UMSKT
/
xpmgr
mirror of https://github.com/UMSKT/xpmgr.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
xpmgr/BuildTools/Include/iketypes.idl

1179 lines
44 KiB
Plaintext
Raw Blame History

/*
Copyright (c) Microsoft Corporation
SYNOPSIS
Defines data types used by the IKE keying module.
*/
#include "winerror.h"
import "fwptypes.idl";
cpp_quote("#if _MSC_VER >= 800")
cpp_quote("#if _MSC_VER >= 1200")
cpp_quote("#pragma warning(push)")
cpp_quote("#endif")
cpp_quote("#pragma warning(disable:4201)")
cpp_quote("#endif")
typedef struct IPSEC_V4_UDP_ENCAPSULATION0_ IPSEC_V4_UDP_ENCAPSULATION0;
///////////////////////////////////////////////////////////////////////////////
//
// Definitions for building IKE, Authip policies.
//
///////////////////////////////////////////////////////////////////////////////
typedef [v1_enum] enum IKEEXT_KEY_MODULE_TYPE_
{
IKEEXT_KEY_MODULE_IKE,
IKEEXT_KEY_MODULE_AUTHIP,
IKEEXT_KEY_MODULE_IKEV2,
IKEEXT_KEY_MODULE_MAX
} IKEEXT_KEY_MODULE_TYPE;
// Type of authentication method
typedef [v1_enum] enum IKEEXT_AUTHENTICATION_METHOD_TYPE_
{
IKEEXT_PRESHARED_KEY,
IKEEXT_CERTIFICATE,
IKEEXT_KERBEROS,
IKEEXT_ANONYMOUS,
IKEEXT_SSL,
IKEEXT_NTLM_V2,
IKEEXT_IPV6_CGA,
IKEEXT_CERTIFICATE_ECDSA_P256,
IKEEXT_CERTIFICATE_ECDSA_P384,
IKEEXT_SSL_ECDSA_P256,
IKEEXT_SSL_ECDSA_P384,
IKEEXT_EAP,
IKEEXT_AUTHENTICATION_METHOD_TYPE_MAX
} IKEEXT_AUTHENTICATION_METHOD_TYPE;
// Type of impersonation to perform while authentication. Ike can only perform
// machine authentication, so this should be set to IKEEXT_IMPERSONATION_NONE
// when specifying IKE policy. For Authip policy, specify
// IKEEXT_IMPERSONATION_SOCKET_PRINCIPAL to enable impersonation.
typedef [v1_enum] enum IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE_
{
IKEEXT_IMPERSONATION_NONE,
IKEEXT_IMPERSONATION_SOCKET_PRINCIPAL,
IKEEXT_IMPERSONATION_MAX
} IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE;
// Stores information needed for preshared key authentication
typedef struct IKEEXT_PRESHARED_KEY_AUTHENTICATION0__
{
// The preshared key
FWP_BYTE_BLOB presharedKey;
} IKEEXT_PRESHARED_KEY_AUTHENTICATION0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Use PSK for authenticating local entity to remote entity only
cpp_quote("#define IKEEXT_PSK_FLAG_LOCAL_AUTH_ONLY (0x00000001)")
// Use PSK for authenticating remote entity to local entity only
cpp_quote("#define IKEEXT_PSK_FLAG_REMOTE_AUTH_ONLY (0x00000002)")
typedef struct IKEEXT_PRESHARED_KEY_AUTHENTICATION1__
{
// The preshared key
FWP_BYTE_BLOB presharedKey;
// Flags
UINT32 flags;
} IKEEXT_PRESHARED_KEY_AUTHENTICATION1;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
//////////
// Flags specifying certificate root characteristics.
//////////
// Enable certificate to account mapping for this root.
cpp_quote("#define IKEEXT_CERT_FLAG_ENABLE_ACCOUNT_MAPPING (0x00000001)")
// Do not send a Cert request payload for this root.
cpp_quote("#define IKEEXT_CERT_FLAG_DISABLE_REQUEST_PAYLOAD (0x00000002)")
// Enable NAP certificate handling
cpp_quote("#define IKEEXT_CERT_FLAG_USE_NAP_CERTIFICATE (0x00000004)")
// The corresponding CA could be an intermediate CA and need not be a ROOT CA.
// If this flag is not specified, the name will have to refer to a ROOT CA.
cpp_quote("#define IKEEXT_CERT_FLAG_INTERMEDIATE_CA (0x00000008)")
// If certificate to account mapping is enabled, this flag allows IKE to ignore
// mapping failures on initiator. Not applicable for Authip. Can be set only
// if IKEEXT_CERT_FLAG_ENABLE_ACCOUNT_MAPPING is also specified. By default IKE
// will not ignore cert-mapping failures even on initiator.
cpp_quote("#define IKEEXT_CERT_FLAG_IGNORE_INIT_CERT_MAP_FAILURE (0x00000010)")
//If this flag is specified, then NAP certs are preferred for
//local cert selection
cpp_quote("#define IKEEXT_CERT_FLAG_PREFER_NAP_CERTIFICATE_OUTBOUND (0x00000020)")
typedef struct IKEEXT_CERT_ROOT_CONFIG0_
{
// X509/ASN.1 encoded name of the certificate root. Should be empty when
// specifying Enterprise or trusted root store config.
FWP_BYTE_BLOB certData;
// Flags
UINT32 flags;
} IKEEXT_CERT_ROOT_CONFIG0;
//////////
// Flags specifying certificate authentication characteristics.
//////////
// Enable SSL one way authentication
cpp_quote("#define IKEEXT_CERT_AUTH_FLAG_SSL_ONE_WAY (0x00000001)")
// Disable CRL checking. By default weak CRL checking is enabled. Weak checking
// means that a certificate will be rejected if and only if CRL is successfully
// looked up and the certificate is found to be revoked.
cpp_quote("#define IKEEXT_CERT_AUTH_FLAG_DISABLE_CRL_CHECK (0x00000002)")
// Enable strong CRL checking. Strong checking means that a certificate will be
// rejected if certificate is found to be revoked, or if any other error
// (for ex: CRL could not be retrieved) takes place while performing the
// revokation checking. By default weak CRL checking is enabled.
cpp_quote("#define IKEEXT_CERT_AUTH_ENABLE_CRL_CHECK_STRONG (0x00000004)")
// SSL validation requires certain EKUs, like server auth EKU from a server.
