-- -- * $Source$ -- *------------------------------------------------------------------ -- * CISCO-IPSEC-MIB.my: IOS-Specific IPSec Configuration -- Monitoring MIB -- * -- * April 2000, S Ramakrishnan -- * -- * Copyright (c) 2000 by cisco Systems, Inc. -- * All rights reserved. -- * -- *------------------------------------------------------------------ CISCO-IPSEC-MIB DEFINITIONS ::= BEGIN -- PREFACE: -- CISCO-IPSEC MIB Module defines Cisco -- implementation-specific metrics -- useful in managing IPsec VPNs on -- Cisco boxes. This is to be used as a -- supplement to the standard IPsec MIB -- proposed by Cisco. -- DISCLAIMER: -- Caution. This MIB is temporary and experimental. -- In the future it will be removed from products, -- perhaps with short notice, in favor of more standard -- or generic MIBs. Application developers should not -- depend on long-term access to this MIB. -- RELATIONSHIP TO CLI: -- Information contained in all the MIB elements defined -- in this module are affected by CLI operations, EXCEPT -- where it is explicitly noted to the contrary. IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Counter32, Gauge32, Integer32 FROM SNMPv2-SMI MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF DisplayString, TruthValue, TEXTUAL-CONVENTION FROM SNMPv2-TC ifIndex FROM IF-MIB -- FROM RFC1213-MIB ciscoExperiment FROM CISCO-SMI; ciscoIPsecMIB MODULE-IDENTITY LAST-UPDATED "200008071139Z" ORGANIZATION "Cisco Systems, Inc." CONTACT-INFO " Cisco Systems Enterprise Business Management Unit Postal: 170 W Tasman Drive San Jose, CA 95134 USA Tel: +1 800 553-NETS E-mail: cs-ipsecurity@cisco.com" DESCRIPTION "The MIB module for modeling Cisco-specific IPsec attributes Overview of Cisco IPsec MIB MIB description This MIB models the Cisco implementation-specific attributes of a Cisco entity that implements IPsec. This MIB is complementary to the standard IPsec MIB proposed jointly by Tivoli and Cisco. 
The ciscoIPsec MIB provides the operational information on Cisco's IPsec tunnelling implementation. The following entities are managed: 1) ISAKMP Group: a) ISAKMP global parameters b) ISAKMP Policy Table 2) IPSec Group: a) IPSec Global Parameters b) IPSec Global Traffic Parameters c) Cryptomap Group - Cryptomap Set Table - Cryptomap Table - CryptomapSet Binding Table 3) System Capacity & Capability Group: a) Capacity Parameters b) Capability Parameters 4) Trap Control Group 5) Notifications Group"
    ::= { ciscoExperiment 62 }

--
-- Textual Conventions
--
CIPsecLifetime ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "Value in units of seconds"
    SYNTAX Gauge32(120..86400)

CIPsecLifesize ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "Value in units of kilobytes"
    SYNTAX Gauge32(2560..536870912)

CIPsecNumCryptoMaps ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "Integral units representing count of cryptomaps"
    SYNTAX Gauge32(0..2147483647)

CryptomapType ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The type of a cryptomap entry. Cryptomap is a unit of IOS IPSec policy specification."
    SYNTAX INTEGER { cryptomapTypeNONE(0), cryptomapTypeMANUAL(1), cryptomapTypeISAKMP(2), cryptomapTypeCET(3), cryptomapTypeDYNAMIC(4), cryptomapTypeDYNAMICDISCOVERY(5) }

CryptomapSetBindStatus ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The status of the binding of a cryptomap set to the specified interface. The value when queried is always 'attached'. When set to 'detached', the cryptomap set is detached from the specified interface. Setting the value to 'attached' will result in SNMP General Error."
    SYNTAX INTEGER { unknown(0), attached(1), detached(2) }

IPSIpAddress ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "An IP V4 or V6 Address."
    SYNTAX OCTET STRING(SIZE(4 | 16))  -- IP V4 or V6 Address

IkeHashAlgo ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The hash algorithm used in IPsec Phase-1 IKE negotiations."
SYNTAX INTEGER { none(1), md5(2), sha(3) }
-- (The SYNTAX above completes IkeHashAlgo, whose header precedes this
-- point; md5 and sha are the only hash values the TC can express.)

