-- This file is corresponding to Release 9.1.10.101 from 2014/08/11 00:00:00 --------------------------------------------------------------------------- -- (C)opyright 2006-2014 bintec elmeg GmbH -- $RCSfile: mib-ipsec,v $ -- $Revision: 1.39 $ -- $Date: 2014-02-07 11:21:02 $ --------------------------------------------------------------------------- FEC-IPSEC-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, enterprises, IpAddress, TimeTicks, Counter32, snmpModules, mib-2, Unsigned32, Counter64 FROM SNMPv2-SMI DisplayString, TestAndIncr, TimeStamp FROM SNMPv2-TC MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF ipsec, Date, HexValue, BitValue FROM BINTEC-MIB InetAddressIPv6 FROM INET-ADDRESS-MIB; --------------------------------------------------------------------------- ipsecMIB MODULE-IDENTITY LAST-UPDATED "201308120000Z" ORGANIZATION "bintec elmeg GmbH" CONTACT-INFO "EMail: info@bintec-elmeg.com Web: www.bintec-elmeg.com" DESCRIPTION "Vendor specific Management Information for the IPSec Subsystem" ::= { ipsec 250 } --------------------------------------------------------------------------- -- Global IPSec Settings ipsecGlobals OBJECT IDENTIFIER ::= { ipsec 1 } --Static table containing global settings for IPSec ipsecGlobPeerIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Index of first IPsec peer in ipsecPeerTable. If this object is set to a Value <= 0, IPSec is switched explicitly off. If the peer referenced by this object does not exist in the table, all packets will be dropped." ::= { ipsecGlobals 1 } ipsecGlobEnabled OBJECT-TYPE SYNTAX INTEGER { true(1), -- IPSec enabled false(2) -- IPSec disabled } MAX-ACCESS read-write STATUS current DESCRIPTION "Enables/disables IPSec globally." 
DEFVAL { false } ::= { ipsecGlobals 41 } ipsecGlobDefaultAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4) -- Authentication using RSA encryption } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the authentication method used by default. If the ipsecPeerAuthMethod field of an ipsecPeerEntry and the ikePropAuthMethod field of the ikeProposalTableEntry used are set to 'default', this value is assumed. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4) -- Authentication using RSA encryption." ::= { ipsecGlobals 2 } ipsecGlobDefaultCertificate OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the default certificate in the certTable used for local authentication for ike keyed rules with non pre-shared-key authentication. This may be overwritten by the certificate specified for the individual ipsec peers." ::= { ipsecGlobals 3 } ipsecGlobDefaultLocalId OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-only STATUS current DESCRIPTION "The default ID used for local authentication for ike keyed rules. If this is an empty or invalid id string, one of the subject alternative names or the subject name from the default certificate is used. This does not replace an empty local id string for an IPsec peer with a valid certificate. The subject name or one of the subject alternative names from this certificate is used then." ::= { ipsecGlobals 4 } ipsecGlobDefaultIpsecProposal OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Index of default ipsec proposal used for traffic entries with empty ipsec proposal, defined for peers with empty default ipsec proposal."
::= { ipsecGlobals 5 } ipsecGlobDefaultIkeProposal OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Index of default ike proposal used for peers with empty default ike proposal." ::= { ipsecGlobals 6 } ipsecGlobDefaultIpsecLifeTime OBJECT-TYPE SYNTAX INTEGER UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "Index of default lifetime for ike SA's in ipsecLifeTimeTable. This lifetime is used, when there is no valid lifetime entry specified for an IPsec peer entry." ::= { ipsecGlobals 7 } ipsecGlobDefaultIkeLifeTime OBJECT-TYPE SYNTAX INTEGER UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable with the default lifetime settings used for IKE SA's. This lifetime is used whenever there is no valid lifetime entry specified for a peer entry and the IKE proposal used." ::= { ipsecGlobals 8 } ipsecGlobDefaultIkeGroup OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Index of default IKE group used if no IKE group is defined for a peer. Possible values: 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP)." DEFVAL { 1 } ::= { ipsecGlobals 9 } ipsecGlobIkeProfile OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the default IKE (phase 1) profile to use." DEFVAL { 0 } ::= { ipsecGlobals 39 } ipsecGlobIpsecProfile OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the default IPSec (phase 2) profile to use." DEFVAL { 0 } ::= { ipsecGlobals 40 } ipsecGlobMaxSysLogLevel OBJECT-TYPE SYNTAX INTEGER { emerg(1), alert(2), crit(3), err(4), warning(5), notice(6), info(7), debug(8) } MAX-ACCESS read-write STATUS current DESCRIPTION "Maximum level for syslog messages issued by IPSec. All messages with a level higher than this value are suppressed, independently from other global syslog level settings. 
Possible settings: emerg(1), alert(2), crit(3), err(4), warning(5), notice(6), info(7), debug(8)." DEFVAL { debug } ::= { ipsecGlobals 10 } ipsecGlobDefaultGranularity OBJECT-TYPE SYNTAX INTEGER { coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the default granularity used for IPSEC SA negotiation. Possible values: coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host." DEFVAL { coarse } ::= { ipsecGlobals 11 } ipsecGlobDefaultPh1Mode OBJECT-TYPE SYNTAX INTEGER { id-protect(1), -- Use identity protection (main) mode aggressive(2) -- Use aggressive mode } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the default exchange mode used for IKE SA negotiation. Possible values: id-protect(1), -- Use identity protection (main) mode aggressive(2) -- Use aggressive mode." DEFVAL { id-protect } ::= { ipsecGlobals 12 } ipsecGlobDefaultPfsGroup OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the PFS group to use. PFS is done only for phase 2, i.e. the Phase 1 SAs are not deleted after phase 2 negotiation is completed. Note however, that if the peer has configured PFS for identity and destroys phase 1 SAs, this side will also destroy them when notified. Possible values: 0 (no PFS) 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP)." ::= { ipsecGlobals 13 } ipsecGlobIkePort OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the port the IKE key management service listens to." 
DEFVAL { 500 } ::= { ipsecGlobals 20 } ipsecGlobMaxRetries OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the maximum number of retries sent by IKE for one message." DEFVAL { 10 } ::= { ipsecGlobals 21 } ipsecGlobRetryTimeout0milli OBJECT-TYPE SYNTAX INTEGER UNITS "milliseconds" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the period of time in milliseconds before an IKE message is repeated for the first time if the answer is missing. After each retry, this timeout is increased up to the value specified in ipsecGlobRetryTimeoutMaxsec." DEFVAL { 500 } ::= { ipsecGlobals 22 } ipsecGlobRetryTimeoutMaxsec OBJECT-TYPE SYNTAX INTEGER UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the maximum period of time in seconds before an IKE message is repeated if the answer is missing. The retry timeout is not increased beyond this limit." DEFVAL { 30 } ::= { ipsecGlobals 23 } ipsecGlobMaxNegotiationTimeoutsec OBJECT-TYPE SYNTAX INTEGER UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the maximum number of seconds after which a negotiation is canceled if it is not finished." DEFVAL { 300 } ::= { ipsecGlobals 24 } ipsecGlobMaxIkeSas OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the maximum number of simultaneous ISAKMP Security associations allowed. If this limit is reached, the entries are removed from the database, starting with the ones that will expire very soon. If that is not enough, the entries are deleted in reverse LRU order." DEFVAL { 512 } ::= { ipsecGlobals 25 } ipsecGlobIgnoreCrPayloads OBJECT-TYPE SYNTAX INTEGER { true(1), -- ignore all certificate requests false(2) -- process certificate request payloads } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether certificate request payloads should be ignored by IKE. 
Possible values: true(1), -- ignore all certificate requests false(2) -- process certificate request payloads." DEFVAL { false } ::= { ipsecGlobals 29 } ipsecGlobNoCrPayloads OBJECT-TYPE SYNTAX INTEGER { true(1), -- suppress certificate requests false(2) -- send certificate requests } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether IKE should suppress certificate requests. Possible values: true(1), -- suppress certificate requests false(2) -- send certificate requests." DEFVAL { false } ::= { ipsecGlobals 30 } ipsecGlobNoKeyHashPayloads OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not send key hash payloads false(2) -- send key hash payloads } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether IKE should suppress key hash payloads. Possible values: true(1), -- suppress key hash payloads false(2) -- send key hash payloads." DEFVAL { false } ::= { ipsecGlobals 31 } ipsecGlobNoCrls OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not send certificate revocation lists false(2) -- send certificate revocation lists } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether IKE should send certificate revocation lists. Possible values: true(1), -- do not send certificate revocation lists false(2) -- send certificate revocation lists." DEFVAL { true } ::= { ipsecGlobals 32 } ipsecGlobSendFullCertChains OBJECT-TYPE SYNTAX INTEGER { true(1), -- send full certificate chains false(2) -- do not send full certificate chains } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether IKE should send full certificate chains. Possible values: true(1), -- send full certificate chains false(2) -- do not send full certificate chains." 
DEFVAL { true } ::= { ipsecGlobals 33 } ipsecGlobTrustIcmpMsg OBJECT-TYPE SYNTAX INTEGER { true(1), -- trust ICMP messages false(2) -- do not trust ICMP messages } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether IKE should trust icmp port and host unreachable error messages. ICMP port and host unreachable messages are only trusted if there have not yet been received any datagrams from the remote host in this negotiation. This means, if the local side receives an ICMP port or host unreachable message as the first response to the initial packet of a new phase 1 negotiation, it cancels the negotiation immediately. Possible values: true(1), -- trust ICMP messages false(2) -- do not trust ICMP messages." DEFVAL { false } ::= { ipsecGlobals 34 } ipsecGlobSpiSize OBJECT-TYPE SYNTAX INTEGER UNITS "bytes" MAX-ACCESS read-write STATUS current DESCRIPTION "A compatibility flag that specifies the length of the SPI in bytes, which is used when an ISAKMP SA SPI (Cookie) is sent to the remote peer. This field takes effect only if ipsecGlobZeroIsakmpCookies is true." DEFVAL { 32 } ::= { ipsecGlobals 35 } ipsecGlobZeroIsakmpCookies OBJECT-TYPE SYNTAX INTEGER { true(1), -- send zero cookies in ISAKMP messages false(2) -- send ISAKMP cookies } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether zeroed ISAKMP cookies should be sent. Possible Values: true(1), -- send zero cookies in ISAKMP messages false(2) -- send ISAKMP cookies." DEFVAL { false } ::= { ipsecGlobals 36 } ipsecGlobMaxKeyLength OBJECT-TYPE SYNTAX INTEGER UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the maximum length of an encryption key (in bits) that is accepted from the remote end. This limit prevents denial of service attacks where the attacker asks for a huge key for an encryption algorithm that allows variable length keys." 
DEFVAL { 1024 } ::= { ipsecGlobals 37 } ipsecGlobNoInitialContact OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not send initial contact messages false(2) -- send initial contact messages if appropriate } MAX-ACCESS read-write STATUS current DESCRIPTION "Do not send IKE initial contact messages in IKE negotiations even if no SA's exist with a peer. Possible values: true(1), -- do not send initial contact messages false(2) -- send initial contact messages if appropriate." DEFVAL { false } ::= { ipsecGlobals 38 } ipsecGlobBlockTimeout OBJECT-TYPE SYNTAX INTEGER (1..3600) UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "For peers with nonzero block time, the value of this object is used instead of ipsecGlobMaxNegotiationTimeoutsec." DEFVAL { 15 } ::= { ipsecGlobals 42 } ipsecGlobDPDIdleThreshold OBJECT-TYPE SYNTAX INTEGER (1..3600) UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "The minimum idle time period after which a DPD request is sent." DEFVAL { 15 } ::= { ipsecGlobals 43 } ipsecGlobDPDMaxRetries OBJECT-TYPE SYNTAX INTEGER (1..10) MAX-ACCESS read-write STATUS current DESCRIPTION "The number of DPD retries sent before a peer is considered dead." DEFVAL { 3 } ::= { ipsecGlobals 44 } ipsecGlobDPDRetryTimeout OBJECT-TYPE SYNTAX INTEGER (1..10) UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "The number of seconds between DPD retries." DEFVAL { 2 } ::= { ipsecGlobals 45 } ipsecGlobIkev2Enabled OBJECT-TYPE SYNTAX INTEGER { true(1), -- IKEv2 enabled false(2) -- IKEv2 disabled } MAX-ACCESS read-write STATUS current DESCRIPTION "Enables/disables IKEv2 globally."
DEFVAL { true } ::= { ipsecGlobals 46 } -- End Global IPSec Settings -- Second Table With Global IPSec Settings ipsecGlobalsContinued OBJECT IDENTIFIER ::= { ipsec 11 } -- Second static table containing global settings for IPSec ipsecGlobContPreIpsecRules OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies an index in the IPsec traffic table containing a list of traffic definitions which has to be considered prior to the traffic lists of the IPSec peers in IPSec traffic processing. It may contain either pass or drop entries (protect entries are ignored, if erroneously configured)." DEFVAL { 0 } ::= { ipsecGlobalsContinued 1 } ipsecGlobContPostIpsecRules OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies an index in the IPsec traffic table containing a list of traffic definitions which has to be considered after the traffic lists of the IPSec peers in IPSec traffic processing. It may contain either pass or drop entries (protect entries are ignored, if erroneously configured)." DEFVAL { 0 } ::= { ipsecGlobalsContinued 11 } ipsecGlobContDefaultRule OBJECT-TYPE SYNTAX INTEGER { drop(1), -- drop all packets pass(2) -- allow all packets pass plain } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies how to treat packets which do not match any entry in the traffic lists of the active peers or the pre-and post IPSec rules. Possible values: drop(1), -- drop all packets pass(2) -- allow all packets pass plain." DEFVAL { drop } ::= { ipsecGlobalsContinued 2 } ipsecGlobContUse32BitCpi OBJECT-TYPE SYNTAX INTEGER { true(1), -- send CPI as 32 bit numbers false(2) -- send CPI as 16 bit numbers } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether the CPI values in IKE IPComP negotiations should be sent as 16 bit numbers. Possible values: true(1), -- send CPI as 32 bit numbers false(2) -- send CPI as 16 bit numbers." 
DEFVAL { false } ::= { ipsecGlobalsContinued 4 } ipsecGlobContNoWellKnownCpis OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not use the well known cpi values false(2) -- use the well known cpi values } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether the well known CPI values should be used in IKE IPComP negotiations. If set to true, IKE will allocate random CPI values from the negotiable range 256-61439. Possible values: true(1), -- do not use the well known cpi values false(2) -- use the well known cpi values." DEFVAL { false } ::= { ipsecGlobalsContinued 5 } ipsecGlobContNoPmtuDiscovery OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not perform PMTU discovery false(2) -- perform PMTU discovery } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the default PMTU discovery policy if the ipsecPeerPmtuDiscovery flag is set to default. Possible values: true(1), -- do not perform PMTU discovery false(2) -- perform PMTU discovery." DEFVAL { true } ::= { ipsecGlobalsContinued 7 } ipsecGlobContDefaultPmtuTtl OBJECT-TYPE SYNTAX INTEGER UNITS "minutes" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the time-to-live (in minutes) of a PMTU value derived from an ICMP PMTU message received for an IPSec packet. After this time, the MTU is increased step-by-step using the values from RFC 1191 until a new ICMP PMTU message is received. A TTL value of 0 means infinite." DEFVAL { 10 } ::= { ipsecGlobalsContinued 8 } ipsecGlobContPrivateInterface OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the index of the system's private interface. If the private interface is set (i.e. non-negative), certain address spoofing attacks are made impossible from IPSec itself."
DEFVAL { -1 } ::= { ipsecGlobalsContinued 9 } ipsecGlobContSaSyncInterface OBJECT-TYPE SYNTAX INTEGER { true(1), -- delete SAs false(2) -- do not delete SAs } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether IKE and IPSec SA's should be deleted if the interface over which the packets are initially sent is going down or dormant. Possible values: true(1), -- delete SAs false(2) -- do not delete SAs." DEFVAL { false } ::= { ipsecGlobalsContinued 10 } ipsecGlobContDefaultPfsIdentity OBJECT-TYPE SYNTAX INTEGER { true(1), -- delete phase 1 SAs false(2) -- do not delete phase 1 SAs } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether IKE SA's should be deleted immediately after a phase 2 (IPSec-) SA pair has been negotiated. It may be overridden by the individual settings for a peer entry, if the ipsecPeerPfsIdentity is not set to 'default'. The consequence of enabling this feature is that before each phase 2 negotiation there always has to be a phase 1 negotiation. Thus individual phase 2 SAs cannot be associated with one another or, respectively, if the identity of a remote peer is known to an eavesdropper for one SA, he cannot conclude that the next SA is negotiated with the same remote peer. Note: Setting this flag only makes sense if configured together with id-protect mode or RSA encryption for authentication and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses). Possible values: true(1), -- delete phase 1 SAs false(2) -- do not delete phase 1 SAs." DEFVAL { false } ::= { ipsecGlobalsContinued 12 } ipsecGlobContPfsIdentityDelay OBJECT-TYPE SYNTAX INTEGER UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the number of seconds to wait before deleting the underlying phase 1 SA after a Phase 2 SA has been established, if PFS for identity is configured."
DEFVAL { 8 } ::= { ipsecGlobalsContinued 15 } ipsecGlobContIkeLoggingLevel OBJECT-TYPE SYNTAX INTEGER (0..127) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the IKE logging level. IKE log messages are output as syslog messages on level debug. Note that the global syslog table level must be set to debug in order to see these messages. Possible values: 0: no IKE log messages ... 3: IKE error output ... 6: IKE trace output ... 9: IKE detailed results output 10 ...: hexdumps of IKE messages." DEFVAL { 0 } ::= { ipsecGlobalsContinued 13 } ipsecGlobContHeartbeatDefault OBJECT-TYPE SYNTAX INTEGER { none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4) -- send and expect heartbeats } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies whether heartbeats should be sent over phase 1 SAs (not used for IPv6). Possible values: none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4) -- send and expect heartbeats." DEFVAL { none } ::= { ipsecGlobalsContinued 16 } ipsecGlobContHeartbeatInterval OBJECT-TYPE SYNTAX INTEGER (1..900) UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the time interval in seconds between heartbeats. At this rate heartbeats are sent and/or expected if configured (not used for IPv6)." DEFVAL { 5 } ::= { ipsecGlobalsContinued 17 } ipsecGlobContHeartbeatTolerance OBJECT-TYPE SYNTAX INTEGER (1..900) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the maximum number of missing heartbeats allowed before an SA is discarded (not used for IPv6)." 
DEFVAL { 4 } ::= { ipsecGlobalsContinued 18 } ipsecGlobContDialBlockTime OBJECT-TYPE SYNTAX INTEGER (-1..43200) UNITS "minutes" MAX-ACCESS read-write STATUS current DESCRIPTION "Amount of time in minutes that an ipsecDial entry remains in state blocked-for-outgoing after a cost producing trigger call was detected. The given value denotes time in minutes. The special value -1 means to block the entry until it is unblocked manually by deactivating the entry and reactivating it afterwards. Default value is -1." DEFVAL { -1 } ::= { ipsecGlobalsContinued 14 } ipsecGlobContObsoleteFeatureMask OBJECT-TYPE SYNTAX BitValue MAX-ACCESS read-write STATUS current DESCRIPTION "Some obsolete features are represented by a bit in this mask and can be re-enabled for testing or compatibility purposes. A mask-bit of 1 enables the appropriate (obsolete) feature. A mask-bit of 0 disables the appropriate feature completely. Bit Feature 0x00000001: re-enable delayed apf-graph-node-memory free 0x00000002: tbd. The default value is 0 - all obsolete features are disabled. Do not change this default value unless really necessary." DEFVAL { 0 } ::= { ipsecGlobalsContinued 66 } ipsecGlobContP1Always OBJECT-TYPE SYNTAX INTEGER { enabled (1), -- always rekey phase 1 if phase 2 is rekeyed disabled (2) -- rekey phase 1 only if necessary } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether a phase 1 rekeying is always done immediately before phase 2 rekeying. Note this is different from PFS for identity because the latter discards the phase 1 SA immediately after phase 2 establishment. This feature is mainly a compatibility flag for some non-standard implementations which always expect a phase 1 SA if a phase 2 SA exists. Please also select a longer lifetime for phase 1 than for phase 2 in that case."
DEFVAL { disabled } ::= { ipsecGlobalsContinued 69 } ipsecGlobContHwAccel OBJECT-TYPE SYNTAX INTEGER { yes (1), no (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Enables/disables usage of encryption engine." DEFVAL { yes } ::= { ipsecGlobalsContinued 70 } ipsecGlobContSupportVarKeyLength4Twofish OBJECT-TYPE SYNTAX INTEGER { yes (1), no (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Enables/disables support of variable key sizes for the Twofish algorithm. Note that the Twofish related settings within the ipsecAlgorithmTable will be synchronized accordingly. If set to no (2) the system will act in the backward compatibility mode. This setting might be necessary in some dedicated cases in order to avoid IKE negotiation problems." DEFVAL { yes } ::= { ipsecGlobalsContinued 71 } ipsecGlobContIkev2Profile OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the default IKE_SA profile to use (only for IKEv2). If set to 0 no profile is configured as default." DEFVAL { 0 } ::= { ipsecGlobalsContinued 72 } ipsecGlobContMaxIkev2Sas OBJECT-TYPE SYNTAX INTEGER (1..100000) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the maximum number of simultaneous IKEv2 Security associations allowed. If this limit is reached, the entries are removed from the database, starting with the ones that will expire very soon. If that is not enough, the entries are deleted in reverse LRU order." DEFVAL { 512 } ::= { ipsecGlobalsContinued 73 } ipsecGlobContPathFinder OBJECT-TYPE SYNTAX INTEGER { enabled (1), disabled (2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Enables/disables the IPSec pathfinder mode, that means all the traffic (IKE, ESP and AH) is embedded within a pseudo HTTPS session between the peers (similar to the NAT-T mode)." 
