projects / strongswan.git / blob
? search:


e3744b6c0cc62828e6938ac2a11001ac316e9c68
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2012 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <string.h>
20 #include <sys/stat.h>
21 #include <errno.h>
22 #include <time.h>
23
24 #include "ike_sa.h"
25
26 #include <library.h>
27 #include <hydra.h>
28 #include <daemon.h>
29 #include <utils/linked_list.h>
30 #include <utils/lexparser.h>
31 #include <processing/jobs/retransmit_job.h>
32 #include <processing/jobs/delete_ike_sa_job.h>
33 #include <processing/jobs/send_dpd_job.h>
34 #include <processing/jobs/send_keepalive_job.h>
35 #include <processing/jobs/rekey_ike_sa_job.h>
36 #include <processing/jobs/retry_initiate_job.h>
37 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
38
39 #ifdef ME
40 #include <sa/ikev2/tasks/ike_me.h>
41 #include <processing/jobs/initiate_mediation_job.h>
42 #endif
43
44 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
45 "CREATED",
46 "CONNECTING",
47 "ESTABLISHED",
48 "PASSIVE",
49 "REKEYING",
50 "DELETING",
51 "DESTROYING",
52 );
53
54 typedef struct private_ike_sa_t private_ike_sa_t;
55 typedef struct attribute_entry_t attribute_entry_t;
56
57 /**
58 * Private data of an ike_sa_t object.
59 */
60 struct private_ike_sa_t {
61
62 /**
63 * Public members
64 */
65 ike_sa_t public;
66
67 /**
68 * Identifier for the current IKE_SA.
69 */
70 ike_sa_id_t *ike_sa_id;
71
72 /**
73 * IKE version of this SA.
74 */
75 ike_version_t version;
76
77 /**
78 * unique numerical ID for this IKE_SA.
79 */
80 u_int32_t unique_id;
81
82 /**
83 * Current state of the IKE_SA
84 */
85 ike_sa_state_t state;
86
87 /**
88 * IKE configuration used to set up this IKE_SA
89 */
90 ike_cfg_t *ike_cfg;
91
92 /**
93 * Peer and authentication information to establish IKE_SA.
94 */
95 peer_cfg_t *peer_cfg;
96
97 /**
98 * currently used authentication ruleset, local (as auth_cfg_t)
99 */
100 auth_cfg_t *my_auth;
101
102 /**
103 * list of completed local authentication rounds
104 */
105 linked_list_t *my_auths;
106
107 /**
108 * list of completed remote authentication rounds
109 */
110 linked_list_t *other_auths;
111
112 /**
113 * currently used authentication constraints, remote (as auth_cfg_t)
114 */
115 auth_cfg_t *other_auth;
116
117 /**
118 * Selected IKE proposal
119 */
120 proposal_t *proposal;
121
122 /**
123 * Juggles tasks to process messages
124 */
125 task_manager_t *task_manager;
126
127 /**
128 * Address of local host
129 */
130 host_t *my_host;
131
132 /**
133 * Address of remote host
134 */
135 host_t *other_host;
136
137 #ifdef ME
138 /**
139 * Are we mediation server
140 */
141 bool is_mediation_server;
142
143 /**
144 * Server reflexive host
145 */
146 host_t *server_reflexive_host;
147
148 /**
149 * Connect ID
150 */
151 chunk_t connect_id;
152 #endif /* ME */
153
154 /**
155 * Identification used for us
156 */
157 identification_t *my_id;
158
159 /**
160 * Identification used for other
161 */
162 identification_t *other_id;
163
164 /**
165 * set of extensions the peer supports
166 */
167 ike_extension_t extensions;
168
169 /**
170 * set of condition flags currently enabled for this IKE_SA
171 */
172 ike_condition_t conditions;
173
174 /**
175 * Linked List containing the child sa's of the current IKE_SA.
176 */
177 linked_list_t *child_sas;
178
179 /**
180 * keymat of this IKE_SA
181 */
182 keymat_t *keymat;
183
184 /**
185 * Virtual IPs on local host
186 */
187 linked_list_t *my_vips;
188
189 /**
190 * Virtual IPs on remote host
191 */
192 linked_list_t *other_vips;
193
194 /**
195 * List of configuration attributes (attribute_entry_t)
196 */
197 linked_list_t *attributes;
198
199 /**
200 * list of peer's addresses, additional ones transmitted via MOBIKE
201 */
202 linked_list_t *peer_addresses;
203
204 /**
205 * previously value of received DESTINATION_IP hash
206 */
207 chunk_t nat_detection_dest;
208
209 /**
210 * number pending UPDATE_SA_ADDRESS (MOBIKE)
211 */
212 u_int32_t pending_updates;
213
214 /**
215 * NAT keep alive interval
216 */
217 u_int32_t keepalive_interval;
218
219 /**
220 * interval for retries during initiation (e.g. if DNS resolution failed),
221 * 0 to disable (default)
222 */
223 u_int32_t retry_initiate_interval;
224
225 /**
226 * TRUE if a retry_initiate_job has been queued
227 */
228 bool retry_initiate_queued;
229
230 /**
231 * Timestamps for this IKE_SA
232 */
233 u_int32_t stats[STAT_MAX];
234
235 /**
236 * how many times we have retried so far (keyingtries)
237 */
238 u_int32_t keyingtry;
239
240 /**
241 * local host address to be used for IKE, set via MIGRATE kernel message
242 */
243 host_t *local_host;
244
245 /**
246 * remote host address to be used for IKE, set via MIGRATE kernel message
247 */
248 host_t *remote_host;
249
250 /**
251 * Flush auth configs once established?
252 */
253 bool flush_auth_cfg;
254
255 /**
256 * TRUE if we are currently reauthenticating this IKE_SA
257 */
258 bool is_reauthenticating;
259 };
260
261 /**
262 * Entry to maintain install configuration attributes during IKE_SA lifetime
263 */
264 struct attribute_entry_t {
265 /** handler used to install this attribute */
266 attribute_handler_t *handler;
267 /** attribute type */
268 configuration_attribute_type_t type;
269 /** attribute data */
270 chunk_t data;
271 };
272
273 /**
274 * get the time of the latest traffic processed by the kernel
275 */
276 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
277 {
278 enumerator_t *enumerator;
279 child_sa_t *child_sa;
280 time_t use_time, current;
281
282 if (inbound)
283 {
284 use_time = this->stats[STAT_INBOUND];
285 }
286 else
287 {
288 use_time = this->stats[STAT_OUTBOUND];
289 }
290 enumerator = this->child_sas->create_enumerator(this->child_sas);
291 while (enumerator->enumerate(enumerator, &child_sa))
292 {
293 child_sa->get_usestats(child_sa, inbound, &current, NULL);
294 use_time = max(use_time, current);
295 }
296 enumerator->destroy(enumerator);
297
298 return use_time;
299 }
300
301 METHOD(ike_sa_t, get_unique_id, u_int32_t,
302 private_ike_sa_t *this)
303 {
304 return this->unique_id;
305 }
306
307 METHOD(ike_sa_t, get_name, char*,
308 private_ike_sa_t *this)
309 {
310 if (this->peer_cfg)
311 {
312 return this->peer_cfg->get_name(this->peer_cfg);
313 }
314 return "(unnamed)";
315 }
316
317 METHOD(ike_sa_t, get_statistic, u_int32_t,
318 private_ike_sa_t *this, statistic_t kind)
319 {
320 if (kind < STAT_MAX)
321 {
322 return this->stats[kind];
323 }
324 return 0;
325 }
326
327 METHOD(ike_sa_t, set_statistic, void,
328 private_ike_sa_t *this, statistic_t kind, u_int32_t value)
329 {
330 if (kind < STAT_MAX)
331 {
332 this->stats[kind] = value;
333 }
334 }
335
336 METHOD(ike_sa_t, get_my_host, host_t*,
337 private_ike_sa_t *this)
338 {
339 return this->my_host;
340 }
341
342 METHOD(ike_sa_t, set_my_host, void,
343 private_ike_sa_t *this, host_t *me)
344 {
345 DESTROY_IF(this->my_host);
346 this->my_host = me;
347 }
348
349 METHOD(ike_sa_t, get_other_host, host_t*,
350 private_ike_sa_t *this)
351 {
352 return this->other_host;
353 }
354
355 METHOD(ike_sa_t, set_other_host, void,
356 private_ike_sa_t *this, host_t *other)
357 {
358 DESTROY_IF(this->other_host);
359 this->other_host = other;
360 }
361
362 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
363 private_ike_sa_t *this)
364 {
365 return this->peer_cfg;
366 }
367
368 METHOD(ike_sa_t, set_peer_cfg, void,
369 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
370 {
371 peer_cfg->get_ref(peer_cfg);
372 DESTROY_IF(this->peer_cfg);
373 this->peer_cfg = peer_cfg;
374
375 if (this->ike_cfg == NULL)
376 {
377 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
378 this->ike_cfg->get_ref(this->ike_cfg);
379 }
380 }
381
382 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
383 private_ike_sa_t *this, bool local)
384 {
