e5035645178b4fcce45aec95acb6f0f324555eb4
[strongswan.git] / src / libcharon / sa / ike_sa.h
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup ike_sa ike_sa
21 * @{ @ingroup sa
22 */
23
24 #ifndef IKE_SA_H_
25 #define IKE_SA_H_
26
27 typedef enum ike_extension_t ike_extension_t;
28 typedef enum ike_condition_t ike_condition_t;
29 typedef enum ike_sa_state_t ike_sa_state_t;
30 typedef enum statistic_t statistic_t;
31 typedef struct ike_sa_t ike_sa_t;
32
33 #include <library.h>
34 #include <attributes/attribute_handler.h>
35 #include <encoding/message.h>
36 #include <encoding/payloads/proposal_substructure.h>
37 #include <encoding/payloads/configuration_attribute.h>
38 #include <sa/ike_sa_id.h>
39 #include <sa/child_sa.h>
40 #include <sa/task.h>
41 #include <sa/task_manager.h>
42 #include <sa/keymat.h>
43 #include <config/peer_cfg.h>
44 #include <config/ike_cfg.h>
45 #include <credentials/auth_cfg.h>
46
47 /**
48 * Timeout in seconds after that a half open IKE_SA gets deleted.
49 */
50 #define HALF_OPEN_IKE_SA_TIMEOUT 30
51
52 /**
53 * Interval to send keepalives when NATed, in seconds.
54 */
55 #define KEEPALIVE_INTERVAL 20
56
57 /**
58 * After which time rekeying should be retried if it failed, in seconds.
59 */
60 #define RETRY_INTERVAL 30
61
62 /**
63 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
64 */
65 #define RETRY_JITTER 20
66
67 /**
68 * Extensions (or optional features) the peer supports
69 */
70 enum ike_extension_t {
71
72 /**
73 * peer supports NAT traversal as specified in RFC4306 or RFC3947
74 */
75 EXT_NATT = (1<<0),
76
77 /**
78 * peer supports MOBIKE (RFC4555)
79 */
80 EXT_MOBIKE = (1<<1),
81
82 /**
83 * peer supports HTTP cert lookups as specified in RFC4306
84 */
85 EXT_HASH_AND_URL = (1<<2),
86
87 /**
88 * peer supports multiple authentication exchanges, RFC4739
89 */
90 EXT_MULTIPLE_AUTH = (1<<3),
91
92 /**
93 * peer uses strongSwan, accept private use extensions
94 */
95 EXT_STRONGSWAN = (1<<4),
96
97 /**
98 * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
99 */
100 EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
101
102 /**
103 * peer is probably a Windows 7 RAS client
104 */
105 EXT_MS_WINDOWS = (1<<6),
106
107 /**
108 * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
109 */
110 EXT_XAUTH = (1<<7),
111 };
112
113 /**
114 * Conditions of an IKE_SA, change during its lifetime
115 */
116 enum ike_condition_t {
117
118 /**
119 * Connection is natted (or faked) somewhere
120 */
121 COND_NAT_ANY = (1<<0),
122
123 /**
124 * we are behind NAT
125 */
126 COND_NAT_HERE = (1<<1),
127
128 /**
129 * other is behind NAT
130 */
131 COND_NAT_THERE = (1<<2),
132
133 /**
134 * Faking NAT to enforce UDP encapsulation
135 */
136 COND_NAT_FAKE = (1<<3),
137
138 /**
139 * peer has been authenticated using EAP at least once
140 */
141 COND_EAP_AUTHENTICATED = (1<<4),
142
143 /**
144 * received a certificate request from the peer
145 */
146 COND_CERTREQ_SEEN = (1<<5),
147
148 /**
149 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
150 */
151 COND_ORIGINAL_INITIATOR = (1<<6),
152
153 /**
154 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
155 */
156 COND_STALE = (1<<7),
157
158 /**
159 * Initial contact received
160 */
161 COND_INIT_CONTACT_SEEN = (1<<8),
162 };
163
164 /**
165 * Timing information and statistics to query from an SA
166 */
167 enum statistic_t {
168 /** Timestamp of SA establishement */
169 STAT_ESTABLISHED = 0,
170 /** Timestamp of scheudled rekeying */
171 STAT_REKEY,
172 /** Timestamp of scheudled reauthentication */
173 STAT_REAUTH,
174 /** Timestamp of scheudled delete */
175 STAT_DELETE,
176 /** Timestamp of last inbound IKE packet */
177 STAT_INBOUND,
178 /** Timestamp of last outbound IKE packet */
179 STAT_OUTBOUND,
180
181 STAT_MAX
182 };
183
184 /**
185 * State of an IKE_SA.
