-- *******************************************************************
-- Juniper Networks IPSEC Generic Flow Monitoring object mibs
--
-- Copyright (c) 2001-2007, Juniper Networks, Inc.
-- All rights reserved.
--
-- The contents of this document are subject to change without notice.
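-- *******************************************************************

-- Layout restored: the extracted text had SMI keywords fused to their
-- operands (e.g. "SYNTAXINTEGER", "MAX-ACCESSread-only", "OBJECTIDENTIFIER"),
-- which no SMI parser accepts. Names, enumerations and OID assignments are
-- unchanged; only spelling errors in comments and DESCRIPTION text were fixed.
--
-- Operational note: every object in this module is read-only or
-- not-accessible, but the tables report peer identities, XAuth user ids,
-- certificate names and the negotiated algorithms of each tunnel. Read
-- access is best limited to an authenticated, encrypted SNMP context and a
-- restricted view.

JUNIPER-IPSEC-FLOW-MON-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
    Integer32, Unsigned32
        FROM SNMPv2-SMI
    InetAddress, InetAddressType
        FROM INET-ADDRESS-MIB
    TEXTUAL-CONVENTION, DisplayString, TimeInterval
        FROM SNMPv2-TC
    jnxIpSecMibRoot
        FROM JUNIPER-SMI;

-- NOTE(review): LAST-UPDATED encodes 2007-05-11 while its trailing comment
-- and the REVISION clause both say May 16, 2007; confirm which date is
-- intended (the values are kept as found).
jnxIpSecFlowMonMIB MODULE-IDENTITY
    LAST-UPDATED "200705112153Z" -- May 16, 2007
    ORGANIZATION "Juniper Networks, Inc."
    CONTACT-INFO
        "Juniper Technical Assistance Center
         Juniper Networks, Inc.
         1194 N. Mathilda Avenue
         Sunnyvale, CA 94089
         E-mail: support@juniper.net"
    DESCRIPTION
        "This module defines the object used to monitor the
         entries pertaining to IPSec objects and the management
         of the IPSEC VPN functionalities.
         tables:
         - IKE tunnel table
         - IPSec tunnel table
         - IPSec security associations table.
         This mib module is based on JNX-IPSEC-MONITOR-MIB.
         Building on the existing IKE infrastructure, the
         security IKE implementation integrates the value-added
         features for the security products"
    REVISION "200705160000Z" -- May 16, 2007
    DESCRIPTION
        "Revised the MIB to exclude platform/product specific attributes"
    ::= { jnxIpSecMibRoot 1 }

--
-- Branch tree objects
--
jnxIpSecFlowMonNotifications OBJECT IDENTIFIER ::= { jnxIpSecFlowMonMIB 0 }
jnxIpSecFlowMonPhaseOne      OBJECT IDENTIFIER ::= { jnxIpSecFlowMonMIB 1 }
jnxIpSecFlowMonPhaseTwo      OBJECT IDENTIFIER ::= { jnxIpSecFlowMonMIB 2 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++
-- Local Textual Conventions
-- +++++++++++++++++++++++++++++++++++++++++++++++++++

JnxIkePeerType ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The type of IPsec Phase-1 IKE peer identity. It is the
         local IKE identity to send in the exchange.
         The IKE peer may be identified by one of the ID types
         defined in IPSEC DOI.
         idIpv4Addr - IPv4 Address.
         idUfqdn - user fully qualified domain name (user@hostname).
         idFqdn - fully qualified domain name
         idDn - distinguished name"
    SYNTAX INTEGER {
        unknown(0),
        idIpv4Addr(1),
        idFqdn(2),
        idDn(3),
        idUfqdn(4)
    }

-- aggressive(2) gives up identity protection (see DESCRIPTION). Tunnels that
-- report it together with a pre-shared-key JnxIkeAuthMethod value are worth
-- flagging in a configuration audit.
JnxIkeNegoMode ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The IPsec Phase-1 IKE negotiation mode.
         Main Mode: A six-message Phase 1 exchange that provides identity
         protection.
         Aggressive mode: a three-message phase 1 exchange that does
         not provide identity protection"
    SYNTAX INTEGER {
        main(1),
        aggressive(2)
    }

-- md5(1) is a legacy hash; "sha" presumably means SHA-1 (the module does not
-- say). The convention has no value for stronger hashes, so a device
-- negotiating one cannot be represented here - confirm against the agent.
JnxIkeHashAlgo ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The hash algorithm used in IPsec Phase-1 IKE negotiations."
    SYNTAX INTEGER {
        md5(1),
        sha(2)
    }

JnxIkeAuthMethod ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The authentication method used in IPsec Phase-1 IKE
         negotiations."
    SYNTAX INTEGER {
        preSharedKey(1),
        dssSignature(2),
        rsaSignature(3),
        rsaEncryption(4),
        revRsaEncryption(5),
        xauthPreSharedKey(6),
        xauthDssSignature(7),
        xauthRsaSignature(8),
        xauthRsaEncryption(9),
        xauthRevRsaEncryption(10)
    }

JnxIkePeerRole ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "Role of the local endpoint in negotiating the IPsec Phase-1 IKE
         security association. It can be either Initiator or Responder."
    SYNTAX INTEGER {
        initiator(1),
        responder(2)
    }

JnxIkeTunStateType ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "State of the Phase-1 IKE negotiation."
    SYNTAX INTEGER {
        up(1),
        down(2)
    }

-- The enumeration values (1, 2, 5) skip 3 and 4; do not renumber them.
-- modp768(1) and modp1024(2) are smaller than the group sizes current
-- guidance recommends, so this column is a convenient way to inventory
-- tunnels that still negotiate them.
JnxDiffHellmanGrp ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The Diffie Hellman Group used in negotiations.
         modp768 -- 768-bit MODP
         modp1024 -- 1024-bit MODP
         modp1536 -- 1536-bit MODP; voyager only
        "
    SYNTAX INTEGER {
        unknown(0),
        modp768(1),
        modp1024(2),
        modp1536(5)
    }

JnxKeyType ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The type of key used by an IPsec Phase-2 Tunnel."
    SYNTAX INTEGER {
        unknown(0),
        keyIke(1),
        keyManual(2)
    }

JnxEncapMode ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The encapsulation mode used by an IPsec Phase-2 Tunnel."
    SYNTAX INTEGER {
        unknown(0),
        tunnel(1),
        transport(2)
    }

-- espDes(1) is single DES and espNull(3) provides no confidentiality; both
-- are values a monitoring rule would normally alert on.
JnxEncryptAlgo ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The encryption algorithm used in negotiations."
    SYNTAX INTEGER {
        espDes(1),
        esp3des(2),
        espNull(3),
        espAes128(4),
        espAes192(5),
        espAes256(6)
    }

JnxAuthAlgo ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The authentication algorithm used by a
         security association of an IPsec Phase-2 Tunnel."
    SYNTAX INTEGER {
        unknown(0),
        hmacMd5(1),
        hmacSha(2)
    }

JnxRemotePeerType ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The type of the remote peer gateway (endpoint). It can be one
         of the following two types:
         - static (Remote peer whose IP address is known beforehand)
         - dynamic (Remote peer whose IP address is not known
         beforehand).
        "
    SYNTAX INTEGER {
        unknown(0),
        static(1),
        dynamic(2)
    }

JnxSpiType ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The type of the SPI associated with IPsec Phase-2 security
         associations."
    SYNTAX Unsigned32 (256..4294967295)

JnxSAType ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "SA Type manual or dynamic"
    SYNTAX INTEGER {
        unknown(0),
        manual(1),
        dynamic(2)
    }

-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Number of IKE Tunnels currently active
-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
jnxIkeNumOfTunnels OBJECT-TYPE
    SYNTAX INTEGER
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of IKE Tunnels (phase-1) actively negotiating between
         peers. The SA can be in either the up or down state.
         This attribute should detail the number of IKE tunnels
         in jnxIkeTunnelMonTable."
    ::= { jnxIpSecFlowMonPhaseOne 1 }

-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-1 Internet Key Exchange Tunnel Table
--
-- Phase 1 is used to negotiate the parameter and key material required
-- to establish an ISAKMP SA.
--
-- The phase 1 IKE gateway key exchange: tunnel peer device. Phase 1
-- security association components include encryption algorithm,
-- authentication, Diffie-Hellman group values and authentication method
-- such as pre-shared keys or certificates.
-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
jnxIkeTunnelMonTable OBJECT-TYPE
    SYNTAX SEQUENCE OF JnxIkeTunnelMonEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-1 Internet Key Exchange Tunnel Table.
         There is one entry in this table for each active IPsec
         Phase-1 IKE Tunnel."
    ::= { jnxIpSecFlowMonPhaseOne 2 }

-- Rows are keyed by remote gateway address (type + value) and a per-tunnel
-- index, so the remote gateway address is recoverable from the instance OID
-- even though the two address columns are not-accessible.
jnxIkeTunnelMonEntry OBJECT-TYPE
    SYNTAX JnxIkeTunnelMonEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with
         an active IPsec Phase-1 IKE Tunnel."
    INDEX { jnxIkeTunMonRemoteGwAddrType,
            jnxIkeTunMonRemoteGwAddr,
            jnxIkeTunMonIndex }
    ::= { jnxIkeTunnelMonTable 1 }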
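-- Row layout of the Phase-1 IKE tunnel table. Layout restored from extracted
-- text in which SMI keywords were fused to their operands; object names,
-- syntaxes and OID assignments are unchanged.
JnxIkeTunnelMonEntry ::= SEQUENCE {
    jnxIkeTunMonRemoteGwAddrType InetAddressType,
    jnxIkeTunMonRemoteGwAddr     InetAddress,
    jnxIkeTunMonIndex            Integer32,
    jnxIkeTunMonLocalGwAddrType  InetAddressType,
    jnxIkeTunMonLocalGwAddr      InetAddress,
    jnxIkeTunMonState            JnxIkeTunStateType,
    jnxIkeTunMonInitiatorCookie  DisplayString,
    jnxIkeTunMonResponderCookie  DisplayString,
    jnxIkeTunMonLocalRole        JnxIkePeerRole,
    jnxIkeTunMonLocalIdType      JnxIkePeerType,
    jnxIkeTunMonLocalIdValue     DisplayString,
    jnxIkeTunMonLocalCertName    DisplayString,
    jnxIkeTunMonRemoteIdType     JnxIkePeerType,
    jnxIkeTunMonRemoteIdValue    DisplayString,
    jnxIkeTunMonNegoMode         JnxIkeNegoMode,
    jnxIkeTunMonDiffHellmanGrp   JnxDiffHellmanGrp,
    jnxIkeTunMonEncryptAlgo      JnxEncryptAlgo,
    jnxIkeTunMonHashAlgo         JnxIkeHashAlgo,
    jnxIkeTunMonAuthMethod       JnxIkeAuthMethod,
    jnxIkeTunMonLifeTime         Integer32,
    jnxIkeTunMonActiveTime       TimeInterval,
    jnxIkeTunMonInOctets         Counter64,
    jnxIkeTunMonInPkts           Counter32,
    jnxIkeTunMonOutOctets        Counter64,
    jnxIkeTunMonOutPkts          Counter32,
    jnxIkeTunMonXAuthUserId      DisplayString,
    jnxIkeTunMonDPDDownCount     Counter32
}

jnxIkeTunMonRemoteGwAddrType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IP address type of the remote gateway (endpoint) for the IPsec
         Phase-1 IKE Tunnel."
    ::= { jnxIkeTunnelMonEntry 1 }

jnxIkeTunMonRemoteGwAddr OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IP address of the remote gateway (endpoint) for the IPsec
         Phase-1 IKE Tunnel."
    ::= { jnxIkeTunnelMonEntry 2 }

jnxIkeTunMonIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The index of the IPsec Phase-1 IKE Tunnel Table.
         The value of the index is a number which begins
         at one and is incremented with each tunnel that
         is created. The value of this object will
         wrap at 2,147,483,647."
    ::= { jnxIkeTunnelMonEntry 3 }

-- Note the sub-identifier order: the local address is column 4 and its
-- address type is column 5, the reverse of the SEQUENCE order above.
jnxIkeTunMonLocalGwAddr OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the local endpoint (gateway) for the IPsec
         Phase-1 IKE Tunnel."
    ::= { jnxIkeTunnelMonEntry 4 }

jnxIkeTunMonLocalGwAddrType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address type of the local endpoint (gateway) for the IPsec
         Phase-1 IKE Tunnel."
    ::= { jnxIkeTunnelMonEntry 5 }

jnxIkeTunMonState OBJECT-TYPE
    SYNTAX JnxIkeTunStateType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The state of the IKE tunnel. It can be:
         1. up - negotiation completed
         2. down - being negotiated"
    ::= { jnxIkeTunnelMonEntry 6 }

jnxIkeTunMonInitiatorCookie OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Cookie as generated by the peer that initiated the IKE Phase-1
         negotiation. This cookie is carried in the ISAKMP header."
    ::= { jnxIkeTunnelMonEntry 7 }

jnxIkeTunMonResponderCookie OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Cookie as generated by the peer responding to the IKE Phase-1
         negotiation initiated by the remote peer. This cookie is carried
         in the ISAKMP header."
    ::= { jnxIkeTunnelMonEntry 8 }

jnxIkeTunMonLocalRole OBJECT-TYPE
    SYNTAX JnxIkePeerRole
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The role of local peer identity. The Role of the local peer can be:
         1. initiator, or
         2. responder."
    ::= { jnxIkeTunnelMonEntry 9 }

jnxIkeTunMonLocalIdType OBJECT-TYPE
    SYNTAX JnxIkePeerType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of local peer identity. The local
         peer may be identified by:
         1. an IP address, or
         2. a fully qualified domain name string, or
         3. a distinguished name string."
    ::= { jnxIkeTunnelMonEntry 10 }

-- The FQDN sentence originally said "remote peer"; this object describes the
-- local identity, so it now reads "local peer" like its neighbours.
jnxIkeTunMonLocalIdValue OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the local peer identity.
         If the local peer type is an IP Address, then this
         is the IP Address used to identify the local peer.
         If the local peer type is id_fqdn, then this is
         the FQDN of the local peer.
         If the local peer type is a id_dn, then this is
         the distinguished name string of the local peer."
    ::= { jnxIkeTunnelMonEntry 11 }

jnxIkeTunMonLocalCertName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Name of the certificate used for authentication of the local
         tunnel endpoint. This object will have some valid value only
         if negotiated IKE authentication method is other than pre-shared
         key. If the IKE negotiation does not use certificate based
         authentication method, then the value of this object will be a
         NULL string."
    ::= { jnxIkeTunnelMonEntry 12 }

jnxIkeTunMonRemoteIdType OBJECT-TYPE
    SYNTAX JnxIkePeerType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of remote peer identity.
         The remote peer may be identified by:
         1. an IP address, or
         2. a fully qualified domain name string, or
         3. a distinguished name string."
    ::= { jnxIkeTunnelMonEntry 13 }

jnxIkeTunMonRemoteIdValue OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the remote peer identity.
         If the remote peer type is an IP Address, then this
         is the IP Address used to identify the remote peer.
         If the remote peer type is id_fqdn, then this is
         the FQDN of the remote peer.
         If the remote peer type is a id_dn, then this is
         the distinguished name string of the remote peer."
    ::= { jnxIkeTunnelMonEntry 14 }

-- Columns 15-19 report what was actually negotiated for the tunnel; polling
-- them is a direct way to find tunnels running a weaker proposal than policy
-- intends.
jnxIkeTunMonNegoMode OBJECT-TYPE
    SYNTAX JnxIkeNegoMode
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The negotiation mode of the IPsec Phase-1 IKE Tunnel."
    ::= { jnxIkeTunnelMonEntry 15 }

jnxIkeTunMonDiffHellmanGrp OBJECT-TYPE
    SYNTAX JnxDiffHellmanGrp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The Diffie Hellman Group used in IPsec Phase-1 IKE
         negotiations."
    ::= { jnxIkeTunnelMonEntry 16 }

jnxIkeTunMonEncryptAlgo OBJECT-TYPE
    SYNTAX JnxEncryptAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The encryption algorithm used in IPsec Phase-1 IKE negotiations."
    ::= { jnxIkeTunnelMonEntry 17 }

jnxIkeTunMonHashAlgo OBJECT-TYPE
    SYNTAX JnxIkeHashAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The hash algorithm used in IPsec Phase-1 IKE negotiations."
    ::= { jnxIkeTunnelMonEntry 18 }

jnxIkeTunMonAuthMethod OBJECT-TYPE
    SYNTAX JnxIkeAuthMethod
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The authentication method used in IPsec Phase-1 IKE
         negotiations."
    ::= { jnxIkeTunnelMonEntry 19 }

jnxIkeTunMonLifeTime OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    UNITS "seconds"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The negotiated LifeTime of the IPsec Phase-1 IKE Tunnel
         in seconds."
    ::= { jnxIkeTunnelMonEntry 20 }

jnxIkeTunMonActiveTime OBJECT-TYPE
    SYNTAX TimeInterval
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The length of time the IPsec Phase-1 IKE tunnel has been
         active in hundredths of seconds."
    ::= { jnxIkeTunnelMonEntry 21 }

jnxIkeTunMonInOctets OBJECT-TYPE
    SYNTAX Counter64
    UNITS "Octets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of octets received by this IPsec Phase-1
         IKE security association."
    ::= { jnxIkeTunnelMonEntry 22 }

jnxIkeTunMonInPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets received by this IPsec Phase-1
         IKE security association."
    ::= { jnxIkeTunnelMonEntry 23 }

jnxIkeTunMonOutOctets OBJECT-TYPE
    SYNTAX Counter64
    UNITS "Octets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of octets sent by this IPsec Phase-1
         IKE security association."
    ::= { jnxIkeTunnelMonEntry 24 }

jnxIkeTunMonOutPkts OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets sent by this IPsec Phase-1
         IKE security association."
    ::= { jnxIkeTunnelMonEntry 25 }

-- Exposes a user identifier to anyone with read access to this table; scope
-- the SNMP view accordingly.
jnxIkeTunMonXAuthUserId OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The extended Authentication (XAuth) User Identifier, identifies the
         user associated with this IPSec Phase negotiation."
    ::= { jnxIkeTunnelMonEntry 26 }

-- NOTE(review): UNITS says "Packets" but the DESCRIPTION counts detection
-- events, not packets; the UNITS value is kept as found.
jnxIkeTunMonDPDDownCount OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times that the remote peer is detected
         in a dead (or down) state."
    ::= { jnxIkeTunnelMonEntry 27 }

-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Tunnel Table
--
-- During this phase, IKE negotiates IPSEC SA parameters and sets up
-- matching IPSEC SAs in the peers.
--
-- Phase 2 VPN: tunnel peer connection, associated with a specific policy
-- or a tunnel interface. Phase 2 security association components include
-- encryption and authentication algorithms, proxy-IDs and optional DH
-- group values.
-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-- NOTE(review): the DESCRIPTION names "jnxIpSecTunnelTable"; the table
-- defined in this module is jnxIpSecTunnelMonTable.
jnxIpSecNumOfTunnels OBJECT-TYPE
    SYNTAX INTEGER
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of IPSEC VPN Tunnels.
         This attribute should detail the number of IPSEC VPN tunnel
         in jnxIpSecTunnelTable."
    ::= { jnxIpSecFlowMonPhaseTwo 1 }

jnxIpSecTunnelMonTable OBJECT-TYPE
    SYNTAX SEQUENCE OF JnxIpSecTunnelMonEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel Table.
         There is one entry in this table for each active IPsec Phase-2
         Tunnel. If the tunnel is terminated, then the entry is no longer
         available after the table has been refreshed."
    ::= { jnxIpSecFlowMonPhaseTwo 2 }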
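-- Conceptual row of the Phase-2 tunnel table, keyed by remote gateway
-- address (type + value) and a per-tunnel index. Keywords that were fused to
-- their operands in the extracted text have been separated.
jnxIpSecTunnelMonEntry OBJECT-TYPE
    SYNTAX JnxIpSecTunnelMonEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes
         associated with an active IPsec Phase-2 Tunnel."
    INDEX { jnxIpSecTunMonRemoteGwAddrType,
            jnxIpSecTunMonRemoteGwAddr,
            jnxIpSecTunMonIndex }
    ::= { jnxIpSecTunnelMonTable 1 }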
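-- Row layout of the Phase-2 tunnel table. Layout restored from extracted
-- text in which SMI keywords were fused to their operands; object names,
-- syntaxes and OID assignments are unchanged.
JnxIpSecTunnelMonEntry ::= SEQUENCE {
    jnxIpSecTunMonRemoteGwAddrType  InetAddressType,
    jnxIpSecTunMonRemoteGwAddr      InetAddress,
    jnxIpSecTunMonIndex             Integer32,
    jnxIpSecTunMonLocalGwAddrType   InetAddressType,
    jnxIpSecTunMonLocalGwAddr       InetAddress,
    jnxIpSecTunMonLocalProxyId      DisplayString,
    jnxIpSecTunMonRemoteProxyId     DisplayString,
    jnxIpSecTunMonKeyType           JnxKeyType,
    jnxIpSecTunMonRemotePeerType    JnxRemotePeerType,
    jnxIpSecTunMonOutEncryptedBytes Counter64,
    jnxIpSecTunMonOutEncryptedPkts  Counter64,
    jnxIpSecTunMonInDecryptedBytes  Counter64,
    jnxIpSecTunMonInDecryptedPkts   Counter64,
    jnxIpSecTunMonAHInBytes         Counter64,
    jnxIpSecTunMonAHInPkts          Counter64,
    jnxIpSecTunMonAHOutBytes        Counter64,
    jnxIpSecTunMonAHOutPkts         Counter64,
    jnxIpSecTunMonReplayDropPkts    Counter64,
    jnxIpSecTunMonAhAuthFails       Counter64,
    jnxIpSecTunMonEspAuthFails      Counter64,
    jnxIpSecTunMonDecryptFails      Counter64,
    jnxIpSecTunMonBadHeaders        Counter64,
    jnxIpSecTunMonBadTrailers       Counter64,
    jnxIpSecTunMonDroppedPkts       Counter64
}

jnxIpSecTunMonRemoteGwAddrType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IP address type of the remote gateway (endpoint) for the IPsec
         Phase-2 Tunnel."
    ::= { jnxIpSecTunnelMonEntry 1 }

jnxIpSecTunMonRemoteGwAddr OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IP address of the remote gateway (endpoint) for the IPsec
         Phase-2 Tunnel."
    ::= { jnxIpSecTunnelMonEntry 2 }

jnxIpSecTunMonIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The index of the IPsec Phase-2 Tunnel Table.
         The value of the index is a number which begins at one and
         is incremented with each tunnel that is created. The value of
         this object will wrap at 2,147,483,647."
    ::= { jnxIpSecTunnelMonEntry 3 }

jnxIpSecTunMonLocalGwAddrType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address type of the local gateway (endpoint) for the IPsec
         Phase-2 Tunnel."
    ::= { jnxIpSecTunnelMonEntry 4 }

jnxIpSecTunMonLocalGwAddr OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the local gateway (endpoint) for the IPsec
         Phase-2 Tunnel."
    ::= { jnxIpSecTunnelMonEntry 5 }

-- NOTE(review): the proxy-id descriptions do not say what the string
-- contains or how it is formatted; confirm against the agent before parsing.
jnxIpSecTunMonLocalProxyId OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Identifier for the local end."
    ::= { jnxIpSecTunnelMonEntry 6 }

jnxIpSecTunMonRemoteProxyId OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Identifier for the remote end."
    ::= { jnxIpSecTunnelMonEntry 7 }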
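-- Keywords that were fused to their operands in the extracted text have been
-- separated; names, syntaxes and OID assignments are unchanged.
--
-- A manually installed key (per the DESCRIPTION below) is not negotiated by
-- IKE, so this column lets an auditor list tunnels whose keys depend on
-- manual rotation.
jnxIpSecTunMonKeyType OBJECT-TYPE
    SYNTAX JnxKeyType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of key used by the IPsec Phase-2 Tunnel. It can be
         one of the following two types:
         - IKE negotiated
         - Manually installed"
    ::= { jnxIpSecTunnelMonEntry 8 }

jnxIpSecTunMonRemotePeerType OBJECT-TYPE
    SYNTAX JnxRemotePeerType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of the remote peer gateway (endpoint). It can be one
         of the following two types:
         - static (Remote peer whose IP address is known beforehand)
         - dynamic (Remote peer whose IP address is not known
         beforehand)"
    ::= { jnxIpSecTunnelMonEntry 9 }

jnxIpSecTunMonOutEncryptedBytes OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of bytes encrypted by this Phase-2 tunnel."
    ::= { jnxIpSecTunnelMonEntry 10 }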
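-- Per-tunnel Phase-2 traffic and error counters, followed by the SA table.
-- Keywords that were fused to their operands in the extracted text have been
-- separated; names, syntaxes and OID assignments are unchanged.
jnxIpSecTunMonOutEncryptedPkts OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of packets encrypted by this Phase-2 tunnel."
    ::= { jnxIpSecTunnelMonEntry 11 }

jnxIpSecTunMonInDecryptedBytes OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of bytes decrypted by this Phase-2 tunnel."
    ::= { jnxIpSecTunnelMonEntry 12 }

jnxIpSecTunMonInDecryptedPkts OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of packets decrypted by this Phase-2 tunnel."
    ::= { jnxIpSecTunnelMonEntry 13 }

jnxIpSecTunMonAHInBytes OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of incoming bytes authenticated using AH by this Phase-2
         tunnel."
    ::= { jnxIpSecTunnelMonEntry 14 }

jnxIpSecTunMonAHInPkts OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of incoming packets authenticated using AH by this Phase-2
         tunnel."
    ::= { jnxIpSecTunnelMonEntry 15 }

jnxIpSecTunMonAHOutBytes OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of outgoing bytes applied AH by this Phase-2 tunnel."
    ::= { jnxIpSecTunnelMonEntry 16 }

jnxIpSecTunMonAHOutPkts OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of outgoing packets applied AH by this Phase-2 tunnel."
    ::= { jnxIpSecTunnelMonEntry 17 }

-- Columns 18-23 count packets the tunnel rejected. A sustained rise in the
-- replay, authentication or decryption failure counters is a useful
-- detection signal (tampering, key mismatch or a misbehaving peer) and is
-- worth baselining per tunnel.
jnxIpSecTunMonReplayDropPkts OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of packets dropped by this Phase-2 tunnel due to
         anti replay check failure."
    ::= { jnxIpSecTunnelMonEntry 18 }

jnxIpSecTunMonAhAuthFails OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of packets received by this Phase-2 tunnel that
         failed AH authentication."
    ::= { jnxIpSecTunnelMonEntry 19 }

jnxIpSecTunMonEspAuthFails OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of packets received by this Phase-2 tunnel that
         failed ESP authentication."
    ::= { jnxIpSecTunnelMonEntry 20 }

jnxIpSecTunMonDecryptFails OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of packets received by this Phase-2 tunnel that
         failed decryption."
    ::= { jnxIpSecTunnelMonEntry 21 }

jnxIpSecTunMonBadHeaders OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of packets received by this Phase-2 tunnel that
         failed due to bad headers."
    ::= { jnxIpSecTunnelMonEntry 22 }

jnxIpSecTunMonBadTrailers OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of packets received by this Phase-2 tunnel that
         failed due to bad ESP trailers."
    ::= { jnxIpSecTunnelMonEntry 23 }

-- NOTE(review): sub-identifier 26 follows 23, leaving 24 and 25 unassigned
-- in this module. The assigned value is kept as found; do not renumber.
jnxIpSecTunMonDroppedPkts OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Total number of dropped packets for this Phase-2 tunnel."
    ::= { jnxIpSecTunnelMonEntry 26 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The IPsec Phase-2 Security Association (SA) Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

-- NOTE(review): the DESCRIPTION refers to "ipSecTunTable"; the Phase-2
-- tunnel table defined in this module is jnxIpSecTunnelMonTable.
jnxIpSecSaMonTable OBJECT-TYPE
    SYNTAX SEQUENCE OF JnxIpSecSaMonEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-2 Security Association Table.
         This table identifies the structure (in terms of
         component SAs) of each active Phase-2 IPsec tunnel.
         This table contains an entry for each active and
         expiring security association and maps each entry
         in the active Phase-2 tunnel table (ipSecTunTable)
         into a number of entries in this table.
         SA contains the information negotiated by IKE. The SA
         is like a contract laying out the rules of the VPN
         connection for the duration of the SA. An SA is assigned
         a 32-bit number that, when used in conjunction with the
         destination IP address, uniquely identifies the SA. This
         number is called the Security Parameters Index or SPI.
         IPSec SAs are unidirectional and they are unique in
         each security protocol. A set of SAs are needed for a
         protected data pipe, one per direction per protocol.
        "
    ::= { jnxIpSecFlowMonPhaseTwo 3 }

-- The first three index components are the index of the Phase-2 tunnel
-- table row (jnxIpSecTunnelMonEntry); jnxIpSecSaMonIndex then selects one SA
-- of that tunnel.
jnxIpSecSaMonEntry OBJECT-TYPE
    SYNTAX JnxIpSecSaMonEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with
         active and expiring IPsec Phase-2
         security associations."
    INDEX { jnxIpSecTunMonRemoteGwAddrType, -- From jnxIpSecTunnelMonTable
            jnxIpSecTunMonRemoteGwAddr,     -- From jnxIpSecTunnelMonTable
            jnxIpSecTunMonIndex,            -- From jnxIpSecTunnelMonTable
            jnxIpSecSaMonIndex }
    ::= { jnxIpSecSaMonTable 1 }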
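-- Row layout of the Phase-2 security association table. Layout restored from
-- extracted text in which SMI keywords were fused to their operands; object
-- names, syntaxes and OID assignments are unchanged.
JnxIpSecSaMonEntry ::= SEQUENCE {
    jnxIpSecSaMonIndex             Integer32,
    jnxIpSecSaMonProtocol          INTEGER,
    jnxIpSecSaMonInSpi             JnxSpiType,
    jnxIpSecSaMonOutSpi            JnxSpiType,
    jnxIpSecSaMonType              JnxSAType,
    jnxIpSecSaMonEncapMode         JnxEncapMode,
    jnxIpSecSaMonLifeSize          Integer32,
    jnxIpSecSaMonLifeTime          Integer32,
    jnxIpSecSaMonActiveTime        TimeInterval,
    jnxIpSecSaMonLifeSizeThreshold Integer32,
    jnxIpSecSaMonLifeTimeThreshold Integer32,
    jnxIpSecSaMonEncryptAlgo       JnxEncryptAlgo,
    jnxIpSecSaMonAuthAlgo          JnxAuthAlgo,
    jnxIpSecSaMonState             INTEGER
}

-- NOTE(review): the DESCRIPTION refers to "ipSecTunIndex"; the tunnel index
-- object defined in this module is jnxIpSecTunMonIndex.
jnxIpSecSaMonIndex OBJECT-TYPE
    SYNTAX Integer32 (1..65535)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The index, in the context of the IPsec tunnel ipSecTunIndex,
         of the security association represented by this table entry.
         The value of this index is a number which begins at one and
         is incremented with each SPI associated with an IPsec Phase-2
         Tunnel. The value of this object will wrap at 65535."
    ::= { jnxIpSecSaMonEntry 1 }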
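-- Keywords that were fused to their operands in the extracted text have been
-- separated; names, syntaxes and OID assignments are unchanged.
--
-- NOTE(review): the DESCRIPTION mentions IPComp, but the enumeration only
-- defines ah(1) and esp(2).
jnxIpSecSaMonProtocol OBJECT-TYPE
    SYNTAX INTEGER {
        ah(1),
        esp(2)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The index, represents the security protocol (AH, ESP or
         IPComp) for which this security association was setup."
    ::= { jnxIpSecSaMonEntry 2 }

jnxIpSecSaMonInSpi OBJECT-TYPE
    SYNTAX JnxSpiType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the incoming SPI."
    ::= { jnxIpSecSaMonEntry 3 }

jnxIpSecSaMonOutSpi OBJECT-TYPE
    SYNTAX JnxSpiType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the outgoing SPI."
    ::= { jnxIpSecSaMonEntry 4 }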
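-- Remaining columns of the Phase-2 SA table and the module terminator.
-- Keywords that were fused to their operands in the extracted text have been
-- separated; names, syntaxes and OID assignments are unchanged.
jnxIpSecSaMonType OBJECT-TYPE
    SYNTAX JnxSAType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This field represents the type of security associations
         which can be either manual or dynamic"
    ::= { jnxIpSecSaMonEntry 5 }

jnxIpSecSaMonEncapMode OBJECT-TYPE
    SYNTAX JnxEncapMode
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The encapsulation mode used by an IPsec Phase-2 Tunnel."
    ::= { jnxIpSecSaMonEntry 6 }

jnxIpSecSaMonLifeSize OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The negotiated LifeSize of the IPsec Phase-2 Tunnel in kilobytes."
    ::= { jnxIpSecSaMonEntry 7 }

jnxIpSecSaMonLifeTime OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The negotiated LifeTime of the IPsec Phase-2 Tunnel in seconds."
    ::= { jnxIpSecSaMonEntry 8 }

jnxIpSecSaMonActiveTime OBJECT-TYPE
    SYNTAX TimeInterval
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The length of time the IPsec Phase-2 Tunnel has been active in
         hundredths of seconds."
    ::= { jnxIpSecSaMonEntry 9 }

jnxIpSecSaMonLifeSizeThreshold OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The security association LifeSize refresh threshold in kilobytes."
    ::= { jnxIpSecSaMonEntry 10 }

jnxIpSecSaMonLifeTimeThreshold OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The security association LifeTime refresh threshold in seconds."
    ::= { jnxIpSecSaMonEntry 11 }

-- NOTE(review): the DESCRIPTION lists only DES-CBC and 3DES-CBC, while the
-- JnxEncryptAlgo syntax this column uses is a separate convention that may
-- define further values; rely on the enumeration, not the prose, when
-- decoding. "es-cbc" in the original text was corrected to "des-cbc".
jnxIpSecSaMonEncryptAlgo OBJECT-TYPE
    SYNTAX JnxEncryptAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The Encryption algorithm used to encrypt
         the packets which can be either des-cbc or 3des-cbc."
    ::= { jnxIpSecSaMonEntry 12 }

-- Both algorithms named in the DESCRIPTION are legacy MACs; this column lets
-- a poller report which SAs still use hmac-md5-96.
jnxIpSecSaMonAuthAlgo OBJECT-TYPE
    SYNTAX JnxAuthAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The algorithm used for authentication of packets which
         can be hmac-md5-96 or hmac-sha1-96"
    ::= { jnxIpSecSaMonEntry 13 }

jnxIpSecSaMonState OBJECT-TYPE
    SYNTAX INTEGER {
        unknown(0),
        active(1),
        expiring(2)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This column represents the status of the security association
         represented by this table entry. If the status of the SA is
         'active', the SA is ready for active use. The status
         'expiring' represents any of the various states that the
         security association transitions through before being purged."
    ::= { jnxIpSecSaMonEntry 14 }

END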