385 if (local)
386 {
387 return this->my_auth;
388 }
389 return this->other_auth;
390 }
391
392 METHOD(ike_sa_t, add_auth_cfg, void,
393 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
394 {
395 if (local)
396 {
397 this->my_auths->insert_last(this->my_auths, cfg);
398 }
399 else
400 {
401 this->other_auths->insert_last(this->other_auths, cfg);
402 }
403 }
404
405 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
406 private_ike_sa_t *this, bool local)
407 {
408 if (local)
409 {
410 return this->my_auths->create_enumerator(this->my_auths);
411 }
412 return this->other_auths->create_enumerator(this->other_auths);
413 }
414
415 /**
416 * Flush the stored authentication round information
417 */
418 static void flush_auth_cfgs(private_ike_sa_t *this)
419 {
420 auth_cfg_t *cfg;
421
422 this->my_auth->purge(this->my_auth, FALSE);
423 this->other_auth->purge(this->other_auth, FALSE);
424
425 while (this->my_auths->remove_last(this->my_auths,
426 (void**)&cfg) == SUCCESS)
427 {
428 cfg->destroy(cfg);
429 }
430 while (this->other_auths->remove_last(this->other_auths,
431 (void**)&cfg) == SUCCESS)
432 {
433 cfg->destroy(cfg);
434 }
435 }
436
437 METHOD(ike_sa_t, get_proposal, proposal_t*,
438 private_ike_sa_t *this)
439 {
440 return this->proposal;
441 }
442
443 METHOD(ike_sa_t, set_proposal, void,
444 private_ike_sa_t *this, proposal_t *proposal)
445 {
446 DESTROY_IF(this->proposal);
447 this->proposal = proposal->clone(proposal);
448 }
449
450 METHOD(ike_sa_t, set_message_id, void,
451 private_ike_sa_t *this, bool initiate, u_int32_t mid)
452 {
453 if (initiate)
454 {
455 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
456 }
457 else
458 {
459 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
460 }
461 }
462
463 METHOD(ike_sa_t, send_keepalive, void,
464 private_ike_sa_t *this)
465 {
466 send_keepalive_job_t *job;
467 time_t last_out, now, diff;
468
469 if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
470 { /* disable keep alives if we are not NATed anymore */
471 return;
472 }
473
474 last_out = get_use_time(this, FALSE);
475 now = time_monotonic(NULL);
476
477 diff = now - last_out;
478
479 if (diff >= this->keepalive_interval)
480 {
481 packet_t *packet;
482 chunk_t data;
483
484 packet = packet_create();
485 packet->set_source(packet, this->my_host->clone(this->my_host));
486 packet->set_destination(packet, this->other_host->clone(this->other_host));
487 data.ptr = malloc(1);
488 data.ptr[0] = 0xFF;
489 data.len = 1;
490 packet->set_data(packet, data);
491 DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
492 charon->sender->send_no_marker(charon->sender, packet);
493 diff = 0;
494 }
495 job = send_keepalive_job_create(this->ike_sa_id);
496 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
497 this->keepalive_interval - diff);
498 }
499
500 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
501 private_ike_sa_t *this)
502 {
503 return this->ike_cfg;
504 }
505
506 METHOD(ike_sa_t, set_ike_cfg, void,
507 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
508 {
509 ike_cfg->get_ref(ike_cfg);
510 this->ike_cfg = ike_cfg;
511 }
512
513 METHOD(ike_sa_t, enable_extension, void,
514 private_ike_sa_t *this, ike_extension_t extension)
515 {
516 this->extensions |= extension;
517 }
518
519 METHOD(ike_sa_t, supports_extension, bool,
520 private_ike_sa_t *this, ike_extension_t extension)
521 {
522 return (this->extensions & extension) != FALSE;
523 }
524
525 METHOD(ike_sa_t, has_condition, bool,
526 private_ike_sa_t *this, ike_condition_t condition)
527 {
528 return (this->conditions & condition) != FALSE;
529 }
530
531 METHOD(ike_sa_t, set_condition, void,
532 private_ike_sa_t *this, ike_condition_t condition, bool enable)
533 {
534 if (has_condition(this, condition) != enable)
535 {
536 if (enable)
537 {
538 this->conditions |= condition;
539 switch (condition)
540 {
541 case COND_NAT_HERE:
542 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
543 this->conditions |= COND_NAT_ANY;
544 send_keepalive(this);
545 break;
546 case COND_NAT_THERE:
547 DBG1(DBG_IKE, "remote host is behind NAT");
548 this->conditions |= COND_NAT_ANY;
549 break;
550 case COND_NAT_FAKE:
551 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
552 this->conditions |= COND_NAT_ANY;
553 break;
554 default:
555 break;
556 }
557 }
558 else
559 {
560 this->conditions &= ~condition;
561 switch (condition)
562 {
563 case COND_NAT_HERE:
564 case COND_NAT_FAKE:
565 case COND_NAT_THERE:
566 set_condition(this, COND_NAT_ANY,
567 has_condition(this, COND_NAT_HERE) ||
568 has_condition(this, COND_NAT_THERE) ||
569 has_condition(this, COND_NAT_FAKE));
570 break;
571 default:
572 break;
573 }
574 }
575 }
576 }
577
578 METHOD(ike_sa_t, send_dpd, status_t,
579 private_ike_sa_t *this)
580 {
581 job_t *job;
582 time_t diff, delay;
583
584 if (this->state == IKE_PASSIVE)
585 {
586 return INVALID_STATE;
587 }
588 delay = this->peer_cfg->get_dpd(this->peer_cfg);
589 if (this->task_manager->busy(this->task_manager))
590 {
591 /* an exchange is in the air, no need to start a DPD check */
592 diff = 0;
593 }
594 else
595 {
596 /* check if there was any inbound traffic */
597 time_t last_in, now;
598 last_in = get_use_time(this, TRUE);
599 now = time_monotonic(NULL);
600 diff = now - last_in;
601 if (!delay || diff >= delay)
602 {
603 /* to long ago, initiate dead peer detection */
604 DBG1(DBG_IKE, "sending DPD request");
605 this->task_manager->queue_dpd(this->task_manager);
606 diff = 0;
607 }
608 }
609 /* recheck in "interval" seconds */
610 if (delay)
611 {
612 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
613 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
614 }
615 return this->task_manager->initiate(this->task_manager);
616 }
617
618 METHOD(ike_sa_t, get_state, ike_sa_state_t,
619 private_ike_sa_t *this)
620 {
621 return this->state;
622 }
623
624 METHOD(ike_sa_t, set_state, void,
625 private_ike_sa_t *this, ike_sa_state_t state)
626 {
627 bool trigger_dpd = FALSE;
628
629 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
630 get_name(this), this->unique_id,
631 ike_sa_state_names, this->state,
632 ike_sa_state_names, state);
633
634 switch (state)
635 {
636 case IKE_ESTABLISHED:
637 {
638 if (this->state == IKE_CONNECTING ||
639 this->state == IKE_PASSIVE)
640 {
641 job_t *job;
642 u_int32_t t;
643
644 /* calculate rekey, reauth and lifetime */
645 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
646
647 /* schedule rekeying if we have a time which is smaller than
648 * an already scheduled rekeying */
649 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
650 if (t && (this->stats[STAT_REKEY] == 0 ||
651 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
652 {
653 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
654 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
655 lib->scheduler->schedule_job(lib->scheduler, job, t);
656 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
657 }
658 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
659 if (t && (this->stats[STAT_REAUTH] == 0 ||
660 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
661 {
662 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
663 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
664 lib->scheduler->schedule_job(lib->scheduler, job, t);
665 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
666 }
667 t = this->peer_cfg->get_over_time(this->peer_cfg);
668 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
669 {
670 if (this->stats[STAT_REAUTH] == 0)
671 {
672 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
673 }
674 else if (this->stats[STAT_REKEY] == 0)
675 {
676 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
677 }
678 else
679 {
680 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
681 this->stats[STAT_REAUTH]);
682 }
683 this->stats[STAT_DELETE] += t;
