ipsecGlobContDefaultPfsIdentity
FEC-IPSEC-MIB ·
.0.11.12
Object
scalar
r/w
Enumeration
This object specifies whether IKE SA's should be deleted immediately after a phase 2 (IPSec-) SA pair has been negotiated. It may be overridden by the individual settings for a peer entry, if the ipsecPeerPfsIdentity is not set to 'default'. The consequence of enabling this feature is that before each phase 2 negotiation there always has to be a phase 1 negotiation. Thus individual phase 2 SAs cannot be associated with one another or, respectively, if the identity of a remote peer is known to an eavesdropper for one SA, he cannot conclude that the next SA is negotiated with the same remote peer. Note: Setting this flag only makes sense if configured together with id-protect mode or RSA encryption for authentication and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses). Possible values: true(1), -- delete phase 1 SAs false(2) -- do not delete phase 1 SAs.
Context
- MIB
- FEC-IPSEC-MIB
- OID
.0.11.12- Type
- scalar
- Access
- readwrite
- Status
- current
- Parent
- ipsecGlobalsContinued
Syntax
Enumeration
Values & Constraints
Enumerated Values
1 | true |
2 | false |