IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN IMPORTS ibrpib FROM TUBS-SMI Unsigned32, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, TEXTUAL-CONVENTION, MODULE-COMPLIANCE, OBJECT-GROUP, pib FROM COPS-PR-SPPI TruthValue FROM SNMPv2-TC InstanceId, ReferenceId, TagId, TagReferenceId, Prid FROM COPS-PR-SPPI-TC SnmpAdminString FROM SNMP-FRAMEWORK-MIB RoleCombination FROM FRAMEWORK-TC-PIB; ipSecPolicyPib MODULE-IDENTITY SUBJECT-CATEGORIES { all } -- IPsec Client Type -- LAST-UPDATED "200202241800Z" ORGANIZATION "IETF ipsp WG" CONTACT-INFO " Man Li Nokia 5 Wayside Road, Burlington, MA 01803 Phone: +1 781 993 3923 Email: man.m.li@nokia.com Avri Doria Div. of Computer Communications Lulea University of Technology SE-971 87 Lulea, Sweden Phone: +46 920 49 3030 Email: avri@sm.luth.se Jamie Jason Intel Corporation MS JF3-206 2111 NE 25th Ave. Hillsboro, OR 97124 Phone: +1 503 264 9531 Fax: +1 503 264 9428 Email: jamie.jason@intel.com Cliff Wang SmartPipes Inc. Suite 300, 565 Metro Place South Dublin, OH 43017 Phone: +1 614 923 6241 Email: CWang@smartpipes.com Markus Stenberg SSH Communications Security Corp. Fredrikinkatu 42 FIN-00100 Helsinki, Finland Phone: +358 20 500 7466 Email: markus.stenberg@ssh.com" DESCRIPTION "This PIB module contains a set of policy rule classes that describe IPsec policies." ::= { ibrpib 6 } -- yyy to be assigned by IANA -- Unsigned16 ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "An unsigned 16 bit integer." SYNTAX Unsigned32 (0..65535) ipSecAssociation OBJECT-IDENTITY STATUS current DESCRIPTION "This group specifies IPsec Security Associations." ::= { ipSecPolicyPib 1 } ipSecAhTransform OBJECT-IDENTITY STATUS current DESCRIPTION "This group specifies AH Transforms." ::= { ipSecPolicyPib 2 } ipSecEspTransform OBJECT-IDENTITY STATUS current DESCRIPTION "This group specifies ESP Transforms." ::= { ipSecPolicyPib 3 } ipSecCompTransform OBJECT-IDENTITY STATUS current DESCRIPTION "This group specifies Comp Transforms." 
::= { ipSecPolicyPib 4 } ipSecIkeAssociation OBJECT-IDENTITY STATUS current DESCRIPTION "This group specifies IKE Security Associations." ::= { ipSecPolicyPib 5 } ipSecCredential OBJECT-IDENTITY STATUS current DESCRIPTION "This group specifies credentials for IKE phase one negotiations." ::= { ipSecPolicyPib 6 } ipSecSelector OBJECT-IDENTITY STATUS current DESCRIPTION "This group specifies selectors for IPsec associations." ::= { ipSecPolicyPib 7 } ipSecPolicyTimePeriod OBJECT-IDENTITY STATUS current DESCRIPTION "This group specifies the time periods during which a policy rule is valid." ::= { ipSecPolicyPib 8 } ipSecIfCapability OBJECT-IDENTITY STATUS current DESCRIPTION "This group specifies capabilities associated with interface types." ::= { ipSecPolicyPib 9 } ipSecPolicyPibConformance OBJECT-IDENTITY STATUS current DESCRIPTION "This group specifies requirements for conformance to the IPsec Policy PIB" ::= { ipSecPolicyPib 10 } -- -- -- The ipSecRuleTable -- ipSecRuleTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecRuleEntry PIB-ACCESS install STATUS current DESCRIPTION "This table is the starting point for specifying an IPsec policy. It contains an ordered list of IPsec rules. 
" ::= { ipSecAssociation 1 } ipSecRuleEntry OBJECT-TYPE SYNTAX IpSecRuleEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecRulePrid } UNIQUENESS { ipSecRuleIfName, ipSecRuleRoles, ipSecRuleOrder } ::= { ipSecRuleTable 1 } IpSecRuleEntry ::= SEQUENCE { ipSecRulePrid InstanceId, ipSecRuleIfName SnmpAdminString, ipSecRuleRoles RoleCombination, ipSecRuleDirection INTEGER, ipSecRuleIpSecSelectorSetId TagReferenceId, ipSecRuleipSecIpsoFilterSetId TagReferenceId, ipSecRuleIpSecActionSetId TagReferenceId, ipSecRuleActionExecutionStrategy INTEGER, ipSecRuleOrder Unsigned16, ipSecRuleLimitNegotiation INTEGER, ipSecRuleAutoStart TruthValue, ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId } ipSecRulePrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecRuleEntry 1 } ipSecRuleIfName OBJECT-TYPE SYNTAX SnmpAdminString STATUS current DESCRIPTION "The interface capability set to which this IPsec rule applies. The interface capability name specified by this attribute MUST exist in the frwkIfCapSetTable [FR-PIB] prior to association with an instance of this class." ::= { ipSecRuleEntry 2 } ipSecRuleRoles OBJECT-TYPE SYNTAX RoleCombination STATUS current DESCRIPTION "Specifies the role combination of the interface to which this IPsec rule should apply. There must exist an instance in the frwkIfCapSetRoleComboTable [FR-PIB] specifying this role combination, together with the interface capability set specified by ipSecRuleIfName, prior to association with an instance of this class." ::= { ipSecRuleEntry 3 } ipSecRuleDirection OBJECT-TYPE SYNTAX INTEGER { in(1), out(2), bi-directional(3) } STATUS current DESCRIPTION "Specifies the direction of traffic to which this rule should apply." 
::= { ipSecRuleEntry 4 } ipSecRuleIpSecSelectorSetId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecSelectorSetSelectorSetId } STATUS current DESCRIPTION "Identifies a set of selectors to be associated with this IPsec rule. " ::= { ipSecRuleEntry 5 } ipSecRuleipSecIpsoFilterSetId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecIpsoFilterSetFilterSetId } STATUS current DESCRIPTION "Identifies a set of IPSO filters to be associated with this IPsec rule. A value of zero indicates that there are no IPSO filters associated with this rule. When the value of this attribute is not zero, the set of IPSO filters is ANDed with the set of Selectors specified by ipSecRuleIpSecSelectorSetId. In other words, a packet MUST match a selector in the selector sets and a filter in the IPSO filter sets before the actions associated with this rule can be applied." ::= { ipSecRuleEntry 6 } ipSecRuleIpSecActionSetId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecActionSetActionSetId } STATUS current DESCRIPTION "Identifies a set of IPsec actions to be associated with this rule." ::= { ipSecRuleEntry 7 } ipSecRuleActionExecutionStrategy OBJECT-TYPE SYNTAX INTEGER { doAll(1), doUntilSuccess(2) } STATUS current DESCRIPTION "Specifies the strategy to be used in executing the sequenced actions in the action set identified by ipSecRuleIpSecActionSetId. DoAll (1) causes the execution of all the actions in the action set according to their defined precedence order. The precedence order is specified by the ipSecActionSetOrder in the ipSecActionSetTable. DoUntilSuccess (2) causes the execution of actions according to their defined precedence order until a successful execution of a single action. The precedence order is specified by the ipSecActionSetOrder in the ipSecActionSetTable." ::= { ipSecRuleEntry 8 } ipSecRuleOrder OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the precedence order of the rule within all the rules associated with {IfName, Roles}. 
A smaller value indicates a higher precedence order. " ::= { ipSecRuleEntry 9 } ipSecRuleLimitNegotiation OBJECT-TYPE SYNTAX INTEGER { initiator(1), responder(2), both(3) } STATUS current DESCRIPTION "Limits the negotiation method. Before proceeding with a phase 2 negotiation, the LimitNegotiation property of the IPsecRule is first checked to determine if the negotiation part indicated for the rule matches that of the current negotiation (Initiator, Responder, or Either). This attribute is ignored when an attempt is made to refresh an expiring SA (either side can initiate a refresh operation). The system can determine that the negotiation is a refresh operation by checking to see if the selector information matches that of an existing SA. If LimitNegotiation does not match and the selector corresponds to a new SA, the negotiation is stopped. " ::= { ipSecRuleEntry 10 } ipSecRuleAutoStart OBJECT-TYPE SYNTAX TruthValue STATUS current DESCRIPTION "Indicates if this rule should be automatically executed." ::= { ipSecRuleEntry 11 } ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId } STATUS current DESCRIPTION "Identifies an IPsec rule time period set, specified in ipSecRuleTimePeriodSetTable, that is associated with this rule. A value of zero indicates that this IPsec rule is always valid." ::= { ipSecRuleEntry 12 } -- -- -- The ipSecActionSetTable -- ipSecActionSetTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecActionSetEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPsec action sets." 
::= { ipSecAssociation 2 } ipSecActionSetEntry OBJECT-TYPE SYNTAX IpSecActionSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecActionSetPrid } UNIQUENESS { ipSecActionSetActionSetId, ipSecActionSetActionId, ipSecActionSetDoActionLogging, ipSecActionSetDoPacketLogging, ipSecActionSetOrder } ::= { ipSecActionSetTable 1 } IpSecActionSetEntry ::= SEQUENCE { ipSecActionSetPrid InstanceId, ipSecActionSetActionSetId TagId, ipSecActionSetActionId Prid, ipSecActionSetDoActionLogging TruthValue, ipSecActionSetDoPacketLogging TruthValue, ipSecActionSetOrder Unsigned16 } ipSecActionSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecActionSetEntry 1 } ipSecActionSetActionSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An IPsec action set is composed of one or more IPsec actions. Each action belonging to the same set has the same ActionSetId." ::= { ipSecActionSetEntry 2 } ipSecActionSetActionId OBJECT-TYPE SYNTAX Prid STATUS current DESCRIPTION "A pointer to a valid instance in another table that describes an action to be taken. For IPsec static actions, it MUST point to an instance in the ipSecStaticActionTable. For IPsec negotiation actions, it MUST point to an instance in the ipSecNegotiationActionTable. For other actions, it may point to an instance in a table specified by other PIB modules." ::= { ipSecActionSetEntry 3 } ipSecActionSetDoActionLogging OBJECT-TYPE SYNTAX TruthValue STATUS current DESCRIPTION "Specifies whether a log message is to be generated when the action is performed. This applies for ipSecNegotiationActions with the meaning of logging a message when the negotiation is attempted (with the success or failure result). 
This also applies for ipSecStaticAction only for PreconfiguredTransport action or PreconfiguredTunnel action with the meaning of logging a message when the preconfigured SA is actually installed in the SADB." ::= { ipSecActionSetEntry 4 } ipSecActionSetDoPacketLogging OBJECT-TYPE SYNTAX TruthValue STATUS current DESCRIPTION "Specifies whether to log when the resulting security association is used to process a packet. For ipSecStaticActions, a log message is to be generated when the IPsecBypass, IpsecDiscard or IKEReject actions are executed." ::= { ipSecActionSetEntry 5 } ipSecActionSetOrder OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the precedence order of the action within the action set. An action with a smaller precedence order is to be applied before one with a larger precedence order. " ::= { ipSecActionSetEntry 6 } -- -- -- The ipSecStaticActionTable -- ipSecStaticActionTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecStaticActionEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPsec static actions." 
::= { ipSecAssociation 3 } ipSecStaticActionEntry OBJECT-TYPE SYNTAX IpSecStaticActionEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecStaticActionPrid } UNIQUENESS { ipSecStaticActionAction, ipSecStaticActionTunnelEndpointId, ipSecStaticActionDfHandling, ipSecStaticActionSpi, ipSecStaticActionLifetimeSeconds, ipSecStaticActionLifetimeKilobytes, ipSecStaticActionSaTransformId } ::= { ipSecStaticActionTable 1 } IpSecStaticActionEntry ::= SEQUENCE { ipSecStaticActionPrid InstanceId, ipSecStaticActionAction INTEGER, ipSecStaticActionTunnelEndpointId ReferenceId, ipSecStaticActionDfHandling INTEGER, ipSecStaticActionSpi Unsigned32, ipSecStaticActionLifetimeSeconds Unsigned32, ipSecStaticActionLifetimeKilobytes Unsigned32, ipSecStaticActionSaTransformId Prid } ipSecStaticActionPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecStaticActionEntry 1 } ipSecStaticActionAction OBJECT-TYPE SYNTAX INTEGER { byPass(1), discard(2), ikeRejection(3), preConfiguredTransport(4), preConfiguredTunnel(5) } STATUS current DESCRIPTION "Specifies the IPsec action to be applied to the traffic. byPass (1) means that packets are to be allowed to pass in the clear. discard (2) means that packets are to be discarded. ikeRejection (3) means that an IKE negotiation should not even be attempted or continued. preConfiguredTransport (4) means that an IPsec transport SA is pre-configured. preConfiguredTunnel (5) means that an IPsec tunnel SA is pre-configured. " ::= { ipSecStaticActionEntry 2 } ipSecStaticActionTunnelEndpointId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecAddressEntry } STATUS current DESCRIPTION "When ipSecStaticActionAction is preConfiguredTunnel (5), this attribute indicates the peer gateway IP address. This address MUST be a single endpoint address. When ipSecStaticActionAction is not preConfiguredTunnel, this attribute MUST be zero." 
::= { ipSecStaticActionEntry 3 } ipSecStaticActionDfHandling OBJECT-TYPE SYNTAX INTEGER { copy(1), set(2), clear(3) } STATUS current DESCRIPTION "When ipSecStaticActionAction is preConfiguredTunnel, this attribute specifies how the DF bit is managed. Copy (1) indicates to copy the DF bit from the internal IP header to the external IP header. Set (2) indicates to set the DF bit of the external IP header to 1. Clear (3) indicates to clear the DF bit of the external IP header to 0. When ipSecStaticActionAction is not preConfiguredTunnel, this attribute MUST be ignored. " ::= { ipSecStaticActionEntry 4 } ipSecStaticActionSpi OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the SPI to be used with the SA Transform identified by ipSecStaticActionSaTransformId. When ipSecStaticActionAction is neither preConfiguredTransport nor preConfiguredTunnel, this attribute MUST be ignored." ::= { ipSecStaticActionEntry 5 } ipSecStaticActionLifetimeSeconds OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the amount of time (in seconds) that a security association derived from this action should be used. When ipSecStaticActionAction is neither preConfiguredTransport nor preConfiguredTunnel, this attribute MUST be ignored. A value of zero indicates that there is not a lifetime associated with this action (i.e., infinite lifetime). The actual lifetime of the preconfigured SA will be the smaller of the value of this LifetimeSeconds property and the value of the MaxLifetimeSeconds property of the associated SA Transform, except that if the value of this LifetimeSeconds property is zero, there will be no lifetime associated with this SA." ::= { ipSecStaticActionEntry 6 } ipSecStaticActionLifetimeKilobytes OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the SA lifetime in kilobytes. 
When ipSecStaticActionAction is neither preConfiguredTransport nor preConfiguredTunnel, this attribute MUST be ignored. A value of zero indicates that there is not a lifetime associated with this action (i.e., infinite lifetime). The actual lifetime of the preconfigured SA will be the smaller of the value of this LifetimeKilobytes property and the value of the MaxLifetimeKilobytes property of the associated SA transform, except that if the value of this LifetimeKilobytes property is zero, there will be no lifetime associated with this action. " ::= { ipSecStaticActionEntry 7 } ipSecStaticActionSaTransformId OBJECT-TYPE SYNTAX Prid STATUS current DESCRIPTION "A pointer to a valid instance in another table that describes an SA transform, e.g., ipSecEspTransformTable, ipSecAhTransformTable." ::= { ipSecStaticActionEntry 8 } -- -- -- The ipSecNegotiationActionTable -- ipSecNegotiationActionTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecNegotiationActionEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPsec negotiation actions." ::= { ipSecAssociation 4 } ipSecNegotiationActionEntry OBJECT-TYPE SYNTAX IpSecNegotiationActionEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecNegotiationActionPrid } UNIQUENESS { ipSecNegotiationActionAction, ipSecNegotiationActionTunnelEndpointId, ipSecNegotiationActionDfHandling, ipSecNegotiationActionIpSecSecurityAssociationId, ipSecNegotiationActionKeyExchangeId } ::= { ipSecNegotiationActionTable 1 } IpSecNegotiationActionEntry ::= SEQUENCE { ipSecNegotiationActionPrid InstanceId, ipSecNegotiationActionAction INTEGER, ipSecNegotiationActionTunnelEndpointId ReferenceId, ipSecNegotiationActionDfHandling INTEGER, ipSecNegotiationActionIpSecSecurityAssociationId ReferenceId, ipSecNegotiationActionKeyExchangeId Prid } ipSecNegotiationActionPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." 
::= { ipSecNegotiationActionEntry 1 } ipSecNegotiationActionAction OBJECT-TYPE SYNTAX INTEGER { transport(1), tunnel(2) } STATUS current DESCRIPTION "Specifies the IPsec action to be applied to the traffic. transport(1) means that the packet should be protected with a security association in transport mode. tunnel(2) means that the packet should be protected with a security association in tunnel mode. If tunnel (2) is specified, ipSecNegotiationActionTunnelEndpointId MUST also be specified." ::= { ipSecNegotiationActionEntry 2 } ipSecNegotiationActionTunnelEndpointId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecAddressEntry } STATUS current DESCRIPTION "When ipSecNegotiationActionAction is tunnel (2), this attribute indicates the peer gateway IP address. This address MUST be a single endpoint address. When ipSecNegotiationActionAction is not tunnel, this attribute MUST be zero." ::= { ipSecNegotiationActionEntry 3 } ipSecNegotiationActionDfHandling OBJECT-TYPE SYNTAX INTEGER { copy(1), set(2), clear(3) } STATUS current DESCRIPTION "When ipSecNegotiationActionAction is tunnel, this attribute specifies how the DF bit is managed. Copy (1) indicates to copy the DF bit from the internal IP header to the external IP header. Set (2) indicates to set the DF bit of the external IP header to 1. Clear (3) indicates to clear the DF bit of the external IP header to 0. When ipSecNegotiationActionAction is not tunnel, this attribute MUST be ignored. " ::= { ipSecNegotiationActionEntry 4 } ipSecNegotiationActionIpSecSecurityAssociationId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecAssociationEntry } STATUS current DESCRIPTION "Pointer to a valid instance in the ipSecAssociationTable." ::= { ipSecNegotiationActionEntry 5 } ipSecNegotiationActionKeyExchangeId OBJECT-TYPE SYNTAX Prid STATUS current DESCRIPTION "A pointer to a valid instance in another table that describes key exchange associations. 
If a single IKE phase one negotiation is used for the key exchange, this attribute MUST point to an instance in the ipSecIkeAssociationTable. If multiple IKE phase one negotiations (e.g., with different modes) are to be tried until success, this attribute SHOULD point to ipSecIkeRuleTable. For other key exchange methods, this attribute may point to an instance of a PRC defined in some other PIB. A value of zero means that there is no key exchange procedure associated." ::= { ipSecNegotiationActionEntry 6 } -- -- -- The ipSecAssociationTable -- ipSecAssociationTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecAssociationEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPsec associations." ::= { ipSecAssociation 5 } ipSecAssociationEntry OBJECT-TYPE SYNTAX IpSecAssociationEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecAssociationPrid } UNIQUENESS { ipSecAssociationMinLifetimeSeconds, ipSecAssociationMinLifetimeKilobytes, ipSecAssociationIdleDurationSeconds, ipSecAssociationUsePfs, ipSecAssociationVendorId, ipSecAssociationUseKeyExchangeGroup, ipSecAssociationDhGroup, ipSecAssociationGranularity, ipSecAssociationProposalSetId } ::= { ipSecAssociationTable 1 } IpSecAssociationEntry ::= SEQUENCE { ipSecAssociationPrid InstanceId, ipSecAssociationMinLifetimeSeconds Unsigned32, ipSecAssociationMinLifetimeKilobytes Unsigned32, ipSecAssociationIdleDurationSeconds Unsigned32, ipSecAssociationUsePfs TruthValue, ipSecAssociationVendorId OCTET STRING, ipSecAssociationUseKeyExchangeGroup TruthValue, ipSecAssociationDhGroup Unsigned16, ipSecAssociationGranularity INTEGER, ipSecAssociationProposalSetId TagReferenceId } ipSecAssociationPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." 
::= { ipSecAssociationEntry 1 } ipSecAssociationMinLifetimeSeconds OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the minimum SA lifetime, in seconds, that will be accepted from a peer while negotiating an SA based upon this action. A value of zero indicates that there is no minimum lifetime enforced." ::= { ipSecAssociationEntry 2 } ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the minimum kilobyte lifetime that will be accepted from a negotiating peer while negotiating an SA based upon this action. A value of zero indicates that there is no minimum lifetime enforced." ::= { ipSecAssociationEntry 3 } ipSecAssociationIdleDurationSeconds OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies how long, in seconds, a security association may remain unused before it is deleted. A value of zero indicates that idle detection should not be used for the security association (only the seconds and kilobyte lifetimes will be used)." ::= { ipSecAssociationEntry 4 } ipSecAssociationUsePfs OBJECT-TYPE SYNTAX TruthValue STATUS current DESCRIPTION "Specifies whether or not to use PFS when refreshing keys." ::= { ipSecAssociationEntry 5 } ipSecAssociationVendorId OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies the IKE Vendor ID. This attribute is used together with the property ipSecAssociationDhGroup (when it is in the vendor-specific range) to identify the key exchange group. This attribute is ignored unless ipSecAssociationUsePfs is true and ipSecAssociationUseKeyExchangeGroup is false and ipSecAssociationDhGroup is in the vendor-specific range (32768-65535)." ::= { ipSecAssociationEntry 6 } ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE SYNTAX TruthValue STATUS current DESCRIPTION "Specifies whether or not to use the same GroupId for phase 2 as was used in phase 1. If ipSecAssociationUsePfs is false, then this attribute is ignored. 
A value of true indicates that the phase 2 GroupId should be the same as phase 1. A value of false indicates that the group number specified by the ipSecAssociationDhGroup attribute SHALL be used for phase 2. " ::= { ipSecAssociationEntry 7 } ipSecAssociationDhGroup OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the key exchange group to use for phase 2 when the property ipSecAssociationUsePfs is true and the property ipSecAssociationUseKeyExchangeGroup is false." ::= { ipSecAssociationEntry 8 } ipSecAssociationGranularity OBJECT-TYPE SYNTAX INTEGER { subnet(1), address(2), protocol(3), port(4) } STATUS current DESCRIPTION "Specifies how the proposed selector for the security association will be created. A value of 1 (subnet) indicates that the source and destination subnet masks of the filter entry are used. A value of 2 (address) indicates that only the source and destination IP addresses of the triggering packet are used. A value of 3 (protocol) indicates that the source and destination IP addresses and the IP protocol of the triggering packet are used. A value of 4 (port) indicates that the source and destination IP addresses and the IP protocol and the source and destination layer 4 ports of the triggering packet are used. " ::= { ipSecAssociationEntry 9 } ipSecAssociationProposalSetId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecProposalSetProposalSetId } STATUS current DESCRIPTION "Identifies a set of IPsec proposals that is associated with this IPsec association." ::= { ipSecAssociationEntry 10 } -- -- -- The ipSecProposalSetTable -- ipSecProposalSetTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecProposalSetEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPsec proposal sets. Proposals within a set are ORed with preference order. 
" ::= { ipSecAssociation 6 } ipSecProposalSetEntry OBJECT-TYPE SYNTAX IpSecProposalSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecProposalSetPrid } UNIQUENESS { ipSecProposalSetProposalSetId, ipSecProposalSetProposalId, ipSecProposalSetOrder } ::= { ipSecProposalSetTable 1 } IpSecProposalSetEntry ::= SEQUENCE { ipSecProposalSetPrid InstanceId, ipSecProposalSetProposalSetId TagId, ipSecProposalSetProposalId ReferenceId, ipSecProposalSetOrder Unsigned16 } ipSecProposalSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecProposalSetEntry 1 } ipSecProposalSetProposalSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An IPsec proposal set is composed of one or more IPsec proposals. Each proposal belonging to the same set has the same ProposalSetId." ::= { ipSecProposalSetEntry 2 } ipSecProposalSetProposalId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecProposalEntry } STATUS current DESCRIPTION "A pointer to a valid instance in the ipSecProposalTable." ::= { ipSecProposalSetEntry 3 } ipSecProposalSetOrder OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "An integer that specifies the precedence order of the proposal identified by ipSecProposalSetProposalId in a proposal set. The proposal set is identified by ipSecProposalSetProposalSetId. Proposals within a set are ORed with preference order. A smaller integer value indicates a higher preference." ::= { ipSecProposalSetEntry 4 } -- -- -- The ipSecProposalTable -- ipSecProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecProposalEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPsec proposals. It has references to ESP, AH and IPCOMP Transform sets. Within a proposal, different types of transforms are ANDed. Multiple transforms of the same type are ORed with preference order." 
::= { ipSecAssociation 7 } ipSecProposalEntry OBJECT-TYPE SYNTAX IpSecProposalEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecProposalPrid } UNIQUENESS { ipSecProposalEspTransformSetId, ipSecProposalAhTransformSetId, ipSecProposalCompTransformSetId } ::= { ipSecProposalTable 1 } IpSecProposalEntry ::= SEQUENCE { ipSecProposalPrid InstanceId, ipSecProposalEspTransformSetId TagReferenceId, ipSecProposalAhTransformSetId TagReferenceId, ipSecProposalCompTransformSetId TagReferenceId } ipSecProposalPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecProposalEntry 1 } ipSecProposalEspTransformSetId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecEspTransformSetTransformSetId } STATUS current DESCRIPTION "An integer that identifies a set of ESP transforms, specified in ipSecEspTransformSetTable, that is associated with this proposal." ::= { ipSecProposalEntry 2 } ipSecProposalAhTransformSetId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecAhTransformSetTransformSetId } STATUS current DESCRIPTION "An integer that identifies an AH transform set, specified in ipSecAhTransformSetTable, that is associated with this proposal." ::= { ipSecProposalEntry 3 } ipSecProposalCompTransformSetId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecCompTransformSetTransformSetId } STATUS current DESCRIPTION "An integer that identifies a set of IPComp transforms, specified in ipSecCompTransformSetTable, that is associated with this proposal." ::= { ipSecProposalEntry 4 } -- -- -- The ipSecAhTransformSetTable -- ipSecAhTransformSetTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecAhTransformSetEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies AH transform sets. Within a transform set, the transforms are ORed with preference order. 
" ::= { ipSecAhTransform 1 } ipSecAhTransformSetEntry OBJECT-TYPE SYNTAX IpSecAhTransformSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecAhTransformSetPrid } UNIQUENESS { ipSecAhTransformSetTransformSetId, ipSecAhTransformSetTransformId, ipSecAhTransformSetOrder } ::= { ipSecAhTransformSetTable 1 } IpSecAhTransformSetEntry ::= SEQUENCE { ipSecAhTransformSetPrid InstanceId, ipSecAhTransformSetTransformSetId TagId, ipSecAhTransformSetTransformId ReferenceId, ipSecAhTransformSetOrder Unsigned16 } ipSecAhTransformSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class. " ::= { ipSecAhTransformSetEntry 1 } ipSecAhTransformSetTransformSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An AH transform set is composed of one or more AH transforms. Each transform belonging to the same set has the same TransformSetId." ::= { ipSecAhTransformSetEntry 2 } ipSecAhTransformSetTransformId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecAhTransformEntry } STATUS current DESCRIPTION "A pointer to a valid instance in the ipSecAhTransformTable." ::= { ipSecAhTransformSetEntry 3 } ipSecAhTransformSetOrder OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "An integer that specifies the precedence order of the transform identified by ipSecAhTransformSetTransformId within a transform set. The transform set is identified by ipSecAhTransformSetTransformSetId. Transforms within a set are ORed with preference order. A smaller integer value indicates a higher preference." ::= { ipSecAhTransformSetEntry 4 } -- -- -- The ipSecAhTransformTable -- ipSecAhTransformTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecAhTransformEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies AH transforms." 
::= { ipSecAhTransform 2 }

