/* Copyright (c) Microsoft Corporation SYNOPSIS Defines data types used by IPsec. */ import "fwptypes.idl"; import "iketypes.idl"; cpp_quote("#if _MSC_VER >= 800") cpp_quote("#if _MSC_VER >= 1200") cpp_quote("#pragma warning(push)") cpp_quote("#endif") cpp_quote("#pragma warning(disable:4201)") cpp_quote("#endif") typedef struct FWPM_FILTER0_ FWPM_FILTER0; /////////////////////////////////////////////////////////////////////////////// // // Definitions for building IPsec policies. // /////////////////////////////////////////////////////////////////////////////// // Stores the lifetime in seconds/kilobytes/packets for an IPsec SA. typedef struct IPSEC_SA_LIFETIME0_ { UINT32 lifetimeSeconds; UINT32 lifetimeKilobytes; UINT32 lifetimePackets; } IPSEC_SA_LIFETIME0; // Indicates the type of an IPsec SA transform. typedef [v1_enum] enum IPSEC_TRANSFORM_TYPE_ { IPSEC_TRANSFORM_AH=1, IPSEC_TRANSFORM_ESP_AUTH, IPSEC_TRANSFORM_ESP_CIPHER, IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER, IPSEC_TRANSFORM_TYPE_MAX } IPSEC_TRANSFORM_TYPE; // Indicates the type of hash algorithm used in an IPsec SA for data origin // authentication and integrity protection. typedef [v1_enum] enum IPSEC_AUTH_TYPE_ { IPSEC_AUTH_MD5, IPSEC_AUTH_SHA_1, IPSEC_AUTH_MAX } IPSEC_AUTH_TYPE; // Type used to specify additional configuration information for an IPsec SA // hash algorithm. typedef UINT8 IPSEC_AUTH_CONFIG; // Various values allowed for this type. cpp_quote("#define IPSEC_AUTH_CONFIG_HMAC_MD5_96 (0)") cpp_quote("#define IPSEC_AUTH_CONFIG_HMAC_SHA_1_96 (1)") cpp_quote("#define IPSEC_AUTH_CONFIG_MAX (2)") // Type used to uniquely identify the hash algorithm used in an IPsec SA. typedef struct IPSEC_AUTH_TRANSFORM_ID0_ { // The type of the hash algorithm. IPSEC_AUTH_TYPE authType; // Additional configuration information for the hash algorithm. IPSEC_AUTH_CONFIG authConfig; } IPSEC_AUTH_TRANSFORM_ID0; // Type used to store identifier of a pluggable crypto module. typedef GUID IPSEC_CRYPTO_MODULE_ID; // Type used to store hash specific information for an SA transform. typedef struct IPSEC_AUTH_TRANSFORM0_ { // The identifier of the hash algorithm. IPSEC_AUTH_TRANSFORM_ID0 authTransformId; // The idenitifier of the pluggable crypto module that should implement this // hash transform. [unique] IPSEC_CRYPTO_MODULE_ID* cryptoModuleId; } IPSEC_AUTH_TRANSFORM0; // Indicates the type of encryption algorithm used in an IPsec SA for data // privacy. typedef [v1_enum] enum IPSEC_CIPHER_TYPE_ { IPSEC_CIPHER_TYPE_DES=1, IPSEC_CIPHER_TYPE_3DES, IPSEC_CIPHER_TYPE_AES_128, IPSEC_CIPHER_TYPE_AES_192, IPSEC_CIPHER_TYPE_AES_256, IPSEC_CIPHER_TYPE_MAX } IPSEC_CIPHER_TYPE; // Type used to specify additional configuration information for an IPsec SA // encryption algorithm. typedef UINT8 IPSEC_CIPHER_CONFIG; // Various values allowed for this type. cpp_quote("#define IPSEC_CIPHER_CONFIG_CBC_DES (1)") cpp_quote("#define IPSEC_CIPHER_CONFIG_CBC_3DES (2)") cpp_quote("#define IPSEC_CIPHER_CONFIG_CBC_AES_128 (3)") cpp_quote("#define IPSEC_CIPHER_CONFIG_CBC_AES_192 (4)") cpp_quote("#define IPSEC_CIPHER_CONFIG_CBC_AES_256 (5)") cpp_quote("#define IPSEC_CIPHER_CONFIG_MAX (6)") // Type used to uniquely identify