-- extracted from draft-ietf-ipsec-ike-monitor-mib-00.txt -- at Mon Nov 15 17:11:29 1999 IKE-MON-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64, Integer32, Unsigned32, Gauge32, OBJECT-IDENTITY, experimental, NOTIFICATION-TYPE FROM SNMPv2-SMI TruthValue FROM SNMPv2-TC IpsecIpv6Address, IpsecRawId FROM IPSEC-SA-MON-MIB saLocalIpAddress, saRemoteIpAddress, saInitiatorCookie, saResponderCookie, saLocalUdpPort, saRemoteUdpPort FROM ISAKMP-DOI-IND-MON-MIB IpsecDoiIdentType, IkeAuthMethod, IkeEncryptionAlgorithm, IkeGroupDescription, IkePrf, IkeNotifyMessageType, IkeHashAlgorithm, IpsecDoiTransformIdent, IkeExchangeType, IpsecDoiSecProtocolId FROM IPSEC-ISAKMP-IKE-DOI-TC; ikeMonModule MODULE-IDENTITY LAST-UPDATED "9910211200Z" ORGANIZATION "IETF IPsec Working Group" CONTACT-INFO " Tim Jenkins TimeStep Corporation 362 Terry Fox Drive Kanata, ON K0A 2H0 Canada +1 (613) 599-3610 tjenkins@timestep.com John Shriver Intel Corporation 28 Crosby Drive Bedford, MA 01730 +1 (781) 687-1329 John.Shriver@intel.com " DESCRIPTION "The MIB module to describe IKE phase 1 SAs, security association suites, and entity level objects and events for those types." REVISION "9910211200Z" DESCRIPTION "Initial revision." -- replace xxx in next line before release, uncomment before release -- ::= { mib-2 xxx } -- delete next line before release ::= { experimental 500 } -- invalid! ikeMonMIBObjects OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all IKE monitoring MIB branches." ::= { ikeMonModule 1 } -- -- significant branches -- ikePhase1Objects OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for IKE phase 1 objects." ::= { ikeMonMIBObjects 1 } phase2Objects OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for IKE phase 2 objects, including the suite and phase 2 SA tables." 
::= { ikeMonMIBObjects 2 } oakleyObjects OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for Oakley groups." ::= { ikeMonMIBObjects 3 } ikeGroups OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which describe the groups in this MIB." ::= { ikeMonMIBObjects 4 } ikeConformance OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which describe the conformance for this MIB." ::= { ikeMonMIBObjects 5 } -- -- significant IKE phase 1 SA branches -- ikeTables OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for the IKE phase 1 security associations table." ::= { ikePhase1Objects 1 } ikeGlobals OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are global values for IKE." ::= { ikePhase1Objects 2 } ikeTrafStats OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are global counters for IKE traffic statistics." ::= { ikePhase1Objects 3 } ikeErrors OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are global error counters for IKE." ::= { ikePhase1Objects 4 } ikeTrapControl OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all trap controls for the IKE phase 1 SA portion of this MIB." ::= { ikePhase1Objects 5 } ikeTraps OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all traps for the IKE phase 1 SA portion of this MIB." ::= { ikePhase1Objects 6 } ikeNotifications OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all notification objects of this MIB." ::= { ikePhase1Objects 7 } -- -- significant SA suite branches -- suiteTables OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for the suite table."
::= { phase2Objects 1 } suiteGlobals OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are global values for suites." ::= { phase2Objects 2 } suiteTrafStats OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are global counters for suite traffic statistics." ::= { phase2Objects 3 } suiteErrors OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are global error counters for suites." ::= { phase2Objects 4 } suiteTrapControl OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all trap controls for the suite portion of this MIB." ::= { phase2Objects 5 } suiteTraps OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all traps for the suite portion of this MIB." ::= { phase2Objects 6 } -- -- the Oakley Group MIB-Group -- -- a collection of objects providing information about the -- Oakley Groups that the entity knows about that are not well known -- -- A table is defined for each type of Oakley group -- (each value in 'IkeGroupDescription'). -- -- This MIB has tables for groups of type MODP, ECP, or EC2N. -- For groups that are not MODP, ECP, or EC2N, a new table should be -- defined in a MIB for that group. The table should have one -- integer index, which should be the first column. The columns -- should be the IKE attributes used by that new type of group. -- modpGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF ModpGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing Oakley MODP groups that are not well known that the entity has negotiated or knows about. There should be one row for every Oakley MODP group negotiated or supported by the entity that is not a well- known group. The maximum number of rows is implementation dependent." 
::= { oakleyObjects 1 } modpGroupEntry OBJECT-TYPE SYNTAX ModpGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular Oakley MODP group. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { modpGroupIndex } ::= { modpGroupTable 1 } ModpGroupEntry ::= SEQUENCE { modpGroupIndex Unsigned32, -- component parts modpFieldSize Unsigned32, modpPrime OCTET STRING, modpGenerator OCTET STRING, modpLPF OCTET STRING, modpStrength Unsigned32 } modpGroupIndex OBJECT-TYPE SYNTAX Unsigned32 (1..16777215) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value, greater than zero, for each Oakley MODP group. It is recommended that values are assigned contiguously starting from 1. The value for each MODP group must remain constant at least from one re-initialization of entity's network management system to the next re-initialization." ::= { modpGroupEntry 1 } modpFieldSize OBJECT-TYPE SYNTAX Unsigned32 UNITS "bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The size of a field element, in bits." REFERENCE "RFC 2412 Appendix A" ::= { modpGroupEntry 2 } modpPrime OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The prime of the MODP group." REFERENCE "RFC 2412 Appendix A" ::= { modpGroupEntry 3 } modpGenerator OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The generator value of the MODP group." REFERENCE "RFC 2412 Appendix A" ::= { modpGroupEntry 4 } modpLPF OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The largest prime factor of the group size, or 0 if unspecified." 