// This disables the server auth EKU check, but still performs the other
// IKE-style certificate verification
cpp_quote("#define IKEEXT_CERT_AUTH_DISABLE_SSL_CERT_VALIDATION (0x00000008)")
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Allow lookup of peer certificate information from an HTTP URL. Only supported
// by IKEv2.
cpp_quote("#define IKEEXT_CERT_AUTH_ALLOW_HTTP_CERT_LOOKUP (0x00000010)")
// The URL specified in the certificate authentication policy points to an
// encoded certificate-bundle. If this flag is not specifed, IKEv2 will assume
// that the URL points to an encoded certificate. Only supported by IKEv2.
cpp_quote("#define IKEEXT_CERT_AUTH_URL_CONTAINS_BUNDLE (0x00000020)")
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
// Type of certificate configuration
typedef [v1_enum] enum IKEEXT_CERT_CONFIG_TYPE_
{
// Use an explicit trust list for authentication
IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST,
// Use the enterprise store as the trust list for authentication
IKEEXT_CERT_CONFIG_ENTERPRISE_STORE,
// Use the trusted root CA store as the trust list for authentication
IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE,
// No Cert auth in direction (inbound/outbound) in which config applies
IKEEXT_CERT_CONFIG_UNSPECIFIED,
// Not a valid type -- used for parameter validation only.
IKEEXT_CERT_CONFIG_TYPE_MAX
} IKEEXT_CERT_CONFIG_TYPE;
// Type used to specify various parameters for authentication with certificates.
typedef struct IKEEXT_CERTIFICATE_AUTHENTICATION0_
{
// Certificate configuration type for inbound peer cert verification.
IKEEXT_CERT_CONFIG_TYPE inboundConfigType;
// Configuration for inbound peer cert verification. It is a union of
// explicit trust list, enterprise store, or trusted root store config
// depending on the configType.
[switch_type(IKEEXT_CERT_CONFIG_TYPE), switch_is(inboundConfigType)]
union
{
[case(IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST)]
// Explicit trust list for verifying the peer certificate chain.
struct
{
UINT32 inboundRootArraySize;
[size_is(inboundRootArraySize), unique]
IKEEXT_CERT_ROOT_CONFIG0* inboundRootArray;
};
[case(IKEEXT_CERT_CONFIG_ENTERPRISE_STORE)]
// Enterprise store config for verifying the peer certificate chain.
[unique] IKEEXT_CERT_ROOT_CONFIG0* inboundEnterpriseStoreConfig;
[case(IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE)]
// Trusted root store config for verifying the peer certificate chain.
[unique] IKEEXT_CERT_ROOT_CONFIG0* inboundTrustedRootStoreConfig;
};
// Certificate configuration type for outbound local cert selection.
IKEEXT_CERT_CONFIG_TYPE outboundConfigType;
// Configuration for outbound local cert selection. It is a union of
// explicit trust list, enterprise store, or trusted root store config
// depending on the configType.
[switch_type(IKEEXT_CERT_CONFIG_TYPE), switch_is(outboundConfigType)]
union
{
[case(IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST)]
// Explicit trust list for selecting a certificate chain to send to the
// peer.
struct
{
UINT32 outboundRootArraySize;
[size_is(outboundRootArraySize), unique]
IKEEXT_CERT_ROOT_CONFIG0* outboundRootArray;
};
[case(IKEEXT_CERT_CONFIG_ENTERPRISE_STORE)]
// Enterprise store config for selecting a certificate chain to send to
// the peer.
[unique] IKEEXT_CERT_ROOT_CONFIG0* outboundEnterpriseStoreConfig;
[case(IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE)]
// Trusted root store config for selecting a certificate chain to send
// to the peer.
[unique] IKEEXT_CERT_ROOT_CONFIG0* outboundTrustedRootStoreConfig;
};
// Flags
UINT32 flags;
} IKEEXT_CERTIFICATE_AUTHENTICATION0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Version-1 of type used to specify various parameters for authentication with
// certificates.
typedef struct IKEEXT_CERTIFICATE_AUTHENTICATION1_
{
// Certificate configuration type for inbound peer cert verification.
IKEEXT_CERT_CONFIG_TYPE inboundConfigType;
// Configuration for inbound peer cert verification. It is a union of
// explicit trust list, enterprise store, or trusted root store config
// depending on the configType.
[switch_type(IKEEXT_CERT_CONFIG_TYPE), switch_is(inboundConfigType)]
union
{
[case(IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST)]
// Explicit trust list for verifying the peer certificate chain.
struct
{
UINT32 inboundRootArraySize;
[size_is(inboundRootArraySize), unique]
IKEEXT_CERT_ROOT_CONFIG0* inboundRootArray;
};
[case(IKEEXT_CERT_CONFIG_ENTERPRISE_STORE)]
// Enterprise store config for verifying the peer certificate chain.
[unique] IKEEXT_CERT_ROOT_CONFIG0* inboundEnterpriseStoreConfig;
[case(IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE)]
// Trusted root store config for verifying the peer certificate chain.
[unique] IKEEXT_CERT_ROOT_CONFIG0* inboundTrustedRootStoreConfig;
[case(IKEEXT_CERT_CONFIG_UNSPECIFIED)];
};
// Certificate configuration type for outbound local cert selection.
IKEEXT_CERT_CONFIG_TYPE outboundConfigType;
// Configuration for outbound local cert selection. It is a union of
// explicit trust list, enterprise store, or trusted root store config
// depending on the configType.
[switch_type(IKEEXT_CERT_CONFIG_TYPE), switch_is(outboundConfigType)]
union
{
[case(IKEEXT_CERT_CONFIG_EXPLICIT_TRUST_LIST)]
// Explicit trust list for selecting a certificate chain to send to the
// peer.
struct
{
UINT32 outboundRootArraySize;
[size_is(outboundRootArraySize), unique]
IKEEXT_CERT_ROOT_CONFIG0* outboundRootArray;
};
[case(IKEEXT_CERT_CONFIG_ENTERPRISE_STORE)]
// Enterprise store config for selecting a certificate chain to send to
// the peer.
[unique] IKEEXT_CERT_ROOT_CONFIG0* outboundEnterpriseStoreConfig;
[case(IKEEXT_CERT_CONFIG_TRUSTED_ROOT_STORE)]
// Trusted root store config for selecting a certificate chain to send
// to the peer.
