992 /* only update other's address if we are behind a static NAT,
993 * which we assume is the case if we are not initiator */
994 if (force ||
995 (!has_condition(this, COND_NAT_HERE) ||
996 !has_condition(this, COND_ORIGINAL_INITIATOR)))
997 {
998 charon->bus->ike_update(charon->bus, &this->public, FALSE, other);
999 set_other_host(this, other->clone(other));
1000 update = TRUE;
1001 }
1002 }
1003 }
1004
1005 /* update all associated CHILD_SAs, if required */
1006 if (update)
1007 {
1008 enumerator_t *enumerator;
1009 child_sa_t *child_sa;
1010 linked_list_t *vips;
1011
1012 vips = linked_list_create_from_enumerator(
1013 array_create_enumerator(this->my_vips));
1014
1015 enumerator = array_create_enumerator(this->child_sas);
1016 while (enumerator->enumerate(enumerator, &child_sa))
1017 {
1018 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
1019 charon->child_sa_manager->add(charon->child_sa_manager,
1020 child_sa, &this->public);
1021
1022 if (child_sa->update(child_sa, this->my_host, this->other_host,
1023 vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
1024 {
1025 this->public.rekey_child_sa(&this->public,
1026 child_sa->get_protocol(child_sa),
1027 child_sa->get_spi(child_sa, TRUE));
1028 }
1029
1030 }
1031 enumerator->destroy(enumerator);
1032
1033 vips->destroy(vips);
1034 }
1035 }
1036
1037 /**
1038 * Set configured DSCP value on packet
1039 */
1040 static void set_dscp(private_ike_sa_t *this, packet_t *packet)
1041 {
1042 ike_cfg_t *ike_cfg;
1043
1044 /* prefer IKE config on peer_cfg, as its selection is more accurate
1045 * then the initial IKE config */
1046 if (this->peer_cfg)
1047 {
1048 ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
1049 }
1050 else
1051 {
1052 ike_cfg = this->ike_cfg;
1053 }
1054 if (ike_cfg)
1055 {
1056 packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
1057 }
1058 }
1059
1060 METHOD(ike_sa_t, generate_message, status_t,
1061 private_ike_sa_t *this, message_t *message, packet_t **packet)
1062 {
1063 status_t status;
1064
1065 if (message->is_encoded(message))
1066 { /* already encoded in task, but set DSCP value */
1067 *packet = message->get_packet(message);
1068 set_dscp(this, *packet);
1069 return SUCCESS;
1070 }
1071 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1072 message->set_ike_sa_id(message, this->ike_sa_id);
1073 charon->bus->message(charon->bus, message, FALSE, TRUE);
1074 status = message->generate(message, this->keymat, packet);
1075 if (status == SUCCESS)
1076 {
1077 set_dscp(this, *packet);
1078 charon->bus->message(charon->bus, message, FALSE, FALSE);
1079 }
1080 return status;
1081 }
1082
1083 static bool filter_fragments(private_ike_sa_t *this, packet_t **fragment,
1084 packet_t **packet)
1085 {
1086 *packet = (*fragment)->clone(*fragment);
1087 set_dscp(this, *packet);
1088 return TRUE;
1089 }
1090
1091 METHOD(ike_sa_t, generate_message_fragmented, status_t,
1092 private_ike_sa_t *this, message_t *message, enumerator_t **packets)
1093 {
1094 enumerator_t *fragments;
1095 packet_t *packet;
1096 status_t status;
1097 bool use_frags = FALSE;
1098
1099 if (this->ike_cfg)
1100 {
1101 switch (this->ike_cfg->fragmentation(this->ike_cfg))
1102 {
1103 case FRAGMENTATION_FORCE:
1104 use_frags = TRUE;
1105 break;
1106 case FRAGMENTATION_YES:
1107 use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION);
1108 if (use_frags && this->version == IKEV1 &&
1109 supports_extension(this, EXT_MS_WINDOWS))
1110 {
1111 /* It seems Windows 7 and 8 peers only accept proprietary
1112 * fragmented messages if they expect certificates. */
1113 use_frags = message->get_payload(message,
1114 PLV1_CERTIFICATE) != NULL;
1115 }
1116 break;
1117 default:
1118 break;
1119 }
1120 }
1121 if (!use_frags)
1122 {
1123 status = generate_message(this, message, &packet);
1124 if (status != SUCCESS)
1125 {
1126 return status;
1127 }
1128 *packets = enumerator_create_single(packet, NULL);
1129 return SUCCESS;
1130 }
1131
1132 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1133 message->set_ike_sa_id(message, this->ike_sa_id);
1134 charon->bus->message(charon->bus, message, FALSE, TRUE);
1135 status = message->fragment(message, this->keymat, this->fragment_size,
1136 &fragments);
1137 if (status == SUCCESS)
1138 {
1139 charon->bus->message(charon->bus, message, FALSE, FALSE);
1140 *packets = enumerator_create_filter(fragments, (void*)filter_fragments,
1141 this, NULL);
1142 }
1143 return status;
1144 }
1145
1146 METHOD(ike_sa_t, set_kmaddress, void,
1147 private_ike_sa_t *this, host_t *local, host_t *remote)
1148 {
1149 DESTROY_IF(this->local_host);
1150 DESTROY_IF(this->remote_host);
1151 this->local_host = local->clone(local);
1152 this->remote_host = remote->clone(remote);
1153 }
1154
1155 #ifdef ME
1156 METHOD(ike_sa_t, act_as_mediation_server, void,
1157 private_ike_sa_t *this)
1158 {
1159 charon->mediation_manager->update_sa_id(charon->mediation_manager,
1160 this->other_id, this->ike_sa_id);
1161 this->is_mediation_server = TRUE;
1162 }
1163
1164 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
1165 private_ike_sa_t *this)
1166 {
1167 return this->server_reflexive_host;
1168 }
1169
1170 METHOD(ike_sa_t, set_server_reflexive_host, void,
1171 private_ike_sa_t *this, host_t *host)
1172 {
1173 DESTROY_IF(this->server_reflexive_host);
1174 this->server_reflexive_host = host;
1175 }
1176
1177 METHOD(ike_sa_t, get_connect_id, chunk_t,
1178 private_ike_sa_t *this)
1179 {
1180 return this->connect_id;
1181 }
1182
1183 METHOD(ike_sa_t, respond, status_t,
1184 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
1185 {
1186 ike_me_t *task = ike_me_create(&this->public, TRUE);
1187 task->respond(task, peer_id, connect_id);
1188 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1189 return this->task_manager->initiate(this->task_manager);
1190 }
1191
1192 METHOD(ike_sa_t, callback, status_t,
1193 private_ike_sa_t *this, identification_t *peer_id)
1194 {
1195 ike_me_t *task = ike_me_create(&this->public, TRUE);
1196 task->callback(task, peer_id);
1197 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1198 return this->task_manager->initiate(this->task_manager);
1199 }
1200
1201 METHOD(ike_sa_t, relay, status_t,
1202 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1203 chunk_t connect_key, linked_list_t *endpoints, bool response)
1204 {
1205 ike_me_t *task = ike_me_create(&this->public, TRUE);
1206 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1207 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1208 return this->task_manager->initiate(this->task_manager);
1209 }
1210
1211 METHOD(ike_sa_t, initiate_mediation, status_t,
1212 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1213 {
1214 ike_me_t *task = ike_me_create(&this->public, TRUE);
1215 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1216 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1217 return this->task_manager->initiate(this->task_manager);
1218 }
1219
1220 METHOD(ike_sa_t, initiate_mediated, status_t,
1221 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1222 {
1223 set_my_host(this, me->clone(me));
1224 set_other_host(this, other->clone(other));
1225 chunk_free(&this->connect_id);
1226 this->connect_id = chunk_clone(connect_id);
1227 return this->task_manager->initiate(this->task_manager);
1228 }
1229 #endif /* ME */
1230
1231 /**
1232 * Resolve DNS host in configuration
1233 */
1234 static void resolve_hosts(private_ike_sa_t *this)
1235 {
1236 host_t *host;
1237 int family = AF_UNSPEC;
1238
1239 switch (charon->socket->supported_families(charon->socket))
