Partager via


IPSEC_SA_BUNDLE0 (Compact 2013)

3/26/2014

This structure is used to store information about an IPSec security association (SA) bundle.

Syntax

typedef struct IPSEC_SA_BUNDLE0_ {
  UINT32 flags;
  IPSEC_SA_LIFETIME0 lifetime;
  UINT32 idleTimeoutSeconds;
  UINT32 ndAllowClearTimeoutSeconds;
  IPSEC_ID0* ipsecId;
  UINT32 napContext;
  UINT32 qmSaId;
  UINT32 numSAs;
  IPSEC_SA0* saList;
  IPSEC_KEYMODULE_STATE0* keyModuleState;
  FWP_IP_VERSION ipVersion;
  union {
    UINT32 peerV4PrivateAddress;
    ;      // case(FWP_IP_VERSION_V6)
  };
  UINT64 mmSaId;
  IPSEC_PFS_GROUP pfsGroup;
} IPSEC_SA_BUNDLE0;

Members

  • flags
    A combination of the values listed in the Remarks section below
  • idleTimeoutSeconds
    Timeout in seconds after which the SAs in the bundle will idle out (due to traffic inactivity) and expire
  • ndAllowClearTimeoutSeconds
    Timeout in seconds, after which the IPsec SA should stop accepting packets coming in the clear.

    Used for negotiation discovery.

  • ipsecId
    Pointer to an IPSEC_ID0 structure that contains optional IPsec identity info.
  • napContext
    Network Access Point (NAP) peer credentials information.
  • qmSaId
    SA identifier used by IPsec when choosing the SA to expire. For an IPsec SA pair, the qmSaId must be the same between the initiating and responding machines and across inbound and outbound SA bundles. For different IPsec pairs, the qmSaId must be different.
  • numSAs
    Number of SAs in the bundle. The only possible values are 1 and 2. Use 2 only when specifying AH + ESP SAs.
  • saList
    Array of IPsec SAs in the bundle. For AH + ESP SAs, use index [0] for ESP SA and index [1] for AH SA.

    See topic IPSEC_SA0 for more information.

  • peerV4PrivateAddress
    Available when ipVersion is FWP_IP_VERSION_V4. If peer is behind a network address translation (NAT) device, this member stores the peer's private address.
  • mmSaId
    Use this ID to correlate this IPsec SA with the IKE SA that generated it.
  • pfsGroup
    Specifies whether Quick Mode perfect forward secrecy (PFS) was enabled for this SA, and if so, contains the Diffie-Hellman group that was used for PFS.

    See topic IPSEC_PFS_GROUP for more information.

Remarks

The data type IPSEC_TOKEN_HANDLE is defined in ipsectypes.h as UINT64.

The following is a list of the possible values for the flags data member:

IPSec SA bundle flag

Meaning

IPSEC_SA_BUNDLE_FLAG_ND_SECURE

Negotiation discovery is enabled in secure ring.

IPSEC_SA_BUNDLE_FLAG_ND_BOUNDARY

Negotiation discovery in enabled in the untrusted perimeter zone.

IPSEC_SA_BUNDLE_FLAG_ND_PEER_NAT_BOUNDARY

Peer is in untrusted perimeter zone ring and a NAT is in the way. Used with negotiation discovery.

IPSEC_SA_BUNDLE_FLAG_GUARANTEE_ENCRYPTION

Indicates that this is an encryption SA.

IPSEC_SA_BUNDLE_FLAG_NLB

Indicates that this is an SA to an NLB server.

IPSEC_SA_BUNDLE_FLAG_NO_MACHINE_LUID_VERIFY

Indicates that this SA should bypass machine LUID verification.

IPSEC_SA_BUNDLE_FLAG_NO_IMPERSONATION_LUID_VERIFY

Indicates that this SA should bypass impersonation LUID verification.

IPSEC_SA_BUNDLE_FLAG_NO_EXPLICIT_CRED_MATCH

Indicates that this SA should bypass explicit credential handle matching.

IPSEC_SA_BUNDLE_FLAG_ALLOW_NULL_TARGET_NAME_MATCH

Allows an SA formed with a peer name to carry traffic that does not have an associated peer target.

IPSEC_SA_BUNDLE_FLAG_CLEAR_DF_ON_TUNNEL

Clears the DontFragment bit on the outer IP header of an IPsec-tunneled packet. This flag is applicable only to tunnel mode SAs.

IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND

Default encapsulation ports (4500 and 4000) can be used when matching this SA with packets on outbound connections that do not have an associated IPsec-NAT-shim context.

Requirements

Header

fwpmu.h

See Also

Reference

WFP IPsec Structures

Other Resources

Windows Filtering Platform