1 IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN
4 Unsigned32, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
5 TEXTUAL-CONVENTION, MODULE-COMPLIANCE, OBJECT-GROUP
9 InstanceId, ReferenceId, TagId, TagReferenceId
12 FROM FRAMEWORK-TC-PIB;
14 ipSecPolicyPib MODULE-IDENTITY
15 SUBJECT-CATEGORY { tbd } -- IPsec Client Type --
16 LAST-UPDATED "200202241800Z"
17 ORGANIZATION "IETF ipsp WG"
23 Phone: +1 781 993 3923
24 Email: man.m.li@nokia.com
27 Div. of Computer Communications
28 Lulea University of Technology
31 Phone: +46 920 49 3030
32 Email: avri@sm.luth.se
39 Phone: +1 503 264 9531
41 Email: jamie.jason@intel.com
45 Suite 300, 565 Metro Place South
47 Phone: +1 614 923 6241
48 Email: CWang@smartpipes.com
51 SSH Communications Security Corp.
53 FIN-00100 Helsinki, Finland
54 Phone: +358 20 500 7466
55 Email: markus.stenberg@ssh.com"
59 "This PIB module contains a set of policy rule classes that
60 describe IPsec policies."
61 ::= { pib yyy } -- yyy to be assigned by IANA --
64 Unsigned16 ::= TEXTUAL-CONVENTION
67 "An unsigned 16 bit integer."
68 SYNTAX Unsigned32 (0..65535)
70 ipSecAssociation OBJECT-IDENTITY
73 "This group specifies IPsec Security Associations."
74 ::= { ipSecPolicyPib 1 }
76 ipSecAhTransform OBJECT-IDENTITY
79 "This group specifies AH Transforms."
80 ::= { ipSecPolicyPib 2 }
82 ipSecEspTransform OBJECT-IDENTITY
85 "This group specifies ESP Transforms."
86 ::= { ipSecPolicyPib 3 }
88 ipSecCompTransform OBJECT-IDENTITY
91 "This group specifies Comp Transforms."
92 ::= { ipSecPolicyPib 4 }
94 ipSecIkeAssociation OBJECT-IDENTITY
97 "This group specifies IKE Security Associations."
98 ::= { ipSecPolicyPib 5 }
100 ipSecCredential OBJECT-IDENTITY
103 "This group specifies credentials for IKE phase one negotiations."
104 ::= { ipSecPolicyPib 6 }
106 ipSecSelector OBJECT-IDENTITY
109 "This group specifies selectors for IPsec associations."
110 ::= { ipSecPolicyPib 7 }
112 ipSecPolicyTimePeriod OBJECT-IDENTITY
115 "This group specifies the time periods during which a policy rule
117 ::= { ipSecPolicyPib 8 }
119 ipSecIfCapability OBJECT-IDENTITY
122 "This group specifies capabilities associated with interface
124 ::= { ipSecPolicyPib 9 }
126 ipSecPolicyPibConformance OBJECT-IDENTITY
129 "This group specifies requirements for conformance to the IPsec
131 ::= { ipSecPolicyPib 10 }
136 -- The ipSecRuleTable
139 ipSecRuleTable OBJECT-TYPE
140 SYNTAX SEQUENCE OF IpSecRuleEntry
144 "This table is the starting point for specifying an IPsec policy.
145 It contains an ordered list of IPsec rules. "
146 ::= { ipSecAssociation 1 }
148 ipSecRuleEntry OBJECT-TYPE
149 SYNTAX IpSecRuleEntry
152 "Specifies an instance of this class"
153 PIB-INDEX { ipSecRulePrid }
159 ::= { ipSecRuleTable 1 }
161 IpSecRuleEntry ::= SEQUENCE {
162 ipSecRulePrid InstanceId,
163 ipSecRuleIfName SnmpAdminString,
164 ipSecRuleRoles RoleCombination,
165 ipSecRuleDirection INTEGER,
166 ipSecRuleIpSecSelectorSetId TagReferenceId,
167 ipSecRuleipSecIpsoFilterSetId TagReferenceId,
168 ipSecRuleIpSecActionSetId TagReferenceId,
169 ipSecRuleActionExecutionStrategy INTEGER,
170 ipSecRuleOrder Unsigned16,
171 ipSecRuleLimitNegotiation INTEGER,
172 ipSecRuleAutoStart TruthValue,
173 ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId
176 ipSecRulePrid OBJECT-TYPE
180 "An integer index that uniquely identifies an instance of this
182 ::= { ipSecRuleEntry 1 }
184 ipSecRuleIfName OBJECT-TYPE
185 SYNTAX SnmpAdminString
188 "The interface capability set to which this IPsec rule applies.
189 The interface capability name specified by this attribute MUST
190 exist in the frwkIfCapSetTable [FR-PIB] prior to association with
191 an instance of this class."
192 ::= { ipSecRuleEntry 2 }
194 ipSecRuleRoles OBJECT-TYPE
195 SYNTAX RoleCombination
198 "Specifies the role combination of the interface to which this
199 IPsec rule should apply. There must exist an instance in the
200 frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
201 combination, together with the interface capability set specified
202 by ipSecRuleIfName, prior to association with an instance of this
204 ::= { ipSecRuleEntry 3 }
206 ipSecRuleDirection OBJECT-TYPE
214 "Specifies the direction of traffic to which this rule should
216 ::= { ipSecRuleEntry 4 }
218 ipSecRuleIpSecSelectorSetId OBJECT-TYPE
219 SYNTAX TagReferenceId
220 PIB-TAG { ipSecSelectorSetSelectorSetId }
223 "Identifies a set of selectors to be associated with this IPsec
225 ::= { ipSecRuleEntry 5 }
227 ipSecRuleipSecIpsoFilterSetId OBJECT-TYPE
228 SYNTAX TagReferenceId
229 PIB-TAG { ipSecIpsoFilterSetFilterSetId }
232 "Identifies a set of IPSO filters to be associated with this IPsec
233 rule. A value of zero indicates that there are no IPSO filters
234 associated with this rule.
236 When the value of this attribute is not zero, the set of IPSO
237 filters is ANDed with the set of Selectors specified by
238 ipSecRuleIpSecSelectorSetId. In other words, a packet MUST match a
239 selector in the selector sets and a filter in the IPSO filter sets
240 before the actions associated with this rule can be applied."
241 ::= { ipSecRuleEntry 6 }
243 ipSecRuleIpSecActionSetId OBJECT-TYPE
244 SYNTAX TagReferenceId
245 PIB-TAG { ipSecActionSetActionSetId }
248 "Identifies a set of IPsec actions to be associated with this
250 ::= { ipSecRuleEntry 7 }
252 ipSecRuleActionExecutionStrategy OBJECT-TYPE
259 "Specifies the strategy to be used in executing the sequenced
260 actions in the action set identified by ipSecRuleIpSecActionSetId.
262 DoAll (1) causes the execution of all the actions in the action
263 set according to their defined precedence order. The precedence
264 order is specified by the ipSecActionSetOrder in the
267 DoUntilSuccess (2) causes the execution of actions according to
268 their defined precedence order until a successful execution of a
269 single action. The precedence order is specified by the
270 ipSecActionSetOrder in the ipSecActionSetTable."
271 ::= { ipSecRuleEntry 8 }
273 ipSecRuleOrder OBJECT-TYPE
277 "Specifies the precedence order of the rule within all the rules
278 associated with {IfName, Roles}. A smaller value indicates a
279 higher precedence order. "
280 ::= { ipSecRuleEntry 9 }
282 ipSecRuleLimitNegotiation OBJECT-TYPE
290 "Limits the negotiation method. Before proceeding with a phase 2
291 negotiation, the LimitNegotiation property of the IPsecRule is
292 first checked to determine if the negotiation part indicated for
293 the rule matches that of the current negotiation (Initiator,
294 Responder, or Either).
296 This attribute is ignored when an attempt is made to refresh an
297 expiring SA (either side can initiate a refresh operation). The
298 system can determine that the negotiation is a refresh operation
299 by checking to see if the selector information matches that of an
300 existing SA. If LimitNegotiation does not match and the selector
301 corresponds to a new SA, the negotiation is stopped. "
302 ::= { ipSecRuleEntry 10 }
304 ipSecRuleAutoStart OBJECT-TYPE
308 "Indicates if this rule should be automatically executed."
309 ::= { ipSecRuleEntry 11 }
311 ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
312 SYNTAX TagReferenceId
313 PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
316 "Identifies an IPsec rule time period set, specified in
317 ipSecRuleTimePeriodSetTable, that is associated with this rule.
319 A value of zero indicates that this IPsec rule is always valid."
320 ::= { ipSecRuleEntry 12 }
325 -- The ipSecActionSetTable
328 ipSecActionSetTable OBJECT-TYPE
329 SYNTAX SEQUENCE OF IpSecActionSetEntry
333 "Specifies IPsec action sets."
334 ::= { ipSecAssociation 2 }
336 ipSecActionSetEntry OBJECT-TYPE
337 SYNTAX IpSecActionSetEntry
340 "Specifies an instance of this class"
341 PIB-INDEX { ipSecActionSetPrid }
343 ipSecActionSetActionSetId,
344 ipSecActionSetActionId,
345 ipSecActionSetDoActionLogging,
346 ipSecActionSetDoPacketLogging,
349 ::= { ipSecActionSetTable 1 }
351 IpSecActionSetEntry ::= SEQUENCE {
352 ipSecActionSetPrid InstanceId,
353 ipSecActionSetActionSetId TagId,
354 ipSecActionSetActionId Prid,
355 ipSecActionSetDoActionLogging TruthValue,
356 ipSecActionSetDoPacketLogging TruthValue,
357 ipSecActionSetOrder Unsigned16
360 ipSecActionSetPrid OBJECT-TYPE
364 "An integer index that uniquely identifies an instance of this
366 ::= { ipSecActionSetEntry 1 }
368 ipSecActionSetActionSetId OBJECT-TYPE
372 "An IPsec action set is composed of one or more IPsec actions.
373 Each action belonging to the same set has the same ActionSetId."
374 ::= { ipSecActionSetEntry 2 }
376 ipSecActionSetActionId OBJECT-TYPE
380 "A pointer to a valid instance in another table that describes an
383 For IPsec static actions, it MUST point to an instance in the
384 ipSecStaticActionTable.
386 For IPsec negotiation actions, it MUST point to an instance in the
387 ipSecNegotiationActionTable. For other actions, it may point to an
388 instance in a table specified by other PIB modules."
389 ::= { ipSecActionSetEntry 3 }
391 ipSecActionSetDoActionLogging OBJECT-TYPE
395 "Specifies whether a log message is to be generated when the
396 action is performed. This applies for ipSecNegotiationActions
397 with the meaning of logging a message when the negotiation is
398 attempted (with the success or failure result). This also applies
399 for ipSecStaticAction only for PreconfiguredTransport action or
400 PreconfiguredTunnel action with the meaning of logging a message
401 when the preconfigured SA is actually installed in the SADB."
402 ::= { ipSecActionSetEntry 4 }
404 ipSecActionSetDoPacketLogging OBJECT-TYPE
408 "Specifies whether to log when the resulting security association
409 is used to process a packet. For ipSecStaticActions, a log message
410 is to be generated when the IPsecBypass, IpsecDiscard or IKEReject
411 actions are executed."
412 ::= { ipSecActionSetEntry 5 }
414 ipSecActionSetOrder OBJECT-TYPE
418 "Specifies the precedence order of the action within the action
419 set. An action with a smaller precedence order is to be applied
420 before one with a larger precedence order. "
421 ::= { ipSecActionSetEntry 6 }
426 -- The ipSecStaticActionTable
429 ipSecStaticActionTable OBJECT-TYPE
430 SYNTAX SEQUENCE OF IpSecStaticActionEntry
434 "Specifies IPsec static actions."
435 ::= { ipSecAssociation 3 }
437 ipSecStaticActionEntry OBJECT-TYPE
438 SYNTAX IpSecStaticActionEntry
441 "Specifies an instance of this class"
442 PIB-INDEX { ipSecStaticActionPrid }
444 ipSecStaticActionAction,
445 ipSecStaticActionTunnelEndpointId,
446 ipSecStaticActionDfHandling,
447 ipSecStaticActionSpi,
448 ipSecStaticActionLifetimeSeconds,
449 ipSecStaticActionLifetimeKilobytes,
450 ipSecStaticActionSaTransformId
452 ::= { ipSecStaticActionTable 1 }
454 IpSecStaticActionEntry ::= SEQUENCE {
455 ipSecStaticActionPrid InstanceId,
456 ipSecStaticActionAction INTEGER,
457 ipSecStaticActionTunnelEndpointId ReferenceId,
458 ipSecStaticActionDfHandling INTEGER,
459 ipSecStaticActionSpi Unsigned32,
460 ipSecStaticActionLifetimeSeconds Unsigned32,
461 ipSecStaticActionLifetimeKilobytes Unsigned32,
462 ipSecStaticActionSaTransformId Prid
465 ipSecStaticActionPrid OBJECT-TYPE
469 "An integer index that uniquely identifies an instance of this
471 ::= { ipSecStaticActionEntry 1 }
473 ipSecStaticActionAction OBJECT-TYPE
478 preConfiguredTransport(4),
479 preConfiguredTunnel(5)
483 "Specifies the IPsec action to be applied to the traffic. byPass
484 (1) means that packets are to be allowed to pass in the clear.
485 discard (2) means that packets are to be discarded. ikeRejection
486 (3) means that an IKE negotiation should not even be
487 attempted or continued. preConfiguredTransport (4) means that an
488 IPsec transport SA is pre-configured. preConfiguredTunnel (5)
489 means that an IPsec tunnel SA is pre-configured. "
490 ::= { ipSecStaticActionEntry 2 }
492 ipSecStaticActionTunnelEndpointId OBJECT-TYPE
494 PIB-REFERENCES {ipSecAddressEntry }
497 "When ipSecStaticActionAction is preConfiguredTunnel (5), this
498 attribute indicates the peer gateway IP address. This address MUST
499 be a single endpoint address.
501 When ipSecStaticActionAction is not preConfiguredTunnel, this
502 attribute MUST be zero."
503 ::= { ipSecStaticActionEntry 3 }
505 ipSecStaticActionDfHandling OBJECT-TYPE
513 "When ipSecStaticActionAction is preConfiguredTunnel, this
514 attribute specifies how the DF bit is managed.
516 Copy (1) indicates to copy the DF bit from the internal IP header
517 to the external IP header. Set (2) indicates to set the DF bit of
518 the external IP header to 1. Clear (3) indicates to clear the DF
519 bit of the external IP header to 0.
521 When ipSecStaticActionAction is not preConfiguredTunnel, this
522 attribute MUST be ignored. "
523 ::= { ipSecStaticActionEntry 4 }
525 ipSecStaticActionSpi OBJECT-TYPE
529 "Specifies the SPI to be used with the SA Transform identified by
530 ipSecStaticActionSaTransformId.
532 When ipSecStaticActionAction is neither
533 preConfiguredTransportAction nor preConfiguredTunnelAction, this
534 attribute MUST be ignored."
535 ::= { ipSecStaticActionEntry 5 }
-- NOTE(review): per the DESCRIPTION below, a value of zero means the
-- pre-configured SA never expires on time. These SAs are not negotiated,
-- so nothing visible in this module re-keys them; treat a zero here as a
-- deliberate exception and confirm that the kilobyte lifetime or an
-- operational key-rotation process bounds how long one key stays in use.
537 ipSecStaticActionLifetimeSeconds OBJECT-TYPE
541 "Specifies the amount of time (in seconds) that a security
542 association derived from this action should be used. When
543 ipSecStaticActionAction is neither preConfiguredTransportAction
544 nor preConfiguredTunnelAction, this attribute MUST be ignored.
546 A value of zero indicates that there is not a lifetime associated
547 with this action (i.e., infinite lifetime).
549 The actual lifetime of the preconfigured SA will be the smallest
550 of the value of this LifetimeSeconds property and of the value of
551 the MaxLifetimeSeconds property of the associated SA Transform.
552 Except if the value of this LifetimeSeconds property is zero, then
553 there will be no lifetime associated to this SA."
554 ::= { ipSecStaticActionEntry 6 }
556 ipSecStaticActionLifetimeKilobytes OBJECT-TYPE
560 "Specifies the SA lifetime in kilobytes. When
561 ipSecStaticActionAction is neither preConfiguredTransportAction
562 nor preConfiguredTunnelAction, this attribute MUST be ignored.
564 A value of zero indicates that there is not a lifetime associated
565 with this action (i.e., infinite lifetime).
