JUNIPER-IPSEC-FLOW-MON-MIB: View SNMP OID List / Download MIB

This module defines the object used to monitor the entries pertaining to IPSec objects and the management of the IPSEC VPN functionalities. tables: - IKE tunnel table - IPSec tunnel table - IPSec security associations table. This mib module is based on JNX-IPSEC-MONITOR-MIB. Building on the existing IKE infrastruature, the security IKE implementation integrates the value-added features for the security products

Number of IKE Tunnels (phase-1) actively negotiating between peers. The SA can be in either the up or down state. This attribute should detail the number of IKE tunnels in jnxIkeTunnelMonTable.

The IPsec Phase-1 Internet Key Exchange Tunnel Table. There is one entry in this table for each active IPsec Phase-1 IKE Tunnel.

Each entry contains the attributes associated with an active IPsec Phase-1 IKE Tunnel.

The IP address type of the remote gateway (endpoint) for the IPsec Phase-1 IKE Tunnel.

The IP address of the remote gateway (endpoint) for the IPsec Phase-1 IKE Tunnel.

The index of the IPsec Phase-1 IKE Tunnel Table. The value of the index is a number which begins at one and is incremented with each tunnel that is created. The value of this object will wrap at 2,147,483,647.

The IP address of the local endpoint (gateway) for the IPsec Phase-1 IKE Tunnel.

The IP address type of the local endpoint (gateway) for the IPsec Phase-1 IKE Tunnel.

The state of the IKE tunnel, It can be: 1. up - negotiation completed 2. down- being negotiated

Cookie as generated by the peer that initiated the IKE Phase-1 negotiation. This cookie is carried in the ISAKMP header.

Cookie as generated by the peer responding to the IKE Phase-1 negotiation initiated by the remote peer. This cookie is carried in the ISAKMP header.

The role of local peer identity. The Role of the local peer can be: 1. initiator. 2. or responder.

The type of local peer identity. The local peer may be identified by: 1. an IP address, or 2. or a fully qualified domain name string. 3. or a distinguished name string.

The value of the local peer identity. If the local peer type is an IP Address, then this is the IP Address used to identify the local peer. If the local peer type is id_fqdn, then this is the FQDN of the remote peer. If the local peer type is a id_dn, then this is the distinguished name string of the local peer.

Name of the certificate used for authentication of the local tunnel endpoint. This object will have some valid value only if negotiated IKE authentication method is other than pre-saherd key. If the IKE negotiation do not use certificate based authentication method, then the value of this object will be a NULL string.

The type of remote peer identity. The remote peer may be identified by: 1. an IP address, or 2. or a fully qualified domain name string. 3. or a distinguished name string.

The value of the remote peer identity. If the remote peer type is an IP Address, then this is the IP Address used to identify the remote peer. If the remote peer type is id_fqdn, then this is the FQDN of the remote peer. If the remote peer type is a id_dn, then this is the distinguished named string of the remote peer.

The negotiation mode of the IPsec Phase-1 IKE Tunnel.

The Diffie Hellman Group used in IPsec Phase-1 IKE negotiations.

The encryption algorithm used in IPsec Phase-1 IKE negotiations.

The hash algorithm used in IPsec Phase-1 IKE negotiations.

The authentication method used in IPsec Phase-1 IKE negotiations.

The negotiated LifeTime of the IPsec Phase-1 IKE Tunnel in seconds.

The length of time the IPsec Phase-1 IKE tunnel has been active in hundredths of seconds.

The total number of octets received by this IPsec Phase-1 IKE security association.

The total number of packets received by this IPsec Phase-1 IKE security association.

The total number of octets sent by this IPsec Phase-1 IKE security association.

The total number of packets sent by this IPsec Phase-1 IKE security association.

The extended Authentication (XAuth) User Identifier, identifies the user associated with this IPSec Phase negotiation.

The number of times that the remote peer is detected in a dead (or down) state. This attribute is obsolete

Number of IPSEC VPN Tunnels. This attribute should detail the number of IPSEC VPN tunnel in jnxIpSecTunnelTable.

The IPsec Phase-2 Tunnel Table. There is one entry in this table for each active IPsec Phase-2 Tunnel. If the tunnel is terminated, then the entry is no longer available after the table has been refreshed.

