HM2-VPN-MIB: View SNMP OID List / Download MIB

This MIB defines the SNMP interface for Hirschmann VPN implementations.

A hm2VpnUpTrap trap signals that a VPN connection is about to enter the up state from some other state (see 'hm2VpnConnOperStatus').

A hm2VpnDownTrap trap signals that a VPN connection is about to enter the down state from some other state (see 'hm2VpnConnOperStatus').

Maximum number of VPN connections supported. Notice that the maximum number of active and up VPN connections is limited to hm2VpnConnActiveMax.

Maximum number of active (and up) VPN connections supported.

This object always holds an appropriate value to be used for hm2VpnConnIndex when creating entries in the hm2VpnConnTable. The value 0 indicates that no unassigned entries are available. To obtain the hm2VpnConnIndex value for a new entry, the management station issues a SNMP retrieval operation to obtain the current value of this object. After each row creation or deletion the agent modifies the value to the next unassigned index.

A list of VPN connections.

A VPN connection entry.

An index that uniquely identifies the entry in the table.

Version of the IKE protocol: o ike: accept IKEv1/v2 as responder, start with IKEv2 as initiator o ikev1: used protocol is IKE version 1 (ISAKMP) o ikev2: used protocol is IKE version 2 Enumeration: 'ikev2': 3, 'ike': 1, 'ikev1': 2.

If this host acts as a responder it does not initiate a key exchange (IKE) nor connection parameters negotiation. Otherwise, this host acts as an initiator - then it initiates an IKE actively. Enumeration: 'initiator': 1, 'responder': 2.

Lifetime of IKE security association in seconds. The maximum value is 24 hours (86400 seconds).

If greater than zero, the local peer sends Dead Peer Detection (DPD) messages (according to RFC 3706) to the remote peer. This value specifies the timeout in seconds, the remote peer is declared dead, if not responding. The value 0 disables this feature.

Hostname (FQDN) or IP address of local security gateway. If the value is 'any', then the IP address of the matching interface is used. Establishing the connection may be delayed until the hostname (if specified) can be resolved.

Typically the hostname (FQDN) or IP address of remote security gateway. If this value is 'any', then any IP address is accepted when establishing an IKE-SA as responder. Also a network in CIDR notation, to be accepted when establishing the IKE-SA, is allowed as responder. As initiator such values are not allowed. Establishing the VPN connection may be delayed until the hostname (if specified) can be resolved.

Type of authentication to be used: pre-shared key, individual X509 certificates (separate for CA and local identification) or one PKCS12 container with all the needed certificates (including the CA). Enumeration: 'psk': 1, 'individualx509': 2, 'pkcs12': 3.

The phase 1 exchange mode to be used (IKEv1). Enumeration: 'aggressive': 2, 'main': 1.

PEM encoded X.509 certificate file name (RFC 1422), if authentication type in 'hm2VpnConnIkeAuthType' is 'individualx509'. This certificate is used for RSA based signature verification in local and remote certificates. The file needs to be uploaded separately.

PEM encoded X.509 certificate file name (RFC 1422), if authentication type in 'hm2VpnConnIkeAuthType' is 'individualx509'. This certificate is used for RSA based authentication of remote peer at the local side. This certificate binds the identity of remote peer to it's public key. It is optional because typically send by the remote peer while negotiating an ISAKMP/IKE security association. The file needs to be uploaded separately.

PEM encoded X.509 certificate file name (RFC 1422) to be used, if authentication type in 'hm2VpnConnIkeAuthType' is 'individualx509' or 'pkcs12'. This certificate is used for authentication of local peer at the remote side. The certificate binds the identity of local peer to it's public key, signed by the certification authority (CA) from 'hm2VpnConnIkeAuthCertCA'. The file needs to be uploaded separately.

Private key file name to be used, if authentication type in 'hm2VpnConnIkeAuthType' is 'individualx509' and the key stored on the device is encrypted with a passphrase (so it cannot automatically be matched with the certificate). Note that this is only the filename of the private key. The passphrase must be added to 'hm2VpnConnIkeAuthPasswd'.

Passphrase to be used for decryption of private key from 'hm2VpnConnIkeAuthPrivKey' or the certificate container for 'pkcs12' type certificates which are uploaded encrypted.

Pre-shared key (passphrase) to be used if authentication type in 'hm2VpnConnIkeAuthType' is 'psk'. The pre-shared key sequence cannot contain newline or double-quote characters. Alternatively to characters sequence, pre-shared secrets can be represented as hexadecimal or Base64 encoded binary values. A character sequence beginning with 0x is interpreted as sequence hexadecimal digits. Similarly, a character sequence beginning with 0s is interpreted as Base64 encoded binary data.