-- ipSecAhTransformEntry: one instance (row) of the AH transform class,
-- indexed by ipSecAhTransformPrid.
-- NOTE(review): the UNIQUENESS clause below lists ipSecAhTransformIntegrityKey,
-- so secret key material is one of the attributes that distinguishes instances.
ipSecAhTransformEntry OBJECT-TYPE
    SYNTAX IpSecAhTransformEntry
    STATUS current
    DESCRIPTION "Specifies an instance of this class"
    PIB-INDEX { ipSecAhTransformPrid }
    UNIQUENESS { ipSecAhTransformTransformId,
                 ipSecAhTransformIntegrityKey,
                 ipSecAhTransformUseReplayPrevention,
                 ipSecAhTransformReplayPreventionWindowSize,
                 ipSecAhTransformVendorId,
                 ipSecAhTransformMaxLifetimeSeconds,
                 ipSecAhTransformMaxLifetimeKilobytes }
    ::= { ipSecAhTransformTable 1 }

-- Attribute list of the class; each attribute is defined individually below.
IpSecAhTransformEntry ::= SEQUENCE {
    ipSecAhTransformPrid InstanceId,
    ipSecAhTransformTransformId INTEGER,
    ipSecAhTransformIntegrityKey OCTET STRING,
    ipSecAhTransformUseReplayPrevention TruthValue,
    ipSecAhTransformReplayPreventionWindowSize Unsigned32,
    ipSecAhTransformVendorId OCTET STRING,
    ipSecAhTransformMaxLifetimeSeconds Unsigned32,
    ipSecAhTransformMaxLifetimeKilobytes Unsigned32 }

-- Instance identifier of the row.
ipSecAhTransformPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION "An integer index that uniquely identifies an instance of this class. "
    ::= { ipSecAhTransformEntry 1 }

-- AH integrity algorithm to propose.
-- NOTE(review): the values appear to follow the AH transform identifiers of
-- the IPsec DOI (RFC 2407); confirm against that registry.
-- NOTE(review): the enumeration offers only md5, sha-1 and des. MD5- and
-- DES-based integrity algorithms are deprecated by current IETF algorithm
-- guidance (RFC 8221), so policies built from this attribute should be checked
-- against the algorithm requirements in force for the deployment.
ipSecAhTransformTransformId OBJECT-TYPE
    SYNTAX INTEGER { md5(2), sha-1(3), des(4) }
    STATUS current
    DESCRIPTION "Specifies the transform ID of the AH algorithm to propose."
    ::= { ipSecAhTransformEntry 2 }

-- Integrity key for statically keyed (Static Action) use of this transform.
-- NOTE(review): this attribute is secret key material held in a policy
-- instance. Anything that stores, logs or transports the instance handles the
-- key; confirm that the provisioning channel and the policy store protect its
-- confidentiality and that it is excluded from logs and dumps.
ipSecAhTransformIntegrityKey OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION "When this AH transform instance is used for a Static Action, this attribute specifies the integrity key to be used. This attribute MUST be ignored when this AH transform instance is used for a Negotiation Action."
    ::= { ipSecAhTransformEntry 3 }

-- Switch for the anti-replay check on SAs that use this transform.
ipSecAhTransformUseReplayPrevention OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION "Specifies whether to enable replay prevention detection."
    ::= { ipSecAhTransformEntry 4 }