REFERENCE "RFC 2412 Appendix A" ::= { modpGroupEntry 5 } modpStrength OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The strength of the group, which is approximately the number of key-bits protected, or 0 if unspecified." REFERENCE "RFC 2412 Appendix A" ::= { modpGroupEntry 6 } ecpGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF EcpGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing Oakley ECP groups that are not well known that the entity has negotiated or knows about. There should be one row for every Oakley ECP group negotiated or supported by the entity that is not a well- known group. The maximum number of rows is implementation dependent." ::= { oakleyObjects 2 } ecpGroupEntry OBJECT-TYPE SYNTAX EcpGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular Oakley ECP group. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { ecpGroupIndex } ::= { ecpGroupTable 1 } EcpGroupEntry ::= SEQUENCE { ecpGroupIndex Unsigned32, -- component parts ecpFieldSize Unsigned32, ecpPrime OCTET STRING, ecpGeneratorOne OCTET STRING, ecpGeneratorTwo OCTET STRING, ecpParameterOne OCTET STRING, ecpParameterTwo OCTET STRING, ecpLPF OCTET STRING, ecpOrder OCTET STRING, ecpStrength Unsigned32 } ecpGroupIndex OBJECT-TYPE SYNTAX Unsigned32 (1..16777215) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value, greater than zero, for each Oakley ECP group. It is recommended that values are assigned contiguously starting from 1. The value for each ECP group must remain constant at least from one re-initialization of entity's network management system to the next re-initialization." ::= { ecpGroupEntry 1 } ecpFieldSize OBJECT-TYPE SYNTAX Unsigned32 UNITS "bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The size of a field element, in bits." 
REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 2 } ecpPrime OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The prime of the ECP group." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 3 } ecpGeneratorOne OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The first generator value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 4 } ecpGeneratorTwo OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The second generator value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 5 } ecpParameterOne OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The first elliptic curve parameter value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 6 } ecpParameterTwo OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The second elliptic curve parameter value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 7 } ecpLPF OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The largest prime factor of the group size, or 0 if unspecified." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 8 } ecpOrder OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The order of the group, or 0 if it is unspecified." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 9 } ecpStrength OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The strength of the group, which is approximately the number of key-bits protected." 
REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 10 } ec2nGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF Ec2nGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing Oakley EC2N groups that are not well known that the entity has negotiated or knows about. There should be one row for every Oakley group negotiated or supported by the entity that is not a well-known group. The maximum number of rows is implementation dependent." ::= { oakleyObjects 3 } ec2nGroupEntry OBJECT-TYPE SYNTAX Ec2nGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular Oakley EC2N group. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { ec2nGroupIndex } ::= { ec2nGroupTable 1 } Ec2nGroupEntry ::= SEQUENCE { ec2nGroupIndex Unsigned32, -- component parts ec2nDegree Unsigned32, ec2nIrrPoly OCTET STRING, ec2nGeneratorOne OCTET STRING, ec2nGeneratorTwo OCTET STRING, ec2nParameterOne OCTET STRING, ec2nParameterTwo OCTET STRING, ec2nLPF OCTET STRING, ec2nOrder OCTET STRING, ec2nStrength Unsigned32 } ec2nGroupIndex OBJECT-TYPE SYNTAX Unsigned32 (1..16777215) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value, greater than zero, for each Oakley EC2N group. It is recommended that values are assigned contiguously starting from 1. The value for each EC2N group must remain constant at least from one re-initialization of entity's network management system to the next re-initialization." ::= { ec2nGroupEntry 1 } ec2nDegree OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The degree of the irreducible polynomial." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 2 } ec2nIrrPoly OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The prime or the irreducible field polynomial." 
REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 3 } ec2nGeneratorOne OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The first generator value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 4 } ec2nGeneratorTwo OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The second generator value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 5 } ec2nParameterOne OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The first elliptic curve parameter value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 6 } ec2nParameterTwo OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The second elliptic curve parameter value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 7 } ec2nLPF OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The largest prime factor of the group size, or 0 if unspecified." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 8 } ec2nOrder OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The order of the group, or 0 if it is unspecified." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 9 } ec2nStrength OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The strength of the group, which is approximately the number of key-bits protected, or 0 if it is unspecified." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 10 } -- -- the IKE Phase 1 SA MIB-Group -- -- a collection of objects providing information about -- the IKE phase 1 SAs -- ikeSaTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing the IKE SAs. 
The number of rows is the same as the number of IKE phase 2 SAs that are in the process of being negotiated or are negotiated in the entity. Phrased another way, there is a row in this table for each row in 'saTable' for which 'saDoi' is 'ipsecDOI(1)'. The maximum number of rows is implementation dependent." ::= { ikeTables 1 } ikeSaEntry OBJECT-TYPE SYNTAX IkeSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular IKE SA. There is an entry in this table for each 'saEntry' in which 'saDoi' is 'ipsecDOI(1)'. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { saLocalIpAddress, saRemoteIpAddress, saInitiatorCookie, saResponderCookie } ::= { ikeSaTable 1 } IkeSaEntry ::= SEQUENCE { -- ID and authentication information saAuthMethod IkeAuthMethod, saPeerIdType IpsecDoiIdentType, saPeerId IpsecRawId, saPeerCertSerialNum OCTET STRING, saPeerCertIssuer OCTET STRING, saLocalIdType IpsecDoiIdentType, saLocalId IpsecRawId, -- security algorithm information saEncAlg IkeEncryptionAlgorithm, saEncKeyLength Unsigned32, saHashAlg IkeHashAlgorithm, saHashKeyLength Unsigned32, saPRF IkePrf, saOakleyGroupDesc IkeGroupDescription, saOakleyGroup OBJECT IDENTIFIER, -- expiration limits saLimitSeconds Unsigned32, -- 0 if none saLimitKbytes Unsigned32, -- 0 if none saLimitKeyUses Unsigned32, -- 0 if none -- current operating statistics saAccKbytes Counter32, saKeyUses Counter32, saCreatedSuites Counter32, saDeletedSuites Counter32 } saAuthMethod OBJECT-TYPE SYNTAX IkeAuthMethod MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication method used to authenticate the peers. Note that this does not include the specific method of extended authentication if extended authentication is used."