1240 {
1241 case SOCKET_FAMILY_IPV4:
1242 family = AF_INET;
1243 break;
1244 case SOCKET_FAMILY_IPV6:
1245 family = AF_INET6;
1246 break;
1247 case SOCKET_FAMILY_BOTH:
1248 case SOCKET_FAMILY_NONE:
1249 break;
1250 }
1251
1252 /* if an IP address is set locally, use the same family to resolve remote */
1253 if (family == AF_UNSPEC && !this->remote_host)
1254 {
1255 if (this->local_host)
1256 {
1257 family = this->local_host->get_family(this->local_host);
1258 }
1259 else
1260 {
1261 family = ike_cfg_get_family(this->ike_cfg, TRUE);
1262 }
1263 }
1264
1265 if (this->remote_host)
1266 {
1267 host = this->remote_host->clone(this->remote_host);
1268 host->set_port(host, IKEV2_UDP_PORT);
1269 }
1270 else
1271 {
1272 host = this->ike_cfg->resolve_other(this->ike_cfg, family);
1273 }
1274 if (host)
1275 {
1276 if (!host->is_anyaddr(host) ||
1277 this->other_host->is_anyaddr(this->other_host))
1278 { /* don't set to %any if we currently have an address, but the
1279 * address family might have changed */
1280 set_other_host(this, host);
1281 }
1282 else
1283 { /* reuse the original port as some implementations might not like
1284 * initial IKE messages on other ports */
1285 this->other_host->set_port(this->other_host, host->get_port(host));
1286 host->destroy(host);
1287 }
1288 }
1289
1290 if (this->local_host)
1291 {
1292 host = this->local_host->clone(this->local_host);
1293 host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
1294 }
1295 else
1296 {
1297 /* use same address family as for other */
1298 if (!this->other_host->is_anyaddr(this->other_host))
1299 {
1300 family = this->other_host->get_family(this->other_host);
1301 }
1302 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1303
1304 if (host && host->is_anyaddr(host) &&
1305 !this->other_host->is_anyaddr(this->other_host))
1306 {
1307 host->destroy(host);
1308 host = charon->kernel->get_source_addr(charon->kernel,
1309 this->other_host, NULL);
1310 if (host)
1311 {
1312 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1313 }
1314 else
1315 { /* fallback to address family specific %any(6), if configured */
1316 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1317 }
1318 }
1319 }
1320 if (host)
1321 {
1322 set_my_host(this, host);
1323 }
1324 }
1325
1326 METHOD(ike_sa_t, initiate, status_t,
1327 private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
1328 traffic_selector_t *tsi, traffic_selector_t *tsr)
1329 {
1330 bool defer_initiate = FALSE;
1331
1332 if (this->state == IKE_CREATED)
1333 {
1334 if (this->my_host->is_anyaddr(this->my_host) ||
1335 this->other_host->is_anyaddr(this->other_host))
1336 {
1337 resolve_hosts(this);
1338 }
1339
1340 if (this->other_host->is_anyaddr(this->other_host)
1341 #ifdef ME
1342 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1343 #endif /* ME */
1344 )
1345 {
1346 char *addr;
1347
1348 addr = this->ike_cfg->get_other_addr(this->ike_cfg);
1349 if (!this->retry_initiate_interval)
1350 {
1351 DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
1352 addr);
1353 DESTROY_IF(child_cfg);
1354 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1355 return DESTROY_ME;
1356 }
1357 DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
1358 addr, this->retry_initiate_interval);
1359 defer_initiate = TRUE;
1360 }
1361
1362 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1363 this->task_manager->queue_ike(this->task_manager);
1364 }
1365
1366 #ifdef ME
1367 if (this->peer_cfg->is_mediation(this->peer_cfg))
1368 {
1369 if (this->state == IKE_ESTABLISHED)
1370 {
1371 /* mediation connection is already established, retrigger state
1372 * change to notify bus listeners */
1373 DBG1(DBG_IKE, "mediation connection is already up");
1374 set_state(this, IKE_ESTABLISHED);
1375 }
1376 DESTROY_IF(child_cfg);
1377 }
1378 else
1379 #endif /* ME */
1380 if (child_cfg)
1381 {
1382 /* normal IKE_SA with CHILD_SA */
1383 this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1384 tsi, tsr);
1385 #ifdef ME
1386 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1387 {
1388 /* mediated connection, initiate mediation process */
1389 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1390 lib->processor->queue_job(lib->processor, job);
1391 return SUCCESS;
1392 }
1393 #endif /* ME */
1394 }
1395
1396 if (defer_initiate)
1397 {
1398 if (!this->retry_initiate_queued)
1399 {
1400 job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
1401 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
1402 this->retry_initiate_interval);
1403 this->retry_initiate_queued = TRUE;
1404 }
1405 return SUCCESS;
1406 }
1407 this->retry_initiate_queued = FALSE;
1408 return this->task_manager->initiate(this->task_manager);
1409 }
1410
1411 METHOD(ike_sa_t, retry_initiate, status_t,
1412 private_ike_sa_t *this)
1413 {
1414 if (this->retry_initiate_queued)
1415 {
1416 this->retry_initiate_queued = FALSE;
1417 return initiate(this, NULL, 0, NULL, NULL);
1418 }
1419 return SUCCESS;
1420 }
1421
1422 METHOD(ike_sa_t, process_message, status_t,
1423 private_ike_sa_t *this, message_t *message)
1424 {
1425 status_t status;
1426
1427 if (this->state == IKE_PASSIVE)
1428 { /* do not handle messages in passive state */
1429 return FAILED;
1430 }
1431 if (message->get_major_version(message) != this->version)
1432 {
1433 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1434 exchange_type_names, message->get_exchange_type(message),
1435 message->get_major_version(message),
1436 ike_version_names, this->version);
1437 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1438 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1439 return FAILED;
1440 }
1441 status = this->task_manager->process_message(this->task_manager, message);
1442 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1443 {
1444 /* authentication completed */
1445 this->flush_auth_cfg = FALSE;
1446 flush_auth_cfgs(this);
1447 }
1448 return status;
1449 }
1450
1451 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1452 private_ike_sa_t *this)
1453 {
1454 return this->ike_sa_id;
1455 }
1456
1457 METHOD(ike_sa_t, get_version, ike_version_t,
1458 private_ike_sa_t *this)
1459 {
1460 return this->version;
1461 }
1462
1463 METHOD(ike_sa_t, get_my_id, identification_t*,
1464 private_ike_sa_t *this)
1465 {
1466 return this->my_id;
1467 }
1468
1469 METHOD(ike_sa_t, set_my_id, void,
1470 private_ike_sa_t *this, identification_t *me)
1471 {
1472 DESTROY_IF(this->my_id);
1473 this->my_id = me;
1474 }
1475
1476 METHOD(ike_sa_t, get_other_id, identification_t*,
1477 private_ike_sa_t *this)
1478 {
1479 return this->other_id;
1480 }
1481
1482 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1483 private_ike_sa_t *this)
1484 {
1485 identification_t *id = NULL, *current;
1486 enumerator_t *enumerator;
1487 auth_cfg_t *cfg;
1488
1489 enumerator = array_create_enumerator(this->other_auths);
1490 while (enumerator->enumerate(enumerator, &cfg))
1491 {
1492 /* prefer EAP-Identity of last round */
1493 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1494 if (!current || current->get_type(current) == ID_ANY)
1495 {
1496 current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
1497 }
1498 if (!current || current->get_type(current) == ID_ANY)
1499 {
1500 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1501 }
1502 if (current && current->get_type(current) != ID_ANY)
1503 {
1504 id = current;
1505 continue;
1506 }
1507 }
1508 enumerator->destroy(enumerator);
1509 if (id)
1510 {
1511 return id;
1512 }
1513 return this->other_id;
1514 }
1515
