>> MIB - Management Information Base

>> Table: ipsecPeerTable - (.1.3.6.1.4.1.272.4.26.5.1)

Description: This object contains the description of an IPSec peer.

ipsecPeerTable
OIDNameTypeAccess
.1IndexINTEGERR
.2NextIndexINTEGERR
.3DescriptionDisplayStringRW
.4CaCertsDisplayStringR
.5PeerIdsDisplayStringRW
.6PeerAddressIpAddressR
.7LocalIdDisplayStringR
.8LocalAddressIpAddressRW
.9LocalCertINTEGERR
.10IkeProposalsINTEGERR
.11TrafficListINTEGERRW
.12PublicInterfaceINTEGERR
.13PfsIdentityENUMR
.14DynamicAddressDisplayStringRW
.15VirtualInterfaceENUMRW
.20AuthMethodENUMR
.21PreSharedKeyDisplayStringRW
.22IkeGroupINTEGERR
.23PfsGroupINTEGERR
.24Ph1ModeENUMR
.25IkeLifeTimeINTEGERR
.26IpsecLifeTimeINTEGERR
.29KeepAliveENUMR
.30GranularityENUMR
.31DontVerifyPadENUMR
.36NoPmtuDiscoveryENUMR
.42DefaultIpsecProposalsINTEGERR
.43HeartbeatENUMR
.44OperStatusENUMR
.45IsdnCBENUMRW
.47PriorityINTEGERRW
.48IkeProfileINTEGERRW
.49IpsecProfileINTEGERRW
.50AdminStatusENUMD
.51TtlINTEGERR
.52CurrentLocalAddressIpAddressR
.53CurrentRemoteAddressIpAddressR
.54NumP1INTEGERR
.55NumP1NegotiatingINTEGERR
.56NumP1EstablishedINTEGERR
.57NumP1DeletedINTEGERR
.58NumBundlesINTEGERR
.59NumBundlesNegotiatingINTEGERR
.60NumBundlesEstablishedINTEGERR
.64Ph1LTokenINTEGERR
.65Ph1RTokenINTEGERR
.66IsdnCBModeENUMRW
.67IsdnCBDChanModeENUMRW
.68IsdnCBNextModeENUMR

