diff -r 000000000000 -r 33413c0669b9 vpnengine/ikev1lib/inc/ikev1negotiation.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/vpnengine/ikev1lib/inc/ikev1negotiation.h Thu Dec 17 09:14:51 2009 +0200 @@ -0,0 +1,532 @@ +/* +* Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies). +* All rights reserved. +* This component and the accompanying materials are made available +* under the terms of "Eclipse Public License v1.0" +* which accompanies this distribution, and is available +* at the URL "http://www.eclipse.org/legal/epl-v10.html". +* +* Initial Contributors: +* Nokia Corporation - initial contribution. +* +* Contributors: +* +* Description: IKEv1 negotiation. +* +*/ + +#ifndef C_IKEV1NEGOTIATION_H +#define C_IKEV1NEGOTIATION_H + +#include + +#include "ikev1payloads.h" +#include "ikev1extra.h" +#include "ikev1SAdata.h" +#include "ikepolparser.h" +#include "ipsecsaspiretriever.h" + +#define INITIATOR 0 +#define RESPONDER 1 + +#define PHASE_I 1 //Used to identify the PHASE number +#define PHASE_II 2 + +#define OAKLEY_DEFAULT_NONCE_SIZE 128/8 //128 bits = 16 bytes +#define ISAKMP_HEADER_SIZE 28 +#define ISAKMP_HASH_SIZE 24 //Size for 3des_cbc return value +#define MAX_PRF_LENGTH 24 //In bytes corresponds to 3DES_CBC +#define MAX_RETRANS_TIMER 10 //Isakmp packet retransmission timer +#define MAX_RETRANS_COUNT 7 //Maximum retransmission count + +//Vendor ID type codes values +#define HASH_VENDOR_ID 0 //Contains only a vendor specific hash +#define EXPANDED_VENDOR_ID 1 //Contains NAT probing data and a vendor specific hash +#define IETF_NATT_VENDOR_ID 2 //Vendor ID for draft +#define IETF_RFC_NATT_VENDOR_ID 3 + +const TInt KMaxDpdRetryCount( 2 ); + +struct TSPINode +{ + TInt iPropNum; //Proposal # + TUint32 iSeq; //Sequence # in the GETSPI msg + TUint32 iSPI; //Received SPI +}; + +class TPfkeyMessage; +class CIkev1PluginSession; +class CAuthDialogInfo; +class CIkev1Timeout; +class CX509Certificate; +class CIkeKeys; +class CIkeV1PkiService; +class TSAISAKMP; +class TPayloadISAKMP; +class TKeyISAKMP; +class TIdentISAKMP; +class TCertificateISAKMP; +class TSignatureISAKMP; +class THashISAKMP; +class TNotificationISAKMP; +class TVendorISAKMP; +class TINTNETISAKMP; +class TProposalISAKMP; +class CIkev1NatDiscovery; +class CIKECRACKNegotiation; +class CTransNegotiation; +class TIkev1IsakmpStream; +class MIkeDebug; +class MKmdEventLoggerIf; +class CPFKeySocketIf; + +// +// Class CIkev1Negotiation: Contains all the info for each negotiation in progress +// +NONSHARABLE_CLASS(CIkev1Negotiation) : public CBase, + public MIpsecSaSpiRetrieverCallback + { + friend class CIkev1InfoNegotiation; + friend class TIkev1IsakmpStream; + friend class CIKECRACKNegotiation; + friend class CTransNegotiation; + friend class CIkev1Payloads; + +public: + static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession, + CPFKeySocketIf& aPFKeySocketIf, + MIkeDebug& aDebug, + const TInetAddr& aRemote, + const TCookie& aInitiator, + const TCookie& aResponder ); + + static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession, + CPFKeySocketIf& aPFKeySocketIf, + MIkeDebug& aDebug, + const TInetAddr& aRemote, + const TCookie& aInitiator, + TBool aAutoLogin ); + + static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession, + CPFKeySocketIf& aPFKeySocketIf, + MIkeDebug& aDebug, + TIkev1SAData* aIkev1SAdata, + TUint aRole, + const TPfkeyMessage *aReq = NULL ); + + static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession, + CPFKeySocketIf& aPFKeySocketIf, + MIkeDebug& aDebug, + const TInetAddr& aRemote, + TBool aAutoLogin ); + + static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession, + CPFKeySocketIf& aPFKeySocketIf, + MIkeDebug& aDebug, + const TInetAddr& aRemote, + const TPfkeyMessage& aReq ); + + ~CIkev1Negotiation(); + + TBool ExecuteL( const ThdrISAKMP& aHdr, + const TInetAddr& aRemote, + TInt aLocalPort ); + TBool ExecutePhase2L( const ThdrISAKMP& aHdr, + const TInetAddr& aRemote, + TInt aLocalPort ); + TBool ExecuteTransactionL( const ThdrISAKMP &aHdr, + const TInetAddr& aRemote, + TInt aLocalPort ); + void InitNegotiationL(); + void InitPhase2L(); + //used by the timer + void ReSendL(); + + inline TUint32 AcqSeq() {return iAcquireSeq;} + inline TInt GetNotifyStatus() {return iReceivedNotify;} + inline void SetNotifyStatus(TInt aStatus) {if (iReceivedNotify == KErrNone) iReceivedNotify = aStatus;} + inline TBool Autologin() {return iAutoLogin;} + inline TBool Finished() {return iFinished;} + inline void SetFinished() {iFinished = ETrue;} + inline void SetRekeyInfo(CSARekeyInfo* aSARekeyInfo) { iSARekeyInfo = aSARekeyInfo;} + inline TUint32 SAId() {return iSAId;} + TIkev1IsakmpStream* SaveIkeMsgBfr(TIkev1IsakmpStream* aMsg); + void AuthDialogCompletedL(CAuthDialogInfo *aUserInfo); + TInt32 RandomMessageId(); + void SendDeleteL(TUint8 aProtocol, TUint32 aIpsecSPI = 0); //Send a Delete payload for the negotiation + void SendKeepAliveMsgL(TIkev1SAData* aSa); + + TBool IsRekeyingIkeSa(); + void PreparePhase2L(const TPfkeyMessage &aReq); + + MKmdEventLoggerIf& EventLogger(); + +// from base class MIpsecSaSpiRetrieverCallback + + /** + * Notification about completion of IPsec SPI SA retrieve. + * + * @param aSpiRequestId Id of the SPI retrieve request. + * @param aStatus Completion status + * @param aSpi SPI value + */ + void IpsecSaSpiRetrieved(TUint32 aSpiRequestId, + TInt aStatus, + TUint32 aSpi); + +private: + + CIkev1Negotiation( CIkev1PluginSession* aPluginSession, + CPFKeySocketIf& aPFKeySocketIf, + MIkeDebug& aDebug ); + CIkev1Negotiation( CIkev1PluginSession* aPluginSession, + CPFKeySocketIf& aPFKeySocketIf, + MIkeDebug& aDebug, + const TInetAddr& aRemote, + const TCookie& aInitiator ); + CIkev1Negotiation( CIkev1PluginSession* aPluginSession, + CPFKeySocketIf& aPFKeySocketIf, + MIkeDebug& aDebug, + const TInetAddr& aRemote ); + + void ConstructL( TBool aAutoLogin ); + //When receiving an acquire + void ConstructL( const TPfkeyMessage& aReq ); + // To create a negotiation form an existing ISAKMP SA either as negotiator or responder + void ConstructL( TIkev1SAData* aIkev1SAdata, + TUint aRole, + const TPfkeyMessage *aReq = NULL ); + + void GetAcquireDataL(const TPfkeyMessage &aReq); + void CommonConstructL(); + TBool BuildProposals1L(); + TInt BuildProposals2L(); + //Packet processing functions + TBool ProcessHeaderL(const ThdrISAKMP &aHdr); + //received packet processing depending on the stage + TBool ProcessStage1L(const ThdrISAKMP &aHdr); //Checks SA from INITIATOR + TBool ProcessStage2L(const ThdrISAKMP &aHdr); //Checks SA from RESPONDER + TBool ProcessStage3MainL(const ThdrISAKMP &aHdr); //Checks KE,NONCE from INITIATOR + TBool ProcessStage3AggrL(const ThdrISAKMP &aHdr);//Checks ID,AUTH from RESPONDER + TBool ProcessStage4L(const ThdrISAKMP &aHdr); //Checks KE,NONCE from RESPONDER + TBool ProcessStage5L(const ThdrISAKMP &aHdr); //Checks