DEFVAL { disabled } ::= { ipsecGlobalsContinued 74 } ipsecGlobContXauthTimeout OBJECT-TYPE SYNTAX INTEGER (10..600) UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "If an extended authentication is requested, this is the time (in seconds) the device will wait for response. A useful value is important when username and password are entered manually by the user." DEFVAL { 120 } ::= { ipsecGlobalsContinued 75 } -- End Second Table With Global IPSec Settings -- IPSec RADIUS settings Table ipsecRadius OBJECT IDENTIFIER ::= { ipsec 13 } -- Table with RADIUS settings for IPSec ipsecRadiusPresetState OBJECT-TYPE SYNTAX INTEGER { not-loaded(1), -- RADIUS preset peers are not loaded loading(2), -- RADIUS preset peers are currently loaded loaded(3), -- RADIUS preset peers have been loaded reloading(4) -- RADIUS preset peers are currently reloaded } MAX-ACCESS read-only STATUS current DESCRIPTION "This object shows the status of the RADIUS preset peers load process." DEFVAL { not-loaded } ::= { ipsecRadius 1 } ipsecRadiusPresetPeers OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS preset peers currently loaded." ::= { ipsecRadius 2 } ipsecRadiusDynamicAuthentication OBJECT-TYPE SYNTAX INTEGER { enabled(1), -- dynamic authentication via RADIUS enabled disabled(2) -- dynamic authentication via RADIUS disabled } MAX-ACCESS read-write STATUS current DESCRIPTION "This object enables/disables dynamic authentication via RADIUS. If no peer has been found matching an incoming IKE negotiation, the configured RADIUS servers are consulted (if any)." DEFVAL { disabled } ::= { ipsecRadius 3 } -- End global IPSec Radius settings -- IPSec Security Associations Table ipsecSaTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of currently active IPSec security associations." 
::= { ipsec 3 } ipsecSaEntry OBJECT-TYPE SYNTAX IpsecSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains an IPSec security association." INDEX { ipsecSaSecProto, ipsecSaSpi } ::= { ipsecSaTable 1 } IpsecSaEntry ::= SEQUENCE { ipsecSaIndex INTEGER, ipsecSaState INTEGER, ipsecSaDir INTEGER, ipsecSaMode INTEGER, ipsecSaSecProto INTEGER, ipsecSaSpi HexValue, ipsecSaAuthAlg INTEGER, ipsecSaEncAlg INTEGER, ipsecSaCompAlg INTEGER, ipsecSaAuthKeyLen INTEGER, ipsecSaEncKeyLen INTEGER, ipsecSaReplayErrors INTEGER, ipsecSaRecvErrors INTEGER, ipsecSaDecryptErrors INTEGER, ipsecSaBundle INTEGER, ipsecSaBundleNesting INTEGER, ipsecSaSpiSize INTEGER, ipsecSaEncKey OCTET STRING, ipsecSaAuthKey OCTET STRING, ipsecSaIkeMajVersion INTEGER, ipsecSaIkeMinVersion INTEGER } ipsecSaIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "A unique index for this entry." ::= { ipsecSaEntry 1 } ipsecSaState OBJECT-TYPE SYNTAX INTEGER { expired(2), -- The SA is expired and will not be rekeyed negotiating(4), -- This SA is currently negotiated established(5) -- The SA is alive and will eventually be rekeyed } MAX-ACCESS read-only STATUS current DESCRIPTION "The current state of the security association Possible values: alive(1), -- The SA is alive expired(2), -- The SA is expired negotiating(4),-- This SA is currently negotiated established(5) -- The SA is alive and will eventually be rekeyed." DEFVAL { negotiating } ::= { ipsecSaEntry 3 } ipsecSaDir OBJECT-TYPE SYNTAX INTEGER { inbound(1), -- An inbound security association outbound(2) -- An outbound security association } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies whether the SA is used for inbound or outbound processing. Possible values: inbound(1), -- An inbound security association outbound(2) -- An outbound security association." 
::= { ipsecSaEntry 5 } ipsecSaMode OBJECT-TYPE SYNTAX INTEGER { tunnel(1), -- A tunnel mode SA transport(2) -- A transport mode SA } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies whether the SA is in tunnel or transport mode. Possible values: tunnel(1), -- A tunnel mode SA transport(2) -- A transport mode SA." ::= { ipsecSaEntry 6 } ipsecSaSecProto OBJECT-TYPE SYNTAX INTEGER { esp(50), -- Encapsulating Security Payload ah(51), -- Authentication Header ipcomp(108) -- Internet Payload Compression Protocol } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the security protocol applied by this SA. Possible values: esp(50), -- Encapsulating Security Payload ah(51), -- Authentication Header ipcomp(108) -- Internet Payload Compression Protocol." ::= { ipsecSaEntry 7 } ipsecSaSpi OBJECT-TYPE SYNTAX HexValue MAX-ACCESS read-only STATUS current DESCRIPTION "The Security Parameters Index of this SA." ::= { ipsecSaEntry 17 } ipsecSaAuthAlg OBJECT-TYPE SYNTAX INTEGER { none(2), -- No hash algorithm md5-96(4), -- The MD5 hash algorithm sha1-96(6) -- The Secure Hash Algorithm } MAX-ACCESS read-only STATUS current DESCRIPTION "The hash algorithm used, if any. Possible Values: none(2), -- No hash algorithm applied md5-96(4), -- The MD5 hash algorithm sha1-96(6) -- The Secure Hash Algorithm." ::= { ipsecSaEntry 18 } ipsecSaEncAlg OBJECT-TYPE SYNTAX INTEGER { none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4), -- Blowfish in CBC mode cast128-cbc(5), -- CAST with 128 bit key in CBC mode twofish-cbc(6), -- Twofish in CBC mode aes-cbc(7) -- AES in CBC mode } MAX-ACCESS read-only STATUS current DESCRIPTION "The encryption algorithm used, if any. 
Possible Values: none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4), -- Blowfish in CBC mode cast128-cbc(5), -- CAST with 128 bit key in CBC mode twofish-cbc(6), -- Twofish in CBC mode aes-cbc(7) -- AES in CBC mode." ::= { ipsecSaEntry 19 } ipsecSaCompAlg OBJECT-TYPE SYNTAX INTEGER { none(2), -- No compression deflate(3) -- DEFLATE compression algorithm } MAX-ACCESS read-only STATUS current DESCRIPTION "The compression algorithm used, if any. Possible Values: none(1), -- No compression deflate(2) -- DEFLATE compression algorithm." DEFVAL { none } ::= { ipsecSaEntry 20 } ipsecSaAuthKeyLen OBJECT-TYPE SYNTAX INTEGER UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The length in bytes of the key used for authentication, if any." ::= { ipsecSaEntry 21 } ipsecSaEncKeyLen OBJECT-TYPE SYNTAX INTEGER UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The length in bytes of the key used for encryption, if any." ::= { ipsecSaEntry 22 } ipsecSaReplayErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of replayed packets detected for this SA." ::= { ipsecSaEntry 33 } ipsecSaRecvErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of receive errors (replayed packets not counted) detected for this SA." ::= { ipsecSaEntry 34 } ipsecSaDecryptErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of decryption errors (ESP only) detected for this SA." ::= { ipsecSaEntry 35 } ipsecSaBundle OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "unique id of SA-bundle within this SA is used." ::= { ipsecSaEntry 39 } ipsecSaBundleNesting OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "place of SA within SA-Bundle." 
::= { ipsecSaEntry 40 } ipsecSaSpiSize OBJECT-TYPE SYNTAX INTEGER UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The size of the SPI in bytes." ::= { ipsecSaEntry 45 } ipsecSaEncKey OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS not-accessible STATUS current DESCRIPTION "The encryption key of this SA. This is secret key material: it is declared not-accessible so that it can be neither read nor written through SNMP, and it must stay that way in future revisions." ::= { ipsecSaEntry 64 } ipsecSaAuthKey OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS not-accessible STATUS current DESCRIPTION "The authentication (integrity) key of this SA. This is secret key material: it is declared not-accessible so that it can be neither read nor written through SNMP, and it must stay that way in future revisions." ::= { ipsecSaEntry 65 } ipsecSaIkeMajVersion OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The IKE major version number." DEFVAL { 1 } ::= { ipsecSaEntry 66 } ipsecSaIkeMinVersion OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The IKE minor version number." DEFVAL { 0 } ::= { ipsecSaEntry 67 } -- End IPSec Security Associations Table -- IPSec SA Bundle Table ipsecBundleTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecBundleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of currently active IPSec SA bundles. A bundle groups the SAs negotiated for one peer and traffic entry (see ipsecBundleNumSas, ipsecBundlePeerIndex and ipsecBundleTrafficIndex); the individual SAs are listed in the ipsecSaTable." ::= { ipsec 16 } ipsecBundleEntry OBJECT-TYPE SYNTAX IpsecBundleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains one IPSec SA bundle." 
INDEX { ipsecBundleIndex } ::= { ipsecBundleTable 1 } IpsecBundleEntry ::= SEQUENCE { ipsecBundleIndex INTEGER, ipsecBundlePeerIndex INTEGER, ipsecBundleTrafficIndex INTEGER, ipsecBundleState INTEGER, ipsecBundleNumSas INTEGER, ipsecBundleRole INTEGER, ipsecBundleRekeyedBundle INTEGER, ipsecBundleRekeyingBundle INTEGER, ipsecBundleLastStateChange TimeTicks, ipsecBundleHeartbeatsEnabled INTEGER, ipsecBundleCreator INTEGER, ipsecBundleTunnelLocal IpAddress, ipsecBundleTunnelRemote IpAddress, ipsecBundlePmtuDiscovery INTEGER, ipsecBundleKeepAlive INTEGER, ipsecBundleVerifyPad INTEGER, ipsecBundleLifeSeconds Unsigned32, ipsecBundleLifeKBytes Unsigned32, ipsecBundleRekeySeconds INTEGER, ipsecBundleRekeyKBytes INTEGER, ipsecBundleProto INTEGER, ipsecBundleLocalAddress IpAddress, ipsecBundleLocalMaskLen INTEGER, ipsecBundleLocalRange IpAddress, ipsecBundleLocalPort INTEGER, ipsecBundleRemoteAddress IpAddress, ipsecBundleRemoteMaskLen INTEGER, ipsecBundleRemoteRange IpAddress, ipsecBundleRemotePort INTEGER, ipsecBundleInPkt Counter64, ipsecBundleInHb Counter64, ipsecBundleInBytes Counter64, ipsecBundleInBytesNetto Counter64, ipsecBundleOutPkt Counter64, ipsecBundleOutHb Counter64, ipsecBundleOutBytes Counter64, ipsecBundleOutBytesNetto Counter64, ipsecBundleNatT INTEGER, ipsecBundleNatOaLocal IpAddress, ipsecBundleNatOaRemote IpAddress, ipsecBundleIkeMajVersion INTEGER, ipsecBundleIkeMinVersion INTEGER } ipsecBundleIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "A unique index for this entry." ::= { ipsecBundleEntry 1 } ipsecBundlePeerIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the peer for which this bundle was created." ::= { ipsecBundleEntry 5 } ipsecBundleTrafficIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the traffic entry for which this bundle was created." 
::= { ipsecBundleEntry 6 } ipsecBundleState OBJECT-TYPE SYNTAX INTEGER { established(1), -- The bundle is alive expired(2), -- The bundle is expired delete (3), -- Mark this bundle for deletion negotiating(4), -- This bundle is currently negotiated rekeyed(5), -- Rekeying of bundle succeeded heartbeat-lost(6), -- Heartbeat receive timeout failed(7) -- The negotiation failed } MAX-ACCESS read-write STATUS current DESCRIPTION "The current state of the bundle. Possible values: established(1), -- The bundle is alive expired(2), -- The bundle is expired delete (3), -- Mark this bundle for deletion negotiating(4), -- This bundle is currently negotiated rekeyed(5), -- Rekeying of bundle succeeded heartbeat-lost(6), -- Heartbeat receive timeout failed(7) -- The negotiation failed. Note: this object is writable. A manager that sets it to delete(3) marks the bundle for deletion, i.e. can tear down an active tunnel, so SNMP write access to this MIB must be restricted to trusted management stations." DEFVAL { negotiating } ::= { ipsecBundleEntry 7 } ipsecBundleNumSas OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of SAs contained in this bundle." ::= { ipsecBundleEntry 8 } ipsecBundleRole OBJECT-TYPE SYNTAX INTEGER { initiator(1), -- this end initiated the negotiation responder(2) -- the remote end initiated the negotiation } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies by which side the SA bundle negotiation was initiated. Possible values: initiator(1), -- this end initiated the negotiation responder(2) -- the remote end initiated the negotiation." ::= { ipsecBundleEntry 9 } ipsecBundleRekeyedBundle OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Upon rekeying, the ipsecBundleIndex of the (older) bundle that this bundle is going to replace." ::= { ipsecBundleEntry 10 } ipsecBundleRekeyingBundle OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Upon rekeying, the ipsecBundleIndex of the (newer) bundle that is going to replace this bundle." 
::= { ipsecBundleEntry 11 } ipsecBundleLastStateChange OBJECT-TYPE SYNTAX TimeTicks MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime (time ticks since system start) at which the state of this bundle entry last changed. To determine how long ago that was, subtract this value from the current sysUpTime (not the other way round, which would yield a negative number)." ::= { ipsecBundleEntry 12 } ipsecBundleHeartbeatsEnabled OBJECT-TYPE SYNTAX INTEGER { none(1), -- neither sending nor expecting heartbeats expect(2), -- expecting heartbeats send(3), -- sending heartbeats both(4) -- sending and expecting heartbeats } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies whether heartbeats are sent and/or expected over this bundle. Possible values: none(1), -- neither sending nor expecting heartbeats expect(2), -- expecting heartbeats send(3), -- sending heartbeats both(4) -- sending and expecting heartbeats. Note: the numeric encoding differs from ikeSaHeartbeatsEnabled (where send is 1 and none is 4); do not compare the raw values of the two objects." ::= { ipsecBundleEntry 13 } ipsecBundleCreator OBJECT-TYPE SYNTAX INTEGER { manual(1), -- A manually keyed IPSec SA bundle ike(2) -- An automatically keyed SA bundle created by IKE } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies how the SA bundle was created. Possible values: manual(1), -- A manually keyed IPSec SA bundle ike(2) -- An automatically keyed SA bundle created by IKE." ::= { ipsecBundleEntry 14 } ipsecBundleTunnelLocal OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The local IP address of the outer packet header. For transport mode bundles this address is the same as the ipsecBundleLocalAddress." ::= { ipsecBundleEntry 15 } ipsecBundleTunnelRemote OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The remote IP address of the outer packet header. For transport mode bundles, this address is the same as the ipsecBundleRemoteAddress." 
::= { ipsecBundleEntry 16 } ipsecBundlePmtuDiscovery OBJECT-TYPE SYNTAX INTEGER { enabled(2), -- copy DF bit from original packet; propagate PMTU disabled(1) -- clear DF bit in IPSec packet; -- fragment if necessary } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the initialization of the DF bit in outgoing IPSec packets for this bundle. It decides whether PMTU discovery is propagated over the IPSec tunnel or not. Possible values: enabled(2), -- copy DF bit from original packet; propagate PMTU disabled(1) -- clear DF bit in IPSec packet; -- fragment if necessary. Note: the SYNTAX clause encodes enabled as 2 and disabled as 1, the reverse of every other enabled/disabled object in this MIB. The numeric values in the SYNTAX clause are the ones a MIB compiler will use; verify the mapping against a live agent before relying on it." ::= { ipsecBundleEntry 17 } ipsecBundleKeepAlive OBJECT-TYPE SYNTAX INTEGER { true(1), -- rekey even if no traffic was processed by this bundle false(2) -- rekey only if at least one packet was processed } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the circumstances under which this SA bundle will be rekeyed. Possible values: true(1), -- rekey even if no traffic was processed false(2) -- rekey only if at least one packet was processed." ::= { ipsecBundleEntry 18 } ipsecBundleVerifyPad OBJECT-TYPE SYNTAX INTEGER { true(1), -- normal, self-describing ESP padding false(2) -- old style ESP padding } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the kind of padding expected for ESP SAs within this bundle. Possible values: true(1), -- normal, self-describing ESP padding false(2) -- old style ESP padding." ::= { ipsecBundleEntry 19 } ipsecBundleLifeSeconds OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The period in seconds after which this bundle will be destroyed." ::= { ipsecBundleEntry 20 } ipsecBundleLifeKBytes OBJECT-TYPE SYNTAX Unsigned32 UNITS "kilo bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of data allowed to be protected by this bundle until it is destroyed (compared against ipsecBundleInBytes or ipsecBundleOutBytes)." 
::= { ipsecBundleEntry 21 } ipsecBundleRekeySeconds OBJECT-TYPE SYNTAX INTEGER UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The period in seconds after which this bundle will be rekeyed." ::= { ipsecBundleEntry 22 } ipsecBundleRekeyKBytes OBJECT-TYPE SYNTAX INTEGER UNITS "kilo bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of data allowed to be protected by this bundle until it is rekeyed (ipsecBundleOutBytes or ipecBundleOutBytes)." ::= { ipsecBundleEntry 23 } ipsecBundleProto OBJECT-TYPE SYNTAX INTEGER { icmp(1), igmp(2), ggp(3), ipip(4), st(5), tcp(6), cbt(7), egp(8), igp(9), bbn(10), nvp(11), pup(12), argus(13), emcon(14), xnet(15), chaos(16), udp(17), mux(18), dcn(19), hmp(20), prm(21), xns(22), trunk1(23), trunk2(24), leaf1(25), leaf2(26), rdp(27), irtp(28), isotp4(29), netblt(30), mfe(31), merit(32), sep(33), pc3(34), idpr(35), xtp(36), ddp(37), idprc(38), tp(39), il(40), ipv6(41), sdrp(42), ipv6route(43), ipv6frag(44), idrp(45), rsvp(46), gre(47), mhrp(48), bna(49), esp(50), ah(51), inlsp(52), swipe(53), narp(54), mobile(55), tlsp(56), skip(57), ipv6icmp(58), ipv6nonxt(59), ipv6opts(60), ipproto-61(61), cftp(62), local(63), sat(64), kryptolan(65), rvd(66), ippc(67), distfs(68), satmon(69), visa(70), ipcv(71), cpnx(72), cphb(73), wsn(74), pvp(75), brsatmon(76), sunnd(77), wbmon(78), wbexpak(79), isoip(80), vmtp(81), securevmtp(82), vines(83), ttp(84), nsfnet(85), dgp(86), tcf(87), eigrp(88), ospfigp(89), sprite(90), larp(91), mtp(92), ax25(93), ipwip(94), micp(95), scc(96), etherip(97), encap(98), encrypt(99), gmtp(100), ifmp(101), pnni(102), pim(103), aris(104), scps(105), qnx(106), an(107), ippcp(108), snp(109), compaq(110), ipxip(111), vrrp(112), pgm(113), hop0(114), l2tp(115), ipproto-116(116), ipproto-117(117), ipproto-118(118), ipproto-119(119), ipproto-120(120), ipproto-121(121), ipproto-122(122), ipproto-123(123), ipproto-124(124), ipproto-125(125), ipproto-126(126), ipproto-127(127), ipproto-128(128), 
ipproto-129(129), ipproto-130(130), ipproto-131(131), ipproto-132(132), ipproto-133(133), ipproto-134(134), ipproto-135(135), ipproto-136(136), ipproto-137(137), ipproto-138(138), ipproto-139(139), ipproto-140(140), ipproto-141(141), ipproto-142(142), ipproto-143(143), ipproto-144(144), ipproto-145(145), ipproto-146(146), ipproto-147(147), ipproto-148(148), ipproto-149(149), ipproto-150(150), ipproto-151(151), ipproto-152(152), ipproto-153(153), ipproto-154(154), ipproto-155(155), ipproto-156(156), ipproto-157(157), ipproto-158(158), ipproto-159(159), ipproto-160(160), ipproto-161(161), ipproto-162(162), ipproto-163(163), ipproto-164(164), ipproto-165(165), ipproto-166(166), ipproto-167(167), ipproto-168(168), ipproto-169(169), ipproto-170(170), ipproto-171(171), ipproto-172(172), ipproto-173(173), ipproto-174(174), ipproto-175(175), ipproto-176(176), ipproto-177(177), ipproto-178(178), ipproto-179(179), ipproto-180(180), ipproto-181(181), ipproto-182(182), ipproto-183(183), ipproto-184(184), ipproto-185(185), ipproto-186(186), ipproto-187(187), ipproto-188(188), ipproto-189(189), ipproto-190(190), ipproto-191(191), ipproto-192(192), ipproto-193(193), ipproto-194(194), ipproto-195(195), ipproto-196(196), ipproto-197(197), ipproto-198(198), ipproto-199(199), ipproto-200(200), ipproto-201(201), ipproto-202(202), ipproto-203(203), ipproto-204(204), ipproto-205(205), ipproto-206(206), ipproto-207(207), ipproto-208(208), ipproto-209(209), ipproto-210(210), ipproto-211(211), ipproto-212(212), ipproto-213(213), ipproto-214(214), ipproto-215(215), ipproto-216(216), ipproto-217(217), ipproto-218(218), ipproto-219(219), ipproto-220(220), ipproto-221(221), ipproto-222(222), ipproto-223(223), ipproto-224(224), ipproto-225(225), ipproto-226(226), ipproto-227(227), ipproto-228(228), ipproto-229(229), ipproto-230(230), ipproto-231(231), ipproto-232(232), ipproto-233(233), ipproto-234(234), ipproto-235(235), ipproto-236(236), ipproto-237(237), ipproto-238(238), ipproto-239(239), 
ipproto-240(240), ipproto-241(241), ipproto-242(242), ipproto-243(243), ipproto-244(244), ipproto-245(245), ipproto-246(246), ipproto-247(247), ipproto-248(248), ipproto-249(249), ipproto-250(250), ipproto-251(251), ipproto-252(252), ipproto-253(253), ipproto-254(254), dont-verify(255) } MAX-ACCESS read-only STATUS current DESCRIPTION "The protocol of the traffic selectors." ::= { ipsecBundleEntry 24 } ipsecBundleLocalAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The local address (host or network or range start address) of the traffic selectors, source for outbound, destination for inbound." ::= { ipsecBundleEntry 25 } ipsecBundleLocalMaskLen OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The local network masklen of the traffic selectors, source for outbound, destination for inbound." ::= { ipsecBundleEntry 26 } ipsecBundleLocalRange OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The local address range end address of the traffic selectors, source for outbound, destination for inbound." ::= { ipsecBundleEntry 27 } ipsecBundleLocalPort OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The local port of the traffic selectors, source for outbound, destination for inbound." ::= { ipsecBundleEntry 28 } ipsecBundleRemoteAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The remote address (host or network or range start address) of the traffic selectors source for outbound, destination for inbound." ::= { ipsecBundleEntry 29 } ipsecBundleRemoteMaskLen OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The remote network masklen of the traffic selectors source for outbound, destination for inbound." 
