--===========================================================================
-- Copyright (C) 2000 Paradyne Corporation
--
PDN-IPSEC-MANUAL-MIB DEFINITIONS ::= BEGIN

IMPORTS
    Integer32, IpAddress, OBJECT-TYPE, MODULE-IDENTITY
        FROM SNMPv2-SMI
    OBJECT-GROUP
        FROM SNMPv2-CONF
    pdn-common
        FROM PDN-HEADER-MIB
    RowStatus, DisplayString
        FROM SNMPv2-TC ;

pdnIPSec MODULE-IDENTITY
    LAST-UPDATED "0201190000Z"
    ORGANIZATION "Paradyne Corporation MIB Working Group"
    CONTACT-INFO
        "Paradyne Corporation
         8545 126th Avenue North
         Largo, FL 33733
         www.paradyne.com

         General Comments to: mibwg_team@paradyne.com

         Editors
         Dragana Gough"
    DESCRIPTION
        "This MIB contains objects that are used to configure VPN IPsec
         manual keys."
    REVISION "0201190000Z"
    DESCRIPTION
        "Initial Release"
    ::= { pdn-common 34 }

-- VPN/IPSEC MIB
-- This MIB is designed to configure IPsec for use in the VPN management stack.
--
-- NOTE(review): this module writes raw symmetric IPsec keys through
-- read-create objects (pdnUsrConfigIpSecKey and the
-- pdnIPSecConnectionIPSec*Key columns). SNMPv1/v2c offers no
-- confidentiality, so any SET of those objects over v1/v2c puts the key
-- on the wire in clear text, protected only by the community string.
-- Use SNMPv3 authPriv for every write to this module, and expect the
-- agent to return a zero-length string when those objects are read.
--
--        Speedway                                PC
--   ________________                     __________________
--  |                |                    |                  |
--  | 135.26.21.101  |        135.92.250.1|                  |
--  |                |*___________________*                  |
--  |   10.10.10.1 ->*                    *<- 64.35.10.1     |
--  |                |____________________|                  |
--  |________________|                    |__________________|
--
-- (layout reconstructed from a collapsed original; the addresses are
--  example values, not defaults)
--
-- VPN TUNNEL IP Address 135.26.21.101        NIC IP ADDR 64.35.10.1
--   GATEWAY(135.26.21.254)                   GATEWAY( 64.35.10.1)
--
-- MANAGEMENT IP Address 10.10.10.1
--   GATEWAY(10.10.10.254)                    TUNNEL, ESP, SHA-1, DES
--
-- DIRECTION                                  TUNNEL SOURCE IP - 135.92.250.1
-- IN   TUNNEL, ESP, SHA-1, DES               TUNNEL DESTINATION IP - 135.26.21.101
-- OUT  TUNNEL, ESP, SHA-1, DES               INNER DESTINATION IP - 10.10.10.1
--
-- TUNNEL SOURCE IP - (135.26.21.101)
-- TUNNEL DESTINATION IP - (135.92.250.1)
-- INNER DESTINATION IP - (64.35.10.1)
-- IN SPI (ESP)                               IN SPI (ESP)
-- OUT SPI (ESP)                              OUT SPI (ESP)
--
-- MORE INFORMATION ON IPsec manual key configuration
-- can be found in RFC2709 and RFC2401.
-- The user can configure generic parameters and use them
-- without reconfiguring them for each connection.
-- An SPI has to be configured for each connection.
-- Using the first table in the MIB, pdnUsrConfigIpSecKeyTable, the user
-- configures which key will be used for each transform (ah, esp; the
-- original text also lists comp, but no comp transform is defined by this
-- module's transform enumerations), each algorithm (hmacmd5(1),
-- hmacsha1(2), cbcdes(3), cbc3des(4), null(5)) and each direction.
-- In the next table, pdnUsrIpSecKeySetupTable, the user specifies
-- globally which algorithm (hmacmd5, hmacsha1, cbcdes, cbc3des, null)
-- will be used for each transform (ah, esp) and in each direction.
-- Note that pdnUsrIpSecKeySetupAlg is a BITS object whose bit positions
-- are 0..4, not the 1..5 enumeration used by pdnUsrConfigIpSecKeyAlg.
-- These global settings are used as configured here unless the user
-- reconfigures them in pdnIPSecConnectionTable (for each connection).
-- pdnIPSecSPDTable is used to set up the Security Policy Database.
-- There is one SPD per system.
-- pdnUsrIpSecKeySetupTable contains most of the objects that
-- can be preconfigured in advance or can be
-- changed here to apply to the connection that is being configured.
-- pdnIPSecConnectionRemoteHostAddress,
-- pdnIPSecConnectionTunnelEndpointLocalIpAddr,
-- pdnIPSecConnectionTunnelEndpointLocalIpMask,
-- pdnIPSecConnectionTunnelEndpointRemoteIpAddr and
-- pdnIPSecConnectionTunnelEndpointRemoteIpMask are
-- IP addresses that have to be configured for each connection.
-- pdnIPSecConnectionIPSecAHInboundSPI,
-- pdnIPSecConnectionIPSecAHOutboundSPI,
-- pdnIPSecConnectionIPSecESPInboundSPI and
-- pdnIPSecConnectionIPSecESPOutboundSPI
-- have to be unique for each connection. If those objects
-- are not supplied by the user, the system will create one
-- for each of those objects for each connection.
--
-- TO CONFIGURE IPSEC MANUAL KEYS THE USER SHOULD FOLLOW THIS PROCEDURE:
--
-- 1) Configure all global parameters that can be used across all connections:
--      pdnUsrConfigIPSecInboundAntiReplay
--      pdnUsrConfigIPSecOutboundAntiReplay
--      pdnUsrConfigLocalTunnelEndpointIPAddr
--
--    Configure keys using pdnUsrConfigIpSecKeyTable
--    (each key should be configured for the ah and esp transforms,
--    inbound and outbound direction, and all 5 algorithms).
--    The keys are secrets: set them only over an authenticated and
--    encrypted management session (SNMPv3 authPriv); SNMPv1/v2c carries
--    them in clear text.
--
--    Configure algorithms using pdnUsrIpSecKeySetupTable
--    (each algorithm should be configured for the ah and esp transforms and
--    inbound and outbound direction).
--
--    Create the Security Policy Database entries that will be applied
--    to each packet reaching the system. This is done using
--    pdnIPSecSPDTable. pdnIPSecSPDEntryAction specifies the action to be
--    taken on each matching packet (apply IPsec, bypass it, or discard it).
--    The policies created are applied to the packets whose addresses
--    match the entry, so this table is consulted once the
--    connection is established.
--
-- 2) Configure each connection.
--    This is done using pdnIPSecConnectionTable.
--      pdnIPSecConnectionRemoteHostAddress
--      pdnIPSecConnectionTunnelEndpointLocalIpAddr
--      pdnIPSecConnectionTunnelEndpointLocalIpMask
--      pdnIPSecConnectionTunnelEndpointRemoteIpAddr
--      pdnIPSecConnectionTunnelEndpointRemoteIpMask
--    are IP addresses that have to be configured for each connection in
--    this table.
--
--    All the other objects can be left unset, in which case the
--    objects set up in step one are used.
--
--    Also pdnIPSecConnectionIPSecAHInboundSPI,
--    pdnIPSecConnectionIPSecAHOutboundSPI,
--    pdnIPSecConnectionIPSecESPInboundSPI and
--    pdnIPSecConnectionIPSecESPOutboundSPI have to be
--    unique for each connection. If those objects
--    are not supplied by the user in this table, the system will create
--    one for each of those objects for each connection.
--
pdnVpnConfig             OBJECT IDENTIFIER ::= { pdnIPSec 1 }
pdnVpnConfigGroups       OBJECT IDENTIFIER ::= { pdnVpnConfig 1 }
pdnIPSecConfig           OBJECT IDENTIFIER ::= { pdnVpnConfigGroups 1 }
pdnIPSecConfigGroups     OBJECT IDENTIFIER ::= { pdnIPSecConfig 1 }
pdnIPSecKeyConfig        OBJECT IDENTIFIER ::= { pdnIPSecConfigGroups 1 }
pdnIPSecSPDConfig        OBJECT IDENTIFIER ::= { pdnIPSecConfigGroups 2 }
pdnIPSecConnectionConfig OBJECT IDENTIFIER ::= { pdnIPSecConfigGroups 3 }

