
-- This file is corresponding to Release 9.1.10.101 from 2014/08/11 00:00:00
---------------------------------------------------------------------------
-- (C)opyright 2006-2014 bintec elmeg GmbH
-- $RCSfile: mib-ipsec,v $
-- $Revision: 1.39 $
-- $Date: 2014-02-07 11:21:02 $
---------------------------------------------------------------------------
FEC-IPSEC-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, enterprises,
IpAddress, TimeTicks, Counter32, snmpModules, mib-2, Unsigned32, Counter64
FROM SNMPv2-SMI
DisplayString, TestAndIncr, TimeStamp
FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
FROM SNMPv2-CONF
ipsec, Date, HexValue, BitValue
FROM BINTEC-MIB
InetAddressIPv6
FROM INET-ADDRESS-MIB;
---------------------------------------------------------------------------
ipsecMIB MODULE-IDENTITY
LAST-UPDATED "201308120000Z"
ORGANIZATION "bintec elmeg GmbH"
CONTACT-INFO "EMail: info@bintec-elmeg.com
Web: www.bintec-elmeg.com"
DESCRIPTION "Vendor specific Management Information for the IPSec Subsystem"
::= { ipsec 250 }
---------------------------------------------------------------------------
-- Global IPSec Settings
ipsecGlobals OBJECT IDENTIFIER ::= { ipsec 1 }
--Static table containing global settings for IPSec
ipsecGlobPeerIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Index of first IPsec peer in ipsecPeerTable.
If this object is set to a Value <= 0, IPSec is switched
explicitly off. If the peer referenced by this object does not
exist in the table, all packets will be dropped."
::= { ipsecGlobals 1 }
ipsecGlobEnabled OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- IPSec enabled
false(2) -- IPSec disabled
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Enables/disables IPSec globally."
DEFVAL { false }
::= { ipsecGlobals 41 }
ipsecGlobDefaultAuthMethod OBJECT-TYPE
SYNTAX INTEGER {
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3), -- Authentication using RSA signatures
rsa-enc(4) -- Authentication using RSA encryption
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the authentication method used by default.
If the ipsecPeerAuthMethod field of an ipsecPeerEntry and the
ikePropAuthMethod field of the ikeProposalTableEntry used are
set to 'default', this value is assumed.
Possible values:
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3), -- Authentication using RSA signatures
rsa-enc(4) -- Authentication using RSA encryption."
::= { ipsecGlobals 2 }
ipsecGlobDefaultCertificate OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index of the default certificate in the certTable used for
local authentication for ike keyed rules with non
pre-shared-key authentication. This may be overwritten by the
certificate specified for the individual ipsec peers."
::= { ipsecGlobals 3 }
ipsecGlobDefaultLocalId OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The default ID used for local authentication for ike keyed
rules. If this is an empty or invalid id string, one of the
subject alternative names or the subject name from the default
certificate is used. This does not replace an empty local
id string for an IPsec peer with a valid certificate; in that
case the subject name or one of the subject alternative names
from that peer's certificate is used."
::= { ipsecGlobals 4 }
ipsecGlobDefaultIpsecProposal OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Index of default ipsec proposal used for traffic entries with
empty ipsec proposal, defined for peers with empty default
ipsec proposal."
::= { ipsecGlobals 5 }
ipsecGlobDefaultIkeProposal OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Index of default ike proposal used for peers with empty default
ike proposal."
::= { ipsecGlobals 6 }
ipsecGlobDefaultIpsecLifeTime OBJECT-TYPE
SYNTAX INTEGER
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Index of the default lifetime entry for IPsec (phase 2) SA's
in ipsecLifeTimeTable. This lifetime is used when there is no
valid lifetime entry specified for an IPsec peer entry."
::= { ipsecGlobals 7 }
ipsecGlobDefaultIkeLifeTime OBJECT-TYPE
SYNTAX INTEGER
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies an index in the ipsecLifeTimeTable with the
default lifetime settings used for IKE SA's.
This lifetime is used whenever there is no valid lifetime entry
specified for a peer entry and the IKE proposal used."
::= { ipsecGlobals 8 }
ipsecGlobDefaultIkeGroup OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Index of default IKE group used if no IKE group is defined for a peer.
Possible values:
1 (768 bit MODP),
2 (1024 bit MODP),
5 (1536 bit MODP).
Note: the 768 bit and 1024 bit MODP groups are considered too
weak for current use; the default of 1 is the weakest choice.
Prefer the largest group both peers support."
DEFVAL { 1 }
::= { ipsecGlobals 9 }
ipsecGlobIkeProfile OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the default IKE (phase 1) profile
to use."
DEFVAL { 0 }
::= { ipsecGlobals 39 }
ipsecGlobIpsecProfile OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the default IPSec (phase 2) profile
to use."
DEFVAL { 0 }
::= { ipsecGlobals 40 }
ipsecGlobMaxSysLogLevel OBJECT-TYPE
SYNTAX INTEGER {
emerg(1),
alert(2),
crit(3),
err(4),
warning(5),
notice(6),
info(7),
debug(8)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Maximum level for syslog messages issued by IPSec. All
messages with a level higher than this value are suppressed,
independently from other global syslog level settings.
Possible settings:
emerg(1),
alert(2),
crit(3),
err(4),
warning(5),
notice(6),
info(7),
debug(8)."
DEFVAL { debug }
::= { ipsecGlobals 10 }
ipsecGlobDefaultGranularity OBJECT-TYPE
SYNTAX INTEGER {
coarse(2), -- Create only one SA for each Traffic entry
ip(3), -- Create one SA for each host
proto(4), -- Create one SA for each protocol and host
port(5) -- Create one SA for each port and host
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the default granularity used
for IPSEC SA negotiation.
Possible values:
coarse(2), -- Create only one SA for each Traffic entry
ip(3), -- Create one SA for each host
proto(4), -- Create one SA for each protocol and host
port(5) -- Create one SA for each port and host."
DEFVAL { coarse }
::= { ipsecGlobals 11 }
ipsecGlobDefaultPh1Mode OBJECT-TYPE
SYNTAX INTEGER {
id-protect(1), -- Use identity protection (main) mode
aggressive(2) -- Use aggressive mode
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the default exchange mode used for IKE
SA negotiation.
Possible values:
id-protect(1), -- Use identity protection (main) mode
aggressive(2) -- Use aggressive mode.
Note: aggressive mode sends the peer identities unprotected
and, with pre-shared-key authentication, exposes a hash that
can be attacked offline. Use id-protect mode unless the remote
peer requires aggressive mode."
DEFVAL { id-protect }
::= { ipsecGlobals 12 }
ipsecGlobDefaultPfsGroup OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the PFS group to use.
PFS is done only for phase 2, i.e. the Phase 1 SAs are not
deleted after phase 2 negotiation is completed.
Note however, that if the peer has configured PFS for
identity and destroys phase 1 SAs, this side will also
destroy them when notified.
Possible values:
0 (no PFS)
1 (768 bit MODP),
2 (1024 bit MODP),
5 (1536 bit MODP).
Note: with 0 (no PFS) the phase 2 keys are derived from the
phase 1 keying material only, so a compromised IKE SA exposes
every IPsec SA negotiated under it. The 768 bit and 1024 bit
groups are considered too weak for current use."
::= { ipsecGlobals 13 }
ipsecGlobIkePort OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the port the IKE key management service
listens to."
DEFVAL { 500 }
::= { ipsecGlobals 20 }
ipsecGlobMaxRetries OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the maximum number of retries sent by IKE
for one message."
DEFVAL { 10 }
::= { ipsecGlobals 21 }
ipsecGlobRetryTimeout0milli OBJECT-TYPE
SYNTAX INTEGER
UNITS "milliseconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the period of time in milliseconds before
an IKE message is repeated for the first time if the answer is
missing. After each retry, this timeout is increased up to the
value specified in ipsecGlobRetryTimeoutMaxsec."
DEFVAL { 500 }
::= { ipsecGlobals 22 }
ipsecGlobRetryTimeoutMaxsec OBJECT-TYPE
SYNTAX INTEGER
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the maximum period of time in seconds
before an IKE message is repeated if the answer is missing. The
retry timeout is not increased beyond this limit."
DEFVAL { 30 }
::= { ipsecGlobals 23 }
ipsecGlobMaxNegotiationTimeoutsec OBJECT-TYPE
SYNTAX INTEGER
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the maximum number of seconds after which
a negotiation is canceled if it is not finished."
DEFVAL { 300 }
::= { ipsecGlobals 24 }
ipsecGlobMaxIkeSas OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the maximum number of simultaneous ISAKMP
Security associations allowed. If this limit is reached, the
entries are removed from the database, starting with the ones
that will expire very soon. If that is not enough, the entries
are deleted in reverse LRU order."
DEFVAL { 512 }
::= { ipsecGlobals 25 }
ipsecGlobIgnoreCrPayloads OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- ignore all certificate requests
false(2) -- process certificate request payloads
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether certificate request payloads
should be ignored by IKE.
Possible values:
true(1), -- ignore all certificate requests
false(2) -- process certificate request payloads."
DEFVAL { false }
::= { ipsecGlobals 29 }
ipsecGlobNoCrPayloads OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- suppress certificate requests
false(2) -- send certificate requests
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether IKE should suppress certificate
requests.
Possible values:
true(1), -- suppress certificate requests
false(2) -- send certificate requests."
DEFVAL { false }
::= { ipsecGlobals 30 }
ipsecGlobNoKeyHashPayloads OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- do not send key hash payloads
false(2) -- send key hash payloads
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether IKE should suppress key hash
payloads.
Possible values:
true(1), -- suppress key hash payloads
false(2) -- send key hash payloads."
DEFVAL { false }
::= { ipsecGlobals 31 }
ipsecGlobNoCrls OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- do not send certificate revocation lists
false(2) -- send certificate revocation lists
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether IKE should send certificate
revocation lists.
Possible values:
true(1), -- do not send certificate revocation lists
false(2) -- send certificate revocation lists."
DEFVAL { true }
::= { ipsecGlobals 32 }
ipsecGlobSendFullCertChains OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- send full certificate chains
false(2) -- do not send full certificate chains
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether IKE should send full certificate
chains.
Possible values:
true(1), -- send full certificate chains
false(2) -- do not send full certificate chains."
DEFVAL { true }
::= { ipsecGlobals 33 }
ipsecGlobTrustIcmpMsg OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- trust ICMP messages
false(2) -- do not trust ICMP messages
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether IKE should trust icmp port and
host unreachable error messages. ICMP port and host unreachable
messages are only trusted if there have not yet been received
any datagrams from the remote host in this negotiation.
This means, if the local side receives an ICMP port or host
unreachable message as the first response to the initial packet
of a new phase 1 negotiation, it cancels the negotiation
immediately.
Possible values:
true(1), -- trust ICMP messages
false(2) -- do not trust ICMP messages."
DEFVAL { false }
::= { ipsecGlobals 34 }
ipsecGlobSpiSize OBJECT-TYPE
SYNTAX INTEGER
UNITS "bytes"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A compatibility flag that specifies the length of the SPI in
bytes, which is used when an ISAKMP SA SPI (Cookie) is sent to
the remote peer.
This field takes effect only if ipsecGlobZeroIsakmpCookies
is true."
DEFVAL { 32 }
::= { ipsecGlobals 35 }
ipsecGlobZeroIsakmpCookies OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- send zero cookies in ISAKMP messages
false(2) -- send ISAKMP cookies
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether zeroed ISAKMP cookies should be
sent.
Possible Values:
true(1), -- send zero cookies in ISAKMP messages
false(2) -- send ISAKMP cookies."
DEFVAL { false }
::= { ipsecGlobals 36 }
ipsecGlobMaxKeyLength OBJECT-TYPE
SYNTAX INTEGER
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the maximum length of an encryption key
(in bits) that is accepted from the remote end. This limit
prevents denial of service attacks where the attacker asks for
a huge key for an encryption algorithm that allows variable
length keys."
DEFVAL { 1024 }
::= { ipsecGlobals 37 }
ipsecGlobNoInitialContact OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- do not send initial contact messages
false(2) -- send initial contact messages if appropriate
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Do not send IKE initial contact messages in IKE negotiations
even if no SA's exist with a peer.
Possible values:
true(1), -- do not send initial contact messages
false(2) -- send initial contact messages if appropriate."
DEFVAL { false }
::= { ipsecGlobals 38 }
ipsecGlobBlockTimeout OBJECT-TYPE
SYNTAX INTEGER (1..3600)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"For peers with a nonzero block time, the value of this object is
used instead of ipsecGlobMaxNegotiationTimeoutsec."
DEFVAL { 15 }
::= { ipsecGlobals 42 }
ipsecGlobDPDIdleThreshold OBJECT-TYPE
SYNTAX INTEGER (1..3600)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The minimum idle time period after which a dpd request is sent."
DEFVAL { 15 }
::= { ipsecGlobals 43 }
ipsecGlobDPDMaxRetries OBJECT-TYPE
SYNTAX INTEGER (1..10)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The number of DPD retries sent before a peer is considered dead."
DEFVAL { 3 }
::= { ipsecGlobals 44 }
ipsecGlobDPDRetryTimeout OBJECT-TYPE
SYNTAX INTEGER (1..10)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The number of seconds between retries."
DEFVAL { 2 }
::= { ipsecGlobals 45 }
ipsecGlobIkev2Enabled OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- IKEv2 enabled
false(2) -- IKEv2 disabled
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Enables/disables IKEv2 globally."
DEFVAL { true }
::= { ipsecGlobals 46 }
-- End Global IPSec Settings
-- Second Table With Global IPSec Settings
ipsecGlobalsContinued OBJECT IDENTIFIER ::= { ipsec 11 }
-- Second static table containing global settings for IPSec
ipsecGlobContPreIpsecRules OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies an index in the IPsec traffic
table containing a list of traffic definitions which
has to be considered prior to the traffic lists of
the IPSec peers in IPSec traffic processing.
It may contain either pass or drop entries (protect entries
are ignored, if erroneously configured)."
DEFVAL { 0 }
::= { ipsecGlobalsContinued 1 }
ipsecGlobContPostIpsecRules OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies an index in the IPsec traffic
table containing a list of traffic definitions which
has to be considered after the traffic lists of
the IPSec peers in IPSec traffic processing.
It may contain either pass or drop entries (protect entries
are ignored, if erroneously configured)."
DEFVAL { 0 }
::= { ipsecGlobalsContinued 11 }
ipsecGlobContDefaultRule OBJECT-TYPE
SYNTAX INTEGER {
drop(1), -- drop all packets
pass(2) -- allow all packets pass plain
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies how to treat packets which do not match
any entry in the traffic lists of the active peers or the
pre- and post-IPSec rules.
Possible values:
drop(1), -- drop all packets
pass(2) -- allow all packets pass plain.
Note: pass(2) forwards unmatched traffic in clear text. Keep
the default drop(1) unless plain forwarding of non-matching
traffic is explicitly intended."
DEFVAL { drop }
::= { ipsecGlobalsContinued 2 }
ipsecGlobContUse32BitCpi OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- send CPI as 32 bit numbers
false(2) -- send CPI as 16 bit numbers
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether the CPI values in IKE IPComP
negotiations should be sent as 32 bit numbers (true) or as
16 bit numbers (false).
Possible values:
true(1), -- send CPI as 32 bit numbers
false(2) -- send CPI as 16 bit numbers."
DEFVAL { false }
::= { ipsecGlobalsContinued 4 }
ipsecGlobContNoWellKnownCpis OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- do not use the well known cpi values
false(2) -- use the well known cpi values
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether the well known CPI values
should be used in IKE IPComP negotiations. If set to true,
IKE will allocate random CPI values from the negotiable
range 256-61439.
Possible values:
true(1), -- do not use the well known cpi values
false(2) -- use the well known cpi values."
DEFVAL { false }
::= { ipsecGlobalsContinued 5 }
ipsecGlobContNoPmtuDiscovery OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- do not perform PMTU discovery
false(2) -- perform PMTU discovery
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the default PMTU discovery policy
if the ipsecPeerPmtuDiscovery flag is set to default.
Possible values:
true(1), -- do not perform PMTU discovery
false(2) -- perform PMTU discovery."
DEFVAL { true }
::= { ipsecGlobalsContinued 7 }
ipsecGlobContDefaultPmtuTtl OBJECT-TYPE
SYNTAX INTEGER
UNITS "minutes"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the time-to-live (in minutes) of a
PMTU value derived from an ICMP PMTU message
received for an IPSec packet. After this time, the mtu is
increased step-by-step using the values from RFC 1191 until
a new ICMP PMTU message is received. A ttl value of 0 means
infinite."
DEFVAL { 10 }
::= { ipsecGlobalsContinued 8 }
ipsecGlobContPrivateInterface OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the index of the system's private
interface. If the private interface is set (i.e. non-negative),
certain address spoofing attacks are made impossible from IPSec
itself."
DEFVAL { -1 }
::= { ipsecGlobalsContinued 9 }
ipsecGlobContSaSyncInterface OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- delete SAs
false(2) -- do not delete SAs
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether IKE and IPSec SA's should be
deleted if the interface over which the packets are
initially sent goes down or dormant.
Possible values:
true(1), -- delete SAs
false(2) -- do not delete SAs."
DEFVAL { false }
::= { ipsecGlobalsContinued 10 }
ipsecGlobContDefaultPfsIdentity OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- delete phase 1 SAs
false(2) -- do not delete phase 1 SAs
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether IKE SA's should be deleted
immediately after a phase 2 (IPSec-) SA pair has been
negotiated.
It may be overridden by the individual settings for a peer
entry, if the ipsecPeerPfsIdentity is not set to 'default'.
The consequence of enabling this feature is that before each
phase 2 negotiation there always has to be a phase 1
negotiation. Thus individual phase 2 SAs cannot be
associated with one another or, respectively, if the
identity of a remote peer is known to an eavesdropper
for one SA, he cannot conclude that the next SA is
negotiated with the same remote peer.
Note: Setting this flag only makes sense if configured
together with id-protect mode or RSA encryption for
authentication and if the IP address of the remote
peer does not allow conclusions about its identity
(i.e. dynamic remote peer addresses).
Possible values:
true(1), -- delete phase 1 SAs
false(2) -- do not delete phase 1 SAs."
DEFVAL { false }
::= { ipsecGlobalsContinued 12 }
ipsecGlobContPfsIdentityDelay OBJECT-TYPE
SYNTAX INTEGER
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the number of seconds to wait before
deleting the underlying phase 1 SA after a Phase 2 SA has
been established, if PFS for identity is configured."
DEFVAL { 8 }
::= { ipsecGlobalsContinued 15 }
ipsecGlobContIkeLoggingLevel OBJECT-TYPE
SYNTAX INTEGER (0..127)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the IKE logging level.
IKE log messages are output as syslog messages on level debug.
Note that the global syslog table level must be set to debug
in order to see these messages.
Possible values:
0: no IKE log messages
... 3: IKE error output
... 6: IKE trace output
... 9: IKE detailed results output
10 ...: hexdumps of IKE messages."
DEFVAL { 0 }
::= { ipsecGlobalsContinued 13 }
ipsecGlobContHeartbeatDefault OBJECT-TYPE
SYNTAX INTEGER {
none(1), -- neither send nor expect heartbeats
expect(2), -- expect heartbeats
send(3), -- send heartbeats
both(4) -- send and expect heartbeats
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies whether heartbeats should be sent
over phase 1 SAs (not used for IPv6).
Possible values:
none(1), -- neither send nor expect heartbeats
expect(2), -- expect heartbeats
send(3), -- send heartbeats
both(4) -- send and expect heartbeats."
DEFVAL { none }
::= { ipsecGlobalsContinued 16 }
ipsecGlobContHeartbeatInterval OBJECT-TYPE
SYNTAX INTEGER (1..900)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the time interval in seconds between
heartbeats. At this rate heartbeats are sent and/or
expected if configured (not used for IPv6)."
DEFVAL { 5 }
::= { ipsecGlobalsContinued 17 }
ipsecGlobContHeartbeatTolerance OBJECT-TYPE
SYNTAX INTEGER (1..900)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the maximum number of missing heartbeats
allowed before an SA is discarded (not used for IPv6)."
DEFVAL { 4 }
::= { ipsecGlobalsContinued 18 }
ipsecGlobContDialBlockTime OBJECT-TYPE
SYNTAX INTEGER (-1..43200)
UNITS "minutes"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Amount of time in minutes how long an ipsecDial entry remains
in state blocked-for-outgoing after a cost producing trigger
call was detected. Given value denotes time in minutes.
Special value -1 means to block entry until unblocked manually
by deactivating entry and reactivating it afterwards.
Default value is -1."
DEFVAL { -1 }
::= { ipsecGlobalsContinued 14 }
ipsecGlobContObsoleteFeatureMask OBJECT-TYPE
SYNTAX BitValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Some obsolete features are represented by a bit in this mask
and can be re-enabled for testing or compatibility purposes.
A mask bit of 1 enables the corresponding (obsolete) feature.
A mask bit of 0 disables that feature completely.
Bit Feature
0x00000001: re-enable delayed apf-graph-node-memory free
0x00000002: tbd.
The default value is 0 - all obsolete features are disabled.
Do not change this default value unless really necessary."
DEFVAL { 0 }
::= { ipsecGlobalsContinued 66 }
ipsecGlobContP1Always OBJECT-TYPE
SYNTAX INTEGER {
enabled (1), -- always rekey phase 1 if phase 2 is rekeyed
disabled (2) -- rekey phase 1 only if necessary
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether a phase 1 rekeying is always
done immediately before phase 2 rekeying.
Note this is different from pfs for identity because the
latter discards the phase 1 SA immediately after phase 2
establishment.
This feature is mainly a compatibility flag for some
non-standard implementations which always expect a phase 1 SA
if a phase 2 SA exists. Please also select a longer lifetime
for phase 1 than phase 2 then."
DEFVAL { disabled }
::= { ipsecGlobalsContinued 69 }
ipsecGlobContHwAccel OBJECT-TYPE
SYNTAX INTEGER {
yes (1),
no (2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Enables/disables usage of encryption engine."
