XEDIA-IPSEC-MIB

File: XEDIA-IPSEC-MIB.mib (51541 bytes)

Imported modules

SNMPv2-SMI SNMPv2-TC SNMPv2-CONF
XEDIA-REG IF-MIB

Imported symbols

MODULE-IDENTITY OBJECT-TYPE Integer32
IpAddress Gauge32 Counter32
TimeTicks TEXTUAL-CONVENTION DisplayString
RowStatus TruthValue MODULE-COMPLIANCE
OBJECT-GROUP xediaMibs ifIndex

Defined Types

Unsigned32  
Gauge32    

IpsecSecurityProfileName  
A name for a security profile.
TEXTUAL-CONVENTION    
  DisplayString Size(1..32)  

IpsecKeyValue  
Cryptographic variable length keys.
TEXTUAL-CONVENTION    
  OCTET STRING Size(16|24)  

IpsecTunnelName  
An administrative name for a tunnel.
TEXTUAL-CONVENTION    
  DisplayString Size(1..32)  

IkeAuthentMethod  
ISAKMP Authentication Method.
TEXTUAL-CONVENTION    
  INTEGER none(0), presharedKey(1), dsaSig(2), rsaSig(3), rsaEncrypt(4)  

IpsecSecurityProfileEntry  
SEQUENCE    
  ipsecSecurityProfileName IpsecSecurityProfileName
  ipsecSecurityProfileProtocol BIT STRING
  ipsecSecurityProfileEncryption INTEGER
  ipsecSecurityProfileAuthentication INTEGER
  ipsecSecurityProfileCompression INTEGER
  ipsecSecurityProfileExpirationTimer Unsigned32
  ipsecSecurityProfileExpirationVolume Unsigned32
  ipsecSecurityProfileInactivityTimer Unsigned32
  ipsecSecurityProfileEnablePfs TruthValue
  ipsecSecurityProfileOakleyGroup INTEGER
  ipsecSecurityProfileAssignmentStatus INTEGER
  ipsecSecurityProfileRowStatus RowStatus

IpsecIfEntry  
SEQUENCE    
  ipsecIfType INTEGER
  ipsecIfRemoteGateway IpAddress
  ipsecIfPresharedKey DisplayString
  ipsecIfCurTunnels Gauge32
  ipsecIfTotTunnels Counter32
  ipsecIfUpTunnels Gauge32
  ipsecIfLastTunnelChange TimeTicks
  ipsecIfCurSAs Gauge32
  ipsecIfTotSAs Counter32
  ipsecIfInErrsInvalidSpi Counter32
  ipsecIfOutDiscardsNoTunnel Counter32
  ipsecIfInCompressedPkts Counter32
  ipsecIfInCompressedOctets Counter32
  ipsecIfOutCompressedPkts Counter32
  ipsecIfOutCompressedOctets Counter32
  ipsecIfIkeAuthentMethod IkeAuthentMethod
  ipsecIfIkeInitiate INTEGER
  ipsecIfIkeKeepaliveUpdate Unsigned32
  ipsecIfIkeKeepaliveExpire Unsigned32
  ipsecIfIkeKeepaliveCancel Unsigned32
  ipsecIfIkeKeepaliveState INTEGER
  ipsecIfPacketsQueued Counter32

IpsecTunnelEntry  
SEQUENCE    
  ipsecTunnelName IpsecTunnelName
  ipsecTunnelType INTEGER
  ipsecTunnelAdminStatus INTEGER
  ipsecTunnelOperStatus INTEGER
  ipsecTunnelLastChange TimeTicks
  ipsecTunnelLocalAddress IpAddress
  ipsecTunnelLocalAddressMask IpAddress
  ipsecTunnelRemoteAddress IpAddress
  ipsecTunnelRemoteAddressMask IpAddress
  ipsecTunnelRemoteGateway IpAddress
  ipsecTunnelSecurityProfile IpsecSecurityProfileName
  ipsecTunnelIkeAuthentMethod IkeAuthentMethod
  ipsecTunnelClientAddressAssign INTEGER
  ipsecTunnelCurSAs Gauge32
  ipsecTunnelTotSAs Counter32
  ipsecTunnelInPkts Counter32
  ipsecTunnelInOctets Counter32
  ipsecTunnelInDiscardsQueFull Counter32
  ipsecTunnelInErrsInvalidMac Counter32
  ipsecTunnelInErrsInvalidSeq Counter32
  ipsecTunnelInErrsInvalidFormat Counter32
  ipsecTunnelOutPkts Counter32
  ipsecTunnelOutOctets Counter32
  ipsecTunnelOutDiscardsStateNotUp Counter32
  ipsecTunnelOutDiscardsNoSA Counter32
  ipsecTunnelOutDiscardsQueFull Counter32
  ipsecTunnelRowStatus RowStatus
  ipsecTunnelInCompressedPkts Counter32
  ipsecTunnelInCompressedOctets Counter32
  ipsecTunnelOutCompressedPkts Counter32
  ipsecTunnelOutCompressedOctets Counter32