567 The actual lifetime of the preconfigured SA will be the smallest
568 of the value of this LifetimeKilobytes property and of the value
569 of the MaxLifetimeKilobytes property of the associated SA
570 transform. Except if the value of this LifetimeKilobytes property
571 is zero, then there will be no lifetime associated with this
574 ::= { ipSecStaticActionEntry 7 }
576 ipSecStaticActionSaTransformId OBJECT-TYPE
580 "A pointer to a valid instance in another table that describes an
581 SA transform, e.g., ipSecEspTransformTable, ipSecAhTransformTable."
582 ::= { ipSecStaticActionEntry 8 }
587 -- The ipSecNegotiationActionTable
590 ipSecNegotiationActionTable OBJECT-TYPE
591 SYNTAX SEQUENCE OF IpSecNegotiationActionEntry
595 "Specifies IPsec negotiation actions."
596 ::= { ipSecAssociation 4 }
598 ipSecNegotiationActionEntry OBJECT-TYPE
599 SYNTAX IpSecNegotiationActionEntry
602 "Specifies an instance of this class"
603 PIB-INDEX { ipSecNegotiationActionPrid }
605 ipSecNegotiationActionAction,
606 ipSecNegotiationActionTunnelEndpointId,
607 ipSecNegotiationActionDfHandling,
608 ipSecNegotiationActionIpSecSecurityAssociationId,
609 ipSecNegotiationActionKeyExchangeId
611 ::= { ipSecNegotiationActionTable 1 }
613 IpSecNegotiationActionEntry ::= SEQUENCE {
614 ipSecNegotiationActionPrid InstanceId,
615 ipSecNegotiationActionAction INTEGER,
616 ipSecNegotiationActionTunnelEndpointId ReferenceId,
617 ipSecNegotiationActionDfHandling INTEGER,
618 ipSecNegotiationActionIpSecSecurityAssociationId ReferenceId,
619 ipSecNegotiationActionKeyExchangeId Prid
622 ipSecNegotiationActionPrid OBJECT-TYPE
626 "An integer index that uniquely identifies an instance of this
628 ::= { ipSecNegotiationActionEntry 1 }
630 ipSecNegotiationActionAction OBJECT-TYPE
637 "Specifies the IPsec action to be applied to the traffic.
638 transport(1) means that the packet should be protected with a
639 security association in transport mode. tunnel(2) means that the
640 packet should be protected with a security association in tunnel
641 mode. If tunnel (2) is specified, ipSecActionTunnelEndpointId
642 MUST also be specified."
643 ::= { ipSecNegotiationActionEntry 2 }
645 ipSecNegotiationActionTunnelEndpointId OBJECT-TYPE
647 PIB-REFERENCES {ipSecAddressEntry }
650 "When ipSecActionAction is tunnel (2), this attribute indicates
651 the peer gateway IP address. This address MUST be a single
654 When ipSecActionAction is not tunnel, this attribute MUST be
656 ::= { ipSecNegotiationActionEntry 3 }
658 ipSecNegotiationActionDfHandling OBJECT-TYPE
666 "When ipSecActionAction is tunnel, this attribute specifies how
667 the DF bit is managed.
669 Copy (1) indicates to copy the DF bit from the internal IP header
670 to the external IP header. Set (2) indicates to set the DF bit of
671 the external IP header to 1. Clear (3) indicates to clear the DF
672 bit of the external IP header to 0.
674 When ipSecActionAction is not tunnel, this attribute MUST be
676 ::= { ipSecNegotiationActionEntry 4 }
-- NOTE(review): PIB-REFERENCES points at ipSecAssociationEntry, while the
-- DESCRIPTION names ipSecSecurityAssociationTable. The table defined in
-- this module is ipSecAssociationTable; presumably the DESCRIPTION keeps
-- an earlier name for the same table. Confirm before relying on it.
678 ipSecNegotiationActionIpSecSecurityAssociationId OBJECT-TYPE
680 PIB-REFERENCES {ipSecAssociationEntry }
683 "Pointer to a valid instance in the
684 ipSecSecurityAssociationTable."
685 ::= { ipSecNegotiationActionEntry 5 }
687 ipSecNegotiationActionKeyExchangeId OBJECT-TYPE
691 "A pointer to a valid instance in another table that describes key
692 exchange associations. If a single IKE phase one negotiation is
693 used for the key exchange, this attribute MUST point to an
694 instance in the ipSecIkeAssociationTable. If multiple IKE phase
695 one negotiations (e.g., with different modes) are to be tried
696 until success, this attribute SHOULD point to ipSecIkeRuleTable.
698 For other key exchange methods, this attribute may point to an
699 instance of a PRC defined in some other PIB.
701 A value of zero means that there is no key exchange procedure
703 ::= { ipSecNegotiationActionEntry 6 }
708 -- The ipSecAssociationTable
711 ipSecAssociationTable OBJECT-TYPE
712 SYNTAX SEQUENCE OF IpSecAssociationEntry
716 "Specifies IPsec associations."
717 ::= { ipSecAssociation 5 }
719 ipSecAssociationEntry OBJECT-TYPE
720 SYNTAX IpSecAssociationEntry
723 "Specifies an instance of this class"
724 PIB-INDEX { ipSecAssociationPrid }
726 ipSecAssociationMinLifetimeSeconds,
727 ipSecAssociationMinLifetimeKilobytes,
728 ipSecAssociationIdleDurationSeconds,
729 ipSecAssociationUsePfs,
730 ipSecAssociationVendorId,
731 ipSecAssociationUseKeyExchangeGroup,
732 ipSecAssociationDhGroup,
733 ipSecAssociationGranularity,
734 ipSecAssociationProposalSetId
736 ::= { ipSecAssociationTable 1 }
738 IpSecAssociationEntry ::= SEQUENCE {
739 ipSecAssociationPrid InstanceId,
740 ipSecAssociationMinLifetimeSeconds Unsigned32,
741 ipSecAssociationMinLifetimeKilobytes Unsigned32,
742 ipSecAssociationIdleDurationSeconds Unsigned32,
743 ipSecAssociationUsePfs TruthValue,
744 ipSecAssociationVendorId OCTET STRING,
745 ipSecAssociationUseKeyExchangeGroup TruthValue,
746 ipSecAssociationDhGroup Unsigned16,
747 ipSecAssociationGranularity INTEGER,
748 ipSecAssociationProposalSetId TagReferenceId
751 ipSecAssociationPrid OBJECT-TYPE
755 "An integer index that uniquely identifies an instance of this
757 ::= { ipSecAssociationEntry 1 }
759 ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
763 "Specifies the minimum SA seconds lifetime that will be accepted
764 from a peer while negotiating an SA based upon this action.
765 A value of zero indicates that there is no minimum lifetime
767 ::= { ipSecAssociationEntry 2 }
769 ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
773 "Specifies the minimum kilobyte lifetime that will be accepted
774 from a negotiating peer while negotiating an SA based upon this
775 action. A value of zero indicates that there is no minimum
777 ::= { ipSecAssociationEntry 3 }
779 ipSecAssociationIdleDurationSeconds OBJECT-TYPE
783 "Specifies how long, in seconds, a security association may remain
784 unused before it is deleted.
786 A value of zero indicates that idle detection should not be used
787 for the security association (only the seconds and kilobyte
788 lifetimes will be used)."
789 ::= { ipSecAssociationEntry 4 }
791 ipSecAssociationUsePfs OBJECT-TYPE
795 "Specifies whether or not to use PFS when refreshing keys."
796 ::= { ipSecAssociationEntry 5 }
798 ipSecAssociationVendorId OBJECT-TYPE
802 "Specifies the IKE Vendor ID. This attribute is used together with
803 the property ipSecAssociationDhGroup (when it is in the vendor-
804 specific range) to identify the key exchange group. This
805 attribute is ignored unless ipSecAssociationUsePfs is true and
806 ipSecAssociationUseKeyExchangeGroup is false and
807 ipSecAssociationDhGroup is in the vendor-specific range (32768-
809 ::= { ipSecAssociationEntry 6 }
811 ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE
815 "Specifies whether or not to use the same GroupId for phase 2 as
816 was used in phase 1. If UsePFS is false, then this attribute is
819 A value of true indicates that the phase 2 GroupId should be the
820 same as phase 1. A value of false indicates that the group number
821 specified by the ipSecSecurityAssociationDhGroup attribute SHALL
822 be used for phase 2. "
823 ::= { ipSecAssociationEntry 7 }
-- NOTE(review): the DESCRIPTION names ipSecSecurityAssociationUsePfs and
-- ipSecSecurityAssociationUseKeyExchangeGroup, but the attributes defined
-- in this class are ipSecAssociationUsePfs and
-- ipSecAssociationUseKeyExchangeGroup; presumably the same attributes
-- under an earlier name. Confirm before relying on the cross-reference.
825 ipSecAssociationDhGroup OBJECT-TYPE
829 "Specifies the key exchange group to use for phase 2 when the
830 property ipSecSecurityAssociationUsePfs is true and the property
831 ipSecSecurityAssociationUseKeyExchangeGroup is false."
832 ::= { ipSecAssociationEntry 8 }
834 ipSecAssociationGranularity OBJECT-TYPE
843 "Specifies how the proposed selector for the security association
846 A value of 1 (subnet) indicates that the source and destination
847 subnet masks of the filter entry are used.
849 A value of 2 (address) indicates that only the source and
850 destination IP addresses of the triggering packet are used.
852 A value of 3 (protocol) indicates that the source and destination
853 IP addresses and the IP protocol of the triggering packet are
856 A value of 4 (port) indicates that the source and destination IP
857 addresses and the IP protocol and the source and destination layer
858 4 ports of the triggering packet are used. "
859 ::= { ipSecAssociationEntry 9 }
861 ipSecAssociationProposalSetId OBJECT-TYPE
862 SYNTAX TagReferenceId
863 PIB-TAG { ipSecProposalSetProposalSetId }
866 "Identifies a set of IPsec proposals that is associated with this
868 ::= { ipSecAssociationEntry 10 }
873 -- The ipSecProposalSetTable
876 ipSecProposalSetTable OBJECT-TYPE
877 SYNTAX SEQUENCE OF IpSecProposalSetEntry
881 "Specifies IPsec proposal sets. Proposals within a set are ORed
882 with preference order. "
883 ::= { ipSecAssociation 6 }
885 ipSecProposalSetEntry OBJECT-TYPE
886 SYNTAX IpSecProposalSetEntry
889 "Specifies an instance of this class"
890 PIB-INDEX { ipSecProposalSetPrid }
892 ipSecProposalSetProposalSetId,
893 ipSecProposalSetProposalId,
894 ipSecProposalSetOrder
896 ::= { ipSecProposalSetTable 1 }
898 IpSecProposalSetEntry ::= SEQUENCE {
899 ipSecProposalSetPrid InstanceId,
900 ipSecProposalSetProposalSetId TagId,
901 ipSecProposalSetProposalId ReferenceId,
902 ipSecProposalSetOrder Unsigned16
905 ipSecProposalSetPrid OBJECT-TYPE
909 "An integer index that uniquely identifies an instance of this
911 ::= { ipSecProposalSetEntry 1 }
913 ipSecProposalSetProposalSetId OBJECT-TYPE
919 "An IPsec proposal set is composed of one or more IPsec proposals.
920 Each proposal belonging to the same set has the same
922 ::= { ipSecProposalSetEntry 2 }
924 ipSecProposalSetProposalId OBJECT-TYPE
926 PIB-REFERENCES {ipSecProposalEntry }
929 "A pointer to a valid instance in the ipSecProposalTable."
930 ::= { ipSecProposalSetEntry 3 }
932 ipSecProposalSetOrder OBJECT-TYPE
936 "An integer that specifies the precedence order of the proposal
937 identified by ipSecProposalSetProposalId in a proposal set. The
938 proposal set is identified by ipSecProposalSetProposalSetId.
939 Proposals within a set are ORed with preference order. A smaller
940 integer value indicates a higher preference."
941 ::= { ipSecProposalSetEntry 4 }
946 -- The ipSecProposalTable
949 ipSecProposalTable OBJECT-TYPE
950 SYNTAX SEQUENCE OF IpSecProposalEntry
954 "Specifies IPsec proposals. It has references to ESP, AH and
955 IPCOMP Transform sets. Within a proposal, different types of
956 transforms are ANDed. Multiple transforms of the same type are
957 ORed with preference order."
958 ::= { ipSecAssociation 7 }
960 ipSecProposalEntry OBJECT-TYPE
961 SYNTAX IpSecProposalEntry
964 "Specifies an instance of this class"
965 PIB-INDEX { ipSecProposalPrid }
967 ipSecProposalEspTransformSetId,
968 ipSecProposalAhTransformSetId,
969 ipSecProposalCompTransformSetId
971 ::= { ipSecProposalTable 1 }
973 IpSecProposalEntry ::= SEQUENCE {
974 ipSecProposalPrid InstanceId,
975 ipSecProposalEspTransformSetId TagReferenceId,
976 ipSecProposalAhTransformSetId TagReferenceId,
977 ipSecProposalCompTransformSetId TagReferenceId
980 ipSecProposalPrid OBJECT-TYPE
984 "An integer index that uniquely identifies an instance of this
986 ::= { ipSecProposalEntry 1 }
988 ipSecProposalEspTransformSetId OBJECT-TYPE
989 SYNTAX TagReferenceId
990 PIB-TAG { ipSecEspTransformSetTransformSetId }
993 "An integer that identifies a set of ESP transforms, specified in
994 ipSecEspTransformSetTable, that is associated with this proposal."
995 ::= { ipSecProposalEntry 2 }
997 ipSecProposalAhTransformSetId OBJECT-TYPE
998 SYNTAX TagReferenceId
999 PIB-TAG { ipSecAhTransformSetTransformSetId }
1002 "An integer that identifies an AH transform set, specified in
1003 ipSecAhTransformSetTable, that is associated with this proposal."
1004 ::= { ipSecProposalEntry 3 }
1006 ipSecProposalCompTransformSetId OBJECT-TYPE
1007 SYNTAX TagReferenceId
1008 PIB-TAG { ipSecCompTransformSetTransformSetId }
1011 "An integer that identifies a set of IPComp transforms, specified
1012 in ipSecCompTransformSetTable, that is associated with this
1014 ::= { ipSecProposalEntry 4 }
1019 -- The ipSecAhTransformSetTable
1022 ipSecAhTransformSetTable OBJECT-TYPE
1023 SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
1027 "Specifies AH transform sets. Within a transform set, the
1028 transforms are ORed with preference order. "
1029 ::= { ipSecAhTransform 1 }
1031 ipSecAhTransformSetEntry OBJECT-TYPE
1032 SYNTAX IpSecAhTransformSetEntry
1035 "Specifies an instance of this class"
1036 PIB-INDEX { ipSecAhTransformSetPrid }
1038 ipSecAhTransformSetTransformSetId,
1039 ipSecAhTransformSetTransformId,
1040 ipSecAhTransformSetOrder
1042 ::= { ipSecAhTransformSetTable 1 }
1044 IpSecAhTransformSetEntry ::= SEQUENCE {
1045 ipSecAhTransformSetPrid InstanceId,
1046 ipSecAhTransformSetTransformSetId TagId,
1047 ipSecAhTransformSetTransformId ReferenceId,
1048 ipSecAhTransformSetOrder Unsigned16
1051 ipSecAhTransformSetPrid OBJECT-TYPE
1055 "An integer index that uniquely identifies an instance of this
1057 ::= { ipSecAhTransformSetEntry 1 }
1059 ipSecAhTransformSetTransformSetId OBJECT-TYPE
1063 "An AH transform set is composed of one or more AH transforms.
1064 Each transform belonging to the same set has the same
1066 ::= { ipSecAhTransformSetEntry 2 }
1068 ipSecAhTransformSetTransformId OBJECT-TYPE
1070 PIB-REFERENCES {ipSecAhTransformEntry }
1073 "A pointer to a valid instance in the ipSecAhTransformTable."
1074 ::= { ipSecAhTransformSetEntry 3 }
1076 ipSecAhTransformSetOrder OBJECT-TYPE
1080 "An integer that specifies the precedence order of the transform
1081 identified by ipSecAhTransformSetTransformId within a transform
1082 set. The transform set is identified by
1083 ipSecAhTransformSetTransformSetId. Transforms within a set are
1084 ORed with preference order. A smaller integer value indicates a
1086 ::= { ipSecAhTransformSetEntry 4 }
1091 -- The ipSecAhTransformTable
1094 ipSecAhTransformTable OBJECT-TYPE
1095 SYNTAX SEQUENCE OF IpSecAhTransformEntry
1099 "Specifies AH transforms."
