>> MIB - Management Information Base

>> Table: ipsecPeerTable - (.1.3.6.1.4.1.272.4.26.5.1)

Description: This object contains the description of an IPSec peer.

ipsecPeerTable
OIDNameTypeAccess
.1IndexINTEGERR
.2NextIndexINTEGERR
.3DescriptionDisplayStringRW
.4CaCertsDisplayStringR
.5PeerIdsDisplayStringRW
.6PeerAddressIpAddressR
.7LocalIdDisplayStringR
.8LocalAddressIpAddressRW
.9LocalCertINTEGERR
.10IkeProposalsINTEGERR
.11TrafficListINTEGERRW
.12PublicInterfaceINTEGERR
.13PfsIdentityENUMR
.14DynamicAddressDisplayStringRW
.15VirtualInterfaceENUMRW
.16StartModeENUMRW
.20AuthMethodENUMR
.21PreSharedKeyDisplayStringRW
.22IkeGroupINTEGERR
.23PfsGroupINTEGERR
.24Ph1ModeENUMR
.25IkeLifeTimeINTEGERR
.26IpsecLifeTimeINTEGERR
.29KeepAliveENUMR
.30GranularityENUMR
.31DontVerifyPadENUMR
.36NoPmtuDiscoveryENUMR
.42DefaultIpsecProposalsINTEGERR
.43HeartbeatENUMR
.44OperStatusENUMR
.45IsdnCBENUMRW
.47PriorityINTEGERRW
.48IkeProfileINTEGERRW
.49IpsecProfileINTEGERRW
.50AdminStatusENUMD
.51TtlINTEGERR
.52CurrentLocalAddressIpAddressR
.53CurrentRemoteAddressIpAddressR
.54NumP1INTEGERR
.55NumP1NegotiatingINTEGERR
.56NumP1EstablishedINTEGERR
.57NumP1DeletedINTEGERR
.58NumBundlesINTEGERR
.59NumBundlesNegotiatingINTEGERR
.60NumBundlesEstablishedINTEGERR
.63PreSharedKeyDataOCTET STRINGN
.64Ph1LTokenINTEGERR
.65Ph1RTokenINTEGERR
.66IsdnCBModeENUMRW
.67IsdnCBDChanModeENUMRW
.68IsdnCBNextModeENUMR
.69NatDetectENUMR
.70NatTLocalPortINTEGERR
.71NatTRemotePortINTEGERR
.72MtuINTEGERR
.73TypeENUMRW
.74RxIdleTimeTicksR
.75TxIdleTimeTicksR
.76DPDENUMR
.77DPDRetriesINTEGERR
.78DynAddrPoolIdINTEGERRW
.79DynAddrLocalIpIpAddressRW

Index
A unique index identifying this entry.
NextIndex
The index of the next peer in hierarchy.
Description
An optional description for this peer.

Range: 0 to 255

CaCerts
Receives a comma separated list with indices of optional certificate authority certificates accepted for this peer.

Range: 0 to 255

PeerIds
The IDs of the peer which are accepted for authentication. Syntax: - X500 distinguished name: - IPV4-Address: |123.456.789.012| with or without '|' - IPV4 Address Range: |123.456.789.012-123.456.789.013| with or without '|' - IPV4 Address Subnet: |123.456.789.012/255.255.255.0| with or without '|' or: |123.456.789.012/24| with or without '|' - Key-ID: arbitrary length hexadecimal string with even number of digits: { 01 23 45 67 89 ab cd ef } - Fully Qualified User Name (FQUN): (anything) or user@domain with mandatory '@' - Fully Qualified Domain Name (FQDN): [anything] or any name without '@' not matching any other syntax Multiple IDs may be specified by separating them with commas

Range: 0 to 255

PeerAddress
This object shows the fixed IP-address of the peer, if any.
LocalId
The local ID used for authentication. Syntax: - X500 distinguished name: - IPV4-Address: |123.456.789.012| with or without '|' - IPV4 Address Range: |123.456.789.012-123.456.789.013| with or without '|' - IPV4 Address Subnet: |123.456.789.012/255.255.255.0| with or without '|' or: |123.456.789.012/24| with or without '|' - Key-ID: arbitrary length hexadecimal string with even number of digits: { 01 23 45 67 89 ab cd ef } - Fully Qualified User Name (FQUN): (anything) or user@domain with mandatory '@' - Fully Qualified Domain Name (FQDN): [anything] or any name without '@' not matching any other syntax The usage of this field is deprecated, use ikePrfLocalId now!