684 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
685 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
686 lib->scheduler->schedule_job(lib->scheduler, job, t);
687 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
688 }
689 trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
690 }
691 break;
692 }
693 default:
694 break;
695 }
696 charon->bus->ike_state_change(charon->bus, &this->public, state);
697 this->state = state;
698
699 if (trigger_dpd)
700 {
701 if (supports_extension(this, EXT_DPD))
702 {
703 send_dpd(this);
704 }
705 else
706 {
707 DBG1(DBG_IKE, "DPD not supported by peer, disabled");
708 }
709 }
710 }
711
712 METHOD(ike_sa_t, reset, void,
713 private_ike_sa_t *this)
714 {
715 /* the responder ID is reset, as peer may choose another one */
716 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
717 {
718 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
719 }
720
721 set_state(this, IKE_CREATED);
722
723 flush_auth_cfgs(this);
724
725 this->keymat->destroy(this->keymat);
726 this->keymat = keymat_create(this->version,
727 this->ike_sa_id->is_initiator(this->ike_sa_id));
728
729 this->task_manager->reset(this->task_manager, 0, 0);
730 }
731
732 METHOD(ike_sa_t, get_keymat, keymat_t*,
733 private_ike_sa_t *this)
734 {
735 return this->keymat;
736 }
737
738 METHOD(ike_sa_t, add_virtual_ip, void,
739 private_ike_sa_t *this, bool local, host_t *ip)
740 {
741 if (local)
742 {
743 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
744 if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip,
745 this->my_host) == SUCCESS)
746 {
747 this->my_vips->insert_last(this->my_vips, ip->clone(ip));
748 }
749 else
750 {
751 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
752 }
753 }
754 else
755 {
756 this->other_vips->insert_last(this->other_vips, ip->clone(ip));
757 }
758 }
759
760
761 METHOD(ike_sa_t, clear_virtual_ips, void,
762 private_ike_sa_t *this, bool local)
763 {
764 linked_list_t *vips = local ? this->my_vips : this->other_vips;
765 host_t *vip;
766
767 while (vips->remove_first(vips, (void**)&vip) == SUCCESS)
768 {
769 if (local)
770 {
771 hydra->kernel_interface->del_ip(hydra->kernel_interface, vip);
772 }
773 vip->destroy(vip);
774 }
775 }
776
777 METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
778 private_ike_sa_t *this, bool local)
779 {
780 if (local)
781 {
782 return this->my_vips->create_enumerator(this->my_vips);
783 }
784 return this->other_vips->create_enumerator(this->other_vips);
785 }
786
787 METHOD(ike_sa_t, add_peer_address, void,
788 private_ike_sa_t *this, host_t *host)
789 {
790 this->peer_addresses->insert_last(this->peer_addresses, host);
791 }
792
793 METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
794 private_ike_sa_t *this)
795 {
796 if (this->peer_addresses->get_count(this->peer_addresses))
797 {
798 return this->peer_addresses->create_enumerator(this->peer_addresses);
799 }
800 /* in case we don't have MOBIKE */
801 return enumerator_create_single(this->other_host, NULL);
802 }
803
804 METHOD(ike_sa_t, clear_peer_addresses, void,
805 private_ike_sa_t *this)
806 {
807 enumerator_t *enumerator;
808 host_t *host;
809
810 enumerator = this->peer_addresses->create_enumerator(this->peer_addresses);
811 while (enumerator->enumerate(enumerator, (void**)&host))
812 {
813 this->peer_addresses->remove_at(this->peer_addresses,
814 enumerator);
815 host->destroy(host);
816 }
817 enumerator->destroy(enumerator);
818 }
819
820 METHOD(ike_sa_t, has_mapping_changed, bool,
821 private_ike_sa_t *this, chunk_t hash)
822 {
823 if (this->nat_detection_dest.ptr == NULL)
824 {
825 this->nat_detection_dest = chunk_clone(hash);
826 return FALSE;
827 }
828 if (chunk_equals(hash, this->nat_detection_dest))
829 {
830 return FALSE;
831 }
832 free(this->nat_detection_dest.ptr);
833 this->nat_detection_dest = chunk_clone(hash);
834 return TRUE;
835 }
836
837 METHOD(ike_sa_t, set_pending_updates, void,
838 private_ike_sa_t *this, u_int32_t updates)
839 {
840 this->pending_updates = updates;
841 }
842
843 METHOD(ike_sa_t, get_pending_updates, u_int32_t,
844 private_ike_sa_t *this)
845 {
846 return this->pending_updates;
847 }
848
849 METHOD(ike_sa_t, float_ports, void,
850 private_ike_sa_t *this)
851 {
852 /* do not switch if we have a custom port from MOBIKE/NAT */
853 if (this->my_host->get_port(this->my_host) ==
854 charon->socket->get_port(charon->socket, FALSE))
855 {
856 this->my_host->set_port(this->my_host,
857 charon->socket->get_port(charon->socket, TRUE));
858 }
859 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
860 {
861 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
862 }
863 }
864
865 METHOD(ike_sa_t, update_hosts, void,
866 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
867 {
868 bool update = FALSE;
869
870 if (me == NULL)
871 {
872 me = this->my_host;
873 }
874 if (other == NULL)
875 {
876 other = this->other_host;
877 }
878
879 /* apply hosts on first received message */
880 if (this->my_host->is_anyaddr(this->my_host) ||
881 this->other_host->is_anyaddr(this->other_host))
882 {
883 set_my_host(this, me->clone(me));
884 set_other_host(this, other->clone(other));
885 update = TRUE;
886 }
887 else
888 {
889 /* update our address in any case */
890 if (!me->equals(me, this->my_host))
891 {
892 set_my_host(this, me->clone(me));
893 update = TRUE;
894 }
895
896 if (!other->equals(other, this->other_host))
897 {
898 /* update others address if we are NOT NATed */
899 if (force || !has_condition(this, COND_NAT_HERE))
900 {
901 set_other_host(this, other->clone(other));
902 update = TRUE;
903 }
904 }
905 }
906
907 /* update all associated CHILD_SAs, if required */
908 if (update)
909 {
910 enumerator_t *enumerator;
911 child_sa_t *child_sa;
912
913 enumerator = this->child_sas->create_enumerator(this->child_sas);
914 while (enumerator->enumerate(enumerator, (void**)&child_sa))
915 {
916 if (child_sa->update(child_sa, this->my_host,
917 this->other_host, this->my_vips,
918 has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
919 {
920 this->public.rekey_child_sa(&this->public,
921 child_sa->get_protocol(child_sa),
922 child_sa->get_spi(child_sa, TRUE));
923 }
924 }
925 enumerator->destroy(enumerator);
926 }
927 }
928
929 METHOD(ike_sa_t, generate_message, status_t,
930 private_ike_sa_t *this, message_t *message, packet_t **packet)
931 {
932 status_t status;
933
934 if (message->is_encoded(message))
935 { /* already done */
936 *packet = message->get_packet(message);
937 return SUCCESS;
938 }
939 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
940 message->set_ike_sa_id(message, this->ike_sa_id);
941 charon->bus->message(charon->bus, message, FALSE, TRUE);
942 status = message->generate(message, this->keymat, packet);
943 if (status == SUCCESS)
944 {
945 charon->bus->message(charon->bus, message, FALSE, FALSE);
946 }
947 return status;
948 }
949
950 METHOD(ike_sa_t, set_kmaddress, void,
951 private_ike_sa_t *this, host_t *local, host_t *remote)
952 {
953 DESTROY_IF(this->local_host);
954 DESTROY_IF(this->remote_host);
955 this->local_host = local->clone(local);
956 this->remote_host = remote->clone(remote);
957 }
958
959 #ifdef ME
960 METHOD(ike_sa_t, act_as_mediation_server, void,
961 private_ike_sa_t *this)
962 {
963 charon->mediation_manager->update_sa_id(charon->mediation_manager,
964 this->other_id, this->ike_sa_id);
965 this->is_mediation_server = TRUE;
966 }
967
968 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
969 private_ike_sa_t *this)
970 {
971 return this->server_reflexive_host;
972 }
973
974 METHOD(ike_sa_t, set_server_reflexive_host, void,
975 private_ike_sa_t *this, host_t *host)
976 {
977 DESTROY_IF(this->server_reflexive_host);
978 this->server_reflexive_host = host;
979 }
980
981 METHOD(ike_sa_t, get_connect_id, chunk_t,
982 private_ike_sa_t *this)
