>> MIB - Management Information Base

>> Table: ipsecGlobals - (.1.3.6.1.4.1.272.4.26.1)

ipsecGlobals
OID   Name                      Type           Access
.1    PeerIndex                 INTEGER        R
.2    DefaultAuthMethod         ENUM           R
.3    DefaultCertificate        INTEGER        R
.4    DefaultLocalId            DisplayString  R
.5    DefaultIpsecProposal      INTEGER        R
.6    DefaultIkeProposal        INTEGER        R
.7    DefaultIpsecLifeTime      INTEGER        R
.8    DefaultIkeLifeTime        INTEGER        R
.9    DefaultIkeGroup           INTEGER        R
.10   MaxSysLogLevel            ENUM           RW
.11   DefaultGranularity        ENUM           R
.12   DefaultPh1Mode            ENUM           R
.13   DefaultPfsGroup           INTEGER        R
.20   IkePort                   INTEGER        RW
.21   MaxRetries                INTEGER        RW
.22   RetryTimeout0milli        INTEGER        RW
.23   RetryTimeoutMaxsec        INTEGER        RW
.24   MaxNegotiationTimeoutsec  INTEGER        RW
.25   MaxIkeSas                 INTEGER        RW
.26   AntiCloggingLength        INTEGER        RW
.27   AntiCloggingHash          ENUM           RW
.28   LocalSecretPeriodsec      INTEGER        RW
.29   IgnoreCrPayloads          ENUM           RW
.30   NoCrPayloads              ENUM           RW
.31   NoKeyHashPayloads         ENUM           RW
.32   NoCrls                    ENUM           RW
.33   SendFullCertChains        ENUM           RW
.34   TrustIcmpMsg              ENUM           RW
.35   SpiSize                   INTEGER        RW
.36   ZeroIsakmpCookies         ENUM           RW
.37   MaxKeyLength              INTEGER        RW
.38   NoInitialContact          ENUM           RW
.39   IkeProfile                INTEGER        RW
.40   IpsecProfile              INTEGER        RW
.41   Enabled                   ENUM           RW
.42   BlockTimeout              INTEGER        RW

PeerIndex
Index of first IPsec peer in ipsecPeerTable.
If this object is set to a Value <= 0, IPSec is switched
explicitly off. If the peer referenced by this object does not
exist in the table, all packets will be dropped.
DefaultAuthMethod
This object specifies the authentication method used by default. 
If the ipsecPeerAuthMethod field of an ipsecPeerEntry and the
ikePropAuthMethod field of the ikeProposalTableEntry used are
set to 'default', this value is assumed.
Possible values:
pre-sh-key(1), -- Authentication using pre shared keys
dss-sig(2),	  -- Authentication using DSS signatures
rsa-sig(3),	  -- Authentication using RSA signatures
rsa-enc(4)	  -- Authentication using RSA encryption.
Enumerations:
  • pre-sh-key (1)
  • dss-sig (2)
  • rsa-sig (3)
  • rsa-enc (4)
DefaultCertificate
The index of the default certificate in the certTable used for 
local authentication for ike keyed rules with non 
pre-shared-key authentication. This may be overwritten by the 
certificate specified for the individual ipsec peers.
DefaultLocalId
The default ID used for local authentication for ike keyed
rules. If this is an empty or invalid id string, one of the
subject alternative names or the subject name from the default
certificate is used. This does not replace an empty local
id string for an IPsec peer with a valid certificate; the
subject name or one of the subject alternative names from that
certificate is used then.
DefaultIpsecProposal
Index of default ipsec proposal used for traffic entries with 
empty ipsec proposal, defined for peers with empty default 
ipsec proposal.
DefaultIkeProposal
Index of default ike proposal used for peers with empty default
ike proposal.
DefaultIpsecLifeTime
Index of default lifetime for ike SA's in ipsecLifeTimeTable.
This lifetime is used, when there is no valid lifetime entry
specified for an IPsec peer entry.
DefaultIkeLifeTime
This object specifies an index in the ipsecLifeTimeTable with the 
default lifetime settings used for IKE SA's.
This lifetime is used whenever there is no valid lifetime entry 
specified for a peer entry and the IKE proposal used.
DefaultIkeGroup
Index of default IKE group used if no IKE group is defined for a peer.
Possible values:
1 (768 bit MODP), 
2 (1024 bit MODP), 
5 (1536 bit MODP).
MaxSysLogLevel
Maximum level for syslog messages issued by IPSec. All
messages with a level higher than this value are suppressed, 
independently from other global syslog level settings.
Possible settings:
emerg(1), 
alert(2), 
crit(3), 
err(4), 
warning(5), 
notice(6), 
info(7), 
debug(8).
Enumerations:
  • emerg (1)
  • alert (2)
  • crit (3)
  • err (4)
  • warning (5)
  • notice (6)
  • info (7)
  • debug (8)
DefaultGranularity
This object specifies the default granularity used
for IPSEC SA negotiation.
Possible values:
coarse(2),	-- Create only one SA for each Traffic entry
ip(3),	-- Create one SA for each host
proto(4),	-- Create one SA for each protocol and host
port(5)	-- Create one SA for each port and host.
Enumerations:
  • coarse (2)
  • ip (3)
  • proto (4)
  • port (5)
DefaultPh1Mode
This object specifies the default exchange mode used for IKE
SA negotiation.
Possible values:
id-protect(1),	-- Use identity protection (main) mode 
aggressive(2) 	-- Use aggressive mode.
Enumerations:
  • id-protect (1)
  • aggressive (2)
DefaultPfsGroup
This object specifies the PFS group to use.
PFS is done only for phase 2, i.e. the Phase 1 SAs are not 
deleted after phase 2 negotiation is completed.
Note however, that if the peer has configured PFS for
identity and destroys phase 1 SAs, this side will also 
destroy them when notified.
Possible values:
0 (no PFS)
1 (768 bit MODP), 
2 (1024 bit MODP), 
5 (1536 bit MODP).
IkePort
This object specifies the port the IKE key management service
listens to.
MaxRetries
This object specifies the maximum number of retries sent by IKE
for one message.
RetryTimeout0milli
This object specifies the period of time in milliseconds before
an IKE message is repeated for the first time if the answer is
missing. After each retry, this timeout is increased up to the
value specified in ipsecGlobRetryTimeoutMaxsec.
RetryTimeoutMaxsec
This object specifies the maximum period of time in seconds
before an IKE message is repeated if the answer is missing. The
retry timeout is not increased beyond this limit.
MaxNegotiationTimeoutsec
This object specifies the maximum number of seconds after which
a negotiation is canceled if it is not finished.
MaxIkeSas
This object specifies the maximum number of simultaneous ISAKMP
Security associations allowed. If this limit is reached, the
entries are removed from the database, starting with the ones
that will expire very soon. If that is not enough, the entries
are deleted in reverse LRU order.
AntiCloggingLength
This object specifies the length in bits of the local
secret used for ISAKMP anti-clogging cookies.
AntiCloggingHash
This object specifies the algorithm which is used for creating
anti-clogging-tokens.
Possible values:
md5(3),	-- MD5 hash algorithm
sha1(4) 	-- SHA hash algorithm.
Enumerations:
  • md5 (3)
  • sha1 (4)
LocalSecretPeriodsec
This object specifies the period of time in seconds after which
a new secret for creating local anti-clogging tokens is
created.  The previous secret is remembered, so that the
anti-clogging tokens created with the previous secret are
also recognized as valid. After the local secret is recreated
again, the old tokens are not recognized anymore and all IKE
packets belonging to the old security associations are
discarded. This means that the maximum lifetime of an ISAKMP SA
is twice the value of this timer.
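The two-secret scheme described above, as an added example that is not BinTec code: the generator keeps the current and the previous local secret, so a cookie survives one rotation (one LocalSecretPeriodsec) but not two. The token construction (a keyed hash over the peer's address and port, truncated to the 8-byte ISAKMP cookie) and the default length are assumptions for illustration; the hash selection follows the AntiCloggingHash enumeration.

```python
import hmac
import secrets

# AntiCloggingHash enumeration values from the MIB: md5(3), sha1(4).
HASH_BY_ENUM = {3: "md5", 4: "sha1"}


class AntiCloggingCookies:
    """Local-secret rotation for ISAKMP anti-clogging cookies.

    Models the MIB description: the previous secret is remembered, so
    tokens made with it stay valid until the secret is rotated again.
    """

    def __init__(self, anti_clogging_length_bits=128, anti_clogging_hash=4):
        self.algo = HASH_BY_ENUM[anti_clogging_hash]  # KeyError on unknown enum
        self.nbytes = anti_clogging_length_bits // 8    # AntiCloggingLength
        self.current = secrets.token_bytes(self.nbytes)
        self.previous = None

    def rotate(self):
        """Called once per LocalSecretPeriodsec: drop the oldest secret."""
        self.previous = self.current
        self.current = secrets.token_bytes(self.nbytes)

    def _token(self, secret, peer_addr, peer_port):
        # Assumed construction: keyed hash of the peer endpoint, 8-byte cookie.
        msg = f"{peer_addr}:{peer_port}".encode()
        return hmac.new(secret, msg, self.algo).digest()[:8]

    def issue(self, peer_addr, peer_port):
        return self._token(self.current, peer_addr, peer_port)

    def verify(self, cookie, peer_addr, peer_port):
        """Accept cookies made with the current or the previous secret only."""
        for secret in (self.current, self.previous):
            if secret is not None and hmac.compare_digest(
                cookie, self._token(secret, peer_addr, peer_port)
            ):
                return True
        return False


def survives_rotations(rotations, peer=("192.0.2.10", 500)):
    """True if a cookie issued now is still valid after `rotations` periods."""
    gen = AntiCloggingCookies()
    cookie = gen.issue(*peer)
    for _ in range(rotations):
        gen.rotate()
    return gen.verify(cookie, *peer)
```

A packet carrying a cookie from two periods ago is discarded, which is why the page bounds an ISAKMP SA's lifetime at twice LocalSecretPeriodsec.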
IgnoreCrPayloads
This object specifies whether certificate request payloads
should be ignored by IKE.
Possible values:
true(1), 	-- ignore all certificate requests
false(2)	-- process certificate request payloads.
Enumerations:
  • true (1)
  • false (2)
NoCrPayloads
This object specifies whether IKE should suppress certificate
requests. 
Possible values:
true(1), 	-- suppress certificate requests
false(2)	-- send certificate requests.
Enumerations:
  • true (1)
  • false (2)
NoKeyHashPayloads
This object specifies whether IKE should suppress key hash
payloads.
Possible values:
true(1), 	-- suppress key hash payloads
false(2)	-- send key hash payloads.
Enumerations:
  • true (1)
  • false (2)
NoCrls
This object specifies whether IKE should send certificate
revocation lists.
Possible values:
true(1), 	-- do not send certificate revocation lists
false(2)	-- send certificate revocation lists.
Enumerations:
  • true (1)
  • false (2)
SendFullCertChains
This object specifies whether IKE should send full certificate
chains.
Possible values:
true(1), 	-- send full certificate chains
false(2)	-- do not send full certificate chains.
Enumerations:
  • true (1)
  • false (2)
TrustIcmpMsg
This object specifies whether IKE should trust icmp port and
host unreachable error messages. ICMP port and host unreachable
messages are only trusted if there have not yet been received
any datagrams from the remote host in this negotiation.
This means, if the local side receives an ICMP port or host 
unreachable message as the first response to the initial packet 
of a new phase 1 negotiation, it cancels the negotiation 
immediately.
Possible values:
true(1), 	-- trust ICMP messages
false(2)	-- do not trust ICMP messages.
Enumerations:
  • true (1)
  • false (2)
SpiSize
A compatibility flag that specifies the length of the SPI in
bytes, which is used when an ISAKMP SA SPI (Cookie) is sent to 
the remote peer. 
This field takes effect only if ipsecGlobZeroIsakmpCookies
is true.
ZeroIsakmpCookies
This object specifies whether zeroed ISAKMP cookies should be
sent.
Possible Values:
true(1), -- send zero cookies in ISAKMP messages
false(2) -- send ISAKMP cookies.
Enumerations:
  • true (1)
  • false (2)
MaxKeyLength
This object specifies the maximum length of an encryption key
(in bits) that is accepted from the remote end. This limit
prevents denial of service attacks where the attacker asks for
a huge key for an encryption algorithm that allows variable
length keys.
NoInitialContact
Do not send IKE initial contact messages in IKE negotiations
even if no SA's exist with a peer.
Possible values:
true(1), -- do not send initial contact messages
false(2) -- send initial contact messages if appropriate.
Enumerations:
  • true (1)
  • false (2)
IkeProfile
This object specifies the default IKE (phase 1) profile
to use.
IpsecProfile
This object specifies the default IPSec (phase 2) profile
to use.
Enabled
Enables/disables IPSec globally.
Enumerations:
  • true (1)
  • false (2)
BlockTimeout
For peers with nonzero block time, the value of this object is 
used instead of ipsecGlobMaxNegotiationTimeoutSec.
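Several of the objects in this table carry security-relevant settings (DefaultIkeGroup, DefaultPfsGroup, DefaultPh1Mode, AntiCloggingHash, ZeroIsakmpCookies, NoCrls, TrustIcmpMsg). The following added example, which is not BinTec code, reviews a walk of ipsecGlobals for those settings using the OIDs and enumeration values defined on this page; the walk itself is a constructed sample, and the 1536-bit MODP threshold is an assumed policy value.

```python
BASE = ".1.3.6.1.4.1.272.4.26.1"  # ipsecGlobals

# Constructed sample of what an SNMP walk of ipsecGlobals might return.
SAMPLE_WALK = {
    f"{BASE}.9": 1,   # DefaultIkeGroup: 768 bit MODP
    f"{BASE}.12": 2,  # DefaultPh1Mode: aggressive
    f"{BASE}.13": 0,  # DefaultPfsGroup: no PFS
    f"{BASE}.27": 3,  # AntiCloggingHash: md5
    f"{BASE}.32": 1,  # NoCrls: true
    f"{BASE}.34": 1,  # TrustIcmpMsg: true
    f"{BASE}.36": 1,  # ZeroIsakmpCookies: true
    f"{BASE}.41": 1,  # Enabled: true
}

MODP_BITS = {1: 768, 2: 1024, 5: 1536}  # group values used by the MIB


def audit_ipsec_globals(walk, min_modp_bits=1536):
    """Return (object name, finding) pairs for risky ipsecGlobals values."""
    get = lambda sub: walk.get(f"{BASE}.{sub}")
    findings = []
    if get(41) == 2:  # Enabled false(2): nothing else is in effect
        return [("Enabled", "IPSec is globally disabled; other checks skipped")]
    grp = get(9)
    if grp is not None and MODP_BITS.get(grp, 0) < min_modp_bits:
        findings.append(("DefaultIkeGroup",
                         f"group {grp} is {MODP_BITS.get(grp, '?')} bit MODP"))
    pfs = get(13)
    if pfs == 0:
        findings.append(("DefaultPfsGroup", "PFS disabled for phase 2"))
    elif pfs is not None and MODP_BITS.get(pfs, 0) < min_modp_bits:
        findings.append(("DefaultPfsGroup",
                         f"group {pfs} is {MODP_BITS.get(pfs, '?')} bit MODP"))
    if get(12) == 2:  # aggressive(2)
        findings.append(("DefaultPh1Mode",
                         "aggressive mode; no identity protection in phase 1"))
    if get(27) == 3:  # md5(3)
        findings.append(("AntiCloggingHash", "md5 used for anti-clogging tokens"))
    if get(36) == 1:  # true(1)
        findings.append(("ZeroIsakmpCookies",
                         "zeroed ISAKMP cookies sent (compatibility setting)"))
    if get(32) == 1:  # true(1)
        findings.append(("NoCrls", "certificate revocation lists are not sent"))
    if get(34) == 1:  # true(1)
        findings.append(("TrustIcmpMsg",
                         "unauthenticated ICMP unreachable cancels new phase 1"))
    return findings
```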


Copyright ©2003 by BinTec Access Networks GmbH