Range: 0 to 255

LocalAddress
The local address used for IPSec encrypted packets.
LocalCert
The index of the certificate used for local authentication in the certTable. Only useful for automatically keyed traffic with dsa or rsa authentication.
IkeProposals
The index of the first IKE proposal which may be used for IKE SA negotiation with this peer.
TrafficList
This object specifies the first entry of possibly a chain of traffic entries from the ipsecTrafficTable which should be protected with IPSec using this peer.
PublicInterface
This object specifies the index of the public interface for which the traffic list assigned to this peer should be valid. If set to -1, the traffic list is valid for all interfaces.

If the traffic is routed via a different interface, no SA negotiation is performed and traffic may be unprotected unless there is another peer for the other interface.

PfsIdentity
This object specifies whether IKE SA's should be deleted immediately after a phase 2 (IPSec-) SA pair has been negotiated. If overrides the default setting ipsecGlobContDefaultPfsIdentity if not set to 'default'. The consequence of enabling this feature is that before each phase 2 negotiation there always has to be a phase 1 negotiation. Thus individual phase 2 SAs cannot be associated with one another or, respectively, if the identity of a remote peer is known to an eavesdropper for one SA, he cannot conclude that the next SA is negotiated with the same remote peer. Note: Setting this flag only makes sense if configured together with id-protect mode or RSA encryption for authentication and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses). Possible values: true(1), -- delete phase 1 SAs false(2), -- do not delete phase 1 SAs default(3) -- use setting in ipsecGlobContDefaultPfsIdentity.

Enumerations:

  • true (1)
  • false (2)
  • default (3)
DynamicAddress
The IP-address of the peer. This object may contain either an IP address or a domain name.

Range: 0 to 255

VirtualInterface
This object specifies if a virtual interface should be created for this peer. If set to enabled, all traffic routed towards this peer will be protected. The traffic list for this peer is ignored then. The index of the interface associated with this peer is calculated as follows: ifIndex = ipsecPeerIndex + 100000.

Enumerations:

  • disabled (1)
  • enabled (2)
StartMode
This object specifies the events which make the IPSec peer go up. Possible values: on-demand(1), -- packet triggered start, -- fall back to dormant if unused always-up(2) -- always set up and keep up.

Enumerations:

  • on-demand (1)
  • always-up (2)
AuthMethod
This object specifies the authentication method used for this peer. It overrides the setting in the IKE proposals used. Possible values: pre-sh-key(1), -- Authentication using pre shared keys dss-sig(2), -- Authentication using DSS signatures rsa-sig(3), -- Authentication using RSA signatures rsa-enc(4), -- Authentication using RSA encryption default(14), -- Use the setting from the ikeProposalEntry -- used or the ipsecGlobDefaultAuthMethod delete(15) -- mark this entry for deletion.

Enumerations:

  • pre-sh-key (1)
  • dss-sig (2)
  • rsa-sig (3)
  • rsa-enc (4)
  • default (14)
  • delete (15)
PreSharedKey
The pre-shared-key used with this peer, if pre-shared-keys are used for authentication. This field serves only as an input field and its contents are replaced with a single asterisk immediately after it is set.

Range: 0 to 255

IkeGroup
This object specifies a special IKE group which is to be used for this peer only. It overrides the setting in the ikeProposal used. Possible values: 0: use the value from the ikeProposal used 1: a 768-bit MODP group 2: a 1024-bit MODP group 5: a 1536-bit MODP group
PfsGroup
The Diffie Hellman group used for additional Perfect Forward Secrecy (PFS) DH exponentiations. Possible values: -1: explicitly do not use PFS (overrides ipsecGlob2DefaultPfsGroup), 0: use default value from ipsecGlob2DefaultPfsGroup, 1: a 768-bit MODP group, 2: a 1024-bit MODP group, 5: a 1536-bit MODP group.
Ph1Mode
This object specifies the exchange mode used for IKE SA negotiation. Possible values: id-protect(1), -- Use identity protection (main) mode aggressive(2), -- Use aggressive mode default(3) -- Use default settings from the -- ipsecGlobalsTable.

