|
1 /* |
|
2 * Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: |
|
15 * This module contains the private vendor specific extension of IKE. |
|
16 * All of the current private extensions are related to Nokia VPN gateway |
|
17 * and shall be used ONLY when the EPOC IKE is acting as a Nokia VPN remote |
|
18 * access client. |
|
 * The following private extensions are implemented:
|
20 * |
|
21 * 1) Internal Address payload usage |
|
 * The Internal address payload is used to deliver a secure network
 * address and secure network DNS address(es) from the VPN gateway to a client.
|
24 * The Internal address payloads are used in the last two IKE main mode |
|
25 * messages as follows: |
|
26 * |
|
27 * Client (initiator) Gateway (responder) |
|
28 * .. SA, KE ... ---> |
|
29 * <--- ..SA, KE ... |
|
30 * HDR*, INT_ADDR ---> |
|
31 * <--- HDR*, INT_ADDR |
|
32 * |
|
33 * Client sends an INT_ADDR payload with PRI_INTERNAL_ADDRESS attribute |
|
34 * Attribute value is 0.0.0.0. |
|
35 * |
|
36 * Gateway responds with an INT_ADDR payload with PRI_INTERNAL_ADDRESS |
|
37 * attribute containing client internal address x.y.z.w |
|
38 * Gateway INT_ADDR payload may also contain attributes PRI_INTERNAL_DNS and |
|
39 * PRI_INTERNAL_WINS. PRI_INTERNAL_DNS contains a list of DNS IP addresses and |
|
40 * PRI_INTERNAL_WINS a list of WINS IP addresses. |
|
41 * |
|
42 * |
|
43 * 2) The NAT Traversal probing |
|
44 * The expanded Vendor-Id payload usage for the NAT Traversal probing. |
|
 * The expanded Vendor-Id payload contains the following information:
|
46 * |
|
47 * Client (initiator) Gateway (responder) |
|
48 * VID(hash, ip_addr, port) ---> |
|
49 * <--- VID(hash, detected_ip_addr, |
|
50 * detected_port) |
|
51 * |
|
 * Client sends an expanded Vendor-Id payload containing the following information:
|
53 * hash = Nokia VPN vendor specific hash data (used to recognize peer) |
|
54 * ip_addr = Client IKE own IP address |
|
55 * port = Client IKE own port (=500) |
|
56 * |
|
57 * Gateway responds with expanded Vendor-Id payload containing the following information: |
|
58 * hash = Nokia VPN vendor specific hash data (used to recognize peer) |
|
59 * detected_ip_addr = Client IP address as detected in received IKE message |
|
60 * IP header (=source IP address) |
|
61 * detected_port = Client port as detected in received IKE message |
|
62 * UDP header (=source port) |
|
63 * |
|
64 * Both client and gateway do the following examination |
|
 * if ( ip_addr != detected_ip_addr ) || ( port != detected_port )
 * then NAT Traversal shall be used for IPSEC ESP traffic between
 * the client and the gateway.
|
68 * |
|
 * Nokia VPN specific NAT Traversal means that IPSEC ESP traffic shall be
 * encapsulated in a UDP header.
 * The UDP port used for that purpose is 9872.
|
72 */ |
|
73 |
|
74 #ifndef IKEV1PRIVATE_H |
|
75 #define IKEV1PRIVATE_H |
|
76 |
|
77 #include <f32file.h> |
|
78 #include "ikemsgheader.h" |
|
79 |
|
80 |
|
// Forward declarations of the project types named in the prototypes below;
// this header only passes pointers and references to them, so their
// definitions are not needed here.
class TIkev1IsakmpStream;
class CIkeIPSocket;
class CIkeData;
class TVendorISAKMP;
class TINTNETISAKMP;
class CInternalAddress;
class TInetAddr;
|
88 |
|
// Builds the Nokia expanded Vendor-ID payload into *vendor_payload: the
// vendor hash derived from the two ISAKMP cookies and, when aNATProbe is
// set, presumably the NAT-T probe option carrying the local address/port
// taken from aLocalAddr (see the file header). Whether the TInt result is a
// length or an error code is not visible here -- check the definition.
TInt ConstructVendorId(TBool aNATProbe,
                       TUint8 *aICOOKIE,
                       TUint8 *aRCOOKIE,
                       TInetAddr &aLocalAddr,
                       TVendorISAKMP *vendor_payload);
// Writes the vendor-specific hash into hash_data, computed from the
// initiator and responder cookies only.
// NOTE(review): both cookies travel in clear in every ISAKMP header, so a
// matching hash only shows that the peer speaks the Nokia extension; it is
// not an authentication of the peer and must not be treated as one.
TInt BuildVendorIdHash(TUint8 *aICOOKIE,
                       TUint8 *aRCOOKIE,
                       TUint8 *hash_data);
// Parses a received expanded Vendor-ID. *aFamiliarPeer is presumably set
// when the hash matches the one BuildVendorIdHash produces for these
// cookies; the TBool result presumably reports whether NAT was detected
// (the address/port mismatch described in the file header) -- confirm
// against the definition. The payload arrives before main-mode
// authentication completes, so its contents are untrusted input.
TBool ProcessVendorId(TBool *aFamiliarPeer,
                      TUint8 *aICOOKIE,
                      TUint8 *aRCOOKIE,
                      TInetAddr &aLocalAddr,
                      TVendorISAKMP *aVendorPayload);
// Appends the Dead Peer Detection Vendor-ID to the outgoing message /
// recognises it in a received Vendor-ID payload (DPD as in RFC 3706,
// presumably -- the identifier itself is not visible in this header).
void BuildDPDVendorId(TIkev1IsakmpStream &aMsg);
TBool CheckDPDVendorId(const TVendorISAKMP *aVendorPayload);
// Turns a received INT_ADDR payload into a newly allocated CInternalAddress
// owned by the caller; trailing "L" follows the Symbian convention for a
// function that may leave.
// NOTE(review): the client address, DNS and WINS addresses it yields are
// later installed into the device (InsertVPNInterfaceL below), so the
// caller should process this payload only after the responder's main-mode
// HASH has been verified -- confirm in the caller.
CInternalAddress* ProcessIntNetL(TINTNETISAKMP *aIntNetpayload);

// Create / remove the VPN network interface for aInternalAddr using aSocket.
// The interface number is presumably passed back through *aIfNbr; aFS is a
// file server session (RFs, from f32file.h). Both may leave.
TBool InsertVPNInterfaceL(CInternalAddress *aInternalAddr, CIkeIPSocket *aSocket, TUint32 *aIfNbr, RFs *aFS);
TBool RemoveVPNInterfaceL(CInternalAddress *aInternalAddr, CIkeIPSocket *aSocket, TUint32 *aIfNbr, RFs *aFS);
// Adds a route for the aDstAddr/aDstMask network towards the VPN interface
// created for aInternalAddr; the TBool result presumably signals success.
TBool AddVPNRoute(CInternalAddress *aInternalAddr, CIkeIPSocket *aSocket,
                  TInetAddr &aDstAddr, TInetAddr &aDstMask);
// Checks the credentials held in aHostData; the meaning of the TInt result
// is not visible from this header.
TInt CheckCredentials(CIkeData *aHostData);
|
111 /*--------------------------------------------------------------------------- |
|
112 * |
|
113 * Expanded Vendor Id payload option VENDOR_OPTION_NAT_TRAVERSAL handling: |
|
114 * 1 2 3 |
|
115 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 |
|
116 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|
117 * ! sin_lth ! sin_family ! sin_port ! |
|
118 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|
119 * ! sin_addr ! |
|
120 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|
 * !                                                               !
 * .        Zero padding: 8 octets (two 32-bit words), so that the   .
 * !        whole data part is SIN_LTH (16) octets long              !
|
124 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|
125 * |
|
126 * |
|
127 *---------------------------------------------------------------------------*/ |
|
#define SIN_LTH 16 // VENDOR_OPTION_NAT_TRAVERSAL data part length in octets; equals sizeof the TNATTOption union
#define SIN_FAMILY 2 // sin_family value meaning IPv4 (AF_INET); the option has room for a 4-octet address only
|
130 |
|
131 |
|
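/*
 * In-memory image of the VENDOR_OPTION_NAT_TRAVERSAL data part (layout
 * above): one octet length (SIN_LTH), one octet address family
 * (SIN_FAMILY), a 16-bit port and a 32-bit IPv4 address, then zero padding
 * up to SIN_LTH octets. Fields are written and read through the PUT16/PUT32
 * and GET16/GET32 helpers from ikemsgheader.h (presumably network byte
 * order -- confirm there). The union keeps the buffer 32-bit aligned.
 *
 * Security note: the file header shows this option riding in a Vendor-ID
 * payload of the early main-mode exchange, which IKE has not yet
 * authenticated. The peer's "detected" address and port therefore decide
 * only whether ESP is UDP-encapsulated; never use them as evidence of who
 * the peer is. Code that parses a received option should check IsValid()
 * before reading it.
 */
class TNATTOption
{
public:
    // Zeroes the whole option and writes the fixed length and family octets.
    inline void InitOption()
        {
        Mem::FillZ(&u.iData8[0], SIN_LTH);
        u.iData8[0] = SIN_LTH;
        u.iData8[1] = SIN_FAMILY;
        }
    // Stores the 16-bit port in octets 2..3.
    inline void SetPort(TUint16 aPort) { PUT16(&u.iData8[2], aPort); }
    // Stores the 32-bit IPv4 address in octets 4..7.
    inline void SetAddress(TUint32 aAddr) { PUT32(&u.iData8[4], aAddr); }
    // Reads the port back; const so a received option can be inspected
    // through a const reference.
    inline TUint16 GetPort() const { return (TUint16)GET16(&u.iData8[2]); }
    // Reads the IPv4 address back.
    inline TUint32 GetAddress() const { return (TUint32)GET32(&u.iData8[4]); }
    // True when the length and family octets are the ones this code
    // produces; a received option that fails this check must not be
    // interpreted (the layout of any other length/family is unknown).
    inline bool IsValid() const
        {
        return (u.iData8[0] == SIN_LTH) && (u.iData8[1] == SIN_FAMILY);
        }
private:
    union
        {
        TUint32 iData32[4];
        TUint16 iData16[8];
        TUint8 iData8[16];
        } u;
};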
|
149 |
|
150 /*--------------------------------------------------------------------------- |
|
151 * |
|
152 * Expanded Vendor Id payload option VENDOR_OPTION_VERSION handling: |
|
153 * 1 2 3 |
|
154 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 |
|
155 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|
156 * ! MAJOR VERSION ! MINOR VERSION ! |
|
157 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|
158 * |
|
159 *---------------------------------------------------------------------------*/ |
|
#define VERSION_LTH 4 // VENDOR_OPTION_VERSION data part length in octets (two 16-bit fields)
#define MAJOR_VERSION 3 // TODO(review): origin of this value is undocumented -- confirm it is what the Nokia gateway expects
#define MINOR_VERSION 3 // TODO(review): same question as for MAJOR_VERSION
|
163 |
|
/*
 * In-memory image of the VENDOR_OPTION_VERSION data part (layout above):
 * two 16-bit fields, major then minor, VERSION_LTH octets in total. Values
 * are written through PUT16 from ikemsgheader.h (presumably network byte
 * order -- confirm there). Write-only: this header offers no accessor to
 * read a received version option back.
 */
class TVersionOption
{
public:
    // Writes aMajor into octets 0..1 and aMinor into octets 2..3.
    inline void SetVersion(TUint16 aMajor, TUint16 aMinor)
        {
        TUint8* major_slot = &u.iData8[0];
        TUint8* minor_slot = &u.iData8[2];
        PUT16(major_slot, aMajor);
        PUT16(minor_slot, aMinor);
        }
private:
    // Union keeps the 4-octet buffer 32-bit aligned.
    union
        {
        TUint32 iData32[1];
        TUint16 iData16[2];
        TUint8 iData8[4];
        } u;
};
|
178 |
|
179 #endif // IKEV1PRIVATE_H |