-- *------------------------------------------------------------------ -- * CISCO-ENHANCED-IPSEC-FLOW-MIB.my: -- * Enhanced IPsec Flow Monitoring MIB. -- * -- * August 2004, S Ramakrishnan, John Fan -- * -- * Copyright (c) 2004 by cisco Systems, Inc. -- * All rights reserved. -- *------------------------------------------------------------------ CISCO-ENHANCED-IPSEC-FLOW-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Counter32, Counter64, Gauge32, Unsigned32 FROM SNMPv2-SMI TimeStamp, TimeInterval, TruthValue FROM SNMPv2-TC MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF InetAddressType, InetAddress FROM INET-ADDRESS-MIB SnmpAdminString FROM SNMP-FRAMEWORK-MIB CiscoIpProtocol, CiscoPort FROM CISCO-TC CIPsecEncryptionKeySize, CIPsecControlProtocol, CIPsecDiffHellmanGrp, CIPsecEncapMode, CIPsecEncryptAlgorithm, CIPsecSpi, CIPsecAuthAlgorithm, CIPsecCompAlgorithm, CIPsecEndPtType, CIPsecNATTraversalMode, CIPsecPhase1TunnelIndexOrZero, CIPsecPhase2TunnelIndex, CIPsecPhase2SaDirection, CIPsecProtocol, CIPsecPmtu, CIPsecTunnelStatus FROM CISCO-IPSEC-TC ciscoMgmt FROM CISCO-SMI ifIndex, InterfaceIndex FROM IF-MIB; ciscoEnhancedIpsecFlowMIB MODULE-IDENTITY LAST-UPDATED "200501120000Z" ORGANIZATION "Cisco Systems, Inc." CONTACT-INFO " Cisco Systems Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 USA Tel: +1 800 553-NETS E-mail: cs-ipsecmib@external.cisco.com " DESCRIPTION " This is a MIB Module for monitoring the structures and status of IPSec-based networks. The MIB has been designed to be adopted as an IETF standard. Hence vendor-specific features of IPSec protocol are excluded from this MIB. Acronyms The following acronyms are used in this document: IPsec: Secure IP Protocol VPN: Virtual Private Network ISAKMP: Internet Security Association and Key Exchange Protocol IKE: Internet Key Exchange Protocol SA: Security Association (ref: rfc2408). SPI: Security Parameter Index is the pointer or identifier used in accessing SA attributes (ref: rfc2408). MM: Main Mode - the process of setting up a Phase 1 SA to secure the exchanges required to setup Phase 2 SAs QM: Quick Mode - the process of setting up Phase 2 Security Associations using a Phase 1 SA. Phase 1 Tunnel: An ISAKMP SA can be regarded as representing a flow of ISAKMP/IKE traffic. Hence an ISAKMP is referred to as a 'Phase 1 Tunnel' in this document. Control Tunnel: Another term for a Phase 1 Tunnel. Phase 2 Tunnel: An instance of a non-ISAKMP SA bundle in which all the SA share the same proxy identifiers (IDii,IDir) protect the same stream of application traffic. Such an SA bundle is termed a 'Phase 2 Tunnel'. Note that a Phase 2 tunnel may comprise different SA bundles and different number of SA bundles at different times (due to key refresh). MTU: Maximum Transmission Unit (of an IPsec tunnel). History of the MIB A precursor to this MIB was written by Tivoli and implemented in IBM Nways routers in 1999. During late 1999, Cisco adopted the MIB and together with Tivoli publised the IPsec Flow Monitor MIB in IETF IPsec WG in draft-ietf-ipsec-flow-monitoring-mib-00.txt. In 2000, the MIB was Cisco-ized and implemented this draft as CISCO-IPSEC-FLOW-MONITOR-MIB in IOS and VPN3000 platforms. With the evolution of IKEv2, the MIB was modified and presented to the IPsec WG again in May 2003 in draft-ietf-ipsec-flow-monitoring-mib-02.txt. With the emergence of multiple IPsec signaling protocols, it became apparent that the signaling aspects of IPsec need to be instrumented separately in their own right. Thus, the IPsec control attributes and metrics were separated out into CISCO-IPSEC-SIGNALING-MIB and CISCO-IKE-FLOW-MIB. This version of the draft is the version of the draft that models that IPsec data protocol, structures and activity alone. Overview of MIB The MIB contains four major groups of objects which are used to manage the IPsec Protocol. These groups include a Levels Group, a Phase-1 Group, a Phase-2 Group, a History Group, a Failure Group and a TRAP Control Group. The following table illustrates the structure of the IPsec MIB. The Phase 2 group models objects pertaining to IPsec data tunnels. The History group is to aid applications that do trending analysis. The Failure group is to enable an operator to do troubleshooting and debugging of the VPN Router. Further, counters are supported to aid detection of potential security violations. In addition to the three major MIB Groups, there are a number of Notifications. The following table illustrates the name and description of the IPsec TRAPs. " REVISION "200501120000Z" DESCRIPTION "Added a new table, ceipSecTunnelSaTable" REVISION "200408310000Z" DESCRIPTION " Initial version of this module. " ::= { ciscoMgmt 432 } ciscoEnhancedIpsecFlowMIBNotifs OBJECT IDENTIFIER ::= { ciscoEnhancedIpsecFlowMIB 0} ciscoEnhancedIpsecFlowMIBObjects OBJECT IDENTIFIER ::= { ciscoEnhancedIpsecFlowMIB 1 } ciscoEnhancedIpsecFlowMIBConform OBJECT IDENTIFIER ::= { ciscoEnhancedIpsecFlowMIB 2 } ceipSecPhaseTwo OBJECT IDENTIFIER ::= { ciscoEnhancedIpsecFlowMIBObjects 1 } ceipSecHistory OBJECT IDENTIFIER ::= { ciscoEnhancedIpsecFlowMIBObjects 2 } ceipSecFailures OBJECT IDENTIFIER ::= { ciscoEnhancedIpsecFlowMIBObjects 3 } ceipSecNotificationCntl OBJECT IDENTIFIER ::= { ciscoEnhancedIpsecFlowMIBObjects 5 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- IPsec Phase-2 Group -- -- This group consists of: -- 1) IPsec Phase-2 Global Statistics -- 2) IPsec Phase-2 Tunnel Table -- 3) IPsec Phase-2 Endpoint Table -- 4) IPsec Phase-2 Security Protection Index Table -- 4) IPsec Phase-2 Security Protection Index Objects -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec Phase-2 Global Tunnel Statistics -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecGlobalStats OBJECT IDENTIFIER ::= { ceipSecPhaseTwo 1 } ceipSecGlobalActiveTunnels OBJECT-TYPE SYNTAX Gauge32 UNITS "Tunnels" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of currently active IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 1 } ceipSecGlobalPreviousTunnels OBJECT-TYPE SYNTAX Counter64 UNITS "Tunnels" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of previously active IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 2 } ceipSecGlobalInOctets OBJECT-TYPE SYNTAX Counter64 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of octets received by all current and previous IPsec Phase-2 Tunnels. This value is accumulated BEFORE determining whether or not the packet should be decompressed." ::= { ceipSecGlobalStats 3 } ceipSecGlobalInDecompOctets OBJECT-TYPE SYNTAX Counter64 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of decompressed octets received by all current and previous IPsec Phase-2 Tunnels. This value is accumulated AFTER the packet is decompressed. If compression is not being used, this value will match the value of ceipSecGlobalInOctets." ::= { ceipSecGlobalStats 4 } ceipSecGlobalInPkts OBJECT-TYPE SYNTAX Counter64 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 5 } ceipSecGlobalInDrops OBJECT-TYPE SYNTAX Counter64 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during receive processing by all current and previous IPsec Phase-2 Tunnels. This count does NOT include packets dropped due to Anti-Replay processing." ::= { ceipSecGlobalStats 6 } ceipSecGlobalInReplayDrops OBJECT-TYPE SYNTAX Counter64 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during receive processing due to Anti-Replay processing by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 7 } ceipSecGlobalInAuths OBJECT-TYPE SYNTAX Counter64 UNITS "Events" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound authentication's performed by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 8 } ceipSecGlobalInAuthFails OBJECT-TYPE SYNTAX Counter64 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound authentication's which ended in failure by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 9 } ceipSecGlobalInDecrypts OBJECT-TYPE SYNTAX Counter64 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound decryption's performed by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 10 } ceipSecGlobalInDecryptFails OBJECT-TYPE SYNTAX Counter64 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound decryption's which ended in failure by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 11 } ceipSecGlobalOutOctets OBJECT-TYPE SYNTAX Counter64 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of octets sent by all current and previous IPsec Phase-2 Tunnels. This value is accumulated AFTER determining whether or not the packet should be compressed." ::= { ceipSecGlobalStats 12 } ceipSecGlobalOutUncompOctets OBJECT-TYPE SYNTAX Counter64 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of uncompressed octets sent by all current and previous IPsec Phase-2 Tunnels. This value is accumulated BEFORE the packet is compressed. If compression is not being used, this value will match the value of ceipSecGlobalOutOctets." ::= { ceipSecGlobalStats 13 } ceipSecGlobalOutPkts OBJECT-TYPE SYNTAX Counter64 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets sent by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 14 } ceipSecGlobalOutDrops OBJECT-TYPE SYNTAX Counter64 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during send processing by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 15 } ceipSecGlobalOutAuths OBJECT-TYPE SYNTAX Counter64 UNITS "Events" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound authentication's performed by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 16 } ceipSecGlobalOutAuthFails OBJECT-TYPE SYNTAX Counter64 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound authentication's which ended in failure by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 17 } ceipSecGlobalOutEncrypts OBJECT-TYPE SYNTAX Counter64 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound encryption's performed by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 18 } ceipSecGlobalOutEncryptFails OBJECT-TYPE SYNTAX Counter64 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound encryption's which ended in failure by all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 19 } ceipSecGlobalProtocolUseFails OBJECT-TYPE SYNTAX Counter64 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of protocol use failures which occurred during processing of all current and previously active IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 20 } ceipSecGlobalNoSaFails OBJECT-TYPE SYNTAX Counter64 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of non-existent Security Association in failures which occurred during processing of all current and previous IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 21 } ceipSecGlobalSysCapFails OBJECT-TYPE SYNTAX Counter64 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of system capacity failures which occurred during processing of all current and previously active IPsec Phase-2 Tunnels." ::= { ceipSecGlobalStats 22 } ceipSecGlobalOutCompressedPkts OBJECT-TYPE SYNTAX Counter64 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The cumulative number of