186 *
187 * An IKE_SA passes various states in its lifetime. A newly created
188 * SA is in the state CREATED.
189 * @verbatim
190 +----------------+
191 ¦ SA_CREATED ¦
192 +----------------+
193 ¦
194 on initiate()---> ¦ <----- on IKE_SA_INIT received
195 V
196 +----------------+
197 ¦ SA_CONNECTING ¦
198 +----------------+
199 ¦
200 ¦ <----- on IKE_AUTH successfully completed
201 V
202 +----------------+
203 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
204 +----------------+ ¦
205 ¦ V
206 on delete()---> ¦ <----- on IKE_SA +-------------+
207 ¦ delete request ¦ SA_REKEYING ¦
208 ¦ received +-------------+
209 V ¦
210 +----------------+ ¦
211 ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
212 +----------------+
213 ¦
214 ¦ <----- after delete() acknowledged
215 ¦
216 \V/
217 X
218 / \
219 @endverbatim
220 */
221 enum ike_sa_state_t {
222
223 /**
224 * IKE_SA just got created, but is not initiating nor responding yet.
225 */
226 IKE_CREATED,
227
228 /**
229 * IKE_SA gets initiated actively or passively
230 */
231 IKE_CONNECTING,
232
233 /**
234 * IKE_SA is fully established
235 */
236 IKE_ESTABLISHED,
237
238 /**
239 * IKE_SA is managed externally and does not process messages
240 */
241 IKE_PASSIVE,
242
243 /**
244 * IKE_SA rekeying in progress
245 */
246 IKE_REKEYING,
247
248 /**
249 * IKE_SA is in progress of deletion
250 */
251 IKE_DELETING,
252
253 /**
254 * IKE_SA object gets destroyed
255 */
256 IKE_DESTROYING,
257 };
258
259 /**
260 * enum names for ike_sa_state_t.
261 */
262 extern enum_name_t *ike_sa_state_names;
263
264 /**
265 * Class ike_sa_t representing an IKE_SA.
266 *
267 * An IKE_SA contains crypto information related to a connection
268 * with a peer. It contains multiple IPsec CHILD_SA, for which
269 * it is responsible. All traffic is handled by an IKE_SA, using
270 * the task manager and its tasks.
271 */
272 struct ike_sa_t {
273
274 /**
275 * Get the id of the SA.
276 *
277 * Returned ike_sa_id_t object is not getting cloned!
278 *
279 * @return ike_sa's ike_sa_id_t
280 */
281 ike_sa_id_t* (*get_id) (ike_sa_t *this);
282
283 /**
284 * Gets the IKE version of the SA
285 */
286 ike_version_t (*get_version)(ike_sa_t *this);
287
288 /**
289 * Get the numerical ID uniquely defining this IKE_SA.
290 *
291 * @return unique ID
292 */
293 u_int32_t (*get_unique_id) (ike_sa_t *this);
294
295 /**
296 * Get the state of the IKE_SA.
297 *
298 * @return state of the IKE_SA
299 */
300 ike_sa_state_t (*get_state) (ike_sa_t *this);
301
302 /**
303 * Set the state of the IKE_SA.
304 *
305 * @param state state to set for the IKE_SA
306 */
307 void (*set_state) (ike_sa_t *this, ike_sa_state_t state);
308
309 /**
310 * Get the name of the connection this IKE_SA uses.
311 *
312 * @return name
313 */
314 char* (*get_name) (ike_sa_t *this);
315
316 /**
317 * Get statistic values from the IKE_SA.
318 *
319 * @param kind kind of requested value
320 * @return value as integer
321 */
322 u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
323
324 /**
325 * Set statistic value of the IKE_SA.
326 *
327 * @param kind kind of value to update
328 * @param value value as integer
329 */
330 void (*set_statistic)(ike_sa_t *this, statistic_t kind, u_int32_t value);
331
332 /**
333 * Get the own host address.
334 *
335 * @return host address
336 */
337 host_t* (*get_my_host) (ike_sa_t *this);
338
339 /**
340 * Set the own host address.
341 *
342 * @param me host address
343 */
344 void (*set_my_host) (ike_sa_t *this, host_t *me);
345
346 /**
347 * Get the other peers host address.
