support Cisco Unity VID
[strongswan.git] / src / libcharon / sa / ike_sa.h
1 /*
2 * Copyright (C) 2006-2012 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup ike_sa ike_sa
21 * @{ @ingroup sa
22 */
23
24 #ifndef IKE_SA_H_
25 #define IKE_SA_H_
26
27 typedef enum ike_extension_t ike_extension_t;
28 typedef enum ike_condition_t ike_condition_t;
29 typedef enum ike_sa_state_t ike_sa_state_t;
30 typedef enum statistic_t statistic_t;
31 typedef struct ike_sa_t ike_sa_t;
32
33 #include <library.h>
34 #include <attributes/attribute_handler.h>
35 #include <encoding/message.h>
36 #include <encoding/payloads/proposal_substructure.h>
37 #include <encoding/payloads/configuration_attribute.h>
38 #include <sa/ike_sa_id.h>
39 #include <sa/child_sa.h>
40 #include <sa/task.h>
41 #include <sa/task_manager.h>
42 #include <sa/keymat.h>
43 #include <config/peer_cfg.h>
44 #include <config/ike_cfg.h>
45 #include <credentials/auth_cfg.h>
46
47 /**
48 * Timeout in seconds after that a half open IKE_SA gets deleted.
49 */
50 #define HALF_OPEN_IKE_SA_TIMEOUT 30
51
52 /**
53 * Interval to send keepalives when NATed, in seconds.
54 */
55 #define KEEPALIVE_INTERVAL 20
56
57 /**
58 * After which time rekeying should be retried if it failed, in seconds.
59 */
60 #define RETRY_INTERVAL 30
61
62 /**
63 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
64 */
65 #define RETRY_JITTER 20
66
67 /**
68 * Extensions (or optional features) the peer supports
69 */
70 enum ike_extension_t {
71
72 /**
73 * peer supports NAT traversal as specified in RFC4306 or RFC3947
74 */
75 EXT_NATT = (1<<0),
76
77 /**
78 * peer supports MOBIKE (RFC4555)
79 */
80 EXT_MOBIKE = (1<<1),
81
82 /**
83 * peer supports HTTP cert lookups as specified in RFC4306
84 */
85 EXT_HASH_AND_URL = (1<<2),
86
87 /**
88 * peer supports multiple authentication exchanges, RFC4739
89 */
90 EXT_MULTIPLE_AUTH = (1<<3),
91
92 /**
93 * peer uses strongSwan, accept private use extensions
94 */
95 EXT_STRONGSWAN = (1<<4),
96
97 /**
98 * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
99 */
100 EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
101
102 /**
103 * peer is probably a Windows 7 RAS client
104 */
105 EXT_MS_WINDOWS = (1<<6),
106
107 /**
108 * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
109 */
110 EXT_XAUTH = (1<<7),
111
112 /**
113 * peer supports DPD detection, RFC 3706 (or IKEv2)
114 */
115 EXT_DPD = (1<<8),
116
117 /**
118 * peer supports Cisco Unity configuration attributes
119 */
120 EXT_CISCO_UNITY = (1<<9),
121 };
122
123 /**
124 * Conditions of an IKE_SA, change during its lifetime
125 */
126 enum ike_condition_t {
127
128 /**
129 * Connection is natted (or faked) somewhere
130 */
131 COND_NAT_ANY = (1<<0),
132
133 /**
134 * we are behind NAT
135 */
136 COND_NAT_HERE = (1<<1),
137
138 /**
139 * other is behind NAT
140 */
141 COND_NAT_THERE = (1<<2),
142
143 /**
144 * Faking NAT to enforce UDP encapsulation
145 */
146 COND_NAT_FAKE = (1<<3),
147
148 /**
149 * peer has been authenticated using EAP at least once
150 */
151 COND_EAP_AUTHENTICATED = (1<<4),
152
153 /**
154 * received a certificate request from the peer
155 */
156 COND_CERTREQ_SEEN = (1<<5),
157
158 /**
159 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
160 */
161 COND_ORIGINAL_INITIATOR = (1<<6),
162
163 /**
164 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
165 */
166 COND_STALE = (1<<7),
167
168 /**
169 * Initial contact received
170 */
171 COND_INIT_CONTACT_SEEN = (1<<8),
172
173 /**
174 * Peer has been authenticated using XAuth
175 */
176 COND_XAUTH_AUTHENTICATED = (1<<9),
177 };
178
179 /**
180 * Timing information and statistics to query from an SA
181 */
182 enum statistic_t {
183 /** Timestamp of SA establishement */
184 STAT_ESTABLISHED = 0,
185 /** Timestamp of scheudled rekeying */
186 STAT_REKEY,
187 /** Timestamp of scheudled reauthentication */
188 STAT_REAUTH,
189 /** Timestamp of scheudled delete */
190 STAT_DELETE,
191 /** Timestamp of last inbound IKE packet */
192 STAT_INBOUND,
193 /** Timestamp of last outbound IKE packet */
194 STAT_OUTBOUND,
195
196 STAT_MAX
197 };
198
199 /**
200 * State of an IKE_SA.
