vpnengine/ikev1lib/src/ikev1negotiation.cpp
author Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
Mon, 18 Jan 2010 21:14:04 +0200
changeset 2 ef893827b4d1
parent 0 33413c0669b9
child 12 68dc8923de26
child 17 8962128a2656
permissions -rw-r--r--
Revision: 201001 Kit: 201003

/*
* Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies).
* All rights reserved.
* This component and the accompanying materials are made available
* under the terms of "Eclipse Public License v1.0"
* which accompanies this distribution, and is available
* at the URL "http://www.eclipse.org/legal/epl-v10.html".
*
* Initial Contributors:
* Nokia Corporation - initial contribution.
*
* Contributors:
*
* Description:   IKEv1/IPSEC SA negotiation 
*
*/

#include <x509cert.h>
#include <x500dn.h>
#include <random.h>
#include <vpnlogmessages.rsg>

#include "ikev1negotiation.h"
#include "ikedebug.h"
#include "ikev1isakmpstream.h"
#include "ikev1timeout.h"
#include "ikev1payload.h"
#include "ikev1plugin.h"
#include "ikev1crack.h"
#include "ikev1trans.h"
#include "ipsecsadata.h"
#include "ipsecsalifetime.h"
#include "pfkeymsg.h"
#include "kmdapi.h"
#include "ikev1pkiservice.h"
#include "ikev1crypto.h"
#include "ikev1natdiscovery.h"
#include "ikev1private.h"
#include "vpnapidefs.h"
#include "ikepkiutils.h"
#include "vpnclientuids.h"
#include "ikecalist.h"
#include "ikecaelem.h"
#include "ikecert.h"
#include "ikev1pluginsession.h"
#include "ikesocketdefs.h"
#include "kmdeventloggerif.h"
#include "pfkeyextdatautil.h"
#include "ipsecsalist.h"

const TInt KSubjectName              = 1;

/////////////////////////////////////////////////////////////////////////////////
// CIkev1Negotiation related stuff
/////////////////////////////////////////////////////////////////////////////////


//
//Proto negotiation to send a informational payload and be destroyed
//
CIkev1Negotiation* CIkev1Negotiation::NewL( CIkev1PluginSession* aPluginSession,
                                            CPFKeySocketIf& aPFKeySocketIf,
                                            MIkeDebug& aDebug,
                                            const TInetAddr& aRemote,
                                            const TCookie& aInitiator,
                                            const TCookie& aResponder )
    {   	
	CIkev1Negotiation* self = new ( ELeave ) CIkev1Negotiation( aPluginSession,
                                                                aPFKeySocketIf,
                                                                aDebug );
	CleanupStack::PushL( self );
	self->iRemoteAddr = aRemote;
	self->iCookie_I = aInitiator;
	self->iCookie_R = aResponder;     
	self->iExchange = ISAKMP_EXCHANGE_INFO;   
	self->iDOI = IPSEC_DOI;
	self->iTimer = CIkev1Timeout::NewL( *self );	
	CleanupStack::Pop( self );	
	return self;
    }

CIkev1Negotiation* CIkev1Negotiation::NewL( CIkev1PluginSession* aPluginSession,
                                            CPFKeySocketIf& aPFKeySocketIf,
                                            MIkeDebug& aDebug,
                                            const TInetAddr& aRemote,
                                            const TCookie& aInitiator,
                                            TBool aAutoLogin ) 
    {
	CIkev1Negotiation* self = new ( ELeave ) CIkev1Negotiation( aPluginSession,
                                                                aPFKeySocketIf,
	                                                            aDebug,
	                                                            aRemote,
	                                                            aInitiator );
	CleanupStack::PushL( self );
    self->ConstructL( aAutoLogin );
    CleanupStack::Pop( self );
	return self;
    }

CIkev1Negotiation* CIkev1Negotiation::NewL( CIkev1PluginSession* aPluginSession,
                                            CPFKeySocketIf& aPFKeySocketIf,
                                            MIkeDebug& aDebug,
                                            TIkev1SAData* aIkev1SAdata,
                                            TUint aRole,
                                            const TPfkeyMessage *aReq )
    {
    CIkev1Negotiation* self = new ( ELeave ) CIkev1Negotiation( aPluginSession,
                                                                aPFKeySocketIf,
                                                                aDebug );
    CleanupStack::PushL( self );
    self->ConstructL( aIkev1SAdata, aRole, aReq );
    CleanupStack::Pop( self );
    return self;
    }


CIkev1Negotiation* CIkev1Negotiation::NewL( CIkev1PluginSession* aPluginSession,
                                            CPFKeySocketIf& aPFKeySocketIf,
                                            MIkeDebug& aDebug,
                                            const TInetAddr& aRemote,
                                            TBool aAutoLogin ) 
    {
	CIkev1Negotiation* self = new ( ELeave ) CIkev1Negotiation( aPluginSession,
                                                                aPFKeySocketIf,
	                                                            aDebug,
	                                                            aRemote );
	CleanupStack::PushL( self );
    self->iCookie_I = self->CreateCookieL();
    self->ConstructL( aAutoLogin );
    CleanupStack::Pop( self );
	return self;
    }

CIkev1Negotiation* CIkev1Negotiation::NewL( CIkev1PluginSession* aPluginSession,
                                            CPFKeySocketIf& aPFKeySocketIf,
                                            MIkeDebug& aDebug,
                                            const TInetAddr& aRemote,
                                            const TPfkeyMessage& aReq )
    {    
    CIkev1Negotiation* self = new (  ELeave ) CIkev1Negotiation( aPluginSession,
                                                                 aPFKeySocketIf,
                                                                 aDebug,
                                                                 aRemote );
    CleanupStack::PushL( self );
    self->iCookie_I = self->CreateCookieL();
    self->ConstructL( aReq );
    CleanupStack::Pop( self );
    return self;
    }

//
// Destructor
//
CIkev1Negotiation::~CIkev1Negotiation()
    {
    DEBUG_LOG1( _L("CIkev1Negotiation::~CIkev1Negotiation this=0x%x"), this );
    
    
    if ( iRole == INITIATOR &&
         iAcquirePending )
        {
        // Response with error to pending Acquire.
        AcquireSAErrorResponse( KKmdIkeNegotFailed );
        }
    
    delete iIpsecSaSpiRetriever;
    delete iSavedIkeMsgBfr;
    
    if( iPluginSession )
        { 		
	    iPluginSession->RemoveNegotiation( this );  
        }
		
    iCookie_I.FillZ(ISAKMP_COOKIE_SIZE);
    
    if(iTimer)
        {
        iTimer->Cancel();
        delete iTimer;
        }

    delete iOwnCert;
    delete iPeerX509Cert;
    delete iPeerTrustedCA;  // Peer trusted CA name 
    delete iICA1;
    delete iICA2;

    delete iPkiService;     // Trusted CA certificate list

    delete iSAPayload;
    delete iPeerIdentPayload;
    delete iOwnIdentPayload;
    
    //Keys
    delete iOwnKeys;        //structure containing the public and private keys
    delete iOwnPublicKey;   //Public Key

    //Phase_I Proposal
    TAttrib *attr;
    while ((attr = iProposal_I.iAttrList) != NULL)
    {
        iProposal_I.iAttrList = attr->iNext;
        delete attr;
    }

    delete iChosenProposal_I.iAttrList; //Only one transformation chosen

    //Phase_II proposals (include transformations)
    delete iProposal_IIList;

    //Phase_II chosen Proposal
    delete iChosenProp_IIList;
    delete iInboundSPIList;
    delete iCRACKneg;
    delete iTransactionNeg; // Transaction exchange 
    delete iInternalAddr;
    delete iNatDiscovery;
	delete iSARekeyInfo;
	delete iLastMsg;
}


//
// CIkev1Negotiation
//  Constructor for remote initiated negotiation
//
CIkev1Negotiation::CIkev1Negotiation( CIkev1PluginSession* aPluginSession,
                                      CPFKeySocketIf& aPFKeySocketIf,
                                      MIkeDebug& aDebug,
                                      const TInetAddr& aRemote,
                                      const TCookie& aInitiator )
 : iCookie_I( aInitiator ),
   iRemoteAddr( aRemote ),
   iPluginSession( aPluginSession ),
   iPFKeySocketIf( aPFKeySocketIf ),
   iDebug( aDebug )
{

    DEBUG_LOG1( _L("CIkev1Negotiation::CIkev1Negotiation, RESPONDER this=0x%x"), this );
    iCookie_R.FillZ(ISAKMP_COOKIE_SIZE);
    iSAId = iPluginSession->GetSAId();
    iPluginSession->LinkNegotiation(this);         
    iRole = RESPONDER;
    iStage = 1; //next phase for the responder is 2
}

//
//  Constructor for local initiated negotiation
//

CIkev1Negotiation::CIkev1Negotiation( CIkev1PluginSession* aPluginSession,
                                      CPFKeySocketIf& aPFKeySocketIf,
                                      MIkeDebug& aDebug,
                                      const TInetAddr& aRemote )
 : iRemoteAddr( aRemote ),
   iPluginSession( aPluginSession ),
   iPFKeySocketIf( aPFKeySocketIf ),
   iDebug( aDebug )
{
    DEBUG_LOG1( _L("CIkev1Negotiation::CIkev1Negotiation, INITIATOR this=0x%x"), this );
    iCookie_I.FillZ(ISAKMP_COOKIE_SIZE);
    iCookie_R.FillZ(ISAKMP_COOKIE_SIZE);
    iSAId = iPluginSession->GetSAId();
    iPluginSession->LinkNegotiation(this);     
    iRole = INITIATOR;
    iStage = 0;
}

//
//  Constructor for Phase II initiated negotiations
//

CIkev1Negotiation::CIkev1Negotiation( CIkev1PluginSession* aPluginSession,
                                      CPFKeySocketIf& aPFKeySocketIf,
                                      MIkeDebug& aDebug )
 : iPluginSession( aPluginSession ),
   iPFKeySocketIf( aPFKeySocketIf ),
   iDebug( aDebug )
{ 
    DEBUG_LOG1( _L("CIkev1Negotiation::CIkev1Negotiation, this=0x%x"), this );
    iCookie_I.FillZ(ISAKMP_COOKIE_SIZE);
    iCookie_R.FillZ(ISAKMP_COOKIE_SIZE);    
    iSAId = iPluginSession->GetSAId();
    iPluginSession->LinkNegotiation(this); 
}

//Used when creating a negotiation as a RESPONDER!
//Used also when Initiator (= Phase 1 negotiation stated by the policy activation)
//Leaves if error detected
void CIkev1Negotiation::ConstructL(TBool aAutoLogin)
{
    iIpsecSaSpiRetriever = CIpsecSaSpiRetriever::NewL( *this,
                                                       iPFKeySocketIf );

    iAutoLogin = aAutoLogin;
    CommonConstructL();
}


//Used when an Acquire is received
//Leaves if error detected
void CIkev1Negotiation::ConstructL(const TPfkeyMessage &aReq)
{
    iIpsecSaSpiRetriever = CIpsecSaSpiRetriever::NewL( *this,
                                                       iPFKeySocketIf );

    CommonConstructL();     
    GetAcquireDataL(aReq);
}

//Used when initiating a new Phase II negotiation from a negotiated ISAKMP SA.
void CIkev1Negotiation::ConstructL( TIkev1SAData* aSA,
                                    TUint aRole,
                                    const TPfkeyMessage *aReq )
{

    iIpsecSaSpiRetriever = CIpsecSaSpiRetriever::NewL( *this,
                                                       iPFKeySocketIf );

    iPhase = PHASE_II;

    //Almost like common construct
    iTimer = CIkev1Timeout::NewL(*this);    

    //Phase II proposal lists
    iProposal_IIList = new (ELeave) CProposal_IIList(1);

    iRemoteAddr.SetPort(IKE_PORT);

    iSeq = aSA->iSeq;
    iLocalAddr  = aSA->iLocalAddr;
    iRemoteAddr = aSA->iRemoteAddr;         // Remote Address from peer
    iLastRemoteAddr = aSA->iDestinAddr;     // Remote Address last transmitted
    
    iLastIKEMsgInfo = aSA->iLastIKEMsgInfo;
    iLastMsg = HBufC8::NewL(4096);
    if ( aSA->iLastMsg != NULL )
        {        
        *iLastMsg = *aSA->iLastMsg;        
        }
    
    iRole = aRole;          // If we are initiator or responder

    //Header Data
    iCookie_I = aSA->iCookie_I; // Initiator Cookie (Used with responder to create KEYID)
    iCookie_R = aSA->iCookie_R; // Responder Cookie
    iPrevExchange = aSA->iPrevExchange;
    iExchange = IKE_QUICK_MODE;

    iMessageId = RandomMessageId();

    iFlags = aSA->iFlags;           // Flags in the msg header
    
//  iNotifyMessageId = aSA->iHdr.iNotifyMessageId;   // Message Id. for Informational Exchanges

    //SA Data
    iDOI = IPSEC_DOI;
    
    iChosenProposal_I.iProtocol = PROTO_ISAKMP;
    iChosenProposal_I.iProposalNum = 0;
//    iChosenProposal_I.iSPI.Copy(aSA->iChosenProposal_I.iSPI);
    iChosenProposal_I.iNumTransforms = 1;
    iChosenProposal_I.iAttrList = new (ELeave) TAttrib; //allocated now and deleted when destroying the obj
//  *iChosenProposal_I.iAttrList = *aSA->iChosenProposal_I.iAttrList;
    iChosenProposal_I.iAttrList->iEncrAlg = aSA->iEncrAlg;
    iChosenProposal_I.iAttrList->iHashAlg = aSA->iHashAlg;
    iChosenProposal_I.iAttrList->iGroupDesc = aSA->iGroupDesc;
    iChosenProposal_I.iAttrList->iGroupType = aSA->iGroupType;
    iChosenProposal_I.iAttrList->iKeyLength = aSA->iKeyLength;  
    if ( aSA->iLifeTimeSecs )
       iChosenProposal_I.iAttrList->iLifeDurationSecs.Copy((TUint8 *)&aSA->iLifeTimeSecs, sizeof(TUint32)); 
    if ( aSA->iLifeTimeKB )
        iChosenProposal_I.iAttrList->iLifeDurationKBytes.Copy((TUint8 *)&aSA->iLifeTimeKB, sizeof(TUint32));    

 
    iHostData = aSA->iIkeData;
    if ( iHostData->iCAList && iHostData->iCAList->Count() )
    {
        iPkiService = CIkeV1PkiService::NewL(iHostData, iDebug);                                           
    }   
    
    if (aRole == INITIATOR)
    {
        GetAcquireDataL(*aReq); //Data needed from the acquire
    }
    else    //RESPONDER 
    {
        iAcquireSeq = 1;        //msg Seq. number
    }

    //
    //NAT Traversal data
    //
    iFamiliarPeer   = aSA->iFamiliarPeer;
    iNAT_T_Required = aSA->iNAT_T_Required;
    
    //
    //Copy an Internal address object (if exists) to the new negotiation 
    //
    if ( aSA->iVirtualIp )
    {
       iInternalAddr = CInternalAddress::NewL(*(aSA->iVirtualIp));    
    }

    iNAT_D_Flags  = aSA->iNAT_D_Flags;  
    if ( iNAT_D_Flags ) {
       //
       // Use IETF specified NAT traversal
       //
       iNatDiscovery = CIkev1NatDiscovery::NewL(aSA->iNAT_D_Flags);
    }
    
    //Keys  (DH Generated public value when own)
    iSKEYID.Copy(aSA->iSKEYID);
    iSKEYID_d.Copy(aSA->iSKEYID_d);
    iSKEYID_a.Copy(aSA->iSKEYID_a);
    iSKEYID_e.Copy(aSA->iSKEYID_e);
    
    //IV used by des_cbc and des3_cbc is 8 but digest returns 16 bytes for MDx and 20 for SHS (first 8 used)
    iIV = aSA->iIV;     //normal IV
    iIVSize = iIV.Length(); 

    iLastIV = aSA->iLastIV; //Saves the last IV of PHASE_I to compute iNotifIV everytime

    //Nonces
//    iNONCE_I = aSA->iNONCE_I;
//    iNONCE_R = aSA->iNONCE_R;
    //
    // If the ISAKMP SA (=aSA) has been originally negotiated due the policy activation (iAutoLogin = ETrue)
    // The iLocalAddr maybe then undefined in aSA.
    // If local end is acting as an initiator, method GetAcquireDataL updates iLocalAddr in CIkev1Negotiation object.
    // In that case take iLocalAddr value from there and store it to CIsakmpSa (aSA) object.
    // If local end is acting as a responder, resolve iLocalAddr value.
    //
    if ( aSA->iAutoLogin )
    {
        if ( aRole == INITIATOR)    
             iLocalAddr = aSA->iLocalAddr;
        else User::LeaveIfError( iPluginSession->GetLocalAddress( iLocalAddr ) );
    }
    iDPDSupported = aSA->iDPDSupported;
    
    iSAId = aSA->iSAId;    // Reference to existin ISAKMP SA
    iStage = 1; //if initiator the stage will be set in a subsequent call to InitPhase_IIL()
}

//Leaves if error detected
void CIkev1Negotiation::CommonConstructL()
{
    iPhase = PHASE_I;
    iTimer = CIkev1Timeout::NewL(*this);    

    //Phase II proposal lists
    iProposal_IIList = new (ELeave) CProposal_IIList(1);

    iRemoteAddr.SetPort(IKE_PORT);
    
    iHostData = &iPluginSession->IkeData();
    if (!iHostData)
    {
        DEBUG_LOG(_L("The host has no data. Negotiation aborted"));
        User::Leave(KKmdIkeNoPolicyErr);
    }   

	if ( iHostData->iCAList && iHostData->iCAList->Count() )
	{
		iPkiService = CIkeV1PkiService::NewL(iHostData, iDebug);
		TInt stat ( EFalse );
		stat=ReadCAsL(iHostData->iCAList);  // Build trusted CA list
		if ( !stat )
		{
			SetErrorStatus( KVpnErrInvalidCaCertFile );
			User::Leave(KVpnErrInvalidCaCertFile);
		}
	}	
    iSendCert = iHostData->iAlwaysSendCert; //If true will always be sent, otherwise only with a CR

    //Proposals
    if (!BuildProposals1L())
    {
        SetFinished();
        User::Leave(KKmdIkePolicyFileErr); //if any error returns
    }

    iEncoding = X509_CERT_SIG;  //Only type in use

    iChosenProposal_I.iAttrList = new (ELeave) TAttrib; //allocated now and deleted when destroying the obj   
    User::LeaveIfError( iPluginSession->GetLocalAddress( iLocalAddr ) );

    //PFKEY data (is overwritten if initiator because we use the data given in the acquire

    iAcquireSeq = 1;//msg Seq. number of acquire needed for the UPDATE
    iSeq = 1;       //Sequence number for pfkey messages

	iLastRemoteAddr = iRemoteAddr;   // Used as destination address when sending data
#ifdef _DEBUG	
	TBuf<40> txt_addr;
    iRemoteAddr.OutputWithScope(txt_addr);
#endif            
    
    iLastMsg = HBufC8::NewL(4096);
    
    DEBUG_LOG1( _L("New negotiation with Host %S"),
            &txt_addr );

    if ( !iHostData->iUseNatProbing && iHostData->iEspUdpPort == 0 )
	{
       //
       // Use IETF specified NAT traversal
       //
       iNatDiscovery = CIkev1NatDiscovery::NewL(0);   
    }
	
	if ( iRole == RESPONDER )
	{
	   //
	   // Get base value internal address (=VPN virtual IP)
	   //
	   iInternalAddr = iPluginSession->InternalAddressL();
	}	
}


TBool CIkev1Negotiation::ReadCAsL(CArrayFixFlat<TCertInfo*> *aCAList)
{

	TBool Status = iPkiService->ImportCACertsL(aCAList);

#ifdef _DEBUG	
	if ( !Status )
	    {
	    DEBUG_LOG( _L("Trusted CA list creation failed!") );
	    }
#endif // _DEBUG
	
	return Status;
			   
}

TBool CIkev1Negotiation::ReadOwnCertL()
{
    //
    // Read own certificate from PKI store using own trusted CA as
    // specified issuer
    //
    TBool Status = EFalse;
    _LIT(KVpnApplUid, "101F7993");
    if ( iPkiService && iHostData->iCAList )
		{
       TCertInfo* CertInfo;
	   HBufC8* CAName = HBufC8::NewLC(256);  	   
       TInt i = 0;
       if ( iHostData->iCAList->At(0)->iData!=KVpnApplUid )
          {
	       while ( i < iHostData->iCAList->Count() )
			   {

	           CertInfo = iHostData->iCAList->At(i);
	           CAName->Des().Copy(CertInfo->iData); // Assure that CA name is in ASCII format
               if ( iPkiService->ReadUserCertWithNameL(CAName->Des(), iHostData, EFalse) == KErrNone )
				   {
				   Status = ETrue;			   
				   delete iOwnCert;  // delete old if exists			   
				   iOwnCert = iPkiService->GetCertificate();
				   delete iPeerTrustedCA;  // for sure
				   iPeerTrustedCA = iPkiService->GetTrustedCA();
                   CleanupStack::PopAndDestroy(CAName);   //CAName
                   CAName=NULL;
				   break;
				   }
               i ++;           
               }
              if (!Status)
                  {
                  CleanupStack::PopAndDestroy(CAName);
                  CAName=NULL;
                  }
           }
       else
           {
           CIkeCaList* trustedCaList = iPkiService->CaList();
           CleanupStack::PopAndDestroy(CAName);        
           CAName=NULL;
           while ( i < trustedCaList->Count() )
               {
               
               CIkeCaElem* CaElem = (*trustedCaList)[i];                     
               CAName = IkeCert::GetCertificateFieldDERL(CaElem->Certificate(), KSubjectName);
               if (CAName == NULL)
                  {
                   User::Leave(KErrArgument);
                  }
               CleanupStack::PushL(CAName);
               if ( iPkiService->ReadUserCertWithNameL(*CAName, iHostData, ETrue) == KErrNone)
                   {
                   Status = ETrue;             
                   delete iOwnCert;  // delete old if exists               
                   iOwnCert = iPkiService->GetCertificate();
                   delete iPeerTrustedCA;
                   iPeerTrustedCA = iPkiService->GetTrustedCA();
                   CleanupStack::PopAndDestroy(CAName);        
                   CAName=NULL;
                   
                   
                   break;
                   }
               i ++;
               
               CleanupStack::PopAndDestroy(CAName);
               CAName=NULL;
               } 
           }
       if ( !Status )
		   {	   
          DEBUG_LOG( _L("Error loading Own Certificate!") );
		   }		   
    }
    return Status;
}



void CIkev1Negotiation::GetAcquireDataL(const TPfkeyMessage &aReq)
{
    // ACQUIRE Contains: <Base, Addr(Src & Dest) (Addr(Proxy)), (Ident(S & D)), (Sensitivity), Proposal>
    
    iLocalAddr = *aReq.iSrcAddr.iAddr;    //Copies our own address because it's the only way to know it

    //Phase II proposals
    //Only one combination received so only one transform
    CProposal_II *prop_II = new (ELeave) CProposal_II();
    CleanupStack::PushL(prop_II);
    prop_II->ConstructL();
    iProposal_IIList->AppendL(prop_II);
    CleanupStack::Pop();            //prop_II safe in case of leave

    prop_II->iProposalNum   = FIRST_IPSEC_PROPOSAL;
    prop_II->iNumTransforms = 1;
    prop_II->iReplayWindowLength = aReq.iProposal.iExt->sadb_prop_replay;
    TAttrib_II *attr_II = new (ELeave) TAttrib_II();
    CleanupStack::PushL(attr_II);
    prop_II->iAttrList->AppendL(attr_II);   //added into the proposal so it's safe if function leaves
    CleanupStack::Pop();            //attr_II safe in case of leave

    attr_II->iTransformNum = FIRST_IPSEC_TRANSFORM;

    if (aReq.iBase.iMsg->sadb_msg_satype==SADB_SATYPE_AH)
    {
        prop_II->iProtocol = PROTO_IPSEC_AH;
        if (aReq.iProposal.iComb->sadb_comb_auth == SADB_AALG_MD5HMAC)
        {
            attr_II->iTransformID = AH_MD5;
            attr_II->iAuthAlg = DOI_HMAC_MD5;
        }
        else if (aReq.iProposal.iComb->sadb_comb_auth == SADB_AALG_SHA1HMAC)
        {
            attr_II->iTransformID=AH_SHA;
            attr_II->iAuthAlg = DOI_HMAC_SHA;
        }
        else
        {
            DEBUG_LOG(_L("Unsupported Authentication Algorithm in Acquire"));
			SetFinished();					
            return;
        }
        // No auth with variable encryption
    }
    else if (aReq.iBase.iMsg->sadb_msg_satype == SADB_SATYPE_ESP)
    {
        prop_II->iProtocol=PROTO_IPSEC_ESP;
        /* Request ESP from peer host */

        attr_II->iTransformID = aReq.iProposal.iComb->sadb_comb_encrypt;
		switch ( attr_II->iTransformID )
		{
			case ESP_DES_CBC:
			case ESP_3DES_CBC:
			case ESP_NULL:
				break;
				
			case ESP_AES_CBC:
				attr_II->iKeyLength = aReq.iProposal.iComb->sadb_comb_encrypt_maxbits;
				break;

			default:
				DEBUG_LOG(_L("IPsec Encryption algorithm is not implemented. Wrong algorithms file"));
				SetFinished();
				return;
				
		}	
        if (aReq.iProposal.iComb->sadb_comb_auth != SADB_AALG_NONE)
        {
            if (aReq.iProposal.iComb->sadb_comb_auth == SADB_AALG_MD5HMAC)
                attr_II->iAuthAlg = DOI_HMAC_MD5;
            else if (aReq.iProposal.iComb->sadb_comb_auth == SADB_AALG_SHA1HMAC)
                attr_II->iAuthAlg = DOI_HMAC_SHA;
            else
            {
                DEBUG_LOG(_L("Unsupported Authentication Algorithm in Acquire"));
				SetFinished();
				return;
            }
        }
    }
    
    //Check if PFS in use...
    if (aReq.iProposal.iComb->sadb_comb_flags & SADB_SAFLAGS_PFS)
    {
        iPFS=ETrue;
        switch (iHostData->iGroupDesc_II)
        {
        case IKE_PARSER_MODP_768:
            attr_II->iGroupDesc = MODP_768;
            break;
        case IKE_PARSER_MODP_1024:
            attr_II->iGroupDesc = MODP_1024;
            break;
        case IKE_PARSER_MODP_1536:
            attr_II->iGroupDesc = MODP_1536;
            break;
        case IKE_PARSER_MODP_2048:
            attr_II->iGroupDesc = MODP_2048;
            break;
        default:
            DEBUG_LOG(_L("ISAKMP Proposals error (Bad Group description)"));
			SetFinished();
			return;
        }
    }
    else
    {
        iPFS=EFalse;
        attr_II->iGroupDesc = 0;    //No group assigned because no PFS
    }

    if (aReq.iProposal.iComb->sadb_comb_flags & SADB_SAFLAGS_TUNNEL)
    {
        attr_II->iEncMode = DOI_TUNNEL;
    }
    else
    {
        attr_II->iEncMode = DOI_TRANSPORT;
    }

    iIDLocalPort = (TUint16)aReq.iSrcAddr.iAddr->Port();
    iIDRemotePort = (TUint16)aReq.iDstAddr.iAddr->Port();
    iIDProtocol = aReq.iDstAddr.iExt->sadb_address_proto;   //May be needed for phase II ID

    //Source Identity
    if (aReq.iSrcIdent.iExt)
    {
        if (aReq.iSrcIdent.iExt->sadb_ident_type == SADB_IDENTTYPE_PREFIX)
        {
			if ( !ProcessIdentityData(aReq.iSrcIdent.iData, &iLocalIDType_II,
								      &iLocalAddr1_ID_II, &iLocalAddr2_ID_II) )
			{
				SetFinished();
				return;
			}	
		}
        else    //Invalid identity type
        {
            DEBUG_LOG1(_L("Invalid Local identity type (%d)"), aReq.iSrcIdent.iExt->sadb_ident_type);
			SetFinished();
			return;
        }
    }
    else
    {
        //We need to assign a default address if other info is to be sent in the same payload
        if (attr_II->iEncMode == DOI_TUNNEL || iIDLocalPort != 0 || iIDRemotePort != 0 ||
            iIDProtocol != 0 || aReq.iDstIdent.iExt)
        {
            DEBUG_LOG(_L("Local Identity not defined and needed. Using Own address as local identity."));
            iLocalAddr1_ID_II = iLocalAddr;
            if ((iLocalAddr.Family() == KAfInet) || iLocalAddr.IsV4Mapped() )
                iLocalIDType_II = ID_IPV4_ADDR;
            else
                iLocalIDType_II = ID_IPV6_ADDR;
            iDefaultLocalID = ETrue;    //Must be sent but won't be used when updating the SAD
        }
    }

    //Destination Identity
    if (aReq.iDstIdent.iExt)
    {
        if (aReq.iDstIdent.iExt->sadb_ident_type == SADB_IDENTTYPE_PREFIX)
        {
			if ( !ProcessIdentityData(aReq.iDstIdent.iData, &iRemoteIDType_II,
									  &iRemoteAddr1_ID_II, &iRemoteAddr2_ID_II) )
			{
				SetFinished();
				return;
			}
        }
        else    //Invalid identity type
        {
            
            DEBUG_LOG1( _L("Invalid Destination identity type (%d)"), aReq.iDstIdent.iExt->sadb_ident_type );
			SetFinished();
			return;
        }
    }
    else
    {
        //
        // RemoteID_II is required only if LocalID_II already exists
		// If transports mode
        //      Build RemoteID_II for Quick mode negotiation from specified remote IP address
        // else Use subnet 0/0 as remote id
		//
        if ( iLocalIDType_II != 0 )
        {
		   if (	attr_II->iEncMode == DOI_TUNNEL ) {
			  if ( iLocalIDType_II == ID_IPV4_ADDR || iLocalIDType_II == ID_IPV4_ADDR_SUBNET ) {
				 iRemoteAddr1_ID_II.Init(KAfInet);
				 iRemoteAddr2_ID_II.Init(KAfInet); 				 
				 iRemoteIDType_II = ID_IPV4_ADDR_SUBNET;
			  }	   
			  else {
			     iRemoteAddr1_ID_II.Init(KAfInet6);
				 iRemoteAddr2_ID_II.Init(KAfInet6); 				 				 
				 iRemoteIDType_II = ID_IPV6_ADDR_SUBNET;
			  }	 
		   }
		   else {
              iRemoteAddr1_ID_II = *aReq.iDstAddr.iAddr;
			  if ( iRemoteAddr1_ID_II.Family() == KAfInet6 )			  
				   iRemoteIDType_II = ID_IPV6_ADDR;
			  else iRemoteIDType_II = ID_IPV4_ADDR;
		   }   
           iDefaultRemoteID = ETrue;  //Must be sent but won't be used when updating the SAD   
        }  
    }

    //Only Hard Lifetimes taken into account
    TInt64 lifetime64 = aReq.iProposal.iComb->sadb_comb_soft_addtime;
    iHardLifetime = aReq.iProposal.iComb->sadb_comb_hard_addtime;
    
    if ( lifetime64 == 0 )
        {
        lifetime64 = iHardLifetime;
        }
    
    TUint high = 0;
    TUint low = 0;
    if (lifetime64!=0)
    {
        high = ByteOrder::Swap32(I64HIGH(lifetime64));
        if (high > 0)
            attr_II->iLifeDurationSecs.Copy((TUint8 *)&high, sizeof(high));
        low = ByteOrder::Swap32(I64LOW(lifetime64));
        attr_II->iLifeDurationSecs.Append((TUint8 *)&low, sizeof(low));
    }

    //Bytes lifetime
    lifetime64 = aReq.iProposal.iComb->sadb_comb_soft_bytes;
    lifetime64 = (lifetime64/1024); //Bytes to KB
    if (lifetime64 != 0)
    {
        high = ByteOrder::Swap32(I64HIGH(lifetime64));      
        if (high > 0)
            attr_II->iLifeDurationKBytes.Copy((TUint8 *)&high, sizeof(high));
        low = ByteOrder::Swap32(I64LOW(lifetime64));        
        attr_II->iLifeDurationKBytes.Append((TUint8 *)&low, sizeof(low));
    }

    //Save some pf_key data to use later in PFKEY_UPDATE msg
    iAcquireSeq = aReq.iBase.iMsg->sadb_msg_seq;        //msg Seq. number
    iPfkeyAcquirePID = aReq.iBase.iMsg->sadb_msg_pid;   //msg PID.
    iAcquirePending = ETrue;
    DEBUG_LOG2( _L("Acq seq= %d , PID= %d"), iAcquireSeq, iPfkeyAcquirePID );
    
}

//
//  CIkev1Negotiation::ExecuteL()
//  An ISAKMP message has been received belonging to this negotiation.
//  Process the message and advance the negotiation session to appropriate
//  next state/stage.
//
TBool CIkev1Negotiation::ExecuteL( const ThdrISAKMP& aHdr,
                                   const TInetAddr& aRemote,
                                   TInt aLocalPort )
{
    aLocalPort = aLocalPort;

    TBool ret=EFalse;
    const ThdrISAKMP *hdr;
    TUint8 *msg = NULL;   //to place the new msg
    TBuf8<IKEV1_MAX_IV_SIZE> tmp_IV(iIV);   //Temporal IV. Used to update the real one if the msg OK
    
    TLastIKEMsg msg_info(aHdr); //For retransmitted IKE msg detection
    if ( IsRetransmit(msg_info) ) {
       DEBUG_LOG(_L("Retransmitted IKE message received."));       
       TBool FloatedPort = EFalse; 
       if ( iNAT_D_Flags & (REMOTE_END_NAT + LOCAL_END_NAT) )
           FloatedPort = ETrue;
       TPtr8 lastMsg(iLastMsg->Des());
       iPluginSession->SendIkeMsgL(lastMsg, iLastRemoteAddr, FloatedPort);        
       return EFalse;              
    }

    if ( iPhase == PHASE_II &&
         aHdr.GetExchange() != IKE_QUICK_MODE )
    {
        DEBUG_LOG(_L("Bad packet (retransmission?)"));
#ifdef _DEBUG                    
        const TPtrC8 ikeMsgPtr( (TUint8 *)&aHdr, (TUint16)aHdr.GetLength() );
        TInetAddr dstAddr;
        iPluginSession->GetLocalAddress( dstAddr );
        dstAddr.SetPort( aLocalPort );
        TRACE_MSG_IKEV1( ikeMsgPtr, iRemoteAddr, dstAddr );
#endif // _DEBUG                            

        SetFinished();
        return EFalse;  //Bad packet, is a retransmission
    }    
    
	iLastRemoteAddr = aRemote;  //Save last remote address (used in NAT cases)	

    iLengthLeft = aHdr.GetLength(); //Used to check the size in the payload are OK

    DEBUG_LOG2( _L("---------- Phase %d - Stage %d ----------"), iPhase, iStage );

    if ((iStage==1) && (iPhase==PHASE_I))   //Only saved for the first message
        iExchange = aHdr.GetExchange();

    DEBUG_LOG1( _L("Exchange %d"), aHdr.GetExchange() );

    if (aHdr.GetFlags() & ISAKMP_HDR_EFLAG) //if encrypted
    {
        //before anything, prints the packet
        DEBUG_LOG(_L("Received message (encr)."));
        DEBUG_LOG(_L("Decrypting..."));
        msg = new (ELeave)(TUint8[aHdr.GetLength()]);    //to place the new msg
		CleanupStack::PushL(msg);
		
        Mem::Copy(msg,(TUint8 *)&aHdr,sizeof(aHdr));    //The header is not encrypted

        if ((iPhase==PHASE_II) && (iStage == 1))
        {
            iMessageId = aHdr.GetMessageId();   //Saves the ID to compute IV
            DEBUG_LOG(_L("Quick IV:"));
            ComputeIVL(iIV, iMessageId);
        }

        DecryptL((TUint8 *)aHdr.Next(),&msg[sizeof(aHdr)], aHdr.GetLength()-sizeof(aHdr),iIV, iSKEYID_e, iChosenProposal_I.iAttrList->iEncrAlg);
        if ((iStage == 6 && iExchange == ISAKMP_EXCHANGE_ID) || 
            (iStage == 3 && iExchange == ISAKMP_EXCHANGE_AGGR))
        {
            iLastIV.Copy(iIV);  //Saves last IV in Phase 1
            DEBUG_LOG(_L("Last IV Saved!"));
        }
        hdr=(ThdrISAKMP *)msg;  //decrypted msg

    }
    else if (iFlags & ISAKMP_HDR_EFLAG)  // IKE message SHOULD be encrypted
    {
        hdr=&aHdr;  //no encryption    
        DEBUG_LOG(_L("Received message."));
#ifdef _DEBUG                    
        const TPtrC8 ikeMsgPtr( (TUint8 *)hdr, (TUint16)hdr->GetLength() );
        TInetAddr dstAddr;
        iPluginSession->GetLocalAddress( dstAddr );
        dstAddr.SetPort( aLocalPort );
        TRACE_MSG_IKEV1( ikeMsgPtr, iRemoteAddr, dstAddr );
#endif // _DEBUG                            
        DEBUG_LOG(_L("The message is NOT encrypted (ignored)"));
        return EFalse;
    }
    else
        hdr=&aHdr;  //no encryption

    DEBUG_LOG(_L("Received message."));
#ifdef _DEBUG                    
    const TPtrC8 ikeMsgPtr( (TUint8 *)hdr, (TUint16)hdr->GetLength() );
    TInetAddr dstAddr;
    iPluginSession->GetLocalAddress( dstAddr );
    dstAddr.SetPort( aLocalPort );
    TRACE_MSG_IKEV1( ikeMsgPtr, iRemoteAddr, dstAddr );
#endif // _DEBUG                            

    if (iPhase==PHASE_I)
        ret = Phase_IExchangeL(*hdr);//MAIN MODE && AGGRESSIVE MODE
    else
    {
        ret = Phase_IIExchangeL(*hdr);//QUICK MODE 
    }
    if (!ret)   //Incorrect packet. Restore the IV
    {
        DEBUG_LOG(_L("Restoring previous IV"));
        iIV.Copy(tmp_IV);
    }
    else    //correct packet
    {
        SaveRetransmitInfo(msg_info); // store new last received IKE message info        
    }

    if ( msg )    //If used erase it (when encryption)
 	   CleanupStack::PopAndDestroy(); 

    return ret;
}

TBool CIkev1Negotiation::ExecutePhase2L( const ThdrISAKMP &aHdr,
                                         const TInetAddr &aRemote,
                                         TInt aLocalPort )
{
    return ExecuteL( aHdr, aRemote, aLocalPort );
}