the encryption algorithm used in an IPsec SA. typedef struct IPSEC_CIPHER_TRANSFORM_ID0_ { // The type of the encryption algorithm. IPSEC_CIPHER_TYPE cipherType; // Additional configuration information for the encryption algorithm. IPSEC_CIPHER_CONFIG cipherConfig; } IPSEC_CIPHER_TRANSFORM_ID0; // Type used to store encryption specific information for an SA transform. typedef struct IPSEC_CIPHER_TRANSFORM0_ { // The identifier of the encryption algorithm. IPSEC_CIPHER_TRANSFORM_ID0 cipherTransformId; // The idenitifier of the pluggable crypto module that should implement this // encryption transform. [unique] IPSEC_CRYPTO_MODULE_ID* cryptoModuleId; } IPSEC_CIPHER_TRANSFORM0; // Type used to store hash and encryption specific information together for an // SA transform. typedef struct IPSEC_AUTH_AND_CIPHER_TRANSFORM0_ { // Hash specific information IPSEC_AUTH_TRANSFORM0 authTransform; // encryption specific information IPSEC_CIPHER_TRANSFORM0 cipherTransform; } IPSEC_AUTH_AND_CIPHER_TRANSFORM0; // Type used to store an SA transform. typedef struct IPSEC_SA_TRANSFORM0_ { // Type of the transform. IPSEC_TRANSFORM_TYPE ipsecTransformType; // Tagged union containing transform type specific data. [switch_type(IPSEC_TRANSFORM_TYPE), switch_is(ipsecTransformType)] union { [case(IPSEC_TRANSFORM_AH)] [unique] IPSEC_AUTH_TRANSFORM0* ahTransform; [case(IPSEC_TRANSFORM_ESP_AUTH)] [unique] IPSEC_AUTH_TRANSFORM0* espAuthTranform; [case(IPSEC_TRANSFORM_ESP_CIPHER)] [unique] IPSEC_CIPHER_TRANSFORM0* espCipherTransform; [case(IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER)] [unique] IPSEC_AUTH_AND_CIPHER_TRANSFORM0* espAuthAndCipherTransform; }; } IPSEC_SA_TRANSFORM0; // Type that specifies the Diffie Hellman algorithm that should be used for // Quick Mode PFS (Perfect Forward Secrecy). typedef [v1_enum] enum IPSEC_PFS_GROUP_ { // No PFS needed. IPSEC_PFS_NONE = 0, IPSEC_PFS_1, IPSEC_PFS_2, IPSEC_PFS_2048, IPSEC_PFS_ECP_256, IPSEC_PFS_ECP_384, // Use the same diffie hellman as the Main Mode that contains this quick // mode. IPSEC_PFS_MM, IPSEC_PFS_MAX } IPSEC_PFS_GROUP; // Type used to store an IPsec quick mode proposal. The proposal describes the // various parameters of the IPsec SA that is potentially generated from this // proposal. typedef struct IPSEC_PROPOSAL0_ { // Lifetime of the IPsec SA IPSEC_SA_LIFETIME0 lifetime; // Number of IPsec SA transforms UINT32 numSaTransforms; // Array of IPsec SA transforms [size_is(numSaTransforms), ref] IPSEC_SA_TRANSFORM0* saTransforms; // PFS group of the IPsec SA IPSEC_PFS_GROUP pfsGroup; } IPSEC_PROPOSAL0; // Type used to specify the SA idle timeout in IPsec policy. typedef struct IPSEC_SA_IDLE_TIMEOUT0_ { // Timeout in seconds after which the IPsec SAs in the bundle should idle // out. UINT32 idleTimeoutSeconds; // Timeout in seconds after which the IPsec SAs in the bundle should idle // out, if the peer machine supports fail over (NLBS, cluster, etc). UINT32 idleTimeoutSecondsFailOver; } IPSEC_SA_IDLE_TIMEOUT0; ////////// // Flags specifying policy characteristics. ////////// // Do negotiation discovery in secure ring. cpp_quote("#define IPSEC_POLICY_FLAG_ND_SECURE (0x00000002)") // Do negotiation discovery on