CeipSecTunnelEntry | SEQUENCE |
ceipSecTunIndex | CIPsecPhase2TunnelIndex |
ceipSecTunLocalAddressType | InetAddressType |
ceipSecTunLocalAddress | InetAddress |
ceipSecTunRemoteAddressType | InetAddressType |
ceipSecTunRemoteAddress | InetAddress |
ceipSecTunControlProtocol | CIPsecControlProtocol |
ceipSecTunControlTunnelIndex | CIPsecPhase1TunnelIndexOrZero |
ceipSecTunControlTunnelAlive | TruthValue |
ceipSecTunEncapMode | CIPsecEncapMode |
ceipSecTunNATTraversalMode | CIPsecNATTraversalMode |
ceipSecTunLifeSize | Unsigned32 |
ceipSecTunLifeTime | Unsigned32 |
ceipSecTunActiveTime | TimeInterval |
ceipSecTunSaLifeSizeThreshold | Unsigned32 |
ceipSecTunSaLifeTimeThreshold | Unsigned32 |
ceipSecTunTotalRefreshes | Counter32 |
ceipSecTunExpiredSaInstances | Counter32 |
ceipSecTunCurrentSaInstances | Gauge32 |
ceipSecTunInSaDHGrp | CIPsecDiffHellmanGrp |
ceipSecTunInSaEncryptAlgo | CIPsecEncryptAlgorithm |
ceipSecTunInSaEncryptKeySize | CIPsecEncryptionKeySize |
ceipSecTunInSaAhAuthAlgo | CIPsecAuthAlgorithm |
ceipSecTunInSaEspAuthAlgo | CIPsecAuthAlgorithm |
ceipSecTunInSaDecompAlgo | CIPsecCompAlgorithm |
ceipSecTunOutSaDHGrp | CIPsecDiffHellmanGrp |
ceipSecTunOutSaEncryptAlgo | CIPsecEncryptAlgorithm |
ceipSecTunOutSaEncryptKeySize | CIPsecEncryptionKeySize |
ceipSecTunOutSaAhAuthAlgo | CIPsecAuthAlgorithm |
ceipSecTunOutSaEspAuthAlgo | CIPsecAuthAlgorithm |
ceipSecTunOutSaCompAlgo | CIPsecCompAlgorithm |
ceipSecTunPmtu | CIPsecPmtu |
ceipSecTunInOctets | Counter64 |
ceipSecTunInDecompOctets | Counter64 |
ceipSecTunInPkts | Counter32 |
ceipSecTunInDropPkts | Counter32 |
ceipSecTunInReplayDropPkts | Counter32 |
ceipSecTunInAuths | Counter32 |
ceipSecTunInAuthFails | Counter32 |
ceipSecTunInDecrypts | Counter32 |
ceipSecTunInDecryptFails | Counter32 |
ceipSecTunOutOctets | Counter64 |
ceipSecTunOutUncompOctets | Counter64 |
ceipSecTunOutPkts | Counter32 |
ceipSecTunOutDropPkts | Counter32 |
ceipSecTunOutAuths | Counter32 |
ceipSecTunOutAuthFails | Counter32 |
ceipSecTunOutEncrypts | Counter32 |
ceipSecTunOutEncryptFails | Counter32 |
ceipSecTunOutCompressedPkts | Counter32 |
ceipSecTunOutCompSkippedPkts | Counter32 |
ceipSecTunOutCompFailPkts | Counter32 |
ceipSecTunOutCompTooSmallPkts | Counter32 |
ceipSecIfIndex | InterfaceIndex |
ceipSecTunStatus | CIPsecTunnelStatus |
CeipSecEndPtEntry | SEQUENCE |
ceipSecEndPtIndex | Unsigned32 |
ceipSecEndPtLocalName | SnmpAdminString |
ceipSecEndPtLocalType | CIPsecEndPtType |
ceipSecEndPtLocalAddrType1 | InetAddressType |
ceipSecEndPtLocalAddr1 | InetAddress |
ceipSecEndPtLocalAddrType2 | InetAddressType |
ceipSecEndPtLocalAddr2 | InetAddress |
ceipSecEndPtLocalProtocol | CiscoIpProtocol |
ceipSecEndPtLocalPort | CiscoPort |
ceipSecEndPtRemoteName | SnmpAdminString |
ceipSecEndPtRemoteType | CIPsecEndPtType |
ceipSecEndPtRemoteAddrType1 | InetAddressType |
ceipSecEndPtRemoteAddr1 | InetAddress |
ceipSecEndPtRemoteAddrType2 | InetAddressType |
ceipSecEndPtRemoteAddr2 | InetAddress |
ceipSecEndPtRemoteProtocol | CiscoIpProtocol |
ceipSecEndPtRemotePort | CiscoPort |
CeipSecTunnelSaEntry | SEQUENCE |
ceipSecTunSaProtocol | CIPsecProtocol |
ceipSecTunSaIndex | Unsigned32 |
ceipSecTunSaDirection | CIPsecPhase2SaDirection |
ceipSecTunSaValue | CIPsecSpi |
ceipSecTunSaIfIndex | InterfaceIndex |
ceipSecTunSaInOctets | Counter64 |
ceipSecTunSaInDecompOctets | Counter64 |
ceipSecTunSaInPkts | Counter64 |
ceipSecTunSaInDropPkts | Counter64 |
ceipSecTunSaInReplayDropPkts | Counter64 |
ceipSecTunSaInAuths | Counter64 |
ceipSecTunSaInAuthFails | Counter64 |
ceipSecTunSaInDecrypts | Counter64 |
ceipSecTunSaInDecryptFails | Counter64 |
ceipSecTunSaOutOctets | Counter64 |
ceipSecTunSaOutUncompOctets | Counter64 |
ceipSecTunSaOutPkts | Counter64 |
ceipSecTunSaOutDropPkts | Counter64 |
ceipSecTunSaOutAuths | Counter64 |
ceipSecTunSaOutAuthFails | Counter64 |
ceipSecTunSaOutEncrypts | Counter64 |
ceipSecTunSaOutEncryptFails | Counter64 |
ceipSecTunSaOutCompressedPkts | Counter64 |
ceipSecTunSaOutCompSkippedPkts | Counter64 |
