1 IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN
5 Unsigned32, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
6 TEXTUAL-CONVENTION, MODULE-COMPLIANCE, OBJECT-GROUP, pib
10 InstanceId, ReferenceId, TagId, TagReferenceId, Prid
13 FROM SNMP-FRAMEWORK-MIB
15 FROM FRAMEWORK-TC-PIB;
17 ipSecPolicyPib MODULE-IDENTITY
18 SUBJECT-CATEGORIES { all } -- IPsec Client Type --
19 LAST-UPDATED "200202241800Z"
20 ORGANIZATION "IETF ipsp WG"
26 Phone: +1 781 993 3923
27 Email: man.m.li@nokia.com
30 Div. of Computer Communications
31 Lulea University of Technology
34 Phone: +46 920 49 3030
35 Email: avri@sm.luth.se
42 Phone: +1 503 264 9531
44 Email: jamie.jason@intel.com
48 Suite 300, 565 Metro Place South
50 Phone: +1 614 923 6241
51 Email: CWang@smartpipes.com
54 SSH Communications Security Corp.
56 FIN-00100 Helsinki, Finland
57 Phone: +358 20 500 7466
58 Email: markus.stenberg@ssh.com"
62 "This PIB module contains a set of policy rule classes that
63 describe IPsec policies."
64 ::= { ibrpib 6 } -- yyy to be assigned by IANA --
67 Unsigned16 ::= TEXTUAL-CONVENTION
70 "An unsigned 16 bit integer."
71 SYNTAX Unsigned32 (0..65535)
73 ipSecAssociation OBJECT-IDENTITY
76 "This group specifies IPsec Security Associations."
77 ::= { ipSecPolicyPib 1 }
79 ipSecAhTransform OBJECT-IDENTITY
82 "This group specifies AH Transforms."
83 ::= { ipSecPolicyPib 2 }
85 ipSecEspTransform OBJECT-IDENTITY
88 "This group specifies ESP Transforms."
89 ::= { ipSecPolicyPib 3 }
91 ipSecCompTransform OBJECT-IDENTITY
94 "This group specifies Comp Transforms."
95 ::= { ipSecPolicyPib 4 }
97 ipSecIkeAssociation OBJECT-IDENTITY
100 "This group specifies IKE Security Associations."
101 ::= { ipSecPolicyPib 5 }
103 ipSecCredential OBJECT-IDENTITY
106 "This group specifies credentials for IKE phase one negotiations."
107 ::= { ipSecPolicyPib 6 }
109 ipSecSelector OBJECT-IDENTITY
112 "This group specifies selectors for IPsec associations."
113 ::= { ipSecPolicyPib 7 }
115 ipSecPolicyTimePeriod OBJECT-IDENTITY
118 "This group specifies the time periods during which a policy rule
120 ::= { ipSecPolicyPib 8 }
122 ipSecIfCapability OBJECT-IDENTITY
125 "This group specifies capabilities associated with interface
127 ::= { ipSecPolicyPib 9 }
129 ipSecPolicyPibConformance OBJECT-IDENTITY
132 "This group specifies requirements for conformance to the IPsec
134 ::= { ipSecPolicyPib 10 }
139 -- The ipSecRuleTable
142 ipSecRuleTable OBJECT-TYPE
143 SYNTAX SEQUENCE OF IpSecRuleEntry
147 "This table is the starting point for specifying an IPsec policy.
148 It contains an ordered list of IPsec rules. "
149 ::= { ipSecAssociation 1 }
151 ipSecRuleEntry OBJECT-TYPE
152 SYNTAX IpSecRuleEntry
155 "Specifies an instance of this class"
156 PIB-INDEX { ipSecRulePrid }
162 ::= { ipSecRuleTable 1 }
164 IpSecRuleEntry ::= SEQUENCE {
165 ipSecRulePrid InstanceId,
166 ipSecRuleIfName SnmpAdminString,
167 ipSecRuleRoles RoleCombination,
168 ipSecRuleDirection INTEGER,
169 ipSecRuleIpSecSelectorSetId TagReferenceId,
170 ipSecRuleipSecIpsoFilterSetId TagReferenceId,
171 ipSecRuleIpSecActionSetId TagReferenceId,
172 ipSecRuleActionExecutionStrategy INTEGER,
173 ipSecRuleOrder Unsigned16,
174 ipSecRuleLimitNegotiation INTEGER,
175 ipSecRuleAutoStart TruthValue,
176 ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId
179 ipSecRulePrid OBJECT-TYPE
183 "An integer index that uniquely identifies an instance of this
185 ::= { ipSecRuleEntry 1 }
187 ipSecRuleIfName OBJECT-TYPE
188 SYNTAX SnmpAdminString
191 "The interface capability set to which this IPsec rule applies.
192 The interface capability name specified by this attribute MUST
193 exist in the frwkIfCapSetTable [FR-PIB] prior to association with
194 an instance of this class."
195 ::= { ipSecRuleEntry 2 }
197 ipSecRuleRoles OBJECT-TYPE
198 SYNTAX RoleCombination
201 "Specifies the role combination of the interface to which this
202 IPsec rule should apply. There must exist an instance in the
203 frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
204 combination, together with the interface capability set specified
205 by ipSecRuleIfName, prior to association with an instance of this
207 ::= { ipSecRuleEntry 3 }
209 ipSecRuleDirection OBJECT-TYPE
217 "Specifies the direction of traffic to which this rule should
219 ::= { ipSecRuleEntry 4 }
221 ipSecRuleIpSecSelectorSetId OBJECT-TYPE
222 SYNTAX TagReferenceId
223 PIB-TAG { ipSecSelectorSetSelectorSetId }
226 "Identifies a set of selectors to be associated with this IPsec
228 ::= { ipSecRuleEntry 5 }
-- Attribute 6 of ipSecRuleEntry: a TagReferenceId naming a set of IPSO filters.
-- Zero means no IPSO filters apply. A non-zero set is ANDed with the selector
-- set from ipSecRuleIpSecSelectorSetId, so it can only narrow what the rule
-- matches, never widen it.
-- NOTE(review): the identifier is spelled with a lower-case "ip" after "Rule",
-- unlike its siblings ipSecRuleIpSecSelectorSetId and ipSecRuleIpSecActionSetId.
-- The IpSecRuleEntry SEQUENCE uses the same spelling, so the two agree; confirm
-- the casing is intended before tooling keys on the name.
230 ipSecRuleipSecIpsoFilterSetId OBJECT-TYPE
231 SYNTAX TagReferenceId
232 PIB-TAG { ipSecIpsoFilterSetFilterSetId }
235 "Identifies a set of IPSO filters to be associated with this IPsec
236 rule. A value of zero indicates that there are no IPSO filters
237 associated with this rule.
239 When the value of this attribute is not zero, the set of IPSO
240 filters is ANDed with the set of Selectors specified by
241 ipSecRuleIpSecSelectorSetId. In other words, a packet MUST match a
242 selector in the selector sets and a filter in the IPSO filter sets
243 before the actions associated with this rule can be applied."
244 ::= { ipSecRuleEntry 6 }
246 ipSecRuleIpSecActionSetId OBJECT-TYPE
247 SYNTAX TagReferenceId
248 PIB-TAG { ipSecActionSetActionSetId }
251 "Identifies a set of IPsec actions to be associated with this
253 ::= { ipSecRuleEntry 7 }
-- Attribute 8 of ipSecRuleEntry (INTEGER in the IpSecRuleEntry SEQUENCE).
-- Selects how the ordered actions of the referenced action set are run:
-- DoAll (1) runs every action, DoUntilSuccess (2) stops at the first success.
-- Ordering comes from ipSecActionSetOrder in both cases.
-- The SYNTAX clause with the enumeration is not present in this listing
-- (the gutter numbers skip it); the values above are taken from the description.
-- NOTE(review): under DoUntilSuccess a later action only runs after earlier ones
-- fail, so the tail of the set is the effective fallback. Check that the tail is
-- not weaker than intended, for example a static byPass placed after a
-- negotiation action.
255 ipSecRuleActionExecutionStrategy OBJECT-TYPE
262 "Specifies the strategy to be used in executing the sequenced
263 actions in the action set identified by ipSecRuleIpSecActionSetId.
265 DoAll (1) causes the execution of all the actions in the action
266 set according to their defined precedence order. The precedence
267 order is specified by the ipSecActionSetOrder in the
270 DoUntilSuccess (2) causes the execution of actions according to
271 their defined precedence order until a successful execution of a
272 single action. The precedence order is specified by the
273 ipSecActionSetOrder in the ipSecActionSetTable."
274 ::= { ipSecRuleEntry 8 }
-- Attribute 9 of ipSecRuleEntry, declared Unsigned16 in the IpSecRuleEntry
-- SEQUENCE. Orders the rules that share one {IfName, Roles} pair; the smaller
-- value takes precedence.
-- NOTE(review): the visible text does not say how two rules with the same order
-- value are resolved. Rules can lead to static byPass or discard actions, so
-- overlapping rules should carry distinct order values; confirm tie handling
-- against the full draft.
276 ipSecRuleOrder OBJECT-TYPE
280 "Specifies the precedence order of the rule within all the rules
281 associated with {IfName, Roles}. A smaller value indicates a
282 higher precedence order. "
283 ::= { ipSecRuleEntry 9 }
-- Attribute 10 of ipSecRuleEntry (INTEGER in the IpSecRuleEntry SEQUENCE).
-- Restricts which side of a phase 2 negotiation this rule accepts: Initiator,
-- Responder, or Either. The SYNTAX clause with the enumeration is not present
-- in this listing.
-- The check is skipped for SA refresh. Per the description, a refresh is
-- recognised by the selector information matching an existing SA.
-- NOTE(review): selector matching is the only refresh test the description
-- names. An implementation should confirm what else ties the refresh to the
-- peer of the existing SA, because the exemption bypasses the role restriction.
285 ipSecRuleLimitNegotiation OBJECT-TYPE
293 "Limits the negotiation method. Before proceeding with a phase 2
294 negotiation, the LimitNegotiation property of the IPsecRule is
295 first checked to determine if the negotiation part indicated for
296 the rule matches that of the current negotiation (Initiator,
297 Responder, or Either).
299 This attribute is ignored when an attempt is made to refresh an
300 expiring SA (either side can initiate a refresh operation). The
301 system can determine that the negotiation is a refresh operation
302 by checking to see if the selector information matches that of an
303 existing SA. If LimitNegotiation does not match and the selector
304 corresponds to a new SA, the negotiation is stopped. "
305 ::= { ipSecRuleEntry 10 }
307 ipSecRuleAutoStart OBJECT-TYPE
311 "Indicates if this rule should be automatically executed."
312 ::= { ipSecRuleEntry 11 }
314 ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
315 SYNTAX TagReferenceId
316 PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
319 "Identifies an IPsec rule time period set, specified in
320 ipSecRuleTimePeriodSetTable, that is associated with this rule.
322 A value of zero indicates that this IPsec rule is always valid."
323 ::= { ipSecRuleEntry 12 }
328 -- The ipSecActionSetTable
331 ipSecActionSetTable OBJECT-TYPE
332 SYNTAX SEQUENCE OF IpSecActionSetEntry
336 "Specifies IPsec action sets."
337 ::= { ipSecAssociation 2 }
339 ipSecActionSetEntry OBJECT-TYPE
340 SYNTAX IpSecActionSetEntry
343 "Specifies an instance of this class"
344 PIB-INDEX { ipSecActionSetPrid }
346 ipSecActionSetActionSetId,
347 ipSecActionSetActionId,
348 ipSecActionSetDoActionLogging,
349 ipSecActionSetDoPacketLogging,
352 ::= { ipSecActionSetTable 1 }
354 IpSecActionSetEntry ::= SEQUENCE {
355 ipSecActionSetPrid InstanceId,
356 ipSecActionSetActionSetId TagId,
357 ipSecActionSetActionId Prid,
358 ipSecActionSetDoActionLogging TruthValue,
359 ipSecActionSetDoPacketLogging TruthValue,
360 ipSecActionSetOrder Unsigned16
363 ipSecActionSetPrid OBJECT-TYPE
367 "An integer index that uniquely identifies an instance of this
369 ::= { ipSecActionSetEntry 1 }
371 ipSecActionSetActionSetId OBJECT-TYPE
375 "An IPsec action set is composed of one or more IPsec actions.
376 Each action belonging to the same set has the same ActionSetId."
377 ::= { ipSecActionSetEntry 2 }
379 ipSecActionSetActionId OBJECT-TYPE
383 "A pointer to a valid instance in another table that describes an
386 For IPsec static actions, it MUST point to an instance in the
387 ipSecStaticActionTable.
389 For IPsec negotiation actions, it MUST point to an instance in the
390 ipSecNegotiationActionTable. For other actions, it may point to an
391 instance in a table specified by other PIB modules."
392 ::= { ipSecActionSetEntry 3 }
-- Attribute 4 of ipSecActionSetEntry, a TruthValue per the IpSecActionSetEntry
-- SEQUENCE. Controls whether performing the action produces a log message.
-- Negotiation actions: logged when the negotiation is attempted, with its
-- success or failure result.
-- Static actions: only PreconfiguredTransport and PreconfiguredTunnel are
-- covered, logged when the preconfigured SA is installed in the SADB.
-- Static byPass, discard and IKE rejection are not covered by this attribute;
-- the description of ipSecActionSetDoPacketLogging covers those.
-- NOTE(review): no DEFVAL is visible in this listing, so whether action logging
-- is on by default cannot be told from here. Set it explicitly where an audit
-- trail of SA installation and failed negotiations is required.
394 ipSecActionSetDoActionLogging OBJECT-TYPE
398 "Specifies whether a log message is to be generated when the
399 action is performed. This applies for ipSecNegotiationActions
400 with the meaning of logging a message when the negotiation is
401 attempted (with the success or failure result). This also applies
402 for ipSecStaticAction only for PreconfiguredTransport action or
403 PreconfiguredTunnel action with the meaning of logging a message
404 when the preconfigured SA is actually installed in the SADB."
405 ::= { ipSecActionSetEntry 4 }
-- Attribute 5 of ipSecActionSetEntry, a TruthValue per the IpSecActionSetEntry
-- SEQUENCE. Controls logging when the resulting SA processes a packet. For
-- static actions it controls the log message for bypass, discard and IKE
-- rejection.
-- This is the attribute that makes cleartext pass-through and drops visible to
-- monitoring.
-- NOTE(review): the description writes the action names as IPsecBypass,
-- IpsecDiscard and IKEReject. The ipSecStaticActionAction description calls
-- them byPass, discard and ikeRejection. They presumably denote the same three
-- actions; confirm against the full draft.
407 ipSecActionSetDoPacketLogging OBJECT-TYPE
411 "Specifies whether to log when the resulting security association
412 is used to process a packet. For ipSecStaticActions, a log message
413 is to be generated when the IPsecBypass, IpsecDiscard or IKEReject
414 actions are executed."
415 ::= { ipSecActionSetEntry 5 }
417 ipSecActionSetOrder OBJECT-TYPE
421 "Specifies the precedence order of the action within the action
422 set. An action with a smaller precedence order is to be applied
423 before one with a larger precedence order. "
424 ::= { ipSecActionSetEntry 6 }
429 -- The ipSecStaticActionTable
432 ipSecStaticActionTable OBJECT-TYPE
433 SYNTAX SEQUENCE OF IpSecStaticActionEntry
437 "Specifies IPsec static actions."
438 ::= { ipSecAssociation 3 }
440 ipSecStaticActionEntry OBJECT-TYPE
441 SYNTAX IpSecStaticActionEntry
444 "Specifies an instance of this class"
445 PIB-INDEX { ipSecStaticActionPrid }
447 ipSecStaticActionAction,
448 ipSecStaticActionTunnelEndpointId,
449 ipSecStaticActionDfHandling,
450 ipSecStaticActionSpi,
451 ipSecStaticActionLifetimeSeconds,
452 ipSecStaticActionLifetimeKilobytes,
453 ipSecStaticActionSaTransformId
455 ::= { ipSecStaticActionTable 1 }
457 IpSecStaticActionEntry ::= SEQUENCE {
458 ipSecStaticActionPrid InstanceId,
459 ipSecStaticActionAction INTEGER,
460 ipSecStaticActionTunnelEndpointId ReferenceId,
461 ipSecStaticActionDfHandling INTEGER,
462 ipSecStaticActionSpi Unsigned32,
463 ipSecStaticActionLifetimeSeconds Unsigned32,
464 ipSecStaticActionLifetimeKilobytes Unsigned32,
465 ipSecStaticActionSaTransformId Prid
468 ipSecStaticActionPrid OBJECT-TYPE
472 "An integer index that uniquely identifies an instance of this
474 ::= { ipSecStaticActionEntry 1 }
-- Attribute 2 of ipSecStaticActionEntry (INTEGER in the IpSecStaticActionEntry
-- SEQUENCE). Chooses the static action applied to matching traffic.
-- Only the last two enumeration labels survive in this listing; values 1 to 3
-- are taken from the description:
--   byPass (1)                 packets pass in the clear, with no IPsec protection
--   discard (2)                packets are dropped
--   ikeRejection (3)           IKE negotiation is not attempted or continued
--   preConfiguredTransport (4) pre-configured transport-mode SA
--   preConfiguredTunnel (5)    pre-configured tunnel-mode SA
-- byPass is the value that sends traffic unprotected. Where it is used, keep the
-- rule's selectors narrow and enable ipSecActionSetDoPacketLogging.
-- NOTE(review): the description contains a doubled word ("that that an IKE
-- negotiation").
476 ipSecStaticActionAction OBJECT-TYPE
481 preConfiguredTransport(4),
482 preConfiguredTunnel(5)
486 "Specifies the IPsec action to be applied to the traffic. byPass
487 (1) means that packets are to be allowed to pass in the clear.
488 discard (2) means that packets are to be discarded. ikeRejection
489 (3) means that that an IKE negotiation should not even be
490 attempted or continued. preConfiguredTransport (4) means that an
491 IPsec transport SA is pre-configured. preConfiguredTunnel (5)
492 means that an IPsec tunnel SA is pre-configured. "
493 ::= { ipSecStaticActionEntry 2 }
495 ipSecStaticActionTunnelEndpointId OBJECT-TYPE
497 PIB-REFERENCES {ipSecAddressEntry }
500 "When ipSecStaticActionAction is preConfiguredTunnel (5), this
501 attribute indicates the peer gateway IP address. This address MUST
502 be a single endpoint address.
504 When ipSecStaticActionAction is not preConfiguredTunnel, this
505 attribute MUST be zero."
506 ::= { ipSecStaticActionEntry 3 }
508 ipSecStaticActionDfHandling OBJECT-TYPE
516 "When ipSecStaticActionAction is preConfiguredTunnel, this
517 attribute specifies how the DF bit is managed.