::= { ipsecBundleEntry 30 } ipsecBundleRemoteRange OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The remote address range end address of the traffic selectors source for outbound, destination for inbound." ::= { ipsecBundleEntry 31 } ipsecBundleRemotePort OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The remote port of the traffic selectors source for outbound, destination for inbound." ::= { ipsecBundleEntry 32 } ipsecBundleInPkt OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound packets processed by this bundle." ::= { ipsecBundleEntry 33 } ipsecBundleInHb OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of heartbeat packets received over this bundle." ::= { ipsecBundleEntry 34 } ipsecBundleInBytes OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound bytes (including IPSec overhead) processed by this bundle." ::= { ipsecBundleEntry 35 } ipsecBundleInBytesNetto OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound bytes (netto: IPSec headers excluded) processed by this bundle." ::= { ipsecBundleEntry 37 } ipsecBundleOutPkt OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets processed by this bundle." ::= { ipsecBundleEntry 39 } ipsecBundleOutHb OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of heartbeat packets sent for this bundle." ::= { ipsecBundleEntry 40 } ipsecBundleOutBytes OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of outbound bytes (including IPSec overhead) processed by this bundle." 
::= { ipsecBundleEntry 41 } ipsecBundleOutBytesNetto OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of outbound bytes (netto: IPSec headers excluded) processed by this bundle." ::= { ipsecBundleEntry 43 } ipsecBundleNatT OBJECT-TYPE SYNTAX INTEGER { enabled(1), -- use udp encapsulation disabled(2) -- do not use udp encapsulation } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies if the udp encapsulation of ESP packets is active within this bundle. Possible values: enabled(1), -- use udp encapsulation disabled(2) -- do not use udp encapsulation." ::= { ipsecBundleEntry 45 } ipsecBundleNatOaLocal OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The local IP address as seen by the remote side. Only valid for transport mode bundles with NatT enabled." ::= { ipsecBundleEntry 46 } ipsecBundleNatOaRemote OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The remote IP address as seen by the remote side. Only valid for transport mode bundles with NatT enabled." ::= { ipsecBundleEntry 47 } ipsecBundleIkeMajVersion OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The IKE major version number." DEFVAL { 1 } ::= { ipsecBundleEntry 48 } ipsecBundleIkeMinVersion OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The IKE minor version number." DEFVAL { 0 } ::= { ipsecBundleEntry 49 } -- End IPSec Bundle Table -- IKE Security Associations Table ikeSaTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of currently active IKE security associations." ::= { ipsec 4 } ikeSaEntry OBJECT-TYPE SYNTAX IkeSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains an IKE security association." 
INDEX { ikeSaIndex } ::= { ikeSaTable 1 } IkeSaEntry ::= SEQUENCE { ikeSaIndex INTEGER, ikeSaState INTEGER, ikeSaXchType INTEGER, ikeSaAuthMethod INTEGER, ikeSaEncAlg INTEGER, ikeSaHashAlg INTEGER, ikeSaPrfAlg INTEGER, ikeSaRole INTEGER, ikeSaLocalId DisplayString, ikeSaRemoteId DisplayString, ikeSaLocalIp IpAddress, ikeSaRemoteIp IpAddress, ikeSaCookieI OCTET STRING, ikeSaCookieR OCTET STRING, ikeSaCreated Date, ikeSaLastUsed Date, ikeSaExpires Date, ikeSaNumCerts INTEGER, ikeSaNumNegotiations INTEGER, ikeSaBytes INTEGER, ikeSaMajVersion INTEGER, ikeSaMinVersion INTEGER, ikeSaPeerIndex INTEGER, ikeSaHeartbeatsEnabled INTEGER, ikeSaHeartbeatsSent INTEGER, ikeSaHeartbeatsReceived INTEGER, ikeSaLocalPort INTEGER, ikeSaRemotePort INTEGER, ikeSaXauthType INTEGER, ikeSaXauthUser DisplayString } ikeSaIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "A unique index for this entry." ::= { ikeSaEntry 1 } ikeSaState OBJECT-TYPE SYNTAX INTEGER { negotiating(1), -- the SA is still being negotiated established(2), -- the SA negotiation is finished waiting-for-remove(3), -- the SA is waiting for removal delete(7) -- mark the SA for deletion } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the state of the SA. Possible values: negotiating(1), -- the SA is still being negotiated established(2), -- the SA negotiation is finished waiting-for-remove(3), -- the SA is waiting for removal delete(7) -- mark the SA for deletion. Note: this object is writable. Setting it to delete(7) marks the IKE SA for deletion, so SNMP write access to this MIB must be restricted to trusted management stations." DEFVAL { negotiating } ::= { ikeSaEntry 3 } ikeSaXchType OBJECT-TYPE SYNTAX INTEGER { base(1), -- IKE base mode id-protect(2), -- IKE identity protection -- (oakley main mode) aggressive(4), -- IKE (oakley) aggressive mode any(256) -- Other mode } MAX-ACCESS read-only STATUS current DESCRIPTION "The exchange mode used to create the SA. 
Possible values: base(1), -- IKE base mode id-protect(2), -- IKE identity protection -- (oakley main mode) aggressive(4), -- IKE (oakley) aggressive mode any(256) -- Other mode. Only these four values are enumerated in the SYNTAX clause; the other ISAKMP exchange types (authentication-only(3), informational(5), quick(32), new-group(33)) are not part of the SYNTAX and therefore cannot be returned by a conforming agent." ::= { ikeSaEntry 4 } ikeSaAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption rsa-enc-rev(5) -- Authentication using revised RSA encryption } MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication method used when negotiating this SA. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption rsa-enc-rev(5) -- Authentication using revised RSA encryption." ::= { ikeSaEntry 5 } ikeSaEncAlg OBJECT-TYPE SYNTAX INTEGER { des(1), idea(2), -- not used blowfish(3), rc5(4), -- not used des3(5), cast128(6), -- CAST with 128 bit key aes(7), -- AES encryption algorithm twofish(9) } MAX-ACCESS read-only STATUS current DESCRIPTION "The encryption algorithm used for the IKE SA. idea(2) and rc5(4) are listed for completeness only and are not used." ::= { ikeSaEntry 26 } ikeSaHashAlg OBJECT-TYPE SYNTAX INTEGER { md5(1), -- The MD5 hash algorithm sha(2), -- The Secure Hash Algorithm tiger(3), -- The Tiger hash algorithm ripemd160(4) -- The RIPE MD 160 hash algorithm } MAX-ACCESS read-only STATUS current DESCRIPTION "The hash algorithm used." 
::= { ikeSaEntry 27 } ikeSaPrfAlg OBJECT-TYPE SYNTAX INTEGER { md5(1), -- The MD5 hash algorithm sha(2), -- The Secure Hash Algorithm tiger(3), -- The Tiger hash algorithm ripemd160(4) -- The RIPE MD 160 hash algorithm } MAX-ACCESS read-only STATUS current DESCRIPTION "The hash algorithm used for the pseudo random function." ::= { ikeSaEntry 28 } ikeSaRole OBJECT-TYPE SYNTAX INTEGER { initiator(1), -- this end initiated the SA negotiation responder(2) -- the remote end initiated the SA negotiation } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies by which side the SA negotiation was initiated. Possible values: initiator(1), -- this end initiated the SA negotiation responder(2) -- the remote end initiated the SA negotiation." ::= { ikeSaEntry 7 } ikeSaLocalId OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-only STATUS current DESCRIPTION "The local ID used for authentication." ::= { ikeSaEntry 8 } ikeSaRemoteId OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-only STATUS current DESCRIPTION "The remote ID used for authentication." ::= { ikeSaEntry 9 } ikeSaLocalIp OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The local IP address used in the IKE communication." ::= { ikeSaEntry 10 } ikeSaRemoteIp OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The remote IP address used in the IKE communication." ::= { ikeSaEntry 11 } ikeSaCookieI OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "The cookie of the initiator." ::= { ikeSaEntry 12 } ikeSaCookieR OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "The cookie of the responder." ::= { ikeSaEntry 13 } ikeSaCreated OBJECT-TYPE SYNTAX Date MAX-ACCESS read-only STATUS current DESCRIPTION "Time the SA was created." ::= { ikeSaEntry 24 } ikeSaLastUsed OBJECT-TYPE SYNTAX Date MAX-ACCESS read-only STATUS current DESCRIPTION "Time the SA was used last." 
::= { ikeSaEntry 25 } ikeSaExpires OBJECT-TYPE SYNTAX Date MAX-ACCESS read-only STATUS current DESCRIPTION "Time the SA will expire." ::= { ikeSaEntry 29 } ikeSaNumCerts OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of certificates received from the remote side when negotiating this SA." ::= { ikeSaEntry 15 } ikeSaNumNegotiations OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the number of currently active negotiations for this SA." ::= { ikeSaEntry 16 } ikeSaBytes OBJECT-TYPE SYNTAX INTEGER UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "Number of bytes transmitted using this SA." ::= { ikeSaEntry 17 } ikeSaMajVersion OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The IKE major version number." ::= { ikeSaEntry 18 } ikeSaMinVersion OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The IKE minor version number." ::= { ikeSaEntry 19 } ikeSaPeerIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the peer for which this SA was created." ::= { ikeSaEntry 20 } ikeSaHeartbeatsEnabled OBJECT-TYPE SYNTAX INTEGER { send(1), -- send heartbeats expect(2), -- expect heartbeats both(3), -- send and expect heartbeats none(4) -- neither send nor expect heartbeats } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies whether heartbeats are sent/expected over this SA possible values: send(1), -- send heartbeats expect(2), -- expect heartbeats both(3), -- send and expect heartbeats none(4) -- neither send nor expect heartbeats." ::= { ikeSaEntry 21 } ikeSaHeartbeatsSent OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of Heartbeats sent over this SA." ::= { ikeSaEntry 22 } ikeSaHeartbeatsReceived OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of Heartbeats received over this SA." 
::= { ikeSaEntry 23 } ikeSaLocalPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Local port currently used for the SA." ::= { ikeSaEntry 30 } ikeSaRemotePort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Remote port currently used for the SA." ::= { ikeSaEntry 31 } ikeSaXauthType OBJECT-TYPE SYNTAX INTEGER { generic(0), -- generic radius-chap(1), -- RADIUS-CHAP otp(2), -- One-Time-Password s-key(3), -- S/KEY One-Time-Password none(32768) -- no XAUTH used } MAX-ACCESS read-only STATUS current DESCRIPTION "This object displays whether XAUTH is used or not after complete establishment of the SA. If XAUTH is used then the type of the extended authentication is displayed." DEFVAL { none } ::= { ikeSaEntry 32 } ikeSaXauthUser OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-only STATUS current DESCRIPTION "User name used for Extended Authentication." ::= { ikeSaEntry 33 } -- End IKE Security Associations Table -- IKE (Phase 1) Profile Table ikeProfileTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeProfileEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of IKE (Phase 1) profiles." ::= { ipsec 14 } ikeProfileEntry OBJECT-TYPE SYNTAX IkeProfileEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains an IPSec phase 1 profile." 
INDEX { ikePrfProposal } ::= { ikeProfileTable 1 } IkeProfileEntry ::= SEQUENCE { ikePrfIndex INTEGER, ikePrfDescription DisplayString, ikePrfAuthMethod INTEGER, ikePrfMode INTEGER, ikePrfProposal INTEGER, ikePrfGroup INTEGER, ikePrfCert INTEGER, ikePrfLocalId DisplayString, ikePrfCaCerts DisplayString, ikePrfLifeTime INTEGER, ikePrfPfsIdentity INTEGER, ikePrfHeartbeats INTEGER, ikePrfBlockTime INTEGER, ikePrfNatT INTEGER, ikePrfMtuMax INTEGER, ikePrfLifeSeconds Unsigned32, ikePrfLifeKBytes Unsigned32, ikePrfLifeRekeyPercent INTEGER, ikePrfLifePolicy INTEGER } ikePrfIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "A unique index identifying this entry. Note: the INDEX clause of ikeProfileEntry names ikePrfProposal (a read-write object) rather than this object; which of the two actually indexes the row should be confirmed against the agent before using it as a key." ::= { ikeProfileEntry 1 } ikePrfDescription OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "An optional description for this profile." ::= { ikeProfileEntry 2 } ikePrfAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(14), -- use settings from default profile delete(15) -- mark this entry for deletion } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the authentication method used for this profile. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(14), -- use settings from default profile -- (pre-sh-key if this is the default profile) delete(15) -- mark this entry for deletion." 
DEFVAL { default } ::= { ikeProfileEntry 3 } ikePrfMode OBJECT-TYPE SYNTAX INTEGER { id-protect(1), -- Use identity protection (main) mode aggressive(2), -- Use aggressive mode default(3), -- Use default setting from the -- global profile id-protect-only(4), -- only id-protect mode allowed aggressive-only(5) -- only aggressive mode allowed } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the exchange mode used for IKE SA negotiation. Possible values: id-protect(1), -- Use identity protection (main) mode aggressive(2), -- Use aggressive mode default(3), -- Use default setting from the -- global profile id-protect-only(4), -- only id-protect mode allowed aggressive-only(5) -- only aggressive mode allowed. Note: in aggressive mode the identities are exchanged unprotected and, when combined with pre-shared-key authentication (ikePrfAuthMethod pre-sh-key(1)), the exchange exposes a PSK-derived hash that can be attacked offline by anyone able to observe or initiate the negotiation. Prefer id-protect(1) or id-protect-only(4) unless the peer requires aggressive mode." DEFVAL { default } ::= { ikeProfileEntry 4 } ikePrfProposal OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "The index of the first IKE proposal which may be used for IKE SA negotiation with this profile." ::= { ikeProfileEntry 5 } ikePrfGroup OBJECT-TYPE SYNTAX INTEGER (1..5) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the IKE (Diffie-Hellman) group to use with this profile. Possible values: 1: a 768-bit MODP group 2: a 1024-bit MODP group 5: a 1536-bit MODP group. Values 3 and 4 fall inside the declared range (1..5) but are not documented here. Note: groups 1 and 2 (768- and 1024-bit MODP) are considered too weak for current use; choose the largest group both peers support (5 within this MIB)." ::= { ikeProfileEntry 6 } ikePrfCert OBJECT-TYPE SYNTAX INTEGER (0..32767) MAX-ACCESS read-write STATUS current DESCRIPTION "The index of the certificate used for authentication in the certTable. Ignored when ikePrfAuthMethod is pre-sh-key(1)." ::= { ikeProfileEntry 7 } ikePrfLocalId OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "The local ID used for authentication with this profile. 
Syntax: - X500 distinguished name: - IPV4-Address: |192.0.2.1| with or without '|' - IPV4 Address Range: |192.0.2.1-192.0.2.20| with or without '|' - IPV4 Address Subnet: |192.0.2.0/255.255.255.0| with or without '|' or: |192.0.2.0/24| with or without '|' - Key-ID: arbitrary string: {anything} - Fully Qualified User Name (FQUN): (anything) or user@domain with mandatory '@' - Fully Qualified Domain Name (FQDN): [anything] or any name without '@' not matching any other syntax" ::= { ikeProfileEntry 8 } ikePrfCaCerts OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "A comma separated list of certTable indices (0..32767) naming the certificate authority certificates accepted for this profile, i.e. the CAs a peer certificate must chain to." ::= { ikeProfileEntry 9 } ikePrfLifeTime OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable with the lifetime settings to be used for IKE SA negotiation with this profile. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime is taken. The usage of this object is deprecated (although its STATUS is still 'current'); use the ikePrfLifeSeconds and ikePrfLifeKBytes objects directly instead." DEFVAL { -1 } ::= { ikeProfileEntry 10 } ikePrfPfsIdentity OBJECT-TYPE SYNTAX INTEGER { true(1), -- delete phase 1 SAs false(2), -- reuse phase 1 SAs default(3) -- use value from default profile -- (false, if this is the default profile) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether IKE SAs should be deleted immediately after a phase 2 (IPSec) SA pair has been negotiated. The consequence of enabling this feature is that before each phase 2 negotiation there always has to be a phase 1 negotiation. Thus individual phase 2 SAs cannot be associated with one another; in other words, if the identity of a remote peer becomes known to an eavesdropper for one SA, the eavesdropper cannot conclude that the next SA is negotiated with the same remote peer. 
Note: Setting this flag only makes sense if configured together with id-protect mode or RSA encryption for authentication and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses). Possible values: true(1), -- delete phase 1 SAs false(2), -- reuse phase 1 SAs default(3) -- use value from default profile -- (false if this is the default profile)." DEFVAL { default } ::= { ikeProfileEntry 11 } ikePrfHeartbeats OBJECT-TYPE SYNTAX INTEGER { none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4), -- send and expect heartbeats default(5), -- use default value auto(6), -- detect support using vendor id dpd(7), -- use DPD method for proof-of-liveliness dpd-idle(8) -- use DPD, detect dead peers even while idle } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether heartbeats should be sent over phase 1 SAs for this profile (heartbeats are not used for IPv6). Possible values: none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4), -- send and expect heartbeats default(5), -- use value from default profile -- (auto if this is the default profile) auto(6), -- detect support using vendor id dpd(7), -- use DPD method for proof-of-liveliness dpd-idle(8) -- use DPD, detect dead peers even while idle." DEFVAL { default } ::= { ikeProfileEntry 12 } ikePrfBlockTime OBJECT-TYPE SYNTAX INTEGER (-1..86400) UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the time in seconds for which a peer is blocked for any IPSec operations after a phase 1 initiator negotiation failed. Special values: -1: use settings from global profile (do not block by default) 0: do not block the peer at all." 
