BIANCA-BRICK-IPSEC-MIB: View SNMP OID List / Download MIB
VENDOR: BINTEC COMMUNICATIONS GMBH
Object Name | OID | Type | Access | Info |
org | 1.3 | |||
dod | 1.3.6 | |||
internet | 1.3.6.1 | |||
private | 1.3.6.1.4 | |||
enterprises | 1.3.6.1.4.1 | |||
bintec | 1.3.6.1.4.1.272 | |||
bibo | 1.3.6.1.4.1.272.4 | |||
ipsec | 1.3.6.1.4.1.272.4.26 | |||
ipsecGlobals | 1.3.6.1.4.1.272.4.26.1 | |||
ipsecGlobPeerIndex | 1.3.6.1.4.1.272.4.26.1.1 | integer | read-write |
Index of first IPsec peer in ipsecPeerTable. If this object is set to a Value <= 0, IPSec is switched explicitly off. If the peer referenced by this object does not exist in the table, all packets will be dropped. |
ipsecGlobDefaultAuthMethod | 1.3.6.1.4.1.272.4.26.1.2 | integer | read-write |
The authentication method used by default. If the ipsecPeerAuthMethod field of an ipsecPeerEntry is set to 'default', this value is assumed. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4) -- Authentication using RSA encryption. Enumeration: 'dss-sig': 2, 'pre-sh-key': 1, 'rsa-enc': 4, 'rsa-sig': 3. |
ipsecGlobDefaultCertificate | 1.3.6.1.4.1.272.4.26.1.3 | integer | read-write |
The index of the default certificate in the certTable used for local authentication for ike keyed rules with non pre-shared-key authentication. This may be overwritten by the certificate specified for the individual ipsec peers. |
ipsecGlobDefaultLocalId | 1.3.6.1.4.1.272.4.26.1.4 | displaystring | read-write |
The default ID used for local authentication for ike keyed rules. If this is an empty or invalid id string one of the subject alternative names or the subject name from the default certificate is used. This does not replace an empty local id string for an IPsec peer with a valid certificate. The subject name or one of the subject alternative names from this certificate is used then. |
ipsecGlobDefaultIpsecProposal | 1.3.6.1.4.1.272.4.26.1.5 | integer | read-write |
Index of default ipsec proposal used for traffic entries with empty ipsec proposal, defined for peers with empty default ipsec proposal. |
ipsecGlobDefaultIkeProposal | 1.3.6.1.4.1.272.4.26.1.6 | integer | read-write |
Index of default ike proposal used for peers with empty default ike proposal. |
ipsecGlobDefaultIpsecLifeTime | 1.3.6.1.4.1.272.4.26.1.7 | integer | read-write |
Index of default lifetime for ike SA's in ipsecLifeTimeTable. This lifetime is used, when there is no valid lifetime entry specified for an IPsec peer entry. |
ipsecGlobDefaultIkeLifeTime | 1.3.6.1.4.1.272.4.26.1.8 | integer | read-write |
Index of default lifetime for ipsec SA's in ipsecLifeTimeTable. This lifetime is used, when there is no valid lifetime entry specified for an IPsec SA, its traffic entry and its peer entry. |
ipsecGlobDefaultIkeGroup | 1.3.6.1.4.1.272.4.26.1.9 | integer | read-write |
Index of default IKE group used for peer entries with empty or invalid ike group. Possible values: 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP). |
ipsecGlobMaxSysLogLevel | 1.3.6.1.4.1.272.4.26.1.10 | integer | read-write |
Maximum level for syslog messages issued by IPSec. All messages with a level higher than this value are suppressed, independently from other global syslog level settings. Possible settings: emerg(1), alert(2), crit(3), err(4), warning(5), notice(6), info(7), debug(8). Enumeration: 'info': 7, 'notice': 6, 'err': 4, 'alert': 2, 'debug': 8, 'emerg': 1, 'crit': 3, 'warning': 5. |
ipsecGlobDefaultGranularity | 1.3.6.1.4.1.272.4.26.1.11 | integer | read-write |
This object specifies the default granularity used for IPSEC SA negotiation. Possible values: coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host. Enumeration: 'port': 5, 'ip': 3, 'coarse': 2, 'proto': 4. |
ipsecGlobDefaultPh1Mode | 1.3.6.1.4.1.272.4.26.1.12 | integer | read-write |
This object specifies the default exchange mode used for IKE SA negotiation. Possible values: id-protect(1), -- Use identity protection (main) mode aggressive(2) -- Use aggressive mode. Enumeration: 'aggressive': 2, 'id-protect': 1. |
ipsecGlobDefaultPfsGroup | 1.3.6.1.4.1.272.4.26.1.13 | integer | read-write |
This object specifies the PFS group to use. PFS is done only for phase 2, i.e. the Phase 1 SAs are not deleted after phase 2 negotiation is completed. Note however, that if the peer has configured PFS for identity and destroys phase 1 SAs, this side will also destroy them when notified. Possible values: 0 (no PFS), 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP). |
ipsecGlobIkePort | 1.3.6.1.4.1.272.4.26.1.20 | integer | read-write |
This object specifies the port the IKE key management service listens to. |
ipsecGlobMaxRetries | 1.3.6.1.4.1.272.4.26.1.21 | integer | read-write |
This object specifies the maximum number of retries sent by IKE for one message. |
ipsecGlobRetryTimeout0milli | 1.3.6.1.4.1.272.4.26.1.22 | integer | read-write |
This object specifies the period of time in milliseconds before an IKE message is repeated for the first time if the answer is missing. After each retry, this timeout is increased up to the value specified in ipsecGlobRetryTimeoutMaxsec. |
ipsecGlobRetryTimeoutMaxsec | 1.3.6.1.4.1.272.4.26.1.23 | integer | read-write |
This object specifies the maximum period of time in seconds before an IKE message is repeated if the answer is missing. The retry timeout is not increased beyond this limit. |
ipsecGlobMaxNegotiationTimeoutsec | 1.3.6.1.4.1.272.4.26.1.24 | integer | read-write |
This object specifies the maximum number of seconds after which a negotiation is canceled if it is not finished. |
ipsecGlobMaxIkeSas | 1.3.6.1.4.1.272.4.26.1.25 | integer | read-write |
This object specifies the maximum number of simultaneous ISAKMP Security associations allowed. If this limit is reached, the entries are removed from the database, starting with the ones that will expire very soon. If that is not enough, the entries are deleted in reverse LRU order. |
ipsecGlobAntiCloggingLength | 1.3.6.1.4.1.272.4.26.1.26 | integer | read-write |
This object specifies the length in bits of the local secret used for ISAKMP anti-clogging cookies. |
ipsecGlobAntiCloggingHash | 1.3.6.1.4.1.272.4.26.1.27 | integer | read-write |
