-- extracted from draft-ietf-ipsec-monitor-mib-00.txt -- at Mon Nov 15 17:10:50 1999 IPSEC-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64, Integer32, Unsigned32, experimental, NOTIFICATION-TYPE FROM SNMPv2-SMI DateAndTime, TruthValue FROM SNMPv2-TC; ipsecMIB MODULE-IDENTITY LAST-UPDATED "9901251200Z" ORGANIZATION "IETF IPSec Working Group" CONTACT-INFO " Tim Jenkins TimeStep Corporation 362 Terry Fox Drive Kanata, ON K0A 2H0 Canada 613-599-3610 tjenkins@timestep.com" DESCRIPTION "The MIB module to describe generic IPSec objects, and entity level IPSec objects and events." REVISION "9901251200Z" DESCRIPTION "Initial revision." -- ::= { mib-2 ?? } ::= { experimental 500 } ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 } ipsec OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 } -- the IPSec Protection Suites MIB-Group -- -- a collection of objects providing information about -- IPSec protection suites ipsecProtSuiteTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecProtSuiteEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing information on IPSec protection suites." ::= { ipsec 1 } ipsecProtSuiteEntry OBJECT-TYPE SYNTAX IpsecProtSuiteEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular IPSec protection suite." 
INDEX { ipsecProtSuiteIndex } ::= { ipsecProtSuiteTable 1 } IpsecProtSuiteEntry ::= SEQUENCE { ipsecProtSuiteIndex Integer32, -- identification ipsecProtSuiteLocalAddress OCTET STRING, ipsecProtSuiteRemoteAddress OCTET STRING, ipsecProtSuiteInboundEspSpi Unsigned32, ipsecProtSuiteOutboundEspSpi Unsigned32, ipsecProtSuiteInboundAhSpi Unsigned32, ipsecProtSuiteOutboundAhSpi Unsigned32, ipsecProtSuiteInboundCompCpi INTEGER, ipsecProtSuiteOutboundCompCpi INTEGER, -- protection suite selectors ipsecProtSuiteLocalId OCTET STRING, ipsecProtSuiteLocalIdType Unsigned32, ipsecProtSuiteRemoteId OCTET STRING, ipsecProtSuiteRemoteIdType Unsigned32, ipsecProtSuiteProtocol Integer32, ipsecProtSuiteLocalPort Integer32, ipsecProtSuiteRemotePort Integer32, -- creation mechanism ipsecProtSuiteDifHelGroupDesc Integer32, ipsecProtSuiteDifHelGroupType Integer32, ipsecProtSuitePFS TruthValue, -- security services description ipsecProtSuiteEncapsulation INTEGER, ipsecProtSuiteEspEncAlg Integer32, ipsecProtSuiteEspEncKeyLength Unsigned32, ipsecProtSuiteEspAuthAlg Integer32, ipsecProtSuiteAhAuthAlg Integer32, ipsecProtSuiteCompAlg Integer32, -- expiration limits ipsecProtSuiteCreationTime DateAndTime, ipsecProtSuiteTimeLimit OCTET STRING, -- sec., 0 if none ipsecProtSuiteTrafficLimit OCTET STRING, -- 0 if none ipsecProtSuiteInTrafficCount OCTET STRING, ipsecProtSuiteOutTrafficCount OCTET STRING, -- current operating statistics ipsecProtSuiteInboundTraffic Counter64, ipsecProtSuiteOutboundTraffic Counter64, ipsecProtSuiteInboundPackets Counter64, ipsecProtSuiteOutboundPackets Counter64, -- error statistics ipsecProtSuiteDecryptErrors Counter32, ipsecProtSuiteAuthErrors Counter32, ipsecProtSuiteReplayErrors Counter32, ipsecProtSuitePolicyErrors Counter32, ipsecProtSuiteOtherReceiveErrors Counter32, ipsecProtSuiteSendErrors Counter32 } ipsecProtSuiteIndex OBJECT-TYPE SYNTAX Integer32 (1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value, greater than zero, for each 
IPSec protection suite. It is recommended that values are assigned contiguously starting from 1." ::= { ipsecProtSuiteEntry 1 } ipsecProtSuiteLocalAddress OBJECT-TYPE SYNTAX OCTET STRING ( SIZE( 4 | 16 ) ) MAX-ACCESS read-only STATUS current DESCRIPTION "The local IP address used by the protection suite. The size of this object is 4 if the address is an IPv4 address, or 16 if the address is an IPv6 address." ::= { ipsecProtSuiteEntry 2 } ipsecProtSuiteRemoteAddress OBJECT-TYPE SYNTAX OCTET STRING ( SIZE( 4 | 16 ) ) MAX-ACCESS read-only STATUS current DESCRIPTION "The peer IP address used by the protection suite. The size of this object is 4 if the address is an IPv4 address, or 16 if the address is an IPv6 address." ::= { ipsecProtSuiteEntry 3 } ipsecProtSuiteInboundEspSpi OBJECT-TYPE SYNTAX Unsigned32(1..4294967295) MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SPI for the inbound protection suite that provides the ESP security service, or zero if ESP is not used." ::= { ipsecProtSuiteEntry 4 } ipsecProtSuiteOutboundEspSpi OBJECT-TYPE SYNTAX Unsigned32(1..4294967295) MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SPI for the outbound protection suite that provides the ESP security service, or zero if ESP is not used." ::= { ipsecProtSuiteEntry 5 } ipsecProtSuiteInboundAhSpi OBJECT-TYPE SYNTAX Unsigned32(1..4294967295) MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SPI for the inbound protection suite that provides the AH security service, or zero if AH is not used." ::= { ipsecProtSuiteEntry 6 } ipsecProtSuiteOutboundAhSpi OBJECT-TYPE SYNTAX Unsigned32(1..4294967295) MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SPI for the outbound protection suite that provides the AH security service, or zero if AH is not used." 
::= { ipsecProtSuiteEntry 7 } ipsecProtSuiteInboundCompCpi OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the CPI for the inbound protection suite that provides IP compression, or zero if IPCOMP is not used." ::= { ipsecProtSuiteEntry 8 } ipsecProtSuiteOutboundCompCpi OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the CPI for the outbound protection suite that provides IP compression, or zero if IPCOMP is not used." ::= { ipsecProtSuiteEntry 9 } ipsecProtSuiteLocalId OBJECT-TYPE SYNTAX OCTET STRING (SIZE (4..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "The local identifier of the protection suite, or 0 if unknown or if the protection suite uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." ::= { ipsecProtSuiteEntry 10 } ipsecProtSuiteLocalIdType OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecProtSuiteLocalId', or 0 if unknown or if the protection suite uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." ::= { ipsecProtSuiteEntry 11 } ipsecProtSuiteRemoteId OBJECT-TYPE SYNTAX OCTET STRING (SIZE (4..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "The remote identifier of the protection suite, or 0 if unknown or if the protection suite uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." ::= { ipsecProtSuiteEntry 12 } ipsecProtSuiteRemoteIdType OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecProtSuiteRemoteId', or 0 if unknown or if the protection suite uses transport mode encapsulation. 
This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations." ::= { ipsecProtSuiteEntry 13 } ipsecProtSuiteProtocol OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "The IP protocol number that this protection suite carries, or 0 if it carries any protocol." ::= { ipsecProtSuiteEntry 14 } ipsecProtSuiteLocalPort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The local UDP or TCP port number that this protection suite carries, or 0 if it carries any port number." ::= { ipsecProtSuiteEntry 15 } ipsecProtSuiteRemotePort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The remote UDP or TCP port number that this protection suite carries, or 0 if it carries any port number." ::= { ipsecProtSuiteEntry 16 } ipsecProtSuiteDifHelGroupDesc OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the Diffie-Hellman group description used to set up this protection suite, or 0 if the description is unknown. Specific values are used as described in the ISAKMP Class Values of Group Description from Appendix A of [IKE]." ::= { ipsecProtSuiteEntry 17 } ipsecProtSuiteDifHelGroupType OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the Diffie-Hellman group type used to set up this protection suite, or 0 if the type is unknown. Specific values are used as described in the ISAKMP Class Values of Group Type from Appendix A of [IKE]." ::= { ipsecProtSuiteEntry 18 } ipsecProtSuitePFS OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "'true' if the protection suite was created using perfect forward secrecy." 
::= { ipsecProtSuiteEntry 19 } ipsecProtSuiteEncapsulation OBJECT-TYPE SYNTAX INTEGER { transport(1), tunnel(2) } MAX-ACCESS read-only STATUS current DESCRIPTION "The type of encapsulation used by this protection suite." ::= { ipsecProtSuiteEntry 20 } ipsecProtSuiteEspEncAlg OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the encryption algorithm applied to traffic carried by this protection suite if it uses ESP, or 0 if there is no encryption applied by ESP or if ESP is not used. Specific values are taken from section 4.4.4 of [IPDOI]." ::= { ipsecProtSuiteEntry 21 } ipsecProtSuiteEspEncKeyLength OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the encryption key in bits used for the algorithm specified in the 'ipsecProtSuiteEspEncAlg' object, or 0 if the key length is implicit in the specified algorithm or there is no encryption specified." ::= { ipsecProtSuiteEntry 22 } ipsecProtSuiteEspAuthAlg OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the hash algorithm applied to traffic carried by this protection suite if it uses ESP, or 0 if there is no authentication applied by ESP or if ESP is not used. Specific values are taken from the Authentication Algorithm attribute values of Section 4.5 of [IPDOI]." ::= { ipsecProtSuiteEntry 23 } ipsecProtSuiteAhAuthAlg OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the hash algorithm applied to traffic carried by this protection suite if it uses AH, or 0 if AH is not used. Specific values are taken from Section 4.4.3 of [IPDOI]." ::= { ipsecProtSuiteEntry 24 } ipsecProtSuiteCompAlg OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the compression algorithm applied to traffic carried by this protection suite if it uses IPCOMP. 
Specific values are taken from Section 4.4.5 of [IPDOI]." ::= { ipsecProtSuiteEntry 25 } ipsecProtSuiteCreationTime OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-only STATUS current DESCRIPTION "The date and time that the current protection suite was set up." ::= { ipsecProtSuiteEntry 26 } ipsecProtSuiteTimeLimit OBJECT-TYPE SYNTAX OCTET STRING (SIZE (4..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum lifetime in seconds of the protection suite, or 0 if there is no time constraint on its expiration." ::= { ipsecProtSuiteEntry 27 } ipsecProtSuiteTrafficLimit OBJECT-TYPE SYNTAX OCTET STRING (SIZE (4..255)) UNITS "1024-byte blocks" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum traffic in 1024-byte blocks that the protection suite is allowed to support, or 0 if there is no traffic constraint on its expiration." ::= { ipsecProtSuiteEntry 28 } ipsecProtSuiteInTrafficCount OBJECT-TYPE SYNTAX OCTET STRING (SIZE (4..255)) UNITS "1024-byte blocks" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of inbound traffic accumulated that counts against the protection suite's expiration by traffic limitation, measured in 1024-byte blocks. This value may be 0 if the protection suite does not expire based on traffic. In the case of multiple SAs within a protection suite, this value is the maximum of any traffic accumulation values applied to any of the individual SAs within the protection suite." ::= { ipsecProtSuiteEntry 29 } ipsecProtSuiteOutTrafficCount OBJECT-TYPE SYNTAX OCTET STRING (SIZE (4..255)) UNITS "1024-byte blocks" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of outbound traffic accumulated that counts against the protection suite's expiration by traffic limitation, measured in 1024-byte blocks. This value may be 0 if the protection suite does not expire based on traffic. 
In the case of multiple SAs within a protection suite, this value is the maximum of any traffic accumulation values applied to any of the individual SAs within the protection suite." ::= { ipsecProtSuiteEntry 30 } ipsecProtSuiteInboundTraffic OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of user level traffic measured in bytes handled by the protection suite in the inbound direction. This is not necessarily the same as the amount of traffic applied against the traffic expiration limit." ::= { ipsecProtSuiteEntry 31 } ipsecProtSuiteOutboundTraffic OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of user level traffic measured in bytes handled by the protection suite in the outbound direction. This is not necessarily the same as the amount of traffic applied against the traffic expiration limit." ::= { ipsecProtSuiteEntry 32 } ipsecProtSuiteInboundPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets handled by the protection suite in the inbound direction." ::= { ipsecProtSuiteEntry 33 } ipsecProtSuiteOutboundPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets handled by the protection suite in the outbound direction." ::= { ipsecProtSuiteEntry 34 } ipsecProtSuiteDecryptErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound packets discarded by the protection suite due to decryption errors." ::= { ipsecProtSuiteEntry 35 } ipsecProtSuiteAuthErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound packets discarded by the protection suite due to authentication errors. This includes hash failures in both ESP and AH." 
::= { ipsecProtSuiteEntry 36 } ipsecProtSuiteReplayErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound packets discarded by the protection suite due to replay errors. This includes replay failures in both ESP and AH." ::= { ipsecProtSuiteEntry 37 } ipsecProtSuitePolicyErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound packets discarded by the protection suite due to policy errors." ::= { ipsecProtSuiteEntry 38 } ipsecProtSuiteOtherReceiveErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound packets discarded by the protection suite due to errors other than decryption, authentication or replay errors. This may include decompression errors or errors due to a lack of receive buffers." ::= { ipsecProtSuiteEntry 39 } ipsecProtSuiteSendErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of outbound packets discarded by the protection suite due to any error. This may include compression errors or errors due to a lack of transmit buffers." ::= { ipsecProtSuiteEntry 40 } -- the IPSec IKE MIB-Group -- -- a collection of objects providing information about -- IPSec's IKE SAs ipsecIkeSaTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecIkeSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing information on IPSec's IKE SAs." ::= { ipsec 2 } ipsecIkeSaEntry OBJECT-TYPE SYNTAX IpsecIkeSaEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular IKE SA." 
INDEX { ipsecIkeSaIndex } ::= { ipsecIkeSaTable 1 } IpsecIkeSaEntry ::= SEQUENCE { ipsecIkeSaIndex Integer32, -- identifier information ipsecIkeSaInitiatorCookie OCTET STRING, ipsecIkeSaResponderCookie OCTET STRING, ipsecIkeSaLocalIpAddress OCTET STRING, ipsecIkeSaLocalPortNumber INTEGER, ipsecIkeSaLocalIdType Integer32, ipsecIkeSaLocalId OCTET STRING, -- peer information ipsecIkeSaPeerIpAddress OCTET STRING, ipsecIkeSaPeerPortNumber INTEGER, ipsecIkeSaAuthMethod Integer32, ipsecIkeSaPeerIdType Integer32, ipsecIkeSaPeerId OCTET STRING, ipsecIkeSaPeerCertSerialNum OCTET STRING, ipsecIkeSaPeerCertIssuer OCTET STRING, -- security algorithm information ipsecIkeSaEncAlg INTEGER, ipsecIkeSaEncKeyLength Integer32, ipsecIkeSaHashAlg Integer32, ipsecIkeSaDifHelGroupDesc Integer32, ipsecIkeSaDifHelGroupType Integer32, ipsecIkeSaDifHelFieldSize Integer32, ipsecIkeSaPRF Integer32, ipsecIkeSaPFS TruthValue, -- expiration limits ipsecIkeSaTimeStart DateAndTime, ipsecIkeSaTimeLimit OCTET STRING, -- in seconds ipsecIkeSaTrafficLimit OCTET STRING, -- in kbytes -- operating statistics ipsecIkeSaInboundTraffic Counter64, -- in bytes ipsecIkeSaOutboundTraffic Counter64, -- in bytes ipsecIkeSaInboundPackets Counter32, ipsecIkeSaOutboundPackets Counter32, ipsecIkeProtSuitesCreated Counter32, ipsecIkeProtSuitesDeleted Counter32, -- error statistics ipsecIkeSaDecryptErrors Counter32, ipsecIkeSaAuthErrors Counter32, ipsecIkeSaOtherReceiveErrors Counter32, ipsecIkeSaSendErrors Counter32 } ipsecIkeSaIndex OBJECT-TYPE SYNTAX Integer32 (1..16777215) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value, greater than zero, for each phase 1 SA. It is recommended that values are assigned contiguously starting from 1. The value for each entry must remain constant at least from one re-initialization of entity's network management system to the next re-initialization." 
::= { ipsecIkeSaEntry 1 } ipsecIkeSaInitiatorCookie OBJECT-TYPE SYNTAX OCTET STRING (SIZE (16)) MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the cookie used by the initiator for the phase 1 SA." ::= { ipsecIkeSaEntry 2 } ipsecIkeSaResponderCookie OBJECT-TYPE SYNTAX OCTET STRING (SIZE (16)) MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the cookie used by the responder for the phase 1 SA." ::= { ipsecIkeSaEntry 3 } ipsecIkeSaLocalIpAddress OBJECT-TYPE SYNTAX OCTET STRING ( SIZE( 4 | 16 ) ) MAX-ACCESS read-only STATUS current DESCRIPTION "The local IP address used to negotiate the SA. The size of the object is 4 if the address is an IPv4 address and 16 if it is an IPv6 address." ::= { ipsecIkeSaEntry 4 } ipsecIkeSaLocalPortNumber OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The local UDP port number that this SA was negotiated with." ::= { ipsecIkeSaEntry 5 } ipsecIkeSaLocalIdType OBJECT-TYPE SYNTAX Integer32 (0..256) MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used by the local end of this SA. Specific values are used as described in Section 4.6.2.1 of [IPDOI]." ::= { ipsecIkeSaEntry 8 } ipsecIkeSaLocalId OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The ID of the local host that negotiated this SA. The length may require truncation under some conditions." ::= { ipsecIkeSaEntry 9 } ipsecIkeSaPeerIpAddress OBJECT-TYPE SYNTAX OCTET STRING ( SIZE( 4 | 16 ) ) MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the peer that this SA was negotiated with. The size of the object is 4 if the address is an IPv4 address and 16 if it is an IPv6 address." ::= { ipsecIkeSaEntry 10 } ipsecIkeSaPeerPortNumber OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The UDP port number of the peer that this SA was negotiated with." 
::= { ipsecIkeSaEntry 11 } ipsecIkeSaAuthMethod OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The authentication method used to authenticate the peer. Note that this does not include the specific method of authentication if extended authentication is used. Specific values are used as described in the ISAKMP Class Values of Authentication Method from Appendix A of [IKE]." ::= { ipsecIkeSaEntry 12 } ipsecIkeSaPeerIdType OBJECT-TYPE SYNTAX Integer32 (0..256) MAX-ACCESS read-only STATUS current DESCRIPTION "The type of ID used by the peer. Specific values are used as described in Section 4.6.2.1 of [IPDOI]." ::= { ipsecIkeSaEntry 13 } ipsecIkeSaPeerId OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The ID of the peer this SA was negotiated with. The length may require truncation under some conditions." ::= { ipsecIkeSaEntry 14 } ipsecIkeSaPeerCertSerialNum OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..63)) MAX-ACCESS read-only STATUS current DESCRIPTION "The serial number of the certificate of the peer this SA was negotiated with. This object has no meaning if a certificate was not used in authenticating the peer." ::= { ipsecIkeSaEntry 15 } ipsecIkeSaPeerCertIssuer OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The issuer of the certificate of the peer this SA was negotiated with. This object has no meaning if a certificate was not used in authenticating the peer." ::= { ipsecIkeSaEntry 16 } ipsecIkeSaEncAlg OBJECT-TYPE SYNTAX INTEGER (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the encryption algorithm applied to traffic carried by this SA. Specific values are used as described in the ISAKMP Class Values of Encryption Algorithms from Appendix A of [IKE]." 
::= { ipsecIkeSaEntry 17 } ipsecIkeSaEncKeyLength OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the encryption key in bits used for algorithm specified in the ipsecIkeSaEncAlg object or 0 if the key length is implicit in the specified algorithm." ::= { ipsecIkeSaEntry 18 } ipsecIkeSaHashAlg OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the hash algorithm applied to traffic carried by this SA. Specific values are used as described in the ISAKMP Class Values of Hash Algorithms from Appendix A of [IKE]." ::= { ipsecIkeSaEntry 19 } ipsecIkeSaDifHelGroupDesc OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the Diffie-Hellman group description used or 0 if the group is unknown. Specific values are used as described in the ISAKMP Class Values of Group Description from Appendix A of [IKE]." ::= { ipsecIkeSaEntry 20 } ipsecIkeSaDifHelGroupType OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the Diffie-Hellman group type used or 0 if the group is unknown. Specific values are used as described in the ISAKMP Class Values of Group Type from Appendix A of [IKE]." ::= { ipsecIkeSaEntry 21 } ipsecIkeSaDifHelFieldSize OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "The field size, in bits, of the Diffie-Hellman group used to generate the key-pair, or 0 if unknown." ::= { ipsecIkeSaEntry 22 } ipsecIkeSaPRF OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The pseudo-random functions used, or 0 if not used or if unknown. Specific values are used as described in the ISAKMP Class Values of PRF from Appendix A of [IKE] (which specifies none at the present time)." 
::= { ipsecIkeSaEntry 23 } ipsecIkeSaPFS OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "A value that indicates that perfect forward secrecy is used for all IPSec SAs created by this IKE SA." ::= { ipsecIkeSaEntry 24 } ipsecIkeSaTimeStart OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-only STATUS current DESCRIPTION "The date and time that the SA was set up." ::= { ipsecIkeSaEntry 25 } ipsecIkeSaTimeLimit OBJECT-TYPE SYNTAX OCTET STRING UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum lifetime in seconds of the SA, or 0 if there is no time constraint on its expiration." ::= { ipsecIkeSaEntry 26 } ipsecIkeSaTrafficLimit OBJECT-TYPE SYNTAX OCTET STRING UNITS "Kbytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum traffic in 1024-byte blocks that the SA is allowed to carry, or 0 if there is no traffic constraint on its expiration." ::= { ipsecIkeSaEntry 27 } ipsecIkeSaInboundTraffic OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of traffic measured in bytes handled in the SA in the inbound direction." ::= { ipsecIkeSaEntry 28 } ipsecIkeSaOutboundTraffic OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of traffic measured in bytes handled in the SA in the outbound direction." ::= { ipsecIkeSaEntry 29 } ipsecIkeSaInboundPackets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets handled in the SA in the inbound direction." ::= { ipsecIkeSaEntry 30 } ipsecIkeSaOutboundPackets OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets handled in the SA in the outbound direction." ::= { ipsecIkeSaEntry 31 } ipsecIkeProtSuitesCreated OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of phase 2 protection suites created by the SA." 
::= { ipsecIkeSaEntry 32 } ipsecIkeProtSuitesDeleted OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of phase 2 protection suites deleted by the SA." ::= { ipsecIkeSaEntry 33 } ipsecIkeSaDecryptErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound packets discarded by the phase 1 SA due to decryption errors." ::= { ipsecIkeSaEntry 34 } ipsecIkeSaAuthErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound packets discarded by the phase 1 SA due to authentication errors." ::= { ipsecIkeSaEntry 35 } ipsecIkeSaOtherReceiveErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of inbound packets discarded by the phase 1 SA due to errors other than decryption or authentication errors. This may include errors due to a lack of receive buffers." ::= { ipsecIkeSaEntry 36 } ipsecIkeSaSendErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of outbound packets discarded by the phase 1 SA due to any error. This may include errors due to a lack of transmit buffers." ::= { ipsecIkeSaEntry 37 } -- the IPSec Entity MIB-Group -- -- a collection of objects providing information about overall IPSec -- status in the entity -- -- Definitions of significant branches -- ipsecTrapsA OBJECT IDENTIFIER ::= { ipsec 3 } ipsecTraps OBJECT IDENTIFIER ::= { ipsecTrapsA 0 } ipsecIpsecStats OBJECT IDENTIFIER ::= { ipsec 4 } ipsecIpsecErrorStats OBJECT IDENTIFIER ::= { ipsec 5 } ipsecIkeStats OBJECT IDENTIFIER ::= { ipsec 6 } ipsecIkeErrorStats OBJECT IDENTIFIER ::= { ipsec 7 } ipsecNotifications OBJECT IDENTIFIER ::= { ipsec 8 } -- -- entity IPSec statistics -- ipsecIpsecTotalProtSuites OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of phase 2 protection suites established by the entity since boot time." 
::= { ipsecIpsecStats 1 } ipsecIpsecNegFailures OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of phase 2 protection suite negotiations that failed that occurred in the entity since boot time." ::= { ipsecIpsecStats 2 } ipsecIpsecTotalInboundPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound packets carried on IPSec protection suites since boot time." ::= { ipsecIpsecStats 3 } ipsecIpsecTotalTransOutboundPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets carried on IPSec protection suites since boot time." ::= { ipsecIpsecStats 4 } ipsecIpsecTotalTransInboundTraffic OBJECT-TYPE SYNTAX Counter64 UNITS "Kbytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The total amount of inbound traffic carried on IPSec protection suites since boot time, measured in 1024-octet blocks." ::= { ipsecIpsecStats 5 } ipsecIpsecTotalTransOutboundTraffic OBJECT-TYPE SYNTAX Counter64 UNITS "Kbytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The total amount of outbound traffic carried on IPSec protection suites since boot time, measured in 1024-octet blocks." ::= { ipsecIpsecStats 6 } -- -- IPSec error counts -- ipsecIpsecDecryptionErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by the entity in the IPSec protection suites since boot time with decryption errors." ::= { ipsecIpsecErrorStats 1 } ipsecIpsecAuthenticationErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by the entity in the IPSec protection suites since boot time with authentication errors. This includes all packets in which the hash value is determined to be invalid." 
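::= { ipsecIpsecErrorStats 2 }

ipsecIpsecReplayErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity in the
        IPSec protection suites since boot time with replay errors."
    ::= { ipsecIpsecErrorStats 3 }

ipsecIpsecPolicyErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity in the
        IPSec protection suites since boot time and discarded due to
        policy errors. This includes packets that had selectors that
        were invalid for the SA or protection suite that carried
        them."
    ::= { ipsecIpsecErrorStats 4 }

ipsecIpsecOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity in the
        IPSec protection suites since boot time and discarded due to
        errors not due to decryption, authentication, replay or
        policy."
    ::= { ipsecIpsecErrorStats 5 }

ipsecIpsecSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets to be sent by the entity in the
        IPSec protection suites since boot time and discarded due to
        errors."
    ::= { ipsecIpsecErrorStats 6 }

-- Unlike the five counters above, this one is not scoped to a
-- protection suite: a packet whose SPI/CPI matches no SA cannot be
-- attributed to one. Monitoring systems usually watch its rate rather
-- than its absolute value.
ipsecUnknownSpiErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since
        boot time with SPIs or CPIs that were not valid."
    ::= { ipsecIpsecErrorStats 7 }

--
-- entity IKE statistics
--

ipsecIkeTotalSAs OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 1 SAs successfully established by
        the entity since boot time."
    ::= { ipsecIkeStats 1 }

ipsecIkeNegFailures OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 1 SA negotiations that failed that
        occurred in the entity since boot time."
    ::= { ipsecIkeStats 2 }

ipsecIkeTotalInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets carried on phase 1 SAs
        since boot time."
    ::= { ipsecIkeStats 3 }

-- NOTE(review): the descriptor carries "Trans" while its inbound
-- counterpart (ipsecIkeTotalInboundPackets) does not. The names are
-- kept as registered; renaming would change the published object.
ipsecIkeTotalTransOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets carried on phase 1 SAs
        since boot time."
    ::= { ipsecIkeStats 4 }

ipsecIkeTotalTransInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Kbytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of inbound traffic carried on phase 1 SAs
        since boot time, measured in 1024-octet blocks."
    ::= { ipsecIkeStats 5 }

ipsecIkeTotalTransOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Kbytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of outbound traffic carried on phase 1 SAs
        since boot time, measured in 1024-octet blocks."
    ::= { ipsecIkeStats 6 }

--
-- IKE error counts
--

-- Counts packets that never reached an IKE SA (the description names
-- invalid cookies as an example); errors bound to a specific SA are
-- counted elsewhere.
ipsecIkeProtocolErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since
        boot time with IKE protocol errors. This includes packets
        with invalid cookies, but does not include errors that are
        associated with specific IKE SAs."
    ::= { ipsecIkeErrorStats 1 }

-- NOTE(review): the DESCRIPTION of this object and of
-- ipsecIkeAuthenticationErrors previously read "in the IPSec
-- protection suites", apparently copied from the ipsecIpsec* error
-- counters. Both are registered under ipsecIkeErrorStats, and the
-- sibling ipsecIkeOtherReceiveErrors explicitly scopes itself to
-- phase 1 SAs, so the scope is corrected here to match.
ipsecIkeDecryptionErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity in
        phase 1 SAs since boot time with decryption errors."
    ::= { ipsecIkeErrorStats 2 }

ipsecIkeAuthenticationErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity in
        phase 1 SAs since boot time with authentication errors. This
        includes all packets in which the hash value is determined
        to be invalid."
    ::= { ipsecIkeErrorStats 3 }

ipsecIkeOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity in
        phase 1 SAs since boot time and discarded due to errors not
        due to decryption or authentication."
    ::= { ipsecIkeErrorStats 4 }

ipsecIkeSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets to be sent by the entity in
        phase 1 SAs since boot time and discarded due to errors."
    ::= { ipsecIkeErrorStats 5 }

-- the IPSec Notify Message MIB-Group
--
-- a collection of objects providing information about
-- the occurrences of notify messages

ipsecNotifyMessageTotalCount OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of all types of notify messages sent or
        received by the entity since boot time. It is the sum of all
        occurrences in the 'ipsecNotifyCountTable'."
    ::= { ipsecNotifications 1 }

ipsecNotifyCountTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecNotifyCountEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec
        notify message counts. This table MAY be sparsely populated;
        that is, rows for which the count is 0 may be absent."
    ::= { ipsecNotifications 2 }

ipsecNotifyCountEntry OBJECT-TYPE
    SYNTAX      IpsecNotifyCountEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the total number of
        occurrences of a notify message."
    INDEX { ipsecNotifyMessage }
    ::= { ipsecNotifyCountTable 1 }

IpsecNotifyCountEntry ::= SEQUENCE {
    ipsecNotifyMessage       INTEGER,
    ipsecNotifyMessageCount  Counter32
}

-- Index of the table. The value 0 is reserved for "unknown"; since
-- this object is also carried in the failure traps below, a receiver
-- should treat 0 as "no cause available" rather than as a real type.
ipsecNotifyMessage OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value representing a specific IPSec notify message, or 0
        if unknown. Values are assigned from the set of notify message
        types as defined in Section 3.14.1 of [ISAKMP]. In addition,
        the value 0 may be used for this object when the object is
        used as a trap cause, and the cause is unknown."
    ::= { ipsecNotifyCountEntry 1 }

ipsecNotifyMessageCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of times the specific notify message has
        been received or sent by the entity since system boot."
    ::= { ipsecNotifyCountEntry 2 }

--
-- traps
--
-- Every packet-triggered trap below asks implementations to emit at
-- most one trap per peer or per protection suite within a reasonable
-- time period. This keeps trap volume bounded when an entity is
-- receiving a stream of malformed packets; a per-packet trap would let
-- the traffic source dictate the notification rate.
--

ipsecTrapIkeNegFailure NOTIFICATION-TYPE
    OBJECTS {
        ipsecIkeSaLocalIdType,
        ipsecIkeSaLocalId,
        ipsecIkeSaPeerIdType,
        ipsecIkeSaPeerId,
        ipsecIkeSaLocalIpAddress,
        ipsecIkeSaLocalPortNumber,
        ipsecIkeSaPeerIpAddress,
        ipsecIkeSaPeerPortNumber,
        ipsecIkeSaAuthMethod,
        ipsecIkeSaPeerCertSerialNum,
        ipsecIkeSaPeerCertIssuer,
        ipsecNotifyMessage
    }
    STATUS      current
    DESCRIPTION
        "An attempt to negotiate a phase 1 SA failed."
    ::= { ipsecTraps 1 }

-- NOTE(review): the peer address/port in this trap come from packets
-- that failed cookie validation, so they identify the apparent sender
-- only; the trap should not be read as authenticating the peer. The
-- DESCRIPTION previously lacked the closing parenthesis after
-- "time period".
ipsecTrapInvalidCookie NOTIFICATION-TYPE
    OBJECTS {
        ipsecIkeSaPeerIpAddress,
        ipsecIkeSaPeerPortNumber
    }
    STATUS      current
    DESCRIPTION
        "IKE packets with invalid cookies were detected from the
        specified peer. Implementations SHOULD send one trap per peer
        (within a reasonable time period), rather than sending one
        trap per packet."
    ::= { ipsecTraps 2 }

ipsecTrapIpsecNegFailure NOTIFICATION-TYPE
    OBJECTS {
        ipsecIkeSaIndex,
        ipsecNotifyMessage
    }
    STATUS      current
    DESCRIPTION
        "An attempt to negotiate a phase 2 protection suite within
        the specified IKE SA failed."
    ::= { ipsecTraps 3 }

ipsecTrapIpsecAuthFailure NOTIFICATION-TYPE
    OBJECTS { ipsecProtSuiteIndex }
    STATUS      current
    DESCRIPTION
        "IPSec packets with invalid hashes were found in the
        specified protection suite. Implementations SHOULD send one
        trap per protection suite (within a reasonable time period),
        rather than sending one trap per packet."
    ::= { ipsecTraps 4 }

ipsecTrapIpsecReplayFailure NOTIFICATION-TYPE
    OBJECTS { ipsecProtSuiteIndex }
    STATUS      current
    DESCRIPTION
        "IPSec packets with invalid sequence numbers were found in
        the specified protection suite. Implementations SHOULD send
        one trap per protection suite (within a reasonable time
        period), rather than sending one trap per packet."
    ::= { ipsecTraps 5 }

ipsecTrapIpsecPolicyFailure NOTIFICATION-TYPE
    OBJECTS { ipsecProtSuiteIndex }
    STATUS      current
    DESCRIPTION
        "IPSec packets carrying packets with invalid selectors for
        the specified protection suite were found. Implementations
        SHOULD send one trap per protection suite (within a
        reasonable time period), rather than sending one trap per
        packet."
    ::= { ipsecTraps 6 }

-- As with ipsecTrapInvalidCookie, the only identifying object here is
-- the peer address taken from a packet that matched no SA, so it is
-- unverified. It is the trap counterpart of ipsecUnknownSpiErrors.
ipsecTrapInvalidSpi NOTIFICATION-TYPE
    OBJECTS { ipsecIkeSaPeerIpAddress }
    STATUS      current
    DESCRIPTION
        "ESP, AH or IPCOMP packets with unknown SPIs (or CPIs) were
        detected from the specified peer. Implementations SHOULD send
        one trap per peer (within a reasonable time period), rather
        than sending one trap per packet."
    ::= { ipsecTraps 7 }

END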