201 *
202 * An IKE_SA passes various states in its lifetime. A newly created
203 * SA is in the state CREATED.
204 * @verbatim
205 +----------------+
206 ¦ SA_CREATED ¦
207 +----------------+
208 ¦
209 on initiate()---> ¦ <----- on IKE_SA_INIT received
210 V
211 +----------------+
212 ¦ SA_CONNECTING ¦
213 +----------------+
214 ¦
215 ¦ <----- on IKE_AUTH successfully completed
216 V
217 +----------------+
218 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
219 +----------------+ ¦
220 ¦ V
221 on delete()---> ¦ <----- on IKE_SA +-------------+
222 ¦ delete request ¦ SA_REKEYING ¦
223 ¦ received +-------------+
224 V ¦
225 +----------------+ ¦
226 ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
227 +----------------+
228 ¦
229 ¦ <----- after delete() acknowledged
230 ¦
231 \V/
232 X
233 / \
234 @endverbatim
235 */
236 enum ike_sa_state_t {
237
238 /**
239 * IKE_SA just got created, but is not initiating nor responding yet.
240 */
241 IKE_CREATED,
242
243 /**
244 * IKE_SA gets initiated actively or passively
245 */
246 IKE_CONNECTING,
247
248 /**
249 * IKE_SA is fully established
250 */
251 IKE_ESTABLISHED,
252
253 /**
254 * IKE_SA is managed externally and does not process messages
255 */
256 IKE_PASSIVE,
257
258 /**
259 * IKE_SA rekeying in progress
260 */
261 IKE_REKEYING,
262
263 /**
264 * IKE_SA is in progress of deletion
265 */
266 IKE_DELETING,
267
268 /**
269 * IKE_SA object gets destroyed
270 */
271 IKE_DESTROYING,
272 };
273
274 /**
275 * enum names for ike_sa_state_t.
276 */
277 extern enum_name_t *ike_sa_state_names;
278
279 /**
280 * Class ike_sa_t representing an IKE_SA.
281 *
282 * An IKE_SA contains crypto information related to a connection
283 * with a peer. It contains multiple IPsec CHILD_SA, for which
284 * it is responsible. All traffic is handled by an IKE_SA, using
285 * the task manager and its tasks.
286 */
287 struct ike_sa_t {
288
289 /**
290 * Get the id of the SA.
291 *
292 * Returned ike_sa_id_t object is not getting cloned!
293 *
294 * @return ike_sa's ike_sa_id_t
295 */
296 ike_sa_id_t* (*get_id) (ike_sa_t *this);
297
298 /**
299 * Gets the IKE version of the SA
300 */
301 ike_version_t (*get_version)(ike_sa_t *this);
302
303 /**
304 * Get the numerical ID uniquely defining this IKE_SA.
305 *
306 * @return unique ID
307 */
308 u_int32_t (*get_unique_id) (ike_sa_t *this);
309
310 /**
311 * Get the state of the IKE_SA.