the perimeter network. cpp_quote("#define IPSEC_POLICY_FLAG_ND_BOUNDARY (0x00000004)") // Clear the "DontFragment" bit on the outer IP header of an IPsec tunneled // packet. Applicable only to tunnel mode policy. cpp_quote("#define IPSEC_POLICY_FLAG_CLEAR_DF_ON_TUNNEL (0x00000008)") // The 2 flags below are used to control the IPsec behavior for assuming default // encapsulation ports {4500, 4500} when matching an SA (negotiated using this // policy) with packets on outbound connections that don't have an associated // IPsec-NAT-shim context. Note that this rule comes into play only when a NAT // is detected. By default, if neither of the 2 flags are specified, IPsec is // most secure and assumes default ports only when local machine is behind NAT // and remote machine is not (which is the most common case). // // If this flag is specified, IPsec assumes default ports when either local // machine or remote machine is behind NAT, but not both. Behavior becomes less // secure but more flexible. cpp_quote("#define IPSEC_POLICY_FLAG_NAT_ENCAP_ALLOW_PEER_BEHIND_NAT (0x00000010)") // If this flag is specified, IPsec assumes default ports when either local // machine or remote machine is behind NAT, or even when both are behind NATs. // Behavior becomes least secure but most flexible. cpp_quote("#define IPSEC_POLICY_FLAG_NAT_ENCAP_ALLOW_GENERAL_NAT_TRAVERSAL (0x00000020)") // If this flag is specified, IKE will not send the ISAKMP attribute for 'seconds' // lifetime during quick mode negotiation. This flag is useful when // interoperating with 3rd party devices that dont support 'seconds' lifetime. cpp_quote("#define IPSEC_POLICY_FLAG_DONT_NEGOTIATE_SECOND_LIFETIME (0x00000040)") // If this flag is specified, IKE will not send the ISAKMP attribute for 'byte' // lifetime during quick mode negotiation. This flag is useful when // interoperating with 3rd party devices that dont support 'byte' lifetime. cpp_quote("#define IPSEC_POLICY_FLAG_DONT_NEGOTIATE_BYTE_LIFETIME (0x00000080)") // Type used to store transport mode quick mode negotiation policy typedef struct IPSEC_TRANSPORT_POLICY0_ { // Number of quick mode proposals in the policy UINT32 numIpsecProposals; // Array of quick mode proposals. [size_is(numIpsecProposals), ref] IPSEC_PROPOSAL0* ipsecProposals; // Flags UINT32 flags; // Timeout in seconds, after which the IPsec SA should stop accepting // packets coming in the clear. Used for negotiation discovery. UINT32 ndAllowClearTimeoutSeconds; // The SA idle timeout IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout; // The Authip extended mode authentication policy [unique] IKEEXT_EM_POLICY0* emPolicy; } IPSEC_TRANSPORT_POLICY0; // Type used to store end points of a tunnel mode SA typedef struct IPSEC_TUNNEL_ENDPOINTS0_ { // IP version of the addresses FWP_IP_VERSION ipVersion; // Tagged union containing the local tunnel end point address. [switch_type(FWP_IP_VERSION), switch_is(ipVersion)] union { [case(FWP_IP_VERSION_V4)] UINT32 localV4Address; [case(FWP_IP_VERSION_V6)] UINT8 localV6Address[16]; }; // Tagged union containing the remote tunnel end point address. [switch_type(FWP_IP_VERSION), switch_is(ipVersion)] union { [case(FWP_IP_VERSION_V4)] UINT32 