Flush auth configs, if enabled, for both IKEv1 and IKEv2
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <string.h>
20 #include <sys/stat.h>
21 #include <errno.h>
22 #include <time.h>
23
24 #include "ike_sa.h"
25
26 #include <library.h>
27 #include <hydra.h>
28 #include <daemon.h>
29 #include <utils/linked_list.h>
30 #include <utils/lexparser.h>
31 #include <sa/tasks/ike_init.h>
32 #include <sa/tasks/ike_natd.h>
33 #include <sa/tasks/ike_mobike.h>
34 #include <sa/tasks/ike_auth.h>
35 #include <sa/tasks/ike_auth_lifetime.h>
36 #include <sa/tasks/ike_config.h>
37 #include <sa/tasks/ike_cert_pre.h>
38 #include <sa/tasks/ike_cert_pre_v1.h>
39 #include <sa/tasks/ike_cert_post.h>
40 #include <sa/tasks/ike_cert_post_v1.h>
41 #include <sa/tasks/ike_rekey.h>
42 #include <sa/tasks/ike_reauth.h>
43 #include <sa/tasks/ike_delete.h>
44 #include <sa/tasks/ike_dpd.h>
45 #include <sa/tasks/ike_vendor.h>
46 #include <sa/tasks/child_create.h>
47 #include <sa/tasks/child_delete.h>
48 #include <sa/tasks/child_rekey.h>
49 #include <sa/tasks/main_mode.h>
50 #include <sa/tasks/quick_mode.h>
51 #include <sa/tasks/quick_delete.h>
52 #include <sa/tasks/ike_natd_v1.h>
53 #include <sa/tasks/ike_vendor_v1.h>
54 #include <sa/tasks/isakmp_delete.h>
55 #include <processing/jobs/retransmit_job.h>
56 #include <processing/jobs/delete_ike_sa_job.h>
57 #include <processing/jobs/send_dpd_job.h>
58 #include <processing/jobs/send_keepalive_job.h>
59 #include <processing/jobs/rekey_ike_sa_job.h>
60
61 #ifdef ME
62 #include <sa/tasks/ike_me.h>
63 #include <processing/jobs/initiate_mediation_job.h>
64 #endif
65
66 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
67 "CREATED",
68 "CONNECTING",
69 "ESTABLISHED",
70 "PASSIVE",
71 "REKEYING",
72 "DELETING",
73 "DESTROYING",
74 );
75
76 typedef struct private_ike_sa_t private_ike_sa_t;
77 typedef struct attribute_entry_t attribute_entry_t;
78
79 /**
80 * Private data of an ike_sa_t object.
81 */
82 struct private_ike_sa_t {
83
84 /**
85 * Public members
86 */
87 ike_sa_t public;
88
89 /**
90 * Identifier for the current IKE_SA.
91 */
92 ike_sa_id_t *ike_sa_id;
93
94 /**
95 * IKE version of this SA.
96 */
97 ike_version_t version;
98
99 /**
100 * unique numerical ID for this IKE_SA.
101 */
102 u_int32_t unique_id;
103
104 /**
105 * Current state of the IKE_SA
106 */
107 ike_sa_state_t state;
108
109 /**
110 * IKE configuration used to set up this IKE_SA
111 */
112 ike_cfg_t *ike_cfg;
113
114 /**
115 * Peer and authentication information to establish IKE_SA.
116 */
117 peer_cfg_t *peer_cfg;
118
119 /**
120 * currently used authentication ruleset, local (as auth_cfg_t)
121 */
122 auth_cfg_t *my_auth;
123
124 /**
125 * list of completed local authentication rounds
126 */
127 linked_list_t *my_auths;
128
129 /**
130 * list of completed remote authentication rounds
131 */
132 linked_list_t *other_auths;
133
134 /**
135 * currently used authentication constraints, remote (as auth_cfg_t)
136 */
137 auth_cfg_t *other_auth;
138
139 /**
140 * Selected IKE proposal
141 */
142 proposal_t *proposal;
143
144 /**
145 * Juggles tasks to process messages
146 */
147 task_manager_t *task_manager;
148
149 /**
150 * Address of local host
151 */
152 host_t *my_host;
153
154 /**
155 * Address of remote host
156 */
157 host_t *other_host;
158
159 #ifdef ME
160 /**
161 * Are we mediation server
162 */
163 bool is_mediation_server;
164
165 /**
166 * Server reflexive host
167 */
168 host_t *server_reflexive_host;
169
170 /**
171 * Connect ID
172 */
173 chunk_t connect_id;
174 #endif /* ME */
175
176 /**
177 * Identification used for us
178 */
179 identification_t *my_id;
180
181 /**
182 * Identification used for other
183 */
184 identification_t *other_id;
185
186 /**
187 * set of extensions the peer supports
188 */
189 ike_extension_t extensions;
190
191 /**
192 * set of condition flags currently enabled for this IKE_SA
193 */
194 ike_condition_t conditions;
195
196 /**
197 * Linked List containing the child sa's of the current IKE_SA.
198 */
199 linked_list_t *child_sas;
200
201 /**
202 * keymat of this IKE_SA
203 */
204 keymat_t *keymat;
205
206 /**
207 * Virtual IP on local host, if any
208 */
209 host_t *my_virtual_ip;
210
211 /**
212 * Virtual IP on remote host, if any
213 */
214 host_t *other_virtual_ip;
215
216 /**
217 * List of configuration attributes (attribute_entry_t)
218 */
219 linked_list_t *attributes;
220
221 /**
222 * list of peers additional addresses, transmitted via MOBIKE
223 */
224 linked_list_t *additional_addresses;
225
226 /**
227 * previously value of received DESTINATION_IP hash
228 */
229 chunk_t nat_detection_dest;
230
231 /**
232 * number pending UPDATE_SA_ADDRESS (MOBIKE)
233 */
234 u_int32_t pending_updates;
235
236 /**
237 * NAT keep alive interval
238 */
239 u_int32_t keepalive_interval;
240
241 /**
242 * Timestamps for this IKE_SA
243 */
244 u_int32_t stats[STAT_MAX];
245
246 /**
247 * how many times we have retried so far (keyingtries)
248 */
249 u_int32_t keyingtry;
250
251 /**
252 * local host address to be used for IKE, set via MIGRATE kernel message
253 */
254 host_t *local_host;
255
256 /**
257 * remote host address to be used for IKE, set via MIGRATE kernel message
258 */
259 host_t *remote_host;
260
261 /**
262 * Flush auth configs once established?