This object specifies the algorithm which is used for creating anti-clogging-tokens. Possible values: md5(3), -- MD5 hash algorithm sha1(4) -- SHA hash algorithm. Enumeration: 'sha1': 4, 'md5': 3. |
ipsecGlobLocalSecretPeriodsec | 1.3.6.1.4.1.272.4.26.1.28 | integer | read-write |
This object specifies the period of time in seconds after which a new secret for creating local anti-clogging tokens is created. The previous secret is remembered, so that the anti-clogging tokens created with the previous secret are also recognized as valid. After the local secret is recreated again, the old tokens are not recognized anymore and all IKE packets belonging to the old security associations are discarded. This means that the maximum lifetime of an ISAKMP SA is twice the value of this timer. |
ipsecGlobIgnoreCrPayloads | 1.3.6.1.4.1.272.4.26.1.29 | integer | read-write |
This object specifies whether certificate request payloads should be ignored by IKE. Possible values: true(1), -- ignore all certificate requests false(2) -- process certificate request payloads. Enumeration: 'false': 2, 'true': 1. |
ipsecGlobNoCrPayloads | 1.3.6.1.4.1.272.4.26.1.30 | integer | read-write |
This object specifies whether IKE should suppress certificate requests. Possible values: true(1), -- suppress certificate requests false(2) -- send certificate requests. Enumeration: 'false': 2, 'true': 1. |
ipsecGlobNoKeyHashPayloads | 1.3.6.1.4.1.272.4.26.1.31 | integer | read-write |
This object specifies whether IKE should suppress key hash payloads. Possible values: true(1), -- suppress key hash payloads false(2) -- send key hash payloads. Enumeration: 'false': 2, 'true': 1. |
ipsecGlobNoCrls | 1.3.6.1.4.1.272.4.26.1.32 | integer | read-write |
This object specifies whether IKE should send certificate revocation lists. Possible values: true(1), -- do not send certificate revocation lists false(2) -- send certificate revocation lists. Enumeration: 'false': 2, 'true': 1. |
ipsecGlobSendFullCertChains | 1.3.6.1.4.1.272.4.26.1.33 | integer | read-write |
This object specifies whether IKE should send full certificate chains. Possible values: true(1), -- send full certificate chains false(2) -- do not send full certificate chains. Enumeration: 'false': 2, 'true': 1. |
ipsecGlobTrustIcmpMsg | 1.3.6.1.4.1.272.4.26.1.34 | integer | read-write |
This object specifies whether IKE should trust icmp port and host unreachable error messages. ICMP port and host unreachable messages are only trusted if there have not yet been received any datagrams from the remote host in this negotiation. This means, if the local side receives an ICMP port or host unreachable message as the first response to the initial packet of a new phase 1 negotiation, it cancels the negotiation immediately. Possible values: true(1), -- trust ICMP messages false(2) -- do not trust ICMP messages. Enumeration: 'false': 2, 'true': 1. |
ipsecGlobSpiSize | 1.3.6.1.4.1.272.4.26.1.35 | integer | read-write |
A compatibility flag that specifies the length of the SPI in bytes, which is used when an ISAKMP SA SPI (Cookie) is sent to the remote peer. This field takes effect only if ipsecGlobZeroIsakmpCookies is true. |
ipsecGlobZeroIsakmpCookies | 1.3.6.1.4.1.272.4.26.1.36 | integer | read-write |
This object specifies whether zeroed ISAKMP cookies should be sent. Possible Values: true(1), -- send zero cookies in ISAKMP messages false(2) -- send ISAKMP cookies. Enumeration: 'false': 2, 'true': 1. |
ipsecGlobMaxKeyLength | 1.3.6.1.4.1.272.4.26.1.37 | integer | read-write |
This object specifies the maximum length of an encryption key (in bits) that is accepted from the remote end. This limit prevents denial of service attacks where the attacker asks for a huge key for an encryption algorithm that allows variable length keys. |
ipsecGlobNoInitialContact | 1.3.6.1.4.1.272.4.26.1.38 | integer | read-write |
Do not send IKE initial contact messages in IKE negotiations even if no SA's exist with a peer. Possible values: true(1), -- do not send initial contact messages false(2) -- send initial contact messages if appropriate. Enumeration: 'false': 2, 'true': 1. |
ipsecPublicKeyTable | 1.3.6.1.4.1.272.4.26.2 | no-access |
This table contains the list of public key pairs and ID's used with IPSec. |
|
1.3.6.1.4.1.272.4.26.2.1 | no-access |
This object contains a key pair for a certain public key algorithm and the ids used together with this key. |
||
ipsecPubKeyIndex | 1.3.6.1.4.1.272.4.26.2.1.1 | integer | read-only |
A unique index for this entry. |
ipsecPubKeyDescription | 1.3.6.1.4.1.272.4.26.2.1.2 | displaystring | read-write |
An optional description for this key. |
ipsecPubKeyAlgorithm | 1.3.6.1.4.1.272.4.26.2.1.3 | integer | read-only |
This object specifies the algorithm for which the key is used. Possible values: rsa(2), -- The RSA encryption algorithm dsa(3) -- The digital signature algorithm. Enumeration: 'rsa': 2, 'dsa': 3. |
ipsecPubKeyKeyLength | 1.3.6.1.4.1.272.4.26.2.1.4 | integer | read-only |
The size of the public and private keys in bits. |
ipsecSaTable | 1.3.6.1.4.1.272.4.26.3 | no-access |
This table contains the list of currently active IPSec security associations. |
|
1.3.6.1.4.1.272.4.26.3.1 | no-access |
This object contains an IPSec security association. |
||
ipsecSaIndex | 1.3.6.1.4.1.272.4.26.3.1.1 | integer | read-only |
A unique index for this entry. |
ipsecSaState | 1.3.6.1.4.1.272.4.26.3.1.3 | integer | read-write |
The current state of the security association. Possible values: alive(1), -- The SA is alive and will eventually be rekeyed expired(2), -- The SA is expired and will not be rekeyed delete(3) -- mark this sa for deletion. Enumeration: 'expired': 2, 'alive': 1, 'delete': 3. |
ipsecSaCreator | 1.3.6.1.4.1.272.4.26.3.1.4 | integer | read-only |
This object specifies how the SA was created. Possible values: manual(1), -- A manually keyed IPSec SA ike(2) -- An automatically keyed SA created by IKE. Enumeration: 'manual': 1, 'ike': 2. |
ipsecSaDir | 1.3.6.1.4.1.272.4.26.3.1.5 | integer | read-only |
This object specifies whether the SA is used for inbound or outbound processing. Possible values: inbound(1), -- An inbound security association outbound(2) -- An outbound security association. Enumeration: 'inbound': 1, 'outbound': 2. |
ipsecSaMode | 1.3.6.1.4.1.272.4.26.3.1.6 | integer | read-only |
