-- This file is corresponding to Release 6.1.2.100 from 2001/09/26 00:00:00 -- (C)opyright 1999 BinTec Communications AG -- $RCSfile: mibipsec,v $ -- $Revision: 1.23 $ BIANCA-BRICK-IPSEC-MIB DEFINITIONS ::= BEGIN IMPORTS IpAddress, Counter, TimeTicks FROM RFC1155-SMI OBJECT-TYPE FROM RFC-1212; org OBJECT IDENTIFIER ::= { iso 3 } dod OBJECT IDENTIFIER ::= { org 6 } internet OBJECT IDENTIFIER ::= { dod 1 } private OBJECT IDENTIFIER ::= { internet 4 } enterprises OBJECT IDENTIFIER ::= { private 1 } bintec OBJECT IDENTIFIER ::= { enterprises 272 } bibo OBJECT IDENTIFIER ::= { bintec 4 } -- textual conventions DisplayString ::= OCTET STRING -- This data type is used to model textual information taken -- from the NVT ASCII character set. By convention, objects -- with this syntax are declared as having -- -- SIZE (0..255) HexValue ::= INTEGER -- Management Information for the IPSec Subsystem of the BIANCA/BRICK, ipsec OBJECT IDENTIFIER ::= { bibo 26 } -- Global IPSec Settings ipsecGlobals OBJECT IDENTIFIER ::= { ipsec 1 } --Static table containing global settings for IPSec ipsecGlobPeerIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of first IPsec peer in ipsecPeerTable. If this object is set to a Value <= 0, IPSec is switched explicitly off. If the peer referenced by this object does not exist in the table, all packets will be dropped." ::= { ipsecGlobals 1 } ipsecGlobDefaultAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4) -- Authentication using RSA encryption } ACCESS read-write STATUS mandatory DESCRIPTION "The authentication method used by default. If the ipsecPeerAuthMethod field of an ipsecPeerEntry is set to 'default', this value is assumed. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4) -- Authentication using RSA encryption." ::= { ipsecGlobals 2 } ipsecGlobDefaultCertificate OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the default certificate in the certTable used for local authentication for ike keyed rules with non pre-shared-key authentication. This may be overwritten by the certificate specified for the individual ipsec peers." ::= { ipsecGlobals 3 } ipsecGlobDefaultLocalId OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "The default ID used for local authentication for ike keyed rules. If this is an empty or invaid id string one of the subject alternative names or the subject name from the default certificate is used. This does not relpace an empty local id string for an IPsec peer with a valid certificate. The subject name or one of the subject alternative names from this certificate is used then" ::= { ipsecGlobals 4 } ipsecGlobDefaultIpsecProposal OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of default ipsec proposal used for traffic entries with empty ipsec proposal, defined for peers with empty default ipsec proposal." ::= { ipsecGlobals 5 } ipsecGlobDefaultIkeProposal OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of default ike proposal used for peers with empty default ike proposal." ::= { ipsecGlobals 6 } ipsecGlobDefaultIpsecLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of default lifetime for ike SA's in ipsecLifeTimeTable. This lifetime is used, when there is no valid lifetime entry specified for an IPsec peer entry." ::= { ipsecGlobals 7 } ipsecGlobDefaultIkeLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of default lifetime for ipsec SA's in ipsecLifeTimeTable. This lifetime is used, when there is no valid lifetime entry specified for an IPsec SA, its traffic entry and its peer entry." ::= { ipsecGlobals 8 } ipsecGlobDefaultIkeGroup OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of default IKE group used for peer entries with empty or invalid ike group. Possible values: 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP)." ::= { ipsecGlobals 9 } ipsecGlobMaxSysLogLevel OBJECT-TYPE SYNTAX INTEGER { emerg(1), alert(2), crit(3), err(4), warning(5), notice(6), info(7), debug(8) } ACCESS read-write STATUS mandatory DESCRIPTION "Maximum level for syslog messages issued by IPSec. All messages with a level higher than this value are suppressed, independently from other global syslog level settings. Possible settings: emerg(1), alert(2), crit(3), err(4), warning(5), notice(6), info(7), debug(8)." ::= { ipsecGlobals 10 } ipsecGlobDefaultGranularity OBJECT-TYPE SYNTAX INTEGER { coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the default granularity used for IPSEC SA negotiation. Possible values: coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host." ::= { ipsecGlobals 11 } ipsecGlobDefaultPh1Mode OBJECT-TYPE SYNTAX INTEGER { id-protect(1), -- Use identity protection (main) mode aggressive(2) -- Use aggressive mode } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the default exchange mode used for IKE SA negotiation. Possible values: id-protect(1), -- Use identity protection (main) mode aggressive(2) -- Use aggressive mode." ::= { ipsecGlobals 12 } ipsecGlobDefaultPfsGroup OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the PFS group to use. PFS is done only for phase 2, i.e. the Phase 1 SAs are not deleted after phase 2 negotiation is completed. Note however, that if the peer has configured PFS for identity and destroys phase 1 SAs, this side will also destroy them when notified. Possible values: 0 (no PFS) 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP)." ::= { ipsecGlobals 13 } ipsecGlobIkePort OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the port the IKE key management service listens to." ::= { ipsecGlobals 20 } ipsecGlobMaxRetries OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the maximum number of retries sent by IKE for one message." ::= { ipsecGlobals 21 } ipsecGlobRetryTimeout0milli OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the period of time in milliseconds before an IKE message is repeated for the first time if the answer is missing. After each retry, this timeout is increased up to the value specified in ipsecGlobRetryTimeoutMaxsec." ::= { ipsecGlobals 22 } ipsecGlobRetryTimeoutMaxsec OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the maximum period of time in seconds before an IKE message is repeated if the answer is missing. The retry timeout is not increased beyond this limit." ::= { ipsecGlobals 23 } ipsecGlobMaxNegotiationTimeoutsec OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the maximum number of seconds after which a negotiation is canceled if it is not finished." ::= { ipsecGlobals 24 } ipsecGlobMaxIkeSas OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the maximum number of simultaneous ISAKMP Security associations allowed. If this limit is reached, the entries are removed from the database, starting with the ones that will expire very soon. If that is not enough, the entries are deleted in reverse LRU order." ::= { ipsecGlobals 25 } ipsecGlobAntiCloggingLength OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the length in bits of the local secret used for ISAKMP anti-clogging cookies." ::= { ipsecGlobals 26 } ipsecGlobAntiCloggingHash OBJECT-TYPE SYNTAX INTEGER { md5(3), -- MD5 hash algorithm sha1(4) -- SHA hash algorithm } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the algorithm which is used for creating anti-clogging-tokens. Possible values: md5(3), -- MD5 hash algorithm sha1(4) -- SHA hash algorithm." ::= { ipsecGlobals 27 } ipsecGlobLocalSecretPeriodsec OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the period of time in seconds after which a new secret for creating local anti-clogging tokens is created. The previous secret is remembered, so that the anti-clogging tokens created with the previous secret