2.2.1.2.237 ROUTER_CUSTOM_IKEv2_POLICY_0

The ROUTER_CUSTOM_IKEv2_POLICY_0 structure is used to get or set configuration parameters to be used during quick mode security association (QM SA) or main mode security association (MM SA) negotiation for IKEv2 [RFC4306] and L2TP devices.

 typedef struct _ROUTER_CUSTOM_IKEv2_POLICY_0 {
   DWORD dwIntegrityMethod;
   DWORD dwEncryptionMethod;
   DWORD dwCipherTransformConstant;
   DWORD dwAuthTransformConstant;
   DWORD dwPfsGroup;
   DWORD dwDhGroup;
 } ROUTER_CUSTOM_IKEv2_POLICY_0,
  *PROUTER_CUSTOM_IKEv2_POLICY_0,
  ROUTER_CUSTOM_L2TP_POLICY_0,
  *PROUTER_CUSTOM_L2TP_POLICY_0;

dwIntegrityMethod: Specifies the integrity check algorithm to be negotiated during MM SA negotiation [RFC4306]. This SHOULD have one of the following values.

| Value | Meaning |
|---|---|
| INTEGRITY_MD5 (0x0) | Specifies the MD5 hash algorithm. |
| INTEGRITY_SHA1 (0x1) | Specifies the SHA1 hash algorithm. |
| INTEGRITY_SHA_256 (0x2) | Specifies the 256-bit SHA hash algorithm. |
| INTEGRITY_SHA_384 (0x3) | Specifies the 384-bit SHA hash algorithm. |

dwEncryptionMethod: Specifies the encryption algorithm to be negotiated during MM SA negotiation [RFC4306]. This SHOULD have one of the following values.

| Value | Meaning |
|---|---|
| CIPHER_DES (0x0) | Specifies DES encryption. |
| CIPHER_3DES (0x1) | Specifies 3DES encryption. |
| CIPHER_AES_128 (0x2) | Specifies AES-128 encryption. |
| CIPHER_AES_192 (0x3) | Specifies AES-192 encryption. |
| CIPHER_AES_256 (0x4) | Specifies AES-256 encryption. |

dwCipherTransformConstant: Specifies the encryption algorithm to be negotiated during QM SA negotiation [RFC4306]. This SHOULD have one of the following values.

| Value | Meaning |
|---|---|
| CIPHER_CONFIG_CBC_DES (0x1) | DES (Data Encryption Standard) algorithm. CBC (Cipher Block Chaining) mode of operation. [RFC2410] |
| CIPHER_CONFIG_CBC_3DES (0x2) | 3DES algorithm. CBC mode of operation. [RFC2451] |
| CIPHER_CONFIG_CBC_AES_128 (0x3) | AES-128 (Advanced Encryption Standard) algorithm. CBC mode of operation. [RFC3602] |
| CIPHER_CONFIG_CBC_AES_192 (0x4) | AES-192 algorithm. CBC mode of operation. [RFC3602] |
| CIPHER_CONFIG_CBC_AES_256 (0x5) | AES-256 algorithm. CBC mode of operation. [RFC3602] |
| CIPHER_CONFIG_GCM_AES_128 (0x6) | AES-128 algorithm. GCM (Galois Counter Mode) mode of operation. [RFC4106] |
| CIPHER_CONFIG_GCM_AES_192 (0x7) | AES-192 algorithm. GCM (Galois Counter Mode) mode of operation. [RFC4106] |
| CIPHER_CONFIG_GCM_AES_256 (0x8) | AES-256 algorithm. GCM (Galois Counter Mode) mode of operation. [RFC4106] |

dwAuthTransformConstant: Specifies the hash algorithm to be negotiated during QM SA negotiation [RFC4306]. This SHOULD have one of the following values.

| Value | Meaning |
|---|---|
| AUTH_CONFIG_HMAC_MD5_96 (0x0) | Hash-based Message Authentication Code (HMAC) secret key authentication algorithm. MD5 data integrity and data origin authentication algorithm. [RFC2403] |
| AUTH_CONFIG_HMAC_SHA_1_96 (0x1) | HMAC secret key authentication algorithm. SHA-1 (Secure Hash Algorithm) data integrity and data origin authentication algorithm. [RFC2404] |
| AUTH_CONFIG_HMAC_SHA_256_128 (0x2) | HMAC secret key authentication algorithm. SHA-256 data integrity and data origin authentication algorithm. |
| AUTH_CONFIG_GCM_AES_128 (0x3) | GCM (Galois Counter Mode) secret key authentication algorithm. AES (Advanced Encryption Standard) data integrity and data origin authentication algorithm, with 128-bit key. |
| AUTH_CONFIG_GCM_AES_192 (0x4) | GCM secret key authentication algorithm. AES data integrity and data origin authentication algorithm, with 192-bit key. |
| AUTH_CONFIG_GCM_AES_256 (0x5) | GCM secret key authentication algorithm. AES data integrity and data origin authentication algorithm, with 256-bit key. |

dwPfsGroup: Specifies the Diffie-Hellman algorithm to be used for Quick Mode Perfect Forward Secrecy (PFS) [RFC4306]. This SHOULD have one of the following values.

| Value | Meaning |
|---|---|
| PFS_NONE (0x0) | Specifies no Quick Mode PFS. |
| PFS_1 (0x1) | Specifies Diffie-Hellman group 1. |
| PFS_2 (0x2) | Specifies Diffie-Hellman group 2. |
| PFS_2048 (0x3) | Specifies Diffie-Hellman group 2048. |
| PFS_ECP_256 (0x4) | Specifies Diffie-Hellman ECP group 256. |
| PFS_ECP_384 (0x5) | Specifies Diffie-Hellman ECP group 384. |
| PFS_MM (0x6) | Use the same Diffie-Hellman as the main mode (MM) that contains this quick mode (QM). |
| PFS_24 (0x7) | Specifies Diffie-Hellman group 24. |

dwDhGroup: Specifies the type of Diffie-Hellman group used for Internet Key Exchange (IKE) key generation during MM SA negotiation [RFC4306]. This SHOULD have one of the following values.

| Value | Meaning |
|---|---|
| DH_GROUP_NONE (0x0) | No key exchange algorithms defined. |
| DH_GROUP_1 (0x1) | Do key exchange with Diffie-Hellman group 1. |
| DH_GROUP_2 (0x2) | Do key exchange with Diffie-Hellman group 2. |
| DH_GROUP_14 (0x3) | Do key exchange with Diffie-Hellman group 14. |
| DH_GROUP_2048 (0x3) | Do key exchange with Diffie-Hellman group 14. This group was called Diffie-Hellman group 2048 when it was introduced. The name has been changed to match standard terminology. |
| DH_ECP_256 (0x4) | Do key exchange with elliptic curve Diffie-Hellman 256. |
| DH_ECP_384 (0x5) | Do key exchange with elliptic curve Diffie-Hellman 384. |
| DH_GROUP_24 (0x6) | Do key exchange with Diffie-Hellman group 24. |
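
Added example (not part of the specification): a configuration audit that range-checks each field against the value lists above and flags the legacy selections. It assumes a baseline, chosen for this example and not stated by the specification, that treats DES, 3DES, MD5, Diffie-Hellman groups 1 and 2, and a missing key exchange or PFS group as findings. The DWORD typedef is a stand-in for the Windows type, and audit_policy and the F_* names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t DWORD;  /* stand-in so the example builds without Windows headers */

/* Field order as given in the structure definition above. */
typedef struct {
  DWORD dwIntegrityMethod, dwEncryptionMethod, dwCipherTransformConstant,
        dwAuthTransformConstant, dwPfsGroup, dwDhGroup;
} ROUTER_CUSTOM_IKEv2_POLICY_0;

/* Finding bits: hypothetical names, defined for this example only. */
enum {
  F_OUT_OF_RANGE = 1 << 0,  /* a field holds a value not listed above */
  F_MM_INTEGRITY = 1 << 1,  /* INTEGRITY_MD5 */
  F_MM_CIPHER    = 1 << 2,  /* CIPHER_DES, CIPHER_3DES */
  F_QM_CIPHER    = 1 << 3,  /* CIPHER_CONFIG_CBC_DES, CIPHER_CONFIG_CBC_3DES */
  F_QM_AUTH      = 1 << 4,  /* AUTH_CONFIG_HMAC_MD5_96 */
  F_WEAK_PFS     = 1 << 5,  /* PFS_NONE, PFS_1, PFS_2 */
  F_WEAK_DH      = 1 << 6   /* DH_GROUP_NONE, DH_GROUP_1, DH_GROUP_2 */
};

/* Returns a bitmask of findings; 0 means the policy passes this baseline. */
unsigned audit_policy(const ROUTER_CUSTOM_IKEv2_POLICY_0 *p) {
  unsigned f = 0;
  DWORD qm = p->dwCipherTransformConstant;  /* listed values start at 0x1 */
  if (p->dwIntegrityMethod > 0x3 || p->dwEncryptionMethod > 0x4 ||
      qm < 0x1 || qm > 0x8 || p->dwAuthTransformConstant > 0x5 ||
      p->dwPfsGroup > 0x7 || p->dwDhGroup > 0x6)
    f |= F_OUT_OF_RANGE;
  if (p->dwIntegrityMethod == 0x0)       f |= F_MM_INTEGRITY;
  if (p->dwEncryptionMethod <= 0x1)      f |= F_MM_CIPHER;
  if (qm == 0x1 || qm == 0x2)            f |= F_QM_CIPHER;
  if (p->dwAuthTransformConstant == 0x0) f |= F_QM_AUTH;
  if (p->dwPfsGroup <= 0x2)              f |= F_WEAK_PFS;
  if (p->dwDhGroup <= 0x2)               f |= F_WEAK_DH;
  return f;
}

int main(void) {
  /* Constructed sample policies, not taken from any real router. */
  ROUTER_CUSTOM_IKEv2_POLICY_0 legacy = {0x0, 0x1, 0x2, 0x0, 0x0, 0x2};
  ROUTER_CUSTOM_IKEv2_POLICY_0 modern = {0x2, 0x4, 0x8, 0x5, 0x5, 0x5};
  printf("legacy findings: 0x%02x\n", audit_policy(&legacy));
  printf("modern findings: 0x%02x\n", audit_policy(&modern));
  return 0;
}
```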