DEFVAL { yes }
::= { ipsecGlobalsContinued 70 }
ipsecGlobContSupportVarKeyLength4Twofish OBJECT-TYPE
SYNTAX INTEGER {
yes (1),
no (2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Enables/disables support of variable key sizes for the
Twofish algorithm. Note that the Twofish related settings
within the ipsecAlgorithmTable will be synchronized
accordingly. If set to no (2) the system will act in the
backward compatibility mode. This setting might be necessary
in some dedicated cases in order to avoid IKE negotiation
problems."
DEFVAL { yes }
::= { ipsecGlobalsContinued 71 }
ipsecGlobContIkev2Profile OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the default IKE_SA profile to use
(only for IKEv2). If set to 0 no profile is configured
as default."
DEFVAL { 0 }
::= { ipsecGlobalsContinued 72 }
ipsecGlobContMaxIkev2Sas OBJECT-TYPE
SYNTAX INTEGER (1..100000)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the maximum number of simultaneous IKEv2
Security associations allowed. If this limit is reached, the
entries are removed from the database, starting with the ones
that will expire very soon. If that is not enough, the entries
are deleted in reverse LRU order."
DEFVAL { 512 }
::= { ipsecGlobalsContinued 73 }
ipsecGlobContPathFinder OBJECT-TYPE
SYNTAX INTEGER {
enabled (1),
disabled (2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Enables/disables the IPSec pathfinder mode, that means
all the traffic (IKE, ESP and AH) is embedded within a
pseudo HTTPS session between the peers (similar to the
NAT-T mode)."
DEFVAL { disabled }
::= { ipsecGlobalsContinued 74 }
ipsecGlobContXauthTimeout OBJECT-TYPE
SYNTAX INTEGER (10..600)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"If an extended authentication is requested, this is
the time (in seconds) the device will wait for the response.
Choose a value large enough for the case where username and
password are entered manually by the user."
DEFVAL { 120 }
::= { ipsecGlobalsContinued 75 }
-- End Second Table With Global IPSec Settings
-- IPSec RADIUS settings Table
ipsecRadius OBJECT IDENTIFIER ::= { ipsec 13 }
-- Table with RADIUS settings for IPSec
ipsecRadiusPresetState OBJECT-TYPE
SYNTAX INTEGER {
not-loaded(1), -- RADIUS preset peers are not loaded
loading(2), -- RADIUS preset peers are currently loaded
loaded(3), -- RADIUS preset peers have been loaded
reloading(4) -- RADIUS preset peers are currently reloaded
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object shows the status of the RADIUS preset peers load
process."
DEFVAL { not-loaded }
::= { ipsecRadius 1 }
ipsecRadiusPresetPeers OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of RADIUS preset peers currently loaded."
::= { ipsecRadius 2 }
ipsecRadiusDynamicAuthentication OBJECT-TYPE
SYNTAX INTEGER {
enabled(1), -- dynamic authentication via RADIUS enabled
disabled(2) -- dynamic authentication via RADIUS disabled
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object enables/disables dynamic authentication via RADIUS.
If no peer has been found matching an incoming IKE negotiation,
the configured RADIUS servers are consulted (if any)."
DEFVAL { disabled }
::= { ipsecRadius 3 }
-- End global IPSec Radius settings
-- IPSec Security Associations Table
ipsecSaTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of currently active IPSec security
associations."
::= { ipsec 3 }
ipsecSaEntry OBJECT-TYPE
SYNTAX IpsecSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains an IPSec security association."
INDEX {
ipsecSaSecProto,
ipsecSaSpi
}
::= { ipsecSaTable 1 }
IpsecSaEntry ::=
SEQUENCE {
ipsecSaIndex INTEGER,
ipsecSaState INTEGER,
ipsecSaDir INTEGER,
ipsecSaMode INTEGER,
ipsecSaSecProto INTEGER,
ipsecSaSpi HexValue,
ipsecSaAuthAlg INTEGER,
ipsecSaEncAlg INTEGER,
ipsecSaCompAlg INTEGER,
ipsecSaAuthKeyLen INTEGER,
ipsecSaEncKeyLen INTEGER,
ipsecSaReplayErrors INTEGER,
ipsecSaRecvErrors INTEGER,
ipsecSaDecryptErrors INTEGER,
ipsecSaBundle INTEGER,
ipsecSaBundleNesting INTEGER,
ipsecSaSpiSize INTEGER,
ipsecSaEncKey OCTET STRING,
ipsecSaAuthKey OCTET STRING,
ipsecSaIkeMajVersion INTEGER,
ipsecSaIkeMinVersion INTEGER
}
ipsecSaIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique index for this entry."
::= { ipsecSaEntry 1 }
ipsecSaState OBJECT-TYPE
SYNTAX INTEGER {
expired(2), -- The SA is expired and will not be rekeyed
negotiating(4), -- This SA is currently negotiated
established(5) -- The SA is alive and will eventually be rekeyed
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current state of the security association.
Possible values:
expired(2), -- The SA is expired and will not be rekeyed
negotiating(4),-- This SA is currently negotiated
established(5) -- The SA is alive and will eventually be
rekeyed.
Note: alive(1) was listed in earlier descriptions but is not
part of the SYNTAX enumeration above."
DEFVAL { negotiating }
::= { ipsecSaEntry 3 }
ipsecSaDir OBJECT-TYPE
SYNTAX INTEGER {
inbound(1), -- An inbound security association
outbound(2) -- An outbound security association
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies whether the SA is used for inbound or
outbound processing.
Possible values:
inbound(1), -- An inbound security association
outbound(2) -- An outbound security association."
::= { ipsecSaEntry 5 }
ipsecSaMode OBJECT-TYPE
SYNTAX INTEGER {
tunnel(1), -- A tunnel mode SA
transport(2) -- A transport mode SA
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies whether the SA is in tunnel or
transport mode.
Possible values:
tunnel(1), -- A tunnel mode SA
transport(2) -- A transport mode SA."
::= { ipsecSaEntry 6 }
ipsecSaSecProto OBJECT-TYPE
SYNTAX INTEGER {
esp(50), -- Encapsulating Security Payload
ah(51), -- Authentication Header
ipcomp(108) -- Internet Payload Compression Protocol
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the security protocol applied by this SA.
Possible values:
esp(50), -- Encapsulating Security Payload
ah(51), -- Authentication Header
ipcomp(108) -- Internet Payload Compression Protocol."
::= { ipsecSaEntry 7 }
ipsecSaSpi OBJECT-TYPE
SYNTAX HexValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Security Parameters Index of this SA."
::= { ipsecSaEntry 17 }
ipsecSaAuthAlg OBJECT-TYPE
SYNTAX INTEGER {
none(2), -- No hash algorithm
md5-96(4), -- The MD5 hash algorithm
sha1-96(6) -- The Secure Hash Algorithm
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The hash algorithm used, if any.
Possible Values:
none(2), -- No hash algorithm applied
md5-96(4), -- The MD5 hash algorithm
sha1-96(6) -- The Secure Hash Algorithm.
Note: none(2) means the SA carries no integrity protection;
md5-96(4) is a legacy algorithm and should not be used for
new configurations."
::= { ipsecSaEntry 18 }
ipsecSaEncAlg OBJECT-TYPE
SYNTAX INTEGER {
none(1), -- No encryption applied
des-cbc(2), -- DES in CBC mode
des3-cbc(3), -- Triple DES in CBC mode
blowfish-cbc(4), -- Blowfish in CBC mode
cast128-cbc(5), -- CAST with 128 bit key in CBC mode
twofish-cbc(6), -- Twofish in CBC mode
aes-cbc(7) -- AES in CBC mode
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The encryption algorithm used, if any.
Possible Values:
none(1), -- No encryption applied
des-cbc(2), -- DES in CBC mode
des3-cbc(3), -- Triple DES in CBC mode
blowfish-cbc(4), -- Blowfish in CBC mode
cast128-cbc(5), -- CAST with 128 bit key in CBC mode
twofish-cbc(6), -- Twofish in CBC mode
aes-cbc(7) -- AES in CBC mode.
Note: single DES (des-cbc) has an effective 56 bit key and is
no longer considered secure; none(1) means the SA provides no
confidentiality protection."
::= { ipsecSaEntry 19 }
ipsecSaCompAlg OBJECT-TYPE
SYNTAX INTEGER {
none(2), -- No compression
deflate(3) -- DEFLATE compression algorithm
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The compression algorithm used, if any.
Possible Values:
none(2), -- No compression
deflate(3) -- DEFLATE compression algorithm."
DEFVAL { none }
::= { ipsecSaEntry 20 }
ipsecSaAuthKeyLen OBJECT-TYPE
SYNTAX INTEGER
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length in bytes of the key used for authentication,
if any."
::= { ipsecSaEntry 21 }
ipsecSaEncKeyLen OBJECT-TYPE
SYNTAX INTEGER
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length in bytes of the key used for encryption, if any."
::= { ipsecSaEntry 22 }
ipsecSaReplayErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of replayed packets detected for this SA."
::= { ipsecSaEntry 33 }
ipsecSaRecvErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of receive errors (replayed packets not counted)
detected for this SA."
::= { ipsecSaEntry 34 }
ipsecSaDecryptErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of decryption errors (ESP only) detected for
this SA."
::= { ipsecSaEntry 35 }
ipsecSaBundle OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Identifier of the SA bundle this SA belongs to (see ipsecBundleTable)."
::= { ipsecSaEntry 39 }
ipsecSaBundleNesting OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Position of this SA within its SA bundle."
::= { ipsecSaEntry 40 }
ipsecSaSpiSize OBJECT-TYPE
SYNTAX INTEGER
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The size of the SPI in bytes."
::= { ipsecSaEntry 45 }
ipsecSaEncKey OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The encryption key of this SA. Declared not-accessible, so the
key material can neither be read nor written over SNMP; this
access level must not be relaxed."
::= { ipsecSaEntry 64 }
ipsecSaAuthKey OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The authentication (integrity) key of this SA. Declared
not-accessible, so the key material can neither be read nor
written over SNMP; this access level must not be relaxed."
::= { ipsecSaEntry 65 }
ipsecSaIkeMajVersion OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IKE major version number."
DEFVAL { 1 }
::= { ipsecSaEntry 66 }
ipsecSaIkeMinVersion OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IKE minor version number."
DEFVAL { 0 }
::= { ipsecSaEntry 67 }
-- End IPSec Security Associations Table
-- IPSec SA Bundle Table
ipsecBundleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecBundleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of currently active IPSec SA
bundles; each SA of a bundle references its bundle via
ipsecSaBundle."
::= { ipsec 16 }
ipsecBundleEntry OBJECT-TYPE
SYNTAX IpsecBundleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains one IPSec SA bundle."
INDEX {
ipsecBundleIndex
}
::= { ipsecBundleTable 1 }
IpsecBundleEntry ::=
SEQUENCE {
ipsecBundleIndex INTEGER,
ipsecBundlePeerIndex INTEGER,
ipsecBundleTrafficIndex INTEGER,
ipsecBundleState INTEGER,
ipsecBundleNumSas INTEGER,
ipsecBundleRole INTEGER,
ipsecBundleRekeyedBundle INTEGER,
ipsecBundleRekeyingBundle INTEGER,
ipsecBundleLastStateChange TimeTicks,
ipsecBundleHeartbeatsEnabled INTEGER,
ipsecBundleCreator INTEGER,
ipsecBundleTunnelLocal IpAddress,
ipsecBundleTunnelRemote IpAddress,
ipsecBundlePmtuDiscovery INTEGER,
ipsecBundleKeepAlive INTEGER,
ipsecBundleVerifyPad INTEGER,
ipsecBundleLifeSeconds Unsigned32,
ipsecBundleLifeKBytes Unsigned32,
ipsecBundleRekeySeconds INTEGER,
ipsecBundleRekeyKBytes INTEGER,
ipsecBundleProto INTEGER,
ipsecBundleLocalAddress IpAddress,
ipsecBundleLocalMaskLen INTEGER,
ipsecBundleLocalRange IpAddress,
ipsecBundleLocalPort INTEGER,
ipsecBundleRemoteAddress IpAddress,
ipsecBundleRemoteMaskLen INTEGER,
ipsecBundleRemoteRange IpAddress,
ipsecBundleRemotePort INTEGER,
ipsecBundleInPkt Counter64,
ipsecBundleInHb Counter64,
ipsecBundleInBytes Counter64,
ipsecBundleInBytesNetto Counter64,
ipsecBundleOutPkt Counter64,
ipsecBundleOutHb Counter64,
ipsecBundleOutBytes Counter64,
ipsecBundleOutBytesNetto Counter64,
ipsecBundleNatT INTEGER,
ipsecBundleNatOaLocal IpAddress,
ipsecBundleNatOaRemote IpAddress,
ipsecBundleIkeMajVersion INTEGER,
ipsecBundleIkeMinVersion INTEGER
}
ipsecBundleIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique index for this entry."
::= { ipsecBundleEntry 1 }
ipsecBundlePeerIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index of the peer for which this bundle was created."
::= { ipsecBundleEntry 5 }
ipsecBundleTrafficIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index of the traffic entry for which this bundle was created."
::= { ipsecBundleEntry 6 }
ipsecBundleState OBJECT-TYPE
SYNTAX INTEGER {
established(1), -- The bundle is alive
expired(2), -- The bundle is expired
delete (3), -- Mark this bundle for deletion
negotiating(4), -- This bundle is currently negotiated
rekeyed(5), -- Rekeying of bundle succeeded
heartbeat-lost(6), -- Heartbeat receive timeout
failed(7) -- The negotiation failed
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The current state of the bundle.
Possible values:
established(1), -- The bundle is alive
expired(2), -- The bundle is expired
delete (3), -- Mark this bundle for deletion
negotiating(4), -- This bundle is currently negotiated
rekeyed(5), -- Rekeying of bundle succeeded
heartbeat-lost(6), -- Heartbeat receive timeout
failed(7) -- The negotiation failed
Note: this object is read-write; writing delete(3) tears down a
live tunnel, so SNMP write access to it should be restricted."
DEFVAL { negotiating }
::= { ipsecBundleEntry 7 }
ipsecBundleNumSas OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of SAs contained in this bundle."
::= { ipsecBundleEntry 8 }
ipsecBundleRole OBJECT-TYPE
SYNTAX INTEGER {
initiator(1), -- this end initiated the negotiation
responder(2) -- the remote end initiated the negotiation
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies by which side the SA bundle
negotiation was initiated.
Possible values:
initiator(1), -- this end initiated the negotiation
responder(2) -- the remote end initiated the negotiation."
::= { ipsecBundleEntry 9 }
ipsecBundleRekeyedBundle OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates upon rekeying, which bundle (actually
its BundleIndex) is going to be replaced by that one."
::= { ipsecBundleEntry 10 }
ipsecBundleRekeyingBundle OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates upon rekeying, which bundle (actually
its BundleIndex) is going to replace that one."
::= { ipsecBundleEntry 11 }
ipsecBundleLastStateChange OBJECT-TYPE
SYNTAX TimeTicks
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime at the moment the state of this bundle
entry last changed. The time elapsed since that change is the
current sysUpTime minus this value."
::= { ipsecBundleEntry 12 }
ipsecBundleHeartbeatsEnabled OBJECT-TYPE
SYNTAX INTEGER {
none(1), -- neither sending nor expecting heartbeats
expect(2), -- expecting heartbeats
send(3), -- sending heartbeats
both(4) -- sending and expecting heartbeats
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies whether heartbeats are sent and/or
expected over this bundle.
Possible values:
none(1), -- neither sending nor expecting heartbeats
expect(2), -- expecting heartbeats
send(3), -- sending heartbeats
both(4) -- sending and expecting heartbeats."
::= { ipsecBundleEntry 13 }
ipsecBundleCreator OBJECT-TYPE
SYNTAX INTEGER {
manual(1), -- A manually keyed IPSec SA bundle
ike(2) -- An automatically keyed SA bundle created by IKE
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies how the SA was created
Possible values:
manual(1),-- A manually keyed IPSec SA bundle
ike(2) -- An automatically keyed SA bundle created by IKE."
::= { ipsecBundleEntry 14 }
ipsecBundleTunnelLocal OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local IP address of the outer packet header. For
transport mode bundles this address is the same as the
ipsecBundleLocalAddress."
::= { ipsecBundleEntry 15 }
ipsecBundleTunnelRemote OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote IP address of the outer packet header. For
transport mode bundles, this address is the same as the
ipsecBundleRemoteAddress."
::= { ipsecBundleEntry 16 }
ipsecBundlePmtuDiscovery OBJECT-TYPE
SYNTAX INTEGER {
enabled(2), -- copy DF bit from original packet; propagate PMTU
disabled(1) -- clear DF bit in IPSec packet;
-- fragment if necessary
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the initialization of the DF bit in
outgoing IPSec packets for this bundle. It decides whether
PMTU discovery is propagated over the IPSec tunnel or not.
Possible values (numbering follows the SYNTAX clause above):
enabled(2), -- copy DF bit from original packet; propagate PMTU
disabled(1) -- clear DF bit in IPSec packet;
-- fragment if necessary."
::= { ipsecBundleEntry 17 }
ipsecBundleKeepAlive OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- rekey even if no traffic was processed by this bundle
false(2) -- rekey only if at least one packet was processed
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the circumstances under which this SA
bundle will be rekeyed.
Possible values:
true(1), -- rekey even if no traffic was processed
false(2) -- rekey only if at least one packet was processed."
::= { ipsecBundleEntry 18 }
ipsecBundleVerifyPad OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- normal, self-describing ESP padding
false(2) -- old style ESP padding
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the kind of padding expected for ESP SAs
within this bundle.
Possible values:
true(1), -- normal, self-describing ESP padding
false(2) -- old style ESP padding."
::= { ipsecBundleEntry 19 }
ipsecBundleLifeSeconds OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The period in seconds after which this bundle will be destroyed."
::= { ipsecBundleEntry 20 }
ipsecBundleLifeKBytes OBJECT-TYPE
SYNTAX Unsigned32
UNITS "kilo bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of data allowed to be protected by this bundle until
it is destroyed (measured against ipsecBundleInBytes or
ipsecBundleOutBytes)."
::= { ipsecBundleEntry 21 }
ipsecBundleRekeySeconds OBJECT-TYPE
SYNTAX INTEGER
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The period in seconds after which this bundle will be rekeyed."
::= { ipsecBundleEntry 22 }
ipsecBundleRekeyKBytes OBJECT-TYPE
SYNTAX INTEGER
UNITS "kilo bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of data allowed to be protected by this bundle until
it is rekeyed (measured against ipsecBundleInBytes or
ipsecBundleOutBytes)."
::= { ipsecBundleEntry 23 }
ipsecBundleProto OBJECT-TYPE
SYNTAX INTEGER {
icmp(1),
igmp(2),
ggp(3),
ipip(4),
st(5),
tcp(6),
cbt(7),
egp(8),
igp(9),
bbn(10),
nvp(11),
pup(12),
argus(13),
emcon(14),
xnet(15),
chaos(16),
udp(17),
mux(18),
dcn(19),
hmp(20),
prm(21),
xns(22),
trunk1(23),
trunk2(24),
leaf1(25),
leaf2(26),
rdp(27),
irtp(28),
isotp4(29),
netblt(30),
mfe(31),
merit(32),
sep(33),
pc3(34),
idpr(35),
xtp(36),
ddp(37),
idprc(38),
tp(39),
il(40),
ipv6(41),
sdrp(42),
ipv6route(43),
ipv6frag(44),
idrp(45),
rsvp(46),
gre(47),
mhrp(48),
bna(49),
esp(50),
ah(51),
inlsp(52),
swipe(53),
narp(54),
mobile(55),
tlsp(56),
skip(57),
ipv6icmp(58),
ipv6nonxt(59),
ipv6opts(60),
ipproto-61(61),
cftp(62),
local(63),
sat(64),
kryptolan(65),
rvd(66),
ippc(67),
distfs(68),
satmon(69),
visa(70),
ipcv(71),
cpnx(72),
cphb(73),
wsn(74),
pvp(75),
brsatmon(76),
sunnd(77),
wbmon(78),
wbexpak(79),
isoip(80),
vmtp(81),
securevmtp(82),
vines(83),
ttp(84),
nsfnet(85),
dgp(86),
tcf(87),
eigrp(88),
ospfigp(89),
sprite(90),
larp(91),
mtp(92),
ax25(93),
ipwip(94),
micp(95),
scc(96),
etherip(97),
encap(98),
encrypt(99),
gmtp(100),
ifmp(101),
pnni(102),
pim(103),
aris(104),
scps(105),
qnx(106),
an(107),
ippcp(108),
snp(109),
compaq(110),
ipxip(111),
vrrp(112),
pgm(113),
hop0(114),
l2tp(115),
ipproto-116(116),
ipproto-117(117),
ipproto-118(118),
ipproto-119(119),
ipproto-120(120),
ipproto-121(121),
ipproto-122(122),
ipproto-123(123),
ipproto-124(124),
ipproto-125(125),
ipproto-126(126),
ipproto-127(127),
ipproto-128(128),
ipproto-129(129),
ipproto-130(130),
ipproto-131(131),
ipproto-132(132),
ipproto-133(133),
ipproto-134(134),
ipproto-135(135),
ipproto-136(136),
ipproto-137(137),
ipproto-138(138),
ipproto-139(139),
ipproto-140(140),
ipproto-141(141),
ipproto-142(142),
ipproto-143(143),
ipproto-144(144),
ipproto-145(145),
ipproto-146(146),
ipproto-147(147),
ipproto-148(148),
ipproto-149(149),
ipproto-150(150),
ipproto-151(151),
ipproto-152(152),
ipproto-153(153),
ipproto-154(154),
ipproto-155(155),
ipproto-156(156),
ipproto-157(157),
ipproto-158(158),
ipproto-159(159),
ipproto-160(160),
ipproto-161(161),
ipproto-162(162),
ipproto-163(163),
ipproto-164(164),
ipproto-165(165),
ipproto-166(166),
ipproto-167(167),
ipproto-168(168),
ipproto-169(169),
ipproto-170(170),
ipproto-171(171),
ipproto-172(172),
ipproto-173(173),
ipproto-174(174),
ipproto-175(175),
ipproto-176(176),
ipproto-177(177),
ipproto-178(178),
ipproto-179(179),
ipproto-180(180),
ipproto-181(181),
ipproto-182(182),
ipproto-183(183),
ipproto-184(184),
ipproto-185(185),
ipproto-186(186),
ipproto-187(187),
ipproto-188(188),
ipproto-189(189),
ipproto-190(190),
ipproto-191(191),
ipproto-192(192),
ipproto-193(193),
ipproto-194(194),
ipproto-195(195),
ipproto-196(196),
ipproto-197(197),
ipproto-198(198),
ipproto-199(199),
ipproto-200(200),
ipproto-201(201),
ipproto-202(202),
ipproto-203(203),
ipproto-204(204),
ipproto-205(205),
ipproto-206(206),
ipproto-207(207),
ipproto-208(208),
ipproto-209(209),
ipproto-210(210),
ipproto-211(211),
ipproto-212(212),
ipproto-213(213),
ipproto-214(214),
ipproto-215(215),
ipproto-216(216),
ipproto-217(217),
ipproto-218(218),
ipproto-219(219),
ipproto-220(220),
ipproto-221(221),
ipproto-222(222),
ipproto-223(223),
ipproto-224(224),
ipproto-225(225),
ipproto-226(226),
ipproto-227(227),
ipproto-228(228),
ipproto-229(229),
ipproto-230(230),
ipproto-231(231),
ipproto-232(232),
ipproto-233(233),
ipproto-234(234),
ipproto-235(235),
ipproto-236(236),
ipproto-237(237),
ipproto-238(238),
ipproto-239(239),
ipproto-240(240),
ipproto-241(241),
ipproto-242(242),
ipproto-243(243),
ipproto-244(244),
ipproto-245(245),
ipproto-246(246),
ipproto-247(247),
ipproto-248(248),
ipproto-249(249),
ipproto-250(250),
ipproto-251(251),
ipproto-252(252),
ipproto-253(253),
ipproto-254(254),
dont-verify(255)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The protocol of the traffic selectors."