::= { ikeSaEntry 1 } saPeerIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used by the peer that negotiated this SA." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { ikeSaEntry 2 } saPeerId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The ID used by the peer that negotiated this SA." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { ikeSaEntry 3 } saPeerCertSerialNum OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..63)) MAX-ACCESS read-only STATUS current DESCRIPTION "The serial number of the certificate of the peer this SA was negotiated with. This object has no meaning if a certificate was not used in authenticating the peer." ::= { ikeSaEntry 4 } saPeerCertIssuer OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The issuer name of the certificate of the peer this control channel was negotiated with. This object has no meaning if a certificate was not used in authenticating the peer." ::= { ikeSaEntry 5 } saLocalIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used by the local entity that negotiated this SA." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { ikeSaEntry 6 } saLocalId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The ID used by the local entity that negotiated this SA." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { ikeSaEntry 7 } saEncAlg OBJECT-TYPE SYNTAX IkeEncryptionAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The encryption algorithm used to protect this SA." ::= { ikeSaEntry 8 } saEncKeyLength OBJECT-TYPE SYNTAX Unsigned32 (0..65531) UNITS "bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the encryption key in bits used for the algorithm specified in the 'saEncAlg' object. It may be 0 if the key length is implicit in the specified algorithm."
::= { ikeSaEntry 9 } saHashAlg OBJECT-TYPE SYNTAX IkeHashAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The hash algorithm used to protect this SA." ::= { ikeSaEntry 10 } saHashKeyLength OBJECT-TYPE SYNTAX Unsigned32 (0..65531) UNITS "bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the key in bits used for the hash algorithm specified in the 'saHashAlg' object. It may be 0 if the key length is implicit in the specified algorithm." ::= { ikeSaEntry 11 } saPRF OBJECT-TYPE SYNTAX IkePrf MAX-ACCESS read-only STATUS current DESCRIPTION "The pseudo-random function used by this SA, or 0 if the HMAC version of the negotiated hash algorithm is used as a pseudo-random function." REFERENCE "RFC 2409 Appendix A" ::= { ikeSaEntry 12 } saOakleyGroupDesc OBJECT-TYPE SYNTAX IkeGroupDescription MAX-ACCESS read-only STATUS current DESCRIPTION "The group number used to generate the Diffie-Hellman key pair when setting up the SA, or 0 if none of the defined groups was used. If this value is 0, the 'saOakleyGroup' must not also be OBJECT IDENTIFIER { 0 0 }." REFERENCE "RFC 2409 Section 6." ::= { ikeSaEntry 13 } saOakleyGroup OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The object identifier of the Oakley group row that was used if a well-known group was not used to generate the Diffie-Hellman key pair for this SA. If a well-known group was used, the value should be set to the OBJECT IDENTIFIER { 0 0 }. For example, if the group is a MODP group, the value of this object is the object identifier of 'modpGroupIndex' of the appropriate row ('modpGroupEntry') in 'modpGroupTable'." REFERENCE "RFC 2409 Section 6" ::= { ikeSaEntry 14 } saLimitSeconds OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum number of seconds the SA is allowed to exist, or 0 if there is no time-based limit on the existence of the SA.
The display value is limited to 4,294,967,295 seconds (more than 136 years); values greater than that value will be truncated." ::= { ikeSaEntry 15 } saLimitKbytes OBJECT-TYPE SYNTAX Unsigned32 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum number of kilobytes the SA is allowed to encrypt before it expires, or 0 if there is no traffic-by-byte-based limit on the existence of the SA. The display value is limited to 4,294,967,295 kilobytes (more than 4,194,304 Mbyte); values greater than that value will be truncated." ::= { ikeSaEntry 16 } saLimitKeyUses OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum number of times the SA is allowed to provide keying material from its own Diffie-Hellman exchange before it expires, or 0 if there is no keying material-based limit on the existence of the SA." ::= { ikeSaEntry 17 } saAccKbytes OBJECT-TYPE SYNTAX Counter32 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of kilobytes the SA has encrypted that count against any lifetime restriction based on traffic. This value may be 0 if there is no such restriction." ::= { ikeSaEntry 18 } saKeyUses OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of times the SA has provided keying material derived from its own original Diffie-Hellman exchange." ::= { ikeSaEntry 19 } saCreatedSuites OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of SA suites that this SA has successfully created. In other words, the total number of successful quick mode exchanges multiplied by the number of SA payloads in each of those exchanges." ::= { ikeSaEntry 20 } saDeletedSuites OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of SA suites that this SA has sent or received SA suite delete notifications for.
When delete notifications are sent or received for more than one SA in an SA suite, this number shall be incremented by one, and not by the number of SAs in the suite that were deleted." ::= { ikeSaEntry 21 } -- -- the IKE SA By Creators Table -- saByCreatorsTable OBJECT-TYPE SYNTAX SEQUENCE OF SaByCreatorsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table that sorts the IKE phase 1 SAs by the endpoint identifiers. The number of rows in this table is the same as the number of IKE phase 1 SAs in the entity." ::= { ikeTables 2 } saByCreatorsEntry OBJECT-TYPE SYNTAX SaByCreatorsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) referencing a particular IKE phase 1 SA. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { saByCreatorsLocalIdType, saByCreatorsLocalId, saByCreatorsPeerIdType, saByCreatorsPeerId, saByCreatorsIndex } ::= { saByCreatorsTable 1 } SaByCreatorsEntry ::= SEQUENCE { -- index saByCreatorsLocalIdType IpsecDoiIdentType, saByCreatorsLocalId IpsecRawId, saByCreatorsPeerIdType IpsecDoiIdentType, saByCreatorsPeerId IpsecRawId, saByCreatorsIndex Unsigned32, -- sa reference saIkeLocalIpAddress OBJECT IDENTIFIER, saIkeRemoteIpAddress OBJECT IDENTIFIER, saIkeInitiatorCookie OBJECT IDENTIFIER, saIkeResponderCookie OBJECT IDENTIFIER } saByCreatorsLocalIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used by the local entity that negotiated this SA." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { saByCreatorsEntry 1 } saByCreatorsLocalId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The ID used by the local entity that negotiated this SA."