1516 METHOD(ike_sa_t, set_other_id, void,
1517 private_ike_sa_t *this, identification_t *other)
1518 {
1519 DESTROY_IF(this->other_id);
1520 this->other_id = other;
1521 }
1522
1523 METHOD(ike_sa_t, add_child_sa, void,
1524 private_ike_sa_t *this, child_sa_t *child_sa)
1525 {
1526 array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
1527 charon->child_sa_manager->add(charon->child_sa_manager,
1528 child_sa, &this->public);
1529 }
1530
1531 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1532 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound)
1533 {
1534 enumerator_t *enumerator;
1535 child_sa_t *current, *found = NULL;
1536
1537 enumerator = array_create_enumerator(this->child_sas);
1538 while (enumerator->enumerate(enumerator, (void**)&current))
1539 {
1540 if (current->get_spi(current, inbound) == spi &&
1541 current->get_protocol(current) == protocol)
1542 {
1543 found = current;
1544 }
1545 }
1546 enumerator->destroy(enumerator);
1547 return found;
1548 }
1549
1550 METHOD(ike_sa_t, get_child_count, int,
1551 private_ike_sa_t *this)
1552 {
1553 return array_count(this->child_sas);
1554 }
1555
1556 /**
1557 * Private data of a create_child_sa_enumerator()
1558 */
1559 typedef struct {
1560 /** implements enumerator */
1561 enumerator_t public;
1562 /** inner array enumerator */
1563 enumerator_t *inner;
1564 /** current item */
1565 child_sa_t *current;
1566 } child_enumerator_t;
1567
1568 METHOD(enumerator_t, child_enumerate, bool,
1569 child_enumerator_t *this, child_sa_t **child_sa)
1570 {
1571 if (this->inner->enumerate(this->inner, &this->current))
1572 {
1573 *child_sa = this->current;
1574 return TRUE;
1575 }
1576 return FALSE;
1577 }
1578
1579 METHOD(enumerator_t, child_enumerator_destroy, void,
1580 child_enumerator_t *this)
1581 {
1582 this->inner->destroy(this->inner);
1583 free(this);
1584 }
1585
1586 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1587 private_ike_sa_t *this)
1588 {
1589 child_enumerator_t *enumerator;
1590
1591 INIT(enumerator,
1592 .public = {
1593 .enumerate = (void*)_child_enumerate,
1594 .destroy = _child_enumerator_destroy,
1595 },
1596 .inner = array_create_enumerator(this->child_sas),
1597 );
1598 return &enumerator->public;
1599 }
1600
1601 METHOD(ike_sa_t, remove_child_sa, void,
1602 private_ike_sa_t *this, enumerator_t *enumerator)
1603 {
1604 child_enumerator_t *ce = (child_enumerator_t*)enumerator;
1605
1606 charon->child_sa_manager->remove(charon->child_sa_manager, ce->current);
1607 array_remove_at(this->child_sas, ce->inner);
1608 }
1609
1610 METHOD(ike_sa_t, rekey_child_sa, status_t,
1611 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1612 {
1613 if (this->state == IKE_PASSIVE)
1614 {
1615 return INVALID_STATE;
1616 }
1617 this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1618 return this->task_manager->initiate(this->task_manager);
1619 }
1620
1621 METHOD(ike_sa_t, delete_child_sa, status_t,
1622 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool expired)
1623 {
1624 if (this->state == IKE_PASSIVE)
1625 {
1626 return INVALID_STATE;
1627 }
1628 this->task_manager->queue_child_delete(this->task_manager,
1629 protocol, spi, expired);
1630 return this->task_manager->initiate(this->task_manager);
1631 }
1632
1633 METHOD(ike_sa_t, destroy_child_sa, status_t,
1634 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1635 {
1636 enumerator_t *enumerator;
1637 child_sa_t *child_sa;
1638 status_t status = NOT_FOUND;
1639
1640 enumerator = create_child_sa_enumerator(this);
1641 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1642 {
1643 if (child_sa->get_protocol(child_sa) == protocol &&
1644 child_sa->get_spi(child_sa, TRUE) == spi)
1645 {
1646 remove_child_sa(this, enumerator);
1647 child_sa->destroy(child_sa);
1648 status = SUCCESS;
1649 break;
1650 }
1651 }
1652 enumerator->destroy(enumerator);
1653 return status;
1654 }
1655
1656 METHOD(ike_sa_t, delete_, status_t,
1657 private_ike_sa_t *this)
1658 {
1659 switch (this->state)
1660 {
1661 case IKE_REKEYING:
1662 if (this->version == IKEV1)
1663 { /* SA has been reauthenticated, delete */
1664 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1665 break;
1666 }
1667 /* FALL */
1668 case IKE_ESTABLISHED:
1669 if (time_monotonic(NULL) >= this->stats[STAT_DELETE])
1670 { /* IKE_SA hard lifetime hit */
1671 charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
1672 }
1673 this->task_manager->queue_ike_delete(this->task_manager);
1674 return this->task_manager->initiate(this->task_manager);
1675 case IKE_CREATED:
1676 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1677 break;
1678 case IKE_PASSIVE:
1679 break;
1680 default:
1681 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1682 "without notification", ike_sa_state_names, this->state);
1683 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1684 break;
1685 }
1686 return DESTROY_ME;
1687 }
1688
1689 METHOD(ike_sa_t, rekey, status_t,
1690 private_ike_sa_t *this)
1691 {
1692 if (this->state == IKE_PASSIVE)
1693 {
1694 return INVALID_STATE;
1695 }
1696 this->task_manager->queue_ike_rekey(this->task_manager);
1697 return this->task_manager->initiate(this->task_manager);
1698 }
1699
1700 METHOD(ike_sa_t, reauth, status_t,
1701 private_ike_sa_t *this)
1702 {
1703 if (this->state == IKE_PASSIVE)
1704 {
1705 return INVALID_STATE;
1706 }
1707 if (this->state == IKE_CONNECTING)
1708 {
1709 DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
1710 get_name(this), this->unique_id);
1711 reset(this);
1712 this->task_manager->queue_ike(this->task_manager);
1713 return this->task_manager->initiate(this->task_manager);
1714 }
1715 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1716 * If the peer does not support RFC4478, there is no way to keep the
1717 * IKE_SA up. */
1718 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1719 {
1720 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1721 if (array_count(this->other_vips) != 0 ||
1722 has_condition(this, COND_XAUTH_AUTHENTICATED) ||
1723 has_condition(this, COND_EAP_AUTHENTICATED)
1724 #ifdef ME
1725 /* as mediation server we too cannot reauth the IKE_SA */
1726 || this->is_mediation_server
1727 #endif /* ME */
1728 )
1729 {
1730 time_t del, now;
1731
1732 del = this->stats[STAT_DELETE];
1733 now = time_monotonic(NULL);
1734 DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V",
1735 get_name(this), this->unique_id, &now, &del);
1736 return FAILED;
1737 }
1738 else
1739 {
1740 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively",
1741 get_name(this), this->unique_id);
1742 }
1743 }
1744 else
1745 {
1746 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
1747 get_name(this), this->unique_id);
1748 }
1749 set_condition(this, COND_REAUTHENTICATING, TRUE);
1750 this->task_manager->queue_ike_reauth(this->task_manager);
1751 return this->task_manager->initiate(this->task_manager);
1752 }
1753
1754 /**
1755 * Check if tasks to create CHILD_SAs are queued in the given queue
1756 */
1757 static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
1758 {
1759 enumerator_t *enumerator;
1760 task_t *task;
1761 bool found = FALSE;
1762
1763 enumerator = this->task_manager->create_task_enumerator(this->task_manager,
1764 queue);
1765 while (enumerator->enumerate(enumerator, &task))
1766 {
1767 if (task->get_type(task) == TASK_CHILD_CREATE ||
1768 task->get_type(task) == TASK_QUICK_MODE)
1769 {
1770 found = TRUE;
1771 break;
1772 }
1773 }
1774 enumerator->destroy(enumerator);
1775 return found;
1776 }
1777
1778 /**
1779 * Reestablish CHILD_SAs and migrate queued tasks.
