XEDIA-IPSEC-MIB: View SNMP OID List / Download MIB

This module defines objects for management of Xedias IP security (IPsec) Virtual Private Network (VPN) component.

The type of IPSec Transform Layer currently active (i.e., software only, hardware assisted).

The IPSec algorithms currently available.

This table defines a set of security attributes that will be used to describe a security association (SA). There may be many SAs that use the same security profile.

The attributes that make up a single security profile. New entries are created using the ipsecSecurityProfileRowStatus object.

The name of the security profile. For example Medium-Security or Maximum-Security.

The IPsec security protocol(s). When the combination of ah(1) and esp(0) is used, the authentication protocol specified in ipsecSecurityProfileAuthentication is used for AH only and no authentication is performed for ESP.

The encryption protocol. In the first release we support des(3), des3(4), and null(12) only.

The authentication protocol. Used for ESP or AH only. Note that when ipsecSecurityProfileAuthentication is not null(1), anti-replay services are also implemented.

The compression method. This is used when ipsecSecurityProfileProtocol is set to ipcomp(2) or both esp(0) and ipcomp(2). The default is lzs(3).

The number of seconds before the SA expires. When 0, the SA expiration timer is disabled. The default is 24*3600 = 86400 seconds (i.e., 24 hours). The minimum allowed expiration timer value is 5*60 = 300 seconds (i.e., 5 minutes). The maximum value is 86400 seconds (i.e., 24 hours). Rekeying begins 1 minute prior to SA expiration.

The number of KBytes before re-keying. When 0, SA expiration volume is disabled. The default is 0. The minimum allowed expiration volume value is 100 KBytes. The maximum is 1000000KBytes (i.e., 10GBytes). Rekeying begins when 95% of the volume limit has been used up.

The number of seconds of inactivity before the SA is removed. When 0, SA inactivity timer is disabled. The minimum allowed expiration timer value is 10*60 = 600 seconds (i.e., 10 minutes). The maximum value is 86400 seconds (i.e., 24 hours). Note that the inactivity timer, if enabled, must be less than the expiration timer minus one minute, to ensure it will expire for an idle SA prior to the start of rekeying.

When enabled PFS is enforced. This requires generation on new key material for each protocol SA (i.e., non ISAKMP SA). The default is false(2).

Defines 1st or 2nd Oakley group used by ISAKMP. The default is first(1).

When status is assigned(1), the security profile is referenced by one or more SAs. Modifications and deletions are allowed for unassigned security profiles only.

This object allows entries to be created and deleted in this table. Note that entries with ipsecSecurityProfileAssignmentStatus of assigned(1) cannot be deleted.

Information associated with an IPSec Interface.

Information about a single IPSec Interface.

The type of IPSec interface.

The IP address of the remote security gateway.

Specifies pre-shared key to be used by ISAKMP for authentication.

The number of tunnels currently configured on the interface.

The total number of tunnels created on the interface since the interface was created.

The number of tunnels in the Up state on the interface.

The value of sysUpTime the last time a tunnel on the interface changed status (ipsecTunnelOperStatus). This object indicates to the manager when it needs to repoll for new tunnel configuration and status.

The current number of security associations (SAs) for all the tunnels on this interface. Typically there will be 2 SAs (1 inbound and 1 outbound) for each tunnel in the up state. During dynamic tunnel rekeying there may be 0 to 4 SAs on a tunnel since IKE removes the current SAs and adds new SAs.

The total number of security associations (SAs) for all tunnels created on the interface since the interface was configured. For interfaces with dynamic tunnels, this object gives an indication of how many IKE rekeying events have occured. Every time a dynamic tunnel successfully rekeys, new inbound and outbound SAs are created and this object is incremented by 2.

The total number of IPSec packets received which contained an invalid SPI (Security Parameter Index) and therefore could not be associated with a tunnel nor a specific interface.

The number of packets that could not be send out a tunnel because the tunnel lookup failed.

