Support multiple virtual IPs on peer_cfg and ike_sa classes
[strongswan.git] / src / libcharon / sa / ike_sa.h
1 /*
2 * Copyright (C) 2006-2012 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup ike_sa ike_sa
21 * @{ @ingroup sa
22 */
23
24 #ifndef IKE_SA_H_
25 #define IKE_SA_H_
26
27 typedef enum ike_extension_t ike_extension_t;
28 typedef enum ike_condition_t ike_condition_t;
29 typedef enum ike_sa_state_t ike_sa_state_t;
30 typedef enum statistic_t statistic_t;
31 typedef struct ike_sa_t ike_sa_t;
32
33 #include <library.h>
34 #include <attributes/attribute_handler.h>
35 #include <encoding/message.h>
36 #include <encoding/payloads/proposal_substructure.h>
37 #include <encoding/payloads/configuration_attribute.h>
38 #include <sa/ike_sa_id.h>
39 #include <sa/child_sa.h>
40 #include <sa/task.h>
41 #include <sa/task_manager.h>
42 #include <sa/keymat.h>
43 #include <config/peer_cfg.h>
44 #include <config/ike_cfg.h>
45 #include <credentials/auth_cfg.h>
46 #include <utils/packet.h>
47
48 /**
49 * Timeout in seconds after that a half open IKE_SA gets deleted.
50 */
51 #define HALF_OPEN_IKE_SA_TIMEOUT 30
52
53 /**
54 * Interval to send keepalives when NATed, in seconds.
55 */
56 #define KEEPALIVE_INTERVAL 20
57
58 /**
59 * After which time rekeying should be retried if it failed, in seconds.
60 */
61 #define RETRY_INTERVAL 30
62
63 /**
64 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
65 */
66 #define RETRY_JITTER 20
67
68 /**
69 * Extensions (or optional features) the peer supports
70 */
71 enum ike_extension_t {
72
73 /**
74 * peer supports NAT traversal as specified in RFC4306 or RFC3947
75 */
76 EXT_NATT = (1<<0),
77
78 /**
79 * peer supports MOBIKE (RFC4555)
80 */
81 EXT_MOBIKE = (1<<1),
82
83 /**
84 * peer supports HTTP cert lookups as specified in RFC4306
85 */
86 EXT_HASH_AND_URL = (1<<2),
87
88 /**
89 * peer supports multiple authentication exchanges, RFC4739
90 */
91 EXT_MULTIPLE_AUTH = (1<<3),
92
93 /**
94 * peer uses strongSwan, accept private use extensions
95 */
96 EXT_STRONGSWAN = (1<<4),
97
98 /**
99 * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
100 */
101 EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
102
103 /**
104 * peer is probably a Windows 7 RAS client
105 */
106 EXT_MS_WINDOWS = (1<<6),
107
108 /**
109 * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
110 */
111 EXT_XAUTH = (1<<7),
112
113 /**
114 * peer supports DPD detection, RFC 3706 (or IKEv2)
115 */
116 EXT_DPD = (1<<8),
117
118 /**
119 * peer supports Cisco Unity configuration attributes
120 */
121 EXT_CISCO_UNITY = (1<<9),
122 };
123
124 /**
125 * Conditions of an IKE_SA, change during its lifetime
126 */
127 enum ike_condition_t {
128
129 /**
130 * Connection is natted (or faked) somewhere
131 */
132 COND_NAT_ANY = (1<<0),
133
134 /**
135 * we are behind NAT
136 */
137 COND_NAT_HERE = (1<<1),
138
139 /**
140 * other is behind NAT
141 */
142 COND_NAT_THERE = (1<<2),
143
144 /**
145 * Faking NAT to enforce UDP encapsulation
146 */
147 COND_NAT_FAKE = (1<<3),
148
149 /**
150 * peer has been authenticated using EAP at least once
151 */
152 COND_EAP_AUTHENTICATED = (1<<4),
153
154 /**
155 * received a certificate request from the peer
156 */
157 COND_CERTREQ_SEEN = (1<<5),
158
159 /**
160 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
161 */
162 COND_ORIGINAL_INITIATOR = (1<<6),
163
164 /**
165 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
166 */
167 COND_STALE = (1<<7),
168
169 /**
170 * Initial contact received
171 */
172 COND_INIT_CONTACT_SEEN = (1<<8),
173
174 /**
175 * Peer has been authenticated using XAuth
176 */
177 COND_XAUTH_AUTHENTICATED = (1<<9),
178 };
179
180 /**
181 * Timing information and statistics to query from an SA
182 */
183 enum statistic_t {
184 /** Timestamp of SA establishement */
185 STAT_ESTABLISHED = 0,
186 /** Timestamp of scheudled rekeying */
187 STAT_REKEY,
188 /** Timestamp of scheudled reauthentication */
189 STAT_REAUTH,
190 /** Timestamp of scheudled delete */
191 STAT_DELETE,
192 /** Timestamp of last inbound IKE packet */
193 STAT_INBOUND,
194 /** Timestamp of last outbound IKE packet */
195 STAT_OUTBOUND,
196
197 STAT_MAX
198 };
199
200 /**
201 * State of an IKE_SA.