-- IPsec configuration
--
-- NOTE(review): none of the scalars below declares a DEFVAL, so the
-- initial state (IPsec on or off, anti-replay on or off) is whatever the
-- agent chooses. Confirm that the agent starts with anti-replay enabled;
-- a disabled anti-replay window leaves inbound AH/ESP open to replayed
-- packets.

pdnUsrConfigIPSec OBJECT-TYPE
    SYNTAX      INTEGER { enable (1), disable (2) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object is used to enable/disable ipsec. This is the global
         switch for the whole module; when disabled no SPD entry or
         connection configured below is enforced."
    ::= { pdnVpnConfig 2 }

pdnUsrConfigIPSecInboundAntiReplay OBJECT-TYPE
    SYNTAX      INTEGER { enable (1), disable (2) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object is used to enable/disable inbound anti replay.
         It is the global setting; pdnIPSecConnectionAntiReplay, when
         configured, overrides it for a specific connection."
    ::= { pdnIPSecConfig 2 }

pdnUsrConfigIPSecOutboundAntiReplay OBJECT-TYPE
    SYNTAX      INTEGER { enable (1), disable (2) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object is used to enable/disable outbound anti replay.
         It is the global setting; pdnIPSecConnectionAntiReplay, when
         configured, overrides it for a specific connection."
    ::= { pdnIPSecConfig 3 }

pdnUsrConfigLocalTunnelEndpointIPAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object is used to configure the IP address of the local
         tunnel endpoint. It is the global value used when
         pdnIPSecConnectionTunnelEndpointLocalIpAddr is not set for a
         connection."
    ::= { pdnIPSecConfig 4 }

-- IPsec global key configuration table
--
-- NOTE(review): pdnUsrConfigIpSecKey holds the raw symmetric key and is
-- MAX-ACCESS read-create, so nothing in the SYNTAX stops a GET or a MIB
-- walk from returning it. The agent should treat the column as
-- write-only (return a zero-length string on read), and managers should
-- only SET it over an authenticated and encrypted transport (SNMPv3
-- authPriv). Over SNMPv1/v2c the key crosses the network in clear text
-- and is guarded only by the community string.

pdnUsrConfigIpSecKeyTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PdnUsrConfigIpSecKeyTableEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is used to configure the global IPsec keys. One row
         exists per (transform, direction, algorithm) triple; the row
         supplies the key used by every connection that does not carry
         its own key in pdnIPSecConnectionTable."
    ::= { pdnIPSecKeyConfig 1 }

pdnUsrConfigIpSecKeyTableEntry OBJECT-TYPE
    SYNTAX      PdnUsrConfigIpSecKeyTableEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The Device ip sec key configuration table entry."
    INDEX { pdnUsrConfigIpSecKeyTransform,
            pdnUsrConfigIpSecKeyDirection,
            pdnUsrConfigIpSecKeyAlg }
    ::= { pdnUsrConfigIpSecKeyTable 1 }

PdnUsrConfigIpSecKeyTableEntry ::= SEQUENCE {
    pdnUsrConfigIpSecKeyTransform   INTEGER,
    pdnUsrConfigIpSecKeyDirection   INTEGER,
    pdnUsrConfigIpSecKeyAlg         INTEGER,
    pdnUsrConfigIpSecKey            OCTET STRING,
    pdnUsrConfigIpSecKeyMaxLen      Integer32
}