348 *
349 * @return host address
350 */
351 host_t* (*get_other_host) (ike_sa_t *this);
352
353 /**
354 * Set the others host address.
355 *
356 * @param other host address
357 */
358 void (*set_other_host) (ike_sa_t *this, host_t *other);
359
360 /**
361 * Float to port 4500 (e.g. if a NAT is detected).
362 *
363 * The port of either endpoint is changed only if it is currently
364 * set to the default value of 500.
365 */
366 void (*float_ports)(ike_sa_t *this);
367
368 /**
369 * Update the IKE_SAs host.
370 *
371 * Hosts may be NULL to use current host.
372 *
373 * @param me new local host address, or NULL
374 * @param other new remote host address, or NULL
375 * @param force force update
376 */
377 void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force);
378
379 /**
380 * Get the own identification.
381 *
382 * @return identification
383 */
384 identification_t* (*get_my_id) (ike_sa_t *this);
385
386 /**
387 * Set the own identification.
388 *
389 * @param me identification
390 */
391 void (*set_my_id) (ike_sa_t *this, identification_t *me);
392
393 /**
394 * Get the other peer's identification.
395 *
396 * @return identification
397 */
398 identification_t* (*get_other_id) (ike_sa_t *this);
399
400 /**
401 * Get the others peer identity, but prefer an EAP-Identity.
402 *
403 * @return EAP or IKEv2 identity
404 */
405 identification_t* (*get_other_eap_id)(ike_sa_t *this);
406
407 /**
408 * Set the other peer's identification.
409 *
410 * @param other identification
411 */
412 void (*set_other_id) (ike_sa_t *this, identification_t *other);
413
414 /**
415 * Get the config used to setup this IKE_SA.
416 *
417 * @return ike_config
418 */
419 ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
420
421 /**
422 * Set the config to setup this IKE_SA.
423 *
424 * @param config ike_config to use
425 */
426 void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
427
428 /**
429 * Get the peer config used by this IKE_SA.
430 *
431 * @return peer_config
432 */
433 peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
434
435 /**
436 * Set the peer config to use with this IKE_SA.
437 *
438 * @param config peer_config to use
439 */
440 void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
441
442 /**
443 * Get the authentication config with rules of the current auth round.
444 *
445 * @param local TRUE for local rules, FALSE for remote constraints
446 * @return current cfg
447 */
448 auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
449
450 /**
451 * Insert a completed authentication round.
452 *
453 * @param local TRUE for own rules, FALSE for others constraints
454 * @param cfg auth config to append
455 */
456 void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);
457
458 /**
459 * Create an enumerator over added authentication rounds.
460 *
461 * @param local TRUE for own rules, FALSE for others constraints
462 * @return enumerator over auth_cfg_t
463 */
464 enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
465
466 /**
467 * Get the selected proposal of this IKE_SA.
468 *
469 * @return selected proposal
470 */
471 proposal_t* (*get_proposal)(ike_sa_t *this);
472
473 /**
474 * Set the proposal selected for this IKE_SA.
475 *
476 * @param selected proposal
477 */
478 void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
479
480 /**
481 * Set the message id of the IKE_SA.
482 *
483 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
484 * and one to respond to exchanges (expect).
485 *
486 * @param initiate TRUE to set message ID for initiating
487 * @param mid message id to set
488 */
489 void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);
490
491 /**
492 * Add an additional address for the peer.
493 *
494 * In MOBIKE, a peer may transmit additional addresses where it is
495 * reachable. These are stored in the IKE_SA.
496 * The own list of addresses is not stored, they are queried from
497 * the kernel when required.
498 *
499 * @param host host to add to list
500 */
501 void (*add_additional_address)(ike_sa_t *this, host_t *host);
502
503 /**
504 * Create an enumerator over all additional addresses of the peer.
505 *
506 * @return enumerator over addresses
507 */
508 enumerator_t* (*create_additional_address_enumerator)(ike_sa_t *this);
509
510 /**
511 * Remove all additional addresses of the peer.
512 */
513 void (*remove_additional_addresses)(ike_sa_t *this);
514
515 /**
516 * Check if mappings have changed on a NAT for our source address.
517 *
518 * @param hash received DESTINATION_IP hash
519 * @return TRUE if mappings have changed
520 */
521 bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
522
523 /**
524 * Enable an extension the peer supports.
525 *
526 * If support for an IKE extension is detected, this method is called
527 * to enable that extension and behave accordingly.