312 *
313 * @return state of the IKE_SA
314 */
315 ike_sa_state_t (*get_state) (ike_sa_t *this);
316
317 /**
318 * Set the state of the IKE_SA.
319 *
320 * @param state state to set for the IKE_SA
321 */
322 void (*set_state) (ike_sa_t *this, ike_sa_state_t state);
323
324 /**
325 * Get the name of the connection this IKE_SA uses.
326 *
327 * @return name
328 */
329 char* (*get_name) (ike_sa_t *this);
330
331 /**
332 * Get statistic values from the IKE_SA.
333 *
334 * @param kind kind of requested value
335 * @return value as integer
336 */
337 u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
338
339 /**
340 * Set statistic value of the IKE_SA.
341 *
342 * @param kind kind of value to update
343 * @param value value as integer
344 */
345 void (*set_statistic)(ike_sa_t *this, statistic_t kind, u_int32_t value);
346
347 /**
348 * Get the own host address.
349 *
350 * @return host address
351 */
352 host_t* (*get_my_host) (ike_sa_t *this);
353
354 /**
355 * Set the own host address.
356 *
357 * @param me host address
358 */
359 void (*set_my_host) (ike_sa_t *this, host_t *me);
360
361 /**
362 * Get the other peers host address.
363 *
364 * @return host address
365 */
366 host_t* (*get_other_host) (ike_sa_t *this);
367
368 /**
369 * Set the others host address.
370 *
371 * @param other host address
372 */
373 void (*set_other_host) (ike_sa_t *this, host_t *other);
374
375 /**
376 * Float to port 4500 (e.g. if a NAT is detected).
377 *
378 * The port of either endpoint is changed only if it is currently
379 * set to the default value of 500.
380 */
381 void (*float_ports)(ike_sa_t *this);
382
383 /**
384 * Update the IKE_SAs host.
385 *
386 * Hosts may be NULL to use current host.
387 *
388 * @param me new local host address, or NULL
389 * @param other new remote host address, or NULL
390 * @param force force update
391 */
392 void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force);
393
394 /**
395 * Get the own identification.
396 *
397 * @return identification
398 */
399 identification_t* (*get_my_id) (ike_sa_t *this);
400
401 /**
402 * Set the own identification.
403 *
404 * @param me identification
405 */
406 void (*set_my_id) (ike_sa_t *this, identification_t *me);
407
408 /**
409 * Get the other peer's identification.
410 *
411 * @return identification
412 */
413 identification_t* (*get_other_id) (ike_sa_t *this);
414
415 /**
416 * Get the others peer identity, but prefer an EAP-Identity.
417 *
418 * @return EAP or IKEv2 identity
419 */
420 identification_t* (*get_other_eap_id)(ike_sa_t *this);
421
422 /**
423 * Set the other peer's identification.
424 *
425 * @param other identification
426 */
427 void (*set_other_id) (ike_sa_t *this, identification_t *other);
428
429 /**
430 * Get the config used to setup this IKE_SA.
431 *
432 * @return ike_config
433 */
434 ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
435
436 /**
437 * Set the config to setup this IKE_SA.
438 *
439 * @param config ike_config to use
440 */
441 void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
442
443 /**
444 * Get the peer config used by this IKE_SA.
445 *
446 * @return peer_config
447 */
448 peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
449
450 /**
451 * Set the peer config to use with this IKE_SA.
452 *
453 * @param config peer_config to use
454 */
455 void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
456
457 /**
458 * Get the authentication config with rules of the current auth round.
459 *
460 * @param local TRUE for local rules, FALSE for remote constraints
461 * @return current cfg
462 */
463 auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
464
465 /**
466 * Insert a completed authentication round.
467 *
468 * @param local TRUE for own rules, FALSE for others constraints
469 * @param cfg auth config to append
470 */
471 void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);
472
473 /**
474 * Create an enumerator over added authentication rounds.
475 *
476 * @param local TRUE for own rules, FALSE for others constraints
477 * @return enumerator over auth_cfg_t
478 */
479 enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
480
481 /**
482 * Get the selected proposal of this IKE_SA.