Index
A unique index identifying this entry.
NextIndex
The index of the next peer in hierarchy.
Description
An optional description for this peer.
CaCerts
Receives a comma separated list with indices of optional
certificate authority certificates accepted for this peer.
PeerIds
The IDs of the peer which are accepted for authentication.
PeerAddress
This object shows the fixed IP-address of the peer, if any.
LocalId
The local ID used for authentication.
LocalAddress
The local address used for IPSec encrypted packets.
LocalCert
The index of the certificate used for local authentication 
in the certTable. Only useful for automatically keyed traffic
with dsa or rsa authentication.
IkeProposals
The index of the first IKE proposal which may be used
for IKE SA negotiation with this peer.
TrafficList
This object specifies the first entry of possibly a
chain of traffic entries from the ipsecTrafficTable
which should be protected with IPSec using this peer.
PublicInterface
This object specifies the index of the public interface
for which the traffic list assigned to this peer should be 
valid. 
If set to -1, the traffic list is valid for all interfaces.
If the traffic is routed via a different interface, 
no SA negotiation is performed and traffic may be unprotected 
unless there is another peer for the other interface.
PfsIdentity
This object specifies whether IKE SA's should be deleted
immediately after a phase 2 (IPSec-) SA pair has been 
negotiated.
If overrides the default setting ipsecGlobContDefaultPfsIdentity
if not set to 'default'.
The consequence of enabling this feature is that before each 
phase 2 negotiation there always has to be a phase 1
negotiation. Thus individual phase 2 SAs cannot be
associated with one another or, respectively, if the
identity of a remote peer is known to an eavesdropper
for one SA, he cannot conclude that the next SA is
negotiated with the same remote peer. 
Note: Setting this flag only makes sense if configured
together with id-protect mode or RSA encryption for
authentication and if the IP address of the remote
peer does not allow conclusions about its identity
(i.e. dynamic remote peer addresses).
Possible values:
true(1), 	-- delete phase 1 SAs
false(2),	-- do not delete phase 1 SAs
default(3)   -- use setting in ipsecGlobContDefaultPfsIdentity.
Enumerations:
  • true (1)
  • false (2)
  • default (3)
DynamicAddress
The IP-address of the peer.
This object may contain either an IP address or a domain name.
VirtualInterface
This object specifies if a virtual interface should be created
for this peer. If set to enabled, all traffic routed towards
this peer will be protected. The traffic list for this peer 
is ignored then. The index of the interface associated with
this peer is calculated as follows: 
ifIndex = ipsecPeerIndex + 100000.
Enumerations:
  • disabled (1)
  • enabled (2)
AuthMethod
This object specifies the authentication method used for this peer.
It overrides the setting in the IKE proposals used.
Possible values:
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2), 	  -- Authentication using DSS signatures
rsa-sig(3), 	  -- Authentication using RSA signatures
rsa-enc(4), 	  -- Authentication using RSA encryption
default(14),	  -- Use the setting from the ikeProposalEntry
-- used or the ipsecGlobDefaultAuthMethod
delete(15)	  -- mark this entry for deletion.
Enumerations:
  • pre-sh-key (1)
  • dss-sig (2)
  • rsa-sig (3)
  • rsa-enc (4)
  • default (14)
  • delete (15)
PreSharedKey
The pre-shared-key used with this peer, if pre-shared-keys
are used for authentication. This field serves only
as an input field and its contents are replaced with
a single asterisk immediately after it is set.
IkeGroup
This object specifies a special IKE group which is to be used
for this peer only. It overrides the setting in the ikeProposal
used.
Possible values:
0: use the value from the ikeProposal used
1: a 768-bit MODP group
2: a 1024-bit MODP group
5: a 1536-bit MODP group
PfsGroup
The Diffie Hellman group used for additional Perfect
Forward Secrecy (PFS) DH exponentiations.
Possible values:
-1: explicitly do not use PFS 
(overrides ipsecGlob2DefaultPfsGroup), 
0: use default value from ipsecGlob2DefaultPfsGroup, 
1: a 768-bit MODP group, 
2: a 1024-bit MODP group, 
5: a 1536-bit MODP group.
Ph1Mode
This object specifies the exchange mode used for IKE
SA negotiation.
Possible values:
id-protect(1),	-- Use identity protection (main) mode 
aggressive(2), 	-- Use aggressive mode
default(3)		-- Use default settings from the 
-- ipsecGlobalsTable.
Enumerations:
  • id-protect (1)
  • aggressive (2)
  • default (3)
IkeLifeTime
This object specifies an index in the ipsecLifeTimeTable with the 
lifetime settings to be used for IKE SA negotiation with this peer.
It overrides the setting in the IKE proposal used. 
If the lifetime pointed to by this index does not exist or is
inappropriate, the lifetime from the IKE proposal used is
taken.
IpsecLifeTime
This object specifies an index in the
ipsecLifeTimeTable. This lifetime overwrites the
lifetimes specified for all traffic entries and their
proposals referenced by this peer entry. If the
lifetime pointed to by this index does not exist or
is inappropriate, the default lifetime from the