-- NOTE(review): the transform codes differ between tables in this
-- module: here esp(1)/ah(2), in pdnUsrIpSecKeySetupTransform ah(1)/esp(2),
-- in pdnIPSecConnectionTransform esp(1)/ah(2). They cannot be changed
-- without breaking deployed agents, so a manager must never copy a code
-- from one object into another.
pdnUsrConfigIpSecKeyTransform OBJECT-TYPE
    SYNTAX      INTEGER { esp(1), ah(2) }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object is used to configure transform for the connection.
         Index column: esp(1) or ah(2)."
    ::= { pdnUsrConfigIpSecKeyTableEntry 1 }

pdnUsrConfigIpSecKeyDirection OBJECT-TYPE
    SYNTAX      INTEGER { inbound(1), outbound(2) }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object is used to configure direction. Index column."
    ::= { pdnUsrConfigIpSecKeyTableEntry 2 }

-- NOTE(review): hmacmd5(1) and single DES cbcdes(3) are weak by current
-- standards and should not be selected for new deployments; hmacsha1(2)
-- with cbc3des(4) is the strongest combination this module can express.
-- null(5) used as the ESP encryption algorithm gives integrity only,
-- with no confidentiality for the payload.
pdnUsrConfigIpSecKeyAlg OBJECT-TYPE
    SYNTAX      INTEGER { hmacmd5(1), hmacsha1(2), cbcdes(3), cbc3des(4), null(5) }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object is used to configure algorithm. Index column.
         hmacmd5(1) and hmacsha1(2) are authentication algorithms;
         cbcdes(3), cbc3des(4) and null(5) are ESP encryption algorithms.
         The numbering differs from the bit positions of
         pdnUsrIpSecKeySetupAlg (0..4) and from the enumerations of the
         pdnIPSecConnectionIPSecESP*EncryptionAlg objects (1..3)."
    ::= { pdnUsrConfigIpSecKeyTableEntry 3 }

-- NOTE(review): SIZE(0) is only meaningful together with null(5). The
-- SYNTAX alone does not stop an empty HMAC or DES key from being set;
-- the agent should reject a zero-length value for any other algorithm
-- (wrongValue) rather than install an SA with an empty key. The
-- remaining lengths presumably map one per algorithm (8 octets DES,
-- 16 HMAC-MD5, 20 HMAC-SHA1, 24 3DES); pdnUsrConfigIpSecKeyMaxLen
-- reports the agent's view, so check it before writing.
pdnUsrConfigIpSecKey OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0 | 8 | 16 | 20 | 24))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the key (authentication key or
         encryption key, depending on pdnUsrConfigIpSecKeyAlg) for a
         specific transform, direction and algorithm. The value is
         secret; an agent should not reveal it on read and a manager
         should only write it over an encrypted SNMPv3 session."
    ::= { pdnUsrConfigIpSecKeyTableEntry 4 }

pdnUsrConfigIpSecKeyMaxLen OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object reports the maximum length, in octets, that the
         agent accepts for pdnUsrConfigIpSecKey in this row."
    ::= { pdnUsrConfigIpSecKeyTableEntry 5 }

-- IPsec global algorithm setup table

pdnUsrIpSecKeySetupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PdnUsrIpSecKeySetupTableEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is used to select, globally, the algorithm used for
         each transform and direction. The selection is used by every
         connection that does not override it in pdnIPSecConnectionTable."
    ::= { pdnIPSecKeyConfig 2 }

pdnUsrIpSecKeySetupTableEntry OBJECT-TYPE
    SYNTAX      PdnUsrIpSecKeySetupTableEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The Device ip sec key setup table entry."
    INDEX { pdnUsrIpSecKeySetupTransform,
            pdnUsrIpSecKeySetupDirection }
    ::= { pdnUsrIpSecKeySetupTable 1 }

PdnUsrIpSecKeySetupTableEntry ::= SEQUENCE {
    pdnUsrIpSecKeySetupTransform    INTEGER,
    pdnUsrIpSecKeySetupDirection    INTEGER,
    pdnUsrIpSecKeySetupAlg          BITS
}

-- NOTE(review): ah(1)/esp(2) here, the reverse of
-- pdnUsrConfigIpSecKeyTransform (esp(1)/ah(2)).
pdnUsrIpSecKeySetupTransform OBJECT-TYPE
    SYNTAX      INTEGER { ah(1), esp(2) }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object is used to configure transform. Index column:
         ah(1) or esp(2)."
    ::= { pdnUsrIpSecKeySetupTableEntry 1 }

pdnUsrIpSecKeySetupDirection OBJECT-TYPE
    SYNTAX      INTEGER { inbound(1), outbound(2) }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object is used to configure direction. Index column."
    ::= { pdnUsrIpSecKeySetupTableEntry 2 }

-- NOTE(review): this is a BITS object, so a manager can set several
-- bits at once (for example both hmacmd5(0) and hmacsha1(1), or two
-- encryption bits). The description does not define what the agent
-- does in that case; confirm that it rejects the SET (wrongValue) rather
-- than silently picking one.
pdnUsrIpSecKeySetupAlg OBJECT-TYPE
    SYNTAX      BITS { hmacmd5(0), hmacsha1(1), cbcdes(2), cbc3des(3), null(4) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object selects the algorithm(s) for the transform and
         direction identified by this row. If pdnUsrIpSecKeySetupTransform
         is ah(1), the only valid bits are hmacmd5(0) and hmacsha1(1).
         If it is esp(2), hmacmd5(0) or hmacsha1(1) selects the ESP
         authentication algorithm, and cbcdes(2), cbc3des(3) or null(4)
         selects the ESP encryption algorithm. The bit positions (0..4)
         are not the enumerated values used by pdnUsrConfigIpSecKeyAlg
         (1..5)."
    ::= { pdnUsrIpSecKeySetupTableEntry 3 }

