-- Copyright (C) 2009-2012 Aricent Group . All Rights Reserved
-- $Id: fsvpnpolicy.mib,v 1.12 2012/11/07 12:19:22 siva Exp $

FS-VPNPOLICY-MIB DEFINITIONS ::= BEGIN

IMPORTS enterprises, MODULE-IDENTITY, OBJECT-TYPE, Integer32, Counter32 FROM SNMPv2-SMI InterfaceIndexOrZero FROM IF-MIB RowStatus, DisplayString FROM SNMPv2-TC InetAddressType, InetAddress, InetAddressPrefixLength FROM INET-ADDRESS-MIB;

fsVpnPolicy MODULE-IDENTITY LAST-UPDATED "201209050000Z" ORGANIZATION "ARICENT COMMUNICATIONS SOFTWARE" CONTACT-INFO "support@aricent.com" DESCRIPTION "The MIB module that describes managed objects of general use by the IPSEC Protocol. Security considerations: several read-write objects in this module carry long-term secrets (fsVpnAhKey, fsVpnEspKey, fsVpnRemoteIdKey, fsVpnRaUserSecret), change the security posture of the device (fsVpnGlobalStatus, fsVpnRaServer, fsVpnPolicyFlag) or can expose traffic contents (the packet-dump bits of fsIkeTraceOption and fsIpsecTraceOption). SNMPv1/v2c community strings provide no confidentiality and only trivial authentication, so write access to this module, and read access to the secret-bearing objects, should be restricted to SNMPv3 authPriv principals through VACM views." REVISION "201209050000Z" DESCRIPTION "The MIB module that describes managed objects of general use by the IPSEC Protocol." ::= { enterprises futuresoftware (2076) 143 }

-- Top level components of this MIB module.
fsVpnObjects OBJECT IDENTIFIER ::= { fsVpnPolicy 1 }
fsVpnScalars OBJECT IDENTIFIER ::= { fsVpnPolicy 2 }

-- Start of VPN scalars
fsVpnGlobalStatus OBJECT-TYPE SYNTAX INTEGER { enable (1), disable (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object enables/disables the IPSEC processing administratively. By Default it is set to disable" DEFVAL { disable } ::= { fsVpnScalars 1 }

-- VPN global statistics
fsVpnMaxTunnels OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of Maximum Tunnels supported by the VPN Module." ::= { fsVpnScalars 2 }

fsVpnIpPktsIn OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Total Number of Incoming Packets through VPN Module." ::= { fsVpnScalars 3 }

fsVpnIpPktsOut OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Total Number of Outgoing Packets through VPN Module." ::= { fsVpnScalars 4 }

fsVpnPktsSecured OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Total Number of Packets Secured by VPN module." 
::= { fsVpnScalars 5 }

fsVpnPktsDropped OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Total Number of Packets Dropped by VPN module." ::= { fsVpnScalars 6 }

fsVpnIkeSAsActive OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of Active IKE Security Associations in VPN module. NOTE: this is a current count that rises and falls as SAs are created and deleted, although it is declared as Counter32; managers must treat it as a gauge and must not compute deltas or rates from it." ::= { fsVpnScalars 7 }

fsVpnIkeNegotiations OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of IKE Security associations negotiated in VPN Module." ::= { fsVpnScalars 8 }

fsVpnIkeRekeys OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of IKE security associations Re-Keyed." ::= { fsVpnScalars 9 }

fsVpnIkeNegoFailed OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Total number of failed IKE security association negotiations. A sustained rise in this counter without a matching rise in fsVpnIkeNegotiations is worth alerting on: it usually means a peer is misconfigured, but it is also what repeated authentication attempts against the gateway look like." ::= { fsVpnScalars 10 }

fsVpnIPSecSAsActive OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of Active IPSec Security Associations in VPN Module. NOTE: like fsVpnIkeSAsActive this is a current count, not a monotonic counter, despite the Counter32 syntax; managers must treat it as a gauge." ::= { fsVpnScalars 11 }

fsVpnIPSecNegotiations OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of Negotiated IPSec Security Associations in VPN Module." ::= { fsVpnScalars 12 }

fsVpnIPSecNegoFailed OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Number of failed IPSec security association negotiations." ::= { fsVpnScalars 13 }

fsVpnTotalRekeys OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Total Number of security associations Re-Keyed." ::= { fsVpnScalars 14 }

fsVpnRaServer OBJECT-TYPE SYNTAX INTEGER { disable (0), enable (1) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object enables/disables the RAVPN server. By Default it is set to enable (i.e. the Router will act as RAVPN Server). NOTE: the enumeration here is disable(0)/enable(1), which differs from the enable(1)/disable(2) encoding used by fsVpnGlobalStatus and fsVpnDummyPktGen; managers must not assume one encoding for every enable/disable object in this module. Deployments that do not offer remote access should set this to disable(0) so that the gateway does not accept remote-access negotiations it has no use for." DEFVAL { enable } ::= { fsVpnScalars 15 }

fsVpnDummyPktGen OBJECT-TYPE SYNTAX INTEGER { enable (1), disable (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object is to enable/disable the dummy packet generation. Dummy Packet generation is part of Traffic Flow confidentiality and involves generation of packets with next header value 59. The packets generated are not processed by the peer." DEFVAL { disable } ::= { fsVpnScalars 16 }