The total number of compressed packets received.

The total number of bytes after decompression in compressed packets received.

The total number of compressed packets transmitted.

The total number of bytes prior to compression in compressed packets transmitted.

Specifies the authentication method which will be used by this gateway to establish dynamic IKE tunnel connections. Note that the ipsecTunnelAuthentMethod represents the authentication method used to bring up the current tunnel connection.

Specifies when IKE will initiate dynamic, site to site tunnel establishment with the remote gateway. If automatic(1), the gateway attempts to negotiate tunnels as soon as they are configured and enabled. If outboundTraffic(2), the gateway attempts to negotiate tunnels only when traffic is routed out the tunnel. If disabled(3), the gateway never initiates tunnel establishment. In all cases, the gateway will participate in tunnel negotiation when initiated by the remote gateway. Note that this object is disabled(3) for dialin group and client tunnels since clients always initiate.

IKE keepalive protocol update timeout value. When set to 0, the IKE keepalive protocol is disabled. Default is set to disabled. Minimum value is 10 sec, maximum value is 3600 sec. This value specifies frequency in seconds of IKE keepalive update messages to be generated.

IKE keepalive protocol expire retry counter value. Default is set to 4. Minimum value is 2, maximum value is 10. This value specifies a number of IKE keepalive update messages missed before the remote gateway/end system is declared to be down.

IKE keepalive protocol cancel retry counter value. Default is set to 6. Minimum value is 2, maximum value is 10. This value specifies a number of IKE keepalive update messages missed immediately after IKE keepalive protocol starts running for the protocol to be disabled (likely reason: remote gateway does not support/disabled IKE keepalive protocol.

IKE keepalive state.

The total number of packets that are currently queued for all dynamic site-to-site tunnels created on the interface. These packets will remained queued for a particular tunnel until that tunnel state transitions to DOWN or UP.

The tunnel table is used to configure and monitor VPN tunnels. There two cases here: site-to-site and remote dial-in. For site-to-site VPN the entry in the tunnel table must be configured. There are two types of tunnels: static tunnels and dynamic tunnels. When dynamic tunnels are configured and become operational, the ISAKMP protocol creates an SA pair, one inbound and one outbound. When static tunnels are configured, inbound and outbound SAa need to be created through network management. In this case key and peer SPI (security profile index) must be set. Static SAs are like ATM PVCs. Dynamic SAs are like ATM SVCs. All dial-in clients are organized into user groups. One or more users (dial-in clients) may be in the group. All dial-in users that are members of the same group get the same security attributes. Actual users may be either configured internally (in the ipsecRemoteClient table) or in the external database such as X.500 directory or Radius, etc. The administrator has an option of defining a Default group. Users that do not have any User group membership are assigned into a Default group. For remote dial-in VPNs, the tunnel entries are first statically configured for every defined user group, for example XediaEngineering, etc. Tunnels for individual users in the group are created automatically when user of the group initiates a connection. These automatically created remote client tunnels are children of a statically configured parent user group tunnel. The name of automatically created dial-in tunnel (which must be unique) is constructed as follows: tunnelName.userName, for example XediaEngineering.schwartz. For site-to-site and dial-in-group tunnel VPNs the objects access is as specified. For dial-in children tunnel VPNs which are automatically created by the system, all objects are read-only except for ipsecTunnelAdminStatus. This object has write access and when set to down, it would result in tearing down user dial-in session, i.e. all security associations for this dial-in client will be deleted.

Information about a tunnel. Tunnels are manually created using the ipsecTunnelRowStatus object.

Name of the tunnel. For example, Boston-to-LA (site-to-site), XediaEnginnering (remote client dial-in group), etc. The name must be unique in the system and it is used as tunnel entry index. When new tunneling tables are defined (i.e. L2TP, etc.) the tunnel name still has to be unique in the system.