[unique] IKEEXT_CERT_ROOT_CONFIG0* outboundTrustedRootStoreConfig;
[case(IKEEXT_CERT_CONFIG_UNSPECIFIED)];
};
// Flags
UINT32 flags;
// HTTP URL pointing to an encoded certificate or certificate-bundle, that
// will be used by IKEv2 for authenticating local machine to a peer.
// Only supported by IKEv2.
FWP_BYTE_BLOB localCertLocationUrl;
} IKEEXT_CERTIFICATE_AUTHENTICATION1;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
// Type used to specify various parameters for IPV6 CGA authentication.
typedef struct IKEEXT_IPV6_CGA_AUTHENTICATION0_
{
// Key container name of the public key/private key pair that was used to
// generate the CGA. Same semantics as CRYPT_KEY_PROV_INFO->pwszContainerName
[string, ref] wchar_t* keyContainerName;
// Name of the CSP that stores the key container. If NULL, default provider
// will be used. Same semantics as CRYPT_KEY_PROV_INFO->pwszProvName.
[string, unique] wchar_t* cspName;
// Type of the CSP that stores the key container. Same semantics as
// CRYPT_KEY_PROV_INFO->dwProvType
UINT32 cspType;
// Modifier used during CGA generation. See CGA RFC for more information.
FWP_BYTE_ARRAY16 cgaModifier;
// Collision count used during CGA generation. See CGA RFC for more information.
BYTE cgaCollisionCount;
} IKEEXT_IPV6_CGA_AUTHENTICATION0;
// Disable initiator generation of peer token from the peer's name string
cpp_quote("#define IKEEXT_KERB_AUTH_DISABLE_INITIATOR_TOKEN_GENERATION (0x00000001)")
// Refuse connections if the peer is using explicit credentials
cpp_quote("#define IKEEXT_KERB_AUTH_DONT_ACCEPT_EXPLICIT_CREDENTIALS (0x00000002)")
// Stores information needed for kerberos authentication
typedef struct IKEEXT_KERBEROS_AUTHENTICATION0__
{
UINT32 flags;
} IKEEXT_KERBEROS_AUTHENTICATION0;
// Refuse connections if the peer is using explicit credentials
cpp_quote("#define IKEEXT_NTLM_V2_AUTH_DONT_ACCEPT_EXPLICIT_CREDENTIALS (0x00000001)")
// Stores information needed for ntlmV2 authentication
typedef struct IKEEXT_NTLM_V2_AUTHENTICATION0__
{
UINT32 flags;
} IKEEXT_NTLM_V2_AUTHENTICATION0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Use EAP for authenticating local entity to remote entity only
cpp_quote("#define IKEEXT_EAP_FLAG_LOCAL_AUTH_ONLY (0x00000001)")
// Use EAP for authenticating remote entity to local entity only
cpp_quote("#define IKEEXT_EAP_FLAG_REMOTE_AUTH_ONLY (0x00000002)")
// Stores information needed for EAP authentication
typedef struct IKEEXT_EAP_AUTHENTICATION0__
{
UINT32 flags;
} IKEEXT_EAP_AUTHENTICATION0;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
// Type specifying various parameters for IKE/Authip authentication
typedef struct IKEEXT_AUTHENTICATION_METHOD0_
{
// Type of authentication method
IKEEXT_AUTHENTICATION_METHOD_TYPE authenticationMethodType;
// Tagged union containing parameters specific to the authentication method
// type.
[switch_type(IKEEXT_AUTHENTICATION_METHOD_TYPE),
switch_is(authenticationMethodType)]
union
{
[case(IKEEXT_PRESHARED_KEY)]
IKEEXT_PRESHARED_KEY_AUTHENTICATION0 presharedKeyAuthentication;
[case(IKEEXT_CERTIFICATE,
IKEEXT_CERTIFICATE_ECDSA_P256,
IKEEXT_CERTIFICATE_ECDSA_P384)]
IKEEXT_CERTIFICATE_AUTHENTICATION0 certificateAuthentication;
[case(IKEEXT_KERBEROS)]
IKEEXT_KERBEROS_AUTHENTICATION0 kerberosAuthentication;
[case(IKEEXT_NTLM_V2)]
IKEEXT_NTLM_V2_AUTHENTICATION0 ntlmV2Authentication;
[case(IKEEXT_ANONYMOUS)];
[case(IKEEXT_SSL,
IKEEXT_SSL_ECDSA_P256,
IKEEXT_SSL_ECDSA_P384)]
IKEEXT_CERTIFICATE_AUTHENTICATION0 sslAuthentication;
[case(IKEEXT_IPV6_CGA)]
IKEEXT_IPV6_CGA_AUTHENTICATION0 cgaAuthentication;
};
} IKEEXT_AUTHENTICATION_METHOD0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Version-1 of type specifying various parameters for IKE/Authip authentication
typedef struct IKEEXT_AUTHENTICATION_METHOD1_
{
// Type of authentication method
IKEEXT_AUTHENTICATION_METHOD_TYPE authenticationMethodType;
// Tagged union containing parameters specific to the authentication method
// type.
