#pragma warning disable IDE1006 // Naming Styles
namespace Vanara.PInvoke;
public static partial class FwpUClnt
{
/// <summary>
/// Additional configuration information for the IPsec SA hash algorithm. It is paired with an <see cref="IPSEC_AUTH_TYPE"/> inside an
/// <see cref="IPSEC_AUTH_TRANSFORM_ID0"/> and maps to a UINT8 in the native header, hence the <see langword="byte"/> underlying type.
/// </summary>
/// <remarks>
/// The values are written out explicitly so they can be checked against ipsectypes.h at a glance: the wrapper marshals these as raw
/// integers, and a shifted value would silently select a different algorithm at the WFP boundary. HMAC-MD5-96 is kept for
/// interoperability with legacy peers; where a policy can choose, the SHA-256 and AES-GCM entries are the ones to prefer.
/// </remarks>
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_AUTH_TRANSFORM_ID0_")]
public enum IPSEC_AUTH_CONFIG : byte
{
/// <summary>HMAC (Hash Message Authentication Code) keyed authentication using MD5 (Message Digest) for integrity and data origin authentication (HMAC-MD5-96).</summary>
IPSEC_AUTH_CONFIG_HMAC_MD5_96 = 0,
/// <summary>HMAC keyed authentication using SHA-1 (Secure Hash Algorithm) for integrity and data origin authentication (HMAC-SHA1-96).</summary>
IPSEC_AUTH_CONFIG_HMAC_SHA_1_96 = 1,
/// <summary>HMAC keyed authentication using SHA-256 for integrity and data origin authentication (HMAC-SHA-256-128).</summary>
IPSEC_AUTH_CONFIG_HMAC_SHA_256_128 = 2,
/// <summary>GCM (Galois Counter Mode) authentication using AES (Advanced Encryption Standard) with a 128-bit key for integrity and data origin authentication.</summary>
IPSEC_AUTH_CONFIG_GCM_AES_128 = 3,
/// <summary>GCM authentication using AES with a 192-bit key for integrity and data origin authentication.</summary>
IPSEC_AUTH_CONFIG_GCM_AES_192 = 4,
/// <summary>GCM authentication using AES with a 256-bit key for integrity and data origin authentication.</summary>
IPSEC_AUTH_CONFIG_GCM_AES_256 = 5,
/// <summary>End-of-range sentinel; not a valid configuration and should not be placed in a policy.</summary>
IPSEC_AUTH_CONFIG_MAX = 6,
}
/// <summary>
/// The IPSEC_AUTH_TYPE enumerated type indicates the type of hash algorithm used in an IPsec SA for data origin authentication and
/// integrity protection.
/// </summary>
/// <remarks>
/// Member values are spelled out to match the native declaration quoted below. The wrapper passes these as plain integers, so the
/// explicit numbers make it easy to confirm that each name still lines up with the header.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ne-ipsectypes-ipsec_auth_type typedef enum IPSEC_AUTH_TYPE_ {
// IPSEC_AUTH_MD5 = 0, IPSEC_AUTH_SHA_1, IPSEC_AUTH_SHA_256, IPSEC_AUTH_AES_128, IPSEC_AUTH_AES_192, IPSEC_AUTH_AES_256, IPSEC_AUTH_MAX } IPSEC_AUTH_TYPE;
[PInvokeData("ipsectypes.h", MSDNShortId = "NE:ipsectypes.IPSEC_AUTH_TYPE_")]
public enum IPSEC_AUTH_TYPE
{
/// <summary>MD5 hash algorithm. See RFC 1321 for further information.</summary>
IPSEC_AUTH_MD5 = 0,
/// <summary>SHA-1 hash algorithm. See NIST, FIPS PUB 180-1 for more information.</summary>
IPSEC_AUTH_SHA_1 = 1,
/// <summary>
/// SHA-256 hash algorithm. See NIST, Draft FIPS PUB 180-2 for more information.
/// <para>Note: available only on Windows Server 2008, Windows Vista with SP1, and later.</para>
/// </summary>
IPSEC_AUTH_SHA_256 = 2,
/// <summary>
/// 128-bit AES used as the hash algorithm (paired with <see cref="IPSEC_AUTH_CONFIG.IPSEC_AUTH_CONFIG_GCM_AES_128"/>).
/// <para>Note: available only on Windows Server 2008, Windows Vista with SP1, and later.</para>
/// </summary>
IPSEC_AUTH_AES_128 = 3,
/// <summary>
/// 192-bit AES used as the hash algorithm (paired with <see cref="IPSEC_AUTH_CONFIG.IPSEC_AUTH_CONFIG_GCM_AES_192"/>).
/// <para>Note: available only on Windows Server 2008, Windows Vista with SP1, and later.</para>
/// </summary>
IPSEC_AUTH_AES_192 = 4,
/// <summary>
/// 256-bit AES used as the hash algorithm (paired with <see cref="IPSEC_AUTH_CONFIG.IPSEC_AUTH_CONFIG_GCM_AES_256"/>).
/// <para>Note: available only on Windows Server 2008, Windows Vista with SP1, and later.</para>
/// </summary>
IPSEC_AUTH_AES_256 = 5,
/// <summary>Maximum value for testing purposes; not a valid algorithm.</summary>
IPSEC_AUTH_MAX = 6,
}
/// <summary>
/// Additional configuration information for the encryption algorithm as specified by IPSEC_CIPHER_CONFIG which maps to a UINT8. Paired
/// with an <see cref="IPSEC_CIPHER_TYPE"/> inside an <see cref="IPSEC_CIPHER_TRANSFORM_ID0"/>.
/// </summary>
/// <remarks>
/// Values start at 1, not 0, matching the native header; the explicit literals below are the ones to compare against ipsectypes.h.
/// DES and 3DES are legacy ciphers retained for interoperability; an AES entry is the appropriate choice for new policy.
/// </remarks>
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_CIPHER_TRANSFORM_ID0_")]
public enum IPSEC_CIPHER_CONFIG : byte
{
/// <summary>DES (Data Encryption Standard) algorithm. CBC (Cipher Block Chaining) mode of operation.</summary>
IPSEC_CIPHER_CONFIG_CBC_DES = 1,
/// <summary>3DES algorithm. CBC mode of operation.</summary>
IPSEC_CIPHER_CONFIG_CBC_3DES = 2,
/// <summary>AES-128 (Advanced Encryption Standard) algorithm. CBC mode of operation.</summary>
IPSEC_CIPHER_CONFIG_CBC_AES_128 = 3,
/// <summary>AES-192 algorithm. CBC mode of operation.</summary>
IPSEC_CIPHER_CONFIG_CBC_AES_192 = 4,
/// <summary>AES-256 algorithm. CBC mode of operation.</summary>
IPSEC_CIPHER_CONFIG_CBC_AES_256 = 5,
/// <summary>AES-128 algorithm. GCM (Galois Counter Mode) mode of operation.</summary>
IPSEC_CIPHER_CONFIG_GCM_AES_128 = 6,
/// <summary>AES-192 algorithm. GCM (Galois Counter Mode) mode of operation.</summary>
IPSEC_CIPHER_CONFIG_GCM_AES_192 = 7,
/// <summary>AES-256 algorithm. GCM (Galois Counter Mode) mode of operation.</summary>
IPSEC_CIPHER_CONFIG_GCM_AES_256 = 8,
/// <summary>End-of-range sentinel; not a valid configuration.</summary>
IPSEC_CIPHER_CONFIG_MAX = 9,
}
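/// <summary>
/// The IPSEC_CIPHER_TYPE enumerated type indicates the type of encryption algorithm used in an IPsec SA for data privacy.
/// </summary>
/// <remarks>
/// The native enumeration starts at 1 (<c>IPSEC_CIPHER_TYPE_DES = 1</c>, see the declaration quoted below). Without an explicit
/// initializer C# would start at 0, shifting every member down by one: DES would marshal as an invalid 0 and, more seriously, a
/// request for AES-256 would reach the kernel as the header's value for AES-192. The values are therefore written out explicitly.
/// DES and 3DES are legacy ciphers retained for interoperability; prefer an AES entry for new policy.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ne-ipsectypes-ipsec_cipher_type typedef enum IPSEC_CIPHER_TYPE_ {
// IPSEC_CIPHER_TYPE_DES = 1, IPSEC_CIPHER_TYPE_3DES, IPSEC_CIPHER_TYPE_AES_128, IPSEC_CIPHER_TYPE_AES_192, IPSEC_CIPHER_TYPE_AES_256,
// IPSEC_CIPHER_TYPE_MAX } IPSEC_CIPHER_TYPE;
[PInvokeData("ipsectypes.h", MSDNShortId = "NE:ipsectypes.IPSEC_CIPHER_TYPE_")]
public enum IPSEC_CIPHER_TYPE
{
/// <summary>Specifies DES encryption.</summary>
IPSEC_CIPHER_TYPE_DES = 1,
/// <summary>Specifies 3DES encryption.</summary>
IPSEC_CIPHER_TYPE_3DES = 2,
/// <summary>Specifies AES-128 encryption.</summary>
IPSEC_CIPHER_TYPE_AES_128 = 3,
/// <summary>Specifies AES-192 encryption.</summary>
IPSEC_CIPHER_TYPE_AES_192 = 4,
/// <summary>Specifies AES-256 encryption.</summary>
IPSEC_CIPHER_TYPE_AES_256 = 5,
/// <summary>Maximum value for testing only; not a valid algorithm.</summary>
IPSEC_CIPHER_TYPE_MAX = 6,
}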
/// <summary>Flags for IPSEC_DOSP_OPTIONS0 (IPsec DoS Protection options).</summary>
/// <remarks>
/// There is no zero-valued member: <c>default(IPSEC_DOSP_FLAG)</c> (0) leaves every keying module and filter behaviour at the default
/// described on each member (IKEv1 and IKEv2 blocked, AuthIP allowed, matching IPv4 and non-IPsec IPv6 traffic blocked).
/// </remarks>
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_DOSP_OPTIONS0_")]
[Flags]
public enum IPSEC_DOSP_FLAG : uint
{
/// <summary>Allows the IKEv1 keying module. By default, it is blocked.</summary>
IPSEC_DOSP_FLAG_ENABLE_IKEV1 = 0x00000001,
/// <summary>Allows the IKEv2 keying module. By default, it is blocked.</summary>
IPSEC_DOSP_FLAG_ENABLE_IKEV2 = 0x00000002,
/// <summary>Blocks the AuthIP keying module. By default, it is allowed.</summary>
IPSEC_DOSP_FLAG_DISABLE_AUTHIP = 0x00000004,
/// <summary>
/// Allows all matching IPv4 traffic and non-IPsec IPv6 traffic. By default, all IPv4 traffic and non-IPsec IPv6 traffic, except IPv6
/// ICMP, will be blocked. Setting this flag removes that default block, so it widens the exposed surface.
/// </summary>
IPSEC_DOSP_FLAG_DISABLE_DEFAULT_BLOCK = 0x00000008,
/// <summary>Blocks all matching IPv6 traffic.</summary>
IPSEC_DOSP_FLAG_FILTER_BLOCK = 0x00000010,
/// <summary>Allows all matching IPv6 traffic.</summary>
IPSEC_DOSP_FLAG_FILTER_EXEMPT = 0x00000020,
}
/// <summary>The IPSEC_FAILURE_POINT enumerated type specifies at what point IPsec has failed.</summary>
/// <remarks>Values are written out explicitly so they can be checked against the native declaration quoted below.</remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ne-ipsectypes-ipsec_failure_point typedef enum IPSEC_FAILURE_POINT_ {
// IPSEC_FAILURE_NONE = 0, IPSEC_FAILURE_ME, IPSEC_FAILURE_PEER, IPSEC_FAILURE_POINT_MAX } IPSEC_FAILURE_POINT;
[PInvokeData("ipsectypes.h", MSDNShortId = "NE:ipsectypes.IPSEC_FAILURE_POINT_")]
public enum IPSEC_FAILURE_POINT
{
/// <summary>IPsec has not failed.</summary>
IPSEC_FAILURE_NONE = 0,
/// <summary>The local system is the failure point.</summary>
IPSEC_FAILURE_ME = 1,
/// <summary>A peer system is the failure point.</summary>
IPSEC_FAILURE_PEER = 2,
/// <summary>Maximum value for testing only; not a valid failure point.</summary>
IPSEC_FAILURE_POINT_MAX = 3,
}
/// <summary>Flags for IPSEC_KEY_MANAGER0.</summary>
/// <remarks>
/// There is no zero-valued member; <c>default(IPSEC_KEY_MANAGER_FLAG)</c> (0) means the TIA can only accept key notifications.
/// </remarks>
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes._IPSEC_KEY_MANAGER0")]
[Flags]
public enum IPSEC_KEY_MANAGER_FLAG : uint
{
/// <summary>
/// Specifies that the TIA will be able to accept key notifications and also potentially dictate keys. If this flag is not set, the
/// TIA can only accept key notifications and will not be able to dictate keys. Granting key dictation hands the registered key
/// manager control over SA keying material, so it should be reserved for trusted components.
/// </summary>
IPSEC_KEY_MANAGER_FLAG_DICTATE_KEY = 0x00000001
}
/// <summary>Flags for an IPsec keying policy.</summary>
[Flags]
public enum IPSEC_KEYING_POLICY_FLAG : uint
{
/// <summary>Forces the use of a Kerberos proxy server when acting as initiator.</summary>
// NOTE(review): the description above is the one the file carries; the member name reads as a match-termination flag rather than a
// Kerberos-proxy setting — confirm the text against ipsectypes.h before relying on it.
IPSEC_KEYING_POLICY_FLAG_TERMINATING_MATCH = 0x00000001
}
/// <summary>
/// The IPSEC_PFS_GROUP enumerated type specifies the Diffie Hellman algorithm that should be used for Quick Mode PFS (Perfect Forward
/// Secrecy).
/// </summary>
/// <remarks>
/// Every member carries its explicit value so the list can be checked against the native declaration quoted below. The numeric order
/// is historical, not strength order: <see cref="IPSEC_PFS_2048"/> and <see cref="IPSEC_PFS_14"/> both name Diffie Hellman group 14.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ne-ipsectypes-ipsec_pfs_group typedef enum IPSEC_PFS_GROUP_ {
// IPSEC_PFS_NONE = 0, IPSEC_PFS_1, IPSEC_PFS_2, IPSEC_PFS_2048, IPSEC_PFS_14, IPSEC_PFS_ECP_256, IPSEC_PFS_ECP_384, IPSEC_PFS_MM,
// IPSEC_PFS_24, IPSEC_PFS_MAX } IPSEC_PFS_GROUP;
[PInvokeData("ipsectypes.h", MSDNShortId = "NE:ipsectypes.IPSEC_PFS_GROUP_")]
public enum IPSEC_PFS_GROUP
{
/// <summary>No Quick Mode PFS: the quick mode keys are derived without a fresh Diffie Hellman exchange.</summary>
IPSEC_PFS_NONE = 0,
/// <summary>Diffie Hellman group 1.</summary>
IPSEC_PFS_1 = 1,
/// <summary>Diffie Hellman group 2.</summary>
IPSEC_PFS_2 = 2,
/// <summary>Diffie Hellman group 14 (the name reflects the 2048-bit modulus under which the group was first introduced).</summary>
IPSEC_PFS_2048 = 3,
/// <summary>
/// Diffie Hellman group 14.
/// <para>Note: this group was called Diffie Hellman group 2048 when it was introduced. The name has since been changed to match
/// standard terminology.</para>
/// <para>Note: available only for Windows 8 and Windows Server 2012.</para>
/// </summary>
IPSEC_PFS_14 = 4,
/// <summary>Diffie Hellman ECP group 256.</summary>
IPSEC_PFS_ECP_256 = 5,
/// <summary>Diffie Hellman ECP group 384.</summary>
IPSEC_PFS_ECP_384 = 6,
/// <summary>Reuse the Diffie Hellman group of the main mode that contains this quick mode.</summary>
IPSEC_PFS_MM = 7,
/// <summary>
/// Diffie Hellman group 24.
/// <para>Note: available only for Windows 8 and Windows Server 2012.</para>
/// </summary>
IPSEC_PFS_24 = 8,
/// <summary>Maximum value for testing only; not a valid group.</summary>
IPSEC_PFS_MAX = 9,
}
/// <summary>Flags for IPSEC_TUNNEL_POLICY0 (also used by the transport-mode policy structures that share this flag set).</summary>
/// <remarks>
/// Bit 0x00000001 is intentionally absent from this enumeration. Several members relax a check (NAT encapsulation, tunnel bypass,
/// key dictation); each is documented with the scope it applies to so callers can tell which policy kinds it is meaningful for.
/// </remarks>
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TUNNEL_POLICY0_")]
[Flags]
public enum IPSEC_POLICY_FLAG : uint
{
/// <summary>Do negotiation discovery in secure ring.</summary>
IPSEC_POLICY_FLAG_ND_SECURE = 0x00000002,
/// <summary>Do negotiation discovery in the untrusted perimeter zone.</summary>
IPSEC_POLICY_FLAG_ND_BOUNDARY = 0x00000004,
/// <summary>Clear the "DontFragment" bit on the outer IP header of an IPsec tunneled packet.</summary>
IPSEC_POLICY_FLAG_CLEAR_DF_ON_TUNNEL = 0x00000008,
/// <summary>
/// If set, IPsec expects that either the local or remote machine is behind a network address translation (NAT) device, but not both.
/// This allows for less secure, but more flexible behavior.
/// </summary>
IPSEC_POLICY_FLAG_NAT_ENCAP_ALLOW_PEER_BEHIND_NAT = 0x00000010,
/// <summary>If set, IPsec expects default ports when either the local, the remote, or both machines are behind a NAT device.</summary>
IPSEC_POLICY_FLAG_NAT_ENCAP_ALLOW_GENERAL_NAT_TRAVERSAL = 0x00000020,
/// <summary>If set, Internet Key Exchange (IKE) will not send the ISAKMP attribute for 'seconds' lifetime during quick mode negotiation.</summary>
IPSEC_POLICY_FLAG_DONT_NEGOTIATE_SECOND_LIFETIME = 0x00000040,
/// <summary>If set, IKE will not send the ISAKMP attribute for 'byte' lifetime during quick mode negotiation.</summary>
IPSEC_POLICY_FLAG_DONT_NEGOTIATE_BYTE_LIFETIME = 0x00000080,
/// <summary>Negotiate IPv6 inside IPv4 IPsec tunneling. Applicable only for tunnel mode policy, and supported only by IKEv2.</summary>
IPSEC_POLICY_FLAG_ENABLE_V6_IN_V4_TUNNELING = 0x00000100,
/// <summary>
/// Enable calls to RAS VPN server for address assignment. Applicable only for tunnel mode policy, and supported only by IKEv2.
/// </summary>
IPSEC_POLICY_FLAG_ENABLE_SERVER_ADDR_ASSIGNMENT = 0x00000200,
/// <summary>
/// Allow outbound connections to bypass the tunnel policy. Applicable only for tunnel mode policy on a tunnel gateway. Do not set on
/// a tunnel client: on a client it would let outbound traffic leave unprotected.
/// </summary>
IPSEC_POLICY_FLAG_TUNNEL_ALLOW_OUTBOUND_CLEAR_CONNECTION = 0x00000400,
/// <summary>Allow ESP or UDP 500/4500 traffic to bypass the tunnel. Applicable only for tunnel mode policy.</summary>
IPSEC_POLICY_FLAG_TUNNEL_BYPASS_ALREADY_SECURE_CONNECTION = 0x00000800,
/// <summary>Allow ICMPv6 traffic to bypass the tunnel. Applicable only for tunnel mode policy.</summary>
IPSEC_POLICY_FLAG_TUNNEL_BYPASS_ICMPV6 = 0x00001000,
/// <summary>Allow key dictation for quick mode policy. Applicable only for AuthIP policy.</summary>
IPSEC_POLICY_FLAG_KEY_MANAGER_ALLOW_DICTATE_KEY = 0x00002000,
/// <summary>Allow key notification for quick mode policy. Applicable for AuthIP/IKE/IKEv2 policy.</summary>
IPSEC_POLICY_FLAG_KEY_MANAGER_ALLOW_NOTIFY_KEY = 0x00004000,
/// <summary>Reserved; no meaning is documented in this file. Do not set.</summary>
IPSEC_POLICY_FLAG_RESERVED1 = 0x00008000,
/// <summary>Site-to-site tunnel flag; the exact semantics are not documented in this file (the name suggests a gateway-to-gateway tunnel policy — confirm against ipsectypes.h).</summary>
IPSEC_POLICY_FLAG_SITE_TO_SITE_TUNNEL = 0x00010000,
}
/// <summary>Flags for IPSEC_SA_BUNDLE0.</summary>
/// <remarks>
/// Bit 0x00000100 is intentionally absent. The <c>NO_*_VERIFY</c> and <c>NO_EXPLICIT_CRED_MATCH</c> members each disable a check that
/// binds an SA to a particular machine, logon session or credential; an SA carrying them is less tightly bound than the default.
/// Members from <see cref="IPSEC_SA_BUNDLE_FLAG_FORCE_INBOUND_CONNECTIONS"/> onward carry no description in this file; the names are
/// the only guide and should be confirmed against ipsectypes.h.
/// </remarks>
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_BUNDLE0_")]
[Flags]
public enum IPSEC_SA_BUNDLE_FLAG : uint
{
/// <summary>Negotiation discovery is enabled in secure ring.</summary>
IPSEC_SA_BUNDLE_FLAG_ND_SECURE = 0x00000001,
/// <summary>Negotiation discovery is enabled in the untrusted perimeter zone.</summary>
IPSEC_SA_BUNDLE_FLAG_ND_BOUNDARY = 0x00000002,
/// <summary>Peer is in untrusted perimeter zone ring and a NAT is in the way. Used with negotiation discovery.</summary>
IPSEC_SA_BUNDLE_FLAG_ND_PEER_NAT_BOUNDARY = 0x00000004,
/// <summary>Indicates that this is an SA for connections that require guaranteed encryption.</summary>
IPSEC_SA_BUNDLE_FLAG_GUARANTEE_ENCRYPTION = 0x00000008,
/// <summary>Indicates that this is an SA to an NLB server.</summary>
IPSEC_SA_BUNDLE_FLAG_NLB = 0x00000010,
/// <summary>Indicates that this SA should bypass machine LUID verification.</summary>
IPSEC_SA_BUNDLE_FLAG_NO_MACHINE_LUID_VERIFY = 0x00000020,
/// <summary>Indicates that this SA should bypass impersonation LUID verification.</summary>
IPSEC_SA_BUNDLE_FLAG_NO_IMPERSONATION_LUID_VERIFY = 0x00000040,
/// <summary>Indicates that this SA should bypass explicit credential handle matching.</summary>
IPSEC_SA_BUNDLE_FLAG_NO_EXPLICIT_CRED_MATCH = 0x00000080,
/// <summary>Allows an SA formed with a peer name to carry traffic that does not have an associated peer target.</summary>
IPSEC_SA_BUNDLE_FLAG_ALLOW_NULL_TARGET_NAME_MATCH = 0x00000200,
/// <summary>
/// Clears the DontFragment bit on the outer IP header of an IPsec-tunneled packet. This flag is applicable only to tunnel mode SAs.
/// </summary>
IPSEC_SA_BUNDLE_FLAG_CLEAR_DF_ON_TUNNEL = 0x00000400,
/// <summary>
/// Default encapsulation ports (4500 and 4000) can be used when matching this SA with packets on outbound connections that do not
/// have an associated IPsec-NAT-shim context.
/// </summary>
IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND = 0x00000800,
/// <summary>Peer has negotiation discovery enabled, and is on a perimeter network.</summary>
IPSEC_SA_BUNDLE_FLAG_ND_PEER_BOUNDARY = 0x00001000,
/// <summary>
/// Suppresses the duplicate SA deletion logic. This logic is performed by the kernel when an outbound SA is added, to prevent
/// unnecessary duplicate SAs.
/// </summary>
IPSEC_SA_BUNDLE_FLAG_SUPPRESS_DUPLICATE_DELETION = 0x00002000,
/// <summary>Indicates that the peer computer supports negotiating a separate SA for connections that require guaranteed encryption.</summary>
IPSEC_SA_BUNDLE_FLAG_PEER_SUPPORTS_GUARANTEE_ENCRYPTION = 0x00004000,
/// <summary>Not described in this file; by name, forces inbound connections onto this SA.</summary>
IPSEC_SA_BUNDLE_FLAG_FORCE_INBOUND_CONNECTIONS = 0x00008000,
/// <summary>Not described in this file; by name, forces outbound connections onto this SA.</summary>
IPSEC_SA_BUNDLE_FLAG_FORCE_OUTBOUND_CONNECTIONS = 0x00010000,
/// <summary>Not described in this file; by name, marks the SA's forward-path initiator.</summary>
IPSEC_SA_BUNDLE_FLAG_FORWARD_PATH_INITIATOR = 0x00020000,
/// <summary>Not described in this file; by name, enables optional asymmetric idle handling.</summary>
// Same value as 0x00040000; the literal is written with one fewer digit than its neighbours, which is harmless but easy to misread.
IPSEC_SA_BUNDLE_FLAG_ENABLE_OPTIONAL_ASYMMETRIC_IDLE = 0x0040000,
/// <summary>Not described in this file; by name, the SA's keys were dictated by a key manager rather than negotiated.</summary>
IPSEC_SA_BUNDLE_FLAG_USING_DICTATED_KEYS = 0x00080000,
/// <summary>Not described in this file; by name, the dictated keys originated locally.</summary>
IPSEC_SA_BUNDLE_FLAG_LOCALLY_DICTATED_KEYS = 0x00100000,
/// <summary>Not described in this file; by name, the SA has been offloaded (compare <c>offloadedSas</c> in <see cref="IPSEC_AGGREGATE_SA_STATISTICS0"/>).</summary>
IPSEC_SA_BUNDLE_FLAG_SA_OFFLOADED = 0x00200000,
/// <summary>Not described in this file; by name, the SA carries IP-in-IP packets.</summary>
IPSEC_SA_BUNDLE_FLAG_IP_IN_IP_PKT = 0x00400000,
/// <summary>Not described in this file; by name, the SA supports a low-power mode.</summary>
IPSEC_SA_BUNDLE_FLAG_LOW_POWER_MODE_SUPPORT = 0x00800000,
}
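/// <summary>
/// The IPSEC_SA_CONTEXT_EVENT_TYPE0 enumeration specifies the type of IPsec security association (SA) context change event.
/// </summary>
/// <remarks>
/// The native enumeration starts at 1 (<c>IPSEC_SA_CONTEXT_EVENT_ADD = 1</c>, see the declaration quoted below). Left implicit, C#
/// would number ADD as 0 and DELETE as 1, so an add notification from the kernel would decode as a delete. The values are therefore
/// written out explicitly.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ne-ipsectypes-ipsec_sa_context_event_type0 typedef enum
// IPSEC_SA_CONTEXT_EVENT_TYPE0_ { IPSEC_SA_CONTEXT_EVENT_ADD = 1, IPSEC_SA_CONTEXT_EVENT_DELETE, IPSEC_SA_CONTEXT_EVENT_MAX } IPSEC_SA_CONTEXT_EVENT_TYPE0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NE:ipsectypes.IPSEC_SA_CONTEXT_EVENT_TYPE0_")]
public enum IPSEC_SA_CONTEXT_EVENT_TYPE0
{
/// <summary>A new IPsec SA context was added.</summary>
IPSEC_SA_CONTEXT_EVENT_ADD = 1,
/// <summary>An IPsec SA context was deleted.</summary>
IPSEC_SA_CONTEXT_EVENT_DELETE = 2,
/// <summary>Maximum value for testing purposes; not a valid event type.</summary>
IPSEC_SA_CONTEXT_EVENT_MAX = 3,
}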
/// <summary>The IPSEC_TOKEN_MODE enumerated type specifies different IPsec modes in which a token can be obtained.</summary>
/// <remarks>Values are written out explicitly to match the native declaration quoted below.</remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ne-ipsectypes-ipsec_token_mode typedef enum IPSEC_TOKEN_MODE_ {
// IPSEC_TOKEN_MODE_MAIN = 0, IPSEC_TOKEN_MODE_EXTENDED, IPSEC_TOKEN_MODE_MAX } IPSEC_TOKEN_MODE;
[PInvokeData("ipsectypes.h", MSDNShortId = "NE:ipsectypes.IPSEC_TOKEN_MODE_")]
public enum IPSEC_TOKEN_MODE
{
/// <summary>The token was obtained in main mode.</summary>
IPSEC_TOKEN_MODE_MAIN = 0,
/// <summary>The token was obtained in extended mode.</summary>
IPSEC_TOKEN_MODE_EXTENDED = 1,
/// <summary>Maximum value for testing only; not a valid mode.</summary>
IPSEC_TOKEN_MODE_MAX = 2,
}
/// <summary>The IPSEC_TOKEN_PRINCIPAL enumerated type specifies an access token principal.</summary>
/// <remarks>Values are written out explicitly to match the native declaration quoted below.</remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ne-ipsectypes-ipsec_token_principal typedef enum IPSEC_TOKEN_PRINCIPAL_
// { IPSEC_TOKEN_PRINCIPAL_LOCAL = 0, IPSEC_TOKEN_PRINCIPAL_PEER, IPSEC_TOKEN_PRINCIPAL_MAX } IPSEC_TOKEN_PRINCIPAL;
[PInvokeData("ipsectypes.h", MSDNShortId = "NE:ipsectypes.IPSEC_TOKEN_PRINCIPAL_")]
public enum IPSEC_TOKEN_PRINCIPAL
{
/// <summary>The principal for the IPsec access token is "Local".</summary>
IPSEC_TOKEN_PRINCIPAL_LOCAL = 0,
/// <summary>The principal for the IPsec access token is "Peer".</summary>
IPSEC_TOKEN_PRINCIPAL_PEER = 1,
/// <summary>Maximum value for testing only; not a valid principal.</summary>
IPSEC_TOKEN_PRINCIPAL_MAX = 2,
}
/// <summary>The IPSEC_TOKEN_TYPE enumerated type specifies an IPsec token type.</summary>
/// <remarks>Values are written out explicitly to match the native declaration quoted below.</remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ne-ipsectypes-ipsec_token_type typedef enum IPSEC_TOKEN_TYPE_ {
// IPSEC_TOKEN_TYPE_MACHINE = 0, IPSEC_TOKEN_TYPE_IMPERSONATION, IPSEC_TOKEN_TYPE_MAX } IPSEC_TOKEN_TYPE;
[PInvokeData("ipsectypes.h", MSDNShortId = "NE:ipsectypes.IPSEC_TOKEN_TYPE_")]
public enum IPSEC_TOKEN_TYPE
{
/// <summary>A machine token.</summary>
IPSEC_TOKEN_TYPE_MACHINE = 0,
/// <summary>An impersonation token.</summary>
IPSEC_TOKEN_TYPE_IMPERSONATION = 1,
/// <summary>Maximum value for testing only; not a valid token type.</summary>
IPSEC_TOKEN_TYPE_MAX = 2,
}
/// <summary>The IPSEC_TRAFFIC_TYPE enumerated type specifies the type of IPsec traffic being described.</summary>
/// <remarks>Values are written out explicitly to match the native declaration quoted below.</remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ne-ipsectypes-ipsec_traffic_type typedef enum IPSEC_TRAFFIC_TYPE_ {
// IPSEC_TRAFFIC_TYPE_TRANSPORT = 0, IPSEC_TRAFFIC_TYPE_TUNNEL, IPSEC_TRAFFIC_TYPE_MAX } IPSEC_TRAFFIC_TYPE;
[PInvokeData("ipsectypes.h", MSDNShortId = "NE:ipsectypes.IPSEC_TRAFFIC_TYPE_")]
public enum IPSEC_TRAFFIC_TYPE
{
/// <summary>Transport-mode traffic.</summary>
IPSEC_TRAFFIC_TYPE_TRANSPORT = 0,
/// <summary>Tunnel-mode traffic.</summary>
IPSEC_TRAFFIC_TYPE_TUNNEL = 1,
/// <summary>Maximum value for testing only; not a valid traffic type.</summary>
IPSEC_TRAFFIC_TYPE_MAX = 2,
}
/// <summary>The IPSEC_TRANSFORM_TYPE enumerated type indicates the type of an IPsec security association (SA) transform.</summary>
/// <remarks>
/// The native enumeration starts at 1 (see the declaration quoted below); every member carries its explicit value so the mapping can
/// be checked line by line.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ne-ipsectypes-ipsec_transform_type typedef enum IPSEC_TRANSFORM_TYPE_ {
// IPSEC_TRANSFORM_AH = 1, IPSEC_TRANSFORM_ESP_AUTH, IPSEC_TRANSFORM_ESP_CIPHER, IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER,
// IPSEC_TRANSFORM_ESP_AUTH_FW, IPSEC_TRANSFORM_TYPE_MAX } IPSEC_TRANSFORM_TYPE;
[PInvokeData("ipsectypes.h", MSDNShortId = "NE:ipsectypes.IPSEC_TRANSFORM_TYPE_")]
public enum IPSEC_TRANSFORM_TYPE
{
/// <summary>Authentication Header (AH) transform.</summary>
IPSEC_TRANSFORM_AH = 1,
/// <summary>Encapsulating Security Payload (ESP) authentication-only transform.</summary>
IPSEC_TRANSFORM_ESP_AUTH = 2,
/// <summary>ESP cipher transform.</summary>
IPSEC_TRANSFORM_ESP_CIPHER = 3,
/// <summary>ESP authentication and cipher transform.</summary>
IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER = 4,
/// <summary>
/// The first packet is sent twice: once with ESP/AH encapsulation, and once in clear text. The entire session is then sent in clear
/// text.
/// <para>
/// The initial packet lets the existing firewall rules apply to the connection; the subsequent clear-text data stream allows
/// intermediaries to modify the stream. Only that first packet is protected, so this transform offers no confidentiality or integrity
/// for the rest of the session.
/// </para>
/// <para>Note: available only on Windows Server 2008 R2, Windows 7, or later.</para>
/// </summary>
IPSEC_TRANSFORM_ESP_AUTH_FW = 5,
/// <summary>Maximum value for testing only; not a valid transform.</summary>
IPSEC_TRANSFORM_TYPE_MAX = 6,
}
/// <summary>The IPSEC_ADDRESS_INFO0 structure is used to store mobile additional address information.</summary>
/// <remarks>
/// <para>
/// IPSEC_ADDRESS_INFO0 is a specific implementation of IPSEC_ADDRESS_INFO. See WFP Version-Independent Names and Targeting Specific
/// Versions of Windows for more information.
/// </para>
/// <para>
/// Only the four fields take part in marshaling (sequential layout, in the order of the native declaration below). The
/// <see cref="v4Addresses"/> and <see cref="v6Addresses"/> properties are computed on each access by reading through the pointer
/// fields, so they are valid only while the native memory they point at is alive.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_address_info0 typedef struct IPSEC_ADDRESS_INFO0_ {
// UINT32 numV4Addresses; UINT32 *v4Addresses; UINT32 numV6Addresses; FWP_BYTE_ARRAY16 *v6Addresses; } IPSEC_ADDRESS_INFO0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_ADDRESS_INFO0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_ADDRESS_INFO0
{
/// <summary>The number of IPv4 addresses in the array pointed to by <see cref="pv4Addresses"/>.</summary>
public uint numV4Addresses;
/// <summary>Pointer to an array of IPv4 local addresses to indicate to peer (the native <c>v4Addresses</c> member).</summary>
public IntPtr pv4Addresses;
/// <summary>
/// Array of IPv4 local addresses to indicate to peer, read from <see cref="pv4Addresses"/> using <see cref="numV4Addresses"/> as the
/// element count. An empty array is returned when the conversion helper yields <see langword="null"/> (presumably for a null
/// pointer — confirm against the ToArray extension).
/// </summary>
// The (int) cast is unchecked: a count above int.MaxValue would wrap negative before reaching ToArray. The count is kernel-supplied
// and assumed to be small.
public IN_ADDR[] v4Addresses => pv4Addresses.ToArray((int)numV4Addresses) ?? new IN_ADDR[0];
/// <summary>The number of IPv6 addresses in the array pointed to by <see cref="pv6Addresses"/>.</summary>
public uint numV6Addresses;
/// <summary>Pointer to an array of IPv6 local addresses to indicate to peer (the native <c>v6Addresses</c> member).</summary>
public IntPtr pv6Addresses;
/// <summary>
/// Array of IPv6 local addresses to indicate to peer, read from <see cref="pv6Addresses"/> using <see cref="numV6Addresses"/> as the
/// element count; an empty array is returned when the conversion helper yields <see langword="null"/>.
/// </summary>
// Same unchecked (int) cast as v4Addresses above.
public IN6_ADDR[] v6Addresses => pv6Addresses.ToArray((int)numV6Addresses) ?? new IN6_ADDR[0];
}
/// <summary>
/// The IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0 structure stores aggregate IPsec kernel packet drop statistics. The newer
/// <see cref="IPSEC_AGGREGATE_DROP_PACKET_STATISTICS1"/> adds a total-drop counter to the same layout.
/// </summary>
/// <remarks>
/// All counters are inbound-side drop counts; a rising <c>authenticationFailuresOnInbound</c> or <c>replayCheckFailuresOnInbound</c>
/// is the sort of signal worth surfacing in monitoring, since it may indicate tampered or replayed traffic.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_aggregate_drop_packet_statistics0 typedef struct
// IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0_ { UINT32 invalidSpisOnInbound; UINT32 decryptionFailuresOnInbound; UINT32
// authenticationFailuresOnInbound; UINT32 udpEspValidationFailuresOnInbound; UINT32 replayCheckFailuresOnInbound; UINT32
// invalidClearTextInbound; UINT32 saNotInitializedOnInbound; UINT32 receiveOverIncorrectSaInbound; UINT32
// secureReceivesNotMatchingFilters; } IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0
{
/// <summary>Number of invalid SPIs on inbound.</summary>
public uint invalidSpisOnInbound;
/// <summary>Number of decryption failures on inbound.</summary>
public uint decryptionFailuresOnInbound;
/// <summary>Number of authentication failures on inbound.</summary>
public uint authenticationFailuresOnInbound;
/// <summary>Number of UDP ESP validation failures on inbound.</summary>
public uint udpEspValidationFailuresOnInbound;
/// <summary>Number of replay check failures on inbound.</summary>
public uint replayCheckFailuresOnInbound;
/// <summary>Number of invalid clear text instances on inbound.</summary>
public uint invalidClearTextInbound;
/// <summary>Number of inbound drops for packets received on SAs that were not fully initialized.</summary>
public uint saNotInitializedOnInbound;
/// <summary>Number of inbound drops for packets received on SAs whose characteristics did not match the packet.</summary>
public uint receiveOverIncorrectSaInbound;
/// <summary>Number of inbound IPsec secured packets that did not match any inbound IPsec transport layer filter.</summary>
public uint secureReceivesNotMatchingFilters;
}
/// <summary>
/// The IPSEC_AGGREGATE_DROP_PACKET_STATISTICS1 structure stores aggregate IPsec kernel packet drop statistics. It extends
/// <see cref="IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0"/> (same leading fields, same order) with <see cref="totalDropPacketsInbound"/>.
/// </summary>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_aggregate_drop_packet_statistics1 typedef struct
// IPSEC_AGGREGATE_DROP_PACKET_STATISTICS1_ { UINT32 invalidSpisOnInbound; UINT32 decryptionFailuresOnInbound; UINT32
// authenticationFailuresOnInbound; UINT32 udpEspValidationFailuresOnInbound; UINT32 replayCheckFailuresOnInbound; UINT32
// invalidClearTextInbound; UINT32 saNotInitializedOnInbound; UINT32 receiveOverIncorrectSaInbound; UINT32
// secureReceivesNotMatchingFilters; UINT32 totalDropPacketsInbound; } IPSEC_AGGREGATE_DROP_PACKET_STATISTICS1;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_AGGREGATE_DROP_PACKET_STATISTICS1_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_AGGREGATE_DROP_PACKET_STATISTICS1
{
/// <summary>Number of invalid SPIs on inbound.</summary>
public uint invalidSpisOnInbound;
/// <summary>Number of decryption failures on inbound.</summary>
public uint decryptionFailuresOnInbound;
/// <summary>Number of authentication failures on inbound.</summary>
public uint authenticationFailuresOnInbound;
/// <summary>Number of UDP ESP validation failures on inbound.</summary>
public uint udpEspValidationFailuresOnInbound;
/// <summary>Number of replay check failures on inbound.</summary>
public uint replayCheckFailuresOnInbound;
/// <summary>Number of invalid clear text instances on inbound.</summary>
public uint invalidClearTextInbound;
/// <summary>Number of inbound drops for packets received on SAs that were not fully initialized.</summary>
public uint saNotInitializedOnInbound;
/// <summary>Number of inbound drops for packets received on SAs whose characteristics did not match the packet.</summary>
public uint receiveOverIncorrectSaInbound;
/// <summary>Number of inbound IPsec secured packets that did not match any inbound IPsec transport layer filter.</summary>
public uint secureReceivesNotMatchingFilters;
/// <summary>Number of inbound drops for all packets.</summary>
public uint totalDropPacketsInbound;
}
/// <summary>The IPSEC_AGGREGATE_SA_STATISTICS0 structure stores aggregate IPsec kernel security association (SA) statistics.</summary>
/// <remarks>
/// IPSEC_AGGREGATE_SA_STATISTICS0 is a specific implementation of IPSEC_AGGREGATE_SA_STATISTICS. See WFP Version-Independent Names and
/// Targeting Specific Versions of Windows for more information.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_aggregate_sa_statistics0 typedef struct
// IPSEC_AGGREGATE_SA_STATISTICS0_ { UINT32 activeSas; UINT32 pendingSaNegotiations; UINT32 totalSasAdded; UINT32 totalSasDeleted; UINT32
// successfulRekeys; UINT32 activeTunnels; UINT32 offloadedSas; } IPSEC_AGGREGATE_SA_STATISTICS0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_AGGREGATE_SA_STATISTICS0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_AGGREGATE_SA_STATISTICS0
{
/// <summary>Number of active SAs.</summary>
public uint activeSas;
/// <summary>Number of pending SA negotiations.</summary>
public uint pendingSaNegotiations;
/// <summary>Total number of SAs added.</summary>
public uint totalSasAdded;
/// <summary>Total number of SAs deleted.</summary>
public uint totalSasDeleted;
/// <summary>Number of successful re-keys.</summary>
public uint successfulRekeys;
/// <summary>Number of active tunnels.</summary>
public uint activeTunnels;
/// <summary>Number of offloaded SAs.</summary>
public uint offloadedSas;
}
/// <summary>The IPSEC_AH_DROP_PACKET_STATISTICS0 structure stores IPsec AH drop packet statistics.</summary>
/// <remarks>
/// IPSEC_AH_DROP_PACKET_STATISTICS0 is a specific implementation of IPSEC_AH_DROP_PACKET_STATISTICS. See WFP Version-Independent
/// Names and Targeting Specific Versions of Windows for more information. The four counters are the AH-specific subset of the fields
/// in <see cref="IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0"/>.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_ah_drop_packet_statistics0 typedef struct
// IPSEC_AH_DROP_PACKET_STATISTICS0_ { UINT32 invalidSpisOnInbound; UINT32 authenticationFailuresOnInbound; UINT32
// replayCheckFailuresOnInbound; UINT32 saNotInitializedOnInbound; } IPSEC_AH_DROP_PACKET_STATISTICS0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_AH_DROP_PACKET_STATISTICS0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_AH_DROP_PACKET_STATISTICS0
{
/// <summary>Number of invalid SPIs on inbound.</summary>
public uint invalidSpisOnInbound;
/// <summary>Number of authentication failures on inbound.</summary>
public uint authenticationFailuresOnInbound;
/// <summary>Number of replay check failures on inbound.</summary>
public uint replayCheckFailuresOnInbound;
/// <summary>Number of inbound drops for packets received on SAs that were not fully initialized.</summary>
public uint saNotInitializedOnInbound;
}
/// <summary>
/// The IPSEC_AUTH_AND_CIPHER_TRANSFORM0 structure is used to store hash and encryption specific information together for an SA
/// transform in an IPsec quick mode policy.
/// </summary>
/// <remarks>
/// IPSEC_AUTH_AND_CIPHER_TRANSFORM0 is a specific implementation of IPSEC_AUTH_AND_CIPHER_TRANSFORM. See WFP Version-Independent
/// Names and Targeting Specific Versions of Windows for more information. The two members are laid out back to back, matching the
/// native declaration below.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_auth_and_cipher_transform0 typedef struct
// IPSEC_AUTH_AND_CIPHER_TRANSFORM0_ { IPSEC_AUTH_TRANSFORM0 authTransform; IPSEC_CIPHER_TRANSFORM0 cipherTransform; } IPSEC_AUTH_AND_CIPHER_TRANSFORM0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_AUTH_AND_CIPHER_TRANSFORM0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_AUTH_AND_CIPHER_TRANSFORM0
{
/// <summary>Hash specific information as specified by <see cref="IPSEC_AUTH_TRANSFORM0"/>.</summary>
public IPSEC_AUTH_TRANSFORM0 authTransform;
/// <summary>Encryption specific information as specified by IPSEC_CIPHER_TRANSFORM0.</summary>
public IPSEC_CIPHER_TRANSFORM0 cipherTransform;
}
/// <summary>
/// The IPSEC_AUTH_TRANSFORM_ID0 structure is used to uniquely identify the hash algorithm used in an IPsec security association (SA).
/// </summary>
/// <remarks>
/// <para>
/// IPSEC_AUTH_TRANSFORM_ID0 is a specific implementation of IPSEC_AUTH_TRANSFORM_ID. See WFP Version-Independent Names and Targeting
/// Specific Versions of Windows for more information.
/// </para>
/// <para>
/// The two members are not independent: each <see cref="IPSEC_AUTH_TYPE"/> has a matching <see cref="IPSEC_AUTH_CONFIG"/> (MD5 with
/// HMAC_MD5_96, SHA_1 with HMAC_SHA_1_96, SHA_256 with HMAC_SHA_256_128, and the three AES sizes with the GCM_AES entry of the same
/// key length). The canonical pairs are listed on <see cref="IPSEC_AUTH_TRANSFORM0.authTransformId"/>.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_auth_transform_id0 typedef struct
// IPSEC_AUTH_TRANSFORM_ID0_ { IPSEC_AUTH_TYPE authType; IPSEC_AUTH_CONFIG authConfig; } IPSEC_AUTH_TRANSFORM_ID0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_AUTH_TRANSFORM_ID0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_AUTH_TRANSFORM_ID0
{
/// <summary>The type of the hash algorithm as specified by <see cref="IPSEC_AUTH_TYPE"/>.</summary>
public IPSEC_AUTH_TYPE authType;
/// <summary>
/// Additional configuration information for the IPsec SA hash algorithm as specified by <see cref="IPSEC_AUTH_CONFIG"/>, which maps
/// to a UINT8. The possible values and their meanings are documented on that enumeration.
/// </summary>
public IPSEC_AUTH_CONFIG authConfig;
/// <summary>Initializes a new instance of the <see cref="IPSEC_AUTH_TRANSFORM_ID0"/> struct.</summary>
/// <param name="type">The type of the hash algorithm as specified by <see cref="IPSEC_AUTH_TYPE"/>.</param>
/// <param name="config">Additional configuration information for the IPsec SA hash algorithm.</param>
// No validation is performed here: the pair is stored as given, and the consistency of <paramref name="type"/> with
// <paramref name="config"/> is left to the caller and the native API.
public IPSEC_AUTH_TRANSFORM_ID0(IPSEC_AUTH_TYPE type, IPSEC_AUTH_CONFIG config)
{
authType = type;
authConfig = config;
}
}
/// <summary>The IPSEC_AUTH_TRANSFORM0 structure specifies hash specific information for an SA transform.</summary>
/// <remarks>
/// IPSEC_AUTH_TRANSFORM0 is a specific implementation of IPSEC_AUTH_TRANSFORM. See WFP Version-Independent Names and Targeting
/// Specific Versions of Windows for more information.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_auth_transform0 typedef struct
// IPSEC_AUTH_TRANSFORM0_ { IPSEC_AUTH_TRANSFORM_ID0 authTransformId; IPSEC_CRYPTO_MODULE_ID *cryptoModuleId; } IPSEC_AUTH_TRANSFORM0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_AUTH_TRANSFORM0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_AUTH_TRANSFORM0
{
/// <summary>
/// The identifier of the hash algorithm as specified by <see cref="IPSEC_AUTH_TRANSFORM_ID0"/>. The canonical (type, config) pairs
/// are:
/// <list type="table">
/// <listheader><term>Value</term><description>Meaning</description></listheader>
/// <item><term>IPSEC_AUTH_TRANSFORM_ID_HMAC_MD5_96</term><description>IPSEC_AUTH_MD5, IPSEC_AUTH_CONFIG_HMAC_MD5_96</description></item>
/// <item><term>IPSEC_AUTH_TRANSFORM_ID_HMAC_SHA_1_96</term><description>IPSEC_AUTH_SHA_1, IPSEC_AUTH_CONFIG_HMAC_SHA_1_96</description></item>
/// <item><term>IPSEC_AUTH_TRANSFORM_ID_HMAC_SHA_256_128</term><description>IPSEC_AUTH_SHA_256, IPSEC_AUTH_CONFIG_HMAC_SHA_256_128</description></item>
/// <item><term>IPSEC_AUTH_TRANSFORM_ID_GCM_AES_128</term><description>IPSEC_AUTH_AES_128, IPSEC_AUTH_CONFIG_GCM_AES_128</description></item>
/// <item><term>IPSEC_AUTH_TRANSFORM_ID_GCM_AES_192</term><description>IPSEC_AUTH_AES_192, IPSEC_AUTH_CONFIG_GCM_AES_192</description></item>
/// <item><term>IPSEC_AUTH_TRANSFORM_ID_GCM_AES_256</term><description>IPSEC_AUTH_AES_256, IPSEC_AUTH_CONFIG_GCM_AES_256</description></item>
/// </list>
/// </summary>
public IPSEC_AUTH_TRANSFORM_ID0 authTransformId;
/// <summary>Unused parameter, always set this to NULL (<see cref="IntPtr.Zero"/>).</summary>
// The native member is an IPSEC_CRYPTO_MODULE_ID pointer (see the declaration above); it is surfaced as a raw IntPtr because the API
// does not use it.
public IntPtr cryptoModuleId;
}
/// <summary>
/// The <c>IPSEC_CIPHER_TRANSFORM_ID0</c> structure uniquely identifies the encryption algorithm used in an IPsec SA: the base algorithm
/// (<see cref="cipherType"/>) together with its configuration, i.e. the mode of operation (<see cref="cipherConfig"/>).
/// </summary>
/// <remarks>
/// <para>
/// IPSEC_CIPHER_TRANSFORM_ID0 is a specific implementation of IPSEC_CIPHER_TRANSFORM_ID. See WFP Version-Independent Names and Targeting
/// Specific Versions of Windows for more information.
/// </para>
/// <para>
/// NOTE(review): the CBC-DES and CBC-3DES configurations exist for legacy interoperability; prefer an AES configuration (GCM where the peer
/// supports it) when authoring new policy.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_cipher_transform_id0 typedef struct
// IPSEC_CIPHER_TRANSFORM_ID0_ { IPSEC_CIPHER_TYPE cipherType; IPSEC_CIPHER_CONFIG cipherConfig; } IPSEC_CIPHER_TRANSFORM_ID0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_CIPHER_TRANSFORM_ID0_")]
public struct IPSEC_CIPHER_TRANSFORM_ID0
{
	/// <summary>The type of the encryption algorithm, as specified by <see cref="IPSEC_CIPHER_TYPE"/>.</summary>
	public IPSEC_CIPHER_TYPE cipherType;

	/// <summary>
	/// Additional configuration information for the encryption algorithm, as specified by <see cref="IPSEC_CIPHER_CONFIG"/> (maps to a UINT8).
	/// <list type="bullet">
	/// <item><term>IPSEC_CIPHER_CONFIG_CBC_DES</term><description>DES (Data Encryption Standard) in CBC (Cipher Block Chaining) mode.</description></item>
	/// <item><term>IPSEC_CIPHER_CONFIG_CBC_3DES</term><description>3DES in CBC mode.</description></item>
	/// <item><term>IPSEC_CIPHER_CONFIG_CBC_AES_128</term><description>AES-128 (Advanced Encryption Standard) in CBC mode.</description></item>
	/// <item><term>IPSEC_CIPHER_CONFIG_CBC_AES_192</term><description>AES-192 in CBC mode.</description></item>
	/// <item><term>IPSEC_CIPHER_CONFIG_CBC_AES_256</term><description>AES-256 in CBC mode.</description></item>
	/// <item><term>IPSEC_CIPHER_CONFIG_GCM_AES_128</term><description>AES-128 in GCM (Galois Counter Mode).</description></item>
	/// <item><term>IPSEC_CIPHER_CONFIG_GCM_AES_192</term><description>AES-192 in GCM.</description></item>
	/// <item><term>IPSEC_CIPHER_CONFIG_GCM_AES_256</term><description>AES-256 in GCM.</description></item>
	/// </list>
	/// </summary>
	public IPSEC_CIPHER_CONFIG cipherConfig;

	/// <summary>Initializes a new instance of the <see cref="IPSEC_CIPHER_TRANSFORM_ID0"/> struct from an algorithm type and its configuration.</summary>
	/// <param name="type">The type of the encryption algorithm.</param>
	/// <param name="config">Additional configuration information (mode of operation) for the encryption algorithm.</param>
	/// <remarks>The values are stored as given; the constructor does not verify that the type and configuration belong together.</remarks>
	public IPSEC_CIPHER_TRANSFORM_ID0(IPSEC_CIPHER_TYPE type, IPSEC_CIPHER_CONFIG config) => (cipherType, cipherConfig) = (type, config);
}
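/// <summary>
/// The <c>IPSEC_CIPHER_TRANSFORM0</c> structure is used to store encryption-specific information for an SA transform in an IPsec quick mode policy.
/// </summary>
/// <remarks>
/// <para>
/// IPSEC_CIPHER_TRANSFORM0 is a specific implementation of IPSEC_CIPHER_TRANSFORM. See WFP Version-Independent Names and Targeting Specific
/// Versions of Windows for more information.
/// </para>
/// <para>
/// NOTE(review): the CBC-DES and CBC-3DES identifiers are legacy; prefer an AES identifier for new policy. The GCM identifiers are the
/// combined-mode ciphers; presumably they must be paired with the matching GCM auth transform when used in a transform set — confirm against
/// the IPSEC_SA_TRANSFORM0 documentation.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_cipher_transform0 typedef struct
// IPSEC_CIPHER_TRANSFORM0_ { IPSEC_CIPHER_TRANSFORM_ID0 cipherTransformId; IPSEC_CRYPTO_MODULE_ID *cryptoModuleId; } IPSEC_CIPHER_TRANSFORM0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_CIPHER_TRANSFORM0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_CIPHER_TRANSFORM0
{
	/// <summary>
	/// The identifier of the encryption algorithm, as specified by <see cref="IPSEC_CIPHER_TRANSFORM_ID0"/>. The documented (type, config) pairings are:
	/// <list type="bullet">
	/// <item><term>IPSEC_CIPHER_TRANSFORM_ID_CBC_DES</term><description>IPSEC_CIPHER_TYPE_DES, IPSEC_CIPHER_CONFIG_CBC_DES</description></item>
	/// <item><term>IPSEC_CIPHER_TRANSFORM_ID_CBC_3DES</term><description>IPSEC_CIPHER_TYPE_3DES, IPSEC_CIPHER_CONFIG_CBC_3DES</description></item>
	/// <item><term>IPSEC_CIPHER_TRANSFORM_ID_AES_128</term><description>IPSEC_CIPHER_TYPE_AES_128, IPSEC_CIPHER_CONFIG_CBC_AES_128</description></item>
	/// <item><term>IPSEC_CIPHER_TRANSFORM_ID_AES_192</term><description>IPSEC_CIPHER_TYPE_AES_192, IPSEC_CIPHER_CONFIG_CBC_AES_192</description></item>
	/// <item><term>IPSEC_CIPHER_TRANSFORM_ID_AES_256</term><description>IPSEC_CIPHER_TYPE_AES_256, IPSEC_CIPHER_CONFIG_CBC_AES_256</description></item>
	/// <item><term>IPSEC_CIPHER_TRANSFORM_ID_GCM_AES_128</term><description>IPSEC_CIPHER_TYPE_AES_128, IPSEC_CIPHER_CONFIG_GCM_AES_128</description></item>
	/// <item><term>IPSEC_CIPHER_TRANSFORM_ID_GCM_AES_192</term><description>IPSEC_CIPHER_TYPE_AES_192, IPSEC_CIPHER_CONFIG_GCM_AES_192</description></item>
	/// <item><term>IPSEC_CIPHER_TRANSFORM_ID_GCM_AES_256</term><description>IPSEC_CIPHER_TYPE_AES_256, IPSEC_CIPHER_CONFIG_GCM_AES_256</description></item>
	/// </list>
	/// </summary>
	public IPSEC_CIPHER_TRANSFORM_ID0 cipherTransformId;

	/// <summary>Unused parameter. Always set this to <see cref="IntPtr.Zero"/> (NULL).</summary>
	public IntPtr cryptoModuleId;

	/// <summary>
	/// Initializes a new instance of the <see cref="IPSEC_CIPHER_TRANSFORM0"/> struct for the given transform identifier, leaving the unused
	/// <see cref="cryptoModuleId"/> as NULL as the API requires. Mirrors the convenience constructor on <see cref="IPSEC_CIPHER_TRANSFORM_ID0"/>.
	/// </summary>
	/// <param name="transformId">The encryption algorithm identifier to store in <see cref="cipherTransformId"/>.</param>
	public IPSEC_CIPHER_TRANSFORM0(IPSEC_CIPHER_TRANSFORM_ID0 transformId)
	{
		cipherTransformId = transformId;
		cryptoModuleId = IntPtr.Zero;
	}
}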
/// <summary>The <c>IPSEC_DOSP_OPTIONS0</c> structure stores the configuration parameters for IPsec DoS Protection.</summary>
/// <remarks>
/// <para>
/// IPSEC_DOSP_OPTIONS0 is a specific implementation of IPSEC_DOSP_OPTIONS. See WFP Version-Independent Names and Targeting Specific Versions
/// of Windows for more information.
/// </para>
/// <para>
/// Every DSCP field accepts a value in the range 0..63, or IPSEC_DOSP_DSCP_DISABLE_VALUE to turn DSCP marking off for that traffic category;
/// every rate-limit field accepts bytes per second, or IPSEC_DOSP_RATE_LIMIT_DISABLE_VALUE to turn rate limiting off for that category.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_dosp_options0 typedef struct IPSEC_DOSP_OPTIONS0_ {
// UINT32 stateIdleTimeoutSeconds; UINT32 perIPRateLimitQueueIdleTimeoutSeconds; UINT8 ipV6IPsecUnauthDscp; UINT32
// ipV6IPsecUnauthRateLimitBytesPerSec; UINT32 ipV6IPsecUnauthPerIPRateLimitBytesPerSec; UINT8 ipV6IPsecAuthDscp; UINT32
// ipV6IPsecAuthRateLimitBytesPerSec; UINT8 icmpV6Dscp; UINT32 icmpV6RateLimitBytesPerSec; UINT8 ipV6FilterExemptDscp; UINT32
// ipV6FilterExemptRateLimitBytesPerSec; UINT8 defBlockExemptDscp; UINT32 defBlockExemptRateLimitBytesPerSec; UINT32 maxStateEntries;
// UINT32 maxPerIPRateLimitQueues; UINT32 flags; UINT32 numPublicIFLuids; UINT64 *publicIFLuids; UINT32 numInternalIFLuids; UINT64
// *internalIFLuids; FWP_V6_ADDR_AND_MASK publicV6AddrMask; FWP_V6_ADDR_AND_MASK internalV6AddrMask; } IPSEC_DOSP_OPTIONS0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_DOSP_OPTIONS0_")]
public struct IPSEC_DOSP_OPTIONS0
{
	/// <summary>Number of seconds before a state entry idles out. Must be greater than 0.</summary>
	public uint stateIdleTimeoutSeconds;

	/// <summary>Idle timeout, in seconds, for a per-IP rate-limit queue object. Must be greater than 0.</summary>
	public uint perIPRateLimitQueueIdleTimeoutSeconds;

	/// <summary>DSCP marking for unauthenticated inbound IPv6 IPsec traffic (0..63, or IPSEC_DOSP_DSCP_DISABLE_VALUE to disable).</summary>
	public byte ipV6IPsecUnauthDscp;

	/// <summary>Rate limit for unauthenticated inbound IPv6 IPsec traffic (IPSEC_DOSP_RATE_LIMIT_DISABLE_VALUE to disable).</summary>
	public uint ipV6IPsecUnauthRateLimitBytesPerSec;

	/// <summary>Rate limit for unauthenticated inbound IPv6 IPsec traffic, per internal IP address (IPSEC_DOSP_RATE_LIMIT_DISABLE_VALUE to disable).</summary>
	public uint ipV6IPsecUnauthPerIPRateLimitBytesPerSec;

	/// <summary>DSCP marking for authenticated inbound IPv6 IPsec traffic (0..63, or IPSEC_DOSP_DSCP_DISABLE_VALUE to disable).</summary>
	public byte ipV6IPsecAuthDscp;

	/// <summary>Rate limit for authenticated inbound IPv6 IPsec traffic (IPSEC_DOSP_RATE_LIMIT_DISABLE_VALUE to disable).</summary>
	public uint ipV6IPsecAuthRateLimitBytesPerSec;

	/// <summary>DSCP marking for inbound ICMPv6 traffic (0..63, or IPSEC_DOSP_DSCP_DISABLE_VALUE to disable).</summary>
	public byte icmpV6Dscp;

	/// <summary>Rate limit for inbound ICMPv6 traffic (IPSEC_DOSP_RATE_LIMIT_DISABLE_VALUE to disable).</summary>
	public uint icmpV6RateLimitBytesPerSec;

	/// <summary>DSCP marking for inbound IPv6 filter-exempted traffic (0..63, or IPSEC_DOSP_DSCP_DISABLE_VALUE to disable).</summary>
	public byte ipV6FilterExemptDscp;

	/// <summary>Rate limit for inbound IPv6 filter-exempted traffic (IPSEC_DOSP_RATE_LIMIT_DISABLE_VALUE to disable).</summary>
	public uint ipV6FilterExemptRateLimitBytesPerSec;

	/// <summary>DSCP marking for inbound default-block-exempted traffic (0..63, or IPSEC_DOSP_DSCP_DISABLE_VALUE to disable).</summary>
	public byte defBlockExemptDscp;

	/// <summary>Rate limit for inbound default-block-exempted traffic (IPSEC_DOSP_RATE_LIMIT_DISABLE_VALUE to disable).</summary>
	public uint defBlockExemptRateLimitBytesPerSec;

	/// <summary>Maximum number of state entries in the table. Must be greater than 0.</summary>
	public uint maxStateEntries;

	/// <summary>Maximum number of per-internal-IP rate-limit queues for inbound unauthenticated IPv6 IPsec traffic. Must be greater than 0.</summary>
	public uint maxPerIPRateLimitQueues;

	/// <summary>
	/// A combination of <see cref="IPSEC_DOSP_FLAG"/> values:
	/// <list type="bullet">
	/// <item><term>IPSEC_DOSP_FLAG_ENABLE_IKEV1</term><description>Allows the IKEv1 keying module (blocked by default).</description></item>
	/// <item><term>IPSEC_DOSP_FLAG_ENABLE_IKEV2</term><description>Allows the IKEv2 keying module (blocked by default).</description></item>
	/// <item><term>IPSEC_DOSP_FLAG_DISABLE_AUTHIP</term><description>Blocks the AuthIP keying module (allowed by default).</description></item>
	/// <item><term>IPSEC_DOSP_FLAG_DISABLE_DEFAULT_BLOCK</term><description>Allows all matching IPv4 traffic and non-IPsec IPv6 traffic. By default all IPv4
	/// traffic and non-IPsec IPv6 traffic, except IPv6 ICMP, is blocked — setting this flag removes that default-deny and should be a deliberate choice.</description></item>
	/// <item><term>IPSEC_DOSP_FLAG_FILTER_BLOCK</term><description>Blocks all matching IPv6 traffic.</description></item>
	/// <item><term>IPSEC_DOSP_FLAG_FILTER_EXEMPT</term><description>Allows all matching IPv6 traffic.</description></item>
	/// </list>
	/// </summary>
	public IPSEC_DOSP_FLAG flags;

	/// <summary>Number of entries in the array pointed to by <see cref="publicIFLuids"/>.</summary>
	public uint numPublicIFLuids;

	/// <summary>Pointer to an array of UINT64 public (Internet-facing) interface identifiers for which DoS protection should be enabled.</summary>
	public IntPtr publicIFLuids;

	/// <summary>Number of entries in the array pointed to by <see cref="internalIFLuids"/>.</summary>
	public uint numInternalIFLuids;

	/// <summary>Pointer to an array of UINT64 internal (network-facing) interface identifiers for which DoS protection should be enabled.</summary>
	public IntPtr internalIFLuids;

	/// <summary>Optional public IPv6 address or subnet for this policy, as specified in <see cref="FWP_V6_ADDR_AND_MASK"/>.</summary>
	public FWP_V6_ADDR_AND_MASK publicV6AddrMask;

	/// <summary>Optional internal IPv6 address or subnet for this policy, as specified in <see cref="FWP_V6_ADDR_AND_MASK"/>.</summary>
	public FWP_V6_ADDR_AND_MASK internalV6AddrMask;
}
/// <summary>
/// The <c>IPSEC_DOSP_STATE_ENUM_TEMPLATE0</c> structure is the template used to enumerate IPsec DoS Protection state entries, selecting
/// them by public and internal IPv6 address/mask.
/// </summary>
/// <remarks>
/// IPSEC_DOSP_STATE_ENUM_TEMPLATE0 is a specific implementation of IPSEC_DOSP_STATE_ENUM_TEMPLATE. See WFP Version-Independent Names and
/// Targeting Specific Versions of Windows for more information.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_dosp_state_enum_template0 typedef struct
// IPSEC_DOSP_STATE_ENUM_TEMPLATE0_ { FWP_V6_ADDR_AND_MASK publicV6AddrMask; FWP_V6_ADDR_AND_MASK internalV6AddrMask; } IPSEC_DOSP_STATE_ENUM_TEMPLATE0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_DOSP_STATE_ENUM_TEMPLATE0_")]
public struct IPSEC_DOSP_STATE_ENUM_TEMPLATE0
{
	/// <summary>An <see cref="FWP_V6_ADDR_AND_MASK"/> structure specifying the public IPv6 address (and mask) to match.</summary>
	public FWP_V6_ADDR_AND_MASK publicV6AddrMask;

	/// <summary>An <see cref="FWP_V6_ADDR_AND_MASK"/> structure specifying the internal IPv6 address (and mask) to match.</summary>
	public FWP_V6_ADDR_AND_MASK internalV6AddrMask;
}
/// <summary>The <c>IPSEC_DOSP_STATE0</c> structure holds one IPsec DoS Protection state entry as returned by the enumeration APIs.</summary>
/// <remarks>
/// IPSEC_DOSP_STATE0 is a specific implementation of IPSEC_DOSP_STATE. See WFP Version-Independent Names and Targeting Specific Versions of
/// Windows for more information.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_dosp_state0 typedef struct IPSEC_DOSP_STATE0_ {
// UINT8 publicHostV6Addr[16]; UINT8 internalHostV6Addr[16]; UINT64 totalInboundIPv6IPsecAuthPackets; UINT64
// totalOutboundIPv6IPsecAuthPackets; UINT32 durationSecs; } IPSEC_DOSP_STATE0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_DOSP_STATE0_")]
public struct IPSEC_DOSP_STATE0
{
	/// <summary>IPv6 address of the public host (the native UINT8[16] is represented as <see cref="IN6_ADDR"/>).</summary>
	public IN6_ADDR publicHostV6Addr;

	/// <summary>IPv6 address of the internal host (the native UINT8[16] is represented as <see cref="IN6_ADDR"/>).</summary>
	public IN6_ADDR internalHostV6Addr;

	/// <summary>Total number of inbound IPv6 IPsec packets allowed since this state entry was created.</summary>
	public ulong totalInboundIPv6IPsecAuthPackets;

	/// <summary>Total number of outbound IPv6 IPsec packets allowed since this state entry was created.</summary>
	public ulong totalOutboundIPv6IPsecAuthPackets;

	/// <summary>Seconds elapsed since this state entry was created.</summary>
	public uint durationSecs;
}
/// <summary>
/// The <c>IPSEC_DOSP_STATISTICS0</c> structure stores IPsec DoS Protection statistics. Unless stated otherwise, each counter accumulates
/// since the computer was last started.
/// </summary>
/// <remarks>
/// IPSEC_DOSP_STATISTICS0 is a specific implementation of IPSEC_DOSP_STATISTICS. See WFP Version-Independent Names and Targeting Specific
/// Versions of Windows for more information.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_dosp_statistics0 typedef struct
// IPSEC_DOSP_STATISTICS0_ { UINT64 totalStateEntriesCreated; UINT64 currentStateEntries; UINT64 totalInboundAllowedIPv6IPsecUnauthPkts;
// UINT64 totalInboundRatelimitDiscardedIPv6IPsecUnauthPkts; UINT64 totalInboundPerIPRatelimitDiscardedIPv6IPsecUnauthPkts; UINT64
// totalInboundOtherDiscardedIPv6IPsecUnauthPkts; UINT64 totalInboundAllowedIPv6IPsecAuthPkts; UINT64
// totalInboundRatelimitDiscardedIPv6IPsecAuthPkts; UINT64 totalInboundOtherDiscardedIPv6IPsecAuthPkts; UINT64
// totalInboundAllowedICMPv6Pkts; UINT64 totalInboundRatelimitDiscardedICMPv6Pkts; UINT64 totalInboundAllowedIPv6FilterExemptPkts; UINT64
// totalInboundRatelimitDiscardedIPv6FilterExemptPkts; UINT64 totalInboundDiscardedIPv6FilterBlockPkts; UINT64
// totalInboundAllowedDefBlockExemptPkts; UINT64 totalInboundRatelimitDiscardedDefBlockExemptPkts; UINT64
// totalInboundDiscardedDefBlockPkts; UINT64 currentInboundIPv6IPsecUnauthPerIPRateLimitQueues; } IPSEC_DOSP_STATISTICS0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_DOSP_STATISTICS0_")]
public struct IPSEC_DOSP_STATISTICS0
{
	/// <summary>Total state entries created.</summary>
	public ulong totalStateEntriesCreated;

	/// <summary>Current number of state entries in the table (a gauge, not a cumulative counter).</summary>
	public ulong currentStateEntries;

	/// <summary>Inbound IPv6 IPsec unauthenticated packets allowed.</summary>
	public ulong totalInboundAllowedIPv6IPsecUnauthPkts;

	/// <summary>Inbound IPv6 IPsec unauthenticated packets discarded by rate limiting.</summary>
	public ulong totalInboundRatelimitDiscardedIPv6IPsecUnauthPkts;

	/// <summary>Inbound IPv6 IPsec unauthenticated packets discarded by per-internal-IP rate limiting.</summary>
	public ulong totalInboundPerIPRatelimitDiscardedIPv6IPsecUnauthPkts;

	/// <summary>Inbound IPv6 IPsec unauthenticated packets discarded for any other reason.</summary>
	public ulong totalInboundOtherDiscardedIPv6IPsecUnauthPkts;

	/// <summary>Inbound IPv6 IPsec authenticated packets allowed.</summary>
	public ulong totalInboundAllowedIPv6IPsecAuthPkts;

	/// <summary>Inbound IPv6 IPsec authenticated packets discarded by rate limiting.</summary>
	public ulong totalInboundRatelimitDiscardedIPv6IPsecAuthPkts;

	/// <summary>Inbound IPv6 IPsec authenticated packets discarded for any other reason.</summary>
	public ulong totalInboundOtherDiscardedIPv6IPsecAuthPkts;

	/// <summary>Inbound ICMPv6 packets allowed.</summary>
	public ulong totalInboundAllowedICMPv6Pkts;

	/// <summary>Inbound ICMPv6 packets discarded by rate limiting.</summary>
	public ulong totalInboundRatelimitDiscardedICMPv6Pkts;

	/// <summary>Inbound IPv6 filter-exempted packets allowed.</summary>
	public ulong totalInboundAllowedIPv6FilterExemptPkts;

	/// <summary>Inbound IPv6 filter-exempted packets discarded by rate limiting.</summary>
	public ulong totalInboundRatelimitDiscardedIPv6FilterExemptPkts;

	/// <summary>Inbound IPv6 filter-blocked packets discarded.</summary>
	public ulong totalInboundDiscardedIPv6FilterBlockPkts;

	/// <summary>Inbound default-block-exempted packets allowed.</summary>
	public ulong totalInboundAllowedDefBlockExemptPkts;

	/// <summary>Inbound default-block-exempted packets discarded by rate limiting.</summary>
	public ulong totalInboundRatelimitDiscardedDefBlockExemptPkts;

	/// <summary>Inbound default-block packets discarded.</summary>
	public ulong totalInboundDiscardedDefBlockPkts;

	/// <summary>Current number of per-internal-IP rate-limit queues for inbound unauthenticated IPv6 IPsec traffic (a gauge).</summary>
	public ulong currentInboundIPv6IPsecUnauthPerIPRateLimitQueues;
}
/// <summary>
/// The <c>IPSEC_ESP_DROP_PACKET_STATISTICS0</c> structure stores ESP packet-drop statistics, broken down by the reason an inbound packet was
/// rejected. A rising <see cref="authenticationFailuresOnInbound"/> or <see cref="replayCheckFailuresOnInbound"/> is the usual signal to watch
/// when investigating tampering or replayed traffic.
/// </summary>
/// <remarks>
/// IPSEC_ESP_DROP_PACKET_STATISTICS0 is a specific implementation of IPSEC_ESP_DROP_PACKET_STATISTICS. See WFP Version-Independent Names and
/// Targeting Specific Versions of Windows for more information.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_esp_drop_packet_statistics0 typedef struct
// IPSEC_ESP_DROP_PACKET_STATISTICS0_ { UINT32 invalidSpisOnInbound; UINT32 decryptionFailuresOnInbound; UINT32
// authenticationFailuresOnInbound; UINT32 replayCheckFailuresOnInbound; UINT32 saNotInitializedOnInbound; } IPSEC_ESP_DROP_PACKET_STATISTICS0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_ESP_DROP_PACKET_STATISTICS0_")]
public struct IPSEC_ESP_DROP_PACKET_STATISTICS0
{
	/// <summary>Inbound packets dropped because their SPI did not match any SA.</summary>
	public uint invalidSpisOnInbound;

	/// <summary>Inbound packets dropped because decryption failed.</summary>
	public uint decryptionFailuresOnInbound;

	/// <summary>Inbound packets dropped because integrity/authentication verification failed.</summary>
	public uint authenticationFailuresOnInbound;

	/// <summary>Inbound packets dropped by the anti-replay check.</summary>
	public uint replayCheckFailuresOnInbound;

	/// <summary>Inbound packets dropped because they arrived on an SA that was not yet fully initialized.</summary>
	public uint saNotInitializedOnInbound;
}
/// <summary>
/// The <c>IPSEC_GETSPI0</c> structure contains the information that must be supplied when requesting a security parameter index (SPI) from
/// the IPsec driver. A later revision, <see cref="IPSEC_GETSPI1"/>, is also available.
/// </summary>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_getspi0 typedef struct IPSEC_GETSPI0_ {
// IPSEC_TRAFFIC0 inboundIpsecTraffic; FWP_IP_VERSION ipVersion; union { IPSEC_V4_UDP_ENCAPSULATION0 *inboundUdpEncapsulation; };
// IPSEC_CRYPTO_MODULE_ID *rngCryptoModuleID; } IPSEC_GETSPI0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_GETSPI0_")]
public struct IPSEC_GETSPI0
{
	/// <summary>An <see cref="IPSEC_TRAFFIC0"/> structure describing the traffic characteristics of the inbound IPsec SA.</summary>
	public IPSEC_TRAFFIC0 inboundIpsecTraffic;

	/// <summary>An <see cref="FWP_IP_VERSION"/> value giving the IP version of the inbound IPsec traffic.</summary>
	public FWP_IP_VERSION ipVersion;

	/// <summary>
	/// Optional pointer to an IPSEC_V4_UDP_ENCAPSULATION0 structure specifying the IPsec NAT Traversal (NATT) UDP encapsulation ports.
	/// Only applicable when <see cref="ipVersion"/> is FWP_IP_VERSION_V4 (in the native header this is a union member); NOTE(review):
	/// presumably ignored for IPv6 — leave it as <see cref="IntPtr.Zero"/> in that case.
	/// </summary>
	public IntPtr inboundUdpEncapsulation;

	/// <summary>Not used. An IPSEC_CRYPTO_MODULE_ID is a GUID value.</summary>
	public GuidPtr rngCryptoModuleID;
}
/// <summary>
/// The <c>IPSEC_GETSPI1</c> structure contains the information that must be supplied when requesting a security parameter index (SPI) from
/// the IPsec driver. It differs from <see cref="IPSEC_GETSPI0"/> in carrying an <see cref="IPSEC_TRAFFIC1"/> traffic description.
/// </summary>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_getspi1 typedef struct IPSEC_GETSPI1_ {
// IPSEC_TRAFFIC1 inboundIpsecTraffic; FWP_IP_VERSION ipVersion; union { IPSEC_V4_UDP_ENCAPSULATION0 *inboundUdpEncapsulation; };
// IPSEC_CRYPTO_MODULE_ID *rngCryptoModuleID; } IPSEC_GETSPI1;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_GETSPI1_")]
public struct IPSEC_GETSPI1
{
	/// <summary>An <see cref="IPSEC_TRAFFIC1"/> structure describing the traffic characteristics of the inbound IPsec SA.</summary>
	public IPSEC_TRAFFIC1 inboundIpsecTraffic;

	/// <summary>An <see cref="FWP_IP_VERSION"/> value giving the IP version of the inbound IPsec traffic.</summary>
	public FWP_IP_VERSION ipVersion;

	/// <summary>
	/// Optional pointer to an IPSEC_V4_UDP_ENCAPSULATION0 structure specifying the IPsec NAT Traversal (NATT) UDP encapsulation ports.
	/// Only applicable when <see cref="ipVersion"/> is FWP_IP_VERSION_V4 (in the native header this is a union member); NOTE(review):
	/// presumably ignored for IPv6 — leave it as <see cref="IntPtr.Zero"/> in that case.
	/// </summary>
	public IntPtr inboundUdpEncapsulation;

	/// <summary>Not used. An IPSEC_CRYPTO_MODULE_ID is a GUID value.</summary>
	public GuidPtr rngCryptoModuleID;
}
/// <summary>
/// The <c>IPSEC_ID0</c> structure carries the identity information IPsec authenticates against: the main-mode and extended-mode target
/// service principal names, an optional token list, and an optional explicit-credentials handle.
/// </summary>
/// <remarks>
/// IPSEC_ID0 is a specific implementation of IPSEC_ID. See WFP Version-Independent Names and Targeting Specific Versions of Windows for more
/// information.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_id0 typedef struct IPSEC_ID0_ { wchar_t
// *mmTargetName; wchar_t *emTargetName; UINT32 numTokens; IPSEC_TOKEN0 *tokens; UINT64 explicitCredentials; UINT64 logonId; } IPSEC_ID0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_ID0_")]
public struct IPSEC_ID0
{
	/// <summary>Optional main mode target service principal name (SPN); this is often the machine name. Marshaled as a null-terminated wide string.</summary>
	[MarshalAs(UnmanagedType.LPWStr)]
	public string? mmTargetName;

	/// <summary>Optional extended mode target SPN. Marshaled as a null-terminated wide string.</summary>
	[MarshalAs(UnmanagedType.LPWStr)]
	public string? emTargetName;

	/// <summary>Optional. Number of IPSEC_TOKEN0 structures in the array pointed to by <see cref="tokens"/>.</summary>
	public uint numTokens;

	/// <summary>Optional pointer to an array of <see cref="numTokens"/> IPSEC_TOKEN0 structures.</summary>
	public IntPtr tokens;

	/// <summary>Optional handle to explicit credentials.</summary>
	public ulong explicitCredentials;

	/// <summary>Unused parameter. This should always be 0.</summary>
	public ulong logonId;
}
/// <summary>The <c>IPSEC_KEY_MANAGER0</c> structure describes a key manager being registered with IPsec for key management callbacks.</summary>
/// <remarks>
/// NOTE(review): a key manager registered with <see cref="IPSEC_KEY_MANAGER_FLAG"/>.IPSEC_KEY_MANAGER_FLAG_DICTATE_KEY can supply the keys
/// an SA will use, so this registration is a privileged operation; confirm the access check the registration call applies before exposing it.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_key_manager0 typedef struct _IPSEC_KEY_MANAGER0 {
// GUID keyManagerKey; FWPM_DISPLAY_DATA0 displayData; UINT32 flags; UINT8 keyDictationTimeoutHint; } IPSEC_KEY_MANAGER0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes._IPSEC_KEY_MANAGER0")]
public struct IPSEC_KEY_MANAGER0
{
	/// <summary>Type: GUID. Uniquely identifies the key manager.</summary>
	public Guid keyManagerKey;

	/// <summary>Type: FWPM_DISPLAY_DATA0. Annotations (name/description) associated with the key manager.</summary>
	public FWPM_DISPLAY_DATA0 displayData;

	/// <summary>
	/// Type: UINT32. Possible values:
	/// <list type="bullet">
	/// <item><term>IPSEC_KEY_MANAGER_FLAG_DICTATE_KEY</term><description>The TIA can accept key notifications and may also dictate keys. Without
	/// this flag the TIA can only accept key notifications and cannot dictate keys.</description></item>
	/// </list>
	/// </summary>
	public IPSEC_KEY_MANAGER_FLAG flags;

	/// <summary>
	/// Type: UINT8. Time, in seconds, after which the keyDictation callback must have returned for registration to succeed. Set to 0 to use
	/// the default timeout of 5 seconds.
	/// </summary>
	public byte keyDictationTimeoutHint;
}
/// <summary>
/// The <c>IPSEC_KEYING_POLICY0</c> structure defines an unordered set of keying modules that will be tried for IPsec. A later revision,
/// <see cref="IPSEC_KEYING_POLICY1"/>, adds a flags member.
/// </summary>
/// <remarks>
/// IPSEC_KEYING_POLICY0 is a specific implementation of IPSEC_KEYING_POLICY. See WFP Version-Independent Names and Targeting Specific
/// Versions of Windows for more information.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_keying_policy0 typedef struct IPSEC_KEYING_POLICY0_
// { UINT32 numKeyMods; GUID *keyModKeys; } IPSEC_KEYING_POLICY0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_KEYING_POLICY0_")]
public struct IPSEC_KEYING_POLICY0
{
	/// <summary>Number of GUIDs in the array pointed to by <see cref="keyModKeys"/>.</summary>
	public uint numKeyMods;

	/// <summary>Pointer to an array of <see cref="numKeyMods"/> distinct keying-module GUIDs.</summary>
	public IntPtr keyModKeys;
}
/// <summary>
/// The <c>IPSEC_KEYING_POLICY1</c> structure defines an unordered set of keying modules that will be tried for IPsec, plus policy flags.
/// The earlier revision without flags is <see cref="IPSEC_KEYING_POLICY0"/>.
/// </summary>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_keying_policy1 typedef struct IPSEC_KEYING_POLICY1_
// { UINT32 numKeyMods; GUID *keyModKeys; UINT32 flags; } IPSEC_KEYING_POLICY1;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_KEYING_POLICY1_")]
public struct IPSEC_KEYING_POLICY1
{
	/// <summary>Type: UINT32. Number of GUIDs in the array pointed to by <see cref="keyModKeys"/>.</summary>
	public uint numKeyMods;

	/// <summary>Type: GUID*. Pointer to an array of <see cref="numKeyMods"/> distinct keying-module GUIDs.</summary>
	public IntPtr keyModKeys;

	/// <summary>
	/// Type: UINT32. Possible values:
	/// <list type="bullet">
	/// <item><term>IPSEC_KEYING_POLICY_FLAG_TERMINATING_MATCH</term><description>Forces the use of a Kerberos proxy server when acting as initiator.</description></item>
	/// </list>
	/// </summary>
	public IPSEC_KEYING_POLICY_FLAG flags;
}
/// <summary>
/// The <c>IPSEC_KEYMODULE_STATE0</c> structure stores Internet Protocol Security (IPsec) keying-module-specific state as an opaque blob
/// tagged with the keying module's identifier.
/// </summary>
/// <remarks>
/// IPSEC_KEYMODULE_STATE0 is a specific implementation of IPSEC_KEYMODULE_STATE. See WFP Version-Independent Names and Targeting Specific
/// Versions of Windows for more information.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_keymodule_state0 typedef struct
// IPSEC_KEYMODULE_STATE0_ { GUID keyModuleKey; FWP_BYTE_BLOB stateBlob; } IPSEC_KEYMODULE_STATE0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_KEYMODULE_STATE0_")]
public struct IPSEC_KEYMODULE_STATE0
{
	/// <summary>GUID identifying the keying module that owns <see cref="stateBlob"/>.</summary>
	public Guid keyModuleKey;

	/// <summary>Opaque, keying-module-specific state carried in an <see cref="FWP_BYTE_BLOB"/>; its contents are not interpreted here.</summary>
	public FWP_BYTE_BLOB stateBlob;
}
/// <summary>
/// The <c>IPSEC_PROPOSAL0</c> structure stores an IPsec quick mode proposal: the lifetime, transform set and PFS group of the IPsec SA that
/// may be generated from it.
/// </summary>
/// <remarks>
/// IPSEC_PROPOSAL0 is a specific implementation of IPSEC_PROPOSAL. See WFP Version-Independent Names and Targeting Specific Versions of
/// Windows for more information.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_proposal0 typedef struct IPSEC_PROPOSAL0_ {
// IPSEC_SA_LIFETIME0 lifetime; UINT32 numSaTransforms; IPSEC_SA_TRANSFORM0 *saTransforms; IPSEC_PFS_GROUP pfsGroup; } IPSEC_PROPOSAL0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_PROPOSAL0_")]
public struct IPSEC_PROPOSAL0
{
	/// <summary>Lifetime of the IPsec security association (SA), as specified by <see cref="IPSEC_SA_LIFETIME0"/>. Cannot be zero.</summary>
	public IPSEC_SA_LIFETIME0 lifetime;

	/// <summary>Number of IPsec SA transforms in <see cref="saTransforms"/>. The only valid values are 1 and 2; use 2 only for AH plus ESP.</summary>
	public uint numSaTransforms;

	/// <summary>Pointer to an array of <see cref="numSaTransforms"/> IPSEC_SA_TRANSFORM0 structures.</summary>
	public IntPtr saTransforms;

	/// <summary>Perfect forward secrecy (PFS) group of the IPsec SA, as specified by <see cref="IPSEC_PFS_GROUP"/>.</summary>
	public IPSEC_PFS_GROUP pfsGroup;
}
/// <summary>
/// The <c>IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0</c> structure groups the encryption and authentication algorithm information (including
/// their keys) of an IPsec security association (SA).
/// </summary>
/// <remarks>
/// IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0 is a specific implementation of IPSEC_SA_AUTH_AND_CIPHER_INFORMATION. See WFP Version-Independent
/// Names and Targeting Specific Versions of Windows for more information.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_auth_and_cipher_information0 typedef struct
// IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0_ { IPSEC_SA_CIPHER_INFORMATION0 saCipherInformation; IPSEC_SA_AUTH_INFORMATION0
// saAuthInformation; } IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0_")]
public struct IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0
{
	/// <summary>Encryption algorithm information, as specified by <see cref="IPSEC_SA_CIPHER_INFORMATION0"/>.</summary>
	public IPSEC_SA_CIPHER_INFORMATION0 saCipherInformation;

	/// <summary>Authentication algorithm information, as specified by <see cref="IPSEC_SA_AUTH_INFORMATION0"/>.</summary>
	public IPSEC_SA_AUTH_INFORMATION0 saAuthInformation;
}
/// <summary>
/// The <c>IPSEC_SA_AUTH_INFORMATION0</c> structure stores the authentication algorithm and its key for an IPsec security association (SA).
/// </summary>
/// <remarks>
/// <para>
/// IPSEC_SA_AUTH_INFORMATION0 is a specific implementation of IPSEC_SA_AUTH_INFORMATION. See WFP Version-Independent Names and Targeting
/// Specific Versions of Windows for more information.
/// </para>
/// <para>
/// NOTE(review): <see cref="authKey"/> is raw SA key material living in caller-owned unmanaged memory. Nothing in this struct copies,
/// pins or scrubs it, so the caller should zero that buffer once the SA has been handed to the driver — confirm against the caller's
/// allocation strategy.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_auth_information0 typedef struct
// IPSEC_SA_AUTH_INFORMATION0_ { IPSEC_AUTH_TRANSFORM0 authTransform; FWP_BYTE_BLOB authKey; } IPSEC_SA_AUTH_INFORMATION0;
[StructLayout(LayoutKind.Sequential)]
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_AUTH_INFORMATION0_")]
public struct IPSEC_SA_AUTH_INFORMATION0
{
	/// <summary>Authentication algorithm details, as specified by <see cref="IPSEC_AUTH_TRANSFORM0"/>.</summary>
	public IPSEC_AUTH_TRANSFORM0 authTransform;

	/// <summary>The key for the authentication algorithm, stored in an <see cref="FWP_BYTE_BLOB"/>.</summary>
	public FWP_BYTE_BLOB authKey;
}
///
/// The IPSEC_SA_BUNDLE0 structure is used to store information about an IPsec security association (SA) bundle. IPSEC_SA_BUNDLE1
/// is available.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_bundle0 typedef struct IPSEC_SA_BUNDLE0_ { UINT32
// flags; IPSEC_SA_LIFETIME0 lifetime; UINT32 idleTimeoutSeconds; UINT32 ndAllowClearTimeoutSeconds; IPSEC_ID0 *ipsecId; UINT32
// napContext; UINT32 qmSaId; UINT32 numSAs; IPSEC_SA0 *saList; IPSEC_KEYMODULE_STATE0 *keyModuleState; FWP_IP_VERSION ipVersion; union {
// UINT32 peerV4PrivateAddress; }; UINT64 mmSaId; IPSEC_PFS_GROUP pfsGroup; } IPSEC_SA_BUNDLE0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_BUNDLE0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_BUNDLE0
{
///
/// A combination of the following values.
///
///
/// IPsec SA bundle flag
/// Meaning
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_ND_SECURE
/// Negotiation discovery is enabled in secure ring.
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_ND_BOUNDARY
/// Negotiation discovery is enabled in the untrusted perimeter zone.
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_ND_PEER_NAT_BOUNDARY
/// Peer is in untrusted perimeter zone ring and a NAT is in the way. Used with negotiation discovery.
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_GUARANTEE_ENCRYPTION
/// Indicates that this is an SA for connections that require guaranteed encryption.
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_NLB
/// Indicates that this is an SA to an NLB server.
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_NO_MACHINE_LUID_VERIFY
/// Indicates that this SA should bypass machine LUID verification.
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_NO_IMPERSONATION_LUID_VERIFY
/// Indicates that this SA should bypass impersonation LUID verification.
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_NO_EXPLICIT_CRED_MATCH
/// Indicates that this SA should bypass explicit credential handle matching.
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_ALLOW_NULL_TARGET_NAME_MATCH
/// Allows an SA formed with a peer name to carry traffic that does not have an associated peer target.
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_CLEAR_DF_ON_TUNNEL
///
/// Clears the DontFragment bit on the outer IP header of an IPsec-tunneled packet. This flag is applicable only to tunnel
/// mode SAs.
///
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND
///
/// Default encapsulation ports (4500 and 4000) can be used when matching this SA with packets on outbound connections that do not
/// have an associated IPsec-NAT-shim context.
///
///
/// -
/// IPSEC_SA_BUNDLE_FLAG_ND_PEER_BOUNDARY
/// Peer has negotiation discovery enabled, and is on a perimeter network.
///
///
///
public IPSEC_SA_BUNDLE_FLAG flags;
/// Lifetime of all the SAs in the bundle as specified by IPSEC_SA_LIFETIME0.
public IPSEC_SA_LIFETIME0 lifetime;
/// Timeout in seconds after which the SAs in the bundle will idle out (due to traffic inactivity) and expire.
public uint idleTimeoutSeconds;
///
/// Timeout in seconds, after which the IPsec SA should stop accepting packets coming in the clear.
/// Used for negotiation discovery.
///
public uint ndAllowClearTimeoutSeconds;
/// Pointer to an structure that contains optional IPsec identity info.
public IntPtr ipsecId;
/// Network Access Protection (NAP) peer credentials information.
public uint napContext;
///
/// SA identifier used by IPsec when choosing the SA to expire. For an IPsec SA pair, the qmSaId must be the same between the
/// initiating and responding machines and across inbound and outbound SA bundles. For different IPsec pairs, the qmSaId must
/// be different.
///
public uint qmSaId;
/// Number of SAs in the bundle. The only possible values are 1 and 2. Use 2 only when specifying AH + ESP SAs.
public uint numSAs;
///
/// Array of IPsec SAs in the bundle. For AH + ESP SAs, use index [0] for ESP SA and index [1] for AH SA.
/// See IPSEC_SA0 for more information.
///
public IntPtr saList;
/// Optional keying module specific information as specified by IPSEC_KEYMODULE_STATE0.
public IntPtr keyModuleState;
/// IP version as specified by FWP_IP_VERSION.
public FWP_IP_VERSION ipVersion;
///
/// Available when ipVersion is FWP_IP_VERSION_V4. If peer is behind a network address translation (NAT) device, this
/// member stores the peer's private address.
///
public IN_ADDR peerV4PrivateAddress;
/// Use this ID to correlate this IPsec SA with the IKE SA that generated it.
public ulong mmSaId;
///
///
/// Specifies whether Quick Mode perfect forward secrecy (PFS) was enabled for this SA, and if so, contains the Diffie-Hellman group
/// that was used for PFS.
///
/// See IPSEC_PFS_GROUP for more information.
///
public IPSEC_PFS_GROUP pfsGroup;
}
///
/// The IPSEC_SA_BUNDLE1 structure is used to store information about an IPsec security association (SA) bundle. IPSEC_SA_BUNDLE0
/// is available.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_bundle1 typedef struct IPSEC_SA_BUNDLE1_ { UINT32
// flags; IPSEC_SA_LIFETIME0 lifetime; UINT32 idleTimeoutSeconds; UINT32 ndAllowClearTimeoutSeconds; IPSEC_ID0 *ipsecId; UINT32
// napContext; UINT32 qmSaId; UINT32 numSAs; IPSEC_SA0 *saList; IPSEC_KEYMODULE_STATE0 *keyModuleState; FWP_IP_VERSION ipVersion; union {
// UINT32 peerV4PrivateAddress; }; UINT64 mmSaId; IPSEC_PFS_GROUP pfsGroup; GUID saLookupContext; UINT64 qmFilterId; } IPSEC_SA_BUNDLE1;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_BUNDLE1_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_BUNDLE1
{
    /// <summary>
    /// A combination of <see cref="IPSEC_SA_BUNDLE_FLAG"/> values:
    /// <list type="bullet">
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_ND_SECURE</term><description>Negotiation discovery is enabled in secure ring.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_ND_BOUNDARY</term><description>Negotiation discovery is enabled in the untrusted perimeter zone.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_ND_PEER_NAT_BOUNDARY</term><description>Peer is in untrusted perimeter zone ring and a network address translation (NAT) is in the way. Used with negotiation discovery.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_GUARANTEE_ENCRYPTION</term><description>Indicates that this is an SA for connections that require guaranteed encryption.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_NLB</term><description>Indicates that this is an SA to an NLB server.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_NO_MACHINE_LUID_VERIFY</term><description>Indicates that this SA should bypass machine LUID verification.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_NO_IMPERSONATION_LUID_VERIFY</term><description>Indicates that this SA should bypass impersonation LUID verification.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_NO_EXPLICIT_CRED_MATCH</term><description>Indicates that this SA should bypass explicit credential handle matching.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_ALLOW_NULL_TARGET_NAME_MATCH</term><description>Allows an SA formed with a peer name to carry traffic that does not have an associated peer target.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_CLEAR_DF_ON_TUNNEL</term><description>Clears the DontFragment bit on the outer IP header of an IPsec-tunneled packet. This flag is applicable only to tunnel mode SAs.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND</term><description>Default encapsulation ports (4500 and 4000) can be used when matching this SA with packets on outbound connections that do not have an associated IPsec-NAT-shim context.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_ND_PEER_BOUNDARY</term><description>Peer has negotiation discovery enabled, and is on a perimeter network.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_SUPPRESS_DUPLICATE_DELETION</term><description>Suppresses the duplicate SA deletion logic. This logic is performed by the kernel when an outbound SA is added, to prevent unnecessary duplicate SAs.</description></item>
    /// <item><term>IPSEC_SA_BUNDLE_FLAG_PEER_SUPPORTS_GUARANTEE_ENCRYPTION</term><description>Indicates that the peer computer supports negotiating a separate SA for connections that require guaranteed encryption.</description></item>
    /// </list>
    /// </summary>
    /// <remarks>
    /// NOTE(review): the NO_MACHINE_LUID_VERIFY, NO_IMPERSONATION_LUID_VERIFY, NO_EXPLICIT_CRED_MATCH and ALLOW_NULL_TARGET_NAME_MATCH
    /// flags each relax a credential, LUID or peer-identity check on the SA; their presence on a bundle that is built or enumerated
    /// through this wrapper is worth surfacing in any policy audit.
    /// </remarks>
    public IPSEC_SA_BUNDLE_FLAG flags;

    /// <summary>Lifetime of all the SAs in the bundle as specified by <see cref="IPSEC_SA_LIFETIME0"/>.</summary>
    public IPSEC_SA_LIFETIME0 lifetime;

    /// <summary>Timeout in seconds after which the SAs in the bundle will idle out (due to traffic inactivity) and expire.</summary>
    public uint idleTimeoutSeconds;

    /// <summary>
    /// Timeout in seconds, after which the IPsec SA should stop accepting packets coming in the clear. Used for negotiation discovery.
    /// </summary>
    public uint ndAllowClearTimeoutSeconds;

    /// <summary>
    /// Pointer to an <c>IPSEC_ID0</c> structure that contains optional IPsec identity info. Held as a raw pointer; this struct does not
    /// own or free the memory it points to.
    /// </summary>
    public IntPtr ipsecId;

    /// <summary>Network Access Protection (NAP) peer credentials information.</summary>
    public uint napContext;

    /// <summary>
    /// SA identifier used by IPsec when choosing the SA to expire. For an IPsec SA pair, the qmSaId must be the same between the
    /// initiating and responding machines and across inbound and outbound SA bundles. For different IPsec pairs, the qmSaId must
    /// be different.
    /// </summary>
    public uint qmSaId;

    /// <summary>
    /// Number of SAs in the bundle. The only possible values are 1 and 2. Use 2 only when specifying AH and ESP SAs. This is the bound
    /// for any read through <see cref="saList"/>.
    /// </summary>
    public uint numSAs;

    /// <summary>
    /// Pointer to an array of <c>IPSEC_SA0</c> structures (the IPsec SAs in the bundle), <see cref="numSAs"/> elements long. For AH and
    /// ESP SAs, use index 0 for ESP SA and index 1 for AH SA. Not owned by this struct.
    /// </summary>
    public IntPtr saList;

    /// <summary>Pointer to optional keying module specific information as specified by <c>IPSEC_KEYMODULE_STATE0</c>. Not owned by this struct.</summary>
    public IntPtr keyModuleState;

    /// <summary>IP version as specified by <see cref="FWP_IP_VERSION"/>.</summary>
    public FWP_IP_VERSION ipVersion;

    /// <summary>
    /// Available when <see cref="ipVersion"/> is <c>FWP_IP_VERSION_V4</c>. If peer is behind a NAT device, this member stores the
    /// peer's private address.
    /// </summary>
    /// <remarks>
    /// Maps the native single-member union <c>{ UINT32 peerV4PrivateAddress; }</c>; <see cref="IN_ADDR"/> is assumed to be 4 bytes so
    /// the sequential layout stays in step with the UINT32 — confirm if IN_ADDR's layout ever changes.
    /// </remarks>
    public IN_ADDR peerV4PrivateAddress;

    /// <summary>Use this ID to correlate this IPsec SA with the IKE SA that generated it.</summary>
    public ulong mmSaId;

    /// <summary>
    /// Specifies whether Quick Mode perfect forward secrecy (PFS) was enabled for this SA, and if so, contains the Diffie-Hellman group
    /// that was used for PFS. See <see cref="IPSEC_PFS_GROUP"/> for more information.
    /// </summary>
    public IPSEC_PFS_GROUP pfsGroup;

    /// <summary>
    /// SA lookup context which is propagated from the SA to data connections flowing over that SA. It is made available to any
    /// application that queries socket security properties using the Winsock API WSAQuerySocketSecurity function, allowing the
    /// application to obtain detailed IPsec authentication information for its connection.
    /// </summary>
    public Guid saLookupContext;

    /// <summary>
    /// Quick Mode filter identifier (inferred from the name and the sibling <see cref="qmSaId"/>; the original comment carried no
    /// description — confirm against the ipsectypes.h documentation).
    /// </summary>
    public ulong qmFilterId;
}
///
/// The IPSEC_SA_CIPHER_INFORMATION0 structure stores information about the encryption algorithm of an IPsec security association (SA).
///
///
/// IPSEC_SA_CIPHER_INFORMATION0 is a specific implementation of IPSEC_SA_CIPHER_INFORMATION. See WFP Version-Independent Names
/// and Targeting Specific Versions of Windows for more information.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_cipher_information0 typedef struct
// IPSEC_SA_CIPHER_INFORMATION0_ { IPSEC_CIPHER_TRANSFORM0 cipherTransform; FWP_BYTE_BLOB cipherKey; } IPSEC_SA_CIPHER_INFORMATION0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_CIPHER_INFORMATION0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_CIPHER_INFORMATION0
{
    /// <summary>Encryption algorithm specific details as specified by <see cref="IPSEC_CIPHER_TRANSFORM0"/>.</summary>
    public IPSEC_CIPHER_TRANSFORM0 cipherTransform;

    /// <summary>Key used for the encryption algorithm as specified by <see cref="FWP_BYTE_BLOB"/>.</summary>
    /// <remarks>
    /// NOTE(review): this blob carries raw SA key material. Any managed copy made while marshalling it should be treated as a secret
    /// and cleared once it is no longer needed; the blob's buffer is not owned or freed by this struct.
    /// </remarks>
    public FWP_BYTE_BLOB cipherKey;
}
/// The IPSEC_SA_CONTEXT_CHANGE0 structure contains information about an IPsec security association (SA) context change.
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_context_change0 typedef struct
// IPSEC_SA_CONTEXT_CHANGE0_ { IPSEC_SA_CONTEXT_EVENT_TYPE0 changeType; UINT64 saContextId; } IPSEC_SA_CONTEXT_CHANGE0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_CONTEXT_CHANGE0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_CONTEXT_CHANGE0
{
    /// <summary>
    /// <para>Type: <see cref="IPSEC_SA_CONTEXT_EVENT_TYPE0"/></para>
    /// <para>The type of IPsec SA context change event.</para>
    /// </summary>
    public IPSEC_SA_CONTEXT_EVENT_TYPE0 changeType;

    /// <summary>
    /// <para>Type: <c>UINT64</c></para>
    /// <para>Identifier of the IPsec SA context that changed.</para>
    /// </summary>
    public ulong saContextId;
}
///
/// The IPSEC_SA_CONTEXT_ENUM_TEMPLATE0 structure is an enumeration template used to enumerate security association (SA) contexts.
///
///
/// IPSEC_SA_CONTEXT_ENUM_TEMPLATE0 is a specific implementation of IPSEC_SA_CONTEXT_ENUM_TEMPLATE. See WFP Version-Independent
/// Names and Targeting Specific Versions of Windows for more information.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_context_enum_template0 typedef struct
// IPSEC_SA_CONTEXT_ENUM_TEMPLATE0_ { FWP_CONDITION_VALUE0 localSubNet; FWP_CONDITION_VALUE0 remoteSubNet; } IPSEC_SA_CONTEXT_ENUM_TEMPLATE0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_CONTEXT_ENUM_TEMPLATE0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_CONTEXT_ENUM_TEMPLATE0
{
    /// <summary>
    /// <para>
    /// An <see cref="FWP_CONDITION_VALUE0"/> structure that specifies a subnet from which SA contexts that contain a local address will
    /// be returned. This member may be empty.
    /// </para>
    /// <para>Acceptable type values for this member are: FWP_V6_ADDR_AND_MASK.</para>
    /// </summary>
    /// <remarks>
    /// NOTE(review): the original comment lists only the IPv6 mask type; an IPv4 address-and-mask type is likely accepted as well —
    /// confirm against the ipsectypes.h documentation before relying on it.
    /// </remarks>
    public FWP_CONDITION_VALUE0 localSubNet;

    /// <summary>
    /// <para>
    /// An <see cref="FWP_CONDITION_VALUE0"/> structure that specifies a subnet from which SA contexts that contain a remote address will
    /// be returned. This member may be empty.
    /// </para>
    /// <para>Acceptable type values for this member are: FWP_V6_ADDR_AND_MASK.</para>
    /// </summary>
    /// <remarks>
    /// NOTE(review): as for <see cref="localSubNet"/>, the accepted IPv4 type is not listed in the original comment — confirm.
    /// </remarks>
    public FWP_CONDITION_VALUE0 remoteSubNet;
}
///
/// The IPSEC_SA_CONTEXT_SUBSCRIPTION0 structure stores information used to subscribe to notifications about a particular IPsec
/// security association (SA) context.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_context_subscription0 typedef struct
// IPSEC_SA_CONTEXT_SUBSCRIPTION0_ { IPSEC_SA_CONTEXT_ENUM_TEMPLATE0 *enumTemplate; UINT32 flags; GUID sessionKey; } IPSEC_SA_CONTEXT_SUBSCRIPTION0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_CONTEXT_SUBSCRIPTION0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_CONTEXT_SUBSCRIPTION0
{
    /// <summary>
    /// <para>Type: <c>IPSEC_SA_CONTEXT_ENUM_TEMPLATE0*</c></para>
    /// <para>
    /// Pointer to an <see cref="IPSEC_SA_CONTEXT_ENUM_TEMPLATE0"/> used as the enumeration template for limiting the subscription. Held
    /// as a raw pointer; the caller is responsible for the pointed-to memory's lifetime.
    /// </para>
    /// </summary>
    public IntPtr enumTemplate;

    /// <summary>
    /// <para>Type: <c>UINT32</c></para>
    /// <para>This member is reserved for system use.</para>
    /// </summary>
    public uint flags;

    /// <summary>
    /// <para>Type: <c>GUID</c></para>
    /// <para>Identifies the session that created the subscription.</para>
    /// </summary>
    public Guid sessionKey;
}
/// The IPSEC_SA_CONTEXT0 structure encapsulates an inbound and outbound SA pair. IPSEC_SA_CONTEXT1 is available.
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_context0 typedef struct IPSEC_SA_CONTEXT0_ {
// UINT64 saContextId; IPSEC_SA_DETAILS0 *inboundSa; IPSEC_SA_DETAILS0 *outboundSa; } IPSEC_SA_CONTEXT0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_CONTEXT0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_CONTEXT0
{
    /// <summary>Identifies the SA context.</summary>
    public ulong saContextId;

    /// <summary>
    /// Pointer to an <see cref="IPSEC_SA_DETAILS0"/> structure that contains information about the inbound SA. Not owned by this
    /// struct; valid only as long as the native buffer it was returned in.
    /// </summary>
    public IntPtr inboundSa;

    /// <summary>
    /// Pointer to an <see cref="IPSEC_SA_DETAILS0"/> structure that contains information about the outbound SA. Not owned by this
    /// struct; valid only as long as the native buffer it was returned in.
    /// </summary>
    public IntPtr outboundSa;
}
///
/// The IPSEC_SA_CONTEXT1 structure encapsulates an inbound and outbound security association (SA) pair. IPSEC_SA_CONTEXT0 is available.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_context1 typedef struct IPSEC_SA_CONTEXT1_ {
// UINT64 saContextId; IPSEC_SA_DETAILS1 *inboundSa; IPSEC_SA_DETAILS1 *outboundSa; } IPSEC_SA_CONTEXT1;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_CONTEXT1_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_CONTEXT1
{
    /// <summary>Identifies the SA context.</summary>
    public ulong saContextId;

    /// <summary>
    /// Pointer to an <see cref="IPSEC_SA_DETAILS1"/> structure that contains information about the inbound SA. Not owned by this
    /// struct; valid only as long as the native buffer it was returned in.
    /// </summary>
    public IntPtr inboundSa;

    /// <summary>
    /// Pointer to an <see cref="IPSEC_SA_DETAILS1"/> structure that contains information about the outbound SA. Not owned by this
    /// struct; valid only as long as the native buffer it was returned in.
    /// </summary>
    public IntPtr outboundSa;
}
///
/// The IPSEC_SA_DETAILS0 structure is used to store information returned when enumerating IPsec security associations (SAs).
/// IPSEC_SA_DETAILS1 is available.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_details0 typedef struct IPSEC_SA_DETAILS0_ {
// FWP_IP_VERSION ipVersion; FWP_DIRECTION saDirection; IPSEC_TRAFFIC0 traffic; IPSEC_SA_BUNDLE0 saBundle; union {
// IPSEC_V4_UDP_ENCAPSULATION0 *udpEncapsulation; }; FWPM_FILTER0 *transportFilter; } IPSEC_SA_DETAILS0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_DETAILS0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_DETAILS0
{
    /// <summary>Internet Protocol (IP) version as specified by <see cref="FWP_IP_VERSION"/>.</summary>
    public FWP_IP_VERSION ipVersion;

    /// <summary>Indicates direction of the IPsec SA as specified by <see cref="FWP_DIRECTION"/>.</summary>
    public FWP_DIRECTION saDirection;

    /// <summary>The traffic being secured by this IPsec SA as specified by <see cref="IPSEC_TRAFFIC0"/>.</summary>
    public IPSEC_TRAFFIC0 traffic;

    /// <summary>
    /// Various parameters of the SA as specified by <see cref="IPSEC_SA_BUNDLE0"/>. The bundle's <c>saList</c> pointer is only
    /// meaningful for <c>numSAs</c> elements.
    /// </summary>
    public IPSEC_SA_BUNDLE0 saBundle;

    /// <summary>
    /// <para>
    /// Pointer to an <c>IPSEC_V4_UDP_ENCAPSULATION0</c> structure that stores the UDP encapsulation ports if UDP-ESP encapsulation is
    /// enabled on the SA.
    /// </para>
    /// <para>Available if <see cref="ipVersion"/> is <c>FWP_IP_VERSION_V4</c>.</para>
    /// </summary>
    /// <remarks>Maps the native single-member union <c>{ IPSEC_V4_UDP_ENCAPSULATION0 *udpEncapsulation; }</c>. Not owned by this struct.</remarks>
    public IntPtr udpEncapsulation;

    /// <summary>
    /// Pointer to the transport layer filter corresponding to this IPsec SA as specified by <c>FWPM_FILTER0</c>. Not owned by this struct.
    /// </summary>
    public IntPtr transportFilter;
}
///
/// The IPSEC_SA_DETAILS1 structure is used to store information returned when enumerating IPsec security associations (SAs).
/// IPSEC_SA_DETAILS0 is available.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_details1 typedef struct IPSEC_SA_DETAILS1_ {
// FWP_IP_VERSION ipVersion; FWP_DIRECTION saDirection; IPSEC_TRAFFIC1 traffic; IPSEC_SA_BUNDLE1 saBundle; union {
// IPSEC_V4_UDP_ENCAPSULATION0 *udpEncapsulation; }; FWPM_FILTER0 *transportFilter; IPSEC_VIRTUAL_IF_TUNNEL_INFO0 virtualIfTunnelInfo; } IPSEC_SA_DETAILS1;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_DETAILS1_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_DETAILS1
{
    /// <summary>
    /// An <see cref="FWP_IP_VERSION"/> value that specifies the IP version. In tunnel mode, this is the version of the outer header.
    /// </summary>
    public FWP_IP_VERSION ipVersion;

    /// <summary>An <see cref="FWP_DIRECTION"/> value that indicates the direction of the IPsec SA.</summary>
    public FWP_DIRECTION saDirection;

    /// <summary>
    /// An <see cref="IPSEC_TRAFFIC1"/> structure that specifies the traffic being secured by this IPsec SA. In tunnel mode, this
    /// contains both the tunnel endpoints and Quick Mode (QM) traffic selectors.
    /// </summary>
    public IPSEC_TRAFFIC1 traffic;

    /// <summary>
    /// An <see cref="IPSEC_SA_BUNDLE1"/> structure that specifies various parameters of the SA. The bundle's <c>saList</c> pointer is
    /// only meaningful for <c>numSAs</c> elements.
    /// </summary>
    public IPSEC_SA_BUNDLE1 saBundle;

    /// <summary>
    /// <para>
    /// Pointer to an <c>IPSEC_V4_UDP_ENCAPSULATION0</c> structure that stores the UDP encapsulation ports if UDP-ESP encapsulation is
    /// enabled on the SA.
    /// </para>
    /// <para>Available if <see cref="ipVersion"/> is <c>FWP_IP_VERSION_V4</c>.</para>
    /// </summary>
    /// <remarks>Maps the native single-member union <c>{ IPSEC_V4_UDP_ENCAPSULATION0 *udpEncapsulation; }</c>. Not owned by this struct.</remarks>
    public IntPtr udpEncapsulation;

    /// <summary>
    /// Pointer to an <c>FWPM_FILTER0</c> structure that specifies the transport layer filter that corresponds to this IPsec SA. Not
    /// owned by this struct.
    /// </summary>
    public IntPtr transportFilter;

    /// <summary>
    /// An <see cref="IPSEC_VIRTUAL_IF_TUNNEL_INFO0"/> structure that specifies the virtual interface tunnel information. Only supported
    /// by Internet Key Exchange version 2 (IKEv2).
    /// </summary>
    public IPSEC_VIRTUAL_IF_TUNNEL_INFO0 virtualIfTunnelInfo;
}
///
/// The IPSEC_SA_ENUM_TEMPLATE0 structure specifies a template used for restricting the enumeration of IPsec security associations (SAs).
///
///
/// IPSEC_SA_ENUM_TEMPLATE0 is a specific implementation of IPSEC_SA_ENUM_TEMPLATE. See WFP Version-Independent Names and
/// Targeting Specific Versions of Windows for more information.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_enum_template0 typedef struct
// IPSEC_SA_ENUM_TEMPLATE0_ { FWP_DIRECTION saDirection; } IPSEC_SA_ENUM_TEMPLATE0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_ENUM_TEMPLATE0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_ENUM_TEMPLATE0
{
    /// <summary>Direction of the SAs to enumerate. See <see cref="FWP_DIRECTION"/> for more information.</summary>
    public FWP_DIRECTION saDirection;
}
/// The IPSEC_SA_IDLE_TIMEOUT0 structure specifies the security association (SA) idle timeout in IPsec policy.
///
/// IPSEC_SA_IDLE_TIMEOUT0 is a specific implementation of IPSEC_SA_IDLE_TIMEOUT. See WFP Version-Independent Names and Targeting
/// Specific Versions of Windows for more information.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_idle_timeout0 typedef struct
// IPSEC_SA_IDLE_TIMEOUT0_ { UINT32 idleTimeoutSeconds; UINT32 idleTimeoutSecondsFailOver; } IPSEC_SA_IDLE_TIMEOUT0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_IDLE_TIMEOUT0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_IDLE_TIMEOUT0
{
    /// <summary>Specifies the amount of time in seconds after which IPsec SAs should become idle.</summary>
    public uint idleTimeoutSeconds;

    /// <summary>
    /// Specifies the amount of time in seconds after which IPsec SAs should become idle if the peer machine supports fail over.
    /// </summary>
    public uint idleTimeoutSecondsFailOver;
}
///
/// The IPSEC_SA_LIFETIME0 structure stores the lifetime in seconds/kilobytes/packets for an IPsec security association (SA).
///
///
/// IPSEC_SA_LIFETIME0 is a specific implementation of IPSEC_SA_LIFETIME. See WFP Version-Independent Names and Targeting Specific
/// Versions of Windows for more information.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_lifetime0 typedef struct IPSEC_SA_LIFETIME0_ {
// UINT32 lifetimeSeconds; UINT32 lifetimeKilobytes; UINT32 lifetimePackets; } IPSEC_SA_LIFETIME0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_LIFETIME0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_LIFETIME0
{
    /// <summary>SA lifetime in seconds.</summary>
    public uint lifetimeSeconds;

    /// <summary>SA lifetime in kilobytes.</summary>
    public uint lifetimeKilobytes;

    /// <summary>SA lifetime in packets.</summary>
    public uint lifetimePackets;
}
///
/// The IPSEC_SA_TRANSFORM0 structure is used to store an IPsec security association (SA) transform in an IPsec quick mode policy.
///
///
/// IPSEC_SA_TRANSFORM0 is a specific implementation of IPSEC_SA_TRANSFORM. See WFP Version-Independent Names and Targeting
/// Specific Versions of Windows for more information.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa_transform0 typedef struct IPSEC_SA_TRANSFORM0_ {
// IPSEC_TRANSFORM_TYPE ipsecTransformType; union { IPSEC_AUTH_TRANSFORM0 *ahTransform; IPSEC_AUTH_TRANSFORM0 *espAuthTransform;
// IPSEC_CIPHER_TRANSFORM0 *espCipherTransform; IPSEC_AUTH_AND_CIPHER_TRANSFORM0 *espAuthAndCipherTransform; IPSEC_AUTH_TRANSFORM0
// *espAuthFwTransform; }; } IPSEC_SA_TRANSFORM0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA_TRANSFORM0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA_TRANSFORM0
{
    /// <summary>
    /// Type of the SA transform. See <see cref="IPSEC_TRANSFORM_TYPE"/> for more information. This discriminator selects which of the
    /// pointer properties below is meaningful; all of them alias the same storage.
    /// </summary>
    public IPSEC_TRANSFORM_TYPE ipsecTransformType;

    // Backing storage for the native union: every property below reads and writes this one pointer, mirroring the C layout.
    private IntPtr ptr;

    /// <summary>
    /// SA transform data. Available when <see cref="ipsecTransformType"/> is <c>IPSEC_TRANSFORM_AH</c>. See <c>IPSEC_AUTH_TRANSFORM0</c>
    /// for more information.
    /// </summary>
    /// <remarks>
    /// The getter wraps the raw pointer in a <see cref="SafeCoTaskMemStruct"/> whose second constructor argument is <see langword="false"/>
    /// (presumably "does not own the handle" — confirm against that constructor), and the setter stores only the pointer taken from the
    /// supplied handle. This struct never frees the memory, so the caller must keep the owning handle alive for as long as the native
    /// struct is in use.
    /// </remarks>
    public SafeCoTaskMemStruct ahTransform { get => new(ptr, false); set => ptr = value; }

    /// <summary>
    /// SA transform data. Available when <see cref="ipsecTransformType"/> is <c>IPSEC_TRANSFORM_ESP_AUTH</c>. See
    /// <c>IPSEC_AUTH_TRANSFORM0</c> for more information. Same storage and ownership semantics as <see cref="ahTransform"/>.
    /// </summary>
    public SafeCoTaskMemStruct espAuthTransform { get => new(ptr, false); set => ptr = value; }

    /// <summary>
    /// SA transform data. Available when <see cref="ipsecTransformType"/> is <c>IPSEC_TRANSFORM_ESP_CIPHER</c>. See
    /// <c>IPSEC_CIPHER_TRANSFORM0</c> for more information. Same storage and ownership semantics as <see cref="ahTransform"/>.
    /// </summary>
    public SafeCoTaskMemStruct espCipherTransform { get => new(ptr, false); set => ptr = value; }

    /// <summary>
    /// SA transform data. Available when <see cref="ipsecTransformType"/> is <c>IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER</c>. See
    /// <c>IPSEC_AUTH_AND_CIPHER_TRANSFORM0</c> for more information. Same storage and ownership semantics as <see cref="ahTransform"/>.
    /// </summary>
    public SafeCoTaskMemStruct espAuthAndCipherTransform { get => new(ptr, false); set => ptr = value; }

    /// <summary>
    /// SA transform data. Available when <see cref="ipsecTransformType"/> is <c>IPSEC_TRANSFORM_ESP_AUTH_FW</c>. See
    /// <c>IPSEC_AUTH_TRANSFORM0</c> for more information. Same storage and ownership semantics as <see cref="ahTransform"/>.
    /// <para><b>Note</b> Available only on Windows Server 2008 R2, Windows 7, or later.</para>
    /// </summary>
    public SafeCoTaskMemStruct espAuthFwTransform { get => new(ptr, false); set => ptr = value; }
}
/// The IPSEC_SA0 structure is used to store information about an IPsec security association (SA).
///
/// IPSEC_SA0 is a specific implementation of IPSEC_SA. See WFP Version-Independent Names and Targeting Specific Versions of
/// Windows for more information.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_sa0 typedef struct IPSEC_SA0_ { IPSEC_SA_SPI spi;
// IPSEC_TRANSFORM_TYPE saTransformType; union { IPSEC_SA_AUTH_INFORMATION0 *ahInformation; IPSEC_SA_AUTH_INFORMATION0
// *espAuthInformation; IPSEC_SA_CIPHER_INFORMATION0 *espCipherInformation; IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0
// *espAuthAndCipherInformation; IPSEC_SA_AUTH_INFORMATION0 *espAuthFwInformation; }; } IPSEC_SA0;
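[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_SA0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_SA0
{
    /// <summary>Security parameter index (SPI) of the IPsec SA. <c>IPSEC_SA_SPI</c> is defined in ipsectypes.h as UINT32.</summary>
    public uint spi;

    /// <summary>
    /// Transform type of the SA specifying the IPsec security protocol. See <see cref="IPSEC_TRANSFORM_TYPE"/> for more information.
    /// This discriminator selects which of the pointer properties below is meaningful; all of them alias the same storage.
    /// </summary>
    public IPSEC_TRANSFORM_TYPE saTransformType;

    // Backing storage for the native union: every property below reads and writes this one pointer, mirroring the C layout.
    private IntPtr ptr;

    /// <summary>
    /// Security algorithms of the SA transform. Available when <see cref="saTransformType"/> is <c>IPSEC_TRANSFORM_AH</c>. See
    /// <c>IPSEC_SA_AUTH_INFORMATION0</c> for more information.
    /// </summary>
    /// <remarks>
    /// The getter wraps the raw pointer in a <see cref="SafeCoTaskMemStruct"/> whose second constructor argument is <see langword="false"/>
    /// (presumably "does not own the handle" — confirm against that constructor), and the setter stores only the pointer taken from the
    /// supplied handle. This struct never frees the memory, so the caller must keep the owning handle alive for as long as the native
    /// struct is in use. The pointed-to information blocks carry SA key material.
    /// </remarks>
    public SafeCoTaskMemStruct ahInformation { get => new(ptr, false); set => ptr = value; }

    /// <summary>
    /// Security algorithms of the SA transform. Available when <see cref="saTransformType"/> is <c>IPSEC_TRANSFORM_ESP_AUTH</c>. See
    /// <c>IPSEC_SA_AUTH_INFORMATION0</c> for more information. Same storage and ownership semantics as <see cref="ahInformation"/>.
    /// </summary>
    public SafeCoTaskMemStruct espAuthInformation { get => new(ptr, false); set => ptr = value; }

    /// <summary>
    /// Security algorithms of the SA transform. Available when <see cref="saTransformType"/> is <c>IPSEC_TRANSFORM_ESP_CIPHER</c>. See
    /// <c>IPSEC_SA_CIPHER_INFORMATION0</c> for more information. Same storage and ownership semantics as <see cref="ahInformation"/>.
    /// </summary>
    public SafeCoTaskMemStruct espCipherInformation { get => new(ptr, false); set => ptr = value; }

    /// <summary>
    /// Security algorithms of the SA transform. Available when <see cref="saTransformType"/> is
    /// <c>IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER</c>. See <c>IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0</c> for more information. Same storage
    /// and ownership semantics as <see cref="ahInformation"/>.
    /// </summary>
    public SafeCoTaskMemStruct espAuthAndCipherInformation { get => new(ptr, false); set => ptr = value; }

    /// <summary>
    /// Security algorithms of the SA transform. Available when <see cref="saTransformType"/> is <c>IPSEC_TRANSFORM_ESP_AUTH_FW</c>.
    /// Same storage and ownership semantics as <see cref="ahInformation"/>.
    /// <para><b>Note</b> Available only on Windows Server 2008 R2, Windows 7, or later.</para>
    /// </summary>
    public SafeCoTaskMemStruct espAuthFwInformation { get => new(ptr, false); set => ptr = value; }
}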
/// The IPSEC_STATISTICS0 structure is the top-level of the IPsec statistics structures. IPSEC_STATISTICS1 is available.
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_statistics0 typedef struct IPSEC_STATISTICS0_ {
// IPSEC_AGGREGATE_SA_STATISTICS0 aggregateSaStatistics; IPSEC_ESP_DROP_PACKET_STATISTICS0 espDropPacketStatistics;
// IPSEC_AH_DROP_PACKET_STATISTICS0 ahDropPacketStatistics; IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0 aggregateDropPacketStatistics;
// IPSEC_TRAFFIC_STATISTICS0 inboundTrafficStatistics; IPSEC_TRAFFIC_STATISTICS0 outboundTrafficStatistics; } IPSEC_STATISTICS0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_STATISTICS0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_STATISTICS0
{
    /// <summary><see cref="IPSEC_AGGREGATE_SA_STATISTICS0"/> structure containing IPsec aggregate SA statistics.</summary>
    public IPSEC_AGGREGATE_SA_STATISTICS0 aggregateSaStatistics;

    /// <summary><see cref="IPSEC_ESP_DROP_PACKET_STATISTICS0"/> structure containing IPsec ESP drop packet statistics.</summary>
    public IPSEC_ESP_DROP_PACKET_STATISTICS0 espDropPacketStatistics;

    /// <summary><see cref="IPSEC_AH_DROP_PACKET_STATISTICS0"/> structure containing IPsec AH drop packet statistics.</summary>
    public IPSEC_AH_DROP_PACKET_STATISTICS0 ahDropPacketStatistics;

    /// <summary><see cref="IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0"/> structure containing IPsec aggregate drop packet statistics.</summary>
    public IPSEC_AGGREGATE_DROP_PACKET_STATISTICS0 aggregateDropPacketStatistics;

    /// <summary><see cref="IPSEC_TRAFFIC_STATISTICS0"/> structure containing IPsec inbound traffic statistics.</summary>
    public IPSEC_TRAFFIC_STATISTICS0 inboundTrafficStatistics;

    /// <summary><see cref="IPSEC_TRAFFIC_STATISTICS0"/> structure containing IPsec outbound traffic statistics.</summary>
    public IPSEC_TRAFFIC_STATISTICS0 outboundTrafficStatistics;
}
/// The IPSEC_STATISTICS1 structure is the top-level of the IPsec statistics structures. IPSEC_STATISTICS0 is available.
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_statistics1 typedef struct IPSEC_STATISTICS1_ {
// IPSEC_AGGREGATE_SA_STATISTICS0 aggregateSaStatistics; IPSEC_ESP_DROP_PACKET_STATISTICS0 espDropPacketStatistics;
// IPSEC_AH_DROP_PACKET_STATISTICS0 ahDropPacketStatistics; IPSEC_AGGREGATE_DROP_PACKET_STATISTICS1 aggregateDropPacketStatistics;
// IPSEC_TRAFFIC_STATISTICS1 inboundTrafficStatistics; IPSEC_TRAFFIC_STATISTICS1 outboundTrafficStatistics; } IPSEC_STATISTICS1;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_STATISTICS1_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_STATISTICS1
{
    /// <summary><see cref="IPSEC_AGGREGATE_SA_STATISTICS0"/> structure containing IPsec aggregate SA statistics.</summary>
    public IPSEC_AGGREGATE_SA_STATISTICS0 aggregateSaStatistics;

    /// <summary><see cref="IPSEC_ESP_DROP_PACKET_STATISTICS0"/> structure containing IPsec ESP drop packet statistics.</summary>
    public IPSEC_ESP_DROP_PACKET_STATISTICS0 espDropPacketStatistics;

    /// <summary><see cref="IPSEC_AH_DROP_PACKET_STATISTICS0"/> structure containing IPsec AH drop packet statistics.</summary>
    public IPSEC_AH_DROP_PACKET_STATISTICS0 ahDropPacketStatistics;

    /// <summary><see cref="IPSEC_AGGREGATE_DROP_PACKET_STATISTICS1"/> structure containing IPsec aggregate drop packet statistics.</summary>
    public IPSEC_AGGREGATE_DROP_PACKET_STATISTICS1 aggregateDropPacketStatistics;

    /// <summary><see cref="IPSEC_TRAFFIC_STATISTICS1"/> structure containing IPsec inbound traffic statistics.</summary>
    public IPSEC_TRAFFIC_STATISTICS1 inboundTrafficStatistics;

    /// <summary><see cref="IPSEC_TRAFFIC_STATISTICS1"/> structure containing IPsec outbound traffic statistics.</summary>
    public IPSEC_TRAFFIC_STATISTICS1 outboundTrafficStatistics;
}
/// The IPSEC_TOKEN0 structure contains various information about an IPsec-specific access token.
///
/// IPSEC_TOKEN0 is a specific implementation of IPSEC_TOKEN. See WFP Version-Independent Names and Targeting Specific Versions of
/// Windows for more information.
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_token0 typedef struct IPSEC_TOKEN0_ {
// IPSEC_TOKEN_TYPE type; IPSEC_TOKEN_PRINCIPAL principal; IPSEC_TOKEN_MODE mode; IPSEC_TOKEN_HANDLE token; } IPSEC_TOKEN0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TOKEN0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TOKEN0
{
    /// <summary>An <see cref="IPSEC_TOKEN_TYPE"/> value that specifies the type of token.</summary>
    public IPSEC_TOKEN_TYPE type;

    /// <summary>An <see cref="IPSEC_TOKEN_PRINCIPAL"/> value that specifies the token principal.</summary>
    public IPSEC_TOKEN_PRINCIPAL principal;

    /// <summary>An <see cref="IPSEC_TOKEN_MODE"/> value that indicates in which mode the token was obtained.</summary>
    public IPSEC_TOKEN_MODE mode;

    /// <summary>
    /// Handle to the access token. An <c>IPSEC_TOKEN_HANDLE</c> is of type UINT64. Carried here as a plain <see cref="ulong"/>, so no
    /// SafeHandle-style ownership or lifetime management is applied by this struct.
    /// </summary>
    public ulong token;
}
/// The IPSEC_TRAFFIC_STATISTICS0 structure stores IPsec traffic statistics. IPSEC_TRAFFIC_STATISTICS1 is available.
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_traffic_statistics0 typedef struct
// IPSEC_TRAFFIC_STATISTICS0_ { UINT64 encryptedByteCount; UINT64 authenticatedAHByteCount; UINT64 authenticatedESPByteCount; UINT64
// transportByteCount; UINT64 tunnelByteCount; UINT64 offloadByteCount; } IPSEC_TRAFFIC_STATISTICS0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TRAFFIC_STATISTICS0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TRAFFIC_STATISTICS0
{
    /// <summary>Specifies encrypted byte count.</summary>
    public ulong encryptedByteCount;

    /// <summary>Specifies authenticated AH byte count.</summary>
    public ulong authenticatedAHByteCount;

    /// <summary>Specifies authenticated ESP byte count.</summary>
    public ulong authenticatedESPByteCount;

    /// <summary>Specifies transport byte count.</summary>
    public ulong transportByteCount;

    /// <summary>Specifies tunnel byte count.</summary>
    public ulong tunnelByteCount;

    /// <summary>Specifies offload byte count.</summary>
    public ulong offloadByteCount;
}
/// The IPSEC_TRAFFIC_STATISTICS1 structure stores IPsec traffic statistics. IPSEC_TRAFFIC_STATISTICS0 is available.
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_traffic_statistics1 typedef struct
// IPSEC_TRAFFIC_STATISTICS1_ { UINT64 encryptedByteCount; UINT64 authenticatedAHByteCount; UINT64 authenticatedESPByteCount; UINT64
// transportByteCount; UINT64 tunnelByteCount; UINT64 offloadByteCount; UINT64 totalSuccessfulPackets; } IPSEC_TRAFFIC_STATISTICS1;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TRAFFIC_STATISTICS1_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TRAFFIC_STATISTICS1
{
    /// <summary>Specifies encrypted byte count.</summary>
    public ulong encryptedByteCount;

    /// <summary>Specifies authenticated AH byte count.</summary>
    public ulong authenticatedAHByteCount;

    /// <summary>Specifies authenticated ESP byte count.</summary>
    public ulong authenticatedESPByteCount;

    /// <summary>Specifies transport byte count.</summary>
    public ulong transportByteCount;

    /// <summary>Specifies tunnel byte count.</summary>
    public ulong tunnelByteCount;

    /// <summary>Specifies offload byte count.</summary>
    public ulong offloadByteCount;

    /// <summary>The total number of packets that were successfully transmitted. This member is what distinguishes this layout from IPSEC_TRAFFIC_STATISTICS0.</summary>
    public ulong totalSuccessfulPackets;
}
/// The IPSEC_TRAFFIC0 structure specifies parameters to describe IPsec traffic. IPSEC_TRAFFIC1 is available.
///
/// The IPSEC_TRAFFIC0 type describes the characteristics of the traffic that will match the SA.
///
/// For IPsec transport mode, the localVAddress and remoteVAddress members specify the IP addresses. The
/// ipsecFilterId member specifies (as part of the transport layer filter conditions) the transport protocol information (such as
/// IP protocol, ports, etc.) of the matching traffic. However, if the remotePort member is nonzero, its value will override the
/// remote port specified in the transport layer filter.
///
///
/// For IPsec tunnel mode, the localVAddress and remoteVAddress members specify the outer IP header tunnel endpoints. The
/// tunnelPolicyId member specifies (as part of the filter conditions specified via FwpmIPsecTunnelAdd0) the inner IP header
/// addresses, transport protocol information, of the matching traffic. The remotePort member should not be specified for tunnel mode.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_traffic0 typedef struct IPSEC_TRAFFIC0_ {
// FWP_IP_VERSION ipVersion; union { UINT32 localV4Address; UINT8 localV6Address[16]; }; union { UINT32 remoteV4Address; UINT8
// remoteV6Address[16]; }; IPSEC_TRAFFIC_TYPE trafficType; union { UINT64 ipsecFilterId; UINT64 tunnelPolicyId; }; UINT16 remotePort; } IPSEC_TRAFFIC0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TRAFFIC0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TRAFFIC0
{
///
/// Internet Protocol (IP) version.
/// See FWP_IP_VERSION for more information.
///
public FWP_IP_VERSION ipVersion;
private FWP_BYTE_ARRAY_ADDR local;
private FWP_BYTE_ARRAY_ADDR remote;
///
/// The local IPv4 address of the IPsec traffic.
/// Specified when ipVersion is FWP_IP_VERSION_V4.
///
public IN_ADDR localV4Address { get => local.addr; set => local.addr = value; }
///
/// The local IPv6 address of the IPsec traffic.
/// Specified when ipVersion is FWP_IP_VERSION_V6.
///
public IN6_ADDR localV6Address { get => local.addr6; set => local.addr6 = value; }
///
/// The remote IPv4 address of the IPsec traffic.
/// Specified when ipVersion is FWP_IP_VERSION_V4.
///
public IN_ADDR remoteV4Address { get => remote.addr; set => remote.addr = value; }
///
/// The remote IPv6 address of the IPsec traffic.
/// Specified when ipVersion is FWP_IP_VERSION_V6.
///
public IN6_ADDR remoteV6Address { get => remote.addr6; set => remote.addr6 = value; }
///
/// Type of IPsec traffic.
/// See IPSEC_TRAFFIC_TYPE for more information.
///
public IPSEC_TRAFFIC_TYPE trafficType;
///
/// The LUID of the FWPS transport layer filter corresponding to this traffic.
/// Available if trafficType is IPSEC_TRAFFIC_TYPE_TRANSPORT.
///
public ulong ipsecFilterId;
///
/// The LUID of the associated Quick Mode (QM) tunnel policy.
/// Available if trafficType is IPSEC_TRAFFIC_TYPE_TUNNEL.
///
public ulong tunnelPolicyId { get => ipsecFilterId; set => ipsecFilterId = value; }
///
/// The remote TCP/UDP port for this traffic. This is used when the remote port condition in the transport layer filter is more
/// generic than the actual remote port.
///
public ushort remotePort;
}
/// <summary>The <c>IPSEC_TRAFFIC1</c> structure specifies parameters to describe IPsec traffic. IPSEC_TRAFFIC0 is available.</summary>
/// <remarks>
/// <para>The IPSEC_TRAFFIC1 type describes the characteristics of the traffic that will match the SA.</para>
/// <para>
/// For IPsec transport mode, the local and remote address members specify the IP addresses. The <see cref="ipsecFilterId"/> member
/// specifies (as part of the transport layer filter conditions) the transport protocol information (IP protocol, ports, etc.) of the
/// matching traffic. However, if <see cref="localPort"/>, <see cref="remotePort"/>, or <see cref="ipProtocol"/> is nonzero, its value
/// overrides the corresponding value specified in the transport layer filter.
/// </para>
/// <para>
/// For IPsec tunnel mode, the local and remote address members specify the outer IP header tunnel endpoints. The
/// <see cref="tunnelPolicyId"/> member specifies (as part of the filter conditions given to FwpmIPsecTunnelAdd1) the inner IP header
/// addresses and transport protocol information of the matching traffic. <see cref="localPort"/>, <see cref="remotePort"/>, and
/// <see cref="ipProtocol"/> should not be specified for tunnel mode.
/// </para>
/// <para>
/// As in IPSEC_TRAFFIC0, the native unions are exposed as aliasing properties over one backing field each: the V4/V6 address pairs
/// share their slot (selected by <see cref="ipVersion"/>) and <see cref="tunnelPolicyId"/> aliases <see cref="ipsecFilterId"/>
/// (selected by <see cref="trafficType"/>). Reading the non-matching view reinterprets the same bytes rather than failing.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_traffic1 typedef struct IPSEC_TRAFFIC1_ {
// FWP_IP_VERSION ipVersion; union { UINT32 localV4Address; UINT8 localV6Address[16]; }; union { UINT32 remoteV4Address; UINT8
// remoteV6Address[16]; }; IPSEC_TRAFFIC_TYPE trafficType; union { UINT64 ipsecFilterId; UINT64 tunnelPolicyId; }; UINT16 remotePort;
// UINT16 localPort; UINT8 ipProtocol; UINT64 localIfLuid; UINT32 realIfProfileId; } IPSEC_TRAFFIC1;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TRAFFIC1_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TRAFFIC1
{
	/// <summary>Internet Protocol (IP) version. See <see cref="FWP_IP_VERSION"/> for more information. Selects which address view applies.</summary>
	public FWP_IP_VERSION ipVersion;

	// Backing storage for the two native address unions; field order is the native layout, the properties below are views.
	private FWP_BYTE_ARRAY_ADDR _localAddr;
	private FWP_BYTE_ARRAY_ADDR _remoteAddr;

	/// <summary>The local IPv4 address of the IPsec traffic. Specified when <see cref="ipVersion"/> is FWP_IP_VERSION_V4.</summary>
	public IN_ADDR localV4Address
	{
		get { return _localAddr.addr; }
		set { _localAddr.addr = value; }
	}

	/// <summary>The local IPv6 address of the IPsec traffic. Specified when <see cref="ipVersion"/> is FWP_IP_VERSION_V6.</summary>
	public IN6_ADDR localV6Address
	{
		get { return _localAddr.addr6; }
		set { _localAddr.addr6 = value; }
	}

	/// <summary>The remote IPv4 address of the IPsec traffic. Specified when <see cref="ipVersion"/> is FWP_IP_VERSION_V4.</summary>
	public IN_ADDR remoteV4Address
	{
		get { return _remoteAddr.addr; }
		set { _remoteAddr.addr = value; }
	}

	/// <summary>The remote IPv6 address of the IPsec traffic. Specified when <see cref="ipVersion"/> is FWP_IP_VERSION_V6.</summary>
	public IN6_ADDR remoteV6Address
	{
		get { return _remoteAddr.addr6; }
		set { _remoteAddr.addr6 = value; }
	}

	/// <summary>Type of IPsec traffic. See <see cref="IPSEC_TRAFFIC_TYPE"/> for more information. Selects which LUID view applies.</summary>
	public IPSEC_TRAFFIC_TYPE trafficType;

	/// <summary>
	/// The LUID of the FWPS transport layer filter corresponding to this traffic. Available if <see cref="trafficType"/> is
	/// IPSEC_TRAFFIC_TYPE_TRANSPORT. Also the backing storage for <see cref="tunnelPolicyId"/>.
	/// </summary>
	public ulong ipsecFilterId;

	/// <summary>
	/// The LUID of the associated Quick Mode (QM) tunnel policy. Available if <see cref="trafficType"/> is IPSEC_TRAFFIC_TYPE_TUNNEL.
	/// Aliases <see cref="ipsecFilterId"/>.
	/// </summary>
	public ulong tunnelPolicyId
	{
		get { return ipsecFilterId; }
		set { ipsecFilterId = value; }
	}

	/// <summary>
	/// The remote TCP/UDP port for this traffic. Used when the remote port condition in the transport layer filter is more generic
	/// than the actual remote port; a nonzero value overrides the filter condition.
	/// </summary>
	public ushort remotePort;

	/// <summary>
	/// The local TCP/UDP port for this traffic. Used when the local port condition in the transport layer filter is more generic
	/// than the actual local port; a nonzero value overrides the filter condition.
	/// </summary>
	public ushort localPort;

	/// <summary>
	/// The IP protocol for this traffic. Used when the IP protocol condition in the transport layer filter is more generic than
	/// the actual IP protocol; a nonzero value overrides the filter condition.
	/// </summary>
	public byte ipProtocol;

	/// <summary>The LUID of the local interface corresponding to the local address specified above.</summary>
	public ulong localIfLuid;

	/// <summary>The profile ID corresponding to the actual interface that the traffic is using.</summary>
	public uint realIfProfileId;
}
/// <summary>
/// The <c>IPSEC_TRANSPORT_POLICY0</c> structure stores the quick mode negotiation policy for transport mode IPsec.
/// IPSEC_TRANSPORT_POLICY2 is available.
/// </summary>
/// <remarks>
/// <see cref="ipsecProposals"/> and <see cref="emPolicy"/> are raw unmanaged pointers (no marshaling attributes), so the caller owns
/// the memory they reference and must keep <see cref="numIpsecProposals"/> consistent with the proposal array actually allocated.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_transport_policy0 typedef struct
// IPSEC_TRANSPORT_POLICY0_ { UINT32 numIpsecProposals; IPSEC_PROPOSAL0 *ipsecProposals; UINT32 flags; UINT32 ndAllowClearTimeoutSeconds;
// IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout; IKEEXT_EM_POLICY0 *emPolicy; } IPSEC_TRANSPORT_POLICY0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TRANSPORT_POLICY0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TRANSPORT_POLICY0
{
	/// <summary>Number of quick mode proposals in the policy, i.e. the element count of the array at <see cref="ipsecProposals"/>.</summary>
	public uint numIpsecProposals;
	/// <summary>
	/// Pointer to an unmanaged array of <see cref="numIpsecProposals"/> IPSEC_PROPOSAL0 structures (array of quick mode proposals).
	/// Not marshaled by this wrapper; the caller manages the allocation.
	/// </summary>
	public IntPtr ipsecProposals;
	/// <summary>
	/// A combination of the following values.
	/// <list type="table">
	/// <listheader><term>IPsec policy flag</term><description>Meaning</description></listheader>
	/// <item><term>IPSEC_POLICY_FLAG_ND_SECURE</term><description>Do negotiation discovery in secure ring.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_ND_BOUNDARY</term><description>Do negotiation discovery in the untrusted perimeter zone.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_NAT_ENCAP_ALLOW_PEER_BEHIND_NAT</term><description>If set, IPsec expects that either the local or remote machine is behind a network address translation (NAT) device, but not both. This allows for less secure, but more flexible behavior.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_NAT_ENCAP_ALLOW_GENERAL_NAT_TRAVERSAL</term><description>If set, IPsec expects default ports when either the local, the remote, or both machines are behind a NAT device.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_SECOND_LIFETIME</term><description>If set, Internet Key Exchange (IKE) will not send the ISAKMP attribute for 'seconds' lifetime during quick mode negotiation.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_BYTE_LIFETIME</term><description>If set, IKE will not send the ISAKMP attribute for 'byte' lifetime during quick mode negotiation.</description></item>
	/// </list>
	/// </summary>
	public IPSEC_POLICY_FLAG flags;
	/// <summary>
	/// Timeout in seconds, after which the IPsec security association (SA) should stop accepting packets coming in the clear. Used for
	/// negotiation discovery (see the IPSEC_POLICY_FLAG_ND_* flags). Until it elapses the SA still accepts unprotected packets from the
	/// peer, so this value bounds the cleartext exposure window.
	/// </summary>
	public uint ndAllowClearTimeoutSeconds;
	/// <summary>An <see cref="IPSEC_SA_IDLE_TIMEOUT0"/> structure that specifies the SA idle timeout in IPsec policy.</summary>
	public IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout;
	/// <summary>
	/// Pointer to an unmanaged IKEEXT_EM_POLICY0 structure: the AuthIP extended mode authentication policy. Not marshaled by this
	/// wrapper; the caller manages the allocation.
	/// </summary>
	public IntPtr emPolicy;
}
/// <summary>
/// The <c>IPSEC_TRANSPORT_POLICY1</c> structure stores the quick mode negotiation policy for transport mode IPsec.
/// IPSEC_TRANSPORT_POLICY2 is available.
/// </summary>
/// <remarks>
/// Identical in layout to IPSEC_TRANSPORT_POLICY0 except that <see cref="emPolicy"/> points to an IKEEXT_EM_POLICY1. Both pointer
/// members are raw unmanaged pointers; the caller owns their memory and must keep <see cref="numIpsecProposals"/> consistent with
/// the proposal array actually allocated.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_transport_policy1 typedef struct
// IPSEC_TRANSPORT_POLICY1_ { UINT32 numIpsecProposals; IPSEC_PROPOSAL0 *ipsecProposals; UINT32 flags; UINT32 ndAllowClearTimeoutSeconds;
// IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout; IKEEXT_EM_POLICY1 *emPolicy; } IPSEC_TRANSPORT_POLICY1;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TRANSPORT_POLICY1_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TRANSPORT_POLICY1
{
	/// <summary>Number of quick mode proposals in the policy, i.e. the element count of the array at <see cref="ipsecProposals"/>.</summary>
	public uint numIpsecProposals;
	/// <summary>
	/// Pointer to an unmanaged array of <see cref="numIpsecProposals"/> IPSEC_PROPOSAL0 structures (array of quick mode proposals).
	/// Not marshaled by this wrapper; the caller manages the allocation.
	/// </summary>
	public IntPtr ipsecProposals;
	/// <summary>
	/// A combination of the following values.
	/// <list type="table">
	/// <listheader><term>IPsec policy flag</term><description>Meaning</description></listheader>
	/// <item><term>IPSEC_POLICY_FLAG_ND_SECURE</term><description>Do negotiation discovery in secure ring.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_ND_BOUNDARY</term><description>Do negotiation discovery in the untrusted perimeter zone.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_NAT_ENCAP_ALLOW_PEER_BEHIND_NAT</term><description>If set, IPsec expects that either the local or remote machine is behind a network address translation (NAT) device, but not both. This allows for less secure, but more flexible behavior.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_NAT_ENCAP_ALLOW_GENERAL_NAT_TRAVERSAL</term><description>If set, IPsec expects default ports when either the local, the remote, or both machines are behind a NAT device.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_SECOND_LIFETIME</term><description>If set, Internet Key Exchange (IKE) will not send the ISAKMP attribute for 'seconds' lifetime during quick mode negotiation.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_BYTE_LIFETIME</term><description>If set, IKE will not send the ISAKMP attribute for 'byte' lifetime during quick mode negotiation.</description></item>
	/// </list>
	/// </summary>
	public IPSEC_POLICY_FLAG flags;
	/// <summary>
	/// Timeout in seconds, after which the IPsec security association (SA) should stop accepting packets coming in the clear. Used for
	/// negotiation discovery (see the IPSEC_POLICY_FLAG_ND_* flags). Until it elapses the SA still accepts unprotected packets from the
	/// peer, so this value bounds the cleartext exposure window.
	/// </summary>
	public uint ndAllowClearTimeoutSeconds;
	/// <summary>An <see cref="IPSEC_SA_IDLE_TIMEOUT0"/> structure that specifies the SA idle timeout in IPsec policy.</summary>
	public IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout;
	/// <summary>
	/// Pointer to an unmanaged IKEEXT_EM_POLICY1 structure: the AuthIP extended mode authentication policy. Not marshaled by this
	/// wrapper; the caller manages the allocation.
	/// </summary>
	public IntPtr emPolicy;
}
/// <summary>
/// The <c>IPSEC_TRANSPORT_POLICY2</c> structure stores the quick mode negotiation policy for transport mode IPsec.
/// IPSEC_TRANSPORT_POLICY0 is available.
/// </summary>
/// <remarks>
/// Same layout as IPSEC_TRANSPORT_POLICY1, with <see cref="emPolicy"/> pointing to an IKEEXT_EM_POLICY2 and two additional key
/// manager flags accepted in <see cref="flags"/>. Both pointer members are raw unmanaged pointers; the caller owns their memory and
/// must keep <see cref="numIpsecProposals"/> consistent with the proposal array actually allocated.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_transport_policy2 typedef struct
// IPSEC_TRANSPORT_POLICY2_ { UINT32 numIpsecProposals; IPSEC_PROPOSAL0 *ipsecProposals; UINT32 flags; UINT32 ndAllowClearTimeoutSeconds;
// IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout; IKEEXT_EM_POLICY2 *emPolicy; } IPSEC_TRANSPORT_POLICY2;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TRANSPORT_POLICY2_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TRANSPORT_POLICY2
{
	/// <summary>
	/// <para>Type: <c>UINT32</c></para>
	/// <para>Number of quick mode proposals in the policy, i.e. the element count of the array at <see cref="ipsecProposals"/>.</para>
	/// </summary>
	public uint numIpsecProposals;
	/// <summary>
	/// <para>Type: <c>IPSEC_PROPOSAL0*</c></para>
	/// <para>Pointer to an unmanaged array of <see cref="numIpsecProposals"/> quick mode proposals. Not marshaled by this wrapper; the
	/// caller manages the allocation.</para>
	/// </summary>
	public IntPtr ipsecProposals;
	/// <summary>
	/// <para>Type: <c>UINT32</c></para>
	/// <para>A combination of the following values.</para>
	/// <list type="table">
	/// <listheader><term>IPsec policy flag</term><description>Meaning</description></listheader>
	/// <item><term>IPSEC_POLICY_FLAG_ND_SECURE</term><description>Do negotiation discovery in secure ring.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_ND_BOUNDARY</term><description>Do negotiation discovery in the untrusted perimeter zone.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_NAT_ENCAP_ALLOW_PEER_BEHIND_NAT</term><description>If set, IPsec expects that either the local or remote machine is behind a network address translation (NAT) device, but not both. This allows for less secure, but more flexible behavior.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_NAT_ENCAP_ALLOW_GENERAL_NAT_TRAVERSAL</term><description>If set, IPsec expects default ports when either the local, the remote, or both machines are behind a NAT device.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_SECOND_LIFETIME</term><description>If set, Internet Key Exchange (IKE) will not send the ISAKMP attribute for 'seconds' lifetime during quick mode negotiation.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_BYTE_LIFETIME</term><description>If set, IKE will not send the ISAKMP attribute for 'byte' lifetime during quick mode negotiation.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_KEY_MANAGER_ALLOW_DICTATE_KEY</term><description>Allow key dictation for quick mode policy. Applicable only for AuthIP policy.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_KEY_MANAGER_ALLOW_NOTIFY_KEY</term><description>Allow key notification for quick mode policy. Applicable for AuthIP/IKE/IKEv2 policy.</description></item>
	/// </list>
	/// </summary>
	public IPSEC_POLICY_FLAG flags;
	/// <summary>
	/// <para>Type: <c>UINT32</c></para>
	/// <para>
	/// Timeout in seconds, after which the IPsec security association (SA) should stop accepting packets coming in the clear. Used for
	/// negotiation discovery (see the IPSEC_POLICY_FLAG_ND_* flags). Until it elapses the SA still accepts unprotected packets from the
	/// peer, so this value bounds the cleartext exposure window.
	/// </para>
	/// </summary>
	public uint ndAllowClearTimeoutSeconds;
	/// <summary>
	/// <para>Type: <c>IPSEC_SA_IDLE_TIMEOUT0</c></para>
	/// <para>The SA idle timeout in IPsec policy.</para>
	/// </summary>
	public IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout;
	/// <summary>
	/// <para>Type: <c>IKEEXT_EM_POLICY2*</c></para>
	/// <para>Pointer to an unmanaged IKEEXT_EM_POLICY2: the AuthIP extended mode authentication policy. Not marshaled by this wrapper;
	/// the caller manages the allocation.</para>
	/// </summary>
	public IntPtr emPolicy;
}
/// <summary>
/// The <c>IPSEC_TUNNEL_ENDPOINT0</c> structure is used to store address information for an end point of a tunnel mode SA.
/// </summary>
/// <remarks>
/// The native type holds one address union after the version discriminator. <see cref="v4Address"/> and <see cref="v6Address"/> are
/// two views over the same backing slot; <see cref="ipVersion"/> states which one carries meaning. Reading the other view is not
/// rejected - it reinterprets the same bytes.
/// </remarks>
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TUNNEL_ENDPOINT0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TUNNEL_ENDPOINT0
{
	/// <summary>Specifies the IP version. In tunnel mode, this is the version of the outer header.</summary>
	public FWP_IP_VERSION ipVersion;

	// Backing storage for the native address union; the two properties below are views onto it.
	private FWP_BYTE_ARRAY_ADDR _endpoint;

	/// <summary>The IPv4 address of the end point. Meaningful when <see cref="ipVersion"/> is FWP_IP_VERSION_V4.</summary>
	public IN_ADDR v4Address
	{
		get { return _endpoint.addr; }
		set { _endpoint.addr = value; }
	}

	/// <summary>The IPv6 address of the end point. Meaningful when <see cref="ipVersion"/> is FWP_IP_VERSION_V6.</summary>
	public IN6_ADDR v6Address
	{
		get { return _endpoint.addr6; }
		set { _endpoint.addr6 = value; }
	}
}
/// <summary>
/// The <c>IPSEC_TUNNEL_ENDPOINTS0</c> structure is used to store end points of a tunnel mode SA. IPSEC_TUNNEL_ENDPOINTS2 is available.
/// </summary>
/// <remarks>
/// <para>
/// Both address members are native unions selected by <see cref="ipVersion"/> (switch_type(FWP_IP_VERSION), switch_is(ipVersion)).
/// This wrapper keeps one backing field per union and exposes the V4 and V6 views as aliasing properties: <see cref="localV4Address"/>
/// and <see cref="localV6Address"/> read the same slot, as do <see cref="remoteV4Address"/> and <see cref="remoteV6Address"/>.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_tunnel_endpoints0 typedef struct
// IPSEC_TUNNEL_ENDPOINTS0_ { FWP_IP_VERSION ipVersion; union { UINT32 localV4Address; UINT8 localV6Address[16]; }; union { UINT32
// remoteV4Address; UINT8 remoteV6Address[16]; }; } IPSEC_TUNNEL_ENDPOINTS0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TUNNEL_ENDPOINTS0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TUNNEL_ENDPOINTS0
{
	/// <summary>IP version of the addresses. See <see cref="FWP_IP_VERSION"/> for more information.</summary>
	public FWP_IP_VERSION ipVersion;

	// Backing storage for the local and remote address unions (native field order).
	private FWP_BYTE_ARRAY_ADDR _localEp;
	private FWP_BYTE_ARRAY_ADDR _remoteEp;

	/// <summary>Local tunnel end point, IPv4 view. case(FWP_IP_VERSION_V4).</summary>
	public IN_ADDR localV4Address
	{
		get { return _localEp.addr; }
		set { _localEp.addr = value; }
	}

	/// <summary>Local tunnel end point, IPv6 view. case(FWP_IP_VERSION_V6). Shares storage with <see cref="localV4Address"/>.</summary>
	public IN6_ADDR localV6Address
	{
		get { return _localEp.addr6; }
		set { _localEp.addr6 = value; }
	}

	/// <summary>Remote tunnel end point, IPv4 view. case(FWP_IP_VERSION_V4).</summary>
	public IN_ADDR remoteV4Address
	{
		get { return _remoteEp.addr; }
		set { _remoteEp.addr = value; }
	}

	/// <summary>Remote tunnel end point, IPv6 view. case(FWP_IP_VERSION_V6). Shares storage with <see cref="remoteV4Address"/>.</summary>
	public IN6_ADDR remoteV6Address
	{
		get { return _remoteEp.addr6; }
		set { _remoteEp.addr6 = value; }
	}
}
/// <summary>
/// The <c>IPSEC_TUNNEL_ENDPOINTS1</c> structure is used to store end points of a tunnel mode SA. IPSEC_TUNNEL_ENDPOINTS2 is available.
/// </summary>
/// <remarks>
/// <para>
/// Extends IPSEC_TUNNEL_ENDPOINTS0 with <see cref="localIfLuid"/>. Both address members are native unions selected by
/// <see cref="ipVersion"/> (switch_type(FWP_IP_VERSION), switch_is(ipVersion)); each is kept in one backing field and exposed through
/// aliasing V4/V6 properties. The field order in this struct is the native layout - the properties add no storage.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_tunnel_endpoints1 typedef struct
// IPSEC_TUNNEL_ENDPOINTS1_ { FWP_IP_VERSION ipVersion; union { UINT32 localV4Address; UINT8 localV6Address[16]; }; union { UINT32
// remoteV4Address; UINT8 remoteV6Address[16]; }; UINT64 localIfLuid; } IPSEC_TUNNEL_ENDPOINTS1;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TUNNEL_ENDPOINTS1_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TUNNEL_ENDPOINTS1
{
	/// <summary>An <see cref="FWP_IP_VERSION"/> value that specifies the IP version. In tunnel mode, this is the version of the outer header.</summary>
	public FWP_IP_VERSION ipVersion;

	// Backing storage for the local and remote address unions (native field order).
	private FWP_BYTE_ARRAY_ADDR _localEp;
	private FWP_BYTE_ARRAY_ADDR _remoteEp;

	/// <summary>Optional LUID of the local interface corresponding to the local address specified above.</summary>
	public ulong localIfLuid;

	/// <summary>Local tunnel end point, IPv4 view. case(FWP_IP_VERSION_V4).</summary>
	public IN_ADDR localV4Address
	{
		get { return _localEp.addr; }
		set { _localEp.addr = value; }
	}

	/// <summary>Local tunnel end point, IPv6 view. case(FWP_IP_VERSION_V6). Shares storage with <see cref="localV4Address"/>.</summary>
	public IN6_ADDR localV6Address
	{
		get { return _localEp.addr6; }
		set { _localEp.addr6 = value; }
	}

	/// <summary>Remote tunnel end point, IPv4 view. case(FWP_IP_VERSION_V4).</summary>
	public IN_ADDR remoteV4Address
	{
		get { return _remoteEp.addr; }
		set { _remoteEp.addr = value; }
	}

	/// <summary>Remote tunnel end point, IPv6 view. case(FWP_IP_VERSION_V6). Shares storage with <see cref="remoteV4Address"/>.</summary>
	public IN6_ADDR remoteV6Address
	{
		get { return _remoteEp.addr6; }
		set { _remoteEp.addr6 = value; }
	}
}
/// <summary>
/// The <c>IPSEC_TUNNEL_ENDPOINTS2</c> structure is used to store end points of a tunnel mode SA. IPSEC_TUNNEL_ENDPOINTS1 is available.
/// For Windows Vista, IPSEC_TUNNEL_ENDPOINTS0 is available.
/// </summary>
/// <remarks>
/// <para>
/// Extends IPSEC_TUNNEL_ENDPOINTS1 with a remote FQDN and an array of additional remote end points. The address members are native
/// unions selected by <see cref="ipVersion"/> (switch_type(FWP_IP_VERSION), switch_is(ipVersion)), each kept in one backing field and
/// exposed through aliasing V4/V6 properties. Field order below is the native layout; the properties add no storage.
/// </para>
/// <para>
/// <see cref="remoteFqdn"/> is marshaled as a null-terminated wide string, while <see cref="remoteAddresses"/> is a raw pointer whose
/// element count is <see cref="numAddresses"/>; the caller owns that array and must keep the two in step.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_tunnel_endpoints2 typedef struct
// IPSEC_TUNNEL_ENDPOINTS2_ { FWP_IP_VERSION ipVersion; union { UINT32 localV4Address; UINT8 localV6Address[16]; }; union { UINT32
// remoteV4Address; UINT8 remoteV6Address[16]; }; UINT64 localIfLuid; wchar_t *remoteFqdn; UINT32 numAddresses; IPSEC_TUNNEL_ENDPOINT0
// *remoteAddresses; } IPSEC_TUNNEL_ENDPOINTS2;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TUNNEL_ENDPOINTS2_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TUNNEL_ENDPOINTS2
{
	/// <summary>An <see cref="FWP_IP_VERSION"/> value that specifies the IP version. In tunnel mode, this is the version of the outer header.</summary>
	public FWP_IP_VERSION ipVersion;

	// Backing storage for the local and remote address unions (native field order).
	private FWP_BYTE_ARRAY_ADDR _localEp;
	private FWP_BYTE_ARRAY_ADDR _remoteEp;

	/// <summary>Optional LUID of the local interface corresponding to the local address specified above.</summary>
	public ulong localIfLuid;

	/// <summary>
	/// Configuration of multiple remote addresses and fully qualified domain names for asymmetric tunneling support. Marshaled as a
	/// null-terminated UTF-16 string (<see cref="UnmanagedType.LPWStr"/>).
	/// </summary>
	[MarshalAs(UnmanagedType.LPWStr)]
	public string remoteFqdn;

	/// <summary>The number of remote tunnel addresses, i.e. the element count of the array at <see cref="remoteAddresses"/>.</summary>
	public uint numAddresses;

	/// <summary>
	/// Pointer to an unmanaged array of <see cref="numAddresses"/> <see cref="IPSEC_TUNNEL_ENDPOINT0"/> structures (the remote tunnel
	/// end point address information). Not marshaled by this wrapper; the caller manages the allocation.
	/// </summary>
	public IntPtr remoteAddresses;

	/// <summary>Local tunnel end point, IPv4 view. case(FWP_IP_VERSION_V4).</summary>
	public IN_ADDR localV4Address
	{
		get { return _localEp.addr; }
		set { _localEp.addr = value; }
	}

	/// <summary>Local tunnel end point, IPv6 view. case(FWP_IP_VERSION_V6). Shares storage with <see cref="localV4Address"/>.</summary>
	public IN6_ADDR localV6Address
	{
		get { return _localEp.addr6; }
		set { _localEp.addr6 = value; }
	}

	/// <summary>Remote tunnel end point, IPv4 view. case(FWP_IP_VERSION_V4).</summary>
	public IN_ADDR remoteV4Address
	{
		get { return _remoteEp.addr; }
		set { _remoteEp.addr = value; }
	}

	/// <summary>Remote tunnel end point, IPv6 view. case(FWP_IP_VERSION_V6). Shares storage with <see cref="remoteV4Address"/>.</summary>
	public IN6_ADDR remoteV6Address
	{
		get { return _remoteEp.addr6; }
		set { _remoteEp.addr6 = value; }
	}
}
/// <summary>
/// The <c>IPSEC_TUNNEL_POLICY0</c> structure stores the quick mode negotiation policy for tunnel mode IPsec. IPSEC_TUNNEL_POLICY2 is available.
/// </summary>
/// <remarks>
/// <see cref="ipsecProposals"/> and <see cref="emPolicy"/> are raw unmanaged pointers (no marshaling attributes); the caller owns the
/// memory they reference and must keep <see cref="numIpsecProposals"/> consistent with the proposal array actually allocated.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_tunnel_policy0 typedef struct IPSEC_TUNNEL_POLICY0_
// { UINT32 flags; UINT32 numIpsecProposals; IPSEC_PROPOSAL0 *ipsecProposals; IPSEC_TUNNEL_ENDPOINTS0 tunnelEndpoints;
// IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout; IKEEXT_EM_POLICY0 *emPolicy; } IPSEC_TUNNEL_POLICY0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TUNNEL_POLICY0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TUNNEL_POLICY0
{
	/// <summary>
	/// A combination of the following values.
	/// <list type="table">
	/// <listheader><term>IPsec policy flag</term><description>Meaning</description></listheader>
	/// <item><term>IPSEC_POLICY_FLAG_ND_SECURE</term><description>Do negotiation discovery in secure ring.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_ND_BOUNDARY</term><description>Do negotiation discovery in the untrusted perimeter zone.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_CLEAR_DF_ON_TUNNEL</term><description>Clear the "DontFragment" bit on the outer IP header of an IPsec tunneled packet.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_SECOND_LIFETIME</term><description>If set, Internet Key Exchange (IKE) will not send the ISAKMP attribute for 'seconds' lifetime during quick mode negotiation.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_BYTE_LIFETIME</term><description>If set, IKE will not send the ISAKMP attribute for 'byte' lifetime during quick mode negotiation.</description></item>
	/// </list>
	/// </summary>
	public IPSEC_POLICY_FLAG flags;
	/// <summary>Number of quick mode proposals in the policy, i.e. the element count of the array at <see cref="ipsecProposals"/>.</summary>
	public uint numIpsecProposals;
	/// <summary>
	/// Pointer to an unmanaged array of <see cref="numIpsecProposals"/> IPSEC_PROPOSAL0 structures (array of quick mode proposals).
	/// Not marshaled by this wrapper; the caller manages the allocation.
	/// </summary>
	public IntPtr ipsecProposals;
	/// <summary>
	/// Tunnel endpoints of the IPsec security association (SA) generated from this policy. Embedded by value; see
	/// <see cref="IPSEC_TUNNEL_ENDPOINTS0"/> for more information.
	/// </summary>
	public IPSEC_TUNNEL_ENDPOINTS0 tunnelEndpoints;
	/// <summary>An <see cref="IPSEC_SA_IDLE_TIMEOUT0"/> structure that specifies the SA idle timeout in IPsec policy.</summary>
	public IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout;
	/// <summary>
	/// Pointer to an unmanaged IKEEXT_EM_POLICY0 structure: the AuthIP extended mode authentication policy. Not marshaled by this
	/// wrapper; the caller manages the allocation.
	/// </summary>
	public IntPtr emPolicy;
}
/// <summary>
/// The <c>IPSEC_TUNNEL_POLICY1</c> structure stores the quick mode negotiation policy for tunnel mode IPsec. IPSEC_TUNNEL_POLICY2 is available.
/// </summary>
/// <remarks>
/// <para>
/// Same shape as IPSEC_TUNNEL_POLICY0 with IPSEC_TUNNEL_ENDPOINTS1 endpoints, an IKEEXT_EM_POLICY1 extended mode policy, and
/// additional tunnel-specific flags. <see cref="ipsecProposals"/> and <see cref="emPolicy"/> are raw unmanaged pointers; the caller
/// owns their memory and must keep <see cref="numIpsecProposals"/> consistent with the proposal array actually allocated.
/// </para>
/// <para>
/// The IPSEC_POLICY_FLAG_TUNNEL_* bypass flags and IPSEC_POLICY_FLAG_TUNNEL_ALLOW_OUTBOUND_CLEAR_CONNECTION each let some traffic skip
/// tunnel protection; the per-flag descriptions below state where each is intended to apply.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_tunnel_policy1 typedef struct IPSEC_TUNNEL_POLICY1_
// { UINT32 flags; UINT32 numIpsecProposals; IPSEC_PROPOSAL0 *ipsecProposals; IPSEC_TUNNEL_ENDPOINTS1 tunnelEndpoints;
// IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout; IKEEXT_EM_POLICY1 *emPolicy; } IPSEC_TUNNEL_POLICY1;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TUNNEL_POLICY1_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TUNNEL_POLICY1
{
	/// <summary>
	/// A combination of the following values.
	/// <list type="table">
	/// <listheader><term>IPsec policy flag</term><description>Meaning</description></listheader>
	/// <item><term>IPSEC_POLICY_FLAG_ND_SECURE</term><description>Do negotiation discovery in secure ring.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_ND_BOUNDARY</term><description>Do negotiation discovery in the untrusted perimeter zone.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_CLEAR_DF_ON_TUNNEL</term><description>Clear the "DontFragment" bit on the outer IP header of an IPsec tunneled packet.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_SECOND_LIFETIME</term><description>If set, Internet Key Exchange (IKE) will not send the ISAKMP attribute for 'seconds' lifetime during quick mode negotiation.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_BYTE_LIFETIME</term><description>If set, IKE will not send the ISAKMP attribute for 'byte' lifetime during quick mode negotiation.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_ENABLE_V6_IN_V4_TUNNELING</term><description>Negotiate IPv6 inside IPv4 IPsec tunneling. Applicable only for tunnel mode policy, and supported only by IKEv2.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_ENABLE_SERVER_ADDR_ASSIGNMENT</term><description>Enable calls to RAS VPN server for address assignment. Applicable only for tunnel mode policy, and supported only by IKEv2.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_TUNNEL_ALLOW_OUTBOUND_CLEAR_CONNECTION</term><description>Allow outbound connections to bypass the tunnel policy. Applicable only for tunnel mode policy on a tunnel gateway. Do not set on a tunnel client.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_TUNNEL_BYPASS_ALREADY_SECURE_CONNECTION</term><description>Allow ESP or UDP 500/4500 traffic to bypass the tunnel. Applicable only for tunnel mode policy.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_TUNNEL_BYPASS_ICMPV6</term><description>Allow ICMPv6 traffic to bypass the tunnel. Applicable only for tunnel mode policy.</description></item>
	/// </list>
	/// </summary>
	public IPSEC_POLICY_FLAG flags;
	/// <summary>Number of quick mode proposals in the policy, i.e. the element count of the array at <see cref="ipsecProposals"/>.</summary>
	public uint numIpsecProposals;
	/// <summary>
	/// Pointer to an unmanaged array of <see cref="numIpsecProposals"/> IPSEC_PROPOSAL0 structures (array of quick mode proposals).
	/// Not marshaled by this wrapper; the caller manages the allocation.
	/// </summary>
	public IntPtr ipsecProposals;
	/// <summary>
	/// Tunnel endpoints of the IPsec security association (SA) generated from this policy. Embedded by value; see
	/// <see cref="IPSEC_TUNNEL_ENDPOINTS1"/> for more information.
	/// </summary>
	public IPSEC_TUNNEL_ENDPOINTS1 tunnelEndpoints;
	/// <summary>An <see cref="IPSEC_SA_IDLE_TIMEOUT0"/> structure that specifies the SA idle timeout in IPsec policy.</summary>
	public IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout;
	/// <summary>
	/// Pointer to an unmanaged IKEEXT_EM_POLICY1 structure: the AuthIP extended mode authentication policy. Not marshaled by this
	/// wrapper; the caller manages the allocation.
	/// </summary>
	public IntPtr emPolicy;
}
/// <summary>
/// The <c>IPSEC_TUNNEL_POLICY2</c> structure stores the quick mode negotiation policy for tunnel mode IPsec. IPSEC_TUNNEL_POLICY1 is
/// available. For Windows Vista, IPSEC_TUNNEL_POLICY0 is available.
/// </summary>
/// <remarks>
/// <para>
/// Same shape as IPSEC_TUNNEL_POLICY1 with IPSEC_TUNNEL_ENDPOINTS2 endpoints, an IKEEXT_EM_POLICY2 extended mode policy, the key
/// manager flags, and a trailing <see cref="fwdPathSaLifetime"/>. <see cref="ipsecProposals"/> and <see cref="emPolicy"/> are raw
/// unmanaged pointers; the caller owns their memory and must keep <see cref="numIpsecProposals"/> consistent with the proposal array
/// actually allocated.
/// </para>
/// <para>
/// The IPSEC_POLICY_FLAG_TUNNEL_* bypass flags and IPSEC_POLICY_FLAG_TUNNEL_ALLOW_OUTBOUND_CLEAR_CONNECTION each let some traffic skip
/// tunnel protection; the per-flag descriptions below state where each is intended to apply.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_tunnel_policy2 typedef struct IPSEC_TUNNEL_POLICY2_
// { UINT32 flags; UINT32 numIpsecProposals; IPSEC_PROPOSAL0 *ipsecProposals; IPSEC_TUNNEL_ENDPOINTS2 tunnelEndpoints;
// IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout; IKEEXT_EM_POLICY2 *emPolicy; UINT32 fwdPathSaLifetime; } IPSEC_TUNNEL_POLICY2;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_TUNNEL_POLICY2_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_TUNNEL_POLICY2
{
	/// <summary>
	/// <para>Type: <c>UINT32</c></para>
	/// <para>A combination of the following values.</para>
	/// <list type="table">
	/// <listheader><term>IPsec policy flag</term><description>Meaning</description></listheader>
	/// <item><term>IPSEC_POLICY_FLAG_ND_SECURE</term><description>Do negotiation discovery in secure ring.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_ND_BOUNDARY</term><description>Do negotiation discovery in the untrusted perimeter zone.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_CLEAR_DF_ON_TUNNEL</term><description>Clear the "DontFragment" bit on the outer IP header of an IPsec tunneled packet.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_SECOND_LIFETIME</term><description>If set, Internet Key Exchange (IKE) will not send the ISAKMP attribute for 'seconds' lifetime during quick mode negotiation.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_DONT_NEGOTIATE_BYTE_LIFETIME</term><description>If set, IKE will not send the ISAKMP attribute for 'byte' lifetime during quick mode negotiation.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_ENABLE_V6_IN_V4_TUNNELING</term><description>Negotiate IPv6 inside IPv4 IPsec tunneling. Applicable only for tunnel mode policy, and supported only by IKEv2.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_ENABLE_SERVER_ADDR_ASSIGNMENT</term><description>Enable calls to RAS VPN server for address assignment. Applicable only for tunnel mode policy, and supported only by IKEv2.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_TUNNEL_ALLOW_OUTBOUND_CLEAR_CONNECTION</term><description>Allow outbound connections to bypass the tunnel policy. Applicable only for tunnel mode policy on a tunnel gateway. Do not set on a tunnel client.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_TUNNEL_BYPASS_ALREADY_SECURE_CONNECTION</term><description>Allow ESP or UDP 500/4500 traffic to bypass the tunnel. Applicable only for tunnel mode policy.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_TUNNEL_BYPASS_ICMPV6</term><description>Allow ICMPv6 traffic to bypass the tunnel. Applicable only for tunnel mode policy.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_KEY_MANAGER_ALLOW_DICTATE_KEY</term><description>Allow key dictation for quick mode policy. Applicable only for AuthIP policy.</description></item>
	/// <item><term>IPSEC_POLICY_FLAG_KEY_MANAGER_ALLOW_NOTIFY_KEY</term><description>Allow key notification for quick mode policy. Applicable for AuthIP/IKE/IKEv2 policy.</description></item>
	/// </list>
	/// </summary>
	public IPSEC_POLICY_FLAG flags;
	/// <summary>
	/// <para>Type: <c>UINT32</c></para>
	/// <para>Number of quick mode proposals in the policy, i.e. the element count of the array at <see cref="ipsecProposals"/>.</para>
	/// </summary>
	public uint numIpsecProposals;
	/// <summary>
	/// <para>Type: <c>IPSEC_PROPOSAL0*</c></para>
	/// <para>Pointer to an unmanaged array of <see cref="numIpsecProposals"/> quick mode proposals. Not marshaled by this wrapper; the
	/// caller manages the allocation.</para>
	/// </summary>
	public IntPtr ipsecProposals;
	/// <summary>
	/// <para>Type: <c>IPSEC_TUNNEL_ENDPOINTS2</c></para>
	/// <para>Tunnel endpoints of the IPsec security association (SA) generated from this policy. Embedded by value.</para>
	/// </summary>
	public IPSEC_TUNNEL_ENDPOINTS2 tunnelEndpoints;
	/// <summary>
	/// <para>Type: <c>IPSEC_SA_IDLE_TIMEOUT0</c></para>
	/// <para>Specifies the SA idle timeout in IPsec policy.</para>
	/// </summary>
	public IPSEC_SA_IDLE_TIMEOUT0 saIdleTimeout;
	/// <summary>
	/// <para>Type: <c>IKEEXT_EM_POLICY2*</c></para>
	/// <para>Pointer to an unmanaged IKEEXT_EM_POLICY2: the AuthIP extended mode authentication policy. Not marshaled by this wrapper;
	/// the caller manages the allocation.</para>
	/// </summary>
	public IntPtr emPolicy;
	/// <summary>
	/// <para>Type: <c>UINT32</c></para>
	/// <para>The forward path SA lifetime indicating the length of time for this connection. Not present in IPSEC_TUNNEL_POLICY1.</para>
	/// </summary>
	public uint fwdPathSaLifetime;
}
/// <summary>
/// The <c>IPSEC_V4_UDP_ENCAPSULATION0</c> structure stores the User Datagram Protocol (UDP) encapsulation ports for Encapsulating
/// Security Payload (ESP) encapsulation.
/// </summary>
/// <remarks>
/// <para>This is used only when a NAT was detected as part of the IPsec NAT traversal specification.</para>
/// <para>
/// IPSEC_V4_UDP_ENCAPSULATION0 is a specific implementation of IPSEC_V4_UDP_ENCAPSULATION. See WFP Version-Independent Names and
/// Targeting Specific Versions of Windows for more information.
/// </para>
/// <para>Two consecutive UINT16 values (4 bytes total); the wrapper does not convert byte order.</para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ipsectypes/ns-ipsectypes-ipsec_v4_udp_encapsulation0 typedef struct
// IPSEC_V4_UDP_ENCAPSULATION0_ { UINT16 localUdpEncapPort; UINT16 remoteUdpEncapPort; } IPSEC_V4_UDP_ENCAPSULATION0;
[PInvokeData("ipsectypes.h", MSDNShortId = "NS:ipsectypes.IPSEC_V4_UDP_ENCAPSULATION0_")]
[StructLayout(LayoutKind.Sequential)]
public struct IPSEC_V4_UDP_ENCAPSULATION0
{
	/// <summary>Source UDP encapsulation port.</summary>
	public ushort localUdpEncapPort;
	/// <summary>Destination UDP encapsulation port.</summary>
	public ushort remoteUdpEncapPort;
}
}