202 *
203 * An IKE_SA passes various states in its lifetime. A newly created
204 * SA is in the state CREATED.
205 * @verbatim
206 +----------------+
207 ¦ SA_CREATED ¦
208 +----------------+
209 ¦
210 on initiate()---> ¦ <----- on IKE_SA_INIT received
211 V
212 +----------------+
213 ¦ SA_CONNECTING ¦
214 +----------------+
215 ¦
216 ¦ <----- on IKE_AUTH successfully completed
217 V
218 +----------------+
219 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
220 +----------------+ ¦
221 ¦ V
222 on delete()---> ¦ <----- on IKE_SA +-------------+
223 ¦ delete request ¦ SA_REKEYING ¦
224 ¦ received +-------------+
225 V ¦
226 +----------------+ ¦
227 ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
228 +----------------+
229 ¦
230 ¦ <----- after delete() acknowledged
231 ¦
232 \V/
233 X
234 / \
235 @endverbatim
236 */
237 enum ike_sa_state_t {
238
239 /**
240 * IKE_SA just got created, but is not initiating nor responding yet.
241 */
242 IKE_CREATED,
243
244 /**
245 * IKE_SA gets initiated actively or passively
246 */
247 IKE_CONNECTING,
248
249 /**
250 * IKE_SA is fully established
251 */
252 IKE_ESTABLISHED,
253
254 /**
255 * IKE_SA is managed externally and does not process messages
256 */
257 IKE_PASSIVE,
258
259 /**
260 * IKE_SA rekeying in progress
261 */
262 IKE_REKEYING,
263
264 /**
265 * IKE_SA is in progress of deletion
266 */
267 IKE_DELETING,
268
269 /**
270 * IKE_SA object gets destroyed
271 */
272 IKE_DESTROYING,
273 };
274
275 /**
276 * enum names for ike_sa_state_t.
277 */
278 extern enum_name_t *ike_sa_state_names;
279
280 /**
281 * Class ike_sa_t representing an IKE_SA.
282 *
283 * An IKE_SA contains crypto information related to a connection
284 * with a peer. It contains multiple IPsec CHILD_SA, for which
285 * it is responsible. All traffic is handled by an IKE_SA, using
286 * the task manager and its tasks.
287 */
288 struct ike_sa_t {
289
290 /**
291 * Get the id of the SA.
292 *
293 * Returned ike_sa_id_t object is not getting cloned!
294 *
295 * @return ike_sa's ike_sa_id_t
296 */
297 ike_sa_id_t* (*get_id) (ike_sa_t *this);
298
299 /**
300 * Gets the IKE version of the SA
301 */
302 ike_version_t (*get_version)(ike_sa_t *this);
303
304 /**
305 * Get the numerical ID uniquely defining this IKE_SA.
306 *
307 * @return unique ID
308 */
309 u_int32_t (*get_unique_id) (ike_sa_t *this);
310
311 /**
312 * Get the state of the IKE_SA.