REFERENCE "RFC 2407 Section 4.6.2.1" ::= { saByCreatorsEntry 2 } saByCreatorsPeerIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used by the remote entity that negotiated this SA." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { saByCreatorsEntry 3 } saByCreatorsPeerId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The ID used by the remote entity that negotiated this SA." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { saByCreatorsEntry 4 } saByCreatorsIndex OBJECT-TYPE SYNTAX Unsigned32 (1..16777215) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value, greater than zero, for each IKE phase 1 SA that exists between the two endpoints. It is recommended that values are assigned contiguously starting from 1." ::= { saByCreatorsEntry 5 } saIkeLocalIpAddress OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The 'saLocalIpAddress' of the phase 1 SA for this row." ::= { saByCreatorsEntry 6 } saIkeRemoteIpAddress OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The 'saRemoteIpAddress' of the phase 1 SA for this row." ::= { saByCreatorsEntry 7 } saIkeInitiatorCookie OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The 'saInitiatorCookie' of the phase 1 SA for this row." ::= { saByCreatorsEntry 8 } saIkeResponderCookie OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The 'saResponderCookie' of the phase 1 SA for this row." ::= { saByCreatorsEntry 9 } -- the Exchange Count MIB-Group -- -- a collection of objects providing information about the -- number of exchanges performed using ISAKMP-based SAs -- exchangeTable OBJECT-TYPE SYNTAX SEQUENCE OF ExchangeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing the exchanges used.
There should be one row for every exchange attempt that has occurred using a phase 1 security association that exists in the entity. The maximum number of rows is implementation dependent." ::= { ikeTables 3 } exchangeEntry OBJECT-TYPE SYNTAX ExchangeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular exchange used in an SA. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { saLocalIpAddress, saRemoteIpAddress, saInitiatorCookie, saResponderCookie, exchangeType } ::= { exchangeTable 1 } ExchangeEntry::= SEQUENCE { -- identification exchangeType IkeExchangeType, -- the statistics exchangeTotalCount Counter32, exchangeInitiatedCount Counter32, exchangeRespondedCount Counter32 } exchangeType OBJECT-TYPE SYNTAX IkeExchangeType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the exchange for which the statistics of this row apply." ::= { exchangeEntry 1 } exchangeTotalCount OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of complete exchanges of the type performed using the SA, as either initiator or as responder. If there were failed attempts to initiate exchanges, this value is not equal to the sum of 'exchangeInitiatedCount' and 'exchangeRespondedCount'." ::= { exchangeEntry 2 } exchangeInitiatedCount OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of exchanges of the type attempted using the SA as initiator. This includes exchanges that failed or were incomplete." ::= { exchangeEntry 3 } exchangeRespondedCount OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of complete exchanges of the type performed using the SA as responder."
::= { exchangeEntry 4 } -- -- the Suite MIB-Group -- -- a collection of objects providing information about -- the phase 2 SA suites -- suiteTable OBJECT-TYPE SYNTAX SEQUENCE OF SuiteEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing the phase 2 suites. The number of rows in this table is the same as the number of suites in the entity. The maximum number of rows is implementation dependent." ::= { suiteTables 1 } suiteEntry OBJECT-TYPE SYNTAX SuiteEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular phase 2 SA suite. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { suiteIndex } ::= { suiteTable 1 } SuiteEntry ::= SEQUENCE { -- index suiteIndex Unsigned32, -- end points suiteLocalAddress IpsecIpv6Address, suiteRemoteAddress IpsecIpv6Address, -- creator ID information suitePhase1RemoteIdType IpsecDoiIdentType, suitePhase1RemoteId IpsecRawId, suitePhase1LocalIdType IpsecDoiIdentType, suitePhase1LocalId IpsecRawId, -- selectors suiteRemoteId IpsecRawId, suiteRemoteIdType IpsecDoiIdentType, suiteLocalId IpsecRawId, suiteLocalIdType IpsecDoiIdentType, suiteProtocol Integer32, suiteRemotePort Integer32, suiteLocalPort Integer32, -- keying material source information suiteOakleyGroupDesc IkeGroupDescription, suiteOakleyGroup OBJECT IDENTIFIER, -- operating statistics suiteLifeSeconds Counter32, suiteInUserOctets Counter64, suiteInPackets Counter64, suiteOutUserOctets Counter64, suiteOutPackets Counter64, -- error statistics suiteSendErrors Counter32, suiteReceiveErrors Counter32 } suiteIndex OBJECT-TYPE SYNTAX Unsigned32 (1..16777215) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value, greater than zero, for each SA suite. It is recommended that values are assigned contiguously starting from 1." 
::= { suiteEntry 1 } suiteLocalAddress OBJECT-TYPE SYNTAX IpsecIpv6Address MAX-ACCESS read-only STATUS current DESCRIPTION "The address used by the local entity that negotiated the SA suite. IPv4 entities will prefix the IP address with '0000:0000:0000:0000:0000:FFFF::'." ::= { suiteEntry 2 } suiteRemoteAddress OBJECT-TYPE SYNTAX IpsecIpv6Address MAX-ACCESS read-only STATUS current DESCRIPTION "The address used by the remote entity that negotiated the SA suite. IPv4 entities will prefix the IP address with '0000:0000:0000:0000:0000:FFFF::'." ::= { suiteEntry 3 } suitePhase1RemoteIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used by the remote entity that negotiated this suite." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { suiteEntry 4 } suitePhase1RemoteId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The ID of the remote entity that negotiated this suite." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { suiteEntry 5 } suitePhase1LocalIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used by the local entity that negotiated this suite." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { suiteEntry 6 } suitePhase1LocalId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The ID of the local entity that negotiated this suite." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { suiteEntry 7 } suiteRemoteId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The remote identifier of the SAs in the suite. It may be 0 if unknown or if the suite uses transport mode encapsulation. This corresponds to the destination identifier of outbound SAs in the suite, and to the source identifier of inbound SAs in the suite. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." 