Local peer identifier to be sent within ID payload during negotiation. The ID payload is used to identify the initiator of the security association. The identity is used by the responder to determine the correct host system security policy requirement for the association (see RFC 2407, section 4.6.2 for details when using IKEv1 and RFC 4306, section 3.5 for IKEv2). Allowed formats for this object depend on 'hm2VpnConnIkeAuthLocType': o default: don't care o address: don't care, take IPv4 address or host name from hm2VpnConnIkeLocalAddr o id: - IPv4 address or host name - key identifier - fully qualified domain name - fully qualified RFC 822 email address - X.500 distinguished name (DN)

Type of local peer identifier in 'hm2VpnConnIkeAuthLocId': o default: If 'hm2VpnConnIkeAuthType' is 'psk' then use the IP address or host name from 'hm2VpnConnIkeLocalAddr' as local identifier. In case of 'individualx509' or 'pkcs12' use the DN from local certificate in 'hm2VpnConnIkeAuthCertLocal'. o address: use the IP address or DNS name from 'hm2VpnConnIkeLocalAddr' as local identifier. o id: use the configured value in hm2VpnConnIkeAuthLocId (it can be of any type in the description). For further information see RFC 2407, section 4.6.2 Enumeration: 'default': 1, 'id': 3, 'address': 2.

Remote peer identifier to be compared with ID payload during negotiation. The ID payload is used to identify the initiator of the security association. The identity is used by the responder to determine the correct host system security policy requirement for the association (see RFC 2407, section 4.6.2 for details when using IKEv1 and RFC 4306, section 3.5 for IKEv2). Allowed formats for this entry depend on 'hm2VpnConnIkeAuthRemType': o any: don't care o address: don't care, take IPv4 address or host name from hm2VpnConnIkeRemoteAddr o id: - IPv4 address or host name - key identifier - fully qualified domain name - fully qualified RFC 822 email address - X.500 distinguished name (DN)

Type of remote peer identifier in hm2VpnConnIkeAuthRemId: o any: received remote identifier is not checked o address: use the IP address or host name from 'hm2VpnConnIkeRemoteAddr' as remote identifier. o id: use the configured value in hm2VpnConnIkeAuthRemId (it can be of any type in the description). For further information see RFC 2407, section 4.6.2 Enumeration: 'id': 3, 'any': 1, 'address': 2.

Diffie-Hellman key agreement algorithm to be used for establishment of IKE-SA: o any: accept all supported algorithms as responder, use default as initiator o modp1024: RSA with 1024 bits modulus (DH Group 2) o modp1536: RSA with 1536 bits modulus (DH Group 5) o modp2048: RSA with 2048 bits modulus (DH Group 14) o modp3072: RSA with 3072 bits modulus (DH Group 15) o modp4096: RSA with 4096 bits modulus (DH Group 16) Enumeration: 'modp1536': 3, 'modp1024': 2, 'modp3072': 5, 'modp4096': 6, 'modp2048': 4, 'any': 1.

Integrity (MAC) algorithm to be used in IKEv2: o any: accept all supported algorithms as responder, use various pre-defined as initiator o hmacmd5: HMAC-MD5 (length 96 bit) o hmacsha1: HMAC-SHA1 (length 96 bit) o hmacsha256: HMAC-SHA256 (length 128 bit) o hmacsha384: HMAC-SHA384 (length 196 bit) o hmacsha512: HMAC-SHA512 (length 256 bit) Enumeration: 'hmacsha512': 6, 'hmacsha384': 5, 'hmacsha256': 4, 'hmacmd5': 2, 'hmacsha1': 3, 'any': 1.

Encryption algorithm to be used in IKE: o any: accept all supported algorithms as responder, use various pre-defined as initiator o des: DES o des3: Triple-DES o aes128: AES with 128 key bits o aes192: AES with 192 key bits o aes256: AES with 256 key bits Enumeration: 'aes256': 6, 'des': 2, 'des3': 3, 'aes128': 4, 'aes192': 5, 'any': 1.

whether re-keying of an IKE_SA should also re-authenticate the peer. In IKEv1, re-authentication is always done (also when set to false). In IKEv2, a value of false does re-keying without un-installing the IPsec SAs, a value of true creates a new IKE_SA from scratch and tries to recreate all IPsec SAs.

IPsec encapsulation mode. Enumeration: 'tunnel': 1.