-- Security Policy Database
--
-- NOTE(review): the SPD decides which traffic is protected at all. An
-- entry with pdnIPSecSPDEntryAction bypass(2) and 'any' for both
-- addresses lets matching traffic leave in the clear, and whether it
-- shadows an apply(1) entry depends on pdnIPSecSPDEntryPriority, whose
-- sort direction is not spelled out below. Audit the ordered table, not
-- just individual rows.

pdnIPSecSPDTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PdnIPSecSPDTableEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is used to configure the security policy database.
         There is one SPD per system."
    ::= { pdnIPSecSPDConfig 1 }

pdnIPSecSPDTableEntry OBJECT-TYPE
    SYNTAX      PdnIPSecSPDTableEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The Device security policy database entry."
    INDEX { pdnIPSecSPDEntryIndex }
    ::= { pdnIPSecSPDTable 1 }

PdnIPSecSPDTableEntry ::= SEQUENCE {
    pdnIPSecSPDEntryIndex               Integer32,
    pdnIPSecSPDEntryName                DisplayString (SIZE(1..255)),
    pdnIPSecSPDEntryPriority            Integer32,
    pdnIPSecSPDEntryPolicyMode          INTEGER,
    pdnIPSecSPDEntryLocalIp             DisplayString,
    pdnIPSecSPDEntryRemoteIp            DisplayString,
    pdnIPSecSPDEntryTransportProtocol   INTEGER,
    pdnIPSecSPDEntryLocalPort           Integer32,
    pdnIPSecSPDEntryRemotePort          Integer32,
    pdnIPSecSPDEntryDirection           INTEGER,
    pdnIPSecSPDEntryAction              INTEGER,
    pdnIPSecSPDEntryTunnelEndpointIp    IpAddress,
    pdnIPSecSPDEntryRowStatus           RowStatus
}

pdnIPSecSPDEntryIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object is used by pdnIPSecSPDTable to identify the row of
         this table. When creating a new row in the table the value of
         this object may be obtained by retrieving the value of
         pdnIPSecSPDEntryIndexNext."
    ::= { pdnIPSecSPDTableEntry 1 }

pdnIPSecSPDEntryName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(1..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the SPD entry's name."
    ::= { pdnIPSecSPDTableEntry 2 }

-- NOTE(review): 'increasing order of priority' does not say whether the
-- lowest or the highest number is matched first; confirm with the agent
-- and document it, since the order decides which action wins when a
-- bypass(2) and an apply(1) entry overlap. Ties are also undefined.
pdnIPSecSPDEntryPriority OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Internally the table will be sorted based on this object, in
         increasing order of priority. The table lookups will be done on
         the sorted table, so the first matching entry determines the
         action taken."
    ::= { pdnIPSecSPDTableEntry 3 }

pdnIPSecSPDEntryPolicyMode OBJECT-TYPE
    SYNTAX      INTEGER { tunnel(1), transport(2), nonIpsecMode(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the policy mode. For a more
         detailed description of tunnel, transport and nonIpsecMode refer
         to RFC2709 (and RFC2401 for the definition of tunnel and
         transport mode)."
    ::= { pdnIPSecSPDTableEntry 4 }

-- NOTE(review): the address selectors are free-form DisplayStrings that
-- the agent must parse (host, range, address:mask, or 'any'). An
-- unparsable value must be rejected with wrongValue; it must never be
-- treated as 'any', which would silently widen the policy. The TC bounds
-- the string at 255 octets, which is the only length check the SYNTAX
-- gives the parser.
pdnIPSecSPDEntryLocalIp OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the local host IP address, a
         range of addresses or an address/mask pair. The syntax is
           xxx.xxx.xxx.xxx                   for a host IP,
           xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy   for a range of IP addresses,
           xxx.xxx.xxx.xxx:xxx.xxx.000.000   for an ipaddress/mask pair.
         If 'any' is specified all IP addresses are allowed."
    ::= { pdnIPSecSPDTableEntry 5 }

pdnIPSecSPDEntryRemoteIp OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the remote host IP address, a
         range of addresses or an address/mask pair. The syntax is
           xxx.xxx.xxx.xxx                   for a host IP,
           xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy   for a range of IP addresses,
           xxx.xxx.xxx.xxx:xxx.xxx.000.000   for an ipaddress/mask pair.
         If 'any' is specified all IP addresses are allowed."
    ::= { pdnIPSecSPDTableEntry 6 }

pdnIPSecSPDEntryTransportProtocol OBJECT-TYPE
    SYNTAX      INTEGER { tcp(1), udp(2), icmp(3), igmp(4), ipInIpv4(5),
                          ipInIpv6(6), esp(7), ah(8), ospf(9), any(10) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the transport protocol this
         entry matches; any(10) matches every protocol."
    ::= { pdnIPSecSPDTableEntry 7 }