fsVpnDummyPktParam OBJECT-TYPE SYNTAX Integer32 (1..100) MAX-ACCESS read-write STATUS current DESCRIPTION "This object is to specify the length of the Dummy packet. The unit of the value (range 1..100) is not stated by this MIB; confirm it against the agent implementation before relying on it for traffic-flow confidentiality." DEFVAL { 25 } ::= { fsVpnScalars 17 }

fsIkeTraceOption OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-write STATUS current DESCRIPTION "This object is used to enable Trace Statements in Ike Module. A FOUR BYTE integer is used for enabling the level of tracing. Each BIT in the four byte integer, represents a particular level of Trace. To Set the trace level for Ike. BIT 0 - Initialisation and Shutdown Trace. BIT 1 - Management trace. BIT 2 - Data path trace. BIT 3 - Control Plane trace. BIT 4 - Packet Dump. BIT 5 - OS Resource trace. BIT 6 - All Failure trace (All failures including Packet Validation) BIT 7 - Buffer Trace. Note: BIT 0 - Least significant bit BIT 7 - Most significant bit For example, setting the trace level to the value 0001 0101 (decimal 21), will enable Init-Shutdown, data path and packet dump trace levels. Setting all the bits will enable all the trace levels and resetting them will disable all the trace levels. CAUTION: BIT 4 (Packet Dump) writes IKE message contents to the trace output. IKE exchanges carry peer identities and, depending on where in the processing path the dump is taken, payloads that are encrypted on the wire; enable it only for a bounded diagnostic window and treat the trace output as sensitive." DEFVAL { 0 } ::= { fsVpnScalars 18 }

fsIpsecTraceOption OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-write STATUS current DESCRIPTION "This object is used to enable Trace Statements in Ipsec Module. A FOUR BYTE integer is used for enabling the level of tracing. Each BIT in the four byte integer, represents a particular level of Trace. To Set the trace level for Ipsec. BIT 0 - Initialization and Shutdown Trace. 
BIT 1 - Management trace. BIT 2 - Data path trace. BIT 3 - Control Plane trace. BIT 4 - Packet Dump. BIT 5 - OS Resource trace. BIT 6 - All Failure trace (All failures including Packet Validation) BIT 7 - Buffer Trace. Note: BIT 0 - Least significant bit BIT 7 - Most significant bit For example, setting the trace level to the value 0001 0101 (decimal 21), will enable Init-Shutdown, data path and packet dump trace levels. Setting all the bits will enable all the trace levels and resetting them will disable all the trace levels. CAUTION: BIT 4 (Packet Dump) can write the plaintext of protected traffic to the trace output, depending on whether the dump is taken before encryption or after decryption; enable it only for a bounded diagnostic window and treat the trace output as sensitive." DEFVAL { 0 } ::= { fsVpnScalars 19 }

-- End of scalars

-- VPN policy table BEGIN
fsVpnTable OBJECT-TYPE SYNTAX SEQUENCE OF FsVpnEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the VPN association between a source and destination. It is consulted for authentication and ciphering of inbound and outbound datagrams. Datagrams which are forwarded by this entity are not authenticated." ::= { fsVpnObjects 1 }

fsVpnEntry OBJECT-TYPE SYNTAX FsVpnEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry is a unique parameter to identify the mapping between a particular source and destination address. The entry specifies the authentication algorithm and key to use, the direction of authentication (inbound or outbound) and a Security Parameter Index (SPI), tunnel termination addresses, local network and remote network. 
Updating the table elements is not allowed when the row is active" INDEX { fsVpnPolicyName } ::= { fsVpnTable 1 } FsVpnEntry ::= SEQUENCE { fsVpnPolicyName DisplayString, fsVpnPolicyType INTEGER, fsVpnPolicyPriority Integer32, fsVpnTunTermAddrType InetAddressType, fsVpnLocalTunTermAddr InetAddress, fsVpnRemoteTunTermAddr InetAddress, fsVpnProtectNetworkType InetAddressType, fsVpnLocalProtectNetwork InetAddress, fsVpnLocalProtectNetworkPrefixLen InetAddressPrefixLength, fsVpnRemoteProtectNetwork InetAddress, fsVpnRemoteProtectNetworkPrefixLen InetAddressPrefixLength, fsVpnIkeSrcPortRange DisplayString, fsVpnIkeDstPortRange DisplayString, fsVpnSecurityProtocol INTEGER, fsVpnInboundSpi Integer32, fsVpnOutboundSpi Integer32, fsVpnMode INTEGER, fsVpnAuthAlgo INTEGER, fsVpnAhKey OCTET STRING, fsVpnEncrAlgo INTEGER, fsVpnEspKey OCTET STRING, fsVpnAntiReplay INTEGER, fsVpnPolicyFlag INTEGER, fsVpnProtocol INTEGER, fsVpnPolicyIntfIndex InterfaceIndexOrZero, fsVpnIkePhase1HashAlgo INTEGER, fsVpnIkePhase1EncryptionAlgo INTEGER, fsVpnIkePhase1DHGroup INTEGER, fsVpnIkePhase1LocalIdType INTEGER, fsVpnIkePhase1LocalIdValue DisplayString, fsVpnIkePhase1PeerIdType INTEGER, fsVpnIkePhase1PeerIdValue DisplayString, fsVpnIkePhase1LifeTimeType INTEGER, fsVpnIkePhase1LifeTime Integer32, fsVpnIkePhase1Mode INTEGER, fsVpnIkePhase2AuthAlgo INTEGER, fsVpnIkePhase2EspEncryptionAlgo INTEGER, fsVpnIkePhase2LifeTimeType INTEGER, fsVpnIkePhase2LifeTime Integer32, fsVpnIkePhase2DHGroup INTEGER , fsVpnIkeVersion INTEGER, fsVpnCertAlgoType INTEGER, fsVpnPolicyRowStatus RowStatus } fsVpnPolicyName OBJECT-TYPE SYNTAX DisplayString (SIZE (0..50)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This is the index for accessing Ip Security table entries." 
::= { fsVpnEntry 1 }