ID,AUTH from INITIATOR + TBool ProcessStage6L(const ThdrISAKMP &aHdr); //Checks ID,AUTH from RESPONDER + TBool ProcessStage7L(const ThdrISAKMP &aHdr); //CRACK authentication going + TBool ProcessStage1Phase2L(const ThdrISAKMP &aHdr);//Checks HASH(1),SA,KE,NONCE,ID from INITIATOR + TBool ProcessStage2Phase2L(const ThdrISAKMP &aHdr);//Checks HASH(2),SA from RESPONDER + TBool ProcessStage3Phase2L(const ThdrISAKMP &aHdr);//Checks HASH(3) from INITIATOR/RESPONDER + TBool ProcessCONNECTEDL(const ThdrISAKMP &aHdr);//Checks HASH(INF, NOTIF) from RESPONDER + TBool ProcessSAL(const TSAISAKMP *aPayload, TUint8 *aRecvProposals); + TBool ProcessProposalsL(const TPayloadISAKMP *aPayload,TUint32 aLengthLeft, TUint8 *aRecvProposals); + TInt ProcessTransformsL(const TPayloadISAKMP *aPayload,TUint32 aLengthLeft); + TInt ProcessTransforms2L(const TPayloadISAKMP *aPayload,CProposal_II *aProp,TUint32 aLengthLeft); + TInt ProcessAttributesL(const TPayloadISAKMP *aPayload,TAttrib *aAttrib); //checks and return the SA attributes + TInt ProcessAttributes2L(const TPayloadISAKMP *aPayload,TAttrib_II *aAttrib,TUint8 aProtocol); //checks and return the SA attributes + TBool ProcessKeyL(const TKeyISAKMP *aKey); //check payload and stores public key value + TBool ProcessNonceL(const TPayloadISAKMP *aPayload); + TBool ProcessStage1_II_IDsL(const TIdentISAKMP *aInit_ID_payload,const TIdentISAKMP *aResp_ID_payload, CProposal_IIList *aRecv_proposals); + TBool ProcessStage2_II_IDsL(const TIdentISAKMP *aInit_ID_payload,const TIdentISAKMP *aResp_ID_payload);//, CProposal_IIList *aRecv_proposals); + TBool CheckIdentL(const TPayloadISAKMP *aPayload); + TBool ProcessCertificateReqL(const TCertificateReqISAKMP *aCertReq); + TBool ProcessCertificateReqArrayL(const CArrayFixFlat *aCRPayloadArray); + TBool ProcessCertificateArrayL(CArrayFixFlat *aCertArray); + TBool ProcessSignatureL(const TSignatureISAKMP *aPayload); + TBool ProcessHashL(const THashISAKMP *aHashPayload); + TBool ProcessHash2L(const ThdrISAKMP &aHdr, const THashISAKMP *aHashPayload, TUint aPadding); + TBool ProcessNotificationL(const TNotificationISAKMP *aNotifPayload); + TBool ProcessResponderLifetimeL(const TNotificationISAKMP *aNotifPayload); + TBool ProcessReplayStatus(const TNotificationISAKMP *aNotifPayload); + TBool ProcessInitialContactL(const TNotificationISAKMP *notif_payload); + void ProcessVendorL(CArrayFixFlat* aVids); + void ProcessIntAddrL(const TINTNETISAKMP *aIntnetPayload); + + TBool Phase_IExchangeL(const ThdrISAKMP &aHdr); + TBool Phase_IIExchangeL(const ThdrISAKMP &aHdr); + void QuickModeReplyL(); + void MainModeReplyL(); + void AggressiveReplyL(); + + //Certificate reading functions + TBool ReadCAsL(CArrayFixFlat *aCAList); + TBool ReadOwnCertL(); + + TCookie CreateCookieL() const; + TBool CheckCookies(const TCookie& aInit, const TCookie& aResp); + TBool CheckPayloadCode(TUint8 aPayload); + TBool CheckVersionL(TUint8 aVersion); + TBool CheckExchangeTypeL(TUint8 aType); + TBool CheckFlagsL(TUint8 aFlags); + TBool CheckMessageIdL(TUint32 aId); + TBool CheckDOI(TUint32 aDOI); + TBool CheckSituationL(TUint32 aSIT); + TBool CheckGenericPayloadL(const TPayloadISAKMP *aPayload); + TBool CheckProtocolL(TUint8 aProtocol); //checks if protocol supported + TBool CheckSPIL(const TProposalISAKMP *aProposal); //checks if the SPI is valid + TBool CheckTransformID(TUint8 aProtocol,TUint8 aID); + + //SA Attributes checking functions + TBool