This object specifies whether the SA is in tunnel or transport mode. Possible values: tunnel(1), -- A tunnel mode SA transport(2) -- A transport mode SA. Enumeration: 'tunnel': 1, 'transport': 2. |
ipsecSaSecProto | 1.3.6.1.4.1.272.4.26.3.1.7 | integer | read-only |
This object specifies the security protocol applied by this SA. Possible values: esp(50), -- Encapsulating Security Payload ah(51), -- Authentication Header ipcomp(108) -- Internet Payload Compression Protocol. Enumeration: 'ah': 51, 'ipcomp': 108, 'esp': 50. |
ipsecSaLocalIp | 1.3.6.1.4.1.272.4.26.3.1.8 | ipaddress | read-only |
The local IP address of the outer packet header. For transport mode SAs, this address is the same as the ipsecSaSrcAddress. |
ipsecSaPeerIp | 1.3.6.1.4.1.272.4.26.3.1.9 | ipaddress | read-only |
The destination IP address of the outer packet header. For transport mode SAs, this address is the same as the ipsecSaDstAddress. |
ipsecSaSrcAddress | 1.3.6.1.4.1.272.4.26.3.1.10 | ipaddress | read-only |
The address of the source network this SA covers (if the SrcRange field is nonzero, this is the first address of a range of addresses). |
ipsecSaSrcMaskLen | 1.3.6.1.4.1.272.4.26.3.1.11 | integer | read-only |
The mask length of the source network this SA covers (only meaningful, if the SrcRange field is zero). |
ipsecSaSrcRange | 1.3.6.1.4.1.272.4.26.3.1.12 | ipaddress | read-only |
The last address of a range of source addresses (starting with SrcAddress) this SA covers. Overrides SrcMaskLen. |
ipsecSaDstAddress | 1.3.6.1.4.1.272.4.26.3.1.13 | ipaddress | read-only |
The address of the destination network this SA covers (if the DstRange field is nonzero, this is the first address of a range of addresses). |
ipsecSaDstMaskLen | 1.3.6.1.4.1.272.4.26.3.1.14 | integer | read-only |
The mask length of the destination network this SA covers (only meaningful, if the DstRange field is zero). |
ipsecSaDstRange | 1.3.6.1.4.1.272.4.26.3.1.15 | ipaddress | read-only |
The last address of a range of destination addresses (starting with DstAddress) this SA covers. Overrides DstMaskLen. |
ipsecSaSpi | 1.3.6.1.4.1.272.4.26.3.1.17 | hexvalue | read-only |
The Security Parameters Index of this SA. |
ipsecSaAuthAlg | 1.3.6.1.4.1.272.4.26.3.1.18 | integer | read-only |
The hash algorithm used, if any. Possible Values: none(2), -- No hash algorithm applied md5-96(4), -- The MD5 hash algorithm sha1-96(6) -- The Secure Hash Algorithm. Enumeration: 'none': 2, 'sha1-96': 6, 'md5-96': 4. |
ipsecSaEncAlg | 1.3.6.1.4.1.272.4.26.3.1.19 | integer | read-only |
The encryption algorithm used, if any. Possible Values: none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4), -- Blowfish in CBC mode cast128-cbc(5) -- CAST with 128 bit key in CBC mode. Enumeration: 'cast128-cbc': 5, 'none': 1, 'blowfish-cbc': 4, 'des3-cbc': 3, 'des-cbc': 2. |
ipsecSaAuthKeyLen | 1.3.6.1.4.1.272.4.26.3.1.21 | integer | read-only |
The length of the key used for authentication, if any. |
ipsecSaEncKeyLen | 1.3.6.1.4.1.272.4.26.3.1.22 | integer | read-only |
The length of the key used for encryption, if any. |
ipsecSaLifeSeconds | 1.3.6.1.4.1.272.4.26.3.1.25 | integer | read-only |
The period in seconds after which this SA will be destroyed. |
ipsecSaLifeKBytes | 1.3.6.1.4.1.272.4.26.3.1.26 | integer | read-only |
The amount of data allowed to be protected by this SA until it is destroyed. |
ipsecSaProto | 1.3.6.1.4.1.272.4.26.3.1.27 | integer | read-only |
The protocol this SA covers. Enumeration: 'ipproto-239': 239, 'ipproto-130': 130, 'mfe': 31, 'skip': 57, 'ttp': 84, 'merit': 32, 'chaos': 16, 'ipproto-159': 159, 'ipproto-158': 158, 'netblt': 30, 'tcf': 87, 'ipproto-150': 150, 'ipproto-153': 153, 'ipproto-152': 152, 'ipproto-155': 155, 'ipproto-154': 154, 'ipproto-157': 157, 'ipproto-156': 156, 'ipproto-252': 252, 'ipproto-253': 253, 'ipproto-250': 250, 'ipproto-145': 145, 'ipproto-254': 254, 'xtp': 36, 'scc': 96, 'tp': 39, 'securevmtp': 82, 'aris': 104, 'bna': 49, 'local': 63, 'rsvp': 46, 'nvp': 11, 'nsfnet': 85, 'ipproto-242': 242, 'sunnd': 77, 'ipxip': 111, 'tcp': 6, 'ipproto-148': 148, 'ipproto-149': 149, 'ipproto-146': 146, 'ipproto-147': 147, 'ipproto-144': 144, 'cphb': 73, 'ipproto-142': 142, 'ipproto-143': 143, 'ipproto-140': 140, 'ipproto-141': 141, 'ipproto-227': 227, 'ipproto-226': 226, 'ipproto-225': 225, 'ipproto-224': 224, 'satmon': 69, 'ipproto-222': 222, 'ipproto-221': 221, 'ipproto-194': 194, 'pc3': 34, 'emcon': 14, 'ipproto-229': 229, 'wsn': 74, 'idpr': 35, 'ipproto-218': 218, 'ipproto-191': 191, 'cftp': 62, 'pvp': 75, 'hop0': 114, 'ipproto-170': 170, 'sep': 33, 'ipproto-219': 219, 'pnni': 102, 'cpnx': 72, 'pim': 103, 'ipproto-228': 228, 'ipproto-233': 233, 'ipproto-234': 234, 'ipproto-235': 235, 'ipproto-139': 139, 'larp': 91, 'ipv6icmp': 58, 'compaq': 110, 'ipproto-232': 232, 'esp': 50, 'ipproto-133': 133, 'ipproto-132': 132, 'ipproto-131': 131, 'ddp': 37, 'ipproto-137': 137, 'mux': 18, 'ipproto-135': 135, 'ipproto-134': 134, 'vrrp': 112, 'ipwip': 94, 'ipproto-125': 125, 'ipproto-211': 211, 'wbmon': 78, 'dcn': 19, 'trunk1': 23, 'trunk2': 24, 'ipproto-198': 198, 'ggp': 3, 'distfs': 68, 'ipproto-169': 169, 'qnx': 106, 'wbexpak': 79, 'ipproto-209': 209, 'ipproto-208': 208, 'ipproto-244': 244, 'xnet': 15, 'ipproto-201': 201, 'ipproto-200': 200, 'ipproto-203': 203, 'ipproto-202': 202, 'pup': 12, 'ipproto-204': 204, 'ipproto-207': 207, 'ipproto-206': 206, 'ipproto-128': 128, 'ipproto-129': 129, 'xns': 