263 */
264 bool flush_auth_cfg;
265 };
266
267 /**
268 * Entry to maintain install configuration attributes during IKE_SA lifetime
269 */
270 struct attribute_entry_t {
271 /** handler used to install this attribute */
272 attribute_handler_t *handler;
273 /** attribute type */
274 configuration_attribute_type_t type;
275 /** attribute data */
276 chunk_t data;
277 };
278
279 /**
280 * get the time of the latest traffic processed by the kernel
281 */
282 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
283 {
284 enumerator_t *enumerator;
285 child_sa_t *child_sa;
286 time_t use_time, current;
287
288 if (inbound)
289 {
290 use_time = this->stats[STAT_INBOUND];
291 }
292 else
293 {
294 use_time = this->stats[STAT_OUTBOUND];
295 }
296 enumerator = this->child_sas->create_enumerator(this->child_sas);
297 while (enumerator->enumerate(enumerator, &child_sa))
298 {
299 child_sa->get_usestats(child_sa, inbound, &current, NULL);
300 use_time = max(use_time, current);
301 }
302 enumerator->destroy(enumerator);
303
304 return use_time;
305 }
306
307 METHOD(ike_sa_t, get_unique_id, u_int32_t,
308 private_ike_sa_t *this)
309 {
310 return this->unique_id;
311 }
312
313 METHOD(ike_sa_t, get_name, char*,
314 private_ike_sa_t *this)
315 {
316 if (this->peer_cfg)
317 {
318 return this->peer_cfg->get_name(this->peer_cfg);
319 }
320 return "(unnamed)";
321 }
322
323 METHOD(ike_sa_t, get_statistic, u_int32_t,
324 private_ike_sa_t *this, statistic_t kind)
325 {
326 if (kind < STAT_MAX)
327 {
328 return this->stats[kind];
329 }
330 return 0;
331 }
332
333 METHOD(ike_sa_t, set_statistic, void,
334 private_ike_sa_t *this, statistic_t kind, u_int32_t value)
335 {
336 if (kind < STAT_MAX)
337 {
338 this->stats[kind] = value;
339 }
340 }
341
342 METHOD(ike_sa_t, get_my_host, host_t*,
343 private_ike_sa_t *this)
344 {
345 return this->my_host;
346 }
347
348 METHOD(ike_sa_t, set_my_host, void,
349 private_ike_sa_t *this, host_t *me)
350 {
351 DESTROY_IF(this->my_host);
352 this->my_host = me;
353 }
354
355 METHOD(ike_sa_t, get_other_host, host_t*,
356 private_ike_sa_t *this)
357 {
358 return this->other_host;
359 }
360
361 METHOD(ike_sa_t, set_other_host, void,
362 private_ike_sa_t *this, host_t *other)
363 {
364 DESTROY_IF(this->other_host);
365 this->other_host = other;
366 }
367
368 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
369 private_ike_sa_t *this)
370 {
371 return this->peer_cfg;
372 }
373
374 METHOD(ike_sa_t, set_peer_cfg, void,
375 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
376 {
377 peer_cfg->get_ref(peer_cfg);
378 DESTROY_IF(this->peer_cfg);
379 this->peer_cfg = peer_cfg;
380
381 if (this->ike_cfg == NULL)
382 {
383 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
384 this->ike_cfg->get_ref(this->ike_cfg);
385 }
386 }
387
388 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
389 private_ike_sa_t *this, bool local)
390 {
391 if (local)
392 {
393 return this->my_auth;
394 }
395 return this->other_auth;
396 }
397
398 METHOD(ike_sa_t, add_auth_cfg, void,
399 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
400 {
401 if (local)
402 {
403 this->my_auths->insert_last(this->my_auths, cfg);
404 }
405 else
406 {
407 this->other_auths->insert_last(this->other_auths, cfg);
408 }
409 }
410
411 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
412 private_ike_sa_t *this, bool local)
413 {
414 if (local)
415 {
416 return this->my_auths->create_enumerator(this->my_auths);
417 }
418 return this->other_auths->create_enumerator(this->other_auths);
419 }
420
421 /**
422 * Flush the stored authentication round information
423 */
424 static void flush_auth_cfgs(private_ike_sa_t *this)
425 {
426 auth_cfg_t *cfg;
427
428 this->my_auth->purge(this->my_auth, FALSE);
429 this->other_auth->purge(this->other_auth, FALSE);
430
431 while (this->my_auths->remove_last(this->my_auths,
432 (void**)&cfg) == SUCCESS)
433 {
434 cfg->destroy(cfg);
435 }
436 while (this->other_auths->remove_last(this->other_auths,
437 (void**)&cfg) == SUCCESS)
438 {
439 cfg->destroy(cfg);
440 }
441 }
442
443 METHOD(ike_sa_t, get_proposal, proposal_t*,
444 private_ike_sa_t *this)
445 {
446 return this->proposal;
447 }
448
449 METHOD(ike_sa_t, set_proposal, void,
450 private_ike_sa_t *this, proposal_t *proposal)
451 {
452 DESTROY_IF(this->proposal);
453 this->proposal = proposal->clone(proposal);
454 }
455
456 METHOD(ike_sa_t, set_message_id, void,
457 private_ike_sa_t *this, bool initiate, u_int32_t mid)
458 {
459 if (initiate)
460 {
461 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
462 }
463 else
464 {
465 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
466 }
467 }
468
469 METHOD(ike_sa_t, send_keepalive, void,
470 private_ike_sa_t *this)
471 {
472 send_keepalive_job_t *job;
473 time_t last_out, now, diff;
474
475 if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
476 { /* disable keep alives if we are not NATed anymore */
477 return;
478 }
479
480 last_out = get_use_time(this, FALSE);
481 now = time_monotonic(NULL);
482
483 diff = now - last_out;
484
485 if (diff >= this->keepalive_interval)
486 {
487 packet_t *packet;
488 chunk_t data;
489
490 packet = packet_create();
491 packet->set_source(packet, this->my_host->clone(this->my_host));
492 packet->set_destination(packet, this->other_host->clone(this->other_host));
493 data.ptr = malloc(1);
494 data.ptr[0] = 0xFF;
495 data.len = 1;
496 packet->set_data(packet, data);
497 DBG1(DBG_IKE, "sending keep alive");
498 charon->sender->send(charon->sender, packet);
499 diff = 0;
500 }
501 job = send_keepalive_job_create(this->ike_sa_id);
502 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
503 this->keepalive_interval - diff);
504 }
505
506 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
507 private_ike_sa_t *this)
508 {
509 return this->ike_cfg;
510 }
511
512 METHOD(ike_sa_t, set_ike_cfg, void,
513 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
514 {
515 ike_cfg->get_ref(ike_cfg);
516 this->ike_cfg = ike_cfg;
517 }
518
519 METHOD(ike_sa_t, enable_extension, void,
520 private_ike_sa_t *this, ike_extension_t extension)
521 {
522 this->extensions |= extension;
523 }
524
525 METHOD(ike_sa_t, supports_extension, bool,
526 private_ike_sa_t *this, ike_extension_t extension)
527 {
528 return (this->extensions & extension) != FALSE;
529 }
530
531 METHOD(ike_sa_t, has_condition, bool,
532 private_ike_sa_t *this, ike_condition_t condition)
533 {
534 return (this->conditions & condition) != FALSE;
535 }
536
537 METHOD(ike_sa_t, set_condition, void,
538 private_ike_sa_t *this, ike_condition_t condition, bool enable)
539 {
540 if (has_condition(this, condition) != enable)
541 {
542 if (enable)
543 {
544 this->conditions |= condition;
545 switch (condition)
546 {
547 case COND_NAT_HERE:
548 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
549 this->conditions |= COND_NAT_ANY;
550 send_keepalive(this);
551 break;
552 case COND_NAT_THERE:
553 DBG1(DBG_IKE, "remote host is behind NAT");
554 this->conditions |= COND_NAT_ANY;
555 break;
556 case COND_NAT_FAKE:
557 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
558 this->conditions |= COND_NAT_ANY;
559 break;
560 default:
561 break;
562 }
563 }
564 else
565 {
566 this->conditions &= ~condition;
567 switch (condition)
568 {
569 case COND_NAT_HERE:
570 case COND_NAT_FAKE:
571 case COND_NAT_THERE:
572 set_condition(this, COND_NAT_ANY,
573 has_condition(this, COND_NAT_HERE) ||
574 has_condition(this, COND_NAT_THERE) ||
575 has_condition(this, COND_NAT_FAKE));
576 break;
577 default:
578 break;
579 }
580 }
581 }
582 }
583
584 METHOD(ike_sa_t, send_dpd, status_t,
585 private_ike_sa_t *this)
586 {
587 job_t *job;
588 time_t diff, delay;
589
590 delay = this->peer_cfg->get_dpd(this->peer_cfg);
591 if (this->task_manager->busy(this->task_manager))
592 {
593 /* an exchange is in the air, no need to start a DPD check */
594 diff = 0;
595 }
596 else
597 {
598 /* check if there was any inbound traffic */
599 time_t last_in, now;