1100 ::= { ipSecAhTransform 2 }
1102 ipSecAhTransformEntry OBJECT-TYPE
1103 SYNTAX IpSecAhTransformEntry
1106 "Specifies an instance of this class"
1107 PIB-INDEX { ipSecAhTransformPrid }
1109 ipSecAhTransformTransformId,
1110 ipSecAhTransformIntegrityKey,
1111 ipSecAhTransformUseReplayPrevention,
1112 ipSecAhTransformReplayPreventionWindowSize,
1113 ipSecAhTransformVendorId,
1114 ipSecAhTransformMaxLifetimeSeconds,
1115 ipSecAhTransformMaxLifetimeKilobytes
1117 ::= { ipSecAhTransformTable 1 }
1119 IpSecAhTransformEntry ::= SEQUENCE {
1120 ipSecAhTransformPrid InstanceId,
1121 ipSecAhTransformTransformId INTEGER,
1122 ipSecAhTransformIntegrityKey OCTET STRING,
1123 ipSecAhTransformUseReplayPrevention TruthValue,
1124 ipSecAhTransformReplayPreventionWindowSize Unsigned32,
1125 ipSecAhTransformVendorId OCTET STRING,
1126 ipSecAhTransformMaxLifetimeSeconds Unsigned32,
1127 ipSecAhTransformMaxLifetimeKilobytes Unsigned32
1130 ipSecAhTransformPrid OBJECT-TYPE
1134 "An integer index that uniquely identifies an instance of this
1136 ::= { ipSecAhTransformEntry 1 }
1138 ipSecAhTransformTransformId OBJECT-TYPE
1146 "Specifies the transform ID of the AH algorithm to propose."
1147 ::= { ipSecAhTransformEntry 2 }
-- NOTE(review): this attribute holds the raw AH integrity key for
-- statically keyed SAs (OCTET STRING in IpSecAhTransformEntry). Anything
-- that stores or transports instances of this class therefore handles key
-- material; confirm that the provisioning channel and any policy
-- repository give it confidentiality and access control, and keep the
-- value out of logs and diagnostics.
1149 ipSecAhTransformIntegrityKey OBJECT-TYPE
1153 "When this AH transform instance is used for a Static Action, this
1154 attribute specifies the integrity key to be used. This attribute
1155 MUST be ignored when this AH transform instance is used for a
1156 Negotiation Action."
1157 ::= { ipSecAhTransformEntry 3 }
1159 ipSecAhTransformUseReplayPrevention OBJECT-TYPE
1163 "Specifies whether to enable replay prevention detection."
1164 ::= { ipSecAhTransformEntry 4 }
1166 ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
1170 "Specifies, in bits, the length of the sliding window used by the
1171 replay prevention detection mechanism. The value of this property
1172 is ignored if UseReplayPrevention is false. It is assumed that the
1173 window size will be a power of 2."
1174 ::= { ipSecAhTransformEntry 5 }
1176 ipSecAhTransformVendorId OBJECT-TYPE
1180 "Specifies the vendor ID for vendor-defined transforms."
1181 ::= { ipSecAhTransformEntry 6 }
1183 ipSecAhTransformMaxLifetimeSeconds OBJECT-TYPE
1187 "Specifies the maximum amount of time to propose for a security
1188 association to remain valid.
1190 A value of zero indicates that the default of 8 hours be used. A
1191 non-zero value indicates the maximum seconds lifetime."
1192 ::= { ipSecAhTransformEntry 7 }
1194 ipSecAhTransformMaxLifetimeKilobytes OBJECT-TYPE
1198 "Specifies the maximum kilobyte lifetime to propose for a security
1199 association to remain valid.
1201 A value of zero indicates that there should be no maximum kilobyte
1202 lifetime. A non-zero value specifies the desired kilobyte
1204 ::= { ipSecAhTransformEntry 8 }
1209 -- The ipSecEspTransformSetTable
1212 ipSecEspTransformSetTable OBJECT-TYPE
1213 SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
1217 "Specifies ESP transform sets. Within a transform set, the choices
1218 are ORed with preference order. "
1219 ::= { ipSecEspTransform 1 }
1221 ipSecEspTransformSetEntry OBJECT-TYPE
1222 SYNTAX IpSecEspTransformSetEntry
1225 "Specifies an instance of this class"
1226 PIB-INDEX { ipSecEspTransformSetPrid }
1228 ipSecEspTransformSetTransformSetId,
1229 ipSecEspTransformSetTransformId,
1230 ipSecEspTransformSetOrder
1232 ::= { ipSecEspTransformSetTable 1 }
1234 IpSecEspTransformSetEntry ::= SEQUENCE {
1235 ipSecEspTransformSetPrid InstanceId,
1236 ipSecEspTransformSetTransformSetId TagId,
1237 ipSecEspTransformSetTransformId ReferenceId,
1238 ipSecEspTransformSetOrder Unsigned16
1241 ipSecEspTransformSetPrid OBJECT-TYPE
1245 "An integer index that uniquely identifies an instance of this
1247 ::= { ipSecEspTransformSetEntry 1 }
1249 ipSecEspTransformSetTransformSetId OBJECT-TYPE
1253 "An ESP transform set is composed of one or more ESP transforms.
1254 Each transform belonging to the same set has the same
1256 ::= { ipSecEspTransformSetEntry 2 }
1258 ipSecEspTransformSetTransformId OBJECT-TYPE
1260 PIB-REFERENCES {ipSecEspTransformEntry }
1263 "A pointer to a valid instance in the ipSecEspTransformTable."
1264 ::= { ipSecEspTransformSetEntry 3 }
1266 ipSecEspTransformSetOrder OBJECT-TYPE
1270 "An integer that specifies the precedence order of the transform
1271 identified by ipSecEspTransformSetTransformId within a transform
1272 set. The transform set is identified by
1273 ipSecEspTransformSetTransformSetId. Transforms within a set are
1274 ORed with preference order. A smaller integer value indicates a
1276 ::= { ipSecEspTransformSetEntry 4 }
1281 -- The ipSecEspTransformTable
1284 ipSecEspTransformTable OBJECT-TYPE
1285 SYNTAX SEQUENCE OF IpSecEspTransformEntry
1289 "Specifies ESP transforms."
1290 ::= { ipSecEspTransform 2 }
1292 ipSecEspTransformEntry OBJECT-TYPE
1293 SYNTAX IpSecEspTransformEntry
1296 "Specifies an instance of this class"
1297 PIB-INDEX { ipSecEspTransformPrid }
1299 ipSecEspTransformIntegrityTransformId,
1300 ipSecEspTransformCipherTransformId,
1301 ipSecEspTransformIntegrityKey,
1302 ipSecEspTransformCipherKey,
1303 ipSecEspTransformCipherKeyRounds,
1304 ipSecEspTransformCipherKeyLength,
1305 ipSecEspTransformUseReplayPrevention,
1306 ipSecEspTransformReplayPreventionWindowSize,
1307 ipSecEspTransformVendorId,
1308 ipSecEspTransformMaxLifetimeSeconds,
1309 ipSecEspTransformMaxLifetimeKilobytes
1311 ::= { ipSecEspTransformTable 1 }
1313 IpSecEspTransformEntry ::= SEQUENCE {
1314 ipSecEspTransformPrid InstanceId,
1315 ipSecEspTransformIntegrityTransformId INTEGER,
1316 ipSecEspTransformCipherTransformId INTEGER,
1317 ipSecEspTransformIntegrityKey OCTET STRING,
1318 ipSecEspTransformCipherKey OCTET STRING,
1319 ipSecEspTransformCipherKeyRounds Unsigned16,
1320 ipSecEspTransformCipherKeyLength Unsigned16,
1321 ipSecEspTransformUseReplayPrevention TruthValue,
1322 ipSecEspTransformReplayPreventionWindowSize Unsigned32,
1323 ipSecEspTransformVendorId OCTET STRING,
1324 ipSecEspTransformMaxLifetimeSeconds Unsigned32,
1325 ipSecEspTransformMaxLifetimeKilobytes Unsigned32
1328 ipSecEspTransformPrid OBJECT-TYPE
1332 "An integer index that uniquely identifies an instance of this
1334 ::= { ipSecEspTransformEntry 1 }
1336 ipSecEspTransformIntegrityTransformId OBJECT-TYPE
1346 "Specifies the transform ID of the ESP integrity algorithm to
1348 ::= { ipSecEspTransformEntry 2 }
1350 ipSecEspTransformCipherTransformId OBJECT-TYPE
1366 "Specifies the transform ID of the ESP encryption algorithm to
1368 ::= { ipSecEspTransformEntry 3 }
-- Statically configured ESP integrity key; applies only when the transform
-- is used for a Static Action and is ignored for a Negotiation Action.
-- NOTE(review): this attribute holds raw key material (OCTET STRING in
-- IpSecEspTransformEntry), so every provisioned instance is a secret wherever
-- the policy is stored, transferred or logged. Confirm that the channel
-- delivering this PIB gives confidentiality and integrity, and that the
-- value is kept out of diagnostic dumps.
1370 ipSecEspTransformIntegrityKey OBJECT-TYPE
1374 "When this ESP transform instance is used for a Static Action,
1375 this attribute specifies the integrity key to be used. This
1376 attribute MUST be ignored when this ESP transform instance is used
1377 for a Negotiation Action."
1378 ::= { ipSecEspTransformEntry 4 }
-- Statically configured ESP cipher key; applies only when the transform is
-- used for a Static Action and is ignored for a Negotiation Action.
-- NOTE(review): this attribute holds raw encryption key material (OCTET
-- STRING in IpSecEspTransformEntry). A static key is not refreshed by
-- negotiation, so exposure of the stored policy exposes the traffic key;
-- confirm the policy transport and any policy store protect this value.
1380 ipSecEspTransformCipherKey OBJECT-TYPE
1384 "When this ESP transform instance is used for a Static Action,
1385 this attribute specifies the cipher key to be used. This attribute
1386 MUST be ignored when this ESP transform instance is used for a
1387 Negotiation Action."
1388 ::= { ipSecEspTransformEntry 5 }
1390 ipSecEspTransformCipherKeyRounds OBJECT-TYPE
1396 "Specifies the number of key rounds for the ESP encryption
1397 algorithm. For encryption algorithms that use a fixed number of key
1398 rounds, this value is ignored."
1399 ::= { ipSecEspTransformEntry 6 }
1401 ipSecEspTransformCipherKeyLength OBJECT-TYPE
1405 "Specifies, in bits, the key length for the ESP encryption
1406 algorithm. For encryption algorithms that use fixed-length keys,
1407 this value is ignored."
1408 ::= { ipSecEspTransformEntry 7 }
1410 ipSecEspTransformUseReplayPrevention OBJECT-TYPE
1414 "Specifies whether to enable replay prevention detection."
1415 ::= { ipSecEspTransformEntry 8 }
1417 ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
1421 "Specifies, in bits, the length of the sliding window used by the
1422 replay prevention detection mechanism. The value of this property
1423 is ignored if UseReplayPrevention is false. It is assumed that the
1424 window size will be a power of 2."
1425 ::= { ipSecEspTransformEntry 9 }
1427 ipSecEspTransformVendorId OBJECT-TYPE
1431 "Specifies the vendor ID for vendor-defined transforms."
1432 ::= { ipSecEspTransformEntry 10 }
1434 ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE
1438 "Specifies the maximum amount of time to propose for a security
1439 association to remain valid.
1441 A value of zero indicates that the default of 8 hours be used. A
1442 non-zero value indicates the maximum seconds lifetime."
1443 ::= { ipSecEspTransformEntry 11 }
1445 ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE
1449 "Specifies the maximum kilobyte lifetime to propose for a security
1450 association to remain valid.
1452 A value of zero indicates that there should be no maximum kilobyte
1453 lifetime. A non-zero value specifies the desired kilobyte
1455 ::= { ipSecEspTransformEntry 12 }
1460 -- The ipSecCompTransformSetTable
1463 ipSecCompTransformSetTable OBJECT-TYPE
1464 SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
1468 "Specifies IPComp transform sets. Within a transform set, the
1469 choices are ORed with preference order."
1470 ::= { ipSecCompTransform 1 }
1472 ipSecCompTransformSetEntry OBJECT-TYPE
1473 SYNTAX IpSecCompTransformSetEntry
1476 "Specifies an instance of this class"
1477 PIB-INDEX { ipSecCompTransformSetPrid }
1479 ipSecCompTransformSetTransformSetId,
1480 ipSecCompTransformSetTransformId,
1481 ipSecCompTransformSetOrder
1483 ::= { ipSecCompTransformSetTable 1 }
1485 IpSecCompTransformSetEntry ::= SEQUENCE {
1486 ipSecCompTransformSetPrid InstanceId,
1487 ipSecCompTransformSetTransformSetId TagId,
1488 ipSecCompTransformSetTransformId ReferenceId,
1489 ipSecCompTransformSetOrder Unsigned16
1492 ipSecCompTransformSetPrid OBJECT-TYPE
1496 "An integer index that uniquely identifies an instance of this
1498 ::= { ipSecCompTransformSetEntry 1 }
1500 ipSecCompTransformSetTransformSetId OBJECT-TYPE
1504 "An IPCOMP transform set is composed of one or more IPCOMP
1505 transforms. Each transform belonging to the same set has the same
1507 ::= { ipSecCompTransformSetEntry 2 }
1509 ipSecCompTransformSetTransformId OBJECT-TYPE
1511 PIB-REFERENCES {ipSecCompTransformEntry }
1514 "A pointer to a valid instance in the ipSecCompTransformTable."
1515 ::= { ipSecCompTransformSetEntry 3 }
1517 ipSecCompTransformSetOrder OBJECT-TYPE
1521 "An integer that specifies the precedence order of the transform
1522 identified by ipSecCompTransformSetTransformId within a transform
1523 set. The transform set is identified by
1524 ipSecCompTransformSetTransformSetId. Transforms within a set are
1525 ORed with preference order. A smaller integer value indicates a
1527 ::= { ipSecCompTransformSetEntry 4 }
1532 -- The ipSecCompTransformTable
1535 ipSecCompTransformTable OBJECT-TYPE
1536 SYNTAX SEQUENCE OF IpSecCompTransformEntry
1540 "Specifies IP compression (IPCOMP) algorithms."
1541 ::= { ipSecCompTransform 2 }
1543 ipSecCompTransformEntry OBJECT-TYPE
1544 SYNTAX IpSecCompTransformEntry
1547 "Specifies an instance of this class"
1548 PIB-INDEX { ipSecCompTransformPrid }
1550 ipSecCompTransformAlgorithm,
1551 ipSecCompTransformDictionarySize,
1552 ipSecCompTransformPrivateAlgorithm,
1553 ipSecCompTransformVendorId,
1554 ipSecCompTransformMaxLifetimeSeconds,
1555 ipSecCompTransformMaxLifetimeKilobytes
1557 ::= { ipSecCompTransformTable 1 }
1559 IpSecCompTransformEntry ::= SEQUENCE {
1560 ipSecCompTransformPrid InstanceId,
1561 ipSecCompTransformAlgorithm INTEGER,
1562 ipSecCompTransformDictionarySize Unsigned16,
1563 ipSecCompTransformPrivateAlgorithm Unsigned32,
1564 ipSecCompTransformVendorId OCTET STRING,
1565 ipSecCompTransformMaxLifetimeSeconds Unsigned32,
1566 ipSecCompTransformMaxLifetimeKilobytes Unsigned32
1569 ipSecCompTransformPrid OBJECT-TYPE
1573 "An integer index that uniquely identifies an instance of this
1575 ::= { ipSecCompTransformEntry 1 }
1577 ipSecCompTransformAlgorithm OBJECT-TYPE
1585 "Specifies the transform ID of the IPCOMP compression algorithm to
1587 ::= { ipSecCompTransformEntry 2 }
1589 ipSecCompTransformDictionarySize OBJECT-TYPE
1593 "Specifies the log2 maximum size of the dictionary for the
1594 compression algorithm. For compression algorithms that have pre-
1595 defined dictionary sizes, this value is ignored."
1596 ::= { ipSecCompTransformEntry 3 }
1598 ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
1602 "Specifies a private vendor-specific compression algorithm."
1603 ::= { ipSecCompTransformEntry 4 }
1605 ipSecCompTransformVendorId OBJECT-TYPE
1609 "Specifies the vendor ID for vendor-defined transforms."
1610 ::= { ipSecCompTransformEntry 5 }
1612 ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE
1616 "Specifies the maximum amount of time to propose for a security
1617 association to remain valid.
1619 A value of zero indicates that the default of 8 hours be used. A
1620 non-zero value indicates the maximum seconds lifetime."
1621 ::= { ipSecCompTransformEntry 6 }
1623 ipSecCompTransformMaxLifetimeKilobytes OBJECT-TYPE
1627 "Specifies the maximum kilobyte lifetime to propose for a security
1628 association to remain valid.
1630 A value of zero indicates that there should be no maximum kilobyte
1631 lifetime. A non-zero value specifies the desired kilobyte
1633 ::= { ipSecCompTransformEntry 7 }
1638 -- The ipSecIkeRuleTable
1641 ipSecIkeRuleTable OBJECT-TYPE
1642 SYNTAX SEQUENCE OF IpSecIkeRuleEntry
1646 "Specifies IKE rules. This table is required only when specifying:
1648 - Multiple IKE phase one actions (e.g., with different exchange
1649 modes) that are associated with one IPsec association. These
1650 actions are to be tried in sequence until one succeeds.