fsVpnPolicyType OBJECT-TYPE SYNTAX INTEGER { ipsecManual (1), ikePresharedkey (2), ikeCertificate(3), xauth (4), raVpnPresharedKey (5) } MAX-ACCESS read-write STATUS current DESCRIPTION "An entity to identify the type of policy. ipsecManual(1) uses the statically configured SPIs and keys of this row (fsVpnInboundSpi, fsVpnOutboundSpi, fsVpnAhKey, fsVpnEspKey) and performs no IKE negotiation; the IKE-based types negotiate keys with the peer and ikeCertificate(3) additionally requires fsVpnCertAlgoType to be set. Which table (fsVpnRemoteIdTable or fsVpnRaUsersTable) supplies the credentials for the pre-shared-key and xauth types is not stated by this MIB." ::= { fsVpnEntry 2 }

fsVpnPolicyPriority OBJECT-TYPE SYNTAX Integer32 (1..2147483647) MAX-ACCESS read-write STATUS current DESCRIPTION "An entity to identify the priority of the Policy. Whether a lower or a higher value takes precedence when several policies match the same traffic is not stated by this MIB; confirm with the implementation before relying on ordering between overlapping policies." ::= { fsVpnEntry 3 }

fsVpnTunTermAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-write STATUS current DESCRIPTION "The tunnel termination IP address type, applying to both fsVpnLocalTunTermAddr and fsVpnRemoteTunTermAddr. This object supports only the ipv4(1) and ipv6(2) values." ::= { fsVpnEntry 4 }

fsVpnLocalTunTermAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-write STATUS current DESCRIPTION "This address is matched with the local address in the packet during authentication of inbound and outbound datagrams." ::= { fsVpnEntry 5 }

fsVpnRemoteTunTermAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-write STATUS current DESCRIPTION "This address is matched with the destination address in the packet during authentication of inbound and outbound datagrams." ::= { fsVpnEntry 6 }

fsVpnProtectNetworkType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-write STATUS current DESCRIPTION "The protected network address type. There is a single type object for the pair, so it applies to both fsVpnLocalProtectNetwork and fsVpnRemoteProtectNetwork. This object supports only the ipv4(1) and ipv6(2) values." ::= { fsVpnEntry 7 }

fsVpnLocalProtectNetwork OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-write STATUS current DESCRIPTION "This address is used in identifying the source network for a given VPN policy." ::= { fsVpnEntry 8 }

fsVpnLocalProtectNetworkPrefixLen OBJECT-TYPE SYNTAX InetAddressPrefixLength MAX-ACCESS read-write STATUS current DESCRIPTION "The length of the local protected network prefix." ::= { fsVpnEntry 9 }

fsVpnRemoteProtectNetwork OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-write STATUS current DESCRIPTION "This address is used in identifying the destination network for a given VPN policy." 
::= { fsVpnEntry 10 }

fsVpnRemoteProtectNetworkPrefixLen OBJECT-TYPE SYNTAX InetAddressPrefixLength MAX-ACCESS read-write STATUS current DESCRIPTION "The length of the remote protected network prefix." ::= { fsVpnEntry 11 }

fsVpnIkeSrcPortRange OBJECT-TYPE SYNTAX DisplayString(SIZE (1..11)) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the Source port range for the Traffic Selectors for IKEv2. The textual format of the range (presumably 'low-high', which is what the 11-character limit fits) is not specified by this MIB." ::= { fsVpnEntry 12 }

fsVpnIkeDstPortRange OBJECT-TYPE SYNTAX DisplayString(SIZE (1..11)) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the Destination port range for the Traffic Selectors for IKEv2. The textual format of the range (presumably 'low-high', which is what the 11-character limit fits) is not specified by this MIB." ::= { fsVpnEntry 13 }

fsVpnSecurityProtocol OBJECT-TYPE SYNTAX INTEGER { espproto(50), ahproto(51) } MAX-ACCESS read-write STATUS current DESCRIPTION "Security protocol header to be used: ahproto(51) provides integrity and origin authentication only, with no confidentiality; espproto(50) provides encryption (fsVpnEncrAlgo) and, when an authentication algorithm is configured, integrity as well." ::= { fsVpnEntry 14 }

fsVpnInboundSpi OBJECT-TYPE SYNTAX Integer32 (256 ..2147483647) MAX-ACCESS read-write STATUS current DESCRIPTION "This is an arbitrary 32-bit value identifying the security association for this datagram. This also indicates the SPI for the inbound direction. The Security Parameter Index value 0 is reserved to indicate that 'no security association exists'. The set of Security Parameters Index values in the range 1 through 255 are reserved to the IANA for future use. Any SPI value greater than 255 can be configured. NOTE: the SYNTAX is Integer32 (256..2147483647), so SPI values with the high bit set (2147483648 through 4294967295), which a peer may legitimately use, cannot be represented through this object. Manually keyed SAs are never rekeyed, so the SPI and key stay fixed for the life of the row; manual keying is appropriate for interoperability testing rather than production use. This entity is used only for IPSEC-Manual" ::= { fsVpnEntry 15 }