[switch_type(IKEEXT_AUTHENTICATION_METHOD_TYPE),
switch_is(authenticationMethodType)]
union
{
[case(IKEEXT_PRESHARED_KEY)]
IKEEXT_PRESHARED_KEY_AUTHENTICATION1 presharedKeyAuthentication;
[case(IKEEXT_CERTIFICATE,
IKEEXT_CERTIFICATE_ECDSA_P256,
IKEEXT_CERTIFICATE_ECDSA_P384)]
IKEEXT_CERTIFICATE_AUTHENTICATION1 certificateAuthentication;
[case(IKEEXT_KERBEROS)]
IKEEXT_KERBEROS_AUTHENTICATION0 kerberosAuthentication;
[case(IKEEXT_NTLM_V2)]
IKEEXT_NTLM_V2_AUTHENTICATION0 ntlmV2Authentication;
[case(IKEEXT_ANONYMOUS)];
[case(IKEEXT_SSL,
IKEEXT_SSL_ECDSA_P256,
IKEEXT_SSL_ECDSA_P384)]
IKEEXT_CERTIFICATE_AUTHENTICATION1 sslAuthentication;
[case(IKEEXT_IPV6_CGA)]
IKEEXT_IPV6_CGA_AUTHENTICATION0 cgaAuthentication;
[case(IKEEXT_EAP)]
IKEEXT_EAP_AUTHENTICATION0 eapAuthentication;
};
} IKEEXT_AUTHENTICATION_METHOD1;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
// Type of encryption algorithm used for encrypting the IKE/Authip messages
typedef [v1_enum] enum IKEEXT_CIPHER_TYPE_
{
IKEEXT_CIPHER_DES,
IKEEXT_CIPHER_3DES,
IKEEXT_CIPHER_AES_128,
IKEEXT_CIPHER_AES_192,
IKEEXT_CIPHER_AES_256,
IKEEXT_CIPHER_TYPE_MAX
} IKEEXT_CIPHER_TYPE;
// Stores information about the IKE/Authip encryption algorithm
typedef struct IKEEXT_CIPHER_ALGORITHM0_
{
// The type of encryption algorithm
IKEEXT_CIPHER_TYPE algoIdentifier;
// length of the encryption key
UINT32 keyLen;
// Number of rounds in the encryption algorithm
UINT32 rounds;
} IKEEXT_CIPHER_ALGORITHM0;
// Type of hash algorithm used for integrity protection of IKE/Authip messages
typedef [v1_enum] enum IKEEXT_INTEGRITY_TYPE_
{
IKEEXT_INTEGRITY_MD5,
IKEEXT_INTEGRITY_SHA1,
IKEEXT_INTEGRITY_SHA_256,
IKEEXT_INTEGRITY_SHA_384,
IKEEXT_INTEGRITY_TYPE_MAX
} IKEEXT_INTEGRITY_TYPE;
// Stores the IKE/Authip hash algorithm
typedef struct IKEEXT_INTEGRITY_ALGORITHM0_
{
// The type of hash algorithm
IKEEXT_INTEGRITY_TYPE algoIdentifier;
} IKEEXT_INTEGRITY_ALGORITHM0;
// Type of Diffie Hellman group used for IKE/Authip key generation
typedef [v1_enum] enum IKEEXT_DH_GROUP_
{
IKEEXT_DH_GROUP_NONE,
IKEEXT_DH_GROUP_1,
IKEEXT_DH_GROUP_2,
IKEEXT_DH_GROUP_2048,
IKEEXT_DH_ECP_256,
IKEEXT_DH_ECP_384,
IKEEXT_DH_GROUP_MAX
} IKEEXT_DH_GROUP;
// Type used to store an IKE/Authip main mode proposal. The proposal describes
// the various parameters of the IKE/Authip main mode SA that is potentially
// generated from this proposal.
typedef struct IKEEXT_PROPOSAL0_
{
// Parameters for the encryption algorithm
IKEEXT_CIPHER_ALGORITHM0 cipherAlgorithm;
// Parameters for the hash algorithm
IKEEXT_INTEGRITY_ALGORITHM0 integrityAlgorithm;
// Main mode SA Lifetime in seconds
UINT32 maxLifetimeSeconds;
// The Diffie Hellman group
IKEEXT_DH_GROUP dhGroup;
// Maximum number of IPsec quick mode SAs that can be generated from this
// main mode SA. O means infinite.
UINT32 quickModeLimit;
} IKEEXT_PROPOSAL0;
//////////
// Flags specifying IKE/Authip main mode policy characteristics.
//////////
// Disable special diagnostics mode for IKE/Authip. This will prevent IKE, AuthIp
// from accepting unauthenticated notifies from peer, or sending MS_STATUS
// notifies to peer.
cpp_quote("#define IKEEXT_POLICY_FLAG_DISABLE_DIAGNOSTICS (0x00000001)")
// Disable SA verification of machine LUID
cpp_quote("#define IKEEXT_POLICY_FLAG_NO_MACHINE_LUID_VERIFY (0x00000002)")
// Disable SA verification of machine impersonation LUID
cpp_quote("#define IKEEXT_POLICY_FLAG_NO_IMPERSONATION_LUID_VERIFY (0x00000004)")
// AuthIP only: allow responder to accept any DH proposal (including NO dh)
// regardless of what is configured in policy
cpp_quote("#define IKEEXT_POLICY_FLAG_ENABLE_OPTIONAL_DH (0x00000008)")
// Type used to store the IKE/Authip main mode negotiation policy
typedef struct IKEEXT_POLICY0_
{
// Lifetime in seconds of the IPsec soft SA
UINT32 softExpirationTime;
// number of authentication methods
UINT32 numAuthenticationMethods;
// Array of acceptable authentication methods
[size_is(numAuthenticationMethods), ref]
IKEEXT_AUTHENTICATION_METHOD0* authenticationMethods;
// Type of impersonation. Applies only to Authip.
IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE initiatorImpersonationType;
// Number of main mode proposals
UINT32 numIkeProposals;
// Array of main mode proposals
[size_is(numIkeProposals), ref] IKEEXT_PROPOSAL0* ikeProposals;
// Flags
UINT32 flags;
// Maximum number of dynamic IPsec filters (per remote IP address and per
// transport layer) that is allowed to be added for any SA negotiated using
// this policy. This throttle prevents an attacker from making IKE, Authip
// add too many dynamic filters. If this is set to 0, then dynamic filter
// addition will be disabled.
UINT32 maxDynamicFilters;
} IKEEXT_POLICY0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Version-1 of type used to store the IKE/Authip main mode negotiation policy
typedef struct IKEEXT_POLICY1_
{
// Lifetime in seconds of the IPsec soft SA
UINT32 softExpirationTime;
// number of authentication methods
UINT32 numAuthenticationMethods;
// Array of acceptable authentication methods
[size_is(numAuthenticationMethods), ref]
IKEEXT_AUTHENTICATION_METHOD1* authenticationMethods;
// Type of impersonation. Applies only to Authip.
IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE initiatorImpersonationType;
// Number of main mode proposals
UINT32 numIkeProposals;
// Array of main mode proposals
[size_is(numIkeProposals), ref] IKEEXT_PROPOSAL0* ikeProposals;
// Flags
UINT32 flags;
// Maximum number of dynamic IPsec filters (per remote IP address and per
// transport layer) that is allowed to be added for any SA negotiated using
// this policy. This throttle prevents an attacker from making IKE, Authip
// add too many dynamic filters. If this is set to 0, then dynamic filter
// addition will be disabled.
UINT32 maxDynamicFilters;
// Duration of time (in seconds) IKEv2 request will be retransmitted before giving up
// Must be set to atleast 120 seconds (or 2mins)
// Applies to IkeV2 only.