outbound packets across all IPsec flows terminating at this device which were successfully compressed." ::= { ceipSecGlobalStats 23 } ceipSecGlobalOutCompSkippedPkts OBJECT-TYPE SYNTAX Counter64 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets across all IPsec flows terminating at this devices that were to be compressed but which were skipped due to the compression hysteresis." ::= { ceipSecGlobalStats 24 } ceipSecGlobalOutCompFailPkts OBJECT-TYPE SYNTAX Counter64 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets across all IPsec flows terminating at this device that failed compression because they grew in size after compression." ::= { ceipSecGlobalStats 25 } ceipSecGlobalOutCompTooSmallPkts OBJECT-TYPE SYNTAX Counter64 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets across all IPsec flows terminating at this device that were to be compressed but were smaller than the compression threshold size. This number is cumulative since the last system start. " ::= { ceipSecGlobalStats 26 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec Phase-2 Tunnel Table -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecTunnelTable OBJECT-TYPE SYNTAX SEQUENCE OF CeipSecTunnelEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IPsec Phase-2 Tunnel Table. There is one entry in this table for each active IPsec Phase-2 Tunnel." ::= { ceipSecPhaseTwo 2 } ceipSecTunnelEntry OBJECT-TYPE SYNTAX CeipSecTunnelEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry contains the attributes associated with an active IPsec Phase-2 Tunnel." INDEX { ceipSecTunIndex } ::= { ceipSecTunnelTable 1 } CeipSecTunnelEntry ::= SEQUENCE { ceipSecTunIndex CIPsecPhase2TunnelIndex, ceipSecTunLocalAddressType InetAddressType, ceipSecTunLocalAddress InetAddress, ceipSecTunRemoteAddressType InetAddressType, ceipSecTunRemoteAddress InetAddress, ceipSecTunControlProtocol CIPsecControlProtocol, ceipSecTunControlTunnelIndex CIPsecPhase1TunnelIndexOrZero, ceipSecTunControlTunnelAlive TruthValue, ceipSecTunEncapMode CIPsecEncapMode, ceipSecTunNATTraversalMode CIPsecNATTraversalMode, ceipSecTunLifeSize Unsigned32, ceipSecTunLifeTime Unsigned32, ceipSecTunActiveTime TimeInterval, ceipSecTunSaLifeSizeThreshold Unsigned32, ceipSecTunSaLifeTimeThreshold Unsigned32, ceipSecTunTotalRefreshes Counter32, ceipSecTunExpiredSaInstances Counter32, ceipSecTunCurrentSaInstances Gauge32, ceipSecTunInSaDHGrp CIPsecDiffHellmanGrp, ceipSecTunInSaEncryptAlgo CIPsecEncryptAlgorithm, ceipSecTunInSaEncryptKeySize CIPsecEncryptionKeySize, ceipSecTunInSaAhAuthAlgo CIPsecAuthAlgorithm, ceipSecTunInSaEspAuthAlgo CIPsecAuthAlgorithm, ceipSecTunInSaDecompAlgo CIPsecCompAlgorithm, ceipSecTunOutSaDHGrp CIPsecDiffHellmanGrp, ceipSecTunOutSaEncryptAlgo CIPsecEncryptAlgorithm, ceipSecTunOutSaEncryptKeySize CIPsecEncryptionKeySize, ceipSecTunOutSaAhAuthAlgo CIPsecAuthAlgorithm, ceipSecTunOutSaEspAuthAlgo CIPsecAuthAlgorithm, ceipSecTunOutSaCompAlgo CIPsecCompAlgorithm, ceipSecTunPmtu CIPsecPmtu, ceipSecTunInOctets Counter64, ceipSecTunInDecompOctets Counter64, ceipSecTunInPkts Counter32, ceipSecTunInDropPkts Counter32, ceipSecTunInReplayDropPkts Counter32, ceipSecTunInAuths Counter32, ceipSecTunInAuthFails Counter32, ceipSecTunInDecrypts Counter32, ceipSecTunInDecryptFails Counter32, ceipSecTunOutOctets Counter64, ceipSecTunOutUncompOctets Counter64, ceipSecTunOutPkts Counter32, ceipSecTunOutDropPkts Counter32, ceipSecTunOutAuths Counter32, ceipSecTunOutAuthFails Counter32, ceipSecTunOutEncrypts Counter32, ceipSecTunOutEncryptFails Counter32, ceipSecTunOutCompressedPkts Counter32, ceipSecTunOutCompSkippedPkts Counter32, ceipSecTunOutCompFailPkts Counter32, ceipSecTunOutCompTooSmallPkts Counter32, ceipSecIfIndex InterfaceIndex, ceipSecTunStatus CIPsecTunnelStatus } ceipSecTunIndex OBJECT-TYPE SYNTAX CIPsecPhase2TunnelIndex MAX-ACCESS not-accessible STATUS current DESCRIPTION "The index of the IPsec Phase-2 Tunnel Table. The value of the index is a number which begins at 1 and is incremented with each tunnel that is created. The value of this object will wrap at 2,147,483,647. Since this object must correspond to a valid Phase-2 IPsec tunnel, this object may not assume the value of 0." ::= { ceipSecTunnelEntry 1 } ceipSecTunLocalAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address of the local endpoint for the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 2 } ceipSecTunLocalAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the local endpoint for the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 3 } ceipSecTunRemoteAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address of the remote endpoint for the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 4 } ceipSecTunRemoteAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the remote endpoint for the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 5 } ceipSecTunControlProtocol OBJECT-TYPE SYNTAX CIPsecControlProtocol MAX-ACCESS read-only STATUS current DESCRIPTION "Identifies the protocol used to setup and administer this Phase-2 IPsec tunnel. In case this tunnel was spawned by an IPsec signaling protocol, this MIB object contains the value of the object 'cisgIpsSgProtocol' defined in CISCO-IPSEC-SIGNALING-MIB in the table 'cisgIpsSgTunnelTable' in the row corresponding to the control tunnel. A value of 'cpManual' is indicative of a manually installed and administered Phase-2 tunnel." ::= { ceipSecTunnelEntry 6 } ceipSecTunControlTunnelIndex OBJECT-TYPE SYNTAX CIPsecPhase1TunnelIndexOrZero MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the associated IPsec Phase-1 Tunnel. In case this tunnel was spawned by an IPsec signaling protocol, this MIB object contains the value of the object 'cisgIpsSgTunIndex' defined in CISCO-IPSEC-SIGNALING-MIB in the table 'cisgIpsSgTunnelTable' in the row corresponding to the control tunnel. A value of 0 identifies that this Phase-2 tunnel was setup manually." ::= { ceipSecTunnelEntry 7 } ceipSecTunControlTunnelAlive OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "An indicator which specifies whether or not the IPsec Phase-1 Tunnel that spawned this Phase-2 tunnel currently exists." ::= { ceipSecTunnelEntry 8 } ceipSecTunEncapMode OBJECT-TYPE SYNTAX CIPsecEncapMode MAX-ACCESS read-only STATUS current DESCRIPTION "The encapsulation mode used by the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 9 } ceipSecTunNATTraversalMode OBJECT-TYPE SYNTAX CIPsecNATTraversalMode MAX-ACCESS read-only STATUS current DESCRIPTION "The encapsulation used by the IPsec Phase-2 tunnel for NAT traversal. The value of this object is constrained based on the value of the column 'ceipSecTunEncapMode'. If the value of 'ceipSecTunEncapMode' is 'encapTransport', then this object may not assume the values 'natEncapIPsecOverUdp' or 'natEncapIPsecOverTcp'. " ::= { ceipSecTunnelEntry 10 } ceipSecTunLifeSize OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) UNITS "KBytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The negotiated LifeSize of the IPsec Phase-2 Tunnel in kilobytes." ::= { ceipSecTunnelEntry 11 } ceipSecTunLifeTime OBJECT-TYPE SYNTAX Unsigned32 UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The negotiated LifeTime of the IPsec Phase-2 Tunnel in seconds. If the tunnel was setup manually, the value of this MIB element should be 0." ::= { ceipSecTunnelEntry 12 } ceipSecTunActiveTime OBJECT-TYPE SYNTAX TimeInterval MAX-ACCESS read-only STATUS current DESCRIPTION "The length of time the IPsec Phase-2 Tunnel has been active in hundredths of seconds." ::= { ceipSecTunnelEntry 13 } ceipSecTunSaLifeSizeThreshold OBJECT-TYPE SYNTAX Unsigned32 UNITS "KBytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The security association LifeSize refresh threshold in kilobytes. If the tunnel was setup manually, the value of this MIB element should be 0." ::= { ceipSecTunnelEntry 14 } ceipSecTunSaLifeTimeThreshold OBJECT-TYPE SYNTAX Unsigned32 UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The security association LifeTime refresh threshold in seconds. If the tunnel was setup manually, the value of this MIB element should be 0." ::= { ceipSecTunnelEntry 15 } ceipSecTunTotalRefreshes OBJECT-TYPE SYNTAX Counter32 UNITS "QM Exchanges" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of security association refreshes performed." ::= { ceipSecTunnelEntry 16 } ceipSecTunExpiredSaInstances OBJECT-TYPE SYNTAX Counter32 UNITS "SAs" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of security associations which have expired. If the tunnel was setup manually, the value of this MIB element should be 0." ::= { ceipSecTunnelEntry 17 } ceipSecTunCurrentSaInstances OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of security associations which are currently active or expiring." ::= { ceipSecTunnelEntry 18 } ceipSecTunInSaDHGrp OBJECT-TYPE SYNTAX CIPsecDiffHellmanGrp MAX-ACCESS read-only STATUS current DESCRIPTION "The Diffie Hellman Group used by the inbound security association of the IPsec Phase-2 Tunnel. If the tunnel was setup manually, the value of this MIB element would be `none'." ::= { ceipSecTunnelEntry 19 } ceipSecTunInSaEncryptAlgo OBJECT-TYPE SYNTAX CIPsecEncryptAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The encryption algorithm used by the inbound security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 20 } ceipSecTunInSaEncryptKeySize OBJECT-TYPE SYNTAX CIPsecEncryptionKeySize UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The key size in bits of the negotiated key to be used with the algorithm denoted by 'ceipSecTunInSaEncryptAlgo'. For DES and 3DES the key size is respectively 56 and 168. For AES, this will denote the negotiated key size. " ::= { ceipSecTunnelEntry 21 } ceipSecTunInSaAhAuthAlgo OBJECT-TYPE SYNTAX CIPsecAuthAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the inbound authentication header (AH) security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 22 } ceipSecTunInSaEspAuthAlgo OBJECT-TYPE SYNTAX CIPsecAuthAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the inbound ecapsulation security protocol (ESP) security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 23 } ceipSecTunInSaDecompAlgo OBJECT-TYPE SYNTAX CIPsecCompAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The decompression algorithm used by the inbound security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 24 } ceipSecTunOutSaDHGrp OBJECT-TYPE SYNTAX CIPsecDiffHellmanGrp MAX-ACCESS read-only STATUS current DESCRIPTION "The Diffie Hellman Group used by the outbound security association of the IPsec Phase-2 Tunnel. If the tunnel was setup manually, the value of this MIB element would be 'none'." ::= { ceipSecTunnelEntry 25 } ceipSecTunOutSaEncryptAlgo OBJECT-TYPE SYNTAX CIPsecEncryptAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The encryption algorithm used by the outbound security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 26 } ceipSecTunOutSaEncryptKeySize OBJECT-TYPE SYNTAX CIPsecEncryptionKeySize UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The key size in bits of the negotiated key to be used