ceipSecTunSaOutCompFailPkts | Counter64 |
ceipSecTunSaOutCompTooSmallPkts | Counter64 |
ceipSecTunSaStatus | INTEGER |
CeipSecTunnelHistEntry | SEQUENCE |
ceipSecTunHistIndex | Unsigned32 |
ceipSecTunHistTermReason | INTEGER |
ceipSecTunHistActiveIndex | CIPsecPhase2TunnelIndex |
ceipSecTunHistLocalAddressType | InetAddressType |
ceipSecTunHistLocalAddress | InetAddress |
ceipSecTunHistRemoteAddressType | InetAddressType |
ceipSecTunHistRemoteAddress | InetAddress |
ceipSecTunHistControlProtocol | CIPsecControlProtocol |
ceipSecTunHistControlTunnelIndex | CIPsecPhase1TunnelIndexOrZero |
ceipSecTunHistEncapMode | CIPsecEncapMode |
ceipSecTunHistNATTraversalMode | CIPsecNATTraversalMode |
ceipSecTunHistLifeSize | Unsigned32 |
ceipSecTunHistLifeTime | Unsigned32 |
ceipSecTunHistStartTime | TimeStamp |
ceipSecTunHistActiveTime | TimeInterval |
ceipSecTunHistTotalRefreshes | Counter32 |
ceipSecTunHistTotalSas | Counter32 |
ceipSecTunHistInSaDHGrp | CIPsecDiffHellmanGrp |
ceipSecTunHistInSaEncryptAlgo | CIPsecEncryptAlgorithm |
ceipSecTunHistInSaEncryptKeySize | CIPsecEncryptionKeySize |
ceipSecTunHistInSaAhAuthAlgo | CIPsecAuthAlgorithm |
ceipSecTunHistInSaEspAuthAlgo | CIPsecAuthAlgorithm |
ceipSecTunHistInSaDecompAlgo | CIPsecCompAlgorithm |
ceipSecTunHistOutSaDHGrp | CIPsecDiffHellmanGrp |
ceipSecTunHistOutSaEncryptAlgo | CIPsecEncryptAlgorithm |
ceipSecTunHistOutSaEncryptKeySz | CIPsecEncryptionKeySize |
ceipSecTunHistOutSaAhAuthAlgo | CIPsecAuthAlgorithm |
ceipSecTunHistOutSaEspAuthAlgo | CIPsecAuthAlgorithm |
ceipSecTunHistOutSaCompAlgo | CIPsecCompAlgorithm |
ceipSecTunHistPmtu | CIPsecPmtu |
ceipSecTunHistInOctets | Counter64 |
ceipSecTunHistInDecompOctets | Counter64 |
ceipSecTunHistInPkts | Counter32 |
ceipSecTunHistInDropPkts | Counter32 |
ceipSecTunHistInReplayDropPkts | Counter32 |
ceipSecTunHistInAuths | Counter32 |
ceipSecTunHistInAuthFails | Counter32 |
ceipSecTunHistInDecrypts | Counter32 |
ceipSecTunHistInDecryptFails | Counter32 |
ceipSecTunHistOutOctets | Counter64 |
ceipSecTunHistOutUncompOctets | Counter64 |
ceipSecTunHistOutPkts | Counter32 |
ceipSecTunHistOutDropPkts | Counter32 |
ceipSecTunHistOutAuths | Counter32 |
ceipSecTunHistOutAuthFails | Counter32 |
ceipSecTunHistOutEncrypts | Counter32 |
ceipSecTunHistOutEncryptFails | Counter32 |
ceipSecTunHistOutCompressedPkts | Counter32 |
ceipSecTunHistOutCompSkippedPkts | Counter32 |
ceipSecTunHistOutCompFailPkts | Counter32 |
ceipSecTunHistOutCompSmallPkts | Counter32 |
CeipSecEndPtHistEntry | SEQUENCE |
ceipSecEndPtHistIndex | Unsigned32 |
ceipSecEndPtHistTunIndex | Unsigned32 |
ceipSecEndPtHistActiveIndex | Unsigned32 |
ceipSecEndPtHistLocalName | SnmpAdminString |
ceipSecEndPtHistLocalType | CIPsecEndPtType |
ceipSecEndPtHistLocalAddrType1 | InetAddressType |
ceipSecEndPtHistLocalAddr1 | InetAddress |
ceipSecEndPtHistLocalAddrType2 | InetAddressType |
ceipSecEndPtHistLocalAddr2 | InetAddress |
ceipSecEndPtHistLocalProtocol | CiscoIpProtocol |
ceipSecEndPtHistLocalPort | CiscoPort |
ceipSecEndPtHistRemoteName | SnmpAdminString |
ceipSecEndPtHistRemoteType | CIPsecEndPtType |
ceipSecEndPtHistRemoteAddrType1 | InetAddressType |
ceipSecEndPtHistRemoteAddr1 | InetAddress |
ceipSecEndPtHistRemoteAddrType2 | InetAddressType |
ceipSecEndPtHistRemoteAddr2 | InetAddress |
ceipSecEndPtHistRemoteProtocol | CiscoIpProtocol |
ceipSecEndPtHistRemotePort | CiscoPort |
CeipSecFailEntry | SEQUENCE |
ceipSecFailIndex | Unsigned32 |
ceipSecFailReason | INTEGER |
ceipSecFailTime | TimeStamp |
ceipSecFailTunnelIndex | CIPsecPhase2TunnelIndex |
ceipSecFailSaSpi | CIPsecSpi |
ceipSecFailPktSrcAddressType | InetAddressType |
ceipSecFailPktSrcAddress | InetAddress |
ceipSecFailPktDstAddressType | InetAddressType |
ceipSecFailPktDstAddress | InetAddress |
ciscoEnhancedIpsecFlowMIB | 1.3.6.1.4.1.9.9.432 |
This is a MIB Module for monitoring the structures and status of IPSec-based networks. The MIB has been designed to be adopted as an IETF standard. Hence vendor-specific features of the IPSec protocol are excluded from this MIB.