-- Peer authentication method of an ISAKMP policy; referenced by
-- cipsIsakmpPolAuth.
IkeAuthMethod ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The authentication method used in IPsec Phase-1 IKE negotiations."
    SYNTAX INTEGER { none(1), preSharedKey(2), rsaSig(3), rsaEncrypt(4), revPublicKey(5) }

-- Identity type the local entity presents in Main Mode; referenced by
-- cipsIsakmpIdentity. Only address and hostname identities (plus an
-- unknown value) are representable.
IkeIdentityType ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The type of identity used by the local entity to identity itself to the peer with which it performs IPSec Main Mode negotiations. This type decides the content of the Identification payload in the Main Mode of IPSec tunnel setup."
    SYNTAX INTEGER { isakmpIdTypeUNKNOWN(0), isakmpIdTypeADDRESS(1), isakmpIdTypeHOSTNAME(2) }

-- Diffie-Hellman (Oakley) group. Used for the Phase-1 group
-- (cipsIsakmpPolGroup) and for the PFS group of a static cryptomap
-- (cipsStaticCryptomapPfs), where none(1) presumably means PFS is not
-- requested; confirm against the agent. Only groups 1 and 2 have values,
-- so a policy negotiated with any other group cannot be reported through
-- this TC.
DiffHellmanGrp ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The Diffie Hellman Group used in negotiations."
    SYNTAX INTEGER { none(1), dhGroup1(2), dhGroup2(3) }

-- Encryption transform of an ISAKMP policy (cipsIsakmpPolEncr). Only DES
-- and 3DES have values; whether the entity can run des3 is reported by
-- cips3DesCapable. Any other cipher cannot be reported through this TC.
EncryptAlgo ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The encryption algorithm used in negotiations."
    SYNTAX INTEGER { none(1), des(2), des3(3) }

-- Administrative on/off switch used by each cipsCntl* trap-control object.
TrapStatus ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The administrative status for sending a TRAP."
SYNTAX INTEGER { enabled(1), disabled(2) }

-- Objects, Notifications & Conformances
ciscoIPsecMIBObjects OBJECT IDENTIFIER ::= { ciscoIPsecMIB 1 }
ciscoIPsecMIBNotificationPrefix OBJECT IDENTIFIER ::= {ciscoIPsecMIB 2}
ciscoIPsecMIBConformance OBJECT IDENTIFIER ::= {ciscoIPsecMIB 3}

--
-- Cisco IPSec MIB Object Groups
--
-- This MIB module contains the following groups:
-- 1) Cisco ISAKMP Group
-- 2) Cisco IPSec Group
--    2a) Cisco IPSec Global Parameters
--    2b) Cisco IPSec Statistics
--    2c) Cisco IPSec Cryptomap Group
--        (i) Statically Defined Cryptomap Sets
--        (ii) Wild-carded Cryptomap Sets (Dynamic templates)
-- 3) Cisco IPsec Notifications Group
-- 4) Module Conformance
--
cipsIsakmpGroup OBJECT IDENTIFIER ::= { ciscoIPsecMIBObjects 1 }
cipsIPsecGroup OBJECT IDENTIFIER ::= { ciscoIPsecMIBObjects 2 }
cipsIPsecGlobals OBJECT IDENTIFIER ::= { cipsIPsecGroup 1 }
cipsIPsecStatistics OBJECT IDENTIFIER ::= { cipsIPsecGroup 2 }
cipsCryptomapGroup OBJECT IDENTIFIER ::= { cipsIPsecGroup 3 }
cipsSysCapacityGroup OBJECT IDENTIFIER ::= { ciscoIPsecMIBObjects 3 }
cipsTrapCntlGroup OBJECT IDENTIFIER ::= { ciscoIPsecMIBObjects 4 }

--
--
-- IOS ISAKMP Configuration Section
--
--
cipsIsakmpEnabled OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of this object is TRUE if ISAKMP has been enabled on the managed entity. Otherwise the value of this object is FALSE."
    ::= { cipsIsakmpGroup 1 }

cipsIsakmpIdentity OBJECT-TYPE
    SYNTAX IkeIdentityType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of this object shows the type of identity used by the managed entity in ISAKMP negotiations with another peer."
    ::= { cipsIsakmpGroup 2 }

cipsIsakmpKeepaliveInterval OBJECT-TYPE
    SYNTAX Integer32(10..3600)
    UNITS "seconds"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of this object is the time interval in seconds between successive ISAKMP keepalive heartbeats issued to the peers to which IKE tunnels have been setup."
::= { cipsIsakmpGroup 3 }

cipsNumIsakmpPolicies OBJECT-TYPE
    SYNTAX Integer32(1..2147483647)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of this object is the number of ISAKMP policies that have been configured on the managed entity."
    ::= { cipsIsakmpGroup 4 }

--
-- Cisco ISAKMP Policy Entries
--
cipsIsakmpPolicyTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CipsIsakmpPolicyEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing the list of all ISAKMP policy entries configured by the operator."
    ::= { cipsIsakmpGroup 5 }

cipsIsakmpPolicyEntry OBJECT-TYPE
    SYNTAX CipsIsakmpPolicyEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with a single ISAKMP Policy entry."
    INDEX { cipsIsakmpPolPriority }
    ::= { cipsIsakmpPolicyTable 1 }

