ike package

Subpackages

• ike.util package
  • Submodules
  • ike.util.cipher module
  • ike.util.conv module
  • ike.util.dh module
  • ike.util.dump module
  • ike.util.external module
  • ike.util.prf module
  • ike.util.pubkey module
  • Module contents

Submodules

ike.const module

class ike.const.AuthenticationType

Bases: enum.IntEnum

An enumeration.

DSS = 3

PSK = 2

RSA = 1

class ike.const.ExchangeType

Bases: enum.IntEnum

An enumeration.

CREATE_CHILD_SA = 36

IKE_AUTH = 35

IKE_SA_INIT = 34

INFORMATIONAL = 37

class ike.const.MessageType

Bases: enum.IntEnum

An enumeration.

ADDITIONAL_IP4_ADDRESS = 16397

ADDITIONAL_IP6_ADDRESS = 16398

ADDITIONAL_TS_POSSIBLE = 16386

ANOTHER_AUTH_FOLLOWS = 16405

AUTHENTICATION_FAILED = 24

AUTHORIZATION_FAILED = 46

AUTH_LIFETIME = 16403

CHILDLESS_IKEV2_SUPPORTED = 16418

CHILD_SA_NOT_FOUND = 44

COOKIE = 16390

COOKIE2 = 16401

EAP_ONLY_AUTHENTICATION = 16417

ERX_SUPPORTED = 16427

ESP_TFC_PADDING_NOT_SUPPORTED = 16394

FAILED_CP_REQUIRED = 37

HTTP_CERT_LOOKUP_SUPPORTED = 16392

IFOM_CAPABILITY = 16428

IKEV2_MESSAGE_ID_SYNC = 16422

IKEV2_MESSAGE_ID_SYNC_SUPPORTED = 16420

INITIAL_CONTACT = 16384

INTERNAL_ADDRESS_FAILURE = 36

INVALID_GROUP_ID = 45

INVALID_IKE_SPI = 4

INVALID_KE_PAYLOAD = 17

INVALID_MAJOR_VERSION = 5

INVALID_MESSAGE_ID = 9

INVALID_SELECTORS = 39

INVALID_SPI = 11

INVALID_SYNTAX = 7

IPCOMP_SUPPORTED = 16387

IPSEC_REPLAY_COUNTER_SYNC = 16423

IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED = 16421

LINK_ID = 16414

MOBIKE_SUPPORTED = 16396

MULTIPLE_AUTH_SUPPORTED = 16404

NAT_DETECTION_DESTINATION_IP = 16389

NAT_DETECTION_SOURCE_IP = 16388

NON_FIRST_FRAGMENTS_ALSO = 16395

NO_ADDITIONAL_ADDRESSES = 16399

NO_ADDITIONAL_SAS = 35

NO_NATS_ALLOWED = 16402

NO_PROPOSAL_CHOSEN = 14

PSK_CONFIRM = 16426

PSK_PERSIST = 16425

QUICK_CRASH_DETECTION = 16419

REDIRECT = 16407

REDIRECTED_FROM = 16408

REDIRECT_SUPPORTED = 16406

REKEY_SA = 16393

ROHC_SUPPORTED = 16416

Reserved = 0

SECURE_PASSWORD_METHODS = 16424

SENDER_REQUEST_ID = 16429

SET_WINDOW_SIZE = 16385

SINGLE_PAIR_REQUIRED = 34

TEMPORARY_FAILURE = 43

TICKET_ACK = 16411

TICKET_LT_OPAQUE = 16409

TICKET_NACK = 16412

TICKET_OPAQUE = 16413

TICKET_REQUEST = 16410

TS_UNACCEPTABLE = 38

UNACCEPTABLE_ADDRESSES = 40

UNEXPECTED_NAT_DETECTED = 41

UNSUPPORTED_CRITICAL_PAYLOAD = 1

UPDATE_SA_ADDRESSES = 16400

USE_ASSIGNED_HoA = 42

USE_TRANSPORT_MODE = 16391

USE_WESP_MODE = 16415

class ike.const.ProtocolID

Bases: enum.IntEnum

An enumeration.