22, 'ipproto-237': 237, 'rdp': 27, 'ipproto-120': 120, 'ipproto-121': 121, 'ipproto-122': 122, 'idprc': 38, 'ipproto-124': 124, 'argus': 13, 'ipproto-126': 126, 'ipproto-127': 127, 'ipproto-136': 136, 'ipproto-230': 230, 'idrp': 45, 'vmtp': 81, 'ipproto-116': 116, 'pgm': 113, 'ipproto-123': 123, 'ipproto-195': 195, 'isoip': 80, 'ipproto-197': 197, 'ipproto-196': 196, 'ippc': 67, 'ipproto-190': 190, 'ipproto-193': 193, 'ipproto-192': 192, 'ipproto-216': 216, 'ipproto-217': 217, 'ipproto-214': 214, 'ipproto-215': 215, 'ipproto-199': 199, 'tlsp': 56, 'ipproto-210': 210, 'igmp': 2, 'bbn': 10, 'ipproto-240': 240, 'ipproto-119': 119, 'ipproto-118': 118, 'ipproto-212': 212, 'ipproto-205': 205, 'ipproto-117': 117, 'swipe': 53, 'ipproto-241': 241, 'l2tp': 115, 'ipv6': 41, 'isotp4': 29, 'udp': 17, 'ipproto-189': 189, 'ipproto-213': 213, 'sprite': 90, 'ipproto-182': 182, 'mhrp': 48, 'ipproto-180': 180, 'ipproto-181': 181, 'hmp': 20, 'ipproto-187': 187, 'ipproto-184': 184, 'micp': 95, 'ippcp': 108, 'ipproto-249': 249, 'icmp': 1, 'ipproto-248': 248, 'ipproto-223': 223, 'ipproto-162': 162, 'ipproto-61': 61, 'mtp': 92, 'ipip': 4, 'ipproto-245': 245, 'eigrp': 88, 'ipv6route': 43, 'sdrp': 42, 'inlsp': 52, 'ipv6nonxt': 59, 'rvd': 66, 'prm': 21, 'ah': 51, 'ipproto-188': 188, 'brsatmon': 76, 'an': 107, 'il': 40, 'cbt': 7, 'ipproto-238': 238, 'ax25': 93, 'ifmp': 101, 'ospfigp': 89, 'sat': 64, 'ipproto-177': 177, 'ipproto-176': 176, 'ipproto-175': 175, 'ipproto-174': 174, 'encrypt': 99, 'ipproto-172': 172, 'ipproto-171': 171, 'igp': 9, 'etherip': 97, 'narp': 54, 'ipproto-179': 179, 'ipproto-178': 178, 'ipproto-251': 251, 'gre': 47, 'encap': 98, 'ipproto-183': 183, 'irtp': 28, 'ipproto-220': 220, 'gmtp': 100, 'ipproto-243': 243, 'ipproto-138': 138, 'ipproto-186': 186, 'ipv6frag': 44, 'ipproto-236': 236, 'dgp': 86, 'visa': 70, 'leaf1': 25, 'snp': 109, 'leaf2': 26, 'ipproto-173': 173, 'ipproto-185': 185, 'ipproto-231': 231, 'ipproto-164': 164, 'ipproto-165': 165, 'ipproto-166': 166, 
'ipproto-167': 167, 'ipproto-160': 160, 'ipproto-161': 161, 'ipproto-151': 151, 'ipproto-163': 163, 'mobile': 55, 'scps': 105, 'ipproto-247': 247, 'egp': 8, 'ipproto-168': 168, 'kryptolan': 65, 'vines': 83, 'st': 5, 'ipcv': 71, 'ipproto-246': 246, 'dont-verify': 255, 'ipv6opts': 60. |
ipsecSaSrcPort | 1.3.6.1.4.1.272.4.26.3.1.28 | integer | read-only |
The source port this SA covers, 0 for any. |
ipsecSaDstPort | 1.3.6.1.4.1.272.4.26.3.1.29 | integer | read-only |
The destination port this SA covers, 0 for any. |
ipsecSaSeconds | 1.3.6.1.4.1.272.4.26.3.1.30 | integer | read-only |
The number of seconds since this SA was created. |
ipsecSaBytes | 1.3.6.1.4.1.272.4.26.3.1.31 | integer | read-only |
The amount of data in kilobytes protected by this SA. |
ipsecSaPackets | 1.3.6.1.4.1.272.4.26.3.1.32 | integer | read-only |
The number of packets protected by this SA. |
ipsecSaReplayErrors | 1.3.6.1.4.1.272.4.26.3.1.33 | integer | read-only |
The number of replayed packets detected for this SA. |
ipsecSaRecvErrors | 1.3.6.1.4.1.272.4.26.3.1.34 | integer | read-only |
The number of receive errors (replayed packets not counted) detected for this SA. |
ipsecSaDecryptErrors | 1.3.6.1.4.1.272.4.26.3.1.35 | integer | read-only |
The number of decryption errors (ESP only) detected for this SA. |
ikeSaTable | 1.3.6.1.4.1.272.4.26.4 | no-access |
This table contains the list of currently active IKE security associations. |
|
1.3.6.1.4.1.272.4.26.4.1 | no-access |
This object contains an IKE security association. |
||
ikeSaIndex | 1.3.6.1.4.1.272.4.26.4.1.1 | integer | read-only |
A unique index for this entry. |
ikeSaState | 1.3.6.1.4.1.272.4.26.4.1.3 | integer | read-write |
This object specifies the state of the SA. Possible values: negotiating(1), -- the SA is still being negotiated established(2), -- the SA negotiation is finished waiting-for-remove(3), -- the SA is waiting for removal delete(7) -- mark the SA for deletion. Enumeration: 'established': 2, 'waiting-for-remove': 3, 'negotiating': 1, 'delete': 7. |
ikeSaXchType | 1.3.6.1.4.1.272.4.26.4.1.4 | integer | read-only |
The exchange mode used to create the SA. Possible values: base(1), -- IKE base mode id-protect(2), -- IKE identity protection -- (oakley main mode) authentication-only(3), -- Authentication only mode aggressive(4), -- IKE (oakley) aggressive mode info(5), -- IKE informational exchange mode quick(32), -- IKE quick mode new-group(33), -- IKE new group mode any(256) -- Other mode. Enumeration: 'info': 5, 'base': 1, 'authentication-only': 3, 'quick': 32, 'new-group': 33, 'aggressive': 4, 'any': 256, 'id-protect': 2. |
ikeSaAuthMethod | 1.3.6.1.4.1.272.4.26.4.1.5 | integer | read-only |
The authentication method used when negotiating this SA. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4) -- Authentication using RSA encryption. Enumeration: 'dss-sig': 2, 'pre-sh-key': 1, 'rsa-enc': 4, 'rsa-sig': 3. |
ikeSaAlgs | 1.3.6.1.4.1.272.4.26.4.1.6 | displaystring | read-only |
The names of the encryption and hash algorithm and of the prf. |
ikeSaRole | 1.3.6.1.4.1.272.4.26.4.1.7 | integer | read-only |
This object specifies by which side the SA negotiation was initiated. Possible values: true(1), -- this end initiated the SA negotiation false(2) -- the remote end initiated the SA negotiation. Enumeration: 'initiator': 1, 'responder': 2. |
ikeSaLocalId | 1.3.6.1.4.1.272.4.26.4.1.8 | displaystring | read-only |
The local ID used for authentication. |
ikeSaRemoteId | 1.3.6.1.4.1.272.4.26.4.1.9 | displaystring | read-only |
The remote ID used for authentication. |
ikeSaRemoteIp | 1.3.6.1.4.1.272.4.26.4.1.11 | ipaddress | read-only |
The remote IP address used in the IKE communication. |
ikeSaCookieI | 1.3.6.1.4.1.272.4.26.4.1.12 | octet string | read-only |
The cookie of the initiator. |
ikeSaCookieR | 1.3.6.1.4.1.272.4.26.4.1.13 | octet string | read-only |
The cookie of the responder. |
ikeSaTimes | 1.3.6.1.4.1.272.4.26.4.1.14 | displaystring | read-only |
The creation time and last used time of the SA in human readable format. |
ikeSaNumCerts | 1.3.6.1.4.1.272.4.26.4.1.15 | integer | read-only |
The number of certificates received from the remote side when negotiating this SA. |
ikeSaNumNegotiations | 1.3.6.1.4.1.272.4.26.4.1.16 | integer | read-only |
This object specifies the number of currently active negotiations for this SA. |
ikeSaBytes | 1.3.6.1.4.1.272.4.26.4.1.17 | integer | read-only |
Number of bytes transmitted using this SA. |
ikeSaMajVersion | 1.3.6.1.4.1.272.4.26.4.1.18 | integer | read-only |
The IKE major version number. |
ikeSaMinVersion | 1.3.6.1.4.1.272.4.26.4.1.19 | integer | read-only |
The IKE minor version number. |
ipsecPeerTable | 1.3.6.1.4.1.272.4.26.5 | no-access |
This table contains the list of IPSec peers. |
|
1.3.6.1.4.1.272.4.26.5.1 | no-access |
This object contains the description of an IPSec peer. |
||
ipsecPeerIndex | 1.3.6.1.4.1.272.4.26.5.1.1 | integer | read-only |
A unique index identifying this entry. |
ipsecPeerNextIndex | 1.3.6.1.4.1.272.4.26.5.1.2 | integer | read-write |
The index of the next peer in hierarchy. |