The tunnel type. When dialinGroup(1), dialinClient(2) or siteToSiteDynamic(4) is specified, ISAKMP is responsible for SA creation. Otherwise, when siteToSiteStatic(2) is specified, SAs must be configured manually. This definition implies that all dial-in tunnels (and SAs created for them) are always dynamic. Tunnels of type dialinGroup(1) are created by the administrator and are read-write. They have a range of remote client addresses. When a dial-in client connects within the remote client range of a parent tunnel, a read-only dialinClient(2) tunnel is dynamically created.

This object is the desired state of the tunnel and is similar to interface administrative state. The default is up(1). When the ipsecTunnelAdminStatus is set to up(1) for a dialin parent tunnel, it enables remote clients in this group to connect to the VPN gateway. When the ipsecTunnelAdminStatus is set to down(2) for a dialin parent tunnel, it disables remote clients in this group from connecting to the VPN gateway. When tunnelAdminStatus is set to up for siteToSiteStatic, it enables use of statically configured SAs. Setting it to down, effectively disables use of statically configured SAs. When tunnelAdminStatus is set to up for siteToSiteDynamic, it enables the VPN gateway to start establishments of SAs via ISAKMP. If the ISAKMP failed to setup SA (for example when the peer is not ready) it will periodically retry SA establishment indefinetly until it succeeds. Setting it to down, disables initiation of SAs and it also disables responding to remote ISAKMP initiation requests.

This is the operational state (the actual state of the tunnel. This object is similar to interface operational state.

The value of sysUpTime the last time the ipsecTunnelOperStatus changed. On re-initialization of the system, this object contains a zero value. When a new tunnel is created, this will be initialized to the value of sysUpTime when the entry was created.

The local address and mask define the local trusted subnet (or single host if mask is all 1s) for the tunnel. The local trusted subnet or host identifies source addresses for the tunnel. The local trusted address(es) together with the remote trusted address(es) identify the traffic flow into the tunnel. This attribute and the mask default to 0 which specifies any source address for the tunnel.

The local trusted address mask of the tunnel. Refer to ipsecTunnelLocalAddress.

The remote address and mask define the remote trusted subnet (or single host if mask is all 1s) for the tunnel. The remote trusted subnet or host identifies destination addresses for the tunnel. The remote trusted address(es) together with the local trusted address(es) identify the traffic flow into the tunnel. This attribute and the mask default to 0 which specifies any destination address for the tunnel. For dialinGroup tunnels with ipsecTunnelClientAddressAssign set to internalPool, the remote subnet is used as a pool of addresses which the gateway allocates to dialin clients. In this case, the remote subnet must be specified. For dialinClient(2) tunnels this object gives the enterprise address of the client aka the inner client address within the tunnel as opposed to the outer Internet address which is given by ipsecTunnelRemoteGateway.

The remote trusted address mask of the tunnel. Refer to ipsecTunnelRemoteAddress. For dialin client tunnels, the ipsecTunnelRemoteAddress and ipsecTunnelRemoteMask provides represents the clients assigned subnet mask.

The IP address of the remote security gateway. For siteToSite tunnels, this object is a copy of the associated ipsecIfRemoteGateway. For dialinClient tunnels, this is the outer Internet address of the client as opposed to the inner enterprise address which is given by ipsecTunnelRemoteAddress.

Defines which Security Profile to use for this tunnel. This is a name of Security Profile entry in the Security Profile table.

Defines authentication method which was used to establish the current IKE tunnel connection. Not applicable for static tunnels. Note that ipsecIfIkeAuthentMethod specifies the method with which the local system will attempt to initiate a connection.

Address assignment method is configured for dialin group tunnels and determines how clients within the group will be assigned an enterprise IP address and subnet. The enterprise address is the inner tunneled address as opposed to the outer Internet address which is typically assigned by the clients local ISP. If disabled(0), clients are preconfigured with an address and subnet, so no assignment occurs. If internalPool(1), clients are assigned an address and subnet from the dialin groups remote address/mask. If radius(2), clients address and subnet are given by the RADIUS server as part of the users information. This object is read-only for clients and simply reflects the address assignment value of the dialin group. This object is not applicable for site to site tunnels and will always read disabled(0).

