IPSEC_SA_BUNDLE0 (Compact 2013)
3/26/2014
This structure is used to store information about an IPSec security association (SA) bundle.
Syntax
typedef struct IPSEC_SA_BUNDLE0_ {
UINT32 flags;
IPSEC_SA_LIFETIME0 lifetime;
UINT32 idleTimeoutSeconds;
UINT32 ndAllowClearTimeoutSeconds;
IPSEC_ID0* ipsecId;
UINT32 napContext;
UINT32 qmSaId;
UINT32 numSAs;
IPSEC_SA0* saList;
IPSEC_KEYMODULE_STATE0* keyModuleState;
FWP_IP_VERSION ipVersion;
union {
UINT32 peerV4PrivateAddress;
; // case(FWP_IP_VERSION_V6)
};
UINT64 mmSaId;
IPSEC_PFS_GROUP pfsGroup;
} IPSEC_SA_BUNDLE0;
Members
- flags
A combination of the values listed in the Remarks section below
- lifetime
Lifetime of all the SAs in the bundle as specified by IPSEC_SA_LIFETIME0.
- idleTimeoutSeconds
Timeout in seconds after which the SAs in the bundle will idle out (due to traffic inactivity) and expire
ndAllowClearTimeoutSeconds
Timeout in seconds, after which the IPsec SA should stop accepting packets coming in the clear.Used for negotiation discovery.
- ipsecId
Pointer to an IPSEC_ID0 structure that contains optional IPsec identity info.
- napContext
Network Access Point (NAP) peer credentials information.
- qmSaId
SA identifier used by IPsec when choosing the SA to expire. For an IPsec SA pair, the qmSaId must be the same between the initiating and responding machines and across inbound and outbound SA bundles. For different IPsec pairs, the qmSaId must be different.
- numSAs
Number of SAs in the bundle. The only possible values are 1 and 2. Use 2 only when specifying AH + ESP SAs.
saList
Array of IPsec SAs in the bundle. For AH + ESP SAs, use index [0] for ESP SA and index [1] for AH SA.See topic IPSEC_SA0 for more information.
- keyModuleState
Optional keying module specific information as specified by IPSEC_KEYMODULE_STATE0.
- ipVersion
IP version as specified by FWP_IP_VERSION.
- peerV4PrivateAddress
Available when ipVersion is FWP_IP_VERSION_V4. If peer is behind a network address translation (NAT) device, this member stores the peer's private address.
- mmSaId
Use this ID to correlate this IPsec SA with the IKE SA that generated it.
pfsGroup
Specifies whether Quick Mode perfect forward secrecy (PFS) was enabled for this SA, and if so, contains the Diffie-Hellman group that was used for PFS.See topic IPSEC_PFS_GROUP for more information.
Remarks
The data type IPSEC_TOKEN_HANDLE is defined in ipsectypes.h as UINT64.
The following is a list of the possible values for the flags data member:
IPSec SA bundle flag |
Meaning |
|---|---|
IPSEC_SA_BUNDLE_FLAG_ND_SECURE |
Negotiation discovery is enabled in secure ring. |
IPSEC_SA_BUNDLE_FLAG_ND_BOUNDARY |
Negotiation discovery in enabled in the untrusted perimeter zone. |
IPSEC_SA_BUNDLE_FLAG_ND_PEER_NAT_BOUNDARY |
Peer is in untrusted perimeter zone ring and a NAT is in the way. Used with negotiation discovery. |
IPSEC_SA_BUNDLE_FLAG_GUARANTEE_ENCRYPTION |
Indicates that this is an encryption SA. |
IPSEC_SA_BUNDLE_FLAG_NLB |
Indicates that this is an SA to an NLB server. |
IPSEC_SA_BUNDLE_FLAG_NO_MACHINE_LUID_VERIFY |
Indicates that this SA should bypass machine LUID verification. |
IPSEC_SA_BUNDLE_FLAG_NO_IMPERSONATION_LUID_VERIFY |
Indicates that this SA should bypass impersonation LUID verification. |
IPSEC_SA_BUNDLE_FLAG_NO_EXPLICIT_CRED_MATCH |
Indicates that this SA should bypass explicit credential handle matching. |
IPSEC_SA_BUNDLE_FLAG_ALLOW_NULL_TARGET_NAME_MATCH |
Allows an SA formed with a peer name to carry traffic that does not have an associated peer target. |
IPSEC_SA_BUNDLE_FLAG_CLEAR_DF_ON_TUNNEL |
Clears the DontFragment bit on the outer IP header of an IPsec-tunneled packet. This flag is applicable only to tunnel mode SAs. |
IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND |
Default encapsulation ports (4500 and 4000) can be used when matching this SA with packets on outbound connections that do not have an associated IPsec-NAT-shim context. |
Requirements
Header |
fwpmu.h |