Acronyms

The following acronyms are used in this document:

IPsec: Secure IP Protocol
VPN: Virtual Private Network
ISAKMP: Internet Security Association and Key Exchange Protocol
IKE: Internet Key Exchange Protocol
SA: Security Association (ref: rfc2408).
SPI: Security Parameter Index is the pointer or identifier used in accessing SA attributes (ref: rfc2408).
MM: Main Mode - the process of setting up a Phase 1 SA to secure the exchanges required to set up Phase 2 SAs
QM: Quick Mode - the process of setting up Phase 2 Security Associations using a Phase 1 SA.
Phase 1 Tunnel: An ISAKMP SA can be regarded as representing a flow of ISAKMP/IKE traffic. Hence an ISAKMP SA is referred to as a 'Phase 1 Tunnel' in this document.
Control Tunnel: Another term for a Phase 1 Tunnel.
Phase 2 Tunnel: An instance of a non-ISAKMP SA bundle in which all the SAs share the same proxy identifiers (IDii, IDir) and protect the same stream of application traffic. Such an SA bundle is termed a 'Phase 2 Tunnel'. Note that a Phase 2 tunnel may comprise different SA bundles and a different number of SA bundles at different times (due to key refresh).
MTU: Maximum Transmission Unit (of an IPsec tunnel).

History of the MIB

A precursor to this MIB was written by Tivoli and implemented in IBM Nways routers in 1999. During late 1999, Cisco adopted the MIB and together with Tivoli published the IPsec Flow Monitor MIB in IETF IPsec WG in draft-ietf-ipsec-flow-monitoring-mib-00.txt. In 2000, the MIB was Cisco-ized and this draft was implemented as CISCO-IPSEC-FLOW-MONITOR-MIB in IOS and VPN3000 platforms. With the evolution of IKEv2, the MIB was modified and presented to the IPsec WG again in May 2003 in draft-ietf-ipsec-flow-monitoring-mib-02.txt.