with the algorithm denoted by 'ceipSecTunOutSaEncryptAlgo'. For DES and 3DES the key size is respectively 56 and 168. For AES, this will denote the negotiated key size." ::= { ceipSecTunnelEntry 27 } ceipSecTunOutSaAhAuthAlgo OBJECT-TYPE SYNTAX CIPsecAuthAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the outbound authentication header (AH) security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 28 } ceipSecTunOutSaEspAuthAlgo OBJECT-TYPE SYNTAX CIPsecAuthAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the inbound encapsulation security protocol (ESP) security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 29 } ceipSecTunOutSaCompAlgo OBJECT-TYPE SYNTAX CIPsecCompAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The compression algorithm used by the inbound security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 30 } ceipSecTunPmtu OBJECT-TYPE SYNTAX CIPsecPmtu UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The Path MTU for this IPsec Phase-2 tunnel, which has been either learnt from the network or which has been specified by the administrator. The lower end of the range is 68 which is the minimum MTU for IPv4." ::= { ceipSecTunnelEntry 31 } ceipSecTunInOctets OBJECT-TYPE SYNTAX Counter64 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of octets received by this IPsec Phase-2 Tunnel. This value is accumulated BEFORE determining whether or not the packet should be decompressed." ::= { ceipSecTunnelEntry 32 } ceipSecTunInDecompOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of decompressed octets received by this IPsec Phase-2 Tunnel. This value is accumulated AFTER the packet is decompressed. If compression is not being used, this value will match the value of ceipSecTunInOctets." ::= { ceipSecTunnelEntry 33 } ceipSecTunInPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 34 } ceipSecTunInDropPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during receive processing by this IPsec Phase-2 Tunnel. This count does NOT include packets dropped due to Anti-Replay processing." ::= { ceipSecTunnelEntry 35 } ceipSecTunInReplayDropPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during receive processing due to Anti-Replay processing by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 36 } ceipSecTunInAuths OBJECT-TYPE SYNTAX Counter32 UNITS "Events" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound authentication's performed by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 37 } ceipSecTunInAuthFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound authentication's which ended in failure by this IPsec Phase-2 Tunnel ." ::= { ceipSecTunnelEntry 38 } ceipSecTunInDecrypts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound decryption's performed by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 39 } ceipSecTunInDecryptFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound decryption's which ended in failure by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 40 } ceipSecTunOutOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of octets sent by this IPsec Phase-2 Tunnel. This value is accumulated AFTER determining whether or not the packet should be compressed." ::= { ceipSecTunnelEntry 41 } ceipSecTunOutUncompOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of uncompressed octets sent by this IPsec Phase-2 Tunnel. This value is accumulated BEFORE the packet is compressed. If compression is not being used, this value will match the value of ceipSecTunOutOctets." ::= { ceipSecTunnelEntry 42 } ceipSecTunOutPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets sent by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 43 } ceipSecTunOutDropPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during send processing by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 44 } ceipSecTunOutAuths OBJECT-TYPE SYNTAX Counter32 UNITS "Events" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound authentication's performed by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 45 } ceipSecTunOutAuthFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound authentication's which ended in failure by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 46 } ceipSecTunOutEncrypts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound encryption's performed by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 47 } ceipSecTunOutEncryptFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound encryption's which ended in failure by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelEntry 48 } ceipSecTunOutCompressedPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets which were successfully compressed." ::= { ceipSecTunnelEntry 49 } ceipSecTunOutCompSkippedPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets that were to be compressed but which were skipped due to the compression hysteresis." ::= { ceipSecTunnelEntry 50 } ceipSecTunOutCompFailPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets that failed compression because they grew in size after compression." ::= { ceipSecTunnelEntry 51 } ceipSecTunOutCompTooSmallPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets that were to be compressed but were smaller than the compression threshold size." ::= { ceipSecTunnelEntry 52 } ceipSecIfIndex OBJECT-TYPE SYNTAX InterfaceIndex MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents the ifIndex of an interface where this tunnel is created. Multiple IPsec tunnels can be created using the same interface." ::= { ceipSecTunnelEntry 53 } ceipSecTunStatus OBJECT-TYPE SYNTAX CIPsecTunnelStatus MAX-ACCESS read-write STATUS current DESCRIPTION "The status of the MIB table row. This object can be used to bring the tunnel down or force a rekeying. When the value is set to destroy(5), the SA bundle is destroyed and this row is deleted from this table. When the value is set to rekey(6), then rekeying is forced on this tunnel. When this MIB value is queried, the value of active(4) is always returned, if the instance exists. This object cannot be used to create a MIB table row." ::= { ceipSecTunnelEntry 54 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec Phase-2 Tunnel Endpoint Table -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecEndPtTable OBJECT-TYPE SYNTAX SEQUENCE OF CeipSecEndPtEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IPsec Phase-2 Tunnel Endpoint Table. This table contains an entry for each active endpoint associated with an IPsec Phase-2 Tunnel." ::= { ceipSecPhaseTwo 3 } ceipSecEndPtEntry OBJECT-TYPE SYNTAX CeipSecEndPtEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An IPsec Phase-2 Tunnel Endpoint entry." INDEX { ceipSecTunIndex, -- from ceipSecTunnelTable ceipSecEndPtIndex } ::= { ceipSecEndPtTable 1 } CeipSecEndPtEntry ::= SEQUENCE { ceipSecEndPtIndex Unsigned32, ceipSecEndPtLocalName SnmpAdminString, ceipSecEndPtLocalType CIPsecEndPtType, ceipSecEndPtLocalAddrType1 InetAddressType, ceipSecEndPtLocalAddr1 InetAddress, ceipSecEndPtLocalAddrType2 InetAddressType, ceipSecEndPtLocalAddr2 InetAddress, ceipSecEndPtLocalProtocol CiscoIpProtocol, ceipSecEndPtLocalPort CiscoPort, ceipSecEndPtRemoteName SnmpAdminString, ceipSecEndPtRemoteType CIPsecEndPtType, ceipSecEndPtRemoteAddrType1 InetAddressType, ceipSecEndPtRemoteAddr1 InetAddress, ceipSecEndPtRemoteAddrType2 InetAddressType, ceipSecEndPtRemoteAddr2 InetAddress, ceipSecEndPtRemoteProtocol CiscoIpProtocol, ceipSecEndPtRemotePort CiscoPort } ceipSecEndPtIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The number of the Endpoint associated with the IPsec Phase-2 Tunnel Table. The value of this index is a number which begins at one and is incremented with each Endpoint associated with an IPsec Phase-2 Tunnel. The value of this object will wrap at 4,294,967,295." ::= { ceipSecEndPtEntry 1 } ceipSecEndPtLocalName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The DNS name of the local Endpoint." ::= { ceipSecEndPtEntry 2 } ceipSecEndPtLocalType OBJECT-TYPE SYNTAX CIPsecEndPtType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identity for the local Endpoint." ::= { ceipSecEndPtEntry 3 } ceipSecEndPtLocalAddrType1 OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address for this local Endpoint's first IP address." ::= { ceipSecEndPtEntry 4 } ceipSecEndPtLocalAddr1 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The local Endpoint's first IP address specification. If the local Endpoint type is single IP address, then this is the value of the IP address. If the local Endpoint type is IP subnet, then this is the value of the subnet. If the local Endpoint type is IP address range, then this is the value of beginning IP address of the range. If the type is an IP address, a range or a subnet, the type of the address can be inferred from ceipSecEndPtLocalType." ::= { ceipSecEndPtEntry 5 } ceipSecEndPtLocalAddrType2 OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address for this local Endpoint's second IP address." ::= { ceipSecEndPtEntry 6 } ceipSecEndPtLocalAddr2 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The local Endpoint's second IP address specification. If the local Endpoint type is single IP address, then this is the value of the IP address. If the local Endpoint type is IP subnet, then this is the value of the subnet mask. If the local Endpoint type is IP address range, then this is the value of ending IP address of the range. If the type is an IP address, a range or a subnet, the type of the address can be inferred from ceipSecEndPtLocalType." ::= { ceipSecEndPtEntry 7 } ceipSecEndPtLocalProtocol OBJECT-TYPE SYNTAX CiscoIpProtocol MAX-ACCESS read-only STATUS current DESCRIPTION "The protocol number of the local Endpoint's traffic." ::= { ceipSecEndPtEntry 8 } ceipSecEndPtLocalPort OBJECT-TYPE SYNTAX CiscoPort MAX-ACCESS read-only STATUS current DESCRIPTION "The port number of the local Endpoint's traffic." ::= { ceipSecEndPtEntry 9 } ceipSecEndPtRemoteName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The DNS name of the remote Endpoint." ::= { ceipSecEndPtEntry 10 } ceipSecEndPtRemoteType OBJECT-TYPE SYNTAX CIPsecEndPtType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identity for the remote Endpoint." ::= { ceipSecEndPtEntry 11 } ceipSecEndPtRemoteAddrType1 OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address for this remote Endpoint's first IP address." ::= { ceipSecEndPtEntry 12 } ceipSecEndPtRemoteAddr1 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The remote Endpoint's first IP address specification. If the remote Endpoint type is single IP address, then this is the value of the IP address. If the remote Endpoint type is IP subnet, then this is the value of the subnet. If the remote Endpoint type is IP address range, then this is the value of beginning IP address of the range. If the type is an IP address, a range or a subnet, the type of the address can be inferred from ceipSecEndPtRemoteType." ::= { ceipSecEndPtEntry 13 } ceipSecEndPtRemoteAddrType2 OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address for this remote Endpoint's second IP