1 files changed, 79 insertions, 33 deletions
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index f644fb547..97089e1b0 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -23,6 +23,7 @@
 #ifndef PEER_CFG_H_
 #define PEER_CFG_H_
 
+typedef enum ike_version_t ike_version_t;
 typedef enum cert_policy_t cert_policy_t;
 typedef enum unique_policy_t unique_policy_t;
 typedef struct peer_cfg_t peer_cfg_t;
@@ -34,11 +35,26 @@ typedef struct peer_cfg_t peer_cfg_t;
 #include <config/proposal.h>
 #include <config/ike_cfg.h>
 #include <config/child_cfg.h>
-#include <sa/authenticators/authenticator.h>
-#include <sa/authenticators/eap/eap_method.h>
 #include <credentials/auth_cfg.h>
 
 /**
+ * IKE version.
+ */
+enum ike_version_t {
+	/** any version */
+	IKE_ANY = 0,
+	/** IKE version 1 */
+	IKEV1 = 1,
+	/** IKE version 2 */
+	IKEV2 = 2,
+};
+
+/**
+ * enum strings fro ike_version_t
+ */
+extern enum_name_t *ike_version_names;
+
+/**
  * Certificate sending policy. This is also used for certificate
  * requests when using this definition for the other peer. If
  * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
@@ -65,11 +81,13 @@ extern enum_name_t *cert_policy_names;
  * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
  */
 enum unique_policy_t {
-	/** do not check for client uniqueness */
+	/** never check for client uniqueness */
+	UNIQUE_NEVER,
+	/** only check for client uniqueness when receiving an INITIAL_CONTACT */
 	UNIQUE_NO,
-	/** replace unique IKE_SAs if new ones get established */
+	/** replace existing IKE_SAs when new ones get established by a client */
 	UNIQUE_REPLACE,
-	/** keep existing IKE_SAs, close the new ones on connection attept */
+	/** keep existing IKE_SAs, close the new ones on connection attempt */
 	UNIQUE_KEEP,
 };
 
@@ -130,7 +148,7 @@ struct peer_cfg_t {
 	 *
 	 * @return				IKE major version
 	 */
-	u_int (*get_ike_version)(peer_cfg_t *this);
+	ike_version_t (*get_ike_version)(peer_cfg_t *this);
 
 	/**
 	 * Get the IKE config to use for initiaton.
@@ -165,13 +183,13 @@ struct peer_cfg_t {
 	 *
 	 * @param my_ts			TS for local side
 	 * @param other_ts		TS for remote side
-	 * @param my_host		host to narrow down dynamic TS for local side
-	 * @param other_host	host to narrow down dynamic TS for remote side
+	 * @param my_hosts		hosts to narrow down dynamic TS for local side
+	 * @param other_hosts	hosts to narrow down dynamic TS for remote side
 	 * @return				selected CHILD config, or NULL if no match found
 	 */
-	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
-									  linked_list_t *other_ts, host_t *my_host,
-									  host_t *other_host);
+	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this,
+							linked_list_t *my_ts, linked_list_t *other_ts,
+							linked_list_t *my_hosts, linked_list_t *other_hosts);
 
 	/**
 	 * Add an authentication config to the peer configuration.
@@ -211,18 +229,20 @@ struct peer_cfg_t {
 	u_int32_t (*get_keyingtries) (peer_cfg_t *this);
 
 	/**
-	 * Get a time to start rekeying (is randomized with jitter).
+	 * Get a time to start rekeying.
 	 *
+	 * @param jitter	remove a jitter value to randomize time
 	 * @return			time in s when to start rekeying, 0 disables rekeying
 	 */
-	u_int32_t (*get_rekey_time)(peer_cfg_t *this);
+	u_int32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
 
 	/**
-	 * Get a time to start reauthentication (is randomized with jitter).
+	 * Get a time to start reauthentication.
 	 *
+	 * @param jitter	remove a jitter value to randomize time
 	 * @return			time in s when to start reauthentication, 0 disables it
 	 */
-	u_int32_t (*get_reauth_time)(peer_cfg_t *this);
+	u_int32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
 