600 last_in = get_use_time(this, TRUE);
601 now = time_monotonic(NULL);
602 diff = now - last_in;
603 if (!delay || diff >= delay)
604 {
605 /* to long ago, initiate dead peer detection */
606 task_t *task;
607 ike_mobike_t *mobike;
608
609 if (supports_extension(this, EXT_MOBIKE) &&
610 has_condition(this, COND_NAT_HERE))
611 {
612 /* use mobike enabled DPD to detect NAT mapping changes */
613 mobike = ike_mobike_create(&this->public, TRUE);
614 mobike->dpd(mobike);
615 task = &mobike->task;
616 }
617 else
618 {
619 task = (task_t*)ike_dpd_create(TRUE);
620 }
621 diff = 0;
622 DBG1(DBG_IKE, "sending DPD request");
623
624 this->task_manager->queue_task(this->task_manager, task);
625 this->task_manager->initiate(this->task_manager);
626 }
627 }
628 /* recheck in "interval" seconds */
629 if (delay)
630 {
631 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
632 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
633 }
634 return SUCCESS;
635 }
636
637 METHOD(ike_sa_t, get_state, ike_sa_state_t,
638 private_ike_sa_t *this)
639 {
640 return this->state;
641 }
642
643 METHOD(ike_sa_t, set_state, void,
644 private_ike_sa_t *this, ike_sa_state_t state)
645 {
646 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
647 get_name(this), this->unique_id,
648 ike_sa_state_names, this->state,
649 ike_sa_state_names, state);
650
651 switch (state)
652 {
653 case IKE_ESTABLISHED:
654 {
655 if (this->state == IKE_CONNECTING ||
656 this->state == IKE_PASSIVE)
657 {
658 job_t *job;
659 u_int32_t t;
660
661 /* calculate rekey, reauth and lifetime */
662 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
663
664 /* schedule rekeying if we have a time which is smaller than
665 * an already scheduled rekeying */
666 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
667 if (t && (this->stats[STAT_REKEY] == 0 ||
668 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
669 {
670 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
671 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
672 lib->scheduler->schedule_job(lib->scheduler, job, t);
673 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
674 }
675 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
676 if (t && (this->stats[STAT_REAUTH] == 0 ||
677 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
678 {
679 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
680 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
681 lib->scheduler->schedule_job(lib->scheduler, job, t);
682 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
683 }
684 t = this->peer_cfg->get_over_time(this->peer_cfg);
685 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
686 {
687 if (this->stats[STAT_REAUTH] == 0)
688 {
689 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
690 }
691 else if (this->stats[STAT_REKEY] == 0)
692 {
693 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
694 }
695 else
696 {
697 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
698 this->stats[STAT_REAUTH]);
699 }
700 this->stats[STAT_DELETE] += t;
701 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
702 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
703 lib->scheduler->schedule_job(lib->scheduler, job, t);
704 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
705 }
706
707 /* start DPD checks */
708 if (this->peer_cfg->get_dpd(this->peer_cfg))
709 {
710 send_dpd(this);
711 }
712 }
713 break;
714 }
715 case IKE_DELETING:
716 {
717 /* delete may fail if a packet gets lost, so set a timeout */
718 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
719 lib->scheduler->schedule_job(lib->scheduler, job,
720 HALF_OPEN_IKE_SA_TIMEOUT);
721 break;
722 }
723 default:
724 break;
725 }
726 charon->bus->ike_state_change(charon->bus, &this->public, state);
727 this->state = state;
728 }
729
730 METHOD(ike_sa_t, reset, void,
731 private_ike_sa_t *this)
732 {
733 /* the responder ID is reset, as peer may choose another one */
734 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
735 {
736 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
737 }
738
739 set_state(this, IKE_CREATED);
740
741 flush_auth_cfgs(this);
742
743 this->keymat->destroy(this->keymat);
744 this->keymat = keymat_create(this->version,
745 this->ike_sa_id->is_initiator(this->ike_sa_id));
746
747 this->task_manager->reset(this->task_manager, 0, 0);
748 }
749
750 METHOD(ike_sa_t, get_keymat, keymat_t*,
751 private_ike_sa_t *this)
752 {
753 return this->keymat;
754 }
755
756 METHOD(ike_sa_t, set_virtual_ip, void,
757 private_ike_sa_t *this, bool local, host_t *ip)
758 {
759 if (local)
760 {
761 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
762 if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip,
763 this->my_host) == SUCCESS)
764 {
765 if (this->my_virtual_ip)
766 {
767 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
768 hydra->kernel_interface->del_ip(hydra->kernel_interface,
769 this->my_virtual_ip);
770 }
771 DESTROY_IF(this->my_virtual_ip);
772 this->my_virtual_ip = ip->clone(ip);
773 }
774 else
775 {
776 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
777 this->my_virtual_ip = NULL;
778 }
779 }
780 else
781 {
782 DESTROY_IF(this->other_virtual_ip);
783 this->other_virtual_ip = ip->clone(ip);
784 }
785 }
786
787 METHOD(ike_sa_t, get_virtual_ip, host_t*,
788 private_ike_sa_t *this, bool local)
789 {
790 if (local)
791 {
792 return this->my_virtual_ip;
793 }
794 else
795 {
796 return this->other_virtual_ip;
797 }
798 }
799
800 METHOD(ike_sa_t, add_additional_address, void,
801 private_ike_sa_t *this, host_t *host)
802 {
803 this->additional_addresses->insert_last(this->additional_addresses, host);
804 }
805
806 METHOD(ike_sa_t, create_additional_address_enumerator, enumerator_t*,
807 private_ike_sa_t *this)
808 {
809 return this->additional_addresses->create_enumerator(
810 this->additional_addresses);
811 }
812
813 METHOD(ike_sa_t, remove_additional_addresses, void,
814 private_ike_sa_t *this)
815 {
816 enumerator_t *enumerator = create_additional_address_enumerator(this);
817 host_t *host;
818 while (enumerator->enumerate(enumerator, (void**)&host))
819 {
820 this->additional_addresses->remove_at(this->additional_addresses,
821 enumerator);
822 host->destroy(host);
823 }
824 enumerator->destroy(enumerator);
825 }
826
827 METHOD(ike_sa_t, has_mapping_changed, bool,
828 private_ike_sa_t *this, chunk_t hash)
829 {
830 if (this->nat_detection_dest.ptr == NULL)
831 {
832 this->nat_detection_dest = chunk_clone(hash);
833 return FALSE;
834 }
835 if (chunk_equals(hash, this->nat_detection_dest))
836 {
837 return FALSE;
838 }
839 free(this->nat_detection_dest.ptr);
840 this->nat_detection_dest = chunk_clone(hash);
841 return TRUE;
842 }
843
844 METHOD(ike_sa_t, set_pending_updates, void,
845 private_ike_sa_t *this, u_int32_t updates)
846 {
847 this->pending_updates = updates;
848 }
849
850 METHOD(ike_sa_t, get_pending_updates, u_int32_t,
851 private_ike_sa_t *this)
852 {
853 return this->pending_updates;
854 }
855
856 METHOD(ike_sa_t, float_ports, void,
857 private_ike_sa_t *this)
858 {
859 /* do not switch if we have a custom port from MOBIKE/NAT */
860 if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
861 {
862 this->my_host->set_port(this->my_host, IKEV2_NATT_PORT);
863 }
864 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
865 {
866 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
867 }
868 }
869
870 METHOD(ike_sa_t, update_hosts, void,
871 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
872 {
873 bool update = FALSE;
874
875 if (me == NULL)
876 {
877 me = this->my_host;
878 }
879 if (other == NULL)
880 {
881 other = this->other_host;
882 }
883
884 /* apply hosts on first received message */
885 if (this->my_host->is_anyaddr(this->my_host) ||
886 this->other_host->is_anyaddr(this->other_host))
887 {
888 set_my_host(this, me->clone(me));
889 set_other_host(this, other->clone(other));
890 update = TRUE;
891 }
892 else
893 {
894 /* update our address in any case */