983 {
984 return this->connect_id;
985 }
986
987 METHOD(ike_sa_t, respond, status_t,
988 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
989 {
990 ike_me_t *task = ike_me_create(&this->public, TRUE);
991 task->respond(task, peer_id, connect_id);
992 this->task_manager->queue_task(this->task_manager, (task_t*)task);
993 return this->task_manager->initiate(this->task_manager);
994 }
995
996 METHOD(ike_sa_t, callback, status_t,
997 private_ike_sa_t *this, identification_t *peer_id)
998 {
999 ike_me_t *task = ike_me_create(&this->public, TRUE);
1000 task->callback(task, peer_id);
1001 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1002 return this->task_manager->initiate(this->task_manager);
1003 }
1004
1005 METHOD(ike_sa_t, relay, status_t,
1006 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1007 chunk_t connect_key, linked_list_t *endpoints, bool response)
1008 {
1009 ike_me_t *task = ike_me_create(&this->public, TRUE);
1010 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1011 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1012 return this->task_manager->initiate(this->task_manager);
1013 }
1014
1015 METHOD(ike_sa_t, initiate_mediation, status_t,
1016 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1017 {
1018 ike_me_t *task = ike_me_create(&this->public, TRUE);
1019 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1020 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1021 return this->task_manager->initiate(this->task_manager);
1022 }
1023
1024 METHOD(ike_sa_t, initiate_mediated, status_t,
1025 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1026 {
1027 set_my_host(this, me->clone(me));
1028 set_other_host(this, other->clone(other));
1029 chunk_free(&this->connect_id);
1030 this->connect_id = chunk_clone(connect_id);
1031 return this->task_manager->initiate(this->task_manager);
1032 }
1033 #endif /* ME */
1034
1035 /**
1036 * Resolve DNS host in configuration
1037 */
1038 static void resolve_hosts(private_ike_sa_t *this)
1039 {
1040 host_t *host;
1041
1042 if (this->remote_host)
1043 {
1044 host = this->remote_host->clone(this->remote_host);
1045 host->set_port(host, IKEV2_UDP_PORT);
1046 }
1047 else
1048 {
1049 char *other_addr;
1050 u_int16_t other_port;
1051
1052 other_addr = this->ike_cfg->get_other_addr(this->ike_cfg, NULL);
1053 other_port = this->ike_cfg->get_other_port(this->ike_cfg);
1054 host = host_create_from_dns(other_addr, 0, other_port);
1055 }
1056 if (host)
1057 {
1058 set_other_host(this, host);
1059 }
1060
1061 if (this->local_host)
1062 {
1063 host = this->local_host->clone(this->local_host);
1064 host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
1065 }
1066 else
1067 {
1068 char *my_addr;
1069 u_int16_t my_port;
1070 int family = 0;
1071
1072 /* use same address family as for other */
1073 if (!this->other_host->is_anyaddr(this->other_host))
1074 {
1075 family = this->other_host->get_family(this->other_host);
1076 }
1077 my_addr = this->ike_cfg->get_my_addr(this->ike_cfg, NULL);
1078 my_port = this->ike_cfg->get_my_port(this->ike_cfg);
1079 host = host_create_from_dns(my_addr, family, my_port);
1080
1081 if (host && host->is_anyaddr(host) &&
1082 !this->other_host->is_anyaddr(this->other_host))
1083 {
1084 host->destroy(host);
1085 host = hydra->kernel_interface->get_source_addr(
1086 hydra->kernel_interface, this->other_host, NULL);
1087 if (host)
1088 {
1089 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1090 }
1091 else
1092 { /* fallback to address family specific %any(6), if configured */
1093 host = host_create_from_dns(my_addr, 0, my_port);
1094 }
1095 }
1096 }
1097 if (host)
1098 {
1099 set_my_host(this, host);
1100 }
1101 }
1102
1103 METHOD(ike_sa_t, initiate, status_t,
1104 private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
1105 traffic_selector_t *tsi, traffic_selector_t *tsr)
1106 {
1107 bool defer_initiate = FALSE;
1108
1109 if (this->state == IKE_CREATED)
1110 {
1111 if (this->my_host->is_anyaddr(this->my_host) ||
1112 this->other_host->is_anyaddr(this->other_host))
1113 {
1114 resolve_hosts(this);
1115 }
1116
1117 if (this->other_host->is_anyaddr(this->other_host)
1118 #ifdef ME
1119 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1120 #endif /* ME */
1121 )
1122 {
1123 char *addr = this->ike_cfg->get_other_addr(this->ike_cfg, NULL);
1124 bool is_anyaddr = streq(addr, "%any") || streq(addr, "%any6");
1125
1126 if (is_anyaddr || !this->retry_initiate_interval)
1127 {
1128 if (is_anyaddr)
1129 {
1130 DBG1(DBG_IKE, "unable to initiate to %s", addr);
1131 }
1132 else
1133 {
1134 DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
1135 addr);
1136 }
1137 DESTROY_IF(child_cfg);
1138 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1139 return DESTROY_ME;
1140 }
1141 DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
1142 addr, this->retry_initiate_interval);
1143 defer_initiate = TRUE;
1144 }
1145
1146 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1147 this->task_manager->queue_ike(this->task_manager);
1148 }
1149
1150 #ifdef ME
1151 if (this->peer_cfg->is_mediation(this->peer_cfg))
1152 {
1153 if (this->state == IKE_ESTABLISHED)
1154 {
1155 /* mediation connection is already established, retrigger state
1156 * change to notify bus listeners */
1157 DBG1(DBG_IKE, "mediation connection is already up");
1158 set_state(this, IKE_ESTABLISHED);
1159 }
1160 DESTROY_IF(child_cfg);
1161 }
1162 else
1163 #endif /* ME */
1164 if (child_cfg)
1165 {
1166 /* normal IKE_SA with CHILD_SA */
1167 this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1168 tsi, tsr);
1169 #ifdef ME
1170 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1171 {
1172 /* mediated connection, initiate mediation process */
1173 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1174 lib->processor->queue_job(lib->processor, job);
1175 return SUCCESS;
1176 }
1177 #endif /* ME */
1178 }
1179
1180 if (defer_initiate)
1181 {
1182 if (!this->retry_initiate_queued)
1183 {
1184 job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
1185 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
1186 this->retry_initiate_interval);
1187 this->retry_initiate_queued = TRUE;
1188 }
1189 return SUCCESS;
1190 }
1191 this->retry_initiate_queued = FALSE;
1192 return this->task_manager->initiate(this->task_manager);
1193 }
1194
1195 METHOD(ike_sa_t, retry_initiate, status_t,
1196 private_ike_sa_t *this)
1197 {
1198 if (this->retry_initiate_queued)
1199 {
1200 this->retry_initiate_queued = FALSE;
1201 return initiate(this, NULL, 0, NULL, NULL);
1202 }
1203 return SUCCESS;
1204 }
1205
1206 METHOD(ike_sa_t, process_message, status_t,
1207 private_ike_sa_t *this, message_t *message)
1208 {
1209 status_t status;
1210
1211 if (this->state == IKE_PASSIVE)
1212 { /* do not handle messages in passive state */
1213 return FAILED;
1214 }
1215 switch (message->get_exchange_type(message))
1216 {
1217 case ID_PROT:
1218 case AGGRESSIVE:
1219 case IKE_SA_INIT:
1220 case IKE_AUTH:
1221 if (this->state != IKE_CREATED &&
1222 this->state != IKE_CONNECTING)
1223 {
1224 DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
1225 exchange_type_names, message->get_exchange_type(message));
1226 return FAILED;
1227 }
1228 break;
1229 default:
1230 break;
1231 }
1232 if (message->get_major_version(message) != this->version)
1233 {
1234 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1235 exchange_type_names, message->get_exchange_type(message),
1236 message->get_major_version(message),
1237 ike_version_names, this->version);
1238 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1239 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1240 return FAILED;
1241 }
1242 status = this->task_manager->process_message(this->task_manager, message);
1243 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1244 {