//
// CIkev1Negotiation::ExecuteTransactionL
// An ISAKMP Transaction exchange message received.
// Call CTransNegotiation::ExecuteL method and process returned status
//
TBool CIkev1Negotiation::ExecuteTransactionL( const ThdrISAKMP& aHdr,
                                              const TInetAddr& aRemote,
                                              TInt aLocalPort )
{
    TInt  status;
	TBool ret = ETrue;
    if ( iTransactionNeg ) {
       status = iTransactionNeg->ExecuteL( aHdr, aRemote, aLocalPort );
       if ( status == TRANSACTION_SUCCESS ) {
          //
          // XAUTH / CONFIG-MODE completed succesfully
          //
          IsakmpPhase1CompletedL(); 
       }
       else {
          if ( status == TRANSACTION_FAILED ) {
             //
             // XAUTH / CONFIG-MODE completed succesfully
             //
			 LOG_KMD_EVENT( MKmdEventLoggerIf::KLogError,
			                R_VPN_MSG_VPN_GW_AUTH_FAIL,
			                KKmdIkeAuthFailedErr,
			                iPluginSession->VpnIapId(),
			                &iRemoteAddr );
			 SendDeleteL( PROTO_ISAKMP );
			 SetErrorStatus( KKmdIkeAuthFailedErr );
          }
       }    
    }
	else ret = EFalse;

    return ret;
}


//
// CIkev1Negotiation::AuthDialogCompletedL
// Authentication dialog is completed. Check CAuthDialogInfo object ID
// and call eithet CIKECRACKNegotiation::ProcessUserResponseL or
// CTransNegotiation::ProcessUserResponseL to handle dialog data
//
void CIkev1Negotiation::AuthDialogCompletedL(CAuthDialogInfo *aUserInfo)
{
	if ( !aUserInfo || (!aUserInfo->iUsername && !aUserInfo->iSecret) ) 
	{
	   DEBUG_LOG(_L("Legacy authentication cancelled by user!"));		
	   SendDeleteL(PROTO_ISAKMP);		
	   LOG_KMD_EVENT( MKmdEventLoggerIf::KLogError,
	                  R_VPN_MSG_VPN_GW_AUTH_FAIL,
	                  KErrCancel,
	                  iPluginSession->VpnIapId(),
	                  &iRemoteAddr );
	   SetErrorStatus(KErrCancel);
	   return;
	}	
		
    TInt status;

    if ( aUserInfo->GetObjId() == XAUTH_DIALOG_ID ) 
    {
       if ( iTransactionNeg )
            status = iTransactionNeg->ProcessUserResponseL(aUserInfo);       
       else status = TRANSACTION_FAILED;
       
       if ( status == TRANSACTION_FAILED ) 
       {
         /*--------------------------------------------------------
          *
          *  XAUTH negotiation failed. Negotiation shall be deleted
          *
          *--------------------------------------------------------*/
		  LOG_KMD_EVENT( MKmdEventLoggerIf::KLogError,
		                 R_VPN_MSG_VPN_GW_AUTH_FAIL,
		                 status,
		                 iPluginSession->VpnIapId(),
		                 &iRemoteAddr );
		  SetErrorStatus(KKmdIkeAuthFailedErr);
          AcquireSAErrorResponse(KKmdIkeAuthFailedErr);
       }      
    }
    else 
    {
       if ( iCRACKneg )
            status = iCRACKneg->ProcessUserResponseL(aUserInfo);       
       else status = CRACK_FAILED;

       if ( status == CRACK_FAILED ) 
       {
         /*--------------------------------------------------------
          *
          *  Crack negotiation failed. Negotiation shall be deleted
          *
          *--------------------------------------------------------*/
		  LOG_KMD_EVENT( MKmdEventLoggerIf::KLogError,
		                 R_VPN_MSG_VPN_GW_AUTH_FAIL,
		                 status,
		                 iPluginSession->VpnIapId(),
		                 &iRemoteAddr );		   
		  SetErrorStatus(KKmdIkeAuthFailedErr);		  
          AcquireSAErrorResponse(KKmdIkeAuthFailedErr);
       }      
    }
}


//
// CIkev1Negotiation::StartCRACKAuthL
//      Start CRACK authentication phase of IKE phase I negotiation
//      - Create CIKECRACKNegotiation object and call it`s ConstructL
//      - Set iStage variable to 7 to indicate that CRACK authentication
//        is going
//
TBool CIkev1Negotiation::StartCRACKAuthL()
{
TInt status;    

    iStage = 7;
    
    if ( !iCRACKneg ) {
       iCRACKneg = new(ELeave) CIKECRACKNegotiation( iDebug );
	   TBuf<2> DummyDomain;
	   //
	   // If the IKE Id-type value is configured to value "Opaque
	   // String" and iFQDN length is larger than zero in the current
	   // policy ==> iFQDN value contains "Group name" value
	   // which shall be conveyed to the peer in CRACK "Domain name"
	   // attribute  
	   //
       iFlags |= ISAKMP_HDR_EFLAG; //From now on encryption is used    
	   
	   if ( (iHostData->iIdType == ID_KEY_ID) && (iHostData->iFQDN.Length() > 0 ) )
            status = iCRACKneg->ConstructL(iHostData->iCRACKLAMType, this, iHostData->iFQDN);
	   else status = iCRACKneg->ConstructL(iHostData->iCRACKLAMType, this, DummyDomain);
       if ( status == CRACK_FAILED ) {
          return EFalse;
       }
    }
    
    return ETrue;
}

//
// CIkev1Negotiation::IsakmpPhase1CompletedL
// This method is called when an ISAKMP phase 1 negotiation is succesfully
// completed. The following actions are taken:
// -- If either Extended authentication or/and Config mode required
//    If iTransactionNeg data member exists it means that XAUTH/CONFIG mode
//    has been succesfully completed.
//    If iTransactionNeg data member is NULL, XAUTH/CONFIG mode shall be initiated
// -- If No XAUTH/CONFIG mode (or if XAUTH/CONFIG mode already completed).
//    If iAutoLogin is TRUE save ISAKMP SA and deconstruct negotiation.
//    If iAutoLogin is False, save ISAKMP SA and;
//       if negotiation role is initiator continue with Quick mode exchange. 
//       if negotiation role is responder deconstruct negotiation.
//
TBool CIkev1Negotiation::IsakmpPhase1CompletedL()
{
    TBool Status;

    if ( iTransactionNeg ) {
       //
       // Try to get Internal address information and delete iTransactionNeg
       //
       delete iInternalAddr;  
       iInternalAddr = iTransactionNeg->GetInternalAddr();
       delete iTransactionNeg;
       iTransactionNeg = NULL;
    }
    else {
       if ( (iRole == INITIATOR) && (iHostData->iUseXauth || iHostData->iUseCfgMode) )
	   {
		  TBool useModeCfg;
		  if ( iSARekeyInfo )
		       useModeCfg = EFalse;  // Use existing virtual Ip, if any
		  else 
		      useModeCfg = iHostData->iUseCfgMode; 
		  
          iTransactionNeg = CTransNegotiation::NewL( iHostData->iUseXauth,
                                                     useModeCfg,
                                                     iPluginSession,
                                                     this,
                                                     iDebug );
          
          // If only MODE_CFG is needed a request is sent
          if(useModeCfg && !iHostData->iUseXauth)
              iTransactionNeg->BuildConfigRequestL();
          
          iStage = 8;                    
          return ETrue; 
       }       
    }   

	SaveISAKMPSAL();

    if ( iAutoLogin ) {
       //
       // ISAKMP Phase 1 completed. Quick mode is NOT started because there is no acquire pending
       // but phase 1 negotiation is started by the policy activation.   
       //
       CInternalAddress* internalAddr = NULL;
       if ( iInternalAddr != NULL )
           {
           internalAddr = CInternalAddress::NewL(*iInternalAddr);        
           }
       iPluginSession->IkeSaCompleted(KErrNone, internalAddr);
	   SetFinished(); // Causes negotiation object destruction	   
	   iAutoLogin = EFalse; 	   
       Status     = EFalse;
    }
    else {
	   if ( iRole == INITIATOR ) {
	      TBool internalAddressChanged = EFalse;
		  if ( iInternalAddr ) {
		     //
		     // Report internal IP address changed event
		     //
	         internalAddressChanged = iPluginSession->InternalAddressChangedL(*iInternalAddr);
		  }
		  if ( (!iSARekeyInfo ||
		       iPhaseIIAfterIkeSaRekey) &&
		       !internalAddressChanged )
		  {	  
             iPhaseIIAfterIkeSaRekey = EFalse;
             iPrevExchange = iExchange;  //Needed to know how to begin Phase II (Sending or receiving)
		     iExchange  = IKE_QUICK_MODE;
		     iPhase     = PHASE_II;
		     iStage     = 1;
 	         Status     = ETrue;
             iMessageId = RandomMessageId(); 
             InitPhase2L();  //Immediately inits PHASE_II. No reply expected.
		  }
		  else {
			  //
			  // Rekeyed IKE SA or internal address changed. No IKE quick mode started
		      // Pending acquire will be failed, if internal address has changed.
			  //
			  SetFinished(); 
			  Status    = EFalse;
		  }	  
	   }
	   else {
	      SetFinished(); // Causes negotiation object destruction
		  Status    = EFalse;
	   }	   
    }
	
	LOG_KMD_EVENT( MKmdEventLoggerIf::KLogInfo,
	               R_VPN_MSG_VPN_GW_AUTH_OK,
	               KErrNone,
	               iPluginSession->VpnIapId(),
	               &iRemoteAddr );

	TInt NatStatus = iNAT_D_Flags;   // Record "IETF" NAT status  
	if ( NatStatus == 0 )
	{	
	   if ( iNAT_T_Required )
			NatStatus = 4;           // Local end is NAT:ted (discovered via "Nokia" NAT-T)    
	   else if ( !iHostData->iUseNatProbing )
		       NatStatus = iHostData->iEspUdpPort; // "Forced" ESP UDP encapsulation ?
	}

	TInetAddr localAddr;
	iPluginSession->GetLocalAddress( localAddr );
    LOG_KMD_EVENT2( MKmdEventLoggerIf::KLogInfo,
                    R_VPN_MSG_ADDR_INFO_FOR_VPN_AP,
                    NatStatus, iPluginSession->VpnIapId(),
                    (iInternalAddr ? &iInternalAddr->iClientIntAddr : NULL),
                    &localAddr );	

    return Status;
}   


//Sends the initial IKE packets to start the negotiation. PHASE I
void CIkev1Negotiation::InitNegotiationL()   //Equiv. to stage 1
{
    TIkev1IsakmpStream* msg = SaveIkeMsgBfr( new (ELeave) TIkev1IsakmpStream(iDebug) );
	
    TInt  vendor_id_type;

    //Main mode stage 1

    switch (iHostData->iMode)
    {
        case IKE_PARSER_MAIN:
            iExchange = ISAKMP_EXCHANGE_ID;     // Identity Protection (Main mode in IKE)
            DEBUG_LOG(_L("IKE: Initiating negotiation (Main Mode)"));
            break;
        case IKE_PARSER_AGGRESSIVE:
            iExchange = ISAKMP_EXCHANGE_AGGR;   // Agressive
            DEBUG_LOG(_L("IKE: Initiating negotiation (Aggressive Mode)"));
            break;
        default:
            DEBUG_LOG1(_L("Bad Mode used (%d)"), iHostData->iMode);
            return;
    }
    iStage = 1;
    DEBUG_LOG2(_L("---------- Phase %d - Stage %d ----------"),iPhase, iStage);

    iCookie_R.FillZ(ISAKMP_COOKIE_SIZE);  //Set responder Cookie to 0

    iDOI = IPSEC_DOI;
    iEncoding = X509_CERT_SIG;  //Only cert Allowed
    msg->IsakmpInit(this);
    msg->IsakmpSa();

    const TUint8 *ptr = msg->iBuf.Ptr() + sizeof(ThdrISAKMP);
    const TSAISAKMP *sa = (TSAISAKMP*)ptr;
    //Generic payload NOT included
    iSAPayloadSize = sa->GetLength() - sizeof(TPayloadISAKMP);
    delete iSAPayload;
	iSAPayload = NULL;
    iSAPayload = new (ELeave) TUint8[iSAPayloadSize];   
    ptr += sizeof(TPayloadISAKMP);  
    Mem::Copy(iSAPayload, ptr,iSAPayloadSize);

    TBool cert_required = EFalse;   //If any proposal requires a cert to send a CR if needed
    TBool preshared_key = EFalse;   //Preshared key authentication        
    TBool crack_used = EFalse;
    
    TAttrib *transf = iProposal_I.iAttrList;
    for (TInt i=0; (i < iProposal_I.iNumTransforms) && (!cert_required); i++)
    {
        switch (transf->iAuthMethod)
        {
        case RSA_SIG:   //Proposals involving certificates
        case DSS_SIG:
            cert_required = ETrue;
            break;
        case IKE_A_CRACK:           
            cert_required = ETrue;
            crack_used = ETrue;
            break;
        default:    // No cert involved
            preshared_key = ETrue;
            transf = transf->iNext;
        }
    }
    
    if (crack_used &&
        !iHostData->iCRACKLAMUserName && 
        !iHostData->iCRACKLAMPassword)
        {
        TBuf<256> UserName;
        TBuf<64> Password;
        CIkev1Dialog* Dialog = CIkev1Dialog::NewL(iPluginSession, iPluginSession->DialogAnchor(), iDebug);                     
        if (KErrNone != Dialog->GetSyncUNPWCacheDialog(UserName, Password))
            {
            DEBUG_LOG(_L("Failed to get credentials for crack auth!"));
            SetFinished();
            delete Dialog;
            return;
            }
        iHostData->iCRACKLAMUserName = TStringData::NewL(UserName);
        iHostData->iCRACKLAMPassword = TStringData::NewL(Password);
        delete Dialog;
    }

    if (iExchange == ISAKMP_EXCHANGE_AGGR) //Aggressive contains more payloads
    {
        if ( preshared_key && !cert_required ) {
           //
           // Only pre-shared key authentication proposal(s) exists
           // Check if is necessary to ask user name/password (= IKE ID/preshared key)
           // from user
           //
           if ( CheckCredentials(iHostData) != KErrNone ) {
              DEBUG_LOG(_L("Failed to get credentials for Aggressive pre-shared auth!"));
              SetFinished();
              return;
           }
        }   
        ComputeNonceL();         //Nonce to be sent
        if ( cert_required && !iOwnCert ) 
           ReadOwnCertL();    // For possible DER ASN1 distuingish name Ident
        msg->IsakmpKeyL();
        msg->IsakmpNonce();
        msg->IsakmpOwnIdentL();
		
        //For aggressive mode we send a CR if a cert is going to be needed
        if ((!iPeerX509Cert) && (cert_required))
        {
           msg->IsakmpCertificateReqL();   
        }
        if ( iHostData->iUseNatProbing )
             vendor_id_type = EXPANDED_VENDOR_ID;
        else vendor_id_type = HASH_VENDOR_ID;           
        msg->IsakmpVendorId(vendor_id_type,
                            (TUint8*)iCookie_I.Ptr(),
                            (TUint8*)iCookie_R.Ptr(), iLocalAddr);
            
    }
	
	if ( iHostData->iDPDHeartBeat != 0 )
	   BuildDPDVendorId(*msg);
	
    if ( iNatDiscovery ) {
       iNatDiscovery->BuildNatVendorId(*msg);
       iNatDiscovery->BuildRfcNatVendorId(*msg);
    }
	
    if ( iHostData->iUseXauth || iHostData->iUseCfgMode ) {  
       CTransNegotiation::BuildXauthVendorId(*msg);  
    }

    SendL(*msg);
    iStage = 2;
}

//Builds the proposal list from the structure in the engine
TBool CIkev1Negotiation::BuildProposals1L()
{
    TProposalData *p_list = iHostData->iPropList;

    if (!p_list)
    {
        DEBUG_LOG(_L("ERROR: No proposals in the configuration file. Negotiation Cancelled"));
        return EFalse;
    }
    iProposal_I.iSPI.FillZ(4);  //filled with 0 (not send anyway)
    iProposal_I.iProposalNum   = FIRST_ISAKMP_PROPOSAL; 
    iProposal_I.iProtocol      = PROTO_ISAKMP;
    iProposal_I.iNumTransforms = 0;
    
    TUint8 trans_num = FIRST_ISAKMP_TRANSFORM;

    TAttrib *prev=NULL,*attrlist=NULL;
    
    while ( p_list )
    {
        iProposal_I.iNumTransforms ++;
        attrlist = new (ELeave) TAttrib;
        if (!iProposal_I.iAttrList) //First transform
            iProposal_I.iAttrList=attrlist; //attrlist safe
        if (prev)
            prev->iNext = attrlist;
        prev = attrlist;
        
        attrlist->iTransformID  = KEY_IKE; //only one allowed by Protocol ISAKMP (KEY_IKE)
        attrlist->iTransformNum = trans_num;
        trans_num++;        
        switch (p_list->iEncrAlg)
        {
        case IKE_PARSER_DES_CBC:
            attrlist->iEncrAlg=DES_CBC;     //DES_CBC
            break;
        case IKE_PARSER_DES3_CBC:
            attrlist->iEncrAlg=DES3_CBC;    //DES3_CBC
            break;
        case IKE_PARSER_AES_CBC:
            attrlist->iEncrAlg   = AES_CBC;     //AES_CBC
            attrlist->iKeyLength = (TUint16)p_list->iEncrKeyLth;
            if (!attrlist->iKeyLength)
               attrlist->iKeyLength = 128; //default AES key size   
            break;
        default:
            DEBUG_LOG(_L("ISAKMP Proposals error (Bad Encryption algorithm)"));
            return EFalse;
        }
        switch (p_list->iHashAlg)
        {
        case IKE_PARSER_MD5:
            attrlist->iHashAlg=HASH_MD5;    //HASH_MD5
            break;
        case IKE_PARSER_SHA1:
            attrlist->iHashAlg=HASH_SHA1;   //HASH_SHA1
            break;
        default:
            DEBUG_LOG(_L("ISAKMP Proposals error (Bad Hash algorithm)"));
            return EFalse;
        }
        switch (p_list->iAuthMeth)
        {
        case IKE_PARSER_RSA_SIG:
            attrlist->iAuthMethod=RSA_SIG;
            break;
        case IKE_PARSER_DSS_SIG:
            attrlist->iAuthMethod=DSS_SIG;
            break;
        case IKE_PARSER_PRE_SHARED:
            attrlist->iAuthMethod=PRE_SHARED;           
            break;
        case IKE_PARSER_CRACK:
            attrlist->iAuthMethod=IKE_A_CRACK; //CRACK authentication
            break;
            
        default:
            DEBUG_LOG(_L("ISAKMP Proposals error (Bad Authentication Method)"));
            return EFalse;
        }
        
        switch (p_list->iGroupDesc)
        {
        case IKE_PARSER_MODP_768:
            attrlist->iGroupDesc = MODP_768;
            break;
        case IKE_PARSER_MODP_1024:
            attrlist->iGroupDesc = MODP_1024;
            break;
        case IKE_PARSER_MODP_1536:
            attrlist->iGroupDesc = MODP_1536;
            break;
        case IKE_PARSER_MODP_2048:
            attrlist->iGroupDesc = MODP_2048;
            break;
        default:
            DEBUG_LOG(_L("ISAKMP Proposals error (Bad Group description)"));
            return EFalse;      
        }

        switch (p_list->iGroupType)
        {
        case IKE_PARSER_MODP:
            attrlist->iGroupType = MODP;
            break;
        case IKE_PARSER_DEFAULT:
            break;
        default:
            DEBUG_LOG(_L("ISAKMP Proposals error (Bad Group Type)"));
            return EFalse;
        }

        switch (p_list->iPRF)
        {
        case IKE_PARSER_DES3_CBC_MAC:
            attrlist->iPRF=OAKLEY_PRF_3DES_CBC_MAC;
            break;
        case IKE_PARSER_NONE:
            break;
        default:
            DEBUG_LOG(_L("ISAKMP Proposals error (Bad PRF specified)"));
            return EFalse;
        }

        TUint32 lifetime = ByteOrder::Swap32(p_list->iLifetimeSec);
        if (lifetime)
            attrlist->iLifeDurationSecs.Copy((TUint8 *)&lifetime, sizeof(lifetime));

        lifetime = ByteOrder::Swap32(p_list->iLifetimeKb);
        if (lifetime)
            attrlist->iLifeDurationKBytes.Copy((TUint8 *)&lifetime, sizeof(lifetime));

        //
        // Store parameters for extended authentication
        //
        attrlist->iXauthUsed = iHostData->iUseXauth;
        attrlist->iRole      = iRole;
        
        p_list = p_list->iNext;
        
    }
    attrlist->iNext=NULL;   //Last transform


    return ETrue;
}

//Builds Phase_II proposals from the config. file to when acting as RESPONDER to see if 
//proposals received are acceptable.
TInt CIkev1Negotiation::BuildProposals2L()
{
    CIpsecSaSpecList* SaList = NULL;
    TInetAddr empty_addr;  //empty address
    TInt err = KErrNone;
    
    TRAP(err,
        if ( iLocalIDType_II == 0 )  //Local ID not received (so remote neither) so it's the same as gateway
            {
            TInetAddr localSelector(iLocalAddr);
            localSelector.SetPort(iIDLocalPort);
            TInetAddr remoteSelector(iRemoteAddr);
            remoteSelector.SetPort(iIDRemotePort);
            
            SaList = iPluginSession->GetIpseSaSpecListLC(localSelector, empty_addr, 
                                                         remoteSelector, empty_addr,
                                                         iIDProtocol );
            }
        else    // either none or both (RFC 2409 5.5 so we must have both)
            {
            TInetAddr localSelector(iLocalAddr1_ID_II);
            localSelector.SetPort(iIDLocalPort);
            TInetAddr remoteSelector(iRemoteAddr1_ID_II);
            remoteSelector.SetPort(iIDRemotePort);
    
            
            SaList = iPluginSession->GetIpseSaSpecListLC(localSelector,
                                                         iLocalAddr2_ID_II,
                                                         remoteSelector,
                                                         iRemoteAddr2_ID_II,
                                                         iIDProtocol );
            }
        
        CleanupStack::Pop(SaList);
    );
    
    if (err != KErrNone)
        return err;
    
    CleanupStack::PushL(SaList);

    //Phase II proposals

    CProposal_II *prop = NULL;
    TAttrib_II *attr_II = NULL;
    const TIpsecSaSpec *spec = NULL;
    TInt count = SaList->Count();
    TInt i     = 0;

    while ( i < count ) 
    {
        prop = new (ELeave) CProposal_II();
        CleanupStack::PushL(prop);
        prop->ConstructL(1);
        iProposal_IIList->AppendL(prop);
        CleanupStack::Pop();    //prop safe
        //
        // Only 1 proposal which may be AND'd (many prop with same num) if many bundles
        // Only 1 transform because no OR'ing implemented in IPSEC
        //
        prop->iProposalNum   = FIRST_IPSEC_PROPOSAL;
        prop->iNumTransforms = 1;  

        attr_II = new (ELeave) TAttrib_II();
        CleanupStack::PushL(attr_II);
        prop->iAttrList->AppendL(attr_II);
        CleanupStack::Pop();    //attr_II safe
        
        attr_II->iTransformNum = FIRST_IPSEC_TRANSFORM;     

        spec = &(SaList->At(i));
        
        if (spec->iType == SADB_SATYPE_AH)
        {
            prop->iProtocol=PROTO_IPSEC_AH;
            if (spec->iAalg == SADB_AALG_MD5HMAC)
            {
                attr_II->iTransformID = AH_MD5;
                attr_II->iAuthAlg = DOI_HMAC_MD5;
            }
            else if (spec->iAalg == SADB_AALG_SHA1HMAC)
            {
                attr_II->iTransformID=AH_SHA;
                attr_II->iAuthAlg = DOI_HMAC_SHA;
            }
            else
            {
                DEBUG_LOG(_L("Unsupported Authentication Algorithm in IPsec Policy"));
                err = KKmdIkeNoProposalErr;
                break;
            }
            // No auth with variable encryption
        }
        else if (spec->iType == SADB_SATYPE_ESP)
        {
            prop->iProtocol = PROTO_IPSEC_ESP;
            // Request ESP from peer host

            attr_II->iTransformID = spec->iEalg;
			switch ( attr_II->iTransformID )
			{
				case ESP_DES_CBC:
				case ESP_3DES_CBC:
				case ESP_NULL:
					break;

				case ESP_AES_CBC:
					attr_II->iKeyLength = spec->iEalgLen;   //If 0 it won't be sent
					break;

				default:
					DEBUG_LOG(_L("IPsec Encryption algorithm is not implemented. Wrong algorithms file"));
	                err = KKmdIkeNoProposalErr;
	                break;
			}	
			
			if (err != KErrNone)
			    {
			    break;
			    }
			
            if (spec->iAalg != SADB_AALG_NONE)
            {
                if (spec->iAalg == SADB_AALG_MD5HMAC)
                    attr_II->iAuthAlg = DOI_HMAC_MD5;
                else if (spec->iAalg == SADB_AALG_SHA1HMAC)
                    attr_II->iAuthAlg = DOI_HMAC_SHA;
                else
                {
                    DEBUG_LOG(_L("Unsupported Authentication Algorithm in IPsec Policy"));
                    err = KKmdIkeNoProposalErr;
                    break;
                }
            }
        }

        //Check if PFS in use...
        iPFS = spec->iPfs;

        if (spec->iTransportMode)
             attr_II->iEncMode = DOI_TRANSPORT;
        else attr_II->iEncMode = DOI_TUNNEL;

        //////////////////////////////////////////////////////////
        //
        // Check if remote identity defined in Security Policy
        // If it is not set iDefaultLocalID = ETrue.
        // This prevents destination identity information to IPSEC
        // in PFKEY Update- and Add primitives
        // (see UpdateSADatabaseL() method)
        //
        //////////////////////////////////////////////////////////
        if ( spec->iRemoteIdentity.Length() == 0 )
           iDefaultLocalID = ETrue;
		if ( !ExamineRemoteIdentity(spec->iRemoteIdentity) )
		{
			DEBUG_LOG(_L("Remote Identity mismatch with IPsec Policy"));
            err = KKmdIkeNoProposalErr;
            break;
		}
		
        //Only Hard Lifetimes taken into account
        TInt64 lifetime64 = spec->iHard.iAddTime;
        TUint high = 0;
        TUint low = 0;
        if (lifetime64!=0)
        {
            high = ByteOrder::Swap32(I64HIGH(lifetime64));          
            if (high > 0)
                attr_II->iLifeDurationSecs.Copy((TUint8 *)&high, sizeof(high));
            low = ByteOrder::Swap32(I64LOW(lifetime64));                        
            attr_II->iLifeDurationSecs.Append((TUint8 *)&low, sizeof(low));
        }

        //Bytes lifetime
        lifetime64 = spec->iHard.iBytes;
        lifetime64 = (lifetime64/1024); //Bytes to KB
        if (lifetime64 != 0)
        {
            high = ByteOrder::Swap32(I64HIGH(lifetime64));                      
            if (high > 0)
                attr_II->iLifeDurationKBytes.Copy((TUint8 *)&high, sizeof(high));
            low = ByteOrder::Swap32(I64LOW(lifetime64));                                    
            attr_II->iLifeDurationKBytes.Append((TUint8 *)&low, sizeof(low));
        }
        if (iPFS)
        {
            switch (iHostData->iGroupDesc_II)
            {
            case IKE_PARSER_MODP_768:
                attr_II->iGroupDesc = MODP_768;
                break;
            case IKE_PARSER_MODP_1024:
                attr_II->iGroupDesc = MODP_1024;
                break;
            case IKE_PARSER_MODP_1536:
                attr_II->iGroupDesc = MODP_1536;
                break;
            case IKE_PARSER_MODP_2048:
                attr_II->iGroupDesc = MODP_2048;
                break;
            default:    //Shouldn't happen but the error will be detected later
                err = KKmdIkeNoProposalErr;
                break;
            }
            
            if (err != KErrNone)
                {
                break;
                }            
        }
        
        prop->iReplayWindowLength = spec->iReplayWindowLength;

        i ++;
    }   //while

    if (err != KErrNone)
        {
        delete iProposal_IIList;
        iProposal_IIList = NULL;        
        }
    
    CleanupStack::PopAndDestroy(SaList);  //SAList
    
    return err;
}

TBool CIkev1Negotiation::ExamineRemoteIdentity(const TDesC8& aRemoteIdInPolicy)
{
   //////////////////////////////////////////////////////////////////
   //
   // This method is called when we are acting as a Quick mode responder.   
   // The purpose of this method is compare remote Identity information
   // received in Quick Mode IKE message (=IDi) to the remote Identity
   // information in the local Ipsec Policy.
   // If Identitiea are NOT matching the FALSE response is returned.
   // There is the following special "kludge" is done in these test:
   // Identity IPv4 address and IPv4 subnet with prefix 32 are
   // interpreted to be same as well as IPv6 address and IPv6 subnet
   // with prefix 128. When this situation occurs a special flag 
   // (iSwapRemoteIdType = ETrue) is set in CIkev1Negotiation object
   //
   //////////////////////////////////////////////////////////////////
   TBool      AddrMatch;   
   TInetAddr  IpAddr;
   TInetAddr  IpMask;
   TUint8     IdType;
   TInt       PrefixLength = 0;
   TInetAddr* PrefixPtr    = NULL;      
   
   if ( !ProcessIdentityData(aRemoteIdInPolicy, &IdType, &IpAddr, &IpMask) )
	  return EFalse;
   
   AddrMatch = IpAddr.Match(iRemoteAddr1_ID_II);

   if ( AddrMatch )
   {	   
      if ( (IdType == ID_IPV4_ADDR_SUBNET ) || (IdType == ID_IPV6_ADDR_SUBNET) ) 
      {
		 // 
		 // Identity in policy is IP subnet
		 //
	     if ( iRemoteIDType_II == IdType )
		 {
		    // 
		    // Both identity in policy and identity in IKE IDi payload are
		    // IP subnets. The subnet masks MUST match, too
		    //
			AddrMatch = IpMask.Match(iRemoteAddr2_ID_II);
		 }
		 else
		 {
			 if ( ( (IdType == ID_IPV4_ADDR_SUBNET ) && (iRemoteIDType_II == ID_IPV4_ADDR)) ||
			      ( (IdType == ID_IPV6_ADDR_SUBNET ) && (iRemoteIDType_II == ID_IPV6_ADDR)))
			 {	 
			    // 
			    // Identity in IKE IDi payload is an IP address
			    // Do the special check: There must be full mask in the
			    // subnet identity configured in policy
			    //
				if ( IdType == ID_IPV6_ADDR_SUBNET )
					 PrefixLength = 128;
				else PrefixLength = 32;
				PrefixPtr = &IpMask;
				DEBUG_LOG(_L("Peer is using IP address IDi, full mask subnet required in local end!"));
			 }
			 else AddrMatch = EFalse;  
		 }	 
      }	   
      else
      {
	     // 
	     // Identity in policy is IP address.
	     //
		 if ( ( (IdType == ID_IPV4_ADDR ) && (iRemoteIDType_II == ID_IPV4_ADDR_SUBNET)) ||
			  ( (IdType == ID_IPV6_ADDR ) && (iRemoteIDType_II == ID_IPV6_ADDR_SUBNET)))
		 {	 
				// 
				// Identity in IKE IDi payload is an IP subnet
				// Do the special check: There must be full mask in the
				// subnet identity in IKE IDi payload
				//
			 if ( IdType == ID_IPV6_ADDR )
			      PrefixLength = 128;
			 else PrefixLength = 32;
			 PrefixPtr = &iRemoteAddr2_ID_II;
			 DEBUG_LOG(_L("An IP address ID used in local end, full mask subnet required in peer IDi!"));
		 }
		 else if ( iRemoteIDType_II != IdType )
				 AddrMatch = EFalse;
		 
      }
   }

   if ( PrefixPtr )
   {	   	   
	  if ( PrefixLength == PrefixLen(*PrefixPtr) )
	  {	  
	  	 iSwapRemoteIdType = ETrue;
		 DEBUG_LOG(_L("Required ID OK, modified remote IDi informed to IPsec!"));		 
	  }	 
	  else AddrMatch = EFalse;
   }
   
   return AddrMatch;
}

TBool CIkev1Negotiation::ProcessIdentityData(const TDesC8& aIdentity, TUint8* aToIdType,
										TInetAddr* aToIpAddr1, TInetAddr* aToIpAddr2)
{
   if ( !aToIdType || !aToIpAddr1 || !aToIpAddr2 )
	  return EFalse;
   
   aToIpAddr1->Init(KAFUnspec);
   aToIpAddr2->Init(KAFUnspec);
   *aToIdType = 0;
		   
   if ( aIdentity.Length() )
   {	   
      TInt offset = aIdentity.Find(_L8("/"));
   
      switch (offset)
      {
	     case KErrNotFound:  //Simple address
         { 
#ifdef _UNICODE
		    HBufC *unibuf = HBufC::New(aIdentity.Length());
			if ( !unibuf )
			    return EFalse;	
	        unibuf->Des().Copy(aIdentity);
	    	if ( aToIpAddr1->Input(unibuf->Des()) != KErrNone )
	    	{
				delete unibuf;
		    	DEBUG_LOG(_L("Bad IP address identity!"));
				return EFalse;
	    	}  
		    delete unibuf;
#else
		    if (aToIpAddr1->Input(aIdentity) != KErrNone)
		    {
				DEBUG_LOG(_L("Bad IP address identity!"));
				return EFalse;
		    }
#endif  
		    if ( aToIpAddr1->Family() == KAfInet )
			     *aToIdType = ID_IPV4_ADDR;
		    else *aToIdType = ID_IPV6_ADDR;
		    break;
     	 }
		 
	     default:    //Subnet
	     {
				//addr1 - subnet
		 TInt prefix_len;	 
#ifdef _UNICODE
		    HBufC *unibuf = HBufC::New(aIdentity.Length());
			if ( !unibuf )
				return EFalse;
			unibuf->Des().Copy(aIdentity);			
		    TPtrC addr_buf(unibuf->Ptr(), offset);
		    if (aToIpAddr1->Input(addr_buf) != KErrNone)
		    {
				delete unibuf;				
			    DEBUG_LOG(_L("Bad Subnet Identity address!"));
				return EFalse;
		    }
		    TPtrC prefix_ptr(unibuf->Ptr() + offset + 1, unibuf->Length() - offset - 1);
#else
		    TPtrC addr_buf(aIdentity.Ptr(), offset);
			if (aToIpAddr1->.Input(addr_buf) != KErrNone)
			{
				DEB(LogError(_L("Bad Subnet Identity address!"));)
				return EFalse;
			}
		    TPtrC prefix_ptr(aIdentity.Ptr() + offset + 1, aIdentity.Length() - offset - 1);
#endif  
				//addr2 - mask
		    TLex lex(prefix_ptr);
		    if (lex.Val(prefix_len) != KErrNone)
		    {
			   DEBUG_LOG(_L("Bad Subnet Identity PREFIX Length!"));
			   return EFalse;
		    }
#ifdef _UNICODE
		    delete unibuf;
#endif
			if ( aToIpAddr1->Family() == KAfInet )
			{
			   if ( prefix_len > 32 )	
			   {
				  DEBUG_LOG(_L("Bad Subnet Identity: Prefix too long!"));
				  return EFalse;
			   }
			   *aToIdType = ID_IPV4_ADDR_SUBNET;
			   PrefixMask(*aToIpAddr2, prefix_len, KAfInet);
			}
			else    //KAfInet6
			{
				if ( prefix_len > 128 )	
				{
					DEBUG_LOG(_L("Bad Subnet Identity: Prefix too long!"));
					return EFalse;
				}
				*aToIdType = ID_IPV6_ADDR_SUBNET;
				PrefixMask(*aToIpAddr2, prefix_len, KAfInet);
			}

		 }
		 
	  } //end switch
   }	  

   return ETrue;
}

//First msg of PHASE_II as initiator
void CIkev1Negotiation::InitPhase2L()
{
    //Quick mode stage 1
    DEBUG_LOG(_L("-------- IKE: Initiating PHASE II --------"));
    iPhase = PHASE_II;
    iDOI=IPSEC_DOI;
    iStage = 1;

    GetSPIL();
    //the rest will be done in ReceiveSPI
}

//Requests an SPI from the kernel

void CIkev1Negotiation::GetSPIL()
{
    CProposal_IIList *propII_List;
    CProposal_II *prop=NULL;
    TUint8 sa_type = 0;

    DEBUG_LOG1(_L("GetSPI in stage: %d"), iStage);

    iInboundSPIList = new (ELeave) CArrayFixFlat<TSPINode>(1);

    if (iRole == RESPONDER) //If Phase II proposal Chosen
        propII_List = iChosenProp_IIList;   //If RESPONDER
    else
        propII_List = iProposal_IIList; //If INITIATOR

    TInt i, count = propII_List->Count();
    for (i = 0; i < count; i++) //May have many Phase_II proposals
    {
        prop = propII_List->At(i);
        if (prop->iProtocol == PROTO_IPSEC_AH)
            sa_type = SADB_SATYPE_AH;
        else if (prop->iProtocol == PROTO_IPSEC_ESP)
            sa_type = SADB_SATYPE_ESP;
        else
            sa_type = 0;    //Unknown Protocol

        TInetAddr myAddr(iLocalAddr);
		if ( myAddr.IsUnspecified() )
		    User::LeaveIfError( iPluginSession->GetLocalAddress( myAddr ) );
        TInetAddr peerAddr(iRemoteAddr);
        peerAddr.SetPort(0);
        TSPINode node;
        node.iPropNum = prop->iProposalNum;
        node.iSeq = iSeq;
        iInboundSPIList->AppendL(node);
        
        
        __ASSERT_DEBUG( iIpsecSaSpiRetriever != NULL,
                        User::Invariant() );
        iIpsecSaSpiRetriever->Cancel();
        iIpsecSaSpiRetriever->GetIpsecSaSpi( iSeq++, sa_type, peerAddr, myAddr );        
        iPendingSPI++;      //To know when all received in ReceiveSPIL()
    }

    DEBUG_LOG1(_L("GetSPI seq= %d"), iSeq);
}

//aSPI received in Network order.
void CIkev1Negotiation::ReceiveSPIL(TUint32 aSPI, TUint32 aSeq)
{
	TIkev1IsakmpStream* msg = SaveIkeMsgBfr( new (ELeave) TIkev1IsakmpStream(iDebug) );
	
    DEBUG_LOG2(_L("ReceiveSPIL: SPI=%x, Seq=%u"), ByteOrder::Swap32(aSPI), aSeq);

