/*
 * fiked - a fake IKE PSK+XAUTH daemon based on vpnc
 * Copyright (C) 2005, Daniel Roethlisberger <daniel@roe.ch>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/
 *
 * $Id: isakmp.h 62 2005-10-31 00:42:54Z roe $
 * $VPNC: isakmp.h 61 2005-09-20 11:30:30Z massar $
 */

/* ISAKMP constants.
   Copyright (C) 2002 Geoffrey Keating

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

/*
 * Wire-format constants for ISAKMP / IKEv1 (RFC 2408, RFC 2409), the
 * IPsec DOI (RFC 2407) and the XAUTH / Mode-Config / NAT-T drafts that
 * vpnc-derived code speaks.  Every enumerator value below is a number
 * that appears on the wire; changing one changes what the daemon
 * accepts or emits.
 *
 * NOTE(review): the include guard name is in the namespace reserved for
 * the implementation (leading double underscore, C11 7.1.3).  It is kept
 * here because other files may test it; a project-prefixed guard such as
 * FIKED_ISAKMP_H would be the conforming choice if nothing depends on it.
 */
#ifndef __ISAKMP_H__
#define __ISAKMP_H__

/* Flag bits for header.
 * One-octet flags field at ISAKMP_FLAGS_O:
 *   E - Encryption bit: the payloads after the header are encrypted.
 *   C - Commit bit.
 *   A - Authentication-only bit.
 */
#define ISAKMP_FLAG_E 0x1
#define ISAKMP_FLAG_C 0x2
#define ISAKMP_FLAG_A 0x4

/* Payload types (next-payload octet of the header and of each payload). */
enum isakmp_payload_enum {
	ISAKMP_PAYLOAD_NONE = 0,
	ISAKMP_PAYLOAD_SA,
	ISAKMP_PAYLOAD_P,
	ISAKMP_PAYLOAD_T,
	ISAKMP_PAYLOAD_KE,
	ISAKMP_PAYLOAD_ID,
	ISAKMP_PAYLOAD_CERT,
	ISAKMP_PAYLOAD_CR,
	ISAKMP_PAYLOAD_HASH,
	ISAKMP_PAYLOAD_SIG,
	ISAKMP_PAYLOAD_NONCE,
	ISAKMP_PAYLOAD_N,
	ISAKMP_PAYLOAD_D,
	ISAKMP_PAYLOAD_VID,
	ISAKMP_PAYLOAD_MODECFG_ATTR,
	/* NAT-T payload numbers as used by the later NAT-T drafts.
	 * NOTE(review): RFC 3947 assigns 20/21 for NAT-D/NAT-OA; a peer
	 * that follows the RFC will not match these values - confirm
	 * against the peers this daemon is expected to talk to. */
	ISAKMP_PAYLOAD_NAT_D,
	ISAKMP_PAYLOAD_NAT_OA,
	/* Private-use payload number for NAT-D from the early NAT-T
	 * drafts (see NATT_VENDOR_ID below). */
	ISAKMP_PAYLOAD_NAT_D_OLD = 0x82
};

/* Exchange types (exchange-type octet at ISAKMP_EXCHANGE_TYPE_O). */
enum isakmp_exchange_enum {
	ISAKMP_EXCHANGE_NONE = 0,
	ISAKMP_EXCHANGE_BASE,
	ISAKMP_EXCHANGE_IDENTITY,
	ISAKMP_EXCHANGE_AUTH_ONLY,
	ISAKMP_EXCHANGE_AGGRESSIVE,
	ISAKMP_EXCHANGE_INFORMATIONAL,
	ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
	/* DOI-specific exchanges start at 32. */
	ISAKMP_EXCHANGE_IKE_QUICK = 32,
	ISAKMP_EXCHANGE_IKE_NEW_GROUP
};

/* DOI types (Domain of Interpretation field of the SA payload). */
enum isakmp_doi_enum {
	ISAKMP_DOI_GENERIC = 0,
	ISAKMP_DOI_IPSEC
};