::= { ipsecBundleEntry 24 }
ipsecBundleLocalAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local address (host or network or range start address)
of the traffic selectors,
source for outbound, destination for inbound."
::= { ipsecBundleEntry 25 }
ipsecBundleLocalMaskLen OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local network masklen of the traffic selectors,
source for outbound, destination for inbound."
::= { ipsecBundleEntry 26 }
ipsecBundleLocalRange OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local address range end address of the traffic selectors,
source for outbound, destination for inbound."
::= { ipsecBundleEntry 27 }
ipsecBundleLocalPort OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local port of the traffic selectors,
source for outbound, destination for inbound."
::= { ipsecBundleEntry 28 }
ipsecBundleRemoteAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote address (host or network or range start address)
of the traffic selectors
source for outbound, destination for inbound."
::= { ipsecBundleEntry 29 }
ipsecBundleRemoteMaskLen OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote network masklen of the traffic selectors
source for outbound, destination for inbound."
::= { ipsecBundleEntry 30 }
ipsecBundleRemoteRange OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote address range end address of the traffic selectors
source for outbound, destination for inbound."
::= { ipsecBundleEntry 31 }
ipsecBundleRemotePort OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote port of the traffic selectors
source for outbound, destination for inbound."
::= { ipsecBundleEntry 32 }
ipsecBundleInPkt OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets processed by this bundle."
::= { ipsecBundleEntry 33 }
ipsecBundleInHb OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of heartbeat packets received over this bundle."
::= { ipsecBundleEntry 34 }
ipsecBundleInBytes OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound bytes (including IPSec overhead)
processed by this bundle."
::= { ipsecBundleEntry 35 }
ipsecBundleInBytesNetto OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound bytes (netto: IPSec headers excluded)
processed by this bundle."
::= { ipsecBundleEntry 37 }
ipsecBundleOutPkt OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets processed by this bundle."
::= { ipsecBundleEntry 39 }
ipsecBundleOutHb OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of heartbeat packets sent for this bundle."
::= { ipsecBundleEntry 40 }
ipsecBundleOutBytes OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound bytes (including IPSec overhead)
processed by this bundle."
::= { ipsecBundleEntry 41 }
ipsecBundleOutBytesNetto OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound bytes (netto: IPSec headers excluded)
processed by this bundle."
::= { ipsecBundleEntry 43 }
ipsecBundleNatT OBJECT-TYPE
SYNTAX INTEGER {
enabled(1), -- use udp encapsulation
disabled(2) -- do not use udp encapsulation
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies if the udp encapsulation of ESP packets
is active within this bundle.
Possible values:
enabled(1), -- use udp encapsulation
disabled(2) -- do not use udp encapsulation."
::= { ipsecBundleEntry 45 }
ipsecBundleNatOaLocal OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local IP address as seen by the remote side.
Only valid for transport mode bundles with NatT enabled."
::= { ipsecBundleEntry 46 }
ipsecBundleNatOaRemote OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote IP address as seen by the remote side.
Only valid for transport mode bundles with NatT enabled."
::= { ipsecBundleEntry 47 }
ipsecBundleIkeMajVersion OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IKE major version number."
DEFVAL { 1 }
::= { ipsecBundleEntry 48 }
ipsecBundleIkeMinVersion OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IKE minor version number."
DEFVAL { 0 }
::= { ipsecBundleEntry 49 }
-- End IPSec Bundle Table
-- IKE Security Associations Table
ikeSaTable OBJECT-TYPE
SYNTAX SEQUENCE OF IkeSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of currently active IKE security
associations."
::= { ipsec 4 }
ikeSaEntry OBJECT-TYPE
SYNTAX IkeSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains an IKE security association."
INDEX {
ikeSaIndex
}
::= { ikeSaTable 1 }
IkeSaEntry ::=
SEQUENCE {
ikeSaIndex INTEGER,
ikeSaState INTEGER,
ikeSaXchType INTEGER,
ikeSaAuthMethod INTEGER,
ikeSaEncAlg INTEGER,
ikeSaHashAlg INTEGER,
ikeSaPrfAlg INTEGER,
ikeSaRole INTEGER,
ikeSaLocalId DisplayString,
ikeSaRemoteId DisplayString,
ikeSaLocalIp IpAddress,
ikeSaRemoteIp IpAddress,
ikeSaCookieI OCTET STRING,
ikeSaCookieR OCTET STRING,
ikeSaCreated Date,
ikeSaLastUsed Date,
ikeSaExpires Date,
ikeSaNumCerts INTEGER,
ikeSaNumNegotiations INTEGER,
ikeSaBytes INTEGER,
ikeSaMajVersion INTEGER,
ikeSaMinVersion INTEGER,
ikeSaPeerIndex INTEGER,
ikeSaHeartbeatsEnabled INTEGER,
ikeSaHeartbeatsSent INTEGER,
ikeSaHeartbeatsReceived INTEGER,
ikeSaLocalPort INTEGER,
ikeSaRemotePort INTEGER,
ikeSaXauthType INTEGER,
ikeSaXauthUser DisplayString
}
ikeSaIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique index for this entry."
::= { ikeSaEntry 1 }
ikeSaState OBJECT-TYPE
SYNTAX INTEGER {
negotiating(1), -- the SA is still being negotiated
established(2), -- the SA negotiation is finished
waiting-for-remove(3), -- the SA is waiting for removal
delete(7) -- mark the SA for deletion
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the state of the SA.
Possible values:
negotiating(1), -- the SA is still being negotiated
established(2), -- the SA negotiation is finished
waiting-for-remove(3), -- the SA is waiting for removal
delete(7) -- mark the SA for deletion
Note: this object is read-write; writing delete(7) removes a live
IKE SA, so SNMP write access to it should be restricted."
DEFVAL { negotiating }
::= { ikeSaEntry 3 }
ikeSaXchType OBJECT-TYPE
SYNTAX INTEGER {
base(1), -- IKE base mode
id-protect(2), -- IKE identity protection
-- (oakley main mode)
aggressive(4), -- IKE (oakley) aggressive mode
any(256) -- Other mode
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The exchange mode used to create the SA.
Possible values:
base(1), -- IKE base mode
id-protect(2), -- IKE identity protection
-- (oakley main mode)
authentication-only(3), -- Authentication only mode
aggressive(4), -- IKE (oakley) aggressive mode
info(5), -- IKE informational exchange mode
quick(32), -- IKE quick mode
new-group(33), -- IKE new group mode
any(256) -- Other mode.
Note: only base(1), id-protect(2), aggressive(4) and any(256) are
declared in the SYNTAX clause above; the other values listed here
are not part of the enumeration and a manager should not rely on
receiving them."
::= { ikeSaEntry 4 }
ikeSaAuthMethod OBJECT-TYPE
SYNTAX INTEGER {
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3), -- Authentication using RSA signatures
rsa-enc(4), -- Authentication using RSA encryption
rsa-enc-rev(5) -- Authentication using revised RSA encryption
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The authentication method used when negotiating this SA.
Possible values:
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3), -- Authentication using RSA signatures
rsa-enc(4), -- Authentication using RSA encryption
rsa-enc-rev(5) -- Authentication using revised RSA encryption."
::= { ikeSaEntry 5 }
ikeSaEncAlg OBJECT-TYPE
SYNTAX INTEGER {
des(1),
idea(2), -- not used
blowfish(3),
rc5(4), -- not used
des3(5),
cast128(6), -- CAST with 128 bit key
aes(7), -- AES encryption algorithm
twofish(9)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The encryption algorithm used. des(1) (single DES) is obsolete
and should not be relied on for confidentiality; idea(2) and
rc5(4) are declared but marked as not used."
::= { ikeSaEntry 26 }
ikeSaHashAlg OBJECT-TYPE
SYNTAX INTEGER {
md5(1), -- The MD5 hash algorithm
sha(2), -- The Secure Hash Algorithm
tiger(3), -- The Tiger hash algorithm
ripemd160(4) -- The RIPE MD 160 hash algorithm
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The hash algorithm used."
::= { ikeSaEntry 27 }
ikeSaPrfAlg OBJECT-TYPE
SYNTAX INTEGER {
md5(1), -- The MD5 hash algorithm
sha(2), -- The Secure Hash Algorithm
tiger(3), -- The Tiger hash algorithm
ripemd160(4) -- The RIPE MD 160 hash algorithm
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The hash algorithm used for the pseudo random function."
::= { ikeSaEntry 28 }
ikeSaRole OBJECT-TYPE
SYNTAX INTEGER {
initiator(1), -- this end initiated the SA negotiation
responder(2) -- the remote end initiated the SA negotiation
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies by which side the SA
negotiation was initiated.
Possible values:
initiator(1), -- this end initiated the SA negotiation
responder(2) -- the remote end initiated the SA negotiation."
::= { ikeSaEntry 7 }
ikeSaLocalId OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local ID used for authentication."
::= { ikeSaEntry 8 }
ikeSaRemoteId OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote ID used for authentication."
::= { ikeSaEntry 9 }
ikeSaLocalIp OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local IP address used in the IKE communication."
::= { ikeSaEntry 10 }
ikeSaRemoteIp OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote IP address used in the IKE communication."
::= { ikeSaEntry 11 }
ikeSaCookieI OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cookie of the initiator."
::= { ikeSaEntry 12 }
ikeSaCookieR OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The cookie of the responder."
::= { ikeSaEntry 13 }
ikeSaCreated OBJECT-TYPE
SYNTAX Date
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Time the SA was created."
::= { ikeSaEntry 24 }
ikeSaLastUsed OBJECT-TYPE
SYNTAX Date
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Time the SA was used last."
::= { ikeSaEntry 25 }
ikeSaExpires OBJECT-TYPE
SYNTAX Date
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Time the SA will expire."
::= { ikeSaEntry 29 }
ikeSaNumCerts OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of certificates received from the remote
side when negotiating this SA."
::= { ikeSaEntry 15 }
ikeSaNumNegotiations OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the number of currently active
negotiations for this SA."
::= { ikeSaEntry 16 }
ikeSaBytes OBJECT-TYPE
SYNTAX INTEGER
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of bytes transmitted using this SA."
::= { ikeSaEntry 17 }
ikeSaMajVersion OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IKE major version number."
::= { ikeSaEntry 18 }
ikeSaMinVersion OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IKE minor version number."
::= { ikeSaEntry 19 }
ikeSaPeerIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index of the peer for which this SA was created."
::= { ikeSaEntry 20 }
ikeSaHeartbeatsEnabled OBJECT-TYPE
SYNTAX INTEGER {
send(1), -- send heartbeats
expect(2), -- expect heartbeats
both(3), -- send and expect heartbeats
none(4) -- neither send nor expect heartbeats
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies whether heartbeats are sent/expected
over this SA
possible values:
send(1), -- send heartbeats
expect(2), -- expect heartbeats
both(3), -- send and expect heartbeats
none(4) -- neither send nor expect heartbeats."
::= { ikeSaEntry 21 }
ikeSaHeartbeatsSent OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of Heartbeats sent over this SA."
::= { ikeSaEntry 22 }
ikeSaHeartbeatsReceived OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of Heartbeats received over this SA."
::= { ikeSaEntry 23 }
ikeSaLocalPort OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Local port currently used for the SA."
::= { ikeSaEntry 30 }
ikeSaRemotePort OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Remote port currently used for the SA."
::= { ikeSaEntry 31 }
ikeSaXauthType OBJECT-TYPE
SYNTAX INTEGER {
generic(0), -- generic
radius-chap(1), -- RADIUS-CHAP
otp(2), -- One-Time-Password
s-key(3), -- S/KEY One-Time-Password
none(32768) -- no XAUTH used
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object displays whether XAUTH is used or not
after complete establishment of the SA.
If XAUTH is used, the type of the extended
authentication is displayed."
DEFVAL { none }
::= { ikeSaEntry 32 }
ikeSaXauthUser OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"User name used for Extended Authentication. This exposes an
account name over SNMP; restrict read access to this table
accordingly."
::= { ikeSaEntry 33 }
-- End IKE Security Associations Table
-- IKE (Phase 1) Profile Table
ikeProfileTable OBJECT-TYPE
SYNTAX SEQUENCE OF IkeProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of IKE (Phase 1) profiles."
::= { ipsec 14 }
ikeProfileEntry OBJECT-TYPE
SYNTAX IkeProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains an IPSec phase 1 profile."
-- NOTE(review): the table is indexed by ikePrfProposal rather than
-- by ikePrfIndex, although ikePrfIndex is described below as the
-- unique index of the entry. Confirm against the agent before
-- relying on either column as the row key.
INDEX {
ikePrfProposal
}
::= { ikeProfileTable 1 }
IkeProfileEntry ::=
SEQUENCE {
ikePrfIndex INTEGER,
ikePrfDescription DisplayString,
ikePrfAuthMethod INTEGER,
ikePrfMode INTEGER,
ikePrfProposal INTEGER,
ikePrfGroup INTEGER,
ikePrfCert INTEGER,
ikePrfLocalId DisplayString,
ikePrfCaCerts DisplayString,
ikePrfLifeTime INTEGER,
ikePrfPfsIdentity INTEGER,
ikePrfHeartbeats INTEGER,
ikePrfBlockTime INTEGER,
ikePrfNatT INTEGER,
ikePrfMtuMax INTEGER,
ikePrfLifeSeconds Unsigned32,
ikePrfLifeKBytes Unsigned32,
ikePrfLifeRekeyPercent INTEGER,
ikePrfLifePolicy INTEGER
}
ikePrfIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique index identifying this entry."
::= { ikeProfileEntry 1 }
ikePrfDescription OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An optional description for this profile."
::= { ikeProfileEntry 2 }
ikePrfAuthMethod OBJECT-TYPE
SYNTAX INTEGER {
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3), -- Authentication using RSA signatures
rsa-enc(4), -- Authentication using RSA encryption
default(14), -- use settings from default profile
delete(15) -- mark this entry for deletion
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the authentication method used for this profile.
Possible values:
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3), -- Authentication using RSA signatures
rsa-enc(4), -- Authentication using RSA encryption
default(14), -- use settings from default profile
-- (pre-sh-key if this is the default profile)
delete(15) -- mark this entry for deletion."
DEFVAL { default }
::= { ikeProfileEntry 3 }
ikePrfMode OBJECT-TYPE
SYNTAX INTEGER {
id-protect(1), -- Use identity protection (main) mode
aggressive(2), -- Use aggressive mode
default(3), -- Use default setting from the
-- global profile
id-protect-only(4), -- only id-protect mode allowed
aggressive-only(5) -- only aggressive mode allowed
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the exchange mode used for IKE
SA negotiation.
Possible values:
id-protect(1), -- Use identity protection (main) mode
aggressive(2), -- Use aggressive mode
default(3), -- Use default setting from the
-- global profile
id-protect-only(4), -- only id-protect mode allowed
aggressive-only(5) -- only aggressive mode allowed."
DEFVAL { default }
::= { ikeProfileEntry 4 }
ikePrfProposal OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The index of the first IKE proposal which may be used
for IKE SA negotiation with this profile."
::= { ikeProfileEntry 5 }
ikePrfGroup OBJECT-TYPE
SYNTAX INTEGER (1..5)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the IKE group to use with this profile.
Possible values:
1: a 768-bit MODP group
2: a 1024-bit MODP group
5: a 1536-bit MODP group"
::= { ikeProfileEntry 6 }
ikePrfCert OBJECT-TYPE
SYNTAX INTEGER (0..32767)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The index of the certificate used for authentication
in the certTable. Ignored for ikePrfAuthMethod == pre-sh-key(1)."
::= { ikeProfileEntry 7 }
ikePrfLocalId OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The local ID used for authentication with this profile.
Syntax:
- X500 distinguished name:
<obj-name=obj-value, obj-ID=obj-value, ...>
- IPV4-Address:
|192.0.2.1| with or without '|'
- IPV4 Address Range:
|192.0.2.1-192.0.2.13| with or without '|'
- IPV4 Address Subnet:
|192.0.2.0/255.255.255.0| with or without '|'
or:
|192.0.2.0/24| with or without '|'
- Key-ID: arbitrary string:
{anything}
- Fully Qualified User Name (FQUN):
(anything) or user@domain with mandatory '@'
- Fully Qualified Domain Name (FQDN):
[anything] or any name without '@' not matching any other
syntax"
::= { ikeProfileEntry 8 }
ikePrfCaCerts OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A comma-separated list of indices (0..32767) of the
certificate authority certificates accepted for
this profile."
::= { ikeProfileEntry 9 }
ikePrfLifeTime OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies an index in the ipsecLifeTimeTable with the
lifetime settings to be used for IKE SA negotiation with this profile.
If the lifetime pointed to by this index does not exist or is
inappropriate, the default lifetime is taken.
The usage of this object is deprecated, use the ikePrfLifeXxx
variables directly instead."
DEFVAL { -1 }
::= { ikeProfileEntry 10 }
ikePrfPfsIdentity OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- delete phase 1 SAs
false(2), -- reuse phase 1 SAs
default(3) -- use value from default profile
-- (false, if this is the default profile)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether IKE SA's should be deleted
immediately after a phase 2 (IPSec-) SA pair has been
negotiated.
The consequence of enabling this feature is that before each
phase 2 negotiation there always has to be a phase 1
negotiation. Thus individual phase 2 SAs cannot be
associated with one another or, respectively, if the
identity of a remote peer is known to an eavesdropper
for one SA, he cannot conclude that the next SA is
negotiated with the same remote peer.
Note: Setting this flag only makes sense if configured
together with id-protect mode or RSA encryption for
authentication and if the IP address of the remote
peer does not allow conclusions about its identity
(i.e. dynamic remote peer addresses).
Possible values:
true(1), -- delete phase 1 SAs
false(2), -- reuse phase 1 SAs
default(3) -- use value from default profile
-- (false if this is the default profile)."
DEFVAL { default }
::= { ikeProfileEntry 11 }
ikePrfHeartbeats OBJECT-TYPE
SYNTAX INTEGER {
none(1), -- neither send nor expect heartbeats
expect(2), -- expect heartbeats
send(3), -- send heartbeats
both(4), -- send and expect heartbeats
default(5), -- use default value
auto(6), -- detect support using vendor id
dpd(7), -- use DPD method for proof-of-liveliness
dpd-idle(8) -- use DPD, detect dead peers even while idle
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether heartbeats should be sent
over phase 1 SAs for this profile (heartbeats are not
used for IPv6).
Possible values:
none(1), -- neither send nor expect heartbeats
expect(2), -- expect heartbeats
send(3), -- send heartbeats
both(4), -- send and expect heartbeats
default(5), -- use value from default profile
-- (auto if this is the default profile)
auto(6), -- detect support using vendor id
dpd(7), -- use DPD method for proof-of-liveliness
dpd-idle(8) -- use DPD, detect dead peers even while idle."
DEFVAL { default }
::= { ikeProfileEntry 12 }
ikePrfBlockTime OBJECT-TYPE
SYNTAX INTEGER (-1..86400)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the time in seconds for which a peer is
blocked for any IPSec operations after a phase 1 initiator
negotiation failed.
Special values:
-1: use settings from global profile (do not block by default)
0: do not block the peer at all."
DEFVAL { -1 }
::= { ikeProfileEntry 13 }
-- NOTE(review): the default-profile fallback is given as 'enabled' in the
-- SYNTAX comment but as 'disabled' in the DESCRIPTION below; confirm which
-- one the implementation applies. The DESCRIPTION also omits enforce(4).
ikePrfNatT OBJECT-TYPE
SYNTAX INTEGER {
enabled(1), -- enable Nat-Traversal
disabled(2), -- disable Nat-Traversal
default(3), -- use value from default profile
-- (enabled, if this is the default profile)
enforce(4) -- enforce NAT-T, independent of NAT
-- detection
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether NAT-Traversal is enabled
Possible values:
enabled(1), -- enable Nat-Traversal
disabled(2), -- disable Nat-Traversal
default(3) -- use value from default profile
-- (disabled, if this is the default profile)."