fsVpnOutboundSpi OBJECT-TYPE SYNTAX Integer32 (256 ..2147483647) MAX-ACCESS read-write STATUS current DESCRIPTION "This is an arbitrary 32-bit value identifying the security association for this datagram. This also indicates the SPI for the outbound direction. The Security Parameter Index value 0 is reserved to indicate that 'no security association exists'. The set of Security Parameters Index values in the range 1 through 255 are reserved to the IANA for future use. Any SPI value greater than 255 can be configured. NOTE: the SYNTAX is Integer32 (256..2147483647), so SPI values with the high bit set (2147483648 through 4294967295) cannot be represented through this object. 
This entity is used only for IPSEC-Manual" ::= { fsVpnEntry 16 }

fsVpnMode OBJECT-TYPE SYNTAX INTEGER {
    tunnel (1),    -- tunnel mode
    transport (2)  -- transport mode
} MAX-ACCESS read-write STATUS current DESCRIPTION "The supported security association mode. The security association mode must be configured as tunnel for a security gateway. A Host can be configured both in transport and tunnel mode" ::= { fsVpnEntry 17 }

fsVpnAuthAlgo OBJECT-TYPE SYNTAX INTEGER { hmacmd5 (1), hmacsha1 (2), xcbcmac (5), hmacsha256 (12), hmacsha384 (13), hmacsha512 (14) } MAX-ACCESS read-write STATUS current DESCRIPTION "The authentication algorithm configured for the particular security association entry. Setting the algorithm to hmacmd5(1), hmacsha1(2), xcbcmac(5), hmacsha256(12), hmacsha384(13) or hmacsha512(14) requires a key (fsVpnAhKey) for authentication. HMAC-MD5 and HMAC-SHA1 remain acceptable as MACs for now but should not be chosen for new deployments; prefer hmacsha256 or stronger. This entity is used only for IPSEC-Manual" ::= { fsVpnEntry 18 }

fsVpnAhKey OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..64)) MAX-ACCESS read-write STATUS current DESCRIPTION "This is the key used for authentication when the algorithm configured is either hmacmd5(1), hmacsha1(2), xcbcmac(5), hmacsha256(12), hmacsha384(13) or hmacsha512(14). For HmacMd5 and xcbcmac the key must be 16 bytes, for HmacSha1 the fixed size for key is 20 bytes, for HmacSha256 the fixed size for key is 32 bytes, for HmacSha384 the fixed size for key is 48 bytes, for HmacSha512 the fixed size for key is 64 bytes. SECURITY NOTE: this object is a long-term secret declared read-write, so a GET would return it to any principal with read access to the row. The agent should return a zero-length string (or refuse the read) and accept sets only over SNMPv3 authPriv; the key must be generated from a cryptographic random source, not derived from a passphrase. This entity is used only for IPSEC-Manual" ::= { fsVpnEntry 19 }

fsVpnEncrAlgo OBJECT-TYPE SYNTAX INTEGER { descbc (4), tripledescbc (5), aes128 (12), aes192 (13), aes256 (14) } MAX-ACCESS read-write STATUS current DESCRIPTION "The algorithm to be used for Encapsulation Security Payload (ESP) Header. This object is to be configured only if the Security protocol to be used is ESP. This entity is used only for IPSEC-Manual. DES - Specifies to use Data Encryption Standard (DES) for encryption. 
3DES - Specifies to use Triple Data Encryption Standard (3DES) for encryption. AES - Specifies to use Advanced Encryption Standard (AES) with a 128-bit key for encryption. AES-192 - Specifies to use AES with a 192-bit key for encryption. AES-256 - Specifies to use AES with a 256-bit key for encryption. Single DES (56-bit key) no longer provides meaningful protection and 3DES is limited by its 64-bit block size; new policies should use one of the AES variants. " ::= { fsVpnEntry 20 }

fsVpnEspKey OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..256)) MAX-ACCESS read-write STATUS current DESCRIPTION "This is the key used for encryption/decryption when the algorithm configured is either descbc, 3descbc or aes128, aes192 or aes256. For 3descbc this object is used for configuring the first key (where the remaining 3DES key material is configured is not shown by this MIB). The key length must match the algorithm's native key size (DES 8 bytes, AES-128/192/256 16/24/32 bytes); the exact checks the agent performs are not stated here. SECURITY NOTE: this object is a long-term secret declared read-write, so a GET would return it to any principal with read access to the row. The agent should return a zero-length string (or refuse the read) and accept sets only over SNMPv3 authPriv; the key must come from a cryptographic random source. This entity is used only for IPSEC-Manual" ::= { fsVpnEntry 21 }

fsVpnAntiReplay OBJECT-TYPE SYNTAX INTEGER { enable (1), disable (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "The object is used for activating the anti replay functionality of the security protocols. With anti-replay disabled a captured packet can be re-injected and accepted by the receiver; leave it enabled unless a specific interoperability problem requires otherwise. This entity is used only for IPSEC-Manual" DEFVAL { enable } ::= { fsVpnEntry 22 }

fsVpnPolicyFlag OBJECT-TYPE SYNTAX INTEGER {
    filter (1),  -- drops the packet
    apply (3),   -- applies IPSEC on the packet
    bypass (4)   -- bypasses the IPSEC for the packet
} MAX-ACCESS read-write STATUS current DESCRIPTION "The choices that can be applied on any outbound/inbound datagrams. bypass(4) forwards matching traffic in the clear, so a bypass policy that matches more traffic than intended silently removes protection; bypass entries should be as narrow as possible and reviewed together with fsVpnPolicyPriority." ::= { fsVpnEntry 23 }