DEFVAL { -1 } ::= { ikeProfileEntry 13 } ikePrfNatT OBJECT-TYPE SYNTAX INTEGER { enabled(1), -- enable Nat-Traversal disabled(2), -- disable Nat-Traversal default(3), -- use value from default profile -- (enabled, if this is the default profile) enforce(4) -- enforce NAT-T, independent of NAT -- detection } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether NAT-Traversal (NAT-T) is used with this profile. Possible values: enabled(1), -- enable NAT-Traversal disabled(2), -- disable NAT-Traversal default(3), -- use value from default profile enforce(4) -- enforce NAT-T, independent of NAT detection. NOTE(review): the SYNTAX clause states that the default profile enables NAT-T while the previous text of this description stated disabled - confirm which applies before relying on default(3) in the default profile." DEFVAL { default } ::= { ikeProfileEntry 14 } ikePrfMtuMax OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The maximum MTU value allowed for ipsecPeerStatMtu. Zero means: use the value from the global profile; if this is the global profile, 1418 is assumed. Nonzero values smaller than 214 are reset to the minimum of 214." DEFVAL { 0 } ::= { ikeProfileEntry 15 } ikePrfLifeSeconds OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "The maximum time (in seconds) after which an IKE SA negotiated with this profile will be deleted." DEFVAL { 900 } ::= { ikeProfileEntry 16 } ikePrfLifeKBytes OBJECT-TYPE SYNTAX Unsigned32 UNITS "kilo bytes" MAX-ACCESS read-write STATUS current DESCRIPTION "The maximum amount of data (in KB) which may be protected by an IKE SA before it is deleted. The meaning of the default value 0 is not specified here; presumably it disables the traffic-based limit - confirm against the agent." DEFVAL { 0 } ::= { ikeProfileEntry 17 } ikePrfLifeRekeyPercent OBJECT-TYPE SYNTAX INTEGER (50..100) MAX-ACCESS read-write STATUS obsolete DESCRIPTION "WARNING: this object is obsolete and must not be used." 
DEFVAL { 80 } ::= { ikeProfileEntry 18 } ikePrfLifePolicy OBJECT-TYPE SYNTAX INTEGER { loose(1), -- accept and use anything proposed strict(2), -- accept and use only what is configured notify(3), -- accept anything (send responder lifetime) use-default-lifetime(4) -- use lifetime values from default -- profile } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies how an IKE SA lifetime proposed by the remote peer is handled. Possible values: loose(1), -- accept and use anything proposed strict(2), -- accept and use only what is configured notify(3), -- accept anything; if the own values are smaller than what was proposed, use the own values and send a responder lifetime notification use-default-lifetime(4) -- use lifetime values from default -- profile. Security note: with loose(1) the remote peer can impose an arbitrarily long IKE SA lifetime; use strict(2) or notify(3) where the configured lifetime is a security requirement." DEFVAL { use-default-lifetime } ::= { ikeProfileEntry 19 } -- End IKE (Phase 1) Profile Table -- IPSec (Phase 2) Profile Table ipsecProfileTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecProfileEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of IPSec (Phase 2) profiles." ::= { ipsec 15 } ipsecProfileEntry OBJECT-TYPE SYNTAX IpsecProfileEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains an IPSec phase 2 profile. NOTE(review): the entry is indexed by ipsecPrfProposal, a read-write column, rather than by the unique ipsecPrfIndex - confirm this is intended, as it determines how rows are addressed via SNMP." INDEX { ipsecPrfProposal } ::= { ipsecProfileTable 1 } IpsecProfileEntry ::= SEQUENCE { ipsecPrfIndex INTEGER, ipsecPrfDescription DisplayString, ipsecPrfProposal INTEGER, ipsecPrfPfsGroup INTEGER, ipsecPrfLifeTime INTEGER, ipsecPrfHeartbeats INTEGER, ipsecPrfPmtuDiscovery INTEGER, ipsecPrfGranularity INTEGER, ipsecPrfKeepAlive INTEGER, ipsecPrfVerifyPad INTEGER, ipsecPrfForceTunnelMode INTEGER, ipsecPrfLifeSeconds Unsigned32, ipsecPrfLifeKBytes Unsigned32, ipsecPrfLifeRekeyPercent INTEGER, ipsecPrfLifePolicy INTEGER } ipsecPrfIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "A unique index identifying this entry." 
::= { ipsecProfileEntry 1 } ipsecPrfDescription OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "An optional description for this profile." ::= { ipsecProfileEntry 2 } ipsecPrfProposal OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "The index of the IPSec proposal used for this profile." ::= { ipsecProfileEntry 3 } ipsecPrfPfsGroup OBJECT-TYPE SYNTAX INTEGER (-1..5) MAX-ACCESS read-write STATUS current DESCRIPTION "The Diffie-Hellman group used for the additional Perfect Forward Secrecy (PFS) DH exponentiation in phase 2. Possible values: -1: do not use PFS 0: use value from default profile (do not use PFS if this is the default profile) 1: a 768-bit MODP group, 2: a 1024-bit MODP group, 5: a 1536-bit MODP group. Values 3 and 4 lie within the SYNTAX range but are not described here - confirm whether the agent rejects them. Security note: without PFS, compromise of the IKE SA keying material exposes the keys of every phase 2 SA derived from it; groups 1 and 2 are below current minimum strength recommendations, so configure the strongest group supported by both peers." ::= { ipsecProfileEntry 4 } ipsecPrfLifeTime OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable. The usage of this object is deprecated; use the ipsecPrfLifeXxx objects directly instead." DEFVAL { -1 } ::= { ipsecProfileEntry 5 } ipsecPrfHeartbeats OBJECT-TYPE SYNTAX INTEGER { none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4), -- send and expect heartbeats default(5), -- use settings from peer or global profile auto(6) -- detect support using vendor id } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether heartbeats should be sent over phase 2 SAs for this profile (heartbeats are not used for IPv6). Possible values: none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4), -- send and expect heartbeats default(5), -- use settings from peer or global profile (auto if this is the global profile) auto(6) -- detect support using vendor id." 
DEFVAL { default } ::= { ipsecProfileEntry 6 } ipsecPrfPmtuDiscovery OBJECT-TYPE SYNTAX INTEGER { disabled(1), -- do not perform PMTU discovery enabled(2), -- perform PMTU discovery default(3) -- use settings from peer or global profile -- (enabled if this is the global profile) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the PMTU discovery policy for this profile. Possible values: disabled(1), -- do not perform PMTU discovery enabled(2), -- perform PMTU discovery default(3) -- use settings from peer or global profile -- (enabled if this is the global profile)." DEFVAL { default } ::= { ipsecProfileEntry 7 } ipsecPrfGranularity OBJECT-TYPE SYNTAX INTEGER { default(1), -- use granularity settings from default profile -- (coarse if this is the default profile) coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5), -- Create one SA for each port and host local-services(6) -- same as 'coarse' but 'ip' for local services } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the granularity with which SAs are created with this profile. Possible values: default(1), -- use granularity settings from default profile -- (coarse if this is the default profile) coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5), -- Create one SA for each port and host local-services(6) -- same as 'coarse' but 'ip' for local services." 
DEFVAL { default } ::= { ipsecProfileEntry 8 } ipsecPrfKeepAlive OBJECT-TYPE SYNTAX INTEGER { true(1), -- rekey SA's even if no data was transferred false(2), -- do not rekey SA's if no data was transferred default (3), -- use value from default profile -- (false if this is the default profile) delete (4) -- mark this entry for deletion } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether IKE SAs are rekeyed even if no data was transferred over them. NOTE(review): this object lives in the IPSec (phase 2) profile table; confirm whether it governs the phase 2 SAs, the IKE SA, or both. Possible values: true(1), -- rekey SAs even if no data was transferred false(2), -- do not rekey SAs if no data was transferred default (3), -- use value from default profile -- (false if this is the default profile) delete (4) -- mark this entry for deletion." DEFVAL { default } ::= { ipsecProfileEntry 9 } ipsecPrfVerifyPad OBJECT-TYPE SYNTAX INTEGER { true(1), -- normal, self-describing ESP padding false(2), -- old style ESP padding default(3) -- use setting from peer or global profile } MAX-ACCESS read-write STATUS current DESCRIPTION "This object is a compatibility option for older IPSec implementations. It enables or disables an old way of ESP padding (no self-describing padding). Use false(2) only for a remote peer that demonstrably requires the old padding format. Possible values: true(1), -- normal, self-describing ESP padding false(2), -- old style ESP padding default(3) -- use setting from peer or global profile (true if this is the global profile)." DEFVAL { default } ::= { ipsecProfileEntry 10 } ipsecPrfForceTunnelMode OBJECT-TYPE SYNTAX INTEGER { true(1), -- Use tunnel mode even if transport mode is possible false(2), -- Use transport mode whenever possible default(3) -- Use settings from default profile } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the strategy for choosing between transport and tunnel mode. By default, the system always uses transport mode if possible. If this object is set to true, tunnel mode is always used for this traffic entry, even if source and destination address match the tunnel endpoints. 
Possible values: true(1), -- Use tunnel mode even if transport mode is possible false(2), -- Use transport mode whenever possible default(3) -- Use settings from default profile (if this is the default profile, false is assumed)." DEFVAL { default } ::= { ipsecProfileEntry 11 } ipsecPrfLifeSeconds OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "The maximum time (in seconds) after which an IPSec (phase 2) SA negotiated with this profile will be deleted." DEFVAL { 900 } ::= { ipsecProfileEntry 16 } ipsecPrfLifeKBytes OBJECT-TYPE SYNTAX Unsigned32 UNITS "kilo bytes" MAX-ACCESS read-write STATUS current DESCRIPTION "The maximum amount of data (in KB) which may be protected by an IPSec SA before it is deleted. The meaning of the default value 0 is not specified here; presumably it disables the traffic-based limit - confirm against the agent." DEFVAL { 0 } ::= { ipsecProfileEntry 17 } ipsecPrfLifeRekeyPercent OBJECT-TYPE SYNTAX INTEGER (50..100) MAX-ACCESS read-write STATUS current DESCRIPTION "The percentage of the lifetimes (traffic and time based) after which rekeying is started." DEFVAL { 80 } ::= { ipsecProfileEntry 18 } ipsecPrfLifePolicy OBJECT-TYPE SYNTAX INTEGER { loose(1), -- accept and use anything proposed strict(2), -- accept and use only what is configured notify(3), -- accept anything (send responder lifetime) use-default-lifetime(4) -- use lifetime values from default -- profile } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies how an IPSec SA lifetime proposed by the remote peer is handled. Possible values: loose(1), -- accept and use anything proposed strict(2), -- accept and use only what is configured notify(3), -- accept anything; if the own values are smaller than what was proposed, use the own values and send a responder lifetime notification use-default-lifetime(4) -- use lifetime values from default -- profile. Security note: with loose(1) the remote peer can impose an arbitrarily long SA lifetime; use strict(2) or notify(3) where the configured lifetime is a security requirement." DEFVAL { use-default-lifetime } ::= { ipsecProfileEntry 19 } -- End IPSec (Phase 2) Profile Table -- IPSec Peer Table ipsecPeerTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecPeerEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of IPSec peers." 
::= { ipsec 5 } ipsecPeerEntry OBJECT-TYPE SYNTAX IpsecPeerEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains the description of an IPSec peer. NOTE(review): the entry is indexed by ipsecPeerTrafficList, a read-write column, rather than by the unique ipsecPeerIndex - confirm this is intended, as it determines how rows are addressed via SNMP." INDEX { ipsecPeerTrafficList } ::= { ipsecPeerTable 1 } IpsecPeerEntry ::= SEQUENCE { ipsecPeerIndex INTEGER, ipsecPeerPriority INTEGER, ipsecPeerDescription DisplayString, ipsecPeerDynamicAddress DisplayString, ipsecPeerPeerIds DisplayString, ipsecPeerLocalAddress IpAddress, ipsecPeerTrafficList INTEGER, ipsecPeerIkeProfile INTEGER, ipsecPeerIpsecProfile INTEGER, ipsecPeerPreSharedKey DisplayString, ipsecPeerVirtualInterface INTEGER, ipsecPeerStartMode INTEGER, ipsecPeerAdminStatus INTEGER, ipsecPeerIsdnCB INTEGER, ipsecPeerPreSharedKeyData OCTET STRING, ipsecPeerIsdnCBMode INTEGER, ipsecPeerIsdnCBDChanMode INTEGER, ipsecPeerType INTEGER, ipsecPeerDynAddrPoolId INTEGER, ipsecPeerDynAddrLocalIp IpAddress, ipsecPeerXauthProfile Unsigned32, ipsecPeerDynAddrRole INTEGER, ipsecPeerIkeVersion INTEGER, -- IKEv2 specific Peer parameters ipsecPeerLocalId DisplayString, ipsecPeerAuthMethod INTEGER, ipsecPeerCert INTEGER, ipsecPeerCaCerts DisplayString, -- universal (IKEv1 and IKEv2) Peer parameters ipsecPeerDynAddrMode INTEGER, ipsecPeerMobike INTEGER, ipsecPeerPublicIfIndex INTEGER, ipsecPeerPublicIfIndexMode INTEGER } -- these read-only parameters are moved to the new ipsecPeerStatTable: -- ipsecPeerNextIndex OID ipsecPeerEntry 2 -- ipsecPeerCaCerts OID ipsecPeerEntry 4 -- ipsecPeerPeerAddress OID ipsecPeerEntry 6 -- ipsecPeerLocalId OID ipsecPeerEntry 7 -- ipsecPeerLocalCert OID ipsecPeerEntry 9 -- ipsecPeerIkeProposals OID ipsecPeerEntry 10 -- ipsecPeerPublicInterface OID ipsecPeerEntry 12 -- ipsecPeerPfsIdentity OID ipsecPeerEntry 13 -- ipsecPeerAuthMethod OID ipsecPeerEntry 20 -- ipsecPeerIkeGroup OID ipsecPeerEntry 22 -- ipsecPeerPfsGroup OID ipsecPeerEntry 23 -- ipsecPeerPh1Mode OID ipsecPeerEntry 24 -- ipsecPeerIkeLifeTime OID ipsecPeerEntry 25 -- ipsecPeerIpsecLifeTime OID ipsecPeerEntry 26 
-- ipsecPeerKeepAlive OID ipsecPeerEntry 29 -- ipsecPeerGranularity OID ipsecPeerEntry 30 -- ipsecPeerDontVerifyPad OID ipsecPeerEntry 31 -- ipsecPeerNoPmtuDiscovery OID ipsecPeerEntry 36 -- ipsecPeerOperStatus OID ipsecPeerEntry 44 -- ipsecPeerDefaultIpsecProposals OID ipsecPeerEntry 42 -- ipsecPeerHeartbeat OID ipsecPeerEntry 43 -- ipsecPeerTtl OID ipsecPeerEntry 51 -- ipsecPeerCurrentLocalAddress OID ipsecPeerEntry 52 -- ipsecPeerCurrentRemoteAddress OID ipsecPeerEntry 53 -- ipsecPeerNumP1 OID ipsecPeerEntry 54 -- ipsecPeerNumP1Negotiating OID ipsecPeerEntry 55 -- ipsecPeerNumP1Established OID ipsecPeerEntry 56 -- ipsecPeerNumP1Deleted OID ipsecPeerEntry 57 -- ipsecPeerNumBundles OID ipsecPeerEntry 58 -- ipsecPeerNumBundlesNegotiating OID ipsecPeerEntry 59 -- ipsecPeerNumBundlesEstablished OID ipsecPeerEntry 60 -- ipsecPeerPh1LToken OID ipsecPeerEntry 64 -- ipsecPeerPh1RToken OID ipsecPeerEntry 65 -- ipsecPeerIsdnCBNextMode OID ipsecPeerEntry 68 -- ipsecPeerNatDetect OID ipsecPeerEntry 69 -- ipsecPeerNatTLocalPort OID ipsecPeerEntry 70 -- ipsecPeerNatTRemotePort OID ipsecPeerEntry 71 -- ipsecPeerMtu OID ipsecPeerEntry 72 -- ipsecPeerRxIdle OID ipsecPeerEntry 74 -- ipsecPeerTxIdle OID ipsecPeerEntry 75 -- ipsecPeerDPD OID ipsecPeerEntry 76 -- ipsecPeerDPDRetries OID ipsecPeerEntry 77 ipsecPeerIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "A unique index identifying this entry." ::= { ipsecPeerEntry 1 } ipsecPeerPriority OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "Defines the matching priority of this peer entry. How values are ordered (lower or higher first) is not specified here - confirm against the agent." ::= { ipsecPeerEntry 47 } ipsecPeerDescription OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "An optional description for this peer." ::= { ipsecPeerEntry 3 } ipsecPeerDynamicAddress OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "The IP address of the peer. This object may contain either an IP address or a domain name. Security note: a domain name is resolved via DNS, which is not authenticated; the identity of the peer must therefore be established through ipsecPeerPeerIds and the configured authentication method, never through its address alone." 
::= { ipsecPeerEntry 14 } ipsecPeerPeerIds OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "The IDs of the peer which are accepted for authentication. Configure the narrowest ID set that matches the intended remote peer, since the ID is what binds the authenticated identity to this peer entry. Syntax: - X500 distinguished name: - IPV4-Address: |192.0.2.1| with or without '|' - IPV4 Address Range (only IKEv1): |192.0.2.1-192.0.2.2| with or without '|' - IPV4 Address Subnet (only IKEv1): |192.0.2.0/255.255.255.0| with or without '|' or: |192.0.2.0/24| with or without '|' - Key-ID: arbitrary string: {anything} - Fully Qualified User Name (FQUN) (for IKEv1) or Fully-qualified RFC 822 email address string (for IKEv2): (anything) or user@domain with mandatory '@' - Fully Qualified Domain Name (FQDN): [anything] or any name without '@' not matching any other syntax" ::= { ipsecPeerEntry 5 } ipsecPeerLocalAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The local address used for IPSec encrypted packets." ::= { ipsecPeerEntry 8 } ipsecPeerTrafficList OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the first entry of a possible chain of traffic entries from the ipsecTrafficTable which should be protected with IPSec using this peer." ::= { ipsecPeerEntry 11 } ipsecPeerVirtualInterface OBJECT-TYPE SYNTAX INTEGER { disabled(1), -- no virtual interface for this peer enabled(2) -- a virtual interface will be assigned this peer } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies if a virtual interface should be created for this peer. If set to enabled, all traffic routed towards this peer will be protected. The traffic list for this peer is ignored then. The index of the interface associated with this peer is calculated as follows: ifIndex = ipsecPeerIndex + 100000." 
DEFVAL { disabled } ::= { ipsecPeerEntry 15 } ipsecPeerStartMode OBJECT-TYPE SYNTAX INTEGER { on-demand(1), -- packet triggered start, -- fall back to dormant if unused always-up(2) -- always set up and keep up } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the events which make the IPSec peer go up. Possible values: on-demand(1), -- packet triggered start, -- fall back to dormant if unused always-up(2) -- always set up and keep up." DEFVAL { on-demand } ::= { ipsecPeerEntry 16 } ipsecPeerIkeProfile OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "When ipsecPeerIkeVersion is set to ikev1 this is an index from the ikeProfileTable containing a special phase 1 profile to use for this peer. When ipsecPeerIkeVersion is set to ikev2 this is an index from the ikev2ProfileTable containing a special IKE_SA profile to use for this peer." ::= { ipsecPeerEntry 48 } ipsecPeerIpsecProfile OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "The index from the ipsecProfileTable containing a special phase 2 profile to use for this peer." ::= { ipsecPeerEntry 49 } ipsecPeerPreSharedKey OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "The pre-shared key used with this peer, if pre-shared keys are used for authentication. This field serves only as an input field and its contents are replaced with a single asterisk immediately after it is set, so the key cannot be read back via SNMP. Security note: the value is nevertheless transmitted in clear text when set over SNMPv1/v2c or SNMPv3 without privacy; set it only over a protected management path (SNMPv3 authPriv or a local console)." ::= { ipsecPeerEntry 21 } ipsecPeerAdminStatus OBJECT-TYPE SYNTAX INTEGER { up(1), down(2), -- testing(3), dialup(4), callback(5), delete(15) } MAX-ACCESS read-write STATUS current DESCRIPTION "Peer administrative state." 
DEFVAL { up } ::= { ipsecPeerEntry 50 } ipsecPeerIsdnCB OBJECT-TYPE SYNTAX INTEGER { enabled(1), disabled(2), passive(3), -- expect an ISDN call and setup IPSec tunnel active(4) -- setup an ISDN call and expect IPSec tunnel setup } MAX-ACCESS read-write STATUS current DESCRIPTION "Switch for turning the ISDN call back feature on and off specifically for this peer. Default value is disabled." DEFVAL { disabled } ::= { ipsecPeerEntry 45 } ipsecPeerPreSharedKeyData OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS not-accessible STATUS current DESCRIPTION "Field used for storing the pre-shared key permanently. It is not accessible via SNMP. Whether the stored value is encrypted or obfuscated at rest is not specified here - confirm, and treat configuration exports that contain it as secrets." ::= { ipsecPeerEntry 63 } ipsecPeerIsdnCBMode OBJECT-TYPE SYNTAX INTEGER { compat(1), auto(2), auto-d(3), d(4), db(5), b(6) } MAX-ACCESS read-write STATUS current DESCRIPTION "Define callback mode. The following modes are defined: compat(1) -- compatibility to old callback auto(2) -- automatically detect best method auto-d(3) -- automatically detect best D channel method d(4) -- use D channel only db(5) -- try D channel first, fall back to B b(6) -- use B channel only Default value for that variable is compat(1)." DEFVAL { compat } ::= { ipsecPeerEntry 66 } ipsecPeerIsdnCBDChanMode OBJECT-TYPE SYNTAX INTEGER { llc(1), subaddr(2), llc-and-subaddr(3), llc-subaddr(4), subaddr-llc(5) } MAX-ACCESS read-write STATUS current DESCRIPTION "Define callback D channel mode. The following modes are defined: llc(1) -- code token into LLC information element only subaddr(2) -- code token into SUBADDR information element only llc-and-subaddr(3) -- redundantly use LLC and SUBADDR information elements llc-subaddr(4) -- try LLC first, then SUBADDR subaddr-llc(5) -- try SUBADDR first, then LLC Default value for that variable is llc(1)." DEFVAL { llc } ::= { ipsecPeerEntry 67 } ipsecPeerType OBJECT-TYPE SYNTAX INTEGER { fixed(1), -- only one peer allowed for this entry dynamic-client(2) -- duplicated for each incoming client } MAX-ACCESS read-write STATUS current DESCRIPTION "The type of the peer. 