1652 - IKE phase one actions that start automatically.
1654 Support of this table is optional."
1655 ::= { ipSecIkeAssociation 1 }
1657 ipSecIkeRuleEntry OBJECT-TYPE
1658 SYNTAX IpSecIkeRuleEntry
1661 "Specifies an instance of this class"
1662 PIB-INDEX { ipSecIkeRulePrid }
1666 ipSecIkeRuleIkeActionSetId,
1667 ipSecIkeRuleActionExecutionStrategy,
1668 ipSecIkeRuleLimitNegotiation,
1669 ipSecIkeRuleAutoStart
1671 ::= { ipSecIkeRuleTable 1 }
1673 IpSecIkeRuleEntry ::= SEQUENCE {
1674 ipSecIkeRulePrid InstanceId,
1675 ipSecIkeRuleIfName SnmpAdminString,
1676 ipSecIkeRuleRoles RoleCombination,
1677 ipSecIkeRuleIkeActionSetId TagReferenceId,
1678 ipSecIkeRuleActionExecutionStrategy INTEGER,
1679 ipSecIkeRuleLimitNegotiation INTEGER,
1680 ipSecIkeRuleAutoStart TruthValue,
1681 ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId
1684 ipSecIkeRulePrid OBJECT-TYPE
1688 "An integer index that uniquely identifies an instance of this
1690 ::= { ipSecIkeRuleEntry 1 }
1692 ipSecIkeRuleIfName OBJECT-TYPE
1693 SYNTAX SnmpAdminString
1696 "The interface capability set to which this IKE rule applies. The
1697 interface capability name specified by this attribute must exist
1698 in the frwkIfCapSetTable [FR-PIB] prior to association with an
1699 instance of this class.
1701 This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
1702 ::= { ipSecIkeRuleEntry 2 }
1704 ipSecIkeRuleRoles OBJECT-TYPE
1705 SYNTAX RoleCombination
1708 "Specifies the role combination of the interface to which this IKE
1709 rule should apply. There must exist an instance in the
1710 frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
1711 combination, together with the interface capability set specified
1712 by ipSecIkeRuleIfName, prior to association with an instance of
1715 This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
1716 ::= { ipSecIkeRuleEntry 3 }
1718 ipSecIkeRuleIkeActionSetId OBJECT-TYPE
1719 SYNTAX TagReferenceId
1720 PIB-TAG { ipSecIkeActionSetActionSetId }
1723 "Identifies a set of IKE actions to be associated with this rule."
1724 ::= { ipSecIkeRuleEntry 4 }
1726 ipSecIkeRuleActionExecutionStrategy OBJECT-TYPE
1733 "Specifies the strategy to be used in executing the sequenced
1734 actions in the action set identified by ipSecIkeRuleIkeActionSetId.
1736 DoAll (1) causes the execution of all the actions in the action
1737 set according to their defined precedence order. The precedence
1738 order is specified by the ipSecIkeActionSetOrder in
1739 ipSecIkeActionSetTable.
1741 DoUntilSuccess (2) causes the execution of actions according to
1742 their defined precedence order until a successful execution of a
1743 single action. The precedence order is specified by the
1744 ipSecIkeActionSetOrder in ipSecIkeActionSetTable."
1745 ::= { ipSecIkeRuleEntry 5 }
1747 ipSecIkeRuleLimitNegotiation OBJECT-TYPE
1755 "Limits the negotiation method. Before proceeding with a phase 1
1756 negotiation, this property is checked to determine if the
1757 negotiation role of the rule matches that defined for the
1758 negotiation being undertaken (e.g., Initiator, Responder, or
1759 Both). If this check fails (e.g. the current role is IKE responder
1760 while the rule specifies IKE initiator), then the IKE negotiation
1761 is stopped. Note that this only applies to new IKE phase 1
1762 negotiations and has no effect on either renegotiation or refresh
1763 operations with peers for which an established SA already exists."
1764 ::= { ipSecIkeRuleEntry 6 }
1766 ipSecIkeRuleAutoStart OBJECT-TYPE
1770 "Indicates if this rule should be automatically executed."
1771 ::= { ipSecIkeRuleEntry 7 }
1773 ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
1774 SYNTAX TagReferenceId
1775 PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
1778 "Identifies a rule time period set, specified in
1779 ipSecRuleTimePeriodSetTable, that is associated with this rule.
1781 A value of zero indicates that this rule is always valid."
1782 ::= { ipSecIkeRuleEntry 8 }
1787 -- The ipSecIkeActionSetTable
1790 ipSecIkeActionSetTable OBJECT-TYPE
1791 SYNTAX SEQUENCE OF IpSecIkeActionSetEntry
1795 "Specifies IKE action sets."
1796 ::= { ipSecIkeAssociation 2 }
1798 ipSecIkeActionSetEntry OBJECT-TYPE
1799 SYNTAX IpSecIkeActionSetEntry
1802 "Specifies an instance of this class"
1803 PIB-INDEX { ipSecIkeActionSetPrid }
1805 ipSecIkeActionSetActionSetId,
1806 ipSecIkeActionSetActionId,
1807 ipSecIkeActionSetOrder
1809 ::= { ipSecIkeActionSetTable 1 }
1811 IpSecIkeActionSetEntry ::= SEQUENCE {
1812 ipSecIkeActionSetPrid InstanceId,
1813 ipSecIkeActionSetActionSetId TagId,
1814 ipSecIkeActionSetActionId Prid,
1815 ipSecIkeActionSetOrder Unsigned16
1818 ipSecIkeActionSetPrid OBJECT-TYPE
1822 "An integer index that uniquely identifies an instance of this
1824 ::= { ipSecIkeActionSetEntry 1 }
1826 ipSecIkeActionSetActionSetId OBJECT-TYPE
1830 "An IKE action set is composed of one or more IKE actions. Each
1831 action belonging to the same set has the same ActionSetId."
1832 ::= { ipSecIkeActionSetEntry 2 }
1834 ipSecIkeActionSetActionId OBJECT-TYPE
1838 "A pointer to a valid instance in the ipSecIkeAssociationTable."
1839 ::= { ipSecIkeActionSetEntry 3 }
1841 ipSecIkeActionSetOrder OBJECT-TYPE
1845 "Specifies the precedence order of the action within the action
1846 set. An action with a smaller precedence order is to be tried
1847 before one with a larger precedence order. "
1848 ::= { ipSecIkeActionSetEntry 4 }
1853 -- The ipSecIkeAssociationTable
1856 ipSecIkeAssociationTable OBJECT-TYPE
1857 SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
1861 "Specifies IKE associations."
1862 ::= { ipSecIkeAssociation 3 }
1864 ipSecIkeAssociationEntry OBJECT-TYPE
1865 SYNTAX IpSecIkeAssociationEntry
1868 "Specifies an instance of this class"
1869 PIB-INDEX { ipSecIkeAssociationPrid }
1871 ipSecIkeAssociationMinLiftetimeSeconds,
1872 ipSecIkeAssociationMinLifetimeKilobytes,
1873 ipSecIkeAssociationIdleDurationSeconds,
1874 ipSecIkeAssociationExchangeMode,
1875 ipSecIkeAssociationUseIkeIdentityType,
1876 ipSecIkeAssociationUseIkeIdentityValue,
1877 ipSecIkeAssociationIkePeerEndpoint,
1878 ipSecIkeAssociationPresharedKey,
1879 ipSecIkeAssociationVendorId,
1880 ipSecIkeAssociationAggressiveModeGroupId,
1881 ipSecIkeAssociationLocalCredentialId,
1882 ipSecIkeAssociationDoActionLogging,
1883 ipSecIkeAssociationIkeProposalSetId
1885 ::= { ipSecIkeAssociationTable 1 }
1887 IpSecIkeAssociationEntry ::= SEQUENCE {
1888 ipSecIkeAssociationPrid InstanceId,
1889 ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
1890 ipSecIkeAssociationMinLifetimeKilobytes Unsigned32,
1891 ipSecIkeAssociationIdleDurationSeconds Unsigned32,
1892 ipSecIkeAssociationExchangeMode INTEGER,
1893 ipSecIkeAssociationUseIkeIdentityType INTEGER,
1894 ipSecIkeAssociationUseIkeIdentityValue OCTET STRING,
1895 ipSecIkeAssociationIkePeerEndpoint ReferenceId,
1896 ipSecIkeAssociationPresharedKey OCTET STRING,
1897 ipSecIkeAssociationVendorId OCTET STRING,
1898 ipSecIkeAssociationAggressiveModeGroupId Unsigned16,
1899 ipSecIkeAssociationLocalCredentialId TagReferenceId,
1900 ipSecIkeAssociationDoActionLogging TruthValue,
1901 ipSecIkeAssociationIkeProposalSetId TagReferenceId
1904 ipSecIkeAssociationPrid OBJECT-TYPE
1908 "An integer index that uniquely identifies an instance of this
1910 ::= { ipSecIkeAssociationEntry 1 }
1912 ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
1916 "Specifies the minimum SA seconds lifetime that will be accepted
1917 from a peer while negotiating an SA based upon this action.
1919 A value of zero indicates that there is no minimum lifetime
1921 ::= { ipSecIkeAssociationEntry 2 }
1923 ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
1927 "Specifies the minimum kilobyte lifetime that will be accepted
1928 from a negotiating peer while negotiating an SA based upon this
1931 A value of zero indicates that there is no minimum lifetime
1933 ::= { ipSecIkeAssociationEntry 3 }
1935 ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE
1939 "Specifies how long, in seconds, a security association may remain
1940 unused before it is deleted.
1942 A value of zero indicates that idle detection should not be used
1943 for the security association (only the seconds and kilobyte
1944 lifetimes will be used)."
1945 ::= { ipSecIkeAssociationEntry 4 }
1947 ipSecIkeAssociationExchangeMode OBJECT-TYPE
1955 "Specifies the negotiation mode that the IKE server will use for
1957 ::= { ipSecIkeAssociationEntry 5 }
1959 ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE
1967 ipV4-Address-Range(7),
1968 ipV6-Address-Range(8),
1975 "Specifies the type of IKE identity to use during IKE phase one
1977 ::= { ipSecIkeAssociationEntry 6 }
1979 ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE
1983 "Specifies the ID payload value to be provided to the peer during
1984 IKE phase one negotiation."
1985 ::= { ipSecIkeAssociationEntry 7 }
1987 ipSecIkeAssociationIkePeerEndpoint OBJECT-TYPE
1989 PIB-REFERENCES {ipSecIkePeerEndpointEntry }
1992 "Pointer to a valid instance in the ipSecIkePeerEndpointTable to
1993 indicate an IKE peer endpoint."
1994 ::= { ipSecIkeAssociationEntry 8 }
-- Preshared key or secret used for IKE authentication by this association.
-- NOTE(review): the value is a long-lived authentication secret (OCTET STRING
-- in IpSecIkeAssociationEntry) and, per the description, is shared by all
-- proposals of the association that select preshared-key authentication, so
-- one disclosure affects all of them. Confirm that the channel delivering
-- this PIB and any policy store protect it. When the association uses
-- aggressive mode (see ipSecIkeAssociationExchangeMode), a low-entropy key is
-- open to offline guessing, so provision a high-entropy value.
1996 ipSecIkeAssociationPresharedKey OBJECT-TYPE
2000 "This attribute specifies the preshared key or secret to use for
2001 IKE authentication. This is the key for all the IKE proposals of
2002 this association that set ipSecIkeProposalAuthenticationMethod to
2004 ::= { ipSecIkeAssociationEntry 9 }
2006 ipSecIkeAssociationVendorId OBJECT-TYPE
2010 "Specifies the value to be used in the Vendor ID payload.
2012 A value of NULL means that Vendor ID payload will be neither
2013 generated nor accepted. A non-NULL value means that a Vendor ID
2014 payload will be generated (when acting as an initiator) or is
2015 expected (when acting as a responder). "
2016 ::= { ipSecIkeAssociationEntry 10 }
2018 ipSecIkeAssociationAggressiveModeGroupId OBJECT-TYPE
2022 "Specifies the group ID to be used for aggressive mode. This
2023 attribute is ignored unless the attribute
2024 ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). If
2025 the value of this attribute is from the vendor-specific range
2026 (32768-65535), this attribute qualifies the group number."
2027 ::= { ipSecIkeAssociationEntry 11 }
2029 ipSecIkeAssociationLocalCredentialId OBJECT-TYPE
2030 SYNTAX TagReferenceId
2031 PIB-TAG { ipSecCredentialSetSetId }
2034 "Indicates a group of credentials. One of the credentials in the
2035 group MUST be used when establishing an IKE association with the
2037 ::= { ipSecIkeAssociationEntry 12 }
2039 ipSecIkeAssociationDoActionLogging OBJECT-TYPE
2043 "Specifies whether a log message is to be generated when the
2044 negotiation is attempted (with the success or failure result)."
2045 ::= { ipSecIkeAssociationEntry 13 }
2047 ipSecIkeAssociationIkeProposalSetId OBJECT-TYPE
2048 SYNTAX TagReferenceId
2049 PIB-TAG { ipSecIkeProposalSetProposalSetId }
2052 "Identifies a set of IKE proposals that is associated with this
2054 ::= { ipSecIkeAssociationEntry 14 }
2059 -- The ipSecIkeProposalSetTable
2062 ipSecIkeProposalSetTable OBJECT-TYPE
2063 SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
2067 "Specifies IKE proposal sets. Proposals within a set are ORed with
2069 ::= { ipSecIkeAssociation 4 }
2071 ipSecIkeProposalSetEntry OBJECT-TYPE
2072 SYNTAX IpSecIkeProposalSetEntry
2075 "Specifies an instance of this class"
2076 PIB-INDEX { ipSecIkeProposalSetPrid }
2078 ipSecIkeProposalSetProposalSetId,
2079 ipSecIkeProposalSetProposalId,
2080 ipSecIkeProposalSetOrder
2082 ::= { ipSecIkeProposalSetTable 1 }
2084 IpSecIkeProposalSetEntry ::= SEQUENCE {
2085 ipSecIkeProposalSetPrid InstanceId,
2086 ipSecIkeProposalSetProposalSetId TagId,
2087 ipSecIkeProposalSetProposalId ReferenceId,
2088 ipSecIkeProposalSetOrder Unsigned16
2091 ipSecIkeProposalSetPrid OBJECT-TYPE
2095 "An integer index that uniquely identifies an instance of this
2097 ::= { ipSecIkeProposalSetEntry 1 }
2099 ipSecIkeProposalSetProposalSetId OBJECT-TYPE
2103 "An IKE proposal set is composed of one or more IKE proposals.
2104 Each proposal belonging to the same set has the same
2106 ::= { ipSecIkeProposalSetEntry 2 }
2108 ipSecIkeProposalSetProposalId OBJECT-TYPE
2110 PIB-REFERENCES {ipSecIkeProposalEntry }
2113 "A pointer to a valid instance in the ipSecIkeProposalTable."
2114 ::= { ipSecIkeProposalSetEntry 3 }
2116 ipSecIkeProposalSetOrder OBJECT-TYPE
2120 "An integer that specifies the precedence order of the proposal
2121 identified by ipSecIkeProposalSetProposalId in a proposal set. The
2122 proposal set is identified by ipSecIkeProposalSetProposalSetId.
2123 Proposals within a set are ORed with preference order. A smaller
2124 integer value indicates a higher preference."
2125 ::= { ipSecIkeProposalSetEntry 4 }
2130 -- The ipSecIkeProposalTable
2133 ipSecIkeProposalTable OBJECT-TYPE
2134 SYNTAX SEQUENCE OF IpSecIkeProposalEntry
2138 "Specifies IKE proposals."
2139 ::= { ipSecIkeAssociation 5 }
2141 ipSecIkeProposalEntry OBJECT-TYPE
2142 SYNTAX IpSecIkeProposalEntry
2145 "Specifies an instance of this class"
2146 PIB-INDEX { ipSecIkeProposalPrid }
2148 ipSecIkeProposalMaxLifetimeSeconds,
2149 ipSecIkeProposalMaxLifetimeKilobytes,
2150 ipSecIkeProposalCipherAlgorithm,
2151 ipSecIkeProposalHashAlgorithm,
2152 ipSecIkeProposalAuthenticationMethod,
2153 ipSecIkeProposalPrfAlgorithm,
2154 ipSecIkeProposalIkeDhGroup,
2155 ipSecIkeProposalVendorId
2157 ::= { ipSecIkeProposalTable 1 }
2159 IpSecIkeProposalEntry ::= SEQUENCE {
2160 ipSecIkeProposalPrid InstanceId,
2161 ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
2162 ipSecIkeProposalMaxLifetimeKilobytes Unsigned32,
2163 ipSecIkeProposalCipherAlgorithm INTEGER,
2164 ipSecIkeProposalHashAlgorithm INTEGER,
2165 ipSecIkeProposalAuthenticationMethod INTEGER,
2166 ipSecIkeProposalPrfAlgorithm Unsigned16,
2167 ipSecIkeProposalIkeDhGroup Unsigned16,
2168 ipSecIkeProposalVendorId OCTET STRING
2171 ipSecIkeProposalPrid OBJECT-TYPE
2175 "An integer index that uniquely identifies an instance of this
2177 ::= { ipSecIkeProposalEntry 1 }
2179 ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
2183 "Specifies the maximum amount of time to propose for a security
2184 association to remain valid.