AH = 2

ESP = 3

IKE = 1

ike.initiator module

IKE v2 (RFC 5996) initiator implementation

Usage:

initiator.py <remote_peer>

To clean up afterwards,

setkey -FP && setkey -F

class ike.initiator.IKEInitiator

Bases: asyncio.protocols.DatagramProtocol

Implements an IKE initiator that attempt to negotiate a single child SA to remote peer.

connectionRefused()

connection_made(transport)

datagram_received(data, address)

ike.initiator.main(peer)

ike.payloads module

IKEv2 Payloads as specified in RFC 5996 sections 3.2 - 3.16

class ike.payloads.AUTH(signed_octets=None, data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._IkePayload

Authentication Payload

class ike.payloads.IDi(data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._IkePayload

Identification Payload for initiator

class ike.payloads.IDr(data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._IkePayload

Identification Payload for responder

class ike.payloads.KE(data=None, next_payload=<no_next_payload: 0>, critical=False, group=14, diffie_hellman=None)

Bases: ike.payloads._IkePayload

Key Exchange Payload

parse(data)

class ike.payloads.Nonce(data=None, next_payload=<no_next_payload: 0>, critical=False, nonce=None)

Bases: ike.payloads._IkePayload

Nonce Payload

parse(data)

class ike.payloads.Notify(notify_type=None, data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._IkePayload

Notify Payload

parse(data)

class ike.payloads.SA(data=None, proposals=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._IkePayload

Security Association Payload

parse(data)

class ike.payloads.SK(data=None, next_payload=<no_next_payload: 0>, critical=False, iv=None, ciphertext=None)

Bases: ike.payloads._IkePayload

Encrypted Payload

mac(hmac)

class ike.payloads.TSi(addr=None, data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._TS

Traffic Selector Payload for initiator

class ike.payloads.TSr(addr=None, data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._TS

Traffic Selector Payload for responder

class ike.payloads.Type

Bases: enum.IntEnum

Payload types from IANA

AUTH = 39

CERT = 37

CERTREQ = 38

CP = 47

Delete = 42

EAP = 48

GSA = 51

GSPM = 49

IDg = 50

IDi = 35

IDr = 36

KD = 52

KE = 34

Ni = 40

Nonce = 40

Notify = 41

Nr = 40

SA = 33

SK = 46

TSi = 44

TSr = 45

no_next_payload = 0

ike.payloads.get_by_type(payload_type)

Returns an IkePayload (sub)class based on the RFC5996 payload_type :param payload_type: int() Ike Payload type

ike.proposal module

Implements Proposal and Transform substructures for Security association (SA) payloads.

Conforms to RFC5996 section 3.3

class ike.proposal.Proposal(data=None, num=1, protocol=<ProtocolID.IKE: 1>, spi=None, spi_len=0, last=False, transforms=None)

Bases: object

data

parse(data)

class ike.proposal.Transform(name, keysize=None, last=False)

Bases: object

data

ike.protocol module

High level interface to IKEv2 protocol

class ike.protocol.IKE(address, peer, dh_group=14, nonce_len=32)

Bases: object

A single IKE negotiation / SA.

Currently implements only Initiator side of the negotiation.

auth_recv()

Handle peer’s IKE_AUTH response.

auth_send()

Generates the second (IKE_AUTH) packet for Initiator

Returns:bytes() containing a valid IKE_INIT packet

authenticate_peer(auth_data, peer_id, message)

Verifies the peers authentication.

decrypt(data)

Decrypts an encrypted (SK, 46) IKE payload using self.SK_er

Parameters:data – Encrypted IKE payload including headers (payloads.SK()) Returns:next_payload, data_containing_payloads Raises:IkeError – If packet is corrupted.

encrypt_and_hmac(packet)

Encrypts and signs a Packet() using self.SK_ei and self.SK_ai

Parameters:packet – Unecrypted Packet() with one or more payloads. Returns:Encrypted and signed Packet() with a single payloads.SK

init_recv()

Parses the IKE_INIT response packet received from Responder.

Assigns the correct values of rSPI and Nr Calculates Diffie-Hellman exchange and assigns all keys to self.

init_send()

Generates the first (IKE_INIT) packet for Initiator

Returns:bytes() containing a valid IKE_INIT packet

install_ipsec_sas()

parse_packet(data)

Parses a received packet in to Packet() with corresponding payloads. Will decrypt encrypted packets when needed.

Parameters:data – bytes() IKE packet from wire. Returns:Packet() instance Raises:IkeError – on malformed packet

verify_hmac(data)

Verifies the HMAC signature of an encrypted (SK, 46) payload using self.SK_ar

Parameters:data – bytes(payloads.SK()) Raises:IkeError – if calculated signature does not match the one in the payload

exception ike.protocol.IkeError

Bases: Exception

class ike.protocol.Packet(data=None, exchange_type=None, message_id=0, iSPI=0, rSPI=0)

Bases: object

An IKE packet.

To generate packets:

1. instantiate an Packet()
2. add payloads by Packet.add_payload(<payloads.IkePayload instance>)
3. send bytes(Packet) to other peer.

Received packets should be generated by IKE.parse_packet().

add_payload(payload)

Adds a payload to packet, updating last payload’s next_payload field

class ike.protocol.State

Bases: enum.IntEnum

An enumeration.

AUTH = 2

INIT = 1

STARTING = 0

Module contents