Dynamic peer entries are duplicated whenever an incoming IKE request matches the ID and/or address information of the remote side. Note: - For traffic list peers the duplication also includes the traffic list entries configured for this peer entry. - For virtual interface peers, host routes will be added for the peer address automatically. Possible values: fixed(1), -- only one peer allowed for this entry dynamic-client(2) -- duplicated for each incoming client." DEFVAL { fixed } ::= { ipsecPeerEntry 73 } ipsecPeerDynAddrPoolId OBJECT-TYPE SYNTAX INTEGER (-1..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "Identifier of the Dynamic Address Pool if the IP address is assigned via the IKE Configuration Method. A value of -1 means that no pool is assigned." DEFVAL { -1 } ::= { ipsecPeerEntry 78 } ipsecPeerDynAddrLocalIp OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The local IP address used in the IKE communication when the remote IP address is taken from an IP address pool." ::= { ipsecPeerEntry 79 } ipsecPeerXauthProfile OBJECT-TYPE SYNTAX Unsigned32 (0..4294967295) MAX-ACCESS read-write STATUS current DESCRIPTION "The index from the xauthProfileTable containing a special XAUTH profile to use for this peer. A value of 0 means that no XAUTH profile is assigned." DEFVAL { 0 } ::= { ipsecPeerEntry 80 } ipsecPeerDynAddrRole OBJECT-TYPE SYNTAX INTEGER { none(1), -- no IP address assignment via IKE Config Mode client(2), -- get IP address via IKE Config Mode from remote server(3) -- assign IP address via IKE Config Mode to remote } MAX-ACCESS read-write STATUS current DESCRIPTION "Determines if IKE Config Mode is used and which role is performed: none(1), -- no IP address assignment via IKE Config Mode client(2) -- get IP address via IKE Config Mode from remote server(3) -- assign IP address via IKE Config Mode to remote In server role ipsecPeerDynAddrPoolId defines the IP address pool to use for address assignment to clients. 
If an invalid pool ID is configured, the peer is treated as if the role was 'none'. Default is 'none', which means IKE Config Mode is not used at all." DEFVAL { none } ::= { ipsecPeerEntry 81 } ipsecPeerIkeVersion OBJECT-TYPE SYNTAX INTEGER { ikev1(1), ikev2(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Indicates the major version of the IKE protocol to use. If set to ikev1 the value of ipsecPeerIkeProfile is used as index into ikeProfileTable. If set to ikev2 the value of ipsecPeerIkeProfile is used as index into ikev2ProfileTable." DEFVAL { ikev1 } ::= { ipsecPeerEntry 82 } -- IKEv2 specific Peer parameters ipsecPeerLocalId OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "The local ID used for authentication with this peer (only for IKEv2). Syntax: - X500 distinguished name: - IPV4-Address: |192.0.2.1| with or without '|' - Key-ID: arbitrary string: {anything} - Fully-qualified RFC 822 email address string: (anything) or user@domain with mandatory '@' - Fully Qualified Domain Name (FQDN): [anything] or any name without '@' not matching any other syntax." ::= { ipsecPeerEntry 83 } ipsecPeerAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3) -- Authentication using RSA signatures } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the authentication method used with this peer (only for IKEv2). Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3) -- Authentication using RSA signatures." 
::= { ipsecPeerEntry 84 } ipsecPeerCert OBJECT-TYPE SYNTAX INTEGER (0..32767) MAX-ACCESS read-write STATUS current DESCRIPTION "The index of the certificate used for authentication in the certTable. Ignored when ipsecPeerAuthMethod is pre-sh-key. (only for IKEv2)." ::= { ipsecPeerEntry 85 } ipsecPeerCaCerts OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "Receives a comma separated list with indices (0..32767) of special certificate authority certificates accepted for this peer. Which CA certificates are accepted when this list is empty is not specified here - confirm against the agent. (only for IKEv2)." ::= { ipsecPeerEntry 86 } ipsecPeerDynAddrMode OBJECT-TYPE SYNTAX INTEGER { pull(1), -- the client will request IP address and the gateway -- will answer the request push(2) -- the gateway will set IP address to the client and -- the client will accept or deny it } MAX-ACCESS read-write STATUS current DESCRIPTION "When IP address assignment via IKE Config Mode is configured (ipsecPeerDynAddrRole != none) this object specifies the mode used: pull(1), -- the client will request an IP address and the gateway will answer the request push(2) -- the gateway will set the IP address of the client and the client will accept or deny it The ipsecPeerDynAddrMode value has to be the same on both sides of the tunnel. With the default value 'pull' the peer (ipsecPeerDynAddrRole == client) will request an IP address and the gateway (ipsecPeerDynAddrRole == server) will answer the request. The 'push' mode is needed for partner devices that require this mode. This object matters only when ipsecPeerDynAddrRole != none." DEFVAL { pull } ::= { ipsecPeerEntry 87 } ipsecPeerMobike OBJECT-TYPE SYNTAX INTEGER { enabled(1), -- peer supports MOBIKE disabled(2) -- peer does not support MOBIKE } MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates whether the peer supports MOBIKE or not. Only when both sides of a VPN connection support MOBIKE is an IP address change possible. 
Possible values: enabled(1), -- Peer supports MOBIKE and signals MOBIKE support by including a MOBIKE_SUPPORTED notification in the IKE_AUTH message. disabled(2) -- Peer does not support MOBIKE. (only for IKEv2)." DEFVAL { enabled } ::= { ipsecPeerEntry 88 } ipsecPeerPublicIfIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "The index value which uniquely identifies the physical interface that should be used for all IPSec traffic as initiator. When multiple equivalent routes to the given peer are available this is used as an additional parameter for routing decisions. If set to -1 then normal routing is used. As responder the interface from the first received packet is used and therefore this index value is ignored." DEFVAL { -1 } ::= { ipsecPeerEntry 90 } ipsecPeerPublicIfIndexMode OBJECT-TYPE SYNTAX INTEGER { force(1), -- the given interface is used, even if a route -- with lower metric is available. preferred(2) -- the given interface is used, if no route -- with lower metric is available. } MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the mode used in conjunction with ipsecPeerPublicIfIndex. force(1), -- the given interface is used, even if a route with lower metric is available. preferred(2) -- the given interface is used, if no route with lower metric is available. This object matters only when ipsecPeerPublicIfIndex > 0. NOTE(review): ipsecPeerPublicIfIndex documents only -1 as the value for normal routing; how the value 0 is treated is not specified here - confirm against the agent." DEFVAL { force } ::= { ipsecPeerEntry 91 } -- End IPSec Peer Table -- IKE IPSec Peer Status and Statistic Variables Table ipsecPeerStatTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecPeerStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of IPSec peers status and statistic variables." ::= { ipsec 28 } ipsecPeerStatEntry OBJECT-TYPE SYNTAX IpsecPeerStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains the status and statistic variables of an IPSec peer." 
INDEX { ipsecPeerStatIndex } ::= { ipsecPeerStatTable 1 } IpsecPeerStatEntry ::= SEQUENCE { ipsecPeerStatIndex INTEGER, ipsecPeerStatNextIndex INTEGER, ipsecPeerStatCaCerts DisplayString, ipsecPeerStatPeerAddress IpAddress, ipsecPeerStatLocalId DisplayString, ipsecPeerStatLocalCert INTEGER, ipsecPeerStatPublicInterface INTEGER, ipsecPeerStatIkeProposals INTEGER, ipsecPeerStatPfsIdentity INTEGER, ipsecPeerStatAuthMethod INTEGER, ipsecPeerStatIkeGroup INTEGER, ipsecPeerStatPfsGroup INTEGER, ipsecPeerStatPh1Mode INTEGER, ipsecPeerStatIkeLifeTime INTEGER, ipsecPeerStatIpsecLifeTime INTEGER, ipsecPeerStatKeepAlive INTEGER, ipsecPeerStatGranularity INTEGER, ipsecPeerStatDontVerifyPad INTEGER, ipsecPeerStatNoPmtuDiscovery INTEGER, ipsecPeerStatOperStatus INTEGER, ipsecPeerStatDefaultIpsecProposals INTEGER, ipsecPeerStatHeartbeat INTEGER, ipsecPeerStatTtl INTEGER, ipsecPeerStatCurrentLocalAddress IpAddress, ipsecPeerStatCurrentRemoteAddress IpAddress, ipsecPeerStatNumP1 INTEGER, ipsecPeerStatNumP1Negotiating INTEGER, ipsecPeerStatNumP1Established INTEGER, ipsecPeerStatNumP1Deleted INTEGER, ipsecPeerStatNumBundles INTEGER, ipsecPeerStatNumBundlesNegotiating INTEGER, ipsecPeerStatNumBundlesEstablished INTEGER, ipsecPeerStatPh1LToken INTEGER, ipsecPeerStatPh1RToken INTEGER, ipsecPeerStatIsdnCBNextMode INTEGER, ipsecPeerStatNatDetect INTEGER, ipsecPeerStatNatTLocalPort INTEGER, ipsecPeerStatNatTRemotePort INTEGER, ipsecPeerStatMtu INTEGER, ipsecPeerStatRxIdle TimeTicks, ipsecPeerStatTxIdle TimeTicks, ipsecPeerStatDPD INTEGER, ipsecPeerStatDPDRetries INTEGER, -- IKEv2 specific Peer parameters ipsecPeerStatNumIkeSas INTEGER, ipsecPeerStatNumIkeSasNegotiating INTEGER, ipsecPeerStatNumIkeSasEstablished INTEGER, ipsecPeerStatNumIkeSasDeleted INTEGER } ipsecPeerStatIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "A unique index identifying this entry." 
::= { ipsecPeerStatEntry 1 } ipsecPeerStatNextIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the next peer in hierarchy." ::= { ipsecPeerStatEntry 2 } ipsecPeerStatCaCerts OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-only STATUS current DESCRIPTION "Receives a comma separated list with indices of optional certificate authority certificates accepted for this peer." ::= { ipsecPeerStatEntry 3 } ipsecPeerStatPeerAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "This object shows the fixed IP address of the peer, if any." ::= { ipsecPeerStatEntry 4 } ipsecPeerStatLocalId OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-only STATUS current DESCRIPTION "The local ID used for authentication. Syntax: - X500 distinguished name: - IPV4-Address: |192.0.2.1| with or without '|' - IPV4 Address Range: |192.0.2.1-192.0.2.2| with or without '|' - IPV4 Address Subnet: |192.0.2.0/255.255.255.0| with or without '|' or: |192.0.2.0/24| with or without '|' - Key-ID: arbitrary length hexadecimal string with even number of digits: { 01 23 45 67 89 ab cd ef } - Fully Qualified User Name (FQUN): (anything) or user@domain with mandatory '@' - Fully Qualified Domain Name (FQDN): [anything] or any name without '@' not matching any other syntax NOTE(review): the Key-ID syntax given here (hexadecimal) differs from the arbitrary-string Key-ID syntax described for ikePrfLocalId and ipsecPeerPeerIds - confirm which applies. The usage of this object is deprecated, use ikePrfLocalId instead." ::= { ipsecPeerStatEntry 5 } ipsecPeerStatLocalCert OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the certificate used for local authentication in the certTable. Only useful for automatically keyed traffic with DSA or RSA authentication." ::= { ipsecPeerStatEntry 6 } ipsecPeerStatPublicInterface OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the index of the public interface for which the traffic list assigned to this peer should be valid. 
If set to -1, the traffic list is valid for all interfaces. If the traffic is routed via a different interface, no SA negotiation is performed and traffic may be unprotected unless there is another peer for the other interface." DEFVAL { -1 } ::= { ipsecPeerStatEntry 7 } ipsecPeerStatIkeProposals OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Index of default ike proposal used for peers with empty default ike proposal." ::= { ipsecPeerStatEntry 8 } ipsecPeerStatPfsIdentity OBJECT-TYPE SYNTAX INTEGER { true(1), -- delete phase 1 SAs false(2), -- do not delete phase 1 SAs default(3) -- use setting in ipsecGlobContDefaultPfsIdentity } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies whether IKE SA's should be deleted immediately after a phase 2 (IPSec-) SA pair has been negotiated. It overrides the default setting ipsecGlobContDefaultPfsIdentity if not set to 'default'. The consequence of enabling this feature is that before each phase 2 negotiation there always has to be a phase 1 negotiation. Thus individual phase 2 SAs cannot be associated with one another; in other words, even if the identity of a remote peer is known to an eavesdropper for one SA, the eavesdropper cannot conclude that the next SA is negotiated with the same remote peer. Note: Setting this flag only makes sense if configured together with id-protect mode or RSA encryption for authentication and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses). Possible values: true(1), -- delete phase 1 SAs false(2), -- do not delete phase 1 SAs default(3) -- use setting in ipsecGlobContDefaultPfsIdentity."
DEFVAL { default } ::= { ipsecPeerStatEntry 9 } ipsecPeerStatAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(14), -- Use the default settings from the ikeProposalEntry -- used or the ipsecGlobDefaultAuthMethod delete(15) -- mark this entry for deletion } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the authentication method used for this peer. It overrides the setting in the IKE proposals used. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(14), -- Use the setting from the ikeProposalEntry -- used or the ipsecGlobDefaultAuthMethod delete(15) -- mark this entry for deletion." DEFVAL { default } ::= { ipsecPeerStatEntry 10 } ipsecPeerStatIkeGroup OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies a special IKE group which is to be used for this peer only. It overrides the setting in the ikeProposal used. Possible values: 0: use the value from the ikeProposal used 1: a 768-bit MODP group 2: a 1024-bit MODP group 5: a 1536-bit MODP group" ::= { ipsecPeerStatEntry 11 } ipsecPeerStatPfsGroup OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The Diffie Hellman group used for additional Perfect Forward Secrecy (PFS) DH exponentiations. Possible values: -1: explicitly do not use PFS (overrides ipsecGlob2DefaultPfsGroup), 0: use default value from ipsecGlob2DefaultPfsGroup, 1: a 768-bit MODP group, 2: a 1024-bit MODP group, 5: a 1536-bit MODP group." 
::= { ipsecPeerStatEntry 12 } ipsecPeerStatPh1Mode OBJECT-TYPE SYNTAX INTEGER { id-protect(1), -- Use identity protection (main) mode aggressive(2), -- Use aggressive mode default(3) -- Use default setting from the -- ipsecGlobalsTable } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the exchange mode used for IKE SA negotiation. Possible values: id-protect(1), -- Use identity protection (main) mode aggressive(2), -- Use aggressive mode default(3) -- Use default settings from the -- ipsecGlobalsTable." DEFVAL { default } ::= { ipsecPeerStatEntry 13 } ipsecPeerStatIkeLifeTime OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable with the lifetime settings to be used for IKE SA negotiation with this peer. It overrides the setting in the IKE proposal used. If the lifetime pointed to by this index does not exist or is inappropriate, the lifetime from the IKE proposal used is taken." ::= { ipsecPeerStatEntry 14 } ipsecPeerStatIpsecLifeTime OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable. This lifetime overwrites the lifetimes specified for all traffic entries and their proposals referenced by this peer entry. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used." ::= { ipsecPeerStatEntry 15 } ipsecPeerStatKeepAlive OBJECT-TYPE SYNTAX INTEGER { true(1), -- rekey SA's even if no data was transferred false(2) -- do not rekey SA's if no data was transferred } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies whether IKE SA's with this peer are rekeyed even if there was no data transferred over them. Possible values: true(1), -- rekey SA's even if no data was transferred false(2) -- do not rekey SA's if no data was transferred." 
::= { ipsecPeerStatEntry 16 } ipsecPeerStatGranularity OBJECT-TYPE SYNTAX INTEGER { default(1), -- use the setting from the ipsecGlobalsTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the granularity with which SA's with this peer are created. Possible values: default(1), -- use the setting from the ipsecGlobalsTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host." DEFVAL { default } ::= { ipsecPeerStatEntry 17 } ipsecPeerStatDontVerifyPad OBJECT-TYPE SYNTAX INTEGER { false(1), -- normal, self-describing ESP padding true(2) -- old style ESP padding } MAX-ACCESS read-only STATUS current DESCRIPTION "This object is a compatibility option for older ipsec implementations. It enables or disables an old way of ESP padding (no self describing padding). Possible values: false(1), -- normal, self-describing ESP padding true(2) -- old style ESP padding." ::= { ipsecPeerStatEntry 18 } ipsecPeerStatNoPmtuDiscovery OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not perform PMTU discovery false(2), -- perform PMTU discovery default(3)-- use default settings from -- ipsecGlobContNoPmtuDiscovery } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the PMTU discovery policy for this peer. Possible values: true(1), -- do not perform PMTU discovery false(2) -- perform PMTU discovery default(3)-- use default settings from -- ipsecGlobContNoPmtuDiscovery." 
DEFVAL { default } ::= { ipsecPeerStatEntry 19 } ipsecPeerStatOperStatus OBJECT-TYPE SYNTAX INTEGER { -- *** states as defined for ifOperStatus *** up(1), down(2), -- testing(3), -- unknown(4), dormant(5), blocked(6), -- idle(32), awaiting-callback(33), -- calling-back(34), ip-lookup(35), going-up(36), wait-if(37), wait-publish(38), wait-localip(39), going-up-trans(40) } MAX-ACCESS read-only STATUS current DESCRIPTION "Peer operational state." DEFVAL { dormant } ::= { ipsecPeerStatEntry 20 } ipsecPeerStatDefaultIpsecProposals OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the default IPSec proposal used for encrypting all the traffic bound to the (optional) logical interface created for this peer." ::= { ipsecPeerStatEntry 21 } ipsecPeerStatHeartbeat OBJECT-TYPE SYNTAX INTEGER { none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4), -- send and expect heartbeats default(5) -- use setting from -- ipsecGlobContHeartbeatDefault } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies whether heartbeats should be sent over phase 1 SAs for this peer. Possible values: none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4), -- send and expect heartbeats default(5) -- use setting from -- ipsecGlobContHeartbeatDefault." DEFVAL { default } ::= { ipsecPeerStatEntry 22 } ipsecPeerStatTtl OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "This object shows the maximum period of time in seconds the peer will remain in the current state." ::= { ipsecPeerStatEntry 23 } ipsecPeerStatCurrentLocalAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The currently used local IP-address for this peer." 
::= { ipsecPeerStatEntry 24 } ipsecPeerStatCurrentRemoteAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The currently known remote IP-address of this peer." ::= { ipsecPeerStatEntry 25 } ipsecPeerStatNumP1 OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of current IKE SAs for this peer." ::= { ipsecPeerStatEntry 26 } ipsecPeerStatNumP1Negotiating OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of current IKE SAs in state 'negotiating' for this peer." ::= { ipsecPeerStatEntry 27 } ipsecPeerStatNumP1Established OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of current IKE SAs in state 'established' for this peer." ::= { ipsecPeerStatEntry 28 } ipsecPeerStatNumP1Deleted OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of current IKE SAs in state 'waiting_for_remove' for this peer." ::= { ipsecPeerStatEntry 29 } ipsecPeerStatNumBundles OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of current IPSec SA bundles for this peer." ::= { ipsecPeerStatEntry 30 } ipsecPeerStatNumBundlesNegotiating OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of current IPSec SA bundles in state 'negotiating' for this peer." ::= { ipsecPeerStatEntry 31 } ipsecPeerStatNumBundlesEstablished OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of current IPSec SA bundles in state 'established' for this peer." ::= { ipsecPeerStatEntry 32 } ipsecPeerStatPh1LToken OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Locally generated token that must be used by triggered peer upon call back."
::= { ipsecPeerStatEntry 33 } ipsecPeerStatPh1RToken OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "Remotely generated token which must be used during phase one of IPsec connection establishment." ::= { ipsecPeerStatEntry 34 } ipsecPeerStatIsdnCBNextMode OBJECT-TYPE SYNTAX INTEGER { unknown(1), d-llc(2), d-subaddr(3), d-llc-subaddr(4), b(5) } MAX-ACCESS read-only STATUS current DESCRIPTION "Defines the callback mode that is to be tried next. The following modes are defined: unknown(1) -- still unset, derive it from other settings d-llc(2) -- use D channel mode with LLC next d-subaddr(3) -- use D channel mode with SUBADDR next d-llc-subaddr(4) -- use D channel mode with LLC and SUBADDR next b(5) -- use B channel mode next The default value for this variable is unknown(1)." DEFVAL { unknown } ::= { ipsecPeerStatEntry 35 } ipsecPeerStatNatDetect OBJECT-TYPE SYNTAX INTEGER { local(1), -- local NAT detected remote(2), -- remote NAT detected both(3), -- local and remote NAT detected none(4), -- no NAT present unknown(8) -- NAT detection not finished } MAX-ACCESS read-only STATUS current DESCRIPTION "The latest result of the NAT detection performed with the peer. Possible values: local(1), -- local NAT detected remote(2), -- remote NAT detected both(3), -- local and remote NAT detected none(4), -- no NAT present unknown(8) -- NAT detection not performed or not finished." ::= { ipsecPeerStatEntry 36 } ipsecPeerStatNatTLocalPort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The local port currently used for NAT-T IKE and ESP SAs with this Peer." ::= { ipsecPeerStatEntry 37 } ipsecPeerStatNatTRemotePort OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The remote port currently used for NAT-T IKE and ESP SAs with this Peer."