519 Copy (1) indicates to copy the DF bit from the internal IP header
520 to the external IP header. Set (2) indicates to set the DF bit of
521 the external IP header to 1. Clear (3) indicates to clear the DF
522 bit of the external IP header to 0.
524 When ipSecStaticActionAction is not preConfiguredTunnel, this
525 attribute MUST be ignored. "
526 ::= { ipSecStaticActionEntry 4 }
-- Attribute 5 of ipSecStaticActionEntry, Unsigned32 per the
-- IpSecStaticActionEntry SEQUENCE. Holds the SPI used with the SA transform
-- named by ipSecStaticActionSaTransformId. It is meaningful only for the two
-- pre-configured actions.
-- NOTE(review): the description names the actions preConfiguredTransportAction
-- and preConfiguredTunnelAction. The enumeration labels visible on
-- ipSecStaticActionAction are preConfiguredTransport(4) and
-- preConfiguredTunnel(5). These presumably refer to the same values; the
-- description text looks stale.
528 ipSecStaticActionSpi OBJECT-TYPE
532 "Specifies the SPI to be used with the SA Transform identified by
533 ipSecStaticActionSaTransformId.
535 When ipSecStaticActionAction is neither
536 preConfiguredTransportAction nor preConfiguredTunnelAction, this
537 attribute MUST be ignored."
538 ::= { ipSecStaticActionEntry 5 }
-- Attribute 6 of ipSecStaticActionEntry, Unsigned32 per the
-- IpSecStaticActionEntry SEQUENCE. Gives the time-based lifetime, in seconds,
-- of an SA derived from a pre-configured action. It is ignored for the other
-- static actions.
-- Effective lifetime is the smaller of this value and the transform's
-- MaxLifetimeSeconds. The exception is zero here, which means no lifetime at
-- all, so zero overrides whatever maximum the transform carries.
-- NOTE(review): for a static action the key comes from the transform instance
-- (see the ipSecAhTransformIntegrityKey description). Zero therefore keeps one
-- fixed key in use with no time bound. Treat zero as a deliberate exception
-- rather than a default.
-- NOTE(review): the transform's MaxLifetimeSeconds gives zero its own meaning,
-- a default of 8 hours. How that zero enters the "smallest of" comparison is
-- not stated in the visible text.
540 ipSecStaticActionLifetimeSeconds OBJECT-TYPE
544 "Specifies the amount of time (in seconds) that a security
545 association derived from this action should be used. When
546 ipSecStaticActionAction is neither preConfiguredTransportAction
547 nor preConfiguredTunnelAction, this attribute MUST be ignored.
549 A value of zero indicates that there is not a lifetime associated
550 with this action (i.e., infinite lifetime).
552 The actual lifetime of the preconfigured SA will be the smallest
553 of the value of this LifetimeSeconds property and of the value of
554 the MaxLifetimeSeconds property of the associated SA Transform.
555 Except if the value of this LifetimeSeconds property is zero, then
556 there will be no lifetime associated to this SA."
557 ::= { ipSecStaticActionEntry 6 }
-- Attribute 7 of ipSecStaticActionEntry, Unsigned32 per the
-- IpSecStaticActionEntry SEQUENCE. Gives the volume-based lifetime, in
-- kilobytes, of an SA derived from a pre-configured action. It is ignored for
-- the other static actions.
-- Effective lifetime is the smaller of this value and the transform's
-- MaxLifetimeKilobytes. The exception is zero here, which means no volume
-- limit at all.
-- NOTE(review): if this and ipSecStaticActionLifetimeSeconds are both zero, the
-- pre-configured SA has neither a time bound nor a volume bound. Confirm that is
-- intended wherever it appears in policy.
-- The closing line of the description is missing from this listing.
559 ipSecStaticActionLifetimeKilobytes OBJECT-TYPE
563 "Specifies the SA lifetime in kilobytes. When
564 ipSecStaticActionAction is neither preConfiguredTransportAction
565 nor preConfiguredTunnelAction, this attribute MUST be ignored.
567 A value of zero indicates that there is not a lifetime associated
568 with this action (i.e., infinite lifetime).
570 The actual lifetime of the preconfigured SA will be the smallest
571 of the value of this LifetimeKilobytes property and of the value
572 of the MaxLifetimeKilobytes property of the associated SA
573 transform. Except if the value of this LifetimeKilobytes property
574 is zero, then there will be no lifetime associated with this
577 ::= { ipSecStaticActionEntry 7 }
579 ipSecStaticActionSaTransformId OBJECT-TYPE
583 "A pointer to a valid instance in another table that describes an
584 SA transform, e.g, ipSecEspTransformTable, ipSecAhTransformTable."
585 ::= { ipSecStaticActionEntry 8 }
590 -- The ipSecNegotiationActionTable
593 ipSecNegotiationActionTable OBJECT-TYPE
594 SYNTAX SEQUENCE OF IpSecNegotiationActionEntry
598 "Specifies IPsec negotiation actions."
599 ::= { ipSecAssociation 4 }
601 ipSecNegotiationActionEntry OBJECT-TYPE
602 SYNTAX IpSecNegotiationActionEntry
605 "Specifies an instance of this class"
606 PIB-INDEX { ipSecNegotiationActionPrid }
608 ipSecNegotiationActionAction,
609 ipSecNegotiationActionTunnelEndpointId,
610 ipSecNegotiationActionDfHandling,
611 ipSecNegotiationActionIpSecSecurityAssociationId,
612 ipSecNegotiationActionKeyExchangeId
614 ::= { ipSecNegotiationActionTable 1 }
616 IpSecNegotiationActionEntry ::= SEQUENCE {
617 ipSecNegotiationActionPrid InstanceId,
618 ipSecNegotiationActionAction INTEGER,
619 ipSecNegotiationActionTunnelEndpointId ReferenceId,
620 ipSecNegotiationActionDfHandling INTEGER,
621 ipSecNegotiationActionIpSecSecurityAssociationId ReferenceId,
622 ipSecNegotiationActionKeyExchangeId Prid
625 ipSecNegotiationActionPrid OBJECT-TYPE
629 "An integer index that uniquely identifies an instance of this
631 ::= { ipSecNegotiationActionEntry 1 }
-- Attribute 2 of ipSecNegotiationActionEntry (INTEGER in the
-- IpSecNegotiationActionEntry SEQUENCE). Selects the mode of the negotiated
-- SA: transport (1) or tunnel (2). The SYNTAX clause with the enumeration is
-- not present in this listing.
-- NOTE(review): the description requires "ipSecActionTunnelEndpointId" for
-- tunnel mode. The attribute defined in this table is
-- ipSecNegotiationActionTunnelEndpointId. The sibling descriptions likewise say
-- "ipSecActionAction" where this object is meant. These look like names left
-- over from an earlier revision; confirm and align them so the tunnel-endpoint
-- requirement is unambiguous.
633 ipSecNegotiationActionAction OBJECT-TYPE
640 "Specifies the IPsec action to be applied to the traffic.
641 transport(1) means that the packet should be protected with a
642 security association in transport mode. tunnel(2) means that the
643 packet should be protected with a security association in tunnel
644 mode. If tunnel (2) is specified, ipSecActionTunnelEndpointId
645 MUST also be specified."
646 ::= { ipSecNegotiationActionEntry 2 }
648 ipSecNegotiationActionTunnelEndpointId OBJECT-TYPE
650 PIB-REFERENCES {ipSecAddressEntry }
653 "When ipSecActionAction is tunnel (2), this attribute indicates
654 the peer gateway IP address. This address MUST be a single
657 When ipSecActionAction is not tunnel, this attribute MUST be
659 ::= { ipSecNegotiationActionEntry 3 }
661 ipSecNegotiationActionDfHandling OBJECT-TYPE
669 "When ipSecActionAction is tunnel, this attribute specifies how
670 the DF bit is managed.
672 Copy (1) indicates to copy the DF bit from the internal IP header
673 to the external IP header. Set (2) indicates to set the DF bit of
674 the external IP header to 1. Clear (3) indicates to clear the DF
675 bit of the external IP header to 0.
677 When ipSecActionAction is not tunnel, this attribute MUST be
679 ::= { ipSecNegotiationActionEntry 4 }
-- Attribute 5 of ipSecNegotiationActionEntry, a ReferenceId per the
-- IpSecNegotiationActionEntry SEQUENCE. Per PIB-REFERENCES, it points at an
-- ipSecAssociationEntry holding the SA parameters for this negotiation.
-- NOTE(review): the description names "ipSecSecurityAssociationTable". The
-- table defined in this module, and the one PIB-REFERENCES resolves to, is
-- ipSecAssociationTable. The description appears to use an older name.
681 ipSecNegotiationActionIpSecSecurityAssociationId OBJECT-TYPE
683 PIB-REFERENCES {ipSecAssociationEntry }
686 "Pointer to a valid instance in the
687 ipSecSecurityAssociationTable."
688 ::= { ipSecNegotiationActionEntry 5 }
-- Attribute 6 of ipSecNegotiationActionEntry, a Prid per the
-- IpSecNegotiationActionEntry SEQUENCE. Points at the key exchange
-- configuration used to establish the SA:
--   one IKE phase one negotiation     MUST point into ipSecIkeAssociationTable
--   several tried until one succeeds  SHOULD point to ipSecIkeRuleTable
--   other key exchange methods        may point to a PRC in another PIB
-- Zero means no key exchange procedure. The rest of that sentence is missing
-- from this listing.
-- NOTE(review): the visible text does not say how an SA for a negotiation action
-- is keyed when this value is zero. Confirm against the full draft before
-- accepting zero in policy.
690 ipSecNegotiationActionKeyExchangeId OBJECT-TYPE
694 "A pointer to a valid instance in another table that describes key
695 exchange associations. If a single IKE phase one negotiation is
696 used for the key exchange, this attribute MUST point to an
697 instance in the ipSecIkeAssociationTable. If multiple IKE phase
698 one negotiations (e.g., with different modes) are to be tried
699 until success, this attribute SHOULD point to ipSecIkeRuleTable.
701 For other key exchange methods, this attribute may point to an
702 instance of a PRC defined in some other PIB.
704 A value of zero means that there is no key exchange procedure
706 ::= { ipSecNegotiationActionEntry 6 }
711 -- The ipSecAssociationTable
714 ipSecAssociationTable OBJECT-TYPE
715 SYNTAX SEQUENCE OF IpSecAssociationEntry
719 "Specifies IPsec associations."
720 ::= { ipSecAssociation 5 }
722 ipSecAssociationEntry OBJECT-TYPE
723 SYNTAX IpSecAssociationEntry
726 "Specifies an instance of this class"
727 PIB-INDEX { ipSecAssociationPrid }
729 ipSecAssociationMinLifetimeSeconds,
730 ipSecAssociationMinLifetimeKilobytes,
731 ipSecAssociationIdleDurationSeconds,
732 ipSecAssociationUsePfs,
733 ipSecAssociationVendorId,
734 ipSecAssociationUseKeyExchangeGroup,
735 ipSecAssociationDhGroup,
736 ipSecAssociationGranularity,
737 ipSecAssociationProposalSetId
739 ::= { ipSecAssociationTable 1 }
741 IpSecAssociationEntry ::= SEQUENCE {
742 ipSecAssociationPrid InstanceId,
743 ipSecAssociationMinLifetimeSeconds Unsigned32,
744 ipSecAssociationMinLifetimeKilobytes Unsigned32,
745 ipSecAssociationIdleDurationSeconds Unsigned32,
746 ipSecAssociationUsePfs TruthValue,
747 ipSecAssociationVendorId OCTET STRING,
748 ipSecAssociationUseKeyExchangeGroup TruthValue,
749 ipSecAssociationDhGroup Unsigned16,
750 ipSecAssociationGranularity INTEGER,
751 ipSecAssociationProposalSetId TagReferenceId
754 ipSecAssociationPrid OBJECT-TYPE
758 "An integer index that uniquely identifies an instance of this
760 ::= { ipSecAssociationEntry 1 }
762 ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
766 "Specifies the minimum SA seconds lifetime that will be accepted
767 from a peer while negotiating an SA based upon this action.
768 A value of zero indicates that there is no minimum lifetime
770 ::= { ipSecAssociationEntry 2 }
772 ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
776 "Specifies the minimum kilobyte lifetime that will be accepted
777 from a negotiating peer while negotiating an SA based upon this
778 action. A value of zero indicates that there is no minimum
780 ::= { ipSecAssociationEntry 3 }
782 ipSecAssociationIdleDurationSeconds OBJECT-TYPE
786 "Specifies how long, in seconds, a security association may remain
787 unused before it is deleted.
789 A value of zero indicates that idle detection should not be used
790 for the security association (only the seconds and kilobyte
791 lifetimes will be used)."
792 ::= { ipSecAssociationEntry 4 }
-- Attribute 5 of ipSecAssociationEntry, a TruthValue per the
-- IpSecAssociationEntry SEQUENCE. Enables perfect forward secrecy when keys are
-- refreshed.
-- It gates three sibling attributes. ipSecAssociationUseKeyExchangeGroup,
-- ipSecAssociationDhGroup and ipSecAssociationVendorId are only consulted when
-- this is true, per their descriptions.
-- NOTE(review): no DEFVAL is visible in this listing, so the default cannot be
-- told from here. Set the value explicitly in policy.
794 ipSecAssociationUsePfs OBJECT-TYPE
798 "Specifies whether or not to use PFS when refreshing keys."
799 ::= { ipSecAssociationEntry 5 }
-- Attribute 6 of ipSecAssociationEntry, an OCTET STRING per the
-- IpSecAssociationEntry SEQUENCE. Carries the IKE Vendor ID that qualifies a
-- vendor-specific key exchange group.
-- It is used only when PFS is on, the phase 1 group is not reused, and
-- ipSecAssociationDhGroup lies in the vendor-specific range. That range starts
-- at 32768; its upper bound is on a line missing from this listing.
-- NOTE(review): the description writes "ipSecAssociationUsePFS", while the
-- attribute is defined as ipSecAssociationUsePfs. SMI identifiers are case
-- sensitive, so the reference should match the definition.
801 ipSecAssociationVendorId OBJECT-TYPE
805 "Specifies the IKE Vendor ID. This attribute is used together with
806 the property ipSecAssociationDhGroup (when it is in the vendor-
807 specific range) to identify the key exchange group. This
808 attribute is ignored unless ipSecAssociationUsePFS is true and
809 ipSecAssociationUseKeyExchangeGroup is false and
810 ipSecAssociationDhGroup is in the vendor-specific range (32768-
812 ::= { ipSecAssociationEntry 6 }
-- Attribute 7 of ipSecAssociationEntry, a TruthValue per the
-- IpSecAssociationEntry SEQUENCE.
--   true   phase 2 reuses the group negotiated in phase 1
--   false  phase 2 uses the group given by the DhGroup attribute
-- It only matters when PFS is enabled. The sentence saying what happens when
-- UsePFS is false is cut off in this listing.
-- NOTE(review): the description refers to "ipSecSecurityAssociationDhGroup".
-- The attribute defined in this table is ipSecAssociationDhGroup. The reference
-- appears to use an older name.
814 ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE
818 "Specifies whether or not to use the same GroupId for phase 2 as
819 was used in phase 1. If UsePFS is false, then this attribute is
822 A value of true indicates that the phase 2 GroupId should be the
823 same as phase 1. A value of false indicates that the group number
824 specified by the ipSecSecurityAssociationDhGroup attribute SHALL
825 be used for phase 2. "
826 ::= { ipSecAssociationEntry 7 }
-- Attribute 8 of ipSecAssociationEntry, Unsigned16 per the
-- IpSecAssociationEntry SEQUENCE. Gives the key exchange group for phase 2.
-- It is used only when PFS is on and the phase 1 group is not reused.
-- The SYNTAX clause is missing from this listing, so any restriction on
-- acceptable group numbers cannot be seen here. Policy authors should pin the
-- value to a group their deployment considers strong enough.
-- NOTE(review): the description refers to "ipSecSecurityAssociationUsePfs" and
-- "ipSecSecurityAssociationUseKeyExchangeGroup". The attributes defined in this
-- table are ipSecAssociationUsePfs and ipSecAssociationUseKeyExchangeGroup.
828 ipSecAssociationDhGroup OBJECT-TYPE
832 "Specifies the key exchange group to use for phase 2 when the
833 property ipSecSecurityAssociationUsePfs is true and the property
834 ipSecSecurityAssociationUseKeyExchangeGroup is false."
835 ::= { ipSecAssociationEntry 8 }
837 ipSecAssociationGranularity OBJECT-TYPE
846 "Specifies how the proposed selector for the security association
849 A value of 1 (subnet) indicates that the source and destination
850 subnet masks of the filter entry are used.
852 A value of 2 (address) indicates that only the source and
853 destination IP addresses of the triggering packet are used.
855 A value of 3 (protocol) indicates that the source and destination
856 IP addresses and the IP protocol of the triggering packet are
859 A value of 4 (port) indicates that the source and destination IP
860 addresses and the IP protocol and the source and destination layer
861 4 ports of the triggering packet are used. "
862 ::= { ipSecAssociationEntry 9 }
864 ipSecAssociationProposalSetId OBJECT-TYPE
865 SYNTAX TagReferenceId
866 PIB-TAG { ipSecProposalSetProposalSetId }
869 "Identifies a set of IPsec proposals that is associated with this
871 ::= { ipSecAssociationEntry 10 }
876 -- The ipSecProposalSetTable
879 ipSecProposalSetTable OBJECT-TYPE
880 SYNTAX SEQUENCE OF IpSecProposalSetEntry
884 "Specifies IPsec proposal sets. Proposals within a set are ORed
885 with preference order. "
886 ::= { ipSecAssociation 6 }
888 ipSecProposalSetEntry OBJECT-TYPE
889 SYNTAX IpSecProposalSetEntry
892 "Specifies an instance of this class"
893 PIB-INDEX { ipSecProposalSetPrid }
895 ipSecProposalSetProposalSetId,
896 ipSecProposalSetProposalId,
897 ipSecProposalSetOrder
899 ::= { ipSecProposalSetTable 1 }
901 IpSecProposalSetEntry ::= SEQUENCE {
902 ipSecProposalSetPrid InstanceId,
903 ipSecProposalSetProposalSetId TagId,
904 ipSecProposalSetProposalId ReferenceId,
905 ipSecProposalSetOrder Unsigned16
908 ipSecProposalSetPrid OBJECT-TYPE
912 "An integer index that uniquely identifies an instance of this
914 ::= { ipSecProposalSetEntry 1 }
916 ipSecProposalSetProposalSetId OBJECT-TYPE
922 "An IPsec proposal set is composed of one or more IPsec proposals.