Enumerations:

  • id-protect (1)
  • aggressive (2)
  • default (3)
IkeLifeTime
This object specifies an index in the ipsecLifeTimeTable with the lifetime settings to be used for IKE SA negotiation with this peer. It overrides the setting in the IKE proposal used. If the lifetime pointed to by this index does not exist or is inappropriate, the lifetime from the IKE proposal used is taken.
IpsecLifeTime
This object specifies an index in the ipsecLifeTimeTable. This lifetime overwrites the lifetimes specified for all traffic entries and their proposals referenced by this peer entry. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used.
KeepAlive
This object specifies whether IKE SA's with this peer are rekeyed even if there was no data transferred over them. Possible values: true(1), -- rekey SA's even if no data was transferred false(2) -- do not rekey SA's if no data was transferred.

Enumerations:

  • true (1)
  • false (2)
Granularity
This object specifies the granularity with which SA's with this peer are created. Possible values: default(1), -- use the setting from the ipsecGlobalsTable coarse(2), -- Create only one SA for each Traffic entry ip(3), -- Create one SA for each host proto(4), -- Create one SA for each protocol and host port(5) -- Create one SA for each port and host.

Enumerations:

  • default (1)
  • coarse (2)
  • ip (3)
  • proto (4)
  • port (5)
DontVerifyPad
This object is a compatibility option for older ipsec implementations. It enables or disables an old way of ESP padding (no self describing padding). Possible values: false(1), -- normal, self-describing ESP padding true(2) -- old style ESP padding.

Enumerations:

  • false (1)
  • true (2)
NoPmtuDiscovery
This object specifies the PMTU discovery policy for this peer. Possible values: true(1), -- do not perform PMTU discovery false(2) -- perform PMTU discovery default(3)-- use default settings from -- ipsecGlobContNoPmtuDiscovery.

Enumerations:

  • true (1)
  • false (2)
  • default (3)
DefaultIpsecProposals
The index of the default IPSec proposal used for encrypting all the traffic bound to the (optional) logical interface created for this peer.
Heartbeat
This object specifies whether heartbeats should be sent over phase 1 SAs for this peer. Possible values: none(1), -- neither send nor expect heartbeats expect(2), -- expect heartbeats send(3), -- send heartbeats both(4), -- send and expect heartbeats default(5) -- use setting from -- ipsecGlobContHeartbeatDefault.

Enumerations:

  • none (1)
  • expect (2)
  • send (3)
  • both (4)
  • default (5)
OperStatus
Peer operational state.

Enumerations:

  • up (1)
  • down (2)
  • dormant (5)
  • blocked (6)
  • awaiting-callback (33)
  • ip-lookup (35)
  • going-up (36)
  • wait-if (37)
  • wait-publish (38)
  • wait-localip (39)
IsdnCB
Switch for turning ISDN call back feature on and off specifically for peer. Default value is disabled.

Enumerations:

  • enabled (1)
  • disabled (2)
  • passive (3)
  • active (4)
Priority
Defines the matching priority.
IkeProfile
The index from the ikeProfileTable containing a special phase 1 profile to use for this peer.
IpsecProfile
The index from the ipsecProfileTable containing a special phase 2 profile to use for this peer.
AdminStatus
Peer administrative state.

Enumerations:

  • up (1)
  • down (2)
  • dialup (4)
  • callback (5)
  • delete (15)
Ttl
This object shows the maximum period of time in seconds the peer will remain in the current state.
CurrentLocalAddress
The currently used local IP-address for this peer.
CurrentRemoteAddress
The currently known remote IP-address of this peer.
NumP1
The number of current IKE SAs for this peer.
NumP1Negotiating
The number of current IKE SAs in state 'established' for this peer.
NumP1Established
The number of current IKE SAs in state 'established' for this peer.
NumP1Deleted
The number of current IKE SAs in state 'established' for this peer.
NumBundles
The number of current IPSec SA bundles for this peer.
NumBundlesNegotiating
The number of current IPSec SA bundles for this peer.
NumBundlesEstablished
The number of current IPSec SA bundles in state 'established' for this peer.
PreSharedKeyData
Field used for storing the pre-shared-key permanently.
Ph1LToken
Locally generated token that must be used by triggered peer upon call back.