-- NOTE(review): Integer32 carries no range; the agent must reject values
-- outside 0..65535. Ports are only meaningful for tcp(1)/udp(2); the
-- behaviour of a non-zero port with another protocol is not defined here.
pdnIPSecSPDEntryLocalPort OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the local port. A value of
         zero is used as a wildcard."
    ::= { pdnIPSecSPDTableEntry 8 }

pdnIPSecSPDEntryRemotePort OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the remote port. A value of
         zero is used as a wildcard."
    ::= { pdnIPSecSPDTableEntry 9 }

pdnIPSecSPDEntryDirection OBJECT-TYPE
    SYNTAX      INTEGER { inbound(1), outbound(2), inboundOutbound(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the traffic direction this
         entry applies to."
    ::= { pdnIPSecSPDTableEntry 10 }

pdnIPSecSPDEntryAction OBJECT-TYPE
    SYNTAX      INTEGER { apply(1), bypass(2), discard(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the action taken on matching
         packets: apply(1) protects them with IPsec, bypass(2) forwards
         them without IPsec (in the clear), discard(3) drops them."
    ::= { pdnIPSecSPDTableEntry 11 }

pdnIPSecSPDEntryTunnelEndpointIp OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the tunnel endpoint IP address;
         it is only applicable when pdnIPSecSPDEntryPolicyMode is
         tunnel(1)."
    ::= { pdnIPSecSPDTableEntry 12 }

pdnIPSecSPDEntryRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to add/delete a row in this table."
    ::= { pdnIPSecSPDTableEntry 13 }

-- NOTE(review): the agent advances this value after each read, so two
-- managers reading it concurrently may still receive the same index; the
-- agent must reject the second row creation (inconsistentValue) instead
-- of overwriting the first. There is no TestAndIncr guard in this module.
pdnIPSecSPDEntryIndexNext OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object contains an appropriate value to be used for
         pdnIPSecSPDTable. The value 0 indicates that no unassigned
         entries are available. To obtain a pdnIPSecSPDEntryIndex value
         for a new entry the manager issues a management protocol
         retrieval operation to obtain the current value of this object.
         After each retrieval, the agent should modify the value to the
         next unassigned index."
    ::= { pdnIPSecSPDConfig 2 }

-- Security policy associated with each connection
--
-- NOTE(review): the six pdnIPSecConnectionIPSec*Key columns are raw
-- keys with MAX-ACCESS read-create; the same handling as
-- pdnUsrConfigIpSecKey applies (write-only on the agent side, SNMPv3
-- authPriv on the manager side). The algorithm enumerations in this
-- table (hmacmd5(1)/hmacsha1(2); cbcdes(1)/cbc3des(2)/null(3)) differ
-- from both pdnUsrConfigIpSecKeyAlg and pdnUsrIpSecKeySetupAlg.

pdnIPSecConnectionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PdnIPSecConnectionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is used to associate the security policy database
         with a connection. Each row describes one manually keyed
         connection; unset columns fall back to the global objects."
    ::= { pdnIPSecConnectionConfig 1 }

pdnIPSecConnectionEntry OBJECT-TYPE
    SYNTAX      PdnIPSecConnectionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The Device security policy database entry that associates a
         connection to a security policy."
    INDEX { pdnIPSecConnectionIndex }
    ::= { pdnIPSecConnectionTable 1 }

PdnIPSecConnectionEntry ::= SEQUENCE {
    pdnIPSecConnectionIndex                             Integer32,
    pdnIPSecConnectionMode                              INTEGER,
    pdnIPSecConnectionTransform                         INTEGER,
    pdnIPSecConnectionRemoteHostAddress                 DisplayString,
    pdnIPSecConnectionTunnelEndpointLocalIpAddr         IpAddress,
    pdnIPSecConnectionTunnelEndpointLocalIpMask         IpAddress,
    pdnIPSecConnectionTunnelEndpointRemoteIpAddr        IpAddress,
    pdnIPSecConnectionTunnelEndpointRemoteIpMask        IpAddress,
    pdnIPSecConnectionAntiReplay                        INTEGER,
    pdnIPSecConnectionIPSecAHInboundAuthenticationAlg   INTEGER,
    pdnIPSecConnectionIPSecAHOutboundAuthenticationAlg  INTEGER,
    pdnIPSecConnectionIPSecESPInboundAuthenticationAlg  INTEGER,
    pdnIPSecConnectionIPSecESPOutboundAuthenticationAlg INTEGER,
    pdnIPSecConnectionIPSecESPInboundEncryptionAlg      INTEGER,
    pdnIPSecConnectionIPSecESPOutboundEncryptionAlg     INTEGER,
    pdnIPSecConnectionIPSecAHInboundAuthenticationKey   OCTET STRING,
    pdnIPSecConnectionIPSecAHOutboundAuthenticationKey  OCTET STRING,
    pdnIPSecConnectionIPSecESPInboundAuthenticationKey  OCTET STRING,
    pdnIPSecConnectionIPSecESPOutboundAuthenticationKey OCTET STRING,
    pdnIPSecConnectionIPSecESPInboundEncryptionKey      OCTET STRING,
    pdnIPSecConnectionIPSecESPOutboundEncryptionKey     OCTET STRING,
    pdnIPSecConnectionIPSecAHInboundSPI                 Integer32,
    pdnIPSecConnectionIPSecAHOutboundSPI                Integer32,
    pdnIPSecConnectionIPSecESPInboundSPI                Integer32,
    pdnIPSecConnectionIPSecESPOutboundSPI               Integer32,
    pdnIPSecConnectionDirection                         INTEGER,
    pdnIPSecConnectionName                              DisplayString (SIZE(1..255)),
    pdnIPSecConnectionRowStatus                         RowStatus
}

pdnIPSecConnectionIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object is used by pdnIPSecConnectionTable to identify the
         row of this table. When creating a new row in the table the
         value of this object may be obtained by retrieving the value of
         pdnIPSecConnectionIndexNext."
    ::= { pdnIPSecConnectionEntry 1 }

pdnIPSecConnectionMode OBJECT-TYPE
    SYNTAX      INTEGER { tunnel(1), transport(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the IPsec mode of the
         connection."
    ::= { pdnIPSecConnectionEntry 2 }