313 *
314 * @return state of the IKE_SA
315 */
316 ike_sa_state_t (*get_state) (ike_sa_t *this);
317
318 /**
319 * Set the state of the IKE_SA.
320 *
321 * @param state state to set for the IKE_SA
322 */
323 void (*set_state) (ike_sa_t *this, ike_sa_state_t state);
324
325 /**
326 * Get the name of the connection this IKE_SA uses.
327 *
328 * @return name
329 */
330 char* (*get_name) (ike_sa_t *this);
331
332 /**
333 * Get statistic values from the IKE_SA.
334 *
335 * @param kind kind of requested value
336 * @return value as integer
337 */
338 u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
339
340 /**
341 * Set statistic value of the IKE_SA.
342 *
343 * @param kind kind of value to update
344 * @param value value as integer
345 */
346 void (*set_statistic)(ike_sa_t *this, statistic_t kind, u_int32_t value);
347
348 /**
349 * Get the own host address.
350 *
351 * @return host address
352 */
353 host_t* (*get_my_host) (ike_sa_t *this);
354
355 /**
356 * Set the own host address.
357 *
358 * @param me host address
359 */
360 void (*set_my_host) (ike_sa_t *this, host_t *me);
361
362 /**
363 * Get the other peers host address.
364 *
365 * @return host address
366 */
367 host_t* (*get_other_host) (ike_sa_t *this);
368
369 /**
370 * Set the others host address.
371 *
372 * @param other host address
373 */
374 void (*set_other_host) (ike_sa_t *this, host_t *other);
375
376 /**
377 * Float to port 4500 (e.g. if a NAT is detected).
378 *
379 * The port of either endpoint is changed only if it is currently
380 * set to the default value of 500.
381 */
382 void (*float_ports)(ike_sa_t *this);
383
384 /**
385 * Update the IKE_SAs host.
386 *
387 * Hosts may be NULL to use current host.
388 *
389 * @param me new local host address, or NULL
390 * @param other new remote host address, or NULL
391 * @param force force update
392 */
393 void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force);
394
395 /**
396 * Get the own identification.
397 *
398 * @return identification
399 */
400 identification_t* (*get_my_id) (ike_sa_t *this);
401
402 /**
403 * Set the own identification.
404 *
405 * @param me identification
406 */
407 void (*set_my_id) (ike_sa_t *this, identification_t *me);
408
409 /**
410 * Get the other peer's identification.
411 *
412 * @return identification
413 */
414 identification_t* (*get_other_id) (ike_sa_t *this);
415
416 /**
417 * Get the others peer identity, but prefer an EAP-Identity.
418 *
419 * @return EAP or IKEv2 identity
420 */
421 identification_t* (*get_other_eap_id)(ike_sa_t *this);
422
423 /**
424 * Set the other peer's identification.
425 *
426 * @param other identification
427 */
428 void (*set_other_id) (ike_sa_t *this, identification_t *other);
429
430 /**
431 * Get the config used to setup this IKE_SA.
432 *
433 * @return ike_config
434 */
435 ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
436
437 /**
438 * Set the config to setup this IKE_SA.
439 *
440 * @param config ike_config to use
441 */
442 void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
443
444 /**
445 * Get the peer config used by this IKE_SA.
446 *
447 * @return peer_config
448 */
449 peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
450
451 /**
452 * Set the peer config to use with this IKE_SA.
453 *
454 * @param config peer_config to use
455 */
456 void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
457
458 /**
459 * Get the authentication config with rules of the current auth round.
460 *
461 * @param local TRUE for local rules, FALSE for remote constraints
462 * @return current cfg
463 */
464 auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
465
466 /**
467 * Insert a completed authentication round.
468 *
469 * @param local TRUE for own rules, FALSE for others constraints
470 * @param cfg auth config to append
471 */
472 void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);
473
474 /**
475 * Create an enumerator over added authentication rounds.
476 *
477 * @param local TRUE for own rules, FALSE for others constraints
478 * @return enumerator over auth_cfg_t
479 */
480 enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
481
482 /**
483 * Get the selected proposal of this IKE_SA.
