CISCO-IPSEC-PROVISIONING-MIB

        IPSec is the next-generation network layer crypto
framework described in RFC2401-2411. 
This MIB defines the IPsec configurations.
It may be used to view and provision IPsec-based
VPNs.
        
To create an IPsec tunnel, you need first configure
Internet Key Exchange (IKE). IKE negotiates Security
Associations with the peer for IPsec. To find out
how to configure IKE, please see
CISCO-IKE-CONFIGURATION-MIB for detail.
        
Once you setup IKE, you will have to configure IPsec.
To configure IPsec, you need perform following steps.
1. Create an IPsec transform set.
   A transform set describes a security protocol
   (AH or ESP) with its corresponding algorithms.
   For example, ESP with the DES cipher algorithm
   and HMAC-SHA for authentication.
        
	2. Create a cryptomap and its peers.
   This will a) select data flows that need security
   processing and b) defines the policy for these flows
   and the crypto peer that traffic needs to go to.
        
3. Apply cryptomap to an interface
   A crypto map is applied to an egress interface.
   Outgoing data flows are protected by this cryptomap.
        
Acronyms
The following acronyms are used in this document:
        
  Static Cryptomap Template:
   A static cryptomap template (or static cryptomap)
   is a security template created for IPsec.
   A static cryptomap pulls together various parts
   to set up an IPsec security association
   which includes:
   - which traffic should be protected by IPsec
   - where IPsec protected traffic should be sent
   - the local address used for the the IPsec traffic
   - which transform sets should be applied to this
     traffic
        
  Dynamic Cryptomap Template:
   A dynamic cryptomap template (or a dynamic cryptomap)
   is essentially a crypto map entry without all the
   parameters configured.  It acts as a policy template
   where the missing parameters are later dynamically
   configured (as the result of an IPsec negotiation)
   to match a peer's requirements.
        
  Cryptomap Set:
   A cryptomap set may contain multiple cryptomap
   templates which specify an IPsec policy.
        
  TED:
   Tunnel Endpoint Discovery protocol
        
MIB Structure
-------------
  This MIB provides the operational information on 
  Cisco's IPsec implementation of IPsec. This MIB 
  delineates ISAKMP and IPsec configuration. This MIB
  deals only with IPsec (Phase-2) configuration.  The
  following entities are managed:
    a) IPsec Global Parameters
    b) IPsec transform set definitions
    c) Cryptomap Group
       - Cryptomap Set Table
       - Cryptomap Table
       - CryptomapSet Transform Binding Table
       - CryptomapSet Peer Binding Table
       - CryptomapSet Interface Binding Table
        
    d) Notification Control Group
    e) Notifications Group

Imported Objects

CIPsecSecuritySuite, CIPsecCryptomapType, CIPsecNumCryptoMaps, CIPsecDiffHellmanGrp, CIPsecEncapMode, CIPsecLifesize, CIPsecTunnelIdleTime, CIPsecLifetime, CIPsecTransform	CISCO-IPSEC-TC
ciscoMgmt	CISCO-SMI
ifIndex	IF-MIB
InetAddressType, InetAddress	INET-ADDRESS-MIB
SnmpAdminString	SNMP-FRAMEWORK-MIB
NOTIFICATION-GROUP, OBJECT-GROUP, MODULE-COMPLIANCE	SNMPv2-CONF
MODULE-IDENTITY, Unsigned32, NOTIFICATION-TYPE, OBJECT-TYPE	SNMPv2-SMI
TruthValue, RowStatus	SNMPv2-TC