remoteV4Address; [case(FWP_IP_VERSION_V6)] UINT8 remoteV6Address[16]; }; } IPSEC_TUNNEL_ENDPOINTS0; // Type used to store tunnel mode quick mode negotiation policy typedef struct IPSEC_TUNNEL_POLICY0_ { // Flags UINT32 flags; // Number of quick mode proposals in the policy UINT32 numIpsecProposals; // Array of quick mode proposals. [size_is(numIpsecProposals), ref] IPSEC_PROPOSAL0* ipsecProposals; // Tunnel end points of the IPsec SA generated from this policy. IPSEC_TUNNEL_ENDPOINTS0 tunnelEndpoints; // The SA idle timeout IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout; // The Authip extended mode authentication policy [unique] IKEEXT_EM_POLICY0* emPolicy; } IPSEC_TUNNEL_POLICY0; // Defines an unordered set of keying modules that will be tried for IPsec. typedef struct IPSEC_KEYING_POLICY0_ { // Array of allowed keying modules. UINT32 numKeyMods; [size_is(numKeyMods), ref] GUID* keyModKeys; } IPSEC_KEYING_POLICY0; /////////////////////////////////////////////////////////////////////////////// // // Definitions for retrieving IPsec statistics. // /////////////////////////////////////////////////////////////////////////////// typedef struct IPSEC_AGGREGATE_SA_STATISTICS0_ { UINT32 activeSas; UINT32 pendingSaNegotiations; UINT32 totalSasAdded; UINT32 totalSasDeleted; UINT32 successfulRekeys ; UINT32 activeTunnels; UINT32 offloadedSas; } IPSEC_AGGREGATE_SA_STATISTICS0; typedef struct IPSEC_ESP_DROP_PACKET_STATISTICS0_ { UINT32 invalidSpisOnInbound; UINT32 decryptionFailuresOnInbound; UINT32 authenticationFailuresOnInbound; UINT32 replayCheckFailuresOnInbound; UINT32 saNotInitializedOnInbound; } IPSEC_ESP_DROP_PACKET_STATISTICS0; typedef struct IPSEC_AH_DROP_PACKET_STATISTICS0_ { UINT32 invalidSpisOnInbound; UINT32 authenticationFailuresOnInbound; UINT32 replayCheckFailuresOnInbound; UINT32 saNotInitializedOnInbound; } IPSEC_AH_DROP_PACKET_STATISTICS0; typedef struct IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0_ { UINT32 invalidSpisOnInbound; UINT32 decryptionFailuresOnInbound; UINT32 authenticationFailuresOnInbound; UINT32 udpEspValidationFailuresOnInbound; UINT32 replayCheckFailuresOnInbound; UINT32 invalidClearTextInbound; UINT32 saNotInitializedOnInbound; UINT32 receiveOverIncorrectSaInbound; UINT32 secureReceivesNotMatchingFilters; }IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0; typedef struct IPSEC_TRAFFIC_STATISTICS0_ { UINT64 encryptedByteCount; UINT64 authenticatedAHByteCount; UINT64 authenticatedESPByteCount; UINT64 transportByteCount; UINT64 tunnelByteCount; UINT64 offloadByteCount; } IPSEC_TRAFFIC_STATISTICS0; typedef struct IPSEC_STATISTICS0_ { IPSEC_AGGREGATE_SA_STATISTICS0 aggregateSaStatistics; IPSEC_ESP_DROP_PACKET_STATISTICS0 espDropPacketStatistics; IPSEC_AH_DROP_PACKET_STATISTICS0 ahDropPacketStatistics; IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0 aggregateDropPacketStatistics; IPSEC_TRAFFIC_STATISTICS0 inboundTrafficStatistics; IPSEC_TRAFFIC_STATISTICS0 outboundTrafficStatistics; } IPSEC_STATISTICS0; /////////////////////////////////////////////////////////////////////////////// // // Definitions for building IPsec SA bundles. // /////////////////////////////////////////////////////////////////////////////// // Type