1245 /* authentication completed */
1246 this->flush_auth_cfg = FALSE;
1247 flush_auth_cfgs(this);
1248 }
1249 return status;
1250 }
1251
1252 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1253 private_ike_sa_t *this)
1254 {
1255 return this->ike_sa_id;
1256 }
1257
1258 METHOD(ike_sa_t, get_version, ike_version_t,
1259 private_ike_sa_t *this)
1260 {
1261 return this->version;
1262 }
1263
1264 METHOD(ike_sa_t, get_my_id, identification_t*,
1265 private_ike_sa_t *this)
1266 {
1267 return this->my_id;
1268 }
1269
1270 METHOD(ike_sa_t, set_my_id, void,
1271 private_ike_sa_t *this, identification_t *me)
1272 {
1273 DESTROY_IF(this->my_id);
1274 this->my_id = me;
1275 }
1276
1277 METHOD(ike_sa_t, get_other_id, identification_t*,
1278 private_ike_sa_t *this)
1279 {
1280 return this->other_id;
1281 }
1282
1283 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1284 private_ike_sa_t *this)
1285 {
1286 identification_t *id = NULL, *current;
1287 enumerator_t *enumerator;
1288 auth_cfg_t *cfg;
1289
1290 enumerator = this->other_auths->create_enumerator(this->other_auths);
1291 while (enumerator->enumerate(enumerator, &cfg))
1292 {
1293 /* prefer EAP-Identity of last round */
1294 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1295 if (!current || current->get_type(current) == ID_ANY)
1296 {
1297 current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
1298 }
1299 if (!current || current->get_type(current) == ID_ANY)
1300 {
1301 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1302 }
1303 if (current && current->get_type(current) != ID_ANY)
1304 {
1305 id = current;
1306 continue;
1307 }
1308 }
1309 enumerator->destroy(enumerator);
1310 if (id)
1311 {
1312 return id;
1313 }
1314 return this->other_id;
1315 }
1316
1317 METHOD(ike_sa_t, set_other_id, void,
1318 private_ike_sa_t *this, identification_t *other)
1319 {
1320 DESTROY_IF(this->other_id);
1321 this->other_id = other;
1322 }
1323
1324 METHOD(ike_sa_t, add_child_sa, void,
1325 private_ike_sa_t *this, child_sa_t *child_sa)
1326 {
1327 this->child_sas->insert_last(this->child_sas, child_sa);
1328 }
1329
1330 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1331 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound)
1332 {
1333 enumerator_t *enumerator;
1334 child_sa_t *current, *found = NULL;
1335
1336 enumerator = this->child_sas->create_enumerator(this->child_sas);
1337 while (enumerator->enumerate(enumerator, (void**)&current))
1338 {
1339 if (current->get_spi(current, inbound) == spi &&
1340 current->get_protocol(current) == protocol)
1341 {
1342 found = current;
1343 }
1344 }
1345 enumerator->destroy(enumerator);
1346 return found;
1347 }
1348
1349 METHOD(ike_sa_t, get_child_count, int,
1350 private_ike_sa_t *this)
1351 {
1352 return this->child_sas->get_count(this->child_sas);
1353 }
1354
1355 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1356 private_ike_sa_t *this)
1357 {
1358 return this->child_sas->create_enumerator(this->child_sas);
1359 }
1360
1361 METHOD(ike_sa_t, remove_child_sa, void,
1362 private_ike_sa_t *this, enumerator_t *enumerator)
1363 {
1364 this->child_sas->remove_at(this->child_sas, enumerator);
1365 }
1366
1367 METHOD(ike_sa_t, rekey_child_sa, status_t,
1368 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1369 {
1370 if (this->state == IKE_PASSIVE)
1371 {
1372 return INVALID_STATE;
1373 }
1374 this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1375 return this->task_manager->initiate(this->task_manager);
1376 }
1377
1378 METHOD(ike_sa_t, delete_child_sa, status_t,
1379 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool expired)
1380 {
1381 if (this->state == IKE_PASSIVE)
1382 {
1383 return INVALID_STATE;
1384 }
1385 this->task_manager->queue_child_delete(this->task_manager,
1386 protocol, spi, expired);
1387 return this->task_manager->initiate(this->task_manager);
1388 }
1389
1390 METHOD(ike_sa_t, destroy_child_sa, status_t,
1391 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1392 {
1393 enumerator_t *enumerator;
1394 child_sa_t *child_sa;
1395 status_t status = NOT_FOUND;
1396
1397 enumerator = this->child_sas->create_enumerator(this->child_sas);
1398 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1399 {
1400 if (child_sa->get_protocol(child_sa) == protocol &&
1401 child_sa->get_spi(child_sa, TRUE) == spi)
1402 {
1403 this->child_sas->remove_at(this->child_sas, enumerator);
1404 child_sa->destroy(child_sa);
1405 status = SUCCESS;
1406 break;
1407 }
1408 }
1409 enumerator->destroy(enumerator);
1410 return status;
1411 }
1412
1413 METHOD(ike_sa_t, delete_, status_t,
1414 private_ike_sa_t *this)
1415 {
1416 switch (this->state)
1417 {
1418 case IKE_REKEYING:
1419 if (this->version == IKEV1)
1420 { /* SA has been reauthenticated, delete */
1421 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1422 break;
1423 }
1424 /* FALL */
1425 case IKE_ESTABLISHED:
1426 this->task_manager->queue_ike_delete(this->task_manager);
1427 return this->task_manager->initiate(this->task_manager);
1428 case IKE_CREATED:
1429 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1430 break;
1431 case IKE_PASSIVE:
1432 break;
1433 default:
1434 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1435 "without notification", ike_sa_state_names, this->state);
1436 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1437 break;
1438 }
1439 return DESTROY_ME;
1440 }
1441
1442 METHOD(ike_sa_t, rekey, status_t,
1443 private_ike_sa_t *this)
1444 {
1445 if (this->state == IKE_PASSIVE)
1446 {
1447 return INVALID_STATE;
1448 }
1449 this->task_manager->queue_ike_rekey(this->task_manager);
1450 return this->task_manager->initiate(this->task_manager);
1451 }
1452
1453 METHOD(ike_sa_t, reauth, status_t,
1454 private_ike_sa_t *this)
1455 {
1456 if (this->state == IKE_PASSIVE)
1457 {
1458 return INVALID_STATE;
1459 }
1460 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1461 * If the peer does not support RFC4478, there is no way to keep the
1462 * IKE_SA up. */
1463 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1464 {
1465 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1466 if (this->other_vips->get_count(this->other_vips) != 0 ||
1467 has_condition(this, COND_XAUTH_AUTHENTICATED) ||
1468 has_condition(this, COND_EAP_AUTHENTICATED)
1469 #ifdef ME
1470 /* as mediation server we too cannot reauth the IKE_SA */
1471 || this->is_mediation_server
1472 #endif /* ME */
1473 )
1474 {
1475 time_t del, now;
1476
1477 del = this->stats[STAT_DELETE];
1478 now = time_monotonic(NULL);
1479 DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V",
1480 get_name(this), this->unique_id, &now, &del);
1481 return FAILED;
1482 }
1483 else
1484 {
1485 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively",
1486 get_name(this), this->unique_id);
1487 }
1488 }
1489 else
1490 {
1491 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
1492 get_name(this), this->unique_id);
1493 }
1494 this->is_reauthenticating = TRUE;
1495 this->task_manager->queue_ike_reauth(this->task_manager);
1496 return this->task_manager->initiate(this->task_manager);
1497 }
1498
1499 METHOD(ike_sa_t, reestablish, status_t,
1500 private_ike_sa_t *this)
1501 {
1502 ike_sa_t *new;
1503 host_t *host;
1504 action_t action;
1505 enumerator_t *enumerator;
1506 child_sa_t *child_sa;
1507 child_cfg_t *child_cfg;
1508 bool restart = FALSE;
1509 status_t status = FAILED;
1510
1511 if (this->is_reauthenticating)
1512 { /* only reauthenticate if we have children */
1513 if (this->child_sas->get_count(this->child_sas) == 0
1514 #ifdef ME
1515 /* allow reauth of mediation connections without CHILD_SAs */
1516 && !this->peer_cfg->is_mediation(this->peer_cfg)
1517 #endif /* ME */
1518 )
1519 {
1520 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
1521 "to recreate");
1522 }
1523 else
1524 {
1525 restart = TRUE;
1526 }