-- Size, in bits, of the anti-replay sliding window.
ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION "Specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. 
The value of this property is ignored if UseReplayPrevention is false. It is assumed that the window size will be a power of 2." ::= { ipSecAhTransformEntry 5 } ipSecAhTransformVendorId OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies the vendor ID for vendor-defined transforms." ::= { ipSecAhTransformEntry 6 } ipSecAhTransformMaxLifetimeSeconds OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the maximum amount of time to propose for a security association to remain valid. A value of zero indicates that the default of 8 hours be used. A non-zero value indicates the maximum seconds lifetime." ::= { ipSecAhTransformEntry 7 } ipSecAhTransformMaxLifetimeKilobytes OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the maximum kilobyte lifetime to propose for a security association to remain valid. A value of zero indicates that there should be no maximum kilobyte lifetime. A non-zero value specifies the desired kilobyte lifetime." ::= { ipSecAhTransformEntry 8 } -- -- -- The ipSecEspTransformSetTable -- ipSecEspTransformSetTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecEspTransformSetEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies ESP transform sets. Within a transform set, the choices are ORed with preference order. 
" ::= { ipSecEspTransform 1 } ipSecEspTransformSetEntry OBJECT-TYPE SYNTAX IpSecEspTransformSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecEspTransformSetPrid } UNIQUENESS { ipSecEspTransformSetTransformSetId, ipSecEspTransformSetTransformId, ipSecEspTransformSetOrder } ::= { ipSecEspTransformSetTable 1 } IpSecEspTransformSetEntry ::= SEQUENCE { ipSecEspTransformSetPrid InstanceId, ipSecEspTransformSetTransformSetId TagId, ipSecEspTransformSetTransformId ReferenceId, ipSecEspTransformSetOrder Unsigned16 } ipSecEspTransformSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecEspTransformSetEntry 1 } ipSecEspTransformSetTransformSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An ESP transform set is composed of one or more ESP transforms. Each transform belonging to the same set has the same TransformSetId." ::= { ipSecEspTransformSetEntry 2 } ipSecEspTransformSetTransformId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecEspTransformEntry } STATUS current DESCRIPTION "A pointer to a valid instance in the ipSecEspTransformTable." ::= { ipSecEspTransformSetEntry 3 } ipSecEspTransformSetOrder OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "An integer that specifies the precedence order of the transform identified by ipSecEspTransformSetTransformId within a transform set. The transform set is identified by ipSecEspTransformSetTransformSetId. Transforms within a set are ORed with preference order. A smaller integer value indicates a higher preference." ::= { ipSecEspTransformSetEntry 4 } -- -- -- The ipSecEspTransformTable -- ipSecEspTransformTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecEspTransformEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies ESP transforms." 
::= { ipSecEspTransform 2 } ipSecEspTransformEntry OBJECT-TYPE SYNTAX IpSecEspTransformEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecEspTransformPrid } UNIQUENESS { ipSecEspTransformIntegrityTransformId, ipSecEspTransformCipherTransformId, ipSecEspTransformIntegrityKey, ipSecEspTransformCipherKey, ipSecEspTransformCipherKeyRounds, ipSecEspTransformCipherKeyLength, ipSecEspTransformUseReplayPrevention, ipSecEspTransformReplayPreventionWindowSize, ipSecEspTransformVendorId, ipSecEspTransformMaxLifetimeSeconds, ipSecEspTransformMaxLifetimeKilobytes } ::= { ipSecEspTransformTable 1 } IpSecEspTransformEntry ::= SEQUENCE { ipSecEspTransformPrid InstanceId, ipSecEspTransformIntegrityTransformId INTEGER, ipSecEspTransformCipherTransformId INTEGER, ipSecEspTransformIntegrityKey OCTET STRING, ipSecEspTransformCipherKey OCTET STRING, ipSecEspTransformCipherKeyRounds Unsigned16, ipSecEspTransformCipherKeyLength Unsigned16, ipSecEspTransformUseReplayPrevention TruthValue, ipSecEspTransformReplayPreventionWindowSize Unsigned32, ipSecEspTransformVendorId OCTET STRING, ipSecEspTransformMaxLifetimeSeconds Unsigned32, ipSecEspTransformMaxLifetimeKilobytes Unsigned32 } ipSecEspTransformPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecEspTransformEntry 1 } ipSecEspTransformIntegrityTransformId OBJECT-TYPE SYNTAX INTEGER { none(0), hmacMd5(1), hmacSha(2), desMac(3), kpdk(4) } STATUS current DESCRIPTION "Specifies the transform ID of the ESP integrity algorithm to propose." ::= { ipSecEspTransformEntry 2 } ipSecEspTransformCipherTransformId OBJECT-TYPE SYNTAX INTEGER { desIV64(1), des(2), tripleDES(3), rc5(4), idea(5), cast(6), blowfish(7), tripleIDEA(8), desIV32(9), rc4(10), null(11) } STATUS current DESCRIPTION "Specifies the transform ID of the ESP encryption algorithm to propose." 
::= { ipSecEspTransformEntry 3 } ipSecEspTransformIntegrityKey OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "When this ESP transform instance is used for a Static Action, this attribute specifies the integrity key to be used. This attribute MUST be ignored when this ESP transform instance is used for a Negotiation Action." ::= { ipSecEspTransformEntry 4 } ipSecEspTransformCipherKey OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "When this ESP transform instance is used for a Static Action, this attribute specifies the cipher key to be used. This attribute MUST be ignored when this ESP transform instance is used for a Negotiation Action." ::= { ipSecEspTransformEntry 5 } ipSecEspTransformCipherKeyRounds OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the number of key rounds for the ESP encryption algorithm. For encryption algorithms that use a fixed number of key rounds, this value is ignored." ::= { ipSecEspTransformEntry 6 } ipSecEspTransformCipherKeyLength OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies, in bits, the key length for the ESP encryption algorithm. For encryption algorithms that use fixed-length keys, this value is ignored." ::= { ipSecEspTransformEntry 7 } ipSecEspTransformUseReplayPrevention OBJECT-TYPE SYNTAX TruthValue STATUS current DESCRIPTION "Specifies whether to enable replay prevention detection." ::= { ipSecEspTransformEntry 8 } ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is ignored if UseReplayPrevention is false. It is assumed that the window size will be a power of 2." ::= { ipSecEspTransformEntry 9 } ipSecEspTransformVendorId OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies the vendor ID for vendor-defined transforms." 
::= { ipSecEspTransformEntry 10 } ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the maximum amount of time to propose for a security association to remain valid. A value of zero indicates that the default of 8 hours be used. A non-zero value indicates the maximum seconds lifetime." ::= { ipSecEspTransformEntry 11 } ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the maximum kilobyte lifetime to propose for a security association to remain valid. A value of zero indicates that there should be no maximum kilobyte lifetime. A non-zero value specifies the desired kilobyte lifetime." ::= { ipSecEspTransformEntry 12 } -- -- -- The ipSecCompTransformSetTable -- ipSecCompTransformSetTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecCompTransformSetEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPComp transform sets. Within a transform set, the choices are ORed with preference order." ::= { ipSecCompTransform 1 } ipSecCompTransformSetEntry OBJECT-TYPE SYNTAX IpSecCompTransformSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecCompTransformSetPrid } UNIQUENESS { ipSecCompTransformSetTransformSetId, ipSecCompTransformSetTransformId, ipSecCompTransformSetOrder } ::= { ipSecCompTransformSetTable 1 } IpSecCompTransformSetEntry ::= SEQUENCE { ipSecCompTransformSetPrid InstanceId, ipSecCompTransformSetTransformSetId TagId, ipSecCompTransformSetTransformId ReferenceId, ipSecCompTransformSetOrder Unsigned16 } ipSecCompTransformSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecCompTransformSetEntry 1 } ipSecCompTransformSetTransformSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An IPCOMP transform set is composed of one or more IPCOMP transforms. Each transform belonging to the same set has the same TransformSetId." 
::= { ipSecCompTransformSetEntry 2 } ipSecCompTransformSetTransformId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecCompTransformEntry } STATUS current DESCRIPTION "A pointer to a valid instance in the ipSecCompTransformTable." ::= { ipSecCompTransformSetEntry 3 } ipSecCompTransformSetOrder OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "An integer that specifies the precedence order of the transform identified by ipSecCompTransformSetTransformId within a transform set. The transform set is identified by ipSecCompTransformSetTransformSetId. Transforms within a set are ORed with preference order. A smaller integer value indicates a higher preference." ::= { ipSecCompTransformSetEntry 4 } -- -- -- The ipSecCompTransformTable -- ipSecCompTransformTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecCompTransformEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IP compression (IPCOMP) algorithms." ::= { ipSecCompTransform 2 } ipSecCompTransformEntry OBJECT-TYPE SYNTAX IpSecCompTransformEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecCompTransformPrid } UNIQUENESS { ipSecCompTransformAlgorithm, ipSecCompTransformDictionarySize, ipSecCompTransformPrivateAlgorithm, ipSecCompTransformVendorId, ipSecCompTransformMaxLifetimeSeconds, ipSecCompTransformMaxLifetimeKilobytes } ::= { ipSecCompTransformTable 1 } IpSecCompTransformEntry ::= SEQUENCE { ipSecCompTransformPrid InstanceId, ipSecCompTransformAlgorithm INTEGER, ipSecCompTransformDictionarySize Unsigned16, ipSecCompTransformPrivateAlgorithm Unsigned32, ipSecCompTransformVendorId OCTET STRING, ipSecCompTransformMaxLifetimeSeconds Unsigned32, ipSecCompTransformMaxLifetimeKilobytes Unsigned32 } ipSecCompTransformPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." 
::= { ipSecCompTransformEntry 1 } ipSecCompTransformAlgorithm OBJECT-TYPE SYNTAX INTEGER { oui(1), deflate(2), lzs(3) } STATUS current DESCRIPTION "Specifies the transform ID of the IPCOMP compression algorithm to propose." ::= { ipSecCompTransformEntry 2 } ipSecCompTransformDictionarySize OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the log2 maximum size of the dictionary for the compression algorithm. For compression algorithms that have pre-defined dictionary sizes, this value is ignored." ::= { ipSecCompTransformEntry 3 } ipSecCompTransformPrivateAlgorithm OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies a private vendor-specific compression algorithm." ::= { ipSecCompTransformEntry 4 } ipSecCompTransformVendorId OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies the vendor ID for vendor-defined transforms." ::= { ipSecCompTransformEntry 5 } ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the maximum amount of time to propose for a security association to remain valid. A value of zero indicates that the default of 8 hours be used. A non-zero value indicates the maximum seconds lifetime." ::= { ipSecCompTransformEntry 6 } ipSecCompTransformMaxLifetimeKilobytes OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the maximum kilobyte lifetime to propose for a security association to remain valid. A value of zero indicates that there should be no maximum kilobyte lifetime. A non-zero value specifies the desired kilobyte lifetime." ::= { ipSecCompTransformEntry 7 } -- -- -- The ipSecIkeRuleTable -- ipSecIkeRuleTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecIkeRuleEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IKE rules. This table is required only when specifying: - Multiple IKE phase one actions (e.g., with different exchange modes) that are associated with one IPsec association. 
These actions are to be tried in sequence until one succeeds. - IKE phase one actions that start automatically. Support of this table is optional." ::= { ipSecIkeAssociation 1 } ipSecIkeRuleEntry OBJECT-TYPE SYNTAX IpSecIkeRuleEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecIkeRulePrid } UNIQUENESS { ipSecIkeRuleIfName, ipSecIkeRuleRoles, ipSecIkeRuleIkeActionSetId, ipSecIkeRuleActionExecutionStrategy, ipSecIkeRuleLimitNegotiation, ipSecIkeRuleAutoStart } ::= { ipSecIkeRuleTable 1 } IpSecIkeRuleEntry ::= SEQUENCE { ipSecIkeRulePrid InstanceId, ipSecIkeRuleIfName SnmpAdminString, ipSecIkeRuleRoles RoleCombination, ipSecIkeRuleIkeActionSetId TagReferenceId, ipSecIkeRuleActionExecutionStrategy INTEGER, ipSecIkeRuleLimitNegotiation INTEGER, ipSecIkeRuleAutoStart TruthValue, ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId } ipSecIkeRulePrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecIkeRuleEntry 1 } ipSecIkeRuleIfName OBJECT-TYPE SYNTAX SnmpAdminString STATUS current DESCRIPTION "The interface capability set to which this IKE rule applies. The interface capability name specified by this attribute must exist in the frwkIfCapSetTable [FR-PIB] prior to association with an instance of this class. This attribute MUST be ignored if ipSecIkeRuleAutoStart is false." ::= { ipSecIkeRuleEntry 2 } ipSecIkeRuleRoles OBJECT-TYPE SYNTAX RoleCombination STATUS current DESCRIPTION "Specifies the role combination of the interface to which this IKE rule should apply. There must exist an instance in the frwkIfCapSetRoleComboTable [FR-PIB] specifying this role combination, together with the interface capability set specified by ipSecIkeRuleIfName, prior to association with an instance of this class. This attribute MUST be ignored if ipSecIkeRuleAutoStart is false." 
::= { ipSecIkeRuleEntry 3 } ipSecIkeRuleIkeActionSetId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecIkeActionSetActionSetId } STATUS current DESCRIPTION "Identifies a set of IKE actions to be associated with this rule." ::= { ipSecIkeRuleEntry 4 } ipSecIkeRuleActionExecutionStrategy OBJECT-TYPE SYNTAX INTEGER { doAll(1), doUntilSuccess(2) } STATUS current DESCRIPTION "Specifies the strategy to be used in executing the sequenced actions in the action set identified by ipSecRuleIpSecActionSetId. DoAll (1) causes the execution of all the actions in the action set according to their defined precedence order. The precedence order is specified by the ipSecActionSetOrder in ipSecIkeActionSetTable. DoUntilSuccess (2) causes the execution of actions according to their defined precedence order until a successful execution of a single action. The precedence order is specified by the ipSecActionSetOrder in ipSecIkeActionSetTable." ::= { ipSecIkeRuleEntry 5 } ipSecIkeRuleLimitNegotiation OBJECT-TYPE SYNTAX INTEGER { initiator(1), responder(2), both(3) } STATUS current DESCRIPTION "Limits the negotiation method. Before proceeding with a phase 1 negotiation, this property is checked to determine if the negotiation role of the rule matches that defined for the negotiation being undertaken (e.g., Initiator, Responder, or Both). If this check fails (e.g. the current role is IKE responder while the rule specifies IKE initiator), then the IKE negotiation is stopped. Note that this only applies to new IKE phase 1 negotiations and has no effect on either renegotiation or refresh operations with peers for which an established SA already exists." ::= { ipSecIkeRuleEntry 6 } ipSecIkeRuleAutoStart OBJECT-TYPE SYNTAX TruthValue STATUS current DESCRIPTION "Indicates if this rule should be automatically executed." 
::= { ipSecIkeRuleEntry 7 } ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId } STATUS current DESCRIPTION "Identifies a rule time period set, specified in ipSecRuleTimePeriodSetTable, that is associated with this rule. A value of zero indicates that this rule is always valid." ::= { ipSecIkeRuleEntry 8 } -- -- -- The ipSecIkeActionSetTable -- ipSecIkeActionSetTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecIkeActionSetEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IKE action sets." ::= { ipSecIkeAssociation 2 } ipSecIkeActionSetEntry OBJECT-TYPE SYNTAX IpSecIkeActionSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecIkeActionSetPrid } UNIQUENESS { ipSecIkeActionSetActionSetId, ipSecIkeActionSetActionId, ipSecIkeActionSetOrder } ::= { ipSecIkeActionSetTable 1 } IpSecIkeActionSetEntry ::= SEQUENCE { ipSecIkeActionSetPrid InstanceId, ipSecIkeActionSetActionSetId TagId, ipSecIkeActionSetActionId Prid, ipSecIkeActionSetOrder Unsigned16 } ipSecIkeActionSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecIkeActionSetEntry 1 } ipSecIkeActionSetActionSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An IKE action set is composed of one or more IKE actions. Each action belonging to the same set has the same ActionSetId." ::= { ipSecIkeActionSetEntry 2 } ipSecIkeActionSetActionId OBJECT-TYPE SYNTAX Prid STATUS current DESCRIPTION "A pointer to a valid instance in the ipSecIkeAssociationTable." ::= { ipSecIkeActionSetEntry 3 } ipSecIkeActionSetOrder OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the precedence order of the action within the action set. An action with a smaller precedence order is to be tried before one with a larger precedence order. 
" ::= { ipSecIkeActionSetEntry 4 } -- -- -- The ipSecIkeAssociationTable -- ipSecIkeAssociationTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecIkeAssociationEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IKE associations." ::= { ipSecIkeAssociation 3 } ipSecIkeAssociationEntry OBJECT-TYPE SYNTAX IpSecIkeAssociationEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecIkeAssociationPrid } UNIQUENESS { ipSecIkeAssociationMinLiftetimeSeconds, ipSecIkeAssociationMinLifetimeKilobytes, ipSecIkeAssociationIdleDurationSeconds, ipSecIkeAssociationExchangeMode, ipSecIkeAssociationUseIkeIdentityType, ipSecIkeAssociationUseIkeIdentityValue, ipSecIkeAssociationIkePeerEndpoint, ipSecIkeAssociationPresharedKey, ipSecIkeAssociationVendorId, ipSecIkeAssociationAggressiveModeGroupId, ipSecIkeAssociationLocalCredentialId, ipSecIkeAssociationDoActionLogging, ipSecIkeAssociationIkeProposalSetId } ::= { ipSecIkeAssociationTable 1 } IpSecIkeAssociationEntry ::= SEQUENCE { ipSecIkeAssociationPrid InstanceId, ipSecIkeAssociationMinLiftetimeSeconds Unsigned32, ipSecIkeAssociationMinLifetimeKilobytes Unsigned32, ipSecIkeAssociationIdleDurationSeconds Unsigned32, ipSecIkeAssociationExchangeMode INTEGER, ipSecIkeAssociationUseIkeIdentityType INTEGER, ipSecIkeAssociationUseIkeIdentityValue OCTET STRING, ipSecIkeAssociationIkePeerEndpoint ReferenceId, ipSecIkeAssociationPresharedKey OCTET STRING, ipSecIkeAssociationVendorId OCTET STRING, ipSecIkeAssociationAggressiveModeGroupId Unsigned16, ipSecIkeAssociationLocalCredentialId TagReferenceId, ipSecIkeAssociationDoActionLogging TruthValue, ipSecIkeAssociationIkeProposalSetId TagReferenceId } ipSecIkeAssociationPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." 
::= { ipSecIkeAssociationEntry 1 } ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the minimum SA seconds lifetime that will be accepted from a peer while negotiating an SA based upon this action. A value of zero indicates that there is no minimum lifetime enforced." ::= { ipSecIkeAssociationEntry 2 } ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the minimum kilobyte lifetime that will be accepted from a negotiating peer while negotiating an SA based upon this action. A value of zero indicates that there is no minimum lifetime enforced." ::= { ipSecIkeAssociationEntry 3 } ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies how long, in seconds, a security association may remain unused before it is deleted. A value of zero indicates that idle detection should not be used for the security association (only the seconds and kilobyte lifetimes will be used)." ::= { ipSecIkeAssociationEntry 4 } ipSecIkeAssociationExchangeMode OBJECT-TYPE SYNTAX INTEGER { baseMode(1), mainMode(2), aggressiveMode(4) } STATUS current DESCRIPTION "Specifies the negotiation mode that the IKE server will use for phase one." ::= { ipSecIkeAssociationEntry 5 } ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE SYNTAX INTEGER { ipV4-Address(1), fqdn(2), user-Fqdn(3), ipV4-Subnet(4), ipV6-Address(5), ipV6-Subnet(6), ipV4-Address-Range(7), ipV6-Address-Range(8), der-Asn1-DN(9), der-Asn1-GN(10), key-Id(11) } STATUS current DESCRIPTION "Specifies the type of IKE identity to use during IKE phase one negotiation." ::= { ipSecIkeAssociationEntry 6 } ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies the ID payload value to be provided to the peer during IKE phase one negotiation." 