923 Each proposal belonging to the same set has the same
925 ::= { ipSecProposalSetEntry 2 }
927 ipSecProposalSetProposalId OBJECT-TYPE
929 PIB-REFERENCES {ipSecProposalEntry }
932 "A pointer to a valid instance in the ipSecProposalTable."
933 ::= { ipSecProposalSetEntry 3 }
935 ipSecProposalSetOrder OBJECT-TYPE
939 "An integer that specifies the precedence order of the proposal
940 identified by ipSecProposalSetProposalId in a proposal set. The
941 proposal set is identified by ipSecProposalSetProposalSetId.
942 Proposals within a set are ORed with preference order. A smaller
943 integer value indicates a higher preference."
944 ::= { ipSecProposalSetEntry 4 }
949 -- The ipSecProposalTable
952 ipSecProposalTable OBJECT-TYPE
953 SYNTAX SEQUENCE OF IpSecProposalEntry
957 "Specifies IPsec proposals. It has references to ESP, AH and
958 IPCOMP Transform sets. Within a proposal, different types of
959 transforms are ANDed. Multiple transforms of the same type are
960 ORed with preference order."
961 ::= { ipSecAssociation 7 }
963 ipSecProposalEntry OBJECT-TYPE
964 SYNTAX IpSecProposalEntry
967 "Specifies an instance of this class"
968 PIB-INDEX { ipSecProposalPrid }
970 ipSecProposalEspTransformSetId,
971 ipSecProposalAhTransformSetId,
972 ipSecProposalCompTransformSetId
974 ::= { ipSecProposalTable 1 }
976 IpSecProposalEntry ::= SEQUENCE {
977 ipSecProposalPrid InstanceId,
978 ipSecProposalEspTransformSetId TagReferenceId,
979 ipSecProposalAhTransformSetId TagReferenceId,
980 ipSecProposalCompTransformSetId TagReferenceId
983 ipSecProposalPrid OBJECT-TYPE
987 "An integer index that uniquely identifies an instance of this
989 ::= { ipSecProposalEntry 1 }
991 ipSecProposalEspTransformSetId OBJECT-TYPE
992 SYNTAX TagReferenceId
993 PIB-TAG { ipSecEspTransformSetTransformSetId }
996 "An integer that identifies a set of ESP transforms, specified in
997 ipSecEspTransformSetTable, that is associated with this proposal."
998 ::= { ipSecProposalEntry 2 }
1000 ipSecProposalAhTransformSetId OBJECT-TYPE
1001 SYNTAX TagReferenceId
1002 PIB-TAG { ipSecAhTransformSetTransformSetId }
1005 "An integer that identifies an AH transform set, specified in
1006 ipSecAhTransformSetTable, that is associated with this proposal."
1007 ::= { ipSecProposalEntry 3 }
1009 ipSecProposalCompTransformSetId OBJECT-TYPE
1010 SYNTAX TagReferenceId
1011 PIB-TAG { ipSecCompTransformSetTransformSetId }
1014 "An integer that identifies a set of IPComp transforms, specified
1015 in ipSecCompTransformSetTable, that is associated with this
1017 ::= { ipSecProposalEntry 4 }
1022 -- The ipSecAhTransformSetTable
1025 ipSecAhTransformSetTable OBJECT-TYPE
1026 SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
1030 "Specifies AH transform sets. Within a transform set, the
1031 transforms are ORed with preference order. "
1032 ::= { ipSecAhTransform 1 }
1034 ipSecAhTransformSetEntry OBJECT-TYPE
1035 SYNTAX IpSecAhTransformSetEntry
1038 "Specifies an instance of this class"
1039 PIB-INDEX { ipSecAhTransformSetPrid }
1041 ipSecAhTransformSetTransformSetId,
1042 ipSecAhTransformSetTransformId,
1043 ipSecAhTransformSetOrder
1045 ::= { ipSecAhTransformSetTable 1 }
1047 IpSecAhTransformSetEntry ::= SEQUENCE {
1048 ipSecAhTransformSetPrid InstanceId,
1049 ipSecAhTransformSetTransformSetId TagId,
1050 ipSecAhTransformSetTransformId ReferenceId,
1051 ipSecAhTransformSetOrder Unsigned16
1054 ipSecAhTransformSetPrid OBJECT-TYPE
1058 "An integer index that uniquely identifies an instance of this
1060 ::= { ipSecAhTransformSetEntry 1 }
1062 ipSecAhTransformSetTransformSetId OBJECT-TYPE
1066 "An AH transform set is composed of one or more AH transforms.
1067 Each transform belonging to the same set has the same
1069 ::= { ipSecAhTransformSetEntry 2 }
1071 ipSecAhTransformSetTransformId OBJECT-TYPE
1073 PIB-REFERENCES {ipSecAhTransformEntry }
1076 "A pointer to a valid instance in the ipSecAhTransformTable."
1077 ::= { ipSecAhTransformSetEntry 3 }
1079 ipSecAhTransformSetOrder OBJECT-TYPE
1083 "An integer that specifies the precedence order of the transform
1084 identified by ipSecAhTransformSetTransformId within a transform
1085 set. The transform set is identified by
1086 ipSecAhTransformSetTransformSetId. Transforms within a set are
1087 ORed with preference order. A smaller integer value indicates a
1089 ::= { ipSecAhTransformSetEntry 4 }
1094 -- The ipSecAhTransformTable
1097 ipSecAhTransformTable OBJECT-TYPE
1098 SYNTAX SEQUENCE OF IpSecAhTransformEntry
1102 "Specifies AH transforms."
1103 ::= { ipSecAhTransform 2 }
1105 ipSecAhTransformEntry OBJECT-TYPE
1106 SYNTAX IpSecAhTransformEntry
1109 "Specifies an instance of this class"
1110 PIB-INDEX { ipSecAhTransformPrid }
1112 ipSecAhTransformTransformId,
1113 ipSecAhTransformIntegrityKey,
1114 ipSecAhTransformUseReplayPrevention,
1115 ipSecAhTransformReplayPreventionWindowSize,
1116 ipSecAhTransformVendorId,
1117 ipSecAhTransformMaxLifetimeSeconds,
1118 ipSecAhTransformMaxLifetimeKilobytes
1120 ::= { ipSecAhTransformTable 1 }
1122 IpSecAhTransformEntry ::= SEQUENCE {
1123 ipSecAhTransformPrid InstanceId,
1124 ipSecAhTransformTransformId INTEGER,
1125 ipSecAhTransformIntegrityKey OCTET STRING,
1126 ipSecAhTransformUseReplayPrevention TruthValue,
1127 ipSecAhTransformReplayPreventionWindowSize Unsigned32,
1128 ipSecAhTransformVendorId OCTET STRING,
1129 ipSecAhTransformMaxLifetimeSeconds Unsigned32,
1130 ipSecAhTransformMaxLifetimeKilobytes Unsigned32
1133 ipSecAhTransformPrid OBJECT-TYPE
1137 "An integer index that uniquely identifies an instance of this
1139 ::= { ipSecAhTransformEntry 1 }
1141 ipSecAhTransformTransformId OBJECT-TYPE
1149 "Specifies the transform ID of the AH algorithm to propose."
1150 ::= { ipSecAhTransformEntry 2 }
-- Attribute 3 of ipSecAhTransformEntry, an OCTET STRING per the
-- IpSecAhTransformEntry SEQUENCE. Holds the AH integrity key when the
-- transform backs a Static Action. It MUST be ignored for a Negotiation Action.
-- NOTE(review): this attribute carries raw key material inside policy data.
-- Anyone able to read the instance, on the wire or in the policy store, holds
-- the key that authenticates traffic on the pre-configured SA. The channel
-- protection and access control expected for it are not visible in this
-- listing; confirm them in the full draft's security considerations.
-- No SIZE constraint is visible here either.
1152 ipSecAhTransformIntegrityKey OBJECT-TYPE
1156 "When this AH transform instance is used for a Static Action, this
1157 attribute specifies the integrity key to be used. This attribute
1158 MUST be ignored when this AH transform instance is used for a
1159 Negotiation Action."
1160 ::= { ipSecAhTransformEntry 3 }
-- Attribute 4 of ipSecAhTransformEntry, a TruthValue per the
-- IpSecAhTransformEntry SEQUENCE. Turns anti-replay checking on or off for SAs
-- using this transform. When false, ipSecAhTransformReplayPreventionWindowSize
-- is ignored.
-- NOTE(review): no DEFVAL is visible in this listing. Set the value explicitly;
-- disabling it removes replay detection for the SA.
1162 ipSecAhTransformUseReplayPrevention OBJECT-TYPE
1166 "Specifies whether to enable replay prevention detection."
1167 ::= { ipSecAhTransformEntry 4 }
-- Attribute 5 of ipSecAhTransformEntry, Unsigned32 per the
-- IpSecAhTransformEntry SEQUENCE. Gives the anti-replay sliding window length
-- in bits. It is ignored when UseReplayPrevention is false.
-- NOTE(review): the description only assumes a power-of-2 value. No range or
-- constraint is visible in this listing, so a receiver should validate the
-- value rather than trust it. The visible text does not say how zero or a
-- value that is not a power of 2 is handled.
1169 ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
1173 "Specifies, in bits, the length of the sliding window used by the
1174 replay prevention detection mechanism. The value of this property
1175 is ignored if UseReplayPrevention is false. It is assumed that the
1176 window size will be power of 2."
1177 ::= { ipSecAhTransformEntry 5 }
1179 ipSecAhTransformVendorId OBJECT-TYPE
1183 "Specifies the vendor ID for vendor-defined transforms."
1184 ::= { ipSecAhTransformEntry 6 }
-- Attribute 7 of ipSecAhTransformEntry, Unsigned32 per the
-- IpSecAhTransformEntry SEQUENCE. Gives the maximum time-based SA lifetime to
-- propose.
-- Zero does NOT mean unlimited here; it selects a default of 8 hours.
-- Zero has a different meaning elsewhere in this module:
--   ipSecAhTransformMaxLifetimeKilobytes  zero = no maximum
--   ipSecStaticActionLifetimeSeconds      zero = infinite lifetime
-- Check which attribute is being set before using zero.
1186 ipSecAhTransformMaxLifetimeSeconds OBJECT-TYPE
1190 "Specifies the maximum amount of time to propose for a security
1191 association to remain valid.
1193 A value of zero indicates that the default of 8 hours be used. A
1194 non-zero value indicates the maximum seconds lifetime."
1195 ::= { ipSecAhTransformEntry 7 }
-- Attribute 8 of ipSecAhTransformEntry, Unsigned32 per the
-- IpSecAhTransformEntry SEQUENCE. Gives the maximum volume-based SA lifetime
-- to propose, in kilobytes.
-- Zero means no volume limit. That differs from
-- ipSecAhTransformMaxLifetimeSeconds, where zero selects an 8 hour default.
-- With zero here, rekeying is driven by the time-based lifetime alone.
-- The closing line of the description is missing from this listing.
1197 ipSecAhTransformMaxLifetimeKilobytes OBJECT-TYPE
1201 "Specifies the maximum kilobyte lifetime to propose for a security
1202 association to remain valid.
1204 A value of zero indicates that there should be no maximum kilobyte
1205 lifetime. A non-zero value specifies the desired kilobyte
1207 ::= { ipSecAhTransformEntry 8 }
1212 -- The ipSecEspTransformSetTable
1215 ipSecEspTransformSetTable OBJECT-TYPE
1216 SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
1220 "Specifies ESP transform sets. Within a transform set, the choices
1221 are ORed with preference order. "
1222 ::= { ipSecEspTransform 1 }
1224 ipSecEspTransformSetEntry OBJECT-TYPE
1225 SYNTAX IpSecEspTransformSetEntry
1228 "Specifies an instance of this class"
1229 PIB-INDEX { ipSecEspTransformSetPrid }
1231 ipSecEspTransformSetTransformSetId,
1232 ipSecEspTransformSetTransformId,
1233 ipSecEspTransformSetOrder
1235 ::= { ipSecEspTransformSetTable 1 }
1237 IpSecEspTransformSetEntry ::= SEQUENCE {
1238 ipSecEspTransformSetPrid InstanceId,
1239 ipSecEspTransformSetTransformSetId TagId,
1240 ipSecEspTransformSetTransformId ReferenceId,
1241 ipSecEspTransformSetOrder Unsigned16
1244 ipSecEspTransformSetPrid OBJECT-TYPE
1248 "An integer index that uniquely identifies an instance of this
1250 ::= { ipSecEspTransformSetEntry 1 }
1252 ipSecEspTransformSetTransformSetId OBJECT-TYPE
1256 "An ESP transform set is composed of one or more ESP transforms.
1257 Each transform belonging to the same set has the same
1259 ::= { ipSecEspTransformSetEntry 2 }
1261 ipSecEspTransformSetTransformId OBJECT-TYPE
1263 PIB-REFERENCES {ipSecEspTransformEntry }
1266 "A pointer to a valid instance in the ipSecEspTransformTable."
1267 ::= { ipSecEspTransformSetEntry 3 }
1269 ipSecEspTransformSetOrder OBJECT-TYPE
1273 "An integer that specifies the precedence order of the transform
1274 identified by ipSecEspTransformSetTransformId within a transform
1275 set. The transform set is identified by
1276 ipSecEspTransformSetTransformSetId. Transforms within a set are
1277 ORed with preference order. A smaller integer value indicates a
1279 ::= { ipSecEspTransformSetEntry 4 }
1284 -- The ipSecEspTransformTable
1287 ipSecEspTransformTable OBJECT-TYPE
1288 SYNTAX SEQUENCE OF IpSecEspTransformEntry
1292 "Specifies ESP transforms."
1293 ::= { ipSecEspTransform 2 }
1295 ipSecEspTransformEntry OBJECT-TYPE
1296 SYNTAX IpSecEspTransformEntry
1299 "Specifies an instance of this class"
1300 PIB-INDEX { ipSecEspTransformPrid }
1302 ipSecEspTransformIntegrityTransformId,
1303 ipSecEspTransformCipherTransformId,
1304 ipSecEspTransformIntegrityKey,
1305 ipSecEspTransformCipherKey,
1306 ipSecEspTransformCipherKeyRounds,
1307 ipSecEspTransformCipherKeyLength,
1308 ipSecEspTransformUseReplayPrevention,
1309 ipSecEspTransformReplayPreventionWindowSize,
1310 ipSecEspTransformVendorId,
1311 ipSecEspTransformMaxLifetimeSeconds,
1312 ipSecEspTransformMaxLifetimeKilobytes
1314 ::= { ipSecEspTransformTable 1 }
1316 IpSecEspTransformEntry ::= SEQUENCE {
1317 ipSecEspTransformPrid InstanceId,
1318 ipSecEspTransformIntegrityTransformId INTEGER,
1319 ipSecEspTransformCipherTransformId INTEGER,
1320 ipSecEspTransformIntegrityKey OCTET STRING,
1321 ipSecEspTransformCipherKey OCTET STRING,
1322 ipSecEspTransformCipherKeyRounds Unsigned16,
1323 ipSecEspTransformCipherKeyLength Unsigned16,
1324 ipSecEspTransformUseReplayPrevention TruthValue,
1325 ipSecEspTransformReplayPreventionWindowSize Unsigned32,
1326 ipSecEspTransformVendorId OCTET STRING,
1327 ipSecEspTransformMaxLifetimeSeconds Unsigned32,
1328 ipSecEspTransformMaxLifetimeKilobytes Unsigned32
1331 ipSecEspTransformPrid OBJECT-TYPE
1335 "An integer index that uniquely identifies an instance of this
1337 ::= { ipSecEspTransformEntry 1 }
1339 ipSecEspTransformIntegrityTransformId OBJECT-TYPE
1349 "Specifies the transform ID of the ESP integrity algorithm to
1351 ::= { ipSecEspTransformEntry 2 }
1353 ipSecEspTransformCipherTransformId OBJECT-TYPE
1369 "Specifies the transform ID of the ESP encryption algorithm to
1371 ::= { ipSecEspTransformEntry 3 }
-- NOTE(review): this attribute carries raw integrity key material for
-- statically keyed SAs. Anything that stores, transports, or logs this
-- policy instance is handling a secret: the policy channel should provide
-- confidentiality and integrity, and the value should be kept out of logs
-- and diagnostics. Key length and encoding are not stated in the visible
-- text; the SEQUENCE declares the attribute as OCTET STRING.
1373 ipSecEspTransformIntegrityKey OBJECT-TYPE
1377 "When this ESP transform instance is used for a Static Action,
1378 this attribute specifies the integrity key to be used. This
1379 attribute MUST be ignored when this ESP transform instance is used
1380 for a Negotiation Action."
1381 ::= { ipSecEspTransformEntry 4 }
-- NOTE(review): raw encryption key material for statically keyed SAs.
-- A static key is not refreshed by IKE, so its effective lifetime is
-- whatever the provisioning process enforces; plan for explicit rotation.
-- Treat every copy of this policy instance (in transit, at rest, in
-- backups, in debug output) as secret material.
1383 ipSecEspTransformCipherKey OBJECT-TYPE
1387 "When this ESP transform instance is used for a Static Action,
1388 this attribute specifies the cipher key to be used. This attribute
1389 MUST be ignored when this ESP transform instance is used for a
1390 Negotiation Action."
1391 ::= { ipSecEspTransformEntry 5 }
1393 ipSecEspTransformCipherKeyRounds OBJECT-TYPE
1399 "Specifies the number of key rounds for the ESP encryption
1400 algorithm. For encryption algorithms that use a fixed number of key
1401 rounds, this value is ignored."
1402 ::= { ipSecEspTransformEntry 6 }
1404 ipSecEspTransformCipherKeyLength OBJECT-TYPE
1408 "Specifies, in bits, the key length for the ESP encryption
1409 algorithm. For encryption algorithms that use fixed-length keys,
1410 this value is ignored."
1411 ::= { ipSecEspTransformEntry 7 }
-- NOTE(review): the ESP specification (RFC 2406) says a compliant
-- implementation SHOULD NOT provide anti-replay on manually keyed SAs,
-- because the sequence number must never cycle under a single key.
-- Presumably a Static Action corresponds to a manually keyed SA (confirm
-- against the action tables); if so, setting this to true together with
-- static keys deserves a validation check on the PDP side.
1413 ipSecEspTransformUseReplayPrevention OBJECT-TYPE
1417 "Specifies whether to enable replay prevention detection."
1418 ::= { ipSecEspTransformEntry 8 }
1420 ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
1424 "Specifies, in bits, the length of the sliding window used by the
1425 replay prevention detection mechanism. The value of this property
1426 is ignored if UseReplayPrevention is false. It is assumed that the
1427 window size will be a power of 2."