UINT32 retransmitDurationSecs;
} IKEEXT_POLICY1;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
// Type used to store Authip's extended mode negotiation policy.
typedef struct IKEEXT_EM_POLICY0_
{
// Number of authentication methods in the array
UINT32 numAuthenticationMethods;
// Array of acceptable authentication methods
[size_is(numAuthenticationMethods), ref]
IKEEXT_AUTHENTICATION_METHOD0* authenticationMethods;
// Type of impersonation. Applies only to Authip.
IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE initiatorImpersonationType;
} IKEEXT_EM_POLICY0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Version-1 of type used to store Authip's extended mode negotiation policy.
typedef struct IKEEXT_EM_POLICY1_
{
// Number of authentication methods in the array
UINT32 numAuthenticationMethods;
// Array of acceptable authentication methods
[size_is(numAuthenticationMethods), ref]
IKEEXT_AUTHENTICATION_METHOD1* authenticationMethods;
// Type of impersonation. Applies only to Authip.
IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE initiatorImpersonationType;
} IKEEXT_EM_POLICY1;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
///////////////////////////////////////////////////////////////////////////////
//
// Definitions for retrieving IKE statistics.
//
///////////////////////////////////////////////////////////////////////////////
//Number of WinError failure codes specific to IKE
cpp_quote("#define IKEEXT_ERROR_CODE_COUNT \
(ERROR_IPSEC_IKE_NEG_STATUS_END - ERROR_IPSEC_IKE_NEG_STATUS_BEGIN)")
#define IKEEXT_ERROR_CODE_COUNT \
(ERROR_IPSEC_IKE_NEG_STATUS_END - ERROR_IPSEC_IKE_NEG_STATUS_BEGIN)
// Various statistics specific to the keying module (IKE or Authip) and
// specific to the IP version
typedef struct IKEEXT_IP_VERSION_SPECIFIC_KEYMODULE_STATISTICS0_
{
// Following statistics are Main Mode specific
// Current number of active Main Mode SAs
UINT32 currentActiveMainModes;
// Total number of Main Mode negotiations.
UINT32 totalMainModesStarted;
// Total number of successful Main Mode negotiations
UINT32 totalSuccessfulMainModes;
// Total number of failed Main Mode negotiations
UINT32 totalFailedMainModes;
// Total number of Main Mode negotiations that were externally intiated by
// a peer (responder)
UINT32 totalResponderMainModes;
// Current number of newly created responder Main Modes that are still in
// the initial state.
UINT32 currentNewResponderMainModes;
// Following statistics are Quick Mode specific
// Current number of active Quick Mode SAs
UINT32 currentActiveQuickModes;
// Total number of Quick Mode negotiations.
UINT32 totalQuickModesStarted;
// Total number of successful Quick Mode negotiations
UINT32 totalSuccessfulQuickModes;
// Total number of failed Quick Mode negotiations
UINT32 totalFailedQuickModes;
// Total number of acquires received from BFE.
UINT32 totalAcquires;
// Total number of acquires that were internally reinitiated.
UINT32 totalReinitAcquires;
// Following statistics are applicable only to Authip
// Current number of active extended mode SAs
UINT32 currentActiveExtendedModes;
// Total number of extended mode negotiations.
UINT32 totalExtendedModesStarted;
// Total number of successful extended mode negotiations.
UINT32 totalSuccessfulExtendedModes;
// Total number of failed extended mode negotiations.
UINT32 totalFailedExtendedModes;
// Total number of successful extended mode negotiations that used
// impersonation
UINT32 totalImpersonationExtendedModes;
// Total number of successful Main Mode negotiations that used impersonation
UINT32 totalImpersonationMainModes;
} IKEEXT_IP_VERSION_SPECIFIC_KEYMODULE_STATISTICS0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Various statistics specific to the keying module (IKE,Authip and IkeV2) and
// specific to the IP version
typedef struct IKEEXT_IP_VERSION_SPECIFIC_KEYMODULE_STATISTICS1_
{
// Following statistics are Main Mode specific
// Current number of active Main Mode SAs
UINT32 currentActiveMainModes;
// Total number of Main Mode negotiations.
UINT32 totalMainModesStarted;
// Total number of successful Main Mode negotiations
UINT32 totalSuccessfulMainModes;
// Total number of failed Main Mode negotiations
UINT32 totalFailedMainModes;
// Total number of Main Mode negotiations that were externally intiated by
// a peer (responder)
UINT32 totalResponderMainModes;
// Current number of newly created responder Main Modes that are still in
// the initial state.
UINT32 currentNewResponderMainModes;
// Following statistics are Quick Mode specific
// Current number of active Quick Mode SAs
UINT32 currentActiveQuickModes;
// Total number of Quick Mode negotiations.
UINT32 totalQuickModesStarted;
// Total number of successful Quick Mode negotiations
UINT32 totalSuccessfulQuickModes;
// Total number of failed Quick Mode negotiations
UINT32 totalFailedQuickModes;
// Total number of acquires received from BFE.
UINT32 totalAcquires;
// Total number of acquires that were internally reinitiated.
UINT32 totalReinitAcquires;
// Following statistics are applicable only to Authip
// Current number of active extended mode SAs
UINT32 currentActiveExtendedModes;
// Total number of extended mode negotiations.
UINT32 totalExtendedModesStarted;
// Total number of successful extended mode negotiations.
UINT32 totalSuccessfulExtendedModes;
// Total number of failed extended mode negotiations.
UINT32 totalFailedExtendedModes;
// Total number of successful extended mode negotiations that used
// impersonation
UINT32 totalImpersonationExtendedModes;
// Total number of successful Main Mode negotiations that used impersonation
UINT32 totalImpersonationMainModes;
} IKEEXT_IP_VERSION_SPECIFIC_KEYMODULE_STATISTICS1;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
// Various statistics specific to the keying module (IKE or Authip)
typedef struct IKEEXT_KEYMODULE_STATISTICS0_
{
// IPv4 specific statistics
IKEEXT_IP_VERSION_SPECIFIC_KEYMODULE_STATISTICS0 v4Statistics;
// IPv6 specific statistics
IKEEXT_IP_VERSION_SPECIFIC_KEYMODULE_STATISTICS0 v6Statistics;
// Table containing the frequencies of various IKE Win32 error codes
// (ranging from ERROR_IPSEC_IKE_NEG_STATUS_BEGIN to
// ERROR_IPSEC_IKE_NEG_STATUS_END) encountered during negotiations.