::= { suiteEntry 8 } suiteRemoteIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used for 'suiteRemoteId'. It may be 0 if unknown or if the suite uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." ::= { suiteEntry 9 } suiteLocalId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The local identifier of the SAs in the suite. It may be 0 if unknown or if the suite uses transport mode encapsulation. This corresponds to the source identifier of outbound SAs in the suite, and to the destination identifier of inbound SAs in the suite. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." REFERENCE "RFC 2401 section 4.4.2" ::= { suiteEntry 10 } suiteLocalIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used for 'suiteLocalId'. It may be 0 if unknown or if the suite uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." REFERENCE "RFC 2401 section 4.4.2" ::= { suiteEntry 11 } suiteProtocol OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "The transport-layer protocol number that this suite carries, or 0 if it carries any protocol. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." REFERENCE "RFC 2401 section 4.4.2" ::= { suiteEntry 12 } suiteRemotePort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The remote port number of the protocol that this suite carries, or 0 if it carries any port number. This corresponds to the destination port number of outbound SAs in the suite, and to the source port number of inbound SAs in the suite. 
This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." REFERENCE "RFC 2401 section 4.4.2" ::= { suiteEntry 13 } suiteLocalPort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The local port number of the protocol that this suite carries, or 0 if it carries any port number. This corresponds to the source port number of outbound SAs in the suite, and to the destination port number of inbound SAs in the suite. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." REFERENCE "RFC 2401 section 4.4.2" ::= { suiteEntry 14 } suiteOakleyGroupDesc OBJECT-TYPE SYNTAX IkeGroupDescription MAX-ACCESS read-only STATUS current DESCRIPTION "The group number used to generate the Diffie-Hellman key pair when setting up the SA, or 0 if none of the well known groups was used, or if perfect forward secrecy was not used. Because the value 0 covers both of those cases, 'suiteOakleyGroup' must be consulted to distinguish a private group from the absence of perfect forward secrecy. Note that when perfect forward secrecy was not used, the keys of this suite are derived solely from the keying material of the phase 1 SA (RFC 2409 section 5.5), so compromise of that phase 1 SA also exposes the traffic of this suite." ::= { suiteEntry 15 } suiteOakleyGroup OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The table index value of the Oakley group row that was used if a well-known group was not used to generate the Diffie- Hellman key pair for this SA. If a well-known group was used, or if perfect forward secrecy was not used, the value should be set to the OBJECT IDENTIFIER { 0 0 }." ::= { suiteEntry 16 } suiteLifeSeconds OBJECT-TYPE SYNTAX Counter32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of seconds that the suite has existed." ::= { suiteEntry 17 } suiteInUserOctets OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of user level traffic measured in bytes handled by the suite in the inbound direction. This is the same as the user level traffic of the inner most inbound SA in the suite. Note that if the inner-most SA is a shared IPcomp SA, then this value may be difficult to calculate."
::= { suiteEntry 18 } suiteInPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound packets handled by the suite. This is the same as the number of packets handled by any one of the inbound SAs in the suite." ::= { suiteEntry 19 } suiteOutUserOctets OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of user level traffic measured in bytes handled by the suite in the outbound direction. This is the same as the user level traffic of the inner most outbound SA in the suite. Note that if the inner most SA is a shared IPcomp SA, then this value may be difficult to calculate." ::= { suiteEntry 20 } suiteOutPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of outbound packets handled by the suite. This is the same as the number of packets handled by any one of the outbound SAs in the suite." ::= { suiteEntry 21 } suiteSendErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of outbound packets discarded by the suite due to any error. This is the same as the sum of all errors of all outbound SAs in the suite." ::= { suiteEntry 22 } suiteReceiveErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound packets discarded by the suite due to any error. This is the same as the sum of all errors of all inbound SAs in the suite." ::= { suiteEntry 23 } -- -- the Phase 2 SA MIB-Group -- -- a collection of objects providing information about -- the phase 2 SAs in SA suites -- phase2SaTable OBJECT-TYPE SYNTAX SEQUENCE OF Phase2SaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing ID information for the phase 2 SAs that are part of suites. The number of rows in this table is the same as the number of unidirectional phase 2 IPsec SA pairs that are created as part of suites. 
The maximum number of rows is implementation dependent." ::= { suiteTables 2 } phase2SaEntry OBJECT-TYPE SYNTAX Phase2SaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular phase 2 SA within a suite. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { suiteIndex, saOrder } ::= { phase2SaTable 1 } Phase2SaEntry ::= SEQUENCE { -- additional indexing objects saOrder Unsigned32, -- SA identifiers saProtocol IpsecDoiTransformIdent, saInSpi Unsigned32, saOutSpi Unsigned32 } saOrder OBJECT-TYPE SYNTAX Unsigned32 (1..15) MAX-ACCESS read-only STATUS current DESCRIPTION "The position within the suite of the pair of SAs indicated by this row. A value of 1 is used to represent the outer-most SA pair. The outer-most SA of any given packet has its header next to the outer IP header of the processed packet, while the inner-most SA has its header nearest the data of the unprocessed packet. (Note that the IPcomp header may be missing in actual usage if a particular packet was not compressed.) This value should be monotonically increasing for every SA pair in a suite. The maximum value is implementation dependent, but will generally not exceed three." ::= { phase2SaEntry 1 } saProtocol OBJECT-TYPE SYNTAX IpsecDoiTransformIdent MAX-ACCESS read-only STATUS current DESCRIPTION "The protocol of the inbound/outbound SA pair indicated by this row of the table." ::= { phase2SaEntry 2 } saInSpi OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The security parameters index of the inbound SA of the inbound/outbound SA pair. If the protocol of the SA pair is IPcomp, this value is the CPI. This value is used with the value of 'suiteLocalAddress' from the row indexed by 'suiteIndex' to create a SPI/address pair that uniquely identifies the inbound SA used in this SA suite. 