2186 A value of zero indicates that the default of 8 hours be used. A
2187 non-zero value indicates the maximum seconds lifetime."
2188 ::= { ipSecIkeProposalEntry 2 }
2190 ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
2194 "Specifies the maximum kilobyte lifetime to propose for a security
2195 association to remain valid.
2197 A value of zero indicates that there should be no maximum kilobyte
2198 lifetime. A non-zero value specifies the desired kilobyte
2200 ::= { ipSecIkeProposalEntry 3 }
2202 ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
2213 "Specifies the encryption algorithm to propose for the IKE
2215 ::= { ipSecIkeProposalEntry 4 }
2217 ipSecIkeProposalHashAlgorithm OBJECT-TYPE
2225 "Specifies the hash algorithm to propose for the IKE association."
2226 ::= { ipSecIkeProposalEntry 5 }
2228 ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
2234 revisedRsaEncryption(5),
2239 "Specifies the authentication method to propose for the IKE
2241 ::= { ipSecIkeProposalEntry 6 }
2243 ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
2247 "Specifies the Pseudo-Random Function (PRF) to propose for the IKE
2249 ::= { ipSecIkeProposalEntry 7 }
2251 ipSecIkeProposalIkeDhGroup OBJECT-TYPE
2255 "Specifies the Diffie-Hellman group to propose for the IKE
2256 association. The value of this property is to be ignored when
2257 doing aggressive mode."
2258 ::= { ipSecIkeProposalEntry 8 }
2260 ipSecIkeProposalVendorId OBJECT-TYPE
2264 "Further qualifies the key exchange group. The property is
2265 ignored unless the exchange is not in aggressive mode and the
2266 property GroupID is in the vendor-specific range."
2267 ::= { ipSecIkeProposalEntry 9 }
2272 -- The ipSecIkePeerEndpointTable
2275 ipSecIkePeerEndpointTable OBJECT-TYPE
2276 SYNTAX SEQUENCE OF IpSecIkePeerEndpointEntry
2280 "Specifies IKE peer endpoints."
2281 ::= { ipSecIkeAssociation 6 }
2283 ipSecIkePeerEndpointEntry OBJECT-TYPE
2284 SYNTAX IpSecIkePeerEndpointEntry
2287 "Specifies an instance of this class"
2288 PIB-INDEX { ipSecIkePeerEndpointPrid }
2290 ipSecIkePeerEndpointIdentityType,
2291 ipSecIkePeerEndpointIdentityValue,
2292 ipSecIkePeerEndpointAddressType,
2293 ipSecIkePeerEndpointAddress,
2294 ipSecIkePeerEndpointCredentialSetId
2296 ::= { ipSecIkePeerEndpointTable 1 }
2298 IpSecIkePeerEndpointEntry ::= SEQUENCE {
2299 ipSecIkePeerEndpointPrid InstanceId,
2300 ipSecIkePeerEndpointIdentityType INTEGER,
2301 ipSecIkePeerEndpointIdentityValue OCTET STRING,
2302 ipSecIkePeerEndpointAddressType INTEGER,
2303 ipSecIkePeerEndpointAddress OCTET STRING,
2304 ipSecIkePeerEndpointCredentialSetId TagReferenceId
2307 ipSecIkePeerEndpointPrid OBJECT-TYPE
2311 "An integer index that uniquely identifies an instance of this
2313 ::= { ipSecIkePeerEndpointEntry 1 }
2315 ipSecIkePeerEndpointIdentityType OBJECT-TYPE
2323 ipV4-Address-Range(7),
2324 ipV6-Address-Range(8),
2331 "Specifies the type of identity that MUST be provided by the peer
2332 in the ID payload during IKE phase one negotiation."
2333 ::= { ipSecIkePeerEndpointEntry 2 }
2335 ipSecIkePeerEndpointIdentityValue OBJECT-TYPE
2339 "Specifies the value to be matched with the ID payload provided by
2340 the peer during IKE phase one negotiation.
2342 Different wildcard mechanisms can be used as well as the
2343 prefix notation for IPv4 addresses depending on the ID payload:
2345 - an IdentityValue of "*@company.com" will match a user FQDN ID
2346 payload of "JDOE@COMPANY.COM"
2348 - an IdentityValue of "*.company.com" will match a FQDN ID payload
2349 of "WWW.COMPANY.COM"
2351 - an IdentityValue of "cn=*,ou=engineering,o=company,c=us" will
2352 match a DER DN ID payload of "cn=John Doe, ou=engineering,
2355 - an IdentityValue of "193.190.125.0/24" will match an IPv4
2356 address ID payload of 193.190.125.10.
2358 - an IdentityValue of "193.190.125.*" will also match an IPv4
2359 address ID payload of 193.190.125.10.
2361 The above wildcard mechanisms MUST be supported for all ID
2362 payloads supported by the local IKE entity. The character "*"
2363 replaces 0 or multiple instances of any character."
2364 ::= { ipSecIkePeerEndpointEntry 3 }
2366 ipSecIkePeerEndpointAddressType OBJECT-TYPE
2373 "Specifies IKE peer endpoint address type. This attribute MUST be
2374 ignored if ipSecIkeRuleAutoStart is false."
2375 ::= { ipSecIkePeerEndpointEntry 4 }
2377 ipSecIkePeerEndpointAddress OBJECT-TYPE
2381 "Specifies an endpoint address with which this PEP establishes IKE
2382 association. This attribute is used only when the IKE association
2383 is to be started automatically. Hence, this attribute MUST be
2384 ignored if ipSecIkeRuleAutoStart is false."
2385 ::= { ipSecIkePeerEndpointEntry 5 }
2387 ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE
2388 SYNTAX TagReferenceId
2389 PIB-TAG { ipSecCredentialSetSetId }
2392 "Identifies a set of credentials. Any one of the credentials in
2393 the set is acceptable as the IKE peer credential."
2394 ::= { ipSecIkePeerEndpointEntry 6 }
2399 -- The ipSecCredentialSetTable
2402 ipSecCredentialSetTable OBJECT-TYPE
2403 SYNTAX SEQUENCE OF IpSecCredentialSetEntry
2407 "Specifies credential sets.
2409 For IKE peer credentials, any one of the credentials in the set is
2410 acceptable as the peer credential during IKE phase 1 negotiation. For
2411 IKE local credentials, any one of the credentials in the set can
2412 be used in IKE phase 1 negotiation."
2413 ::= { ipSecCredential 1 }
2415 ipSecCredentialSetEntry OBJECT-TYPE
2416 SYNTAX IpSecCredentialSetEntry
2419 "Specifies an instance of this class"
2420 PIB-INDEX { ipSecCredentialSetPrid }
2422 ipSecCredentialSetPrid,
2423 ipSecCredentialSetSetId,
2424 ipSecCredentialSetCredentialId
2426 ::= { ipSecCredentialSetTable 1 }
2428 IpSecCredentialSetEntry ::= SEQUENCE {
2429 ipSecCredentialSetPrid InstanceId,
2430 ipSecCredentialSetSetId TagId,
2431 ipSecCredentialSetCredentialId ReferenceId
2434 ipSecCredentialSetPrid OBJECT-TYPE
2438 "An integer index that uniquely identifies an instance of this
2440 ::= { ipSecCredentialSetEntry 1 }
2442 ipSecCredentialSetSetId OBJECT-TYPE
2446 "A credential set is composed of one or more credentials. Each
2447 credential belonging to the same set has the same
2449 ::= { ipSecCredentialSetEntry 2 }
2451 ipSecCredentialSetCredentialId OBJECT-TYPE
2453 PIB-REFERENCES {ipSecCredentialEntry }
2456 "A pointer to a valid instance in the ipSecCredentialTable."
2457 ::= { ipSecCredentialSetEntry 3 }
2462 -- The ipSecCredentialTable
2465 ipSecCredentialTable OBJECT-TYPE
2466 SYNTAX SEQUENCE OF IpSecCredentialEntry
2470 "Specifies credentials."
2471 ::= { ipSecCredential 2 }
2473 ipSecCredentialEntry OBJECT-TYPE
2474 SYNTAX IpSecCredentialEntry
2477 "Specifies an instance of this class"
2478 PIB-INDEX { ipSecCredentialPrid }
2480 ipSecCredentialCredentialType,
2481 ipSecCredentialFieldsId,
2482 ipSecCredentialCrlDistributionPoint
2484 ::= { ipSecCredentialTable 1 }
2486 IpSecCredentialEntry ::= SEQUENCE {
2487 ipSecCredentialPrid InstanceId,
2488 ipSecCredentialCredentialType INTEGER,
2489 ipSecCredentialFieldsId TagReferenceId,
2490 ipSecCredentialCrlDistributionPoint OCTET STRING
2493 ipSecCredentialPrid OBJECT-TYPE
2497 "An integer index that uniquely identifies an instance of this
2499 ::= { ipSecCredentialEntry 1 }
2501 ipSecCredentialCredentialType OBJECT-TYPE
2508 "Specifies the type of credential to be matched."
2509 ::= { ipSecCredentialEntry 2 }
2511 ipSecCredentialFieldsId OBJECT-TYPE
2512 SYNTAX TagReferenceId
2513 PIB-TAG { ipSecCredentialFieldsSetId }
2516 "Identifies a group of matching criteria to be used for the peer
2517 credential. The identified criteria MUST all be satisfied."
2518 ::= { ipSecCredentialEntry 3 }
-- Location of the CRL used to check revocation of an X.509 certificate
-- credential.
-- NOTE(review): IpSecCredentialEntry as listed here has no attribute that
-- says what happens when the CRL cannot be retrieved or has expired. Confirm
-- whether the credential is rejected in that case, and that the CRL's
-- signature is validated rather than the distribution point being trusted.
2520 ipSecCredentialCrlDistributionPoint OBJECT-TYPE
2524 "When credential type is certificate X509, this attribute
2525 identifies the Certificate Revocation List (CRL) distribution
2526 point for this credential."
2527 ::= { ipSecCredentialEntry 4 }
2532 -- The ipSecCredentialFieldsTable
2535 ipSecCredentialFieldsTable OBJECT-TYPE
2536 SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry
2540 "Specifies sets of credential sub-fields and their values to be
2542 ::= { ipSecCredential 3 }
2544 ipSecCredentialFieldsEntry OBJECT-TYPE
2545 SYNTAX IpSecCredentialFieldsEntry
2548 "Specifies an instance of this class"
2549 PIB-INDEX { ipSecCredentialFieldsPrid }
2551 ipSecCredentialFieldsName,
2552 ipSecCredentialFieldsValue,
2553 ipSecCredentialFieldsSetId
2555 ::= { ipSecCredentialFieldsTable 1 }
2557 IpSecCredentialFieldsEntry ::= SEQUENCE {
2558 ipSecCredentialFieldsPrid InstanceId,
2559 ipSecCredentialFieldsName OCTET STRING,
2560 ipSecCredentialFieldsValue OCTET STRING,
2561 ipSecCredentialFieldsSetId TagId
2564 ipSecCredentialFieldsPrid OBJECT-TYPE
2568 "An integer index that uniquely identifies an instance of this
2570 ::= { ipSecCredentialFieldsEntry 1 }
2572 ipSecCredentialFieldsName OBJECT-TYPE
2576 "Specifies the sub-field of the credential to match with. This is
2577 the string representation of an X.509 certificate attribute, e.g.:
2578 "serialNumber", "issuerName", "subjectName", etc.
2580 ::= { ipSecCredentialFieldsEntry 2 }
-- NOTE(review): the example pattern has no spaces after its commas while
-- the matched subject does, so the comparison presumably runs on a
-- normalized DN string rather than on the raw text; confirm.
-- The description does not say whether '*' may match across a ','
-- separator. If it may, a pattern meant to pin one RDN value would also
-- accept subjects carrying extra RDNs in that position. Settle both
-- points before using Value patterns to decide which peers are accepted.
2582 ipSecCredentialFieldsValue OBJECT-TYPE
2586 "Specifies the value to match with for the sub-field identified by
2587 ipSecCredentialFieldsName. A wildcard mechanism can be used in the
2588 Value string. E.g., if the Name is "subjectName" then a Value of
2589 "cn=*,ou=engineering,o=foo,c=be" will match successfully a
2590 certificate whose subject attribute is "cn=Jane Doe,
2591 ou=engineering, o=foo, c=be". The wildcard character '*' can be
2592 used to represent 0 or several characters."
2593 ::= { ipSecCredentialFieldsEntry 3 }
2595 ipSecCredentialFieldsSetId OBJECT-TYPE
2599 "Specifies the set this criterion belongs to. All criteria within a
2600 set MUST be satisfied."
2601 ::= { ipSecCredentialFieldsEntry 4 }
2606 -- The ipSecSelectorSetTable
2609 ipSecSelectorSetTable OBJECT-TYPE
2610 SYNTAX SEQUENCE OF IpSecSelectorSetEntry
2614 "Specifies IPsec selector sets."
2615 ::= { ipSecSelector 1 }
2617 ipSecSelectorSetEntry OBJECT-TYPE
2618 SYNTAX IpSecSelectorSetEntry
2621 "Specifies an instance of this class"
2622 PIB-INDEX { ipSecSelectorSetPrid }
2624 ipSecSelectorSetSelectorSetId,
2625 ipSecSelectorSetSelectorId,
2626 ipSecSelectorSetOrder
2628 ::= { ipSecSelectorSetTable 1 }
2630 IpSecSelectorSetEntry ::= SEQUENCE {
2631 ipSecSelectorSetPrid InstanceId,
2632 ipSecSelectorSetSelectorSetId TagId,
2633 ipSecSelectorSetSelectorId Prid,
2634 ipSecSelectorSetOrder Unsigned16
2637 ipSecSelectorSetPrid OBJECT-TYPE
2641 "An integer index that uniquely identifies an instance of this
2643 ::= { ipSecSelectorSetEntry 1 }
2645 ipSecSelectorSetSelectorSetId OBJECT-TYPE
2649 "An IPsec selector set is composed of one or more IPsec selectors.
2650 Each selector belonging to the same set has the same
2652 ::= { ipSecSelectorSetEntry 2 }
2654 ipSecSelectorSetSelectorId OBJECT-TYPE
2658 "A pointer to a valid instance in another table that describes
2659 selectors. To use selectors defined in this IPsec PIB module, this
2660 attribute MUST point to an instance in ipSecSelectorTable. This
2661 attribute may also point to an instance in a selector or filter
2662 table defined in other PIB modules."
2663 ::= { ipSecSelectorSetEntry 3 }
2665 ipSecSelectorSetOrder OBJECT-TYPE
2669 "An integer that specifies the precedence order of the selectors
2670 identified by ipSecSelectorSetSelectorId within a selector set. The
2671 selector set is identified by ipSecSelectorSetSelectorSetId. A smaller
2672 integer value indicates a higher preference. All selectors constructed
2673 from the instance pointed to by ipSecSelectorSetSelectorId have the same order."
2674 ::= { ipSecSelectorSetEntry 4 }
2679 -- The ipSecSelectorTable
2682 ipSecSelectorTable OBJECT-TYPE
2683 SYNTAX SEQUENCE OF IpSecSelectorEntry
2687 "Specifies IPsec selectors. Each row in the selector table
2688 represents multiple selectors. These selectors are obtained as
2691 1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
2692 addresses from the ipSecAddressTable whose ipSecAddressGroupId
2693 matches the ipSecSelectorSrcAddressGroupId.
2695 2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
2696 addresses from the ipSecAddressTable whose ipSecAddressGroupId
2697 matches the ipSecSelectorDstAddressGroupId.
2699 3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
2700 or ranges of ports whose ipSecL4PortGroupId matches the
2701 ipSecSelectorSrcPortGroupId.
2703 4. Substitute the ipSecSelectorDstPortGroupId with all the ports
2704 or ranges of ports whose ipSecL4PortGroupId matches the
2705 ipSecSelectorDstPortGroupId.
2707 5. Construct all the possible combinations of the above four
2708 fields. Then add to the combinations the ipSecSelectorProtocol,
2709 ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
2710 the list of selectors.