    CProposal_IIList *propII_List = iProposal_IIList;
    TInt i;
    for (i = 0; i < iInboundSPIList->Count(); i++)
    {
        if (iInboundSPIList->At(i).iSeq == aSeq)
        {
            iInboundSPIList->At(i).iSPI = aSPI;
            break;
        }
        //prop = prop->iNext;   //To assign the SPI to the correct proposal
    }
    if (iRole==INITIATOR)
        propII_List->At(i)->iSPI.Copy((TUint8*)&aSPI,sizeof(TUint32));  //needed to send it to the other Peer

    if (--iPendingSPI)  // Check if still waiting for some SPI
        return;

    iExchange = IKE_QUICK_MODE; //Current mode being used.
    //Builds and send the packet

    if ((iHostData->iCommit) && (iRole==RESPONDER)) //Responder  && if commit bit used we set the flag
        iFlags |= ISAKMP_HDR_CFLAG; //Sets the Commit bit if this side set it else

    msg->IsakmpInit(this);
    msg->IsakmpHashL();
    msg->IsakmpSa();
    ComputeNonceL();     //Computes a new Nonce for PHASE_II
    msg->IsakmpNonce();
    if (iPFS)   //Only sent if PFS in use...
        msg->IsakmpKeyL();

    if (iStage==1)  //Initiator
    {
        //
        // If Internal address private extension used change iLocalAddr1_ID_II to
        // correspond that address
        //
        if ( iInternalAddr ) {
           iLocalAddr1_ID_II = iInternalAddr->iClientIntAddr;       
           iLocalIDType_II   = ID_IPV4_ADDR;
           iDefaultLocalID   = ETrue;  
        }   
        DEBUG_LOG(_L("PhaseII IV:"));   //New IV for phase II
        ComputeIVL(iIV, iMessageId);
        //IDs must be sent if TUNNEL mode or is explicitly specified in the acquire
        if ((!iLocalAddr1_ID_II.IsUnspecified()) || (!iRemoteAddr1_ID_II.IsUnspecified()) ||
            (iIDProtocol != 0) || (iIDLocalPort != 0) || (iIDRemotePort != 0))
        {
            msg->IsakmpOwnIdentL();     //Own proxy
            msg->IsakmpPeerIdentL();    //Peer Proxy
        }
    }
    else if (iStage==2) //Responder
    {
        if (iIDReceived)    //If received we send it back, otherwise no
        {
            msg->IsakmpPeerIdentL();
            msg->IsakmpOwnIdentL(); 
        }
        if (iHostData->iResponderLifetime)
            CheckSendResponderLifetime(*msg);    //Adds to the message the RESPONDER_LIFETIME payload if needed
    }
    else return;

    if (iHostData->iReplayStatus)
    {
        DEBUG_LOG(_L("Constructing REPLAY-STATUS"));
    
        TInt i;
        CProposal_II *prop;
        for (i = 0 ; i < iProposal_IIList->Count(); i++)
        {
            prop = iProposal_IIList->At(i);
            msg->IsakmpReplayStatus(prop->iProtocol, iInboundSPIList->At(i).iSPI, prop->iReplayWindowLength);
        }
    }
    msg->IsakmpHashContL(); //inserts the hash in the correct position of the buffer
    SendL(*msg);

    iStage++;   //Next stage
}

void CIkev1Negotiation::AcquireSAErrorResponse(TInt aError)
	{
	DEBUG_LOG(_L("CIkev1Negotiation::AcquireSAErrorResponse"));
		
	if ( iProposal_IIList )
		{
		for ( TInt j=0; j<iProposal_IIList->Count(); j++ )
			{			
			TIpsecSAData sa_data;	
		    sa_data.iSeq = iAcquireSeq;
		    sa_data.iPid = iPfkeyAcquirePID;
			sa_data.iSPI = 0;	
			sa_data.iDst = iRemoteAddr;
			
			CProposal_II* prop_II = iProposal_IIList->At( j );

			if ( prop_II->iProtocol == PROTO_IPSEC_AH )
				{
				sa_data.iSAType = SADB_SATYPE_AH;				
				}
	        else if ( prop_II->iProtocol == PROTO_IPSEC_ESP )
	            {
	            sa_data.iSAType = SADB_SATYPE_ESP;
	            }
			iPluginSession->AcquireSAError( sa_data, aError );
			}
		}
    iAcquirePending = EFalse;
	}

//Will update the outbound
void CIkev1Negotiation::UpdateSADatabaseL()
{
#ifdef _DEBUG
    TBuf<40> addr_buf;
#endif    
    TUint8 sa_type=0;
    TUint8 auth_alg=0;
    TUint8 encr_alg=0;
    TUint32 updateSPI,addSPI;
    TIpsecSAData sa_data;
    TBool   TunnelMode;
	//
    // Received Phase II key (Might be Auth + Encr keys)
	// (Buffers are allocated for max 1024 bits key material
	HBufC8* outboundKey_II = HBufC8::NewLC(128);
	HBufC8* inboundKey_II  = HBufC8::NewLC(128);     	
    TPtrC8 in_authKey(0,0), out_authKey(0,0);
    TPtrC8 in_encrKey(0,0), out_encrKey(0,0);
    //Identities
#ifdef _UNICODE	
	TBuf<80> id_work;
#endif						
	HBufC8* local_id   = HBufC8::NewLC(128);
	HBufC8* remote_id  = HBufC8::NewLC(128);
    // ESP UDP Encapsulation extension data	
	HBufC8* gen_ext_data = HBufC8::NewLC(128);     	
	TPtr8 GenExtData((TUint8*)gen_ext_data->Ptr(), 0, gen_ext_data->Des().MaxLength());
	
	DEBUG_LOG(_L("---UPDATING SAD---"));	
	
    if ((!iDefaultLocalID) && (iLocalIDType_II != 0))
    {
        switch (iLocalIDType_II)
        {   
        case ID_IPV4_ADDR:
        case ID_IPV6_ADDR:
#ifdef _UNICODE				
            iLocalAddr1_ID_II.OutputWithScope(id_work);
			local_id->Des().Copy(id_work);			
#else
			iLocalAddr1_ID_II.OutputWithScope(local_id->Des());			
#endif			
            break;
			
        case ID_IPV4_ADDR_SUBNET:
        case ID_IPV6_ADDR_SUBNET:
#ifdef _UNICODE							
            iLocalAddr1_ID_II.OutputWithScope(id_work);
			local_id->Des().Copy(id_work);			
#else
			iLocalAddr1_ID_II.OutputWithScope(local_id->Des());			
#endif						
            local_id->Des().AppendFormat(_L8("/%d"),PrefixLen(iLocalAddr2_ID_II));  //PrefixLen can't fail because checked before
            break;
        default:    //Should never come here
            DEBUG_LOG1(_L("Local ID type %d not supported"), iLocalIDType_II);
			CleanupStack::PopAndDestroy(5);  //key buffer, identities and ESP UDP encaps data
            return;
        }
    }

    if ((!iDefaultRemoteID) && (iRemoteIDType_II != 0) )
    {
        switch (iRemoteIDType_II)
        {   
        case ID_IPV4_ADDR:
        case ID_IPV6_ADDR:
#ifdef _UNICODE				
			iRemoteAddr1_ID_II.OutputWithScope(id_work);
			remote_id->Des().Copy(id_work);			
#else
			iRemoteAddr1_ID_II.OutputWithScope(remote_id->Des());			
#endif
			if ( iSwapRemoteIdType )
			{
			   if ( iRemoteIDType_II == ID_IPV4_ADDR )
				    remote_id->Des().AppendFormat(_L8("/%d"), 32);
			   else remote_id->Des().AppendFormat(_L8("/%d"), 128);
			}	
            break;
			
        case ID_IPV4_ADDR_SUBNET:
        case ID_IPV6_ADDR_SUBNET:
#ifdef _UNICODE				
			iRemoteAddr1_ID_II.OutputWithScope(id_work);
			remote_id->Des().Copy(id_work);			
#else
			iRemoteAddr1_ID_II.OutputWithScope(remote_id->Des());			
#endif
			if ( !iSwapRemoteIdType )
               remote_id->Des().AppendFormat(_L8("/%d"),PrefixLen(iRemoteAddr2_ID_II));    //PrefixLen can't fail because checked before
            break;
			
        default:    //Should never come here
            DEBUG_LOG1(_L("Remote ID type %d not supported"), iRemoteIDType_II);
			CleanupStack::PopAndDestroy(5);  //key buffer, identities and ESP UDP encaps data					
            return;
        }
    }

    TUint32 flags = 0;
    if (iPFS)
    {
        flags = SADB_SAFLAGS_PFS;
        DEBUG_LOG(_L("PFS enabled"));
    }

    TUint32 addPID;
    if (iRole==INITIATOR)
        addPID = iPfkeyAcquirePID;  //Require to remove the Larval SA
    else
        addPID = iPluginSession->Uid();
    
    DEBUG_LOG2(_L("SAD seq= %d , PID= %d"), iAcquireSeq, addPID);

    TInt i, j;
    for (i = 0; i < iInboundSPIList->Count(); i++)
    {
        if (iInboundSPIList->At(i).iPropNum == iProposalNum)
            break;
    }

    CProposal_II *prop;
    TSPINode inboundspi_node;
    TInt key_len, encr_len, auth_len;
    TChosenAttrib_II *attr_II;
    TInt count = iChosenProp_IIList->Count();

    for (j = 0 ; j < count; j++)
    {
        prop = iChosenProp_IIList->At(j);
        inboundspi_node = iInboundSPIList->At(i);
        attr_II = (TChosenAttrib_II *)prop->iAttrList->At(0);   //only 1 transform is chosen no matter how many there are
        if (prop->iProtocol == PROTO_IPSEC_AH)
        {
            
            sa_type  = SADB_SATYPE_AH;
            encr_alg = 0;
            auth_alg = attr_II->iTransformID;
			auth_len = (TInt)HMAC_KeyLength((TUint8)auth_alg);
			
			TPtr8 AHOutKey((TUint8*)outboundKey_II->Ptr(), 0, outboundKey_II->Des().MaxLength());
			TPtr8 AHInKey((TUint8*)inboundKey_II->Ptr(), 0, inboundKey_II->Des().MaxLength());
			
            ComputeKeys2L(prop, auth_len, inboundspi_node, AHOutKey, AHInKey);
            in_encrKey.Set(NULL, 0);
            out_encrKey.Set(NULL, 0);
            in_authKey.Set(inboundKey_II->Ptr(), auth_len/8);
            out_authKey.Set(outboundKey_II->Ptr(),auth_len/8);
        }
        else if (prop->iProtocol == PROTO_IPSEC_ESP)
        {
            sa_type = SADB_SATYPE_ESP;
            encr_alg = attr_II->iTransformID;
            if (attr_II->iKeyLength!=0)
                encr_len = attr_II->iKeyLength;
            else    //not sent means constant size or variable and use default
            {
				switch ( encr_alg )
				{
					case ESP_DES_CBC:
						encr_len = 64;
						break;
					case ESP_3DES_CBC:
						encr_len = 3*64;
						break;
					case ESP_NULL:
						encr_len = 0;
						break;
					case ESP_AES_CBC:
						encr_len = 128;
						break;
					default:	
						encr_len = 0;
						break;
						
				}	
            }

            if (attr_II->iAuthAlg==DOI_HMAC_MD5)
                auth_alg = SADB_AALG_MD5HMAC;
            else if (attr_II->iAuthAlg==DOI_HMAC_SHA)
                auth_alg = SADB_AALG_SHA1HMAC;
            else
                auth_alg = 0;

            auth_len = (TInt)HMAC_KeyLength((TUint8)auth_alg);
            key_len = encr_len + auth_len;

			TPtr8 ESPOutKey((TUint8*)outboundKey_II->Ptr(), 0, outboundKey_II->Des().MaxLength());
			TPtr8 ESPInKey((TUint8*)inboundKey_II->Ptr(), 0, inboundKey_II->Des().MaxLength());			
            ComputeKeys2L(prop, key_len, inboundspi_node, ESPOutKey, ESPInKey);

            in_encrKey.Set(inboundKey_II->Ptr(), encr_len/8);
            out_encrKey.Set(outboundKey_II->Ptr(), encr_len/8);

            //If no HMAC selected the next instr does nothing because size will be 0
            in_authKey.Set(inboundKey_II->Ptr() + in_encrKey.Length(),auth_len/8);
            out_authKey.Set(outboundKey_II->Ptr() + out_encrKey.Length(),auth_len/8);
            //
            // Nokia specific NAT traversal info (=ESP UDP tunneling)  
            // If iNAT_T_Required is true connection is over NAT:ted
            // newtork (=local end behind NAT).
			//
            if ( iNAT_T_Required ) {
               flags |= SADB_SAFLAGS_NAT_T;
            }
        }
        else
		{	
			DEBUG_LOG1(_L("Unknown IPsec protocol %d"), prop->iProtocol);
			CleanupStack::PopAndDestroy(5);  //key buffer, identities and ESP UDP encaps data					
			return;
		}	

        updateSPI = inboundspi_node.iSPI;
        Mem::Copy((TUint8*)&addSPI, prop->iSPI.Ptr(), sizeof(TUint32));

        TInetAddr local_addr(iLocalAddr);
        local_addr.SetPort(iIDLocalPort);
        TInetAddr remote_addr(iRemoteAddr);    
        remote_addr.SetPort(iIDRemotePort);
    
        //This will be always outbound
        
        TInt64 time(0), bytes(0);
        TPtrC8 time_ptr(attr_II->iLifeDurationSecs);
        TPtrC8 bytes_ptr(attr_II->iLifeDurationKBytes);
        if (attr_II->iReducedLifeSecs.Length() != 0)
            time_ptr.Set(attr_II->iReducedLifeSecs);

        if (attr_II->iReducedLifeKBytes.Length() != 0)
            bytes_ptr.Set(attr_II->iReducedLifeKBytes);

        ComputeLifetimes_II(time_ptr, bytes_ptr, time, bytes);
        if (time == 0)  //default lifetime applied
            time = DEFAULT_IPSEC_SA_LIFETIME;
        
        if (iHardLifetime > time)
            {
            DEBUG_LOG2(_L("Time %u, hard lifetime %d"),
                    I64LOW(time), I64LOW(iHardLifetime));
            time = iHardLifetime;
            }

        if (attr_II->iEncMode==DOI_TUNNEL)
        {
            TunnelMode = ETrue;
            DEBUG_LOG(_L("TUNNEL MODE"));
#ifdef _DEBUG            
            iLocalAddr1_ID_II.OutputWithScope(addr_buf);
            DEBUG_LOG1(_L("Local ID: net %S"), &addr_buf);
            
            if ((iLocalIDType_II == ID_IPV4_ADDR_SUBNET) || (iLocalIDType_II == ID_IPV6_ADDR_SUBNET))
                {
                iLocalAddr2_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG1(_L(", mask %S"), &addr_buf);
                }
            DEBUG_LOG1(_L(" (port %d)"), iIDLocalPort);
            iRemoteAddr1_ID_II.OutputWithScope(addr_buf);
            DEBUG_LOG1(_L("Remote ID: addr %S"), &addr_buf);
            if ((iRemoteIDType_II == ID_IPV4_ADDR_SUBNET) || (iRemoteIDType_II == ID_IPV6_ADDR_SUBNET))
                {
                iRemoteAddr2_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG1(_L(", mask %S"), &addr_buf);
                }
            DEBUG_LOG1(_L(" (port %d)"), iIDRemotePort);
#endif // _DEBUG            
            
        }
        else {
            TunnelMode = EFalse;        
            DEBUG_LOG(_L("TRANSPORT MODE"));
        }
        DEBUG_LOG1(_L("Sec Lifetime set to %u"),I64LOW(time));
        DEBUG_LOG1(_L("KB Lifetime set to %u"),I64LOW(bytes));

        //Inbound SA.
        sa_data.iSAType = sa_type;
        sa_data.iSeq = iAcquireSeq;
        sa_data.iSrc = remote_addr;
        sa_data.iDst = local_addr;
        sa_data.iProtocol = iIDProtocol;
        sa_data.iSrcIdType = iRemoteIDType_II;
        sa_data.iDstIdType = iLocalIDType_II;       
        sa_data.iSrcIdent.Set((TUint8 *)remote_id->Ptr(), remote_id->Length(), remote_id->Length());
        sa_data.iDstIdent.Set((TUint8 *)local_id->Ptr(), local_id->Length(), local_id->Length());
        sa_data.iPid = iPluginSession->Uid();
        sa_data.iSPI = updateSPI;
        sa_data.iAuthAlg = auth_alg;
        sa_data.iEncrAlg = encr_alg;
        sa_data.iAuthKey.Set(in_authKey);
        sa_data.iEncrKey.Set(in_encrKey);
        TIpsecSALifetime lifetime(0, bytes, time, 0);
        sa_data.iHard = &lifetime;
        sa_data.iReplayWindowLength = prop->iReplayWindowLength;

        if ( (sa_type == SADB_SATYPE_ESP) && (GenExtData.Length() == 0) ) {     
           //
           // Store possible NAT traversal info for IPSEC to do ESP UDP encapsulation correctly
           //
            PFKeyExtDataUtil::BuildUdpEncExtensionData( GenExtData,
                                                        iNAT_D_Flags,
                                                        (flags & SADB_SAFLAGS_NAT_T),
                                                        iHostData->iUseNatProbing,
                                                        (TUint16)iHostData->iEspUdpPort, 
                                                        UDP_KEEPALIVE_TIME,
                                                        iLastRemoteAddr,
                                                        iRemoteOriginalAddr );
        }
        
        if ( GenExtData.Length() ) {
           sa_data.iGenericExtension.Set(GenExtData);      
        }

        if ( TunnelMode ) {
           //
           // Get VPN interface index 
           //
           TUint32 vpnInterfaceIndex = iPluginSession->VpnInterfaceIndex();
           if ( vpnInterfaceIndex != 0 )
               {
               sa_data.iInternalAddress.Init( KAfInet6 );
               sa_data.iInternalAddress.SetScope( vpnInterfaceIndex );
               flags |= SADB_SAFLAGS_INT_ADDR;
               }
           }
        sa_data.iFlags = flags;
		iPluginSession->UpdateSAL(sa_data);
		TIpsecSPI SpiData;
		SpiData.iProtocol = sa_type;
		SpiData.iSrcAddr  = remote_addr;
		SpiData.iDstAddr  = local_addr;
		SpiData.iSPI      = updateSPI;
		SpiData.iInbound  = ETrue;
		iPluginSession->AddIpsecSPIToSAL(iSAId, SpiData);

        sa_data.iFlags &= ~SADB_SAFLAGS_INT_ADDR; //No VPN interface index to outbound SA
        //Outbound SA.
        //First check there's no other SA with the same parameters and
        //erase it if happens (very unlikely, but still possible)
		SpiData.iDstAddr = remote_addr;
		SpiData.iSrcAddr = local_addr;
		SpiData.iSPI     = addSPI;
		SpiData.iInbound = EFalse;
		if ( iPluginSession->DeleteIpsecSpi(iSAId, addSPI, EFalse) )		
        {
            DEBUG_LOG(_L("Deleting previously negotiated IPsec SA"));
			iPluginSession->DeleteIpsecSA(SpiData.iSPI, SpiData.iSrcAddr, SpiData.iDstAddr, 
                                              SpiData.iProtocol);
        }
        //Some changes in the SA, the rest is the same
        sa_data.iSrc = local_addr;
        sa_data.iDst = remote_addr;
        sa_data.iSrcIdType = iLocalIDType_II;
        sa_data.iDstIdType = iRemoteIDType_II;
        sa_data.iSrcIdent.Set((TUint8 *)local_id->Ptr(), local_id->Length(), local_id->Length());
        sa_data.iDstIdent.Set((TUint8 *)remote_id->Ptr(), remote_id->Length(), remote_id->Length());
        sa_data.iPid = addPID;
        sa_data.iSPI = addSPI;
        sa_data.iAuthKey.Set(out_authKey);
        sa_data.iEncrKey.Set(out_encrKey);
        
        iPluginSession->AddSAL(sa_data);
		iPluginSession->AddIpsecSPIToSAL(iSAId, SpiData);
        
        i++;    //To get the correct SPIs from iInboundSPIList
	} //end for

	CleanupStack::PopAndDestroy(5);  //key buffer, identities and ESP UDP encaps data
	
	iAcquirePending = EFalse;
	
}

void CIkev1Negotiation::ComputeLifetimes_II(const TDesC8 &aLifetime, const TDesC8 &aLifesize, TInt64 &aTime, TInt64 &aBytes)
{
    TInt64 maxnum = MAKE_TINT64(0x7fffffffu, 0xffffffffu);
        
    if (Desc8ToTInt64(aLifetime, aTime) != KErrNone)
        {
        DEBUG_LOG(_L("Phase_II Lifetime(sec) Overflowed Setting to maximum value"));
        }
    if (Desc8ToTInt64(aLifesize, aBytes) != KErrNone) {
        DEBUG_LOG(_L("Phase_II Lifetime(kbytes) Overflowed Setting to maximum value"));
    }       
    else 
    {   if (aBytes < maxnum / 1024) //Make sure no overflow
            aBytes = aBytes * 1024; //KB to Bytes
        else
        {
            aBytes = MAKE_TINT64(KMaxTInt, KMaxTUint);            
            DEBUG_LOG(_L("Phase_II Lifetime(kbytes) Overflowed Setting to maximum value"));
        }
    }

}


TBool CIkev1Negotiation::Phase_IExchangeL(const ThdrISAKMP &aHdr)
{       
    if (!ProcessHeaderL(aHdr))
        return EFalse;

    DEBUG_LOG2(_L("---------- Phase %d - Stage %d ----------"),iPhase, iStage);
    if (iPhase == PHASE_I)
    {
        if (aHdr.GetExchange() == ISAKMP_EXCHANGE_ID)
            MainModeReplyL();   //Main Mode
        else
            AggressiveReplyL(); //Aggressive Mode
    }
    else
    {
        QuickModeReplyL();
    }
    return ETrue;
}

TBool CIkev1Negotiation::Phase_IIExchangeL(const ThdrISAKMP &aHdr)
{       
    if (!ProcessHeaderL(aHdr))
        return EFalse;

    DEBUG_LOG2(_L("---------- Phase %d - Stage %d ----------"),iPhase, iStage);

    QuickModeReplyL();

    return ETrue;
}

void CIkev1Negotiation::QuickModeReplyL()
{

	TIkev1IsakmpStream* msg = SaveIkeMsgBfr( new (ELeave) TIkev1IsakmpStream(iDebug) );	
    switch(iStage)
    {
    //INITIATOR cases
    case 3: //Send last message (if no COMMIT)
        msg->IsakmpInit(this);
        msg->IsakmpHashL();
        SendL(*msg);
        iStage = 4;  

        if (iRecvFlags & ISAKMP_HDR_CFLAG)  //Commit Bit set
             return; //Not finished yet. We wait for CONNECTED
        
        //No Commot bit, Update SA database
        UpdateSADatabaseL();
        SetFinished();    //No more stages.
        break;
	case 1: 
		DEBUG_LOG(_L("QuickModeReplyL in Stage 1 ?"));		
		break;
    case 5: //Send last message (extra message waiting for commit(
        //No more processing required
        SetFinished();    //No more stages.
        break;
    //RESPONDER cases
    case 2:
        GetSPIL();
        //rest done in receiveSPI
        break;
    case 4:
        if (iRecvFlags & ISAKMP_HDR_CFLAG)  //Commit Bit set
        {
            DEBUG_LOG(_L("Sending CONNECTED Status message"));
            msg->IsakmpInit(this);

            //HASH Payload only if payload protected with encryption
            if (iFlags & ISAKMP_HDR_EFLAG)
                msg->IsakmpHashL();
        
            msg->IsakmpNotification(CONNECTED, iChosenProp_IIList->At(0)->iProtocol);

            if (iFlags & ISAKMP_HDR_EFLAG)
                msg->IsakmpHashContL();
                
            SendL(*msg);
        }
        SetFinished();
        break;
    }
}

//Builds and sends a Phase I reply for Main Mode
void CIkev1Negotiation::MainModeReplyL()
{
	TIkev1IsakmpStream* msg = SaveIkeMsgBfr( new (ELeave) TIkev1IsakmpStream(iDebug) );		
    TInt          vendor_type;
 
    switch(iStage)
    {
    //
    //RESPONDER replies
    //
    case 2: 
        msg->IsakmpInit(this);
        msg->IsakmpSa();
        if ( iHostData->iDPDHeartBeat != 0 )
           BuildDPDVendorId(*msg);        
        if ( iNatDiscovery ) {
           iNatDiscovery->BuildNatVendorId(*msg); 
           iNatDiscovery->BuildRfcNatVendorId(*msg);
        }   
        SendL(*msg);
        iStage = 3;
        break;
    case 4:
        ComputeNonceL();         //Nonce to be sent
        msg->IsakmpInit(this);
        msg->IsakmpKeyL();
        msg->IsakmpNonce();
        if (((iChosenProposal_I.iAttrList->iAuthMethod == RSA_SIG) ||
             (iChosenProposal_I.iAttrList->iAuthMethod == DSS_SIG)) && !iPeerX509Cert)
           msg->IsakmpCertificateReqL();
		if ( iNatDiscovery ) {
			iNatDiscovery->BuildDiscoveryPayloadsL(*msg, iChosenProposal_I.iAttrList->iHashAlg,
				                                  (TUint8*)iCookie_I.Ptr(), (TUint8*)iCookie_R.Ptr(),
				                                  iLocalAddr, iLastRemoteAddr);    
		}
		SendL(*msg);
        iStage = 5; //next stage
        iFlags |= ISAKMP_HDR_EFLAG; //From now on encryption is used
        if (!ComputeKeysL())    //Generates keying material for encryption stages
            return; //error don't send reply packet
        break;
    case 6:
        msg->IsakmpInit(this);
        
        switch(iChosenProposal_I.iAttrList->iAuthMethod)
        {
        case RSA_SIG:
        case DSS_SIG:
            msg->IsakmpOwnIdentL();
            msg->IsakmpCertificateL();
            msg->IsakmpSignatureL();
            break;
        case PRE_SHARED:
            msg->IsakmpOwnIdentL();
            msg->IsakmpHashL();
            break;
        }
        
        if ( iHostData->iInitialContact &&   
             iRole == INITIATOR &&
             iSARekeyInfo == NULL ) 
        {
           DEBUG_LOG(_L("Constructing INITIAL-CONTACT"));
           msg->IsakmpNotification(DOI_INITIAL_CONTACT, PROTO_ISAKMP); //Not protected by the hash!
        }
        
        SendL(*msg);

		IsakmpPhase1CompletedL();
        break;
    //
    //INITIATOR replies
    //
    case 3:
        ComputeNonceL();         //Nonce to be sent
        msg->IsakmpInit(this);
        msg->IsakmpKeyL();
        msg->IsakmpNonce();
        if ( iChosenProposal_I.iAttrList->iAuthMethod == IKE_A_CRACK && !iPeerX509Cert )
		{
            msg->IsakmpCertificateReqL();
        }
        if ( iHostData->iUseNatProbing )
             vendor_type = EXPANDED_VENDOR_ID;
        else vendor_type = HASH_VENDOR_ID;
        msg->IsakmpVendorId(vendor_type,       
                              (TUint8*)iCookie_I.Ptr(),
                              (TUint8*)iCookie_R.Ptr(), iLocalAddr);
        if ( iNatDiscovery )
		{
           iNatDiscovery->BuildDiscoveryPayloadsL(*msg, iChosenProposal_I.iAttrList->iHashAlg,
                                                 (TUint8*)iCookie_I.Ptr(), (TUint8*)iCookie_R.Ptr(),
                                                 iLocalAddr, iLastRemoteAddr);    
        }   
        SendL(*msg);
        iStage = 4; //next stage
        break;

    case 5:
        iFlags |= ISAKMP_HDR_EFLAG; //From now on encryption is used
        if (!ComputeKeysL())    //Generates keying material for encryption stages
            return; //error don't send reply packet
        
        msg->IsakmpInit(this);
        
        switch(iChosenProposal_I.iAttrList->iAuthMethod)
        {
        case RSA_SIG:
        case DSS_SIG:
            msg->IsakmpOwnIdentL(); //Also fills iOwnIdentPayload!
            msg->IsakmpCertificateL();
            msg->IsakmpSignatureL();
            if (!iPeerX509Cert)
               msg->IsakmpCertificateReqL(); 
            break;
        case PRE_SHARED:
            msg->IsakmpOwnIdentL();
            msg->IsakmpHashL();
            break;
        }
        
        
        if ( iFamiliarPeer && iHostData->iUseInternalAddr )
           msg->IsakmpIntnet(0);  /* null IPV4 address as parameter */

		if ( iHostData->iInitialContact &&
		    !iPluginSession->FindIkev1SADataWithAddr(iRemoteAddr) &&
            iRole == INITIATOR &&
		    iSARekeyInfo == NULL ) 
		{
			DEBUG_LOG(_L("Constructing INITIAL-CONTACT"));
			msg->IsakmpNotification(DOI_INITIAL_CONTACT, PROTO_ISAKMP); //Not protected by the hash!
		}
		
        SendL(*msg);
        iStage = 6; //next stage
        
        break;
    case 7:
        // CRACK authentication going. No actions required here !
        break;
    default:
        DEBUG_LOG1(_L("Main mode Wrong Phase number requested (%d) !!"),iStage);
    }

}


//Builds and sends a Phase I reply for Aggressive Mode
void CIkev1Negotiation::AggressiveReplyL()
{
	TIkev1IsakmpStream* msg = SaveIkeMsgBfr( new (ELeave) TIkev1IsakmpStream(iDebug) );			
	
    switch(iStage)
    {
    case 2://RESPONDER Sends the 2nd msg. of the exchange
        ComputeNonceL();         //Nonce to be sent
        msg->IsakmpInit(this);
        msg->IsakmpSa();
        msg->IsakmpKeyL();
        msg->IsakmpNonce();
        msg->IsakmpOwnIdentL();
        
        if (!ComputeKeysL()) //Needed to compute hash before computing signature
		{
		   return;
		}   
        
        if ( iHostData->iDPDHeartBeat != 0 )
           BuildDPDVendorId(*msg);        
        if ( iNatDiscovery ) {
           iNatDiscovery->BuildNatVendorId(*msg);
           iNatDiscovery->BuildRfcNatVendorId(*msg);
           iNatDiscovery->BuildDiscoveryPayloadsL(*msg, iChosenProposal_I.iAttrList->iHashAlg,
                                                 (TUint8*)iCookie_I.Ptr(), (TUint8*)iCookie_R.Ptr(),
                                                 iLocalAddr, iLastRemoteAddr);    
        }   
        
        switch (iChosenProposal_I.iAttrList->iAuthMethod)
        {
        case RSA_SIG:
        case DSS_SIG:
            msg->IsakmpCertificateL();
            msg->IsakmpSignatureL();
            if (!iPeerX509Cert) //No stored cert so send a CR
            {
                msg->IsakmpCertificateReqL();
            }
            break;
        case PRE_SHARED:
            msg->IsakmpHashL();
            break;
        }
        SendL(*msg);
		
        iStage = 3; //next stage
		
        break;
    case 3://INITIATOR
        iFlags |= ISAKMP_HDR_EFLAG; //From now on encryption is used                
        msg->IsakmpInit(this);
        if ( iNatDiscovery ) {
           iNatDiscovery->BuildDiscoveryPayloadsL(*msg, iChosenProposal_I.iAttrList->iHashAlg,
                                                 (TUint8*)iCookie_I.Ptr(), (TUint8*)iCookie_R.Ptr(),
                                                 iLocalAddr, iLastRemoteAddr);    
        }   
        
        switch (iChosenProposal_I.iAttrList->iAuthMethod)
        {
        case RSA_SIG:
        case DSS_SIG:
            msg->IsakmpCertificateL();   
            msg->IsakmpSignatureL(); 
            break;
        case PRE_SHARED:
            msg->IsakmpHashL();
            break;
        }
		if ( iHostData->iInitialContact &&
		     !iPluginSession->FindIkev1SADataWithAddr(iRemoteAddr) &&
             iRole == INITIATOR &&
		     iSARekeyInfo == NULL ) //Only sent if no ISAKMP SA established
		{
			DEBUG_LOG(_L("Constructing INITIAL-CONTACT"));
			msg->IsakmpNotification(DOI_INITIAL_CONTACT, PROTO_ISAKMP); //Not protected by the hash!
		}

        SendL(*msg);
        IsakmpPhase1CompletedL();       
        break;
	case 4:
		// Aggressive mode as responder completed
		DEBUG_LOG(_L("Aggressive mode as responder completed"));		
		break;
		
    case 7:
        // CRACK authentication going. No actions required here !
        break;
    default:
        DEBUG_LOG1(_L("Main mode Wrong Phase number requested (%d) !! "),iStage);
    }
	
}

void CIkev1Negotiation::SaveISAKMPSAL()
{
	//
	// Create a new IKEv1 SA object       
	//
	TIkev1SAData SaData;
	SaData.iCookie_I       = iCookie_I;
	SaData.iCookie_R       = iCookie_R;
	SaData.iSAId           = iSAId;
	SaData.iSAState        = 0;
	SaData.iInitiator      = (iRole == INITIATOR);
	SaData.iAutoLogin      = iAutoLogin;
	SaData.iDPDSupported   = iDPDSupported;
	SaData.iFamiliarPeer   = iFamiliarPeer;
	SaData.iNAT_T_Required = iNAT_T_Required;
	SaData.iNAT_D_Flags    = iNAT_D_Flags;
	SaData.iIkeData        = iHostData;
	SaData.iLocalAddr      = iLocalAddr;
	SaData.iRemoteAddr     = iRemoteAddr;
	SaData.iDestinAddr     = iLastRemoteAddr;
	SaData.iVirtualIp      = iInternalAddr;
	SaData.iSeq            = iSeq;
	SaData.iPrevExchange   = iPrevExchange;
	SaData.iFlags          = iFlags;
	
	SaData.iEncrAlg        = iChosenProposal_I.iAttrList->iEncrAlg;
	SaData.iHashAlg        = iChosenProposal_I.iAttrList->iHashAlg;
	SaData.iGroupDesc      = iChosenProposal_I.iAttrList->iGroupDesc;
	SaData.iGroupType      = iChosenProposal_I.iAttrList->iGroupType;				
	SaData.iKeyLength      = iChosenProposal_I.iAttrList->iKeyLength;

	TUint32 Lifetime = 0;
	TUint Len = iChosenProposal_I.iAttrList->iLifeDurationSecs.Length();
	if (Len > 0)
	{
		if (Len > sizeof(TUint32))
		{
			Lifetime = KMaxTUint32;
		}
		else    // (len <= sizeof(TUint32))
		{
			Mem::Copy(&Lifetime, iChosenProposal_I.iAttrList->iLifeDurationSecs.Ptr(), Len);
			Lifetime = ByteOrder::Swap32(Lifetime);
			Lifetime = Lifetime >> (sizeof(TUint32)*8 - Len*8);   //To set the correct value (shift in bits)
		}
	}
	SaData.iLifeTimeSecs = Lifetime;
	
	Lifetime = 0;
	Len = iChosenProposal_I.iAttrList->iLifeDurationKBytes.Length();
	if (Len > 0)
	{
		if (Len > sizeof(TUint32))
		{
			Lifetime = KMaxTUint32;
		}
		else    // (len <= sizeof(TUint32))
		{
			Mem::Copy(&Lifetime, iChosenProposal_I.iAttrList->iLifeDurationKBytes.Ptr(), Len);
			Lifetime = ByteOrder::Swap32(Lifetime);
			Lifetime = Lifetime >> (sizeof(TUint32)*8 - Len*8);   //To set the correct value (shift in bits)
		}
	}
	SaData.iLifeTimeKB = Lifetime;

	SaData.iSKEYID     = iSKEYID;
	SaData.iSKEYID_d   = iSKEYID_d;
	SaData.iSKEYID_a   = iSKEYID_a;
	SaData.iSKEYID_e   = iSKEYID_e;
	SaData.iLastIV     = iLastIV;
	SaData.iIV         = iIV;

	if ( iDPDSupported && iHostData->iDPDHeartBeat )
	{
	   //
	   //  Initialize DPD protocol parameters in TIkev1SAData
	   //
		TPtr8 ptr((TUint8*)&SaData.iDPDSequence, sizeof(TUint32));	 
		ptr.SetLength(sizeof(TUint32));
		TRandom::RandomL(ptr);	
		SaData.iDPDSequence &= 0x7fffffff;
		SaData.iDPDRetry = 0;
		SaData.iPendingDPDSequence  = 0;
		SaData.iExpectedDPDSequence = 0;		
	}	
		
	iLastIKEMsgInfo.Store(SaData.iLastIKEMsgInfo);
    SaData.iLastMsg = iLastMsg;
	iPluginSession->CreateIkev1SAL(SaData, iSARekeyInfo);   // Add rekey info later
}

TBool CIkev1Negotiation::ProcessHeaderL(const ThdrISAKMP &aHdr)
{
    //checks on the header    
    if (!CheckCookies(aHdr.GetCookieI(), aHdr.GetCookieR()))
        return EFalse;

    if (iStage == 1)
    {
        if (iPhase == PHASE_I)
        {
            iCookie_I = aHdr.GetCookieI();  //save initiator cookie
            iCookie_R = CreateCookieL(); //create responder cookie
        }
        iMessageId = aHdr.GetMessageId();
    }
    
    //checks on the header    
    if (!CheckPayloadCode(aHdr.GetPayload()))
        return EFalse;

    if (!CheckVersionL(aHdr.GetVersion()))
        return EFalse;
    
    if (!CheckExchangeTypeL(aHdr.GetExchange()))
        return EFalse;

    if (!CheckFlagsL(aHdr.GetFlags()))
        return EFalse;
    iRecvFlags = aHdr.GetFlags();   //Save the flags for later use

    if (!CheckMessageIdL(aHdr.GetMessageId()))
        return EFalse;

    iLengthLeft -= ISAKMP_HEADER_SIZE;  //Updates the length left in the buffer

    //EVEN stages RESPONDER, ODD ones INITIATOR
    DEBUG_LOG(_L("Processing packet..."));
    if (iPhase == PHASE_I)
    {
        switch (iStage)
        {
            case 1:
                if (!ProcessStage1L(aHdr))
                    return EFalse;
                break;
            case 2:
                if (!ProcessStage2L(aHdr))
                    return EFalse;
                break;
            case 3:
                if (iExchange == ISAKMP_EXCHANGE_ID)
                {
                    if (!ProcessStage3MainL(aHdr))
                        return EFalse;
                }
                else    //ISAKMP_EXCHANGE_AGGR
                {
                    if (!ProcessStage3AggrL(aHdr))
                        return EFalse;
                }
                break;
            case 4:
                if (!ProcessStage4L(aHdr))
                    return EFalse;
                break;
            case 5:
                if (!ProcessStage5L(aHdr))
                    return EFalse;
                break;
            case 6:
                if (!ProcessStage6L(aHdr))
                    return EFalse;
                break;
            case 7:
                if (!ProcessStage7L(aHdr))   /* For CRACK negotiation */
                    return EFalse;
                break;
            default:
                return EFalse;
        }
    }
    else    //PHASE_II
    {
        switch (iStage)
        {
            case 1:
                if (!ProcessStage1Phase2L(aHdr))
                    return EFalse;
                break;
            case 2:
                if (!ProcessStage2Phase2L(aHdr))
                    return EFalse;
                break;
            case 3:
                if (!ProcessStage3Phase2L(aHdr))
                    return EFalse;
                break;
            case 4:
                if (!ProcessCONNECTEDL(aHdr))
                    return EFalse;
                break;
            default:
                DEBUG_LOG(_L("Quick Bad Stage"));
        }
    }
    return ETrue;
}

//Process payloads appearing in Stage 1. Responder Role
TBool CIkev1Negotiation::ProcessStage1L(const ThdrISAKMP &aHdr)
{
	CIkev1Payloads* payload = CIkev1Payloads::NewL(aHdr, *this, iDebug);
	if (!payload)
	   return EFalse;	

	CleanupStack::PushL(payload);
	
    //SA Payload processing (all modes)
    if (!ProcessSAL(payload->iSa, NULL))
    {
		CleanupStack::PopAndDestroy();  //payload
        return EFalse;
    }

	//Process vendor ID:s  
	ProcessVendorL(payload->iVids);
	