Objects

ciscoIPsecProvisioningMIB		.1.3.6.1.4.1.9.9.431
ciscoIPsecProvisioningMIBNotifs		.1.3.6.1.4.1.9.9.431.0
ciscoIPsecProvisioningMIBObjects		.1.3.6.1.4.1.9.9.431.1
cipsIPsecGlobals		.1.3.6.1.4.1.9.9.431.1.1
cipsTunnelLifetime	seconds CISCO-IPSEC-TCCIPsecLifetime	.1.3.6.1.4.1.9.9.431.1.1.1
cipsTunnelLifesize	KBytes CISCO-IPSEC-TCCIPsecLifesize	.1.3.6.1.4.1.9.9.431.1.1.2
cipsTunnelIdleTimeout	seconds CISCO-IPSEC-TCCIPsecTunnelIdleTime	.1.3.6.1.4.1.9.9.431.1.1.3
cipsIPsecTransforms		.1.3.6.1.4.1.9.9.431.1.2
cipsIPsecXformSetTable		.1.3.6.1.4.1.9.9.431.1.2.1
cipsIPsecXformSetEntry	cipsXformSetName	.1.3.6.1.4.1.9.9.431.1.2.1.1
cipsXformSetName	OctetString	.1.3.6.1.4.1.9.9.431.1.2.1.1.1
cipsXformSetId	Unsigned32	.1.3.6.1.4.1.9.9.431.1.2.1.1.2
cipsXformSetSuite	CISCO-IPSEC-TCCIPsecSecuritySuite	.1.3.6.1.4.1.9.9.431.1.2.1.1.3
cipsXformSetEncryptionXform	CISCO-IPSEC-TCCIPsecTransform	.1.3.6.1.4.1.9.9.431.1.2.1.1.4
cipsXformSetIntegrityXformEsp	CISCO-IPSEC-TCCIPsecTransform	.1.3.6.1.4.1.9.9.431.1.2.1.1.5
cipsXformSetIntegrityXformAh	CISCO-IPSEC-TCCIPsecTransform	.1.3.6.1.4.1.9.9.431.1.2.1.1.6
cipsXformSetCompressionXform	CISCO-IPSEC-TCCIPsecTransform	.1.3.6.1.4.1.9.9.431.1.2.1.1.7
cipsXformSetMode	CISCO-IPSEC-TCCIPsecEncapMode	.1.3.6.1.4.1.9.9.431.1.2.1.1.8
cipsXformSetStatus	SNMPv2-TCRowStatus	.1.3.6.1.4.1.9.9.431.1.2.1.1.9
cipsCryptoMapGeneral		.1.3.6.1.4.1.9.9.431.1.3
cipsNumStaticCryptomapSets	CISCO-IPSEC-TCCIPsecNumCryptoMaps	.1.3.6.1.4.1.9.9.431.1.3.1
cipsNumDynamicCryptomapSets	CISCO-IPSEC-TCCIPsecNumCryptoMaps	.1.3.6.1.4.1.9.9.431.1.3.2
cipsNumTEDCryptomapSets	CISCO-IPSEC-TCCIPsecNumCryptoMaps	.1.3.6.1.4.1.9.9.431.1.3.3
cipsCryptoMaps		.1.3.6.1.4.1.9.9.431.1.4
cipsStaticCryptomapSetTable		.1.3.6.1.4.1.9.9.431.1.4.1
cipsStaticCryptomapSetEntry	cipsStaticCryptomapSetName	.1.3.6.1.4.1.9.9.431.1.4.1.1
cipsStaticCryptomapSetSize	Unsigned32	.1.3.6.1.4.1.9.9.431.1.4.1.1.1
cipsStaticCryptomapSetNumIsakmp	Unsigned32	.1.3.6.1.4.1.9.9.431.1.4.1.1.2
cipsStaticCryptomapSetNumManual	Unsigned32	.1.3.6.1.4.1.9.9.431.1.4.1.1.3
cipsStaticCryptomapSetNumDynamic	Unsigned32	.1.3.6.1.4.1.9.9.431.1.4.1.1.4
cipsStaticCryptomapSetNumTED	Unsigned32	.1.3.6.1.4.1.9.9.431.1.4.1.1.5
cipsStaticCryptomapSetNumSAs	Unsigned32	.1.3.6.1.4.1.9.9.431.1.4.1.1.6
cipsStaticCryptomapTable		.1.3.6.1.4.1.9.9.431.1.4.3
cipsStaticCryptomapEntry	cipsStaticCryptomapSetName cipsStaticCryptomapPriority	.1.3.6.1.4.1.9.9.431.1.4.3.1
cipsStaticCryptomapSetName	OctetString	.1.3.6.1.4.1.9.9.431.1.4.3.1.1
cipsStaticCryptomapCurPAddr	INET-ADDRESS-MIBInetAddress	.1.3.6.1.4.1.9.9.431.1.4.3.1.10
cipsStaticCryptomapPfs	CISCO-IPSEC-TCCIPsecDiffHellmanGrp	.1.3.6.1.4.1.9.9.431.1.4.3.1.11
cipsStaticCryptomapLifetime	seconds CISCO-IPSEC-TCCIPsecLifetime	.1.3.6.1.4.1.9.9.431.1.4.3.1.12
cipsStaticCryptomapLifesize	KBytes CISCO-IPSEC-TCCIPsecLifesize	.1.3.6.1.4.1.9.9.431.1.4.3.1.13
cipsStaticCryptomapLevelHost	SNMPv2-TCTruthValue	.1.3.6.1.4.1.9.9.431.1.4.3.1.14
cipsStaticCryptomapIdleTimeout	CISCO-IPSEC-TCCIPsecTunnelIdleTime	.1.3.6.1.4.1.9.9.431.1.4.3.1.15
cipsStaticCryptomapAutoPeer	SNMPv2-TCTruthValue	.1.3.6.1.4.1.9.9.431.1.4.3.1.16
cipsStaticCryptomapStatus	SNMPv2-TCRowStatus	.1.3.6.1.4.1.9.9.431.1.4.3.1.17
cipsStaticCryptomapPriority	Unsigned32	.1.3.6.1.4.1.9.9.431.1.4.3.1.2
cipsStaticCryptomapType	CISCO-IPSEC-TCCIPsecCryptomapType	.1.3.6.1.4.1.9.9.431.1.4.3.1.3
cipsStaticCryptomapDescr	OctetString	.1.3.6.1.4.1.9.9.431.1.4.3.1.4
cipsStaticCryptomapIpFilter	OctetString	.1.3.6.1.4.1.9.9.431.1.4.3.1.5
cipsStaticCryptomapXformSetList	OctetString	.1.3.6.1.4.1.9.9.431.1.4.3.1.6
cipsStaticCryptomapNumPeers	Unsigned32	.1.3.6.1.4.1.9.9.431.1.4.3.1.7
cipsStaticCryotomapNextPIndex	Unsigned32	.1.3.6.1.4.1.9.9.431.1.4.3.1.8
cipsStaticCryptomapCurPAddrType	INET-ADDRESS-MIBInetAddressType	.1.3.6.1.4.1.9.9.431.1.4.3.1.9
cipsIPsecCryMapPeerTable		.1.3.6.1.4.1.9.9.431.1.4.4
cipsIPsecCryMapPeerEntry	cipsStaticCryptomapSetName cipsStaticCryptomapPriority cipsCryMapPeerIndex	.1.3.6.1.4.1.9.9.431.1.4.4.1
cipsCryMapPeerIndex	Unsigned32	.1.3.6.1.4.1.9.9.431.1.4.4.1.1
cipsCryMapPeerAddrType	INET-ADDRESS-MIBInetAddressType	.1.3.6.1.4.1.9.9.431.1.4.4.1.2
cipsCryMapPeerAddr	INET-ADDRESS-MIBInetAddress	.1.3.6.1.4.1.9.9.431.1.4.4.1.3
cipsCryMapPeerOrder	Unsigned32	.1.3.6.1.4.1.9.9.431.1.4.4.1.4
cipsCryMapPeerStatus	SNMPv2-TCRowStatus	.1.3.6.1.4.1.9.9.431.1.4.4.1.5
cipsCryptomapSetIfTable		.1.3.6.1.4.1.9.9.431.1.4.5
cipsCryptomapSetIfEntry	cipsStaticCryptomapSetName IF-MIBifIndex	.1.3.6.1.4.1.9.9.431.1.4.5.1
cipsCryptomapSetIfStatus	SNMPv2-TCRowStatus	.1.3.6.1.4.1.9.9.431.1.4.5.1.1
cipsIfCryptomapSetInfoTable		.1.3.6.1.4.1.9.9.431.1.4.6
cipsIfCryptomapSetInfoEntry	IF-MIBifIndex	.1.3.6.1.4.1.9.9.431.1.4.6.1
cipsIfStaticCryptomapSetName	OctetString	.1.3.6.1.4.1.9.9.431.1.4.6.1.1
cipsNotificationCntl		.1.3.6.1.4.1.9.9.431.1.5
cipsCntlAllNotifs	SNMPv2-TCTruthValue	.1.3.6.1.4.1.9.9.431.1.5.1
cipsCntlCryptomapAdded	SNMPv2-TCTruthValue	.1.3.6.1.4.1.9.9.431.1.5.2
cipsCntlCryptomapDeleted	SNMPv2-TCTruthValue	.1.3.6.1.4.1.9.9.431.1.5.3
cipsCntlCryptomapSetAttached	SNMPv2-TCTruthValue	.1.3.6.1.4.1.9.9.431.1.5.4
cipsCntlCryptomapSetDetached	SNMPv2-TCTruthValue	.1.3.6.1.4.1.9.9.431.1.5.5
ciscoIPsecProvisioningMIBConform		.1.3.6.1.4.1.9.9.431.2
ciscoIPsecProvMIBCompliances		.1.3.6.1.4.1.9.9.431.2.1
ciscoIPsecProvMIBGroups		.1.3.6.1.4.1.9.9.431.2.2