DEFVAL { default }
::= { ikeProfileEntry 14 }
ikePrfMtuMax OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The maximum MTU value allowed for ipsecPeerStatMtu.
Zero means use value from global profile,
if this is the global profile, 1418 is assumed.
Nonzero values smaller than 214 are reset to the minimum of 214."
DEFVAL { 0 }
::= { ikeProfileEntry 15 }
ikePrfLifeSeconds OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The maximum time (in seconds) after which an SA will be
deleted."
DEFVAL { 900 }
::= { ikeProfileEntry 16 }
ikePrfLifeKBytes OBJECT-TYPE
SYNTAX Unsigned32
UNITS "kilo bytes"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The maximum amount of data (in KB) which may be protected
by an SA before it is deleted."
DEFVAL { 0 }
::= { ikeProfileEntry 17 }
ikePrfLifeRekeyPercent OBJECT-TYPE
SYNTAX INTEGER (50..100)
MAX-ACCESS read-write
STATUS obsolete
DESCRIPTION
"WARNING: this object is obsolete and must not be used."
DEFVAL { 80 }
::= { ikeProfileEntry 18 }
ikePrfLifePolicy OBJECT-TYPE
SYNTAX INTEGER {
loose(1), -- accept and use anything proposed
strict(2), -- accept and use only what is configured
notify(3), -- accept anything (send responder lifetime)
use-default-lifetime(4) -- use lifetime values from default
-- profile
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the way a lifetime proposal is
handled. Possible values:
loose(1), -- accept and use anything proposed
strict(2), -- accept and use only what is configured
notify(3), -- accept anything, if own values are smaller
than what was proposed use these and
send responder lifetime notification
use-default-lifetime(4) -- use lifetime values from default
-- profile."
DEFVAL { use-default-lifetime }
::= { ikeProfileEntry 19 }
-- End IKE (Phase 1) Profile Table
-- IPSec (Phase 2) Profile Table
ipsecProfileTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of IPSec (Phase 2) profiles."
::= { ipsec 15 }
ipsecProfileEntry OBJECT-TYPE
SYNTAX IpsecProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains an IPSec phase 2 profile."
INDEX {
ipsecPrfProposal
}
::= { ipsecProfileTable 1 }
IpsecProfileEntry ::=
SEQUENCE {
ipsecPrfIndex INTEGER,
ipsecPrfDescription DisplayString,
ipsecPrfProposal INTEGER,
ipsecPrfPfsGroup INTEGER,
ipsecPrfLifeTime INTEGER,
ipsecPrfHeartbeats INTEGER,
ipsecPrfPmtuDiscovery INTEGER,
ipsecPrfGranularity INTEGER,
ipsecPrfKeepAlive INTEGER,
ipsecPrfVerifyPad INTEGER,
ipsecPrfForceTunnelMode INTEGER,
ipsecPrfLifeSeconds Unsigned32,
ipsecPrfLifeKBytes Unsigned32,
ipsecPrfLifeRekeyPercent INTEGER,
ipsecPrfLifePolicy INTEGER
}
ipsecPrfIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique index identifying this entry."
::= { ipsecProfileEntry 1 }
ipsecPrfDescription OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An optional description for this profile."
::= { ipsecProfileEntry 2 }
ipsecPrfProposal OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The index of the IPSec proposal used for this profile."
::= { ipsecProfileEntry 3 }
-- NOTE(review): -1 (and 0 when this is the default profile) turns PFS off,
-- so a compromise of the IKE SA keying material would also expose the
-- phase 2 keys derived from it. As with ikePrfGroup, 1 and 2 are 768-/1024-bit
-- MODP and 5 is the strongest option here; 3 and 4 lie within the SYNTAX
-- range but are not defined in the DESCRIPTION.
ipsecPrfPfsGroup OBJECT-TYPE
SYNTAX INTEGER (-1..5)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The Diffie Hellman group used for additional Perfect
Forward Secrecy (PFS) DH exponentiations.
Possible values:
-1: do not use PFS
0: use value from default profile (do not use PFS
if this is the default profile)
1: a 768-bit MODP group,
2: a 1024-bit MODP group,
5: a 1536-bit MODP group."
::= { ipsecProfileEntry 4 }
ipsecPrfLifeTime OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies an index in the
ipsecLifeTimeTable.
The usage of this object is deprecated, use the ipsecPrfLifeXxx
variables directly instead."
DEFVAL { -1 }
::= { ipsecProfileEntry 5 }
ipsecPrfHeartbeats OBJECT-TYPE
SYNTAX INTEGER {
none(1), -- neither send nor expect heartbeats
expect(2), -- expect heartbeats
send(3), -- send heartbeats
both(4), -- send and expect heartbeats
default(5), -- use settings from peer or global profile
auto(6) -- detect support using vendor id
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether heartbeats should be sent
over phase 2 SAs for this profile (heartbeats are not
used for IPv6).
Possible values:
none(1), -- neither send nor expect heartbeats
expect(2), -- expect heartbeats
send(3), -- send heartbeats
both(4), -- send and expect heartbeats
default(5), -- use settings from peer or global profile
(auto if this is the global profile)
auto(6) -- detect support using vendor id."
DEFVAL { default }
::= { ipsecProfileEntry 6 }
ipsecPrfPmtuDiscovery OBJECT-TYPE
SYNTAX INTEGER {
disabled(1), -- do not perform PMTU discovery
enabled(2), -- perform PMTU discovery
default(3) -- use settings from peer or global profile
-- (enabled if this is the global profile)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the PMTU discovery policy for this peer.
Possible values:
disabled(1), -- do not perform PMTU discovery
enabled(2), -- perform PMTU discovery
default(3) -- use settings from peer or global profile
-- (enabled if this is the global profile)."
DEFVAL { default }
::= { ipsecProfileEntry 7 }
ipsecPrfGranularity OBJECT-TYPE
SYNTAX INTEGER {
default(1), -- use granularity settings from default profile
-- (coarse if this is the default profile)
coarse(2), -- Create only one SA for each Traffic entry
ip(3), -- Create one SA for each host
proto(4), -- Create one SA for each protocol and host
port(5), -- Create one SA for each port and host
local-services(6) -- same as 'coarse' but 'ip' for local services
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the granularity with which SA's
are created with this profile.
Possible values:
default(1), -- use granularity settings from default profile
-- (coarse if this is the default profile)
coarse(2), -- Create only one SA for each Traffic entry
ip(3), -- Create one SA for each host
proto(4), -- Create one SA for each protocol and host
port(5), -- Create one SA for each port and host
local-services(6) -- same as 'coarse' but 'ip' for local services."
DEFVAL { default }
::= { ipsecProfileEntry 8 }
ipsecPrfKeepAlive OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- rekey SA's even if no data was transferred
false(2), -- do not rekey SA's if no data was transferred
default (3), -- use value from default profile
-- (false if this is the default profile)
delete (4) -- mark this entry for deletion
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether IKE SA's
are rekeyed even if there was no data transferred over
them.
Possible values:
true(1), -- rekey SA's even if no data was transferred
false(2), -- do not rekey SA's if no data was transferred
default (3), -- use value from default profile
-- (false if this is the default profile)
delete (4) -- mark this entry for deletion."
DEFVAL { default }
::= { ipsecProfileEntry 9 }
ipsecPrfVerifyPad OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- normal, self-describing ESP padding
false(2), -- old style ESP padding
default(3) -- use setting from peer or global profile
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object is a compatibility option for older ipsec
implementations. It enables or disables an old way of ESP
padding (no self describing padding).
Possible values:
true(1), -- normal, self-describing ESP padding
false(2), -- old style ESP padding
default(3) -- use setting from peer or global profile
(true if this is the global profile)."
DEFVAL { default }
::= { ipsecProfileEntry 10 }
ipsecPrfForceTunnelMode OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- Use tunnel mode even if transport mode is possible
false(2), -- Use transport mode whenever possible
default(3) -- Use settings from default profile
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the strategy when transport mode is used.
By default, the system always uses transport mode, if possible.
If this variable is set to true, always tunnel mode will be used
for this traffic entry, even if source and destination address
match the tunnel endpoints.
Possible values:
true(1), -- Use tunnel mode even if transport mode is possible
false(2), -- Use transport mode whenever possible
default(3) -- Use settings from default profile
(if this is the default, false is assumed)."
DEFVAL { default }
::= { ipsecProfileEntry 11 }
ipsecPrfLifeSeconds OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The maximum time (in seconds) after which an SA will be
deleted."
DEFVAL { 900 }
::= { ipsecProfileEntry 16 }
ipsecPrfLifeKBytes OBJECT-TYPE
SYNTAX Unsigned32
UNITS "kilo bytes"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The maximum amount of data (in KB) which may be protected
by an SA before it is deleted."
DEFVAL { 0 }
::= { ipsecProfileEntry 17 }
ipsecPrfLifeRekeyPercent OBJECT-TYPE
SYNTAX INTEGER (50..100)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The percentage of the lifetimes (traffic and time based)
after which rekeying is started."
DEFVAL { 80 }
::= { ipsecProfileEntry 18 }
ipsecPrfLifePolicy OBJECT-TYPE
SYNTAX INTEGER {
loose(1), -- accept and use anything proposed
strict(2), -- accept and use only what is configured
notify(3), -- accept anything (send responder lifetime)
use-default-lifetime(4) -- use lifetime values from default
-- profile
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the way a lifetime proposal is
handled. Possible values:
loose(1), -- accept and use anything proposed
strict(2), -- accept and use only what is configured
notify(3) -- accept anything, if own values are smaller
than what was proposed use these and
send responder lifetime notification
use-default-lifetime(4) -- use lifetime values from default
-- profile."
DEFVAL { use-default-lifetime }
::= { ipsecProfileEntry 19 }
-- End IPSec (Phase 2) Profile Table
-- IPSec Peer Table
ipsecPeerTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecPeerEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of IPSec peers."
::= { ipsec 5 }
ipsecPeerEntry OBJECT-TYPE
SYNTAX IpsecPeerEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains the description of an IPSec peer."
INDEX {
ipsecPeerTrafficList
}
::= { ipsecPeerTable 1 }
IpsecPeerEntry ::=
SEQUENCE {
ipsecPeerIndex INTEGER,
ipsecPeerPriority INTEGER,
ipsecPeerDescription DisplayString,
ipsecPeerDynamicAddress DisplayString,
ipsecPeerPeerIds DisplayString,
ipsecPeerLocalAddress IpAddress,
ipsecPeerTrafficList INTEGER,
ipsecPeerIkeProfile INTEGER,
ipsecPeerIpsecProfile INTEGER,
ipsecPeerPreSharedKey DisplayString,
ipsecPeerVirtualInterface INTEGER,
ipsecPeerStartMode INTEGER,
ipsecPeerAdminStatus INTEGER,
ipsecPeerIsdnCB INTEGER,
ipsecPeerPreSharedKeyData OCTET STRING,
ipsecPeerIsdnCBMode INTEGER,
ipsecPeerIsdnCBDChanMode INTEGER,
ipsecPeerType INTEGER,
ipsecPeerDynAddrPoolId INTEGER,
ipsecPeerDynAddrLocalIp IpAddress,
ipsecPeerXauthProfile Unsigned32,
ipsecPeerDynAddrRole INTEGER,
ipsecPeerIkeVersion INTEGER,
-- IKEv2 specific Peer parameters
ipsecPeerLocalId DisplayString,
ipsecPeerAuthMethod INTEGER,
ipsecPeerCert INTEGER,
ipsecPeerCaCerts DisplayString,
-- universal (IKEv1 and IKEv2) Peer parameters
ipsecPeerDynAddrMode INTEGER,
ipsecPeerMobike INTEGER,
ipsecPeerPublicIfIndex INTEGER,
ipsecPeerPublicIfIndexMode INTEGER
}
-- these read-only parameters are moved to the new ipsecPeerStatTable:
-- ipsecPeerNextIndex OID ipsecPeerEntry 2
-- ipsecPeerCaCerts OID ipsecPeerEntry 4
-- ipsecPeerPeerAddress OID ipsecPeerEntry 6
-- ipsecPeerLocalId OID ipsecPeerEntry 7
-- ipsecPeerLocalCert OID ipsecPeerEntry 9
-- ipsecPeerIkeProposals OID ipsecPeerEntry 10
-- ipsecPeerPublicInterface OID ipsecPeerEntry 12
-- ipsecPeerPfsIdentity OID ipsecPeerEntry 13
-- ipsecPeerAuthMethod OID ipsecPeerEntry 20
-- ipsecPeerIkeGroup OID ipsecPeerEntry 22
-- ipsecPeerPfsGroup OID ipsecPeerEntry 23
-- ipsecPeerPh1Mode OID ipsecPeerEntry 24
-- ipsecPeerIkeLifeTime OID ipsecPeerEntry 25
-- ipsecPeerIpsecLifeTime OID ipsecPeerEntry 26
-- ipsecPeerKeepAlive OID ipsecPeerEntry 29
-- ipsecPeerGranularity OID ipsecPeerEntry 30
-- ipsecPeerDontVerifyPad OID ipsecPeerEntry 31
-- ipsecPeerNoPmtuDiscovery OID ipsecPeerEntry 36
-- ipsecPeerOperStatus OID ipsecPeerEntry 44
-- ipsecPeerDefaultIpsecProposals OID ipsecPeerEntry 42
-- ipsecPeerHeartbeat OID ipsecPeerEntry 43
-- ipsecPeerTtl OID ipsecPeerEntry 51
-- ipsecPeerCurrentLocalAddress OID ipsecPeerEntry 52
-- ipsecPeerCurrentRemoteAddress OID ipsecPeerEntry 53
-- ipsecPeerNumP1 OID ipsecPeerEntry 54
-- ipsecPeerNumP1Negotiating OID ipsecPeerEntry 55
-- ipsecPeerNumP1Established OID ipsecPeerEntry 56
-- ipsecPeerNumP1Deleted OID ipsecPeerEntry 57
-- ipsecPeerNumBundles OID ipsecPeerEntry 58
-- ipsecPeerNumBundlesNegotiating OID ipsecPeerEntry 59
-- ipsecPeerNumBundlesEstablished OID ipsecPeerEntry 60
-- ipsecPeerPh1LToken OID ipsecPeerEntry 64
-- ipsecPeerPh1RToken OID ipsecPeerEntry 65
-- ipsecPeerIsdnCBNextMode OID ipsecPeerEntry 68
-- ipsecPeerNatDetect OID ipsecPeerEntry 69
-- ipsecPeerNatTLocalPort OID ipsecPeerEntry 70
-- ipsecPeerNatTRemotePort OID ipsecPeerEntry 71
-- ipsecPeerMtu OID ipsecPeerEntry 72
-- ipsecPeerRxIdle OID ipsecPeerEntry 74
-- ipsecPeerTxIdle OID ipsecPeerEntry 75
-- ipsecPeerDPD OID ipsecPeerEntry 76
-- ipsecPeerDPDRetries OID ipsecPeerEntry 77
ipsecPeerIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique index identifying this entry."
::= { ipsecPeerEntry 1 }
ipsecPeerPriority OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Defines the matching priority."
::= { ipsecPeerEntry 47 }
ipsecPeerDescription OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An optional description for this peer."
::= { ipsecPeerEntry 3 }
ipsecPeerDynamicAddress OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The IP-address of the peer.
This object may contain either an IP address or a domain name."
::= { ipsecPeerEntry 14 }
ipsecPeerPeerIds OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The IDs of the peer which are accepted for authentication.
Syntax:
- X500 distinguished name:
<obj-name=obj-value, obj-ID=obj-value, ...>
- IPV4-Address:
|123.456.789.012| with or without '|'
- IPV4 Address Range (only IKEv1):
|123.456.789.012-123.456.789.013| with or without '|'
- IPV4 Address Subnet (only IKEv1):
|123.456.789.012/255.255.255.0| with or without '|'
or:
|123.456.789.012/24| with or without '|'
- Key-ID: arbitrary string:
{anything}
- Fully Qualified User Name (FQUN) (for IKEv1) or
Fully-qualified RFC 822 email address string (for IKEv2):
(anything) or user@domain with mandatory '@'
- Fully Qualified Domain Name (FQDN):
[anything] or any name without '@' not matching any other
syntax"
::= { ipsecPeerEntry 5 }
ipsecPeerLocalAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The local address used for IPSec encrypted packets."
::= { ipsecPeerEntry 8 }
ipsecPeerTrafficList OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the first entry of possibly a
chain of traffic entries from the ipsecTrafficTable
which should be protected with IPSec using this peer."
::= { ipsecPeerEntry 11 }
ipsecPeerVirtualInterface OBJECT-TYPE
SYNTAX INTEGER {
disabled(1), -- no virtual interface for this peer
enabled(2) -- a virtual interface will be assigned this peer
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies if a virtual interface should be created
for this peer. If set to enabled, all traffic routed towards
this peer will be protected. The traffic list for this peer
is ignored then. The index of the interface associated with
this peer is calculated as follows:
ifIndex = ipsecPeerIndex + 100000."
DEFVAL { disabled }
::= { ipsecPeerEntry 15 }
ipsecPeerStartMode OBJECT-TYPE
SYNTAX INTEGER {
on-demand(1), -- packet triggered start,
-- fall back to dormant if unused
always-up(2) -- always set up and keep up
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the events which make the IPSec peer go up.
Possible values:
on-demand(1), -- packet triggered start,
-- fall back to dormant if unused
always-up(2) -- always set up and keep up."
DEFVAL { on-demand }
::= { ipsecPeerEntry 16 }
ipsecPeerIkeProfile OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"When ipsecPeerIkeVersion is set to ikev1 this is an index from
the ikeProfileTable containing a special phase 1 profile to
use for this peer.
When ipsecPeerIkeVersion is set to ikev2 this is an index from
the ikev2ProfileTable containing a special IKE_SA profile to
use for this peer."
::= { ipsecPeerEntry 48 }
ipsecPeerIpsecProfile OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The index from the ipsecProfileTable containing a special
phase 2 profile to use for this peer."
::= { ipsecPeerEntry 49 }
-- NOTE(review): write-mostly field: once set, reads return a single
-- asterisk (see DESCRIPTION) and the persistent copy lives in
-- ipsecPeerPreSharedKeyData, which is not-accessible via SNMP. The set
-- operation itself still carries the key over the management channel, so
-- on community-based SNMP (v1/v2c) it travels in clear text on the wire.
ipsecPeerPreSharedKey OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The pre-shared-key used with this peer, if pre-shared-keys
are used for authentication. This field serves only
as an input field and its contents are replaced with
a single asterisk immediately after it is set."
::= { ipsecPeerEntry 21 }
ipsecPeerAdminStatus OBJECT-TYPE
SYNTAX INTEGER {
up(1),
down(2),
-- testing(3),
dialup(4),
callback(5),
delete(15)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Peer administrative state."
DEFVAL { up }
::= { ipsecPeerEntry 50 }
ipsecPeerIsdnCB OBJECT-TYPE
SYNTAX INTEGER {
enabled(1),
disabled(2),
passive(3), -- expect an ISDN call and setup IPSec tunnel
active(4) -- setup an ISDN call and expect IPSec tunnel setup
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Switch for turning ISDN call back feature on and off
specifically for peer.
Default value is disabled."
DEFVAL { disabled }
::= { ipsecPeerEntry 45 }
ipsecPeerPreSharedKeyData OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Field used for storing the pre-shared-key permanently."
::= { ipsecPeerEntry 63 }
ipsecPeerIsdnCBMode OBJECT-TYPE
SYNTAX INTEGER {
compat(1),
auto(2),
auto-d(3),
d(4),
db(5),
b(6)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Define callback mode.
The following modes are defined:
compat(1) -- compatibility to old callback
auto(2) -- automatically detect best method
auto-d(3) -- automatically detect best D channel method
d(4) -- use D channel only
db(5) -- try D channel first, fall back to B
b(6) -- use B channel only
Default value for that variable is compat(1)."
DEFVAL { compat }
::= { ipsecPeerEntry 66 }
ipsecPeerIsdnCBDChanMode OBJECT-TYPE
SYNTAX INTEGER {
llc(1),
subaddr(2),
llc-and-subaddr(3),
llc-subaddr(4),
subaddr-llc(5)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Define callback D channel mode.
The following modes are defined:
llc(1) -- code token into LLC information
element only
subaddr(2) -- code token into SUBADDR information
element only
llc-and-subaddr(3) -- redundantly use LLC and SUBADDR
information elements
llc-subaddr(4) -- try LLC first, then SUBADDR
subaddr-llc(5) -- try SUBADDR first, then LLC
Default value for that variable is llc(1)."
DEFVAL { llc }
::= { ipsecPeerEntry 67 }
ipsecPeerType OBJECT-TYPE
SYNTAX INTEGER {
fixed(1), -- only one peer allowed for this entry
dynamic-client(2) -- duplicated for each incoming client
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The type of the peer. Dynamic peer entries are duplicated
whenever an incoming IKE request matches the ID and/or
address information of the remote side.
Note:
- For traffic list peers the duplication also includes the
traffic list entries configured for this peer entry.
- For virtual interface peers, host routes will be added
for the peer address automatically.
Possible values:
fixed(1), -- only one peer allowed for this entry
dynamic-client(2) -- duplicated for each incoming client."
DEFVAL { fixed }
::= { ipsecPeerEntry 73 }
ipsecPeerDynAddrPoolId OBJECT-TYPE
SYNTAX INTEGER (-1..65535)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Identifier of Dynamic Address Pool if IP address is
assigned via IKE Configuration Method.
A value of -1 means that no Pool is assigned."
DEFVAL { -1 }
::= { ipsecPeerEntry 78 }
ipsecPeerDynAddrLocalIp OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The local IP address used in the IKE communication
when remote IP address is taken from IP address pool."
::= { ipsecPeerEntry 79 }
ipsecPeerXauthProfile OBJECT-TYPE
SYNTAX Unsigned32 (0..4294967295)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The index from the xauthProfileTable containing a special
XAUTH profile to use for this peer.
A value of 0 means that no XAUTH profile is assigned."
DEFVAL { 0 }
::= { ipsecPeerEntry 80 }
ipsecPeerDynAddrRole OBJECT-TYPE
SYNTAX INTEGER {
none(1), -- no IP address assignment via IKE Config Mode
client(2), -- get IP address via IKE Config Mode from remote
server(3) -- assign IP address via IKE Config Mode to remote
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Determines if IKE Config Mode is used and which role is performed:
none(1), -- no IP address assignment via IKE Config Mode
client(2), -- get IP address via IKE Config Mode from remote
server(3) -- assign IP address via IKE Config Mode to remote
In server role ipsecPeerDynAddrPoolId defines IP address pool to
use for address assignment to clients. If an invalid pool ID is
configured, peer is treated as if role was 'none'.
Default is 'none', that means IKE Config Mode is not used at all."
DEFVAL { none }
::= { ipsecPeerEntry 81 }
ipsecPeerIkeVersion OBJECT-TYPE
SYNTAX INTEGER {
ikev1(1),
ikev2(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates the major version of IKE protocol to use. If set to
ikev1 the value of ipsecPeerIkeProfile is used as index into
ikeProfileTable. If set to ikev2 the value of
ipsecPeerIkeProfile is used as index into ikev2ProfileTable."
DEFVAL { ikev1 }
::= { ipsecPeerEntry 82 }
-- IKEv2 specific Peer parameters
ipsecPeerLocalId OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The local ID used for authentication with this profile.
Syntax:
- X500 distinguished name:
<obj-name=obj-value, obj-ID=obj-value, ...>
- IPV4-Address:
|123.456.789.012| with or without '|'
- Key-ID: arbitrary string:
{anything}
- Fully-qualified RFC 822 email address string:
(anything) or user@domain with mandatory '@'
- Fully Qualified Domain Name (FQDN):
[anything] or any name without '@' not matching any other
syntax
(only for IKEv2)."
::= { ipsecPeerEntry 83 }
ipsecPeerAuthMethod OBJECT-TYPE
SYNTAX INTEGER {
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3) -- Authentication using RSA signatures
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the authentication method used by default.
If the ipsecPeerAuthMethod field of an ipsecPeerEntry and the
ikePropAuthMethod field of the ikeProposalTableEntry used are
set to 'default', this value is assumed.
Possible values:
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3) -- Authentication using RSA signatures
(only for IKEv2)."
::= { ipsecPeerEntry 84 }
ipsecPeerCert OBJECT-TYPE
SYNTAX INTEGER (0..32767)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The index of the certificate used for authentication
in the certTable. Ignored if ipsecPeerAuthMethod is pre-sh-key(1).
(only for IKEv2)."
::= { ipsecPeerEntry 85 }
ipsecPeerCaCerts OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Receives a comma separated list with indices (0..32767)
of special certificate authority certificates accepted
for this profile.
(only for IKEv2)."
::= { ipsecPeerEntry 86 }
ipsecPeerDynAddrMode OBJECT-TYPE
SYNTAX INTEGER {
pull(1), -- the client will request IP address and the gateway
-- will answer the request
push(2) -- the gateway will set IP address to the client and
-- the client will accept or deny it
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"When IP address assignment via IKE Config Mode is configured
(ipsecPeerDynAddrRole != none) this object specifies the used mode:
pull(1), -- the client will request IP address and the gateway
will answer the request
push(2) -- the gateway will set IP address to the client and
the client will accept or deny it
The ipsecPeerDynAddrMode value has to be the same for both sides of
the tunnel. With default value 'pull' the peer (ipsecPeerDynAddrRole ==
client) will request IP address and the gateway (ipsecPeerDynAddrRole ==
server) will answer the request.
The 'push' mode is needed for partner devices that require this mode.
This object matters only when ipsecPeerDynAddrRole != none."
DEFVAL { pull }
::= { ipsecPeerEntry 87 }
ipsecPeerMobike OBJECT-TYPE
SYNTAX INTEGER {
enabled(1), -- peer supports MOBIKE
disabled(2) -- peer does not support MOBIKE
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object indicates whether the peer supports MOBIKE or not.
An IP address change is only possible when both sides of a VPN
connection support MOBIKE.
Possible values:
enabled(1), -- Peer supports MOBIKE and signals MOBIKE
support by including a MOBIKE_SUPPORTED
notification in the IKE_AUTH message.
disabled(2) -- Peer does not support MOBIKE.
(only for IKEv2)."
DEFVAL { enabled }
::= { ipsecPeerEntry 88 }
ipsecPeerPublicIfIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The index value which uniquely identifies the physical interface
that should be used for all ipsec traffic as initiator.
When multiple equivalent routes to the given peer are available this
is used as an additional parameter for routing decisions.
If set to -1 then normal routing is used.
As responder the interface from the first received packet is used
and therefore this index value is ignored."
DEFVAL { -1 }
::= { ipsecPeerEntry 90 }
ipsecPeerPublicIfIndexMode OBJECT-TYPE
SYNTAX INTEGER {
force(1), -- the given interface is used, even if a route
-- with lower metric is available.
preferred(2) -- the given interface is used, if no route
-- with lower metric is available.
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object defines the mode used in conjunction with
ipsecPeerPublicIfIndex.
force(1), -- the given interface is used, even if a route
with lower metric is available.
preferred(2) -- the given interface is used, if no route
with lower metric is available.
This object matters only when ipsecPeerPublicIfIndex > 0."
DEFVAL { force }
::= { ipsecPeerEntry 91 }
-- End IPSec Peer Table
-- IKE IPSec Peer Status and Statistic Variables Table
ipsecPeerStatTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecPeerStatEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the status and statistic variables of the IPSec peers."
::= { ipsec 28 }
ipsecPeerStatEntry OBJECT-TYPE
SYNTAX IpsecPeerStatEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains the status and statistic variables of an IPSec peer."
INDEX {
ipsecPeerStatIndex
}
::= { ipsecPeerStatTable 1 }
IpsecPeerStatEntry ::=
SEQUENCE {
ipsecPeerStatIndex INTEGER,
ipsecPeerStatNextIndex INTEGER,
ipsecPeerStatCaCerts DisplayString,
ipsecPeerStatPeerAddress IpAddress,
ipsecPeerStatLocalId DisplayString,
ipsecPeerStatLocalCert INTEGER,
ipsecPeerStatPublicInterface INTEGER,
ipsecPeerStatIkeProposals INTEGER,
ipsecPeerStatPfsIdentity INTEGER,
ipsecPeerStatAuthMethod INTEGER,
ipsecPeerStatIkeGroup INTEGER,
ipsecPeerStatPfsGroup INTEGER,
ipsecPeerStatPh1Mode INTEGER,
ipsecPeerStatIkeLifeTime INTEGER,
ipsecPeerStatIpsecLifeTime INTEGER,
ipsecPeerStatKeepAlive INTEGER,
ipsecPeerStatGranularity INTEGER,
ipsecPeerStatDontVerifyPad INTEGER,
ipsecPeerStatNoPmtuDiscovery INTEGER,
ipsecPeerStatOperStatus INTEGER,
ipsecPeerStatDefaultIpsecProposals INTEGER,
ipsecPeerStatHeartbeat INTEGER,
ipsecPeerStatTtl INTEGER,
ipsecPeerStatCurrentLocalAddress IpAddress,
ipsecPeerStatCurrentRemoteAddress IpAddress,
ipsecPeerStatNumP1 INTEGER,
ipsecPeerStatNumP1Negotiating INTEGER,
ipsecPeerStatNumP1Established INTEGER,
ipsecPeerStatNumP1Deleted INTEGER,
ipsecPeerStatNumBundles INTEGER,
ipsecPeerStatNumBundlesNegotiating INTEGER,
ipsecPeerStatNumBundlesEstablished INTEGER,
ipsecPeerStatPh1LToken INTEGER,
ipsecPeerStatPh1RToken INTEGER,
ipsecPeerStatIsdnCBNextMode INTEGER,
ipsecPeerStatNatDetect INTEGER,
ipsecPeerStatNatTLocalPort INTEGER,
ipsecPeerStatNatTRemotePort INTEGER,
ipsecPeerStatMtu INTEGER,
ipsecPeerStatRxIdle TimeTicks,
ipsecPeerStatTxIdle TimeTicks,
ipsecPeerStatDPD INTEGER,
ipsecPeerStatDPDRetries INTEGER,
-- IKEv2 specific Peer parameters
ipsecPeerStatNumIkeSas INTEGER,
ipsecPeerStatNumIkeSasNegotiating INTEGER,
ipsecPeerStatNumIkeSasEstablished INTEGER,
ipsecPeerStatNumIkeSasDeleted INTEGER
}
ipsecPeerStatIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique index identifying this entry."
::= { ipsecPeerStatEntry 1 }
ipsecPeerStatNextIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index of the next peer in hierarchy."
::= { ipsecPeerStatEntry 2 }
ipsecPeerStatCaCerts OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Receives a comma separated list with indices of optional
certificate authority certificates accepted for this peer."
::= { ipsecPeerStatEntry 3 }
ipsecPeerStatPeerAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object shows the fixed IP-address of the peer, if any."
::= { ipsecPeerStatEntry 4 }
ipsecPeerStatLocalId OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local ID used for authentication.
Syntax:
- X500 distinguished name:
<obj-name=obj-value, obj-ID=obj-value, ...>
- IPV4-Address:
|123.456.789.012| with or without '|'
- IPV4 Address Range:
|123.456.789.012-123.456.789.013| with or without '|'
- IPV4 Address Subnet:
|123.456.789.012/255.255.255.0| with or without '|'
or:
|123.456.789.012/24| with or without '|'
- Key-ID: arbitrary length hexadecimal string
with even number of digits:
{ 01 23 45 67 89 ab cd ef }
- Fully Qualified User Name (FQUN):
(anything) or user@domain with mandatory '@'
- Fully Qualified Domain Name (FQDN):
[anything] or any name without '@' not matching any other
syntax
The usage of this field is deprecated, use ikePrfLocalId now!"
::= { ipsecPeerStatEntry 5 }
ipsecPeerStatLocalCert OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index of the certificate used for local authentication
in the certTable. Only useful for automatically keyed traffic
with dsa or rsa authentication."
::= { ipsecPeerStatEntry 6 }
ipsecPeerStatPublicInterface OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the index of the public interface
for which the traffic list assigned to this peer should be
valid.
If set to -1, the traffic list is valid for all interfaces.
If the traffic is routed via a different interface,
no SA negotiation is performed and the traffic may be sent unprotected
unless another peer entry exists for that other interface."
DEFVAL { -1 }
::= { ipsecPeerStatEntry 7 }
ipsecPeerStatIkeProposals OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Index of default ike proposal used for peers with empty default
ike proposal."
::= { ipsecPeerStatEntry 8 }
ipsecPeerStatPfsIdentity OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- delete phase 1 SAs
false(2), -- do not delete phase 1 SAs
default(3) -- use setting in ipsecGlobContDefaultPfsIdentity
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies whether IKE SA's should be deleted
immediately after a phase 2 (IPSec-) SA pair has been
negotiated.
It overrides the default setting ipsecGlobContDefaultPfsIdentity
if not set to 'default'.
The consequence of enabling this feature is that before each
phase 2 negotiation there always has to be a phase 1
negotiation. Thus individual phase 2 SAs cannot be
associated with one another, i.e. if the identity of a
remote peer is known to an eavesdropper for one SA, the
eavesdropper cannot conclude that the next SA is negotiated
with the same remote peer.
Note: Setting this flag only makes sense if configured
together with id-protect mode or RSA encryption for
authentication and if the IP address of the remote
peer does not allow conclusions about its identity
(i.e. dynamic remote peer addresses).
Possible values:
true(1), -- delete phase 1 SAs
false(2), -- do not delete phase 1 SAs
default(3) -- use setting in ipsecGlobContDefaultPfsIdentity."
DEFVAL { default }
::= { ipsecPeerStatEntry 9 }
ipsecPeerStatAuthMethod OBJECT-TYPE
SYNTAX INTEGER {
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3), -- Authentication using RSA signatures
rsa-enc(4), -- Authentication using RSA encryption
default(14), -- Use the default settings from the ikeProposalEntry
-- used or the ipsecGlobDefaultAuthMethod
delete(15) -- mark this entry for deletion
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the authentication method used for this peer.
It overrides the setting in the IKE proposals used.
Possible values:
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3), -- Authentication using RSA signatures
rsa-enc(4), -- Authentication using RSA encryption
default(14), -- Use the setting from the ikeProposalEntry
-- used or the ipsecGlobDefaultAuthMethod
delete(15) -- mark this entry for deletion."
DEFVAL { default }
::= { ipsecPeerStatEntry 10 }
ipsecPeerStatIkeGroup OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies a special IKE group which is to be used
for this peer only. It overrides the setting in the ikeProposal
used.
Possible values:
0: use the value from the ikeProposal used
1: a 768-bit MODP group
2: a 1024-bit MODP group
5: a 1536-bit MODP group"
::= { ipsecPeerStatEntry 11 }
ipsecPeerStatPfsGroup OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Diffie Hellman group used for additional Perfect
Forward Secrecy (PFS) DH exponentiations.
Possible values:
-1: explicitly do not use PFS
(overrides ipsecGlob2DefaultPfsGroup),
0: use default value from ipsecGlob2DefaultPfsGroup,
1: a 768-bit MODP group,
2: a 1024-bit MODP group,
5: a 1536-bit MODP group."
::= { ipsecPeerStatEntry 12 }
ipsecPeerStatPh1Mode OBJECT-TYPE
SYNTAX INTEGER {
id-protect(1), -- Use identity protection (main) mode
aggressive(2), -- Use aggressive mode
default(3) -- Use default setting from the
-- ipsecGlobalsTable
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the exchange mode used for IKE
SA negotiation.
Possible values:
id-protect(1), -- Use identity protection (main) mode
aggressive(2), -- Use aggressive mode
default(3) -- Use default settings from the
-- ipsecGlobalsTable."
DEFVAL { default }
::= { ipsecPeerStatEntry 13 }
ipsecPeerStatIkeLifeTime OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies an index in the ipsecLifeTimeTable with the
lifetime settings to be used for IKE SA negotiation with this peer.
It overrides the setting in the IKE proposal used.
If the lifetime pointed to by this index does not exist or is
inappropriate, the lifetime from the IKE proposal used is
taken."
::= { ipsecPeerStatEntry 14 }
ipsecPeerStatIpsecLifeTime OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies an index in the
ipsecLifeTimeTable. This lifetime overwrites the
lifetimes specified for all traffic entries and their
proposals referenced by this peer entry. If the
lifetime pointed to by this index does not exist or
is inappropriate, the default lifetime from the
ipsecGlobalsTable is used."
::= { ipsecPeerStatEntry 15 }
ipsecPeerStatKeepAlive OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- rekey SA's even if no data was transferred
false(2) -- do not rekey SA's if no data was transferred
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies whether IKE SA's with this peer
are rekeyed even if there was no data transferred over
them.
Possible values:
true(1), -- rekey SA's even if no data was transferred
false(2) -- do not rekey SA's if no data was transferred."
::= { ipsecPeerStatEntry 16 }
ipsecPeerStatGranularity OBJECT-TYPE
SYNTAX INTEGER {
default(1), -- use the setting from the ipsecGlobalsTable
coarse(2), -- Create only one SA for each Traffic entry
ip(3), -- Create one SA for each host
proto(4), -- Create one SA for each protocol and host
port(5) -- Create one SA for each port and host
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the granularity with which SA's
with this peer are created.
Possible values:
default(1), -- use the setting from the ipsecGlobalsTable
coarse(2), -- Create only one SA for each Traffic entry
ip(3), -- Create one SA for each host
proto(4), -- Create one SA for each protocol and host
port(5) -- Create one SA for each port and host."
DEFVAL { default }
::= { ipsecPeerStatEntry 17 }
ipsecPeerStatDontVerifyPad OBJECT-TYPE
SYNTAX INTEGER {
false(1), -- normal, self-describing ESP padding
true(2) -- old style ESP padding
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object is a compatibility option for older ipsec
implementations. It enables or disables an old way of ESP
padding (no self describing padding).
Possible values:
false(1), -- normal, self-describing ESP padding
true(2) -- old style ESP padding."
::= { ipsecPeerStatEntry 18 }
ipsecPeerStatNoPmtuDiscovery OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- do not perform PMTU discovery
false(2), -- perform PMTU discovery
default(3)-- use default settings from
-- ipsecGlobContNoPmtuDiscovery
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the PMTU discovery policy for this peer.
Possible values:
true(1), -- do not perform PMTU discovery
false(2) -- perform PMTU discovery
default(3)-- use default settings from
-- ipsecGlobContNoPmtuDiscovery."
DEFVAL { default }
::= { ipsecPeerStatEntry 19 }
ipsecPeerStatOperStatus OBJECT-TYPE
SYNTAX INTEGER {
-- *** states as defined for ifOperStatus ***
up(1),
down(2),
-- testing(3),
-- unknown(4),
dormant(5),
blocked(6),
-- idle(32),
awaiting-callback(33),
-- calling-back(34),
ip-lookup(35),
going-up(36),
wait-if(37),
wait-publish(38),
wait-localip(39),
going-up-trans(40)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Peer operational state."
DEFVAL { dormant }
::= { ipsecPeerStatEntry 20 }
ipsecPeerStatDefaultIpsecProposals OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index of the default IPSec proposal used for
encrypting all the traffic bound to the (optional)
logical interface created for this peer."
::= { ipsecPeerStatEntry 21 }
ipsecPeerStatHeartbeat OBJECT-TYPE
SYNTAX INTEGER {
none(1), -- neither send nor expect heartbeats
expect(2), -- expect heartbeats
send(3), -- send heartbeats
both(4), -- send and expect heartbeats
default(5) -- use setting from
-- ipsecGlobContHeartbeatDefault
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies whether heartbeats should be sent
over phase 1 SAs for this peer.
Possible values:
none(1), -- neither send nor expect heartbeats
expect(2), -- expect heartbeats
send(3), -- send heartbeats
both(4), -- send and expect heartbeats
default(5) -- use setting from
-- ipsecGlobContHeartbeatDefault."
DEFVAL { default }
::= { ipsecPeerStatEntry 22 }
ipsecPeerStatTtl OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object shows the maximum period of time in seconds
the peer will remain in the current state."
::= { ipsecPeerStatEntry 23 }
ipsecPeerStatCurrentLocalAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The currently used local IP-address for this peer."
::= { ipsecPeerStatEntry 24 }
ipsecPeerStatCurrentRemoteAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The currently known remote IP-address of this peer."
::= { ipsecPeerStatEntry 25 }
ipsecPeerStatNumP1 OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current IKE SAs for this peer."
::= { ipsecPeerStatEntry 26 }
ipsecPeerStatNumP1Negotiating OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current IKE SAs in state 'negotiating'
for this peer."
::= { ipsecPeerStatEntry 27 }
ipsecPeerStatNumP1Established OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current IKE SAs in state 'established'
for this peer."
::= { ipsecPeerStatEntry 28 }
ipsecPeerStatNumP1Deleted OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current IKE SAs in state 'waiting_for_remove'
for this peer."
::= { ipsecPeerStatEntry 29 }
ipsecPeerStatNumBundles OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current IPSec SA bundles for this peer."
::= { ipsecPeerStatEntry 30 }
ipsecPeerStatNumBundlesNegotiating OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current IPSec SA bundles in state 'negotiating'
for this peer."
::= { ipsecPeerStatEntry 31 }
ipsecPeerStatNumBundlesEstablished OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current IPSec SA bundles in state 'established'
for this peer."
::= { ipsecPeerStatEntry 32 }
ipsecPeerStatPh1LToken OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Locally generated token that must be used by the triggered peer
upon callback."
::= { ipsecPeerStatEntry 33 }
ipsecPeerStatPh1RToken OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Remotely generated token which must be used during phase one
of IPsec connection establishment."
::= { ipsecPeerStatEntry 34 }
ipsecPeerStatIsdnCBNextMode OBJECT-TYPE
SYNTAX INTEGER {
unknown(1),
d-llc(2),
d-subaddr(3),
d-llc-subaddr(4),
b(5)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Defines the callback mode that is to be tried next.
The following modes are defined:
unknown(1) -- still unset, derive it from other
settings
d-llc(2) -- use D channel mode with LLC next
d-subaddr(3) -- use D channel mode with SUBADDR next
d-llc-subaddr(4) -- use D channel mode with LLC and
SUBADDR next
b(5) -- use B channel mode next
Default value for that variable is unknown(1)."
DEFVAL { unknown }
::= { ipsecPeerStatEntry 35 }
ipsecPeerStatNatDetect OBJECT-TYPE
SYNTAX INTEGER {
local(1), -- local NAT detected
remote(2), -- remote NAT detected
both(3), -- local and remote NAT detected
none(4), -- no NAT present
unknown(8) -- NAT detection not finished
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The latest result of the NAT detection performed with the peer.
Possible values:
local(1), -- local NAT detected
remote(2), -- remote NAT detected
both(3), -- local and remote NAT detected
none(4), -- no NAT present
unknown(8) -- NAT detection not performed or not finished."
::= { ipsecPeerStatEntry 36 }
ipsecPeerStatNatTLocalPort OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local port currently used for NAT-T IKE and ESP SAs
with this Peer."
::= { ipsecPeerStatEntry 37 }
ipsecPeerStatNatTRemotePort OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote port currently used for NAT-T IKE and ESP SAs
with this Peer."
::= { ipsecPeerStatEntry 38 }
ipsecPeerStatMtu OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current MTU of this peer. This value is copied to ifMtu if
ipsecPeerVirtualInterface is set to enabled."