/* Notify message types.
 * 1..30 are error types; 16384 and up are status types.  The Cisco
 * values sit in the private-use status range. */
enum isakmp_notify_enum {
	ISAKMP_N_INVALID_PAYLOAD_TYPE = 1,
	ISAKMP_N_DOI_NOT_SUPPORTED,
	ISAKMP_N_SITUATION_NOT_SUPPORTED,
	ISAKMP_N_INVALID_COOKIE,
	ISAKMP_N_INVALID_MAJOR_VERSION,
	ISAKMP_N_INVALID_MINOR_VERSION,
	ISAKMP_N_INVALID_EXCHANGE_TYPE,
	ISAKMP_N_INVALID_FLAGS,
	ISAKMP_N_INVALID_MESSAGE_ID,
	ISAKMP_N_INVALID_PROTOCOL_ID,
	ISAKMP_N_INVALID_SPI,
	ISAKMP_N_INVALID_TRANSFORM_ID,
	ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED,
	ISAKMP_N_NO_PROPOSAL_CHOSEN,
	ISAKMP_N_BAD_PROPOSAL_SYNTAX,
	ISAKMP_N_PAYLOAD_MALFORMED,
	ISAKMP_N_INVALID_KEY_INFORMATION,
	ISAKMP_N_INVALID_ID_INFORMATION,
	ISAKMP_N_INVALID_CERT_ENCODING,
	ISAKMP_N_INVALID_CERTIFICATE,
	ISAKMP_N_CERT_TYPE_UNSUPPORTED,
	ISAKMP_N_INVALID_CERT_AUTHORITY,
	ISAKMP_N_INVALID_HASH_INFORMATION,
	ISAKMP_N_AUTHENTICATION_FAILED,
	ISAKMP_N_INVALID_SIGNATURE,
	ISAKMP_N_ADDRESS_NOTIFICATION,
	ISAKMP_N_NOTIFY_SA_LIFETIME,
	ISAKMP_N_CERTIFICATE_UNAVAILABLE,
	ISAKMP_N_UNSUPPORTED_EXCHANGE_TYPE,
	ISAKMP_N_UNEQUAL_PAYLOAD_LENGTHS,
	/* First status type. */
	ISAKMP_N_CONNECTED = 16384,
	/* IPsec-DOI-specific status types start at 24576. */
	ISAKMP_N_IPSEC_RESPONDER_LIFETIME = 24576,
	ISAKMP_N_IPSEC_REPLAY_STATUS,
	ISAKMP_N_IPSEC_INITIAL_CONTACT,
	ISAKMP_N_CISCO_LOAD_BALANCE = 40501,
	ISAKMP_N_CISCO_HEARTBEAT = 40756
};

/* IKE attribute types (phase-1 SA attributes, RFC 2409 Appendix A). */
enum ike_attr_enum {
	IKE_ATTRIB_ENC = 1,
	IKE_ATTRIB_HASH,
	IKE_ATTRIB_AUTH_METHOD,
	IKE_ATTRIB_GROUP_DESC,
	IKE_ATTRIB_GROUP_TYPE,
	IKE_ATTRIB_GROUP_PRIME,
	IKE_ATTRIB_GROUP_GEN_1,
	IKE_ATTRIB_GROUP_GEN_2,
	IKE_ATTRIB_GROUP_CURVE_A,
	IKE_ATTRIB_GROUP_CURVE_B,
	IKE_ATTRIB_LIFE_TYPE,
	IKE_ATTRIB_LIFE_DURATION,
	IKE_ATTRIB_PRF,
	IKE_ATTRIB_KEY_LENGTH,
	IKE_ATTRIB_FIELD_SIZE,
	IKE_ATTRIB_GROUP_ORDER,
	IKE_ATTRIB_BLOCK_SIZE
};

/* IKE encryption algorithm IDs (values of IKE_ATTRIB_ENC). */
enum ike_enc_enum {
	IKE_ENC_DES_CBC = 1,
	IKE_ENC_IDEA_CBC,
	IKE_ENC_BLOWFISH_CBC,
	IKE_ENC_RC5_R16_B16_CBC,
	IKE_ENC_3DES_CBC,
	IKE_ENC_CAST_CBC,
	IKE_ENC_AES_CBC
};

/* IKE hash algorithm IDs (values of IKE_ATTRIB_HASH). */
enum ike_hash_enum {
	IKE_HASH_MD5 = 1,
	IKE_HASH_SHA,
	IKE_HASH_TIGER,
	IKE_HASH_SHA2_256,
	IKE_HASH_SHA2_384,
	IKE_HASH_SHA2_512
};