used to store the SPI for an IPsec SA. typedef UINT32 IPSEC_SA_SPI; // Type used to store hash specific information for an IPsec SA. typedef struct IPSEC_SA_AUTH_INFORMATION0_ { // Hash algorithm specific details IPSEC_AUTH_TRANSFORM0 authTransform; // Key used for the hash algorithm. FWP_BYTE_BLOB authKey; } IPSEC_SA_AUTH_INFORMATION0; // Type used to store encryption specific information for an IPsec SA. typedef struct IPSEC_SA_CIPHER_INFORMATION0_ { // Encryption algorithm specific details IPSEC_CIPHER_TRANSFORM0 cipherTransform; // Key used for the encryption algorithm. FWP_BYTE_BLOB cipherKey; } IPSEC_SA_CIPHER_INFORMATION0; // Type used to store hash and encryption specific information for an IPsec SA. typedef struct IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0_ { // Encryption specific information IPSEC_SA_CIPHER_INFORMATION0 saCipherInformation; // Hash specific information IPSEC_SA_AUTH_INFORMATION0 saAuthInformation; } IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0; // Type to store information about an IPsec SA typedef struct IPSEC_SA0_ { // SPI of the SA IPSEC_SA_SPI spi; // Transform type of the SA IPSEC_TRANSFORM_TYPE saTransformType; // Tagged union containing information about the SA transform. [switch_type(IPSEC_TRANSFORM_TYPE), switch_is(saTransformType)] union { [case(IPSEC_TRANSFORM_AH)] [unique] IPSEC_SA_AUTH_INFORMATION0* ahInformation; [case(IPSEC_TRANSFORM_ESP_AUTH)] [unique] IPSEC_SA_AUTH_INFORMATION0* espAuthInformation; [case(IPSEC_TRANSFORM_ESP_CIPHER)] [unique] IPSEC_SA_CIPHER_INFORMATION0* espCipherInformation; [case(IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER)] [unique] IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0* espAuthAndCipherInformation; }; } IPSEC_SA0; // Type used to store keying module specific information in the SA. typedef struct IPSEC_KEYMODULE_STATE0_ { // The identifier of the keying module. GUID keyModuleKey; // A byte blob containing opaques keying module specific information. FWP_BYTE_BLOB stateBlob; } IPSEC_KEYMODULE_STATE0; ////////// // Flags specifying IPsec SA characteristics. ////////// // Negotiation discovery is enabled in secure ring. cpp_quote("#define IPSEC_SA_BUNDLE_FLAG_ND_SECURE (0x00000001)") // Negotiation discovery is enabled on the perimeter network. cpp_quote("#define IPSEC_SA_BUNDLE_FLAG_ND_BOUNDARY (0x00000002)") // Peer is on a perimeter network and a NAT is in the way. Used with // negotiation discovery. cpp_quote("#define IPSEC_SA_BUNDLE_FLAG_ND_PEER_NAT_BOUNDARY (0x00000004)") // Is a guarantee encryption SA cpp_quote("#define IPSEC_SA_BUNDLE_FLAG_GUARANTEE_ENCRYPTION (0x00000008)") // Is SA to NLB server cpp_quote("#define IPSEC_SA_BUNDLE_FLAG_NLB (0x00000010)") // Should SA bypass machine luid verification cpp_quote("#define IPSEC_SA_BUNDLE_FLAG_NO_MACHINE_LUID_VERIFY (0x00000020)") // Should SA bypass impersonation luid verification cpp_quote("#define IPSEC_SA_BUNDLE_FLAG_NO_IMPERSONATION_LUID_VERIFY (0x00000040)") // Should SA bypass explicit credential handle match cpp_quote("#define IPSEC_SA_BUNDLE_FLAG_NO_EXPLICIT_CRED_MATCH (0x00000080)") // Let SA formed with peer name carry traffic that doesn't have