are also recognized as valid. After the local secret is recreated again, the old tokens are not recognized anymore and all IKE packets belonging to the old security associations are discarded. This means that the maximum lifetime of an ISAKMP SA is twice the value of this timer." ::= { ipsecGlobals 28 } ipsecGlobIgnoreCrPayloads OBJECT-TYPE SYNTAX INTEGER { true(1), -- ignore all certificate requests false(2) -- process certificate request payloads } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether certificate request payloads should be ignored by IKE. Possible values: true(1), -- ignore all certificate requests false(2) -- process certificate request payloads." ::= { ipsecGlobals 29 } ipsecGlobNoCrPayloads OBJECT-TYPE SYNTAX INTEGER { true(1), -- suppress certificate requests false(2) -- send certificate requests } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE should suppress certificate requests. Possible values: true(1), -- suppress certificate requests false(2) -- send certificate requests." ::= { ipsecGlobals 30 } ipsecGlobNoKeyHashPayloads OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not send key hash payloads false(2) -- send key hash payloads } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE should suppress key hash payloads. Possible values: true(1), -- suppress key hash payloads false(2) -- send key hash payloads." ::= { ipsecGlobals 31 } ipsecGlobNoCrls OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not send certificate revocation lists false(2) -- send certificate revocation lists } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE should send certificate revocation lists. Possible values: true(1), -- do not send certificate revocation lists false(2) -- send certificate revocation lists." ::= { ipsecGlobals 32 } ipsecGlobSendFullCertChains OBJECT-TYPE SYNTAX INTEGER { true(1), -- send full certificate chains false(2) -- do not send full certificate chains } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE should send full certificate chains. Possible values: true(1), -- send full certificate chains false(2) -- do not send full certificate chains." ::= { ipsecGlobals 33 } ipsecGlobTrustIcmpMsg OBJECT-TYPE SYNTAX INTEGER { true(1), -- trust ICMP messages false(2) -- do not trust ICMP messages } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE should trust icmp port and host unreachable error messages. ICMP port and host unreachable messages are only trusted if there have not yet been received any datagrams from the remote host in this negotiation. This means, if the local side receives an ICMP port or host unreachable message as the first response to the initial packet of a new phase 1 negotiation, it cancels the negotiation immediately. Possible values: true(1), -- trust ICMP messages false(2) -- do not trust ICMP messages." ::= { ipsecGlobals 34 } ipsecGlobSpiSize OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "A compatibility flag that specifies the length of the SPI in bytes, which is used when an ISAKMP SA SPI (Cookie) is sent to the remote peer. This field takes effect only if ipsecGlobZeroIsakmpCookies is true." ::= { ipsecGlobals 35 } ipsecGlobZeroIsakmpCookies OBJECT-TYPE SYNTAX INTEGER { true(1), -- send zero cookies in ISAKMP messages false(2) -- send ISAKMP cookies } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether zeroed ISAKMP cookies should be sent. Possible Values: true(1), -- send zero cookies in ISAKMP messages false(2) -- send ISAKMP cookies." ::= { ipsecGlobals 36 } ipsecGlobMaxKeyLength OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the maximum length of an encryption key (in bits) that is accepted from the remote end. This limit prevents denial of service attacks where the attacker asks for a huge key for an encryption algorithm that allows variable length keys." ::= { ipsecGlobals 37 } ipsecGlobNoInitialContact OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not send initial contact messages false(2) -- send initial contact messages if appropriate } ACCESS read-write STATUS mandatory DESCRIPTION "Do not send IKE initial contact messages in IKE negotiations even if no SA's exist with a peer. Possible values: true(1), -- do not send initial contact messages false(2) -- send initial comntact messages if appropriate." ::= { ipsecGlobals 38 } -- End Global IPSec Settings -- Second Table With Global IPSec Settings ipsecGlobalsContinued OBJECT IDENTIFIER ::= { ipsec 11 } -- Second static table containing global settings for IPSec ipsecGlobContPreIpsecRules OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies an index in the IPsec traffic table containing a list of traffic definitions which has to be considered prior to the traffic lists of the IPSec peers in IPSec traffic processing. It may contain either pass or drop entries (protect entries are ignored, if erroneously configured)." ::= { ipsecGlobalsContinued 1 } ipsecGlobContDefaultRule OBJECT-TYPE SYNTAX INTEGER { drop(1), -- drop all packets pass(2) -- allow all packets pass plain } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies how to treat packets which do not match any entry in the traffic lists of the active peers. Possible values: drop(1), -- drop all packets pass(2) -- allow all packets pass plain." ::= { ipsecGlobalsContinued 2 } -- End Second Table With Global IPSec Settings -- Public Key Table ipsecPublicKeyTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecPubKeyEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of public key pairs and ID's used with IPSec." ::= { ipsec 2 } ipsecPubKeyEntry OBJECT-TYPE SYNTAX IpsecPubKeyEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains a key pair for a certain public key algorithm and the ids used together with this key." INDEX { ipsecPubKeyAlgorithm, ipsecPubKeyKeyLength } ::= { ipsecPublicKeyTable 1 } IpsecPubKeyEntry ::= SEQUENCE { ipsecPubKeyIndex INTEGER, ipsecPubKeyDescription DisplayString, ipsecPubKeyAlgorithm INTEGER, ipsecPubKeyKeyLength INTEGER } ipsecPubKeyIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index for this entry." ::= { ipsecPubKeyEntry 1 } ipsecPubKeyDescription OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "An optional description for this key." ::= { ipsecPubKeyEntry 2 } ipsecPubKeyAlgorithm OBJECT-TYPE SYNTAX INTEGER { rsa(2), -- The RSA encryption algorithm dsa(3) -- The digital signature algorithm } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies the algorithm for which the key is used. Possible values: rsa(2), -- The RSA encryption algorithm dsa(3) -- The digital signature algorithm." ::= { ipsecPubKeyEntry 3 } ipsecPubKeyKeyLength OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The size of the public and private keys in bits." ::= { ipsecPubKeyEntry 4 } -- End Public Key Table -- IPSec Security Associations Table ipsecSaTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecSaEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of currently active IPSec security associations." ::= { ipsec 3 } ipsecSaEntry OBJECT-TYPE SYNTAX IpsecSaEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains an IPSec security association." INDEX { ipsecSaIndex } ::= { ipsecSaTable 1 } IpsecSaEntry ::= SEQUENCE { ipsecSaIndex INTEGER, ipsecSaState INTEGER, ipsecSaCreator INTEGER, ipsecSaDir INTEGER, ipsecSaMode INTEGER, ipsecSaSecProto INTEGER, ipsecSaPeerIp IpAddress, ipsecSaLocalIp IpAddress, ipsecSaSrcAddress IpAddress, ipsecSaSrcMaskLen INTEGER, ipsecSaSrcRange IpAddress, ipsecSaDstAddress IpAddress, ipsecSaDstMaskLen INTEGER, ipsecSaDstRange IpAddress, ipsecSaPeerIp IpAddress, ipsecSaSpi HexValue, ipsecSaAuthAlg INTEGER, ipsecSaEncAlg