1428 ::= { ipSecEspTransformEntry 9 }
1430 ipSecEspTransformVendorId OBJECT-TYPE
1434 "Specifies the vendor ID for vendor-defined transforms."
1435 ::= { ipSecEspTransformEntry 10 }
1437 ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE
1441 "Specifies the maximum amount of time to propose for a security
1442 association to remain valid.
1444 A value of zero indicates that the default of 8 hours be used. A
1445 non-zero value indicates the maximum seconds lifetime."
1446 ::= { ipSecEspTransformEntry 11 }
-- NOTE(review): zero disables the volume-based limit, leaving only the
-- seconds lifetime to bound how much data is protected under one key.
-- For ciphers with a 64-bit block, a byte limit is advisable because
-- block collisions become likely after large volumes under a single key.
-- The cipher enumeration is not visible in this part of the listing, so
-- check which transforms this applies to before allowing zero here.
1448 ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE
1452 "Specifies the maximum kilobyte lifetime to propose for a security
1453 association to remain valid.
1455 A value of zero indicates that there should be no maximum kilobyte
1456 lifetime. A non-zero value specifies the desired kilobyte
1458 ::= { ipSecEspTransformEntry 12 }
1463 -- The ipSecCompTransformSetTable
1466 ipSecCompTransformSetTable OBJECT-TYPE
1467 SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
1471 "Specifies IPComp transform sets. Within a transform set, the
1472 choices are ORed with preference order."
1473 ::= { ipSecCompTransform 1 }
1475 ipSecCompTransformSetEntry OBJECT-TYPE
1476 SYNTAX IpSecCompTransformSetEntry
1479 "Specifies an instance of this class"
1480 PIB-INDEX { ipSecCompTransformSetPrid }
1482 ipSecCompTransformSetTransformSetId,
1483 ipSecCompTransformSetTransformId,
1484 ipSecCompTransformSetOrder
1486 ::= { ipSecCompTransformSetTable 1 }
1488 IpSecCompTransformSetEntry ::= SEQUENCE {
1489 ipSecCompTransformSetPrid InstanceId,
1490 ipSecCompTransformSetTransformSetId TagId,
1491 ipSecCompTransformSetTransformId ReferenceId,
1492 ipSecCompTransformSetOrder Unsigned16
1495 ipSecCompTransformSetPrid OBJECT-TYPE
1499 "An integer index that uniquely identifies an instance of this
1501 ::= { ipSecCompTransformSetEntry 1 }
1503 ipSecCompTransformSetTransformSetId OBJECT-TYPE
1507 "An IPCOMP transform set is composed of one or more IPCOMP
1508 transforms. Each transform belonging to the same set has the same
1510 ::= { ipSecCompTransformSetEntry 2 }
1512 ipSecCompTransformSetTransformId OBJECT-TYPE
1514 PIB-REFERENCES {ipSecCompTransformEntry }
1517 "A pointer to a valid instance in the ipSecCompTransformTable."
1518 ::= { ipSecCompTransformSetEntry 3 }
1520 ipSecCompTransformSetOrder OBJECT-TYPE
1524 "An integer that specifies the precedence order of the transform
1525 identified by ipSecCompTransformSetTransformId within a transform
1526 set. The transform set is identified by
1527 ipSecCompTransformSetTransformSetId. Transforms within a set are
1528 ORed with preference order. A smaller integer value indicates a
1530 ::= { ipSecCompTransformSetEntry 4 }
1535 -- The ipSecCompTransformTable
1538 ipSecCompTransformTable OBJECT-TYPE
1539 SYNTAX SEQUENCE OF IpSecCompTransformEntry
1543 "Specifies IP compression (IPCOMP) algorithms."
1544 ::= { ipSecCompTransform 2 }
1546 ipSecCompTransformEntry OBJECT-TYPE
1547 SYNTAX IpSecCompTransformEntry
1550 "Specifies an instance of this class"
1551 PIB-INDEX { ipSecCompTransformPrid }
1553 ipSecCompTransformAlgorithm,
1554 ipSecCompTransformDictionarySize,
1555 ipSecCompTransformPrivateAlgorithm,
1556 ipSecCompTransformVendorId,
1557 ipSecCompTransformMaxLifetimeSeconds,
1558 ipSecCompTransformMaxLifetimeKilobytes
1560 ::= { ipSecCompTransformTable 1 }
1562 IpSecCompTransformEntry ::= SEQUENCE {
1563 ipSecCompTransformPrid InstanceId,
1564 ipSecCompTransformAlgorithm INTEGER,
1565 ipSecCompTransformDictionarySize Unsigned16,
1566 ipSecCompTransformPrivateAlgorithm Unsigned32,
1567 ipSecCompTransformVendorId OCTET STRING,
1568 ipSecCompTransformMaxLifetimeSeconds Unsigned32,
1569 ipSecCompTransformMaxLifetimeKilobytes Unsigned32
1572 ipSecCompTransformPrid OBJECT-TYPE
1576 "An integer index that uniquely identifies an instance of this
1578 ::= { ipSecCompTransformEntry 1 }
1580 ipSecCompTransformAlgorithm OBJECT-TYPE
1588 "Specifies the transform ID of the IPCOMP compression algorithm to
1590 ::= { ipSecCompTransformEntry 2 }
1592 ipSecCompTransformDictionarySize OBJECT-TYPE
1596 "Specifies the log2 maximum size of the dictionary for the
1597 compression algorithm. For compression algorithms that have pre-
1598 defined dictionary sizes, this value is ignored."
1599 ::= { ipSecCompTransformEntry 3 }
1601 ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
1605 "Specifies a private vendor-specific compression algorithm."
1606 ::= { ipSecCompTransformEntry 4 }
1608 ipSecCompTransformVendorId OBJECT-TYPE
1612 "Specifies the vendor ID for vendor-defined transforms."
1613 ::= { ipSecCompTransformEntry 5 }
1615 ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE
1619 "Specifies the maximum amount of time to propose for a security
1620 association to remain valid.
1622 A value of zero indicates that the default of 8 hours be used. A
1623 non-zero value indicates the maximum seconds lifetime."
1624 ::= { ipSecCompTransformEntry 6 }
1626 ipSecCompTransformMaxLifetimeKilobytes OBJECT-TYPE
1630 "Specifies the maximum kilobyte lifetime to propose for a security
1631 association to remain valid.
1633 A value of zero indicates that there should be no maximum kilobyte
1634 lifetime. A non-zero value specifies the desired kilobyte
1636 ::= { ipSecCompTransformEntry 7 }
1641 -- The ipSecIkeRuleTable
1644 ipSecIkeRuleTable OBJECT-TYPE
1645 SYNTAX SEQUENCE OF IpSecIkeRuleEntry
1649 "Specifies IKE rules. This table is required only when specifying:
1651 - Multiple IKE phase one actions (e.g., with different exchange
1652 modes) that are associated with one IPsec association. These
1653 actions are to be tried in sequence until one succeeds.
1655 - IKE phase one actions that start automatically.
1657 Support of this table is optional."
1658 ::= { ipSecIkeAssociation 1 }
1660 ipSecIkeRuleEntry OBJECT-TYPE
1661 SYNTAX IpSecIkeRuleEntry
1664 "Specifies an instance of this class"
1665 PIB-INDEX { ipSecIkeRulePrid }
1669 ipSecIkeRuleIkeActionSetId,
1670 ipSecIkeRuleActionExecutionStrategy,
1671 ipSecIkeRuleLimitNegotiation,
1672 ipSecIkeRuleAutoStart
1674 ::= { ipSecIkeRuleTable 1 }
1676 IpSecIkeRuleEntry ::= SEQUENCE {
1677 ipSecIkeRulePrid InstanceId,
1678 ipSecIkeRuleIfName SnmpAdminString,
1679 ipSecIkeRuleRoles RoleCombination,
1680 ipSecIkeRuleIkeActionSetId TagReferenceId,
1681 ipSecIkeRuleActionExecutionStrategy INTEGER,
1682 ipSecIkeRuleLimitNegotiation INTEGER,
1683 ipSecIkeRuleAutoStart TruthValue,
1684 ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId
1687 ipSecIkeRulePrid OBJECT-TYPE
1691 "An integer index that uniquely identifies an instance of this
1693 ::= { ipSecIkeRuleEntry 1 }
1695 ipSecIkeRuleIfName OBJECT-TYPE
1696 SYNTAX SnmpAdminString
1699 "The interface capability set to which this IKE rule applies. The
1700 interface capability name specified by this attribute must exist
1701 in the frwkIfCapSetTable [FR-PIB] prior to association with an
1702 instance of this class.
1704 This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
1705 ::= { ipSecIkeRuleEntry 2 }
1707 ipSecIkeRuleRoles OBJECT-TYPE
1708 SYNTAX RoleCombination
1711 "Specifies the role combination of the interface to which this IKE
1712 rule should apply. There must exist an instance in the
1713 frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
1714 combination, together with the interface capability set specified
1715 by ipSecIkeRuleIfName, prior to association with an instance of
1718 This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
1719 ::= { ipSecIkeRuleEntry 3 }
1721 ipSecIkeRuleIkeActionSetId OBJECT-TYPE
1722 SYNTAX TagReferenceId
1723 PIB-TAG { ipSecIkeActionSetActionSetId }
1726 "Identifies a set of IKE actions to be associated with this rule."
1727 ::= { ipSecIkeRuleEntry 4 }
-- NOTE(review): the description below names ipSecRuleIpSecActionSetId and
-- ipSecActionSetOrder, but the attributes defined for IKE in this module
-- are ipSecIkeRuleIkeActionSetId (this table) and ipSecIkeActionSetOrder
-- (ipSecIkeActionSetTable). This looks like text carried over from the
-- IPsec rule class; confirm which attribute is meant. Reading the wrong
-- action set would change which IKE actions are tried and in what order.
1729 ipSecIkeRuleActionExecutionStrategy OBJECT-TYPE
1736 "Specifies the strategy to be used in executing the sequenced
1737 actions in the action set identified by ipSecRuleIpSecActionSetId.
1739 DoAll (1) causes the execution of all the actions in the action
1740 set according to their defined precedence order. The precedence
1741 order is specified by the ipSecActionSetOrder in
1742 ipSecIkeActionSetTable.
1744 DoUntilSuccess (2) causes the execution of actions according to
1745 their defined precedence order until a successful execution of a
1746 single action. The precedence order is specified by the
1747 ipSecActionSetOrder in ipSecIkeActionSetTable."
1748 ::= { ipSecIkeRuleEntry 5 }
1750 ipSecIkeRuleLimitNegotiation OBJECT-TYPE
1758 "Limits the negotiation method. Before proceeding with a phase 1
1759 negotiation, this property is checked to determine if the
1760 negotiation role of the rule matches that defined for the
1761 negotiation being undertaken (e.g., Initiator, Responder, or
1762 Both). If this check fails (e.g. the current role is IKE responder
1763 while the rule specifies IKE initiator), then the IKE negotiation
1764 is stopped. Note that this only applies to new IKE phase 1
1765 negotiations and has no effect on either renegotiation or refresh
1766 operations with peers for which an established SA already exists."
1767 ::= { ipSecIkeRuleEntry 6 }
1769 ipSecIkeRuleAutoStart OBJECT-TYPE
1773 "Indicates if this rule should be automatically executed."
1774 ::= { ipSecIkeRuleEntry 7 }
1776 ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
1777 SYNTAX TagReferenceId
1778 PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
1781 "Identifies a rule time period set, specified in
1782 ipSecRuleTimePeriodSetTable, that is associated with this rule.
1784 A value of zero indicates that this rule is always valid."
1785 ::= { ipSecIkeRuleEntry 8 }
1790 -- The ipSecIkeActionSetTable
1793 ipSecIkeActionSetTable OBJECT-TYPE
1794 SYNTAX SEQUENCE OF IpSecIkeActionSetEntry
1798 "Specifies IKE action sets."
1799 ::= { ipSecIkeAssociation 2 }
1801 ipSecIkeActionSetEntry OBJECT-TYPE
1802 SYNTAX IpSecIkeActionSetEntry
1805 "Specifies an instance of this class"
1806 PIB-INDEX { ipSecIkeActionSetPrid }
1808 ipSecIkeActionSetActionSetId,
1809 ipSecIkeActionSetActionId,
1810 ipSecIkeActionSetOrder
1812 ::= { ipSecIkeActionSetTable 1 }
1814 IpSecIkeActionSetEntry ::= SEQUENCE {
1815 ipSecIkeActionSetPrid InstanceId,
1816 ipSecIkeActionSetActionSetId TagId,
1817 ipSecIkeActionSetActionId Prid,
1818 ipSecIkeActionSetOrder Unsigned16
1821 ipSecIkeActionSetPrid OBJECT-TYPE
1825 "An integer index that uniquely identifies an instance of this
1827 ::= { ipSecIkeActionSetEntry 1 }
1829 ipSecIkeActionSetActionSetId OBJECT-TYPE
1833 "An IKE action set is composed of one or more IKE actions. Each
1834 action belonging to the same set has the same ActionSetId."
1835 ::= { ipSecIkeActionSetEntry 2 }
1837 ipSecIkeActionSetActionId OBJECT-TYPE
1841 "A pointer to a valid instance in the ipSecIkeAssociationTable."
1842 ::= { ipSecIkeActionSetEntry 3 }
1844 ipSecIkeActionSetOrder OBJECT-TYPE
1848 "Specifies the precedence order of the action within the action
1849 set. An action with a smaller precedence order is to be tried
1850 before one with a larger precedence order. "
1851 ::= { ipSecIkeActionSetEntry 4 }
1856 -- The ipSecIkeAssociationTable
1859 ipSecIkeAssociationTable OBJECT-TYPE
1860 SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
1864 "Specifies IKE associations."
1865 ::= { ipSecIkeAssociation 3 }
1867 ipSecIkeAssociationEntry OBJECT-TYPE
1868 SYNTAX IpSecIkeAssociationEntry
1871 "Specifies an instance of this class"
1872 PIB-INDEX { ipSecIkeAssociationPrid }
1874 ipSecIkeAssociationMinLiftetimeSeconds,
1875 ipSecIkeAssociationMinLifetimeKilobytes,
1876 ipSecIkeAssociationIdleDurationSeconds,
1877 ipSecIkeAssociationExchangeMode,
1878 ipSecIkeAssociationUseIkeIdentityType,
1879 ipSecIkeAssociationUseIkeIdentityValue,
1880 ipSecIkeAssociationIkePeerEndpoint,
1881 ipSecIkeAssociationPresharedKey,
1882 ipSecIkeAssociationVendorId,
1883 ipSecIkeAssociationAggressiveModeGroupId,
1884 ipSecIkeAssociationLocalCredentialId,
1885 ipSecIkeAssociationDoActionLogging,
1886 ipSecIkeAssociationIkeProposalSetId
1888 ::= { ipSecIkeAssociationTable 1 }
1890 IpSecIkeAssociationEntry ::= SEQUENCE {
1891 ipSecIkeAssociationPrid InstanceId,
1892 ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
1893 ipSecIkeAssociationMinLifetimeKilobytes Unsigned32,
1894 ipSecIkeAssociationIdleDurationSeconds Unsigned32,
1895 ipSecIkeAssociationExchangeMode INTEGER,
1896 ipSecIkeAssociationUseIkeIdentityType INTEGER,
1897 ipSecIkeAssociationUseIkeIdentityValue OCTET STRING,
1898 ipSecIkeAssociationIkePeerEndpoint ReferenceId,
1899 ipSecIkeAssociationPresharedKey OCTET STRING,
1900 ipSecIkeAssociationVendorId OCTET STRING,
1901 ipSecIkeAssociationAggressiveModeGroupId Unsigned16,
1902 ipSecIkeAssociationLocalCredentialId TagReferenceId,
1903 ipSecIkeAssociationDoActionLogging TruthValue,
1904 ipSecIkeAssociationIkeProposalSetId TagReferenceId
1907 ipSecIkeAssociationPrid OBJECT-TYPE
1911 "An integer index that uniquely identifies an instance of this
1913 ::= { ipSecIkeAssociationEntry 1 }
-- NOTE(review): the descriptor is spelled "MinLiftetimeSeconds" here, in
-- the entry's attribute list, and in the SEQUENCE, so the spelling is at
-- least self-consistent; correcting it would rename the object and must be
-- done in all three places together.
-- A value of zero accepts any lifetime a peer proposes. A peer that
-- proposes very short lifetimes then forces frequent renegotiation, so a
-- non-zero floor is the safer setting where the peer is not fully trusted.
1915 ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
1919 "Specifies the minimum SA seconds lifetime that will be accepted
1920 from a peer while negotiating an SA based upon this action.
1922 A value of zero indicates that there is no minimum lifetime
1924 ::= { ipSecIkeAssociationEntry 2 }
1926 ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
1930 "Specifies the minimum kilobyte lifetime that will be accepted
1931 from a negotiating peer while negotiating an SA based upon this
1934 A value of zero indicates that there is no minimum lifetime
1936 ::= { ipSecIkeAssociationEntry 3 }
1938 ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE
1942 "Specifies how long, in seconds, a security association may remain
1943 unused before it is deleted.
1945 A value of zero indicates that idle detection should not be used
1946 for the security association (only the seconds and kilobyte
1947 lifetimes will be used)."
1948 ::= { ipSecIkeAssociationEntry 4 }
1950 ipSecIkeAssociationExchangeMode OBJECT-TYPE
1958 "Specifies the negotiation mode that the IKE server will use for
1960 ::= { ipSecIkeAssociationEntry 5 }
1962 ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE
1970 ipV4-Address-Range(7),
1971 ipV6-Address-Range(8),
1978 "Specifies the type of IKE identity to use during IKE phase one
1980 ::= { ipSecIkeAssociationEntry 6 }
1982 ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE
1986 "Specifies the ID payload value to be provided to the peer during
1987 IKE phase one negotiation."
1988 ::= { ipSecIkeAssociationEntry 7 }
1990 ipSecIkeAssociationIkePeerEndpoint OBJECT-TYPE
1992 PIB-REFERENCES {ipSecIkePeerEndpointEntry }
1995 "Pointer to a valid instance in the ipSecIkePeerEndpointTable to
1996 indicate an IKE peer endpoint."
1997 ::= { ipSecIkeAssociationEntry 8 }
-- NOTE(review): this attribute is a long-term authentication secret
-- delivered as policy. It needs the same handling as any credential:
-- a confidentiality- and integrity-protected policy channel, restricted
-- read access on PDP and PEP, and exclusion from logs and exports.
-- The key is shared by every proposal of the association that selects
-- preshared-key authentication, so one disclosure affects all of them.