CipsIsakmpPolicyEntry ::= SEQUENCE {
    cipsIsakmpPolPriority Integer32,
    cipsIsakmpPolEncr EncryptAlgo,
    cipsIsakmpPolHash IkeHashAlgo,
    cipsIsakmpPolAuth IkeAuthMethod,
    cipsIsakmpPolGroup DiffHellmanGrp,
    cipsIsakmpPolLifetime Integer32
}

cipsIsakmpPolPriority OBJECT-TYPE
    SYNTAX Integer32(0..65535)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The priority of this ISAKMP Policy entry. This is also the index of this table."
    ::= { cipsIsakmpPolicyEntry 1 }

cipsIsakmpPolEncr OBJECT-TYPE
    SYNTAX EncryptAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The encryption transform specified by this ISAKMP policy specification. The Internet Key Exchange (IKE) tunnels setup using this policy item would use the specified encryption transform to protect the ISAKMP PDUs."
    ::= { cipsIsakmpPolicyEntry 2 }

cipsIsakmpPolHash OBJECT-TYPE
    SYNTAX IkeHashAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The hash transform specified by this ISAKMP policy specification. The IKE tunnels setup using this policy item would use the specified hash transform to protect the ISAKMP PDUs."
::= { cipsIsakmpPolicyEntry 3 }

cipsIsakmpPolAuth OBJECT-TYPE
    SYNTAX IkeAuthMethod
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The peer authentication method specified by this ISAKMP policy specification. If this policy entity is selected for negotiation with a peer, the local entity would authenticate the peer using the method specified by this object."
    ::= { cipsIsakmpPolicyEntry 4 }

cipsIsakmpPolGroup OBJECT-TYPE
    SYNTAX DiffHellmanGrp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object specifies the Oakley group used for Diffie Hellman exchange in the Main Mode. If this policy item is selected to negotiate Main Mode with an IKE peer, the local entity chooses the group specified by this object to perform Diffie Hellman exchange with the peer."
    ::= { cipsIsakmpPolicyEntry 5 }

cipsIsakmpPolLifetime OBJECT-TYPE
    SYNTAX Integer32(60..86400)
    UNITS "seconds"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object specifies the lifetime in seconds of the IKE tunnels generated using this policy specification."
    ::= { cipsIsakmpPolicyEntry 6 }

--
-- Cisco IPsec Global Configuration Group
--
cipsSALifetime OBJECT-TYPE
    SYNTAX CIPsecLifetime
    UNITS "Seconds"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The default lifetime (in seconds) assigned to an SA as a global policy (may be overridden in specific cryptomap definitions)."
    ::= { cipsIPsecGlobals 1 }

cipsSALifesize OBJECT-TYPE
    SYNTAX CIPsecLifesize
    UNITS "KBytes"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The default lifesize in KBytes assigned to an SA as a global policy (unless overridden in cryptomap definition)"
    ::= { cipsIPsecGlobals 2 }

cipsNumStaticCryptomapSets OBJECT-TYPE
    SYNTAX CIPsecNumCryptoMaps
    UNITS "Integral Units"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of Cryptomap Sets that are fully configured. Statically defined cryptomap sets are ones where the operator has fully specified all the parameters required to set up IPSec Virtual Private Networks (VPNs)."
::= { cipsIPsecGlobals 3 } cipsNumCETCryptomapSets OBJECT-TYPE SYNTAX CIPsecNumCryptoMaps UNITS "Integral Units" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of static Cryptomap Sets that have at least one CET cryptomap element as a member of the set." ::= { cipsIPsecGlobals 4 } cipsNumDynamicCryptomapSets OBJECT-TYPE SYNTAX CIPsecNumCryptoMaps UNITS "Integral Units" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of dynamic IPSec Policy templates (called 'dynamic cryptomap templates') configured on the managed entity." ::= { cipsIPsecGlobals 5 } cipsNumTEDCryptomapSets OBJECT-TYPE SYNTAX CIPsecNumCryptoMaps UNITS "Integral Units" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of static Cryptomap Sets that have at least one dynamic cryptomap template bound to them which has the Tunnel Endpoint Discovery (TED) enabled." ::= { cipsIPsecGlobals 6 } -- -- Cisco IPsec Cryptomap Statistics Group -- cipsNumTEDProbesReceived OBJECT-TYPE SYNTAX Counter32 UNITS "Integral Units" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of TED probes that were received by this managed entity since bootup. Not affected by any CLI operation." ::= { cipsIPsecStatistics 1 } cipsNumTEDProbesSent OBJECT-TYPE SYNTAX Counter32 UNITS "Integral Units" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of TED probes that were dispatched by all the dynamic cryptomaps in this managed entity since bootup. Not affected by any CLI operation." ::= { cipsIPsecStatistics 2 } cipsNumTEDFailures OBJECT-TYPE SYNTAX Counter32 UNITS "Integral Units" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of TED probes that were dispatched by the local entity and that failed to locate crypto endpoint. Not affected by any CLI operation." 
::= { cipsIPsecStatistics 3 }