1780 *
1781 * If force is true all SAs are restarted, otherwise their close/dpd_action
1782 * is followed.
1783 */
1784 static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
1785 bool force)
1786 {
1787 enumerator_t *enumerator;
1788 child_sa_t *child_sa;
1789 child_cfg_t *child_cfg;
1790 action_t action;
1791 status_t status = FAILED;
1792
1793 /* handle existing CHILD_SAs */
1794 enumerator = create_child_sa_enumerator(this);
1795 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1796 {
1797 if (force)
1798 {
1799 switch (child_sa->get_state(child_sa))
1800 {
1801 case CHILD_ROUTED:
1802 { /* move routed child directly */
1803 remove_child_sa(this, enumerator);
1804 new->add_child_sa(new, child_sa);
1805 action = ACTION_NONE;
1806 break;
1807 }
1808 default:
1809 { /* initiate/queue all other CHILD_SAs */
1810 action = ACTION_RESTART;
1811 break;
1812 }
1813 }
1814 }
1815 else
1816 { /* only restart CHILD_SAs that are configured accordingly */
1817 if (this->state == IKE_DELETING)
1818 {
1819 action = child_sa->get_close_action(child_sa);
1820 }
1821 else
1822 {
1823 action = child_sa->get_dpd_action(child_sa);
1824 }
1825 }
1826 switch (action)
1827 {
1828 case ACTION_RESTART:
1829 child_cfg = child_sa->get_config(child_sa);
1830 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1831 child_cfg->get_name(child_cfg));
1832 child_cfg->get_ref(child_cfg);
1833 status = new->initiate(new, child_cfg,
1834 child_sa->get_reqid(child_sa), NULL, NULL);
1835 break;
1836 default:
1837 continue;
1838 }
1839 if (status == DESTROY_ME)
1840 {
1841 break;
1842 }
1843 }
1844 enumerator->destroy(enumerator);
1845 /* adopt any active or queued CHILD-creating tasks */
1846 if (status != DESTROY_ME)
1847 {
1848 task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
1849 other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
1850 if (new->get_state(new) == IKE_CREATED)
1851 {
1852 status = new->initiate(new, NULL, 0, NULL, NULL);
1853 }
1854 }
1855 return status;
1856 }
1857
1858 METHOD(ike_sa_t, reestablish, status_t,
1859 private_ike_sa_t *this)
1860 {
1861 ike_sa_t *new;
1862 host_t *host;
1863 action_t action;
1864 enumerator_t *enumerator;
1865 child_sa_t *child_sa;
1866 bool restart = FALSE;
1867 status_t status = FAILED;
1868
1869 if (has_condition(this, COND_REAUTHENTICATING))
1870 { /* only reauthenticate if we have children */
1871 if (array_count(this->child_sas) == 0
1872 #ifdef ME
1873 /* allow reauth of mediation connections without CHILD_SAs */
1874 && !this->peer_cfg->is_mediation(this->peer_cfg)
1875 #endif /* ME */
1876 )
1877 {
1878 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
1879 "to recreate");
1880 }
1881 else
1882 {
1883 restart = TRUE;
1884 }
1885 }
1886 else
1887 { /* check if we have children to keep up at all */
1888 enumerator = array_create_enumerator(this->child_sas);
1889 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1890 {
1891 if (this->state == IKE_DELETING)
1892 {
1893 action = child_sa->get_close_action(child_sa);
1894 }
1895 else
1896 {
1897 action = child_sa->get_dpd_action(child_sa);
1898 }
1899 switch (action)
1900 {
1901 case ACTION_RESTART:
1902 restart = TRUE;
1903 break;
1904 case ACTION_ROUTE:
1905 charon->traps->install(charon->traps, this->peer_cfg,
1906 child_sa->get_config(child_sa),
1907 child_sa->get_reqid(child_sa));
1908 break;
1909 default:
1910 break;
1911 }
1912 }
1913 enumerator->destroy(enumerator);
1914 /* check if we have tasks that recreate children */
1915 if (!restart)
1916 {
1917 restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
1918 is_child_queued(this, TASK_QUEUE_QUEUED);
1919 }
1920 #ifdef ME
1921 /* mediation connections have no children, keep them up anyway */
1922 if (this->peer_cfg->is_mediation(this->peer_cfg))
1923 {
1924 restart = TRUE;
1925 }
1926 #endif /* ME */
1927 }
1928 if (!restart)
1929 {
1930 return FAILED;
1931 }
1932
1933 /* check if we are able to reestablish this IKE_SA */
1934 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1935 (array_count(this->other_vips) != 0 ||
1936 has_condition(this, COND_EAP_AUTHENTICATED)
1937 #ifdef ME
1938 || this->is_mediation_server
1939 #endif /* ME */
1940 ))
1941 {
1942 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
1943 return FAILED;
1944 }
1945
1946 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1947 this->version, TRUE);
1948 if (!new)
1949 {
1950 return FAILED;
1951 }
1952 new->set_peer_cfg(new, this->peer_cfg);
1953 host = this->other_host;
1954 new->set_other_host(new, host->clone(host));
1955 host = this->my_host;
1956 new->set_my_host(new, host->clone(host));
1957 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
1958 if (!has_condition(this, COND_REAUTHENTICATING))
1959 { /* reauthenticate to the same addresses, but resolve hosts if
1960 * reestablishing (old addresses serve as fallback) */
1961 resolve_hosts((private_ike_sa_t*)new);
1962 }
1963 /* if we already have a virtual IP, we reuse it */
1964 enumerator = array_create_enumerator(this->my_vips);
1965 while (enumerator->enumerate(enumerator, &host))
1966 {
1967 new->add_virtual_ip(new, TRUE, host);
1968 }
1969 enumerator->destroy(enumerator);
1970
1971 #ifdef ME
1972 if (this->peer_cfg->is_mediation(this->peer_cfg))
1973 {
1974 status = new->initiate(new, NULL, 0, NULL, NULL);
1975 }
1976 else
1977 #endif /* ME */
1978 {
1979 status = reestablish_children(this, new,
1980 has_condition(this, COND_REAUTHENTICATING));
1981 }
1982
1983 if (status == DESTROY_ME)
1984 {
1985 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
1986 FALSE);
1987 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1988 status = FAILED;
1989 }
1990 else
1991 {
1992 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
1993 TRUE);
1994 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1995 status = SUCCESS;
1996 }
1997 charon->bus->set_sa(charon->bus, &this->public);
1998 return status;
1999 }
2000
2001 /**
2002 * Resolve the given gateway ID
2003 */
2004 static host_t *resolve_gateway_id(identification_t *gateway)
2005 {
2006 char gw[BUF_LEN];
2007 host_t *addr;
2008
2009 snprintf(gw, sizeof(gw), "%Y", gateway);
2010 gw[sizeof(gw)-1] = '\0';
2011 addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT);
2012 if (!addr)
2013 {
2014 DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed",
2015 gateway);
2016 }
2017 return addr;
2018 }
2019
2020 /**
2021 * Redirect the current SA to the given target host
2022 */
2023 static bool redirect_established(private_ike_sa_t *this, identification_t *to)
2024 {
2025 private_ike_sa_t *new_priv;
2026 ike_sa_t *new;
2027 host_t *other;
2028 time_t redirect;
2029
2030 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
2031 this->version, TRUE);
2032 if (!new)
2033 {
2034 return FALSE;
2035 }
2036 new_priv = (private_ike_sa_t*)new;
2037 new->set_peer_cfg(new, this->peer_cfg);
2038 new_priv->redirected_from = this->other_host->clone(this->other_host);