2712 The relative order of the selectors constructed from a single row
2714 ::= { ipSecSelector 2 }
2716 ipSecSelectorEntry OBJECT-TYPE
2717 SYNTAX IpSecSelectorEntry
2720 "Specifies an instance of this class"
2721 PIB-INDEX { ipSecSelectorPrid }
2723 ipSecSelectorSrcAddressGroupId,
2724 ipSecSelectorSrcPortGroupId,
2725 ipSecSelectorDstAddressGroupId,
2726 ipSecSelectorDstPortGroupId,
2727 ipSecSelectorProtocol,
2729 ipSecSelectorFlowLabel
2731 ::= { ipSecSelectorTable 1 }
2733 IpSecSelectorEntry ::= SEQUENCE {
2734 ipSecSelectorPrid InstanceId,
2735 ipSecSelectorSrcAddressGroupId TagReferenceId,
2736 ipSecSelectorSrcPortGroupId TagReferenceId,
2737 ipSecSelectorDstAddressGroupId TagReferenceId,
2738 ipSecSelectorDstPortGroupId TagReferenceId,
2739 ipSecSelectorProtocol INTEGER,
2740 ipSecSelectorDscp INTEGER,
2741 ipSecSelectorFlowLabel OCTET STRING
2744 ipSecSelectorPrid OBJECT-TYPE
2748 "An integer index that uniquely identifies an instance of this
2750 ::= { ipSecSelectorEntry 1 }
2752 ipSecSelectorSrcAddressGroupId OBJECT-TYPE
2753 SYNTAX TagReferenceId
2754 PIB-TAG { ipSecAddressGroupId }
2757 "Indicates source addresses. All addresses in ipSecAddressTable
2758 whose ipSecAddressGroupId matches this value are included as
2761 A value of zero indicates wildcard address, i.e., any address
2763 ::= { ipSecSelectorEntry 2 }
2765 ipSecSelectorSrcPortGroupId OBJECT-TYPE
2766 SYNTAX TagReferenceId
2767 PIB-TAG { ipSecL4PortGroupId }
2770 "Indicates source layer 4 port numbers. All ports in ipSecL4Port
2771 whose ipSecL4PortGroupId matches this value are included.
2774 A value of zero indicates wildcard port, i.e., any port number
2776 ::= { ipSecSelectorEntry 3 }
2778 ipSecSelectorDstAddressGroupId OBJECT-TYPE
2779 SYNTAX TagReferenceId
2780 PIB-TAG { ipSecAddressGroupId }
2783 "Indicates destination addresses. All addresses in
2784 ipSecAddressTable whose ipSecAddressGroupId matches this value are
2785 included as destination addresses.
2787 A value of zero indicates wildcard address, i.e., any address
2789 ::= { ipSecSelectorEntry 4 }
2791 ipSecSelectorDstPortGroupId OBJECT-TYPE
2792 SYNTAX TagReferenceId
2793 PIB-TAG { ipSecL4PortGroupId }
2796 "Indicates destination layer 4 port numbers. All ports in
2797 ipSecL4Port whose ipSecL4PortGroupId matches this value are
2800 A value of zero indicates wildcard port, i.e., any port number
2802 ::= { ipSecSelectorEntry 5 }
2804 ipSecSelectorProtocol OBJECT-TYPE
2805 SYNTAX INTEGER (0..255)
2808 "Specifies IP protocol to match against a packet's protocol. A
2809 value of zero indicates wildcard protocol, i.e., any protocol
2811 ::= { ipSecSelectorEntry 6 }
2813 ipSecSelectorDscp OBJECT-TYPE
2814 SYNTAX INTEGER (-1..63)
2817 "Specifies the DSCP value to match against the DSCP in a packet
2818 header. A value of -1 indicates match all."
2819 ::= { ipSecSelectorEntry 7 }
2821 ipSecSelectorFlowLabel OBJECT-TYPE
2827 "Specifies the Flow Label to match against the Flow Label field in
2828 the IPv6 header of a packet. This attribute MUST be a zero length
2829 OCTET STRING when specifying selectors for IPv4 packets."
2830 ::= { ipSecSelectorEntry 8 }
2835 -- The ipSecAddressTable
2838 ipSecAddressTable OBJECT-TYPE
2839 SYNTAX SEQUENCE OF IpSecAddressEntry
2843 "Specifies IP addresses. To specify a single IP address,
2844 ipSecAddressAddrMin MUST be specified. To specify a range of
2845 addresses, both ipSecAddressAddrMin and ipSecAddressAddrMax MUST
2846 be specified. To specify a subnet, both ipSecAddressAddrMin and
2847 ipSecAddressAddrMask MUST be specified. "
2848 ::= { ipSecSelector 3 }
2850 ipSecAddressEntry OBJECT-TYPE
2851 SYNTAX IpSecAddressEntry
2854 "Specifies an instance of this class"
2855 PIB-INDEX { ipSecAddressPrid }
2857 ipSecAddressAddressType,
2858 ipSecAddressAddrMask,
2859 ipSecAddressAddrMin,
2860 ipSecAddressAddrMax,
2863 ::= { ipSecAddressTable 1 }
2865 IpSecAddressEntry ::= SEQUENCE {
2866 ipSecAddressPrid InstanceId,
2867 ipSecAddressAddressType INTEGER,
2868 ipSecAddressAddrMask OCTET STRING,
2869 ipSecAddressAddrMin OCTET STRING,
2870 ipSecAddressAddrMax OCTET STRING,
2871 ipSecAddressGroupId TagId
2874 ipSecAddressPrid OBJECT-TYPE
2878 "An integer index that uniquely identifies an instance of this
2880 ::= { ipSecAddressEntry 1 }
2882 ipSecAddressAddressType OBJECT-TYPE
2890 ipV4-Address-Range(7),
2891 ipV6-Address-Range(8),
2898 "Specifies the address type. "
2899 ::= { ipSecAddressEntry 2 }
2901 ipSecAddressAddrMask OBJECT-TYPE
2905 "A mask for the matching of the IP address. A zero bit in the mask
2906 means that the corresponding bit in the address always matches.
2908 This attribute MUST be ignored when ipSecAddressAddressType is not
2909 of IPv4 or IPv6 type."
2910 ::= { ipSecAddressEntry 3 }
2912 ipSecAddressAddrMin OBJECT-TYPE
2916 "Specifies an IP address. "
2917 ::= { ipSecAddressEntry 4 }
2919 ipSecAddressAddrMax OBJECT-TYPE
2923 "If a range of addresses is used then this specifies the ending
2924 address. The type of this address must be the same as the
2925 ipSecAddressAddrMin.
2927 If no range is specified then this attribute MUST be a zero length
2929 ::= { ipSecAddressEntry 5 }
2931 ipSecAddressGroupId OBJECT-TYPE
2935 "Specifies the group this IP address, address range or subnet
2936 address belongs to."
2937 ::= { ipSecAddressEntry 6 }
2942 -- The ipSecL4PortTable
2945 ipSecL4PortTable OBJECT-TYPE
2946 SYNTAX SEQUENCE OF IpSecL4PortEntry
2950 "Specifies layer four port numbers."
2951 ::= { ipSecSelector 4 }
2953 ipSecL4PortEntry OBJECT-TYPE
2954 SYNTAX IpSecL4PortEntry
2957 "Specifies an instance of this class"
2958 PIB-INDEX { ipSecL4PortPrid }
2964 ::= { ipSecL4PortTable 1 }
2966 IpSecL4PortEntry ::= SEQUENCE {
2967 ipSecL4PortPrid InstanceId,
2968 ipSecL4PortPortMin Unsigned16,
2969 ipSecL4PortPortMax Unsigned16,
2970 ipSecL4PortGroupId TagId
2973 ipSecL4PortPrid OBJECT-TYPE
2977 "An integer index that uniquely identifies an instance of this
2979 ::= { ipSecL4PortEntry 1 }
2981 ipSecL4PortPortMin OBJECT-TYPE
2986 "Specifies a layer 4 port or the first layer 4 port number of a
2987 range of ports. The value of this attribute must be less than or
2988 equal to that of ipSecL4PortPortMax.
2990 A value of zero indicates any port matches."
2991 ::= { ipSecL4PortEntry 2 }
2993 ipSecL4PortPortMax OBJECT-TYPE
2997 "Specifies the last layer 4 port in the range. If only a single
2998 port is specified, the value of this attribute must be equal to
2999 that of ipSecL4PortPortMin. Otherwise, the value of this attribute
3000 MUST be greater than that specified by ipSecL4PortPortMin.
3002 If ipSecL4PortPortMin is zero, this attribute MUST be ignored."
3003 ::= { ipSecL4PortEntry 3 }
3005 ipSecL4PortGroupId OBJECT-TYPE
3009 "Specifies the group this port or port range belongs to."
3010 ::= { ipSecL4PortEntry 4 }
3015 -- The ipSecIpsoFilterSetTable
3018 ipSecIpsoFilterSetTable OBJECT-TYPE
3019 SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry
3023 "Specifies IPSO filter sets."
3024 ::= { ipSecSelector 5 }
3026 ipSecIpsoFilterSetEntry OBJECT-TYPE
3027 SYNTAX IpSecIpsoFilterSetEntry
3030 "Specifies an instance of this class"
3031 PIB-INDEX { ipSecIpsoFilterSetPrid }
3033 ipSecIpsoFilterSetFilterSetId,
3034 ipSecIpsoFilterSetFilterId,
3035 ipSecIpsoFilterSetOrder
3037 ::= { ipSecIpsoFilterSetTable 1 }
3039 IpSecIpsoFilterSetEntry ::= SEQUENCE {
3040 ipSecIpsoFilterSetPrid InstanceId,
3041 ipSecIpsoFilterSetFilterSetId TagId,
3042 ipSecIpsoFilterSetFilterId ReferenceId,
3043 ipSecIpsoFilterSetOrder Unsigned16
3046 ipSecIpsoFilterSetPrid OBJECT-TYPE
3050 "An integer index that uniquely identifies an instance of this
3052 ::= { ipSecIpsoFilterSetEntry 1 }
3054 ipSecIpsoFilterSetFilterSetId OBJECT-TYPE
3058 "An IPSO filter set is composed of one or more IPSO filters. Each
3059 filter belonging to the same set has the same FilterSetId."
3060 ::= { ipSecIpsoFilterSetEntry 2 }
3062 ipSecIpsoFilterSetFilterId OBJECT-TYPE
3064 PIB-REFERENCES {ipSecIpsoFilterEntry }
3067 "A pointer to a valid instance in the ipSecIpsoFilterTable."
3068 ::= { ipSecIpsoFilterSetEntry 3 }
3070 ipSecIpsoFilterSetOrder OBJECT-TYPE
3074 "An integer that specifies the precedence order of the filter
3075 identified by ipSecIpsoFilterSetFilterId within a filter set. The
3076 filter set is identified by ipSecIpsoFilterSetFilterSetId. A
3077 smaller integer value indicates a higher preference."
3078 ::= { ipSecIpsoFilterSetEntry 4 }
3083 -- The ipSecIpsoFilterTable
3086 ipSecIpsoFilterTable OBJECT-TYPE
3087 SYNTAX SEQUENCE OF IpSecIpsoFilterEntry
3091 "Specifies IPSO filters."
3092 ::= { ipSecSelector 6 }
3094 ipSecIpsoFilterEntry OBJECT-TYPE
3095 SYNTAX IpSecIpsoFilterEntry
3098 "Specifies an instance of this class"
3099 PIB-INDEX { ipSecIpsoFilterPrid }
3101 ipSecIpsoFilterMatchConditionType,
3102 ipSecIpsoFilterClassificationLevel,
3103 ipSecIpsoFilterProtectionAuthority
3105 ::= { ipSecIpsoFilterTable 1 }
3107 IpSecIpsoFilterEntry ::= SEQUENCE {
3108 ipSecIpsoFilterPrid InstanceId,
3109 ipSecIpsoFilterMatchConditionType INTEGER,
3110 ipSecIpsoFilterClassificationLevel INTEGER,
3111 ipSecIpsoFilterProtectionAuthority INTEGER
3114 ipSecIpsoFilterPrid OBJECT-TYPE
3118 "An integer index that uniquely identifies an instance of this
3120 ::= { ipSecIpsoFilterEntry 1 }
3122 ipSecIpsoFilterMatchConditionType OBJECT-TYPE
3124 classificationLevel(1),
3125 protectionAuthority(2)
3129 "Specifies the IPSO header field to be matched."
3130 ::= { ipSecIpsoFilterEntry 2 }
3132 ipSecIpsoFilterClassificationLevel OBJECT-TYPE
3141 "Specifies the value for classification level to be matched
3142 against. This attribute MUST be ignored if
3143 ipSecIpsoFilterMatchConditionType is not 1 (classificationLevel)."
3144 ::= { ipSecIpsoFilterEntry 3 }
3146 ipSecIpsoFilterProtectionAuthority OBJECT-TYPE
3156 "Specifies the value for protection authority to be matched
3157 against. This attribute MUST be ignored if
3158 ipSecIpsoFilterMatchConditionType is not 2 (protectionAuthority).
3160 ::= { ipSecIpsoFilterEntry 4 }
3165 -- The ipSecRuleTimePeriodTable
3168 ipSecRuleTimePeriodTable OBJECT-TYPE
3169 SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
3173 "Specifies the time periods during which a policy rule is valid.
3174 The values of the first five attributes in a row are ANDed
3175 together to determine the validity period(s). If any of the five
3176 attributes is not present, it is treated as having value always
3178 ::= { ipSecPolicyTimePeriod 1 }
3180 ipSecRuleTimePeriodEntry OBJECT-TYPE
3181 SYNTAX IpSecRuleTimePeriodEntry
3184 "Specifies an instance of this class"
3185 PIB-INDEX { ipSecRuleTimePeriodPrid }
3187 ipSecRuleTimePeriodTimePeriod,
3188 ipSecRuleTimePeriodMonthOfYearMask,
3189 ipSecRuleTimePeriodDayOfMonthMask,
3190 ipSecRuleTimePeriodDayOfWeekMask,
3191 ipSecRuleTimePeriodTimeOfDayMask,
3192 ipSecRuleTimePeriodLocalOrUtcTime
3194 ::= { ipSecRuleTimePeriodTable 1 }
3196 IpSecRuleTimePeriodEntry ::= SEQUENCE {
3197 ipSecRuleTimePeriodPrid InstanceId,
3198 ipSecRuleTimePeriodTimePeriod OCTET STRING,
3199 ipSecRuleTimePeriodMonthOfYearMask OCTET STRING,
3200 ipSecRuleTimePeriodDayOfMonthMask OCTET STRING,
3201 ipSecRuleTimePeriodDayOfWeekMask OCTET STRING,
3202 ipSecRuleTimePeriodTimeOfDayMask OCTET STRING,
3203 ipSecRuleTimePeriodLocalOrUtcTime INTEGER
3206 ipSecRuleTimePeriodPrid OBJECT-TYPE
3210 "An integer index to uniquely identify an instance of this class"
3211 ::= { ipSecRuleTimePeriodEntry 1 }
3213 ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
3217 "An octet string that identifies an overall range of calendar
3218 dates and times over which a policy rule is valid. It reuses the
3219 format for an explicit time period defined in RFC 2445 : a string
3220 representing a starting date and time, in which the character 'T'
3221 indicates the beginning of the time portion, followed by the
3222 solidus character '/', followed by a similar string representing
3223 an end date and time. The first date indicates the beginning of
3224 the range, while the second date indicates the end. Thus, the
3225 second date and time must be later than the first. Date/times are
3226 expressed as substrings of the form yyyymmddThhmmss.
3228 There are also two special cases:
3230 - If the first date/time is replaced with the string
3231 THISANDPRIOR, then the property indicates that a policy rule is
3232 valid [from now] until the date/time that appears after the '/'.
3234 - If the second date/time is replaced with the string
3235 THISANDFUTURE, then the property indicates that a policy rule
3236 becomes valid on the date/time that appears before the '/', and
3237 remains valid from that point on.
3239 ::= { ipSecRuleTimePeriodEntry 2 }
3241 ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
3245 "An octet string that specifies which months the policy is valid
3246 for. The octet string is structured as follows:
3248 - a 4-octet length field, indicating the length of the entire
3249 octet string; this field is always set to 0x00000006 for this
3252 - a 2-octet field consisting of 12 bits identifying the 12 months
3253 of the year, beginning with January and ending with December,
3254 followed by 4 bits that are always set to '0'. For each month,
3255 the value '1' indicates that the policy is valid for that month,
3256 and the value '0' indicates that it is not valid.
3258 If this property is omitted, then the policy rule is treated as
3259 valid for all twelve months."