--
-- Cisco IPsec System Capacity/Capability Group
--
cipsMaxSAs OBJECT-TYPE
    SYNTAX INTEGER(0..65535)
    UNITS "Integral Units"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The maximum number of IPsec Security Associations that can be established on this managed entity. If no theoretical limit exists, this returns value 0. Not affected by any CLI operation."
    ::= { cipsSysCapacityGroup 1 }

cips3DesCapable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of this object is TRUE if the managed entity has the hardware and software features to support 3DES encryption algorithm. Not affected by any CLI operation."
    ::= { cipsSysCapacityGroup 2 }

--
-- IOS IPSec Configuration Group
--
--
-- Cisco IPSec Static Cryptomaps Metrics
--
cipsStaticCryptomapSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CipsStaticCryptomapSetEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table containing the list of all cryptomap sets that are fully specified and are not wild-carded. The operator may include different types of cryptomaps in such a set - manual, CET, ISAKMP or dynamic."
    ::= { cipsCryptomapGroup 1 }

cipsStaticCryptomapSetEntry OBJECT-TYPE
    SYNTAX CipsStaticCryptomapSetEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with a single static cryptomap set."
    INDEX { cipsStaticCryptomapSetName }
    ::= { cipsStaticCryptomapSetTable 1}

CipsStaticCryptomapSetEntry ::= SEQUENCE {
    cipsStaticCryptomapSetName DisplayString,
    cipsStaticCryptomapSetSize Gauge32,
    cipsStaticCryptomapSetNumIsakmp Gauge32,
    cipsStaticCryptomapSetNumManual Gauge32,
    cipsStaticCryptomapSetNumCET Gauge32,
    cipsStaticCryptomapSetNumDynamic Gauge32,
    cipsStaticCryptomapSetNumDisc Gauge32,
    cipsStaticCryptomapSetNumSAs Gauge32
}

cipsStaticCryptomapSetName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The index of the static cryptomap table.
The value of the string is the name string assigned by the operator in defining the cryptomap set."
    ::= { cipsStaticCryptomapSetEntry 1 }

cipsStaticCryptomapSetSize OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of cryptomap entries contained in this cryptomap set. "
    ::= { cipsStaticCryptomapSetEntry 2 }

cipsStaticCryptomapSetNumIsakmp OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of cryptomaps associated with this cryptomap set that use ISAKMP protocol to do key exchange."
    ::= { cipsStaticCryptomapSetEntry 3 }

cipsStaticCryptomapSetNumManual OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of cryptomaps associated with this cryptomap set that require the operator to manually setup the keys and SPIs."
    ::= { cipsStaticCryptomapSetEntry 4 }

cipsStaticCryptomapSetNumCET OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of cryptomaps of type 'ipsec-cisco' associated with this cryptomap set. Such cryptomap elements implement Cisco Encryption Technology based Virtual Private Networks."
    ::= { cipsStaticCryptomapSetEntry 5 }

cipsStaticCryptomapSetNumDynamic OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of dynamic cryptomap templates linked to this cryptomap set."
    ::= { cipsStaticCryptomapSetEntry 6 }

cipsStaticCryptomapSetNumDisc OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of dynamic cryptomap templates linked to this cryptomap set that have Tunnel Endpoint Discovery (TED) enabled."
    ::= { cipsStaticCryptomapSetEntry 7 }

cipsStaticCryptomapSetNumSAs OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of IPsec Security Associations that are active and were setup using this cryptomap.
" ::= { cipsStaticCryptomapSetEntry 8 } -- -- Cisco IPSec Dynamic Cryptomaps Group -- cipsDynamicCryptomapSetTable OBJECT-TYPE SYNTAX SEQUENCE OF CipsDynamicCryptomapSetEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The table containing the list of all dynamic cryptomaps that use IKE, defined on the managed entity." ::= { cipsCryptomapGroup 2 } cipsDynamicCryptomapSetEntry OBJECT-TYPE SYNTAX CipsDynamicCryptomapSetEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry contains the attributes associated with a single dynamic cryptomap template." INDEX { cipsDynamicCryptomapSetName } ::= { cipsDynamicCryptomapSetTable 1 } CipsDynamicCryptomapSetEntry ::= SEQUENCE { cipsDynamicCryptomapSetName DisplayString, cipsDynamicCryptomapSetSize Gauge32, cipsDynamicCryptomapSetNumAssoc Gauge32 } cipsDynamicCryptomapSetName OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS not-accessible STATUS current DESCRIPTION "The index of the dynamic cryptomap table. The value of the string is the one assigned by the operator in defining the cryptomap set." ::= { cipsDynamicCryptomapSetEntry 1 } cipsDynamicCryptomapSetSize OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of cryptomap entries in this cryptomap." ::= { cipsDynamicCryptomapSetEntry 2 } cipsDynamicCryptomapSetNumAssoc OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of static cryptomap sets with which this dynamic cryptomap is associated. " ::= { cipsDynamicCryptomapSetEntry 3 } -- -- Cisco IPSec Static Cryptomap Table -- cipsStaticCryptomapTable OBJECT-TYPE SYNTAX SEQUENCE OF CipsStaticCryptomapEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The table ilisting the member cryptomaps of the cryptomap sets that are configured on the managed entity." 
::= { cipsCryptomapGroup 3 }

