>> MIB - Management Information Base

>> Table: ipsecGlobalsContinued - (.1.3.6.1.4.1.272.4.26.11)

ipsecGlobalsContinued

OID    Name                  Type      Access
.1     PreIpsecRules         INTEGER   RW
.2     DefaultRule           ENUM      RW
.4     Use32BitCpi           ENUM      RW
.5     NoWellKnownCpis       ENUM      RW
.7     NoPmtuDiscovery       ENUM      R
.8     DefaultPmtuTtl        INTEGER   RW
.9     PrivateInterface      INTEGER   RW
.10    SaSyncInterface       ENUM      RW
.11    PostIpsecRules        INTEGER   RW
.12    DefaultPfsIdentity    ENUM      RW
.13    IkeLoggingLevel       INTEGER   RW
.14    DialBlockTime         INTEGER   RW
.15    PfsIdentityDelay      INTEGER   RW
.16    HeartbeatDefault      ENUM      R
.17    HeartbeatInterval     INTEGER   RW
.18    HeartbeatTolerance    INTEGER   RW
.66    ObsoleteFeatureMask   BitValue  RW
.69    P1Always              ENUM      RW

PreIpsecRules
This object specifies an index in the IPsec traffic
table containing a list of traffic definitions which
has to be considered prior to the traffic lists of
the IPSec peers in IPSec traffic processing.  
It may contain either pass or drop entries (protect entries
are ignored, if erroneously configured).
DefaultRule
This object specifies how to treat packets which do not match
any entry in the traffic lists of the active peers or the
pre- and post-IPSec rules.
Possible values:
drop(1), -- drop all packets
pass(2)  -- allow all packets to pass in plain text.
Enumerations:
  • drop (1)
  • pass (2)
Use32BitCpi
This object specifies whether the CPI values in IKE IPComp
negotiations are sent as 32 bit rather than 16 bit numbers.
Possible values:
true(1),  -- send CPI as 32 bit numbers
false(2)  -- send CPI as 16 bit numbers.
Enumerations:
  • true (1)
  • false (2)
NoWellKnownCpis
This object specifies whether the well-known CPI values
should be used in IKE IPComp negotiations. If set to true,
IKE will allocate random CPI values from the negotiable
range 256-61439.
Possible values:
true(1),  -- do not use the well-known CPI values
false(2)  -- use the well-known CPI values.
Enumerations:
  • true (1)
  • false (2)
NoPmtuDiscovery
This object specifies the default PMTU discovery policy 
if the ipsecPeerPmtuDiscovery flag is set to default.
Possible values:
true(1),  -- do not perform PMTU discovery
false(2)  -- perform PMTU discovery.
Enumerations:
  • true (1)
  • false (2)
DefaultPmtuTtl
This object specifies the time-to-live (in minutes) of a
PMTU value derived from an ICMP PMTU message
received for an IPSec packet. After this time, the MTU is
increased step-by-step using the values from RFC 1191 until
a new ICMP PMTU message is received. A TTL value of 0 means
infinite.
PrivateInterface
This object specifies the index of the system's private
interface. If the private interface is set (i.e. non-negative),
certain address spoofing attacks are made impossible by IPSec
itself.
SaSyncInterface
This object specifies whether IKE and IPSec SAs should be
deleted if the interface over which the packets are
initially sent goes down or becomes dormant.
Possible values:
true(1),  -- delete SAs
false(2)  -- do not delete SAs.
Enumerations:
  • true (1)
  • false (2)
PostIpsecRules
This object specifies an index in the IPsec traffic
table containing a list of traffic definitions which
has to be considered after the traffic lists of
the IPSec peers in IPSec traffic processing.  
It may contain either pass or drop entries (protect entries
are ignored, if erroneously configured).
DefaultPfsIdentity
This object specifies whether IKE SAs should be deleted
immediately after a phase 2 (IPSec) SA pair has been
negotiated.
It may be overridden by the individual settings for a peer
entry, if the ipsecPeerPfsIdentity is not set to 'default'.
The consequence of enabling this feature is that before each
phase 2 negotiation there always has to be a phase 1
negotiation. Thus individual phase 2 SAs cannot be
associated with one another: even if the identity of the
remote peer behind one SA is known to an eavesdropper, he
cannot conclude that the next SA is negotiated with the
same remote peer.
Note: Setting this flag only makes sense if configured
together with id-protect mode or RSA encryption for
authentication and if the IP address of the remote
peer does not allow conclusions about its identity
(i.e. dynamic remote peer addresses).
Possible values:
true(1),  -- delete phase 1 SAs
false(2)  -- do not delete phase 1 SAs.
Enumerations:
  • true (1)
  • false (2)
IkeLoggingLevel
This object specifies the IKE logging level.
IKE log messages are output as syslog messages on level debug.
Note that the global syslog table level must be set to debug 
in order to see these messages.
Possible values:
0: no IKE log messages
...  3: IKE error output
...  6: IKE trace output
...  9: IKE detailed results output
10 ...: hexdumps of IKE messages.
DialBlockTime
The number of minutes an ipsecDial entry remains in state
blocked-for-outgoing after a cost-producing trigger call was
detected.
The special value -1 means that the entry stays blocked until it
is unblocked manually by deactivating and then reactivating it.
Default value is -1.
PfsIdentityDelay
This object specifies the number of seconds to wait before 
deleting the underlying phase 1 SA after a Phase 2 SA has 
been established, if PFS for identity is configured.
HeartbeatDefault
This object specifies whether heartbeats should be sent 
over phase 1 SAs.
Possible values:
none(1),   -- neither send nor expect heartbeats
expect(2), -- expect heartbeats
send(3),   -- send heartbeats
both(4)    -- send and expect heartbeats.
Enumerations:
  • none (1)
  • expect (2)
  • send (3)
  • both (4)
HeartbeatInterval
This object specifies the time interval in seconds between 
heartbeats. At this rate heartbeats are sent and/or 
expected if configured.
HeartbeatTolerance
This object specifies the maximum number of missing heartbeats
allowed before an SA is discarded.
ObsoleteFeatureMask
Some obsolete features are represented by a bit in this mask
and can be re-enabled for testing or compatibility purposes.
A mask bit of 1 enables the appropriate (obsolete) feature.
A mask bit of 0 disables the appropriate feature completely.
Bit         Feature
0x00000001: re-enable delayed apf-graph-node-memory free
0x00000002: tbd.
The default value is 0 - all obsolete features are disabled.
Do not change this default value unless really necessary.
P1Always
This object specifies whether a phase 1 rekeying is always
done immediately before a phase 2 rekeying.
Note this is different from PFS for identity because the
latter discards the phase 1 SA immediately after phase 2
establishment.
This feature is mainly a compatibility flag for some
non-standard implementations which always expect a phase 1 SA
if a phase 2 SA exists. If it is enabled, also select a longer
lifetime for phase 1 than for phase 2.
Enumerations:
  • enabled (1)
  • disabled (2)
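The objects above can be read over SNMP with a numeric walk of .1.3.6.1.4.1.272.4.26.11. The following Python script is an added example, not part of this MIB reference or of the vendor's software: it decodes such a walk using the OID suffixes, types and enumerations from the table, expands ObsoleteFeatureMask into its documented bits, and flags the settings a configuration reviewer would question (DefaultRule set to pass, an unset PrivateInterface, an IkeLoggingLevel at or above the hexdump level, a non-zero ObsoleteFeatureMask). The sample walk output is constructed, and the audit rules and thresholds are this example's own assumptions, not vendor recommendations.

```python
"""Decode and audit an snmpwalk of the ipsecGlobalsContinued table.

Added example; not part of the MIB reference or the vendor's software.
OID suffixes, names and enumerations come from the table above; the
sample walk output and the audit rules are this example's own.
"""
import re

BASE_OID = ".1.3.6.1.4.1.272.4.26.11"

TRUE_FALSE = {1: "true", 2: "false"}

# OID suffix -> (object name, enumeration or None for plain integers)
OBJECTS = {
    1: ("PreIpsecRules", None),
    2: ("DefaultRule", {1: "drop", 2: "pass"}),
    4: ("Use32BitCpi", TRUE_FALSE),
    5: ("NoWellKnownCpis", TRUE_FALSE),
    7: ("NoPmtuDiscovery", TRUE_FALSE),
    8: ("DefaultPmtuTtl", None),
    9: ("PrivateInterface", None),
    10: ("SaSyncInterface", TRUE_FALSE),
    11: ("PostIpsecRules", None),
    12: ("DefaultPfsIdentity", TRUE_FALSE),
    13: ("IkeLoggingLevel", None),
    14: ("DialBlockTime", None),
    15: ("PfsIdentityDelay", None),
    16: ("HeartbeatDefault", {1: "none", 2: "expect", 3: "send", 4: "both"}),
    17: ("HeartbeatInterval", None),
    18: ("HeartbeatTolerance", None),
    66: ("ObsoleteFeatureMask", None),
    69: ("P1Always", {1: "enabled", 2: "disabled"}),
}

# Documented bits of ObsoleteFeatureMask (0x00000002 is still "tbd" in the reference)
OBSOLETE_FEATURE_BITS = {0x00000001: "delayed apf-graph-node-memory free"}

# One line of "snmpwalk -On" style output: "<oid> = INTEGER: <value>"; the type
# label is optional so "-Oq" style output ("<oid> = <value>") parses as well.
LINE_RE = re.compile(r"^(\S+)\s*=\s*(?:[A-Za-z0-9]+:)?\s*(-?\d+)\s*$")

# Constructed sample walk (not captured from a real device).
SAMPLE_WALK = """\
.1.3.6.1.4.1.272.4.26.11.1.0 = INTEGER: -1
.1.3.6.1.4.1.272.4.26.11.2.0 = INTEGER: 2
.1.3.6.1.4.1.272.4.26.11.4.0 = INTEGER: 2
.1.3.6.1.4.1.272.4.26.11.5.0 = INTEGER: 2
.1.3.6.1.4.1.272.4.26.11.9.0 = INTEGER: -1
.1.3.6.1.4.1.272.4.26.11.12.0 = INTEGER: 2
.1.3.6.1.4.1.272.4.26.11.13.0 = INTEGER: 10
.1.3.6.1.4.1.272.4.26.11.16.0 = INTEGER: 4
.1.3.6.1.4.1.272.4.26.11.66.0 = INTEGER: 3
.1.3.6.1.4.1.272.4.26.11.69.0 = INTEGER: 2
"""


def parse_walk(text):
    """Map object name -> (raw integer, decoded value) for every line under BASE_OID."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and non-integer values are skipped
        oid, value = m.group(1), int(m.group(2))
        if not oid.startswith(BASE_OID + "."):
            continue  # belongs to another table
        suffix = int(oid[len(BASE_OID) + 1:].split(".")[0])  # drop the ".0" instance
        name, enum = OBJECTS.get(suffix, ("unknown.%d" % suffix, None))
        decoded = enum.get(value, "unknown(%d)" % value) if enum else value
        settings[name] = (value, decoded)
    return settings


def decode_feature_mask(mask):
    """List (bit, description) for every bit set in ObsoleteFeatureMask."""
    out = []
    bit = 1
    while bit <= mask:
        if mask & bit:
            out.append((bit, OBSOLETE_FEATURE_BITS.get(bit, "undocumented bit")))
        bit <<= 1
    return out


def audit(settings):
    """Return findings a reviewer would question; the rules are this example's own."""
    findings = []
    rule = settings.get("DefaultRule")
    if rule and rule[1] == "pass":
        findings.append("DefaultRule=pass: packets matching no peer or pre/post rule leave in plain text")
    private_if = settings.get("PrivateInterface")
    if private_if and private_if[0] < 0:
        findings.append("PrivateInterface unset (negative): IPSec's own anti-spoofing check is off")
    level = settings.get("IkeLoggingLevel")
    if level and level[0] >= 10:
        findings.append("IkeLoggingLevel>=10: hexdumps of IKE messages are written to syslog")
    mask = settings.get("ObsoleteFeatureMask")
    if mask and mask[0] != 0:
        bits = ", ".join("0x%08x (%s)" % (b, d) for b, d in decode_feature_mask(mask[0]))
        findings.append("ObsoleteFeatureMask!=0: obsolete features re-enabled: " + bits)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_walk(SAMPLE_WALK)):
        print(finding)
```

Run against a real walk, the script only needs the walk saved with numeric OIDs; objects that the walk does not return (for example the read-only NoPmtuDiscovery when the agent withholds it) are simply absent from the result and produce no finding.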


MIB Reference to Software Version 7.5.1 generated on 2006/08/03. Provided by webmaster@funkwerk-ec.com
Copyright ©2006 by Funkwerk Enterprise Communications GmbH