fsVpnProtocol OBJECT-TYPE SYNTAX INTEGER { icmpv4 (1), tcp (6), udp (17), espproto (50), ahproto (51), icmpv6 (58), any (9000) } MAX-ACCESS read-write STATUS current DESCRIPTION "The Proto index value which uniquely identifies the protocol for which this Selector Table entry exists. In case of no specific protocol any can be used whose value is assigned as 9000" ::= { fsVpnEntry 24 }

fsVpnPolicyIntfIndex OBJECT-TYPE SYNTAX InterfaceIndexOrZero MAX-ACCESS read-write STATUS current DESCRIPTION "This is the interface for which the VPN policy is to be applied. The value zero indicates interface is not configured yet." 
::= { fsVpnEntry 25 }

fsVpnIkePhase1HashAlgo OBJECT-TYPE SYNTAX INTEGER { md5(1), sha1(2), sha256(12), sha384(13), sha512(14) } MAX-ACCESS read-write STATUS current DESCRIPTION "SHA - Specifies to use Secure Hash Algorithm (SHA) as the hash algorithm. SHA1 produces 160-bit hash values, SHA256 produces 256-bit hash values, SHA384 produces 384-bit hash values, SHA512 produces 512-bit hash values, which are longer than MD5. SHA is generally considered more secure and is the recommended hash algorithm; of the SHA variants, sha256 or stronger should be chosen for new deployments, and MD5 should be used only where a legacy peer requires it. MD5 - Specifies to use Message Digest 5 (MD5) as the hash algorithm. MD5 produces a 128-bit hash value. " DEFVAL { sha1 } ::= { fsVpnEntry 26 }

fsVpnIkePhase1EncryptionAlgo OBJECT-TYPE SYNTAX INTEGER { descbc(4), tripledescbc(5), aes128(12), aes192(13), aes256(14) } MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies which encryption algorithm should be used in Policy negotiation. NOTE: the default is descbc(4), single DES with a 56-bit key, which is kept for backward compatibility only; a row left at the default protects the IKE SA with an algorithm that can be brute-forced, so operators should set aes128(12) or stronger explicitly." DEFVAL { descbc } ::= { fsVpnEntry 27 }

fsVpnIkePhase1DHGroup OBJECT-TYPE SYNTAX INTEGER { group1(1), group2(2), group5(5), group14(14) } MAX-ACCESS read-write STATUS current DESCRIPTION "Diffie-Hellman (DH) is a public key cryptography protocol that enables two parties to establish a shared secret over unsecured communications channels. It will be used in Internet Key Exchange (IKE) to establish session keys. GROUP_1 - Specifies to use 768-bit Diffie-Hellman Group 1 cryptography. GROUP_2 - Specifies to use 1024-bit Diffie-Hellman Group 2 cryptography. GROUP_5 - Specifies to use 1536-bit Diffie-Hellman Group 5 cryptography. GROUP_14 - Specifies to use 2048-bit Diffie-Hellman Group 14 cryptography. The 768-bit and 1024-bit groups (the default group2) are below the modulus size currently considered adequate; group14 should be configured unless a legacy peer prevents it. " DEFVAL { group2 } ::= { fsVpnEntry 28 }

fsVpnIkePhase1LocalIdType OBJECT-TYPE SYNTAX INTEGER { ipv4(1), fqdn(2), email(3), ipv6(5), dn(9), keyId(11) } MAX-ACCESS read-write STATUS current DESCRIPTION "This is the Identity Type supported for the Local Node." 
::= { fsVpnEntry 29 }

fsVpnIkePhase1LocalIdValue OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "This is the value for the supported Local Node type of phase 1" ::= { fsVpnEntry 30 }

fsVpnIkePhase1PeerIdType OBJECT-TYPE SYNTAX INTEGER { ipv4(1), fqdn(2), email(3), ipv6(5), dn(9), keyId(11) } MAX-ACCESS read-write STATUS current DESCRIPTION "This is the Peer Identity Type supported for phase 1 of the IKE negotiation." ::= { fsVpnEntry 31 }

fsVpnIkePhase1PeerIdValue OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "This is the Peer Identity value for the supported peer type of phase 1. e.g. for ipv4 192.0.2.10, for email abc@example.com" ::= { fsVpnEntry 32 }

fsVpnIkePhase1LifeTimeType OBJECT-TYPE SYNTAX INTEGER { secs(1), mins(3), hrs(4), days(5) } MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the IKE life time units." DEFVAL { secs } ::= { fsVpnEntry 33 }

fsVpnIkePhase1LifeTime OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-write STATUS current DESCRIPTION "Enter the duration, in fsVpnIkePhase1LifeTimeType units, of the IKE security association (SA), after which the IKE SA expires and is re-negotiated. If you wish to save setup time for new IPsec SAs, configure a longer IKE SA lifetime. However, shorter lifetimes provide more secure IKE negotiations because the SA between the tunnel endpoints must be successfully renegotiated more frequently. NOTE in case of IKEv1: If the IKEv1 lifetimes on two peers are not the same (equal in duration), the IKE policy lifetime of the initiating peer must be shorter than the lifetime of the responding peer, and the shorter lifetime will be used in IKE negotiations between the devices. " DEFVAL { 2400 } ::= { fsVpnEntry 34 }

