idnits 2.17.1

draft-ietf-ipsec-flow-monitoring-mib-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There are 102 instances of lines with control characters in the document.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 223 has weird spacing: '...s which allow...'
  == Line 335 has weird spacing: '...roup is the I...'
  == Line 396 has weird spacing: '...tistics based...'
  == Line 2033 has weird spacing: '...ured by the p...'
  == Line 5310 has weird spacing: '...e index of th...'
  == (2 more instances...)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (02 Mar 2003) is 7720 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC2119' is mentioned on line 145, but not defined
  -- Looks like a reference, but probably isn't: '2271' on line 151
  -- Looks like a reference, but probably isn't: '1155' on line 156
  -- Looks like a reference, but probably isn't: '1212' on line 156
  -- Looks like a reference, but probably isn't: '1215' on line 156
  -- Looks like a reference, but probably isn't: '1902' on line 157
  -- Looks like a reference, but probably isn't: '1903' on line 158
  -- Looks like a reference, but probably isn't: '1904' on line 158
  -- Looks like a reference, but probably isn't: '1157' on line 171
  -- Looks like a reference, but probably isn't: '1901' on line 164
  -- Looks like a reference, but probably isn't: '1906' on line 166
  -- Looks like a reference, but probably isn't: '2272' on line 166
  -- Looks like a reference, but probably isn't: '2274' on line 167
  -- Looks like a reference, but probably isn't: '1905' on line 172
  -- Looks like a reference, but probably isn't: '2273' on line 174
  -- Looks like a reference, but probably isn't: '2275' on line 176
  == Unused Reference: 'RFC2407' is defined on line 6929, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC2401' is defined on line 6932, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC2409' is defined on line 6935, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC2408' is defined on line 6938, but no explicit
     reference was found in the text
  == Unused Reference: 'IGMIB' is defined on line 6942, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC1902' is defined on line 6945, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC2271' is defined on line 6950, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC1155' is defined on line 6954, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC1212' is defined on line 6958, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC1215' is defined on line 6961, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC1903' is defined on line 6964, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC1904' is defined on line 6969, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC1157' is defined on line 6974, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC1901' is defined on line 6978, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC1906' is defined on line 6982, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC2272' is defined on line 6987, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC2274' is defined on line 6992, but no explicit
     reference was found in the text
  == Unused Reference: 'RFC1905' is defined on line 6996, but no explicit
     reference was found in the text
  ** Obsolete normative reference: RFC 2407 (Obsoleted by RFC 4306)
  ** Obsolete normative reference: RFC 2401 (Obsoleted by RFC 4301)
  ** Obsolete normative reference: RFC 2409 (Obsoleted by RFC 4306)
  ** Obsolete normative reference: RFC 2408 (Obsoleted by RFC 4306)
  ** Obsolete normative reference: RFC 2233 (ref. 'IGMIB') (Obsoleted by RFC
     2863)
  ** Obsolete normative reference: RFC 1902 (Obsoleted by RFC 2578)
  ** Obsolete normative reference: RFC 2271 (Obsoleted by RFC 2571)
  ** Downref: Normative reference to an Informational RFC: RFC 1215
  ** Obsolete normative reference: RFC 1903 (Obsoleted by RFC 2579)
  ** Obsolete normative reference: RFC 1904 (Obsoleted by RFC 2580)
  ** Downref: Normative reference to an Historic RFC: RFC 1157
  ** Downref: Normative reference to an Historic RFC: RFC 1901
  ** Obsolete normative reference: RFC 1906 (Obsoleted by RFC 3417)
  ** Obsolete normative reference: RFC 2272 (Obsoleted by RFC 2572)
  ** Obsolete normative reference: RFC 2274 (Obsoleted by RFC 2574)
  ** Obsolete normative reference: RFC 1905 (Obsoleted by RFC 3416)

     Summary: 20 errors (**), 0 flaws (~~), 26 warnings (==), 17 comments
     (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1    Internet Engineering Task Force          C. Madson, Cisco Systems Inc.
2    IPsec Working Group                      L. Temoshenko, Cisco Systems.
3    INTERNET-DRAFT:                          C. Pellecuru, Cisco Systems.
4    Expires in six months                    B. Harrison, Tivoli Systems.
5                                             S. Ramakrishnan, Cisco Systems.
6                                             02 Mar 2003

8                       IPsec Flow Monitoring MIB
9

11   Status of this Memo

13      This document is an Internet-Draft and is in full conformance with
14      all provisions of Section 10 of RFC2026.

16      This document is a submission to the IETF Internet Protocol Security
17      Working Group. Comments are solicited and should be addressed to the
18      working group mailing list (ipsec@lists.tislabs.com) or to the
19      editor(s).

21      Internet-Drafts are working documents of the Internet Engineering
22      Task Force (IETF), its areas, and its working groups. Note that
23      other groups may also distribute working documents as Internet-
24      Drafts.

26      Internet-Drafts are draft documents valid for a maximum of six months
27      and may be updated, replaced, or obsoleted by other documents at any
28      time. It is inappropriate to use Internet-Drafts as reference
29      material or to cite them other than as "work in progress."

31      The list of current Internet-Drafts can be accessed at
32      http://www.ietf.org/1id-abstracts.html

34      The list of Internet-Draft Shadow Directories can be accessed at
35      http://www.ietf.org/shadow.html.

37      To learn the current status of any Internet-Draft, please check the
38      "id-abstracts.txt" listing contained in the Internet-Drafts Shadow
39      Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
40      munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
41      ftp.isi.edu (US West Coast).

43      Distribution of this memo is unlimited.

45   Copyright Notice

47      Copyright (C) The Internet Society (2001-03). All Rights Reserved.

49   Abstract
50      This document describes a high-level MIB for monitoring, accounting,
51      trending and failure detection for IPsec-based networks. Optional
52      features of the MIB include trending of IPsec-related metrics and
53      archiving of VPN failures.

55   Table of Contents

57      1.    Introduction
58      1.1   Overview
59      1.2   The SNMPv2 Network Management Framework
60      2.    Architecture of the MIB
61      2.1   Support for Different Control Protocols
62      3.1   IPsec Levels Group
63      3.2   IPsec Phase-1 Group
64      3.3   IPsec Phase-2 Group
65      3.4   IPsec History Group
66      3.4.1 Journaling Active Tunnels
67      3.5   IPsec Failure Group
68      3.6   IPsec Trap Control Group
69      4.    Elements Deferred to Future Versions
70      5.    MIB Definitions
71      6.    Intellectual Property
72      7.    Acknowledgments
73      8.    Security Considerations
74      9.    References
75      10.   Editors' Addresses
76      11.   Expiration
77      12.   Full Copyright Statement

79   1. Introduction

81   1.1. Overview

83      As VPN technology in the shape of IPsec is deployed, customers,
84      particularly large enterprise and Service Providers, are requiring a
85      standard way to monitor their VPNs. Service Providers in particular
86      are often required to maintain service level agreements (SLAs) that
87      guarantee quality and performance to their customers. In addition to
88      this the provider must be able to accurately bill customers. Both
89      enterprise customers and providers collect usage statistics for
90      capacity planning and to ensure sufficient resources are available
91      for redundancy and high availability.

93      This document defines a high level MIB for monitoring, trending
94      and troubleshooting IPsec connections. The metrics defined by this
95      MIB may be used to identify trends and enforce service level
96      agreements. The troubleshooting functionality is in the form of
97      records of failure events and traps sent as a result of operational
98      failures during the setting up, tearing down and normal lifetime of
99      IPsec flows. It is meant as an indication of failure to the personnel
100     of a Network Operation Center. This MIB does not present in-depth low
101     level debugging and diagnostic support that may be used by
102     implementers of IPsec, but rather, it may be seen as complementary to
103     such a MIB. This MIB does not provide support for the configuration
104     of IPsec-capable devices.

106     The definition presented is driven by customer requirements for a MIB
107     encompassing statistics collection that may be used for accounting
108     purposes, trending as well as status monitoring, error collection and
109     real-time alerting via traps.

111     The MIB has been designed based on specific requirements from service
112     providers that want to offer an outsourced VPN service to customers,
113     with the main focuses being: provision of services in such a way that
114     satisfies Service Level Agreements, support for a multi-vendor
115     environment, and incorporation with existing network management
116     software.

118     The MIB was designed in 1999 and has since evolved with the
119     experience in its deployment in the field. While the MIB is likely
120     to be deployed for managing IPsec VPNs, the MIB is not specific
121     to this application of IPsec. The MIB may be used equally well to
122     manage any IPsec-based network.

124     Section 2 describes the architecture and abstractions defined by the
125     MIB. This section is important for understanding the remaining
126     sections.

128     Section 3 describes various object groups defined in the MIB. These
129     include the Levels group, the IPsec Phase-1 group, IPsec Phase-2
130     group, the history group, the VPN failure group and finally the
131     notifications group. Important relationships between the groups have
132     also been highlighted.

134     Section 4 lists the items that are planned to be included in the MIB
135     in the next revision.

137     Section 5 defines a collection of managed objects used to instrument
138     IPsec structures and activities in the managed entity.

140     Sections 6, 7, 8, 9, 10 and 11 are administrative in nature.

142     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
143     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
144     document are to be interpreted as described in [RFC2119].

146  1.2. The SNMPv2 Network Management Framework

148     The SNMP Management Framework presently consists of five major
149     components:

151     1) An overall architecture, described in RFC 2271 [2271].

153     2) Mechanisms for describing and naming objects and events for the
154        purpose of management. The first version of this Structure of
155        Management Information (SMI) is called SMIv1 and described in RFC
156        1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
157        version, called SMIv2, is described in RFC 1902 [1902], RFC 1903
158        [1903] and RFC 1904 [1904].

160     3) Message protocols for transferring management information. The
161        first version of the SNMP message protocol is called SNMPv1 and
162        described in RFC 1157 [1157]. A second version of the SNMP message
163        protocol, which is not an Internet standards track protocol, is
164        called SNMPv2c and described in RFC 1901 [1901] and RFC 1906
165        [1906]. The third version of the message protocol is called
166        SNMPv3 and described in RFC 1906 [1906], RFC 2272 [2272] and RFC
167        2274 [2274].

169     4) Protocol operations for accessing management information. The
170        first set of protocol operations and associated PDU formats is
171        described in RFC 1157 [1157]. A second set of protocol operations
172        and associated PDU formats is described in RFC 1905 [1905].

174     5) A set of fundamental applications described in RFC 2273 [2273] and
175        the view-based access control mechanism described in RFC 2275
176        [2275].

178  2. Architecture of the MIB

180     This section provides a view of the overall architecture, and
181     describes the major MIB groups and table definitions. The MIB covers
182     both Phase 1 Security Associations (SAs) and Phase 2 or IPsec SAs.
183     An example of Phase 1 structures are the SAs created by the Internet
184     Key Exchange (IKE) protocol.

186     The key component of this MIB is the abstraction of a traffic flow or
187     a "tunnel". A tunnel signifies a sustained application traffic flow.
188     A Phase 1 tunnel (IKE tunnel) is represented by a single ISAKMP SA
189     which has been established after a successful completion of Phase 1.
190     When the ISAKMP SA expires or is terminated, the tunnel is deemed
191     to cease to exist as well.

193        (ISAKMP SA                                      (ISAKMP SA
194         created)                                        expires)
195            |<----------------[ISAKMP SA]------------------>|

197            |<--------------- Phase 1 Tunnel -------------->|

199     In the context of Phase 2 SAs, an "IPsec tunnel" is defined as the
200     virtual link formed by successive Phase 2 SA bundles that share the
201     same Phase 2 proxy identifiers. When the last SA bundle expires and is
202     not replaced by a new set of SA bundles, the tunnel is said to expire.

204     (Start of application
205      traffic)
206        [SA bundle 1]----->|
207                     [SA bundle 2]----->|
208                                  [SA bundle 3]----->|
209                                                     (End of
210                                                      application
211                                                      traffic)
212        |<---------------- Phase 2 Tunnel ---------------->|

214     Another key component of this MIB is the monitoring of large numbers
215     of dynamic tunnels. In the case of clients initiating connections to
216     a gateway, it is not usually possible for the gateway to have
217     knowledge of all the attributes of the client, in particular the
218     identity of the client, before the start of the session. The MIB must
219     support these dynamic connections in addition to static tunnels that
220     usually exist between gateway devices.

222     The information provided in the MIB includes statistics on individual
223     SAs as well as global totals which allows the provider to report on
224     individual customer SLAs as well as monitoring the overall health of
225     the VPN service. Statistics are provided on packet counts and drops,
226     notify messages, failures, deletes and exchanges between peers. This
227     information is presented in the form of groups that cover specific
228     aspects of the VPN to facilitate accurate evaluation of performance
229     and the generation of meaningful reports.

231  2.1 Support for Different Control Protocols

233     This document uses the term Control Protocol to denote the protocol
234     used to set up and maintain the IPsec (Phase 2) SAs. The architecture
235     of the MIB supports the instrumentation of any control protocol. The
236     current version of the MIB defines an IKE group to support the
237     deployment of IPsec with IKE. This is an optional group and hence
238     need not be implemented to claim compliance with the MIB. As newer
239     control protocols are standardized (IKEv2, KINK, etc), the modules
240     for these protocols can be plugged into this MIB as other optional
241     groups.

243  3. MIB Group Definitions

245     This section outlines the major MIB groups and table definitions. The
246     MIB covers both Phase 1 or Internet Key Exchange SAs and Phase 2 or
247     IPsec SAs.

249  3.1. IPsec Levels Group

251     The Levels Group consists of global single instance objects accessed
252     using an index of zero. Currently, the MIB Level object is the only
253     object contained in this group. Initially the value of this object
254     will be one (1) and incremented as changes are made to the MIB.

256  3.2. IPsec Phase-1 Group

258     Provides global statistics for all phase 1 tunnels, active and
259     previous. The Internet Key Exchange Peer Table defines the peers
260     involved in any Phase 1 tunnel associated with active Phase 2
261     tunnels. Statistics for each active phase 1 tunnel (including policy
262     attributes) are contained in the IKE Tunnel table, and the IKE Peer
263     Association to Phase 2 Tunnel Correlation Table provides a link
264     between each Phase 1 peer entry and any associated active Phase 2
265     tunnels.

267     ikeGlobalStats

269         All Phase 1 Tunnel Stats including statistics pertaining to
270         IKE mode configuration.

272     ikeTunnelTable
273         IkeTunnelEntry
274     -----> ikePeerEntryTable
275                IkePeerEntry
276            -----> ikePeerCorrTable
277                       IkePeerCorrEntry
278                   -----> ipSecTunnelTable
279                              IpSecTunnelEntry

281     The relationships modeled in Phase-1 group are as follows:

283     .--------------.             .----------------.
284     |   Phase1     |             |Control Protocol|
285     |    Peer      |---------->> |  (IKE) Tunnel  |
286     |    Table     |             |     Table      |
287     `--------------'             `----------------'
288            ^                              ^
289            ^                              ^
290            |                              .
291            |                              .
292     .--------------.             .--------------.
293     | Phase1 Peer  |             |    IPsec     |
294     | Correlation  |-----------> |    Tunnel    |
295     |    Table     |             |    Table     |
296     `--------------'             `--------------'

298     Single arrow (>) represents a 1:1 relation. Double arrow represents
299     a 1:n relationship. Dotted arrow (...) represents a relationship
300     that is defined as a "softlink", i.e., a relationship that is
301     implemented in the software but which is not enforced by SMI. The
302     relationship between an IPsec tunnel and the Control tunnel that
303     negotiated that IPsec tunnel is implemented using a softlink in
304     order to facilitate "dangling" IPsec implementations (i.e.
305     implementations where an ISAKMP SA may expire prior to the expiry of
306     the Phase-2 SAs that were negotiated using the ISAKMP SA). Note that
307     control tunnel types other than IKE can be accommodated using this
308     architecture.

310     As the diagram above illustrates, there can be one or more IKE
311     tunnels between a Phase 1 peer pair. There can be one or more IPsec
312     tunnels between a given Phase 1 peer pair. When there are no Control
313     (such as IKE) or IPsec tunnels to a peer, the peer entry
314     corresponding to that peer is removed from the Phase 1 Peer table.

316  3.3. IPsec Phase-2 Group

318     This group defines six subgroups. The first is a Global Statistics
319     table that accumulates statistics pertaining to various Phase-2
320     activities and tunnel statistics from all active and previous Phase 2
321     tunnels. The second group defines the active Phase 2 IPsec tunnel
322     table. Each entry in this table corresponds to a single active
323     Phase-2 IPsec flow on the managed entity and includes the algorithms
324     used and counts of activities such as number of packets successfully
325     encrypted or number of encryption failures. The tunnel endpoint table
326     forms the third subgroup under Phase 2 group. This table identifies
327     the clients using the active IPsec flows and the protocols riding on
328     the flows. The clients are subnets, hosts or collection of IP
329     addresses. The protocol for which the flow was set up is identified
330     using the id of the protocol and the port number (eg: SMTP = TCP/25).
331     Since endpoints are associated with active IPsec tunnels, each entry
332     in the endpoint table refers to an entry in the active IPsec tunnel
333     table.

335     The fourth subgroup under Phase-2 group is the IPsec security
336     association table (ipSecSaTable). This table identifies the structure
337     of each active IPsec tunnel by mapping the active IPsec tunnel into
338     its component security associations. This table deprecates the
339     previously defined ipSecSpiTable.

341     ipSecGlobalStats

343         All Phase 2 Tunnel Stats

345     IpSecTunnelTable

347         IpSecTunnelEntry

349     -----> ipSecEndptTable
350                IpSecEntptEntry

352     -----> ipSecSaTable
353                IpSecSaEntry (Inbound)
354                IpSecSaEntry (Outbound)

356     The relationships modeled in Phase-1 group are as follows:

358    .----------------.
359    |Control Protocol|
360    |  (IKE) Tunnel  |
361    |     Table      |
362    `----------------'
363            ^
364            ^
365            .
366            .
367     .--------------.             .--------------.
368     |    IPsec     |             |  End Point   |
369     |    Tunnel    |<----------- |    Table     |
370     |    Table     |             |              |
371     `--------------'             `--------------'
372            ^
373            ^
374            |
375            |
376     .--------------.
377     |    IPsec     |
378     |     SA       |
379     |    Table     |
380     `--------------'

382     As the diagram above illustrates, for every entry in the End Point
383     table, there is a unique entry in the active IPsec tunnel table. A
384     number of entries in the IPsec SA table map to a specific entry in the
385     IPsec tunnel table. This is because an IPsec tunnel is composed of
386     at least two Phase-2 security associations. Note also, that the
387     relationship between Phase-2 IPsec tunnels and Phase 2 IKE tunnels is
388     n:1 and is implemented as a softlink, to accommodate dangling IPsec
389     implementations.

391  3.4. IPsec History Group

393     This group includes tables for Phase-1 Tunnel History, Phase-2 Tunnel
394     History, and Phase-2 Endpoint History. The number of entries in each
395     table is defined by the value of ipSecHistTablSize. The tables cover
396     phase 1 and phase 2 statistics based on accumulating packet and
397     octet counts and failures based on security policy parameters and
398     tunnel lifetimes. Examples are a count of the total number of octets
399     encrypted using 3DES, or the number of authentication failures when
400     the algorithm used was MD5.

402     The relationships modeled in Phase-1 group are as follows:

404     .--------------.
405     |  IKE Tunnel  |
406     |   History    |
407     |    Table     |
408     `--------------'
409            ^
410            ^
411            .
412            .
413            .
414     .--------------.             .--------------.
415     | IPsec Tunnel |             |   Phase 2    |
416     |   History    | <---------- |   EndPoint   |
417     |    Table     |             | History Table|
418     `--------------'             `--------------'

420     For every entry in the End Point History table, there is a unique
421     entry in the IPsec Tunnel History table. This is because when an
422     IPsec tunnel expires, the end point entry associated with the tunnel
423     expires also. Also note that the IKE tunnel that negotiated an
424     expired instance of IPsec tunnel may not be present in the IKE Tunnel
425     History table; the IKE tunnel may instead be still in the active IKE
426     tunnel table.

428     Implementation Hint: The failure group may be implemented using ring
429     buffers of the prescribed maximum size. This will automatically cause
430     the oldest entry to be phased out to accommodate a new entry, should
431     the buffer be full.

433  3.4.1. Journaling Active Tunnels

435     The history group also allows for journaling active Phase 1 and Phase
436     2 sessions by taking a snapshot of the active tunnels into the
437     respective history tables whenever required. By setting an
438     appropriate value in the MIB object ipSecHistCheckPoint, the operator
439     may initiate a snapshot operation.

441  3.5. IPsec Failure Group
442     This group includes tables for phase 1 and phase 2 failures. Failures
443     include

445     1) tunnel setup failures (the failure of a tunnel to be set up)

447     2) tunnel operational failures (the tunnel was set up, but was
448        terminated before the negotiated lifetime expired).

450     The size of each table is dependent on the value of the
451     ipSecFailTableSize object. Each failure entry for either phase 1 or 2
452     includes the specific reason for the failure, for example a CRL
453     failure, and the time of the failure.

455     There are two tables in the failure group - one corresponding to
456     failure of Phase-1 operations (IKE failures) and the second
457     corresponding to Phase-2 failures. There is no specific relationship
458     between the two tables modeled in this group. Note, however, that
459     for every tunnel failure recorded in the failure group, there is an
460     entry in the corresponding (IKE or IPsec) Tunnel History table
461     (unless such an entry has been phased out to accommodate a new entry).
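
The ring-buffer implementation hint in Sections 3.4 and 3.5, as an added example that is not part of the draft: a bounded failure table in C whose window mirrors the ipSecFailTableSize object. The struct layout, the function names, the FAIL_TABLE_MAX ceiling, the ever-increasing row index and the reason-code values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FAIL_TABLE_MAX 8u  /* assumed storage ceiling for this sketch */

/* Hypothetical row: the draft only says an entry carries the failure
 * reason and the time of the failure; field names are illustrative. */
typedef struct {
    uint32_t index;       /* row index; keeps increasing across wraps */
    uint32_t reason;      /* failure reason code (constructed values) */
    uint32_t time_ticks;  /* time of the failure, in agent uptime ticks */
} fail_entry_t;

typedef struct {
    fail_entry_t rows[FAIL_TABLE_MAX];
    uint32_t size;        /* window size, mirrors ipSecFailTableSize */
    uint32_t count;       /* rows currently held, always <= size */
    uint32_t head;        /* slot holding the oldest surviving row */
    uint32_t next_index;  /* index the next recorded failure will get */
} fail_table_t;

/* Drop the oldest rows until at most `keep` remain. */
static void fail_table_trim(fail_table_t *t, uint32_t keep)
{
    while (t->count > keep) {
        t->head = (t->head + 1u) % FAIL_TABLE_MAX;
        t->count--;
    }
}

void fail_table_init(fail_table_t *t, uint32_t size)
{
    t->size = size > FAIL_TABLE_MAX ? FAIL_TABLE_MAX : size;
    t->count = 0;
    t->head = 0;
    t->next_index = 1;    /* the first recorded failure gets index 1 */
}

/* A manager SET on the size object shrinks or grows the window; shrinking
 * phases out the oldest rows first, exactly as an overflow would. */
void fail_table_resize(fail_table_t *t, uint32_t size)
{
    t->size = size > FAIL_TABLE_MAX ? FAIL_TABLE_MAX : size;
    fail_table_trim(t, t->size);
}

/* Record one failure. Returns the row index, or 0 if the window is 0
 * (treated here as "failure recording disabled", an assumption). */
uint32_t fail_table_record(fail_table_t *t, uint32_t reason, uint32_t now)
{
    fail_entry_t *e;
    if (t->size == 0) return 0;
    if (t->count == t->size)
        fail_table_trim(t, t->size - 1u);   /* phase out the oldest row */
    e = &t->rows[(t->head + t->count) % FAIL_TABLE_MAX];
    e->index = t->next_index++;
    e->reason = reason;
    e->time_ticks = now;
    t->count++;
    return e->index;
}

/* Exact-match lookup (SNMP GET). Returns 0 and fills *out, or -1 when the
 * row never existed or has already been phased out. */
int fail_table_get(const fail_table_t *t, uint32_t index, fail_entry_t *out)
{
    uint32_t oldest = t->next_index - t->count;
    uint32_t off = index - oldest;          /* wraps to a huge value if older */
    if (off >= t->count) return -1;
    *out = t->rows[(t->head + off) % FAIL_TABLE_MAX];
    return 0;
}

/* Successor lookup (SNMP GETNEXT). A manager that resumes a walk from a row
 * that was overwritten in the meantime lands on the oldest surviving row. */
int fail_table_get_next(const fail_table_t *t, uint32_t after, fail_entry_t *out)
{
    uint32_t oldest = t->next_index - t->count;
    if (t->count == 0) return -1;
    if (after < oldest)
        return fail_table_get(t, oldest, out);
    return fail_table_get(t, after + 1u, out);
}

int main(void)
{
    fail_table_t t; fail_entry_t e;
    uint32_t after = 0;
    fail_table_init(&t, 3);
    for (uint32_t i = 0; i < 5; i++)        /* five constructed failures */
        fail_table_record(&t, 100u + i, 1000u * (i + 1u));
    while (fail_table_get_next(&t, after, &e) == 0) {
        printf("index=%u reason=%u\n", (unsigned)e.index, (unsigned)e.reason);
        after = e.index;
    }
    return 0;
}
```

Because the row index keeps counting while slots are reused, a management station can tell a phased-out failure (lookup returns -1) from one it has simply not polled yet.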
463 Implementation Hint: The failure group may be implemented using ring 464 buffers of the prescribed maximum size. This will automatically cause 465 the oldest entry to be phased out to accomodate a new entry, should 466 the buffer be full. 468 3.6. IPsec Trap Control Group 470 This group controls the sending of IPsec traps. Traps are considered 471 to include both error conditions, and any events that cause a change 472 in state on the device. Events that trigger traps include normal 473 events such as tunnel starts and stops and failure events such as 474 early tunnel terminations, receipt of an invalid SPI, system errors, 475 failure to establish tunnels, certificate failures and protocol 476 errors. 478 4. Elements Deferred to Future Versions 480 A number of information elements relevant to the management of 481 IPsec-based VPNs have been postponed to the next revision of this 482 document. These include the following. 484 1) Support for Stream Control Transmission Protocol Apart from the 485 inclusion of a new IKE ID type, SCTP requires that an IKE/IPsec 486 tunnel be able to support multiple endpoint entries (selectors). 488 Hence the mapping between IPsec tunnel table and the End Point 489 table must be made 1:n. 491 2) Support for KINK As details pertaining to KINK are resolved, Phase 492 1 group in the MIB will be redefined to support multiple key 493 management protocols. 495 3) Multicast/GDOI A future version if this MIB will include support 496 for group key-negotiations and multicast over IPsec. 498 4) NAT with IPsec Many implementations use UDP encapsulation to 499 support NAT with IPsec. The Phase-1 and Phase-2 tunnel tables will 500 be expanded to include attributes pertaining to this 501 configuration. 503 5. MIB Definitions 505 IPSEC-FLOW-MONITOR-MIB DEFINITIONS ::= BEGIN 507 -- PREFACE: 508 -- IPSEC-FLOW-MONITOR-MIB Module models 509 -- the standard, dynamic aspects of IPsec. 
510 -- These include counters and objects that are of 511 -- management interest in a standard IPSec 512 -- implementation. The MIB does not define 513 -- vendor-specific IPSec attributes. 515 IMPORTS 516 MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, 517 Counter32, Counter64, Gauge32, Integer32, experimental 518 FROM SNMPv2-SMI 519 TEXTUAL-CONVENTION, DisplayString, TimeStamp, 520 TimeInterval, TruthValue 521 FROM SNMPv2-TC 522 MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP 523 FROM SNMPv2-CONF 525 ControlProtocol, 526 Phase1PeerIdentityType, 527 IkeNegoMode, 528 IkeHashAlgo, 529 IkeAuthMethod, 530 DiffHellmanGrp, 531 EncapMode, 532 EncryptAlgo, 533 Spi, 534 AuthAlgo, 535 CompAlgo, 536 EndPtType 537 FROM IPSEC-FLOW-MIB-TC; 539 ipSecFlowMonitorMIB MODULE-IDENTITY 540 LAST-UPDATED "200302171158Z" 541 ORGANIZATION "Tivoli Systems and Cisco Systems" 542 CONTACT-INFO 543 "Tivoli Systems 544 Research Triangle Park, NC 546 Cisco Systems 547 170 W Tasman Drive 548 San Jose, CA 95134 549 USA 551 Tel: +1 800 553-NETS 552 E-mail: harrisob@us.ibm.com 553 cs-ipsecmib@external.cisco.com" 555 DESCRIPTION 556 "This is a MIB Module for monitoring the structure 557 and status of IPSec-based networks. The MIB has bee 558 designed to be adopted as an IETF standard. Henc 559 vendor-specific features of IPSec protocol are exclude 560 from this MIB. 562 Acronyms 563 The following acronyms are used in this document: 565 IPSec: Secure IP Protocol 567 VPN: Virtual Private Network 569 ISAKMP: Internet Security Association and Key Exchange 570 Protocol 572 IKE: Internet Key Exchange Protocol 574 SA: Security Association 576 MM: Main Mode - the process of setting up 577 a Phase 1 SA to secure the exchanges 578 required to setup Phase 2 SAs 580 QM: Quick Mode - the process of setting up 581 Phase 2 Security Associations using 582 a Phase 1 SA. 584 Phase 1 Tunnel: 585 An ISAKMP SA can be regarded as representing 586 a flow of ISAKMP/IKE traffic. 
Hence an ISAKMP 587 is referred to as a 'Phase 1 Tunnel' in this 588 document 590 Control Tunnel: 591 Another term for a Phase 1 Tunnel. 593 Phase 2 Tunnel: 594 AN instance of a non-ISAKMP SA bundle in which all 595 the SA share the same proxy identifiers (IDii,IDir) 596 protect the same stream of application traffic. 597 Such an SA bundle is termed a 'Phase 2 Tunnel'. 598 Note that a Phase 2 tunnel may comprise different 599 SA bundles and different number of SA bundles at 600 different times (due to key refresh). 602 Overview of IPsec MIB 604 The MIB contains six major groups of objects which are 605 used to manage the IPSec Protocol. These groups include 606 a Levels Group, a Phase-1 Group, a Phase-2 Group, 607 a History Group, a Failure Group and a TRAP Control Group. 608 The following table illustrates the structure of the 609 IPSec MIB. 611 The Phase 1 group models objects pertaining to 612 IKE negotiations and Phase 1 tunnels. 614 The Phase 2 group models objects pertaining to 615 IPSec data tunnels. 617 The History group is to aid applications that do 618 trending analysis. 620 The Failure group is to enable an operator to 621 do troubleshooting and debugging of the VPN Router. 622 Further, counters are supported to aid detection 623 of potential security violations. 625 In addition to the five major MIB Groups, there are 626 a number of Notifications. The following table 627 illustrates the name and description of the 628 IPSec TRAPs. 630 For a detailed discussion, please refer to the IETF 631 draft draft-ietf-ipsec-flow-monitoring-mib-01.txt. 632 " 634 REVISION "9911041800Z" 635 DESCRIPTION 636 "Initial version of this MIB module proposed to IETF." 638 REVISION "2001031200Z" 639 DESCRIPTION 640 "Phase-1 group updated with mode config metrics in globals 641 as well as IKE peer table. 642 Phase-2 group updated with new group metrics. New grou 643 failures added to Failure group. 644 Notifications pertaining to new group added. 
645          SPI table deprecated and an updated IPsec SA table added.
646          Compliance clauses updated."

648      REVISION "200303021158Z"
649      DESCRIPTION
650          "Third submission of the draft to IETF. Changes incorporated
651          based on comments received on the second draft. Highlights:
652          1) IKE Group made optional
653          2) Provision to accommodate other Phase 1 protocols.
654          3) Phase 1 Peer Association table decoupled from
655             IKE group.
656          4) Local and Remote value indices to Phase 1 Peer
657             Association table constrained to 128-bit length by MD5
658             hashing.
659          5) Mapping of Phase 2 tunnels to Phase 1 tunnels
660             made generic (non-IKE).
661          6) Phase 1 traps redefined as `Control Channel' traps.
662          7) High capacity counters defined for Phase-1 and Phase-2
663             expired counters."

665  -- Placeholder anchor
666  --::= { xxx 171 }
667      ::= { experimental 171 }

669  -- +++++++++++++++++++++++++++++++++++++++++++++++++++
670  -- Local Textual Conventions
671  -- +++++++++++++++++++++++++++++++++++++++++++++++++++
672  HashedString ::= TEXTUAL-CONVENTION
673      STATUS current
674      DESCRIPTION
675          "128-bit MD5 output string of an input string"
676      SYNTAX OCTET STRING(SIZE(16))

678  IPSIpAddress ::= TEXTUAL-CONVENTION
679      STATUS current
680      DESCRIPTION
681          "An IP V4 or V6 Address."
682      SYNTAX OCTET STRING(SIZE(4 | 16))
683      -- IP V4 or V6 Address

685  IkePeerType ::= TEXTUAL-CONVENTION
686      STATUS deprecated
687      DESCRIPTION
688          "The type of IPsec Phase-1 IKE peer identity.
689          The IKE peer may be identified by one of the
690          ID types defined in IPSEC DOI.

692          This textual convention has been deprecated in
693          favour of the more generic `Phase1PeerType'.
694          (defined in module IPSEC-FLOW-MIB-TC)."

696      SYNTAX INTEGER {
697          reserved(0),
698          id_ipv4_addr(1),
699          id_fqdn(2),
700          id_dn(3),
701          id_ipv6_addr(4)
702      }

704  KeyType ::= TEXTUAL-CONVENTION
705      STATUS deprecated
706      DESCRIPTION
707          "The type of key used by an IPsec Phase-2 Tunnel.
709          This textual convention has been deprecated and has been
710          replaced by the standard textual convention ControlProtocol
711          (defined in module IPSEC-FLOW-MIB-TC)."

713      SYNTAX INTEGER{
714          reserved(0),
715          key_ike(1),
716          key_manual(2),
717          key_kink(3),
718          key_ikev2(4)
719      }

721  TunnelStatus ::= TEXTUAL-CONVENTION
722      STATUS current
723      DESCRIPTION
724          "The status of a Tunnel. Objects of this type may
725          be used to bring the tunnel down by setting
726          value of this object to destroy(4). Objects of this
727          type cannot be used to create a Tunnel."
728      SYNTAX INTEGER {
729          reserved(0),
730          awaitXauth(1), -- in Phase 1.5
731          awaitCommit(2), -- waiting for commit bit
732          active(3), -- ready for QM
733          destroy(4)
734      }

736  TrapStatus ::= TEXTUAL-CONVENTION
737      STATUS current
738      DESCRIPTION
739          "The administrative status for sending a TRAP."
740      SYNTAX INTEGER {
741          reserved(0),
742          enabled(1),
743          disabled(2)
744      }

746  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
747  -- IPsec MIB Object Groups
748  --
749  -- This MIB module contains the following groups:
750  -- 1) IPsec Levels Group
751  -- 2) IPsec Phase-1 Group
752  -- 3) IPsec Phase-2 Group
753  -- 4) IPsec History Group
754  -- 5) IPsec Failure Group
755  -- 6) IPsec TRAP Control Group
756  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

758  ipSecMIBObjects OBJECT IDENTIFIER ::=
759      {ipSecFlowMonitorMIB 1}

761  ipSecLevels OBJECT IDENTIFIER
762      ::= { ipSecMIBObjects 1 }
763  ipSecPhaseOne OBJECT IDENTIFIER
764      ::= { ipSecMIBObjects 2 }
765  ipSecPhaseTwo OBJECT IDENTIFIER
766      ::= { ipSecMIBObjects 3 }

768  ipSecHistory OBJECT IDENTIFIER
769      ::= { ipSecMIBObjects 4 }
770  ipSecFailures OBJECT IDENTIFIER
771      ::= { ipSecMIBObjects 5 }
772  ipSecTrapCntl OBJECT IDENTIFIER
773      ::= { ipSecMIBObjects 6 }

775  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
776  -- IPsec Levels Group
777  --
778  -- This group consists of a:
779  -- 1) IPsec MIB Level
780  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

782  ipSecMibLevel OBJECT-TYPE
783      SYNTAX Integer32 (1..4096)
784      MAX-ACCESS read-only
785      STATUS current
786      DESCRIPTION
787          "The version of the IPsec MIB."
788      ::= { ipSecLevels 1 }

790  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
791  -- The IPsec Phase-1 Internet Key Exchange (IKE) Group
792  --
793  -- This group consists of:
794  -- 1) IPsec Phase-1 Global Statistics
795  -- 2) IPsec Phase-1 Peer Table
796  -- 3) IPsec Phase-1 Tunnel Table
797  -- 4) IPsec Phase-1 Correlation Table
798  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

800  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
801  -- The IPsec Phase-1 Global Statistics
802  -- This entire group is optional and needs to be implemented
803  -- only if the managed entity supports IKE.
804  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
805  ikeGroup OBJECT IDENTIFIER
806      ::= { ipSecPhaseOne 1 }

808  ikeGlobalStats OBJECT IDENTIFIER
809      ::= { ikeGroup 1 }

811  ikeGlobalActiveTunnels OBJECT-TYPE
812      SYNTAX Gauge32
813      MAX-ACCESS read-only
814      STATUS current
815      DESCRIPTION
816          "The number of currently active IPsec
817          Phase-1 IKE Tunnels. This is equal to the
818          number of ISAKMP SAs currently active."
819      ::= { ikeGlobalStats 1 }

821  ikeGlobalPreviousTunnels OBJECT-TYPE
822      SYNTAX Counter32
823      UNITS "SAs"
824      MAX-ACCESS read-only
825      STATUS current
826      DESCRIPTION
827          "The total number of previously active
828          IPsec Phase-1 IKE Tunnels. This is equal to
829          the total number of ISAKMP SAs that were
830          active since the bootup of the device
831          but which have since expired."
832      ::= { ikeGlobalStats 2 }

834  ikeGlobalInOctets OBJECT-TYPE
835      SYNTAX Counter32
836      UNITS "Octets"
837      MAX-ACCESS read-only
838      STATUS current
839      DESCRIPTION
840          "The total number of octets received by all currently
841          and previously active IPsec Phase-1 IKE Tunnels."
842      ::= { ikeGlobalStats 3 }

844  ikeGlobalInPkts OBJECT-TYPE
845      SYNTAX Counter32
846      UNITS "Packets"
847      MAX-ACCESS read-only
848      STATUS current
849      DESCRIPTION
850          "The total number of packets received by all
851          currently and previously active IPsec
852          Phase-1 IKE Tunnels."
853      ::= { ikeGlobalStats 4 }

855  ikeGlobalInDropPkts OBJECT-TYPE
856      SYNTAX Counter32
857      UNITS "Packets"
858      MAX-ACCESS read-only
859      STATUS current
860      DESCRIPTION
861          "The total number of packets which were
862          dropped during receive processing by all
863          currently and previously
864          active IPsec Phase-1 IKE Tunnels."
865      ::= { ikeGlobalStats 5 }

867  ikeGlobalInNotifys OBJECT-TYPE
868      SYNTAX Counter32
869      UNITS "Notification Payloads"
870      MAX-ACCESS read-only
871      STATUS current
872      DESCRIPTION
873          "The total number of notifys received by
874          all currently and previously active IPsec
875          Phase-1 IKE Tunnels."
876      ::= { ikeGlobalStats 6 }

878  ikeGlobalInP2Exchgs OBJECT-TYPE
879      SYNTAX Counter32
880      UNITS "SA Payloads"
881      MAX-ACCESS read-only
882      STATUS current
883      DESCRIPTION
884          "The total number of IPsec Phase-2 exchanges
885          received by all currently and previously
886          active IPsec Phase-1 IKE Tunnels."
887      ::= { ikeGlobalStats 7 }

889  ikeGlobalInP2ExchgInvalids OBJECT-TYPE
890      SYNTAX Counter32
891      UNITS "SA Payloads"
892      MAX-ACCESS read-only
893      STATUS current
894      DESCRIPTION
895          "The total number of IPsec Phase-2 exchanges
896          which were received and found to contain
897          references to unrecognized security parameters.
898          This value is accumulated across all currently
899          and previously active IPsec ISAKMP SAs."
900      ::= { ikeGlobalStats 8 }

902  ikeGlobalInP2ExchgRejects OBJECT-TYPE
903      SYNTAX Counter32
904      UNITS "SA Payloads"
905      MAX-ACCESS read-only
906      STATUS current
907      DESCRIPTION
908          "The total number of IPsec Phase-2 exchanges
909          which were received and validated but were
910          rejected by the local policy. This value is
911          accumulated across all currently and previously
912          active IPsec ISAKMP SAs."
913      ::= { ikeGlobalStats 9 }

915  ikeGlobalInP2SaDelRequests OBJECT-TYPE
916      SYNTAX Counter32
917      UNITS "Notification Payloads"
918      MAX-ACCESS read-only
919      STATUS current
920      DESCRIPTION
921          "The total number of IPsec Phase-2 security
922          association delete requests received by all
923          currently and previously
924          active IPsec Phase-1 IKE Tunnels."
925      ::= { ikeGlobalStats 10 }

927  ikeGlobalOutOctets OBJECT-TYPE
928      SYNTAX Counter32
929      UNITS "Octets"
930      MAX-ACCESS read-only
931      STATUS current
932      DESCRIPTION
933          "The total number of octets sent by all currently
934          and previously active IPsec Phase-1
935          IKE Tunnels."
936      ::= { ikeGlobalStats 11 }

938  ikeGlobalOutPkts OBJECT-TYPE
939      SYNTAX Counter32
940      UNITS "Packets"
941      MAX-ACCESS read-only
942      STATUS current
943      DESCRIPTION
944          "The total number of packets sent by all currently
945          and previously active IPsec Phase-1
946          Tunnels."
947      ::= { ikeGlobalStats 12 }

949  ikeGlobalOutDropPkts OBJECT-TYPE
950      SYNTAX Counter32
951      UNITS "Packets"
952      MAX-ACCESS read-only
953      STATUS current
954      DESCRIPTION
955          "The total number of packets which were dropped
956          during send processing by all currently
957          and previously
958          active IPsec Phase-1 IKE Tunnels."
959      ::= { ikeGlobalStats 13 }

961  ikeGlobalOutNotifys OBJECT-TYPE
962      SYNTAX Counter32
963      UNITS "Notification Payloads"
964      MAX-ACCESS read-only
965      STATUS current
966      DESCRIPTION
967          "The total number of notifys sent by all currently
968          and previously active IPsec Phase-1 IKE Tunnels."
969      ::= { ikeGlobalStats 14 }

971  ikeGlobalOutP2Exchgs OBJECT-TYPE
972      SYNTAX Counter32
973      UNITS "SA Payloads"
974      MAX-ACCESS read-only
975      STATUS current
976      DESCRIPTION
977          "The total number of IPsec Phase-2 exchanges
978          which were sent by all currently and previously
979          active IPsec Phase-1 IKE Tunnels."
980      ::= { ikeGlobalStats 15 }

982  ikeGlobalOutP2ExchgInvalids OBJECT-TYPE
983      SYNTAX Counter32
984      UNITS "SA Payloads"
985      MAX-ACCESS read-only
986      STATUS current
987      DESCRIPTION
988          "The total number of IPsec Phase-2 exchanges
989          which were sent and were flagged by the peer to
990          contain references to unrecognized security
991          parameters. This value is accumulated across all
992          currently and previously active IPsec ISAKMP SAs."
993      ::= { ikeGlobalStats 16 }

995  ikeGlobalOutP2ExchgRejects OBJECT-TYPE
996      SYNTAX Counter32
997      UNITS "SA Payloads"
998      MAX-ACCESS read-only
999      STATUS current
1000      DESCRIPTION
1001          "The total number of IPsec Phase-2 exchanges
1002          which were sent, validated by the peer but were
1003          rejected by the peer's policy. This value is
1004          accumulated across all currently and previously
1005          active IPsec ISAKMP SAs."
1006      ::= { ikeGlobalStats 17 }

1008  ikeGlobalOutP2SaDelRequests OBJECT-TYPE
1009      SYNTAX Counter32
1010      UNITS "Notification Payloads"
1011      MAX-ACCESS read-only
1012      STATUS current
1013      DESCRIPTION
1014          "The total number of IPsec Phase-2 SA
1015          delete requests sent by all currently and
1016          previously active IPsec Phase-1 IKE Tunnels."
1017      ::= { ikeGlobalStats 18 }

1019  ikeGlobalInitTunnels OBJECT-TYPE
1020      SYNTAX Counter32
1021      UNITS "SAs"
1022      MAX-ACCESS read-only
1023      STATUS current
1024      DESCRIPTION
1025          "The total number of IPsec Phase-1 IKE
1026          Tunnels which were locally initiated."
1027      ::= { ikeGlobalStats 19 }

1029  ikeGlobalInitTunnelFails OBJECT-TYPE
1030      SYNTAX Counter32
1031      UNITS "SAs"
1032      MAX-ACCESS read-only
1033      STATUS current
1034      DESCRIPTION
1035          "The total number of IPsec Phase-1 IKE Tunnels
1036          which were locally initiated and failed to activate."
1037      ::= { ikeGlobalStats 20 }

1039  ikeGlobalRespTunnelFails OBJECT-TYPE
1040      SYNTAX Counter32
1041      UNITS "SAs"
1042      MAX-ACCESS read-only
1043      STATUS current
1044      DESCRIPTION
1045          "The total number of IPsec Phase-1 IKE Tunnels
1046          which were remotely initiated and failed to activate."
1047      ::= { ikeGlobalStats 21 }

1049  ikeGlobalSysCapFails OBJECT-TYPE
1050      SYNTAX Counter32
1051      UNITS "Failures"
1052      MAX-ACCESS read-only
1053      STATUS current
1054      DESCRIPTION
1055          "The total number of system capacity failures
1056          which occurred during processing of all current
1057          and previously active IPsec Phase-1 IKE Tunnels."
1058      ::= { ikeGlobalStats 22 }

1060  ikeGlobalAuthFails OBJECT-TYPE
1061      SYNTAX Counter32
1062      UNITS "Failures"
1063      MAX-ACCESS read-only
1064      STATUS current
1065      DESCRIPTION
1066          "The total number of authentications which ended
1067          in failure by all current and previous IPsec Phase-1
1068          IKE Tunnels."
1069      ::= { ikeGlobalStats 23 }

1071  ikeGlobalDecryptFails OBJECT-TYPE
1072      SYNTAX Counter32
1073      UNITS "Failures"
1074      MAX-ACCESS read-only
1075      STATUS current
1076      DESCRIPTION
1077          "The total number of decryptions which ended
1078          in failure by all current and previous IPsec Phase-1
1079          IKE Tunnels."
1080      ::= { ikeGlobalStats 24 }

1082  ikeGlobalHashValidFails OBJECT-TYPE
1083      SYNTAX Counter32
1084      UNITS "Failures"
1085      MAX-ACCESS read-only
1086      STATUS current
1087      DESCRIPTION
1088          "The total number of hash validations which ended
1089          in failure by all current and previous IPsec Phase-1
1090          IKE Tunnels."
1091      ::= { ikeGlobalStats 25 }

1093  ikeGlobalNoSaFails OBJECT-TYPE
1094      SYNTAX Counter32
1095      UNITS "Failures"
1096      MAX-ACCESS read-only
1097      STATUS current
1098      DESCRIPTION
1099          "The total number of non-existent Security Association
1100          in failures which occurred during processing of
1101          all current and previous IPsec Phase-1 IKE Tunnels."
1102      ::= { ikeGlobalStats 26 }

1104  ikeGlobalRespTunnels OBJECT-TYPE
1105      SYNTAX Counter32
1106      UNITS "SAs"
1107      MAX-ACCESS read-only
1108      STATUS current
1109      DESCRIPTION
1110          "The total number of IPsec Phase-1 IKE
1111          Tunnels which were remotely initiated."
1112      ::= { ikeGlobalStats 27 }

1114  ikeGlobalInXauthFailures OBJECT-TYPE
1115      SYNTAX Counter32
1116      UNITS "Failures"
1117      MAX-ACCESS read-only
1118      STATUS current
1119      DESCRIPTION
1120          "The number of times the extended authentication
1121          information supplied by an IKE peer was found
1122          to be invalid by the local entity."
1123      ::= { ikeGlobalStats 28 }

1125  ikeGlobalOutXauthFailures OBJECT-TYPE
1126      SYNTAX Counter32
1127      UNITS "Failures"
1128      MAX-ACCESS read-only
1129      STATUS current
1130      DESCRIPTION
1131          "The number of times the extended authentication
1132          information supplied by the managed entity to an
1133          IKE peer was found to be invalid by the remote peer."
1134      ::= { ikeGlobalStats 29 }

1136  ikeGlobalInP1SaDelRequests OBJECT-TYPE
1137      SYNTAX Counter32
1138      UNITS "Notification Payloads"
1139      MAX-ACCESS read-only
1140      STATUS current
1141      DESCRIPTION
1142          "The total number of ISAKMP security association
1143          delete requests received by all currently and
1144          previously active ISAKMP security associations."
1145      ::= { ikeGlobalStats 30 }

1147  ikeGlobalOutP1SaDelRequests OBJECT-TYPE
1148      SYNTAX Counter32
1149      UNITS "Notification Payloads"
1150      MAX-ACCESS read-only
1151      STATUS current
1152      DESCRIPTION
1153          "The total number of ISAKMP security association
1154          delete requests sent by all currently and
1155          previously active ISAKMP security associations."
1156      ::= { ikeGlobalStats 31 }

1158  ikeGlobalInConfigs OBJECT-TYPE
1159      SYNTAX Counter32
1160      UNITS "Mode Configuration Setting Payloads"
1161      MAX-ACCESS read-only
1162      STATUS current
1163      DESCRIPTION
1164          "The total number of Mode Configuration settings
1165          received (either CFG_REPLY or CFG_SET payloads)
1166          by this entity."
1167      ::= { ikeGlobalStats 32 }

1169  ikeGlobalOutConfigs OBJECT-TYPE
1170      SYNTAX Counter32
1171      UNITS "Mode Configuration Setting Payloads"
1172      MAX-ACCESS read-only
1173      STATUS current
1174      DESCRIPTION
1175          "The total number of Mode Configuration settings
1176          dispatched (either CFG_REPLY or CFG_SET payloads)
1177          by this entity."
1178      ::= { ikeGlobalStats 33 }

1180  ikeGlobalInConfigsRejects OBJECT-TYPE
1181      SYNTAX Counter32
1182      UNITS "Mode Configuration Setting Acknowledgements"
1183      MAX-ACCESS read-only
1184      STATUS current
1185      DESCRIPTION
1186          "The total number of Mode Configuration settings
1187          which were received (either CFG_REPLY or CFG_SET
1188          payloads) by this entity and which were rejected
1189          by the local entity."
1190      ::= { ikeGlobalStats 34 }

1192  ikeGlobalOutConfigsRejects OBJECT-TYPE
1193      SYNTAX Counter32
1194      UNITS "Mode Configuration Setting Acknowledgements"
1195      MAX-ACCESS read-only
1196      STATUS current
1197      DESCRIPTION
1198          "The total number of Mode Configuration settings
1199          which were dispatched (either CFG_REPLY or CFG_SET
1200          payloads) by this entity and which were rejected
1201          by the client peer."
1202      ::= { ikeGlobalStats 35 }

1204  ikeGlobalHcPreviousTunnels OBJECT-TYPE
1205      SYNTAX Counter64
1206      UNITS "Integral units"
1207      MAX-ACCESS read-only
1208      STATUS current
1209      DESCRIPTION
1210          "A high capacity count of the total number of
1211          previously active IPsec Phase-1 IKE Tunnels. This is
1212          equal to the total number of ISAKMP SAs that were
1213          active since the bootup of the device but which
1214          have since expired."
1215      ::= { ikeGlobalStats 36 }

1217  ikeGlobalPreviousTunnelsWraps OBJECT-TYPE
1218      SYNTAX Counter32
1219      UNITS "Integral units"
1220      MAX-ACCESS read-only
1221      STATUS current
1222      DESCRIPTION
1223          "The number of times the quantity
1224          `ikeGlobalPreviousTunnels' (previously active IPsec
1225          Phase-1 IKE tunnels) has wrapped."
1226      ::= { ikeGlobalStats 37 }

1228  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1229  -- The IPsec Phase-1 Internet Key Exchange Tunnel Table
1230  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1231  ikeTunnelTable OBJECT-TYPE
1232      SYNTAX SEQUENCE OF IkeTunnelEntry
1233      MAX-ACCESS not-accessible
1234      STATUS current
1235      DESCRIPTION
1236          "The IPsec Phase-1 Internet Key Exchange Tunnel Table.

1238          There is one entry in this table for each active IPsec
1239          Phase-1 IKE Tunnel."
1240      ::= { ikeGroup 2 }

1242  ikeTunnelEntry OBJECT-TYPE
1243      SYNTAX IkeTunnelEntry
1244      MAX-ACCESS not-accessible
1245      STATUS current
1246      DESCRIPTION
1247          "Each entry contains the attributes associated with
1248          an active IPsec Phase-1 IKE Tunnel."
1249      INDEX { ikeTunIndex }
1250      ::= { ikeTunnelTable 1}

1252  IkeTunnelEntry ::= SEQUENCE {
1253      ikeTunIndex  Integer32,
1254      ikeTunLocalType  Phase1PeerIdentityType,
1255      ikeTunLocalValue  DisplayString,
1256      ikeTunLocalAddr  IPSIpAddress,
1257      ikeTunLocalName  DisplayString,
1258      ikeTunRemoteType  Phase1PeerIdentityType,
1259      ikeTunRemoteValue  DisplayString,
1260      ikeTunRemoteAddr  IPSIpAddress,
1261      ikeTunRemoteName  DisplayString,
1262      ikeTunNegoMode  IkeNegoMode,
1263      ikeTunDiffHellmanGrp  DiffHellmanGrp,
1264      ikeTunEncryptAlgo  EncryptAlgo,
1265      ikeTunHashAlgo  IkeHashAlgo,
1266      ikeTunAuthMethod  IkeAuthMethod,
1267      ikeTunLifeTime  Integer32,
1268      ikeTunActiveTime  TimeInterval,
1269      ikeTunSaRefreshThreshold  Integer32,
1270      ikeTunTotalRefreshes  Counter32,
1271      ikeTunInOctets  Counter32,
1272      ikeTunInPkts  Counter32,
1273      ikeTunInDropPkts  Counter32,
1274      ikeTunInNotifys  Counter32,
1275      ikeTunInP2Exchgs  Counter32,
1276      ikeTunInP2ExchgInvalids  Counter32,
1277      ikeTunInP2ExchgRejects  Counter32,
1278      ikeTunInP2SaDelRequests  Counter32,
1279      ikeTunOutOctets  Counter32,
1280      ikeTunOutPkts  Counter32,
1281      ikeTunOutDropPkts  Counter32,
1282      ikeTunOutNotifys  Counter32,
1283      ikeTunOutP2Exchgs  Counter32,
1284      ikeTunOutP2ExchgInvalids  Counter32,
1285      ikeTunOutP2ExchgRejects  Counter32,
1286      ikeTunOutP2SaDelRequests  Counter32,
1287      ikeTunStatus  TunnelStatus,
1288      ikeTunInNewGrpReqs  Counter32,
1289      ikeTunOutNewGrpReqs  Counter32,
1290      ikeTunInNewGrpReqsRejected  Counter32,
1291      ikeTunOutNewGrpReqsRejected  Counter32,
1292      ikeTunInConfigs  Counter32,
1293      ikeTunOutConfigs  Counter32,
1294      ikeTunInConfigsRejects  Counter32,
1295      ikeTunOutConfigsRejects  Counter32,
1296      ikeTunEncryptKeySize  Integer32
1297  }

1299  ikeTunIndex OBJECT-TYPE
1300      SYNTAX Integer32 (1..2147483647)
1301      MAX-ACCESS not-accessible
1302      STATUS current
1303      DESCRIPTION
1304          "The index of the IPsec Phase-1 IKE Tunnel Table.
1305          The value of the index is a number which begins
1306          at one and is incremented with each tunnel that
1307          is created. The value of this object will
1308          wrap at 2,147,483,647."
1309      ::= { ikeTunnelEntry 1 }

1311  ikeTunLocalType OBJECT-TYPE
1312      SYNTAX Phase1PeerIdentityType
1313      MAX-ACCESS read-only
1314      STATUS current
1315      DESCRIPTION
1316          "The type of local peer identity. The local
1317          peer may be identified by:
1318          1. an IP address, or
1319          2. a fully qualified domain name string, or
1320          3. a distinguished name string."
1321      ::= { ikeTunnelEntry 2 }

1323  ikeTunLocalValue OBJECT-TYPE
1324      SYNTAX DisplayString
1325      MAX-ACCESS read-only
1326      STATUS current
1327      DESCRIPTION
1328          "The value of the local peer identity.

1330          If the local peer type is an IP Address, then this
1331          is the IP Address used to identify the local peer.

1333          If the local peer type is id_fqdn, then this is
1334          the FQDN of the remote peer.

1336          If the local peer type is an id_dn, then this is
1337          the distinguished name string of the local peer."
1338      ::= { ikeTunnelEntry 3 }

1340  ikeTunLocalAddr OBJECT-TYPE
1341      SYNTAX IPSIpAddress
1342      MAX-ACCESS read-only
1343      STATUS current
1344      DESCRIPTION
1345          "The IP address of the local endpoint for the IPsec
1346          Phase-1 IKE Tunnel."
1347      ::= { ikeTunnelEntry 4 }

1349  ikeTunLocalName OBJECT-TYPE
1350      SYNTAX DisplayString
1351      MAX-ACCESS read-only
1352      STATUS current
1353      DESCRIPTION
1354          "The DNS name of the local IP address for
1355          the IPsec Phase-1 IKE Tunnel. If the DNS
1356          name associated with the local tunnel endpoint
1357          is not known, then the value of this
1358          object will be a NULL string."
1359      ::= { ikeTunnelEntry 5 }

1361  ikeTunRemoteType OBJECT-TYPE
1362      SYNTAX Phase1PeerIdentityType
1363      MAX-ACCESS read-only
1364      STATUS current
1365      DESCRIPTION
1366          "The type of remote peer identity.
1367          The remote peer may be identified by:
1368          1. an IP address, or
1369          2. a fully qualified domain name string, or
1370          3. a distinguished name string."
1371      ::= { ikeTunnelEntry 6 }

1373  ikeTunRemoteValue OBJECT-TYPE
1374      SYNTAX DisplayString
1375      MAX-ACCESS read-only
1376      STATUS current
1377      DESCRIPTION
1378          "The value of the remote peer identity.

1380          If the remote peer type is an IP Address, then this
1381          is the IP Address used to identify the remote peer.

1383          If the remote peer type is id_fqdn, then this is
1384          the FQDN of the remote peer.

1386          If the remote peer type is an id_dn, then this is
1387          the distinguished name string of the remote peer."
1388      ::= { ikeTunnelEntry 7 }

1390  ikeTunRemoteAddr OBJECT-TYPE
1391      SYNTAX IPSIpAddress
1392      MAX-ACCESS read-only
1393      STATUS current
1394      DESCRIPTION
1395          "The IP address of the remote endpoint for the IPsec
1396          Phase-1 IKE Tunnel."
1397      ::= { ikeTunnelEntry 8 }

1399  ikeTunRemoteName OBJECT-TYPE
1400      SYNTAX DisplayString
1401      MAX-ACCESS read-only
1402      STATUS current
1403      DESCRIPTION
1404          "The DNS name of the remote IP address of IPsec Phase-1
1405          IKE Tunnel. If the DNS name associated with the remote
1406          tunnel endpoint is not known, then the value of this
1407          object will be a NULL string."
1408      ::= { ikeTunnelEntry 9 }

1410  ikeTunNegoMode OBJECT-TYPE
1411      SYNTAX IkeNegoMode
1412      MAX-ACCESS read-only
1413      STATUS current
1414      DESCRIPTION
1415          "The negotiation mode of the IPsec Phase-1 IKE Tunnel."
1416      ::= { ikeTunnelEntry 10 }

1418  ikeTunDiffHellmanGrp OBJECT-TYPE
1419      SYNTAX DiffHellmanGrp
1420      MAX-ACCESS read-only
1421      STATUS current
1422      DESCRIPTION
1423          "The Diffie Hellman Group used in IPsec Phase-1 IKE
1424          negotiations."
1425      ::= { ikeTunnelEntry 11 }

1427  ikeTunEncryptAlgo OBJECT-TYPE
1428      SYNTAX EncryptAlgo
1429      MAX-ACCESS read-only
1430      STATUS current
1431      DESCRIPTION
1432          "The encryption algorithm used in IPsec Phase-1 IKE
1433          negotiations."
1434      ::= { ikeTunnelEntry 12 }

1436  ikeTunHashAlgo OBJECT-TYPE
1437      SYNTAX IkeHashAlgo
1438      MAX-ACCESS read-only
1439      STATUS current
1440      DESCRIPTION
1441          "The hash algorithm used in IPsec Phase-1 IKE
1442          negotiations."
1443      ::= { ikeTunnelEntry 13 }

1445  ikeTunAuthMethod OBJECT-TYPE
1446      SYNTAX IkeAuthMethod
1447      MAX-ACCESS read-only
1448      STATUS current
1449      DESCRIPTION
1450          "The authentication method used in IPsec Phase-1 IKE
1451          negotiations."
1452      ::= { ikeTunnelEntry 14 }

1454  ikeTunLifeTime OBJECT-TYPE
1455      SYNTAX Integer32 (1..2147483647)
1456      UNITS "seconds"
1457      MAX-ACCESS read-only
1458      STATUS current
1459      DESCRIPTION
1460          "The negotiated LifeTime of the IPsec Phase-1 IKE Tunnel
1461          in seconds."
1462      ::= { ikeTunnelEntry 15 }

1464  ikeTunActiveTime OBJECT-TYPE
1465      SYNTAX TimeInterval
1466      MAX-ACCESS read-only
1467      STATUS current
1468      DESCRIPTION
1469          "The length of time the IPsec Phase-1 IKE tunnel has been
1470          active in hundredths of seconds."
1471      ::= { ikeTunnelEntry 16 }

1473  ikeTunSaRefreshThreshold OBJECT-TYPE
1474      SYNTAX Integer32 (1..2147483647)
1475      UNITS "seconds"
1476      MAX-ACCESS read-only
1477      STATUS current
1478      DESCRIPTION
1479          "The security association refresh threshold in seconds."
1480      ::= { ikeTunnelEntry 17 }

1482  ikeTunTotalRefreshes OBJECT-TYPE
1483      SYNTAX Counter32
1484      UNITS "QM Exchanges"
1485      MAX-ACCESS read-only
1486      STATUS current
1487      DESCRIPTION
1488          "The total number of security association
1489          refreshes performed."
1490      ::= { ikeTunnelEntry 18 }

1492  ikeTunInOctets OBJECT-TYPE
1493      SYNTAX Counter32
1494      UNITS "Octets"
1495      MAX-ACCESS read-only
1496      STATUS current
1497      DESCRIPTION
1498          "The total number of octets received by
1499          this IPsec Phase-1 IKE Tunnel."
1500      ::= { ikeTunnelEntry 19 }

1502  ikeTunInPkts OBJECT-TYPE
1503      SYNTAX Counter32
1504      UNITS "Packets"
1505      MAX-ACCESS read-only
1506      STATUS current
1507      DESCRIPTION
1508          "The total number of packets received by
1509          this IPsec Phase-1 IKE Tunnel."
1510      ::= { ikeTunnelEntry 20 }

1512  ikeTunInDropPkts OBJECT-TYPE
1513      SYNTAX Counter32
1514      UNITS "Packets"
1515      MAX-ACCESS read-only
1516      STATUS current
1517      DESCRIPTION
1518          "The total number of packets dropped
1519          by this IPsec Phase-1 IKE Tunnel during
1520          receive processing."
1521      ::= { ikeTunnelEntry 21 }

1523  ikeTunInNotifys OBJECT-TYPE
1524      SYNTAX Counter32
1525      UNITS "Notification Payloads"
1526      MAX-ACCESS read-only
1527      STATUS current
1528      DESCRIPTION
1529          "The total number of notifys received by
1530          this IPsec Phase-1 IKE Tunnel."
1531      ::= { ikeTunnelEntry 22 }

1533  ikeTunInP2Exchgs OBJECT-TYPE
1534      SYNTAX Counter32
1535      UNITS "SA Payloads"
1536      MAX-ACCESS read-only
1537      STATUS current
1538      DESCRIPTION
1539          "The total number of IPsec Phase-2
1540          exchanges received by
1541          this IPsec Phase-1 IKE Tunnel."
1542      ::= { ikeTunnelEntry 23 }

1544  ikeTunInP2ExchgInvalids OBJECT-TYPE
1545      SYNTAX Counter32
1546      UNITS "SA Payloads"
1547      MAX-ACCESS read-only
1548      STATUS current
1549      DESCRIPTION
1550          "The total number of IPsec Phase-2 exchanges
1551          received on this tunnel that were found to
1552          contain references to unrecognized security
1553          parameters."
1554      ::= { ikeTunnelEntry 24 }

1556  ikeTunInP2ExchgRejects OBJECT-TYPE
1557      SYNTAX Counter32
1558      UNITS "SA Payloads"
1559      MAX-ACCESS read-only
1560      STATUS current
1561      DESCRIPTION
1562          "The total number of IPsec Phase-2 exchanges
1563          received on this tunnel that were validated but were
1564          rejected by the local policy."
1565      ::= { ikeTunnelEntry 25 }

1567  ikeTunInP2SaDelRequests OBJECT-TYPE
1568      SYNTAX Counter32
1569      UNITS "Notification Payloads"
1570      MAX-ACCESS read-only
1571      STATUS current
1572      DESCRIPTION
1573          "The total number of IPsec Phase-2
1574          security association delete requests received
1575          by this IPsec Phase-1 IKE Tunnel."
1576      ::= { ikeTunnelEntry 26 }

1578  ikeTunOutOctets OBJECT-TYPE
1579      SYNTAX Counter32
1580      UNITS "Octets"
1581      MAX-ACCESS read-only
1582      STATUS current
1583      DESCRIPTION
1584          "The total number of octets sent by this IPsec Phase-1
1585          IKE Tunnel."
1586      ::= { ikeTunnelEntry 27 }

1588  ikeTunOutPkts OBJECT-TYPE
1589      SYNTAX Counter32
1590      UNITS "Packets"
1591      MAX-ACCESS read-only
1592      STATUS current
1593      DESCRIPTION
1594          "The total number of packets sent by this IPsec Phase-1
1595          IKE Tunnel."
1596      ::= { ikeTunnelEntry 28 }

1598  ikeTunOutDropPkts OBJECT-TYPE
1599      SYNTAX Counter32
1600      UNITS "Packets"
1601      MAX-ACCESS read-only
1602      STATUS current
1603      DESCRIPTION
1604          "The total number of packets dropped by this
1605          IPsec Phase-1 IKE Tunnel during send processing."
1606      ::= { ikeTunnelEntry 29 }

1608  ikeTunOutNotifys OBJECT-TYPE
1609      SYNTAX Counter32
1610      UNITS "Notification Payloads"
1611      MAX-ACCESS read-only
1612      STATUS current
1613      DESCRIPTION
1614          "The total number of notifys sent by this
1615          IPsec Phase-1 Tunnel."
1616      ::= { ikeTunnelEntry 30 }

1618  ikeTunOutP2Exchgs OBJECT-TYPE
1619      SYNTAX Counter32
1620      UNITS "SA Payloads"
1621      MAX-ACCESS read-only
1622      STATUS current
1623      DESCRIPTION
1624          "The total number of IPsec Phase-2 exchanges sent by
1625          this IPsec Phase-1 IKE Tunnel."
1626      ::= { ikeTunnelEntry 31 }

1628  ikeTunOutP2ExchgInvalids OBJECT-TYPE
1629      SYNTAX Counter32
1630      UNITS "SA Payloads"
1631      MAX-ACCESS read-only
1632      STATUS current
1633      DESCRIPTION
1634          "The total number of IPsec Phase-2 exchanges
1635          sent on this tunnel that were found by the peer
1636          to contain references to security parameters
1637          not recognized by the peer."
1638      ::= { ikeTunnelEntry 32 }

1640  ikeTunOutP2ExchgRejects OBJECT-TYPE
1641      SYNTAX Counter32
1642      UNITS "SA Payloads"
1643      MAX-ACCESS read-only
1644      STATUS current
1645      DESCRIPTION
1646          "The total number of IPsec Phase-2 exchanges
1647          sent on this tunnel that were validated by the peer
1648          but were rejected by the peer's policy."
1649      ::= { ikeTunnelEntry 33 }

1651  ikeTunOutP2SaDelRequests OBJECT-TYPE
1652      SYNTAX Counter32
1653      UNITS "Notification Payloads"
1654      MAX-ACCESS read-only
1655      STATUS current
1656      DESCRIPTION
1657          "The total number of IPsec Phase-2 security association
1658          delete requests sent by this IPsec Phase-1 IKE Tunnel."
1659      ::= { ikeTunnelEntry 34 }

1661  ikeTunStatus OBJECT-TYPE
1662      SYNTAX TunnelStatus
1663      MAX-ACCESS read-write
1664      STATUS current
1665      DESCRIPTION
1666          "The status of the MIB table row.

1668          This object can be used to bring the tunnel down
1669          by setting value of this object to destroy(2).

1671          This object cannot be used to create
1672          a MIB table row."
1673      ::= { ikeTunnelEntry 35 }

1675  ikeTunInNewGrpReqs OBJECT-TYPE
1676      SYNTAX Counter32
1677      UNITS "Negotiations"
1678      MAX-ACCESS read-only
1679      STATUS current
1680      DESCRIPTION
1681          "The total number of New Group exchanges initiated
1682          remotely using this IKE tunnel."
1683      ::= { ikeTunnelEntry 36 }

1685  ikeTunOutNewGrpReqs OBJECT-TYPE
1686      SYNTAX Counter32
1687      UNITS "Negotiations"
1688      MAX-ACCESS read-only
1689      STATUS current
1690      DESCRIPTION
1691          "The total number of New Group exchanges initiated
1692          locally using this IKE tunnel."
1693      ::= { ikeTunnelEntry 37 }

1695  ikeTunInNewGrpReqsRejected OBJECT-TYPE
1696      SYNTAX Counter32
1697      UNITS "Negotiations"
1698      MAX-ACCESS read-only
1699      STATUS current
1700      DESCRIPTION
1701          "The total number of New Group exchanges initiated
1702          remotely using this IKE tunnel that ended in a failure."
1703      ::= { ikeTunnelEntry 38 }

1705  ikeTunOutNewGrpReqsRejected OBJECT-TYPE
1706      SYNTAX Counter32
1707      UNITS "Negotiations"
1708      MAX-ACCESS read-only
1709      STATUS current
1710      DESCRIPTION
1711          "The total number of New Group exchanges initiated
1712          locally using this IKE tunnel that ended in a failure."
1713      ::= { ikeTunnelEntry 39 }

1715  ikeTunInConfigs OBJECT-TYPE
1716      SYNTAX Counter32
1717      UNITS "Mode Configuration Setting Payloads"
1718      MAX-ACCESS read-only
1719      STATUS current
1720      DESCRIPTION
1721          "The total number of Mode Configuration settings
1722          received (either CFG_REPLY or CFG_SET payloads)
1723          by the local entity on the ISAKMP SA represented by this
1724          IKE tunnel."
1725      ::= { ikeTunnelEntry 40 }

1727  ikeTunOutConfigs OBJECT-TYPE
1728      SYNTAX Counter32
1729      UNITS "Mode Configuration Setting Payloads"
1730      MAX-ACCESS read-only
1731      STATUS current
1732      DESCRIPTION
1733          "The total number of Mode Configuration settings
1734          dispatched (either CFG_REPLY or CFG_SET payloads)
1735          by the local entity on the ISAKMP SA represented by this
1736          IKE tunnel."
1737      ::= { ikeTunnelEntry 41 }

1739  ikeTunInConfigsRejects OBJECT-TYPE
1740      SYNTAX Counter32
1741      UNITS "Mode Configuration Setting Payloads"
1742      MAX-ACCESS read-only
1743      STATUS current
1744      DESCRIPTION
1745          "The total number of Mode Configuration settings
1746          which were received (either CFG_REPLY or CFG_SET
1747          payloads) and rejected by this entity using the ISAKMP
1748          SA represented by this IKE tunnel."
1749 ::= { ikeTunnelEntry 42 } 1751 ikeTunOutConfigsRejects OBJECT-TYPE 1752 SYNTAX Counter32 1753 UNITS "Mode Configuration Setting Payloads" 1754 MAX-ACCESS read-only 1755 STATUS current 1756 DESCRIPTION 1757 "The total number of Mode Configuration settings 1758 which were dispatched (either CFG_REPLY or CFG_SET 1759 payloads) by this entity and were rejected by the 1760 peer (client) using the ISAKMP SA represented by this 1761 IKE tunnel." 1762 ::= { ikeTunnelEntry 43 } 1764 ikeTunEncryptKeySize OBJECT-TYPE 1765 SYNTAX Integer32 1766 UNITS "Bits" 1767 MAX-ACCESS read-only 1768 STATUS current 1769 DESCRIPTION 1770 "The key size in bits of the negotiated key to be 1771 used with the algorithm denoted by the column 1772 'ikeTunEncryptAlgo'. For DES and 3DES the key size is 1773 respectively 56 and 168. For AES, this will denote the 1774 negotiated key size." 1775 ::= { ikeTunnelEntry 44 } 1777 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1778 -- The IPsec Phase-1 Internet Key Exchange Peer Table. 1779 -- This is a mandatory group. If all IPsec flows are manually 1780 -- administered, this table would be empty. 1781 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1782 phase1PeerTable OBJECT-TYPE 1783 SYNTAX SEQUENCE OF Phase1PeerEntry 1784 MAX-ACCESS not-accessible 1785 STATUS current 1786 DESCRIPTION 1787 "The IPsec Phase-1 Key Exchange Peer Table. There 1788 is one entry in this table for each IPsec Phase-1 peer 1789 with which the managed entity is currently associated 1790 by virtue of an active IPsec Phase-1 Control Tunnel. A 1791 peer has an entry in this table, if and only if there 1792 is at least one Phase-1 or Phase-2 tunnel terminating 1793 on the managed entity from the peer. When all Phase-1 1794 and Phase-2 tunnels to a peer have expired, the entry 1795 for the peer is deleted off this table."
1796 ::= { ipSecPhaseOne 2 } 1798 phase1PeerEntry OBJECT-TYPE 1799 SYNTAX Phase1PeerEntry 1800 MAX-ACCESS not-accessible 1801 STATUS current 1802 DESCRIPTION 1803 "Each entry contains the attributes associated 1804 with an IPsec Phase-1 IKE peer association." 1805 INDEX { phase1PeerLocalType, 1806 phase1PeerHLocalValue, 1807 phase1PeerRemoteType, 1808 phase1PeerHRemoteValue, 1809 phase1PeerIntIndex } 1810 ::= { phase1PeerTable 1} 1812 Phase1PeerEntry ::= SEQUENCE { 1813 phase1PeerLocalType Phase1PeerIdentityType, 1814 phase1PeerLocalValue DisplayString, 1815 phase1PeerHLocalValue HashedString, 1816 phase1PeerRemoteType Phase1PeerIdentityType, 1817 phase1PeerRemoteValue DisplayString, 1818 phase1PeerHRemoteValue HashedString, 1819 phase1PeerIntIndex Integer32, 1820 phase1PeerLocalAddr IPSIpAddress, 1821 phase1PeerRemoteAddr IPSIpAddress, 1822 phase1PeerActiveTime TimeInterval, 1823 phase1PeerActiveTunnelIndex Integer32, 1824 phase1PeerConfigAppVersion DisplayString, 1825 phase1PeerConfigAddress IPSIpAddress, 1826 phase1PeerConfigNetmask IPSIpAddress, 1827 phase1PeerConfigDns IPSIpAddress, 1828 phase1PeerConfigNbns IPSIpAddress, 1829 phase1PeerConfigDhcp IPSIpAddress, 1830 phase1Protocol ControlProtocol 1831 } 1833 phase1PeerLocalType OBJECT-TYPE 1834 SYNTAX Phase1PeerIdentityType 1835 MAX-ACCESS not-accessible 1836 STATUS current 1837 DESCRIPTION 1838 "The type of local peer identity. The local peer 1839 may be identified by: 1840 1. an IP address, or 1841 2. or a fully qualified domain name. 1842 3. or a distinguished name." 1843 ::= { phase1PeerEntry 1 } 1845 phase1PeerLocalValue OBJECT-TYPE 1846 SYNTAX DisplayString 1847 MAX-ACCESS read-only 1848 STATUS current 1849 DESCRIPTION 1850 "The value of the local peer identity. 1852 If the local peer type is an IP Address, then this 1853 is the IP Address used to identify the local peer. 1855 If the local peer type is a id_fqdn, then this is 1856 the FQDN of the local peer. 
1858 If the local peer type is id_dn, then this is 1859 the DN string of the local peer. Value of this object 1860 could be arbitrarily large making this object unsuitable 1861 to be used for indexing this table (please refer to 1862 the definition of 'phase1PeerHLocalValue')." 1863 ::= { phase1PeerEntry 2 } 1865 phase1PeerHLocalValue OBJECT-TYPE 1866 SYNTAX HashedString 1867 MAX-ACCESS not-accessible 1868 STATUS current 1869 DESCRIPTION 1870 "The 128-bit MD5 hash output of the value represented 1871 by the element phase1PeerLocalValue. The hashing is 1872 required to restrict the length of the SNMP index 1873 to a legal size: 1875 phase1PeerHLocalValue = MD5(phase1PeerLocalValue)." 1876 ::= { phase1PeerEntry 3 } 1878 phase1PeerRemoteType OBJECT-TYPE 1879 SYNTAX Phase1PeerIdentityType 1880 MAX-ACCESS not-accessible 1881 STATUS current 1882 DESCRIPTION 1883 "The type of remote peer identity. The remote peer 1884 may be identified by: 1885 1. an IP address, or 1886 2. or a fully qualified domain name. 1887 3. or a distinguished name." 1888 ::= { phase1PeerEntry 4 } 1890 phase1PeerRemoteValue OBJECT-TYPE 1891 SYNTAX DisplayString 1892 MAX-ACCESS read-only 1893 STATUS current 1894 DESCRIPTION 1895 "The value of the remote peer identity. 1897 If the remote peer type is an IP Address, then this 1898 is the IP Address used to identify the remote peer. 1900 If the remote peer type is id_fqdn, then this is 1901 the FQDN of the remote peer. 1903 If the remote peer type is an id_dn, then this is 1904 the DN string of the remote peer. Value of this object 1905 could be arbitrarily large making this object unsuitable 1906 to be used for indexing this table (please refer to 1907 the definition of 'phase1PeerHRemoteValue')."
1908 ::= { phase1PeerEntry 5 } 1910 phase1PeerHRemoteValue OBJECT-TYPE 1911 SYNTAX HashedString 1912 MAX-ACCESS not-accessible 1913 STATUS current 1914 DESCRIPTION 1915 "The 128-bit MD5 hash output of the value represented 1916 by the element phase1PeerRemoteValue. The hashing is 1917 required to restrict the length of the SNMP index 1918 to a legal size: 1920 phase1PeerHRemoteValue = MD5(phase1PeerRemoteValue)." 1921 ::= { phase1PeerEntry 6 } 1923 phase1PeerIntIndex OBJECT-TYPE 1924 SYNTAX Integer32 (1..2147483647) 1925 MAX-ACCESS not-accessible 1926 STATUS current 1927 DESCRIPTION 1928 "The internal index of the local-remote 1929 peer association. This internal index is used 1930 to uniquely identify multiple associations between 1931 the local and remote peer." 1932 ::= { phase1PeerEntry 7 } 1934 phase1PeerLocalAddr OBJECT-TYPE 1935 SYNTAX IPSIpAddress 1936 MAX-ACCESS read-only 1937 STATUS current 1938 DESCRIPTION 1939 "The IP address of the local peer." 1940 ::= { phase1PeerEntry 8 } 1942 phase1PeerRemoteAddr OBJECT-TYPE 1943 SYNTAX IPSIpAddress 1944 MAX-ACCESS read-only 1945 STATUS current 1946 DESCRIPTION 1947 "The IP address of the remote peer." 1948 ::= { phase1PeerEntry 9 } 1950 phase1PeerActiveTime OBJECT-TYPE 1951 SYNTAX TimeInterval 1952 MAX-ACCESS read-only 1953 STATUS current 1954 DESCRIPTION 1955 "The length of time that the peer association has 1956 existed in hundredths of a second." 1957 ::= { phase1PeerEntry 10 } 1959 phase1PeerActiveTunnelIndex OBJECT-TYPE 1960 SYNTAX Integer32 (1..2147483647) 1961 MAX-ACCESS read-only 1962 STATUS current 1963 DESCRIPTION 1964 "The index of the active IPsec Phase-1 IKE Tunnel 1965 (ikeTunIndex in the ikeTunnelTable) for this peer 1966 association. If an IPsec Phase-1 IKE Tunnel is 1967 not currently active, then the value of this 1968 object will be zero."
1969 ::= { phase1PeerEntry 11 } 1971 phase1PeerConfigAppVersion OBJECT-TYPE 1972 SYNTAX DisplayString 1973 MAX-ACCESS read-only 1974 STATUS current 1975 DESCRIPTION 1976 "The NULL terminated printable application version of the 1977 peer. If the peer did not issue the APPLICATION_VERSION 1978 attribute, this field is NULL." 1979 ::= { phase1PeerEntry 12 } 1981 phase1PeerConfigAddress OBJECT-TYPE 1982 SYNTAX IPSIpAddress 1983 MAX-ACCESS read-only 1984 STATUS current 1985 DESCRIPTION 1986 "The IP address configured by the peer on this entity. 1987 If the local entity did not receive either 1988 INTERNAL_IP4_ADDRESS or INTERNAL_IP6_ADDRESS from 1989 the peer, this field should have the NULL IP address." 1991 ::= { phase1PeerEntry 13 } 1993 phase1PeerConfigNetmask OBJECT-TYPE 1994 SYNTAX IPSIpAddress 1995 MAX-ACCESS read-only 1996 STATUS current 1997 DESCRIPTION 1998 "The netmask configured by the peer on this entity. 1999 If the local entity did not receive either 2000 INTERNAL_V4_MASK or INTERNAL_IP6_MASK from 2001 the peer, this field should have the NULL IP address." 2002 ::= { phase1PeerEntry 14 } 2004 phase1PeerConfigDns OBJECT-TYPE 2005 SYNTAX IPSIpAddress 2006 MAX-ACCESS read-only 2007 STATUS current 2008 DESCRIPTION 2009 "The address of the DNS server configured by the peer 2010 on the local entity using CFG_SET or CFG_REPLY. If the 2011 local entity did not receive either INTERNAL_V4_DNS or 2012 INTERNAL_IP6_DNS from the peer, this field should have 2013 the NULL IP address." 2014 ::= { phase1PeerEntry 15 } 2016 phase1PeerConfigNbns OBJECT-TYPE 2017 SYNTAX IPSIpAddress 2018 MAX-ACCESS read-only 2019 STATUS current 2020 DESCRIPTION 2021 "The address of the NetBios Name Server configured by 2022 the peer on the local entity using CFG_SET or CFG_REPLY. 2023 If the local entity did not receive either INTERNAL_V4_NBNS or 2024 INTERNAL_IP6_NBNS from the peer, this field should have 2025 the NULL IP address."
2026 ::= { phase1PeerEntry 16 } 2028 phase1PeerConfigDhcp OBJECT-TYPE 2029 SYNTAX IPSIpAddress 2030 MAX-ACCESS read-only 2031 STATUS current 2032 DESCRIPTION 2033 "The address of the DHCP Server configured by the peer 2034 on the local entity using CFG_SET or CFG_REPLY. 2035 If the local entity did not receive either INTERNAL_V4_DHCP or 2036 INTERNAL_IP6_DHCP from the peer, this field should have 2037 the NULL IP address." 2039 ::= { phase1PeerEntry 17 } 2041 phase1Protocol OBJECT-TYPE 2042 SYNTAX ControlProtocol 2043 MAX-ACCESS read-only 2044 STATUS current 2045 DESCRIPTION 2046 "The keying and control protocol used to setup 2047 and administer Phase-1 and Phase-2 tunnels to this 2048 peer." 2049 ::= { phase1PeerEntry 18 } 2051 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2052 -- The Phase-1 Peer Association to Phase-2 Tunnel Correlation 2053 -- Table 2054 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2055 phase1PeerCorrTable OBJECT-TYPE 2056 SYNTAX SEQUENCE OF Phase1PeerCorrEntry 2057 MAX-ACCESS not-accessible 2058 STATUS current 2059 DESCRIPTION 2060 "The IPsec Phase-1 Peer Association to IPsec Phase-2 2061 Tunnel Correlation Table. There is one entry in this table 2062 for each active IPsec Phase-2 Tunnel." 2063 ::= { ipSecPhaseOne 3 } 2065 phase1PeerCorrEntry OBJECT-TYPE 2066 SYNTAX Phase1PeerCorrEntry 2067 MAX-ACCESS not-accessible 2068 STATUS current 2069 DESCRIPTION 2070 "Each entry contains the attributes of an 2071 IPsec Phase-1 Peer Association to IPsec Phase-2 2072 Tunnel Correlation."
2073 INDEX { phase1PeerCorrLocalType, 2074 phase1PeerCorrLocalValue, 2075 phase1PeerCorrRemoteType, 2076 phase1PeerCorrRemoteValue, 2077 phase1PeerCorrIntIndex, 2078 phase1PeerCorrSeqNum } 2079 ::= { phase1PeerCorrTable 1} 2081 Phase1PeerCorrEntry ::= SEQUENCE { 2082 phase1PeerCorrLocalType Phase1PeerIdentityType, 2083 phase1PeerCorrLocalValue DisplayString, 2084 phase1PeerCorrRemoteType Phase1PeerIdentityType, 2085 phase1PeerCorrRemoteValue DisplayString, 2086 phase1PeerCorrIntIndex Integer32, 2087 phase1PeerCorrSeqNum Integer32, 2088 phase1PeerCorrIpSecTunIndex Integer32, 2089 phase1PeerCorrControlProtocol ControlProtocol 2090 } 2092 phase1PeerCorrLocalType OBJECT-TYPE 2093 SYNTAX Phase1PeerIdentityType 2094 MAX-ACCESS not-accessible 2095 STATUS current 2096 DESCRIPTION 2097 "The type of local peer identity. The local peer 2098 may be identified by: 2099 1. an IP address, or 2100 2. or a fully qualified domain name. 2101 3. or a distinguished name." 2102 ::= { phase1PeerCorrEntry 1 } 2104 phase1PeerCorrLocalValue OBJECT-TYPE 2105 SYNTAX DisplayString 2106 MAX-ACCESS not-accessible 2107 STATUS current 2108 DESCRIPTION 2109 "The value of the local peer identity. 2111 If the local peer type is an IP Address, then this 2112 is the IP Address used to identify the local peer. 2114 If the local peer type is id_fqdn, then this is 2115 the FQDN of the local entity. 2117 If the local peer type is a id_dn, then this is 2118 the distinguished named string of the local peer." 2119 ::= { phase1PeerCorrEntry 2 } 2121 phase1PeerCorrRemoteType OBJECT-TYPE 2122 SYNTAX Phase1PeerIdentityType 2123 MAX-ACCESS not-accessible 2124 STATUS current 2125 DESCRIPTION 2126 "The type of remote peer identity. The remote peer 2127 may be identified by: 2128 1. an IP address, or 2129 2. or a fully qualified domain name. 2130 3. or a distinguished name." 
2131 ::= { phase1PeerCorrEntry 3 } 2133 phase1PeerCorrRemoteValue OBJECT-TYPE 2134 SYNTAX DisplayString 2135 MAX-ACCESS not-accessible 2136 STATUS current 2137 DESCRIPTION 2138 "The value of the remote peer identity. 2140 If the remote peer type is an IP Address, then this 2141 is the IP Address used to identify the remote peer. 2143 If the remote peer type is id_fqdn, then this is 2144 the FQDN of the remote peer. 2146 If the remote peer type is an id_dn, then this is 2147 the distinguished named string of the remote peer." 2148 ::= { phase1PeerCorrEntry 4 } 2150 phase1PeerCorrIntIndex OBJECT-TYPE 2151 SYNTAX Integer32 (1..2147483647) 2152 MAX-ACCESS not-accessible 2153 STATUS current 2154 DESCRIPTION 2155 "The internal index of the local-remote 2156 peer association. This internal index is 2157 used to uniquely identify multiple associations 2158 between the local and remote peer." 2159 ::= { phase1PeerCorrEntry 5 } 2161 phase1PeerCorrSeqNum OBJECT-TYPE 2162 SYNTAX Integer32 (1..2147483647) 2163 MAX-ACCESS not-accessible 2164 STATUS current 2165 DESCRIPTION 2166 "The sequence number of the local-remote 2167 peer association. This sequence number is 2168 used to uniquely identify multiple instances 2169 of a unique association between 2170 the local and remote peer." 2171 ::= { phase1PeerCorrEntry 6 } 2173 phase1PeerCorrIpSecTunIndex OBJECT-TYPE 2174 SYNTAX Integer32 (1..2147483647) 2175 MAX-ACCESS read-only 2176 STATUS current 2177 DESCRIPTION 2178 "The index of the active IPsec Phase-2 Tunnel 2179 (ipSecTunIndex in the ipSecTunnelTable) for this 2180 IPsec Phase-1 IKE Peer Association." 2181 ::= { phase1PeerCorrEntry 7 } 2183 phase1PeerCorrControlProtocol OBJECT-TYPE 2184 SYNTAX ControlProtocol 2185 MAX-ACCESS read-only 2186 STATUS current 2187 DESCRIPTION 2188 "The keying and control protocol used to setup 2189 and administer the Phase-1 and Phase-2 tunnels this 2190 table entry refers to."
2191 ::= { phase1PeerCorrEntry 8 } 2193 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2194 -- IPsec Phase-2 Group 2195 -- 2196 -- This group consists of: 2197 -- 1) IPsec Phase-2 Global Statistics 2198 -- 2) IPsec Phase-2 Tunnel Table 2199 -- 3) IPsec Phase-2 Endpoint Table 2200 -- 4) IPsec Phase-2 Security Protection Index Table 2201 -- 4) IPsec Phase-2 Security Protection Index Objects 2202 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2204 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2205 -- The IPsec Phase-2 Global Tunnel Statistics 2206 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2207 ipSecGlobalStats OBJECT IDENTIFIER 2208 ::= { ipSecPhaseTwo 1 } 2210 ipSecGlobalActiveTunnels OBJECT-TYPE 2211 SYNTAX Gauge32 2212 UNITS "Integral units" 2213 MAX-ACCESS read-only 2214 STATUS current 2215 DESCRIPTION 2216 "The total number of currently active 2217 IPsec Phase-2 Tunnels." 2218 ::= { ipSecGlobalStats 1 } 2220 ipSecGlobalPreviousTunnels OBJECT-TYPE 2221 SYNTAX Counter32 2222 UNITS "Phase-2 Tunnels" 2223 MAX-ACCESS read-only 2224 STATUS current 2225 DESCRIPTION 2226 "The total number of previously active 2227 IPsec Phase-2 Tunnels." 2228 ::= { ipSecGlobalStats 2 } 2230 ipSecGlobalInOctets OBJECT-TYPE 2231 SYNTAX Counter32 2232 UNITS "Octets" 2233 MAX-ACCESS read-only 2234 STATUS current 2235 DESCRIPTION 2236 "The total number of octets received by all 2237 current and previous IPsec Phase-2 Tunnels. 2238 This value is 2239 accumulated BEFORE determining whether or not 2240 the packet should be decompressed. See also 2241 ipSecGlobalInOctWraps for the number of times 2242 this counter has wrapped." 2243 ::= { ipSecGlobalStats 3 } 2245 ipSecGlobalHcInOctets OBJECT-TYPE 2246 SYNTAX Counter64 2247 MAX-ACCESS read-only 2248 STATUS current 2249 DESCRIPTION 2250 "A high capacity count of the total number of 2251 octets received by all current and previous 2252 IPsec Phase-2 Tunnels. 
This value is accumulated 2253 BEFORE determining whether or not the packet 2254 should be decompressed." 2255 ::= { ipSecGlobalStats 4 } 2257 ipSecGlobalInOctWraps OBJECT-TYPE 2258 SYNTAX Counter32 2259 UNITS "Integral units" 2260 MAX-ACCESS read-only 2261 STATUS current 2262 DESCRIPTION 2263 "The number of times the global octets received 2264 counter (ipSecGlobalInOctets) has wrapped." 2265 ::= { ipSecGlobalStats 5 } 2267 ipSecGlobalInDecompOctets OBJECT-TYPE 2268 SYNTAX Counter32 2269 UNITS "Octets" 2270 MAX-ACCESS read-only 2271 STATUS current 2272 DESCRIPTION 2273 "The total number of decompressed octets received 2274 by all current and previous IPsec Phase-2 Tunnels. 2275 This value is accumulated AFTER the packet is 2276 decompressed. If compression is not being used, 2277 this value will match the value of ipSecGlobalInOctets. 2278 See also ipSecGlobalInDecompOctWraps 2279 for the number of times this counter has wrapped." 2280 ::= { ipSecGlobalStats 6 } 2282 ipSecGlobalHcInDecompOctets OBJECT-TYPE 2283 SYNTAX Counter64 2284 MAX-ACCESS read-only 2285 STATUS current 2286 DESCRIPTION 2287 "A high capacity count of the total number 2288 of decompressed octets received by all current 2289 and previous IPsec Phase-2 Tunnels. This value 2290 is accumulated AFTER the packet is decompressed. 2291 If compression is not being used, this value 2292 will match the value of ipSecGlobalHcInOctets." 2293 ::= { ipSecGlobalStats 7 } 2295 ipSecGlobalInDecompOctWraps OBJECT-TYPE 2296 SYNTAX Counter32 2297 UNITS "Integral units" 2298 MAX-ACCESS read-only 2299 STATUS current 2300 DESCRIPTION 2301 "The number of times the global decompressed 2302 octets received counter 2303 (ipSecGlobalInDecompOctets) has wrapped." 
2304 ::= { ipSecGlobalStats 8 } 2306 ipSecGlobalInPkts OBJECT-TYPE 2307 SYNTAX Counter32 2308 UNITS "Packets" 2309 MAX-ACCESS read-only 2310 STATUS current 2311 DESCRIPTION 2312 "The total number of packets received 2313 by all current and previous 2314 IPsec Phase-2 Tunnels." 2315 ::= { ipSecGlobalStats 9 } 2317 ipSecGlobalInDrops OBJECT-TYPE 2318 SYNTAX Counter32 2319 UNITS "Packets" 2320 MAX-ACCESS read-only 2321 STATUS current 2322 DESCRIPTION 2323 "The total number of packets dropped 2324 during receive processing by all current and previous 2325 IPsec Phase-2 Tunnels. This count does 2326 NOT include packets dropped due to 2327 Anti-Replay processing." 2328 ::= { ipSecGlobalStats 10 } 2330 ipSecGlobalInReplayDrops OBJECT-TYPE 2331 SYNTAX Counter32 2332 UNITS "Packets" 2333 MAX-ACCESS read-only 2334 STATUS current 2335 DESCRIPTION 2336 "The total number of packets dropped during 2337 receive processing due to Anti-Replay 2338 processing by all current and previous IPsec 2339 Phase-2 Tunnels." 2340 ::= { ipSecGlobalStats 11 } 2342 ipSecGlobalInAuths OBJECT-TYPE 2343 SYNTAX Counter32 2344 UNITS "Events" 2345 MAX-ACCESS read-only 2346 STATUS current 2347 DESCRIPTION 2348 "The total number of inbound authentications 2349 performed by all current and previous IPsec 2350 Phase-2 Tunnels." 2351 ::= { ipSecGlobalStats 12 } 2353 ipSecGlobalInAuthFails OBJECT-TYPE 2354 SYNTAX Counter32 2355 UNITS "Failures" 2356 MAX-ACCESS read-only 2357 STATUS current 2358 DESCRIPTION 2359 "The total number of inbound authentications 2360 which ended in failure by all current and previous 2361 IPsec Phase-2 Tunnels." 2362 ::= { ipSecGlobalStats 13 } 2364 ipSecGlobalInDecrypts OBJECT-TYPE 2365 SYNTAX Counter32 2366 UNITS "Packets" 2367 MAX-ACCESS read-only 2368 STATUS current 2369 DESCRIPTION 2370 "The total number of inbound decryptions 2371 performed by all current and previous IPsec 2372 Phase-2 Tunnels."
2373 ::= { ipSecGlobalStats 14 } 2375 ipSecGlobalInDecryptFails OBJECT-TYPE 2376 SYNTAX Counter32 2377 UNITS "Packets" 2378 MAX-ACCESS read-only 2379 STATUS current 2380 DESCRIPTION 2381 "The total number of inbound decryptions 2382 which ended in failure by all current and 2383 previous IPsec Phase-2 Tunnels." 2384 ::= { ipSecGlobalStats 15 } 2386 ipSecGlobalOutOctets OBJECT-TYPE 2387 SYNTAX Counter32 2388 UNITS "Octets" 2389 MAX-ACCESS read-only 2390 STATUS current 2391 DESCRIPTION 2392 "The total number of octets sent by all 2393 current and previous IPsec Phase-2 Tunnels. 2394 This value is accumulated AFTER determining 2395 whether or not the packet should be compressed. 2396 See also ipSecGlobalOutOctWraps for the 2397 number of times this counter has wrapped." 2398 ::= { ipSecGlobalStats 16 } 2400 ipSecGlobalHcOutOctets OBJECT-TYPE 2401 SYNTAX Counter64 2402 MAX-ACCESS read-only 2403 STATUS current 2404 DESCRIPTION 2405 "A high capacity count of the total number 2406 of octets sent by all current and previous 2407 IPsec Phase-2 Tunnels. This value is accumulated 2408 AFTER determining whether or not the packet should 2409 be compressed." 2410 ::= { ipSecGlobalStats 17 } 2412 ipSecGlobalOutOctWraps OBJECT-TYPE 2413 SYNTAX Counter32 2414 UNITS "Integral units" 2415 MAX-ACCESS read-only 2416 STATUS current 2417 DESCRIPTION 2418 "The number of times the global octets sent counter 2419 (ipSecGlobalOutOctets) has wrapped." 2420 ::= { ipSecGlobalStats 18 } 2422 ipSecGlobalOutUncompOctets OBJECT-TYPE 2423 SYNTAX Counter32 2424 UNITS "Octets" 2425 MAX-ACCESS read-only 2426 STATUS current 2427 DESCRIPTION 2428 "The total number of uncompressed octets sent 2429 by all current and previous IPsec Phase-2 Tunnels. 2430 This value is accumulated BEFORE the packet is 2431 compressed. If compression is not being used, this 2432 value will match the value of ipSecGlobalOutOctets.
2433 See also ipSecGlobalOutUncompOctWraps for the number 2434 of times this counter has wrapped." 2435 ::= { ipSecGlobalStats 19 } 2437 ipSecGlobalHcOutUncompOctets OBJECT-TYPE 2438 SYNTAX Counter64 2439 UNITS "Octets" 2440 MAX-ACCESS read-only 2441 STATUS current 2442 DESCRIPTION 2443 "A high capacity count of the total number of 2444 uncompressed octets sent by all current and previous 2445 IPsec Phase-2 Tunnels. This value is accumulated 2446 BEFORE the packet is compressed. If compression is 2447 not being used, this value will match the 2448 value of ipSecGlobalHcOutOctets." 2449 ::= { ipSecGlobalStats 20 } 2451 ipSecGlobalOutUncompOctWraps OBJECT-TYPE 2452 SYNTAX Counter32 2453 UNITS "Integral units" 2454 MAX-ACCESS read-only 2455 STATUS current 2456 DESCRIPTION 2457 "The number of times the global uncompressed 2458 octets sent counter (ipSecGlobalOutUncompOctets) 2459 has wrapped." 2460 ::= { ipSecGlobalStats 21 } 2462 ipSecGlobalOutPkts OBJECT-TYPE 2463 SYNTAX Counter32 2464 UNITS "Packets" 2465 MAX-ACCESS read-only 2466 STATUS current 2467 DESCRIPTION 2468 "The total number of packets sent by all 2469 current and previous 2470 IPsec Phase-2 Tunnels." 2471 ::= { ipSecGlobalStats 22 } 2473 ipSecGlobalOutDrops OBJECT-TYPE 2474 SYNTAX Counter32 2475 UNITS "Packets" 2476 MAX-ACCESS read-only 2477 STATUS current 2478 DESCRIPTION 2479 "The total number of packets dropped during send 2480 processing by all current and previous IPsec 2481 Phase-2 Tunnels." 2482 ::= { ipSecGlobalStats 23 } 2484 ipSecGlobalOutAuths OBJECT-TYPE 2485 SYNTAX Counter32 2486 UNITS "Events" 2487 MAX-ACCESS read-only 2488 STATUS current 2489 DESCRIPTION 2490 "The total number of outbound authentications 2491 performed by all current and previous IPsec 2492 Phase-2 Tunnels."
2493 ::= { ipSecGlobalStats 24 } 2495 ipSecGlobalOutAuthFails OBJECT-TYPE 2496 SYNTAX Counter32 2497 UNITS "Failures" 2498 MAX-ACCESS read-only 2499 STATUS current 2500 DESCRIPTION 2501 "The total number of outbound authentications 2502 which ended in failure 2503 by all current and previous IPsec Phase-2 Tunnels." 2504 ::= { ipSecGlobalStats 25 } 2506 ipSecGlobalOutEncrypts OBJECT-TYPE 2507 SYNTAX Counter32 2508 UNITS "Packets" 2509 MAX-ACCESS read-only 2510 STATUS current 2511 DESCRIPTION 2512 "The total number of outbound encryptions performed 2513 by all current and previous IPsec Phase-2 Tunnels." 2514 ::= { ipSecGlobalStats 26 } 2516 ipSecGlobalOutEncryptFails OBJECT-TYPE 2517 SYNTAX Counter32 2518 UNITS "Failures" 2519 MAX-ACCESS read-only 2520 STATUS current 2521 DESCRIPTION 2522 "The total number of outbound encryptions 2523 which ended in failure by all current and 2524 previous IPsec Phase-2 Tunnels." 2525 ::= { ipSecGlobalStats 27 } 2527 ipSecGlobalOutCompressedPkts OBJECT-TYPE 2528 SYNTAX Counter32 2529 UNITS "Packets" 2530 MAX-ACCESS read-only 2531 STATUS current 2532 DESCRIPTION 2533 "The cumulative number of outbound packets across all 2534 IPsec flows terminating at this device which were 2535 successfully compressed. 2536 This number is cumulative since the last system start." 2537 ::= { ipSecGlobalStats 28 } 2539 ipSecGlobalOutCompSkippedPkts OBJECT-TYPE 2540 SYNTAX Counter32 2541 UNITS "Packets" 2542 MAX-ACCESS read-only 2543 STATUS current 2544 DESCRIPTION 2545 "The total number of outbound packets across all IPsec 2546 flows terminating at this device that were to be compressed 2547 but which were skipped due to the compression hysteresis. 2548 This number is cumulative since the last system start."
2549 ::= { ipSecGlobalStats 29 } 2551 ipSecGlobalOutCompFailPkts OBJECT-TYPE 2552 SYNTAX Counter32 2553 UNITS "Packets" 2554 MAX-ACCESS read-only 2555 STATUS current 2556 DESCRIPTION 2557 "The total number of outbound packets across all IPsec 2558 flows terminating at this device that failed compression 2559 because they grew in size after compression. 2560 This number is cumulative since the last system start." 2561 ::= { ipSecGlobalStats 30 } 2563 ipSecGlobalOutCompTooSmallPkts OBJECT-TYPE 2564 SYNTAX Counter32 2565 UNITS "Packets" 2566 MAX-ACCESS read-only 2567 STATUS current 2568 DESCRIPTION 2569 "The total number of outbound packets across all IPsec 2570 flows terminating at this device that were to be compressed 2571 but were smaller than the compression threshold size. 2572 This number is cumulative since the last system start." 2573 ::= { ipSecGlobalStats 31 } 2575 ipSecGlobalProtocolUseFails OBJECT-TYPE 2576 SYNTAX Counter32 2577 UNITS "Failures" 2578 MAX-ACCESS read-only 2579 STATUS current 2580 DESCRIPTION 2581 "The total number of protocol use failures 2582 which occurred during processing of all current 2583 and previously active IPsec Phase-2 Tunnels." 2584 ::= { ipSecGlobalStats 32 } 2586 ipSecGlobalNoSaFails OBJECT-TYPE 2587 SYNTAX Counter32 2588 UNITS "Failures" 2589 MAX-ACCESS read-only 2590 STATUS current 2591 DESCRIPTION 2592 "The total number of non-existent Security Association 2593 in failures which occurred during processing of all 2594 current and previous IPsec Phase-2 Tunnels." 2595 ::= { ipSecGlobalStats 33 } 2597 ipSecGlobalSysCapFails OBJECT-TYPE 2598 SYNTAX Counter32 2599 UNITS "Failures" 2600 MAX-ACCESS read-only 2601 STATUS current 2602 DESCRIPTION 2603 "The total number of system capacity failures 2604 which occurred during processing of all current 2605 and previously active IPsec Phase-2 Tunnels."
2606 ::= { ipSecGlobalStats 34 } 2608 ipSecGlobalHcPreviousTunnels OBJECT-TYPE 2609 SYNTAX Counter64 2610 UNITS "Integral units" 2611 MAX-ACCESS read-only 2612 STATUS current 2613 DESCRIPTION 2614 "A high capacity count of the total number of 2615 previously active IPsec Phase-2 Tunnels." 2616 ::= { ipSecGlobalStats 35 } 2618 ipSecGlobalPreviousTunnelsWraps OBJECT-TYPE 2619 SYNTAX Counter32 2620 UNITS "Integral units" 2621 MAX-ACCESS read-only 2622 STATUS current 2623 DESCRIPTION 2624 "The number of times the quantity 2625 `ipSecGlobalPreviousTunnels' (previously active IPsec 2626 Phase-2 tunnels) has wrapped." 2627 ::= { ipSecGlobalStats 36 } 2629 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2630 -- The IPsec Phase-2 Tunnel Table 2631 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2632 ipSecTunnelTable OBJECT-TYPE 2633 SYNTAX SEQUENCE OF IpSecTunnelEntry 2634 MAX-ACCESS not-accessible 2635 STATUS current 2636 DESCRIPTION 2637 "The IPsec Phase-2 Tunnel Table. 2638 There is one entry in this table for 2639 each active IPsec Phase-2 Tunnel." 2640 ::= { ipSecPhaseTwo 2 } 2642 ipSecTunnelEntry OBJECT-TYPE 2643 SYNTAX IpSecTunnelEntry 2644 MAX-ACCESS not-accessible 2645 STATUS current 2646 DESCRIPTION 2647 "Each entry contains the attributes 2648 associated with an active IPsec Phase-2 Tunnel."
2650 INDEX { ipSecTunIndex } 2651 ::= { ipSecTunnelTable 1 } 2653 IpSecTunnelEntry ::= SEQUENCE { 2654 ipSecTunIndex Integer32, 2655 ipSecTunIkeTunnelIndex Integer32, 2656 ipSecTunIkeTunnelAlive TruthValue, 2657 ipSecTunLocalAddr IPSIpAddress, 2658 ipSecTunRemoteAddr IPSIpAddress, 2659 ipSecTunKeyType KeyType, 2660 ipSecTunEncapMode EncapMode, 2661 ipSecTunLifeSize Integer32, 2662 ipSecTunLifeTime Integer32, 2663 ipSecTunActiveTime TimeInterval, 2664 ipSecTunSaLifeSizeThreshold Integer32, 2665 ipSecTunSaLifeTimeThreshold Integer32, 2666 ipSecTunTotalRefreshes Counter32, 2667 ipSecTunExpiredSaInstances Counter32, 2668 ipSecTunCurrentSaInstances Gauge32, 2669 ipSecTunInSaDiffHellmanGrp DiffHellmanGrp, 2670 ipSecTunInSaEncryptAlgo EncryptAlgo, 2671 ipSecTunInSaAhAuthAlgo AuthAlgo, 2672 ipSecTunInSaEspAuthAlgo AuthAlgo, 2673 ipSecTunInSaDecompAlgo CompAlgo, 2674 ipSecTunOutSaDiffHellmanGrp DiffHellmanGrp, 2675 ipSecTunOutSaEncryptAlgo EncryptAlgo, 2676 ipSecTunOutSaAhAuthAlgo AuthAlgo, 2677 ipSecTunOutSaEspAuthAlgo AuthAlgo, 2678 ipSecTunOutSaCompAlgo CompAlgo, 2679 ipSecTunPmtu Integer32, 2680 ipSecTunInOctets Counter32, 2681 ipSecTunHcInOctets Counter64, 2682 ipSecTunInOctWraps Counter32, 2683 ipSecTunInDecompOctets Counter32, 2684 ipSecTunHcInDecompOctets Counter64, 2685 ipSecTunInDecompOctWraps Counter32, 2686 ipSecTunInPkts Counter32, 2687 ipSecTunInDropPkts Counter32, 2688 ipSecTunInReplayDropPkts Counter32, 2689 ipSecTunInAuths Counter32, 2690 ipSecTunInAuthFails Counter32, 2691 ipSecTunInDecrypts Counter32, 2692 ipSecTunInDecryptFails Counter32, 2693 ipSecTunOutOctets Counter32, 2694 ipSecTunHcOutOctets Counter64, 2695 ipSecTunOutOctWraps Counter32, 2696 ipSecTunOutUncompOctets Counter32, 2697 ipSecTunHcOutUncompOctets Counter64, 2698 ipSecTunOutUncompOctWraps Counter32, 2699 ipSecTunOutPkts Counter32, 2700 ipSecTunOutDropPkts Counter32, 2701 ipSecTunOutAuths Counter32, 2702 ipSecTunOutAuthFails Counter32, 2703 ipSecTunOutEncrypts Counter32, 2704 
ipSecTunOutEncryptFails Counter32, 2705 ipSecTunOutCompressedPkts Counter32, 2706 ipSecTunOutCompSkippedPkts Counter32, 2707 ipSecTunOutCompFailPkts Counter32, 2708 ipSecTunOutCompTooSmallPkts Counter32, 2709 ipSecTunStatus TunnelStatus, 2710 ipSecTunControlProtocol ControlProtocol, 2711 ipSecTunControlTunnelIndex Integer32, 2712 ipSecTunControlTunnelAlive TruthValue, 2713 ipSecTunInSaEncryptKeySize Integer32, 2714 ipSecTunOutSaEncryptKeySize Integer32 2715 } 2717 ipSecTunIndex OBJECT-TYPE 2718 SYNTAX Integer32 (1..2147483647) 2719 MAX-ACCESS not-accessible 2720 STATUS current 2721 DESCRIPTION 2722 "The index of the IPsec Phase-2 Tunnel Table. 2723 The value of the index is a number which begins 2724 at one and is incremented with each tunnel that 2725 is created. The value of this object will wrap 2726 at 2,147,483,647." 2727 ::= { ipSecTunnelEntry 1 } 2729 ipSecTunIkeTunnelIndex OBJECT-TYPE 2730 SYNTAX Integer32 (1..2147483647) 2731 MAX-ACCESS read-only 2732 STATUS deprecated 2733 DESCRIPTION 2734 "The index of the associated IPsec Phase-1 2735 IKE Tunnel. 2736 (ikeTunIndex in the ikeTunnelTable)" 2737 ::= { ipSecTunnelEntry 2 } 2739 ipSecTunIkeTunnelAlive OBJECT-TYPE 2740 SYNTAX TruthValue 2741 MAX-ACCESS read-only 2742 STATUS deprecated 2743 DESCRIPTION 2744 "An indicator which specifies whether or not the 2745 IPsec Phase-1 IKE Tunnel currently exists. This object 2746 has been deprecated in favour of more generic pointers 2747 to the control tunnel (ipSecTunControlTunnelIndex)." 2748 ::= { ipSecTunnelEntry 3 } 2750 ipSecTunLocalAddr OBJECT-TYPE 2751 SYNTAX IPSIpAddress 2752 MAX-ACCESS read-only 2753 STATUS current 2754 DESCRIPTION 2755 "The IP address of the local endpoint for the IPsec 2756 Phase-2 Tunnel." 2757 ::= { ipSecTunnelEntry 4 } 2759 ipSecTunRemoteAddr OBJECT-TYPE 2760 SYNTAX IPSIpAddress 2761 MAX-ACCESS read-only 2762 STATUS current 2763 DESCRIPTION 2764 "The IP address of the remote endpoint for the IPsec 2765 Phase-2 Tunnel." 
2766      ::= { ipSecTunnelEntry 5 }

2768  ipSecTunKeyType OBJECT-TYPE
2769      SYNTAX KeyType
2770      MAX-ACCESS read-only
2771      STATUS deprecated
2772      DESCRIPTION
2773          "The type of key used by the IPsec Phase-2 Tunnel. This
2774           object has been deprecated in favour of
2775           ipSecTunControlProtocol."
2776      ::= { ipSecTunnelEntry 6 }

2778  ipSecTunEncapMode OBJECT-TYPE
2779      SYNTAX EncapMode
2780      MAX-ACCESS read-only
2781      STATUS current
2782      DESCRIPTION
2783          "The encapsulation mode used by the
2784           IPsec Phase-2 Tunnel."
2785      ::= { ipSecTunnelEntry 7 }

2787  ipSecTunLifeSize OBJECT-TYPE
2788      SYNTAX Integer32 (1..2147483647)
2789      UNITS "KBytes"
2790      MAX-ACCESS read-only
2791      STATUS current
2792      DESCRIPTION
2793          "The negotiated LifeSize of the
2794           IPsec Phase-2 Tunnel in kilobytes."
2795      ::= { ipSecTunnelEntry 8 }

2797  ipSecTunLifeTime OBJECT-TYPE
2798      SYNTAX Integer32 (0..2147483647)
2799      UNITS "Seconds"
2800      MAX-ACCESS read-only
2801      STATUS current
2802      DESCRIPTION
2803          "The negotiated LifeTime of the IPsec Phase-2
2804           Tunnel in seconds.

2806           If the tunnel was set up manually, the value of this
2807           MIB element should be 0."
2808      ::= { ipSecTunnelEntry 9 }

2810  ipSecTunActiveTime OBJECT-TYPE
2811      SYNTAX TimeInterval
2812      MAX-ACCESS read-only
2813      STATUS current
2814      DESCRIPTION
2815          "The length of time the IPsec Phase-2
2816           Tunnel has been
2817           active in hundredths of seconds."
2818      ::= { ipSecTunnelEntry 10 }

2820  ipSecTunSaLifeSizeThreshold OBJECT-TYPE
2821      SYNTAX Integer32 (0..2147483647)
2822      UNITS "KBytes"
2823      MAX-ACCESS read-only
2824      STATUS current
2825      DESCRIPTION
2826          "The security association LifeSize refresh
2827           threshold in kilobytes.

2829           If the tunnel was set up manually, the value of this
2830           MIB element should be 0."
2831      ::= { ipSecTunnelEntry 11 }

2833  ipSecTunSaLifeTimeThreshold OBJECT-TYPE
2834      SYNTAX Integer32 (0..2147483647)
2835      UNITS "Seconds"
2836      MAX-ACCESS read-only
2837      STATUS current
2838      DESCRIPTION
2839          "The security association LifeTime refresh
2840           threshold in seconds.

2842           If the tunnel was set up manually, the value of this
2843           MIB element should be 0."
2844      ::= { ipSecTunnelEntry 12 }

2846  ipSecTunTotalRefreshes OBJECT-TYPE
2847      SYNTAX Counter32
2848      UNITS "QM Exchanges"
2849      MAX-ACCESS read-only
2850      STATUS current
2851      DESCRIPTION
2852          "The total number of security
2853           association refreshes performed."
2854      ::= { ipSecTunnelEntry 13 }

2856  ipSecTunExpiredSaInstances OBJECT-TYPE
2857      SYNTAX Counter32
2858      UNITS "SAs"
2859      MAX-ACCESS read-only
2860      STATUS current
2861      DESCRIPTION
2862          "The total number of security associations
2863           which have expired.

2865           If the tunnel was set up manually, the value of this
2866           MIB element should be 0."
2867      ::= { ipSecTunnelEntry 14 }

2869  ipSecTunCurrentSaInstances OBJECT-TYPE
2870      SYNTAX Gauge32
2871      MAX-ACCESS read-only
2872      STATUS current
2873      DESCRIPTION
2874          "The number of security associations
2875           which are currently active or expiring."
2876      ::= { ipSecTunnelEntry 15 }

2878  ipSecTunInSaDiffHellmanGrp OBJECT-TYPE
2879      SYNTAX DiffHellmanGrp
2880      MAX-ACCESS read-only
2881      STATUS current
2882      DESCRIPTION
2883          "The Diffie Hellman Group used
2884           by the inbound security association of the
2885           IPsec Phase-2 Tunnel.

2887           If the tunnel was set up manually, the value of this
2888           MIB element would be `none'."
2889      ::= { ipSecTunnelEntry 16 }

2891  ipSecTunInSaEncryptAlgo OBJECT-TYPE
2892      SYNTAX EncryptAlgo
2893      MAX-ACCESS read-only
2894      STATUS current
2895      DESCRIPTION
2896          "The encryption algorithm used by the inbound security
2897           association of the IPsec Phase-2 Tunnel."
2898      ::= { ipSecTunnelEntry 17 }

2900  ipSecTunInSaAhAuthAlgo OBJECT-TYPE
2901      SYNTAX AuthAlgo
2902      MAX-ACCESS read-only
2903      STATUS current
2904      DESCRIPTION
2905          "The authentication algorithm used by the inbound
2906           authentication header (AH) security association of
2907           the IPsec Phase-2 Tunnel."
2908      ::= { ipSecTunnelEntry 18 }

2910  ipSecTunInSaEspAuthAlgo OBJECT-TYPE
2911      SYNTAX AuthAlgo
2912      MAX-ACCESS read-only
2913      STATUS current
2914      DESCRIPTION
2915          "The authentication algorithm used by the inbound
2916           encapsulation security protocol (ESP) security
2917           association of the IPsec Phase-2 Tunnel."
2918      ::= { ipSecTunnelEntry 19 }

2920  ipSecTunInSaDecompAlgo OBJECT-TYPE
2921      SYNTAX CompAlgo
2922      MAX-ACCESS read-only
2923      STATUS current
2924      DESCRIPTION
2925          "The decompression algorithm used by the inbound
2926           security association of the IPsec Phase-2 Tunnel."
2927      ::= { ipSecTunnelEntry 20 }

2929  ipSecTunOutSaDiffHellmanGrp OBJECT-TYPE
2930      SYNTAX DiffHellmanGrp
2931      MAX-ACCESS read-only
2932      STATUS current
2933      DESCRIPTION
2934          "The Diffie Hellman Group used by the outbound security
2935           association of the IPsec Phase-2 Tunnel.

2937           If the tunnel was set up manually, the value of this
2938           MIB element would be 'none'."
2939      ::= { ipSecTunnelEntry 21 }

2941  ipSecTunOutSaEncryptAlgo OBJECT-TYPE
2942      SYNTAX EncryptAlgo
2943      MAX-ACCESS read-only
2944      STATUS current
2945      DESCRIPTION
2946          "The encryption algorithm used by the outbound security
2947           association of the IPsec Phase-2 Tunnel."
2948      ::= { ipSecTunnelEntry 22 }

2950  ipSecTunOutSaAhAuthAlgo OBJECT-TYPE
2951      SYNTAX AuthAlgo
2952      MAX-ACCESS read-only
2953      STATUS current
2954      DESCRIPTION
2955          "The authentication algorithm used by the outbound
2956           authentication header (AH) security association of
2957           the IPsec Phase-2 Tunnel."
2958      ::= { ipSecTunnelEntry 23 }

2960  ipSecTunOutSaEspAuthAlgo OBJECT-TYPE
2961      SYNTAX AuthAlgo
2962      MAX-ACCESS read-only
2963      STATUS current
2964      DESCRIPTION
2965          "The authentication algorithm used by the outbound
2966           encapsulation security protocol (ESP)
2967           security association of the IPsec Phase-2 Tunnel."
2968      ::= { ipSecTunnelEntry 24 }

2970  ipSecTunOutSaCompAlgo OBJECT-TYPE
2971      SYNTAX CompAlgo
2972      MAX-ACCESS read-only
2973      STATUS current
2974      DESCRIPTION
2975          "The compression algorithm used by the outbound
2976           security association of the IPsec Phase-2 Tunnel."
2977      ::= { ipSecTunnelEntry 25 }

2979  ipSecTunPmtu OBJECT-TYPE
2980      SYNTAX Integer32 (68..1500)
2981      UNITS "Octets"
2982      MAX-ACCESS read-only
2983      STATUS current
2984      DESCRIPTION
2985          "The Path MTU for this IPsec Phase-2 tunnel, which has
2986           been either learnt from the network or which has been
2987           specified by the administrator. The lower end of the
2988           range is 68 which is the minimum MTU for IPv4."
2989      ::= { ipSecTunnelEntry 26 }

2991  ipSecTunInOctets OBJECT-TYPE
2992      SYNTAX Counter32
2993      UNITS "Octets"
2994      MAX-ACCESS read-only
2995      STATUS current
2996      DESCRIPTION
2997          "The total number of octets received by this IPsec
2998           Phase-2 Tunnel. This value is accumulated
2999           BEFORE determining whether or not the packet should be
3000           decompressed. See also ipSecTunInOctWraps for the
3001           number of times this counter has wrapped."
3002      ::= { ipSecTunnelEntry 27 }

3004  ipSecTunHcInOctets OBJECT-TYPE
3005      SYNTAX Counter64
3006      UNITS "Octets"
3007      MAX-ACCESS read-only
3008      STATUS current
3009      DESCRIPTION
3010          "A high capacity count of the total number of octets
3011           received by this IPsec Phase-2 Tunnel. This value is
3012           accumulated BEFORE determining whether or not the packet
3013           should be decompressed."
3014      ::= { ipSecTunnelEntry 28 }

3016  ipSecTunInOctWraps OBJECT-TYPE
3017      SYNTAX Counter32
3018      UNITS "Integral units"
3019      MAX-ACCESS read-only
3020      STATUS current
3021      DESCRIPTION
3022          "The number of times the octets received counter
3023           (ipSecTunInOctets) has wrapped."
3024      ::= { ipSecTunnelEntry 29 }

3026  ipSecTunInDecompOctets OBJECT-TYPE
3027      SYNTAX Counter32
3028      UNITS "Octets"
3029      MAX-ACCESS read-only
3030      STATUS current
3031      DESCRIPTION
3032          "The total number of decompressed octets received
3033           by this IPsec Phase-2 Tunnel. This value is
3034           accumulated AFTER the packet is decompressed.
3035           If compression is not being
3036           used, this value will match the value of
3037           ipSecTunInOctets. See also ipSecTunInDecompOctWraps
3038           for the number of times
3039           this counter has wrapped."
3040      ::= { ipSecTunnelEntry 30 }

3042  ipSecTunHcInDecompOctets OBJECT-TYPE
3043      SYNTAX Counter64
3044      MAX-ACCESS read-only
3045      STATUS current
3046      DESCRIPTION
3047          "A high capacity count of the total number of decompressed
3048           octets received by this IPsec Phase-2 Tunnel. This value
3049           is accumulated AFTER the packet is decompressed. If
3050           compression is not being used, this value will match the
3051           value of ipSecTunHcInOctets."
3052      ::= { ipSecTunnelEntry 31 }

3054  ipSecTunInDecompOctWraps OBJECT-TYPE
3055      SYNTAX Counter32
3056      UNITS "Integral units"
3057      MAX-ACCESS read-only
3058      STATUS current
3059      DESCRIPTION
3060          "The number of times the decompressed
3061           octets received counter
3062           (ipSecTunInDecompOctets) has wrapped."
3063      ::= { ipSecTunnelEntry 32 }

3065  ipSecTunInPkts OBJECT-TYPE
3066      SYNTAX Counter32
3067      UNITS "Packets"
3068      MAX-ACCESS read-only
3069      STATUS current
3070      DESCRIPTION
3071          "The total number of packets received
3072           by this IPsec Phase-2 Tunnel."

3074      ::= { ipSecTunnelEntry 33 }

3076  ipSecTunInDropPkts OBJECT-TYPE
3077      SYNTAX Counter32
3078      UNITS "Packets"
3079      MAX-ACCESS read-only
3080      STATUS current
3081      DESCRIPTION
3082          "The total number of packets dropped
3083           during receive processing by this IPsec Phase-2
3084           Tunnel. This count does NOT include
3085           packets dropped due to Anti-Replay processing."
3086      ::= { ipSecTunnelEntry 34 }

3088  ipSecTunInReplayDropPkts OBJECT-TYPE
3089      SYNTAX Counter32
3090      UNITS "Packets"
3091      MAX-ACCESS read-only
3092      STATUS current
3093      DESCRIPTION
3094          "The total number of packets dropped during
3095           receive processing due to Anti-Replay processing
3096           by this IPsec Phase-2 Tunnel."
3097      ::= { ipSecTunnelEntry 35 }

3099  ipSecTunInAuths OBJECT-TYPE
3100      SYNTAX Counter32
3101      UNITS "Events"
3102      MAX-ACCESS read-only
3103      STATUS current
3104      DESCRIPTION
3105          "The total number of inbound
3106           authentications performed by this
3107           IPsec Phase-2 Tunnel."
3108      ::= { ipSecTunnelEntry 36 }

3110  ipSecTunInAuthFails OBJECT-TYPE
3111      SYNTAX Counter32
3112      UNITS "Failures"
3113      MAX-ACCESS read-only
3114      STATUS current
3115      DESCRIPTION
3116          "The total number of inbound authentications
3117           which ended in
3118           failure by this IPsec Phase-2 Tunnel."
3119      ::= { ipSecTunnelEntry 37 }

3121  ipSecTunInDecrypts OBJECT-TYPE
3122      SYNTAX Counter32
3123      UNITS "Packets"
3124      MAX-ACCESS read-only
3125      STATUS current
3126      DESCRIPTION
3127          "The total number of inbound decryptions performed
3128           by this IPsec Phase-2 Tunnel."
3129      ::= { ipSecTunnelEntry 38 }

3131  ipSecTunInDecryptFails OBJECT-TYPE
3132      SYNTAX Counter32
3133      UNITS "Failures"
3134      MAX-ACCESS read-only
3135      STATUS current
3136      DESCRIPTION
3137          "The total number of inbound decryptions
3138           which ended in failure
3139           by this IPsec Phase-2 Tunnel."
3140      ::= { ipSecTunnelEntry 39 }

3142  ipSecTunOutOctets OBJECT-TYPE
3143      SYNTAX Counter32
3144      UNITS "Octets"
3145      MAX-ACCESS read-only
3146      STATUS current
3147      DESCRIPTION
3148          "The total number of octets sent by this IPsec
3149           Phase-2 Tunnel. This value is accumulated
3150           AFTER determining whether or not the packet should
3151           be compressed. See also ipSecTunOutOctWraps for
3152           the number of times this counter has wrapped."
3153      ::= { ipSecTunnelEntry 40 }

3155  ipSecTunHcOutOctets OBJECT-TYPE
3156      SYNTAX Counter64
3157      MAX-ACCESS read-only
3158      STATUS current
3159      DESCRIPTION
3160          "A high capacity count of the total number of octets
3161           sent by this IPsec Phase-2 Tunnel. This value is
3162           accumulated AFTER determining whether or not the
3163           packet
3164           should be compressed."
3165      ::= { ipSecTunnelEntry 41 }

3167  ipSecTunOutOctWraps OBJECT-TYPE
3168      SYNTAX Counter32
3169      UNITS "Integral units"
3170      MAX-ACCESS read-only
3171      STATUS current
3172      DESCRIPTION
3173          "The number of times the out octets counter
3174           (ipSecTunOutOctets) has wrapped."
3175      ::= { ipSecTunnelEntry 42 }

3177  ipSecTunOutUncompOctets OBJECT-TYPE
3178      SYNTAX Counter32
3179      UNITS "Octets"
3180      MAX-ACCESS read-only
3181      STATUS current
3182      DESCRIPTION
3183          "The total number of uncompressed octets sent
3184           by this IPsec Phase-2 Tunnel. This value
3185           is accumulated BEFORE the packet is compressed.
3186           If compression is not being used, this value
3187           will match the value of ipSecTunOutOctets.
3188           See also ipSecTunOutUncompOctWraps for the
3189           number of times this counter has wrapped."
3190      ::= { ipSecTunnelEntry 43 }

3192  ipSecTunHcOutUncompOctets OBJECT-TYPE
3193      SYNTAX Counter64
3194      MAX-ACCESS read-only
3195      STATUS current
3196      DESCRIPTION
3197          "A high capacity count of the total number
3198           of uncompressed octets sent by this IPsec
3199           Phase-2 Tunnel. This value is accumulated BEFORE
3200           the packet is compressed. If compression
3201           is not being used, this value will match the value
3202           of ipSecTunHcOutOctets."
3203      ::= { ipSecTunnelEntry 44 }

3205  ipSecTunOutUncompOctWraps OBJECT-TYPE
3206      SYNTAX Counter32
3207      UNITS "Integral units"
3208      MAX-ACCESS read-only
3209      STATUS current
3210      DESCRIPTION
3211          "The number of times the uncompressed octets sent
3212           counter (ipSecTunOutUncompOctets) has wrapped."
3213      ::= { ipSecTunnelEntry 45 }

3215  ipSecTunOutPkts OBJECT-TYPE
3216      SYNTAX Counter32
3217      UNITS "Packets"
3218      MAX-ACCESS read-only
3219      STATUS current
3220      DESCRIPTION
3221          "The total number of packets sent by this
3222           IPsec Phase-2 Tunnel."
3223      ::= { ipSecTunnelEntry 46 }

3225  ipSecTunOutDropPkts OBJECT-TYPE
3226      SYNTAX Counter32
3227      UNITS "Packets"
3228      MAX-ACCESS read-only
3229      STATUS current
3230      DESCRIPTION
3231          "The total number of packets dropped during
3232           send processing by this IPsec Phase-2 Tunnel."
3233      ::= { ipSecTunnelEntry 47 }

3235  ipSecTunOutAuths OBJECT-TYPE
3236      SYNTAX Counter32
3237      UNITS "Events"
3238      MAX-ACCESS read-only
3239      STATUS current
3240      DESCRIPTION
3241          "The total number of outbound authentications performed
3242           by this IPsec Phase-2 Tunnel."
3243      ::= { ipSecTunnelEntry 48 }

3245  ipSecTunOutAuthFails OBJECT-TYPE
3246      SYNTAX Counter32
3247      UNITS "Failures"
3248      MAX-ACCESS read-only
3249      STATUS current
3250      DESCRIPTION
3251          "The total number of outbound
3252           authentications which ended in failure
3253           by this IPsec Phase-2 Tunnel."
3254      ::= { ipSecTunnelEntry 49 }

3256  ipSecTunOutEncrypts OBJECT-TYPE
3257      SYNTAX Counter32
3258      UNITS "Packets"
3259      MAX-ACCESS read-only
3260      STATUS current
3261      DESCRIPTION
3262          "The total number of outbound encryptions performed
3263           by this IPsec Phase-2 Tunnel."
3264      ::= { ipSecTunnelEntry 50 }

3266  ipSecTunOutEncryptFails OBJECT-TYPE
3267      SYNTAX Counter32
3268      UNITS "Failures"
3269      MAX-ACCESS read-only
3270      STATUS current
3271      DESCRIPTION
3272          "The total number of outbound encryptions
3273           which ended in failure by this IPsec Phase-2 Tunnel."
3274      ::= { ipSecTunnelEntry 51 }

3276  ipSecTunOutCompressedPkts OBJECT-TYPE
3277      SYNTAX Counter32
3278      UNITS "Packets"
3279      MAX-ACCESS read-only
3280      STATUS current
3281      DESCRIPTION
3282          "The total number of outbound packets
3283           which were successfully compressed."
3284      ::= { ipSecTunnelEntry 52 }

3286  ipSecTunOutCompSkippedPkts OBJECT-TYPE
3287      SYNTAX Counter32
3288      UNITS "Packets"
3289      MAX-ACCESS read-only
3290      STATUS current
3291      DESCRIPTION
3292          "The total number of outbound packets that were to be
3293           compressed but which were skipped due to the compression
3294           hysteresis."
3295      ::= { ipSecTunnelEntry 53 }

3297  ipSecTunOutCompFailPkts OBJECT-TYPE
3298      SYNTAX Counter32
3299      UNITS "Packets"
3300      MAX-ACCESS read-only
3301      STATUS current
3302      DESCRIPTION
3303          "The total number of outbound packets that failed
3304           compression because they grew in size after compression."
3305      ::= { ipSecTunnelEntry 54 }

3307  ipSecTunOutCompTooSmallPkts OBJECT-TYPE
3308      SYNTAX Counter32
3309      UNITS "Packets"
3310      MAX-ACCESS read-only
3311      STATUS current
3312      DESCRIPTION
3313          "The total number of outbound packets that were to be
3314           compressed but were smaller than the compression threshold
3315           size."
3316      ::= { ipSecTunnelEntry 55 }

3318  ipSecTunStatus OBJECT-TYPE
3319      SYNTAX TunnelStatus
3320      MAX-ACCESS read-write
3321      STATUS current
3322      DESCRIPTION
3323          "The status of the MIB table row.

3325           This object can be used to bring the tunnel down
3326           by setting value of this object to destroy(2).
3327           When the value is set to destroy(2), the SA
3328           bundle is destroyed and this row is deleted
3329           from this table.

3331           When this MIB value is queried, the value of
3332           active(1) is always returned, if the instance
3333           exists.

3335           This object cannot be used to create a MIB
3336           table row."
3337      ::= { ipSecTunnelEntry 56 }

3339  ipSecTunControlProtocol OBJECT-TYPE
3340      SYNTAX ControlProtocol
3341      MAX-ACCESS read-only
3342      STATUS current
3343      DESCRIPTION
3344          "Identifies the protocol used to set up and administer this
3345           Phase-2 IPsec tunnel. If IKE was used to set up this tunnel,
3346           then the value of this column would be `cp_ike'. A value of
3347           cp_none is indicative of a manually installed and administered
3348           Phase-2 tunnel."
3349      ::= { ipSecTunnelEntry 57 }

3351  ipSecTunControlTunnelIndex OBJECT-TYPE
3352      SYNTAX Integer32 (0..2147483647)
3353      MAX-ACCESS read-only
3354      STATUS current
3355      DESCRIPTION
3356          "The index of the associated IPsec Phase-1
3357           Tunnel (in case of IKE, this value would refer to
3358           ikeTunIndex in the ikeTunnelTable).

3360           A value of 0 identifies that this Phase-2 tunnel
3361           was set up manually."
3362      ::= { ipSecTunnelEntry 58 }

3364  ipSecTunControlTunnelAlive OBJECT-TYPE
3365      SYNTAX TruthValue
3366      MAX-ACCESS read-only
3367      STATUS current
3368      DESCRIPTION
3369          "An indicator which specifies whether or not the
3370           IPsec Phase-1 Tunnel that spawned this Phase-2
3371           tunnel currently exists."
3372      ::= { ipSecTunnelEntry 59 }

3374  ipSecTunInSaEncryptKeySize OBJECT-TYPE
3375      SYNTAX Integer32
3376      UNITS "Bits"
3377      MAX-ACCESS read-only
3378      STATUS current
3379      DESCRIPTION
3380          "The key size in bits of the negotiated key to be
3381           used with the algorithm denoted by ipSecTunInSaEncryptAlgo.
3382           For DES and 3DES the key size is respectively 56 and
3383           168. For AES, this will denote the negotiated key size."
3384      ::= { ipSecTunnelEntry 60 }

3386  ipSecTunOutSaEncryptKeySize OBJECT-TYPE
3387      SYNTAX Integer32
3388      UNITS "Bits"
3389      MAX-ACCESS read-only
3390      STATUS current
3391      DESCRIPTION
3392          "The key size in bits of the negotiated key to be
3393           used with the algorithm denoted by ipSecTunOutSaEncryptAlgo.
3394           For DES and 3DES the key size is respectively 56 and
3395           168. For AES, this will denote the negotiated key size."
3396      ::= { ipSecTunnelEntry 61 }

3398  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3399  -- The IPsec Phase-2 Tunnel Endpoint Table
3400  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3401  ipSecEndPtTable OBJECT-TYPE
3402      SYNTAX SEQUENCE OF IpSecEndPtEntry
3403      MAX-ACCESS not-accessible
3404      STATUS current
3405      DESCRIPTION
3406          "The IPsec Phase-2 Tunnel Endpoint Table.
3407           This table contains an entry for each
3408           active endpoint associated with an IPsec
3409           Phase-2 Tunnel."
3410      ::= { ipSecPhaseTwo 3 }

3412  ipSecEndPtEntry OBJECT-TYPE
3413      SYNTAX IpSecEndPtEntry
3414      MAX-ACCESS not-accessible
3415      STATUS current
3416      DESCRIPTION
3417          "An IPsec Phase-2 Tunnel Endpoint entry."
3418      INDEX { ipSecTunIndex, -- from ipSecTunnelTable
3419              ipSecEndPtIndex }
3420      ::= { ipSecEndPtTable 1 }

3422  IpSecEndPtEntry ::= SEQUENCE {
3423      ipSecEndPtIndex  Integer32,
3424      ipSecEndPtLocalName  DisplayString,
3425      ipSecEndPtLocalType  EndPtType,
3426      ipSecEndPtLocalAddr1  IPSIpAddress,
3427      ipSecEndPtLocalAddr2  IPSIpAddress,
3428      ipSecEndPtLocalProtocol  Integer32,
3429      ipSecEndPtLocalPort  Integer32,
3430      ipSecEndPtRemoteName  DisplayString,
3431      ipSecEndPtRemoteType  EndPtType,
3432      ipSecEndPtRemoteAddr1  IPSIpAddress,
3433      ipSecEndPtRemoteAddr2  IPSIpAddress,
3434      ipSecEndPtRemoteProtocol  Integer32,
3435      ipSecEndPtRemotePort  Integer32
3436  }

3438  ipSecEndPtIndex OBJECT-TYPE
3439      SYNTAX Integer32 (1..2147483647)
3440      MAX-ACCESS not-accessible
3441      STATUS current
3442      DESCRIPTION
3443          "The number of the Endpoint associated with the
3444           IPsec Phase-2 Tunnel Table. The value of this
3445           index is a number which begins at one and
3446           is incremented with each Endpoint associated
3447           with an IPsec Phase-2 Tunnel.
3448           The value of this object will wrap at 2,147,483,647."

3450      ::= { ipSecEndPtEntry 1 }

3452  ipSecEndPtLocalName OBJECT-TYPE
3453      SYNTAX DisplayString
3454      MAX-ACCESS read-only
3455      STATUS current
3456      DESCRIPTION
3457          "The DNS name of the local Endpoint."
3458      ::= { ipSecEndPtEntry 2 }

3460  ipSecEndPtLocalType OBJECT-TYPE
3461      SYNTAX EndPtType
3462      MAX-ACCESS read-only
3463      STATUS current
3464      DESCRIPTION
3465          "The type of identity for the local Endpoint.
3466           Possible values are:
3467             1) a single IP address, or
3468             2) an IP address range, or
3469             3) an IP subnet."
3470      ::= { ipSecEndPtEntry 3 }

3472  ipSecEndPtLocalAddr1 OBJECT-TYPE
3473      SYNTAX IPSIpAddress
3474      MAX-ACCESS read-only
3475      STATUS current
3476      DESCRIPTION
3477          "The local Endpoint's first IP address specification.

3479           If the local Endpoint type is single IP address,
3480           then this is the value of the IP address.

3482           If the local Endpoint type is IP subnet, then this
3483           is the value of the subnet.

3485           If the local Endpoint type is IP address range,
3486           then this is the value of beginning IP address
3487           of the range."
3488      ::= { ipSecEndPtEntry 4 }

3490  ipSecEndPtLocalAddr2 OBJECT-TYPE
3491      SYNTAX IPSIpAddress
3492      MAX-ACCESS read-only
3493      STATUS current
3494      DESCRIPTION
3495          "The local Endpoint's second IP address specification.

3497           If the local Endpoint type is single IP address,
3498           then this is the value of the IP address.

3500           If the local Endpoint type is IP subnet, then this
3501           is the value of the subnet mask.

3503           If the local Endpoint type is IP address range,
3504           then this is the value of ending IP address
3505           of the range."
3506      ::= { ipSecEndPtEntry 5 }

3508  ipSecEndPtLocalProtocol OBJECT-TYPE
3509      SYNTAX Integer32 (0..255)
3510      MAX-ACCESS read-only
3511      STATUS current
3512      DESCRIPTION
3513          "The protocol number of the local Endpoint's traffic."
3514      ::= { ipSecEndPtEntry 6 }

3516  ipSecEndPtLocalPort OBJECT-TYPE
3517      SYNTAX Integer32 (0..65535)
3518      MAX-ACCESS read-only
3519      STATUS current
3520      DESCRIPTION
3521          "The port number of the local Endpoint's traffic."
3522      ::= { ipSecEndPtEntry 7 }

3524  ipSecEndPtRemoteName OBJECT-TYPE
3525      SYNTAX DisplayString
3526      MAX-ACCESS read-only
3527      STATUS current
3528      DESCRIPTION
3529          "The DNS name of the remote Endpoint."
3530      ::= { ipSecEndPtEntry 8 }

3532  ipSecEndPtRemoteType OBJECT-TYPE
3533      SYNTAX EndPtType
3534      MAX-ACCESS read-only
3535      STATUS current
3536      DESCRIPTION
3537          "The type of identity for the remote Endpoint.
3538           Possible values are:
3539             1) a single IP address, or
3540             2) an IP address range, or
3541             3) an IP subnet."
3542      ::= { ipSecEndPtEntry 9 }

3544  ipSecEndPtRemoteAddr1 OBJECT-TYPE
3545      SYNTAX IPSIpAddress
3546      MAX-ACCESS read-only
3547      STATUS current
3548      DESCRIPTION
3549          "The remote Endpoint's first IP address specification.

3551           If the remote Endpoint type is single IP address,
3552           then this is the value of the IP address.

3554           If the remote Endpoint type is IP subnet, then this
3555           is the value of the subnet.

3557           If the remote Endpoint type is IP address range,
3558           then this is the value of beginning IP address
3559           of the range."
3560      ::= { ipSecEndPtEntry 10 }

3562  ipSecEndPtRemoteAddr2 OBJECT-TYPE
3563      SYNTAX IPSIpAddress
3564      MAX-ACCESS read-only
3565      STATUS current
3566      DESCRIPTION
3567          "The remote Endpoint's second IP address specification.

3569           If the remote Endpoint type is single IP address,
3570           then this is the value of the IP address.

3572           If the remote Endpoint type is IP subnet, then this
3573           is the value of the subnet mask.

3575           If the remote Endpoint type is IP address range,
3576           then this is the value of ending IP address of
3577           the range."
3578      ::= { ipSecEndPtEntry 11 }

3580  ipSecEndPtRemoteProtocol OBJECT-TYPE
3581      SYNTAX Integer32 (0..255)
3582      MAX-ACCESS read-only
3583      STATUS current
3584      DESCRIPTION
3585          "The protocol number of the remote Endpoint's traffic."
3586      ::= { ipSecEndPtEntry 12 }

3588  ipSecEndPtRemotePort OBJECT-TYPE
3589      SYNTAX Integer32 (0..65535)
3590      MAX-ACCESS read-only
3591      STATUS current
3592      DESCRIPTION
3593          "The port number of the remote Endpoint's traffic."
3594      ::= { ipSecEndPtEntry 13 }

3596  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3597  -- The IPsec Phase-2 Security Protection Index Table (deprecated)
3598  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

3600  -- The tunnel SA decomposition table: This table has been deprecated
3601  -- and has been replaced by ipSecSaTable. New IPsec devices will not
3602  -- support this table. Older products will continue to support
3603  -- this table for some time in order to be backwards compatible with
3604  -- existing network management applications.

3606  ipSecSpiTable OBJECT-TYPE
3607      SYNTAX SEQUENCE OF IpSecSpiEntry
3608      MAX-ACCESS not-accessible
3609      STATUS deprecated
3610      DESCRIPTION
3611          "The IPsec Phase-2 Security Protection Index Table.
3612           This table contains an entry for each active
3613           and expiring security
3614           association."
3615      ::= { ipSecPhaseTwo 4 }

3617  ipSecSpiEntry OBJECT-TYPE
3618      SYNTAX IpSecSpiEntry
3619      MAX-ACCESS not-accessible
3620      STATUS deprecated
3621      DESCRIPTION
3622          "Each entry contains the attributes associated with
3623           active and expiring IPsec Phase-2
3624           security associations."
3625      INDEX { ipSecTunIndex, -- from ipSecTunnelTable
3626              ipSecSpiIndex }
3627      ::= { ipSecSpiTable 1 }

3629  IpSecSpiEntry ::= SEQUENCE {
3630      ipSecSpiIndex  Integer32,
3631      ipSecSpiDirection  INTEGER,
3632      ipSecSpiValue  Spi,
3633      ipSecSpiProtocol  INTEGER,
3634      ipSecSpiStatus  INTEGER
3635  }

3637  ipSecSpiIndex OBJECT-TYPE
3638      SYNTAX Integer32 (1..2147483647)
3639      MAX-ACCESS not-accessible
3640      STATUS deprecated
3641      DESCRIPTION
3642          "The number of the SPI associated with the
3643           Phase-2 Tunnel Table. The value of this
3644           index is a number which begins at one and is
3645           incremented with each SPI associated with an
3646           IPsec Phase-2 Tunnel. The value of this
3647           object will wrap at 2,147,483,647."
3648      ::= { ipSecSpiEntry 1 }

3650  ipSecSpiDirection OBJECT-TYPE
3651      SYNTAX INTEGER{
3652          in(1),
3653          out(2)
3654      }
3655      MAX-ACCESS read-only
3656      STATUS deprecated
3657      DESCRIPTION
3658          "The direction of the SPI."
3659      ::= { ipSecSpiEntry 2 }

3661  ipSecSpiValue OBJECT-TYPE
3662      SYNTAX Spi
3663      MAX-ACCESS read-only
3664      STATUS deprecated
3665      DESCRIPTION
3666          "The value of the SPI."
3667      ::= { ipSecSpiEntry 3 }

3669  ipSecSpiProtocol OBJECT-TYPE
3670      SYNTAX INTEGER{
3671          ah(1),
3672          esp(2),
3673          ipcomp(3)
3674      }
3675      MAX-ACCESS read-only
3676      STATUS deprecated
3677      DESCRIPTION
3678          "The protocol of the SPI."
3679      ::= { ipSecSpiEntry 4 }

3681  ipSecSpiStatus OBJECT-TYPE
3682      SYNTAX INTEGER{
3683          active(1),
3684          expiring(2)

3686      }
3687      MAX-ACCESS read-only
3688      STATUS deprecated
3689      DESCRIPTION
3690          "The status of the SPI."
3691      ::= { ipSecSpiEntry 5 }

3693  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3694  -- The IPsec New Group metrics
3695  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3696  ipSecGlobalNewGrpStats OBJECT IDENTIFIER
3697      ::= { ipSecPhaseTwo 5 }

3699  ipSecGlobalInNewGrpReqs OBJECT-TYPE
3700      SYNTAX Counter32
3701      UNITS "Negotiations"
3702      MAX-ACCESS read-only
3703      STATUS current
3704      DESCRIPTION
3705          "The total number of New Group exchanges initiated
3706           remotely."
3707      ::= { ipSecGlobalNewGrpStats 1 }

3709  ipSecGlobalOutNewGrpReqs OBJECT-TYPE
3710      SYNTAX Counter32
3711      UNITS "Negotiations"
3712      MAX-ACCESS read-only
3713      STATUS current
3714      DESCRIPTION
3715          "The total number of New Group exchanges initiated
3716           locally."
3717      ::= { ipSecGlobalNewGrpStats 2 }

3719  ipSecGlobalInNewGrpReqsRejected OBJECT-TYPE
3720      SYNTAX Counter32
3721      UNITS "Negotiations"
3722      MAX-ACCESS read-only
3723      STATUS current
3724      DESCRIPTION
3725          "The total number of New Group exchanges initiated
3726           remotely that ended in a failure."
3727      ::= { ipSecGlobalNewGrpStats 3 }

3729  ipSecGlobalOutNewGrpReqsRejected OBJECT-TYPE
3730      SYNTAX Counter32
3731      UNITS "Negotiations"
3732      MAX-ACCESS read-only
3733      STATUS current
3734      DESCRIPTION
3735          "The total number of New Group exchanges initiated
3736           locally that ended in a failure."
3737      ::= { ipSecGlobalNewGrpStats 4 }

3739  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3740  -- The IPsec Phase-2 Security Association Table
3741  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

3743  -- The tunnel SA decomposition table: This table replaces the
3744  -- now deprecated ipSecSpiTable.

3746  ipSecSaTable OBJECT-TYPE
3747      SYNTAX SEQUENCE OF IpSecSaEntry
3748      MAX-ACCESS not-accessible
3749      STATUS current
3750      DESCRIPTION
3751          "The IPsec Phase-2 Security Association Table.
3752           This table identifies the structure (in terms of
3753           component SAs) of each active Phase-2 IPsec tunnel.
3754           This table contains an entry for each active and
3755           expiring security association and maps each entry
3756           in the active Phase-2 tunnel table (ipSecTunnelTable)
3757           into a number of entries in this table. The index of this
3758           table reflects the

3760

3762           rule for identifying Security Associations."
3763      ::= { ipSecPhaseTwo 6 }

3765  ipSecSaEntry OBJECT-TYPE
3766      SYNTAX IpSecSaEntry
3767      MAX-ACCESS not-accessible
3768      STATUS current
3769      DESCRIPTION
3770          "Each entry contains the attributes associated with
3771           active and expiring IPsec Phase-2
3772           security associations."
3773      INDEX { ipSecTunIndex, -- from ipSecTunnelTable
3774              ipSecSaProtocol,
3775              ipSecSaIndex }
3776      ::= { ipSecSaTable 1 }

3778  IpSecSaEntry ::= SEQUENCE {
3779      ipSecSaIndex  Integer32,
3780      ipSecSaDirection  INTEGER,
3781      ipSecSaValue  Spi,
3782      ipSecSaProtocol  INTEGER,
3783      ipSecSaStatus  INTEGER
3784  }

3786  ipSecSaIndex OBJECT-TYPE
3787      SYNTAX Integer32 (1..2147483647)
3788      MAX-ACCESS not-accessible
3789      STATUS current
3790      DESCRIPTION
3791          "The index, in the context of the IPsec tunnel ipSecTunIndex,
3792           of the security association represented by this table entry.
3793           The value of this index is a number which begins at one and
3794           is incremented with each SPI associated with an IPsec Phase-2
3795           Tunnel. The value of this object will wrap at 2,147,483,647."
3796      ::= { ipSecSaEntry 1 }

3798  ipSecSaDirection OBJECT-TYPE
3799      SYNTAX INTEGER{
3800          in(1),
3801          out(2)
3802      }
3803      MAX-ACCESS read-only
3804      STATUS current
3805      DESCRIPTION
3806          "Phase-2 IPsec security associations are simplex. Hence
3807           a particular security association is used either
3808           for securing outgoing traffic or decoding incoming traffic.
3809           This column identifies the direction of the security
3810           association represented by this entry."
3811      ::= { ipSecSaEntry 2 }

3813  ipSecSaValue OBJECT-TYPE
3814      SYNTAX Spi
3815      MAX-ACCESS read-only
3816      STATUS current
3817      DESCRIPTION
3818          "This is the value of the Security Protection Index (SPI)
3819           assigned by the system to the security association represented
3820           by this entry."
3821      ::= { ipSecSaEntry 3 }

3823  ipSecSaProtocol OBJECT-TYPE
3824      SYNTAX INTEGER{
3825          reserved(0),
3826          ah(1),
3827          esp(2),
3828          ipcomp(3)
3829      }
3830      MAX-ACCESS read-only
3831      STATUS current
3832      DESCRIPTION
3833          "This column represents the security protocol (AH, ESP or
3834           IPComp) for which this security association was set up."
3835      ::= { ipSecSaEntry 4 }

3837  ipSecSaStatus OBJECT-TYPE
3838      SYNTAX INTEGER{
3839          unknown(0),
3840          active(1),
3841          expiring(2)
3842      }
3843      MAX-ACCESS read-only
3844      STATUS current
3845      DESCRIPTION
3846          "This column represents the status of the security association
3847           represented by this table entry. If the status of the SA is
3848           'active', the SA is ready for active use. The status
3849           'expiring' represents any of the various states that the
3850           security association transitions through before being purged."
3851      ::= { ipSecSaEntry 5 }

3853  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3854  -- The IPsec History Group
3855  --
3856  -- This group consists of:
3857  -- 1) IPsec History Global Objects
3858  -- 2) IPsec Phase-1 History Objects
3859  -- 3) IPsec Phase-2 History Objects
3860  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3861  ipSecHistGlobal OBJECT IDENTIFIER
3862      ::= { ipSecHistory 1 }
3863  ipSecHistPhaseOne OBJECT IDENTIFIER
3864      ::= { ipSecHistory 2 }
3865  ipSecHistPhaseTwo OBJECT IDENTIFIER
3866      ::= { ipSecHistory 3 }

3868  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3869  -- IPsec History Global Control Objects
3870  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3871  ipSecHistGlobalCntl OBJECT IDENTIFIER
3872      ::= { ipSecHistGlobal 1 }

3874  ipSecHistTableSize OBJECT-TYPE
3875      SYNTAX Integer32 (1..2147483647)
3876      MAX-ACCESS read-write
3877      STATUS current
3878      DESCRIPTION
3879          "The window size of the IPsec Phase-1 and Phase-2
3880          History Tables.

3882          The IPsec Phase-1 and Phase-2 History Tables are
3883          implemented as a sliding window in which only the
3884          last n entries are maintained. This object is used to
3885          specify the number of entries which will be
3886          maintained in the IPsec Phase-1 and
3887          Phase-2 History Tables.

3889          An implementation may choose suitable minimum and
3890          maximum values for this element based on the local
3891          policy and available resources. If an SNMP SET request
3892          specifies a value outside this window for this element,
3893          a BAD VALUE may be returned."

3895      ::= { ipSecHistGlobalCntl 1 }

3897  ipSecHistCheckPoint OBJECT-TYPE
3898      SYNTAX INTEGER {
3899          ready(1),
3900          checkPoint(2)
3901      }

3903      MAX-ACCESS read-write
3904      STATUS current
3905      DESCRIPTION
3906          "The current state of check point processing.

3908          This object will return ready when the agent is
3909          ready to create on-demand history entries for
3910          active IPsec Tunnels or checkPoint when the
3911          agent is currently creating on-demand history
3912          entries for active IPsec Tunnels.

3914          By setting this value to checkPoint, the agent
3915          will create:
3916          a) an entry in the IPsec Phase-1 Tunnel History
3917             for each active IPsec Phase-1 Tunnel and
3918          b) an entry in the IPsec Phase-2 Tunnel History
3919             Table and an entry in the IPsec Phase-2
3920             Tunnel EndPoint History Table
3921             for each active IPsec Phase-2 Tunnel."
3922      ::= { ipSecHistGlobalCntl 2 }

3924  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3925  -- The IPsec Phase-1 Tunnel History Table
3926  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3927  ikeTunnelHistTable OBJECT-TYPE
3928      SYNTAX SEQUENCE OF IkeTunnelHistEntry
3929      MAX-ACCESS not-accessible
3930      STATUS current
3931      DESCRIPTION
3932          "The IPsec Phase-1 Internet Key Exchange Tunnel
3933          History Table. This table is implemented as a
3934          sliding window in which only the last n entries
3935          are maintained. The maximum number of entries
3936          is specified by the ipSecHistTableSize object."
3937      ::= { ipSecHistPhaseOne 1 }

3939  ikeTunnelHistEntry OBJECT-TYPE
3940      SYNTAX IkeTunnelHistEntry
3941      MAX-ACCESS not-accessible
3942      STATUS current
3943      DESCRIPTION
3944          "Each entry contains the attributes
3945          associated with a previously active IPsec
3946          Phase-1 IKE Tunnel."
3947      INDEX { ikeTunHistIndex }
3948      ::= { ikeTunnelHistTable 1 }

3950  IkeTunnelHistEntry ::= SEQUENCE {
3951      ikeTunHistIndex Integer32,
3952      ikeTunHistTermReason INTEGER,
3953      ikeTunHistActiveIndex Integer32,
3954      ikeTunHistPeerLocalType Phase1PeerIdentityType,
3955      ikeTunHistPeerLocalValue DisplayString,
3956      ikeTunHistPeerIntIndex Integer32,
3957      ikeTunHistPeerRemoteType Phase1PeerIdentityType,
3958      ikeTunHistPeerRemoteValue DisplayString,
3959      ikeTunHistLocalAddr IPSIpAddress,
3960      ikeTunHistLocalName DisplayString,
3961      ikeTunHistRemoteAddr IPSIpAddress,
3962      ikeTunHistRemoteName DisplayString,
3963      ikeTunHistNegoMode IkeNegoMode,
3964      ikeTunHistDiffHellmanGrp DiffHellmanGrp,
3965      ikeTunHistEncryptAlgo EncryptAlgo,
3966      ikeTunHistHashAlgo IkeHashAlgo,
3967      ikeTunHistAuthMethod IkeAuthMethod,
3968      ikeTunHistLifeTime Integer32,
3969      ikeTunHistStartTime TimeStamp,
3970      ikeTunHistActiveTime TimeInterval,
3971      ikeTunHistTotalRefreshes Counter32,
3972      ikeTunHistTotalSas Counter32,
3973      ikeTunHistInOctets Counter32,
3974      ikeTunHistInPkts Counter32,
3975      ikeTunHistInDropPkts Counter32,
3976      ikeTunHistInNotifys Counter32,
3977      ikeTunHistInP2Exchgs Counter32,
3978      ikeTunHistInP2ExchgInvalids Counter32,
3979      ikeTunHistInP2ExchgRejects Counter32,
3980      ikeTunHistInP2SaDelRequests Counter32,
3981      ikeTunHistOutOctets Counter32,
3982      ikeTunHistOutPkts Counter32,
3983      ikeTunHistOutDropPkts Counter32,
3984      ikeTunHistOutNotifys Counter32,
3985      ikeTunHistOutP2Exchgs Counter32,
3986      ikeTunHistOutP2ExchgInvalids Counter32,
3987      ikeTunHistOutP2ExchgRejects Counter32,
3988      ikeTunHistOutP2SaDelRequests Counter32,
3989      ikeTunHistInNewGrpReqs Counter32,
3990      ikeTunHistOutNewGrpReqs Counter32,
3991      ikeTunHistInNewGrpReqsRejected Counter32,
3992      ikeTunHistOutNewGrpReqsRejected Counter32,
3993      ikeTunHistInConfigs Counter32,
3994      ikeTunHistOutConfigs Counter32,
3995      ikeTunHistInConfigsRejects Counter32,
3996      ikeTunHistOutConfigsRejects Counter32,
3997      ikeTunHistEncryptKeySize Integer32
3998  }

4000  ikeTunHistIndex OBJECT-TYPE
4001      SYNTAX Integer32 (1..2147483647)
4002      MAX-ACCESS not-accessible
4003      STATUS current
4004      DESCRIPTION
4005          "The index of the IPsec Phase-1 IKE Tunnel History
4006          Table. The value of the index is a number which
4007          begins at one and is incremented with each
4008          tunnel that ends. The value of this object
4009          will wrap at 2,147,483,647."
4010      ::= { ikeTunnelHistEntry 1 }

4012  ikeTunHistTermReason OBJECT-TYPE
4013      SYNTAX INTEGER {
4014          other(1),
4015          normal(2),
4016          operRequest(3),
4017          peerDelRequest(4),
4018          peerLost(5),
4019          applicationInitiated(6),
4020          xauthFailure(7),
4021          localFailure(8),
4022          checkPointReg(9)
4023      }
4024      MAX-ACCESS read-only
4025      STATUS current
4026      DESCRIPTION
4027          "The reason the IPsec Phase-1 IKE Tunnel was terminated.
4028          Possible reasons include:
4029          1 = other
4030          2 = normal termination
4031          3 = operator request
4032          4 = peer delete request was received
4033          5 = contact with peer was lost
4034          6 = applicationInitiated (eg: L2TP requesting the termination)
4035          7 = failure of extended authentication
4036          8 = local failure occurred.
4037          9 = operator initiated check point request"
4038      ::= { ikeTunnelHistEntry 2 }

4040  ikeTunHistActiveIndex OBJECT-TYPE
4041      SYNTAX Integer32 (1..2147483647)
4042      MAX-ACCESS read-only
4043      STATUS current
4044      DESCRIPTION
4045          "The index of the previously active IPsec
4046          Phase-1 IKE Tunnel."
4047      ::= { ikeTunnelHistEntry 3 }

4049  ikeTunHistPeerLocalType OBJECT-TYPE
4050      SYNTAX Phase1PeerIdentityType
4051      MAX-ACCESS read-only
4052      STATUS current
4053      DESCRIPTION
4054          "The type of local peer identity. The local peer
4055          may be identified by:
4056          1. an IP address, or
4057          2. a fully qualified domain name, or
4058          3. a distinguished name."
4059      ::= { ikeTunnelHistEntry 4 }

4061  ikeTunHistPeerLocalValue OBJECT-TYPE
4062      SYNTAX DisplayString
4063      MAX-ACCESS read-only
4064      STATUS current
4065      DESCRIPTION
4066          "The value of the local peer identity.

4068          If the local peer type is an IP Address, then this
4069          is the IP Address used to identify the local peer.

4071          If the local peer type is id_fqdn, then this is
4072          the FQDN of the local entity.

4074          If the local peer type is an id_dn, then this is
4075          the distinguished name string of the local entity."
4076      ::= { ikeTunnelHistEntry 5 }

4078  ikeTunHistPeerIntIndex OBJECT-TYPE
4079      SYNTAX Integer32 (1..2147483647)
4080      MAX-ACCESS read-only
4081      STATUS current
4082      DESCRIPTION
4083          "The internal index of the local-remote peer
4084          association. This internal index is used to
4085          uniquely identify multiple associations between
4086          the local and remote peer."
4087      ::= { ikeTunnelHistEntry 6 }

4089  ikeTunHistPeerRemoteType OBJECT-TYPE
4090      SYNTAX Phase1PeerIdentityType
4091      MAX-ACCESS read-only
4092      STATUS current
4093      DESCRIPTION
4094          "The type of remote peer identity. The remote
4095          peer may be identified by:
4096          1. an IP address, or
4097          2. a fully qualified domain name, or
4098          3. a distinguished name."
4099      ::= { ikeTunnelHistEntry 7 }

4101  ikeTunHistPeerRemoteValue OBJECT-TYPE
4102      SYNTAX DisplayString
4103      MAX-ACCESS read-only
4104      STATUS current
4105      DESCRIPTION
4106          "The value of the remote peer identity.

4108          If the remote peer type is an IP Address, then this
4109          is the IP Address used to identify the remote peer.

4111          If the remote peer type is id_fqdn, then this is
4112          the FQDN of the remote peer.

4114          If the remote peer type is an id_dn, then this is
4115          the distinguished name string of the remote peer."
4116      ::= { ikeTunnelHistEntry 8 }

4118  ikeTunHistLocalAddr OBJECT-TYPE
4119      SYNTAX IPSIpAddress
4120      MAX-ACCESS read-only
4121      STATUS current
4122      DESCRIPTION
4123          "The IP address of the local endpoint for the IPsec
4124          Phase-1 IKE Tunnel."
4125      ::= { ikeTunnelHistEntry 9 }

4127  ikeTunHistLocalName OBJECT-TYPE
4128      SYNTAX DisplayString
4129      MAX-ACCESS read-only
4130      STATUS current
4131      DESCRIPTION
4132          "The DNS name of the local IP address for
4133          the IPsec Phase-1 IKE Tunnel. If the DNS
4134          name associated with the local tunnel endpoint
4135          is not known, then the value of this
4136          object will be a NULL string."
4137      ::= { ikeTunnelHistEntry 10 }

4139  ikeTunHistRemoteAddr OBJECT-TYPE
4140      SYNTAX IPSIpAddress
4141      MAX-ACCESS read-only
4142      STATUS current
4143      DESCRIPTION
4144          "The IP address of the remote endpoint for the IPsec
4145          Phase-1 IKE Tunnel."
4146      ::= { ikeTunnelHistEntry 11 }

4148  ikeTunHistRemoteName OBJECT-TYPE
4149      SYNTAX DisplayString
4150      MAX-ACCESS read-only
4151      STATUS current
4152      DESCRIPTION
4153          "The DNS name of the remote IP address of IPsec Phase-1
4154          IKE Tunnel. If the DNS name associated with the remote
4155          tunnel endpoint is not known, then the value of this
4156          object will be a NULL string."
4157      ::= { ikeTunnelHistEntry 12 }

4159  ikeTunHistNegoMode OBJECT-TYPE
4160      SYNTAX IkeNegoMode
4161      MAX-ACCESS read-only
4162      STATUS current
4163      DESCRIPTION
4164          "The negotiation mode of the IPsec Phase-1 IKE Tunnel."
4165      ::= { ikeTunnelHistEntry 13 }

4167  ikeTunHistDiffHellmanGrp OBJECT-TYPE
4168      SYNTAX DiffHellmanGrp
4169      MAX-ACCESS read-only
4170      STATUS current
4171      DESCRIPTION
4172          "The Diffie Hellman Group used in IPsec Phase-1 IKE
4173          negotiations."
4174      ::= { ikeTunnelHistEntry 14 }

4176  ikeTunHistEncryptAlgo OBJECT-TYPE
4177      SYNTAX EncryptAlgo
4178      MAX-ACCESS read-only
4179      STATUS current
4180      DESCRIPTION
4181          "The encryption algorithm used in IPsec Phase-1 IKE
4182          negotiations."
4183      ::= { ikeTunnelHistEntry 15 }

4185  ikeTunHistHashAlgo OBJECT-TYPE
4186      SYNTAX IkeHashAlgo
4187      MAX-ACCESS read-only
4188      STATUS current
4189      DESCRIPTION
4190          "The hash algorithm used in IPsec Phase-1 IKE
4191          negotiations."
4192      ::= { ikeTunnelHistEntry 16 }

4194  ikeTunHistAuthMethod OBJECT-TYPE
4195      SYNTAX IkeAuthMethod
4196      MAX-ACCESS read-only
4197      STATUS current
4198      DESCRIPTION
4199          "The authentication method used in IPsec Phase-1 IKE
4200          negotiations."
4201      ::= { ikeTunnelHistEntry 17 }

4203  ikeTunHistLifeTime OBJECT-TYPE
4204      SYNTAX Integer32 (1..2147483647)
4205      MAX-ACCESS read-only
4206      STATUS current
4207      DESCRIPTION
4208          "The negotiated LifeTime of the IPsec Phase-1 IKE Tunnel
4209          in seconds."
4210      ::= { ikeTunnelHistEntry 18 }

4212  ikeTunHistStartTime OBJECT-TYPE
4213      SYNTAX TimeStamp
4214      MAX-ACCESS read-only
4215      STATUS current
4216      DESCRIPTION
4217          "The value of sysUpTime in hundredths of seconds
4218          when the IPsec Phase-1 IKE tunnel was started."
4219      ::= { ikeTunnelHistEntry 19 }

4221  ikeTunHistActiveTime OBJECT-TYPE
4222      SYNTAX TimeInterval
4223      MAX-ACCESS read-only
4224      STATUS current
4225      DESCRIPTION
4226          "The length of time the IPsec Phase-1 IKE tunnel was
4227          active in hundredths of seconds."
4228      ::= { ikeTunnelHistEntry 20 }

4230  ikeTunHistTotalRefreshes OBJECT-TYPE
4231      SYNTAX Counter32
4232      UNITS "QM Exchanges"
4233      MAX-ACCESS read-only
4234      STATUS current
4235      DESCRIPTION
4236          "The total number of security association
4237          refreshes performed."
4238      ::= { ikeTunnelHistEntry 21 }

4240  ikeTunHistTotalSas OBJECT-TYPE
4241      SYNTAX Counter32
4242      UNITS "SAs"
4243      MAX-ACCESS read-only
4244      STATUS current
4245      DESCRIPTION
4246          "The total number of security associations
4247          used during the
4248          life of the IPsec Phase-1 IKE Tunnel."

4250      ::= { ikeTunnelHistEntry 22 }

4252  ikeTunHistInOctets OBJECT-TYPE
4253      SYNTAX Counter32
4254      UNITS "Octets"
4255      MAX-ACCESS read-only
4256      STATUS current
4257      DESCRIPTION
4258          "The total number of octets received by this
4259          IPsec Phase-1 IKE Tunnel."
4260      ::= { ikeTunnelHistEntry 23 }

4262  ikeTunHistInPkts OBJECT-TYPE
4263      SYNTAX Counter32
4264      UNITS "Packets"
4265      MAX-ACCESS read-only
4266      STATUS current
4267      DESCRIPTION
4268          "The total number of packets received
4269          by this IPsec Phase-1
4270          IKE Tunnel."
4271      ::= { ikeTunnelHistEntry 24 }

4273  ikeTunHistInDropPkts OBJECT-TYPE
4274      SYNTAX Counter32
4275      UNITS "Packets"
4276      MAX-ACCESS read-only
4277      STATUS current
4278      DESCRIPTION
4279          "The total number of packets dropped
4280          by this IPsec Phase-1
4281          IKE Tunnel during receive processing."
4282      ::= { ikeTunnelHistEntry 25 }

4284  ikeTunHistInNotifys OBJECT-TYPE
4285      SYNTAX Counter32
4286      UNITS "Notification Payloads"
4287      MAX-ACCESS read-only
4288      STATUS current
4289      DESCRIPTION
4290          "The total number of notifys received
4291          by this IPsec Phase-1
4292          IKE Tunnel."
4293      ::= { ikeTunnelHistEntry 26 }

4295  ikeTunHistInP2Exchgs OBJECT-TYPE
4296      SYNTAX Counter32
4297      UNITS "SA Payloads"
4298      MAX-ACCESS read-only
4299      STATUS current
4300      DESCRIPTION
4301          "The total number of IPsec Phase-2
4302          exchanges received by
4303          this IPsec Phase-1 IKE Tunnel."
4304      ::= { ikeTunnelHistEntry 27 }

4306  ikeTunHistInP2ExchgInvalids OBJECT-TYPE
4307      SYNTAX Counter32
4308      UNITS "SA Payloads"
4309      MAX-ACCESS read-only
4310      STATUS current
4311      DESCRIPTION
4312          "The total number of IPsec Phase-2 exchanges
4313          received on this tunnel that were found to
4314          contain references to unrecognized security
4315          parameters."
4316      ::= { ikeTunnelHistEntry 28 }

4318  ikeTunHistInP2ExchgRejects OBJECT-TYPE
4319      SYNTAX Counter32
4320      UNITS "SA Payloads"
4321      MAX-ACCESS read-only
4322      STATUS current
4323      DESCRIPTION
4324          "The total number of IPsec Phase-2 exchanges
4325          received on this tunnel that were validated but were
4326          rejected by the local policy."
4327      ::= { ikeTunnelHistEntry 29 }

4329  ikeTunHistInP2SaDelRequests OBJECT-TYPE
4330      SYNTAX Counter32
4331      UNITS "Notification Payloads"
4332      MAX-ACCESS read-only
4333      STATUS current
4334      DESCRIPTION
4335          "The total number of IPsec Phase-2 security association
4336          delete requests received by this IPsec
4337          Phase-1 IKE Tunnel."
4338      ::= { ikeTunnelHistEntry 30 }

4340  ikeTunHistOutOctets OBJECT-TYPE
4341      SYNTAX Counter32
4342      UNITS "Octets"
4343      MAX-ACCESS read-only
4344      STATUS current
4345      DESCRIPTION
4346          "The total number of octets sent by this IPsec Phase-1
4347          IKE Tunnel."
4348      ::= { ikeTunnelHistEntry 31 }

4350  ikeTunHistOutPkts OBJECT-TYPE
4351      SYNTAX Counter32
4352      UNITS "Packets"
4353      MAX-ACCESS read-only
4354      STATUS current
4355      DESCRIPTION
4356          "The total number of packets sent by this IPsec Phase-1
4357          IKE Tunnel."
4358      ::= { ikeTunnelHistEntry 32 }

4360  ikeTunHistOutDropPkts OBJECT-TYPE
4361      SYNTAX Counter32
4362      UNITS "Packets"
4363      MAX-ACCESS read-only
4364      STATUS current
4365      DESCRIPTION
4366          "The total number of packets dropped
4367          by this IPsec Phase-1
4368          IKE Tunnel during send processing."
4369      ::= { ikeTunnelHistEntry 33 }

4371  ikeTunHistOutNotifys OBJECT-TYPE
4372      SYNTAX Counter32
4373      UNITS "Notification Payloads"
4374      MAX-ACCESS read-only
4375      STATUS current
4376      DESCRIPTION
4377          "The total number of notifys sent by this IPsec Phase-1
4378          IKE Tunnel."
4379      ::= { ikeTunnelHistEntry 34 }

4381  ikeTunHistOutP2Exchgs OBJECT-TYPE
4382      SYNTAX Counter32
4383      UNITS "SA Payloads"
4384      MAX-ACCESS read-only
4385      STATUS current
4386      DESCRIPTION
4387          "The total number of IPsec Phase-2 exchanges sent by
4388          this IPsec Phase-1 IKE Tunnel."
4389      ::= { ikeTunnelHistEntry 35 }

4391  ikeTunHistOutP2ExchgInvalids OBJECT-TYPE
4392      SYNTAX Counter32
4393      UNITS "SA Payloads"
4394      MAX-ACCESS read-only
4395      STATUS current
4396      DESCRIPTION
4397          "The total number of IPsec Phase-2 exchanges
4398          sent on this tunnel that were found by the peer
4399          to contain references to security parameters
4400          not recognized by the peer."
4401      ::= { ikeTunnelHistEntry 36 }

4403  ikeTunHistOutP2ExchgRejects OBJECT-TYPE
4404      SYNTAX Counter32
4405      UNITS "SA Payloads"
4406      MAX-ACCESS read-only
4407      STATUS current
4408      DESCRIPTION
4409          "The total number of IPsec Phase-2 exchanges
4410          sent on this tunnel that were validated by the peer
4411          but were rejected by the peer's policy."
4412      ::= { ikeTunnelHistEntry 37 }

4414  ikeTunHistOutP2SaDelRequests OBJECT-TYPE
4415      SYNTAX Counter32
4416      UNITS "Notification Payloads"
4417      MAX-ACCESS read-only
4418      STATUS current
4419      DESCRIPTION
4420          "The total number of IPsec Phase-2 security association
4421          delete requests sent by this IPsec Phase-1 IKE Tunnel."
4422      ::= { ikeTunnelHistEntry 38 }

4424  ikeTunHistInNewGrpReqs OBJECT-TYPE
4425      SYNTAX Counter32
4426      UNITS "Negotiations"
4427      MAX-ACCESS read-only
4428      STATUS current
4429      DESCRIPTION
4430          "The total number of New Group exchanges initiated
4431          remotely using this IKE tunnel during its lifetime."
4432      ::= { ikeTunnelHistEntry 39 }

4434  ikeTunHistOutNewGrpReqs OBJECT-TYPE
4435      SYNTAX Counter32
4436      UNITS "Negotiations"
4437      MAX-ACCESS read-only
4438      STATUS current
4439      DESCRIPTION
4440          "The total number of New Group exchanges initiated
4441          locally using this IKE tunnel during its lifetime."
4442      ::= { ikeTunnelHistEntry 40 }

4444  ikeTunHistInNewGrpReqsRejected OBJECT-TYPE
4445      SYNTAX Counter32
4446      UNITS "Negotiations"
4447      MAX-ACCESS read-only
4448      STATUS current
4449      DESCRIPTION
4450          "The total number of New Group exchanges initiated
4451          remotely using this IKE tunnel during its lifetime
4452          that ended in a failure."
4453      ::= { ikeTunnelHistEntry 41 }

4455  ikeTunHistOutNewGrpReqsRejected OBJECT-TYPE
4456      SYNTAX Counter32
4457      UNITS "Negotiations"
4458      MAX-ACCESS read-only
4459      STATUS current
4460      DESCRIPTION
4461          "The total number of New Group exchanges initiated
4462          locally using this IKE tunnel during its lifetime
4463          that ended in a failure."
4464      ::= { ikeTunnelHistEntry 42 }

4466  ikeTunHistInConfigs OBJECT-TYPE
4467      SYNTAX Counter32
4468      UNITS "Mode Configuration Setting Payloads"
4469      MAX-ACCESS read-only
4470      STATUS current
4471      DESCRIPTION
4472          "The total number of Mode Configuration settings
4473          received (either CFG_REPLY or CFG_SET payloads)
4474          by the local entity on the ISAKMP SA represented by this
4475          IKE tunnel."
4476      ::= { ikeTunnelHistEntry 43 }

4478  ikeTunHistOutConfigs OBJECT-TYPE
4479      SYNTAX Counter32
4480      UNITS "Mode Configuration Setting Payloads"
4481      MAX-ACCESS read-only
4482      STATUS current
4483      DESCRIPTION
4484          "The total number of Mode Configuration settings
4485          dispatched (either CFG_REPLY or CFG_SET payloads)
4486          by the local entity on the ISAKMP SA represented by this
4487          IKE tunnel."
4488      ::= { ikeTunnelHistEntry 44 }

4490  ikeTunHistInConfigsRejects OBJECT-TYPE
4491      SYNTAX Counter32
4492      UNITS "Mode Configuration Setting Payloads"
4493      MAX-ACCESS read-only
4494      STATUS current
4495      DESCRIPTION
4496          "The total number of Mode Configuration settings
4497          which were received (either CFG_REPLY or CFG_SET
4498          payloads) and rejected by this entity using the ISAKMP
4499          SA represented by this IKE tunnel."
4500      ::= { ikeTunnelHistEntry 45 }

4502  ikeTunHistOutConfigsRejects OBJECT-TYPE
4503      SYNTAX Counter32
4504      UNITS "Mode Configuration Setting Payloads"
4505      MAX-ACCESS read-only
4506      STATUS current
4507      DESCRIPTION
4508          "The total number of Mode Configuration settings
4509          which were dispatched (either CFG_REPLY or CFG_SET
4510          payloads) by this entity and were rejected by the
4511          peer (client) using the ISAKMP SA represented by this
4512          IKE tunnel."
4513      ::= { ikeTunnelHistEntry 46 }

4515  ikeTunHistEncryptKeySize OBJECT-TYPE
4516      SYNTAX Integer32
4517      UNITS "Bits"
4518      MAX-ACCESS read-only
4519      STATUS current
4520      DESCRIPTION
4521          "The size in bits of the key which was negotiated
4522          for the IKE tunnel to be used with the algorithm denoted
4523          by the column 'ikeTunEncryptAlgo'. For DES and 3DES the key
4524          size is respectively 56 and 168. For AES, this will denote
4525          the negotiated key size."
4526      ::= { ikeTunnelHistEntry 47 }

4528  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
4529  -- The IPsec Phase-2 Tunnel History Table
4530  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
4531  ipSecTunnelHistTable OBJECT-TYPE
4532      SYNTAX SEQUENCE OF IpSecTunnelHistEntry
4533      MAX-ACCESS not-accessible
4534      STATUS current
4535      DESCRIPTION
4536          "The IPsec Phase-2 Tunnel History Table.
4537          This table is implemented as a sliding
4538          window in which only the
4539          last n entries are maintained. The maximum number
4540          of entries
4541          is specified by the ipSecHistTableSize object."
4542      ::= { ipSecHistPhaseTwo 1 }

4544  ipSecTunnelHistEntry OBJECT-TYPE
4545      SYNTAX IpSecTunnelHistEntry
4546      MAX-ACCESS not-accessible
4547      STATUS current
4548      DESCRIPTION
4549          "Each entry contains the attributes associated with
4550          a previously active IPsec Phase-2 Tunnel."
4551      INDEX { ipSecTunHistIndex }
4552      ::= { ipSecTunnelHistTable 1 }

4554  IpSecTunnelHistEntry ::= SEQUENCE {
4555      ipSecTunHistIndex Integer32,
4556      ipSecTunHistTermReason INTEGER,
4557      ipSecTunHistActiveIndex Integer32,
4558      ipSecTunHistIkeTunnelIndex Integer32,
4559      ipSecTunHistLocalAddr IPSIpAddress,
4560      ipSecTunHistRemoteAddr IPSIpAddress,
4561      ipSecTunHistKeyType KeyType,
4562      ipSecTunHistEncapMode EncapMode,
4563      ipSecTunHistLifeSize Integer32,
4564      ipSecTunHistLifeTime Integer32,
4565      ipSecTunHistStartTime TimeStamp,
4566      ipSecTunHistActiveTime TimeInterval,
4567      ipSecTunHistTotalRefreshes Counter32,
4568      ipSecTunHistTotalSas Counter32,
4569      ipSecTunHistInSaDiffHellmanGrp DiffHellmanGrp,
4570      ipSecTunHistInSaEncryptAlgo EncryptAlgo,
4571      ipSecTunHistInSaAhAuthAlgo AuthAlgo,
4572      ipSecTunHistInSaEspAuthAlgo AuthAlgo,
4573      ipSecTunHistInSaDecompAlgo CompAlgo,
4574      ipSecTunHistOutSaDiffHellmanGrp DiffHellmanGrp,
4575      ipSecTunHistOutSaEncryptAlgo EncryptAlgo,
4576      ipSecTunHistOutSaAhAuthAlgo AuthAlgo,
4577      ipSecTunHistOutSaEspAuthAlgo AuthAlgo,
4578      ipSecTunHistOutSaCompAlgo CompAlgo,
4579      ipSecTunHistPmtu Integer32,
4580      ipSecTunHistInOctets Counter32,
4581      ipSecTunHistHcInOctets Counter64,
4582      ipSecTunHistInOctWraps Counter32,
4583      ipSecTunHistInDecompOctets Counter32,
4584      ipSecTunHistHcInDecompOctets Counter64,
4585      ipSecTunHistInDecompOctWraps Counter32,
4586      ipSecTunHistInPkts Counter32,
4587      ipSecTunHistInReplayDropPkts Counter32,
4588      ipSecTunHistInDropPkts Counter32,
4589      ipSecTunHistInAuths Counter32,
4590      ipSecTunHistInAuthFails Counter32,
4591      ipSecTunHistInDecrypts Counter32,
4592      ipSecTunHistInDecryptFails Counter32,
4593      ipSecTunHistOutOctets Counter32,
4594      ipSecTunHistHcOutOctets Counter64,
4595      ipSecTunHistOutOctWraps Counter32,
4596      ipSecTunHistOutUncompOctets Counter32,
4597      ipSecTunHistHcOutUncompOctets Counter64,
4598      ipSecTunHistOutUncompOctWraps Counter32,
4599      ipSecTunHistOutPkts Counter32,
4600      ipSecTunHistOutDropPkts Counter32,
4601      ipSecTunHistOutAuths Counter32,
4602      ipSecTunHistOutAuthFails Counter32,
4603      ipSecTunHistOutEncrypts Counter32,
4604      ipSecTunHistOutEncryptFails Counter32,
4605      ipSecTunHistOutCompressedPkts Counter32,
4606      ipSecTunHistOutCompSkippedPkts Counter32,
4607      ipSecTunHistOutCompFailPkts Counter32,
4608      ipSecTunHistOutCompTooSmallPkts Counter32,
4609      ipSecTunHistControlProtocol ControlProtocol,
4610      ipSecTunHistControlTunnelIndex Integer32,
4611      ipSecTunHistInSaEncryptKeySize Integer32,
4612      ipSecTunHistOutSaEncryptKeySize Integer32
4613  }

4615  ipSecTunHistIndex OBJECT-TYPE
4616      SYNTAX Integer32 (1..2147483647)
4617      MAX-ACCESS not-accessible
4618      STATUS current
4619      DESCRIPTION
4620          "The index of the IPsec Phase-2 Tunnel History Table.
4621          The value of the index is a number which
4622          begins at one and is incremented with each tunnel
4623          that ends. The value
4624          of this object will wrap at 2,147,483,647."

4626      ::= { ipSecTunnelHistEntry 1 }

4628  ipSecTunHistTermReason OBJECT-TYPE
4629      SYNTAX INTEGER {
4630          other(1),
4631          normal(2),
4632          operRequest(3),
4633          peerDelRequest(4),
4634          peerLost(5),
4635          applicationInitiated(6),
4636          xauthFailure(7),
4637          seqNumRollOver(8),
4638          checkPointReq(9)
4639      }
4640      MAX-ACCESS read-only
4641      STATUS current
4642      DESCRIPTION
4643          "The reason the IPsec Phase-2 Tunnel was terminated.
4644          Possible reasons include:
4645          1 = other
4646          2 = normal termination
4647          3 = operator request
4648          4 = peer delete request was received
4649          5 = contact with peer was lost
4650          6 = applicationInitiated (eg: L2TP requesting the termination)
4651          7 = failure of extended authentication
4652          8 = local failure occurred
4653          9 = operator initiated check point request"
4654      ::= { ipSecTunnelHistEntry 2 }

4656  ipSecTunHistActiveIndex OBJECT-TYPE
4657      SYNTAX Integer32 (1..2147483647)
4658      MAX-ACCESS read-only
4659      STATUS current
4660      DESCRIPTION
4661          "The index of the previously active
4662          IPsec Phase-2 Tunnel."
4663      ::= { ipSecTunnelHistEntry 3 }

4665  ipSecTunHistIkeTunnelIndex OBJECT-TYPE
4666      SYNTAX Integer32 (1..2147483647)
4667      MAX-ACCESS read-only
4668      STATUS deprecated
4669      DESCRIPTION
4670          "The index of the associated IPsec Phase-1 Tunnel
4671          (ikeTunIndex in the ikeTunnelTable)."
4672      ::= { ipSecTunnelHistEntry 4 }

4674  ipSecTunHistLocalAddr OBJECT-TYPE
4675      SYNTAX IPSIpAddress
4676      MAX-ACCESS read-only
4677      STATUS current
4678      DESCRIPTION
4679          "The IP address of the local endpoint for the IPsec
4680          Phase-2 Tunnel."
4681      ::= { ipSecTunnelHistEntry 5 }

4683  ipSecTunHistRemoteAddr OBJECT-TYPE
4684      SYNTAX IPSIpAddress
4685      MAX-ACCESS read-only
4686      STATUS current
4687      DESCRIPTION
4688          "The IP address of the remote endpoint for the IPsec
4689          Phase-2 Tunnel."
4690      ::= { ipSecTunnelHistEntry 6 }

4692  ipSecTunHistKeyType OBJECT-TYPE
4693      SYNTAX KeyType
4694      MAX-ACCESS read-only
4695      STATUS deprecated
4696      DESCRIPTION
4697          "The type of key used by the IPsec Phase-2 Tunnel."
4698      ::= { ipSecTunnelHistEntry 7 }

4700  ipSecTunHistEncapMode OBJECT-TYPE
4701      SYNTAX EncapMode
4702      MAX-ACCESS read-only
4703      STATUS current
4704      DESCRIPTION
4705          "The encapsulation mode used by the
4706          IPsec Phase-2 Tunnel."
4707      ::= { ipSecTunnelHistEntry 8 }

4709  ipSecTunHistLifeSize OBJECT-TYPE
4710      SYNTAX Integer32 (1..2147483647)
4711      UNITS "KBytes"
4712      MAX-ACCESS read-only
4713      STATUS current
4714      DESCRIPTION
4715          "The negotiated LifeSize of the IPsec Phase-2 Tunnel in
4716          kilobytes."
4717      ::= { ipSecTunnelHistEntry 9 }

4719  ipSecTunHistLifeTime OBJECT-TYPE
4720      SYNTAX Integer32 (1..2147483647)
4721      UNITS "Seconds"
4722      MAX-ACCESS read-only
4723      STATUS current
4724      DESCRIPTION
4725          "The negotiated LifeTime of the IPsec Phase-2 Tunnel in
4726          seconds."
4727      ::= { ipSecTunnelHistEntry 10 }

4729  ipSecTunHistStartTime OBJECT-TYPE
4730      SYNTAX TimeStamp
4731      MAX-ACCESS read-only
4732      STATUS current
4733      DESCRIPTION
4734          "The value of sysUpTime in hundredths of seconds
4735          when the IPsec Phase-2 Tunnel was started."
4736      ::= { ipSecTunnelHistEntry 11 }

4738  ipSecTunHistActiveTime OBJECT-TYPE
4739      SYNTAX TimeInterval
4740      MAX-ACCESS read-only
4741      STATUS current
4742      DESCRIPTION
4743          "The length of time the IPsec Phase-2 Tunnel has been
4744          active in hundredths of seconds."
4745      ::= { ipSecTunnelHistEntry 12 }

4747  ipSecTunHistTotalRefreshes OBJECT-TYPE
4748      SYNTAX Counter32
4749      UNITS "QM Exchanges"
4750      MAX-ACCESS read-only
4751      STATUS current
4752      DESCRIPTION
4753          "The total number of security association refreshes
4754          performed."
4755      ::= { ipSecTunnelHistEntry 13 }

4757  ipSecTunHistTotalSas OBJECT-TYPE
4758      SYNTAX Counter32
4759      UNITS "SAs"
4760      MAX-ACCESS read-only
4761      STATUS current
4762      DESCRIPTION
4763          "The total number of security associations used
4764          during the
4765          life of the IPsec Phase-2 Tunnel."
4766      ::= { ipSecTunnelHistEntry 14 }

4768  ipSecTunHistInSaDiffHellmanGrp OBJECT-TYPE
4769      SYNTAX DiffHellmanGrp
4770      MAX-ACCESS read-only
4771      STATUS current
4772      DESCRIPTION
4773          "The Diffie Hellman Group used by the inbound security
4774          association of the IPsec Phase-2 Tunnel."
4775      ::= { ipSecTunnelHistEntry 15 }

4777  ipSecTunHistInSaEncryptAlgo OBJECT-TYPE
4778      SYNTAX EncryptAlgo
4779      MAX-ACCESS read-only
4780      STATUS current
4781      DESCRIPTION
4782          "The encryption algorithm used by the inbound security
4783          association of the IPsec Phase-2 Tunnel."
4784      ::= { ipSecTunnelHistEntry 16 }

4786  ipSecTunHistInSaAhAuthAlgo OBJECT-TYPE
4787      SYNTAX AuthAlgo
4788      MAX-ACCESS read-only
4789      STATUS current
4790      DESCRIPTION
4791          "The authentication algorithm used by the inbound
4792          authentication header (AH) security association of
4793          the IPsec Phase-2 Tunnel."
4794      ::= { ipSecTunnelHistEntry 17 }

4796  ipSecTunHistInSaEspAuthAlgo OBJECT-TYPE
4797      SYNTAX AuthAlgo
4798      MAX-ACCESS read-only
4799      STATUS current
4800      DESCRIPTION
4801          "The authentication algorithm used by the inbound
4802          encapsulation security protocol (ESP)
4803          security association of
4804          the IPsec Phase-2 Tunnel."
4805      ::= { ipSecTunnelHistEntry 18 }

4807  ipSecTunHistInSaDecompAlgo OBJECT-TYPE
4808      SYNTAX CompAlgo
4809      MAX-ACCESS read-only
4810      STATUS current
4811      DESCRIPTION
4812          "The decompression algorithm used by the inbound
4813          security association of the IPsec Phase-2 Tunnel."

4815      ::= { ipSecTunnelHistEntry 19 }

4817  ipSecTunHistOutSaDiffHellmanGrp OBJECT-TYPE
4818      SYNTAX DiffHellmanGrp
4819      MAX-ACCESS read-only
4820      STATUS current
4821      DESCRIPTION
4822          "The Diffie Hellman Group used by the outbound security
4823          association of the IPsec Phase-2 Tunnel."
4824      ::= { ipSecTunnelHistEntry 20 }

4826  ipSecTunHistOutSaEncryptAlgo OBJECT-TYPE
4827      SYNTAX EncryptAlgo
4828      MAX-ACCESS read-only
4829      STATUS current
4830      DESCRIPTION
4831          "The encryption algorithm used by the outbound security
4832          association of the IPsec Phase-2 Tunnel."
4833      ::= { ipSecTunnelHistEntry 21 }

4835  ipSecTunHistOutSaAhAuthAlgo OBJECT-TYPE
4836      SYNTAX AuthAlgo
4837      MAX-ACCESS read-only
4838      STATUS current
4839      DESCRIPTION
4840          "The authentication algorithm used by the outbound
4841          authentication header (AH) security association of
4842          the IPsec Phase-2 Tunnel."
4843      ::= { ipSecTunnelHistEntry 22 }

4845  ipSecTunHistOutSaEspAuthAlgo OBJECT-TYPE
4846      SYNTAX AuthAlgo
4847      MAX-ACCESS read-only
4848      STATUS current
4849      DESCRIPTION
4850          "The authentication algorithm used by the inbound
4851          encapsulation security protocol (ESP)
4852          security association of the IPsec Phase-2 Tunnel."
4853      ::= { ipSecTunnelHistEntry 23 }

4855  ipSecTunHistOutSaCompAlgo OBJECT-TYPE
4856      SYNTAX CompAlgo
4857      MAX-ACCESS read-only
4858      STATUS current
4859      DESCRIPTION
4860          "The compression algorithm used by the inbound
4861          security association of the IPsec Phase-2 Tunnel."

4863      ::= { ipSecTunnelHistEntry 24 }

4865  ipSecTunHistPmtu OBJECT-TYPE
4866      SYNTAX Integer32 (21..576)
4867      UNITS "Octets"
4868      MAX-ACCESS read-only
4869      STATUS current
4870      DESCRIPTION
4871          "The Path MTU that was determined for this IPsec
4872          Phase-2 tunnel."
4873      ::= { ipSecTunnelHistEntry 25 }

4875  ipSecTunHistInOctets OBJECT-TYPE
4876      SYNTAX Counter32
4877      UNITS "Octets"
4878      MAX-ACCESS read-only
4879      STATUS current
4880      DESCRIPTION
4881          "The total number of octets received by this IPsec
4882          Phase-2 Tunnel. This value is accumulated
4883          BEFORE determining whether or not the packet should
4884          be decompressed. See also ipSecTunInOctWraps for
4885          the number of times this counter has wrapped."
4886      ::= { ipSecTunnelHistEntry 26 }

4888  ipSecTunHistHcInOctets OBJECT-TYPE
4889      SYNTAX Counter64
4890      MAX-ACCESS read-only
4891      STATUS current
4892      DESCRIPTION
4893          "A high capacity count of the total number of octets
4894          received by this IPsec Phase-2 Tunnel. This value is
4895          accumulated BEFORE determining whether or not
4896          the packet should be decompressed."
4897      ::= { ipSecTunnelHistEntry 27 }

4899  ipSecTunHistInOctWraps OBJECT-TYPE
4900      SYNTAX Counter32
4901      UNITS "Integral units"
4902      MAX-ACCESS read-only
4903      STATUS current
4904      DESCRIPTION
4905          "The number of times the octets received counter
4906          (ipSecTunInOctets) has wrapped."
4907      ::= { ipSecTunnelHistEntry 28 }

4909  ipSecTunHistInDecompOctets OBJECT-TYPE
4910      SYNTAX Counter32
4911      UNITS "Octets"
4912      MAX-ACCESS read-only
4913      STATUS current
4914      DESCRIPTION
4915          "The total number of decompressed octets received by this
4916          IPsec Phase-2 Tunnel. This value is accumulated AFTER
4917          the packet is decompressed. If compression is not being
4918          used, this value will match the value of ipSecTunInOctets.
4919          See also ipSecTunInDecompOctWraps for the number of times
4920          this counter has wrapped."
4921      ::= { ipSecTunnelHistEntry 29 }

4923  ipSecTunHistHcInDecompOctets OBJECT-TYPE
4924      SYNTAX Counter64
4925      MAX-ACCESS read-only
4926      STATUS current
4927      DESCRIPTION
4928          "A high capacity count of the total number of decompressed
4929          octets received by this IPsec Phase-2 Tunnel. This value
4930          is accumulated AFTER the packet is decompressed. If
4931          compression is not being used, this value will match the
4932          value of ipSecTunHcInOctets."
4933      ::= { ipSecTunnelHistEntry 30 }

4935  ipSecTunHistInDecompOctWraps OBJECT-TYPE
4936      SYNTAX Counter32
4937      UNITS "Integral units"
4938      MAX-ACCESS read-only
4939      STATUS current
4940      DESCRIPTION
4941          "The number of times the decompressed octets
4942          received counter (ipSecTunInDecompOctets) has wrapped."
4943      ::= { ipSecTunnelHistEntry 31 }

4945  ipSecTunHistInPkts OBJECT-TYPE
4946      SYNTAX Counter32
4947      UNITS "Packets"
4948      MAX-ACCESS read-only
4949      STATUS current
4950      DESCRIPTION
4951          "The total number of packets received by this
4952          IPsec Phase-2 Tunnel."
4953      ::= { ipSecTunnelHistEntry 32 }

4955  ipSecTunHistInDropPkts OBJECT-TYPE
4956      SYNTAX Counter32
4957      UNITS "Packets"
4958      MAX-ACCESS read-only
4959      STATUS current
4960      DESCRIPTION
4961          "The total number of packets dropped during
4962          receive processing by this IPsec Phase-2 Tunnel.
4963          This count does NOT include packets
4964          dropped due to Anti-Replay processing."
4965      ::= { ipSecTunnelHistEntry 33 }

4967  ipSecTunHistInReplayDropPkts OBJECT-TYPE
4968      SYNTAX Counter32
4969      UNITS "Packets"
4970      MAX-ACCESS read-only
4971      STATUS current
4972      DESCRIPTION
4973          "The total number of packets dropped during
4974          receive processing due to Anti-Replay processing
4975          by this IPsec Phase-2 Tunnel."
4976 ::= { ipSecTunnelHistEntry 34 } 4978 ipSecTunHistInAuths OBJECT-TYPE 4979 SYNTAX Counter32 4980 UNITS "Events" 4981 MAX-ACCESS read-only 4982 STATUS current 4983 DESCRIPTION 4984 "The total number of inbound authentications 4985 performed 4986 by this IPsec Phase-2 Tunnel." 4987 ::= { ipSecTunnelHistEntry 35 } 4989 ipSecTunHistInAuthFails OBJECT-TYPE 4990 SYNTAX Counter32 4991 UNITS "Failures" 4992 MAX-ACCESS read-only 4993 STATUS current 4994 DESCRIPTION 4995 "The total number of inbound authentications 4996 which ended in 4997 failure by this IPsec Phase-2 Tunnel." 4998 ::= { ipSecTunnelHistEntry 36 } 5000 ipSecTunHistInDecrypts OBJECT-TYPE 5001 SYNTAX Counter32 5002 UNITS "Packets" 5003 MAX-ACCESS read-only 5004 STATUS current 5005 DESCRIPTION 5006 "The total number of inbound decryptions performed 5007 by this IPsec Phase-2 Tunnel." 5008 ::= { ipSecTunnelHistEntry 37 } 5010 ipSecTunHistInDecryptFails OBJECT-TYPE 5011 SYNTAX Counter32 5012 UNITS "Failures" 5013 MAX-ACCESS read-only 5014 STATUS current 5015 DESCRIPTION 5016 "The total number of inbound decryptions 5017 which ended in failure 5018 by this IPsec Phase-2 Tunnel." 5019 ::= { ipSecTunnelHistEntry 38 } 5021 ipSecTunHistOutOctets OBJECT-TYPE 5022 SYNTAX Counter32 5023 UNITS "Octets" 5024 MAX-ACCESS read-only 5025 STATUS current 5026 DESCRIPTION 5027 "The total number of octets sent by this IPsec 5028 Phase-2 Tunnel. This value is accumulated 5029 AFTER determining whether or not the 5030 packet should be 5031 compressed. See also ipSecTunOutOctWraps for the 5032 number of times this counter has wrapped." 5033 ::= { ipSecTunnelHistEntry 39 } 5035 ipSecTunHistHcOutOctets OBJECT-TYPE 5036 SYNTAX Counter64 5037 MAX-ACCESS read-only 5038 STATUS current 5039 DESCRIPTION 5040 "A high capacity count of the total number of octets 5041 sent by this IPsec Phase-2 Tunnel. This value 5042 is accumulated AFTER determining whether or not 5043 the packet should be 5044 compressed."
5045 ::= { ipSecTunnelHistEntry 40 } 5047 ipSecTunHistOutOctWraps OBJECT-TYPE 5048 SYNTAX Counter32 5049 UNITS "Integral units" 5050 MAX-ACCESS read-only 5051 STATUS current 5052 DESCRIPTION 5053 "The number of times the octets sent counter 5054 (ipSecTunOutOctets) has wrapped." 5055 ::= { ipSecTunnelHistEntry 41 } 5057 ipSecTunHistOutUncompOctets OBJECT-TYPE 5058 SYNTAX Counter32 5059 UNITS "Octets" 5060 MAX-ACCESS read-only 5061 STATUS current 5062 DESCRIPTION 5063 "The total number of uncompressed octets sent by this 5064 IPsec Phase-2 Tunnel. This value is accumulated BEFORE 5065 the packet is compressed. If compression is not being 5066 used, this value will match the value of 5067 ipSecTunOutOctets. See also 5068 ipSecTunOutDecompOctWraps for the number of times 5069 this counter has wrapped." 5070 ::= { ipSecTunnelHistEntry 42 } 5072 ipSecTunHistHcOutUncompOctets OBJECT-TYPE 5073 SYNTAX Counter64 5074 UNITS "Octets" 5075 MAX-ACCESS read-only 5076 STATUS current 5077 DESCRIPTION 5078 "A high capacity count of the total 5079 number of uncompressed octets sent by this 5080 IPsec Phase-2 Tunnel. This value is accumulated 5081 BEFORE the packet is compressed. If compression 5082 is not being used, this value will match the value of 5083 ipSecTunHcOutOctets." 5084 ::= { ipSecTunnelHistEntry 43 } 5086 ipSecTunHistOutUncompOctWraps OBJECT-TYPE 5087 SYNTAX Counter32 5088 UNITS "Integral units" 5089 MAX-ACCESS read-only 5090 STATUS current 5091 DESCRIPTION 5092 "The number of times the uncompressed octets sent counter 5093 (ipSecTunOutUncompOctets) has wrapped." 5094 ::= { ipSecTunnelHistEntry 44 } 5096 ipSecTunHistOutPkts OBJECT-TYPE 5097 SYNTAX Counter32 5098 UNITS "Packets" 5099 MAX-ACCESS read-only 5100 STATUS current 5101 DESCRIPTION 5102 "The total number of packets sent by this 5103 IPsec Phase-2 Tunnel." 
5104 ::= { ipSecTunnelHistEntry 45 } 5106 ipSecTunHistOutDropPkts OBJECT-TYPE 5107 SYNTAX Counter32 5108 UNITS "Packets" 5109 MAX-ACCESS read-only 5110 STATUS current 5111 DESCRIPTION 5112 "The total number of packets dropped 5113 during send processing 5114 by this IPsec Phase-2 Tunnel." 5115 ::= { ipSecTunnelHistEntry 46 } 5117 ipSecTunHistOutAuths OBJECT-TYPE 5118 SYNTAX Counter32 5119 UNITS "Events" 5120 MAX-ACCESS read-only 5121 STATUS current 5122 DESCRIPTION 5123 "The total number of outbound authentications performed 5124 by this IPsec Phase-2 Tunnel." 5125 ::= { ipSecTunnelHistEntry 47 } 5127 ipSecTunHistOutAuthFails OBJECT-TYPE 5128 SYNTAX Counter32 5129 UNITS "Failures" 5130 MAX-ACCESS read-only 5131 STATUS current 5132 DESCRIPTION 5133 "The total number of outbound authentications 5134 which ended in 5135 failure by this IPsec Phase-2 Tunnel." 5136 ::= { ipSecTunnelHistEntry 48 } 5138 ipSecTunHistOutEncrypts OBJECT-TYPE 5139 SYNTAX Counter32 5140 UNITS "Packets" 5141 MAX-ACCESS read-only 5142 STATUS current 5143 DESCRIPTION 5144 "The total number of outbound encryptions performed 5145 by this IPsec Phase-2 Tunnel." 5146 ::= { ipSecTunnelHistEntry 49 } 5148 ipSecTunHistOutEncryptFails OBJECT-TYPE 5149 SYNTAX Counter32 5150 UNITS "Failures" 5151 MAX-ACCESS read-only 5152 STATUS current 5153 DESCRIPTION 5154 "The total number of outbound encryptions 5155 which ended in failure 5156 by this IPsec Phase-2 Tunnel." 5157 ::= { ipSecTunnelHistEntry 50 } 5159 ipSecTunHistOutCompressedPkts OBJECT-TYPE 5160 SYNTAX Counter32 5161 UNITS "Packets" 5162 MAX-ACCESS read-only 5163 STATUS current 5164 DESCRIPTION 5165 "The total number of outbound packets 5166 which were successfully compressed."
5167 ::= { ipSecTunnelHistEntry 51 } 5169 ipSecTunHistOutCompSkippedPkts OBJECT-TYPE 5170 SYNTAX Counter32 5171 UNITS "Packets" 5172 MAX-ACCESS read-only 5173 STATUS current 5174 DESCRIPTION 5175 "The total number of outbound packets that were to be 5176 compressed but which were skipped due to the compression 5177 hysteresis." 5178 ::= { ipSecTunnelHistEntry 52 } 5180 ipSecTunHistOutCompFailPkts OBJECT-TYPE 5181 SYNTAX Counter32 5182 UNITS "Packets" 5183 MAX-ACCESS read-only 5184 STATUS current 5185 DESCRIPTION 5186 "The total number of outbound packets that failed 5187 compression because they grew in size after compression." 5188 ::= { ipSecTunnelHistEntry 53 } 5190 ipSecTunHistOutCompTooSmallPkts OBJECT-TYPE 5191 SYNTAX Counter32 5192 UNITS "Packets" 5193 MAX-ACCESS read-only 5194 STATUS current 5195 DESCRIPTION 5196 "The total number of outbound packets that were to be 5197 compressed but were smaller than the compression threshold 5198 size." 5199 ::= { ipSecTunnelHistEntry 54 } 5201 ipSecTunHistControlProtocol OBJECT-TYPE 5202 SYNTAX ControlProtocol 5203 MAX-ACCESS read-only 5204 STATUS current 5205 DESCRIPTION 5206 "Identifies the protocol that was used to setup and administer 5207 Phase-2 IPsec tunnel. If IKE was used to setup this tunnel, 5208 then this value of this column would be `cp_ike'." 
5209 ::= { ipSecTunnelHistEntry 55 } 5211 ipSecTunHistControlTunnelIndex OBJECT-TYPE 5212 SYNTAX Integer32 (1..2147483647) 5213 MAX-ACCESS read-only 5214 STATUS current 5215 DESCRIPTION 5216 "The index of the IPsec Phase-1 Tunnel that spawned this 5217 Phase-2 tunnel (in case of IKE, this value would refer t 5218 ikeTunIndex in the ikeTunnelTable)" 5219 ::= { ipSecTunnelHistEntry 56 } 5221 ipSecTunHistInSaEncryptKeySize OBJECT-TYPE 5222 SYNTAX Integer32 5223 UNITS "Bits" 5224 MAX-ACCESS read-only 5225 STATUS current 5226 DESCRIPTION 5227 "The size in bits of the key which was negotiated to be use 5228 with the encryption transform used with this tunnel denote 5229 by ipSecTunHistInSaEncryptAlgo. 5230 For DES and 3DES the key size is respectively 56 and 5231 168. For AES, this will denote the negotiated key size." 5232 ::= { ipSecTunnelHistEntry 57 } 5234 ipSecTunHistOutSaEncryptKeySize OBJECT-TYPE 5235 SYNTAX Integer32 5236 UNITS "Bits" 5237 MAX-ACCESS read-only 5238 STATUS current 5239 DESCRIPTION 5240 "The size in bits of the key which was negotiated to be use 5241 with the encryption transform used with this tunnel denote 5242 by ipSecTunHistOutSaEncryptAlgo. 5243 For DES and 3DES the key size is respectively 56 and 5244 168. For AES, this will denote the negotiated key size." 5245 ::= { ipSecTunnelHistEntry 58 } 5247 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5248 -- The IPsec Phase-2 Tunnel Endpoint History Table 5249 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5250 ipSecEndPtHistTable OBJECT-TYPE 5251 SYNTAX SEQUENCE OF IpSecEndPtHistEntry 5252 MAX-ACCESS not-accessible 5253 STATUS current 5254 DESCRIPTION 5255 "The IPsec Phase-2 Tunnel Endpoint History Table. 5256 This table is implemented as a 5257 sliding window in which only the 5258 last n entries are maintained. 5259 The maximum number of entries 5260 is specified by the ipSecHistTableSize object." 
5261 ::= { ipSecHistPhaseTwo 2 } 5263 ipSecEndPtHistEntry OBJECT-TYPE 5264 SYNTAX IpSecEndPtHistEntry 5265 MAX-ACCESS not-accessible 5266 STATUS current 5267 DESCRIPTION 5268 "Each entry contains the attributes associated with 5269 a previously active IPsec Phase-2 Tunnel Endpoint." 5270 INDEX { ipSecEndPtHistIndex } 5271 ::= { ipSecEndPtHistTable 1 } 5273 IpSecEndPtHistEntry ::= SEQUENCE { 5274 ipSecEndPtHistIndex Integer32, 5275 ipSecEndPtHistTunIndex Integer32, 5276 ipSecEndPtHistActiveIndex Integer32, 5277 ipSecEndPtHistLocalName DisplayString, 5278 ipSecEndPtHistLocalType EndPtType, 5279 ipSecEndPtHistLocalAddr1 IPSIpAddress, 5280 ipSecEndPtHistLocalAddr2 IPSIpAddress, 5281 ipSecEndPtHistLocalProtocol Integer32, 5282 ipSecEndPtHistLocalPort Integer32, 5283 ipSecEndPtHistRemoteName DisplayString, 5284 ipSecEndPtHistRemoteType EndPtType, 5285 ipSecEndPtHistRemoteAddr1 IPSIpAddress, 5286 ipSecEndPtHistRemoteAddr2 IPSIpAddress, 5287 ipSecEndPtHistRemoteProtocol Integer32, 5288 ipSecEndPtHistRemotePort Integer32 5289 } 5291 ipSecEndPtHistIndex OBJECT-TYPE 5292 SYNTAX Integer32 (1..2147483647) 5293 MAX-ACCESS not-accessible 5294 STATUS current 5295 DESCRIPTION 5296 "The number of the previously active 5297 Endpoint associated 5298 with a IPsec Phase-2 Tunnel Table. The value 5299 of this index is a number which begins at 5300 one and is incremented with each Endpoint 5301 associated with an IPsec Phase-2 Tunnel. 5302 The value of this object will wrap at 2,147,483,647." 5303 ::= { ipSecEndPtHistEntry 1 } 5305 ipSecEndPtHistTunIndex OBJECT-TYPE 5306 SYNTAX Integer32 (1..2147483647) 5307 MAX-ACCESS read-only 5308 STATUS current 5309 DESCRIPTION 5310 "The index of the previously active IPsec 5311 Phase-2 Tunnel Table." 5312 ::= { ipSecEndPtHistEntry 2 } 5314 ipSecEndPtHistActiveIndex OBJECT-TYPE 5315 SYNTAX Integer32 (1..2147483647) 5316 MAX-ACCESS read-only 5317 STATUS current 5318 DESCRIPTION 5319 "The index of the previously active Endpoint." 
5320 ::= { ipSecEndPtHistEntry 3 } 5322 ipSecEndPtHistLocalName OBJECT-TYPE 5323 SYNTAX DisplayString 5324 MAX-ACCESS read-only 5325 STATUS current 5326 DESCRIPTION 5327 "The DNS name of the local Endpoint." 5328 ::= { ipSecEndPtHistEntry 4 } 5330 ipSecEndPtHistLocalType OBJECT-TYPE 5331 SYNTAX EndPtType 5332 --INTEGER { 5333 --singleIpAddr(1), 5334 --ipAddrRange(2), 5335 --ipSubnet(3) 5336 --} 5337 MAX-ACCESS read-only 5338 STATUS current 5339 DESCRIPTION 5340 "The type of identity for the local Endpoint. 5341 Possible values are: 5342 1) a single IP address, or 5343 2) an IP address range, or 5344 3) an IP subnet." 5345 ::= { ipSecEndPtHistEntry 5 } 5347 ipSecEndPtHistLocalAddr1 OBJECT-TYPE 5348 SYNTAX IPSIpAddress 5349 MAX-ACCESS read-only 5350 STATUS current 5351 DESCRIPTION 5352 "The local Endpoint's first IP address specification. 5354 If the local Endpoint type is single IP address, 5355 then this is the value of the IP address. 5357 If the local Endpoint type is IP subnet, then this 5358 is the value of the subnet. 5360 If the local Endpoint type is IP address range, 5361 then this is the value of beginning IP address of 5362 the range." 5363 ::= { ipSecEndPtHistEntry 6 } 5365 ipSecEndPtHistLocalAddr2 OBJECT-TYPE 5366 SYNTAX IPSIpAddress 5367 MAX-ACCESS read-only 5368 STATUS current 5369 DESCRIPTION 5370 "The local Endpoint's second IP address specification. 5372 If the local Endpoint type is single IP address, 5373 then this is the value of the IP address. 5375 If the local Endpoint type is IP subnet, then this 5376 is the value of the subnet mask. 5378 If the local Endpoint type is IP address range, 5379 then this is the value of ending IP address of 5380 the range." 5381 ::= { ipSecEndPtHistEntry 7 } 5383 ipSecEndPtHistLocalProtocol OBJECT-TYPE 5384 SYNTAX Integer32 (0..255) 5385 MAX-ACCESS read-only 5386 STATUS current 5387 DESCRIPTION 5388 "The protocol number of the local Endpoint's traffic." 
5389 ::= { ipSecEndPtHistEntry 8 } 5391 ipSecEndPtHistLocalPort OBJECT-TYPE 5392 SYNTAX Integer32 (0..65535) 5393 MAX-ACCESS read-only 5394 STATUS current 5395 DESCRIPTION 5396 "The port number of the local Endpoint's traffic." 5397 ::= { ipSecEndPtHistEntry 9 } 5399 ipSecEndPtHistRemoteName OBJECT-TYPE 5400 SYNTAX DisplayString 5401 MAX-ACCESS read-only 5402 STATUS current 5403 DESCRIPTION 5404 "The DNS name of the remote Endpoint." 5405 ::= { ipSecEndPtHistEntry 10 } 5407 ipSecEndPtHistRemoteType OBJECT-TYPE 5408 SYNTAX EndPtType 5409 --INTEGER { 5410 --singleIpAddr(1), 5411 --ipAddrRange(2), 5412 --ipSubnet(3) 5413 --} 5414 MAX-ACCESS read-only 5415 STATUS current 5416 DESCRIPTION 5417 "The type of identity for the remote Endpoint. 5418 Possible values are: 5419 1) a single IP address, or 5420 2) an IP address range, or 5421 3) an IP subnet." 5422 ::= { ipSecEndPtHistEntry 11 } 5424 ipSecEndPtHistRemoteAddr1 OBJECT-TYPE 5425 SYNTAX IPSIpAddress 5426 MAX-ACCESS read-only 5427 STATUS current 5428 DESCRIPTION 5429 "The remote Endpoint's first IP address specification. 5431 If the remote Endpoint type is single IP address, 5432 then this is the value of the IP address. 5434 If the remote Endpoint type is IP subnet, then this 5435 is the value of the subnet. 5437 If the remote Endpoint type is IP address range, 5438 then this is the value of beginning IP address of 5439 the range." 5440 ::= { ipSecEndPtHistEntry 12 } 5442 ipSecEndPtHistRemoteAddr2 OBJECT-TYPE 5443 SYNTAX IPSIpAddress 5444 MAX-ACCESS read-only 5445 STATUS current 5446 DESCRIPTION 5447 "The remote Endpoint's second IP address specification. 5449 If the remote Endpoint type is single IP address, 5450 then this 5451 is the value of the IP address. 5453 If the remote Endpoint type is IP subnet, then this 5454 is the value of the subnet mask. 5456 If the remote Endpoint type is IP address range, 5457 then this 5458 is the value of ending IP address of the range." 
5459 ::= { ipSecEndPtHistEntry 13 } 5461 ipSecEndPtHistRemoteProtocol OBJECT-TYPE 5462 SYNTAX Integer32 (0..255) 5463 MAX-ACCESS read-only 5464 STATUS current 5465 DESCRIPTION 5466 "The protocol number of the remote Endpoint's traffic." 5467 ::= { ipSecEndPtHistEntry 14 } 5469 ipSecEndPtHistRemotePort OBJECT-TYPE 5470 SYNTAX Integer32 (0..65535) 5471 MAX-ACCESS read-only 5472 STATUS current 5473 DESCRIPTION 5474 "The port number of the remote Endpoint's traffic." 5475 ::= { ipSecEndPtHistEntry 15 } 5477 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5478 -- The IPsec Failure Group 5479 -- 5480 -- This group consists of a: 5481 -- 1) IPsec Failure Global Objects 5482 -- 2) IPsec Phase-1 Tunnel Failure Table 5483 -- 3) IPsec Phase-2 Tunnel Failure Table 5484 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5485 ipSecFailGlobal OBJECT IDENTIFIER 5486 ::= { ipSecFailures 1 } 5487 ipSecFailPhaseOne OBJECT IDENTIFIER 5488 ::= { ipSecFailures 2 } 5489 ipSecFailPhaseTwo OBJECT IDENTIFIER 5490 ::= { ipSecFailures 3 } 5492 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5493 -- The IPsec Failure Global Control Objects 5494 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5495 ipSecFailGlobalCntl OBJECT IDENTIFIER 5496 ::= { ipSecFailGlobal 1 } 5498 ipSecFailTableSize OBJECT-TYPE 5499 SYNTAX Integer32 (1..2147483647) 5500 MAX-ACCESS read-write 5501 STATUS current 5502 DESCRIPTION 5503 "The window size of the IPsec Phase-1 and Phase-2 5504 Failure Tables. 5506 The IPsec Phase-1 and Phase-2 Failure Tables are 5507 implemented as a sliding window in which only the 5508 last N entries are maintained. This object is used 5509 to specify the number of entries which will be 5510 maintained in the IPsec Phase-1 and Phase-2 Failure 5511 Tables. 5513 An implementation may choose suitable minimum and 5514 maximum values for this element based on the local 5515 policy and available resources.
If an SNMP SET request 5516 specifies a value outside this window for this element, 5517 a BAD VALUE may be returned." 5519 ::= { ipSecFailGlobalCntl 1 } 5521 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5522 -- The IPsec Phase-1 Failure Table 5523 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5524 ikeFailTable OBJECT-TYPE 5525 SYNTAX SEQUENCE OF IkeFailEntry 5526 MAX-ACCESS not-accessible 5527 STATUS current 5528 DESCRIPTION 5529 "The IPsec Phase-1 Failure Table. 5530 This table is implemented as a sliding 5531 window in which only the last n entries are 5532 maintained. The maximum number of entries 5533 is specified by the ipSecFailTableSize object." 5534 ::= { ipSecFailPhaseOne 1 } 5536 ikeFailEntry OBJECT-TYPE 5537 SYNTAX IkeFailEntry 5538 MAX-ACCESS not-accessible 5539 STATUS current 5540 DESCRIPTION 5541 "Each entry contains the attributes associated 5542 with an IPsec Phase-1 failure." 5543 INDEX { ikeFailIndex } 5544 ::= { ikeFailTable 1 } 5546 IkeFailEntry ::= SEQUENCE { 5547 ikeFailIndex Integer32, 5548 ikeFailReason INTEGER, 5549 ikeFailTime TimeStamp, 5550 ikeFailLocalType Phase1PeerIdentityType, 5551 ikeFailLocalValue DisplayString, 5552 ikeFailRemoteType Phase1PeerIdentityType, 5553 ikeFailRemoteValue DisplayString, 5554 ikeFailLocalAddr IPSIpAddress, 5555 ikeFailRemoteAddr IPSIpAddress 5556 } 5558 ikeFailIndex OBJECT-TYPE 5559 SYNTAX Integer32 (1..2147483647) 5560 MAX-ACCESS not-accessible 5561 STATUS current 5562 DESCRIPTION 5563 "The IPsec Phase-1 Failure Table index. 5564 The value of the index is a number which 5565 begins at one and is incremented with each 5566 IPsec Phase-1 failure. The value 5567 of this object will wrap at 2,147,483,647." 
5568 ::= { ikeFailEntry 1 } 5570 ikeFailReason OBJECT-TYPE 5571 SYNTAX INTEGER{ 5572 other(1), 5573 peerDelRequest(2), 5574 peerLost(3), 5575 localFailure(4), 5576 authFailure(5), 5577 hashValidation(6), 5578 encryptFailure(7), 5579 internalError(8), 5580 sysCapExceeded(9), 5581 proposalFailure(10), 5582 peerCertUnavailable(11), 5583 peerCertNotValid(12), 5584 localCertExpired(13), 5585 crlFailure(14), 5586 peerEncodingError(15), 5587 nonExistentSa(16), 5588 xauthFailure(17), 5589 operRequest(18) 5590 } 5591 MAX-ACCESS read-only 5592 STATUS current 5593 DESCRIPTION 5594 "The reason for the failure. Possible reasons include: 5595 1 = other 5596 2 = peer delete request was received 5597 3 = contact with peer was lost 5598 4 = local failure occurred 5599 5 = authentication failure 5600 6 = hash validation failure 5601 7 = encryption failure 5602 8 = internal error occurred 5603 9 = system capacity failure 5604 10 = proposal failure 5605 11 = peer's certificate is unavailable 5606 12 = peer's certificate was found invalid 5607 13 = local certificate expired 5608 14 = certificate revoke list (crl) failure 5609 15 = peer encoding error 5610 16 = ISAKMP PDU has pointer to non-existent cookie 5611 17 = operator requested termination." 5612 ::= { ikeFailEntry 2 } 5614 ikeFailTime OBJECT-TYPE 5615 SYNTAX TimeStamp 5616 MAX-ACCESS read-only 5617 STATUS current 5618 DESCRIPTION 5619 "The value of sysUpTime in hundredths of seconds 5620 at the time of the failure." 5621 ::= { ikeFailEntry 3 } 5623 ikeFailLocalType OBJECT-TYPE 5624 SYNTAX Phase1PeerIdentityType 5625 MAX-ACCESS read-only 5626 STATUS current 5627 DESCRIPTION 5628 "The type of local peer identity. The local peer 5629 may be identified by: 5630 1. an IP address, or 5631 2. or a fully qualified domain name. 5632 3. or a distinguished name."
5633 ::= { ikeFailEntry 4 } 5635 ikeFailLocalValue OBJECT-TYPE 5636 SYNTAX DisplayString 5637 MAX-ACCESS read-only 5638 STATUS current 5639 DESCRIPTION 5640 "The value of the local peer identity. 5642 If the local peer type is an IP Address, then this 5643 is the IP Address used to identify the local peer. 5645 If the local peer type is id_fqdn, then this is 5646 the FQDN of the local entity. 5648 If the local peer type is a id_dn, then this is 5649 the distinguished named string of the local entity." 5650 ::= { ikeFailEntry 5 } 5652 ikeFailRemoteType OBJECT-TYPE 5653 SYNTAX Phase1PeerIdentityType 5654 MAX-ACCESS read-only 5655 STATUS current 5656 DESCRIPTION 5657 "The type of remote peer identity. The remote 5658 peer may be identified by: 5659 1. an IP address, or 5660 2. or a fully qualified domain name. 5662 3. or a distinguished name." 5663 ::= { ikeFailEntry 6 } 5665 ikeFailRemoteValue OBJECT-TYPE 5666 SYNTAX DisplayString 5667 MAX-ACCESS read-only 5668 STATUS current 5669 DESCRIPTION 5670 "The value of the remote peer identity. 5672 If the remote peer type is an IP Address, then this 5673 is the IP Address used to identify the remote peer. 5675 If the remote peer type is id_fqdn, then this is 5676 the FQDN of the remote peer. 5678 If the remote peer type is a id_dn, then this is 5679 the distinguished named string of the remote peer." 5680 ::= { ikeFailEntry 7 } 5682 ikeFailLocalAddr OBJECT-TYPE 5683 SYNTAX IPSIpAddress 5684 MAX-ACCESS read-only 5685 STATUS current 5686 DESCRIPTION 5687 "The IP address of the local peer." 5688 ::= { ikeFailEntry 8 } 5690 ikeFailRemoteAddr OBJECT-TYPE 5691 SYNTAX IPSIpAddress 5692 MAX-ACCESS read-only 5693 STATUS current 5694 DESCRIPTION 5695 "The IP address of the remote peer." 
5696 ::= { ikeFailEntry 9 } 5698 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5699 -- The IPsec Phase-2 Failure Table 5700 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5701 ipSecFailTable OBJECT-TYPE 5702 SYNTAX SEQUENCE OF IpSecFailEntry 5703 MAX-ACCESS not-accessible 5704 STATUS current 5705 DESCRIPTION 5706 "The IPsec Phase-2 Failure Table. 5707 This table is implemented as a sliding window 5708 in which only the last n entries are maintained. 5710 The maximum number of entries 5711 is specified by the ipSecFailTableSize object." 5712 ::= { ipSecFailPhaseTwo 1 } 5714 ipSecFailEntry OBJECT-TYPE 5715 SYNTAX IpSecFailEntry 5716 MAX-ACCESS not-accessible 5717 STATUS current 5718 DESCRIPTION 5719 "Each entry contains the attributes associated with 5720 an IPsec Phase-1 failure." 5721 INDEX { ipSecFailIndex } 5722 ::= { ipSecFailTable 1 } 5724 IpSecFailEntry ::= SEQUENCE { 5725 ipSecFailIndex Integer32, 5726 ipSecFailReason INTEGER, 5727 ipSecFailTime TimeStamp, 5728 ipSecFailTunnelIndex Integer32, 5729 ipSecFailSaSpi Integer32, 5730 ipSecFailPktSrcAddr IPSIpAddress, 5731 ipSecFailPktDstAddr IPSIpAddress 5732 } 5734 ipSecFailIndex OBJECT-TYPE 5735 SYNTAX Integer32 (1..2147483647) 5736 MAX-ACCESS not-accessible 5737 STATUS current 5738 DESCRIPTION 5739 "The IPsec Phase-2 Failure Table index. 5740 The value of the index is a number which 5741 begins at one and is incremented with each 5742 IPsec Phase-1 failure. The value 5743 of this object will wrap at 2,147,483,647." 
5744 ::= { ipSecFailEntry 1 } 5746 ipSecFailReason OBJECT-TYPE 5747 SYNTAX INTEGER{ 5748 other(1), 5749 internalError(2), 5750 peerEncodingError(3), 5751 proposalFailure(4), 5752 protocolUseFail(5), 5753 nonExistentSa(6), 5754 decryptFailure(7), 5755 encryptFailure(8), 5756 inAuthFailure(9), 5757 outAuthFailure(10), 5758 compression(11), 5759 sysCapExceeded(12), 5760 peerDelRequest(13), 5761 peerLost(14), 5762 seqNumRollOver(15), 5763 operRequest(16) 5764 } 5765 MAX-ACCESS read-only 5766 STATUS current 5767 DESCRIPTION 5768 "The reason for the failure. Possible reasons 5769 include: 5770 1 = other 5771 2 = internal error occurred 5772 3 = peer encoding error 5773 4 = proposal failure 5774 5 = protocol use failure 5775 6 = non-existent security association 5776 7 = decryption failure 5777 8 = encryption failure 5778 9 = inbound authentication failure 5779 10 = outbound authentication failure 5780 11 = compression failure 5781 12 = system capacity failure 5782 13 = peer delete request was received 5783 14 = contact with peer was lost 5784 15 = sequence number rolled over 5785 16 = operator requested termination." 5786 ::= { ipSecFailEntry 2 } 5788 ipSecFailTime OBJECT-TYPE 5789 SYNTAX TimeStamp 5790 MAX-ACCESS read-only 5791 STATUS current 5792 DESCRIPTION 5793 "The value of sysUpTime in hundredths of seconds 5794 at the time of the failure." 5795 ::= { ipSecFailEntry 3 } 5797 ipSecFailTunnelIndex OBJECT-TYPE 5798 SYNTAX Integer32 (1..2147483647) 5799 MAX-ACCESS read-only 5800 STATUS current 5801 DESCRIPTION 5802 "The Phase-2 Tunnel index (ipSecTunIndex)." 5803 ::= { ipSecFailEntry 4 } 5805 ipSecFailSaSpi OBJECT-TYPE 5806 SYNTAX Integer32 (0..2147483647) 5807 MAX-ACCESS read-only 5808 STATUS current 5809 DESCRIPTION 5810 "The security association SPI value." 5811 ::= { ipSecFailEntry 5 } 5813 ipSecFailPktSrcAddr OBJECT-TYPE 5814 SYNTAX IPSIpAddress 5815 MAX-ACCESS read-only 5816 STATUS current 5817 DESCRIPTION 5818 "The packet's source IP address." 
5819 ::= { ipSecFailEntry 6 } 5821 ipSecFailPktDstAddr OBJECT-TYPE 5822 SYNTAX IPSIpAddress 5823 MAX-ACCESS read-only 5824 STATUS current 5825 DESCRIPTION 5826 "The packet's destination IP address." 5827 ::= { ipSecFailEntry 7 } 5829 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5830 -- The IPsec TRAP Control Group 5831 -- 5832 -- This group of objects controls the sending of IPsec TRAPs. 5833 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5834 ipSecTrapCntlIkeTunnelStart OBJECT-TYPE 5835 SYNTAX TrapStatus 5836 MAX-ACCESS read-write 5837 STATUS current 5838 DESCRIPTION 5839 "This object defines the administrative state of 5840 sending the IPsec IKE Phase-1 Tunnel Start TRAP " 5841 DEFVAL { disabled } 5842 ::= { ipSecTrapCntl 1 } 5844 ipSecTrapCntlIkeTunnelStop OBJECT-TYPE 5845 SYNTAX TrapStatus 5846 MAX-ACCESS read-write 5847 STATUS current 5848 DESCRIPTION 5849 "This object defines the administrative state 5850 of sending the 5851 IPsec IKE Phase-1 Tunnel Stop TRAP " 5852 DEFVAL { disabled } 5853 ::= { ipSecTrapCntl 2 } 5855 ipSecTrapCntlIkeSysFailure OBJECT-TYPE 5856 SYNTAX TrapStatus 5857 MAX-ACCESS read-write 5858 STATUS current 5859 DESCRIPTION 5860 "This object defines the administrative state 5861 of sending the 5862 IPsec IKE Phase-1 System Failure TRAP " 5863 DEFVAL { disabled } 5864 ::= { ipSecTrapCntl 3 } 5866 ipSecTrapCntlIkeCertCrlFailure OBJECT-TYPE 5867 SYNTAX TrapStatus 5868 MAX-ACCESS read-write 5869 STATUS current 5870 DESCRIPTION 5871 "This object defines the administrative 5872 state of sending the 5873 IPsec IKE Phase-1 Certificate/CRL Failure TRAP " 5874 DEFVAL { disabled } 5875 ::= { ipSecTrapCntl 4 } 5877 ipSecTrapCntlIkeProtocolFail OBJECT-TYPE 5878 SYNTAX TrapStatus 5879 MAX-ACCESS read-write 5880 STATUS current 5881 DESCRIPTION 5882 "This object defines the administrative 5883 state of sending the 5884 IPsec IKE Phase-1 Protocol Failure TRAP " 5885 DEFVAL { disabled } 5886 ::= { ipSecTrapCntl 5 } 5888 
ipSecTrapCntlIkeNoSa OBJECT-TYPE 5889 SYNTAX TrapStatus 5890 MAX-ACCESS read-write 5891 STATUS current 5892 DESCRIPTION 5893 "This object defines the administrative 5894 state of sending the IPsec IKE Phase-1 5895 No Security Association TRAP." 5896 DEFVAL { disabled } 5897 ::= { ipSecTrapCntl 6 } 5899 ipSecTrapCntlIpSecTunnelStart OBJECT-TYPE 5900 SYNTAX TrapStatus 5901 MAX-ACCESS read-write 5902 STATUS current 5903 DESCRIPTION 5904 "This object defines the administrative state 5905 of sending the IPsec 5906 Phase-2 Tunnel Start TRAP " 5907 DEFVAL { disabled } 5908 ::= { ipSecTrapCntl 7 } 5910 ipSecTrapCntlIpSecTunnelStop OBJECT-TYPE 5911 SYNTAX TrapStatus 5912 MAX-ACCESS read-write 5913 STATUS current 5914 DESCRIPTION 5915 "This object defines the administrative 5916 state of sending the IPsec 5917 Phase-2 Tunnel Stop TRAP " 5918 DEFVAL { disabled } 5919 ::= { ipSecTrapCntl 8 } 5921 ipSecTrapCntlIpSecSysFailure OBJECT-TYPE 5922 SYNTAX TrapStatus 5923 MAX-ACCESS read-write 5924 STATUS current 5925 DESCRIPTION 5926 "This object defines the administrative state 5927 of sending the IPsec 5928 Phase-2 System Failure TRAP " 5929 DEFVAL { disabled } 5930 ::= { ipSecTrapCntl 9 } 5932 ipSecTrapCntlIpSecSetUpFailure OBJECT-TYPE 5933 SYNTAX TrapStatus 5934 MAX-ACCESS read-write 5935 STATUS current 5936 DESCRIPTION 5937 "This object defines the administrative state 5938 of sending the IPsec 5939 Phase-2 Set Up Failure TRAP " 5940 DEFVAL { disabled } 5941 ::= { ipSecTrapCntl 10 } 5943 ipSecTrapCntlIpSecEarlyTunTerm OBJECT-TYPE 5944 SYNTAX TrapStatus 5945 MAX-ACCESS read-write 5946 STATUS current 5947 DESCRIPTION 5948 "This object defines the administrative state 5949 of sending the IPsec 5950 Phase-2 Early Tunnel Termination TRAP " 5951 DEFVAL { disabled } 5952 ::= { ipSecTrapCntl 11 } 5954 ipSecTrapCntlIpSecProtocolFail OBJECT-TYPE 5955 SYNTAX TrapStatus 5956 MAX-ACCESS read-write 5957 STATUS current 5958 DESCRIPTION 5959 "This object defines the administrative state 5960 of 
sending the IPsec 5961 Phase-2 Protocol Failure TRAP " 5962 DEFVAL { disabled } 5963 ::= { ipSecTrapCntl 12 } 5965 ipSecTrapCntlIpSecNoSa OBJECT-TYPE 5966 SYNTAX TrapStatus 5967 MAX-ACCESS read-write 5968 STATUS current 5969 DESCRIPTION 5970 "This object defines the administrative state 5971 of sending the IPsec Phase-2 No Security 5972 Association TRAP " 5973 DEFVAL { disabled } 5974 ::= { ipSecTrapCntl 13 } 5976 ipSecTrapCntlInNewGrpRejected OBJECT-TYPE 5977 SYNTAX TrapStatus 5978 MAX-ACCESS read-write 5979 STATUS current 5980 DESCRIPTION 5981 "This object defines the administrative state 5982 of sending the IPsec Phase-2 No Security 5983 Association TRAP " 5984 DEFVAL { disabled } 5985 ::= { ipSecTrapCntl 14 } 5987 ipSecTrapCntlOutNewGrpRejected OBJECT-TYPE 5988 SYNTAX TrapStatus 5989 MAX-ACCESS read-write 5990 STATUS current 5991 DESCRIPTION 5992 "This object defines the administrative state 5993 of sending the IPsec Phase-2 No Security 5994 Association TRAP " 5995 DEFVAL { disabled } 5996 ::= { ipSecTrapCntl 15 } 5998 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5999 -- IPsec Notifications - TRAPs 6000 -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 6002 ipSecMIBNotificationPrefix OBJECT IDENTIFIER 6003 ::= {ipSecFlowMonitorMIB 2} 6005 ipSecMIBNotifications OBJECT IDENTIFIER 6006 ::= { ipSecMIBNotificationPrefix 0} 6008 ikeTunnelStart NOTIFICATION-TYPE 6009 OBJECTS { 6010 phase1PeerLocalAddr, 6011 phase1PeerRemoteAddr, 6012 ikeTunLifeTime 6013 } 6014 STATUS current 6015 DESCRIPTION 6016 "This notification is generated when an IPsec Phase-1 6017 IKE Tunnel becomes active." 6018 ::= { ipSecMIBNotifications 1 } 6020 ikeTunnelStop NOTIFICATION-TYPE 6021 OBJECTS { 6022 ikeTunHistTermReason, 6023 phase1PeerLocalAddr, 6024 phase1PeerRemoteAddr, 6025 ikeTunActiveTime 6026 } 6027 STATUS current 6028 DESCRIPTION 6029 "This notification is generated when an IPsec Phase-1 6030 IKE Tunnel becomes inactive." 
6031      ::= { ipSecMIBNotifications 2 }

6033  ikeSysFailure NOTIFICATION-TYPE
6034      OBJECTS {
6035          phase1PeerLocalAddr,
6036          phase1PeerRemoteAddr
6037      }
6038      STATUS current
6039      DESCRIPTION
6040          "This notification is generated when the processing for
6041           an IPsec Phase-1 IKE Tunnel experiences an internal
6042           or system capacity error."
6043      ::= { ipSecMIBNotifications 3 }

6045  ikeCertCrlFailure NOTIFICATION-TYPE
6046      OBJECTS {
6047          phase1PeerLocalAddr,
6048          phase1PeerRemoteAddr
6049      }
6050      STATUS current
6051      DESCRIPTION
6052          "This notification is generated when the processing for
6053           an IPsec Phase-1 IKE Tunnel experiences a Certificate
6054           or a Certificate Revoke List (CRL) related error."
6055      ::= { ipSecMIBNotifications 4 }

6057  ikeProtocolFailure NOTIFICATION-TYPE
6058      OBJECTS {
6059          phase1PeerLocalAddr,
6060          phase1PeerRemoteAddr
6061      }
6062      STATUS current
6063      DESCRIPTION
6064          "This notification is generated when the processing for
6065           an IPsec Phase-1 IKE Tunnel experiences a protocol
6066           related error."
6067      ::= { ipSecMIBNotifications 5 }

6069  ikeNoSa NOTIFICATION-TYPE
6070      OBJECTS {
6071          phase1PeerLocalAddr,
6072          phase1PeerRemoteAddr
6073      }
6074      STATUS current
6075      DESCRIPTION
6076          "This notification is generated when the IKE entity
6077           receives an ISAKMP PDU with a reference to a non-existent
6078           cookie."
6079      ::= { ipSecMIBNotifications 6 }

6081  ipSecTunnelStart NOTIFICATION-TYPE
6082      OBJECTS {
6083          ipSecTunLifeTime,
6084          ipSecTunLifeSize
6085      }

6087      STATUS current
6088      DESCRIPTION
6089          "This notification is generated when an IPsec Phase-2
6090           Tunnel becomes active."
6091      ::= { ipSecMIBNotifications 7 }

6093  ipSecTunnelStop NOTIFICATION-TYPE
6094      OBJECTS {
6095          ipSecTunHistTermReason,
6096          ipSecTunActiveTime
6097      }
6098      STATUS current
6099      DESCRIPTION
6100          "This notification is generated when an IPsec Phase-2
6101           Tunnel becomes inactive."
6102      ::= { ipSecMIBNotifications 8 }

6104  ipSecSysFailure NOTIFICATION-TYPE
6105      OBJECTS {
6106          phase1PeerLocalAddr,
6107          phase1PeerRemoteAddr,
6108          ipSecTunActiveTime,
6109          ipSecSpiProtocol
6110      }
6111      STATUS current
6112      DESCRIPTION
6113          "This notification is generated when the processing for
6114           an IPsec Phase-2 Tunnel experiences an internal
6115           or system capacity error."
6116      ::= { ipSecMIBNotifications 9 }

6118  ipSecSetUpFailure NOTIFICATION-TYPE
6119      OBJECTS {
6120          phase1PeerLocalAddr,
6121          phase1PeerRemoteAddr
6122      }
6123      STATUS current
6124      DESCRIPTION
6125          "This notification is generated when the setup for
6126           an IPsec Phase-2 Tunnel fails."
6127      ::= { ipSecMIBNotifications 10 }

6129  ipSecEarlyTunTerm NOTIFICATION-TYPE
6130      OBJECTS {
6131          ipSecTunActiveTime,
6132          ipSecSpiProtocol
6133      }

6135      STATUS current
6136      DESCRIPTION
6137          "This notification is generated when an IPsec Phase-2
6138           Tunnel is terminated early or before expected."
6139      ::= { ipSecMIBNotifications 11 }

6141  ipSecProtocolFailure NOTIFICATION-TYPE
6142      OBJECTS {
6143          ipSecTunActiveTime,
6144          ipSecSpiProtocol
6145      }
6146      STATUS current
6147      DESCRIPTION
6148          "This notification is generated when the processing for
6149           an IPsec Phase-2 Tunnel experiences a protocol
6150           related error."
6151      ::= { ipSecMIBNotifications 12 }

6153  ipSecNoSa NOTIFICATION-TYPE
6154      STATUS current
6155      DESCRIPTION
6156          "This notification is generated when the managed entity
6157           receives an IPsec packet with a non-existent SPI."
6158      ::= { ipSecMIBNotifications 13 }

6160  ipSecInNewGrpRejected NOTIFICATION-TYPE
6161      OBJECTS {
6162          phase1PeerLocalAddr,
6163          phase1PeerRemoteAddr
6164      }
6165      STATUS current
6166      DESCRIPTION
6167          "This notification is generated when the managed entity
6168           receives and rejects an incoming new group proposal
6169           from an IKE peer (ikePeerRemoteAddr). The ISAKMP
6170           context of the exchange can be obtained from the IKE
6171           tunnel index which is contained in the index of the
6172           varbind objects of this trap."
6173      ::= { ipSecMIBNotifications 14 }

6175  ipSecOutNewGrpRejected NOTIFICATION-TYPE
6176      OBJECTS {
6177          phase1PeerLocalAddr,
6178          phase1PeerRemoteAddr
6179      }
6180      STATUS current
6181      DESCRIPTION
6182          "This notification is generated when the managed entity
6183           issues a new group proposal to the peer (ikePeerRemoteAddr)
6184           and the peer rejects the proposal. The ISAKMP context of
6185           the exchange can be obtained from the IKE tunnel index
6186           which is contained in the index of the varbind objects
6187           of this trap."
6188      ::= { ipSecMIBNotifications 15 }

6190  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
6191  -- Conformance Information
6192  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
6193  ipSecMIBConformance OBJECT IDENTIFIER
6194      ::= { ipSecFlowMonitorMIB 3 }

6196  ipSecMIBGroups OBJECT IDENTIFIER
6197      ::= { ipSecMIBConformance 1 }

6199  ipSecMIBCompliances OBJECT IDENTIFIER
6200      ::= { ipSecMIBConformance 2 }

6202  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
6203  -- Compliance Statements
6204  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
6205  ipSecMIBCompliance MODULE-COMPLIANCE
6206      STATUS current
6207      DESCRIPTION
6208          "The compliance statement for SNMP entities
6209           the IP Security Protocol."

6211      MODULE -- this module
6212      MANDATORY-GROUPS { ipSecLevelsGroup,
6213                         ipSecPeerAssociationGroup,
6214                         ipSecPhaseTwoGroup
6215      }

6217      --GROUP ipSecLevelsGroup
6218      --DESCRIPTION "The ipSecLevelsGroup is a mandatory group
6219      --containing objects providing meta-information
6220      --about the MIB itself and its version."
6222      --GROUP ipSecPhaseOneGroup
6223      --DESCRIPTION "The ipSecPhaseOneGroup is a mandatory group
6224      --containing objects providing information
6225      --about IKE and ISAKMP activity and structures
6226      --resulting from such activity in the managed
6227      --entity."

6229      GROUP ipSecIkeGroup
6230      DESCRIPTION "The ipSecIkeGroup is a conditional group
6231                   containing objects providing information
6232                   about IKE and ISAKMP activity and structures
6233                   resulting from such activity in the managed
6234                   entity."

6236      --GROUP ipSecPeerAssociationGroup
6237      --DESCRIPTION "The ipSecPeerAssociationGroup is a mandatory
6238      --group containing objects providing information
6239      --about association of the managed entity
6240      --with peers in Phase 1."

6242      --GROUP ipSecIkeGroup
6243      --DESCRIPTION "The ipSecIkeGroup encloses all the IKE
6244      --related MIB elements. This is an optional
6245      --group and needs to be implemented only if
6246      --the managed entity implements IKE protocol."

6248      --GROUP ipSecPhaseTwoGroup
6249      --DESCRIPTION "The ipSecPhaseTwoGroup is a mandatory group
6250      --containing objects providing information
6251      --about Phase-2 IPsec (Quick Mode & New Grp
6252      --Mode) activity and structures resulting
6253      --from such activity in the managed entity."

6255      GROUP ipSecHistoryGroup
6256      DESCRIPTION "The ipSecHistoryGroup is an optional group
6257                   containing objects providing information
6258                   about expired structures pertaining to
6259                   Phase-1 (IKE & ISAKMP) and Phase-2 IPsec
6260                   (Quick Mode & New Grp Mode) activity.

6262                   This group consists of:
6263                   1) IPsec History Global Objects
6264                   2) IPsec Phase-1 History Objects
6265                   3) IPsec Phase-2 History Objects"

6267      GROUP ipSecFailuresGroup
6268      DESCRIPTION "The ipSecFailuresGroup is an optional group
6269                   containing objects providing information
6270                   about failures of operations pertaining to
6271                   Phase-1 (IKE & ISAKMP) and Phase-2 IPsec
6272                   (Quick Mode & New Grp Mode) activity.
6274                   This group consists of:

6276                   1) IPsec Failure Global Objects
6277                   2) IPsec Phase-1 Tunnel Failure Table
6278                   3) IPsec Phase-2 Tunnel Failure Table"

6280      GROUP ipSecTrapCntlGroup
6281      DESCRIPTION "The ipSecTrapCntlGroup is an optional group
6282                   containing objects providing control of
6283                   notifications pertaining to Phase-1 (IKE &
6284                   ISAKMP) and Phase-2 IPsec (Quick Mode &
6285                   New Grp Mode) activity."

6287      GROUP ipSecModeConfigGroup
6288      DESCRIPTION "The ipSecModeConfigGroup is an optional group
6289                   containing objects providing information
6290                   about the IKE Mode Configuration activity
6291                   on the managed entity.

6293                   This group consists of:
6294                   1) Global metrics about IKE Mode
6295                      Configuration activity
6296                   2) Phase-1 IKE Tunnel-wise Mode Configuration
6297                      metrics
6298                   3) Historical IKE Mode Configuration metrics
6299                      on a per expired tunnel basis."

6301      GROUP ipSecNewGrpGroup
6302      DESCRIPTION
6303          "The ipSecNewGrpGroup is an optional group
6304           containing objects providing information
6305           about the Phase-2 New Group activity on the
6306           managed entity.

6308           This group consists of:
6309           1) Global metrics about new group negotiations
6310           2) Phase-1 IKE Tunnel-wise new group metrics
6311           3) Historical new group metrics on a per tunnel basis.
6312           4) Notifications pertaining to new grp failures."

6314      OBJECT ikeTunStatus
6315      MIN-ACCESS read-only
6316      DESCRIPTION
6317          "Write access is not required."

6319      OBJECT ipSecTunStatus
6320      MIN-ACCESS read-only
6321      DESCRIPTION
6322          "Write access is not required."
6324      ::= { ipSecMIBCompliances 1 }

6326  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
6327  -- Units of Conformance
6328  -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
6329  ipSecLevelsGroup OBJECT-GROUP
6330      OBJECTS {
6331          ipSecMibLevel
6332      }
6333      STATUS current
6334      DESCRIPTION
6335          "This group consists of a:
6336           1) IPsec MIB Level"
6337      ::= { ipSecMIBGroups 1 }

6339  ipSecIkeGroup OBJECT-GROUP
6340      OBJECTS {
6341          -- The IPsec Phase-1 Global Statistics
6342          ikeGlobalActiveTunnels,
6343          ikeGlobalPreviousTunnels,
6344          ikeGlobalHcPreviousTunnels,
6345          ikeGlobalPreviousTunnelsWraps,
6346          ikeGlobalInOctets,
6347          ikeGlobalInPkts,
6348          ikeGlobalInDropPkts,
6349          ikeGlobalInNotifys,
6350          ikeGlobalInP2Exchgs,
6351          ikeGlobalInP2ExchgInvalids,
6352          ikeGlobalInP2ExchgRejects,
6353          ikeGlobalInP2SaDelRequests,
6354          ikeGlobalOutOctets,
6355          ikeGlobalOutPkts,
6356          ikeGlobalOutDropPkts,
6357          ikeGlobalOutNotifys,
6358          ikeGlobalOutP2Exchgs,
6359          ikeGlobalOutP2ExchgInvalids,
6360          ikeGlobalOutP2ExchgRejects,
6361          ikeGlobalOutP2SaDelRequests,
6362          ikeGlobalInitTunnels,
6363          ikeGlobalInitTunnelFails,
6364          ikeGlobalRespTunnelFails,
6365          ikeGlobalSysCapFails,
6366          ikeGlobalAuthFails,
6367          ikeGlobalDecryptFails,
6368          ikeGlobalHashValidFails,
6369          ikeGlobalNoSaFails,
6370          ikeGlobalRespTunnels,
6371          ikeGlobalInP1SaDelRequests,
6372          ikeGlobalOutP1SaDelRequests,

6374          -- The IPsec Phase-1 Internet Key Exchange
6375          -- Tunnel Table
6376          ikeTunLocalType,
6377          ikeTunLocalValue,
6378          ikeTunLocalAddr,
6379          ikeTunLocalName,
6380          ikeTunRemoteType,
6381          ikeTunRemoteValue,
6382          ikeTunRemoteAddr,
6383          ikeTunRemoteName,
6384          ikeTunNegoMode,
6385          ikeTunDiffHellmanGrp,
6386          ikeTunEncryptAlgo,
6387          ikeTunHashAlgo,
6388          ikeTunAuthMethod,
6389          ikeTunLifeTime,
6390          ikeTunActiveTime,
6391          ikeTunSaRefreshThreshold,
6392          ikeTunTotalRefreshes,
6393          ikeTunInOctets,
6394          ikeTunInPkts,
6395          ikeTunInDropPkts,
6396          ikeTunInNotifys,
6397          ikeTunInP2Exchgs,
6398          ikeTunInP2ExchgInvalids,
6399          ikeTunInP2ExchgRejects,
6400          ikeTunInP2SaDelRequests,
6401          ikeTunOutOctets,
6402          ikeTunOutPkts,
6403          ikeTunOutDropPkts,
6404          ikeTunOutNotifys,
6405          ikeTunOutP2Exchgs,
6406          ikeTunOutP2ExchgInvalids,
6407          ikeTunOutP2ExchgRejects,
6408          ikeTunOutP2SaDelRequests,
6409          ikeTunStatus,
6410          ikeTunEncryptKeySize
6411      }
6412      STATUS current
6413      DESCRIPTION
6414          "This group consists of:
6415           1) IKE Global Objects
6416           2) IKE Tunnel table."

6418      ::= { ipSecMIBGroups 2 }

6420  ipSecPeerAssociationGroup OBJECT-GROUP
6421      OBJECTS {
6422          -- The Phase-1 Peer Association group
6423          phase1PeerLocalValue,
6424          phase1PeerRemoteValue,
6425          phase1PeerLocalAddr,
6426          phase1PeerRemoteAddr,
6427          phase1PeerActiveTime,
6428          phase1PeerActiveTunnelIndex,
6429          phase1PeerConfigAppVersion,
6430          phase1PeerConfigAddress,
6431          phase1PeerConfigNetmask,
6432          phase1PeerConfigDns,
6433          phase1PeerConfigNbns,
6434          phase1PeerConfigDhcp,
6435          phase1Protocol,
6436          --
6437          --phase1PeerCorrLocalType,
6438          --phase1PeerCorrLocalValue,
6439          --phase1PeerCorrRemoteType,
6440          --phase1PeerCorrRemoteValue,
6441          --phase1PeerCorrIntIndex,
6442          --phase1PeerCorrSeqNum,
6443          phase1PeerCorrIpSecTunIndex,
6444          phase1PeerCorrControlProtocol
6445      }
6446      STATUS current
6447      DESCRIPTION
6448          "This group consists of:
6449           1) IPsec Phase-1 Peer Association table.
6450           2) IPsec Phase-1 Correlation Table"
6451      ::= { ipSecMIBGroups 3 }

6453  ipSecXauthGroup OBJECT-GROUP
6454      OBJECTS {
6455          -- The IPsec extended authentication (Phase-1.5)
6456          -- Global Statistics
6457          ikeGlobalInXauthFailures,
6458          ikeGlobalOutXauthFailures
6459      }
6460      STATUS current
6461      DESCRIPTION
6462          "This group consists of metrics pertaining to
6463           IKE extended authentication. Devices that do
6464           not support Xauth need not implement this group."
6466      ::= { ipSecMIBGroups 4 }

6468  ipSecPhaseTwoGroup OBJECT-GROUP
6469      OBJECTS {
6470          -- The IPsec Phase-2 Global Tunnel Statistics
6471          ipSecGlobalActiveTunnels,
6472          ipSecGlobalPreviousTunnels,
6473          ipSecGlobalHcPreviousTunnels,
6474          ipSecGlobalPreviousTunnelsWraps,
6475          ipSecGlobalInOctets,
6476          ipSecGlobalHcInOctets,
6477          ipSecGlobalInOctWraps,
6478          ipSecGlobalInDecompOctets,
6479          ipSecGlobalHcInDecompOctets,
6480          ipSecGlobalInDecompOctWraps,
6481          ipSecGlobalInPkts,
6482          ipSecGlobalInDrops,
6483          ipSecGlobalInReplayDrops,
6484          ipSecGlobalInAuths,
6485          ipSecGlobalInAuthFails,
6486          ipSecGlobalInDecrypts,
6487          ipSecGlobalInDecryptFails,
6488          ipSecGlobalOutOctets,
6489          ipSecGlobalHcOutOctets,
6490          ipSecGlobalOutOctWraps,
6491          ipSecGlobalOutUncompOctets,
6492          ipSecGlobalHcOutUncompOctets,
6493          ipSecGlobalOutUncompOctWraps,
6494          ipSecGlobalOutPkts,
6495          ipSecGlobalOutDrops,
6496          ipSecGlobalOutAuths,
6497          ipSecGlobalOutAuthFails,
6498          ipSecGlobalOutEncrypts,
6499          ipSecGlobalOutEncryptFails,
6500          ipSecGlobalProtocolUseFails,
6501          ipSecGlobalNoSaFails,
6502          ipSecGlobalSysCapFails,
6503          ipSecGlobalOutCompressedPkts,
6504          ipSecGlobalOutCompSkippedPkts,
6505          ipSecGlobalOutCompFailPkts,
6506          ipSecGlobalOutCompTooSmallPkts,

6508          -- The IPsec Phase-2 Tunnel Table
6509          -- ipSecTunIndex,
6510          -- ipSecTunIkeTunnelIndex,
6511          -- ipSecTunIkeTunnelAlive,
6512          ipSecTunLocalAddr,
6513          ipSecTunRemoteAddr,
6514          -- ipSecTunKeyType,
6515          ipSecTunEncapMode,
6516          ipSecTunLifeSize,
6517          ipSecTunLifeTime,
6518          ipSecTunActiveTime,
6519          ipSecTunSaLifeSizeThreshold,
6520          ipSecTunSaLifeTimeThreshold,
6521          ipSecTunTotalRefreshes,
6522          ipSecTunExpiredSaInstances,
6523          ipSecTunCurrentSaInstances,
6524          ipSecTunInSaDiffHellmanGrp,
6525          ipSecTunInSaEncryptAlgo,
6526          ipSecTunInSaAhAuthAlgo,
6527          ipSecTunInSaEspAuthAlgo,
6528          ipSecTunInSaDecompAlgo,
6529          ipSecTunOutSaDiffHellmanGrp,
6530          ipSecTunOutSaEncryptAlgo,
6531          ipSecTunOutSaAhAuthAlgo,
6532          ipSecTunOutSaEspAuthAlgo,
6533          ipSecTunOutSaCompAlgo,
6534          ipSecTunPmtu,
6535          ipSecTunInOctets,
6536          ipSecTunHcInOctets,
6537          ipSecTunInOctWraps,
6538          ipSecTunInDecompOctets,
6539          ipSecTunHcInDecompOctets,
6540          ipSecTunInDecompOctWraps,
6541          ipSecTunInPkts,
6542          ipSecTunInDropPkts,
6543          ipSecTunInReplayDropPkts,
6544          ipSecTunInAuths,
6545          ipSecTunInAuthFails,
6546          ipSecTunInDecrypts,
6547          ipSecTunInDecryptFails,
6548          ipSecTunOutOctets,
6549          ipSecTunHcOutOctets,
6550          ipSecTunOutOctWraps,
6551          ipSecTunOutUncompOctets,
6552          ipSecTunHcOutUncompOctets,
6553          ipSecTunOutUncompOctWraps,
6554          ipSecTunOutPkts,
6555          ipSecTunOutDropPkts,
6556          ipSecTunOutAuths,
6557          ipSecTunOutAuthFails,
6558          ipSecTunOutEncrypts,
6559          ipSecTunOutEncryptFails,
6560          ipSecTunOutCompressedPkts,
6561          ipSecTunOutCompSkippedPkts,
6562          ipSecTunOutCompFailPkts,
6563          ipSecTunOutCompTooSmallPkts,
6564          ipSecTunStatus,
6565          ipSecTunControlTunnelIndex,
6566          ipSecTunControlProtocol,
6567          ipSecTunControlTunnelAlive,
6568          ipSecTunInSaEncryptKeySize,
6569          ipSecTunOutSaEncryptKeySize,

6571          -- The IPsec Phase-2 Tunnel Endpoint Table
6572          -- ipSecEndPtIndex,
6573          ipSecEndPtLocalName,
6574          ipSecEndPtLocalType,
6575          ipSecEndPtLocalAddr1,
6576          ipSecEndPtLocalAddr2,
6577          ipSecEndPtLocalProtocol,
6578          ipSecEndPtLocalPort,
6579          ipSecEndPtRemoteName,
6580          ipSecEndPtRemoteType,
6581          ipSecEndPtRemoteAddr1,
6582          ipSecEndPtRemoteAddr2,
6583          ipSecEndPtRemoteProtocol,
6584          ipSecEndPtRemotePort,

6586          -- The IPsec Phase-2 Security Association Table
6587          -- ipSecTunIndex
6588          ipSecSaDirection,
6589          ipSecSaValue,
6590          ipSecSaProtocol,
6591          ipSecSaStatus
6592      }
6593      STATUS current
6594      DESCRIPTION
6595          "This group consists of:
6596           1) IPsec Phase-2 Global Statistics
6597           2) IPsec Phase-2 Tunnel Table
6598           3) IPsec Phase-2 Endpoint Table
6599           4) IPsec Phase-2 Security Protection Index Table"
6600      ::= { ipSecMIBGroups 5 }

6602  ipSecHistoryGroup OBJECT-GROUP
6603      OBJECTS {
6604          -- IPsec History Global Control Objects
6605          ipSecHistTableSize,
6606          ipSecHistCheckPoint,
6607          -- The IPsec Phase-1 Tunnel History Table
6608          ikeTunHistTermReason,
6609          ikeTunHistActiveIndex,
6610          ikeTunHistPeerLocalType,
6611          ikeTunHistPeerLocalValue,
6612          ikeTunHistPeerIntIndex,
6613          ikeTunHistPeerRemoteType,
6614          ikeTunHistPeerRemoteValue,
6615          ikeTunHistLocalAddr,
6616          ikeTunHistLocalName,
6617          ikeTunHistRemoteAddr,
6618          ikeTunHistRemoteName,
6619          ikeTunHistNegoMode,
6620          ikeTunHistDiffHellmanGrp,
6621          ikeTunHistEncryptAlgo,
6622          ikeTunHistEncryptKeySize,
6623          ikeTunHistHashAlgo,
6624          ikeTunHistAuthMethod,
6625          ikeTunHistLifeTime,
6626          ikeTunHistStartTime,
6627          ikeTunHistActiveTime,
6628          ikeTunHistTotalRefreshes,
6629          ikeTunHistTotalSas,
6630          ikeTunHistInOctets,
6631          ikeTunHistInPkts,
6632          ikeTunHistInDropPkts,
6633          ikeTunHistInNotifys,
6634          ikeTunHistInP2Exchgs,
6635          ikeTunHistInP2ExchgInvalids,
6636          ikeTunHistInP2ExchgRejects,
6637          ikeTunHistInP2SaDelRequests,
6638          ikeTunHistOutOctets,
6639          ikeTunHistOutPkts,
6640          ikeTunHistOutDropPkts,
6641          ikeTunHistOutNotifys,
6642          ikeTunHistOutP2Exchgs,
6643          ikeTunHistOutP2ExchgInvalids,
6644          ikeTunHistOutP2ExchgRejects,
6645          ikeTunHistOutP2SaDelRequests,

6647          -- The IPsec Phase-2 Tunnel History Table
6648          -- ipSecTunHistIndex,
6649          ipSecTunHistTermReason,
6650          ipSecTunHistActiveIndex,
6651          --ipSecTunHistIkeTunnelIndex,
6652          ipSecTunHistLocalAddr,
6653          ipSecTunHistRemoteAddr,
6654          -- ipSecTunHistKeyType,
6655          ipSecTunHistEncapMode,
6656          ipSecTunHistLifeSize,
6657          ipSecTunHistLifeTime,
6658          ipSecTunHistStartTime,
6659          ipSecTunHistActiveTime,
6660          ipSecTunHistTotalRefreshes,
6661          ipSecTunHistTotalSas,
6662          ipSecTunHistInSaDiffHellmanGrp,
6663          ipSecTunHistInSaEncryptAlgo,
6664          ipSecTunHistInSaAhAuthAlgo,
6665          ipSecTunHistInSaEspAuthAlgo,
6666          ipSecTunHistInSaDecompAlgo,
6667          ipSecTunHistOutSaDiffHellmanGrp,
6668          ipSecTunHistOutSaEncryptAlgo,
6669          ipSecTunHistOutSaAhAuthAlgo,
6670          ipSecTunHistOutSaEspAuthAlgo,
6671          ipSecTunHistOutSaCompAlgo,
6672          ipSecTunHistPmtu,
6673          ipSecTunHistInOctets,
6674          ipSecTunHistHcInOctets,
6675          ipSecTunHistInOctWraps,
6676          ipSecTunHistInDecompOctets,
6677          ipSecTunHistHcInDecompOctets,
6678          ipSecTunHistInDecompOctWraps,
6679          ipSecTunHistInPkts,
6680          ipSecTunHistInDropPkts,
6681          ipSecTunHistInReplayDropPkts,
6682          ipSecTunHistInAuths,
6683          ipSecTunHistInAuthFails,
6684          ipSecTunHistInDecrypts,
6685          ipSecTunHistInDecryptFails,
6686          ipSecTunHistOutOctets,
6687          ipSecTunHistHcOutOctets,
6688          ipSecTunHistOutOctWraps,
6689          ipSecTunHistOutUncompOctets,
6690          ipSecTunHistHcOutUncompOctets,
6691          ipSecTunHistOutUncompOctWraps,
6692          ipSecTunHistOutPkts,
6693          ipSecTunHistOutDropPkts,
6694          ipSecTunHistOutAuths,
6695          ipSecTunHistOutAuthFails,
6696          ipSecTunHistOutEncrypts,
6697          ipSecTunHistOutEncryptFails,
6698          ipSecTunHistOutCompressedPkts,
6699          ipSecTunHistOutCompSkippedPkts,
6700          ipSecTunHistOutCompFailPkts,
6701          ipSecTunHistOutCompTooSmallPkts,
6702          ipSecTunHistControlProtocol,
6703          ipSecTunHistControlTunnelIndex,
6704          ipSecTunHistInSaEncryptKeySize,
6705          ipSecTunHistOutSaEncryptKeySize,

6707          -- The IPsec Phase-2 End Point History Table
6708          -- ipSecEndPtHistIndex,
6709          ipSecEndPtHistTunIndex,
6710          ipSecEndPtHistActiveIndex,
6711          ipSecEndPtHistLocalName,
6712          ipSecEndPtHistLocalType,
6713          ipSecEndPtHistLocalAddr1,
6714          ipSecEndPtHistLocalAddr2,
6715          ipSecEndPtHistLocalProtocol,
6716          ipSecEndPtHistLocalPort,
6717          ipSecEndPtHistRemoteName,
6718          ipSecEndPtHistRemoteType,
6719          ipSecEndPtHistRemoteAddr1,
6720          ipSecEndPtHistRemoteAddr2,
6721          ipSecEndPtHistRemoteProtocol,
6722          ipSecEndPtHistRemotePort
6723      }
6724      STATUS current
6725      DESCRIPTION
6726          "This group consists of:
6727           1) IPsec History Global Objects
6728           2) IPsec Phase-1 History Objects
6729           3) IPsec Phase-2 History Objects"
6730      ::= { ipSecMIBGroups 6 }

6732  ipSecFailuresGroup OBJECT-GROUP
6733      OBJECTS {
6734          -- The IPsec Failure Global Control Objects
6735          ipSecFailTableSize,

6737          -- The IPsec Phase-1 Failure Table
6738          ikeFailReason,
6739          ikeFailTime,
6740          ikeFailLocalType,
6741          ikeFailLocalValue,
6742          ikeFailRemoteType,
6743          ikeFailRemoteValue,
6744          ikeFailLocalAddr,
6745          ikeFailRemoteAddr,
6746          -- The IPsec Phase-2 Failure Table
6747          -- ipSecFailIndex,
6748          ipSecFailReason,
6749          ipSecFailTime,
6750          ipSecFailTunnelIndex,
6751          ipSecFailSaSpi,
6752          ipSecFailPktSrcAddr,
6753          ipSecFailPktDstAddr
6754      }
6755      STATUS current
6756      DESCRIPTION
6757          "This group consists of:
6758           1) IPsec Failure Global Objects
6759           2) IPsec Phase-1 Tunnel Failure Table
6760           3) IPsec Phase-2 Tunnel Failure Table"
6761      ::= { ipSecMIBGroups 7 }

6763  ipSecTrapCntlGroup OBJECT-GROUP
6764      OBJECTS {
6765          ipSecTrapCntlIkeTunnelStart,
6766          ipSecTrapCntlIkeTunnelStop,
6767          ipSecTrapCntlIkeSysFailure,
6768          ipSecTrapCntlIkeCertCrlFailure,
6769          ipSecTrapCntlIkeProtocolFail,
6770          ipSecTrapCntlIkeNoSa,
6771          ipSecTrapCntlIpSecTunnelStart,
6772          ipSecTrapCntlIpSecTunnelStop,
6773          ipSecTrapCntlIpSecSysFailure,
6774          ipSecTrapCntlIpSecSetUpFailure,
6775          ipSecTrapCntlIpSecEarlyTunTerm,
6776          ipSecTrapCntlIpSecProtocolFail,
6777          ipSecTrapCntlIpSecNoSa,
6778          ipSecTrapCntlInNewGrpRejected,
6779          ipSecTrapCntlOutNewGrpRejected
6780      }
6781      STATUS current
6782      DESCRIPTION
6783          "This group of objects controls the sending of IPsec TRAPs."
6784      ::= { ipSecMIBGroups 8 }

6786  ipSecNotificationGroup NOTIFICATION-GROUP
6787      NOTIFICATIONS {
6788          ikeTunnelStart,
6789          ikeTunnelStop,
6790          ikeSysFailure,
6791          ikeCertCrlFailure,
6792          ikeProtocolFailure,
6793          ikeNoSa,
6794          ipSecTunnelStart,
6795          ipSecTunnelStop,
6796          ipSecSysFailure,
6797          ipSecSetUpFailure,
6798          ipSecEarlyTunTerm,
6799          ipSecProtocolFailure,
6800          ipSecNoSa,
6801          ipSecInNewGrpRejected,
6802          ipSecOutNewGrpRejected
6803      }
6804      STATUS current
6805      DESCRIPTION
6806          "This group contains the notifications for the IPsec MIB."
6807      ::= { ipSecMIBGroups 9 }

6809  ipSecModeConfigGroup OBJECT-GROUP
6810      OBJECTS {
6811          -- The IPsec Mode Configuration group
6812          ikeGlobalInConfigs,
6813          ikeGlobalOutConfigs,
6814          ikeGlobalInConfigsRejects,
6815          ikeGlobalOutConfigsRejects,
6816          --ikePeerConfigAppVersion,
6817          --ikePeerConfigAddress,
6818          --ikePeerConfigNetmask,
6819          --ikePeerConfigDns,
6820          --ikePeerConfigNbns,
6821          --ikePeerConfigDhcp,
6822          ikeTunInConfigs,
6823          ikeTunOutConfigs,
6824          ikeTunInConfigsRejects,
6825          ikeTunOutConfigsRejects,
6826          ikeTunHistInConfigs,
6827          ikeTunHistOutConfigs,
6828          ikeTunHistInConfigsRejects,
6829          ikeTunHistOutConfigsRejects
6830      }
6831      STATUS current
6832      DESCRIPTION
6833          "This group consists of:
6834           1) Global metrics about IKE Mode Configuration activity
6835           2) Phase-1 IKE Tunnel-wise Mode Configuration metrics
6836           3) Historical IKE Mode Configuration metrics on a per
6837              expired tunnel basis."
6838      ::= { ipSecMIBGroups 10 }

6840  ipSecNewGrpGroup OBJECT-GROUP
6841      OBJECTS {
6842          -- The IPsec New Group negotiation group
6843          ikeTunInNewGrpReqs,
6844          ikeTunOutNewGrpReqs,
6845          ikeTunInNewGrpReqsRejected,
6846          ikeTunOutNewGrpReqsRejected,
6847          ikeTunHistInNewGrpReqs,
6848          ikeTunHistOutNewGrpReqs,
6849          ikeTunHistInNewGrpReqsRejected,
6850          ikeTunHistOutNewGrpReqsRejected,
6851          ipSecGlobalInNewGrpReqs,
6852          ipSecGlobalOutNewGrpReqs,
6853          ipSecGlobalInNewGrpReqsRejected,
6854          ipSecGlobalOutNewGrpReqsRejected
6855      }
6856      STATUS current
6857      DESCRIPTION
6858          "This group consists of:
6859           1) Global metrics about new group negotiations
6860           2) Phase-1 IKE Tunnel-wise new group metrics
6861           3) Historical new group metrics on a per tunnel basis.
6862           4) Notifications pertaining to new grp failures."
6863      ::= { ipSecMIBGroups 11 }

6865  deprecatedObjectGroup OBJECT-GROUP
6866      OBJECTS {
6867          -- The deprecated table 'ipSecSpiTable'
6868          ipSecSpiDirection,
6869          ipSecSpiValue,
6870          ipSecSpiProtocol,
6871          ipSecSpiStatus,
6872          ipSecTunIkeTunnelIndex,
6873          ipSecTunIkeTunnelAlive,
6874          ipSecTunKeyType,
6875          ipSecTunHistIkeTunnelIndex,
6876          ipSecTunHistKeyType
6877      }
6878      STATUS deprecated
6879      DESCRIPTION "A collection of objects that have been
6880                   deprecated."
6881      ::= { ipSecMIBGroups 12 }

6883  END

6885  6. Intellectual Property
6886     The IETF takes no position regarding the validity or scope of any
6887     intellectual property or other rights that might be claimed to
6888     pertain to the implementation or use of the technology described in
6889     this document or the extent to which any license under such rights
6890     might or might not be available; neither does it represent that it
6891     has made any effort to identify any such rights. Information on the
6892     IETF's procedures with respect to rights in standards-track and
6893     standards-related documentation can be found in BCP-11. Copies of
6894     claims of rights made available for publication and any assurances of
6895     licenses to be made available, or the result of an attempt made to
6896     obtain a general license or permission for the use of such
6897     proprietary rights by implementors or users of this specification can
6898     be obtained from the IETF Secretariat.

6900     The IETF invites any interested party to bring to its attention any
6901     copyrights, patents or patent applications, or other proprietary
6902     rights which may cover technology that may be required to practice
6903     this standard. Please address the information to the IETF Executive
6904     Director.

6906  7. Acknowledgements

6908     The editors would like to thank: Ajay Dankar, Jamal Mohamed, Mayank
6909     Jain, Roy Pereira, David McGrew and Lauren Heintz.

6911  8. Security Considerations

6913     This document describes how a management station can monitor
6914     structure and activity of IPsec based VPNs. Applications have access
6915     to data which is not secured. Applications SHOULD take reasonable
6916     steps to protect the data from disclosure.

6918     This document also contains a MIB definition module. The information
6919     contained in this MIB describes a VPN service whose variables may be
6920     read and in some cases set.

6922     It is important that access to the MIB is limited to the appropriate
6923     users, and that information exchanges between users, management
6924     stations, agents and any other devices are provided via a secure
6925     mechanism such as an encrypted session.

6927  9. References

6929     [RFC2407] Piper, D., "The Internet IP Security Domain of
6930               Interpretation for ISAKMP", RFC 2407, November 1998.

6932     [RFC2401] Kent, S., Atkinson, R., "Security Architecture for the
6933               Internet Protocol", RFC 2401, November 1998.

6935     [RFC2409] Harkins, D., Carrel, D., "The Internet Key Exchange
6936               (IKE)", RFC 2409, November 1998.

6938     [RFC2408] Maughan, D., Schertler, M., Schneider, M., and Turner,
6939               J., "Internet Security Association and Key Management
6940               Protocol (ISAKMP)", RFC 2408, November 1998.

6942     [IGMIB]   McCloghrie, K., Kastenholz, F., "The Interfaces Group
6943               MIB using SMIv2", RFC 2233.

6945     [RFC1902] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
6946               "Structure of Management Information for version 2 of
6947               the Simple Network Management Protocol (SNMPv2)", RFC
6948               1902, January 1996.

6950     [RFC2271] Harrington, D., Presuhn, R., and B. Wijnen, "An
6951               Architecture for Describing SNMP Management Frameworks",
6952               RFC 2271, January 1998.

6954     [RFC1155] Rose, M. and K. McCloghrie, "Structure and
6955               Identification of Management Information for TCP/IP-
6956               based internets", STD 16, RFC 1155, May 1990.

6958     [RFC1212] Rose, M. and K. McCloghrie, "Concise MIB Definitions",
6959               STD 16, RFC 1212, March 1991.
6961     [RFC1215] M. Rose, "A Convention for Defining Traps for use with
6962               the SNMP", RFC 1215, March 1991.

6964     [RFC1903] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose,
6965               M., and S. Waldbusser, "Textual Conventions for Version
6966               2 of the Simple Network Management Protocol (SNMPv2)",
6967               RFC 1903, January 1996.

6969     [RFC1904] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose,
6970               M., and S. Waldbusser, "Conformance Statements for
6971               Version 2 of the Simple Network Management Protocol
6972               (SNMPv2)", RFC 1904, January 1996.

6974     [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin,
6975               "Simple Network Management Protocol", RFC 1157, May
6976               1990.

6978     [RFC1901] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose,
6979               M., and S. Waldbusser, "Introduction to Community-based
6980               SNMPv2", RFC 1901, January 1996.

6982     [RFC1906] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose,
6983               M., and S. Waldbusser, "Transport Mappings for Version
6984               2 of the Simple Network Management Protocol (SNMPv2)",
6985               RFC 1906, January 1996.

6987     [RFC2272] Case, J., Harrington D., Presuhn R., and B. Wijnen,
6988               "Message Processing and Dispatching for the Simple
6989               Network Management Protocol (SNMP)", RFC 2272, January
6990               1998.

6992     [RFC2274] Blumenthal, U., and B. Wijnen, "User-based Security
6993               Model (USM) for version 3 of the Simple Network
6994               Management Protocol (SNMPv3)", RFC 2274, January 1998.

6996     [RFC1905] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose,
6997               M., and S. Waldbusser, "Protocol Operations for Version
6998               2 of the Simple Network Management Protocol (SNMPv2)",
6999               RFC 1905, January 1996.

7001  10. Editor's Addresses

7003     Cheryl Madson
7004     Cisco Systems
7005     170 W Tasman Drive
7006     San Jose, Ca 95134
7007     Phone: +1 (408) 527 2817
7008     EMail: cmadson@cisco.com

7010     Leo Temoshenko
7011     Cisco Systems
7012     170 W Tasman Drive
7013     San Jose, Ca 95134
7014     USA
7015     Phone: +1 (919) 392 8381
7016     EMail: leot@cisco.com

7018     Chinna Narasimha Reddy Pellacuru
7019     Cisco Systems
7020     170 W Tasman Drive
7021     San Jose, Ca 95134
7022     USA
7023     Phone: +1 (408) 527 3109
7024     EMail: pcn@cisco.com

7026     Bret Harrison
7027     Tivoli Systems Inc.
7028     3901 S. Miami Blvd
7029     Durham, NC. 27703
7030     Phone: +1 (919) 224-1000
7031     EMail: bret_harrison@tivoli.com

7033     S Ramakrishnan
7034     Cisco Systems
7035     170 W Tasman Drive
7036     San Jose, Ca 95134
7037     USA
7038     Phone: +1 (408) 527 7309
7039     EMail: rks@cisco.com

7041  11. Expiration

7043     This draft expires Aug 16, 2003.

7045  12. Full Copyright Statement

7047     Copyright (C) The Internet Society (2001). All Rights Reserved.
7048     This document and translations of it may be copied and furnished to
7049     others, and derivative works that comment on or otherwise explain it
7050     or assist in its implementation may be prepared, copied, published
7051     and distributed, in whole or in part, without restriction of any
7052     kind, provided that the above copyright notice and this paragraph are
7053     included on all such copies and derivative works. However, this
7054     document itself may not be modified in any way, such as by removing
7055     the copyright notice or references to the Internet Society or other
7056     Internet organizations, except as needed for the purpose of
7057     developing Internet standards in which case the procedures for
7058     copyrights defined in the Internet Standards process must be
7059     followed, or as required to translate it into languages other than
7060     English.

7062     The limited permissions granted above are perpetual and will not be
7063     revoked by the Internet Society or its successors or assigns.
7065     This document and the information contained herein is provided on an
7066     "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
7067     TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
7068     BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
7069     HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
7070     MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
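
The trap-control objects in the MIB module above all carry DEFVAL { disabled } and MAX-ACCESS read-write, so which notifications a device actually sends depends on its configuration and on who holds SNMP write access. The following added example (not part of the draft) parses definitions written in the module's syntax, pairs each notification with the ipSecTrapCntl object that has the same sub-identifier, and reports required notifications that are still switched off. The pairing rule is inferred from the numbering in the module, and the state label "enabled" and the polled snapshot are assumptions.

```python
import re

# Definitions from the module on this page, re-wrapped and with DESCRIPTION text
# shortened. ipSecTrapCntl 4 is defined earlier in the draft and is left out on
# purpose, so the "no control object" path is exercised.
MIB_EXCERPT = '''
ipSecTrapCntlIkeNoSa OBJECT-TYPE
    SYNTAX TrapStatus  MAX-ACCESS read-write  STATUS current
    DESCRIPTION "This object defines the administrative
                 state of sending the IPsec IKE Phase-1
                 No Security Association TRAP."
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 6 }
ipSecTrapCntlIpSecNoSa OBJECT-TYPE
    SYNTAX TrapStatus  MAX-ACCESS read-write  STATUS current
    DESCRIPTION "Phase-2 No Security Association TRAP"
    DEFVAL { disabled }
    ::= { ipSecTrapCntl 13 }
ikeCertCrlFailure NOTIFICATION-TYPE
    OBJECTS { phase1PeerLocalAddr, phase1PeerRemoteAddr }
    STATUS current
    DESCRIPTION "Certificate or CRL related error."
    ::= { ipSecMIBNotifications 4 }
ikeNoSa NOTIFICATION-TYPE
    OBJECTS { phase1PeerLocalAddr, phase1PeerRemoteAddr }
    STATUS current
    DESCRIPTION "ISAKMP PDU with a reference to a non-existent cookie."
    ::= { ipSecMIBNotifications 6 }
ipSecNoSa NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION "IPsec packet with a non-existent SPI."
    ::= { ipSecMIBNotifications 13 }
'''

DEF_RE = re.compile(
    r"^\s*(?P<name>[a-z]\w*)\s+(?P<macro>OBJECT-TYPE|NOTIFICATION-TYPE)\b"
    r"(?P<body>.*?)::=\s*\{\s*(?P<parent>\w+)\s+(?P<sub>\d+)\s*\}",
    re.S | re.M)


def parse_definitions(text):
    """Return one dict per OBJECT-TYPE / NOTIFICATION-TYPE in SMIv2 text."""
    text = re.sub(r'"[^"]*"', '""', text)          # blank out quoted strings
    text = re.sub(r"--.*$", "", text, flags=re.M)  # drop SMI comments
    defs = []
    for m in DEF_RE.finditer(text):
        access = re.search(r"MAX-ACCESS\s+([\w-]+)", m["body"])
        defval = re.search(r"DEFVAL\s*\{\s*([\w-]+)\s*\}", m["body"])
        defs.append({"name": m["name"], "macro": m["macro"],
                     "parent": m["parent"], "sub": int(m["sub"]),
                     "access": access[1] if access else None,
                     "defval": defval[1] if defval else None})
    return defs


def pair_by_subid(defs):
    """Map notification name -> control definition with the same sub-identifier."""
    controls = {d["sub"]: d for d in defs
                if d["macro"] == "OBJECT-TYPE" and d["parent"] == "ipSecTrapCntl"}
    return {d["name"]: controls.get(d["sub"]) for d in defs
            if d["macro"] == "NOTIFICATION-TYPE"
            and d["parent"] == "ipSecMIBNotifications"}


def audit(defs, polled, required):
    """Return (notification, problem) for each required trap that will not be sent.

    polled maps control-object name -> state label read from the agent; a control
    absent from polled is taken to still hold its DEFVAL.
    """
    pairs = pair_by_subid(defs)
    findings = []
    for notif in required:
        ctl = pairs.get(notif)
        if ctl is None:
            findings.append((notif, "no control object in parsed text"))
            continue
        state = polled.get(ctl["name"], ctl["defval"])
        if state != "enabled":  # the "enabled" label is an assumption
            findings.append((notif, f"{ctl['name']} is {state}"))
    return findings


def writable_controls(defs):
    """Trap switches that any principal with SNMP write access can turn off."""
    return sorted(d["name"] for d in defs
                  if d["parent"] == "ipSecTrapCntl" and d["access"] == "read-write")


if __name__ == "__main__":
    defs = parse_definitions(MIB_EXCERPT)
    polled = {"ipSecTrapCntlIkeNoSa": "enabled"}  # constructed poll result
    wanted = ["ikeCertCrlFailure", "ikeNoSa", "ipSecNoSa"]
    for notif, problem in audit(defs, polled, wanted):
        print(f"{notif}: {problem}")
    print("writable:", ", ".join(writable_controls(defs)))
```

Fed the full module text instead of the excerpt, the same functions cover all fifteen notifications; the list returned by writable_controls names the objects whose write access needs to be restricted if the failure traps are relied on for detection.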