CheckEncrAlg(TUint16 aValue); + TBool CheckHashAlg(TUint16 aValue); + TBool CheckAuthMethod(TUint16 aValue); + TBool CheckGroupDesc(TUint16 aValue); + TBool CheckGroupType(TUint16 aValue); + TBool CheckGroupPrime(const TUint8* aValue, TUint16 length); + TBool CheckGroupGen(const TUint8* aValue, TUint16 length); + TBool CheckGroupCurve(const TUint8* aValue, TUint16 length); + TBool CheckLifeType(TUint16 aValue); + TBool CheckLifeDuration(const TUint8* aValue, TUint16 length); + TBool CheckPRF(TUint16 aValue); + TBool CheckKeyLength(TUint16 aValue,TUint8 aID,TUint8 aProtocol); + TBool CheckFieldSize(TUint16 aValue); + TBool CheckGroupOrder(const TUint8* aValue, TUint16 length); + TBool CheckEncMode(TUint16 aValue); + TBool CheckAuthAlg(TUint16 aValue); + + //Certificate payload checks + TBool CertifyRemoteIdentityL(const TIdentISAKMP *aIdPayload); + TInt CheckEncodingL(TUint8 aEncoding); + + + //Signatures + TBool VerifySignatureL(CX509Certificate *aCert,TUint8 *iHash, TInt aLength,TUint8 *aSig,TUint aSigLength); + + + //Diffie-Hellman Exchange Routines + TBool ComputeDHPublicValueL(); + void ComputeNonceL(); + + //Hash and Signature computation + void ComputeHashrL(TDes8 &aHash); + void ComputeHash1L(TDes8 &aHash); + void ComputeHash2L(TDes8& aHash,TInt aStage,const TUint8 *aHashMsg=NULL,TInt aHashMsgLen=0); + TBool VerifyHash2L(const THashISAKMP *iHash,const TUint8 *aHashMsg=NULL,TInt aHashMsgLen=0); + TBool VerifyInformationalHashL(const THashISAKMP *aHash,const TPayloadISAKMP *aPayload, TUint32 iMessageId); + void ComputeHashInfL(TDes8& aHash,const TUint8 *aHashMsg,TInt aHashMsgLen); + + //Send a Notification packet informing of an error. + void SendNotifyL(TUint16 aError); + + void CheckSendResponderLifetime(TIkev1IsakmpStream &aMsg); + static TPtrC ExchangeType(TUint8 aExchange); + static void TextPayload(TDes &aBuf, TUint8 aPayload); + static TPtrC TextNotifyType(TUint16 aNotif); + + //PFKEY related functions + void AcquireSAErrorResponse(TInt aError); + void GetSPIL(); + void ReceiveSPIL(TUint32 aSPI, TUint32 aSeq); + + void UpdateSADatabaseL(); + + void ComputeLifetimes_II(const TDesC8 &aLifetime, const TDesC8 &aLifesize, TInt64 &aTime, TInt64 &aBytes); + + //CRACK related functions + TBool StartCRACKAuthL(); + + TBool IsakmpPhase1CompletedL(); + + //Socket + void SendL(TIkev1IsakmpStream &aMsg); + + inline TUint Role() {return iRole;} + inline CIkev1PluginSession* PluginSession() {return iPluginSession;} + TInt HashLength(); //Output size for PRF algorithm + + TUint32 ISAKMPEncrKeyLength(TUint8 aAlgId) const; //in bytes + TUint32 HMAC_KeyLength(TUint8 aId) const; + + //builds the correct key using the values in iNegotiation + TBool ComputeKeysL(); + void ComputeKeys2L(const CProposal_II *aProp, TInt aKeyLen, TSPINode &aInboundSpiNode, TDes8& aOutboundKey_II, TDes8& aInboundKey_II); + void ComputePRFL(TDes8 &prf_output, const TDesC8 &prf_key, const TDesC8 &prf_data); + TBool InitIVL(); //Initial IV value + TBool ComputeIVL(TDes8 &aIV, TInt32 aMessageId); //subsequent IV computations + //Encryption routines + void AppendAttributeError(TInt aErr, TDes &aBuf) const; + void SaveISAKMPSAL(); + void CreateChosenProposalL(CProposal_IIList* aPropList, TInt aPropNum, CTransModifierList *aTransArray); + TBool ExamineRemoteIdentity(const TDesC8& aRemoteIdInPolicy); + TBool ProcessIdentityData(const TDesC8& aIdentity, TUint8* aToIdType, TInetAddr* aToIpAddr1, TInetAddr* aToIpAddr2); + + void