a // peer target associated with it cpp_quote("#define IPSEC_SA_BUNDLE_FLAG_ALLOW_NULL_TARGET_NAME_MATCH (0x00000200)") // Clear the "DontFragment" bit on the outer IP header of an IPsec tunneled // packet. Applicable only to tunnel mode SAs. cpp_quote("#define IPSEC_SA_BUNDLE_FLAG_CLEAR_DF_ON_TUNNEL (0x00000400)") // Specifies if it is ok to assume default encapsulation ports {4500, 4500} when // matching this SA with packets on outbound connections that don't have an // associated IPsec-NAT-shim context. cpp_quote("#define IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND (0x00000800)") // Type used to store handle to an access token. typedef UINT64 IPSEC_TOKEN_HANDLE; typedef [v1_enum] enum IPSEC_TOKEN_TYPE_ { IPSEC_TOKEN_TYPE_MACHINE, IPSEC_TOKEN_TYPE_IMPERSONATION, IPSEC_TOKEN_TYPE_MAX } IPSEC_TOKEN_TYPE; typedef [v1_enum] enum IPSEC_TOKEN_PRINCIPAL_ { IPSEC_TOKEN_PRINCIPAL_LOCAL, IPSEC_TOKEN_PRINCIPAL_PEER, IPSEC_TOKEN_PRINCIPAL_MAX } IPSEC_TOKEN_PRINCIPAL; typedef [v1_enum] enum IPSEC_TOKEN_MODE_ { IPSEC_TOKEN_MODE_MAIN, IPSEC_TOKEN_MODE_EXTENDED, IPSEC_TOKEN_MODE_MAX } IPSEC_TOKEN_MODE; // Type containing various pieces of IPsec-specific information for an access // token typedef struct IPSEC_TOKEN0_ { // Type of the token IPSEC_TOKEN_TYPE type; // Token principal IPSEC_TOKEN_PRINCIPAL principal; // Mode in which token was obtained IPSEC_TOKEN_MODE mode; // This can be the handle to an access token or the // TOKEN_STATISTICS.ModifiedId of an access token depending on the context // in which this type is being used. IPSEC_TOKEN_HANDLE token; } IPSEC_TOKEN0; // Type containing various pieces of information corresponding to identities // that are authenticated by IPsec. typedef struct IPSEC_ID0_ { // Optional Main Mode target SPN [string, unique] wchar_t* mmTargetName; // Optional Extended Mode target SPN [string, unique] wchar_t* emTargetName; // Optional array of IPsec tokens UINT32 numTokens; [size_is(numTokens), unique] IPSEC_TOKEN0* tokens; // Optional handle to explicit credentials UINT64 explicitCredentials; // Optional handle to logon Id UINT64 logonId; } IPSEC_ID0; // Type used to store information about an IPsec SA bundle. typedef struct IPSEC_SA_BUNDLE0_ { // Flags UINT32 flags; // Lifetime of all the SAs in the bundle. If any lifetime value (seconds, // kilobytes, or packets) is specifed as 0, then the corresponding lifetime // check will be disabled. Security note: specifying 0 for lifetimePackets // has the adverse side-effect of also disabling IPsec replay checks for the // SA bundle. IPSEC_SA_LIFETIME0 lifetime; // Timeout in seconds after which the SAs in the bundle will idle out. // Specifying 0 will disable idle timeout of the SA bundle. UINT32 idleTimeoutSeconds; // Timeout in seconds, after which the IPsec SA should stop accepting // packets coming in the clear. Used for negotiation discovery. UINT32 ndAllowClearTimeoutSeconds; // Optional IPsec identity info. Note in this context, if present, the // ipsecId->tokens[i].token will be the handle to an access token. // Also note: the targetNames in the ipsecId should only be trusted on the // MM/EM initiator. On responder, they are used for SA lookups // only, but have