    TUint16 auth_method = iChosenProposal_I.iAttrList->iAuthMethod;
	
	switch (auth_method)
	{
		case RSA_SIG:
		case DSS_SIG:
			//Process the possible CR payloads
			if ( !ProcessCertificateReqArrayL(payload->iCertReqs) ) {
				CleanupStack::PopAndDestroy();  //payload
				return EFalse;
			}
			//Process the possible CERT payloads
			if ( !ProcessCertificateArrayL(payload->iCerts) ) {
				CleanupStack::PopAndDestroy();  //payload
				return EFalse;
			}
			break;

		default:
			break;
	}

	
    if (iExchange == ISAKMP_EXCHANGE_ID)
    {
		if ( payload->iKe || payload->iNonce || payload->iHash || payload->iSign ||
			 payload->iIds->Count() )
		{
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}	
    }
    else //ISAKMP_EXCHANGE_AGGR
    {
		if ( !payload->iKe || !payload->iNonce || (payload->iIds->Count() != 1) )
		{
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}	
		
        //Key Payload processing (all modes)
        if (!ProcessKeyL(payload->iKe))
        {
            CleanupStack::PopAndDestroy();  //payload
            return EFalse;
        }
		TIdentISAKMP* id_payload    = (TIdentISAKMP*)payload->iIds->At(0);  // The first ID		
		TNonceISAKMP* nonce_payload = (TNonceISAKMP*)payload->iNonce;
		
        //Nonce Payload processing
        if (!ProcessNonceL(nonce_payload))
        {
			CleanupStack::PopAndDestroy();  //payload
            return EFalse;
        }
        //ID Payload processing
        if (!CheckIdentL(id_payload))
        {
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
        }
        //Save the ident payload for HASH_I/R computing
        delete iPeerIdentPayload;
		iPeerIdentPayload = NULL;
        iPeerIdentPayloadSize = id_payload->GetLength() - sizeof(TPayloadISAKMP);
        iPeerIdentPayload = new (ELeave) TUint8[iPeerIdentPayloadSize];
        Mem::Copy(iPeerIdentPayload,((TUint8 *)id_payload)+sizeof(TPayloadISAKMP),iPeerIdentPayloadSize);
        
        if ( iNatDiscovery )
		{
		   if ( payload->iNatDs->Count() )
		   {	   
               iNAT_D_Flags = iNatDiscovery->CheckDiscoveryPayloadsL(payload->iNatDs, iChosenProposal_I.iAttrList->iHashAlg,
                                                                    (TUint8*)iCookie_I.Ptr(), (TUint8*)iCookie_R.Ptr(),
                                                                     iLocalAddr, iLastRemoteAddr);
		       if ( iNAT_D_Flags )
			      iLastRemoteAddr.SetPort(FLOATED_IKE_PORT);
		   }
		   else
		   {
			   if ( iLastRemoteAddr.Port() == FLOATED_IKE_PORT )
				   iNAT_D_Flags |= LOCAL_END_NAT; 
		   }	   
        }
        
    }//end aggressive

				   
    CleanupStack::PopAndDestroy();  //payload
    iStage = 2;
    return ETrue;
    
}
                
//Process payloads appearing in Stage 3. Initiator Role
TBool CIkev1Negotiation::ProcessStage2L(const ThdrISAKMP &aHdr)
{
	CIkev1Payloads* payload = CIkev1Payloads::NewL(aHdr, *this, iDebug);
	if (!payload)
		return EFalse;
	
	CleanupStack::PushL(payload);
	
	iCookie_R = aHdr.GetCookieR();    //Save the responder Cookie	

    //SA Payload processing (all modes)
    if (!ProcessSAL(payload->iSa, NULL)) {
        CleanupStack::PopAndDestroy();  // payload
        return EFalse;
    }

	ProcessVendorL(payload->iVids);
	
    if ( iAutoLogin && (iLocalAddr.Family() == KAFUnspec ) ) {
        User::LeaveIfError( iPluginSession->GetLocalAddress( iLocalAddr ) ); //No local address, get it now (used later with NAT traversal)
    }

    //NOW we know the auth method chosen!
    TUint16 auth_method = iChosenProposal_I.iAttrList->iAuthMethod;

    switch (auth_method)
    {
    case RSA_SIG:
    case DSS_SIG:
        //Process the possible CR payloads
        if ( !ProcessCertificateReqArrayL(payload->iCertReqs) )
		{
            CleanupStack::PopAndDestroy();  //payload
            return EFalse;
        }
	    if (!ProcessCertificateArrayL(payload->iCerts))
		{
		    CleanupStack::PopAndDestroy();  //payload
		    return EFalse;
 		}
        break;
		
    default:
		break;
    }

	if (iExchange == ISAKMP_EXCHANGE_ID)
	{
		if ( payload->iKe || payload->iNonce || payload->iHash || payload->iSign ||
			 payload->iIds->Count() )
		{
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}	
	}
    else //ISAKMP_EXCHANGE_AGGR
    {
		if ( !payload->iKe || 
		     !payload->iNonce || 
		     (!payload->iHash && auth_method == PRE_SHARED) // hash is a must only with PSK
		     || (payload->iIds->Count() != 1) )
		{
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}	
        //Key Payload processing (all modes)
        if (!ProcessKeyL(payload->iKe))
		{
			CleanupStack::PopAndDestroy();  //payload			
            return EFalse;
		}
		TIdentISAKMP* id_payload    = (TIdentISAKMP*)payload->iIds->At(0);  // The first ID		
		TNonceISAKMP* nonce_payload = (TNonceISAKMP*)payload->iNonce;
		
		//Nonce Payload processing
		if (!ProcessNonceL(nonce_payload))
		{
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}
		
		//ID Payload processing
		if (!CheckIdentL(id_payload))
		{
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}
		
        //Save the ident payload for HASH_I/R computing
        delete iPeerIdentPayload;
		iPeerIdentPayload = NULL;
        iPeerIdentPayloadSize = id_payload->GetLength()-sizeof(TPayloadISAKMP);
        iPeerIdentPayload = new (ELeave) TUint8[iPeerIdentPayloadSize];
        Mem::Copy(iPeerIdentPayload,((TUint8 *)id_payload)+sizeof(TPayloadISAKMP),iPeerIdentPayloadSize);
        
        if (!ComputeKeysL())    //Computes the keys to be used. Needed to compute HASH_R
		{
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}	
			
        switch (auth_method)
        {
        case PRE_SHARED:
			if (!ProcessHashL(payload->iHash))
			{
				CleanupStack::PopAndDestroy();  //payload			
				return EFalse;
			}
			DEBUG_LOG(_L("HASH OK!"));
            break;
        case RSA_SIG:
        case DSS_SIG:
        case IKE_A_CRACK:
            //Signature payload processing and checking
            if (!ProcessSignatureL(payload->iSign)) {
				CleanupStack::PopAndDestroy();  //payload	
                return EFalse;
			}	
            if ( auth_method == IKE_A_CRACK ) {
			   CleanupStack::PopAndDestroy();  //payload					
               return StartCRACKAuthL();
            }
			else {
				if (!CertifyRemoteIdentityL(id_payload))
				{
					DEBUG_LOG(_L("ProcessStage2L RSA_SIG CertifyRemoteIdentityL failed"));
					DEBUG_LOG(_L("AUTHENTICATION_FAILED"));
					SetErrorStatus( KKmdIkeAuthFailedErr );
					SendNotifyL(AUTHENTICATION_FAILED);
					CleanupStack::PopAndDestroy();  //payload			
					return EFalse;
				}
			}	
            break;

		default:
			break;
			
		}
		
		if ( iNatDiscovery && payload->iNatDs->Count()) {
			iNAT_D_Flags = iNatDiscovery->CheckDiscoveryPayloadsL(payload->iNatDs, iChosenProposal_I.iAttrList->iHashAlg,
				                                                 (TUint8*)iCookie_I.Ptr(), (TUint8*)iCookie_R.Ptr(),
				                                                  iLocalAddr, iLastRemoteAddr);
			if ( iNAT_D_Flags )
				iLastRemoteAddr.SetPort(FLOATED_IKE_PORT); 
		}
    }
	
	CleanupStack::PopAndDestroy();  //payload
	
    iStage = 3;
    return ETrue;
}

// Process payloads appearing in Stage 4. Order NOT relevant. Only Main Mode
// Handles message: HDR, KE, [HASH(1),] <IDii>PubKey_r, <Ni>PubKey_r for RSAENCR
// Handles message: HDR, KE, Ni for the rest [CERTREQ] in certificates
TBool CIkev1Negotiation::ProcessStage3MainL(const ThdrISAKMP &aHdr)
{
	CIkev1Payloads* payload = CIkev1Payloads::NewL(aHdr, *this, iDebug);
	if (!payload)
		return EFalse;

	CleanupStack::PushL(payload);

	if ( payload->iSa || !payload->iNonce || payload->iHash || payload->iSign )
	{
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}	
	
    TUint16 auth_method = iChosenProposal_I.iAttrList->iAuthMethod;
	
    //Process payloads
    //Main mode (ONLY)
    //Key Payload processing (all methods)
    if (!ProcessKeyL(payload->iKe))
    {
        CleanupStack::PopAndDestroy();  //payload
        return EFalse;
    }

    if ((auth_method == RSA_SIG) || (auth_method == DSS_SIG))
    {
        //Process the possible CR payloads
        if ( !ProcessCertificateReqArrayL(payload->iCertReqs) )
		{
            CleanupStack::PopAndDestroy();  //payload
            return EFalse;
        }
    }

	TNonceISAKMP* nonce_payload = (TNonceISAKMP*)payload->iNonce;
	
	ProcessVendorL(payload->iVids);
	
	if ( iNatDiscovery && payload->iNatDs->Count() )
	{ 
		iNAT_D_Flags = iNatDiscovery->CheckDiscoveryPayloadsL(payload->iNatDs, iChosenProposal_I.iAttrList->iHashAlg,
		                                                     (TUint8*)iCookie_I.Ptr(), (TUint8*)iCookie_R.Ptr(),
                                                   			  iLocalAddr, iLastRemoteAddr);
		if ( iNAT_D_Flags )
			iLastRemoteAddr.SetPort(FLOATED_IKE_PORT); 
	}
	
    //Nonce Payload processing (all methods)
	TBool Status = ProcessNonceL(nonce_payload);
	if ( Status )
	{
	   iStage = 4;
	}   
	CleanupStack::PopAndDestroy();  //payload
	
    return Status;
}


//Process payloads appearing in 3(Aggressive). Order NOT relevant
TBool CIkev1Negotiation::ProcessStage3AggrL(const ThdrISAKMP &aHdr)
{
	CIkev1Payloads* payload = CIkev1Payloads::NewL(aHdr, *this, iDebug);
	if (!payload)
		return EFalse;

	CleanupStack::PushL(payload);

    TUint16 auth_method = iChosenProposal_I.iAttrList->iAuthMethod;

    //Mode-dependent processing
    switch (auth_method)
    {
    case PRE_SHARED:
        //Hash payload processing
        if (!ProcessHashL(payload->iHash))
		{
			CleanupStack::PopAndDestroy();  //payload			
            return EFalse;
		}
        DEBUG_LOG(_L("HASH OK!"));
        break;
    case RSA_SIG:
    case DSS_SIG:
        //Certificate payload processing
        if (!ProcessCertificateArrayL(payload->iCerts))
		{
			CleanupStack::PopAndDestroy();  //payload
            return EFalse;
		}
        //Signature payload processing
        if (!ProcessSignatureL(payload->iSign))
		{	
			CleanupStack::PopAndDestroy();  //payload			
            return EFalse;
		}	
        break;
		
    default:
		break;
    }

	ProcessVendorL(payload->iVids);			
	
	if ( iNatDiscovery && payload->iNatDs->Count() ) { 
		iNAT_D_Flags = iNatDiscovery->CheckDiscoveryPayloadsL(payload->iNatDs, iChosenProposal_I.iAttrList->iHashAlg,
			                                                 (TUint8*)iCookie_I.Ptr(), (TUint8*)iCookie_R.Ptr(),
			                                                  iLocalAddr, iLastRemoteAddr);
		if ( iNAT_D_Flags )
			iLastRemoteAddr.SetPort(FLOATED_IKE_PORT); 
	}

	CleanupStack::PopAndDestroy();  //payload
	
    iFlags |= ISAKMP_HDR_EFLAG; //From now on encryption is used
	IsakmpPhase1CompletedL();
	iStage = 4;                 
    return ETrue;

}


//Process payloads appearing in Stage 5. Order NOT relevant. ONLY for MAIN Mode
// Preshared and signatures: HDR, KE, Nr
// RSA Encr. : HDR, <IDir>PubKey_i, <Nr_b>PubKey_i
// RSA Revised Encr. : HDR, <Nr_b>PubKey_i , <KE_b>Ke_r, <IDir>Ke_r
TBool CIkev1Negotiation::ProcessStage4L(const ThdrISAKMP &aHdr)
{
	CIkev1Payloads* payload = CIkev1Payloads::NewL(aHdr, *this, iDebug);
	if (!payload)
		return EFalse;

	CleanupStack::PushL(payload);

	if (  payload->iSa || !payload->iNonce || !payload->iKe )
	{
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}	

	TUint16 auth_method = iChosenProposal_I.iAttrList->iAuthMethod;	

    if ((auth_method == RSA_SIG) || (auth_method == DSS_SIG))
    {
        //Process the possible CR payloads
        if ( !ProcessCertificateReqArrayL(payload->iCertReqs) )
		{
            CleanupStack::PopAndDestroy();  //payload
            return EFalse;
        }
    }

    //Key Payload processing (all methods)
    if (!ProcessKeyL(payload->iKe))
	{
		CleanupStack::PopAndDestroy();  //payload		
        return EFalse;
	}
	if ( auth_method != PRE_SHARED ) {
		if (!ProcessCertificateArrayL(payload->iCerts)) {
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}
	}	
	TNonceISAKMP* nonce_payload = (TNonceISAKMP*)payload->iNonce;	
	
    //Nonce Payload processing (all modes)
	TBool Status = ProcessNonceL(nonce_payload);
    if (!Status)
    {
		CleanupStack::PopAndDestroy();  //payload
        return EFalse;
    }
	ProcessVendorL(payload->iVids);
	
	if ( iNatDiscovery && payload->iNatDs->Count() )
	{ 
		iNAT_D_Flags = iNatDiscovery->CheckDiscoveryPayloadsL(payload->iNatDs, iChosenProposal_I.iAttrList->iHashAlg,
		                                                   	 (TUint8*)iCookie_I.Ptr(), (TUint8*)iCookie_R.Ptr(),
			                                                  iLocalAddr, iLastRemoteAddr);
		if ( iNAT_D_Flags )
			iLastRemoteAddr.SetPort(FLOATED_IKE_PORT); 
	}

    if ( auth_method == IKE_A_CRACK )
	{
       /*---------------------------------------------------
        * Process message: HDR, [CERT], KEr, Nr, SIG
        * - Verify CRACK signature and if OK
        * - Initialize CRACK authentication
        *---------------------------------------------------*/
		Status = ComputeKeysL();
        if ( Status )  //Generates keying material for encryption stages
		{
			Status = ProcessSignatureL(payload->iSign); 
			if ( Status ) //Signature payload processing and checking
			{
				Status = StartCRACKAuthL();   			   
			} 	   
		}
    }
	else
	{
	    iStage = 5;	    
	}	

	CleanupStack::PopAndDestroy();  //payload			
    return Status;
}


//Process payloads appearing in Stage 6. Order NOT relevant
TBool CIkev1Negotiation::ProcessStage5L(const ThdrISAKMP &aHdr)
{
	CIkev1Payloads* payload = CIkev1Payloads::NewL(aHdr, *this, iDebug);
	if (!payload)
		return EFalse;

	CleanupStack::PushL(payload);
	if (  payload->iSa || payload->iNonce || payload->iKe )
	{
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}	

    TUint16 auth_method      = iChosenProposal_I.iAttrList->iAuthMethod;
	TIdentISAKMP* id_payload = NULL;
	// ID Payload processing (all modes)
	if ( payload->iIds->Count() != 1 )
	{
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}
	id_payload = (TIdentISAKMP*)payload->iIds->At(0);  // The first ID						
	if (!CheckIdentL(id_payload))
	{
		CleanupStack::PopAndDestroy();  //payload						
		return EFalse;
	}	
		//Save the ident payload for HASH_I/R computing
	delete iPeerIdentPayload;
	iPeerIdentPayload = NULL;		
	iPeerIdentPayloadSize=id_payload->GetLength()-sizeof(TPayloadISAKMP);
	iPeerIdentPayload = new (ELeave) TUint8[iPeerIdentPayloadSize];
	Mem::Copy(iPeerIdentPayload,((TUint8 *)id_payload)+sizeof(TPayloadISAKMP),iPeerIdentPayloadSize);

    //Mode-dependent processing
    switch (auth_method)
    {
    case PRE_SHARED:
        //Hash payload processing
        if (!ProcessHashL(payload->iHash))
		{
			CleanupStack::PopAndDestroy();  //payload			
            return EFalse;
		}
		DEBUG_LOG(_L("HASH OK!"));		
        break;
    case RSA_SIG:
    case DSS_SIG:
        //Certificate payload processing
        if (!ProcessCertificateArrayL(payload->iCerts))
		{
			CleanupStack::PopAndDestroy();  //payload									
            return EFalse;
		}
		if (!CertifyRemoteIdentityL(id_payload))
		{
    		DEBUG_LOG(_L("ProcessStage5L RSA_SIG CertifyRemoteIdentityL failed"));
			DEBUG_LOG(_L("AUTHENTICATION_FAILED"));
			SetErrorStatus( KKmdIkeAuthFailedErr );
			SendNotifyL(AUTHENTICATION_FAILED);
			CleanupStack::PopAndDestroy();  //payload			
			return EFalse;
		}
        //Signature payload processing and checking
        if (!ProcessSignatureL(payload->iSign))
		{
			CleanupStack::PopAndDestroy();  //payload
            return EFalse;
		}
		//Process the possible CR payloads (needed if we are responder)
		if ( iRole == RESPONDER )
		{	
		   if ( !ProcessCertificateReqArrayL(payload->iCertReqs) )
		   {
			  CleanupStack::PopAndDestroy();  //payload
			  return EFalse;
		   }
		   if ( !iOwnCert ) 
			   ReadOwnCertL(); // Peer does not required a specific cert. Get any
		}   
        break;
		
    default:
		break;
    }//end switch

    // Process notification payloads
	TInt i = 0;
	while ( i < payload->iNotifs->Count() ) {
		if (!ProcessNotificationL(payload->iNotifs->At(i)))
		{
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}		
        i ++; 		
	}	

	ProcessVendorL(payload->iVids);

	CleanupStack::PopAndDestroy();  //payload			
	
    if (iExchange == ISAKMP_EXCHANGE_ID)
         iStage = 6;
    else iStage = 3;

    return ETrue;
}


//Process payloads appearing in Stage 6(Main)  Order NOT relevant
TBool CIkev1Negotiation::ProcessStage6L(const ThdrISAKMP &aHdr)
{
	CIkev1Payloads* payload = CIkev1Payloads::NewL(aHdr, *this, iDebug);
	if (!payload)
		return EFalse;

	CleanupStack::PushL(payload);
	if (  payload->iSa || payload->iNonce || payload->iKe )
	{
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}	
	

    TUint16 auth_method = iChosenProposal_I.iAttrList->iAuthMethod;
	TIdentISAKMP* id_payload = NULL;
    //ID Payload processing (all modes)
	if ( payload->iIds->Count() != 1 )
	{
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}
	id_payload = (TIdentISAKMP*)payload->iIds->At(0);  // The first ID						
	if (!CheckIdentL(id_payload))
	{
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}	
	//Save the ident payload for HASH_I/R computing
    delete iPeerIdentPayload;
	iPeerIdentPayload = NULL;		
	iPeerIdentPayloadSize=id_payload->GetLength()-sizeof(TPayloadISAKMP);
	iPeerIdentPayload = new (ELeave) TUint8[iPeerIdentPayloadSize];
	Mem::Copy(iPeerIdentPayload,((TUint8 *)id_payload)+sizeof(TPayloadISAKMP),iPeerIdentPayloadSize);

    //Mode-dependent processing
    switch (auth_method)
    {
    case PRE_SHARED:
        //Hash payload processing
        if (!ProcessHashL(payload->iHash))
		{
			CleanupStack::PopAndDestroy();  //payload			
            return EFalse;
		}
		DEBUG_LOG(_L("HASH OK!"));		
        break;
    case RSA_SIG:
    case DSS_SIG:
		//Certificate payload processing
		if (!ProcessCertificateArrayL(payload->iCerts))
		{
			CleanupStack::PopAndDestroy();  //payload									
			return EFalse;
		}
		if (!CertifyRemoteIdentityL(id_payload))
		{
			DEBUG_LOG(_L("ProcessStage6L RSA_SIG CertifyRemoteIdentityL failed"));
			DEBUG_LOG(_L("AUTHENTICATION_FAILED"));
			SetErrorStatus( KKmdIkeAuthFailedErr );
			SendNotifyL(AUTHENTICATION_FAILED);
			CleanupStack::PopAndDestroy();  //payload			
			return EFalse;
		}
		//Signature payload processing and checking
		if (!ProcessSignatureL(payload->iSign))
		{
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}
        break;
    default:
        break;
    }

	// Process notification payloads
	TInt i = 0;
	while ( i < payload->iNotifs->Count() ) {
		if (!ProcessNotificationL(payload->iNotifs->At(i)))
		{
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}		
		i ++; 		
	}	

	ProcessVendorL(payload->iVids);	
    // Internal address payload processing
    ProcessIntAddrL(payload->iIaddr);

	CleanupStack::PopAndDestroy();  //payload	

	return IsakmpPhase1CompletedL();	
	
}

//Process payloads appearing in Stage 7 = CRACK authentication going
TBool CIkev1Negotiation::ProcessStage7L(const ThdrISAKMP &aHdr)
{
TBool status = ETrue;
TInt  crack_status;

    if ( iCRACKneg ) {
       crack_status = iCRACKneg->ExecuteCRACKMsgL(aHdr);
       
       switch ( crack_status ) {
           
           case CRACK_SUCCESS:
               /*-------------------------------------------------------
                * CRACK authentication has been succesfully completed
                * Take actions to start Quick mode negotiation
                *------------------------------------------------------*/
               delete iCRACKneg;
               iCRACKneg = NULL;
               iLastIV.Copy(iIV);  //Saves last IV in Phase 1
               DEBUG_LOG(_L("Last IV Saved!"));
               IsakmpPhase1CompletedL();
               break;
               
           case CRACK_CONTINUE:
               /*----------------------------------------------------------
                * CRACK authentication continues, no further actions needed
                *----------------------------------------------------------*/
               break;

           case CRACK_IGNORE_MSG:
               /*----------------------------------------------------------
                * CRACK authentication continues, received message ignored
                *----------------------------------------------------------*/
               status = EFalse;            
               break;
               
           default:
               /*----------------------------------------------------------
                * CRACK authentication failed, negotiation failed
                *----------------------------------------------------------*/
			   LOG_KMD_EVENT( MKmdEventLoggerIf::KLogError,
			                  R_VPN_MSG_VPN_GW_AUTH_FAIL,
			                  KKmdIkeAuthFailedErr,
			                  iPluginSession->VpnIapId(),
			                  &iRemoteAddr );		   			   
               status    = EFalse;                         
			   SetErrorStatus(KKmdIkeAuthFailedErr);
               AcquireSAErrorResponse(KKmdIkeAuthFailedErr);
               break;

       }       
    }

    return status;
}

//Called as a RESPONDER for PHASE_II
//Checks HASH(1),SA,KE,NONCE,[ID,ID] from INITIATOR
TBool CIkev1Negotiation::ProcessStage1Phase2L(const ThdrISAKMP &aHdr)
{
	CIkev1Payloads* payload = CIkev1Payloads::NewL(aHdr, *this, iDebug);
	if (!payload)
		return EFalse;

	CleanupStack::PushL(payload);
	
	if (  !payload->iSa || !payload->iNonce )
	{
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}	
	
    //Payload Processing

    CProposal_IIList *recv_proposals = new (ELeave) CProposal_IIList(1);    //, *prop
    CleanupStack::PushL(recv_proposals);

    //SA
    if (!ProcessSAL(payload->iSa, (TUint8 *)recv_proposals))
    {
        CleanupStack::PopAndDestroy(2); //recv_proposals + payload
        return EFalse;
    }

    //ID payloads (if existing)
	if ( payload->iIds->Count() == 2 )
	{
       if (!ProcessStage1_II_IDsL(payload->iIds->At(0), payload->iIds->At(1), recv_proposals))
       {
          CleanupStack::PopAndDestroy(2); //recv_proposals + payload
          return EFalse;
       }
	}
	else if ( payload->iIds->Count() != 0 )
	{
		DEBUG_LOG(_L("Unsupported Phase II ID payload count"));		
		CleanupStack::PopAndDestroy(2); //recv_proposals + payload
		return EFalse;
	}	
    //After ID to know what address to search in the "SAD"
	TInt err = BuildProposals2L();
    if (err != KErrNone)
    {
        DEBUG_LOG(_L("NO_PROPOSAL_CHOSEN: No policy matching"));
        SendNotifyL(NO_PROPOSAL_CHOSEN);
        CleanupStack::PopAndDestroy(2); //recv_proposals + payload
        return EFalse;
    }

    //Contains the transform nums matching if multiple proposals
    CTransModifierList *trans_array = new (ELeave) CTransModifierList(1);
    CleanupStack::PushL(trans_array);

    TInt num = iProposal_IIList->MultiMatchL(recv_proposals, iRole == RESPONDER, trans_array);//If RESPONDER relaxed comparison (no lifetimes checked)
    iProposalNum = num; // Set to num not 1
#ifdef _DEBUG
    TBuf<128> err_buf;
#endif    
    if (num < 0)
    {
#ifdef _DEBUG    
        err_buf.Copy(_L("NO_PROPOSAL_CHOSEN: Phase II proposal not accepted - "));
        AppendAttributeError(num, err_buf);
        DEBUG_LOG(err_buf);
#endif        
        SetErrorStatus( KKmdIkeNoProposalErr );
        SendNotifyL(NO_PROPOSAL_CHOSEN);
        CleanupStack::PopAndDestroy(3); //transarray + recv_proposals + payload
        return EFalse;
    }

    //Copy the chosen transform
    //Actually is the same one as recv_proposals because we should always receive a single proposal with a single transform.
    CreateChosenProposalL(recv_proposals, num, trans_array);

    CleanupStack::PopAndDestroy(2); //transarray + recv_proposals

    //Process the possible NOTIFICATION payloads
    for (TInt i = 0; i < payload->iNotifs->Count(); i++)
    {
        if (!ProcessNotificationL(payload->iNotifs->At(i)))
        {
            CleanupStack::PopAndDestroy();  //payload
            return EFalse;
        }
    }
    
    if (!ProcessNonceL(payload->iNonce))
	{
		CleanupStack::PopAndDestroy();  //payload		
        return EFalse;
	}
    //HASH
    if (!ProcessHash2L(aHdr, payload->iHash, payload->iPadding))
	{
		CleanupStack::PopAndDestroy();  //payload				
        return EFalse;
	} 
    
    if (!ProcessKeyL(payload->iKe))
	{
		CleanupStack::PopAndDestroy();  //payload								
        return EFalse;
	}

	ProcessVendorL(payload->iVids);		
	
    if ( iNatDiscovery ) {
       iNAT_D_Flags |= iNatDiscovery->GetPeerOriginalAddress(payload->iNatOa, iRemoteOriginalAddr, iChosenProp_IIList);
    }
	
	CleanupStack::PopAndDestroy();  //notif_payload_array	
    iStage = 2;
    return ETrue;
}

//Creates a new proposal list from a selected part of another list (Certain proposal and transforms) 
void CIkev1Negotiation::CreateChosenProposalL(CProposal_IIList* aPropList, TInt aPropNum, CTransModifierList *aTransArray)
{

    CProposal_II *prop, *new_propII;
    TAttrib_II *attr_II;
    TChosenAttrib_II *new_attr_II;
    TInt count = aPropList->Count();
    TInt i = 0;
    TInt j = 0;

    //
    // Find selected proroposal from list
    //
    while ( i < count)
    {
        if (aPropList->At(i)->iProposalNum == aPropNum)
            break;
        i ++;
    }
    
    TTransModifier *tmodif;
    TInt64 own_time, own_bytes, peer_time, peer_bytes;
    delete iChosenProp_IIList;  //Must be erased because can contain data from previous retransmissions
	iChosenProp_IIList = NULL;	
    iChosenProp_IIList = new (ELeave) CProposal_IIList(1);
    while ( i < count )
    {
        prop = aPropList->At(i);
        if ( prop->iProposalNum != aPropNum)
            break; // Stop, another Proposal 

        new_propII = new (ELeave) CProposal_II();
        CleanupStack::PushL(new_propII);
        new_propII->ConstructL(1);
        iChosenProp_IIList->AppendL(new_propII);
        CleanupStack::Pop();    //new_propII safe

        new_propII->iProtocol = prop->iProtocol;
        new_propII->iNumTransforms = 1; //We only choose 1 transform for each proposal
        new_propII->iProposalNum   = (TUint8)aPropNum;
        new_propII->iSPI.Copy(prop->iSPI);
        tmodif = aTransArray->At(j);
        new_propII->iReplayWindowLength = tmodif->iReplayWindowLength;

        attr_II = prop->iAttrList->At(tmodif->iTransNum);   //look for the chosen transform in the prop
        ComputeLifetimes_II(tmodif->iReducedLifeSecs, tmodif->iReducedLifeKBytes, own_time, own_bytes);
        ComputeLifetimes_II(attr_II->iLifeDurationSecs, attr_II->iLifeDurationKBytes, peer_time, peer_bytes);
        
        //Only copy the chosen transform
        new_attr_II = new (ELeave) TChosenAttrib_II();
        CleanupStack::PushL(new_attr_II);
        new_attr_II->Copy(*attr_II);
        if ((peer_time > own_time) && (own_time != 0))
        {
            new_attr_II->iReducedLifeSecs.Set(tmodif->iReducedLifeSecs);
            DEBUG_LOG1(_L("Lifetime bigger than the one set. Reducing to %d"), own_time);
        }
        else
            new_attr_II->iReducedLifeSecs.Set(NULL, 0);
            
        if ((peer_bytes > own_bytes) && (own_bytes != 0))
        {
            new_attr_II->iReducedLifeKBytes.Set(tmodif->iReducedLifeKBytes);
            DEBUG_LOG1(_L("Lifesize bigger than the one set. Reducing to %d"), own_bytes);
        }
        else
            new_attr_II->iReducedLifeKBytes.Set(NULL, 0);

        new_propII->iAttrList->AppendL(new_attr_II);
        CleanupStack::Pop();    //new_attrII safe

        j++;  // Next transform modifer
        i++;  // Next proposal
        
    }
}


//Called as a INITIATOR for PHASE_II
//Checks HASH(1),SA, ,NONCE,[KE] [ID,ID] from RESPONDER
TBool CIkev1Negotiation::ProcessStage2Phase2L(const ThdrISAKMP &aHdr)
{
	CIkev1Payloads* payload = CIkev1Payloads::NewL(aHdr, *this, iDebug);
	if (!payload)
		return EFalse;

	CleanupStack::PushL(payload);

	if (  !payload->iSa || !payload->iNonce  )
	{
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}	

    CProposal_IIList *recv_proposals = new (ELeave) CProposal_IIList(1);
    CleanupStack::PushL(recv_proposals);

	//SA
	if (!ProcessSAL(payload->iSa, (TUint8 *)recv_proposals))
	{
		CleanupStack::PopAndDestroy(2); //recv_proposals + payload
		return EFalse;
	}

	//ID payloads (if existing)
	if ( payload->iIds->Count() == 2 )
	{
		if (!ProcessStage2_II_IDsL(payload->iIds->At(0), payload->iIds->At(1)))
		{
			CleanupStack::PopAndDestroy(2); //recv_proposals + payload
			return EFalse;
		}
	}
	else if ( payload->iIds->Count() != 0 )
	{
		DEBUG_LOG(_L("Unsupported Phase II ID payload count"));		
				CleanupStack::PopAndDestroy(2); //recv_proposals + payload
		return EFalse;
	}	
	
    //Contains the transform nums matching if multiple proposals
    CTransModifierList *trans_array = new (ELeave) CTransModifierList(1);
    CleanupStack::PushL(trans_array);

    //Check the received proposals match the proposed one (Got from
    //acquire msg.) 
   	TInt num = iProposal_IIList->MultiMatchL(recv_proposals, iRole == RESPONDER, trans_array);//If RESPONDER relaxed comparison (no lifetimes checked)
#ifdef _DEBUG   	
    TBuf<128> err_buf;
#endif    
    if (num < 0)
    {
#ifdef _DEBUG    
        err_buf.Copy(_L("BAD_PROPOSAL_SYNTAX: Phase II reply doesn't match proposal - "));
        AppendAttributeError(num, err_buf);
        DEBUG_LOG(err_buf);
#endif        
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(BAD_PROPOSAL_SYNTAX);
        CleanupStack::PopAndDestroy(3); //transarray + recv_proposals + payload
        return EFalse;
    }
    // iProposalNum set to correspond local proposal numbering
    iProposalNum = trans_array->At(0)->iPropNum; 
    //Copy the chosen transform
    CreateChosenProposalL(recv_proposals, num, trans_array);

    CleanupStack::PopAndDestroy(2); //transarray + recv_proposals

	//Process the possible NOTIFICATION payloads
	for (TInt i = 0; i < payload->iNotifs->Count(); i++)
	{
		if (!ProcessNotificationL(payload->iNotifs->At(i)))
		{
			CleanupStack::PopAndDestroy();  //payload
			return EFalse;
		}
	}
	//NONCE
   	if (!ProcessNonceL(payload->iNonce))
   	{
    	CleanupStack::PopAndDestroy();  //payload		
	    return EFalse;
	}
	//HASH
	if (!ProcessHash2L(aHdr, payload->iHash, payload->iPadding))
	{
		CleanupStack::PopAndDestroy();  //payload				
		return EFalse;
	} 
	//KEY (if present (PFS))
	if (!ProcessKeyL(payload->iKe))
	{
	    SetErrorStatus( KKmdIkeNegotFailed );
		SendNotifyL(PAYLOAD_MALFORMED);					
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}   

	ProcessVendorL(payload->iVids);
	
	if ( iNatDiscovery ) {
		iNAT_D_Flags |= iNatDiscovery->GetPeerOriginalAddress(payload->iNatOa, iRemoteOriginalAddr, iChosenProp_IIList);
	}

    if ( iRecvFlags & ISAKMP_HDR_CFLAG )   //Commit Bit set       
    {
        iFlags |= ISAKMP_HDR_CFLAG; //Sets the Commit bit if this side set it else
        DEBUG_LOG(_L("SAD update delayed until CONNECTED received"));
    }

	CleanupStack::PopAndDestroy();  //payload				
    iStage = 3;
    return ETrue;

}

TBool CIkev1Negotiation::ProcessStage3Phase2L(const ThdrISAKMP &aHdr)
{
	CIkev1Payloads* payload = CIkev1Payloads::NewL(aHdr, *this, iDebug);
	if (!payload)
		return EFalse;

	CleanupStack::PushL(payload);

	if ( payload->iSa || payload->iNonce || payload->iKe || payload->iIds->Count() != 0 ) 
	{
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}	
	
    //Hash Payload
	TBool Status = ProcessHash2L(aHdr, payload->iHash, payload->iPadding);
    if ( Status )
	{
       	//END OF THE PHASE II (Quick mode) negotiation.
		//Now we need to update the PFKEY SA database
		ProcessVendorL(payload->iVids);				
		UpdateSADatabaseL();
		iStage = 4;
	}
	CleanupStack::PopAndDestroy();  //payload		
    return Status;
}

TBool CIkev1Negotiation::ProcessCONNECTEDL(const ThdrISAKMP &aHdr)
{
	CIkev1Payloads* payload = CIkev1Payloads::NewL(aHdr, *this, iDebug);
	if (!payload)
		return EFalse;

	CleanupStack::PushL(payload);

	if ( !payload->iHash || (payload->iNotifs->Count() != 1) || payload->iSa ||
		 payload->iNonce || payload->iKe || (payload->iIds->Count() != 0) ) 
	{
		DEBUG_LOG(_L("PAYLOAD_MALFORMED (no hash or notfic payload)"));
		SetErrorStatus( KKmdIkeNegotFailed );
		SendNotifyL(PAYLOAD_MALFORMED);
		CleanupStack::PopAndDestroy();  //payload
		return EFalse;
	}	

    //Checks if the hash value is OK. Here because need the
    //notification payload
	const TNotificationISAKMP* notif_payload = payload->iNotifs->At(0);
	TBool Status = VerifyInformationalHashL(payload->iHash, notif_payload, iMessageId);	 
    if ( Status )
    {  //Hash OK
		if ((notif_payload->GetDOI() == IPSEC_DOI) && (notif_payload->GetMsgType() == CONNECTED))
		{
			//END OF THE PHASE II (Quick mode) negotiation.
			//Now we need to update the PFKEY SA database
			DEBUG_LOG(_L("CONNECTED message received. Updating SAD"));
			UpdateSADatabaseL();
			iStage = 5;			
		}
    }
    else   
    {
		DEBUG_LOG(_L("AUTHENTICATION_FAILED (Informational hash)"));
		SetErrorStatus( KKmdIkeAuthFailedErr );
		SendNotifyL(AUTHENTICATION_FAILED);
    }
	CleanupStack::PopAndDestroy();  //payload		
    return Status;
}

//returns KErrNone if OK, otherwise error already treated.
TBool CIkev1Negotiation::ProcessSAL(const TSAISAKMP *aSA, TUint8 *aRecvProposals)
{
    //payload not present
    if (!aSA)
    {
        DEBUG_LOG(_L("NO SA PAYLOAD"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(PAYLOAD_MALFORMED);
        return EFalse;
    }

    //requires a special length check to know the proposals and transforms are not bigger than 
    //the size specified in th SA
    TUint32 SALengthLeft = aSA->GetLength() - aSA->Size();

    TUint8 next_payload = aSA->GetPayload();
    if ((next_payload == ISAKMP_PAYLOAD_P) || (next_payload == ISAKMP_PAYLOAD_T))
    {
        DEBUG_LOG(_L("INVALID_PAYLOAD_TYPE (Bad next payload for the SA)"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(INVALID_PAYLOAD_TYPE);   // Payloads and transforms are processed as a part of the SA,
        return EFalse;
    }

    TUint32 doi=aSA->GetDOI();
    if (!CheckDOI(doi))
    {
        DEBUG_LOG(_L("DOI_NOT_SUPPORTED in SA payload"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(DOI_NOT_SUPPORTED);  //send the informational exchange
        return EFalse;
    }

    if (iStage == 1)
        iDOI = doi;

    //Process SITuation depending on DOI. In this implementation always is IPSEC DOI
    if (!CheckSituationL(aSA->GetSIT()))
        return EFalse;

    if (aSA->HasLDId()) //If no Labeled Domain Identifier no more processing for the SA
    {
        DEBUG_LOG(_L("Label Domain Identifier (LDI) not supported"));
        return EFalse;
    }
    
    if (iPhase==PHASE_I)    //Only used in Phase_I. PHASE_II hashs check it directly from received paylaod
    {
        //Store the SA payload for further calculations in Hash.
        if (iRole==RESPONDER)
        {
            iSAPayloadSize = aSA->GetLength()-sizeof(TPayloadISAKMP);
            delete iSAPayload;
			iSAPayload = NULL;
            iSAPayload = new (ELeave) (TUint8[iSAPayloadSize]); //Generic payload NOT included
            Mem::Copy(iSAPayload,(((TUint8 *)aSA)+sizeof(TPayloadISAKMP)),iSAPayloadSize);
        }
    }
    const TPayloadISAKMP *payload = aSA->Payload();
    return ProcessProposalsL(payload, SALengthLeft, aRecvProposals);
}