This can then be used to look up the SA in the appropriate inbound SA table, based on 'saProtocol'." REFERENCE "RFC 2406 Section 2.1" ::= { phase2SaEntry 3 } saOutSpi OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The security parameters index of the outbound SA of the inbound/outbound SA pair. If the protocol of the SA pair is IPcomp, this value is the CPI. This value is used with the value of 'suiteRemoteAddress' from the row indexed by 'suiteIndex' to create a SPI/destination-address pair that uniquely identifies the outbound SA used in this SA suite. Note that the destination address of an outbound SA is the remote address, not the local one: RFC 2401 section 4.4 identifies an SA by the triple of SPI, destination address and security protocol, which is also how 'ipsecSaInSuiteTable' is indexed. This can then be used to look up the SA in the appropriate outbound SA table, based on 'saProtocol'." REFERENCE "RFC 2406 Section 2.1" ::= { phase2SaEntry 4 } -- -- the Phase 2 Suite By Creators Table -- suiteByCreatorsTable OBJECT-TYPE SYNTAX SEQUENCE OF SuiteByCreatorsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table that sorts the SA suites by the phase 1 (IKE SA) identities of the local and remote endpoints that negotiated them. The number of rows in this table is the same as the number of suites in the entity." ::= { suiteTables 3 } suiteByCreatorsEntry OBJECT-TYPE SYNTAX SuiteByCreatorsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) referencing a particular suite. A row in this table cannot be created or deleted by SNMP operations on columns of the table."
INDEX { suiteByCreatorsP1LocalIdType, suiteByCreatorsP1LocalId, suiteByCreatorsP1RemoteIdType, suiteByCreatorsP1RemoteId, suiteByCreatorsIndex } ::= { suiteByCreatorsTable 1 } SuiteByCreatorsEntry ::= SEQUENCE { -- index suiteByCreatorsP1LocalIdType IpsecDoiIdentType, suiteByCreatorsP1LocalId IpsecRawId, suiteByCreatorsP1RemoteIdType IpsecDoiIdentType, suiteByCreatorsP1RemoteId IpsecRawId, suiteByCreatorsIndex Unsigned32, -- suite reference suiteByCreatorsRef OBJECT IDENTIFIER } suiteByCreatorsP1LocalIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used by the local entity that negotiated this suite." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { suiteByCreatorsEntry 1 } suiteByCreatorsP1LocalId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The ID of the local entity that negotiated this suite." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { suiteByCreatorsEntry 2 } suiteByCreatorsP1RemoteIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used by the remote entity that negotiated this suite." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { suiteByCreatorsEntry 3 } suiteByCreatorsP1RemoteId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The ID of the remote entity that negotiated this suite." REFERENCE "RFC 2407 Section 4.6.2.1" ::= { suiteByCreatorsEntry 4 } suiteByCreatorsIndex OBJECT-TYPE SYNTAX Unsigned32 (1..16777215) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value, greater than zero, for each SA suite that is between the two endpoints. It is recommended that values are assigned contiguously starting from 1 for each SA suite between the two endpoints." 
::= { suiteByCreatorsEntry 5 } suiteByCreatorsRef OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The OBJECT IDENTIFIER of the 'suiteIndex' instance in the row ('suiteEntry') of the 'suiteTable' to which this row refers, i.e. the object identifier of 'suiteIndex' followed by the index value of the referenced suite. Because the SYNTAX is OBJECT IDENTIFIER, this object carries a pointer to the row rather than the bare integer value of 'suiteIndex'." ::= { suiteByCreatorsEntry 6 } -- -- the Phase 2 Suite By Selector Table -- suiteBySelectorsTable OBJECT-TYPE SYNTAX SEQUENCE OF SuiteBySelectorsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table that sorts the suites by the selectors. The number of rows in this table is the same as the number of suites in the entity." ::= { suiteTables 4 } suiteBySelectorsEntry OBJECT-TYPE SYNTAX SuiteBySelectorsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) referencing a particular suite. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { suiteBySelectorsLocalId, suiteBySelectorsLocalIdType, suiteBySelectorsRemoteId, suiteBySelectorsRemoteIdType, suiteBySelectorsProtocol, suiteBySelectorsLocalPort, suiteBySelectorsRemotePort, suiteBySelectorsIndex } ::= { suiteBySelectorsTable 1 } SuiteBySelectorsEntry ::= SEQUENCE { -- index suiteBySelectorsLocalId IpsecRawId, suiteBySelectorsLocalIdType IpsecDoiIdentType, suiteBySelectorsRemoteId IpsecRawId, suiteBySelectorsRemoteIdType IpsecDoiIdentType, suiteBySelectorsProtocol Integer32, suiteBySelectorsLocalPort Integer32, suiteBySelectorsRemotePort Integer32, suiteBySelectorsIndex Unsigned32, -- suite reference suiteBySelectorsRef OBJECT IDENTIFIER } suiteBySelectorsLocalId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The local identifier of the selector of the suite. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations."
::= { suiteBySelectorsEntry 1 } suiteBySelectorsLocalIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used for 'suiteBySelectorsLocalId'. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." ::= { suiteBySelectorsEntry 2 } suiteBySelectorsRemoteId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The remote identifier of the selector of the suite. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." REFERENCE "RFC 2401 section 4.4.2" ::= { suiteBySelectorsEntry 3 } suiteBySelectorsRemoteIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used for 'suiteBySelectorsRemoteId'. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." REFERENCE "RFC 2401 section 4.4.2" ::= { suiteBySelectorsEntry 4 } suiteBySelectorsProtocol OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "The transport-layer protocol number that this suite carries, or 0 if it carries any protocol. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." REFERENCE "RFC 2401 section 4.4.2" ::= { suiteBySelectorsEntry 5 } suiteBySelectorsLocalPort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The local port number of the protocol that this suite carries, or 0 if it carries any port number. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." REFERENCE "RFC 2401 section 4.4.2" ::= { suiteBySelectorsEntry 6 } suiteBySelectorsRemotePort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The remote port number of the protocol that this SA carries, or 0 if it carries any port number. 