483 *
484 * @return selected proposal
485 */
486 proposal_t* (*get_proposal)(ike_sa_t *this);
487
488 /**
489 * Set the proposal selected for this IKE_SA.
490 *
491 * @param selected proposal
492 */
493 void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
494
495 /**
496 * Set the message id of the IKE_SA.
497 *
498 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
499 * and one to respond to exchanges (expect).
500 *
501 * @param initiate TRUE to set message ID for initiating
502 * @param mid message id to set
503 */
504 void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);
505
506 /**
507 * Add an additional address for the peer.
508 *
509 * In MOBIKE, a peer may transmit additional addresses where it is
510 * reachable. These are stored in the IKE_SA.
511 * The own list of addresses is not stored, they are queried from
512 * the kernel when required.
513 *
514 * @param host host to add to list
515 */
516 void (*add_peer_address)(ike_sa_t *this, host_t *host);
517
518 /**
519 * Create an enumerator over all known addresses of the peer.
520 *
521 * @return enumerator over addresses
522 */
523 enumerator_t* (*create_peer_address_enumerator)(ike_sa_t *this);
524
525 /**
526 * Remove all known addresses of the peer.
527 */
528 void (*clear_peer_addresses)(ike_sa_t *this);
529
530 /**
531 * Check if mappings have changed on a NAT for our source address.
532 *
533 * @param hash received DESTINATION_IP hash
534 * @return TRUE if mappings have changed
535 */
536 bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
537
538 /**
539 * Enable an extension the peer supports.
540 *
541 * If support for an IKE extension is detected, this method is called
542 * to enable that extension and behave accordingly.
543 *
544 * @param extension extension to enable
545 */
546 void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
547
548 /**
549 * Check if the peer supports an extension.
550 *
551 * @param extension extension to check for support
552 * @return TRUE if peer supports it, FALSE otherwise
553 */
554 bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
555
556 /**
557 * Enable/disable a condition flag for this IKE_SA.
558 *
559 * @param condition condition to enable/disable
560 * @param enable TRUE to enable condition, FALSE to disable
561 */
562 void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
563
564 /**
565 * Check if a condition flag is set.
566 *
567 * @param condition condition to check
568 * @return TRUE if condition flag set, FALSE otherwise
569 */
570 bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
571
572 /**
573 * Get the number of queued MOBIKE address updates.
574 *
575 * @return number of pending updates
576 */
577 u_int32_t (*get_pending_updates)(ike_sa_t *this);
578
579 /**
580 * Set the number of queued MOBIKE address updates.
581 *
582 * @param updates number of pending updates
583 */
584 void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);
585
586 #ifdef ME
587 /**
588 * Activate mediation server functionality for this IKE_SA.
589 */
590 void (*act_as_mediation_server) (ike_sa_t *this);
591
592 /**
593 * Get the server reflexive host.
594 *
595 * @return server reflexive host
596 */
597 host_t* (*get_server_reflexive_host) (ike_sa_t *this);
598
599 /**
600 * Set the server reflexive host.
601 *
602 * @param host server reflexive host
603 */
604 void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
605
606 /**
607 * Get the connect ID.
608 *
609 * @return connect ID
610 */
611 chunk_t (*get_connect_id) (ike_sa_t *this);
612
613 /**
614 * Initiate the mediation of a mediated connection (i.e. initiate a
615 * ME_CONNECT exchange to a mediation server).
616 *
617 * @param mediated_cfg peer_cfg of the mediated connection
618 * @return
619 * - SUCCESS if initialization started
620 * - DESTROY_ME if initialization failed
621 */
622 status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
623
624 /**
625 * Initiate the mediated connection
626 *
627 * @param me local endpoint (gets cloned)
628 * @param other remote endpoint (gets cloned)
629 * @param connect_id connect ID (gets cloned)
630 * @return
631 * - SUCCESS if initialization started
632 * - DESTROY_ME if initialization failed
633 */
634 status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
635 chunk_t connect_id);
636
637 /**
638 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
639 * to a peer).
