Added in API level 31

IkeSessionParams

class IkeSessionParams
kotlin.Any
   ↳ android.net.ipsec.ike.IkeSessionParams

IkeSessionParams contains all user provided configurations for negotiating an IkeSession.

Note that all negotiated configurations will be reused during rekey including SA Proposal and lifetime.

Summary

Nested classes

This class can be used to incrementally construct an IkeSessionParams.

abstract

This class contains common information of an IKEv2 authentication configuration.

This class represents the configuration to support IKEv2 public-key-signature-based authentication of the local side.

This class represents the configuration to support IKEv2 public-key-signature-based authentication of the remote side.

This class represents the configuration to support EAP authentication of the local side.

This class represents the configuration to support IKEv2 pre-shared-key-based authentication of local or remote side.

Constants
static Int
IKE_OPTION_ACCEPT_ANY_REMOTE_ID

If set, the IKE library will accept any remote (server) identity, even if it does not match the configured remote identity.

static Int
IKE_OPTION_EAP_ONLY_AUTH

If set, and EAP has been configured as the authentication method, the IKE library will request that the remote (also) use an EAP-only authentication flow.

static Int
IKE_OPTION_FORCE_PORT_4500

Configures the IKE session to always send to port 4500.

static Int
IKE_OPTION_INITIAL_CONTACT

If set, the IKE library will send INITIAL_CONTACT notification to the peers.

static Int
IKE_OPTION_MOBIKE

If set, the IKE Session will attempt to handle IP address changes using RFC 4555 MOBIKE.

Public methods
Int
getDpdDelaySeconds()

Retrieves the Dead Peer Detection (DPD) delay in seconds

Int
getHardLifetimeSeconds()

Retrieves hard lifetime in seconds

MutableList<IkeSaProposal!>
getIkeSaProposals()

Retrieves all IkeSaProposals configured

IkeSessionParams.IkeAuthConfig
getLocalAuthConfig()

Retrieves the local (client) authentication configuration

IkeIdentification
getLocalIdentification()

Retrieves the local (client) identity

Int
getNattKeepAliveDelaySeconds()

Retrieves the Network Address Translation Traversal (NATT) keepalive delay in seconds

Network?
getNetwork()

Retrieves the configured Network, or null if it was not set.

IkeSessionParams.IkeAuthConfig
getRemoteAuthConfig()

Retrieves the remote (server) authentication configuration

IkeIdentification
getRemoteIdentification()

Retrieves the required remote (server) identity

IntArray
getRetransmissionTimeoutsMillis()

Retrieves the relative retransmission timeout list in milliseconds

String
getServerHostname()

Retrieves the configured server hostname

Int
getSoftLifetimeSeconds()

Retrieves soft lifetime in seconds

Boolean
hasIkeOption(ikeOption: Int)

Checks if the given IKE Session negotiation option is set

Constants

IKE_OPTION_ACCEPT_ANY_REMOTE_ID

Added in API level 31
static val IKE_OPTION_ACCEPT_ANY_REMOTE_ID: Int

If set, the IKE library will accept any remote (server) identity, even if it does not match the configured remote identity.

@see Builder#setRemoteIdentification(IkeIdentification)

Value: 0

IKE_OPTION_EAP_ONLY_AUTH

Added in API level 31
static val IKE_OPTION_EAP_ONLY_AUTH: Int

If set, and EAP has been configured as the authentication method, the IKE library will request that the remote (also) use an EAP-only authentication flow.

@see Builder#setAuthEap(X509Certificate, EapSessionConfig)

Value: 1

IKE_OPTION_FORCE_PORT_4500

Added in API level 31
static val IKE_OPTION_FORCE_PORT_4500: Int

Configures the IKE session to always send to port 4500.

If set, the IKE Session will be initiated and maintained exclusively using destination port 4500, regardless of the presence of NAT. Otherwise, the IKE Session will be initiated on destination port 500; then, if either a NAT is detected or both MOBIKE and NAT-T are supported by the peer, it will proceed on port 4500.

Value: 3

IKE_OPTION_INITIAL_CONTACT

Added in API level 33
static val IKE_OPTION_INITIAL_CONTACT: Int

If set, the IKE library will send INITIAL_CONTACT notification to the peers.

If this option is set, the INITIAL_CONTACT notification payload is sent in IKE_AUTH. The client can use this option to assert to the peer that this IKE SA is the only IKE SA currently active between the authenticated identities.

@see "https://tools.ietf.org/html/rfc7296#section-2.4" RFC 7296, Internet Key Exchange Protocol Version 2 (IKEv2)

@see Builder#addIkeOption(int)

Value: 4

IKE_OPTION_MOBIKE

Added in API level 31
static val IKE_OPTION_MOBIKE: Int

If set, the IKE Session will attempt to handle IP address changes using RFC 4555 MOBIKE.

Upon IP address changes (including Network changes), the IKE session will initiate an RFC 4555 MOBIKE procedure, migrating both this IKE Session and associated IPsec Transforms to the new local and remote address pair.

The IKE library will first attempt to enable MOBIKE to handle the changes of underlying network and addresses. For callers targeting SDK android.os.Build.VERSION_CODES#S_V2 and earlier, this option will implicitly enable the support for rekey-based mobility, and thus if the server does not support MOBIKE, the IKE Session will try migration by rekeying all associated IPsec SAs. This rekey-based mobility feature is not best-practice and has technical issues; accordingly, it will no longer be enabled for callers targeting SDK android.os.Build.VERSION_CODES#TIRAMISU and above.

Checking whether or not MOBIKE is supported by both the IKE library and the server in an IKE Session is done via IkeSessionConfiguration#isIkeExtensionEnabled(int).

It is recommended that IKE_OPTION_MOBIKE be enabled unless precluded for compatibility reasons.

If this option is set for an IKE Session, Transport-mode SAs will not be allowed in that Session.

Callers that need to perform migration of IPsec transforms and tunnels MUST implement migration specific methods in IkeSessionCallback and ChildSessionCallback.

Value: 2

Public methods

getDpdDelaySeconds

Added in API level 31
fun getDpdDelaySeconds(): Int

Retrieves the Dead Peer Detection (DPD) delay in seconds

Return
Int Value is IKE_DPD_DELAY_SEC_MIN or greater

getHardLifetimeSeconds

Added in API level 31
fun getHardLifetimeSeconds(): Int

Retrieves hard lifetime in seconds

Return
Int Value is between IKE_HARD_LIFETIME_SEC_MINIMUM and IKE_HARD_LIFETIME_SEC_MAXIMUM inclusive

getIkeSaProposals

Added in API level 31
fun getIkeSaProposals(): MutableList<IkeSaProposal!>

Retrieves all IkeSaProposals configured

Return
MutableList<IkeSaProposal!> This value cannot be null.

getLocalAuthConfig

Added in API level 31
fun getLocalAuthConfig(): IkeSessionParams.IkeAuthConfig

Retrieves the local (client) authentication configuration

Return
IkeSessionParams.IkeAuthConfig This value cannot be null.

getLocalIdentification

Added in API level 31
fun getLocalIdentification(): IkeIdentification

Retrieves the local (client) identity

Return
IkeIdentification This value cannot be null.

getNattKeepAliveDelaySeconds

Added in API level 31
fun getNattKeepAliveDelaySeconds(): Int

Retrieves the Network Address Translation Traversal (NATT) keepalive delay in seconds

Return
Int Value is between IKE_NATT_KEEPALIVE_DELAY_SEC_MIN and IKE_NATT_KEEPALIVE_DELAY_SEC_MAX inclusive

getNetwork

Added in API level 31
fun getNetwork(): Network?

Retrieves the configured Network, or null if it was not set.

@see Builder#setNetwork(Network)

getRemoteAuthConfig

Added in API level 31
fun getRemoteAuthConfig(): IkeSessionParams.IkeAuthConfig

Retrieves the remote (server) authentication configuration

Return
IkeSessionParams.IkeAuthConfig This value cannot be null.

getRemoteIdentification

Added in API level 31
fun getRemoteIdentification(): IkeIdentification

Retrieves the required remote (server) identity

Return
IkeIdentification This value cannot be null.

getRetransmissionTimeoutsMillis

Added in API level 31
fun getRetransmissionTimeoutsMillis(): IntArray

Retrieves the relative retransmission timeout list in milliseconds

@see Builder#setRetransmissionTimeoutsMillis(int[])

Return
IntArray This value cannot be null.

getServerHostname

Added in API level 31
fun getServerHostname(): String

Retrieves the configured server hostname

The configured server hostname will be resolved during IKE Session creation.

Return
String This value cannot be null.

getSoftLifetimeSeconds

Added in API level 31
fun getSoftLifetimeSeconds(): Int

Retrieves soft lifetime in seconds

Return
Int Value is between IKE_SOFT_LIFETIME_SEC_MINIMUM and IKE_HARD_LIFETIME_SEC_MAXIMUM inclusive

hasIkeOption

Added in API level 31
fun hasIkeOption(ikeOption: Int): Boolean

Checks if the given IKE Session negotiation option is set

Parameters
ikeOption Int: the option to check. Value is android.net.ipsec.ike.IkeSessionParams#IKE_OPTION_ACCEPT_ANY_REMOTE_ID, android.net.ipsec.ike.IkeSessionParams#IKE_OPTION_EAP_ONLY_AUTH, android.net.ipsec.ike.IkeSessionParams#IKE_OPTION_MOBIKE, android.net.ipsec.ike.IkeSessionParams#IKE_OPTION_FORCE_PORT_4500, android.net.ipsec.ike.IkeSessionParams#IKE_OPTION_INITIAL_CONTACT, android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_REKEY_MOBILITY, android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_AUTOMATIC_ADDRESS_FAMILY_SELECTION, android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_AUTOMATIC_NATT_KEEPALIVES, or android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_AUTOMATIC_KEEPALIVE_ON_OFF
Exceptions
java.lang.IllegalArgumentException if the provided option is invalid.
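
An added example (not from the Android documentation) that uses hasIkeOption to review an already built IkeSessionParams against the option semantics described on this page. Finding, Severity, auditIkeOptions and the targetSdk parameter are hypothetical names, and the severities are a reviewer's judgment rather than anything the API defines.

```kotlin
import android.net.ipsec.ike.IkeSessionParams
import android.os.Build

// Hypothetical types for this example; not part of android.net.ipsec.ike.
enum class Severity { INFO, WARN, HIGH }
data class Finding(val option: String, val severity: Severity, val note: String)

/** Reviews the negotiation options of [params]; [targetSdk] is the caller's targetSdkVersion. */
fun auditIkeOptions(params: IkeSessionParams, targetSdk: Int): List<Finding> {
    val findings = mutableListOf<Finding>()

    // The remote identity match is switched off: any server ID is accepted.
    if (params.hasIkeOption(IkeSessionParams.IKE_OPTION_ACCEPT_ANY_REMOTE_ID)) {
        findings += Finding("IKE_OPTION_ACCEPT_ANY_REMOTE_ID", Severity.HIGH,
            "Configured remote identity is not enforced for ${params.serverHostname}")
    }

    // The remote is asked to authenticate through the EAP exchange as well.
    if (params.hasIkeOption(IkeSessionParams.IKE_OPTION_EAP_ONLY_AUTH)) {
        findings += Finding("IKE_OPTION_EAP_ONLY_AUTH", Severity.INFO,
            "EAP-only flow requested; confirm the EAP method authenticates the server")
    }

    if (params.hasIkeOption(IkeSessionParams.IKE_OPTION_MOBIKE)) {
        // Callers targeting S_V2 and earlier also get rekey-based mobility as a fallback.
        if (targetSdk <= Build.VERSION_CODES.S_V2) {
            findings += Finding("IKE_OPTION_MOBIKE", Severity.WARN,
                "targetSdk $targetSdk implicitly enables rekey-based mobility")
        }
    } else {
        findings += Finding("IKE_OPTION_MOBIKE", Severity.INFO,
            "MOBIKE is recommended unless precluded for compatibility reasons")
    }

    // IKE_OPTION_INITIAL_CONTACT was added in API level 33. Assumption: an older
    // release may reject the value with IllegalArgumentException, so query it
    // only on API 33 and above.
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU &&
        params.hasIkeOption(IkeSessionParams.IKE_OPTION_INITIAL_CONTACT)) {
        findings += Finding("IKE_OPTION_INITIAL_CONTACT", Severity.INFO,
            "Peer is told this is the only active IKE SA between these identities")
    }

    if (params.hasIkeOption(IkeSessionParams.IKE_OPTION_FORCE_PORT_4500)) {
        findings += Finding("IKE_OPTION_FORCE_PORT_4500", Severity.INFO,
            "Session uses destination port 4500 only; port 500 is never tried")
    }
    return findings
}
```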