INTEGER, ipsecSaAuthKeyLen INTEGER, ipsecSaEncKeyLen INTEGER, ipsecSaLifeKBytes INTEGER, ipsecSaLifeSeconds INTEGER, ipsecSaProto INTEGER, ipsecSaSrcPort INTEGER, ipsecSaDstPort INTEGER, ipsecSaSeconds INTEGER, ipsecSaBytes INTEGER, ipsecSaPackets INTEGER, ipsecSaReplayErrors INTEGER, ipsecSaRecvErrors INTEGER, ipsecSaDecryptErrors INTEGER } ipsecSaIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index for this entry." ::= { ipsecSaEntry 1 } ipsecSaState OBJECT-TYPE SYNTAX INTEGER { alive(1), -- The SA is alive and will eventually be rekeyed expired(2), -- The SA is expired and will not be rekeyed delete (3) -- mark this sa for deletion } ACCESS read-write STATUS mandatory DESCRIPTION "The current state of the security association Possible values: alive(1), -- The SA is alive and will eventually be rekeyed expired(2), -- The SA is expired and will not be rekeyed delete (3) -- mark this sa for deletion." ::= { ipsecSaEntry 3 } ipsecSaCreator OBJECT-TYPE SYNTAX INTEGER { manual(1), -- A manually keyed IPSec SA ike(2) -- An automatically keyed SA created by IKE } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies how the SA was created Possible values: manual(1), -- A manually keyed IPSec SA ike(2) -- An automatically keyed SA created by IKE." ::= { ipsecSaEntry 4 } ipsecSaDir OBJECT-TYPE SYNTAX INTEGER { inbound(1), -- An inbound security association outbound(2) -- An outbound security association } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies whether the SA is used for inbound or outbound processing. Possible values: inbound(1), -- An inbound security association outbound(2) -- An outbound security association." ::= { ipsecSaEntry 5 } ipsecSaMode OBJECT-TYPE SYNTAX INTEGER { tunnel(1), -- A tunnel mode SA transport(2) -- A transport mode SA } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies whether the SA is in tunnel or transport mode. Possible values: tunnel(1), -- A tunnel mode SA transport(2) -- A transport mode SA." ::= { ipsecSaEntry 6 } ipsecSaSecProto OBJECT-TYPE SYNTAX INTEGER { esp(50), -- Encapsulating Security Payload ah(51), -- Authentication Header ipcomp(108) -- Internet Payload Compression Protocol } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies the security protocol applied by this SA. Possible values: esp(50), -- Encapsulating Security Payload ah(51), -- Authentication Header ipcomp(108) -- Internet Payload Compression Protocol." ::= { ipsecSaEntry 7 } ipsecSaLocalIp OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The local IP address of the outer packet header. For transport mode SAs, this address is the same as the ipsecSaSrcAddress." ::= { ipsecSaEntry 8 } ipsecSaPeerIp OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The destination IP address of the outer packet header. For transport mode SAs, this address is the same as the ipsecSaDstAddress." ::= { ipsecSaEntry 9 } ipsecSaSrcAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The address of the source network this SA covers (if the SrcRange field is nonzero, this is the first address of a range of addresses)." ::= { ipsecSaEntry 10 } ipsecSaSrcMaskLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The mask length of the source network this SA covers (only meaningful, if the SrcRange field is zero)." ::= { ipsecSaEntry 11 } ipsecSaSrcRange OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The last address of a range of source addresses (starting with SrcAddress) this SA covers. Overrides SrcMaskLen." ::= { ipsecSaEntry 12 } ipsecSaDstAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The address of the destination network this SA covers (if the DstRange field is nonzero, this is the first address of a range of addresses)." ::= { ipsecSaEntry 13 } ipsecSaDstMaskLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The mask length of the destination network this SA covers (only meaningful, if the DstRange field is zero)." ::= { ipsecSaEntry 14 } ipsecSaDstRange OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The last address of a range of destination addresses (starting with DstAddress) this SA covers. Overrides DstMaskLen." ::= { ipsecSaEntry 15 } ipsecSaSpi OBJECT-TYPE SYNTAX HexValue ACCESS read-only STATUS mandatory DESCRIPTION "The Security Parameters Index of this SA." ::= { ipsecSaEntry 17 } ipsecSaAuthAlg OBJECT-TYPE SYNTAX INTEGER { none(2), -- No hash algorithm md5-96(4), -- The MD5 hash algorithm sha1-96(6) -- The Secure Hash Algorithm } ACCESS read-only STATUS mandatory DESCRIPTION "The hash algorithm used, if any. Possible Values: none(2), -- No hash algorithm applied md5-96(4), -- The MD5 hash algorithm sha1-96(6) -- The Secure Hash Algorithm." ::= { ipsecSaEntry 18 } ipsecSaEncAlg OBJECT-TYPE SYNTAX INTEGER { none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4), -- Blowfish in CBC mode cast128-cbc(5) -- CAST with 128 bit key in CBC mode } ACCESS read-only STATUS mandatory DESCRIPTION "The encryption algorithm used, if any. Possible Values: none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4), -- Blowfish in CBC mode cast128-cbc(5) -- CAST with 128 bit key in CBC mode." ::= { ipsecSaEntry 19 } ipsecSaAuthKeyLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The length of the key used for authentication, if any." ::= { ipsecSaEntry 21 } ipsecSaEncKeyLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The length of the key used for encryption, if any." ::= { ipsecSaEntry 22 } ipsecSaLifeSeconds OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The period in seconds after which this SA will be destroyed." ::= { ipsecSaEntry 25 } ipsecSaLifeKBytes OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The amount of data allowed to be protected by this SA until it is destroyed." ::= { ipsecSaEntry 26 } ipsecSaProto OBJECT-TYPE SYNTAX INTEGER { icmp(1), igmp(2), ggp(3), ipip(4), st(5), tcp(6), cbt(7), egp(8), igp(9), bbn(10), nvp(11), pup(12), argus(13), emcon(14), xnet(15), chaos(16), udp(17), mux(18), dcn(19), hmp(20), prm(21), xns(22), trunk1(23), trunk2(24), leaf1(25), leaf2(26), rdp(27), irtp(28), isotp4(29), netblt(30), mfe(31), merit(32), sep(33), pc3(34), idpr(35), xtp(36), ddp(37), idprc(38), tp(39), il(40), ipv6(41), sdrp(42), ipv6route(43), ipv6frag(44), idrp(45), rsvp(46), gre(47), mhrp(48), bna(49), esp(50), ah(51), inlsp(52), swipe(53), narp(54), mobile(55), tlsp(56), skip(57), ipv6icmp(58), ipv6nonxt(59), ipv6opts(60), ipproto-61(61), cftp(62), local(63), sat(64), kryptolan(65), rvd(66), ippc(67), distfs(68), satmon(69), visa(70), ipcv(71), cpnx(72), cphb(73), wsn(74), pvp(75), brsatmon(76), sunnd(77), wbmon(78), wbexpak(79), isoip(80), vmtp(81), securevmtp(82), vines(83), ttp(84), nsfnet(85), dgp(86), tcf(87), eigrp(88), ospfigp(89), sprite(90), larp(91), mtp(92), ax25(93), ipwip(94), micp(95), scc(96), etherip(97), encap(98), encrypt(99), gmtp(100), ifmp(101), pnni(102), pim(103), aris(104), scps(105), qnx(106), an(107), ippcp(108), snp(109), compaq(110), ipxip(111), vrrp(112), pgm(113), hop0(114), l2tp(115), ipproto-116(116), ipproto-117(117), ipproto-118(118), ipproto-119(119), ipproto-120(120), ipproto-121(121), ipproto-122(122), ipproto-123(123), ipproto-124(124), ipproto-125(125), ipproto-126(126), ipproto-127(127), ipproto-128(128), ipproto-129(129), ipproto-130(130), ipproto-131(131), ipproto-132(132), ipproto-133(133), ipproto-134(134), ipproto-135(135), ipproto-136(136), ipproto-137(137), ipproto-138(138), ipproto-139(139), ipproto-140(140), ipproto-141(141), ipproto-142(142), ipproto-143(143), ipproto-144(144), ipproto-145(145), ipproto-146(146), ipproto-147(147), ipproto-148(148), ipproto-149(149), ipproto-150(150), ipproto-151(151), ipproto-152(152), ipproto-153(153), ipproto-154(154), ipproto-155(155), ipproto-156(156), ipproto-157(157), ipproto-158(158), ipproto-159(159), ipproto-160(160), ipproto-161(161), ipproto-162(162), ipproto-163(163), ipproto-164(164), ipproto-165(165), ipproto-166(166), ipproto-167(167), ipproto-168(168), ipproto-169(169), ipproto-170(170), ipproto-171(171), ipproto-172(172), ipproto-173(173), ipproto-174(174), ipproto-175(175), ipproto-176(176), ipproto-177(177), ipproto-178(178), ipproto-179(179), ipproto-180(180), ipproto-181(181), ipproto-182(182), ipproto-183(183), ipproto-184(184), ipproto-185(185), ipproto-186(186), ipproto-187(187), ipproto-188(188), ipproto-189(189), ipproto-190(190), ipproto-191(191), ipproto-192(192), ipproto-193(193), ipproto-194(194), ipproto-195(195), ipproto-196(196), ipproto-197(197), ipproto-198(198), ipproto-199(199), ipproto-200(200), ipproto-201(201), ipproto-202(202), ipproto-203(203), ipproto-204(204), ipproto-205(205), ipproto-206(206), ipproto-207(207), ipproto-208(208), ipproto-209(209), ipproto-210(210), ipproto-211(211), ipproto-212(212), ipproto-213(213), ipproto-214(214), ipproto-215(215), ipproto-216(216), ipproto-217(217), ipproto-218(218), ipproto-219(219), ipproto-220(220), ipproto-221(221), ipproto-222(222), ipproto-223(223), ipproto-224(224), ipproto-225(225), ipproto-226(226), ipproto-227(227), ipproto-228(228), ipproto-229(229), ipproto-230(230), ipproto-231(231), ipproto-232(232), ipproto-233(233), ipproto-234(234), ipproto-235(235), ipproto-236(236), ipproto-237(237), ipproto-238(238), ipproto-239(239), ipproto-240(240), ipproto-241(241), ipproto-242(242), ipproto-243(243), ipproto-244(244), ipproto-245(245), ipproto-246(246), ipproto-247(247), ipproto-248(248), ipproto-249(249), ipproto-250(250), ipproto-251(251), ipproto-252(252), ipproto-253(253), ipproto-254(254), dont-verify(255) } ACCESS read-only STATUS mandatory DESCRIPTION "The protocol this SA covers." ::= { ipsecSaEntry 27 } ipsecSaSrcPort OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The source port this SA covers, 0 for any." ::= { ipsecSaEntry 28 } ipsecSaDstPort OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The destination port this SA covers, 0 for any." ::= { ipsecSaEntry 29 } ipsecSaSeconds OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of seconds since this SA was created." ::= { ipsecSaEntry 30 } ipsecSaBytes OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The amount of data in kilobytes protected by this SA." ::= { ipsecSaEntry 31 } ipsecSaPackets OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of packets protected by this SA." ::= { ipsecSaEntry 32 } ipsecSaReplayErrors OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of replayed packets detected for this SA." ::= { ipsecSaEntry 33 } ipsecSaRecvErrors OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of receive errors (replayed packets not counted) detected for this SA." ::= { ipsecSaEntry 34 } ipsecSaDecryptErrors OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of decryption errors (ESP only) detected for this SA." ::= { ipsecSaEntry 35 } -- End IPSec Security Associations Table -- IKE Security Associations Table ikeSaTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeSaEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of currently active IKE security associations." ::= { ipsec 4 } ikeSaEntry OBJECT-TYPE SYNTAX IkeSaEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains an IKE security association." INDEX { ikeSaIndex } ::= { ikeSaTable 1 } IkeSaEntry ::= SEQUENCE { ikeSaIndex INTEGER, ikeSaState INTEGER, ikeSaXchType INTEGER, ikeSaAuthMethod INTEGER, ikeSaAlgs DisplayString, ikeSaRole INTEGER, ikeSaLocalId DisplayString, ikeSaRemoteId DisplayString, ikeSaRemoteIp IpAddress, ikeSaCookieI OCTET STRING, ikeSaCookieR OCTET STRING, ikeSaTimes DisplayString, ikeSaNumCerts INTEGER, ikeSaNumNegotiations INTEGER, ikeSaBytes INTEGER, ikeSaMajVersion INTEGER, ikeSaMinVersion INTEGER } ikeSaIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index for this entry." ::= { ikeSaEntry 1 } ikeSaState OBJECT-TYPE SYNTAX INTEGER { negotiating(1), -- the SA is still being negotiated established(2), -- the SA negotiation is finished waiting-for-remove(3), -- the SA is waiting for removal delete(7) -- mark the SA for deletion } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the state of the SA. Possible values: negotiating(1), -- the SA is still being negotiated established(2), -- the SA negotiation is finished waiting-for-remove(3), -- the SA is waiting for removal delete(7) -- mark the SA for deletion." ::= { ikeSaEntry 3 } ikeSaXchType OBJECT-TYPE SYNTAX INTEGER { base(1), -- IKE base mode mode id-protect(2), -- IKE identity protection -- (oakley main mode) authentication-only(3), -- Authentication only mode aggressive(4), -- IKE (oakley) aggressive mode info(5), -- IKE informational exchange mode quick(32), -- IKE quick mode new-group(33), -- IKE new group mode any(256) -- Other mode } ACCESS read-only STATUS mandatory DESCRIPTION "The exchange mode used to create the SA. Possible values: base(1), -- IKE base mode mode id-protect(2), -- IKE identity protection -- (oakley main mode) authentication-only(3), -- Authentication only mode aggressive(4), -- IKE (oakley) aggressive mode info(5), -- IKE informational exchange mode quick(32), -- IKE quick mode new-group(33), -- IKE new group mode any(256) -- Other mode." ::= { ikeSaEntry 4 } ikeSaAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4) -- Authentication using RSA encryption } ACCESS read-only STATUS mandatory DESCRIPTION "The authenticatin method used when negotiating this SA. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4) -- Authentication using RSA encryption." ::= { ikeSaEntry 5 } ikeSaAlgs OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "The names of the encryption and hash algorithm and of the prf." ::= { ikeSaEntry 6 } ikeSaRole OBJECT-TYPE SYNTAX INTEGER { initiator(1), -- this end initiated the SA negotiation responder(2) -- the remote end initiated the SA negotiation } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies by which side the SA negotiation was initiated. Possible values: true(1), -- this end initiated the SA negotiation false(2) -- the remote end initiated the SA negotiation." ::= { ikeSaEntry 7 } ikeSaLocalId OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "The local ID used for authentication." ::= { ikeSaEntry 8 } ikeSaRemoteId OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "The remote ID used for authentication." ::= { ikeSaEntry 9 } ikeSaRemoteIp OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The remote IP address used in the IKE communication." ::= { ikeSaEntry 11 } ikeSaCookieI OBJECT-TYPE SYNTAX OCTET STRING ACCESS read-only STATUS mandatory DESCRIPTION "The cookie of the initiator." ::= { ikeSaEntry 12 } ikeSaCookieR OBJECT-TYPE SYNTAX OCTET STRING ACCESS read-only STATUS mandatory DESCRIPTION "The cookie of the responder." ::= { ikeSaEntry 13 } ikeSaTimes OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "The creation time and last used time of the SA in human readable format." ::= { ikeSaEntry 14 } ikeSaNumCerts OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of certificates received from the remote side when negotiating this SA." ::= { ikeSaEntry 15 } ikeSaNumNegotiations OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies the number of currently active negotiations for this SA." ::= { ikeSaEntry 16 } ikeSaBytes OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of bytes transmitted using this SA." ::= { ikeSaEntry 17 } ikeSaMajVersion OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The IKE major version number." ::= { ikeSaEntry 18 } ikeSaMinVersion OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The IKE minor version number." ::= { ikeSaEntry 19 } -- End IKE Security Associations Table -- IPSec Peer Table ipsecPeerTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecPeerEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of IPSec peers." ::= { ipsec 5 } ipsecPeerEntry OBJECT-TYPE SYNTAX IpsecPeerEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains the description of an IPSec peer." INDEX { ipsecPeerTrafficList } ::= { ipsecPeerTable 1 } IpsecPeerEntry ::= SEQUENCE { ipsecPeerIndex INTEGER, ipsecPeerNextIndex INTEGER, ipsecPeerDescription DisplayString, ipsecPeerPeerIds DisplayString, ipsecPeerPeerAddress IpAddress, ipsecPeerLocalId DisplayString, ipsecPeerLocalAddress IpAddress, ipsecPeerLocalCert INTEGER, ipsecPeerIkeProposals INTEGER, ipsecPeerTrafficList INTEGER, ipsecPeerAuthMethod INTEGER, ipsecPeerPreSharedKey DisplayString, ipsecPeerIkeGroup INTEGER, ipsecPeerPfsGroup INTEGER, ipsecPeerPh1Mode INTEGER, ipsecPeerIkeLifeTime INTEGER, ipsecPeerIpsecLifeTime INTEGER, ipsecPeerKeepAlive INTEGER, ipsecPeerGranularity INTEGER, ipsecPeerDontVerifyPad INTEGER, ipsecPeerDefaultIpsecProposals INTEGER, ipsecPeerPreSharedKeyData OCTET STRING } ipsecPeerIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index identifying this entry." ::= { ipsecPeerEntry 1 } ipsecPeerNextIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the next peer in hierarchy." ::= { ipsecPeerEntry 2 } ipsecPeerDescription OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "An optional description for this peer." ::= { ipsecPeerEntry 3 } ipsecPeerPeerIds OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "The IDs of the peer which are accepted for authentication." ::= { ipsecPeerEntry 5 } ipsecPeerPeerAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The IP-address of the peer." ::= { ipsecPeerEntry 6 } ipsecPeerLocalId OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "The local ID used for authentication." ::= { ipsecPeerEntry 7 } ipsecPeerLocalAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The local address used for IPSec encrypted packets." ::= { ipsecPeerEntry 8 } ipsecPeerLocalCert OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the certificate used for local authentication in the certTable. Only useful for automatically keyed traffic with dsa or rsa authentication." ::= { ipsecPeerEntry 9 } ipsecPeerIkeProposals OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the first IKE proposal which may be used for IKE SA negotiation with this peer." ::= { ipsecPeerEntry 10 } ipsecPeerTrafficList OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the first entry of possibly a chain of traffic entries from the ipsecTrafficTable which should be protected with IPSec using this peer." ::= { ipsecPeerEntry 11 } ipsecPeerAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(14), -- Use the default settings from the -- ipsecGlobals table delete(15) -- mark this entry for deletion } ACCESS read-write STATUS mandatory DESCRIPTION "The authentication method used. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(14), -- Use the default settings from the -- ipsecGlobals table delete(15) -- mark this entry for deletion." ::= { ipsecPeerEntry 20 } ipsecPeerPreSharedKey OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "The pre-shared-key used with this peer, if pre-shared-keys are used for authentication. This field serves only as an input field and its contents are replaced with a single asterisk immediately after it is set." ::= { ipsecPeerEntry 21 } ipsecPeerIkeGroup OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The Group used for Diffie Hellman key agreement algorithm. Possible values: 0: use default value from ipsecGlobals table 1: a 768-bit MODP group 2: a 1024-bit MODP group 3: a GF[2^155] group 4: a GF[2^185] group 5: a 1536-bit MODP group" ::= { ipsecPeerEntry 22 } ipsecPeerPfsGroup OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The Diffie Hellman group used for additional Perfect Forward Secrecy (PFS) DH exponentiations. Possible values: -1: explicitly do not use PFS (overrides ipsecGlob2DefaultPfsGroup), 0: use default value from ipsecGlob2DefaultPfsGroup, 1: a 768-bit MODP group, 2: a 1024-bit MODP group, 5: a 1536-bit MODP group." ::= { ipsecPeerEntry 23 } ipsecPeerPh1Mode OBJECT-TYPE SYNTAX INTEGER { id-protect(1), -- Use identity protection (main) mode aggressive(2), -- Use aggressive mode default(3) -- Use default setting from the -- ipsecGlobalsTable } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the exchange mode used for IKE SA negotiation. Possible values: id-protect(1), -- Use identity protection (main) mode aggressive(2), -- Use aggressive mode default(3) -- Use default settings from the -- ipsecGlobalsTable." ::= { ipsecPeerEntry 24 } ipsecPeerIkeLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used." ::= { ipsecPeerEntry 25 } ipsecPeerIpsecLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable. This lifetime overwrites the lifetimes specified for all traffic entries and their proposals referenced by this peer entry. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used." ::= { ipsecPeerEntry 26 } ipsecPeerKeepAlive OBJECT-TYPE SYNTAX INTEGER { true(1), -- rekey SA's even if no data was transferred false(2) -- do not rekey SA's if no data was transferred } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE SA's with this peer are rekeyed even if there was no data transferred over them. Possible values: true(1), -- rekey SA's even if no data was transferred false(2) -- do not rekey SA's if no data was transferred." ::= { ipsecPeerEntry 29 } ipsecPeerGranularity OBJECT-TYPE SYNTAX INTEGER { default(1), -- use the setting from the ipsecGlobalsTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the granularity with which SA's with this peer are created. Possible values: default(1), -- use the setting from the ipsecGlobalsTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host." ::= { ipsecPeerEntry 30 } ipsecPeerDontVerifyPad OBJECT-TYPE SYNTAX INTEGER { false(1), -- normal, self-describing ESP padding true(2) -- old style ESP padding } ACCESS read-write STATUS mandatory DESCRIPTION "This object is a compatibility option for older ipsec implementations. It enables or disables an old way of ESP padding (no self describing padding). Possible values: false(1), -- normal, self-describing ESP padding true(2) -- old style ESP padding." ::= { ipsecPeerEntry 31 } ipsecPeerDefaultIpsecProposals OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the default IPSec proposal used for encrypting all the traffic bound to the (optional) logical interface created for this peer." ::= { ipsecPeerEntry 42 } ipsecPeerPreSharedKeyData OBJECT-TYPE SYNTAX OCTET STRING ACCESS not-accessible STATUS mandatory DESCRIPTION "Field used for storing the pre-shared-key permanently." ::= { ipsecPeerEntry 63 } -- End IPSec Peer Table -- IKE Proposal Table ikeProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeProposalEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of IKE proposals. The entries may be concatenated on a logical or basis using the NextChoice field to choices of multiple proposals." ::= { ipsec 6 } ikeProposalEntry OBJECT-TYPE SYNTAX IkeProposalEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains an IKE proposal, i.e. the encryption algorithm and the hash algorithm used to protect traffic sent over an IKE SA." INDEX { ikePropEncAlg } ::= { ikeProposalTable 1 } IkeProposalEntry ::= SEQUENCE { ikePropIndex INTEGER, ikePropNextChoice INTEGER, ikePropDescription DisplayString, ikePropEncAlg INTEGER, ikePropHashAlg INTEGER } ikePropIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index identifying this entry." ::= { ikeProposalEntry 1 } ikePropNextChoice OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the index of the next proposal of a choice of proposals. If this object is 0, this marks the end of a proposal chain." ::= { ikeProposalEntry 2 } ikePropDescription OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "An optional textual description of the proposal chain beginning at this entry." ::= { ikeProposalEntry 3 } ikePropEncAlg OBJECT-TYPE SYNTAX INTEGER { none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4),-- Blowfish in CBC mode cast128-cbc(5) -- CAST in CBC mode with 128 bit key } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the encryption algorithm used to protect traffic sent over an IKE SA. Possible values: none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4), -- Blowfish in CBC mode cast128-cbc(5) -- CAST in CBC mode with 128 bit key." ::= { ikeProposalEntry 4 } ikePropHashAlg OBJECT-TYPE SYNTAX INTEGER { delete(1), -- Delete this entry none(2), -- No hash algorithm md5(3), -- The MD5 hash algorithm sha1(4) -- The Secure Hash Algorithm } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the hash algorithm used to protect traffic sent over an IKE SA. Possible values: delete(1), -- Delete this entry none(2), -- No hash algorithm md5(3), -- The MD5 hash algorithm sha1(4), -- The Secure Hash Algorithm." ::= { ikeProposalEntry 5 } -- End IKE Proposal Table -- IPSec Traffic Table ipsecTrafficTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecTrafficEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains lists of Traffic and the actions which should be applied to it, together with the necessary parameters." ::= { ipsec 7 } ipsecTrafficEntry OBJECT-TYPE SYNTAX IpsecTrafficEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains a description of a type of IP traffic and the action which should be applied to it together with the necessary parameters." INDEX { ipsecTrProto } ::= { ipsecTrafficTable 1 } IpsecTrafficEntry ::= SEQUENCE { ipsecTrIndex INTEGER, ipsecTrNextIndex INTEGER, ipsecTrDescription DisplayString, ipsecTrLocalAddress IpAddress, ipsecTrLocalMaskLen INTEGER, ipsecTrLocalRange IpAddress, ipsecTrRemoteAddress IpAddress, ipsecTrRemoteMaskLen INTEGER, ipsecTrRemoteRange IpAddress, ipsecTrProto INTEGER, ipsecTrLocalPort INTEGER, ipsecTrRemotePort INTEGER, ipsecTrAction INTEGER, ipsecTrProposal INTEGER, ipsecTrForceTunnelMode INTEGER, ipsecTrLifeTime INTEGER, ipsecTrGranularity INTEGER, ipsecTrKeepAlive INTEGER } ipsecTrIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index identifying this entry." ::= { ipsecTrafficEntry 1 } ipsecTrNextIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the index of the next traffic entry in hierarchy." ::= { ipsecTrafficEntry 2 } ipsecTrDescription OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "An optional human readable description for this traffic entry." ::= { ipsecTrafficEntry 3 } ipsecTrLocalAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The source IP-address of this traffic entry. It maybe either a single address, a network address (in combination with ipsecTrSrcMask), or the first address of an address range (in combination with ipsecTrLocalRange)." ::= { ipsecTrafficEntry 4 } ipsecTrLocalMaskLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The length of the network mask for a source network." ::= { ipsecTrafficEntry 5 } ipsecTrLocalRange OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The last address of a source address range. If this field is nonzero, the ipsecTrLocalMaskLen field is ignored and the source is considered as a range of addresses beginning with ipsecTrLocalAddress and ending with ipsecTrLocalRange." ::= { ipsecTrafficEntry 6 } ipsecTrRemoteAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The destination IP-address of this traffic entry. It maybe either a single address, a network address (in combination with ipsecTrDstMask), or the first address of an address range (in combination with ipsecTrRemoteRange)." ::= { ipsecTrafficEntry 7 } ipsecTrRemoteMaskLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The length of the network mask for a destination network." ::= { ipsecTrafficEntry 8 } ipsecTrRemoteRange OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The last address of a destination address range. If this field is nonzero, the ipsecTrRemoteMaskLen field is ignored and the source is considered as a range of addresses beginning with ipsecTrRemoteAddress and ending with ipsecTrRemoteRange." ::= { ipsecTrafficEntry 9 } ipsecTrProto OBJECT-TYPE SYNTAX INTEGER { icmp(1), igmp(2), ggp(3), ipip(4), st(5), tcp(6), cbt(7), egp(8), igp(9), bbn(10), nvp(11), pup(12), argus(13), emcon(14), xnet(15), chaos(16), udp(17), mux(18), dcn(19), hmp(20), prm(21), xns(22), trunk1(23), trunk2(24), leaf1(25), leaf2(26), rdp(27), irtp(28), isotp4(29), netblt(30), mfe(31), merit(32), sep(33), pc3(34), idpr(35), xtp(36), ddp(37), idprc(38), tp(39), il(40), ipv6(41), sdrp(42), ipv6route(43), ipv6frag(44), idrp(45), rsvp(46), gre(47), mhrp(48), bna(49), esp(50), ah(51), inlsp(52), swipe(53), narp(54), mobile(55), tlsp(56), skip(57), ipv6icmp(58), ipv6nonxt(59), ipv6opts(60), ipproto-61(61), cftp(62), local(63), sat(64), kryptolan(65), rvd(66), ippc(67), distfs(68), satmon(69), visa(70), ipcv(71), cpnx(72), cphb(73), wsn(74), pvp(75), brsatmon(76), sunnd(77), wbmon(78), wbexpak(79), isoip(80), vmtp(81), securevmtp(82), vines(83), ttp(84), nsfnet(85), dgp(86), tcf(87), eigrp(88), ospfigp(89), sprite(90), larp(91), mtp(92), ax25(93), ipwip(94), micp(95), scc(96), etherip(97), encap(98), encrypt(99), gmtp(100), ifmp(101), pnni(102), pim(103), aris(104), scps(105), qnx(106), an(107), ippcp(108), snp(109), compaq(110), ipxip(111), vrrp(112), pgm(113), hop0(114), l2tp(115), ipproto-116(116), ipproto-117(117), ipproto-118(118), ipproto-119(119), ipproto-120(120), ipproto-121(121), ipproto-122(122), ipproto-123(123), ipproto-124(124), ipproto-125(125), ipproto-126(126), ipproto-127(127), ipproto-128(128), ipproto-129(129), ipproto-130(130), ipproto-131(131), ipproto-132(132), ipproto-133(133), ipproto-134(134), ipproto-135(135), ipproto-136(136), ipproto-137(137), ipproto-138(138), ipproto-139(139), ipproto-140(140), ipproto-141(141), ipproto-142(142), ipproto-143(143), ipproto-144(144), ipproto-145(145), ipproto-146(146), ipproto-147(147), ipproto-148(148), ipproto-149(149), ipproto-150(150), ipproto-151(151), ipproto-152(152), ipproto-153(153), ipproto-154(154), ipproto-155(155), ipproto-156(156), ipproto-157(157), ipproto-158(158), ipproto-159(159), ipproto-160(160), ipproto-161(161), ipproto-162(162), ipproto-163(163), ipproto-164(164), ipproto-165(165), ipproto-166(166), ipproto-167(167), ipproto-168(168), ipproto-169(169), ipproto-170(170), ipproto-171(171), ipproto-172(172), ipproto-173(173), ipproto-174(174), ipproto-175(175), ipproto-176(176), ipproto-177(177), ipproto-178(178), ipproto-179(179), ipproto-180(180), ipproto-181(181), ipproto-182(182), ipproto-183(183), ipproto-184(184), ipproto-185(185), ipproto-186(186), ipproto-187(187), ipproto-188(188), ipproto-189(189), ipproto-190(190), ipproto-191(191), ipproto-192(192), ipproto-193(193), ipproto-194(194), ipproto-195(195), ipproto-196(196), ipproto-197(197), ipproto-198(198), ipproto-199(199), ipproto-200(200), ipproto-201(201), ipproto-202(202), ipproto-203(203), ipproto-204(204), ipproto-205(205), ipproto-206(206), ipproto-207(207), ipproto-208(208), ipproto-209(209), ipproto-210(210), ipproto-211(211), ipproto-212(212), ipproto-213(213), ipproto-214(214), ipproto-215(215), ipproto-216(216), ipproto-217(217), ipproto-218(218), ipproto-219(219), ipproto-220(220), ipproto-221(221), ipproto-222(222), ipproto-223(223), ipproto-224(224), ipproto-225(225), ipproto-226(226), ipproto-227(227), ipproto-228(228), ipproto-229(229), ipproto-230(230), ipproto-231(231), ipproto-232(232), ipproto-233(233), ipproto-234(234), ipproto-235(235), ipproto-236(236), ipproto-237(237), ipproto-238(238), ipproto-239(239), ipproto-240(240), ipproto-241(241), ipproto-242(242), ipproto-243(243), ipproto-244(244), ipproto-245(245), ipproto-246(246), ipproto-247(247), ipproto-248(248), ipproto-249(249), ipproto-250(250), ipproto-251(251), ipproto-252(252), ipproto-253(253), ipproto-254(254), dont-verify(255) } ACCESS