IpsecSaEntry  
SEQUENCE    
  ipsecSaName DisplayString
  ipsecSaIndex Unsigned32
  ipsecSaSpi Unsigned32
  ipsecSaCreation INTEGER
  ipsecSaDirection INTEGER
  ipsecSaProtocol INTEGER
  ipsecSaEncryptionKey IpsecKeyValue
  ipsecSaAuthenticationKey IpsecKeyValue
  ipsecSaInOutPkts Counter32
  ipsecSaInOutOctets Counter32
  ipsecSaRowStatus RowStatus

Defined Values

xediaIpsecMIB 1.3.6.1.4.1.838.3.14
This module defines objects for management of Xedia's IP security (IPsec) Virtual Private Network (VPN) component.
MODULE-IDENTITY    

ipsecObjects 1.3.6.1.4.1.838.3.14.1
OBJECT IDENTIFIER    

ipsecConformance 1.3.6.1.4.1.838.3.14.2
OBJECT IDENTIFIER    

ipsecSubsystemGroup 1.3.6.1.4.1.838.3.14.1.1
OBJECT IDENTIFIER    

ipsecTransformLayerType 1.3.6.1.4.1.838.3.14.1.1.1
The type of IPSec Transform Layer currently active (i.e., software only, hardware assisted).
Status: current Access: read-only
OBJECT-TYPE    
  DisplayString  

ipsecAlgorithms 1.3.6.1.4.1.838.3.14.1.1.2
The IPSec algorithms currently available.
Status: current Access: read-only
OBJECT-TYPE    
  DisplayString  

ipsecSecurityProfileTable 1.3.6.1.4.1.838.3.14.1.2
This table defines a set of security attributes that will be used to describe a security association (SA). There may be many SAs that use the same security profile.
Status: current Access: not-accessible
OBJECT-TYPE    
  SEQUENCE OF  
    IpsecSecurityProfileEntry

ipsecSecurityProfileEntry 1.3.6.1.4.1.838.3.14.1.2.1
The attributes that make up a single security profile. New entries are created using the ipsecSecurityProfileRowStatus object.
Status: current Access: not-accessible
OBJECT-TYPE    
  IpsecSecurityProfileEntry  

ipsecSecurityProfileName 1.3.6.1.4.1.838.3.14.1.2.1.1
The name of the security profile. For example 'Medium-Security' or 'Maximum-Security'.
Status: current Access: not-accessible
OBJECT-TYPE    
  IpsecSecurityProfileName  

ipsecSecurityProfileProtocol 1.3.6.1.4.1.838.3.14.1.2.1.2
The IPsec security protocol(s). When the combination of 'ah(1)' and 'esp(0)' is used, the authentication protocol specified in ipsecSecurityProfileAuthentication is used for AH only and no authentication is performed for ESP.
Status: current Access: read-create
OBJECT-TYPE    
  BIT STRING esp(0), ah(1), ipcomp(2)  

ipsecSecurityProfileEncryption 1.3.6.1.4.1.838.3.14.1.2.1.3
The encryption protocol. In the first release we support 'des(3)', 'des3(4)', and 'null(12)' only.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER des(2), des3(3), null(11)  

ipsecSecurityProfileAuthentication 1.3.6.1.4.1.838.3.14.1.2.1.4
The authentication protocol. Used for ESP or AH only. Note that when ipsecSecurityProfileAuthentication is not 'null(1)', anti-replay services are also implemented.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER md5(1), sha1(2), null(99)  

ipsecSecurityProfileCompression 1.3.6.1.4.1.838.3.14.1.2.1.5
The compression method. This is used when ipsecSecurityProfileProtocol is set to 'ipcomp(2)' or both 'esp(0)' and 'ipcomp(2)'. The default is 'lzs(3)'.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER oui(1), deflate(2), lzs(3), v42bis(4), null(99)  