Lifetime of IPsec security association in seconds. The maximum value is 8 hours (28800 seconds).

How long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin. The maximum value is half an hour (1800 seconds). The margin time needs to be at most half of the lifetime.

Diffie-Hellman key agreement algorithm to be used for IPsec-SA session key establishment: o any: accept all supported algorithms as responder, use various pre-defined as initiator o modp1024: RSA with 1024 bits modulus (DH Group 2) o modp1536: RSA with 1536 bits modulus (DH Group 5) o modp2048: RSA with 2048 bits modulus (DH Group 14) o modp3072: RSA with 3072 bits modulus (DH Group 15) o modp4096: RSA with 4096 bits modulus (DH Group 16) o none: no Perfect Forward Secrecy (PFS) Enumeration: 'modp1536': 3, 'none': 7, 'modp1024': 2, 'modp3072': 5, 'modp4096': 6, 'modp2048': 4, 'any': 1.

Integrity (MAC) algorithm to be used in IPsec: o any: accept all supported algorithms as responder, use various pre-defined as initiator o hmacmd5: HMAC-MD5 (length 96 bit) o hmacsha1: HMAC-SHA1 (length 96 bit) o hmacsha256: HMAC-SHA256 (length 128 bit) o hmacsha384: HMAC-SHA384 (length 196 bit) o hmacsha512: HMAC-SHA512 (length 256 bit) Enumeration: 'hmacsha512': 6, 'hmacsha384': 5, 'hmacsha256': 4, 'hmacmd5': 2, 'hmacsha1': 3, 'any': 1.

Encryption algorithm to be used for payload encryption in IPsec: o any: accept all supported algorithms as responder, use various pre-defined as initiator o des: DES o des3: Triple-DES o aes128: AES-CBC with 128 key bits o aes192: AES-CBC with 192 key bits o aes256: AES-CBC with 256 key bits o aes128ctr: AES-COUNTER with 128 key bits o aes192ctr: AES-COUNTER with 192 key bits o aes256ctr: AES-COUNTER with 256 key bits o aes128gcm64: AES-GCM with 64 bit ICV with 128 key bits o aes128gcm96: AES-GCM with 96 bit ICV with 128 key bits o aes128gcm128: AES-GCM with 128 bit ICV with 128 key bits o aes192gcm64: AES-GCM with 64 bit ICV with 192 key bits o aes192gcm96: AES-GCM with 96 bit ICV with 192 key bits o aes192gcm128: AES-GCM with 128 bit ICV with 192 key bits o aes256gcm64: AES-GCM with 64 bit ICV with 256 key bits o aes256gcm96: AES-GCM with 96 bit ICV with 256 key bits o aes256gcm128: AES-GCM with 128 bit ICV with 256 key bits Enumeration: 'aes128ctr': 7, 'aes256': 6, 'aes128gcm96': 11, 'aes192gcm64': 13, 'aes192gcm96': 14, 'aes192gcm128': 15, 'aes128gcm64': 10, 'des': 2, 'aes128gcm128': 12, 'des3': 3, 'aes256ctr': 9, 'aes192ctr': 8, 'aes128': 4, 'aes256gcm96': 17, 'aes256gcm128': 18, 'aes192': 5, 'aes256gcm64': 16, 'any': 1.

The current operational status of the VPN connection: o 'up': the IKE-SA and all IPsec SAs are up; o 'down': the IKE-SA and all IPsec SAs are down; o 'negotiation': key exchange and algorithm negotiation is in progress (or, as responder, waiting to be contacted for that purpose); o 'constructing': the IKE-SA is up, but at least one IPsec-SA is not established so far; o 'dormant': waiting for a precondition to be fulfilled before connection setup, e.g.: - a dynamically assigned IP address; - successful hostname resolution; - assignment of a valid system time. o 're-keying': key exchange is in progress after timeout of lifetime has occured, either IKE or IPSEC; Enumeration: 'negotiation': 3, 'dormant': 5, 'constructing': 4, 'up': 1, 'down': 2, 're-keying': 6.

User defined text.

Last error notification occurred for this connection. This is useful if the connection does not reach the up state to see if an error has occurred in the proposal exchange or when establishing the tunnel. In most cases this variable should be empty.

Used for debugging purpose of the VPN connections. May affect the performance significant. Please handle with care. If the bit is set informational(0) messages, unhandled(1) messages (not handled by the stack) are logged to the event log Bits: 'unhandled': 1, 'informational': 0.

