>> MIB - Management Information Base

>> Table: ikeProfileTable - (.1.3.6.1.4.1.272.4.26.14.1)

Description: This object contains an IPSec phase 1 profile.

ikeProfileTable

OID   Name              Type           Access
.1    Index             INTEGER        R
.2    Description       DisplayString  RW
.3    AuthMethod        ENUM           D
.4    Mode              ENUM           RW
.5    Proposal          INTEGER        RW
.6    Group             INTEGER        RW
.7    Cert              INTEGER        RW
.8    LocalId           DisplayString  RW
.9    CaCerts           DisplayString  RW
.10   LifeTime          INTEGER        R
.11   PfsIdentity       ENUM           RW
.12   Heartbeats        ENUM           RW
.13   BlockTime         INTEGER        RW
.14   NatT              ENUM           RW
.15   MtuMax            INTEGER        RW
.16   LifeSeconds       Unsigned32     RW
.17   LifeKBytes        Unsigned32     RW
.18   LifeRekeyPercent  INTEGER        RW
.19   LifePolicy        ENUM           RW

Index
A unique index identifying this entry.
Description
An optional description for this profile.

Range: 0 to 255

AuthMethod
This object specifies the authentication method used for this profile.

Enumerations:

  • pre-sh-key (1) -- authentication using pre-shared keys
  • dss-sig (2) -- authentication using DSS signatures
  • rsa-sig (3) -- authentication using RSA signatures
  • rsa-enc (4) -- authentication using RSA encryption
  • default (14) -- use the settings from the default profile (pre-sh-key if this is the default profile)
  • delete (15) -- mark this entry for deletion
Mode
This object specifies the exchange mode used for IKE SA negotiation.

Enumerations:

  • id-protect (1) -- use identity protection (main) mode
  • aggressive (2) -- use aggressive mode
  • default (3) -- use the default setting from the global profile
  • id-protect-only (4) -- only id-protect mode allowed
  • aggressive-only (5) -- only aggressive mode allowed
Proposal
The index of the first IKE proposal which may be used for IKE SA negotiation with this profile.
Group
This object specifies the IKE group to use with this profile. Possible values:

  • 1 -- a 768-bit MODP group
  • 2 -- a 1024-bit MODP group
  • 5 -- a 1536-bit MODP group

Range: 1 to 5

Cert
The index in the certTable of the certificate used for authentication. Ignored when AuthMethod is pre-sh-key (1).

Range: 0 to 32767

LocalId
The local ID used for authentication with this profile. Syntax:

  • X.500 distinguished name
  • IPv4 address: |123.456.789.012| with or without '|'
  • IPv4 address range: |123.456.789.012-123.456.789.013| with or without '|'
  • IPv4 address subnet: |123.456.789.012/255.255.255.0| or |123.456.789.012/24|, with or without '|'
  • Key-ID: hexadecimal string of arbitrary length with an even number of digits, e.g. { 01 23 45 67 89 ab cd ef }
  • Fully Qualified User Name (FQUN): (anything) or user@domain with mandatory '@'
  • Fully Qualified Domain Name (FQDN): [anything] or any name without '@' not matching any other syntax

Range: 0 to 255

CaCerts
A comma-separated list of indices (0..32767) of the certificate authority certificates accepted for this profile.

Range: 0 to 255

LifeTime
This object specifies an index in the ipsecLifeTimeTable with the lifetime settings to be used for IKE SA negotiation with this profile. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime is taken. This object is deprecated; use the ikePrfLifeXxx objects (the Life* columns below) directly instead.
PfsIdentity
This object specifies whether IKE SAs should be deleted immediately after a phase 2 (IPSec) SA pair has been negotiated. The consequence of enabling this feature is that every phase 2 negotiation must be preceded by a phase 1 negotiation. Thus individual phase 2 SAs cannot be associated with one another; in other words, if the identity of a remote peer is known to an eavesdropper for one SA, he cannot conclude that the next SA is negotiated with the same remote peer. Note: Setting this flag only makes sense if it is configured together with id-protect mode or RSA encryption for authentication, and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses).

Enumerations:

  • true (1) -- delete phase 1 SAs
  • false (2) -- reuse phase 1 SAs
  • default (3) -- use the value from the default profile (false if this is the default profile)
Heartbeats
This object specifies whether heartbeats should be sent over phase 1 SAs for this profile.

Enumerations:

  • none (1) -- neither send nor expect heartbeats
  • expect (2) -- expect heartbeats
  • send (3) -- send heartbeats
  • both (4) -- send and expect heartbeats
  • default (5) -- use the value from the default profile (auto if this is the default profile)
  • auto (6) -- detect support using the vendor ID
  • dpd (7) -- use the DPD method for proof of liveliness
  • dpd-idle (8) -- use DPD, and detect dead peers even while idle
BlockTime
This object specifies the time in seconds for which a peer is blocked for any IPSec operations after a phase 1 negotiation initiated by this side has failed. Special values:

  • -1 -- use the setting from the global profile (do not block by default)
  • 0 -- do not block the peer at all

Range: -1 to 86400

NatT
This object specifies whether NAT-Traversal is enabled.

Enumerations:

  • enabled (1) -- enable NAT-Traversal
  • disabled (2) -- disable NAT-Traversal
  • default (3) -- use the value from the default profile (disabled if this is the default profile)
MtuMax
The maximum MTU value allowed for ipsecPeerMtu. Zero means use the value from the global profile; if this is the global profile, 1418 is assumed. Nonzero values smaller than 214 are reset to the minimum of 214.

Range: 0 to 65535

LifeSeconds
The maximum lifetime of an SA in seconds; the SA is deleted when this time has elapsed.
LifeKBytes
The maximum amount of data (in KB) an SA may protect before it is deleted.
LifeRekeyPercent
The percentage of the lifetimes (traffic and time based) after which rekeying is started.

Range: 50 to 100

LifePolicy
This object specifies how a lifetime proposal is handled.

Enumerations:

  • loose (1) -- accept and use anything proposed
  • strict (2) -- accept and use only what is configured
  • notify (3) -- accept anything; if the own values are smaller than what was proposed, use these and send a responder lifetime notification
  • use-default-lifetime (4) -- use the lifetime values from the default profile
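As an added example (not part of this MIB reference and not Funkwerk code), the following script parses snmpwalk-style output of ikeProfileTable, using the table OID and column numbers documented above, and flags the settings whose documented meaning makes them weak choices: Group 1 (the 768-bit MODP group), an aggressive exchange mode, and a loose LifePolicy. The walk lines are constructed sample data, not a capture from a real device.

```python
import re

# Table base OID and column numbers as given on this page
IKE_PROFILE_TABLE = ".1.3.6.1.4.1.272.4.26.14.1"
COLUMNS = {4: "Mode", 6: "Group", 19: "LifePolicy"}
MODE = {1: "id-protect", 2: "aggressive", 3: "default", 4: "id-protect-only", 5: "aggressive-only"}
POLICY = {1: "loose", 2: "strict", 3: "notify", 4: "use-default-lifetime"}

# Constructed snmpwalk-style output (not from a real device): profile 1 is
# id-protect / group 2 / strict, profile 2 is aggressive / group 1 / loose
SAMPLE_WALK = """\
.1.3.6.1.4.1.272.4.26.14.1.4.1 = INTEGER: 1
.1.3.6.1.4.1.272.4.26.14.1.6.1 = INTEGER: 2
.1.3.6.1.4.1.272.4.26.14.1.19.1 = INTEGER: 2
.1.3.6.1.4.1.272.4.26.14.1.4.2 = INTEGER: 2
.1.3.6.1.4.1.272.4.26.14.1.6.2 = INTEGER: 1
.1.3.6.1.4.1.272.4.26.14.1.19.2 = INTEGER: 1
"""
LINE_RE = re.compile(r"^(\.[\d.]+)\s*=\s*INTEGER:\s*(-?\d+)")

def parse_walk(text):
    """Group 'oid = INTEGER: value' lines of ikeProfileTable by profile index."""
    profiles, prefix = {}, IKE_PROFILE_TABLE + "."
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(1).startswith(prefix):
            continue  # other tables or non-integer columns are ignored
        col, idx = m.group(1)[len(prefix):].split(".", 1)
        if int(col) in COLUMNS:
            profiles.setdefault(int(idx), {})[COLUMNS[int(col)]] = int(m.group(2))
    return profiles

def audit(profile):
    """Return findings for one row, using the value meanings documented above."""
    findings = []
    if profile.get("Group") == 1:
        findings.append("Group 1 is a 768-bit MODP group, too small for current key sizes")
    mode = MODE.get(profile.get("Mode"))
    if mode in ("aggressive", "aggressive-only"):
        findings.append(f"Mode {mode} lacks the identity protection of id-protect mode")
    if POLICY.get(profile.get("LifePolicy")) == "loose":
        findings.append("LifePolicy loose lets the peer dictate SA lifetimes; prefer strict or notify")
    return findings

def audit_walk(text):
    """Map profile index -> list of findings for every row found in the walk."""
    return {idx: audit(row) for idx, row in parse_walk(text).items()}
```

Only the three integer columns the audit needs are parsed; extend COLUMNS and audit() to cover further objects of the table such as AuthMethod or Heartbeats.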


MIB Reference to Software Version 7.6.2 generated on 2008/03/07. Provided by webmaster@funkwerk-ec.com
Copyright ©2008 by Funkwerk Enterprise Communications GmbH