UINT32 errorFrequencyTable[IKEEXT_ERROR_CODE_COUNT];
// Current Main Mode negotiation time (in msecs)
UINT32 mainModeNegotiationTime;
// Current Quick Mode negotiation time (in msecs)
UINT32 quickModeNegotiationTime;
// Current extended mode negotiation time (in msecs) (applicable to Authip
// only)
UINT32 extendedModeNegotiationTime;
} IKEEXT_KEYMODULE_STATISTICS0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Various statistics specific to the keying module (IKE, Authip or IkeV2)
typedef struct IKEEXT_KEYMODULE_STATISTICS1_
{
// IPv4 specific statistics
IKEEXT_IP_VERSION_SPECIFIC_KEYMODULE_STATISTICS1 v4Statistics;
// IPv6 specific statistics
IKEEXT_IP_VERSION_SPECIFIC_KEYMODULE_STATISTICS1 v6Statistics;
// Table containing the frequencies of various IKE Win32 error codes
// (ranging from ERROR_IPSEC_IKE_NEG_STATUS_BEGIN to
// ERROR_IPSEC_IKE_NEG_STATUS_END) encountered during negotiations.
UINT32 errorFrequencyTable[IKEEXT_ERROR_CODE_COUNT];
// Current Main Mode negotiation time (in msecs)
UINT32 mainModeNegotiationTime;
// Current Quick Mode negotiation time (in msecs)
UINT32 quickModeNegotiationTime;
// Current extended mode negotiation time (in msecs) (applicable to Authip
// only)
UINT32 extendedModeNegotiationTime;
} IKEEXT_KEYMODULE_STATISTICS1;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
// Various statistics common to IKE and Authip and specific to the protocol
// (IPv4 or IPv6)
typedef struct IKEEXT_IP_VERSION_SPECIFIC_COMMON_STATISTICS0_
{
// Total number of UDP 500/4500 socket receive failures.
UINT32 totalSocketReceiveFailures;
// Total number of UDP 500/4500 socket send failures.
UINT32 totalSocketSendFailures;
} IKEEXT_IP_VERSION_SPECIFIC_COMMON_STATISTICS0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Various statistics common to IKE ,Authip and IkeV1 specific to the protocol
// (IPv4 or IPv6)
typedef struct IKEEXT_IP_VERSION_SPECIFIC_COMMON_STATISTICS1_
{
// Total number of UDP 500/4500 socket receive failures.
UINT32 totalSocketReceiveFailures;
// Total number of UDP 500/4500 socket send failures.
UINT32 totalSocketSendFailures;
} IKEEXT_IP_VERSION_SPECIFIC_COMMON_STATISTICS1;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
// Various statistics common to IKE and Authip.
typedef struct IKEEXT_COMMON_STATISTICS0_
{
// IPv4 specific common statistics
IKEEXT_IP_VERSION_SPECIFIC_COMMON_STATISTICS0 v4Statistics;
// IPv6 specific common statistics
IKEEXT_IP_VERSION_SPECIFIC_COMMON_STATISTICS0 v6Statistics;
// Total number of packets received.
UINT32 totalPacketsReceived;
// Total number of invalid packets received.
UINT32 totalInvalidPacketsReceived;
// Current number of workitems that are queued and waiting to be processed.
UINT32 currentQueuedWorkitems;
} IKEEXT_COMMON_STATISTICS0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Various statistics common to IKE ,Authip and IkeV2.
typedef struct IKEEXT_COMMON_STATISTICS1_
{
// IPv4 specific common statistics
IKEEXT_IP_VERSION_SPECIFIC_COMMON_STATISTICS1 v4Statistics;
// IPv6 specific common statistics
IKEEXT_IP_VERSION_SPECIFIC_COMMON_STATISTICS1 v6Statistics;
// Total number of packets received.
UINT32 totalPacketsReceived;
// Total number of invalid packets received.
UINT32 totalInvalidPacketsReceived;
// Current number of workitems that are queued and waiting to be processed.
UINT32 currentQueuedWorkitems;
} IKEEXT_COMMON_STATISTICS1;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
// Various statistics for IKE and Authip together
typedef struct IKEEXT_STATISTICS0_
{
// Statistics specific to IKE
IKEEXT_KEYMODULE_STATISTICS0 ikeStatistics;
// Statistics specific to Authip
IKEEXT_KEYMODULE_STATISTICS0 authipStatistics;
// Statistics common to IKE and Authip
IKEEXT_COMMON_STATISTICS0 commonStatistics;
} IKEEXT_STATISTICS0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Various statistics for IKE ,Authip and IkeV2 together
typedef struct IKEEXT_STATISTICS1_
{
// Statistics specific to IKE
IKEEXT_KEYMODULE_STATISTICS1 ikeStatistics;
// Statistics specific to Authip
IKEEXT_KEYMODULE_STATISTICS1 authipStatistics;
// Statistics specific to IkeV2
IKEEXT_KEYMODULE_STATISTICS1 ikeV2Statistics;
// Statistics common to IKE and Authip
IKEEXT_COMMON_STATISTICS1 commonStatistics;
} IKEEXT_STATISTICS1;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
///////////////////////////////////////////////////////////////////////////////
//
// Definitions for retrieving IKE SA details.
//
///////////////////////////////////////////////////////////////////////////////
// Type describing the IKE/Authip traffic
typedef struct IKEEXT_TRAFFIC0_
{
// IP version
FWP_IP_VERSION ipVersion;
// Tagged union containing the local address of the traffic
[switch_type(FWP_IP_VERSION), switch_is(ipVersion)] union
{
[case(FWP_IP_VERSION_V4)]
UINT32 localV4Address;
[case(FWP_IP_VERSION_V6)]
UINT8 localV6Address[16];
};
// Tagged union containing the remote address of the traffic
[switch_type(FWP_IP_VERSION), switch_is(ipVersion)] union
{
[case(FWP_IP_VERSION_V4)]
UINT32 remoteV4Address;
[case(FWP_IP_VERSION_V6)]
UINT8 remoteV6Address[16];
};
// Filter ID from QM policy of matching EM filter
// FWPM_LAYER_IPSEC_XX
UINT64 authIpFilterId;
} IKEEXT_TRAFFIC0;
// Type used to store an IKE/Authip cookie
typedef UINT64 IKEEXT_COOKIE;
// Type used to store a pair of IKE/Authip cookies
typedef struct IKEEXT_COOKIE_PAIR0_
{
// Initiator cookie
IKEEXT_COOKIE initiator;
// Responder cookie
IKEEXT_COOKIE responder;
} IKEEXT_COOKIE_PAIR0;
// Certificate is a NAP (health) certificate
cpp_quote("#define IKEEXT_CERT_CREDENTIAL_FLAG_NAP_CERT (0x00000001)")
// Type used to store credential information specific to certificate
// authentication
typedef struct IKEEXT_CERTIFICATE_CREDENTIAL0_
{
// Encoded subject name of the certificate used for authentication
FWP_BYTE_BLOB subjectName;
// SHA thumbprint of the certificate
FWP_BYTE_BLOB certHash;
// Flags
UINT32 flags;
} IKEEXT_CERTIFICATE_CREDENTIAL0;
// Type used to store credential name information
typedef struct IKEEXT_NAME_CREDENTIAL0_
{
// Name of the principal
[string, ref] wchar_t* principalName;
} IKEEXT_NAME_CREDENTIAL0;
// Type used to store credential information used for the authentication
typedef struct IKEEXT_CREDENTIAL0_
{
// Type of authentication method
IKEEXT_AUTHENTICATION_METHOD_TYPE authenticationMethodType;
// Tagged union containing credential information specific to the
// authentication method type.