895 if (!me->equals(me, this->my_host))
896 {
897 set_my_host(this, me->clone(me));
898 update = TRUE;
899 }
900
901 if (!other->equals(other, this->other_host))
902 {
903 /* update others address if we are NOT NATed */
904 if (force || !has_condition(this, COND_NAT_HERE))
905 {
906 set_other_host(this, other->clone(other));
907 update = TRUE;
908 }
909 }
910 }
911
912 /* update all associated CHILD_SAs, if required */
913 if (update)
914 {
915 enumerator_t *enumerator;
916 child_sa_t *child_sa;
917
918 enumerator = this->child_sas->create_enumerator(this->child_sas);
919 while (enumerator->enumerate(enumerator, (void**)&child_sa))
920 {
921 if (child_sa->update(child_sa, this->my_host,
922 this->other_host, this->my_virtual_ip,
923 has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
924 {
925 this->public.rekey_child_sa(&this->public,
926 child_sa->get_protocol(child_sa),
927 child_sa->get_spi(child_sa, TRUE));
928 }
929 }
930 enumerator->destroy(enumerator);
931 }
932 }
933
934 METHOD(ike_sa_t, generate_message, status_t,
935 private_ike_sa_t *this, message_t *message, packet_t **packet)
936 {
937 if (message->is_encoded(message))
938 { /* already done */
939 *packet = message->get_packet(message);
940 return SUCCESS;
941 }
942 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
943 message->set_ike_sa_id(message, this->ike_sa_id);
944 charon->bus->message(charon->bus, message, FALSE);
945 return message->generate(message, this->keymat, packet);
946 }
947
948 METHOD(ike_sa_t, set_kmaddress, void,
949 private_ike_sa_t *this, host_t *local, host_t *remote)
950 {
951 DESTROY_IF(this->local_host);
952 DESTROY_IF(this->remote_host);
953 this->local_host = local->clone(local);
954 this->remote_host = remote->clone(remote);
955 }
956
957 #ifdef ME
958 METHOD(ike_sa_t, act_as_mediation_server, void,
959 private_ike_sa_t *this)
960 {
961 charon->mediation_manager->update_sa_id(charon->mediation_manager,
962 this->other_id, this->ike_sa_id);
963 this->is_mediation_server = TRUE;
964 }
965
966 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
967 private_ike_sa_t *this)
968 {
969 return this->server_reflexive_host;
970 }
971
972 METHOD(ike_sa_t, set_server_reflexive_host, void,
973 private_ike_sa_t *this, host_t *host)
974 {
975 DESTROY_IF(this->server_reflexive_host);
976 this->server_reflexive_host = host;
977 }
978
979 METHOD(ike_sa_t, get_connect_id, chunk_t,
980 private_ike_sa_t *this)
981 {
982 return this->connect_id;
983 }
984
985 METHOD(ike_sa_t, respond, status_t,
986 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
987 {
988 ike_me_t *task = ike_me_create(&this->public, TRUE);
989 task->respond(task, peer_id, connect_id);
990 this->task_manager->queue_task(this->task_manager, (task_t*)task);
991 return this->task_manager->initiate(this->task_manager);
992 }
993
994 METHOD(ike_sa_t, callback, status_t,
995 private_ike_sa_t *this, identification_t *peer_id)
996 {
997 ike_me_t *task = ike_me_create(&this->public, TRUE);
998 task->callback(task, peer_id);
999 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1000 return this->task_manager->initiate(this->task_manager);
1001 }
1002
1003 METHOD(ike_sa_t, relay, status_t,
1004 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1005 chunk_t connect_key, linked_list_t *endpoints, bool response)
1006 {
1007 ike_me_t *task = ike_me_create(&this->public, TRUE);
1008 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1009 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1010 return this->task_manager->initiate(this->task_manager);
1011 }
1012
1013 METHOD(ike_sa_t, initiate_mediation, status_t,
1014 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1015 {
1016 ike_me_t *task = ike_me_create(&this->public, TRUE);
1017 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1018 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1019 return this->task_manager->initiate(this->task_manager);
1020 }
1021
1022 METHOD(ike_sa_t, initiate_mediated, status_t,
1023 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1024 {
1025 set_my_host(this, me->clone(me));
1026 set_other_host(this, other->clone(other));
1027 chunk_free(&this->connect_id);
1028 this->connect_id = chunk_clone(connect_id);
1029 return this->task_manager->initiate(this->task_manager);
1030 }
1031 #endif /* ME */
1032
1033 /**
1034 * Resolve DNS host in configuration
1035 */
1036 static void resolve_hosts(private_ike_sa_t *this)
1037 {
1038 host_t *host;
1039
1040 if (this->remote_host)
1041 {
1042 host = this->remote_host->clone(this->remote_host);
1043 host->set_port(host, IKEV2_UDP_PORT);
1044 }
1045 else
1046 {
1047 host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
1048 0, this->ike_cfg->get_other_port(this->ike_cfg));
1049 }
1050 if (host)
1051 {
1052 set_other_host(this, host);
1053 }
1054
1055 if (this->local_host)
1056 {
1057 host = this->local_host->clone(this->local_host);
1058 host->set_port(host, IKEV2_UDP_PORT);
1059 }
1060 else
1061 {
1062 int family = 0;
1063
1064 /* use same address family as for other */
1065 if (!this->other_host->is_anyaddr(this->other_host))
1066 {
1067 family = this->other_host->get_family(this->other_host);
1068 }
1069 host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
1070 family, this->ike_cfg->get_my_port(this->ike_cfg));
1071
1072 if (host && host->is_anyaddr(host) &&
1073 !this->other_host->is_anyaddr(this->other_host))
1074 {
1075 host->destroy(host);
1076 host = hydra->kernel_interface->get_source_addr(
1077 hydra->kernel_interface, this->other_host, NULL);
1078 if (host)
1079 {
1080 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1081 }
1082 else
1083 { /* fallback to address family specific %any(6), if configured */
1084 host = host_create_from_dns(
1085 this->ike_cfg->get_my_addr(this->ike_cfg),
1086 0, this->ike_cfg->get_my_port(this->ike_cfg));
1087 }
1088 }
1089 }
1090 if (host)
1091 {
1092 set_my_host(this, host);
1093 }
1094 }
1095
1096 METHOD(ike_sa_t, initiate, status_t,
1097 private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
1098 traffic_selector_t *tsi, traffic_selector_t *tsr)
1099 {
1100 task_t *task;
1101
1102 if (this->state == IKE_CREATED)
1103 {
1104 resolve_hosts(this);
1105
1106 if (this->other_host->is_anyaddr(this->other_host)
1107 #ifdef ME
1108 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1109 #endif /* ME */
1110 )
1111 {
1112 child_cfg->destroy(child_cfg);
1113 DBG1(DBG_IKE, "unable to initiate to %%any");
1114 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1115 return DESTROY_ME;
1116 }
1117
1118 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1119
1120 if (this->version == IKEV1)
1121 {
1122 task = (task_t*)ike_vendor_v1_create(&this->public, TRUE);
1123 this->task_manager->queue_task(this->task_manager, task);
1124 task = (task_t*)ike_cert_pre_v1_create(&this->public, TRUE);
1125 this->task_manager->queue_task(this->task_manager, task);
1126 task = (task_t*)main_mode_create(&this->public, TRUE);
1127 this->task_manager->queue_task(this->task_manager, task);
1128 task = (task_t*)ike_cert_post_v1_create(&this->public, TRUE);
1129 this->task_manager->queue_task(this->task_manager, task);
1130 task = (task_t*)ike_natd_v1_create(&this->public, TRUE);
1131 this->task_manager->queue_task(this->task_manager, task);
1132 }
1133 else
1134 {
1135 task = (task_t*)ike_vendor_create(&this->public, TRUE);
1136 this->task_manager->queue_task(this->task_manager, task);
1137 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1138 this->task_manager->queue_task(this->task_manager, task);
1139 task = (task_t*)ike_natd_create(&this->public, TRUE);
1140 this->task_manager->queue_task(this->task_manager, task);
1141 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1142 this->task_manager->queue_task(this->task_manager, task);
1143 task = (task_t*)ike_auth_create(&this->public, TRUE);
1144 this->task_manager->queue_task(this->task_manager, task);