cipsStaticCryptomapEntry OBJECT-TYPE
    SYNTAX CipsStaticCryptomapEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with a single static (fully specified) cryptomap entry. This table does not include the members of dynamic cryptomap sets that may be linked with the parent static cryptomap set."
    INDEX { cipsStaticCryptomapSetName,  -- from Cryptomap Set Table
            cipsStaticCryptomapPriority }
    ::= { cipsStaticCryptomapTable 1}

CipsStaticCryptomapEntry ::= SEQUENCE {
    cipsStaticCryptomapPriority Integer32,
    cipsStaticCryptomapType CryptomapType,
    cipsStaticCryptomapDescr DisplayString,
    cipsStaticCryptomapPeer IPSIpAddress,
    cipsStaticCryptomapNumPeers Integer32,
    cipsStaticCryptomapPfs DiffHellmanGrp,
    cipsStaticCryptomapLifetime Integer32,
    cipsStaticCryptomapLifesize Integer32,
    cipsStaticCryptomapLevelHost TruthValue
}

cipsStaticCryptomapPriority OBJECT-TYPE
    SYNTAX Integer32(0..65535)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The priority of the cryptomap entry in the cryptomap set. This is the second index component of this table."
    ::= { cipsStaticCryptomapEntry 1 }

cipsStaticCryptomapType OBJECT-TYPE
    SYNTAX CryptomapType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of the cryptomap entry. This can be an ISAKMP cryptomap, CET or manual. Dynamic cryptomaps are not counted in this table."
    ::= { cipsStaticCryptomapEntry 2 }

cipsStaticCryptomapDescr OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The description string entered by the operator while creating this cryptomap. The string generally identifies a description and the purpose of this policy."
    ::= { cipsStaticCryptomapEntry 3 }

cipsStaticCryptomapPeer OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the current peer associated with this IPSec policy item.
Traffic that is protected by this cryptomap is protected by a tunnel that terminates at the device whose IP address is specified by this object."
    ::= { cipsStaticCryptomapEntry 4 }

-- Number of configured peers for this cryptomap. cipsStaticCryptomapPeer
-- reports only the current one; the DESCRIPTION calls the rest backups.
cipsStaticCryptomapNumPeers OBJECT-TYPE
    SYNTAX Integer32(0..40)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of peers associated with this cryptomap entry. The peers other than the one identified by 'cipsStaticCryptomapPeer' are backup peers. Manual cryptomaps may have only one peer."
    ::= { cipsStaticCryptomapEntry 5 }

-- PFS setting of the cryptomap. The DiffHellmanGrp TC offers none(1),
-- dhGroup1(2) and dhGroup2(3); none(1) presumably reports that PFS is not
-- requested for SAs built from this entry. Confirm against the agent.
cipsStaticCryptomapPfs OBJECT-TYPE
    SYNTAX DiffHellmanGrp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object identifies if the tunnels instantiated due to this policy item should use Perfect Forward Secrecy (PFS) and if so, what group of Oakley they should use."
    ::= { cipsStaticCryptomapEntry 6 }

-- Per-cryptomap SA lifetime; 0 means the global lifetime (cipsSALifetime)
-- applies. The non-zero range matches the CIPsecLifetime TC (seconds).
cipsStaticCryptomapLifetime OBJECT-TYPE
    SYNTAX Integer32(0|120..86400)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object identifies the lifetime of the IPSec Security Associations (SA) created using this IPSec policy entry. If this value is zero, the lifetime assumes the value specified by the global lifetime parameter."
    ::= { cipsStaticCryptomapEntry 7 }

-- Per-cryptomap SA lifesize; 0 means the global lifesize (cipsSALifesize)
-- applies.
-- NOTE(review): the DESCRIPTION says "bytes", but the non-zero range
-- (2560..536870912) is the CIPsecLifesize TC range, which that TC documents
-- in kilobytes, and cipsSALifesize carries UNITS "KBytes". Confirm the unit
-- before comparing this value with a policy threshold. The DESCRIPTION's
-- last sentence also says "lifetime" where "lifesize" is evidently meant.
cipsStaticCryptomapLifesize OBJECT-TYPE
    SYNTAX Integer32(0|2560..536870912)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object identifies the lifesize (maximum traffic in bytes that may be carried) of the IPSec SAs created using this IPSec policy entry. If this value is zero, the lifetime assumes the value specified by the global lifesize parameter."
    ::= { cipsStaticCryptomapEntry 8 }

