1 /* information about connections between hosts and clients
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * RCSID $Id: connections.h,v 1.59 2002/03/31 20:42:04 dhr Exp $
17 /* There are two kinds of connections:
18 * - ISAKMP connections, between hosts (for IKE communication)
19 * - IPsec connections, between clients (for secure IP communication)
21 * An ISAKMP connection looks like:
24 * An IPsec connection looks like:
25 * client-subnet<-->host<->nexthop<--->nexthop<->host<-->client-subnet
27 * For the connection to be relevant to this instance of Pluto,
28 * exactly one of the hosts must be a public interface of our machine
29 * known to this instance.
31 * The client subnet might simply be the host -- this is a
32 * representation of "host mode".
34 * Each nexthop defaults to the neighbouring host's IP address.
 * The nexthop is a property of the pair of hosts, not of each
 * host individually. It is only needed for IPsec because of the
37 * way IPsec is mixed into the kernel routing logic. Furthermore,
38 * only this end's nexthop is actually used. Eventually, nexthop
39 * will be unnecessary.
41 * Other information represented:
42 * - each connection has a name: a chunk of uninterpreted text
43 * that is unique for each connection.
 * - security requirements (currently just the "policy" flags from
 *   the whack command to initiate the connection, but eventually
 *   much more). These differ for ISAKMP and IPsec connections.
47 * - rekeying parameters:
48 * + time an SA may live
49 * + time before SA death that a rekeying should be attempted
50 * (only by the initiator)
51 * + number of times to attempt rekeying
 * - With the current KLIPS, we must route packets for a client
 *   subnet through the ipsec interface (ipsec0). Only one
 *   gateway can get traffic for a specific (client) subnet.
 *   Furthermore, if the routing isn't in place, packets will
 *   be sent in the clear (that is, without IPsec protection).
57 * "routing" indicates whether the routing has been done for
58 * this connection. Note that several connections may claim
59 * the same routing, as long as they agree about where the
60 * packets are to be sent.
61 * - With the current KLIPS, only one outbound IPsec SA bundle can be
62 * used for a particular client. This is due to a limitation
63 * of using only routing for selection. So only one IPsec state (SA)
64 * may "own" the eroute. "eroute_owner" is the serial number of
65 * this state, SOS_NOBODY if there is none. "routing" indicates
66 * what kind of erouting has been done for this connection, if any.
68 * Operations on Connections:
70 * - add a new connection (with all details) [whack command]
71 * - delete a connection (by name) [whack command]
72 * - initiate a connection (by name) [whack command]
73 * - find a connection (by IP addresses of hosts)
74 * [response to peer request; finding ISAKMP connection for IPsec connection]
76 * Some connections are templates, missing the address of the peer
77 * (represented by INADDR_ANY). These are always arranged so that the
78 * missing end is "that" (there can only be one missing end). These can
79 * be instantiated (turned into real connections) by Pluto in one of two
80 * different ways: Road Warrior Instantiation or Opportunistic
81 * Instantiation. A template connection is marked for Opportunistic
82 * Instantiation by specifying the peer client as 0.0.0.0/32 (or the IPV6
83 * equivalent). Otherwise, it is suitable for Road Warrior Instantiation.
 * Instantiation creates a new temporary connection, with the missing
 * details filled in. The resulting instance lasts only as long as there
 * is a state that uses it.