address." ::= { ceipSecEndPtEntry 14 } ceipSecEndPtRemoteAddr2 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The remote Endpoint's second IP address specification. If the remote Endpoint type is single IP address, then this is the value of the IP address. If the remote Endpoint type is IP subnet, then this is the value of the subnet mask. If the remote Endpoint type is IP address range, then this is the value of ending IP address of the range. If the type is an IP address, a range or a subnet, the type of the address can be inferred from ceipSecEndPtRemoteType." ::= { ceipSecEndPtEntry 15 } ceipSecEndPtRemoteProtocol OBJECT-TYPE SYNTAX CiscoIpProtocol MAX-ACCESS read-only STATUS current DESCRIPTION "The protocol number of the remote Endpoint's traffic." ::= { ceipSecEndPtEntry 16 } ceipSecEndPtRemotePort OBJECT-TYPE SYNTAX CiscoPort MAX-ACCESS read-only STATUS current DESCRIPTION "The port number of the remote Endpoint's traffic." ::= { ceipSecEndPtEntry 17 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec Phase-2 Security Association Table -- This table provides the security association (SA) -- decomposition of the tunnels listed in the tunnel table. -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecSaTable OBJECT-TYPE SYNTAX SEQUENCE OF CeipSecSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IPsec Phase-2 Security Association Table. This table identifies the structure (in terms of component SAs) of each active Phase-2 IPsec tunnel. This table contains an entry for each active and expiring security association and maps each entry in the active Phase-2 tunnel table (ceipSecTunTable) into a number of entries in this table. The index of this table reflects the rule for identifying Security Associations." ::= { ceipSecPhaseTwo 4 } ceipSecSaEntry OBJECT-TYPE SYNTAX CeipSecSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry contains the attributes associated with active and expiring IPsec Phase-2 security associations." INDEX { ceipSecTunIndex, -- from ceipSecTunnelTable ceipSecSaProtocol, ceipSecSaIndex } ::= { ceipSecSaTable 1 } CeipSecSaEntry ::= SEQUENCE { ceipSecSaProtocol CIPsecProtocol, ceipSecSaIndex Unsigned32, ceipSecSaDirection CIPsecPhase2SaDirection, ceipSecSaValue CIPsecSpi, ceipSecSaStatus INTEGER } ceipSecSaProtocol OBJECT-TYPE SYNTAX CIPsecProtocol MAX-ACCESS not-accessible STATUS current DESCRIPTION "This column represents the security protocol (AH, ESP or IPComp) for which this security association was setup. " ::= { ceipSecSaEntry 1 } ceipSecSaIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The object, in the context of the IPsec tunnel 'ceipSecTunIndex', is an index of security associations comprising the Phase-2 IPsec tunnel represented by the tunnel index 'ceipSecTunIndex'. The value of this index is a number which begins at 1 and is incremented with each SPI associated with the corresponding IPsec Phase-2 Tunnel." ::= { ceipSecSaEntry 2 } ceipSecSaDirection OBJECT-TYPE SYNTAX CIPsecPhase2SaDirection MAX-ACCESS read-only STATUS current DESCRIPTION "Phase-2 IPsec security associations are simplex. Hence a particular security association is used either for securing outgoing traffic or decoding incoming traffic. This column identifies the direction of the security association represented by this entry. " ::= { ceipSecSaEntry 3 } ceipSecSaValue OBJECT-TYPE SYNTAX CIPsecSpi MAX-ACCESS read-only STATUS current DESCRIPTION "This is the value of the Security Protection Index (SPI) assigned by the system to the security association represented by this entry. " ::= { ceipSecSaEntry 4 } ceipSecSaStatus OBJECT-TYPE SYNTAX INTEGER{ unknown(1), active(2), expiring(3) } MAX-ACCESS read-only STATUS current DESCRIPTION " This column represents the status of the security association represented by this conceptual row. If the status of the SA is 'active', the SA is ready for active use. The status 'expiring' represents any of the various states that the security association transitions through before being purged. " ::= { ceipSecSaEntry 5 } ceipSecTunnelSaTable OBJECT-TYPE SYNTAX SEQUENCE OF CeipSecTunnelSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IPsec Phase-2 Tunnel Security Association Table. This table identifies the SAs that are currently associated with an active Phase-2 tunnel. This table contains an entry for each active or expiring security association (SA) which is associated with an ceipSecTunnelEntry in 'active' state and provides statistic information of this SA. There might be multiple SAs associated with one ceipSecTunnelEntry." ::= { ceipSecPhaseTwo 5 } ceipSecTunnelSaEntry OBJECT-TYPE SYNTAX CeipSecTunnelSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry contains the attributes and statistics associated with an active or expiring IPsec Phase-2 security associations." INDEX { ceipSecTunIndex, -- from ceipSecTunnelTable ceipSecTunSaProtocol, ceipSecTunSaIndex, ceipSecTunSaDirection } ::= { ceipSecTunnelSaTable 1 } CeipSecTunnelSaEntry ::= SEQUENCE { ceipSecTunSaProtocol CIPsecProtocol, ceipSecTunSaIndex Unsigned32, ceipSecTunSaDirection CIPsecPhase2SaDirection, ceipSecTunSaValue CIPsecSpi, ceipSecTunSaIfIndex InterfaceIndex, ceipSecTunSaInOctets Counter64, ceipSecTunSaInDecompOctets Counter64, ceipSecTunSaInPkts Counter64, ceipSecTunSaInDropPkts Counter64, ceipSecTunSaInReplayDropPkts Counter64, ceipSecTunSaInAuths Counter64, ceipSecTunSaInAuthFails Counter64, ceipSecTunSaInDecrypts Counter64, ceipSecTunSaInDecryptFails Counter64, ceipSecTunSaOutOctets Counter64, ceipSecTunSaOutUncompOctets Counter64, ceipSecTunSaOutPkts Counter64, ceipSecTunSaOutDropPkts Counter64, ceipSecTunSaOutAuths Counter64, ceipSecTunSaOutAuthFails Counter64, ceipSecTunSaOutEncrypts Counter64, ceipSecTunSaOutEncryptFails Counter64, ceipSecTunSaOutCompressedPkts Counter64, ceipSecTunSaOutCompSkippedPkts Counter64, ceipSecTunSaOutCompFailPkts Counter64, ceipSecTunSaOutCompTooSmallPkts Counter64, ceipSecTunSaStatus INTEGER } ceipSecTunSaProtocol OBJECT-TYPE SYNTAX CIPsecProtocol MAX-ACCESS not-accessible STATUS current DESCRIPTION "This column represents the security protocol (AH, ESP or IPComp) for which this security association was setup. " ::= { ceipSecTunnelSaEntry 1 } ceipSecTunSaIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The object, in the context of the IPsec tunnel 'ceipSecTunIndex', is an index of security associations comprising the Phase-2 IPsec tunnel represented by the tunnel index 'ceipSecTunIndex'. The value of this index is a number which begins at 1 and is incremented with each SPI associated with the corresponding IPsec Phase-2 Tunnel." ::= { ceipSecTunnelSaEntry 2 } ceipSecTunSaDirection OBJECT-TYPE SYNTAX CIPsecPhase2SaDirection MAX-ACCESS not-accessible STATUS current DESCRIPTION "Phase-2 IPsec security associations are simplex. Hence a particular security association is used either for securing outgoing traffic or decoding incoming traffic. This column identifies the direction of the security association represented by this entry. " ::= { ceipSecTunnelSaEntry 3 } ceipSecTunSaValue OBJECT-TYPE SYNTAX CIPsecSpi MAX-ACCESS read-only STATUS current DESCRIPTION "This is the value of the Security Protection Index (SPI) assigned by the system to the security association represented by this entry. " ::= { ceipSecTunnelSaEntry 4 } ceipSecTunSaIfIndex OBJECT-TYPE SYNTAX InterfaceIndex MAX-ACCESS read-only STATUS current DESCRIPTION "This object represents the ifIndex of an interface where a tunnel with ceipSecTunIndex is created. Multiple IPsec tunnels can be created using the same interface." ::= { ceipSecTunnelSaEntry 5 } ceipSecTunSaInOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of octets received by using this SA. This value is accumulated BEFORE determining whether or not the packet should be decompressed." ::= { ceipSecTunnelSaEntry 6 } ceipSecTunSaInDecompOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of decompressed octets received by using this SA. This value is accumulated AFTER the packet is decompressed. If compression is not being used, this value will match the value of ceipSecTunSaTunInOctets." ::= { ceipSecTunnelSaEntry 7 } ceipSecTunSaInPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by using this SA." ::= { ceipSecTunnelSaEntry 8 } ceipSecTunSaInDropPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during receive process by using this SA. This count does NOT include packets dropped due to Anti-Replay processing." ::= { ceipSecTunnelSaEntry 9 } ceipSecTunSaInReplayDropPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during receive processing due to Anti-Replay processing by using this SA." ::= { ceipSecTunnelSaEntry 10 } ceipSecTunSaInAuths OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound authentication's performed by using this SA." ::= { ceipSecTunnelSaEntry 11 } ceipSecTunSaInAuthFails OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound authentication's which ended in failure by using this SA." ::= { ceipSecTunnelSaEntry 12 } ceipSecTunSaInDecrypts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound decryption's performed by this SA." ::= { ceipSecTunnelSaEntry 13 } ceipSecTunSaInDecryptFails OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound decryption's which ended in failure by using this SA." ::= { ceipSecTunnelSaEntry 14 } ceipSecTunSaOutOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of octets sent by using this SA. This value is accumulated AFTER determining whether or not the packet should be compressed." ::= { ceipSecTunnelSaEntry 15 } ceipSecTunSaOutUncompOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of uncompressed octets sent by using this SA. This value is accumulated BEFORE the packet is compressed. If compression is not being used, this value will match the value of ceipSecTunSaTunOutOctets." ::= { ceipSecTunnelSaEntry 16 } ceipSecTunSaOutPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets sent by using this SA." ::= { ceipSecTunnelSaEntry 17 } ceipSecTunSaOutDropPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during send processing by using this SA." ::= { ceipSecTunnelSaEntry 18 } ceipSecTunSaOutAuths OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound authentication's performed by using this SA." ::= { ceipSecTunnelSaEntry 19 } ceipSecTunSaOutAuthFails OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound authentication's which ended in failure by using this SA." ::= { ceipSecTunnelSaEntry 20 } ceipSecTunSaOutEncrypts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound encryption's performed by using this SA." ::= { ceipSecTunnelSaEntry 21 } ceipSecTunSaOutEncryptFails OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound encryption's which ended in failure by using this SA." ::= { ceipSecTunnelSaEntry 22 } ceipSecTunSaOutCompressedPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets which were successfully compressed by using this SA." ::= { ceipSecTunnelSaEntry 23 } ceipSecTunSaOutCompSkippedPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets that were to be compressed but which were skipped due to the compression hysteresis when