The current number of security associations (SAs) for this tunnel. Typically there will be 2 SAs (1 inbound and 1 outbound) for a tunnel in the up state. During dynamic tunnel rekeying there may be 0 to 4 SAs on the tunnel since IKE removes the current SAs and adds new SAs.

The total number of security associations (SAs) created for this tunnel since the tunnel was configured. For dynamic tunnels, this object gives an indication of how many IKE rekeying events have occured. Every time a dynamic tunnel successfully rekeys, new inbound and outbound SAs are created and this object is incremented by 2.

The total number of packets received on the tunnel since it was created.

The total number of bytes received on the tunnel since it was created.

The total number of packets received on the tunnel which had to be dropped because of a full queue.

The total number of packets received on the tunnel with invalid authentication data.

The total number of packets received on the tunnel with an invalid sequence number.

The total number of packets received on the tunnel with a valid sequence number and authentication data (if applicable), but an invalid packet format. For instance if the packet has an invalid length or next header.

The total number of packets transmitted out the tunnel since it was created.

The total number of bytes transmitted out the tunnel since it was created.

The total number of packets that could not be sent out the tunnel because the tunnel state was not up.

The total number of packets that could not be sent out the tunnel because there was no security association (SA).

The total number of packets that could not be sent out the tunnel because the transform engines queue was full.

This object allows entries to be created and deleted in this table.

The total number of compressed packets received on the tunnel since it was created.

The total number of bytes after decompression in compressed packets received on the tunnel since it was created.

The total number of compressed packets transmitted out the tunnel since it was created.

The total number of bytes prior to compression in compressed packets transmitted out the tunnel since it was created.

Security Association (SA) table. Each entry in the table is a Security Association. SAs are associated with a single IPSec tunnel or transport and indexed accordingly. SAs associated with a tunnel will have the same ifIndex and name as the tunnel. SAs associated with a transport have a zero ifIndex and the same name as the transport. Dynamic site-to-site and dialin-client tunnels have dynamic SAs created dynamically by ISAKMP. Dialin-group tunnels do not have associated SAs since these represent a group of dialin-client tunnels which individually have SAs. Static tunnels have static SAs created manually.

Information about a specific Security Association.

The name of the tunnel or transport that this Security Association is associated with.

A numeric index to allow multiple Security Associations per tunnel or transport.

Security profile index. For static or dynamic inbound SAs, SPI is selected by us. For dynamic outbound SAs, SPI is selected by peer. For static outbound SAs, SPI is manually configured.

Specifies how SA was created. Manually configured SAs will have the value static(1). Dynamical SAs such as those created by key management protocols such as ISA-KMP will have the value dynamic(2).

SA direction. Traffic SAs are unidirectional whereas key management protocol SAs such as ISA-KMP are bidirectional.

Specifies the SA protocol type.

The SAs encryption key. For a dynamic SA, the encryption key is negotiated by the key management protocol such as ISAKMP and is not writeable. For static SAs, the keys are manually configured.

For dynamic SAs, the authentication keys have been negotiated by ISAKMP. For static SA, the keys have been configured. For static SA this is read-create object. For dynamic SA the object is not accessible.

It counts a total number of frames since the SA was created. For inbound SA it represents received frames. For outbound SA it represent transmitted frames. For isakmp SA it represents both received and transmitted frames.

It counts a total number of bytes since the SA was created. For inbound SA it represents received bytes. For outbound SA it represent transmitted bytes. For isakmp SA it represents both received and transmitted bytes.

This object allows entries to be created and deleted in this table. The only supported values supported are active(1), createAndGo(4), and destroy(4).

The compliance statement for all agents that support this MIB. A compliant agent implements all objects defined in this MIB.

The set of all accessible objects in this MIB.