::= { ipSecIkeAssociationEntry 7 } ipSecIkeAssociationIkePeerEndpoint OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecIkePeerEndpointEntry } STATUS current DESCRIPTION "Pointer to a valid instance in the ipSecIkePeerEndpointTable to indicate an IKE peer endpoint." ::= { ipSecIkeAssociationEntry 8 } ipSecIkeAssociationPresharedKey OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "This attribute specifies the preshared key or secret to use for IKE authentication. This is the key for all the IKE proposals of this association that set ipSecIkeProposalAuthenticationMethod to presharedKey(1)." ::= { ipSecIkeAssociationEntry 9 } ipSecIkeAssociationVendorId OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies the value to be used in the Vendor ID payload. A value of NULL means that Vendor ID payload will be neither generated nor accepted. A non-NULL value means that a Vendor ID payload will be generated (when acting as an initiator) or is expected (when acting as a responder). " ::= { ipSecIkeAssociationEntry 10 } ipSecIkeAssociationAggressiveModeGroupId OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the group ID to be used for aggressive mode. This attribute is ignored unless the attribute ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). If the value of this attribute is from the vendor-specific range (32768-65535), this attribute qualifies the group number." ::= { ipSecIkeAssociationEntry 11 } ipSecIkeAssociationLocalCredentialId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecCredentialSetSetId } STATUS current DESCRIPTION "Indicates a group of credentials. One of the credentials in the group MUST be used when establishing an IKE association with the peer endpoint." 
::= { ipSecIkeAssociationEntry 12 } ipSecIkeAssociationDoActionLogging OBJECT-TYPE SYNTAX TruthValue STATUS current DESCRIPTION "Specifies whether a log message is to be generated when the negotiation is attempted (with the success or failure result)." ::= { ipSecIkeAssociationEntry 13 } ipSecIkeAssociationIkeProposalSetId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecIkeProposalSetProposalSetId } STATUS current DESCRIPTION "Identifies a set of IKE proposals that is associated with this IKE association." ::= { ipSecIkeAssociationEntry 14 } -- -- -- The ipSecIkeProposalSetTable -- ipSecIkeProposalSetTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IKE proposal sets. Proposals within a set are ORed with preference order. " ::= { ipSecIkeAssociation 4 } ipSecIkeProposalSetEntry OBJECT-TYPE SYNTAX IpSecIkeProposalSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecIkeProposalSetPrid } UNIQUENESS { ipSecIkeProposalSetProposalSetId, ipSecIkeProposalSetProposalId, ipSecIkeProposalSetOrder } ::= { ipSecIkeProposalSetTable 1 } IpSecIkeProposalSetEntry ::= SEQUENCE { ipSecIkeProposalSetPrid InstanceId, ipSecIkeProposalSetProposalSetId TagId, ipSecIkeProposalSetProposalId ReferenceId, ipSecIkeProposalSetOrder Unsigned16 } ipSecIkeProposalSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecIkeProposalSetEntry 1 } ipSecIkeProposalSetProposalSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An IKE proposal set is composed of one or more IKE proposals. Each proposal belonging to the same set has the same ProposalSetId. " ::= { ipSecIkeProposalSetEntry 2 } ipSecIkeProposalSetProposalId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecIkeProposalEntry } STATUS current DESCRIPTION "A pointer to a valid instance in the ipSecIkeProposalTable." 
::= { ipSecIkeProposalSetEntry 3 } ipSecIkeProposalSetOrder OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "An integer that specifies the precedence order of the proposal identified by ipSecIkeProposalSetProposalId in a proposal set. The proposal set is identified by ipSecIkeProposalSetProposalSetId. Proposals within a set are ORed with preference order. A smaller integer value indicates a higher preference." ::= { ipSecIkeProposalSetEntry 4 } -- -- -- The ipSecIkeProposalTable -- ipSecIkeProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecIkeProposalEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IKE proposals." ::= { ipSecIkeAssociation 5 } ipSecIkeProposalEntry OBJECT-TYPE SYNTAX IpSecIkeProposalEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecIkeProposalPrid } UNIQUENESS { ipSecIkeProposalMaxLifetimeSeconds, ipSecIkeProposalMaxLifetimeKilobytes, ipSecIkeProposalCipherAlgorithm, ipSecIkeProposalHashAlgorithm, ipSecIkeProposalAuthenticationMethod, ipSecIkeProposalPrfAlgorithm, ipSecIkeProposalIkeDhGroup, ipSecIkeProposalVendorId } ::= { ipSecIkeProposalTable 1 } IpSecIkeProposalEntry ::= SEQUENCE { ipSecIkeProposalPrid InstanceId, ipSecIkeProposalMaxLifetimeSeconds Unsigned32, ipSecIkeProposalMaxLifetimeKilobytes Unsigned32, ipSecIkeProposalCipherAlgorithm INTEGER, ipSecIkeProposalHashAlgorithm INTEGER, ipSecIkeProposalAuthenticationMethod INTEGER, ipSecIkeProposalPrfAlgorithm Unsigned16, ipSecIkeProposalIkeDhGroup Unsigned16, ipSecIkeProposalVendorId OCTET STRING } ipSecIkeProposalPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecIkeProposalEntry 1 } ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the maximum amount of time to propose for a security association to remain valid. A value of zero indicates that the default of 8 hours be used. 
A non-zero value indicates the maximum seconds lifetime." ::= { ipSecIkeProposalEntry 2 } ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the maximum kilobyte lifetime to propose for a security association to remain valid. A value of zero indicates that there should be no maximum kilobyte lifetime. A non-zero value specifies the desired kilobyte lifetime." ::= { ipSecIkeProposalEntry 3 } ipSecIkeProposalCipherAlgorithm OBJECT-TYPE SYNTAX INTEGER { des-CBC(1), idea-CBC(2), blowfish-CBC(3), rc5-R16-B64-CBC(4), tripleDes-CBC(5), cast-CBC(6) } STATUS current DESCRIPTION "Specifies the encryption algorithm to propose for the IKE association." ::= { ipSecIkeProposalEntry 4 } ipSecIkeProposalHashAlgorithm OBJECT-TYPE SYNTAX INTEGER { md5(1), sha-1(2), tiger(3) } STATUS current DESCRIPTION "Specifies the hash algorithm to propose for the IKE association." ::= { ipSecIkeProposalEntry 5 } ipSecIkeProposalAuthenticationMethod OBJECT-TYPE SYNTAX INTEGER { presharedKey(1), dssSignatures(2), rsaSignatures(3), rsaEncryption(4), revisedRsaEncryption(5), kerberos(6) } STATUS current DESCRIPTION "Specifies the authentication method to propose for the IKE association." ::= { ipSecIkeProposalEntry 6 } ipSecIkeProposalPrfAlgorithm OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the Pseudo-Random Function (PRF) to propose for the IKE association." ::= { ipSecIkeProposalEntry 7 } ipSecIkeProposalIkeDhGroup OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the Diffie-Hellman group to propose for the IKE association. The value of this property is to be ignored when doing aggressive mode." ::= { ipSecIkeProposalEntry 8 } ipSecIkeProposalVendorId OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Further qualifies the key exchange group. The property is ignored unless the exchange is not in aggressive mode and the property GroupID is in the vendor-specific range." 
::= { ipSecIkeProposalEntry 9 } -- -- -- The ipSecIkePeerEndpointTable -- ipSecIkePeerEndpointTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecIkePeerEndpointEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IKE peer endpoints." ::= { ipSecIkeAssociation 6 } ipSecIkePeerEndpointEntry OBJECT-TYPE SYNTAX IpSecIkePeerEndpointEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecIkePeerEndpointPrid } UNIQUENESS { ipSecIkePeerEndpointIdentityType, ipSecIkePeerEndpointIdentityValue, ipSecIkePeerEndpointAddressType, ipSecIkePeerEndpointAddress, ipSecIkePeerEndpointCredentialSetId } ::= { ipSecIkePeerEndpointTable 1 } IpSecIkePeerEndpointEntry ::= SEQUENCE { ipSecIkePeerEndpointPrid InstanceId, ipSecIkePeerEndpointIdentityType INTEGER, ipSecIkePeerEndpointIdentityValue OCTET STRING, ipSecIkePeerEndpointAddressType INTEGER, ipSecIkePeerEndpointAddress OCTET STRING, ipSecIkePeerEndpointCredentialSetId TagReferenceId } ipSecIkePeerEndpointPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecIkePeerEndpointEntry 1 } ipSecIkePeerEndpointIdentityType OBJECT-TYPE SYNTAX INTEGER { ipV4-Address(1), fqdn(2), user-Fqdn(3), ipV4-Subnet(4), ipV6-Address(5), ipV6-Subnet(6), ipV4-Address-Range(7), ipV6-Address-Range(8), der-Asn1-DN(9), der-Asn1-GN(10), key-Id(11) } STATUS current DESCRIPTION "Specifies the type of identity that MUST be provided by the peer in the ID payload during IKE phase one negotiation." ::= { ipSecIkePeerEndpointEntry 2 } ipSecIkePeerEndpointIdentityValue OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies the value to be matched with the ID payload provided by the peer during IKE phase one negotiation. 
Different wildcard mechanisms can be used as well as the prefix notation for IPv4 addresses depending on the ID payload: - an IdentityValue of '*@company.com' will match a user FQDN ID payload of 'JDOE@COMPANY.COM' - an IdentityValue of '*.company.com' will match a FQDN ID payload of 'WWW.COMPANY.COM' - an IdentityValue of 'cn=*,ou=engineering,o=company,c=us' will match a DER DN ID payload of 'cn=John Doe, ou=engineering, o=company, c=us' - an IdentityValue of '193.190.125.0/24' will match an IPv4 address ID payload of 193.190.125.10. - an IdentityValue of '193.190.125.*' will also match an IPv4 address ID payload of 193.190.125.10. The above wildcard mechanisms MUST be supported for all ID payloads supported by the local IKE entity. The character '*' replaces 0 or multiple instances of any character." ::= { ipSecIkePeerEndpointEntry 3 } ipSecIkePeerEndpointAddressType OBJECT-TYPE SYNTAX INTEGER { ipV4(1), ipV6(2) } STATUS current DESCRIPTION "Specifies IKE peer endpoint address type. This attribute MUST be ignored if ipSecIkeRuleAutoStart is false." ::= { ipSecIkePeerEndpointEntry 4 } ipSecIkePeerEndpointAddress OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies an endpoint address with which this PEP establishes IKE association. This attribute is used only when the IKE association is to be started automatically. Hence, this attribute MUST be ignored if ipSecIkeRuleAutoStart is false." ::= { ipSecIkePeerEndpointEntry 5 } ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecCredentialSetSetId } STATUS current DESCRIPTION "Identifies a set of credentials. Any one of the credentials in the set is acceptable as the IKE peer credential." ::= { ipSecIkePeerEndpointEntry 6 } -- -- -- The ipSecCredentialSetTable -- ipSecCredentialSetTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecCredentialSetEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies credential sets. 
For IKE peer credentials, any one of the credentials in the set is acceptable as peer credential during IKE phase 1 negotiation. For IKE local credentials, any one of the credentials in the set can be used in IKE phase 1 negotiation." ::= { ipSecCredential 1 } ipSecCredentialSetEntry OBJECT-TYPE SYNTAX IpSecCredentialSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecCredentialSetPrid } UNIQUENESS { ipSecCredentialSetPrid, ipSecCredentialSetSetId, ipSecCredentialSetCredentialId } ::= { ipSecCredentialSetTable 1 } IpSecCredentialSetEntry ::= SEQUENCE { ipSecCredentialSetPrid InstanceId, ipSecCredentialSetSetId TagId, ipSecCredentialSetCredentialId ReferenceId } ipSecCredentialSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecCredentialSetEntry 1 } ipSecCredentialSetSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "A credential set is composed of one or more credentials. Each credential belonging to the same set has the same CredentialSetId." ::= { ipSecCredentialSetEntry 2 } ipSecCredentialSetCredentialId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecCredentialEntry } STATUS current DESCRIPTION "A pointer to a valid instance in the ipSecCredentialTable." ::= { ipSecCredentialSetEntry 3 } -- -- -- The ipSecCredentialTable -- ipSecCredentialTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecCredentialEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies credentials." 
::= { ipSecCredential 2 } ipSecCredentialEntry OBJECT-TYPE SYNTAX IpSecCredentialEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecCredentialPrid } UNIQUENESS { ipSecCredentialCredentialType, ipSecCredentialFieldsId, ipSecCredentialCrlDistributionPoint } ::= { ipSecCredentialTable 1 } IpSecCredentialEntry ::= SEQUENCE { ipSecCredentialPrid InstanceId, ipSecCredentialCredentialType INTEGER, ipSecCredentialFieldsId TagReferenceId, ipSecCredentialCrlDistributionPoint OCTET STRING } ipSecCredentialPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecCredentialEntry 1 } ipSecCredentialCredentialType OBJECT-TYPE SYNTAX INTEGER { certificateX509(1), kerberos-ticket(2) } STATUS current DESCRIPTION "Specifies the type of credential to be matched." ::= { ipSecCredentialEntry 2 } ipSecCredentialFieldsId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecCredentialFieldsSetId } STATUS current DESCRIPTION "Identifies a group of matching criteria to be used for the peer credential. The identified criteria MUST all be satisfied." ::= { ipSecCredentialEntry 3 } ipSecCredentialCrlDistributionPoint OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "When credential type is certificate X509, this attribute identifies the Certificate Revocation List (CRL) distribution point for this credential." ::= { ipSecCredentialEntry 4 } -- -- -- The ipSecCredentialFieldsTable -- ipSecCredentialFieldsTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies sets of credential sub-fields and their values to be matched against. 
" ::= { ipSecCredential 3 } ipSecCredentialFieldsEntry OBJECT-TYPE SYNTAX IpSecCredentialFieldsEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecCredentialFieldsPrid } UNIQUENESS { ipSecCredentialFieldsName, ipSecCredentialFieldsValue, ipSecCredentialFieldsSetId } ::= { ipSecCredentialFieldsTable 1 } IpSecCredentialFieldsEntry ::= SEQUENCE { ipSecCredentialFieldsPrid InstanceId, ipSecCredentialFieldsName OCTET STRING, ipSecCredentialFieldsValue OCTET STRING, ipSecCredentialFieldsSetId TagId } ipSecCredentialFieldsPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecCredentialFieldsEntry 1 } ipSecCredentialFieldsName OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies the sub-field of the credential to match with. This is the string representation of a X.509 certificate attribute, e.g.: 'serialNumber', 'issuerName', 'subjectName', etc.." ::= { ipSecCredentialFieldsEntry 2 } ipSecCredentialFieldsValue OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies the value to match with for the sub-field identified by ipSecCredentialFieldsName. A wildcard mechanism can be used in the Value string. E.g., if the Name is 'subjectName' then a Value of 'cn=*,ou=engineering,o=foo,c=be' will match successfully a certificate whose subject attribute is 'cn=Jane Doe, ou=engineering, o=foo, c=be'. The wildcard character '*' can be used to represent 0 or several characters." ::= { ipSecCredentialFieldsEntry 3 } ipSecCredentialFieldsSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "Specifies the set this criteria belongs to. All criteria within a set MUST all be satisfied." ::= { ipSecCredentialFieldsEntry 4 } -- -- -- The ipSecSelectorSetTable -- ipSecSelectorSetTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecSelectorSetEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPsec selector sets." 
::= { ipSecSelector 1 } ipSecSelectorSetEntry OBJECT-TYPE SYNTAX IpSecSelectorSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecSelectorSetPrid } UNIQUENESS { ipSecSelectorSetSelectorSetId, ipSecSelectorSetSelectorId, ipSecSelectorSetOrder } ::= { ipSecSelectorSetTable 1 } IpSecSelectorSetEntry ::= SEQUENCE { ipSecSelectorSetPrid InstanceId, ipSecSelectorSetSelectorSetId TagId, ipSecSelectorSetSelectorId Prid, ipSecSelectorSetOrder Unsigned16 } ipSecSelectorSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecSelectorSetEntry 1 } ipSecSelectorSetSelectorSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An IPsec selector set is composed of one or more IPsec selectors. Each selector belonging to the same set has the same SelectorSetId." ::= { ipSecSelectorSetEntry 2 } ipSecSelectorSetSelectorId OBJECT-TYPE SYNTAX Prid STATUS current DESCRIPTION "A pointer to a valid instance in another table that describes selectors. To use selectors defined in this IPsec PIB module, this attribute MUST point to an instance in ipSecSelectorTable. This attribute may also point to an instance in a selector or filter table defined in other PIB modules." ::= { ipSecSelectorSetEntry 3 } ipSecSelectorSetOrder OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "An integer that specifies the precedence order of the selectors identified by ipSecSelectorId within a selector set. The selector set is identified by ipSecSelectorSetId. A smaller integer value indicates a higher preference. All selectors constructed from the instance pointed by ipSecSelectorId have the same order." ::= { ipSecSelectorSetEntry 4 } -- -- -- The ipSecSelectorTable -- ipSecSelectorTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecSelectorEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPsec selectors. Each row in the selector table represents multiple selectors. 
These selectors are obtained as follows: 1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP addresses from the ipSecAddressTable whose ipSecAddressGroupId matches the ipSecSelectorSrcAddressGroupId. 2. Substitute the ipSecSelectorDstAddressGroupId with all the IP addresses from the ipSecAddressTable whose ipSecAddressGroupId matches the ipSecSelectorDstAddressGroupId. 3. Substitute the ipSecSelectorSrcPortGroupId with all the ports or ranges of ports whose ipSecL4PortGroupId matches the ipSecSelectorSrcPortGroupId. 4. Substitute the ipSecSelectorDstPortGroupId with all the ports or ranges of ports whose ipSecL4PortGroupId matches the ipSecSelectorDstPortGroupId. 5. Construct all the possible combinations of the above four fields. Then add to the combinations the ipSecSelectorProtocol, ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form the list of selectors. The relative order of the selectors constructed from a single row is unspecified. " ::= { ipSecSelector 2 } ipSecSelectorEntry OBJECT-TYPE SYNTAX IpSecSelectorEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecSelectorPrid } UNIQUENESS { ipSecSelectorSrcAddressGroupId, ipSecSelectorSrcPortGroupId, ipSecSelectorDstAddressGroupId, ipSecSelectorDstPortGroupId, ipSecSelectorProtocol, ipSecSelectorDscp, ipSecSelectorFlowLabel } ::= { ipSecSelectorTable 1 } IpSecSelectorEntry ::= SEQUENCE { ipSecSelectorPrid InstanceId, ipSecSelectorSrcAddressGroupId TagReferenceId, ipSecSelectorSrcPortGroupId TagReferenceId, ipSecSelectorDstAddressGroupId TagReferenceId, ipSecSelectorDstPortGroupId TagReferenceId, ipSecSelectorProtocol INTEGER, ipSecSelectorDscp INTEGER, ipSecSelectorFlowLabel OCTET STRING } ipSecSelectorPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." 