-- NOTE(review): the fallback object named in the description,
-- pdnUsrConfigIpSecTransform, is not defined in this module. The only
-- transform objects here are the not-accessible index columns
-- pdnUsrConfigIpSecKeyTransform and pdnUsrIpSecKeySetupTransform, so
-- what the agent actually uses when this column is unset needs to be
-- confirmed against the implementation.
pdnIPSecConnectionTransform OBJECT-TYPE
    SYNTAX      INTEGER { esp(1), ah(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the transform for the
         connection. If this object is not configured then
         pdnUsrConfigIpSecTransform is used to determine whether the
         transform is esp(1) or ah(2). However, if the transform is
         configured in both places, pdnUsrConfigIpSecTransform and here,
         pdnIPSecConnectionTransform is used to determine which transform
         is being used for the specific connection."
    ::= { pdnIPSecConnectionEntry 3 }

-- NOTE(review): same free-form selector syntax as the SPD address
-- columns; malformed input must be rejected, not widened to 'any'.
pdnIPSecConnectionRemoteHostAddress OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the remote host IP address, a
         range of addresses or an address/mask pair. The syntax is
           xxx.xxx.xxx.xxx                   for a host IP,
           xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy   for a range of IP addresses,
           xxx.xxx.xxx.xxx:xxx.xxx.000.000   for an ipaddress/mask pair.
         'any' is a wildcard."
    ::= { pdnIPSecConnectionEntry 4 }

pdnIPSecConnectionTunnelEndpointLocalIpAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the tunnel local endpoint IP
         address."
    ::= { pdnIPSecConnectionEntry 5 }

pdnIPSecConnectionTunnelEndpointLocalIpMask OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the tunnel local endpoint IP
         mask."
    ::= { pdnIPSecConnectionEntry 6 }

pdnIPSecConnectionTunnelEndpointRemoteIpAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the tunnel remote endpoint IP
         address."
    ::= { pdnIPSecConnectionEntry 7 }

pdnIPSecConnectionTunnelEndpointRemoteIpMask OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the tunnel remote endpoint IP
         mask."
    ::= { pdnIPSecConnectionEntry 8 }

-- NOTE(review): this single column overrides both of the global
-- per-direction objects; there is no per-direction override at
-- connection level.
pdnIPSecConnectionAntiReplay OBJECT-TYPE
    SYNTAX      INTEGER { enable (1), disable (2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure anti replay for the connection.
         If this object is not configured, the global objects
         pdnUsrConfigIPSecInboundAntiReplay and
         pdnUsrConfigIPSecOutboundAntiReplay determine whether anti
         replay is enabled or disabled. If both are configured,
         pdnIPSecConnectionAntiReplay is used for the specified
         connection."
    ::= { pdnIPSecConnectionEntry 9 }

pdnIPSecConnectionIPSecAHInboundAuthenticationAlg OBJECT-TYPE
    SYNTAX      INTEGER { hmacmd5(1), hmacsha1(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the inbound AH authentication
         algorithm. If this object is not configured,
         pdnUsrIpSecKeySetupAlg from pdnUsrIpSecKeySetupTable is used to
         determine which algorithm will be used for the specified
         connection. In that case valid choices are hmacmd5(1) and
         hmacsha1(2). If both objects are set up,
         pdnIPSecConnectionIPSecAHInboundAuthenticationAlg is used to
         configure the algorithm for the specified connection."
    ::= { pdnIPSecConnectionEntry 10 }

pdnIPSecConnectionIPSecAHOutboundAuthenticationAlg OBJECT-TYPE
    SYNTAX      INTEGER { hmacmd5(1), hmacsha1(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the outbound AH authentication
         algorithm. If this object is not configured,
         pdnUsrIpSecKeySetupAlg from pdnUsrIpSecKeySetupTable is used to
         determine which algorithm will be used for the specified
         connection. In that case valid choices are hmacmd5(1) and
         hmacsha1(2). If both objects are set up,
         pdnIPSecConnectionIPSecAHOutboundAuthenticationAlg is used to
         configure the algorithm for the specified connection."
    ::= { pdnIPSecConnectionEntry 11 }

pdnIPSecConnectionIPSecESPInboundAuthenticationAlg OBJECT-TYPE
    SYNTAX      INTEGER { hmacmd5(1), hmacsha1(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the inbound ESP authentication
         algorithm. If this object is not configured,
         pdnUsrIpSecKeySetupAlg from pdnUsrIpSecKeySetupTable is used to
         determine which algorithm will be used for the specified
         connection. In that case valid choices are hmacmd5(1) and
         hmacsha1(2). If both objects are set up,
         pdnIPSecConnectionIPSecESPInboundAuthenticationAlg is used to
         configure the algorithm for the specified connection."
    ::= { pdnIPSecConnectionEntry 12 }

pdnIPSecConnectionIPSecESPOutboundAuthenticationAlg OBJECT-TYPE
    SYNTAX      INTEGER { hmacmd5(1), hmacsha1(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the outbound ESP authentication
         algorithm. If this object is not configured,
         pdnUsrIpSecKeySetupAlg from pdnUsrIpSecKeySetupTable is used to
         determine which algorithm will be used for the specified
         connection. In that case valid choices are hmacmd5(1) and
         hmacsha1(2). If both objects are set up,
         pdnIPSecConnectionIPSecESPOutboundAuthenticationAlg is used to
         configure the algorithm for the specified connection."
    ::= { pdnIPSecConnectionEntry 13 }