fsVpnIkePhase1Mode OBJECT-TYPE SYNTAX INTEGER { main(2), aggressive(4) } MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the IKE Phase 1 mode, whether main or aggressive. This distinction exists in IKEv1 only and has no meaning when fsVpnIkeVersion is ikev2(2). SECURITY NOTE: aggressive mode completes in three messages but sends the identities in the clear and, with pre-shared-key authentication, exposes a hash that lets anyone who captures the exchange attack the PSK offline. Use main(2) unless the peer's address is dynamic and aggressive mode is unavoidable; if aggressive mode must be used with a PSK, the PSK has to be long and random." 
::= { fsVpnEntry 35 }

fsVpnIkePhase2AuthAlgo OBJECT-TYPE SYNTAX INTEGER { md5(1), sha(2), xcbcmac(5), hmacsha256 (12), hmacsha384 (13), hmacsha512 (14) } MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies which integrity (authentication) algorithm is to be negotiated for the IPsec SA. Prefer hmacsha256(12) or stronger for new deployments." ::= { fsVpnEntry 36 }

fsVpnIkePhase2EspEncryptionAlgo OBJECT-TYPE SYNTAX INTEGER { descbc(4), tripledescbc(5), null(11), aes128(12), aes192(13), aes256(14), aesctr128(15), aesctr192(16), aesctr256(17) } MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies which encryption algorithm should be used for ESP. null(11) is ESP-NULL: it provides integrity only and sends the payload in the clear, so it must be chosen deliberately and only where confidentiality is not required. The AES-CTR variants provide no integrity of their own and must be combined with a non-null fsVpnIkePhase2AuthAlgo. descbc(4) should not be used for new policies." ::= { fsVpnEntry 37 }

fsVpnIkePhase2LifeTimeType OBJECT-TYPE SYNTAX INTEGER { secs(1), kb(2), mins(3), hrs(4), days(5) } MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the IPSec SA life time type: a duration (secs, mins, hrs, days) or a traffic volume in kilobytes (kb)." DEFVAL { secs } ::= { fsVpnEntry 38 }

fsVpnIkePhase2LifeTime OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the IPsec security association (SA) lifetime in fsVpnIkePhase2LifeTimeType units. The SA is re-negotiated after the time limit elapses or, when the type is kb(2), after that volume of traffic has been protected under the SA. " DEFVAL { 800 } ::= { fsVpnEntry 39 }

fsVpnIkePhase2DHGroup OBJECT-TYPE SYNTAX INTEGER { none (0), group1(1), group2(2), group5(5), group14(14) } MAX-ACCESS read-write STATUS current DESCRIPTION "Perfect Forward Secrecy (PFS) generates and uses a unique session key for each encrypted exchange. The unique session key protects the exchange from subsequent decryption, even if the entire exchange was recorded and the attacker has obtained the pre-shared and/or private keys used by the endpoint devices. Choosing none(0) disables PFS: the IPsec SA keys are then derived only from the IKE SA's keying material, so compromise of the IKE SA state exposes every IPsec SA negotiated under it. The group chosen here should be at least as strong as fsVpnIkePhase1DHGroup; group1 and group2 are below the currently accepted modulus size. To enable PFS, choose a Diffie-Hellman group to use in generating the PFS session key. 
" ::= { fsVpnEntry 40 } fsVpnIkeVersion OBJECT-TYPE SYNTAX INTEGER { ikev1 (1), ikev2 (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object is used for configuring the IKE version - IKev1 (1) or IKEv2 (2) protocol to be used for key negotiation" ::= { fsVpnEntry 41 } fsVpnCertAlgoType OBJECT-TYPE SYNTAX INTEGER { rsa (1), dsa (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object is used for configuring the Authentication Algorithm - RSA (1) or DSA (2) to be used for authentication This object needs to configure as RSA (1) or DSA (1) to configure fsVpnPolicyType object as ikeCertificate (3)" ::= { fsVpnEntry 42 } fsVpnPolicyRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object is used to create and delete rows from the fsVpnTable." ::= { fsVpnEntry 43 } --fsVpnTable END --fsVpnRaUsersTable Table BEGIN fsVpnRaUsersTable OBJECT-TYPE SYNTAX SEQUENCE OF FsVpnRaUsersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table is used to identify the remote access users when acting as a RAVPN Server" ::= { fsVpnObjects 2 } fsVpnRaUsersEntry OBJECT-TYPE SYNTAX FsVpnRaUsersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table is used for configuration of usernames and passwords for remote access users" INDEX { fsVpnRaUserName } ::= { fsVpnRaUsersTable 1 } FsVpnRaUsersEntry ::= SEQUENCE { fsVpnRaUserName DisplayString, fsVpnRaUserSecret DisplayString, fsVpnRaUserRowStatus RowStatus } fsVpnRaUserName OBJECT-TYPE SYNTAX DisplayString (SIZE (1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "User Name is the index for accessing the Remote Users table" ::= { fsVpnRaUsersEntry 1 } fsVpnRaUserSecret OBJECT-TYPE SYNTAX DisplayString (SIZE (1..32)) MAX-ACCESS read-write STATUS current DESCRIPTION "Password for the remote user" ::= { fsVpnRaUsersEntry 2 } fsVpnRaUserRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object is 
used to create and delete rows in the fsVpnRaUsersTable." ::= { fsVpnRaUsersEntry 3 }