89 #ifndef _CONNECTIONS_H
90 #define _CONNECTIONS_H
102 u_int16_t port; /* host order */
106 bool has_client_wildcard;
108 u_int16_t host_port; /* host order */
111 struct virtual_t *virt;
119 time_t sa_ike_life_seconds;
120 time_t sa_ipsec_life_seconds;
121 time_t sa_rekey_margin;
122 unsigned long sa_rekey_fuzz;
123 unsigned long sa_keying_tries;
136 /* internal fields: */
138 enum connection_kind kind;
139 const struct iface *interface; /* filled in iff oriented */
140 enum routing_t routing; /* level of routing in place */
143 so_serial_t /* state object serial number */
149 unsigned int extra_debugging;
152 /* note: if the client is the gateway, the following must be equal */
153 sa_family_t addr_family; /* between gateways */
154 sa_family_t tunnel_addr_family; /* between clients */
156 struct gw_info *gw_info;
157 struct alg_info_esp *alg_info_esp;
158 struct alg_info_ike *alg_info_ike;
160 int retransmit_trigger;
162 struct host_pair *host_pair;
163 struct connection *hp_next; /* host pair list link */
165 struct connection *ac_next; /* all connections list link */
168 #define oriented(c) ((c).interface != NULL)
169 extern bool orient(struct connection *c);
171 extern struct connection *
172 find_host_connection_mode(const ip_address *myaddr, u_int16_t myport
173 , const ip_address *hisaddr, u_int16_t hisport, bool main);
175 extern bool same_peer_ids(const struct connection *c
176 , const struct connection *d, const struct id *his_id);
178 extern size_t format_end(char *buf, size_t buf_len
179 , const struct end *this, const struct end *that, bool is_left);
181 struct whack_message; /* forward declaration of tag whack_msg */
182 extern void add_connection(const struct whack_message *wm);
183 extern void initiate_connection(const char *name, int whackfd);
184 extern void initiate_connections_by_peer(struct connection *c);
185 extern void initiate_opportunistic(const ip_address *our_client
186 , const ip_address *peer_client, bool held, int whackfd);
187 extern void terminate_connection(const char *nm);
188 extern void terminate_connections_by_peer(struct connection *c);
189 extern void release_connection(struct connection *c);
190 extern void delete_connection(struct connection *c);
191 extern void delete_every_connection(void);
192 extern void release_dead_interfaces(void);
193 extern void check_orientations(void);
194 extern struct connection *route_owner(struct connection *c
195 , struct connection **erop);
196 extern struct connection *shunt_owner(const ip_subnet *ours
197 , const ip_subnet *his);
199 extern bool uniqueIDs; /* --uniqueids? */
200 extern void ISAKMP_SA_established(struct connection *c, so_serial_t serial);
202 #define his_id_was_instantiated(c) ((c)->kind == CK_INSTANCE \
203 && id_is_ipaddr(&(c)->that.id) \
204 && sameaddr(&(c)->that.id.ip_addr, &(c)->that.host_addr))
206 /* for Opportunism */
207 extern bool HasWildcardClient(const struct connection *c);
208 extern const ip_subnet *EffectivePeerClient(const struct connection *c);
210 /* for Aggressive Mode */
211 #define HasWildcardIP(c) (is_NO_IP((c).that.host_addr))
212 extern struct connection
213 *rw_connection(const struct connection *c, ip_address *him);
215 struct state; /* forward declaration of tag (defined in state.h) */
216 extern struct connection
217 *con_by_name(const char *nm, bool strict),
218 *find_host_connection(const ip_address *me, u_int16_t my_port
219 , const ip_address *him, u_int16_t his_port),
220 *refine_host_connection(const struct state *st, const struct id *id
221 , bool initiator, bool aggrmode),
222 *find_client_connection(struct connection *c
223 , const ip_subnet *our_net
224 , const ip_subnet *peer_net
225 , const u_int8_t our_protocol
226 , const u_int16_t out_port
227 , const u_int8_t peer_protocol
228 , const u_int16_t peer_port);
230 /* instantiating routines
231 * Note: connection_discard() is in state.h because all its work
232 * is looking through state objects.
234 struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
235 struct alg_info; /* forward declaration of tag (defined in alg_info.h) */
236 extern struct connection
237 *rw_instantiate(const struct connection *c, const ip_address *him
242 , const ip_subnet *his_net
244 , const struct id *his_id),
245 *oppo_instantiate(const struct connection *c, const ip_address *him
246 , const struct id *his_id, struct gw_info *gw
247 , const ip_address *our_client, const ip_address *peer_client),
248 *build_outgoing_opportunistic_connection(struct gw_info *gw
249 , const ip_address *our_client, const ip_address *peer_client);
251 #define CONN_INST_BUF (ADDRTOT_BUF+1 + SUBNETTOT_BUF+1)
252 extern void fmt_conn_instance(const struct connection *c
253 , char buf[CONN_INST_BUF]);
255 /* operations on "pending", the structure representing Quick Mode
256 * negotiations delayed until a Keying Channel has been negotiated.
259 struct pending; /* forward declaration (opaque outside connections.c) */
261 extern void add_pending(int whack_sock
262 , struct state *isakmp_sa
263 , struct connection *c
266 , so_serial_t replacing);
268 extern void release_pending_whacks(struct state *st, err_t story);
269 extern void unpend(struct state *st);
270 extern void update_pending(struct state *os, struct state *ns);
271 extern void flush_pending_by_state(struct state *st);
273 extern void connection_discard(struct connection *c);
275 /* print connection status */
277 extern void show_connections_status(void);
281 update_host_pair(const char *why, struct connection *c,
282 const ip_address *myaddr, u_int16_t myport ,
283 const ip_address *hisaddr, u_int16_t hisport);
284 #endif /* NAT_TRAVERSAL */