read-write STATUS mandatory DESCRIPTION "The transport protocol defined for this entry." ::= { ipsecTrafficEntry 10 } ipsecTrLocalPort OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The source port defined for this traffic entry." ::= { ipsecTrafficEntry 11 } ipsecTrRemotePort OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The destination port defined for this traffic entry." ::= { ipsecTrafficEntry 12 } ipsecTrAction OBJECT-TYPE SYNTAX INTEGER { delete(1), -- Delete this entry always-plain(2), -- Forward the packets without -- protection even if there is a -- matching SA and independent from -- the position of the traffic entry -- in the list. pass(3), -- Forward the packets without -- protection protect(4), -- Protect the traffic as specified -- in the proposal. Drop unprotected -- traffic of this kind. drop(5) -- Drop all packets matching this -- traffic entry } ACCESS read-write STATUS mandatory DESCRIPTION "The action to be applied to traffic matching this entry. Possible values: delete(1), -- Delete this entry always-plain(2), -- Forward the packets without -- protection even if there is a -- matching SA and independent from -- the position of the traffic entry -- in the list. pass(3), -- Forward the packets without -- protection protect(4), -- Protect the traffic as specified -- in the proposal. Drop unprotected -- traffic of this kind. drop(5) -- Drop all packets matching this -- traffic entry." ::= { ipsecTrafficEntry 13 } ipsecTrProposal OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies an index in the ipsecProposalTable. This may be the first proposal of possibly a choice of multiple, optionally nested proposals which is to be offered with IKE (automatic keying) or a manual proposal (manual keying)." ::= { ipsecTrafficEntry 14 } ipsecTrForceTunnelMode OBJECT-TYPE SYNTAX INTEGER { true(1), -- Use tunnel mode even if transport mode is possible false(2) -- Use transport mode whenever possible } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the strategy when transport mode is used. By default, the system always uses transport mode, if possible. If this variable is set to true, always tunnel mode will be used for this traffic entry, even if source and destination address match the tunnel endpoints. Possible values: true(1), -- Use tunnel mode even if transport mode is possible false(2) -- Use transport mode whenever possible." ::= { ipsecTrafficEntry 15 } ipsecTrLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable. This lifetime overwrites the lifetimes specified for all proposals referenced by this traffic entry. It may itself be overwritten by an explicit lifetime specified for the peer entry referencing this traffic entry. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used." ::= { ipsecTrafficEntry 16 } ipsecTrGranularity OBJECT-TYPE SYNTAX INTEGER { default(1), -- use the setting from the ipsecPeerTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the granularity with which SA's must be created for this kind of traffic. Possible values: default(1), -- use the setting from the ipsecPeerTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host." ::= { ipsecTrafficEntry 17 } ipsecTrKeepAlive OBJECT-TYPE SYNTAX INTEGER { true(1), -- rekey SA's even if no data was transferred false(2), -- do not rekey SA's if no data was transferred default(3) -- use the default setting from the peer entry -- referencing this traffic entry } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether SA's created for this kind of traffic should be rekeyed on expiration of soft lifetimes even if there has not been sent any traffic over them. Possible values: true(1), -- rekey SA's even if no data was transferred false(2), -- do not rekey SA's if no data was transferred default(3) -- use the default setting from the peer entry -- referencing this traffic entry." ::= { ipsecTrafficEntry 18 } -- End IPSec Traffic Table -- IPSec Proposal Table ipsecProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecProposalEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of IPSec proposals. The entries may be concatenated on a logical 'or' or a logical 'and' basis -depending on the setting of the 'BoolOp' field- using the 'Next' field. This makes the configuration of multiple choices of proposal bundles possible. Possible concatenation: (proposal1 or propsal2 or ... proposaln) and (proposal1 or propsal2 or ... proposaln) and : : (proposal1 or propsal2 or ... proposaln) This table also includes manually keyed security associations, which may not be concatenated to choices with BoolOp set to 'or'" ::= { ipsec 8 } ipsecProposalEntry OBJECT-TYPE SYNTAX IpsecProposalEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains an IPSec proposal, i.e. a proposed set of security parameters applied to traffic sent over an IPSec security association." INDEX { ipsecPropProto } ::= { ipsecProposalTable 1 } IpsecProposalEntry ::= SEQUENCE { ipsecPropIndex INTEGER, ipsecPropNext INTEGER, ipsecPropBoolOp INTEGER, ipsecPropDescription DisplayString, ipsecPropProto INTEGER, ipsecPropEncAlg INTEGER, ipsecPropAuthAlg INTEGER, ipsecPropLifeTime INTEGER, ipsecPropInSpi HexValue, ipsecPropOutSpi HexValue, ipsecPropEncKeyIn DisplayString, ipsecPropEncKeyOut DisplayString, ipsecPropAuthKeyIn DisplayString, ipsecPropAuthKeyOut DisplayString, ipsecPropEncKeyDataIn OCTET STRING, ipsecPropEncKeyDataOut OCTET STRING, ipsecPropAuthKeyDataIn OCTET STRING, ipsecPropAuthKeyDataOut OCTET STRING } ipsecPropIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index for this entry." ::= { ipsecProposalEntry 1 } ipsecPropNext OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the next Proposal in the actual chain." ::= { ipsecProposalEntry 2 } ipsecPropBoolOp OBJECT-TYPE SYNTAX INTEGER { delete(1), -- Delete this entry or(2), -- Concatenation with logical 'or' and(3) -- Concatenation with logical 'and' } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies how the proposal referenced by Next should be concatenated. Possible values: delete(1), -- Delete this entry or(2), -- Concatenation with logical 'or' and(3) -- Concatenation with logical 'and'." ::= { ipsecProposalEntry 3 } ipsecPropDescription OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "An optional human readable description for this proposal." ::= { ipsecProposalEntry 4 } ipsecPropProto OBJECT-TYPE SYNTAX INTEGER { esp(1), -- Encapsulating Security Payload ah(2) -- Authentication Header } ACCESS read-write STATUS mandatory DESCRIPTION "The security protocol to apply. Possible values: esp(1), -- Encapsulating Security Payload ah(2) -- Authentication Header." ::= { ipsecProposalEntry 6 } ipsecPropEncAlg OBJECT-TYPE SYNTAX INTEGER { none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4),-- Blowfish in