DpdNotifyMessageReceivedL(TIkev1SAData* aSa, TUint16 aMsgType, TUint32 aSequence); + TUint32 GetNextSequence(TUint32 aSequence); + void SendDpdNotifyMessageL(TUint16 aMsgType, TUint32 aSequence); + + TInt ErrorStatus(); + void SetErrorStatus(TInt aStatus); + + void SendAndSaveIkeMsgL( const TDesC8& aIkeMsg, + TInetAddr& aDestAddr, + TBool aUseNatPort ); + + TBool IsRetransmit(TLastIKEMsg& aRef); + void SaveRetransmitInfo(TLastIKEMsg& aRef); + void SaveLastMsgL(); + +public: + TCookie iCookie_I; // Initiator Cookie (Used with responder to create KEYID) + TCookie iCookie_R; // Responder Cookie + TUint32 iSAId; + TUint32 iMessageId; // Message Id. o during Phase I + CIkev1Negotiation *iNext; // A link field to maintain negotiations. + +private: + //Data relevant to the host + CIkeData *iHostData; + + //Internal Data + TInetAddr iLocalAddr; + TInetAddr iRemoteAddr; // Remote Address (Gateway or end host) + + + TUint iRole; // If we are PHASE I Initiator or Responder + TUint iPhase; // Phase I or II + TUint iStage; // Negotiation Stage + + //Header Data + TUint8 iExchange; // IKE mode in use (Main, agressive,...) + TUint8 iPrevExchange; // Used to process the last msg of Phase I + + TUint8 iFlags; // Own flags to use when sending a msg header + TUint8 iRecvFlags; // Received flags in the last msg header + TBool iCommitBitSet; // If true the Commit bit has been set by this host + TUint32 iNotifyMessageId; // Message Id. for Informational Exchanges + TLastIKEMsg iLastIKEMsgInfo;// Information of the last received IKE message + + //SA Data + TUint8 *iSAPayload; // Initiator SA payload (used in the hash computation). Generic payload NOT included + TInt iSAPayloadSize; + TUint32 iDOI; // Must be IPSEC = 1 + + //Proposal/transform list Phase I and II + TProposal iProposal_I; // Contains proposed SA attrib for Phase I with it's attr list + TProposal iChosenProposal_I; + CProposal_IIList *iProposal_IIList; //Contains the Phase_II Proposal List (PROPOSED) + CProposal_IIList *iChosenProp_IIList; //Contains the Phase_II Proposal List (Received from the remote peer) + + + TInt iProposalNum; //Accepted proposed proposal. Needed to know which are the valid SPIs in the next list + CArrayFixFlat *iInboundSPIList; + + //Keys (DH Generated public value when own) + CIkeKeys *iOwnKeys; //Contains own public and private keys + HBufC8 *iOwnPublicKey; + TPtrC8 iOwnPublicKey_ptr; + TBuf8 iPeerPublicKey; //(gxr) + TBuf8 iSKEYID; //KEY used for encryption/decryption of messages + TBuf8 iSKEYID_d; //KEY used to derive keys for non-ISAKMP SAs + TBuf8 iSKEYID_a; //KEY used for authentication of ISAKMP messages + TBuf8 iSKEYID_e; //KEY used for encryption/decryption of ISAKMP messages + + //IV used by des_cbc and des3_cbc is 8 and for AES 16 + TBuf8 iIV; //normal IV + TBuf8 iLastIV; //Saves the last IV of PHASE_I to compute iNotifIV everytime and the first IV in Quick mode + TInt iIVSize; //Current IV/cipher block size + + //Perfect Forward Secrecy + TBool iPFS; + + //Replay Window Length + //TInt8 iReplayWindowLength; + + //Nonces + TBuf8 iNONCE_I; + TBuf8 iNONCE_R; + + //IDENTITY info + TUint8 *iPeerIdentPayload; //Full Peer ID payload for HASH_I/R computation.Generic payload NOT included + TInt iPeerIdentPayloadSize; + TUint8 *iOwnIdentPayload; //Full own ID payload for HASH_I/R computation.Generic payload NOT included + TInt iOwnIdentPayloadSize; + //TUint8 iIDType; + TUint16 iIDLocalPort; + TUint16 