1527 }
1528 else
1529 { /* check if we have children to keep up at all */
1530 enumerator = this->child_sas->create_enumerator(this->child_sas);
1531 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1532 {
1533 if (this->state == IKE_DELETING)
1534 {
1535 action = child_sa->get_close_action(child_sa);
1536 }
1537 else
1538 {
1539 action = child_sa->get_dpd_action(child_sa);
1540 }
1541 switch (action)
1542 {
1543 case ACTION_RESTART:
1544 restart = TRUE;
1545 break;
1546 case ACTION_ROUTE:
1547 charon->traps->install(charon->traps, this->peer_cfg,
1548 child_sa->get_config(child_sa));
1549 break;
1550 default:
1551 break;
1552 }
1553 }
1554 enumerator->destroy(enumerator);
1555 #ifdef ME
1556 /* mediation connections have no children, keep them up anyway */
1557 if (this->peer_cfg->is_mediation(this->peer_cfg))
1558 {
1559 restart = TRUE;
1560 }
1561 #endif /* ME */
1562 }
1563 if (!restart)
1564 {
1565 return FAILED;
1566 }
1567
1568 /* check if we are able to reestablish this IKE_SA */
1569 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1570 (this->other_vips->get_count(this->other_vips) != 0 ||
1571 has_condition(this, COND_EAP_AUTHENTICATED)
1572 #ifdef ME
1573 || this->is_mediation_server
1574 #endif /* ME */
1575 ))
1576 {
1577 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
1578 return FAILED;
1579 }
1580
1581 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1582 this->version, TRUE);
1583 if (!new)
1584 {
1585 return FAILED;
1586 }
1587 new->set_peer_cfg(new, this->peer_cfg);
1588 host = this->other_host;
1589 new->set_other_host(new, host->clone(host));
1590 host = this->my_host;
1591 new->set_my_host(new, host->clone(host));
1592 /* if we already have a virtual IP, we reuse it */
1593 enumerator = this->my_vips->create_enumerator(this->my_vips);
1594 while (enumerator->enumerate(enumerator, &host))
1595 {
1596 new->add_virtual_ip(new, TRUE, host);
1597 }
1598 enumerator->destroy(enumerator);
1599
1600 #ifdef ME
1601 if (this->peer_cfg->is_mediation(this->peer_cfg))
1602 {
1603 status = new->initiate(new, NULL, 0, NULL, NULL);
1604 }
1605 else
1606 #endif /* ME */
1607 {
1608 enumerator = this->child_sas->create_enumerator(this->child_sas);
1609 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1610 {
1611 if (this->is_reauthenticating)
1612 {
1613 switch (child_sa->get_state(child_sa))
1614 {
1615 case CHILD_ROUTED:
1616 { /* move routed child directly */
1617 this->child_sas->remove_at(this->child_sas, enumerator);
1618 new->add_child_sa(new, child_sa);
1619 action = ACTION_NONE;
1620 break;
1621 }
1622 default:
1623 { /* initiate/queue all other CHILD_SAs */
1624 action = ACTION_RESTART;
1625 break;
1626 }
1627 }
1628 }
1629 else
1630 { /* only restart CHILD_SAs that are configured accordingly */
1631 if (this->state == IKE_DELETING)
1632 {
1633 action = child_sa->get_close_action(child_sa);
1634 }
1635 else
1636 {
1637 action = child_sa->get_dpd_action(child_sa);
1638 }
1639 }
1640 switch (action)
1641 {
1642 case ACTION_RESTART:
1643 child_cfg = child_sa->get_config(child_sa);
1644 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1645 child_cfg->get_name(child_cfg));
1646 child_cfg->get_ref(child_cfg);
1647 status = new->initiate(new, child_cfg, 0, NULL, NULL);
1648 break;
1649 default:
1650 continue;
1651 }
1652 if (status == DESTROY_ME)
1653 {
1654 break;
1655 }
1656 }
1657 enumerator->destroy(enumerator);
1658 }
1659
1660 if (status == DESTROY_ME)
1661 {
1662 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1663 status = FAILED;
1664 }
1665 else
1666 {
1667 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1668 status = SUCCESS;
1669 }
1670 charon->bus->set_sa(charon->bus, &this->public);
1671 return status;
1672 }
1673
1674 METHOD(ike_sa_t, retransmit, status_t,
1675 private_ike_sa_t *this, u_int32_t message_id)
1676 {
1677 if (this->state == IKE_PASSIVE)
1678 {
1679 return INVALID_STATE;
1680 }
1681 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1682 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1683 {
1684 /* send a proper signal to brief interested bus listeners */
1685 switch (this->state)
1686 {
1687 case IKE_CONNECTING:
1688 {
1689 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
1690 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1691 this->keyingtry++;
1692 if (tries == 0 || tries > this->keyingtry)
1693 {
1694 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1695 this->keyingtry + 1, tries);
1696 reset(this);
1697 resolve_hosts(this);
1698 this->task_manager->queue_ike(this->task_manager);
1699 return this->task_manager->initiate(this->task_manager);
1700 }
1701 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1702 break;
1703 }
1704 case IKE_DELETING:
1705 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1706 if (this->is_reauthenticating)
1707 {
1708 DBG1(DBG_IKE, "delete during reauthentication failed, "
1709 "trying to reestablish IKE_SA anyway");
1710 reestablish(this);
1711 }
1712 break;
1713 case IKE_REKEYING:
1714 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1715 /* FALL */
1716 default:
1717 reestablish(this);
1718 break;
1719 }
1720 return DESTROY_ME;
1721 }
1722 return SUCCESS;
1723 }
1724
1725 METHOD(ike_sa_t, set_auth_lifetime, status_t,
1726 private_ike_sa_t *this, u_int32_t lifetime)
1727 {
1728 u_int32_t diff, hard, soft, now;
1729 ike_auth_lifetime_t *task;
1730 bool send_update;
1731
1732 diff = this->peer_cfg->get_over_time(this->peer_cfg);
1733 now = time_monotonic(NULL);
1734 hard = now + lifetime;
1735 soft = hard - diff;
1736
1737 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
1738 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
1739 send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
1740 !has_condition(this, COND_ORIGINAL_INITIATOR) &&
1741 (this->other_vips->get_count(this->other_vips) != 0 ||
1742 has_condition(this, COND_EAP_AUTHENTICATED));
1743
1744 if (lifetime < diff)
1745 {
1746 this->stats[STAT_REAUTH] = now;
1747
1748 if (!send_update)
1749 {
1750 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
1751 "starting reauthentication", lifetime);
1752 lib->processor->queue_job(lib->processor,
1753 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
1754 }
1755 }
1756 else if (this->stats[STAT_REAUTH] == 0 ||
1757 this->stats[STAT_REAUTH] > soft)
1758 {
1759 this->stats[STAT_REAUTH] = soft;
1760 if (!send_update)
1761 {
1762 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling "
1763 "reauthentication in %ds", lifetime, lifetime - diff);
1764 lib->scheduler->schedule_job(lib->scheduler,
1765 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
1766 lifetime - diff);
1767 }
1768 }
1769 else
1770 {
1771 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
1772 "reauthentication already scheduled in %ds", lifetime,
1773 this->stats[STAT_REAUTH] - time_monotonic(NULL));
1774 send_update = FALSE;
1775 }
1776 /* give at least some seconds to reauthenticate */
1777 this->stats[STAT_DELETE] = max(hard, now + 10);
1778
1779 if (send_update)
1780 {
1781 task = ike_auth_lifetime_create(&this->public, TRUE);
1782 this->task_manager->queue_task(this->task_manager, &task->task);
1783 return this->task_manager->initiate(this->task_manager);
1784 }
1785 return SUCCESS;
1786 }
1787
1788 /**
1789 * Check if the current combination of source and destination address is still
1790 * valid.
1791 */
1792 static bool is_current_path_valid(private_ike_sa_t *this)
1793 {
1794 bool valid = FALSE;
1795 host_t *src;
1796 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
1797 this->other_host, this->my_host);
1798 if (src)
1799 {
1800 if (src->ip_equals(src, this->my_host))
1801 {
1802 valid = TRUE;
1803 }
1804 src->destroy(src);
1805 }
1806 return valid;
1807 }
1808
1809 /**
1810 * Check if we have any path avialable for this IKE SA.