2039 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2040 other = resolve_gateway_id(to);
2041 if (other)
2042 {
2043 set_my_host(new_priv, this->my_host->clone(this->my_host));
2044 /* this allows us to force the remote address while we still properly
2045 * resolve the local address */
2046 new_priv->remote_host = other;
2047 resolve_hosts(new_priv);
2048 new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2049 while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect))
2050 {
2051 array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect);
2052 }
2053 if (reestablish_children(this, new, TRUE) != DESTROY_ME)
2054 {
2055 #ifdef USE_IKEV2
2056 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
2057 this->ike_sa_id));
2058 #endif
2059 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2060 TRUE);
2061 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2062 charon->bus->set_sa(charon->bus, &this->public);
2063 return TRUE;
2064 }
2065 }
2066 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2067 FALSE);
2068 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2069 charon->bus->set_sa(charon->bus, &this->public);
2070 return FALSE;
2071 }
2072
2073 /**
2074 * Redirect the current connecting SA to the given target host
2075 */
2076 static bool redirect_connecting(private_ike_sa_t *this, identification_t *to)
2077 {
2078 host_t *other;
2079
2080 other = resolve_gateway_id(to);
2081 if (!other)
2082 {
2083 return FALSE;
2084 }
2085 reset(this);
2086 DESTROY_IF(this->redirected_from);
2087 this->redirected_from = this->other_host->clone(this->other_host);
2088 DESTROY_IF(this->remote_host);
2089 /* this allows us to force the remote address while we still properly
2090 * resolve the local address */
2091 this->remote_host = other;
2092 resolve_hosts(this);
2093 return TRUE;
2094 }
2095
2096 /**
2097 * Check if the current redirect exceeds the limits for redirects
2098 */
2099 static bool redirect_count_exceeded(private_ike_sa_t *this)
2100 {
2101 time_t now, redirect;
2102
2103 now = time_monotonic(NULL);
2104 /* remove entries outside the defined period */
2105 while (array_get(this->redirected_at, ARRAY_HEAD, &redirect) &&
2106 now - redirect >= REDIRECT_LOOP_DETECT_PERIOD)
2107 {
2108 array_remove(this->redirected_at, ARRAY_HEAD, NULL);
2109 }
2110 if (array_count(this->redirected_at) < MAX_REDIRECTS)
2111 {
2112 if (!this->redirected_at)
2113 {
2114 this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2115 }
2116 array_insert(this->redirected_at, ARRAY_TAIL, &now);
2117 return FALSE;
2118 }
2119 return TRUE;
2120 }
2121
2122 METHOD(ike_sa_t, handle_redirect, bool,
2123 private_ike_sa_t *this, identification_t *gateway)
2124 {
2125 DBG1(DBG_IKE, "redirected to %Y", gateway);
2126 if (!this->follow_redirects)
2127 {
2128 DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
2129 return FALSE;
2130 }
2131 if (redirect_count_exceeded(this))
2132 {
2133 DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds",
2134 MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD);
2135 return FALSE;
2136 }
2137
2138 switch (this->state)
2139 {
2140 case IKE_CONNECTING:
2141 return redirect_connecting(this, gateway);
2142 case IKE_ESTABLISHED:
2143 return redirect_established(this, gateway);
2144 default:
2145 DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N",
2146 ike_sa_state_names, this->state);
2147 return FALSE;
2148 }
2149 }
2150
2151 METHOD(ike_sa_t, redirect, status_t,
2152 private_ike_sa_t *this, identification_t *gateway)
2153 {
2154 switch (this->state)
2155 {
2156 case IKE_CONNECTING:
2157 case IKE_ESTABLISHED:
2158 case IKE_REKEYING:
2159 if (has_condition(this, COND_REDIRECTED))
2160 { /* IKE_SA already got redirected */
2161 return SUCCESS;
2162 }
2163 if (has_condition(this, COND_ORIGINAL_INITIATOR))
2164 {
2165 DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator");
2166 return FAILED;
2167 }
2168 if (this->version == IKEV1)
2169 {
2170 DBG1(DBG_IKE, "unable to redirect IKEv1 SA");
2171 return FAILED;
2172 }
2173 if (!supports_extension(this, EXT_IKE_REDIRECTION))
2174 {
2175 DBG1(DBG_IKE, "client does not support IKE redirection");
2176 return FAILED;
2177 }
2178 #ifdef USE_IKEV2
2179 this->task_manager->queue_task(this->task_manager,
2180 (task_t*)ike_redirect_create(&this->public, gateway));
2181 #endif
2182 return this->task_manager->initiate(this->task_manager);
2183 default:
2184 DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N",
2185 ike_sa_state_names, this->state);
2186 return INVALID_STATE;
2187 }
2188 }
2189
2190 METHOD(ike_sa_t, retransmit, status_t,
2191 private_ike_sa_t *this, u_int32_t message_id)
2192 {
2193 if (this->state == IKE_PASSIVE)
2194 {
2195 return INVALID_STATE;
2196 }
2197 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
2198 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
2199 {
2200 /* send a proper signal to brief interested bus listeners */
2201 switch (this->state)
2202 {
2203 case IKE_CONNECTING:
2204 {
2205 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
2206 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
2207 charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
2208 this->keyingtry);
2209 this->keyingtry++;
2210 if (tries == 0 || tries > this->keyingtry)
2211 {
2212 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
2213 this->keyingtry + 1, tries);
2214 reset(this);
2215 resolve_hosts(this);
2216 this->task_manager->queue_ike(this->task_manager);
2217 return this->task_manager->initiate(this->task_manager);
2218 }
2219 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
2220 break;
2221 }
2222 case IKE_DELETING:
2223 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
2224 if (has_condition(this, COND_REAUTHENTICATING))
2225 {
2226 DBG1(DBG_IKE, "delete during reauthentication failed, "
2227 "trying to reestablish IKE_SA anyway");
2228 reestablish(this);
2229 }
2230 break;
2231 case IKE_REKEYING:
2232 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
2233 /* FALL */
2234 default:
2235 reestablish(this);
2236 break;
2237 }
2238 if (this->state != IKE_CONNECTING)
2239 {
2240 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
2241 }
2242 return DESTROY_ME;
2243 }
2244 return SUCCESS;
2245 }
2246
2247 METHOD(ike_sa_t, set_auth_lifetime, status_t,
2248 private_ike_sa_t *this, u_int32_t lifetime)
2249 {
2250 u_int32_t diff, hard, soft, now;
2251 bool send_update;
2252
2253 diff = this->peer_cfg->get_over_time(this->peer_cfg);
2254 now = time_monotonic(NULL);
2255 hard = now + lifetime;
2256 soft = hard - diff;
2257
2258 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2259 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2260 send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
2261 !has_condition(this, COND_ORIGINAL_INITIATOR) &&
2262 (array_count(this->other_vips) != 0 ||
2263 has_condition(this, COND_EAP_AUTHENTICATED));
2264
2265 if (lifetime < diff)
