1-- This file is corresponding to Release 9.1.10.101 from 2014/08/11 00:00:00 2 3 4--------------------------------------------------------------------------- 5-- (C)opyright 2006-2014 bintec elmeg GmbH 6-- $RCSfile: mib-ipsec,v $ 7-- $Revision: 1.39 $ 8-- $Date: 2014-02-07 11:21:02 $ 9--------------------------------------------------------------------------- 10 11FEC-IPSEC-MIB DEFINITIONS ::= BEGIN 12 13IMPORTS 14 MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, enterprises, 15 IpAddress, TimeTicks, Counter32, snmpModules, mib-2, Unsigned32, Counter64 16 FROM SNMPv2-SMI 17 DisplayString, TestAndIncr, TimeStamp 18 FROM SNMPv2-TC 19 MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP 20 FROM SNMPv2-CONF 21 ipsec, Date, HexValue, BitValue 22 FROM BINTEC-MIB 23 InetAddressIPv6 24 FROM INET-ADDRESS-MIB; 25 26 27--------------------------------------------------------------------------- 28 29ipsecMIB MODULE-IDENTITY 30 LAST-UPDATED "201308120000Z" 31 ORGANIZATION "bintec elmeg GmbH" 32 CONTACT-INFO "EMail: info@bintec-elmeg.com 33 Web: www.bintec-elmeg.com" 34 DESCRIPTION "Vendor specific Management Information for the IPSec Subsystem" 35 36 ::= { ipsec 250 } 37 38--------------------------------------------------------------------------- 39 40 41-- Global IPSec Settings 42 43 ipsecGlobals OBJECT IDENTIFIER ::= { ipsec 1 } 44 --Static table containing global settings for IPSec 45 46 47 ipsecGlobPeerIndex OBJECT-TYPE 48 SYNTAX INTEGER 49 MAX-ACCESS read-only 50 STATUS current 51 DESCRIPTION 52 "Index of first IPsec peer in ipsecPeerTable. 53 If this object is set to a Value <= 0, IPSec is switched 54 explicitly off. If the peer referenced by this object does not 55 exist in the table, all packets will be dropped." 56 ::= { ipsecGlobals 1 } 57 58 ipsecGlobEnabled OBJECT-TYPE 59 SYNTAX INTEGER { 60 true(1), -- IPSec enabled 61 false(2) -- IPSec disabled 62 } 63 MAX-ACCESS read-write 64 STATUS current 65 DESCRIPTION 66 "Enables/disables IPSec globally." 
67 DEFVAL { false } 68 ::= { ipsecGlobals 41 } 69 70 ipsecGlobDefaultAuthMethod OBJECT-TYPE 71 SYNTAX INTEGER { 72 pre-sh-key(1), -- Authentication using pre shared keys 73 dss-sig(2), -- Authentication using DSS signatures 74 rsa-sig(3), -- Authentication using RSA signatures 75 rsa-enc(4) -- Authentication using RSA encryption 76 } 77 MAX-ACCESS read-only 78 STATUS current 79 DESCRIPTION 80 "This object specifies the authentication method used by default. 81 If the ipsecPeerAuthMethod field of an ipsecPeerEntry and the 82 ikePropAuthMethod field of the ikeProposalTableEntry used are 83 set to 'default', this value is assumed. 84 Possible values: 85 pre-sh-key(1), -- Authentication using pre shared keys 86 dss-sig(2), -- Authentication using DSS signatures 87 rsa-sig(3), -- Authentication using RSA signatures 88 rsa-enc(4) -- Authentication using RSA encryption." 89 ::= { ipsecGlobals 2 } 90 91 ipsecGlobDefaultCertificate OBJECT-TYPE 92 SYNTAX INTEGER 93 MAX-ACCESS read-only 94 STATUS current 95 DESCRIPTION 96 "The index of the default certificate in the certTable used for 97 local authentication for ike keyed rules with non 98 pre-shared-key authentication. This may be overwritten by the 99 certificate specified for the individual ipsec peers." 100 ::= { ipsecGlobals 3 } 101 102 ipsecGlobDefaultLocalId OBJECT-TYPE 103 SYNTAX DisplayString 104 MAX-ACCESS read-only 105 STATUS current 106 DESCRIPTION 107 "The default ID used for local authentication for ike keyed 108 rules. If this is an empty or invaid id string one of the 109 subject alternative names or the subject name from the default 110 certificate is used. This does not relpace an empty local 111 id string for an IPsec peer with a valid certificate. 
The 112 subject name or one of the subject alternative names from this 113 certificate is used then" 114 ::= { ipsecGlobals 4 } 115 116 ipsecGlobDefaultIpsecProposal OBJECT-TYPE 117 SYNTAX INTEGER 118 MAX-ACCESS read-only 119 STATUS current 120 DESCRIPTION 121 "Index of default ipsec proposal used for traffic entries with 122 empty ipsec proposal, defined for peers with empty default 123 ipsec proposal." 124 ::= { ipsecGlobals 5 } 125 126 ipsecGlobDefaultIkeProposal OBJECT-TYPE 127 SYNTAX INTEGER 128 MAX-ACCESS read-only 129 STATUS current 130 DESCRIPTION 131 "Index of default ike proposal used for peers with empty default 132 ike proposal." 133 ::= { ipsecGlobals 6 } 134 135 ipsecGlobDefaultIpsecLifeTime OBJECT-TYPE 136 SYNTAX INTEGER 137 UNITS "seconds" 138 MAX-ACCESS read-only 139 STATUS current 140 DESCRIPTION 141 "Index of default lifetime for ike SA's in ipsecLifeTimeTable. 142 This lifetime is used, when there is no valid lifetime entry 143 specified for an IPsec peer entry." 144 ::= { ipsecGlobals 7 } 145 146 ipsecGlobDefaultIkeLifeTime OBJECT-TYPE 147 SYNTAX INTEGER 148 UNITS "seconds" 149 MAX-ACCESS read-only 150 STATUS current 151 DESCRIPTION 152 "This object specifies an index in the ipsecLifeTimeTable with the 153 default lifetime settings used for IKE SA's. 154 This lifetime is used whenever there is no valid lifetime entry 155 specified for a peer entry and the IKE proposal used." 156 ::= { ipsecGlobals 8 } 157 158 ipsecGlobDefaultIkeGroup OBJECT-TYPE 159 SYNTAX INTEGER 160 MAX-ACCESS read-only 161 STATUS current 162 DESCRIPTION 163 "Index of default IKE group used if no IKE group is defined for a peer. 164 Possible values: 165 1 (768 bit MODP), 166 2 (1024 bit MODP), 167 5 (1536 bit MODP)." 168 DEFVAL { 1 } 169 ::= { ipsecGlobals 9 } 170 171 ipsecGlobIkeProfile OBJECT-TYPE 172 SYNTAX INTEGER 173 MAX-ACCESS read-write 174 STATUS current 175 DESCRIPTION 176 "This object specifies the default IKE (phase 1) profile 177 to use." 
178 DEFVAL { 0 } 179 ::= { ipsecGlobals 39 } 180 181 ipsecGlobIpsecProfile OBJECT-TYPE 182 SYNTAX INTEGER 183 MAX-ACCESS read-write 184 STATUS current 185 DESCRIPTION 186 "This object specifies the default IPSec (phase 2) profile 187 to use." 188 DEFVAL { 0 } 189 ::= { ipsecGlobals 40 } 190 191 ipsecGlobMaxSysLogLevel OBJECT-TYPE 192 SYNTAX INTEGER { 193 emerg(1), 194 alert(2), 195 crit(3), 196 err(4), 197 warning(5), 198 notice(6), 199 info(7), 200 debug(8) 201 } 202 MAX-ACCESS read-write 203 STATUS current 204 DESCRIPTION 205 "Maximum level for syslog messages issued by IPSec. All 206 messages with a level higher than this value are suppressed, 207 independently from other global syslog level settings. 208 Possible settings: 209 emerg(1), 210 alert(2), 211 crit(3), 212 err(4), 213 warning(5), 214 notice(6), 215 info(7), 216 debug(8)." 217 DEFVAL { debug } 218 ::= { ipsecGlobals 10 } 219 220 ipsecGlobDefaultGranularity OBJECT-TYPE 221 SYNTAX INTEGER { 222 coarse(2), -- Create only one SA for each Traffic entry 223 ip(3), -- Create one SA for each host 224 proto(4), -- Create one SA for each protocol and host 225 port(5) -- Create one SA for each port and host 226 } 227 MAX-ACCESS read-only 228 STATUS current 229 DESCRIPTION 230 "This object specifies the default granularity used 231 for IPSEC SA negotiation. 232 Possible values: 233 coarse(2), -- Create only one SA for each Traffic entry 234 ip(3), -- Create one SA for each host 235 proto(4), -- Create one SA for each protocol and host 236 port(5) -- Create one SA for each port and host." 237 DEFVAL { coarse } 238 ::= { ipsecGlobals 11 } 239 240 ipsecGlobDefaultPh1Mode OBJECT-TYPE 241 SYNTAX INTEGER { 242 id-protect(1), -- Use identity protection (main) mode 243 aggressive(2) -- Use aggressive mode 244 } 245 MAX-ACCESS read-only 246 STATUS current 247 DESCRIPTION 248 "This object specifies the default exchange mode used for IKE 249 SA negotiation. 
250 Possible values: 251 id-protect(1), -- Use identity protection (main) mode 252 aggressive(2) -- Use aggressive mode." 253 DEFVAL { id-protect } 254 ::= { ipsecGlobals 12 } 255 256 ipsecGlobDefaultPfsGroup OBJECT-TYPE 257 SYNTAX INTEGER 258 MAX-ACCESS read-only 259 STATUS current 260 DESCRIPTION 261 "This object specifies the PFS group to use. 262 PFS is done only for phase 2, i.e. the Phase 1 SAs are not 263 deleted after phase 2 negotiation is completed. 264 Note however, that if the peer has configured PFS for 265 identity and destroys phase 1 SAs, this side will also 266 destroy them when notified. 267 Possible values: 268 0 (no PFS) 269 1 (768 bit MODP), 270 2 (1024 bit MODP), 271 5 (1536 bit MODP)." 272 ::= { ipsecGlobals 13 } 273 274 ipsecGlobIkePort OBJECT-TYPE 275 SYNTAX INTEGER 276 MAX-ACCESS read-write 277 STATUS current 278 DESCRIPTION 279 "This object specifies the port the IKE key management service 280 listens to." 281 DEFVAL { 500 } 282 ::= { ipsecGlobals 20 } 283 284 285 ipsecGlobMaxRetries OBJECT-TYPE 286 SYNTAX INTEGER 287 MAX-ACCESS read-write 288 STATUS current 289 DESCRIPTION 290 "This object specifies the maximum number of retries sent by IKE 291 for one message." 292 DEFVAL { 10 } 293 ::= { ipsecGlobals 21 } 294 295 ipsecGlobRetryTimeout0milli OBJECT-TYPE 296 SYNTAX INTEGER 297 UNITS "milliseconds" 298 MAX-ACCESS read-write 299 STATUS current 300 DESCRIPTION 301 "This object specifies the period of time in milliseconds before 302 an IKE message is repeated for the first time if the answer is 303 missing. After each retry, this timeout is increased up to the 304 value specified in ipsecGlobRetryTimeoutMaxsec." 305 DEFVAL { 500 } 306 ::= { ipsecGlobals 22 } 307 308 ipsecGlobRetryTimeoutMaxsec OBJECT-TYPE 309 SYNTAX INTEGER 310 UNITS "seconds" 311 MAX-ACCESS read-write 312 STATUS current 313 DESCRIPTION 314 "This object specifies the maximum period of time in seconds 315 before an IKE message is repeated if the answer is missing. 
The 316 retry timeout is not increased beyond this limit." 317 DEFVAL { 30 } 318 ::= { ipsecGlobals 23 } 319 320 ipsecGlobMaxNegotiationTimeoutsec OBJECT-TYPE 321 SYNTAX INTEGER 322 UNITS "seconds" 323 MAX-ACCESS read-write 324 STATUS current 325 DESCRIPTION 326 "This object specifies the maximum number of seconds after which 327 a negotiation is canceled if it is not finished." 328 DEFVAL { 300 } 329 ::= { ipsecGlobals 24 } 330 331 ipsecGlobMaxIkeSas OBJECT-TYPE 332 SYNTAX INTEGER 333 MAX-ACCESS read-write 334 STATUS current 335 DESCRIPTION 336 "This object specifies the maximum number of simultaneous ISAKMP 337 Security associations allowed. If this limit is reached, the 338 entries are removed from the database, starting with the ones 339 that will expire very soon. If that is not enough, the entries 340 are deleted in reverse LRU order." 341 DEFVAL { 512 } 342 ::= { ipsecGlobals 25 } 343 344 ipsecGlobIgnoreCrPayloads OBJECT-TYPE 345 SYNTAX INTEGER { 346 true(1), -- ignore all certificate requests 347 false(2) -- process certificate request payloads 348 } 349 MAX-ACCESS read-write 350 STATUS current 351 DESCRIPTION 352 "This object specifies whether certificate request payloads 353 should be ignored by IKE. 354 Possible values: 355 true(1), -- ignore all certificate requests 356 false(2) -- process certificate request payloads." 357 DEFVAL { false } 358 ::= { ipsecGlobals 29 } 359 360 ipsecGlobNoCrPayloads OBJECT-TYPE 361 SYNTAX INTEGER { 362 true(1), -- suppress certificate requests 363 false(2) -- send certificate requests 364 } 365 MAX-ACCESS read-write 366 STATUS current 367 DESCRIPTION 368 "This object specifies whether IKE should suppress certificate 369 requests. 370 Possible values: 371 true(1), -- suppress certificate requests 372 false(2) -- send certificate requests." 
373 DEFVAL { false } 374 ::= { ipsecGlobals 30 } 375 376 ipsecGlobNoKeyHashPayloads OBJECT-TYPE 377 SYNTAX INTEGER { 378 true(1), -- do not send key hash payloads 379 false(2) -- send key hash payloads 380 } 381 MAX-ACCESS read-write 382 STATUS current 383 DESCRIPTION 384 "This object specifies whether IKE should suppress key hash 385 payloads. 386 Possible values: 387 true(1), -- suppress key hash payloads 388 false(2) -- send key hash payloads." 389 DEFVAL { false } 390 ::= { ipsecGlobals 31 } 391 392 ipsecGlobNoCrls OBJECT-TYPE 393 SYNTAX INTEGER { 394 true(1), -- do not send certificate revocation lists 395 false(2) -- send certificate revocation lists 396 } 397 MAX-ACCESS read-write 398 STATUS current 399 DESCRIPTION 400 "This object specifies whether IKE should send certificate 401 revocation lists. 402 Possible values: 403 true(1), -- do not send certificate revocation lists 404 false(2) -- send certificate revocation lists." 405 DEFVAL { true } 406 ::= { ipsecGlobals 32 } 407 408 ipsecGlobSendFullCertChains OBJECT-TYPE 409 SYNTAX INTEGER { 410 true(1), -- send full certificate chains 411 false(2) -- do not send full certificate chains 412 } 413 MAX-ACCESS read-write 414 STATUS current 415 DESCRIPTION 416 "This object specifies whether IKE should send full certificate 417 chains. 418 Possible values: 419 true(1), -- send full certificate chains 420 false(2) -- do not send full certificate chains." 421 DEFVAL { true } 422 ::= { ipsecGlobals 33 } 423 424 ipsecGlobTrustIcmpMsg OBJECT-TYPE 425 SYNTAX INTEGER { 426 true(1), -- trust ICMP messages 427 false(2) -- do not trust ICMP messages 428 } 429 MAX-ACCESS read-write 430 STATUS current 431 DESCRIPTION 432 "This object specifies whether IKE should trust icmp port and 433 host unreachable error messages. ICMP port and host unreachable 434 messages are only trusted if there have not yet been received 435 any datagrams from the remote host in this negotiation. 
436 This means, if the local side receives an ICMP port or host 437 unreachable message as the first response to the initial packet 438 of a new phase 1 negotiation, it cancels the negotiation 439 immediately. 440 Possible values: 441 true(1), -- trust ICMP messages 442 false(2) -- do not trust ICMP messages." 443 DEFVAL { false } 444 ::= { ipsecGlobals 34 } 445 446 ipsecGlobSpiSize OBJECT-TYPE 447 SYNTAX INTEGER 448 UNITS "bytes" 449 MAX-ACCESS read-write 450 STATUS current 451 DESCRIPTION 452 "A compatibility flag that specifies the length of the SPI in 453 bytes, which is used when an ISAKMP SA SPI (Cookie) is sent to 454 the remote peer. 455 This field takes effect only if ipsecGlobZeroIsakmpCookies 456 is true." 457 DEFVAL { 32 } 458 ::= { ipsecGlobals 35 } 459 460 ipsecGlobZeroIsakmpCookies OBJECT-TYPE 461 SYNTAX INTEGER { 462 true(1), -- send zero cookies in ISAKMP messages 463 false(2) -- send ISAKMP cookies 464 } 465 MAX-ACCESS read-write 466 STATUS current 467 DESCRIPTION 468 "This object specifies whether zeroed ISAKMP cookies should be 469 sent. 470 Possible Values: 471 true(1), -- send zero cookies in ISAKMP messages 472 false(2) -- send ISAKMP cookies." 473 DEFVAL { false } 474 ::= { ipsecGlobals 36 } 475 476 ipsecGlobMaxKeyLength OBJECT-TYPE 477 SYNTAX INTEGER 478 UNITS "bits" 479 MAX-ACCESS read-write 480 STATUS current 481 DESCRIPTION 482 "This object specifies the maximum length of an encryption key 483 (in bits) that is accepted from the remote end. This limit 484 prevents denial of service attacks where the attacker asks for 485 a huge key for an encryption algorithm that allows variable 486 length keys." 
487 DEFVAL { 1024 } 488 ::= { ipsecGlobals 37 } 489 490 ipsecGlobNoInitialContact OBJECT-TYPE 491 SYNTAX INTEGER { 492 true(1), -- do not send initial contact messages 493 false(2) -- send initial contact messages if appropriate 494 } 495 MAX-ACCESS read-write 496 STATUS current 497 DESCRIPTION 498 "Do not send IKE initial contact messages in IKE negotiations 499 even if no SA's exist with a peer. 500 Possible values: 501 true(1), -- do not send initial contact messages 502 false(2) -- send initial contact messages if appropriate." 503 DEFVAL { false } 504 ::= { ipsecGlobals 38 } 505 506 ipsecGlobBlockTimeout OBJECT-TYPE 507 SYNTAX INTEGER (1..3600) 508 UNITS "seconds" 509 MAX-ACCESS read-write 510 STATUS current 511 DESCRIPTION 512 "For peers with nonzero block time, the value of this object is 513 used instead of ipsecGlobMaxNegotiationTimeoutSec." 514 DEFVAL { 15 } 515 ::= { ipsecGlobals 42 } 516 517 ipsecGlobDPDIdleThreshold OBJECT-TYPE 518 SYNTAX INTEGER (1..3600) 519 UNITS "seconds" 520 MAX-ACCESS read-write 521 STATUS current 522 DESCRIPTION 523 "The minimum idle time period after which a dpd request is sent." 524 DEFVAL { 15 } 525 ::= { ipsecGlobals 43 } 526 527 ipsecGlobDPDMaxRetries OBJECT-TYPE 528 SYNTAX INTEGER (1..10) 529 MAX-ACCESS read-write 530 STATUS current 531 DESCRIPTION 532 "The number of DPD retries sent before a peer is considered dead." 533 DEFVAL { 3 } 534 ::= { ipsecGlobals 44 } 535 536 ipsecGlobDPDRetryTimeout OBJECT-TYPE 537 SYNTAX INTEGER (1..10) 538 UNITS "seconds" 539 MAX-ACCESS read-write 540 STATUS current 541 DESCRIPTION 542 "The number of seconds between retries." 543 DEFVAL { 2 } 544 ::= { ipsecGlobals 45 } 545 546 ipsecGlobIkev2Enabled OBJECT-TYPE 547 SYNTAX INTEGER { 548 true(1), -- IKEv2 enabled 549 false(2) -- IKEv2 disabled 550 } 551 MAX-ACCESS read-write 552 STATUS current 553 DESCRIPTION 554 "Enables/disables IKEv2 globally." 
555 DEFVAL { true } 556 ::= { ipsecGlobals 46 } 557 558 559-- End Global IPSec Settings 560 561 562 563-- Second Table With Global IPSec Settings 564 565 ipsecGlobalsContinued OBJECT IDENTIFIER ::= { ipsec 11 } 566 -- Second static table containing global settings for IPSec 567 568 569 ipsecGlobContPreIpsecRules OBJECT-TYPE 570 SYNTAX INTEGER 571 MAX-ACCESS read-write 572 STATUS current 573 DESCRIPTION 574 "This object specifies an index in the IPsec traffic 575 table containing a list of traffic definitions which 576 has to be considered prior to the traffic lists of 577 the IPSec peers in IPSec traffic processing. 578 It may contain either pass or drop entries (protect entries 579 are ignored, if erroneously configured)." 580 DEFVAL { 0 } 581 ::= { ipsecGlobalsContinued 1 } 582 583 ipsecGlobContPostIpsecRules OBJECT-TYPE 584 SYNTAX INTEGER 585 MAX-ACCESS read-write 586 STATUS current 587 DESCRIPTION 588 "This object specifies an index in the IPsec traffic 589 table containing a list of traffic definitions which 590 has to be considered after the traffic lists of 591 the IPSec peers in IPSec traffic processing. 592 It may contain either pass or drop entries (protect entries 593 are ignored, if erroneously configured)." 594 DEFVAL { 0 } 595 ::= { ipsecGlobalsContinued 11 } 596 597 ipsecGlobContDefaultRule OBJECT-TYPE 598 SYNTAX INTEGER { 599 drop(1), -- drop all packets 600 pass(2) -- allow all packets pass plain 601 } 602 MAX-ACCESS read-write 603 STATUS current 604 DESCRIPTION 605 "This object specifies how to treat packets which do not match 606 any entry in the traffic lists of the active peers or the 607 pre-and post IPSec rules. 608 Possible values: 609 drop(1), -- drop all packets 610 pass(2) -- allow all packets pass plain." 
611 DEFVAL { drop } 612 ::= { ipsecGlobalsContinued 2 } 613 614 ipsecGlobContUse32BitCpi OBJECT-TYPE 615 SYNTAX INTEGER { 616 true(1), -- send CPI as 32 bit numbers 617 false(2) -- send CPI as 16 bit numbers 618 } 619 MAX-ACCESS read-write 620 STATUS current 621 DESCRIPTION 622 "This object specifies whether the CPI values in IKE IPComP 623 negotiations should be sent as 16 bit numbers. 624 Possible values: 625 true(1), -- send CPI as 32 bit numbers 626 false(2) -- send CPI as 16 bit numbers." 627 DEFVAL { false } 628 ::= { ipsecGlobalsContinued 4 } 629 630 ipsecGlobContNoWellKnownCpis OBJECT-TYPE 631 SYNTAX INTEGER { 632 true(1), -- do not use the well known cpi values 633 false(2) -- use the well known cpi values 634 } 635 MAX-ACCESS read-write 636 STATUS current 637 DESCRIPTION 638 "This object specifies whether the well known CPI values 639 should be used in IKE IPComP negotiations. If set to true, 640 IKE will allocate random CPI values from the negotiable 641 range 256-61439. 642 Possible values: 643 true(1), -- do not use the well known cpi values 644 false(2) -- use the well known cpi values." 645 DEFVAL { false } 646 ::= { ipsecGlobalsContinued 5 } 647 648 ipsecGlobContNoPmtuDiscovery OBJECT-TYPE 649 SYNTAX INTEGER { 650 true(1), -- do not perform PMTU discovery 651 false(2) -- perform PMTU discovery 652 } 653 MAX-ACCESS read-only 654 STATUS current 655 DESCRIPTION 656 "This object specifies the default PMTU discovery policy 657 if the ipsecPeerPmtuDiscovery flag is set to default. 658 Possible values: 659 true(1), -- do not perform PMTU discovery 660 false(2) -- perform PMTU discovery." 661 DEFVAL { true } 662 ::= { ipsecGlobalsContinued 7 } 663 664 ipsecGlobContDefaultPmtuTtl OBJECT-TYPE 665 SYNTAX INTEGER 666 UNITS "minutes" 667 MAX-ACCESS read-write 668 STATUS current 669 DESCRIPTION 670 "This object specifies the time-to-live (in minutes) of a 671 PMTU value derived from an ICMP PMTU message 672 received for an IPSec packet. 
After this time, the mtu is 673 increased step-by-step using the values from RFC 1191 until 674 a new ICMP PMTU message is received. A ttl value of 0 means 675 infinite." 676 DEFVAL { 10 } 677 ::= { ipsecGlobalsContinued 8 } 678 679 ipsecGlobContPrivateInterface OBJECT-TYPE 680 SYNTAX INTEGER 681 MAX-ACCESS read-write 682 STATUS current 683 DESCRIPTION 684 "This object specifies the index of the systems' private 685 interface. If the private interface is set (i.e. non-negative), 686 certain address spoofing attacks are made impossible from IPSec 687 itself." 688 DEFVAL { -1 } 689 ::= { ipsecGlobalsContinued 9 } 690 691 ipsecGlobContSaSyncInterface OBJECT-TYPE 692 SYNTAX INTEGER { 693 true(1), -- delete SAs 694 false(2) -- do not delete SAs 695 } 696 MAX-ACCESS read-write 697 STATUS current 698 DESCRIPTION 699 "This object specifies whether IKE and IPSec SA's should be 700 are deleted if the interface over which the packets are 701 initially sent is going down or dormant 702 Possible values: 703 true(1), -- delete SAs 704 false(2) -- do not delete SAs." 705 DEFVAL { false } 706 ::= { ipsecGlobalsContinued 10 } 707 708 ipsecGlobContDefaultPfsIdentity OBJECT-TYPE 709 SYNTAX INTEGER { 710 true(1), -- delete phase 1 SAs 711 false(2) -- do not delete phase 1 SAs 712 } 713 MAX-ACCESS read-write 714 STATUS current 715 DESCRIPTION 716 "This object specifies whether IKE SA's should be deleted 717 immediately after a phase 2 (IPSec-) SA pair has been 718 negotiated. 719 It may be overridden by the individual settings for a peer 720 entry, if the ipsecPeerPfsIdentity is not set to 'default'. 721 The consequence of enabling this feature is that before each 722 phase 2 negotiation there always has to be a phase 1 723 negotiation. Thus individual phase 2 SAs cannot be 724 associated with one another or, respectively, if the 725 identity of a remote peer is known to an eavesdropper 726 for one SA, he cannot conclude that the next SA is 727 negotiated with the same remote peer. 
728 Note: Setting this flag only makes sense if configured 729 together with id-protect mode or RSA encryption for 730 authentication and if the IP address of the remote 731 peer does not allow conclusions about its identity 732 (i.e. dynamic remote peer addresses). 733 Possible values: 734 true(1), -- delete phase 1 SAs 735 false(2) -- do not delete phase 1 SAs." 736 DEFVAL { false } 737 ::= { ipsecGlobalsContinued 12 } 738 739 ipsecGlobContPfsIdentityDelay OBJECT-TYPE 740 SYNTAX INTEGER 741 UNITS "seconds" 742 MAX-ACCESS read-write 743 STATUS current 744 DESCRIPTION 745 "This object specifies the number of seconds to wait before 746 deleting the underlying phase 1 SA after a Phase 2 SA has 747 been established, if PFS for identity is configured." 748 DEFVAL { 8 } 749 ::= { ipsecGlobalsContinued 15 } 750 751 ipsecGlobContIkeLoggingLevel OBJECT-TYPE 752 SYNTAX INTEGER (0..127) 753 MAX-ACCESS read-write 754 STATUS current 755 DESCRIPTION 756 "This object specifies the IKE logging level. 757 IKE log messages are output as syslog messages on level debug. 758 Note that the global syslog table level must be set to debug 759 in order to see these messages. 760 Possible values: 761 0: no IKE log messages 762 ... 3: IKE error output 763 ... 6: IKE trace output 764 ... 9: IKE detailed results output 765 10 ...: hexdumps of IKE messages." 766 DEFVAL { 0 } 767 ::= { ipsecGlobalsContinued 13 } 768 769 ipsecGlobContHeartbeatDefault OBJECT-TYPE 770 SYNTAX INTEGER { 771 none(1), -- neither send nor expect heartbeats 772 expect(2), -- expect heartbeats 773 send(3), -- send heartbeats 774 both(4) -- send and expect heartbeats 775 } 776 MAX-ACCESS read-only 777 STATUS current 778 DESCRIPTION 779 "This object specifies whether heartbeats should be sent 780 over phase 1 SAs (not used for IPv6). 781 Possible values: 782 none(1), -- neither send nor expect heartbeats 783 expect(2), -- expect heartbeats 784 send(3), -- send heartbeats 785 both(4) -- send and expect heartbeats." 
786 DEFVAL { none } 787 ::= { ipsecGlobalsContinued 16 } 788 789 ipsecGlobContHeartbeatInterval OBJECT-TYPE 790 SYNTAX INTEGER (1..900) 791 UNITS "seconds" 792 MAX-ACCESS read-write 793 STATUS current 794 DESCRIPTION 795 "This object specifies the time interval in seconds between 796 heartbeats. At this rate heartbeats are sent and/or 797 expected if configured (not used for IPv6)." 798 DEFVAL { 5 } 799 ::= { ipsecGlobalsContinued 17 } 800 801 ipsecGlobContHeartbeatTolerance OBJECT-TYPE 802 SYNTAX INTEGER (1..900) 803 MAX-ACCESS read-write 804 STATUS current 805 DESCRIPTION 806 "This object specifies the maximum number of missing heartbeats 807 allowed before an SA is discarded (not used for IPv6)." 808 DEFVAL { 4 } 809 ::= { ipsecGlobalsContinued 18 } 810 811 ipsecGlobContDialBlockTime OBJECT-TYPE 812 SYNTAX INTEGER (-1..43200) 813 UNITS "minutes" 814 MAX-ACCESS read-write 815 STATUS current 816 DESCRIPTION 817 "Amount of time in minutes how long an ipsecDial entry remains 818 in state blocked-for-outgoing after a cost producing trigger 819 call was detected. Given value denotes time in minutes. 820 Special value -1 means to block entry until unblocked manually 821 by deactivating entry and reactivating it afterwards. 822 Default value is -1." 823 DEFVAL { -1 } 824 ::= { ipsecGlobalsContinued 14 } 825 826 ipsecGlobContObsoleteFeatureMask OBJECT-TYPE 827 SYNTAX BitValue 828 MAX-ACCESS read-write 829 STATUS current 830 DESCRIPTION 831 "Some obsolete features are represented by a bit in this mask 832 and could be re-enabled for testing or compatibility purpose. 833 A mask-bit of 1 enable the approprate (obsolete) feature. 834 A mask-bit of 0 disable the appropriate feature completely. 835 836 Bit Feature 837 0x00000001: re-enable delayed apf-graph-node-memory free 838 0x00000002: tbd. 839 840 The default-value is 0 - all obsolete features are disabled. 
841 Do not change this default-value if not really necessary" 842 DEFVAL { 0 } 843 ::= { ipsecGlobalsContinued 66 } 844 845 ipsecGlobContP1Always OBJECT-TYPE 846 SYNTAX INTEGER { 847 enabled (1), -- always rekey phase 1 if phase 2 is rekeyed 848 disabled (2) -- rekey phase 1 only if necessary 849 } 850 MAX-ACCESS read-write 851 STATUS current 852 DESCRIPTION 853 "This object specifies whether a phase 1 rekeying is always 854 done immediately before phase 2 rekeying. 855 Note this is different from pfs for identity because the 856 latter discards the phase 1 SA immediately after phase 2 857 establishment. 858 This feature is mainly a compatibility flag for some 859 non-standard implementations which always expect a phase 1 SA 860 if a phase 2 SA exists. Please also select a longer lifetime 861 for phase 1 than phase 2 then." 862 DEFVAL { disabled } 863 ::= { ipsecGlobalsContinued 69 } 864 865 ipsecGlobContHwAccel OBJECT-TYPE 866 SYNTAX INTEGER { 867 yes (1), 868 no (2) 869 } 870 MAX-ACCESS read-write 871 STATUS current 872 DESCRIPTION 873 "Enables/disables usage of encryption engine." 874 DEFVAL { yes } 875 ::= { ipsecGlobalsContinued 70 } 876 877 ipsecGlobContSupportVarKeyLength4Twofish OBJECT-TYPE 878 SYNTAX INTEGER { 879 yes (1), 880 no (2) 881 } 882 MAX-ACCESS read-write 883 STATUS current 884 DESCRIPTION 885 "Enables/disables support of variable key sizes for the 886 Twofish algorithm. Note that the Twofish related settings 887 within the ipsecAlgorithmTable will be synchronized 888 accordingly. If set to no (2) the system will act in the 889 backward compatibility mode. This setting might be necessary 890 in some dedicated cases in order to avoid IKE negotiation 891 problems." 892 DEFVAL { yes } 893 ::= { ipsecGlobalsContinued 71 } 894 895 ipsecGlobContIkev2Profile OBJECT-TYPE 896 SYNTAX Unsigned32 897 MAX-ACCESS read-write 898 STATUS current 899 DESCRIPTION 900 "This object specifies the default IKE_SA profile to use 901 (only for IKEv2). 
If set to 0 no profile is configured 902 as default." 903 DEFVAL { 0 } 904 ::= { ipsecGlobalsContinued 72 } 905 906 ipsecGlobContMaxIkev2Sas OBJECT-TYPE 907 SYNTAX INTEGER (1..100000) 908 MAX-ACCESS read-write 909 STATUS current 910 DESCRIPTION 911 "This object specifies the maximum number of simultaneous IKEv2 912 Security associations allowed. If this limit is reached, the 913 entries are removed from the database, starting with the ones 914 that will expire very soon. If that is not enough, the entries 915 are deleted in reverse LRU order." 916 DEFVAL { 512 } 917 ::= { ipsecGlobalsContinued 73 } 918 919 ipsecGlobContPathFinder OBJECT-TYPE 920 SYNTAX INTEGER { 921 enabled (1), 922 disabled (2) 923 } 924 MAX-ACCESS read-write 925 STATUS current 926 DESCRIPTION 927 "Enables/disables the IPSec pathfinder mode, that means 928 all the traffic (IKE, ESP and AH) is embedded within a 929 pseudo HTTPS session between the peers (similar to the 930 NAT-T mode)." 931 DEFVAL { disabled } 932 ::= { ipsecGlobalsContinued 74 } 933 934 ipsecGlobContXauthTimeout OBJECT-TYPE 935 SYNTAX INTEGER (10..600) 936 UNITS "seconds" 937 MAX-ACCESS read-write 938 STATUS current 939 DESCRIPTION 940 "If an extended authentication is requested, this is 941 the time (in seconds) the device will wait for response. A useful 942 value is important when username and password are entered manually 943 by the user." 
944 DEFVAL { 120 } 945 ::= { ipsecGlobalsContinued 75 } 946 947-- End Second Table With Global IPSec Settings 948 949-- IPSec RADIUS settings Table 950 ipsecRadius OBJECT IDENTIFIER ::= { ipsec 13 } 951 -- Table with RADIUS settings for IPSec 952 953 ipsecRadiusPresetState OBJECT-TYPE 954 SYNTAX INTEGER { 955 not-loaded(1), -- RADIUS preset peers are not loaded 956 loading(2), -- RADIUS preset peers are currently loaded 957 loaded(3), -- RADIUS preset peers have been loaded 958 reloading(4) -- RADIUS preset peers are currently reloaded 959 } 960 MAX-ACCESS read-only 961 STATUS current 962 DESCRIPTION 963 "This object shows the status of the RADIUS preset peers load 964 process." 965 DEFVAL { not-loaded } 966 ::= { ipsecRadius 1 } 967 968 ipsecRadiusPresetPeers OBJECT-TYPE 969 SYNTAX INTEGER 970 MAX-ACCESS read-only 971 STATUS current 972 DESCRIPTION 973 "The number of RADIUS preset peers currently loaded." 974 ::= { ipsecRadius 2 } 975 976 ipsecRadiusDynamicAuthentication OBJECT-TYPE 977 SYNTAX INTEGER { 978 enabled(1), -- dynamic authentication via RADIUS enabled 979 disabled(2) -- dynamic authentication via RADIUS disabled 980 } 981 MAX-ACCESS read-write 982 STATUS current 983 DESCRIPTION 984 "This object enables/disables dynamic authentication via RADIUS. 985 If no peer has been found matching an incoming IKE negotiation, 986 the configured RADIUS servers are consulted (if any)." 987 DEFVAL { disabled } 988 ::= { ipsecRadius 3 } 989 990-- End global IPSec Radius settings 991 992 993-- IPSec Security Associations Table 994 995 ipsecSaTable OBJECT-TYPE 996 SYNTAX SEQUENCE OF IpsecSaEntry 997 MAX-ACCESS not-accessible 998 STATUS current 999 DESCRIPTION 1000 "This table contains the list of currently active IPSec security 1001 associations." 1002 ::= { ipsec 3 } 1003 1004 ipsecSaEntry OBJECT-TYPE 1005 SYNTAX IpsecSaEntry 1006 MAX-ACCESS not-accessible 1007 STATUS current 1008 DESCRIPTION 1009 "This object contains an IPSec security association." 
1010 INDEX { 1011 ipsecSaSecProto, 1012 ipsecSaSpi 1013 } 1014 ::= { ipsecSaTable 1 } 1015 1016 IpsecSaEntry ::= 1017 SEQUENCE { 1018 ipsecSaIndex INTEGER, 1019 ipsecSaState INTEGER, 1020 ipsecSaDir INTEGER, 1021 ipsecSaMode INTEGER, 1022 ipsecSaSecProto INTEGER, 1023 ipsecSaSpi HexValue, 1024 ipsecSaAuthAlg INTEGER, 1025 ipsecSaEncAlg INTEGER, 1026 ipsecSaCompAlg INTEGER, 1027 ipsecSaAuthKeyLen INTEGER, 1028 ipsecSaEncKeyLen INTEGER, 1029 ipsecSaReplayErrors INTEGER, 1030 ipsecSaRecvErrors INTEGER, 1031 ipsecSaDecryptErrors INTEGER, 1032 ipsecSaBundle INTEGER, 1033 ipsecSaBundleNesting INTEGER, 1034 ipsecSaSpiSize INTEGER, 1035 ipsecSaEncKey OCTET STRING, 1036 ipsecSaAuthKey OCTET STRING, 1037 ipsecSaIkeMajVersion INTEGER, 1038 ipsecSaIkeMinVersion INTEGER 1039 } 1040 1041 ipsecSaIndex OBJECT-TYPE 1042 SYNTAX INTEGER 1043 MAX-ACCESS read-only 1044 STATUS current 1045 DESCRIPTION 1046 "A unique index for this entry." 1047 ::= { ipsecSaEntry 1 } 1048 1049 ipsecSaState OBJECT-TYPE 1050 SYNTAX INTEGER { 1051 expired(2), -- The SA is expired and will not be rekeyed 1052 negotiating(4), -- This SA is currently negotiated 1053 established(5) -- The SA is alive and will eventually be rekeyed 1054 } 1055 MAX-ACCESS read-only 1056 STATUS current 1057 DESCRIPTION 1058 "The current state of the security association 1059 Possible values: 1060 alive(1), -- The SA is alive 1061 expired(2), -- The SA is expired 1062 negotiating(4),-- This SA is currently negotiated 1063 established(5) -- The SA is alive and will eventually be 1064 rekeyed." 1065 DEFVAL { negotiating } 1066 ::= { ipsecSaEntry 3 } 1067 1068 ipsecSaDir OBJECT-TYPE 1069 SYNTAX INTEGER { 1070 inbound(1), -- An inbound security association 1071 outbound(2) -- An outbound security association 1072 } 1073 MAX-ACCESS read-only 1074 STATUS current 1075 DESCRIPTION 1076 "This object specifies whether the SA is used for inbound or 1077 outbound processing. 
Possible values:
            inbound(1), -- An inbound security association
            outbound(2) -- An outbound security association."
        ::= { ipsecSaEntry 5 }

    ipsecSaMode OBJECT-TYPE
        SYNTAX INTEGER {
            tunnel(1), -- A tunnel mode SA
            transport(2) -- A transport mode SA
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "This object specifies whether the SA is in tunnel or
            transport mode.
            Possible values:
            tunnel(1), -- A tunnel mode SA
            transport(2) -- A transport mode SA."
        ::= { ipsecSaEntry 6 }

    -- The enumeration values are the IP protocol numbers of ESP (50), AH (51)
    -- and IPComp (108). This object is the first INDEX component of
    -- ipsecSaTable.
    ipsecSaSecProto OBJECT-TYPE
        SYNTAX INTEGER {
            esp(50), -- Encapsulating Security Payload
            ah(51), -- Authentication Header
            ipcomp(108) -- Internet Payload Compression Protocol
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "This object specifies the security protocol applied by this SA.
            Possible values:
            esp(50), -- Encapsulating Security Payload
            ah(51), -- Authentication Header
            ipcomp(108) -- Internet Payload Compression Protocol."
        ::= { ipsecSaEntry 7 }

    -- Second INDEX component of ipsecSaTable; together with ipsecSaSecProto
    -- it identifies the SA.
    ipsecSaSpi OBJECT-TYPE
        SYNTAX HexValue
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The Security Parameters Index of this SA."
        ::= { ipsecSaEntry 17 }

    -- Only md5-96 and sha1-96 can be reported here; an SA negotiated with a
    -- SHA-2 integrity algorithm has no representable value in this
    -- enumeration. none(2) means no hash algorithm is applied to the SA.
    ipsecSaAuthAlg OBJECT-TYPE
        SYNTAX INTEGER {
            none(2), -- No hash algorithm
            md5-96(4), -- The MD5 hash algorithm
            sha1-96(6) -- The Secure Hash Algorithm
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The hash algorithm used, if any.
            Possible Values:
            none(2), -- No hash algorithm applied
            md5-96(4), -- The MD5 hash algorithm
            sha1-96(6) -- The Secure Hash Algorithm."
::= { ipsecSaEntry 18 }

    -- none(1) means no confidentiality at all and des-cbc(2) is single DES;
    -- either value in an established SA is worth an alert. No AES mode other
    -- than CBC is representable here.
    ipsecSaEncAlg OBJECT-TYPE
        SYNTAX INTEGER {
            none(1), -- No encryption applied
            des-cbc(2), -- DES in CBC mode
            des3-cbc(3), -- Triple DES in CBC mode
            blowfish-cbc(4), -- Blowfish in CBC mode
            cast128-cbc(5), -- CAST with 128 bit key in CBC mode
            twofish-cbc(6), -- Twofish in CBC mode
            aes-cbc(7) -- AES in CBC mode
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The encryption algorithm used, if any.
            Possible Values:
            none(1), -- No encryption applied
            des-cbc(2), -- DES in CBC mode
            des3-cbc(3), -- Triple DES in CBC mode
            blowfish-cbc(4), -- Blowfish in CBC mode
            cast128-cbc(5), -- CAST with 128 bit key in CBC mode
            twofish-cbc(6), -- Twofish in CBC mode
            aes-cbc(7) -- AES in CBC mode."
        ::= { ipsecSaEntry 19 }

    -- NOTE(review): SYNTAX declares none(2)/deflate(3) while the DESCRIPTION
    -- lists none(1)/deflate(2). A manager decoding from the DESCRIPTION text
    -- will mislabel every value; confirm which numbering the agent emits.
    ipsecSaCompAlg OBJECT-TYPE
        SYNTAX INTEGER {
            none(2), -- No compression
            deflate(3) -- DEFLATE compression algorithm
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The compression algorithm used, if any.
            Possible Values:
            none(1), -- No compression
            deflate(2) -- DEFLATE compression algorithm."
        DEFVAL { none }
        ::= { ipsecSaEntry 20 }

    ipsecSaAuthKeyLen OBJECT-TYPE
        SYNTAX INTEGER
        UNITS "bytes"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The length in bytes of the key used for authentication,
            if any."
        ::= { ipsecSaEntry 21 }

    ipsecSaEncKeyLen OBJECT-TYPE
        SYNTAX INTEGER
        UNITS "bytes"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The length in bytes of the key used for encryption, if any."
        ::= { ipsecSaEntry 22 }

    -- Declared INTEGER rather than Counter32 (as are ipsecSaRecvErrors and
    -- ipsecSaDecryptErrors), so managers must not assume Counter32 wrap
    -- semantics. A rising value means packets were rejected as replays.
    ipsecSaReplayErrors OBJECT-TYPE
        SYNTAX INTEGER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of replayed packets detected for this SA."
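::= { ipsecSaEntry 33 }

    ipsecSaRecvErrors OBJECT-TYPE
        SYNTAX INTEGER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of receive errors (replayed packets not counted)
            detected for this SA."
        ::= { ipsecSaEntry 34 }

    -- Declared INTEGER rather than Counter32, like the other error counts of
    -- this row; do not assume Counter32 wrap semantics.
    ipsecSaDecryptErrors OBJECT-TYPE
        SYNTAX INTEGER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of decryption errors (ESP only) detected for
            this SA."
        ::= { ipsecSaEntry 35 }

    -- presumably equals ipsecBundleIndex of the bundle row in ipsecBundleTable;
    -- verify against the agent.
    ipsecSaBundle OBJECT-TYPE
        SYNTAX INTEGER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "Unique id of the SA bundle within which this SA is used."
        ::= { ipsecSaEntry 39 }

    ipsecSaBundleNesting OBJECT-TYPE
        SYNTAX INTEGER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "Position of this SA within its SA bundle."
        ::= { ipsecSaEntry 40 }

    ipsecSaSpiSize OBJECT-TYPE
        SYNTAX INTEGER
        UNITS "bytes"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The size of the SPI in bytes."
        ::= { ipsecSaEntry 45 }

    -- Key material. MAX-ACCESS not-accessible keeps these two objects out of
    -- every SNMP response and out of any MIB view that can be granted; they
    -- must remain not-accessible. The previously empty DESCRIPTIONs are
    -- filled in so the intent is explicit.
    ipsecSaEncKey OBJECT-TYPE
        SYNTAX OCTET STRING
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "The encryption key of this SA. This object is not accessible
            via SNMP."
        ::= { ipsecSaEntry 64 }

    ipsecSaAuthKey OBJECT-TYPE
        SYNTAX OCTET STRING
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "The authentication key of this SA. This object is not accessible
            via SNMP."
        ::= { ipsecSaEntry 65 }

    ipsecSaIkeMajVersion OBJECT-TYPE
        SYNTAX INTEGER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The IKE major version number."
        DEFVAL { 1 }
        ::= { ipsecSaEntry 66 }

    ipsecSaIkeMinVersion OBJECT-TYPE
        SYNTAX INTEGER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The IKE minor version number."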
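DEFVAL { 0 }
        ::= { ipsecSaEntry 67 }

-- End IPSec Security Associations Table


-- IPSec SA Bundle Table

    -- The table and entry DESCRIPTIONs were copied from ipsecSaTable and
    -- described single SAs; they now describe bundles, which is what the
    -- IpsecBundleEntry columns (ipsecBundleNumSas, ipsecBundlePeerIndex,
    -- ipsecBundleTrafficIndex) actually carry.
    ipsecBundleTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpsecBundleEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "This table contains the list of currently active IPSec SA
            bundles. A bundle groups the SAs created for one peer and one
            traffic entry (see ipsecBundleNumSas, ipsecBundlePeerIndex and
            ipsecBundleTrafficIndex)."
        ::= { ipsec 16 }

    ipsecBundleEntry OBJECT-TYPE
        SYNTAX IpsecBundleEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "This object contains an IPSec SA bundle."
        INDEX {
            ipsecBundleIndex
        }
        ::= { ipsecBundleTable 1 }

    IpsecBundleEntry ::=
        SEQUENCE {
            ipsecBundleIndex INTEGER,
            ipsecBundlePeerIndex INTEGER,
            ipsecBundleTrafficIndex INTEGER,
            ipsecBundleState INTEGER,
            ipsecBundleNumSas INTEGER,
            ipsecBundleRole INTEGER,
            ipsecBundleRekeyedBundle INTEGER,
            ipsecBundleRekeyingBundle INTEGER,
            ipsecBundleLastStateChange TimeTicks,
            ipsecBundleHeartbeatsEnabled INTEGER,
            ipsecBundleCreator INTEGER,
            ipsecBundleTunnelLocal IpAddress,
            ipsecBundleTunnelRemote IpAddress,
            ipsecBundlePmtuDiscovery INTEGER,
            ipsecBundleKeepAlive INTEGER,
            ipsecBundleVerifyPad INTEGER,
            ipsecBundleLifeSeconds Unsigned32,
            ipsecBundleLifeKBytes Unsigned32,
            ipsecBundleRekeySeconds INTEGER,
            ipsecBundleRekeyKBytes INTEGER,
            ipsecBundleProto INTEGER,
            ipsecBundleLocalAddress IpAddress,
            ipsecBundleLocalMaskLen INTEGER,
            ipsecBundleLocalRange IpAddress,
            ipsecBundleLocalPort INTEGER,
            ipsecBundleRemoteAddress IpAddress,
            ipsecBundleRemoteMaskLen INTEGER,
            ipsecBundleRemoteRange IpAddress,
            ipsecBundleRemotePort INTEGER,
            ipsecBundleInPkt Counter64,
            ipsecBundleInHb Counter64,
            ipsecBundleInBytes Counter64,
            ipsecBundleInBytesNetto Counter64,
            ipsecBundleOutPkt Counter64,
            ipsecBundleOutHb Counter64,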
ipsecBundleOutBytes Counter64, 1344 ipsecBundleOutBytesNetto Counter64, 1345 ipsecBundleNatT INTEGER, 1346 ipsecBundleNatOaLocal IpAddress, 1347 ipsecBundleNatOaRemote IpAddress, 1348 ipsecBundleIkeMajVersion INTEGER, 1349 ipsecBundleIkeMinVersion INTEGER 1350 } 1351 1352 ipsecBundleIndex OBJECT-TYPE 1353 SYNTAX INTEGER 1354 MAX-ACCESS read-only 1355 STATUS current 1356 DESCRIPTION 1357 "A unique index for this entry." 1358 ::= { ipsecBundleEntry 1 } 1359 1360 ipsecBundlePeerIndex OBJECT-TYPE 1361 SYNTAX INTEGER 1362 MAX-ACCESS read-only 1363 STATUS current 1364 DESCRIPTION 1365 "The index of the peer for which this bundle was created." 1366 ::= { ipsecBundleEntry 5 } 1367 1368 ipsecBundleTrafficIndex OBJECT-TYPE 1369 SYNTAX INTEGER 1370 MAX-ACCESS read-only 1371 STATUS current 1372 DESCRIPTION 1373 "The index of the traffic entry for which this bundle was created." 1374 ::= { ipsecBundleEntry 6 } 1375 1376 ipsecBundleState OBJECT-TYPE 1377 SYNTAX INTEGER { 1378 established(1), -- The bundle is alive 1379 expired(2), -- The bundle is expired 1380 delete (3), -- Mark this bundle for deletion 1381 negotiating(4), -- This bundle is currently negotiated 1382 rekeyed(5), -- Rekeying of bundle succeeded 1383 heartbeat-lost(6), -- Heartbeat receive timeout 1384 failed(7) -- The negotiation failed 1385 } 1386 MAX-ACCESS read-write 1387 STATUS current 1388 DESCRIPTION 1389 "The current state of the bundle 1390 Possible values: 1391 established(1), -- The bundle is alive 1392 expired(2), -- The bundle is expired 1393 delete (3), -- Mark this bundle for deletion 1394 negotiating(4), -- This bundle is currently negotiated 1395 rekeyed(5), -- Rekeying of bundle succeeded 1396 heartbeat-lost(6), -- Heartbeat receive timeout 1397 failed(7) -- The negotiation failed." 
1398 DEFVAL { negotiating } 1399 ::= { ipsecBundleEntry 7 } 1400 1401 ipsecBundleNumSas OBJECT-TYPE 1402 SYNTAX INTEGER 1403 MAX-ACCESS read-only 1404 STATUS current 1405 DESCRIPTION 1406 "The number of SAs contained in this bundle." 1407 ::= { ipsecBundleEntry 8 } 1408 1409 ipsecBundleRole OBJECT-TYPE 1410 SYNTAX INTEGER { 1411 initiator(1), -- this end initiated the negotiation 1412 responder(2) -- the remote end initiated the negotiation 1413 } 1414 MAX-ACCESS read-only 1415 STATUS current 1416 DESCRIPTION 1417 "This object specifies by which side the SA bundle 1418 negotiation was initiated. 1419 Possible values: 1420 initiator(1), -- this end initiated the negotiation 1421 responder(2) -- the remote end initiated the negotiation." 1422 ::= { ipsecBundleEntry 9 } 1423 1424 ipsecBundleRekeyedBundle OBJECT-TYPE 1425 SYNTAX INTEGER 1426 MAX-ACCESS read-only 1427 STATUS current 1428 DESCRIPTION 1429 "This object indicates upon rekeying, which bundle (actually 1430 its BundleIndex) is going to be replaced by that one." 1431 ::= { ipsecBundleEntry 10 } 1432 1433 ipsecBundleRekeyingBundle OBJECT-TYPE 1434 SYNTAX INTEGER 1435 MAX-ACCESS read-only 1436 STATUS current 1437 DESCRIPTION 1438 "This object indicates upon rekeying, which bundle (actually 1439 its BundleIndex) is going to replace that one." 1440 ::= { ipsecBundleEntry 11 } 1441 1442 ipsecBundleLastStateChange OBJECT-TYPE 1443 SYNTAX TimeTicks 1444 MAX-ACCESS read-only 1445 STATUS current 1446 DESCRIPTION 1447 "This object indicates the time in time ticks from system start 1448 by which the state of this bundle entry was changed last. 1449 To determine the absolute time, the current sysUpTime must be 1450 subtracted from this value." 
1451 ::= { ipsecBundleEntry 12 } 1452 1453 ipsecBundleHeartbeatsEnabled OBJECT-TYPE 1454 SYNTAX INTEGER { 1455 none(1), -- neither sending nor expecting heartbeats 1456 expect(2), -- expecting heartbeats 1457 send(3), -- sending heartbeats 1458 both(4) -- sending and expecting heartbeats 1459 } 1460 MAX-ACCESS read-only 1461 STATUS current 1462 DESCRIPTION 1463 "This object specifies whether heartbeats are sent and/or 1464 expected over this bundle. 1465 Possible values: 1466 none(1), -- neither sending nor expecting heartbeats 1467 expect(2), -- expecting heartbeats 1468 send(3), -- sending heartbeats 1469 both(4) -- sending and expecting heartbeats." 1470 ::= { ipsecBundleEntry 13 } 1471 1472 ipsecBundleCreator OBJECT-TYPE 1473 SYNTAX INTEGER { 1474 manual(1), -- A manually keyed IPSec SA bundle 1475 ike(2) -- An automatically keyed SA bundle created by IKE 1476 } 1477 MAX-ACCESS read-only 1478 STATUS current 1479 DESCRIPTION 1480 "This object specifies how the SA was created 1481 Possible values: 1482 manual(1),-- A manually keyed IPSec SA bundle 1483 ike(2) -- An automatically keyed SA bundle created by IKE." 1484 ::= { ipsecBundleEntry 14 } 1485 1486 ipsecBundleTunnelLocal OBJECT-TYPE 1487 SYNTAX IpAddress 1488 MAX-ACCESS read-only 1489 STATUS current 1490 DESCRIPTION 1491 "The local IP address of the outer packet header. For 1492 transport mode bundles this address is the same as the 1493 ipsecBundleLocalAddress." 1494 ::= { ipsecBundleEntry 15 } 1495 1496 ipsecBundleTunnelRemote OBJECT-TYPE 1497 SYNTAX IpAddress 1498 MAX-ACCESS read-only 1499 STATUS current 1500 DESCRIPTION 1501 "The remote IP address of the outer packet header. For 1502 transport mode bundles, this address is the same as the 1503 ipsecBundleRemoteAddress." 
::= { ipsecBundleEntry 16 }

    -- NOTE(review): SYNTAX assigns enabled(2)/disabled(1) while the
    -- DESCRIPTION lists enabled(1)/disabled(2); the two mappings are swapped.
    -- Confirm which one the agent emits before interpreting this object.
    ipsecBundlePmtuDiscovery OBJECT-TYPE
        SYNTAX INTEGER {
            enabled(2), -- copy DF bit from original packet; propagate PMTU
            disabled(1) -- clear DF bit in IPSec packet;
                        -- fragment if necessary
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "This object specifies the initialization of the DF bit in
            outgoing IPSec packets for this bundle. It decides whether
            PMTU discovery is propagated over the IPSec tunnel or not.
            Possible values:
            enabled(1), -- copy DF bit from original packet; propagate PMTU
            disabled(2) -- clear DF bit in IPSec packet;
                        -- fragment if necessary."
        ::= { ipsecBundleEntry 17 }

    ipsecBundleKeepAlive OBJECT-TYPE
        SYNTAX INTEGER {
            true(1), -- rekey even if no traffic was processed by this bundle
            false(2) -- rekey only if at least one packet was processed
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "This object specifies the circumstances under which this SA
            bundle will be rekeyed.
            Possible values:
            true(1), -- rekey even if no traffic was processed
            false(2) -- rekey only if at least one packet was processed."
        ::= { ipsecBundleEntry 18 }

    -- true(1) is the normal, self-describing ESP padding; false(2) selects the
    -- "old style" layout, which presumably means the pad bytes are not
    -- verified on receive (the object name suggests so; confirm with the
    -- agent). Bundles reporting false(2) deserve a look.
    ipsecBundleVerifyPad OBJECT-TYPE
        SYNTAX INTEGER {
            true(1), -- normal, self-describing ESP padding
            false(2) -- old style ESP padding
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "This object specifies the kind of padding expected for ESP SAs
            within this bundle.
            Possible values:
            true(1), -- normal, self-describing ESP padding
            false(2) -- old style ESP padding."
        ::= { ipsecBundleEntry 19 }

    -- Hard lifetime of the bundle; ipsecBundleRekeySeconds is the earlier
    -- soft limit at which rekeying starts.
    ipsecBundleLifeSeconds OBJECT-TYPE
        SYNTAX Unsigned32
        UNITS "seconds"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The period in seconds after which this bundle will be destroyed."
1561 ::= { ipsecBundleEntry 20 } 1562 1563 ipsecBundleLifeKBytes OBJECT-TYPE 1564 SYNTAX Unsigned32 1565 UNITS "kilo bytes" 1566 MAX-ACCESS read-only 1567 STATUS current 1568 DESCRIPTION 1569 "The amount of data allowed to be protected by this bundle until 1570 it is destroyed (ipsecBundleOutBytes or ipecBundleOutBytes)." 1571 ::= { ipsecBundleEntry 21 } 1572 1573 ipsecBundleRekeySeconds OBJECT-TYPE 1574 SYNTAX INTEGER 1575 UNITS "seconds" 1576 MAX-ACCESS read-only 1577 STATUS current 1578 DESCRIPTION 1579 "The period in seconds after which this bundle will be rekeyed." 1580 ::= { ipsecBundleEntry 22 } 1581 1582 ipsecBundleRekeyKBytes OBJECT-TYPE 1583 SYNTAX INTEGER 1584 UNITS "kilo bytes" 1585 MAX-ACCESS read-only 1586 STATUS current 1587 DESCRIPTION 1588 "The amount of data allowed to be protected by this bundle until 1589 it is rekeyed (ipsecBundleOutBytes or ipecBundleOutBytes)." 1590 ::= { ipsecBundleEntry 23 } 1591 1592 ipsecBundleProto OBJECT-TYPE 1593 SYNTAX INTEGER { 1594 icmp(1), 1595 igmp(2), 1596 ggp(3), 1597 ipip(4), 1598 st(5), 1599 tcp(6), 1600 cbt(7), 1601 egp(8), 1602 igp(9), 1603 bbn(10), 1604 nvp(11), 1605 pup(12), 1606 argus(13), 1607 emcon(14), 1608 xnet(15), 1609 chaos(16), 1610 udp(17), 1611 mux(18), 1612 dcn(19), 1613 hmp(20), 1614 prm(21), 1615 xns(22), 1616 trunk1(23), 1617 trunk2(24), 1618 leaf1(25), 1619 leaf2(26), 1620 rdp(27), 1621 irtp(28), 1622 isotp4(29), 1623 netblt(30), 1624 mfe(31), 1625 merit(32), 1626 sep(33), 1627 pc3(34), 1628 idpr(35), 1629 xtp(36), 1630 ddp(37), 1631 idprc(38), 1632 tp(39), 1633 il(40), 1634 ipv6(41), 1635 sdrp(42), 1636 ipv6route(43), 1637 ipv6frag(44), 1638 idrp(45), 1639 rsvp(46), 1640 gre(47), 1641 mhrp(48), 1642 bna(49), 1643 esp(50), 1644 ah(51), 1645 inlsp(52), 1646 swipe(53), 1647 narp(54), 1648 mobile(55), 1649 tlsp(56), 1650 skip(57), 1651 ipv6icmp(58), 1652 ipv6nonxt(59), 1653 ipv6opts(60), 1654 ipproto-61(61), 1655 cftp(62), 1656 local(63), 1657 sat(64), 1658 kryptolan(65), 1659 rvd(66), 1660 
ippc(67), 1661 distfs(68), 1662 satmon(69), 1663 visa(70), 1664 ipcv(71), 1665 cpnx(72), 1666 cphb(73), 1667 wsn(74), 1668 pvp(75), 1669 brsatmon(76), 1670 sunnd(77), 1671 wbmon(78), 1672 wbexpak(79), 1673 isoip(80), 1674 vmtp(81), 1675 securevmtp(82), 1676 vines(83), 1677 ttp(84), 1678 nsfnet(85), 1679 dgp(86), 1680 tcf(87), 1681 eigrp(88), 1682 ospfigp(89), 1683 sprite(90), 1684 larp(91), 1685 mtp(92), 1686 ax25(93), 1687 ipwip(94), 1688 micp(95), 1689 scc(96), 1690 etherip(97), 1691 encap(98), 1692 encrypt(99), 1693 gmtp(100), 1694 ifmp(101), 1695 pnni(102), 1696 pim(103), 1697 aris(104), 1698 scps(105), 1699 qnx(106), 1700 an(107), 1701 ippcp(108), 1702 snp(109), 1703 compaq(110), 1704 ipxip(111), 1705 vrrp(112), 1706 pgm(113), 1707 hop0(114), 1708 l2tp(115), 1709 ipproto-116(116), 1710 ipproto-117(117), 1711 ipproto-118(118), 1712 ipproto-119(119), 1713 ipproto-120(120), 1714 ipproto-121(121), 1715 ipproto-122(122), 1716 ipproto-123(123), 1717 ipproto-124(124), 1718 ipproto-125(125), 1719 ipproto-126(126), 1720 ipproto-127(127), 1721 ipproto-128(128), 1722 ipproto-129(129), 1723 ipproto-130(130), 1724 ipproto-131(131), 1725 ipproto-132(132), 1726 ipproto-133(133), 1727 ipproto-134(134), 1728 ipproto-135(135), 1729 ipproto-136(136), 1730 ipproto-137(137), 1731 ipproto-138(138), 1732 ipproto-139(139), 1733 ipproto-140(140), 1734 ipproto-141(141), 1735 ipproto-142(142), 1736 ipproto-143(143), 1737 ipproto-144(144), 1738 ipproto-145(145), 1739 ipproto-146(146), 1740 ipproto-147(147), 1741 ipproto-148(148), 1742 ipproto-149(149), 1743 ipproto-150(150), 1744 ipproto-151(151), 1745 ipproto-152(152), 1746 ipproto-153(153), 1747 ipproto-154(154), 1748 ipproto-155(155), 1749 ipproto-156(156), 1750 ipproto-157(157), 1751 ipproto-158(158), 1752 ipproto-159(159), 1753 ipproto-160(160), 1754 ipproto-161(161), 1755 ipproto-162(162), 1756 ipproto-163(163), 1757 ipproto-164(164), 1758 ipproto-165(165), 1759 ipproto-166(166), 1760 ipproto-167(167), 1761 ipproto-168(168), 1762 
ipproto-169(169), 1763 ipproto-170(170), 1764 ipproto-171(171), 1765 ipproto-172(172), 1766 ipproto-173(173), 1767 ipproto-174(174), 1768 ipproto-175(175), 1769 ipproto-176(176), 1770 ipproto-177(177), 1771 ipproto-178(178), 1772 ipproto-179(179), 1773 ipproto-180(180), 1774 ipproto-181(181), 1775 ipproto-182(182), 1776 ipproto-183(183), 1777 ipproto-184(184), 1778 ipproto-185(185), 1779 ipproto-186(186), 1780 ipproto-187(187), 1781 ipproto-188(188), 1782 ipproto-189(189), 1783 ipproto-190(190), 1784 ipproto-191(191), 1785 ipproto-192(192), 1786 ipproto-193(193), 1787 ipproto-194(194), 1788 ipproto-195(195), 1789 ipproto-196(196), 1790 ipproto-197(197), 1791 ipproto-198(198), 1792 ipproto-199(199), 1793 ipproto-200(200), 1794 ipproto-201(201), 1795 ipproto-202(202), 1796 ipproto-203(203), 1797 ipproto-204(204), 1798 ipproto-205(205), 1799 ipproto-206(206), 1800 ipproto-207(207), 1801 ipproto-208(208), 1802 ipproto-209(209), 1803 ipproto-210(210), 1804 ipproto-211(211), 1805 ipproto-212(212), 1806 ipproto-213(213), 1807 ipproto-214(214), 1808 ipproto-215(215), 1809 ipproto-216(216), 1810 ipproto-217(217), 1811 ipproto-218(218), 1812 ipproto-219(219), 1813 ipproto-220(220), 1814 ipproto-221(221), 1815 ipproto-222(222), 1816 ipproto-223(223), 1817 ipproto-224(224), 1818 ipproto-225(225), 1819 ipproto-226(226), 1820 ipproto-227(227), 1821 ipproto-228(228), 1822 ipproto-229(229), 1823 ipproto-230(230), 1824 ipproto-231(231), 1825 ipproto-232(232), 1826 ipproto-233(233), 1827 ipproto-234(234), 1828 ipproto-235(235), 1829 ipproto-236(236), 1830 ipproto-237(237), 1831 ipproto-238(238), 1832 ipproto-239(239), 1833 ipproto-240(240), 1834 ipproto-241(241), 1835 ipproto-242(242), 1836 ipproto-243(243), 1837 ipproto-244(244), 1838 ipproto-245(245), 1839 ipproto-246(246), 1840 ipproto-247(247), 1841 ipproto-248(248), 1842 ipproto-249(249), 1843 ipproto-250(250), 1844 ipproto-251(251), 1845 ipproto-252(252), 1846 ipproto-253(253), 1847 ipproto-254(254), 1848 dont-verify(255) 1849 
} 1850 MAX-ACCESS read-only 1851 STATUS current 1852 DESCRIPTION 1853 "The protocol of the traffic selectors." 1854 ::= { ipsecBundleEntry 24 } 1855 1856 ipsecBundleLocalAddress OBJECT-TYPE 1857 SYNTAX IpAddress 1858 MAX-ACCESS read-only 1859 STATUS current 1860 DESCRIPTION 1861 "The local address (host or network or range start address) 1862 of the traffic selectors, 1863 source for outbound, destination for inbound." 1864 ::= { ipsecBundleEntry 25 } 1865 1866 ipsecBundleLocalMaskLen OBJECT-TYPE 1867 SYNTAX INTEGER 1868 MAX-ACCESS read-only 1869 STATUS current 1870 DESCRIPTION 1871 "The local network masklen of the traffic selectors, 1872 source for outbound, destination for inbound." 1873 ::= { ipsecBundleEntry 26 } 1874 1875 ipsecBundleLocalRange OBJECT-TYPE 1876 SYNTAX IpAddress 1877 MAX-ACCESS read-only 1878 STATUS current 1879 DESCRIPTION 1880 "The local address range end address of the traffic selectors, 1881 source for outbound, destination for inbound." 1882 ::= { ipsecBundleEntry 27 } 1883 1884 ipsecBundleLocalPort OBJECT-TYPE 1885 SYNTAX INTEGER 1886 MAX-ACCESS read-only 1887 STATUS current 1888 DESCRIPTION 1889 "The local port of the traffic selectors, 1890 source for outbound, destination for inbound." 1891 ::= { ipsecBundleEntry 28 } 1892 1893 ipsecBundleRemoteAddress OBJECT-TYPE 1894 SYNTAX IpAddress 1895 MAX-ACCESS read-only 1896 STATUS current 1897 DESCRIPTION 1898 "The remote address (host or network or range start address) 1899 of the traffic selectors 1900 source for outbound, destination for inbound." 1901 ::= { ipsecBundleEntry 29 } 1902 1903 ipsecBundleRemoteMaskLen OBJECT-TYPE 1904 SYNTAX INTEGER 1905 MAX-ACCESS read-only 1906 STATUS current 1907 DESCRIPTION 1908 "The remote network masklen of the traffic selectors 1909 source for outbound, destination for inbound." 
1910 ::= { ipsecBundleEntry 30 } 1911 1912 ipsecBundleRemoteRange OBJECT-TYPE 1913 SYNTAX IpAddress 1914 MAX-ACCESS read-only 1915 STATUS current 1916 DESCRIPTION 1917 "The remote address range end address of the traffic selectors 1918 source for outbound, destination for inbound." 1919 ::= { ipsecBundleEntry 31 } 1920 1921 ipsecBundleRemotePort OBJECT-TYPE 1922 SYNTAX INTEGER 1923 MAX-ACCESS read-only 1924 STATUS current 1925 DESCRIPTION 1926 "The remote port of the traffic selectors 1927 source for outbound, destination for inbound." 1928 ::= { ipsecBundleEntry 32 } 1929 1930 ipsecBundleInPkt OBJECT-TYPE 1931 SYNTAX Counter64 1932 MAX-ACCESS read-only 1933 STATUS current 1934 DESCRIPTION 1935 "The total number of inbound packets processed by this bundle." 1936 ::= { ipsecBundleEntry 33 } 1937 1938 ipsecBundleInHb OBJECT-TYPE 1939 SYNTAX Counter64 1940 MAX-ACCESS read-only 1941 STATUS current 1942 DESCRIPTION 1943 "The number of heartbeat packets received over this bundle." 1944 ::= { ipsecBundleEntry 34 } 1945 1946 ipsecBundleInBytes OBJECT-TYPE 1947 SYNTAX Counter64 1948 UNITS "bytes" 1949 MAX-ACCESS read-only 1950 STATUS current 1951 DESCRIPTION 1952 "The number of inbound bytes (including IPSec overhead) 1953 processed by this bundle." 1954 ::= { ipsecBundleEntry 35 } 1955 1956 ipsecBundleInBytesNetto OBJECT-TYPE 1957 SYNTAX Counter64 1958 UNITS "bytes" 1959 MAX-ACCESS read-only 1960 STATUS current 1961 DESCRIPTION 1962 "The number of inbound bytes (netto: IPSec headers excluded) 1963 processed by this bundle." 1964 ::= { ipsecBundleEntry 37 } 1965 1966 ipsecBundleOutPkt OBJECT-TYPE 1967 SYNTAX Counter64 1968 MAX-ACCESS read-only 1969 STATUS current 1970 DESCRIPTION 1971 "The total number of outbound packets processed by this bundle." 1972 ::= { ipsecBundleEntry 39 } 1973 1974 ipsecBundleOutHb OBJECT-TYPE 1975 SYNTAX Counter64 1976 MAX-ACCESS read-only 1977 STATUS current 1978 DESCRIPTION 1979 "The number of heartbeat packets sent for this bundle." 
1980 ::= { ipsecBundleEntry 40 } 1981 1982 ipsecBundleOutBytes OBJECT-TYPE 1983 SYNTAX Counter64 1984 UNITS "bytes" 1985 MAX-ACCESS read-only 1986 STATUS current 1987 DESCRIPTION 1988 "The number of outbound bytes (including IPSec overhead) 1989 processed by this bundle." 1990 ::= { ipsecBundleEntry 41 } 1991 1992 ipsecBundleOutBytesNetto OBJECT-TYPE 1993 SYNTAX Counter64 1994 UNITS "bytes" 1995 MAX-ACCESS read-only 1996 STATUS current 1997 DESCRIPTION 1998 "The number of outbound bytes (netto: IPSec headers excluded) 1999 processed by this bundle." 2000 ::= { ipsecBundleEntry 43 } 2001 2002 ipsecBundleNatT OBJECT-TYPE 2003 SYNTAX INTEGER { 2004 enabled(1), -- use udp encapsulation 2005 disabled(2) -- do not use udp encapsulation 2006 } 2007 MAX-ACCESS read-only 2008 STATUS current 2009 DESCRIPTION 2010 "This object specifies if the udp encapsulation of ESP packets 2011 is active within this bundle. 2012 Possible values: 2013 enabled(1), -- use udp encapsulation 2014 disabled(2) -- do not use udp encapsulation." 2015 ::= { ipsecBundleEntry 45 } 2016 2017 ipsecBundleNatOaLocal OBJECT-TYPE 2018 SYNTAX IpAddress 2019 MAX-ACCESS read-only 2020 STATUS current 2021 DESCRIPTION 2022 "The local IP address as seen by the remote side. 2023 Only valid for transport mode bundles with NatT enabled." 2024 ::= { ipsecBundleEntry 46 } 2025 2026 ipsecBundleNatOaRemote OBJECT-TYPE 2027 SYNTAX IpAddress 2028 MAX-ACCESS read-only 2029 STATUS current 2030 DESCRIPTION 2031 "The remote IP address as seen by the remote side. 2032 Only valid for transport mode bundles with NatT enabled." 2033 ::= { ipsecBundleEntry 47 } 2034 2035 ipsecBundleIkeMajVersion OBJECT-TYPE 2036 SYNTAX INTEGER 2037 MAX-ACCESS read-only 2038 STATUS current 2039 DESCRIPTION 2040 "The IKE major version number." 
2041 DEFVAL { 1 } 2042 ::= { ipsecBundleEntry 48 } 2043 2044 ipsecBundleIkeMinVersion OBJECT-TYPE 2045 SYNTAX INTEGER 2046 MAX-ACCESS read-only 2047 STATUS current 2048 DESCRIPTION 2049 "The IKE minor version number." 2050 DEFVAL { 0 } 2051 ::= { ipsecBundleEntry 49 } 2052 2053 2054-- End IPSec Bundle Table 2055 2056-- IKE Security Associations Table 2057 2058 ikeSaTable OBJECT-TYPE 2059 SYNTAX SEQUENCE OF IkeSaEntry 2060 MAX-ACCESS not-accessible 2061 STATUS current 2062 DESCRIPTION 2063 "This table contains the list of currently active IKE security 2064 associations." 2065 ::= { ipsec 4 } 2066 2067 ikeSaEntry OBJECT-TYPE 2068 SYNTAX IkeSaEntry 2069 MAX-ACCESS not-accessible 2070 STATUS current 2071 DESCRIPTION 2072 "This object contains an IKE security association." 2073 INDEX { 2074 ikeSaIndex 2075 } 2076 ::= { ikeSaTable 1 } 2077 2078 IkeSaEntry ::= 2079 SEQUENCE { 2080 ikeSaIndex INTEGER, 2081 ikeSaState INTEGER, 2082 ikeSaXchType INTEGER, 2083 ikeSaAuthMethod INTEGER, 2084 ikeSaEncAlg INTEGER, 2085 ikeSaHashAlg INTEGER, 2086 ikeSaPrfAlg INTEGER, 2087 ikeSaRole INTEGER, 2088 ikeSaLocalId DisplayString, 2089 ikeSaRemoteId DisplayString, 2090 ikeSaLocalIp IpAddress, 2091 ikeSaRemoteIp IpAddress, 2092 ikeSaCookieI OCTET STRING, 2093 ikeSaCookieR OCTET STRING, 2094 ikeSaCreated Date, 2095 ikeSaLastUsed Date, 2096 ikeSaExpires Date, 2097 ikeSaNumCerts INTEGER, 2098 ikeSaNumNegotiations INTEGER, 2099 ikeSaBytes INTEGER, 2100 ikeSaMajVersion INTEGER, 2101 ikeSaMinVersion INTEGER, 2102 ikeSaPeerIndex INTEGER, 2103 ikeSaHeartbeatsEnabled INTEGER, 2104 ikeSaHeartbeatsSent INTEGER, 2105 ikeSaHeartbeatsReceived INTEGER, 2106 ikeSaLocalPort INTEGER, 2107 ikeSaRemotePort INTEGER, 2108 ikeSaXauthType INTEGER, 2109 ikeSaXauthUser DisplayString 2110 } 2111 2112 ikeSaIndex OBJECT-TYPE 2113 SYNTAX INTEGER 2114 MAX-ACCESS read-only 2115 STATUS current 2116 DESCRIPTION 2117 "A unique index for this entry." 
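::= { ikeSaEntry 1 }

    -- Writable: setting delete(7) marks the IKE SA for deletion, so this
    -- object is a management action rather than pure status (ipsecBundleState
    -- delete(3) is the same kind of object). SNMP write access to it should
    -- be confined to a dedicated, restricted view.
    ikeSaState OBJECT-TYPE
        SYNTAX INTEGER {
            negotiating(1), -- the SA is still being negotiated
            established(2), -- the SA negotiation is finished
            waiting-for-remove(3), -- the SA is waiting for removal
            delete(7) -- mark the SA for deletion
        }
        MAX-ACCESS read-write
        STATUS current
        DESCRIPTION
            "This object specifies the state of the SA.
            Possible values:
            negotiating(1), -- the SA is still being negotiated
            established(2), -- the SA negotiation is finished
            waiting-for-remove(3), -- the SA is waiting for removal
            delete(7) -- mark the SA for deletion."
        DEFVAL { negotiating }
        ::= { ikeSaEntry 3 }

    -- NOTE(review): the DESCRIPTION lists authentication-only(3), info(5),
    -- quick(32) and new-group(33), none of which are members of the SYNTAX
    -- enumeration. Confirm whether the agent can emit them; if it can, the
    -- SYNTAX is incomplete. aggressive(4) exposes identities unencrypted and
    -- is the value to watch for in this object.
    ikeSaXchType OBJECT-TYPE
        SYNTAX INTEGER {
            base(1), -- IKE base mode mode
            id-protect(2), -- IKE identity protection
                           -- (oakley main mode)
            aggressive(4), -- IKE (oakley) aggressive mode
            any(256) -- Other mode
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The exchange mode used to create the SA.
            Possible values:
            base(1), -- IKE base mode mode
            id-protect(2), -- IKE identity protection
                           -- (oakley main mode)
            authentication-only(3), -- Authentication only mode
            aggressive(4), -- IKE (oakley) aggressive mode
            info(5), -- IKE informational exchange mode
            quick(32), -- IKE quick mode
            new-group(33), -- IKE new group mode
            any(256) -- Other mode."
        ::= { ikeSaEntry 4 }

    -- Typo fixed in the DESCRIPTION ("authenticatin"). The string continues
    -- on the next source line.
    ikeSaAuthMethod OBJECT-TYPE
        SYNTAX INTEGER {
            pre-sh-key(1), -- Authentication using pre shared keys
            dss-sig(2), -- Authentication using DSS signatures
            rsa-sig(3), -- Authentication using RSA signatures
            rsa-enc(4), -- Authentication using RSA encryption
            rsa-enc-rev(5) -- Authentication using revised RSA encryption
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The authentication method used when negotiating this SA.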
Possible values:
            pre-sh-key(1), -- Authentication using pre shared keys
            dss-sig(2), -- Authentication using DSS signatures
            rsa-sig(3), -- Authentication using RSA signatures
            rsa-enc(4), -- Authentication using RSA encryption
            rsa-enc-rev(5) -- Authentication using revised RSA encryption."
        ::= { ikeSaEntry 5 }

    -- des(1) is single DES; idea(2) and rc5(4) are marked "not used". Value 8
    -- is intentionally absent from the enumeration. An established IKE SA
    -- reporting des(1) is a legacy configuration worth alerting on.
    ikeSaEncAlg OBJECT-TYPE
        SYNTAX INTEGER {
            des(1),
            idea(2), -- not used
            blowfish(3),
            rc5(4), -- not used
            des3(5),
            cast128(6), -- CAST with 128 bit key
            aes(7), -- AES encryption algorithm
            twofish(9)
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The encryption algorithm used."
        ::= { ikeSaEntry 26 }

    -- No SHA-2 variant is representable here or in ikeSaPrfAlg; md5(1) in an
    -- established SA indicates a legacy proposal.
    ikeSaHashAlg OBJECT-TYPE
        SYNTAX INTEGER {
            md5(1), -- The MD5 hash algorithm
            sha(2), -- The Secure Hash Algorithm
            tiger(3), -- The Tiger hash algorithm
            ripemd160(4) -- The RIPE MD 160 hash algorithm
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The hash algorithm used."
        ::= { ikeSaEntry 27 }

    -- Same enumeration as ikeSaHashAlg, applied to the PRF.
    ikeSaPrfAlg OBJECT-TYPE
        SYNTAX INTEGER {
            md5(1), -- The MD5 hash algorithm
            sha(2), -- The Secure Hash Algorithm
            tiger(3), -- The Tiger hash algorithm
            ripemd160(4) -- The RIPE MD 160 hash algorithm
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The hash algorithm used for the pseudo random function."
        ::= { ikeSaEntry 28 }

    -- Definition continues on the next source line (its OID assignment).
    ikeSaRole OBJECT-TYPE
        SYNTAX INTEGER {
            initiator(1), -- this end initiated the SA negotiation
            responder(2) -- the remote end initiated the SA negotiation
        }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "This object specifies by which side the SA
            negotiation was initiated.
            Possible values:
            initiator(1), -- this end initiated the SA negotiation
            responder(2) -- the remote end initiated the SA negotiation."
2239 ::= { ikeSaEntry 7 } 2240 2241 ikeSaLocalId OBJECT-TYPE 2242 SYNTAX DisplayString 2243 MAX-ACCESS read-only 2244 STATUS current 2245 DESCRIPTION 2246 "The local ID used for authentication." 2247 ::= { ikeSaEntry 8 } 2248 2249 ikeSaRemoteId OBJECT-TYPE 2250 SYNTAX DisplayString 2251 MAX-ACCESS read-only 2252 STATUS current 2253 DESCRIPTION 2254 "The remote ID used for authentication." 2255 ::= { ikeSaEntry 9 } 2256 2257 ikeSaLocalIp OBJECT-TYPE 2258 SYNTAX IpAddress 2259 MAX-ACCESS read-only 2260 STATUS current 2261 DESCRIPTION 2262 "The local IP address used in the IKE communication." 2263 ::= { ikeSaEntry 10 } 2264 2265 ikeSaRemoteIp OBJECT-TYPE 2266 SYNTAX IpAddress 2267 MAX-ACCESS read-only 2268 STATUS current 2269 DESCRIPTION 2270 "The remote IP address used in the IKE communication." 2271 ::= { ikeSaEntry 11 } 2272 2273 ikeSaCookieI OBJECT-TYPE 2274 SYNTAX OCTET STRING 2275 MAX-ACCESS read-only 2276 STATUS current 2277 DESCRIPTION 2278 "The cookie of the initiator." 2279 ::= { ikeSaEntry 12 } 2280 2281 ikeSaCookieR OBJECT-TYPE 2282 SYNTAX OCTET STRING 2283 MAX-ACCESS read-only 2284 STATUS current 2285 DESCRIPTION 2286 "The cookie of the responder." 2287 ::= { ikeSaEntry 13 } 2288 2289 ikeSaCreated OBJECT-TYPE 2290 SYNTAX Date 2291 MAX-ACCESS read-only 2292 STATUS current 2293 DESCRIPTION 2294 "Time the SA was created." 2295 ::= { ikeSaEntry 24 } 2296 2297 ikeSaLastUsed OBJECT-TYPE 2298 SYNTAX Date 2299 MAX-ACCESS read-only 2300 STATUS current 2301 DESCRIPTION 2302 "Time the SA was used last." 2303 ::= { ikeSaEntry 25 } 2304 2305 ikeSaExpires OBJECT-TYPE 2306 SYNTAX Date 2307 MAX-ACCESS read-only 2308 STATUS current 2309 DESCRIPTION 2310 "Time the SA will expire." 2311 ::= { ikeSaEntry 29 } 2312 2313 ikeSaNumCerts OBJECT-TYPE 2314 SYNTAX INTEGER 2315 MAX-ACCESS read-only 2316 STATUS current 2317 DESCRIPTION 2318 "The number of certificates received from the remote 2319 side when negotiating this SA." 
2320 ::= { ikeSaEntry 15 } 2321 2322 ikeSaNumNegotiations OBJECT-TYPE 2323 SYNTAX INTEGER 2324 MAX-ACCESS read-only 2325 STATUS current 2326 DESCRIPTION 2327 "This object specifies the number of currently active 2328 negotiations for this SA." 2329 ::= { ikeSaEntry 16 } 2330 2331 ikeSaBytes OBJECT-TYPE 2332 SYNTAX INTEGER 2333 UNITS "bytes" 2334 MAX-ACCESS read-only 2335 STATUS current 2336 DESCRIPTION 2337 "Number of bytes transmitted using this SA." 2338 ::= { ikeSaEntry 17 } 2339 2340 ikeSaMajVersion OBJECT-TYPE 2341 SYNTAX INTEGER 2342 MAX-ACCESS read-only 2343 STATUS current 2344 DESCRIPTION 2345 "The IKE major version number." 2346 ::= { ikeSaEntry 18 } 2347 2348 ikeSaMinVersion OBJECT-TYPE 2349 SYNTAX INTEGER 2350 MAX-ACCESS read-only 2351 STATUS current 2352 DESCRIPTION 2353 "The IKE minor version number." 2354 ::= { ikeSaEntry 19 } 2355 2356 ikeSaPeerIndex OBJECT-TYPE 2357 SYNTAX INTEGER 2358 MAX-ACCESS read-only 2359 STATUS current 2360 DESCRIPTION 2361 "The index of the peer for which this SA was created." 2362 ::= { ikeSaEntry 20 } 2363 2364 ikeSaHeartbeatsEnabled OBJECT-TYPE 2365 SYNTAX INTEGER { 2366 send(1), -- send heartbeats 2367 expect(2), -- expect heartbeats 2368 both(3), -- send and expect heartbeats 2369 none(4) -- neither send nor expect heartbeats 2370 } 2371 MAX-ACCESS read-only 2372 STATUS current 2373 DESCRIPTION 2374 "This object specifies whether heartbeats are sent/expected 2375 over this SA 2376 possible values: 2377 send(1), -- send heartbeats 2378 expect(2), -- expect heartbeats 2379 both(3), -- send and expect heartbeats 2380 none(4) -- neither send nor expect heartbeats." 2381 ::= { ikeSaEntry 21 } 2382 2383 ikeSaHeartbeatsSent OBJECT-TYPE 2384 SYNTAX INTEGER 2385 MAX-ACCESS read-only 2386 STATUS current 2387 DESCRIPTION 2388 "Number of Heartbeats sent over this SA." 
2389 ::= { ikeSaEntry 22 } 2390 2391 ikeSaHeartbeatsReceived OBJECT-TYPE 2392 SYNTAX INTEGER 2393 MAX-ACCESS read-only 2394 STATUS current 2395 DESCRIPTION 2396 "Number of Heartbeats received over this SA." 2397 ::= { ikeSaEntry 23 } 2398 2399 ikeSaLocalPort OBJECT-TYPE 2400 SYNTAX INTEGER (0..65535) 2401 MAX-ACCESS read-only 2402 STATUS current 2403 DESCRIPTION 2404 "Local port currently used for the SA." 2405 ::= { ikeSaEntry 30 } 2406 2407 ikeSaRemotePort OBJECT-TYPE 2408 SYNTAX INTEGER (0..65535) 2409 MAX-ACCESS read-only 2410 STATUS current 2411 DESCRIPTION 2412 "Remote port currently used for the SA." 2413 ::= { ikeSaEntry 31 } 2414 2415 ikeSaXauthType OBJECT-TYPE 2416 SYNTAX INTEGER { 2417 generic(0), -- generic 2418 radius-chap(1), -- RADIUS-CHAP 2419 otp(2), -- One-Time-Password 2420 s-key(3), -- S/KEY One-Time-Password 2421 none(32768) -- no XAUTH used 2422 } 2423 MAX-ACCESS read-only 2424 STATUS current 2425 DESCRIPTION 2426 "This object displays whether XAUTH is used or not 2427 after complete establishment of the SA. 2428 If XAUTH is used then the type of the extended 2429 authentication is displayed." 2430 DEFVAL { none } 2431 ::= { ikeSaEntry 32 } 2432 2433 ikeSaXauthUser OBJECT-TYPE 2434 SYNTAX DisplayString 2435 MAX-ACCESS read-only 2436 STATUS current 2437 DESCRIPTION 2438 "User name used for Extended Authentication." 2439 ::= { ikeSaEntry 33 } 2440 2441 2442-- End IKE Security Associations Table 2443 2444 2445-- IKE (Phase 1) Profile Table 2446 2447 ikeProfileTable OBJECT-TYPE 2448 SYNTAX SEQUENCE OF IkeProfileEntry 2449 MAX-ACCESS not-accessible 2450 STATUS current 2451 DESCRIPTION 2452 "This table contains the list of IKE (Phase 1) profiles." 2453 ::= { ipsec 14 } 2454 2455 ikeProfileEntry OBJECT-TYPE 2456 SYNTAX IkeProfileEntry 2457 MAX-ACCESS not-accessible 2458 STATUS current 2459 DESCRIPTION 2460 "This object contains an IPSec phase 1 profile."
2461 INDEX { 2462 ikePrfProposal 2463 } 2464 ::= { ikeProfileTable 1 } 2465 2466 IkeProfileEntry ::= 2467 SEQUENCE { 2468 ikePrfIndex INTEGER, 2469 ikePrfDescription DisplayString, 2470 ikePrfAuthMethod INTEGER, 2471 ikePrfMode INTEGER, 2472 ikePrfProposal INTEGER, 2473 ikePrfGroup INTEGER, 2474 ikePrfCert INTEGER, 2475 ikePrfLocalId DisplayString, 2476 ikePrfCaCerts DisplayString, 2477 ikePrfLifeTime INTEGER, 2478 ikePrfPfsIdentity INTEGER, 2479 ikePrfHeartbeats INTEGER, 2480 ikePrfBlockTime INTEGER, 2481 ikePrfNatT INTEGER, 2482 ikePrfMtuMax INTEGER, 2483 ikePrfLifeSeconds Unsigned32, 2484 ikePrfLifeKBytes Unsigned32, 2485 ikePrfLifeRekeyPercent INTEGER, 2486 ikePrfLifePolicy INTEGER 2487 } 2488 2489 ikePrfIndex OBJECT-TYPE 2490 SYNTAX INTEGER 2491 MAX-ACCESS read-only 2492 STATUS current 2493 DESCRIPTION 2494 "A unique index identifying this entry." 2495 ::= { ikeProfileEntry 1 } 2496 2497 ikePrfDescription OBJECT-TYPE 2498 SYNTAX DisplayString 2499 MAX-ACCESS read-write 2500 STATUS current 2501 DESCRIPTION 2502 "An optional description for this profile." 2503 ::= { ikeProfileEntry 2 } 2504 2505 ikePrfAuthMethod OBJECT-TYPE 2506 SYNTAX INTEGER { 2507 pre-sh-key(1), -- Authentication using pre shared keys 2508 dss-sig(2), -- Authentication using DSS signatures 2509 rsa-sig(3), -- Authentication using RSA signatures 2510 rsa-enc(4), -- Authentication using RSA encryption 2511 default(14), -- use settings from default profile 2512 delete(15) -- mark this entry for deletion 2513 } 2514 MAX-ACCESS read-write 2515 STATUS current 2516 DESCRIPTION 2517 "This object specifies the authentication method used for this profile. 
2518 Possible values: 2519 pre-sh-key(1), -- Authentication using pre shared keys 2520 dss-sig(2), -- Authentication using DSS signatures 2521 rsa-sig(3), -- Authentication using RSA signatures 2522 rsa-enc(4), -- Authentication using RSA encryption 2523 default(14), -- use settings from default profile 2524 -- (pre-sh-key if this is the default profile) 2525 delete(15) -- mark this entry for deletion." 2526 DEFVAL { default } 2527 ::= { ikeProfileEntry 3 } 2528 2529 ikePrfMode OBJECT-TYPE 2530 SYNTAX INTEGER { 2531 id-protect(1), -- Use identity protection (main) mode 2532 aggressive(2), -- Use aggressive mode 2533 default(3), -- Use default setting from the 2534 -- global profile 2535 id-protect-only(4), -- only id-protect mode allowed 2536 aggressive-only(5) -- only aggressive mode allowed 2537 } 2538 MAX-ACCESS read-write 2539 STATUS current 2540 DESCRIPTION 2541 "This object specifies the exchange mode used for IKE 2542 SA negotiation. 2543 Possible values: 2544 id-protect(1), -- Use identity protection (main) mode 2545 aggressive(2), -- Use aggressive mode 2546 default(3), -- Use default setting from the 2547 -- global profile 2548 id-protect-only(4), -- only id-protect mode allowed 2549 aggressive-only(5) -- only aggressive mode allowed." 2550 DEFVAL { default } 2551 ::= { ikeProfileEntry 4 } 2552 2553 ikePrfProposal OBJECT-TYPE 2554 SYNTAX INTEGER 2555 MAX-ACCESS read-write 2556 STATUS current 2557 DESCRIPTION 2558 "The index of the first IKE proposal which may be used 2559 for IKE SA negotiation with this profile." 2560 ::= { ikeProfileEntry 5 } 2561 2562 ikePrfGroup OBJECT-TYPE 2563 SYNTAX INTEGER (1..5) 2564 MAX-ACCESS read-write 2565 STATUS current 2566 DESCRIPTION 2567 "This object specifies the IKE group to use with this profile. 
2568 Possible values: 2569 1: a 768-bit MODP group 2570 2: a 1024-bit MODP group 2571 5: a 1536-bit MODP group" 2572 ::= { ikeProfileEntry 6 } 2573 2574 ikePrfCert OBJECT-TYPE 2575 SYNTAX INTEGER (0..32767) 2576 MAX-ACCESS read-write 2577 STATUS current 2578 DESCRIPTION 2579 "The index of the certificate used for authentication 2580 in the certTable. Ignored for AuthMethod == pre_shared_key." 2581 ::= { ikeProfileEntry 7 } 2582 2583 ikePrfLocalId OBJECT-TYPE 2584 SYNTAX DisplayString 2585 MAX-ACCESS read-write 2586 STATUS current 2587 DESCRIPTION 2588 "The local ID used for authentication with this profile. 2589 Syntax: 2590 - X500 distinguished name: 2591 <obj-name=obj-value, obj-ID=obj-value, ...> 2592 - IPV4-Address: 2593 |123.456.789.012| with or without '|' 2594 - IPV4 Address Range: 2595 |123.456.789.012-123.456.789.013| with or without '|' 2596 - IPV4 Address Subnet: 2597 |123.456.789.012/255.255.255.0| with or without '|' 2598 or: 2599 |123.456.789.012/24| with or without '|' 2600 - Key-ID: arbitrary string: 2601 {anything} 2602 - Fully Qualified User Name (FQUN): 2603 (anything) or user@domain with mandatory '@' 2604 - Fully Qualified Domain Name (FQDN): 2605 [anything] or any name without '@' not matching any other 2606 syntax" 2607 ::= { ikeProfileEntry 8 } 2608 2609 ikePrfCaCerts OBJECT-TYPE 2610 SYNTAX DisplayString 2611 MAX-ACCESS read-write 2612 STATUS current 2613 DESCRIPTION 2614 "Receives a comma separated list with indices (0..32767) 2615 of special certificate authority certificates accepted 2616 for this profile." 2617 ::= { ikeProfileEntry 9 } 2618 2619 ikePrfLifeTime OBJECT-TYPE 2620 SYNTAX INTEGER 2621 MAX-ACCESS read-only 2622 STATUS current 2623 DESCRIPTION 2624 "This object specifies an index in the ipsecLifeTimeTable with the 2625 lifetime settings to be used for IKE SA negotiation with this profile. 2626 If the lifetime pointed to by this index does not exist or is 2627 inappropriate, the default lifetime is taken. 
2628 The usage of this object is deprecated, use the ikePrfLifeXxx 2629 variables directly instead." 2630 DEFVAL { -1 } 2631 ::= { ikeProfileEntry 10 } 2632 2633 ikePrfPfsIdentity OBJECT-TYPE 2634 SYNTAX INTEGER { 2635 true(1), -- delete phase 1 SAs 2636 false(2), -- reuse phase 1 SAs 2637 default(3) -- use value from default profile 2638 -- (false, if this is the default profile) 2639 } 2640 MAX-ACCESS read-write 2641 STATUS current 2642 DESCRIPTION 2643 "This object specifies whether IKE SA's should be deleted 2644 immediately after a phase 2 (IPSec-) SA pair has been 2645 negotiated. 2646 The consequence of enabling this feature is that before each 2647 phase 2 negotiation there always has to be a phase 1 2648 negotiation. Thus individual phase 2 SAs cannot be 2649 associated with one another or, respectively, if the 2650 identity of a remote peer is known to an eavesdropper 2651 for one SA, he cannot conclude that the next SA is 2652 negotiated with the same remote peer. 2653 Note: Setting this flag only makes sense if configured 2654 together with id-protect mode or RSA encryption for 2655 authentication and if the IP address of the remote 2656 peer does not allow conclusions about its identity 2657 (i.e. dynamic remote peer addresses). 2658 Possible values: 2659 true(1), -- delete phase 1 SAs 2660 false(2), -- reuse phase 1 SAs 2661 default(3) -- use value from default profile 2662 -- (false if this is the default profile)." 
2663 DEFVAL { default } 2664 ::= { ikeProfileEntry 11 } 2665 2666 ikePrfHeartbeats OBJECT-TYPE 2667 SYNTAX INTEGER { 2668 none(1), -- neither send nor expect heartbeats 2669 expect(2), -- expect heartbeats 2670 send(3), -- send heartbeats 2671 both(4), -- send and expect heartbeats 2672 default(5), -- use default value 2673 auto(6), -- detect support using vendor id 2674 dpd(7), -- use DPD method for proof-of-liveliness 2675 dpd-idle(8) -- use DPD, detect dead peers even while idle 2676 } 2677 MAX-ACCESS read-write 2678 STATUS current 2679 DESCRIPTION 2680 "This object specifies whether heartbeats should be sent 2681 over phase 1 SAs for this profile (heartbeats are not 2682 used for IPv6). 2683 Possible values: 2684 none(1), -- neither send nor expect heartbeats 2685 expect(2), -- expect heartbeats 2686 send(3), -- send heartbeats 2687 both(4), -- send and expect heartbeats 2688 default(5), -- use value from default profile 2689 -- (auto if this is the default profile) 2690 auto(6), -- detect support using vendor id 2691 dpd(7), -- use DPD method for proof-of-liveliness 2692 dpd-idle(8) -- use DPD, detect dead peers even while idle." 2693 DEFVAL { default } 2694 ::= { ikeProfileEntry 12 } 2695 2696 ikePrfBlockTime OBJECT-TYPE 2697 SYNTAX INTEGER (-1..86400) 2698 UNITS "seconds" 2699 MAX-ACCESS read-write 2700 STATUS current 2701 DESCRIPTION 2702 "This object specifies the time in seconds for which a peer is 2703 blocked for any IPSec operations after a phase 1 initiator 2704 negotiation failed. 2705 Special values: 2706 -1: use settings from global profile (do not block by default) 2707 0: do not block the peer at all." 
2708 DEFVAL { -1 } 2709 ::= { ikeProfileEntry 13 } 2710 2711 ikePrfNatT OBJECT-TYPE 2712 SYNTAX INTEGER { 2713 enabled(1), -- enable Nat-Traversal 2714 disabled(2), -- disable Nat-Traversal 2715 default(3), -- use value from default profile 2716 -- (enabled, if this is the default profile) 2717 enforce(4) -- enforce NAT-T, independent from NAT 2718 -- detection 2719 } 2720 MAX-ACCESS read-write 2721 STATUS current 2722 DESCRIPTION 2723 "This object specifies whether NAT-Traversal is enabled. 2724 Possible values: 2725 enabled(1), -- enable Nat-Traversal 2726 disabled(2), -- disable Nat-Traversal 2727 default(3) -- use value from default profile 2728 -- (disabled, if this is the default profile)." 2729 DEFVAL { default } 2730 ::= { ikeProfileEntry 14 } 2731 2732 ikePrfMtuMax OBJECT-TYPE 2733 SYNTAX INTEGER (0..65535) 2734 MAX-ACCESS read-write 2735 STATUS current 2736 DESCRIPTION 2737 "The maximum MTU value allowed for ipsecPeerStatMtu. 2738 Zero means use value from global profile, 2739 if this is the global profile, 1418 is assumed. 2740 Nonzero values smaller than 214 are reset to the minimum of 214." 2741 DEFVAL { 0 } 2742 ::= { ikeProfileEntry 15 } 2743 2744 ikePrfLifeSeconds OBJECT-TYPE 2745 SYNTAX Unsigned32 2746 UNITS "seconds" 2747 MAX-ACCESS read-write 2748 STATUS current 2749 DESCRIPTION 2750 "The maximum time (in seconds) after which an SA will be 2751 deleted." 2752 DEFVAL { 900 } 2753 ::= { ikeProfileEntry 16 } 2754 2755 2756 ikePrfLifeKBytes OBJECT-TYPE 2757 SYNTAX Unsigned32 2758 UNITS "kilo bytes" 2759 MAX-ACCESS read-write 2760 STATUS current 2761 DESCRIPTION 2762 "The maximum amount of data (in KB) which may be protected 2763 by an SA before it is deleted." 2764 DEFVAL { 0 } 2765 ::= { ikeProfileEntry 17 } 2766 2767 2768 ikePrfLifeRekeyPercent OBJECT-TYPE 2769 SYNTAX INTEGER (50..100) 2770 MAX-ACCESS read-write 2771 STATUS obsolete 2772 DESCRIPTION 2773 "WARNING: this object is obsolete and must not be used."
2774 DEFVAL { 80 } 2775 ::= { ikeProfileEntry 18 } 2776 2777 ikePrfLifePolicy OBJECT-TYPE 2778 SYNTAX INTEGER { 2779 loose(1), -- accept and use anything proposed 2780 strict(2), -- accept and use only what is configured 2781 notify(3), -- accept anything (send responder lifetime) 2782 use-default-lifetime(4) -- use lifetime values from default 2783 -- profile 2784 } 2785 MAX-ACCESS read-write 2786 STATUS current 2787 DESCRIPTION 2788 "This object specifies the way a lifetime proposal is 2789 handled. Possible values: 2790 loose(1), -- accept and use anything proposed 2791 strict(2), -- accept and use only what is configured 2792 notify(3), -- accept anything, if own values are smaller 2793 than what was proposed use these and 2794 send responder lifetime notification 2795 use-default-lifetime(4) -- use lifetime values from default 2796 -- profile." 2797 DEFVAL { use-default-lifetime } 2798 ::= { ikeProfileEntry 19 } 2799 2800-- End IKE (Phase 1) Profile Table 2801 2802-- IPSec (Phase 2) Profile Table 2803 2804 ipsecProfileTable OBJECT-TYPE 2805 SYNTAX SEQUENCE OF IpsecProfileEntry 2806 MAX-ACCESS not-accessible 2807 STATUS current 2808 DESCRIPTION 2809 "This table contains the list of IPSec (Phase 2) profiles." 2810 ::= { ipsec 15 } 2811 2812 ipsecProfileEntry OBJECT-TYPE 2813 SYNTAX IpsecProfileEntry 2814 MAX-ACCESS not-accessible 2815 STATUS current 2816 DESCRIPTION 2817 "This object contains an IPSec phase 2 profile."
2818 INDEX { 2819 ipsecPrfProposal 2820 } 2821 ::= { ipsecProfileTable 1 } 2822 2823 IpsecProfileEntry ::= 2824 SEQUENCE { 2825 ipsecPrfIndex INTEGER, 2826 ipsecPrfDescription DisplayString, 2827 ipsecPrfProposal INTEGER, 2828 ipsecPrfPfsGroup INTEGER, 2829 ipsecPrfLifeTime INTEGER, 2830 ipsecPrfHeartbeats INTEGER, 2831 ipsecPrfPmtuDiscovery INTEGER, 2832 ipsecPrfGranularity INTEGER, 2833 ipsecPrfKeepAlive INTEGER, 2834 ipsecPrfVerifyPad INTEGER, 2835 ipsecPrfForceTunnelMode INTEGER, 2836 ipsecPrfLifeSeconds Unsigned32, 2837 ipsecPrfLifeKBytes Unsigned32, 2838 ipsecPrfLifeRekeyPercent INTEGER, 2839 ipsecPrfLifePolicy INTEGER 2840 } 2841 2842 ipsecPrfIndex OBJECT-TYPE 2843 SYNTAX INTEGER 2844 MAX-ACCESS read-only 2845 STATUS current 2846 DESCRIPTION 2847 "A unique index identifying this entry." 2848 ::= { ipsecProfileEntry 1 } 2849 2850 ipsecPrfDescription OBJECT-TYPE 2851 SYNTAX DisplayString 2852 MAX-ACCESS read-write 2853 STATUS current 2854 DESCRIPTION 2855 "An optional description for this profile." 2856 ::= { ipsecProfileEntry 2 } 2857 2858 ipsecPrfProposal OBJECT-TYPE 2859 SYNTAX INTEGER 2860 MAX-ACCESS read-write 2861 STATUS current 2862 DESCRIPTION 2863 "The index of the IPSec proposal used for this profile." 2864 ::= { ipsecProfileEntry 3 } 2865 2866 ipsecPrfPfsGroup OBJECT-TYPE 2867 SYNTAX INTEGER (-1..5) 2868 MAX-ACCESS read-write 2869 STATUS current 2870 DESCRIPTION 2871 "The Diffie Hellman group used for additional Perfect 2872 Forward Secrecy (PFS) DH exponentiations. 2873 Possible values: 2874 -1: do not use PFS 2875 0: use value from default profile (do not use PFS 2876 if this is the default profile) 2877 1: a 768-bit MODP group, 2878 2: a 1024-bit MODP group, 2879 5: a 1536-bit MODP group." 2880 ::= { ipsecProfileEntry 4 } 2881 2882 ipsecPrfLifeTime OBJECT-TYPE 2883 SYNTAX INTEGER 2884 MAX-ACCESS read-only 2885 STATUS current 2886 DESCRIPTION 2887 "This object specifies an index in the 2888 ipsecLifeTimeTable. 
2889 The usage of this object is deprecated, use the ipsecPrfLifeXxx 2890 variables directly instead." 2891 DEFVAL { -1 } 2892 ::= { ipsecProfileEntry 5 } 2893 2894 ipsecPrfHeartbeats OBJECT-TYPE 2895 SYNTAX INTEGER { 2896 none(1), -- neither send nor expect heartbeats 2897 expect(2), -- expect heartbeats 2898 send(3), -- send heartbeats 2899 both(4), -- send and expect heartbeats 2900 default(5), -- use settings from peer or global profile 2901 auto(6) -- detect support using vendor id 2902 } 2903 MAX-ACCESS read-write 2904 STATUS current 2905 DESCRIPTION 2906 "This object specifies whether heartbeats should be sent 2907 over phase 2 SAs for this profile (heartbeats are not 2908 used for IPv6). 2909 Possible values: 2910 none(1), -- neither send nor expect heartbeats 2911 expect(2), -- expect heartbeats 2912 send(3), -- send heartbeats 2913 both(4), -- send and expect heartbeats 2914 default(5), -- use settings from peer or global profile 2915 (auto if this is the global profile) 2916 auto(6) -- detect support using vendor id." 2917 DEFVAL { default } 2918 ::= { ipsecProfileEntry 6 } 2919 2920 ipsecPrfPmtuDiscovery OBJECT-TYPE 2921 SYNTAX INTEGER { 2922 disabled(1), -- do not perform PMTU discovery 2923 enabled(2), -- perform PMTU discovery 2924 default(3) -- use settings from peer or global profile 2925 -- (enabled if this is the global profile) 2926 } 2927 MAX-ACCESS read-write 2928 STATUS current 2929 DESCRIPTION 2930 "This object specifies the PMTU discovery policy for this profile. 2931 Possible values: 2932 disabled(1), -- do not perform PMTU discovery 2933 enabled(2), -- perform PMTU discovery 2934 default(3) -- use settings from peer or global profile 2935 -- (enabled if this is the global profile)."
2936 DEFVAL { default } 2937 ::= { ipsecProfileEntry 7 } 2938 2939 ipsecPrfGranularity OBJECT-TYPE 2940 SYNTAX INTEGER { 2941 default(1), -- use granularity settings from default profile 2942 -- (coarse if this is the default profile) 2943 coarse(2), -- Create only one SA for each Traffic entry 2944 ip(3), -- Create one SA for each host 2945 proto(4), -- Create one SA for each protocol and host 2946 port(5), -- Create one SA for each port and host 2947 local-services(6) -- same as 'coarse' but 'ip' for local services 2948 } 2949 MAX-ACCESS read-write 2950 STATUS current 2951 DESCRIPTION 2952 "This object specifies the granularity with which SAs 2953 are created with this profile. 2954 Possible values: 2955 default(1), -- use granularity settings from default profile 2956 -- (coarse if this is the default profile) 2957 coarse(2), -- Create only one SA for each Traffic entry 2958 ip(3), -- Create one SA for each host 2959 proto(4), -- Create one SA for each protocol and host 2960 port(5) -- Create one SA for each port and host." 2961 DEFVAL { default } 2962 ::= { ipsecProfileEntry 8 } 2963 2964 ipsecPrfKeepAlive OBJECT-TYPE 2965 SYNTAX INTEGER { 2966 true(1), -- rekey SAs even if no data was transferred 2967 false(2), -- do not rekey SAs if no data was transferred 2968 default (3), -- use value from default profile 2969 -- (false if this is the default profile) 2970 delete (4) -- mark this entry for deletion 2971 } 2972 MAX-ACCESS read-write 2973 STATUS current 2974 DESCRIPTION 2975 "This object specifies whether IKE SAs 2976 are rekeyed even if there was no data transferred over 2977 them. 2978 Possible values: 2979 true(1), -- rekey SAs even if no data was transferred 2980 false(2), -- do not rekey SAs if no data was transferred 2981 default (3), -- use value from default profile 2982 -- (false if this is the default profile) 2983 delete (4) -- mark this entry for deletion."
2984 DEFVAL { default } 2985 ::= { ipsecProfileEntry 9 } 2986 2987 ipsecPrfVerifyPad OBJECT-TYPE 2988 SYNTAX INTEGER { 2989 true(1), -- normal, self-describing ESP padding 2990 false(2), -- old style ESP padding 2991 default(3) -- use setting from peer or global profile 2992 } 2993 MAX-ACCESS read-write 2994 STATUS current 2995 DESCRIPTION 2996 "This object is a compatibility option for older ipsec 2997 implementations. It enables or disables an old way of ESP 2998 padding (no self describing padding). 2999 Possible values: 3000 true(1), -- normal, self-describing ESP padding 3001 false(2), -- old style ESP padding 3002 default(3) -- use setting from peer or global profile 3003 (true if this is the global profile)." 3004 DEFVAL { default } 3005 ::= { ipsecProfileEntry 10 } 3006 3007 ipsecPrfForceTunnelMode OBJECT-TYPE 3008 SYNTAX INTEGER { 3009 true(1), -- Use tunnel mode even if transport mode is possible 3010 false(2), -- Use transport mode whenever possible 3011 default(3) -- Use settings from default profile 3012 } 3013 MAX-ACCESS read-write 3014 STATUS current 3015 DESCRIPTION 3016 "This object specifies the strategy when transport mode is used. 3017 By default, the system always uses transport mode, if possible. 3018 If this variable is set to true, always tunnel mode will be used 3019 for this traffic entry, even if source and destination address 3020 match the tunnel endpoints. 3021 Possible values: 3022 true(1), -- Use tunnel mode even if transport mode is possible 3023 false(2), -- Use transport mode whenever possible 3024 default(3) -- Use settings from default profile 3025 (if this is the default, false is assumed)." 3026 DEFVAL { default } 3027 ::= { ipsecProfileEntry 11 } 3028 3029 ipsecPrfLifeSeconds OBJECT-TYPE 3030 SYNTAX Unsigned32 3031 UNITS "seconds" 3032 MAX-ACCESS read-write 3033 STATUS current 3034 DESCRIPTION 3035 "The maximum time (in seconds) after which an SA will be 3036 deleted." 
3037 DEFVAL { 900 } 3038 ::= { ipsecProfileEntry 16 } 3039 3040 3041 ipsecPrfLifeKBytes OBJECT-TYPE 3042 SYNTAX Unsigned32 3043 UNITS "kilo bytes" 3044 MAX-ACCESS read-write 3045 STATUS current 3046 DESCRIPTION 3047 "The maximum amount of data (in KB) which may be protected 3048 by an SA before it is deleted." 3049 DEFVAL { 0 } 3050 ::= { ipsecProfileEntry 17 } 3051 3052 3053 ipsecPrfLifeRekeyPercent OBJECT-TYPE 3054 SYNTAX INTEGER (50..100) 3055 MAX-ACCESS read-write 3056 STATUS current 3057 DESCRIPTION 3058 "The percentage of the lifetimes (traffic and time based) 3059 after which rekeying is started." 3060 DEFVAL { 80 } 3061 ::= { ipsecProfileEntry 18 } 3062 3063 ipsecPrfLifePolicy OBJECT-TYPE 3064 SYNTAX INTEGER { 3065 loose(1), -- accept and use anything proposed 3066 strict(2), -- accept and use only what is configured 3067 notify(3), -- accept anything (send responder lifetime) 3068 use-default-lifetime(4) -- use lifetime values from default 3069 -- profile 3070 } 3071 MAX-ACCESS read-write 3072 STATUS current 3073 DESCRIPTION 3074 "This object specifies the way a lifetime proposal is 3075 handled. Possible values: 3076 loose(1), -- accept and use anything proposed 3077 strict(2), -- accept and use only what is configured 3078 notify(3) -- accept anything, if own values are smaller 3079 than what was proposed use these and 3080 send responder lifetime notification 3081 use_default_lifetime(4) -- use lifetime values from default 3082 -- profile." 3083 DEFVAL { use-default-lifetime } 3084 ::= { ipsecProfileEntry 19 } 3085 3086-- End IPSec (Phase 2) Profile Table 3087 3088 3089-- IPSec Peer Table 3090 3091 ipsecPeerTable OBJECT-TYPE 3092 SYNTAX SEQUENCE OF IpsecPeerEntry 3093 MAX-ACCESS not-accessible 3094 STATUS current 3095 DESCRIPTION 3096 "This table contains the list of IPSec peers." 
3097 ::= { ipsec 5 } 3098 3099 ipsecPeerEntry OBJECT-TYPE 3100 SYNTAX IpsecPeerEntry 3101 MAX-ACCESS not-accessible 3102 STATUS current 3103 DESCRIPTION 3104 "This object contains the description of an IPSec peer." 3105 INDEX { 3106 ipsecPeerTrafficList 3107 } 3108 ::= { ipsecPeerTable 1 } 3109 3110 IpsecPeerEntry ::= 3111 SEQUENCE { 3112 ipsecPeerIndex INTEGER, 3113 ipsecPeerPriority INTEGER, 3114 ipsecPeerDescription DisplayString, 3115 ipsecPeerDynamicAddress DisplayString, 3116 ipsecPeerPeerIds DisplayString, 3117 ipsecPeerLocalAddress IpAddress, 3118 ipsecPeerTrafficList INTEGER, 3119 ipsecPeerIkeProfile INTEGER, 3120 ipsecPeerIpsecProfile INTEGER, 3121 ipsecPeerPreSharedKey DisplayString, 3122 ipsecPeerVirtualInterface INTEGER, 3123 ipsecPeerStartMode INTEGER, 3124 ipsecPeerAdminStatus INTEGER, 3125 ipsecPeerIsdnCB INTEGER, 3126 ipsecPeerPreSharedKeyData OCTET STRING, 3127 ipsecPeerIsdnCBMode INTEGER, 3128 ipsecPeerIsdnCBDChanMode INTEGER, 3129 ipsecPeerType INTEGER, 3130 ipsecPeerDynAddrPoolId INTEGER, 3131 ipsecPeerDynAddrLocalIp IpAddress, 3132 ipsecPeerXauthProfile Unsigned32, 3133 ipsecPeerDynAddrRole INTEGER, 3134 ipsecPeerIkeVersion INTEGER, 3135-- IKEv2 specific Peer parameters 3136 ipsecPeerLocalId DisplayString, 3137 ipsecPeerAuthMethod INTEGER, 3138 ipsecPeerCert INTEGER, 3139 ipsecPeerCaCerts DisplayString, 3140-- universal (IKEv1 and IKEv2) Peer parameters 3141 ipsecPeerDynAddrMode INTEGER, 3142 ipsecPeerMobike INTEGER, 3143 ipsecPeerPublicIfIndex INTEGER, 3144 ipsecPeerPublicIfIndexMode INTEGER 3145 } 3146 3147-- these read-only parameters are moved to the new ipsecPeerStatTable: 3148-- ipsecPeerNextIndex OID ipsecPeerEntry 2 3149-- ipsecPeerCaCerts OID ipsecPeerEntry 4 3150-- ipsecPeerPeerAddress OID ipsecPeerEntry 6 3151-- ipsecPeerLocalId OID ipsecPeerEntry 7 3152-- ipsecPeerLocalCert OID ipsecPeerEntry 9 3153-- ipsecPeerIkeProposals OID ipsecPeerEntry 10 3154-- ipsecPeerPublicInterface OID ipsecPeerEntry 12 3155-- ipsecPeerPfsIdentity OID 
ipsecPeerEntry 13 3156-- ipsecPeerAuthMethod OID ipsecPeerEntry 20 3157-- ipsecPeerIkeGroup OID ipsecPeerEntry 22 3158-- ipsecPeerPfsGroup OID ipsecPeerEntry 23 3159-- ipsecPeerPh1Mode OID ipsecPeerEntry 24 3160-- ipsecPeerIkeLifeTime OID ipsecPeerEntry 25 3161-- ipsecPeerIpsecLifeTime OID ipsecPeerEntry 26 3162-- ipsecPeerKeepAlive OID ipsecPeerEntry 29 3163-- ipsecPeerGranularity OID ipsecPeerEntry 30 3164-- ipsecPeerDontVerifyPad OID ipsecPeerEntry 31 3165-- ipsecPeerNoPmtuDiscovery OID ipsecPeerEntry 36 3166-- ipsecPeerOperStatus OID ipsecPeerEntry 44 3167-- ipsecPeerDefaultIpsecProposals OID ipsecPeerEntry 42 3168-- ipsecPeerHeartbeat OID ipsecPeerEntry 43 3169-- ipsecPeerTtl OID ipsecPeerEntry 51 3170-- ipsecPeerCurrentLocalAddress OID ipsecPeerEntry 52 3171-- ipsecPeerCurrentRemoteAddress OID ipsecPeerEntry 53 3172-- ipsecPeerNumP1 OID ipsecPeerEntry 54 3173-- ipsecPeerNumP1Negotiating OID ipsecPeerEntry 55 3174-- ipsecPeerNumP1Established OID ipsecPeerEntry 56 3175-- ipsecPeerNumP1Deleted OID ipsecPeerEntry 57 3176-- ipsecPeerNumBundles OID ipsecPeerEntry 58 3177-- ipsecPeerNumBundlesNegotiating OID ipsecPeerEntry 59 3178-- ipsecPeerNumBundlesEstablished OID ipsecPeerEntry 60 3179-- ipsecPeerPh1LToken OID ipsecPeerEntry 64 3180-- ipsecPeerPh1RToken OID ipsecPeerEntry 65 3181-- ipsecPeerIsdnCBNextMode OID ipsecPeerEntry 68 3182-- ipsecPeerNatDetect OID ipsecPeerEntry 69 3183-- ipsecPeerNatTLocalPort OID ipsecPeerEntry 70 3184-- ipsecPeerNatTRemotePort OID ipsecPeerEntry 71 3185-- ipsecPeerMtu OID ipsecPeerEntry 72 3186-- ipsecPeerRxIdle OID ipsecPeerEntry 74 3187-- ipsecPeerTxIdle OID ipsecPeerEntry 75 3188-- ipsecPeerDPD OID ipsecPeerEntry 76 3189-- ipsecPeerDPDRetries OID ipsecPeerEntry 77 3190 3191 ipsecPeerIndex OBJECT-TYPE 3192 SYNTAX INTEGER 3193 MAX-ACCESS read-only 3194 STATUS current 3195 DESCRIPTION 3196 "A unique index identifying this entry." 
3197 ::= { ipsecPeerEntry 1 } 3198 3199 3200 ipsecPeerPriority OBJECT-TYPE 3201 SYNTAX INTEGER 3202 MAX-ACCESS read-write 3203 STATUS current 3204 DESCRIPTION 3205 "Defines the matching priority." 3206 ::= { ipsecPeerEntry 47 } 3207 3208 3209 ipsecPeerDescription OBJECT-TYPE 3210 SYNTAX DisplayString 3211 MAX-ACCESS read-write 3212 STATUS current 3213 DESCRIPTION 3214 "An optional description for this peer." 3215 ::= { ipsecPeerEntry 3 } 3216 3217 3218 ipsecPeerDynamicAddress OBJECT-TYPE 3219 SYNTAX DisplayString 3220 MAX-ACCESS read-write 3221 STATUS current 3222 DESCRIPTION 3223 "The IP-address of the peer. 3224 This object may contain either an IP address or a domain name." 3225 ::= { ipsecPeerEntry 14 } 3226 3227 3228 ipsecPeerPeerIds OBJECT-TYPE 3229 SYNTAX DisplayString 3230 MAX-ACCESS read-write 3231 STATUS current 3232 DESCRIPTION 3233 "The IDs of the peer which are accepted for authentication. 3234 Syntax: 3235 - X500 distinguished name: 3236 <obj-name=obj-value, obj-ID=obj-value, ...> 3237 - IPV4-Address: 3238 |123.456.789.012| with or without '|' 3239 - IPV4 Address Range (only IKEv1): 3240 |123.456.789.012-123.456.789.013| with or without '|' 3241 - IPV4 Address Subnet (only IKEv1): 3242 |123.456.789.012/255.255.255.0| with or without '|' 3243 or: 3244 |123.456.789.012/24| with or without '|' 3245 - Key-ID: arbitrary string: 3246 {anything} 3247 - Fully Qualified User Name (FQUN) (for IKEv1) or 3248 Fully-qualified RFC 822 email address string (for IKEv2): 3249 (anything) or user@domain with mandatory '@' 3250 - Fully Qualified Domain Name (FQDN): 3251 [anything] or any name without '@' not matching any other 3252 syntax" 3253 ::= { ipsecPeerEntry 5 } 3254 3255 3256 ipsecPeerLocalAddress OBJECT-TYPE 3257 SYNTAX IpAddress 3258 MAX-ACCESS read-write 3259 STATUS current 3260 DESCRIPTION 3261 "The local address used for IPSec encrypted packets." 
3262 ::= { ipsecPeerEntry 8 } 3263 3264 3265 ipsecPeerTrafficList OBJECT-TYPE 3266 SYNTAX INTEGER 3267 MAX-ACCESS read-write 3268 STATUS current 3269 DESCRIPTION 3270 "This object specifies the first entry of possibly a 3271 chain of traffic entries from the ipsecTrafficTable 3272 which should be protected with IPSec using this peer." 3273 ::= { ipsecPeerEntry 11 } 3274 3275 ipsecPeerVirtualInterface OBJECT-TYPE 3276 SYNTAX INTEGER { 3277 disabled(1), -- no virtual interface for this peer 3278 enabled(2) -- a virtual interface will be assigned this peer 3279 } 3280 MAX-ACCESS read-write 3281 STATUS current 3282 DESCRIPTION 3283 "This object specifies if a virtual interface should be created 3284 for this peer. If set to enabled, all traffic routed towards 3285 this peer will be protected. The traffic list for this peer 3286 is ignored then. The index of the interface associated with 3287 this peer is calculated as follows: 3288 ifIndex = ipsecPeerIndex + 100000." 3289 DEFVAL { disabled } 3290 ::= { ipsecPeerEntry 15 } 3291 3292 ipsecPeerStartMode OBJECT-TYPE 3293 SYNTAX INTEGER { 3294 on-demand(1), -- packet triggered start, 3295 -- fall back to dormant if unused 3296 always-up(2) -- always set up and keep up 3297 } 3298 MAX-ACCESS read-write 3299 STATUS current 3300 DESCRIPTION 3301 "This object specifies the events which make the IPSec peer go up. 3302 Possible values: 3303 on-demand(1), -- packet triggered start, 3304 -- fall back to dormant if unused 3305 always-up(2) -- always set up and keep up." 3306 DEFVAL { on-demand } 3307 ::= { ipsecPeerEntry 16 } 3308 3309 ipsecPeerIkeProfile OBJECT-TYPE 3310 SYNTAX INTEGER 3311 MAX-ACCESS read-write 3312 STATUS current 3313 DESCRIPTION 3314 "When ipsecPeerIkeVersion is set to ikev1 this is an index from 3315 the ikeProfileTable containing a special phase 1 profile to 3316 use for this peer. 
3317 When ipsecPeerIkeVersion is set to ikev2 this is an index from 3318 the ikev2ProfileTable containing a special IKE_SA profile to 3319 use for this peer." 3320 ::= { ipsecPeerEntry 48 } 3321 3322 ipsecPeerIpsecProfile OBJECT-TYPE 3323 SYNTAX INTEGER 3324 MAX-ACCESS read-write 3325 STATUS current 3326 DESCRIPTION 3327 "The index from the ipsecProfileTable containing a special 3328 phase 2 profile to use for this peer." 3329 ::= { ipsecPeerEntry 49 } 3330 3331 ipsecPeerPreSharedKey OBJECT-TYPE 3332 SYNTAX DisplayString 3333 MAX-ACCESS read-write 3334 STATUS current 3335 DESCRIPTION 3336 "The pre-shared-key used with this peer, if pre-shared-keys 3337 are used for authentication. This field serves only 3338 as an input field and its contents are replaced with 3339 a single asterisk immediately after it is set." 3340 ::= { ipsecPeerEntry 21 } 3341 3342 ipsecPeerAdminStatus OBJECT-TYPE 3343 SYNTAX INTEGER { 3344 up(1), 3345 down(2), 3346-- testing(3), 3347 dialup(4), 3348 callback(5), 3349 delete(15) 3350 } 3351 MAX-ACCESS read-write 3352 STATUS current 3353 DESCRIPTION 3354 "Peer administrative state." 3355 DEFVAL { up } 3356 ::= { ipsecPeerEntry 50 } 3357 3358 ipsecPeerIsdnCB OBJECT-TYPE 3359 SYNTAX INTEGER { 3360 enabled(1), 3361 disabled(2), 3362 passive(3), -- expect an ISDN call and setup IPSec tunnel 3363 active(4) -- setup an ISDN call and expect IPSec tunnel setup 3364 } 3365 MAX-ACCESS read-write 3366 STATUS current 3367 DESCRIPTION 3368 "Switch for turning ISDN call back feature on and off 3369 specifically for peer. 3370 Default value is disabled." 3371 DEFVAL { disabled } 3372 ::= { ipsecPeerEntry 45 } 3373 3374 ipsecPeerPreSharedKeyData OBJECT-TYPE 3375 SYNTAX OCTET STRING 3376 MAX-ACCESS not-accessible 3377 STATUS current 3378 DESCRIPTION 3379 "Field used for storing the pre-shared-key permanently." 
3380 ::= { ipsecPeerEntry 63 } 3381 3382 ipsecPeerIsdnCBMode OBJECT-TYPE 3383 SYNTAX INTEGER { 3384 compat(1), 3385 auto(2), 3386 auto-d(3), 3387 d(4), 3388 db(5), 3389 b(6) 3390 } 3391 MAX-ACCESS read-write 3392 STATUS current 3393 DESCRIPTION 3394 "Define callback mode. 3395 The following modes are defined: 3396 compat(1) -- compatibility to old callback 3397 auto(2) -- automatically detect best method 3398 auto-d(3) -- automatically detect best D channel method 3399 d(4) -- use D channel only 3400 db(5) -- try D channel first, fall back to B 3401 b(6) -- use B channel only 3402 3403 Default value for that variable is compat(1)." 3404 DEFVAL { compat } 3405 ::= { ipsecPeerEntry 66 } 3406 3407 ipsecPeerIsdnCBDChanMode OBJECT-TYPE 3408 SYNTAX INTEGER { 3409 llc(1), 3410 subaddr(2), 3411 llc-and-subaddr(3), 3412 llc-subaddr(4), 3413 subaddr-llc(5) 3414 } 3415 MAX-ACCESS read-write 3416 STATUS current 3417 DESCRIPTION 3418 "Define callback D channel mode. 3419 The following modes are defined: 3420 llc(1) -- code token into LLC information 3421 element only 3422 subaddr(2) -- code token into SUBADDR information 3423 element only 3424 llc-and-subaddr(3) -- redundantly use LLC and SUBADDR 3425 information elements 3426 llc-subaddr(4) -- try LLC first, then SUBADDR 3427 subaddr-llc(5) -- try SUBADDR first, then LLC 3428 3429 Default value for that variable is LLC(1)." 3430 DEFVAL { llc } 3431 ::= { ipsecPeerEntry 67 } 3432 3433 ipsecPeerType OBJECT-TYPE 3434 SYNTAX INTEGER { 3435 fixed(1), -- only one peer allowed for this entry 3436 dynamic-client(2) -- duplicated for each incoming client 3437 } 3438 MAX-ACCESS read-write 3439 STATUS current 3440 DESCRIPTION 3441 "The type of the peer. Dynamic peer entries are duplicated 3442 whenever an incoming IKE request matches the ID and/or 3443 address information of the remote side. 3444 Note: 3445 - For traffic list peers the duplication also includes the 3446 traffic list entries configured for this peer entry. 
3447 - For virtual interface peers, host routes will be added 3448 for the peer address automatically. 3449 Possible values: 3450 fixed(1), -- only one peer allowed for this entry 3451 dynamic-client(2) -- duplicated for each incoming client." 3452 DEFVAL { fixed } 3453 ::= { ipsecPeerEntry 73 } 3454 3455 ipsecPeerDynAddrPoolId OBJECT-TYPE 3456 SYNTAX INTEGER (-1..65535) 3457 MAX-ACCESS read-write 3458 STATUS current 3459 DESCRIPTION 3460 "Identifier of Dynamic Address Pool if IP address is 3461 assigned via IKE Configuration Method. 3462 A value of -1 means that no Pool is assigned." 3463 DEFVAL { -1 } 3464 ::= { ipsecPeerEntry 78 } 3465 3466 ipsecPeerDynAddrLocalIp OBJECT-TYPE 3467 SYNTAX IpAddress 3468 MAX-ACCESS read-write 3469 STATUS current 3470 DESCRIPTION 3471 "The local IP address used in the IKE communication 3472 when remote IP address is taken from IP address pool." 3473 ::= { ipsecPeerEntry 79 } 3474 3475 ipsecPeerXauthProfile OBJECT-TYPE 3476 SYNTAX Unsigned32 (0..4294967295) 3477 MAX-ACCESS read-write 3478 STATUS current 3479 DESCRIPTION 3480 "The index from the xauthProfileTable containing a special 3481 XAUTH profile to use for this peer. 3482 A value of 0 means that no XAUTH profile is assigned." 3483 DEFVAL { 0 } 3484 ::= { ipsecPeerEntry 80 } 3485 3486 ipsecPeerDynAddrRole OBJECT-TYPE 3487 SYNTAX INTEGER { 3488 none(1), -- no IP address assignment via IKE Config Mode 3489 client(2), -- get IP address via IKE Config Mode from remote 3490 server(3) -- assign IP address via IKE Config Mode to remote 3491 } 3492 MAX-ACCESS read-write 3493 STATUS current 3494 DESCRIPTION 3495 "Determines if IKE Config Mode is used and which role is performed: 3496 none(1), -- no IP address assignment via IKE Config Mode 3497 client(2), -- get IP address via IKE Config Mode from remote 3498 server(3) -- assign IP address via IKE Config Mode to remote 3499 3500 In server role ipsecPeerDynAddrPoolId defines IP address pool to 3501 use for address assignment to clients. 
If an invalid pool ID is 3502 configured, the peer is treated as if the role were 'none'. 3503 3504 Default is 'none', which means IKE Config Mode is not used at all." 3505 DEFVAL { none } 3506 ::= { ipsecPeerEntry 81 } 3507 3508 ipsecPeerIkeVersion OBJECT-TYPE 3509 SYNTAX INTEGER { 3510 ikev1(1), 3511 ikev2(2) 3512 } 3513 MAX-ACCESS read-write 3514 STATUS current 3515 DESCRIPTION 3516 "Indicates the major version of IKE protocol to use. If set to 3517 ikev1 the value of ipsecPeerIkeProfile is used as index into 3518 ikeProfileTable. If set to ikev2 the value of 3519 ipsecPeerIkeProfile is used as index into ikev2ProfileTable." 3520 DEFVAL { ikev1 } 3521 ::= { ipsecPeerEntry 82 } 3522 3523-- IKEv2 specific Peer parameters 3524 3525 ipsecPeerLocalId OBJECT-TYPE 3526 SYNTAX DisplayString 3527 MAX-ACCESS read-write 3528 STATUS current 3529 DESCRIPTION 3530 "The local ID used for authentication with this peer. 3531 Syntax: 3532 - X500 distinguished name: 3533 <obj-name=obj-value, obj-ID=obj-value, ...> 3534 - IPV4-Address: 3535 |123.456.789.012| with or without '|' 3536 - Key-ID: arbitrary string: 3537 {anything} 3538 - Fully-qualified RFC 822 email address string: 3539 (anything) or user@domain with mandatory '@' 3540 - Fully Qualified Domain Name (FQDN): 3541 [anything] or any name without '@' not matching any other 3542 syntax 3543 (only for IKEv2)." 3544 ::= { ipsecPeerEntry 83 } 3545 3546 ipsecPeerAuthMethod OBJECT-TYPE 3547 SYNTAX INTEGER { 3548 pre-sh-key(1), -- Authentication using pre shared keys 3549 dss-sig(2), -- Authentication using DSS signatures 3550 rsa-sig(3) -- Authentication using RSA signatures 3551 } 3552 MAX-ACCESS read-write 3553 STATUS current 3554 DESCRIPTION 3555 "This object specifies the authentication method used with this peer. 
3559 Possible values: 3560 pre-sh-key(1), -- Authentication using pre shared keys 3561 dss-sig(2), -- Authentication using DSS signatures 3562 rsa-sig(3) -- Authentication using RSA signatures 3563 (only for IKEv2)." 3564 ::= { ipsecPeerEntry 84 } 3565 3566 ipsecPeerCert OBJECT-TYPE 3567 SYNTAX INTEGER (0..32767) 3568 MAX-ACCESS read-write 3569 STATUS current 3570 DESCRIPTION 3571 "The index of the certificate used for authentication 3572 in the certTable. Ignored for AuthMethod == pre_shared_key. 3573 (only for IKEv2)." 3574 ::= { ipsecPeerEntry 85 } 3575 3576 ipsecPeerCaCerts OBJECT-TYPE 3577 SYNTAX DisplayString 3578 MAX-ACCESS read-write 3579 STATUS current 3580 DESCRIPTION 3581 "Receives a comma separated list with indices (0..32767) 3582 of special certificate authority certificates accepted 3583 for this profile. 3584 (only for IKEv2)." 3585 ::= { ipsecPeerEntry 86 } 3586 3587 ipsecPeerDynAddrMode OBJECT-TYPE 3588 SYNTAX INTEGER { 3589 pull(1), -- the client will request IP address and the gateway 3590 -- will answer the request 3591 push(2) -- the gateway will set IP address to the client and 3592 -- the client will accept or deny it 3593 } 3594 MAX-ACCESS read-write 3595 STATUS current 3596 DESCRIPTION 3597 "When IP address assignment via IKE Config Mode is configured 3598 (ipsecPeerDynAddrRole != none) this object specifies the used mode: 3599 pull(1), -- the client will request IP address and the gateway 3600 will answer the request 3601 push(2) -- the gateway will set IP address to the client and 3602 the client will accept or deny it 3603 3604 The ipsecPeerDynAddrMode value has to be the same for both sides of 3605 the tunnel. With default value 'pull' the peer (ipsecPeerDynAddrRole == 3606 client) will request IP address and the gateway (ipsecPeerDynAddrRole == 3607 server) will answer the request. 3608 The 'push' mode is needed for partner devices that require this mode. 3609 3610 This object matters only when ipsecPeerDynAddrRole != none." 
3611 DEFVAL { pull } 3612 ::= { ipsecPeerEntry 87 } 3613 3614 ipsecPeerMobike OBJECT-TYPE 3615 SYNTAX INTEGER { 3616 enabled(1), -- peer supports MOBIKE 3617 disabled(2) -- peer does not support MOBIKE 3618 } 3619 MAX-ACCESS read-write 3620 STATUS current 3621 DESCRIPTION 3622 "This object indicates whether the peer supports MOBIKE or not. 3623 An IP address change is only possible when both sides of a VPN 3624 connection support MOBIKE. 3625 Possible values: 3626 enabled(1), -- Peer supports MOBIKE and signals MOBIKE 3627 support by including a MOBIKE_SUPPORTED 3628 notification in the IKE_AUTH message. 3629 disabled(2) -- Peer does not support MOBIKE. 3630 (only for IKEv2)." 3631 DEFVAL { enabled } 3632 3633 ::= { ipsecPeerEntry 88 } 3634 3635 3636 ipsecPeerPublicIfIndex OBJECT-TYPE 3637 SYNTAX INTEGER 3638 MAX-ACCESS read-write 3639 STATUS current 3640 DESCRIPTION 3641 "The index value which uniquely identifies the physical interface 3642 that should be used for all ipsec traffic as initiator. 3643 When multiple equivalent routes to the given peer are available this 3644 is used as additional parameter for routing decisions. 3645 If set to -1 then normal routing is used. 3646 As responder the interface from the first received packet is used 3647 and therefore this index value is ignored." 3648 DEFVAL { -1 } 3649 ::= { ipsecPeerEntry 90 } 3650 3651 ipsecPeerPublicIfIndexMode OBJECT-TYPE 3652 SYNTAX INTEGER { 3653 force(1), -- the given interface is used, even if a route 3654 -- with lower metric is available. 3655 preferred(2) -- the given interface is used, if no route 3656 -- with lower metric is available. 3657 } 3658 MAX-ACCESS read-write 3659 STATUS current 3660 DESCRIPTION 3661 "This object defines the mode used in conjunction with 3662 ipsecPeerPublicIfIndex. 3663 force(1), -- the given interface is used, even if a route 3664 with lower metric is available. 3665 preferred(2) -- the given interface is used, if no route 3666 with lower metric is available. 
3667 This object matters only when ipsecPeerPublicIfIndex > 0." 3668 DEFVAL { force } 3669 ::= { ipsecPeerEntry 91 } 3670 3671-- End IPSec Peer Table 3672 3673 3674-- IKE IPSec Peer Status and Statistic Variables Table 3675 3676 ipsecPeerStatTable OBJECT-TYPE 3677 SYNTAX SEQUENCE OF IpsecPeerStatEntry 3678 MAX-ACCESS not-accessible 3679 STATUS current 3680 DESCRIPTION 3681 "This table contains the list of IPSec peers status and statistic variables." 3682 ::= { ipsec 28 } 3683 3684 ipsecPeerStatEntry OBJECT-TYPE 3685 SYNTAX IpsecPeerStatEntry 3686 MAX-ACCESS not-accessible 3687 STATUS current 3688 DESCRIPTION 3689 "This object contains the status and statistic variables of an IPSec peer." 3690 INDEX { 3691 ipsecPeerStatIndex 3692 } 3693 ::= { ipsecPeerStatTable 1 } 3694 3695 IpsecPeerStatEntry ::= 3696 SEQUENCE { 3697 ipsecPeerStatIndex INTEGER, 3698 ipsecPeerStatNextIndex INTEGER, 3699 ipsecPeerStatCaCerts DisplayString, 3700 ipsecPeerStatPeerAddress IpAddress, 3701 ipsecPeerStatLocalId DisplayString, 3702 ipsecPeerStatLocalCert INTEGER, 3703 ipsecPeerStatPublicInterface INTEGER, 3704 ipsecPeerStatIkeProposals INTEGER, 3705 ipsecPeerStatPfsIdentity INTEGER, 3706 ipsecPeerStatAuthMethod INTEGER, 3707 ipsecPeerStatIkeGroup INTEGER, 3708 ipsecPeerStatPfsGroup INTEGER, 3709 ipsecPeerStatPh1Mode INTEGER, 3710 ipsecPeerStatIkeLifeTime INTEGER, 3711 ipsecPeerStatIpsecLifeTime INTEGER, 3712 ipsecPeerStatKeepAlive INTEGER, 3713 ipsecPeerStatGranularity INTEGER, 3714 ipsecPeerStatDontVerifyPad INTEGER, 3715 ipsecPeerStatNoPmtuDiscovery INTEGER, 3716 ipsecPeerStatOperStatus INTEGER, 3717 ipsecPeerStatDefaultIpsecProposals INTEGER, 3718 ipsecPeerStatHeartbeat INTEGER, 3719 ipsecPeerStatTtl INTEGER, 3720 ipsecPeerStatCurrentLocalAddress IpAddress, 3721 ipsecPeerStatCurrentRemoteAddress IpAddress, 3722 ipsecPeerStatNumP1 INTEGER, 3723 ipsecPeerStatNumP1Negotiating INTEGER, 3724 ipsecPeerStatNumP1Established INTEGER, 3725 ipsecPeerStatNumP1Deleted INTEGER, 3726 
ipsecPeerStatNumBundles INTEGER, 3727 ipsecPeerStatNumBundlesNegotiating INTEGER, 3728 ipsecPeerStatNumBundlesEstablished INTEGER, 3729 ipsecPeerStatPh1LToken INTEGER, 3730 ipsecPeerStatPh1RToken INTEGER, 3731 ipsecPeerStatIsdnCBNextMode INTEGER, 3732 ipsecPeerStatNatDetect INTEGER, 3733 ipsecPeerStatNatTLocalPort INTEGER, 3734 ipsecPeerStatNatTRemotePort INTEGER, 3735 ipsecPeerStatMtu INTEGER, 3736 ipsecPeerStatRxIdle TimeTicks, 3737 ipsecPeerStatTxIdle TimeTicks, 3738 ipsecPeerStatDPD INTEGER, 3739 ipsecPeerStatDPDRetries INTEGER, 3740-- IKEv2 specific Peer parameters 3741 ipsecPeerStatNumIkeSas INTEGER, 3742 ipsecPeerStatNumIkeSasNegotiating INTEGER, 3743 ipsecPeerStatNumIkeSasEstablished INTEGER, 3744 ipsecPeerStatNumIkeSasDeleted INTEGER 3745 } 3746 3747 ipsecPeerStatIndex OBJECT-TYPE 3748 SYNTAX INTEGER 3749 MAX-ACCESS read-only 3750 STATUS current 3751 DESCRIPTION 3752 "A unique index identifying this entry." 3753 ::= { ipsecPeerStatEntry 1 } 3754 3755 3756 ipsecPeerStatNextIndex OBJECT-TYPE 3757 SYNTAX INTEGER 3758 MAX-ACCESS read-only 3759 STATUS current 3760 DESCRIPTION 3761 "The index of the next peer in hierarchy." 3762 ::= { ipsecPeerStatEntry 2 } 3763 3764 3765 ipsecPeerStatCaCerts OBJECT-TYPE 3766 SYNTAX DisplayString 3767 MAX-ACCESS read-only 3768 STATUS current 3769 DESCRIPTION 3770 "Receives a comma separated list with indices of optional 3771 certificate authority certificates accepted for this peer." 3772 ::= { ipsecPeerStatEntry 3 } 3773 3774 ipsecPeerStatPeerAddress OBJECT-TYPE 3775 SYNTAX IpAddress 3776 MAX-ACCESS read-only 3777 STATUS current 3778 DESCRIPTION 3779 "This object shows the fixed IP-address of the peer, if any." 3780 ::= { ipsecPeerStatEntry 4 } 3781 3782 ipsecPeerStatLocalId OBJECT-TYPE 3783 SYNTAX DisplayString 3784 MAX-ACCESS read-only 3785 STATUS current 3786 DESCRIPTION 3787 "The local ID used for authentication. 
3788 Syntax: 3789 - X500 distinguished name: 3790 <obj-name=obj-value, obj-ID=obj-value, ...> 3791 - IPV4-Address: 3792 |123.456.789.012| with or without '|' 3793 - IPV4 Address Range: 3794 |123.456.789.012-123.456.789.013| with or without '|' 3795 - IPV4 Address Subnet: 3796 |123.456.789.012/255.255.255.0| with or without '|' 3797 or: 3798 |123.456.789.012/24| with or without '|' 3799 - Key-ID: arbitrary length hexadecimal string 3800 with even number of digits: 3801 { 01 23 45 67 89 ab cd ef } 3802 - Fully Qualified User Name (FQUN): 3803 (anything) or user@domain with mandatory '@' 3804 - Fully Qualified Domain Name (FQDN): 3805 [anything] or any name without '@' not matching any other 3806 syntax 3807 The usage of this field is deprecated, use ikePrfLocalId now!" 3808 ::= { ipsecPeerStatEntry 5 } 3809 3810 ipsecPeerStatLocalCert OBJECT-TYPE 3811 SYNTAX INTEGER 3812 MAX-ACCESS read-only 3813 STATUS current 3814 DESCRIPTION 3815 "The index of the certificate used for local authentication 3816 in the certTable. Only useful for automatically keyed traffic 3817 with dsa or rsa authentication." 3818 ::= { ipsecPeerStatEntry 6 } 3819 3820 ipsecPeerStatPublicInterface OBJECT-TYPE 3821 SYNTAX INTEGER 3822 MAX-ACCESS read-only 3823 STATUS current 3824 DESCRIPTION 3825 "This object specifies the index of the public interface 3826 for which the traffic list assigned to this peer should be 3827 valid. 3828 If set to -1, the traffic list is valid for all interfaces. 3829 3830 If the traffic is routed via a different interface, 3831 no SA negotiation is performed and traffic may be unprotected 3832 unless there is another peer for the other interface." 3833 DEFVAL { -1 } 3834 ::= { ipsecPeerStatEntry 7 } 3835 3836 ipsecPeerStatIkeProposals OBJECT-TYPE 3837 SYNTAX INTEGER 3838 MAX-ACCESS read-only 3839 STATUS current 3840 DESCRIPTION 3841 "Index of default ike proposal used for peers with empty default 3842 ike proposal." 
3843 ::= { ipsecPeerStatEntry 8 } 3844 3845 ipsecPeerStatPfsIdentity OBJECT-TYPE 3846 SYNTAX INTEGER { 3847 true(1), -- delete phase 1 SAs 3848 false(2), -- do not delete phase 1 SAs 3849 default(3) -- use setting in ipsecGlobContDefaultPfsIdentity 3850 } 3851 MAX-ACCESS read-only 3852 STATUS current 3853 DESCRIPTION 3854 "This object specifies whether IKE SA's should be deleted 3855 immediately after a phase 2 (IPSec-) SA pair has been 3856 negotiated. 3857 It overrides the default setting ipsecGlobContDefaultPfsIdentity 3858 if not set to 'default'. 3859 The consequence of enabling this feature is that before each 3860 phase 2 negotiation there always has to be a phase 1 3861 negotiation. Thus individual phase 2 SAs cannot be 3862 associated with one another or, respectively, if the 3863 identity of a remote peer is known to an eavesdropper 3864 for one SA, he cannot conclude that the next SA is 3865 negotiated with the same remote peer. 3866 Note: Setting this flag only makes sense if configured 3867 together with id-protect mode or RSA encryption for 3868 authentication and if the IP address of the remote 3869 peer does not allow conclusions about its identity 3870 (i.e. dynamic remote peer addresses). 3871 Possible values: 3872 true(1), -- delete phase 1 SAs 3873 false(2), -- do not delete phase 1 SAs 3874 default(3) -- use setting in ipsecGlobContDefaultPfsIdentity." 
3875 DEFVAL { default } 3876 ::= { ipsecPeerStatEntry 9 } 3877 3878 ipsecPeerStatAuthMethod OBJECT-TYPE 3879 SYNTAX INTEGER { 3880 pre-sh-key(1), -- Authentication using pre shared keys 3881 dss-sig(2), -- Authentication using DSS signatures 3882 rsa-sig(3), -- Authentication using RSA signatures 3883 rsa-enc(4), -- Authentication using RSA encryption 3884 default(14), -- Use the default settings from the ikeProposalEntry 3885 -- used or the ipsecGlobDefaultAuthMethod 3886 delete(15) -- mark this entry for deletion 3887 } 3888 MAX-ACCESS read-only 3889 STATUS current 3890 DESCRIPTION 3891 "This object specifies the authentication method used for this peer. 3892 It overrides the setting in the IKE proposals used. 3893 Possible values: 3894 pre-sh-key(1), -- Authentication using pre shared keys 3895 dss-sig(2), -- Authentication using DSS signatures 3896 rsa-sig(3), -- Authentication using RSA signatures 3897 rsa-enc(4), -- Authentication using RSA encryption 3898 default(14), -- Use the setting from the ikeProposalEntry 3899 -- used or the ipsecGlobDefaultAuthMethod 3900 delete(15) -- mark this entry for deletion." 3901 DEFVAL { default } 3902 ::= { ipsecPeerStatEntry 10 } 3903 3904 ipsecPeerStatIkeGroup OBJECT-TYPE 3905 SYNTAX INTEGER 3906 MAX-ACCESS read-only 3907 STATUS current 3908 DESCRIPTION 3909 "This object specifies a special IKE group which is to be used 3910 for this peer only. It overrides the setting in the ikeProposal 3911 used. 3912 Possible values: 3913 0: use the value from the ikeProposal used 3914 1: a 768-bit MODP group 3915 2: a 1024-bit MODP group 3916 5: a 1536-bit MODP group" 3917 ::= { ipsecPeerStatEntry 11 } 3918 3919 ipsecPeerStatPfsGroup OBJECT-TYPE 3920 SYNTAX INTEGER 3921 MAX-ACCESS read-only 3922 STATUS current 3923 DESCRIPTION 3924 "The Diffie Hellman group used for additional Perfect 3925 Forward Secrecy (PFS) DH exponentiations. 
3926 Possible values: 3927 -1: explicitly do not use PFS 3928 (overrides ipsecGlob2DefaultPfsGroup), 3929 0: use default value from ipsecGlob2DefaultPfsGroup, 3930 1: a 768-bit MODP group, 3931 2: a 1024-bit MODP group, 3932 5: a 1536-bit MODP group." 3933 ::= { ipsecPeerStatEntry 12 } 3934 3935 ipsecPeerStatPh1Mode OBJECT-TYPE 3936 SYNTAX INTEGER { 3937 id-protect(1), -- Use identity protection (main) mode 3938 aggressive(2), -- Use aggressive mode 3939 default(3) -- Use default setting from the 3940 -- ipsecGlobalsTable 3941 } 3942 MAX-ACCESS read-only 3943 STATUS current 3944 DESCRIPTION 3945 "This object specifies the exchange mode used for IKE 3946 SA negotiation. 3947 Possible values: 3948 id-protect(1), -- Use identity protection (main) mode 3949 aggressive(2), -- Use aggressive mode 3950 default(3) -- Use default settings from the 3951 -- ipsecGlobalsTable." 3952 DEFVAL { default } 3953 ::= { ipsecPeerStatEntry 13 } 3954 3955 ipsecPeerStatIkeLifeTime OBJECT-TYPE 3956 SYNTAX INTEGER 3957 MAX-ACCESS read-only 3958 STATUS current 3959 DESCRIPTION 3960 "This object specifies an index in the ipsecLifeTimeTable with the 3961 lifetime settings to be used for IKE SA negotiation with this peer. 3962 It overrides the setting in the IKE proposal used. 3963 If the lifetime pointed to by this index does not exist or is 3964 inappropriate, the lifetime from the IKE proposal used is 3965 taken." 3966 ::= { ipsecPeerStatEntry 14 } 3967 3968 ipsecPeerStatIpsecLifeTime OBJECT-TYPE 3969 SYNTAX INTEGER 3970 MAX-ACCESS read-only 3971 STATUS current 3972 DESCRIPTION 3973 "This object specifies an index in the 3974 ipsecLifeTimeTable. This lifetime overwrites the 3975 lifetimes specified for all traffic entries and their 3976 proposals referenced by this peer entry. If the 3977 lifetime pointed to by this index does not exist or 3978 is inappropriate, the default lifetime from the 3979 ipsecGlobalsTable is used." 
3980 ::= { ipsecPeerStatEntry 15 } 3981 3982 ipsecPeerStatKeepAlive OBJECT-TYPE 3983 SYNTAX INTEGER { 3984 true(1), -- rekey SA's even if no data was transferred 3985 false(2) -- do not rekey SA's if no data was transferred 3986 } 3987 MAX-ACCESS read-only 3988 STATUS current 3989 DESCRIPTION 3990 "This object specifies whether IKE SA's with this peer 3991 are rekeyed even if there was no data transferred over 3992 them. 3993 Possible values: 3994 true(1), -- rekey SA's even if no data was transferred 3995 false(2) -- do not rekey SA's if no data was transferred." 3996 ::= { ipsecPeerStatEntry 16 } 3997 3998 ipsecPeerStatGranularity OBJECT-TYPE 3999 SYNTAX INTEGER { 4000 default(1), -- use the setting from the ipsecGlobalsTable 4001 coarse(2), -- Create only one SA for each Traffic entry 4002 ip(3), -- Create one SA for each host 4003 proto(4), -- Create one SA for each protocol and host 4004 port(5) -- Create one SA for each port and host 4005 } 4006 MAX-ACCESS read-only 4007 STATUS current 4008 DESCRIPTION 4009 "This object specifies the granularity with which SA's 4010 with this peer are created. 4011 Possible values: 4012 default(1), -- use the setting from the ipsecGlobalsTable 4013 coarse(2), -- Create only one SA for each Traffic entry 4014 ip(3), -- Create one SA for each host 4015 proto(4), -- Create one SA for each protocol and host 4016 port(5) -- Create one SA for each port and host." 4017 DEFVAL { default } 4018 ::= { ipsecPeerStatEntry 17 } 4019 4020 ipsecPeerStatDontVerifyPad OBJECT-TYPE 4021 SYNTAX INTEGER { 4022 false(1), -- normal, self-describing ESP padding 4023 true(2) -- old style ESP padding 4024 } 4025 MAX-ACCESS read-only 4026 STATUS current 4027 DESCRIPTION 4028 "This object is a compatibility option for older ipsec 4029 implementations. It enables or disables an old way of ESP 4030 padding (no self describing padding). 4031 Possible values: 4032 false(1), -- normal, self-describing ESP padding 4033 true(2) -- old style ESP padding." 
4034 ::= { ipsecPeerStatEntry 18 } 4035 4036 ipsecPeerStatNoPmtuDiscovery OBJECT-TYPE 4037 SYNTAX INTEGER { 4038 true(1), -- do not perform PMTU discovery 4039 false(2), -- perform PMTU discovery 4040 default(3)-- use default settings from 4041 -- ipsecGlobContNoPmtuDiscovery 4042 } 4043 MAX-ACCESS read-only 4044 STATUS current 4045 DESCRIPTION 4046 "This object specifies the PMTU discovery policy for this peer. 4047 Possible values: 4048 true(1), -- do not perform PMTU discovery 4049 false(2) -- perform PMTU discovery 4050 default(3)-- use default settings from 4051 -- ipsecGlobContNoPmtuDiscovery." 4052 DEFVAL { default } 4053 ::= { ipsecPeerStatEntry 19 } 4054 4055 ipsecPeerStatOperStatus OBJECT-TYPE 4056 SYNTAX INTEGER { 4057-- *** states as defined for ifOperStatus *** 4058 up(1), 4059 down(2), 4060-- testing(3), 4061-- unknown(4), 4062 dormant(5), 4063 blocked(6), 4064-- idle(32), 4065 awaiting-callback(33), 4066-- calling-back(34), 4067 ip-lookup(35), 4068 going-up(36), 4069 wait-if(37), 4070 wait-publish(38), 4071 wait-localip(39), 4072 going-up-trans(40) 4073 } 4074 MAX-ACCESS read-only 4075 STATUS current 4076 DESCRIPTION 4077 "Peer operational state." 4078 DEFVAL { dormant } 4079 ::= { ipsecPeerStatEntry 20 } 4080 4081 ipsecPeerStatDefaultIpsecProposals OBJECT-TYPE 4082 SYNTAX INTEGER 4083 MAX-ACCESS read-only 4084 STATUS current 4085 DESCRIPTION 4086 "The index of the default IPSec proposal used for 4087 encrypting all the traffic bound to the (optional) 4088 logical interface created for this peer." 
4089 ::= { ipsecPeerStatEntry 21 } 4090 4091 ipsecPeerStatHeartbeat OBJECT-TYPE 4092 SYNTAX INTEGER { 4093 none(1), -- neither send nor expect heartbeats 4094 expect(2), -- expect heartbeats 4095 send(3), -- send heartbeats 4096 both(4), -- send and expect heartbeats 4097 default(5) -- use setting from 4098 -- ipsecGlobContHeartbeatDefault 4099 } 4100 MAX-ACCESS read-only 4101 STATUS current 4102 DESCRIPTION 4103 "This object specifies whether heartbeats should be sent 4104 over phase 1 SAs for this peer. 4105 Possible values: 4106 none(1), -- neither send nor expect heartbeats 4107 expect(2), -- expect heartbeats 4108 send(3), -- send heartbeats 4109 both(4), -- send and expect heartbeats 4110 default(5) -- use setting from 4111 -- ipsecGlobContHeartbeatDefault." 4112 DEFVAL { default } 4113 ::= { ipsecPeerStatEntry 22 } 4114 4115 ipsecPeerStatTtl OBJECT-TYPE 4116 SYNTAX INTEGER 4117 MAX-ACCESS read-only 4118 STATUS current 4119 DESCRIPTION 4120 "This object shows the maximum period of time in seconds 4121 the peer will remain in the current state." 4122 ::= { ipsecPeerStatEntry 23 } 4123 4124 ipsecPeerStatCurrentLocalAddress OBJECT-TYPE 4125 SYNTAX IpAddress 4126 MAX-ACCESS read-only 4127 STATUS current 4128 DESCRIPTION 4129 "The currently used local IP-address for this peer." 4130 ::= { ipsecPeerStatEntry 24 } 4131 4132 ipsecPeerStatCurrentRemoteAddress OBJECT-TYPE 4133 SYNTAX IpAddress 4134 MAX-ACCESS read-only 4135 STATUS current 4136 DESCRIPTION 4137 "The currently known remote IP-address of this peer." 4138 ::= { ipsecPeerStatEntry 25 } 4139 4140 ipsecPeerStatNumP1 OBJECT-TYPE 4141 SYNTAX INTEGER 4142 MAX-ACCESS read-only 4143 STATUS current 4144 DESCRIPTION 4145 "The number of current IKE SAs for this peer." 4146 ::= { ipsecPeerStatEntry 26 } 4147 4148 ipsecPeerStatNumP1Negotiating OBJECT-TYPE 4149 SYNTAX INTEGER 4150 MAX-ACCESS read-only 4151 STATUS current 4152 DESCRIPTION 4153 "The number of current IKE SAs in state 'negotiating' 4154 for this peer." 
4155 ::= { ipsecPeerStatEntry 27 } 4156 4157 ipsecPeerStatNumP1Established OBJECT-TYPE 4158 SYNTAX INTEGER 4159 MAX-ACCESS read-only 4160 STATUS current 4161 DESCRIPTION 4162 "The number of current IKE SAs in state 'established' 4163 for this peer." 4164 ::= { ipsecPeerStatEntry 28 } 4165 4166 ipsecPeerStatNumP1Deleted OBJECT-TYPE 4167 SYNTAX INTEGER 4168 MAX-ACCESS read-only 4169 STATUS current 4170 DESCRIPTION 4171 "The number of current IKE SAs in state 'waiting_for_remove' 4172 for this peer." 4173 ::= { ipsecPeerStatEntry 29 } 4174 4175 ipsecPeerStatNumBundles OBJECT-TYPE 4176 SYNTAX INTEGER 4177 MAX-ACCESS read-only 4178 STATUS current 4179 DESCRIPTION 4180 "The number of current IPSec SA bundles for this peer." 4181 ::= { ipsecPeerStatEntry 30 } 4182 4183 ipsecPeerStatNumBundlesNegotiating OBJECT-TYPE 4184 SYNTAX INTEGER 4185 MAX-ACCESS read-only 4186 STATUS current 4187 DESCRIPTION 4188 "The number of current IPSec SA bundles in state 'negotiating' for this peer." 4189 ::= { ipsecPeerStatEntry 31 } 4190 4191 ipsecPeerStatNumBundlesEstablished OBJECT-TYPE 4192 SYNTAX INTEGER 4193 MAX-ACCESS read-only 4194 STATUS current 4195 DESCRIPTION 4196 "The number of current IPSec SA bundles in state 'established' 4197 for this peer." 4198 ::= { ipsecPeerStatEntry 32 } 4199 4200 ipsecPeerStatPh1LToken OBJECT-TYPE 4201 SYNTAX INTEGER (0..65535) 4202 MAX-ACCESS read-only 4203 STATUS current 4204 DESCRIPTION 4205 "Locally generated token that must be used by the triggered peer 4206 upon call back." 4207 ::= { ipsecPeerStatEntry 33 } 4208 4209 ipsecPeerStatPh1RToken OBJECT-TYPE 4210 SYNTAX INTEGER (0..65535) 4211 MAX-ACCESS read-only 4212 STATUS current 4213 DESCRIPTION 4214 "Remotely generated token which must be used during phase one 4215 of IPsec connection establishment." 
4216 ::= { ipsecPeerStatEntry 34 } 4217 4218 ipsecPeerStatIsdnCBNextMode OBJECT-TYPE 4219 SYNTAX INTEGER { 4220 unknown(1), 4221 d-llc(2), 4222 d-subaddr(3), 4223 d-llc-subaddr(4), 4224 b(5) 4225 } 4226 MAX-ACCESS read-only 4227 STATUS current 4228 DESCRIPTION 4229 "Define callback mode that is to be tried next. 4230 The following modes are defined: 4231 unknown(1) -- still unset, derive it from other 4232 settings 4233 d-llc(2) -- use D channel mode with LLC next 4234 d-subaddr(3) -- use D channel mode with SUBADDR next 4235 d-llc-subaddr(4) -- use D channel mode with LLC and 4236 SUBADDR next 4237 b(5) -- use B channel mode next 4238 4239 Default value for that variable is unknown(1)." 4240 DEFVAL { unknown } 4241 ::= { ipsecPeerStatEntry 35 } 4242 4243 ipsecPeerStatNatDetect OBJECT-TYPE 4244 SYNTAX INTEGER { 4245 local(1), -- local NAT detected 4246 remote(2), -- remote NAT detected 4247 both(3), -- local and remote NAT detected 4248 none(4), -- no NAT present 4249 unknown(8) -- NAT detection not finished 4250 } 4251 MAX-ACCESS read-only 4252 STATUS current 4253 DESCRIPTION 4254 "The latest result of the NAT detection performed with the peer. 4255 Possible values: 4256 local(1), -- local NAT detected 4257 remote(2), -- remote NAT detected 4258 both(3), -- local and remote NAT detected 4259 none(4), -- no NAT present 4260 unknown(8) -- NAT detection not performed or not finished." 4261 ::= { ipsecPeerStatEntry 36 } 4262 4263 ipsecPeerStatNatTLocalPort OBJECT-TYPE 4264 SYNTAX INTEGER (0..65535) 4265 MAX-ACCESS read-only 4266 STATUS current 4267 DESCRIPTION 4268 "The local port currently used for NAT-T IKE and ESP SAs 4269 with this Peer." 4270 ::= { ipsecPeerStatEntry 37 } 4271 4272 ipsecPeerStatNatTRemotePort OBJECT-TYPE 4273 SYNTAX INTEGER (0..65535) 4274 MAX-ACCESS read-only 4275 STATUS current 4276 DESCRIPTION 4277 "The remote port currently used for NAT-T IKE and ESP SAs 4278 with this Peer." 
4279 ::= { ipsecPeerStatEntry 38 } 4280 4281 ipsecPeerStatMtu OBJECT-TYPE 4282 SYNTAX INTEGER (0..65535) 4283 MAX-ACCESS read-only 4284 STATUS current 4285 DESCRIPTION 4286 "The current MTU of this peer. This value is copied to ifMtu if 4287 ipsecPeerVirtualInterface is set to enabled." 4288 DEFVAL { 1418 } 4289 ::= { ipsecPeerStatEntry 39 } 4290 4291 ipsecPeerStatRxIdle OBJECT-TYPE 4292 SYNTAX TimeTicks 4293 MAX-ACCESS read-only 4294 STATUS current 4295 DESCRIPTION 4296 "The time period for which no packet has been received 4297 from this peer." 4298 ::= { ipsecPeerStatEntry 40 } 4299 4300 ipsecPeerStatTxIdle OBJECT-TYPE 4301 SYNTAX TimeTicks 4302 MAX-ACCESS read-only 4303 STATUS current 4304 DESCRIPTION 4305 "The time period for which no packet has been transmitted 4306 to this peer." 4307 ::= { ipsecPeerStatEntry 41 } 4308 4309 ipsecPeerStatDPD OBJECT-TYPE 4310 SYNTAX INTEGER { 4311 none(1), -- DPD not active 4312 v1(2), -- DPD Version 1 active 4313 v1-idle(3), -- DPD Version 1 in idle mode active 4314 ikev2(4) -- IKEv2 INFORMATIONAL exchanges active 4315 } 4316 MAX-ACCESS read-only 4317 STATUS current 4318 DESCRIPTION 4319 "The type of Dead Peer Detection (DPD) currently active 4320 for this peer. 4321 Possible values: 4322 none(1) -- DPD not active 4323 v1(2) -- DPD Version 1 active 4324 v1-idle(3) -- DPD Version 1 in idle mode active 4325 ikev2(4) -- IKEv2 INFORMATIONAL exchanges active." 4326 DEFVAL { none } 4327 ::= { ipsecPeerStatEntry 42 } 4328 4329 ipsecPeerStatDPDRetries OBJECT-TYPE 4330 SYNTAX INTEGER 4331 MAX-ACCESS read-only 4332 STATUS current 4333 DESCRIPTION 4334 "The number of DPD retries currently sent without reply." 4335 ::= { ipsecPeerStatEntry 43 } 4336 4337 ipsecPeerStatNumIkeSas OBJECT-TYPE 4338 SYNTAX INTEGER 4339 MAX-ACCESS read-only 4340 STATUS current 4341 DESCRIPTION 4342 "The number of current IKE SAs for this peer (only for IKEv2)."
4343 ::= { ipsecPeerStatEntry 44 } 4344 4345 ipsecPeerStatNumIkeSasNegotiating OBJECT-TYPE 4346 SYNTAX INTEGER 4347 MAX-ACCESS read-only 4348 STATUS current 4349 DESCRIPTION 4350 "The number of current IKE SAs in state 'negotiating' 4351 for this peer (only for IKEv2)." 4352 ::= { ipsecPeerStatEntry 45 } 4353 4354 ipsecPeerStatNumIkeSasEstablished OBJECT-TYPE 4355 SYNTAX INTEGER 4356 MAX-ACCESS read-only 4357 STATUS current 4358 DESCRIPTION 4359 "The number of current IKE SAs in state 'established' 4360 for this peer (only for IKEv2)." 4361 ::= { ipsecPeerStatEntry 46 } 4362 4363 ipsecPeerStatNumIkeSasDeleted OBJECT-TYPE 4364 SYNTAX INTEGER 4365 MAX-ACCESS read-only 4366 STATUS current 4367 DESCRIPTION 4368 "The number of current IKE SAs in state 'waiting_for_remove' 4369 for this peer (only for IKEv2)." 4370 ::= { ipsecPeerStatEntry 47 } 4371 4372 4373-- End IPSec Peer Status and Statistic Variables Table 4374 4375 4376-- IKE Proposal Table 4377 4378 ikeProposalTable OBJECT-TYPE 4379 SYNTAX SEQUENCE OF IkeProposalEntry 4380 MAX-ACCESS not-accessible 4381 STATUS current 4382 DESCRIPTION 4383 "This table contains the list of IKE proposals. The 4384 entries may be concatenated on a logical OR basis 4385 using the NextChoice field to form choices of multiple 4386 proposals." 4387 ::= { ipsec 6 } 4388 4389 ikeProposalEntry OBJECT-TYPE 4390 SYNTAX IkeProposalEntry 4391 MAX-ACCESS not-accessible 4392 STATUS current 4393 DESCRIPTION 4394 "This object contains an IKE proposal, i.e. the 4395 encryption algorithm and the hash algorithm used to 4396 protect traffic sent over an IKE SA."
4397 INDEX { 4398 ikePropEncAlg 4399 } 4400 ::= { ikeProposalTable 1 } 4401 4402 IkeProposalEntry ::= 4403 SEQUENCE { 4404 ikePropIndex INTEGER, 4405 ikePropNextChoice INTEGER, 4406 ikePropDescription DisplayString, 4407 ikePropEncAlg INTEGER, 4408 ikePropHashAlg INTEGER, 4409 ikePropGroup INTEGER, 4410 ikePropAuthMethod INTEGER, 4411 ikePropEncKeySize INTEGER, 4412 ikePropEncKeySizeMin INTEGER, 4413 ikePropEncKeySizeMax INTEGER 4414 } 4415 4416 4417 ikePropIndex OBJECT-TYPE 4418 SYNTAX INTEGER 4419 MAX-ACCESS read-only 4420 STATUS current 4421 DESCRIPTION 4422 "A unique index identifying this entry." 4423 ::= { ikeProposalEntry 1 } 4424 4425 ikePropNextChoice OBJECT-TYPE 4426 SYNTAX INTEGER 4427 MAX-ACCESS read-write 4428 STATUS current 4429 DESCRIPTION 4430 "This object specifies the index of the next proposal 4431 of a choice of proposals. If this object is 0, this 4432 marks the end of a proposal chain." 4433 ::= { ikeProposalEntry 2 } 4434 4435 4436 ikePropDescription OBJECT-TYPE 4437 SYNTAX DisplayString 4438 MAX-ACCESS read-write 4439 STATUS current 4440 DESCRIPTION 4441 "An optional textual description of the proposal chain 4442 beginning at this entry." 4443 ::= { ikeProposalEntry 3 } 4444 4445 4446 ikePropEncAlg OBJECT-TYPE 4447 SYNTAX INTEGER { 4448 none(1), -- No encryption applied 4449 des-cbc(2), -- DES in CBC mode 4450 des3-cbc(3), -- Triple DES in CBC mode 4451 blowfish-cbc(4),-- Blowfish in CBC mode 4452 cast128-cbc(5), -- CAST in CBC mode with 128 bit key 4453 twofish-cbc(6), -- Twofish in CBC mode 4454 aes-cbc(7), -- AES in CBC mode 4455 rijndael-cbc(31) -- rijndael (former name for AES) 4456 } 4457 MAX-ACCESS read-write 4458 STATUS current 4459 DESCRIPTION 4460 "This object specifies the encryption algorithm used 4461 to protect traffic sent over an IKE SA. 
4462 Possible values: 4463 none(1), -- No encryption applied 4464 des-cbc(2), -- DES in CBC mode 4465 des3-cbc(3), -- Triple DES in CBC mode 4466 blowfish-cbc(4), -- Blowfish in CBC mode 4467 cast128-cbc(5) -- CAST in CBC mode with 128 bit key 4468 twofish-cbc(6), -- Twofish in CBC mode 4469 aes-cbc(7), -- AES in CBC mode 4470 rijndael-cbc(31) -- rijndael (former name for AES)." 4471 DEFVAL { aes-cbc } 4472 ::= { ikeProposalEntry 4 } 4473 4474 4475 ikePropHashAlg OBJECT-TYPE 4476 SYNTAX INTEGER { 4477 delete(1), -- Delete this entry 4478 none(2), -- No hash algorithm 4479 md5(3), -- The MD5 hash algorithm 4480 sha1(4), -- The Secure Hash Algorithm 4481 ripemd160(5), -- The RipeMD160 Hash Algorithm 4482 tiger192(6) -- The Tiger Hash Algorithm 4483 } 4484 MAX-ACCESS read-write 4485 STATUS current 4486 DESCRIPTION 4487 "This object specifies the hash algorithm used to 4488 protect traffic sent over an IKE SA. 4489 Possible values: 4490 delete(1), -- Delete this entry 4491 none(2), -- No hash algorithm 4492 md5(3), -- The MD5 hash algorithm 4493 sha1(4), -- The Secure Hash Algorithm 4494 ripemd160(5),-- The RipeMD160 Hash Algorithm 4495 tiger192(6) -- The Tiger Hash Algorithm." 4496 DEFVAL { ripemd160 } 4497 ::= { ikeProposalEntry 5 } 4498 4499 4500 ikePropGroup OBJECT-TYPE 4501 SYNTAX INTEGER 4502 MAX-ACCESS read-write 4503 STATUS current 4504 DESCRIPTION 4505 "Index of the IKE group used with this proposal. 4506 It may be overridden by a valid IKE group index of an IPSec peer 4507 or in ipsecGlobDefaultIkeGroup. 4508 Possible values: 4509 0 (use default setting in ipsecPeerIkeGroup 4510 or ipsecGlobDefaultIkeGroup), 4511 1 (768 bit MODP), 4512 2 (1024 bit MODP), 4513 5 (1536 bit MODP)." 
4514 DEFVAL { 2 } 4515 ::= { ikeProposalEntry 7 } 4516 4517 4518 ikePropAuthMethod OBJECT-TYPE 4519 SYNTAX INTEGER { 4520 pre-sh-key(1), -- Authentication using pre shared keys 4521 dss-sig(2), -- Authentication using DSS signatures 4522 rsa-sig(3), -- Authentication using RSA signatures 4523 rsa-enc(4), -- Authentication using RSA encryption 4524 default(33) -- Use default authentication method 4525 } 4526 MAX-ACCESS read-write 4527 STATUS current 4528 DESCRIPTION 4529 "This object specifies the authentication method used with this 4530 proposal. 4531 It may be overridden by the setting in the ipsecPeerEntry table. 4532 If set to 'default' the value in ipsecGlobDefaultAuthMethod is used. 4533 Possible values: 4534 pre-sh-key(1), -- Authentication using pre shared keys 4535 dss-sig(2), -- Authentication using DSS signatures 4536 rsa-sig(3), -- Authentication using RSA signatures 4537 rsa-enc(4), -- Authentication using RSA encryption 4538 default(33) -- Use default authentication method." 4539 DEFVAL { default } 4540 ::= { ikeProposalEntry 8 } 4541 4542 4543 ikePropEncKeySize OBJECT-TYPE 4544 SYNTAX INTEGER (0..2048) 4545 UNITS "bits" 4546 MAX-ACCESS read-write 4547 STATUS current 4548 DESCRIPTION 4549 "This object specifies the encryption key size used with this 4550 proposal. The limits for the individual algorithms can be seen 4551 in the ipsecAlgorithmTable. 4552 If a length outside the limits for the specified algorithm is 4553 specified, it is reset to the max/min value possible." 4554 ::= { ikeProposalEntry 9 } 4555 4556 ikePropEncKeySizeMin OBJECT-TYPE 4557 SYNTAX INTEGER (0..2048) 4558 UNITS "bits" 4559 MAX-ACCESS read-write 4560 STATUS current 4561 DESCRIPTION 4562 "This object specifies the minimum encryption key size accepted 4563 with this proposal. 4564 The limits for the individual algorithms can be seen in the 4565 ipsecAlgorithmTable.
4566 If a length outside the limits for the specified algorithm is 4567 specified, it is reset to the max/min value possible." 4568 ::= { ikeProposalEntry 10 } 4569 4570 ikePropEncKeySizeMax OBJECT-TYPE 4571 SYNTAX INTEGER (0..2048) 4572 UNITS "bits" 4573 MAX-ACCESS read-write 4574 STATUS current 4575 DESCRIPTION 4576 "This object specifies the maximum encryption key size accepted 4577 with this proposal. 4578 The limits for the individual algorithms can be seen in the 4579 ipsecAlgorithmTable. 4580 If a length outside the limits for the specified algorithm is 4581 specified, it is reset to the max/min value possible." 4582 ::= { ikeProposalEntry 11 } 4583 4584-- End IKE Proposal Table 4585 4586 4587-- IPSec Traffic Table 4588 4589 ipsecTrafficTable OBJECT-TYPE 4590 SYNTAX SEQUENCE OF IpsecTrafficEntry 4591 MAX-ACCESS not-accessible 4592 STATUS current 4593 DESCRIPTION 4594 "This table contains lists of Traffic and the actions 4595 which should be applied to it, together with the 4596 necessary parameters." 4597 ::= { ipsec 7 } 4598 4599 ipsecTrafficEntry OBJECT-TYPE 4600 SYNTAX IpsecTrafficEntry 4601 MAX-ACCESS not-accessible 4602 STATUS current 4603 DESCRIPTION 4604 "This object contains a description of a type of IP 4605 traffic and the action which should be applied to it 4606 together with the necessary parameters." 
4607 INDEX { 4608 ipsecTrProto 4609 } 4610 ::= { ipsecTrafficTable 1 } 4611 4612 IpsecTrafficEntry ::= 4613 SEQUENCE { 4614 ipsecTrIndex INTEGER, 4615 ipsecTrNextIndex INTEGER, 4616 ipsecTrDescription DisplayString, 4617 ipsecTrLocalAddressType INTEGER, 4618 ipsecTrLocalAddress IpAddress, 4619 ipsecTrLocalMaskLen INTEGER, 4620 ipsecTrLocalRange IpAddress, 4621 ipsecTrRemoteAddressType INTEGER, 4622 ipsecTrRemoteAddress IpAddress, 4623 ipsecTrRemoteMaskLen INTEGER, 4624 ipsecTrRemoteRange IpAddress, 4625 ipsecTrProto INTEGER, 4626 ipsecTrLocalPort INTEGER, 4627 ipsecTrRemotePort INTEGER, 4628 ipsecTrAction INTEGER, 4629 ipsecTrProposal INTEGER, 4630 ipsecTrForceTunnelMode INTEGER, 4631 ipsecTrLifeTime INTEGER, 4632 ipsecTrGranularity INTEGER, 4633 ipsecTrKeepAlive INTEGER, 4634 ipsecTrProfile INTEGER, 4635 ipsecTrInterface INTEGER, 4636 ipsecTrDirection INTEGER, 4637 ipsecTrCreator INTEGER 4638 } 4639 4640 ipsecTrIndex OBJECT-TYPE 4641 SYNTAX INTEGER 4642 MAX-ACCESS read-only 4643 STATUS current 4644 DESCRIPTION 4645 "A unique index identifying this entry." 4646 ::= { ipsecTrafficEntry 1 } 4647 4648 ipsecTrNextIndex OBJECT-TYPE 4649 SYNTAX INTEGER 4650 MAX-ACCESS read-write 4651 STATUS current 4652 DESCRIPTION 4653 "This object specifies the index of the next traffic 4654 entry in hierarchy." 4655 ::= { ipsecTrafficEntry 2 } 4656 4657 4658 ipsecTrDescription OBJECT-TYPE 4659 SYNTAX DisplayString 4660 MAX-ACCESS read-write 4661 STATUS current 4662 DESCRIPTION 4663 "An optional human readable description for this traffic entry." 4664 ::= { ipsecTrafficEntry 3 } 4665 4666 4667 ipsecTrLocalAddressType OBJECT-TYPE 4668 SYNTAX INTEGER { 4669 fixed(1), -- fixed address 4670 ph1(2) -- own dynamic phase 1 address 4671 } 4672 MAX-ACCESS read-write 4673 STATUS current 4674 DESCRIPTION 4675 "The type of the local address specification. 4676 This may be either a statically configured address or a 4677 dynamic address which is taken from some state information." 
4678 DEFVAL { fixed } 4679 ::= { ipsecTrafficEntry 21 } 4680 4681 4682 ipsecTrLocalAddress OBJECT-TYPE 4683 SYNTAX IpAddress 4684 MAX-ACCESS read-write 4685 STATUS current 4686 DESCRIPTION 4687 "The source IP-address of this traffic entry. It may be 4688 either a single address, a network address (in 4689 combination with ipsecTrSrcMask), or the first address 4690 of an address range (in combination with 4691 ipsecTrLocalRange)." 4692 ::= { ipsecTrafficEntry 4 } 4693 4694 4695 ipsecTrLocalMaskLen OBJECT-TYPE 4696 SYNTAX INTEGER 4697 MAX-ACCESS read-write 4698 STATUS current 4699 DESCRIPTION 4700 "The length of the network mask for a source network." 4701 ::= { ipsecTrafficEntry 5 } 4702 4703 4704 ipsecTrLocalRange OBJECT-TYPE 4705 SYNTAX IpAddress 4706 MAX-ACCESS read-write 4707 STATUS current 4708 DESCRIPTION 4709 "The last address of a source address range. If this 4710 field is nonzero, the ipsecTrLocalMaskLen field is 4711 ignored and the source is considered as a range of 4712 addresses beginning with ipsecTrLocalAddress and ending 4713 with ipsecTrLocalRange." 4714 ::= { ipsecTrafficEntry 6 } 4715 4716 4717 ipsecTrRemoteAddressType OBJECT-TYPE 4718 SYNTAX INTEGER { 4719 fixed(1), -- fixed address 4720 ph1(2), -- remote dynamic phase 1 address 4721 dhcp(3) -- remote ip address retrieved via DHCP 4722 } 4723 MAX-ACCESS read-write 4724 STATUS current 4725 DESCRIPTION 4726 "The type of the remote address specification. 4727 This may be either a statically configured address or a 4728 dynamic address which is taken from some state information." 4729 DEFVAL { fixed } 4730 ::= { ipsecTrafficEntry 22 } 4731 4732 4733 ipsecTrRemoteAddress OBJECT-TYPE 4734 SYNTAX IpAddress 4735 MAX-ACCESS read-write 4736 STATUS current 4737 DESCRIPTION 4738 "The destination IP-address of this traffic entry.
It may be 4739 either a single address, a network address (in 4740 combination with ipsecTrDstMask), or the first address 4741 of an address range (in combination with 4742 ipsecTrRemoteRange)." 4743 ::= { ipsecTrafficEntry 7 } 4744 4745 4746 ipsecTrRemoteMaskLen OBJECT-TYPE 4747 SYNTAX INTEGER 4748 MAX-ACCESS read-write 4749 STATUS current 4750 DESCRIPTION 4751 "The length of the network mask for a destination network." 4752 ::= { ipsecTrafficEntry 8 } 4753 4754 4755 ipsecTrRemoteRange OBJECT-TYPE 4756 SYNTAX IpAddress 4757 MAX-ACCESS read-write 4758 STATUS current 4759 DESCRIPTION 4760 "The last address of a destination address range. If 4761 this field is nonzero, the ipsecTrRemoteMaskLen field is 4762 ignored and the destination is considered as a range of 4763 addresses beginning with ipsecTrRemoteAddress and ending 4764 with ipsecTrRemoteRange." 4765 ::= { ipsecTrafficEntry 9 } 4766 4767 4768 ipsecTrProto OBJECT-TYPE 4769 SYNTAX INTEGER { 4770 icmp(1), 4771 igmp(2), 4772 ggp(3), 4773 ipip(4), 4774 st(5), 4775 tcp(6), 4776 cbt(7), 4777 egp(8), 4778 igp(9), 4779 bbn(10), 4780 nvp(11), 4781 pup(12), 4782 argus(13), 4783 emcon(14), 4784 xnet(15), 4785 chaos(16), 4786 udp(17), 4787 mux(18), 4788 dcn(19), 4789 hmp(20), 4790 prm(21), 4791 xns(22), 4792 trunk1(23), 4793 trunk2(24), 4794 leaf1(25), 4795 leaf2(26), 4796 rdp(27), 4797 irtp(28), 4798 isotp4(29), 4799 netblt(30), 4800 mfe(31), 4801 merit(32), 4802 sep(33), 4803 pc3(34), 4804 idpr(35), 4805 xtp(36), 4806 ddp(37), 4807 idprc(38), 4808 tp(39), 4809 il(40), 4810 ipv6(41), 4811 sdrp(42), 4812 ipv6route(43), 4813 ipv6frag(44), 4814 idrp(45), 4815 rsvp(46), 4816 gre(47), 4817 mhrp(48), 4818 bna(49), 4819 esp(50), 4820 ah(51), 4821 inlsp(52), 4822 swipe(53), 4823 narp(54), 4824 mobile(55), 4825 tlsp(56), 4826 skip(57), 4827 ipv6icmp(58), 4828 ipv6nonxt(59), 4829 ipv6opts(60), 4830 ipproto-61(61), 4831 cftp(62), 4832 local(63), 4833 sat(64), 4834 kryptolan(65), 4835 rvd(66), 4836 ippc(67), 4837 distfs(68), 4838
satmon(69), 4839 visa(70), 4840 ipcv(71), 4841 cpnx(72), 4842 cphb(73), 4843 wsn(74), 4844 pvp(75), 4845 brsatmon(76), 4846 sunnd(77), 4847 wbmon(78), 4848 wbexpak(79), 4849 isoip(80), 4850 vmtp(81), 4851 securevmtp(82), 4852 vines(83), 4853 ttp(84), 4854 nsfnet(85), 4855 dgp(86), 4856 tcf(87), 4857 eigrp(88), 4858 ospfigp(89), 4859 sprite(90), 4860 larp(91), 4861 mtp(92), 4862 ax25(93), 4863 ipwip(94), 4864 micp(95), 4865 scc(96), 4866 etherip(97), 4867 encap(98), 4868 encrypt(99), 4869 gmtp(100), 4870 ifmp(101), 4871 pnni(102), 4872 pim(103), 4873 aris(104), 4874 scps(105), 4875 qnx(106), 4876 an(107), 4877 ippcp(108), 4878 snp(109), 4879 compaq(110), 4880 ipxip(111), 4881 vrrp(112), 4882 pgm(113), 4883 hop0(114), 4884 l2tp(115), 4885 ipproto-116(116), 4886 ipproto-117(117), 4887 ipproto-118(118), 4888 ipproto-119(119), 4889 ipproto-120(120), 4890 ipproto-121(121), 4891 ipproto-122(122), 4892 ipproto-123(123), 4893 ipproto-124(124), 4894 ipproto-125(125), 4895 ipproto-126(126), 4896 ipproto-127(127), 4897 ipproto-128(128), 4898 ipproto-129(129), 4899 ipproto-130(130), 4900 ipproto-131(131), 4901 ipproto-132(132), 4902 ipproto-133(133), 4903 ipproto-134(134), 4904 ipproto-135(135), 4905 ipproto-136(136), 4906 ipproto-137(137), 4907 ipproto-138(138), 4908 ipproto-139(139), 4909 ipproto-140(140), 4910 ipproto-141(141), 4911 ipproto-142(142), 4912 ipproto-143(143), 4913 ipproto-144(144), 4914 ipproto-145(145), 4915 ipproto-146(146), 4916 ipproto-147(147), 4917 ipproto-148(148), 4918 ipproto-149(149), 4919 ipproto-150(150), 4920 ipproto-151(151), 4921 ipproto-152(152), 4922 ipproto-153(153), 4923 ipproto-154(154), 4924 ipproto-155(155), 4925 ipproto-156(156), 4926 ipproto-157(157), 4927 ipproto-158(158), 4928 ipproto-159(159), 4929 ipproto-160(160), 4930 ipproto-161(161), 4931 ipproto-162(162), 4932 ipproto-163(163), 4933 ipproto-164(164), 4934 ipproto-165(165), 4935 ipproto-166(166), 4936 ipproto-167(167), 4937 ipproto-168(168), 4938 ipproto-169(169), 4939 
ipproto-170(170), 4940 ipproto-171(171), 4941 ipproto-172(172), 4942 ipproto-173(173), 4943 ipproto-174(174), 4944 ipproto-175(175), 4945 ipproto-176(176), 4946 ipproto-177(177), 4947 ipproto-178(178), 4948 ipproto-179(179), 4949 ipproto-180(180), 4950 ipproto-181(181), 4951 ipproto-182(182), 4952 ipproto-183(183), 4953 ipproto-184(184), 4954 ipproto-185(185), 4955 ipproto-186(186), 4956 ipproto-187(187), 4957 ipproto-188(188), 4958 ipproto-189(189), 4959 ipproto-190(190), 4960 ipproto-191(191), 4961 ipproto-192(192), 4962 ipproto-193(193), 4963 ipproto-194(194), 4964 ipproto-195(195), 4965 ipproto-196(196), 4966 ipproto-197(197), 4967 ipproto-198(198), 4968 ipproto-199(199), 4969 ipproto-200(200), 4970 ipproto-201(201), 4971 ipproto-202(202), 4972 ipproto-203(203), 4973 ipproto-204(204), 4974 ipproto-205(205), 4975 ipproto-206(206), 4976 ipproto-207(207), 4977 ipproto-208(208), 4978 ipproto-209(209), 4979 ipproto-210(210), 4980 ipproto-211(211), 4981 ipproto-212(212), 4982 ipproto-213(213), 4983 ipproto-214(214), 4984 ipproto-215(215), 4985 ipproto-216(216), 4986 ipproto-217(217), 4987 ipproto-218(218), 4988 ipproto-219(219), 4989 ipproto-220(220), 4990 ipproto-221(221), 4991 ipproto-222(222), 4992 ipproto-223(223), 4993 ipproto-224(224), 4994 ipproto-225(225), 4995 ipproto-226(226), 4996 ipproto-227(227), 4997 ipproto-228(228), 4998 ipproto-229(229), 4999 ipproto-230(230), 5000 ipproto-231(231), 5001 ipproto-232(232), 5002 ipproto-233(233), 5003 ipproto-234(234), 5004 ipproto-235(235), 5005 ipproto-236(236), 5006 ipproto-237(237), 5007 ipproto-238(238), 5008 ipproto-239(239), 5009 ipproto-240(240), 5010 ipproto-241(241), 5011 ipproto-242(242), 5012 ipproto-243(243), 5013 ipproto-244(244), 5014 ipproto-245(245), 5015 ipproto-246(246), 5016 ipproto-247(247), 5017 ipproto-248(248), 5018 ipproto-249(249), 5019 ipproto-250(250), 5020 ipproto-251(251), 5021 ipproto-252(252), 5022 ipproto-253(253), 5023 ipproto-254(254), 5024 dont-verify(255) 5025 } 5026 MAX-ACCESS 
read-write 5027 STATUS current 5028 DESCRIPTION 5029 "The transport protocol defined for this entry." 5030 DEFVAL { dont-verify } 5031 ::= { ipsecTrafficEntry 10 } 5032 5033 5034 ipsecTrLocalPort OBJECT-TYPE 5035 SYNTAX INTEGER 5036 MAX-ACCESS read-write 5037 STATUS current 5038 DESCRIPTION 5039 "The source port defined for this traffic entry." 5040 ::= { ipsecTrafficEntry 11 } 5041 5042 5043 ipsecTrRemotePort OBJECT-TYPE 5044 SYNTAX INTEGER 5045 MAX-ACCESS read-write 5046 STATUS current 5047 DESCRIPTION 5048 "The destination port defined for this traffic entry." 5049 ::= { ipsecTrafficEntry 12 } 5050 5051 5052 ipsecTrAction OBJECT-TYPE 5053 SYNTAX INTEGER { 5054 delete(1), -- Delete this entry 5055 always-plain(2), -- Forward the packets without 5056 -- protection even if there is a 5057 -- matching SA and independent from 5058 -- the position of the traffic entry 5059 -- in the list. 5060 pass(3), -- Forward the packets without 5061 -- protection 5062 protect(4), -- Protect the traffic as specified 5063 -- in the proposal. Drop unprotected 5064 -- traffic of this kind. 5065 drop(5) -- Drop all packets matching this 5066 -- traffic entry 5067 } 5068 MAX-ACCESS read-write 5069 STATUS current 5070 DESCRIPTION 5071 "The action to be applied to traffic matching this entry. 5072 Possible values: 5073 delete(1), -- Delete this entry 5074 always-plain(2), -- Forward the packets without 5075 -- protection even if there is a 5076 -- matching SA and independent from 5077 -- the position of the traffic entry 5078 -- in the list. 5079 pass(3), -- Forward the packets without 5080 -- protection 5081 protect(4), -- Protect the traffic as specified 5082 -- in the proposal. Drop unprotected 5083 -- traffic of this kind. 5084 drop(5) -- Drop all packets matching this 5085 -- traffic entry." 
5086 DEFVAL { protect } 5087 ::= { ipsecTrafficEntry 13 } 5088 5089 5090 ipsecTrProposal OBJECT-TYPE 5091 SYNTAX INTEGER 5092 MAX-ACCESS read-only 5093 STATUS current 5094 DESCRIPTION 5095 "This object specifies an index in the 5096 ipsecProposalTable. This may be the first proposal of 5097 possibly a choice of multiple, optionally nested 5098 proposals which is to be offered with IKE (automatic 5099 keying) or a manual proposal (manual keying)." 5100 ::= { ipsecTrafficEntry 14 } 5101 5102 5103 ipsecTrForceTunnelMode OBJECT-TYPE 5104 SYNTAX INTEGER { 5105 true(1), -- Use tunnel mode even if transport mode is possible 5106 false(2) -- Use transport mode whenever possible 5107 } 5108 MAX-ACCESS read-only 5109 STATUS current 5110 DESCRIPTION 5111 "This object specifies the strategy when transport mode is used. 5112 By default, the system always uses transport mode, if possible. 5113 If this variable is set to true, tunnel mode will always be used 5114 for this traffic entry, even if source and destination address 5115 match the tunnel endpoints. 5116 Possible values: 5117 true(1), -- Use tunnel mode even if transport mode is possible 5118 false(2) -- Use transport mode whenever possible." 5119 ::= { ipsecTrafficEntry 15 } 5120 5121 5122 ipsecTrLifeTime OBJECT-TYPE 5123 SYNTAX INTEGER 5124 MAX-ACCESS read-only 5125 STATUS current 5126 DESCRIPTION 5127 "This object specifies an index in the 5128 ipsecLifeTimeTable. This lifetime overrides the 5129 lifetimes specified for all proposals referenced by 5130 this traffic entry. It may itself be overridden by 5131 an explicit lifetime specified for the peer entry 5132 referencing this traffic entry. If the lifetime 5133 pointed to by this index does not exist or is 5134 inappropriate, the default lifetime from the 5135 ipsecGlobalsTable is used."
5136 ::= { ipsecTrafficEntry 16 } 5137 5138 5139 ipsecTrGranularity OBJECT-TYPE 5140 SYNTAX INTEGER { 5141 default(1), -- use the setting from the ipsecPeerTable 5142 coarse(2), -- Create only one SA for each Traffic entry 5143 ip(3), -- Create one SA for each host 5144 proto(4), -- Create one SA for each protocol and host 5145 port(5) -- Create one SA for each port and host 5146 } 5147 MAX-ACCESS read-only 5148 STATUS current 5149 DESCRIPTION 5150 "This object specifies the granularity with which SA's 5151 must be created for this kind of traffic. 5152 Possible values: 5153 default(1), -- use the setting from the ipsecPeerTable 5154 coarse(2), -- Create only one SA for each Traffic entry 5155 ip(3), -- Create one SA for each host 5156 proto(4), -- Create one SA for each protocol and host 5157 port(5) -- Create one SA for each port and host." 5158 DEFVAL { default } 5159 ::= { ipsecTrafficEntry 17 } 5160 5161 5162 ipsecTrKeepAlive OBJECT-TYPE 5163 SYNTAX INTEGER { 5164 true(1), -- rekey SA's even if no data was transferred 5165 false(2), -- do not rekey SA's if no data was transferred 5166 default(3) -- use the default setting from the peer entry 5167 -- referencing this traffic entry 5168 } 5169 MAX-ACCESS read-only 5170 STATUS current 5171 DESCRIPTION 5172 "This object specifies whether SA's created for this kind 5173 of traffic should be rekeyed on expiration of soft 5174 lifetimes even if there has not been sent any traffic 5175 over them. 5176 Possible values: 5177 true(1), -- rekey SA's even if no data was transferred 5178 false(2), -- do not rekey SA's if no data was transferred 5179 default(3) -- use the default setting from the peer entry 5180 -- referencing this traffic entry." 
5181 DEFVAL { default } 5182 ::= { ipsecTrafficEntry 18 } 5183 5184 5185 ipsecTrProfile OBJECT-TYPE 5186 SYNTAX INTEGER 5187 MAX-ACCESS read-write 5188 STATUS current 5189 DESCRIPTION 5190 "The index from the ipsecProfileTable containing a special 5191 phase 2 profile to use for this traffic entry." 5192 ::= { ipsecTrafficEntry 23 } 5193 5194 5195 ipsecTrInterface OBJECT-TYPE 5196 SYNTAX INTEGER 5197 MAX-ACCESS read-write 5198 STATUS current 5199 DESCRIPTION 5200 "This object specifies the interface for which the traffic 5201 entry should be valid (pass, drop and protect entries). 5202 If this object is set to -1, there is no interface 5203 restriction." 5204 DEFVAL { -1 } 5205 ::= { ipsecTrafficEntry 19 } 5206 5207 5208 ipsecTrDirection OBJECT-TYPE 5209 SYNTAX INTEGER { 5210 bidirectional(1), -- matches packets from remote to local 5211 -- and vice versa 5212 inbound(2), -- matches only packets from remote to local 5213 outbound(3) -- matches only packets from local to remote 5214 } 5215 MAX-ACCESS read-write 5216 STATUS current 5217 DESCRIPTION 5218 "This object specifies the direction for which this traffic 5219 entry should match. 5220 It only applies for pass and drop entries, for protect entries 5221 it is meaningless. 5222 Possible values: 5223 bidirectional(1), -- matches packets from remote to local 5224 -- and vice versa 5225 inbound(2), -- matches only packets from remote to local 5226 outbound(3) -- matches only packets from local to remote." 5227 DEFVAL { 1 } 5228 ::= { ipsecTrafficEntry 20 } 5229 5230 5231 ipsecTrCreator OBJECT-TYPE 5232 SYNTAX INTEGER { 5233 config(1), -- created by configd/snmp 5234 radius-preset(2), -- created by RADIUS preset 5235 radius(3), -- created by dynamic RADIUS 5236 ike(4) -- created by IKE (for dynamic client) 5237 } 5238 MAX-ACCESS read-only 5239 STATUS current 5240 DESCRIPTION 5241 "This object shows the creator of the traffic entry." 
5242 DEFVAL { config } 5243 ::= { ipsecTrafficEntry 36 } 5244 5245 5246-- End IPSec Traffic Table 5247 5248 5249 5250-- IPSec Algorithm definition table 5251 5252 ipsecAlgorithmTable OBJECT-TYPE 5253 SYNTAX SEQUENCE OF IpsecAlgorithmEntry 5254 MAX-ACCESS not-accessible 5255 STATUS current 5256 DESCRIPTION 5257 "This table contains the list of supported IPSec algorithms 5258 and their key sizes." 5259 ::= { ipsec 17 } 5260 5261 ipsecAlgorithmEntry OBJECT-TYPE 5262 SYNTAX IpsecAlgorithmEntry 5263 MAX-ACCESS not-accessible 5264 STATUS current 5265 DESCRIPTION 5266 "This object contains an IPSec algorithm." 5267 INDEX { 5268 ipsecAlgId 5269 } 5270 ::= { ipsecAlgorithmTable 1 } 5271 5272 IpsecAlgorithmEntry ::= 5273 SEQUENCE { 5274 ipsecAlgId INTEGER, 5275 ipsecAlgMinKeySize INTEGER, 5276 ipsecAlgDefKeySize INTEGER, 5277 ipsecAlgMaxKeySize INTEGER, 5278 ipsecAlgUseMinKeySize INTEGER, 5279 ipsecAlgUseDefKeySize INTEGER, 5280 ipsecAlgUseMaxKeySize INTEGER 5281 } 5282 5283 ipsecAlgId OBJECT-TYPE 5284 SYNTAX INTEGER { 5285 aes(1), -- AES cipher alg 5286 twofish(2), -- Twofish cipher alg 5287 blowfish(3), -- Blowfish cipher alg 5288 cast(4), -- Cast cipher alg 5289 des3(5), -- Triple DES cipher alg 5290 des(6), -- DES cipher alg 5291 null(7), -- NULL pseudo cipher 5292 rijndael(31) -- rijndael (former name for AES) 5293 } 5294 MAX-ACCESS read-only 5295 STATUS current 5296 DESCRIPTION 5297 "The id of the algorithm. 5298 Possible values: 5299 aes(1), -- AES cipher alg 5300 twofish(2), -- Twofish cipher alg 5301 blowfish(3), -- Blowfish cipher alg 5302 cast(4), -- Cast cipher alg 5303 des3(5), -- Triple DES cipher alg 5304 des(6), -- DES cipher alg 5305 null(7), -- NULL pseudo cipher 5306 rijndael(31) -- rijndael (former name for AES)." 
5307 ::= { ipsecAlgorithmEntry 1 } 5308 5309 5310 ipsecAlgMinKeySize OBJECT-TYPE 5311 SYNTAX INTEGER (0..2048) 5312 UNITS "bits" 5313 MAX-ACCESS read-only 5314 STATUS current 5315 DESCRIPTION 5316 "The minimum key length in bits possible for this algorithm." 5317 ::= { ipsecAlgorithmEntry 3 } 5318 5319 5320 ipsecAlgDefKeySize OBJECT-TYPE 5321 SYNTAX INTEGER (0..2048) 5322 UNITS "bits" 5323 MAX-ACCESS read-only 5324 STATUS current 5325 DESCRIPTION 5326 "The default key length in bits used for this algorithm." 5327 ::= { ipsecAlgorithmEntry 4 } 5328 5329 5330 ipsecAlgMaxKeySize OBJECT-TYPE 5331 SYNTAX INTEGER (0..2048) 5332 UNITS "bits" 5333 MAX-ACCESS read-only 5334 STATUS current 5335 DESCRIPTION 5336 "The maximum key length in bits possible for this algorithm." 5337 ::= { ipsecAlgorithmEntry 5 } 5338 5339 5340 ipsecAlgUseMinKeySize OBJECT-TYPE 5341 SYNTAX INTEGER (0..2048) 5342 UNITS "bits" 5343 MAX-ACCESS read-only 5344 STATUS obsolete 5345 DESCRIPTION 5346 "WARNING: this object is obsolete and must not be used." 5347 ::= { ipsecAlgorithmEntry 6 } 5348 5349 5350 ipsecAlgUseDefKeySize OBJECT-TYPE 5351 SYNTAX INTEGER (0..2048) 5352 UNITS "bits" 5353 MAX-ACCESS read-only 5354 STATUS obsolete 5355 DESCRIPTION 5356 "WARNING: this object is obsolete and must not be used." 5357 ::= { ipsecAlgorithmEntry 7 } 5358 5359 5360 ipsecAlgUseMaxKeySize OBJECT-TYPE 5361 SYNTAX INTEGER (0..2048) 5362 UNITS "bits" 5363 MAX-ACCESS read-only 5364 STATUS obsolete 5365 DESCRIPTION 5366 "WARNING: this object is obsolete and must not be used." 5367 ::= { ipsecAlgorithmEntry 8 } 5368 5369 5370-- End IPSec Algorithm definition table 5371 5372 5373-- IPSec Proposal Table 5374 5375 ipsecProposalTable OBJECT-TYPE 5376 SYNTAX SEQUENCE OF IpsecProposalEntry 5377 MAX-ACCESS not-accessible 5378 STATUS current 5379 DESCRIPTION 5380 "This table contains the list of IPSec proposals known to the 5381 system. 
5382 The combinations of algorithms allowed are 5383 constructed from any combinations of algorithms 5384 enabled in an entry, in the order of the preferences 5385 specified." 5386 ::= { ipsec 8 } 5387 5388 ipsecProposalEntry OBJECT-TYPE 5389 SYNTAX IpsecProposalEntry 5390 MAX-ACCESS not-accessible 5391 STATUS current 5392 DESCRIPTION 5393 "This object contains an IPSec proposal, i.e. a 5394 proposed set of security parameters applied to 5395 traffic sent over an IPSec security association." 5396 INDEX { 5397 ipsecPropProto 5398 } 5399 ::= { ipsecProposalTable 1 } 5400 5401 IpsecProposalEntry ::= 5402 SEQUENCE { 5403 ipsecPropIndex INTEGER, 5404 ipsecPropNext INTEGER, 5405 ipsecPropDescription DisplayString, 5406 ipsecPropProto INTEGER, 5407 ipsecPropIpcomp INTEGER, 5408 ipsecPropEspAes INTEGER, 5409 ipsecPropEspTwofish INTEGER, 5410 ipsecPropEspBlowfish INTEGER, 5411 ipsecPropEspCast INTEGER, 5412 ipsecPropEspDes3 INTEGER, 5413 ipsecPropEspDes INTEGER, 5414 ipsecPropEspNull INTEGER, 5415 ipsecPropEspRijndael INTEGER, 5416 ipsecPropEspMd5 INTEGER, 5417 ipsecPropEspSha1 INTEGER, 5418 ipsecPropEspNoMac INTEGER, 5419 ipsecPropAhMd5 INTEGER, 5420 ipsecPropAhSha1 INTEGER, 5421 ipsecPropIpcompDeflate INTEGER, 5422 ipsecPropAesKeySize INTEGER, 5423 ipsecPropAesKeySizeMin INTEGER, 5424 ipsecPropAesKeySizeMax INTEGER, 5425 ipsecPropBlowfishKeySize INTEGER, 5426 ipsecPropBlowfishKeySizeMin INTEGER, 5427 ipsecPropBlowfishKeySizeMax INTEGER, 5428 ipsecPropTwofishKeySize INTEGER, 5429 ipsecPropTwofishKeySizeMin INTEGER, 5430 ipsecPropTwofishKeySizeMax INTEGER 5431 } 5432 5433 ipsecPropIndex OBJECT-TYPE 5434 SYNTAX INTEGER 5435 MAX-ACCESS read-only 5436 STATUS current 5437 DESCRIPTION 5438 "A unique index for this entry." 5439 ::= { ipsecProposalEntry 1 } 5440 5441 5442 ipsecPropNext OBJECT-TYPE 5443 SYNTAX INTEGER 5444 MAX-ACCESS read-write 5445 STATUS current 5446 DESCRIPTION 5447 "The index of the next Proposal in the actual chain." 
5448 ::= { ipsecProposalEntry 2 } 5449 5450 5451 ipsecPropDescription OBJECT-TYPE 5452 SYNTAX DisplayString 5453 MAX-ACCESS read-write 5454 STATUS current 5455 DESCRIPTION 5456 "An optional human readable description for this proposal." 5457 ::= { ipsecProposalEntry 4 } 5458 5459 5460 ipsecPropProto OBJECT-TYPE 5461 SYNTAX INTEGER { 5462 esp(1), -- Encapsulating Security Payload 5463 ah(2), -- Authentication Header 5464 esp-ah(3), -- ESP and AH 5465 delete(8) -- delete this entry 5466 } 5467 MAX-ACCESS read-write 5468 STATUS current 5469 DESCRIPTION 5470 "The security protocol to apply. 5471 Possible values: 5472 esp(1), -- Encapsulating Security Payload 5473 ah(2), -- Authentication Header 5474 esp-ah(3), -- ESP and AH 5475 delete(8) -- delete this entry." 5476 DEFVAL { esp } 5477 ::= { ipsecProposalEntry 6 } 5478 5479 5480 ipsecPropIpcomp OBJECT-TYPE 5481 SYNTAX INTEGER { 5482 enabled(1), -- Enable IPComP 5483 disabled(2), -- Disable IPComP 5484 force(3) -- Force use of IPComP 5485 } 5486 MAX-ACCESS read-write 5487 STATUS current 5488 DESCRIPTION 5489 "This object specifies the use of IPComP in the proposal. 5490 Possible values: 5491 enabled(1), -- Enable IPComP 5492 disabled(2), -- Disable IPComP 5493 force(3) -- Force use of IPComP." 5494 DEFVAL { disabled } 5495 ::= { ipsecProposalEntry 20 } 5496 5497 5498 ipsecPropEspAes OBJECT-TYPE 5499 SYNTAX INTEGER (0..7) 5500 MAX-ACCESS read-write 5501 STATUS current 5502 DESCRIPTION 5503 "This object specifies the use of the AES 5504 encryption algorithm in the proposal. 5505 Possible values: 5506 0, -- disables AES 5507 1..7 -- enables AES and specifies its priority among 5508 the encryption algorithms." 5509 ::= { ipsecProposalEntry 40 } 5510 5511 5512 ipsecPropEspTwofish OBJECT-TYPE 5513 SYNTAX INTEGER (0..7) 5514 MAX-ACCESS read-write 5515 STATUS current 5516 DESCRIPTION 5517 "This object specifies the use of the Twofish 5518 encryption algorithm in the proposal. 
5519 Possible values: 5520 0, -- disables Twofish 5521 1..7 -- enables Twofish and specifies its priority among 5522 the encryption algorithms." 5523 ::= { ipsecProposalEntry 41 } 5524 5525 5526 ipsecPropEspBlowfish OBJECT-TYPE 5527 SYNTAX INTEGER (0..7) 5528 MAX-ACCESS read-write 5529 STATUS current 5530 DESCRIPTION 5531 "This object specifies the use of the Blowfish 5532 encryption algorithm in the proposal. 5533 Possible values: 5534 0, -- disables Blowfish 5535 1..7 -- enables Blowfish and specifies its priority among 5536 the encryption algorithms." 5537 ::= { ipsecProposalEntry 42 } 5538 5539 5540 ipsecPropEspCast OBJECT-TYPE 5541 SYNTAX INTEGER (0..7) 5542 MAX-ACCESS read-write 5543 STATUS current 5544 DESCRIPTION 5545 "This object specifies the use of the Cast 5546 encryption algorithm in the proposal. 5547 Possible values: 5548 0, -- disables Cast 5549 1..7 -- enables Cast and specifies its priority among 5550 the encryption algorithms." 5551 ::= { ipsecProposalEntry 43 } 5552 5553 5554 ipsecPropEspDes3 OBJECT-TYPE 5555 SYNTAX INTEGER (0..7) 5556 MAX-ACCESS read-write 5557 STATUS current 5558 DESCRIPTION 5559 "This object specifies the use of the DES3 5560 encryption algorithm in the proposal. 5561 Possible values: 5562 0, -- disables DES3 5563 1..7 -- enables DES3 and specifies its priority among 5564 the encryption algorithms." 5565 ::= { ipsecProposalEntry 44 } 5566 5567 5568 ipsecPropEspDes OBJECT-TYPE 5569 SYNTAX INTEGER (0..7) 5570 MAX-ACCESS read-write 5571 STATUS current 5572 DESCRIPTION 5573 "This object specifies the use of the DES 5574 encryption algorithm in the proposal. 5575 Possible values: 5576 0, -- disables DES 5577 1..7 -- enables DES and specifies its priority among 5578 the encryption algorithms." 
5579 ::= { ipsecProposalEntry 45 } 5580 5581 5582 ipsecPropEspNull OBJECT-TYPE 5583 SYNTAX INTEGER (0..7) 5584 MAX-ACCESS read-write 5585 STATUS current 5586 DESCRIPTION 5587 "This object specifies the use of the NULL 5588 encryption algorithm in the proposal, i.e. ESP without encryption (no confidentiality). 5589 Possible values: 5590 0, -- disables NULL encryption 5591 1..7 -- enables NULL encryption and specifies its priority among 5592 the encryption algorithms." 5593 ::= { ipsecProposalEntry 46 } 5594 5595 5596 ipsecPropEspRijndael OBJECT-TYPE 5597 SYNTAX INTEGER (-1..7) 5598 MAX-ACCESS read-write 5599 STATUS current 5600 DESCRIPTION 5601 "This object specifies the use of the Rijndael 5602 encryption algorithm in the proposal. 5603 The use of this object is deprecated since Rijndael has been 5604 accepted as the algorithm for AES. Its value is transferred to 5605 ipsecPropEspAes, if different from -1. 5606 Possible values: 5607 -1 -- use ipsecPropEspAes to determine the priority value 5608 0, -- disables Rijndael 5609 1..7 -- enables Rijndael and specifies its priority among 5610 the encryption algorithms." 5611 DEFVAL { -1 } 5612 ::= { ipsecProposalEntry 49 } 5613 5614 5615 ipsecPropEspMd5 OBJECT-TYPE 5616 SYNTAX INTEGER (0..3) 5617 MAX-ACCESS read-write 5618 STATUS current 5619 DESCRIPTION 5620 "This object specifies the use of the MD5 authentication 5621 algorithm for ESP in the proposal. 5622 Possible values: 5623 0, -- disables MD5 5624 1..3 -- enables MD5 and specifies its priority among 5625 the authentication algorithms." 5626 ::= { ipsecProposalEntry 50 } 5627 5628 5629 ipsecPropEspSha1 OBJECT-TYPE 5630 SYNTAX INTEGER (0..3) 5631 MAX-ACCESS read-write 5632 STATUS current 5633 DESCRIPTION 5634 "This object specifies the use of the SHA-1 authentication 5635 algorithm for ESP in the proposal. 5636 Possible values: 5637 0, -- disables SHA-1 5638 1..3 -- enables SHA-1 and specifies its priority among 5639 the authentication algorithms."
5640 ::= { ipsecProposalEntry 51 } 5641 5642 5643 ipsecPropEspNoMac OBJECT-TYPE 5644 SYNTAX INTEGER (0..3) 5645 MAX-ACCESS read-write 5646 STATUS current 5647 DESCRIPTION 5648 "This object specifies whether ESP without authentication 5649 (no integrity protection) is allowed in the proposal. 5650 Possible values: 5651 0, -- disallows ESP without authentication 5652 1..3 -- allows ESP without authentication and specifies 5653 its priority among the other authentication 5654 algorithms enabled for ESP." 5655 ::= { ipsecProposalEntry 52 } 5656 5657 5658 ipsecPropAhMd5 OBJECT-TYPE 5659 SYNTAX INTEGER (0..2) 5660 MAX-ACCESS read-write 5661 STATUS current 5662 DESCRIPTION 5663 "This object specifies the use of the MD5 authentication 5664 algorithm for AH in the proposal. 5665 Possible values: 5666 0, -- disables MD5 5667 1..2 -- enables MD5 and specifies its priority among 5668 the authentication algorithms." 5669 ::= { ipsecProposalEntry 60 } 5670 5671 5672 ipsecPropAhSha1 OBJECT-TYPE 5673 SYNTAX INTEGER (0..2) 5674 MAX-ACCESS read-write 5675 STATUS current 5676 DESCRIPTION 5677 "This object specifies the use of the SHA-1 authentication 5678 algorithm for AH in the proposal. 5679 Possible values: 5680 0, -- disables SHA-1 5681 1..2 -- enables SHA-1 and specifies its priority among 5682 the authentication algorithms." 5683 ::= { ipsecProposalEntry 61 } 5684 5685 5686 ipsecPropIpcompDeflate OBJECT-TYPE 5687 SYNTAX INTEGER (0..1) 5688 MAX-ACCESS read-write 5689 STATUS current 5690 DESCRIPTION 5691 "This object specifies the use of the DEFLATE 5692 compression algorithm in the proposal. 5693 Possible values: 5694 0, -- disables DEFLATE 5695 1..1 -- enables DEFLATE and specifies its priority among 5696 the compression algorithms."
5697 ::= { ipsecProposalEntry 70 } 5698 5699 5700 ipsecPropAesKeySize OBJECT-TYPE 5701 SYNTAX INTEGER { 5702 aes128(128), -- use 128 bit AES 5703 aes192(192), -- use 192 bit AES 5704 aes256(256) -- use 256 bit AES 5705 } 5706 UNITS "bits" 5707 MAX-ACCESS read-write 5708 STATUS current 5709 DESCRIPTION 5710 "This object specifies the key size in bits for the AES 5711 algorithm, if enabled. 5712 Possible Values: 5713 aes128(128), -- use 128 bit AES 5714 aes192(192), -- use 192 bit AES 5715 aes256(256) -- use 256 bit AES." 5716 ::= { ipsecProposalEntry 80 } 5717 5718 5719 ipsecPropAesKeySizeMin OBJECT-TYPE 5720 SYNTAX INTEGER { 5721 aes128(128), -- use 128 bit AES 5722 aes192(192), -- use 192 bit AES 5723 aes256(256) -- use 256 bit AES 5724 } 5725 UNITS "bits" 5726 MAX-ACCESS read-write 5727 STATUS current 5728 DESCRIPTION 5729 "This object specifies the minimum accepted key size in bits 5730 for the AES algorithm, if enabled. 5731 Possible Values: 5732 aes128(128), -- use 128 bit AES 5733 aes192(192), -- use 192 bit AES 5734 aes256(256) -- use 256 bit AES." 5735 ::= { ipsecProposalEntry 81 } 5736 5737 5738 ipsecPropAesKeySizeMax OBJECT-TYPE 5739 SYNTAX INTEGER { 5740 aes128(128), -- use 128 bit AES 5741 aes192(192), -- use 192 bit AES 5742 aes256(256) -- use 256 bit AES 5743 } 5744 UNITS "bits" 5745 MAX-ACCESS read-write 5746 STATUS current 5747 DESCRIPTION 5748 "This object specifies the maximum accepted key size in bits 5749 for the AES algorithm, if enabled. 5750 Possible Values: 5751 aes128(128), -- use 128 bit AES 5752 aes192(192), -- use 192 bit AES 5753 aes256(256) -- use 256 bit AES." 5754 ::= { ipsecProposalEntry 82 } 5755 5756 5757 ipsecPropBlowfishKeySize OBJECT-TYPE 5758 SYNTAX INTEGER (40..448) 5759 UNITS "bits" 5760 MAX-ACCESS read-write 5761 STATUS current 5762 DESCRIPTION 5763 "This object specifies the key size in bits for the Blowfish 5764 algorithm, if enabled. 5765 Note: the key size must be a multiple of 8 bits. 
5766 If not, it will be rounded up to the next 8 bit boundary." 5767 ::= { ipsecProposalEntry 83 } 5768 5769 5770 ipsecPropBlowfishKeySizeMin OBJECT-TYPE 5771 SYNTAX INTEGER (40..448) 5772 UNITS "bits" 5773 MAX-ACCESS read-write 5774 STATUS current 5775 DESCRIPTION 5776 "This object specifies the minimum accepted key size in bits 5777 for the Blowfish algorithm, if enabled." 5778 ::= { ipsecProposalEntry 84 } 5779 5780 5781 ipsecPropBlowfishKeySizeMax OBJECT-TYPE 5782 SYNTAX INTEGER (40..448) 5783 UNITS "bits" 5784 MAX-ACCESS read-write 5785 STATUS current 5786 DESCRIPTION 5787 "This object specifies the maximum accepted key size in bits 5788 for the Blowfish algorithm, if enabled." 5789 ::= { ipsecProposalEntry 85 } 5790 5791 5792 ipsecPropTwofishKeySize OBJECT-TYPE 5793 SYNTAX INTEGER { 5794 twofish128(128), -- use 128 bit Twofish 5795 twofish192(192), -- use 192 bit Twofish 5796 twofish256(256) -- use 256 bit Twofish 5797 } 5798 UNITS "bits" 5799 MAX-ACCESS read-write 5800 STATUS current 5801 DESCRIPTION 5802 "This object specifies the key size in bits for the Twofish 5803 algorithm, if enabled. 5804 Possible Values: 5805 twofish128(128), -- use 128 bit Twofish 5806 twofish192(192), -- use 192 bit Twofish 5807 twofish256(256) -- use 256 bit Twofish." 5808 ::= { ipsecProposalEntry 86 } 5809 5810 5811 ipsecPropTwofishKeySizeMin OBJECT-TYPE 5812 SYNTAX INTEGER { 5813 twofish128(128), -- use 128 bit Twofish 5814 twofish192(192), -- use 192 bit Twofish 5815 twofish256(256) -- use 256 bit Twofish 5816 } 5817 UNITS "bits" 5818 MAX-ACCESS read-write 5819 STATUS current 5820 DESCRIPTION 5821 "This object specifies the minimum accepted key size in bits 5822 for the Twofish algorithm, if enabled. 5823 Possible Values: 5824 twofish128(128), -- use 128 bit Twofish 5825 twofish192(192), -- use 192 bit Twofish 5826 twofish256(256) -- use 256 bit Twofish." 
5827 ::= { ipsecProposalEntry 87 } 5828 5829 5830 ipsecPropTwofishKeySizeMax OBJECT-TYPE 5831 SYNTAX INTEGER { 5832 twofish128(128), -- use 128 bit Twofish 5833 twofish192(192), -- use 192 bit Twofish 5834 twofish256(256) -- use 256 bit Twofish 5835 } 5836 UNITS "bits" 5837 MAX-ACCESS read-write 5838 STATUS current 5839 DESCRIPTION 5840 "This object specifies the maximum accepted key size in bits 5841 for the Twofish algorithm, if enabled. 5842 Possible Values: 5843 twofish128(128), -- use 128 bit Twofish 5844 twofish192(192), -- use 192 bit Twofish 5845 twofish256(256) -- use 256 bit Twofish." 5846 ::= { ipsecProposalEntry 88 } 5847 5848 5849 5850-- End IPSec Proposal Table 5851 5852 5853-- IPSec Life Time Table 5854 5855 ipsecLifeTimeTable OBJECT-TYPE 5856 SYNTAX SEQUENCE OF IpsecLifeTimeEntry 5857 MAX-ACCESS not-accessible 5858 STATUS current 5859 DESCRIPTION 5860 "This table contains the list of defined lifetimes for IPsec 5861 and IKE SAs." 5862 ::= { ipsec 9 } 5863 5864 ipsecLifeTimeEntry OBJECT-TYPE 5865 SYNTAX IpsecLifeTimeEntry 5866 MAX-ACCESS not-accessible 5867 STATUS current 5868 DESCRIPTION 5869 "This object contains a lifetime, i.e. the soft and hard 5870 expiry limits for IPsec and IKE SAs. 5871 The usage of this table is deprecated; use the ikePrfLifeXxx 5872 and ipsecPrfLifeXxx variables in the ikeProfileTable 5873 and ipsecProfileTable directly instead." 5874 INDEX { 5875 ipsecLifeType 5876 } 5877 ::= { ipsecLifeTimeTable 1 } 5878 5879 IpsecLifeTimeEntry ::= 5880 SEQUENCE { 5881 ipsecLifeIndex INTEGER, 5882 ipsecLifeType INTEGER, 5883 ipsecLifeHardKb INTEGER, 5884 ipsecLifeHardSec INTEGER, 5885 ipsecLifePolicy INTEGER, 5886 ipsecLifeSoftPercent INTEGER 5887 } 5888 5889 5890 ipsecLifeIndex OBJECT-TYPE 5891 SYNTAX INTEGER 5892 MAX-ACCESS read-only 5893 STATUS current 5894 DESCRIPTION 5895 "A unique index identifying this entry."
5896 ::= { ipsecLifeTimeEntry 1 } 5897 5898 ipsecLifeType OBJECT-TYPE 5899 SYNTAX INTEGER { 5900 delete(1), -- Delete this entry 5901 generic(2) 5902 } 5903 MAX-ACCESS read-only 5904 STATUS current 5905 DESCRIPTION 5906 "This object specifies the type of a lifetime entry." 5907 DEFVAL { generic } 5908 ::= { ipsecLifeTimeEntry 2 } 5909 5910 5911 ipsecLifeHardKb OBJECT-TYPE 5912 SYNTAX INTEGER 5913 UNITS "kilo bytes" 5914 MAX-ACCESS read-only 5915 STATUS current 5916 DESCRIPTION 5917 "The maximum amount of data (in KB) which may be protected 5918 by an SA before it is deleted." 5919 DEFVAL { 0 } 5920 ::= { ipsecLifeTimeEntry 5 } 5921 5922 5923 ipsecLifeHardSec OBJECT-TYPE 5924 SYNTAX INTEGER 5925 UNITS "seconds" 5926 MAX-ACCESS read-only 5927 STATUS current 5928 DESCRIPTION 5929 "The maximum time (in seconds) after which an SA will be 5930 refreshed." 5931 DEFVAL { 900 } 5932 ::= { ipsecLifeTimeEntry 6 } 5933 5934 5935 ipsecLifePolicy OBJECT-TYPE 5936 SYNTAX INTEGER { 5937 loose(1), -- accept and use anything proposed 5938 strict(2), -- accept and use only what is configured 5939 notify(3) -- accept anything (send responder lifetime) 5940 } 5941 MAX-ACCESS read-only 5942 STATUS current 5943 DESCRIPTION 5944 "This object specifies the way the lifetime information is 5945 applied. Possible values: 5946 loose(1), -- accept and use anything proposed 5947 strict(2), -- accept and use only what is configured 5948 notify(3) -- accept anything; if the own values are smaller 5949 than what was proposed, use these and 5950 send a responder lifetime notification." 5951 DEFVAL { loose } 5952 ::= { ipsecLifeTimeEntry 7 } 5953 5954 5955 ipsecLifeSoftPercent OBJECT-TYPE 5956 SYNTAX INTEGER (50..100) 5957 MAX-ACCESS read-only 5958 STATUS current 5959 DESCRIPTION 5960 "The percentage of the hard lifetimes (traffic and time based) 5961 after which rekeying is started."
5962 DEFVAL { 80 } 5963 ::= { ipsecLifeTimeEntry 8 } 5964 5965 5966-- End IPSec Life Time Table 5967 5968-- IPSec global statistics Table 5969 5970 ipsecStats OBJECT IDENTIFIER ::= { ipsec 10 } 5971 --Static table containing global IPSec statistics 5972 5973 5974 ipsecStatsCurrentIkeSas OBJECT-TYPE 5975 SYNTAX INTEGER 5976 MAX-ACCESS read-only 5977 STATUS current 5978 DESCRIPTION 5979 "Current number of IKE SA's (both IKEv1 and IKEv2)." 5980 ::= { ipsecStats 1 } 5981 5982 ipsecStatsCurrentIpsecSas OBJECT-TYPE 5983 SYNTAX INTEGER 5984 MAX-ACCESS read-only 5985 STATUS current 5986 DESCRIPTION 5987 "Current number of IPSec SA's." 5988 ::= { ipsecStats 2 } 5989 5990 ipsecStatsTrig OBJECT-TYPE 5991 SYNTAX INTEGER 5992 MAX-ACCESS read-only 5993 STATUS current 5994 DESCRIPTION 5995 "Number of packets which triggered an IKE negotiation." 5996 ::= { ipsecStats 9 } 5997 5998 ipsecStatsFragPkt OBJECT-TYPE 5999 SYNTAX INTEGER 6000 MAX-ACCESS read-only 6001 STATUS current 6002 DESCRIPTION 6003 "Number of partial packets currently being reassembled." 6004 ::= { ipsecStats 10 } 6005 6006 ipsecStatsFragBytes OBJECT-TYPE 6007 SYNTAX INTEGER 6008 UNITS "bytes" 6009 MAX-ACCESS read-only 6010 STATUS current 6011 DESCRIPTION 6012 "Total size of the partial packets currently being reassembled." 6013 ::= { ipsecStats 11 } 6014 6015 ipsecStatsFragNonfirst OBJECT-TYPE 6016 SYNTAX INTEGER 6017 MAX-ACCESS read-only 6018 STATUS current 6019 DESCRIPTION 6020 "Number of non-first fragments currently queued." 6021 ::= { ipsecStats 12 } 6022 6023 ipsecStatsDecryptErrors OBJECT-TYPE 6024 SYNTAX INTEGER 6025 MAX-ACCESS read-only 6026 STATUS current 6027 DESCRIPTION 6028 "Number of decryption errors." 6029 ::= { ipsecStats 13 } 6030 6031 ipsecStatsAuthErrors OBJECT-TYPE 6032 SYNTAX INTEGER 6033 MAX-ACCESS read-only 6034 STATUS current 6035 DESCRIPTION 6036 "Number of authentication errors." 
6037 ::= { ipsecStats 14 } 6038 6039 ipsecStatsReplayErrors OBJECT-TYPE 6040 SYNTAX INTEGER 6041 MAX-ACCESS read-only 6042 STATUS current 6043 DESCRIPTION 6044 "Number of replay errors." 6045 ::= { ipsecStats 15 } 6046 6047 ipsecStatsPolicyErrors OBJECT-TYPE 6048 SYNTAX INTEGER 6049 MAX-ACCESS read-only 6050 STATUS current 6051 DESCRIPTION 6052 "Number of policy errors." 6053 ::= { ipsecStats 16 } 6054 6055 ipsecStatsOtherErrors OBJECT-TYPE 6056 SYNTAX INTEGER 6057 MAX-ACCESS read-only 6058 STATUS current 6059 DESCRIPTION 6060 "Number of other receive errors." 6061 ::= { ipsecStats 17 } 6062 6063 ipsecStatsSendErrors OBJECT-TYPE 6064 SYNTAX INTEGER 6065 MAX-ACCESS read-only 6066 STATUS current 6067 DESCRIPTION 6068 "Number of send errors." 6069 ::= { ipsecStats 18 } 6070 6071 ipsecStatsUnknownSpiErrors OBJECT-TYPE 6072 SYNTAX INTEGER 6073 MAX-ACCESS read-only 6074 STATUS current 6075 DESCRIPTION 6076 "Number of unknown SPI errors." 6077 ::= { ipsecStats 19 } 6078 6079 6080 ipsecStatsIkeNumP1 OBJECT-TYPE 6081 SYNTAX INTEGER 6082 MAX-ACCESS read-only 6083 STATUS current 6084 DESCRIPTION 6085 "The number of IKE phase-1 negotiations performed. " 6086 ::= { ipsecStats 20 } 6087 6088 ipsecStatsIkeNumFailedP1 OBJECT-TYPE 6089 SYNTAX INTEGER 6090 MAX-ACCESS read-only 6091 STATUS current 6092 DESCRIPTION 6093 "The number of failed IKE phase-1 negotiations." 6094 ::= { ipsecStats 21 } 6095 6096 ipsecStatsIkeNumQm OBJECT-TYPE 6097 SYNTAX INTEGER 6098 MAX-ACCESS read-only 6099 STATUS current 6100 DESCRIPTION 6101 "The number of IKE quick-mode negotiations performed. " 6102 ::= { ipsecStats 22 } 6103 6104 ipsecStatsIkeNumFailedQm OBJECT-TYPE 6105 SYNTAX INTEGER 6106 MAX-ACCESS read-only 6107 STATUS current 6108 DESCRIPTION 6109 "The number of failed IKE quick-mode negotiations. 
" 6110 ::= { ipsecStats 23 } 6111 6112 ipsecStatsEspCurrentInbound OBJECT-TYPE 6113 SYNTAX INTEGER 6114 MAX-ACCESS read-only 6115 STATUS current 6116 DESCRIPTION 6117 "The number of active inbound ESP SAs." 6118 ::= { ipsecStats 24 } 6119 6120 ipsecStatsEspTotalInbound OBJECT-TYPE 6121 SYNTAX INTEGER 6122 MAX-ACCESS read-only 6123 STATUS current 6124 DESCRIPTION 6125 "The number of inbound ESP SAs since the system was started." 6126 ::= { ipsecStats 25 } 6127 6128 ipsecStatsEspCurrentOutbound OBJECT-TYPE 6129 SYNTAX INTEGER 6130 MAX-ACCESS read-only 6131 STATUS current 6132 DESCRIPTION 6133 "The number of active outbound ESP SAs." 6134 ::= { ipsecStats 26 } 6135 6136 ipsecStatsEspTotalOutbound OBJECT-TYPE 6137 SYNTAX INTEGER 6138 MAX-ACCESS read-only 6139 STATUS current 6140 DESCRIPTION 6141 "The number of outbound ESP SAs since the system was started." 6142 ::= { ipsecStats 27 } 6143 6144 ipsecStatsAhCurrentInbound OBJECT-TYPE 6145 SYNTAX INTEGER 6146 MAX-ACCESS read-only 6147 STATUS current 6148 DESCRIPTION 6149 "The number of active inbound AH SAs." 6150 ::= { ipsecStats 28 } 6151 6152 ipsecStatsAhTotalInbound OBJECT-TYPE 6153 SYNTAX INTEGER 6154 MAX-ACCESS read-only 6155 STATUS current 6156 DESCRIPTION 6157 "The number of inbound AH SAs since the system was started." 6158 ::= { ipsecStats 29 } 6159 6160 ipsecStatsAhCurrentOutbound OBJECT-TYPE 6161 SYNTAX INTEGER 6162 MAX-ACCESS read-only 6163 STATUS current 6164 DESCRIPTION 6165 "The number of active outbound AH SAs." 6166 ::= { ipsecStats 30 } 6167 6168 ipsecStatsAhTotalOutbound OBJECT-TYPE 6169 SYNTAX INTEGER 6170 MAX-ACCESS read-only 6171 STATUS current 6172 DESCRIPTION 6173 "The number of outbound AH SAs since the system was started." 6174 ::= { ipsecStats 31 } 6175 6176 ipsecStatsIpcompCurrentInbound OBJECT-TYPE 6177 SYNTAX INTEGER 6178 MAX-ACCESS read-only 6179 STATUS current 6180 DESCRIPTION 6181 "The number of active inbound IPComp SAs." 
6182 ::= { ipsecStats 32 } 6183 6184 ipsecStatsIpcompTotalInbound OBJECT-TYPE 6185 SYNTAX INTEGER 6186 MAX-ACCESS read-only 6187 STATUS current 6188 DESCRIPTION 6189 "The number of inbound IPComp SAs since the system was started." 6190 ::= { ipsecStats 33 } 6191 6192 ipsecStatsIpcompCurrentOutbound OBJECT-TYPE 6193 SYNTAX INTEGER 6194 MAX-ACCESS read-only 6195 STATUS current 6196 DESCRIPTION 6197 "The number of active outbound IPComp SAs." 6198 ::= { ipsecStats 34 } 6199 6200 ipsecStatsIpcompTotalOutbound OBJECT-TYPE 6201 SYNTAX INTEGER 6202 MAX-ACCESS read-only 6203 STATUS current 6204 DESCRIPTION 6205 "The number of outbound IPComp SAs since the system was started." 6206 ::= { ipsecStats 35 } 6207 6208 ipsecStatsPeersUp OBJECT-TYPE 6209 SYNTAX INTEGER 6210 MAX-ACCESS read-only 6211 STATUS current 6212 DESCRIPTION 6213 "The number of Peers currently in state 'up'." 6214 ::= { ipsecStats 36 } 6215 6216 ipsecStatsPeersBlocked OBJECT-TYPE 6217 SYNTAX INTEGER 6218 MAX-ACCESS read-only 6219 STATUS current 6220 DESCRIPTION 6221 "The number of Peers currently in state 'blocked'." 6222 ::= { ipsecStats 37 } 6223 6224 ipsecStatsPeersDormant OBJECT-TYPE 6225 SYNTAX INTEGER 6226 MAX-ACCESS read-only 6227 STATUS current 6228 DESCRIPTION 6229 "The number of Peers currently in state 'dormant'." 6230 ::= { ipsecStats 38 } 6231 6232 ipsecStatsCurrentIkeSasNegotiating OBJECT-TYPE 6233 SYNTAX INTEGER 6234 MAX-ACCESS read-only 6235 STATUS current 6236 DESCRIPTION 6237 "Current number of IKE SA's still being negotiated, i.e. not yet 'established' 6238 (both IKEv1 and IKEv2)." 6239 ::= { ipsecStats 39 } 6240 6241 ipsecStatsCurrentIkeSasEstablished OBJECT-TYPE 6242 SYNTAX INTEGER 6243 MAX-ACCESS read-only 6244 STATUS current 6245 DESCRIPTION 6246 "Current number of IKE SA's in state 'established' 6247 (both IKEv1 and IKEv2)."
6248 ::= { ipsecStats 40 } 6249 6250 ipsecStatsCurrentIkeSasDeleted OBJECT-TYPE 6251 SYNTAX INTEGER 6252 MAX-ACCESS read-only 6253 STATUS current 6254 DESCRIPTION 6255 "Current number of IKE SA's in state 'deleted' or 6256 'waiting_for_remove' (both IKEv1 and IKEv2)." 6257 ::= { ipsecStats 41 } 6258 6259 ipsecStatsCurrentBundles OBJECT-TYPE 6260 SYNTAX INTEGER 6261 MAX-ACCESS read-only 6262 STATUS current 6263 DESCRIPTION 6264 "Current number of IPSec bundles." 6265 ::= { ipsecStats 42 } 6266 6267 ipsecStatsCurrentBundlesEstablished OBJECT-TYPE 6268 SYNTAX INTEGER 6269 MAX-ACCESS read-only 6270 STATUS current 6271 DESCRIPTION 6272 "Current number of IPSec bundles in state 'established'." 6273 ::= { ipsecStats 43 } 6274 6275 ipsecStatsCurrentBundlesNegotiating OBJECT-TYPE 6276 SYNTAX INTEGER 6277 MAX-ACCESS read-only 6278 STATUS current 6279 DESCRIPTION 6280 "Current number of IPSec bundles still being negotiated, i.e. not yet 'established'." 6281 ::= { ipsecStats 44 } 6282 6283 ipsecStatsInPkt OBJECT-TYPE 6284 SYNTAX INTEGER 6285 MAX-ACCESS read-only 6286 STATUS current 6287 DESCRIPTION 6288 "Number of packets received." 6289 ::= { ipsecStats 45 } 6290 6291 ipsecStatsInPass OBJECT-TYPE 6292 SYNTAX INTEGER 6293 MAX-ACCESS read-only 6294 STATUS current 6295 DESCRIPTION 6296 "Number of inbound packets passed." 6297 ::= { ipsecStats 46 } 6298 6299 ipsecStatsInDrop OBJECT-TYPE 6300 SYNTAX INTEGER 6301 MAX-ACCESS read-only 6302 STATUS current 6303 DESCRIPTION 6304 "Number of inbound packets dropped (error packets excluded)." 6305 ::= { ipsecStats 47 } 6306 6307 ipsecStatsInDecaps OBJECT-TYPE 6308 SYNTAX INTEGER 6309 MAX-ACCESS read-only 6310 STATUS current 6311 DESCRIPTION 6312 "Number of inbound packets decapsulated." 6313 ::= { ipsecStats 48 } 6314 6315 ipsecStatsInErrors OBJECT-TYPE 6316 SYNTAX INTEGER 6317 MAX-ACCESS read-only 6318 STATUS current 6319 DESCRIPTION 6320 "Number of inbound error packets (dropped)."
6321 ::= { ipsecStats 49 } 6322 6323 ipsecStatsOutPkt OBJECT-TYPE 6324 SYNTAX INTEGER 6325 MAX-ACCESS read-only 6326 STATUS current 6327 DESCRIPTION 6328 "Number of outbound packets." 6329 ::= { ipsecStats 50 } 6330 6331 ipsecStatsOutPass OBJECT-TYPE 6332 SYNTAX INTEGER 6333 MAX-ACCESS read-only 6334 STATUS current 6335 DESCRIPTION 6336 "Number of outbound packets passed." 6337 ::= { ipsecStats 51 } 6338 6339 ipsecStatsOutDrop OBJECT-TYPE 6340 SYNTAX INTEGER 6341 MAX-ACCESS read-only 6342 STATUS current 6343 DESCRIPTION 6344 "Number of outbound packets dropped (error packets excluded)." 6345 ::= { ipsecStats 52 } 6346 6347 ipsecStatsOutEncaps OBJECT-TYPE 6348 SYNTAX INTEGER 6349 MAX-ACCESS read-only 6350 STATUS current 6351 DESCRIPTION 6352 "Number of outbound packets encapsulated." 6353 ::= { ipsecStats 53 } 6354 6355 ipsecStatsOutErrors OBJECT-TYPE 6356 SYNTAX INTEGER 6357 MAX-ACCESS read-only 6358 STATUS current 6359 DESCRIPTION 6360 "Number of outbound error packets." 6361 ::= { ipsecStats 544 } 6362 6363 ipsecStatsInEsp OBJECT-TYPE 6364 SYNTAX INTEGER 6365 MAX-ACCESS read-only 6366 STATUS current 6367 DESCRIPTION 6368 "Number of inbound packets decapsulated by ESP." 6369 ::= { ipsecStats 55 } 6370 6371 ipsecStatsInAh OBJECT-TYPE 6372 SYNTAX INTEGER 6373 MAX-ACCESS read-only 6374 STATUS current 6375 DESCRIPTION 6376 "Number of inbound packets decapsulated by AH." 6377 ::= { ipsecStats 56 } 6378 6379 ipsecStatsInIpcomp OBJECT-TYPE 6380 SYNTAX INTEGER 6381 MAX-ACCESS read-only 6382 STATUS current 6383 DESCRIPTION 6384 "Number of inbound packets decapsulated by IPComP." 6385 ::= { ipsecStats 57 } 6386 6387 ipsecStatsOutEsp OBJECT-TYPE 6388 SYNTAX INTEGER 6389 MAX-ACCESS read-only 6390 STATUS current 6391 DESCRIPTION 6392 "Number of outbound packets encapsulated by ESP." 
6393 ::= { ipsecStats 58 } 6394 6395 ipsecStatsOutAh OBJECT-TYPE 6396 SYNTAX INTEGER 6397 MAX-ACCESS read-only 6398 STATUS current 6399 DESCRIPTION 6400 "Number of outbound packets encapsulated by AH." 6401 ::= { ipsecStats 59 } 6402 6403 ipsecStatsOutIpcomp OBJECT-TYPE 6404 SYNTAX INTEGER 6405 MAX-ACCESS read-only 6406 STATUS current 6407 DESCRIPTION 6408 "Number of outbound packets encapsulated by IPComP." 6409 ::= { ipsecStats 60 } 6410 6411 ipsecStatsIkev2NumIkeSas OBJECT-TYPE 6412 SYNTAX INTEGER 6413 MAX-ACCESS read-only 6414 STATUS current 6415 DESCRIPTION 6416 "The number of IKE_SA negotiations performed (only for IKEv2)." 6417 ::= { ipsecStats 63 } 6418 6419 ipsecStatsIkev2NumFailedIkeSas OBJECT-TYPE 6420 SYNTAX INTEGER 6421 MAX-ACCESS read-only 6422 STATUS current 6423 DESCRIPTION 6424 "The number of failed IKE_SA negotiations (only for IKEv2)." 6425 ::= { ipsecStats 64 } 6426 6427 ipsecStatsIkev2NumCreateChildSas OBJECT-TYPE 6428 SYNTAX INTEGER 6429 MAX-ACCESS read-only 6430 STATUS current 6431 DESCRIPTION 6432 "The number of CREATE_CHILD_SA exchanges performed (only for IKEv2)." 6433 ::= { ipsecStats 65 } 6434 6435 ipsecStatsIkev2NumFailedCreateChildSas OBJECT-TYPE 6436 SYNTAX INTEGER 6437 MAX-ACCESS read-only 6438 STATUS current 6439 DESCRIPTION 6440 "The number of failed CREATE_CHILD_SA exchanges (only for IKEv2)." 6441 ::= { ipsecStats 66 } 6442 6443-- IPSec Dial Table 6444 6445 ipsecDialTable OBJECT-TYPE 6446 SYNTAX SEQUENCE OF IpsecDialEntry 6447 MAX-ACCESS not-accessible 6448 STATUS current 6449 DESCRIPTION 6450 "This table contains dial entries specifying all parameters 6451 needed for ISDN triggered call back." 6452 ::= { ipsec 12 } 6453 6454 ipsecDialEntry OBJECT-TYPE 6455 SYNTAX IpsecDialEntry 6456 MAX-ACCESS not-accessible 6457 STATUS current 6458 DESCRIPTION 6459 "This object contains a dial entry used for mapping ISDN 6460 numbers to peers for ISDN call back feature." 
6461 INDEX { 6462 ipsecDialIfIndex 6463 } 6464 ::= { ipsecDialTable 1 } 6465 6466 IpsecDialEntry ::= 6467 SEQUENCE { 6468 ipsecDialIfIndex INTEGER, 6469 ipsecDialDirection INTEGER, 6470 ipsecDialNumber DisplayString, 6471 ipsecDialSubAddress OCTET STRING, 6472 ipsecDialTypeOfSubAddr INTEGER, 6473 ipsecDialLocalNumber DisplayString, 6474 ipsecDialLocalSubAddress OCTET STRING, 6475 ipsecDialTypeOfLocalSubAddr INTEGER, 6476 ipsecDialAdminStatus INTEGER, 6477 ipsecDialOperStatus INTEGER 6478 } 6479 6480 ipsecDialIfIndex OBJECT-TYPE 6481 SYNTAX INTEGER 6482 MAX-ACCESS read-write 6483 STATUS current 6484 DESCRIPTION 6485 "Index that maps to a peer in a unique way." 6486 ::= { ipsecDialEntry 1 } 6487 6488 ipsecDialDirection OBJECT-TYPE 6489 SYNTAX INTEGER { 6490 incoming(1), 6491 outgoing(2), 6492 both(3), 6493 delete(4) 6494 } 6495 MAX-ACCESS read-write 6496 STATUS current 6497 DESCRIPTION 6498 "Calling direction for which entry applies." 6499 DEFVAL { both } 6500 ::= { ipsecDialEntry 2 } 6501 6502 ipsecDialNumber OBJECT-TYPE 6503 SYNTAX DisplayString (SIZE(0..63)) 6504 MAX-ACCESS read-write 6505 STATUS current 6506 DESCRIPTION 6507 "Party number of remote peer. Used for matching calling party 6508 number on incoming calls and for called party number on 6509 outgoing calls." 6510 ::= { ipsecDialEntry 3 } 6511 6512 ipsecDialSubAddress OBJECT-TYPE 6513 SYNTAX OCTET STRING 6514 MAX-ACCESS read-write 6515 STATUS current 6516 DESCRIPTION 6517 "Subaddress of remote peer. Used for matching calling party 6518 subaddress on incoming calls and for called party subaddress 6519 on outgoing calls." 6520 DEFVAL { "" } 6521 ::= { ipsecDialEntry 4 } 6522 6523 ipsecDialTypeOfSubAddr OBJECT-TYPE 6524 SYNTAX INTEGER { 6525 nsap(1), 6526 user-specified(2), 6527 reserved(3) 6528 } 6529 MAX-ACCESS read-write 6530 STATUS current 6531 DESCRIPTION 6532 "Type of subaddress of remote peer. 
Used for matching calling 6533 party subaddress on incoming calls and for called party 6534 subaddress on outgoing calls." 6535 DEFVAL { nsap } 6536 ::= { ipsecDialEntry 5 } 6537 6538 ipsecDialLocalNumber OBJECT-TYPE 6539 SYNTAX DisplayString (SIZE(0..63)) 6540 MAX-ACCESS read-write 6541 STATUS current 6542 DESCRIPTION 6543 "Local party number. Used for matching called party number on 6544 incoming calls and for calling party number on outgoing calls. 6545 The special value '*' is treated as a wildcard, i.e. calls with 6546 any called party number will be accepted. 6547 Default value is '*'." 6548 DEFVAL { "*" } 6549 ::= { ipsecDialEntry 6 } 6550 6551 ipsecDialLocalSubAddress OBJECT-TYPE 6552 SYNTAX OCTET STRING 6553 MAX-ACCESS read-write 6554 STATUS current 6555 DESCRIPTION 6556 "Local subaddress. Used for matching called party subaddress on 6557 incoming calls and for calling party subaddress on outgoing 6558 calls. 6559 The special value '*' is treated as a wildcard, i.e. calls with 6560 any called party subaddress (of arbitrary type) will be 6561 accepted. 6562 Default value is '*'." 6563 DEFVAL { "*" } 6564 ::= { ipsecDialEntry 7 } 6565 6566 ipsecDialTypeOfLocalSubAddr OBJECT-TYPE 6567 SYNTAX INTEGER { 6568 nsap(1), 6569 user-specified(2), 6570 reserved(3) 6571 } 6572 MAX-ACCESS read-write 6573 STATUS current 6574 DESCRIPTION 6575 "Type of local subaddress. Used for matching called party 6576 subaddress on incoming calls and for calling party subaddress 6577 on outgoing calls. The subaddress type is only checked as long as 6578 the subaddress is not '*'. 6579 Default value is nsap." 6580 DEFVAL { nsap } 6581 ::= { ipsecDialEntry 8 } 6582 6583 ipsecDialAdminStatus OBJECT-TYPE 6584 SYNTAX INTEGER { 6585 active(1), 6586 inactive(2) 6587 } 6588 MAX-ACCESS read-write 6589 STATUS current 6590 DESCRIPTION 6591 "Administrative status for the dial entry. This object allows for 6592 temporarily disabling ipsecDial entries without the need to 6593 actually delete them.
This is achieved by assigning value 6594 inactive. 6595 Default value is active." 6596 DEFVAL { active } 6597 ::= { ipsecDialEntry 9 } 6598 6599 ipsecDialOperStatus OBJECT-TYPE 6600 SYNTAX INTEGER { 6601 active(1), 6602 inactive(2), 6603 blocked-for-outgoing(3) 6604 } 6605 MAX-ACCESS read-only 6606 STATUS current 6607 DESCRIPTION 6608 "Operational status for dial entry. This object indicates 6609 current status ipsecDial entry is in. Beside values defined 6610 for ipsecDialAdminStatus, status blocked-for-outgoing is 6611 defined, which is used in case triggering call back resulted 6612 in a cost generating connected call to avoid unpredictably 6613 high phone bills." 6614 ::= { ipsecDialEntry 10 } 6615 6616-- End IPSec Dial Table 6617 6618-- XAUTH Profile Table 6619 6620 xauthProfileTable OBJECT-TYPE 6621 SYNTAX SEQUENCE OF XauthProfileEntry 6622 MAX-ACCESS not-accessible 6623 STATUS current 6624 DESCRIPTION 6625 "This table contains the list of XAUTH profiles." 6626 ::= { ipsec 18 } 6627 6628 xauthProfileEntry OBJECT-TYPE 6629 SYNTAX XauthProfileEntry 6630 MAX-ACCESS not-accessible 6631 STATUS current 6632 DESCRIPTION 6633 "This object contains an XAUTH profile." 6634 INDEX { 6635 xauthPrfIndex 6636 } 6637 ::= { xauthProfileTable 1 } 6638 6639 XauthProfileEntry ::= 6640 SEQUENCE { 6641 xauthPrfIndex Unsigned32, 6642 xauthPrfDescription DisplayString, 6643 xauthPrfRole INTEGER, 6644 xauthPrfMode INTEGER, 6645 xauthPrfAAAServerGroupId INTEGER, 6646 xauthPrfUserListGroupId INTEGER, 6647 xauthPrfTimeout INTEGER, 6648 xauthPrfAdminStatus INTEGER 6649 } 6650 6651 xauthPrfIndex OBJECT-TYPE 6652 SYNTAX Unsigned32 (1..4294967295) 6653 MAX-ACCESS read-write 6654 STATUS current 6655 DESCRIPTION 6656 "A unique index identifying this entry." 
6657 ::= { xauthProfileEntry 1 } 6658 6659 xauthPrfDescription OBJECT-TYPE 6660 SYNTAX DisplayString (SIZE (0..50)) 6661 MAX-ACCESS read-write 6662 STATUS current 6663 DESCRIPTION 6664 "An optional description for this profile, only used for 6665 descriptive purposes (max. 50 characters)." 6666 ::= { xauthProfileEntry 2 } 6667 6668 xauthPrfRole OBJECT-TYPE 6669 SYNTAX INTEGER { 6670 server(1), -- XAUTH server 6671 client(2) -- XAUTH client 6672 } 6673 MAX-ACCESS read-write 6674 STATUS current 6675 DESCRIPTION 6676 "This object specifies which role is chosen for this profile. 6677 Possible values: 6678 server(1) -- XAUTH is used and local device is the XAUTH server, 6679 i.e. this side requests extended authentication 6680 client(2) -- XAUTH is used and local device is the XAUTH client, 6681 i.e. this side responds with its extended 6682 authentication credentials 6683 " 6684 DEFVAL { server } 6685 ::= { xauthProfileEntry 3 } 6686 6687 xauthPrfMode OBJECT-TYPE 6688 SYNTAX INTEGER { 6689 local(1), -- 6690 radius(2) -- 6691 } 6692 MAX-ACCESS read-write 6693 STATUS current 6694 DESCRIPTION 6695 "This object specifies how the user data for authentication are obtained. 6696 Possible values: 6697 local(1), -- user data are configured locally in the entries 6698 of xauthUserListTable that are referenced by 6699 xauthPrfUserListGroupId 6700 radius(2) -- user data are configured at a RADIUS server; the RADIUS server 6701 is referenced by xauthPrfAAAServerGroupId, which 6702 corresponds to radiusSrvGroupId in radiusSrvTable. 6703 'radius' mode is only valid for the server role 6704 " 6705 DEFVAL { radius } 6706 ::= { xauthProfileEntry 4 } 6707 6708 xauthPrfAAAServerGroupId OBJECT-TYPE 6709 SYNTAX INTEGER 6710 MAX-ACCESS read-write 6711 STATUS current 6712 DESCRIPTION 6713 "This object specifies the group ID which is used for RADIUS 6714 authentication to find the associated server entry in 6715 radiusSrvTable for XAUTH. See description of radiusSrvGroupId for 6716 details.
6717 This object is only valid for entries with xauthPrfMode 'radius'." 6718 DEFVAL { 0 } 6719 ::= { xauthProfileEntry 5 } 6720 6721 xauthPrfUserListGroupId OBJECT-TYPE 6722 SYNTAX INTEGER (1..1000) 6723 MAX-ACCESS read-write 6724 STATUS current 6725 DESCRIPTION 6726 "This object refers to a group of one or more user entries in 6727 xauthUserListTable. 6728 This object is only valid for entries with xauthPrfMode 'local'." 6729 DEFVAL { 1 } 6730 ::= { xauthProfileEntry 6 } 6731 6732 xauthPrfTimeout OBJECT-TYPE 6733 SYNTAX INTEGER 6734 UNITS "seconds" 6735 MAX-ACCESS read-write 6736 STATUS obsolete 6737 DESCRIPTION 6738 "WARNING: this object is obsolete and must not be used." 6739 DEFVAL { 0 } 6740 ::= { xauthProfileEntry 7 } 6741 6742 xauthPrfAdminStatus OBJECT-TYPE 6743 SYNTAX INTEGER { enable(1), delete(2) } 6744 MAX-ACCESS read-write 6745 STATUS current 6746 DESCRIPTION 6747 "MIB entry deletion is performed by this object: 6748 - enable : enables the xauthProfileTable entry 6749 - delete : deletes the xauthProfileTable entry." 6750 DEFVAL { enable } 6751 ::= { xauthProfileEntry 8 } 6752 6753-- End XAUTH Profile Table 6754 6755-- XAUTH User List Table 6756 6757 xauthUserListTable OBJECT-TYPE 6758 SYNTAX SEQUENCE OF XauthUserListEntry 6759 MAX-ACCESS not-accessible 6760 STATUS current 6761 DESCRIPTION 6762 "This table contains the list of XAUTH users." 6763 ::= { ipsec 19 } 6764 6765 xauthUserListEntry OBJECT-TYPE 6766 SYNTAX XauthUserListEntry 6767 MAX-ACCESS not-accessible 6768 STATUS current 6769 DESCRIPTION 6770 "This object contains an XAUTH user."
6771 INDEX { 6772 xauthUserListIndex 6773 } 6774 ::= { xauthUserListTable 1 } 6775 6776 XauthUserListEntry ::= 6777 SEQUENCE { 6778 xauthUserListIndex INTEGER, 6779 xauthUserListGroupId INTEGER, 6780 xauthUserListName DisplayString, 6781 xauthUserListPassword DisplayString, 6782 xauthUserListPasswordData OCTET STRING, 6783 xauthUserListAdminStatus INTEGER 6784 } 6785 6786 xauthUserListIndex OBJECT-TYPE 6787 SYNTAX INTEGER 6788 MAX-ACCESS read-write 6789 STATUS current 6790 DESCRIPTION 6791 "A unique index identifying this entry." 6792 ::= { xauthUserListEntry 1 } 6793 6794 xauthUserListGroupId OBJECT-TYPE 6795 SYNTAX INTEGER (1..1000) 6796 MAX-ACCESS read-write 6797 STATUS current 6798 DESCRIPTION 6799 "ID for creating logical groups of XAUTH users." 6800 DEFVAL { 1 } 6801 ::= { xauthUserListEntry 2 } 6802 6803 xauthUserListName OBJECT-TYPE 6804 SYNTAX DisplayString (SIZE(1..63)) 6805 MAX-ACCESS read-write 6806 STATUS current 6807 DESCRIPTION 6808 "This object specifies the user name." 6809 ::= { xauthUserListEntry 3 } 6810 6811 xauthUserListPassword OBJECT-TYPE 6812 SYNTAX DisplayString (SIZE(0..63)) 6813 MAX-ACCESS read-write 6814 STATUS current 6815 DESCRIPTION 6816 "This object specifies the user's password. 6817 This field serves only as a write-only input field: its contents 6818 are replaced with a single asterisk immediately after it is set, 6818 so the password can never be read back through this object." 6819 ::= { xauthUserListEntry 4 } 6820 6821 xauthUserListPasswordData OBJECT-TYPE 6822 SYNTAX OCTET STRING 6823 MAX-ACCESS not-accessible 6824 STATUS current 6825 DESCRIPTION 6826 "Field used for storing the user's password permanently. 6826 It is not accessible via SNMP." 6827 ::= { xauthUserListEntry 5 } 6828 6829 xauthUserListAdminStatus OBJECT-TYPE 6830 SYNTAX INTEGER { enable(1), delete(2) } 6831 MAX-ACCESS read-write 6832 STATUS current 6833 DESCRIPTION 6834 "MIB entry deletion is performed by this object: 6835 - enable : enables xauthUserListTable entry 6836 - delete : deletes xauthUserListTable entry."
6837 DEFVAL { enable } 6838 ::= { xauthUserListEntry 6 } 6839 6840-- End IPSec XAUTH User Table 6841 6842-- IPSecPeerTraffic Table 6843 6844 ipsecPeerTrafficTable OBJECT-TYPE 6845 SYNTAX SEQUENCE OF IpsecPeerTrafficEntry 6846 MAX-ACCESS not-accessible 6847 STATUS current 6848 DESCRIPTION 6849 "This table contains peer related lists of traffic permitted 6850 for Phase 2 negotiation. Note that all entries in this table 6851 are optional; in the default case (no entries) 6852 no restriction will take place." 6853 ::= { ipsec 29 } 6854 6855 ipsecPeerTrafficEntry OBJECT-TYPE 6856 SYNTAX IpsecPeerTrafficEntry 6857 MAX-ACCESS not-accessible 6858 STATUS current 6859 DESCRIPTION 6860 "This table contains peer related lists of traffic permitted 6861 for Phase 2 negotiation. Note that all entries in this table 6862 are optional; in the default case (no entries) 6863 no restriction will take place." 6864 INDEX { 6865 ipsecPeerTrafficIfindex, ipsecPeerTrafficLocalAddress, 6866 ipsecPeerTrafficRemoteAddress 6867 } 6868 ::= { ipsecPeerTrafficTable 1 } 6869 6870 IpsecPeerTrafficEntry ::= 6871 SEQUENCE { 6872 ipsecPeerTrafficIfindex INTEGER, 6873 ipsecPeerTrafficDescription DisplayString, 6874 ipsecPeerTrafficLocalAddress IpAddress, 6875 ipsecPeerTrafficLocalMask IpAddress, 6876 ipsecPeerTrafficLocalPort INTEGER, 6877 ipsecPeerTrafficLocalPortRange INTEGER, 6878 ipsecPeerTrafficRemoteAddress IpAddress, 6879 ipsecPeerTrafficRemoteMask IpAddress, 6880 ipsecPeerTrafficRemotePort INTEGER, 6881 ipsecPeerTrafficRemotePortRange INTEGER, 6882 ipsecPeerTrafficProtocol INTEGER, 6883 ipsecPeerTrafficPolicy INTEGER 6884-- ipsecPeerTrafficAction INTEGER 6885 } 6886 6887 ipsecPeerTrafficIfindex OBJECT-TYPE 6888 SYNTAX INTEGER 6889 MAX-ACCESS read-write 6890 STATUS current 6891 DESCRIPTION 6892 "The interface index of the peer this traffic entry belongs to. 6892 Together with ipsecPeerTrafficLocalAddress and 6892 ipsecPeerTrafficRemoteAddress it forms the index of this entry."
6893 ::= { ipsecPeerTrafficEntry 1 } 6894 6895 ipsecPeerTrafficDescription OBJECT-TYPE 6896 SYNTAX DisplayString 6897 MAX-ACCESS read-write 6898 STATUS current 6899 DESCRIPTION 6900 "An optional human readable description for this entry." 6901 ::= { ipsecPeerTrafficEntry 2 } 6902 6903 ipsecPeerTrafficLocalAddress OBJECT-TYPE 6904 SYNTAX IpAddress 6905 MAX-ACCESS read-write 6906 STATUS current 6907 DESCRIPTION 6908 "The local IP-address of this entry. It may be 6909 either a single address or a network address (in 6910 combination with ipsecPeerTrafficLocalMask)." 6911 ::= { ipsecPeerTrafficEntry 3 } 6912 6913 ipsecPeerTrafficLocalMask OBJECT-TYPE 6914 SYNTAX IpAddress 6915 MAX-ACCESS read-write 6916 STATUS current 6917 DESCRIPTION 6918 "The network mask for a local network." 6919 ::= { ipsecPeerTrafficEntry 4 } 6920 6921 ipsecPeerTrafficLocalPort OBJECT-TYPE 6922 SYNTAX INTEGER (-1..65535) 6923 MAX-ACCESS read-write 6924 STATUS current 6925 DESCRIPTION 6926 "The local port defined for this entry." 6927 DEFVAL { -1 } 6928 ::= { ipsecPeerTrafficEntry 5 } 6929 6930 ipsecPeerTrafficLocalPortRange OBJECT-TYPE 6931 SYNTAX INTEGER (0..65534) 6932 MAX-ACCESS read-write 6933 STATUS current 6934 DESCRIPTION 6935 "The local port range defined for this entry." 6936 DEFVAL { 1 } 6937 ::= { ipsecPeerTrafficEntry 6 } 6938 6939 ipsecPeerTrafficRemoteAddress OBJECT-TYPE 6940 SYNTAX IpAddress 6941 MAX-ACCESS read-write 6942 STATUS current 6943 DESCRIPTION 6944 "The remote IP-address of this entry. It may be 6945 either a single address or a network address (in 6946 combination with ipsecPeerTrafficRemoteMask)." 6947 ::= { ipsecPeerTrafficEntry 7 } 6948 6949 ipsecPeerTrafficRemoteMask OBJECT-TYPE 6950 SYNTAX IpAddress 6951 MAX-ACCESS read-write 6952 STATUS current 6953 DESCRIPTION 6954 "The network mask for a remote network."
6955 ::= { ipsecPeerTrafficEntry 8 } 6956 6957 ipsecPeerTrafficRemotePort OBJECT-TYPE 6958 SYNTAX INTEGER (-1..65535) 6959 MAX-ACCESS read-write 6960 STATUS current 6961 DESCRIPTION 6962 "The remote UDP/TCP port defined for this entry." 6963 DEFVAL { -1 } 6964 ::= { ipsecPeerTrafficEntry 9 } 6965 6966 ipsecPeerTrafficRemotePortRange OBJECT-TYPE 6967 SYNTAX INTEGER (0..65534) 6968 MAX-ACCESS read-write 6969 STATUS current 6970 DESCRIPTION 6971 "The remote UDP/TCP port range defined for this entry." 6972 DEFVAL { 1 } 6973 ::= { ipsecPeerTrafficEntry 10 } 6974 6975 ipsecPeerTrafficProtocol OBJECT-TYPE 6976 SYNTAX INTEGER { 6977 icmp(1), 6978 igmp(2), 6979 ggp(3), 6980 ipip(4), 6981 st(5), 6982 tcp(6), 6983 cbt(7), 6984 egp(8), 6985 igp(9), 6986 bbn(10), 6987 nvp(11), 6988 pup(12), 6989 argus(13), 6990 emcon(14), 6991 xnet(15), 6992 chaos(16), 6993 udp(17), 6994 mux(18), 6995 dcn(19), 6996 hmp(20), 6997 prm(21), 6998 xns(22), 6999 trunk1(23), 7000 trunk2(24), 7001 leaf1(25), 7002 leaf2(26), 7003 rdp(27), 7004 irtp(28), 7005 isotp4(29), 7006 netblt(30), 7007 mfe(31), 7008 merit(32), 7009 sep(33), 7010 pc3(34), 7011 idpr(35), 7012 xtp(36), 7013 ddp(37), 7014 idprc(38), 7015 tp(39), 7016 il(40), 7017 ipv6(41), 7018 sdrp(42), 7019 ipv6route(43), 7020 ipv6frag(44), 7021 idrp(45), 7022 rsvp(46), 7023 gre(47), 7024 mhrp(48), 7025 bna(49), 7026 esp(50), 7027 ah(51), 7028 inlsp(52), 7029 swipe(53), 7030 narp(54), 7031 mobile(55), 7032 tlsp(56), 7033 skip(57), 7034 ipv6icmp(58), 7035 ipv6nonxt(59), 7036 ipv6opts(60), 7037 ipproto-61(61), 7038 cftp(62), 7039 local(63), 7040 sat(64), 7041 kryptolan(65), 7042 rvd(66), 7043 ippc(67), 7044 distfs(68), 7045 satmon(69), 7046 visa(70), 7047 ipcv(71), 7048 cpnx(72), 7049 cphb(73), 7050 wsn(74), 7051 pvp(75), 7052 brsatmon(76), 7053 sunnd(77), 7054 wbmon(78), 7055 wbexpak(79), 7056 isoip(80), 7057 vmtp(81), 7058 securevmtp(82), 7059 vines(83), 7060 ttp(84), 7061 nsfnet(85), 7062 dgp(86), 7063 tcf(87), 7064 eigrp(88), 7065 ospfigp(89), 
7066 sprite(90), 7067 larp(91), 7068 mtp(92), 7069 ax25(93), 7070 ipwip(94), 7071 micp(95), 7072 scc(96), 7073 etherip(97), 7074 encap(98), 7075 encrypt(99), 7076 gmtp(100), 7077 ifmp(101), 7078 pnni(102), 7079 pim(103), 7080 aris(104), 7081 scps(105), 7082 qnx(106), 7083 an(107), 7084 ippcp(108), 7085 snp(109), 7086 compaq(110), 7087 ipxip(111), 7088 vrrp(112), 7089 pgm(113), 7090 hop0(114), 7091 l2tp(115), 7092 ipproto-116(116), 7093 ipproto-117(117), 7094 ipproto-118(118), 7095 ipproto-119(119), 7096 ipproto-120(120), 7097 ipproto-121(121), 7098 ipproto-122(122), 7099 ipproto-123(123), 7100 ipproto-124(124), 7101 ipproto-125(125), 7102 ipproto-126(126), 7103 ipproto-127(127), 7104 ipproto-128(128), 7105 ipproto-129(129), 7106 ipproto-130(130), 7107 ipproto-131(131), 7108 ipproto-132(132), 7109 ipproto-133(133), 7110 ipproto-134(134), 7111 ipproto-135(135), 7112 ipproto-136(136), 7113 ipproto-137(137), 7114 ipproto-138(138), 7115 ipproto-139(139), 7116 ipproto-140(140), 7117 ipproto-141(141), 7118 ipproto-142(142), 7119 ipproto-143(143), 7120 ipproto-144(144), 7121 ipproto-145(145), 7122 ipproto-146(146), 7123 ipproto-147(147), 7124 ipproto-148(148), 7125 ipproto-149(149), 7126 ipproto-150(150), 7127 ipproto-151(151), 7128 ipproto-152(152), 7129 ipproto-153(153), 7130 ipproto-154(154), 7131 ipproto-155(155), 7132 ipproto-156(156), 7133 ipproto-157(157), 7134 ipproto-158(158), 7135 ipproto-159(159), 7136 ipproto-160(160), 7137 ipproto-161(161), 7138 ipproto-162(162), 7139 ipproto-163(163), 7140 ipproto-164(164), 7141 ipproto-165(165), 7142 ipproto-166(166), 7143 ipproto-167(167), 7144 ipproto-168(168), 7145 ipproto-169(169), 7146 ipproto-170(170), 7147 ipproto-171(171), 7148 ipproto-172(172), 7149 ipproto-173(173), 7150 ipproto-174(174), 7151 ipproto-175(175), 7152 ipproto-176(176), 7153 ipproto-177(177), 7154 ipproto-178(178), 7155 ipproto-179(179), 7156 ipproto-180(180), 7157 ipproto-181(181), 7158 ipproto-182(182), 7159 ipproto-183(183), 7160 ipproto-184(184), 
7161 ipproto-185(185), 7162 ipproto-186(186), 7163 ipproto-187(187), 7164 ipproto-188(188), 7165 ipproto-189(189), 7166 ipproto-190(190), 7167 ipproto-191(191), 7168 ipproto-192(192), 7169 ipproto-193(193), 7170 ipproto-194(194), 7171 ipproto-195(195), 7172 ipproto-196(196), 7173 ipproto-197(197), 7174 ipproto-198(198), 7175 ipproto-199(199), 7176 ipproto-200(200), 7177 ipproto-201(201), 7178 ipproto-202(202), 7179 ipproto-203(203), 7180 ipproto-204(204), 7181 ipproto-205(205), 7182 ipproto-206(206), 7183 ipproto-207(207), 7184 ipproto-208(208), 7185 ipproto-209(209), 7186 ipproto-210(210), 7187 ipproto-211(211), 7188 ipproto-212(212), 7189 ipproto-213(213), 7190 ipproto-214(214), 7191 ipproto-215(215), 7192 ipproto-216(216), 7193 ipproto-217(217), 7194 ipproto-218(218), 7195 ipproto-219(219), 7196 ipproto-220(220), 7197 ipproto-221(221), 7198 ipproto-222(222), 7199 ipproto-223(223), 7200 ipproto-224(224), 7201 ipproto-225(225), 7202 ipproto-226(226), 7203 ipproto-227(227), 7204 ipproto-228(228), 7205 ipproto-229(229), 7206 ipproto-230(230), 7207 ipproto-231(231), 7208 ipproto-232(232), 7209 ipproto-233(233), 7210 ipproto-234(234), 7211 ipproto-235(235), 7212 ipproto-236(236), 7213 ipproto-237(237), 7214 ipproto-238(238), 7215 ipproto-239(239), 7216 ipproto-240(240), 7217 ipproto-241(241), 7218 ipproto-242(242), 7219 ipproto-243(243), 7220 ipproto-244(244), 7221 ipproto-245(245), 7222 ipproto-246(246), 7223 ipproto-247(247), 7224 ipproto-248(248), 7225 ipproto-249(249), 7226 ipproto-250(250), 7227 ipproto-251(251), 7228 ipproto-252(252), 7229 ipproto-253(253), 7230 ipproto-254(254), 7231 dont-verify(256) 7232 } 7233 MAX-ACCESS read-write 7234 STATUS current 7235 DESCRIPTION 7236 "The transport protocol defined for this entry." 
7237 DEFVAL { dont-verify } 7238 ::= { ipsecPeerTrafficEntry 11 } 7239 7240 ipsecPeerTrafficPolicy OBJECT-TYPE 7241 SYNTAX INTEGER { 7242 delete(1), -- delete this entry 7243 role-initiator(2), -- P2 initiator mode traffic policy 7244 role-responder(3), -- P2 responder mode traffic policy 7245 both(4) -- P2 initiator as well as responder traffic policy 7246 } 7247 MAX-ACCESS read-write 7248 STATUS current 7249 DESCRIPTION 7250 "This object specifies whether this traffic policy is applied 7251 when acting as Phase 2 initiator, as Phase 2 responder, or in both roles. 7252 Possible values: 7253 delete(1) -- delete this entry 7254 role-initiator(2) -- P2 initiator mode traffic policy 7255 role-responder(3) -- P2 responder mode traffic policy 7256 both(4) -- P2 initiator as well as responder 7257 traffic policy." 7258 DEFVAL { role-initiator } 7259 ::= { ipsecPeerTrafficEntry 12 } 7260 7261-- End IPSecPeerTraffic Table 7262 7263END 7264