ipsecPeerDescription | 1.3.6.1.4.1.272.4.26.5.1.3 | displaystring | read-write |
An optional description for this peer. |
ipsecPeerPeerIds | 1.3.6.1.4.1.272.4.26.5.1.5 | displaystring | read-write |
The IDs of the peer which are accepted for authentication. |
ipsecPeerPeerAddress | 1.3.6.1.4.1.272.4.26.5.1.6 | ipaddress | read-write |
The IP-address of the peer. |
ipsecPeerLocalId | 1.3.6.1.4.1.272.4.26.5.1.7 | displaystring | read-write |
The local ID used for authentication. |
ipsecPeerLocalAddress | 1.3.6.1.4.1.272.4.26.5.1.8 | ipaddress | read-write |
The local address used for IPSec encrypted packets. |
ipsecPeerLocalCert | 1.3.6.1.4.1.272.4.26.5.1.9 | integer | read-write |
The index of the certificate used for local authentication in the certTable. Only useful for automatically keyed traffic with dsa or rsa authentication. |
ipsecPeerIkeProposals | 1.3.6.1.4.1.272.4.26.5.1.10 | integer | read-write |
The index of the first IKE proposal which may be used for IKE SA negotiation with this peer. |
ipsecPeerTrafficList | 1.3.6.1.4.1.272.4.26.5.1.11 | integer | read-write |
This object specifies the first entry of possibly a chain of traffic entries from the ipsecTrafficTable which should be protected with IPSec using this peer. |
ipsecPeerAuthMethod | 1.3.6.1.4.1.272.4.26.5.1.20 | integer | read-write |
The authentication method used. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(14), -- Use the default settings from the -- ipsecGlobals table delete(15) -- mark this entry for deletion. Enumeration: 'pre-sh-key': 1, 'rsa-sig': 3, 'default': 14, 'dss-sig': 2, 'rsa-enc': 4, 'delete': 15. |
ipsecPeerPreSharedKey | 1.3.6.1.4.1.272.4.26.5.1.21 | displaystring | read-write |
The pre-shared-key used with this peer, if pre-shared-keys are used for authentication. This field serves only as an input field and its contents are replaced with a single asterisk immediately after it is set. |
ipsecPeerIkeGroup | 1.3.6.1.4.1.272.4.26.5.1.22 | integer | read-write |
The Group used for Diffie Hellman key agreement algorithm. Possible values: 0: use default value from ipsecGlobals table, 1: a 768-bit MODP group, 2: a 1024-bit MODP group, 3: a GF[2^155] group, 4: a GF[2^185] group, 5: a 1536-bit MODP group. |
ipsecPeerPfsGroup | 1.3.6.1.4.1.272.4.26.5.1.23 | integer | read-write |
The Diffie Hellman group used for additional Perfect Forward Secrecy (PFS) DH exponentiations. Possible values: -1: explicitly do not use PFS (overrides ipsecGlob2DefaultPfsGroup), 0: use default value from ipsecGlob2DefaultPfsGroup, 1: a 768-bit MODP group, 2: a 1024-bit MODP group, 5: a 1536-bit MODP group. |
ipsecPeerPh1Mode | 1.3.6.1.4.1.272.4.26.5.1.24 | integer | read-write |
This object specifies the exchange mode used for IKE SA negotiation. Possible values: id-protect(1), -- Use identity protection (main) mode aggressive(2), -- Use aggressive mode default(3) -- Use default settings from the -- ipsecGlobalsTable. Enumeration: 'default': 3, 'aggressive': 2, 'id-protect': 1. |
ipsecPeerIkeLifeTime | 1.3.6.1.4.1.272.4.26.5.1.25 | integer | read-write |
This object specifies an index in the ipsecLifeTimeTable. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used. |
ipsecPeerIpsecLifeTime | 1.3.6.1.4.1.272.4.26.5.1.26 | integer | read-write |
This object specifies an index in the ipsecLifeTimeTable. This lifetime overwrites the lifetimes specified for all traffic entries and their proposals referenced by this peer entry. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used. |
ipsecPeerKeepAlive | 1.3.6.1.4.1.272.4.26.5.1.29 | integer | read-write |
This object specifies whether IKE SA's with this peer are rekeyed even if there was no data transferred over them. Possible values: true(1), -- rekey SA's even if no data was transferred false(2) -- do not rekey SA's if no data was transferred. Enumeration: 'false': 2, 'true': 1. |
ipsecPeerGranularity | 1.3.6.1.4.1.272.4.26.5.1.30 | integer | read-write |
This object specifies the granularity with which SA's with this peer are created. Possible values: default(1), -- use the setting from the ipsecGlobalsTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host. Enumeration: 'default': 1, 'ip': 3, 'port': 5, 'coarse': 2, 'proto': 4. |
ipsecPeerDontVerifyPad | 1.3.6.1.4.1.272.4.26.5.1.31 | integer | read-write |
This object is a compatibility option for older ipsec implementations. It enables or disables an old way of ESP padding (no self describing padding). Possible values: false(1), -- normal, self-describing ESP padding true(2) -- old style ESP padding. Enumeration: 'true': 2, 'false': 1. |
ipsecPeerDefaultIpsecProposals | 1.3.6.1.4.1.272.4.26.5.1.42 | integer | read-write |
The index of the default IPSec proposal used for encrypting all the traffic bound to the (optional) logical interface created for this peer. |
ipsecPeerPreSharedKeyData | 1.3.6.1.4.1.272.4.26.5.1.63 | octet string | no-access |
Field used for storing the pre-shared-key permanently. |
ikeProposalTable | 1.3.6.1.4.1.272.4.26.6 | no-access |
This table contains the list of IKE proposals. The entries may be chained on a logical OR basis using the NextChoice field to form choices of multiple proposals. |
|
1.3.6.1.4.1.272.4.26.6.1 | no-access |
This object contains an IKE proposal, i.e. the encryption algorithm and the hash algorithm used to protect traffic sent over an IKE SA. |
||
ikePropIndex | 1.3.6.1.4.1.272.4.26.6.1.1 | integer | read-only |
A unique index identifying this entry. |
ikePropNextChoice | 1.3.6.1.4.1.272.4.26.6.1.2 | integer | read-write |
This object specifies the index of the next proposal of a choice of proposals. If this object is 0, this marks the end of a proposal chain. |
ikePropDescription | 1.3.6.1.4.1.272.4.26.6.1.3 | displaystring | read-write |
An optional textual description of the proposal chain beginning at this entry. |
ikePropEncAlg | 1.3.6.1.4.1.272.4.26.6.1.4 | integer | read-write |
This object specifies the encryption algorithm used to protect traffic sent over an IKE SA. Possible values: none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish-cbc(4), -- Blowfish in CBC mode cast128-cbc(5) -- CAST in CBC mode with 128 bit key. Enumeration: 'cast128-cbc': 5, 'none': 1, 'blowfish-cbc': 4, 'des3-cbc': 3, 'des-cbc': 2. |
ikePropHashAlg | 1.3.6.1.4.1.272.4.26.6.1.5 | integer | read-write |