//Do the process required for proposals and transforms. The aPayload given must be a proposal
TBool CIkev1Negotiation::ProcessProposalsL(const TPayloadISAKMP *aPayload, TUint32 aLengthLeft, TUint8 *aRecvProposals)
{
    TProposalISAKMP *proposal;
    const TPayloadISAKMP *ppayload=aPayload;
    TUint8 payType = ppayload->GetPayload();
    TUint32 len_left;
    CProposal_IIList *recv_proposals = (CProposal_IIList *)aRecvProposals;
    CProposal_II *auxProp_II;
    TBool found = EFalse;   //At least 1 transform matching

    //Many Proposals. The RESPONDER MUST choose a transform for each proposal or reject the 
    //full suite of attributes.
    do  
    {       
        //General payload check
        if ((payType != ISAKMP_PAYLOAD_NONE) && (payType != ISAKMP_PAYLOAD_P))
        {
            DEBUG_LOG(_L("INVALID_PAYLOAD_TYPE (Bad next payload for the proposal)"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_PAYLOAD_TYPE);
            return EFalse;
        }

        if (aPayload->GetReserved() != 0)   //Must be always 0
        {
            DEBUG_LOG(_L("INVALID RESERVED FIELD"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(PAYLOAD_MALFORMED);
            return EFalse;
        }
        
        //requires special length check
        if ((aPayload->GetLength() < MIN_ISAKMP_PAYLOAD_SIZE) || (aPayload->GetLength() > aLengthLeft))
        {
            DEBUG_LOG(_L("BAD PAYLOAD SIZE"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(PAYLOAD_MALFORMED);
            return EFalse;
        }

        aLengthLeft -= aPayload->GetLength();   //dcreases the length of the prop. and its transforms

        proposal = TProposalISAKMP::Ptr(ppayload);
        
        
        if (!CheckProtocolL(proposal->GetProtocol()))
            return EFalse;

        if (!CheckSPIL(proposal))
            return EFalse;

        len_left = proposal->GetLength() - (proposal->Size() + proposal->GetSPISize()); 
        //len_left contains the length of the transforms only

        TInt ret = KErrNotFound;
        if (iPhase == PHASE_I)
        {
            iChosenProposal_I.iProtocol = proposal->GetProtocol();
            iChosenProposal_I.iSPI.Copy((TUint8 *)proposal->SPI(), proposal->GetSPISize());
            iChosenProposal_I.iNumTransforms = 1;   //Phase I only one transf chosen
            iChosenProposal_I.iProposalNum = proposal->GetNum();//Not compulsory but preferable to speed up the search process in the peer
            
            ret = ProcessTransformsL(ppayload,len_left);
            
            if (ret == KErrNone)
                return ETrue;//valid transform found
            else if (ret != KErrNotFound)
            {
                DEBUG_LOG(_L("ATTRIBUTES_NOT_SUPPORTED"));
                SetErrorStatus( KKmdIkeNegotFailed );
                SendNotifyL(ATTRIBUTES_NOT_SUPPORTED);
                return EFalse;
            }
            //If not found there may be other proposal to check
        }
        else    //PHASE_II
        {
            auxProp_II = new (ELeave) CProposal_II();
            CleanupStack::PushL(auxProp_II);
            auxProp_II->ConstructL(proposal->GetNumTrans());
            auxProp_II->iProtocol=proposal->GetProtocol();
            auxProp_II->iSPI.Copy((TUint8 *)proposal->SPI(), proposal->GetSPISize());
            auxProp_II->iNumTransforms = proposal->GetNumTrans();   //Number of transforms in the proposal
            auxProp_II->iProposalNum = proposal->GetNum();  //Proposal num
            
            ret = ProcessTransforms2L(ppayload, auxProp_II, len_left);
            if (ret==KErrNone)//valid transform found
            {   
                //Adds the new proposal to the list of chosen proposals
                recv_proposals->AppendL(auxProp_II);
                CleanupStack::Pop();    //auxProp_II safe
                found = ETrue;
                //go for the next proposal
            }
            else
            {
                DEBUG_LOG(_L("ATTRIBUTES_NOT_SUPPORTED"));
                SendNotifyL(ATTRIBUTES_NOT_SUPPORTED);
                CleanupStack::PopAndDestroy();  //delete auxProp_II;    //delete the current proposal
                return EFalse;
            }
        }

        payType = ppayload->GetPayload();
        ppayload = ppayload->Next();    //Next payload if there's any
    } while (payType!=ISAKMP_PAYLOAD_NONE); //Proposal loop

    if (!found)
    {
        DEBUG_LOG(_L("ATTRIBUTES_NOT_SUPPORTED"));
        SendNotifyL(ATTRIBUTES_NOT_SUPPORTED);
        return EFalse;
    }

    return found;
}

//processes all the  PHASE I transforms. The parameter payload is the proposal containing
//the transforms to be able to access the # of transforms.
//Returns if any transform accepted (KErrNone) or not (KErrNotFound) or processing error (KErrGeneral)
TInt CIkev1Negotiation::ProcessTransformsL(const TPayloadISAKMP *aPayload,TUint32 aLengthLeft)
{
    DEBUG_LOG(_L("-> CIkev1Negotiation::ProcessTransformsL()"));
    TUint16 reason;             
    TInt ret = KErrGeneral;
     const TTransformISAKMP *transf;
    const TProposalISAKMP *proposal=TProposalISAKMP::Ptr(aPayload);
    //First transform. Not Next() because would be the next proposal or non-sa payload
    const TPayloadISAKMP *tpayload=proposal->Payload();
    
    TInt payType = tpayload->GetPayload();  //Type of the payload following the first transform
    transf = TTransformISAKMP::Ptr(tpayload);
    
    TInt numTransf  = (TInt)transf->GetNum();  // First transform number
    TInt lastTransf = numTransf + (TInt)proposal->GetNumTrans(); // Last transform number
    
    while ( numTransf < lastTransf ) 
    {
        //only permited payload codes
        if ((payType != ISAKMP_PAYLOAD_NONE) && (payType != ISAKMP_PAYLOAD_T))
        {
            DEBUG_LOG(_L("INVALID_PAYLOAD_TYPE (Bad next payload for the transform)"));
            SendNotifyL(INVALID_PAYLOAD_TYPE);
            return KErrGeneral;
        }

        if (tpayload->GetReserved() != 0)   //Must be always 0
        {
            DEBUG_LOG(_L("INVALID RESERVED FIELD"));
            SendNotifyL(PAYLOAD_MALFORMED);
            return KErrGeneral;
        }
        
        //requires special length check
        if ((tpayload->GetLength() < MIN_ISAKMP_PAYLOAD_SIZE) || (tpayload->GetLength() > aLengthLeft))
        {
            DEBUG_LOG(_L("BAD PAYLOAD SIZE"));
            SendNotifyL(PAYLOAD_MALFORMED);
            return KErrGeneral;
        }
        
        if (!CheckTransformID(PROTO_ISAKMP,transf->GetID()))
            {
            DEBUG_LOG(_L(" Continue"));

            numTransf++;                          // Next supposed transform #              
            payType = tpayload->GetPayload();
            tpayload = tpayload->Next();    //next payload (transform)
            transf = TTransformISAKMP::Ptr(tpayload);

            continue;   //If fails, transform discarded!, not error
            }
        
        if ( transf->GetNum() != numTransf )  //Not the correct #
        {
            DEBUG_LOG1(_L("BAD_PROPOSAL_SYNTAX (Non conscutive transform number (%d)"),transf->GetNum());
            SendNotifyL(BAD_PROPOSAL_SYNTAX);
            DEBUG_LOG(_L("<- CIkev1Negotiation::ProcessTransformsL() KErrGeneral"));
            return KErrGeneral;
        }

        if (transf->GetReserved() != 0 )    //Should be always 0
        {
            DEBUG_LOG(_L("INVALID RESERVED FIELD"));
            SendNotifyL(PAYLOAD_MALFORMED);
            DEBUG_LOG(_L("<- CIkev1Negotiation::ProcessTransformsL() KErrGeneral"));
            return KErrGeneral;
        }

        numTransf++;                          // Next supposed transform #              
        //Attributes to be checked depending on Transf ID
        TAttrib attrib;
        
        ret = ProcessAttributesL(tpayload, &attrib);
        
        if (ret != KErrNone)
        {
            if (ret != KErrNotFound)
                {
                DEBUG_LOG(_L("<- CIkev1Negotiation::ProcessTransformsL() KErrGeneral"));
                return KErrGeneral; //Error in the attributes. Already reported
                }
            //Not accepted but correct
        }
        else    // Accepted attributes if (AttrChosen(attrib))
        {  
            //Checks the response or proposal is the same as one of our proposals
            TAttrib *attr_list = iProposal_I.iAttrList;
            TInt ret = KErrNotFound;
#ifdef _DEBUG            
            TBuf<256> buf;
#endif            
            while (attr_list && (ret != KErrNone) )
            {
                ret = attrib.Compare(*attr_list, iRole==RESPONDER); //If RESPONDER relaxed comparison (no lifetimes checked)                
                if (ret != KErrNone)
                {
#ifdef _DEBUG                
                    DEBUG_LOG1(_L("Transform #%d not matching proposal Reason: "), attrib.iTransformNum);
                    AppendAttributeError(ret, buf);
                    DEBUG_LOG(buf);
#endif                    
                }
                attr_list = attr_list->iNext;   //next transform proposed

            }
            if (ret == KErrNone)
            {
               *iChosenProposal_I.iAttrList = attrib;       
               DEBUG_LOG(_L("<- CIkev1Negotiation::ProcessTransformsL() KErrNone"));
               return KErrNone; //If the attibute are supported there's no need to check more SA
            }   
            else    //No proposal matches
            {
               if ( numTransf == lastTransf ) //Is there more transforms to check
               {    
                  if (iRole == INITIATOR)
                  {
                      reason = BAD_PROPOSAL_SYNTAX;
                      DEBUG_LOG(_L("BAD_PROPOSAL_SYNTAX (Phase I reply don't match proposal)"));
                      SetErrorStatus( KKmdIkeNegotFailed );
                  }                           
                  else
                  {
                      reason = NO_PROPOSAL_CHOSEN;                    
                      DEBUG_LOG(_L("NO_PROPOSAL_CHOSEN (Received Proposal doesn't match accepted attributes (Check own proposals))"));
                  }           
                  SendNotifyL(reason);
                  DEBUG_LOG(_L("<- CIkev1Negotiation::ProcessTransformsL() KErrNotFound"));
                  return KErrNotFound;
               }    
            }
        }

        payType = tpayload->GetPayload();
        tpayload = tpayload->Next();    //next payload (transform)
        transf = TTransformISAKMP::Ptr(tpayload);
        
    }

    DEBUG_LOG(_L("<- CIkev1Negotiation::ProcessTransformsL() KErrNotFound"));

    //if reaches this point meanse no transform accepted in this proposal
    //Notifies to the upper level
    return KErrNotFound;

}


//Logs the error when comparing a proposal
//void CIkev1Negotiation::LogAttributeError(TInt aTransformNum, TInt aErr)
void CIkev1Negotiation::AppendAttributeError(TInt aErr, TDes &aBuf) const
{
#ifndef _DEBUG
    (void)aErr;
    (void)aBuf;
#endif

#ifdef _DEBUG
    switch (aErr)
    {
    case KErrNotFound:
        aBuf.Append(_L("No proposals\n"));
        break;
    case KErrTransformID:
        aBuf.Append(_L("Different Transform Algorithm\n"));
        break;
    case KErrEncrAlg:
        aBuf.Append(_L("Different Encryption Algorithm\n"));
        break;
    case KErrHashAlg:
        aBuf.Append(_L("Different Hash Algorithm\n"));
        break;
    case KErrAuthMethod:
        aBuf.Append(_L("Different Authentication Method\n"));
        break;
    case KErrGroupDesc:
        aBuf.Append(_L("Different Group Description\n"));
        break;
    case KErrGroupType:
        aBuf.Append(_L("Different Group Type\n"));
        break;
    case KErrGroupPrime:
        aBuf.Append(_L("Different Group Prime\n"));
        break;
    case KErrGroupGen1:
        aBuf.Append(_L("Different Group Generator 1\n"));
        break;
    case KErrGroupGen2:
        aBuf.Append(_L("Different Group Generator 2\n"));
        break;
    case KErrGroupCurveA:
        aBuf.Append(_L("Different Group Curve A\n"));
        break;
    case KErrGroupCurveB:
        aBuf.Append(_L("Different Group Curve A\n"));
        break;
    case KErrPRF:
        aBuf.Append(_L("Different PRF\n"));
        break;
    case KErrKeyLength:
        aBuf.Append(_L("Different Key Length\n"));
        break;
    case KErrFieldSize:
        aBuf.Append(_L("Different Field Size\n"));
        break;
    case KErrGroupOrder:
        aBuf.Append(_L("Different Group Order\n"));
        break;
    case KErrLifeTime:
        aBuf.Append(_L("Different Lifetime\n"));
        break;
    case KErrLifeSize:
        aBuf.Append(_L("Different LifeSize\n"));
        break;
    case KErrEncMode:
        aBuf.Append(_L("Different Encapsulation Mode\n"));
        break;
    case KErrAuthAlg:
        aBuf.Append(_L("Different Authentication Algorithm\n"));
        break;
    case KErrKeyRounds:
        aBuf.Append(_L("Different Key Rounds\n"));
        break;
    case KErrComprDicSize:
        aBuf.Append(_L("Different Compress Dictionary Size\n"));
        break;
    case KErrComprPrivAlg:
        aBuf.Append(_L("Different Compress Private Algorithm\n"));
        break;
    case KErrTransformNum:
        aBuf.Append(_L("Different Transform Num.\n"));
        break;
    case KErrPropProtocol:
        aBuf.Append(_L("Proposals have different protocol.\n"));
        break;
    case KErrNoTransforms:
        aBuf.Append(_L("Proposal has no transforms \n"));
        break;
    case KErrNoRemoteProposals:
        aBuf.Append(_L("Remote Proposals list is empty\n"));
        break;
    case KErrNoLocalProposals:
        aBuf.Append(_L("Local Proposals list is empty\n"));
        break;
    case KErrPropNumberMismatch:
        aBuf.Append(_L("The proposals lists have diferent number of AND'd proposals"));
        break;
    default:
        aBuf.Append(_L("Unknown\n"));
    }
#endif  
}

//processes all the PHASE II transforms. The parameter payload is the proposal containing
//the transforms to be able to access the # of transforms.
//Returns if any transform accepted (KErrNone) or not (KErrNotFound) or processing error (KErrGeneral)
TInt CIkev1Negotiation::ProcessTransforms2L(const TPayloadISAKMP *aPayload,CProposal_II *aProp,TUint32 aLengthLeft)
{
    DEBUG_LOG(_L("-> CIkev1Negotiation::ProcessTransforms2L()"));

    TInt ret;
    const TTransformISAKMP *transf;
    const TProposalISAKMP *proposal=TProposalISAKMP::Ptr(aPayload);
    //First transform. Not Next() because would be the next proposal or non-sa payload
    const TPayloadISAKMP *tpayload = proposal->Payload();

    TAttrib_II *attr_II = NULL; 
    TInt payType = tpayload->GetPayload();  //Type of the payload following the first transform
    transf = TTransformISAKMP::Ptr(tpayload);
    
    TInt numTransf  = (TInt)transf->GetNum();  // First transform number
    TInt lastTransf = numTransf + (TInt)proposal->GetNumTrans(); // Last transform number   

    while ( numTransf < lastTransf ) 
    {
        //only permited payload codes
        if ((payType != ISAKMP_PAYLOAD_NONE) && (payType != ISAKMP_PAYLOAD_T))
        {
            DEBUG_LOG(_L("INVALID_PAYLOAD_TYPE (Bad next payload for the transform)"));
            SendNotifyL(INVALID_PAYLOAD_TYPE);
            return KErrGeneral;
        }
        
        if (tpayload->GetReserved() != 0)   //Must be always 0
        {
            DEBUG_LOG(_L("INVALID RESERVED FIELD"));
            SendNotifyL(PAYLOAD_MALFORMED);
            return KErrGeneral;
        }
        
        //requires special length check
        if ((tpayload->GetLength() < MIN_ISAKMP_PAYLOAD_SIZE) || (tpayload->GetLength() > aLengthLeft))
        {
            DEBUG_LOG(_L("BAD PAYLOAD SIZE"));
            SendNotifyL(PAYLOAD_MALFORMED);
            return KErrGeneral;
        }
        
        if (!CheckTransformID(aProp->iProtocol,transf->GetID()))
            {
            DEBUG_LOG(_L(" Transform doesn't match, moving on to the next one"));
            payType = tpayload->GetPayload();
            tpayload = tpayload->Next();    //next payload (transform)
            transf = TTransformISAKMP::Ptr(tpayload);
            numTransf++;                          // Next supposed transform #
            continue;   //If fails, transform discarded!, not error
            }
        
        if ( transf->GetNum() != numTransf )  //Not the correct #. Must be consecutive
        {   
            DEBUG_LOG1(_L("BAD_PROPOSAL_SYNTAX (Non conscutive transform number (%d)"),transf->GetNum());
            SendNotifyL(BAD_PROPOSAL_SYNTAX);
            return KErrGeneral;
        }

        if (transf->GetReserved() != 0 )    //Must be always 0
        {
            DEBUG_LOG(_L("INVALID RESERVED FIELD"));
            SendNotifyL(PAYLOAD_MALFORMED);
            return KErrGeneral;
        }
        
        //Attributes to be checked depending on Transf ID
        attr_II = new (ELeave) TAttrib_II();
        CleanupStack::PushL(attr_II);
        ret = ProcessAttributes2L(tpayload, attr_II, aProp->iProtocol);
        if (ret != KErrNone)    //Some invalid attribute
        {
            DEBUG_LOG(_L(" Invalid attribute"));
            CleanupStack::PopAndDestroy();  //delete attr_II;
            if (ret != KErrNotFound)
                return KErrGeneral; //Error in the attributes. Already reported
            else    //Invalid transform- Ignored
            {
                DEBUG_LOG2(_L("Transform %d of proposal %d ignored"), transf->GetNum(), aProp->iProposalNum);
            }
        }
        else    //Accepted, must check if really proposed or if matches the configuration if RESPONDER
        {
            DEBUG_LOG(_L(" Adding new attribute"));
            aProp->iAttrList->AppendL(attr_II); //Add the new attribute
            CleanupStack::Pop();    //attr_II saf
        }
        payType = tpayload->GetPayload();
        tpayload = tpayload->Next();    //next payload (transform)
        transf = TTransformISAKMP::Ptr(tpayload);
        numTransf++;                          // Next supposed transform #
        
    }

    //No valid transform found
    if (aProp->iAttrList->Count() == 0)
        {
        DEBUG_LOG(_L("<- CIkev1Negotiation::ProcessTransforms2L() KErrNotFound"));
        return KErrNotFound;
        }

    DEBUG_LOG(_L("<- CIkev1Negotiation::ProcessTransforms2L() KErrNone"));
    return KErrNone;
}


//Copies and checks the values of the attributes. The parameter aPayload must be a transform
//aAttrib will contain the sent attributes if the return value is KErrNone, otherwise should be
//ignore because there was an error reading them (KErrGeneral) or the transform was not accepted (KErrNotFound)
TInt CIkev1Negotiation::ProcessAttributesL(const TPayloadISAKMP *aPayload, TAttrib *aAttrib)
{
    const TTransformISAKMP *transf = TTransformISAKMP::Ptr(aPayload);
    TInt length= aPayload->GetLength() - sizeof(*transf); //To process the attribs
    TDataISAKMP *attr= transf->SAAttrib();
    
    aAttrib->iTransformNum = transf->GetNum();
    aAttrib->iTransformID  = transf->GetID();
    //
	// Store parameters for extended authentication
	//
	aAttrib->iXauthUsed = iHostData->iUseXauth;
	aAttrib->iRole      = iRole;
	
    TUint16 lifeType  = 0; //No type assigned yet
    TUint32 lifeValue = 0; //No value assigned yet
    TUint16 val;
    
    while ( length>0 )
    {
        length = length - attr->Size();
        if (length<0)   //Mismatch between lengths!!!
        {
            DEBUG_LOG(_L("BAD_PROPOSAL_SYNTAX (Length mismatch in the attibutes)"));
            SendNotifyL(BAD_PROPOSAL_SYNTAX);
            return KErrGeneral;
        }
        switch (attr->Type())
        {
        case OAKLEY_ATTR_TYPE_ENCR_ALG:
            if (!CheckEncrAlg(attr->Value()))
                return KErrNotFound;
            aAttrib->iEncrAlg=attr->Value();
            break;
        case OAKLEY_ATTR_TYPE_HASH_ALG:
            if (!CheckHashAlg(attr->Value()))
                return KErrNotFound;
            aAttrib->iHashAlg = attr->Value();
            break;
        case OAKLEY_ATTR_TYPE_AUTH_METH:
            val = CTransNegotiation::GetAuthMethod(attr->Value(), iHostData->iUseXauth, iRole);
            if (!CheckAuthMethod(val))
                return KErrNotFound;
            aAttrib->iAuthMethod = val;
            break;
        case OAKLEY_ATTR_TYPE_GROUP_DESC:
            if (!CheckGroupDesc(attr->Value()))
                return KErrNotFound;
            aAttrib->iGroupDesc = attr->Value();
            break;
        case OAKLEY_ATTR_TYPE_GROUP_TYPE:
            if (!CheckGroupType(attr->Value()))
                return KErrNotFound;
            aAttrib->iGroupType = attr->Value();
            break;
        case OAKLEY_ATTR_TYPE_GROUP_PRIME:
            if (attr->IsBasic())
            {
                val = attr->Value();
                aAttrib->iGroupPrime.Copy((TUint8*)&val, sizeof(val));
            }
            else
                aAttrib->iGroupPrime.Copy(attr->VarValue(),attr->Length());
            break;
        case OAKLEY_ATTR_TYPE_GROUP_GEN1:
            if (attr->IsBasic())
            {
                val = attr->Value();
                aAttrib->iGroupGen1.Copy((TUint8*)&val, sizeof(val));
            }
            else
                aAttrib->iGroupGen1.Copy(attr->VarValue(),attr->Length());
            break;
        case OAKLEY_ATTR_TYPE_GROUP_GEN2:
            if (attr->IsBasic())
            {
                val = attr->Value();
                aAttrib->iGroupGen2.Copy((TUint8*)&val, sizeof(val));
            }
            else
                aAttrib->iGroupGen2.Copy(attr->VarValue(),attr->Length());
            break;
        case OAKLEY_ATTR_TYPE_GROUP_CRVA:
            if (attr->IsBasic())
            {
                val = attr->Value();
                aAttrib->iGroupCurveA.Copy((TUint8*)&val, sizeof(val));
            }
            else
                aAttrib->iGroupCurveA.Copy(attr->VarValue(),attr->Length());
            break;
        case OAKLEY_ATTR_TYPE_GROUP_CRVB:
            if (attr->IsBasic())
            {
                val = attr->Value();
                aAttrib->iGroupCurveB.Copy((TUint8*)&val, sizeof(val));
            }
            else
                aAttrib->iGroupCurveB.Copy(attr->VarValue(),attr->Length());
            break;
        case OAKLEY_ATTR_TYPE_LIFE_TYPE:
            lifeType = attr->Value();
            if (!CheckLifeType(lifeType))
            {
                DEBUG_LOG(_L("BAD_PROPOSAL_SYNTAX (Invalid lifetime type)"));
                SendNotifyL(BAD_PROPOSAL_SYNTAX);
                return KErrGeneral;
            }
            break;
        case OAKLEY_ATTR_TYPE_LIFE_DUR:
            if (attr->IsBasic())
            {
                lifeValue = ByteOrder::Swap32(attr->Value());
                if (lifeType == SECONDS)
                    aAttrib->iLifeDurationSecs.Copy((TUint8 *)&lifeValue, sizeof(lifeValue));
                else if (lifeType == KBYTES)
                    aAttrib->iLifeDurationKBytes.Copy((TUint8 *)&lifeValue, sizeof(lifeValue));
                else
                {
                    DEBUG_LOG(_L("BAD_PROPOSAL_SYNTAX (Invalid lifetime type)"));
                    SendNotifyL(BAD_PROPOSAL_SYNTAX);
                    return KErrGeneral;
                }
            }
            else    //Not basic
            {
                if (lifeType == SECONDS)
                    aAttrib->iLifeDurationSecs.Copy(attr->VarValue(),attr->Length());
                else if (lifeType == KBYTES)
                    aAttrib->iLifeDurationKBytes.Copy(attr->VarValue(),attr->Length());
                else
                {
                    DEBUG_LOG(_L("BAD_PROPOSAL_SYNTAX (Invalid lifetime type)"));
                    SendNotifyL(BAD_PROPOSAL_SYNTAX);
                    return KErrGeneral;
                }
            }
            break;
        case OAKLEY_ATTR_TYPE_PRF:
            if (!CheckPRF(attr->Value()))
                return KErrNotFound;
            aAttrib->iPRF=attr->Value();
            break;
        case OAKLEY_ATTR_TYPE_KEY_LEN:
            aAttrib->iKeyLength = attr->Value();
            break;
        case OAKLEY_ATTR_TYPE_FIELD_SIZE:
            if (!CheckFieldSize(attr->Value()))
                return KErrNotFound;
            aAttrib->iFieldSize=attr->Value();
            break;
        case OAKLEY_ATTR_TYPE_GROUP_ORDER:
            if (attr->IsBasic())
            {
                val = attr->Value();
                aAttrib->iGroupOrder.Copy((TUint8*)&val, sizeof(val));
            }
            else
                aAttrib->iGroupOrder.Copy(attr->VarValue(),attr->Length());
            break;
        default:
            DEBUG_LOG(_L("ATTRIBUTES_NOT_SUPPORTED (Invalid attribute number)"));
            SendNotifyL(ATTRIBUTES_NOT_SUPPORTED);
            return KErrGeneral;
        }
        attr = attr->Next();
    }
    
    //Done here to ensure both received
    if (aAttrib->iKeyLength !=0)
        if (!CheckKeyLength(aAttrib->iKeyLength, (TUint8)aAttrib->iEncrAlg ,PROTO_ISAKMP))
            return KErrNotFound;

    return KErrNone;
}

//Copies and checks the values of the attributes. The parameter aPayload must be a transform
//aAttrib will contain the sent attributes if the return value is KErrNone, otherwise should be
//ignore because there was an error reading them (KErrGeneral) or the transform was not accepted (KErrNotFound)
TInt CIkev1Negotiation::ProcessAttributes2L(const TPayloadISAKMP *aPayload, TAttrib_II *aAttrib,TUint8 aProtocol)
{
    const TTransformISAKMP *transf = TTransformISAKMP::Ptr(aPayload);
    TInt length= aPayload->GetLength() - sizeof(*transf); //To process the attribs
    
    aAttrib->iTransformNum = transf->GetNum();
    aAttrib->iTransformID = transf->GetID();
    TDataISAKMP *attr= transf->SAAttrib();
    TUint16 lifeType = 0;   //No type assigned yet
    TUint32 lifeValue = 0;
    while (length>0)
    {
        length = length - attr->Size();
        if (length<0)   //Mismatch between lengths!!!
        {
            DEBUG_LOG(_L("BAD_PROPOSAL_SYNTAX (Length mismatch in the attibutes)"));
            SendNotifyL(BAD_PROPOSAL_SYNTAX);
            return KErrGeneral;
        }
        switch (attr->Type())
        {
        case DOI_ATTR_TYPE_LIFE_TYPE:
            lifeType=attr->Value();
            if (!CheckLifeType(lifeType))
            {
                DEBUG_LOG(_L("BAD_PROPOSAL_SYNTAX (Invalid lifetime type)"));
                SendNotifyL(BAD_PROPOSAL_SYNTAX);
                return KErrGeneral;
            }
            break;
        case DOI_ATTR_TYPE_LIFE_DUR:
            if (attr->IsBasic())
            {
                lifeValue = ByteOrder::Swap32(attr->Value());
                if (lifeType==SECONDS)
                    aAttrib->iLifeDurationSecs.Copy((TUint8 *)&lifeValue, sizeof(lifeValue));
                else if (lifeType==KBYTES)
                    aAttrib->iLifeDurationKBytes.Copy((TUint8 *)&lifeValue, sizeof(lifeValue));
                else
                {
                    DEBUG_LOG(_L("BAD_PROPOSAL_SYNTAX (No lifetime type received)"));
                    SendNotifyL(BAD_PROPOSAL_SYNTAX);
                    return KErrGeneral;
                }
            }
            else
            {
                if (lifeType==SECONDS)
                    aAttrib->iLifeDurationSecs.Copy(attr->VarValue(),attr->Length());
                else if (lifeType==KBYTES)
                    aAttrib->iLifeDurationKBytes.Copy(attr->VarValue(),attr->Length());
                else
                {
                    DEBUG_LOG(_L("BAD_PROPOSAL_SYNTAX (No lifetime type received)"));
                    SendNotifyL(BAD_PROPOSAL_SYNTAX);
                    return KErrGeneral;
                }
            }
            lifeType = 0;   //Cannot received another lifetime without setting the type again
            break;
        case DOI_ATTR_TYPE_GROUP_DESC:
            if (!CheckGroupDesc(attr->Value()))
                return KErrNotFound;
            aAttrib->iGroupDesc=attr->Value();
            break;
        case DOI_ATTR_TYPE_ENC_MODE:    //Encapsulation Mode
            if (!CheckEncMode(attr->Value()))
                return KErrNotFound;
            aAttrib->iEncMode=attr->Value();
            if ( aAttrib->iEncMode == UDP_ENC_TUNNEL || aAttrib->iEncMode == UDP_RFC_ENC_TUNNEL  )
               aAttrib->iEncMode = DOI_TUNNEL;
            if ( aAttrib->iEncMode == UDP_ENC_TRANSPORT || aAttrib->iEncMode == UDP_RFC_ENC_TRANSPORT)
               aAttrib->iEncMode = DOI_TRANSPORT;
            break;
        case DOI_ATTR_TYPE_AUTH_ALG:
            if (!CheckAuthAlg(attr->Value()))
                return KErrNotFound;
            aAttrib->iAuthAlg=attr->Value();
            break;
        case DOI_ATTR_TYPE_KEY_LEN:
            aAttrib->iKeyLength = attr->Value();
            break;  
        case DOI_ATTR_TYPE_KEY_ROUNDS:
            aAttrib->iKeyRounds=attr->Value();
            break;
/*          
        case DOI_ATTR_TYPE_COMP_DIC_SIZE:   //Compress Dictionary size
            aAttrib->iComprDicSize=attr->Value();
            break;  
        case DOI_ATTR_TYPE_COMP_PRIV_ALG:   //Compress Dictionary size
            aAttrib->iComprPrivAlg=attr->Value();
            break;
*/          
        default:
            DEBUG_LOG(_L("ATTRIBUTES_NOT_SUPPORTED (Invalid attribute number)"));
            SendNotifyL(ATTRIBUTES_NOT_SUPPORTED);
            return KErrGeneral;
        }
        attr = attr->Next();
    }

    if (lifeType != 0)  //Type set but not sent
    {
        DEBUG_LOG(_L("Lifetime type set but value not sent!"));
        return KErrNotFound;
    }

    if (aAttrib->iKeyLength !=0)
        if (!CheckKeyLength(aAttrib->iKeyLength,transf->GetID(),aProtocol)) //Check key length correct
            return KErrNotFound;

    return KErrNone;
}


//returns KErrNone if OK, otherwise error already treated.
TBool CIkev1Negotiation::ProcessKeyL(const TKeyISAKMP *aKey)
{
    //const TKeyISAKMP *key = TKeyISAKMP::Ptr(aPayload);
    
    //payload not present
    if (iPhase==PHASE_I)
    {
        if (!aKey)
        {
            DEBUG_LOG(_L("NO KEY Payload"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(PAYLOAD_MALFORMED);
            return EFalse;
        }
        //Doesn't return yet because it needs to copy the received key
    }
    else    //PHASE_II
    {
        if (!aKey)
        {
            if (iPFS)
            {
                DEBUG_LOG(_L("KEY Payload Expected (PFS is enabled)"));
                return EFalse;
            }

            return ETrue;
            
        }
        else    // Key present
        {
            if (!iPFS)
            {
                DEBUG_LOG(_L("KEY Payload NOT Expected (PFS is disabled)"));
                return EFalse;
            }
            //Doesn't return yet because it needs to copy the received key
        }
    }
        
    //stores the public key sent by the other peer. Only if key received and PFS enabled (PHASE II only)
    iPeerPublicKey.Copy(aKey->KeyData(), aKey->GetLength() - sizeof(*aKey));
    return ETrue;
}


TBool CIkev1Negotiation::ProcessNonceL(const TPayloadISAKMP *aPayload)
{
    const TNonceISAKMP *nonce = TNonceISAKMP::Ptr(aPayload);

    //payload not present
    if (!nonce)
    {
        DEBUG_LOG(_L("NO NONCE PAYLOAD"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(PAYLOAD_MALFORMED);
        return EFalse;
    }

    //stores the nonce sent by the other peer
    if (iRole==RESPONDER)
        iNONCE_I.Copy(nonce->NonceData(),nonce->NonceDataLen());
    else
        iNONCE_R.Copy(nonce->NonceData(),nonce->NonceDataLen());

    return ETrue;

}

TBool CIkev1Negotiation::ProcessStage1_II_IDsL(const TIdentISAKMP *aInit_ID_payload,const TIdentISAKMP *aResp_ID_payload, CProposal_IIList *aRecv_proposals)
{
    //IDci
    //First we check the received IDs to be able to build the proposals for phase_II
    TInt32 addr;        //Contains a numeric IPv4 addr to be sent
    TBuf<40> addr_buf;  //Contains a text IPv4/IPv6 addr to be sent

    TIp6Addr ip6addr;   //IPV6 raw address

    //We receive the peer proxy address or gateway client
    TAttrib_II *attr_II = aRecv_proposals->At(0)->iAttrList->At(0);
    if (aInit_ID_payload)   //ID Payload received
    {
        iIDReceived = ETrue;
        if (!CheckIdentL(aInit_ID_payload))  
            return EFalse;

        iIDRemotePort = aInit_ID_payload->GetPort();
        iIDProtocol = aInit_ID_payload->GetProtocol();
        iRemoteIDType_II = aInit_ID_payload->GetIDType();

        switch (aInit_ID_payload->GetIDType())
        {
            case ID_IPV4_ADDR:
                Mem::Copy((TUint8 *)&addr, aInit_ID_payload->IDData(),sizeof(TInt32));
                iRemoteAddr1_ID_II.SetAddress(ByteOrder::Swap32(addr));
                DEBUG_LOG(_L("Remote ID received"));
                DEBUG_LOG(_L("Setting Remote ID to:"));
                iRemoteAddr1_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(addr_buf);
                if (iRemoteAddr.Match(iRemoteAddr1_ID_II))
                    iDefaultRemoteID = ETrue;   //Must be sent but won't be used when updating the SAD
                else if (attr_II->iEncMode == DOI_TRANSPORT)
                {
                    DEBUG_LOG(_L("ADDRESS_NOTIFICATION (Received ID MUST match the Remote addr in Transport mode)"));
                    SendNotifyL(ADDRESS_NOTIFICATION);
                    return EFalse;
                }
                break;
            case ID_IPV4_ADDR_SUBNET:
                Mem::Copy((TUint8 *)&addr, aInit_ID_payload->IDData(),sizeof(TInt32));  //Address
                iRemoteAddr1_ID_II.SetAddress(ByteOrder::Swap32(addr));
                Mem::Copy((TUint8 *)&addr, aInit_ID_payload->IDData() + sizeof(TInt32),sizeof(TInt32)); //Mask
                iRemoteAddr2_ID_II.SetAddress(ByteOrder::Swap32(addr));
                iRemoteAddr1_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(_L("Setting Remote ID to: addr = "));
                DEBUG_LOG(addr_buf);
                iRemoteAddr2_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(_L(" mask = "));
                DEBUG_LOG(addr_buf);
                if (PrefixLen(iRemoteAddr2_ID_II) < KErrNone)   //Invalid Mask  (can't be > 32 bec. we get only 4 bytes)
                {
                    DEBUG_LOG(_L("INVALID_ID_INFORMATION (Invalid peer proxy mask for type ID_IPV4_ADDR_SUBNET)"));
                    SetErrorStatus( KKmdIkeNegotFailed );
                    SendNotifyL(INVALID_ID_INFORMATION);
                    return EFalse;
                }
                if (attr_II->iEncMode == DOI_TRANSPORT)
                {
                    if (!iRemoteAddr.Match(iRemoteAddr1_ID_II, iRemoteAddr2_ID_II))
                    {
                        DEBUG_LOG(_L("ADDRESS_NOTIFICATION (Remote ID MUST match the net & mask received)"));
                        SetErrorStatus( KKmdIkeNegotFailed );
                        SendNotifyL(ADDRESS_NOTIFICATION);
                        return EFalse;
                    }
                }
                break;
            case ID_IPV6_ADDR:
                Mem::Copy(&ip6addr.u.iAddr8, aInit_ID_payload->IDData(), sizeof(ip6addr.u.iAddr8));
                iRemoteAddr1_ID_II.SetAddress(ip6addr);
                DEBUG_LOG(_L("Remote ID received"));
                DEBUG_LOG(_L("Setting Remote ID to:"));
                iRemoteAddr1_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(addr_buf);
                if (iRemoteAddr.Match(iRemoteAddr1_ID_II))
                    iDefaultRemoteID = ETrue;   //Must be sent but won't be used when updating the SAD
                else if (attr_II->iEncMode == DOI_TRANSPORT)
                {
                    DEBUG_LOG(_L("ADDRESS_NOTIFICATION (Remote ID doesn't match received IDi in Transport mode)"));
                    SendNotifyL(ADDRESS_NOTIFICATION);
                    return EFalse;
                }
                break;
            case ID_IPV6_ADDR_SUBNET:
                Mem::Copy(&ip6addr.u.iAddr8, aInit_ID_payload->IDData(), sizeof(ip6addr.u.iAddr8)); //Address               
                iRemoteAddr1_ID_II.SetAddress(ip6addr);
                Mem::Copy(&ip6addr.u.iAddr8, aInit_ID_payload->IDData() + sizeof(ip6addr.u.iAddr8), sizeof(ip6addr.u.iAddr8));  //Mask
                iRemoteAddr2_ID_II.SetAddress(ip6addr);
                DEBUG_LOG(_L("Remote ID (subnet) received"));
                DEBUG_LOG(_L("Setting Remote ID to: addr = "));
                iRemoteAddr1_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(addr_buf);
                DEBUG_LOG(_L(" mask = "));
                iRemoteAddr2_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(addr_buf);
                if (PrefixLen(iRemoteAddr2_ID_II) < 0)  //Invalid Mask
                {
                    DEBUG_LOG(_L("INVALID_ID_INFORMATION (Invalid peer proxy mask for type ID_IPV6_ADDR_SUBNET)"));
                    SetErrorStatus( KKmdIkeNegotFailed );
                    SendNotifyL(INVALID_ID_INFORMATION);
                    return EFalse;
                }
                if (attr_II->iEncMode == DOI_TRANSPORT)
                {
                    if (!iRemoteAddr.Match(iRemoteAddr1_ID_II, iRemoteAddr2_ID_II))
                    {
                        DEBUG_LOG(_L("ADDRESS_NOTIFICATION (Remote ID MUST match the net & mask received)"));
                        SetErrorStatus( KKmdIkeNegotFailed );
                        SendNotifyL(ADDRESS_NOTIFICATION);
                        return EFalse;
                    }
                }
                break;
            default:    //redundant. Detected in CheckIdentL()
                DEBUG_LOG(_L("INVALID_ID_INFORMATION (ID Type not supported)"));
                SetErrorStatus( KKmdIkeNegotFailed );
                SendNotifyL(INVALID_ID_INFORMATION);
                return EFalse;
        }//switch
    }
    else    //No id received (That means we're negotiating directly with the end host) (RFC 2409 5.5)
    {
        //For TRANSPORT we don't need to do anything
        iIDLocalPort = 0;
        iIDRemotePort = 0;
        iIDProtocol = 0;
        return ETrue;   //No need to check the Responder ID if no Initiator ID received
    }