iIDRemotePort; + TUint8 iIDProtocol; + TBool iIDReceived; + + TBool iSwapRemoteIdType; + TBool iDefaultRemoteID; //To avoid updating the Remote ID if a default is being used + TInetAddr iRemoteAddr1_ID_II;// Remote proxy Address, subnet or initial range + TInetAddr iRemoteAddr2_ID_II;// Remote proxy mask or end range + TUint8 iRemoteIDType_II; + TBool iDefaultLocalID; //To avoid updating the Local ID if a default is being used + TInetAddr iLocalAddr1_ID_II; // Local proxy Address, subnet or initial range + TInetAddr iLocalAddr2_ID_II; // Local proxy mask or end range if implemented + TUint8 iLocalIDType_II; + + // + //IETF NAT Traversal information + // + CIkev1NatDiscovery *iNatDiscovery; // IETF NAT traversal control object pointer + TUint32 iNAT_D_Flags; // If not zero, there is NAT between sites + TInetAddr iLastRemoteAddr; // Last detected remote address + TInetAddr iRemoteOriginalAddr; // Private address of the remote end + + // + //NAT Traversal information + // + TBool iFamiliarPeer; // Nokia VPN implementation detected in peer + TBool iNAT_T_Required; // True when NAT detected between local end and peer + + // + // Dead peer detection support + // + TBool iDPDSupported; // Both ends support DPD + + // + //Internal address information received from Nokia VPN gateway + // + CInternalAddress *iInternalAddr; //Internal address and possible DNS addresses + + // + // Certificates + // + TUint8 iEncoding; + CX509Certificate *iPeerX509Cert; //Received X509 certificate (or read in RSA encryption if already stored). + + // + // Trusted CA certificates list + // + HBufC8* iPeerTrustedCA; //Trusted CA (of peer) + HBufC8* iICA1; //Level 1 Intermediate certificate + HBufC8* iICA2; //Level 2 Intermediate certificate + HBufC8* iCA; + HBufC8* iOwnCert; //Certificate in use + + TBool iSendCert; //Tells if is Required to send our cert in next stage (Told in a Cert Req.) + TBool iCertRequested; //Tells whether we've requested a CERT through a CR + + //PFKEY related data + TBool iAcquirePending; //Informs if Acquire is pending + TUint32 iAcquireSeq; //Seq num received in the acquire msg. will be used for UPDATE + TUint32 iSeq; //Current Seq. num will be used in GETSPI + TUint32 iPfkeyAcquirePID; //PID in the acquire msg. will be used in GETSPI + TUint8 iPendingSPI; // Used for GetSPI and Receive in case there are many SPI to request + + //Miscellanious data + HBufC8* iLastMsg; // Last message sent (Used for retransmissions). + CIkev1Timeout *iTimer; // Timer to retry sending a message + TInt iRetryNum; // Number of retry in the current message + TBool iFinished; //Tells if the negotiation is finished to destroy it + TBool iAutoLogin; //If ETrue, Negotiation started by policy activation + TInt iReceivedNotify; //Status value of (the first) received Notify payload + TUint32 iLengthLeft; //Use to check the size of a payload is not bigger than the data left to process + + //References to objects + CIkev1PluginSession* iPluginSession; // IKEv1 plugin session + CIkeV1PkiService* iPkiService; + CIKECRACKNegotiation* iCRACKneg; + CTransNegotiation* iTransactionNeg; + CSARekeyInfo* iSARekeyInfo; + TIkev1IsakmpStream* iSavedIkeMsgBfr; + TBool iVendorIDRfc; + + TBool iPhaseIIAfterIkeSaRekey; // Start PhaseII after IKE SA rekeying + TInt64 iHardLifetime; + + CIpsecSaSpiRetriever* iIpsecSaSpiRetriever; + CPFKeySocketIf& iPFKeySocketIf; + MIkeDebug& iDebug; + }; + +#endif // C_IKEV1NEGOTIATION_H