ipsecSecurityProfileExpirationTimer 1.3.6.1.4.1.838.3.14.1.2.1.6
The number of seconds before the SA expires. When 0, the SA expiration timer is disabled. The default is 24*3600 = 86400 seconds (i.e., 24 hours). The minimum allowed expiration timer value is 5*60 = 300 seconds (i.e., 5 minutes). The maximum value is 86400 seconds (i.e., 24 hours). Rekeying begins 1 minute prior to SA expiration.
Status: current Access: read-create
OBJECT-TYPE    
  Unsigned32 0 | 300..86400  

ipsecSecurityProfileExpirationVolume 1.3.6.1.4.1.838.3.14.1.2.1.7
The number of KBytes before re-keying. When 0, SA expiration volume is disabled. The default is 0. The minimum allowed expiration volume value is 100 KBytes. The maximum is 1000000 KBytes (i.e., 10 GBytes). Rekeying begins when 95% of the volume limit has been used up.
Status: current Access: read-create
OBJECT-TYPE    
  Unsigned32 0 | 100..1000000  

ipsecSecurityProfileInactivityTimer 1.3.6.1.4.1.838.3.14.1.2.1.8
The number of seconds of inactivity before the SA is removed. When 0, SA inactivity timer is disabled. The minimum allowed expiration timer value is 10*60 = 600 seconds (i.e., 10 minutes). The maximum value is 86400 seconds (i.e., 24 hours). Note that the inactivity timer, if enabled, must be less than the expiration timer minus one minute, to ensure it will expire for an idle SA prior to the start of rekeying.
Status: current Access: read-create
OBJECT-TYPE    
  Unsigned32 0 | 600..86400  

ipsecSecurityProfileEnablePfs 1.3.6.1.4.1.838.3.14.1.2.1.9
When enabled, PFS is enforced. This requires generation of new key material for each protocol SA (i.e., non-ISAKMP SA). The default is 'false(2)'.
Status: current Access: read-create
OBJECT-TYPE    
  TruthValue  

ipsecSecurityProfileOakleyGroup 1.3.6.1.4.1.838.3.14.1.2.1.10
Defines 1st or 2nd Oakley group used by ISAKMP. The default is 'first(1)'.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER first(1), second(2)  

ipsecSecurityProfileAssignmentStatus 1.3.6.1.4.1.838.3.14.1.2.1.11
When status is 'assigned(1)', the security profile is referenced by one or more SAs. Modifications and deletions are allowed for unassigned security profiles only.
Status: current Access: read-only
OBJECT-TYPE    
  INTEGER assigned(1), unassigned(2)  

ipsecSecurityProfileRowStatus 1.3.6.1.4.1.838.3.14.1.2.1.12
This object allows entries to be created and deleted in this table. Note that entries with ipsecSecurityProfileAssignmentStatus of 'assigned(1)' cannot be deleted.
Status: current Access: read-create
OBJECT-TYPE    
  RowStatus  

ipsecIfTable 1.3.6.1.4.1.838.3.14.1.3
Information associated with an IPSec Interface.
Status: current Access: not-accessible
OBJECT-TYPE    
  SEQUENCE OF  
    IpsecIfEntry

ipsecIfEntry 1.3.6.1.4.1.838.3.14.1.3.1
Information about a single IPSec Interface.
Status: current Access: not-accessible
OBJECT-TYPE    
  IpsecIfEntry  

ipsecIfType 1.3.6.1.4.1.838.3.14.1.3.1.1
The type of IPSec interface.
Status: current Access: read-only
OBJECT-TYPE    
  INTEGER dialin(1), siteToSite(2)  

ipsecIfRemoteGateway 1.3.6.1.4.1.838.3.14.1.3.1.2
The IP address of the remote security gateway.
Status: current Access: read-write
OBJECT-TYPE    
  IpAddress  

ipsecIfPresharedKey 1.3.6.1.4.1.838.3.14.1.3.1.3
Specifies the pre-shared key to be used by ISAKMP for authentication.
Status: current Access: read-write
OBJECT-TYPE    
  DisplayString Size(1..32)  

ipsecIfCurTunnels 1.3.6.1.4.1.838.3.14.1.3.1.4
The number of tunnels currently configured on the interface.
Status: current Access: read-only
OBJECT-TYPE    
  Gauge32  

ipsecIfTotTunnels 1.3.6.1.4.1.838.3.14.1.3.1.5
The total number of tunnels created on the interface since the interface was created.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecIfUpTunnels 1.3.6.1.4.1.838.3.14.1.3.1.6
The number of tunnels in the 'Up' state on the interface.
Status: current Access: read-only
OBJECT-TYPE    
  Gauge32  