1145 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1146 this->task_manager->queue_task(this->task_manager, task);
1147 task = (task_t*)ike_config_create(&this->public, TRUE);
1148 this->task_manager->queue_task(this->task_manager, task);
1149 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1150 this->task_manager->queue_task(this->task_manager, task);
1151 if (this->peer_cfg->use_mobike(this->peer_cfg))
1152 {
1153 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1154 this->task_manager->queue_task(this->task_manager, task);
1155 }
1156 #ifdef ME
1157 task = (task_t*)ike_me_create(&this->public, TRUE);
1158 this->task_manager->queue_task(this->task_manager, task);
1159 #endif /* ME */
1160 }
1161 }
1162
1163 #ifdef ME
1164 if (this->peer_cfg->is_mediation(this->peer_cfg))
1165 {
1166 if (this->state == IKE_ESTABLISHED)
1167 {
1168 /* mediation connection is already established, retrigger state
1169 * change to notify bus listeners */
1170 DBG1(DBG_IKE, "mediation connection is already up");
1171 set_state(this, IKE_ESTABLISHED);
1172 }
1173 DESTROY_IF(child_cfg);
1174 }
1175 else
1176 #endif /* ME */
1177 {
1178 /* normal IKE_SA with CHILD_SA */
1179 if (this->version == IKEV2)
1180 {
1181 task = (task_t*)child_create_create(&this->public, child_cfg, FALSE,
1182 tsi, tsr);
1183 if (reqid)
1184 {
1185 child_create_t *child_create = (child_create_t*)task;
1186 child_create->use_reqid(child_create, reqid);
1187 }
1188 }
1189 else
1190 {
1191 task = (task_t*)quick_mode_create(&this->public, child_cfg,
1192 tsi, tsr);
1193 }
1194 this->task_manager->queue_task(this->task_manager, task);
1195
1196 #ifdef ME
1197 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1198 {
1199 /* mediated connection, initiate mediation process */
1200 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1201 lib->processor->queue_job(lib->processor, job);
1202 return SUCCESS;
1203 }
1204 #endif /* ME */
1205 }
1206
1207 return this->task_manager->initiate(this->task_manager);
1208 }
1209
1210 METHOD(ike_sa_t, process_message, status_t,
1211 private_ike_sa_t *this, message_t *message)
1212 {
1213 status_t status;
1214
1215 if (this->state == IKE_PASSIVE)
1216 { /* do not handle messages in passive state */
1217 return FAILED;
1218 }
1219 status = this->task_manager->process_message(this->task_manager, message);
1220 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1221 {
1222 /* authentication completed */
1223 this->flush_auth_cfg = FALSE;
1224 flush_auth_cfgs(this);
1225 }
1226 return status;
1227 }
1228
1229 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1230 private_ike_sa_t *this)
1231 {
1232 return this->ike_sa_id;
1233 }
1234
1235 METHOD(ike_sa_t, get_version, ike_version_t,
1236 private_ike_sa_t *this)
1237 {
1238 return this->version;
1239 }
1240
1241 METHOD(ike_sa_t, get_my_id, identification_t*,
1242 private_ike_sa_t *this)
1243 {
1244 return this->my_id;
1245 }
1246
1247 METHOD(ike_sa_t, set_my_id, void,
1248 private_ike_sa_t *this, identification_t *me)
1249 {
1250 DESTROY_IF(this->my_id);
1251 this->my_id = me;
1252 }
1253
1254 METHOD(ike_sa_t, get_other_id, identification_t*,
1255 private_ike_sa_t *this)
1256 {
1257 return this->other_id;
1258 }
1259
1260 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1261 private_ike_sa_t *this)
1262 {
1263 identification_t *id = NULL, *current;
1264 enumerator_t *enumerator;
1265 auth_cfg_t *cfg;
1266
1267 enumerator = this->other_auths->create_enumerator(this->other_auths);
1268 while (enumerator->enumerate(enumerator, &cfg))
1269 {
1270 /* prefer EAP-Identity of last round */
1271 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1272 if (!current || current->get_type(current) == ID_ANY)
1273 {
1274 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1275 }
1276 if (current && current->get_type(current) != ID_ANY)
1277 {
1278 id = current;
1279 continue;
1280 }
1281 }
1282 enumerator->destroy(enumerator);
1283 if (id)
1284 {
1285 return id;
1286 }
1287 return this->other_id;
1288 }
1289
1290 METHOD(ike_sa_t, set_other_id, void,
1291 private_ike_sa_t *this, identification_t *other)
1292 {
1293 DESTROY_IF(this->other_id);
1294 this->other_id = other;
1295 }
1296
1297 METHOD(ike_sa_t, add_child_sa, void,
1298 private_ike_sa_t *this, child_sa_t *child_sa)
1299 {
1300 this->child_sas->insert_last(this->child_sas, child_sa);
1301 }
1302
1303 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1304 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound)
1305 {
1306 enumerator_t *enumerator;
1307 child_sa_t *current, *found = NULL;
1308
1309 enumerator = this->child_sas->create_enumerator(this->child_sas);
1310 while (enumerator->enumerate(enumerator, (void**)&current))
1311 {
1312 if (current->get_spi(current, inbound) == spi &&
1313 current->get_protocol(current) == protocol)
1314 {
1315 found = current;
1316 }
1317 }
1318 enumerator->destroy(enumerator);
1319 return found;
1320 }
1321
1322 METHOD(ike_sa_t, get_child_count, int,
1323 private_ike_sa_t *this)
1324 {
1325 return this->child_sas->get_count(this->child_sas);
1326 }
1327
1328 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1329 private_ike_sa_t *this)
1330 {
1331 return this->child_sas->create_enumerator(this->child_sas);
1332 }
1333
1334 METHOD(ike_sa_t, remove_child_sa, void,
1335 private_ike_sa_t *this, enumerator_t *enumerator)
1336 {
1337 this->child_sas->remove_at(this->child_sas, enumerator);
1338 }
1339
1340 METHOD(ike_sa_t, rekey_child_sa, status_t,
1341 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1342 {
1343 child_rekey_t *child_rekey;
1344
1345 child_rekey = child_rekey_create(&this->public, protocol, spi);
1346 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1347 return this->task_manager->initiate(this->task_manager);
1348 }
1349
1350 METHOD(ike_sa_t, delete_child_sa, status_t,
1351 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1352 {
1353 task_t *task;
1354
1355 if (this->version == IKEV1)
1356 {
1357 task = (task_t*)quick_delete_create(&this->public, protocol, spi);
1358 }
1359 else
1360 {
1361 task = (task_t*)child_delete_create(&this->public, protocol, spi);
1362 }
1363 this->task_manager->queue_task(this->task_manager, task);
1364 return this->task_manager->initiate(this->task_manager);
1365 }
1366
1367 METHOD(ike_sa_t, destroy_child_sa, status_t,
1368 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1369 {
1370 enumerator_t *enumerator;
1371 child_sa_t *child_sa;
1372 status_t status = NOT_FOUND;
1373
1374 enumerator = this->child_sas->create_enumerator(this->child_sas);
1375 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1376 {
1377 if (child_sa->get_protocol(child_sa) == protocol &&
1378 child_sa->get_spi(child_sa, TRUE) == spi)
1379 {
1380 this->child_sas->remove_at(this->child_sas, enumerator);
1381 child_sa->destroy(child_sa);
1382 status = SUCCESS;
1383 break;
1384 }
1385 }
1386 enumerator->destroy(enumerator);
1387 return status;
1388 }
1389
1390 METHOD(ike_sa_t, delete_, status_t,
1391 private_ike_sa_t *this)
1392 {
1393 task_t *task;
1394
1395 switch (this->state)
1396 {
1397 case IKE_ESTABLISHED:
1398 case IKE_REKEYING:
1399 if (this->version == IKEV1)
1400 {
1401 task = (task_t*)isakmp_delete_create(&this->public, TRUE);
1402 }
1403 else
1404 {
1405 task = (task_t*)ike_delete_create(&this->public, TRUE);
1406 }
1407 this->task_manager->queue_task(this->task_manager, task);
1408 return this->task_manager->initiate(this->task_manager);
1409 case IKE_CREATED:
1410 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1411 break;
1412 case IKE_PASSIVE:
1413 break;
1414 default:
1415 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1416 "without notification", ike_sa_state_names, this->state);
1417 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1418 break;
1419 }
1420 return DESTROY_ME;
1421 }
1422
1423 METHOD(ike_sa_t, rekey, status_t,
1424 private_ike_sa_t *this)
1425 {
1426 ike_rekey_t *ike_rekey;
1427
