
IPSEC_SA_BUNDLE1 structure

The IPSEC_SA_BUNDLE1 structure is used to store information about an IPsec security association (SA) bundle.

Note  IPSEC_SA_BUNDLE1 is the specific implementation of IPSEC_SA_BUNDLE used in Windows 7 and later. See WFP Version-Independent Names and Targeting Specific Versions of Windows for more information. For Windows Vista, IPSEC_SA_BUNDLE0 is available.

Syntax


typedef struct IPSEC_SA_BUNDLE1_ {
  UINT32                 flags;
  IPSEC_SA_LIFETIME0     lifetime;
  UINT32                 idleTimeoutSeconds;
  UINT32                 ndAllowClearTimeoutSeconds;
  IPSEC_ID0              *ipsecId;
  UINT32                 napContext;
  UINT32                 qmSaId;
  UINT32                 numSAs;
  IPSEC_SA0              *saList;
  IPSEC_KEYMODULE_STATE0 *keyModuleState;
  FWP_IP_VERSION         ipVersion;
  union {
    UINT32 peerV4PrivateAddress;   // case(FWP_IP_VERSION_V4); the union has no member for FWP_IP_VERSION_V6
  };
  UINT64                 mmSaId;
  IPSEC_PFS_GROUP        pfsGroup;
  GUID                   saLookupContext;
  UINT64                 qmFilterId;
} IPSEC_SA_BUNDLE1;

Members

flags

A combination of the following values.

IPsec SA bundle flag        Meaning
IPSEC_SA_BUNDLE_FLAG_ND_SECURE

Negotiation discovery is enabled in secure ring.

IPSEC_SA_BUNDLE_FLAG_ND_BOUNDARY

Negotiation discovery is enabled in the untrusted perimeter zone.

IPSEC_SA_BUNDLE_FLAG_ND_PEER_NAT_BOUNDARY

Peer is in untrusted perimeter zone ring and a network address translation (NAT) is in the way. Used with negotiation discovery.

IPSEC_SA_BUNDLE_FLAG_GUARANTEE_ENCRYPTION

Indicates that this is an SA for connections that require guaranteed encryption.

IPSEC_SA_BUNDLE_FLAG_NLB

Indicates that this is an SA to an NLB server.

IPSEC_SA_BUNDLE_FLAG_NO_MACHINE_LUID_VERIFY

Indicates that this SA should bypass machine LUID verification.

IPSEC_SA_BUNDLE_FLAG_NO_IMPERSONATION_LUID_VERIFY

Indicates that this SA should bypass impersonation LUID verification.

IPSEC_SA_BUNDLE_FLAG_NO_EXPLICIT_CRED_MATCH

Indicates that this SA should bypass explicit credential handle matching.

IPSEC_SA_BUNDLE_FLAG_ALLOW_NULL_TARGET_NAME_MATCH

Allows an SA formed with a peer name to carry traffic that does not have an associated peer target.

IPSEC_SA_BUNDLE_FLAG_CLEAR_DF_ON_TUNNEL

Clears the DontFragment bit on the outer IP header of an IPsec-tunneled packet. This flag is applicable only to tunnel mode SAs.

IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND

Default encapsulation ports (4500 and 4000) can be used when matching this SA with packets on outbound connections that do not have an associated IPsec-NAT-shim context.

IPSEC_SA_BUNDLE_FLAG_ND_PEER_BOUNDARY

Peer has negotiation discovery enabled, and is on a perimeter network.

IPSEC_SA_BUNDLE_FLAG_SUPPRESS_DUPLICATE_DELETION

Suppresses the duplicate SA deletion logic. This logic is performed by the kernel when an outbound SA is added, to prevent unnecessary duplicate SAs.

IPSEC_SA_BUNDLE_FLAG_PEER_SUPPORTS_GUARANTEE_ENCRYPTION

Indicates that the peer computer supports negotiating a separate SA for connections that require guaranteed encryption.


lifetime

Lifetime of all the SAs in the bundle as specified by IPSEC_SA_LIFETIME0.

idleTimeoutSeconds

Timeout in seconds after which the SAs in the bundle will idle out (due to traffic inactivity) and expire.

ndAllowClearTimeoutSeconds

Timeout in seconds, after which the IPsec SA should stop accepting packets coming in the clear.

Used for negotiation discovery.

ipsecId

Pointer to an IPSEC_ID0 structure that contains optional IPsec identity info.

napContext

Network Access Protection (NAP) peer credentials information.

qmSaId

SA identifier used by IPsec when choosing the SA to expire. For an IPsec SA pair, the qmSaId must be the same between the initiating and responding machines and across inbound and outbound SA bundles. For different IPsec pairs, the qmSaId must be different.

numSAs

Number of SAs in the bundle. The only possible values are 1 and 2. Use 2 only when specifying AH and ESP SAs.

saList

Array of IPsec SAs in the bundle. For AH and ESP SAs, use index 0 for ESP SA and index 1 for AH SA.

See IPSEC_SA0 for more information.

keyModuleState

Optional keying module specific information as specified by IPSEC_KEYMODULE_STATE0.

ipVersion

IP version as specified by FWP_IP_VERSION.

peerV4PrivateAddress

Available when ipVersion is FWP_IP_VERSION_V4. If peer is behind a NAT device, this member stores the peer's private address.

mmSaId

Use this ID to correlate this IPsec SA with the IKE SA that generated it.

pfsGroup

Specifies whether Quick Mode perfect forward secrecy (PFS) was enabled for this SA, and if so, contains the Diffie-Hellman group that was used for PFS.

See IPSEC_PFS_GROUP for more information.

saLookupContext

SA lookup context which is propagated from the SA to data connections flowing over that SA. It is made available to any application that queries socket security properties using the Winsock API WSAQuerySocketSecurity function, allowing the application to obtain detailed IPsec authentication information for its connection.

qmFilterId
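
The members above carry several documented invariants that a caller should check before handing a bundle to the IPsec SA context functions, and that an audit tool reading SA dumps should decode: numSAs is 1 or 2, with index 0 holding the ESP SA and index 1 the AH SA; peerV4PrivateAddress is meaningful only when ipVersion is FWP_IP_VERSION_V4; and ndAllowClearTimeoutSeconds opens a window for clear-text packets that only makes sense on a negotiation-discovery SA. The following C program is an added example, not code from this reference or from the Windows SDK. On Windows the real declarations come from Ipsectypes.h; to build off-Windows it re-declares only the members it reads as constructed stand-ins with the names documented here, and the numeric flag and enum values it assigns are constructed for the example, not the SDK's values. The sample bundles are constructed, not captured from a real system, and the "clear-text without ND" rule is an audit heuristic rather than a documented constraint.

```c
/* Added example: decode IPSEC_SA_BUNDLE1 flags and validate the documented
 * invariants. Stand-in declarations below replace ipsectypes.h off-Windows;
 * their numeric values are constructed and are NOT the SDK's values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t UINT32;
typedef uint64_t UINT64;

typedef enum { FWP_IP_VERSION_V4 = 0, FWP_IP_VERSION_V6 = 1 } FWP_IP_VERSION;
typedef enum { IPSEC_TRANSFORM_AH = 1, IPSEC_TRANSFORM_ESP_AUTH = 2,
               IPSEC_TRANSFORM_ESP_CIPHER = 3,
               IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER = 4 } IPSEC_TRANSFORM_TYPE;

/* Stand-in for IPSEC_SA0: only the two members used here. */
typedef struct { UINT32 spi; IPSEC_TRANSFORM_TYPE saTransformType; } IPSEC_SA0;

/* Reduced stand-in for IPSEC_SA_BUNDLE1 with the members the checks read. */
typedef struct {
    UINT32          flags;
    UINT32          ndAllowClearTimeoutSeconds;
    UINT32          qmSaId;
    UINT32          numSAs;
    IPSEC_SA0      *saList;
    FWP_IP_VERSION  ipVersion;
    UINT32          peerV4PrivateAddress;
    UINT64          mmSaId;
} IPSEC_SA_BUNDLE1;

/* Flag names from the reference; bit positions constructed for this example. */
static const struct { UINT32 bit; const char *name; } kFlagNames[] = {
    { 1u << 0,  "ND_SECURE" },              { 1u << 1,  "ND_BOUNDARY" },
    { 1u << 2,  "ND_PEER_NAT_BOUNDARY" },   { 1u << 3,  "GUARANTEE_ENCRYPTION" },
    { 1u << 4,  "NLB" },                    { 1u << 5,  "NO_MACHINE_LUID_VERIFY" },
    { 1u << 6,  "NO_IMPERSONATION_LUID_VERIFY" },
    { 1u << 7,  "NO_EXPLICIT_CRED_MATCH" }, { 1u << 8,  "ALLOW_NULL_TARGET_NAME_MATCH" },
    { 1u << 9,  "CLEAR_DF_ON_TUNNEL" },     { 1u << 10, "ASSUME_UDP_CONTEXT_OUTBOUND" },
    { 1u << 11, "ND_PEER_BOUNDARY" },       { 1u << 12, "SUPPRESS_DUPLICATE_DELETION" },
    { 1u << 13, "PEER_SUPPORTS_GUARANTEE_ENCRYPTION" },
};
/* The four negotiation-discovery flags (constructed bit positions). */
#define ND_FLAGS_MASK ((1u << 0) | (1u << 1) | (1u << 2) | (1u << 11))

/* Decode flags into "A|B|C" in out; returns the number of known bits set.
 * Unknown bits are appended as "?0x..." so an audit never silently drops them. */
int describe_sa_bundle_flags(UINT32 flags, char *out, size_t outlen) {
    int n = 0;
    UINT32 seen = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof kFlagNames / sizeof kFlagNames[0]; i++) {
        if (flags & kFlagNames[i].bit) {
            snprintf(out + strlen(out), outlen - strlen(out), "%s%s",
                     n ? "|" : "", kFlagNames[i].name);
            seen |= kFlagNames[i].bit;
            n++;
        }
    }
    if (flags & ~seen)
        snprintf(out + strlen(out), outlen - strlen(out), "%s?0x%x",
                 n ? "|" : "", flags & ~seen);
    return n;
}

enum { SA_BUNDLE_OK = 0, SA_BUNDLE_BAD_COUNT, SA_BUNDLE_BAD_ORDER,
       SA_BUNDLE_BAD_PEER_ADDR, SA_BUNDLE_CLEAR_WITHOUT_ND };

/* Returns SA_BUNDLE_OK or the first violated rule. */
int validate_sa_bundle(const IPSEC_SA_BUNDLE1 *b) {
    /* numSAs must be 1 or 2; 2 is used only for an AH+ESP pair. */
    if (b->saList == NULL || b->numSAs < 1 || b->numSAs > 2)
        return SA_BUNDLE_BAD_COUNT;
    /* With two SAs, index 0 is the ESP SA and index 1 the AH SA. */
    if (b->numSAs == 2 &&
        (b->saList[0].saTransformType == IPSEC_TRANSFORM_AH ||
         b->saList[1].saTransformType != IPSEC_TRANSFORM_AH))
        return SA_BUNDLE_BAD_ORDER;
    /* peerV4PrivateAddress is available only when ipVersion is V4. */
    if (b->ipVersion != FWP_IP_VERSION_V4 && b->peerV4PrivateAddress != 0)
        return SA_BUNDLE_BAD_PEER_ADDR;
    /* Audit heuristic (not a documented rule): accepting clear-text packets
     * for a while is only expected on a negotiation-discovery SA. */
    if (b->ndAllowClearTimeoutSeconds != 0 && !(b->flags & ND_FLAGS_MASK))
        return SA_BUNDLE_CLEAR_WITHOUT_ND;
    return SA_BUNDLE_OK;
}

/* Constructed sample SAs and bundles (not captured from a real system). */
static IPSEC_SA0 kEspThenAh[2] = { { 0x1000u, IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER },
                                   { 0x1001u, IPSEC_TRANSFORM_AH } };
static IPSEC_SA0 kAhThenEsp[2] = { { 0x2000u, IPSEC_TRANSFORM_AH },
                                   { 0x2001u, IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER } };
IPSEC_SA_BUNDLE1 kGoodBundle    = { (1u << 0) | (1u << 3), 30, 7,  2, kEspThenAh, FWP_IP_VERSION_V4, 0x0A000001u, 42 };
IPSEC_SA_BUNDLE1 kWrongOrder    = { 0,                     0,  8,  2, kAhThenEsp, FWP_IP_VERSION_V4, 0,           43 };
IPSEC_SA_BUNDLE1 kV6WithPrivate = { 0,                     0,  9,  1, kEspThenAh, FWP_IP_VERSION_V6, 0x0A000002u, 44 };
IPSEC_SA_BUNDLE1 kClearNoNd     = { 0,                     30, 10, 1, kEspThenAh, FWP_IP_VERSION_V4, 0,           45 };

int main(void) {
    char buf[256];
    describe_sa_bundle_flags(kGoodBundle.flags, buf, sizeof buf);
    printf("qmSaId %u flags=%s validate=%d\n", kGoodBundle.qmSaId, buf,
           validate_sa_bundle(&kGoodBundle));
    printf("wrong order=%d v6 with v4 addr=%d clear without nd=%d\n",
           validate_sa_bundle(&kWrongOrder), validate_sa_bundle(&kV6WithPrivate),
           validate_sa_bundle(&kClearNoNd));
    return 0;
}
```

On Windows, delete the stand-in typedefs and include Ipsectypes.h instead, so that the flag table uses the SDK's IPSEC_SA_BUNDLE_FLAG_* constants and the struct is the real IPSEC_SA_BUNDLE1; the two functions then work unchanged on bundles returned by the SA context query APIs.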

Requirements

Minimum supported client

Windows 7 [desktop apps only]

Minimum supported server

Windows Server 2008 R2 [desktop apps only]

Header

Ipsectypes.h

IDL

Ipsectypes.idl

See also

Windows Filtering Platform API Structures
FWP_IP_VERSION
IPSEC_KEYMODULE_STATE0
IPSEC_PFS_GROUP
IPSEC_SA0
IPSEC_SA_LIFETIME0

© 2014 Microsoft