#ifndef _VPN_CONTROL_H
#define _VPN_CONTROL_H
+#include "algorithm_types.h"
+#include <net/if.h>
+#if __has_include(<nw/private.h>)
+#include <nw/private.h>
+#else
+#include <network/nat64.h>
+#endif
+
#define VPNCONTROLSOCK_PATH ADMINPORTDIR "/vpncontrol.sock"
#define FROM_LOCAL 0
#define FROM_REMOTE 1
+
extern char *vpncontrolsock_path;
extern uid_t vpncontrolsock_owner;
extern gid_t vpncontrolsock_group;
#define VPNCTL_CMD_UNBIND 0x0002
#define VPNCTL_CMD_REDIRECT 0x0003
#define VPNCTL_CMD_PING 0x0004
+#define VPNCTL_CMD_CONNECT 0x0011
+#define VPNCTL_CMD_DISCONNECT 0x0012
+#define VPNCTL_CMD_START_PH2 0x0013
+#define VPNCTL_CMD_XAUTH_INFO 0x0014
+#define VPNCTL_CMD_START_DPD 0x0015
+#define VPNCTL_CMD_ASSERT 0x0016
+#define VPNCTL_CMD_RECONNECT 0x0017
+#define VPNCTL_CMD_SET_NAT64_PREFIX 0x0018
#define VPNCTL_STATUS_IKE_FAILED 0x8001
#define VPNCTL_STATUS_PH1_START_US 0x8011
#define VPNCTL_STATUS_PH1_START_PEER 0x8012
#define VPNCTL_STATUS_PH1_ESTABLISHED 0x8013
#define VPNCTL_STATUS_PH2_START 0x8021
#define VPNCTL_STATUS_PH2_ESTABLISHED 0x8022
+#define VPNCTL_STATUS_NEED_AUTHINFO 0x8101
+#define VPNCTL_STATUS_NEED_REAUTHINFO 0x8102
+#define VPNCTL_STATUS_PEER_RESP 0x8103
+
+/*
+ * Flags
+ */
+#define VPNCTL_FLAG_MODECFG_USED 0x0001
+#define VPNCTL_FLAG_IKE_VERSION 0x0002
+#define VPNCTL_FLAG_IKEV2 VPNCTL_FLAG_IKE_VERSION
+
+/*
+ * XAUTH Attribute Types
+ */
+#ifndef __IPSEC_BUILD__
+#define XAUTH_TYPE 16520
+#define XAUTH_USER_NAME 16521
+#define XAUTH_USER_PASSWORD 16522
+#define XAUTH_PASSCODE 16523
+#define XAUTH_MESSAGE 16524
+#define XAUTH_CHALLENGE 16525
+#define XAUTH_DOMAIN 16526
+#define XAUTH_STATUS 16527
+#define XAUTH_NEXT_PIN 16528
+#define XAUTH_ANSWER 16529
+
+
+/* Types for XAUTH_TYPE */
+#define XAUTH_TYPE_GENERIC 0
+#define XAUTH_TYPE_CHAP 1
+#define XAUTH_TYPE_OTP 2
+#define XAUTH_TYPE_SKEY 3
+
+/* Mode cfg Attribute types */
+#define INTERNAL_IP4_ADDRESS 1
+#define INTERNAL_IP4_NETMASK 2
+#define INTERNAL_IP4_DNS 3
+#define INTERNAL_IP4_NBNS 4
+#define INTERNAL_ADDRESS_EXPIRY 5
+#define INTERNAL_IP4_DHCP 6
+#define APPLICATION_VERSION 7
+#define INTERNAL_IP6_ADDRESS 8
+#define INTERNAL_IP6_NETMASK 9
+#define INTERNAL_IP6_DNS 10
+#define INTERNAL_IP6_NBNS 11
+#define INTERNAL_IP6_DHCP 12
+#define INTERNAL_IP4_SUBNET 13
+#define SUPPORTED_ATTRIBUTES 14
+#define INTERNAL_IP6_SUBNET 15
+
+#define UNITY_BANNER 28672
+#define UNITY_SAVE_PASSWD 28673
+#define UNITY_DEF_DOMAIN 28674
+#define UNITY_SPLITDNS_NAME 28675
+#define UNITY_SPLIT_INCLUDE 28676
+#define UNITY_NATT_PORT 28677
+#define UNITY_LOCAL_LAN 28678
+#define UNITY_PFS 28679
+#define UNITY_FW_TYPE 28680
+#define UNITY_BACKUP_SERVERS 28681
+#define UNITY_DDNS_HOSTNAME 28682
+
+/* 3.3 Data Attributes
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ !A! Attribute Type ! AF=0 Attribute Length !
+ !F! ! AF=1 Attribute Value !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ . AF=0 Attribute Value .
+ . AF=1 Not Transmitted .