1428 ike_rekey = ike_rekey_create(&this->public, TRUE);
1429
1430 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1431 return this->task_manager->initiate(this->task_manager);
1432 }
1433
1434 METHOD(ike_sa_t, reauth, status_t,
1435 private_ike_sa_t *this)
1436 {
1437 task_t *task;
1438
1439 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1440 * If the peer does not support RFC4478, there is no way to keep the
1441 * IKE_SA up. */
1442 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1443 {
1444 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1445 if (this->other_virtual_ip != NULL ||
1446 has_condition(this, COND_EAP_AUTHENTICATED)
1447 #ifdef ME
1448 /* as mediation server we too cannot reauth the IKE_SA */
1449 || this->is_mediation_server
1450 #endif /* ME */
1451 )
1452 {
1453 time_t now = time_monotonic(NULL);
1454
1455 DBG1(DBG_IKE, "IKE_SA will timeout in %V",
1456 &now, &this->stats[STAT_DELETE]);
1457 return FAILED;
1458 }
1459 else
1460 {
1461 DBG1(DBG_IKE, "reauthenticating actively");
1462 }
1463 }
1464 task = (task_t*)ike_reauth_create(&this->public);
1465 this->task_manager->queue_task(this->task_manager, task);
1466
1467 return this->task_manager->initiate(this->task_manager);
1468 }
1469
1470 METHOD(ike_sa_t, reestablish, status_t,
1471 private_ike_sa_t *this)
1472 {
1473 ike_sa_t *new;
1474 host_t *host;
1475 action_t action;
1476 enumerator_t *enumerator;
1477 child_sa_t *child_sa;
1478 child_cfg_t *child_cfg;
1479 bool restart = FALSE;
1480 status_t status = FAILED;
1481
1482 /* check if we have children to keep up at all */
1483 enumerator = this->child_sas->create_enumerator(this->child_sas);
1484 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1485 {
1486 if (this->state == IKE_DELETING)
1487 {
1488 action = child_sa->get_close_action(child_sa);
1489 }
1490 else
1491 {
1492 action = child_sa->get_dpd_action(child_sa);
1493 }
1494 switch (action)
1495 {
1496 case ACTION_RESTART:
1497 restart = TRUE;
1498 break;
1499 case ACTION_ROUTE:
1500 charon->traps->install(charon->traps, this->peer_cfg,
1501 child_sa->get_config(child_sa));
1502 break;
1503 default:
1504 break;
1505 }
1506 }
1507 enumerator->destroy(enumerator);
1508 #ifdef ME
1509 /* mediation connections have no children, keep them up anyway */
1510 if (this->peer_cfg->is_mediation(this->peer_cfg))
1511 {
1512 restart = TRUE;
1513 }
1514 #endif /* ME */
1515 if (!restart)
1516 {
1517 return FAILED;
1518 }
1519
1520 /* check if we are able to reestablish this IKE_SA */
1521 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1522 (this->other_virtual_ip != NULL ||
1523 has_condition(this, COND_EAP_AUTHENTICATED)
1524 #ifdef ME
1525 || this->is_mediation_server
1526 #endif /* ME */
1527 ))
1528 {
1529 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
1530 return FAILED;
1531 }
1532
1533 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1534 this->version, TRUE);
1535 new->set_peer_cfg(new, this->peer_cfg);
1536 host = this->other_host;
1537 new->set_other_host(new, host->clone(host));
1538 host = this->my_host;
1539 new->set_my_host(new, host->clone(host));
1540 /* if we already have a virtual IP, we reuse it */
1541 host = this->my_virtual_ip;
1542 if (host)
1543 {
1544 new->set_virtual_ip(new, TRUE, host);
1545 }
1546
1547 #ifdef ME
1548 if (this->peer_cfg->is_mediation(this->peer_cfg))
1549 {
1550 status = new->initiate(new, NULL, 0, NULL, NULL);
1551 }
1552 else
1553 #endif /* ME */
1554 {
1555 enumerator = this->child_sas->create_enumerator(this->child_sas);
1556 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1557 {
1558 if (this->state == IKE_DELETING)
1559 {
1560 action = child_sa->get_close_action(child_sa);
1561 }
1562 else
1563 {
1564 action = child_sa->get_dpd_action(child_sa);
1565 }
1566 switch (action)
1567 {
1568 case ACTION_RESTART:
1569 child_cfg = child_sa->get_config(child_sa);
1570 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1571 child_cfg->get_name(child_cfg));
1572 child_cfg->get_ref(child_cfg);
1573 status = new->initiate(new, child_cfg, 0, NULL, NULL);
1574 break;
1575 default:
1576 continue;
1577 }
1578 if (status == DESTROY_ME)
1579 {
1580 break;
1581 }
1582 }
1583 enumerator->destroy(enumerator);
1584 }
1585
1586 if (status == DESTROY_ME)
1587 {
1588 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1589 status = FAILED;
1590 }
1591 else
1592 {
1593 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1594 status = SUCCESS;
1595 }
1596 charon->bus->set_sa(charon->bus, &this->public);
1597 return status;
1598 }
1599
1600 /**
1601 * Requeue the IKE_SA_INIT tasks for initiation, if required
1602 */
1603 static void requeue_init_tasks(private_ike_sa_t *this)
1604 {
1605 enumerator_t *enumerator;
1606 bool has_init = FALSE;
1607 task_t *task;
1608
1609 /* if we have advanced to IKE_AUTH, the IKE_INIT and related tasks
1610 * have already completed. Recreate them if necessary. */
1611 enumerator = this->task_manager->create_task_enumerator(
1612 this->task_manager, TASK_QUEUE_QUEUED);
1613 while (enumerator->enumerate(enumerator, &task))
1614 {
1615 if (task->get_type(task) == TASK_IKE_INIT)
1616 {
1617 has_init = TRUE;
1618 break;
1619 }
1620 }
1621 enumerator->destroy(enumerator);
1622
1623 if (!has_init)
1624 {
1625 task = (task_t*)ike_vendor_create(&this->public, TRUE);
1626 this->task_manager->queue_task(this->task_manager, task);
1627 task = (task_t*)ike_natd_create(&this->public, TRUE);
1628 this->task_manager->queue_task(this->task_manager, task);
1629 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1630 this->task_manager->queue_task(this->task_manager, task);
1631 }
1632 }
1633
1634 METHOD(ike_sa_t, retransmit, status_t,
1635 private_ike_sa_t *this, u_int32_t message_id)
1636 {
1637 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1638 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1639 {
1640 /* send a proper signal to brief interested bus listeners */
1641 switch (this->state)
1642 {
1643 case IKE_CONNECTING:
1644 {
1645 /* retry IKE_SA_INIT if we have multiple keyingtries */
1646 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1647 this->keyingtry++;
1648 if (tries == 0 || tries > this->keyingtry)
1649 {
1650 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1651 this->keyingtry + 1, tries);
1652 reset(this);
1653 requeue_init_tasks(this);
1654 return this->task_manager->initiate(this->task_manager);
1655 }
1656 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1657 break;
1658 }
1659 case IKE_DELETING:
1660 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1661 break;
1662 case IKE_REKEYING:
1663 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1664 /* FALL */
1665 default:
1666 reestablish(this);
1667 break;
1668 }
1669 return DESTROY_ME;
1670 }
1671 return SUCCESS;
1672 }
1673
1674 METHOD(ike_sa_t, set_auth_lifetime, void,
1675 private_ike_sa_t *this, u_int32_t lifetime)
1676 {
1677 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1678 u_int32_t reauth_time = time_monotonic(NULL) + lifetime - reduction;
1679
1680 if (lifetime < reduction)
1681 {
1682 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1683 lifetime);
1684 lib->processor->queue_job(lib->processor,
1685 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
1686 }
1687 else if (this->stats[STAT_REAUTH] == 0 ||
1688 this->stats[STAT_REAUTH] > reauth_time)
1689 {
1690 this->stats[STAT_REAUTH] = reauth_time;
1691 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1692 " in %ds", lifetime, lifetime - reduction);
1693 lib->scheduler->schedule_job(lib->scheduler,
1694 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
1695 lifetime - reduction);
1696 }
1697 else
1698 {
1699 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
1700 "reauthentication already scheduled in %ds", lifetime,
1701 this->stats[STAT_REAUTH] - time_monotonic(NULL));
1702 }
1703 }
1704
1705 /**
1706 * Check if the current combination of source and destination address is still
1707 * valid.