 	/**
 	 * Get the timeout of a rekeying/reauthenticating SA.
@@ -239,6 +259,13 @@ struct peer_cfg_t {
 	bool (*use_mobike) (peer_cfg_t *this);
 
 	/**
+	 * Use/Accept aggressive mode with IKEv1?.
+	 *
+	 * @return			TRUE to use aggressive mode
+	 */
+	bool (*use_aggressive)(peer_cfg_t *this);
+
+	/**
 	 * Get the DPD check interval.
 	 *
 	 * @return			dpd_delay in seconds
@@ -246,23 +273,41 @@ struct peer_cfg_t {
 	u_int32_t (*get_dpd) (peer_cfg_t *this);
 
 	/**
-	 * Get a virtual IP for the local peer.
+	 * Get the DPD timeout interval (IKEv1 only)
 	 *
-	 * If no virtual IP should be used, NULL is returned. %any means to request
-	 * a virtual IP using configuration payloads. A specific address is also
-	 * used for a request and may be changed by the server.
+	 * @return			dpd_timeout in seconds
+	 */
+	u_int32_t (*get_dpd_timeout) (peer_cfg_t *this);
+
+	/**
+	 * Add a virtual IP to request as initiator.
+	 *
+	 * @param vip			virtual IP to request, may be %any or %any6
+	 */
+	void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);
+
+	/**
+	 * Create an enumerator over virtual IPs to request.
+	 *
+	 * The returned enumerator enumerates over IPs added with add_virtual_ip().
+	 *
+	 * @return				enumerator over host_t*
+	 */
+	enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);
+
+	/**
+	 * Add a pool name this configuration uses to select virtual IPs.
 	 *
-	 * @param suggestion	NULL, %any or specific
-	 * @return				virtual IP, %any or NULL
+	 * @param name			pool name to use for virtual IP lookup
 	 */
-	host_t* (*get_virtual_ip) (peer_cfg_t *this);
+	void (*add_pool)(peer_cfg_t *this, char *name);
 
 	/**
-	 * Get the name of the pool to acquire configuration attributes from.
+	 * Create an enumerator over pool names of this config.
 	 *
-	 * @return				pool name, NULL if none defined
+	 * @return				enumerator over char*
 	 */
-	char* (*get_pool)(peer_cfg_t *this);
+	enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);
 
 #ifdef ME
 	/**
@@ -339,20 +384,21 @@ struct peer_cfg_t {
  * @param jitter_time		timerange to randomly subtract from rekey/reauth time
  * @param over_time			maximum overtime before closing a rekeying/reauth SA
  * @param mobike			use MOBIKE (RFC4555) if peer supports it
+ * @param aggressive		use/accept aggressive mode with IKEv1
  * @param dpd				DPD check interval, 0 to disable
- * @param virtual_ip		virtual IP for local host, or NULL
- * @param pool				pool name to get configuration attributes from, or NULL
+ * @param dpd_timeout		DPD timeout interval (IKEv1 only), if 0 default applies
  * @param mediation			TRUE if this is a mediation connection
  * @param mediated_by		peer_cfg_t of the mediation connection to mediate through
  * @param peer_id			ID that identifies our peer at the mediation server
  * @return					peer_cfg_t object
  */
-peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
-							cert_policy_t cert_policy, unique_policy_t unique,
-							u_int32_t keyingtries, u_int32_t rekey_time,
-							u_int32_t reauth_time, u_int32_t jitter_time,
-							u_int32_t over_time, bool mobike, u_int32_t dpd,
-							host_t *virtual_ip, char *pool,
+peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
+							ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
+							unique_policy_t unique, u_int32_t keyingtries,
+							u_int32_t rekey_time, u_int32_t reauth_time,
+							u_int32_t jitter_time, u_int32_t over_time,
+							bool mobike, bool aggressive, u_int32_t dpd,
+							u_int32_t dpd_timeout,
 							bool mediation, peer_cfg_t *mediated_by,
 							identification_t *peer_id);