/* IKE authentication method IDs (values of IKE_ATTRIB_AUTH_METHOD).
 * 1..8 are the RFC 2409 methods; the XAUTH variants from
 * draft-ietf-ipsec-isakmp-xauth-06 live in the private range from 65001
 * and select which side (Init/Resp) performs the extended
 * authentication on top of the base method. */
enum ike_auth_enum {
	IKE_AUTH_PRESHARED = 1,
	IKE_AUTH_DSS,
	IKE_AUTH_RSA_SIG,
	IKE_AUTH_RSA_ENC,
	IKE_AUTH_RSA_ENC_2,
	IKE_AUTH_EL_GAMAL_ENC,
	IKE_AUTH_EL_GAMAL_ENC_REV,
	IKE_AUTH_ECDSA_SIG,
	IKE_AUTH_XAUTHInitPreShared = 65001,
	IKE_AUTH_XAUTHRespPreShared,
	IKE_AUTH_XAUTHInitDSS,
	IKE_AUTH_XAUTHRespDSS,
	IKE_AUTH_XAUTHInitRSA,
	IKE_AUTH_XAUTHRespRSA,
	IKE_AUTH_XAUTHInitRSAEncryption,
	IKE_AUTH_XAUTHRespRSAEncryption,
	IKE_AUTH_XAUTHInitRSARevisedEncryption,
	IKE_AUTH_XAUTHRespRSARevisedEncryption
};

/* IKE group IDs (values of IKE_ATTRIB_GROUP_DESC). */
enum ike_group_enum {
	IKE_GROUP_MODP_768 = 1,
	IKE_GROUP_MODP_1024,
	IKE_GROUP_EC2N_155,
	IKE_GROUP_EC2N_185,
	IKE_GROUP_MODP_1536,
	IKE_GROUP_EC2N_163sect,
	IKE_GROUP_EC2N_163K,
	IKE_GROUP_EC2N_283sect,
	IKE_GROUP_EC2N_283K,
	IKE_GROUP_EC2N_409sect,
	IKE_GROUP_EC2N_409K,
	IKE_GROUP_EC2N_571sect,
	IKE_GROUP_EC2N_571K
};

/* IKE group type IDs (values of IKE_ATTRIB_GROUP_TYPE). */
enum ike_group_type_enum {
	IKE_GROUP_TYPE_MODP = 1,
	IKE_GROUP_TYPE_ECP,
	IKE_GROUP_TYPE_EC2N
};

/* IKE life type IDs (values of IKE_ATTRIB_LIFE_TYPE): seconds or kilobytes. */
enum ike_life_enum {
	IKE_LIFE_TYPE_SECONDS = 1,
	IKE_LIFE_TYPE_K
};

/* IPSEC situation masks (bit flags in the IPsec DOI situation field). */
enum isakmp_ipsect_sit_enum {
	ISAKMP_IPSEC_SIT_IDENTITY_ONLY = 0x1,
	ISAKMP_IPSEC_SIT_SECRECY = 0x2,
	ISAKMP_IPSEC_SIT_INTEGRITY = 0x4
};

/* IPSEC Identification types (ID-type octet of the ID payload). */
enum isakmp_ipsec_id_enum {
	ISAKMP_IPSEC_ID_RESERVED = 0,
	ISAKMP_IPSEC_ID_IPV4_ADDR,
	ISAKMP_IPSEC_ID_FQDN,
	ISAKMP_IPSEC_ID_USER_FQDN,
	ISAKMP_IPSEC_ID_IPV4_ADDR_SUBNET,
	ISAKMP_IPSEC_ID_IPV6_ADDR,
	ISAKMP_IPSEC_ID_IPV6_ADDR_SUBNET,
	ISAKMP_IPSEC_ID_IPV4_ADDR_RANGE,
	ISAKMP_IPSEC_ID_IPV6_ADDR_RANGE,
	ISAKMP_IPSEC_ID_DER_ASN1_DN,
	ISAKMP_IPSEC_ID_DER_ASN1_GN,
	ISAKMP_IPSEC_ID_KEY_ID
};

/* IPSEC protocol IDs (protocol-ID octet of proposal / notify payloads). */
enum isakmp_ipsec_proto_enum {
	ISAKMP_IPSEC_PROTO_RESERVED = 0,
	ISAKMP_IPSEC_PROTO_ISAKMP,
	ISAKMP_IPSEC_PROTO_IPSEC_AH,
	ISAKMP_IPSEC_PROTO_IPSEC_ESP,
	ISAKMP_IPSEC_PROTO_IPCOMP
};

/* IPSEC transform IDs for PROTO_ISAKMP. */
enum isakmp_ipsec_key_enum {
	ISAKMP_IPSEC_KEY_RESERVED = 0,
	ISAKMP_IPSEC_KEY_IKE
};

/* IPSEC AH IDs (transform IDs for PROTO_IPSEC_AH; 1 is unassigned). */
enum isakmp_ipsec_ah_enum {
	ISAKMP_IPSEC_AH_RESERVED = 0,
	ISAKMP_IPSEC_AH_MD5 = 2,
	ISAKMP_IPSEC_AH_SHA,
	ISAKMP_IPSEC_AH_DES,
	ISAKMP_IPSEC_AH_SHA2_256,
	ISAKMP_IPSEC_AH_SHA2_384,
	ISAKMP_IPSEC_AH_SHA2_512,
	ISAKMP_IPSEC_AH_RIPEMD
};