With the emergence of multiple IPsec signaling protocols, it became apparent that the signaling aspects of IPsec need to be instrumented separately in their own right. Thus, the IPsec control attributes and metrics were separated out into CISCO-IPSEC-SIGNALING-MIB and CISCO-IKE-FLOW-MIB.

This version of the draft is the version of the draft that models the IPsec data protocol, structures and activity alone.

Overview of MIB

The MIB contains four major groups of objects which are used to manage the IPsec Protocol. These groups include a Levels Group, a Phase-1 Group, a Phase-2 Group, a History Group, a Failure Group and a TRAP Control Group. The following table illustrates the structure of the IPsec MIB.

The Phase 2 group models objects pertaining to IPsec data tunnels.

The History group is to aid applications that do trending analysis.

The Failure group is to enable an operator to do troubleshooting and debugging of the VPN Router. Further, counters are supported to aid detection of potential security violations.

In addition to the three major MIB Groups, there are a number of Notifications. The following table illustrates the name and description of the IPsec TRAPs. |
MODULE-IDENTITY |
ceipSecTunnelEntry | 1.3.6.1.4.1.9.9.432.1.1.2.1 |
Each entry contains the attributes associated with an active IPsec Phase-2 Tunnel. |
Status: current | Access: not-accessible | OBJECT-TYPE | CeipSecTunnelEntry |
ceipSecEndPtEntry | 1.3.6.1.4.1.9.9.432.1.1.3.1 |
An IPsec Phase-2 Tunnel Endpoint entry. |
Status: current | Access: not-accessible | OBJECT-TYPE | CeipSecEndPtEntry |
ceipSecSaEntry | 1.3.6.1.4.1.9.9.432.1.1.4.1 |
Each entry contains the attributes associated with active and expiring IPsec Phase-2 security associations. |
Status: current | Access: not-accessible | OBJECT-TYPE | CeipSecSaEntry |
ceipSecTunnelSaEntry | 1.3.6.1.4.1.9.9.432.1.1.5.1 |
Each entry contains the attributes and statistics associated with an active or expiring IPsec Phase-2 security association. |
Status: current | Access: not-accessible | OBJECT-TYPE | CeipSecTunnelSaEntry |
ceipSecIfTunnelEntry | 1.3.6.1.4.1.9.9.432.1.1.6.1 |
Each entry contains the IPsec Phase-2 Tunnel associated with an interface. |
Status: current | Access: not-accessible | OBJECT-TYPE | CeipSecIfTunnelEntry |
ceipSecTunnelHistEntry | 1.3.6.1.4.1.9.9.432.1.2.2.1 |
Each entry contains the attributes associated with a previously active IPsec Phase-2 Tunnel. |
Status: current | Access: not-accessible | OBJECT-TYPE | CeipSecTunnelHistEntry |
ceipSecEndPtHistEntry | 1.3.6.1.4.1.9.9.432.1.2.3.1 |
Each entry contains the attributes associated with a previously active IPsec Phase-2 Tunnel Endpoint. |
Status: current | Access: not-accessible | OBJECT-TYPE | CeipSecEndPtHistEntry |
ceipSecFailEntry | 1.3.6.1.4.1.9.9.432.1.3.2.1 |
Each entry contains the attributes associated with an IPsec Phase-1 failure. |
Status: current | Access: not-accessible | OBJECT-TYPE | CeipSecFailEntry |
ceipSecFailReason | 1.3.6.1.4.1.9.9.432.1.3.2.1.2 |
The reason for the failure. Possible reasons include:
1 = other
2 = internal error occurred
3 = peer encoding error
4 = proposal failure
5 = protocol use failure
6 = non-existent security association
7 = decryption failure
8 = encryption failure
9 = inbound authentication failure
10 = outbound authentication failure
11 = compression failure
12 = system capacity failure
13 = peer delete request was received
14 = contact with peer was lost
15 = sequence number rolled over
16 = operator requested termination
17 = performance utilization exceeding the threshold. |
Status: current | Access: read-only | OBJECT-TYPE | INTEGER |
other(1), internalError(2), peerEncodingError(3), proposalFailure(4), protocolUseFail(5), nonExistentSa(6), decryptFailure(7), encryptFailure(8), inAuthFailure(9), outAuthFailure(10), compression(11), sysCapExceeded(12), peerDelRequest(13), peerLost(14), seqNumRollOver(15), operRequest(16), performanceUtilization(17) |
ciscoEnhIPsecFlowHistoryGroup | 1.3.6.1.4.1.9.9.432.2.2.3 |
This group consists of objects that pertain to maintenance of history of IPsec Phase 2 activity. |
Status: current | Access: read-only | OBJECT-GROUP |