ipsecIfLastTunnelChange 1.3.6.1.4.1.838.3.14.1.3.1.7
The value of sysUpTime the last time a tunnel on the interface changed status (ipsecTunnelOperStatus). This object indicates to the manager when it needs to repoll for new tunnel configuration and status.
Status: current Access: read-only
OBJECT-TYPE    
  TimeTicks  

ipsecIfCurSAs 1.3.6.1.4.1.838.3.14.1.3.1.8
The current number of security associations (SAs) for all the tunnels on this interface. Typically there will be 2 SAs (1 inbound and 1 outbound) for each tunnel in the 'up' state. During dynamic tunnel rekeying there may be 0 to 4 SAs on a tunnel since IKE removes the current SAs and adds new SAs.
Status: current Access: read-only
OBJECT-TYPE    
  Gauge32  

ipsecIfTotSAs 1.3.6.1.4.1.838.3.14.1.3.1.9
The total number of security associations (SAs) for all tunnels created on the interface since the interface was configured. For interfaces with dynamic tunnels, this object gives an indication of how many IKE rekeying events have occurred. Every time a dynamic tunnel successfully rekeys, new inbound and outbound SAs are created and this object is incremented by 2.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecIfInErrsInvalidSpi 1.3.6.1.4.1.838.3.14.1.3.1.10
The total number of IPSec packets received which contained an invalid SPI (Security Parameter Index) and therefore could not be associated with a tunnel nor a specific interface.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecIfOutDiscardsNoTunnel 1.3.6.1.4.1.838.3.14.1.3.1.11
The number of packets that could not be sent out a tunnel because the tunnel lookup failed.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecIfInCompressedPkts 1.3.6.1.4.1.838.3.14.1.3.1.12
The total number of compressed packets received.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecIfInCompressedOctets 1.3.6.1.4.1.838.3.14.1.3.1.13
The total number of bytes after decompression in compressed packets received.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecIfOutCompressedPkts 1.3.6.1.4.1.838.3.14.1.3.1.14
The total number of compressed packets transmitted.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecIfOutCompressedOctets 1.3.6.1.4.1.838.3.14.1.3.1.15
The total number of bytes prior to compression in compressed packets transmitted.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecIfIkeAuthentMethod 1.3.6.1.4.1.838.3.14.1.3.1.16
Specifies the authentication method which will be used by this gateway to establish dynamic IKE tunnel connections. Note that the ipsecTunnelAuthentMethod represents the authentication method used to bring up the current tunnel connection.
Status: current Access: read-write
OBJECT-TYPE    
  IkeAuthentMethod  

ipsecIfIkeInitiate 1.3.6.1.4.1.838.3.14.1.3.1.17
Specifies when IKE will initiate dynamic, site to site tunnel establishment with the remote gateway. If 'automatic(1)', the gateway attempts to negotiate tunnels as soon as they are configured and enabled. If 'outboundTraffic(2)', the gateway attempts to negotiate tunnels only when traffic is routed out the tunnel. If 'disabled(3)', the gateway never initiates tunnel establishment. In all cases, the gateway will participate in tunnel negotiation when initiated by the remote gateway. Note that this object is 'disabled(3)' for dialin group and client tunnels since clients always initiate.
Status: current Access: read-write
OBJECT-TYPE    
  INTEGER disabled(0), automatic(1), outboundTraffic(2)  

ipsecIfIkeKeepaliveUpdate 1.3.6.1.4.1.838.3.14.1.3.1.18
IKE keepalive protocol update timeout value. When set to 0, the IKE keepalive protocol is disabled. Default is set to disabled. Minimum value is 10 sec, maximum value is 3600 sec. This value specifies frequency in seconds of IKE keepalive update messages to be generated.
Status: current Access: read-write
OBJECT-TYPE    
  Unsigned32 0 | 10..3600  

ipsecIfIkeKeepaliveExpire 1.3.6.1.4.1.838.3.14.1.3.1.19
IKE keepalive protocol expire retry counter value. Default is set to 4. Minimum value is 2, maximum value is 10. This value specifies the number of IKE keepalive update messages missed before the remote gateway/end system is declared to be down.
Status: current Access: read-write
OBJECT-TYPE    
  Unsigned32 2..10  

ipsecIfIkeKeepaliveCancel 1.3.6.1.4.1.838.3.14.1.3.1.20
IKE keepalive protocol cancel retry counter value. Default is set to 6. Minimum value is 2, maximum value is 10. This value specifies the number of IKE keepalive update messages that must be missed immediately after the IKE keepalive protocol starts running for the protocol to be disabled (likely reason: the remote gateway does not support, or has disabled, the IKE keepalive protocol).
Status: current Access: read-write
OBJECT-TYPE    
  Unsigned32 2..10  