    //IDcr
    //Receive our proxy. We don't know it because we are responders so the other peer tells us who does it
    //want to communicate with
    if (aResp_ID_payload)   //ID Payload received
    {
        if (!CheckIdentL(aResp_ID_payload))
            return EFalse;

        iIDLocalPort = aResp_ID_payload->GetPort();
        iLocalIDType_II = aResp_ID_payload->GetIDType();
        if (iIDProtocol != aResp_ID_payload->GetProtocol()) //Must be the same sent in the IDCi
        {
            DEBUG_LOG(_L("INVALID_ID_INFORMATION (Local ID Protocol different from Remote ID Protocol. Must be the same)"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_ID_INFORMATION);
            return EFalse;
        }

        switch (aResp_ID_payload->GetIDType())
        {
            case ID_IPV4_ADDR:
                Mem::Copy((TUint8 *)&addr, aResp_ID_payload->IDData(),sizeof(TInt32));
                iLocalAddr1_ID_II.SetAddress(ByteOrder::Swap32(addr));
                DEBUG_LOG(_L("Local ID received"));
                DEBUG_LOG(_L("Setting Local ID to:"));
                iLocalAddr1_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(addr_buf);
                if ( iInternalAddr ) {
                   //
                   // Check ID against internal address instead of local address
                   //
                   if (iInternalAddr->iClientIntAddr.Match(iLocalAddr1_ID_II))
                       iDefaultLocalID = ETrue;  //Must be sent but won't be used when updating the SAD
                }
                else {
                   if (iLocalAddr.Match(iLocalAddr1_ID_II))
                        iDefaultLocalID = ETrue; //Must be sent but won't be used when updating the SAD
                   else if (attr_II->iEncMode == DOI_TRANSPORT)
                   {
                       DEBUG_LOG(_L("ADDRESS_NOTIFICATION (Local ID MUST match the net & mask received)"));
                       SetErrorStatus( KKmdIkeNegotFailed );
                       SendNotifyL(ADDRESS_NOTIFICATION);
                       return EFalse;
                   }   
                }
                break;
            case ID_IPV4_ADDR_SUBNET:
                Mem::Copy((TUint8 *)&addr, aResp_ID_payload->IDData(),sizeof(TInt32));  //Address
                iLocalAddr1_ID_II.SetAddress(ByteOrder::Swap32(addr));
                Mem::Copy((TUint8 *)&addr, aResp_ID_payload->IDData() + sizeof(TInt32),sizeof(TInt32)); //Mask
                iLocalAddr2_ID_II.SetAddress(ByteOrder::Swap32(addr));
                DEBUG_LOG(_L("Setting Local ID to: addr = "));
                iLocalAddr1_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(addr_buf);
                DEBUG_LOG(_L(" mask = "));
                iLocalAddr2_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(addr_buf);
                if (PrefixLen(iLocalAddr2_ID_II) < 0)   //Invalid Mask
                {
                    DEBUG_LOG(_L("INVALID_ID_INFORMATION (Invalid Remote ID mask for type ID_IPV4_ADDR_SUBNET)"));
                    SetErrorStatus( KKmdIkeNegotFailed );
                    SendNotifyL(INVALID_ID_INFORMATION);
                    return EFalse;
                }
                if (attr_II->iEncMode == DOI_TRANSPORT)
                {
                    if (!iLocalAddr.Match(iLocalAddr1_ID_II, iLocalAddr2_ID_II))
                    {
                        DEBUG_LOG(_L("ADDRESS_NOTIFICATION (Local ID MUST match the net & mask received)"));
                        SetErrorStatus( KKmdIkeNegotFailed );
                        SendNotifyL(ADDRESS_NOTIFICATION);
                        return EFalse;
                    }
                }
                break;
            case ID_IPV6_ADDR:
                Mem::Copy(&ip6addr.u.iAddr8, aResp_ID_payload->IDData(), sizeof(ip6addr.u.iAddr8));
                //iOwnProxyAddr.SetAddress(ip6addr);
                iLocalAddr1_ID_II.SetAddress(ip6addr);
                DEBUG_LOG(_L("Own Proxy received"));
                DEBUG_LOG(_L("Setting Own Proxy address to:"));
                iLocalAddr1_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(addr_buf);
                if (iLocalAddr.Match(iLocalAddr1_ID_II))
                    iDefaultLocalID = ETrue;    //Must be sent but won't be used when updating the SAD
                else if (attr_II->iEncMode == DOI_TRANSPORT)
                {
                    DEBUG_LOG(_L("ADDRESS_NOTIFICATION (Local ID MUST match the net & mask received)"));
                    SendNotifyL(ADDRESS_NOTIFICATION);
                    return EFalse;
                }
                break;
            case ID_IPV6_ADDR_SUBNET:
                Mem::Copy(&ip6addr.u.iAddr8, aResp_ID_payload->IDData(), sizeof(ip6addr.u.iAddr8)); //Address
                iLocalAddr1_ID_II.SetAddress(ip6addr);
                Mem::Copy(&ip6addr.u.iAddr8, aResp_ID_payload->IDData() + sizeof(ip6addr.u.iAddr8), sizeof(ip6addr.u.iAddr8));  //Mask
                iLocalAddr2_ID_II.SetAddress(ip6addr);
                DEBUG_LOG(_L("Setting Own Proxy to: addr = "));
                iLocalAddr1_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(addr_buf);
                DEBUG_LOG(_L(" mask = "));
                iLocalAddr2_ID_II.OutputWithScope(addr_buf);
                DEBUG_LOG(addr_buf);
                if (PrefixLen(iLocalAddr2_ID_II) < 0)   //Invalid Mask
                {
                    DEBUG_LOG(_L("INVALID_ID_INFORMATION (Invalid Remote ID mask for type ID_IPV6_ADDR_SUBNET)"));
                    SetErrorStatus( KKmdIkeNegotFailed );
                    SendNotifyL(INVALID_ID_INFORMATION);
                    return EFalse;
                }
                if (attr_II->iEncMode == DOI_TRANSPORT)
                {
                    if (!iLocalAddr.Match(iLocalAddr1_ID_II, iLocalAddr2_ID_II))
                    {
                        DEBUG_LOG(_L("ADDRESS_NOTIFICATION (Local ID MUST match the net & mask received)"));
                        SetErrorStatus( KKmdIkeNegotFailed );
                        SendNotifyL(ADDRESS_NOTIFICATION);
                        return EFalse;
                    }
                }
                break;
            default:
                DEBUG_LOG(_L("INVALID_ID_INFORMATION (ID Type not supported)"));
                SetErrorStatus( KKmdIkeNegotFailed );
                SendNotifyL(INVALID_ID_INFORMATION);
                return EFalse;
        }//switch
    }

    return ETrue;
}


TBool CIkev1Negotiation::ProcessStage2_II_IDsL(const TIdentISAKMP *aInit_ID_payload,const TIdentISAKMP *aResp_ID_payload)//, CProposal_IIList *aRecv_proposals)
{
    TInt32 addr4_int;       //Contains a numeric IPv4 addr to be sent
    TIp6Addr ip6addr;   //IPV6 raw address
    TInetAddr tmp_addr;
    //Here we check the initator proxy (Our client) sent by us has been received correctly
    if (aInit_ID_payload)   //ID Payload received
    {
        if (!CheckIdentL(aInit_ID_payload))
            return EFalse;

        if (aInit_ID_payload->GetPort() != iIDLocalPort)
        {
            DEBUG_LOG(_L("INVALID_ID_INFORMATION (Local ID Port different from the one sent)"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_ID_INFORMATION);
            return EFalse;
        }

        if (aInit_ID_payload->GetProtocol() != iIDProtocol)
        {
            DEBUG_LOG(_L("INVALID_ID_INFORMATION (Local ID Protocol different from the one sent)"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_ID_INFORMATION);
            return EFalse;
        }

        switch (aInit_ID_payload->GetIDType())
        {
        case ID_IPV4_ADDR:
            Mem::Copy((TUint8 *)&addr4_int,aInit_ID_payload->IDData(),sizeof(TInt32));
            tmp_addr.SetAddress(ByteOrder::Swap32(addr4_int));
            if (!tmp_addr.Match(iLocalAddr1_ID_II))
            {
                DEBUG_LOG(_L("Wrong Own ID received (Different from the one sent)"));
                SetErrorStatus( KKmdIkeNegotFailed );
                SendNotifyL(INVALID_ID_INFORMATION);
                return EFalse;
            }
            break;
        case ID_IPV4_ADDR_SUBNET:
            //Subnet
            Mem::Copy((TUint8 *)&addr4_int,aInit_ID_payload->IDData(),sizeof(TInt32));
            tmp_addr.SetAddress(ByteOrder::Swap32(addr4_int));
            if (!tmp_addr.Match(iLocalAddr1_ID_II))
            {
                //The ID subnet is not the one we sent!
                DEBUG_LOG(_L("Wrong Own ID subnet received (Different from the one sent)"));
                SetErrorStatus( KKmdIkeNegotFailed );
                SendNotifyL(INVALID_ID_INFORMATION);
                return EFalse;
            }
            //Mask
            Mem::Copy((TUint8 *)&addr4_int,aInit_ID_payload->IDData() + sizeof(TInt32),sizeof(TInt32));
            tmp_addr.SetAddress(ByteOrder::Swap32(addr4_int));          
            if (!tmp_addr.Match(iLocalAddr2_ID_II))
            {
                //The ID mask is not the one we sent!
                DEBUG_LOG(_L("Wrong Own ID mask received (Different from the one sent)"));
                SetErrorStatus( KKmdIkeNegotFailed );
                SendNotifyL(INVALID_ID_INFORMATION);
                return EFalse;
            }
            break;
        case ID_IPV6_ADDR:
            Mem::Copy(&ip6addr.u.iAddr8, aInit_ID_payload->IDData(), sizeof(ip6addr.u.iAddr8));
            tmp_addr.SetAddress(ip6addr);
            if (!tmp_addr.Match(iLocalAddr1_ID_II))
            {
                //The ID is not the one we sent!
                DEBUG_LOG(_L("Wrong Local ID received (Different from the one sent)"));
                SetErrorStatus( KKmdIkeNegotFailed );
                SendNotifyL(INVALID_ID_INFORMATION);
                return EFalse;
            }
            break;
        case ID_IPV6_ADDR_SUBNET:
            //subnet
            Mem::Copy(&ip6addr.u.iAddr8, aInit_ID_payload->IDData(), sizeof(ip6addr.u.iAddr8));
            tmp_addr.SetAddress(ip6addr);
            if (!tmp_addr.Match(iLocalAddr1_ID_II))
            {
                //The ID is not the one we sent!
                DEBUG_LOG(_L("Wrong Local ID subnet received (Different from the one sent)"));
                SetErrorStatus( KKmdIkeNegotFailed );
                SendNotifyL(INVALID_ID_INFORMATION);
                return EFalse;
            }
            //mask
            Mem::Copy(&ip6addr.u.iAddr8, aInit_ID_payload->IDData() + sizeof(ip6addr.u.iAddr8), sizeof(ip6addr.u.iAddr8));
            tmp_addr.SetAddress(ip6addr);
            if (!tmp_addr.Match(iLocalAddr2_ID_II))
            {
                //The ID is not the one we sent!
                DEBUG_LOG(_L("Wrong Local ID mask received (Different from the one sent)"));
                SetErrorStatus( KKmdIkeNegotFailed );
                SendNotifyL(INVALID_ID_INFORMATION);
                return EFalse;
            }
            break;
        default:
            DEBUG_LOG(_L("INVALID_ID_INFORMATION (ID Type not supported)"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_ID_INFORMATION);
            return EFalse;
        }//switch
    }
    else    //No id sent (That means we're negotiating directly with the end host
    {
        if (!iLocalAddr1_ID_II.IsUnspecified())
        {
            DEBUG_LOG(_L("IDci expected and not received!"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_ID_INFORMATION);
            return EFalse;
        }
    }

    //We receive the peer (responder) proxy address or gateway client
    if (aResp_ID_payload)   //ID Payload received
    {
        if (!CheckIdentL(aResp_ID_payload))
            return EFalse;

        if (aResp_ID_payload->GetPort() != iIDRemotePort)
        {
            DEBUG_LOG(_L("INVALID_ID_INFORMATION (Remote Port different from the one sent)"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_ID_INFORMATION);
            return EFalse;
        }

        if (aResp_ID_payload->GetProtocol() != iIDProtocol)
        {
            DEBUG_LOG(_L("INVALID_ID_INFORMATION (Responder ID Protocol different from the one sent)"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_ID_INFORMATION);
            return EFalse;
        }

        switch (aResp_ID_payload->GetIDType())
        {
            case ID_IPV4_ADDR:
                Mem::Copy((TUint8 *)&addr4_int,aResp_ID_payload->IDData(),sizeof(TInt32));
                tmp_addr.SetAddress(ByteOrder::Swap32(addr4_int));
                DEBUG_LOG(_L("IDcr received"));
                if (!iRemoteAddr1_ID_II.Match(tmp_addr))
                {
                    DEBUG_LOG(_L("INVALID_ID_INFORMATION (Wrong Remote ID, doesn't match sent one)"));
                    SetErrorStatus( KKmdIkeNegotFailed );
                    SendNotifyL(INVALID_ID_INFORMATION);
                    return EFalse;
                }
                break;
            case ID_IPV4_ADDR_SUBNET:
                //subnet address
                Mem::Copy((TUint8 *)&addr4_int,aResp_ID_payload->IDData(),sizeof(TInt32));
                tmp_addr.SetAddress(ByteOrder::Swap32(addr4_int));
                if (!tmp_addr.Match(iRemoteAddr1_ID_II))
                {
                    //The ID subnet is not the one we sent!
                    DEBUG_LOG(_L("Wrong Remote ID subnet received (Different from the one sent)"));
                    SetErrorStatus( KKmdIkeNegotFailed );
                    SendNotifyL(INVALID_ID_INFORMATION);
                    return EFalse;
                }
                //Mask address
                Mem::Copy((TUint8 *)&addr4_int,aResp_ID_payload->IDData() + sizeof(TInt32),sizeof(TInt32));
                tmp_addr.SetAddress(ByteOrder::Swap32(addr4_int));          
                if (!tmp_addr.Match(iRemoteAddr2_ID_II))
                {
                    //The ID mask is not the one we sent!
                    DEBUG_LOG(_L("Wrong Remote ID mask received (Different from the one sent)"));
                    SetErrorStatus( KKmdIkeNegotFailed );
                    SendNotifyL(INVALID_ID_INFORMATION);
                    return EFalse;
                }
                break;
            case ID_IPV6_ADDR:
                Mem::Copy(&ip6addr.u.iAddr8,aResp_ID_payload->IDData(), sizeof(ip6addr.u.iAddr8));
                tmp_addr.SetAddress(ip6addr);
                DEBUG_LOG(_L("IDcr received"));
                if (!iRemoteAddr1_ID_II.Match(tmp_addr))
                {
                    DEBUG_LOG(_L("INVALID_ID_INFORMATION (Wrong ID, doesn't match sent proxy)"));
                    SetErrorStatus( KKmdIkeNegotFailed );
                    SendNotifyL(INVALID_ID_INFORMATION);
                    return EFalse;
                }
                break;
            case ID_IPV6_ADDR_SUBNET:
                //subnet
                Mem::Copy(&ip6addr.u.iAddr8, aResp_ID_payload->IDData(), sizeof(ip6addr.u.iAddr8));
                tmp_addr.SetAddress(ip6addr);
                if (!tmp_addr.Match(iRemoteAddr1_ID_II))
                {
                    //The ID is not the one we sent!
                    DEBUG_LOG(_L("Wrong Remote ID subnet received (Different from the one sent)"));
                    SetErrorStatus( KKmdIkeNegotFailed );
                    SendNotifyL(INVALID_ID_INFORMATION);
                    return EFalse;
                }
                //mask
                Mem::Copy(&ip6addr.u.iAddr8, aResp_ID_payload->IDData() + sizeof(ip6addr.u.iAddr8), sizeof(ip6addr.u.iAddr8));
                tmp_addr.SetAddress(ip6addr);
                if (!tmp_addr.Match(iRemoteAddr2_ID_II))
                {
                    //The ID is not the one we sent!
                    DEBUG_LOG(_L("Wrong Remote ID mask received (Different from the one sent)"));
                    SetErrorStatus( KKmdIkeNegotFailed );
                    SendNotifyL(INVALID_ID_INFORMATION);
                    return EFalse;
                }
                break;
            default:    //Only these 2 modes make sense no reason for subnets or range
                DEBUG_LOG(_L("INVALID_ID_INFORMATION (Remote ID Type not supported)"));
                SetErrorStatus( KKmdIkeNegotFailed );
                SendNotifyL(INVALID_ID_INFORMATION);
                return EFalse;
        }//switch
    }
    else    //No id sent (That means we're negotiating directly with the end host. We check it's TRUE!
    {
        if (!iRemoteAddr1_ID_II.IsUnspecified())
        {
            DEBUG_LOG(_L("IDcr expected and not received!"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_ID_INFORMATION);
            return EFalse;
        }
    }

    return ETrue;
}


TBool CIkev1Negotiation::CheckIdentL(const TPayloadISAKMP *aPayload)
{
    const TIdentISAKMP *ident = TIdentISAKMP::Ptr(aPayload);
    
    //payload not present
    if (!ident)
    {
        DEBUG_LOG(_L("NO ID PAYLOAD"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(PAYLOAD_MALFORMED);
        return EFalse;
    }

    if (iPhase  == PHASE_I)
    {
        TUint8 protocol = ident->GetProtocol();
        if ((protocol != KProtocolInetUdp) && (protocol != 0))
        {
            DEBUG_LOG(_L("INVALID_ID_INFORMATION: Bad Phase I Protocol (Only UDP(17) or 0 accepted)"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_ID_INFORMATION);
            return EFalse;
        }
        TUint16 port = ident->GetPort();
        if ((port != 0) && (port != IKE_PORT) && (port != FLOATED_IKE_PORT) )
        {
            DEBUG_LOG(_L("INVALID_ID_INFORMATION: Invalid Bad Phase I Port. (Only 0, 500 or 4500 accepted)"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_ID_INFORMATION);
            return EFalse;
        }
        switch (ident->GetIDType())
        {
        case ID_IPV4_ADDR:
        case ID_IPV6_ADDR:
        case ID_FQDN:                       
        case ID_USER_FQDN:
        case ID_DER_ASN1_DN:
            break;
        default:
            DEBUG_LOG(_L("INVALID_ID_INFORMATION: Invalid Type (Only IPV4/IPV6/User FQDN and DER ASN1 DN accepted in PHASE I)"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_ID_INFORMATION);
            return EFalse;
        }
    }

    return ETrue;
}


//Certificate Request Payload processing (all modes).
TBool CIkev1Negotiation::ProcessCertificateReqL(const TCertificateReqISAKMP *aCertReq)
{
    if (iChosenProposal_I.iAttrList->iAuthMethod == IKE_A_CRACK)
    {
        DEBUG_LOG(_L("CR ignored when CRACK auth !)"));
        return ETrue;
    }

    TInt ret = CheckEncodingL(aCertReq->GetEncoding());
    switch (ret)
    {
    case KErrGeneral:
        return EFalse;
    case KErrNotSupported:  //Not supported but not an error, just ignored
        return ETrue;   
    }

	if ( !iPkiService )
	   return EFalse;
	TBool Status = EFalse;
	    //
        // No specific CA asked. Find a certificate using own trusted CA list
        //
    if ( ReadOwnCertL())
        {
         Status = ETrue; 
        }
   
    return Status;

}


//Certificate Request Payload(s) processing (all modes).
TBool CIkev1Negotiation::ProcessCertificateReqArrayL(const CArrayFixFlat<const TCertificateReqISAKMP *> *aCRPayloadArray)
{
	
    TInt count = aCRPayloadArray->Count();
    if ( count == 0 )
	{
       return ETrue;   // No Certificate requests   
    }
    
    if ( ProcessCertificateReqL(aCRPayloadArray->At(0)) )
       {
        DEBUG_LOG(_L("User Certificate required by peer found"));           
        iSendCert = ETrue;  //Requires sending our cert in next interchange where allowed/expected, otherwise not sent
        return ETrue;
       }
    HBufC8* CAName = NULL;
    CIkeCaList* trustedCaList = iPkiService->CaList();
    
    TInt Status=0;
    
    for (TInt i=0; i < trustedCaList->Count(); i++)
        {
        CIkeCaElem* CaElem = (*trustedCaList)[i];                     
                
        CAName = IkeCert::GetCertificateFieldDERL(CaElem->Certificate(), KSubjectName);
        CleanupStack::PushL(CAName);
        
        TRAP_IGNORE(Status=iPkiService->ReadChainL(iHostData, CAName)); 
        
        CleanupStack::PopAndDestroy(CAName);
        CAName=NULL;
        
        if ( Status == KErrNone )
            {
             delete iOwnCert;
             iOwnCert = iPkiService->GetCertificate();
             
             iICA1 = iPkiService->GetTrustedICA1();
                    
             iICA2 = iPkiService->GetTrustedICA2();
             
             iPeerTrustedCA = iPkiService->GetTrustedCA();
             
             iSendCert = ETrue;  //Requires sending our cert in next interchange where allowed/expected, otherwise not sent
             
             DEBUG_LOG(_L("Certificate chain Found!"));
             return ETrue;
             }
        }
    
   
    if ( Status == KVpnErrInvalidCaCertFile)
        {
         SetErrorStatus(KVpnErrInvalidCaCertFile);  
         
         SendNotifyL(CERTIFICATE_UNAVAILABLE);
         
         DEBUG_LOG(_L("Certificate chain read failed!"));
           
         return EFalse;
        }
	
    SetErrorStatus(KKmdIkeNoCertFoundErr);  
    SendNotifyL(CERTIFICATE_UNAVAILABLE);
    DEBUG_LOG(_L("Certificate Chain r!"));
    
    return EFalse;
}

//Certificate Payload(s) processing (all modes).
TBool CIkev1Negotiation::ProcessCertificateArrayL(CArrayFixFlat<const TCertificateISAKMP *>* aCertArray)
{
	TBool Status;	
	if ( iCertRequested )
		 Status = EFalse;
	else Status = ETrue;

	if ( iPkiService && aCertArray->Count() )
	{	        
        const CIkeCaList* trustedCaList = iPkiService->CaList();
    	CX509Certificate* PeerCert = IkePkiUtils::VerifyCertificateL(*aCertArray,
    	                                                             *trustedCaList);
    	if ( PeerCert )
	    {
		   delete iPeerX509Cert;
		   iPeerX509Cert = PeerCert;
	       DEBUG_LOG(_L("Peer Certificate is OK"));
		   Status = ETrue; 		
	    }
		else
		{
		   Status = EFalse;					
	       DEBUG_LOG(_L("Peer Certificate is rejected"));
		}			   
	}			
			
	return Status; 
}

//Checks the signature sent by the peer host
TBool CIkev1Negotiation::ProcessSignatureL(const TSignatureISAKMP *aSigPayload)
{
    TBool ret;
    //payload not present
    if (!aSigPayload || !iPeerX509Cert )
    {
        DEBUG_LOG(_L("NO SIG PAYLOAD"));
		SetErrorStatus(KKmdIkePeerAuthFailed);  				
        SendNotifyL(PAYLOAD_MALFORMED);
        return EFalse;
    }

    //DSS only allows SHA1 as hash
    TUint16 tmp = iChosenProposal_I.iAttrList->iHashAlg;
    if (iChosenProposal_I.iAttrList->iAuthMethod==DSS_SIG)
        iChosenProposal_I.iAttrList->iHashAlg = HASH_SHA1;

    TBuf8<ISAKMP_HASH_SIZE> hash;
    //Verify the peer signature
    if (iRole==RESPONDER)
    {
        ComputeHash1L(hash);   //Computes the value of iHASH_I the signature checking
                            //Nothing else to compute.
    }
    else    //Initiator
    {
        ComputeHashrL(hash); //Computes the value of CRACK digest for signature checking
    }

    ret = VerifySignatureL(iPeerX509Cert, (TUint8 *)hash.Ptr(), hash.Length(), aSigPayload->SigData(),aSigPayload->GetDataLength());

    //restores the value of the Hash alg.
    iChosenProposal_I.iAttrList->iHashAlg = tmp;

    if (!ret)
    {
        DEBUG_LOG(_L("INVALID_SIGNATURE 2"));
		SetErrorStatus(KKmdIkePeerAuthFailed);				
        SendNotifyL(INVALID_SIGNATURE);
        return EFalse;
    }

	DEBUG_LOG(_L("Peer Signature is OK"));           	
    return ETrue;
}


TBool CIkev1Negotiation::ProcessHashL(const THashISAKMP *aHashPayload)
{
	TBool Status = EFalse;
	if (aHashPayload)
	{
        //Compute peer's hash							
		TBuf8<ISAKMP_HASH_SIZE> hash;
		if ( (iStage == 6) || ((iStage == 2) && (iExchange == ISAKMP_EXCHANGE_AGGR)))
			 ComputeHashrL(hash);
		else ComputeHash1L(hash);
		Status = (Mem::Compare((TUint8 *)hash.Ptr(), hash.Length(), aHashPayload->Data(), aHashPayload->DataLen()) == 0 );
		if ( !Status )
		{
			DEBUG_LOG(_L("INVALID_HASH_INFORMATION"));
			SendNotifyL(INVALID_HASH_INFORMATION);
		}
	}	
	
    return Status;
}


TBool CIkev1Negotiation::ProcessHash2L(const ThdrISAKMP &aHdr, const THashISAKMP *aHashPayload, TUint aPadding)
{
	TBool Status = EFalse;
    if ( aHashPayload )
	{
	   TUint8* hashMsg = (TUint8*)aHashPayload->Next();
	   TInt hashMsgLen = aHdr.GetLength() - sizeof(aHdr) - aHashPayload->GetLength() - aPadding;
	   Status = VerifyHash2L(aHashPayload, hashMsg, hashMsgLen);
	   if (!Status)
	   {
		   DEBUG_LOG(_L("INVALID_HASH_INFORMATION"));
		   SendNotifyL(INVALID_HASH_INFORMATION);
       }
	}   
	else   
    {
       DEBUG_LOG(_L("PAYLOAD_MALFORMED"));
       SendNotifyL(PAYLOAD_MALFORMED);
    }

    return Status;
}


//Check a notification Payload inserted in a normal exchange (MAIN , AGGR, QUICK)
TBool CIkev1Negotiation::ProcessNotificationL(const TNotificationISAKMP *aNotifPayload)
{
    if (!aNotifPayload)
        return ETrue;   //optional so noting happens

    if (!CheckDOI(aNotifPayload->GetDOI()))
    {
        DEBUG_LOG(_L("Bad DOI in the NOT payload"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(DOI_NOT_SUPPORTED);  //send the informational exchange
        return EFalse;
    }
    
    switch(aNotifPayload->GetMsgType())
    {
    case DOI_RESPONDER_LIFETIME:
        return ProcessResponderLifetimeL(aNotifPayload);
    case DOI_REPLAY_STATUS:
        return ProcessReplayStatus(aNotifPayload);
    case DOI_INITIAL_CONTACT:
        return ProcessInitialContactL(aNotifPayload);
    default:
        DEBUG_LOG(_L("INVALID MESSAGE TYPE in NOT payload"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(PAYLOAD_MALFORMED);
        return EFalse;
    }

}


//Processes a RESPONDER-LIFETIME NOT payload
TBool CIkev1Negotiation::ProcessResponderLifetimeL(const TNotificationISAKMP *aNotifPayload)
{
    TBuf8<2 * ISAKMP_COOKIE_SIZE> spi, own_neg_spi;
    DEBUG_LOG(_L("Processing RESPONDER-LIFETIME"));

			
    if (!((iPhase == PHASE_II) && (iStage == 2)))
    {
		if ( iPhase == PHASE_I ) {
		   DEBUG_LOG(_L("RESPONDER-LIFETIME payload in phase 1, ignored !!"));
		   return ETrue;		
		}
		else {
  		   DEBUG_LOG(_L("Unexpected RESPONDER-LIFETIME payload (Bad stage)"));
  		   SetErrorStatus( KKmdIkeNegotFailed );
		   SendNotifyL(INVALID_PAYLOAD_TYPE);
    	   return EFalse;
		}	
    }

    TUint8 protocol = aNotifPayload->GetProtocol();
    if ((protocol != PROTO_IPSEC_AH) && (protocol != PROTO_IPSEC_ESP) &&
        (protocol != PROTO_ISAKMP)   && (protocol != 0))
    {
        DEBUG_LOG(_L("Bad protocol in the RESPONDER-LIFETIME payload"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(INVALID_PROTOCOL_ID);
        return EFalse;
    }

    TUint8 spi_size = aNotifPayload->GetSPISize();
    CProposal_II *prop;
    TInt i;
    //If SPI sent
    switch (spi_size)
    {
    case 2 * ISAKMP_COOKIE_SIZE:    //ISAKMP spi
        spi.Copy(aNotifPayload->GetSPI(), aNotifPayload->GetSPISize());
        own_neg_spi.Copy(iCookie_I);
        own_neg_spi.Append(iCookie_R);

        if (spi.Compare(own_neg_spi) != 0)
        {
            DEBUG_LOG(_L("Invalid SPI size in the RESPONDER-LIFETIME payload. Payload ignored"));
            SetErrorStatus( KKmdIkeNegotFailed );
            SendNotifyL(INVALID_SPI);
            return EFalse;
        }
        if (iChosenProp_IIList->Count() > 1)    
        {
            DEBUG_LOG(_L("RESPONDER-LIFETIME ignored. More than one SA (need a IPsec SPI to know which one to use) "));
            return EFalse;
        }
        prop = iChosenProp_IIList->At(0);       //Only one proposal
        break;
    case 0: //Compatibility with Alchemy cc500
        if (iChosenProp_IIList->Count() > 1)    
        {
            DEBUG_LOG(_L("RESPONDER-LIFETIME ignored. More than one SA (need a IPsec SPI to know which one to use) "));
            return EFalse;
        }

        prop = iChosenProp_IIList->At(0);       //Only one proposal
        break;
    case sizeof(TUint32):           //IPSEC SPI
        spi.Copy(aNotifPayload->GetSPI(), aNotifPayload->GetSPISize());
        prop = NULL;    //Only for the debugger, the loop will have at least one proposal
        for (i = 0; i < iChosenProp_IIList->Count(); i++)
        {
            prop = iChosenProp_IIList->At(i);       //Only one proposal
            if (((prop->iSPI.Compare(spi) == 0) && prop->iProtocol == protocol)) //right prop   
                break;
        }

        if (i == iChosenProp_IIList->Count())   //No prop matches
        {
            DEBUG_LOG(_L("RESPONDER-LIFETIME ignored. IPsec SPI doesn't match any chosen proposal"));
            return EFalse;
        }
        break;
    default:
        DEBUG_LOG(_L("Bad SPI size in the RESPONDER-LIFETIME payload"));
        return EFalse;
    }
    TAttrib_II *transform = prop->iAttrList->At(0); //Only one transform
    TInt data_len = aNotifPayload->GetNotifDataSize();
    TUint8 *data_ptr = aNotifPayload->GetNotifData();
    TUint16 lifeType = 0;   //No type assigned yet
    TInt64 lifeValue = 0;   //No type assigned yet
    TInt64 lifeValue32;
    TInt64 curr_lifeValue = 0;
    TInt32 duration;

    TDataISAKMP *attr = (TDataISAKMP*)data_ptr;
    while (data_len > 0)
    {
        data_len = data_len - attr->Size();
        if (data_len < 0)   //Mismatch between lengths!!!
        {
            DEBUG_LOG(_L("RESPONDER-LIFETIME (Length mismatch in the attibutes)"));
            return EFalse;
        }
        switch (attr->Type())
        {
        case DOI_ATTR_TYPE_LIFE_TYPE:           
        case OAKLEY_ATTR_TYPE_LIFE_TYPE:
            lifeType = attr->Value();
            if (!CheckLifeType(lifeType))
            {
                DEBUG_LOG(_L("RESPONDER-LIFETIME (Invalid lifetime type)"));
                return EFalse;
            }
            break;
        case DOI_ATTR_TYPE_LIFE_DUR:                        
        case OAKLEY_ATTR_TYPE_LIFE_DUR:
            if (attr->IsBasic())
            {
                duration = ByteOrder::Swap32(attr->Value());
                lifeValue = MAKE_TINT64(0, duration);
                lifeValue32 = I64LOW(lifeValue);                
                if (lifeType == SECONDS)
                {
                    Desc8ToTInt64(transform->iLifeDurationSecs, curr_lifeValue);        //can't fail
                    if (lifeValue < curr_lifeValue)
                        transform->iLifeDurationSecs.Copy((TUint8 *)&lifeValue32, sizeof(lifeValue32));
                }
                else if (lifeType == KBYTES)
                {
                    Desc8ToTInt64(transform->iLifeDurationKBytes, curr_lifeValue);  //can't fail
                    if (lifeValue < curr_lifeValue)
                        transform->iLifeDurationKBytes.Copy((TUint8 *)&lifeValue32, sizeof(lifeValue32));
                }
                else
                {
                    DEBUG_LOG(_L("RESPONDER-LIFETIME (Invalid lifetime type)"));
                    return EFalse;
                }
            }
            else    //Not basic
            {
                TPtrC8 ptr(attr->VarValue(),attr->Length());

                if (lifeType == SECONDS)
                {
                    if (Desc8ToTInt64(ptr, lifeValue) != KErrNone)
                        {
                        DEBUG_LOG(_L("RESPONDER-LIFETIME Lifetime(Sec) Overflowed Setting to maximum value"));
                        }
                    Desc8ToTInt64(transform->iLifeDurationSecs, curr_lifeValue);        //can't fail
                    if (lifeValue < curr_lifeValue)
                        transform->iLifeDurationSecs.Copy(attr->VarValue(),attr->Length());
                }
                else if (lifeType == KBYTES)
                {
                    if (Desc8ToTInt64(ptr, lifeValue) != KErrNone)
                        {
                        DEBUG_LOG(_L("RESPONDER-LIFETIME Lifetime(KBytes) Overflowed Setting to maximum value"));
                        }
                    Desc8ToTInt64(transform->iLifeDurationKBytes, curr_lifeValue);  //can't fail
                    if (lifeValue < curr_lifeValue)
                        transform->iLifeDurationKBytes.Copy(attr->VarValue(),attr->Length());
                }
                else
                {
                    DEBUG_LOG(_L("RESPONDER-LIFETIME (Invalid lifetime type)"));
                    return EFalse;
                }
            }
            break;
        default:
            DEBUG_LOG1(_L("RESPONDER-LIFETIME (Invalid attribute (%d) received)"), attr->Type());
            return EFalse;
        }//switch
        attr = attr->Next();
    }//while

    return ETrue;
}

//Processes a REPLAY-STATUS NOT payload
TBool CIkev1Negotiation::ProcessReplayStatus(const TNotificationISAKMP *aNotifPayload)
{
    TBuf8<2 * ISAKMP_COOKIE_SIZE> spi, own_neg_spi;

    DEBUG_LOG(_L("Processing REPLAY-STATUS"));

    if (!((iPhase == PHASE_II) && ((iStage == 1) || (iStage == 2))))
    {
        DEBUG_LOG(_L("Unexpected REPLAY-STATUS payload (Bad stage)"));
        return EFalse;
    }

    TUint8 protocol = aNotifPayload->GetProtocol();
    if ((protocol != PROTO_IPSEC_AH) && (protocol != PROTO_IPSEC_ESP) &&
        (protocol != PROTO_ISAKMP)   && (protocol != 0))
    {
        DEBUG_LOG(_L("Bad protocol in the REPLAY-STATUS payload"));
        return EFalse;
    }
    
    TInt i;
    TUint8 spi_size = aNotifPayload->GetSPISize();
    CProposal_II *prop;
    //If SPI sent
    switch (spi_size)
    {
    case 2 * ISAKMP_COOKIE_SIZE:    //ISAKMP spi
        spi.Copy(aNotifPayload->GetSPI(), aNotifPayload->GetSPISize());
        own_neg_spi.Copy(iCookie_I);
        own_neg_spi.Append(iCookie_R);
        if (spi.Compare(own_neg_spi) != 0)
        {
            DEBUG_LOG(_L("Invalid SPI size in the REPLAY-STATUS payload. Payload ignored"));
            return EFalse;
        }
        if (iChosenProp_IIList->Count() > 1)    
        {
            DEBUG_LOG(_L("REPLAY-STATUS ignored. More than one IPsec SA (need an IPsec SPI to know which one to use) "));
            return EFalse;
        }
        break;
    case 0: //Compatibility with Alchemy cc500
        if (iChosenProp_IIList->Count() > 1)
        {
            DEBUG_LOG(_L("RESPONDER-LIFETIME ignored. More than one SA (need a IPsec SPI to know which one to use) "));
            return EFalse;
        }
        prop = iChosenProp_IIList->At(0);       //Only one proposal
        break;
    case sizeof(TUint32):           //IPSEC SPI
        spi.Copy(aNotifPayload->GetSPI(), aNotifPayload->GetSPISize());
        for (i = 0; i < iChosenProp_IIList->Count(); i++)
        {
            prop = iChosenProp_IIList->At(i);       //Only one proposal
            if (((prop->iSPI.Compare(spi) == 0) && prop->iProtocol == protocol)) //right prop
                break;
        }
        if (i == iChosenProp_IIList->Count())   //No prop matches
        {
            DEBUG_LOG(_L("REPLAY-STATUS ignored. IPsec SPI doesn't match any chosen proposal"));
            return EFalse;
        }
        break;
    default:
        DEBUG_LOG(_L("Bad SPI size in the REPLAY-STATUS payload"));
        return EFalse;
    }

    TInt data_len = aNotifPayload->GetNotifDataSize();
    TUint32 *data = (TUint32 *)aNotifPayload->GetNotifData();
    if (STATIC_CAST(TUint, data_len) < sizeof(*data))
    {
        DEBUG_LOG(_L("REPLAY-STATUS (Length mismatch in the attibutes)"));
        return EFalse;
    }

