IKEEXT_POLICY2 structure

The IKEEXT_POLICY2 structure is used to store the IKE/AuthIP main mode negotiation policy.

Note: IKEEXT_POLICY2 is the specific implementation of IKEEXT_POLICY used in Windows 8. See WFP Version-Independent Names and Targeting Specific Versions of Windows for more information. For Windows 7, IKEEXT_POLICY1 is available. For Windows Vista, IKEEXT_POLICY0 is available.

Syntax


typedef struct IKEEXT_POLICY2_ {
  UINT32                                   softExpirationTime;
  UINT32                                   numAuthenticationMethods;
  IKEEXT_AUTHENTICATION_METHOD2            *authenticationMethods;
  IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE initiatorImpersonationType;
  UINT32                                   numIkeProposals;
  IKEEXT_PROPOSAL0                         *ikeProposals;
  UINT32                                   flags;
  UINT32                                   maxDynamicFilters;
  UINT32                                   retransmitDurationSecs;
} IKEEXT_POLICY2;

Members

softExpirationTime

Type: UINT32

Lifetime of the IPsec soft SA, in seconds. The caller must set this to 0.

numAuthenticationMethods

Type: UINT32

Number of authentication methods.

authenticationMethods

Type: IKEEXT_AUTHENTICATION_METHOD2*

Array of acceptable authentication methods.

initiatorImpersonationType

Type: IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE

Type of impersonation. Applies only to AuthIP.

numIkeProposals

Type: UINT32

Number of main mode proposals.

ikeProposals

Type: IKEEXT_PROPOSAL0*

Array of main mode proposals.

flags

Type: UINT32

A combination of the following values.

IKE/AuthIP policy flag / Meaning

IKEEXT_POLICY_FLAG_DISABLE_DIAGNOSTICS

Disable special diagnostics mode for IKE/AuthIP. This prevents IKE/AuthIP from accepting unauthenticated notifications from the peer, or sending MS_STATUS notifications to the peer.

IKEEXT_POLICY_FLAG_NO_MACHINE_LUID_VERIFY

Disable SA verification of machine LUID.

IKEEXT_POLICY_FLAG_NO_IMPERSONATION_LUID_VERIFY

Disable SA verification of machine impersonation LUID.

IKEEXT_POLICY_FLAG_ENABLE_OPTIONAL_DH

Allow the responder to accept any DH proposal, including no DH, regardless of what is configured in policy. This flag is valid only if AuthIP is used.

maxDynamicFilters

Type: UINT32

Maximum number of dynamic IPsec filters, per remote IP address and per transport layer, that can be added for any SA negotiated using this policy.

Set this to 0 to disable dynamic filter addition. Dynamic filters are added by IKE/AuthIP on the responder when the QM traffic proposed by the initiator is a subset of the responder's traffic configuration.

retransmitDurationSecs

Type: UINT32

The number of seconds for which IKEv2 SA negotiation packets will be retransmitted before the SA times out. The caller must set this to at least 120 seconds.
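
The member constraints and flag meanings above, expressed as a policy audit. This is an added example, not code from the original page or from the Windows SDK. The ike_policy_view struct, the F_* finding bits, audit_ike_policy and the sample policies are hypothetical, and the numeric flag values are assumed stand-ins used only when the SDK header is not present.

```c
#include <stdint.h>
#include <stdio.h>
/* On Windows, include <fwpmu.h> for the real definitions. The values below
 * are assumed stand-ins so that the example builds on any platform. */
#ifndef IKEEXT_POLICY_FLAG_DISABLE_DIAGNOSTICS
#define IKEEXT_POLICY_FLAG_DISABLE_DIAGNOSTICS          0x1u
#define IKEEXT_POLICY_FLAG_NO_MACHINE_LUID_VERIFY       0x2u
#define IKEEXT_POLICY_FLAG_NO_IMPERSONATION_LUID_VERIFY 0x4u
#define IKEEXT_POLICY_FLAG_ENABLE_OPTIONAL_DH           0x8u
#endif
/* Hypothetical portable mirror of the IKEEXT_POLICY2 members checked here. */
typedef struct {
    uint32_t softExpirationTime, numAuthenticationMethods, numIkeProposals,
             flags, retransmitDurationSecs;
    const void *authenticationMethods, *ikeProposals;
} ike_policy_view;
/* Hypothetical finding bits returned by audit_ike_policy(). */
enum { F_SOFT_EXPIRY = 1, F_RETRANSMIT = 2, F_BAD_ARRAY = 4,
       F_DIAGNOSTICS_ON = 8, F_LUID_VERIFY_OFF = 16, F_OPTIONAL_DH = 32 };

unsigned audit_ike_policy(const ike_policy_view *p) {
    unsigned f = 0;
    if (p->softExpirationTime != 0) f |= F_SOFT_EXPIRY;      /* must be 0 */
    if (p->retransmitDurationSecs < 120) f |= F_RETRANSMIT;  /* minimum 120 */
    /* A non-zero count with a NULL array pointer is inconsistent. */
    if ((p->numAuthenticationMethods && !p->authenticationMethods) ||
        (p->numIkeProposals && !p->ikeProposals)) f |= F_BAD_ARRAY;
    /* Flag clear: unauthenticated peer notifications are still accepted. */
    if (!(p->flags & IKEEXT_POLICY_FLAG_DISABLE_DIAGNOSTICS)) f |= F_DIAGNOSTICS_ON;
    if (p->flags & (IKEEXT_POLICY_FLAG_NO_MACHINE_LUID_VERIFY |
                    IKEEXT_POLICY_FLAG_NO_IMPERSONATION_LUID_VERIFY))
        f |= F_LUID_VERIFY_OFF;
    /* The responder may then accept a proposal with no DH (AuthIP only). */
    if (p->flags & IKEEXT_POLICY_FLAG_ENABLE_OPTIONAL_DH) f |= F_OPTIONAL_DH;
    return f;
}

/* Constructed sample policies; `dummy` stands in for the real arrays. */
static const int dummy[1] = {0};
const ike_policy_view hardened = {0, 1, 1, IKEEXT_POLICY_FLAG_DISABLE_DIAGNOSTICS,
                                  120, dummy, dummy};
const ike_policy_view weak = {3600, 1, 1, IKEEXT_POLICY_FLAG_ENABLE_OPTIONAL_DH,
                              30, dummy, NULL};

int main(void) {
    printf("hardened=0x%x weak=0x%x\n",
           audit_ike_policy(&hardened), audit_ike_policy(&weak));
    return 0;
}
```

A return value of 0 means the policy meets every constraint stated on this page and sets none of the flags that relax verification.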

Requirements

Minimum supported client

Windows 8 [desktop apps only]

Minimum supported server

Windows Server 2012 [desktop apps only]

Header

Iketypes.h

IDL

Iketypes.idl

See also

Windows Filtering Platform API Structures
IKEEXT_AUTHENTICATION_METHOD2
IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE
IKEEXT_PROPOSAL0

 

 