528 *
529 * @param extension extension to enable
530 */
531 void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
532
533 /**
534 * Check if the peer supports an extension.
535 *
536 * @param extension extension to check for support
537 * @return TRUE if peer supports it, FALSE otherwise
538 */
539 bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
540
541 /**
542 * Enable/disable a condition flag for this IKE_SA.
543 *
544 * @param condition condition to enable/disable
545 * @param enable TRUE to enable condition, FALSE to disable
546 */
547 void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
548
549 /**
550 * Check if a condition flag is set.
551 *
552 * @param condition condition to check
553 * @return TRUE if condition flag set, FALSE otherwise
554 */
555 bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
556
557 /**
558 * Get the number of queued MOBIKE address updates.
559 *
560 * @return number of pending updates
561 */
562 u_int32_t (*get_pending_updates)(ike_sa_t *this);
563
564 /**
565 * Set the number of queued MOBIKE address updates.
566 *
567 * @param updates number of pending updates
568 */
569 void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);
570
571 #ifdef ME
572 /**
573 * Activate mediation server functionality for this IKE_SA.
574 */
575 void (*act_as_mediation_server) (ike_sa_t *this);
576
577 /**
578 * Get the server reflexive host.
579 *
580 * @return server reflexive host
581 */
582 host_t* (*get_server_reflexive_host) (ike_sa_t *this);
583
584 /**
585 * Set the server reflexive host.
586 *
587 * @param host server reflexive host
588 */
589 void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
590
591 /**
592 * Get the connect ID.
593 *
594 * @return connect ID
595 */
596 chunk_t (*get_connect_id) (ike_sa_t *this);
597
598 /**
599 * Initiate the mediation of a mediated connection (i.e. initiate a
600 * ME_CONNECT exchange to a mediation server).
601 *
602 * @param mediated_cfg peer_cfg of the mediated connection
603 * @return
604 * - SUCCESS if initialization started
605 * - DESTROY_ME if initialization failed
606 */
607 status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
608
609 /**
610 * Initiate the mediated connection
611 *
612 * @param me local endpoint (gets cloned)
613 * @param other remote endpoint (gets cloned)
614 * @param connect_id connect ID (gets cloned)
615 * @return
616 * - SUCCESS if initialization started
617 * - DESTROY_ME if initialization failed
618 */
619 status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
620 chunk_t connect_id);
621
622 /**
623 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
624 * to a peer).
625 *
626 * Data is cloned.
627 *
628 * @param requester ID of the requesting peer
629 * @param connect_id data of the ME_CONNECTID payload
630 * @param connect_key data of the ME_CONNECTKEY payload
631 * @param endpoints endpoints
632 * @param response TRUE if this is a response
633 * @return
634 * - SUCCESS if relay started
635 * - DESTROY_ME if relay failed
636 */
637 status_t (*relay) (ike_sa_t *this, identification_t *requester,
638 chunk_t connect_id, chunk_t connect_key,
639 linked_list_t *endpoints, bool response);
640
641 /**
642 * Send a callback to a peer.
643 *
644 * Data is cloned.
645 *
646 * @param peer_id ID of the other peer
647 * @return
648 * - SUCCESS if response started
649 * - DESTROY_ME if response failed
650 */
651 status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
652
653 /**
654 * Respond to a ME_CONNECT request.
655 *
656 * Data is cloned.
657 *
658 * @param peer_id ID of the other peer
659 * @param connect_id the connect ID supplied by the initiator
660 * @return
661 * - SUCCESS if response started
662 * - DESTROY_ME if response failed
663 */
664 status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
665 chunk_t connect_id);
666 #endif /* ME */
667
668 /**
669 * Initiate a new connection.
670 *
671 * The configs are owned by the IKE_SA after the call. If the initiate
672 * is triggered by a packet, traffic selectors of the packet can be added
673 * to the CHILD_SA.
674 *
675 * @param child_cfg child config to create CHILD from
676 * @param reqid reqid to use for CHILD_SA, 0 assigne uniquely
677 * @param tsi source of triggering packet
678 * @param tsr destination of triggering packet.
679 * @return
680 * - SUCCESS if initialization started
681 * - DESTROY_ME if initialization failed
682 */
683 status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
684 u_int32_t reqid, traffic_selector_t *tsi,
685 traffic_selector_t *tsr);
686
687 /**
688 * Initiates the deletion of an IKE_SA.
689 *
690 * Sends a delete message to the remote peer and waits for
691 * its response. If the response comes in, or a timeout occurs,
692 * the IKE SA gets deleted.
693 *
694 * @return
695 * - SUCCESS if deletion is initialized
696 * - DESTROY_ME, if the IKE_SA is not in
697 * an established state and can not be
698 * deleted (but destroyed).
699 */
700 status_t (*delete) (ike_sa_t *this);
701
702 /**
703 * Update IKE_SAs after network interfaces have changed.
704 *
705 * Whenever the network interface configuration changes, the kernel
706 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
707 * the new network config requires changes, and handles appropriate.
708 * If MOBIKE is supported, addresses are updated; If not, the tunnel is
709 * restarted.
710 *
711 * @param address TRUE if address list changed, FALSE otherwise
712 * @return SUCCESS, FAILED, DESTROY_ME
713 */
714 status_t (*roam)(ike_sa_t *this, bool address);
715
716 /**
717 * Processes a incoming IKEv2-Message.
718 *
719 * Message processing may fail. If a critical failure occurs,
720 * process_message() return DESTROY_ME. Then the caller must
721 * destroy the IKE_SA immediately, as it is unusable.
722 *
723 * @param message message to process
724 * @return
725 * - SUCCESS
726 * - FAILED
727 * - DESTROY_ME if this IKE_SA MUST be deleted
728 */
729 status_t (*process_message) (ike_sa_t *this, message_t *message);
730
731 /**
732 * Generate a IKE message to send it to the peer.
733 *
734 * This method generates all payloads in the message and encrypts/signs
735 * the packet.
736 *
737 * @param message message to generate
738 * @param packet generated output packet
739 * @return
740 * - SUCCESS
741 * - FAILED
742 * - DESTROY_ME if this IKE_SA MUST be deleted
743 */
744 status_t (*generate_message) (ike_sa_t *this, message_t *message,
745 packet_t **packet);
746
747 /**
748 * Retransmits a request.
749 *
750 * @param message_id ID of the request to retransmit
751 * @return
752 * - SUCCESS
753 * - NOT_FOUND if request doesn't have to be retransmited
754 */
755 status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);
756
757 /**
758 * Sends a DPD request to the peer.
759 *
760 * To check if a peer is still alive, periodic
761 * empty INFORMATIONAL messages are sent if no
762 * other traffic was received.
763 *
764 * @return
765 * - SUCCESS
766 * - DESTROY_ME, if peer did not respond
767 */
768 status_t (*send_dpd) (ike_sa_t *this);
769
770 /**
771 * Sends a keep alive packet.
772 *
773 * To refresh NAT tables in a NAT router
774 * between the peers, periodic empty
775 * UDP packets are sent if no other traffic
776 * was sent.
777 */
778 void (*send_keepalive) (ike_sa_t *this);
779
780 /**
781 * Get the keying material of this IKE_SA.
782 *
783 * @return per IKE_SA keymat instance
784 */
785 keymat_t* (*get_keymat)(ike_sa_t *this);
786
787 /**
788 * Associates a child SA to this IKE SA
789 *
790 * @param child_sa child_sa to add
791 */
792 void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
793
794 /**
795 * Get a CHILD_SA identified by protocol and SPI.
796 *
797 * @param protocol protocol of the SA
798 * @param spi SPI of the CHILD_SA
799 * @param inbound TRUE if SPI is inbound, FALSE if outbound
800 * @return child_sa, or NULL if none found
801 */
802 child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
803 u_int32_t spi, bool inbound);
804
805 /**
806 * Get the number of CHILD_SAs.
807 *
808 * @return number of CHILD_SAs
809 */
810 int (*get_child_count) (ike_sa_t *this);
811
812 /**
813 * Create an enumerator over all CHILD_SAs.
814 *
815 * @return enumerator
816 */
817 enumerator_t* (*create_child_sa_enumerator) (ike_sa_t *this);
818
819 /**
820 * Remove the CHILD_SA the given enumerator points to from this IKE_SA.
821 *
822 * @param enumerator enumerator pointing to CHILD_SA
823 */
824 void (*remove_child_sa) (ike_sa_t *this, enumerator_t *enumerator);
825
826 /**
827 * Rekey the CHILD SA with the specified reqid.
828 *
829 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
830 *
831 * @param protocol protocol of the SA
832 * @param spi inbound SPI of the CHILD_SA
833 * @return
834 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
835 * - SUCCESS, if rekeying initiated
836 */
837 status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
838
839 /**
840 * Close the CHILD SA with the specified protocol/SPI.
