Builder

Builder

Builder()

Construct Builder

Builder

Builder(ikeSessionParams: IkeSessionParams)

Construct Builder from the IkeSessionParams object.

addIkeOption

fun addIkeOption(ikeOption: Int): IkeSessionParams.Builder

Sets the specified IKE Option as enabled.

addIkeSaProposal

fun addIkeSaProposal(proposal: IkeSaProposal): IkeSessionParams.Builder

Adds an IKE SA proposal to the IkeSessionParams being built.

build

fun build(): IkeSessionParams

Validates and builds the IkeSessionParams.

removeIkeOption

fun removeIkeOption(ikeOption: Int): IkeSessionParams.Builder

Resets (disables) the specified IKE Option.

setAuthDigitalSignature

fun setAuthDigitalSignature(
    serverCaCert: X509Certificate?, 
    clientEndCert: X509Certificate, 
    clientPrivateKey: PrivateKey
): IkeSessionParams.Builder

Configures the IkeSession to use public-key-signature-based authentication.

The public key included by the client end certificate and the private key used for signing MUST be a matching key pair.

The IKE library will use the strongest signature algorithm supported by both sides.

Currenly only RSA digital signature is supported.

setAuthDigitalSignature

fun setAuthDigitalSignature(
    serverCaCert: X509Certificate?, 
    clientEndCert: X509Certificate, 
    clientIntermediateCerts: MutableList<X509Certificate!>, 
    clientPrivateKey: PrivateKey
): IkeSessionParams.Builder

Configures the IkeSession to use public-key-signature-based authentication.

The public key included by the client end certificate and the private key used for signing MUST be a matching key pair.

The IKE library will use the strongest signature algorithm supported by both sides.

Currenly only RSA digital signature is supported.

setAuthEap

fun setAuthEap(
    serverCaCert: X509Certificate?, 
    eapConfig: EapSessionConfig
): IkeSessionParams.Builder

Configures the IkeSession to use EAP authentication.

Not all EAP methods provide mutual authentication. As such EAP MUST be used in conjunction with a public-key-signature-based authentication of the remote server, unless EAP-Only authentication is enabled.

Callers may enable EAP-Only authentication by setting IKE_OPTION_EAP_ONLY_AUTH, which will make IKE library request the remote to use EAP-Only authentication. The remote may opt to reject the request, at which point the received certificates and authentication payload WILL be validated with the provided root CA or system's truststore as usual. Only safe EAP methods as listed in RFC 5998 will be accepted for EAP-Only authentication.

If IKE_OPTION_EAP_ONLY_AUTH is set, callers MUST configure EAP as the authentication method and all EAP methods set in EAP Session configuration MUST be safe methods that are accepted for EAP-Only authentication. Otherwise callers will get an exception when building the IkeSessionParams

Callers MUST declare only one authentication method. Calling this function will override the previously set authentication configuration.

setAuthPsk

fun setAuthPsk(sharedKey: ByteArray): IkeSessionParams.Builder

Configures the IkeSession to use pre-shared-key-based authentication.

Both client and server MUST be authenticated using the provided shared key. IKE authentication will fail if the remote peer tries to use other authentication methods.

Callers MUST declare only one authentication method. Calling this function will override the previously set authentication configuration.

Callers SHOULD NOT use this if any other authentication methods can be used; PSK-based authentication is generally considered insecure.

setDpdDelaySeconds

fun setDpdDelaySeconds(dpdDelaySeconds: Int): IkeSessionParams.Builder

Sets the Dead Peer Detection(DPD) delay in seconds.

setLifetimeSeconds

fun setLifetimeSeconds(
    hardLifetimeSeconds: Int, 
    softLifetimeSeconds: Int
): IkeSessionParams.Builder

Sets hard and soft lifetimes.

Lifetimes will not be negotiated with the remote IKE server.

setLocalIdentification

fun setLocalIdentification(identification: IkeIdentification): IkeSessionParams.Builder

Sets local IKE identification for the IkeSessionParams being built.

It is not allowed to use KEY ID together with digital-signature-based authentication as per RFC 7296.

setNattKeepAliveDelaySeconds

fun setNattKeepAliveDelaySeconds(nattKeepaliveDelaySeconds: Int): IkeSessionParams.Builder

Sets the Network Address Translation Traversal (NATT) keepalive delay in seconds.

setNetwork

fun setNetwork(network: Network?): IkeSessionParams.Builder

Sets the Network for the IkeSessionParams being built.

If no Network is provided, the default Network (as per android.net.ConnectivityManager#getActiveNetwork()) will be used when constructing an IkeSession.

setRemoteIdentification

fun setRemoteIdentification(identification: IkeIdentification): IkeSessionParams.Builder

Sets remote IKE identification for the IkeSessionParams being built.

setRetransmissionTimeoutsMillis

fun setRetransmissionTimeoutsMillis(retransTimeoutMillisList: IntArray): IkeSessionParams.Builder

Sets the retransmission timeout list in milliseconds.

Configures the retransmission by providing an array of relative retransmission timeouts in milliseconds. After sending out a request and before receiving the response, the IKE Session will iterate through the array and wait for the relative timeout before the next retry. If the last timeout is exceeded, the IKE Session will be terminated.

Each element in the array MUST be a value from 500 ms to 1800000 ms (30 minutes). The length of the array MUST NOT exceed 10. This retransmission timeout list defaults to {0.5s, 1s, 2s, 4s, 8s}

setServerHostname

fun setServerHostname(serverHostname: String): IkeSessionParams.Builder

Sets the server hostname for the IkeSessionParams being built.