::= { ipSecSelectorEntry 1 } ipSecSelectorSrcAddressGroupId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecAddressGroupId } STATUS current DESCRIPTION "Indicates source addresses. All addresses in ipSecAddressTable whose ipSecAddressGroupId matches this value are included as source addresses. A value of zero indicates wildcard address, i.e., any address matches." ::= { ipSecSelectorEntry 2 } ipSecSelectorSrcPortGroupId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecL4PortGroupId } STATUS current DESCRIPTION "Indicates source layer 4 port numbers. All ports in ipSecL4Port whose ipSecL4PortGroupId matches this value are included. A value of zero indicates wildcard port, i.e., any port number matches." ::= { ipSecSelectorEntry 3 } ipSecSelectorDstAddressGroupId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecAddressGroupId } STATUS current DESCRIPTION "Indicates destination addresses. All addresses in ipSecAddressTable whose ipSecAddressGroupId matches this value are included as destination addresses. A value of zero indicates wildcard address, i.e., any address matches." ::= { ipSecSelectorEntry 4 } ipSecSelectorDstPortGroupId OBJECT-TYPE SYNTAX TagReferenceId PIB-TAG { ipSecL4PortGroupId } STATUS current DESCRIPTION "Indicates destination layer 4 port numbers. All ports in ipSecL4Port whose ipSecL4PortGroupId matches this value are included. A value of zero indicates wildcard port, i.e., any port number matches." ::= { ipSecSelectorEntry 5 } ipSecSelectorProtocol OBJECT-TYPE SYNTAX INTEGER (0..255) STATUS current DESCRIPTION "Specifies IP protocol to match against a packet's protocol. A value of zero indicates wildcard protocol, i.e., any protocol matches." ::= { ipSecSelectorEntry 6 } ipSecSelectorDscp OBJECT-TYPE SYNTAX INTEGER (-1..63) STATUS current DESCRIPTION "Specifies the DSCP value to match against the DSCP in a packet header. A value of -1 indicates match all." 
::= { ipSecSelectorEntry 7 } ipSecSelectorFlowLabel OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies the Flow Label to match against the Flow Label field in the IPv6 header of a packet. This attribute MUST be a zero length OCTET STRING when specifying selectors for IPv4 packets." ::= { ipSecSelectorEntry 8 } -- -- -- The ipSecAddressTable -- ipSecAddressTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecAddressEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IP addresses. To specify a single IP address, ipSecAddressAddrMin MUST be specified. To specify a range of addresses, both ipSecAddressAddrMin and ipSecAddressAddrMax MUST be specified. To specify a subnet, both ipSecAddressAddrMin and ipSecAddressAddrMask MUST be specified. " ::= { ipSecSelector 3 } ipSecAddressEntry OBJECT-TYPE SYNTAX IpSecAddressEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecAddressPrid } UNIQUENESS { ipSecAddressAddressType, ipSecAddressAddrMask, ipSecAddressAddrMin, ipSecAddressAddrMax, ipSecAddressGroupId } ::= { ipSecAddressTable 1 } IpSecAddressEntry ::= SEQUENCE { ipSecAddressPrid InstanceId, ipSecAddressAddressType INTEGER, ipSecAddressAddrMask OCTET STRING, ipSecAddressAddrMin OCTET STRING, ipSecAddressAddrMax OCTET STRING, ipSecAddressGroupId TagId } ipSecAddressPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecAddressEntry 1 } ipSecAddressAddressType OBJECT-TYPE SYNTAX INTEGER { ipV4-Address(1), fqdn(2), user-Fqdn(3), ipV4-Subnet(4), ipV6-Address(5), ipV6-Subnet(6), ipV4-Address-Range(7), ipV6-Address-Range(8), der-Asn1-DN(9), der-Asn1-GN(10), key-Id(11) } STATUS current DESCRIPTION "Specifies the address type. " ::= { ipSecAddressEntry 2 } ipSecAddressAddrMask OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "A mask for the matching of the IP address. 
A zero bit in the mask means that the corresponding bit in the address always matches. This attribute MUST be ignored when ipSecAddressAddressType is not of IPv4 or IPv6 type." ::= { ipSecAddressEntry 3 } ipSecAddressAddrMin OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Specifies an IP address. " ::= { ipSecAddressEntry 4 } ipSecAddressAddrMax OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "If a range of addresses is used then this specifies the ending address. The type of this address must be the same as the ipSecAddressAddrMin. If no range is specified then this attribute MUST be a zero length OCTET STRING." ::= { ipSecAddressEntry 5 } ipSecAddressGroupId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "Specifies the group this IP address, address range or subnet address belongs to." ::= { ipSecAddressEntry 6 } -- -- -- The ipSecL4PortTable -- ipSecL4PortTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecL4PortEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies layer four port numbers." ::= { ipSecSelector 4 } ipSecL4PortEntry OBJECT-TYPE SYNTAX IpSecL4PortEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecL4PortPrid } UNIQUENESS { ipSecL4PortPortMin, ipSecL4PortPortMax, ipSecL4PortGroupId } ::= { ipSecL4PortTable 1 } IpSecL4PortEntry ::= SEQUENCE { ipSecL4PortPrid InstanceId, ipSecL4PortPortMin Unsigned16, ipSecL4PortPortMax Unsigned16, ipSecL4PortGroupId TagId } ipSecL4PortPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecL4PortEntry 1 } ipSecL4PortPortMin OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies a layer 4 port or the first layer 4 port number of a range of ports. The value of this attribute must be equal or less than that of ipSecL4PortPortMax. A value of zero indicates any port matches." 
::= { ipSecL4PortEntry 2 } ipSecL4PortPortMax OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the last layer 4 port in the range. If only a single port is specified, the value of this attribute must be equal to that of ipSecL4PortPortMin. Otherwise, the value of this attribute MUST be greater than that specified by ipSecL4PortPortMin. If ipSecL4PortPortMin is zero, this attribute MUST be ignored." ::= { ipSecL4PortEntry 3 } ipSecL4PortGroupId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "Specifies the group this port or port range belongs to." ::= { ipSecL4PortEntry 4 } -- -- -- The ipSecIpsoFilterSetTable -- ipSecIpsoFilterSetTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPSO filter sets." ::= { ipSecSelector 5 } ipSecIpsoFilterSetEntry OBJECT-TYPE SYNTAX IpSecIpsoFilterSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecIpsoFilterSetPrid } UNIQUENESS { ipSecIpsoFilterSetFilterSetId, ipSecIpsoFilterSetFilterId, ipSecIpsoFilterSetOrder } ::= { ipSecIpsoFilterSetTable 1 } IpSecIpsoFilterSetEntry ::= SEQUENCE { ipSecIpsoFilterSetPrid InstanceId, ipSecIpsoFilterSetFilterSetId TagId, ipSecIpsoFilterSetFilterId ReferenceId, ipSecIpsoFilterSetOrder Unsigned16 } ipSecIpsoFilterSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecIpsoFilterSetEntry 1 } ipSecIpsoFilterSetFilterSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An IPSO filter set is composed of one or more IPSO filters. Each filter belonging to the same set has the same FilterSetId." ::= { ipSecIpsoFilterSetEntry 2 } ipSecIpsoFilterSetFilterId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecIpsoFilterEntry } STATUS current DESCRIPTION "A pointer to a valid instance in the ipSecIpsoFilterTable." 
::= { ipSecIpsoFilterSetEntry 3 } ipSecIpsoFilterSetOrder OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "An integer that specifies the precedence order of the filter identified by ipSecIpsoFilterSetFilterId within a filter set. The filter set is identified by ipSecIpsoFilterSetFilterSetId. A smaller integer value indicates a higher preference." ::= { ipSecIpsoFilterSetEntry 4 } -- -- -- The ipSecIpsoFilterTable -- ipSecIpsoFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecIpsoFilterEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPSO filters." ::= { ipSecSelector 6 } ipSecIpsoFilterEntry OBJECT-TYPE SYNTAX IpSecIpsoFilterEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecIpsoFilterPrid } UNIQUENESS { ipSecIpsoFilterMatchConditionType, ipSecIpsoFilterClassificationLevel, ipSecIpsoFilterProtectionAuthority } ::= { ipSecIpsoFilterTable 1 } IpSecIpsoFilterEntry ::= SEQUENCE { ipSecIpsoFilterPrid InstanceId, ipSecIpsoFilterMatchConditionType INTEGER, ipSecIpsoFilterClassificationLevel INTEGER, ipSecIpsoFilterProtectionAuthority INTEGER } ipSecIpsoFilterPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecIpsoFilterEntry 1 } ipSecIpsoFilterMatchConditionType OBJECT-TYPE SYNTAX INTEGER { classificationLevel(1), protectionAuthority(2) } STATUS current DESCRIPTION "Specifies the IPSO header field to be matched." ::= { ipSecIpsoFilterEntry 2 } ipSecIpsoFilterClassificationLevel OBJECT-TYPE SYNTAX INTEGER { topSecret(61), secret(90), confidential(150), unclassified(171) } STATUS current DESCRIPTION "Specifies the value for classification level to be matched against. This attribute MUST be ignored if ipSecIpsoFilterMatchConditionType is not 1 (classificationLevel)." 
::= { ipSecIpsoFilterEntry 3 } ipSecIpsoFilterProtectionAuthority OBJECT-TYPE SYNTAX INTEGER { genser(0), siop-esi(1), sci(2), nsa(3), doe(4) } STATUS current DESCRIPTION "Specifies the value for protection authority to be matched against. This attribute MUST be ignored if ipSecIpsoFilterMatchConditionType is not 2 (protectionAuthority). " ::= { ipSecIpsoFilterEntry 4 } -- -- -- The ipSecRuleTimePeriodTable -- ipSecRuleTimePeriodTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies the time periods during which a policy rule is valid. The values of the first five attributes in a row are ANDed together to determine the validity period(s). If any of the five attributes is not present, it is treated as having value always enabled. " ::= { ipSecPolicyTimePeriod 1 } ipSecRuleTimePeriodEntry OBJECT-TYPE SYNTAX IpSecRuleTimePeriodEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecRuleTimePeriodPrid } UNIQUENESS { ipSecRuleTimePeriodTimePeriod, ipSecRuleTimePeriodMonthOfYearMask, ipSecRuleTimePeriodDayOfMonthMask, ipSecRuleTimePeriodDayOfWeekMask, ipSecRuleTimePeriodTimeOfDayMask, ipSecRuleTimePeriodLocalOrUtcTime } ::= { ipSecRuleTimePeriodTable 1 } IpSecRuleTimePeriodEntry ::= SEQUENCE { ipSecRuleTimePeriodPrid InstanceId, ipSecRuleTimePeriodTimePeriod OCTET STRING, ipSecRuleTimePeriodMonthOfYearMask OCTET STRING, ipSecRuleTimePeriodDayOfMonthMask OCTET STRING, ipSecRuleTimePeriodDayOfWeekMask OCTET STRING, ipSecRuleTimePeriodTimeOfDayMask OCTET STRING, ipSecRuleTimePeriodLocalOrUtcTime INTEGER } ipSecRuleTimePeriodPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index to uniquely identify an instance of this class" ::= { ipSecRuleTimePeriodEntry 1 } ipSecRuleTimePeriodTimePeriod OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "An octet string that identifies an overall range of calendar dates and times over which a policy rule is 
valid. It reuses the format for an explicit time period defined in RFC 2445 : a string representing a starting date and time, in which the character 'T' indicates the beginning of the time portion, followed by the solidus character '/', followed by a similar string representing an end date and time. The first date indicates the beginning of the range, while the second date indicates the end. Thus, the second date and time must be later than the first. Date/times are expressed as substrings of the form yyyymmddThhmmss. There are also two special cases: - If the first date/time is replaced with the string THISANDPRIOR, then the property indicates that a policy rule is valid [from now] until the date/time that appears after the '/'. - If the second date/time is replaced with the string THISANDFUTURE, then the property indicates that a policy rule becomes valid on the date/time that appears before the '/', and remains valid from that point on. " ::= { ipSecRuleTimePeriodEntry 2 } ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "An octet string that specifies which months the policy is valid for. The octet string is structured as follows: - a 4-octet length field, indicating the length of the entire octet string; this field is always set to 0x00000006 for this property; - a 2-octet field consisting of 12 bits identifying the 12 months of the year, beginning with January and ending with December, followed by 4 bits that are always set to '0'. For each month, the value '1' indicates that the policy is valid for that month, and the value '0' indicates that it is not valid. If this property is omitted, then the policy rule is treated as valid for all twelve months." ::= { ipSecRuleTimePeriodEntry 3 } ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "An octet string that specifies which days of the month the policy is valid for. 
The octet string is structured as follows: -a 4-octet length field, indicating the length of the entire octet string; this field is always set to 0x0000000C for this property; -an 8-octet field consisting of 31 bits identifying the days of the month counting from the beginning, followed by 31 more bits identifying the days of the month counting from the end, followed by 2 bits that are always set to '0'. For each day, the value '1' indicates that the policy is valid for that day, and the value '0' indicates that it is not valid. For months with fewer than 31 days, the digits corresponding to days that the months do not have (counting in both directions) are ignored. " ::= { ipSecRuleTimePeriodEntry 4 } ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "An octet string that specifies which days of the week the policy is valid for. The octet string is structured as follows: - a 4-octet length field, indicating the length of the entire octet string; this field is always set to 0x00000005 for this property; - a 1-octet field consisting of 7 bits identifying the 7 days of the week, beginning with Sunday and ending with Saturday, followed by 1 bit that is always set to '0'. For each day of the week, the value '1' indicates that the policy is valid for that day, and the value '0' indicates that it is not valid. " ::= { ipSecRuleTimePeriodEntry 5 } ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "An octet string that specifies a range of times in a day the policy is valid for. It is formatted as follows: A time string beginning with the character 'T', followed by the solidus character '/', followed by a second time string. The first time indicates the beginning of the range, while the second time indicates the end. Times are expressed as substrings of the form Thhmmss. The second substring always identifies a later time than the first substring. 
To allow for ranges that span midnight, however, the value of the second string may be smaller than the value of the first substring. Thus, T080000/T210000 identifies the range from 0800 until 2100, while T210000/T080000 identifies the range from 2100 until 0800 of the following day." ::= { ipSecRuleTimePeriodEntry 6 } ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE SYNTAX INTEGER { localTime(1), utcTime(2) } STATUS current DESCRIPTION "This property indicates whether the times represented in this table represent local times or UTC times. There is no provision for mixing of local times and UTC times: the value of this property applies to all of the other time-related properties." ::= { ipSecRuleTimePeriodEntry 7 } -- -- -- The ipSecRuleTimePeriodSetTable -- ipSecRuleTimePeriodSetTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies time period sets. The ipSecRuleTimePeriodTable can specify only a single time period within a day. This table enables the specification of multiple time periods within a day by grouping them into one set. " ::= { ipSecPolicyTimePeriod 2 } ipSecRuleTimePeriodSetEntry OBJECT-TYPE SYNTAX IpSecRuleTimePeriodSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecRuleTimePeriodSetPrid } UNIQUENESS { ipSecRuleTimePeriodSetRuleTimePeriodSetId, ipSecRuleTimePeriodSetRuleTimePeriodId } ::= { ipSecRuleTimePeriodSetTable 1 } IpSecRuleTimePeriodSetEntry ::= SEQUENCE { ipSecRuleTimePeriodSetPrid InstanceId, ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId, ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId } ipSecRuleTimePeriodSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index to uniquely identify an instance of this class" ::= { ipSecRuleTimePeriodSetEntry 1 } ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An integer that uniquely identifies an ipSecRuleTimePeriod set. 
" ::= { ipSecRuleTimePeriodSetEntry 2 } ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecRuleTimePeriodEntry } STATUS current DESCRIPTION "An integer that identifies an ipSecRuleTimePeriod, specified by ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is included in this set." ::= { ipSecRuleTimePeriodSetEntry 3 } -- -- -- The ipSecIfCapsTable -- ipSecIfCapsTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecIfCapsEntry PIB-ACCESS notify STATUS current DESCRIPTION "Specifies capabilities that may be associated with an interface of a specific type. The instances of this table are referenced by the frwkIfCapSetCapability attribute of the frwkIfCapSetTable [FR- PIB]." ::= { ipSecIfCapability 1 } ipSecIfCapsEntry OBJECT-TYPE SYNTAX IpSecIfCapsEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecIfCapsPrid } UNIQUENESS { ipSecIfCapsDirection, ipSecIfCapsMaxIpSecActions, ipSecIfCapsMaxIkeActions } ::= { ipSecIfCapsTable 1 } IpSecIfCapsEntry ::= SEQUENCE { ipSecIfCapsPrid InstanceId, ipSecIfCapsDirection INTEGER, ipSecIfCapsMaxIpSecActions Unsigned16, ipSecIfCapsMaxIkeActions Unsigned16 } ipSecIfCapsPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecIfCapsEntry 1 } ipSecIfCapsDirection OBJECT-TYPE SYNTAX INTEGER { in(1), out(2), bi-directional(3) } STATUS current DESCRIPTION "Specifies the direction for which this capability applies." ::= { ipSecIfCapsEntry 2 } ipSecIfCapsMaxIpSecActions OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the maximum number of actions an IPsec action set may contain. IPsec action sets are specified by the ipSecActionSetTable. A value of zero indicates that there is no maximum limit." 
::= { ipSecIfCapsEntry 3 } ipSecIfCapsMaxIkeActions OBJECT-TYPE SYNTAX Unsigned16 STATUS current DESCRIPTION "Specifies the maximum number of actions an IKE action set may contain. IKE action sets are specified by the ipSecIkeActionSetTable. A value of zero indicates that there is no maximum limit." ::= { ipSecIfCapsEntry 4 } -- -- -- Conformance Section -- ipSecPolicyPibConformanceCompliances OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 } ipSecPolicyPibConformanceGroups OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 } ipSecPibCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION " Compliance statement" MODULE -- this module MANDATORY-GROUPS { ipSecRuleGroup, ipSecActionSetGroup, ipSecStaticActionGroup, ipSecNegotiationActionGroup, ipSecAssociationGroup, ipSecProposalSetGroup, ipSecProposalGroup, ipSecAhTransformSetGroup, ipSecAhTransformGroup, ipSecEspTransformSetGroup, ipSecEspTransformGroup, ipSecCompTransformSetGroup, ipSecCompTransformGroup, ipSecIkeAssociationGroup, ipSecIkeProposalSetGroup, ipSecIkeProposalGroup, ipSecIkePeerEndpointGroup, ipSecCredentialSetGroup, ipSecCredentialGroup, ipSecCredentialFieldsGroup, ipSecSelectorSetGroup, ipSecSelectorGroup, ipSecAddressGroup, ipSecL4PortGroup, ipSecIfCapsGroup } GROUP ipSecIkeRuleGroup DESCRIPTION "This group is mandatory if any of the following is supported: 1) multiple IKE phase one actions (e.g., with different exchange modes) are associated with an IPsec rule. These actions are to be tried in sequence till one success; 2) IKE phase one actions that start automatically." GROUP ipSecIkeActionSetGroup DESCRIPTION "This group is mandatory if any of the following is supported: 1) multiple IKE phase one actions (e.g., with different exchange modes) are associated with an IPsec rule. These actions are to be tried in sequence till one success; 2) IKE phase one actions that start automatically." GROUP ipSecIpsoFilterSetGroup DESCRIPTION "This group is mandatory if IPSO filter is supported." 
GROUP ipSecIpsoFilterGroup
    DESCRIPTION "This group is mandatory if IPSO filter is supported."
-- The clauses up to the first OBJECT-GROUP are the tail of a
-- MODULE-COMPLIANCE statement that opens earlier in the file; its name and
-- any unconditionally mandatory groups are not shown in this part.
GROUP ipSecRuleTimePeriodGroup
    DESCRIPTION "This group is mandatory if policy scheduling is supported."
GROUP ipSecRuleTimePeriodSetGroup
    DESCRIPTION "This group is mandatory if policy scheduling is supported."