// Type of impersonation.
IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE impersonationType;
[switch_type(IKEEXT_AUTHENTICATION_METHOD_TYPE),
switch_is(authenticationMethodType)] union
{
[case(IKEEXT_PRESHARED_KEY)]
[unique] IKEEXT_PRESHARED_KEY_AUTHENTICATION0* presharedKey;
[case(IKEEXT_CERTIFICATE,
IKEEXT_CERTIFICATE_ECDSA_P256,
IKEEXT_CERTIFICATE_ECDSA_P384,
IKEEXT_SSL,
IKEEXT_SSL_ECDSA_P256,
IKEEXT_SSL_ECDSA_P384,
IKEEXT_IPV6_CGA
)]
[unique] IKEEXT_CERTIFICATE_CREDENTIAL0* certificate;
[case(IKEEXT_KERBEROS,
IKEEXT_EAP,
IKEEXT_NTLM_V2)]
[unique] IKEEXT_NAME_CREDENTIAL0* name;
[case(IKEEXT_ANONYMOUS)];
};
} IKEEXT_CREDENTIAL0;
// Type used to store credential information used for the authentication
typedef struct IKEEXT_CREDENTIAL_PAIR0_
{
// Local credentials used for authentication
IKEEXT_CREDENTIAL0 localCredentials;
// Peer credentials used for authentication
IKEEXT_CREDENTIAL0 peerCredentials;
} IKEEXT_CREDENTIAL_PAIR0;
// Used to store multiple credential pairs. IKE has only 1 pair. AuthIp
// will have 1 or 2. IKEv2 can also have 1 or 2 (depending on if EAP was
// enabled). The MM auth is always index 0. EM auth, if it occurs is index 1.
typedef struct IKEEXT_CREDENTIALS0_
{
UINT32 numCredentials;
[size_is(numCredentials), ref] IKEEXT_CREDENTIAL_PAIR0* credentials;
} IKEEXT_CREDENTIALS0;
// Type used to store information returned when enumerating IKE, Authip SAs.
typedef struct IKEEXT_SA_DETAILS0_
{
// LUID identifying the SA.
UINT64 saId;
// Key module type
IKEEXT_KEY_MODULE_TYPE keyModuleType;
// IP version
FWP_IP_VERSION ipVersion;
// If a NAT was detected, this stores the UDP ports corresponding to the
// main mode.
[switch_type(FWP_IP_VERSION), switch_is(ipVersion)] union
{
[case(FWP_IP_VERSION_V4)]
[unique] IPSEC_V4_UDP_ENCAPSULATION0* v4UdpEncapsulation;
[case(FWP_IP_VERSION_V6)];
};
// The traffic corresponding to this SA
IKEEXT_TRAFFIC0 ikeTraffic;
// The main mode proposal corresponding to this SA
IKEEXT_PROPOSAL0 ikeProposal;
// SA cookies
IKEEXT_COOKIE_PAIR0 cookiePair;
// Credential information for the SA
IKEEXT_CREDENTIALS0 ikeCredentials;
// GUID of the main mode policy provider context corresponding to this SA.
GUID ikePolicyKey;
// ID/Handle to virtual interface tunneling state. Currently this is specific
// to IKEv2.
UINT64 virtualIfTunnelId;
} IKEEXT_SA_DETAILS0;
cpp_quote("#if (NTDDI_VERSION >= NTDDI_WIN7)")
// Type used to store credential information specific to certificate
// authentication
typedef struct IKEEXT_CERTIFICATE_CREDENTIAL1_
{
// Encoded subject name of the certificate used for authentication
FWP_BYTE_BLOB subjectName;
// SHA thumbprint of the certificate
FWP_BYTE_BLOB certHash;
// Flags
UINT32 flags;
// Encoded certificate
FWP_BYTE_BLOB certificate;
} IKEEXT_CERTIFICATE_CREDENTIAL1;
// Type used to store credential information used for the authentication
typedef struct IKEEXT_CREDENTIAL1_
{
// Type of authentication method
IKEEXT_AUTHENTICATION_METHOD_TYPE authenticationMethodType;
// Tagged union containing credential information specific to the
// authentication method type.
// Type of impersonation.
IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE impersonationType;
[switch_type(IKEEXT_AUTHENTICATION_METHOD_TYPE),
switch_is(authenticationMethodType)] union
{
[case(IKEEXT_PRESHARED_KEY)]
[unique] IKEEXT_PRESHARED_KEY_AUTHENTICATION1* presharedKey;
[case(IKEEXT_CERTIFICATE,
IKEEXT_CERTIFICATE_ECDSA_P256,
IKEEXT_CERTIFICATE_ECDSA_P384,
IKEEXT_SSL,
IKEEXT_SSL_ECDSA_P256,
IKEEXT_SSL_ECDSA_P384,
IKEEXT_IPV6_CGA
)]
[unique] IKEEXT_CERTIFICATE_CREDENTIAL1* certificate;
[case(IKEEXT_KERBEROS,
IKEEXT_EAP,
IKEEXT_NTLM_V2)]
[unique] IKEEXT_NAME_CREDENTIAL0* name;
[case(IKEEXT_ANONYMOUS)];
};
} IKEEXT_CREDENTIAL1;
// Type used to store credential information used for the authentication
typedef struct IKEEXT_CREDENTIAL_PAIR1_
{
// Local credentials used for authentication
IKEEXT_CREDENTIAL1 localCredentials;
// Peer credentials used for authentication
IKEEXT_CREDENTIAL1 peerCredentials;
} IKEEXT_CREDENTIAL_PAIR1;
// Used to store multiple credential pairs. IKE has only 1 pair. AuthIp
// will have 1 or 2. IKEv2 can also have 1 or 2 (depending on if EAP was
// enabled). The MM auth is always index 0. EM auth, if it occurs is index 1.
typedef struct IKEEXT_CREDENTIALS1_
{
UINT32 numCredentials;
[size_is(numCredentials), ref] IKEEXT_CREDENTIAL_PAIR1* credentials;
} IKEEXT_CREDENTIALS1;
// Type used to store information returned when enumerating IKE, Authip SAs.
typedef struct IKEEXT_SA_DETAILS1_
{
// LUID identifying the SA.