The row status of this table entry. If the row status is 'active' then it is not allowed to change any value (this applies also to active traffic selectors). The maximum number of active VPN connections is limited to hm2VpnConnMax. The maximum number of active and up VPN connections is limited to hm2VpnConnActiveMax.

A list of VPN connections.

A VPN connection entry.

Version of the IKE protocol used by connection: o ikev1: used protocol is IKE version 1 (ISAKMP) o ikev2: used protocol is IKE version 2 Enumeration: 'ikev2': 2, 'ikev1': 1.

Algorithms the IKE use for key exchange.

Algorithms IPsec use for the data communication.

Local host detected by IKE.

Remote host detected by IKE.

Time in seconds since the connection has been established (is updated after IKE re-authentication).

Time in seconds when the next IKE re-authentication will take place.

Time in seconds when the next IKE re-keying will take place.

Time in seconds when the next IPsec re-keying will take place.

Number of input Bytes from this IPsec tunnel.

Number of input packets from this IPsec tunnel.

Time in seconds since the IPsec tunnel has received last time data.

Number of output Bytes to this IPsec tunnel.

Number of output packets to this IPsec tunnel.

Time in seconds since to the IPsec tunnel has sent last time data.

The IKE initiator SPI (local or remote, depends on initiator settings).

The IKE responder SPI (local or remote, depends on initiator settings).

The input IPsec SPI.

The output IPsec SPI.

A list of traffic selectors. For details on the role of traffic selectors in IPsec protocol see RFC 2409, section 5.5 and RFC 4306, section 2.9.

A traffic selector entry. A traffic selector defines the subnet/host addresses for which this IPSec connection (SA) is responsible.

An index that (together with the connection index hm2VpnConnIndex) identifies the entry in the traffic selector table. This index can be choosen freely, but must be greater than 0.

Host or subnet address in CIDR notation (a.b.c.d/n) for which this traffic descriptor (and the associated VPN connection) is responsible. This address is compared to the source address of IP packets sent, when determining the associated IPsec and IKE-SA. The special keyword 'any' means that the address comparison always matches.

Host or subnet address in CIDR notation (a.b.c.d/n) for which this traffic descriptor (and the associated VPN connection) is responsible. This address is compared to the destination address of IP packets sent, when determining the associated IPsec and IKE-SA. The special keyword 'any' means that the address comparison always matches.

The optional source restrictions (names or numbers) , e.g. tcp/http which is equal to 6/80, or udp which is equal to udp/any or /53 which is equal to any/53

The optional destination restrictions (names or numbers) , e.g. tcp/http which is equal to 6/80, or udp which is equal to udp/any or /53 which is equal to any/53

User defined text.

The row status of this table entry. Only traffic selector entries with an 'active' row status will be considered if the connections row status is set 'active'. Independent of that dependency any value in this entry can be changed only if the row status is not 'active'.

Setting the correct passphrase here before uploading an encrypted private key or an encrypted PKCS12 container will trigger the decryption of the uploaded file before storing on the device. The value cannot be read and is not stored after the file transfer. WARNING: the file is stored unencrypted on the device. Use with care!

The list of certificates available on the device.

A certificate file entry. A certificate file which has been copied to the device and can be used for VPN connections.

Index of the entry.

Subject field of certificate.

Certificate issuer.

Time and date when certificate is begining to be valid.

Time and date when certificate will expire.

Name of the file consisting of alphanumeric characters plus hyphen, underscore and dot.

Type of the container file used. Enumeration: 'peer': 2, 'encryptedkey': 3, 'ca': 1, 'pkcs12': 4, 'encryptedpkcs12': 5.

Time and date of last write access using the content of the variable hm2SystemTime.

Shows if a Peer certificate has a private key uploaded on the device. A Peer certificate cannot be used without a private key uploaded to the device. Does not apply to CA certificates. Enumeration: 'notFound': 3, 'none': 1, 'present': 2.

Name of the file consisting of alphanumeric characters plus hyphen, underscore and dot.

Number of active connections that use this certificate. The certificate cannot be deleted from the device unless there are no active connections using it (this field is set to 0).

Provides a way to delete unused certificate files from the device. A certificate can only be deleted if there are no active connections using it (see hm2VpnCertificateNoConnections). Deleting a Peer certificate automatically deletes the private key asociated with it (if any). Enumeration: 'other': 1, 'delete': 2.

Indicates that for a VPN connection no active traffic selectors are available.

Indicates that too many VPN connections are in active state.

Indicates that too many VPN connections shall be added to the configuration.

Indicates that an active row shall be changed.

Indicates that for a VPN connection as initiator the remote end point is set to any.