no associated identity guarantee [unique] IPSEC_ID0* ipsecId; // NAP peer credentials info UINT32 napContext; // In scenarios where multiple simultaneous SA bundles are established for // the same traffic, the qmSaId is used by IPSec for choosing the SA to // expire. Note that for an IPsec SA pair, the qmSaId must be the same // between initiator & responder machines and across inbound & outbound SA // bundles, and for different IPsec SA pairs the qmSaIds must be different. UINT32 qmSaId; // Number of SAs in the bundle. UINT32 numSAs; // Array of IPSec SAs in the bundle. [size_is(numSAs), ref] IPSEC_SA0* saList; // Optional keying module specific information [unique] IPSEC_KEYMODULE_STATE0* keyModuleState; // IP version FWP_IP_VERSION ipVersion; // If IP version is V4, and peer is behind a NAT, this stores the the peer // private address [switch_type(FWP_IP_VERSION), switch_is(ipVersion)] union { [case(FWP_IP_VERSION_V4)] UINT32 peerV4PrivateAddress; [case(FWP_IP_VERSION_V6)]; }; // LUID of the MM SA used to generate this QM SA. UINT64 mmSaId; // Specifies whether Quick Mode PFS (Pefect Forward Secrecy) was enabled for // this SA, and if so, contains the Diffie Hellman group that was used for // PFS. IPSEC_PFS_GROUP pfsGroup; } IPSEC_SA_BUNDLE0; /////////////////////////////////////////////////////////////////////////////// // // Definitions for describing IPsec traffic. // /////////////////////////////////////////////////////////////////////////////// // Type of IPsec traffic being described. typedef [v1_enum] enum IPSEC_TRAFFIC_TYPE_ { IPSEC_TRAFFIC_TYPE_TRANSPORT, IPSEC_TRAFFIC_TYPE_TUNNEL, IPSEC_TRAFFIC_TYPE_MAX } IPSEC_TRAFFIC_TYPE; // Type containing parameters used to describe IPsec traffic typedef struct IPSEC_TRAFFIC0_ { // IP version FWP_IP_VERSION ipVersion; // Tagged union containing the local address of the IPsec traffic [switch_type(FWP_IP_VERSION), switch_is(ipVersion)] union { [case(FWP_IP_VERSION_V4)] UINT32 localV4Address; [case(FWP_IP_VERSION_V6)] UINT8 localV6Address[16]; }; // Tagged union containing the remote address of the IPsec traffic [switch_type(FWP_IP_VERSION), switch_is(ipVersion)] union { [case(FWP_IP_VERSION_V4)] UINT32 remoteV4Address; [case(FWP_IP_VERSION_V6)] UINT8 remoteV6Address[16]; }; // type of traffic being described IPSEC_TRAFFIC_TYPE trafficType; // If traffic type is transport mode, this is the LUID of the FWPS transport // layer filter corresponding to this traffic. If traffic type is tunnel // mode, this is the LUID of the associated QM policy. [switch_type(IPSEC_TRAFFIC_TYPE), switch_is(trafficType)] union { [case (IPSEC_TRAFFIC_TYPE_TRANSPORT)] UINT64 ipsecFilterId; [case (IPSEC_TRAFFIC_TYPE_TUNNEL)] UINT64 tunnelPolicyId; }; // The remote TCP/UDP port for this traffic. This is normally only specified // in specific scenarios where the remote port condition in the transport // layer filter is more generic than the actual remote port. UINT16 remotePort; } IPSEC_TRAFFIC0; // Type used to store the UDP encapsulation ports, if UDP-ESP encapsulation is // taking place. typedef struct IPSEC_V4_UDP_ENCAPSULATION0_ { // Local UDP encapsulation port UINT16 localUdpEncapPort; // Remote UDP encapsulation port UINT16 