ipsecIfIkeKeepaliveState 1.3.6.1.4.1.838.3.14.1.3.1.21
IKE keepalive state.
Status: current Access: read-only
OBJECT-TYPE    
  INTEGER inactive(1), running(2), failed(3)  

ipsecIfPacketsQueued 1.3.6.1.4.1.838.3.14.1.3.1.22
The total number of packets that are currently queued for all dynamic site-to-site tunnels created on the interface. These packets will remain queued for a particular tunnel until that tunnel state transitions to DOWN or UP.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelTable 1.3.6.1.4.1.838.3.14.1.4
The tunnel table is used to configure and monitor VPN tunnels. There are two cases here: site-to-site and remote dial-in.
For site-to-site VPN the entry in the tunnel table must be configured. There are two types of tunnels: static tunnels and dynamic tunnels. When dynamic tunnels are configured and become operational, the ISAKMP protocol creates an SA pair, one inbound and one outbound. When static tunnels are configured, inbound and outbound SAs need to be created through network management. In this case key and peer SPI (security profile index) must be set. Static SAs are like ATM PVCs. Dynamic SAs are like ATM SVCs.
All dial-in clients are organized into user groups. One or more users (dial-in clients) may be in the group. All dial-in users that are members of the same group get the same security attributes. Actual users may be either configured internally (in the ipsecRemoteClient table) or in an external database such as an X.500 directory or Radius, etc. The administrator has the option of defining a Default group. Users that do not have any User group membership are assigned to the Default group.
For remote dial-in VPNs, the tunnel entries are first statically configured for every defined user group, for example XediaEngineering, etc. Tunnels for individual users in the group are created automatically when a user of the group initiates a connection. These automatically created remote client tunnels are 'children' of a statically configured 'parent' user group tunnel. The name of an automatically created dial-in tunnel (which must be unique) is constructed as follows: tunnelName.userName, for example XediaEngineering.schwartz.
For site-to-site and dial-in-group tunnel VPNs the objects' access is as specified. For dial-in 'children' tunnel VPNs, which are automatically created by the system, all objects are read-only except for ipsecTunnelAdminStatus. This object has write access, and setting it to down tears down the user's dial-in session, i.e. all security associations for this dial-in client will be deleted.
Status: current Access: not-accessible
OBJECT-TYPE    
  SEQUENCE OF  
    IpsecTunnelEntry

ipsecTunnelEntry 1.3.6.1.4.1.838.3.14.1.4.1
Information about a tunnel. Tunnels are manually created using the ipsecTunnelRowStatus object.
Status: current Access: not-accessible
OBJECT-TYPE    
  IpsecTunnelEntry  

ipsecTunnelName 1.3.6.1.4.1.838.3.14.1.4.1.1
Name of the tunnel. For example, Boston-to-LA (site-to-site), XediaEngineering (remote client dial-in group), etc. The name must be unique in the system and it is used as the tunnel entry index. When new tunneling tables are defined (i.e. L2TP, etc.) the tunnel name still has to be unique in the system.
Status: current Access: not-accessible
OBJECT-TYPE    
  IpsecTunnelName  

ipsecTunnelType 1.3.6.1.4.1.838.3.14.1.4.1.2
The tunnel type. When 'dialinGroup(1)', 'dialinClient(2)' or 'siteToSiteDynamic(4)' is specified, ISAKMP is responsible for SA creation. Otherwise, when 'siteToSiteStatic(2)' is specified, SAs must be configured manually. This definition implies that all dial-in tunnels (and SAs created for them) are always dynamic. Tunnels of type 'dialinGroup(1)' are created by the administrator and are read-write. They have a range of remote client addresses. When a dial-in client connects within the remote client range of a parent tunnel, a read-only 'dialinClient(2)' tunnel is dynamically created.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER dialinGroup(1), dialinClient(2), siteToSiteStatic(3), siteToSiteDynamic(4)  

ipsecTunnelAdminStatus 1.3.6.1.4.1.838.3.14.1.4.1.3
This object is the desired state of the tunnel and is similar to interface administrative state. The default is 'up(1)'. When the ipsecTunnelAdminStatus is set to 'up(1)' for a dialin parent tunnel, it enables remote clients in this group to connect to the VPN gateway. When the ipsecTunnelAdminStatus is set to 'down(2)' for a dialin parent tunnel, it disables remote clients in this group from connecting to the VPN gateway. When tunnelAdminStatus is set to up for siteToSiteStatic, it enables use of statically configured SAs. Setting it to down effectively disables use of statically configured SAs. When tunnelAdminStatus is set to up for siteToSiteDynamic, it enables the VPN gateway to start establishment of SAs via ISAKMP. If ISAKMP fails to set up an SA (for example, when the peer is not ready), it will periodically retry SA establishment indefinitely until it succeeds. Setting it to down disables initiation of SAs and also disables responding to remote ISAKMP initiation requests.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER up(1), down(2)  