-- fsVpnRaUsersTable Table END

-- fsVpnRaAddressPoolTable Table BEGIN
fsVpnRaAddressPoolTable OBJECT-TYPE SYNTAX SEQUENCE OF FsVpnRaAddressPoolEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table is used to allocate IP addresses to remote users from a local address pool" ::= { fsVpnObjects 3 }

fsVpnRaAddressPoolEntry OBJECT-TYPE SYNTAX FsVpnRaAddressPoolEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table is used for configuration of the local address pool for the remote users. Start and end IP address should be specified for each pool; the start address must not be above the end address, and a pool should not overlap the protected networks or the gateway's own addresses. Which of these checks the agent enforces is not stated by this MIB." INDEX { fsVpnRaAddressPoolName } ::= { fsVpnRaAddressPoolTable 1 }

FsVpnRaAddressPoolEntry ::= SEQUENCE { fsVpnRaAddressPoolName DisplayString, fsVpnRaAddressPoolAddrType InetAddressType, fsVpnRaAddressPoolStart InetAddress, fsVpnRaAddressPoolEnd InetAddress, fsVpnRaAddressPoolPrefixLen InetAddressPrefixLength, fsVpnRaAddressPoolRowStatus RowStatus }

fsVpnRaAddressPoolName OBJECT-TYPE SYNTAX DisplayString (SIZE (1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Pool Name is the index for accessing the Remote Access Address Pool table" ::= { fsVpnRaAddressPoolEntry 1 }

fsVpnRaAddressPoolAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-write STATUS current DESCRIPTION "IP address type of the pool for remote users, applying to both fsVpnRaAddressPoolStart and fsVpnRaAddressPoolEnd. This object supports only the ipv4(1) and ipv6(2) values." 
::= { fsVpnRaAddressPoolEntry 2 }

fsVpnRaAddressPoolStart OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-write STATUS current DESCRIPTION "Starting IP address of the pool for remote users, interpreted according to fsVpnRaAddressPoolAddrType" ::= { fsVpnRaAddressPoolEntry 3 }

fsVpnRaAddressPoolEnd OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-write STATUS current DESCRIPTION "End IP address of the pool for remote users, interpreted according to fsVpnRaAddressPoolAddrType" ::= { fsVpnRaAddressPoolEntry 4 }

fsVpnRaAddressPoolPrefixLen OBJECT-TYPE SYNTAX InetAddressPrefixLength MAX-ACCESS read-write STATUS current DESCRIPTION "The prefix length of the address pool" ::= { fsVpnRaAddressPoolEntry 5 }

fsVpnRaAddressPoolRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object is used to create and delete rows in the fsVpnRaAddressPoolTable." ::= { fsVpnRaAddressPoolEntry 6 }

-- fsVpnRaAddressPoolTable Table END

fsVpnRemoteIdTable OBJECT-TYPE SYNTAX SEQUENCE OF FsVpnRemoteIdEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table provides the remote identity information for VPN tunnels. The remote identity and the preshared key (PSK) bindings are globally available to all the VPN tunnels and can be mapped whenever required. One identity can be mapped to multiple tunnels. " ::= { fsVpnObjects 4 }

fsVpnRemoteIdEntry OBJECT-TYPE SYNTAX FsVpnRemoteIdEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row in this table does not support 'notInService' and 'createAndGo'. " INDEX { fsVpnRemoteIdType, fsVpnRemoteIdValue } ::= { fsVpnRemoteIdTable 1 }

FsVpnRemoteIdEntry ::= SEQUENCE { fsVpnRemoteIdType INTEGER, fsVpnRemoteIdValue DisplayString, fsVpnRemoteIdKey DisplayString, fsVpnRemoteIdAuthType Integer32, fsVpnRemoteIdStatus RowStatus }

fsVpnRemoteIdType OBJECT-TYPE SYNTAX INTEGER { ipv4(1), fqdn(2), email(3), ipv6(5), dn(9), keyId(11) } MAX-ACCESS not-accessible STATUS current DESCRIPTION "User identity types supported by the gateway, chosen to interpret the data of the fsVpnRemoteIdValue object. 
IPv4 addresses should be represented with the 'ipv4' type and IPv6 addresses with the 'ipv6' type. A fully qualified domain name (or FQDN) is an unambiguous domain name that specifies the node's position in the DNS tree hierarchy absolutely. In DNS notation an FQDN is distinguished from a relative name by a trailing period, e.g. somehost.example.com.; whether the gateway expects the trailing period in this object is not stated by this MIB, so match the form the peer sends in its IKE identification payload. " REFERENCE "Section 4.6.2.1, IP Security Domain of Interpretation RFC2407" ::= { fsVpnRemoteIdEntry 1 }

fsVpnRemoteIdValue OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS not-accessible STATUS current DESCRIPTION "It represents the value corresponding to the type mentioned in fsVpnRemoteIdType object. The maximum permitted length of an FQDN is 255 bytes. NOTE: this object is an index without a SIZE constraint; a value anywhere near 255 bytes, plus the fsVpnRemoteIdType sub-identifier, exceeds the 128 sub-identifier limit of an OID, so the agent must reject identities that would produce an oversize instance identifier. " ::= { fsVpnRemoteIdEntry 2 }

fsVpnRemoteIdKey OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "This is the pre-shared key with the gateway. The PSK will be used by the gateway to authenticate the phase-I IKE transactions with this user. SECURITY NOTE: this object is a long-term secret declared read-write, so a GET would return it to any principal with read access to the row. The agent should return a zero-length string (or refuse the read) and accept sets only over SNMPv3 authPriv. Because the syntax is DisplayString the key is limited to printable ASCII, so it must be long and randomly generated to carry adequate entropy, especially if the identity is used with IKEv1 aggressive mode (fsVpnIkePhase1Mode), where the PSK can be attacked offline from a captured exchange. " ::= { fsVpnRemoteIdEntry 3 }

fsVpnRemoteIdAuthType OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-write STATUS current DESCRIPTION "It represents the value corresponding to the Authentication method configured. The permitted values are not enumerated by this MIB; confirm them against the agent implementation." ::= { fsVpnRemoteIdEntry 4 }

fsVpnRemoteIdStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Used to add and delete the remote user identities. A value of 'createAndGo' is not supported because a PSK is mandatory to authenticate the user. " ::= { fsVpnRemoteIdEntry 5 }