This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." REFERENCE "RFC 2401 section 4.4.2" ::= { suiteBySelectorsEntry 7 } suiteBySelectorsIndex OBJECT-TYPE SYNTAX Unsigned32 (1..16777215) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value, greater than zero, for each SA suite that has the same selectors. It is recommended that values are assigned contiguously starting from 1." ::= { suiteBySelectorsEntry 8 } suiteBySelectorsRef OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The OBJECT IDENTIFIER of the 'suiteIndex' instance in the row ('suiteEntry') of the 'suiteTable' to which this row refers, i.e. the object identifier of 'suiteIndex' followed by the index value of the referenced suite. Because the SYNTAX is OBJECT IDENTIFIER, this object carries a pointer to the row rather than the bare integer value of 'suiteIndex'." ::= { suiteBySelectorsEntry 9 } -- -- the Phase 2 SA to Suite Table -- ipsecSaInSuiteTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecSaInSuiteEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table that allows determination of which suite a particular phase 2 SA is in. The number of rows in this table is the same as the number of phase 2 SAs in the entity." ::= { suiteTables 5 } ipsecSaInSuiteEntry OBJECT-TYPE SYNTAX IpsecSaInSuiteEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) referencing a particular phase 2 SA. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { ipsecSaInSuiteDestAddress, ipsecSaInSuiteProtocol, ipsecSaInSuiteSpi } ::= { ipsecSaInSuiteTable 1 } IpsecSaInSuiteEntry ::= SEQUENCE { -- index ipsecSaInSuiteDestAddress IpsecIpv6Address, ipsecSaInSuiteProtocol IpsecDoiSecProtocolId, ipsecSaInSuiteSpi Unsigned32, -- SA reference ipsecSaInSuiteRef OBJECT IDENTIFIER } ipsecSaInSuiteDestAddress OBJECT-TYPE SYNTAX IpsecIpv6Address MAX-ACCESS read-only STATUS current DESCRIPTION "The destination address of the IPsec phase 2 SA to which this row refers."
::= { ipsecSaInSuiteEntry 1 } ipsecSaInSuiteProtocol OBJECT-TYPE SYNTAX IpsecDoiSecProtocolId MAX-ACCESS read-only STATUS current DESCRIPTION "The security protocol of the IPsec phase 2 SA to which this row refers." ::= { ipsecSaInSuiteEntry 2 } ipsecSaInSuiteSpi OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The SPI value of the IPsec phase 2 SA to which this row refers. If the value of 'ipsecSaInSuiteProtocol' is 'protoIpcomp(4)', then this is the CPI of the SA." REFERENCE "RFC 2406 Section 2.1" ::= { ipsecSaInSuiteEntry 3 } ipsecSaInSuiteRef OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "The OBJECT IDENTIFIER of the 'suiteIndex' instance in the row ('suiteEntry') of the 'suiteTable' to which this row refers, i.e. the object identifier of 'suiteIndex' followed by the index value of the suite that uses this SA. Because the SYNTAX is OBJECT IDENTIFIER, this object carries a pointer to the row rather than the bare integer value of 'suiteIndex'." ::= { ipsecSaInSuiteEntry 4 } -- the Notify Message MIB-Group -- -- a collection of objects providing information about -- the occurrences of notify messages notifyCountTable OBJECT-TYPE SYNTAX SEQUENCE OF NotifyCountEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing information on IPSec notify message counts. Rows are created in this table for every notification type that has been sent or received by the entity. This table MAY be sparsely populated; that is, rows for which the count is 0 may be absent." ::= { ikeNotifications 1 } notifyCountEntry OBJECT-TYPE SYNTAX NotifyCountEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the total number of occurrences of a notify message. A row in this table cannot be created or deleted by SNMP operations on columns of the table."
INDEX { notifyProtocol, notifyType } ::= { notifyCountTable 1 } NotifyCountEntry ::= SEQUENCE { -- identification notifyProtocol IpsecDoiSecProtocolId, notifyType IkeNotifyMessageType, -- ocurrences notifySentCount Counter32, notifyReceivedCount Counter32 } notifyProtocol OBJECT-TYPE SYNTAX IpsecDoiSecProtocolId MAX-ACCESS read-only STATUS current DESCRIPTION "The value representing a protocol for which the notify was used." REFERENCE "RFC 2408 Section 3.14" ::= { notifyCountEntry 1 } notifyType OBJECT-TYPE SYNTAX IkeNotifyMessageType MAX-ACCESS read-only STATUS current DESCRIPTION "The value representing a specific ISAKMP notify message, or 0 if unknown. Values are assigned from the set of notify message types as defined in Section 3.14.1 of [ISAKMP], and enhanced by the IPsec DOI. In addition, the value 0 may be used for this object when the object is used as a trap cause, and the cause is unknown." REFERENCE "RFC 2408 Section 3.14.1" ::= { notifyCountEntry 2 } notifySentCount OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of times the specific notify message has been sent by the entity since system boot." ::= { notifyCountEntry 3 } notifyReceivedCount OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of times the specific notify message has been received by the entity since system boot." ::= { notifyCountEntry 4 } -- the IKE Entity MIB-Group -- -- a collection of objects providing information about overall IKE -- status in the entity -- -- IKE phase 1 SA statistics -- ikeCurrentSAs OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The current number of IKE SAs in the entity." ::= { ikeGlobals 1 } ikeCurrentInitiatedSAs OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The current number of IKE SAs successfully negotiated in the entity that were initiated by the entity." 
::= { ikeGlobals 2 } ikeCurrentRespondedSAs OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The current number of IKE SAs successfully negotiated in the entity that were initiated by the peer entity." ::= { ikeGlobals 3 } ikeTotalSAs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IKE SAs successfully negotiated in the entity since boot time." ::= { ikeGlobals 4 } ikeTotalInitiatedSAs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IKE SAs successfully negotiated in the entity since boot time that were initiated by the entity." ::= { ikeGlobals 5 } ikeTotalRespondedSAs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IKE SAs successfully negotiated in the entity since boot time that were initiated by the peer entity." ::= { ikeGlobals 6 } ikeTotalAttempts OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IKE SAs negotiation attempts made since boot time. This includes successful negotiations." ::= { ikeGlobals 7 } ikeTotalSaInitAttempts OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IKE SAs negotiation attempts made where the entity was the initiator since boot time. This includes successful negotiations." ::= { ikeGlobals 8 } ikeTotalSaRespAttempts OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IKE SAs negotiation attempts made where the entity was the responder since boot time. This includes successful negotiations." ::= { ikeGlobals 9 } -- -- IKE Aggregate Traffic Statistics -- ikeTotalInPackets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IKE packets received by the entity since boot time, including re-transmissions and un-encrypted packets." 