remoteUdpEncapPort; } IPSEC_V4_UDP_ENCAPSULATION0; /////////////////////////////////////////////////////////////////////////////// // // Definitions for managing IPsec SAs. // /////////////////////////////////////////////////////////////////////////////// // Information that must be supplied when requesting a SPI from the IPsec // driver. typedef struct IPSEC_GETSPI0_ { // Traffic description corresponding to the inbound SA. IPSEC_TRAFFIC0 inboundIpsecTraffic; FWP_IP_VERSION ipVersion; // For IPv4 this specifies the NATT UDP encapsulation ports. [switch_type(FWP_IP_VERSION), switch_is(ipVersion)] union { [case(FWP_IP_VERSION_V4)] [unique] IPSEC_V4_UDP_ENCAPSULATION0* inboundUdpEncapsulation; [case(FWP_IP_VERSION_V6)]; }; // Not used currently. [unique] IPSEC_CRYPTO_MODULE_ID* rngCryptoModuleID; } IPSEC_GETSPI0; // Public state associated with an IPsec security association. typedef struct IPSEC_SA_DETAILS0_ { // IP version FWP_IP_VERSION ipVersion; // Indicates direction of the Ipsec SA FWP_DIRECTION saDirection; // The traffic being secured by this IPsec SA IPSEC_TRAFFIC0 traffic; // various parameters of the SA. IPSEC_SA_BUNDLE0 saBundle; // If UDP-ESP encapsulation is enabled on the SA, this stores the UDP // encapsulation ports. [switch_type(FWP_IP_VERSION), switch_is(ipVersion)] union { [case(FWP_IP_VERSION_V4)] [unique] IPSEC_V4_UDP_ENCAPSULATION0* udpEncapsulation; [case(FWP_IP_VERSION_V6)]; }; // The transport layer filter corresponding to this IPsec SA. [ref] FWPM_FILTER0* transportFilter; } IPSEC_SA_DETAILS0; // Encapsulates an inbound/outbound SA pair. typedef struct IPSEC_SA_CONTEXT0_ { // LUID identifying the SA context. UINT64 saContextId; // Inbound SA -- may be NULL. [unique] IPSEC_SA_DETAILS0* inboundSa; // Outbound SA -- may be NULL. [unique] IPSEC_SA_DETAILS0* outboundSa; } IPSEC_SA_CONTEXT0; // Template used for enumerating IPsec SA contexts typedef struct IPSEC_SA_CONTEXT_ENUM_TEMPLATE0_ { // If not empty, only SA contexts containing an SA whose local address is on // the specified subnet will be returned. May be of type FWP_UINT32, // FWP_BYTE_ARRAY16_TYPE, FWP_V4_ADDR_MASK, or FWP_V6_ADDR_MASK. FWP_CONDITION_VALUE0 localSubNet; // If not empty, only SA contexts containing an SA whose remote address is // on the specified subnet will be returned. May be of type FWP_UINT32, // FWP_BYTE_ARRAY16_TYPE, FWP_V4_ADDR_MASK, or FWP_V6_ADDR_MASK. FWP_CONDITION_VALUE0 remoteSubNet; } IPSEC_SA_CONTEXT_ENUM_TEMPLATE0; // Template used for enumerating IPsec SAs typedef struct IPSEC_SA_ENUM_TEMPLATE0_ { // Direction of the SA FWP_DIRECTION saDirection; } IPSEC_SA_ENUM_TEMPLATE0; // Type used for indicating where an IPsec failure occured typedef [v1_enum] enum IPSEC_FAILURE_POINT_ { // No information available. IPSEC_FAILURE_NONE, // IPsec failure happened on local machine. IPSEC_FAILURE_ME, // IPsec failure happened on remote machine. IPSEC_FAILURE_PEER, // Invalid value, used for parameter validation. IPSEC_FAILURE_POINT_MAX } IPSEC_FAILURE_POINT; cpp_quote("#if _MSC_VER >= 800") cpp_quote("#if _MSC_VER >= 1200") cpp_quote("#pragma warning(pop)") cpp_quote("#else") cpp_quote("#pragma warning(default:4201)") cpp_quote("#endif") cpp_quote("#endif")