3260 ::= { ipSecRuleTimePeriodEntry 3 }
3262 ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
3266 "An octet string that specifies which days of the month the policy
3267 is valid for. The octet string is structured as follows:
3269 -a 4-octet length field, indicating the length of the entire octet
3270 string; this field is always set to 0x0000000C for this property;
3272 -an 8-octet field consisting of 31 bits identifying the days of
3273 the month counting from the beginning, followed by 31 more bits
3274 identifying the days of the month counting from the end, followed
3275 by 2 bits that are always set to '0'. For each day, the value '1'
3276 indicates that the policy is valid for that day, and the value '0'
3277 indicates that it is not valid.
3279 For months with fewer than 31 days, the digits corresponding to
3280 days that the months do not have (counting in both directions) are
3283 ::= { ipSecRuleTimePeriodEntry 4 }
3285 ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
3289 "An octet string that specifies which days of the week the policy
3290 is valid for. The octet string is structured as follows:
3292 - a 4-octet length field, indicating the length of the entire
3293 octet string; this field is always set to 0x00000005 for this
3296 - a 1-octet field consisting of 7 bits identifying the 7 days of
3297 the week, beginning with Sunday and ending with Saturday, followed
3298 by 1 bit that is always set to '0'. For each day of the week, the
3299 value '1' indicates that the policy is valid for that day, and the
3300 value '0' indicates that it is not valid.
3302 ::= { ipSecRuleTimePeriodEntry 5 }
3304 ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
3308 "An octet string that specifies a range of times in a day the
3309 policy is valid for. It is formatted as follows:
3311 A time string beginning with the character 'T', followed by the
3312 solidus character '/', followed by a second time string. The
3313 first time indicates the beginning of the range, while the second
3314 time indicates the end. Times are expressed as substrings of the
3317 The second substring always identifies a later time than the first
3318 substring. To allow for ranges that span midnight, however, the
3319 value of the second string may be smaller than the value of the
3320 first substring. Thus, T080000/T210000 identifies the range from
3321 0800 until 2100, while T210000/T080000 identifies the range from
3322 2100 until 0800 of the following day."
3323 ::= { ipSecRuleTimePeriodEntry 6 }
3325 ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
3332 "This property indicates whether the times represented in this
3333 table represent local times or UTC times. There is no provision
3334 for mixing of local times and UTC times: the value of this
3335 property applies to all of the other time-related properties."
3336 ::= { ipSecRuleTimePeriodEntry 7 }
3341 -- The ipSecRuleTimePeriodSetTable
3344 ipSecRuleTimePeriodSetTable OBJECT-TYPE
3345 SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
3349 "Specifies time period sets. The ipSecRuleTimePeriodTable can
3350 specify only a single time period within a day. This table enables
3351 the specification of multiple time periods within a day by
3352 grouping them into one set. "
3353 ::= { ipSecPolicyTimePeriod 2 }
3355 ipSecRuleTimePeriodSetEntry OBJECT-TYPE
3356 SYNTAX IpSecRuleTimePeriodSetEntry
3359 "Specifies an instance of this class"
3360 PIB-INDEX { ipSecRuleTimePeriodSetPrid }
3362 ipSecRuleTimePeriodSetRuleTimePeriodSetId,
3363 ipSecRuleTimePeriodSetRuleTimePeriodId
3365 ::= { ipSecRuleTimePeriodSetTable 1 }
3367 IpSecRuleTimePeriodSetEntry ::= SEQUENCE {
3368 ipSecRuleTimePeriodSetPrid InstanceId,
3369 ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId,
3370 ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId
3373 ipSecRuleTimePeriodSetPrid OBJECT-TYPE
3377 "An integer index to uniquely identify an instance of this class"
3378 ::= { ipSecRuleTimePeriodSetEntry 1 }
3380 ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
3384 "An integer that uniquely identifies an ipSecRuleTimePeriod set. "
3385 ::= { ipSecRuleTimePeriodSetEntry 2 }
3387 ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
3389 PIB-REFERENCES {ipSecRuleTimePeriodEntry }
3392 "An integer that identifies an ipSecRuleTimePeriod, specified by
3393 ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is
3394 included in this set."
3395 ::= { ipSecRuleTimePeriodSetEntry 3 }
3400 -- The ipSecIfCapsTable
3403 ipSecIfCapsTable OBJECT-TYPE
3404 SYNTAX SEQUENCE OF IpSecIfCapsEntry
3408 "Specifies capabilities that may be associated with an interface
3409 of a specific type. The instances of this table are referenced by
3410 the frwkIfCapSetCapability attribute of the frwkIfCapSetTable [FR-
3412 ::= { ipSecIfCapability 1 }
3414 ipSecIfCapsEntry OBJECT-TYPE
3415 SYNTAX IpSecIfCapsEntry
3418 "Specifies an instance of this class"
3419 PIB-INDEX { ipSecIfCapsPrid }
3421 ipSecIfCapsDirection,
3422 ipSecIfCapsMaxIpSecActions,
3423 ipSecIfCapsMaxIkeActions
3425 ::= { ipSecIfCapsTable 1 }
3427 IpSecIfCapsEntry ::= SEQUENCE {
3428 ipSecIfCapsPrid InstanceId,
3429 ipSecIfCapsDirection INTEGER,
3430 ipSecIfCapsMaxIpSecActions Unsigned16,
3431 ipSecIfCapsMaxIkeActions Unsigned16
3434 ipSecIfCapsPrid OBJECT-TYPE
3438 "An integer index that uniquely identifies an instance of this
3440 ::= { ipSecIfCapsEntry 1 }
3442 ipSecIfCapsDirection OBJECT-TYPE
3450 "Specifies the direction for which this capability applies."
3451 ::= { ipSecIfCapsEntry 2 }
3453 ipSecIfCapsMaxIpSecActions OBJECT-TYPE
3457 "Specifies the maximum number of actions an IPsec action set may
3458 contain. IPsec action sets are specified by the
3459 ipSecActionSetTable.
3461 A value of zero indicates that there is no maximum limit."
3462 ::= { ipSecIfCapsEntry 3 }
3464 ipSecIfCapsMaxIkeActions OBJECT-TYPE
3468 "Specifies the maximum number of actions an IKE action set may
3469 contain. IKE action sets are specified by the
3470 ipSecIkeActionSetTable.
3472 A value of zero indicates that there is no maximum limit."
3473 ::= { ipSecIfCapsEntry 4 }
3478 -- Conformance Section
3481 ipSecPolicyPibConformanceCompliances
3482 OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 }
3484 ipSecPolicyPibConformanceGroups
3485 OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }
3487 IPsecPibCompilance MODULE-COMPLIANCE
3490 " Compliance statement"
3491 MODULE -- this module
3494 ipSecActionSetGroup,
3495 ipSecStaticActionGroup,
3496 ipSecNegotiationActionGroup,
3497 ipSecAssociationGroup,
3498 ipSecProposalSetGroup,
3500 ipSecAhTransformSetGroup,
3501 ipSecAhTransformGroup,
3502 ipSecEspTransformSetGroup,
3503 ipSecEspTransformGroup,
3504 ipSecCompTransformSetGroup,
3505 ipSecCompTransformGroup,
3506 ipSecIkeAssociationGroup,
3507 ipSecIkeProposalSetGroup,
3508 ipSecIkeProposalGroup,
3509 ipSecIkePeerEndpointGroup,
3510 ipSecCredentialSetGroup,
3511 ipSecCredentialGroup,
3512 ipSecCredentialFieldsGroup,
3513 ipSecSelectorSetGroup,
3520 GROUP ipSecIkeRuleGroup
3522 "This group is mandatory if any of the following is supported: 1)
3523 multiple IKE phase one actions (e.g., with different exchange
3524 modes) are associated with an IPsec rule. These actions are to be
3525 tried in sequence until one succeeds; 2) IKE phase one actions that
3526 start automatically."
3528 GROUP ipSecIkeActionSetGroup
3530 "This group is mandatory if any of the following is supported: 1)
3531 multiple IKE phase one actions (e.g., with different exchange
3532 modes) are associated with an IPsec rule. These actions are to be
3533 tried in sequence until one succeeds; 2) IKE phase one actions that
3534 start automatically."
3536 GROUP ipSecIpsoFilterSetGroup
3538 "This group is mandatory if IPSO filter is supported."
3540 GROUP ipSecIpsoFilterGroup
3542 "This group is mandatory if IPSO filter is supported."
3544 GROUP ipSecRuleTimePeriodGroup
3546 "This group is mandatory if policy scheduling is supported."
3548 GROUP ipSecRuleTimePeriodSetGroup
3550 "This group is mandatory if policy scheduling is supported."
3552 OBJECT ipSecRuleipSecIpsoFilterSetId
3553 PIB-MIN-ACCESS not-accessible
3555 " Support of this attribute is optional"
3557 OBJECT ipSecRuleLimitNegotiation
3558 PIB-MIN-ACCESS not-accessible
3560 " Support of this attribute is optional"
3562 OBJECT ipSecRuleAutoStart
3563 PIB-MIN-ACCESS not-accessible
3565 " Support of this attribute is optional"
3567 OBJECT ipSecRuleIpSecRuleTimePeriodGroupId
3568 PIB-MIN-ACCESS not-accessible
3570 " Support of this attribute is optional"
3572 OBJECT ipSecActionSetDoActionLogging
3573 PIB-MIN-ACCESS not-accessible
3575 " Support of this attribute is optional"
3577 OBJECT ipSecActionSetDoPacketLogging
3578 PIB-MIN-ACCESS not-accessible
3580 " Support of this attribute is optional"
3582 OBJECT ipSecAssociationMinLifetimeSeconds
3583 PIB-MIN-ACCESS not-accessible
3585 " Support of this attribute is optional"
3587 OBJECT ipSecAssociationMinLifetimeKilobytes
3588 PIB-MIN-ACCESS not-accessible
3590 " Support of this attribute is optional"
3592 OBJECT ipSecAssociationIdleDurationSeconds
3593 PIB-MIN-ACCESS not-accessible
3595 " Support of this attribute is optional"
3597 OBJECT ipSecAssociationVendorId
3598 PIB-MIN-ACCESS not-accessible
3600 " Support of this attribute is optional"
3602 OBJECT ipSecAssociationUseKeyExchangeGroup
3603 PIB-MIN-ACCESS not-accessible
3605 " Support of this attribute is optional"
3607 OBJECT ipSecAssociationGranularity
3608 PIB-MIN-ACCESS not-accessible
3610 " Support of this attribute is optional"
-- NOTE(review): because support of this attribute is optional, a
-- compliant device may not implement it. A policy that depends on AH
-- replay prevention should first confirm that the device supports the
-- attribute. The same applies to ipSecEspTransformUseReplayPrevention,
-- which this compliance statement also marks optional.
3612 OBJECT ipSecAhTransformUseReplayPrevention
3613 PIB-MIN-ACCESS not-accessible
3615 " Support of this attribute is optional"
3617 OBJECT ipSecAhTransformReplayPreventionWindowSize
3618 PIB-MIN-ACCESS not-accessible
3620 " Support of this attribute is optional"
3622 OBJECT ipSecAhTransformVendorId
3623 PIB-MIN-ACCESS not-accessible
3625 " Support of this attribute is optional"
3627 OBJECT ipSecEspTransformCipherKeyRounds
3628 PIB-MIN-ACCESS not-accessible
3630 " Support of this attribute is optional"
3632 OBJECT ipSecEspTransformCipherKeyLength
3633 PIB-MIN-ACCESS not-accessible
3635 " Support of this attribute is optional"
3637 OBJECT ipSecEspTransformUseReplayPrevention
3638 PIB-MIN-ACCESS not-accessible
3640 " Support of this attribute is optional"
3642 OBJECT ipSecEspTransformReplayPreventionWindowSize
3643 PIB-MIN-ACCESS not-accessible
3645 " Support of this attribute is optional"
3647 OBJECT ipSecEspTransformVendorId
3648 PIB-MIN-ACCESS not-accessible
3650 " Support of this attribute is optional"
3652 OBJECT ipSecCompTransformDictionarySize
3653 PIB-MIN-ACCESS not-accessible
3655 " Support of this attribute is optional"
3657 OBJECT ipSecCompTransformPrivateAlgorithm
3658 PIB-MIN-ACCESS not-accessible
3660 " Support of this attribute is optional"
3662 OBJECT ipSecCompTransformVendorId
3663 PIB-MIN-ACCESS not-accessible
3665 " Support of this attribute is optional"
3667 OBJECT ipSecIkeAssociationMinLiftetimeSeconds
3668 PIB-MIN-ACCESS not-accessible
3670 " Support of this attribute is optional"
3672 OBJECT ipSecIkeAssociationMinLifetimeKilobytes
3673 PIB-MIN-ACCESS not-accessible
3675 " Support of this attribute is optional"
3677 OBJECT ipSecIkeAssociationIdleDurationSeconds
3678 PIB-MIN-ACCESS not-accessible
3680 " Support of this attribute is optional"
-- NOTE(review): the attribute name indicates IKE pre-shared key material
-- provisioned through this PIB. Nothing visible in this clause says how
-- the value is protected in transit or in storage. Check the draft's
-- security considerations and the confidentiality of the policy
-- transport before provisioning keys this way.
3682 OBJECT ipSecIkeAssociationPresharedKey
3683 PIB-MIN-ACCESS not-accessible
3685 " Support of this attribute is optional"
3687 OBJECT ipSecIkeAssociationVendorId
3688 PIB-MIN-ACCESS not-accessible
3690 " Support of this attribute is optional"
3692 OBJECT ipSecIkeAssociationAggressiveModeGroupId
3693 PIB-MIN-ACCESS not-accessible
3695 " Support of this attribute is optional"
3697 OBJECT ipSecIkeAssociationLocalCredentialId
3698 PIB-MIN-ACCESS not-accessible
3700 " Support of this attribute is optional"
3702 OBJECT ipSecIkeAssociationDoActionLogging
3703 PIB-MIN-ACCESS not-accessible
3705 " Support of this attribute is optional"
3707 OBJECT ipSecIkeProposalPrfAlgorithm
3708 PIB-MIN-ACCESS not-accessible
3710 " Support of this attribute is optional"
3712 OBJECT ipSecIkeProposalVendorId
3713 PIB-MIN-ACCESS not-accessible
3715 " Support of this attribute is optional"
3717 OBJECT ipSecIkePeerEndpointAddressType
3718 PIB-MIN-ACCESS not-accessible
3720 " Support of this attribute is optional"
3722 OBJECT ipSecIkePeerEndpointAddress
3723 PIB-MIN-ACCESS not-accessible
3725 " Support of this attribute is optional"
3727 OBJECT ipSecIfCapsMaxIkeActions
3728 PIB-MIN-ACCESS not-accessible
3730 " Support of this attribute is optional"
3732 OBJECT ipSecRuleActionExecutionStrategy
3737 " Support of doUntilSuccess(2) is not required"
3739 OBJECT ipSecStaticActionAction
3743 preConfiguredTransport(4),
3744 preConfiguredTunnel(5)
3747 " Support of ikeRejection(3) is not required"
3749 ::= { ipSecPolicyPibConformanceCompliances 1 }
3751 ipSecRuleGroup OBJECT-GROUP
3756 ipSecRuleIpSecSelectorSetId,
3757 ipSecRuleipSecIpsoFilterSetId,
3758 ipSecRuleIpSecActionSetId,
3759 ipSecRuleActionExecutionStrategy,
3761 ipSecRuleLimitNegotiation,
3763 ipSecRuleIpSecRuleTimePeriodGroupId
3767 "Objects from the ipSecRuleTable."
3768 ::= { ipSecPolicyPibConformanceGroups 1 }
3770 ipSecActionSetGroup OBJECT-GROUP
3772 ipSecActionSetActionSetId,
3773 ipSecActionSetActionId,
3774 ipSecActionSetDoActionLogging,
3775 ipSecActionSetDoPacketLogging,
3780 "Objects from the ipSecActionSetTable."
3781 ::= { ipSecPolicyPibConformanceGroups 2 }
-- Conformance group 3: attributes of ipSecStaticActionTable.
-- The compliance statement above names preConfiguredTransport(4) and preConfiguredTunnel(5)
-- among the values of ipSecStaticActionAction and does not require ikeRejection(3).
-- NOTE(review): Spi and SaTransformId suggest that these rows describe manually keyed SAs
-- whose keys come from the AH/ESP transform tables. If so, such SAs have no negotiated
-- rekeying, and the referenced key attributes need the protection of a long-lived secret.
-- Confirm against the table definition, which is outside this excerpt.
3783 ipSecStaticActionGroup OBJECT-GROUP
3785 ipSecStaticActionAction,
3786 ipSecStaticActionTunnelEndpointId,
3787 ipSecStaticActionDfHandling,
3788 ipSecStaticActionSpi,
3789 ipSecStaticActionLifetimeSeconds,
3790 ipSecStaticActionLifetimeKilobytes,
3791 ipSecStaticActionSaTransformId
3795 "Objects from the ipSecStaticActionTable."