2266 {
2267 this->stats[STAT_REAUTH] = now;
2268
2269 if (!send_update)
2270 {
2271 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2272 "starting reauthentication", lifetime);
2273 lib->processor->queue_job(lib->processor,
2274 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
2275 }
2276 }
2277 else if (this->stats[STAT_REAUTH] == 0 ||
2278 this->stats[STAT_REAUTH] > soft)
2279 {
2280 this->stats[STAT_REAUTH] = soft;
2281 if (!send_update)
2282 {
2283 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling "
2284 "reauthentication in %ds", lifetime, lifetime - diff);
2285 lib->scheduler->schedule_job(lib->scheduler,
2286 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2287 lifetime - diff);
2288 }
2289 }
2290 else
2291 {
2292 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2293 "reauthentication already scheduled in %ds", lifetime,
2294 this->stats[STAT_REAUTH] - time_monotonic(NULL));
2295 send_update = FALSE;
2296 }
2297 /* give at least some seconds to reauthenticate */
2298 this->stats[STAT_DELETE] = max(hard, now + 10);
2299
2300 #ifdef USE_IKEV2
2301 if (send_update)
2302 {
2303 ike_auth_lifetime_t *task;
2304
2305 task = ike_auth_lifetime_create(&this->public, TRUE);
2306 this->task_manager->queue_task(this->task_manager, &task->task);
2307 return this->task_manager->initiate(this->task_manager);
2308 }
2309 #endif
2310 return SUCCESS;
2311 }
2312
2313 /**
2314 * Check if the current combination of source and destination address is still
2315 * valid.
2316 */
2317 static bool is_current_path_valid(private_ike_sa_t *this)
2318 {
2319 bool valid = FALSE;
2320 host_t *src;
2321 src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2322 this->my_host);
2323 if (src)
2324 {
2325 if (src->ip_equals(src, this->my_host))
2326 {
2327 valid = TRUE;
2328 }
2329 src->destroy(src);
2330 }
2331 return valid;
2332 }
2333
2334 /**
2335 * Check if we have any path avialable for this IKE SA.
2336 */
2337 static bool is_any_path_valid(private_ike_sa_t *this)
2338 {
2339 bool valid = FALSE;
2340 enumerator_t *enumerator;
2341 host_t *src = NULL, *addr;
2342 int family = AF_UNSPEC;
2343
2344 switch (charon->socket->supported_families(charon->socket))
2345 {
2346 case SOCKET_FAMILY_IPV4:
2347 family = AF_INET;
2348 break;
2349 case SOCKET_FAMILY_IPV6:
2350 family = AF_INET6;
2351 break;
2352 case SOCKET_FAMILY_BOTH:
2353 case SOCKET_FAMILY_NONE:
2354 break;
2355 }
2356
2357 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
2358 enumerator = create_peer_address_enumerator(this);
2359 while (enumerator->enumerate(enumerator, &addr))
2360 {
2361 if (family != AF_UNSPEC && addr->get_family(addr) != family)
2362 {
2363 continue;
2364 }
2365 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
2366 src = charon->kernel->get_source_addr(charon->kernel, addr, NULL);
2367 if (src)
2368 {
2369 break;
2370 }
2371 }
2372 enumerator->destroy(enumerator);
2373 if (src)
2374 {
2375 valid = TRUE;
2376 src->destroy(src);
2377 }
2378 return valid;
2379 }
2380
2381 METHOD(ike_sa_t, roam, status_t,
2382 private_ike_sa_t *this, bool address)
2383 {
2384 switch (this->state)
2385 {
2386 case IKE_CREATED:
2387 case IKE_DELETING:
2388 case IKE_DESTROYING:
2389 case IKE_PASSIVE:
2390 return SUCCESS;
2391 default:
2392 break;
2393 }
2394
2395 /* keep existing path if possible */
2396 if (is_current_path_valid(this))
2397 {
2398 DBG2(DBG_IKE, "keeping connection path %H - %H",
2399 this->my_host, this->other_host);
2400 set_condition(this, COND_STALE, FALSE);
2401
2402 if (supports_extension(this, EXT_MOBIKE) && address)
2403 { /* if any addresses changed, send an updated list */
2404 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2405 this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
2406 return this->task_manager->initiate(this->task_manager);
2407 }
2408 return SUCCESS;
2409 }
2410
2411 if (!is_any_path_valid(this))
2412 {
2413 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
2414 this->other_host);
2415 set_condition(this, COND_STALE, TRUE);
2416 return SUCCESS;
2417 }
2418 set_condition(this, COND_STALE, FALSE);
2419
2420 /* update addresses with mobike, if supported ... */
2421 if (supports_extension(this, EXT_MOBIKE))
2422 {
2423 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2424 { /* responder updates the peer about changed address config */
2425 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
2426 "implicitly requesting an address change");
2427 address = TRUE;
2428 }
2429 else
2430 {
2431 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2432 }
2433 this->task_manager->queue_mobike(this->task_manager, TRUE, address);
2434 return this->task_manager->initiate(this->task_manager);
2435 }
2436
2437 /* ... reauth if not */
2438 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2439 { /* responder does not reauthenticate */
2440 set_condition(this, COND_STALE, TRUE);
2441 return SUCCESS;
2442 }
2443 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2444 /* since our previous path is not valid anymore, try and find a new one */
2445 resolve_hosts(this);
2446 return reauth(this);
2447 }
2448
2449 METHOD(ike_sa_t, add_configuration_attribute, void,
2450 private_ike_sa_t *this, attribute_handler_t *handler,
2451 configuration_attribute_type_t type, chunk_t data)
2452 {
2453 attribute_entry_t entry = {
2454 .handler = handler,
2455 .type = type,
2456 .data = chunk_clone(data),
2457 };
2458 array_insert(this->attributes, ARRAY_TAIL, &entry);
2459 }
2460
2461 /**
2462 * Enumerator filter for attributes
2463 */
2464 static bool filter_attribute(void *null, attribute_entry_t **in,
2465 configuration_attribute_type_t *type, void *in2,
2466 chunk_t *data, void *in3, bool *handled)
2467 {
2468 *type = (*in)->type;
2469 *data = (*in)->data;
2470 *handled = (*in)->handler != NULL;
2471 return TRUE;
2472 }
2473
2474 METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*,
2475 private_ike_sa_t *this)
2476 {
2477 return enumerator_create_filter(array_create_enumerator(this->attributes),
2478 (void*)filter_attribute, NULL, NULL);
2479 }
2480
2481 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
2482 private_ike_sa_t *this, task_queue_t queue)
2483 {
2484 return this->task_manager->create_task_enumerator(this->task_manager, queue);
2485 }
2486
2487 METHOD(ike_sa_t, flush_queue, void,
2488 private_ike_sa_t *this, task_queue_t queue)
2489 {
2490 this->task_manager->flush_queue(this->task_manager, queue);
2491 }
2492
2493 METHOD(ike_sa_t, queue_task, void,
2494 private_ike_sa_t *this, task_t *task)
2495 {
2496 this->task_manager->queue_task(this->task_manager, task);
2497 }
2498
2499 METHOD(ike_sa_t, inherit_pre, void,
2500 private_ike_sa_t *this, ike_sa_t *other_public)
2501 {
2502 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2503
2504 /* apply config and hosts */
2505 set_peer_cfg(this, other->peer_cfg);
2506 set_my_host(this, other->my_host->clone(other->my_host));