640 *
641 * Data is cloned.
642 *
643 * @param requester ID of the requesting peer
644 * @param connect_id data of the ME_CONNECTID payload
645 * @param connect_key data of the ME_CONNECTKEY payload
646 * @param endpoints endpoints
647 * @param response TRUE if this is a response
648 * @return
649 * - SUCCESS if relay started
650 * - DESTROY_ME if relay failed
651 */
652 status_t (*relay) (ike_sa_t *this, identification_t *requester,
653 chunk_t connect_id, chunk_t connect_key,
654 linked_list_t *endpoints, bool response);
655
656 /**
657 * Send a callback to a peer.
658 *
659 * Data is cloned.
660 *
661 * @param peer_id ID of the other peer
662 * @return
663 * - SUCCESS if response started
664 * - DESTROY_ME if response failed
665 */
666 status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
667
668 /**
669 * Respond to a ME_CONNECT request.
670 *
671 * Data is cloned.
672 *
673 * @param peer_id ID of the other peer
674 * @param connect_id the connect ID supplied by the initiator
675 * @return
676 * - SUCCESS if response started
677 * - DESTROY_ME if response failed
678 */
679 status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
680 chunk_t connect_id);
681 #endif /* ME */
682
683 /**
684 * Initiate a new connection.
685 *
686 * The configs are owned by the IKE_SA after the call. If the initiate
687 * is triggered by a packet, traffic selectors of the packet can be added
688 * to the CHILD_SA.
689 *
690 * @param child_cfg child config to create CHILD from
691 * @param reqid reqid to use for CHILD_SA, 0 assigne uniquely
692 * @param tsi source of triggering packet
693 * @param tsr destination of triggering packet.
694 * @return
695 * - SUCCESS if initialization started
696 * - DESTROY_ME if initialization failed
697 */
698 status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
699 u_int32_t reqid, traffic_selector_t *tsi,
700 traffic_selector_t *tsr);
701
702 /**
703 * Retry initiation of this IKE_SA after it got deferred previously.
704 *
705 * @return
706 * - SUCCESS if initiation deferred or started
707 * - DESTROY_ME if initiation failed
708 */
709 status_t (*retry_initiate) (ike_sa_t *this);
710
711 /**
712 * Initiates the deletion of an IKE_SA.
713 *
714 * Sends a delete message to the remote peer and waits for
715 * its response. If the response comes in, or a timeout occurs,
716 * the IKE SA gets deleted.
717 *
718 * @return
719 * - SUCCESS if deletion is initialized
720 * - DESTROY_ME, if the IKE_SA is not in
721 * an established state and can not be
722 * deleted (but destroyed).
723 */
724 status_t (*delete) (ike_sa_t *this);
725
726 /**
727 * Update IKE_SAs after network interfaces have changed.
728 *
729 * Whenever the network interface configuration changes, the kernel
730 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
731 * the new network config requires changes, and handles appropriate.
732 * If MOBIKE is supported, addresses are updated; If not, the tunnel is
733 * restarted.
734 *
735 * @param address TRUE if address list changed, FALSE otherwise
736 * @return SUCCESS, FAILED, DESTROY_ME
737 */
738 status_t (*roam)(ike_sa_t *this, bool address);
739
740 /**
741 * Processes a incoming IKEv2-Message.
742 *
743 * Message processing may fail. If a critical failure occurs,
744 * process_message() return DESTROY_ME. Then the caller must
745 * destroy the IKE_SA immediately, as it is unusable.
746 *
747 * @param message message to process
748 * @return
749 * - SUCCESS
750 * - FAILED
751 * - DESTROY_ME if this IKE_SA MUST be deleted
752 */
753 status_t (*process_message) (ike_sa_t *this, message_t *message);
754
755 /**
756 * Generate a IKE message to send it to the peer.
757 *
758 * This method generates all payloads in the message and encrypts/signs
759 * the packet.