-- With IKEv1 aggressive mode (see ipSecIkeAssociationExchangeMode), a
-- value derived from the preshared key is sent before the exchange is
-- encrypted, which makes low-entropy keys guessable offline; use
-- high-entropy keys, or prefer main mode or certificate authentication.
1999 ipSecIkeAssociationPresharedKey OBJECT-TYPE
2003 "This attribute specifies the preshared key or secret to use for
2004 IKE authentication. This is the key for all the IKE proposals of
2005 this association that set ipSecIkeProposalAuthenticationMethod to
2007 ::= { ipSecIkeAssociationEntry 9 }
2009 ipSecIkeAssociationVendorId OBJECT-TYPE
2013 "Specifies the value to be used in the Vendor ID payload.
2015 A value of NULL means that Vendor ID payload will be neither
2016 generated nor accepted. A non-NULL value means that a Vendor ID
2017 payload will be generated (when acting as an initiator) or is
2018 expected (when acting as a responder). "
2019 ::= { ipSecIkeAssociationEntry 10 }
2021 ipSecIkeAssociationAggressiveModeGroupId OBJECT-TYPE
2025 "Specifies the group ID to be used for aggressive mode. This
2026 attribute is ignored unless the attribute
2027 ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). If
2028 the value of this attribute is from the vendor-specific range
2029 (32768-65535), this attribute qualifies the group number."
2030 ::= { ipSecIkeAssociationEntry 11 }
2032 ipSecIkeAssociationLocalCredentialId OBJECT-TYPE
2033 SYNTAX TagReferenceId
2034 PIB-TAG { ipSecCredentialSetSetId }
2037 "Indicates a group of credentials. One of the credentials in the
2038 group MUST be used when establishing an IKE association with the
2040 ::= { ipSecIkeAssociationEntry 12 }
2042 ipSecIkeAssociationDoActionLogging OBJECT-TYPE
2046 "Specifies whether a log message is to be generated when the
2047 negotiation is attempted (with the success or failure result)."
2048 ::= { ipSecIkeAssociationEntry 13 }
2050 ipSecIkeAssociationIkeProposalSetId OBJECT-TYPE
2051 SYNTAX TagReferenceId
2052 PIB-TAG { ipSecIkeProposalSetProposalSetId }
2055 "Identifies a set of IKE proposals that is associated with this
2057 ::= { ipSecIkeAssociationEntry 14 }
2062 -- The ipSecIkeProposalSetTable
2065 ipSecIkeProposalSetTable OBJECT-TYPE
2066 SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
2070 "Specifies IKE proposal sets. Proposals within a set are ORed with
2072 ::= { ipSecIkeAssociation 4 }
2074 ipSecIkeProposalSetEntry OBJECT-TYPE
2075 SYNTAX IpSecIkeProposalSetEntry
2078 "Specifies an instance of this class"
2079 PIB-INDEX { ipSecIkeProposalSetPrid }
2081 ipSecIkeProposalSetProposalSetId,
2082 ipSecIkeProposalSetProposalId,
2083 ipSecIkeProposalSetOrder
2085 ::= { ipSecIkeProposalSetTable 1 }
2087 IpSecIkeProposalSetEntry ::= SEQUENCE {
2088 ipSecIkeProposalSetPrid InstanceId,
2089 ipSecIkeProposalSetProposalSetId TagId,
2090 ipSecIkeProposalSetProposalId ReferenceId,
2091 ipSecIkeProposalSetOrder Unsigned16
2094 ipSecIkeProposalSetPrid OBJECT-TYPE
2098 "An integer index that uniquely identifies an instance of this
2100 ::= { ipSecIkeProposalSetEntry 1 }
2102 ipSecIkeProposalSetProposalSetId OBJECT-TYPE
2106 "An IKE proposal set is composed of one or more IKE proposals.
2107 Each proposal belonging to the same set has the same
2109 ::= { ipSecIkeProposalSetEntry 2 }
2111 ipSecIkeProposalSetProposalId OBJECT-TYPE
2113 PIB-REFERENCES {ipSecIkeProposalEntry }
2116 "A pointer to a valid instance in the ipSecIkeProposalTable."
2117 ::= { ipSecIkeProposalSetEntry 3 }
2119 ipSecIkeProposalSetOrder OBJECT-TYPE
2123 "An integer that specifies the precedence order of the proposal
2124 identified by ipSecIkeProposalSetProposalId in a proposal set. The
2125 proposal set is identified by ipSecIkeProposalSetProposalSetId.
2126 Proposals within a set are ORed with preference order. A smaller
2127 integer value indicates a higher preference."
2128 ::= { ipSecIkeProposalSetEntry 4 }
2133 -- The ipSecIkeProposalTable
2136 ipSecIkeProposalTable OBJECT-TYPE
2137 SYNTAX SEQUENCE OF IpSecIkeProposalEntry
2141 "Specifies IKE proposals."
2142 ::= { ipSecIkeAssociation 5 }
2144 ipSecIkeProposalEntry OBJECT-TYPE
2145 SYNTAX IpSecIkeProposalEntry
2148 "Specifies an instance of this class"
2149 PIB-INDEX { ipSecIkeProposalPrid }
2151 ipSecIkeProposalMaxLifetimeSeconds,
2152 ipSecIkeProposalMaxLifetimeKilobytes,
2153 ipSecIkeProposalCipherAlgorithm,
2154 ipSecIkeProposalHashAlgorithm,
2155 ipSecIkeProposalAuthenticationMethod,
2156 ipSecIkeProposalPrfAlgorithm,
2157 ipSecIkeProposalIkeDhGroup,
2158 ipSecIkeProposalVendorId
2160 ::= { ipSecIkeProposalTable 1 }
2162 IpSecIkeProposalEntry ::= SEQUENCE {
2163 ipSecIkeProposalPrid InstanceId,
2164 ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
2165 ipSecIkeProposalMaxLifetimeKilobytes Unsigned32,
2166 ipSecIkeProposalCipherAlgorithm INTEGER,
2167 ipSecIkeProposalHashAlgorithm INTEGER,
2168 ipSecIkeProposalAuthenticationMethod INTEGER,
2169 ipSecIkeProposalPrfAlgorithm Unsigned16,
2170 ipSecIkeProposalIkeDhGroup Unsigned16,
2171 ipSecIkeProposalVendorId OCTET STRING
2174 ipSecIkeProposalPrid OBJECT-TYPE
2178 "An integer index that uniquely identifies an instance of this
2180 ::= { ipSecIkeProposalEntry 1 }
2182 ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
2186 "Specifies the maximum amount of time to propose for a security
2187 association to remain valid.
2189 A value of zero indicates that the default of 8 hours be used. A
2190 non-zero value indicates the maximum seconds lifetime."
2191 ::= { ipSecIkeProposalEntry 2 }
2193 ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
2197 "Specifies the maximum kilobyte lifetime to propose for a security
2198 association to remain valid.
2200 A value of zero indicates that there should be no maximum kilobyte
2201 lifetime. A non-zero value specifies the desired kilobyte
2203 ::= { ipSecIkeProposalEntry 3 }
2205 ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
2216 "Specifies the encryption algorithm to propose for the IKE
2218 ::= { ipSecIkeProposalEntry 4 }
2220 ipSecIkeProposalHashAlgorithm OBJECT-TYPE
2228 "Specifies the hash algorithm to propose for the IKE association."
2229 ::= { ipSecIkeProposalEntry 5 }
2231 ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
2237 revisedRsaEncryption(5),
2242 "Specifies the authentication method to propose for the IKE
2244 ::= { ipSecIkeProposalEntry 6 }
2246 ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
2250 "Specifies the Pseudo-Random Function (PRF) to propose for the IKE
2252 ::= { ipSecIkeProposalEntry 7 }
2254 ipSecIkeProposalIkeDhGroup OBJECT-TYPE
2258 "Specifies the Diffie-Hellman group to propose for the IKE
2259 association. The value of this property is to be ignored when
2260 doing aggressive mode."
2261 ::= { ipSecIkeProposalEntry 8 }
2263 ipSecIkeProposalVendorId OBJECT-TYPE
2267 "Further qualifies the key exchange group. The property is
2268 ignored unless the exchange is not in aggressive mode and the
2269 property GroupID is in the vendor-specific range."
2270 ::= { ipSecIkeProposalEntry 9 }
2275 -- The ipSecIkePeerEndpointTable
2278 ipSecIkePeerEndpointTable OBJECT-TYPE
2279 SYNTAX SEQUENCE OF IpSecIkePeerEndpointEntry
2283 "Specifies IKE peer endpoints."
2284 ::= { ipSecIkeAssociation 6 }
2286 ipSecIkePeerEndpointEntry OBJECT-TYPE
2287 SYNTAX IpSecIkePeerEndpointEntry
2290 "Specifies an instance of this class"
2291 PIB-INDEX { ipSecIkePeerEndpointPrid }
2293 ipSecIkePeerEndpointIdentityType,
2294 ipSecIkePeerEndpointIdentityValue,
2295 ipSecIkePeerEndpointAddressType,
2296 ipSecIkePeerEndpointAddress,
2297 ipSecIkePeerEndpointCredentialSetId
2299 ::= { ipSecIkePeerEndpointTable 1 }
2301 IpSecIkePeerEndpointEntry ::= SEQUENCE {
2302 ipSecIkePeerEndpointPrid InstanceId,
2303 ipSecIkePeerEndpointIdentityType INTEGER,
2304 ipSecIkePeerEndpointIdentityValue OCTET STRING,
2305 ipSecIkePeerEndpointAddressType INTEGER,
2306 ipSecIkePeerEndpointAddress OCTET STRING,
2307 ipSecIkePeerEndpointCredentialSetId TagReferenceId
2310 ipSecIkePeerEndpointPrid OBJECT-TYPE
2314 "An integer index that uniquely identifies an instance of this
2316 ::= { ipSecIkePeerEndpointEntry 1 }
2318 ipSecIkePeerEndpointIdentityType OBJECT-TYPE
2326 ipV4-Address-Range(7),
2327 ipV6-Address-Range(8),
2334 "Specifies the type of identity that MUST be provided by the peer
2335 in the ID payload during IKE phase one negotiation."
2336 ::= { ipSecIkePeerEndpointEntry 2 }
-- NOTE(review): points an implementer should settle before relying on
-- this match for access decisions:
--  * '*' is defined below as replacing zero or more of ANY character, so
--    a wildcard can span separators such as '.', '@' and ','. Patterns
--    therefore match more identities than a per-label or per-RDN reading
--    would suggest; keep patterns as specific as possible.
--  * The examples match lower-case patterns against upper-case payloads
--    and a DN pattern without spaces against a payload with spaces, which
--    implies case and whitespace normalisation that the text does not
--    spell out. Comparing parsed components (DN RDNs, address prefixes)
--    is safer than comparing raw strings.
--  * The ID payload is a claim made by the peer. A match here selects
--    policy; the peer still has to be authenticated by the credentials
--    referenced through ipSecIkePeerEndpointCredentialSetId.
--  * "Different Wildcards wildcard mechanisms" in the description is
--    presumably meant to read "Different wildcard mechanisms".
2338 ipSecIkePeerEndpointIdentityValue OBJECT-TYPE
2342 "Specifies the value to be matched with the ID payload provided by
2343 the peer during IKE phase one negotiation.
2345 Different Wildcards wildcard mechanisms can be used as well as the
2346 prefix notation for IPv4 addresses depending on the ID payload:
2348 - an IdentityValue of '*@company.com' will match an user FQDN ID
2349 payload of 'JDOE@COMPANY.COM'
2351 - an IdentityValue of '*.company.com' will match a FQDN ID payload
2352 of 'WWW.COMPANY.COM'
2354 - an IdentityValue of 'cn=*,ou=engineering,o=company,c=us' will
2355 match a DER DN ID payload of 'cn=John Doe, ou=engineering,
2358 - an IdentityValue of '193.190.125.0/24' will match an IPv4
2359 address ID payload of 193.190.125.10.
2361 - an IdentityValue of '193.190.125.*' will also match an IPv4
2362 address ID payload of 193.190.125.10.
2364 The above wildcard mechanisms MUST be supported for all ID
2365 payloads supported by the local IKE entity. The character '*'
2366 replaces 0 or multiple instances of any character."
2367 ::= { ipSecIkePeerEndpointEntry 3 }
2369 ipSecIkePeerEndpointAddressType OBJECT-TYPE
2376 "Specifies IKE peer endpoint address type. This attribute MUST be
2377 ignored if ipSecIkeRuleAutoStart is false."
2378 ::= { ipSecIkePeerEndpointEntry 4 }
2380 ipSecIkePeerEndpointAddress OBJECT-TYPE
2384 "Specifies an endpoint address with which this PEP establishes IKE
2385 association. This attribute is used only when the IKE association
2386 is to be started automatically. Hence, this attribute MUST be
2387 ignored if ipSecIkeRuleAutoStart is false."
2388 ::= { ipSecIkePeerEndpointEntry 5 }
2390 ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE
2391 SYNTAX TagReferenceId
2392 PIB-TAG { ipSecCredentialSetSetId }
2395 "Identifies a set of credentials. Any one of the credentials in
2396 the set is acceptable as the IKE peer credential."
2397 ::= { ipSecIkePeerEndpointEntry 6 }
2402 -- The ipSecCredentialSetTable
2405 ipSecCredentialSetTable OBJECT-TYPE
2406 SYNTAX SEQUENCE OF IpSecCredentialSetEntry
2410 "Specifies credential sets.
2412 For IKE peer credentials, any one of the credentials in the set is
2413 acceptable as peer credential during IKE phase 1 negotiation. For
2414 IKE local credentials, any one of the credentials in the set can
2415 be used in IKE phase 1 negotiation."
2416 ::= { ipSecCredential 1 }
2418 ipSecCredentialSetEntry OBJECT-TYPE
2419 SYNTAX IpSecCredentialSetEntry
2422 "Specifies an instance of this class"
2423 PIB-INDEX { ipSecCredentialSetPrid }
2425 ipSecCredentialSetPrid,
2426 ipSecCredentialSetSetId,
2427 ipSecCredentialSetCredentialId
2429 ::= { ipSecCredentialSetTable 1 }
2431 IpSecCredentialSetEntry ::= SEQUENCE {
2432 ipSecCredentialSetPrid InstanceId,
2433 ipSecCredentialSetSetId TagId,
2434 ipSecCredentialSetCredentialId ReferenceId
2437 ipSecCredentialSetPrid OBJECT-TYPE
2441 "An integer index that uniquely identifies an instance of this
2443 ::= { ipSecCredentialSetEntry 1 }
2445 ipSecCredentialSetSetId OBJECT-TYPE
2449 "A credential set is composed of one or more credentials. Each
2450 credential belonging to the same set has the same
2452 ::= { ipSecCredentialSetEntry 2 }
2454 ipSecCredentialSetCredentialId OBJECT-TYPE
2456 PIB-REFERENCES {ipSecCredentialEntry }
2459 "A pointer to a valid instance in the ipSecCredentialTable."
2460 ::= { ipSecCredentialSetEntry 3 }
2465 -- The ipSecCredentialTable
2468 ipSecCredentialTable OBJECT-TYPE
2469 SYNTAX SEQUENCE OF IpSecCredentialEntry
2473 "Specifies credentials."
2474 ::= { ipSecCredential 2 }
2476 ipSecCredentialEntry OBJECT-TYPE
2477 SYNTAX IpSecCredentialEntry
2480 "Specifies an instance of this class"
2481 PIB-INDEX { ipSecCredentialPrid }
2483 ipSecCredentialCredentialType,
2484 ipSecCredentialFieldsId,
2485 ipSecCredentialCrlDistributionPoint
2487 ::= { ipSecCredentialTable 1 }
2489 IpSecCredentialEntry ::= SEQUENCE {
2490 ipSecCredentialPrid InstanceId,
2491 ipSecCredentialCredentialType INTEGER,
2492 ipSecCredentialFieldsId TagReferenceId,
2493 ipSecCredentialCrlDistributionPoint OCTET STRING
2496 ipSecCredentialPrid OBJECT-TYPE
2500 "An integer index that uniquely identifies an instance of this
2502 ::= { ipSecCredentialEntry 1 }
2504 ipSecCredentialCredentialType OBJECT-TYPE
2511 "Specifies the type of credential to be matched."
2512 ::= { ipSecCredentialEntry 2 }
2514 ipSecCredentialFieldsId OBJECT-TYPE
2515 SYNTAX TagReferenceId
2516 PIB-TAG { ipSecCredentialFieldsSetId }
2519 "Identifies a group of matching criteria to be used for the peer
2520 credential. The identified criteria MUST all be satisfied."
2521 ::= { ipSecCredentialEntry 3 }
-- NOTE(review): the visible text names where the CRL is published but not
-- what a PEP does when the CRL cannot be retrieved, has expired, or fails
-- signature validation. Implementations should make that behaviour
-- explicit; rejecting the credential is the conservative choice, since
-- accepting it silently turns revocation into a best-effort control.
-- The value is declared as OCTET STRING in the SEQUENCE; its format (for
-- example a URI) is not stated here and should be validated on input.
2523 ipSecCredentialCrlDistributionPoint OBJECT-TYPE
2527 "When credential type is certificate X509, this attribute
2528 identifies the Certificate Revocation List (CRL) distribution
2529 point for this credential."
2530 ::= { ipSecCredentialEntry 4 }
2535 -- The ipSecCredentialFieldsTable
2538 ipSecCredentialFieldsTable OBJECT-TYPE
2539 SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry
2543 "Specifies sets of credential sub-fields and their values to be
2545 ::= { ipSecCredential 3 }
2547 ipSecCredentialFieldsEntry OBJECT-TYPE
2548 SYNTAX IpSecCredentialFieldsEntry
2551 "Specifies an instance of this class"
2552 PIB-INDEX { ipSecCredentialFieldsPrid }
2554 ipSecCredentialFieldsName,
2555 ipSecCredentialFieldsValue,
2556 ipSecCredentialFieldsSetId
2558 ::= { ipSecCredentialFieldsTable 1 }
2560 IpSecCredentialFieldsEntry ::= SEQUENCE {
2561 ipSecCredentialFieldsPrid InstanceId,
2562 ipSecCredentialFieldsName OCTET STRING,
2563 ipSecCredentialFieldsValue OCTET STRING,
2564 ipSecCredentialFieldsSetId TagId
2567 ipSecCredentialFieldsPrid OBJECT-TYPE
2571 "An integer index that uniquely identifies an instance of this
2573 ::= { ipSecCredentialFieldsEntry 1 }
2575 ipSecCredentialFieldsName OBJECT-TYPE
2579 "Specifies the sub-field of the credential to match with. This is
2580 the string representation of an X.509 certificate attribute, e.g.
2581 'serialNumber', 'issuerName', 'subjectName', etc."