484 *
485 * @return selected proposal
486 */
487 proposal_t* (*get_proposal)(ike_sa_t *this);
488
489 /**
490 * Set the proposal selected for this IKE_SA.
491 *
492 * @param selected proposal
493 */
494 void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
495
496 /**
497 * Set the message id of the IKE_SA.
498 *
499 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
500 * and one to respond to exchanges (expect).
501 *
502 * @param initiate TRUE to set message ID for initiating
503 * @param mid message id to set
504 */
505 void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);
506
507 /**
508 * Add an additional address for the peer.
509 *
510 * In MOBIKE, a peer may transmit additional addresses where it is
511 * reachable. These are stored in the IKE_SA.
512 * The own list of addresses is not stored, they are queried from
513 * the kernel when required.
514 *
515 * @param host host to add to list
516 */
517 void (*add_peer_address)(ike_sa_t *this, host_t *host);
518
519 /**
520 * Create an enumerator over all known addresses of the peer.
521 *
522 * @return enumerator over addresses
523 */
524 enumerator_t* (*create_peer_address_enumerator)(ike_sa_t *this);
525
526 /**
527 * Remove all known addresses of the peer.
528 */
529 void (*clear_peer_addresses)(ike_sa_t *this);
530
531 /**
532 * Check if mappings have changed on a NAT for our source address.
533 *
534 * @param hash received DESTINATION_IP hash
535 * @return TRUE if mappings have changed
536 */
537 bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
538
539 /**
540 * Enable an extension the peer supports.
541 *
542 * If support for an IKE extension is detected, this method is called
543 * to enable that extension and behave accordingly.
544 *
545 * @param extension extension to enable
546 */
547 void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
548
549 /**
550 * Check if the peer supports an extension.
551 *
552 * @param extension extension to check for support
553 * @return TRUE if peer supports it, FALSE otherwise
554 */
555 bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
556
557 /**
558 * Enable/disable a condition flag for this IKE_SA.
559 *
560 * @param condition condition to enable/disable
561 * @param enable TRUE to enable condition, FALSE to disable
562 */
563 void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
564
565 /**
566 * Check if a condition flag is set.
567 *
568 * @param condition condition to check
569 * @return TRUE if condition flag set, FALSE otherwise
570 */
571 bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
572
573 /**
574 * Get the number of queued MOBIKE address updates.
575 *
576 * @return number of pending updates
577 */
578 u_int32_t (*get_pending_updates)(ike_sa_t *this);
579
580 /**
581 * Set the number of queued MOBIKE address updates.
582 *
583 * @param updates number of pending updates
584 */
585 void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);
586
587 #ifdef ME
588 /**
589 * Activate mediation server functionality for this IKE_SA.
590 */
591 void (*act_as_mediation_server) (ike_sa_t *this);
592
593 /**
594 * Get the server reflexive host.
595 *
596 * @return server reflexive host
597 */
598 host_t* (*get_server_reflexive_host) (ike_sa_t *this);
599
600 /**
601 * Set the server reflexive host.
602 *
603 * @param host server reflexive host
604 */
605 void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
606
607 /**
608 * Get the connect ID.
609 *
610 * @return connect ID
611 */
612 chunk_t (*get_connect_id) (ike_sa_t *this);
613
614 /**
615 * Initiate the mediation of a mediated connection (i.e. initiate a
616 * ME_CONNECT exchange to a mediation server).
617 *
618 * @param mediated_cfg peer_cfg of the mediated connection
619 * @return
620 * - SUCCESS if initialization started
621 * - DESTROY_ME if initialization failed
622 */
623 status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
624
625 /**
626 * Initiate the mediated connection
627 *
628 * @param me local endpoint (gets cloned)
629 * @param other remote endpoint (gets cloned)
630 * @param connect_id connect ID (gets cloned)
631 * @return
632 * - SUCCESS if initialization started
633 * - DESTROY_ME if initialization failed
634 */
635 status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
636 chunk_t connect_id);
637
638 /**
639 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
640 * to a peer).