-- Attributes a compliant implementation may leave unsupported
-- (PIB-MIN-ACCESS not-accessible).
OBJECT ipSecRuleipSecIpsoFilterSetId PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecRuleLimitNegotiation PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecRuleAutoStart PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecRuleIpSecRuleTimePeriodGroupId PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
-- Action and packet logging are optional to implement, so a policy that sets
-- them may not yield audit records on every compliant device.
OBJECT ipSecActionSetDoActionLogging PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecActionSetDoPacketLogging PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecAssociationMinLifetimeSeconds PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecAssociationMinLifetimeKilobytes PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecAssociationIdleDurationSeconds PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecAssociationVendorId PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecAssociationUseKeyExchangeGroup PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecAssociationGranularity PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
-- Replay-prevention attributes are optional to implement for AH here and for
-- ESP further down. NOTE(review): a policy server should presumably confirm
-- what a device accepts before assuming anti-replay settings took effect.
OBJECT ipSecAhTransformUseReplayPrevention PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecAhTransformReplayPreventionWindowSize PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute 
is optional"
OBJECT ipSecAhTransformVendorId PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecEspTransformCipherKeyRounds PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecEspTransformCipherKeyLength PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecEspTransformUseReplayPrevention PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecEspTransformReplayPreventionWindowSize PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecEspTransformVendorId PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecCompTransformDictionarySize PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecCompTransformPrivateAlgorithm PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecCompTransformVendorId PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
-- The spelling Liftetime (sic) is repeated in ipSecIkeAssociationGroup; it has
-- to match the object definition elsewhere in the module, so it must not be
-- corrected in one place only.
OBJECT ipSecIkeAssociationMinLiftetimeSeconds PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecIkeAssociationMinLifetimeKilobytes PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecIkeAssociationIdleDurationSeconds PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
-- NOTE(review): by its name this attribute carries an IKE pre-shared secret;
-- confirm in the object definition and treat installed instance data as
-- sensitive (protected transport, no plain-text logging of decoded values).
OBJECT ipSecIkeAssociationPresharedKey PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecIkeAssociationVendorId PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecIkeAssociationAggressiveModeGroupId PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecIkeAssociationLocalCredentialId PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is 
optional"
OBJECT ipSecIkeAssociationDoActionLogging PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecIkeProposalPrfAlgorithm PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecIkeProposalVendorId PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecIkePeerEndpointAddressType PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecIkePeerEndpointAddress PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"
OBJECT ipSecIfCapsMaxIkeActions PIB-MIN-ACCESS not-accessible
    DESCRIPTION " Support of this attribute is optional"