::= { ikeTrafStats 1 } ikeTotalOutPackets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IKE packets sent by the entity since boot time, including re-transmissions and un-encrypted packets." ::= { ikeTrafStats 2 } ikeTotalInOctets OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The total amount of IKE traffic received by the entity since boot time, measured in bytes, including any re- transmitted packets received, and including encrypted and un-encrypted packets." ::= { ikeTrafStats 3 } ikeTotalOutOctets OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The total amount of IKE traffic sent by the entity since boot time, measured in bytes, including any re-transmissions and including encrypted and un-encrypted packets." ::= { ikeTrafStats 4 } -- -- IKE Phase 1 SA Aggregate Errors -- ikeTotalInitFailures OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of attempts to initiate an IKE phase 1 SA that failed since boot time, when there was a response from the peer entity. This value may be used to detect clogging or denial-of- service attacks." ::= { ikeErrors 1 } ikeTotalInitNoResponses OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of attempts to initiate an IKE phase 1 SA that failed since boot time, when there was no response from the peer entity. This should only be incremented if the peer does not respond to the first packet of attempted negotiations." ::= { ikeErrors 2 } ikeTotalRespFailures OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of attempts to negotiate an IKE phase 1 SA that failed since boot time, when the initiation attempt came from the peer entity. Because any unauthenticated sender can start a phase 1 exchange, a rapid rise in this counter relative to 'ikeTotalRespondedSAs' may indicate a flood of bogus initiations (a clogging or denial-of-service attack) rather than a configuration problem."
::= { ikeErrors 3 } -- -- Suite Global Objects -- totalSuites OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of suites created by the entity since system boot." ::= { suiteGlobals 1 } currentSuites OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of suites currently in existence in the entity." ::= { suiteGlobals 2 } -- -- Suite Aggregate Traffic Statistics -- suiteTotalInUserKbytes OBJECT-TYPE SYNTAX Counter64 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The total amount of user level traffic carried by all suites in the entity since boot time, measured in kilobytes, in the inbound direction. This is the sum of the 'suiteInUserOctets' column for all suite rows created since boot time, expressed in kilobytes. Whether a kilobyte is 1000 or 1024 octets is not defined by this module; implementations should document the divisor used, since it determines how this object relates to the per-suite octet counts." ::= { suiteTrafStats 1 } suiteTotalInPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets carried by all suites in the entity since boot time in the inbound direction. This is the sum of the 'suiteInPackets' column for all suite rows created since boot time." ::= { suiteTrafStats 2 } suiteTotalOutUserKbytes OBJECT-TYPE SYNTAX Counter64 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The total amount of user level traffic carried by all suites in the entity since boot time, measured in kilobytes, in the outbound direction. This is the sum of the 'suiteOutUserOctets' column for all suite rows created since boot time, expressed in kilobytes. Whether a kilobyte is 1000 or 1024 octets is not defined by this module; implementations should document the divisor used, since it determines how this object relates to the per-suite octet counts." ::= { suiteTrafStats 3 } suiteTotalOutPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets carried by all suites in the entity since boot time, in the outbound direction. This is the sum of the 'suiteOutPackets' column for all suite rows created since boot time."
::= { suiteTrafStats 4 } -- -- Suite Aggregate Error Counts -- suiteInitFailures OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of attempts to initiate a suite that failed since boot time, when the attempt was initiated locally." ::= { suiteErrors 1 } suiteRespondFailures OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of attempts to initiate a suite that failed since boot time, when the attempt was initiated by the peer entity." ::= { suiteErrors 2 } -- -- Traps and Trap Control -- ikeNegFailureTrapEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Indicates whether ikeNegFailure traps should be generated. This object is writable: a manager with write access to it can silently disable failure reporting, so write access should be restricted to authorized managers. Because a phase 1 failure can be provoked by any unauthenticated sender of IKE packets, enabling this trap allows a remote party to cause trap traffic at will; agents should consider rate-limiting the notification." DEFVAL { false } ::= { ikeTrapControl 1 } ikeNegFailure NOTIFICATION-TYPE OBJECTS { saLocalIdType, saLocalId, saPeerIdType, saPeerId, saLocalIpAddress, saLocalUdpPort, saRemoteIpAddress, saRemoteUdpPort, saAuthMethod, saPeerCertSerialNum, saPeerCertIssuer, ikeTotalInitFailures, ikeTotalInitNoResponses, ikeTotalRespFailures, notifyType } STATUS current DESCRIPTION "An attempt to negotiate a phase 1 IKE SA failed. The notification type sent or received is also sent as part of the trap, along with the current value of the total negotiation error counters for ISAKMP. Since the negotiation did not complete, the peer identity, certificate and address fields carried by this trap were supplied by an unauthenticated peer and should be treated as untrusted by the trap receiver." ::= { ikeTraps 1 } suiteNegFailureTrapEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Indicates whether 'suiteNegFailure' traps should be generated. This object is writable: a manager with write access to it can silently disable failure reporting, so write access should be restricted to authorized managers." DEFVAL { false } ::= { suiteTrapControl 1 } suiteNegFailure NOTIFICATION-TYPE OBJECTS { suiteRemoteId, suiteRemoteIdType, suiteLocalId, suiteLocalIdType, suiteProtocol, suiteRemotePort, suiteLocalPort, suiteInitFailures, suiteRespondFailures, notifyType } STATUS current DESCRIPTION "An attempt to negotiate a phase 2 SA suite for the specified selectors failed. The current total failure counts are passed as well as the notification type sent or received as part of the failure."
::= { suiteTraps 1 } END