1811 */
1812 static bool is_any_path_valid(private_ike_sa_t *this)
1813 {
1814 bool valid = FALSE;
1815 enumerator_t *enumerator;
1816 host_t *src = NULL, *addr;
1817
1818 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
1819 enumerator = create_peer_address_enumerator(this);
1820 while (enumerator->enumerate(enumerator, &addr))
1821 {
1822 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
1823 src = hydra->kernel_interface->get_source_addr(
1824 hydra->kernel_interface, addr, NULL);
1825 if (src)
1826 {
1827 break;
1828 }
1829 }
1830 enumerator->destroy(enumerator);
1831 if (src)
1832 {
1833 valid = TRUE;
1834 src->destroy(src);
1835 }
1836 return valid;
1837 }
1838
1839 METHOD(ike_sa_t, roam, status_t,
1840 private_ike_sa_t *this, bool address)
1841 {
1842 switch (this->state)
1843 {
1844 case IKE_CREATED:
1845 case IKE_DELETING:
1846 case IKE_DESTROYING:
1847 case IKE_PASSIVE:
1848 return SUCCESS;
1849 default:
1850 break;
1851 }
1852
1853 /* keep existing path if possible */
1854 if (is_current_path_valid(this))
1855 {
1856 DBG2(DBG_IKE, "keeping connection path %H - %H",
1857 this->my_host, this->other_host);
1858 set_condition(this, COND_STALE, FALSE);
1859
1860 if (supports_extension(this, EXT_MOBIKE) && address)
1861 { /* if any addresses changed, send an updated list */
1862 DBG1(DBG_IKE, "sending address list update using MOBIKE");
1863 this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
1864 return this->task_manager->initiate(this->task_manager);
1865 }
1866 return SUCCESS;
1867 }
1868
1869 if (!is_any_path_valid(this))
1870 {
1871 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
1872 this->other_host);
1873 set_condition(this, COND_STALE, TRUE);
1874 return SUCCESS;
1875 }
1876 set_condition(this, COND_STALE, FALSE);
1877
1878 /* update addresses with mobike, if supported ... */
1879 if (supports_extension(this, EXT_MOBIKE))
1880 {
1881 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1882 { /* responder updates the peer about changed address config */
1883 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
1884 "implicitly requesting an address change");
1885 address = TRUE;
1886 }
1887 else
1888 {
1889 DBG1(DBG_IKE, "requesting address change using MOBIKE");
1890 }
1891 this->task_manager->queue_mobike(this->task_manager, TRUE, address);
1892 return this->task_manager->initiate(this->task_manager);
1893 }
1894
1895 /* ... reauth if not */
1896 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1897 { /* responder does not reauthenticate */
1898 set_condition(this, COND_STALE, TRUE);
1899 return SUCCESS;
1900 }
1901 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
1902 /* since our previous path is not valid anymore, try and find a new one */
1903 resolve_hosts(this);
1904 return reauth(this);
1905 }
1906
1907 METHOD(ike_sa_t, add_configuration_attribute, void,
1908 private_ike_sa_t *this, attribute_handler_t *handler,
1909 configuration_attribute_type_t type, chunk_t data)
1910 {
1911 attribute_entry_t *entry = malloc_thing(attribute_entry_t);
1912
1913 entry->handler = handler;
1914 entry->type = type;
1915 entry->data = chunk_clone(data);
1916
1917 this->attributes->insert_last(this->attributes, entry);
1918 }
1919
1920 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
1921 private_ike_sa_t *this, task_queue_t queue)
1922 {
1923 return this->task_manager->create_task_enumerator(this->task_manager, queue);
1924 }
1925
1926 METHOD(ike_sa_t, flush_queue, void,
1927 private_ike_sa_t *this, task_queue_t queue)
1928 {
1929 this->task_manager->flush_queue(this->task_manager, queue);
1930 }
1931
1932 METHOD(ike_sa_t, queue_task, void,
1933 private_ike_sa_t *this, task_t *task)
1934 {
1935 this->task_manager->queue_task(this->task_manager, task);
1936 }
1937
1938 METHOD(ike_sa_t, inherit, void,
1939 private_ike_sa_t *this, ike_sa_t *other_public)
1940 {
1941 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
1942 child_sa_t *child_sa;
1943 attribute_entry_t *entry;
1944 enumerator_t *enumerator;
1945 auth_cfg_t *cfg;
1946 host_t *vip;
1947
1948 /* apply hosts and ids */
1949 this->my_host->destroy(this->my_host);
1950 this->other_host->destroy(this->other_host);
1951 this->my_id->destroy(this->my_id);
1952 this->other_id->destroy(this->other_id);
1953 this->my_host = other->my_host->clone(other->my_host);
1954 this->other_host = other->other_host->clone(other->other_host);
1955 this->my_id = other->my_id->clone(other->my_id);
1956 this->other_id = other->other_id->clone(other->other_id);
1957
1958 /* apply assigned virtual IPs... */
1959 while (this->my_vips->remove_last(this->my_vips, (void**)&vip) == SUCCESS)
1960 {
1961 other->my_vips->insert_first(other->my_vips, vip);
1962 }
1963 while (this->other_vips->remove_last(this->other_vips,
1964 (void**)&vip) == SUCCESS)
1965 {
1966 other->other_vips->insert_first(other->other_vips, vip);
1967 }
1968
1969 /* authentication information */
1970 enumerator = other->my_auths->create_enumerator(other->my_auths);
1971 while (enumerator->enumerate(enumerator, &cfg))
1972 {
1973 this->my_auths->insert_last(this->my_auths, cfg->clone(cfg));
1974 }
1975 enumerator->destroy(enumerator);
1976 enumerator = other->other_auths->create_enumerator(other->other_auths);
1977 while (enumerator->enumerate(enumerator, &cfg))
1978 {
1979 this->other_auths->insert_last(this->other_auths, cfg->clone(cfg));
1980 }
1981 enumerator->destroy(enumerator);
1982
1983 /* ... and configuration attributes */
1984 while (other->attributes->remove_last(other->attributes,
1985 (void**)&entry) == SUCCESS)
1986 {
1987 this->attributes->insert_first(this->attributes, entry);
1988 }
1989
1990 /* inherit all conditions */
1991 this->conditions = other->conditions;
1992 if (this->conditions & COND_NAT_HERE)
1993 {
1994 send_keepalive(this);
1995 }
1996
1997 #ifdef ME
1998 if (other->is_mediation_server)
1999 {
2000 act_as_mediation_server(this);
2001 }
2002 else if (other->server_reflexive_host)
2003 {
2004 this->server_reflexive_host = other->server_reflexive_host->clone(
2005 other->server_reflexive_host);
2006 }
2007 #endif /* ME */
2008
2009 /* adopt all children */
2010 while (other->child_sas->remove_last(other->child_sas,
2011 (void**)&child_sa) == SUCCESS)
2012 {
2013 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2014 }
2015
2016 /* move pending tasks to the new IKE_SA */
2017 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2018
2019 /* reauthentication timeout survives a rekeying */
2020 if (other->stats[STAT_REAUTH])
2021 {
2022 time_t reauth, delete, now = time_monotonic(NULL);
2023
2024 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2025 reauth = this->stats[STAT_REAUTH] - now;
2026 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2027 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2028 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2029 "lifetime reduced to %ds", reauth, delete);
2030 lib->scheduler->schedule_job(lib->scheduler,
2031 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2032 lib->scheduler->schedule_job(lib->scheduler,
2033 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2034 }
2035 }
2036
2037 METHOD(ike_sa_t, destroy, void,
2038 private_ike_sa_t *this)
2039 {
2040 attribute_entry_t *entry;
2041 host_t *vip;
2042
2043 charon->bus->set_sa(charon->bus, &this->public);
2044
2045 set_state(this, IKE_DESTROYING);
2046 DESTROY_IF(this->task_manager);
2047
2048 /* remove attributes first, as we pass the IKE_SA to the handler */
2049 while (this->attributes->remove_last(this->attributes,
2050 (void**)&entry) == SUCCESS)
2051 {
2052 hydra->attributes->release(hydra->attributes, entry->handler,
2053 this->other_id, entry->type, entry->data);
2054 free(entry->data.ptr);
2055 free(entry);
2056 }
2057 this->attributes->destroy(this->attributes);
2058
2059 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2060
2061 /* unset SA after here to avoid usage by the listeners */
2062 charon->bus->set_sa(charon->bus, NULL);
2063
2064 DESTROY_IF(this->keymat);
2065
2066 while (this->my_vips->remove_last(this->my_vips, (void**)&vip) == SUCCESS)
2067 {
2068 hydra->kernel_interface->del_ip(hydra->kernel_interface, vip);
2069 vip->destroy(vip);
2070 }
2071 this->my_vips->destroy(this->my_vips);
2072 while (this->other_vips->remove_last(this->other_vips,
2073 (void**)&vip) == SUCCESS)
2074 {
2075 if (this->peer_cfg)
2076 {
2077 enumerator_t *enumerator;
2078 char *pool;
2079
2080 enumerator = this->peer_cfg->create_pool_enumerator(this->peer_cfg);
2081 while (enumerator->enumerate(enumerator, &pool))
2082 {
2083 if (hydra->attributes->release_address(hydra->attributes, pool,
2084 vip, get_other_eap_id(this)))
2085 {
2086 break;
2087 }
2088 }
2089 enumerator->destroy(enumerator);
2090 }
2091 vip->destroy(vip);
2092 }
2093 this->other_vips->destroy(this->other_vips);
2094 this->peer_addresses->destroy_offset(this->peer_addresses,
2095 offsetof(host_t, destroy));
2096 #ifdef ME
2097 if (this->is_mediation_server)
2098 {
2099 charon->mediation_manager->remove(charon->mediation_manager,
2100 this->ike_sa_id);
2101 }
2102 DESTROY_IF(this->server_reflexive_host);
2103 chunk_free(&this->connect_id);
2104 #endif /* ME */
2105 free(this->nat_detection_dest.ptr);
2106
2107 DESTROY_IF(this->my_host);
2108 DESTROY_IF(this->other_host);
2109 DESTROY_IF(this->my_id);
2110 DESTROY_IF(this->other_id);
2111 DESTROY_IF(this->local_host);
2112 DESTROY_IF(this->remote_host);
2113
2114 DESTROY_IF(this->ike_cfg);
2115 DESTROY_IF(this->peer_cfg);
2116 DESTROY_IF(this->proposal);
2117 this->my_auth->destroy(this->my_auth);
2118 this->other_auth->destroy(this->other_auth);
2119 this->my_auths->destroy_offset(this->my_auths,
2120 offsetof(auth_cfg_t, destroy));
2121 this->other_auths->destroy_offset(this->other_auths,
2122 offsetof(auth_cfg_t, destroy));
2123
2124 this->ike_sa_id->destroy(this->ike_sa_id);
2125 free(this);
2126 }
2127
2128 /*
2129 * Described in header.
