--
-- * $Source$
-- *------------------------------------------------------------------
-- * CISCO-IPSEC-MIB.my: IOS-Specific IPSec Configuration
-- Monitoring MIB
-- *
-- * April 2000, S Ramakrishnan
-- *
-- * Copyright (c) 2000 by cisco Systems, Inc.
-- * All rights reserved.
-- *
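-- *------------------------------------------------------------------

CISCO-IPSEC-MIB DEFINITIONS ::= BEGIN

-- PREFACE:
--   CISCO-IPSEC MIB Module defines Cisco
--   implementation-specific metrics
--   useful in managing IPsec VPNs on
--   Cisco boxes. This is to be used as a
--   supplement to the standard IPsec MIB
--   proposed by Cisco.

-- DISCLAIMER:
--   Caution. This MIB is temporary and experimental.
--   In the future it will be removed from products,
--   perhaps with short notice, in favor of more standard
--   or generic MIBs. Application developers should not
--   depend on long-term access to this MIB.

-- RELATIONSHIP TO CLI:
--   Information contained in all the MIB elements defined
--   in this module are affected by CLI operations, EXCEPT
--   where it is explicitly noted to the contrary.

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    NOTIFICATION-TYPE,
    Counter32,
    Gauge32,
    Integer32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    DisplayString,
    TruthValue,
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    ifIndex
        FROM IF-MIB
--      FROM RFC1213-MIB
    ciscoExperiment
        FROM CISCO-SMI;

-- Module identity. The module is rooted under ciscoExperiment, which
-- matches the DISCLAIMER above: pollers should not assume these OIDs
-- are stable across releases.
ciscoIPsecMIB MODULE-IDENTITY
    LAST-UPDATED    "200008071139Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
        "        Cisco Systems
                 Enterprise Business Management Unit

         Postal: 170 W Tasman Drive
                 San Jose, CA 95134
                 USA

            Tel: +1 800 553-NETS

         E-mail: cs-ipsecurity@cisco.com"
    DESCRIPTION
        "The MIB module for modeling Cisco-specific
         IPsec attributes

         Overview of Cisco IPsec MIB

         MIB description

         This MIB models the Cisco implementation-specific
         attributes of a Cisco entity that implements IPsec.
         This MIB is complementary to the standard IPsec MIB
         proposed jointly by Tivoli and Cisco.

         The ciscoIPsec MIB provides the operational information
         on Cisco's IPsec tunnelling implementation.
         The following entities are managed:
          1) ISAKMP Group:
             a) ISAKMP global parameters
             b) ISAKMP Policy Table
          2) IPSec Group:
             a) IPSec Global Parameters
             b) IPSec Global Traffic Parameters
             c) Cryptomap Group
                - Cryptomap Set Table
                - Cryptomap Table
                - CryptomapSet Binding Table
          3) System Capacity & Capability Group:
             a) Capacity Parameters
             b) Capability Parameters
          4) Trap Control Group
          5) Notifications Group"
    ::= { ciscoExperiment 62 }

--
-- Textual Conventions
--

-- SA lifetime in seconds; the range bounds it between 2 minutes and 1 day.
CIPsecLifetime ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "Value in units of seconds"
    SYNTAX      Gauge32 (120..86400)

-- SA lifesize (traffic volume before rekey) in kilobytes.
CIPsecLifesize ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "Value in units of kilobytes"
    SYNTAX      Gauge32 (2560..536870912)

CIPsecNumCryptoMaps ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "Integral units representing count of cryptomaps"
    SYNTAX      Gauge32 (0..2147483647)

CryptomapType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The type of a cryptomap entry. Cryptomap
         is a unit of IOS IPSec policy specification."
    SYNTAX      INTEGER {
                    cryptomapTypeNONE(0),
                    cryptomapTypeMANUAL(1),
                    cryptomapTypeISAKMP(2),
                    cryptomapTypeCET(3),
                    cryptomapTypeDYNAMIC(4),
                    cryptomapTypeDYNAMICDISCOVERY(5)
                }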
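-- Binding state of a cryptomap set on an interface. Per the DESCRIPTION
-- the only SET value that succeeds is 'detached'.
CryptomapSetBindStatus ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The status of the binding of a cryptomap set
         to the specified interface. The value when queried
         is always 'attached'. When set to 'detached', the
         cryptomap set is detached from the specified interface.
         Setting the value to 'attached' will result in
         SNMP General Error."
    SYNTAX      INTEGER {
                    unknown(0),
                    attached(1),
                    detached(2)
                }

IPSIpAddress ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An IP V4 or V6 Address."
    SYNTAX      OCTET STRING (SIZE (4 | 16))
                -- IP V4 or V6 Address

-- Security note: md5 and sha are the only hash transforms this
-- enumeration can report ('sha' is presumably SHA-1; confirm against
-- the agent). A poller can use values of this type to flag ISAKMP
-- policies that still rely on MD5.
IkeHashAlgo ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The hash algorithm used in IPsec Phase-1
         IKE negotiations."
    SYNTAX      INTEGER {
                    none(1),
                    md5(2),
                    sha(3)
                }

IkeAuthMethod ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The authentication method used in IPsec Phase-1 IKE
         negotiations."
    SYNTAX      INTEGER {
                    none(1),
                    preSharedKey(2),
                    rsaSig(3),
                    rsaEncrypt(4),
                    revPublicKey(5)
                }

IkeIdentityType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The type of identity used by the local entity to
         identify itself to the peer with which it performs
         IPSec Main Mode negotiations. This type decides the
         content of the Identification payload in the
         Main Mode of IPSec tunnel setup."
    SYNTAX      INTEGER {
                    isakmpIdTypeUNKNOWN(0),
                    isakmpIdTypeADDRESS(1),
                    isakmpIdTypeHOSTNAME(2)
                }

-- Security note: only Oakley groups 1 and 2 (768-bit and 1024-bit MODP)
-- are representable here. Both are below current key-strength guidance,
-- so monitoring should report which group each policy uses rather than
-- treat any non-'none' value as acceptable.
DiffHellmanGrp ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The Diffie Hellman Group used in negotiations."
    SYNTAX      INTEGER {
                    none(1),
                    dhGroup1(2),
                    dhGroup2(3)
                }

-- Security note: des(2) is single DES with a 56-bit key. A policy
-- audit built on this MIB should flag des(2) and none(1).
EncryptAlgo ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used in negotiations."
    SYNTAX      INTEGER {
                    none(1),
                    des(2),
                    des3(3)
                }

TrapStatus ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The administrative status for sending a TRAP."
    SYNTAX      INTEGER {
                    enabled(1),
                    disabled(2)
                }

-- Objects, Notifications & Conformances

ciscoIPsecMIBObjects            OBJECT IDENTIFIER ::= { ciscoIPsecMIB 1 }
ciscoIPsecMIBNotificationPrefix OBJECT IDENTIFIER ::= { ciscoIPsecMIB 2 }
ciscoIPsecMIBConformance        OBJECT IDENTIFIER ::= { ciscoIPsecMIB 3 }

--
-- Cisco IPSec MIB Object Groups
--
-- This MIB module contains the following groups:
-- 1) Cisco ISAKMP Group
-- 2) Cisco IPSec Group
-- 2a) Cisco IPSec Global Parameters
-- 2b) Cisco IPSec Statistics
-- 2c) Cisco IPSec Cryptomap Group
-- (i) Statically Defined Cryptomap Sets
-- (ii) Wild-carded Cryptomap Sets (Dynamic templates)
-- 3) Cisco IPsec Notifications Group
-- 4) Module Conformance
--

cipsIsakmpGroup   OBJECT IDENTIFIER ::= { ciscoIPsecMIBObjects 1 }
cipsIPsecGroup    OBJECT IDENTIFIER ::= { ciscoIPsecMIBObjects 2 }
cipsIPsecGlobals  OBJECT IDENTIFIER ::= { cipsIPsecGroup 1 }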
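cipsIPsecStatistics  OBJECT IDENTIFIER ::= { cipsIPsecGroup 2 }
cipsCryptomapGroup   OBJECT IDENTIFIER ::= { cipsIPsecGroup 3 }
cipsSysCapacityGroup OBJECT IDENTIFIER ::= { ciscoIPsecMIBObjects 3 }
cipsTrapCntlGroup    OBJECT IDENTIFIER ::= { ciscoIPsecMIBObjects 4 }

--
--
-- IOS ISAKMP Configuration Section
--
--

cipsIsakmpEnabled OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of this object is TRUE if ISAKMP
         has been enabled on the managed entity. Otherwise
         the value of this object is FALSE."
    ::= { cipsIsakmpGroup 1 }

cipsIsakmpIdentity OBJECT-TYPE
    SYNTAX      IkeIdentityType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of this object shows the type of
         identity used by the managed entity in ISAKMP
         negotiations with another peer."
    ::= { cipsIsakmpGroup 2 }

cipsIsakmpKeepaliveInterval OBJECT-TYPE
    SYNTAX      Integer32 (10..3600)
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of this object is time interval in
         seconds between successive ISAKMP keepalive
         heartbeats issued to the peers to which IKE
         tunnels have been setup."
    ::= { cipsIsakmpGroup 3 }

-- NOTE(review): the range starts at 1, so an entity with no ISAKMP
-- policy configured cannot report zero. Confirm whether a default
-- policy always exists on the agent.
cipsNumIsakmpPolicies OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of this object is the number of
         ISAKMP policies that have been configured on the
         managed entity."
    ::= { cipsIsakmpGroup 4 }

--
-- Cisco ISAKMP Policy Entries
--

-- The policy table is read-only through SNMP. It exposes the Phase-1
-- transform choices (encryption, hash, authentication, DH group) of
-- every configured policy, so read access to it discloses the
-- device's IKE posture and should be limited to the management
-- station.
cipsIsakmpPolicyTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CipsIsakmpPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table containing the list of all
         ISAKMP policy entries configured by the operator."
    ::= { cipsIsakmpGroup 5 }

cipsIsakmpPolicyEntry OBJECT-TYPE
    SYNTAX      CipsIsakmpPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes
         associated with a single ISAKMP
         Policy entry."
    INDEX       { cipsIsakmpPolPriority }
    ::= { cipsIsakmpPolicyTable 1 }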
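-- Row layout of cipsIsakmpPolicyTable, indexed by policy priority.
CipsIsakmpPolicyEntry ::= SEQUENCE {
    cipsIsakmpPolPriority   Integer32,
    cipsIsakmpPolEncr       EncryptAlgo,
    cipsIsakmpPolHash       IkeHashAlgo,
    cipsIsakmpPolAuth       IkeAuthMethod,
    cipsIsakmpPolGroup      DiffHellmanGrp,
    cipsIsakmpPolLifetime   Integer32
}

cipsIsakmpPolPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority of this ISAKMP Policy entry.
         This is also the index of this table."
    ::= { cipsIsakmpPolicyEntry 1 }

-- Audit hint: the four transform columns below are what a compliance
-- poller needs to read per policy row to detect weak Phase-1 settings.
cipsIsakmpPolEncr OBJECT-TYPE
    SYNTAX      EncryptAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encryption transform specified by this
         ISAKMP policy specification. The Internet Key Exchange
         (IKE) tunnels setup using this policy item would
         use the specified encryption transform to protect the
         ISAKMP PDUs."
    ::= { cipsIsakmpPolicyEntry 2 }

cipsIsakmpPolHash OBJECT-TYPE
    SYNTAX      IkeHashAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The hash transform specified by this
         ISAKMP policy specification. The IKE tunnels
         setup using this policy item would use the
         specified hash transform to protect the
         ISAKMP PDUs."
    ::= { cipsIsakmpPolicyEntry 3 }

cipsIsakmpPolAuth OBJECT-TYPE
    SYNTAX      IkeAuthMethod
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The peer authentication method specified by
         this ISAKMP policy specification. If this policy
         entity is selected for negotiation with a peer,
         the local entity would authenticate the peer using
         the method specified by this object."
    ::= { cipsIsakmpPolicyEntry 4 }

cipsIsakmpPolGroup OBJECT-TYPE
    SYNTAX      DiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object specifies the Oakley group used
         for Diffie Hellman exchange in the Main Mode.
         If this policy item is selected to negotiate
         Main Mode with an IKE peer, the local entity
         chooses the group specified by this object to
         perform Diffie Hellman exchange with the
         peer."
    ::= { cipsIsakmpPolicyEntry 5 }

cipsIsakmpPolLifetime OBJECT-TYPE
    SYNTAX      Integer32 (60..86400)
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object specifies the lifetime in seconds
         of the IKE tunnels generated using this
         policy specification."
    ::= { cipsIsakmpPolicyEntry 6 }

--
-- Cisco IPsec Global Configuration Group
--

cipsSALifetime OBJECT-TYPE
    SYNTAX      CIPsecLifetime
    UNITS       "Seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The default lifetime (in seconds) assigned
         to an SA as a global policy (maybe overridden
         in specific cryptomap definitions)."
    ::= { cipsIPsecGlobals 1 }

cipsSALifesize OBJECT-TYPE
    SYNTAX      CIPsecLifesize
    UNITS       "KBytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The default lifesize in KBytes assigned to an SA
         as a global policy (unless overridden in cryptomap
         definition)"
    ::= { cipsIPsecGlobals 2 }

cipsNumStaticCryptomapSets OBJECT-TYPE
    SYNTAX      CIPsecNumCryptoMaps
    UNITS       "Integral Units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of Cryptomap Sets that are fully
         configured. Statically defined cryptomap sets
         are ones where the operator has fully specified
         all the parameters required to set up IPSec
         Virtual Private Networks (VPNs)."
    ::= { cipsIPsecGlobals 3 }

cipsNumCETCryptomapSets OBJECT-TYPE
    SYNTAX      CIPsecNumCryptoMaps
    UNITS       "Integral Units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of static Cryptomap Sets that have
         at least one CET cryptomap element
         as a member of the set."
    ::= { cipsIPsecGlobals 4 }

cipsNumDynamicCryptomapSets OBJECT-TYPE
    SYNTAX      CIPsecNumCryptoMaps
    UNITS       "Integral Units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of dynamic IPSec Policy templates
         (called 'dynamic cryptomap templates') configured
         on the managed entity."
    ::= { cipsIPsecGlobals 5 }

cipsNumTEDCryptomapSets OBJECT-TYPE
    SYNTAX      CIPsecNumCryptoMaps
    UNITS       "Integral Units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of static Cryptomap Sets that have
         at least one dynamic cryptomap template
         bound to them which has the Tunnel Endpoint Discovery
         (TED) enabled."
    ::= { cipsIPsecGlobals 6 }

--
-- Cisco IPsec Cryptomap Statistics Group
--

-- The three TED counters are Counter32 values counted since bootup, so
-- a poller should work with deltas and expect a reset after a reload.
cipsNumTEDProbesReceived OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral Units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of TED probes that were received by this
         managed entity since bootup. Not affected by any
         CLI operation."
    ::= { cipsIPsecStatistics 1 }

cipsNumTEDProbesSent OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral Units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of TED probes that were dispatched by all
         the dynamic cryptomaps in this managed entity since
         bootup. Not affected by any CLI operation."
    ::= { cipsIPsecStatistics 2 }

cipsNumTEDFailures OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Integral Units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of TED probes that were dispatched by
         the local entity and that failed to locate crypto
         endpoint. Not affected by any CLI operation."
    ::= { cipsIPsecStatistics 3 }

--
-- Cisco IPsec System Capacity/Capability Group
--

-- A value of 0 means "no limit", not "no SAs": threshold logic built on
-- this object must special-case it.
cipsMaxSAs OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    UNITS       "Integral Units"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The maximum number of IPsec Security Associations
         that can be established on this managed entity.
         If no theoretical limit exists, this
         returns value 0.
         Not affected by any CLI operation."
    ::= { cipsSysCapacityGroup 1 }

cips3DesCapable OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of this object is TRUE if the
         managed entity has the hardware and software
         features to support 3DES encryption algorithm.
         Not affected by any CLI operation."
    ::= { cipsSysCapacityGroup 2 }

--
-- IOS IPSec Configuration Group
--
--
-- Cisco IPSec Static Cryptomaps Metrics
--

cipsStaticCryptomapSetTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CipsStaticCryptomapSetEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table containing the list of all
         cryptomap sets that are fully specified
         and are not wild-carded.

         The operator may include different types of
         cryptomaps in such a set - manual, CET,
         ISAKMP or dynamic."
    ::= { cipsCryptomapGroup 1 }

cipsStaticCryptomapSetEntry OBJECT-TYPE
    SYNTAX      CipsStaticCryptomapSetEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes
         associated with a single static
         cryptomap set."
    INDEX       { cipsStaticCryptomapSetName }
    ::= { cipsStaticCryptomapSetTable 1 }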
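-- Row layout of cipsStaticCryptomapSetTable, indexed by the set name.
CipsStaticCryptomapSetEntry ::= SEQUENCE {
    cipsStaticCryptomapSetName          DisplayString,
    cipsStaticCryptomapSetSize          Gauge32,
    cipsStaticCryptomapSetNumIsakmp     Gauge32,
    cipsStaticCryptomapSetNumManual     Gauge32,
    cipsStaticCryptomapSetNumCET        Gauge32,
    cipsStaticCryptomapSetNumDynamic    Gauge32,
    cipsStaticCryptomapSetNumDisc       Gauge32,
    cipsStaticCryptomapSetNumSAs        Gauge32
}

cipsStaticCryptomapSetName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index of the static cryptomap table. The value
         of the string is the name string assigned by the
         operator in defining the cryptomap set."
    ::= { cipsStaticCryptomapSetEntry 1 }

cipsStaticCryptomapSetSize OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of cryptomap entries contained in
         this cryptomap set."
    ::= { cipsStaticCryptomapSetEntry 2 }

cipsStaticCryptomapSetNumIsakmp OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of cryptomaps associated with this
         cryptomap set that use ISAKMP protocol to do key
         exchange."
    ::= { cipsStaticCryptomapSetEntry 3 }

-- Audit hint: a non-zero value means the set contains entries whose
-- keys and SPIs were entered by hand, i.e. they are not negotiated by
-- ISAKMP. Such entries are worth listing in a key-management review.
cipsStaticCryptomapSetNumManual OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of cryptomaps associated with this
         cryptomap set that require the operator to manually
         setup the keys and SPIs."
    ::= { cipsStaticCryptomapSetEntry 4 }

cipsStaticCryptomapSetNumCET OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of cryptomaps of type 'ipsec-cisco'
         associated with this cryptomap set. Such
         cryptomap elements implement Cisco Encryption Technology
         based Virtual Private Networks."
    ::= { cipsStaticCryptomapSetEntry 5 }

cipsStaticCryptomapSetNumDynamic OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of dynamic cryptomap templates
         linked to this cryptomap set."
    ::= { cipsStaticCryptomapSetEntry 6 }

cipsStaticCryptomapSetNumDisc OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of dynamic cryptomap templates
         linked to this cryptomap set that have Tunnel Endpoint
         Discovery (TED) enabled."
    ::= { cipsStaticCryptomapSetEntry 7 }

cipsStaticCryptomapSetNumSAs OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of IPsec Security Associations
         that are active and were setup using this cryptomap."
    ::= { cipsStaticCryptomapSetEntry 8 }

--
-- Cisco IPSec Dynamic Cryptomaps Group
--

cipsDynamicCryptomapSetTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CipsDynamicCryptomapSetEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table containing the list of all dynamic
         cryptomaps that use IKE, defined on
         the managed entity."
    ::= { cipsCryptomapGroup 2 }

cipsDynamicCryptomapSetEntry OBJECT-TYPE
    SYNTAX      CipsDynamicCryptomapSetEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated
         with a single dynamic cryptomap template."
    INDEX       { cipsDynamicCryptomapSetName }
    ::= { cipsDynamicCryptomapSetTable 1 }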
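-- Row layout of cipsDynamicCryptomapSetTable, indexed by template name.
CipsDynamicCryptomapSetEntry ::= SEQUENCE {
    cipsDynamicCryptomapSetName         DisplayString,
    cipsDynamicCryptomapSetSize         Gauge32,
    cipsDynamicCryptomapSetNumAssoc     Gauge32
}

cipsDynamicCryptomapSetName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index of the dynamic cryptomap table.
         The value of the string is the one assigned
         by the operator in defining the cryptomap set."
    ::= { cipsDynamicCryptomapSetEntry 1 }

cipsDynamicCryptomapSetSize OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of cryptomap entries in this cryptomap."
    ::= { cipsDynamicCryptomapSetEntry 2 }

cipsDynamicCryptomapSetNumAssoc OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of static cryptomap sets with which
         this dynamic cryptomap is associated."
    ::= { cipsDynamicCryptomapSetEntry 3 }

--
-- Cisco IPSec Static Cryptomap Table
--

cipsStaticCryptomapTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CipsStaticCryptomapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table listing the member cryptomaps
         of the cryptomap sets that are configured
         on the managed entity."
    ::= { cipsCryptomapGroup 3 }

-- Rows are indexed by the parent set name (borrowed from
-- cipsStaticCryptomapSetTable) and then by the entry's priority.
cipsStaticCryptomapEntry OBJECT-TYPE
    SYNTAX      CipsStaticCryptomapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes
         associated with a single static
         (fully specified) cryptomap entry.
         This table does not include the members
         of dynamic cryptomap sets that may be
         linked with the parent static cryptomap set."
    INDEX       { cipsStaticCryptomapSetName, -- from Cryptomap Set Table
                  cipsStaticCryptomapPriority }
    ::= { cipsStaticCryptomapTable 1 }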
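-- Row layout of cipsStaticCryptomapTable.
CipsStaticCryptomapEntry ::= SEQUENCE {
    cipsStaticCryptomapPriority     Integer32,
    cipsStaticCryptomapType         CryptomapType,
    cipsStaticCryptomapDescr        DisplayString,
    cipsStaticCryptomapPeer         IPSIpAddress,
    cipsStaticCryptomapNumPeers     Integer32,
    cipsStaticCryptomapPfs          DiffHellmanGrp,
    cipsStaticCryptomapLifetime     Integer32,
    cipsStaticCryptomapLifesize     Integer32,
    cipsStaticCryptomapLevelHost    TruthValue
}

cipsStaticCryptomapPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority of the cryptomap entry in the
         cryptomap set. This is the second index component
         of this table."
    ::= { cipsStaticCryptomapEntry 1 }

cipsStaticCryptomapType OBJECT-TYPE
    SYNTAX      CryptomapType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the cryptomap entry. This can be an ISAKMP
         cryptomap, CET or manual. Dynamic cryptomaps are not
         counted in this table."
    ::= { cipsStaticCryptomapEntry 2 }

-- Free-form operator text: a management application should treat the
-- value as untrusted display data when rendering or logging it.
cipsStaticCryptomapDescr OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The description string entered by the operator
         while creating this cryptomap. The string generally
         identifies a description and the purpose of this
         policy."
    ::= { cipsStaticCryptomapEntry 3 }

cipsStaticCryptomapPeer OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the current peer associated with
         this IPSec policy item. Traffic that is protected by
         this cryptomap is protected by a tunnel that terminates
         at the device whose IP address is specified by this
         object."
    ::= { cipsStaticCryptomapEntry 4 }

cipsStaticCryptomapNumPeers OBJECT-TYPE
    SYNTAX      Integer32 (0..40)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of peers associated with this cryptomap
         entry. The peers other than the one identified by
         'cipsStaticCryptomapPeer' are backup peers.

         Manual cryptomaps may have only one peer."
    ::= { cipsStaticCryptomapEntry 5 }

-- Audit hint: the value none(1) of DiffHellmanGrp presumably reports
-- that PFS is not requested for this entry (confirm against the
-- agent); dhGroup1 and dhGroup2 report which Oakley group rekeys use.
cipsStaticCryptomapPfs OBJECT-TYPE
    SYNTAX      DiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object identifies if the tunnels instantiated
         due to this policy item should use Perfect Forward Secrecy
         (PFS) and if so, what group of Oakley they should use."
    ::= { cipsStaticCryptomapEntry 6 }

-- Zero is a sentinel for "inherit the global value", which is why the
-- range is written as 0 | 120..86400.
cipsStaticCryptomapLifetime OBJECT-TYPE
    SYNTAX      Integer32 (0 | 120..86400)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object identifies the lifetime of the IPSec
         Security Associations (SA) created using this IPSec policy
         entry. If this value is zero, the lifetime assumes the
         value specified by the global lifetime parameter."
    ::= { cipsStaticCryptomapEntry 7 }

-- NOTE(review): the DESCRIPTION says bytes, but the non-zero range is
-- identical to CIPsecLifesize, which is defined in kilobytes. Confirm
-- the unit before comparing this value with cipsSALifesize.
cipsStaticCryptomapLifesize OBJECT-TYPE
    SYNTAX      Integer32 (0 | 2560..536870912)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object identifies the lifesize (maximum traffic
         in bytes that may be carried) of the IPSec SAs
         created using this IPSec policy entry.
         If this value is zero, the lifesize assumes the
         value specified by the global lifesize parameter."
    ::= { cipsStaticCryptomapEntry 8 }

cipsStaticCryptomapLevelHost OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object identifies the granularity of the
         IPSec SAs created using this IPSec policy entry.
         If this value is TRUE, distinct SA bundles are created
         for distinct hosts at the end of the application traffic."
    ::= { cipsStaticCryptomapEntry 9 }

--
-- Cisco IPSec Cryptomap Set Binding Table
--

cipsCryptomapSetIfTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CipsCryptomapSetIfEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table lists the binding of cryptomap sets
         to the interfaces of the managed entity."
    ::= { cipsCryptomapGroup 4 }

-- Rows are indexed by ifIndex and the static cryptomap set name, so a
-- row exists only while a set is bound to that interface.
cipsCryptomapSetIfEntry OBJECT-TYPE
    SYNTAX      CipsCryptomapSetIfEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the record of
         the association between an interface
         and a cryptomap set (static) that is defined
         on the managed entity.

         Note that the cryptomap set identified in
         this binding must be static. Dynamic cryptomaps cannot
         be bound to interfaces."
    INDEX       { ifIndex, -- from IF table
                  cipsStaticCryptomapSetName }
    ::= { cipsCryptomapSetIfTable 1 }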
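-- Row layout of cipsCryptomapSetIfTable.
CipsCryptomapSetIfEntry ::= SEQUENCE {
    cipsCryptomapSetIfVirtual   TruthValue,
    cipsCryptomapSetIfStatus    CryptomapSetBindStatus
}

cipsCryptomapSetIfVirtual OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of this object identifies if the
         interface to which the cryptomap set is attached
         is a tunnel (such as a GRE or PPTP tunnel)."
    ::= { cipsCryptomapSetIfEntry 1 }

-- Security note: apart from the trap controls, this is the only
-- writable object in the module, and its SET changes device behaviour.
-- Writing 'detached' unbinds the cryptomap set from the interface,
-- which the DESCRIPTION equates with the CLI 'no crypto map' command,
-- so the IPsec policy of that set no longer applies on the interface.
-- Restrict write access to this column through the agent's SNMP access
-- control (write views, SNMPv3 with authentication and privacy rather
-- than a shared community string), and enable and monitor the
-- cipsCryptomapSetDetached notification.
-- NOTE(review): this column is not listed in any OBJECT-GROUP of this
-- module, so the compliance statement sets no MIN-ACCESS for it.
cipsCryptomapSetIfStatus OBJECT-TYPE
    SYNTAX      CryptomapSetBindStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object identifies the status of the binding
         of the specified cryptomap set with the specified
         interface. The value when queried is always 'attached'.
         When set to 'detached', the cryptomap set is detached
         from the specified interface. The effect of this is same
         as the CLI command
             config-if# no crypto map cryptomapSetName
         Setting the value to 'attached' will result in
         SNMP General Error."
    ::= { cipsCryptomapSetIfEntry 2 }

--
-- IOS-IPsec TRAP Control Group
--
-- This group of objects controls the sending of
-- IOS-specific IPsec TRAPs.
--

-- Security note: the trap controls are read-write and default to
-- 'disabled'. A manager that relies on these notifications to detect
-- policy changes has to enable them explicitly, and write access
-- should be restricted so they cannot be switched off unnoticed.
cipsCntlIsakmpPolicyAdded OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IOS IPsec ISAKMP Policy Add trap."
    DEFVAL      { disabled }
    ::= { cipsTrapCntlGroup 1 }

cipsCntlIsakmpPolicyDeleted OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IOS IPsec ISAKMP Policy Delete trap."
    DEFVAL      { disabled }
    ::= { cipsTrapCntlGroup 2 }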
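-- Read-write trap controls for cryptomap changes; each defaults to
-- 'disabled', so the matching notification is not sent until a manager
-- sets the object to 'enabled'.
cipsCntlCryptomapAdded OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IOS IPsec Cryptomap Add trap."
    DEFVAL      { disabled }
    ::= { cipsTrapCntlGroup 3 }

cipsCntlCryptomapDeleted OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IOS IPsec Cryptomap Delete trap."
    DEFVAL      { disabled }
    ::= { cipsTrapCntlGroup 4 }

cipsCntlCryptomapSetAttached OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IOS IPsec trap that is issued
         when a cryptomap set is attached to an interface."
    DEFVAL      { disabled }
    ::= { cipsTrapCntlGroup 5 }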
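-- Controls the notification for a cryptomap set being unbound from an
-- interface. It defaults to 'disabled'; a manager that wants to see
-- detach events has to enable it.
cipsCntlCryptomapSetDetached OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IOS IPsec trap that is issued
         when a cryptomap set is detached from an interface
         to which it was earlier bound."
    DEFVAL      { disabled }
    ::= { cipsTrapCntlGroup 6 }

cipsCntlTooManySAs OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IOS IPsec trap that is issued
         when the number of SAs crosses the maximum
         number of SAs that may be supported on
         the managed entity."
    DEFVAL      { disabled }
    ::= { cipsTrapCntlGroup 7 }

--
-- Cisco-specific IPSec Notifications
--

cipsMIBNotifications OBJECT IDENTIFIER
    ::= { ciscoIPsecMIBNotificationPrefix 0 }

-- The policy and cryptomap notifications below carry only counts and
-- types in their OBJECTS lists; which policy or set changed is carried
-- at most by the instance index of the varbinds, so a receiver should
-- re-poll the tables to learn what the new configuration is.
cipsIsakmpPolicyAdded NOTIFICATION-TYPE
    OBJECTS     {
                    cipsNumIsakmpPolicies
                }
    STATUS      current
    DESCRIPTION
        "This trap is generated when a new ISAKMP
         policy element is defined on the managed entity.
         The context of the event includes the updated
         number of ISAKMP policy elements currently available."
    ::= { cipsMIBNotifications 1 }

cipsIsakmpPolicyDeleted NOTIFICATION-TYPE
    OBJECTS     {
                    cipsNumIsakmpPolicies
                }
    STATUS      current
    DESCRIPTION
        "This trap is generated when an existing ISAKMP
         policy element is deleted on the managed entity.
         The context of the event includes the updated
         number of ISAKMP policy elements currently available."
    ::= { cipsMIBNotifications 2 }

cipsCryptomapAdded NOTIFICATION-TYPE
    OBJECTS     {
                    cipsStaticCryptomapType,
                    cipsStaticCryptomapSetSize
                }
    STATUS      current
    DESCRIPTION
        "This trap is generated when a new cryptomap is
         added to the specified cryptomap set."
    ::= { cipsMIBNotifications 3 }

cipsCryptomapDeleted NOTIFICATION-TYPE
    OBJECTS     {
                    cipsStaticCryptomapSetSize
                }
    STATUS      current
    DESCRIPTION
        "This trap is generated when a cryptomap is
         removed from the specified cryptomap set."
    ::= { cipsMIBNotifications 4 }

cipsCryptomapSetAttached NOTIFICATION-TYPE
    OBJECTS     {
                    cipsStaticCryptomapSetSize,
                    cipsStaticCryptomapSetNumIsakmp,
                    cipsStaticCryptomapSetNumDynamic
                }
    STATUS      current
    DESCRIPTION
        "A cryptomap set must be attached to an interface
         of the device in order for it to be operational.
         This trap is generated when the cryptomap set is
         attached to an active interface of the managed entity.
         The context of the notification includes:
         Size of the attached cryptomap set,
         Number of ISAKMP cryptomaps in the set and
         Number of Dynamic cryptomaps in the set."
    ::= { cipsMIBNotifications 5 }

-- Detection note: a detach event means the interface lost the IPsec
-- policy of that set, so this is the notification to alert on when
-- watching for unexpected loss of VPN protection.
cipsCryptomapSetDetached NOTIFICATION-TYPE
    OBJECTS     {
                    cipsStaticCryptomapSetSize
                }
    STATUS      current
    DESCRIPTION
        "This trap is generated when a cryptomap set is
         detached from an interface to which it was
         bound earlier. The context of the event identifies the
         size of the cryptomap set."
    ::= { cipsMIBNotifications 6 }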
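-- Sent when an SA setup is attempted while the active SA count is
-- already at the maximum; the only varbind is cipsMaxSAs.
cipsTooManySAs NOTIFICATION-TYPE
    OBJECTS     {
                    cipsMaxSAs
                }
    STATUS      current
    DESCRIPTION
        "This trap is generated when a new SA is attempted
         to be setup while the number of currently active SAs
         equals the maximum configurable. The variables are:
         cipsMaxSAs"
    ::= { cipsMIBNotifications 7 }

--
-- Cisco IPsec Module Compliance
--

cipsMIBConformances OBJECT IDENTIFIER ::= { ciscoIPsecMIBConformance 1 }
cipsMIBGroups       OBJECT IDENTIFIER ::= { ciscoIPsecMIBConformance 2 }

-- Compliance statement. Every trap control is given MIN-ACCESS
-- read-only, so an agent may expose the controls without accepting
-- SNMP writes to them and still be compliant.
-- NOTE(review): several objects defined in this module (for example
-- the ISAKMP policy columns commented out below, the per-entry
-- cryptomap columns and cipsCryptomapSetIfStatus) are not members of
-- any OBJECT-GROUP here, so this statement does not cover them.
cipsMIBCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for entities which
         implement the Cisco IPsec MIB"
    MODULE -- this module
        MANDATORY-GROUPS {
            cipsMIBConfIsakmpGroup,
            cipsMIBConfIPSecGlobalsGroup,
            cipsMIBConfCapacityGroup,
            cipsMIBStaticCryptomapGroup,
            cipsMIBMandatoryNotifCntlGroup
        }

        OBJECT      cipsCntlIsakmpPolicyAdded
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT      cipsCntlIsakmpPolicyDeleted
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT      cipsCntlCryptomapAdded
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT      cipsCntlCryptomapDeleted
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT      cipsCntlCryptomapSetAttached
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT      cipsCntlCryptomapSetDetached
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT      cipsCntlTooManySAs
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."
    ::= { cipsMIBConformances 1 }

--
-- MIB Groups (Units of Conformance)
--

cipsMIBConfIsakmpGroup OBJECT-GROUP
    OBJECTS     {
                    cipsIsakmpEnabled,
                    cipsIsakmpIdentity,
                    cipsIsakmpKeepaliveInterval,
                    cipsNumIsakmpPolicies
--                  cipsIsakmpPolPriority,
--                  cipsIsakmpPolEncr,
--                  cipsIsakmpPolHash,
--                  cipsIsakmpPolAuth,
--                  cipsIsakmpPolGroup,
--                  cipsIsakmpPolLifetime
                }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing Global
         ISAKMP policy monitoring capability to a
         Cisco IPsec capable VPN router."
    ::= { cipsMIBGroups 1 }

cipsMIBConfIPSecGlobalsGroup OBJECT-GROUP
    OBJECTS     {
                    cipsSALifetime,
                    cipsSALifesize
                }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing Global
         IPSec policy monitoring capability to a
         Cisco IPsec capable VPN router."
    ::= { cipsMIBGroups 2 }

cipsMIBConfCapacityGroup OBJECT-GROUP
    OBJECTS     {
                    cipsMaxSAs,
                    cips3DesCapable
                }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing IPsec
         System Capacity monitoring capability to
         a Cisco IPsec capable VPN router."
    ::= { cipsMIBGroups 3 }

cipsMIBStaticCryptomapGroup OBJECT-GROUP
    OBJECTS     {
                    cipsStaticCryptomapSetSize,
                    cipsStaticCryptomapSetNumIsakmp,
                    cipsStaticCryptomapSetNumCET,
                    cipsStaticCryptomapSetNumSAs
                }
    STATUS      current
    DESCRIPTION
        "A collection of objects instrumenting
         the properties of the Static (fully specified)
         Cryptomap Sets on an IPsec-capable
         IOS router."
    ::= { cipsMIBGroups 4 }

cipsMIBManualCryptomapGroup OBJECT-GROUP
    OBJECTS     {
                    cipsStaticCryptomapSetNumManual
                }
    STATUS      current
    DESCRIPTION
        "A collection of objects instrumenting
         the properties of the Manual Cryptomap entries
         on a Cisco IPsec capable IOS router."
    ::= { cipsMIBGroups 5 }

cipsMIBDynamicCryptomapGroup OBJECT-GROUP
    OBJECTS     {
                    cipsNumTEDProbesReceived,
                    cipsNumTEDProbesSent,
                    cipsNumTEDFailures,
--
                    cipsStaticCryptomapSetNumDynamic,
                    cipsStaticCryptomapSetNumDisc,
                    cipsNumTEDCryptomapSets,
                    cipsDynamicCryptomapSetSize,
                    cipsDynamicCryptomapSetNumAssoc
                }
    STATUS      current
    DESCRIPTION
        "A collection of objects instrumenting
         the properties of the Dynamic Cryptomap group
         on a Cisco IPsec capable IOS router."
    ::= { cipsMIBGroups 6 }

cipsMIBMandatoryNotifCntlGroup OBJECT-GROUP
    OBJECTS     {
                    cipsCntlIsakmpPolicyAdded,
                    cipsCntlIsakmpPolicyDeleted,
                    cipsCntlCryptomapAdded,
                    cipsCntlCryptomapDeleted,
                    cipsCntlCryptomapSetAttached,
                    cipsCntlCryptomapSetDetached,
                    cipsCntlTooManySAs
                }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing IPsec
         Notification capability to a IPsec-capable
         IOS router. It is mandatory to implement
         this set of objects pertaining to
         IOS notifications about IPSec activity."
    ::= { cipsMIBGroups 7 }

-- The notification group below is commented out in the original
-- module (NOTIFICATION-GROUP is not imported), so the notifications
-- defined above belong to no conformance group.
--cipsMIBOptionalNotificationGroup NOTIFICATION-GROUP
-- NOTIFICATIONS {
-- cipsIsakmpPolicyAdded,
-- cipsIsakmpPolicyDeleted,
-- cipsCryptomapAdded,
-- cipsCryptomapDeleted,
-- cipsCryptomapSetAttached,
-- cipsCryptomapSetDetached,
-- cipsTooManySAs
-- }
-- STATUS current
-- DESCRIPTION
-- "A collection of objects providing IPsec
-- Notification capability to a IPsec-capable
-- IOS router. This set of notifications is optional."
-- ::= { cipsMIBGroups 8 }

END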