841 *
842 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
843 * notify's the remote peer about the delete. The associated
844 * states and policies in the kernel get deleted, if they exist.
845 *
846 * @param protocol protocol of the SA
847 * @param spi inbound SPI of the CHILD_SA
848 * @return
849 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
850 * - SUCCESS, if delete message sent
851 */
852 status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
853
854 /**
855 * Destroy a CHILD SA with the specified protocol/SPI.
856 *
857 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
858 *
859 * @param protocol protocol of the SA
860 * @param spi inbound SPI of the CHILD_SA
861 * @return
862 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
863 * - SUCCESS
864 */
865 status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
866
867 /**
868 * Rekey the IKE_SA.
869 *
870 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
871 *
872 * @return - SUCCESS, if IKE_SA rekeying initiated
873 */
874 status_t (*rekey) (ike_sa_t *this);
875
876 /**
877 * Reauthenticate the IKE_SA.
878 *
879 * Create a completely new IKE_SA with authentication, recreates all children
880 * within the IKE_SA, closes this IKE_SA.
881 *
882 * @return DESTROY_ME to destroy the IKE_SA
883 */
884 status_t (*reauth) (ike_sa_t *this);
885
886 /**
887 * Restablish the IKE_SA.
888 *
889 * Reestablish an IKE_SA after it has been closed.
890 *
891 * @return DESTROY_ME to destroy the IKE_SA
892 */
893 status_t (*reestablish) (ike_sa_t *this);
894
895 /**
896 * Set the lifetime limit received from a AUTH_LIFETIME notify.
897 *
898 * @param lifetime lifetime in seconds
899 */
900 void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);
901
902 /**
903 * Set the virtual IP to use for this IKE_SA and its children.
904 *
905 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
906 * lifetime as the IKE_SA.
907 *
908 * @param local TRUE to set local address, FALSE for remote
909 * @param ip IP to set as virtual IP
910 */
911 void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
912
913 /**
914 * Get the virtual IP configured.
915 *
916 * @param local TRUE to get local virtual IP, FALSE for remote
917 * @return host_t *virtual IP
918 */
919 host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
920
921 /**
922 * Register a configuration attribute to the IKE_SA.
923 *
924 * If an IRAS sends a configuration attribute it is installed and
925 * registered at the IKE_SA. Attributes are inherit()ed and get released
926 * when the IKE_SA is closed.
927 *
928 * @param handler handler installed the attribute, use for release()
929 * @param type configuration attribute type
930 * @param data associated attribute data
931 */
932 void (*add_configuration_attribute)(ike_sa_t *this,
933 attribute_handler_t *handler,
934 configuration_attribute_type_t type, chunk_t data);
935
936 /**
937 * Set local and remote host addresses to be used for IKE.
938 *
939 * These addresses are communicated via the KMADDRESS field of a MIGRATE
940 * message sent via the NETLINK or PF _KEY kernel socket interface.
941 *
942 * @param local local kmaddress
943 * @param remote remote kmaddress
944 */
945 void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
946
947 /**
948 * Create enumerator over a task queue of this IKE_SA.
949 *
950 * @param queue type to enumerate
951 * @return enumerator over task_t
952 */
953 enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
954
955 /**
956 * Queue a task for initiaton to the task manager.
957 *
958 * @param task task to queue
959 */
960 void (*queue_task)(ike_sa_t *this, task_t *task);
961
962 /**
963 * Inherit all attributes of other to this after rekeying.
964 *
965 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
966 * outstanding tasks are moved from other to this.
967 * As this call may initiate inherited tasks, a status is returned.
968 *
969 * @param other other task to inherit from
970 */
971 void (*inherit) (ike_sa_t *this, ike_sa_t *other);
972
973 /**
974 * Reset the IKE_SA, useable when initiating fails
975 */
976 void (*reset) (ike_sa_t *this);
977
978 /**
979 * Destroys a ike_sa_t object.
980 */
981 void (*destroy) (ike_sa_t *this);
982 };
983
984 /**
985 * Creates an ike_sa_t object with a specific ID and IKE version.
986 *
987 * @param ike_sa_id ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
988 * @param initiator TRUE to create this IKE_SA as initiator
989 * @param version IKE version of this SA
990 * @return ike_sa_t object
991 */
992 ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
993 ike_version_t version);
994
995 #endif /** IKE_SA_H_ @}*/