-- SA granularity flag: TRUE means distinct SA bundles per host (see the
-- DESCRIPTION).
cipsStaticCryptomapLevelHost OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "This object identifies the granularity of the IPSec SAs created using this IPSec policy entry. If this value is TRUE, distinct SA bundles are created for distinct hosts at the end of the application traffic."
::= { cipsStaticCryptomapEntry 9 }

--
-- Cisco IPSec Cryptomap Set Binding Table
--
-- Records which static cryptomap set is bound to which interface. The
-- binding is what makes a set operational (see cipsCryptomapSetAttached),
-- and cipsCryptomapSetIfStatus below is the one read-write object in this
-- module outside the trap-control group.
--
cipsCryptomapSetIfTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CipsCryptomapSetIfEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The table lists the binding of cryptomap sets to the interfaces of the managed entity."
    ::= { cipsCryptomapGroup 4 }

-- Indexed by the interface (ifIndex) and the static set name; dynamic
-- templates never appear here (see the DESCRIPTION).
cipsCryptomapSetIfEntry OBJECT-TYPE
    SYNTAX CipsCryptomapSetIfEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the record of the association between an interface and a cryptomap set (static) that is defined on the managed entity. Note that the cryptomap set identified in this binding must static. Dynamic cryptomaps cannot be bound to interfaces."
    INDEX { ifIndex,  -- from IF table
            cipsStaticCryptomapSetName }
    ::= { cipsCryptomapSetIfTable 1}

CipsCryptomapSetIfEntry ::= SEQUENCE {
    cipsCryptomapSetIfVirtual TruthValue,
    cipsCryptomapSetIfStatus CryptomapSetBindStatus
}

-- TRUE when the bound interface is a tunnel interface (GRE or PPTP per the
-- DESCRIPTION).
cipsCryptomapSetIfVirtual OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of this object identifies if the interface to which the cryptomap set is attached is a tunnel (such as a GRE or PPTP tunnel)."
    ::= { cipsCryptomapSetIfEntry 1 }

-- Security note: writing detached(2) unbinds the set from the interface,
-- which the DESCRIPTION equates to the CLI command 'no crypto map'; the
-- set then no longer operates on that interface (cipsCryptomapSetAttached
-- states that a set must be attached to be operational). SNMP write access
-- to this object should therefore be limited to the same principals that
-- may remove crypto maps on the CLI. A detach is reported by the
-- cipsCryptomapSetDetached notification only while
-- cipsCntlCryptomapSetDetached is enabled (its DEFVAL is disabled).
-- NOTE(review): this object is listed in no OBJECT-GROUP under
-- cipsMIBGroups, so cipsMIBCompliance neither requires it nor carries a
-- MIN-ACCESS read-only refinement for it, unlike the cipsCntl* objects.
cipsCryptomapSetIfStatus OBJECT-TYPE
    SYNTAX CryptomapSetBindStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object identifies the status of the binding of the specified cryptomap set with the specified interface. The value when queried is always 'attached'. When set to 'detached', the cryptomap set if detached from the specified interface. The effect of this is same as the CLI command config-if# no crypto map cryptomapSetName Setting the value to 'attached' will result in SNMP General Error."
    ::= { cipsCryptomapSetIfEntry 2 }

--
-- IOS-IPsec TRAP Control Group
--
-- This group of objects controls the sending of
-- IOS-specific IPsec TRAPs.
-- cipsCntlIsakmpPolicyAdded OBJECT-TYPE SYNTAX TrapStatus MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IOS IPsec ISAKMP Policy Add trap." DEFVAL { disabled } ::= { cipsTrapCntlGroup 1 } cipsCntlIsakmpPolicyDeleted OBJECT-TYPE SYNTAX TrapStatus MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IOS IPsec ISAKMP Policy Delete trap." DEFVAL { disabled } ::= { cipsTrapCntlGroup 2 } cipsCntlCryptomapAdded OBJECT-TYPE SYNTAX TrapStatus MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IOS IPsec Cryptomap Add trap." DEFVAL { disabled } ::= { cipsTrapCntlGroup 3 } cipsCntlCryptomapDeleted OBJECT-TYPE SYNTAX TrapStatus MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IOS IPsec Cryptomap Delete trap." DEFVAL { disabled } ::= { cipsTrapCntlGroup 4 } cipsCntlCryptomapSetAttached OBJECT-TYPE SYNTAX TrapStatus MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IOS IPsec trap that is issued when a cryptomap set is attached to an interface." DEFVAL { disabled } ::= { cipsTrapCntlGroup 5 } cipsCntlCryptomapSetDetached OBJECT-TYPE SYNTAX TrapStatus MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IOS IPsec trap that is issued when a cryptomap set is detached from an interface. to which it was earlier bound." DEFVAL { disabled } ::= { cipsTrapCntlGroup 6 } cipsCntlTooManySAs OBJECT-TYPE SYNTAX TrapStatus MAX-ACCESS read-write STATUS current DESCRIPTION "This object defines the administrative state of sending the IOS IPsec trap that is issued when the number of SAs crosses the maximum number of SAs that may be supported on the managed entity." 
DEFVAL { disabled }
    ::= { cipsTrapCntlGroup 7 }

