-- This file is corresponding to Release 6.3.1.100 from 2003/03/10 00:00:00 -- (C)opyright 1999 BinTec Communications AG -- $RCSfile: mibipsec,v $ -- $Revision: 1.51.2.1 $ BIANCA-BRICK-IPSEC-MIB DEFINITIONS ::= BEGIN IMPORTS IpAddress, Counter, TimeTicks FROM RFC1155-SMI OBJECT-TYPE FROM RFC-1212; org OBJECT IDENTIFIER ::= { iso 3 } dod OBJECT IDENTIFIER ::= { org 6 } internet OBJECT IDENTIFIER ::= { dod 1 } private OBJECT IDENTIFIER ::= { internet 4 } enterprises OBJECT IDENTIFIER ::= { private 1 } bintec OBJECT IDENTIFIER ::= { enterprises 272 } bibo OBJECT IDENTIFIER ::= { bintec 4 } -- textual conventions DisplayString ::= OCTET STRING -- This data type is used to model textual information taken -- from the NVT ASCII character set. By convention, objects -- with this syntax are declared as having -- -- SIZE (0..255) HexValue ::= INTEGER BitValue ::= INTEGER -- Management Information for the IPSec Subsystem of the BIANCA/BRICK, ipsec OBJECT IDENTIFIER ::= { bibo 26 } -- Global IPSec Settings ipsecGlobals OBJECT IDENTIFIER ::= { ipsec 1 } --Static table containing global settings for IPSec ipsecGlobPeerIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of first IPsec peer in ipsecPeerTable. If this object is set to a Value <= 0, IPSec is switched explicitly off. If the peer referenced by this object does not exist in the table, all packets will be dropped." ::= { ipsecGlobals 1 } ipsecGlobDefaultAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4) -- Authentication using RSA encryption } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the authentication method used by default. If the ipsecPeerAuthMethod field of an ipsecPeerEntry and the ikePropAuthMethod field of the ikeProposalTableEntry used are set to 'default', this value is assumed. 
Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4) -- Authentication using RSA encryption." ::= { ipsecGlobals 2 } ipsecGlobDefaultCertificate OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the default certificate in the certTable used for local authentication for ike keyed rules with non pre-shared-key authentication. This may be overridden by the certificate specified for the individual ipsec peers." ::= { ipsecGlobals 3 } ipsecGlobDefaultLocalId OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "The default ID used for local authentication for ike keyed rules. If this is an empty or invalid id string, one of the subject alternative names or the subject name from the default certificate is used. This does not replace an empty local id string for an IPsec peer with a valid certificate. The subject name or one of the subject alternative names from this certificate is used then." ::= { ipsecGlobals 4 } ipsecGlobDefaultIpsecProposal OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of default ipsec proposal used for traffic entries with empty ipsec proposal, defined for peers with empty default ipsec proposal." ::= { ipsecGlobals 5 } ipsecGlobDefaultIkeProposal OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of default ike proposal used for peers with empty default ike proposal." ::= { ipsecGlobals 6 } ipsecGlobDefaultIpsecLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of default lifetime for ike SA's in ipsecLifeTimeTable. This lifetime is used when there is no valid lifetime entry specified for an IPsec peer entry." 
::= { ipsecGlobals 7 } ipsecGlobDefaultIkeLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable with the default lifetime settings used for IKE SA's. This lifetime is used whenever there is no valid lifetime entry specified for a peer entry and the IKE proposal used." ::= { ipsecGlobals 8 } ipsecGlobDefaultIkeGroup OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of default IKE group used if no IKE group is defined for a peer. Possible values: 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP)." ::= { ipsecGlobals 9 } ipsecGlobMaxSysLogLevel OBJECT-TYPE SYNTAX INTEGER { emerg(1), alert(2), crit(3), err(4), warning(5), notice(6), info(7), debug(8) } ACCESS read-write STATUS mandatory DESCRIPTION "Maximum level for syslog messages issued by IPSec. All messages with a level higher than this value are suppressed, independently from other global syslog level settings. Possible settings: emerg(1), alert(2), crit(3), err(4), warning(5), notice(6), info(7), debug(8)." ::= { ipsecGlobals 10 } ipsecGlobDefaultGranularity OBJECT-TYPE SYNTAX INTEGER { coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the default granularity used for IPSEC SA negotiation. Possible values: coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host." 
::= { ipsecGlobals 11 } ipsecGlobDefaultPh1Mode OBJECT-TYPE SYNTAX INTEGER { id-protect(1), -- Use identity protection (main) mode aggressive(2) -- Use aggressive mode } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the default exchange mode used for IKE SA negotiation. Possible values: id-protect(1), -- Use identity protection (main) mode aggressive(2) -- Use aggressive mode." ::= { ipsecGlobals 12 } ipsecGlobDefaultPfsGroup OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the PFS group to use. PFS is done only for phase 2, i.e. the Phase 1 SAs are not deleted after phase 2 negotiation is completed. Note however, that if the peer has configured PFS for identity and destroys phase 1 SAs, this side will also destroy them when notified. Possible values: 0 (no PFS) 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP)." ::= { ipsecGlobals 13 } ipsecGlobIkePort OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the port the IKE key management service listens to." ::= { ipsecGlobals 20 } ipsecGlobMaxRetries OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the maximum number of retries sent by IKE for one message." ::= { ipsecGlobals 21 } ipsecGlobRetryTimeout0milli OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the period of time in milliseconds before an IKE message is repeated for the first time if the answer is missing. After each retry, this timeout is increased up to the value specified in ipsecGlobRetryTimeoutMaxsec." ::= { ipsecGlobals 22 } ipsecGlobRetryTimeoutMaxsec OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the maximum period of time in seconds before an IKE message is repeated if the answer is missing. The retry timeout is not increased beyond this limit." 
::= { ipsecGlobals 23 } ipsecGlobMaxNegotiationTimeoutsec OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the maximum number of seconds after which a negotiation is canceled if it is not finished." ::= { ipsecGlobals 24 } ipsecGlobMaxIkeSas OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the maximum number of simultaneous ISAKMP Security associations allowed. If this limit is reached, the entries are removed from the database, starting with the ones that will expire very soon. If that is not enough, the entries are deleted in reverse LRU order." ::= { ipsecGlobals 25 } ipsecGlobAntiCloggingLength OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the length in bits of the local secret used for ISAKMP anti-clogging cookies." ::= { ipsecGlobals 26 } ipsecGlobAntiCloggingHash OBJECT-TYPE SYNTAX INTEGER { md5(3), -- MD5 hash algorithm sha1(4) -- SHA hash algorithm } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the algorithm which is used for creating anti-clogging-tokens. Possible values: md5(3), -- MD5 hash algorithm sha1(4) -- SHA hash algorithm." ::= { ipsecGlobals 27 } ipsecGlobLocalSecretPeriodsec OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the period of time in seconds after which a new secret for creating local anti-clogging tokens is created. The previous secret is remembered, so that the anti-clogging tokens created with the previous secret are also recognized as valid. After the local secret is recreated again, the old tokens are not recognized anymore and all IKE packets belonging to the old security associations are discarded. This means that the maximum lifetime of an ISAKMP SA is twice the value of this timer." 
::= { ipsecGlobals 28 } ipsecGlobIgnoreCrPayloads OBJECT-TYPE SYNTAX INTEGER { true(1), -- ignore all certificate requests false(2) -- process certificate request payloads } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether certificate request payloads should be ignored by IKE. Possible values: true(1), -- ignore all certificate requests false(2) -- process certificate request payloads." ::= { ipsecGlobals 29 } ipsecGlobNoCrPayloads OBJECT-TYPE SYNTAX INTEGER { true(1), -- suppress certificate requests false(2) -- send certificate requests } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE should suppress certificate requests. Possible values: true(1), -- suppress certificate requests false(2) -- send certificate requests." ::= { ipsecGlobals 30 } ipsecGlobNoKeyHashPayloads OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not send key hash payloads false(2) -- send key hash payloads } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE should suppress key hash payloads. Possible values: true(1), -- suppress key hash payloads false(2) -- send key hash payloads." ::= { ipsecGlobals 31 } ipsecGlobNoCrls OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not send certificate revocation lists false(2) -- send certificate revocation lists } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE should send certificate revocation lists. Possible values: true(1), -- do not send certificate revocation lists false(2) -- send certificate revocation lists." ::= { ipsecGlobals 32 } ipsecGlobSendFullCertChains OBJECT-TYPE SYNTAX INTEGER { true(1), -- send full certificate chains false(2) -- do not send full certificate chains } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE should send full certificate chains. Possible values: true(1), -- send full certificate chains false(2) -- do not send full certificate chains." 
::= { ipsecGlobals 33 } ipsecGlobTrustIcmpMsg OBJECT-TYPE SYNTAX INTEGER { true(1), -- trust ICMP messages false(2) -- do not trust ICMP messages } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE should trust icmp port and host unreachable error messages. ICMP port and host unreachable messages are only trusted if there have not yet been received any datagrams from the remote host in this negotiation. This means, if the local side receives an ICMP port or host unreachable message as the first response to the initial packet of a new phase 1 negotiation, it cancels the negotiation immediately. Possible values: true(1), -- trust ICMP messages false(2) -- do not trust ICMP messages." ::= { ipsecGlobals 34 } ipsecGlobSpiSize OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "A compatibility flag that specifies the length of the SPI in bytes, which is used when an ISAKMP SA SPI (Cookie) is sent to the remote peer. This field takes effect only if ipsecGlobZeroIsakmpCookies is true." ::= { ipsecGlobals 35 } ipsecGlobZeroIsakmpCookies OBJECT-TYPE SYNTAX INTEGER { true(1), -- send zero cookies in ISAKMP messages false(2) -- send ISAKMP cookies } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether zeroed ISAKMP cookies should be sent. Possible Values: true(1), -- send zero cookies in ISAKMP messages false(2) -- send ISAKMP cookies." ::= { ipsecGlobals 36 } ipsecGlobMaxKeyLength OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the maximum length of an encryption key (in bits) that is accepted from the remote end. This limit prevents denial of service attacks where the attacker asks for a huge key for an encryption algorithm that allows variable length keys." 
::= { ipsecGlobals 37 } ipsecGlobNoInitialContact OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not send initial contact messages false(2) -- send initial contact messages if appropriate } ACCESS read-write STATUS mandatory DESCRIPTION "Do not send IKE initial contact messages in IKE negotiations even if no SA's exist with a peer. Possible values: true(1), -- do not send initial contact messages false(2) -- send initial contact messages if appropriate." ::= { ipsecGlobals 38 } -- End Global IPSec Settings -- Second Table With Global IPSec Settings ipsecGlobalsContinued OBJECT IDENTIFIER ::= { ipsec 11 } -- Second static table containing global settings for IPSec ipsecGlobContPreIpsecRules OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies an index in the IPsec traffic table containing a list of traffic definitions which has to be considered prior to the traffic lists of the IPSec peers in IPSec traffic processing. It may contain either pass or drop entries (protect entries are ignored, if erroneously configured)." ::= { ipsecGlobalsContinued 1 } ipsecGlobContPostIpsecRules OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies an index in the IPsec traffic table containing a list of traffic definitions which has to be considered after the traffic lists of the IPSec peers in IPSec traffic processing. It may contain either pass or drop entries (protect entries are ignored, if erroneously configured)." ::= { ipsecGlobalsContinued 11 } ipsecGlobContDefaultRule OBJECT-TYPE SYNTAX INTEGER { drop(1), -- drop all packets pass(2) -- allow all packets pass plain } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies how to treat packets which do not match any entry in the traffic lists of the active peers or the pre- and post-IPSec rules. Possible values: drop(1), -- drop all packets pass(2) -- allow all packets pass plain." 
::= { ipsecGlobalsContinued 2 } ipsecGlobContUse32BitCpi OBJECT-TYPE SYNTAX INTEGER { true(1), -- send CPI as 32 bit numbers false(2) -- send CPI as 16 bit numbers } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether the CPI values in IKE IPComP negotiations should be sent as 16 bit numbers. Possible values: true(1), -- send CPI as 32 bit numbers false(2) -- send CPI as 16 bit numbers." ::= { ipsecGlobalsContinued 4 } ipsecGlobContNoWellKnownCpis OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not use the well known cpi values false(2) -- use the well known cpi values } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether the well known CPI values should be used in IKE IPComP negotiations. If set to true, IKE will allocate random CPI values from the negotiable range 256-61439. Possible values: true(1), -- do not use the well known cpi values false(2) -- use the well known cpi values." ::= { ipsecGlobalsContinued 5 } ipsecGlobContNoPmtuDiscovery OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not perform PMTU discovery false(2) -- perform PMTU discovery } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the default PMTU discovery policy if the ipsecPeerPmtuDiscovery flag is set to default. Possible values: true(1), -- do not perform PMTU discovery false(2) -- perform PMTU discovery." ::= { ipsecGlobalsContinued 7 } ipsecGlobContDefaultPmtuTtl OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the time-to-live (in minutes) of a PMTU value derived from an ICMP PMTU message received for an IPSec packet. After this time, the mtu is increased step-by-step using the values from RFC 1191 until a new ICMP PMTU message is received. A ttl value of 0 means infinite." ::= { ipsecGlobalsContinued 8 } ipsecGlobContPrivateInterface OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the index of the systems' private interface. 
If the private interface is set (i.e. non-negative), certain address spoofing attacks are made impossible by IPSec itself." ::= { ipsecGlobalsContinued 9 } ipsecGlobContSaSyncInterface OBJECT-TYPE SYNTAX INTEGER { true(1), -- delete SAs false(2) -- do not delete SAs } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE and IPSec SA's should be deleted if the interface over which the packets are initially sent is going down or dormant. Possible values: true(1), -- delete SAs false(2) -- do not delete SAs." ::= { ipsecGlobalsContinued 10 } ipsecGlobContPfsIdentityDelay OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the number of seconds to wait before deleting the underlying phase 1 SA after a Phase 2 SA has been established, if PFS for identity is configured." ::= { ipsecGlobalsContinued 15 } ipsecGlobContDefaultPfsIdentity OBJECT-TYPE SYNTAX INTEGER { true(1), -- delete phase 1 SAs false(2) -- do not delete phase 1 SAs } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE SA's should be deleted immediately after a phase 2 (IPSec-) SA pair has been negotiated. It may be overridden by the individual settings for a peer entry, if the ipsecPeerPfsIdentity is not set to 'default'. The consequence of enabling this feature is that before each phase 2 negotiation there always has to be a phase 1 negotiation. Thus individual phase 2 SAs cannot be associated with one another; respectively, if the identity of a remote peer is known to an eavesdropper for one SA, the eavesdropper cannot conclude that the next SA is negotiated with the same remote peer. Note: Setting this flag only makes sense if configured together with id-protect mode or RSA encryption for authentication and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses). 
Possible values: true(1), -- delete phase 1 SAs false(2) -- do not delete phase 1 SAs." ::= { ipsecGlobalsContinued 12 } ipsecGlobContIkeLoggingLevel OBJECT-TYPE SYNTAX INTEGER (0..127) ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the IKE logging level. IKE log messages are output as syslog messages on level debug. Note that the global syslog table level must be set to debug in order to see these messages. Possible values: 0: no IKE log messages ... 3: IKE error output ... 6: IKE trace output ... 9: IKE detailed results output 10 ...: hexdumps of IKE messages." ::= { ipsecGlobalsContinued 13 } ipsecGlobContHeartbeatDefault OBJECT-TYPE SYNTAX INTEGER { none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4) -- send and expect heartbeats } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether heartbeats should be sent over phase 1 SAs. Possible values: none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4) -- send and expect heartbeats." ::= { ipsecGlobalsContinued 16 } ipsecGlobContHeartbeatInterval OBJECT-TYPE SYNTAX INTEGER (1..900) ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the time interval in seconds between heartbeats. At this rate heartbeats are sent and/or expected if configured." ::= { ipsecGlobalsContinued 17 } ipsecGlobContHeartbeatTolerance OBJECT-TYPE SYNTAX INTEGER (1..900) ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the maximum number of missing heartbeats allowed before an SA is discarded." ::= { ipsecGlobalsContinued 18 } ipsecGlobContDialBlockTime OBJECT-TYPE SYNTAX INTEGER (-1..43200) ACCESS read-write STATUS mandatory DESCRIPTION "Amount of time in minutes how long an ipsecDial entry remains in state blocked-for-outgoing after a cost producing trigger call was detected. Given value denotes time in minutes. 
Special value -1 means to block the entry until it is unblocked manually by deactivating the entry and reactivating it afterwards. Default value is -1." ::= { ipsecGlobalsContinued 14 } ipsecGlobContMinFcChangeDelay OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The time (in milliseconds) the update of the filter code is delayed. If more changes to the filter code occur during this time, the change of the filter code is delayed up to a maximum of ipsecGlobContMaxFcChangeDelay." ::= { ipsecGlobalsContinued 64 } ipsecGlobContMaxFcChangeDelay OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The maximum time (in milliseconds) the update of the filter code is delayed if multiple phase 2 SA negotiations occur within ipsecGlobContMinFcChangeDelay." ::= { ipsecGlobalsContinued 65 } ipsecGlobContObsoleteFeatureMask OBJECT-TYPE SYNTAX BitValue ACCESS read-write STATUS mandatory DESCRIPTION "Some obsolete features are represented by a bit in this mask and can be re-enabled for testing or compatibility purposes. A mask-bit of 1 enables the appropriate (obsolete) feature. A mask-bit of 0 disables the appropriate feature completely. Bit Feature 0x00000001: re-enable delayed apf-graph-node-memory free 0x00000002: tbd. The default-value is 0 - all obsolete features are disabled. Do not change this default-value unless really necessary." ::= { ipsecGlobalsContinued 66 } ipsecGlobContUniqueIds OBJECT-TYPE SYNTAX INTEGER { true(1), -- delete SAs by remote ID false(2) -- delete SAs by remote address } ACCESS read-write STATUS mandatory DESCRIPTION "This flag decides how an INITIAL CONTACT notification from a remote peer is handled: if set to true, all SAs negotiated with peers having the same phase 1 ID as the peer which sent the notification are deleted. If set to false, all SAs negotiated with peers having the same remote address are deleted." 
::= { ipsecGlobalsContinued 67 } ipsecGlobContAntiSpoofing OBJECT-TYPE SYNTAX INTEGER { enabled (1), -- enable spoofing protection disabled (2) -- disable spoofing protection } ACCESS read-write STATUS mandatory DESCRIPTION "This object allows to enable the IPSec anti spoofing feature: It makes IPSec drop incoming clear text packets which are configured to be protected by IPSec. Note: enabling this feature together with overlapping local and remote networks increases memory consumption significantly. You can disable this feature if the spoofing protection is done e.g. by NAT." ::= { ipsecGlobalsContinued 68 } -- End Second Table With Global IPSec Settings -- IPSec RADIUS settings Table ipsecRadius OBJECT IDENTIFIER ::= { ipsec 13 } -- Table with RADIUS settings for IPSec ipsecRadiusPresetState OBJECT-TYPE SYNTAX INTEGER { not-loaded(1), -- RADIUS preset peers are not loaded loading(2), -- RADIUS preset peers are currently loaded loaded(3), -- RADIUS preset peers have been loaded reloading(4) -- RADIUS preset peers are currently reloaded } ACCESS read-only STATUS mandatory DESCRIPTION "This object shows the status of the RADIUS preset peers load process." ::= { ipsecRadius 1 } ipsecRadiusPresetPeers OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The index of the first peer of the dynamically loaded RADIUS preset peers. If zero, no RADIUS preset peers have been loaded. The RADIUS preset peers are considered before the statically configured peers." ::= { ipsecRadius 2 } -- End global IPSec Radius settings -- Public Key Table ipsecPublicKeyTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecPubKeyEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of public key pairs and ID's used with IPSec." 
::= { ipsec 2 } ipsecPubKeyEntry OBJECT-TYPE SYNTAX IpsecPubKeyEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains a key pair for a certain public key algorithm and the ids used together with this key." INDEX { ipsecPubKeyAlgorithm, ipsecPubKeyKeyLength } ::= { ipsecPublicKeyTable 1 } IpsecPubKeyEntry ::= SEQUENCE { ipsecPubKeyIndex INTEGER, ipsecPubKeyDescription DisplayString, ipsecPubKeyAlgorithm INTEGER, ipsecPubKeyKeyLength INTEGER, ipsecPubKeyPublicExponent INTEGER, ipsecPubKeyState INTEGER } ipsecPubKeyIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index for this entry." ::= { ipsecPubKeyEntry 1 } ipsecPubKeyDescription OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "An optional description for this key." ::= { ipsecPubKeyEntry 2 } ipsecPubKeyAlgorithm OBJECT-TYPE SYNTAX INTEGER { rsa(2), -- The RSA encryption algorithm dsa(3), -- The digital signature algorithm delete(15) -- Mark this entry for deletion } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the algorithm for which the key is used. Possible values: rsa(2), -- The RSA encryption algorithm dsa(3), -- The digital signature algorithm delete(15) -- Mark this entry for deletion." ::= { ipsecPubKeyEntry 3 } ipsecPubKeyKeyLength OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The size of the public and private keys in bits." ::= { ipsecPubKeyEntry 4 } ipsecPubKeyPublicExponent OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The RSA public exponent of the key. (undefined for DSA)" ::= { ipsecPubKeyEntry 5 } ipsecPubKeyState OBJECT-TYPE SYNTAX INTEGER { generating(1), -- Key generation is in progress complete(2), -- Key generation is complete error(3) -- Key generation terminated with an error } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies the state of the Key. 
Possible values: generating(1), -- Key generation is in progress complete(2), -- Key generation is complete error(3) -- Key generation terminated with an error." ::= { ipsecPubKeyEntry 6 } -- End Public Key Table -- IPSec Security Associations Table ipsecSaTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecSaEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of currently active IPSec security associations." ::= { ipsec 3 } ipsecSaEntry OBJECT-TYPE SYNTAX IpsecSaEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains an IPSec security association." INDEX { ipsecSaIndex } ::= { ipsecSaTable 1 } IpsecSaEntry ::= SEQUENCE { ipsecSaIndex INTEGER, ipsecSaState INTEGER, ipsecSaCreator INTEGER, ipsecSaDir INTEGER, ipsecSaMode INTEGER, ipsecSaSecProto INTEGER, ipsecSaPeerIp IpAddress, ipsecSaLocalIp IpAddress, ipsecSaSrcAddress IpAddress, ipsecSaSrcMaskLen INTEGER, ipsecSaSrcRange IpAddress, ipsecSaDstAddress IpAddress, ipsecSaDstMaskLen INTEGER, ipsecSaDstRange IpAddress, ipsecSaPeerIp IpAddress, ipsecSaSpi HexValue, ipsecSaAuthAlg INTEGER, ipsecSaEncAlg INTEGER, ipsecSaCompAlg INTEGER, ipsecSaAuthKeyLen INTEGER, ipsecSaEncKeyLen INTEGER, ipsecSaLifeKBytes INTEGER, ipsecSaLifeSeconds INTEGER, ipsecSaProto INTEGER, ipsecSaSrcPort INTEGER, ipsecSaDstPort INTEGER, ipsecSaSeconds INTEGER, ipsecSaBytes INTEGER, ipsecSaPackets INTEGER, ipsecSaReplayErrors INTEGER, ipsecSaRecvErrors INTEGER, ipsecSaDecryptErrors INTEGER, ipsecSaPeerIndex INTEGER, ipsecSaTrafficIndex INTEGER, ipsecSaHeartbeats INTEGER } ipsecSaIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index for this entry." 
::= { ipsecSaEntry 1 } ipsecSaState OBJECT-TYPE SYNTAX INTEGER { alive(1), -- The SA is alive and will eventually be rekeyed expired(2), -- The SA is expired and will not be rekeyed delete (3) -- mark this sa for deletion } ACCESS read-write STATUS mandatory DESCRIPTION "The current state of the security association Possible values: alive(1), -- The SA is alive and will eventually be rekeyed expired(2), -- The SA is expired and will not be rekeyed delete (3) -- mark this sa for deletion." ::= { ipsecSaEntry 3 } ipsecSaCreator OBJECT-TYPE SYNTAX INTEGER { manual(1), -- A manually keyed IPSec SA ike(2) -- An automatically keyed SA created by IKE } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies how the SA was created Possible values: manual(1), -- A manually keyed IPSec SA ike(2) -- An automatically keyed SA created by IKE." ::= { ipsecSaEntry 4 } ipsecSaDir OBJECT-TYPE SYNTAX INTEGER { inbound(1), -- An inbound security association outbound(2) -- An outbound security association } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies whether the SA is used for inbound or outbound processing. Possible values: inbound(1), -- An inbound security association outbound(2) -- An outbound security association." ::= { ipsecSaEntry 5 } ipsecSaMode OBJECT-TYPE SYNTAX INTEGER { tunnel(1), -- A tunnel mode SA transport(2) -- A transport mode SA } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies whether the SA is in tunnel or transport mode. Possible values: tunnel(1), -- A tunnel mode SA transport(2) -- A transport mode SA." ::= { ipsecSaEntry 6 } ipsecSaSecProto OBJECT-TYPE SYNTAX INTEGER { esp(50), -- Encapsulating Security Payload ah(51), -- Authentication Header ipcomp(108) -- Internet Payload Compression Protocol } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies the security protocol applied by this SA. 
Possible values: esp(50), -- Encapsulating Security Payload ah(51), -- Authentication Header ipcomp(108) -- Internet Payload Compression Protocol." ::= { ipsecSaEntry 7 } ipsecSaLocalIp OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The local IP address of the outer packet header. For transport mode SAs, this address is the same as the ipsecSaSrcAddress." ::= { ipsecSaEntry 8 } ipsecSaPeerIp OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The destination IP address of the outer packet header. For transport mode SAs, this address is the same as the ipsecSaDstAddress." ::= { ipsecSaEntry 9 } ipsecSaSrcAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The address of the source network this SA covers (if the SrcRange field is nonzero, this is the first address of a range of addresses)." ::= { ipsecSaEntry 10 } ipsecSaSrcMaskLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The mask length of the source network this SA covers (only meaningful, if the SrcRange field is zero)." ::= { ipsecSaEntry 11 } ipsecSaSrcRange OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The last address of a range of source addresses (starting with SrcAddress) this SA covers. Overrides SrcMaskLen." ::= { ipsecSaEntry 12 } ipsecSaDstAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The address of the destination network this SA covers (if the DstRange field is nonzero, this is the first address of a range of addresses)." ::= { ipsecSaEntry 13 } ipsecSaDstMaskLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The mask length of the destination network this SA covers (only meaningful, if the DstRange field is zero)." 
::= { ipsecSaEntry 14 } ipsecSaDstRange OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The last address of a range of destination addresses (starting with DstAddress) this SA covers. Overrides DstMaskLen." ::= { ipsecSaEntry 15 } ipsecSaSpi OBJECT-TYPE SYNTAX HexValue ACCESS read-only STATUS mandatory DESCRIPTION "The Security Parameters Index of this SA." ::= { ipsecSaEntry 17 } ipsecSaAuthAlg OBJECT-TYPE SYNTAX INTEGER { none(2), -- No hash algorithm md5-96(4), -- The MD5 hash algorithm sha1-96(6) -- The Secure Hash Algorithm } ACCESS read-only STATUS mandatory DESCRIPTION "The hash algorithm used, if any. Possible Values: none(2), -- No hash algorithm applied md5-96(4), -- The MD5 hash algorithm sha1-96(6) -- The Secure Hash Algorithm." ::= { ipsecSaEntry 18 } ipsecSaEncAlg OBJECT-TYPE SYNTAX INTEGER { none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4), -- Blowfish in CBC mode cast128-cbc(5), -- CAST with 128 bit key in CBC mode twofish-cbc(6), -- Twofish in CBC mode rijndael-cbc(7) -- Rijndael in CBC mode } ACCESS read-only STATUS mandatory DESCRIPTION "The encryption algorithm used, if any. Possible Values: none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4), -- Blowfish in CBC mode cast128-cbc(5), -- CAST with 128 bit key in CBC mode twofish-cbc(6), -- Twofish in CBC mode rijndael-cbc(7) -- Rijndael in CBC mode." ::= { ipsecSaEntry 19 } ipsecSaCompAlg OBJECT-TYPE SYNTAX INTEGER { none(2), -- No compression deflate(3) -- DEFLATE compression algorithm } ACCESS read-only STATUS mandatory DESCRIPTION "The compression algorithm used, if any. Possible Values: none(1), -- No compression deflate(2) -- DEFLATE compression algorithm." ::= { ipsecSaEntry 20 } ipsecSaAuthKeyLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The length of the key used for authentication, if any." 
::= { ipsecSaEntry 21 } ipsecSaEncKeyLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The length of the key used for encryption, if any." ::= { ipsecSaEntry 22 } ipsecSaLifeSeconds OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The period in seconds after which this SA will be destroyed." ::= { ipsecSaEntry 25 } ipsecSaLifeKBytes OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The amount of data allowed to be protected by this SA until it is destroyed." ::= { ipsecSaEntry 26 } ipsecSaProto OBJECT-TYPE SYNTAX INTEGER { icmp(1), igmp(2), ggp(3), ipip(4), st(5), tcp(6), cbt(7), egp(8), igp(9), bbn(10), nvp(11), pup(12), argus(13), emcon(14), xnet(15), chaos(16), udp(17), mux(18), dcn(19), hmp(20), prm(21), xns(22), trunk1(23), trunk2(24), leaf1(25), leaf2(26), rdp(27), irtp(28), isotp4(29), netblt(30), mfe(31), merit(32), sep(33), pc3(34), idpr(35), xtp(36), ddp(37), idprc(38), tp(39), il(40), ipv6(41), sdrp(42), ipv6route(43), ipv6frag(44), idrp(45), rsvp(46), gre(47), mhrp(48), bna(49), esp(50), ah(51), inlsp(52), swipe(53), narp(54), mobile(55), tlsp(56), skip(57), ipv6icmp(58), ipv6nonxt(59), ipv6opts(60), ipproto-61(61), cftp(62), local(63), sat(64), kryptolan(65), rvd(66), ippc(67), distfs(68), satmon(69), visa(70), ipcv(71), cpnx(72), cphb(73), wsn(74), pvp(75), brsatmon(76), sunnd(77), wbmon(78), wbexpak(79), isoip(80), vmtp(81), securevmtp(82), vines(83), ttp(84), nsfnet(85), dgp(86), tcf(87), eigrp(88), ospfigp(89), sprite(90), larp(91), mtp(92), ax25(93), ipwip(94), micp(95), scc(96), etherip(97), encap(98), encrypt(99), gmtp(100), ifmp(101), pnni(102), pim(103), aris(104), scps(105), qnx(106), an(107), ippcp(108), snp(109), compaq(110), ipxip(111), vrrp(112), pgm(113), hop0(114), l2tp(115), ipproto-116(116), ipproto-117(117), ipproto-118(118), ipproto-119(119), ipproto-120(120), ipproto-121(121), ipproto-122(122), ipproto-123(123), ipproto-124(124), ipproto-125(125), 
ipproto-126(126), ipproto-127(127), ipproto-128(128), ipproto-129(129), ipproto-130(130), ipproto-131(131), ipproto-132(132), ipproto-133(133), ipproto-134(134), ipproto-135(135), ipproto-136(136), ipproto-137(137), ipproto-138(138), ipproto-139(139), ipproto-140(140), ipproto-141(141), ipproto-142(142), ipproto-143(143), ipproto-144(144), ipproto-145(145), ipproto-146(146), ipproto-147(147), ipproto-148(148), ipproto-149(149), ipproto-150(150), ipproto-151(151), ipproto-152(152), ipproto-153(153), ipproto-154(154), ipproto-155(155), ipproto-156(156), ipproto-157(157), ipproto-158(158), ipproto-159(159), ipproto-160(160), ipproto-161(161), ipproto-162(162), ipproto-163(163), ipproto-164(164), ipproto-165(165), ipproto-166(166), ipproto-167(167), ipproto-168(168), ipproto-169(169), ipproto-170(170), ipproto-171(171), ipproto-172(172), ipproto-173(173), ipproto-174(174), ipproto-175(175), ipproto-176(176), ipproto-177(177), ipproto-178(178), ipproto-179(179), ipproto-180(180), ipproto-181(181), ipproto-182(182), ipproto-183(183), ipproto-184(184), ipproto-185(185), ipproto-186(186), ipproto-187(187), ipproto-188(188), ipproto-189(189), ipproto-190(190), ipproto-191(191), ipproto-192(192), ipproto-193(193), ipproto-194(194), ipproto-195(195), ipproto-196(196), ipproto-197(197), ipproto-198(198), ipproto-199(199), ipproto-200(200), ipproto-201(201), ipproto-202(202), ipproto-203(203), ipproto-204(204), ipproto-205(205), ipproto-206(206), ipproto-207(207), ipproto-208(208), ipproto-209(209), ipproto-210(210), ipproto-211(211), ipproto-212(212), ipproto-213(213), ipproto-214(214), ipproto-215(215), ipproto-216(216), ipproto-217(217), ipproto-218(218), ipproto-219(219), ipproto-220(220), ipproto-221(221), ipproto-222(222), ipproto-223(223), ipproto-224(224), ipproto-225(225), ipproto-226(226), ipproto-227(227), ipproto-228(228), ipproto-229(229), ipproto-230(230), ipproto-231(231), ipproto-232(232), ipproto-233(233), ipproto-234(234), ipproto-235(235), ipproto-236(236), 
ipproto-237(237), ipproto-238(238), ipproto-239(239), ipproto-240(240), ipproto-241(241), ipproto-242(242), ipproto-243(243), ipproto-244(244), ipproto-245(245), ipproto-246(246), ipproto-247(247), ipproto-248(248), ipproto-249(249), ipproto-250(250), ipproto-251(251), ipproto-252(252), ipproto-253(253), ipproto-254(254), dont-verify(255) } ACCESS read-only STATUS mandatory DESCRIPTION "The protocol this SA covers." ::= { ipsecSaEntry 27 } ipsecSaSrcPort OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The source port this SA covers, 0 for any." ::= { ipsecSaEntry 28 } ipsecSaDstPort OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The destination port this SA covers, 0 for any." ::= { ipsecSaEntry 29 } ipsecSaSeconds OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of seconds since this SA was created." ::= { ipsecSaEntry 30 } ipsecSaBytes OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The amount of data in kilobytes protected by this SA." ::= { ipsecSaEntry 31 } ipsecSaPackets OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of packets protected by this SA." ::= { ipsecSaEntry 32 } ipsecSaReplayErrors OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of replayed packets detected for this SA." ::= { ipsecSaEntry 33 } ipsecSaRecvErrors OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of receive errors (replayed packets not counted) detected for this SA." ::= { ipsecSaEntry 34 } ipsecSaDecryptErrors OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of decryption errors (ESP only) detected for this SA." ::= { ipsecSaEntry 35 } ipsecSaPeerIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The index of the peer for which this SA was created." 
::= { ipsecSaEntry 36 } ipsecSaTrafficIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The index of the traffic entry for which this SA was created." ::= { ipsecSaEntry 37 } ipsecSaHeartbeats OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of heartbeats received / sent by this SA." ::= { ipsecSaEntry 38 } -- End IPSec Security Associations Table -- IKE Security Associations Table ikeSaTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeSaEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of currently active IKE security associations." ::= { ipsec 4 } ikeSaEntry OBJECT-TYPE SYNTAX IkeSaEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains an IKE security association." INDEX { ikeSaIndex } ::= { ikeSaTable 1 } IkeSaEntry ::= SEQUENCE { ikeSaIndex INTEGER, ikeSaState INTEGER, ikeSaXchType INTEGER, ikeSaAuthMethod INTEGER, ikeSaAlgs DisplayString, ikeSaRole INTEGER, ikeSaLocalId DisplayString, ikeSaRemoteId DisplayString, ikeSaLocalIp IpAddress, ikeSaRemoteIp IpAddress, ikeSaCookieI OCTET STRING, ikeSaCookieR OCTET STRING, ikeSaTimes DisplayString, ikeSaNumCerts INTEGER, ikeSaNumNegotiations INTEGER, ikeSaBytes INTEGER, ikeSaMajVersion INTEGER, ikeSaMinVersion INTEGER, ikeSaPeerIndex INTEGER, ikeSaTrafficIndex INTEGER, ikeSaHeartbeatsSent INTEGER, ikeSaHeartbeatsReceived INTEGER } ikeSaIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index for this entry." ::= { ikeSaEntry 1 } ikeSaState OBJECT-TYPE SYNTAX INTEGER { negotiating(1), -- the SA is still being negotiated established(2), -- the SA negotiation is finished waiting-for-remove(3), -- the SA is waiting for removal delete(7) -- mark the SA for deletion } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the state of the SA. 
Possible values: negotiating(1), -- the SA is still being negotiated established(2), -- the SA negotiation is finished waiting-for-remove(3), -- the SA is waiting for removal delete(7) -- mark the SA for deletion." ::= { ikeSaEntry 3 } ikeSaXchType OBJECT-TYPE SYNTAX INTEGER { base(1), -- IKE base mode mode id-protect(2), -- IKE identity protection -- (oakley main mode) authentication-only(3), -- Authentication only mode aggressive(4), -- IKE (oakley) aggressive mode info(5), -- IKE informational exchange mode quick(32), -- IKE quick mode new-group(33), -- IKE new group mode any(256) -- Other mode } ACCESS read-only STATUS mandatory DESCRIPTION "The exchange mode used to create the SA. Possible values: base(1), -- IKE base mode mode id-protect(2), -- IKE identity protection -- (oakley main mode) authentication-only(3), -- Authentication only mode aggressive(4), -- IKE (oakley) aggressive mode info(5), -- IKE informational exchange mode quick(32), -- IKE quick mode new-group(33), -- IKE new group mode any(256) -- Other mode." ::= { ikeSaEntry 4 } ikeSaAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption rsa-enc-rev(5) -- Authentication using revised RSA encryption } ACCESS read-only STATUS mandatory DESCRIPTION "The authenticatin method used when negotiating this SA. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption rsa-enc-rev(5) -- Authentication using revised RSA encryption." ::= { ikeSaEntry 5 } ikeSaAlgs OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "The names of the encryption and hash algorithm and of the prf." 
::= { ikeSaEntry 6 } ikeSaRole OBJECT-TYPE SYNTAX INTEGER { initiator(1), -- this end initiated the SA negotiation responder(2) -- the remote end initiated the SA negotiation } ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies by which side the SA negotiation was initiated. Possible values: true(1), -- this end initiated the SA negotiation false(2) -- the remote end initiated the SA negotiation." ::= { ikeSaEntry 7 } ikeSaLocalId OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "The local ID used for authentication." ::= { ikeSaEntry 8 } ikeSaRemoteId OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "The remote ID used for authentication." ::= { ikeSaEntry 9 } ikeSaLocalIp OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The local IP address used in the IKE communication." ::= { ikeSaEntry 10 } ikeSaRemoteIp OBJECT-TYPE SYNTAX IpAddress ACCESS read-only STATUS mandatory DESCRIPTION "The remote IP address used in the IKE communication." ::= { ikeSaEntry 11 } ikeSaCookieI OBJECT-TYPE SYNTAX OCTET STRING ACCESS read-only STATUS mandatory DESCRIPTION "The cookie of the initiator." ::= { ikeSaEntry 12 } ikeSaCookieR OBJECT-TYPE SYNTAX OCTET STRING ACCESS read-only STATUS mandatory DESCRIPTION "The cookie of the responder." ::= { ikeSaEntry 13 } ikeSaTimes OBJECT-TYPE SYNTAX DisplayString ACCESS read-only STATUS mandatory DESCRIPTION "The creation time and last used time of the SA in human readable format." ::= { ikeSaEntry 14 } ikeSaNumCerts OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of certificates received from the remote side when negotiating this SA." ::= { ikeSaEntry 15 } ikeSaNumNegotiations OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "This object specifies the number of currently active negotiations for this SA." 
::= { ikeSaEntry 16 } ikeSaBytes OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of bytes transmitted using this SA." ::= { ikeSaEntry 17 } ikeSaMajVersion OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The IKE major version number." ::= { ikeSaEntry 18 } ikeSaMinVersion OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The IKE minor version number." ::= { ikeSaEntry 19 } ikeSaPeerIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The index of the peer for which this SA was created." ::= { ikeSaEntry 20 } ikeSaTrafficIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The index of the traffic entry for which this SA was created." ::= { ikeSaEntry 21 } ikeSaHeartbeatsSent OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of Heartbeats sent over this SA." ::= { ikeSaEntry 22 } ikeSaHeartbeatsReceived OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of Heartbeats received over this SA." ::= { ikeSaEntry 23 } -- End IKE Security Associations Table -- IPSec Peer Table ipsecPeerTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecPeerEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of IPSec peers." ::= { ipsec 5 } ipsecPeerEntry OBJECT-TYPE SYNTAX IpsecPeerEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains the description of an IPSec peer." 
INDEX { ipsecPeerTrafficList } ::= { ipsecPeerTable 1 } IpsecPeerEntry ::= SEQUENCE { ipsecPeerIndex INTEGER, ipsecPeerNextIndex INTEGER, ipsecPeerDescription DisplayString, ipsecPeerCaCerts DisplayString, ipsecPeerPeerIds DisplayString, ipsecPeerPeerAddress IpAddress, ipsecPeerDynamicAddress DisplayString, ipsecPeerLocalId DisplayString, ipsecPeerLocalAddress IpAddress, ipsecPeerLocalCert INTEGER, ipsecPeerIkeProposals INTEGER, ipsecPeerTrafficList INTEGER, ipsecPeerPublicInterface INTEGER, ipsecPeerPfsIdentity INTEGER, ipsecPeerAuthMethod INTEGER, ipsecPeerPreSharedKey DisplayString, ipsecPeerIkeGroup INTEGER, ipsecPeerPfsGroup INTEGER, ipsecPeerPh1Mode INTEGER, ipsecPeerIkeLifeTime INTEGER, ipsecPeerIpsecLifeTime INTEGER, ipsecPeerKeepAlive INTEGER, ipsecPeerGranularity INTEGER, ipsecPeerDontVerifyPad INTEGER, ipsecPeerNoPmtuDiscovery INTEGER, ipsecPeerOperStatus INTEGER, ipsecPeerIsdnCB INTEGER, ipsecPeerDefaultIpsecProposals INTEGER, ipsecPeerHeartbeats INTEGER, ipsecPeerCreator INTEGER, ipsecPeerPreSharedKeyData OCTET STRING } ipsecPeerIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index identifying this entry." ::= { ipsecPeerEntry 1 } ipsecPeerNextIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the next peer in hierarchy." ::= { ipsecPeerEntry 2 } ipsecPeerDescription OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "An optional description for this peer." ::= { ipsecPeerEntry 3 } ipsecPeerCaCerts OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "Receives a comma separated list with indices of optional certificate authority certificates accepted for this peer." ::= { ipsecPeerEntry 4 } ipsecPeerPeerIds OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "The IDs of the peer which are accepted for authentication." 
::= { ipsecPeerEntry 5 } ipsecPeerPeerAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The (fixed) IP-address of the peer. This object is obsolete. If set, its contents are copied to ipsecPeerDynamicAddress." ::= { ipsecPeerEntry 6 } ipsecPeerDynamicAddress OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "The IP-address of the peer. This object may contain either an IP address or a domain name." ::= { ipsecPeerEntry 14 } ipsecPeerLocalId OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "The local ID used for authentication." ::= { ipsecPeerEntry 7 } ipsecPeerLocalAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The local address used for IPSec encrypted packets." ::= { ipsecPeerEntry 8 } ipsecPeerLocalCert OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the certificate used for local authentication in the certTable. Only useful for automatically keyed traffic with dsa or rsa authentication." ::= { ipsecPeerEntry 9 } ipsecPeerIkeProposals OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the first IKE proposal which may be used for IKE SA negotiation with this peer." ::= { ipsecPeerEntry 10 } ipsecPeerTrafficList OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the first entry of possibly a chain of traffic entries from the ipsecTrafficTable which should be protected with IPSec using this peer." ::= { ipsecPeerEntry 11 } ipsecPeerPublicInterface OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the index of the public interface for which the traffic list assigned to this peer should be valid. If set to -1, the traffic list is valid for all interfaces. 
If the traffic is routed via a different interface, no SA negotiation is performed and traffic may be unprotected unless there is another peer for the other interface." ::= { ipsecPeerEntry 12 } ipsecPeerPfsIdentity OBJECT-TYPE SYNTAX INTEGER { true(1), -- delete phase 1 SAs false(2), -- do not delete phase 1 SAs default(3) -- use setting in ipsecGlobContDefaultPfsIdentity } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE SA's should be deleted immediately after a phase 2 (IPSec-) SA pair has been negotiated. If overrides the default setting ipsecGlobContDefaultPfsIdentity if not set to 'default'. The consequence of enabling this feature is that before each phase 2 negotiation there always has to be a phase 1 negotiation. Thus individual phase 2 SAs cannot be associated with one another or, respectively, if the identity of a remote peer is known to an eavesdropper for one SA, he cannot conclude that the next SA is negotiated with the same remote peer. Note: Setting this flag only makes sense if configured together with id-protect mode or RSA encryption for authentication and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses). Possible values: true(1), -- delete phase 1 SAs false(2), -- do not delete phase 1 SAs default(3) -- use setting in ipsecGlobContDefaultPfsIdentity." ::= { ipsecPeerEntry 13 } ipsecPeerAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(14), -- Use the default settings from the ikeProposalEntry -- used or the ipsecGlobDefaultAuthMethod delete(15) -- mark this entry for deletion } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the authentication method used for this peer. 
It overrides the setting in the IKE proposals used. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(14), -- Use the setting from the ikeProposalEntry -- used or the ipsecGlobDefaultAuthMethod delete(15) -- mark this entry for deletion." ::= { ipsecPeerEntry 20 } ipsecPeerPreSharedKey OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "The pre-shared-key used with this peer, if pre-shared-keys are used for authentication. This field serves only as an input field and its contents are replaced with a single asterisk immediately after it is set." ::= { ipsecPeerEntry 21 } ipsecPeerIkeGroup OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies a special IKE group which is to be used for this peer only. It overrides the setting in the ikeProposal used. Possible values: 0: use the value from the ikeProposal used 1: a 768-bit MODP group 2: a 1024-bit MODP group 5: a 1536-bit MODP group" ::= { ipsecPeerEntry 22 } ipsecPeerPfsGroup OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The Diffie Hellman group used for additional Perfect Forward Secrecy (PFS) DH exponentiations. Possible values: -1: explicitly do not use PFS (overrides ipsecGlob2DefaultPfsGroup), 0: use default value from ipsecGlob2DefaultPfsGroup, 1: a 768-bit MODP group, 2: a 1024-bit MODP group, 5: a 1536-bit MODP group." ::= { ipsecPeerEntry 23 } ipsecPeerPh1Mode OBJECT-TYPE SYNTAX INTEGER { id-protect(1), -- Use identity protection (main) mode aggressive(2), -- Use aggressive mode default(3) -- Use default setting from the -- ipsecGlobalsTable } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the exchange mode used for IKE SA negotiation. 
Possible values: id-protect(1), -- Use identity protection (main) mode aggressive(2), -- Use aggressive mode default(3) -- Use default settings from the -- ipsecGlobalsTable." ::= { ipsecPeerEntry 24 } ipsecPeerIkeLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable with the lifetime settings to be used for IKE SA negotiation with this peer. It overrides the setting in the IKE proposal used. If the lifetime pointed to by this index does not exist or is inappropriate, the lifetime from the IKE proposal used is taken." ::= { ipsecPeerEntry 25 } ipsecPeerIpsecLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable. This lifetime overwrites the lifetimes specified for all traffic entries and their proposals referenced by this peer entry. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used." ::= { ipsecPeerEntry 26 } ipsecPeerKeepAlive OBJECT-TYPE SYNTAX INTEGER { true(1), -- rekey SA's even if no data was transferred false(2) -- do not rekey SA's if no data was transferred } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether IKE SA's with this peer are rekeyed even if there was no data transferred over them. Possible values: true(1), -- rekey SA's even if no data was transferred false(2) -- do not rekey SA's if no data was transferred." ::= { ipsecPeerEntry 29 } ipsecPeerGranularity OBJECT-TYPE SYNTAX INTEGER { default(1), -- use the setting from the ipsecGlobalsTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the granularity with which SA's with this peer are created. 
Possible values: default(1), -- use the setting from the ipsecGlobalsTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host." ::= { ipsecPeerEntry 30 } ipsecPeerDontVerifyPad OBJECT-TYPE SYNTAX INTEGER { false(1), -- normal, self-describing ESP padding true(2) -- old style ESP padding } ACCESS read-write STATUS mandatory DESCRIPTION "This object is a compatibility option for older ipsec implementations. It enables or disables an old way of ESP padding (no self describing padding). Possible values: false(1), -- normal, self-describing ESP padding true(2) -- old style ESP padding." ::= { ipsecPeerEntry 31 } ipsecPeerNoPmtuDiscovery OBJECT-TYPE SYNTAX INTEGER { true(1), -- do not perform PMTU discovery false(2), -- perform PMTU discovery default(3)-- use default settings from -- ipsecGlobContNoPmtuDiscovery } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the PMTU discovery policy for this peer. Possible values: true(1), -- do not perform PMTU discovery false(2) -- perform PMTU discovery default(3)-- use default settings from -- ipsecGlobContNoPmtuDiscovery." ::= { ipsecPeerEntry 36 } ipsecPeerDefaultIpsecProposals OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the default IPSec proposal used for encrypting all the traffic bound to the (optional) logical interface created for this peer." ::= { ipsecPeerEntry 42 } ipsecPeerHeartbeat OBJECT-TYPE SYNTAX INTEGER { none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4), -- send and expect heartbeats default(5) -- use setting from -- ipsecGlobContHeartbeatDefault } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies whether heartbeats should be sent over phase 1 SAs for this peer. 
Possible values: none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4), -- send and expect heartbeats default(5) -- use setting from -- ipsecGlobContHeartbeatDefault." ::= { ipsecPeerEntry 43 } ipsecPeerOperStatus OBJECT-TYPE SYNTAX INTEGER { -- *** states as defined for OperStatus in ifTable *** -- up(1), -- down(2), -- testing(3), -- unknown(4), -- dormant(5), -- blocked(6) idle(32), awaiting-callback(33), calling-back(34) } ACCESS read-only STATUS mandatory DESCRIPTION "Peer operational state. Currently it only indicates whether any call back actions are ongoing. Default value is idle." ::= { ipsecPeerEntry 44 } ipsecPeerIsdnCB OBJECT-TYPE SYNTAX INTEGER { enabled(1), disabled(2), passive(3), -- expect an ISDN call and setup IPSec tunnel active(4) -- setup an ISDN call and expect IPSec tunnel setup } ACCESS read-write STATUS mandatory DESCRIPTION "Switch for turning ISDN call back feature on and off specifically for peer. Default value is disabled." ::= { ipsecPeerEntry 45 } ipsecPeerCreator OBJECT-TYPE SYNTAX INTEGER { config(1), -- created by configd/snmp radius-preset(2) -- created by RADIUS preset } ACCESS read-only STATUS mandatory DESCRIPTION "This object shows the creator of the peer entry." ::= { ipsecPeerEntry 46 } ipsecPeerPreSharedKeyData OBJECT-TYPE SYNTAX OCTET STRING ACCESS not-accessible STATUS mandatory DESCRIPTION "Field used for storing the pre-shared-key permanently." ::= { ipsecPeerEntry 63 } -- End IPSec Peer Table -- IKE Proposal Table ikeProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeProposalEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of IKE proposals. The entries may be concatenated on a logical or basis using the NextChoice field to choices of multiple proposals." ::= { ipsec 6 } ikeProposalEntry OBJECT-TYPE SYNTAX IkeProposalEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains an IKE proposal, i.e. 
the encryption algorithm and the hash algorithm used to protect traffic sent over an IKE SA." INDEX { ikePropEncAlg } ::= { ikeProposalTable 1 } IkeProposalEntry ::= SEQUENCE { ikePropIndex INTEGER, ikePropNextChoice INTEGER, ikePropDescription DisplayString, ikePropEncAlg INTEGER, ikePropHashAlg INTEGER, ikePropLifeTime INTEGER, ikePropGroup INTEGER, ikePropAuthMethod INTEGER } ikePropIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index identifying this entry." ::= { ikeProposalEntry 1 } ikePropNextChoice OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the index of the next proposal of a choice of proposals. If this object is 0, this marks the end of a proposal chain." ::= { ikeProposalEntry 2 } ikePropDescription OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "An optional textual description of the proposal chain beginning at this entry." ::= { ikeProposalEntry 3 } ikePropEncAlg OBJECT-TYPE SYNTAX INTEGER { none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4),-- Blowfish in CBC mode cast128-cbc(5), -- CAST in CBC mode with 128 bit key twofish-cbc(6), -- Twofish in CBC mode rijndael-cbc(7) -- Rijndael in CBC mode } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the encryption algorithm used to protect traffic sent over an IKE SA. Possible values: none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4), -- Blowfish in CBC mode cast128-cbc(5) -- CAST in CBC mode with 128 bit key twofish-cbc(6), -- Twofish in CBC mode rijndael-cbc(7) -- Rijndael in CBC mode." 
::= { ikeProposalEntry 4 } ikePropHashAlg OBJECT-TYPE SYNTAX INTEGER { delete(1), -- Delete this entry none(2), -- No hash algorithm md5(3), -- The MD5 hash algorithm sha1(4), -- The Secure Hash Algorithm ripemd160(5), -- The RipeMD160 Hash Algorithm tiger192(6) -- The Tiger Hash Algorithm } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the hash algorithm used to protect traffic sent over an IKE SA. Possible values: delete(1), -- Delete this entry none(2), -- No hash algorithm md5(3), -- The MD5 hash algorithm sha1(4), -- The Secure Hash Algorithm ripemd160(5),-- The RipeMD160 Hash Algorithm tiger192(6) -- The Tiger Hash Algorithm." ::= { ikeProposalEntry 5 } ikePropLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable with the lifetime settings to be used for IKE SA negotiation with this proposal. It may be overridden by a valid lifetime index of an IPSec peer. If this object is set to zero or the lifetime pointed to by this index does not exist or is inappropriate, the setting in ipsecGlobDefaultIkeProposal is used." ::= { ikeProposalEntry 6 } ikePropGroup OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index of the IKE group used with this proposal. It may be overridden by a valid IKE group index of an IPSec peer or in ipsecGlobDefaultIkeGroup. Possible values: 0 (use default setting in ipsecPeerIkeGroup or ipsecGlobDefaultIkeGroup), 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP)." 
::= { ikeProposalEntry 7 } ikePropAuthMethod OBJECT-TYPE SYNTAX INTEGER { pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(33) -- Use default authentication method } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the authentication method used with this proposal. It may be overridden by the setting in the ipsecPeerEntry table. If set to 'default' the value in ipsecGlobDefaultAuthMethod is used. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(33) -- Use default authentication method." ::= { ikeProposalEntry 8 } -- End IKE Proposal Table -- IPSec Traffic Table ipsecTrafficTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecTrafficEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains lists of Traffic and the actions which should be applied to it, together with the necessary parameters." ::= { ipsec 7 } ipsecTrafficEntry OBJECT-TYPE SYNTAX IpsecTrafficEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains a description of a type of IP traffic and the action which should be applied to it together with the necessary parameters." 
INDEX { ipsecTrProto } ::= { ipsecTrafficTable 1 } IpsecTrafficEntry ::= SEQUENCE { ipsecTrIndex INTEGER, ipsecTrNextIndex INTEGER, ipsecTrDescription DisplayString, ipsecTrLocalAddress IpAddress, ipsecTrLocalMaskLen INTEGER, ipsecTrLocalRange IpAddress, ipsecTrRemoteAddress IpAddress, ipsecTrRemoteMaskLen INTEGER, ipsecTrRemoteRange IpAddress, ipsecTrProto INTEGER, ipsecTrLocalPort INTEGER, ipsecTrRemotePort INTEGER, ipsecTrAction INTEGER, ipsecTrProposal INTEGER, ipsecTrForceTunnelMode INTEGER, ipsecTrLifeTime INTEGER, ipsecTrGranularity INTEGER, ipsecTrKeepAlive INTEGER, ipsecTrInterface INTEGER, ipsecTrDirection INTEGER, ipsecTrInSpi HexValue, ipsecTrOutSpi HexValue, ipsecTrEncKeyIn DisplayString, ipsecTrEncKeyOut DisplayString, ipsecTrAuthKeyIn DisplayString, ipsecTrAuthKeyOut DisplayString, ipsecTrCreator INTEGER, ipsecTrEncKeyDataIn OCTET STRING, ipsecTrEncKeyDataOut OCTET STRING, ipsecTrAuthKeyDataIn OCTET STRING, ipsecTrAuthKeyDataOut OCTET STRING } ipsecTrIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index identifying this entry." ::= { ipsecTrafficEntry 1 } ipsecTrNextIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the index of the next traffic entry in hierarchy." ::= { ipsecTrafficEntry 2 } ipsecTrDescription OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "An optional human readable description for this traffic entry." ::= { ipsecTrafficEntry 3 } ipsecTrLocalAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The source IP-address of this traffic entry. It maybe either a single address, a network address (in combination with ipsecTrSrcMask), or the first address of an address range (in combination with ipsecTrLocalRange)." 
::= { ipsecTrafficEntry 4 } ipsecTrLocalMaskLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The length of the network mask for a source network." ::= { ipsecTrafficEntry 5 } ipsecTrLocalRange OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The last address of a source address range. If this field is nonzero, the ipsecTrLocalMaskLen field is ignored and the source is considered as a range of addresses beginning with ipsecTrLocalAddress and ending with ipsecTrLocalRange." ::= { ipsecTrafficEntry 6 } ipsecTrRemoteAddress OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The destination IP-address of this traffic entry. It maybe either a single address, a network address (in combination with ipsecTrDstMask), or the first address of an address range (in combination with ipsecTrRemoteRange)." ::= { ipsecTrafficEntry 7 } ipsecTrRemoteMaskLen OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The length of the network mask for a destination network." ::= { ipsecTrafficEntry 8 } ipsecTrRemoteRange OBJECT-TYPE SYNTAX IpAddress ACCESS read-write STATUS mandatory DESCRIPTION "The last address of a destination address range. If this field is nonzero, the ipsecTrRemoteMaskLen field is ignored and the source is considered as a range of addresses beginning with ipsecTrRemoteAddress and ending with ipsecTrRemoteRange." 
::= { ipsecTrafficEntry 9 }
-- IP protocol number of the selector. The enumeration mirrors the IANA
-- protocol-number registry; numbers without a registered name are spelled
-- ipproto-N. dont-verify(255) reuses the number IANA lists as reserved and,
-- judging by its name, presumably matches any protocol (confirm with the
-- agent). A dont-verify row with action pass(3) and wide address selectors
-- is a catch-all allow rule, so audit such rows first.
ipsecTrProto OBJECT-TYPE SYNTAX INTEGER { icmp(1), igmp(2), ggp(3), ipip(4), st(5), tcp(6), cbt(7), egp(8), igp(9), bbn(10), nvp(11), pup(12), argus(13), emcon(14), xnet(15), chaos(16), udp(17), mux(18), dcn(19), hmp(20), prm(21), xns(22), trunk1(23), trunk2(24), leaf1(25), leaf2(26), rdp(27), irtp(28), isotp4(29), netblt(30), mfe(31), merit(32), sep(33), pc3(34), idpr(35), xtp(36), ddp(37), idprc(38), tp(39), il(40), ipv6(41), sdrp(42), ipv6route(43), ipv6frag(44), idrp(45), rsvp(46), gre(47), mhrp(48), bna(49), esp(50), ah(51), inlsp(52), swipe(53), narp(54), mobile(55), tlsp(56), skip(57), ipv6icmp(58), ipv6nonxt(59), ipv6opts(60), ipproto-61(61), cftp(62), local(63), sat(64), kryptolan(65), rvd(66), ippc(67), distfs(68), satmon(69), visa(70), ipcv(71), cpnx(72), cphb(73), wsn(74), pvp(75), brsatmon(76), sunnd(77), wbmon(78), wbexpak(79), isoip(80), vmtp(81), securevmtp(82), vines(83), ttp(84), nsfnet(85), dgp(86), tcf(87), eigrp(88), ospfigp(89), sprite(90), larp(91), mtp(92), ax25(93), ipwip(94), micp(95), scc(96), etherip(97), encap(98), encrypt(99), gmtp(100), ifmp(101), pnni(102), pim(103), aris(104), scps(105), qnx(106), an(107), ippcp(108), snp(109), compaq(110), ipxip(111), vrrp(112), pgm(113), hop0(114), l2tp(115), ipproto-116(116), ipproto-117(117), ipproto-118(118), ipproto-119(119), ipproto-120(120), ipproto-121(121), ipproto-122(122), ipproto-123(123), ipproto-124(124), ipproto-125(125), ipproto-126(126), ipproto-127(127), ipproto-128(128), ipproto-129(129), ipproto-130(130), ipproto-131(131), ipproto-132(132), ipproto-133(133), ipproto-134(134), ipproto-135(135), ipproto-136(136), ipproto-137(137), ipproto-138(138), ipproto-139(139), ipproto-140(140), ipproto-141(141), ipproto-142(142), ipproto-143(143), ipproto-144(144), ipproto-145(145), ipproto-146(146), ipproto-147(147), ipproto-148(148), ipproto-149(149), ipproto-150(150), ipproto-151(151), ipproto-152(152), ipproto-153(153), ipproto-154(154), ipproto-155(155),
ipproto-156(156), ipproto-157(157), ipproto-158(158), ipproto-159(159), ipproto-160(160), ipproto-161(161), ipproto-162(162), ipproto-163(163), ipproto-164(164), ipproto-165(165), ipproto-166(166), ipproto-167(167), ipproto-168(168), ipproto-169(169), ipproto-170(170), ipproto-171(171), ipproto-172(172), ipproto-173(173), ipproto-174(174), ipproto-175(175), ipproto-176(176), ipproto-177(177), ipproto-178(178), ipproto-179(179), ipproto-180(180), ipproto-181(181), ipproto-182(182), ipproto-183(183), ipproto-184(184), ipproto-185(185), ipproto-186(186), ipproto-187(187), ipproto-188(188), ipproto-189(189), ipproto-190(190), ipproto-191(191), ipproto-192(192), ipproto-193(193), ipproto-194(194), ipproto-195(195), ipproto-196(196), ipproto-197(197), ipproto-198(198), ipproto-199(199), ipproto-200(200), ipproto-201(201), ipproto-202(202), ipproto-203(203), ipproto-204(204), ipproto-205(205), ipproto-206(206), ipproto-207(207), ipproto-208(208), ipproto-209(209), ipproto-210(210), ipproto-211(211), ipproto-212(212), ipproto-213(213), ipproto-214(214), ipproto-215(215), ipproto-216(216), ipproto-217(217), ipproto-218(218), ipproto-219(219), ipproto-220(220), ipproto-221(221), ipproto-222(222), ipproto-223(223), ipproto-224(224), ipproto-225(225), ipproto-226(226), ipproto-227(227), ipproto-228(228), ipproto-229(229), ipproto-230(230), ipproto-231(231), ipproto-232(232), ipproto-233(233), ipproto-234(234), ipproto-235(235), ipproto-236(236), ipproto-237(237), ipproto-238(238), ipproto-239(239), ipproto-240(240), ipproto-241(241), ipproto-242(242), ipproto-243(243), ipproto-244(244), ipproto-245(245), ipproto-246(246), ipproto-247(247), ipproto-248(248), ipproto-249(249), ipproto-250(250), ipproto-251(251), ipproto-252(252), ipproto-253(253), ipproto-254(254), dont-verify(255) } ACCESS read-write STATUS mandatory DESCRIPTION "The transport protocol defined for this entry."
::= { ipsecTrafficEntry 10 }

-- Port selectors. No range constraint is declared and the description does
-- not say which value means "any port"; confirm with the agent before
-- treating a port-less row as a wildcard.
ipsecTrLocalPort OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "The source port defined for this traffic entry."
    ::= { ipsecTrafficEntry 11 }

ipsecTrRemotePort OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "The destination port defined for this traffic entry."
    ::= { ipsecTrafficEntry 12 }

-- Action applied to packets matching the selector of this row.
-- NOTE(review): always-plain(2) forwards matching packets unprotected even
-- when an SA exists and irrespective of the row's position in the chain; it
-- is effectively a global bypass for its selector and is the first thing to
-- examine when auditing a policy. Only protect(4) drops unprotected packets
-- of its kind; pass(3) rows are plain allow rules.
ipsecTrAction OBJECT-TYPE
    SYNTAX INTEGER {
        delete(1),          -- Delete this entry
        always-plain(2),    -- Forward the packets without
                            -- protection even if there is a
                            -- matching SA and independent from
                            -- the position of the traffic entry
                            -- in the list.
        pass(3),            -- Forward the packets without
                            -- protection
        protect(4),         -- Protect the traffic as specified
                            -- in the proposal. Drop unprotected
                            -- traffic of this kind.
        drop(5)             -- Drop all packets matching this
                            -- traffic entry
    }
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "The action to be applied to traffic matching this entry. Possible values: delete(1), -- Delete this entry always-plain(2), -- Forward the packets without -- protection even if there is a -- matching SA and independent from -- the position of the traffic entry -- in the list. pass(3), -- Forward the packets without -- protection protect(4), -- Protect the traffic as specified -- in the proposal. Drop unprotected -- traffic of this kind. drop(5) -- Drop all packets matching this -- traffic entry."
    ::= { ipsecTrafficEntry 13 }

-- First row of the ipsecProposalTable chain offered for protect(4) rows. A
-- manual proposal here selects manual keying (objects 30..35 of this row).
ipsecTrProposal OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object specifies an index in the ipsecProposalTable. This may be the first proposal of possibly a choice of multiple, optionally nested proposals which is to be offered with IKE (automatic keying) or a manual proposal (manual keying)."
    ::= { ipsecTrafficEntry 14 }

-- Transport mode is chosen automatically whenever the selector endpoints
-- coincide with the SA endpoints; set true(1) if the policy requires tunnel
-- mode for such traffic regardless.
ipsecTrForceTunnelMode OBJECT-TYPE
    SYNTAX INTEGER {
        true(1),    -- Use tunnel mode even if transport mode is possible
        false(2)    -- Use transport mode whenever possible
    }
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object specifies the strategy when transport mode is used. By default, the system always uses transport mode, if possible. If this variable is set to true, always tunnel mode will be used for this traffic entry, even if source and destination address match the tunnel endpoints. Possible values: true(1), -- Use tunnel mode even if transport mode is possible false(2) -- Use transport mode whenever possible."
    ::= { ipsecTrafficEntry 15 }

-- Lifetime precedence, from the descriptions in this module:
-- peer entry > this object > ipsecPropLifeTime > global default.
ipsecTrLifeTime OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object specifies an index in the ipsecLifeTimeTable. This lifetime overwrites the lifetimes specified for all proposals referenced by this traffic entry. It may itself be overwritten by an explicit lifetime specified for the peer entry referencing this traffic entry. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used."
    ::= { ipsecTrafficEntry 16 }

-- Finer granularity means more SAs and more IKE quick-mode negotiations for
-- the same traffic (see ipsecStatsCurrentIpsecSas / ipsecStatsIkeNumQm).
ipsecTrGranularity OBJECT-TYPE
    SYNTAX INTEGER {
        default(1),     -- use the setting from the ipsecPeerTable
        coarse(2),      -- Create only one SA for each Traffic entry
        ip(3),          -- Create one SA for each host
        proto(4),       -- Create one SA for each protocol and host
        port(5)         -- Create one SA for each port and host
    }
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object specifies the granularity with which SA's must be created for this kind of traffic. Possible values: default(1), -- use the setting from the ipsecPeerTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host."
    ::= { ipsecTrafficEntry 17 }

-- Rekey-on-soft-lifetime even for idle SAs; keeps the tunnel up at the cost
-- of periodic IKE traffic.
ipsecTrKeepAlive OBJECT-TYPE
    SYNTAX INTEGER {
        true(1),    -- rekey SA's even if no data was transferred
        false(2),   -- do not rekey SA's if no data was transferred
        default(3)  -- use the default setting from the peer entry
                    -- referencing this traffic entry
    }
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object specifies whether SA's created for this kind of traffic should be rekeyed on expiration of soft lifetimes even if there has not been sent any traffic over them. Possible values: true(1), -- rekey SA's even if no data was transferred false(2), -- do not rekey SA's if no data was transferred default(3) -- use the default setting from the peer entry -- referencing this traffic entry."
    ::= { ipsecTrafficEntry 18 }

-- Interface restriction for pass/drop rows only; per the description it is
-- ignored for protect(4) rows, so it cannot narrow where protected traffic
-- is accepted. -1 means no restriction.
ipsecTrInterface OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object specifies the interface for which the traffic entry should be valid (pass and drop entries only). If ipsecTrAction is set to ipsecTrAction_protect, this object is ignored. If this object is set to -1, there is no interface restriction."
    ::= { ipsecTrafficEntry 19 }

-- NOTE(review): the enumeration comments read inverted relative to the
-- labels: inbound(2) is annotated "from local to remote" and outbound(3)
-- "from remote to local". Either the labels or the annotations are wrong.
-- Since this decides which packets a direction-restricted pass/drop row
-- matches, verify the agent's actual behaviour before depending on it.
ipsecTrDirection OBJECT-TYPE
    SYNTAX INTEGER {
        bidirectional(1),   -- matches packets from remote to local
                            -- and vice versa
        inbound(2),         -- matches only packets from local to remote
        outbound(3)         -- matches only packets from remote to local
    }
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object specifies the direction for which this traffic entry should match. It only applies for pass and drop entries, for protect entries it is meaningless. Possible values: bidirectional(1), -- matches packets from remote to local -- and vice versa inbound(2), -- matches only packets from local to remote outbound(3) -- matches only packets from remote to local."
::= { ipsecTrafficEntry 20 }

-- Manual-keying parameters (objects 30..35). They are evaluated only for rows
-- whose proposal is a manual one; for IKE-keyed rows they are ignored.
-- NOTE(review): both SPI descriptions say the value "is chosen randomly by
-- the initiator" for automatically keyed SAs. In IKE each endpoint selects
-- the SPI of its own inbound SA, so the value that ends up as this device's
-- outbound SPI is chosen by the remote peer, initiator or not. Wording to
-- confirm against the implementation.
ipsecTrInSpi OBJECT-TYPE
    SYNTAX HexValue
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object specifies the Security Parameters Index (SPI) which should be used for the inbound SA of a manually keyed traffic entry. The SPI is used to distinguish between multiple IPSec connections to the same peer with the same security protocol. The outbound SPI of the remote sides' corresponding traffic entry has to be equal to this value. This object is ignored for automatically keyed SAs, as it is chosen randomly by the initiator."
    ::= { ipsecTrafficEntry 30 }

ipsecTrOutSpi OBJECT-TYPE
    SYNTAX HexValue
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object specifies the Security Parameters Index (SPI) which should be used for the outbound SA of a manually keyed traffic entry. The SPI is used to distinguish between multiple IPSec connections to the same peer with the same security protocol. The inbound SPI of the remote sides' corresponding traffic entry has to be equal to this value. This object is ignored for automatically keyed SAs, as it is chosen randomly by the initiator."
    ::= { ipsecTrafficEntry 31 }

-- Write-only key entry (objects 32..35). The readable value collapses to a
-- single "*" right after the set, so a GET never returns key material; the
-- decoded bytes live in the not-accessible *KeyData* objects.
-- NOTE(review): the SET itself is only as confidential as the management
-- channel. This module is SMIv1, and community-based SNMPv1/v2c carries the
-- key in cleartext on the wire, so manual keys should be entered on the
-- console or over an already protected management path. Manually keyed SAs
-- are not rekeyed by IKE; presumably they are rotated by re-setting these
-- objects (confirm).
ipsecTrEncKeyIn OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object serves as an input field for the inbound encryption key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatically keyed traffic entries or for traffic entries which do not require an encryption key."
    ::= { ipsecTrafficEntry 32 }

ipsecTrEncKeyOut OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object serves as an input field for the outbound encryption key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatically keyed traffic entries or for traffic entries which do not require an encryption key."
    ::= { ipsecTrafficEntry 33 }

ipsecTrAuthKeyIn OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object serves as an input field for the inbound authentication key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatically keyed traffic entries or for traffic entries which do not require an authentication key."
    ::= { ipsecTrafficEntry 34 }

ipsecTrAuthKeyOut OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This object serves as an input field for the outbound authentication key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatically keyed traffic entries or for traffic entries which do not require an authentication key."
    ::= { ipsecTrafficEntry 35 }

-- Provenance of the row. radius-preset(2) rows were pushed by a RADIUS
-- server rather than entered locally; policy of external origin is worth
-- auditing separately from the local configuration.
ipsecTrCreator OBJECT-TYPE
    SYNTAX INTEGER {
        config(1),          -- created by configd/snmp
        radius-preset(2)    -- created by RADIUS preset
    }
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "This object shows the creator of the traffic entry."
::= { ipsecTrafficEntry 36 } ipsecTrEncKeyDataIn OBJECT-TYPE SYNTAX OCTET STRING ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= { ipsecTrafficEntry 65 } ipsecTrEncKeyDataOut OBJECT-TYPE SYNTAX OCTET STRING ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= { ipsecTrafficEntry 66 } ipsecTrAuthKeyDataIn OBJECT-TYPE SYNTAX OCTET STRING ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= { ipsecTrafficEntry 67 } ipsecTrAuthKeyDataOut OBJECT-TYPE SYNTAX OCTET STRING ACCESS not-accessible STATUS mandatory DESCRIPTION "" ::= { ipsecTrafficEntry 68 } -- End IPSec Traffic Table -- IPSec Proposal Table ipsecProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecProposalEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of IPSec proposals known to the system. The combinations of algorithms allowed are constructed from any combinations of algorithms enabled in an entry, in the order of the preferences specified." ::= { ipsec 8 } ipsecProposalEntry OBJECT-TYPE SYNTAX IpsecProposalEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains an IPSec proposal, i.e. a proposed set of security parameters applied to traffic sent over an IPSec security association." 
INDEX { ipsecPropProto } ::= { ipsecProposalTable 1 } IpsecProposalEntry ::= SEQUENCE { ipsecPropIndex INTEGER, ipsecPropNext INTEGER, ipsecPropDescription DisplayString, ipsecPropProto INTEGER, ipsecPropEncAlg INTEGER, ipsecPropAuthAlg INTEGER, ipsecPropLifeTime INTEGER, ipsecPropIpcomp INTEGER, ipsecPropEspRijndael INTEGER, ipsecPropEspTwofish INTEGER, ipsecPropEspBlowfish INTEGER, ipsecPropEspCast INTEGER, ipsecPropEspDes3 INTEGER, ipsecPropEspDes INTEGER, ipsecPropEspNull INTEGER, ipsecPropEspMd5 INTEGER, ipsecPropEspSha1 INTEGER, ipsecPropEspNoMac INTEGER, ipsecPropAhMd5 INTEGER, ipsecPropAhSha1 INTEGER, ipsecPropIpcompDeflate INTEGER } ipsecPropIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index for this entry." ::= { ipsecProposalEntry 1 } ipsecPropNext OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index of the next Proposal in the actual chain." ::= { ipsecProposalEntry 2 } ipsecPropDescription OBJECT-TYPE SYNTAX DisplayString ACCESS read-write STATUS mandatory DESCRIPTION "An optional human readable description for this proposal." ::= { ipsecProposalEntry 4 } ipsecPropProto OBJECT-TYPE SYNTAX INTEGER { esp(1), -- Encapsulating Security Payload ah(2), -- Authentication Header esp-ah(3), -- ESP and AH delete(8) -- delete this entry } ACCESS read-write STATUS mandatory DESCRIPTION "The security protocol to apply. Possible values: esp(1), -- Encapsulating Security Payload ah(2), -- Authentication Header esp-ah(3), -- ESP and AH delete(8) -- delete this entry." ::= { ipsecProposalEntry 6 } ipsecPropEncAlg OBJECT-TYPE SYNTAX INTEGER { none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4),-- Blowfish in CBC mode cast128-cbc(5) -- CAST with 128 bit key in CBC mode } ACCESS read-write STATUS mandatory DESCRIPTION "The use of this object is deprecated. 
An entry containing a nonzero value in this field is converted to a new entry. All algorithms are reset to zero, only the one corresponding to the algorithm specified in this field and in the ipsecPropAuthAlg field are set." ::= { ipsecProposalEntry 7 } ipsecPropAuthAlg OBJECT-TYPE SYNTAX INTEGER { none(2), -- No hmac md5-96(4), -- Use the MD5 hash algorithm with 96 bit -- output sha1-96(6) -- Use the Secure Hash Algorithm with 96 bit -- output } ACCESS read-write STATUS mandatory DESCRIPTION "The use of this object is deprecated. An entry containing a nonzero value in this field is converted to a new entry. All algorithms are reset to zero, only the one corresponding to the algorithm specified in this field and in the ipsecPropEncAlg field are set." ::= { ipsecProposalEntry 8 } ipsecPropLifeTime OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The index in the ipsecLifeTimeTable containing the lifetime values ued for an SA created from this proposal. This field may be overwritten by an explicit lifetime specified for the traffic entry which references this proposal entry, or by an explicit lifetime specified for the peer entry referencing that traffic entry. If this field is empty or points to a nonexistent or inappropriate lifetime entry, the default life time from the ipsecGlobalsTable is used." ::= { ipsecProposalEntry 10 } ipsecPropIpcomp OBJECT-TYPE SYNTAX INTEGER { enabled(1), -- Enable IPComP disabled(2), -- Disable IPComP force(3) -- Force use of IPComP } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the use of IPComP in the proposal. Possible values: enabled(1), -- Enable IPComP disabled(2), -- Disable IPComP force(3) -- Force use of IPComP." ::= { ipsecProposalEntry 20 } ipsecPropEspRijndael OBJECT-TYPE SYNTAX INTEGER (0..7) ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the use of the Rijndael encryption algorithm in the proposal. 
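Possible values: 0, -- disables Rijndael 1..7 -- enables Rijndael and specifies its priority among the encryption algorithms."
    ::= { ipsecProposalEntry 40 }

-- Per-algorithm priority selectors, continued. Every enabled algorithm is
-- offered (see ipsecProposalTable), so the weakest enabled one bounds the
-- security of whatever the peer negotiates.
ipsecPropEspTwofish OBJECT-TYPE
    SYNTAX  INTEGER (0..7)
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION "This object specifies the use of the Twofish encryption algorithm in the proposal. Possible values: 0, -- disables Twofish 1..7 -- enables Twofish and specifies its priority among the encryption algorithms."
    ::= { ipsecProposalEntry 41 }

ipsecPropEspBlowfish OBJECT-TYPE
    SYNTAX  INTEGER (0..7)
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION "This object specifies the use of the Blowfish encryption algorithm in the proposal. Possible values: 0, -- disables Blowfish 1..7 -- enables Blowfish and specifies its priority among the encryption algorithms."
    ::= { ipsecProposalEntry 42 }

ipsecPropEspCast OBJECT-TYPE
    SYNTAX  INTEGER (0..7)
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION "This object specifies the use of the Cast encryption algorithm in the proposal. Possible values: 0, -- disables Cast 1..7 -- enables Cast and specifies its priority among the encryption algorithms."
    ::= { ipsecProposalEntry 43 }

ipsecPropEspDes3 OBJECT-TYPE
    SYNTAX  INTEGER (0..7)
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION "This object specifies the use of the DES3 encryption algorithm in the proposal. Possible values: 0, -- disables DES3 1..7 -- enables DES3 and specifies its priority among the encryption algorithms."
    ::= { ipsecProposalEntry 44 }

-- NOTE(review): single DES is a 56-bit cipher and is brute-forceable; keep it
-- at 0 in any row used with an untrusted network.
ipsecPropEspDes OBJECT-TYPE
    SYNTAX  INTEGER (0..7)
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION "This object specifies the use of the DES encryption algorithm in the proposal. Possible values: 0, -- disables DES 1..7 -- enables DES and specifies its priority among the encryption algorithms."
    ::= { ipsecProposalEntry 45 }

-- NULL encryption (ESP with integrity but no confidentiality). The original
-- description was a copy of the DES text and has been corrected to describe
-- this object.
-- NOTE(review): an ESP row with NULL enabled at any priority may be
-- negotiated down to cleartext by the peer.
ipsecPropEspNull OBJECT-TYPE
    SYNTAX  INTEGER (0..7)
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION "This object specifies the use of the NULL encryption algorithm (ESP without confidentiality) in the proposal. Possible values: 0, -- disables NULL encryption 1..7 -- enables NULL encryption and specifies its priority among the encryption algorithms."
    ::= { ipsecProposalEntry 46 }

-- ESP integrity algorithms (HMAC-MD5-96 / HMAC-SHA1-96 per the deprecated
-- ipsecPropAuthAlg labels). MD5 is deprecated in most profiles; prefer SHA-1.
ipsecPropEspMd5 OBJECT-TYPE
    SYNTAX  INTEGER (0..3)
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION "This object specifies the use of the MD5 authentication algorithm for ESP in the proposal. Possible values: 0, -- disables MD5 1..3 -- enables MD5 and specifies its priority among the authentication algorithms."
    ::= { ipsecProposalEntry 50 }

ipsecPropEspSha1 OBJECT-TYPE
    SYNTAX  INTEGER (0..3)
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION "This object specifies the use of the Sha1 authentication algorithm for ESP in the proposal. Possible values: 0, -- disables SHA-1 1..3 -- enables SHA-1 and specifies its priority among the authentication algorithms."
    ::= { ipsecProposalEntry 51 }

-- ESP without any MAC. The original description said "0, disables ESP", which
-- reads as disabling ESP altogether; it disables only the no-MAC option.
-- NOTE(review): encryption-only ESP is malleable: with the CBC ciphers in
-- this module an attacker can flip plaintext bits and mount padding and
-- bit-flipping oracle attacks against the receiver. Leave this at 0 unless
-- the row uses ipsecPropProto esp-ah(3) so that AH supplies integrity.
ipsecPropEspNoMac OBJECT-TYPE
    SYNTAX  INTEGER (0..3)
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION "This object specifies whether ESP without authentication is allowed in the proposal. Possible values: 0, -- disables ESP without authentication 1..3 -- enables ESP without authentication and specifies its priority among the other authentication algorithms enabled for ESP."
    ::= { ipsecProposalEntry 52 }

-- AH integrity algorithms.
ipsecPropAhMd5 OBJECT-TYPE
    SYNTAX  INTEGER (0..2)
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION "This object specifies the use of the MD5 authentication algorithm for AH in the proposal. Possible values: 0, -- disables MD5 1..2 -- enables MD5 and specifies its priority among the authentication algorithms."
    ::= { ipsecProposalEntry 60 }

ipsecPropAhSha1 OBJECT-TYPE
    SYNTAX  INTEGER (0..2)
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION "This object specifies the use of the Sha1 authentication algorithm for AH in the proposal. Possible values: 0, -- disables SHA-1 1..2 -- enables SHA-1 and specifies its priority among the authentication algorithms."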
::= { ipsecProposalEntry 61 } ipsecPropIpcompDeflate OBJECT-TYPE SYNTAX INTEGER (0..1) ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the use of the DEFLATE compression algorithm in the proposal. Possible values: 0, -- disables DEFLATE 1..1 -- enables DEFLATE and specifies its priority among the compression algorithms." ::= { ipsecProposalEntry 70 } -- End IPSec Proposal Table -- IPSec Life Time Table ipsecLifeTimeTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecLifeTimeEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains the list of defined lifetimes for IPsec and IKE SAs." ::= { ipsec 9 } ipsecLifeTimeEntry OBJECT-TYPE SYNTAX IpsecLifeTimeEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains a lifetime, i.e. the soft and hard expiry limits for IPsec and IKE SA's." INDEX { ipsecLifeType } ::= { ipsecLifeTimeTable 1 } IpsecLifeTimeEntry ::= SEQUENCE { ipsecLifeIndex INTEGER, ipsecLifeType INTEGER, ipsecLifeSoftKb INTEGER, ipsecLifeSoftSec INTEGER, ipsecLifeHardKb INTEGER, ipsecLifeHardSec INTEGER } ipsecLifeIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "A unique index identifying this entry." ::= { ipsecLifeTimeEntry 1 } ipsecLifeType OBJECT-TYPE SYNTAX INTEGER { delete(1), -- Delete this entry generic(2) } ACCESS read-write STATUS mandatory DESCRIPTION "This object specifies the type of a lifetime entry." ::= { ipsecLifeTimeEntry 2 } ipsecLifeSoftKb OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The maximum amount of data (in KB) which may be protected by an SA before it is refreshed." ::= { ipsecLifeTimeEntry 3 } ipsecLifeSoftSec OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The maximum time (in seconds) after which an SA will be refreshed,." 
::= { ipsecLifeTimeEntry 4 } ipsecLifeHardKb OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The maximum amount of data (in KB) which may be protected by an SA before it is deleted." ::= { ipsecLifeTimeEntry 5 } ipsecLifeHardSec OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "The maximum time (in seconds) after which an SA will be refreshed,." ::= { ipsecLifeTimeEntry 6 } -- End IPSec Life Time Table -- IPSec global statistics Table ipsecStats OBJECT IDENTIFIER ::= { ipsec 10 } --Static table containing global IPSec statistics ipsecStatsCurrentIkeSas OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Current number of IKE SA's." ::= { ipsecStats 1 } ipsecStatsCurrentIpsecSas OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Current number of IPSec SA's." ::= { ipsecStats 2 } ipsecStatsIp OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of IP packets processed." ::= { ipsecStats 3 } ipsecStatsNonIp OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of non-IP packets processed." ::= { ipsecStats 4 } ipsecStatsAh OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of AH packets processed." ::= { ipsecStats 5 } ipsecStatsEsp OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of ESP packets processed." ::= { ipsecStats 6 } ipsecStatsDrop OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of packets dropped." ::= { ipsecStats 7 } ipsecStatsPass OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of packets passed plain." ::= { ipsecStats 8 } ipsecStatsTrig OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "Number of packets which triggered an IKE negotiation." 
::= { ipsecStats 9 }

-- Reassembly state currently held. Reassembly consumes device memory, so
-- these three are worth a threshold alert: sustained growth points at a
-- fragment flood or at a peer that never sends the first fragment.
ipsecStatsFragPkt OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Number of partial packets currently being reassembled."
    ::= { ipsecStats 10 }

ipsecStatsFragBytes OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Total size of the partial packets currently being reassembled."
    ::= { ipsecStats 11 }

ipsecStatsFragNonfirst OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Number of non-first fragments currently queued."
    ::= { ipsecStats 12 }

-- Receive-side error counters. For detection purposes: AuthErrors and
-- ReplayErrors rising on an otherwise healthy tunnel suggest tampering with
-- or replay of ESP/AH traffic; UnknownSpiErrors suggest SA desynchronisation
-- after a peer restart or probing with forged SPIs; PolicyErrors suggest
-- packets that arrived protected but did not match the policy they were
-- expected under. Baseline them and alert on rate changes, not on absolute
-- values.
ipsecStatsDecryptErrors OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Number of decryption errors."
    ::= { ipsecStats 13 }

ipsecStatsAuthErrors OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Number of authentication errors."
    ::= { ipsecStats 14 }

ipsecStatsReplayErrors OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Number of replay errors."
    ::= { ipsecStats 15 }

ipsecStatsPolicyErrors OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Number of policy errors."
    ::= { ipsecStats 16 }

ipsecStatsOtherErrors OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Number of other receive errors."
    ::= { ipsecStats 17 }

ipsecStatsSendErrors OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Number of send errors."
    ::= { ipsecStats 18 }

ipsecStatsUnknownSpiErrors OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Number of unknown SPI errors."
    ::= { ipsecStats 19 }

-- IKE negotiation totals. A high ratio of failed to performed phase-1
-- negotiations is the usual signature of a credential or proposal mismatch,
-- or of IKE scanning / brute-force attempts against the device.
ipsecStatsIkeNumP1 OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of IKE phase-1 negotiations performed. "
    ::= { ipsecStats 20 }

ipsecStatsIkeNumFailedP1 OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of failed IKE phase-1 negotiations."
    ::= { ipsecStats 21 }

ipsecStatsIkeNumQm OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of IKE quick-mode negotiations performed. "
    ::= { ipsecStats 22 }

ipsecStatsIkeNumFailedQm OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of failed IKE quick-mode negotiations. "
    ::= { ipsecStats 23 }

-- SA inventory per protocol: Current* are live SAs, Total* are cumulative
-- since boot. The Current* values should add up to ipsecStatsCurrentIpsecSas
-- (presumably; confirm whether IPComp SAs are included in that total).
ipsecStatsEspCurrentInbound OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of active inbound ESP SAs."
    ::= { ipsecStats 24 }

ipsecStatsEspTotalInbound OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of inbound ESP SAs since the system was started."
    ::= { ipsecStats 25 }

ipsecStatsEspCurrentOutbound OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of active outbound ESP SAs."
    ::= { ipsecStats 26 }

ipsecStatsEspTotalOutbound OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of outbound ESP SAs since the system was started."
    ::= { ipsecStats 27 }

ipsecStatsAhCurrentInbound OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of active inbound AH SAs."
    ::= { ipsecStats 28 }

ipsecStatsAhTotalInbound OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of inbound AH S since the system was started."
    ::= { ipsecStats 29 }

ipsecStatsAhCurrentOutbound OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of active outbound AH SAs."
    ::= { ipsecStats 30 }

ipsecStatsAhTotalOutbound OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of outbound AH SAs since the system was started."
    ::= { ipsecStats 31 }

ipsecStatsIpcompCurrentInbound OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The number of active inbound IPComp SAs."
::= { ipsecStats 32 } ipsecStatsIpcompTotalInbound OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of inbound IPComp SAs since the system was started." ::= { ipsecStats 33 } ipsecStatsIpcompCurrentOutbound OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of active outbound IPComp SAs." ::= { ipsecStats 34 } ipsecStatsIpcompTotalOutbound OBJECT-TYPE SYNTAX INTEGER ACCESS read-only STATUS mandatory DESCRIPTION "The number of outbound IPComp SAs since the system was started." ::= { ipsecStats 35 } -- IPSec Dial Table
ipsecDialTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecDialEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This table contains dial entries specifying all parameters needed for ISDN-triggered call back." ::= { ipsec 12 } ipsecDialEntry OBJECT-TYPE SYNTAX IpsecDialEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "This object contains a dial entry used for mapping ISDN numbers to peers for the ISDN call back feature." INDEX { ipsecDialIfIndex } ::= { ipsecDialTable 1 } IpsecDialEntry ::= SEQUENCE { ipsecDialIfIndex INTEGER, ipsecDialDirection INTEGER, ipsecDialNumber DisplayString, ipsecDialSubAddress OCTET STRING, ipsecDialTypeOfSubAddr INTEGER, ipsecDialLocalNumber DisplayString, ipsecDialLocalSubAddress OCTET STRING, ipsecDialTypeOfLocalSubAddr INTEGER, ipsecDialAdminStatus INTEGER, ipsecDialOperStatus INTEGER } ipsecDialIfIndex OBJECT-TYPE SYNTAX INTEGER ACCESS read-write STATUS mandatory DESCRIPTION "Index that maps uniquely to a peer." ::= { ipsecDialEntry 1 } ipsecDialDirection OBJECT-TYPE SYNTAX INTEGER { incoming(1), outgoing(2), both(3), delete(4) } ACCESS read-write STATUS mandatory DESCRIPTION "Calling direction for which the entry applies." ::= { ipsecDialEntry 2 } ipsecDialNumber OBJECT-TYPE SYNTAX DisplayString (SIZE(0..63)) ACCESS read-write STATUS mandatory DESCRIPTION "Party number of remote peer. 
Used for matching calling party number on incoming calls and for called party number on outgoing calls." ::= { ipsecDialEntry 3 } ipsecDialSubAddress OBJECT-TYPE SYNTAX OCTET STRING ACCESS read-write STATUS mandatory DESCRIPTION "Subaddress of remote peer. Used for matching calling party subaddress on incoming calls and for called party subaddress on outgoing calls." ::= { ipsecDialEntry 4 } ipsecDialTypeOfSubAddr OBJECT-TYPE SYNTAX INTEGER { nsap(1), user-specified(2), reserved(3) } ACCESS read-write STATUS mandatory DESCRIPTION "Type of subaddress of remote peer. Used for matching calling party subaddress on incoming calls and for called party subaddress on outgoing calls." ::= { ipsecDialEntry 5 } ipsecDialLocalNumber OBJECT-TYPE SYNTAX DisplayString (SIZE(0..63)) ACCESS read-write STATUS mandatory DESCRIPTION "Local Party number. Used for matching called party number on incoming calls and for calling party number on outgoing calls. Special value '*' is treated as wildcard, i.e. calls with any called party number will be accepted. Default value is '*'." ::= { ipsecDialEntry 6 } ipsecDialLocalSubAddress OBJECT-TYPE SYNTAX OCTET STRING ACCESS read-write STATUS mandatory DESCRIPTION "Local subaddress. Used for matching called party subaddress on incoming calls and for calling party subaddress on outgoing calls. Special value '*' is treated as wildcard, i.e. calls with any called party subaddress (of arbitrary type) will be accepted. Default value is '*'." ::= { ipsecDialEntry 7 } ipsecDialTypeOfLocalSubAddr OBJECT-TYPE SYNTAX INTEGER { nsap(1), user-specified(2), reserved(3) } ACCESS read-write STATUS mandatory DESCRIPTION "Type of local subaddress. Used for matching called party subaddress on incoming calls and for calling party subaddress on outgoing calls. Subaddress type is only checked as long as subaddress is not '*'. Default value is nsap." 
::= { ipsecDialEntry 8 } ipsecDialAdminStatus OBJECT-TYPE SYNTAX INTEGER { active(1), inactive(2) } ACCESS read-write STATUS mandatory DESCRIPTION "Administrative status for the dial entry. This object allows ipsecDial entries to be disabled temporarily without the need to actually delete them. This is achieved by assigning the value inactive. Default value is active." ::= { ipsecDialEntry 9 } ipsecDialOperStatus OBJECT-TYPE SYNTAX INTEGER { active(1), inactive(2), blocked-for-outgoing(3) } ACCESS read-only STATUS mandatory DESCRIPTION "Operational status for the dial entry. This object indicates the current status of the ipsecDial entry. Besides the values defined for ipsecDialAdminStatus, the status blocked-for-outgoing is defined; it is used when a triggered call back resulted in a cost-generating connected call, to avoid unpredictably high phone bills." ::= { ipsecDialEntry 10 } -- End IPSec Dial Table
END
-- of BIANCA-BRICK-IPSEC-MIB definitions