ipsecGlobalsTable is used.
KeepAlive
This object specifies whether IKE SA's with this peer
are rekeyed even if there was no data transferred over
them.
Possible values:
true(1), 	-- rekey SA's even if no data was transferred
false(2)	-- do not rekey SA's if no data was transferred.
Enumerations:
  • true (1)
  • false (2)
Granularity
This object specifies the granularity with which SA's
with this peer are created.
Possible values:
default(1), 	-- use the setting from the ipsecGlobalsTable
coarse(2),	-- Create only one SA for each Traffic entry
ip(3),	-- Create one SA for each host
proto(4),	-- Create one SA for each protocol and host
port(5)	-- Create one SA for each port and host.
Enumerations:
  • default (1)
  • coarse (2)
  • ip (3)
  • proto (4)
  • port (5)
DontVerifyPad
This object is a compatibility option for older ipsec 
implementations. It enables or disables an old way of ESP 
padding (no self describing padding).
Possible values:
false(1), 	-- normal, self-describing ESP padding
true(2)	-- old style ESP padding.
Enumerations:
  • false (1)
  • true (2)
NoPmtuDiscovery
This object specifies the PMTU discovery policy for this peer.
Possible values:
true(1),  -- do not perform PMTU discovery
false(2)  -- perform PMTU discovery
default(3)-- use default settings from 
-- ipsecGlobContNoPmtuDiscovery.
Enumerations:
  • true (1)
  • false (2)
  • default (3)
DefaultIpsecProposals
The index of the default IPSec proposal used for
encrypting all the traffic bound to the (optional)
logical interface created for this peer.
Heartbeat
This object specifies whether heartbeats should be sent 
over phase 1 SAs for this peer.
Possible values:
none(1),     -- neither send nor expect heartbeats
expect(2), 	-- expect heartbeats
send(3),     -- send heartbeats
both(4),	-- send and expect heartbeats
default(5)	-- use setting from 
-- ipsecGlobContHeartbeatDefault.
Enumerations:
  • none (1)
  • expect (2)
  • send (3)
  • both (4)
  • default (5)
OperStatus
Peer operational state.
Enumerations:
  • up (1)
  • down (2)
  • dormant (5)
  • blocked (6)
  • awaiting-callback (33)
  • ip-lookup (35)
  • going-up (36)
  • wait-if (37)
  • wait-publish (38)
  • wait-localip (39)
IsdnCB
Switch for turning ISDN call back feature on and off
specifically for peer.
Default value is disabled.
Enumerations:
  • enabled (1)
  • disabled (2)
  • passive (3)
  • active (4)
Priority
Defines the matching priority.
IkeProfile
The index from the ikeProfileTable containing a special
phase 1 profile to use for this peer.
IpsecProfile
The index from the ipsecProfileTable containing a special 
phase 2 profile to use for this peer.
AdminStatus
Peer administrative state.
Enumerations:
  • up (1)
  • down (2)
  • dialup (4)
  • callback (5)
  • delete (15)
Ttl
This object shows the maximum period of time in seconds 
the peer will remain in the current state.
CurrentLocalAddress
The currently used local IP-address for this peer.
CurrentRemoteAddress
The currently known remote IP-address of this peer.
NumP1
The number of current IKE SAs for this peer.
NumP1Negotiating
The number of current IKE SAs in state 'established'
for this peer.
NumP1Established
The number of current IKE SAs in state 'established'
for this peer.
NumP1Deleted
The number of current IKE SAs in state 'established'
for this peer.
NumBundles
The number of current IPSec SA bundles for this peer.
NumBundlesNegotiating
The number of current IPSec SA bundles for this peer.
NumBundlesEstablished
The number of current IPSec SA bundles in state 'established'
for this peer.
Ph1LToken
Locally generated token that must be used by triggered peer
upon call back.
Ph1RToken
Remotely generated token which must be used during phase one
of IPsec connection establishment.
IsdnCBMode
Define callback mode.
The following modes are defined:
compat(1)	-- compatibility to old callback
auto(2)      -- automatically detect best method
auto-D(3)	-- automatically detect best D channel method
D(4)		-- use D channel only
DB(5)	-- try D channel first, fall back to B
B(6)		-- use B channel only
Default value for that variable is compat(1).
Enumerations:
  • compat (1)
  • auto (2)
  • auto-D (3)
  • D (4)
  • DB (5)
  • B (6)
IsdnCBDChanMode
Define callback D channel mode.
The following modes are defined:
LLC(1)		-- code token into LLC information
element only
SUBADDR(2)    	-- code token into SUBADDR information
element only
LLC-and-SUBADDR(3)	-- redundantly use LLC and SUBADDR
information elements
LLC-SUBADDR(4)	-- try LLC first, then SUBADDR
SUBADDR-LLC(5)	-- try SUBADDR first, then LLC
Default value for that variable is LLC(1).
Enumerations:
  • LLC (1)
  • SUBADDR (2)
  • LLC-and-SUBADDR (3)
  • LLC-SUBADDR (4)
  • SUBADDR-LLC (5)
IsdnCBNextMode
Define callback mode that is to be tried next.
The following modes are defined:
unknown(1)		-- still unset, derive it from other
settings
D-LLC(2)    		-- use D channel mode with LLC next
D-SUBADDR(3)		-- use D channel mode with SUBADDR next
D-LLC-SUBADDR(4)	-- use D channel mode with LLC and
SUBADDR next
B(5)			-- use B channel mode next
Default value for that variable is unknown(1).
Enumerations:
  • unknown (1)
  • D-LLC (2)
  • D-SUBADDR (3)
  • D-LLC-SUBADDR (4)
  • B (5)


Copyright ©2003 by BinTec Access Networks GmbH