This object specifies the hash algorithm used to protect traffic sent over an IKE SA. Possible values: delete(1), -- Delete this entry none(2), -- No hash algorithm md5(3), -- The MD5 hash algorithm sha1(4), -- The Secure Hash Algorithm. Enumeration: 'sha1': 4, 'none': 2, 'md5': 3, 'delete': 1. |
ipsecTrafficTable | 1.3.6.1.4.1.272.4.26.7 | no-access |
This table contains lists of Traffic and the actions which should be applied to it, together with the necessary parameters. |
|
1.3.6.1.4.1.272.4.26.7.1 | no-access |
This object contains a description of a type of IP traffic and the action which should be applied to it together with the necessary parameters. |
||
ipsecTrIndex | 1.3.6.1.4.1.272.4.26.7.1.1 | integer | read-only |
A unique index identifying this entry. |
ipsecTrNextIndex | 1.3.6.1.4.1.272.4.26.7.1.2 | integer | read-write |
This object specifies the index of the next traffic entry in hierarchy. |
ipsecTrDescription | 1.3.6.1.4.1.272.4.26.7.1.3 | displaystring | read-write |
An optional human readable description for this traffic entry. |
ipsecTrLocalAddress | 1.3.6.1.4.1.272.4.26.7.1.4 | ipaddress | read-write |
The source IP-address of this traffic entry. It may be either a single address, a network address (in combination with ipsecTrSrcMask), or the first address of an address range (in combination with ipsecTrLocalRange). |
ipsecTrLocalMaskLen | 1.3.6.1.4.1.272.4.26.7.1.5 | integer | read-write |
The length of the network mask for a source network. |
ipsecTrLocalRange | 1.3.6.1.4.1.272.4.26.7.1.6 | ipaddress | read-write |
The last address of a source address range. If this field is nonzero, the ipsecTrLocalMaskLen field is ignored and the source is considered as a range of addresses beginning with ipsecTrLocalAddress and ending with ipsecTrLocalRange. |
ipsecTrRemoteAddress | 1.3.6.1.4.1.272.4.26.7.1.7 | ipaddress | read-write |
The destination IP-address of this traffic entry. It may be either a single address, a network address (in combination with ipsecTrDstMask), or the first address of an address range (in combination with ipsecTrRemoteRange). |
ipsecTrRemoteMaskLen | 1.3.6.1.4.1.272.4.26.7.1.8 | integer | read-write |
The length of the network mask for a destination network. |
ipsecTrRemoteRange | 1.3.6.1.4.1.272.4.26.7.1.9 | ipaddress | read-write |
The last address of a destination address range. If this field is nonzero, the ipsecTrRemoteMaskLen field is ignored and the source is considered as a range of addresses beginning with ipsecTrRemoteAddress and ending with ipsecTrRemoteRange. |
ipsecTrProto | 1.3.6.1.4.1.272.4.26.7.1.10 | integer | read-write |
The transport protocol defined for this entry. Enumeration: 'ipproto-239': 239, 'ipproto-130': 130, 'mfe': 31, 'skip': 57, 'ttp': 84, 'merit': 32, 'chaos': 16, 'ipproto-159': 159, 'ipproto-158': 158, 'netblt': 30, 'tcf': 87, 'ipproto-150': 150, 'ipproto-153': 153, 'ipproto-152': 152, 'ipproto-155': 155, 'ipproto-154': 154, 'ipproto-157': 157, 'ipproto-156': 156, 'ipproto-252': 252, 'ipproto-253': 253, 'ipproto-250': 250, 'ipproto-145': 145, 'ipproto-254': 254, 'xtp': 36, 'scc': 96, 'tp': 39, 'securevmtp': 82, 'aris': 104, 'bna': 49, 'local': 63, 'rsvp': 46, 'nvp': 11, 'nsfnet': 85, 'ipproto-242': 242, 'sunnd': 77, 'ipxip': 111, 'tcp': 6, 'ipproto-148': 148, 'ipproto-149': 149, 'ipproto-146': 146, 'ipproto-147': 147, 'ipproto-144': 144, 'cphb': 73, 'ipproto-142': 142, 'ipproto-143': 143, 'ipproto-140': 140, 'ipproto-141': 141, 'ipproto-227': 227, 'ipproto-226': 226, 'ipproto-225': 225, 'ipproto-224': 224, 'satmon': 69, 'ipproto-222': 222, 'ipproto-221': 221, 'ipproto-194': 194, 'pc3': 34, 'emcon': 14, 'ipproto-229': 229, 'wsn': 74, 'idpr': 35, 'ipproto-218': 218, 'ipproto-191': 191, 'cftp': 62, 'pvp': 75, 'hop0': 114, 'ipproto-170': 170, 'sep': 33, 'ipproto-219': 219, 'pnni': 102, 'cpnx': 72, 'pim': 103, 'ipproto-228': 228, 'ipproto-233': 233, 'ipproto-234': 234, 'ipproto-235': 235, 'ipproto-139': 139, 'larp': 91, 'ipv6icmp': 58, 'compaq': 110, 'ipproto-232': 232, 'esp': 50, 'ipproto-133': 133, 'ipproto-132': 132, 'ipproto-131': 131, 'ddp': 37, 'ipproto-137': 137, 'mux': 18, 'ipproto-135': 135, 'ipproto-134': 134, 'vrrp': 112, 'ipwip': 94, 'ipproto-125': 125, 'ipproto-211': 211, 'wbmon': 78, 'dcn': 19, 'trunk1': 23, 'trunk2': 24, 'ipproto-198': 198, 'ggp': 3, 'distfs': 68, 'ipproto-169': 169, 'qnx': 106, 'wbexpak': 79, 'ipproto-209': 209, 'ipproto-208': 208, 'ipproto-244': 244, 'xnet': 15, 'ipproto-201': 201, 'ipproto-200': 200, 'ipproto-203': 203, 'ipproto-202': 202, 'pup': 12, 'ipproto-204': 204, 'ipproto-207': 207, 'ipproto-206': 206, 'ipproto-128': 128, 
'ipproto-129': 129, 'xns': 22, 'ipproto-237': 237, 'rdp': 27, 'ipproto-120': 120, 'ipproto-121': 121, 'ipproto-122': 122, 'idprc': 38, 'ipproto-124': 124, 'argus': 13, 'ipproto-126': 126, 'ipproto-127': 127, 'ipproto-136': 136, 'ipproto-230': 230, 'idrp': 45, 'vmtp': 81, 'ipproto-116': 116, 'pgm': 113, 'ipproto-123': 123, 'ipproto-195': 195, 'isoip': 80, 'ipproto-197': 197, 'ipproto-196': 196, 'ippc': 67, 'ipproto-190': 190, 'ipproto-193': 193, 'ipproto-192': 192, 'ipproto-216': 216, 'ipproto-217': 217, 'ipproto-214': 214, 'ipproto-215': 215, 'ipproto-199': 199, 'tlsp': 56, 'ipproto-210': 210, 'igmp': 2, 'bbn': 10, 'ipproto-240': 240, 'ipproto-119': 119, 'ipproto-118': 118, 'ipproto-212': 212, 'ipproto-205': 205, 'ipproto-117': 117, 'swipe': 53, 'ipproto-241': 241, 'l2tp': 115, 'ipv6': 41, 'isotp4': 29, 'udp': 17, 'ipproto-189': 189, 'ipproto-213': 213, 'sprite': 90, 'ipproto-182': 182, 'mhrp': 48, 'ipproto-180': 180, 'ipproto-181': 181, 'hmp': 20, 'ipproto-187': 187, 'ipproto-184': 184, 'micp': 95, 'ippcp': 108, 'ipproto-249': 249, 'icmp': 1, 'ipproto-248': 248, 'ipproto-223': 223, 'ipproto-162': 162, 'ipproto-61': 61, 'mtp': 92, 'ipip': 4, 'ipproto-245': 245, 'eigrp': 88, 'ipv6route': 43, 'sdrp': 42, 'inlsp': 52, 'ipv6nonxt': 59, 'rvd': 66, 'prm': 21, 'ah': 51, 'ipproto-188': 188, 'brsatmon': 76, 'an': 107, 'il': 40, 'cbt': 7, 'ipproto-238': 238, 'ax25': 93, 'ifmp': 101, 'ospfigp': 89, 'sat': 64, 'ipproto-177': 177, 'ipproto-176': 176, 'ipproto-175': 175, 'ipproto-174': 174, 'encrypt': 99, 'ipproto-172': 172, 'ipproto-171': 171, 'igp': 9, 'etherip': 97, 'narp': 54, 'ipproto-179': 179, 'ipproto-178': 178, 'ipproto-251': 251, 'gre': 47, 'encap': 98, 'ipproto-183': 183, 'irtp': 28, 'ipproto-220': 220, 'gmtp': 100, 'ipproto-243': 243, 'ipproto-138': 138, 'ipproto-186': 186, 'ipv6frag': 44, 'ipproto-236': 236, 'dgp': 86, 'visa': 70, 'leaf1': 25, 'snp': 109, 'leaf2': 26, 'ipproto-173': 173, 'ipproto-185': 185, 'ipproto-231': 231, 'ipproto-164': 164, 'ipproto-165': 165, 