760 *
761 * @param message message to generate
762 * @param packet generated output packet
763 * @return
764 * - SUCCESS
765 * - FAILED
766 * - DESTROY_ME if this IKE_SA MUST be deleted
767 */
768 status_t (*generate_message) (ike_sa_t *this, message_t *message,
769 packet_t **packet);
770
771 /**
772 * Retransmits a request.
773 *
774 * @param message_id ID of the request to retransmit
775 * @return
776 * - SUCCESS
777 * - NOT_FOUND if request doesn't have to be retransmited
778 */
779 status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);
780
781 /**
782 * Sends a DPD request to the peer.
783 *
784 * To check if a peer is still alive, periodic
785 * empty INFORMATIONAL messages are sent if no
786 * other traffic was received.
787 *
788 * @return
789 * - SUCCESS
790 * - DESTROY_ME, if peer did not respond
791 */
792 status_t (*send_dpd) (ike_sa_t *this);
793
794 /**
795 * Sends a keep alive packet.
796 *
797 * To refresh NAT tables in a NAT router
798 * between the peers, periodic empty
799 * UDP packets are sent if no other traffic
800 * was sent.
801 */
802 void (*send_keepalive) (ike_sa_t *this);
803
804 /**
805 * Get the keying material of this IKE_SA.
806 *
807 * @return per IKE_SA keymat instance
808 */
809 keymat_t* (*get_keymat)(ike_sa_t *this);
810
811 /**
812 * Associates a child SA to this IKE SA
813 *
814 * @param child_sa child_sa to add
815 */
816 void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
817
818 /**
819 * Get a CHILD_SA identified by protocol and SPI.
820 *
821 * @param protocol protocol of the SA
822 * @param spi SPI of the CHILD_SA
823 * @param inbound TRUE if SPI is inbound, FALSE if outbound
824 * @return child_sa, or NULL if none found
825 */
826 child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
827 u_int32_t spi, bool inbound);
828
829 /**
830 * Get the number of CHILD_SAs.
831 *
832 * @return number of CHILD_SAs
833 */
834 int (*get_child_count) (ike_sa_t *this);
835
836 /**
837 * Create an enumerator over all CHILD_SAs.
838 *
839 * @return enumerator
840 */
841 enumerator_t* (*create_child_sa_enumerator) (ike_sa_t *this);
842
843 /**
844 * Remove the CHILD_SA the given enumerator points to from this IKE_SA.
845 *
846 * @param enumerator enumerator pointing to CHILD_SA
847 */
848 void (*remove_child_sa) (ike_sa_t *this, enumerator_t *enumerator);
849
850 /**
851 * Rekey the CHILD SA with the specified reqid.
852 *
853 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
854 *
855 * @param protocol protocol of the SA
856 * @param spi inbound SPI of the CHILD_SA
857 * @return
858 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
859 * - SUCCESS, if rekeying initiated
860 */
861 status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
862
863 /**
864 * Close the CHILD SA with the specified protocol/SPI.
865 *
866 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
867 * notify's the remote peer about the delete. The associated
868 * states and policies in the kernel get deleted, if they exist.
869 *
870 * @param protocol protocol of the SA
871 * @param spi inbound SPI of the CHILD_SA
872 * @param expired TRUE if CHILD_SA is expired
873 * @return
874 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
875 * - SUCCESS, if delete message sent
876 */
877 status_t (*delete_child_sa)(ike_sa_t *this, protocol_id_t protocol,
878 u_int32_t spi, bool expired);
879
880 /**
881 * Destroy a CHILD SA with the specified protocol/SPI.
882 *
883 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
884 *
885 * @param protocol protocol of the SA
886 * @param spi inbound SPI of the CHILD_SA
887 * @return
888 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
889 * - SUCCESS
890 */
891 status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
892
893 /**
894 * Rekey the IKE_SA.
895 *
896 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
897 *
898 * @return - SUCCESS, if IKE_SA rekeying initiated
899 */
900 status_t (*rekey) (ike_sa_t *this);
901
902 /**
903 * Reauthenticate the IKE_SA.