UINT64 saId;
// Key module type
IKEEXT_KEY_MODULE_TYPE keyModuleType;
// IP version
FWP_IP_VERSION ipVersion;
// If a NAT was detected, this stores the UDP ports corresponding to the
// main mode.
[switch_type(FWP_IP_VERSION), switch_is(ipVersion)] union
{
[case(FWP_IP_VERSION_V4)]
[unique] IPSEC_V4_UDP_ENCAPSULATION0* v4UdpEncapsulation;
[case(FWP_IP_VERSION_V6)];
};
// The traffic corresponding to this SA
IKEEXT_TRAFFIC0 ikeTraffic;
// The main mode proposal corresponding to this SA
IKEEXT_PROPOSAL0 ikeProposal;
// SA cookies
IKEEXT_COOKIE_PAIR0 cookiePair;
// Credential information for the SA
IKEEXT_CREDENTIALS1 ikeCredentials;
// GUID of the main mode policy provider context corresponding to this SA.
GUID ikePolicyKey;
// ID/Handle to virtual interface tunneling state. Currently this is specific
// to IKEv2.
UINT64 virtualIfTunnelId;
// Key derived from authentications so external apps can cryptographically bind
// their exchanges with the this SA
FWP_BYTE_BLOB correlationKey;
} IKEEXT_SA_DETAILS1;
cpp_quote("#endif // (NTDDI_VERSION >= NTDDI_WIN7)")
// Enumeration template used for enumerating IKE SAs
typedef struct IKEEXT_SA_ENUM_TEMPLATE0_
{
// If not empty, only SAs whose local address is on the specified subnet
// will be returned. May be of type FWP_UINT32, FWP_BYTE_ARRAY16_TYPE,
// FWP_V4_ADDR_MASK, or FWP_V6_ADDR_MASK.
FWP_CONDITION_VALUE0 localSubNet;
// If not empty, only SAs whose remote address is on the specified subnet
// will be returned. May be of type FWP_UINT32, FWP_BYTE_ARRAY16_TYPE,
// FWP_V4_ADDR_MASK, or FWP_V6_ADDR_MASK.
FWP_CONDITION_VALUE0 remoteSubNet;
// If not zero-length, only SAs with a matching local main mode SHA
// thumbprint will be returned.
FWP_BYTE_BLOB localMainModeCertHash;
} IKEEXT_SA_ENUM_TEMPLATE0;
// IKE main mode states
typedef [v1_enum] enum IKEEXT_MM_SA_STATE_
{
// Initial state. No MM packets have been sent to the peer yet.
IKEEXT_MM_SA_STATE_NONE,
// First roundtrip packet has been sent to the peer.
IKEEXT_MM_SA_STATE_SA_SENT,
// Second roundtrip packet has been sent to the peer, for SSPI auth.
IKEEXT_MM_SA_STATE_SSPI_SENT,
// Second roundtrip packet has been sent to the peer.
IKEEXT_MM_SA_STATE_FINAL,
// Final roundtrip packet has been sent to the peer.
IKEEXT_MM_SA_STATE_FINAL_SENT,
// MM has been completed.
IKEEXT_MM_SA_STATE_COMPLETE,
// Invalid value.
IKEEXT_MM_SA_STATE_MAX
} IKEEXT_MM_SA_STATE;
// IKE quick mode states
typedef [v1_enum] enum IKEEXT_QM_SA_STATE_
{
// Initial state. No QM packets have been sent to the peer yet.
IKEEXT_QM_SA_STATE_NONE,
// State corresponding to the first QM roundtrip
IKEEXT_QM_SA_STATE_INITIAL,
// State corresponding to the final QM roundtrip
IKEEXT_QM_SA_STATE_FINAL,
// QM has been completed.
IKEEXT_QM_SA_STATE_COMPLETE,
// Invalid value.
IKEEXT_QM_SA_STATE_MAX
} IKEEXT_QM_SA_STATE;
// IKE extended mode states
typedef [v1_enum] enum IKEEXT_EM_SA_STATE_
{
// Initial state. No EM packets have been sent to the peer yet.
IKEEXT_EM_SA_STATE_NONE,
// State corresponding to the first EM roundtrip
IKEEXT_EM_SA_STATE_SENT_ATTS,
// State corresponding to the second EM roundtrip
IKEEXT_EM_SA_STATE_SSPI_SENT,
// State corresponding to the final EM roundtrip
IKEEXT_EM_SA_STATE_AUTH_COMPLETE,
// State corresponding to the final EM roundtrip
IKEEXT_EM_SA_STATE_FINAL,
// EM has been completed
IKEEXT_EM_SA_STATE_COMPLETE,
// Invalid value.
IKEEXT_EM_SA_STATE_MAX
} IKEEXT_EM_SA_STATE;
// IKE main mode or quick mode SA role
typedef [v1_enum] enum IKEEXT_SA_ROLE_
{
// SA is initiator
IKEEXT_SA_ROLE_INITIATOR,
// SA is responder
IKEEXT_SA_ROLE_RESPONDER,
// Invalid value.
IKEEXT_SA_ROLE_MAX
} IKEEXT_SA_ROLE;
cpp_quote("#if _MSC_VER >= 800")
cpp_quote("#if _MSC_VER >= 1200")
cpp_quote("#pragma warning(pop)")
cpp_quote("#else")
cpp_quote("#pragma warning(default:4201)")
cpp_quote("#endif")
cpp_quote("#endif")
Reference in New Issue View Git Blame Copy Permalink