using this SA." ::= { ceipSecTunnelSaEntry 24 } ceipSecTunSaOutCompFailPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets that failed compression because they grew in size after compression when using this SA." ::= { ceipSecTunnelSaEntry 25 } ceipSecTunSaOutCompTooSmallPkts OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets that were to be compressed but were smaller than the compression threshold size when using this SA." ::= { ceipSecTunnelSaEntry 26 } ceipSecTunSaStatus OBJECT-TYPE SYNTAX INTEGER{ unknown(1), active(2), expiring(3) } MAX-ACCESS read-only STATUS current DESCRIPTION " This column represents the status of the security association represented by this conceptual row. If the status of the SA is 'active', the SA is ready for active use. The status 'expiring' represents any of the various states that the security association transitions through before being purged. " ::= { ceipSecTunnelSaEntry 27 } ceipSecIfTunnelTable OBJECT-TYPE SYNTAX SEQUENCE OF CeipSecIfTunnelEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IPsec Phase-2 Tunnels to Interface association table. This table contains an entry for each active IPsec Phase-2 Tunnel created under an interface. Multiple IPsec Phase-2 Tunnels can be created using the same interface." ::= { ceipSecPhaseTwo 6 } ceipSecIfTunnelEntry OBJECT-TYPE SYNTAX CeipSecIfTunnelEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry contains the IPsec Phase-2 Tunnel associated with an interface." INDEX { ifIndex, ceipSecTunIndex } ::= { ceipSecIfTunnelTable 1 } CeipSecIfTunnelEntry ::= SEQUENCE { ceipSecIfTunnelStatus CIPsecTunnelStatus } ceipSecIfTunnelStatus OBJECT-TYPE SYNTAX CIPsecTunnelStatus MAX-ACCESS read-only STATUS current DESCRIPTION "This object corresponds to the status of a IPsec Phase-2 Tunnel in ceipSecTunnelTable indexed by ceipSecTunIndex. The valid status this object can have are 'active' and 'awaitCommit'." ::= { ceipSecIfTunnelEntry 1 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec History Group -- -- This group consists of: -- 1) IPsec History Global Objects -- 2) IPsec Phase-2 History Objects -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecHistGlobal OBJECT IDENTIFIER ::= { ceipSecHistory 1 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- IPsec History Global Control Objects -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecHistGlobalCntl OBJECT IDENTIFIER ::= { ceipSecHistGlobal 1 } ceipSecHistTableSize OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-write STATUS current DESCRIPTION "The window size of the IPsec Phase-2 History Tables. The IPsec Phase-2 History Tables are implemented as a sliding window in which only the last 'N' entries are maintained. This object is used specify the number of entries which will be maintained in the IPsec Phase-2 History Tables. An implementation may choose suitable minimum and maximum values for this element based on the local policy and available resources. If an SNMP SET request specifies a value outside this window for this element, in appropriate SNMP error code should be returned. Setting this value to zero is equivalent to deleting all conceptual rows in the archiving tables ('ceipSecHistTable' and 'ceipSecEndPtHistTable') and disabling the archiving of entries in the tables. " ::= { ceipSecHistGlobalCntl 1 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec Phase-2 Tunnel History Table -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecTunnelHistTable OBJECT-TYPE SYNTAX SEQUENCE OF CeipSecTunnelHistEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IPsec Phase-2 Tunnel History Table. This table is conceptually a sliding window in which only the last 'N' entries are maintained, where 'N' is the value of the object 'ceipSecHistTableSize'. If the value of 'ceipSecHistTableSize' is 0, archiving of entries in this table is disabled. " ::= { ceipSecHistory 2 } ceipSecTunnelHistEntry OBJECT-TYPE SYNTAX CeipSecTunnelHistEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry contains the attributes associated with a previously active IPsec Phase-2 Tunnel." INDEX { ceipSecTunHistIndex } ::= { ceipSecTunnelHistTable 1 } CeipSecTunnelHistEntry ::= SEQUENCE { ceipSecTunHistIndex Unsigned32, ceipSecTunHistTermReason INTEGER, ceipSecTunHistActiveIndex CIPsecPhase2TunnelIndex, ceipSecTunHistLocalAddressType InetAddressType, ceipSecTunHistLocalAddress InetAddress, ceipSecTunHistRemoteAddressType InetAddressType, ceipSecTunHistRemoteAddress InetAddress, ceipSecTunHistControlProtocol CIPsecControlProtocol, ceipSecTunHistControlTunnelIndex CIPsecPhase1TunnelIndexOrZero, ceipSecTunHistEncapMode CIPsecEncapMode, ceipSecTunHistNATTraversalMode CIPsecNATTraversalMode, ceipSecTunHistLifeSize Unsigned32, ceipSecTunHistLifeTime Unsigned32, ceipSecTunHistStartTime TimeStamp, ceipSecTunHistActiveTime TimeInterval, ceipSecTunHistTotalRefreshes Counter32, ceipSecTunHistTotalSas Counter32, ceipSecTunHistInSaDHGrp CIPsecDiffHellmanGrp, ceipSecTunHistInSaEncryptAlgo CIPsecEncryptAlgorithm, ceipSecTunHistInSaEncryptKeySize CIPsecEncryptionKeySize, ceipSecTunHistInSaAhAuthAlgo CIPsecAuthAlgorithm, ceipSecTunHistInSaEspAuthAlgo CIPsecAuthAlgorithm, ceipSecTunHistInSaDecompAlgo CIPsecCompAlgorithm, ceipSecTunHistOutSaDHGrp CIPsecDiffHellmanGrp, ceipSecTunHistOutSaEncryptAlgo CIPsecEncryptAlgorithm, ceipSecTunHistOutSaEncryptKeySz CIPsecEncryptionKeySize, ceipSecTunHistOutSaAhAuthAlgo CIPsecAuthAlgorithm, ceipSecTunHistOutSaEspAuthAlgo CIPsecAuthAlgorithm, ceipSecTunHistOutSaCompAlgo CIPsecCompAlgorithm, ceipSecTunHistPmtu CIPsecPmtu, ceipSecTunHistInOctets Counter64, ceipSecTunHistInDecompOctets Counter64, ceipSecTunHistInPkts Counter32, ceipSecTunHistInDropPkts Counter32, ceipSecTunHistInReplayDropPkts Counter32, ceipSecTunHistInAuths Counter32, ceipSecTunHistInAuthFails Counter32, ceipSecTunHistInDecrypts Counter32, ceipSecTunHistInDecryptFails Counter32, ceipSecTunHistOutOctets Counter64, ceipSecTunHistOutUncompOctets Counter64, ceipSecTunHistOutPkts Counter32, ceipSecTunHistOutDropPkts Counter32, ceipSecTunHistOutAuths Counter32, ceipSecTunHistOutAuthFails Counter32, ceipSecTunHistOutEncrypts Counter32, ceipSecTunHistOutEncryptFails Counter32, ceipSecTunHistOutCompressedPkts Counter32, ceipSecTunHistOutCompSkippedPkts Counter32, ceipSecTunHistOutCompFailPkts Counter32, ceipSecTunHistOutCompSmallPkts Counter32 } ceipSecTunHistIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The index of the IPsec Phase-2 Tunnel History Table. The value of the index is a number which begins at one and is incremented with each tunnel that ends. The value of this object will wrap at 4,294,967,295." ::= { ceipSecTunnelHistEntry 1 } ceipSecTunHistTermReason OBJECT-TYPE SYNTAX INTEGER { other(1), normal(2), operRequest(3), peerDelRequest(4), peerLost(5), applicationInitiated(6), xauthFailure(7), seqNumRollOver(8), checkPointReq(9) } MAX-ACCESS read-only STATUS current DESCRIPTION "The reason the IPsec Phase-2 Tunnel was terminated. Possible reasons include: 1 = other 2 = normal termination 3 = operator request 4 = peer delete request was received 5 = contact with peer was lost 6 = applicationInitiated (eg: L2TP requesting the termination) 7 = failure of extended authentication 8 = local failure occurred 9 = operator initiated check point request" ::= { ceipSecTunnelHistEntry 2 } ceipSecTunHistActiveIndex OBJECT-TYPE SYNTAX CIPsecPhase2TunnelIndex MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the previously active IPsec Phase-2 Tunnel. This object must correspond to an expired IPsec tunnel; hence this object may not assume the value of 0. " ::= { ceipSecTunnelHistEntry 3 } ceipSecTunHistLocalAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address of the local endpoint for the IPsec Phase-2 Tunnel. " ::= { ceipSecTunnelHistEntry 4 } ceipSecTunHistLocalAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the local endpoint for the IPsec Phase-2 Tunnel. " ::= { ceipSecTunnelHistEntry 5 } ceipSecTunHistRemoteAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address of the remote endpoint for the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 6 } ceipSecTunHistRemoteAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the remote endpoint for the IPsec Phase-2 Tunnel. " ::= { ceipSecTunnelHistEntry 7 } ceipSecTunHistControlProtocol OBJECT-TYPE SYNTAX CIPsecControlProtocol MAX-ACCESS read-only STATUS current DESCRIPTION "Identifies the protocol that was used to setup and administer Phase-2 IPsec tunnel. " ::= { ceipSecTunnelHistEntry 8 } ceipSecTunHistControlTunnelIndex OBJECT-TYPE SYNTAX CIPsecPhase1TunnelIndexOrZero MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the IPsec Phase-1 Tunnel that spawned this Phase-2 tunnel (in case of IKE, this value would refer to 'csikeTunIndex' in the 'csikeTunnelTable'). If the IPsec tunnel corresponding to this entry was setup manually, the value of this object should be zero. " ::= { ceipSecTunnelHistEntry 9 } ceipSecTunHistEncapMode OBJECT-TYPE SYNTAX CIPsecEncapMode MAX-ACCESS read-only STATUS current DESCRIPTION "The encapsulation mode used by the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 10 } ceipSecTunHistNATTraversalMode OBJECT-TYPE SYNTAX CIPsecNATTraversalMode MAX-ACCESS read-only STATUS current DESCRIPTION "The encapsulation used by the IPsec Phase-2 tunnel corresponding to this conceptual row for NAT traversal." ::= { ceipSecTunnelHistEntry 11 } ceipSecTunHistLifeSize OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) UNITS "KBytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The negotiated LifeSize of the IPsec Phase-2 Tunnel in kilobytes." ::= { ceipSecTunnelHistEntry 12 } ceipSecTunHistLifeTime OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The negotiated LifeTime of the IPsec Phase-2 Tunnel in seconds." ::= { ceipSecTunnelHistEntry 13 } ceipSecTunHistStartTime OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime in hundredths of seconds when the IPsec Phase-2 Tunnel was started." ::= { ceipSecTunnelHistEntry 14 } ceipSecTunHistActiveTime OBJECT-TYPE SYNTAX TimeInterval MAX-ACCESS read-only STATUS current DESCRIPTION "The length of time the IPsec Phase-2 Tunnel has been active in hundredths of seconds." ::= { ceipSecTunnelHistEntry 15 } ceipSecTunHistTotalRefreshes OBJECT-TYPE SYNTAX Counter32 UNITS "QM Exchanges" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of security association refreshes performed." ::= { ceipSecTunnelHistEntry 16 } ceipSecTunHistTotalSas OBJECT-TYPE SYNTAX Counter32 UNITS "SAs" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of security associations used during the life of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 17 } ceipSecTunHistInSaDHGrp OBJECT-TYPE SYNTAX CIPsecDiffHellmanGrp MAX-ACCESS read-only STATUS current DESCRIPTION "The Diffie Hellman Group used by the inbound security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 18 } ceipSecTunHistInSaEncryptAlgo OBJECT-TYPE SYNTAX CIPsecEncryptAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The encryption algorithm used by the inbound security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 