'ipproto-166': 166, 'ipproto-167': 167, 'ipproto-160': 160, 'ipproto-161': 161, 'ipproto-151': 151, 'ipproto-163': 163, 'mobile': 55, 'scps': 105, 'ipproto-247': 247, 'egp': 8, 'ipproto-168': 168, 'kryptolan': 65, 'vines': 83, 'st': 5, 'ipcv': 71, 'ipproto-246': 246, 'dont-verify': 255, 'ipv6opts': 60. |
ipsecTrLocalPort | 1.3.6.1.4.1.272.4.26.7.1.11 | integer | read-write |
The source port defined for this traffic entry. |
ipsecTrRemotePort | 1.3.6.1.4.1.272.4.26.7.1.12 | integer | read-write |
The destination port defined for this traffic entry. |
ipsecTrAction | 1.3.6.1.4.1.272.4.26.7.1.13 | integer | read-write |
The action to be applied to traffic matching this entry. Possible values: delete(1), -- Delete this entry always-plain(2), -- Forward the packets without protection even if there is a matching SA and independent from the position of the traffic entry in the list. pass(3), -- Forward the packets without protection protect(4), -- Protect the traffic as specified in the proposal. Drop unprotected traffic of this kind. drop(5) -- Drop all packets matching this traffic entry. Enumeration: 'always-plain': 2, 'drop': 5, 'protect': 4, 'pass': 3, 'delete': 1. |
ipsecTrProposal | 1.3.6.1.4.1.272.4.26.7.1.14 | integer | read-write |
This object specifies an index in the ipsecProposalTable. This may be the first proposal of possibly a choice of multiple, optionally nested proposals which is to be offered with IKE (automatic keying) or a manual proposal (manual keying). |
ipsecTrForceTunnelMode | 1.3.6.1.4.1.272.4.26.7.1.15 | integer | read-write |
This object specifies the strategy when transport mode is used. By default, the system always uses transport mode, if possible. If this variable is set to true, tunnel mode will always be used for this traffic entry, even if source and destination address match the tunnel endpoints. Possible values: true(1), -- Use tunnel mode even if transport mode is possible false(2) -- Use transport mode whenever possible. Enumeration: 'false': 2, 'true': 1. |
ipsecTrLifeTime | 1.3.6.1.4.1.272.4.26.7.1.16 | integer | read-write |
This object specifies an index in the ipsecLifeTimeTable. This lifetime overwrites the lifetimes specified for all proposals referenced by this traffic entry. It may itself be overwritten by an explicit lifetime specified for the peer entry referencing this traffic entry. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used. |
ipsecTrGranularity | 1.3.6.1.4.1.272.4.26.7.1.17 | integer | read-write |
This object specifies the granularity with which SA's must be created for this kind of traffic. Possible values: default(1), -- use the setting from the ipsecPeerTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host. Enumeration: 'default': 1, 'ip': 3, 'port': 5, 'coarse': 2, 'proto': 4. |
ipsecTrKeepAlive | 1.3.6.1.4.1.272.4.26.7.1.18 | integer | read-write |
This object specifies whether SA's created for this kind of traffic should be rekeyed on expiration of soft lifetimes even if no traffic has been sent over them. Possible values: true(1), -- rekey SA's even if no data was transferred false(2), -- do not rekey SA's if no data was transferred default(3) -- use the default setting from the peer entry referencing this traffic entry. Enumeration: 'default': 3, 'false': 2, 'true': 1. |
ipsecProposalTable | 1.3.6.1.4.1.272.4.26.8 | no-access |
This table contains the list of IPSec proposals. The entries may be concatenated on a logical 'or' or a logical 'and' basis (depending on the setting of the 'BoolOp' field) using the 'Next' field. This makes the configuration of multiple choices of proposal bundles possible. Possible concatenation: (proposal1 or proposal2 or ... proposaln) and (proposal1 or proposal2 or ... proposaln) and ... (proposal1 or proposal2 or ... proposaln). This table also includes manually keyed security associations, which may not be concatenated to choices with BoolOp set to 'or'. |
|
1.3.6.1.4.1.272.4.26.8.1 | no-access |
This object contains an IPSec proposal, i.e. a proposed set of security parameters applied to traffic sent over an IPSec security association. |
||
ipsecPropIndex | 1.3.6.1.4.1.272.4.26.8.1.1 | integer | read-only |
A unique index for this entry. |
ipsecPropNext | 1.3.6.1.4.1.272.4.26.8.1.2 | integer | read-write |
The index of the next proposal in the current chain. |
ipsecPropBoolOp | 1.3.6.1.4.1.272.4.26.8.1.3 | integer | read-write |
This object specifies how the proposal referenced by Next should be concatenated. Possible values: delete(1), -- Delete this entry or(2), -- Concatenation with logical 'or' and(3) -- Concatenation with logical 'and'. Enumeration: 'and': 3, 'or': 2, 'delete': 1. |
ipsecPropDescription | 1.3.6.1.4.1.272.4.26.8.1.4 | displaystring | read-write |
An optional human readable description for this proposal. |
ipsecPropProto | 1.3.6.1.4.1.272.4.26.8.1.6 | integer | read-write |
The security protocol to apply. Possible values: esp(1), -- Encapsulating Security Payload ah(2) -- Authentication Header. Enumeration: 'ah': 2, 'esp': 1. |
ipsecPropEncAlg | 1.3.6.1.4.1.272.4.26.8.1.7 | integer | read-write |
The encryption algorithm to apply, if any. Possible values: none(1), -- No encryption applied des-cbc(2), -- DES in CBC mode des3-cbc(3), -- Triple DES in CBC mode blowfish(4), -- Blowfish in CBC mode cast128-cbc(5) -- CAST with 128 bit key in CBC mode. Enumeration: 'cast128-cbc': 5, 'none': 1, 'blowfish-cbc': 4, 'des3-cbc': 3, 'des-cbc': 2. |
ipsecPropAuthAlg | 1.3.6.1.4.1.272.4.26.8.1.8 | integer | read-write |
The hmac algorithm to use for authentication, if any. Possible values: none(2), -- No hmac md5-96(4), -- Use the MD5 hash algorithm with 96 bit output sha1-96(6) -- Use the Secure Hash Algorithm with 96 bit output. Enumeration: 'none': 2, 'sha1-96': 6, 'md5-96': 4. |
ipsecPropLifeTime | 1.3.6.1.4.1.272.4.26.8.1.10 | integer | read-write |