641 *
642 * Data is cloned.
643 *
644 * @param requester ID of the requesting peer
645 * @param connect_id data of the ME_CONNECTID payload
646 * @param connect_key data of the ME_CONNECTKEY payload
647 * @param endpoints endpoints
648 * @param response TRUE if this is a response
649 * @return
650 * - SUCCESS if relay started
651 * - DESTROY_ME if relay failed
652 */
653 status_t (*relay) (ike_sa_t *this, identification_t *requester,
654 chunk_t connect_id, chunk_t connect_key,
655 linked_list_t *endpoints, bool response);
656
657 /**
658 * Send a callback to a peer.
659 *
660 * Data is cloned.
661 *
662 * @param peer_id ID of the other peer
663 * @return
664 * - SUCCESS if response started
665 * - DESTROY_ME if response failed
666 */
667 status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
668
669 /**
670 * Respond to a ME_CONNECT request.
671 *
672 * Data is cloned.
673 *
674 * @param peer_id ID of the other peer
675 * @param connect_id the connect ID supplied by the initiator
676 * @return
677 * - SUCCESS if response started
678 * - DESTROY_ME if response failed
679 */
680 status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
681 chunk_t connect_id);
682 #endif /* ME */
683
684 /**
685 * Initiate a new connection.
686 *
687 * The configs are owned by the IKE_SA after the call. If the initiate
688 * is triggered by a packet, traffic selectors of the packet can be added
689 * to the CHILD_SA.
690 *
691 * @param child_cfg child config to create CHILD from
692 * @param reqid reqid to use for CHILD_SA, 0 assigne uniquely
693 * @param tsi source of triggering packet
694 * @param tsr destination of triggering packet.
695 * @return
696 * - SUCCESS if initialization started
697 * - DESTROY_ME if initialization failed
698 */
699 status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
700 u_int32_t reqid, traffic_selector_t *tsi,
701 traffic_selector_t *tsr);
702
703 /**
704 * Retry initiation of this IKE_SA after it got deferred previously.
705 *
706 * @return
707 * - SUCCESS if initiation deferred or started
708 * - DESTROY_ME if initiation failed
709 */
710 status_t (*retry_initiate) (ike_sa_t *this);
711
712 /**
713 * Initiates the deletion of an IKE_SA.
714 *
715 * Sends a delete message to the remote peer and waits for
716 * its response. If the response comes in, or a timeout occurs,
717 * the IKE SA gets deleted.
718 *
719 * @return
720 * - SUCCESS if deletion is initialized
721 * - DESTROY_ME, if the IKE_SA is not in
722 * an established state and can not be
723 * deleted (but destroyed).
724 */
725 status_t (*delete) (ike_sa_t *this);
726
727 /**
728 * Update IKE_SAs after network interfaces have changed.
729 *
730 * Whenever the network interface configuration changes, the kernel
731 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
732 * the new network config requires changes, and handles appropriate.
733 * If MOBIKE is supported, addresses are updated; If not, the tunnel is
734 * restarted.
735 *
736 * @param address TRUE if address list changed, FALSE otherwise
737 * @return SUCCESS, FAILED, DESTROY_ME
738 */
739 status_t (*roam)(ike_sa_t *this, bool address);
740
741 /**
742 * Processes a incoming IKEv2-Message.
743 *
744 * Message processing may fail. If a critical failure occurs,
745 * process_message() return DESTROY_ME. Then the caller must
746 * destroy the IKE_SA immediately, as it is unusable.
747 *
748 * @param message message to process
749 * @return
750 * - SUCCESS
751 * - FAILED
752 * - DESTROY_ME if this IKE_SA MUST be deleted
753 */
754 status_t (*process_message) (ike_sa_t *this, message_t *message);
755
756 /**
757 * Generate a IKE message to send it to the peer.
758 *
759 * This method generates all payloads in the message and encrypts/signs
760 * the packet.