19 } ceipSecTunHistInSaEncryptKeySize OBJECT-TYPE SYNTAX CIPsecEncryptionKeySize UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The size in bits of the key which was negotiated to be used with the encryption transform used with this tunnel denoted by ceipSecTunHistInSaEncryptAlgo. For DES and 3DES the key size is respectively 56 and 168. For AES, this will denote the negotiated key size." ::= { ceipSecTunnelHistEntry 20 } ceipSecTunHistInSaAhAuthAlgo OBJECT-TYPE SYNTAX CIPsecAuthAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the inbound authentication header (AH) security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 21 } ceipSecTunHistInSaEspAuthAlgo OBJECT-TYPE SYNTAX CIPsecAuthAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the inbound encapsulation security protocol (ESP) security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 22 } ceipSecTunHistInSaDecompAlgo OBJECT-TYPE SYNTAX CIPsecCompAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The decompression algorithm used by the inbound security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 23 } ceipSecTunHistOutSaDHGrp OBJECT-TYPE SYNTAX CIPsecDiffHellmanGrp MAX-ACCESS read-only STATUS current DESCRIPTION "The Diffie Hellman Group used by the outbound security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 24 } ceipSecTunHistOutSaEncryptAlgo OBJECT-TYPE SYNTAX CIPsecEncryptAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The encryption algorithm used by the outbound security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 25 } ceipSecTunHistOutSaEncryptKeySz OBJECT-TYPE SYNTAX CIPsecEncryptionKeySize UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The size in bits of the key which was negotiated to be used with the encryption transform used with this tunnel denoted by ceipSecTunHistOutSaEncryptAlgo. For DES and 3DES the key size is respectively 56 and 168. For AES, this will denote the negotiated key size." ::= { ceipSecTunnelHistEntry 26 } ceipSecTunHistOutSaAhAuthAlgo OBJECT-TYPE SYNTAX CIPsecAuthAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the outbound authentication header (AH) security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 27 } ceipSecTunHistOutSaEspAuthAlgo OBJECT-TYPE SYNTAX CIPsecAuthAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication algorithm used by the inbound ecapsulation security protocol (ESP) security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 28 } ceipSecTunHistOutSaCompAlgo OBJECT-TYPE SYNTAX CIPsecCompAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The compression algorithm used by the inbound security association of the IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 29 } ceipSecTunHistPmtu OBJECT-TYPE SYNTAX CIPsecPmtu UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The Path MTU that was determined for this IPsec Phase-2 tunnel." ::= { ceipSecTunnelHistEntry 30 } ceipSecTunHistInOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of octets received by this IPsec Phase-2 Tunnel. This value is accumulated BEFORE determining whether or not the packet should be decompressed." ::= { ceipSecTunnelHistEntry 31 } ceipSecTunHistInDecompOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of decompressed octets received by this IPsec Phase-2 Tunnel. This value is accumulated AFTER the packet is decompressed. If compression is not being used, this value will match the value of ceipSecTunInOctets. " ::= { ceipSecTunnelHistEntry 32 } ceipSecTunHistInPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 33 } ceipSecTunHistInDropPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during receive processing by this IPsec Phase-2 Tunnel. This count does NOT include packets dropped due to Anti-Replay processing." ::= { ceipSecTunnelHistEntry 34 } ceipSecTunHistInReplayDropPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during receive processing due to Anti-Replay processing by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 35 } ceipSecTunHistInAuths OBJECT-TYPE SYNTAX Counter32 UNITS "Events" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound authentication's performed by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 36 } ceipSecTunHistInAuthFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound authentication's which ended in failure by this IPsec Phase-2 Tunnel ." ::= { ceipSecTunnelHistEntry 37 } ceipSecTunHistInDecrypts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound decryption's performed by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 38 } ceipSecTunHistInDecryptFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound decryption's which ended in failure by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 39 } ceipSecTunHistOutOctets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of octets sent by this IPsec Phase-2 Tunnel. This value is accumulated AFTER determining whether or not the packet should be compressed." ::= { ceipSecTunnelHistEntry 40 } ceipSecTunHistOutUncompOctets OBJECT-TYPE SYNTAX Counter64 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "A high capacity count of the total number of uncompressed octets sent by this IPsec Phase-2 Tunnel. This value is accumulated BEFORE the packet is compressed. If compression is not being used, this value will match the value of 'ceipSecTunOutOctets'." ::= { ceipSecTunnelHistEntry 41 } ceipSecTunHistOutPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets sent by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 42 } ceipSecTunHistOutDropPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets dropped during send processing by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 43 } ceipSecTunHistOutAuths OBJECT-TYPE SYNTAX Counter32 UNITS "Events" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound authentication's performed by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 44 } ceipSecTunHistOutAuthFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound authentication's which ended in failure by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 45 } ceipSecTunHistOutEncrypts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound encryption's performed by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 46 } ceipSecTunHistOutEncryptFails OBJECT-TYPE SYNTAX Counter32 UNITS "Failures" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound encryption's which ended in failure by this IPsec Phase-2 Tunnel." ::= { ceipSecTunnelHistEntry 47 } ceipSecTunHistOutCompressedPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets which were successfully compressed." ::= { ceipSecTunnelHistEntry 48 } ceipSecTunHistOutCompSkippedPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets that were to be compressed but which were skipped due to the compression hysteresis." ::= { ceipSecTunnelHistEntry 49 } ceipSecTunHistOutCompFailPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets that failed compression because they grew in size after compression." ::= { ceipSecTunnelHistEntry 50 } ceipSecTunHistOutCompSmallPkts OBJECT-TYPE SYNTAX Counter32 UNITS "Packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets that were to be compressed but were smaller than the compression threshold size." ::= { ceipSecTunnelHistEntry 51 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec Phase-2 Tunnel Endpoint History Table -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecEndPtHistTable OBJECT-TYPE SYNTAX SEQUENCE OF CeipSecEndPtHistEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IPsec Phase-2 Tunnel Endpoint History Table. This table is conceptually a sliding window in which only the last 'N' entries are maintained, where 'N' is the value of the object 'ceipSecHistTableSize'. If the value of 'ceipSecHistTableSize' is 0, archiving of entries in this table is disabled." ::= { ceipSecHistory 3 } ceipSecEndPtHistEntry OBJECT-TYPE SYNTAX CeipSecEndPtHistEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry contains the attributes associated with a previously active IPsec Phase-2 Tunnel Endpoint." INDEX { ceipSecEndPtHistIndex } ::= { ceipSecEndPtHistTable 1 } CeipSecEndPtHistEntry ::= SEQUENCE { ceipSecEndPtHistIndex Unsigned32, ceipSecEndPtHistTunIndex Unsigned32, ceipSecEndPtHistActiveIndex Unsigned32, ceipSecEndPtHistLocalName SnmpAdminString, ceipSecEndPtHistLocalType CIPsecEndPtType, ceipSecEndPtHistLocalAddrType1 InetAddressType, ceipSecEndPtHistLocalAddr1 InetAddress, ceipSecEndPtHistLocalAddrType2 InetAddressType, ceipSecEndPtHistLocalAddr2 InetAddress, ceipSecEndPtHistLocalProtocol CiscoIpProtocol, ceipSecEndPtHistLocalPort CiscoPort, ceipSecEndPtHistRemoteName SnmpAdminString, ceipSecEndPtHistRemoteType CIPsecEndPtType, ceipSecEndPtHistRemoteAddrType1 InetAddressType, ceipSecEndPtHistRemoteAddr1 InetAddress, ceipSecEndPtHistRemoteAddrType2 InetAddressType, ceipSecEndPtHistRemoteAddr2 InetAddress, ceipSecEndPtHistRemoteProtocol CiscoIpProtocol, ceipSecEndPtHistRemotePort CiscoPort } ceipSecEndPtHistIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The number of the previously active Endpoint associated with a IPsec Phase-2 Tunnel Table. The value of this index is a number which begins at one and is incremented with each Endpoint associated with an IPsec Phase-2 Tunnel. The value of this object will wrap at 4,294,967,295." ::= { ceipSecEndPtHistEntry 1 } ceipSecEndPtHistTunIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the previously active IPsec Phase-2 Tunnel Table." ::= { ceipSecEndPtHistEntry 2 } ceipSecEndPtHistActiveIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS read-only STATUS current DESCRIPTION "The index of the previously active Endpoint." ::= { ceipSecEndPtHistEntry 3 } ceipSecEndPtHistLocalName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The DNS name of the local Endpoint." ::= { ceipSecEndPtHistEntry 4 } ceipSecEndPtHistLocalType OBJECT-TYPE SYNTAX CIPsecEndPtType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identity for the local Endpoint." ::= { ceipSecEndPtHistEntry 5 } ceipSecEndPtHistLocalAddrType1 OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address for this local Endpoint's first IP address." ::= { ceipSecEndPtHistEntry 6 } ceipSecEndPtHistLocalAddr1 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The local Endpoint's first IP address specification. If the local Endpoint type is single IP address, then this is the value of the IP address. If the local Endpoint type is IP subnet, then this is the value of the subnet. If the local Endpoint type is IP address range, then this is the value of beginning IP address of the range. If the type is an IP address, a range or a subnet, the type of the address can be inferred from cceipSecEndPtLocalType. " ::= { ceipSecEndPtHistEntry 7 } ceipSecEndPtHistLocalAddrType2 OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address for this local Endpoint's second IP address." ::= { ceipSecEndPtHistEntry 8 } ceipSecEndPtHistLocalAddr2 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The local Endpoint's second IP address specification. If the local Endpoint type is single IP address, then