Range: 0 to 65535

Ph1RToken
Remotely generated token which must be used during phase one of IPsec connection establishment.

Range: 0 to 65535

IsdnCBMode
Define callback mode. The following modes are defined: compat(1) -- compatibility to old callback auto(2) -- automatically detect best method auto-d(3) -- automatically detect best D channel method d(4) -- use D channel only db(5) -- try D channel first, fall back to B b(6) -- use B channel only

Default value for that variable is compat(1).

Enumerations:

  • compat (1)
  • auto (2)
  • auto-d (3)
  • d (4)
  • db (5)
  • b (6)
IsdnCBDChanMode
Define callback D channel mode. The following modes are defined: llc(1) -- code token into LLC information element only subaddr(2) -- code token into SUBADDR information element only llc-and-subaddr(3) -- redundantly use LLC and SUBADDR information elements llc-subaddr(4) -- try LLC first, then SUBADDR subaddr-llc(5) -- try SUBADDR first, then LLC

Default value for that variable is LLC(1).

Enumerations:

  • llc (1)
  • subaddr (2)
  • llc-and-subaddr (3)
  • llc-subaddr (4)
  • subaddr-llc (5)
IsdnCBNextMode
Define callback mode that is to be tried next. The following modes are defined: unknown(1) -- still unset, derive it from other settings d-llc(2) -- use D channel mode with LLC next d-subaddr(3) -- use D channel mode with SUBADDR next d-llc-subaddr(4) -- use D channel mode with LLC and SUBADDR next b(5) -- use B channel mode next

Default value for that variable is unknown(1).

Enumerations:

  • unknown (1)
  • d-llc (2)
  • d-subaddr (3)
  • d-llc-subaddr (4)
  • b (5)
NatDetect
The latest result of the NAT detection performed with the peer. Possible values: local(1), -- local NAT detected remote(2), -- remote NAT detected both(3), -- local and remote NAT detected none(4), -- no NAT present unknown(8) -- NAT detection not performed or not finished.

Enumerations:

  • local (1)
  • remote (2)
  • both (3)
  • none (4)
  • unknown (8)
NatTLocalPort
The local port currently usd for NAT-T IKE and ESP SAs with this Peer.

Range: 0 to 65535

NatTRemotePort
The remote port currently usd for NAT-T IKE and ESP SAs with this Peer.

Range: 0 to 65535

Mtu
The current MTU of this peer. This value is copied to ifMtu if ipsecPeerVirtualInterface is set to enabled.

Range: 0 to 65535

Type
The type of the peer. Dynamic peer entries are duplicated whenever an incoming IKE request matches the ID and/or address information of the remote side. Note: - For traffic list peers the duplication also includes the traffic list entries configured for this peer entry. - For virtual interface peers, host routes will be added for the peer address automatically. Possible values: fixed(1), -- only one peer allowed for this entry dynamic_client(2) -- duplicated for each incoming client.

Enumerations:

  • fixed (1)
  • dynamic-client (2)
RxIdle
The time period for which no packet has been received from this peer.
TxIdle
The time period for which no packet has been transmitted to this peer.
DPD
The type of Dead Peer Detection (DPD) currently active for this peer. Possible values: none(1) -- DPD not active v1(2) -- DPD Version 1 active v1-idle(3) -- DPD Version 1 in idle mode active.

Enumerations:

  • none (1)
  • v1 (2)
  • v1-idle (3)
DPDRetries
The nuber of DPD retries currently sent without reply.
DynAddrPoolId
Identifier of Dynamic Address Pool if IP address is assigned via IKE Configuration Method. A value of -1 means that no Pool is assigned.

Range: -1 to 65535

DynAddrLocalIp
The local IP address used in the IKE communication when remote IP address is taken from IP address pool.


MIB Reference to Software Version 7.6.2 generated on 2008/03/07. Provided by webmaster@funkwerk-ec.com
Copyright ©2008 by Funkwerk Enterprise Communications GmbH