1708 */
1709 static bool is_current_path_valid(private_ike_sa_t *this)
1710 {
1711 bool valid = FALSE;
1712 host_t *src;
1713 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
1714 this->other_host, this->my_host);
1715 if (src)
1716 {
1717 if (src->ip_equals(src, this->my_host))
1718 {
1719 valid = TRUE;
1720 }
1721 src->destroy(src);
1722 }
1723 return valid;
1724 }
1725
1726 /**
1727 * Check if we have any path avialable for this IKE SA.
1728 */
1729 static bool is_any_path_valid(private_ike_sa_t *this)
1730 {
1731 bool valid = FALSE;
1732 enumerator_t *enumerator;
1733 host_t *src, *addr;
1734 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
1735 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
1736 this->other_host, NULL);
1737 if (!src)
1738 {
1739 enumerator = this->additional_addresses->create_enumerator(
1740 this->additional_addresses);
1741 while (enumerator->enumerate(enumerator, &addr))
1742 {
1743 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
1744 src = hydra->kernel_interface->get_source_addr(
1745 hydra->kernel_interface, addr, NULL);
1746 if (src)
1747 {
1748 break;
1749 }
1750 }
1751 enumerator->destroy(enumerator);
1752 }
1753 if (src)
1754 {
1755 valid = TRUE;
1756 src->destroy(src);
1757 }
1758 return valid;
1759 }
1760
1761 METHOD(ike_sa_t, roam, status_t,
1762 private_ike_sa_t *this, bool address)
1763 {
1764 ike_mobike_t *mobike;
1765
1766 switch (this->state)
1767 {
1768 case IKE_CREATED:
1769 case IKE_DELETING:
1770 case IKE_DESTROYING:
1771 case IKE_PASSIVE:
1772 return SUCCESS;
1773 default:
1774 break;
1775 }
1776
1777 /* keep existing path if possible */
1778 if (is_current_path_valid(this))
1779 {
1780 DBG2(DBG_IKE, "keeping connection path %H - %H",
1781 this->my_host, this->other_host);
1782 set_condition(this, COND_STALE, FALSE);
1783
1784 if (supports_extension(this, EXT_MOBIKE) && address)
1785 { /* if any addresses changed, send an updated list */
1786 DBG1(DBG_IKE, "sending address list update using MOBIKE");
1787 mobike = ike_mobike_create(&this->public, TRUE);
1788 mobike->addresses(mobike);
1789 this->task_manager->queue_task(this->task_manager,
1790 (task_t*)mobike);
1791 return this->task_manager->initiate(this->task_manager);
1792 }
1793 return SUCCESS;
1794 }
1795
1796 if (!is_any_path_valid(this))
1797 {
1798 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
1799 this->other_host);
1800 set_condition(this, COND_STALE, TRUE);
1801 return SUCCESS;
1802 }
1803 set_condition(this, COND_STALE, FALSE);
1804
1805 /* update addresses with mobike, if supported ... */
1806 if (supports_extension(this, EXT_MOBIKE))
1807 {
1808 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1809 { /* responder updates the peer about changed address config */
1810 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
1811 "implicitly requesting an address change");
1812 address = TRUE;
1813 }
1814 else
1815 {
1816 DBG1(DBG_IKE, "requesting address change using MOBIKE");
1817 }
1818 mobike = ike_mobike_create(&this->public, TRUE);
1819 mobike->roam(mobike, address);
1820 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
1821 return this->task_manager->initiate(this->task_manager);
1822 }
1823
1824 /* ... reauth if not */
1825 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1826 { /* responder does not reauthenticate */
1827 set_condition(this, COND_STALE, TRUE);
1828 return SUCCESS;
1829 }
1830 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
1831 return reauth(this);
1832 }
1833
1834 METHOD(ike_sa_t, add_configuration_attribute, void,
1835 private_ike_sa_t *this, attribute_handler_t *handler,
1836 configuration_attribute_type_t type, chunk_t data)
1837 {
1838 attribute_entry_t *entry = malloc_thing(attribute_entry_t);
1839
1840 entry->handler = handler;
1841 entry->type = type;
1842 entry->data = chunk_clone(data);
1843
1844 this->attributes->insert_last(this->attributes, entry);
1845 }
1846
1847 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
1848 private_ike_sa_t *this, task_queue_t queue)
1849 {
1850 return this->task_manager->create_task_enumerator(this->task_manager, queue);
1851 }
1852
1853 METHOD(ike_sa_t, queue_task, void,
1854 private_ike_sa_t *this, task_t *task)
1855 {
1856 this->task_manager->queue_task(this->task_manager, task);
1857 }
1858
1859 METHOD(ike_sa_t, inherit, void,
1860 private_ike_sa_t *this, ike_sa_t *other_public)
1861 {
1862 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
1863 child_sa_t *child_sa;
1864 attribute_entry_t *entry;
1865 enumerator_t *enumerator;
1866 auth_cfg_t *cfg;
1867
1868 /* apply hosts and ids */
1869 this->my_host->destroy(this->my_host);
1870 this->other_host->destroy(this->other_host);
1871 this->my_id->destroy(this->my_id);
1872 this->other_id->destroy(this->other_id);
1873 this->my_host = other->my_host->clone(other->my_host);
1874 this->other_host = other->other_host->clone(other->other_host);
1875 this->my_id = other->my_id->clone(other->my_id);
1876 this->other_id = other->other_id->clone(other->other_id);
1877
1878 /* apply virtual assigned IPs... */
1879 if (other->my_virtual_ip)
1880 {
1881 this->my_virtual_ip = other->my_virtual_ip;
1882 other->my_virtual_ip = NULL;
1883 }
1884 if (other->other_virtual_ip)
1885 {
1886 this->other_virtual_ip = other->other_virtual_ip;
1887 other->other_virtual_ip = NULL;
1888 }
1889
1890 /* authentication information */
1891 enumerator = other->my_auths->create_enumerator(other->my_auths);
1892 while (enumerator->enumerate(enumerator, &cfg))
1893 {
1894 this->my_auths->insert_last(this->my_auths, cfg->clone(cfg));
1895 }
1896 enumerator->destroy(enumerator);
1897 enumerator = other->other_auths->create_enumerator(other->other_auths);
1898 while (enumerator->enumerate(enumerator, &cfg))
1899 {
1900 this->other_auths->insert_last(this->other_auths, cfg->clone(cfg));
1901 }
1902 enumerator->destroy(enumerator);
1903
1904 /* ... and configuration attributes */
1905 while (other->attributes->remove_last(other->attributes,
1906 (void**)&entry) == SUCCESS)
1907 {
1908 this->attributes->insert_first(this->attributes, entry);
1909 }
1910
1911 /* inherit all conditions */
1912 this->conditions = other->conditions;
1913 if (this->conditions & COND_NAT_HERE)
1914 {
1915 send_keepalive(this);
1916 }
1917
1918 #ifdef ME
1919 if (other->is_mediation_server)
1920 {
1921 act_as_mediation_server(this);
1922 }
1923 else if (other->server_reflexive_host)
1924 {
1925 this->server_reflexive_host = other->server_reflexive_host->clone(
1926 other->server_reflexive_host);
1927 }
1928 #endif /* ME */
1929
1930 /* adopt all children */
1931 while (other->child_sas->remove_last(other->child_sas,
1932 (void**)&child_sa) == SUCCESS)
1933 {
1934 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
1935 }
1936
1937 /* move pending tasks to the new IKE_SA */
1938 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
1939
1940 /* reauthentication timeout survives a rekeying */
1941 if (other->stats[STAT_REAUTH])
1942 {
1943 time_t reauth, delete, now = time_monotonic(NULL);
1944
1945 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
1946 reauth = this->stats[STAT_REAUTH] - now;
1947 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
1948 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
1949 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
