-- *------------------------------------------------------------------
-- * CISCO-ENHANCED-IPSEC-FLOW-MIB.my:
-- * Enhanced IPsec Flow Monitoring MIB.
-- *
-- * August 2004, S Ramakrishnan, John Fan
-- *
-- * Copyright (c) 2004 by cisco Systems, Inc.
-- * All rights reserved.
-- *------------------------------------------------------------------

CISCO-ENHANCED-IPSEC-FLOW-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
    Counter32, Counter64, Gauge32, Unsigned32
        FROM SNMPv2-SMI
    TimeStamp, TimeInterval, TruthValue
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
        FROM SNMPv2-CONF
    InetAddressType, InetAddress
        FROM INET-ADDRESS-MIB
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    CiscoIpProtocol, CiscoPort
        FROM CISCO-TC
    CIPsecEncryptionKeySize,
    CIPsecControlProtocol,
    CIPsecDiffHellmanGrp,
    CIPsecEncapMode,
    CIPsecEncryptAlgorithm,
    CIPsecSpi,
    CIPsecAuthAlgorithm,
    CIPsecCompAlgorithm,
    CIPsecEndPtType,
    CIPsecNATTraversalMode,
    CIPsecPhase1TunnelIndexOrZero,
    CIPsecPhase2TunnelIndex,
    CIPsecPhase2SaDirection,
    CIPsecProtocol,
    CIPsecPmtu,
    CIPsecTunnelStatus
        FROM CISCO-IPSEC-TC
    ciscoMgmt
        FROM CISCO-SMI
    ifIndex, InterfaceIndex
        FROM IF-MIB;

ciscoEnhancedIpsecFlowMIB MODULE-IDENTITY
    LAST-UPDATED    "200501120000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
        "
        Cisco Systems
        Customer Service
        Postal: 170 W Tasman Drive
        San Jose, CA 95134
        USA
        Tel: +1 800 553-NETS
        E-mail: cs-ipsecmib@external.cisco.com
        "
    DESCRIPTION
        "
        This is a MIB Module for monitoring the structures
        and status of IPSec-based networks. The MIB has been
        designed to be adopted as an IETF standard. Hence
        vendor-specific features of IPSec protocol are excluded
        from this MIB.

        Acronyms
        The following acronyms are used in this document:

        IPsec:  Secure IP Protocol
        VPN:    Virtual Private Network
        ISAKMP: Internet Security Association and Key Exchange
                Protocol
        IKE:    Internet Key Exchange Protocol
        SA:     Security Association
                (ref: rfc2408).
        SPI:    Security Parameter Index is the pointer or
                identifier used in accessing SA attributes
                (ref: rfc2408).
        MM:     Main Mode - the process of setting up
                a Phase 1 SA to secure the exchanges
                required to setup Phase 2 SAs
        QM:     Quick Mode - the process of setting up
                Phase 2 Security Associations using
                a Phase 1 SA.

        Phase 1 Tunnel:
                An ISAKMP SA can be regarded as representing
                a flow of ISAKMP/IKE traffic. Hence an ISAKMP SA
                is referred to as a 'Phase 1 Tunnel' in this
                document.
        Control Tunnel:
                Another term for a Phase 1 Tunnel.
        Phase 2 Tunnel:
                An instance of a non-ISAKMP SA bundle in which all
                the SAs share the same proxy identifiers (IDii,IDir)
                and protect the same stream of application traffic.
                Such an SA bundle is termed a 'Phase 2 Tunnel'.
                Note that a Phase 2 tunnel may comprise different
                SA bundles and different number of SA bundles at
                different times (due to key refresh).
        MTU:
                Maximum Transmission Unit (of an IPsec tunnel).

        History of the MIB
        A precursor to this MIB was written by Tivoli and implemented
        in IBM Nways routers in 1999. During late 1999, Cisco adopted
        the MIB and together with Tivoli published the IPsec Flow
        Monitor MIB in IETF IPsec WG in
        draft-ietf-ipsec-flow-monitoring-mib-00.txt. In 2000, the
        MIB was Cisco-ized and implemented this draft as
        CISCO-IPSEC-FLOW-MONITOR-MIB in IOS and VPN3000 platforms.
        With the evolution of IKEv2, the MIB was modified and
        presented to the IPsec WG again in May 2003 in
        draft-ietf-ipsec-flow-monitoring-mib-02.txt.
        With the emergence of multiple IPsec signaling protocols,
        it became apparent that the signaling aspects of IPsec
        need to be instrumented separately in their own right.
        Thus, the IPsec control attributes and metrics were
        separated out into CISCO-IPSEC-SIGNALING-MIB and
        CISCO-IKE-FLOW-MIB.
        This version of the draft is the version of the draft
        that models the IPsec data protocol, structures and
        activity alone.

        Overview of MIB
        The MIB contains four major groups of objects which are
        used to manage the IPsec Protocol. These groups include
        a Levels Group, a Phase-1 Group, a Phase-2 Group,
        a History Group, a Failure Group and a TRAP Control Group.
        The following table illustrates the structure of the
        IPsec MIB.
        The Phase 2 group models objects pertaining to
        IPsec data tunnels.
        The History group is to aid applications that do
        trending analysis.
        The Failure group is to enable an operator to
        do troubleshooting and debugging of the VPN Router.
        Further, counters are supported to aid detection
        of potential security violations.
        In addition to the three major MIB Groups, there are
        a number of Notifications. The following table
        illustrates the name and description of the
        IPsec TRAPs.
        "
    REVISION        "200501120000Z"
    DESCRIPTION
        "Added a new table, ceipSecTunnelSaTable"
    REVISION        "200408310000Z"
    DESCRIPTION
        "
        Initial version of this module.
        "
    ::= { ciscoMgmt 432 }

ciscoEnhancedIpsecFlowMIBNotifs OBJECT IDENTIFIER
    ::= { ciscoEnhancedIpsecFlowMIB 0 }

ciscoEnhancedIpsecFlowMIBObjects OBJECT IDENTIFIER
    ::= { ciscoEnhancedIpsecFlowMIB 1 }

ciscoEnhancedIpsecFlowMIBConform OBJECT IDENTIFIER
    ::= { ciscoEnhancedIpsecFlowMIB 2 }

ceipSecPhaseTwo OBJECT IDENTIFIER
    ::= { ciscoEnhancedIpsecFlowMIBObjects 1 }

ceipSecHistory OBJECT IDENTIFIER
    ::= { ciscoEnhancedIpsecFlowMIBObjects 2 }

ceipSecFailures OBJECT IDENTIFIER
    ::= { ciscoEnhancedIpsecFlowMIBObjects 3 }

ceipSecNotificationCntl OBJECT IDENTIFIER
    ::= { ciscoEnhancedIpsecFlowMIBObjects 5 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- IPsec Phase-2 Group
--
-- This group consists of:
-- 1) IPsec Phase-2 Global Statistics
-- 2) IPsec Phase-2 Tunnel Table
-- 3) IPsec Phase-2 Endpoint Table
-- 4) IPsec Phase-2 Security Protection Index Table
-- 4) IPsec Phase-2 Security Protection Index Objects
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Global Tunnel Statistics
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecGlobalStats OBJECT IDENTIFIER
    ::= { ceipSecPhaseTwo 1 }

ceipSecGlobalActiveTunnels OBJECT-TYPE
    SYNTAX      Gauge32
    UNITS       "Tunnels"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of currently active
        IPsec Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 1 }

ceipSecGlobalPreviousTunnels OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Tunnels"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of previously active
        IPsec Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 2 }

ceipSecGlobalInOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
        octets received by all current and previous
        IPsec Phase-2 Tunnels. This value is accumulated
        BEFORE determining whether or not the packet
        should be decompressed."
    ::= { ceipSecGlobalStats 3 }

ceipSecGlobalInDecompOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number
        of decompressed octets received by all current
        and previous IPsec Phase-2 Tunnels. This value
        is accumulated AFTER the packet is decompressed.
        If compression is not being used, this value
        will match the value of ceipSecGlobalInOctets."
    ::= { ceipSecGlobalStats 4 }

ceipSecGlobalInPkts OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received
        by all current and previous
        IPsec Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 5 }

ceipSecGlobalInDrops OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped
        during receive processing by all current and
        previous IPsec Phase-2 Tunnels. This count does
        NOT include packets dropped due to
        Anti-Replay processing."
    ::= { ceipSecGlobalStats 6 }

ceipSecGlobalInReplayDrops OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during
        receive processing due to Anti-Replay
        processing by all current and previous IPsec
        Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 7 }

ceipSecGlobalInAuths OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Events"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications
        performed by all current and previous IPsec
        Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 8 }

ceipSecGlobalInAuthFails OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications
        which ended in failure by all current and
        previous IPsec Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 9 }

ceipSecGlobalInDecrypts OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions
        performed by all current and previous IPsec
        Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 10 }

ceipSecGlobalInDecryptFails OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions
        which ended in failure by all current and
        previous IPsec Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 11 }

ceipSecGlobalOutOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number
        of octets sent by all current and previous
        IPsec Phase-2 Tunnels. This value is accumulated
        AFTER determining whether or not the packet should
        be compressed."
    ::= { ceipSecGlobalStats 12 }

ceipSecGlobalOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
        uncompressed octets sent by all current and previous
        IPsec Phase-2 Tunnels. This value is accumulated
        BEFORE the packet is compressed. If compression is
        not being used, this value will match the
        value of ceipSecGlobalOutOctets."
    ::= { ceipSecGlobalStats 13 }

ceipSecGlobalOutPkts OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by all
        current and previous IPsec Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 14 }

ceipSecGlobalOutDrops OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during send
        processing by all current and previous IPsec
        Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 15 }

ceipSecGlobalOutAuths OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Events"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications
        performed by all current and previous IPsec
        Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 16 }

ceipSecGlobalOutAuthFails OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications
        which ended in failure
        by all current and previous IPsec Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 17 }

ceipSecGlobalOutEncrypts OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions performed
        by all current and previous IPsec Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 18 }

ceipSecGlobalOutEncryptFails OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions
        which ended in failure by all current and
        previous IPsec Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 19 }

ceipSecGlobalProtocolUseFails OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of protocol use failures
        which occurred during processing of all current
        and previously active IPsec Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 20 }

ceipSecGlobalNoSaFails OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of non-existent Security
        Association in failures which occurred during
        processing of all current and previous IPsec
        Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 21 }

ceipSecGlobalSysCapFails OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of system capacity failures
        which occurred during processing of all current
        and previously active IPsec Phase-2 Tunnels."
    ::= { ceipSecGlobalStats 22 }

ceipSecGlobalOutCompressedPkts OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The cumulative number of outbound packets across all
        IPsec flows terminating at this device which were
        successfully compressed."
    ::= { ceipSecGlobalStats 23 }

ceipSecGlobalOutCompSkippedPkts OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets across all
        IPsec flows terminating at this device that were
        to be compressed but which were skipped due to
        the compression hysteresis."
    ::= { ceipSecGlobalStats 24 }

ceipSecGlobalOutCompFailPkts OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets across all IPsec
        flows terminating at this device that failed compression
        because they grew in size after compression."
    ::= { ceipSecGlobalStats 25 }

ceipSecGlobalOutCompTooSmallPkts OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets across all IPsec
        flows terminating at this device that were to be
        compressed but were smaller than the compression
        threshold size. This number is cumulative since the
        last system start."
    ::= { ceipSecGlobalStats 26 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Tunnel Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecTunnelTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CeipSecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel Table.
        There is one entry in this table for
        each active IPsec Phase-2 Tunnel."
    ::= { ceipSecPhaseTwo 2 }

ceipSecTunnelEntry OBJECT-TYPE
    SYNTAX      CeipSecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes
        associated with an active IPsec Phase-2 Tunnel."
    INDEX       { ceipSecTunIndex }
    ::= { ceipSecTunnelTable 1 }

CeipSecTunnelEntry ::= SEQUENCE {
    ceipSecTunIndex CIPsecPhase2TunnelIndex,
    ceipSecTunLocalAddressType InetAddressType,
    ceipSecTunLocalAddress InetAddress,
    ceipSecTunRemoteAddressType InetAddressType,
    ceipSecTunRemoteAddress InetAddress,
    ceipSecTunControlProtocol CIPsecControlProtocol,
    ceipSecTunControlTunnelIndex CIPsecPhase1TunnelIndexOrZero,
    ceipSecTunControlTunnelAlive TruthValue,
    ceipSecTunEncapMode CIPsecEncapMode,
    ceipSecTunNATTraversalMode CIPsecNATTraversalMode,
    ceipSecTunLifeSize Unsigned32,
    ceipSecTunLifeTime Unsigned32,
    ceipSecTunActiveTime TimeInterval,
    ceipSecTunSaLifeSizeThreshold Unsigned32,
    ceipSecTunSaLifeTimeThreshold Unsigned32,
    ceipSecTunTotalRefreshes Counter32,
    ceipSecTunExpiredSaInstances Counter32,
    ceipSecTunCurrentSaInstances Gauge32,
    ceipSecTunInSaDHGrp CIPsecDiffHellmanGrp,
    ceipSecTunInSaEncryptAlgo CIPsecEncryptAlgorithm,
    ceipSecTunInSaEncryptKeySize CIPsecEncryptionKeySize,
    ceipSecTunInSaAhAuthAlgo CIPsecAuthAlgorithm,
    ceipSecTunInSaEspAuthAlgo CIPsecAuthAlgorithm,
    ceipSecTunInSaDecompAlgo CIPsecCompAlgorithm,
    ceipSecTunOutSaDHGrp CIPsecDiffHellmanGrp,
    ceipSecTunOutSaEncryptAlgo CIPsecEncryptAlgorithm,
    ceipSecTunOutSaEncryptKeySize CIPsecEncryptionKeySize,
    ceipSecTunOutSaAhAuthAlgo CIPsecAuthAlgorithm,
    ceipSecTunOutSaEspAuthAlgo CIPsecAuthAlgorithm,
    ceipSecTunOutSaCompAlgo CIPsecCompAlgorithm,
    ceipSecTunPmtu CIPsecPmtu,
    ceipSecTunInOctets Counter64,
    ceipSecTunInDecompOctets Counter64,
    ceipSecTunInPkts Counter32,
    ceipSecTunInDropPkts Counter32,
    ceipSecTunInReplayDropPkts Counter32,
    ceipSecTunInAuths Counter32,
    ceipSecTunInAuthFails Counter32,
    ceipSecTunInDecrypts Counter32,
    ceipSecTunInDecryptFails Counter32,
    ceipSecTunOutOctets Counter64,
    ceipSecTunOutUncompOctets Counter64,
    ceipSecTunOutPkts Counter32,
    ceipSecTunOutDropPkts Counter32,
    ceipSecTunOutAuths Counter32,
    ceipSecTunOutAuthFails Counter32,
    ceipSecTunOutEncrypts Counter32,
    ceipSecTunOutEncryptFails Counter32,
    ceipSecTunOutCompressedPkts Counter32,
    ceipSecTunOutCompSkippedPkts Counter32,
    ceipSecTunOutCompFailPkts Counter32,
    ceipSecTunOutCompTooSmallPkts Counter32,
    ceipSecIfIndex InterfaceIndex,
    ceipSecTunStatus CIPsecTunnelStatus
}

ceipSecTunIndex OBJECT-TYPE
    SYNTAX      CIPsecPhase2TunnelIndex
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index of the IPsec Phase-2 Tunnel Table.
        The value of the index is a number which begins
        at 1 and is incremented with each tunnel that is
        created. The value of this object will wrap at
        2,147,483,647.
        Since this object must correspond to a valid
        Phase-2 IPsec tunnel, this object may not assume
        the value of 0."
    ::= { ceipSecTunnelEntry 1 }

ceipSecTunLocalAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address of the local endpoint
        for the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 2 }

ceipSecTunLocalAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the local endpoint
        for the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 3 }

ceipSecTunRemoteAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address of the remote
        endpoint for the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 4 }

ceipSecTunRemoteAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the remote endpoint for
        the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 5 }

ceipSecTunControlProtocol OBJECT-TYPE
    SYNTAX      CIPsecControlProtocol
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Identifies the protocol used to setup and
        administer this Phase-2 IPsec tunnel.
        In case this tunnel was spawned by an IPsec
        signaling protocol, this MIB object contains the
        value of the object 'cisgIpsSgProtocol' defined
        in CISCO-IPSEC-SIGNALING-MIB in the table
        'cisgIpsSgTunnelTable' in the row corresponding
        to the control tunnel.
        A value of 'cpManual' is indicative of a
        manually installed and administered Phase-2
        tunnel."
    ::= { ceipSecTunnelEntry 6 }

ceipSecTunControlTunnelIndex OBJECT-TYPE
    SYNTAX      CIPsecPhase1TunnelIndexOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the associated IPsec Phase-1
        Tunnel. In case this tunnel was spawned by an
        IPsec signaling protocol, this MIB object
        contains the value of the object 'cisgIpsSgTunIndex'
        defined in CISCO-IPSEC-SIGNALING-MIB in the table
        'cisgIpsSgTunnelTable' in the row corresponding to
        the control tunnel.
        A value of 0 identifies that this Phase-2 tunnel
        was setup manually."
    ::= { ceipSecTunnelEntry 7 }

ceipSecTunControlTunnelAlive OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "An indicator which specifies whether or not the
        IPsec Phase-1 Tunnel that spawned this Phase-2
        tunnel currently exists."
    ::= { ceipSecTunnelEntry 8 }

ceipSecTunEncapMode OBJECT-TYPE
    SYNTAX      CIPsecEncapMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encapsulation mode used by the
        IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 9 }

ceipSecTunNATTraversalMode OBJECT-TYPE
    SYNTAX      CIPsecNATTraversalMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encapsulation used by the IPsec Phase-2
        tunnel for NAT traversal.
        The value of this object is constrained based on
        the value of the column 'ceipSecTunEncapMode'. If
        the value of 'ceipSecTunEncapMode' is 'encapTransport',
        then this object may not assume the values
        'natEncapIPsecOverUdp' or 'natEncapIPsecOverTcp'."
    ::= { ceipSecTunnelEntry 10 }

ceipSecTunLifeSize OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    UNITS       "KBytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiated LifeSize of the
        IPsec Phase-2 Tunnel in kilobytes."
    ::= { ceipSecTunnelEntry 11 }

ceipSecTunLifeTime OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "Seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiated LifeTime of the IPsec Phase-2
        Tunnel in seconds.
        If the tunnel was setup manually, the value of this
        MIB element should be 0."
    ::= { ceipSecTunnelEntry 12 }

ceipSecTunActiveTime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of time the IPsec Phase-2
        Tunnel has been active in hundredths of seconds."
    ::= { ceipSecTunnelEntry 13 }

ceipSecTunSaLifeSizeThreshold OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "KBytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The security association LifeSize refresh
        threshold in kilobytes.
        If the tunnel was setup manually, the value of this
        MIB element should be 0."
    ::= { ceipSecTunnelEntry 14 }

ceipSecTunSaLifeTimeThreshold OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "Seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The security association LifeTime refresh
        threshold in seconds.
        If the tunnel was setup manually, the value of this
        MIB element should be 0."
    ::= { ceipSecTunnelEntry 15 }

ceipSecTunTotalRefreshes OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "QM Exchanges"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of security
        association refreshes performed."
    ::= { ceipSecTunnelEntry 16 }

ceipSecTunExpiredSaInstances OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SAs"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of security associations
        which have expired.
        If the tunnel was setup manually, the value of this
        MIB element should be 0."
    ::= { ceipSecTunnelEntry 17 }

ceipSecTunCurrentSaInstances OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of security associations
        which are currently active or expiring."
    ::= { ceipSecTunnelEntry 18 }

ceipSecTunInSaDHGrp OBJECT-TYPE
    SYNTAX      CIPsecDiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Diffie Hellman Group used
        by the inbound security association of the
        IPsec Phase-2 Tunnel.
        If the tunnel was setup manually, the value of this
        MIB element would be 'none'."
    ::= { ceipSecTunnelEntry 19 }

ceipSecTunInSaEncryptAlgo OBJECT-TYPE
    SYNTAX      CIPsecEncryptAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used by the inbound security
        association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 20 }

ceipSecTunInSaEncryptKeySize OBJECT-TYPE
    SYNTAX      CIPsecEncryptionKeySize
    UNITS       "Bits"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The key size in bits of the negotiated key to be
        used with the algorithm denoted by
        'ceipSecTunInSaEncryptAlgo'.
        For DES and 3DES the key size is respectively 56 and
        168. For AES, this will denote the negotiated key size."
    ::= { ceipSecTunnelEntry 21 }

ceipSecTunInSaAhAuthAlgo OBJECT-TYPE
    SYNTAX      CIPsecAuthAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the inbound
        authentication header (AH) security association of
        the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 22 }

ceipSecTunInSaEspAuthAlgo OBJECT-TYPE
    SYNTAX      CIPsecAuthAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the inbound
        encapsulation security protocol (ESP) security
        association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 23 }

ceipSecTunInSaDecompAlgo OBJECT-TYPE
    SYNTAX      CIPsecCompAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The decompression algorithm used by the inbound
        security association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 24 }

ceipSecTunOutSaDHGrp OBJECT-TYPE
    SYNTAX      CIPsecDiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Diffie Hellman Group used by the outbound security
        association of the IPsec Phase-2 Tunnel.
        If the tunnel was setup manually, the value of this
        MIB element would be 'none'."
    ::= { ceipSecTunnelEntry 25 }

ceipSecTunOutSaEncryptAlgo OBJECT-TYPE
    SYNTAX      CIPsecEncryptAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used by the outbound security
        association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 26 }

ceipSecTunOutSaEncryptKeySize OBJECT-TYPE
    SYNTAX      CIPsecEncryptionKeySize
    UNITS       "Bits"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The key size in bits of the negotiated key to be
        used with the algorithm denoted by
        'ceipSecTunOutSaEncryptAlgo'.
        For DES and 3DES the key size is respectively 56 and
        168. For AES, this will denote the negotiated key size."
    ::= { ceipSecTunnelEntry 27 }

ceipSecTunOutSaAhAuthAlgo OBJECT-TYPE
    SYNTAX      CIPsecAuthAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the outbound
        authentication header (AH) security association of
        the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 28 }

ceipSecTunOutSaEspAuthAlgo OBJECT-TYPE
    SYNTAX      CIPsecAuthAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the outbound
        encapsulation security protocol (ESP)
        security association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 29 }

ceipSecTunOutSaCompAlgo OBJECT-TYPE
    SYNTAX      CIPsecCompAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The compression algorithm used by the outbound
        security association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 30 }

ceipSecTunPmtu OBJECT-TYPE
    SYNTAX      CIPsecPmtu
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Path MTU for this IPsec Phase-2 tunnel, which has
        been either learnt from the network or which has been
        specified by the administrator. The lower end of the
        range is 68 which is the minimum MTU for IPv4."
    ::= { ceipSecTunnelEntry 31 }

ceipSecTunInOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
        received by this IPsec Phase-2 Tunnel. This value is
        accumulated BEFORE determining whether or not the packet
        should be decompressed."
    ::= { ceipSecTunnelEntry 32 }

ceipSecTunInDecompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of decompressed
        octets received by this IPsec Phase-2 Tunnel. This value
        is accumulated AFTER the packet is decompressed. If
        compression is not being used, this value will match the
        value of ceipSecTunInOctets."
    ::= { ceipSecTunnelEntry 33 }

ceipSecTunInPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by this IPsec
        Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 34 }

ceipSecTunInDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped
        during receive processing by this IPsec Phase-2
        Tunnel. This count does NOT include
        packets dropped due to Anti-Replay processing."
    ::= { ceipSecTunnelEntry 35 }

ceipSecTunInReplayDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during
        receive processing due to Anti-Replay processing
        by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 36 }

ceipSecTunInAuths OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Events"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound
        authentications performed by this
        IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 37 }

ceipSecTunInAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications
        which ended in failure by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 38 }

ceipSecTunInDecrypts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions performed
        by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 39 }

ceipSecTunInDecryptFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions
        which ended in failure by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 40 }

ceipSecTunOutOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
        sent by this IPsec Phase-2 Tunnel. This value is
        accumulated AFTER determining whether or not the
        packet should be compressed."
    ::= { ceipSecTunnelEntry 41 }

ceipSecTunOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number
        of uncompressed octets sent by this IPsec
        Phase-2 Tunnel. This value is accumulated BEFORE
        the packet is compressed. If compression
        is not being used, this value will match the value
        of ceipSecTunOutOctets."
    ::= { ceipSecTunnelEntry 42 }

ceipSecTunOutPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by this
        IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 43 }

ceipSecTunOutDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during
        send processing by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 44 }

ceipSecTunOutAuths OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Events"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications performed
        by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 45 }

ceipSecTunOutAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound
        authentications which ended in failure
        by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 46 }

ceipSecTunOutEncrypts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions performed
        by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 47 }

ceipSecTunOutEncryptFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions
        which ended in failure by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelEntry 48 }

ceipSecTunOutCompressedPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets
        which were successfully compressed."
    ::= { ceipSecTunnelEntry 49 }

ceipSecTunOutCompSkippedPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that were to be
        compressed but which were skipped due to the compression
        hysteresis."
    ::= { ceipSecTunnelEntry 50 }

ceipSecTunOutCompFailPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that failed
        compression because they grew in size after compression."
    ::= { ceipSecTunnelEntry 51 }

ceipSecTunOutCompTooSmallPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that were to be
        compressed but were smaller than the compression threshold
        size."
    ::= { ceipSecTunnelEntry 52 }

ceipSecIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object represents the ifIndex of an interface
        where this tunnel is created.
        Multiple IPsec tunnels can be created using the same
        interface."
    ::= { ceipSecTunnelEntry 53 }

ceipSecTunStatus OBJECT-TYPE
    SYNTAX      CIPsecTunnelStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The status of the MIB table row.
        This object can be used to bring the tunnel down
        or force a rekeying.
        When the value is set to destroy(5), the SA
        bundle is destroyed and this row is deleted
        from this table. When the value is set to rekey(6),
        then rekeying is forced on this tunnel.
        When this MIB value is queried, the value of
        active(4) is always returned, if the instance
        exists.
        This object cannot be used to create a MIB
        table row."
    ::= { ceipSecTunnelEntry 54 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Tunnel Endpoint Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecEndPtTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CeipSecEndPtEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel Endpoint Table.
        This table contains an entry for each
        active endpoint associated with an IPsec
        Phase-2 Tunnel."
    ::= { ceipSecPhaseTwo 3 }

ceipSecEndPtEntry OBJECT-TYPE
    SYNTAX      CeipSecEndPtEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An IPsec Phase-2 Tunnel Endpoint entry."
    INDEX       {
                    ceipSecTunIndex,    -- from ceipSecTunnelTable
                    ceipSecEndPtIndex
                }
    ::= { ceipSecEndPtTable 1 }


CeipSecEndPtEntry ::= SEQUENCE {
    ceipSecEndPtIndex               Unsigned32,
    ceipSecEndPtLocalName           SnmpAdminString,
    ceipSecEndPtLocalType           CIPsecEndPtType,
    ceipSecEndPtLocalAddrType1      InetAddressType,
    ceipSecEndPtLocalAddr1          InetAddress,
    ceipSecEndPtLocalAddrType2      InetAddressType,
    ceipSecEndPtLocalAddr2          InetAddress,
    ceipSecEndPtLocalProtocol       CiscoIpProtocol,
    ceipSecEndPtLocalPort           CiscoPort,
    ceipSecEndPtRemoteName          SnmpAdminString,
    ceipSecEndPtRemoteType          CIPsecEndPtType,
    ceipSecEndPtRemoteAddrType1     InetAddressType,
    ceipSecEndPtRemoteAddr1         InetAddress,
    ceipSecEndPtRemoteAddrType2     InetAddressType,
    ceipSecEndPtRemoteAddr2         InetAddress,
    ceipSecEndPtRemoteProtocol      CiscoIpProtocol,
    ceipSecEndPtRemotePort          CiscoPort
}

ceipSecEndPtIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The number of the Endpoint associated with the
        IPsec Phase-2 Tunnel Table. The value of this
        index is a number which begins at one and
        is incremented with each Endpoint associated
        with an IPsec Phase-2 Tunnel.
        The value of this object will wrap at 4,294,967,295."
    ::= { ceipSecEndPtEntry 1 }

ceipSecEndPtLocalName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the local Endpoint."
    ::= { ceipSecEndPtEntry 2 }

ceipSecEndPtLocalType OBJECT-TYPE
    SYNTAX      CIPsecEndPtType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identity for the local Endpoint."
    ::= { ceipSecEndPtEntry 3 }

ceipSecEndPtLocalAddrType1 OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address for this local Endpoint's
        first IP address."
    ::= { ceipSecEndPtEntry 4 }

ceipSecEndPtLocalAddr1 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local Endpoint's first IP address specification.
        If the local Endpoint type is single IP address,
        then this is the value of the IP address.
        If the local Endpoint type is IP subnet, then this
        is the value of the subnet.
        If the local Endpoint type is IP address range,
        then this is the value of beginning IP address
        of the range.
        If the type is an IP address, a range or a subnet,
        the type of the address can be inferred from
        ceipSecEndPtLocalType."
    ::= { ceipSecEndPtEntry 5 }

ceipSecEndPtLocalAddrType2 OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address for this local Endpoint's
        second IP address."
    ::= { ceipSecEndPtEntry 6 }

ceipSecEndPtLocalAddr2 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local Endpoint's second IP address specification.
        If the local Endpoint type is single IP address,
        then this is the value of the IP address.
        If the local Endpoint type is IP subnet, then this
        is the value of the subnet mask.
        If the local Endpoint type is IP address range,
        then this is the value of ending IP address
        of the range.
        If the type is an IP address, a range or a subnet,
        the type of the address can be inferred from
        ceipSecEndPtLocalType."
    ::= { ceipSecEndPtEntry 7 }

ceipSecEndPtLocalProtocol OBJECT-TYPE
    SYNTAX      CiscoIpProtocol
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol number of the local Endpoint's traffic."
    ::= { ceipSecEndPtEntry 8 }

ceipSecEndPtLocalPort OBJECT-TYPE
    SYNTAX      CiscoPort
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The port number of the local Endpoint's traffic."
    ::= { ceipSecEndPtEntry 9 }

ceipSecEndPtRemoteName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the remote Endpoint."
    ::= { ceipSecEndPtEntry 10 }

ceipSecEndPtRemoteType OBJECT-TYPE
    SYNTAX      CIPsecEndPtType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identity for the remote Endpoint."
    ::= { ceipSecEndPtEntry 11 }

ceipSecEndPtRemoteAddrType1 OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address for this remote Endpoint's
        first IP address."
    ::= { ceipSecEndPtEntry 12 }

ceipSecEndPtRemoteAddr1 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote Endpoint's first IP address specification.
        If the remote Endpoint type is single IP address,
        then this is the value of the IP address.
        If the remote Endpoint type is IP subnet, then this
        is the value of the subnet.
        If the remote Endpoint type is IP address range,
        then this is the value of beginning IP address
        of the range.
        If the type is an IP address, a range or a subnet,
        the type of the address can be inferred from
        ceipSecEndPtRemoteType."
    ::= { ceipSecEndPtEntry 13 }

ceipSecEndPtRemoteAddrType2 OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address for this remote Endpoint's
        second IP address."
    ::= { ceipSecEndPtEntry 14 }

ceipSecEndPtRemoteAddr2 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote Endpoint's second IP address specification.
        If the remote Endpoint type is single IP address,
        then this is the value of the IP address.
        If the remote Endpoint type is IP subnet, then this
        is the value of the subnet mask.
        If the remote Endpoint type is IP address range,
        then this is the value of ending IP address of
        the range.
        If the type is an IP address, a range or a subnet,
        the type of the address can be inferred from
        ceipSecEndPtRemoteType."
    ::= { ceipSecEndPtEntry 15 }

ceipSecEndPtRemoteProtocol OBJECT-TYPE
    SYNTAX      CiscoIpProtocol
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol number of the remote Endpoint's traffic."
    ::= { ceipSecEndPtEntry 16 }

ceipSecEndPtRemotePort OBJECT-TYPE
    SYNTAX      CiscoPort
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The port number of the remote Endpoint's traffic."
    ::= { ceipSecEndPtEntry 17 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Security Association Table
-- This table provides the security association (SA)
-- decomposition of the tunnels listed in the tunnel table.
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecSaTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CeipSecSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Security Association Table.
        This table identifies the structure (in terms of
        component SAs) of each active Phase-2 IPsec tunnel.
        This table contains an entry for each active and
        expiring security association and maps each entry
        in the active Phase-2 tunnel table (ceipSecTunTable)
        into a number of entries in this table. The index
        of this table reflects the
        <destination-address, protocol, spi>
        rule for identifying Security Associations."
    ::= { ceipSecPhaseTwo 4 }

ceipSecSaEntry OBJECT-TYPE
    SYNTAX      CeipSecSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with
        active and expiring IPsec Phase-2
        security associations."
    INDEX       { ceipSecTunIndex,  -- from ceipSecTunnelTable
                  ceipSecSaProtocol,
                  ceipSecSaIndex }
    ::= { ceipSecSaTable 1 }

CeipSecSaEntry ::= SEQUENCE {
    ceipSecSaProtocol       CIPsecProtocol,
    ceipSecSaIndex          Unsigned32,
    ceipSecSaDirection      CIPsecPhase2SaDirection,
    ceipSecSaValue          CIPsecSpi,
    ceipSecSaStatus         INTEGER
}

ceipSecSaProtocol OBJECT-TYPE
    SYNTAX      CIPsecProtocol
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This column represents the security protocol (AH,
        ESP or IPComp) for which this security association
        was set up."
    ::= { ceipSecSaEntry 1 }

ceipSecSaIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The object, in the context of the IPsec tunnel
        'ceipSecTunIndex', is an index of security
        associations comprising the Phase-2 IPsec tunnel
        represented by the tunnel index 'ceipSecTunIndex'.
        The value of this index is a number which begins at
        1 and is incremented with each SPI associated with
        the corresponding IPsec Phase-2 Tunnel."
    ::= { ceipSecSaEntry 2 }

ceipSecSaDirection OBJECT-TYPE
    SYNTAX      CIPsecPhase2SaDirection
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Phase-2 IPsec security associations are simplex.
        Hence a particular security association is used either
        for securing outgoing traffic or decoding incoming
        traffic. This column identifies the direction of the
        security association represented by this entry."
    ::= { ceipSecSaEntry 3 }

ceipSecSaValue OBJECT-TYPE
    SYNTAX      CIPsecSpi
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This is the value of the Security Protection Index
        (SPI) assigned by the system to the security
        association represented by this entry."
    ::= { ceipSecSaEntry 4 }

ceipSecSaStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    unknown(1),
                    active(2),
                    expiring(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This column represents the status of the security
        association represented by this conceptual row. If
        the status of the SA is 'active', the SA is ready
        for active use. The status 'expiring' represents any
        of the various states that the security association
        transitions through before being purged."
    ::= { ceipSecSaEntry 5 }

ceipSecTunnelSaTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CeipSecTunnelSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel Security Association Table.
        This table identifies the SAs that are currently
        associated with an active Phase-2 tunnel.
        This table contains an entry for each active or
        expiring security association (SA) which is
        associated with a ceipSecTunnelEntry in 'active' state
        and provides statistic information of this SA.
        There might be multiple SAs associated with one
        ceipSecTunnelEntry."
    ::= { ceipSecPhaseTwo 5 }

ceipSecTunnelSaEntry OBJECT-TYPE
    SYNTAX      CeipSecTunnelSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes and statistics
        associated with an active or expiring IPsec Phase-2
        security association."
    INDEX       { ceipSecTunIndex,  -- from ceipSecTunnelTable
                  ceipSecTunSaProtocol,
                  ceipSecTunSaIndex,
                  ceipSecTunSaDirection }
    ::= { ceipSecTunnelSaTable 1 }

CeipSecTunnelSaEntry ::= SEQUENCE {
    ceipSecTunSaProtocol                CIPsecProtocol,
    ceipSecTunSaIndex                   Unsigned32,
    ceipSecTunSaDirection               CIPsecPhase2SaDirection,
    ceipSecTunSaValue                   CIPsecSpi,
    ceipSecTunSaIfIndex                 InterfaceIndex,
    ceipSecTunSaInOctets                Counter64,
    ceipSecTunSaInDecompOctets          Counter64,
    ceipSecTunSaInPkts                  Counter64,
    ceipSecTunSaInDropPkts              Counter64,
    ceipSecTunSaInReplayDropPkts        Counter64,
    ceipSecTunSaInAuths                 Counter64,
    ceipSecTunSaInAuthFails             Counter64,
    ceipSecTunSaInDecrypts              Counter64,
    ceipSecTunSaInDecryptFails          Counter64,
    ceipSecTunSaOutOctets               Counter64,
    ceipSecTunSaOutUncompOctets         Counter64,
    ceipSecTunSaOutPkts                 Counter64,
    ceipSecTunSaOutDropPkts             Counter64,
    ceipSecTunSaOutAuths                Counter64,
    ceipSecTunSaOutAuthFails            Counter64,
    ceipSecTunSaOutEncrypts             Counter64,
    ceipSecTunSaOutEncryptFails         Counter64,
    ceipSecTunSaOutCompressedPkts       Counter64,
    ceipSecTunSaOutCompSkippedPkts      Counter64,
    ceipSecTunSaOutCompFailPkts         Counter64,
    ceipSecTunSaOutCompTooSmallPkts     Counter64,
    ceipSecTunSaStatus                  INTEGER
}

ceipSecTunSaProtocol OBJECT-TYPE
    SYNTAX      CIPsecProtocol
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This column represents the security protocol (AH,
        ESP or IPComp) for which this security association
        was set up."
    ::= { ceipSecTunnelSaEntry 1 }

ceipSecTunSaIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The object, in the context of the IPsec tunnel
        'ceipSecTunIndex', is an index of security
        associations comprising the Phase-2 IPsec tunnel
        represented by the tunnel index 'ceipSecTunIndex'.
        The value of this index is a number which begins at
        1 and is incremented with each SPI associated with
        the corresponding IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelSaEntry 2 }

ceipSecTunSaDirection OBJECT-TYPE
    SYNTAX      CIPsecPhase2SaDirection
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Phase-2 IPsec security associations are simplex.
        Hence a particular security association is used either
        for securing outgoing traffic or decoding incoming
        traffic. This column identifies the direction of the
        security association represented by this entry."
    ::= { ceipSecTunnelSaEntry 3 }

ceipSecTunSaValue OBJECT-TYPE
    SYNTAX      CIPsecSpi
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This is the value of the Security Protection Index
        (SPI) assigned by the system to the security
        association represented by this entry."
    ::= { ceipSecTunnelSaEntry 4 }

ceipSecTunSaIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object represents the ifIndex of an interface
        where a tunnel with ceipSecTunIndex is created.
        Multiple IPsec tunnels can be created using the same
        interface."
    ::= { ceipSecTunnelSaEntry 5 }

ceipSecTunSaInOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
        received by using this SA. This value is
        accumulated BEFORE determining whether or not the packet
        should be decompressed."
    ::= { ceipSecTunnelSaEntry 6 }

ceipSecTunSaInDecompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of decompressed
        octets received by using this SA. This value
        is accumulated AFTER the packet is decompressed. If
        compression is not being used, this value will match the
        value of ceipSecTunSaTunInOctets."
    ::= { ceipSecTunnelSaEntry 7 }

ceipSecTunSaInPkts OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by using this SA."
    ::= { ceipSecTunnelSaEntry 8 }

ceipSecTunSaInDropPkts OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped
        during receive process by using this SA.
        This count does NOT include packets dropped due
        to Anti-Replay processing."
    ::= { ceipSecTunnelSaEntry 9 }

ceipSecTunSaInReplayDropPkts OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during
        receive processing due to Anti-Replay processing
        by using this SA."
    ::= { ceipSecTunnelSaEntry 10 }

ceipSecTunSaInAuths OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications
        performed by using this SA."
    ::= { ceipSecTunnelSaEntry 11 }

ceipSecTunSaInAuthFails OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications
        which ended in failure by using this SA."
    ::= { ceipSecTunnelSaEntry 12 }

ceipSecTunSaInDecrypts OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions performed
        by this SA."
    ::= { ceipSecTunnelSaEntry 13 }

ceipSecTunSaInDecryptFails OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions
        which ended in failure by using this SA."
    ::= { ceipSecTunnelSaEntry 14 }

ceipSecTunSaOutOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
        sent by using this SA. This value is
        accumulated AFTER determining whether or not the packet
        should be compressed."
    ::= { ceipSecTunnelSaEntry 15 }

ceipSecTunSaOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number
        of uncompressed octets sent by using this SA.
        This value is accumulated BEFORE
        the packet is compressed. If compression
        is not being used, this value will match the value
        of ceipSecTunSaTunOutOctets."
    ::= { ceipSecTunnelSaEntry 16 }

ceipSecTunSaOutPkts OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by using this SA."
    ::= { ceipSecTunnelSaEntry 17 }

ceipSecTunSaOutDropPkts OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during
        send processing by using this SA."
    ::= { ceipSecTunnelSaEntry 18 }

ceipSecTunSaOutAuths OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications performed
        by using this SA."
    ::= { ceipSecTunnelSaEntry 19 }

ceipSecTunSaOutAuthFails OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound
        authentications which ended in failure
        by using this SA."
    ::= { ceipSecTunnelSaEntry 20 }

ceipSecTunSaOutEncrypts OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions performed
        by using this SA."
    ::= { ceipSecTunnelSaEntry 21 }

ceipSecTunSaOutEncryptFails OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions
        which ended in failure by using this SA."
    ::= { ceipSecTunnelSaEntry 22 }

ceipSecTunSaOutCompressedPkts OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets
        which were successfully compressed by using this
        SA."
    ::= { ceipSecTunnelSaEntry 23 }

ceipSecTunSaOutCompSkippedPkts OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that were to be
        compressed but which were skipped due to the compression
        hysteresis when using this SA."
    ::= { ceipSecTunnelSaEntry 24 }

ceipSecTunSaOutCompFailPkts OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that failed
        compression because they grew in size after compression
        when using this SA."
    ::= { ceipSecTunnelSaEntry 25 }

ceipSecTunSaOutCompTooSmallPkts OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that were to be
        compressed but were smaller than the compression threshold
        size when using this SA."
    ::= { ceipSecTunnelSaEntry 26 }

ceipSecTunSaStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    unknown(1),
                    active(2),
                    expiring(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This column represents the status of the security
        association represented by this conceptual row. If
        the status of the SA is 'active', the SA is ready
        for active use. The status 'expiring' represents any
        of the various states that the security association
        transitions through before being purged."
    ::= { ceipSecTunnelSaEntry 27 }

ceipSecIfTunnelTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CeipSecIfTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Tunnels to Interface association
        table. This table contains an entry for each
        active IPsec Phase-2 Tunnel created under an interface.
        Multiple IPsec Phase-2 Tunnels can be created using the
        same interface."
    ::= { ceipSecPhaseTwo 6 }

ceipSecIfTunnelEntry OBJECT-TYPE
    SYNTAX      CeipSecIfTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the IPsec Phase-2 Tunnel
        associated with an interface."
    INDEX       { ifIndex,
                  ceipSecTunIndex }
    ::= { ceipSecIfTunnelTable 1 }

CeipSecIfTunnelEntry ::= SEQUENCE {
    ceipSecIfTunnelStatus   CIPsecTunnelStatus
}

ceipSecIfTunnelStatus OBJECT-TYPE
    SYNTAX      CIPsecTunnelStatus
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object corresponds to the status of
        an IPsec Phase-2 Tunnel in ceipSecTunnelTable
        indexed by ceipSecTunIndex. The valid status
        this object can have are 'active' and
        'awaitCommit'."
    ::= { ceipSecIfTunnelEntry 1 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec History Group
--
-- This group consists of:
-- 1) IPsec History Global Objects
-- 2) IPsec Phase-2 History Objects
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecHistGlobal OBJECT IDENTIFIER ::= { ceipSecHistory 1 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- IPsec History Global Control Objects
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecHistGlobalCntl OBJECT IDENTIFIER ::= { ceipSecHistGlobal 1 }

ceipSecHistTableSize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The window size of the IPsec Phase-2 History Tables.
        The IPsec Phase-2 History Tables are implemented as
        a sliding window in which only the last 'N' entries
        are maintained. This object is used to specify the number
        of entries which will be maintained in the IPsec
        Phase-2 History Tables.
        An implementation may choose suitable minimum and
        maximum values for this element based on the local
        policy and available resources. If an SNMP SET request
        specifies a value outside this window for this element,
        an appropriate SNMP error code should be returned.
        Setting this value to zero is equivalent to deleting
        all conceptual rows in the archiving tables
        ('ceipSecHistTable' and 'ceipSecEndPtHistTable') and
        disabling the archiving of entries in the tables."
    ::= { ceipSecHistGlobalCntl 1 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Tunnel History Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecTunnelHistTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CeipSecTunnelHistEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel History Table.
        This table is conceptually a sliding window in
        which only the last 'N' entries are maintained,
        where 'N' is the value of the object
        'ceipSecHistTableSize'.
        If the value of 'ceipSecHistTableSize' is 0,
        archiving of entries in this table is disabled."
    ::= { ceipSecHistory 2 }

ceipSecTunnelHistEntry OBJECT-TYPE
    SYNTAX      CeipSecTunnelHistEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated
        with a previously active IPsec Phase-2 Tunnel."
    INDEX       { ceipSecTunHistIndex }
    ::= { ceipSecTunnelHistTable 1 }

CeipSecTunnelHistEntry ::= SEQUENCE {
    ceipSecTunHistIndex                 Unsigned32,
    ceipSecTunHistTermReason            INTEGER,
    ceipSecTunHistActiveIndex           CIPsecPhase2TunnelIndex,
    ceipSecTunHistLocalAddressType      InetAddressType,
    ceipSecTunHistLocalAddress          InetAddress,
    ceipSecTunHistRemoteAddressType     InetAddressType,
    ceipSecTunHistRemoteAddress         InetAddress,
    ceipSecTunHistControlProtocol       CIPsecControlProtocol,
    ceipSecTunHistControlTunnelIndex    CIPsecPhase1TunnelIndexOrZero,
    ceipSecTunHistEncapMode             CIPsecEncapMode,
    ceipSecTunHistNATTraversalMode      CIPsecNATTraversalMode,
    ceipSecTunHistLifeSize              Unsigned32,
    ceipSecTunHistLifeTime              Unsigned32,
    ceipSecTunHistStartTime             TimeStamp,
    ceipSecTunHistActiveTime            TimeInterval,
    ceipSecTunHistTotalRefreshes        Counter32,
    ceipSecTunHistTotalSas              Counter32,
    ceipSecTunHistInSaDHGrp             CIPsecDiffHellmanGrp,
    ceipSecTunHistInSaEncryptAlgo       CIPsecEncryptAlgorithm,
    ceipSecTunHistInSaEncryptKeySize    CIPsecEncryptionKeySize,
    ceipSecTunHistInSaAhAuthAlgo        CIPsecAuthAlgorithm,
    ceipSecTunHistInSaEspAuthAlgo       CIPsecAuthAlgorithm,
    ceipSecTunHistInSaDecompAlgo        CIPsecCompAlgorithm,
    ceipSecTunHistOutSaDHGrp            CIPsecDiffHellmanGrp,
    ceipSecTunHistOutSaEncryptAlgo      CIPsecEncryptAlgorithm,
    ceipSecTunHistOutSaEncryptKeySz     CIPsecEncryptionKeySize,
    ceipSecTunHistOutSaAhAuthAlgo       CIPsecAuthAlgorithm,
    ceipSecTunHistOutSaEspAuthAlgo      CIPsecAuthAlgorithm,
    ceipSecTunHistOutSaCompAlgo         CIPsecCompAlgorithm,
    ceipSecTunHistPmtu                  CIPsecPmtu,
    ceipSecTunHistInOctets              Counter64,
    ceipSecTunHistInDecompOctets        Counter64,
    ceipSecTunHistInPkts                Counter32,
    ceipSecTunHistInDropPkts            Counter32,
    ceipSecTunHistInReplayDropPkts      Counter32,
    ceipSecTunHistInAuths               Counter32,
    ceipSecTunHistInAuthFails           Counter32,
    ceipSecTunHistInDecrypts            Counter32,
    ceipSecTunHistInDecryptFails        Counter32,
    ceipSecTunHistOutOctets             Counter64,
    ceipSecTunHistOutUncompOctets       Counter64,
    ceipSecTunHistOutPkts               Counter32,
    ceipSecTunHistOutDropPkts           Counter32,
    ceipSecTunHistOutAuths              Counter32,
    ceipSecTunHistOutAuthFails          Counter32,
    ceipSecTunHistOutEncrypts           Counter32,
    ceipSecTunHistOutEncryptFails       Counter32,
    ceipSecTunHistOutCompressedPkts     Counter32,
    ceipSecTunHistOutCompSkippedPkts    Counter32,
    ceipSecTunHistOutCompFailPkts       Counter32,
    ceipSecTunHistOutCompSmallPkts      Counter32
}

ceipSecTunHistIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index of the IPsec Phase-2 Tunnel History Table.
        The value of the index is a number which
        begins at one and is incremented with each tunnel
        that ends. The value
        of this object will wrap at 4,294,967,295."
    ::= { ceipSecTunnelHistEntry 1 }

ceipSecTunHistTermReason OBJECT-TYPE
    SYNTAX      INTEGER {
                    other(1),
                    normal(2),
                    operRequest(3),
                    peerDelRequest(4),
                    peerLost(5),
                    applicationInitiated(6),
                    xauthFailure(7),
                    seqNumRollOver(8),
                    checkPointReq(9)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The reason the IPsec Phase-2 Tunnel was terminated.
        Possible reasons include:
        1 = other
        2 = normal termination
        3 = operator request
        4 = peer delete request was received
        5 = contact with peer was lost
        6 = applicationInitiated (eg: L2TP requesting the
            termination)
        7 = failure of extended authentication
        8 = local failure occurred
        9 = operator initiated check point request"
    ::= { ceipSecTunnelHistEntry 2 }

ceipSecTunHistActiveIndex OBJECT-TYPE
    SYNTAX      CIPsecPhase2TunnelIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the previously active IPsec Phase-2
        Tunnel.
        This object must correspond to an expired IPsec
        tunnel; hence this object may not assume the value
        of 0."
    ::= { ceipSecTunnelHistEntry 3 }

ceipSecTunHistLocalAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address of the local endpoint for
        the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 4 }

ceipSecTunHistLocalAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the local endpoint for
        the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 5 }

ceipSecTunHistRemoteAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address of the remote endpoint
        for the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 6 }

ceipSecTunHistRemoteAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the remote endpoint for
        the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 7 }

ceipSecTunHistControlProtocol OBJECT-TYPE
    SYNTAX      CIPsecControlProtocol
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Identifies the protocol that was used to set up
        and administer the Phase-2 IPsec tunnel."
    ::= { ceipSecTunnelHistEntry 8 }

ceipSecTunHistControlTunnelIndex OBJECT-TYPE
    SYNTAX      CIPsecPhase1TunnelIndexOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the IPsec Phase-1 Tunnel that spawned
        this Phase-2 tunnel (in case of IKE, this value
        would refer to 'csikeTunIndex' in the 'csikeTunnelTable').
        If the IPsec tunnel corresponding to this entry
        was set up manually, the value of this object should
        be zero."
    ::= { ceipSecTunnelHistEntry 9 }

ceipSecTunHistEncapMode OBJECT-TYPE
    SYNTAX      CIPsecEncapMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encapsulation mode used by the
        IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 10 }

ceipSecTunHistNATTraversalMode OBJECT-TYPE
    SYNTAX      CIPsecNATTraversalMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encapsulation used by the IPsec Phase-2
        tunnel corresponding to this conceptual row
        for NAT traversal."
    ::= { ceipSecTunnelHistEntry 11 }

ceipSecTunHistLifeSize OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    UNITS       "KBytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiated LifeSize of the IPsec Phase-2 Tunnel in
        kilobytes."
    ::= { ceipSecTunnelHistEntry 12 }

ceipSecTunHistLifeTime OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    UNITS       "Seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiated LifeTime of the IPsec Phase-2 Tunnel in
        seconds."
    ::= { ceipSecTunnelHistEntry 13 }

ceipSecTunHistStartTime OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime in hundredths of seconds
        when the IPsec Phase-2 Tunnel was started."
    ::= { ceipSecTunnelHistEntry 14 }

ceipSecTunHistActiveTime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of time the IPsec Phase-2 Tunnel has been
        active in hundredths of seconds."
    ::= { ceipSecTunnelHistEntry 15 }

ceipSecTunHistTotalRefreshes OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "QM Exchanges"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of security association refreshes
        performed."
    ::= { ceipSecTunnelHistEntry 16 }

ceipSecTunHistTotalSas OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "SAs"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of security associations used
        during the life of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 17 }

ceipSecTunHistInSaDHGrp OBJECT-TYPE
    SYNTAX      CIPsecDiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Diffie Hellman Group used by the inbound security
        association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 18 }

ceipSecTunHistInSaEncryptAlgo OBJECT-TYPE
    SYNTAX      CIPsecEncryptAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used by the inbound security
        association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 19 }

ceipSecTunHistInSaEncryptKeySize OBJECT-TYPE
    SYNTAX      CIPsecEncryptionKeySize
    UNITS       "Bits"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The size in bits of the key which was negotiated to
        be used with the encryption transform used with this
        tunnel denoted by ceipSecTunHistInSaEncryptAlgo.
        For DES and 3DES the key size is respectively 56 and
        168. For AES, this will denote the negotiated key size."
    ::= { ceipSecTunnelHistEntry 20 }

ceipSecTunHistInSaAhAuthAlgo OBJECT-TYPE
    SYNTAX      CIPsecAuthAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the inbound
        authentication header (AH) security association of
        the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 21 }

ceipSecTunHistInSaEspAuthAlgo OBJECT-TYPE
    SYNTAX      CIPsecAuthAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the inbound
        encapsulation security protocol (ESP)
        security association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 22 }

ceipSecTunHistInSaDecompAlgo OBJECT-TYPE
    SYNTAX      CIPsecCompAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The decompression algorithm used by the inbound
        security association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 23 }

ceipSecTunHistOutSaDHGrp OBJECT-TYPE
    SYNTAX      CIPsecDiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Diffie Hellman Group used by the outbound security
        association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 24 }

ceipSecTunHistOutSaEncryptAlgo OBJECT-TYPE
    SYNTAX      CIPsecEncryptAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used by the outbound security
        association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 25 }

ceipSecTunHistOutSaEncryptKeySz OBJECT-TYPE
    SYNTAX      CIPsecEncryptionKeySize
    UNITS       "Bits"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The size in bits of the key which was negotiated to
        be used with the encryption transform used with this
        tunnel denoted by ceipSecTunHistOutSaEncryptAlgo.
        For DES and 3DES the key size is respectively 56 and
        168. For AES, this will denote the negotiated key
        size."
    ::= { ceipSecTunnelHistEntry 26 }

ceipSecTunHistOutSaAhAuthAlgo OBJECT-TYPE
    SYNTAX      CIPsecAuthAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the outbound
        authentication header (AH) security association of
        the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 27 }

ceipSecTunHistOutSaEspAuthAlgo OBJECT-TYPE
    SYNTAX      CIPsecAuthAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the inbound
        encapsulation security protocol (ESP)
        security association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 28 }

ceipSecTunHistOutSaCompAlgo OBJECT-TYPE
    SYNTAX      CIPsecCompAlgorithm
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The compression algorithm used by the inbound
        security association of the IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 29 }

ceipSecTunHistPmtu OBJECT-TYPE
    SYNTAX      CIPsecPmtu
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Path MTU that was determined for this IPsec
        Phase-2 tunnel."
    ::= { ceipSecTunnelHistEntry 30 }

ceipSecTunHistInOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
        received by this IPsec Phase-2 Tunnel. This value
        is accumulated BEFORE determining whether or not
        the packet should be decompressed."
    ::= { ceipSecTunnelHistEntry 31 }

ceipSecTunHistInDecompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
        decompressed octets received by this IPsec Phase-2 Tunnel.
        This value is accumulated AFTER the packet is
        decompressed.
        If compression is not being used, this value will match
        the value of ceipSecTunInOctets."
    ::= { ceipSecTunnelHistEntry 32 }

ceipSecTunHistInPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by this
        IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 33 }

ceipSecTunHistInDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during
        receive processing by this IPsec Phase-2 Tunnel.
        This count does NOT include packets
        dropped due to Anti-Replay processing."
    ::= { ceipSecTunnelHistEntry 34 }

ceipSecTunHistInReplayDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during
        receive processing due to Anti-Replay processing
        by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 35 }

ceipSecTunHistInAuths OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Events"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications
        performed by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 36 }

ceipSecTunHistInAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications
        which ended in failure by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 37 }

ceipSecTunHistInDecrypts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions performed
        by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 38 }

ceipSecTunHistInDecryptFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions
        which ended in failure by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 39 }

ceipSecTunHistOutOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
        sent by this IPsec Phase-2 Tunnel. This value
        is accumulated AFTER determining whether or not
        the packet should be compressed."
    ::= { ceipSecTunnelHistEntry 40 }

ceipSecTunHistOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "Octets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total
        number of uncompressed octets sent by this
        IPsec Phase-2 Tunnel. This value is accumulated
        BEFORE the packet is compressed. If compression
        is not being used, this value will match the value
        of 'ceipSecTunOutOctets'."
    ::= { ceipSecTunnelHistEntry 41 }

ceipSecTunHistOutPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by this
        IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 42 }

ceipSecTunHistOutDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during
        send processing by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 43 }

ceipSecTunHistOutAuths OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Events"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications
        performed by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 44 }

ceipSecTunHistOutAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications
        which ended in failure by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 45 }

ceipSecTunHistOutEncrypts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions performed
        by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 46 }

ceipSecTunHistOutEncryptFails OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Failures"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions
        which ended in failure by this IPsec Phase-2 Tunnel."
    ::= { ceipSecTunnelHistEntry 47 }

ceipSecTunHistOutCompressedPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets
        which were successfully compressed."
    ::= { ceipSecTunnelHistEntry 48 }

ceipSecTunHistOutCompSkippedPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that were to be
        compressed but which were skipped due to the
        compression hysteresis."
    ::= { ceipSecTunnelHistEntry 49 }

ceipSecTunHistOutCompFailPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that failed
        compression because they grew in size after compression."
    ::= { ceipSecTunnelHistEntry 50 }

ceipSecTunHistOutCompSmallPkts OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "Packets"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets that were
        to be compressed but were smaller than the
        compression threshold size."
    ::= { ceipSecTunnelHistEntry 51 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Tunnel Endpoint History Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecEndPtHistTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CeipSecEndPtHistEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel Endpoint History Table.
        This table is conceptually a sliding window in
        which only the last 'N' entries are maintained,
        where 'N' is the value of the object
        'ceipSecHistTableSize'.
        If the value of 'ceipSecHistTableSize' is 0,
        archiving of entries in this table is disabled."
    ::= { ceipSecHistory 3 }

ceipSecEndPtHistEntry OBJECT-TYPE
    SYNTAX      CeipSecEndPtHistEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with
        a previously active IPsec Phase-2 Tunnel Endpoint."
    INDEX       { ceipSecEndPtHistIndex }
    ::= { ceipSecEndPtHistTable 1 }

CeipSecEndPtHistEntry ::= SEQUENCE {
ceipSecEndPtHistIndex Unsigned32,
ceipSecEndPtHistTunIndex Unsigned32,
ceipSecEndPtHistActiveIndex Unsigned32,
ceipSecEndPtHistLocalName SnmpAdminString,
ceipSecEndPtHistLocalType CIPsecEndPtType,
ceipSecEndPtHistLocalAddrType1 InetAddressType,
ceipSecEndPtHistLocalAddr1 InetAddress,
ceipSecEndPtHistLocalAddrType2 InetAddressType,
ceipSecEndPtHistLocalAddr2 InetAddress,
ceipSecEndPtHistLocalProtocol CiscoIpProtocol,
ceipSecEndPtHistLocalPort CiscoPort,
ceipSecEndPtHistRemoteName SnmpAdminString,
ceipSecEndPtHistRemoteType CIPsecEndPtType,
ceipSecEndPtHistRemoteAddrType1 InetAddressType,
ceipSecEndPtHistRemoteAddr1 InetAddress,
ceipSecEndPtHistRemoteAddrType2 InetAddressType,
ceipSecEndPtHistRemoteAddr2 InetAddress,
ceipSecEndPtHistRemoteProtocol CiscoIpProtocol,
ceipSecEndPtHistRemotePort CiscoPort
}

ceipSecEndPtHistIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The number of the previously active Endpoint
        associated with an IPsec Phase-2 Tunnel Table.
        The value of this index is a number which begins
        at one and is incremented with each Endpoint
        associated with an IPsec Phase-2 Tunnel.
        The value of this object will wrap at 4,294,967,295."
    ::= { ceipSecEndPtHistEntry 1 }

ceipSecEndPtHistTunIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the previously active IPsec
        Phase-2 Tunnel Table."
    ::= { ceipSecEndPtHistEntry 2 }

ceipSecEndPtHistActiveIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the previously active Endpoint."
    ::= { ceipSecEndPtHistEntry 3 }

ceipSecEndPtHistLocalName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the local Endpoint."
    ::= { ceipSecEndPtHistEntry 4 }

ceipSecEndPtHistLocalType OBJECT-TYPE
    SYNTAX      CIPsecEndPtType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identity for the local Endpoint."
    ::= { ceipSecEndPtHistEntry 5 }

ceipSecEndPtHistLocalAddrType1 OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address for this local Endpoint's
        first IP address."
    ::= { ceipSecEndPtHistEntry 6 }

ceipSecEndPtHistLocalAddr1 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local Endpoint's first IP address specification.
        If the local Endpoint type is single IP address,
        then this is the value of the IP address.
        If the local Endpoint type is IP subnet, then this
        is the value of the subnet.
        If the local Endpoint type is IP address range,
        then this is the value of beginning IP address of
        the range.
        If the type is an IP address, a range or a subnet,
        the type of the address can be inferred from
        ceipSecEndPtLocalType."
    ::= { ceipSecEndPtHistEntry 7 }

ceipSecEndPtHistLocalAddrType2 OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address for this local Endpoint's
        second IP address."
    ::= { ceipSecEndPtHistEntry 8 }

ceipSecEndPtHistLocalAddr2 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local Endpoint's second IP address
        specification.
        If the local Endpoint type is single IP address,
        then this is the value of the IP address.
        If the local Endpoint type is IP subnet, then this
        is the value of the subnet mask.
        If the local Endpoint type is IP address range,
        then this is the value of ending IP address of
        the range.
        If the type is an IP address, a range or a subnet,
        the type of the address can be inferred from
        ceipSecEndPtLocalType."
    ::= { ceipSecEndPtHistEntry 9 }

ceipSecEndPtHistLocalProtocol OBJECT-TYPE
    SYNTAX      CiscoIpProtocol
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol number of the local Endpoint's
        traffic."
    ::= { ceipSecEndPtHistEntry 10 }

ceipSecEndPtHistLocalPort OBJECT-TYPE
    SYNTAX      CiscoPort
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The port number of the local Endpoint's traffic."
    ::= { ceipSecEndPtHistEntry 11 }

ceipSecEndPtHistRemoteName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the remote Endpoint."
    ::= { ceipSecEndPtHistEntry 12 }

ceipSecEndPtHistRemoteType OBJECT-TYPE
    SYNTAX      CIPsecEndPtType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identity for the remote Endpoint."
    ::= { ceipSecEndPtHistEntry 13 }

ceipSecEndPtHistRemoteAddrType1 OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address for this remote Endpoint's
        first IP address."
    ::= { ceipSecEndPtHistEntry 14 }

ceipSecEndPtHistRemoteAddr1 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote Endpoint's first IP address
        specification.
        If the remote Endpoint type is single IP address,
        then this is the value of the IP address.
        If the remote Endpoint type is IP subnet, then this
        is the value of the subnet.
        If the remote Endpoint type is IP address range,
        then this is the value of beginning IP address of
        the range.
        If the type is an IP address, a range or a subnet,
        the type of the address can be inferred from
        ceipSecEndPtRemoteType."
    ::= { ceipSecEndPtHistEntry 15 }

ceipSecEndPtHistRemoteAddrType2 OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP address for this remote Endpoint's
        second IP address."
    ::= { ceipSecEndPtHistEntry 16 }

ceipSecEndPtHistRemoteAddr2 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote Endpoint's second IP address
        specification.
        If the remote Endpoint type is single IP address,
        then this is the value of the IP address.
        If the remote Endpoint type is IP subnet, then this
        is the value of the subnet mask.
        If the remote Endpoint type is IP address range,
        then this is the value of ending IP address of the
        range.
        If the type is an IP address, a range or a subnet,
        the type of the address can be inferred from
        ceipSecEndPtRemoteType."
    ::= { ceipSecEndPtHistEntry 17 }

ceipSecEndPtHistRemoteProtocol OBJECT-TYPE
    SYNTAX      CiscoIpProtocol
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol number of the remote Endpoint's traffic."
    ::= { ceipSecEndPtHistEntry 18 }

ceipSecEndPtHistRemotePort OBJECT-TYPE
    SYNTAX      CiscoPort
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The port number of the remote Endpoint's traffic."
    ::= { ceipSecEndPtHistEntry 19 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Failure Group
--
-- This group consists of:
-- 1) IPsec Failure Global Objects
-- 2) IPsec Phase-2 Tunnel Failure Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecFailGlobal OBJECT IDENTIFIER
    ::= { ceipSecFailures 1 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Failure Global Control Objects
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecFailGlobalCntl OBJECT IDENTIFIER
    ::= { ceipSecFailGlobal 1 }

ceipSecFailTableSize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The window size of the IPsec Phase-2 Failure Table.
        The IPsec Phase-2 Failure Tables are implemented as
        a sliding window in which only the last N entries are
        maintained. This object is used to specify the number of
        entries which will be maintained in the IPsec Phase-2
        Failure Tables.
        An implementation may choose suitable minimum and
        maximum values for this element based on the local
        policy and available resources. If an SNMP SET
        request specifies a value outside this window for
        this element, an appropriate SNMP error code must
        be returned.
        Setting this value to zero is equivalent to deleting
        all conceptual rows in the archiving table
        'ceipSecFailTable' and disabling the archiving of
        entries in these tables."
    ::= { ceipSecFailGlobalCntl 1 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Failure Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecFailTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CeipSecFailEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Failure Table.
        This table is implemented as a sliding window
        in which only the last n entries are maintained.
        The maximum number of entries
        is specified by the ceipSecFailTableSize object."
    ::= { ceipSecFailures 2 }

ceipSecFailEntry OBJECT-TYPE
    SYNTAX      CeipSecFailEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with
        an IPsec Phase-1 failure."
    INDEX       { ceipSecFailIndex }
    ::= { ceipSecFailTable 1 }

CeipSecFailEntry ::= SEQUENCE {
ceipSecFailIndex Unsigned32,
ceipSecFailReason INTEGER,
ceipSecFailTime TimeStamp,
ceipSecFailTunnelIndex CIPsecPhase2TunnelIndex,
ceipSecFailSaSpi CIPsecSpi,
ceipSecFailPktSrcAddressType InetAddressType,
ceipSecFailPktSrcAddress InetAddress,
ceipSecFailPktDstAddressType InetAddressType,
ceipSecFailPktDstAddress InetAddress
}

ceipSecFailIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Failure Table index.
        The value of the index is a number which
        begins at one and is incremented with each
        IPsec Phase-1 failure. The value of this
        object will wrap at 4,294,967,295."
    ::= { ceipSecFailEntry 1 }

ceipSecFailReason OBJECT-TYPE
    SYNTAX      INTEGER {
                    other(1),
                    internalError(2),
                    peerEncodingError(3),
                    proposalFailure(4),
                    protocolUseFail(5),
                    nonExistentSa(6),
                    decryptFailure(7),
                    encryptFailure(8),
                    inAuthFailure(9),
                    outAuthFailure(10),
                    compression(11),
                    sysCapExceeded(12),
                    peerDelRequest(13),
                    peerLost(14),
                    seqNumRollOver(15),
                    operRequest(16)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The reason for the failure. Possible reasons
        include:
        1 = other
        2 = internal error occurred
        3 = peer encoding error
        4 = proposal failure
        5 = protocol use failure
        6 = non-existent security association
        7 = decryption failure
        8 = encryption failure
        9 = inbound authentication failure
        10 = outbound authentication failure
        11 = compression failure
        12 = system capacity failure
        13 = peer delete request was received
        14 = contact with peer was lost
        15 = sequence number rolled over
        16 = operator requested termination."
    ::= { ceipSecFailEntry 2 }

ceipSecFailTime OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime in hundredths of seconds
        at the time of the failure."
    ::= { ceipSecFailEntry 3 }

ceipSecFailTunnelIndex OBJECT-TYPE
    SYNTAX      CIPsecPhase2TunnelIndex
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Phase-2 Tunnel index (ceipSecTunIndex).
        If this conceptual row corresponds to an operation
        failure (that is, the failure of an established
        Phase-2 IPsec tunnel), then the value of this object
        may not be zero."
    ::= { ceipSecFailEntry 4 }

ceipSecFailSaSpi OBJECT-TYPE
    SYNTAX      CIPsecSpi
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The security association SPI value.
        If this conceptual row corresponds to a setup
        failure (failure to establish the tunnel), the
        value of this MIB object is undefined."
    ::= { ceipSecFailEntry 5 }

ceipSecFailPktSrcAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the packet's source IP address."
    ::= { ceipSecFailEntry 6 }

ceipSecFailPktSrcAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The packet's source IP address."
    ::= { ceipSecFailEntry 7 }

ceipSecFailPktDstAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the packet's destination IP address."
    ::= { ceipSecFailEntry 8 }

ceipSecFailPktDstAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The packet's destination IP address."
    ::= { ceipSecFailEntry 9 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Notification Control Group
--
-- This group of objects controls the sending of IPsec
-- SNMP notifications.
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ceipSecNotiCntlIpSecAllNotifs OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object
        sending any notification
        defined in this MIB module. That is, a particular
        notification 'foo' defined in this MIB module is
        enabled if and only if the expression
        (ceipSecNotiCntlIpSecAllNotifs && ceipSecNotiCntl<foo>)
        evaluates to 'true', where ceipSecNotiCntl<foo> is a
        notification defined in this MIB module."
    DEFVAL      { true }
    ::= { ceipSecNotificationCntl 1 }

ceipSecNotifCntlIpSecTunnelStart OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state
        of sending the IPsec Phase-2 Tunnel Start TRAP.
        If the value of this object is 'true', the issuing
        of the notification 'ciscoEnhIpsecFlowTunnelStart'
        is enabled."
    DEFVAL      { true }
    ::= { ceipSecNotificationCntl 2 }

ceipSecNotifCntlIpSecTunnelStop OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
        sending the IPsec Phase-2 Tunnel Stop TRAP.
        If the value of this object is 'true', the issuing
        of the notification 'ciscoEnhIpsecFlowTunnelStop'
        is enabled."
    DEFVAL      { true }
    ::= { ceipSecNotificationCntl 3 }
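
-- Added example, not part of the Cisco MIB: Python showing how a collector can consume ceipSecFailTable rows and the notification controls defined above, covering the ceipSecFailIndex wrap at 4,294,967,295, rows evicted by the ceipSecFailTableSize window before they were polled, and the TruthValue encoding behind (ceipSecNotiCntlIpSecAllNotifs && ceipSecNotiCntl<foo>).
-- Assumptions: rows arrive as dicts from an SNMP walk (the field names are hypothetical), the sample rows are constructed, the SUSPECT set is this example's own choice, and TruthValue true(1)/false(2) and InetAddressType ipv4(1)/ipv6(2) are taken from SNMPv2-TC and INET-ADDRESS-MIB.

```python
from collections import Counter
from ipaddress import ip_address

# ceipSecFailReason enumeration, as listed in the MIB's SYNTAX clause.
FAIL_REASON = {
    1: "other", 2: "internalError", 3: "peerEncodingError",
    4: "proposalFailure", 5: "protocolUseFail", 6: "nonExistentSa",
    7: "decryptFailure", 8: "encryptFailure", 9: "inAuthFailure",
    10: "outAuthFailure", 11: "compression", 12: "sysCapExceeded",
    13: "peerDelRequest", 14: "peerLost", 15: "seqNumRollOver",
    16: "operRequest",
}
# Assumption of this example: reasons worth correlating per packet source.
SUSPECT = {6, 7, 9}
INDEX_MAX = 4294967295   # ceipSecFailIndex runs 1..4294967295, then wraps
TRUE, FALSE = 1, 2       # SNMPv2-TC TruthValue: false is 2, not 0


def notif_enabled(all_notifs, per_notif):
    """(ceipSecNotiCntlIpSecAllNotifs && ceipSecNotiCntl<foo>) on TruthValues."""
    return all_notifs == TRUE and per_notif == TRUE


def decode_addr(addr_type, raw):
    """Render an InetAddress octet string; handles ipv4(1) and ipv6(2)."""
    if addr_type in (1, 2):
        return str(ip_address(raw))
    return raw.hex()


def new_rows(rows, last_seen):
    """Rows newer than last_seen, oldest first, plus the count evicted unseen."""
    fresh = []
    for row in rows:
        # Forward distance on the 1..INDEX_MAX ring, so 1 follows 4294967295.
        dist = (row["index"] - last_seen) % INDEX_MAX
        if 0 < dist < INDEX_MAX // 2:
            fresh.append((dist, row))
    fresh.sort(key=lambda pair: pair[0])
    # The index grows by one per failure, so a gap before the oldest fresh
    # row means the sliding window dropped rows between two polls.
    missed = fresh[0][0] - 1 if fresh else 0
    return [row for _, row in fresh], missed


def triage(rows, last_seen):
    """Count suspect failures per (source address, reason) among new rows."""
    fresh, missed = new_rows(rows, last_seen)
    suspect = Counter()
    for row in fresh:
        if row["reason"] in SUSPECT:
            src = decode_addr(row["src_type"], row["src"])
            suspect[(src, FAIL_REASON[row["reason"]])] += 1
    return {
        "last_seen": fresh[-1]["index"] if fresh else last_seen,
        "missed": missed,
        "suspect": dict(suspect),
    }


# Constructed sample: a 4-row window that straddles the index wrap.
SAMPLE_ROWS = [
    {"index": 1, "reason": 13, "src_type": 1,
     "src": bytes([198, 51, 100, 7])},
    {"index": 2, "reason": 6, "src_type": 2,
     "src": bytes.fromhex("20010db8000000000000000000000005")},
    {"index": 4294967294, "reason": 9, "src_type": 1,
     "src": bytes([192, 0, 2, 10])},
    {"index": 4294967295, "reason": 9, "src_type": 1,
     "src": bytes([192, 0, 2, 10])},
]

if __name__ == "__main__":
    print(triage(SAMPLE_ROWS, last_seen=4294967292))
    print(notif_enabled(TRUE, FALSE))
```

-- A non-zero "missed" count means the poll interval is too long for the configured ceipSecFailTableSize, so failure rows are being lost before collection.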

ceipSecNotifCntlIpSecSysFailure OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state
        of sending the IPsec Phase-2 System Failure TRAP.
        If the value of this object is 'true', the issuing
        of the notification 'ciscoEnhIpsecFlowSysFailure'
        is enabled."
    DEFVAL      { true }
    ::= { ceipSecNotificationCntl 4 }

ceipSecNotifCntlIpSecSetUpFail OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state
        of sending the IPsec Phase-2 Set Up Failure TRAP.
        If the value of this object is 'true', the issuing
        of the notification 'ciscoEnhIpsecFlowSetupFail'
        is enabled."
    DEFVAL      { true }
    ::= { ceipSecNotificationCntl 5 }

ceipSecNotifCntlIpSecBadSa OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
        sending the IPsec Phase-2 No Security Association
        trap.
        If the value of this object is 'true', the issuing
        of the notification 'ciscoEnhIpsecFlowBadSa' is
        enabled."
    DEFVAL      { true }
    ::= { ceipSecNotificationCntl 6 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- IPsec Notifications - TRAPs
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ciscoEnhIpsecFlowTunnelStart NOTIFICATION-TYPE
    OBJECTS {
        ceipSecTunLifeTime,
        ceipSecTunLifeSize
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-2
        Tunnel becomes active."
    ::= { ciscoEnhancedIpsecFlowMIBNotifs 1 }

ciscoEnhIpsecFlowTunnelStop NOTIFICATION-TYPE
    OBJECTS {
        ceipSecTunHistTermReason,
        ceipSecTunActiveTime
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-2
        Tunnel becomes inactive."
    ::= { ciscoEnhancedIpsecFlowMIBNotifs 2 }

ciscoEnhIpsecFlowSysFailure NOTIFICATION-TYPE
    OBJECTS {
        ceipSecFailReason,
        ceipSecFailPktSrcAddressType,
        ceipSecFailPktSrcAddress,
        ceipSecFailPktDstAddressType,
        ceipSecFailPktDstAddress
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when the processing
        for an IPsec Phase-2 Tunnel experiences an internal
        or system capacity error."
    ::= { ciscoEnhancedIpsecFlowMIBNotifs 3 }

ciscoEnhIpsecFlowSetupFail NOTIFICATION-TYPE
    OBJECTS {
        ceipSecFailReason,
        ceipSecFailPktSrcAddressType,
        ceipSecFailPktSrcAddress,
        ceipSecFailPktDstAddressType,
        ceipSecFailPktDstAddress
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when the setup for
        an IPsec Phase-2 Tunnel fails."
    ::= { ciscoEnhancedIpsecFlowMIBNotifs 4 }

ciscoEnhIpsecFlowBadSa NOTIFICATION-TYPE
    OBJECTS {
        ceipSecFailSaSpi
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when the managed
        entity receives an IPsec packet with a non-existent
        (non-existent in the local Security Association
        Database) SPI."
    ::= { ciscoEnhancedIpsecFlowMIBNotifs 5 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Conformance Information
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ciscoEnhIPsecFlowMIBCompliances OBJECT IDENTIFIER
    ::= { ciscoEnhancedIpsecFlowMIBConform 1 }

ciscoIPsecFlowMIBGroups OBJECT IDENTIFIER
    ::= { ciscoEnhancedIpsecFlowMIBConform 2 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Compliance Statements
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ciscoEnhIPsecFlowMIBCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for SNMP entities
        pertaining to Phase-2 of IP Security Protocol."
    MODULE -- this module
    MANDATORY-GROUPS {
        ciscoEnhIPsecFlowActivityGroup,
        ciscoEnhIPsecFlowCoreHistGroup,
        ciscoEnhIPsecFlowCoreFailGroup,
        ciscoEnhIPsecFlowTunnelSaGroup
    }

    GROUP ciscoEnhIPsecFlowHistoryGroup
    DESCRIPTION
        "This group is optional and must be implemented
        by the agent of the managed entity if the managed
        entity implements historical archiving of IPsec
        flows."

    GROUP ciscoEnhIPsecFlowFailureGroup
    DESCRIPTION
        "This group is optional and must be implemented
        by the agent of the managed entity if the
        managed entity implements historical archiving
        of failure of IPsec Phase-2 operations and tunnels."

    GROUP ciscoEnhIPsecFlowNotifGroup
    DESCRIPTION
        "The group is optional."

    GROUP ciscoEnhIPsecFlowNotifCntlGroup
    DESCRIPTION
        "The agent must implement this group if it implements
        the group 'ciscoEnhIPsecFlowNotifGroup'."

    OBJECT ceipSecTunStatus
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ceipSecHistTableSize
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required. In addition,
        implementations which want to disable archiving
        of tunnels may set the value of this object to
        zero."

    OBJECT ceipSecFailTableSize
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required. In addition,
        implementations which want to disable archiving
        of failures may set the value of this object to
        zero."

    OBJECT ceipSecNotiCntlIpSecAllNotifs
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ceipSecNotifCntlIpSecTunnelStart
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ceipSecNotifCntlIpSecTunnelStop
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ceipSecNotifCntlIpSecSysFailure
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ceipSecNotifCntlIpSecSetUpFail
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ceipSecNotifCntlIpSecBadSa
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required."
    ::= { ciscoEnhIPsecFlowMIBCompliances 1 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Units of Conformance: List of current groups
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

ciscoEnhIPsecFlowActivityGroup OBJECT-GROUP
    OBJECTS {
-- The IPsec Phase-2 Global Tunnel Statistics
ceipSecGlobalActiveTunnels,
ceipSecGlobalPreviousTunnels,
ceipSecGlobalInOctets,
ceipSecGlobalInDecompOctets,
ceipSecGlobalInPkts,
ceipSecGlobalInDrops,
ceipSecGlobalInReplayDrops,
ceipSecGlobalInAuths,
ceipSecGlobalInAuthFails,
ceipSecGlobalInDecrypts,
ceipSecGlobalInDecryptFails,
ceipSecGlobalOutOctets,
ceipSecGlobalOutUncompOctets,
ceipSecGlobalOutPkts,
ceipSecGlobalOutDrops,
ceipSecGlobalOutAuths,
ceipSecGlobalOutAuthFails,
ceipSecGlobalOutEncrypts,
ceipSecGlobalOutEncryptFails,
ceipSecGlobalProtocolUseFails,
ceipSecGlobalNoSaFails,
ceipSecGlobalSysCapFails,
ceipSecGlobalOutCompressedPkts,
ceipSecGlobalOutCompSkippedPkts,
ceipSecGlobalOutCompFailPkts,
ceipSecGlobalOutCompTooSmallPkts,
-- The IPsec Phase-2 Tunnel Table
ceipSecTunEncapMode,
ceipSecTunLifeSize,
ceipSecTunLifeTime,
ceipSecTunActiveTime,
ceipSecTunSaLifeSizeThreshold,
ceipSecTunSaLifeTimeThreshold,
ceipSecTunTotalRefreshes,
ceipSecTunExpiredSaInstances,
ceipSecTunCurrentSaInstances,
ceipSecTunInSaDHGrp,
ceipSecTunInSaEncryptAlgo,
ceipSecTunInSaAhAuthAlgo,
ceipSecTunInSaEspAuthAlgo,
ceipSecTunInSaDecompAlgo,
ceipSecTunOutSaDHGrp,
ceipSecTunOutSaEncryptAlgo,
ceipSecTunOutSaAhAuthAlgo,
ceipSecTunOutSaEspAuthAlgo,
ceipSecTunOutSaCompAlgo,
ceipSecTunPmtu,
ceipSecTunInOctets,
ceipSecTunInDecompOctets,
ceipSecTunInPkts,
ceipSecTunInDropPkts,
ceipSecTunInReplayDropPkts,
ceipSecTunInAuths,
ceipSecTunInAuthFails,
ceipSecTunInDecrypts,
ceipSecTunInDecryptFails,
ceipSecTunOutOctets,
ceipSecTunOutUncompOctets,
ceipSecTunOutPkts,
ceipSecTunOutDropPkts,
ceipSecTunOutAuths,
ceipSecTunOutAuthFails,
ceipSecTunOutEncrypts,
ceipSecTunOutEncryptFails,
ceipSecTunOutCompressedPkts,
ceipSecTunOutCompSkippedPkts,
ceipSecTunOutCompFailPkts,
ceipSecTunOutCompTooSmallPkts,
ceipSecIfIndex,
ceipSecTunStatus,
ceipSecTunControlTunnelIndex,
ceipSecTunControlProtocol,
ceipSecTunControlTunnelAlive,
ceipSecTunInSaEncryptKeySize,
ceipSecTunOutSaEncryptKeySize,
ceipSecTunLocalAddressType,
ceipSecTunLocalAddress,
ceipSecTunRemoteAddressType,
ceipSecTunRemoteAddress,
ceipSecTunNATTraversalMode,
-- The IPsec Phase-2 Tunnel Endpoint Table
ceipSecEndPtLocalName,
ceipSecEndPtLocalType,
ceipSecEndPtLocalAddrType1,
ceipSecEndPtLocalAddr1,
ceipSecEndPtLocalAddrType2,
ceipSecEndPtLocalAddr2,
ceipSecEndPtLocalProtocol,
ceipSecEndPtLocalPort,
ceipSecEndPtRemoteName,
ceipSecEndPtRemoteType,
ceipSecEndPtRemoteAddrType1,
ceipSecEndPtRemoteAddr1,
ceipSecEndPtRemoteAddrType2,
ceipSecEndPtRemoteAddr2,
ceipSecEndPtRemoteProtocol,
ceipSecEndPtRemotePort,
-- The IPsec Phase-2 Security Association Table
ceipSecSaDirection,
ceipSecSaValue,
ceipSecSaStatus
}
    STATUS      current
    DESCRIPTION
        "This group consists of:
        1) IPsec Phase-2 Global Statistics
        2) IPsec Phase-2 Tunnel Table
        3) IPsec Phase-2 Endpoint Table
        4) IPsec Phase-2 Security Association Table"
    REFERENCE
        "rfc2408, rfc2407; rfc2409 section 5.5"
    ::= { ciscoIPsecFlowMIBGroups 1 }

ciscoEnhIPsecFlowCoreHistGroup OBJECT-GROUP
    OBJECTS {
-- IPsec History Global Control Objects
ceipSecHistTableSize
}
    STATUS      current
    DESCRIPTION
        "This group consists of the core (mandatory)
        objects pertaining to maintaining history of
        IPsec activity."
    ::= { ciscoIPsecFlowMIBGroups 2 }

ciscoEnhIPsecFlowHistoryGroup OBJECT-GROUP
    OBJECTS {
-- The IPsec Phase-2 History group
ceipSecTunHistTermReason,
ceipSecTunHistActiveIndex,
ceipSecTunHistEncapMode,
ceipSecTunHistLifeSize,
ceipSecTunHistLifeTime,
ceipSecTunHistStartTime,
ceipSecTunHistActiveTime,
ceipSecTunHistTotalRefreshes,
ceipSecTunHistTotalSas,
ceipSecTunHistInSaDHGrp,
ceipSecTunHistInSaEncryptAlgo,
ceipSecTunHistInSaAhAuthAlgo,
ceipSecTunHistInSaEspAuthAlgo,
ceipSecTunHistInSaDecompAlgo,
ceipSecTunHistOutSaDHGrp,
ceipSecTunHistOutSaEncryptAlgo,
ceipSecTunHistOutSaAhAuthAlgo,
ceipSecTunHistOutSaEspAuthAlgo,
ceipSecTunHistOutSaCompAlgo,
ceipSecTunHistPmtu,
ceipSecTunHistInOctets,
ceipSecTunHistInDecompOctets,
ceipSecTunHistInPkts,
ceipSecTunHistInDropPkts,
ceipSecTunHistInReplayDropPkts,
ceipSecTunHistInAuths,
ceipSecTunHistInAuthFails,
ceipSecTunHistInDecrypts,
ceipSecTunHistInDecryptFails,
ceipSecTunHistOutOctets,
ceipSecTunHistOutUncompOctets,
ceipSecTunHistOutPkts,
ceipSecTunHistOutDropPkts,
ceipSecTunHistOutAuths,
ceipSecTunHistOutAuthFails,
ceipSecTunHistOutEncrypts,
ceipSecTunHistOutEncryptFails,
ceipSecTunHistOutCompressedPkts,
ceipSecTunHistOutCompSkippedPkts,
ceipSecTunHistOutCompFailPkts,
ceipSecTunHistOutCompSmallPkts,
ceipSecTunHistControlProtocol,
ceipSecTunHistControlTunnelIndex,
ceipSecTunHistInSaEncryptKeySize,
ceipSecTunHistOutSaEncryptKeySz,
ceipSecTunHistLocalAddressType,
ceipSecTunHistLocalAddress,
ceipSecTunHistRemoteAddressType,
ceipSecTunHistRemoteAddress,
ceipSecTunHistNATTraversalMode,
-- The IPsec Phase-2 End Point History Table
ceipSecEndPtHistTunIndex,
ceipSecEndPtHistActiveIndex,
ceipSecEndPtHistLocalName,
ceipSecEndPtHistLocalType,
ceipSecEndPtHistLocalAddrType1,
ceipSecEndPtHistLocalAddr1,
ceipSecEndPtHistLocalAddrType2,
ceipSecEndPtHistLocalAddr2,
ceipSecEndPtHistLocalProtocol,
ceipSecEndPtHistLocalPort,
ceipSecEndPtHistRemoteName,
ceipSecEndPtHistRemoteType,
ceipSecEndPtHistRemoteAddrType1,
ceipSecEndPtHistRemoteAddr1,
ceipSecEndPtHistRemoteAddrType2,
ceipSecEndPtHistRemoteAddr2,
ceipSecEndPtHistRemoteProtocol,
ceipSecEndPtHistRemotePort
}
    STATUS      current
    DESCRIPTION
        "This group consists of objects that pertain
        to maintenance of history of IPsec Phase 2
        activity."
    ::= { ciscoIPsecFlowMIBGroups 3 }

ciscoEnhIPsecFlowCoreFailGroup OBJECT-GROUP
    OBJECTS {
-- Objects associated with implementing
-- core failure group.
ceipSecFailTableSize
}
    STATUS      current
    DESCRIPTION
        "This group consists of the core (mandatory)
        objects pertaining to maintaining history of
        failure IPsec activity."
    ::= { ciscoIPsecFlowMIBGroups 4 }

ciscoEnhIPsecFlowFailureGroup OBJECT-GROUP
    OBJECTS {
-- The IPsec Phase-2 Failure group
ceipSecFailReason,
ceipSecFailTime,
ceipSecFailTunnelIndex,
ceipSecFailSaSpi,
ceipSecFailPktSrcAddressType,
ceipSecFailPktSrcAddress,
ceipSecFailPktDstAddressType,
ceipSecFailPktDstAddress
}
    STATUS      current
    DESCRIPTION
        "This group consists of objects that pertain
        to maintenance of history of failures
        associated with Phase 2 IPsec activity."
    ::= { ciscoIPsecFlowMIBGroups 5 }

ciscoEnhIPsecFlowNotifCntlGroup OBJECT-GROUP
    OBJECTS {
ceipSecNotiCntlIpSecAllNotifs,
ceipSecNotifCntlIpSecTunnelStart,
ceipSecNotifCntlIpSecTunnelStop,
ceipSecNotifCntlIpSecSysFailure,
ceipSecNotifCntlIpSecSetUpFail,
ceipSecNotifCntlIpSecBadSa
}
    STATUS      current
    DESCRIPTION
        "This group of objects controls the sending
        of notifications pertaining to IPsec Phase-2
        processing."
    ::= { ciscoIPsecFlowMIBGroups 6 }

ciscoEnhIPsecFlowNotifGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
ciscoEnhIpsecFlowTunnelStart,
ciscoEnhIpsecFlowTunnelStop,
ciscoEnhIpsecFlowSysFailure,
ciscoEnhIpsecFlowSetupFail,
ciscoEnhIpsecFlowBadSa
}
    STATUS      current
    DESCRIPTION
        "This group contains the notifications pertaining
        to Phase-2 operations and data transfer."
    REFERENCE
        "rfc2408, rfc2407; rfc2409 section 5.5"
    ::= { ciscoIPsecFlowMIBGroups 7 }

ciscoEnhIPsecFlowTunnelSaGroup OBJECT-GROUP
    OBJECTS {
ceipSecTunSaValue,
ceipSecTunSaIfIndex,
ceipSecTunSaInOctets,
ceipSecTunSaInDecompOctets,
ceipSecTunSaInPkts,
ceipSecTunSaInDropPkts,
ceipSecTunSaInReplayDropPkts,
ceipSecTunSaInAuths,
ceipSecTunSaInAuthFails,
ceipSecTunSaInDecrypts,
ceipSecTunSaInDecryptFails,
ceipSecTunSaOutOctets,
ceipSecTunSaOutUncompOctets,
ceipSecTunSaOutPkts,
ceipSecTunSaOutDropPkts,
ceipSecTunSaOutAuths,
ceipSecTunSaOutAuthFails,
ceipSecTunSaOutEncrypts,
ceipSecTunSaOutEncryptFails,
ceipSecTunSaOutCompressedPkts,
ceipSecTunSaOutCompSkippedPkts,
ceipSecTunSaOutCompFailPkts,
ceipSecTunSaOutCompTooSmallPkts,
ceipSecTunSaStatus,
ceipSecIfTunnelStatus
}
    STATUS      current
    DESCRIPTION
        "This group consists of the Phase-2 IPsec tunnel
        Security Association and traffic information."
    ::= { ciscoIPsecFlowMIBGroups 8 }

END