-- NOTE(review): cbcdes(1) is single DES and null(3) disables payload
-- encryption; prefer cbc3des(2). These codes are not the same numbers
-- as cbcdes(3)/cbc3des(4)/null(5) in pdnUsrConfigIpSecKeyAlg.
pdnIPSecConnectionIPSecESPInboundEncryptionAlg OBJECT-TYPE
    SYNTAX      INTEGER { cbcdes(1), cbc3des(2), null(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the inbound ESP encryption
         algorithm. If this object is not configured,
         pdnUsrIpSecKeySetupAlg from pdnUsrIpSecKeySetupTable is used to
         determine which algorithm will be used for the specific
         connection. In that case valid choices are cbcdes(1),
         cbc3des(2) and null(3). If both objects are configured,
         pdnIPSecConnectionIPSecESPInboundEncryptionAlg is used for the
         specified connection."
    ::= { pdnIPSecConnectionEntry 14 }

pdnIPSecConnectionIPSecESPOutboundEncryptionAlg OBJECT-TYPE
    SYNTAX      INTEGER { cbcdes(1), cbc3des(2), null(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the outbound ESP encryption
         algorithm. If this object is not configured,
         pdnUsrIpSecKeySetupAlg from pdnUsrIpSecKeySetupTable is used to
         determine which algorithm will be used for the specific
         connection. In that case valid choices are cbcdes(1),
         cbc3des(2) and null(3). If both objects are configured,
         pdnIPSecConnectionIPSecESPOutboundEncryptionAlg is used for the
         specified connection."
    ::= { pdnIPSecConnectionEntry 15 }

-- NOTE(review): the four authentication key columns accept only 16 or
-- 20 octets (presumably HMAC-MD5 and HMAC-SHA1 respectively); the agent
-- should reject a length that does not match the algorithm selected for
-- the same direction. Reads of any key column should return a
-- zero-length string.
pdnIPSecConnectionIPSecAHInboundAuthenticationKey OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(16 | 20))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the inbound AH authentication
         key. If this object is not configured, pdnUsrConfigIpSecKey from
         pdnUsrConfigIpSecKeyTable is used as the AH inbound
         authentication key for the specific connection. If both objects
         are configured then pdnIPSecConnectionIPSecAHInboundAuthenticationKey
         is used as the key for the specified connection. The value is
         secret and should not be revealed on read."
    ::= { pdnIPSecConnectionEntry 16 }

pdnIPSecConnectionIPSecAHOutboundAuthenticationKey OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(16 | 20))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the outbound AH authentication
         key. If this object is not configured, pdnUsrConfigIpSecKey from
         pdnUsrConfigIpSecKeyTable is used as the AH outbound
         authentication key for the specific connection. If both objects
         are configured then pdnIPSecConnectionIPSecAHOutboundAuthenticationKey
         is used as the key for the specified connection. The value is
         secret and should not be revealed on read."
    ::= { pdnIPSecConnectionEntry 17 }

pdnIPSecConnectionIPSecESPInboundAuthenticationKey OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(16 | 20))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the inbound ESP authentication
         key. If this object is not configured, pdnUsrConfigIpSecKey from
         pdnUsrConfigIpSecKeyTable is used as the ESP inbound
         authentication key for the specific connection. If both objects
         are configured then pdnIPSecConnectionIPSecESPInboundAuthenticationKey
         is used as the key for the specified connection. The value is
         secret and should not be revealed on read."
    ::= { pdnIPSecConnectionEntry 18 }

pdnIPSecConnectionIPSecESPOutboundAuthenticationKey OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(16 | 20))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the outbound ESP authentication
         key. If this object is not configured, pdnUsrConfigIpSecKey from
         pdnUsrConfigIpSecKeyTable is used as the ESP outbound
         authentication key for the specific connection. If both objects
         are configured then pdnIPSecConnectionIPSecESPOutboundAuthenticationKey
         is used as the key for the specified connection. The value is
         secret and should not be revealed on read."
    ::= { pdnIPSecConnectionEntry 19 }

-- NOTE(review): SIZE(0) is only valid together with null(3); the agent
-- should reject an empty key for cbcdes(1) or cbc3des(2).
pdnIPSecConnectionIPSecESPInboundEncryptionKey OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0 | 8 | 24))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the inbound ESP encryption
         key. If this object is not configured, pdnUsrConfigIpSecKey from
         pdnUsrConfigIpSecKeyTable is used as the ESP inbound encryption
         key for the specific connection. If both objects are configured
         then pdnIPSecConnectionIPSecESPInboundEncryptionKey is used as
         the key for the specified connection. The value is secret and
         should not be revealed on read."
    ::= { pdnIPSecConnectionEntry 20 }

pdnIPSecConnectionIPSecESPOutboundEncryptionKey OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0 | 8 | 24))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the outbound ESP encryption
         key. If this object is not configured, pdnUsrConfigIpSecKey from
         pdnUsrConfigIpSecKeyTable is used as the ESP outbound encryption
         key for the specific connection. If both objects are configured
         then pdnIPSecConnectionIPSecESPOutboundEncryptionKey is used as
         the key for the specified connection. The value is secret and
         should not be revealed on read."
    ::= { pdnIPSecConnectionEntry 21 }

-- NOTE(review): an SPI is an unsigned 32-bit field (RFC2401), but these
-- columns are Integer32, so values of 2^31 and above cannot be
-- expressed and negative values are syntactically allowed. RFC2401
-- reserves SPI 0 and the range 1..255; the agent should refuse them and
-- should refuse an SPI already in use for the same destination and
-- protocol, since the header text requires uniqueness per connection.
pdnIPSecConnectionIPSecAHInboundSPI OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the inbound AH Security
         Parameter Index. If this object is not configured, the SPI will
         be created by the system."
    ::= { pdnIPSecConnectionEntry 22 }

pdnIPSecConnectionIPSecAHOutboundSPI OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the outbound AH Security
         Parameter Index. If this object is not configured, the SPI will
         be created by the system."
    ::= { pdnIPSecConnectionEntry 23 }

pdnIPSecConnectionIPSecESPInboundSPI OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the inbound ESP Security
         Parameter Index. If this object is not configured, the SPI will
         be created by the system."
    ::= { pdnIPSecConnectionEntry 24 }

pdnIPSecConnectionIPSecESPOutboundSPI OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the outbound ESP Security
         Parameter Index. If this object is not configured, the SPI will
         be created by the system."
    ::= { pdnIPSecConnectionEntry 25 }