Each entry contains the attributes associated with an active IPsec Phase-2 Tunnel.

The IP address type of the remote gateway (endpoint) for the IPsec Phase-2 Tunnel.

The IP address of the remote gateway (endpoint) for the IPsec Phase-2 Tunnel.

The index of the IPsec Phase-2 Tunnel Table. The value of the index is a number which begins at one and is incremented with each tunnel that is created. The value of this object will wrap at 2,147,483,647.

The IP address type of the local gateway (endpoint) for the IPsec Phase-2 Tunnel.

The IP address of the local gateway (endpoint) for the IPsec Phase-2 Tunnel.

Identifier for the local end.

Identifier for the remote end.

The type of key used by the IPsec Phase-2 Tunnel. It can be one of the following two types: - IKE negotiated - Manually installed

The type of the remote peer gateway (endpoint). It can be one of the following two types: - static (Remote peer whose IP address is known beforehand) - dynamic (Remote peer whose IP address is not known beforehand)

Number of bytes encrypted by this Phase-2 tunnel.

Number of packets encrypted by this Phase-2 tunnel.

Number of bytes decrypted by this Phase-2 tunnel.

Number of packets decrypted by this Phase-2 tunnel.

Number of incoming bytes authenticated using AH by this Phase-2 tunnel.

Number of incoming packets authenticated using AH by this Phase-2 tunnel.

Number of outgoing bytes applied AH by this Phase-2 tunnel.

Number of outgoing packets applied AH by this Phase-2 tunnel.

Number of packets dropped by this Phase-2 tunnel due to anti replay check failure.

Number of packets received by this Phase-2 tunnel that failed AH authentication.

Number of packets received by this Phase-2 tunnel that failed ESP authentication.

Number of packets received by this Phase-2 tunnel that failed decryption.

Number of packets received by this Phase-2 tunnel that failed due to bad headers.

Number of packets received by this Phase-2 tunnel that failed due to bad ESP trailers.

Total number of dropped packets for this Phase-2 tunnel. This attribute is obsolete.

The IPsec Phase-2 Security Association Table. This table identifies the structure (in terms of component SAs) of each active Phase-2 IPsec tunnel. This table contains an entry for each active and expiring security association and maps each entry in the active Phase-2 tunnel table (ipSecTunTable) into a number of entries in this table. SA contains the information negotiated by IKE. The SA is like a contract laying out the rules of the VPN connection for the duration of the SA. An SA is assigned a 32-bit number that, when used in conjunction with the destination IP address, uniquely identifies the SA. This number is called the Security Parameters Index or SPI. IPSec SAs area unidirectional and they are unique in each security protocol. A set of SAs are needed for a protected data pipe, one per direction per protocol.

Each entry contains the attributes associated with active and expiring IPsec Phase-2 security associations.

The index, in the context of the IPsec tunnel ipSecTunIndex, of the security association represented by this table entry. The value of this index is a number which begins at one and is incremented with each SPI associated with an IPsec Phase-2 Tunnel. The value of this object will wrap at 65535.

The index, represents the security protocol (AH, ESP or IPComp) for which this security association was setup. Enumeration: 'ah': 1, 'esp': 2.

The value of the incoming SPI.

The value of the outgoing SPI.

This field represents the type of security associations which can be either manual or dynamic

The encapsulation mode used by an IPsec Phase-2 Tunnel.

The negotiated LifeSize of the IPsec Phase-2 Tunnel in kilobytes.

The negotiated LifeTime of the IPsec Phase-2 Tunnel in seconds.

The length of time the IPsec Phase-2 Tunnel has been active in hundredths of seconds.

The security association LifeSize refresh threshold in kilobytes.

The security association LifeTime refresh threshold in seconds.

The Encryption algorithm used to encrypt the packets which can be either es-cbc or 3des-cbc.

The algorithm used for authentication of packets which can be hmac-md5-96 or hmac-sha1-96 or hmac-sha-256-128

This column represents the status of the security association represented by this table entry. If the status of the SA is 'active', the SA is ready for active use. The status 'expiring' represents any of the various states that the security association transitions through before being purged. Enumeration: 'active': 1, 'unknown': 0, 'expiring': 2.