3796 ::= { ipSecPolicyPibConformanceGroups 3 }
3798 ipSecNegotiationActionGroup OBJECT-GROUP
3800 ipSecNegotiationActionAction,
3801 ipSecNegotiationActionTunnelEndpointId,
3802 ipSecNegotiationActionDfHandling,
3803 ipSecNegotiationActionIpSecSecurityAssociationId,
3804 ipSecNegotiationActionKeyExchangeId
3808 "Objects from the ipSecNegotiationActionTable."
3809 ::= { ipSecPolicyPibConformanceGroups 4 }
-- Conformance group 5: attributes of ipSecAssociationTable.
-- NOTE(review): UsePfs, UseKeyExchangeGroup and DhGroup are plain members here, and the
-- part of the compliance statement visible above has no OBJECT clause for them. Whether
-- PFS is on and which group is acceptable is presumably left to the provisioned values,
-- so a deployment baseline has to be enforced where the policy is authored. Confirm
-- against the attribute definitions.
3811 ipSecAssociationGroup OBJECT-GROUP
3813 ipSecAssociationMinLifetimeSeconds,
3814 ipSecAssociationMinLifetimeKilobytes,
3815 ipSecAssociationIdleDurationSeconds,
3816 ipSecAssociationUsePfs,
3817 ipSecAssociationVendorId,
3818 ipSecAssociationUseKeyExchangeGroup,
3819 ipSecAssociationDhGroup,
3820 ipSecAssociationGranularity,
3821 ipSecAssociationProposalSetId
3825 "Objects from the ipSecAssociationTable."
3826 ::= { ipSecPolicyPibConformanceGroups 5 }
3828 ipSecProposalSetGroup OBJECT-GROUP
3830 ipSecProposalSetProposalSetId,
3831 ipSecProposalSetProposalId,
3832 ipSecProposalSetOrder
3836 "Objects from the ipSecProposalSetTable."
3837 ::= { ipSecPolicyPibConformanceGroups 6 }
3839 ipSecProposalGroup OBJECT-GROUP
3841 ipSecProposalEspTransformSetId,
3842 ipSecProposalAhTransformSetId,
3843 ipSecProposalCompTransformSetId
3847 "Objects from the ipSecProposalTable."
3848 ::= { ipSecPolicyPibConformanceGroups 7 }
3850 ipSecAhTransformSetGroup OBJECT-GROUP
3852 ipSecAhTransformSetTransformSetId,
3853 ipSecAhTransformSetTransformId,
3854 ipSecAhTransformSetOrder
3858 "Objects from the ipSecAhTransformSetTable."
3859 ::= { ipSecPolicyPibConformanceGroups 8 }
-- Conformance group 9: attributes of ipSecAhTransformTable.
-- NOTE(review): IntegrityKey is listed as an ordinary member, so by its name AH key
-- material is carried in the same policy objects as the transform selection. Presumably
-- it is used only for preconfigured SAs. The channel that delivers this PIB, and any
-- store or log holding its instances, then needs confidentiality and access control.
-- Confirm against the attribute's DESCRIPTION.
3861 ipSecAhTransformGroup OBJECT-GROUP
3863 ipSecAhTransformTransformId,
3864 ipSecAhTransformIntegrityKey, -- key material by name; see the note above
3865 ipSecAhTransformUseReplayPrevention, -- presumably lets a provisioned row disable anti-replay; confirm the default
3866 ipSecAhTransformReplayPreventionWindowSize,
3867 ipSecAhTransformVendorId,
3868 ipSecAhTransformMaxLifetimeSeconds,
3869 ipSecAhTransformMaxLifetimeKilobytes
3873 "Objects from the ipSecAhTransformTable."
3874 ::= { ipSecPolicyPibConformanceGroups 9 }
3876 ipSecEspTransformSetGroup OBJECT-GROUP
3878 ipSecEspTransformSetTransformSetId,
3879 ipSecEspTransformSetTransformId,
3880 ipSecEspTransformSetOrder
3884 "Objects from the ipSecEspTransformSetTable."
3885 ::= { ipSecPolicyPibConformanceGroups 10 }
-- Conformance group 11: attributes of ipSecEspTransformTable.
-- NOTE(review): IntegrityKey and CipherKey are listed as ordinary members, so by their
-- names ESP key material is carried in the same policy objects as the algorithm
-- selection. Presumably they are used only for preconfigured SAs. The channel that
-- delivers this PIB, and any store or log holding its instances, then needs
-- confidentiality and access control. Confirm against the attribute DESCRIPTIONs.
3887 ipSecEspTransformGroup OBJECT-GROUP
3889 ipSecEspTransformIntegrityTransformId,
3890 ipSecEspTransformCipherTransformId,
3891 ipSecEspTransformIntegrityKey, -- key material by name; see the note above
3892 ipSecEspTransformCipherKey, -- key material by name; see the note above
3893 ipSecEspTransformCipherKeyRounds,
3894 ipSecEspTransformCipherKeyLength,
3895 ipSecEspTransformUseReplayPrevention, -- presumably lets a provisioned row disable anti-replay; confirm the default
3896 ipSecEspTransformReplayPreventionWindowSize,
3897 ipSecEspTransformVendorId,
3898 ipSecEspTransformMaxLifetimeSeconds,
3899 ipSecEspTransformMaxLifetimeKilobytes
3903 "Objects from the ipSecEspTransformTable."
3904 ::= { ipSecPolicyPibConformanceGroups 11 }
3906 ipSecCompTransformSetGroup OBJECT-GROUP
3908 ipSecCompTransformSetTransformSetId,
3909 ipSecCompTransformSetTransformId,
3910 ipSecCompTransformSetOrder
3914 "Objects from the ipSecCompTransformSetTable."
3915 ::= { ipSecPolicyPibConformanceGroups 12 }
3917 ipSecCompTransformGroup OBJECT-GROUP
3919 ipSecCompTransformAlgorithm,
3920 ipSecCompTransformDictionarySize,
3921 ipSecCompTransformPrivateAlgorithm,
3922 ipSecCompTransformVendorId,
3923 ipSecCompTransformMaxLifetimeSeconds,
3924 ipSecCompTransformMaxLifetimeKilobytes
3928 "Objects from the ipSecCompTransformTable."
3929 ::= { ipSecPolicyPibConformanceGroups 13 }
3931 ipSecIkeRuleGroup OBJECT-GROUP
3935 ipSecIkeRuleIkeActionSetId,
3936 ipSecIkeRuleActionExecutionStrategy,
3937 ipSecIkeRuleLimitNegotiation,
3938 ipSecIkeRuleAutoStart,
3939 ipSecIkeRuleIpSecRuleTimePeriodGroupId
3943 "Objects from the ipSecIkeRuleTable."
3944 ::= { ipSecPolicyPibConformanceGroups 14 }
3946 ipSecIkeActionSetGroup OBJECT-GROUP
3948 ipSecIkeActionSetActionSetId,
3949 ipSecIkeActionSetActionId,
3950 ipSecIkeActionSetOrder
3954 "Objects from the ipSecIkeActionSetTable."
3955 ::= { ipSecPolicyPibConformanceGroups 15 }
-- Conformance group 16: attributes of ipSecIkeAssociationTable.
-- The compliance statement above marks AggressiveModeGroupId, LocalCredentialId and
-- DoActionLogging as optional (PIB-MIN-ACCESS not-accessible).
-- NOTE(review): PresharedKey is an ordinary member, so by its name the IKE pre-shared
-- secret is provisioned inside the policy. The delivery channel and any store or log of
-- these instances then needs confidentiality and access control. IKEv1 aggressive mode
-- with a pre-shared key allows offline guessing of the key, so a policy review should
-- check ExchangeMode on every row that sets PresharedKey. The ExchangeMode values are
-- defined outside this excerpt. TODO confirm
3957 ipSecIkeAssociationGroup OBJECT-GROUP
3959 ipSecIkeAssociationMinLiftetimeSeconds, -- NOTE(review): spelled "Liftetime" here but "Lifetime" in the next entry; must match the OBJECT-TYPE descriptor, which is outside this excerpt. TODO confirm
3960 ipSecIkeAssociationMinLifetimeKilobytes,
3961 ipSecIkeAssociationIdleDurationSeconds,
3962 ipSecIkeAssociationExchangeMode,
3963 ipSecIkeAssociationUseIkeIdentityType,
3964 ipSecIkeAssociationUseIkeIdentityValue,
3965 ipSecIkeAssociationIkePeerEndpoint,
3966 ipSecIkeAssociationPresharedKey, -- secret by name; see the note above
3967 ipSecIkeAssociationVendorId,
3968 ipSecIkeAssociationAggressiveModeGroupId,
3969 ipSecIkeAssociationLocalCredentialId,
3970 ipSecIkeAssociationDoActionLogging, -- optional per the compliance statement, so action logging may be unavailable on some devices
3971 ipSecIkeAssociationIkeProposalSetId
3975 "Objects from the ipSecIkeAssociationTable."
3976 ::= { ipSecPolicyPibConformanceGroups 16 }
3978 ipSecIkeProposalSetGroup OBJECT-GROUP
3980 ipSecIkeProposalSetProposalSetId,
3981 ipSecIkeProposalSetProposalId,
3982 ipSecIkeProposalSetOrder
3986 "Objects from the ipSecIkeProposalSetTable."
3987 ::= { ipSecPolicyPibConformanceGroups 17 }
-- Conformance group 18: attributes of ipSecIkeProposalTable.
-- The compliance statement above marks PrfAlgorithm and VendorId as optional
-- (PIB-MIN-ACCESS not-accessible).
-- NOTE(review): the group only names the cipher, hash, authentication method, PRF and DH
-- group attributes. Any restriction on acceptable values would be in each attribute's
-- SYNTAX, which is outside this excerpt. Presumably algorithm strength is otherwise set by
-- the provisioned values, so a minimum has to be enforced where the policy is authored.
-- TODO confirm
3989 ipSecIkeProposalGroup OBJECT-GROUP
3991 ipSecIkeProposalMaxLifetimeSeconds,
3992 ipSecIkeProposalMaxLifetimeKilobytes,
3993 ipSecIkeProposalCipherAlgorithm,
3994 ipSecIkeProposalHashAlgorithm,
3995 ipSecIkeProposalAuthenticationMethod,
3996 ipSecIkeProposalPrfAlgorithm,
3997 ipSecIkeProposalIkeDhGroup,
3998 ipSecIkeProposalVendorId
4002 "Objects from the ipSecIkeProposalTable."
4003 ::= { ipSecPolicyPibConformanceGroups 18 }
-- Conformance group 19: attributes of ipSecIkePeerEndpointTable.
-- The compliance statement above marks AddressType and Address as optional
-- (PIB-MIN-ACCESS not-accessible), while IdentityType, IdentityValue and CredentialSetId
-- have no OBJECT clause in the visible part of that statement.
-- NOTE(review): on a device that omits the address attributes, a peer would presumably
-- be matched on identity and credentials alone. Confirm how the peer is located in that case.
4005 ipSecIkePeerEndpointGroup OBJECT-GROUP
4007 ipSecIkePeerEndpointIdentityType,
4008 ipSecIkePeerEndpointIdentityValue,
4009 ipSecIkePeerEndpointAddressType,
4010 ipSecIkePeerEndpointAddress,
4011 ipSecIkePeerEndpointCredentialSetId
4015 "Objects from the ipSecIkePeerEndpointTable."
4016 ::= { ipSecPolicyPibConformanceGroups 19 }
4018 ipSecCredentialSetGroup OBJECT-GROUP
4020 ipSecCredentialSetSetId,
4021 ipSecCredentialSetCredentialId
4025 "Objects from the ipSecCredentialSetTable."
4026 ::= { ipSecPolicyPibConformanceGroups 20 }
-- Conformance group 21: attributes of ipSecCredentialTable.
-- NOTE(review): CrlDistributionPoint is the only revocation-related member visible in
-- this group. Presumably it names where a CRL is fetched for the credential. Whether a
-- device must check revocation, and what happens when the point is unreachable, is not
-- stated in this excerpt. TODO confirm against the attribute's DESCRIPTION
4028 ipSecCredentialGroup OBJECT-GROUP
4030 ipSecCredentialCredentialType,
4031 ipSecCredentialFieldsId,
4032 ipSecCredentialCrlDistributionPoint
4036 "Objects from the ipSecCredentialTable."
4037 ::= { ipSecPolicyPibConformanceGroups 21 }
4039 ipSecCredentialFieldsGroup OBJECT-GROUP
4041 ipSecCredentialFieldsName,
4042 ipSecCredentialFieldsValue,
4043 ipSecCredentialFieldsSetId
4047 "Objects from the ipSecCredentialFieldsTable."
4048 ::= { ipSecPolicyPibConformanceGroups 22 }
4050 ipSecSelectorSetGroup OBJECT-GROUP
4052 ipSecSelectorSetSelectorSetId,
4053 ipSecSelectorSetSelectorId,
4054 ipSecSelectorSetOrder
4058 "Objects from the ipSecSelectorSetTable."
4059 ::= { ipSecPolicyPibConformanceGroups 23 }
4061 ipSecSelectorGroup OBJECT-GROUP
4063 ipSecSelectorSrcAddressGroupId,
4064 ipSecSelectorSrcPortGroupId,
4065 ipSecSelectorDstAddressGroupId,
4066 ipSecSelectorDstPortGroupId,
4067 ipSecSelectorProtocol,
4069 ipSecSelectorFlowLabel
4073 "Objects from the ipSecSelectorTable."
4074 ::= { ipSecPolicyPibConformanceGroups 24 }
-- Conformance group 25: attributes of ipSecAddressTable.
-- The last member shown ends with a comma and the listing then skips module lines
-- 4082 to 4085, so at least one further member is not visible here. Do not treat this
-- list as the full OBJECTS clause.
4076 ipSecAddressGroup OBJECT-GROUP
4078 ipSecAddressAddressType,
4079 ipSecAddressAddrMask,
4080 ipSecAddressAddrMin,
4081 ipSecAddressAddrMax,
4086 "Objects from the ipSecAddressTable."
4087 ::= { ipSecPolicyPibConformanceGroups 25 }
-- Conformance group 26: attributes of ipSecL4PortTable.
-- The listing skips module lines 4090 to 4096, so none of this group's members are
-- visible here. Consult the full module for the OBJECTS clause.
4089 ipSecL4PortGroup OBJECT-GROUP
4097 "Objects from the ipSecL4PortTable."
4098 ::= { ipSecPolicyPibConformanceGroups 26 }
4100 ipSecIpsoFilterSetGroup OBJECT-GROUP
4102 ipSecIpsoFilterSetFilterSetId,
4103 ipSecIpsoFilterSetFilterId,
4104 ipSecIpsoFilterSetOrder
4108 "Objects from the ipSecIpsoFilterSetTable."
4109 ::= { ipSecPolicyPibConformanceGroups 27 }
4111 ipSecIpsoFilterGroup OBJECT-GROUP
4113 ipSecIpsoFilterMatchConditionType,
4114 ipSecIpsoFilterClassificationLevel,
4115 ipSecIpsoFilterProtectionAuthority
4119 "Objects from the ipSecIpsoFilterTable."
4120 ::= { ipSecPolicyPibConformanceGroups 28 }
4122 ipSecRuleTimePeriodGroup OBJECT-GROUP
4124 ipSecRuleTimePeriodTimePeriod,
4125 ipSecRuleTimePeriodMonthOfYearMask,
4126 ipSecRuleTimePeriodDayOfMonthMask,
4127 ipSecRuleTimePeriodDayOfWeekMask,
4128 ipSecRuleTimePeriodTimeOfDayMask,
4129 ipSecRuleTimePeriodLocalOrUtcTime
4133 "Objects from the ipSecRuleTimePeriodTable."
4134 ::= { ipSecPolicyPibConformanceGroups 29 }
4136 ipSecRuleTimePeriodSetGroup OBJECT-GROUP
4138 ipSecRuleTimePeriodSetRuleTimePeriodSetId,
4139 ipSecRuleTimePeriodSetRuleTimePeriodId
4143 "Objects from the ipSecRuleTimePeriodSetTable."
4144 ::= { ipSecPolicyPibConformanceGroups 30 }
-- Conformance group 31: attributes of ipSecIfCapsTable.
-- The compliance statement above marks MaxIkeActions as optional (PIB-MIN-ACCESS
-- not-accessible). Direction and MaxIpSecActions have no OBJECT clause in the visible
-- part of that statement.
4146 ipSecIfCapsGroup OBJECT-GROUP
4148 ipSecIfCapsDirection,
4149 ipSecIfCapsMaxIpSecActions,
4150 ipSecIfCapsMaxIkeActions
4154 "Objects from the ipSecIfCapsTable."
4155 ::= { ipSecPolicyPibConformanceGroups 31 }