IKEEXT_POLICY2 structure (iketypes.h)

  • Article

The IKEEXT_POLICY2 structure is used to store the IKE/AuthIP main mode negotiation policy. IKEEXT_POLICY0 is available.

 

Syntax

typedef struct IKEEXT_POLICY2_ {
  UINT32                                   softExpirationTime;
  UINT32                                   numAuthenticationMethods;
  IKEEXT_AUTHENTICATION_METHOD2            *authenticationMethods;
  IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE initiatorImpersonationType;
  UINT32                                   numIkeProposals;
  IKEEXT_PROPOSAL0                         *ikeProposals;
  UINT32                                   flags;
  UINT32                                   maxDynamicFilters;
  UINT32                                   retransmitDurationSecs;
} IKEEXT_POLICY2;

Members

softExpirationTime

Type: UINT32

Lifetime of the IPsec soft SA, in seconds. The caller must set this to 0.

numAuthenticationMethods

Type: UINT32

Number of authentication methods.

authenticationMethods

Type: IKEEXT_AUTHENTICATION_METHOD2*

Array of acceptable authentication methods.

initiatorImpersonationType

Type: IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE

Type of impersonation. Applies only to AuthIP.

numIkeProposals

Type: UINT32

Number of main mode proposals.

ikeProposals

Type: IKEEXT_PROPOSAL0*

Array of main mode proposals.

flags

Type: UINT32

A combination of the following values.

IKE/AuthIP policy flag Meaning
IKEEXT_POLICY_FLAG_DISABLE_DIAGNOSTICS
 Disable special diagnostics mode for IKE/Authip. This will prevent IKE/AuthIp from accepting unauthenticated notifications from peer, or sending MS_STATUS notifications to peer.
IKEEXT_POLICY_FLAG_NO_MACHINE_LUID_VERIFY
 Disable SA verification of machine LUID.
IKEEXT_POLICY_FLAG_NO_IMPERSONATION_LUID_VERIFY
 Disable SA verification of machine impersonation LUID.
IKEEXT_POLICY_FLAG_ENABLE_OPTIONAL_DH
 Allow the responder to accept any DH proposal, including no DH, regardless of what is configured in policy. This flag is valid only if AuthIP is used.

maxDynamicFilters

Type: UINT32

Maximum number of dynamic IPsec filters per remote IP address and per transport layer that is allowed to be added for any SA negotiated using this policy.

Set this to 0 to disable dynamic filter addition. Dynamic filters are added by IKE/AuthIP on responder, when the QM traffic proposed by initiator is a subset of responder's traffic configuration.

retransmitDurationSecs

Type: UINT32

The number of seconds for which IKEv2 SA negotiation packets will be retransmitted before the SA times out. The caller must set this to at least 120 seconds.

Requirements

Requirement Value
Minimum supported client Windows 8 [desktop apps only]
Minimum supported server Windows Server 2012 [desktop apps only]
Header iketypes.h

See also

IKEEXT_AUTHENTICATION_IMPERSONATION_TYPE

IKEEXT_AUTHENTICATION_METHOD2

IKEEXT_PROPOSAL0

Windows Filtering Platform API Structures