DEFVAL { 1418 }
::= { ipsecPeerStatEntry 39 }
ipsecPeerStatRxIdle OBJECT-TYPE
SYNTAX TimeTicks
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time period for which no packet has been received
from this peer."
::= { ipsecPeerStatEntry 40 }
ipsecPeerStatTxIdle OBJECT-TYPE
SYNTAX TimeTicks
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time period for which no packet has been transmitted
to this peer."
::= { ipsecPeerStatEntry 41 }
ipsecPeerStatDPD OBJECT-TYPE
SYNTAX INTEGER {
none(1), -- DPD not active
v1(2), -- DPD Version 1 active
v1-idle(3), -- DPD Version 1 in idle mode active
ikev2(4) -- IKEv2 INFORMATIONAL exchanges active
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of Dead Peer Detection (DPD) currently active
for this peer.
Possible values:
none(1) -- DPD not active
v1(2) -- DPD Version 1 active
v1-idle(3) -- DPD Version 1 in idle mode active
ikev2(4) -- IKEv2 INFORMATIONAL exchanges active."
DEFVAL { none }
::= { ipsecPeerStatEntry 42 }
ipsecPeerStatDPDRetries OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of DPD retries currently sent without reply."
::= { ipsecPeerStatEntry 43 }
ipsecPeerStatNumIkeSas OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current IKE SAs for this peer (only for IKEv2)."
::= { ipsecPeerStatEntry 44 }
ipsecPeerStatNumIkeSasNegotiating OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current IKE SAs in state 'negotiating'
for this peer (only for IKEv2)."
::= { ipsecPeerStatEntry 45 }
ipsecPeerStatNumIkeSasEstablished OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current IKE SAs in state 'established'
for this peer (only for IKEv2)."
::= { ipsecPeerStatEntry 46 }
ipsecPeerStatNumIkeSasDeleted OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current IKE SAs in state 'waiting_for_remove'
for this peer (only for IKEv2)."
::= { ipsecPeerStatEntry 47 }
-- End IPSec Peer Status and Statistic Variables Table
-- IKE Proposal Table
ikeProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IkeProposalEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of IKE proposals. The
entries may be concatenated on a logical-OR basis
using the NextChoice field to form choices of multiple
proposals."
::= { ipsec 6 }
ikeProposalEntry OBJECT-TYPE
SYNTAX IkeProposalEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains an IKE proposal, i.e. the
encryption algorithm and the hash algorithm used to
protect traffic sent over an IKE SA."
INDEX {
ikePropEncAlg
}
::= { ikeProposalTable 1 }
IkeProposalEntry ::=
SEQUENCE {
ikePropIndex INTEGER,
ikePropNextChoice INTEGER,
ikePropDescription DisplayString,
ikePropEncAlg INTEGER,
ikePropHashAlg INTEGER,
ikePropGroup INTEGER,
ikePropAuthMethod INTEGER,
ikePropEncKeySize INTEGER,
ikePropEncKeySizeMin INTEGER,
ikePropEncKeySizeMax INTEGER
}
ikePropIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique index identifying this entry."
::= { ikeProposalEntry 1 }
ikePropNextChoice OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the index of the next proposal
of a choice of proposals. If this object is 0, this
marks the end of a proposal chain."
::= { ikeProposalEntry 2 }
ikePropDescription OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An optional textual description of the proposal chain
beginning at this entry."
::= { ikeProposalEntry 3 }
ikePropEncAlg OBJECT-TYPE
SYNTAX INTEGER {
none(1), -- No encryption applied
des-cbc(2), -- DES in CBC mode
des3-cbc(3), -- Triple DES in CBC mode
blowfish-cbc(4),-- Blowfish in CBC mode
cast128-cbc(5), -- CAST in CBC mode with 128 bit key
twofish-cbc(6), -- Twofish in CBC mode
aes-cbc(7), -- AES in CBC mode
rijndael-cbc(31) -- rijndael (former name for AES)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the encryption algorithm used
to protect traffic sent over an IKE SA.
Possible values:
none(1), -- No encryption applied
des-cbc(2), -- DES in CBC mode
des3-cbc(3), -- Triple DES in CBC mode
blowfish-cbc(4), -- Blowfish in CBC mode
cast128-cbc(5), -- CAST in CBC mode with 128 bit key
twofish-cbc(6), -- Twofish in CBC mode
aes-cbc(7), -- AES in CBC mode
rijndael-cbc(31) -- rijndael (former name for AES)."
DEFVAL { aes-cbc }
::= { ikeProposalEntry 4 }
ikePropHashAlg OBJECT-TYPE
SYNTAX INTEGER {
delete(1), -- Delete this entry
none(2), -- No hash algorithm
md5(3), -- The MD5 hash algorithm
sha1(4), -- The Secure Hash Algorithm
ripemd160(5), -- The RipeMD160 Hash Algorithm
tiger192(6) -- The Tiger Hash Algorithm
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the hash algorithm used to
protect traffic sent over an IKE SA.
Possible values:
delete(1), -- Delete this entry
none(2), -- No hash algorithm
md5(3), -- The MD5 hash algorithm
sha1(4), -- The Secure Hash Algorithm
ripemd160(5),-- The RipeMD160 Hash Algorithm
tiger192(6) -- The Tiger Hash Algorithm."
DEFVAL { ripemd160 }
::= { ikeProposalEntry 5 }
ikePropGroup OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Index of the IKE group used with this proposal.
It may be overridden by a valid IKE group index of an IPSec peer
or in ipsecGlobDefaultIkeGroup.
Possible values:
0 (use default setting in ipsecPeerIkeGroup
or ipsecGlobDefaultIkeGroup),
1 (768 bit MODP),
2 (1024 bit MODP),
5 (1536 bit MODP)."
DEFVAL { 2 }
::= { ikeProposalEntry 7 }
ikePropAuthMethod OBJECT-TYPE
SYNTAX INTEGER {
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3), -- Authentication using RSA signatures
rsa-enc(4), -- Authentication using RSA encryption
default(33) -- Use default authentication method
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the authentication method used with this
proposal.
It may be overridden by the setting in the ipsecPeerEntry table.
If set to 'default' the value in ipsecGlobDefaultAuthMethod is used.
Possible values:
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), -- Authentication using DSS signatures
rsa-sig(3), -- Authentication using RSA signatures
rsa-enc(4), -- Authentication using RSA encryption
default(33) -- Use default authentication method."
DEFVAL { default }
::= { ikeProposalEntry 8 }
ikePropEncKeySize OBJECT-TYPE
SYNTAX INTEGER (0..2048)
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the encryption key size used with this
proposal. The limits for the individual algorithms can be seen
in the ipsecAlgorithmTable.
If a length outside the limits for the specified algorithm is
specified, it is reset to the max/min value possible."
::= { ikeProposalEntry 9 }
ikePropEncKeySizeMin OBJECT-TYPE
SYNTAX INTEGER (0..2048)
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the minimum encryption key size accepted
with this proposal.
The limits for the individual algorithms can be seen in the
ipsecAlgorithmTable.
If a length outside the limits for the specified algorithm is
specified, it is reset to the max/min value possible."
::= { ikeProposalEntry 10 }
ikePropEncKeySizeMax OBJECT-TYPE
SYNTAX INTEGER (0..2048)
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the maximum encryption key size accepted
with this proposal.
The limits for the individual algorithms can be seen in the
ipsecAlgorithmTable.
If a length outside the limits for the specified algorithm is
specified, it is reset to the max/min value possible."
::= { ikeProposalEntry 11 }
-- End IKE Proposal Table
-- IPSec Traffic Table
ipsecTrafficTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecTrafficEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains lists of Traffic and the actions
which should be applied to it, together with the
necessary parameters."
::= { ipsec 7 }
ipsecTrafficEntry OBJECT-TYPE
SYNTAX IpsecTrafficEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains a description of a type of IP
traffic and the action which should be applied to it
together with the necessary parameters."
INDEX {
ipsecTrProto
}
::= { ipsecTrafficTable 1 }
IpsecTrafficEntry ::=
SEQUENCE {
ipsecTrIndex INTEGER,
ipsecTrNextIndex INTEGER,
ipsecTrDescription DisplayString,
ipsecTrLocalAddressType INTEGER,
ipsecTrLocalAddress IpAddress,
ipsecTrLocalMaskLen INTEGER,
ipsecTrLocalRange IpAddress,
ipsecTrRemoteAddressType INTEGER,
ipsecTrRemoteAddress IpAddress,
ipsecTrRemoteMaskLen INTEGER,
ipsecTrRemoteRange IpAddress,
ipsecTrProto INTEGER,
ipsecTrLocalPort INTEGER,
ipsecTrRemotePort INTEGER,
ipsecTrAction INTEGER,
ipsecTrProposal INTEGER,
ipsecTrForceTunnelMode INTEGER,
ipsecTrLifeTime INTEGER,
ipsecTrGranularity INTEGER,
ipsecTrKeepAlive INTEGER,
ipsecTrProfile INTEGER,
ipsecTrInterface INTEGER,
ipsecTrDirection INTEGER,
ipsecTrCreator INTEGER
}
ipsecTrIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique index identifying this entry."
::= { ipsecTrafficEntry 1 }
ipsecTrNextIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the index of the next traffic
entry in the hierarchy."
::= { ipsecTrafficEntry 2 }
ipsecTrDescription OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An optional human readable description for this traffic entry."
::= { ipsecTrafficEntry 3 }
ipsecTrLocalAddressType OBJECT-TYPE
SYNTAX INTEGER {
fixed(1), -- fixed address
ph1(2) -- own dynamic phase 1 address
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The type of the local address specification.
This may be either a statically configured address or a
dynamic address which is taken from some state information."
DEFVAL { fixed }
::= { ipsecTrafficEntry 21 }
ipsecTrLocalAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The source IP-address of this traffic entry. It may be
either a single address, a network address (in
combination with ipsecTrLocalMaskLen), or the first address
of an address range (in combination with
ipsecTrLocalRange)."
::= { ipsecTrafficEntry 4 }
ipsecTrLocalMaskLen OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The length of the network mask for a source network."
::= { ipsecTrafficEntry 5 }
ipsecTrLocalRange OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The last address of a source address range. If this
field is nonzero, the ipsecTrLocalMaskLen field is
ignored and the source is considered as a range of
addresses beginning with ipsecTrLocalAddress and ending
with ipsecTrLocalRange."
::= { ipsecTrafficEntry 6 }
ipsecTrRemoteAddressType OBJECT-TYPE
SYNTAX INTEGER {
fixed(1), -- fixed address
ph1(2), -- remote dynamic phase 1 address
dhcp(3) -- remote ip address retrieved via DHCP
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The type of the remote address specification.
This may be either a statically configured address or a
dynamic address which is taken from some state information."
DEFVAL { fixed }
::= { ipsecTrafficEntry 22 }
ipsecTrRemoteAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The destination IP-address of this traffic entry. It may be
either a single address, a network address (in
combination with ipsecTrRemoteMaskLen), or the first address
of an address range (in combination with
ipsecTrRemoteRange)."
::= { ipsecTrafficEntry 7 }
ipsecTrRemoteMaskLen OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The length of the network mask for a destination network."
::= { ipsecTrafficEntry 8 }
ipsecTrRemoteRange OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The last address of a destination address range. If
this field is nonzero, the ipsecTrRemoteMaskLen field is
ignored and the destination is considered as a range of
addresses beginning with ipsecTrRemoteAddress and ending
with ipsecTrRemoteRange."
::= { ipsecTrafficEntry 9 }
ipsecTrProto OBJECT-TYPE
SYNTAX INTEGER {
icmp(1),
igmp(2),
ggp(3),
ipip(4),
st(5),
tcp(6),
cbt(7),
egp(8),
igp(9),
bbn(10),
nvp(11),
pup(12),
argus(13),
emcon(14),
xnet(15),
chaos(16),
udp(17),
mux(18),
dcn(19),
hmp(20),
prm(21),
xns(22),
trunk1(23),
trunk2(24),
leaf1(25),
leaf2(26),
rdp(27),
irtp(28),
isotp4(29),
netblt(30),
mfe(31),
merit(32),
sep(33),
pc3(34),
idpr(35),
xtp(36),
ddp(37),
idprc(38),
tp(39),
il(40),
ipv6(41),
sdrp(42),
ipv6route(43),
ipv6frag(44),
idrp(45),
rsvp(46),
gre(47),
mhrp(48),
bna(49),
esp(50),
ah(51),
inlsp(52),
swipe(53),
narp(54),
mobile(55),
tlsp(56),
skip(57),
ipv6icmp(58),
ipv6nonxt(59),
ipv6opts(60),
ipproto-61(61),
cftp(62),
local(63),
sat(64),
kryptolan(65),
rvd(66),
ippc(67),
distfs(68),
satmon(69),
visa(70),
ipcv(71),
cpnx(72),
cphb(73),
wsn(74),
pvp(75),
brsatmon(76),
sunnd(77),
wbmon(78),
wbexpak(79),
isoip(80),
vmtp(81),
securevmtp(82),
vines(83),
ttp(84),
nsfnet(85),
dgp(86),
tcf(87),
eigrp(88),
ospfigp(89),
sprite(90),
larp(91),
mtp(92),
ax25(93),
ipwip(94),
micp(95),
scc(96),
etherip(97),
encap(98),
encrypt(99),
gmtp(100),
ifmp(101),
pnni(102),
pim(103),
aris(104),
scps(105),
qnx(106),
an(107),
ippcp(108),
snp(109),
compaq(110),
ipxip(111),
vrrp(112),
pgm(113),
hop0(114),
l2tp(115),
ipproto-116(116),
ipproto-117(117),
ipproto-118(118),
ipproto-119(119),
ipproto-120(120),
ipproto-121(121),
ipproto-122(122),
ipproto-123(123),
ipproto-124(124),
ipproto-125(125),
ipproto-126(126),
ipproto-127(127),
ipproto-128(128),
ipproto-129(129),
ipproto-130(130),
ipproto-131(131),
ipproto-132(132),
ipproto-133(133),
ipproto-134(134),
ipproto-135(135),
ipproto-136(136),
ipproto-137(137),
ipproto-138(138),
ipproto-139(139),
ipproto-140(140),
ipproto-141(141),
ipproto-142(142),
ipproto-143(143),
ipproto-144(144),
ipproto-145(145),
ipproto-146(146),
ipproto-147(147),
ipproto-148(148),
ipproto-149(149),
ipproto-150(150),
ipproto-151(151),
ipproto-152(152),
ipproto-153(153),
ipproto-154(154),
ipproto-155(155),
ipproto-156(156),
ipproto-157(157),
ipproto-158(158),
ipproto-159(159),
ipproto-160(160),
ipproto-161(161),
ipproto-162(162),
ipproto-163(163),
ipproto-164(164),
ipproto-165(165),
ipproto-166(166),
ipproto-167(167),
ipproto-168(168),
ipproto-169(169),
ipproto-170(170),
ipproto-171(171),
ipproto-172(172),
ipproto-173(173),
ipproto-174(174),
ipproto-175(175),
ipproto-176(176),
ipproto-177(177),
ipproto-178(178),
ipproto-179(179),
ipproto-180(180),
ipproto-181(181),
ipproto-182(182),
ipproto-183(183),
ipproto-184(184),
ipproto-185(185),
ipproto-186(186),
ipproto-187(187),
ipproto-188(188),
ipproto-189(189),
ipproto-190(190),
ipproto-191(191),
ipproto-192(192),
ipproto-193(193),
ipproto-194(194),
ipproto-195(195),
ipproto-196(196),
ipproto-197(197),
ipproto-198(198),
ipproto-199(199),
ipproto-200(200),
ipproto-201(201),
ipproto-202(202),
ipproto-203(203),
ipproto-204(204),
ipproto-205(205),
ipproto-206(206),
ipproto-207(207),
ipproto-208(208),
ipproto-209(209),
ipproto-210(210),
ipproto-211(211),
ipproto-212(212),
ipproto-213(213),
ipproto-214(214),
ipproto-215(215),
ipproto-216(216),
ipproto-217(217),
ipproto-218(218),
ipproto-219(219),
ipproto-220(220),
ipproto-221(221),
ipproto-222(222),
ipproto-223(223),
ipproto-224(224),
ipproto-225(225),
ipproto-226(226),
ipproto-227(227),
ipproto-228(228),
ipproto-229(229),
ipproto-230(230),
ipproto-231(231),
ipproto-232(232),
ipproto-233(233),
ipproto-234(234),
ipproto-235(235),
ipproto-236(236),
ipproto-237(237),
ipproto-238(238),
ipproto-239(239),
ipproto-240(240),
ipproto-241(241),
ipproto-242(242),
ipproto-243(243),
ipproto-244(244),
ipproto-245(245),
ipproto-246(246),
ipproto-247(247),
ipproto-248(248),
ipproto-249(249),
ipproto-250(250),
ipproto-251(251),
ipproto-252(252),
ipproto-253(253),
ipproto-254(254),
dont-verify(255)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The transport protocol defined for this entry."
DEFVAL { dont-verify }
::= { ipsecTrafficEntry 10 }
ipsecTrLocalPort OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The source port defined for this traffic entry."
::= { ipsecTrafficEntry 11 }
ipsecTrRemotePort OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The destination port defined for this traffic entry."
::= { ipsecTrafficEntry 12 }
ipsecTrAction OBJECT-TYPE
SYNTAX INTEGER {
delete(1), -- Delete this entry
always-plain(2), -- Forward the packets without
-- protection even if there is a
-- matching SA and independent from
-- the position of the traffic entry
-- in the list.
pass(3), -- Forward the packets without
-- protection
protect(4), -- Protect the traffic as specified
-- in the proposal. Drop unprotected
-- traffic of this kind.
drop(5) -- Drop all packets matching this
-- traffic entry
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The action to be applied to traffic matching this entry.
Possible values:
delete(1), -- Delete this entry
always-plain(2), -- Forward the packets without
-- protection even if there is a
-- matching SA and independent from
-- the position of the traffic entry
-- in the list.
pass(3), -- Forward the packets without
-- protection
protect(4), -- Protect the traffic as specified
-- in the proposal. Drop unprotected
-- traffic of this kind.
drop(5) -- Drop all packets matching this
-- traffic entry."
DEFVAL { protect }
::= { ipsecTrafficEntry 13 }
ipsecTrProposal OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies an index in the
ipsecProposalTable. This may be the first proposal of
possibly a choice of multiple, optionally nested
proposals which is to be offered with IKE (automatic
keying) or a manual proposal (manual keying)."
::= { ipsecTrafficEntry 14 }
ipsecTrForceTunnelMode OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- Use tunnel mode even if transport mode is possible
false(2) -- Use transport mode whenever possible
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the strategy when transport mode is used.
By default, the system always uses transport mode, if possible.
If this variable is set to true, always tunnel mode will be used
for this traffic entry, even if source and destination address
match the tunnel endpoints.
Possible values:
true(1), -- Use tunnel mode even if transport mode is possible
false(2) -- Use transport mode whenever possible."
::= { ipsecTrafficEntry 15 }
ipsecTrLifeTime OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies an index in the
ipsecLifeTimeTable. This lifetime overwrites the
lifetimes specified for all proposals referenced by
this traffic entry. It may itself be overwritten by
an explicit lifetime specified for the peer entry
referencing this traffic entry. If the lifetime
pointed to by this index does not exist or is
inappropriate, the default lifetime from the
ipsecGlobalsTable is used."
::= { ipsecTrafficEntry 16 }
ipsecTrGranularity OBJECT-TYPE
SYNTAX INTEGER {
default(1), -- use the setting from the ipsecPeerTable
coarse(2), -- Create only one SA for each Traffic entry
ip(3), -- Create one SA for each host
proto(4), -- Create one SA for each protocol and host
port(5) -- Create one SA for each port and host
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the granularity with which SA's
must be created for this kind of traffic.
Possible values:
default(1), -- use the setting from the ipsecPeerTable
coarse(2), -- Create only one SA for each Traffic entry
ip(3), -- Create one SA for each host
proto(4), -- Create one SA for each protocol and host
port(5) -- Create one SA for each port and host."
DEFVAL { default }
::= { ipsecTrafficEntry 17 }
ipsecTrKeepAlive OBJECT-TYPE
SYNTAX INTEGER {
true(1), -- rekey SA's even if no data was transferred
false(2), -- do not rekey SA's if no data was transferred
default(3) -- use the default setting from the peer entry
-- referencing this traffic entry
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies whether SA's created for this kind
of traffic should be rekeyed on expiration of soft
lifetimes even if there has not been sent any traffic
over them.
Possible values:
true(1), -- rekey SA's even if no data was transferred
false(2), -- do not rekey SA's if no data was transferred
default(3) -- use the default setting from the peer entry
-- referencing this traffic entry."
DEFVAL { default }
::= { ipsecTrafficEntry 18 }
ipsecTrProfile OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The index from the ipsecProfileTable containing a special
phase 2 profile to use for this traffic entry."
::= { ipsecTrafficEntry 23 }
ipsecTrInterface OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the interface for which the traffic
entry should be valid (pass, drop and protect entries).
If this object is set to -1, there is no interface
restriction."
DEFVAL { -1 }
::= { ipsecTrafficEntry 19 }
ipsecTrDirection OBJECT-TYPE
SYNTAX INTEGER {
bidirectional(1), -- matches packets from remote to local
-- and vice versa
inbound(2), -- matches only packets from remote to local
outbound(3) -- matches only packets from local to remote
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the direction for which this traffic
entry should match.
It only applies for pass and drop entries, for protect entries
it is meaningless.
Possible values:
bidirectional(1), -- matches packets from remote to local
-- and vice versa
inbound(2), -- matches only packets from remote to local
outbound(3) -- matches only packets from local to remote."
DEFVAL { 1 }
::= { ipsecTrafficEntry 20 }
ipsecTrCreator OBJECT-TYPE
SYNTAX INTEGER {
config(1), -- created by configd/snmp
radius-preset(2), -- created by RADIUS preset
radius(3), -- created by dynamic RADIUS
ike(4) -- created by IKE (for dynamic client)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object shows the creator of the traffic entry."