ipsecTunnelOperStatus 1.3.6.1.4.1.838.3.14.1.4.1.4
This is the operational state (the actual state) of the tunnel. This object is similar to interface operational state.
Status: current Access: read-only
OBJECT-TYPE    
  INTEGER up(1), down(2), initializing(3)  

ipsecTunnelLastChange 1.3.6.1.4.1.838.3.14.1.4.1.5
The value of sysUpTime the last time the ipsecTunnelOperStatus changed. On re-initialization of the system, this object contains a zero value. When a new tunnel is created, this will be initialized to the value of sysUpTime when the entry was created.
Status: current Access: read-only
OBJECT-TYPE    
  TimeTicks  

ipsecTunnelLocalAddress 1.3.6.1.4.1.838.3.14.1.4.1.6
The local address and mask define the local trusted subnet (or single host if mask is all 1's) for the tunnel. The local trusted subnet or host identifies 'source' addresses for the tunnel. The local trusted address(es) together with the remote trusted address(es) identify the traffic flow into the tunnel. This attribute and the mask default to 0 which specifies any source address for the tunnel.
Status: current Access: read-create
OBJECT-TYPE    
  IpAddress  

ipsecTunnelLocalAddressMask 1.3.6.1.4.1.838.3.14.1.4.1.7
The local trusted address mask of the tunnel. Refer to ipsecTunnelLocalAddress.
Status: current Access: read-create
OBJECT-TYPE    
  IpAddress  

ipsecTunnelRemoteAddress 1.3.6.1.4.1.838.3.14.1.4.1.8
The remote address and mask define the remote trusted subnet (or single host if mask is all 1's) for the tunnel. The remote trusted subnet or host identifies 'destination' addresses for the tunnel. The remote trusted address(es) together with the local trusted address(es) identify the traffic flow into the tunnel. This attribute and the mask default to 0 which specifies any destination address for the tunnel. For 'dialinGroup' tunnels with ipsecTunnelClientAddressAssign set to 'internalPool', the remote subnet is used as a pool of addresses which the gateway allocates to dialin clients. In this case, the remote subnet must be specified. For 'dialinClient(2)' tunnels this object gives the enterprise address of the client aka the 'inner' client address within the tunnel as opposed to the 'outer' Internet address which is given by ipsecTunnelRemoteGateway.
Status: current Access: read-create
OBJECT-TYPE    
  IpAddress  

ipsecTunnelRemoteAddressMask 1.3.6.1.4.1.838.3.14.1.4.1.9
The remote trusted address mask of the tunnel. Refer to ipsecTunnelRemoteAddress. For dialin client tunnels, the ipsecTunnelRemoteAddress and ipsecTunnelRemoteMask represent the client's assigned subnet mask.
Status: current Access: read-create
OBJECT-TYPE    
  IpAddress  

ipsecTunnelRemoteGateway 1.3.6.1.4.1.838.3.14.1.4.1.10
The IP address of the remote security gateway. For 'siteToSite' tunnels, this object is a copy of the associated ipsecIfRemoteGateway. For 'dialinClient' tunnels, this is the 'outer' Internet address of the client as opposed to the 'inner' enterprise address which is given by ipsecTunnelRemoteAddress.
Status: current Access: read-only
OBJECT-TYPE    
  IpAddress  

ipsecTunnelSecurityProfile 1.3.6.1.4.1.838.3.14.1.4.1.11
Defines which Security Profile to use for this tunnel. This is the name of a Security Profile entry in the Security Profile table.
Status: current Access: read-create
OBJECT-TYPE    
  IpsecSecurityProfileName  

ipsecTunnelIkeAuthentMethod 1.3.6.1.4.1.838.3.14.1.4.1.12
Defines the authentication method that was used to establish the current IKE tunnel connection. Not applicable for static tunnels. Note that ipsecIfIkeAuthentMethod specifies the method with which the local system will attempt to initiate a connection.
Status: current Access: read-only
OBJECT-TYPE    
  IkeAuthentMethod  

