mirror of
https://github.com/hsnodgrass/snmp_mib_archive.git
synced 2025-04-18 00:13:02 +00:00
-- *------------------------------------------------------------------
-- * CISCO-IPSEC-PROVISIONING-MIB.my: IPsec Provisioning MIB
-- *
-- * August 2004, S Ramakrishnan, John Fan
-- *
-- * Copyright (c) 2004, 2005 by Cisco Systems, Inc.
-- * All rights reserved.
-- *
-- *------------------------------------------------------------------

CISCO-IPSEC-PROVISIONING-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    NOTIFICATION-TYPE,
    Unsigned32 FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    OBJECT-GROUP,
    NOTIFICATION-GROUP FROM SNMPv2-CONF
    RowStatus,
    TruthValue FROM SNMPv2-TC
    ifIndex FROM IF-MIB
    SnmpAdminString FROM SNMP-FRAMEWORK-MIB
    InetAddressType,
    InetAddress FROM INET-ADDRESS-MIB
    CIPsecTransform,
    CIPsecLifetime,
    CIPsecTunnelIdleTime,
    CIPsecLifesize,
    CIPsecEncapMode,
    CIPsecDiffHellmanGrp,
    CIPsecNumCryptoMaps,
    CIPsecCryptomapType,
    CIPsecSecuritySuite FROM CISCO-IPSEC-TC
    ciscoMgmt FROM CISCO-SMI;


ciscoIPsecProvisioningMIB MODULE-IDENTITY
    LAST-UPDATED "200511020000Z"
    ORGANIZATION "Cisco Systems, Inc."
    CONTACT-INFO "Cisco Systems
        Network Management Technology Group

        Postal: 170 W Tasman Drive
        San Jose, CA 95134
        USA

        Tel: +1 800 553-NETS
        E-mail: cs-ipsecurity@cisco.com"
    DESCRIPTION
        "IPSec is the next-generation network layer crypto
        framework described in RFC2401-2411.
        This MIB defines the IPsec configurations.
        It may be used to view and provision IPsec-based
        VPNs.

        To create an IPsec tunnel, you need first configure
        Internet Key Exchange (IKE). IKE negotiates Security
        Associations with the peer for IPsec. To find out
        how to configure IKE, please see
        CISCO-IKE-CONFIGURATION-MIB for detail.

        Once you setup IKE, you will have to configure IPsec.
        To configure IPsec, you need perform following steps.
        1. Create an IPsec transform set.
        A transform set describes a security protocol
        (AH or ESP) with its corresponding algorithms.
        For example, ESP with the DES cipher algorithm
        and HMAC-SHA for authentication.

        2. Create a cryptomap and its peers.
        This will a) select data flows that need security
        processing and b) defines the policy for these flows
        and the crypto peer that traffic needs to go to.

        3. Apply cryptomap to an interface
        A crypto map is applied to an egress interface.
        Outgoing data flows are protected by this cryptomap.

        Acronyms
        The following acronyms are used in this document:

        Static Cryptomap Template:
        A static cryptomap template (or static cryptomap)
        is a security template created for IPsec.
        A static cryptomap pulls together various parts
        to set up an IPsec security association
        which includes:
        - which traffic should be protected by IPsec
        - where IPsec protected traffic should be sent
        - the local address used for the the IPsec traffic
        - which transform sets should be applied to this
        traffic

        Dynamic Cryptomap Template:
        A dynamic cryptomap template (or a dynamic cryptomap)
        is essentially a crypto map entry without all the
        parameters configured. It acts as a policy template
        where the missing parameters are later dynamically
        configured (as the result of an IPsec negotiation)
        to match a peer's requirements.

        Cryptomap Set:
        A cryptomap set may contain multiple cryptomap
        templates which specify an IPsec policy.

        TED:
        Tunnel Endpoint Discovery protocol

        MIB Structure
        -------------
        This MIB provides the operational information on
        Cisco's IPsec implementation of IPsec. This MIB
        delineates ISAKMP and IPsec configuration. This MIB
        deals only with IPsec (Phase-2) configuration. The
        following entities are managed:
        a) IPsec Global Parameters
        b) IPsec transform set definitions
        c) Cryptomap Group
        - Cryptomap Set Table
        - Cryptomap Table
        - CryptomapSet Transform Binding Table
        - CryptomapSet Peer Binding Table
        - CryptomapSet Interface Binding Table

        d) Notification Control Group
        e) Notifications Group
        "
    REVISION "200511020000Z"
    DESCRIPTION
        "Updated description of objects in cipsIPsecXformSetTable
        and fixed typo."
    REVISION "200501250000Z"
    DESCRIPTION
        "Added new table cipsIfCryptomapSetInfoTable"
    REVISION "200410010000Z"
    DESCRIPTION
        "Initial version of this module.
        "
    ::= { ciscoMgmt 431 }

-- Objects, Notifications & Conformances

ciscoIPsecProvisioningMIBNotifs OBJECT IDENTIFIER
    ::= { ciscoIPsecProvisioningMIB 0 }

ciscoIPsecProvisioningMIBObjects OBJECT IDENTIFIER
    ::= { ciscoIPsecProvisioningMIB 1 }

ciscoIPsecProvisioningMIBConform OBJECT IDENTIFIER
    ::= { ciscoIPsecProvisioningMIB 2 }

cipsIPsecGlobals OBJECT IDENTIFIER
    ::= { ciscoIPsecProvisioningMIBObjects 1 }

cipsIPsecTransforms OBJECT IDENTIFIER
    ::= { ciscoIPsecProvisioningMIBObjects 2 }

cipsCryptoMapGeneral OBJECT IDENTIFIER
    ::= { ciscoIPsecProvisioningMIBObjects 3 }

cipsCryptoMaps OBJECT IDENTIFIER
    ::= { ciscoIPsecProvisioningMIBObjects 4 }

cipsNotificationCntl OBJECT IDENTIFIER
    ::= { ciscoIPsecProvisioningMIBObjects 5 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Cisco IPsec Global Configuration Group
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
cipsTunnelLifetime OBJECT-TYPE
    SYNTAX CIPsecLifetime
    UNITS "seconds"
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The default lifetime (in seconds) assigned
        to an IPsec tunnel as a global policy (maybe
        overridden in specific cryptomap definitions).
        "
    REFERENCE
        "For information on how a security association
        is established for an IPsec tunnel, please refer
        to RFC2409, section 4, paragraph 4. "
    DEFVAL { 3600 }
    ::= { cipsIPsecGlobals 1 }

cipsTunnelLifesize OBJECT-TYPE
    SYNTAX CIPsecLifesize
    UNITS "KBytes"
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The default lifesize in KBytes assigned to an IPsec
        tunnel as a global policy (unless overridden in
        cryptomap definition).
        "
    DEFVAL { 4608000 }
    ::= { cipsIPsecGlobals 2 }

cipsTunnelIdleTimeout OBJECT-TYPE
    SYNTAX CIPsecTunnelIdleTime
    UNITS "seconds"
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The number of seconds of idle time (no activity)
        after which an IPsec tunnel (and its parent ISAKMP
        SA) is to be deleted. An IPsec tunnel never times out
        if a value 0 is specified.
        "
    DEFVAL { 0 }
    ::= { cipsIPsecGlobals 3 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- IPsec Transform Sets
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
cipsIPsecXformSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CipsIPsecXformSetEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This table contains the list of all the transform sets
        configured on the managed entity. A transform set is usually
        configured by a management console before a cryptomap is
        created. Multiple transform sets could be assigned to a
        cryptomap configuration.
        "
    ::= { cipsIPsecTransforms 1 }

cipsIPsecXformSetEntry OBJECT-TYPE
    SYNTAX CipsIPsecXformSetEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry represents a single configured
        IPsec transform set.
        "
    INDEX { cipsXformSetName }
    ::= { cipsIPsecXformSetTable 1 }

CipsIPsecXformSetEntry ::= SEQUENCE {
    cipsXformSetName SnmpAdminString,
    cipsXformSetId Unsigned32,
    cipsXformSetSuite CIPsecSecuritySuite,
    cipsXformSetEncryptionXform CIPsecTransform,
    cipsXformSetIntegrityXformEsp CIPsecTransform,
    cipsXformSetIntegrityXformAh CIPsecTransform,
    cipsXformSetCompressionXform CIPsecTransform,
    cipsXformSetMode CIPsecEncapMode,
    cipsXformSetStatus RowStatus
}

cipsXformSetName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..80))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This object contains the name of the transform set
        corresponding to this conceptual row.
        "
    ::= { cipsIPsecXformSetEntry 1 }

cipsXformSetId OBJECT-TYPE
    SYNTAX Unsigned32 (1..2147483647)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This is the sequence number of the transform set that
        uniquely identifies the transform set.
        Distinct transform sets must have distinct sequence
        numbers.
        "
    ::= { cipsIPsecXformSetEntry 2 }

cipsXformSetSuite OBJECT-TYPE
    SYNTAX CIPsecSecuritySuite
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the suite of Phase-2 security
        protocols of this transform set.
        "
    ::= { cipsIPsecXformSetEntry 3 }

cipsXformSetEncryptionXform OBJECT-TYPE
    SYNTAX CIPsecTransform
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the transform used for
        ESP encryption.

        The only values this object may assume are 'xformNONE',
        'xformEspNULL', 'xformEspDES', 'xformEsp3DES',
        'xformEspAES128', 'xformEspAES192', 'xformEspAES256',
        'xformEspAESCtr128', 'xformEspAESCtr192', 'xformEspAESCtr256'
        and 'xformEspAESXCbcMac'.

        If the value of the corresponding instance of
        cipsXformSetSuite is 'suiteIntegAh', 'suiteIntegAhComp'
        or 'suiteOther', this object must be set to 'xformNONE'.
        For any other value of the corresponding instance of
        cipsXformSetSuite, this object must not be set to
        'xformNONE'.
        "
    DEFVAL { xformNONE }
    ::= { cipsIPsecXformSetEntry 4 }

cipsXformSetIntegrityXformEsp OBJECT-TYPE
    SYNTAX CIPsecTransform
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the transform used to
        implement integrity check with ESP protocol.

        If the value of the corresponding instance of
        cipsXformSetSuite is 'suiteIntegAh', 'suiteIntegAhComp'
        or 'suiteOther', this object must be set to 'xformNONE'.
        For any other value of the corresponding instance of
        cipsXformSetSuite, this object must not be set to
        'xformNONE'.
        "
    DEFVAL { xformNONE }
    ::= { cipsIPsecXformSetEntry 5 }

cipsXformSetIntegrityXformAh OBJECT-TYPE
    SYNTAX CIPsecTransform
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the transform used to
        implement integrity check with AH protocol.

        If the value of the corresponding instance of
        cipsXformSetSuite is neither 'suiteIntegAh' nor
        'suiteIntegAhComp', this object must be set
        to 'xformNONE'. For any other value of the corresponding
        instance of cipsXformSetSuite, this object must not be
        set to 'xformNONE'.
        "
    DEFVAL { xformNONE }
    ::= { cipsIPsecXformSetEntry 6 }


cipsXformSetCompressionXform OBJECT-TYPE
    SYNTAX CIPsecTransform
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the transform used to
        implement packet compression.

        If the value of the corresponding instance of
        cipsXformSetSuite is 'suiteConf', 'suiteIntegEsp',
        'suiteIntegAh', 'suiteConfAh', 'suiteIntegEspAhS',
        'suiteConfIntegEsp', 'suiteConfIntegEspAh' or
        'suiteOther', this object must be set to 'xformNONE'.
        For any other value of the corresponding instance of
        cipsXformSetSuite, this object must not be set to
        'xformNONE'.
        "
    DEFVAL { xformNONE }
    ::= { cipsIPsecXformSetEntry 7 }


cipsXformSetMode OBJECT-TYPE
    SYNTAX CIPsecEncapMode
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the encapsulation mode of the
        transform set.
        "
    DEFVAL { encapTunnel }
    ::= { cipsIPsecXformSetEntry 8 }

cipsXformSetStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the status of the
        transform set entry.
        "
    ::= { cipsIPsecXformSetEntry 9 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- IPsec Cryptomap Group
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
cipsNumStaticCryptomapSets OBJECT-TYPE
    SYNTAX CIPsecNumCryptoMaps
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object reflects the number of static cryptomap
        sets that are fully configured. Statically defined
        cryptomap sets are ones where the operator has fully
        specified all the parameters required to set up IPsec
        connections.
        "
    ::= { cipsCryptoMapGeneral 1 }

cipsNumDynamicCryptomapSets OBJECT-TYPE
    SYNTAX CIPsecNumCryptoMaps
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object reflects the number of dynamic IPsec
        policy templates (called dynamic cryptomap
        templates) that are fully configured.
        "
    ::= { cipsCryptoMapGeneral 2 }

cipsNumTEDCryptomapSets OBJECT-TYPE
    SYNTAX CIPsecNumCryptoMaps
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object reflects the number of static cryptomap
        sets that have at least one dynamic cryptomap template
        which has the Tunnel Endpoint Discovery (TED) enabled.
        "
    ::= { cipsCryptoMapGeneral 3 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Cisco IPsec Static Cryptomaps
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
cipsStaticCryptomapSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CipsStaticCryptomapSetEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This read-only table contains the list of all
        cryptomap sets that are fully configured.

        The operator may include different types of
        cryptomaps in such a set - manual, ISAKMP or
        dynamic.

        An entry is added to (removed from) this table
        automatically by the agent when the first (last)
        'active' entry with the corresponding
        cipsStaticCryptomapSetName is added to
        (removed from) cipsStaticCryptomapTable.
        "
    ::= { cipsCryptoMaps 1 }

cipsStaticCryptomapSetEntry OBJECT-TYPE
    SYNTAX CipsStaticCryptomapSetEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes
        associated with a single static cryptomap set.
        "
    INDEX { cipsStaticCryptomapSetName }
    ::= { cipsStaticCryptomapSetTable 1 }

CipsStaticCryptomapSetEntry ::= SEQUENCE {
    cipsStaticCryptomapSetSize Unsigned32,
    cipsStaticCryptomapSetNumIsakmp Unsigned32,
    cipsStaticCryptomapSetNumManual Unsigned32,
    cipsStaticCryptomapSetNumDynamic Unsigned32,
    cipsStaticCryptomapSetNumTED Unsigned32,
    cipsStaticCryptomapSetNumSAs Unsigned32
}

cipsStaticCryptomapSetSize OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object reflects the total number of cryptomap
        templates contained in this cryptomap set.
        "
    ::= { cipsStaticCryptomapSetEntry 1 }

cipsStaticCryptomapSetNumIsakmp OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object reflects the number of cryptomaps
        associated with this cryptomap set that use ISAKMP
        protocol to do key exchange.
        "
    ::= { cipsStaticCryptomapSetEntry 2 }

cipsStaticCryptomapSetNumManual OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object reflects the number of cryptomaps
        associated with this cryptomap set that require the
        operator to manually setup the keys and SPIs.
        "
    ::= { cipsStaticCryptomapSetEntry 3 }

cipsStaticCryptomapSetNumDynamic OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object reflects the number of dynamic
        cryptomap templates linked to this cryptomap set.
        "
    ::= { cipsStaticCryptomapSetEntry 4 }

cipsStaticCryptomapSetNumTED OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object reflects the number of dynamic
        cryptomap templates linked to this cryptomap set
        that have Tunnel Endpoint Discovery (TED) enabled.
        "
    ::= { cipsStaticCryptomapSetEntry 5 }

cipsStaticCryptomapSetNumSAs OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object reflects the number of IPsec Security
        Associations that are active and were setup using this
        cryptomap set.
        "
    ::= { cipsStaticCryptomapSetEntry 6 }

--
-- Cisco IPSec Static Cryptomap Table
--

cipsStaticCryptomapTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CipsStaticCryptomapEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table listing the member cryptomaps
        of the cryptomap sets that are configured
        on the managed entity.

        This table does not include the members
        of dynamic cryptomap sets that may be
        linked with the parent static cryptomap set.

        Deletion of a cipsStaticCryptomapEntry will
        fail if the cipsStaticCryptomapSetName this
        cipsStaticCryptomapEntry belongs to is referred
        by a cipsCryptomapSetIfEntry.
        "
    ::= { cipsCryptoMaps 3 }

cipsStaticCryptomapEntry OBJECT-TYPE
    SYNTAX CipsStaticCryptomapEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with a
        single static (fully specified) cryptomap entry,
        identified by its priority.
        "
    INDEX { cipsStaticCryptomapSetName,
            cipsStaticCryptomapPriority }
    ::= { cipsStaticCryptomapTable 1}

CipsStaticCryptomapEntry ::= SEQUENCE {
    cipsStaticCryptomapSetName SnmpAdminString,
    cipsStaticCryptomapPriority Unsigned32,
    cipsStaticCryptomapType CIPsecCryptomapType,
    cipsStaticCryptomapDescr SnmpAdminString,
    cipsStaticCryptomapIpFilter OCTET STRING,
    cipsStaticCryptomapXformSetList OCTET STRING,
    cipsStaticCryptomapNumPeers Unsigned32,
    cipsStaticCryotomapNextPIndex Unsigned32,
    cipsStaticCryptomapCurPAddrType InetAddressType,
    cipsStaticCryptomapCurPAddr InetAddress,
    cipsStaticCryptomapPfs CIPsecDiffHellmanGrp,
    cipsStaticCryptomapLifetime CIPsecLifetime,
    cipsStaticCryptomapLifesize CIPsecLifesize,
    cipsStaticCryptomapLevelHost TruthValue,
    cipsStaticCryptomapIdleTimeout CIPsecTunnelIdleTime,
    cipsStaticCryptomapAutoPeer TruthValue,
    cipsStaticCryptomapStatus RowStatus
}

cipsStaticCryptomapSetName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..80))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The index of the static cryptomap table. The value
        of the string is the name string assigned by the
        NMS when defining a cryptomap set.
        "
    ::= { cipsStaticCryptomapEntry 1 }

cipsStaticCryptomapPriority OBJECT-TYPE
    SYNTAX Unsigned32 (1..65535)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The priority of the cryptomap entry in the
        cryptomap set. A cryptomap entry with smaller
        cipsStaticCryptomapPriority value takes
        precedence over the ones with larger values.
        "
    ::= { cipsStaticCryptomapEntry 2 }

cipsStaticCryptomapType OBJECT-TYPE
    SYNTAX CIPsecCryptomapType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The type of the cryptomap entry. This can be an ISAKMP
        cryptomap or manual. Dynamic cryptomaps are not
        counted in this table.
        "
    ::= { cipsStaticCryptomapEntry 3 }

cipsStaticCryptomapDescr OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..127))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The description string created by the SNMP agent
        while creating this cryptomap. The string generally
        identifies a description and the purpose of this
        policy.
        "
    ::= { cipsStaticCryptomapEntry 4 }

cipsStaticCryptomapIpFilter OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..64))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object specifies an IP protocol filter,
        cippfIpProfileName
        (defined in CISCO-IP-PROTOCOL-FILTER-MIB),
        to be secured using this cryptomap entry.

        When this object has a value of zero-length
        string, this object is not valid/applicable.
        "
    ::= { cipsStaticCryptomapEntry 5 }

cipsStaticCryptomapXformSetList OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..255))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The list of cipsXformSetId that are members
        of this CipsStaticCryptomapEntry.

        The value of this object is a concatenation of zero or
        more 4-octet strings, where each 4-octet string contains
        a 32-bit cipsXformSetId value in network byte order.

        A zero length string value means this list has no
        members.
        "
    ::= { cipsStaticCryptomapEntry 6 }

cipsStaticCryptomapNumPeers OBJECT-TYPE
    SYNTAX Unsigned32 (0..50)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object reflects the number of peers associated
        with this cryptomap entry. The other peers listed in
        table cipsIPsecCryMapPeerTable are backup peers.
        "
    ::= { cipsStaticCryptomapEntry 7 }

cipsStaticCryotomapNextPIndex OBJECT-TYPE
    SYNTAX Unsigned32 (1..50)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object specifies the next available index for object
        cipsCryMapPeerIndex which can be used for
        creating an entry in cipsIPsecCryMapPeerTable.
        "
    ::= { cipsStaticCryptomapEntry 8 }


cipsStaticCryptomapCurPAddrType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object represents the address type of
        cipsStaticCryptomapCurPAddr to which this cryptomap
        entry is currently connected.
        "
    ::= { cipsStaticCryptomapEntry 9 }

cipsStaticCryptomapCurPAddr OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the peer to which this cryptomap
        entry is currently connected.

        The value of cipsStaticCryptomapCurPAddrType is
        'unknown' and this MIB object is a zero-length
        string when no tunnels are presently spawned by this
        cryptomap entry or when cipsStaticCryptomapAutoPeer is
        equal to 'true'.
        "
    ::= { cipsStaticCryptomapEntry 10 }

cipsStaticCryptomapPfs OBJECT-TYPE
    SYNTAX CIPsecDiffHellmanGrp
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object identifies if the tunnels instantiated
        due to this policy item should use Perfect Forward
        Secrecy (PFS) and if so, what group of Oakley
        they should use.
        "
    ::= { cipsStaticCryptomapEntry 11 }

cipsStaticCryptomapLifetime OBJECT-TYPE
    SYNTAX CIPsecLifetime
    UNITS "seconds"
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object specifies the lifetime of the IPsec
        Security Associations (SA) created using this IPsec
        policy entry.

        The default value of this object is the current value
        of the object cipsTunnelLifetime. When a value 0
        is specified in cipsStaticCryptomapLifetime,
        the default value is used as the lifetime.
        "
    ::= { cipsStaticCryptomapEntry 12 }

cipsStaticCryptomapLifesize OBJECT-TYPE
    SYNTAX CIPsecLifesize
    UNITS "KBytes"
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object identifies the lifesize (maximum traffic
        in bytes that may be carried) of the IPSec SAs
        created using this IPSec policy entry.
        When a Security Association (SA) is created using
        this IPsec policy entry, its lifesize takes the value
        of this object.

        The default value of this object is the current value
        of the object cipsTunnelLifesize. When a value 0
        is specified in cipsStaticCryptomapLifesize,
        the default value is used as the lifesize.
        "
    ::= { cipsStaticCryptomapEntry 13 }

cipsStaticCryptomapLevelHost OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object specifies the granularity of the
        IPSec SAs created using this IPSec policy entry.
        If this value is 'true', distinct SA bundles are
        created for distinct hosts at the end of
        the application traffic.
        "
    DEFVAL { false }
    ::= { cipsStaticCryptomapEntry 14 }

cipsStaticCryptomapIdleTimeout OBJECT-TYPE
    SYNTAX CIPsecTunnelIdleTime
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object specifies the idle time (lack of traffic)
        in seconds of a tunnel spawned by this cryptomap after
        which the tunnel will be torn down.

        The default value of this object is the current value
        of cipsTunnelIdleTimeout.
        "
    ::= { cipsStaticCryptomapEntry 15 }

cipsStaticCryptomapAutoPeer OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "If 'true' the destination address is taken as the
        peer address, while creating the tunnel.
        If 'false' the value shown by the object
        cipsStaticCryptomapCurPAddr is being used as
        the peer address.
        "
    DEFVAL { false }
    ::= { cipsStaticCryptomapEntry 16 }

cipsStaticCryptomapStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object identifies the status of the cryptomap
        entry represented by this conceptual row.
        "
    ::= { cipsStaticCryptomapEntry 17 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- IPsec Cryptomap Peer binding table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++

cipsIPsecCryMapPeerTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CipsIPsecCryMapPeerEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing the binding of peers to
        cryptomap entries.

        An entry is removed from this table
        automatically by the agent when the last
        'active' entry with the corresponding
        cipsStaticCryptomapSetName is removed from
        cipsStaticCryptomapTable.
        "
    ::= { cipsCryptoMaps 4 }

cipsIPsecCryMapPeerEntry OBJECT-TYPE
    SYNTAX CipsIPsecCryMapPeerEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry represents the binding of
        an IPsec peer address to the specified
        cryptomap.
        "
    INDEX {
        cipsStaticCryptomapSetName,
        cipsStaticCryptomapPriority,
        cipsCryMapPeerIndex
    }
    ::= { cipsIPsecCryMapPeerTable 1 }

CipsIPsecCryMapPeerEntry ::= SEQUENCE {
    cipsCryMapPeerIndex Unsigned32,
    cipsCryMapPeerAddrType InetAddressType,
    cipsCryMapPeerAddr InetAddress,
    cipsCryMapPeerOrder Unsigned32,
    cipsCryMapPeerStatus RowStatus
}

cipsCryMapPeerIndex OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This arbitrary number represents the index number
        in the cryptomap entry of the peer corresponding
        to this conceptual row.

        This object could have the same value as
        cipsStaticCryotomapNextPIndex.
        "
    ::= { cipsIPsecCryMapPeerEntry 1 }

cipsCryMapPeerAddrType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the address type of
        cipsCryMapPeerAddr.

        This object cannot be modified while the corresponding
        value of cipsCryMapPeerStatus is equal to
        'active'.
        "
    ::= { cipsIPsecCryMapPeerEntry 2 }

cipsCryMapPeerAddr OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the address of the peer
        corresponding to this conceptual row.

        This object cannot be modified while the corresponding
        value of cipsCryMapPeerStatus is equal to
        'active'.
        "
    ::= { cipsIPsecCryMapPeerEntry 3 }

cipsCryMapPeerOrder OBJECT-TYPE
    SYNTAX Unsigned32 (1..50)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object represents the order in the cryptomap
        entry of the peer corresponding to this
        conceptual row.

        The peer with the lowest order number is applied
        first, that is cipsCryMapPeerOrder '1'.
        "
    ::= { cipsIPsecCryMapPeerEntry 4 }

cipsCryMapPeerStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object specifies the status column used for
        creating and deleting instances of the columnar
        objects in the table.
        "
    ::= { cipsIPsecCryMapPeerEntry 5 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Cisco IPsec Cryptomap Set IF Binding Table
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
cipsCryptomapSetIfTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CipsCryptomapSetIfEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table lists the binding of cryptomap sets
        to the interfaces of the managed entity.
        One interface can be bound to only one cryptomap set
        while one cryptomap set can be bound to multiple
        interfaces.

        Any interface (with any ifType) which supports
        IPsec can be used in this table.
        "
    ::= { cipsCryptoMaps 5 }

cipsCryptomapSetIfEntry OBJECT-TYPE
    SYNTAX CipsCryptomapSetIfEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry lists the association between an interface
        and a cryptomap set (static) that is defined
        on the managed entity.
        "
    INDEX { cipsStaticCryptomapSetName, ifIndex }
    ::= { cipsCryptomapSetIfTable 1}

CipsCryptomapSetIfEntry ::= SEQUENCE {
    cipsCryptomapSetIfStatus RowStatus
}

cipsCryptomapSetIfStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object identifies the status of the binding
        of the specified cryptomap set with the specified
        interface.

        Detaching a cryptomap from an interface:
        ----------------------------------------
        When set to 'destroy', if a cryptomap set is
        attached to the interface corresponding to
        ifIndex, the cryptomap set is detached from
        the interface.

        Attaching a cryptomap to an interface:
        ----------------------------------------
        If the value 'createAndGo' is set:
        a row in this table can be created only if it identifies
        a cryptomap which is represented by an entry in
        cipsStaticCryptomapSetTable.
        "
    ::= { cipsCryptomapSetIfEntry 1 }

cipsIfCryptomapSetInfoTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CipsIfCryptomapSetInfoEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table lists the binding information of a
        interface to a cryptomap sets on the managed entity.
        One interface can be bound to only one cryptomap set
        while one cryptomap set can be bound to multiple
        interfaces.

        An entry is added to cipsIfCryptomapSetInfoTable when
        a static cryptomap set is successfully assigned to an
        interface (of any ifType) in cipsCryptomapSetIfTable.
        An entry is deleted from cipsIfCryptomapSetInfoTable
        when its assignment is removed
        from cipsIfCryptomapSetInfoTable.
        "
    ::= { cipsCryptoMaps 6 }

cipsIfCryptomapSetInfoEntry OBJECT-TYPE
    SYNTAX CipsIfCryptomapSetInfoEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry lists the binding between an interface
        and a cryptomap set (static) that is defined
        on the managed entity.
        "
    INDEX { ifIndex }
    ::= { cipsIfCryptomapSetInfoTable 1 }

CipsIfCryptomapSetInfoEntry ::= SEQUENCE {
    cipsIfStaticCryptomapSetName SnmpAdminString
}

cipsIfStaticCryptomapSetName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..80))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The name of a static cryptomap set which is bound
        to this interface. The value of the string is one of
        the entries in cipsStaticCryptomapSetTable indexed by
        cipsStaticCryptomapSetName.
        "
    ::= { cipsIfCryptomapSetInfoEntry 1 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- IPsec TRAP Control Group
-- This group of objects controls the emission of traps
-- corresponding to changes in IPsec configuration.
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
cipsCntlAllNotifs OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object must be set to 'true' to enable any
        notification in addition to the notification-specific
        control variables defined below.

        A notification <foo> defined in this module is
        enabled if and only if the expression

        (cipsCntlAllNotifs && cipsCntl<foo>)

        evaluates to 'true'.
        "
    DEFVAL      { true }
    ::= { cipsNotificationCntl 1 }

cipsCntlCryptomapAdded OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This variable controls the generation of
        ciscoIPsecProvCryptomapAdded notification.

        When this variable is set to 'true', a notification
        is generated when a static cryptomap is created
        in cipsStaticCryptomapTable.
        When this variable is set to 'false',
        generation of this notification is disabled.
        "
    DEFVAL      { true }
    ::= { cipsNotificationCntl 2 }

cipsCntlCryptomapDeleted OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This variable controls the generation of
        ciscoIPsecProvCryptomapDeleted notification.

        When this variable is set to 'true', a notification
        is generated when a static cryptomap is deleted from
        cipsStaticCryptomapTable.
        When this variable is set to 'false',
        generation of this notification is disabled.
        "
    DEFVAL      { true }
    ::= { cipsNotificationCntl 3 }

cipsCntlCryptomapSetAttached OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This variable controls the generation of
        ciscoIPsecProvCryptomapAttached notification.

        When this variable is set to 'true', a notification
        is generated when a cryptomap set is attached to an
        active interface.
        When this variable is set to 'false', generation of
        this notification is disabled.
        "
    DEFVAL      { true }
    ::= { cipsNotificationCntl 4 }

cipsCntlCryptomapSetDetached OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This variable controls the generation of
        ciscoIPsecProvCryptomapDetached notification.

        When this variable is set to 'true', a notification
        is generated when a cryptomap set is detached from
        an active interface.
        When this variable is set to 'false', generation of
        this notification is disabled.
        "
    DEFVAL      { true }
    ::= { cipsNotificationCntl 5 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Cisco-specific IPsec Notifications
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
ciscoIPsecProvCryptomapAdded NOTIFICATION-TYPE
    OBJECTS {
        cipsStaticCryptomapType,
        cipsStaticCryptomapSetSize
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when a new cryptomap
        is added to the specified cryptomap set. Object
        'cipsStaticCryptomapSetSize' contains the number of
        cryptomap entries after the addition.
        "
    ::= { ciscoIPsecProvisioningMIBNotifs 1 }

ciscoIPsecProvCryptomapDeleted NOTIFICATION-TYPE
    OBJECTS {
        cipsStaticCryptomapSetSize
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when a cryptomap is
        removed from the specified cryptomap set. Object
        'cipsStaticCryptomapSetSize' contains the number of
        cryptomap entries after the deletion.
        "
    ::= { ciscoIPsecProvisioningMIBNotifs 2 }

ciscoIPsecProvCryptomapAttached NOTIFICATION-TYPE
    OBJECTS {
        cipsStaticCryptomapSetSize,
        cipsStaticCryptomapSetNumIsakmp,
        cipsStaticCryptomapSetNumDynamic
    }
    STATUS      current
    DESCRIPTION
        "A cryptomap set must be attached to an interface
        of the device in order for it to be operational.
        This trap is generated when the cryptomap set is
        attached to an active interface of
        the managed entity.

        The contents of the notification include:
        Size of the attached cryptomap set,
        Number of ISAKMP cryptomaps in the set and
        Number of Dynamic cryptomaps in the set.
        "
    ::= { ciscoIPsecProvisioningMIBNotifs 3 }

ciscoIPsecProvCryptomapDetached NOTIFICATION-TYPE
    OBJECTS {
        cipsStaticCryptomapSetSize
    }
    STATUS      current
    DESCRIPTION
        "This trap is generated when a cryptomap set is
        detached from an interface to which it was bound
        earlier. The context of the event identifies the
        size of the cryptomap set.
        "
    ::= { ciscoIPsecProvisioningMIBNotifs 4 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Conformance Information
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
ciscoIPsecProvMIBCompliances OBJECT IDENTIFIER
    ::= { ciscoIPsecProvisioningMIBConform 1 }

ciscoIPsecProvMIBGroups OBJECT IDENTIFIER
    ::= { ciscoIPsecProvisioningMIBConform 2 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Compliance Statements
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
ciscoIPsecProvMIBCompliance MODULE-COMPLIANCE
    STATUS      deprecated -- superseded by
                           -- ciscoIPsecProvMIBComplianceRev1
    DESCRIPTION
        "The compliance statement for entities which
        implement the Cisco IPsec Provisioning MIB.
        "
    MODULE      -- this module
    MANDATORY-GROUPS {
        ciscoIPsecProvGlobalsGroup,
        ciscoIPsecProvXformsGroup,
        ciscoIPsecProvStCryptomapGroup,
        ciscoIPsecCryptomapPeerGroup,
        ciscoIPsecProvNotifCntlGroup
    }

    GROUP       ciscoIPsecProvDynCryptomapGroup
    DESCRIPTION
        "This group must be implemented if the
        IKE implementation on the managed entity
        implements dynamic cryptomaps.
        "

    GROUP       ciscoIPsecProvTedCryptomapGroup
    DESCRIPTION
        "This group must be implemented if the
        IKE implementation on the managed entity
        implements tunnel endpoint discovery.
        "

    GROUP       ciscoIPsecProvNotifGroup
    DESCRIPTION
        "This group is optional.
        "

    OBJECT      cipsTunnelLifetime
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsTunnelLifesize
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsTunnelIdleTimeout
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsCntlAllNotifs
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsCntlCryptomapAdded
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsCntlCryptomapDeleted
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsCntlCryptomapSetAttached
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsCntlCryptomapSetDetached
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsXformSetMode
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapIpFilter
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapXformSetList
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapPfs
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapLifetime
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapLifesize
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapLevelHost
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapIdleTimeout
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapAutoPeer
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsXformSetStatus
    SYNTAX      INTEGER {
                    active(1),
                    createAndGo(4),
                    destroy(6)
                }
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.

        If write access is implemented, only three values
        'createAndGo', 'destroy' and 'active' out of the
        six enumerated values need to be supported.
        "

    OBJECT      cipsStaticCryptomapStatus
    SYNTAX      INTEGER {
                    active(1),
                    createAndGo(4),
                    destroy(6)
                }
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.

        If write access is implemented, only three values
        'createAndGo', 'destroy' and 'active' out of the
        six enumerated values need to be supported.
        "

    OBJECT      cipsCryMapPeerStatus
    SYNTAX      INTEGER {
                    active(1),
                    createAndGo(4),
                    destroy(6)
                }
    MIN-ACCESS  read-only
    DESCRIPTION
        "Only three values 'createAndGo', 'destroy' and
        'active' out of the six enumerated values need to
        be supported.

        Write access is not required.
        "

    OBJECT      cipsCryptomapSetIfStatus
    SYNTAX      INTEGER {
                    active(1),
                    createAndGo(4),
                    destroy(6)
                }
    MIN-ACCESS  read-only
    DESCRIPTION
        "Only three values 'createAndGo', 'destroy' and
        'active' out of the six enumerated values need to
        be supported.

        Write access is not required.
        "

    ::= { ciscoIPsecProvMIBCompliances 1 }

ciscoIPsecProvMIBComplianceRev1 MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for entities which
        implement the Cisco IPsec Provisioning MIB.
        "
    MODULE      -- this module
    MANDATORY-GROUPS {
        ciscoIPsecProvGlobalsGroup,
        ciscoIPsecProvXformsGroup,
        ciscoIPsecProvStCryptomapGroup,
        ciscoIPsecCryptomapPeerGroup,
        ciscoIPsecProvNotifCntlGroup,
        ciscoIPsecProvInfoGroup
    }

    GROUP       ciscoIPsecProvDynCryptomapGroup
    DESCRIPTION
        "This group must be implemented if the
        IKE implementation on the managed entity
        implements dynamic cryptomaps.
        "

    GROUP       ciscoIPsecProvTedCryptomapGroup
    DESCRIPTION
        "This group must be implemented if the
        IKE implementation on the managed entity
        implements tunnel endpoint discovery.
        "

    GROUP       ciscoIPsecProvNotifGroup
    DESCRIPTION
        "This group is optional.
        "

    OBJECT      cipsTunnelLifetime
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsTunnelLifesize
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsTunnelIdleTimeout
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsCntlAllNotifs
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsCntlCryptomapAdded
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsCntlCryptomapDeleted
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsCntlCryptomapSetAttached
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsCntlCryptomapSetDetached
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsXformSetMode
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapIpFilter
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapXformSetList
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapPfs
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapLifetime
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapLifesize
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapLevelHost
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapIdleTimeout
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsStaticCryptomapAutoPeer
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      cipsXformSetStatus
    SYNTAX      INTEGER {
                    active(1),
                    createAndGo(4),
                    destroy(6)
                }
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.

        If write access is implemented, only three values
        'createAndGo', 'destroy' and 'active' out of the
        six enumerated values need to be supported.
        "

    OBJECT      cipsStaticCryptomapStatus
    SYNTAX      INTEGER {
                    active(1),
                    createAndGo(4),
                    destroy(6)
                }
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.

        If write access is implemented, only three values
        'createAndGo', 'destroy' and 'active' out of the
        six enumerated values need to be supported.
        "

    OBJECT      cipsCryMapPeerStatus
    SYNTAX      INTEGER {
                    active(1),
                    createAndGo(4),
                    destroy(6)
                }
    MIN-ACCESS  read-only
    DESCRIPTION
        "Only three values 'createAndGo', 'destroy' and
        'active' out of the six enumerated values need to
        be supported.

        Write access is not required.
        "

    OBJECT      cipsCryptomapSetIfStatus
    SYNTAX      INTEGER {
                    active(1),
                    createAndGo(4),
                    destroy(6)
                }
    MIN-ACCESS  read-only
    DESCRIPTION
        "Only three values 'createAndGo', 'destroy' and
        'active' out of the six enumerated values need to
        be supported.

        Write access is not required.
        "

    ::= { ciscoIPsecProvMIBCompliances 2 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Units of Conformance
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
ciscoIPsecProvGlobalsGroup OBJECT-GROUP
    OBJECTS {
        cipsTunnelLifetime,
        cipsTunnelLifesize,
        cipsTunnelIdleTimeout
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing Global
        IPSec policy monitoring capability to an
        IPsec capable VPN router.
        "
    ::= { ciscoIPsecProvMIBGroups 1 }

ciscoIPsecProvXformsGroup OBJECT-GROUP
    OBJECTS {
        cipsXformSetId,
        cipsXformSetMode,
        cipsXformSetSuite,
        cipsXformSetEncryptionXform,
        cipsXformSetIntegrityXformEsp,
        cipsXformSetIntegrityXformAh,
        cipsXformSetCompressionXform,
        cipsXformSetStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects modeling IPsec
        transform sets and transform set mappings."
    ::= { ciscoIPsecProvMIBGroups 2 }

ciscoIPsecProvStCryptomapGroup OBJECT-GROUP
    OBJECTS {
        cipsNumStaticCryptomapSets,
        cipsStaticCryptomapSetSize,
        cipsStaticCryptomapSetNumIsakmp,
        cipsStaticCryptomapSetNumManual,
        cipsStaticCryptomapSetNumDynamic,
        cipsStaticCryptomapSetNumTED,
        cipsStaticCryptomapSetNumSAs,
        --
        cipsStaticCryptomapType,
        cipsStaticCryptomapDescr,
        cipsStaticCryptomapIpFilter,
        cipsStaticCryptomapXformSetList,
        cipsStaticCryptomapNumPeers,
        cipsStaticCryotomapNextPIndex,
        cipsStaticCryptomapCurPAddrType,
        cipsStaticCryptomapCurPAddr,
        cipsStaticCryptomapPfs,
        cipsStaticCryptomapLifetime,
        cipsStaticCryptomapLifesize,
        cipsStaticCryptomapLevelHost,
        cipsStaticCryptomapIdleTimeout,
        cipsStaticCryptomapStatus,
        cipsStaticCryptomapAutoPeer,
        --
        cipsCryMapPeerStatus,
        --
        cipsCryptomapSetIfStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects modeling static
        crypto configuration of the Static (fully specified)
        Cryptomap Sets on the managed entity.
        "
    ::= { ciscoIPsecProvMIBGroups 3 }

ciscoIPsecProvDynCryptomapGroup OBJECT-GROUP
    OBJECTS {
        cipsNumDynamicCryptomapSets
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects modeling the configuration
        of IPsec dynamic cryptomap elements.
        "
    ::= { ciscoIPsecProvMIBGroups 4 }

ciscoIPsecProvTedCryptomapGroup OBJECT-GROUP
    OBJECTS {
        cipsNumTEDCryptomapSets
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects instrumenting the
        properties of the Cryptomaps using tunnel
        endpoint discovery protocol."
    ::= { ciscoIPsecProvMIBGroups 5 }

ciscoIPsecCryptomapPeerGroup OBJECT-GROUP
    OBJECTS {
        cipsCryMapPeerAddrType,
        cipsCryMapPeerAddr,
        cipsCryMapPeerOrder
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects displaying the
        binding of an IPsec peer address to the specified
        cryptomap.
        "
    ::= { ciscoIPsecProvMIBGroups 6 }

ciscoIPsecProvNotifCntlGroup OBJECT-GROUP
    OBJECTS {
        cipsCntlAllNotifs,
        cipsCntlCryptomapAdded,
        cipsCntlCryptomapDeleted,
        cipsCntlCryptomapSetAttached,
        cipsCntlCryptomapSetDetached
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing IPsec
        Notification capability to an IPsec-capable
        router. It is mandatory to implement
        this set of objects pertaining to
        IOS notifications about IPSec activity.
        "
    ::= { ciscoIPsecProvMIBGroups 7 }

ciscoIPsecProvNotifGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        ciscoIPsecProvCryptomapDetached,
        ciscoIPsecProvCryptomapAttached,
        ciscoIPsecProvCryptomapDeleted,
        ciscoIPsecProvCryptomapAdded
    }
    STATUS      current
    DESCRIPTION
        "A collection of notification objects signaling
        changes to the IPsec configuration on the managed
        entity.
        "
    ::= { ciscoIPsecProvMIBGroups 8 }

ciscoIPsecProvInfoGroup OBJECT-GROUP
    OBJECTS {
        cipsIfStaticCryptomapSetName
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing current IPsec
        configuration information on the managed entity.
        "
    ::= { ciscoIPsecProvMIBGroups 9 }

END
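
An added example (not part of the Cisco MIB or of this repository): a Python audit that applies the `(cipsCntlAllNotifs && cipsCntl<foo>)` rule from the trap control group and diffs two polls of `cipsIfStaticCryptomapSetName` to find cryptomap binding changes that no notification would have reported. The snapshots are constructed sample data keyed by object name; how they are collected from the device, and the cryptomap set names, are assumptions.

```python
TRUE, FALSE = 1, 2  # SNMPv2-TC TruthValue: true(1), false(2)

# Control object -> notification it gates, using the names defined in this MIB.
CONTROLS = {
    "cipsCntlCryptomapAdded": "ciscoIPsecProvCryptomapAdded",
    "cipsCntlCryptomapDeleted": "ciscoIPsecProvCryptomapDeleted",
    "cipsCntlCryptomapSetAttached": "ciscoIPsecProvCryptomapAttached",
    "cipsCntlCryptomapSetDetached": "ciscoIPsecProvCryptomapDetached",
}

def enabled_notifications(scalars):
    """Evaluate (cipsCntlAllNotifs && cipsCntl<foo>) for each notification.
    Audit choice (assumption): an object missing from the poll counts as
    not enabled, because its state could not be confirmed."""
    master = scalars.get("cipsCntlAllNotifs") == TRUE
    return {notif: master and scalars.get(ctl) == TRUE
            for ctl, notif in CONTROLS.items()}

def binding_changes(before, after):
    """Diff two polls of cipsIfStaticCryptomapSetName, keyed by ifIndex."""
    events = []
    for if_index in sorted(set(before) | set(after)):
        old, new = before.get(if_index), after.get(if_index)
        if old == new:
            continue
        if old is None:
            events.append((if_index, "attached", new))
        elif new is None:
            events.append((if_index, "detached", old))
        else:
            # One interface binds to one set, so a changed name is read here
            # as a detach followed by an attach (interpretation, not MIB text).
            events.append((if_index, "rebound", f"{old}->{new}"))
    return events

def audit(scalars, before, after):
    """List each binding change and the notifications that were disabled for it."""
    enabled = enabled_notifications(scalars)
    findings = []
    for if_index, kind, detail in binding_changes(before, after):
        needed = []
        if kind in ("detached", "rebound"):
            needed.append("ciscoIPsecProvCryptomapDetached")
        if kind in ("attached", "rebound"):
            needed.append("ciscoIPsecProvCryptomapAttached")
        findings.append({"ifIndex": if_index, "change": kind, "detail": detail,
                         "untrapped": [n for n in needed if not enabled[n]]})
    return findings

# Constructed sample polls (not taken from any real device).
SAMPLE_SCALARS = {
    "cipsCntlAllNotifs": TRUE,
    "cipsCntlCryptomapAdded": TRUE,
    "cipsCntlCryptomapDeleted": TRUE,
    "cipsCntlCryptomapSetAttached": TRUE,
    "cipsCntlCryptomapSetDetached": FALSE,  # detach traps switched off
}
SAMPLE_BEFORE = {3: "VPN-EDGE", 7: "VPN-BRANCH"}
SAMPLE_AFTER = {3: "VPN-EDGE", 9: "VPN-BRANCH"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCALARS, SAMPLE_BEFORE, SAMPLE_AFTER):
        print(finding)
```

Because the notifications are documented as firing only for active interfaces and can be disabled through read-write objects, periodic polling of the binding table gives an independent record of detach events.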