Notifications/Traps

Name	OID	Description
ciscoIPsecProvCryptomapAdded cipsStaticCryptomapType cipsStaticCryptomapSetSize	.1.3.6.1.4.1.9.9.431.0.1	This notification is generated when a new cryptomap is added to the specified cryptomap set. Object 'cipsStaticCryptomapSetSize' contains the number of cryptomap entries after the addition.
ciscoIPsecProvCryptomapDeleted cipsStaticCryptomapSetSize	.1.3.6.1.4.1.9.9.431.0.2	This notification is generated when a cryptomap is removed from the specified cryptomap set. Object 'cipsStaticCryptomapSetSize' contains the number of cryptomap entries after the deletion.
ciscoIPsecProvCryptomapAttached cipsStaticCryptomapSetSize cipsStaticCryptomapSetNumIsakmp cipsStaticCryptomapSetNumDynamic	.1.3.6.1.4.1.9.9.431.0.3	A cryptomap set must be attached to an interface of the device in order for it to be operational. This trap is generated when the cryptomap set attached to an active interface of the managed entity. The contents of the notification includes: Size of the attached cryptomap set, Number of ISAKMP cryptomaps in the set and Number of Dynamic cryptomaps in the set.
ciscoIPsecProvCryptomapDetached cipsStaticCryptomapSetSize	.1.3.6.1.4.1.9.9.431.0.4	This trap is generated when a cryptomap set is detached from an interafce to which it was bound earlier. The context of the event identifies the size of the cryptomap set.