2130 */
2131 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
2132 ike_version_t version)
2133 {
2134 private_ike_sa_t *this;
2135 static u_int32_t unique_id = 0;
2136
2137 if (version == IKE_ANY)
2138 { /* prefer IKEv2 if protocol not specified */
2139 #ifdef USE_IKEV2
2140 version = IKEV2;
2141 #else
2142 version = IKEV1;
2143 #endif
2144 }
2145
2146 INIT(this,
2147 .public = {
2148 .get_version = _get_version,
2149 .get_state = _get_state,
2150 .set_state = _set_state,
2151 .get_name = _get_name,
2152 .get_statistic = _get_statistic,
2153 .set_statistic = _set_statistic,
2154 .process_message = _process_message,
2155 .initiate = _initiate,
2156 .retry_initiate = _retry_initiate,
2157 .get_ike_cfg = _get_ike_cfg,
2158 .set_ike_cfg = _set_ike_cfg,
2159 .get_peer_cfg = _get_peer_cfg,
2160 .set_peer_cfg = _set_peer_cfg,
2161 .get_auth_cfg = _get_auth_cfg,
2162 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
2163 .add_auth_cfg = _add_auth_cfg,
2164 .get_proposal = _get_proposal,
2165 .set_proposal = _set_proposal,
2166 .get_id = _get_id,
2167 .get_my_host = _get_my_host,
2168 .set_my_host = _set_my_host,
2169 .get_other_host = _get_other_host,
2170 .set_other_host = _set_other_host,
2171 .set_message_id = _set_message_id,
2172 .float_ports = _float_ports,
2173 .update_hosts = _update_hosts,
2174 .get_my_id = _get_my_id,
2175 .set_my_id = _set_my_id,
2176 .get_other_id = _get_other_id,
2177 .set_other_id = _set_other_id,
2178 .get_other_eap_id = _get_other_eap_id,
2179 .enable_extension = _enable_extension,
2180 .supports_extension = _supports_extension,
2181 .set_condition = _set_condition,
2182 .has_condition = _has_condition,
2183 .set_pending_updates = _set_pending_updates,
2184 .get_pending_updates = _get_pending_updates,
2185 .create_peer_address_enumerator = _create_peer_address_enumerator,
2186 .add_peer_address = _add_peer_address,
2187 .clear_peer_addresses = _clear_peer_addresses,
2188 .has_mapping_changed = _has_mapping_changed,
2189 .retransmit = _retransmit,
2190 .delete = _delete_,
2191 .destroy = _destroy,
2192 .send_dpd = _send_dpd,
2193 .send_keepalive = _send_keepalive,
2194 .get_keymat = _get_keymat,
2195 .add_child_sa = _add_child_sa,
2196 .get_child_sa = _get_child_sa,
2197 .get_child_count = _get_child_count,
2198 .create_child_sa_enumerator = _create_child_sa_enumerator,
2199 .remove_child_sa = _remove_child_sa,
2200 .rekey_child_sa = _rekey_child_sa,
2201 .delete_child_sa = _delete_child_sa,
2202 .destroy_child_sa = _destroy_child_sa,
2203 .rekey = _rekey,
2204 .reauth = _reauth,
2205 .reestablish = _reestablish,
2206 .set_auth_lifetime = _set_auth_lifetime,
2207 .roam = _roam,
2208 .inherit = _inherit,
2209 .generate_message = _generate_message,
2210 .reset = _reset,
2211 .get_unique_id = _get_unique_id,
2212 .add_virtual_ip = _add_virtual_ip,
2213 .clear_virtual_ips = _clear_virtual_ips,
2214 .create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
2215 .add_configuration_attribute = _add_configuration_attribute,
2216 .set_kmaddress = _set_kmaddress,
2217 .create_task_enumerator = _create_task_enumerator,
2218 .flush_queue = _flush_queue,
2219 .queue_task = _queue_task,
2220 #ifdef ME
2221 .act_as_mediation_server = _act_as_mediation_server,
2222 .get_server_reflexive_host = _get_server_reflexive_host,
2223 .set_server_reflexive_host = _set_server_reflexive_host,
2224 .get_connect_id = _get_connect_id,
2225 .initiate_mediation = _initiate_mediation,
2226 .initiate_mediated = _initiate_mediated,
2227 .relay = _relay,
2228 .callback = _callback,
2229 .respond = _respond,
2230 #endif /* ME */
2231 },
2232 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
2233 .version = version,
2234 .child_sas = linked_list_create(),
2235 .my_host = host_create_any(AF_INET),
2236 .other_host = host_create_any(AF_INET),
2237 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2238 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2239 .keymat = keymat_create(version, initiator),
2240 .state = IKE_CREATED,
2241 .stats[STAT_INBOUND] = time_monotonic(NULL),
2242 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
2243 .my_auth = auth_cfg_create(),
2244 .other_auth = auth_cfg_create(),
2245 .my_auths = linked_list_create(),
2246 .other_auths = linked_list_create(),
2247 .unique_id = ++unique_id,
2248 .peer_addresses = linked_list_create(),
2249 .my_vips = linked_list_create(),
2250 .other_vips = linked_list_create(),
2251 .attributes = linked_list_create(),
2252 .keepalive_interval = lib->settings->get_time(lib->settings,
2253 "%s.keep_alive", KEEPALIVE_INTERVAL, charon->name),
2254 .retry_initiate_interval = lib->settings->get_time(lib->settings,
2255 "%s.retry_initiate_interval", 0, charon->name),
2256 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
2257 "%s.flush_auth_cfg", FALSE, charon->name),
2258 );
2259
2260 if (version == IKEV2)
2261 { /* always supported with IKEv2 */
2262 enable_extension(this, EXT_DPD);
2263 }
2264
2265 this->task_manager = task_manager_create(&this->public);
2266 this->my_host->set_port(this->my_host,
2267 charon->socket->get_port(charon->socket, FALSE));
2268
2269 if (!this->task_manager || !this->keymat)
2270 {
2271 DBG1(DBG_IKE, "IKE version %d not supported", this->version);
2272 destroy(this);
2273 return NULL;
2274 }
2275 return &this->public;
2276 }
strongSwan - IPsec VPN