761 *
762 * @param message message to generate
763 * @param packet generated output packet
764 * @return
765 * - SUCCESS
766 * - FAILED
767 * - DESTROY_ME if this IKE_SA MUST be deleted
768 */
769 status_t (*generate_message) (ike_sa_t *this, message_t *message,
770 packet_t **packet);
771
772 /**
773 * Retransmits a request.
774 *
775 * @param message_id ID of the request to retransmit
776 * @return
777 * - SUCCESS
778 * - NOT_FOUND if request doesn't have to be retransmited
779 */
780 status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);
781
782 /**
783 * Sends a DPD request to the peer.
784 *
785 * To check if a peer is still alive, periodic
786 * empty INFORMATIONAL messages are sent if no
787 * other traffic was received.
788 *
789 * @return
790 * - SUCCESS
791 * - DESTROY_ME, if peer did not respond
792 */
793 status_t (*send_dpd) (ike_sa_t *this);
794
795 /**
796 * Sends a keep alive packet.
797 *
798 * To refresh NAT tables in a NAT router
799 * between the peers, periodic empty
800 * UDP packets are sent if no other traffic
801 * was sent.
802 */
803 void (*send_keepalive) (ike_sa_t *this);
804
805 /**
806 * Get the keying material of this IKE_SA.
807 *
808 * @return per IKE_SA keymat instance
809 */
810 keymat_t* (*get_keymat)(ike_sa_t *this);
811
812 /**
813 * Associates a child SA to this IKE SA
814 *
815 * @param child_sa child_sa to add
816 */
817 void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
818
819 /**
820 * Get a CHILD_SA identified by protocol and SPI.
821 *
822 * @param protocol protocol of the SA
823 * @param spi SPI of the CHILD_SA
824 * @param inbound TRUE if SPI is inbound, FALSE if outbound
825 * @return child_sa, or NULL if none found
826 */
827 child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
828 u_int32_t spi, bool inbound);
829
830 /**
831 * Get the number of CHILD_SAs.
832 *
833 * @return number of CHILD_SAs
834 */
835 int (*get_child_count) (ike_sa_t *this);
836
837 /**
838 * Create an enumerator over all CHILD_SAs.
839 *
840 * @return enumerator
841 */
842 enumerator_t* (*create_child_sa_enumerator) (ike_sa_t *this);
843
844 /**
845 * Remove the CHILD_SA the given enumerator points to from this IKE_SA.
846 *
847 * @param enumerator enumerator pointing to CHILD_SA
848 */
849 void (*remove_child_sa) (ike_sa_t *this, enumerator_t *enumerator);
850
851 /**
852 * Rekey the CHILD SA with the specified reqid.
853 *
854 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
855 *
856 * @param protocol protocol of the SA
857 * @param spi inbound SPI of the CHILD_SA
858 * @return
859 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
860 * - SUCCESS, if rekeying initiated
861 */
862 status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
863
864 /**
865 * Close the CHILD SA with the specified protocol/SPI.
866 *
867 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
868 * notify's the remote peer about the delete. The associated
869 * states and policies in the kernel get deleted, if they exist.
870 *
871 * @param protocol protocol of the SA
872 * @param spi inbound SPI of the CHILD_SA
873 * @param expired TRUE if CHILD_SA is expired
874 * @return
875 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
876 * - SUCCESS, if delete message sent
877 */
878 status_t (*delete_child_sa)(ike_sa_t *this, protocol_id_t protocol,
879 u_int32_t spi, bool expired);
880
881 /**
882 * Destroy a CHILD SA with the specified protocol/SPI.
883 *
884 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
885 *
886 * @param protocol protocol of the SA
887 * @param spi inbound SPI of the CHILD_SA
888 * @return
889 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
890 * - SUCCESS
891 */
892 status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
893
894 /**
895 * Rekey the IKE_SA.
896 *
897 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
898 *
899 * @return - SUCCESS, if IKE_SA rekeying initiated
900 */
901 status_t (*rekey) (ike_sa_t *this);
902
903 /**
904 * Reauthenticate the IKE_SA.
905 *
906 * Create a completely new IKE_SA with authentication, recreates all children
907 * within the IKE_SA, closes this IKE_SA.