2507 set_other_host(this, other->other_host->clone(other->other_host));
2508
2509 /* apply extensions and conditions with a few exceptions */
2510 this->extensions = other->extensions;
2511 this->conditions = other->conditions;
2512 this->conditions &= ~COND_STALE;
2513 this->conditions &= ~COND_REAUTHENTICATING;
2514 }
2515
2516 METHOD(ike_sa_t, inherit_post, void,
2517 private_ike_sa_t *this, ike_sa_t *other_public)
2518 {
2519 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2520 child_sa_t *child_sa;
2521 enumerator_t *enumerator;
2522 attribute_entry_t entry;
2523 auth_cfg_t *cfg;
2524 host_t *vip;
2525
2526 /* apply hosts and ids */
2527 this->my_host->destroy(this->my_host);
2528 this->other_host->destroy(this->other_host);
2529 this->my_id->destroy(this->my_id);
2530 this->other_id->destroy(this->other_id);
2531 this->my_host = other->my_host->clone(other->my_host);
2532 this->other_host = other->other_host->clone(other->other_host);
2533 this->my_id = other->my_id->clone(other->my_id);
2534 this->other_id = other->other_id->clone(other->other_id);
2535
2536 /* apply assigned virtual IPs... */
2537 while (array_remove(other->my_vips, ARRAY_HEAD, &vip))
2538 {
2539 array_insert_create(&this->my_vips, ARRAY_TAIL, vip);
2540 }
2541 while (array_remove(other->other_vips, ARRAY_HEAD, &vip))
2542 {
2543 array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
2544 }
2545
2546 /* MOBIKE additional addresses */
2547 while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip))
2548 {
2549 array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip);
2550 }
2551
2552 /* authentication information */
2553 enumerator = array_create_enumerator(other->my_auths);
2554 while (enumerator->enumerate(enumerator, &cfg))
2555 {
2556 array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg));
2557 }
2558 enumerator->destroy(enumerator);
2559 enumerator = array_create_enumerator(other->other_auths);
2560 while (enumerator->enumerate(enumerator, &cfg))
2561 {
2562 array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg));
2563 }
2564 enumerator->destroy(enumerator);
2565
2566 /* ... and configuration attributes */
2567 while (array_remove(other->attributes, ARRAY_HEAD, &entry))
2568 {
2569 array_insert(this->attributes, ARRAY_TAIL, &entry);
2570 }
2571
2572 /* inherit all conditions */
2573 this->conditions = other->conditions;
2574 if (this->conditions & COND_NAT_HERE)
2575 {
2576 send_keepalive(this, FALSE);
2577 }
2578
2579 #ifdef ME
2580 if (other->is_mediation_server)
2581 {
2582 act_as_mediation_server(this);
2583 }
2584 else if (other->server_reflexive_host)
2585 {
2586 this->server_reflexive_host = other->server_reflexive_host->clone(
2587 other->server_reflexive_host);
2588 }
2589 #endif /* ME */
2590
2591 /* adopt all children */
2592 while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
2593 {
2594 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2595 add_child_sa(this, child_sa);
2596 }
2597
2598 /* move pending tasks to the new IKE_SA */
2599 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2600
2601 /* reauthentication timeout survives a rekeying */
2602 if (other->stats[STAT_REAUTH])
2603 {
2604 time_t reauth, delete, now = time_monotonic(NULL);
2605
2606 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2607 reauth = this->stats[STAT_REAUTH] - now;
2608 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2609 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2610 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2611 "lifetime reduced to %ds", reauth, delete);
2612 lib->scheduler->schedule_job(lib->scheduler,
2613 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2614 lib->scheduler->schedule_job(lib->scheduler,
2615 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2616 }
2617 }
2618
2619 METHOD(ike_sa_t, destroy, void,
2620 private_ike_sa_t *this)
2621 {
2622 attribute_entry_t entry;
2623 child_sa_t *child_sa;
2624 host_t *vip;
2625
2626 charon->bus->set_sa(charon->bus, &this->public);
2627
2628 set_state(this, IKE_DESTROYING);
2629 if (this->task_manager)
2630 {
2631 this->task_manager->flush(this->task_manager);
2632 }
2633
2634 /* remove attributes first, as we pass the IKE_SA to the handler */
2635 charon->bus->handle_vips(charon->bus, &this->public, FALSE);
2636 while (array_remove(this->attributes, ARRAY_TAIL, &entry))
2637 {
2638 if (entry.handler)
2639 {
2640 charon->attributes->release(charon->attributes, entry.handler,
2641 &this->public, entry.type, entry.data);
2642 }
2643 free(entry.data.ptr);
2644 }
2645 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
2646 * routes that the CHILD_SA tries to uninstall. */
2647 while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
2648 {
2649 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2650 child_sa->destroy(child_sa);
2651 }
2652 while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
2653 {
2654 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
2655 vip->destroy(vip);
2656 }
2657 if (array_count(this->other_vips))
2658 {
2659 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
2660 }
2661 while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
2662 {
2663 if (this->peer_cfg)
2664 {
2665 linked_list_t *pools;
2666
2667 pools = linked_list_create_from_enumerator(
2668 this->peer_cfg->create_pool_enumerator(this->peer_cfg));
2669 charon->attributes->release_address(charon->attributes,
2670 pools, vip, &this->public);
2671 pools->destroy(pools);
2672 }
2673 vip->destroy(vip);
2674 }
2675
2676 /* unset SA after here to avoid usage by the listeners */
2677 charon->bus->set_sa(charon->bus, NULL);
2678
2679 array_destroy(this->child_sas);
2680 DESTROY_IF(this->task_manager);
2681 DESTROY_IF(this->keymat);
2682 array_destroy(this->attributes);
2683 array_destroy(this->my_vips);
2684 array_destroy(this->other_vips);
2685 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
2686 #ifdef ME
2687 if (this->is_mediation_server)
2688 {
2689 charon->mediation_manager->remove(charon->mediation_manager,
2690 this->ike_sa_id);
2691 }
2692 DESTROY_IF(this->server_reflexive_host);
2693 chunk_free(&this->connect_id);
2694 #endif /* ME */
2695 free(this->nat_detection_dest.ptr);
2696
2697 DESTROY_IF(this->my_host);
2698 DESTROY_IF(this->other_host);
2699 DESTROY_IF(this->my_id);
2700 DESTROY_IF(this->other_id);
2701 DESTROY_IF(this->local_host);
2702 DESTROY_IF(this->remote_host);
2703 DESTROY_IF(this->redirected_from);
2704 array_destroy(this->redirected_at);
2705
2706 DESTROY_IF(this->ike_cfg);
2707 DESTROY_IF(this->peer_cfg);
2708 DESTROY_IF(this->proposal);
2709 this->my_auth->destroy(this->my_auth);
2710 this->other_auth->destroy(this->other_auth);
2711 array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
2712 array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));
2713
2714 this->ike_sa_id->destroy(this->ike_sa_id);
2715 free(this);
2716 }
2717
2718 /*
2719 * Described in header.