-- Refined SYNTAX clauses: only the enumerations listed here must be
-- supported; the DESCRIPTION names the value that may be left out.
OBJECT ipSecRuleActionExecutionStrategy
    SYNTAX INTEGER { doAll(1) }
    DESCRIPTION " Support of doUntilSuccess(2) is not required"
OBJECT ipSecStaticActionAction
    SYNTAX INTEGER { byPass(1), discard(2), preConfiguredTransport(4), preConfiguredTunnel(5) }
    DESCRIPTION " Support of ikeRejection(3) is not required"
::= { ipSecPolicyPibConformanceCompliances 1 }

--
-- Conformance groups: one OBJECT-GROUP per PIB table, registered under
-- ipSecPolicyPibConformanceGroups with sub-identifiers 1 through 31.
--

-- ipSecRuleipSecIpsoFilterSetId keeps the lower-case ip used in the
-- compliance statement above; the spelling must match the object definition.
ipSecRuleGroup OBJECT-GROUP
    OBJECTS {
        ipSecRuleIfName,
        ipSecRuleRoles,
        ipSecRuleDirection,
        ipSecRuleIpSecSelectorSetId,
        ipSecRuleipSecIpsoFilterSetId,
        ipSecRuleIpSecActionSetId,
        ipSecRuleActionExecutionStrategy,
        ipSecRuleOrder,
        ipSecRuleLimitNegotiation,
        ipSecRuleAutoStart,
        ipSecRuleIpSecRuleTimePeriodGroupId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecRuleTable."
    ::= { ipSecPolicyPibConformanceGroups 1 }