2582 ::= { ipSecCredentialFieldsEntry 2 }
-- Match value for the sub-field named by ipSecCredentialFieldsName; '*' stands
-- for zero or more characters.
-- Review note: matching is described on the string form of the field. The
-- example pattern has no spaces after the commas while the matched subject
-- does, so some normalisation before comparison is implied but not specified
-- here. It is also not stated whether '*' may match across a ',' separator;
-- if it can, a pattern could accept names with additional components the
-- policy author did not intend. Implementations should compare normalised
-- names, define the separator behaviour, and keep patterns as narrow as the
-- policy allows.
2584 ipSecCredentialFieldsValue OBJECT-TYPE
2588 "Specifies the value to match with for the sub-field identified by
2589 ipSecCredentialFieldsName. A wildcard mechanism can be used in the
2590 Value string. E.g., if the Name is 'subjectName' then a Value of
2591 'cn=*,ou=engineering,o=foo,c=be' will match successfully a
2592 certificate whose subject attribute is 'cn=Jane Doe,
2593 ou=engineering, o=foo, c=be'. The wildcard character '*' can be
2594 used to represent 0 or several characters."
2595 ::= { ipSecCredentialFieldsEntry 3 }
2597 ipSecCredentialFieldsSetId OBJECT-TYPE
2601 "Specifies the set this criterion belongs to. All criteria within a
2602 set MUST be satisfied."
2603 ::= { ipSecCredentialFieldsEntry 4 }
2608 -- The ipSecSelectorSetTable
2611 ipSecSelectorSetTable OBJECT-TYPE
2612 SYNTAX SEQUENCE OF IpSecSelectorSetEntry
2616 "Specifies IPsec selector sets."
2617 ::= { ipSecSelector 1 }
2619 ipSecSelectorSetEntry OBJECT-TYPE
2620 SYNTAX IpSecSelectorSetEntry
2623 "Specifies an instance of this class"
2624 PIB-INDEX { ipSecSelectorSetPrid }
2626 ipSecSelectorSetSelectorSetId,
2627 ipSecSelectorSetSelectorId,
2628 ipSecSelectorSetOrder
2630 ::= { ipSecSelectorSetTable 1 }
2632 IpSecSelectorSetEntry ::= SEQUENCE {
2633 ipSecSelectorSetPrid InstanceId,
2634 ipSecSelectorSetSelectorSetId TagId,
2635 ipSecSelectorSetSelectorId Prid,
2636 ipSecSelectorSetOrder Unsigned16
2639 ipSecSelectorSetPrid OBJECT-TYPE
2643 "An integer index that uniquely identifies an instance of this
2645 ::= { ipSecSelectorSetEntry 1 }
2647 ipSecSelectorSetSelectorSetId OBJECT-TYPE
2651 "An IPsec selector set is composed of one or more IPsec selectors.
2652 Each selector belonging to the same set has the same
2654 ::= { ipSecSelectorSetEntry 2 }
2656 ipSecSelectorSetSelectorId OBJECT-TYPE
2660 "A pointer to a valid instance in another table that describes
2661 selectors. To use selectors defined in this IPsec PIB module, this
2662 attribute MUST point to an instance in ipSecSelectorTable. This
2663 attribute may also point to an instance in a selector or filter
2664 table defined in other PIB modules."
2665 ::= { ipSecSelectorSetEntry 3 }
2667 ipSecSelectorSetOrder OBJECT-TYPE
2671 "An integer that specifies the precedence order of the selectors
2672 identified by ipSecSelectorSetSelectorId within a selector set. The
2673 selector set is identified by ipSecSelectorSetSelectorSetId. A smaller
2674 integer value indicates a higher preference. All selectors constructed
2675 from the instance pointed to by ipSecSelectorSetSelectorId have the same order."
2676 ::= { ipSecSelectorSetEntry 4 }
2681 -- The ipSecSelectorTable
2684 ipSecSelectorTable OBJECT-TYPE
2685 SYNTAX SEQUENCE OF IpSecSelectorEntry
2689 "Specifies IPsec selectors. Each row in the selector table
2690 represents multiple selectors. These selectors are obtained as
2693 1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
2694 addresses from the ipSecAddressTable whose ipSecAddressGroupId
2695 matches the ipSecSelectorSrcAddressGroupId.
2697 2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
2698 addresses from the ipSecAddressTable whose ipSecAddressGroupId
2699 matches the ipSecSelectorDstAddressGroupId.
2701 3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
2702 or ranges of ports whose ipSecL4PortGroupId matches the
2703 ipSecSelectorSrcPortGroupId.
2705 4. Substitute the ipSecSelectorDstPortGroupId with all the ports
2706 or ranges of ports whose ipSecL4PortGroupId matches the
2707 ipSecSelectorDstPortGroupId.
2709 5. Construct all the possible combinations of the above four
2710 fields. Then add to the combinations the ipSecSelectorProtocol,
2711 ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
2712 the list of selectors.
2714 The relative order of the selectors constructed from a single row
2716 ::= { ipSecSelector 2 }
2718 ipSecSelectorEntry OBJECT-TYPE
2719 SYNTAX IpSecSelectorEntry
2722 "Specifies an instance of this class"
2723 PIB-INDEX { ipSecSelectorPrid }
2725 ipSecSelectorSrcAddressGroupId,
2726 ipSecSelectorSrcPortGroupId,
2727 ipSecSelectorDstAddressGroupId,
2728 ipSecSelectorDstPortGroupId,
2729 ipSecSelectorProtocol,
2731 ipSecSelectorFlowLabel
2733 ::= { ipSecSelectorTable 1 }
2735 IpSecSelectorEntry ::= SEQUENCE {
2736 ipSecSelectorPrid InstanceId,
2737 ipSecSelectorSrcAddressGroupId TagReferenceId,
2738 ipSecSelectorSrcPortGroupId TagReferenceId,
2739 ipSecSelectorDstAddressGroupId TagReferenceId,
2740 ipSecSelectorDstPortGroupId TagReferenceId,
2741 ipSecSelectorProtocol INTEGER,
2742 ipSecSelectorDscp INTEGER,
2743 ipSecSelectorFlowLabel OCTET STRING
2746 ipSecSelectorPrid OBJECT-TYPE
2750 "An integer index that uniquely identifies an instance of this
2752 ::= { ipSecSelectorEntry 1 }
2754 ipSecSelectorSrcAddressGroupId OBJECT-TYPE
2755 SYNTAX TagReferenceId
2756 PIB-TAG { ipSecAddressGroupId }
2759 "Indicates source addresses. All addresses in ipSecAddressTable
2760 whose ipSecAddressGroupId matches this value are included as
2763 A value of zero indicates wildcard address, i.e., any address
2765 ::= { ipSecSelectorEntry 2 }
2767 ipSecSelectorSrcPortGroupId OBJECT-TYPE
2768 SYNTAX TagReferenceId
2769 PIB-TAG { ipSecL4PortGroupId }
2772 "Indicates source layer 4 port numbers. All ports in ipSecL4PortTable
2773 whose ipSecL4PortGroupId matches this value are included.
2776 A value of zero indicates wildcard port, i.e., any port number
2778 ::= { ipSecSelectorEntry 3 }
2780 ipSecSelectorDstAddressGroupId OBJECT-TYPE
2781 SYNTAX TagReferenceId
2782 PIB-TAG { ipSecAddressGroupId }
2785 "Indicates destination addresses. All addresses in
2786 ipSecAddressTable whose ipSecAddressGroupId matches this value are
2787 included as destination addresses.
2789 A value of zero indicates wildcard address, i.e., any address
2791 ::= { ipSecSelectorEntry 4 }
2793 ipSecSelectorDstPortGroupId OBJECT-TYPE
2794 SYNTAX TagReferenceId
2795 PIB-TAG { ipSecL4PortGroupId }
2798 "Indicates destination layer 4 port numbers. All ports in
2799 ipSecL4PortTable whose ipSecL4PortGroupId matches this value are
2802 A value of zero indicates wildcard port, i.e., any port number
2804 ::= { ipSecSelectorEntry 5 }
2806 ipSecSelectorProtocol OBJECT-TYPE
2807 SYNTAX INTEGER (0..255)
2810 "Specifies IP protocol to match against a packet's protocol. A
2811 value of zero indicates wildcard protocol, i.e., any protocol
2813 ::= { ipSecSelectorEntry 6 }
2815 ipSecSelectorDscp OBJECT-TYPE
2816 SYNTAX INTEGER (-1..63)
2819 "Specifies the DSCP value to match against the DSCP in a packet
2820 header. A value of -1 indicates match all."
2821 ::= { ipSecSelectorEntry 7 }
2823 ipSecSelectorFlowLabel OBJECT-TYPE
2829 "Specifies the Flow Label to match against the Flow Label field in
2830 the IPv6 header of a packet. This attribute MUST be a zero length
2831 OCTET STRING when specifying selectors for IPv4 packets."
2832 ::= { ipSecSelectorEntry 8 }
2837 -- The ipSecAddressTable
2840 ipSecAddressTable OBJECT-TYPE
2841 SYNTAX SEQUENCE OF IpSecAddressEntry
2845 "Specifies IP addresses. To specify a single IP address,
2846 ipSecAddressAddrMin MUST be specified. To specify a range of
2847 addresses, both ipSecAddressAddrMin and ipSecAddressAddrMax MUST
2848 be specified. To specify a subnet, both ipSecAddressAddrMin and
2849 ipSecAddressAddrMask MUST be specified. "
2850 ::= { ipSecSelector 3 }
2852 ipSecAddressEntry OBJECT-TYPE
2853 SYNTAX IpSecAddressEntry
2856 "Specifies an instance of this class"
2857 PIB-INDEX { ipSecAddressPrid }
2859 ipSecAddressAddressType,
2860 ipSecAddressAddrMask,
2861 ipSecAddressAddrMin,
2862 ipSecAddressAddrMax,
2865 ::= { ipSecAddressTable 1 }
2867 IpSecAddressEntry ::= SEQUENCE {
2868 ipSecAddressPrid InstanceId,
2869 ipSecAddressAddressType INTEGER,
2870 ipSecAddressAddrMask OCTET STRING,
2871 ipSecAddressAddrMin OCTET STRING,
2872 ipSecAddressAddrMax OCTET STRING,
2873 ipSecAddressGroupId TagId
2876 ipSecAddressPrid OBJECT-TYPE
2880 "An integer index that uniquely identifies an instance of this
2882 ::= { ipSecAddressEntry 1 }
2884 ipSecAddressAddressType OBJECT-TYPE
2892 ipV4-Address-Range(7),
2893 ipV6-Address-Range(8),
2900 "Specifies the address type. "
2901 ::= { ipSecAddressEntry 2 }
-- Mask applied when matching an IP address; per the description a zero bit
-- means the corresponding address bit always matches.
-- Review note: it follows that an all-zero mask matches every address, so a
-- row installed with a zeroed mask widens its address group to any address.
-- TODO confirm how a zero-length mask is treated; the visible text does not
-- say.
2903 ipSecAddressAddrMask OBJECT-TYPE
2907 "A mask for the matching of the IP address. A zero bit in the mask
2908 means that the corresponding bit in the address always matches.
2910 This attribute MUST be ignored when ipSecAddressAddressType is not
2911 of IPv4 or IPv6 type."
2912 ::= { ipSecAddressEntry 3 }
2914 ipSecAddressAddrMin OBJECT-TYPE
2918 "Specifies an IP address. "
2919 ::= { ipSecAddressEntry 4 }
2921 ipSecAddressAddrMax OBJECT-TYPE
2925 "If a range of addresses is used then this specifies the ending
2926 address. The type of this address must be the same as the
2927 ipSecAddressAddrMin.
2929 If no range is specified then this attribute MUST be a zero length
2931 ::= { ipSecAddressEntry 5 }
2933 ipSecAddressGroupId OBJECT-TYPE
2937 "Specifies the group this IP address, address range or subnet
2938 address belongs to."
2939 ::= { ipSecAddressEntry 6 }
2944 -- The ipSecL4PortTable
2947 ipSecL4PortTable OBJECT-TYPE
2948 SYNTAX SEQUENCE OF IpSecL4PortEntry
2952 "Specifies layer four port numbers."
2953 ::= { ipSecSelector 4 }
2955 ipSecL4PortEntry OBJECT-TYPE
2956 SYNTAX IpSecL4PortEntry
2959 "Specifies an instance of this class"
2960 PIB-INDEX { ipSecL4PortPrid }
2966 ::= { ipSecL4PortTable 1 }
2968 IpSecL4PortEntry ::= SEQUENCE {
2969 ipSecL4PortPrid InstanceId,
2970 ipSecL4PortPortMin Unsigned16,
2971 ipSecL4PortPortMax Unsigned16,
2972 ipSecL4PortGroupId TagId
2975 ipSecL4PortPrid OBJECT-TYPE
2979 "An integer index that uniquely identifies an instance of this
2981 ::= { ipSecL4PortEntry 1 }
2983 ipSecL4PortPortMin OBJECT-TYPE
2988 "Specifies a layer 4 port or the first layer 4 port number of a
2989 range of ports. The value of this attribute must be less than or
2990 equal to that of ipSecL4PortPortMax.
2992 A value of zero indicates any port matches."
2993 ::= { ipSecL4PortEntry 2 }
2995 ipSecL4PortPortMax OBJECT-TYPE
2999 "Specifies the last layer 4 port in the range. If only a single
3000 port is specified, the value of this attribute must be equal to
3001 that of ipSecL4PortPortMin. Otherwise, the value of this attribute
3002 MUST be greater than that specified by ipSecL4PortPortMin.
3004 If ipSecL4PortPortMin is zero, this attribute MUST be ignored."
3005 ::= { ipSecL4PortEntry 3 }
3007 ipSecL4PortGroupId OBJECT-TYPE
3011 "Specifies the group this port or port range belongs to."
3012 ::= { ipSecL4PortEntry 4 }
3017 -- The ipSecIpsoFilterSetTable
3020 ipSecIpsoFilterSetTable OBJECT-TYPE
3021 SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry
3025 "Specifies IPSO filter sets."
3026 ::= { ipSecSelector 5 }
3028 ipSecIpsoFilterSetEntry OBJECT-TYPE
3029 SYNTAX IpSecIpsoFilterSetEntry
3032 "Specifies an instance of this class"
3033 PIB-INDEX { ipSecIpsoFilterSetPrid }
3035 ipSecIpsoFilterSetFilterSetId,
3036 ipSecIpsoFilterSetFilterId,
3037 ipSecIpsoFilterSetOrder
3039 ::= { ipSecIpsoFilterSetTable 1 }
3041 IpSecIpsoFilterSetEntry ::= SEQUENCE {
3042 ipSecIpsoFilterSetPrid InstanceId,
3043 ipSecIpsoFilterSetFilterSetId TagId,
3044 ipSecIpsoFilterSetFilterId ReferenceId,
3045 ipSecIpsoFilterSetOrder Unsigned16
3048 ipSecIpsoFilterSetPrid OBJECT-TYPE
3052 "An integer index that uniquely identifies an instance of this
3054 ::= { ipSecIpsoFilterSetEntry 1 }
3056 ipSecIpsoFilterSetFilterSetId OBJECT-TYPE
3060 "An IPSO filter set is composed of one or more IPSO filters. Each
3061 filter belonging to the same set has the same FilterSetId."
3062 ::= { ipSecIpsoFilterSetEntry 2 }
3064 ipSecIpsoFilterSetFilterId OBJECT-TYPE
3066 PIB-REFERENCES {ipSecIpsoFilterEntry }
3069 "A pointer to a valid instance in the ipSecIpsoFilterTable."
3070 ::= { ipSecIpsoFilterSetEntry 3 }
3072 ipSecIpsoFilterSetOrder OBJECT-TYPE
3076 "An integer that specifies the precedence order of the filter
3077 identified by ipSecIpsoFilterSetFilterId within a filter set. The
3078 filter set is identified by ipSecIpsoFilterSetFilterSetId. A
3079 smaller integer value indicates a higher preference."
3080 ::= { ipSecIpsoFilterSetEntry 4 }
3085 -- The ipSecIpsoFilterTable
3088 ipSecIpsoFilterTable OBJECT-TYPE
3089 SYNTAX SEQUENCE OF IpSecIpsoFilterEntry
3093 "Specifies IPSO filters."
3094 ::= { ipSecSelector 6 }
3096 ipSecIpsoFilterEntry OBJECT-TYPE
3097 SYNTAX IpSecIpsoFilterEntry
3100 "Specifies an instance of this class"
3101 PIB-INDEX { ipSecIpsoFilterPrid }
3103 ipSecIpsoFilterMatchConditionType,
3104 ipSecIpsoFilterClassificationLevel,
3105 ipSecIpsoFilterProtectionAuthority
3107 ::= { ipSecIpsoFilterTable 1 }
3109 IpSecIpsoFilterEntry ::= SEQUENCE {
3110 ipSecIpsoFilterPrid InstanceId,
3111 ipSecIpsoFilterMatchConditionType INTEGER,
3112 ipSecIpsoFilterClassificationLevel INTEGER,
3113 ipSecIpsoFilterProtectionAuthority INTEGER
3116 ipSecIpsoFilterPrid OBJECT-TYPE
3120 "An integer index that uniquely identifies an instance of this
3122 ::= { ipSecIpsoFilterEntry 1 }
3124 ipSecIpsoFilterMatchConditionType OBJECT-TYPE
3126 classificationLevel(1),
3127 protectionAuthority(2)
3131 "Specifies the IPSO header field to be matched."
3132 ::= { ipSecIpsoFilterEntry 2 }
3134 ipSecIpsoFilterClassificationLevel OBJECT-TYPE
3143 "Specifies the value for classification level to be matched
3144 against. This attribute MUST be ignored if
3145 ipSecIpsoFilterMatchConditionType is not 1 (classificationLevel)."
3146 ::= { ipSecIpsoFilterEntry 3 }
3148 ipSecIpsoFilterProtectionAuthority OBJECT-TYPE
3158 "Specifies the value for protection authority to be matched
3159 against. This attribute MUST be ignored if
3160 ipSecIpsoFilterMatchConditionType is not 2 (protectionAuthority).
3162 ::= { ipSecIpsoFilterEntry 4 }
3167 -- The ipSecRuleTimePeriodTable
3170 ipSecRuleTimePeriodTable OBJECT-TYPE
3171 SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
3175 "Specifies the time periods during which a policy rule is valid.