CBC mode cast128-cbc(5) -- CAST with 128 bit key in CBC mode } ACCESS read-write STATUS mandatory DESCRIPTION "The encryption algorithm to apply, if any. Possible values: none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish(4), -- Blowfish in CBC mode cast128-cbc(5) -- CAST with 128 bit key in CBC mode." ::= { ipsecProposalEntry 7 } ipsecPropAuthAlg OBJECT-TYPE SYNTAX INTEGER { none(2), -- No hmac md5-96(4), -- Use the MD5 hash algorithm with 96 bit -- output sha1-96(6) -- Use the Secure Hash Algorithm with 96 bit -- output } ACCESS read-write STATUS mandatory DESCRIPTION "The hmac algorithm to use for authentication, if any. Possible values: none(2), -- No hmac md5-96(4), -- Use the MD5 hash algorithm with 96 bit -- output sha1-96(6) -- Use the Secure Hash Algorithm with 96 bit -- output." ::= { ipsecProposalEntry 8 } ipsecPropLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index in the ipsecLifeTimeTable containing the lifetime values ued for an SA created from this proposal. This field may be overwritten by an explicit lifetime specified for the traffic entry which references this proposal entry, or by an explicit lifetime specified for the peer entry referencing that traffic entry. If this field is empty or points to a nonexistent or inappropriate lifetime entry, the default life time from the ipsecGlobalsTable is used." ::= { ipsecProposalEntry 10 } ipsecPropInSpi OBJECT-TYPE SYNTAX HexValue ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the Security Parameters Index (SPI) which should be used for the inbound SA of a manually keyed Proposal. The SPI is used to distinguish between multiple IPSec connections to the same peer with the same security protocol. The outbound SPI of the remote sides' corresponding proposal entry has to be equal to this value. This object is ignored for automatically keyed SAs, as it is chosen randomly by the initiator." ::= { ipsecProposalEntry 11 } ipsecPropOutSpi OBJECT-TYPE SYNTAX HexValue ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the Security Parameters Index (SPI) which should be used for the outbound SA of a manually keyed Proposal. The SPI is used to distinguish between multiple IPSec connections to the same peer with the same security protocol. The inbound SPI of the remote sides' corresponding proposal entry has to be equal to this value. This object is ignored for automatically keyed SAs, as it is chosen randomly by the initiator." ::= { ipsecProposalEntry 12 } ipsecPropEncKeyIn OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "This object serves as an input field for the inbound encryption key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatic proposals or for proposals which do not require an encryption key." ::= { ipsecProposalEntry 14 } ipsecPropEncKeyOut OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "This object serves as an input field for the outbound encryption key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatic proposals or for proposals which do not require an encryption key." ::= { ipsecProposalEntry 15 } ipsecPropAuthKeyIn OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "This object serves as an input field for the inbound authentication key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatic proposals or for proposals which do not require an authentication key." ::= { ipsecProposalEntry 17 } ipsecPropAuthKeyOut OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "This object serves as an input field for the outbound authentication key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatic proposals or for proposals which do not require an authentication key." ::= { ipsecProposalEntry 18 } ipsecPropEncKeyDataIn OBJECT-TYPE SYNTAX OCTET STRING ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= { ipsecProposalEntry 33 } ipsecPropEncKeyDataOut OBJECT-TYPE SYNTAX OCTET STRING ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= { ipsecProposalEntry 34 } ipsecPropAuthKeyDataIn OBJECT-TYPE SYNTAX OCTET STRING ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= { ipsecProposalEntry 35 } ipsecPropAuthKeyDataOut OBJECT-TYPE SYNTAX OCTET STRING ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= { ipsecProposalEntry 36 } -- End IPSec Proposal Table -- IPSec Life Time Table ipsecLifeTimeTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecLifeTimeEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of defined lifetimes for IPsec and IKE SAs." ::= { ipsec 9 } ipsecLifeTimeEntry OBJECT-TYPE SYNTAX IpsecLifeTimeEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains a lifetime, i.e. the soft and hard expiry limits for IPsec and IKE SA's." INDEX { ipsecLifeType } ::= { ipsecLifeTimeTable 1 } IpsecLifeTimeEntry ::= SEQUENCE { ipsecLifeIndex INTEGER, ipsecLifeType INTEGER, ipsecLifeSoftKb INTEGER, ipsecLifeSoftSec INTEGER, ipsecLifeHardKb INTEGER, ipsecLifeHardSec INTEGER } ipsecLifeIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index identifying this entry." ::= { ipsecLifeTimeEntry 1 } ipsecLifeType OBJECT-TYPE SYNTAX INTEGER { delete(1), -- Delete this entry generic(2) } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the type of a lifetime entry." ::= { ipsecLifeTimeEntry 2 } ipsecLifeSoftKb OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The maximum amount of data (in KB) which may be protected by an SA before it is refreshed." ::= { ipsecLifeTimeEntry 3 } ipsecLifeSoftSec OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The maximum time (in seconds) after which an SA will be refreshed,." ::= { ipsecLifeTimeEntry 4 } ipsecLifeHardKb OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The maximum amount of data (in KB) which may be protected by an SA before it is deleted." ::= { ipsecLifeTimeEntry 5 } ipsecLifeHardSec OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The maximum time (in seconds) after which an SA will be refreshed,." ::= { ipsecLifeTimeEntry 6 } -- End IPSec Life Time Table -- IPSec global statistics Table ipsecStats OBJECT IDENTIFIER ::= { ipsec 10 } --Static table containing global IPSec statistics ipsecStatsCurrentIkeSas OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Current number of IKE SA's." ::= { ipsecStats 1 } ipsecStatsCurrentIpsecSas OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Current number of IPSec SA's." ::= { ipsecStats 2 } ipsecStatsIp OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of IP packets processed." ::= { ipsecStats 3 } ipsecStatsNonIp OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of non-IP packets processed." ::= { ipsecStats 4 } ipsecStatsAh OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of AH packets processed." ::= { ipsecStats 5 } ipsecStatsEsp OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of ESP packets processed." ::= { ipsecStats 6 } ipsecStatsDrop OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of packets dropped." ::= { ipsecStats 7 } ipsecStatsPass OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of packets passed plain." ::= { ipsecStats 8 } ipsecStatsTrig OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of packets which triggered an IKE negotiation." ::= { ipsecStats 9 } ipsecStatsFragPkt OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of partial packets currently being reassembled." ::= { ipsecStats 10 } ipsecStatsFragBytes OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Total size of the partial packets currently being reassembled." ::= { ipsecStats 11 } ipsecStatsFragNonfirst OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of non-first fragments currently queued." ::= { ipsecStats 12 } END -- of BIANCA-BRICK-IPSEC-MIB definitions