ipsecTunnelClientAddressAssign 1.3.6.1.4.1.838.3.14.1.4.1.13
Address assignment method is configured for dialin group tunnels and determines how clients within the group will be assigned an enterprise IP address and subnet. The enterprise address is the 'inner' tunneled address as opposed to the 'outer' Internet address which is typically assigned by the client's local ISP. If 'disabled(0)', clients are preconfigured with an address and subnet, so no assignment occurs. If 'internalPool(1)', clients are assigned an address and subnet from the dialin group's remote address/mask. If 'radius(2)', clients' address and subnet are given by the RADIUS server as part of the user's information. This object is read-only for clients and simply reflects the address assignment value of the dialin group. This object is not applicable for site to site tunnels and will always read 'disabled(0)'.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER disabled(1), internalPool(3), radius(4)  

ipsecTunnelCurSAs 1.3.6.1.4.1.838.3.14.1.4.1.14
The current number of security associations (SAs) for this tunnel. Typically there will be 2 SAs (1 inbound and 1 outbound) for a tunnel in the 'up' state. During dynamic tunnel rekeying there may be 0 to 4 SAs on the tunnel since IKE removes the current SAs and adds new SAs.
Status: current Access: read-only
OBJECT-TYPE    
  Gauge32  

ipsecTunnelTotSAs 1.3.6.1.4.1.838.3.14.1.4.1.15
The total number of security associations (SAs) created for this tunnel since the tunnel was configured. For dynamic tunnels, this object gives an indication of how many IKE rekeying events have occurred. Every time a dynamic tunnel successfully rekeys, new inbound and outbound SAs are created and this object is incremented by 2.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelInPkts 1.3.6.1.4.1.838.3.14.1.4.1.16
The total number of packets received on the tunnel since it was created.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelInOctets 1.3.6.1.4.1.838.3.14.1.4.1.17
The total number of bytes received on the tunnel since it was created.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelInDiscardsQueFull 1.3.6.1.4.1.838.3.14.1.4.1.18
The total number of packets received on the tunnel which had to be dropped because of a full queue.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelInErrsInvalidMac 1.3.6.1.4.1.838.3.14.1.4.1.19
The total number of packets received on the tunnel with invalid authentication data.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelInErrsInvalidSeq 1.3.6.1.4.1.838.3.14.1.4.1.20
The total number of packets received on the tunnel with an invalid sequence number.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelInErrsInvalidFormat 1.3.6.1.4.1.838.3.14.1.4.1.21
The total number of packets received on the tunnel with a valid sequence number and authentication data (if applicable), but an invalid packet format, for instance if the packet has an invalid length or next header.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelOutPkts 1.3.6.1.4.1.838.3.14.1.4.1.22
The total number of packets transmitted out the tunnel since it was created.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelOutOctets 1.3.6.1.4.1.838.3.14.1.4.1.23
The total number of bytes transmitted out the tunnel since it was created.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelOutDiscardsStateNotUp 1.3.6.1.4.1.838.3.14.1.4.1.24
The total number of packets that could not be sent out the tunnel because the tunnel state was not up.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelOutDiscardsNoSA 1.3.6.1.4.1.838.3.14.1.4.1.25
The total number of packets that could not be sent out the tunnel because there was no security association (SA).
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelOutDiscardsQueFull 1.3.6.1.4.1.838.3.14.1.4.1.26
The total number of packets that could not be sent out the tunnel because the transform engine's queue was full.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelRowStatus 1.3.6.1.4.1.838.3.14.1.4.1.27
This object allows entries to be created and deleted in this table.
Status: current Access: read-create
OBJECT-TYPE    
  RowStatus  

ipsecTunnelInCompressedPkts 1.3.6.1.4.1.838.3.14.1.4.1.28
The total number of compressed packets received on the tunnel since it was created.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelInCompressedOctets 1.3.6.1.4.1.838.3.14.1.4.1.29
The total number of bytes after decompression in compressed packets received on the tunnel since it was created.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelOutCompressedPkts 1.3.6.1.4.1.838.3.14.1.4.1.30
The total number of compressed packets transmitted out the tunnel since it was created.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecTunnelOutCompressedOctets 1.3.6.1.4.1.838.3.14.1.4.1.31
The total number of bytes prior to compression in compressed packets transmitted out the tunnel since it was created.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecSaTable 1.3.6.1.4.1.838.3.14.1.5
Security Association (SA) table. Each entry in the table is a Security Association. SAs are associated with a single IPSec tunnel or transport and indexed accordingly. SAs associated with a tunnel will have the same ifIndex and name as the tunnel. SAs associated with a transport have a zero ifIndex and the same name as the transport. Dynamic site-to-site and dialin-client tunnels have dynamic SAs created dynamically by ISAKMP. Dialin-group tunnels do not have associated SAs since these represent a group of dialin-client tunnels which individually have SAs. Static tunnels have static SAs created manually.
Status: current Access: not-accessible
OBJECT-TYPE    
  SEQUENCE OF  
    IpsecSaEntry