--
-- Cisco-specific IPSec Notifications
--
-- Every notification below is controlled by the cipsCntl* object of the
-- same name in cipsTrapCntlGroup, and each of those controls has
-- DEFVAL disabled. A management station that relies on these traps to
-- observe ISAKMP policy, cryptomap or SA-limit events therefore sees
-- nothing until the matching control has been enabled.
--
cipsMIBNotifications OBJECT IDENTIFIER ::= { ciscoIPsecMIBNotificationPrefix 0 }

-- Controlled by cipsCntlIsakmpPolicyAdded; carries the updated policy count.
cipsIsakmpPolicyAdded NOTIFICATION-TYPE
    OBJECTS { cipsNumIsakmpPolicies }
    STATUS current
    DESCRIPTION
        "This trap is generated when a new ISAKMP policy element is defined on the managed entity. The context of the event includes the updated number of ISAKMP policy elements currently available."
    ::= { cipsMIBNotifications 1 }

-- Controlled by cipsCntlIsakmpPolicyDeleted.
cipsIsakmpPolicyDeleted NOTIFICATION-TYPE
    OBJECTS { cipsNumIsakmpPolicies }
    STATUS current
    DESCRIPTION
        "This trap is generated when an existing ISAKMP policy element is deleted on the managed entity. The context of the event includes the updated number of ISAKMP policy elements currently available."
    ::= { cipsMIBNotifications 2 }

-- Controlled by cipsCntlCryptomapAdded. cipsStaticCryptomapType is carried
-- here although it is listed in no OBJECT-GROUP of this module.
cipsCryptomapAdded NOTIFICATION-TYPE
    OBJECTS { cipsStaticCryptomapType, cipsStaticCryptomapSetSize }
    STATUS current
    DESCRIPTION
        "This trap is generated when a new cryptomap is added to the specified cryptomap set."
    ::= { cipsMIBNotifications 3 }

-- Controlled by cipsCntlCryptomapDeleted.
cipsCryptomapDeleted NOTIFICATION-TYPE
    OBJECTS { cipsStaticCryptomapSetSize }
    STATUS current
    DESCRIPTION
        "This trap is generated when a cryptomap is removed from the specified cryptomap set."
    ::= { cipsMIBNotifications 4 }

-- Controlled by cipsCntlCryptomapSetAttached.
cipsCryptomapSetAttached NOTIFICATION-TYPE
    OBJECTS { cipsStaticCryptomapSetSize, cipsStaticCryptomapSetNumIsakmp, cipsStaticCryptomapSetNumDynamic }
    STATUS current
    DESCRIPTION
        "A cryptomap set must be attached to an interface of the device in order for it to be operational. This trap is generated when the cryptomap set attached to an active interface of the managed entity. The context of the notification includes: Size of the attached cryptomap set, Number of ISAKMP cryptomaps in the set and Number of Dynamic cryptomaps in the set."
::= { cipsMIBNotifications 5 }

cipsCryptomapSetDetached NOTIFICATION-TYPE
    OBJECTS { cipsStaticCryptomapSetSize }
    STATUS current
    DESCRIPTION
        "This trap is generated when a cryptomap set is detached from an interface to which it was bound earlier. The context of the event identifies the size of the cryptomap set."
    ::= { cipsMIBNotifications 6 }

cipsTooManySAs NOTIFICATION-TYPE
    OBJECTS { cipsMaxSAs }
    STATUS current
    DESCRIPTION
        "This trap is generated when a new SA is attempted to be setup while the number of currently active SAs equals the maximum configurable. The variables are: cipsMaxSAs"
    ::= { cipsMIBNotifications 7 }

--
-- Cisco IPsec Module Compliance
--
cipsMIBConformances OBJECT IDENTIFIER ::= { ciscoIPsecMIBConformance 1 }
cipsMIBGroups OBJECT IDENTIFIER ::= { ciscoIPsecMIBConformance 2 }

cipsMIBCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "The compliance statement for entities which implement the Cisco IPsec MIB"
    MODULE -- this module
    MANDATORY-GROUPS {
        cipsMIBConfIsakmpGroup,
        cipsMIBConfIPSecGlobalsGroup,
        cipsMIBConfCapacityGroup,
        cipsMIBStaticCryptomapGroup,
        cipsMIBMandatoryNotifCntlGroup
    }
    OBJECT cipsCntlIsakmpPolicyAdded
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT cipsCntlIsakmpPolicyDeleted
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT cipsCntlCryptomapAdded
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT cipsCntlCryptomapDeleted
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT cipsCntlCryptomapSetAttached
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT cipsCntlCryptomapSetDetached
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT cipsCntlTooManySAs
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
::= { cipsMIBConformances 1 } -- -- MIB Groups (Units of Conformance) -- cipsMIBConfIsakmpGroup OBJECT-GROUP OBJECTS { cipsIsakmpEnabled, cipsIsakmpIdentity, cipsIsakmpKeepaliveInterval, cipsNumIsakmpPolicies -- cipsIsakmpPolPriority, -- cipsIsakmpPolEncr, -- cipsIsakmpPolHash, -- cipsIsakmpPolAuth, -- cipsIsakmpPolGroup, -- cipsIsakmpPolLifetime } STATUS current DESCRIPTION "A collection of objects providing Global ISAKMP policy monitoring capability to a Cisco IPsec capable VPN router." ::= { cipsMIBGroups 1 } cipsMIBConfIPSecGlobalsGroup OBJECT-GROUP OBJECTS { cipsSALifetime, cipsSALifesize } STATUS current DESCRIPTION "A collection of objects providing Global IPSec policy monitoring capability to a Cisco IPsec capable VPN router." ::= { cipsMIBGroups 2 } cipsMIBConfCapacityGroup OBJECT-GROUP OBJECTS { cipsMaxSAs, cips3DesCapable } STATUS current DESCRIPTION "A collection of objects providing IPsec System Capacity monitoring capability to a Cisco IPsec capable VPN router." ::= { cipsMIBGroups 3 } cipsMIBStaticCryptomapGroup OBJECT-GROUP OBJECTS { cipsStaticCryptomapSetSize, cipsStaticCryptomapSetNumIsakmp, cipsStaticCryptomapSetNumCET, cipsStaticCryptomapSetNumSAs } STATUS current DESCRIPTION "A collection of objects instrumenting the properties of the Static (fully specified) Cryptomap Sets on an IPsec-capable IOS router." ::= { cipsMIBGroups 4 } cipsMIBManualCryptomapGroup OBJECT-GROUP OBJECTS { cipsStaticCryptomapSetNumManual } STATUS current DESCRIPTION "A collection of objects instrumenting the properties of the Manual Cryptomap entries on a Cisco IPsec capable IOS router." 
::= { cipsMIBGroups 5 }

-- Dynamic-template and TED instrumentation. cipsStaticCryptomapSetNumDynamic
-- is commented out of the list and so belongs to no group.
cipsMIBDynamicCryptomapGroup OBJECT-GROUP
    OBJECTS {
        cipsNumTEDProbesReceived,
        cipsNumTEDProbesSent,
        cipsNumTEDFailures,
        -- cipsStaticCryptomapSetNumDynamic,
        cipsStaticCryptomapSetNumDisc,
        cipsNumTEDCryptomapSets,
        cipsDynamicCryptomapSetSize,
        cipsDynamicCryptomapSetNumAssoc
    }
    STATUS current
    DESCRIPTION
        "A collection of objects instrumenting the properties of the Dynamic Cryptomap group on a Cisco IPsec capable IOS router."
    ::= { cipsMIBGroups 6 }

-- The seven trap-control switches; mandatory per cipsMIBCompliance, which
-- also relaxes each of them to MIN-ACCESS read-only.
cipsMIBMandatoryNotifCntlGroup OBJECT-GROUP
    OBJECTS {
        cipsCntlIsakmpPolicyAdded,
        cipsCntlIsakmpPolicyDeleted,
        cipsCntlCryptomapAdded,
        cipsCntlCryptomapDeleted,
        cipsCntlCryptomapSetAttached,
        cipsCntlCryptomapSetDetached,
        cipsCntlTooManySAs
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing IPsec Notification capability to a IPsec-capable IOS router. It is mandatory to implement this set of objects pertaining to IOS notifications about IPSec activity."
    ::= { cipsMIBGroups 7 }

-- NOTE(review): the NOTIFICATION-GROUP below is commented out, so none of
-- the seven NOTIFICATION-TYPEs under cipsMIBNotifications belongs to any
-- conformance group, while the cipsCntl* objects that switch them on are
-- mandatory (group 7). Other objects defined in this module but listed in
-- no group include cipsCryptomapSetIfStatus (the module's only read-write
-- object outside the trap controls), cipsCryptomapSetIfVirtual, the
-- per-cryptomap objects of cipsStaticCryptomapTable, and the three
-- cipsNum*CryptomapSets counters under cipsIPsecGlobals.
--cipsMIBOptionalNotificationGroup NOTIFICATION-GROUP
--    NOTIFICATIONS {
--        cipsIsakmpPolicyAdded,
--        cipsIsakmpPolicyDeleted,
--        cipsCryptomapAdded,
--        cipsCryptomapDeleted,
--        cipsCryptomapSetAttached,
--        cipsCryptomapSetDetached,
--        cipsTooManySAs
--    }
--    STATUS current
--    DESCRIPTION
--        "A collection of objects providing IPsec
--        Notification capability to a IPsec-capable
--        IOS router. This set of notifications is optional."
--    ::= { cipsMIBGroups 8 }

END