908 *
909 * @return DESTROY_ME to destroy the IKE_SA
910 */
911 status_t (*reauth) (ike_sa_t *this);
912
913 /**
914 * Restablish the IKE_SA.
915 *
916 * Reestablish an IKE_SA after it has been closed.
917 *
918 * @return DESTROY_ME to destroy the IKE_SA
919 */
920 status_t (*reestablish) (ike_sa_t *this);
921
922 /**
923 * Set the lifetime limit received/to send in a AUTH_LIFETIME notify.
924 *
925 * If the IKE_SA is already ESTABLISHED, an INFORMATIONAL is sent with
926 * an AUTH_LIFETIME notify. The call never fails on unestablished SAs.
927 *
928 * @param lifetime lifetime in seconds
929 * @return DESTROY_ME to destroy the IKE_SA
930 */
931 status_t (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);
932
933 /**
934 * Add a virtual IP to use for this IKE_SA and its children.
935 *
936 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
937 * lifetime as the IKE_SA.
938 *
939 * @param local TRUE to set local address, FALSE for remote
940 * @param ip IP to set as virtual IP
941 */
942 void (*add_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
943
944 /**
945 * Create an enumerator over virtual IPs.
946 *
947 * @param local TRUE to get local virtual IP, FALSE for remote
948 * @return enumerator over host_t*
949 */
950 enumerator_t* (*create_virtual_ip_enumerator) (ike_sa_t *this, bool local);
951
952 /**
953 * Register a configuration attribute to the IKE_SA.
954 *
955 * If an IRAS sends a configuration attribute it is installed and
956 * registered at the IKE_SA. Attributes are inherit()ed and get released
957 * when the IKE_SA is closed.
958 *
959 * @param handler handler installed the attribute, use for release()
960 * @param type configuration attribute type
961 * @param data associated attribute data
962 */
963 void (*add_configuration_attribute)(ike_sa_t *this,
964 attribute_handler_t *handler,
965 configuration_attribute_type_t type, chunk_t data);
966
967 /**
968 * Set local and remote host addresses to be used for IKE.
969 *
970 * These addresses are communicated via the KMADDRESS field of a MIGRATE
971 * message sent via the NETLINK or PF _KEY kernel socket interface.
972 *
973 * @param local local kmaddress
974 * @param remote remote kmaddress
975 */
976 void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
977
978 /**
979 * Create enumerator over a task queue of this IKE_SA.
980 *
981 * @param queue type to enumerate
982 * @return enumerator over task_t
983 */
984 enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
985
986 /**
987 * Flush a task queue, cancelling all tasks in it.
988 *
989 * @param queue queue type to flush
990 */
991 void (*flush_queue)(ike_sa_t *this, task_queue_t queue);
992
993 /**
994 * Queue a task for initiaton to the task manager.
995 *
996 * @param task task to queue
997 */
998 void (*queue_task)(ike_sa_t *this, task_t *task);
999
1000 /**
1001 * Inherit all attributes of other to this after rekeying.
1002 *
1003 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
1004 * outstanding tasks are moved from other to this.
1005 * As this call may initiate inherited tasks, a status is returned.
1006 *
1007 * @param other other task to inherit from
1008 */
1009 void (*inherit) (ike_sa_t *this, ike_sa_t *other);
1010
1011 /**
1012 * Reset the IKE_SA, useable when initiating fails
1013 */
1014 void (*reset) (ike_sa_t *this);
1015
1016 /**
1017 * Destroys a ike_sa_t object.
1018 */
1019 void (*destroy) (ike_sa_t *this);
1020 };
1021
1022 /**
1023 * Creates an ike_sa_t object with a specific ID and IKE version.
1024 *
1025 * @param ike_sa_id ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
1026 * @param initiator TRUE to create this IKE_SA as initiator
1027 * @param version IKE version of this SA
1028 * @return ike_sa_t object
1029 */
1030 ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
1031 ike_version_t version);
1032
1033 #endif /** IKE_SA_H_ @}*/