1950 "lifetime reduced to %ds", reauth, delete);
1951 lib->scheduler->schedule_job(lib->scheduler,
1952 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
1953 lib->scheduler->schedule_job(lib->scheduler,
1954 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
1955 }
1956 }
1957
1958 METHOD(ike_sa_t, destroy, void,
1959 private_ike_sa_t *this)
1960 {
1961 attribute_entry_t *entry;
1962
1963 charon->bus->set_sa(charon->bus, &this->public);
1964
1965 set_state(this, IKE_DESTROYING);
1966 this->task_manager->destroy(this->task_manager);
1967
1968 /* remove attributes first, as we pass the IKE_SA to the handler */
1969 while (this->attributes->remove_last(this->attributes,
1970 (void**)&entry) == SUCCESS)
1971 {
1972 hydra->attributes->release(hydra->attributes, entry->handler,
1973 this->other_id, entry->type, entry->data);
1974 free(entry->data.ptr);
1975 free(entry);
1976 }
1977 this->attributes->destroy(this->attributes);
1978
1979 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
1980
1981 /* unset SA after here to avoid usage by the listeners */
1982 charon->bus->set_sa(charon->bus, NULL);
1983
1984 this->keymat->destroy(this->keymat);
1985
1986 if (this->my_virtual_ip)
1987 {
1988 hydra->kernel_interface->del_ip(hydra->kernel_interface,
1989 this->my_virtual_ip);
1990 this->my_virtual_ip->destroy(this->my_virtual_ip);
1991 }
1992 if (this->other_virtual_ip)
1993 {
1994 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
1995 {
1996 hydra->attributes->release_address(hydra->attributes,
1997 this->peer_cfg->get_pool(this->peer_cfg),
1998 this->other_virtual_ip, get_other_eap_id(this));
1999 }
2000 this->other_virtual_ip->destroy(this->other_virtual_ip);
2001 }
2002 this->additional_addresses->destroy_offset(this->additional_addresses,
2003 offsetof(host_t, destroy));
2004 #ifdef ME
2005 if (this->is_mediation_server)
2006 {
2007 charon->mediation_manager->remove(charon->mediation_manager,
2008 this->ike_sa_id);
2009 }
2010 DESTROY_IF(this->server_reflexive_host);
2011 chunk_free(&this->connect_id);
2012 #endif /* ME */
2013 free(this->nat_detection_dest.ptr);
2014
2015 DESTROY_IF(this->my_host);
2016 DESTROY_IF(this->other_host);
2017 DESTROY_IF(this->my_id);
2018 DESTROY_IF(this->other_id);
2019 DESTROY_IF(this->local_host);
2020 DESTROY_IF(this->remote_host);
2021
2022 DESTROY_IF(this->ike_cfg);
2023 DESTROY_IF(this->peer_cfg);
2024 DESTROY_IF(this->proposal);
2025 this->my_auth->destroy(this->my_auth);
2026 this->other_auth->destroy(this->other_auth);
2027 this->my_auths->destroy_offset(this->my_auths,
2028 offsetof(auth_cfg_t, destroy));
2029 this->other_auths->destroy_offset(this->other_auths,
2030 offsetof(auth_cfg_t, destroy));
2031
2032 this->ike_sa_id->destroy(this->ike_sa_id);
2033 free(this);
2034 }
2035
2036 /*
2037 * Described in header.
2038 */
2039 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
2040 ike_version_t version)
2041 {
2042 private_ike_sa_t *this;
2043 static u_int32_t unique_id = 0;
2044
2045 INIT(this,
2046 .public = {
2047 .get_version = _get_version,
2048 .get_state = _get_state,
2049 .set_state = _set_state,
2050 .get_name = _get_name,
2051 .get_statistic = _get_statistic,
2052 .set_statistic = _set_statistic,
2053 .process_message = _process_message,
2054 .initiate = _initiate,
2055 .get_ike_cfg = _get_ike_cfg,
2056 .set_ike_cfg = _set_ike_cfg,
2057 .get_peer_cfg = _get_peer_cfg,
2058 .set_peer_cfg = _set_peer_cfg,
2059 .get_auth_cfg = _get_auth_cfg,
2060 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
2061 .add_auth_cfg = _add_auth_cfg,
2062 .get_proposal = _get_proposal,
2063 .set_proposal = _set_proposal,
2064 .get_id = _get_id,
2065 .get_my_host = _get_my_host,
2066 .set_my_host = _set_my_host,
2067 .get_other_host = _get_other_host,
2068 .set_other_host = _set_other_host,
2069 .set_message_id = _set_message_id,
2070 .float_ports = _float_ports,
2071 .update_hosts = _update_hosts,
2072 .get_my_id = _get_my_id,
2073 .set_my_id = _set_my_id,
2074 .get_other_id = _get_other_id,
2075 .set_other_id = _set_other_id,
2076 .get_other_eap_id = _get_other_eap_id,
2077 .enable_extension = _enable_extension,
2078 .supports_extension = _supports_extension,
2079 .set_condition = _set_condition,
2080 .has_condition = _has_condition,
2081 .set_pending_updates = _set_pending_updates,
2082 .get_pending_updates = _get_pending_updates,
2083 .create_additional_address_enumerator = _create_additional_address_enumerator,
2084 .add_additional_address = _add_additional_address,
2085 .remove_additional_addresses = _remove_additional_addresses,
2086 .has_mapping_changed = _has_mapping_changed,
2087 .retransmit = _retransmit,
2088 .delete = _delete_,
2089 .destroy = _destroy,
2090 .send_dpd = _send_dpd,
2091 .send_keepalive = _send_keepalive,
2092 .get_keymat = _get_keymat,
2093 .add_child_sa = _add_child_sa,
2094 .get_child_sa = _get_child_sa,
2095 .get_child_count = _get_child_count,
2096 .create_child_sa_enumerator = _create_child_sa_enumerator,
2097 .remove_child_sa = _remove_child_sa,
2098 .rekey_child_sa = _rekey_child_sa,
2099 .delete_child_sa = _delete_child_sa,
2100 .destroy_child_sa = _destroy_child_sa,
2101 .rekey = _rekey,
2102 .reauth = _reauth,
2103 .reestablish = _reestablish,
2104 .set_auth_lifetime = _set_auth_lifetime,
2105 .roam = _roam,
2106 .inherit = _inherit,
2107 .generate_message = _generate_message,
2108 .reset = _reset,
2109 .get_unique_id = _get_unique_id,
2110 .set_virtual_ip = _set_virtual_ip,
2111 .get_virtual_ip = _get_virtual_ip,
2112 .add_configuration_attribute = _add_configuration_attribute,
2113 .set_kmaddress = _set_kmaddress,
2114 .create_task_enumerator = _create_task_enumerator,
2115 .queue_task = _queue_task,
2116 #ifdef ME
2117 .act_as_mediation_server = _act_as_mediation_server,
2118 .get_server_reflexive_host = _get_server_reflexive_host,
2119 .set_server_reflexive_host = _set_server_reflexive_host,
2120 .get_connect_id = _get_connect_id,
2121 .initiate_mediation = _initiate_mediation,
2122 .initiate_mediated = _initiate_mediated,
2123 .relay = _relay,
2124 .callback = _callback,
2125 .respond = _respond,
2126 #endif /* ME */
2127 },
2128 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
2129 .version = version,
2130 .child_sas = linked_list_create(),
2131 .my_host = host_create_any(AF_INET),
2132 .other_host = host_create_any(AF_INET),
2133 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2134 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2135 .keymat = keymat_create(version, initiator),
2136 .state = IKE_CREATED,
2137 .stats[STAT_INBOUND] = time_monotonic(NULL),
2138 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
2139 .my_auth = auth_cfg_create(),
2140 .other_auth = auth_cfg_create(),
2141 .my_auths = linked_list_create(),
2142 .other_auths = linked_list_create(),
2143 .unique_id = ++unique_id,
2144 .additional_addresses = linked_list_create(),
2145 .attributes = linked_list_create(),
2146 .keepalive_interval = lib->settings->get_time(lib->settings,
2147 "charon.keep_alive", KEEPALIVE_INTERVAL),
2148 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
2149 "charon.flush_auth_cfg", FALSE),
2150 );
2151
2152 this->task_manager = task_manager_create(&this->public);
2153 this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
2154
2155 return &this->public;
2156 }