The index in the ipsecLifeTimeTable containing the lifetime values used for an SA created from this proposal. This field may be overwritten by an explicit lifetime specified for the traffic entry which references this proposal entry, or by an explicit lifetime specified for the peer entry referencing that traffic entry. If this field is empty or points to a nonexistent or inappropriate lifetime entry, the default lifetime from the ipsecGlobalsTable is used. |
ipsecPropInSpi | 1.3.6.1.4.1.272.4.26.8.1.11 | hexvalue | read-write |
This object specifies the Security Parameters Index (SPI) which should be used for the inbound SA of a manually keyed proposal. The SPI is used to distinguish between multiple IPSec connections to the same peer with the same security protocol. The outbound SPI of the remote side's corresponding proposal entry has to be equal to this value. This object is ignored for automatically keyed SAs, as it is chosen randomly by the initiator. |
ipsecPropOutSpi | 1.3.6.1.4.1.272.4.26.8.1.12 | hexvalue | read-write |
This object specifies the Security Parameters Index (SPI) which should be used for the outbound SA of a manually keyed proposal. The SPI is used to distinguish between multiple IPSec connections to the same peer with the same security protocol. The inbound SPI of the remote side's corresponding proposal entry has to be equal to this value. This object is ignored for automatically keyed SAs, as it is chosen randomly by the initiator. |
ipsecPropEncKeyIn | 1.3.6.1.4.1.272.4.26.8.1.14 | displaystring | read-write |
This object serves as an input field for the inbound encryption key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatic proposals or for proposals which do not require an encryption key. |
ipsecPropEncKeyOut | 1.3.6.1.4.1.272.4.26.8.1.15 | displaystring | read-write |
This object serves as an input field for the outbound encryption key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatic proposals or for proposals which do not require an encryption key. |
ipsecPropAuthKeyIn | 1.3.6.1.4.1.272.4.26.8.1.17 | displaystring | read-write |
This object serves as an input field for the inbound authentication key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatic proposals or for proposals which do not require an authentication key. |
ipsecPropAuthKeyOut | 1.3.6.1.4.1.272.4.26.8.1.18 | displaystring | read-write |
This object serves as an input field for the outbound authentication key used with manually keyed SAs. Its contents are reset to a single asterisk immediately after the set operation (or input via the console). It is not evaluated for automatic proposals or for proposals which do not require an authentication key. |
ipsecPropEncKeyDataIn | 1.3.6.1.4.1.272.4.26.8.1.33 | octet string | no-access | |
ipsecPropEncKeyDataOut | 1.3.6.1.4.1.272.4.26.8.1.34 | octet string | no-access | |
ipsecPropAuthKeyDataIn | 1.3.6.1.4.1.272.4.26.8.1.35 | octet string | no-access | |
ipsecPropAuthKeyDataOut | 1.3.6.1.4.1.272.4.26.8.1.36 | octet string | no-access | |
ipsecLifeTimeTable | 1.3.6.1.4.1.272.4.26.9 | no-access |
This table contains the list of defined lifetimes for IPsec and IKE SAs. |
|
1.3.6.1.4.1.272.4.26.9.1 | no-access |
This object contains a lifetime, i.e. the soft and hard expiry limits for IPsec and IKE SA's. |
||
ipsecLifeIndex | 1.3.6.1.4.1.272.4.26.9.1.1 | integer | read-only |
A unique index identifying this entry. |
ipsecLifeType | 1.3.6.1.4.1.272.4.26.9.1.2 | integer | read-write |
This object specifies the type of a lifetime entry. Enumeration: 'generic': 2, 'delete': 1. |
ipsecLifeSoftKb | 1.3.6.1.4.1.272.4.26.9.1.3 | integer | read-write |
The maximum amount of data (in KB) which may be protected by an SA before it is refreshed. |
ipsecLifeSoftSec | 1.3.6.1.4.1.272.4.26.9.1.4 | integer | read-write |
The maximum time (in seconds) after which an SA will be refreshed. |
ipsecLifeHardKb | 1.3.6.1.4.1.272.4.26.9.1.5 | integer | read-write |
The maximum amount of data (in KB) which may be protected by an SA before it is deleted. |
ipsecLifeHardSec | 1.3.6.1.4.1.272.4.26.9.1.6 | integer | read-write |
The maximum time (in seconds) after which an SA will be refreshed. |
ipsecStats | 1.3.6.1.4.1.272.4.26.10 | |||
ipsecStatsCurrentIkeSas | 1.3.6.1.4.1.272.4.26.10.1 | integer | read-only |
Current number of IKE SA's. |
ipsecStatsCurrentIpsecSas | 1.3.6.1.4.1.272.4.26.10.2 | integer | read-only |
Current number of IPSec SA's. |
ipsecStatsIp | 1.3.6.1.4.1.272.4.26.10.3 | integer | read-only |
Number of IP packets processed. |
ipsecStatsNonIp | 1.3.6.1.4.1.272.4.26.10.4 | integer | read-only |
Number of non-IP packets processed. |
ipsecStatsAh | 1.3.6.1.4.1.272.4.26.10.5 | integer | read-only |
Number of AH packets processed. |
ipsecStatsEsp | 1.3.6.1.4.1.272.4.26.10.6 | integer | read-only |
Number of ESP packets processed. |
ipsecStatsDrop | 1.3.6.1.4.1.272.4.26.10.7 | integer | read-only |
Number of packets dropped. |
ipsecStatsPass | 1.3.6.1.4.1.272.4.26.10.8 | integer | read-only |
Number of packets passed plain. |
ipsecStatsTrig | 1.3.6.1.4.1.272.4.26.10.9 | integer | read-only |
Number of packets which triggered an IKE negotiation. |
ipsecStatsFragPkt | 1.3.6.1.4.1.272.4.26.10.10 | integer | read-only |
Number of partial packets currently being reassembled. |
ipsecStatsFragBytes | 1.3.6.1.4.1.272.4.26.10.11 | integer | read-only |
Total size of the partial packets currently being reassembled. |
ipsecStatsFragNonfirst | 1.3.6.1.4.1.272.4.26.10.12 | integer | read-only |
Number of non-first fragments currently queued. |
ipsecGlobalsContinued | 1.3.6.1.4.1.272.4.26.11 | |||
ipsecGlobContPreIpsecRules | 1.3.6.1.4.1.272.4.26.11.1 | integer | read-write |
This object specifies an index in the IPsec traffic table containing a list of traffic definitions which has to be considered prior to the traffic lists of the IPSec peers in IPSec traffic processing. It may contain either pass or drop entries (protect entries are ignored, if erroneously configured). |
ipsecGlobContDefaultRule | 1.3.6.1.4.1.272.4.26.11.2 | integer | read-write |
This object specifies how to treat packets which do not match any entry in the traffic lists of the active peers. Possible values: drop(1), -- drop all packets pass(2) -- allow all packets to pass plain. Enumeration: 'drop': 1, 'pass': 2. |