DEFVAL { config }
::= { ipsecTrafficEntry 36 }
-- End IPSec Traffic Table
-- IPSec Algorithm definition table
ipsecAlgorithmTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecAlgorithmEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of supported IPSec algorithms
and their key sizes."
::= { ipsec 17 }
ipsecAlgorithmEntry OBJECT-TYPE
SYNTAX IpsecAlgorithmEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains an IPSec algorithm."
INDEX {
ipsecAlgId
}
::= { ipsecAlgorithmTable 1 }
IpsecAlgorithmEntry ::=
SEQUENCE {
ipsecAlgId INTEGER,
ipsecAlgMinKeySize INTEGER,
ipsecAlgDefKeySize INTEGER,
ipsecAlgMaxKeySize INTEGER,
ipsecAlgUseMinKeySize INTEGER,
ipsecAlgUseDefKeySize INTEGER,
ipsecAlgUseMaxKeySize INTEGER
}
ipsecAlgId OBJECT-TYPE
SYNTAX INTEGER {
aes(1), -- AES cipher alg
twofish(2), -- Twofish cipher alg
blowfish(3), -- Blowfish cipher alg
cast(4), -- Cast cipher alg
des3(5), -- Triple DES cipher alg
des(6), -- DES cipher alg
null(7), -- NULL pseudo cipher
rijndael(31) -- rijndael (former name for AES)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The id of the algorithm.
Possible values:
aes(1), -- AES cipher alg
twofish(2), -- Twofish cipher alg
blowfish(3), -- Blowfish cipher alg
cast(4), -- Cast cipher alg
des3(5), -- Triple DES cipher alg
des(6), -- DES cipher alg
null(7), -- NULL pseudo cipher
rijndael(31) -- rijndael (former name for AES)."
::= { ipsecAlgorithmEntry 1 }
ipsecAlgMinKeySize OBJECT-TYPE
SYNTAX INTEGER (0..2048)
UNITS "bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The minimum key length in bits possible for this algorithm."
::= { ipsecAlgorithmEntry 3 }
ipsecAlgDefKeySize OBJECT-TYPE
SYNTAX INTEGER (0..2048)
UNITS "bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The default key length in bits used for this algorithm."
::= { ipsecAlgorithmEntry 4 }
ipsecAlgMaxKeySize OBJECT-TYPE
SYNTAX INTEGER (0..2048)
UNITS "bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum key length in bits possible for this algorithm."
::= { ipsecAlgorithmEntry 5 }
ipsecAlgUseMinKeySize OBJECT-TYPE
SYNTAX INTEGER (0..2048)
UNITS "bits"
MAX-ACCESS read-only
STATUS obsolete
DESCRIPTION
"WARNING: this object is obsolete and must not be used."
::= { ipsecAlgorithmEntry 6 }
ipsecAlgUseDefKeySize OBJECT-TYPE
SYNTAX INTEGER (0..2048)
UNITS "bits"
MAX-ACCESS read-only
STATUS obsolete
DESCRIPTION
"WARNING: this object is obsolete and must not be used."
::= { ipsecAlgorithmEntry 7 }
ipsecAlgUseMaxKeySize OBJECT-TYPE
SYNTAX INTEGER (0..2048)
UNITS "bits"
MAX-ACCESS read-only
STATUS obsolete
DESCRIPTION
"WARNING: this object is obsolete and must not be used."
::= { ipsecAlgorithmEntry 8 }
-- End IPSec Algorithm definition table
-- IPSec Proposal Table
ipsecProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecProposalEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of IPSec proposals known to the
system.
The combinations of algorithms allowed are
constructed from any combinations of algorithms
enabled in an entry, in the order of the preferences
specified."
::= { ipsec 8 }
ipsecProposalEntry OBJECT-TYPE
SYNTAX IpsecProposalEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains an IPSec proposal, i.e. a
proposed set of security parameters applied to
traffic sent over an IPSec security association."
INDEX {
ipsecPropProto
}
::= { ipsecProposalTable 1 }
IpsecProposalEntry ::=
SEQUENCE {
ipsecPropIndex INTEGER,
ipsecPropNext INTEGER,
ipsecPropDescription DisplayString,
ipsecPropProto INTEGER,
ipsecPropIpcomp INTEGER,
ipsecPropEspAes INTEGER,
ipsecPropEspTwofish INTEGER,
ipsecPropEspBlowfish INTEGER,
ipsecPropEspCast INTEGER,
ipsecPropEspDes3 INTEGER,
ipsecPropEspDes INTEGER,
ipsecPropEspNull INTEGER,
ipsecPropEspRijndael INTEGER,
ipsecPropEspMd5 INTEGER,
ipsecPropEspSha1 INTEGER,
ipsecPropEspNoMac INTEGER,
ipsecPropAhMd5 INTEGER,
ipsecPropAhSha1 INTEGER,
ipsecPropIpcompDeflate INTEGER,
ipsecPropAesKeySize INTEGER,
ipsecPropAesKeySizeMin INTEGER,
ipsecPropAesKeySizeMax INTEGER,
ipsecPropBlowfishKeySize INTEGER,
ipsecPropBlowfishKeySizeMin INTEGER,
ipsecPropBlowfishKeySizeMax INTEGER,
ipsecPropTwofishKeySize INTEGER,
ipsecPropTwofishKeySizeMin INTEGER,
ipsecPropTwofishKeySizeMax INTEGER
}
ipsecPropIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique index for this entry."
::= { ipsecProposalEntry 1 }
ipsecPropNext OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The index of the next Proposal in the actual chain."
::= { ipsecProposalEntry 2 }
ipsecPropDescription OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An optional human readable description for this proposal."
::= { ipsecProposalEntry 4 }
ipsecPropProto OBJECT-TYPE
SYNTAX INTEGER {
esp(1), -- Encapsulating Security Payload
ah(2), -- Authentication Header
esp-ah(3), -- ESP and AH
delete(8) -- delete this entry
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The security protocol to apply.
Possible values:
esp(1), -- Encapsulating Security Payload
ah(2), -- Authentication Header
esp-ah(3), -- ESP and AH
delete(8) -- delete this entry."
DEFVAL { esp }
::= { ipsecProposalEntry 6 }
ipsecPropIpcomp OBJECT-TYPE
SYNTAX INTEGER {
enabled(1), -- Enable IPComP
disabled(2), -- Disable IPComP
force(3) -- Force use of IPComP
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of IPComP in the proposal.
Possible values:
enabled(1), -- Enable IPComP
disabled(2), -- Disable IPComP
force(3) -- Force use of IPComP."
DEFVAL { disabled }
::= { ipsecProposalEntry 20 }
ipsecPropEspAes OBJECT-TYPE
SYNTAX INTEGER (0..7)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the AES
encryption algorithm in the proposal.
Possible values:
0, -- disables AES
1..7 -- enables AES and specifies its priority among
the encryption algorithms."
::= { ipsecProposalEntry 40 }
ipsecPropEspTwofish OBJECT-TYPE
SYNTAX INTEGER (0..7)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the Twofish
encryption algorithm in the proposal.
Possible values:
0, -- disables Twofish
1..7 -- enables Twofish and specifies its priority among
the encryption algorithms."
::= { ipsecProposalEntry 41 }
ipsecPropEspBlowfish OBJECT-TYPE
SYNTAX INTEGER (0..7)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the Blowfish
encryption algorithm in the proposal.
Possible values:
0, -- disables Blowfish
1..7 -- enables Blowfish and specifies its priority among
the encryption algorithms."
::= { ipsecProposalEntry 42 }
ipsecPropEspCast OBJECT-TYPE
SYNTAX INTEGER (0..7)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the Cast
encryption algorithm in the proposal.
Possible values:
0, -- disables Cast
1..7 -- enables Cast and specifies its priority among
the encryption algorithms."
::= { ipsecProposalEntry 43 }
ipsecPropEspDes3 OBJECT-TYPE
SYNTAX INTEGER (0..7)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the DES3
encryption algorithm in the proposal.
Possible values:
0, -- disables DES3
1..7 -- enables DES3 and specifies its priority among
the encryption algorithms."
::= { ipsecProposalEntry 44 }
ipsecPropEspDes OBJECT-TYPE
SYNTAX INTEGER (0..7)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the DES
encryption algorithm in the proposal.
Possible values:
0, -- disables DES
1..7 -- enables DES and specifies its priority among
the encryption algorithms."
::= { ipsecProposalEntry 45 }
ipsecPropEspNull OBJECT-TYPE
SYNTAX INTEGER (0..7)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the NULL pseudo cipher
(ESP without encryption) in the proposal.
Possible values:
0, -- disables the NULL cipher
1..7 -- enables the NULL cipher and specifies its priority among
the encryption algorithms."
::= { ipsecProposalEntry 46 }
ipsecPropEspRijndael OBJECT-TYPE
SYNTAX INTEGER (-1..7)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the Rijndael
encryption algorithm in the proposal.
The use of this object is deprecated since rijndael has been
accepted as the algorithm for AES. Its value is transferred to
ipsecPropEspAes, if different from -1.
Possible values:
-1 -- use ipsecPropEspAes to determine the priority value
0, -- disables Rijndael
1..7 -- enables Rijndael and specifies its priority among
the encryption algorithms."
DEFVAL { -1 }
::= { ipsecProposalEntry 49 }
ipsecPropEspMd5 OBJECT-TYPE
SYNTAX INTEGER (0..3)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the MD5 authentication
algorithm for ESP in the proposal.
Possible values:
0, -- disables MD5
1..3 -- enables MD5 and specifies its priority among
the authentication algorithms."
::= { ipsecProposalEntry 50 }
ipsecPropEspSha1 OBJECT-TYPE
SYNTAX INTEGER (0..3)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the Sha1 authentication
algorithm for ESP in the proposal.
Possible values:
0, -- disables SHA-1
1..3 -- enables SHA-1 and specifies its priority among
the authentication algorithms."
::= { ipsecProposalEntry 51 }
ipsecPropEspNoMac OBJECT-TYPE
SYNTAX INTEGER (0..3)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether ESP without authentication
is allowed in the proposal.
Possible values:
0, -- disables ESP without authentication
1..3 -- enables ESP without authentication and specifies
its priority among the other authentication
algorithms enabled for ESP."
::= { ipsecProposalEntry 52 }
ipsecPropAhMd5 OBJECT-TYPE
SYNTAX INTEGER (0..2)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the MD5 authentication
algorithm for AH in the proposal.
Possible values:
0, -- disables MD5
1..2 -- enables MD5 and specifies its priority among
the authentication algorithms."
::= { ipsecProposalEntry 60 }
ipsecPropAhSha1 OBJECT-TYPE
SYNTAX INTEGER (0..2)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the Sha1 authentication
algorithm for AH in the proposal.
Possible values:
0, -- disables SHA-1
1..2 -- enables SHA-1 and specifies its priority among
the authentication algorithms."
::= { ipsecProposalEntry 61 }
ipsecPropIpcompDeflate OBJECT-TYPE
SYNTAX INTEGER (0..1)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the use of the DEFLATE
compression algorithm in the proposal.
Possible values:
0, -- disables DEFLATE
1..1 -- enables DEFLATE and specifies its priority among
the compression algorithms."
::= { ipsecProposalEntry 70 }
ipsecPropAesKeySize OBJECT-TYPE
SYNTAX INTEGER {
aes128(128), -- use 128 bit AES
aes192(192), -- use 192 bit AES
aes256(256) -- use 256 bit AES
}
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the key size in bits for the AES
algorithm, if enabled.
Possible Values:
aes128(128), -- use 128 bit AES
aes192(192), -- use 192 bit AES
aes256(256) -- use 256 bit AES."
::= { ipsecProposalEntry 80 }
ipsecPropAesKeySizeMin OBJECT-TYPE
SYNTAX INTEGER {
aes128(128), -- use 128 bit AES
aes192(192), -- use 192 bit AES
aes256(256) -- use 256 bit AES
}
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the minimum accepted key size in bits
for the AES algorithm, if enabled.
Possible Values:
aes128(128), -- use 128 bit AES
aes192(192), -- use 192 bit AES
aes256(256) -- use 256 bit AES."
::= { ipsecProposalEntry 81 }
ipsecPropAesKeySizeMax OBJECT-TYPE
SYNTAX INTEGER {
aes128(128), -- use 128 bit AES
aes192(192), -- use 192 bit AES
aes256(256) -- use 256 bit AES
}
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the maximum accepted key size in bits
for the AES algorithm, if enabled.
Possible Values:
aes128(128), -- use 128 bit AES
aes192(192), -- use 192 bit AES
aes256(256) -- use 256 bit AES."
::= { ipsecProposalEntry 82 }
ipsecPropBlowfishKeySize OBJECT-TYPE
SYNTAX INTEGER (40..448)
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the key size in bits for the Blowfish
algorithm, if enabled.
Note: the key size must be a multiple of 8 bits.
If not, it will be rounded up to the next 8 bit boundary."
::= { ipsecProposalEntry 83 }
ipsecPropBlowfishKeySizeMin OBJECT-TYPE
SYNTAX INTEGER (40..448)
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the minimum accepted key size in bits
for the Blowfish algorithm, if enabled."
::= { ipsecProposalEntry 84 }
ipsecPropBlowfishKeySizeMax OBJECT-TYPE
SYNTAX INTEGER (40..448)
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the maximum accepted key size in bits
for the Blowfish algorithm, if enabled."
::= { ipsecProposalEntry 85 }
ipsecPropTwofishKeySize OBJECT-TYPE
SYNTAX INTEGER {
twofish128(128), -- use 128 bit Twofish
twofish192(192), -- use 192 bit Twofish
twofish256(256) -- use 256 bit Twofish
}
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the key size in bits for the Twofish
algorithm, if enabled.
Possible Values:
twofish128(128), -- use 128 bit Twofish
twofish192(192), -- use 192 bit Twofish
twofish256(256) -- use 256 bit Twofish."
::= { ipsecProposalEntry 86 }
ipsecPropTwofishKeySizeMin OBJECT-TYPE
SYNTAX INTEGER {
twofish128(128), -- use 128 bit Twofish
twofish192(192), -- use 192 bit Twofish
twofish256(256) -- use 256 bit Twofish
}
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the minimum accepted key size in bits
for the Twofish algorithm, if enabled.
Possible Values:
twofish128(128), -- use 128 bit Twofish
twofish192(192), -- use 192 bit Twofish
twofish256(256) -- use 256 bit Twofish."
::= { ipsecProposalEntry 87 }
ipsecPropTwofishKeySizeMax OBJECT-TYPE
SYNTAX INTEGER {
twofish128(128), -- use 128 bit Twofish
twofish192(192), -- use 192 bit Twofish
twofish256(256) -- use 256 bit Twofish
}
UNITS "bits"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the maximum accepted key size in bits
for the Twofish algorithm, if enabled.
Possible Values:
twofish128(128), -- use 128 bit Twofish
twofish192(192), -- use 192 bit Twofish
twofish256(256) -- use 256 bit Twofish."
::= { ipsecProposalEntry 88 }
-- End IPSec Proposal Table
-- IPSec Life Time Table
ipsecLifeTimeTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecLifeTimeEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of defined lifetimes for IPsec
and IKE SAs."
::= { ipsec 9 }
ipsecLifeTimeEntry OBJECT-TYPE
SYNTAX IpsecLifeTimeEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains a lifetime, i.e. the soft and hard
expiry limits for IPsec and IKE SA's.
The usage of this table is deprecated, use the ikePrfLifeXxx
and ipsecPrfLifeXxx variables in the ikeProfileTable
and ipsecProfileTable directly instead."
INDEX {
ipsecLifeType
}
::= { ipsecLifeTimeTable 1 }
IpsecLifeTimeEntry ::=
SEQUENCE {
ipsecLifeIndex INTEGER,
ipsecLifeType INTEGER,
ipsecLifeHardKb INTEGER,
ipsecLifeHardSec INTEGER,
ipsecLifePolicy INTEGER,
ipsecLifeSoftPercent INTEGER
}
ipsecLifeIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique index identifying this entry."
::= { ipsecLifeTimeEntry 1 }
ipsecLifeType OBJECT-TYPE
SYNTAX INTEGER {
delete(1), -- Delete this entry
generic(2)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the type of a lifetime entry."
DEFVAL { generic }
::= { ipsecLifeTimeEntry 2 }
ipsecLifeHardKb OBJECT-TYPE
SYNTAX INTEGER
UNITS "kilo bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum amount of data (in KB) which may be protected
by an SA before it is deleted."
DEFVAL { 0 }
::= { ipsecLifeTimeEntry 5 }
ipsecLifeHardSec OBJECT-TYPE
SYNTAX INTEGER
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum time (in seconds) after which an SA will be
refreshed."
DEFVAL { 900 }
::= { ipsecLifeTimeEntry 6 }
ipsecLifePolicy OBJECT-TYPE
SYNTAX INTEGER {
loose(1), -- accept and use anything proposed
strict(2), -- accept and use only what is configured
notify(3) -- accept anything (send responder lifetime)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies the way the lifetime information is
applied. Possible values:
loose(1), -- accept and use anything proposed
strict(2), -- accept and use only what is configured
notify(3) -- accept anything, if own values are smaller
than what was proposed use these and
send responder lifetime notification."
DEFVAL { loose }
::= { ipsecLifeTimeEntry 7 }
ipsecLifeSoftPercent OBJECT-TYPE
SYNTAX INTEGER (50..100)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The percentage of the hard lifetimes (traffic and time based)
after which rekeying is started."
DEFVAL { 80 }
::= { ipsecLifeTimeEntry 8 }
-- End IPSec Life Time Table
-- IPSec global statistics Table
ipsecStats OBJECT IDENTIFIER ::= { ipsec 10 }
--Static table containing global IPSec statistics
ipsecStatsCurrentIkeSas OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current number of IKE SA's (both IKEv1 and IKEv2)."
::= { ipsecStats 1 }
ipsecStatsCurrentIpsecSas OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current number of IPSec SA's."
::= { ipsecStats 2 }
ipsecStatsTrig OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of packets which triggered an IKE negotiation."
::= { ipsecStats 9 }
ipsecStatsFragPkt OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of partial packets currently being reassembled."
::= { ipsecStats 10 }
ipsecStatsFragBytes OBJECT-TYPE
SYNTAX INTEGER
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Total size of the partial packets currently being reassembled."
::= { ipsecStats 11 }
ipsecStatsFragNonfirst OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of non-first fragments currently queued."
::= { ipsecStats 12 }
ipsecStatsDecryptErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of decryption errors."
::= { ipsecStats 13 }
ipsecStatsAuthErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of authentication errors."
::= { ipsecStats 14 }
ipsecStatsReplayErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of replay errors."
::= { ipsecStats 15 }
ipsecStatsPolicyErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of policy errors."
::= { ipsecStats 16 }
ipsecStatsOtherErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of other receive errors."
::= { ipsecStats 17 }
ipsecStatsSendErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of send errors."
::= { ipsecStats 18 }
ipsecStatsUnknownSpiErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of unknown SPI errors."
::= { ipsecStats 19 }
ipsecStatsIkeNumP1 OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of IKE phase-1 negotiations performed. "
::= { ipsecStats 20 }
ipsecStatsIkeNumFailedP1 OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of failed IKE phase-1 negotiations."
::= { ipsecStats 21 }
ipsecStatsIkeNumQm OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of IKE quick-mode negotiations performed. "
::= { ipsecStats 22 }
ipsecStatsIkeNumFailedQm OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of failed IKE quick-mode negotiations. "
::= { ipsecStats 23 }
ipsecStatsEspCurrentInbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of active inbound ESP SAs."
::= { ipsecStats 24 }
ipsecStatsEspTotalInbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound ESP SAs since the system was started."
::= { ipsecStats 25 }
ipsecStatsEspCurrentOutbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of active outbound ESP SAs."
::= { ipsecStats 26 }
ipsecStatsEspTotalOutbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound ESP SAs since the system was started."
::= { ipsecStats 27 }
ipsecStatsAhCurrentInbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of active inbound AH SAs."
::= { ipsecStats 28 }
ipsecStatsAhTotalInbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound AH SAs since the system was started."
::= { ipsecStats 29 }
ipsecStatsAhCurrentOutbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of active outbound AH SAs."
::= { ipsecStats 30 }
ipsecStatsAhTotalOutbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound AH SAs since the system was started."
::= { ipsecStats 31 }
ipsecStatsIpcompCurrentInbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of active inbound IPComp SAs."
::= { ipsecStats 32 }
ipsecStatsIpcompTotalInbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound IPComp SAs since the system was started."
::= { ipsecStats 33 }
ipsecStatsIpcompCurrentOutbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of active outbound IPComp SAs."
::= { ipsecStats 34 }
ipsecStatsIpcompTotalOutbound OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound IPComp SAs since the system was started."
::= { ipsecStats 35 }
ipsecStatsPeersUp OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of Peers currently in state 'up'."
::= { ipsecStats 36 }
ipsecStatsPeersBlocked OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of Peers currently in state 'blocked'."
::= { ipsecStats 37 }
ipsecStatsPeersDormant OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of Peers currently in state 'dormant'."
::= { ipsecStats 38 }
ipsecStatsCurrentIkeSasNegotiating OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current number of IKE SA's in state 'negotiating'
(both IKEv1 and IKEv2)."
::= { ipsecStats 39 }
ipsecStatsCurrentIkeSasEstablished OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current number of IKE SA's in state 'established'
(both IKEv1 and IKEv2)."
::= { ipsecStats 40 }
ipsecStatsCurrentIkeSasDeleted OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current number of IKE SA's in state 'deleted' or
'waiting_for_remove' (both IKEv1 and IKEv2)."
::= { ipsecStats 41 }
ipsecStatsCurrentBundles OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current number of IPSec bundles."
::= { ipsecStats 42 }
ipsecStatsCurrentBundlesEstablished OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current number of IPSec bundles in state 'established'."
::= { ipsecStats 43 }
ipsecStatsCurrentBundlesNegotiating OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Current number of IPSec bundles in state 'negotiating'."