3176 The values of the first five attributes in a row are ANDed
3177 together to determine the validity period(s). If any of the five
3178 attributes is not present, it is treated as having value always
3180 ::= { ipSecPolicyTimePeriod 1 }
3182 ipSecRuleTimePeriodEntry OBJECT-TYPE
3183 SYNTAX IpSecRuleTimePeriodEntry
3186 "Specifies an instance of this class"
3187 PIB-INDEX { ipSecRuleTimePeriodPrid }
3189 ipSecRuleTimePeriodTimePeriod,
3190 ipSecRuleTimePeriodMonthOfYearMask,
3191 ipSecRuleTimePeriodDayOfMonthMask,
3192 ipSecRuleTimePeriodDayOfWeekMask,
3193 ipSecRuleTimePeriodTimeOfDayMask,
3194 ipSecRuleTimePeriodLocalOrUtcTime
3196 ::= { ipSecRuleTimePeriodTable 1 }
3198 IpSecRuleTimePeriodEntry ::= SEQUENCE {
3199 ipSecRuleTimePeriodPrid InstanceId,
3200 ipSecRuleTimePeriodTimePeriod OCTET STRING,
3201 ipSecRuleTimePeriodMonthOfYearMask OCTET STRING,
3202 ipSecRuleTimePeriodDayOfMonthMask OCTET STRING,
3203 ipSecRuleTimePeriodDayOfWeekMask OCTET STRING,
3204 ipSecRuleTimePeriodTimeOfDayMask OCTET STRING,
3205 ipSecRuleTimePeriodLocalOrUtcTime INTEGER
3208 ipSecRuleTimePeriodPrid OBJECT-TYPE
3212 "An integer index to uniquely identify an instance of this class"
3213 ::= { ipSecRuleTimePeriodEntry 1 }
3215 ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
3219 "An octet string that identifies an overall range of calendar
3220 dates and times over which a policy rule is valid. It reuses the
3221 format for an explicit time period defined in RFC 2445: a string
3222 representing a starting date and time, in which the character 'T'
3223 indicates the beginning of the time portion, followed by the
3224 solidus character '/', followed by a similar string representing
3225 an end date and time. The first date indicates the beginning of
3226 the range, while the second date indicates the end. Thus, the
3227 second date and time must be later than the first. Date/times are
3228 expressed as substrings of the form yyyymmddThhmmss.
3230 There are also two special cases:
3232 - If the first date/time is replaced with the string
3233 THISANDPRIOR, then the property indicates that a policy rule is
3234 valid [from now] until the date/time that appears after the '/'.
3236 - If the second date/time is replaced with the string
3237 THISANDFUTURE, then the property indicates that a policy rule
3238 becomes valid on the date/time that appears before the '/', and
3239 remains valid from that point on.
3241 ::= { ipSecRuleTimePeriodEntry 2 }
3243 ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
3247 "An octet string that specifies which months the policy is valid
3248 for. The octet string is structured as follows:
3250 - a 4-octet length field, indicating the length of the entire
3251 octet string; this field is always set to 0x00000006 for this
3254 - a 2-octet field consisting of 12 bits identifying the 12 months
3255 of the year, beginning with January and ending with December,
3256 followed by 4 bits that are always set to '0'. For each month,
3257 the value '1' indicates that the policy is valid for that month,
3258 and the value '0' indicates that it is not valid.
3260 If this property is omitted, then the policy rule is treated as
3261 valid for all twelve months."
3262 ::= { ipSecRuleTimePeriodEntry 3 }
3264 ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
3268 "An octet string that specifies which days of the month the policy
3269 is valid for. The octet string is structured as follows:
3271 -a 4-octet length field, indicating the length of the entire octet
3272 string; this field is always set to 0x0000000C for this property;
3274 -an 8-octet field consisting of 31 bits identifying the days of
3275 the month counting from the beginning, followed by 31 more bits
3276 identifying the days of the month counting from the end, followed
3277 by 2 bits that are always set to '0'. For each day, the value '1'
3278 indicates that the policy is valid for that day, and the value '0'
3279 indicates that it is not valid.
3281 For months with fewer than 31 days, the digits corresponding to
3282 days that the months do not have (counting in both directions) are
3285 ::= { ipSecRuleTimePeriodEntry 4 }
3287 ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
3291 "An octet string that specifies which days of the week the policy
3292 is valid for. The octet string is structured as follows:
3294 - a 4-octet length field, indicating the length of the entire
3295 octet string; this field is always set to 0x00000005 for this
3298 - a 1-octet field consisting of 7 bits identifying the 7 days of
3299 the week, beginning with Sunday and ending with Saturday, followed
3300 by 1 bit that is always set to '0'. For each day of the week, the
3301 value '1' indicates that the policy is valid for that day, and the
3302 value '0' indicates that it is not valid.
3304 ::= { ipSecRuleTimePeriodEntry 5 }
3306 ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
3310 "An octet string that specifies a range of times in a day the
3311 policy is valid for. It is formatted as follows:
3313 A time string beginning with the character 'T', followed by the
3314 solidus character '/', followed by a second time string. The
3315 first time indicates the beginning of the range, while the second
3316 time indicates the end. Times are expressed as substrings of the
3319 The second substring always identifies a later time than the first
3320 substring. To allow for ranges that span midnight, however, the
3321 value of the second string may be smaller than the value of the
3322 first substring. Thus, T080000/T210000 identifies the range from
3323 0800 until 2100, while T210000/T080000 identifies the range from
3324 2100 until 0800 of the following day."
3325 ::= { ipSecRuleTimePeriodEntry 6 }
-- Selects whether every time value in this row is read as local time or as
-- UTC; the two cannot be mixed.
-- Review note: rule validity is then decided against a clock (presumably the
-- enforcing device's; the evaluation point is not stated here), so clock
-- drift, time-zone configuration and daylight-saving changes shift when a
-- rule is in force. UTC together with synchronised clocks removes most of
-- that ambiguity.
3327 ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
3334 "This property indicates whether the times represented in this
3335 table represent local times or UTC times. There is no provision
3336 for mixing of local times and UTC times: the value of this
3337 property applies to all of the other time-related properties."
3338 ::= { ipSecRuleTimePeriodEntry 7 }
3343 -- The ipSecRuleTimePeriodSetTable
3346 ipSecRuleTimePeriodSetTable OBJECT-TYPE
3347 SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
3351 "Specifies time period sets. The ipSecRuleTimePeriodTable can
3352 specify only a single time period within a day. This table enables
3353 the specification of multiple time periods within a day by
3354 grouping them into one set. "
3355 ::= { ipSecPolicyTimePeriod 2 }
3357 ipSecRuleTimePeriodSetEntry OBJECT-TYPE
3358 SYNTAX IpSecRuleTimePeriodSetEntry
3361 "Specifies an instance of this class"
3362 PIB-INDEX { ipSecRuleTimePeriodSetPrid }
3364 ipSecRuleTimePeriodSetRuleTimePeriodSetId,
3365 ipSecRuleTimePeriodSetRuleTimePeriodId
3367 ::= { ipSecRuleTimePeriodSetTable 1 }
3369 IpSecRuleTimePeriodSetEntry ::= SEQUENCE {
3370 ipSecRuleTimePeriodSetPrid InstanceId,
3371 ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId,
3372 ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId
3375 ipSecRuleTimePeriodSetPrid OBJECT-TYPE
3379 "An integer index to uniquely identify an instance of this class"
3380 ::= { ipSecRuleTimePeriodSetEntry 1 }
3382 ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
3386 "An integer that uniquely identifies an ipSecRuleTimePeriod set. "
3387 ::= { ipSecRuleTimePeriodSetEntry 2 }
3389 ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
3391 PIB-REFERENCES {ipSecRuleTimePeriodEntry }
3394 "An integer that identifies an ipSecRuleTimePeriod, specified by
3395 ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is
3396 included in this set."
3397 ::= { ipSecRuleTimePeriodSetEntry 3 }
3402 -- The ipSecIfCapsTable
3405 ipSecIfCapsTable OBJECT-TYPE
3406 SYNTAX SEQUENCE OF IpSecIfCapsEntry
3410 "Specifies capabilities that may be associated with an interface
3411 of a specific type. The instances of this table are referenced by
3412 the frwkIfCapSetCapability attribute of the frwkIfCapSetTable [FR-
3414 ::= { ipSecIfCapability 1 }
3416 ipSecIfCapsEntry OBJECT-TYPE
3417 SYNTAX IpSecIfCapsEntry
3420 "Specifies an instance of this class"
3421 PIB-INDEX { ipSecIfCapsPrid }
3423 ipSecIfCapsDirection,
3424 ipSecIfCapsMaxIpSecActions,
3425 ipSecIfCapsMaxIkeActions
3427 ::= { ipSecIfCapsTable 1 }
3429 IpSecIfCapsEntry ::= SEQUENCE {
3430 ipSecIfCapsPrid InstanceId,
3431 ipSecIfCapsDirection INTEGER,
3432 ipSecIfCapsMaxIpSecActions Unsigned16,
3433 ipSecIfCapsMaxIkeActions Unsigned16
3436 ipSecIfCapsPrid OBJECT-TYPE
3440 "An integer index that uniquely identifies an instance of this
3442 ::= { ipSecIfCapsEntry 1 }
3444 ipSecIfCapsDirection OBJECT-TYPE
3452 "Specifies the direction for which this capability applies."
3453 ::= { ipSecIfCapsEntry 2 }
3455 ipSecIfCapsMaxIpSecActions OBJECT-TYPE
3459 "Specifies the maximum number of actions an IPsec action set may
3460 contain. IPsec action sets are specified by the
3461 ipSecActionSetTable.
3463 A value of zero indicates that there is no maximum limit."
3464 ::= { ipSecIfCapsEntry 3 }
3466 ipSecIfCapsMaxIkeActions OBJECT-TYPE
3470 "Specifies the maximum number of actions an IKE action set may
3471 contain. IKE action sets are specified by the
3472 ipSecIkeActionSetTable.
3474 A value of zero indicates that there is no maximum limit."
3475 ::= { ipSecIfCapsEntry 4 }
3480 -- Conformance Section
3483 ipSecPolicyPibConformanceCompliances
3484 OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 }
3486 ipSecPolicyPibConformanceGroups
3487 OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }
3489 ipSecPibCompliance MODULE-COMPLIANCE
3492 " Compliance statement"
3493 MODULE -- this module
3496 ipSecActionSetGroup,
3497 ipSecStaticActionGroup,
3498 ipSecNegotiationActionGroup,
3499 ipSecAssociationGroup,
3500 ipSecProposalSetGroup,
3502 ipSecAhTransformSetGroup,
3503 ipSecAhTransformGroup,
3504 ipSecEspTransformSetGroup,
3505 ipSecEspTransformGroup,
3506 ipSecCompTransformSetGroup,
3507 ipSecCompTransformGroup,
3508 ipSecIkeAssociationGroup,
3509 ipSecIkeProposalSetGroup,
3510 ipSecIkeProposalGroup,
3511 ipSecIkePeerEndpointGroup,
3512 ipSecCredentialSetGroup,
3513 ipSecCredentialGroup,
3514 ipSecCredentialFieldsGroup,
3515 ipSecSelectorSetGroup,
3522 GROUP ipSecIkeRuleGroup
3524 "This group is mandatory if any of the following is supported: 1)
3525 multiple IKE phase one actions (e.g., with different exchange
3526 modes) are associated with an IPsec rule. These actions are to be
3527 tried in sequence until one succeeds; 2) IKE phase one actions that
3528 start automatically."
3530 GROUP ipSecIkeActionSetGroup
3532 "This group is mandatory if any of the following is supported: 1)
3533 multiple IKE phase one actions (e.g., with different exchange
3534 modes) are associated with an IPsec rule. These actions are to be
3535 tried in sequence until one succeeds; 2) IKE phase one actions that
3536 start automatically."
3538 GROUP ipSecIpsoFilterSetGroup
3540 "This group is mandatory if IPSO filter is supported."
3542 GROUP ipSecIpsoFilterGroup
3544 "This group is mandatory if IPSO filter is supported."
3546 GROUP ipSecRuleTimePeriodGroup
3548 "This group is mandatory if policy scheduling is supported."
3550 GROUP ipSecRuleTimePeriodSetGroup
3552 "This group is mandatory if policy scheduling is supported."
3554 OBJECT ipSecRuleipSecIpsoFilterSetId
3555 PIB-MIN-ACCESS not-accessible
3557 " Support of this attribute is optional"
3559 OBJECT ipSecRuleLimitNegotiation
3560 PIB-MIN-ACCESS not-accessible
3562 " Support of this attribute is optional"
3564 OBJECT ipSecRuleAutoStart
3565 PIB-MIN-ACCESS not-accessible
3567 " Support of this attribute is optional"
3569 OBJECT ipSecRuleIpSecRuleTimePeriodGroupId
3570 PIB-MIN-ACCESS not-accessible
3572 " Support of this attribute is optional"
3574 OBJECT ipSecActionSetDoActionLogging
3575 PIB-MIN-ACCESS not-accessible
3577 " Support of this attribute is optional"
3579 OBJECT ipSecActionSetDoPacketLogging
3580 PIB-MIN-ACCESS not-accessible
3582 " Support of this attribute is optional"
3584 OBJECT ipSecAssociationMinLifetimeSeconds
3585 PIB-MIN-ACCESS not-accessible
3587 " Support of this attribute is optional"
3589 OBJECT ipSecAssociationMinLifetimeKilobytes
3590 PIB-MIN-ACCESS not-accessible
3592 " Support of this attribute is optional"
3594 OBJECT ipSecAssociationIdleDurationSeconds
3595 PIB-MIN-ACCESS not-accessible
3597 " Support of this attribute is optional"
3599 OBJECT ipSecAssociationVendorId
3600 PIB-MIN-ACCESS not-accessible
3602 " Support of this attribute is optional"
3604 OBJECT ipSecAssociationUseKeyExchangeGroup
3605 PIB-MIN-ACCESS not-accessible
3607 " Support of this attribute is optional"
3609 OBJECT ipSecAssociationGranularity
3610 PIB-MIN-ACCESS not-accessible
3612 " Support of this attribute is optional"
3614 OBJECT ipSecAhTransformUseReplayPrevention
3615 PIB-MIN-ACCESS not-accessible
3617 " Support of this attribute is optional"
3619 OBJECT ipSecAhTransformReplayPreventionWindowSize
3620 PIB-MIN-ACCESS not-accessible
3622 " Support of this attribute is optional"
3624 OBJECT ipSecAhTransformVendorId
3625 PIB-MIN-ACCESS not-accessible
3627 " Support of this attribute is optional"
3629 OBJECT ipSecEspTransformCipherKeyRounds
3630 PIB-MIN-ACCESS not-accessible
3632 " Support of this attribute is optional"
3634 OBJECT ipSecEspTransformCipherKeyLength
3635 PIB-MIN-ACCESS not-accessible
3637 " Support of this attribute is optional"
-- Review note: this attribute presumably controls ESP anti-replay (its
-- definition is outside this part of the module; confirm). With
-- PIB-MIN-ACCESS not-accessible a compliant device need not support it, so a
-- policy server cannot rely on this PIB to turn replay prevention on or to
-- confirm that it is on. The same holds for
-- ipSecAhTransformUseReplayPrevention and the two
-- ...ReplayPreventionWindowSize objects in this compliance statement; check
-- the device's default behaviour.
3639 OBJECT ipSecEspTransformUseReplayPrevention
3640 PIB-MIN-ACCESS not-accessible
3642 " Support of this attribute is optional"
3644 OBJECT ipSecEspTransformReplayPreventionWindowSize
3645 PIB-MIN-ACCESS not-accessible
3647 " Support of this attribute is optional"
3649 OBJECT ipSecEspTransformVendorId
3650 PIB-MIN-ACCESS not-accessible
3652 " Support of this attribute is optional"
3654 OBJECT ipSecCompTransformDictionarySize
3655 PIB-MIN-ACCESS not-accessible
3657 " Support of this attribute is optional"
3659 OBJECT ipSecCompTransformPrivateAlgorithm
3660 PIB-MIN-ACCESS not-accessible
3662 " Support of this attribute is optional"
3664 OBJECT ipSecCompTransformVendorId
3665 PIB-MIN-ACCESS not-accessible
3667 " Support of this attribute is optional"
3669 OBJECT ipSecIkeAssociationMinLiftetimeSeconds
3670 PIB-MIN-ACCESS not-accessible
3672 " Support of this attribute is optional"
3674 OBJECT ipSecIkeAssociationMinLifetimeKilobytes
3675 PIB-MIN-ACCESS not-accessible
3677 " Support of this attribute is optional"
3679 OBJECT ipSecIkeAssociationIdleDurationSeconds
3680 PIB-MIN-ACCESS not-accessible
3682 " Support of this attribute is optional"
-- Review note: the name suggests this attribute carries IKE pre-shared key
-- material (its definition is outside this part of the module; confirm).
-- If so, the key travels inside policy data: the channel that provisions
-- this PIB, and any store or log of installed policy, need confidentiality
-- and access control.
3684 OBJECT ipSecIkeAssociationPresharedKey
3685 PIB-MIN-ACCESS not-accessible
3687 " Support of this attribute is optional"
3689 OBJECT ipSecIkeAssociationVendorId
3690 PIB-MIN-ACCESS not-accessible
3692 " Support of this attribute is optional"
3694 OBJECT ipSecIkeAssociationAggressiveModeGroupId
3695 PIB-MIN-ACCESS not-accessible
3697 " Support of this attribute is optional"
3699 OBJECT ipSecIkeAssociationLocalCredentialId
3700 PIB-MIN-ACCESS not-accessible
3702 " Support of this attribute is optional"
3704 OBJECT ipSecIkeAssociationDoActionLogging
3705 PIB-MIN-ACCESS not-accessible
3707 " Support of this attribute is optional"
3709 OBJECT ipSecIkeProposalPrfAlgorithm
3710 PIB-MIN-ACCESS not-accessible
3712 " Support of this attribute is optional"
3714 OBJECT ipSecIkeProposalVendorId
3715 PIB-MIN-ACCESS not-accessible
3717 " Support of this attribute is optional"
3719 OBJECT ipSecIkePeerEndpointAddressType
3720 PIB-MIN-ACCESS not-accessible
3722 " Support of this attribute is optional"
3724 OBJECT ipSecIkePeerEndpointAddress
3725 PIB-MIN-ACCESS not-accessible
3727 " Support of this attribute is optional"
3729 OBJECT ipSecIfCapsMaxIkeActions
3730 PIB-MIN-ACCESS not-accessible
3732 " Support of this attribute is optional"
3734 OBJECT ipSecRuleActionExecutionStrategy
3739 " Support of doUntilSuccess(2) is not required"
3741 OBJECT ipSecStaticActionAction
3745 preConfiguredTransport(4),
3746 preConfiguredTunnel(5)
3749 " Support of ikeRejection(3) is not required"
3751 ::= { ipSecPolicyPibConformanceCompliances 1 }
3753 ipSecRuleGroup OBJECT-GROUP
3758 ipSecRuleIpSecSelectorSetId,
3759 ipSecRuleipSecIpsoFilterSetId,
3760 ipSecRuleIpSecActionSetId,
3761 ipSecRuleActionExecutionStrategy,
3763 ipSecRuleLimitNegotiation,
3765 ipSecRuleIpSecRuleTimePeriodGroupId
3769 "Objects from the ipSecRuleTable."