this is the value of the IP address. If the local Endpoint type is IP subnet, then this is the value of the subnet mask. If the local Endpoint type is IP address range, then this is the value of ending IP address of the range. If the type is an IP address, a range or a subnet, the type of the address can be inferred from cceipSecEndPtLocalType. " ::= { ceipSecEndPtHistEntry 9 } ceipSecEndPtHistLocalProtocol OBJECT-TYPE SYNTAX CiscoIpProtocol MAX-ACCESS read-only STATUS current DESCRIPTION "The protocol number of the local Endpoint's traffic." ::= { ceipSecEndPtHistEntry 10 } ceipSecEndPtHistLocalPort OBJECT-TYPE SYNTAX CiscoPort MAX-ACCESS read-only STATUS current DESCRIPTION "The port number of the local Endpoint's traffic." ::= { ceipSecEndPtHistEntry 11 } ceipSecEndPtHistRemoteName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The DNS name of the remote Endpoint." ::= { ceipSecEndPtHistEntry 12 } ceipSecEndPtHistRemoteType OBJECT-TYPE SYNTAX CIPsecEndPtType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identity for the remote Endpoint." ::= { ceipSecEndPtHistEntry 13 } ceipSecEndPtHistRemoteAddrType1 OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address for this remote Endpoint's first IP address." ::= { ceipSecEndPtHistEntry 14 } ceipSecEndPtHistRemoteAddr1 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The remote Endpoint's first IP address specification. If the remote Endpoint type is single IP address, then this is the value of the IP address. If the remote Endpoint type is IP subnet, then this is the value of the subnet. If the remote Endpoint type is IP address range, then this is the value of beginning IP address of the range. If the type is an IP address, a range or a subnet, the type of the address can be inferred from cceipSecEndPtRemoteType. " ::= { ceipSecEndPtHistEntry 15 } ceipSecEndPtHistRemoteAddrType2 OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the IP address for this remote Endpoint's second IP address." ::= { ceipSecEndPtHistEntry 16 } ceipSecEndPtHistRemoteAddr2 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The remote Endpoint's second IP address specification. If the remote Endpoint type is single IP address, then this is the value of the IP address. If the remote Endpoint type is IP subnet, then this is the value of the subnet mask. If the remote Endpoint type is IP address range, then this is the value of ending IP address of the range. If the type is an IP address, a range or a subnet, the type of the address can be inferred from cceipSecEndPtRemoteType." ::= { ceipSecEndPtHistEntry 17 } ceipSecEndPtHistRemoteProtocol OBJECT-TYPE SYNTAX CiscoIpProtocol MAX-ACCESS read-only STATUS current DESCRIPTION "The protocol number of the remote Endpoint's traffic." ::= { ceipSecEndPtHistEntry 18 } ceipSecEndPtHistRemotePort OBJECT-TYPE SYNTAX CiscoPort MAX-ACCESS read-only STATUS current DESCRIPTION "The port number of the remote Endpoint's traffic." ::= { ceipSecEndPtHistEntry 19 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec Failure Group -- -- This group consists of: -- 1) IPsec Failure Global Objects -- 2) IPsec Phase-2 Tunnel Failure Table -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecFailGlobal OBJECT IDENTIFIER ::= { ceipSecFailures 1 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec Failure Global Control Objects -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecFailGlobalCntl OBJECT IDENTIFIER ::= { ceipSecFailGlobal 1 } ceipSecFailTableSize OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-write STATUS current DESCRIPTION "The window size of the IPsec Phase-2 Failure Table. The IPsec Phase-2 Failure Tables are implemented as a sliding window in which only the last N entries are maintained. This object is used specify the number of entries which will be maintained in the IPsec Phase-2 Failure Tables. An implementation may choose suitable minimum and maximum values for this element based on the local policy and available resources. If an SNMP SET request specifies a value outside this window for this element, an appropriate SNMP error vode must be returned. Setting this value to zero is equivalent to deleting all conceptual rows in the archiving table 'ceipSecFailTable' and disabling the archiving of entries in these tables." ::= { ceipSecFailGlobalCntl 1 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec Phase-2 Failure Table -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecFailTable OBJECT-TYPE SYNTAX SEQUENCE OF CeipSecFailEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IPsec Phase-2 Failure Table. This table is implemented as a sliding window in which only the last n entries are maintained. The maximum number of entries is specified by the ceipSecFailTableSize object." ::= { ceipSecFailures 2 } ceipSecFailEntry OBJECT-TYPE SYNTAX CeipSecFailEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry contains the attributes associated with an IPsec Phase-1 failure." INDEX { ceipSecFailIndex } ::= { ceipSecFailTable 1 } CeipSecFailEntry ::= SEQUENCE { ceipSecFailIndex Unsigned32, ceipSecFailReason INTEGER, ceipSecFailTime TimeStamp, ceipSecFailTunnelIndex CIPsecPhase2TunnelIndex, ceipSecFailSaSpi CIPsecSpi, ceipSecFailPktSrcAddressType InetAddressType, ceipSecFailPktSrcAddress InetAddress, ceipSecFailPktDstAddressType InetAddressType, ceipSecFailPktDstAddress InetAddress } ceipSecFailIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IPsec Phase-2 Failure Table index. The value of the index is a number which begins at one and is incremented with each IPsec Phase-1 failure. The value of this object will wrap at 4,294,967,295." ::= { ceipSecFailEntry 1 } ceipSecFailReason OBJECT-TYPE SYNTAX INTEGER{ other(1), internalError(2), peerEncodingError(3), proposalFailure(4), protocolUseFail(5), nonExistentSa(6), decryptFailure(7), encryptFailure(8), inAuthFailure(9), outAuthFailure(10), compression(11), sysCapExceeded(12), peerDelRequest(13), peerLost(14), seqNumRollOver(15), operRequest(16) } MAX-ACCESS read-only STATUS current DESCRIPTION "The reason for the failure. Possible reasons include: 1 = other 2 = internal error occurred 3 = peer encoding error 4 = proposal failure 5 = protocol use failure 6 = non-existent security association 7 = decryption failure 8 = encryption failure 9 = inbound authentication failure 10 = outbound authentication failure 11 = compression failure 12 = system capacity failure 13 = peer delete request was received 14 = contact with peer was lost 15 = sequence number rolled over 16 = operator requested termination." ::= { ceipSecFailEntry 2 } ceipSecFailTime OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime in hundredths of seconds at the time of the failure." ::= { ceipSecFailEntry 3 } ceipSecFailTunnelIndex OBJECT-TYPE SYNTAX CIPsecPhase2TunnelIndex MAX-ACCESS read-only STATUS current DESCRIPTION "The Phase-2 Tunnel index (ceipSecTunIndex). If this conceptual row corresponds to an operation failure (that is, the failure of an established Phase-2 IPsec tunnel), then the value of this object may not be zero." ::= { ceipSecFailEntry 4 } ceipSecFailSaSpi OBJECT-TYPE SYNTAX CIPsecSpi MAX-ACCESS read-only STATUS current DESCRIPTION "The security association SPI value. If this conceptual row corresponds to a setup failure (failure to establish the tunnel), the value of this MIB object is undefined." ::= { ceipSecFailEntry 5 } ceipSecFailPktSrcAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the packet's source IP address." ::= { ceipSecFailEntry 6 } ceipSecFailPktSrcAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The packet's source IP address." ::= { ceipSecFailEntry 7 } ceipSecFailPktDstAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the packet's destination IP address." ::= { ceipSecFailEntry 8 } ceipSecFailPktDstAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The packet's destination IP address." ::= { ceipSecFailEntry 9 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- The IPsec Notification Control Group -- -- This group of objects controls the sending of IPsec -- SNMP notifications. -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ceipSecNotiCntlIpSecAllNotifs OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object sending any notification defined in this MIB module. That is, a particular notification 'foo' defined in this MIB module is enabled if and only if the expression (ceipSecNotiCntlIpSecAllNotifs && ceipSecNotiCntl) evaluates to 'true', where ceipSecNotiCntl is a notification defined in this MIB module. " DEFVAL { true } ::= { ceipSecNotificationCntl 1 } ceipSecNotifCntlIpSecTunnelStart OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IPsec Phase-2 Tunnel Start TRAP. If the value of this object is 'true', the issuing of the notification 'ciscoEnhIpsecFlowTunnelStart' is enabled. " DEFVAL { true } ::= { ceipSecNotificationCntl 2 } ceipSecNotifCntlIpSecTunnelStop OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IPsec Phase-2 Tunnel Stop TRAP. If the value of this object is 'true', the issuing of the notification 'ciscoEnhIpsecFlowTunnelStop' is enabled." DEFVAL { true } ::= { ceipSecNotificationCntl 3 } ceipSecNotifCntlIpSecSysFailure OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IPsec Phase-2 System Failure TRAP. If the value of this object is 'true', the issuing of the notification 'ciscoEnhIpsecFlowSysFailure' is enabled." DEFVAL { true } ::= { ceipSecNotificationCntl 4 } ceipSecNotifCntlIpSecSetUpFail OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IPsec Phase-2 Set Up Failure TRAP. If the value of this object is 'true', the issuing of the notification 'ciscoEnhIpsecFlowSetupFail' is enabled." DEFVAL { true } ::= { ceipSecNotificationCntl 5 } ceipSecNotifCntlIpSecBadSa OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IPsec Phase-2 No Security Association trap. If the value of this object is 'true', the issuing of the notification 'ciscoEnhIpsecFlowBadSa' is enabled." DEFVAL { true } ::= { ceipSecNotificationCntl 6 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- IPsec Notifications - TRAPs -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ciscoEnhIpsecFlowTunnelStart NOTIFICATION-TYPE OBJECTS { ceipSecTunLifeTime, ceipSecTunLifeSize } STATUS current DESCRIPTION "This notification is generated when an IPsec Phase-2 Tunnel becomes active." ::= { ciscoEnhancedIpsecFlowMIBNotifs 1 } ciscoEnhIpsecFlowTunnelStop NOTIFICATION-TYPE OBJECTS { ceipSecTunHistTermReason, ceipSecTunActiveTime } STATUS current DESCRIPTION "This notification is generated when an IPsec Phase-2 Tunnel becomes inactive." ::= { ciscoEnhancedIpsecFlowMIBNotifs 2 } ciscoEnhIpsecFlowSysFailure NOTIFICATION-TYPE OBJECTS { ceipSecFailReason, ceipSecFailPktSrcAddressType, ceipSecFailPktSrcAddress, ceipSecFailPktDstAddressType, ceipSecFailPktDstAddress } STATUS current DESCRIPTION "This notification is generated when the processing for an IPsec Phase-2 Tunnel experiences an internal or system capacity error." ::= { ciscoEnhancedIpsecFlowMIBNotifs 3 } ciscoEnhIpsecFlowSetupFail NOTIFICATION-TYPE OBJECTS { ceipSecFailReason, ceipSecFailPktSrcAddressType, ceipSecFailPktSrcAddress, ceipSecFailPktDstAddressType, ceipSecFailPktDstAddress } STATUS current DESCRIPTION "This notification is generated when the setup for an IPsec Phase-2 Tunnel fails." ::= { ciscoEnhancedIpsecFlowMIBNotifs 4 } ciscoEnhIpsecFlowBadSa NOTIFICATION-TYPE OBJECTS { ceipSecFailSaSpi } STATUS current DESCRIPTION "This notification is generated when the managed entity receives an IPsec packet with a non-existent (non-existant in the local Security Association Database) SPI." ::= { ciscoEnhancedIpsecFlowMIBNotifs 5 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- Conformance Information -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ciscoEnhIPsecFlowMIBCompliances OBJECT IDENTIFIER ::= { ciscoEnhancedIpsecFlowMIBConform 1 } ciscoIPsecFlowMIBGroups OBJECT IDENTIFIER ::= { ciscoEnhancedIpsecFlowMIBConform 2 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- Compliance Statements -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ciscoEnhIPsecFlowMIBCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMP entities pertaining to Phase-2 of IP Security Protocol." MODULE -- this module MANDATORY-GROUPS { ciscoEnhIPsecFlowActivityGroup, ciscoEnhIPsecFlowCoreHistGroup, ciscoEnhIPsecFlowCoreFailGroup, ciscoEnhIPsecFlowTunnelSaGroup } GROUP ciscoEnhIPsecFlowHistoryGroup DESCRIPTION "This group is optional and must be implemented by the agent of the managed entity if the managed entity implements historical archiving of IPsec flows." GROUP ciscoEnhIPsecFlowFailureGroup DESCRIPTION "This group is optional and must be implemented by the agent of the managed entity if the managed entity implements historical archiving of failure of IPsec Phase-2 operations and tunnels." GROUP ciscoEnhIPsecFlowNotifGroup DESCRIPTION "The group is optional." GROUP ciscoEnhIPsecFlowNotifCntlGroup DESCRIPTION "The agent must implement this group if it implements the group 'ciscoEnhIPsecFlowNotifGroup'." OBJECT ceipSecTunStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT ceipSecHistTableSize MIN-ACCESS read-only DESCRIPTION "Write access is not required. In addition, implementations which want to disable archiving of tunnels may set the value of this object to zero." OBJECT ceipSecFailTableSize MIN-ACCESS read-only DESCRIPTION "Write access is not required. In addition, implementations which want to disable archiving of failures may set the value of this object to zero." OBJECT ceipSecNotiCntlIpSecAllNotifs MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT ceipSecNotifCntlIpSecTunnelStart MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT ceipSecNotifCntlIpSecTunnelStop MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT ceipSecNotifCntlIpSecSysFailure MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT ceipSecNotifCntlIpSecSetUpFail MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT ceipSecNotifCntlIpSecBadSa MIN-ACCESS read-only DESCRIPTION "Write access is not required." ::= { ciscoEnhIPsecFlowMIBCompliances 1 } -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- Units of Conformance: List of current groups -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ ciscoEnhIPsecFlowActivityGroup OBJECT-GROUP OBJECTS { -- The IPsec Phase-2 Global Tunnel Statistics ceipSecGlobalActiveTunnels, ceipSecGlobalPreviousTunnels, ceipSecGlobalInOctets, ceipSecGlobalInDecompOctets, ceipSecGlobalInPkts, ceipSecGlobalInDrops, ceipSecGlobalInReplayDrops, ceipSecGlobalInAuths, ceipSecGlobalInAuthFails, ceipSecGlobalInDecrypts, ceipSecGlobalInDecryptFails, ceipSecGlobalOutOctets, ceipSecGlobalOutUncompOctets, ceipSecGlobalOutPkts, ceipSecGlobalOutDrops, ceipSecGlobalOutAuths, ceipSecGlobalOutAuthFails, ceipSecGlobalOutEncrypts, ceipSecGlobalOutEncryptFails, ceipSecGlobalProtocolUseFails, ceipSecGlobalNoSaFails, ceipSecGlobalSysCapFails, ceipSecGlobalOutCompressedPkts, ceipSecGlobalOutCompSkippedPkts, ceipSecGlobalOutCompFailPkts, ceipSecGlobalOutCompTooSmallPkts, -- The IPsec Phase-2 Tunnel Table ceipSecTunEncapMode, ceipSecTunLifeSize, ceipSecTunLifeTime, ceipSecTunActiveTime, ceipSecTunSaLifeSizeThreshold, ceipSecTunSaLifeTimeThreshold, ceipSecTunTotalRefreshes, ceipSecTunExpiredSaInstances, ceipSecTunCurrentSaInstances, ceipSecTunInSaDHGrp, ceipSecTunInSaEncryptAlgo, ceipSecTunInSaAhAuthAlgo, ceipSecTunInSaEspAuthAlgo, ceipSecTunInSaDecompAlgo, ceipSecTunOutSaDHGrp, ceipSecTunOutSaEncryptAlgo, ceipSecTunOutSaAhAuthAlgo, ceipSecTunOutSaEspAuthAlgo, ceipSecTunOutSaCompAlgo, ceipSecTunPmtu, ceipSecTunInOctets, ceipSecTunInDecompOctets, ceipSecTunInPkts, ceipSecTunInDropPkts, ceipSecTunInReplayDropPkts, ceipSecTunInAuths, ceipSecTunInAuthFails, ceipSecTunInDecrypts, ceipSecTunInDecryptFails, ceipSecTunOutOctets, ceipSecTunOutUncompOctets, ceipSecTunOutPkts, ceipSecTunOutDropPkts, ceipSecTunOutAuths, ceipSecTunOutAuthFails, ceipSecTunOutEncrypts, ceipSecTunOutEncryptFails, ceipSecTunOutCompressedPkts, ceipSecTunOutCompSkippedPkts, ceipSecTunOutCompFailPkts, ceipSecTunOutCompTooSmallPkts, ceipSecIfIndex, ceipSecTunStatus, ceipSecTunControlTunnelIndex, ceipSecTunControlProtocol, ceipSecTunControlTunnelAlive, ceipSecTunInSaEncryptKeySize, ceipSecTunOutSaEncryptKeySize, ceipSecTunLocalAddressType, ceipSecTunLocalAddress, ceipSecTunRemoteAddressType, ceipSecTunRemoteAddress, ceipSecTunNATTraversalMode, -- The IPsec Phase-2 Tunnel Endpoint Table ceipSecEndPtLocalName, ceipSecEndPtLocalType, ceipSecEndPtLocalAddrType1, ceipSecEndPtLocalAddr1, ceipSecEndPtLocalAddrType2, ceipSecEndPtLocalAddr2, ceipSecEndPtLocalProtocol, ceipSecEndPtLocalPort, ceipSecEndPtRemoteName, ceipSecEndPtRemoteType, ceipSecEndPtRemoteAddrType1, ceipSecEndPtRemoteAddr1, ceipSecEndPtRemoteAddrType2, ceipSecEndPtRemoteAddr2, ceipSecEndPtRemoteProtocol, ceipSecEndPtRemotePort, -- The IPsec Phase-2 Security Assocaition Table ceipSecSaDirection, ceipSecSaValue, ceipSecSaStatus } STATUS current DESCRIPTION " This group consists of: 1) IPsec Phase-2 Global Statistics 2) IPsec Phase-2 Tunnel Table 3) IPsec Phase-2 Endpoint Table 4) IPsec Phase-2 Security Association Table " REFERENCE " rfc2408, rfc2407; rfc2409 section 5.5 " ::= { ciscoIPsecFlowMIBGroups 1 } ciscoEnhIPsecFlowCoreHistGroup OBJECT-GROUP OBJECTS { -- IPsec History Global Control Objects ceipSecHistTableSize } STATUS current DESCRIPTION " This group consists of the core (mandatory) objects pertaining to maintaining history of IPsec activity. " ::= { ciscoIPsecFlowMIBGroups 2 } ciscoEnhIPsecFlowHistoryGroup OBJECT-GROUP OBJECTS { -- The IPsec Phase-2 History group ceipSecTunHistTermReason, ceipSecTunHistActiveIndex, ceipSecTunHistEncapMode, ceipSecTunHistLifeSize, ceipSecTunHistLifeTime, ceipSecTunHistStartTime, ceipSecTunHistActiveTime, ceipSecTunHistTotalRefreshes, ceipSecTunHistTotalSas, ceipSecTunHistInSaDHGrp, ceipSecTunHistInSaEncryptAlgo, ceipSecTunHistInSaAhAuthAlgo, ceipSecTunHistInSaEspAuthAlgo, ceipSecTunHistInSaDecompAlgo, ceipSecTunHistOutSaDHGrp, ceipSecTunHistOutSaEncryptAlgo, ceipSecTunHistOutSaAhAuthAlgo, ceipSecTunHistOutSaEspAuthAlgo, ceipSecTunHistOutSaCompAlgo, ceipSecTunHistPmtu, ceipSecTunHistInOctets, ceipSecTunHistInDecompOctets, ceipSecTunHistInPkts, ceipSecTunHistInDropPkts, ceipSecTunHistInReplayDropPkts, ceipSecTunHistInAuths, ceipSecTunHistInAuthFails, ceipSecTunHistInDecrypts, ceipSecTunHistInDecryptFails, ceipSecTunHistOutOctets, ceipSecTunHistOutUncompOctets, ceipSecTunHistOutPkts, ceipSecTunHistOutDropPkts, ceipSecTunHistOutAuths, ceipSecTunHistOutAuthFails, ceipSecTunHistOutEncrypts, ceipSecTunHistOutEncryptFails, ceipSecTunHistOutCompressedPkts, ceipSecTunHistOutCompSkippedPkts, ceipSecTunHistOutCompFailPkts, ceipSecTunHistOutCompSmallPkts, ceipSecTunHistControlProtocol, ceipSecTunHistControlTunnelIndex, ceipSecTunHistInSaEncryptKeySize, ceipSecTunHistOutSaEncryptKeySz, ceipSecTunHistLocalAddressType, ceipSecTunHistLocalAddress, ceipSecTunHistRemoteAddressType, ceipSecTunHistRemoteAddress, ceipSecTunHistNATTraversalMode, -- The IPsec Phase-2 End Point History Table ceipSecEndPtHistTunIndex, ceipSecEndPtHistActiveIndex, ceipSecEndPtHistLocalName, ceipSecEndPtHistLocalType, ceipSecEndPtHistLocalAddrType1, ceipSecEndPtHistLocalAddr1, ceipSecEndPtHistLocalAddrType2, ceipSecEndPtHistLocalAddr2, ceipSecEndPtHistLocalProtocol, ceipSecEndPtHistLocalPort, ceipSecEndPtHistRemoteName, ceipSecEndPtHistRemoteType, ceipSecEndPtHistRemoteAddrType1, ceipSecEndPtHistRemoteAddr1, ceipSecEndPtHistRemoteAddrType2, ceipSecEndPtHistRemoteAddr2, ceipSecEndPtHistRemoteProtocol, ceipSecEndPtHistRemotePort } STATUS current DESCRIPTION "This group consists of objects that pertain to maintenance of history of IPsec Phase 2 activity." ::= { ciscoIPsecFlowMIBGroups 3 } ciscoEnhIPsecFlowCoreFailGroup OBJECT-GROUP OBJECTS { -- Objects associated with implementing -- core failure group. ceipSecFailTableSize } STATUS current DESCRIPTION "This group consists of the core (mandatory) objects pertaining to maintaining history of failure IPsec activity." ::= { ciscoIPsecFlowMIBGroups 4 } ciscoEnhIPsecFlowFailureGroup OBJECT-GROUP OBJECTS { -- The IPsec Phase-2 Failure group ceipSecFailReason, ceipSecFailTime, ceipSecFailTunnelIndex, ceipSecFailSaSpi, ceipSecFailPktSrcAddressType , ceipSecFailPktSrcAddress , ceipSecFailPktDstAddressType , ceipSecFailPktDstAddress } STATUS current DESCRIPTION "This group consists of objects that pertain to maintenance of history of failures associated with Phase 2 IPsec activity." ::= { ciscoIPsecFlowMIBGroups 5 } ciscoEnhIPsecFlowNotifCntlGroup OBJECT-GROUP OBJECTS { ceipSecNotiCntlIpSecAllNotifs, ceipSecNotifCntlIpSecTunnelStart, ceipSecNotifCntlIpSecTunnelStop, ceipSecNotifCntlIpSecSysFailure, ceipSecNotifCntlIpSecSetUpFail, ceipSecNotifCntlIpSecBadSa } STATUS current DESCRIPTION "This group of objects controls the sending of notifications pertaining to IPsec Phase-2 processing." ::= { ciscoIPsecFlowMIBGroups 6 } ciscoEnhIPsecFlowNotifGroup NOTIFICATION-GROUP NOTIFICATIONS { ciscoEnhIpsecFlowTunnelStart, ciscoEnhIpsecFlowTunnelStop, ciscoEnhIpsecFlowSysFailure, ciscoEnhIpsecFlowSetupFail, ciscoEnhIpsecFlowBadSa } STATUS current DESCRIPTION "This group contains the notifications pertaining to Phase-2 operations and data transfer." REFERENCE " rfc2408, rfc2407; rfc2409 section 5.5 " ::= { ciscoIPsecFlowMIBGroups 7 } ciscoEnhIPsecFlowTunnelSaGroup OBJECT-GROUP OBJECTS { ceipSecTunSaValue, ceipSecTunSaIfIndex, ceipSecTunSaInOctets, ceipSecTunSaInDecompOctets, ceipSecTunSaInPkts, ceipSecTunSaInDropPkts, ceipSecTunSaInReplayDropPkts, ceipSecTunSaInAuths, ceipSecTunSaInAuthFails, ceipSecTunSaInDecrypts, ceipSecTunSaInDecryptFails, ceipSecTunSaOutOctets, ceipSecTunSaOutUncompOctets, ceipSecTunSaOutPkts, ceipSecTunSaOutDropPkts, ceipSecTunSaOutAuths, ceipSecTunSaOutAuthFails, ceipSecTunSaOutEncrypts, ceipSecTunSaOutEncryptFails, ceipSecTunSaOutCompressedPkts, ceipSecTunSaOutCompSkippedPkts, ceipSecTunSaOutCompFailPkts, ceipSecTunSaOutCompTooSmallPkts, ceipSecTunSaStatus, ceipSecIfTunnelStatus } STATUS current DESCRIPTION " This group consists of the Phase-2 IPsec tunnel Security Association and traffic information. " ::= { ciscoIPsecFlowMIBGroups 8 } END