IPSEC_SA_BUNDLE1 structure (ipsectypes.h)

  • Article

The IPSEC_SA_BUNDLE1 structure is used to store information about an IPsec security association (SA) bundle. IPSEC_SA_BUNDLE0 is available.

 

Syntax

typedef struct IPSEC_SA_BUNDLE1_ {
  UINT32                 flags;
  IPSEC_SA_LIFETIME0     lifetime;
  UINT32                 idleTimeoutSeconds;
  UINT32                 ndAllowClearTimeoutSeconds;
  IPSEC_ID0              *ipsecId;
  UINT32                 napContext;
  UINT32                 qmSaId;
  UINT32                 numSAs;
  IPSEC_SA0              *saList;
  IPSEC_KEYMODULE_STATE0 *keyModuleState;
  FWP_IP_VERSION         ipVersion;
  union {
    UINT32 peerV4PrivateAddress;
  };
  UINT64                 mmSaId;
  IPSEC_PFS_GROUP        pfsGroup;
  GUID                   saLookupContext;
  UINT64                 qmFilterId;
} IPSEC_SA_BUNDLE1;

Members

flags

A combination of the following values.

IPsec SA bundle flag Meaning
IPSEC_SA_BUNDLE_FLAG_ND_SECURE
 Negotiation discovery is enabled in secure ring.
IPSEC_SA_BUNDLE_FLAG_ND_BOUNDARY
 Negotiation discovery in enabled in the untrusted perimeter zone.
IPSEC_SA_BUNDLE_FLAG_ND_PEER_NAT_BOUNDARY
 Peer is in untrusted perimeter zone ring and a network address translation (NAT) is in the way. Used with negotiation discovery.
IPSEC_SA_BUNDLE_FLAG_GUARANTEE_ENCRYPTION
 Indicates that this is an SA for connections that require guaranteed encryption.
IPSEC_SA_BUNDLE_FLAG_NLB
 Indicates that this is an SA to an NLB server.
IPSEC_SA_BUNDLE_FLAG_NO_MACHINE_LUID_VERIFY
 Indicates that this SA should bypass machine LUID verification.
IPSEC_SA_BUNDLE_FLAG_NO_IMPERSONATION_LUID_VERIFY
 Indicates that this SA should bypass impersonation LUID verification.
IPSEC_SA_BUNDLE_FLAG_NO_EXPLICIT_CRED_MATCH
 Indicates that this SA should bypass explicit credential handle matching.
IPSEC_SA_BUNDLE_FLAG_ALLOW_NULL_TARGET_NAME_MATCH
 Allows an SA formed with a peer name to carry traffic that does not have an associated peer target.
IPSEC_SA_BUNDLE_FLAG_CLEAR_DF_ON_TUNNEL
 Clears the DontFragment bit on the outer IP header of an IPsec-tunneled packet. This flag is applicable only to tunnel mode SAs.
IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND
 Default encapsulation ports (4500 and 4000) can be used when matching this SA with packets on outbound connections that do not have an associated IPsec-NAT-shim context.
IPSEC_SA_BUNDLE_FLAG_ND_PEER_BOUNDARY
 Peer has negotiation discovery enabled, and is on a perimeter network.
IPSEC_SA_BUNDLE_FLAG_SUPPRESS_DUPLICATE_DELETION
 Suppresses the duplicate SA deletion logic. THis logic is performed by the kernel when an outbound SA is added, to prevent unnecessary duplicate SAs.
IPSEC_SA_BUNDLE_FLAG_PEER_SUPPORTS_GUARANTEE_ENCRYPTION
 Indicates that the peer computer supports negotiating a separate SA for connections that require guaranteed encryption.

lifetime

Lifetime of all the SAs in the bundle as specified by IPSEC_SA_LIFETIME0.

idleTimeoutSeconds

Timeout in seconds after which the SAs in the bundle will idle out (due to traffic inactivity) and expire.

ndAllowClearTimeoutSeconds

Timeout in seconds, after which the IPsec SA should stop accepting packets coming in the clear.

Used for negotiation discovery.

ipsecId

Pointer to an IPSEC_ID0 structure that contains optional IPsec identity info.

napContext

Network Access Point (NAP) peer credentials information.

qmSaId

SA identifier used by IPsec when choosing the SA to expire. For an IPsec SA pair, the qmSaId must be the same between the initiating and responding machines and across inbound and outbound SA bundles. For different IPsec pairs, the qmSaId must be different.

numSAs

Number of SAs in the bundle. The only possible values are 1 and 2. Use 2 only when specifying AH and ESP SAs.

saList

Array of IPsec SAs in the bundle. For AH and ESP SAs, use index 0 for ESP SA and index 1 for AH SA.

See IPSEC_SA0 for more information.

keyModuleState

Optional keying module specific information as specified by IPSEC_KEYMODULE_STATE0.

ipVersion

IP version as specified by FWP_IP_VERSION.

peerV4PrivateAddress

Available when ipVersion is FWP_IP_VERSION_V4. If peer is behind a NAT device, this member stores the peer's private address.

mmSaId

Use this ID to correlate this IPsec SA with the IKE SA that generated it.

pfsGroup

Specifies whether Quick Mode perfect forward secrecy (PFS) was enabled for this SA, and if so, contains the Diffie-Hellman group that was used for PFS.

See IPSEC_PFS_GROUP for more information.

saLookupContext

SA lookup context which is propagated from the SA to data connections flowing over that SA. It is made available to any application that queries socket security properties using the Winsock API WSAQuerySocketSecurity function, allowing the application to obtain detailed IPsec authentication information for its connection.

qmFilterId

Requirements

Requirement Value
Minimum supported client Windows 7 [desktop apps only]
Minimum supported server Windows Server 2008 R2 [desktop apps only]
Header ipsectypes.h

See also

FWP_IP_VERSION

IPSEC_KEYMODULE_STATE0

IPSEC_PFS_GROUP

IPSEC_SA0

IPSEC_SA_LIFETIME0

Windows Filtering Platform API Structures