3770 ::= { ipSecPolicyPibConformanceGroups 1 }
3772 ipSecActionSetGroup OBJECT-GROUP
3774 ipSecActionSetActionSetId,
3775 ipSecActionSetActionId,
3776 ipSecActionSetDoActionLogging,
3777 ipSecActionSetDoPacketLogging,
3782 "Objects from the ipSecActionSetTable."
3783 ::= { ipSecPolicyPibConformanceGroups 2 }
-- Conformance group 3: lists attributes of the ipSecStaticActionTable.
-- The compliance statement above the groups names preConfiguredTransport(4)
-- and preConfiguredTunnel(5) as values of ipSecStaticActionAction, so this
-- table also describes security associations that are provisioned rather
-- than negotiated; Spi and SaTransformId are members here.
-- NOTE(review): for a pre-configured SA the keys presumably come from the
-- referenced transform entry instead of IKE - confirm against the
-- AH/ESP transform tables. If so, nothing in this group shows a rekeying
-- mechanism; check how the two lifetime attributes are enforced.
3785 ipSecStaticActionGroup OBJECT-GROUP
3787 ipSecStaticActionAction,
3788 ipSecStaticActionTunnelEndpointId,
3789 ipSecStaticActionDfHandling,
3790 ipSecStaticActionSpi,
3791 ipSecStaticActionLifetimeSeconds,
3792 ipSecStaticActionLifetimeKilobytes,
3793 ipSecStaticActionSaTransformId
3797 "Objects from the ipSecStaticActionTable."
3798 ::= { ipSecPolicyPibConformanceGroups 3 }
3800 ipSecNegotiationActionGroup OBJECT-GROUP
3802 ipSecNegotiationActionAction,
3803 ipSecNegotiationActionTunnelEndpointId,
3804 ipSecNegotiationActionDfHandling,
3805 ipSecNegotiationActionIpSecSecurityAssociationId,
3806 ipSecNegotiationActionKeyExchangeId
3810 "Objects from the ipSecNegotiationActionTable."
3811 ::= { ipSecPolicyPibConformanceGroups 4 }
-- Conformance group 5: lists attributes of the ipSecAssociationTable.
-- NOTE(review): UsePfs, UseKeyExchangeGroup and DhGroup look like the
-- perfect-forward-secrecy controls for the negotiated SA - confirm in the
-- table definition. When reviewing provisioned policy, check that PFS is
-- not left disabled by default and that DhGroup does not fall back to a
-- group the deployment considers too weak.
3813 ipSecAssociationGroup OBJECT-GROUP
3815 ipSecAssociationMinLifetimeSeconds,
3816 ipSecAssociationMinLifetimeKilobytes,
3817 ipSecAssociationIdleDurationSeconds,
3818 ipSecAssociationUsePfs,
3819 ipSecAssociationVendorId,
3820 ipSecAssociationUseKeyExchangeGroup,
3821 ipSecAssociationDhGroup,
3822 ipSecAssociationGranularity,
3823 ipSecAssociationProposalSetId
3827 "Objects from the ipSecAssociationTable."
3828 ::= { ipSecPolicyPibConformanceGroups 5 }
3830 ipSecProposalSetGroup OBJECT-GROUP
3832 ipSecProposalSetProposalSetId,
3833 ipSecProposalSetProposalId,
3834 ipSecProposalSetOrder
3838 "Objects from the ipSecProposalSetTable."
3839 ::= { ipSecPolicyPibConformanceGroups 6 }
3841 ipSecProposalGroup OBJECT-GROUP
3843 ipSecProposalEspTransformSetId,
3844 ipSecProposalAhTransformSetId,
3845 ipSecProposalCompTransformSetId
3849 "Objects from the ipSecProposalTable."
3850 ::= { ipSecPolicyPibConformanceGroups 7 }
3852 ipSecAhTransformSetGroup OBJECT-GROUP
3854 ipSecAhTransformSetTransformSetId,
3855 ipSecAhTransformSetTransformId,
3856 ipSecAhTransformSetOrder
3860 "Objects from the ipSecAhTransformSetTable."
3861 ::= { ipSecPolicyPibConformanceGroups 8 }
-- Conformance group 9: lists attributes of the ipSecAhTransformTable.
-- NOTE(review): ipSecAhTransformIntegrityKey suggests that AH key material
-- is carried inside a policy instance - confirm in the attribute's
-- definition. If it is, the provisioning channel, the policy store on the
-- decision point and any dump or log of installed policy all hold a
-- secret and need confidentiality protection and access control.
-- NOTE(review): UseReplayPrevention and ReplayPreventionWindowSize appear
-- to make anti-replay a per-transform policy choice; verify that policy
-- disabling it is deliberate.
3863 ipSecAhTransformGroup OBJECT-GROUP
3865 ipSecAhTransformTransformId,
3866 ipSecAhTransformIntegrityKey,
3867 ipSecAhTransformUseReplayPrevention,
3868 ipSecAhTransformReplayPreventionWindowSize,
3869 ipSecAhTransformVendorId,
3870 ipSecAhTransformMaxLifetimeSeconds,
3871 ipSecAhTransformMaxLifetimeKilobytes
3875 "Objects from the ipSecAhTransformTable."
3876 ::= { ipSecPolicyPibConformanceGroups 9 }
3878 ipSecEspTransformSetGroup OBJECT-GROUP
3880 ipSecEspTransformSetTransformSetId,
3881 ipSecEspTransformSetTransformId,
3882 ipSecEspTransformSetOrder
3886 "Objects from the ipSecEspTransformSetTable."
3887 ::= { ipSecPolicyPibConformanceGroups 10 }
-- Conformance group 11: lists attributes of the ipSecEspTransformTable.
-- NOTE(review): ipSecEspTransformIntegrityKey and ipSecEspTransformCipherKey
-- suggest that ESP key material is carried inside a policy instance -
-- confirm in the attribute definitions. If it is, treat every copy of the
-- provisioned policy (in transit, at rest, in diagnostics output) as a
-- secret.
-- NOTE(review): integrity and cipher are selected by separate attributes
-- (IntegrityTransformId, CipherTransformId); check whether the definitions
-- allow encryption without integrity, and whether local policy should
-- reject that combination.
3889 ipSecEspTransformGroup OBJECT-GROUP
3891 ipSecEspTransformIntegrityTransformId,
3892 ipSecEspTransformCipherTransformId,
3893 ipSecEspTransformIntegrityKey,
3894 ipSecEspTransformCipherKey,
3895 ipSecEspTransformCipherKeyRounds,
3896 ipSecEspTransformCipherKeyLength,
3897 ipSecEspTransformUseReplayPrevention,
3898 ipSecEspTransformReplayPreventionWindowSize,
3899 ipSecEspTransformVendorId,
3900 ipSecEspTransformMaxLifetimeSeconds,
3901 ipSecEspTransformMaxLifetimeKilobytes
3905 "Objects from the ipSecEspTransformTable."
3906 ::= { ipSecPolicyPibConformanceGroups 11 }
3908 ipSecCompTransformSetGroup OBJECT-GROUP
3910 ipSecCompTransformSetTransformSetId,
3911 ipSecCompTransformSetTransformId,
3912 ipSecCompTransformSetOrder
3916 "Objects from the ipSecCompTransformSetTable."
3917 ::= { ipSecPolicyPibConformanceGroups 12 }
3919 ipSecCompTransformGroup OBJECT-GROUP
3921 ipSecCompTransformAlgorithm,
3922 ipSecCompTransformDictionarySize,
3923 ipSecCompTransformPrivateAlgorithm,
3924 ipSecCompTransformVendorId,
3925 ipSecCompTransformMaxLifetimeSeconds,
3926 ipSecCompTransformMaxLifetimeKilobytes
3930 "Objects from the ipSecCompTransformTable."
3931 ::= { ipSecPolicyPibConformanceGroups 13 }
3933 ipSecIkeRuleGroup OBJECT-GROUP
3937 ipSecIkeRuleIkeActionSetId,
3938 ipSecIkeRuleActionExecutionStrategy,
3939 ipSecIkeRuleLimitNegotiation,
3940 ipSecIkeRuleAutoStart,
3941 ipSecIkeRuleIpSecRuleTimePeriodGroupId
3945 "Objects from the ipSecIkeRuleTable."
3946 ::= { ipSecPolicyPibConformanceGroups 14 }
3948 ipSecIkeActionSetGroup OBJECT-GROUP
3950 ipSecIkeActionSetActionSetId,
3951 ipSecIkeActionSetActionId,
3952 ipSecIkeActionSetOrder
3956 "Objects from the ipSecIkeActionSetTable."
3957 ::= { ipSecPolicyPibConformanceGroups 15 }
-- Conformance group 16: lists attributes of the ipSecIkeAssociationTable.
-- The compliance statement above the groups marks four of these members as
-- optional (PIB-MIN-ACCESS not-accessible): VendorId, AggressiveModeGroupId,
-- LocalCredentialId and DoActionLogging. An enforcement point may therefore
-- be compliant without supporting IKE action logging; do not assume that
-- log source exists on every device.
-- NOTE(review): ipSecIkeAssociationPresharedKey suggests the IKE pre-shared
-- secret is carried inside a policy instance - confirm in the attribute's
-- definition, and if so protect the provisioning channel and policy store
-- accordingly.
-- NOTE(review): "MinLiftetimeSeconds" looks like a misspelling of
-- "MinLifetimeSeconds" (compare the Kilobytes sibling). The member name
-- must match the attribute definition exactly; fix both places together
-- or neither.
3959 ipSecIkeAssociationGroup OBJECT-GROUP
3961 ipSecIkeAssociationMinLiftetimeSeconds,
3962 ipSecIkeAssociationMinLifetimeKilobytes,
3963 ipSecIkeAssociationIdleDurationSeconds,
3964 ipSecIkeAssociationExchangeMode,
3965 ipSecIkeAssociationUseIkeIdentityType,
3966 ipSecIkeAssociationUseIkeIdentityValue,
3967 ipSecIkeAssociationIkePeerEndpoint,
3968 ipSecIkeAssociationPresharedKey,
3969 ipSecIkeAssociationVendorId,
3970 ipSecIkeAssociationAggressiveModeGroupId,
3971 ipSecIkeAssociationLocalCredentialId,
3972 ipSecIkeAssociationDoActionLogging,
3973 ipSecIkeAssociationIkeProposalSetId
3977 "Objects from the ipSecIkeAssociationTable."
3978 ::= { ipSecPolicyPibConformanceGroups 16 }
3980 ipSecIkeProposalSetGroup OBJECT-GROUP
3982 ipSecIkeProposalSetProposalSetId,
3983 ipSecIkeProposalSetProposalId,
3984 ipSecIkeProposalSetOrder
3988 "Objects from the ipSecIkeProposalSetTable."
3989 ::= { ipSecPolicyPibConformanceGroups 17 }
-- Conformance group 18: lists attributes of the ipSecIkeProposalTable.
-- The compliance statement above the groups marks PrfAlgorithm and VendorId
-- as optional (PIB-MIN-ACCESS not-accessible).
-- NOTE(review): CipherAlgorithm, HashAlgorithm, AuthenticationMethod and
-- IkeDhGroup appear to select the phase-one algorithms, so the strength of
-- the IKE SA is whatever the provisioned proposals allow - confirm the
-- permitted values in the table definition and restrict proposals on the
-- decision point to the algorithms the deployment accepts.
3991 ipSecIkeProposalGroup OBJECT-GROUP
3993 ipSecIkeProposalMaxLifetimeSeconds,
3994 ipSecIkeProposalMaxLifetimeKilobytes,
3995 ipSecIkeProposalCipherAlgorithm,
3996 ipSecIkeProposalHashAlgorithm,
3997 ipSecIkeProposalAuthenticationMethod,
3998 ipSecIkeProposalPrfAlgorithm,
3999 ipSecIkeProposalIkeDhGroup,
4000 ipSecIkeProposalVendorId
4004 "Objects from the ipSecIkeProposalTable."
4005 ::= { ipSecPolicyPibConformanceGroups 18 }
-- Conformance group 19: lists attributes of the ipSecIkePeerEndpointTable.
-- The compliance statement above the groups marks AddressType and Address
-- as optional (PIB-MIN-ACCESS not-accessible).
-- NOTE(review): on an enforcement point that omits the address attributes
-- the peer is presumably matched on IdentityType/IdentityValue and the
-- credential set alone - confirm in the table definition, and make sure
-- policy that relies on address pinning is not pushed to such devices.
4007 ipSecIkePeerEndpointGroup OBJECT-GROUP
4009 ipSecIkePeerEndpointIdentityType,
4010 ipSecIkePeerEndpointIdentityValue,
4011 ipSecIkePeerEndpointAddressType,
4012 ipSecIkePeerEndpointAddress,
4013 ipSecIkePeerEndpointCredentialSetId
4017 "Objects from the ipSecIkePeerEndpointTable."
4018 ::= { ipSecPolicyPibConformanceGroups 19 }
4020 ipSecCredentialSetGroup OBJECT-GROUP
4022 ipSecCredentialSetSetId,
4023 ipSecCredentialSetCredentialId
4027 "Objects from the ipSecCredentialSetTable."
4028 ::= { ipSecPolicyPibConformanceGroups 20 }
-- Conformance group 21: lists attributes of the ipSecCredentialTable.
-- NOTE(review): ipSecCredentialCrlDistributionPoint looks like the location
-- from which revocation data is fetched for certificate credentials -
-- confirm in the attribute's definition. Check what an enforcement point
-- does when the attribute is empty or the location is unreachable, since
-- that decides whether a revoked certificate is still accepted.
4030 ipSecCredentialGroup OBJECT-GROUP
4032 ipSecCredentialCredentialType,
4033 ipSecCredentialFieldsId,
4034 ipSecCredentialCrlDistributionPoint
4038 "Objects from the ipSecCredentialTable."
4039 ::= { ipSecPolicyPibConformanceGroups 21 }
4041 ipSecCredentialFieldsGroup OBJECT-GROUP
4043 ipSecCredentialFieldsName,
4044 ipSecCredentialFieldsValue,
4045 ipSecCredentialFieldsSetId
4049 "Objects from the ipSecCredentialFieldsTable."
4050 ::= { ipSecPolicyPibConformanceGroups 22 }
4052 ipSecSelectorSetGroup OBJECT-GROUP
4054 ipSecSelectorSetSelectorSetId,
4055 ipSecSelectorSetSelectorId,
4056 ipSecSelectorSetOrder
4060 "Objects from the ipSecSelectorSetTable."
4061 ::= { ipSecPolicyPibConformanceGroups 23 }
4063 ipSecSelectorGroup OBJECT-GROUP
4065 ipSecSelectorSrcAddressGroupId,
4066 ipSecSelectorSrcPortGroupId,
4067 ipSecSelectorDstAddressGroupId,
4068 ipSecSelectorDstPortGroupId,
4069 ipSecSelectorProtocol,
4071 ipSecSelectorFlowLabel
4075 "Objects from the ipSecSelectorTable."
4076 ::= { ipSecPolicyPibConformanceGroups 24 }
4078 ipSecAddressGroup OBJECT-GROUP
4080 ipSecAddressAddressType,
4081 ipSecAddressAddrMask,
4082 ipSecAddressAddrMin,
4083 ipSecAddressAddrMax,
4088 "Objects from the ipSecAddressTable."
4089 ::= { ipSecPolicyPibConformanceGroups 25 }
-- Conformance group 26: objects from the ipSecL4PortTable.
-- No member names are visible for this group: the embedded line numbers
-- jump from 4091 to 4099, so the OBJECTS clause is missing from this copy.
-- Take the member list from a complete copy of the module before using
-- this group for conformance checking.
4091 ipSecL4PortGroup OBJECT-GROUP
4099 "Objects from the ipSecL4PortTable."
4100 ::= { ipSecPolicyPibConformanceGroups 26 }
4102 ipSecIpsoFilterSetGroup OBJECT-GROUP
4104 ipSecIpsoFilterSetFilterSetId,
4105 ipSecIpsoFilterSetFilterId,
4106 ipSecIpsoFilterSetOrder
4110 "Objects from the ipSecIpsoFilterSetTable."
4111 ::= { ipSecPolicyPibConformanceGroups 27 }
4113 ipSecIpsoFilterGroup OBJECT-GROUP
4115 ipSecIpsoFilterMatchConditionType,
4116 ipSecIpsoFilterClassificationLevel,
4117 ipSecIpsoFilterProtectionAuthority
4121 "Objects from the ipSecIpsoFilterTable."
4122 ::= { ipSecPolicyPibConformanceGroups 28 }
4124 ipSecRuleTimePeriodGroup OBJECT-GROUP
4126 ipSecRuleTimePeriodTimePeriod,
4127 ipSecRuleTimePeriodMonthOfYearMask,
4128 ipSecRuleTimePeriodDayOfMonthMask,
4129 ipSecRuleTimePeriodDayOfWeekMask,
4130 ipSecRuleTimePeriodTimeOfDayMask,
4131 ipSecRuleTimePeriodLocalOrUtcTime
4135 "Objects from the ipSecRuleTimePeriodTable."
4136 ::= { ipSecPolicyPibConformanceGroups 29 }
4138 ipSecRuleTimePeriodSetGroup OBJECT-GROUP
4140 ipSecRuleTimePeriodSetRuleTimePeriodSetId,
4141 ipSecRuleTimePeriodSetRuleTimePeriodId
4145 "Objects from the ipSecRuleTimePeriodSetTable."
4146 ::= { ipSecPolicyPibConformanceGroups 30 }
-- Conformance group 31: lists attributes of the ipSecIfCapsTable.
-- The compliance statement above the groups marks ipSecIfCapsMaxIkeActions
-- as optional (PIB-MIN-ACCESS not-accessible), so a compliant device may
-- not report it.
-- NOTE(review): presumably these attributes report interface limits to the
-- decision point - confirm in the table definition, and decide how policy
-- is sized for devices that leave MaxIkeActions unreported.
4148 ipSecIfCapsGroup OBJECT-GROUP
4150 ipSecIfCapsDirection,
4151 ipSecIfCapsMaxIpSecActions,
4152 ipSecIfCapsMaxIkeActions
4156 "Objects from the ipSecIfCapsTable."
4157 ::= { ipSecPolicyPibConformanceGroups 31 }