-- NOTE(review): the fallback named below, pdnUsrConfigIpSecKeyDirection,
-- is a not-accessible index column of the key table, not a setting, so
-- it cannot by itself determine a direction; confirm what the agent
-- really does when this column is unset (inboundOutbound(3) would be the
-- safe reading).
pdnIPSecConnectionDirection OBJECT-TYPE
    SYNTAX      INTEGER { inbound(1), outbound(2), inboundOutbound(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the direction of the
         connection. If this object is not configured, the
         pdnUsrConfigIpSecKeyTable object pdnUsrConfigIpSecKeyDirection
         will be used to determine the direction for the connection."
    ::= { pdnIPSecConnectionEntry 26 }

pdnIPSecConnectionName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(1..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to configure the connection entry's name."
    ::= { pdnIPSecConnectionEntry 27 }

-- NOTE(review): the description does not say which columns must be set
-- before the row may go active(1); the header text lists the five
-- address objects as mandatory. Use createAndWait(5) and set the keys
-- and SPIs before activating, so that no SA is ever installed with a
-- missing or default key.
pdnIPSecConnectionRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to add/delete an entry from this table."
    ::= { pdnIPSecConnectionEntry 28 }

-- NOTE(review): same read-then-advance scheme as
-- pdnIPSecSPDEntryIndexNext; two managers may receive the same index,
-- so the agent must reject the second creation instead of overwriting.
pdnIPSecConnectionIndexNext OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object contains an appropriate value to be used for
         pdnIPSecConnectionTable. The value 0 indicates that no
         unassigned entries are available. To obtain a
         pdnIPSecConnectionIndex value for a new entry the manager issues
         a management protocol retrieval operation to obtain the current
         value of this object. After each retrieval, the agent should
         modify the value to the next unassigned index."
    ::= { pdnIPSecConnectionConfig 2 }

-- CONFORMANCE INFORMATION
--
-- NOTE(review): only OBJECT-GROUPs are defined; there is no
-- MODULE-COMPLIANCE statement, so nothing in this module says which
-- groups an agent must implement.

pdnIPSecConfigurationGroup OBJECT-GROUP
    OBJECTS {
        pdnUsrConfigIPSec,
        pdnUsrConfigIPSecInboundAntiReplay,
        pdnUsrConfigIPSecOutboundAntiReplay,
        pdnUsrConfigLocalTunnelEndpointIPAddr,
        pdnUsrConfigIpSecKey,
        pdnUsrConfigIpSecKeyMaxLen,
        pdnUsrIpSecKeySetupAlg
    }
    STATUS      current
    DESCRIPTION
        "This collection of objects is used to configure IPsec globally."
    ::= { pdnIPSecConfigGroups 4 }

pdnIPSecSPDConfigurationGroup OBJECT-GROUP
    OBJECTS {
        pdnIPSecSPDEntryPriority,
        pdnIPSecSPDEntryName,
        pdnIPSecSPDEntryPolicyMode,
        pdnIPSecSPDEntryLocalIp,
        pdnIPSecSPDEntryRemoteIp,
        pdnIPSecSPDEntryTransportProtocol,
        pdnIPSecSPDEntryLocalPort,
        pdnIPSecSPDEntryRemotePort,
        pdnIPSecSPDEntryDirection,
        pdnIPSecSPDEntryAction,
        pdnIPSecSPDEntryTunnelEndpointIp,
        pdnIPSecSPDEntryRowStatus,
        pdnIPSecSPDEntryIndexNext
    }
    STATUS      current
    DESCRIPTION
        "This collection of objects is used to configure the security
         policy database."
    ::= { pdnIPSecConfigGroups 5 }

pdnIPSecConnectionConfigurationGroup OBJECT-GROUP
    OBJECTS {
        pdnIPSecConnectionMode,
        pdnIPSecConnectionTransform,
        pdnIPSecConnectionRemoteHostAddress,
        pdnIPSecConnectionTunnelEndpointLocalIpAddr,
        pdnIPSecConnectionTunnelEndpointLocalIpMask,
        pdnIPSecConnectionTunnelEndpointRemoteIpAddr,
        pdnIPSecConnectionTunnelEndpointRemoteIpMask,
        pdnIPSecConnectionAntiReplay,
        pdnIPSecConnectionIPSecAHInboundAuthenticationAlg,
        pdnIPSecConnectionIPSecAHOutboundAuthenticationAlg,
        pdnIPSecConnectionIPSecESPInboundAuthenticationAlg,
        pdnIPSecConnectionIPSecESPOutboundAuthenticationAlg,
        pdnIPSecConnectionIPSecESPInboundEncryptionAlg,
        pdnIPSecConnectionIPSecESPOutboundEncryptionAlg,
        pdnIPSecConnectionIPSecAHInboundAuthenticationKey,
        pdnIPSecConnectionIPSecAHOutboundAuthenticationKey,
        pdnIPSecConnectionIPSecESPInboundAuthenticationKey,
        pdnIPSecConnectionIPSecESPOutboundAuthenticationKey,
        pdnIPSecConnectionIPSecESPInboundEncryptionKey,
        pdnIPSecConnectionIPSecESPOutboundEncryptionKey,
        pdnIPSecConnectionIPSecAHInboundSPI,
        pdnIPSecConnectionIPSecAHOutboundSPI,
        pdnIPSecConnectionIPSecESPInboundSPI,
        pdnIPSecConnectionIPSecESPOutboundSPI,
        pdnIPSecConnectionDirection,
        pdnIPSecConnectionName,
        pdnIPSecConnectionRowStatus,
        pdnIPSecConnectionIndexNext
    }
    STATUS      current
    DESCRIPTION
        "This collection of objects is used to configure the security
         policy for each connection."
    ::= { pdnIPSecConfigGroups 6 }

END