-- *------------------------------------------------------------------
-- * CISCO-IKE-CONFIGURATION-MIB.my
-- * IKE Configuration MIB
-- *
-- * September 2004, S Ramakrishnan
-- *
-- * Copyright (c) 2004 by cisco Systems, Inc.
-- * All rights reserved.
-- *------------------------------------------------------------------

CISCO-IKE-CONFIGURATION-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    NOTIFICATION-TYPE,
    Unsigned32
        FROM SNMPv2-SMI
    RowStatus,
    TruthValue,
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    MODULE-COMPLIANCE,
    OBJECT-GROUP,
    NOTIFICATION-GROUP
        FROM SNMPv2-CONF
    InetAddress,
    InetAddressType,
    InetAddressPrefixLength
        FROM INET-ADDRESS-MIB
    CIPsecPhase1PeerIdentityType,
    CIPsecIkeAuthMethod,
    CIPsecDiffHellmanGrp,
    CIPsecIkeHashAlgorithm,
    CIPsecEncryptAlgorithm,
    CIPsecIkePRFAlgorithm,
    CIKEIsakmpDoi,
    CIKELifetime,
    CIPsecControlProtocol,
    CIKELifesize
        FROM CISCO-IPSEC-TC
    ciscoMgmt
        FROM CISCO-SMI;


ciscoIkeConfigMIB MODULE-IDENTITY
    LAST-UPDATED    "200409160000Z"
    ORGANIZATION    "Cisco Systems"
    CONTACT-INFO
            "Cisco Systems
            Customer Service

            Postal: 170 W Tasman Drive
                    San Jose, CA  95134
                    USA

            Tel: +1 800 553-NETS

            E-mail: cs-ipsecmib@external.cisco.com"
    DESCRIPTION
        "This is a MIB Module for configuring and viewing IKE
        parameters and policies.

        Acronyms
        The following acronyms are used in this document:

            IPsec:  IP Security Protocol

            VPN:    Virtual Private Network

            ISAKMP: Internet Security Association and Key
                    Management Protocol (ref: rfc2408)

            IKE:    Internet Key Exchange Protocol

            DOI:    Domain of Interpretation (of the attributes
                    of the IKE protocol in the context of a specific
                    Phase-2 protocol).

            SA:     Security Association
                    (ref: rfc2408).

            SPI:    Security Parameter Index is the pointer or
                    identifier used in accessing SA attributes
                    (ref: rfc2408).

            MM:     Main Mode - the process of setting up
                    a Phase 1 SA to secure the exchanges
                    required to set up Phase 2 SAs

            Phase 1 Tunnel:
                    An ISAKMP SA can be regarded as representing
                    a flow of ISAKMP/IKE traffic. Hence an ISAKMP
                    SA is referred to as a 'Phase 1 Tunnel' in this
                    document.

            Phase 2 Tunnel:
                    A Phase 2 Tunnel is an instance of a
                    non-ISAKMP SA bundle in which all the SAs
                    share the same proxy identifiers (IDii, IDir)
                    and protect the same stream of application
                    traffic.
                    Note that a Phase 2 tunnel comprises one
                    SA bundle at any given point in time, but
                    the SA bundle changes with time due to
                    key refresh.

        History of the MIB
        This MIB was originally written as CISCO-IPSEC-MIB,
        which combined the configuration of the IKE and IPsec
        protocols into a single MIB."
    REVISION        "200409160000Z"
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { ciscoMgmt 423 }


cicIkeConfigMIBNotifs  OBJECT IDENTIFIER ::= { ciscoIkeConfigMIB 0 }
cicIkeConfigMIBObjects  OBJECT IDENTIFIER ::= { ciscoIkeConfigMIB 1 }
cicIkeConfigMIBConform  OBJECT IDENTIFIER ::= { ciscoIkeConfigMIB 2 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- IKE Configuration MIB Object Groups
--
-- This MIB module contains the following groups:
--      1) IKE Enabler group
--      2) IKE Identity group
--      3) IKE Failure Recovery group
--      4) IKE Peer authentication group
--      5) IKE Connection policies
--      6) IKE Service control
--      7) IKE configuration Notifications
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

cicIkeCfgOperations  OBJECT IDENTIFIER ::= { cicIkeConfigMIBObjects 1 }
cicIkeCfgIdentities  OBJECT IDENTIFIER ::= { cicIkeConfigMIBObjects 2 }
cicIkeCfgFailureRecovery  OBJECT IDENTIFIER ::= { cicIkeConfigMIBObjects 3 }
cicIkeCfgPeerAuth  OBJECT IDENTIFIER ::= { cicIkeConfigMIBObjects 4 }
cicIkeCfgPskAuthConfig  OBJECT IDENTIFIER ::= { cicIkeCfgPeerAuth 1 }
cicIkeCfgNonceAuthConfig  OBJECT IDENTIFIER ::= { cicIkeCfgPeerAuth 2 }
cicIkeCfgPkiAuthConfig  OBJECT IDENTIFIER ::= { cicIkeCfgPeerAuth 3 }
cicIkeCfgPolicies  OBJECT IDENTIFIER ::= { cicIkeConfigMIBObjects 5 }
cicIkeCfgServiceControl  OBJECT IDENTIFIER ::= { cicIkeConfigMIBObjects 6 }
cicIkeCfgCallAdmssionnCtrl  OBJECT IDENTIFIER ::= { cicIkeCfgServiceControl 1 }
cicIkeCfgQoSControl  OBJECT IDENTIFIER ::= { cicIkeCfgServiceControl 2 }
cicIkeConfigMibNotifCntl  OBJECT IDENTIFIER ::= { cicIkeConfigMIBObjects 7 }


-- Textual conventions

CicIkeConfigPskIndex ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "An arbitrary unique value identifying the
        configured pre-shared keys."
    SYNTAX          Unsigned32 (1..65535)

CicIkeConfigInitiatorIndex ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "An arbitrary unique value identifying the
        configured IKE version initiator."
    SYNTAX          Unsigned32 (1..65535)

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Objects to control the IKE operational state.
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

cicIkeEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object reflects the operational status (enabled/
        disabled) of the IKE entity on the managed device.
            'true'  - IKE is enabled.
            'false' - IKE is disabled."
    ::= { cicIkeCfgOperations 1 }

cicIkeAggressModeEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object reflects if the IKE entity on the managed
        device performs aggressive mode negotiations.
            'true'  - IKE entity performs aggressive mode
                      negotiations.
            'false' - IKE entity does not perform aggressive mode
                      negotiations."
    ::= { cicIkeCfgOperations 2 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Objects to show and control the IKE identity of the
-- local entity.
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

cicIkeCfgIdentityTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CicIkeCfgIdentityEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table containing the list of Phase-1 identities
        used by the IKE protocol for the different Phase-2
        DOIs it operates in."
    ::= { cicIkeCfgIdentities 1 }

cicIkeCfgIdentityEntry OBJECT-TYPE
    SYNTAX          CicIkeCfgIdentityEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry represents a Phase-1 identity
        used by IKE for a specific Phase-2 DOI."
    INDEX           { cicIkeCfgIdentityDoi } 
    ::= { cicIkeCfgIdentityTable 1 }

CicIkeCfgIdentityEntry ::= SEQUENCE {
        cicIkeCfgIdentityDoi  CIKEIsakmpDoi,
        cicIkeCfgIdentityType CIPsecPhase1PeerIdentityType
}

cicIkeCfgIdentityDoi OBJECT-TYPE
    SYNTAX          CIKEIsakmpDoi
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This is the DOI type that is supported
        by this IKE entity on the managed device and
        for which the Phase-1 identity corresponding to this
        conceptual row is being defined."
    ::= { cicIkeCfgIdentityEntry 1 }

cicIkeCfgIdentityType OBJECT-TYPE
    SYNTAX          CIPsecPhase1PeerIdentityType
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "The Phase-1 identity type used by the Phase-2 DOI
        corresponding to this conceptual row."
    ::= { cicIkeCfgIdentityEntry 2 }


cicIkeCfgInitiatorNextAvailTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CicIkeCfgInitiatorNextAvailEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table providing the next available index for
        the cicIkeCfgInitiatorTable, in a domain of
        interpretation (DOI), identified by
        cicIkeCfgIdentityDoi. This value is only a
        recommended value; the user can choose to
        use a different value to create an entry
        in the cicIkeCfgInitiatorTable."
    ::= { cicIkeCfgIdentities 2 }

cicIkeCfgInitiatorNextAvailEntry OBJECT-TYPE
    SYNTAX          CicIkeCfgInitiatorNextAvailEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry represents a next available index
        for the cicIkeCfgInitiatorTable."
    AUGMENTS        { cicIkeCfgIdentityEntry  } 
    ::= { cicIkeCfgInitiatorNextAvailTable 1 }

CicIkeCfgInitiatorNextAvailEntry ::= SEQUENCE {
        cicIkeCfgInitiatorNextAvailIndex CicIkeConfigInitiatorIndex
}

cicIkeCfgInitiatorNextAvailIndex OBJECT-TYPE
    SYNTAX          CicIkeConfigInitiatorIndex
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The object specifies the next available index for
        object cicIkeCfgInitiatorIndex which can be used for
        creating an entry in cicIkeCfgInitiatorTable."
    ::= { cicIkeCfgInitiatorNextAvailEntry 1 }


cicIkeCfgInitiatorTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CicIkeCfgInitiatorEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table containing the IKE version initiators
        for peers."
    ::= { cicIkeCfgIdentities 3 }

cicIkeCfgInitiatorEntry OBJECT-TYPE
    SYNTAX          CicIkeCfgInitiatorEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry represents the IKE protocol version
        initiated when connecting to a remote peer."
    INDEX           {
                        cicIkeCfgIdentityDoi,
                        cicIkeCfgInitiatorIndex
                    } 
    ::= { cicIkeCfgInitiatorTable 1 }

CicIkeCfgInitiatorEntry ::= SEQUENCE {
        cicIkeCfgInitiatorIndex     CicIkeConfigInitiatorIndex,
        cicIkeCfgInitiatorPAddrType CIPsecPhase1PeerIdentityType,
        cicIkeCfgInitiatorPAddr     OCTET STRING,
        cicIkeCfgInitiatorVer       CIPsecControlProtocol,
        cicIkeCfgInitiatorStatus    RowStatus
}

cicIkeCfgInitiatorIndex OBJECT-TYPE
    SYNTAX          CicIkeConfigInitiatorIndex
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An arbitrary value identifying the configured
        IKE version initiated for a peer in this domain of
        interpretation, identified by cicIkeCfgIdentityDoi,
        on a managed device. This object could have the
        same value as cicIkeCfgInitiatorNextAvailIndex."
    ::= { cicIkeCfgInitiatorEntry 1 }

cicIkeCfgInitiatorPAddrType OBJECT-TYPE
    SYNTAX          CIPsecPhase1PeerIdentityType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The Phase 1 ID type of the remote peer for which
        this IKE protocol initiator is configured.

        This object cannot be modified while the
        corresponding value of cicIkeCfgInitiatorStatus is
        equal to 'active'."
    ::= { cicIkeCfgInitiatorEntry 2 }

cicIkeCfgInitiatorPAddr OBJECT-TYPE
    SYNTAX          OCTET STRING (SIZE  (1..255))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object represents the address of the remote
        peer corresponding to this conceptual row.

        This object cannot be modified while the
        corresponding value of cicIkeCfgInitiatorStatus is
        equal to 'active'."
    ::= { cicIkeCfgInitiatorEntry 3 }

cicIkeCfgInitiatorVer OBJECT-TYPE
    SYNTAX          CIPsecControlProtocol
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object represents the IKE protocol version
        used when connecting to the remote peer specified in
        cicIkeCfgInitiatorPAddr.

        This object cannot be modified while the
        corresponding value of cicIkeCfgInitiatorStatus is
        equal to 'active'."
    ::= { cicIkeCfgInitiatorEntry 4 }

cicIkeCfgInitiatorStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The status of this conceptual row. To configure an
        IKE version initiator entry, the NMS must do a
        multi-varbind set containing
        cicIkeCfgInitiatorPAddrType, cicIkeCfgInitiatorPAddr
        and cicIkeCfgInitiatorVer.
        Creation of a row can only be done via 'createAndGo'.
        To remove a row, set this object value to 'destroy'."
    ::= { cicIkeCfgInitiatorEntry 5 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Objects to show and control IKE failure recovery.
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

cicIkeCfgFailureRecovConfigTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CicIkeCfgFailureRecovConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table containing the failure recovery
        configuration for IKE per supported DOI in the
        managed entity."
    ::= { cicIkeCfgFailureRecovery 1 }

cicIkeCfgFailureRecovConfigEntry OBJECT-TYPE
    SYNTAX          CicIkeCfgFailureRecovConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry represents a Phase-1 failure recovery
        configuration for the Phase-2 DOI corresponding
        to the conceptual row."
    AUGMENTS        { cicIkeCfgIdentityEntry  } 
    ::= { cicIkeCfgFailureRecovConfigTable 1 }

CicIkeCfgFailureRecovConfigEntry ::= SEQUENCE {
        cicIkeKeepAliveEnabled       TruthValue,
        cicIkeKeepAliveType          INTEGER,
        cicIkeKeepAliveInterval      Unsigned32,
        cicIkeKeepAliveRetryInterval Unsigned32,
        cicIkeInvalidSpiNotify       TruthValue
}

cicIkeKeepAliveEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object reflects if the IKE entity in the
        managed device performs keepalives with all the
        peers for the DOI corresponding to this
        conceptual row.
            'true'  - keepalives are performed.
            'false' - no keepalives are performed."
    ::= { cicIkeCfgFailureRecovConfigEntry 1 }

cicIkeKeepAliveType OBJECT-TYPE
    SYNTAX          INTEGER  {
                        none(1),
                        periodic(2),
                        ondemand(3)
                    }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object reflects the type of keepalives to be used
        by the IKE entity on the managed device with all the
        peers for the DOI corresponding to this conceptual row."
    ::= { cicIkeCfgFailureRecovConfigEntry 2 }

cicIkeKeepAliveInterval OBJECT-TYPE
    SYNTAX          Unsigned32 (1..86400)
    UNITS           "seconds"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object reflects the keepalive interval in
        seconds used by the IKE entity on the managed
        device with all the peers for the DOI corresponding
        to this conceptual row."
    ::= { cicIkeCfgFailureRecovConfigEntry 3 }

cicIkeKeepAliveRetryInterval OBJECT-TYPE
    SYNTAX          Unsigned32 (1..600)
    UNITS           "seconds"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object reflects the keepalive retry interval
        in seconds used by the IKE entity on the managed
        device with all the peers for the DOI corresponding
        to this conceptual row."
    ::= { cicIkeCfgFailureRecovConfigEntry 4 }

cicIkeInvalidSpiNotify OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object reflects if the IKE entity on the managed
        device notifies a peer when an IPsec Phase-1 or
        Phase-2 packet with an invalid SPI is received from
        that peer for the DOI corresponding to this
        conceptual row.
            'true'  - IKE entity notifies the peer.
            'false' - IKE entity does not notify the peer."
    ::= { cicIkeCfgFailureRecovConfigEntry 5 }

--
-- Table giving next available index for pre-shared
-- authentication key table
--

cicIkeCfgPskNextAvailTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CicIkeCfgPskNextAvailEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table providing the next available index for the
        cicIkeCfgPskTable, in a domain of interpretation (DOI),
        identified by cicIkeCfgIdentityDoi.
        This value is only a recommended value; the user
        can choose to use a different value to create an
        entry in the cicIkeCfgPskTable."
    ::= { cicIkeCfgPskAuthConfig 1 }

cicIkeCfgPskNextAvailEntry OBJECT-TYPE
    SYNTAX          CicIkeCfgPskNextAvailEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry represents a next available index for the
        cicIkeCfgPskTable."
    AUGMENTS        { cicIkeCfgIdentityEntry  } 
    ::= { cicIkeCfgPskNextAvailTable 1 }

CicIkeCfgPskNextAvailEntry ::= SEQUENCE {
        cicIkeCfgPskNextAvailIndex CicIkeConfigPskIndex
}

cicIkeCfgPskNextAvailIndex OBJECT-TYPE
    SYNTAX          CicIkeConfigPskIndex
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The object specifies the next available index for
        object cicIkeCfgPskIndex which can be used for
        creating an entry in cicIkeCfgPskTable."
    ::= { cicIkeCfgPskNextAvailEntry 1 }

--
-- IKE pre-shared authentication key table
--

cicIkeCfgPskTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CicIkeCfgPskEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table containing the list of pre-shared
        authentication keys configured to be used by the
        IKE protocol, catalogued by the DOI and the peer
        identity. It is possible to have
        multiple peers per DOI."
    ::= { cicIkeCfgPskAuthConfig 2 }

cicIkeCfgPskEntry OBJECT-TYPE
    SYNTAX          CicIkeCfgPskEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry represents a configured pre-shared
        authentication key for a specific peer."
    INDEX           {
                        cicIkeCfgIdentityDoi,
                        cicIkeCfgPskIndex
                    } 
    ::= { cicIkeCfgPskTable 1 }

CicIkeCfgPskEntry ::= SEQUENCE {
        cicIkeCfgPskIndex              CicIkeConfigPskIndex,
        cicIkeCfgPskKey                OCTET STRING,
        cicIkeCfgPskRemIdentType       CIPsecPhase1PeerIdentityType,
        cicIkeCfgPskRemIdentTypeStand  InetAddressType,
        cicIkeCfgPskRemIdentity        OCTET STRING,
        cicIkeCfgPskRemIdAddrOrRg1OrSn InetAddress,
        cicIkeCfgPskRemIdAddrRange2    InetAddress,
        cicIkeCfgPskRemIdSubnetMask    InetAddressPrefixLength,
        cicIkeCfgPskStatus             RowStatus
}

cicIkeCfgPskIndex OBJECT-TYPE
    SYNTAX          CicIkeConfigPskIndex
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An arbitrary value identifying the configured
        pre-shared keys for the IKE entity in this domain of
        interpretation, identified by cicIkeCfgIdentityDoi,
        on a managed device. This object could have the
        same value as cicIkeCfgPskNextAvailIndex."
    ::= { cicIkeCfgPskEntry 1 }

cicIkeCfgPskKey OBJECT-TYPE
    SYNTAX          OCTET STRING (SIZE  (1..255))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The pre-shared authentication key used in
        authenticating the peer corresponding to this
        conceptual row.

        This object cannot be modified while the
        corresponding value of cicIkeCfgPskStatus is equal
        to 'active'."
    ::= { cicIkeCfgPskEntry 2 }

cicIkeCfgPskRemIdentType OBJECT-TYPE
    SYNTAX          CIPsecPhase1PeerIdentityType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The Phase 1 ID type of the remote peer identity for
        which this pre-shared key is configured.

        This object cannot be modified while the
        corresponding value of cicIkeCfgPskStatus is equal
        to 'active'."
    ::= { cicIkeCfgPskEntry 3 }

cicIkeCfgPskRemIdentTypeStand OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "If the object 'cicIkeCfgPskRemIdentType' is one
        of
            idIpv4Addr
            idIpv6Addr
            idIpv4AddrRange
            idIpv6AddrRange
            idIpv4AddrSubnet
            idIpv6AddrSubnet
        then this object contains the type of InetAddress
        for the corresponding value(s) of
        cicIkeCfgPskRemIdAddrOrRg1OrSn,
        cicIkeCfgPskRemIdAddrRange2 and/or
        cicIkeCfgPskRemIdSubnetMask.

        This object has the value 'unknown' for other
        values of cicIkeCfgPskRemIdentType."
    ::= { cicIkeCfgPskEntry 4 }

cicIkeCfgPskRemIdentity OBJECT-TYPE
    SYNTAX          OCTET STRING (SIZE  (1..255))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The Phase 1 ID identity of the peer for which
        this pre-shared key is configured on the local entity.

        This object cannot be modified while the
        corresponding value of cicIkeCfgPskStatus is equal to
        'active'."
    ::= { cicIkeCfgPskEntry 5 }

cicIkeCfgPskRemIdAddrOrRg1OrSn OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "If the object cicIkeCfgPskRemIdentType is one
        of
            idIpv4Addr
            idIpv6Addr
            idIpv4AddrRange
            idIpv6AddrRange
            idIpv4AddrSubnet
            idIpv6AddrSubnet
        then this object contains the first or only
        component of the Phase 1 identity. Otherwise, the
        value contained in this object will be a zero
        length string which should be disregarded."
    ::= { cicIkeCfgPskEntry 6 }

cicIkeCfgPskRemIdAddrRange2 OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "If the object cicIkeCfgPskRemIdentType is one
        of
            idIpv4AddrRange
            idIpv6AddrRange
        then this object contains the second component of
        the Phase 1 identity. Otherwise, the
        value contained in this object will be a zero
        length string which should be disregarded."
    ::= { cicIkeCfgPskEntry 7 }

cicIkeCfgPskRemIdSubnetMask OBJECT-TYPE
    SYNTAX          InetAddressPrefixLength
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "If the object 'cicIkeCfgPskRemIdentType' is one of
            idIpv4AddrSubnet
            idIpv6AddrSubnet
        then this object contains the second component of
        the Phase 1 identity.
        Otherwise, the value contained in this object will
        be zero, which should be disregarded."
    ::= { cicIkeCfgPskEntry 8 }

cicIkeCfgPskStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The status of this conceptual row. To configure
        a pre-shared authentication key entry, the NMS must
        do a multi-varbind set containing cicIkeCfgPskKey,
        cicIkeCfgPskRemIdentType and cicIkeCfgPskRemIdentity.
        Creation of a row can only be done via 'createAndGo'.
        To remove a row, set this object value to 'destroy'."
    ::= { cicIkeCfgPskEntry 9 }
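The row-lifecycle rules that cicIkeCfgInitiatorStatus and cicIkeCfgPskStatus state only in prose (creation via 'createAndGo' alone, the multi-varbind SET must carry the listed columns, no column may be modified while the row is 'active', 'destroy' removes the row, the NextAvailIndex objects are read-only hints) are easiest to check against an executable model. The Python below is an added example written for this page, not Cisco agent code and not part of the MIB. It models cicIkeCfgPskTable only, derives cicIkeCfgPskRemIdentTypeStand from cicIkeCfgPskRemIdentType exactly as that object's description specifies, and applies the (cicNotifCntlIkeAllNotifs && cicNotifCntlIke<foo>) gate from the notification-control section to ciscoIkeConfigPskAdded and ciscoIkeConfigPskDeleted, sending the latter before the row disappears, as its description requires. The identity-type labels are those the descriptions cite; the RowStatus and InetAddressType numbers are the standard ones from SNMPv2-TC and INET-ADDRESS-MIB; the DOI value, index, key and identities in the demo are constructed. One caveat a practitioner should keep in mind: cicIkeCfgPskKey is read-create (MIN-ACCESS read-only in the compliance statement), so nothing in the module forbids an agent returning the key on a GET; SNMP access to this table needs the same protection as the device configuration itself.

```python
"""Model of the cicIkeCfgPskTable row rules in CISCO-IKE-CONFIGURATION-MIB.

Added example for this page; not Cisco code. All values in scenario()
are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ACTIVE, CREATE_AND_GO, DESTROY = 1, 4, 6   # RowStatus (SNMPv2-TC), the three
                                            # values the compliance clause requires
UNKNOWN, IPV4, IPV6 = 0, 1, 2               # InetAddressType (INET-ADDRESS-MIB)

# Columns a createAndGo SET must carry, per cicIkeCfgPskStatus.
REQUIRED = {"cicIkeCfgPskKey", "cicIkeCfgPskRemIdentType", "cicIkeCfgPskRemIdentity"}
# Identity types for which cicIkeCfgPskRemIdentTypeStand is not 'unknown'.
IPV4_IDS = {"idIpv4Addr", "idIpv4AddrRange", "idIpv4AddrSubnet"}
IPV6_IDS = {"idIpv6Addr", "idIpv6AddrRange", "idIpv6AddrSubnet"}


class SnmpError(Exception):
    """Carries the SNMP error-status the agent would return for the SET."""


@dataclass
class PskRow:
    columns: dict
    status: int = ACTIVE

    @property
    def rem_ident_type_stand(self) -> int:
        """cicIkeCfgPskRemIdentTypeStand, derived from cicIkeCfgPskRemIdentType."""
        t = self.columns["cicIkeCfgPskRemIdentType"]
        return IPV4 if t in IPV4_IDS else IPV6 if t in IPV6_IDS else UNKNOWN


@dataclass
class PskTable:
    all_notifs: bool = True            # cicNotifCntlIkeAllNotifs (DEFVAL true)
    psk_added: bool = True             # cicNotifCntlIkePskAdded
    psk_deleted: bool = True           # cicNotifCntlIkePskDeleted
    rows: dict = field(default_factory=dict)           # (doi, index) -> PskRow
    notifications: list = field(default_factory=list)  # traps the agent emitted

    def next_avail_index(self, doi: int) -> int:
        """cicIkeCfgPskNextAvailIndex for one DOI: the lowest unused index."""
        used = {idx for (d, idx) in self.rows if d == doi}
        return next(i for i in range(1, 65536) if i not in used)

    def set(self, doi: int, index: int, varbinds: dict) -> None:
        """Apply one SET PDU to row (doi, index); varbinds maps column -> value."""
        status = varbinds.get("cicIkeCfgPskStatus")
        row = self.rows.get((doi, index))
        if row is None:                                   # creation path
            if status != CREATE_AND_GO:
                raise SnmpError("noCreation")
            if not REQUIRED.issubset(varbinds):
                raise SnmpError("inconsistentValue")
            self.rows[(doi, index)] = PskRow(
                {k: v for k, v in varbinds.items() if k != "cicIkeCfgPskStatus"})
            self._notify("ciscoIkeConfigPskAdded", self.psk_added, doi, index)
            return
        if status == DESTROY:                             # removal path
            self._notify("ciscoIkeConfigPskDeleted", self.psk_deleted, doi, index)
            del self.rows[(doi, index)]
            return
        if status not in (None, ACTIVE):
            raise SnmpError("inconsistentValue")
        # Every read-create column is frozen while the row is active.
        if row.status == ACTIVE and any(k != "cicIkeCfgPskStatus" for k in varbinds):
            raise SnmpError("inconsistentValue")

    def _notify(self, name: str, enabled: bool, doi: int, index: int) -> None:
        if self.all_notifs and enabled:   # (AllNotifs && per-notification flag)
            cols = self.rows[(doi, index)].columns
            self.notifications.append(   # the two OBJECTS the notification carries
                (name, cols["cicIkeCfgPskRemIdentType"], cols["cicIkeCfgPskRemIdentity"]))


def error_of(table: PskTable, doi: int, index: int, varbinds: dict) -> str | None:
    """Return the error-status a SET would produce, or None when it succeeds."""
    try:
        table.set(doi, index, varbinds)
    except SnmpError as e:
        return str(e)
    return None


def scenario() -> dict:
    """Walk the lifecycle the module prescribes; returns what each step produced."""
    t, out = PskTable(), {}
    idx = t.next_avail_index(1)                      # DOI value 1 is constructed
    create = {"cicIkeCfgPskStatus": CREATE_AND_GO, "cicIkeCfgPskKey": b"example-psk",
              "cicIkeCfgPskRemIdentType": "idIpv4AddrSubnet",
              "cicIkeCfgPskRemIdentity": "192.0.2.0/24"}   # constructed values
    out["create"] = error_of(t, 1, idx, create)
    out["type_stand"] = t.rows[(1, idx)].rem_ident_type_stand
    out["next"] = t.next_avail_index(1)
    out["partial"] = error_of(t, 1, 2, {"cicIkeCfgPskStatus": CREATE_AND_GO,
                                        "cicIkeCfgPskKey": b"x"})
    out["no_create"] = error_of(t, 1, 2, dict(create, cicIkeCfgPskStatus=ACTIVE))
    out["rekey_active"] = error_of(t, 1, idx, {"cicIkeCfgPskKey": b"new"})
    t.all_notifs = False                             # master switch gates PskDeleted
    out["destroy"] = error_of(t, 1, idx, {"cicIkeCfgPskStatus": DESTROY})
    out["rows_left"] = len(t.rows)
    out["notifications"] = t.notifications
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

Changing a key therefore means destroy plus createAndGo, never an in-place SET; an NMS that tries the latter gets inconsistentValue, which is the behaviour the descriptions imply when they say the columns cannot be modified while the row is 'active'.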
--
-- Cisco ISAKMP Policy Entries
--

cicIkeCfgPolicyTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CicIkeCfgPolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table containing the list of all
        ISAKMP policy entries configured by the operator."
    ::= { cicIkeCfgPolicies 1 }

cicIkeCfgPolicyEntry OBJECT-TYPE
    SYNTAX          CicIkeCfgPolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry contains the attributes associated with
        a single ISAKMP Policy entry."
    INDEX           {
                        cicIkeCfgIdentityDoi,
                        cicIkeCfgPolicyPriority
                    } 
    ::= { cicIkeCfgPolicyTable 1 }

CicIkeCfgPolicyEntry ::= SEQUENCE {
        cicIkeCfgPolicyPriority Unsigned32,
        cicIkeCfgPolicyEncr     CIPsecEncryptAlgorithm,
        cicIkeCfgPolicyHash     CIPsecIkeHashAlgorithm,
        cicIkeCfgPolicyPRF      CIPsecIkePRFAlgorithm,
        cicIkeCfgPolicyAuth     CIPsecIkeAuthMethod,
        cicIkeCfgPolicyDHGroup  CIPsecDiffHellmanGrp,
        cicIkeCfgPolicyLifetime CIKELifetime,
        cicIkeCfgPolicyLifesize CIKELifesize,
        cicIkeCfgPolicyStatus   RowStatus
}

cicIkeCfgPolicyPriority OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65534)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The priority of this ISAKMP Policy entry. The policy
        with the lower value takes precedence over
        the policy with the higher value in the same DOI."
    ::= { cicIkeCfgPolicyEntry 1 }

cicIkeCfgPolicyEncr OBJECT-TYPE
    SYNTAX          CIPsecEncryptAlgorithm
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The encryption transform specified by this
        ISAKMP policy specification. The Internet Key
        Exchange (IKE) tunnels set up using this policy item
        use the specified encryption transform to protect
        the ISAKMP PDUs."
    DEFVAL          { esp3des } 
    ::= { cicIkeCfgPolicyEntry 2 }

cicIkeCfgPolicyHash OBJECT-TYPE
    SYNTAX          CIPsecIkeHashAlgorithm
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The hash transform specified by this
        ISAKMP policy specification. The IKE tunnels
        set up using this policy item use the
        specified hash transform to protect the
        ISAKMP PDUs."
    DEFVAL          { sha } 
    ::= { cicIkeCfgPolicyEntry 3 }

cicIkeCfgPolicyPRF OBJECT-TYPE
    SYNTAX          CIPsecIkePRFAlgorithm
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The Pseudo Random Function algorithm specified by
        this ISAKMP policy specification. The value of this
        object is only used for IKEv2."
    DEFVAL          { prfHmacSha1 } 
    ::= { cicIkeCfgPolicyEntry 4 }

cicIkeCfgPolicyAuth OBJECT-TYPE
    SYNTAX          CIPsecIkeAuthMethod
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The peer authentication method specified by
        this ISAKMP policy specification. If this policy
        entry is selected for negotiation with a peer,
        the local entity authenticates the peer using
        the method specified by this object."
    DEFVAL          { preSharedKey } 
    ::= { cicIkeCfgPolicyEntry 5 }

cicIkeCfgPolicyDHGroup OBJECT-TYPE
    SYNTAX          CIPsecDiffHellmanGrp
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the Oakley group used
        for the Diffie-Hellman exchange in Main Mode.
        If this policy item is selected to negotiate
        Main Mode with an IKE peer, the local entity
        chooses the group specified by this object to
        perform the Diffie-Hellman exchange with the
        peer."
    DEFVAL          { modp1024 } 
    ::= { cicIkeCfgPolicyEntry 6 }

cicIkeCfgPolicyLifetime OBJECT-TYPE
    SYNTAX          CIKELifetime
    UNITS           "seconds"
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the lifetime in seconds
        of the IKE tunnels generated using this
        policy specification."
    DEFVAL          { 86400 } 
    ::= { cicIkeCfgPolicyEntry 7 }

cicIkeCfgPolicyLifesize OBJECT-TYPE
    SYNTAX          CIKELifesize
    UNITS           "kbytes"
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the life size in Kbytes
        of the IKE tunnels generated using this
        policy specification."
    DEFVAL          { 2560 } 
    ::= { cicIkeCfgPolicyEntry 8 }

cicIkeCfgPolicyStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object specifies the status of the ISAKMP
        policy corresponding to this conceptual row.
        Creation of a row can only be done via 'createAndGo'.
        To remove a row, set this object value to 'destroy'."
    ::= { cicIkeCfgPolicyEntry 9 }
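For an auditor the objects that matter are cicIkeAggressModeEnabled and the policy table just defined, read in cicIkeCfgPolicyPriority order (lowest value first, as its description says, so that row is the one the device proposes first). The script below is an added example for this page, not Cisco code and not part of the MIB. It consumes a walk already resolved to enumeration labels, the way a MIB-aware walker prints them, keyed by numeric OIDs built from the module's own assignments (ciscoMgmt 423, cicIkeConfigMIBObjects 1, cicIkeCfgOperations 1, cicIkeCfgPolicies 5, cicIkeCfgPolicyEntry 1). The labels it treats as weak (espDes, espNull, md5, modp768, modp1024) and the strong ones in the sample (espAes, modp1536, rsaSig) are assumptions about CISCO-IPSEC-TC, which this module imports but does not reproduce; only the DEFVAL labels (esp3des, sha, prfHmacSha1, preSharedKey, modp1024) appear in the module itself. The DOI index value 1 and the walk contents are constructed. The one combination it flags that no single object reveals is aggressive mode together with preSharedKey authentication: in aggressive mode the responder's authentication hash is sent before the exchange is encrypted, so a captured exchange permits offline guessing of the PSK.

```python
"""Audit of IKE settings read through CISCO-IKE-CONFIGURATION-MIB.

Added example for this page; not Cisco code. The walk is a dict of
numeric OID -> value with enumerations already resolved to their labels,
as a MIB-aware walker prints them.
"""
from __future__ import annotations

from dataclasses import dataclass

# OIDs from the module: ciscoIkeConfigMIB = { ciscoMgmt 423 },
# cicIkeConfigMIBObjects = 1, cicIkeCfgOperations = 1, cicIkeCfgPolicies = 5.
MIB = "1.3.6.1.4.1.9.9.423"
CIC_IKE_ENABLED = MIB + ".1.1.1.0"           # cicIkeEnabled (scalar)
CIC_IKE_AGGRESS_MODE = MIB + ".1.1.2.0"      # cicIkeAggressModeEnabled
POLICY_ENTRY = MIB + ".1.5.1.1"              # cicIkeCfgPolicyEntry
# Column sub-identifiers of cicIkeCfgPolicyEntry; column 1 (priority) is
# not-accessible and appears only in the instance index.
POLICY_COLUMNS = {2: "encr", 3: "hash", 4: "prf", 5: "auth",
                  6: "dhgroup", 7: "lifetime", 8: "lifesize", 9: "status"}

# ASSUMED labels: the enumerations live in CISCO-IPSEC-TC, which the module
# imports but does not reproduce. Only the DEFVALs are named in the module.
WEAK_ENCR = {"espDes", "espNull"}       # single DES / no encryption
WEAK_HASH = {"md5"}
WEAK_DH = {"modp768", "modp1024"}       # MODP groups below 2048 bits
MAX_LIFETIME = 86400                    # the module's DEFVAL for the lifetime


@dataclass
class Policy:
    doi: int
    priority: int
    attrs: dict


def parse_policy_table(walk: dict[str, str]) -> list[Policy]:
    """Group cicIkeCfgPolicyEntry columns by their (DOI, priority) index.

    Instance OID layout: <entry>.<column>.<cicIkeCfgIdentityDoi>.<cicIkeCfgPolicyPriority>
    The result is sorted by (doi, priority); the lower priority value wins.
    """
    rows: dict = {}
    for oid, value in walk.items():
        if not oid.startswith(POLICY_ENTRY + "."):
            continue
        parts = oid[len(POLICY_ENTRY) + 1:].split(".")
        if len(parts) != 3:
            continue
        column, doi, priority = (int(x) for x in parts)
        name = POLICY_COLUMNS.get(column)
        if name is not None:
            rows.setdefault((doi, priority), {})[name] = value
    return [Policy(d, p, a) for (d, p), a in sorted(rows.items())]


def preferred_policy(walk: dict[str, str], doi: int) -> Policy | None:
    """The policy proposed first for a DOI: the active row with the lowest priority."""
    for p in parse_policy_table(walk):
        if p.doi == doi and p.attrs.get("status") == "active":
            return p
    return None


def audit(walk: dict[str, str]) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    if walk.get(CIC_IKE_ENABLED) != "true":
        return ["IKE disabled (cicIkeEnabled != true); nothing to audit"]
    findings = []
    aggressive = walk.get(CIC_IKE_AGGRESS_MODE) == "true"
    if aggressive:
        findings.append("aggressive mode enabled (cicIkeAggressModeEnabled)")
    for p in parse_policy_table(walk):
        if p.attrs.get("status") != "active":
            continue
        tag = f"doi={p.doi} priority={p.priority}"
        if p.attrs.get("encr") in WEAK_ENCR:
            findings.append(f"{tag}: weak encryption {p.attrs['encr']}")
        if p.attrs.get("hash") in WEAK_HASH:
            findings.append(f"{tag}: weak hash {p.attrs['hash']}")
        if p.attrs.get("dhgroup") in WEAK_DH:
            findings.append(f"{tag}: weak DH group {p.attrs['dhgroup']}")
        # Aggressive mode sends the responder's hash before encryption starts,
        # so a PSK-authenticated exchange can be brute-forced offline.
        if aggressive and p.attrs.get("auth") == "preSharedKey":
            findings.append(f"{tag}: preSharedKey auth with aggressive mode")
        lifetime = int(p.attrs.get("lifetime", "0"))
        if lifetime > MAX_LIFETIME:
            findings.append(f"{tag}: lifetime {lifetime}s exceeds {MAX_LIFETIME}s")
    return findings


def _row(priority: int, **cols: str) -> dict[str, str]:
    """Build constructed walk entries for one policy row in DOI 1."""
    inv = {v: k for k, v in POLICY_COLUMNS.items()}
    return {f"{POLICY_ENTRY}.{inv[n]}.1.{priority}": v for n, v in cols.items()}


# Constructed walk (DOI index value 1 is made up): the preferred policy (10)
# is weak on every axis, 20 is the module's defaults, 30 is strong.
SAMPLE_WALK = {CIC_IKE_ENABLED: "true", CIC_IKE_AGGRESS_MODE: "true"}
SAMPLE_WALK.update(_row(10, encr="espDes", hash="md5", prf="prfHmacSha1", auth="preSharedKey",
                        dhgroup="modp768", lifetime="604800", status="active"))
SAMPLE_WALK.update(_row(20, encr="esp3des", hash="sha", prf="prfHmacSha1", auth="preSharedKey",
                        dhgroup="modp1024", lifetime="86400", status="active"))
SAMPLE_WALK.update(_row(30, encr="espAes", hash="sha", prf="prfHmacSha1", auth="rsaSig",
                        dhgroup="modp1536", lifetime="86400", status="active"))

if __name__ == "__main__":
    print("preferred:", preferred_policy(SAMPLE_WALK, 1))
    for finding in audit(SAMPLE_WALK):
        print(finding)
```

Against a real device the dict would come from a walk of 1.3.6.1.4.1.9.9.423.1 over an SNMPv3 authPriv session; the parsing and the checks stay the same.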
--
-- Notification Configuration
--

cicNotifCntlIkeAllNotifs OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "The value of this object must be 'true' to enable
        any notification, in addition to the
        notification-specific control variables
        defined below.

        A notification <foo> defined in this module is
        enabled if and only if the expression
            (cicNotifCntlIkeAllNotifs && cicNotifCntlIke<foo>)
        evaluates to 'true'."
    DEFVAL          { true } 
    ::= { cicIkeConfigMibNotifCntl 1 }

cicNotifCntlIkeOperStateChanged OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "When cicNotifCntlIkeAllNotifs has the value
        'true', this variable controls the generation of
        the ciscoIkeConfigOperStateChanged notification.

        When this variable is set to 'true', generation
        of the notification is enabled. When this variable
        is set to 'false', generation of the notification
        is disabled."
    DEFVAL          { true } 
    ::= { cicIkeConfigMibNotifCntl 2 }

cicNotifCntlIkePskAdded OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "When cicNotifCntlIkeAllNotifs has the value 'true',
        this variable controls the generation of the
        ciscoIkeConfigPskAdded notification.

        When this variable is set to 'true', generation
        of the notification is enabled. When this variable
        is set to 'false', generation of the notification
        is disabled."
    DEFVAL          { true } 
    ::= { cicIkeConfigMibNotifCntl 3 }

cicNotifCntlIkePskDeleted OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "When cicNotifCntlIkeAllNotifs has the value 'true',
        this variable controls the generation of the
        ciscoIkeConfigPskDeleted notification.

        When this variable is set to 'true', generation
        of the notification is enabled. When this variable
        is set to 'false', generation of the notification
        is disabled."
    DEFVAL          { true } 
    ::= { cicIkeConfigMibNotifCntl 4 }

cicNotifCntlIkePolicyAdded OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "When cicNotifCntlIkeAllNotifs has the value 'true',
        this variable controls the generation of the
        ciscoIkeConfigPolicyAdded notification.

        When this variable is set to 'true', generation
        of the notification is enabled. When this variable
        is set to 'false', generation of the notification
        is disabled."
    DEFVAL          { true } 
    ::= { cicIkeConfigMibNotifCntl 5 }

cicNotifCntlIkePolicyDeleted OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "When cicNotifCntlIkeAllNotifs has the value 'true',
        this variable controls the generation of the
        ciscoIkeConfigPolicyDeleted notification.

        When this variable is set to 'true', generation
        of the notification is enabled. When this variable
        is set to 'false', generation of the notification
        is disabled."
    DEFVAL          { true } 
    ::= { cicIkeConfigMibNotifCntl 6 }

-- ******************************************************************
-- Notifications
-- ******************************************************************

ciscoIkeConfigOperStateChanged NOTIFICATION-TYPE
    OBJECTS         { cicIkeEnabled }
    STATUS          current
    DESCRIPTION
        "The notification is generated when the operational
        state of the IKE entity on the managed device has
        changed."
   ::= { cicIkeConfigMIBNotifs 1 }

ciscoIkeConfigPskAdded NOTIFICATION-TYPE
    OBJECTS         {
                        cicIkeCfgPskRemIdentType,
                        cicIkeCfgPskRemIdentity
                    }
    STATUS          current
    DESCRIPTION
        "This notification is generated when a new pre-shared
        key is configured on the managed device."
   ::= { cicIkeConfigMIBNotifs 2 }

ciscoIkeConfigPskDeleted NOTIFICATION-TYPE
    OBJECTS         {
                        cicIkeCfgPskRemIdentType,
                        cicIkeCfgPskRemIdentity
                    }
    STATUS          current
    DESCRIPTION
        "This notification is generated when an existing
        pre-shared key configured on the managed device is
        about to be deleted."
   ::= { cicIkeConfigMIBNotifs 3 }

ciscoIkeConfigPolicyAdded NOTIFICATION-TYPE
    OBJECTS         {
                        cicIkeCfgPolicyEncr,
                        cicIkeCfgPolicyHash,
                        cicIkeCfgPolicyAuth,
                        cicIkeCfgPolicyDHGroup
                    }
    STATUS          current
    DESCRIPTION
        "This notification is generated when a new ISAKMP
        policy is configured on the managed device."
   ::= { cicIkeConfigMIBNotifs 4 }

ciscoIkeConfigPolicyDeleted NOTIFICATION-TYPE
    OBJECTS         {
                        cicIkeCfgPolicyEncr,
                        cicIkeCfgPolicyHash,
                        cicIkeCfgPolicyAuth,
                        cicIkeCfgPolicyDHGroup
                    }
    STATUS          current
    DESCRIPTION
        "This notification is issued when an existing ISAKMP
        policy configured on the managed device is about
        to be deleted."
   ::= { cicIkeConfigMIBNotifs 5 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Conformance Information
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

cicIkeCfgMIBGroups  OBJECT IDENTIFIER ::= { cicIkeConfigMIBConform 1 }
cicIkeCfgMIBCompliances  OBJECT IDENTIFIER ::= { cicIkeConfigMIBConform 2 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Compliance Statements
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

cicIkeCfgMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for SNMP entities that
        implement the Internet Key Exchange Protocol
        configuration MIB."
    MODULE          -- this module
    MANDATORY-GROUPS {
                        cicIkeCfgOperGroup,
                        cicIkeCfgIdentitiesGroup,
                        cicIkeCfgPskAuthGroup,
                        cicIkeCfgPolicyGroup
                    }

    GROUP           cicIkeCfgOptionalPolicyGroup
    DESCRIPTION
        "This group is optional."

    GROUP           cicIkeCfgFailureRecoveryGroup
    DESCRIPTION
        "This group is conditionally mandatory and must be
        implemented by the agent of the managed entity
        if and only if
        a) the managed entity implements Internet Key
           Exchange keepalive operations, or
        b) the managed entity implements IKE
           failure signaling (such as the Invalid SPI
           notification)."

    GROUP           cicIkeCfgNotificationGroup
    DESCRIPTION
        "This group is optional."

    GROUP           cicIkeCfgNotifCntlGroup
    DESCRIPTION
        "The agent must implement this group if it
        implements the group 'cicIkeCfgNotificationGroup'."

    OBJECT          cicIkeEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeAggressModeEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeKeepAliveEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeKeepAliveType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeKeepAliveInterval
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required. It is compliant
        to support only a subset of the values in the
        range defined."

    OBJECT          cicIkeKeepAliveRetryInterval
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required. It is compliant
        to support only a subset of the values in the
        range defined."

    OBJECT          cicIkeInvalidSpiNotify
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeCfgPskKey
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeCfgPskRemIdentType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required.
        Note that an implementation need not support all
        identity types listed in the definition of the
        textual convention CIPsecPhase1PeerIdentityType."

    OBJECT          cicIkeCfgPskRemIdentity
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeCfgPskRemIdAddrOrRg1OrSn
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeCfgPskRemIdAddrRange2
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeCfgPskRemIdSubnetMask
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeCfgPskStatus
    SYNTAX          INTEGER  {
                        active(1),
                        createAndGo(4),
                        destroy(6)
                    }
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required.
        Only the three values 'createAndGo', 'destroy' and
        'active' out of the six enumerated values need to
        be supported if write is supported."

    -- OBJECT          cicIkeCfgPolicyPriority
    -- SYNTAX          Unsigned32 (1..255)
    -- DESCRIPTION
    --     "It is compliant to support a maximum value for
    --     this object which is smaller than the defined
    --     maximum value."

    OBJECT          cicIkeCfgPolicyStatus
    SYNTAX          INTEGER  {
                        active(1),
                        createAndGo(4),
                        destroy(6)
                    }
    DESCRIPTION
        "Only the three values 'createAndGo', 'destroy' and
        'active' out of the six enumerated values need to
        be supported if write is supported."

    OBJECT          cicNotifCntlIkeAllNotifs
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicNotifCntlIkeOperStateChanged
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicNotifCntlIkePskAdded
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicNotifCntlIkePskDeleted
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicNotifCntlIkePolicyAdded
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicNotifCntlIkePolicyDeleted
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeCfgInitiatorPAddrType
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeCfgInitiatorPAddr
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeCfgInitiatorVer
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cicIkeCfgInitiatorStatus
    SYNTAX          INTEGER  {
                        active(1),
                        createAndGo(4),
                        destroy(6)
                    }
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required.
        Only the three values 'createAndGo', 'destroy' and
        'active' out of the six enumerated values need to
        be supported if write is supported."
    ::= { cicIkeCfgMIBCompliances 1 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Units of Conformance: List of current groups
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

cicIkeCfgOperGroup OBJECT-GROUP
    OBJECTS         {
                        cicIkeEnabled,
                        cicIkeAggressModeEnabled
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of objects that reflect the
        operational state of the IKE entity on the
        managed device."
    ::= { cicIkeCfgMIBGroups 1 }

cicIkeCfgIdentitiesGroup OBJECT-GROUP
    OBJECTS         {
                        cicIkeCfgIdentityType,
                        cicIkeCfgInitiatorNextAvailIndex,
                        cicIkeCfgInitiatorPAddrType,
                        cicIkeCfgInitiatorPAddr,
                        cicIkeCfgInitiatorVer,
                        cicIkeCfgInitiatorStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of objects that reflect the
        Phase 1 ID used by the IKE entity on the
        managed device."
    ::= { cicIkeCfgMIBGroups 2 }

cicIkeCfgFailureRecoveryGroup OBJECT-GROUP
    OBJECTS         {
                        cicIkeKeepAliveEnabled,
                        cicIkeKeepAliveType,
                        cicIkeKeepAliveInterval,
                        cicIkeKeepAliveRetryInterval,
                        cicIkeInvalidSpiNotify
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of objects that define how the
        local IKE entity is configured to respond to
        common failures."
    ::= { cicIkeCfgMIBGroups 3 }

cicIkeCfgPskAuthGroup OBJECT-GROUP
    OBJECTS         {
                        cicIkeCfgPskNextAvailIndex,
                        cicIkeCfgPskKey,
                        cicIkeCfgPskRemIdentType,
                        cicIkeCfgPskRemIdentTypeStand,
                        cicIkeCfgPskRemIdentity,
                        cicIkeCfgPskRemIdAddrOrRg1OrSn,
                        cicIkeCfgPskRemIdAddrRange2,
                        cicIkeCfgPskRemIdSubnetMask,
                        cicIkeCfgPskStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of objects that are used to
        view and configure the pre-shared keys configured on
        the managed entity."
    ::= { cicIkeCfgMIBGroups 4 }

cicIkeCfgPolicyGroup OBJECT-GROUP
    OBJECTS         {
                        cicIkeCfgPolicyEncr,
                        cicIkeCfgPolicyHash,
                        cicIkeCfgPolicyPRF,
                        cicIkeCfgPolicyAuth,
                        cicIkeCfgPolicyDHGroup,
                        cicIkeCfgPolicyLifetime,
                        cicIkeCfgPolicyStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of objects that are used to
        view and configure the ISAKMP policies configured on
        the managed device."
    ::= { cicIkeCfgMIBGroups 5 }

cicIkeCfgOptionalPolicyGroup OBJECT-GROUP
    OBJECTS         { cicIkeCfgPolicyLifesize }
    STATUS          current
    DESCRIPTION
        "This group consists of objects pertaining to ISAKMP
        policy management which are optional and may not be
        supported by every implementation of IKE."
    ::= { cicIkeCfgMIBGroups 6 }

cicIkeCfgNotifCntlGroup OBJECT-GROUP
    OBJECTS         {
                        cicNotifCntlIkeAllNotifs,
                        cicNotifCntlIkeOperStateChanged,
                        cicNotifCntlIkePskAdded,
                        cicNotifCntlIkePskDeleted,
                        cicNotifCntlIkePolicyAdded,
                        cicNotifCntlIkePolicyDeleted
                    }
    STATUS          current
    DESCRIPTION
        "This group of objects controls the sending
        of notifications to signal the state of Phase-1 IKE
        configuration on the managed device."
    ::= { cicIkeCfgMIBGroups 7 }

cicIkeCfgNotificationGroup NOTIFICATION-GROUP
   NOTIFICATIONS    {
                        ciscoIkeConfigOperStateChanged,
                        ciscoIkeConfigPskAdded,
                        ciscoIkeConfigPskDeleted,
                        ciscoIkeConfigPolicyAdded,
                        ciscoIkeConfigPolicyDeleted
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the notifications to signal the
        changes to IKE on the managed device."
    ::= { cicIkeCfgMIBGroups 8 }

END