904 *
905 * Create a completely new IKE_SA with authentication, recreates all children
906 * within the IKE_SA, closes this IKE_SA.
907 *
908 * @return DESTROY_ME to destroy the IKE_SA
909 */
910 status_t (*reauth) (ike_sa_t *this);
911
912 /**
913 * Restablish the IKE_SA.
914 *
915 * Reestablish an IKE_SA after it has been closed.
916 *
917 * @return DESTROY_ME to destroy the IKE_SA
918 */
919 status_t (*reestablish) (ike_sa_t *this);
920
921 /**
922 * Set the lifetime limit received/to send in a AUTH_LIFETIME notify.
923 *
924 * If the IKE_SA is already ESTABLISHED, an INFORMATIONAL is sent with
925 * an AUTH_LIFETIME notify. The call never fails on unestablished SAs.
926 *
927 * @param lifetime lifetime in seconds
928 * @return DESTROY_ME to destroy the IKE_SA
929 */
930 status_t (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);
931
932 /**
933 * Set the virtual IP to use for this IKE_SA and its children.
934 *
935 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
936 * lifetime as the IKE_SA.
937 *
938 * @param local TRUE to set local address, FALSE for remote
939 * @param ip IP to set as virtual IP
940 */
941 void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
942
943 /**
944 * Get the virtual IP configured.
945 *
946 * @param local TRUE to get local virtual IP, FALSE for remote
947 * @return host_t *virtual IP
948 */
949 host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
950
951 /**
952 * Register a configuration attribute to the IKE_SA.
953 *
954 * If an IRAS sends a configuration attribute it is installed and
955 * registered at the IKE_SA. Attributes are inherit()ed and get released
956 * when the IKE_SA is closed.
957 *
958 * @param handler handler installed the attribute, use for release()
959 * @param type configuration attribute type
960 * @param data associated attribute data
961 */
962 void (*add_configuration_attribute)(ike_sa_t *this,
963 attribute_handler_t *handler,
964 configuration_attribute_type_t type, chunk_t data);
965
966 /**
967 * Set local and remote host addresses to be used for IKE.
968 *
969 * These addresses are communicated via the KMADDRESS field of a MIGRATE
970 * message sent via the NETLINK or PF _KEY kernel socket interface.
971 *
972 * @param local local kmaddress
973 * @param remote remote kmaddress
974 */
975 void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
976
977 /**
978 * Create enumerator over a task queue of this IKE_SA.
979 *
980 * @param queue type to enumerate
981 * @return enumerator over task_t
982 */
983 enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
984
985 /**
986 * Flush a task queue, cancelling all tasks in it.
987 *
988 * @param queue queue type to flush
989 */
990 void (*flush_queue)(ike_sa_t *this, task_queue_t queue);
991
992 /**
993 * Queue a task for initiaton to the task manager.
994 *
995 * @param task task to queue
996 */
997 void (*queue_task)(ike_sa_t *this, task_t *task);
998
999 /**
1000 * Inherit all attributes of other to this after rekeying.
1001 *
1002 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
1003 * outstanding tasks are moved from other to this.
1004 * As this call may initiate inherited tasks, a status is returned.
1005 *
1006 * @param other other task to inherit from
1007 */
1008 void (*inherit) (ike_sa_t *this, ike_sa_t *other);
1009
1010 /**
1011 * Reset the IKE_SA, useable when initiating fails
1012 */
1013 void (*reset) (ike_sa_t *this);
1014
1015 /**
1016 * Destroys a ike_sa_t object.
1017 */
1018 void (*destroy) (ike_sa_t *this);
1019 };
1020
1021 /**
1022 * Creates an ike_sa_t object with a specific ID and IKE version.
1023 *
1024 * @param ike_sa_id ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
1025 * @param initiator TRUE to create this IKE_SA as initiator
1026 * @param version IKE version of this SA
1027 * @return ike_sa_t object
1028 */
1029 ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
1030 ike_version_t version);
1031
1032 #endif /** IKE_SA_H_ @}*/