::= { ipsecStats 44 }
ipsecStatsInPkt OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of packets received."
::= { ipsecStats 45 }
ipsecStatsInPass OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of inbound packets passed."
::= { ipsecStats 46 }
ipsecStatsInDrop OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of inbound packets dropped (error packets excluded)."
::= { ipsecStats 47 }
ipsecStatsInDecaps OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of inbound packets decapsulated."
::= { ipsecStats 48 }
ipsecStatsInErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of inbound error packets."
::= { ipsecStats 49 }
ipsecStatsOutPkt OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of outbound packets."
::= { ipsecStats 50 }
ipsecStatsOutPass OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of outbound packets passed."
::= { ipsecStats 51 }
ipsecStatsOutDrop OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of outbound packets dropped (error packets excluded)."
::= { ipsecStats 52 }
ipsecStatsOutEncaps OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of outbound packets encapsulated."
::= { ipsecStats 53 }
ipsecStatsOutErrors OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of outbound error packets."
-- NOTE(review): sub-identifier 544 breaks the otherwise consecutive
-- numbering of this group (ipsecStatsOutEncaps is 53, ipsecStatsInEsp
-- is 55) and is presumably a typo for 54. Confirm against the OID the
-- agent actually serves before changing it; with the wrong
-- sub-identifier this counter is never resolved by name.
::= { ipsecStats 544 }
ipsecStatsInEsp OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of inbound packets decapsulated by ESP."
::= { ipsecStats 55 }
ipsecStatsInAh OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of inbound packets decapsulated by AH."
::= { ipsecStats 56 }
ipsecStatsInIpcomp OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of inbound packets decapsulated by IPComp."
::= { ipsecStats 57 }
ipsecStatsOutEsp OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of outbound packets encapsulated by ESP."
::= { ipsecStats 58 }
ipsecStatsOutAh OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of outbound packets encapsulated by AH."
::= { ipsecStats 59 }
ipsecStatsOutIpcomp OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of outbound packets encapsulated by IPComp."
::= { ipsecStats 60 }
ipsecStatsIkev2NumIkeSas OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of IKE_SA negotiations performed (only for IKEv2)."
::= { ipsecStats 63 }
ipsecStatsIkev2NumFailedIkeSas OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of failed IKE_SA negotiations (only for IKEv2)."
::= { ipsecStats 64 }
ipsecStatsIkev2NumCreateChildSas OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of CREATE_CHILD_SA exchanges performed (only for IKEv2)."
::= { ipsecStats 65 }
ipsecStatsIkev2NumFailedCreateChildSas OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of failed CREATE_CHILD_SA exchanges (only for IKEv2)."
::= { ipsecStats 66 }
-- IPSec Dial Table
ipsecDialTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecDialEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains dial entries specifying all parameters
needed for ISDN triggered call back."
::= { ipsec 12 }
ipsecDialEntry OBJECT-TYPE
SYNTAX IpsecDialEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains a dial entry used for mapping ISDN
numbers to peers for the ISDN call back feature."
INDEX {
ipsecDialIfIndex
}
::= { ipsecDialTable 1 }
IpsecDialEntry ::=
SEQUENCE {
ipsecDialIfIndex INTEGER,
ipsecDialDirection INTEGER,
ipsecDialNumber DisplayString,
ipsecDialSubAddress OCTET STRING,
ipsecDialTypeOfSubAddr INTEGER,
ipsecDialLocalNumber DisplayString,
ipsecDialLocalSubAddress OCTET STRING,
ipsecDialTypeOfLocalSubAddr INTEGER,
ipsecDialAdminStatus INTEGER,
ipsecDialOperStatus INTEGER
}
ipsecDialIfIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Index that uniquely maps this entry to a peer."
::= { ipsecDialEntry 1 }
ipsecDialDirection OBJECT-TYPE
SYNTAX INTEGER {
incoming(1),
outgoing(2),
both(3),
delete(4)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Calling direction for which entry applies."
DEFVAL { both }
::= { ipsecDialEntry 2 }
ipsecDialNumber OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..63))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Party number of remote peer. Used for matching calling party
number on incoming calls and for called party number on
outgoing calls."
::= { ipsecDialEntry 3 }
ipsecDialSubAddress OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Subaddress of remote peer. Used for matching calling party
subaddress on incoming calls and for called party subaddress
on outgoing calls."
DEFVAL { "" }
::= { ipsecDialEntry 4 }
ipsecDialTypeOfSubAddr OBJECT-TYPE
SYNTAX INTEGER {
nsap(1),
user-specified(2),
reserved(3)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Type of subaddress of remote peer. Used for matching calling
party subaddress on incoming calls and for called party
subaddress on outgoing calls."
DEFVAL { nsap }
::= { ipsecDialEntry 5 }
ipsecDialLocalNumber OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..63))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Local Party number. Used for matching called party number on
incoming calls and for calling party number on outgoing calls.
Special value '*' is treated as wildcard, i.e. calls with
any called party number will be accepted.
Default value is '*'."
DEFVAL { "*" }
::= { ipsecDialEntry 6 }
ipsecDialLocalSubAddress OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Local subaddress. Used for matching called party subaddress on
incoming calls and for calling party subaddress on outgoing
calls.
Special value '*' is treated as wildcard, i.e. calls with
any called party subaddress (of arbitrary type) will be
accepted.
Default value is '*'."
DEFVAL { "*" }
::= { ipsecDialEntry 7 }
ipsecDialTypeOfLocalSubAddr OBJECT-TYPE
SYNTAX INTEGER {
nsap(1),
user-specified(2),
reserved(3)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Type of local subaddress. Used for matching called party
subaddress on incoming calls and for calling party subaddress
on outgoing calls. Subaddress type is only checked as long as
subaddress is not '*'.
Default value is nsap."
DEFVAL { nsap }
::= { ipsecDialEntry 8 }
ipsecDialAdminStatus OBJECT-TYPE
SYNTAX INTEGER {
active(1),
inactive(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Administrative status of the dial entry. This object allows
ipsecDial entries to be disabled temporarily, without actually
deleting them, by assigning the value inactive.
Default value is active."
DEFVAL { active }
::= { ipsecDialEntry 9 }
ipsecDialOperStatus OBJECT-TYPE
SYNTAX INTEGER {
active(1),
inactive(2),
blocked-for-outgoing(3)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Operational status of the dial entry. This object indicates the
current status of the ipsecDial entry. Besides the values defined
for ipsecDialAdminStatus, the status blocked-for-outgoing is
defined; it is used when triggering call back has resulted in a
cost-generating connected call, in order to avoid unpredictably
high phone bills."
::= { ipsecDialEntry 10 }
-- End IPSec Dial Table
-- XAUTH Profile Table
xauthProfileTable OBJECT-TYPE
SYNTAX SEQUENCE OF XauthProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of XAUTH profiles."
::= { ipsec 18 }
xauthProfileEntry OBJECT-TYPE
SYNTAX XauthProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains an XAUTH profile."
INDEX {
xauthPrfIndex
}
::= { xauthProfileTable 1 }
XauthProfileEntry ::=
SEQUENCE {
xauthPrfIndex Unsigned32,
xauthPrfDescription DisplayString,
xauthPrfRole INTEGER,
xauthPrfMode INTEGER,
xauthPrfAAAServerGroupId INTEGER,
xauthPrfUserListGroupId INTEGER,
xauthPrfTimeout INTEGER,
xauthPrfAdminStatus INTEGER
}
xauthPrfIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A unique index identifying this entry."
::= { xauthProfileEntry 1 }
xauthPrfDescription OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..50))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An optional description for this profile, only used for
descriptive purposes (max. 50 characters)."
::= { xauthProfileEntry 2 }
xauthPrfRole OBJECT-TYPE
SYNTAX INTEGER {
server(1), -- XAUTH server
client(2) -- XAUTH client
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies which role is chosen for this profile.
Possible values:
server(1) -- XAUTH is used and the local device is the XAUTH server,
i.e. this side requests extended authentication
client(2) -- XAUTH is used and the local device is the XAUTH client,
i.e. this side responds with its extended
authentication credentials
"
DEFVAL { server }
::= { xauthProfileEntry 3 }
xauthPrfMode OBJECT-TYPE
SYNTAX INTEGER {
local(1), --
radius(2) --
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies how user data for authentication is obtained.
Possible values:
local(1) -- user data is configured locally in the entries
of xauthUserListTable that are referenced by
xauthPrfUserListGroupId
radius(2) -- user data is configured at a RADIUS server; the RADIUS server
is referenced by xauthPrfAAAServerGroupId, which
corresponds to radiusSrvGroupId in radiusSrvTable.
'radius' mode is only valid for the server role
"
DEFVAL { radius }
::= { xauthProfileEntry 4 }
xauthPrfAAAServerGroupId OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the group ID which is used for RADIUS
authentication to find the associated server entry in
radiusSrvTable for XAUTH. See description of radiusSrvGroupId for
details.
This object is only valid for entries with xauthPrfMode 'radius'."
DEFVAL { 0 }
::= { xauthProfileEntry 5 }
xauthPrfUserListGroupId OBJECT-TYPE
SYNTAX INTEGER (1..1000)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object refers to a group of one or more user entries in
xauthUserListTable.
This object is only valid for entries with xauthPrfMode 'local'."
DEFVAL { 1 }
::= { xauthProfileEntry 6 }
xauthPrfTimeout OBJECT-TYPE
SYNTAX INTEGER
UNITS "seconds"
MAX-ACCESS read-write
STATUS obsolete
DESCRIPTION
"WARNING: this object is obsolete and must not be used."
DEFVAL { 0 }
::= { xauthProfileEntry 7 }
xauthPrfAdminStatus OBJECT-TYPE
SYNTAX INTEGER { enable(1), delete(2) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"MIB entry deletion is performed by this object:
- enable : enables the xauthProfileTable entry
- delete : deletes the xauthProfileTable entry."
DEFVAL { enable }
::= { xauthProfileEntry 8 }
-- End XAUTH Profile Table
-- XAUTH User List Table
xauthUserListTable OBJECT-TYPE
SYNTAX SEQUENCE OF XauthUserListEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains the list of XAUTH users."
::= { ipsec 19 }
xauthUserListEntry OBJECT-TYPE
SYNTAX XauthUserListEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains an XAUTH user."
INDEX {
xauthUserListIndex
}
::= { xauthUserListTable 1 }
XauthUserListEntry ::=
SEQUENCE {
xauthUserListIndex INTEGER,
xauthUserListGroupId INTEGER,
xauthUserListName DisplayString,
xauthUserListPassword DisplayString,
xauthUserListPasswordData OCTET STRING,
xauthUserListAdminStatus INTEGER
}
xauthUserListIndex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A unique index identifying this entry."
::= { xauthUserListEntry 1 }
xauthUserListGroupId OBJECT-TYPE
SYNTAX INTEGER (1..1000)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"ID for creating logical groups of XAUTH users."
DEFVAL { 1 }
::= { xauthUserListEntry 2 }
xauthUserListName OBJECT-TYPE
SYNTAX DisplayString (SIZE(1..63))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the user name."
::= { xauthUserListEntry 3 }
xauthUserListPassword OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..63))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the user's password.
This field serves only as an input field; its contents are
replaced with a single asterisk immediately after it is set."
::= { xauthUserListEntry 4 }
xauthUserListPasswordData OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Field used for storing the user's password permanently."
-- NOTE(review): not-accessible, so the stored credential cannot be
-- retrieved via SNMP. It is presumably populated from a SET on
-- xauthUserListPassword (read-write, reads back as a single asterisk
-- once set). That SET carries the password on the wire; perform it
-- only over SNMPv3 with authentication and privacy (or another
-- encrypted management channel), never over SNMPv1/v2c.
::= { xauthUserListEntry 5 }
xauthUserListAdminStatus OBJECT-TYPE
SYNTAX INTEGER { enable(1), delete(2) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"MIB entry deletion is performed by this object:
- enable : enables xauthUserListTable entry
- delete : deletes xauthUserListTable entry."
DEFVAL { enable }
::= { xauthUserListEntry 6 }
-- End XAUTH User List Table
-- IPSecPeerTraffic Table
ipsecPeerTrafficTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecPeerTrafficEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains peer-related lists of traffic permitted
for Phase 2 negotiation. Note that all entries in this table
are optional; in the default case (no entries) no restriction
takes place."
::= { ipsec 29 }
ipsecPeerTrafficEntry OBJECT-TYPE
SYNTAX IpsecPeerTrafficEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains one entry of the peer-related list of
traffic permitted for Phase 2 negotiation. Note that all entries
in this table are optional; in the default case (no entries) no
restriction takes place."
INDEX {
ipsecPeerTrafficIfindex, ipsecPeerTrafficLocalAddress,
ipsecPeerTrafficRemoteAddress
}
::= { ipsecPeerTrafficTable 1 }
IpsecPeerTrafficEntry ::=
SEQUENCE {
ipsecPeerTrafficIfindex INTEGER,
ipsecPeerTrafficDescription DisplayString,
ipsecPeerTrafficLocalAddress IpAddress,
ipsecPeerTrafficLocalMask IpAddress,
ipsecPeerTrafficLocalPort INTEGER,
ipsecPeerTrafficLocalPortRange INTEGER,
ipsecPeerTrafficRemoteAddress IpAddress,
ipsecPeerTrafficRemoteMask IpAddress,
ipsecPeerTrafficRemotePort INTEGER,
ipsecPeerTrafficRemotePortRange INTEGER,
ipsecPeerTrafficProtocol INTEGER,
ipsecPeerTrafficPolicy INTEGER
-- ipsecPeerTrafficAction INTEGER
}
ipsecPeerTrafficIfindex OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"."
-- NOTE(review): the DESCRIPTION is empty. This object is the first
-- component of the table INDEX; presumably it is the ifIndex of the
-- IPSec peer whose permitted Phase 2 traffic this entry describes --
-- confirm.
::= { ipsecPeerTrafficEntry 1 }
ipsecPeerTrafficDescription OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An optional human readable description for this entry."
::= { ipsecPeerTrafficEntry 2 }
ipsecPeerTrafficLocalAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The local IP address of this entry. It may be
either a single address or a network address (in
combination with ipsecPeerTrafficLocalMask)."
::= { ipsecPeerTrafficEntry 3 }
ipsecPeerTrafficLocalMask OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The network mask for the local network."
::= { ipsecPeerTrafficEntry 4 }
ipsecPeerTrafficLocalPort OBJECT-TYPE
SYNTAX INTEGER (-1..65535)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The local port defined for this entry."
DEFVAL { -1 }
::= { ipsecPeerTrafficEntry 5 }
ipsecPeerTrafficLocalPortRange OBJECT-TYPE
SYNTAX INTEGER (0..65534)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The local port range defined for this entry."
DEFVAL { 1 }
::= { ipsecPeerTrafficEntry 6 }
ipsecPeerTrafficRemoteAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The remote IP address of this entry. It may be
either a single address or a network address (in
combination with ipsecPeerTrafficRemoteMask)."
::= { ipsecPeerTrafficEntry 7 }
ipsecPeerTrafficRemoteMask OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The network mask for a remote network."
::= { ipsecPeerTrafficEntry 8 }
ipsecPeerTrafficRemotePort OBJECT-TYPE
SYNTAX INTEGER (-1..65535)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The remote UDP/TCP port defined for this entry."
DEFVAL { -1 }
::= { ipsecPeerTrafficEntry 9 }
ipsecPeerTrafficRemotePortRange OBJECT-TYPE
SYNTAX INTEGER (0..65534)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The remote UDP/TCP port range defined for this entry."
DEFVAL { 1 }
::= { ipsecPeerTrafficEntry 10 }
ipsecPeerTrafficProtocol OBJECT-TYPE
SYNTAX INTEGER {
icmp(1),
igmp(2),
ggp(3),
ipip(4),
st(5),
tcp(6),
cbt(7),
egp(8),
igp(9),
bbn(10),
nvp(11),
pup(12),
argus(13),
emcon(14),
xnet(15),
chaos(16),
udp(17),
mux(18),
dcn(19),
hmp(20),
prm(21),
xns(22),
trunk1(23),
trunk2(24),
leaf1(25),
leaf2(26),
rdp(27),
irtp(28),
isotp4(29),
netblt(30),
mfe(31),
merit(32),
sep(33),
pc3(34),
idpr(35),
xtp(36),
ddp(37),
idprc(38),
tp(39),
il(40),
ipv6(41),
sdrp(42),
ipv6route(43),
ipv6frag(44),
idrp(45),
rsvp(46),
gre(47),
mhrp(48),
bna(49),
esp(50),
ah(51),
inlsp(52),
swipe(53),
narp(54),
mobile(55),
tlsp(56),
skip(57),
ipv6icmp(58),
ipv6nonxt(59),
ipv6opts(60),
ipproto-61(61),
cftp(62),
local(63),
sat(64),
kryptolan(65),
rvd(66),
ippc(67),
distfs(68),
satmon(69),
visa(70),
ipcv(71),
cpnx(72),
cphb(73),
wsn(74),
pvp(75),
brsatmon(76),
sunnd(77),
wbmon(78),
wbexpak(79),
isoip(80),
vmtp(81),
securevmtp(82),
vines(83),
ttp(84),
nsfnet(85),
dgp(86),
tcf(87),
eigrp(88),
ospfigp(89),
sprite(90),
larp(91),
mtp(92),
ax25(93),
ipwip(94),
micp(95),
scc(96),
etherip(97),
encap(98),
encrypt(99),
gmtp(100),
ifmp(101),
pnni(102),
pim(103),
aris(104),
scps(105),
qnx(106),
an(107),
ippcp(108),
snp(109),
compaq(110),
ipxip(111),
vrrp(112),
pgm(113),
hop0(114),
l2tp(115),
ipproto-116(116),
ipproto-117(117),
ipproto-118(118),
ipproto-119(119),
ipproto-120(120),
ipproto-121(121),
ipproto-122(122),
ipproto-123(123),
ipproto-124(124),
ipproto-125(125),
ipproto-126(126),
ipproto-127(127),
ipproto-128(128),
ipproto-129(129),
ipproto-130(130),
ipproto-131(131),
ipproto-132(132),
ipproto-133(133),
ipproto-134(134),
ipproto-135(135),
ipproto-136(136),
ipproto-137(137),
ipproto-138(138),
ipproto-139(139),
ipproto-140(140),
ipproto-141(141),
ipproto-142(142),
ipproto-143(143),
ipproto-144(144),
ipproto-145(145),
ipproto-146(146),
ipproto-147(147),
ipproto-148(148),
ipproto-149(149),
ipproto-150(150),
ipproto-151(151),
ipproto-152(152),
ipproto-153(153),
ipproto-154(154),
ipproto-155(155),
ipproto-156(156),
ipproto-157(157),
ipproto-158(158),
ipproto-159(159),
ipproto-160(160),
ipproto-161(161),
ipproto-162(162),
ipproto-163(163),
ipproto-164(164),
ipproto-165(165),
ipproto-166(166),
ipproto-167(167),
ipproto-168(168),
ipproto-169(169),
ipproto-170(170),
ipproto-171(171),
ipproto-172(172),
ipproto-173(173),
ipproto-174(174),
ipproto-175(175),
ipproto-176(176),
ipproto-177(177),
ipproto-178(178),
ipproto-179(179),
ipproto-180(180),
ipproto-181(181),
ipproto-182(182),
ipproto-183(183),
ipproto-184(184),
ipproto-185(185),
ipproto-186(186),
ipproto-187(187),
ipproto-188(188),
ipproto-189(189),
ipproto-190(190),
ipproto-191(191),
ipproto-192(192),
ipproto-193(193),
ipproto-194(194),
ipproto-195(195),
ipproto-196(196),
ipproto-197(197),
ipproto-198(198),
ipproto-199(199),
ipproto-200(200),
ipproto-201(201),
ipproto-202(202),
ipproto-203(203),
ipproto-204(204),
ipproto-205(205),
ipproto-206(206),
ipproto-207(207),
ipproto-208(208),
ipproto-209(209),
ipproto-210(210),
ipproto-211(211),
ipproto-212(212),
ipproto-213(213),
ipproto-214(214),
ipproto-215(215),
ipproto-216(216),
ipproto-217(217),
ipproto-218(218),
ipproto-219(219),
ipproto-220(220),
ipproto-221(221),
ipproto-222(222),
ipproto-223(223),
ipproto-224(224),
ipproto-225(225),
ipproto-226(226),
ipproto-227(227),
ipproto-228(228),
ipproto-229(229),
ipproto-230(230),
ipproto-231(231),
ipproto-232(232),
ipproto-233(233),
ipproto-234(234),
ipproto-235(235),
ipproto-236(236),
ipproto-237(237),
ipproto-238(238),
ipproto-239(239),
ipproto-240(240),
ipproto-241(241),
ipproto-242(242),
ipproto-243(243),
ipproto-244(244),
ipproto-245(245),
ipproto-246(246),
ipproto-247(247),
ipproto-248(248),
ipproto-249(249),
ipproto-250(250),
ipproto-251(251),
ipproto-252(252),
ipproto-253(253),
ipproto-254(254),
dont-verify(256)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The transport protocol defined for this entry."
DEFVAL { dont-verify }
::= { ipsecPeerTrafficEntry 11 }
ipsecPeerTrafficPolicy OBJECT-TYPE
SYNTAX INTEGER {
delete(1), -- delete this entry
role-initiator(2), -- P2 initiator mode traffic policy
role-responder(3), -- P2 responder mode traffic policy
both(4) -- P2 initiator as well as responder traffic policy
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether this traffic policy applies to
Phase 2 negotiations in which this side is the initiator, the
responder, or both.
Possible values:
delete(1) -- delete this entry
role-initiator(2) -- P2 initiator mode traffic policy
role-responder(3) -- P2 responder mode traffic policy
both(4) -- P2 initiator as well as responder
traffic policy."
DEFVAL { role-initiator }
::= { ipsecPeerTrafficEntry 12 }
-- End IPSecPeerTraffic Table
END