::= { ipsecPeerStatEntry 38 } ipsecPeerStatMtu OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The current MTU of this peer. This value is copied to ifMtu if ipsecPeerVirtualInterface is set to enabled." DEFVAL { 1418 } ::= { ipsecPeerStatEntry 39 } ipsecPeerStatRxIdle OBJECT-TYPE SYNTAX TimeTicks MAX-ACCESS read-only STATUS current DESCRIPTION "The time period for which no packet has been received from this peer." ::= { ipsecPeerStatEntry 40 } ipsecPeerStatTxIdle OBJECT-TYPE SYNTAX TimeTicks MAX-ACCESS read-only STATUS current DESCRIPTION "The time period for which no packet has been transmitted to this peer." ::= { ipsecPeerStatEntry 41 } ipsecPeerStatDPD OBJECT-TYPE SYNTAX INTEGER { none(1), -- DPD not active v1(2), -- DPD Version 1 active v1-idle(3), -- DPD Version 1 in idle mode active ikev2(4) -- IKEv2 INFORMATIONAL exchanges active } MAX-ACCESS read-only STATUS current DESCRIPTION "The type of Dead Peer Detection (DPD) currently active for this peer. Possible values: none(1) -- DPD not active v1(2) -- DPD Version 1 active v1-idle(3) -- DPD Version 1 in idle mode active ikev2(4) -- IKEv2 INFORMATIONAL exchanges active." DEFVAL { none } ::= { ipsecPeerStatEntry 42 } ipsecPeerStatDPDRetries OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of DPD retries currently sent without reply." ::= { ipsecPeerStatEntry 43 } ipsecPeerStatNumIkeSas OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of current IKE SAs for this peer (only for IKEv2)." ::= { ipsecPeerStatEntry 44 } ipsecPeerStatNumIkeSasNegotiating OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of current IKE SAs in state 'negotiating' for this peer (only for IKEv2)."
::= { ipsecPeerStatEntry 45 } ipsecPeerStatNumIkeSasEstablished OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of current IKE SAs in state 'established' for this peer (only for IKEv2)." ::= { ipsecPeerStatEntry 46 } ipsecPeerStatNumIkeSasDeleted OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of current IKE SAs in state 'waiting_for_remove' for this peer (only for IKEv2)." ::= { ipsecPeerStatEntry 47 } -- End IPSec Peer Status and Statistic Variables Table -- IKE Proposal Table ikeProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeProposalEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of IKE proposals. The entries may be concatenated on a logical-or basis using the NextChoice field to form choices of multiple proposals." ::= { ipsec 6 } ikeProposalEntry OBJECT-TYPE SYNTAX IkeProposalEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains an IKE proposal, i.e. the encryption algorithm and the hash algorithm used to protect traffic sent over an IKE SA." INDEX { ikePropEncAlg } ::= { ikeProposalTable 1 } IkeProposalEntry ::= SEQUENCE { ikePropIndex INTEGER, ikePropNextChoice INTEGER, ikePropDescription DisplayString, ikePropEncAlg INTEGER, ikePropHashAlg INTEGER, ikePropGroup INTEGER, ikePropAuthMethod INTEGER, ikePropEncKeySize INTEGER, ikePropEncKeySizeMin INTEGER, ikePropEncKeySizeMax INTEGER } ikePropIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "A unique index identifying this entry." ::= { ikeProposalEntry 1 } ikePropNextChoice OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the index of the next proposal of a choice of proposals. If this object is 0, this marks the end of a proposal chain."
::= { ikeProposalEntry 2 } ikePropDescription OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "An optional textual description of the proposal chain beginning at this entry." ::= { ikeProposalEntry 3 } ikePropEncAlg OBJECT-TYPE SYNTAX INTEGER { none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4),-- Blowfish in CBC mode cast128-cbc(5), -- CAST in CBC mode with 128 bit key twofish-cbc(6), -- Twofish in CBC mode aes-cbc(7), -- AES in CBC mode rijndael-cbc(31) -- rijndael (former name for AES) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the encryption algorithm used to protect traffic sent over an IKE SA. Possible values: none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4), -- Blowfish in CBC mode cast128-cbc(5) -- CAST in CBC mode with 128 bit key twofish-cbc(6), -- Twofish in CBC mode aes-cbc(7), -- AES in CBC mode rijndael-cbc(31) -- rijndael (former name for AES)." DEFVAL { aes-cbc } ::= { ikeProposalEntry 4 } ikePropHashAlg OBJECT-TYPE SYNTAX INTEGER { delete(1), -- Delete this entry none(2), -- No hash algorithm md5(3), -- The MD5 hash algorithm sha1(4), -- The Secure Hash Algorithm ripemd160(5), -- The RipeMD160 Hash Algorithm tiger192(6) -- The Tiger Hash Algorithm } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the hash algorithm used to protect traffic sent over an IKE SA. Possible values: delete(1), -- Delete this entry none(2), -- No hash algorithm md5(3), -- The MD5 hash algorithm sha1(4), -- The Secure Hash Algorithm ripemd160(5),-- The RipeMD160 Hash Algorithm tiger192(6) -- The Tiger Hash Algorithm." DEFVAL { ripemd160 } ::= { ikeProposalEntry 5 } ikePropGroup OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "Index of the IKE group used with this proposal. 
It may be overridden by a valid IKE group index of an IPSec peer or in ipsecGlobDefaultIkeGroup. Possible values: 0 (use default setting in ipsecPeerIkeGroup or ipsecGlobDefaultIkeGroup), 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP)." DEFVAL { 2 } ::= { ikeProposalEntry 7 } ikePropAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(33) -- Use default authentication method } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the authentication method used with this proposal. It may be overridden by the setting in the ipsecPeerEntry table. If set to 'default' the value in ipsecGlobDefaultAuthMethod is used. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(33) -- Use default authentication method." DEFVAL { default } ::= { ikeProposalEntry 8 } ikePropEncKeySize OBJECT-TYPE SYNTAX INTEGER (0..2048) UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the encryption key size used with this proposal. The limits for the individual algorithms can be seen in the ipsecAlgorithmTable. If a length outside the limits for the specified algorithm is specified, it is reset to the max/min value possible." ::= { ikeProposalEntry 9 } ikePropEncKeySizeMin OBJECT-TYPE SYNTAX INTEGER (0..2048) UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the minimum encryption key size accepted with this proposal. The limits for the individual algorithms can be seen in the ipsecAlgorithmTable. If a length outside the limits for the specified algorithm is specified, it is reset to the max/min value possible."
::= { ikeProposalEntry 10 } ikePropEncKeySizeMax OBJECT-TYPE SYNTAX INTEGER (0..2048) UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the maximum encryption key size accepted with this proposal. The limits for the individual algorithms can be seen in the ipsecAlgorithmTable. If a length outside the limits for the specified algorithm is specified, it is reset to the max/min value possible." ::= { ikeProposalEntry 11 } -- End IKE Proposal Table -- IPSec Traffic Table ipsecTrafficTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecTrafficEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains lists of Traffic and the actions which should be applied to it, together with the necessary parameters." ::= { ipsec 7 } ipsecTrafficEntry OBJECT-TYPE SYNTAX IpsecTrafficEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains a description of a type of IP traffic and the action which should be applied to it together with the necessary parameters." INDEX { ipsecTrProto } ::= { ipsecTrafficTable 1 } IpsecTrafficEntry ::= SEQUENCE { ipsecTrIndex INTEGER, ipsecTrNextIndex INTEGER, ipsecTrDescription DisplayString, ipsecTrLocalAddressType INTEGER, ipsecTrLocalAddress IpAddress, ipsecTrLocalMaskLen INTEGER, ipsecTrLocalRange IpAddress, ipsecTrRemoteAddressType INTEGER, ipsecTrRemoteAddress IpAddress, ipsecTrRemoteMaskLen INTEGER, ipsecTrRemoteRange IpAddress, ipsecTrProto INTEGER, ipsecTrLocalPort INTEGER, ipsecTrRemotePort INTEGER, ipsecTrAction INTEGER, ipsecTrProposal INTEGER, ipsecTrForceTunnelMode INTEGER, ipsecTrLifeTime INTEGER, ipsecTrGranularity INTEGER, ipsecTrKeepAlive INTEGER, ipsecTrProfile INTEGER, ipsecTrInterface INTEGER, ipsecTrDirection INTEGER, ipsecTrCreator INTEGER } ipsecTrIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "A unique index identifying this entry." 
::= { ipsecTrafficEntry 1 } ipsecTrNextIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the index of the next traffic entry in hierarchy." ::= { ipsecTrafficEntry 2 } ipsecTrDescription OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "An optional human readable description for this traffic entry." ::= { ipsecTrafficEntry 3 } ipsecTrLocalAddressType OBJECT-TYPE SYNTAX INTEGER { fixed(1), -- fixed address ph1(2) -- own dynamic phase 1 address } MAX-ACCESS read-write STATUS current DESCRIPTION "The type of the local address specification. This may be either a statically configured address or a dynamic address which is taken from some state information." DEFVAL { fixed } ::= { ipsecTrafficEntry 21 } ipsecTrLocalAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The source IP-address of this traffic entry. It may be either a single address, a network address (in combination with ipsecTrSrcMask), or the first address of an address range (in combination with ipsecTrLocalRange)." ::= { ipsecTrafficEntry 4 } ipsecTrLocalMaskLen OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "The length of the network mask for a source network." ::= { ipsecTrafficEntry 5 } ipsecTrLocalRange OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The last address of a source address range. If this field is nonzero, the ipsecTrLocalMaskLen field is ignored and the source is considered as a range of addresses beginning with ipsecTrLocalAddress and ending with ipsecTrLocalRange." ::= { ipsecTrafficEntry 6 } ipsecTrRemoteAddressType OBJECT-TYPE SYNTAX INTEGER { fixed(1), -- fixed address ph1(2), -- remote dynamic phase 1 address dhcp(3) -- remote ip address retrieved via DHCP } MAX-ACCESS read-write STATUS current DESCRIPTION "The type of the remote address specification.
This may be either a statically configured address or a dynamic address which is taken from some state information." DEFVAL { fixed } ::= { ipsecTrafficEntry 22 } ipsecTrRemoteAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The destination IP-address of this traffic entry. It may be either a single address, a network address (in combination with ipsecTrDstMask), or the first address of an address range (in combination with ipsecTrRemoteRange)." ::= { ipsecTrafficEntry 7 } ipsecTrRemoteMaskLen OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "The length of the network mask for a destination network." ::= { ipsecTrafficEntry 8 } ipsecTrRemoteRange OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The last address of a destination address range. If this field is nonzero, the ipsecTrRemoteMaskLen field is ignored and the destination is considered as a range of addresses beginning with ipsecTrRemoteAddress and ending with ipsecTrRemoteRange."
::= { ipsecTrafficEntry 9 } ipsecTrProto OBJECT-TYPE SYNTAX INTEGER { icmp(1), igmp(2), ggp(3), ipip(4), st(5), tcp(6), cbt(7), egp(8), igp(9), bbn(10), nvp(11), pup(12), argus(13), emcon(14), xnet(15), chaos(16), udp(17), mux(18), dcn(19), hmp(20), prm(21), xns(22), trunk1(23), trunk2(24), leaf1(25), leaf2(26), rdp(27), irtp(28), isotp4(29), netblt(30), mfe(31), merit(32), sep(33), pc3(34), idpr(35), xtp(36), ddp(37), idprc(38), tp(39), il(40), ipv6(41), sdrp(42), ipv6route(43), ipv6frag(44), idrp(45), rsvp(46), gre(47), mhrp(48), bna(49), esp(50), ah(51), inlsp(52), swipe(53), narp(54), mobile(55), tlsp(56), skip(57), ipv6icmp(58), ipv6nonxt(59), ipv6opts(60), ipproto-61(61), cftp(62), local(63), sat(64), kryptolan(65), rvd(66), ippc(67), distfs(68), satmon(69), visa(70), ipcv(71), cpnx(72), cphb(73), wsn(74), pvp(75), brsatmon(76), sunnd(77), wbmon(78), wbexpak(79), isoip(80), vmtp(81), securevmtp(82), vines(83), ttp(84), nsfnet(85), dgp(86), tcf(87), eigrp(88), ospfigp(89), sprite(90), larp(91), mtp(92), ax25(93), ipwip(94), micp(95), scc(96), etherip(97), encap(98), encrypt(99), gmtp(100), ifmp(101), pnni(102), pim(103), aris(104), scps(105), qnx(106), an(107), ippcp(108), snp(109), compaq(110), ipxip(111), vrrp(112), pgm(113), hop0(114), l2tp(115), ipproto-116(116), ipproto-117(117), ipproto-118(118), ipproto-119(119), ipproto-120(120), ipproto-121(121), ipproto-122(122), ipproto-123(123), ipproto-124(124), ipproto-125(125), ipproto-126(126), ipproto-127(127), ipproto-128(128), ipproto-129(129), ipproto-130(130), ipproto-131(131), ipproto-132(132), ipproto-133(133), ipproto-134(134), ipproto-135(135), ipproto-136(136), ipproto-137(137), ipproto-138(138), ipproto-139(139), ipproto-140(140), ipproto-141(141), ipproto-142(142), ipproto-143(143), ipproto-144(144), ipproto-145(145), ipproto-146(146), ipproto-147(147), ipproto-148(148), ipproto-149(149), ipproto-150(150), ipproto-151(151), ipproto-152(152), ipproto-153(153), ipproto-154(154), ipproto-155(155), 
ipproto-156(156), ipproto-157(157), ipproto-158(158), ipproto-159(159), ipproto-160(160), ipproto-161(161), ipproto-162(162), ipproto-163(163), ipproto-164(164), ipproto-165(165), ipproto-166(166), ipproto-167(167), ipproto-168(168), ipproto-169(169), ipproto-170(170), ipproto-171(171), ipproto-172(172), ipproto-173(173), ipproto-174(174), ipproto-175(175), ipproto-176(176), ipproto-177(177), ipproto-178(178), ipproto-179(179), ipproto-180(180), ipproto-181(181), ipproto-182(182), ipproto-183(183), ipproto-184(184), ipproto-185(185), ipproto-186(186), ipproto-187(187), ipproto-188(188), ipproto-189(189), ipproto-190(190), ipproto-191(191), ipproto-192(192), ipproto-193(193), ipproto-194(194), ipproto-195(195), ipproto-196(196), ipproto-197(197), ipproto-198(198), ipproto-199(199), ipproto-200(200), ipproto-201(201), ipproto-202(202), ipproto-203(203), ipproto-204(204), ipproto-205(205), ipproto-206(206), ipproto-207(207), ipproto-208(208), ipproto-209(209), ipproto-210(210), ipproto-211(211), ipproto-212(212), ipproto-213(213), ipproto-214(214), ipproto-215(215), ipproto-216(216), ipproto-217(217), ipproto-218(218), ipproto-219(219), ipproto-220(220), ipproto-221(221), ipproto-222(222), ipproto-223(223), ipproto-224(224), ipproto-225(225), ipproto-226(226), ipproto-227(227), ipproto-228(228), ipproto-229(229), ipproto-230(230), ipproto-231(231), ipproto-232(232), ipproto-233(233), ipproto-234(234), ipproto-235(235), ipproto-236(236), ipproto-237(237), ipproto-238(238), ipproto-239(239), ipproto-240(240), ipproto-241(241), ipproto-242(242), ipproto-243(243), ipproto-244(244), ipproto-245(245), ipproto-246(246), ipproto-247(247), ipproto-248(248), ipproto-249(249), ipproto-250(250), ipproto-251(251), ipproto-252(252), ipproto-253(253), ipproto-254(254), dont-verify(255) } MAX-ACCESS read-write STATUS current DESCRIPTION "The transport protocol defined for this entry." 
DEFVAL { dont-verify } ::= { ipsecTrafficEntry 10 } ipsecTrLocalPort OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "The source port defined for this traffic entry." ::= { ipsecTrafficEntry 11 } ipsecTrRemotePort OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "The destination port defined for this traffic entry." ::= { ipsecTrafficEntry 12 } ipsecTrAction OBJECT-TYPE SYNTAX INTEGER { delete(1), -- Delete this entry always-plain(2), -- Forward the packets without -- protection even if there is a -- matching SA and independent from -- the position of the traffic entry -- in the list. pass(3), -- Forward the packets without -- protection protect(4), -- Protect the traffic as specified -- in the proposal. Drop unprotected -- traffic of this kind. drop(5) -- Drop all packets matching this -- traffic entry } MAX-ACCESS read-write STATUS current DESCRIPTION "The action to be applied to traffic matching this entry. Possible values: delete(1), -- Delete this entry always-plain(2), -- Forward the packets without -- protection even if there is a -- matching SA and independent from -- the position of the traffic entry -- in the list. pass(3), -- Forward the packets without -- protection protect(4), -- Protect the traffic as specified -- in the proposal. Drop unprotected -- traffic of this kind. drop(5) -- Drop all packets matching this -- traffic entry." DEFVAL { protect } ::= { ipsecTrafficEntry 13 } ipsecTrProposal OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies an index in the ipsecProposalTable. This may be the first proposal of possibly a choice of multiple, optionally nested proposals which is to be offered with IKE (automatic keying) or a manual proposal (manual keying)." 
::= { ipsecTrafficEntry 14 } ipsecTrForceTunnelMode OBJECT-TYPE SYNTAX INTEGER { true(1), -- Use tunnel mode even if transport mode is possible false(2) -- Use transport mode whenever possible } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the strategy when transport mode is used. By default, the system always uses transport mode, if possible. If this variable is set to true, tunnel mode will always be used for this traffic entry, even if source and destination address match the tunnel endpoints. Possible values: true(1), -- Use tunnel mode even if transport mode is possible false(2) -- Use transport mode whenever possible." ::= { ipsecTrafficEntry 15 } ipsecTrLifeTime OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable. This lifetime overwrites the lifetimes specified for all proposals referenced by this traffic entry. It may itself be overwritten by an explicit lifetime specified for the peer entry referencing this traffic entry. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used." ::= { ipsecTrafficEntry 16 } ipsecTrGranularity OBJECT-TYPE SYNTAX INTEGER { default(1), -- use the setting from the ipsecPeerTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the granularity with which SA's must be created for this kind of traffic. Possible values: default(1), -- use the setting from the ipsecPeerTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host."
DEFVAL { default } ::= { ipsecTrafficEntry 17 } ipsecTrKeepAlive OBJECT-TYPE SYNTAX INTEGER { true(1), -- rekey SA's even if no data was transferred false(2), -- do not rekey SA's if no data was transferred default(3) -- use the default setting from the peer entry -- referencing this traffic entry } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies whether SA's created for this kind of traffic should be rekeyed on expiration of soft lifetimes even if there has not been sent any traffic over them. Possible values: true(1), -- rekey SA's even if no data was transferred false(2), -- do not rekey SA's if no data was transferred default(3) -- use the default setting from the peer entry -- referencing this traffic entry." DEFVAL { default } ::= { ipsecTrafficEntry 18 } ipsecTrProfile OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "The index from the ipsecProfileTable containing a special phase 2 profile to use for this traffic entry." ::= { ipsecTrafficEntry 23 } ipsecTrInterface OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the interface for which the traffic entry should be valid (pass, drop and protect entries). If this object is set to -1, there is no interface restriction." DEFVAL { -1 } ::= { ipsecTrafficEntry 19 } ipsecTrDirection OBJECT-TYPE SYNTAX INTEGER { bidirectional(1), -- matches packets from remote to local -- and vice versa inbound(2), -- matches only packets from remote to local outbound(3) -- matches only packets from local to remote } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the direction for which this traffic entry should match. It only applies for pass and drop entries, for protect entries it is meaningless. Possible values: bidirectional(1), -- matches packets from remote to local -- and vice versa inbound(2), -- matches only packets from remote to local outbound(3) -- matches only packets from local to remote." 