#ifdef _DEBUG
    if (ByteOrder::Swap32(*data) == 0)
        DEBUG_LOG(_L("Anti-Replay Disabled on Peer Host"));
    else
        DEBUG_LOG(_L("Anti-Replay Enabled on Peer Host"));
#endif        
    return ETrue;
}


TBool CIkev1Negotiation::ProcessInitialContactL(const TNotificationISAKMP *aNotifPayload)
{
    TBuf8<2 * ISAKMP_COOKIE_SIZE> spi, neg_spi;

    DEBUG_LOG(_L("Processing INITIAL-CONTACT"));
                                                              // 7 = CRACK 
    if (!(iPhase == PHASE_I && (iStage == 5 || iStage == 6 || iStage == 7)))
    {
        DEBUG_LOG(_L("Unexpected INITIAL-CONTACT payload (Bad stage)"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(INVALID_PAYLOAD_TYPE);
        return EFalse;
    }

    if (aNotifPayload->GetProtocol() != PROTO_ISAKMP &&
        aNotifPayload->GetProtocol() != 0 )
        
    {
        DEBUG_LOG(_L("Bad protocol in the INITIAL_CONTACT payload"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(INVALID_PROTOCOL_ID);
        return EFalse;
    }

    if (aNotifPayload->GetSPISize() != 2 * ISAKMP_COOKIE_SIZE)
    {
        DEBUG_LOG(_L("Bad SPI size in the INITIAL_CONTACT payload"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(INVALID_SPI);
        return EFalse;
    }
    spi.Copy(aNotifPayload->GetSPI(), aNotifPayload->GetSPISize());
    neg_spi.Copy(iCookie_I);
    neg_spi.Append(iCookie_R);

    if (spi.Compare(neg_spi) != 0)
    {
        DEBUG_LOG(_L("Invalid SPI size in the INITIAL_CONTACT payload"));
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(INVALID_SPI);
        return EFalse;
    }
   
    if ( iRole == RESPONDER )
        {        
        // Expired SAs are not returned.
        TIkev1SAData* sa = iPluginSession->FindIkev1SADataWithAddr( iRemoteAddr );	
        while ( sa != NULL )
            {
            iPluginSession->UpdateIkev1SAL( sa->iSAId, ETrue );
            sa = iPluginSession->FindIkev1SADataWithAddr( iRemoteAddr );
            }
        
        // Delete other ongoing negotiations.
        CIkev1Negotiation* next = iPluginSession->FirstNegotiation();    
        while ( next != NULL )
            {
            CIkev1Negotiation* current = next;
            next = current->iNext;
            if ( current != this )
                {
                delete current;
                }
            }
        }

    return ETrue;
}



void CIkev1Negotiation::ProcessVendorL(CArrayFixFlat<const TVendorISAKMP*>* aVids)
{
	TBool result;	
    TInt i = 0;

	while ( i < aVids->Count() )
	{
    	TVendorISAKMP* VendorPayload = (TVendorISAKMP*)aVids->At(i);
        DEBUG_LOG(_L("Vendor ID received!\nHex: "));
        DEBUG_LOG_ARRAY(VendorPayload->VIDData(), VendorPayload->GetLength() - sizeof(*VendorPayload));
				
        if ( iLocalAddr.Family() == KAFUnspec )
            User::LeaveIfError( iPluginSession->GetLocalAddress( iLocalAddr ) ); // No local address info, get it !

		result = EFalse;
        iNAT_T_Required = ProcessVendorId(&result,
                                          (TUint8*)iCookie_I.Ptr(),
                                          (TUint8*)iCookie_R.Ptr(),
                                          iLocalAddr,
                                          VendorPayload);
        if ( result )
		{
           iFamiliarPeer = result;
#ifdef _DEBUG           
           DEBUG_LOG(_L("Nokia VPN gateway in peer!"));
		   if ( iNAT_T_Required  ) { 
	  	      DEBUG_LOG(_L("NAT Traversal needed!"));
		      if ( !iHostData->iUseNatProbing )
		      DEBUG_LOG(_L(" NAT probe not requested! NAT-T not used!"));    
		   }
#endif // _DEBUG	   
		   iNAT_T_Required = iNAT_T_Required & iHostData->iUseNatProbing;				   
        }   
        else
		{
		   if ( CheckDPDVendorId(VendorPayload) )
		   {
			  DEBUG_LOG(_L("Peer supports IETF Dead Peer Detection!"));			   
			  iDPDSupported = ETrue;
		   }	  
		   else if ( iNatDiscovery )
		   {
              result = iNatDiscovery->CheckNatVendorId(VendorPayload);
              if ( result )
              {
              	DEBUG_LOG(_L("Peer supports IETF (draft-03) NAT Traversal!"));              	
              }
              else
              {
              	result = iNatDiscovery->CheckRfcNatVendorId(VendorPayload);
              	if ( result )
              	    {
              		iVendorIDRfc=ETrue;
              	    DEBUG_LOG(_L("Peer supports IETF NAT Traversal!"));
              	    }
              }	
		   }		  
		}

		i ++;		
	}

}

//
//Process Internal address payload received
//
void CIkev1Negotiation::ProcessIntAddrL(const TINTNETISAKMP *aIntnetPayload)
{
    if ( aIntnetPayload && iFamiliarPeer && iHostData->iUseInternalAddr ) {
       delete iInternalAddr; //delete if already exists (old)
	   iInternalAddr = NULL;
       iInternalAddr = ProcessIntNetL((TINTNETISAKMP*) aIntnetPayload);
#ifdef _DEBUG       
       if ( iInternalAddr) {  
          TBuf<80> buf;
          TBuf<40> txt_addr;
          iInternalAddr->iClientIntAddr.OutputWithScope(txt_addr);
          DEBUG_LOG1(_L("Internal address received: %S"),&txt_addr);
       }
#endif       
    }   
}

//Computes the hash for phase II
void CIkev1Negotiation::ComputeHash2L(TDes8& aHash, TInt aStage, const TUint8 *aHashMsg, TInt aHashMsgLen)
{
	
	HBufC8* prf_data =
    HBufC8::NewLC(((aHashMsgLen + iNONCE_I.Length() + iNONCE_R.Length() + (2*sizeof(TUint32))) | 0x3) + 1);

    if (aStage == 3)
        prf_data->Des().Append(0);

    TUint32 id = ByteOrder::Swap32(iMessageId);
    prf_data->Des().Append((TUint8*)&id,sizeof(iMessageId));
    DEBUG_LOG(_L("ID"));
    switch (aStage)
    {
    case 2:
        prf_data->Des().Append(iNONCE_I);
        //No break is intended
    case 1:
        prf_data->Des().Append(aHashMsg,aHashMsgLen);
        break;
    case 3:
        
        prf_data->Des().Append(iNONCE_I);
        DEBUG_LOG(_L("iNONCE_I"));
        prf_data->Des().Append(iNONCE_R);
        DEBUG_LOG(_L("iNONCE_R"));
        break;
    default:
		CleanupStack::PopAndDestroy();  //prf_data		
        return;
    }

    DEBUG_LOG1(_L("Hash_II(%d) prf"),aStage);

    ComputePRFL(aHash, iSKEYID_a, prf_data->Des());
    
    DEBUG_LOG(_L("HASH"));

	CleanupStack::PopAndDestroy();  //prf_data

}

//Computes the hash for a protected informational exchange
void CIkev1Negotiation::ComputeHashInfL(TDes8& aHash, const TUint8 *aHashMsg, TInt aHashMsgLen)
{
	
	HBufC8* prf_data =
    HBufC8::NewLC(((aHashMsgLen + sizeof(iMessageId)) | 0x3) + 1);

    //prf(SKEYID_a, M_ID | N/D)
    TUint32 id = ByteOrder::Swap32(iMessageId);
    prf_data->Des().Append((TUint8*)&id, sizeof(iMessageId));

    prf_data->Des().Append(aHashMsg, aHashMsgLen);
    
    DEBUG_LOG(_L("Hash_NOT prf"));

    ComputePRFL(aHash, iSKEYID_a, prf_data->Des());

    DEBUG_LOG(_L("HASH"));

	CleanupStack::PopAndDestroy();  //prf_data			

}

//Verifies that aHash is correct
TBool CIkev1Negotiation::VerifyHash2L(const THashISAKMP *aHash,const TUint8 *aHashMsg, TInt aHashMsgLen)
{
	TBuf8<ISAKMP_HASH_SIZE> tmp_hash;	
	
    ComputeHash2L(tmp_hash, iStage, aHashMsg, aHashMsgLen);    //Computes the specified phase II hash

    TBool Status = (Mem::Compare((TUint8*)tmp_hash.Ptr(), tmp_hash.Length(), aHash->Data(), aHash->DataLen()) == 0);

	return Status;
}

//Verifies the hash of a Notification or Delete payload
// Used also to verify the hash of Transaction exchange (Attribute payload) 
TBool CIkev1Negotiation::VerifyInformationalHashL(const THashISAKMP *aHash,const TPayloadISAKMP *aPayload, TUint32 aMessageId)
{
    TBuf8<MAX_PRF_LENGTH> tmp_hash;

    TUint32 tmp_id = ByteOrder::Swap32(aMessageId);
    HBufC8 *prf_buf = HBufC8::NewLC(sizeof(tmp_id) + aPayload->GetLength());
    prf_buf->Des().Copy((TUint8 *)&tmp_id , sizeof(tmp_id));
    prf_buf->Des().Append((TUint8 *)aPayload, aPayload->GetLength());

    ComputePRFL(tmp_hash, iSKEYID_a, prf_buf->Des());
    TPtrC8 hash_ptr(aHash->Data(),aHash->DataLen());
    TBool b = (tmp_hash.Compare(hash_ptr)==0);
    CleanupStack::PopAndDestroy();  //prf_buf
    return (b);
}


//Computes Own Nonce using current time a seed
void CIkev1Negotiation::ComputeNonceL()
{
    DEBUG_LOG(_L("Computed NONCE."));
    if (iRole==INITIATOR)
    {
        iNONCE_I.SetLength(OAKLEY_DEFAULT_NONCE_SIZE);
        TRandom::RandomL(iNONCE_I);
    }
    else
    {       
        iNONCE_R.SetLength(OAKLEY_DEFAULT_NONCE_SIZE);
        TRandom::RandomL(iNONCE_R);
    }
}

//Computes HASH_R value
void CIkev1Negotiation::ComputeHashrL(TDes8 &aHash)
{
    TInt    id_size = 0;
    TUint16 auth_method = iChosenProposal_I.iAttrList->iAuthMethod;

    DEBUG_LOG(_L("Computing HASH_R"));

    if ( auth_method != IKE_A_CRACK ) {         
       if (iRole==INITIATOR)   
       {  //peer id. payload
          id_size = iPeerIdentPayloadSize;
          DEBUG_LOG(_L("PeerID"));
       }
       else    
       {  //Own identification payload
          id_size = iOwnIdentPayloadSize;
          DEBUG_LOG(_L("OwnID"));
       }
    }   
            
    DEBUG_LOG(_L("SKEYID"));

    HBufC8 *prf_data;
    if (iRole==INITIATOR)   //peer id. payload
    {
        prf_data = HBufC8::NewLC(iPeerPublicKey.Length() + iOwnPublicKey_ptr.Length() + iCookie_R.Length()
        + iCookie_I.Length() + iSAPayloadSize + id_size);
        prf_data->Des().Copy(iPeerPublicKey);
        prf_data->Des().Append(iOwnPublicKey_ptr);
        prf_data->Des().Append(iCookie_R);
        prf_data->Des().Append(iCookie_I);
        prf_data->Des().Append(iSAPayload,iSAPayloadSize);  //stored at the begining
        if ( auth_method != IKE_A_CRACK )
           prf_data->Des().Append(iPeerIdentPayload, iPeerIdentPayloadSize);
    }
    else    //RESPONDER
    {
        prf_data = HBufC8::NewLC(iOwnPublicKey_ptr.Length() + iPeerPublicKey.Length() + iCookie_R.Length()
        + iCookie_I.Length() + iSAPayloadSize + id_size);
        prf_data->Des().Copy(iOwnPublicKey_ptr);
        prf_data->Des().Append(iPeerPublicKey);
        prf_data->Des().Append(iCookie_R);
        prf_data->Des().Append(iCookie_I);
        prf_data->Des().Append(iSAPayload,iSAPayloadSize);  //stored at the begining
        if ( auth_method != IKE_A_CRACK )
           prf_data->Des().Append(iOwnIdentPayload, iOwnIdentPayloadSize);
    }

    DEBUG_LOG(_L("PRF"));

    ComputePRFL(aHash, iSKEYID, prf_data->Des());

    CleanupStack::PopAndDestroy();  //prf_data

    DEBUG_LOG(_L("HASH_R"));

}


//Computes the value of iHASH_I
void CIkev1Negotiation::ComputeHash1L(TDes8 &aHash)
{
    TInt    id_size = 0;
    TUint16 auth_method = iChosenProposal_I.iAttrList->iAuthMethod; 

    DEBUG_LOG(_L("Computing HASH_I"));

    if ( auth_method != IKE_A_CRACK ) {         
       if (iRole==INITIATOR)   //Own identification payload
       {
          id_size = iOwnIdentPayloadSize;
          DEBUG_LOG(_L("OwnID"));
       }
       else    //peer id. payload
       {
          id_size = iPeerIdentPayloadSize;
          DEBUG_LOG(_L("PeerID"));
       }
    }   
            
            
    DEBUG_LOG(_L("SKEYID"));

    HBufC8 *prf_data;
    if (iRole==INITIATOR)
    {
        prf_data = HBufC8::NewLC(iOwnPublicKey_ptr.Length() + iPeerPublicKey.Length() + iCookie_I.Length()
        + iCookie_R.Length() + iSAPayloadSize + id_size);
        prf_data->Des().Copy(iOwnPublicKey_ptr);
        prf_data->Des().Append(iPeerPublicKey);
        prf_data->Des().Append(iCookie_I);
        prf_data->Des().Append(iCookie_R);
        prf_data->Des().Append(iSAPayload,iSAPayloadSize);  //stored at the begining
        if ( auth_method != IKE_A_CRACK )
           prf_data->Des().Append(iOwnIdentPayload,iOwnIdentPayloadSize);      
    }
    else    //RESPONDER
    {
        prf_data = HBufC8::NewLC(iPeerPublicKey.Length() + iOwnPublicKey_ptr.Length() + iCookie_I.Length()
                                 + iCookie_R.Length() + iSAPayloadSize + id_size);
        prf_data->Des().Copy(iPeerPublicKey);
        prf_data->Des().Append(iOwnPublicKey_ptr);
        prf_data->Des().Append(iCookie_I);
        prf_data->Des().Append(iCookie_R);
        prf_data->Des().Append(iSAPayload,iSAPayloadSize);  //stored at the begining

        if ( auth_method != IKE_A_CRACK )       
           prf_data->Des().Append(iPeerIdentPayload, iPeerIdentPayloadSize);        
    }   

    DEBUG_LOG(_L("PRF"));

    ComputePRFL(aHash, iSKEYID, prf_data->Des());
    CleanupStack::PopAndDestroy();  //prf_buf
    DEBUG_LOG(_L("HASH_I"));
}


//Checks the encryption alg is valid
TBool CIkev1Negotiation::CheckEncrAlg(TUint16 aValue)
{
    switch (aValue)
    {
    case DES_CBC:
    case DES3_CBC:
    case AES_CBC:
        return ETrue;
    case IDEA_CBC:
    case BLOWFISH_CBC:
    case RC5_R16_B64_CBC:
    case CAST_CBC:
        DEBUG_LOG(_L("Not implemented Encr algorithm"));
        return ETrue; // Unknown attribute value NOT a fatal error !            
    }
    DEBUG_LOG(_L("Bad Encr algorithm"));

    return ETrue; // Unknown attribute value NOT a fatal error !
}



TBool CIkev1Negotiation::CheckHashAlg(TUint16 aValue)
{
    switch (aValue)
    {
    case HASH_MD5:
    case HASH_SHA1:
        return ETrue;
    case HASH_TIGER:
        DEBUG_LOG(_L("Not implemented Hash algorithm"));
        return ETrue; // Unknown attribute value NOT a fatal error !                            
    }
    DEBUG_LOG(_L("Bad Hash algorithm"));
        return ETrue; // Unknown attribute value NOT a fatal error !                        

}


TBool CIkev1Negotiation::CheckAuthMethod(TUint16 aValue)
{
    switch (aValue)
    {   
    case PRE_SHARED:
        if (iHostData->iPresharedKey.iKey.Length()==0)  //No preshared key defined
        {
            DEBUG_LOG(_L("Authentication method error (No Preshared key available"));
            return EFalse;
        }
        return ETrue;
    case RSA_SIG:
    case DSS_SIG:
    case IKE_A_CRACK:       
        return ETrue;
    }
    DEBUG_LOG(_L("Bad Authentication method"));
    return ETrue; // Unknown attribute value NOT a fatal error !

}

TBool CIkev1Negotiation::CheckGroupDesc(TUint16 aValue)
{
    switch (aValue)
    {
    case MODP_768:
    case MODP_1024:
    case MODP_1536:     
    case MODP_2048:
        return ETrue;
    case EC2N_155:
    case EC2N_185:
        break;
    }

    return ETrue; // Unknown attribute value NOT a fatal error !    
}


TBool CIkev1Negotiation::CheckGroupType(TUint16 aValue)
{
    switch(aValue)
    {
    case MODP:
        return ETrue;
    case ECP:
    case EC2N:
        break;      
    }

    return ETrue; // Unknown attribute value NOT a fatal error !        

}

TBool CIkev1Negotiation::CheckGroupPrime(const TUint8* /* aValue */, TUint16 /* length */)
{
    return ETrue;
}

TBool CIkev1Negotiation::CheckGroupGen(const TUint8* /* aValue */, TUint16 /* length */)
{
    return ETrue;
}

TBool CIkev1Negotiation::CheckGroupCurve(const TUint8* /* aValue */, TUint16 /* length */)
{
    return ETrue;
}

//Used for Phase I and II
TBool CIkev1Negotiation::CheckLifeType(TUint16 aValue)
{
    switch(aValue)
    {
    case SECONDS:
    case KBYTES:
        return ETrue;
    }
    return EFalse;
}

TBool CIkev1Negotiation::CheckLifeDuration(const TUint8* /* aValue */, TUint16 /* length */)
{
    return ETrue;
}

TBool CIkev1Negotiation::CheckPRF(TUint16 aValue)
{
    if (aValue!=OAKLEY_PRF_3DES_CBC_MAC)
    {
        DEBUG_LOG(_L("Bad PRF"));    
        return EFalse;
    }
    return ETrue;
}

TBool CIkev1Negotiation::CheckKeyLength(TUint16 /*aValue*/,TUint8 aID,TUint8 aProtocol)
{
    TBool Status = ETrue;
    switch (aProtocol)
    {
    case PROTO_ISAKMP:
        if ( aID != AES_CBC )
		{	
           Status = EFalse; //all other supported algs have fixed size
		   DEBUG_LOG(_L("Key length specified with fixed ISAKMP encryption algorithm"));
		}
        break;
    case PROTO_IPSEC_AH:
        Status = EFalse;      //Supported algorithms have fixed key length
		DEBUG_LOG(_L("Key length specified with fixed AH integrity algorithm"));
        break;
    case PROTO_IPSEC_ESP:
		if ( aID != ESP_AES_CBC )
		{	
		   Status = EFalse;
		   DEBUG_LOG(_L("Key length specified with fixed ESP encryption algorithm"));		   
		}   
        break;
    default:    //Unsupported SA type
		Status = EFalse;      //Supported algorithms have fixed key length
		break;
    }

	return Status;
}

TBool CIkev1Negotiation::CheckFieldSize(TUint16 /* aValue */)
{
    DEBUG_LOG(_L("Field size not supported"));
    return EFalse;
}

TBool CIkev1Negotiation::CheckGroupOrder(const TUint8* /* aValue */, TUint16 /* length */)
{
    DEBUG_LOG(_L("Group Order not supported "));
    return ETrue; // Unknown attribute value NOT a fatal error !                    
}

//Encapsulation mode
TBool CIkev1Negotiation::CheckEncMode(TUint16 aValue)
{
    switch (aValue)
    {
    case DOI_TUNNEL:
    case DOI_TRANSPORT:
        return ETrue;
    case UDP_ENC_TUNNEL:
    case UDP_RFC_ENC_TUNNEL:
//  case UDP_ENC_TRANSPORT:  
        if ( iNAT_D_Flags )
           return ETrue;
        break;
    }

    DEBUG_LOG(_L("Bad Encapsulation mode"));
    return EFalse;
    
}

//defined authentication algorithm types. Other are invalid.
TBool CIkev1Negotiation::CheckAuthAlg(TUint16 aValue)
{
    switch (aValue)
    {
    case DOI_HMAC_MD5:
    case DOI_HMAC_SHA:
        return ETrue;
	case DOI_DES_MAC:		
    case DOI_KPDK:
        DEBUG_LOG(_L("Unimplemented Auhentication Algorithm"));
    }
    DEBUG_LOG(_L("Bad Auhentication Algorithm"));
    return ETrue; // Unknown attribute value NOT a fatal error !                        
}

//By now only X509_CERT_SIG. Tristate error codes:
//KErrNone -> accepted
//KErrNotSupported ignored but no error Notification.
//KErrGeneral: NOT accepted 
TInt CIkev1Negotiation::CheckEncodingL(TUint8 aEncoding)
{
    switch (aEncoding)
    {
    case X509_CERT_SIG://X.509 Certificate - Signature
        break;
    case CRL://Certificate Revocation List (CRL)
        DEBUG_LOG(_L("WARNING: CRL ignored because not supported"));
        return KErrNotSupported;    //No notification, just ignored!
    case PKCS://PKCS #7 wrapped X.509 certificate
    case PGP://PGP Certificate
    case DNS ://DNS Signed Key
    case X509_CERT_KE://X.509 Certificate - Key Exchange
    case KERBEROS://Kerberos Tokens
    case ARL://Authority Revocation List (ARL)
    case SPKI://SPKI Certificate
    case X509_CERT_ATTR://X.509 Certificate - Attribute
        DEBUG_LOG(_L("CERT_TYPE_UNSUPPORTED (not supported CERT type)"));
        SendNotifyL(CERT_TYPE_UNSUPPORTED);
        return KErrNotSupported;    // No notification, just ignored!        

    default://Invalid encoding type
        DEBUG_LOG(_L("INVALID_CERT_ENCODING (not existent CERT type)"));
        SendNotifyL(INVALID_CERT_ENCODING);
        return KErrNotSupported;    // No notification, just ignored!                

    }

    return KErrNone;
}


//Provisional (Uses as a seed time, Address and port)
TCookie CIkev1Negotiation::CreateCookieL() const
{
    TCookie c;
    //Cookie generation is Random no longer uses known data like addr
    //or port (wrong?)
    c.SetLength(ISAKMP_COOKIE_SIZE);
	TRandom::RandomL(c);
    return c;
}

TInt32 CIkev1Negotiation::RandomMessageId()
{
    TTime tmp_time;
    tmp_time.UniversalTime();
    TInt64 seed = tmp_time.Int64();
    TInt32 rand = Math::Rand(seed);
    return rand;
}

TBool CIkev1Negotiation::CheckCookies(const TCookie& aInit, const TCookie& aResp)
    {
    TCookie NULL_COOKIE;
    NULL_COOKIE.FillZ(ISAKMP_COOKIE_SIZE);

    if ( iCookie_I.Compare(NULL_COOKIE) != 0 &&
         iCookie_I.Compare(aInit) != 0 )
        {
        DEBUG_LOG(_L("Initiator COOKIE incorrect"));
        return EFalse;
        }
    if ( iCookie_R.Compare(NULL_COOKIE) != 0 &&
         iCookie_R.Compare(aResp) != 0 )
        {
        DEBUG_LOG(_L("Responder COOKIE incorrect"));
        return EFalse;
        }

    return ETrue;    
    }

//Checks if the payload value is correct
TBool CIkev1Negotiation::CheckPayloadCode(TUint8 aPayload)
{
    switch (aPayload)
    {
    case ISAKMP_PAYLOAD_NONE:
    case ISAKMP_PAYLOAD_SA:
    case ISAKMP_PAYLOAD_P:
    case ISAKMP_PAYLOAD_T:
    case ISAKMP_PAYLOAD_KE:
    case ISAKMP_PAYLOAD_ID:
    case ISAKMP_PAYLOAD_CERT:
    case ISAKMP_PAYLOAD_CR:
    case ISAKMP_PAYLOAD_HASH:
    case ISAKMP_PAYLOAD_SIG:
    case ISAKMP_PAYLOAD_NONCE:
    case ISAKMP_PAYLOAD_NOTIF:
    case ISAKMP_PAYLOAD_D:
    case ISAKMP_PAYLOAD_VID:
    case ISAKMP_PAYLOAD_ATTRIBUTES:                         
    case ISAKMP_PAYLOAD_CHRE:
    case ISAKMP_INT_NETWORK:
    case IETF_NAT_DISCOVERY:
    case IETF_RFC_NAT_DISCOVERY:
    case IETF_NAT_ORIG_ADDR:
    case IETF_RFC_NAT_ORIG_ADDR:
        return ETrue;   //supported payload type
    }
    DEBUG_LOG1(_L("INVALID_PAYLOAD_TYPE (%x)"),aPayload);
    return EFalse;

}


//Checks if the version (major,minor) is supported
TBool CIkev1Negotiation::CheckVersionL(TUint8 aVersion)
{
    if (aVersion >> 4  > MAJOR)
    {
        DEBUG_LOG(_L("INVALID_MAJOR_VERSION"));
        SendNotifyL(INVALID_MAJOR_VERSION);
        return EFalse;
    }

    if (aVersion & (0x0f) > MINOR)
    {
        DEBUG_LOG(_L("INVALID_MINOR_VERSION"));
        SendNotifyL(INVALID_MINOR_VERSION);
        return EFalse;
    }

    return ETrue;   //version correct
}

//Checks if the exchange type is valid and the same as in the negotiation
TBool CIkev1Negotiation::CheckExchangeTypeL(TUint8 aType)
{
    switch (aType)
    {
    case ISAKMP_EXCHANGE_ID:    //Main
    case ISAKMP_EXCHANGE_AGGR:  // Agressive
    case ISAKMP_EXCHANGE_INFO:
    case IKE_QUICK_MODE:
        //invalid Exchange Type Not the same being used and not an error notification
        if (aType != iExchange)
        {
            DEBUG_LOG(_L("INVALID_EXCHANGE_TYPE"));  //send the informational exchange
            SendNotifyL(INVALID_EXCHANGE_TYPE);  //send the informational exchange
            return EFalse;  //invalid Exchange Type
        }
        break;
    case ISAKMP_EXCHANGE_BASE:  // Base
    case ISAKMP_EXCHANGE_NONE:  // Identity Protection (Main mode in IKE)
    case ISAKMP_EXCHANGE_AUTH:  // Authentication Only
    case IKE_NEW_GROUP_MODE:    // New Group Mode
        DEBUG_LOG(_L("INVALID_EXCHANGE_TYPE"));  //send the informational exchange
        SendNotifyL(UNSUPPORTED_EXCHANGE_TYPE);  //send the informational exchange
        return EFalse;
    }

    return ETrue;
}

//Checks the non-relevant bits are 0. Other comprovations are done when needed
TBool CIkev1Negotiation::CheckFlagsL(TUint8 aFlags)
{
    if (aFlags >> 3 != 0)
    {
        DEBUG_LOG(_L("INVALID_FLAGS"));  //send the informational exchange
        SendNotifyL(INVALID_FLAGS);  //send the informational exchange
        return EFalse;
    }

    return ETrue;
}

//Checks the Id has a correct value. 0 in Phase I, the correct one in Phase II
TBool CIkev1Negotiation::CheckMessageIdL(TUint32 aId)
{
    if (aId != iMessageId)    //iMessageId will be 0 during Phase I
    {
        DEBUG_LOG2(_L("INVALID_MESSAGE_ID %u (neg=%u)"),aId, iMessageId);
        SendNotifyL(INVALID_MESSAGE_ID); //send the informational exchange
        return EFalse;
    }
    return ETrue;
}

//Checks the DOI is valid
TBool CIkev1Negotiation::CheckDOI(TUint32 aDOI)
{
    if (aDOI > IPSEC_DOI)    //Not IPSEC nor ISAKMP DOI
        return EFalse;

    return ETrue;
}

//Checks the SIT is valid
TBool CIkev1Negotiation::CheckSituationL(TUint32 aSIT)
{
    //Secrecy and integrity not yet supported
    if ((aSIT & IPSEC_SIT_SECRECY) || (aSIT & IPSEC_SIT_INTEGRITY))
    {
        DEBUG_LOG(_L("SITUATION_NOT_SUPPORTED"));    //send the informational exchange
        SendNotifyL(SITUATION_NOT_SUPPORTED);    //send the informational exchange
        return EFalse;
    }

    return ETrue;
}
//check the generic payload is OK. Correct payload + Reserved==0
TBool CIkev1Negotiation::CheckGenericPayloadL(const TPayloadISAKMP *aPayload)
{
    if (!CheckPayloadCode(aPayload->GetPayload()))
        return EFalse;

    if (aPayload->GetReserved() != 0)   //Must be always 0
    {
        DEBUG_LOG(_L("INVALID RESERVED FIELD"));
        SendNotifyL(PAYLOAD_MALFORMED);
        return EFalse;
    }

    if ((aPayload->GetLength() < MIN_ISAKMP_PAYLOAD_SIZE) || (aPayload->GetLength() > iLengthLeft))
    {
        DEBUG_LOG(_L("BAD PAYLOAD SIZE"));
        SendNotifyL(PAYLOAD_MALFORMED);
        return EFalse;
    }

    iLengthLeft -= aPayload->GetLength();   //Updates the length left in the buffer

    return ETrue;

}

//checks if protocol supported
TBool CIkev1Negotiation::CheckProtocolL(TUint8 aProtocol)
{
    switch (aProtocol)
    {
        //PHASE_I Protocol
        case PROTO_ISAKMP:  //Only when establishing own SA??
            if (iPhase != PHASE_I)
            {
                DEBUG_LOG(_L("INVALID_PROTOCOL_ID (ISAKMP only allowed in Phase I)"));
                SendNotifyL(INVALID_PROTOCOL_ID);
                return EFalse;
            }
            return ETrue;
			
        //PHASE_II Protocols
        case PROTO_IPSEC_AH:
        case PROTO_IPSEC_ESP:
            if (iPhase != PHASE_II)
            {
                DEBUG_LOG1(_L("INVALID_PROTOCOL_ID (Prot (%u) only allowed in Phase II)"),aProtocol);
                SendNotifyL(INVALID_PROTOCOL_ID);
                return EFalse;
            }
            return ETrue;
    }
    DEBUG_LOG1(_L("INVALID_PROTOCOL_ID (Unknown Protocol (%u))"),aProtocol);
    SendNotifyL(INVALID_PROTOCOL_ID);
    return EFalse;
}

TBool CIkev1Negotiation::CheckSPIL(const TProposalISAKMP *aProposal)
{

    TUint size=aProposal->GetSPISize();
    if (iPhase == PHASE_I)
    {
        if (size > MAX_SPI_SIZE)
        {
            DEBUG_LOG(_L("INVALID_SPI (Bad Size)"));
            SendNotifyL(INVALID_SPI);
            return EFalse;
        }
    }
    else    //Phase II
    {
        TUint32 spi = 0;
        if (aProposal->GetSPISize() > sizeof(TUint32))
        {
            DEBUG_LOG(_L("INVALID_SPI (Too big. Max. is 32 bits)"));
            SendNotifyL(INVALID_SPI);
            return EFalse;
        }
        Mem::Copy((TUint8 *)&spi, ((TProposalISAKMP *)aProposal)->SPI(), aProposal->GetSPISize());
        spi = ByteOrder::Swap32(spi);
        if (spi < 256)  //The first 256 are reserved
        {
            DEBUG_LOG(_L("INVALID_SPI (spi's < 256 are RESERVED)"));
            SendNotifyL(INVALID_SPI);
            return EFalse;
        }
    }
    return ETrue;
}

//Checks for transform payloads. MUST NOT abort processing, just discard the payload
TBool CIkev1Negotiation::CheckTransformID(TUint8 aProtocol,TUint8 aID)
{
    switch (aProtocol)
    {
    case PROTO_ISAKMP:
        if (aID != KEY_IKE)
            return EFalse;
        break;
		
    case PROTO_IPSEC_AH:
		if ( (aID != AH_MD5) && (aID != AH_SHA))
		{
			DEBUG_LOG(_L("Unsupported Authentication Algorithm"));					
			return EFalse;
		}
        break;
    case PROTO_IPSEC_ESP:
		switch ( aID )
		{
			case ESP_DES_CBC:
			case ESP_3DES_CBC:
			case ESP_NULL:
			case ESP_AES_CBC:				
				break;
			default:
				DEBUG_LOG(_L("Unsupported Encryption Algorithm"));
				return EFalse;
		}	
        break;
		
    default:
        return EFalse;
    }

    return ETrue;
}


//Diffie-Hellman key exchange
//The info in iNegotiation MUST be correct
TBool CIkev1Negotiation::ComputeDHPublicValueL()
{
    TUint desc;
    if (iPhase == PHASE_I)
    {
        //If aggressive sends the SA and KE at the same time b4 knowing the chosen group.
        //The group in the first proposed transform is chosen. Shouldn't be transforms with 
        //different groups sent. Checked when using the configuration tool?
        if ((iExchange == ISAKMP_EXCHANGE_AGGR) && (iRole == INITIATOR))
            desc = iProposal_I.iAttrList->iGroupDesc;
        else
            desc = iChosenProposal_I.iAttrList->iGroupDesc;
    }
    else
    {
        if (iRole == INITIATOR) //We have to use one of the proposals because we don't have the reply yet
                                //Anyay only one group can be specified for phase II so it's fine
            desc = iProposal_IIList->At(0)->iAttrList->At(0)->iGroupDesc;
        else    //RESPONDER
            desc = iChosenProp_IIList->At(0)->iAttrList->At(0)->iGroupDesc;
    }

    delete iOwnKeys;    //Happens in phase II because we may recalculate the DH value.
	iOwnKeys = NULL;
    delete iOwnPublicKey;   // Happens in phase II because we may recalculate the DH value.
    iOwnPublicKey = NULL;

    iOwnKeys = GeneratePubPrivKeysL(desc);
    if (!iOwnKeys)
    {
        DEBUG_LOG(_L("Error generating DH public and private keys"));
        return EFalse;
    }
    iOwnPublicKey = iOwnKeys->GetPubKey();    //save the public key in a buffer to have easy access
    iOwnPublicKey_ptr.Set(iOwnPublicKey->Des());
    return ETrue;
}


//Initial IV computation
//Pre:Requires correct Public keys alredy stored!!!
TBool CIkev1Negotiation::InitIVL()
{
	HBufC8* prf_data =
    HBufC8::NewLC(((iOwnPublicKey_ptr.Length() + iPeerPublicKey.Length()) | 0x3) + 1);
	
    if (iRole == INITIATOR)
    {
        prf_data->Des().Copy(iOwnPublicKey_ptr);
        prf_data->Des().Append(iPeerPublicKey);

    }
    else    //RESPONDER
    {
        prf_data->Des().Copy(iPeerPublicKey);
        prf_data->Des().Append(iOwnPublicKey_ptr);
    }
    if (iChosenProposal_I.iAttrList->iHashAlg == HASH_MD5)
         MD5HashL(prf_data->Des(), iIV);
    else SHA1HashL(prf_data->Des(), iIV);

    if (iChosenProposal_I.iAttrList->iEncrAlg == AES_CBC )
         iIVSize = 16;
    else iIVSize = 8;
    iIV.SetLength(iIVSize); 
    DEBUG_LOG(_L("Init"));

	CleanupStack::PopAndDestroy();  //prf_data
    
    return ETrue;
}



//subsequent IV computations. Like when send notifications or beginning of Phase II
TBool CIkev1Negotiation::ComputeIVL(TDes8 &aIV, TInt32 aMessageId)
{ 
	HBufC8* prf_data =
    HBufC8::NewLC(((aIV.Length() + sizeof(aMessageId)) | 0x3) + 1);
	
    if ((iChosenProposal_I.iAttrList->iEncrAlg != DES3_CBC) &&
	    (iChosenProposal_I.iAttrList->iEncrAlg != AES_CBC)  &&
	    (iChosenProposal_I.iAttrList->iEncrAlg != DES_CBC))
    {
        return EFalse;
    }
    //former IV
    prf_data->Des().Copy(aIV);
    //Message ID
    TInt32 id = ByteOrder::Swap32(aMessageId);  //Needed to add it

    prf_data->Des().Append((TUint8 *)&id, sizeof(id));
    
    DEBUG_LOG(_L("prf"));
    if (iChosenProposal_I.iAttrList->iHashAlg == HASH_MD5)
		 MD5HashL(prf_data->Des(), aIV);
    else SHA1HashL(prf_data->Des(), aIV);
		
    DEBUG_LOG(_L("Computed IV"));
			
    CleanupStack::PopAndDestroy();  //prf_data			
    return ETrue;
}

//Generates all the keying material SKEYID,SKEYID_d,SKEYID_a,SKEYID_e
TBool CIkev1Negotiation::ComputeKeysL()
{
	TUint desc;			
    //If aggressive sends the SA and KE at the same time b4 knowing the chosen group.
    //The group in the first proposed transform is chosen. Shouldn't be transforms with 
    //different groups sent
    if ((iExchange == ISAKMP_EXCHANGE_AGGR) && (iRole == INITIATOR))
        desc = iProposal_I.iAttrList->iGroupDesc;
    else
        desc = iChosenProposal_I.iAttrList->iGroupDesc;
	//
	//Computes agreed key 
	//
	HBufC8* agreedKey = ComputeAgreedKeyL(desc, iPeerPublicKey, iOwnKeys);  //(gxy)
	if ( !agreedKey ) {
		DEBUG_LOG(_L("DH secret creation failed (ComputeAgreedKeyL)"));
		SetErrorStatus( KKmdIkeNegotFailed );
		SendNotifyL(INVALID_KEY_INFORMATION);				
		return EFalse;
	}
	CleanupStack::PushL(agreedKey);  //agreedKey

	// Use prf and agreed DH-key to generate keying material
	HBufC8* prf_data =
    HBufC8::NewLC(((iNONCE_I.Length() + iNONCE_R.Length() + 2*ISAKMP_COOKIE_SIZE) | 0x3) + 1);
	HBufC8* prf_key  =
    HBufC8::NewLC(((iNONCE_I.Length() + iNONCE_R.Length() ) | 0x3) + 1);