-- Both logging attributes in this group are optional per the compliance
-- statement; do not rely on them as the only audit source.
ipSecActionSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecActionSetActionSetId,
        ipSecActionSetActionId,
        ipSecActionSetDoActionLogging,
        ipSecActionSetDoPacketLogging,
        ipSecActionSetOrder
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecActionSetTable."
    ::= { ipSecPolicyPibConformanceGroups 2 }

-- NOTE(review): ipSecStaticActionSpi and ipSecStaticActionSaTransformId
-- presumably describe the pre-configured SAs selected by
-- preConfiguredTransport(4) and preConfiguredTunnel(5); confirm against the
-- table definition.
ipSecStaticActionGroup OBJECT-GROUP
    OBJECTS {
        ipSecStaticActionAction,
        ipSecStaticActionTunnelEndpointId,
        ipSecStaticActionDfHandling,
        ipSecStaticActionSpi,
        ipSecStaticActionLifetimeSeconds,
        ipSecStaticActionLifetimeKilobytes,
        ipSecStaticActionSaTransformId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecStaticActionTable."
    ::= { ipSecPolicyPibConformanceGroups 3 }

ipSecNegotiationActionGroup OBJECT-GROUP
    OBJECTS {
        ipSecNegotiationActionAction,
        ipSecNegotiationActionTunnelEndpointId,
        ipSecNegotiationActionDfHandling,
        ipSecNegotiationActionIpSecSecurityAssociationId,
        ipSecNegotiationActionKeyExchangeId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecNegotiationActionTable."
    ::= { ipSecPolicyPibConformanceGroups 4 }

ipSecAssociationGroup OBJECT-GROUP
    OBJECTS {
        ipSecAssociationMinLifetimeSeconds,
        ipSecAssociationMinLifetimeKilobytes,
        ipSecAssociationIdleDurationSeconds,
        ipSecAssociationUsePfs,
        ipSecAssociationVendorId,
        ipSecAssociationUseKeyExchangeGroup,
        ipSecAssociationDhGroup,
        ipSecAssociationGranularity,
        ipSecAssociationProposalSetId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecAssociationTable."
    ::= { ipSecPolicyPibConformanceGroups 5 }

ipSecProposalSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecProposalSetProposalSetId,
        ipSecProposalSetProposalId,
        ipSecProposalSetOrder
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecProposalSetTable."
    ::= { ipSecPolicyPibConformanceGroups 6 }

ipSecProposalGroup OBJECT-GROUP
    OBJECTS {
        ipSecProposalEspTransformSetId,
        ipSecProposalAhTransformSetId,
        ipSecProposalCompTransformSetId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecProposalTable."
    ::= { ipSecPolicyPibConformanceGroups 7 }

ipSecAhTransformSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecAhTransformSetTransformSetId,
        ipSecAhTransformSetTransformId,
        ipSecAhTransformSetOrder
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecAhTransformSetTable."
    ::= { ipSecPolicyPibConformanceGroups 8 }

-- NOTE(review): ipSecAhTransformIntegrityKey appears by name to hold AH key
-- material; confirm in the object definition and handle instance data as a
-- secret. The two replay-prevention attributes are optional per the
-- compliance statement.
ipSecAhTransformGroup OBJECT-GROUP
    OBJECTS {
        ipSecAhTransformTransformId,
        ipSecAhTransformIntegrityKey,
        ipSecAhTransformUseReplayPrevention,
        ipSecAhTransformReplayPreventionWindowSize,
        ipSecAhTransformVendorId,
        ipSecAhTransformMaxLifetimeSeconds,
        ipSecAhTransformMaxLifetimeKilobytes
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecAhTransformTable."
    ::= { ipSecPolicyPibConformanceGroups 9 }

ipSecEspTransformSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecEspTransformSetTransformSetId,
        ipSecEspTransformSetTransformId,
        ipSecEspTransformSetOrder
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecEspTransformSetTable."
    ::= { ipSecPolicyPibConformanceGroups 10 }

-- NOTE(review): ipSecEspTransformIntegrityKey and ipSecEspTransformCipherKey
-- appear by name to hold ESP key material; confirm in the object definitions
-- and handle instance data as a secret. Key rounds, key length and the two
-- replay-prevention attributes are optional per the compliance statement.
ipSecEspTransformGroup OBJECT-GROUP
    OBJECTS {
        ipSecEspTransformIntegrityTransformId,
        ipSecEspTransformCipherTransformId,
        ipSecEspTransformIntegrityKey,
        ipSecEspTransformCipherKey,
        ipSecEspTransformCipherKeyRounds,
        ipSecEspTransformCipherKeyLength,
        ipSecEspTransformUseReplayPrevention,
        ipSecEspTransformReplayPreventionWindowSize,
        ipSecEspTransformVendorId,
        ipSecEspTransformMaxLifetimeSeconds,
        ipSecEspTransformMaxLifetimeKilobytes
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecEspTransformTable."
    ::= { ipSecPolicyPibConformanceGroups 11 }

ipSecCompTransformSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecCompTransformSetTransformSetId,
        ipSecCompTransformSetTransformId,
        ipSecCompTransformSetOrder
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecCompTransformSetTable."
    ::= { ipSecPolicyPibConformanceGroups 12 }

ipSecCompTransformGroup OBJECT-GROUP
    OBJECTS {
        ipSecCompTransformAlgorithm,
        ipSecCompTransformDictionarySize,
        ipSecCompTransformPrivateAlgorithm,
        ipSecCompTransformVendorId,
        ipSecCompTransformMaxLifetimeSeconds,
        ipSecCompTransformMaxLifetimeKilobytes
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecCompTransformTable."
    ::= { ipSecPolicyPibConformanceGroups 13 }

ipSecIkeRuleGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkeRuleIfName,
        ipSecIkeRuleRoles,
        ipSecIkeRuleIkeActionSetId,
        ipSecIkeRuleActionExecutionStrategy,
        ipSecIkeRuleLimitNegotiation,
        ipSecIkeRuleAutoStart,
        ipSecIkeRuleIpSecRuleTimePeriodGroupId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecIkeRuleTable."
    ::= { ipSecPolicyPibConformanceGroups 14 }

ipSecIkeActionSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkeActionSetActionSetId,
        ipSecIkeActionSetActionId,
        ipSecIkeActionSetOrder
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecIkeActionSetTable."
    ::= { ipSecPolicyPibConformanceGroups 15 }

-- ipSecIkeAssociationMinLiftetimeSeconds keeps the spelling used in the
-- compliance statement above (sic); it must match the object definition.
-- NOTE(review): ipSecIkeAssociationPresharedKey appears by name to carry an
-- IKE pre-shared secret; confirm in the object definition and handle
-- instance data as a secret. ipSecIkeAssociationDoActionLogging is optional
-- per the compliance statement.
ipSecIkeAssociationGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkeAssociationMinLiftetimeSeconds,
        ipSecIkeAssociationMinLifetimeKilobytes,
        ipSecIkeAssociationIdleDurationSeconds,
        ipSecIkeAssociationExchangeMode,
        ipSecIkeAssociationUseIkeIdentityType,
        ipSecIkeAssociationUseIkeIdentityValue,
        ipSecIkeAssociationIkePeerEndpoint,
        ipSecIkeAssociationPresharedKey,
        ipSecIkeAssociationVendorId,
        ipSecIkeAssociationAggressiveModeGroupId,
        ipSecIkeAssociationLocalCredentialId,
        ipSecIkeAssociationDoActionLogging,
        ipSecIkeAssociationIkeProposalSetId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecIkeAssociationTable."
    ::= { ipSecPolicyPibConformanceGroups 16 }

ipSecIkeProposalSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkeProposalSetProposalSetId,
        ipSecIkeProposalSetProposalId,
        ipSecIkeProposalSetOrder
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecIkeProposalSetTable."
    ::= { ipSecPolicyPibConformanceGroups 17 }

-- ipSecIkeProposalPrfAlgorithm and ipSecIkeProposalVendorId are optional per
-- the compliance statement.
ipSecIkeProposalGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkeProposalMaxLifetimeSeconds,
        ipSecIkeProposalMaxLifetimeKilobytes,
        ipSecIkeProposalCipherAlgorithm,
        ipSecIkeProposalHashAlgorithm,
        ipSecIkeProposalAuthenticationMethod,
        ipSecIkeProposalPrfAlgorithm,
        ipSecIkeProposalIkeDhGroup,
        ipSecIkeProposalVendorId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecIkeProposalTable."
    ::= { ipSecPolicyPibConformanceGroups 18 }

-- The address type and address attributes are optional per the compliance
-- statement; the identity attributes are not listed there as optional in
-- the part of the statement shown above.
ipSecIkePeerEndpointGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkePeerEndpointIdentityType,
        ipSecIkePeerEndpointIdentityValue,
        ipSecIkePeerEndpointAddressType,
        ipSecIkePeerEndpointAddress,
        ipSecIkePeerEndpointCredentialSetId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecIkePeerEndpointTable."
    ::= { ipSecPolicyPibConformanceGroups 19 }

ipSecCredentialSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecCredentialSetSetId,
        ipSecCredentialSetCredentialId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecCredentialSetTable."
    ::= { ipSecPolicyPibConformanceGroups 20 }

-- NOTE(review): ipSecCredentialCrlDistributionPoint presumably names where
-- revocation lists are obtained for certificate credentials; confirm in the
-- object definition.
ipSecCredentialGroup OBJECT-GROUP
    OBJECTS {
        ipSecCredentialCredentialType,
        ipSecCredentialFieldsId,
        ipSecCredentialCrlDistributionPoint
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecCredentialTable."
    ::= { ipSecPolicyPibConformanceGroups 21 }

ipSecCredentialFieldsGroup OBJECT-GROUP
    OBJECTS {
        ipSecCredentialFieldsName,
        ipSecCredentialFieldsValue,
        ipSecCredentialFieldsSetId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecCredentialFieldsTable."
    ::= { ipSecPolicyPibConformanceGroups 22 }

ipSecSelectorSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecSelectorSetSelectorSetId,
        ipSecSelectorSetSelectorId,
        ipSecSelectorSetOrder
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecSelectorSetTable."
    ::= { ipSecPolicyPibConformanceGroups 23 }

ipSecSelectorGroup OBJECT-GROUP
    OBJECTS {
        ipSecSelectorSrcAddressGroupId,
        ipSecSelectorSrcPortGroupId,
        ipSecSelectorDstAddressGroupId,
        ipSecSelectorDstPortGroupId,
        ipSecSelectorProtocol,
        ipSecSelectorDscp,
        ipSecSelectorFlowLabel
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecSelectorTable."
    ::= { ipSecPolicyPibConformanceGroups 24 }

ipSecAddressGroup OBJECT-GROUP
    OBJECTS {
        ipSecAddressAddressType,
        ipSecAddressAddrMask,
        ipSecAddressAddrMin,
        ipSecAddressAddrMax,
        ipSecAddressGroupId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecAddressTable."
    ::= { ipSecPolicyPibConformanceGroups 25 }

ipSecL4PortGroup OBJECT-GROUP
    OBJECTS {
        ipSecL4PortPortMin,
        ipSecL4PortPortMax,
        ipSecL4PortGroupId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecL4PortTable."
    ::= { ipSecPolicyPibConformanceGroups 26 }

ipSecIpsoFilterSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecIpsoFilterSetFilterSetId,
        ipSecIpsoFilterSetFilterId,
        ipSecIpsoFilterSetOrder
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecIpsoFilterSetTable."
    ::= { ipSecPolicyPibConformanceGroups 27 }

-- Conditionally mandatory: the compliance statement requires this group only
-- if IPSO filter is supported.
ipSecIpsoFilterGroup OBJECT-GROUP
    OBJECTS {
        ipSecIpsoFilterMatchConditionType,
        ipSecIpsoFilterClassificationLevel,
        ipSecIpsoFilterProtectionAuthority
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecIpsoFilterTable."
    ::= { ipSecPolicyPibConformanceGroups 28 }

-- Conditionally mandatory: required only if policy scheduling is supported.
-- NOTE(review): ipSecRuleTimePeriodLocalOrUtcTime suggests schedules may be
-- evaluated in local or UTC time; confirm the semantics, since clock or
-- time-zone mismatch would shift when a rule is in force.
ipSecRuleTimePeriodGroup OBJECT-GROUP
    OBJECTS {
        ipSecRuleTimePeriodTimePeriod,
        ipSecRuleTimePeriodMonthOfYearMask,
        ipSecRuleTimePeriodDayOfMonthMask,
        ipSecRuleTimePeriodDayOfWeekMask,
        ipSecRuleTimePeriodTimeOfDayMask,
        ipSecRuleTimePeriodLocalOrUtcTime
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecRuleTimePeriodTable."
    ::= { ipSecPolicyPibConformanceGroups 29 }

-- Conditionally mandatory: required only if policy scheduling is supported.
ipSecRuleTimePeriodSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecRuleTimePeriodSetRuleTimePeriodSetId,
        ipSecRuleTimePeriodSetRuleTimePeriodId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecRuleTimePeriodSetTable."
    ::= { ipSecPolicyPibConformanceGroups 30 }

-- ipSecIfCapsMaxIkeActions is optional per the compliance statement.
ipSecIfCapsGroup OBJECT-GROUP
    OBJECTS {
        ipSecIfCapsDirection,
        ipSecIfCapsMaxIpSecActions,
        ipSecIfCapsMaxIkeActions
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecIfCapsTable."
    ::= { ipSecPolicyPibConformanceGroups 31 }

END