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+struct isakmp_data {
+ u_int16_t type; /* defined by DOI-spec, and Attribute Format */
+ u_int16_t lorv; /* if f equal 1, Attribute Length */
+ /* if f equal 0, Attribute Value */
+ /* if f equal 1, Attribute Value */
+};
+#endif
/* commands and status for vpn control. */
/* network byte order. */
struct vpnctl_cmd_bind {
struct vpnctl_hdr hdr;
u_int32_t address; /* 0xFFFFFFFF = all */
+ u_int16_t vers_len; /* if zero - no version provided */
+ /* name/version string of length vers_len */
};
/* unbind to stop receiving status for specified address */
u_int32_t address; /* 0xFFFFFFFF = all */
};
-/* redirect client to specified address */
-struct vpnctl_cmd_redirect {
+
+/* connect to specified address */
+struct vpnctl_cmd_connect {
+ struct vpnctl_hdr hdr;
+ u_int32_t address;
+};
+
+struct vpnctl_cmd_set_nat64_prefix {
+ struct vpnctl_hdr hdr;
+ nw_nat64_prefix_t nat64_prefix;
+};
+
+struct vpnctl_sa_selector {
+ u_int32_t src_tunnel_address;
+ u_int32_t src_tunnel_mask;
+ u_int32_t dst_tunnel_address;
+ u_int32_t dst_tunnel_mask;
+ u_int16_t src_tunnel_port;
+ u_int16_t dst_tunnel_port;
+ u_int16_t ul_protocol;
+ u_int16_t reserved;
+};
+
+struct vpnctl_algo {
+ u_int16_t algo_class;
+ u_int16_t algo;
+ u_int16_t key_len; /* for enc algorithms only */
+ u_int16_t reserved;
+};
+
+/* start phase 2 */
+struct vpnctl_cmd_start_ph2 {
struct vpnctl_hdr hdr;
u_int32_t address;
+ u_int32_t lifetime; /* seconds */
+ u_int16_t pfs_group; /* defined in algorithm_types.h */
+ u_int16_t selector_count;
+ u_int16_t algo_count;
+ u_int16_t reserved;
+ /* array of struct vpnctl_sa_selector */
+ /* array of struct vpnctl_algo */
+};
+
+/* assert connection (after network change) */
+struct vpnctl_cmd_assert {
+ struct vpnctl_hdr hdr;
+ u_int32_t src_address;
+ u_int32_t dst_address;
+};
+
+/* set xauth info */
+struct vpnctl_cmd_xauth_info {
+ struct vpnctl_hdr hdr;
+ u_int32_t address;
+ /* packed array of variable sized struct isakmp_data */
+};
+
+/* redirect client to specified address */
+struct vpnctl_cmd_redirect {
+ struct vpnctl_hdr hdr;
+ u_int32_t address;
u_int32_t redirect_address;
u_int16_t force;
};
+/* start dpd */
+struct vpnctl_cmd_start_dpd {
+ struct vpnctl_hdr hdr;
+ u_int32_t address;
+};
/*
* IKE Notify codes - mirrors codes in isakmp.h
#define VPNCTL_NTYPE_UNSUPPORTED_EXCHANGE_TYPE 29
#define VPNCTL_NTYPE_UNEQUAL_PAYLOAD_LENGTHS 30
#define VPNCTL_NTYPE_LOAD_BALANCE 40501
+#define VPNCTL_NTYPE_PEER_DEAD 50001 /* detected by DPD */
+#define VPNCTL_NTYPE_PH1_DELETE 50002 /* received a delete payload leaving no PH1 SA for the remote address */
+#define VPNCTL_NTYPE_IDLE_TIMEOUT 50003
+#define VPNCTL_NTYPE_LOCAL_CERT_PREMATURE 50004 /* certificate is premature */
+#define VPNCTL_NTYPE_LOCAL_CERT_EXPIRED 50005 /* certificate has expired */
+#define VPNCTL_NTYPE_PEER_CERT_PREMATURE 50006 /* peer's certificate is premature */
+#define VPNCTL_NTYPE_PEER_CERT_EXPIRED 50007 /* peer's certificate has expired */
+#define VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJNAME 50008 /* peer's certificate has an invalid subjname */
+#define VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJALTNAME 50009 /* peer's certificate has an invalid subjaltname */
#define VPNCTL_NTYPE_INTERNAL_ERROR -1
struct vpnctl_status_phase_change {
struct vpnctl_hdr hdr;
u_int32_t address;
+ /* The following is included when VPNCTL_FLAG_MODECFG_USED flag set */
+ // struct vpnctl_modecfg_params mode_cfg;
+
};
+
+/* packet format for auth needed status */
+struct vpnctl_status_need_authinfo {
+ struct vpnctl_hdr hdr;
+ u_int32_t address;
+ /* packed array of variable sized struct isakmp_data */
+};
+
+
+struct split_address {
+ u_int32_t splitaddr;
+ u_int32_t splitmask;
+};
+
+struct vpnctl_modecfg_params {
+ u_int32_t outer_local_addr;
+ u_int16_t outer_remote_port;
+ u_int16_t outer_local_port;
+ u_int8_t ifname[IFNAMSIZ];
+ /*
+ * ifname for outer_local_addr (not null terminated)
+ * followed by packed array of attributes (struct isakmp_data)
+ */
+};
+
+
/* Packet formats for failed status */
struct vpnctl_status_failed {
struct vpnctl_hdr hdr;
u_int8_t data[0];
};
+struct vpnctl_status_peer_resp {
+ struct vpnctl_hdr hdr;
+ u_int32_t address;
+ u_int16_t ike_code;
+};
#endif /* _VPN_CONTROL_H */
projects / apple / ipsec.git / blobdiff