/* IPSEC ESP IDs (transform IDs for PROTO_IPSEC_ESP). */
enum isakmp_ipsec_esp_enum {
	ISAKMP_IPSEC_ESP_RESERVED = 0,
	ISAKMP_IPSEC_ESP_DES_IV64,
	ISAKMP_IPSEC_ESP_DES,
	ISAKMP_IPSEC_ESP_3DES,
	ISAKMP_IPSEC_ESP_RC5,
	ISAKMP_IPSEC_ESP_IDEA,
	ISAKMP_IPSEC_ESP_CAST,
	ISAKMP_IPSEC_ESP_BLOWFISH,
	ISAKMP_IPSEC_ESP_3IDEA,
	ISAKMP_IPSEC_ESP_DES_IV32,
	ISAKMP_IPSEC_ESP_RC4,
	ISAKMP_IPSEC_ESP_NULL,
	ISAKMP_IPSEC_ESP_AES,
	ISAKMP_IPSEC_ESP_AES_128_CTR,
	/* Private-use transform IDs for the other AES finalists. */
	ISAKMP_IPSEC_ESP_AES_MARS = 249,
	ISAKMP_IPSEC_ESP_AES_RC6,
	ISAKMP_IPSEC_ESP_AES_RIJNDAEL,
	ISAKMP_IPSEC_ESP_AES_SERPENT,
	ISAKMP_IPSEC_ESP_AES_TWOFISH
};

/* IPSEC attribute types (phase-2 SA attributes). */
enum isakmp_ipsec_attr_enum {
	ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE = 1,
	ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION,
	ISAKMP_IPSEC_ATTRIB_GROUP_DESC,
	ISAKMP_IPSEC_ATTRIB_ENCAP_MODE,
	ISAKMP_IPSEC_ATTRIB_AUTH_ALG,
	ISAKMP_IPSEC_ATTRIB_KEY_LENGTH,
	ISAKMP_IPSEC_ATTRIB_KEY_ROUNDS,
	ISAKMP_IPSEC_ATTRIB_COMP_DICT_SIZE,
	ISAKMP_IPSEC_ATTRIB_COMP_PRIVATE_ALG,
	ISAKMP_IPSEC_ATTRIB_ECN_TUNNEL
};

/* IPSEC compression IDs (transform IDs for PROTO_IPCOMP). */
enum isakmp_ipsec_ipcomp_enum {
	ISAKMP_IPSEC_IPCOMP_RESERVED = 0,
	ISAKMP_IPSEC_IPCOMP_OUI,
	ISAKMP_IPSEC_IPCOMP_DEFLATE,
	ISAKMP_IPSEC_IPCOMP_LZS,
	ISAKMP_IPSEC_IPCOMP_V42BIS
};

/* IPSEC lifetime attribute values (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE). */
enum ipsec_life_enum {
	IPSEC_LIFE_SECONDS = 1,
	IPSEC_LIFE_K
};

/* IPSEC encapsulation attribute numbers (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE).
 * The *_OLD values are the private-use numbers used by the early NAT-T
 * drafts for UDP encapsulation. */
enum ipsec_encap_enum {
	IPSEC_ENCAP_TUNNEL = 1,
	IPSEC_ENCAP_TRANSPORT,
	IPSEC_ENCAP_UDP_TUNNEL,
	IPSEC_ENCAP_UDP_TRANSPORT,
	IPSEC_ENCAP_UDP_TUNNEL_OLD = 61443,
	IPSEC_ENCAP_UDP_TRANSPORT_OLD
};

/* IPSEC authentication attribute numbers (ISAKMP_IPSEC_ATTRIB_AUTH_ALG). */
enum ipsec_auth_enum {
	IPSEC_AUTH_HMAC_MD5 = 1,
	IPSEC_AUTH_HMAC_SHA,
	IPSEC_AUTH_DES_MAC,
	IPSEC_AUTH_KPDK
};

/* Other numbers. */
/* Each of the two header cookies is 8 octets. */
#define ISAKMP_COOKIE_LENGTH 8
/* Version octet: major version 1 in the high nibble, minor 0 in the low. */
#define ISAKMP_VERSION 0x10
/* offsets
 * Byte offsets into the fixed 28-octet ISAKMP header.  The next-payload
 * (16) and version (17) octets have no named offset here. */
#define ISAKMP_I_COOKIE_O 0
#define ISAKMP_R_COOKIE_O 8
#define ISAKMP_EXCHANGE_TYPE_O 18
#define ISAKMP_FLAGS_O 19
#define ISAKMP_MESSAGE_ID_O 20
#define ISAKMP_LENGTH_O 24
/* First payload starts right after the header. */
#define ISAKMP_PAYLOAD_O 28