DEFVAL { 1 } ::= { ipsecTrafficEntry 20 } ipsecTrCreator OBJECT-TYPE SYNTAX INTEGER { config(1), -- created by configd/snmp radius-preset(2), -- created by RADIUS preset radius(3), -- created by dynamic RADIUS ike(4) -- created by IKE (for dynamic client) } MAX-ACCESS read-only STATUS current DESCRIPTION "This object shows the creator of the traffic entry." DEFVAL { config } ::= { ipsecTrafficEntry 36 } -- End IPSec Traffic Table -- IPSec Algorithm definition table ipsecAlgorithmTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecAlgorithmEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of supported IPSec algorithms and their key sizes." ::= { ipsec 17 } ipsecAlgorithmEntry OBJECT-TYPE SYNTAX IpsecAlgorithmEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains an IPSec algorithm." INDEX { ipsecAlgId } ::= { ipsecAlgorithmTable 1 } IpsecAlgorithmEntry ::= SEQUENCE { ipsecAlgId INTEGER, ipsecAlgMinKeySize INTEGER, ipsecAlgDefKeySize INTEGER, ipsecAlgMaxKeySize INTEGER, ipsecAlgUseMinKeySize INTEGER, ipsecAlgUseDefKeySize INTEGER, ipsecAlgUseMaxKeySize INTEGER } ipsecAlgId OBJECT-TYPE SYNTAX INTEGER { aes(1), -- AES cipher alg twofish(2), -- Twofish cipher alg blowfish(3), -- Blowfish cipher alg cast(4), -- Cast cipher alg des3(5), -- Triple DES cipher alg des(6), -- DES cipher alg null(7), -- NULL pseudo cipher rijndael(31) -- rijndael (former name for AES) } MAX-ACCESS read-only STATUS current DESCRIPTION "The id of the algorithm. Possible values: aes(1), -- AES cipher alg twofish(2), -- Twofish cipher alg blowfish(3), -- Blowfish cipher alg cast(4), -- Cast cipher alg des3(5), -- Triple DES cipher alg des(6), -- DES cipher alg null(7), -- NULL pseudo cipher rijndael(31) -- rijndael (former name for AES)." ::= { ipsecAlgorithmEntry 1 } ipsecAlgMinKeySize OBJECT-TYPE SYNTAX INTEGER (0..2048) UNITS "bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The minimum key length in bits possible for this algorithm." 
::= { ipsecAlgorithmEntry 3 } ipsecAlgDefKeySize OBJECT-TYPE SYNTAX INTEGER (0..2048) UNITS "bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The default key length in bits used for this algorithm." ::= { ipsecAlgorithmEntry 4 } ipsecAlgMaxKeySize OBJECT-TYPE SYNTAX INTEGER (0..2048) UNITS "bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum key length in bits possible for this algorithm." ::= { ipsecAlgorithmEntry 5 } ipsecAlgUseMinKeySize OBJECT-TYPE SYNTAX INTEGER (0..2048) UNITS "bits" MAX-ACCESS read-only STATUS obsolete DESCRIPTION "WARNING: this object is obsolete and must not be used." ::= { ipsecAlgorithmEntry 6 } ipsecAlgUseDefKeySize OBJECT-TYPE SYNTAX INTEGER (0..2048) UNITS "bits" MAX-ACCESS read-only STATUS obsolete DESCRIPTION "WARNING: this object is obsolete and must not be used." ::= { ipsecAlgorithmEntry 7 } ipsecAlgUseMaxKeySize OBJECT-TYPE SYNTAX INTEGER (0..2048) UNITS "bits" MAX-ACCESS read-only STATUS obsolete DESCRIPTION "WARNING: this object is obsolete and must not be used." ::= { ipsecAlgorithmEntry 8 } -- End IPSec Algorithm definition table -- IPSec Proposal Table ipsecProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecProposalEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of IPSec proposals known to the system. The combinations of algorithms allowed are constructed from any combinations of algorithms enabled in an entry, in the order of the preferences specified." ::= { ipsec 8 } ipsecProposalEntry OBJECT-TYPE SYNTAX IpsecProposalEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains an IPSec proposal, i.e. a proposed set of security parameters applied to traffic sent over an IPSec security association." 
INDEX { ipsecPropProto } ::= { ipsecProposalTable 1 } IpsecProposalEntry ::= SEQUENCE { ipsecPropIndex INTEGER, ipsecPropNext INTEGER, ipsecPropDescription DisplayString, ipsecPropProto INTEGER, ipsecPropIpcomp INTEGER, ipsecPropEspAes INTEGER, ipsecPropEspTwofish INTEGER, ipsecPropEspBlowfish INTEGER, ipsecPropEspCast INTEGER, ipsecPropEspDes3 INTEGER, ipsecPropEspDes INTEGER, ipsecPropEspNull INTEGER, ipsecPropEspRijndael INTEGER, ipsecPropEspMd5 INTEGER, ipsecPropEspSha1 INTEGER, ipsecPropEspNoMac INTEGER, ipsecPropAhMd5 INTEGER, ipsecPropAhSha1 INTEGER, ipsecPropIpcompDeflate INTEGER, ipsecPropAesKeySize INTEGER, ipsecPropAesKeySizeMin INTEGER, ipsecPropAesKeySizeMax INTEGER, ipsecPropBlowfishKeySize INTEGER, ipsecPropBlowfishKeySizeMin INTEGER, ipsecPropBlowfishKeySizeMax INTEGER, ipsecPropTwofishKeySize INTEGER, ipsecPropTwofishKeySizeMin INTEGER, ipsecPropTwofishKeySizeMax INTEGER } ipsecPropIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "A unique index for this entry." ::= { ipsecProposalEntry 1 } ipsecPropNext OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "The index of the next Proposal in the actual chain." ::= { ipsecProposalEntry 2 } ipsecPropDescription OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "An optional human readable description for this proposal." ::= { ipsecProposalEntry 4 } ipsecPropProto OBJECT-TYPE SYNTAX INTEGER { esp(1), -- Encapsulating Security Payload ah(2), -- Authentication Header esp-ah(3), -- ESP and AH delete(8) -- delete this entry } MAX-ACCESS read-write STATUS current DESCRIPTION "The security protocol to apply. Possible values: esp(1), -- Encapsulating Security Payload ah(2), -- Authentication Header esp-ah(3), -- ESP and AH delete(8) -- delete this entry." 
DEFVAL { esp } ::= { ipsecProposalEntry 6 } ipsecPropIpcomp OBJECT-TYPE SYNTAX INTEGER { enabled(1), -- Enable IPComP disabled(2), -- Disable IPComP force(3) -- Force use of IPComP } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of IPComP in the proposal. Possible values: enabled(1), -- Enable IPComP disabled(2), -- Disable IPComP force(3) -- Force use of IPComP." DEFVAL { disabled } ::= { ipsecProposalEntry 20 } ipsecPropEspAes OBJECT-TYPE SYNTAX INTEGER (0..7) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the AES encryption algorithm in the proposal. Possible values: 0, -- disables AES 1..7 -- enables AES and specifies its priority among the encryption algorithms." ::= { ipsecProposalEntry 40 } ipsecPropEspTwofish OBJECT-TYPE SYNTAX INTEGER (0..7) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the Twofish encryption algorithm in the proposal. Possible values: 0, -- disables Twofish 1..7 -- enables Twofish and specifies its priority among the encryption algorithms." ::= { ipsecProposalEntry 41 } ipsecPropEspBlowfish OBJECT-TYPE SYNTAX INTEGER (0..7) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the Blowfish encryption algorithm in the proposal. Possible values: 0, -- disables Blowfish 1..7 -- enables Blowfish and specifies its priority among the encryption algorithms." ::= { ipsecProposalEntry 42 } ipsecPropEspCast OBJECT-TYPE SYNTAX INTEGER (0..7) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the Cast encryption algorithm in the proposal. Possible values: 0, -- disables Cast 1..7 -- enables Cast and specifies its priority among the encryption algorithms." ::= { ipsecProposalEntry 43 } ipsecPropEspDes3 OBJECT-TYPE SYNTAX INTEGER (0..7) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the DES3 encryption algorithm in the proposal. 
Possible values: 0, -- disables DES3 1..7 -- enables DES3 and specifies its priority among the encryption algorithms." ::= { ipsecProposalEntry 44 } ipsecPropEspDes OBJECT-TYPE SYNTAX INTEGER (0..7) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the DES encryption algorithm in the proposal. Possible values: 0, -- disables DES 1..7 -- enables DES and specifies its priority among the encryption algorithms." ::= { ipsecProposalEntry 45 } ipsecPropEspNull OBJECT-TYPE SYNTAX INTEGER (0..7) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the NULL pseudo cipher (no encryption, i.e. no confidentiality for the protected traffic) in the proposal. Possible values: 0, -- disables NULL 1..7 -- enables NULL and specifies its priority among the encryption algorithms." ::= { ipsecProposalEntry 46 } ipsecPropEspRijndael OBJECT-TYPE SYNTAX INTEGER (-1..7) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the Rijndael encryption algorithm in the proposal. The use of this object is deprecated since rijndael has been accepted as the algorithm for AES. Its value is transferred to ipsecPropEspAes, if different from -1. Possible values: -1 -- use ipsecPropEspAes to determine the priority value 0, -- disables Rijndael 1..7 -- enables Rijndael and specifies its priority among the encryption algorithms." DEFVAL { -1 } ::= { ipsecProposalEntry 49 } ipsecPropEspMd5 OBJECT-TYPE SYNTAX INTEGER (0..3) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the MD5 authentication algorithm for ESP in the proposal. Possible values: 0, -- disables MD5 1..3 -- enables MD5 and specifies its priority among the authentication algorithms." ::= { ipsecProposalEntry 50 } ipsecPropEspSha1 OBJECT-TYPE SYNTAX INTEGER (0..3) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the Sha1 authentication algorithm for ESP in the proposal. 
Possible values: 0, -- disables SHA-1 1..3 -- enables SHA-1 and specifies its priority among the authentication algorithms." ::= { ipsecProposalEntry 51 } ipsecPropEspNoMac OBJECT-TYPE SYNTAX INTEGER (0..3) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether ESP without authentication (i.e. without integrity protection of the protected traffic) is allowed in the proposal. Possible values: 0, -- disables ESP without authentication 1..3 -- enables ESP without authentication and specifies its priority among the other authentication algorithms enabled for ESP." ::= { ipsecProposalEntry 52 } ipsecPropAhMd5 OBJECT-TYPE SYNTAX INTEGER (0..2) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the MD5 authentication algorithm for AH in the proposal. Possible values: 0, -- disables MD5 1..2 -- enables MD5 and specifies its priority among the authentication algorithms." ::= { ipsecProposalEntry 60 } ipsecPropAhSha1 OBJECT-TYPE SYNTAX INTEGER (0..2) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the Sha1 authentication algorithm for AH in the proposal. Possible values: 0, -- disables SHA-1 1..2 -- enables SHA-1 and specifies its priority among the authentication algorithms." ::= { ipsecProposalEntry 61 } ipsecPropIpcompDeflate OBJECT-TYPE SYNTAX INTEGER (0..1) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the use of the DEFLATE compression algorithm in the proposal. Possible values: 0, -- disables DEFLATE 1..1 -- enables DEFLATE and specifies its priority among the compression algorithms." ::= { ipsecProposalEntry 70 } ipsecPropAesKeySize OBJECT-TYPE SYNTAX INTEGER { aes128(128), -- use 128 bit AES aes192(192), -- use 192 bit AES aes256(256) -- use 256 bit AES } UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the key size in bits for the AES algorithm, if enabled. Possible Values: aes128(128), -- use 128 bit AES aes192(192), -- use 192 bit AES aes256(256) -- use 256 bit AES." 
::= { ipsecProposalEntry 80 } ipsecPropAesKeySizeMin OBJECT-TYPE SYNTAX INTEGER { aes128(128), -- use 128 bit AES aes192(192), -- use 192 bit AES aes256(256) -- use 256 bit AES } UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the minimum accepted key size in bits for the AES algorithm, if enabled. Possible Values: aes128(128), -- use 128 bit AES aes192(192), -- use 192 bit AES aes256(256) -- use 256 bit AES." ::= { ipsecProposalEntry 81 } ipsecPropAesKeySizeMax OBJECT-TYPE SYNTAX INTEGER { aes128(128), -- use 128 bit AES aes192(192), -- use 192 bit AES aes256(256) -- use 256 bit AES } UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the maximum accepted key size in bits for the AES algorithm, if enabled. Possible Values: aes128(128), -- use 128 bit AES aes192(192), -- use 192 bit AES aes256(256) -- use 256 bit AES." ::= { ipsecProposalEntry 82 } ipsecPropBlowfishKeySize OBJECT-TYPE SYNTAX INTEGER (40..448) UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the key size in bits for the Blowfish algorithm, if enabled. Note: the key size must be a multiple of 8 bits. If not, it will be rounded up to the next 8 bit boundary." ::= { ipsecProposalEntry 83 } ipsecPropBlowfishKeySizeMin OBJECT-TYPE SYNTAX INTEGER (40..448) UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the minimum accepted key size in bits for the Blowfish algorithm, if enabled." ::= { ipsecProposalEntry 84 } ipsecPropBlowfishKeySizeMax OBJECT-TYPE SYNTAX INTEGER (40..448) UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the maximum accepted key size in bits for the Blowfish algorithm, if enabled." 
::= { ipsecProposalEntry 85 } ipsecPropTwofishKeySize OBJECT-TYPE SYNTAX INTEGER { twofish128(128), -- use 128 bit Twofish twofish192(192), -- use 192 bit Twofish twofish256(256) -- use 256 bit Twofish } UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the key size in bits for the Twofish algorithm, if enabled. Possible Values: twofish128(128), -- use 128 bit Twofish twofish192(192), -- use 192 bit Twofish twofish256(256) -- use 256 bit Twofish." ::= { ipsecProposalEntry 86 } ipsecPropTwofishKeySizeMin OBJECT-TYPE SYNTAX INTEGER { twofish128(128), -- use 128 bit Twofish twofish192(192), -- use 192 bit Twofish twofish256(256) -- use 256 bit Twofish } UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the minimum accepted key size in bits for the Twofish algorithm, if enabled. Possible Values: twofish128(128), -- use 128 bit Twofish twofish192(192), -- use 192 bit Twofish twofish256(256) -- use 256 bit Twofish." ::= { ipsecProposalEntry 87 } ipsecPropTwofishKeySizeMax OBJECT-TYPE SYNTAX INTEGER { twofish128(128), -- use 128 bit Twofish twofish192(192), -- use 192 bit Twofish twofish256(256) -- use 256 bit Twofish } UNITS "bits" MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the maximum accepted key size in bits for the Twofish algorithm, if enabled. Possible Values: twofish128(128), -- use 128 bit Twofish twofish192(192), -- use 192 bit Twofish twofish256(256) -- use 256 bit Twofish." ::= { ipsecProposalEntry 88 } -- End IPSec Proposal Table -- IPSec Life Time Table ipsecLifeTimeTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecLifeTimeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of defined lifetimes for IPsec and IKE SAs." ::= { ipsec 9 } ipsecLifeTimeEntry OBJECT-TYPE SYNTAX IpsecLifeTimeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains a lifetime, i.e. the soft and hard expiry limits for IPsec and IKE SA's. 
The usage of this table is deprecated, use the ikePrfLifeXxx and ipsecPrfLifeXxx variables in the ikeProfileTable and ipsecProfileTable directly instead." INDEX { ipsecLifeType } ::= { ipsecLifeTimeTable 1 } IpsecLifeTimeEntry ::= SEQUENCE { ipsecLifeIndex INTEGER, ipsecLifeType INTEGER, ipsecLifeHardKb INTEGER, ipsecLifeHardSec INTEGER, ipsecLifePolicy INTEGER, ipsecLifeSoftPercent INTEGER } ipsecLifeIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "A unique index identifying this entry." ::= { ipsecLifeTimeEntry 1 } ipsecLifeType OBJECT-TYPE SYNTAX INTEGER { delete(1), -- Delete this entry generic(2) } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the type of a lifetime entry." DEFVAL { generic } ::= { ipsecLifeTimeEntry 2 } ipsecLifeHardKb OBJECT-TYPE SYNTAX INTEGER UNITS "kilo bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum amount of data (in KB) which may be protected by an SA before it is deleted." DEFVAL { 0 } ::= { ipsecLifeTimeEntry 5 } ipsecLifeHardSec OBJECT-TYPE SYNTAX INTEGER UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum time (in seconds) after which an SA will be refreshed." DEFVAL { 900 } ::= { ipsecLifeTimeEntry 6 } ipsecLifePolicy OBJECT-TYPE SYNTAX INTEGER { loose(1), -- accept and use anything proposed strict(2), -- accept and use only what is configured notify(3) -- accept anything (send responder lifetime) } MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies the way the lifetime information is applied. Possible values: loose(1), -- accept and use anything proposed strict(2), -- accept and use only what is configured notify(3) -- accept anything, if own values are smaller than what was proposed use these and send responder lifetime notification." 
DEFVAL { loose } ::= { ipsecLifeTimeEntry 7 } ipsecLifeSoftPercent OBJECT-TYPE SYNTAX INTEGER (50..100) MAX-ACCESS read-only STATUS current DESCRIPTION "The percentage of the hard lifetimes (traffic and time based) after which rekeying is started." DEFVAL { 80 } ::= { ipsecLifeTimeEntry 8 } -- End IPSec Life Time Table -- IPSec global statistics Table ipsecStats OBJECT IDENTIFIER ::= { ipsec 10 } --Static table containing global IPSec statistics ipsecStatsCurrentIkeSas OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Current number of IKE SA's (both IKEv1 and IKEv2)." ::= { ipsecStats 1 } ipsecStatsCurrentIpsecSas OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Current number of IPSec SA's." ::= { ipsecStats 2 } ipsecStatsTrig OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets which triggered an IKE negotiation." ::= { ipsecStats 9 } ipsecStatsFragPkt OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of partial packets currently being reassembled." ::= { ipsecStats 10 } ipsecStatsFragBytes OBJECT-TYPE SYNTAX INTEGER UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "Total size of the partial packets currently being reassembled." ::= { ipsecStats 11 } ipsecStatsFragNonfirst OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of non-first fragments currently queued." ::= { ipsecStats 12 } ipsecStatsDecryptErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of decryption errors." ::= { ipsecStats 13 } ipsecStatsAuthErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of authentication errors." ::= { ipsecStats 14 } ipsecStatsReplayErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of replay errors." 
::= { ipsecStats 15 } ipsecStatsPolicyErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of policy errors." ::= { ipsecStats 16 } ipsecStatsOtherErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of other receive errors." ::= { ipsecStats 17 } ipsecStatsSendErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of send errors." ::= { ipsecStats 18 } ipsecStatsUnknownSpiErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of unknown SPI errors." ::= { ipsecStats 19 } ipsecStatsIkeNumP1 OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of IKE phase-1 negotiations performed. " ::= { ipsecStats 20 } ipsecStatsIkeNumFailedP1 OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of failed IKE phase-1 negotiations." ::= { ipsecStats 21 } ipsecStatsIkeNumQm OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of IKE quick-mode negotiations performed. " ::= { ipsecStats 22 } ipsecStatsIkeNumFailedQm OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of failed IKE quick-mode negotiations. " ::= { ipsecStats 23 } ipsecStatsEspCurrentInbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of active inbound ESP SAs." ::= { ipsecStats 24 } ipsecStatsEspTotalInbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound ESP SAs since the system was started." ::= { ipsecStats 25 } ipsecStatsEspCurrentOutbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of active outbound ESP SAs." ::= { ipsecStats 26 } ipsecStatsEspTotalOutbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of outbound ESP SAs since the system was started." 
::= { ipsecStats 27 } ipsecStatsAhCurrentInbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of active inbound AH SAs." ::= { ipsecStats 28 } ipsecStatsAhTotalInbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound AH SAs since the system was started." ::= { ipsecStats 29 } ipsecStatsAhCurrentOutbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of active outbound AH SAs." ::= { ipsecStats 30 } ipsecStatsAhTotalOutbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of outbound AH SAs since the system was started." ::= { ipsecStats 31 } ipsecStatsIpcompCurrentInbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of active inbound IPComp SAs." ::= { ipsecStats 32 } ipsecStatsIpcompTotalInbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound IPComp SAs since the system was started." ::= { ipsecStats 33 } ipsecStatsIpcompCurrentOutbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of active outbound IPComp SAs." ::= { ipsecStats 34 } ipsecStatsIpcompTotalOutbound OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of outbound IPComp SAs since the system was started." ::= { ipsecStats 35 } ipsecStatsPeersUp OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of Peers currently in state 'up'." ::= { ipsecStats 36 } ipsecStatsPeersBlocked OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of Peers currently in state 'blocked'." ::= { ipsecStats 37 } ipsecStatsPeersDormant OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of Peers currently in state 'dormant'." 
::= { ipsecStats 38 } ipsecStatsCurrentIkeSasNegotiating OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Current number of IKE SA's in state 'negotiating' (both IKEv1 and IKEv2)." ::= { ipsecStats 39 } ipsecStatsCurrentIkeSasEstablished OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Current number of IKE SA's in state 'established' (both IKEv1 and IKEv2)." ::= { ipsecStats 40 } ipsecStatsCurrentIkeSasDeleted OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Current number of IKE SA's in state 'deleted' or 'waiting_for_remove' (both IKEv1 and IKEv2)." ::= { ipsecStats 41 } ipsecStatsCurrentBundles OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Current number of IPSec bundles." ::= { ipsecStats 42 } ipsecStatsCurrentBundlesEstablished OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Current number of IPSec bundles in state 'established'." ::= { ipsecStats 43 } ipsecStatsCurrentBundlesNegotiating OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Current number of IPSec bundles in state 'negotiating'." ::= { ipsecStats 44 } ipsecStatsInPkt OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of packets received." ::= { ipsecStats 45 } ipsecStatsInPass OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of inbound packets passed." ::= { ipsecStats 46 } ipsecStatsInDrop OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of inbound packets dropped (error packets excluded)." ::= { ipsecStats 47 } ipsecStatsInDecaps OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of inbound packets decapsulated." ::= { ipsecStats 48 } ipsecStatsInErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of inbound error packets." 
