libopenikev2 provides, at the moment, the following features:
- Creation of SAs. The library allows the negociation of IKE SAs and IPSEC (AH and ESP) SAs using either, tunnel and transport mode. This negociation is performed automatically by the library.
- Authentication method. The library allows to use any kind of authentication method.
- Rekeying. The library makes SA rekeying when the configurated rekey time is elapsed. The rekeying is made in a soft way, creating the new SAs before deleting the old ones.
- Cookie mechanism. The library implements the cookie DoS prevention mechanism. The cookie generation method is concrete implementation dependent and must be defined by the library users.
- IPv6 support. The library has IPv6 address support. Library clients can use IPv6 addresses as well as IPv4 addresses.
- Internal address configuration.
The library allows to assing an internal address to the initiator
of a IKEv2 communication using the configuration payloads. The internal
address can be obtained using two methods: based on configuration
parameters or using an external DHCP server.
- Notification extensibility. The library allows to extend the notification payload processing without recompilation. It allows to register new NotifyControllers that will manage the notification processing. This feature may be used, in example, to implement the "Repeated Authentication in IKEv2" or "MOBIKE" mechanims.
- Event bus system. Since the library performs all the IKEv2 functionallity, the library clients cannot know what is happening inside it without a notification system. The library sends events to the clients in order to notify them if a SA has been established or failed, if a SA has been rekeyed, if the core has finished, etc. Clients may take pertinet actions in function of the received events.
- Configuration system. Library behaviour can be tuned up using the configuration system. Using it is possible to define the authorized peers, the ID and the keys (or certificates) to be used, the rekeying times, and a lot of parameters. This configuration may be changed dinamically.
- Security policy creation. Library allows to clients to install security policies before start with the IKEv2 core functionallity. This feature lets the clients to avoid the use of external utilities as setkey or ip commands.
- Start exchanges. Usually the exchanges are started automatically by the library depending on the configuration parameters and the received IPsec events, so clients should not start any exchange and theyonly should tune up the configuration. However, it is possible that an application using libopeniev2 wants to start an INFORMATIONAL exchange due to an external event. libopenikev2 allows to start INFORMATIONAL exchanges containing any kind of payload.
- Authenticator. This interface is implemented to provide authentication based on preshared keys and certificates of any kind. It also provides support to perform the EAP based authentication, providing an implementation of the EAP-MD5 (client and server side) and EAP-TLS (only client side) methods. Additionally, it is possible to act as a EAP passthrough with a RADIUS server, allowing any EAP method supported by it.
- IpsecControllerImpl. This interface is implemeted twice, using a netlink socket (XFRM) and using a PFKEYv2 socket. The XFRM implementation allows full traffic selector negociation (narrowing).
- NetworkControllerImpl, IpAddress. These interfaces are implemented using the standard socket library. NetworkControllerImpl has also implemented the "Remote Address Configuration" methods allowing to obtain the remote address randomly or from a DHCP server.
- ThreadControllerImpl, Mutex, Condition. These interfaces are implemented using the pthread library.
- CryptoController, Cipher, DH, Random, KeyRing. These interfaces are implemented using the libcrypto library, from the openssl project. They allow to use the most common crypto algorithms (AES, 3DES, BLOWFISH, SHA1, MD5) and the MODP groups 1, 2, 5, 14, 15, 16, 17 and 18.
- Attribute. This interface is implemented several times, to allow bool attributes, int32 attributes, string attributes and "Payload" attributes.
- LogImpl. This interface is implemented three times, in order to generate the log output in plain text, in color text (using escape sequencies) and in HTML code.
- NotifyController. This interface is implemented for manage the AUTH_LIFETIME notification (defined in the "Repeated Authentication in IKEv2" document).
openikev2 uses the previous libraries in order to create an application that initializes all subsystems and acts as a daemon providing IKEv2 service.
It has a powerfull configuration file that allows to establish all the libopenikev2 configuration. IPsec policies can be defined there, so there is no need to use tools like setkey or ip to manage the policies.