ipsecSaEntry 1.3.6.1.4.1.838.3.14.1.5.1
Information about a specific Security Association.
Status: current Access: not-accessible
OBJECT-TYPE    
  IpsecSaEntry  

ipsecSaName 1.3.6.1.4.1.838.3.14.1.5.1.1
The name of the tunnel or transport that this Security Association is associated with.
Status: current Access: not-accessible
OBJECT-TYPE    
  DisplayString Size(1..32)  

ipsecSaIndex 1.3.6.1.4.1.838.3.14.1.5.1.2
A numeric index to allow multiple Security Associations per tunnel or transport.
Status: current Access: not-accessible
OBJECT-TYPE    
  Unsigned32  

ipsecSaSpi 1.3.6.1.4.1.838.3.14.1.5.1.3
Security profile index. For static or dynamic inbound SAs, SPI is selected by us. For dynamic outbound SAs, SPI is selected by peer. For static outbound SAs, SPI is manually configured.
Status: current Access: read-create
OBJECT-TYPE    
  Unsigned32  

ipsecSaCreation 1.3.6.1.4.1.838.3.14.1.5.1.4
Specifies how the SA was created. Manually configured SAs will have the value static(1). Dynamic SAs, such as those created by key management protocols such as ISAKMP, will have the value dynamic(2).
Status: current Access: read-only
OBJECT-TYPE    
  INTEGER static(1), dynamic(2)  

ipsecSaDirection 1.3.6.1.4.1.838.3.14.1.5.1.5
SA direction. Traffic SAs are unidirectional whereas key management protocol SAs such as ISAKMP are bidirectional.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER ipSecInbound(1), ipSecOutbound(2)  

ipsecSaProtocol 1.3.6.1.4.1.838.3.14.1.5.1.6
Specifies the SA protocol type.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER isakmp(1), ah(2), esp(3), ipcomp(4)  

ipsecSaEncryptionKey 1.3.6.1.4.1.838.3.14.1.5.1.7
The SA's encryption key. For a dynamic SA, the encryption key is negotiated by the key management protocol such as ISAKMP and is not writeable. For static SAs, the keys are manually configured.
Status: current Access: read-create
OBJECT-TYPE    
  IpsecKeyValue  

ipsecSaAuthenticationKey 1.3.6.1.4.1.838.3.14.1.5.1.8
For dynamic SAs, the authentication keys have been negotiated by ISAKMP. For static SAs, the keys have been configured. For a static SA this is a read-create object. For a dynamic SA the object is not accessible.
Status: current Access: read-create
OBJECT-TYPE    
  IpsecKeyValue  

ipsecSaInOutPkts 1.3.6.1.4.1.838.3.14.1.5.1.9
It counts the total number of frames since the SA was created. For an inbound SA it represents received frames. For an outbound SA it represents transmitted frames. For an isakmp SA it represents both received and transmitted frames.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecSaInOutOctets 1.3.6.1.4.1.838.3.14.1.5.1.10
It counts the total number of bytes since the SA was created. For an inbound SA it represents received bytes. For an outbound SA it represents transmitted bytes. For an isakmp SA it represents both received and transmitted bytes.
Status: current Access: read-only
OBJECT-TYPE    
  Counter32  

ipsecSaRowStatus 1.3.6.1.4.1.838.3.14.1.5.1.11
This object allows entries to be created and deleted in this table. The only supported values are active(1), createAndGo(4), and destroy(4).
Status: current Access: read-create
OBJECT-TYPE    
  RowStatus  

ipsecCompliances 1.3.6.1.4.1.838.3.14.2.1
OBJECT IDENTIFIER    

ipsecGroups 1.3.6.1.4.1.838.3.14.2.2
OBJECT IDENTIFIER    

ipsecCompliance 1.3.6.1.4.1.838.3.14.2.1.1
The compliance statement for all agents that support this MIB. A compliant agent implements all objects defined in this MIB.
Status: current Access: read-create
MODULE-COMPLIANCE    

ipsecAllGroup 1.3.6.1.4.1.838.3.14.2.2.1
The set of all accessible objects in this MIB.
Status: current Access: read-create
OBJECT-GROUP