::= { ipsecStats 49 } ipsecStatsOutPkt OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of outbound packets." ::= { ipsecStats 50 } ipsecStatsOutPass OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of outbound packets passed." ::= { ipsecStats 51 } ipsecStatsOutDrop OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of outbound packets dropped (error packets excluded)." ::= { ipsecStats 52 } ipsecStatsOutEncaps OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of outbound packets encapsulated." ::= { ipsecStats 53 } ipsecStatsOutErrors OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of outbound error packets." ::= { ipsecStats 544 } ipsecStatsInEsp OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of inbound packets decapsulated by ESP." ::= { ipsecStats 55 } ipsecStatsInAh OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of inbound packets decapsulated by AH." ::= { ipsecStats 56 } ipsecStatsInIpcomp OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of inbound packets decapsulated by IPComP." ::= { ipsecStats 57 } ipsecStatsOutEsp OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of outbound packets encapsulated by ESP." ::= { ipsecStats 58 } ipsecStatsOutAh OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of outbound packets encapsulated by AH." ::= { ipsecStats 59 } ipsecStatsOutIpcomp OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "Number of outbound packets encapsulated by IPComP." ::= { ipsecStats 60 } ipsecStatsIkev2NumIkeSas OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of IKE_SA negotiations performed (only for IKEv2)." 
::= { ipsecStats 63 } ipsecStatsIkev2NumFailedIkeSas OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of failed IKE_SA negotiations (only for IKEv2)." ::= { ipsecStats 64 } ipsecStatsIkev2NumCreateChildSas OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of CREATE_CHILD_SA exchanges performed (only for IKEv2)." ::= { ipsecStats 65 } ipsecStatsIkev2NumFailedCreateChildSas OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of failed CREATE_CHILD_SA exchanges (only for IKEv2)." ::= { ipsecStats 66 } -- IPSec Dial Table ipsecDialTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecDialEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains dial entries specifying all parameters needed for ISDN triggered call back." ::= { ipsec 12 } ipsecDialEntry OBJECT-TYPE SYNTAX IpsecDialEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains a dial entry used for mapping ISDN numbers to peers for ISDN call back feature." INDEX { ipsecDialIfIndex } ::= { ipsecDialTable 1 } IpsecDialEntry ::= SEQUENCE { ipsecDialIfIndex INTEGER, ipsecDialDirection INTEGER, ipsecDialNumber DisplayString, ipsecDialSubAddress OCTET STRING, ipsecDialTypeOfSubAddr INTEGER, ipsecDialLocalNumber DisplayString, ipsecDialLocalSubAddress OCTET STRING, ipsecDialTypeOfLocalSubAddr INTEGER, ipsecDialAdminStatus INTEGER, ipsecDialOperStatus INTEGER } ipsecDialIfIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "Index that maps to a peer in a unique way." ::= { ipsecDialEntry 1 } ipsecDialDirection OBJECT-TYPE SYNTAX INTEGER { incoming(1), outgoing(2), both(3), delete(4) } MAX-ACCESS read-write STATUS current DESCRIPTION "Calling direction for which entry applies." 
DEFVAL { both } ::= { ipsecDialEntry 2 } ipsecDialNumber OBJECT-TYPE SYNTAX DisplayString (SIZE(0..63)) MAX-ACCESS read-write STATUS current DESCRIPTION "Party number of remote peer. Used for matching calling party number on incoming calls and for called party number on outgoing calls." ::= { ipsecDialEntry 3 } ipsecDialSubAddress OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-write STATUS current DESCRIPTION "Subaddress of remote peer. Used for matching calling party subaddress on incoming calls and for called party subaddress on outgoing calls." DEFVAL { "" } ::= { ipsecDialEntry 4 } ipsecDialTypeOfSubAddr OBJECT-TYPE SYNTAX INTEGER { nsap(1), user-specified(2), reserved(3) } MAX-ACCESS read-write STATUS current DESCRIPTION "Type of subaddress of remote peer. Used for matching calling party subaddress on incoming calls and for called party subaddress on outgoing calls." DEFVAL { nsap } ::= { ipsecDialEntry 5 } ipsecDialLocalNumber OBJECT-TYPE SYNTAX DisplayString (SIZE(0..63)) MAX-ACCESS read-write STATUS current DESCRIPTION "Local Party number. Used for matching called party number on incoming calls and for calling party number on outgoing calls. Special value '*' is treated as wildcard, i.e. calls with any called party number will be accepted. Default value is '*'." DEFVAL { "*" } ::= { ipsecDialEntry 6 } ipsecDialLocalSubAddress OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-write STATUS current DESCRIPTION "Local subaddress. Used for matching called party subaddress on incoming calls and for calling party subaddress on outgoing calls. Special value '*' is treated as wildcard, i.e. calls with any called party subaddress (of arbitrary type) will be accepted. Default value is '*'." DEFVAL { "*" } ::= { ipsecDialEntry 7 } ipsecDialTypeOfLocalSubAddr OBJECT-TYPE SYNTAX INTEGER { nsap(1), user-specified(2), reserved(3) } MAX-ACCESS read-write STATUS current DESCRIPTION "Type of local subaddress. 
Used for matching called party subaddress on incoming calls and for calling party subaddress on outgoing calls. Subaddress type is only checked as long as subaddress is not '*'. Default value is nsap." DEFVAL { nsap } ::= { ipsecDialEntry 8 } ipsecDialAdminStatus OBJECT-TYPE SYNTAX INTEGER { active(1), inactive(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Administrative status for dial entry. This object allows for temporarily disabling ipsecDial entries without the need to actually delete them. This is achieved by assigning the value inactive. Default value is active." DEFVAL { active } ::= { ipsecDialEntry 9 } ipsecDialOperStatus OBJECT-TYPE SYNTAX INTEGER { active(1), inactive(2), blocked-for-outgoing(3) } MAX-ACCESS read-only STATUS current DESCRIPTION "Operational status for dial entry. This object indicates the current status of the ipsecDial entry. Besides the values defined for ipsecDialAdminStatus, the status blocked-for-outgoing is defined, which is used in case a triggered call back resulted in a cost generating connected call, to avoid unpredictably high phone bills." ::= { ipsecDialEntry 10 } -- End IPSec Dial Table -- XAUTH Profile Table xauthProfileTable OBJECT-TYPE SYNTAX SEQUENCE OF XauthProfileEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of XAUTH profiles." ::= { ipsec 18 } xauthProfileEntry OBJECT-TYPE SYNTAX XauthProfileEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains an XAUTH profile." INDEX { xauthPrfIndex } ::= { xauthProfileTable 1 } XauthProfileEntry ::= SEQUENCE { xauthPrfIndex Unsigned32, xauthPrfDescription DisplayString, xauthPrfRole INTEGER, xauthPrfMode INTEGER, xauthPrfAAAServerGroupId INTEGER, xauthPrfUserListGroupId INTEGER, xauthPrfTimeout INTEGER, xauthPrfAdminStatus INTEGER } xauthPrfIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS read-write STATUS current DESCRIPTION "A unique index identifying this entry." 
::= { xauthProfileEntry 1 } xauthPrfDescription OBJECT-TYPE SYNTAX DisplayString (SIZE (0..50)) MAX-ACCESS read-write STATUS current DESCRIPTION "An optional description for this profile, only used for descriptive purposes (max. 50 characters)." ::= { xauthProfileEntry 2 } xauthPrfRole OBJECT-TYPE SYNTAX INTEGER { server(1), -- XAUTH server client(2) -- XAUTH client } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies which role is chosen for this profile. Possible values: server(1) -- XAUTH is used and the local device is the XAUTH server, i.e. this side requests extended authentication client(2) -- XAUTH is used and the local device is the XAUTH client, i.e. this side responds with its extended authentication credentials " DEFVAL { server } ::= { xauthProfileEntry 3 } xauthPrfMode OBJECT-TYPE SYNTAX INTEGER { local(1), -- radius(2) -- } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies how user data for authentication are obtained. Possible values: local(1) -- user data are configured locally in the entries of xauthUserListTable that are referenced by xauthPrfUserListGroupId radius(2) -- user data are configured at the RADIUS server; the RADIUS server is referenced by xauthPrfAAAServerGroupId, which corresponds to radiusSrvGroupId in radiusSrvTable. 'radius' mode is only valid for the server role " DEFVAL { radius } ::= { xauthProfileEntry 4 } xauthPrfAAAServerGroupId OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the group ID which is used for RADIUS authentication to find the associated server entry in radiusSrvTable for XAUTH. See the description of radiusSrvGroupId for details. This object is only valid for entries with xauthPrfMode 'radius'." DEFVAL { 0 } ::= { xauthProfileEntry 5 } xauthPrfUserListGroupId OBJECT-TYPE SYNTAX INTEGER (1..1000) MAX-ACCESS read-write STATUS current DESCRIPTION "This object refers to a group of one or more user entries in xauthUserListTable. 
This object is only valid for entries with xauthPrfMode 'local'." DEFVAL { 1 } ::= { xauthProfileEntry 6 } xauthPrfTimeout OBJECT-TYPE SYNTAX INTEGER UNITS "seconds" MAX-ACCESS read-write STATUS obsolete DESCRIPTION "WARNING: this object is obsolete and must not be used." DEFVAL { 0 } ::= { xauthProfileEntry 7 } xauthPrfAdminStatus OBJECT-TYPE SYNTAX INTEGER { enable(1), delete(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "MIB entry deletion is performed by this object: - enable : enables the xauthProfileTable entry - delete : deletes the xauthProfileTable entry." DEFVAL { enable } ::= { xauthProfileEntry 8 } -- End XAUTH Profile Table -- XAUTH User List Table xauthUserListTable OBJECT-TYPE SYNTAX SEQUENCE OF XauthUserListEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains the list of XAUTH users." ::= { ipsec 19 } xauthUserListEntry OBJECT-TYPE SYNTAX XauthUserListEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains an XAUTH user." INDEX { xauthUserListIndex } ::= { xauthUserListTable 1 } XauthUserListEntry ::= SEQUENCE { xauthUserListIndex INTEGER, xauthUserListGroupId INTEGER, xauthUserListName DisplayString, xauthUserListPassword DisplayString, xauthUserListPasswordData OCTET STRING, xauthUserListAdminStatus INTEGER } xauthUserListIndex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "A unique index identifying this entry." ::= { xauthUserListEntry 1 } xauthUserListGroupId OBJECT-TYPE SYNTAX INTEGER (1..1000) MAX-ACCESS read-write STATUS current DESCRIPTION "ID for creating logical groups of XAUTH users." DEFVAL { 1 } ::= { xauthUserListEntry 2 } xauthUserListName OBJECT-TYPE SYNTAX DisplayString (SIZE(1..63)) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the user name." 
::= { xauthUserListEntry 3 } xauthUserListPassword OBJECT-TYPE SYNTAX DisplayString (SIZE(0..63)) MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the user's password. This field serves only as an input field; its contents are replaced with a single asterisk immediately after it is set, so the password cannot be read back via this object." ::= { xauthUserListEntry 4 } xauthUserListPasswordData OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS not-accessible STATUS current DESCRIPTION "Field used for storing the user's password permanently. It is not accessible via SNMP." ::= { xauthUserListEntry 5 } xauthUserListAdminStatus OBJECT-TYPE SYNTAX INTEGER { enable(1), delete(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "MIB entry deletion is performed by this object: - enable : enables the xauthUserListTable entry - delete : deletes the xauthUserListTable entry." DEFVAL { enable } ::= { xauthUserListEntry 6 } -- End IPSec XAUTH User Table -- IPSecPeerTraffic Table ipsecPeerTrafficTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecPeerTrafficEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains peer related lists of traffic permitted for Phase 2 negotiation. Note that all entries in this table are optional; in the default case (no entries) no restriction takes place." ::= { ipsec 29 } ipsecPeerTrafficEntry OBJECT-TYPE SYNTAX IpsecPeerTrafficEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object describes one entry of the peer related list of traffic permitted for Phase 2 negotiation. Note that all entries in this table are optional; in the default case (no entries) no restriction takes place." 
INDEX { ipsecPeerTrafficIfindex, ipsecPeerTrafficLocalAddress, ipsecPeerTrafficRemoteAddress } ::= { ipsecPeerTrafficTable 1 } IpsecPeerTrafficEntry ::= SEQUENCE { ipsecPeerTrafficIfindex INTEGER, ipsecPeerTrafficDescription DisplayString, ipsecPeerTrafficLocalAddress IpAddress, ipsecPeerTrafficLocalMask IpAddress, ipsecPeerTrafficLocalPort INTEGER, ipsecPeerTrafficLocalPortRange INTEGER, ipsecPeerTrafficRemoteAddress IpAddress, ipsecPeerTrafficRemoteMask IpAddress, ipsecPeerTrafficRemotePort INTEGER, ipsecPeerTrafficRemotePortRange INTEGER, ipsecPeerTrafficProtocol INTEGER, ipsecPeerTrafficPolicy INTEGER -- ipsecPeerTrafficAction INTEGER } ipsecPeerTrafficIfindex OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-write STATUS current DESCRIPTION "The interface index of the peer this entry belongs to; it is part of the table index." ::= { ipsecPeerTrafficEntry 1 } ipsecPeerTrafficDescription OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-write STATUS current DESCRIPTION "An optional human readable description for this entry." ::= { ipsecPeerTrafficEntry 2 } ipsecPeerTrafficLocalAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The local IP-address of this entry. It may be either a single address or a network address (in combination with ipsecPeerTrafficLocalMask)." ::= { ipsecPeerTrafficEntry 3 } ipsecPeerTrafficLocalMask OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The network mask for a local network." ::= { ipsecPeerTrafficEntry 4 } ipsecPeerTrafficLocalPort OBJECT-TYPE SYNTAX INTEGER (-1..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The local port defined for this entry." DEFVAL { -1 } ::= { ipsecPeerTrafficEntry 5 } ipsecPeerTrafficLocalPortRange OBJECT-TYPE SYNTAX INTEGER (0..65534) MAX-ACCESS read-write STATUS current DESCRIPTION "The local port range defined for this entry." 
DEFVAL { 1 } ::= { ipsecPeerTrafficEntry 6 } ipsecPeerTrafficRemoteAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The remote IP-address of this entry. It maybe either a single address or a network address (in combination with ipsecPeerTrafficRemoteMask)." ::= { ipsecPeerTrafficEntry 7 } ipsecPeerTrafficRemoteMask OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The network mask for a remote network." ::= { ipsecPeerTrafficEntry 8 } ipsecPeerTrafficRemotePort OBJECT-TYPE SYNTAX INTEGER (-1..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The remote UDP/TCP port defined for this entry." DEFVAL { -1 } ::= { ipsecPeerTrafficEntry 9 } ipsecPeerTrafficRemotePortRange OBJECT-TYPE SYNTAX INTEGER (0..65534) MAX-ACCESS read-write STATUS current DESCRIPTION "The remote UDP/TCP port range defined for this entry." DEFVAL { 1 } ::= { ipsecPeerTrafficEntry 10 } ipsecPeerTrafficProtocol OBJECT-TYPE SYNTAX INTEGER { icmp(1), igmp(2), ggp(3), ipip(4), st(5), tcp(6), cbt(7), egp(8), igp(9), bbn(10), nvp(11), pup(12), argus(13), emcon(14), xnet(15), chaos(16), udp(17), mux(18), dcn(19), hmp(20), prm(21), xns(22), trunk1(23), trunk2(24), leaf1(25), leaf2(26), rdp(27), irtp(28), isotp4(29), netblt(30), mfe(31), merit(32), sep(33), pc3(34), idpr(35), xtp(36), ddp(37), idprc(38), tp(39), il(40), ipv6(41), sdrp(42), ipv6route(43), ipv6frag(44), idrp(45), rsvp(46), gre(47), mhrp(48), bna(49), esp(50), ah(51), inlsp(52), swipe(53), narp(54), mobile(55), tlsp(56), skip(57), ipv6icmp(58), ipv6nonxt(59), ipv6opts(60), ipproto-61(61), cftp(62), local(63), sat(64), kryptolan(65), rvd(66), ippc(67), distfs(68), satmon(69), visa(70), ipcv(71), cpnx(72), cphb(73), wsn(74), pvp(75), brsatmon(76), sunnd(77), wbmon(78), wbexpak(79), isoip(80), vmtp(81), securevmtp(82), vines(83), ttp(84), nsfnet(85), dgp(86), tcf(87), eigrp(88), ospfigp(89), sprite(90), larp(91), mtp(92), ax25(93), ipwip(94), micp(95), scc(96), etherip(97), 
encap(98), encrypt(99), gmtp(100), ifmp(101), pnni(102), pim(103), aris(104), scps(105), qnx(106), an(107), ippcp(108), snp(109), compaq(110), ipxip(111), vrrp(112), pgm(113), hop0(114), l2tp(115), ipproto-116(116), ipproto-117(117), ipproto-118(118), ipproto-119(119), ipproto-120(120), ipproto-121(121), ipproto-122(122), ipproto-123(123), ipproto-124(124), ipproto-125(125), ipproto-126(126), ipproto-127(127), ipproto-128(128), ipproto-129(129), ipproto-130(130), ipproto-131(131), ipproto-132(132), ipproto-133(133), ipproto-134(134), ipproto-135(135), ipproto-136(136), ipproto-137(137), ipproto-138(138), ipproto-139(139), ipproto-140(140), ipproto-141(141), ipproto-142(142), ipproto-143(143), ipproto-144(144), ipproto-145(145), ipproto-146(146), ipproto-147(147), ipproto-148(148), ipproto-149(149), ipproto-150(150), ipproto-151(151), ipproto-152(152), ipproto-153(153), ipproto-154(154), ipproto-155(155), ipproto-156(156), ipproto-157(157), ipproto-158(158), ipproto-159(159), ipproto-160(160), ipproto-161(161), ipproto-162(162), ipproto-163(163), ipproto-164(164), ipproto-165(165), ipproto-166(166), ipproto-167(167), ipproto-168(168), ipproto-169(169), ipproto-170(170), ipproto-171(171), ipproto-172(172), ipproto-173(173), ipproto-174(174), ipproto-175(175), ipproto-176(176), ipproto-177(177), ipproto-178(178), ipproto-179(179), ipproto-180(180), ipproto-181(181), ipproto-182(182), ipproto-183(183), ipproto-184(184), ipproto-185(185), ipproto-186(186), ipproto-187(187), ipproto-188(188), ipproto-189(189), ipproto-190(190), ipproto-191(191), ipproto-192(192), ipproto-193(193), ipproto-194(194), ipproto-195(195), ipproto-196(196), ipproto-197(197), ipproto-198(198), ipproto-199(199), ipproto-200(200), ipproto-201(201), ipproto-202(202), ipproto-203(203), ipproto-204(204), ipproto-205(205), ipproto-206(206), ipproto-207(207), ipproto-208(208), ipproto-209(209), ipproto-210(210), ipproto-211(211), ipproto-212(212), ipproto-213(213), ipproto-214(214), ipproto-215(215), 
ipproto-216(216), ipproto-217(217), ipproto-218(218), ipproto-219(219), ipproto-220(220), ipproto-221(221), ipproto-222(222), ipproto-223(223), ipproto-224(224), ipproto-225(225), ipproto-226(226), ipproto-227(227), ipproto-228(228), ipproto-229(229), ipproto-230(230), ipproto-231(231), ipproto-232(232), ipproto-233(233), ipproto-234(234), ipproto-235(235), ipproto-236(236), ipproto-237(237), ipproto-238(238), ipproto-239(239), ipproto-240(240), ipproto-241(241), ipproto-242(242), ipproto-243(243), ipproto-244(244), ipproto-245(245), ipproto-246(246), ipproto-247(247), ipproto-248(248), ipproto-249(249), ipproto-250(250), ipproto-251(251), ipproto-252(252), ipproto-253(253), ipproto-254(254), dont-verify(256) } MAX-ACCESS read-write STATUS current DESCRIPTION "The transport protocol defined for this entry." DEFVAL { dont-verify } ::= { ipsecPeerTrafficEntry 11 } ipsecPeerTrafficPolicy OBJECT-TYPE SYNTAX INTEGER { delete(1), -- delete this entry role-initiator(2), -- P2 initiator mode traffic policy role-responder(3), -- P2 responder mode traffic policy both(4) -- P2 initiator as well as responder traffic policy } MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether this network policy is used for inbound, outbound or both processing. Possible values: delete(1) -- delete this entry role-initiator(2) -- P2 initiator mode traffic policy role-responder(3) -- P2 responder mode traffic policy both(4) -- P2 initiator as well as responder traffic policy." DEFVAL { role-initiator } ::= { ipsecPeerTrafficEntry 12 } -- End IPSecPeerTraffic Table END