IKEEXT_POLICY1 structure

The IKEEXT_POLICY1 structure is used to store the IKE/AuthIP main mode negotiation policy.

Note  IKEEXT_POLICY1 is the specific implementation of IKEEXT_POLICY used in Windows 7. See WFP Version-Independent Names and Targeting Specific Versions of Windows for more information. For Windows 8, IKEEXT_POLICY2 is available.For Windows Vista, IKEEXT_POLICY0 is available.
 

Syntax


typedef struct IKEEXT_POLICY1_ {
  UINT32                                   softExpirationTime;
  UINT32                                   numAuthenticationMethods;
  IKEEXT_AUTHENTICATION_METHOD1            *authenticationMethods;
  IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE initiatorImpersonationType;
  UINT32                                   numIkeProposals;
  IKEEXT_PROPOSAL0                         *ikeProposals;
  UINT32                                   flags;
  UINT32                                   maxDynamicFilters;
  UINT32                                   retransmitDurationSecs;
} IKEEXT_POLICY1;

Members

softExpirationTime

Lifetime of the IPsec soft SA, in seconds. The caller must set this to 0.

numAuthenticationMethods

Number of authentication methods.

authenticationMethods

Array of acceptable authentication methods.

See IKEEXT_AUTHENTICATION_METHOD1 for more information.

initiatorImpersonationType

Type of impersonation. Applies only to AuthIP.

See IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE for more information.

numIkeProposals

Number of main mode proposals.

ikeProposals

Array of main mode proposals.

See IKEEXT_PROPOSAL0 for more information.

flags

A combination of the following values.

IKE/AuthIP policy flagMeaning
IKEEXT_POLICY_FLAG_DISABLE_DIAGNOSTICS

Disable special diagnostics mode for IKE/Authip. This will prevent IKE/AuthIp from accepting unauthenticated notifications from peer, or sending MS_STATUS notifications to peer.

IKEEXT_POLICY_FLAG_NO_MACHINE_LUID_VERIFY

Disable SA verification of machine LUID.

IKEEXT_POLICY_FLAG_NO_IMPERSONATION_LUID_VERIFY

Disable SA verification of machine impersonation LUID.

IKEEXT_POLICY_FLAG_ENABLE_OPTIONAL_DH

Allow the responder to accept any DH proposal, including no DH, regardless of what is configured in policy. This flag is valid only if AuthIP is used.

 

maxDynamicFilters

Maximum number of dynamic IPsec filters per remote IP address and per transport layer that is allowed to be added for any SA negotiated using this policy.

Set this to 0 to disable dynamic filter addition. Dynamic filters are added by IKE/AuthIP on responder, when the QM traffic proposed by initiator is a subset of responder's traffic configuration.

retransmitDurationSecs

The number of seconds for which IKEv2 SA negotiation packets will be retransmitted before the SA times out. The caller must set this to at least 120 seconds.

Requirements

Minimum supported client

Windows 7 [desktop apps only]

Minimum supported server

Windows Server 2008 R2 [desktop apps only]

Header

Iketypes.h

IDL

Iketypes.idl

See also

Windows Filtering Platform API Structures
IKEEXT_AUTHENTICATION_METHOD1
IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE
IKEEXT_PROPOSAL0

 

 

Show: