-- extracted from draft-ietf-ipsec-mib-03.txt -- at Mon Nov 15 17:11:09 1999

IPSEC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
    Integer32, Unsigned32, experimental, NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    DateAndTime, TruthValue
        FROM SNMPv2-TC;

ipsecMIB MODULE-IDENTITY
    LAST-UPDATED "9811301200Z"
    ORGANIZATION "IETF IPSec Working Group"
    CONTACT-INFO
        "   Tim Jenkins
            TimeStep Corporation
            362 Terry Fox Drive
            Kanata, ON
            K0A 2H0
            Canada

            613-599-3610
            tjenkins@timestep.com"
    DESCRIPTION
        "The MIB module to describe generic IPSec objects, transient
        and permanent virtual tunnels created by IPSec SAs, and
        entity level IPSec objects and events."
    REVISION "9811301200Z"
    DESCRIPTION
        "Initial revision."
    -- ::= { mib-2 ?? }
    -- need correct value here
    ::= { experimental 500 }

ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }

ipsec OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }

-- the IPSec IKE Control Channel MIB-Group
--
-- a collection of objects providing information about
-- IPSec's IKE virtual IKE control channel

ipsecIkeConChanTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecIkeConChanEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec's
        IKE control channels."
    ::= { ipsec 1 }

ipsecIkeConChanEntry OBJECT-TYPE
    SYNTAX      IpsecIkeConChanEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information on a
        particular IKE control channel."
    INDEX { ipsecIkeConChanIndex }
    ::= { ipsecIkeConChanTable 1 }

IpsecIkeConChanEntry ::= SEQUENCE {
    ipsecIkeConChanIndex                    Integer32,

    -- the real identifiers for the control channel
    ipsecIkeConChanLocalIdType              Integer32,
    ipsecIkeConChanLocalId                  OCTET STRING,
    ipsecIkeConChanPeerIdType               Integer32,
    ipsecIkeConChanPeerId                   OCTET STRING,
    ipsecIkeConChanAuthMethod               Integer32,
    ipsecIkeConChanPeerCertSerialNum        OCTET STRING,
    ipsecIkeConChanPeerCertIssuer           OCTET STRING,

    -- virtual channel status
    ipsecIkeConChanType                     INTEGER,
    ipsecIkeConChanCurrentSaNum             Unsigned32,
    ipsecIkeConChanTotalSaNum               Counter64,

    -- aggregate statistics (all SAs)
    ipsecIkeConChanTimeStart                DateAndTime,
    ipsecIkeConChanInboundTraffic           Counter64,  -- in bytes
    ipsecIkeConChanOutboundTraffic          Counter64,  -- in bytes
    ipsecIkeConChanInboundPackets           Counter64,
    ipsecIkeConChanOutboundPackets          Counter64,

    -- aggregate error statistics
    ipsecIkeConChanDecryptErrors            Counter32,
    ipsecIkeConChanHashErrors               Counter32,
    ipsecIkeConChanOtherReceiveErrors       Counter32,
    ipsecIkeConChanSendErrors               Counter32,

    -- IPSec SA (Phase 2) statistics (aggregate)
    ipsecIkeConChanIpsecInboundTraffic      Counter64,
    ipsecIkeConChanIpsecOutboundTraffic     Counter64,
    ipsecIkeConChanIpsecInboundPackets      Counter64,
    ipsecIkeConChanIpsecOutboundPackets     Counter64,

    -- IPSec SA (Phase 2) error statistics (aggregate)
    ipsecIkeConChanIpsecDecryptErrors       Counter32,
    ipsecIkeConChanIpsecAuthErrors          Counter32,
    ipsecIkeConChanIpsecReplayErrors        Counter32,
    ipsecIkeConChanIpsecOtherReceiveErrors  Counter32,
    ipsecIkeConChanIpsecSendErrors          Counter32
}

ipsecIkeConChanIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each control channel.
        It is recommended that values are assigned contiguously
        starting from 1. The value for each channel interface must
        remain constant at least from one re-initialization of the
        entity's network management system to the next
        re-initialization.
        Further, the value for channel interfaces that are marked as
        permanent must remain constant across all re-initializations
        of the network management system."
    ::= { ipsecIkeConChanEntry 1 }

ipsecIkeConChanLocalIdType OBJECT-TYPE
    SYNTAX      Integer32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of ID used by the local end of the control channel.
        Specific values are used as described in Section 4.6.2.1 of
        [IPDOI]."
    ::= { ipsecIkeConChanEntry 2 }

ipsecIkeConChanLocalId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The ID of the local host that negotiated this control
        channel. The length may require truncation under some
        conditions."
    ::= { ipsecIkeConChanEntry 3 }

ipsecIkeConChanPeerIdType OBJECT-TYPE
    SYNTAX      Integer32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of ID used by the peer. Specific values are used as
        described in Section 4.6.2.1 of [IPDOI]."
    ::= { ipsecIkeConChanEntry 4 }

ipsecIkeConChanPeerId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The ID of the peer host that negotiated this control
        channel. The length may require truncation under some
        conditions."
    ::= { ipsecIkeConChanEntry 5 }

ipsecIkeConChanAuthMethod OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication method used to authenticate the peers.
        Note that this does not include the specific method of
        authentication if extended authentication is used. Specific
        values are used as described in the ISAKMP Class Values of
        Authentication Method from Appendix A of [IKE]."
    ::= { ipsecIkeConChanEntry 6 }

ipsecIkeConChanPeerCertSerialNum OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..63))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The serial number of the certificate of the peer this
        control channel was negotiated with. This object has no
        meaning if a certificate was not used in authenticating the
        peer."
    ::= { ipsecIkeConChanEntry 7 }

ipsecIkeConChanPeerCertIssuer OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The issuer of the certificate of the peer this control
        channel was negotiated with. This object has no meaning if a
        certificate was not used in authenticating the peer."
    ::= { ipsecIkeConChanEntry 8 }

ipsecIkeConChanType OBJECT-TYPE
    SYNTAX      INTEGER {
                    transient(1),
                    permanent(2)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of control channel represented by this row. A
        transient link will disappear from the table when the SAs
        needed for it cannot be established. A permanent link will
        show its status in the ipsecIkeConChanCurrentSaNum object."
    ::= { ipsecIkeConChanEntry 9 }

ipsecIkeConChanCurrentSaNum OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of currently active SAs that are available for
        use by this control channel. If the control channel is
        permanent, a 0 value in this object indicates the channel is
        either never tried or down. If the control channel is
        transient, this object can never be 0 valued."
    ::= { ipsecIkeConChanEntry 10 }

ipsecIkeConChanTotalSaNum OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of SAs, including all expired and active
        SAs, that have been set up to support this control channel."
    ::= { ipsecIkeConChanEntry 11 }

ipsecIkeConChanTimeStart OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The date and time that the first SA within the control
        channel was set up."
    ::= { ipsecIkeConChanEntry 12 }

ipsecIkeConChanInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes handled in the
        control channel in the inbound direction. In other words, it
        is the aggregate value of all inbound traffic carried by all
        phase 1 SAs ever set up to support the control channel.
        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 13 }

ipsecIkeConChanOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes handled in the
        control channel in the outbound direction. In other words, it
        is the aggregate value of all outbound traffic carried by all
        phase 1 SAs ever set up to support the control channel.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 14 }

ipsecIkeConChanInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets handled by the control channel
        since it became active in the inbound direction. In other
        words, it is the aggregate value of the number of inbound
        packets carried by all phase 1 SAs ever set up to support the
        control channel.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 15 }

ipsecIkeConChanOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets handled by the control channel
        since it became active in the outbound direction. In other
        words, it is the aggregate value of the number of outbound
        packets carried by all phase 1 SAs ever set up to support the
        control channel.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 16 }

ipsecIkeConChanDecryptErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this control channel
        discarded due to decryption errors.
        Note that this refers to IKE protocol packets, and not to
        packets carried by IPSec protection suites set up by the SAs
        supporting this control channel.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 17 }

ipsecIkeConChanHashErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this control channel
        discarded due to hash errors.

        Note that this refers to IKE protocol packets, and not to
        packets carried by IPSec protection suites set up by the SAs
        supporting this control channel.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 18 }

ipsecIkeConChanOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this control channel
        discarded for reasons other than bad hashes or decryption
        errors. This may include packets dropped due to a lack of
        receive buffer space.

        Note that this refers to IKE protocol packets, and not to
        packets carried by IPSec protection suites set up by the SAs
        supporting this control channel.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 19 }

ipsecIkeConChanSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets from this control
        channel discarded for any reason. This may include packets
        dropped due to a lack of transmit buffer space.

        Note that this refers to IKE protocol packets, and not to
        packets carried by IPSec protection suites set up by the SAs
        supporting this control channel.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 20 }

ipsecIkeConChanIpsecInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of inbound traffic measured in bytes
        handled by all IPSec SAs set up by phase 1 SAs supporting
        this control channel.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 21 }

ipsecIkeConChanIpsecOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of outbound traffic measured in bytes
        handled by all IPSec protection suites set up by all phase 1
        SAs supporting this control channel.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 22 }

ipsecIkeConChanIpsecInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets handled by all IPSec
        protection suites set up by phase 1 SAs supporting this
        control channel.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 23 }

ipsecIkeConChanIpsecOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets handled by all IPSec
        protection suites set up by phase 1 SAs supporting this
        control channel.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 24 }

ipsecIkeConChanIpsecDecryptErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by all IPSec
        protection suites set up by all phase 1 SAs in this control
        channel due to decryption errors.
        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 25 }

ipsecIkeConChanIpsecAuthErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by all IPSec
        protection suites set up by all phase 1 SAs in this control
        channel due to authentication errors. This includes hash
        failures in IPSec SAs using ESP and AH.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 26 }

ipsecIkeConChanIpsecReplayErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by all IPSec
        protection suites set up by all phase 1 SAs in this control
        channel due to replay errors.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 27 }

ipsecIkeConChanIpsecOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by all IPSec
        protection suites set up by all phase 1 SAs in this control
        channel due to errors other than authentication, decryption
        or replay errors. This may include packets dropped due to
        lack of receive buffers.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 28 }

ipsecIkeConChanIpsecSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets discarded by all IPSec
        protection suites set up by all phase 1 SAs in this control
        channel due to any error. This may include packets dropped
        due to lack of transmit buffers.

        If this is a permanent control channel, it is not reset to
        zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 29 }

-- the IPSec IKE MIB-Group
--
-- a collection of objects providing information about
-- IPSec's IKE SAs and the virtual phase 1 SA tunnels

ipsecIkeSaTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecIkeSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec's
        IKE SAs."
    ::= { ipsec 2 }

ipsecIkeSaEntry OBJECT-TYPE
    SYNTAX      IpsecIkeSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information on a
        particular IKE SA."
    INDEX { ipsecIkeSaIndex }
    ::= { ipsecIkeSaTable 1 }

IpsecIkeSaEntry ::= SEQUENCE {
    ipsecIkeSaIndex                 Integer32,
    ipsecIkeSaConChanIndex          Integer32,

    -- identifier information
    ipsecIkeSaInitiatorCookie       OCTET STRING,
    ipsecIkeSaResponderCookie       OCTET STRING,
    ipsecIkeSaState                 INTEGER,

    -- connection information
    ipsecIkeSaLocalIpAddress        OCTET STRING,
    ipsecIkeSaLocalPortNumber       INTEGER,
    ipsecIkeSaPeerIpAddress         OCTET STRING,
    ipsecIkeSaPeerPortNumber        INTEGER,

    -- security algorithm information
    ipsecIkeSaEncAlg                INTEGER,
    ipsecIkeSaEncKeyLength          Unsigned32,
    ipsecIkeSaHashAlg               Integer32,
    ipsecIkeSaDifHelGroupDesc       Integer32,
    ipsecIkeSaDifHelGroupType       Integer32,
    ipsecIkeSaPRF                   Integer32,

    -- expiration limits, current SA
    ipsecIkeSaTimeStart             DateAndTime,
    ipsecIkeSaTimeLimit             OCTET STRING,   -- in seconds
    ipsecIkeSaTrafficLimit          OCTET STRING,
    ipsecIkeSaTrafficCount          OCTET STRING,

    -- this SA's operating statistics
    ipsecIkeSaInboundTraffic        Counter64,      -- in bytes
    ipsecIkeSaOutboundTraffic       Counter64,      -- in bytes
    ipsecIkeSaInboundPackets        Counter64,
    ipsecIkeSaOutboundPackets       Counter64,

    -- this SA's error statistics
    ipsecIkeSaDecryptErrors         Counter32,
    ipsecIkeSaHashErrors            Counter32,
    ipsecIkeSaOtherReceiveErrors    Counter32,
    ipsecIkeSaSendErrors            Counter32
}

ipsecIkeSaIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each IKE SA. Values
        are assigned contiguously starting from 1."
    ::= { ipsecIkeSaEntry 1 }

ipsecIkeSaConChanIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A reference to the IKE control channel that this SA
        supports. It is the value of 'ipsecIkeConChanIndex'."
    ::= { ipsecIkeSaEntry 2 }

ipsecIkeSaInitiatorCookie OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (8))    -- ISAKMP cookies are 8 octets
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the cookie used by the initiator for the
        current phase 1 SA."
    ::= { ipsecIkeSaEntry 3 }

ipsecIkeSaResponderCookie OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (8))    -- ISAKMP cookies are 8 octets
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the cookie used by the responder for the
        current phase 1 SA."
    ::= { ipsecIkeSaEntry 4 }

ipsecIkeSaState OBJECT-TYPE
    SYNTAX      INTEGER {
                    tryingInitiator(0),
                    tryingInitiatorIDProt(1),
                    tryingResponder(2),
                    tryingResponderIDProt(3),
                    upInitiator(4),
                    upInitiatorIDProt(5),
                    upResponder(6),
                    upResponderIDProt(7)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current state of the SA.

        'tryingInitiator' means this end is attempting to negotiate
        the SA using aggressive mode and is the initiator.

        'tryingInitiatorIDProt' means this end is attempting to
        negotiate the SA using main mode and is the initiator.

        'tryingResponder' means the peer is attempting to negotiate
        the SA using aggressive mode as initiator.

        'tryingResponderIDProt' means the peer is attempting to
        negotiate the SA using main mode as initiator.

        'upInitiator' means the SA is up, and this end is the
        initiator.

        'upResponder' means the SA is up and the peer is the
        initiator.

        On the latter two, the suffix 'IDProt' means main mode was
        used to negotiate the SA."
    ::= { ipsecIkeSaEntry 5 }

ipsecIkeSaLocalIpAddress OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4 | 16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local IP address that this SA was negotiated with, or 0
        if unknown. The size of this object is 4 if the IP address
        is an IPv4 address. The size is 16 if the IP address is an
        IPv6 address."
    ::= { ipsecIkeSaEntry 6 }

ipsecIkeSaLocalPortNumber OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local UDP port number that this SA was negotiated with."
    DEFVAL { 500 }
    ::= { ipsecIkeSaEntry 7 }

ipsecIkeSaPeerIpAddress OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4 | 16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the peer that this SA was negotiated with,
        or 0 if unknown. The size of this object is 4 if the IP
        address is an IPv4 address. The size is 16 if the IP address
        is an IPv6 address."
    ::= { ipsecIkeSaEntry 8 }

ipsecIkeSaPeerPortNumber OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The UDP port number of the peer that this SA was negotiated
        with."
    DEFVAL { 500 }
    ::= { ipsecIkeSaEntry 9 }

ipsecIkeSaEncAlg OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the encryption algorithm applied
        to traffic carried on this SA. Specific values are used as
        described in the ISAKMP Class Values of Encryption Algorithms
        from Appendix A of [IKE]."
    ::= { ipsecIkeSaEntry 10 }

ipsecIkeSaEncKeyLength OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of the encryption key in bits used for the
        algorithm specified in the 'ipsecIkeSaEncAlg' object, or 0 if
        the key length is implicit in the specified algorithm."
    ::= { ipsecIkeSaEntry 11 }

ipsecIkeSaHashAlg OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the hash algorithm applied to
        traffic carried on this SA. Specific values are used as
        described in the ISAKMP Class Values of Hash Algorithms from
        Appendix A of [IKE]."
    ::= { ipsecIkeSaEntry 12 }

ipsecIkeSaDifHelGroupDesc OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the Diffie-Hellman group
        description used, or 0 if the group is unknown.
        Specific values are used as described in the ISAKMP Class
        Values of Group Description from Appendix A of [IKE]."
    ::= { ipsecIkeSaEntry 13 }

ipsecIkeSaDifHelGroupType OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the Diffie-Hellman group type
        used, or 0 if the group is unknown. Specific values are used
        as described in the ISAKMP Class Values of Group Type from
        Appendix A of [IKE]."
    ::= { ipsecIkeSaEntry 14 }

ipsecIkeSaPRF OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The pseudo-random function used, or 0 if not used or if
        unknown. Specific values are used as described in the ISAKMP
        Class Values of PRF from Appendix A of [IKE] (which specifies
        none at the present time)."
    ::= { ipsecIkeSaEntry 15 }

ipsecIkeSaTimeStart OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The date and time that the current SA within the link was
        set up. It is not the date and time that the virtual tunnel
        was set up."
    ::= { ipsecIkeSaEntry 16 }

ipsecIkeSaTimeLimit OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The maximum lifetime in seconds of the current SA supporting
        the virtual tunnel, or 0 if there is no time constraint on
        its expiration."
    ::= { ipsecIkeSaEntry 17 }

ipsecIkeSaTrafficLimit OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The maximum traffic in 1024-byte blocks that the current SA
        supporting the virtual tunnel is allowed to support, or 0 if
        there is no traffic constraint on its expiration."
    ::= { ipsecIkeSaEntry 18 }

ipsecIkeSaTrafficCount OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic that this SA has processed that
        contributes against its expiration by traffic limit, measured
        in 1024-byte blocks.
        It includes traffic in both directions. It may be 0 if there
        is no traffic constraint on the SA's expiration."
    ::= { ipsecIkeSaEntry 19 }

ipsecIkeSaInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic measured in bytes handled in the
        current SA in the inbound direction."
    ::= { ipsecIkeSaEntry 20 }

ipsecIkeSaOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic measured in bytes handled in the
        current SA in the outbound direction."
    ::= { ipsecIkeSaEntry 21 }

ipsecIkeSaInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets handled in the current SA in the
        inbound direction."
    ::= { ipsecIkeSaEntry 22 }

ipsecIkeSaOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets handled in the current SA in the
        outbound direction."
    ::= { ipsecIkeSaEntry 23 }

ipsecIkeSaDecryptErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this SA discarded due
        to decryption errors.

        The following may be used as a guideline to distinguish
        decryption errors from protocol negotiation errors: if there
        are any errors in the packet's generic payload structures
        (next payload field, reserved, payload length), then this is
        considered a decryption error. If an error happens inside the
        payload structure, then it is not assumed to be a decryption
        error, and is considered a protocol negotiation error."
    ::= { ipsecIkeSaEntry 24 }

ipsecIkeSaHashErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this SA discarded due
        to hash errors. These errors are considered packet errors,
        and not protocol negotiation errors.
        The case of hash failures when the hash is generated by
        authentication data is considered an authentication failure,
        and not a hash failure."
    ::= { ipsecIkeSaEntry 25 }

ipsecIkeSaOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this SA discarded for
        reasons other than bad hashes or decryption errors. This may
        include packets dropped due to a lack of receive buffer
        space. Packets that contain protocol negotiation errors are
        not considered dropped packets."
    ::= { ipsecIkeSaEntry 26 }

ipsecIkeSaSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets from this SA discarded
        for any reason. This may include packets dropped due to a
        lack of transmit buffer space."
    ::= { ipsecIkeSaEntry 27 }

-- the IPSec Tunnel MIB-Group
--
-- a collection of objects providing information about
-- IPSec protection suite-based virtual tunnels

ipsecTunnelTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec
        protection suite-based tunnels."
    ::= { ipsec 3 }

ipsecTunnelEntry OBJECT-TYPE
    SYNTAX      IpsecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information on a
        particular configured tunnel."
    INDEX { ipsecTunnelIndex }
    ::= { ipsecTunnelTable 1 }

IpsecTunnelEntry ::= SEQUENCE {
    ipsecTunnelIndex                    Integer32,
    ipsecTunnelIkeConChan               Integer32,  -- if not static
    ipsecTunnelType                     INTEGER,    -- static, transient, permanent

    -- tunnel identifiers
    ipsecTunnelLocalIdentifier          OCTET STRING,
    ipsecTunnelLocalIdentifierType      INTEGER,
    ipsecTunnelRemoteIdentifier         OCTET STRING,
    ipsecTunnelRemoteIdentifierType     INTEGER,
    ipsecTunnelProtocol                 Integer32,
    ipsecTunnelLocalPort                Integer32,
    ipsecTunnelRemotePort               Integer32,

    -- tunnel creation mechanism
    ipsecTunnelDifHelGroupDesc          Integer32,
    ipsecTunnelDifHelGroupType          Integer32,
    ipsecTunnelPFS                      TruthValue,

    -- tunnel security services description
    ipsecTunnelEncapsulation            INTEGER,
    ipsecTunnelEspEncAlg                Integer32,
    ipsecTunnelEspEncKeyLength          Unsigned32,
    ipsecTunnelEspAuthAlg               Integer32,
    ipsecTunnelAhAuthAlg                Integer32,
    ipsecTunnelCompAlg                  Integer32,

    -- aggregate statistics
    ipsecTunnelStartTime                DateAndTime,
    ipsecTunnelCurrentProtSuitesNum     Unsigned32,
    ipsecTunnelTotalProtSuitesNum       Counter32,
    ipsecTunnelTotalInboundTraffic      Counter64,
    ipsecTunnelTotalOutboundTraffic     Counter64,
    ipsecTunnelTotalInboundPackets      Counter64,
    ipsecTunnelTotalOutboundPackets     Counter64,

    -- aggregate error statistics
    ipsecTunnelDecryptErrors            Counter32,
    ipsecTunnelAuthErrors               Counter32,
    ipsecTunnelReplayErrors             Counter32,
    ipsecTunnelPolicyErrors             Counter32,
    ipsecTunnelOtherReceiveErrors       Counter32,
    ipsecTunnelSendErrors               Counter32
}

ipsecTunnelIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each tunnel
        interface. It is recommended that values are assigned
        contiguously starting from 1. The value for each tunnel
        interface must remain constant at least from one
        re-initialization of the entity's network management system
        to the next re-initialization. Further, the value for tunnel
        interfaces that are marked as permanent must remain constant
        across all re-initializations of the network management
        system."
    ::= { ipsecTunnelEntry 1 }

ipsecTunnelIkeConChan OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the index into the IKE control channel table
        that created this tunnel (ipsecIkeConChanIndex), or 0 if the
        tunnel is created by a static IPSec protection suite."
    ::= { ipsecTunnelEntry 2 }

ipsecTunnelType OBJECT-TYPE
    SYNTAX      INTEGER {
                    static(0),
                    transient(1),
                    permanent(2)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the virtual tunnel represented by this row.

        'static' means that the tunnel is supported by a single
        static IPSec protection suite that was set up by
        configuration, and not by using a key exchange protocol. In
        this case, the value of ipsecTunnelIkeConChan must be 0."
    ::= { ipsecTunnelEntry 3 }

ipsecTunnelLocalIdentifier OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local identifier of the virtual tunnel, or 0 if unknown
        or if the protection suite uses transport mode
        encapsulation. This value is taken directly from the optional
        ID payloads that are exchanged during phase 2 negotiations."
    ::= { ipsecTunnelEntry 4 }

ipsecTunnelLocalIdentifierType OBJECT-TYPE
    SYNTAX      INTEGER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identifier presented by
        'ipsecTunnelLocalIdentifier', or 0 if unknown or if the
        protection suite uses transport mode encapsulation. This
        value is taken directly from the optional ID payloads that
        are exchanged during phase 2 negotiations."
    ::= { ipsecTunnelEntry 5 }

ipsecTunnelRemoteIdentifier OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote identifier of the virtual tunnel, or 0 if unknown
        or if the protection suite uses transport mode
        encapsulation. This value is taken directly from the optional
        ID payloads that are exchanged during phase 2 negotiations."
    ::= { ipsecTunnelEntry 6 }

ipsecTunnelRemoteIdentifierType OBJECT-TYPE
    SYNTAX      INTEGER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identifier presented by
        'ipsecTunnelRemoteIdentifier', or 0 if unknown or if the
        protection suite uses transport mode encapsulation. This
        value is taken directly from the optional ID payloads that
        are exchanged during phase 2 negotiations."
    ::= { ipsecTunnelEntry 7 }

ipsecTunnelProtocol OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of the protocol that this tunnel carries, or 0 if
        it carries any protocol."
    ::= { ipsecTunnelEntry 8 }

ipsecTunnelLocalPort OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of the local port that this tunnel carries, or 0
        if it carries any port number."
    ::= { ipsecTunnelEntry 9 }

ipsecTunnelRemotePort OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of the remote port that this tunnel carries, or 0
        if it carries any port number."
    ::= { ipsecTunnelEntry 10 }

ipsecTunnelDifHelGroupDesc OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the Diffie-Hellman group
        description used to set up protection suites for this
        tunnel, or 0 if the group is unknown. Specific values are
        used as described in the ISAKMP Class Values of Group
        Description from Appendix A of [IKE]."
    ::= { ipsecTunnelEntry 11 }

ipsecTunnelDifHelGroupType OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the Diffie-Hellman group type
        used to set up protection suites for this tunnel, or 0 if the
        group is unknown. Specific values are used as described in
        the ISAKMP Class Values of Group Type from Appendix A of
        [IKE]."
    ::= { ipsecTunnelEntry 12 }

ipsecTunnelPFS OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "'true' if protection suites set up for this tunnel were created
        using perfect forward secrecy."
    ::= { ipsecTunnelEntry 13 }

ipsecTunnelEncapsulation OBJECT-TYPE
    SYNTAX      INTEGER {
                    transport(1),
                    tunnel(2)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of encapsulation used by protection suites created for
        this virtual tunnel."
    ::= { ipsecTunnelEntry 14 }

ipsecTunnelEspEncAlg OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the encryption algorithm applied to
        traffic carried by this tunnel if it uses ESP, or 0 if there is
        no encryption applied by ESP or if ESP is not used. Specific
        values are taken from section 4.4.4 of [IPDOI]."
    ::= { ipsecTunnelEntry 15 }

ipsecTunnelEspEncKeyLength OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of the encryption key in bits used for the algorithm
        specified in the 'ipsecTunnelEspEncAlg' object, or 0 if the key
        length is implicit in the specified algorithm or there is no
        encryption specified."
    ::= { ipsecTunnelEntry 16 }

ipsecTunnelEspAuthAlg OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the hash algorithm applied to traffic
        carried by this tunnel if it uses ESP, or 0 if there is no
        authentication applied by ESP or if ESP is not used. Specific
        values are taken from the Authentication Algorithm attribute
        values of Section 4.5 of [IPDOI]."
    ::= { ipsecTunnelEntry 17 }

ipsecTunnelAhAuthAlg OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the hash algorithm applied to traffic
        carried by this tunnel if it uses AH, or 0 if AH is not used.
        Specific values are taken from Section 4.4.3 of [IPDOI]."
    ::= { ipsecTunnelEntry 18 }

ipsecTunnelCompAlg OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the compression algorithm applied to
        traffic carried by this tunnel if it uses IPCOMP. Specific values
        are taken from Section 4.4.5 of [IPDOI]."
    ::= { ipsecTunnelEntry 19 }

ipsecTunnelStartTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The date and time that this virtual tunnel was set up. If this
        is a permanent virtual tunnel, it is not reset when the number of
        current protection suites (ipsecTunnelCurrentProtSuitesNum)
        changes from 0 to 1."
    ::= { ipsecTunnelEntry 20 }

ipsecTunnelCurrentProtSuitesNum OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of protection suites currently active supporting this
        virtual tunnel. If this number is 0, the tunnel must be
        considered down. Also, if this number is 0, the tunnel must be a
        permanent tunnel, since transient tunnels that are down do not
        appear in the table."
    ::= { ipsecTunnelEntry 21 }

ipsecTunnelTotalProtSuitesNum OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of protection suites, including all current
        protection suites, that have been set up to support this virtual
        tunnel."
    ::= { ipsecTunnelEntry 22 }

ipsecTunnelTotalInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes handled in the
        tunnel in the inbound direction. In other words, it is the
        aggregate value of all inbound traffic carried by all IPSec
        protection suites ever set up to support the virtual tunnel. If
        this is a permanent virtual tunnel, it is not reset to zero when
        the number of current protection suites
        (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
    ::= { ipsecTunnelEntry 23 }

ipsecTunnelTotalOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes handled in the
        tunnel in the outbound direction. In other words, it is the
        aggregate value of all outbound traffic carried by all IPSec
        protection suites ever set up to support the virtual tunnel. If
        this is a permanent virtual tunnel, it is not reset to zero when
        the number of current protection suites
        (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
    ::= { ipsecTunnelEntry 24 }

ipsecTunnelTotalInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets handled in the tunnel in the inbound
        direction. In other words, it is the aggregate value of all
        inbound packets carried by all IPSec protection suites ever set
        up to support the virtual tunnel. If this is a permanent virtual
        tunnel, it is not reset to zero when the number of current
        protection suites (ipsecTunnelCurrentProtSuitesNum) changes from
        0 to 1."
    ::= { ipsecTunnelEntry 25 }

ipsecTunnelTotalOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets handled in the tunnel in the
        outbound direction. In other words, it is the aggregate value of
        all outbound packets carried by all IPSec SAs ever set up to
        support the virtual tunnel. If this is a permanent virtual
        tunnel, it is not reset to zero when the number of current
        protection suites (ipsecTunnelCurrentProtSuitesNum) changes from
        0 to 1."
    ::= { ipsecTunnelEntry 26 }

ipsecTunnelDecryptErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by this virtual
        tunnel due to decryption errors in ESP. If this is a permanent
        virtual tunnel, it is not reset to zero when the number of
        current protection suites (ipsecTunnelCurrentProtSuitesNum)
        changes from 0 to 1."
    ::= { ipsecTunnelEntry 27 }

ipsecTunnelAuthErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by this virtual
        tunnel due to authentication errors. This includes hash failures
        in IPSec protection suites using both ESP and AH. If this is a
        permanent virtual tunnel, it is not reset to zero when the number
        of current protection suites (ipsecTunnelCurrentProtSuitesNum)
        changes from 0 to 1."
    ::= { ipsecTunnelEntry 28 }

ipsecTunnelReplayErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by this virtual
        tunnel due to replay errors. This includes replay failures in
        IPSec protection suites using both ESP and AH. If this is a
        permanent virtual tunnel, it is not reset to zero when the number
        of current protection suites (ipsecTunnelCurrentProtSuitesNum)
        changes from 0 to 1."
    ::= { ipsecTunnelEntry 29 }

ipsecTunnelPolicyErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by this virtual
        tunnel due to policy errors. This includes errors in all
        transforms if protection suites are used. Policy errors are due
        to the detection of a packet that was inappropriately sent into
        this tunnel. If this is a permanent virtual tunnel, it is not
        reset to zero when the number of current protection suites
        (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
    ::= { ipsecTunnelEntry 30 }

ipsecTunnelOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by this virtual
        tunnel due to errors other than decryption, authentication or
        replay errors. This may include packets dropped due to a lack of
        receive buffers. If this is a permanent virtual tunnel, it is not
        reset to zero when the number of current protection suites
        (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
    ::= { ipsecTunnelEntry 31 }

ipsecTunnelSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets discarded by this virtual
        tunnel due to any error. This may include packets dropped due to
        a lack of transmit buffers. If this is a permanent virtual
        tunnel, it is not reset to zero when the number of current
        protection suites (ipsecTunnelCurrentProtSuitesNum) changes from
        0 to 1."
    ::= { ipsecTunnelEntry 32 }

-- the IPSec Protection Suites MIB-Group
--
-- a collection of objects providing information about
-- IPSec protection suites

ipsecProtSuiteTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecProtSuiteEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec
        protection suites."
    ::= { ipsec 4 }

ipsecProtSuiteEntry OBJECT-TYPE
    SYNTAX      IpsecProtSuiteEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information on a
        particular IPSec SA."
    INDEX { ipsecProtSuiteIndex }
    ::= { ipsecProtSuiteTable 1 }

IpsecProtSuiteEntry ::= SEQUENCE {
    ipsecProtSuiteIndex                 Integer32,
    ipsecProtSuiteTunnel                Integer32,      -- from ipsecTunnelTable
    -- identification
    ipsecProtSuitePeerAddress           OCTET STRING,
    ipsecProtSuiteInboundEspSpi         Unsigned32,
    ipsecProtSuiteOutboundEspSpi        Unsigned32,
    ipsecProtSuiteInboundAhSpi          Unsigned32,
    ipsecProtSuiteOutboundAhSpi         Unsigned32,
    ipsecProtSuiteInboundCompCpi        INTEGER,
    ipsecProtSuiteOutboundCompCpi       INTEGER,
    -- expiration limits
    ipsecProtSuiteCreationTime          DateAndTime,
    ipsecProtSuiteTimeLimit             OCTET STRING,   -- sec., 0 if none
    ipsecProtSuiteTrafficLimit          OCTET STRING,   -- 0 if none
    ipsecProtSuiteTrafficCount          OCTET STRING,
    -- current operating statistics
    ipsecProtSuiteInboundTraffic        Counter64,
    ipsecProtSuiteOutboundTraffic       Counter64,
    ipsecProtSuiteInboundPackets        Counter64,
    ipsecProtSuiteOutboundPackets       Counter64,
    -- error statistics
    ipsecProtSuiteDecryptErrors         Counter32,
    ipsecProtSuiteAuthErrors            Counter32,
    ipsecProtSuiteReplayErrors          Counter32,
    ipsecProtSuitePolicyErrors          Counter32,
    ipsecProtSuiteOtherReceiveErrors    Counter32,
    ipsecProtSuiteSendErrors            Counter32
}

ipsecProtSuiteIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each IPSec protection
        suite. It is recommended that values are assigned contiguously
        starting from 1."
    ::= { ipsecProtSuiteEntry 1 }

ipsecProtSuiteTunnel OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the index into the IPSec tunnel table that this
        protection suite supports (ipsecTunnelIndex)."
    ::= { ipsecProtSuiteEntry 2 }

ipsecProtSuitePeerAddress OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4 | 16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The peer IP address used by the protection suite. The size of
        this object is 4 if the address is an IPv4 address, or 16 if the
        address is an IPv6 address."
    ::= { ipsecProtSuiteEntry 3 }

ipsecProtSuiteInboundEspSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (0..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the inbound protection suite that
        provides the ESP security service, or zero if ESP is not used."
    ::= { ipsecProtSuiteEntry 4 }

ipsecProtSuiteOutboundEspSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (0..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the outbound protection suite that
        provides the ESP security service, or zero if ESP is not used."
    ::= { ipsecProtSuiteEntry 5 }

ipsecProtSuiteInboundAhSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (0..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the inbound protection suite that
        provides the AH security service, or zero if AH is not used."
    ::= { ipsecProtSuiteEntry 6 }

ipsecProtSuiteOutboundAhSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (0..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the outbound protection suite that
        provides the AH security service, or zero if AH is not used."
    ::= { ipsecProtSuiteEntry 7 }

ipsecProtSuiteInboundCompCpi OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the CPI for the inbound protection suite that
        provides IP compression, or zero if IPCOMP is not used."
    ::= { ipsecProtSuiteEntry 8 }

ipsecProtSuiteOutboundCompCpi OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the CPI for the outbound protection suite that
        provides IP compression, or zero if IPCOMP is not used."
    ::= { ipsecProtSuiteEntry 9 }

ipsecProtSuiteCreationTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The date and time that the current protection suite was set up."
    ::= { ipsecProtSuiteEntry 10 }

ipsecProtSuiteTimeLimit OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The maximum lifetime in seconds of the protection suite, or 0 if
        there is no time constraint on its expiration."
    ::= { ipsecProtSuiteEntry 11 }

ipsecProtSuiteTrafficLimit OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The maximum traffic in 1024-byte blocks that the protection
        suite is allowed to support, or 0 if there is no traffic
        constraint on its expiration."
    ::= { ipsecProtSuiteEntry 12 }

ipsecProtSuiteTrafficCount OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic accumulated that counts against the
        protection suite's expiration by traffic limitation, measured in
        1024-byte blocks."
    ::= { ipsecProtSuiteEntry 13 }

ipsecProtSuiteInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of user level traffic measured in bytes handled by
        the protection suite in the inbound direction. This is not
        necessarily the same as the amount of traffic applied against
        the traffic expiration limit."
    ::= { ipsecProtSuiteEntry 14 }

ipsecProtSuiteOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of user level traffic measured in bytes handled by
        the protection suite in the outbound direction. This is not
        necessarily the same as the amount of traffic applied against
        the traffic expiration limit."
    ::= { ipsecProtSuiteEntry 15 }

ipsecProtSuiteInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets handled by the protection suite in the
        inbound direction."
    ::= { ipsecProtSuiteEntry 16 }

ipsecProtSuiteOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets handled by the protection suite in the
        outbound direction."
    ::= { ipsecProtSuiteEntry 17 }

ipsecProtSuiteDecryptErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection suite
        due to decryption errors."
    ::= { ipsecProtSuiteEntry 18 }

ipsecProtSuiteAuthErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection suite
        due to authentication errors. This includes hash failures in
        both ESP and AH."
    ::= { ipsecProtSuiteEntry 19 }

ipsecProtSuiteReplayErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection suite
        due to replay errors. This includes replay failures in both ESP
        and AH."
    ::= { ipsecProtSuiteEntry 20 }

ipsecProtSuitePolicyErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection suite
        due to policy errors."
    ::= { ipsecProtSuiteEntry 21 }

ipsecProtSuiteOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection suite
        due to errors other than decryption, authentication or replay
        errors. This may include decompression errors or errors due to a
        lack of receive buffers."
    ::= { ipsecProtSuiteEntry 22 }

ipsecProtSuiteSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of outbound packets discarded by the protection suite
        due to any error. This may include compression errors or errors
        due to a lack of transmit buffers."
    ::= { ipsecProtSuiteEntry 23 }

-- the IPSec Entity MIB-Group
--
-- a collection of objects providing information about overall IPSec
-- status in the entity

--
-- Definitions of significant branches
--

ipsecTrapsA             OBJECT IDENTIFIER ::= { ipsec 5 }
ipsecTraps              OBJECT IDENTIFIER ::= { ipsecTrapsA 0 }
ipsecProtSuiteCounts    OBJECT IDENTIFIER ::= { ipsec 6 }
ipsecPermChanTunStats   OBJECT IDENTIFIER ::= { ipsec 7 }
ipsecTransChanTunStats  OBJECT IDENTIFIER ::= { ipsec 8 }
ipsecNotifications      OBJECT IDENTIFIER ::= { ipsec 9 }
ipsecErrorStats         OBJECT IDENTIFIER ::= { ipsec 10 }

--
-- SA and protection suite counts
--

ipsecTotalIkeSAs OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 1 SAs established by the entity since
        boot time. It is not the total number of channels established by
        the entity since boot time. It includes SAs established to
        support both permanent and transient channels."
    ::= { ipsecProtSuiteCounts 1 }

ipsecTotalIpsecProtSuites OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of protection suites established by the entity
        since boot time. It is not the total number of IPSec virtual
        tunnels established by the entity since boot time. It includes
        protection suites established to support both permanent and
        transient tunnels."
    ::= { ipsecProtSuiteCounts 2 }

--
-- permanent channel and tunnel statistics
--

ipsecCnfgPermIkeChannels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 1 control channels in the entity that
        are configured as permanent."
    ::= { ipsecPermChanTunStats 1 }

ipsecUpPermIkeChannels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 1 control channels in the entity that
        are configured as permanent and are up and available for use."
    ::= { ipsecPermChanTunStats 2 }

ipsecCnfgPermIpsecTunnels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 2 tunnels in the entity that are
        configured as permanent."
    ::= { ipsecPermChanTunStats 3 }

ipsecUpPermIpsecTunnels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 2 tunnels in the entity that are
        configured as permanent and are up and available for use."
    ::= { ipsecPermChanTunStats 4 }

--
-- transient tunnel counts
--

ipsecTotalTransIkeTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of transient phase 1 tunnels established by the
        entity since boot time."
    ::= { ipsecTransChanTunStats 1 }

ipsecCurrentTransIkeTunnels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of transient phase 1 tunnels in the entity that are
        up and available for use at this moment in time."
    ::= { ipsecTransChanTunStats 2 }

ipsecTotalTransIpsecTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of transient phase 2 tunnels established by the
        entity since boot time."
    ::= { ipsecTransChanTunStats 3 }

ipsecCurrentTransIpsecTunnels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of phase 2 tunnels in the entity that are up and
        available for use at this moment in time."
    ::= { ipsecTransChanTunStats 4 }

--
-- transient protection suite traffic statistics
--

ipsecTotalTransInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets carried on transient IPSec
        tunnels since boot time."
    ::= { ipsecTransChanTunStats 5 }

ipsecTotalTransOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets carried on transient IPSec
        tunnels since boot time."
    ::= { ipsecTransChanTunStats 6 }

ipsecTotalTransInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of inbound traffic carried on transient IPSec
        tunnels since boot time, measured in 1024-octet blocks."
    ::= { ipsecTransChanTunStats 7 }

ipsecTotalTransOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of outbound traffic carried on transient IPSec
        tunnels since boot time, measured in 1024-octet blocks."
    ::= { ipsecTransChanTunStats 8 }

--
-- error counts
--

ipsecUnknownSpiErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since boot
        time with SPIs or CPIs that were not valid."
    ::= { ipsecErrorStats 1 }

ipsecIkeProtocolErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since boot
        time with IKE protocol errors. This includes packets with invalid
        cookies, but does not include errors that could be associated
        with specific IKE SAs."
    ::= { ipsecErrorStats 2 }

ipsecIpsecAuthenticationErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since boot
        time with authentication errors in the IPSec SAs. This includes
        all packets in which the hash value is determined to be invalid."
    ::= { ipsecErrorStats 3 }

ipsecIpsecReplayErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since boot
        time with replay errors in the IPSec SAs."
    ::= { ipsecErrorStats 4 }

ipsecIpsecPolicyErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since boot
        time and discarded due to policy errors. This includes packets
        that had selectors that were invalid for the SA that carried
        them."
    ::= { ipsecErrorStats 5 }

-- the IPSec Notify Message MIB-Group
--
-- a collection of objects providing information about
-- the occurrences of notify messages

ipsecNotifyMessageTotalCount OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of all types of notify messages sent or
        received by the entity since boot time. It is the sum of all
        occurrences in the 'ipsecNotifyCountTable'."
    ::= { ipsecNotifications 1 }

ipsecNotifyCountTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecNotifyCountEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec notify
        message counts. This table MAY be sparsely populated; that is,
        rows for which the count is 0 may be absent."
    ::= { ipsecNotifications 2 }

ipsecNotifyCountEntry OBJECT-TYPE
    SYNTAX      IpsecNotifyCountEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the total number of
        occurrences of a notify message."
    INDEX { ipsecNotifyMessage }
    ::= { ipsecNotifyCountTable 1 }

IpsecNotifyCountEntry ::= SEQUENCE {
    ipsecNotifyMessage          INTEGER,
    ipsecNotifyMessageCount     Counter32
}

ipsecNotifyMessage OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value representing a specific IPSec notify message, or 0 if
        unknown. Values are assigned from the set of notify message types
        as defined in Section 3.14.1 of [ISAKMP]. In addition, the value
        0 may be used for this object when the object is used as a trap
        cause, and the cause is unknown."
    ::= { ipsecNotifyCountEntry 1 }

ipsecNotifyMessageCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of times the specific notify message has been
        received or sent by the entity since system boot."
    ::= { ipsecNotifyCountEntry 2 }

--
-- traps
--

ipsecTrapPermIkeNegFailure NOTIFICATION-TYPE
    OBJECTS     { ipsecIkeConChanIndex, ipsecNotifyMessage }
    STATUS      current
    DESCRIPTION
        "An attempt to negotiate a phase 1 SA for the specified permanent
        IKE tunnel failed."
    ::= { ipsecTraps 1 }

ipsecTrapTransIkeNegFailure NOTIFICATION-TYPE
    OBJECTS     { ipsecIkeConChanLocalIdType,
                  ipsecIkeConChanLocalId,
                  ipsecIkeConChanPeerIdType,
                  ipsecIkeConChanPeerId,
                  ipsecIkeSaLocalIpAddress,
                  ipsecIkeSaLocalPortNumber,
                  ipsecIkeSaPeerIpAddress,
                  ipsecIkeSaPeerPortNumber,
                  ipsecIkeConChanAuthMethod,
                  ipsecIkeConChanPeerCertSerialNum,
                  ipsecIkeConChanPeerCertIssuer,
                  ipsecNotifyMessage }
    STATUS      current
    DESCRIPTION
        "An attempt to negotiate a phase 1 SA for a transient IKE tunnel
        failed. This trap is different from the
        'ipsecTrapPermIkeNegFailure' trap, since this one will likely
        result in the removal of this entry from the IKE control channel
        table."
    ::= { ipsecTraps 2 }

ipsecTrapInvalidCookie NOTIFICATION-TYPE
    OBJECTS     { ipsecIkeSaPeerIpAddress, ipsecIkeSaPeerPortNumber }
    STATUS      current
    DESCRIPTION
        "IKE packets with invalid cookies were detected from the
        specified peer. Implementations SHOULD send one trap per peer
        (within a reasonable time period), rather than sending one trap
        per packet."
    ::= { ipsecTraps 3 }

ipsecTrapIpsecNegFailure NOTIFICATION-TYPE
    OBJECTS     { ipsecIkeConChanIndex, ipsecNotifyMessage }
    STATUS      current
    DESCRIPTION
        "An attempt to negotiate a phase 2 protection suite within the
        specified IKE tunnel failed."
    ::= { ipsecTraps 4 }

ipsecTrapIpsecAuthFailure NOTIFICATION-TYPE
    OBJECTS     { ipsecProtSuiteIndex }
    STATUS      current
    DESCRIPTION
        "IPSec packets with invalid hashes were found in the specified
        protection suite. Implementations SHOULD send one trap per
        protection suite (within a reasonable time period), rather than
        sending one trap per packet."
    ::= { ipsecTraps 5 }

ipsecTrapIpsecReplayFailure NOTIFICATION-TYPE
    OBJECTS     { ipsecProtSuiteIndex }
    STATUS      current
    DESCRIPTION
        "IPSec packets with invalid sequence numbers were found in the
        specified protection suite. Implementations SHOULD send one trap
        per protection suite (within a reasonable time period), rather
        than sending one trap per packet."
    ::= { ipsecTraps 6 }

ipsecTrapIpsecPolicyFailure NOTIFICATION-TYPE
    OBJECTS     { ipsecProtSuiteIndex }
    STATUS      current
    DESCRIPTION
        "IPSec packets carrying packets with invalid selectors for the
        specified protection suite were found. Implementations SHOULD
        send one trap per protection suite (within a reasonable time
        period), rather than sending one trap per packet."
    ::= { ipsecTraps 7 }

ipsecTrapInvalidSpi NOTIFICATION-TYPE
    OBJECTS     { ipsecIkeSaPeerIpAddress }
    STATUS      current
    DESCRIPTION
        "ESP, AH or IPCOMP packets with unknown SPIs (or CPIs) were
        detected from the specified peer. Implementations SHOULD send one
        trap per peer (within a reasonable time period), rather than
        sending one trap per packet."
    ::= { ipsecTraps 8 }

END
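How a monitoring station would consume the tunnel and protection suite rows above, as an added example that is not part of the draft: two successive polls of ipsecProtSuiteTable rows are compared with wrap-aware Counter32 arithmetic, each suite's error growth is reported once per poll (the same per-suite rate limiting the trap definitions recommend), the ipsecTunnelCurrentProtSuitesNum "0 means down, and then the tunnel must be permanent" rule is checked, and suites approaching ipsecProtSuiteTrafficLimit are flagged. The draft does not say how the OCTET STRING limit and count objects are encoded; the example assumes an unsigned big-endian integer, and all row values are constructed.

```python
"""Defender-side reading of IPSEC-MIB tunnel and protection-suite rows.

Added example, not code from the draft. Assumption: the OCTET STRING
objects ipsecProtSuiteTrafficLimit / ipsecProtSuiteTrafficCount carry an
unsigned big-endian integer (the draft leaves the encoding unspecified).
"""
from typing import Dict, List, Tuple

COUNTER32_MOD = 1 << 32  # SNMP Counter32 wraps modulo 2**32

# ipsecTunnelType enumeration as defined in the draft
TUNNEL_STATIC, TUNNEL_TRANSIENT, TUNNEL_PERMANENT = 0, 1, 2

# Counter32 objects in IpsecProtSuiteEntry that count inbound discards
PROT_SUITE_ERROR_OBJECTS = (
    "ipsecProtSuiteDecryptErrors",
    "ipsecProtSuiteAuthErrors",
    "ipsecProtSuiteReplayErrors",
    "ipsecProtSuitePolicyErrors",
)


def counter32_delta(old: int, new: int) -> int:
    """Growth of a Counter32 between two polls, tolerating one wrap."""
    return (new - old) % COUNTER32_MOD


def octets_to_uint(octets: bytes) -> int:
    """Decode an OCTET STRING lifetime object (assumed big-endian unsigned)."""
    if not octets:
        raise ValueError("empty OCTET STRING")
    return int.from_bytes(octets, "big")


def tunnel_state(row: Dict[str, int]) -> str:
    """'up', 'down' or 'inconsistent' per the ipsecTunnelCurrentProtSuitesNum rule."""
    if row["ipsecTunnelCurrentProtSuitesNum"] > 0:
        return "up"
    if row["ipsecTunnelType"] != TUNNEL_PERMANENT:
        return "inconsistent"  # only a permanent tunnel may be listed while down
    return "down"


def suite_findings(old: Dict, new: Dict, warn_fraction: float = 0.9) -> List[Tuple[str, int]]:
    """Findings for one protection suite between two polls of the same row."""
    findings: List[Tuple[str, int]] = []
    for name in PROT_SUITE_ERROR_OBJECTS:
        growth = counter32_delta(old[name], new[name])
        if growth:
            findings.append((name, growth))  # one finding per object per poll
    limit = octets_to_uint(new["ipsecProtSuiteTrafficLimit"])
    count = octets_to_uint(new["ipsecProtSuiteTrafficCount"])
    if limit and count >= warn_fraction * limit:  # limit 0 means no constraint
        findings.append(("ipsecProtSuiteTrafficLimit-near", count))
    return findings


def analyze(old_rows: Dict[int, Dict], new_rows: Dict[int, Dict]) -> Dict[int, List[Tuple[str, int]]]:
    """Map ipsecProtSuiteIndex to its findings, for suites seen in both polls."""
    report = {}
    for idx, row in new_rows.items():
        if idx in old_rows:  # a newly appeared index has no baseline yet
            found = suite_findings(old_rows[idx], row)
            if found:
                report[idx] = found
    return report


def _suite(decrypt=0, auth=0, replay=0, policy=0, limit=0, count=0) -> Dict:
    """Build a constructed ipsecProtSuiteTable row (limit/count in 1024-byte blocks)."""
    return {
        "ipsecProtSuiteDecryptErrors": decrypt,
        "ipsecProtSuiteAuthErrors": auth,
        "ipsecProtSuiteReplayErrors": replay,
        "ipsecProtSuitePolicyErrors": policy,
        "ipsecProtSuiteTrafficLimit": limit.to_bytes(4, "big"),
        "ipsecProtSuiteTrafficCount": count.to_bytes(4, "big"),
    }


# Constructed sample polls: suite 1 wraps its auth counter, suite 2 nears its
# traffic limit while dropping policy failures, suite 3 appears only in poll 1.
POLL_T0 = {1: _suite(auth=4294967290, replay=17, limit=1000, count=400),
           2: _suite(policy=0, limit=1000, count=600)}
POLL_T1 = {1: _suite(auth=3, replay=17, limit=1000, count=450),
           2: _suite(policy=2, limit=1000, count=950),
           3: _suite(replay=5, limit=0, count=10)}

# Constructed ipsecTunnelTable rows: permanent-down, transient-down, static-up
TUNNEL_ROWS = {
    1: {"ipsecTunnelType": TUNNEL_PERMANENT, "ipsecTunnelCurrentProtSuitesNum": 0},
    2: {"ipsecTunnelType": TUNNEL_TRANSIENT, "ipsecTunnelCurrentProtSuitesNum": 0},
    3: {"ipsecTunnelType": TUNNEL_STATIC, "ipsecTunnelCurrentProtSuitesNum": 1},
}
```

Tunnel 2 is reported as inconsistent because the draft says a transient tunnel with no active protection suites should no longer appear in the table.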