2720 */
2721 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
2722 ike_version_t version)
2723 {
2724 private_ike_sa_t *this;
2725 static refcount_t unique_id = 0;
2726
2727 if (version == IKE_ANY)
2728 { /* prefer IKEv2 if protocol not specified */
2729 #ifdef USE_IKEV2
2730 version = IKEV2;
2731 #else
2732 version = IKEV1;
2733 #endif
2734 }
2735
2736 INIT(this,
2737 .public = {
2738 .get_version = _get_version,
2739 .get_state = _get_state,
2740 .set_state = _set_state,
2741 .get_name = _get_name,
2742 .get_statistic = _get_statistic,
2743 .set_statistic = _set_statistic,
2744 .process_message = _process_message,
2745 .initiate = _initiate,
2746 .retry_initiate = _retry_initiate,
2747 .get_ike_cfg = _get_ike_cfg,
2748 .set_ike_cfg = _set_ike_cfg,
2749 .get_peer_cfg = _get_peer_cfg,
2750 .set_peer_cfg = _set_peer_cfg,
2751 .get_auth_cfg = _get_auth_cfg,
2752 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
2753 .add_auth_cfg = _add_auth_cfg,
2754 .get_proposal = _get_proposal,
2755 .set_proposal = _set_proposal,
2756 .get_id = _get_id,
2757 .get_my_host = _get_my_host,
2758 .set_my_host = _set_my_host,
2759 .get_other_host = _get_other_host,
2760 .set_other_host = _set_other_host,
2761 .set_message_id = _set_message_id,
2762 .float_ports = _float_ports,
2763 .update_hosts = _update_hosts,
2764 .get_my_id = _get_my_id,
2765 .set_my_id = _set_my_id,
2766 .get_other_id = _get_other_id,
2767 .set_other_id = _set_other_id,
2768 .get_other_eap_id = _get_other_eap_id,
2769 .enable_extension = _enable_extension,
2770 .supports_extension = _supports_extension,
2771 .set_condition = _set_condition,
2772 .has_condition = _has_condition,
2773 .set_pending_updates = _set_pending_updates,
2774 .get_pending_updates = _get_pending_updates,
2775 .create_peer_address_enumerator = _create_peer_address_enumerator,
2776 .add_peer_address = _add_peer_address,
2777 .clear_peer_addresses = _clear_peer_addresses,
2778 .has_mapping_changed = _has_mapping_changed,
2779 .retransmit = _retransmit,
2780 .delete = _delete_,
2781 .destroy = _destroy,
2782 .send_dpd = _send_dpd,
2783 .send_keepalive = _send_keepalive,
2784 .redirect = _redirect,
2785 .handle_redirect = _handle_redirect,
2786 .get_redirected_from = _get_redirected_from,
2787 .get_keymat = _get_keymat,
2788 .add_child_sa = _add_child_sa,
2789 .get_child_sa = _get_child_sa,
2790 .get_child_count = _get_child_count,
2791 .create_child_sa_enumerator = _create_child_sa_enumerator,
2792 .remove_child_sa = _remove_child_sa,
2793 .rekey_child_sa = _rekey_child_sa,
2794 .delete_child_sa = _delete_child_sa,
2795 .destroy_child_sa = _destroy_child_sa,
2796 .rekey = _rekey,
2797 .reauth = _reauth,
2798 .reestablish = _reestablish,
2799 .set_auth_lifetime = _set_auth_lifetime,
2800 .roam = _roam,
2801 .inherit_pre = _inherit_pre,
2802 .inherit_post = _inherit_post,
2803 .generate_message = _generate_message,
2804 .generate_message_fragmented = _generate_message_fragmented,
2805 .reset = _reset,
2806 .get_unique_id = _get_unique_id,
2807 .add_virtual_ip = _add_virtual_ip,
2808 .clear_virtual_ips = _clear_virtual_ips,
2809 .create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
2810 .add_configuration_attribute = _add_configuration_attribute,
2811 .create_attribute_enumerator = _create_attribute_enumerator,
2812 .set_kmaddress = _set_kmaddress,
2813 .create_task_enumerator = _create_task_enumerator,
2814 .flush_queue = _flush_queue,
2815 .queue_task = _queue_task,
2816 #ifdef ME
2817 .act_as_mediation_server = _act_as_mediation_server,
2818 .get_server_reflexive_host = _get_server_reflexive_host,
2819 .set_server_reflexive_host = _set_server_reflexive_host,
2820 .get_connect_id = _get_connect_id,
2821 .initiate_mediation = _initiate_mediation,
2822 .initiate_mediated = _initiate_mediated,
2823 .relay = _relay,
2824 .callback = _callback,
2825 .respond = _respond,
2826 #endif /* ME */
2827 },
2828 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
2829 .version = version,
2830 .my_host = host_create_any(AF_INET),
2831 .other_host = host_create_any(AF_INET),
2832 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2833 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2834 .keymat = keymat_create(version, initiator),
2835 .state = IKE_CREATED,
2836 .stats[STAT_INBOUND] = time_monotonic(NULL),
2837 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
2838 .my_auth = auth_cfg_create(),
2839 .other_auth = auth_cfg_create(),
2840 .my_auths = array_create(0, 0),
2841 .other_auths = array_create(0, 0),
2842 .attributes = array_create(sizeof(attribute_entry_t), 0),
2843 .unique_id = ref_get(&unique_id),
2844 .keepalive_interval = lib->settings->get_time(lib->settings,
2845 "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns),
2846 .retry_initiate_interval = lib->settings->get_time(lib->settings,
2847 "%s.retry_initiate_interval", 0, lib->ns),
2848 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
2849 "%s.flush_auth_cfg", FALSE, lib->ns),
2850 .fragment_size = lib->settings->get_int(lib->settings,
2851 "%s.fragment_size", 0, lib->ns),
2852 .follow_redirects = lib->settings->get_bool(lib->settings,
2853 "%s.follow_redirects", TRUE, lib->ns),
2854 );
2855
2856 if (version == IKEV2)
2857 { /* always supported with IKEv2 */
2858 enable_extension(this, EXT_DPD);
2859 }
2860
2861 this->task_manager = task_manager_create(&this->public);
2862 this->my_host->set_port(this->my_host,
2863 charon->socket->get_port(charon->socket, FALSE));
2864
2865 if (!this->task_manager || !this->keymat)
2866 {
2867 DBG1(DBG_IKE, "IKE version %d not supported", this->version);
2868 destroy(this);
2869 return NULL;
2870 }
2871 return &this->public;
2872 }