-- end of vpn remote identity table (fsVpnRemoteIdTable)

fsVpnCertInfoTable OBJECT-TYPE SYNTAX SEQUENCE OF FsVpnCertInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table provides the certificate information that is used for peer authentication. The certificates are globally available to all the VPN tunnels and can be mapped whenever required. One identity can be mapped to multiple tunnels. 
" ::= { fsVpnObjects 5 } fsVpnCertInfoEntry OBJECT-TYPE SYNTAX FsVpnCertInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "'createAndGo' is not supported by this table." INDEX { fsVpnCertKeyString} ::= { fsVpnCertInfoTable 1 } FsVpnCertInfoEntry ::= SEQUENCE { fsVpnCertKeyString DisplayString, fsVpnCertKeyType INTEGER, fsVpnCertKeyFileName DisplayString, fsVpnCertFileName DisplayString, fsVpnCertEncodeType INTEGER, fsVpnCertStatus RowStatus } fsVpnCertKeyString OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS not-accessible STATUS current DESCRIPTION "Key identity string supported by the gateway choosen to uniquely identify the certificate information. " ::= { fsVpnCertInfoEntry 1 } fsVpnCertKeyType OBJECT-TYPE SYNTAX INTEGER { rsa (1), dsa (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "It represents the type of algorithm used to generate the key which is used to generate the certificate. RSA - Ron Rivest, Adi Shamir and Len Adleman Algorithm, DSA - Digital Signature Algorithm. " DEFVAL { rsa } ::= { fsVpnCertInfoEntry 2 } fsVpnCertKeyFileName OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "This is the file in which the key used to generate the certificate is stored." ::= { fsVpnCertInfoEntry 3 } fsVpnCertFileName OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "This is the file in which the certificate information is stored. This will be used by the gateway to authenticate the phase-I IKE transactions with this user." ::= { fsVpnCertInfoEntry 4 } fsVpnCertEncodeType OBJECT-TYPE SYNTAX INTEGER { pem (1), der (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "It represents the encoding type by which the certificate information are encoded PEM - Privacy Enhanced Mail encoding DER - Distinguished Encoding Rules encoding." 
DEFVAL { pem } ::= { fsVpnCertInfoEntry 5 }

fsVpnCertStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "'createAndGo' is not supported by this table." ::= { fsVpnCertInfoEntry 6 }

-- end of vpn Certificate Information table (fsVpnCertInfoTable)

fsVpnCaCertInfoTable OBJECT-TYPE SYNTAX SEQUENCE OF FsVpnCaCertInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table provides Certificate Authority (CA) certificates information. The certificates are globally available to authorize all the VPN certificates and can be mapped whenever required. SECURITY NOTE: every CA in this table is a trust anchor, so a peer certificate chaining to any one of them is accepted for IKE authentication; the table should contain only the CAs that are meant to issue VPN peer certificates, not a general-purpose CA bundle. Whether revocation (CRL or OCSP) is checked is not covered by this MIB." ::= { fsVpnObjects 6 }

fsVpnCaCertInfoEntry OBJECT-TYPE SYNTAX FsVpnCaCertInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "'createAndGo' is not supported by this table." INDEX { fsVpnCaCertKeyString} ::= { fsVpnCaCertInfoTable 1 }

FsVpnCaCertInfoEntry ::= SEQUENCE { fsVpnCaCertKeyString DisplayString, fsVpnCaCertFileName DisplayString, fsVpnCaCertEncodeType INTEGER, fsVpnCaCertStatus RowStatus }

fsVpnCaCertKeyString OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS not-accessible STATUS current DESCRIPTION "Key identity string supported by the gateway, chosen to uniquely identify the CA certificate information. NOTE: this object is an index without a SIZE constraint; the agent must reject values whose length would produce an instance identifier over the 128 sub-identifier OID limit." ::= { fsVpnCaCertInfoEntry 1 }

fsVpnCaCertFileName OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "This is the file in which the CA certificate information is stored. This will be used by the gateway to authorize the peer certificates used for security negotiations. The path is supplied over SNMP; the agent is expected to accept only names within its certificate store, although the validation it performs is not stated here. " ::= { fsVpnCaCertInfoEntry 2 }

fsVpnCaCertEncodeType OBJECT-TYPE SYNTAX INTEGER { pem (1), der (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "It represents the encoding type by which the certificate information is encoded. PEM - Privacy Enhanced Mail encoding. DER - Distinguished Encoding Rules encoding." 
DEFVAL { pem } ::= { fsVpnCaCertInfoEntry 3 } fsVpnCaCertStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "'createAndGo' is not supported by this table." ::= { fsVpnCaCertInfoEntry 4 } END