    DEBUG_LOG(_L("Agreed Key."));

    switch(iChosenProposal_I.iAttrList->iAuthMethod)
    {
    case RSA_SIG:
    case DSS_SIG:
    case IKE_A_CRACK:       
        //For signatures:
        //SKEYID = prf(Ni_b|Nr_b, g^xy)
        //key
        prf_key->Des().Copy(iNONCE_I);
        prf_key->Des().Append(iNONCE_R);
        ComputePRFL(iSKEYID, prf_key->Des(), agreedKey->Des());
        break;
    case PRE_SHARED:
        {
        //pre-shared keys:
        //SKEYID=prf(pre_shared key, Ni_b | Nr_b);
        //data
        prf_data->Des().Copy(iNONCE_I.Ptr(),iNONCE_I.Length());
        prf_data->Des().Append(iNONCE_R.Ptr(),iNONCE_R.Length());
        DEBUG_LOG(_L("Pre-shared Key"));
#ifdef _UNICODE
        HBufC8 *preshared_key_buf = HBufC8::NewLC(iHostData->iPresharedKey.iKey.Length());
        preshared_key_buf->Des().Copy(iHostData->iPresharedKey.iKey);
        TPtrC8 preshared_key_ptr(preshared_key_buf->Des());
#else
        TPtrC8 preshared_key_ptr(iHostData->iPresharedKey.iKey);
#endif
        ComputePRFL(iSKEYID, preshared_key_ptr, prf_data->Des());
#ifdef _UNICODE
        CleanupStack::PopAndDestroy();  //presharedkey_buf
#endif
        }
        break;
    default://method not implemented
        DEBUG_LOG1(_L("ATTRIBUTES_NOT_SUPPORTED:Auth Method %d not supported "),iChosenProposal_I.iAttrList->iAuthMethod);
        SetErrorStatus( KKmdIkeNegotFailed );
        SendNotifyL(ATTRIBUTES_NOT_SUPPORTED);
        return EFalse;
    }
	
	CleanupStack::PopAndDestroy(2);  //prf_data and prf_key
	prf_data =
	HBufC8::NewLC(((agreedKey->Length() + iSKEYID.Length() + 2*ISAKMP_COOKIE_SIZE + 4) | 0x3) + 1);
	
    prf_data->Des().Copy(agreedKey->Des());
    prf_data->Des().Append(iCookie_I);
    prf_data->Des().Append(iCookie_R);
    prf_data->Des().Append(0);
    ComputePRFL(iSKEYID_d, iSKEYID, prf_data->Des());

    prf_data->Des().Copy(iSKEYID_d);
    prf_data->Des().Append(agreedKey->Des());
    prf_data->Des().Append(iCookie_I);
    prf_data->Des().Append(iCookie_R);
    prf_data->Des().Append(1);
    ComputePRFL(iSKEYID_a, iSKEYID, prf_data->Des());

    prf_data->Des().Copy(iSKEYID_a);
    prf_data->Des().Append(agreedKey->Des());
    prf_data->Des().Append(iCookie_I);
    prf_data->Des().Append(iCookie_R);
    prf_data->Des().Append(2);
    ComputePRFL(iSKEYID_e, iSKEYID, prf_data->Des());

	agreedKey->Des().FillZ();  // Zeroe DH secret g^xy

    //Builds the IV 
    if (!InitIVL())
    {
        DEBUG_LOG(_L("Error Computing IV"));
        return EFalse;
    }
    if (iExchange == ISAKMP_EXCHANGE_AGGR)
    {
        iLastIV.Copy(iIV);      //Saves last IV in Phase 1
        iLastIV.SetLength(iIVSize);   
        DEBUG_LOG(_L("Last IV Saved!"));
    }

    //if key extension required:
    TUint8 *key;
    TInt key_len=0;
    TInt total_key_len = ISAKMPEncrKeyLength((TUint8)iChosenProposal_I.iAttrList->iEncrAlg);
    if (iSKEYID_e.Length() < total_key_len)
    {
        DEBUG_LOG(_L("Extending encrytion key..."));
        key = new (ELeave) TUint8[total_key_len*2];
        CleanupStack::PushL(key);
        key[0] = 0;
        TPtr8 kx0_ptr(key, 1, 1);
        TPtr8 kx1_ptr(key, 0, total_key_len * 2);
        ComputePRFL(kx1_ptr, iSKEYID_e, kx0_ptr); //K1=prf(SKEYID_e,0)
        key_len += kx1_ptr.Length();
        
        while (key_len < total_key_len)
        {
            kx0_ptr.Set(&key[key_len - kx1_ptr.Length()], kx1_ptr.Length(), total_key_len);
            kx1_ptr.Set(&key[key_len], 0, total_key_len);
            ComputePRFL(kx1_ptr, iSKEYID_e, kx0_ptr); //Kx=prf(SKEYID_e,K<x-1>)
            key_len += kx1_ptr.Length();
        }
        iSKEYID_e.Copy(key, total_key_len);
        CleanupStack::PopAndDestroy();  //key
        DEBUG_LOG(_L(" SKEYID_e (EXTENDED)"));
    }
	else
	{
		iSKEYID_e.SetLength(total_key_len);		
		DEBUG_LOG(_L(" SKEYID_e"));
	}
    
    DEBUG_LOG(_L(" Init IV"));

	CleanupStack::PopAndDestroy(2);  //prf_data and agreedKey
	
    return ETrue;
}

//Computes the IPSEC keys needed for each IPSEC SA
//KEYMAT = prf(SKEY_ID, protocol | SPI | Ni_b | Nr_b)
//if PFS:
//KEYMAT = prf(SKEY_ID, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
void CIkev1Negotiation::ComputeKeys2L(const CProposal_II *aProp, TInt aKeyLen, TSPINode &aInboundSpiNode, TDes8& aOutboundKey_II, TDes8& aInboundKey_II)
{
    DEBUG_LOG(_L("Computing PHASE II keys "));
    
    aOutboundKey_II.SetLength(0);
    aInboundKey_II.SetLength(0);
    DEBUG_LOG(_L("Total Computed Key Length="));
    DEBUG_LOG_NUM(aKeyLen);

	HBufC8* agreedKey = NULL; //g(qm)^xy
	TInt  prf_len = iSKEYID_d.Length() + iNONCE_I.Length() + iNONCE_R.Length() + 8; // 8 for protocol and SPI
	
    if (iPFS)
    {
        agreedKey = ComputeAgreedKeyL(iChosenProp_IIList->At(0)->iAttrList->At(0)->iGroupDesc, iPeerPublicKey, iOwnKeys);
		if ( !agreedKey )
			User::Leave(KErrGeneral);
		CleanupStack::PushL(agreedKey);
		prf_len += agreedKey->Length(); 
        DEBUG_LOG(_L(" Agreed Key"));
    }
#ifdef _DEBUG    
	else DEBUG_LOG(_L("(NO PFS)"));
#endif // _DEBUG	

    DEBUG_LOG(_L("Protocol:"));
    DEBUG_LOG_NUM(aProp->iProtocol);
  
    TUint32 in_spi = aInboundSpiNode.iSPI;  //inbound spi in Network Order
    DEBUG_LOG(_L("InSPI:"));
    DEBUG_LOG_NUM(ByteOrder::Swap32(in_spi));
    TUint32 out_spi;
    Mem::Copy((TUint8 *)&out_spi, aProp->iSPI.Ptr(), aProp->iSPI.Length());
    DEBUG_LOG1(_L("OutSPI: %x"), out_spi);
    //Inbound and outbound calculations only differ in the SPI
    //If the key is not long enough we need to extend it
    TPtr8 key_ptr((TUint8 *)aOutboundKey_II.Ptr() + aOutboundKey_II.Length(), 0, aOutboundKey_II.MaxLength());
	
	HBufC8* prf_data = HBufC8::NewLC((prf_len | 0x3) + 1);
	
    while ((aOutboundKey_II.Length() * 8) < aKeyLen)  //include the key extension algorithm
    {
        prf_data->Des().Copy(key_ptr);
        if (agreedKey)//Only used if PFS
        {
            prf_data->Des().Append(agreedKey->Des());
        }
        prf_data->Des().Append(&aProp->iProtocol, sizeof(aProp->iProtocol));
        prf_data->Des().Append(aProp->iSPI.Ptr(),aProp->iSPI.Length());
        prf_data->Des().Append(iNONCE_I);
        prf_data->Des().Append(iNONCE_R);
        key_ptr.Set((TUint8 *)aOutboundKey_II.Ptr() + aOutboundKey_II.Length(), 0, aOutboundKey_II.MaxLength() - aOutboundKey_II.Length());
        ComputePRFL(key_ptr, iSKEYID_d, prf_data->Des());
        aOutboundKey_II.SetLength(aOutboundKey_II.Length() + key_ptr.Length());
    }

    key_ptr.Set((TUint8 *)aInboundKey_II.Ptr() + aInboundKey_II.Length(), 0, aOutboundKey_II.MaxLength());
    while ((aInboundKey_II.Length() * 8) < aKeyLen)  //include the key extension algorithm
    {
        prf_data->Des().Copy(key_ptr);
        if (agreedKey)//Only used if PFS
        {
            prf_data->Des().Append(agreedKey->Des());
        }
        prf_data->Des().Append(&aProp->iProtocol,sizeof(aProp->iProtocol));
        prf_data->Des().Append((TUint8 *)&in_spi, sizeof(TUint32));
        prf_data->Des().Append(iNONCE_I);
        prf_data->Des().Append(iNONCE_R);
        
        key_ptr.Set((TUint8 *)aInboundKey_II.Ptr() + aInboundKey_II.Length(), 0, aInboundKey_II.MaxLength() - aInboundKey_II.Length());
        ComputePRFL(key_ptr, iSKEYID_d, prf_data->Des());
        aInboundKey_II.SetLength(aInboundKey_II.Length() + key_ptr.Length());
    }

	if ( agreedKey )		
	     CleanupStack::PopAndDestroy(2);  //prf_data and agreedKey
	else CleanupStack::PopAndDestroy();   //prf_data
			
}


/* This function is called by oakley module to do pseudo random computation for
   given data */
//IMPORTANT: If some func added or modified check MAX_PRF_LENGTH is correct in ike.h

void CIkev1Negotiation::ComputePRFL(TDes8 &prf_output, const TDesC8 &prf_key, const TDesC8 &prf_data)
{
// All actions taken are moved into the crypto module IKE_CRYPTO.CPP
    
    if ( iChosenProposal_I.iAttrList->iPRF == OAKLEY_PRF_3DES_CBC_MAC)
    {
       DEBUG_LOG(_L("PRF (3DES_CBC_MAC)"));        
       Hmac3DesCbcL(prf_data, prf_output, prf_key);  
    }
    else
    {
      // Use HMAC version of the negotiated hash function as default PRF
        if ( iChosenProposal_I.iAttrList->iHashAlg == HASH_MD5 ) {
           DEBUG_LOG(_L("PRF (MD5)"));           
           MD5HmacL(prf_data, prf_output, prf_key);
        }   
        else {
           if ( iChosenProposal_I.iAttrList->iHashAlg == HASH_SHA1 ) {
              DEBUG_LOG(_L("PRF (SHA1)"));              
              SHA1HmacL(prf_data, prf_output, prf_key);
           }
        }   
    }

}


//NOTE: Must be called after ProcessCertificate() !!!
TBool CIkev1Negotiation::CertifyRemoteIdentityL(const TIdentISAKMP *aIdPayload)
{
  TBool Status = EFalse;
  TInt id_len  = aIdPayload->IDDataLen();

  if ( id_len && iPkiService && iPeerX509Cert )
  {
    TPtrC8 IdData((TUint8 *)aIdPayload->IDData(), id_len);

    // Leave is trapped and handled here because the event log is easily accessible
    // and in the upper layers it would not be possible to identify the
    // cause of the error based on the generic leave code.
    TRAPD(err, Status = IkePkiUtils::CertifyIdentityL(iPeerX509Cert, IdData, (TInt)aIdPayload->GetIDType()));

    if( KErrNotSupported == err )
    {
      LOG_KMD_EVENT( MKmdEventLoggerIf::KLogError,
                     R_VPN_MSG_CERT_ERROR,
                     KErrNotSupported,
                     iPluginSession->VpnIapId(),
                     &iRemoteAddr );
    }

#ifdef _DEBUG    
    if (Status)
        DEBUG_LOG(_L("Remote identity has been certified"));
#endif // _DEBUG    
  }
       
  return Status;
}


//Digests aHash with the key in aCert and compares it to the stored value aSig
//Needs to be check after the Signature payload has been processed
TBool CIkev1Negotiation::VerifySignatureL(CX509Certificate *aCert,TUint8 *aHash, TInt aHashLength,TUint8 *aSig, TUint aSigLength)
{

	TBool ret = EFalse;
	if ( iPkiService )
	{
		TPtrC8 Signature(aSig, aSigLength);
		TPtrC8 RefHash(aHash, aHashLength);	   							   			
	    ret = IkePkiUtils::VerifyIkev1SignatureL(Signature, RefHash, *aCert);
	}   
	
    return ret;


}

//NOTE!!! The func sets iFinished to TRUE always so after detecting an error the communication finishes.
//If it doesn't have to iFinished should be set outside the function.
void CIkev1Negotiation::SendNotifyL(TUint16 aError)
{
	SetFinished();  //Ends the negotiation (error condition detected) If CONNECTED also should end
	
#ifdef _DEBUG	
    TBuf<60> buf;
    DEBUG_LOG(_L("SendNotifyL(), Reason: "));
    buf.Append(TextNotifyType(aError));
    DEBUG_LOG(buf);
#endif // _DEBUG    
    TUint8 protocol = PROTO_ISAKMP;
    TUint8 tmp_exchange = iExchange;
    TUint32 tmp_msg_id = iMessageId;
	TIkev1IsakmpStream* msg = SaveIkeMsgBfr( new (ELeave) TIkev1IsakmpStream(iDebug) );			
    //If configured to send notification payloads for errors
    if (iHostData->iNotify)
    {
        iExchange = ISAKMP_EXCHANGE_INFO;
        iMessageId = RandomMessageId();
        msg->IsakmpInit(this);
		
        //HASH Payload only if payload protected with encyption
        if (iFlags & ISAKMP_HDR_EFLAG)
      		msg->IsakmpHashL();		

        if (iPhase == PHASE_I)
            protocol = iChosenProposal_I.iProtocol;
        else
        {
            if (iChosenProp_IIList) //May be the begining of PHASE_II when still not decided
                protocol = iChosenProp_IIList->At(0)->iProtocol;
        }
        msg->IsakmpNotification(aError, protocol);

        if (iFlags & ISAKMP_HDR_EFLAG)
        {
            msg->IsakmpHashContL();
        }

        iExchange  = tmp_exchange;
        iMessageId = tmp_msg_id;

		SendL(*msg);

  		LOG_KMD_EVENT( MKmdEventLoggerIf::KLogError,
  		               R_VPN_MSG_SENT_ERROR_RESPONSE,
  		               aError,
  		               iPluginSession->VpnIapId(),
  		               &iRemoteAddr );
    }

}


//Hash function key length (in bytes)
TInt CIkev1Negotiation::HashLength()
{
    if (iChosenProposal_I.iAttrList->iPRF == OAKLEY_PRF_3DES_CBC_MAC)
        return 24;
        
    //If no PRF hash alg used instead.
    if (iChosenProposal_I.iAttrList->iPRF==0)
    {
        if (iChosenProposal_I.iAttrList->iHashAlg==HASH_MD5)
            return HMAC_MD5_SIZE/8; //16 bytes
            //return MD5_DIGEST_LENGTH;
        else if (iChosenProposal_I.iAttrList->iHashAlg==HASH_SHA1)
            return HMAC_SHA1_SIZE/8;
            //return SHA_DIGEST_LENGTH;
    }
    
    return 0;
}


//Could be done using directly iEncrAlg from the chosen transform (in bytes)
TUint32 CIkev1Negotiation::ISAKMPEncrKeyLength(TUint8 aAlgId) const
{
    TUint32 KeyLth = 0;
    switch (aAlgId) {
        case DES_CBC:
            KeyLth = 8;
            break;
        case DES3_CBC:
            KeyLth = 24;
            break;
        case AES_CBC:
            if ( iChosenProposal_I.iAttrList->iKeyLength )
                 KeyLth = (TUint32)(iChosenProposal_I.iAttrList->iKeyLength/8);
            else KeyLth = 16;  // default
            break;
        default:
            break;
    }           
        
    return KeyLth;
}

TIkev1IsakmpStream* CIkev1Negotiation::SaveIkeMsgBfr(TIkev1IsakmpStream* aMsg)
{
	delete iSavedIkeMsgBfr;
    iSavedIkeMsgBfr = aMsg;
	return aMsg;
}	

//Returns the key length (in bits) of an algorithm for iAuth (TAttrib_II) field when protocol is AH
TUint32 CIkev1Negotiation::HMAC_KeyLength(TUint8 aId) const
{
    if (aId == SADB_AALG_MD5HMAC)
        return (HMAC_MD5_SIZE);
    else if (aId == SADB_AALG_SHA1HMAC)
        return (HMAC_SHA1_SIZE);

  return (0); // Error 
}

//Exchange Type
TPtrC CIkev1Negotiation::TextNotifyType(TUint16 aNotif)
{
#ifndef _DEBUG
    (void)aNotif;
#endif

#ifdef _DEBUG
    //TBuf<35> err;
    switch(aNotif)
    {
    case INVALID_PAYLOAD_TYPE:
        return _L("INVALID_PAYLOAD_TYPE");
    case DOI_NOT_SUPPORTED:
        return _L("DOI_NOT_SUPPORTED");
    case SITUATION_NOT_SUPPORTED:
        return _L("SITUATION_NOT_SUPPORTED");
    case INVALID_COOKIE:
        return _L("INVALID_COOKIE");
    case INVALID_MAJOR_VERSION:
        return _L("INVALID_MAJOR_VERSION");
    case INVALID_MINOR_VERSION:
        return _L("INVALID_MINOR_VERSION");
    case INVALID_EXCHANGE_TYPE:
        return _L("INVALID_EXCHANGE_TYPE");
    case INVALID_FLAGS:
        return _L("INVALID_FLAGS");
    case INVALID_MESSAGE_ID:
        return _L("INVALID_MESSAGE_ID");
    case INVALID_PROTOCOL_ID:
        return _L("INVALID_PROTOCOL_ID");
    case INVALID_SPI:
        return _L("INVALID_SPI");
    case INVALID_TRANSFORM_ID:
        return _L("INVALID_TRANSFORM_ID");
    case ATTRIBUTES_NOT_SUPPORTED:
        return _L("ATTRIBUTES_NOT_SUPPORTED");
    case NO_PROPOSAL_CHOSEN:
        return _L("NO_PROPOSAL_CHOSEN");
    case BAD_PROPOSAL_SYNTAX:
        return _L("BAD_PROPOSAL_SYNTAX");
    case PAYLOAD_MALFORMED:
        return _L("PAYLOAD_MALFORMED");
    case INVALID_KEY_INFORMATION:
        return _L("INVALID_KEY_INFORMATION");
    case INVALID_ID_INFORMATION:
        return _L("INVALID_ID_INFORMATION");
    case INVALID_CERT_ENCODING:
        return _L("INVALID_CERT_ENCODING");
    case INVALID_CERTIFICATE:
        return _L("INVALID_CERTIFICATE");
    case CERT_TYPE_UNSUPPORTED:
        return _L("CERT_TYPE_UNSUPPORTED");
    case INVALID_CERT_AUTHORITY:
        return _L("INVALID_CERT_AUTHORITY");
    case INVALID_HASH_INFORMATION:
        return _L("INVALID_HASH_INFORMATION");
    case AUTHENTICATION_FAILED:
        return _L("AUTHENTICATION_FAILED");
    case INVALID_SIGNATURE:
        return _L("INVALID_SIGNATURE");
    case ADDRESS_NOTIFICATION:
        return _L("ADDRESS_NOTIFICATION");
    case NOTIFY_SA_LIFETIME:
        return _L("NOTIFY_SA_LIFETIME");
    case CERTIFICATE_UNAVAILABLE:
        return _L("CERTIFICATE_UNAVAILABLE");
    case UNSUPPORTED_EXCHANGE_TYPE:
        return _L("UNSUPPORTED_EXCHANGE_TYPE");
    case UNEQUAL_PAYLOAD_LENGTHS:
        return _L("UNEQUAL_PAYLOAD_LENGTHS");
    case CONNECTED:
        return _L("CONNECTED");
	case DOI_RESPONDER_LIFETIME:
		return _L("RESPONDER_LIFETIME");
	case DOI_REPLAY_STATUS:
		return _L("REPLAY_STATUS");
	case DOI_INITIAL_CONTACT:
		return _L("INITIAL_CONTACT");
    }
    return _L("Unknown ");
#else
    return NULL;
#endif          
}


void CIkev1Negotiation::TextPayload(TDes &aBuf, TUint8 aPayload)
{
#ifndef _DEBUG
    (void)aBuf;
    (void)aPayload;
#endif

#ifdef _DEBUG
    switch(aPayload)
    {
    case ISAKMP_PAYLOAD_NONE:// (Terminator)
        aBuf = _L("ISAKMP_PAYLOAD_NONE");
        break;
    case ISAKMP_PAYLOAD_SA:// Security Association
        aBuf = _L("ISAKMP_PAYLOAD_SA");
        break;
    case ISAKMP_PAYLOAD_P:// Proposal
        aBuf = _L("ISAKMP_PAYLOAD_P");
        break;
    case ISAKMP_PAYLOAD_T:// Transform
        aBuf = _L("ISAKMP_PAYLOAD_T");
        break;
    case ISAKMP_PAYLOAD_KE:// Key Exchange
        aBuf = _L("ISAKMP_PAYLOAD_KE");
        break;
    case ISAKMP_PAYLOAD_ID:// Identification
        aBuf = _L("ISAKMP_PAYLOAD_ID");
        break;
    case ISAKMP_PAYLOAD_CERT:// Certificate
        aBuf = _L("ISAKMP_PAYLOAD_CERT");
        break;
    case ISAKMP_PAYLOAD_CR:// Certificate Request
        aBuf = _L("ISAKMP_PAYLOAD_CR");
        break;
    case ISAKMP_PAYLOAD_HASH:// Hash
        aBuf = _L("ISAKMP_PAYLOAD_HASH");
        break;
    case ISAKMP_PAYLOAD_SIG:// Signature
        aBuf = _L("ISAKMP_PAYLOAD_SIG");
        break;
    case ISAKMP_PAYLOAD_NONCE:// Nonce
        aBuf = _L("ISAKMP_PAYLOAD_NONCE");
        break;
    case ISAKMP_PAYLOAD_NOTIF:// Notification
        aBuf = _L("ISAKMP_PAYLOAD_NOTIF");
        break;
    case ISAKMP_PAYLOAD_D:// Delete
        aBuf = _L("ISAKMP_PAYLOAD_D");
        break;
    case ISAKMP_PAYLOAD_VID:// Vendor ID
        aBuf = _L("ISAKMP_PAYLOAD_VID");
        break;
    case ISAKMP_PAYLOAD_PRIVATE:// Private use (up to 255)
        aBuf = _L("ISAKMP_PAYLOAD_PRIVATE");
        break;
    default:
        aBuf.Format(_L("Unknown (%d) "),aPayload);
    }
#endif                  
}

//Sends the built message through the socket
void CIkev1Negotiation::SendL(TIkev1IsakmpStream &aMsg)
{
    if (aMsg.iError)
    {
        DEBUG_LOG(_L("Error Building message"));
        return;
    }
    TBuf8<IKEV1_MAX_IV_SIZE> tmp_IV;
    
    ThdrISAKMP *hdr = (ThdrISAKMP *)aMsg.iBuf.Ptr();
    hdr->SetLength(aMsg.iBuf.Length());
    DEBUG_LOG(_L("Sending (clear)..."));
    
    TBool FloatedPort = EFalse; 
    if ( iNAT_D_Flags & (REMOTE_END_NAT + LOCAL_END_NAT) )
        FloatedPort = ETrue;
    
#ifdef _DEBUG
    const TPtrC8 ikeMsgPtr( aMsg.iBuf.Ptr(), aMsg.iBuf.Length() );
    TInetAddr localAddr;
    iPluginSession->GetLocalAddress( localAddr );    
    TInt port = ( FloatedPort ? IkeSocket::KIkePort4500 : IkeSocket::KIkePort500 );
    localAddr.SetPort( port );
    TRACE_MSG_IKEV1( ikeMsgPtr, localAddr, iLastRemoteAddr );
#endif // _DEBUG
    
    TPtr8 lastMsg(iLastMsg->Des());   

    if (hdr->GetFlags() & ISAKMP_HDR_EFLAG)
    {
        DEBUG_LOG(_L("Encrypting..."));

        if (hdr->GetExchange()==ISAKMP_EXCHANGE_INFO || hdr->GetExchange()==ISAKMP_EXCHANGE_TRANSACT )
        {
            if ( hdr->GetExchange()==ISAKMP_EXCHANGE_TRANSACT )
            {
               //
               // Get current IV via CTransNegotiation object linked into
               // CIkev1Negotiation  
               //
               if ( !iTransactionNeg ||
                    !iTransactionNeg->GetIV(hdr->GetMessageId(), tmp_IV) )
               {
                   DEBUG_LOG(_L("Send error ! Cannot get Transaction IV !"));
                   return;
               }       
               DEBUG_LOG(_L("Transaction IV"));                     
               EncryptL(aMsg.iBuf, lastMsg, tmp_IV, iSKEYID_e, iChosenProposal_I.iAttrList->iEncrAlg);
               iTransactionNeg->SetIV(hdr->GetMessageId(), tmp_IV);
            }   
            else
            {
               if (iLastIV.Length() != 0)
                    tmp_IV.Copy(iLastIV);
               else    //iLastIV not yet computed so current iIV is used
                    tmp_IV.Copy(iIV);
               ComputeIVL(tmp_IV, hdr->GetMessageId());
               DEBUG_LOG(_L("Notif IV"));
               EncryptL(aMsg.iBuf, lastMsg, tmp_IV, iSKEYID_e, iChosenProposal_I.iAttrList->iEncrAlg);
            }   

        }
        else    //Normal exchange MAIN, AGGR or QUICK
        {
            DEBUG_LOG(_L("IV"));
            EncryptL(aMsg.iBuf, lastMsg, iIV, iSKEYID_e, iChosenProposal_I.iAttrList->iEncrAlg);
            DEBUG_LOG(_L("New IV (dec)"));
            //Saves last iIV in Phase 1
            if (((iStage==6) && (iExchange == ISAKMP_EXCHANGE_ID)) ||
                ((iStage==3) && (iExchange == ISAKMP_EXCHANGE_AGGR)))
            {
                iLastIV.Copy(iIV);  
                DEBUG_LOG(_L("Last IV Saved!"));
            }
        }

        DEBUG_LOG(_L("Sending ..."));
        DEBUG_LOG1(_L("EncrLen = %d"), lastMsg.Length());
    }
    else
        {
        lastMsg.Copy(aMsg.iBuf);
        }

    hdr = (ThdrISAKMP *)lastMsg.Ptr();
    hdr->SetLength(lastMsg.Length());  //Set the total length!!!		

    if (hdr->GetExchange() == ISAKMP_EXCHANGE_INFO)
    {
        SendAndSaveIkeMsgL(lastMsg, iLastRemoteAddr, FloatedPort);   //No timers!
    }
    else    //Normal msg.
    {
        iTimer->Cancel();   //Cancel previous timer because reply received & processed
        DEBUG_LOG(_L("Timer Cancelled!"));
        iRetryNum = 0;
		SendAndSaveIkeMsgL(lastMsg, iLastRemoteAddr, FloatedPort);
        iTimer->IssueRequest(MAX_RETRANS_TIMER * 1000000); // 1000000 = 1 second
    }
    
}


void CIkev1Negotiation::ReSendL()
{
    //Will resend a packet in the interval (MAX_RETRANS_TIMER/2 , MAX_RETRANS_TIMER)
    if ( iRetryNum < MAX_RETRANS_COUNT ) 
    {
        DEBUG_LOG2(_L("---------- Phase %d - Stage %d ----------"),iPhase, iStage - 1);
        DEBUG_LOG1(_L("ReSending(%d)..."), iRetryNum);
		TBool FloatedPort = EFalse;	
		if ( iNAT_D_Flags & (REMOTE_END_NAT + LOCAL_END_NAT) )
			FloatedPort = ETrue;
		TPtr8 lastMsg(iLastMsg->Des());
		iPluginSession->SendIkeMsgL(lastMsg, iLastRemoteAddr, FloatedPort);  
        //next retransmission between MAX_RETRANS_TIMER/2 and MAX_RETRANS_TIMER seconds
        TTime tmp_time;
        TReal secs = 0;
        tmp_time.UniversalTime();
        TInt64 seed = tmp_time.Int64();
        TInt rand = Math::Rand(seed);
        TInt err = Math::Round(secs, rand / (KMaxTInt / MAX_RETRANS_TIMER/2), 0);
        secs = Math::Round(secs, secs + MAX_RETRANS_TIMER/2, 0);
        if ((!secs) || (err != KErrNone))
            secs = MAX_RETRANS_TIMER/2;
        iTimer->IssueRequest((TInt)secs * 1000000);  // 1000000 = 1 second
        iRetryNum++;
    }
    else
    {
		SendDeleteL(PROTO_ISAKMP);
		if ( iPhase == PHASE_I )
		{	
           DEBUG_LOG(_L("Max num retries reached!!!"));
		}		
		else
		{		    
		    DEBUG_LOG(_L("Quick mode failed, Max num retries reached!!!"));
		}
	
		if ( iPhase == PHASE_I &&
		     iPluginSession->FindIkev1SA() == NULL )
		{
            // Set error status in Phase 1, if there are no IKE SAs.
            if ( GetNotifyStatus() )
                 SetErrorStatus(KKmdIkeNoProposalErr);                                           
            else SetErrorStatus(KKmdIkeNoResponseErr);
		}
		
        LOG_KMD_EVENT( MKmdEventLoggerIf::KLogError,
                       R_VPN_MSG_VPN_GW_NO_RESP,
                       ErrorStatus(),
                       iPluginSession->VpnIapId(),
                       &iRemoteAddr );								
        iPluginSession->DeleteNegotiation( this );
    }
}

void CIkev1Negotiation::SendDeleteL(TUint8 aProtocol, TUint32 aIpsecSPI)
{
	TIkev1IsakmpStream* msg = SaveIkeMsgBfr( new (ELeave) TIkev1IsakmpStream(iDebug) );							
	
    TBuf8<MAX_SPI_SIZE> SPI;

    DEBUG_LOG(_L("Sending Delete payload..."));
    
    //Creates a DUMMY negotiation with the info to send the packet
    TUint8 tmp_exchange = iExchange;
    iExchange=ISAKMP_EXCHANGE_INFO; //Set the exchange type as info

    msg->IsakmpInit(this);

    //HASH Payload only if payload protected with encyption
    if (iFlags & ISAKMP_HDR_EFLAG)
	    msg->IsakmpHashL();	

    if (aProtocol == PROTO_ISAKMP)  //ISAKMP SPI are the cookies
    {
        SPI.Copy(iCookie_I);
        SPI.Append(iCookie_R);
    }
    else    //IPSECSPI
    {
        SPI.Copy((TUint8 *)&aIpsecSPI, sizeof(TUint32));
    }
    msg->IsakmpDelete(SPI, aProtocol);

    if (iFlags & ISAKMP_HDR_EFLAG)
    {
        msg->IsakmpHashContL();
    }
    DEBUG_LOG(_L("Sending Delete Payload..."));
	SendL(*msg);

    iExchange = tmp_exchange;
}

void CIkev1Negotiation::CheckSendResponderLifetime(TIkev1IsakmpStream &aMsg)
{
    TInt count = iChosenProp_IIList->Count();
    CProposal_II *prop;
    TChosenAttrib_II *attr_II;
    TSPINode inboundspi_node;
    TInt j;
    for (j = 0 ; j < count; j++)    //Check all the chosen proposals (Probably one)
    {
        prop = iChosenProp_IIList->At(j);
        inboundspi_node = iInboundSPIList->At(j);
        attr_II = (TChosenAttrib_II *)prop->iAttrList->At(0);   //only 1 transform is chosen no matter how many there are

        if ((attr_II->iReducedLifeSecs.Length() != 0) || (attr_II->iReducedLifeKBytes.Length() != 0))   //Any lifetime to update
            aMsg.IsakmpResponderLifetime(prop->iProtocol, inboundspi_node.iSPI, attr_II->iReducedLifeSecs, attr_II->iReducedLifeKBytes);

    }
}


/**--------------------------------------------------------------------
 *
 *  The following methods are used to implement the Dead Peer Detection
 *  protocol defined in <draft-ietf-ipsec-dpd-04.txt>
 *  When timeout expires the R-U-THERE notify message is transmitted
 *  if there has not been any activity during the last timeout
 *
 *--------------------------------------------------------------------*/
void CIkev1Negotiation::DpdNotifyMessageReceivedL(TIkev1SAData* aSa, TUint16 aMsgType, TUint32 aSequence)
{

	if ( aMsgType == DPD_R_U_THERE )
	{
	  //
	  // -- Assure that sequence number in notify data is what expected
	  // -- If ok, transmit a R-U-THERE-ACK
	  //
		DEBUG_LOG(_L("DPD R-U-THERE Notify received"));	  
		if ( (aSa->iExpectedDPDSequence == aSequence) || (aSa->iExpectedDPDSequence == 0) )
		{
			aSa->iExpectedDPDSequence = GetNextSequence(aSequence);
			DEBUG_LOG(_L("Sending DPD R-U-THERE_ACK notify"));
			SendDpdNotifyMessageL(DPD_R_U_THERE_ACK, aSequence);
			iPluginSession->UpdateIkev1SAL(aSa->iSAId, EFalse, aSa);			
		}
#ifdef _DEBUG		
		else DEBUG_LOG(_L("Wrong sequence number in DPD notify message"));
#endif // _DEBUG		
	}
	else if ( aMsgType == DPD_R_U_THERE_ACK )
	{
	  //
	  // -- Assure that sequence number in notify data is corresponds
	  //    current pending sequence
	  //
		DEBUG_LOG(_L("DPD R-U-THERE-ACK Notify received"));
		if ( aSa->iPendingDPDSequence == aSequence )
		{
			aSa->iPendingDPDSequence = 0;
			aSa->iDPDRetry           = 0;
			iPluginSession->UpdateIkev1SAL(aSa->iSAId, EFalse, aSa);
		}
#ifdef _DEBUG		
		else DEBUG_LOG(_L("Wrong sequence number in DPD notify ack message"));
#endif // _DEBUG		
	}	
}

void CIkev1Negotiation::SendKeepAliveMsgL(TIkev1SAData* aSa)
{
	if ( aSa->iDPDRetry > KMaxDpdRetryCount )
	{
		//
		//  DPD Retry count exhausted, current IKE SA in interpreted to
		//  be closed
		//
        LOG_KMD_EVENT( MKmdEventLoggerIf::KLogError,
                       R_VPN_MSG_VPN_GW_NO_RESP,
                       KKmdIkeNoResponseErr,
                       iPluginSession->VpnIapId(),
                       &iRemoteAddr );      	
        
		iPluginSession->DeleteIpsecSAs(aSa->iSAId);		
		iPluginSession->UpdateIkev1SAL(aSa->iSAId, ETrue);
	}
	else
	{
	    //
	    //  Send DPD R-U-THERE notify message 
	    //
		if ( aSa->iPendingDPDSequence == 0 )
		{	
			aSa->iPendingDPDSequence = aSa->iDPDSequence;
			aSa->iDPDSequence = GetNextSequence(aSa->iDPDSequence);			
		}	
		else
		{
		    aSa->iDPDRetry ++;
		}
		DEBUG_LOG(_L("Sending DPD R-U-THERE notify"));		
		SendDpdNotifyMessageL(DPD_R_U_THERE, aSa->iPendingDPDSequence);
	}
	SetFinished();
}

MKmdEventLoggerIf& CIkev1Negotiation::EventLogger()
{
    return iPluginSession->EventLogger();
}

void CIkev1Negotiation::IpsecSaSpiRetrieved(TUint32 aSpiRequestId, 
                                            TInt aStatus, 
                                            TUint32 aSpi) 
{
    DEBUG_LOG3(_L("IPsec SA SPI retrieved, seq=%d, SPI=%d, status=%d"),
            aSpiRequestId, aSpi, aStatus);
    if ( aStatus == KErrNone )
        {
        TRAP( aStatus, ReceiveSPIL( aSpi, aSpiRequestId ) );
        }
    else
        {
        iPluginSession->HandleError( aStatus );
        }
}

TBool CIkev1Negotiation::IsRekeyingIkeSa()
{
    return ( iSARekeyInfo != NULL );
}

void CIkev1Negotiation::PreparePhase2L(const TPfkeyMessage &aReq)
{
    DEBUG_LOG(_L("Prepare for Phase II"));
    GetAcquireDataL(aReq);
    iPhaseIIAfterIkeSaRekey = ETrue;
}

TUint32 CIkev1Negotiation::GetNextSequence(TUint32 aSequence)
{
	aSequence ++;
	if ( aSequence == 0 )
		aSequence = 1;
	return aSequence;
}

void CIkev1Negotiation::SendDpdNotifyMessageL(TUint16 aMsgType, TUint32 aSequence)
{
	iExchange  = ISAKMP_EXCHANGE_INFO;
	iMessageId = RandomMessageId();
	TIkev1IsakmpStream* Msg = SaveIkeMsgBfr( new (ELeave) TIkev1IsakmpStream(iDebug) );
	Msg->IsakmpInit(this);
	Msg->IsakmpHashL();
	TUint32 NotifData = ByteOrder::Swap32(aSequence);
	Msg->IsakmpNotification(aMsgType, PROTO_ISAKMP, (TUint8*)&NotifData, sizeof(NotifData));
	Msg->IsakmpHashContL();
	SendL(*Msg);
}

TInt CIkev1Negotiation::ErrorStatus()
{
    TInt ret( KErrNone );
    if ( iPluginSession )
    {
        ret = iPluginSession->ErrorStatus();
    }
    return ret;
}

void CIkev1Negotiation::SetErrorStatus(TInt aStatus)
{
    SetFinished();
    iPluginSession->SetErrorStatus(aStatus);
}

void CIkev1Negotiation::SendAndSaveIkeMsgL( const TDesC8& aIkeMsg,
                                            TInetAddr& aDestAddr,
                                            TBool aUseNatPort )
{
    iPluginSession->SendIkeMsgL( aIkeMsg, aDestAddr, aUseNatPort );
    SaveLastMsgL();
}


TBool CIkev1Negotiation::IsRetransmit(TLastIKEMsg& aRef)
{       
    TBool isRetransmit(EFalse);
    if (iLastIKEMsgInfo.IsUninitialized())
        {
        TIkev1SAData* ikev1SAData = iPluginSession->FindIkev1SAData(iSAId);
        if (ikev1SAData && ikev1SAData->iLastIKEMsgInfo.IsReTransmit(aRef))
            {
            isRetransmit = ETrue;
            }
        }
    else
        {
        isRetransmit = iLastIKEMsgInfo.IsReTransmit(aRef);
        }
    return isRetransmit;
}

void CIkev1Negotiation::SaveRetransmitInfo(TLastIKEMsg& aRef)
{
    aRef.Store(iLastIKEMsgInfo);
    TIkev1SAData* ikev1SAData = iPluginSession->FindIkev1SAData(iSAId);
    if (ikev1SAData != NULL)
        {
        aRef.Store(ikev1SAData->iLastIKEMsgInfo);
        }
}

void CIkev1Negotiation::SaveLastMsgL()
{
    if ( iLastMsg != NULL )
        {
        TIkev1SAData* ikev1SAData = iPluginSession->FindIkev1SAData(iSAId);
        if ( ikev1SAData != NULL )
            {
            delete ikev1SAData->iLastMsg;
            ikev1SAData->iLastMsg = iLastMsg->AllocL(); 
            }                
        }    
}