/* Support for draft-ietf-ipsec-isakmp-xauth-06.txt (yuk).
 * Vendor ID payload contents; these are raw byte-array initializers, so
 * the consumer must supply the array length itself. */
#define XAUTH_VENDOR_ID { 0x09, 0x00, 0x26, 0x89, 0xDF, 0xD6, 0xB7, 0x12 }
/* From dead-peer-detection RFC 3706 */
#define DPD_VENDOR_ID { 0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, 0xC9, \
	0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57, 0x01, 0x00}
/* Cisco Unity client capability. */
#define UNITY_VENDOR_ID { 0x12, 0xF5, 0xF2, 0x8C, 0x45, 0x71, 0x68, 0xA9, \
	0x70, 0x2D, 0x9F, 0xE2, 0x74, 0xCC, 0x01, 0x00 }
/* Origin of this VID is not documented here. */
#define UNKNOWN_VENDOR_ID { 0x12, 0x6E, 0x1F, 0x57, 0x72, 0x91, 0x15, 0x3B, \
	0x20, 0x48, 0x5F, 0x7F, 0x15, 0x5B, 0x4B, 0xC8 }
/* Support for draft-ietf-ipsec-nat-t-ike-02 */
#define NATT_VENDOR_ID { 0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E, \
	0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F }

/* Support for draft-ietf-ipsec-isakmp-mode-cfg-05.txt (yuk). */

/* Mode-Config message types (type octet of the attribute payload). */
enum isakmp_modecfg_cfg_enum {
	ISAKMP_MODECFG_CFG_REQUEST = 1,
	ISAKMP_MODECFG_CFG_REPLY,
	ISAKMP_MODECFG_CFG_SET,
	ISAKMP_MODECFG_CFG_ACK
};

/* Mode-Config / XAUTH attribute types.
 * 1..15 are the Mode-Config INTERNAL_* attributes; 0x4088.. are the
 * XAUTH attributes from the xauth draft; 0x7000.. are Cisco extensions. */
enum isakmp_modecfg_attrib_enum {
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS = 1,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_ADDRESS_EXPIRY,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DHCP,
	ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_ADDRESS,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_NETMASK,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_DNS,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_NBNS,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_DHCP,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_SUBNET,
	ISAKMP_MODECFG_ATTRIB_SUPPORTED_ATTRIBUTES,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_SUBNET,
	/* XAUTH attributes.  USER_NAME, USER_PASSWORD, PASSCODE, CHALLENGE
	 * and ANSWER carry user credentials; the TYPE..ANSWER range is kept
	 * out of packet dumps (see the note at ANSWER), presumably so that
	 * secrets are never written to logs - any new dump/log path that
	 * prints attributes must honour the same exclusion. */
	ISAKMP_XAUTH_ATTRIB_TYPE = 0x4088,
	ISAKMP_XAUTH_ATTRIB_USER_NAME,
	ISAKMP_XAUTH_ATTRIB_USER_PASSWORD,
	ISAKMP_XAUTH_ATTRIB_PASSCODE,
	ISAKMP_XAUTH_ATTRIB_MESSAGE,
	ISAKMP_XAUTH_ATTRIB_CHALLENGE,
	ISAKMP_XAUTH_ATTRIB_DOMAIN,
	ISAKMP_XAUTH_ATTRIB_STATUS,
	ISAKMP_XAUTH_ATTRIB_NEXT_PIN,
	ISAKMP_XAUTH_ATTRIB_ANSWER, /* TYPE .. ANSWER is excluded from dump */
	/* Cisco private Mode-Config attributes. */
	ISAKMP_MODECFG_ATTRIB_CISCO_BANNER = 0x7000,
	ISAKMP_MODECFG_ATTRIB_CISCO_SAVE_PW,
	ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN,
	ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_DNS,
	ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC,
	ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT,
	ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN, /* whatever 0x7006 is... */
	ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS,
	ISAKMP_MODECFG_ATTRIB_CISCO_FW_TYPE,
	ISAKMP_MODECFG_ATTRIB_CISCO_BACKUP_SERVER,
	ISAKMP_MODECFG_ATTRIB_CISCO_DDNS_HOSTNAME,
	ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR = 0x7d88 /* strange cisco things ... need docs! */
};

#endif