ipsecPeerStatPfsIdentity
FEC-IPSEC-MIB · .0.28.1.9
Object
column
Enumeration
This object specifies whether IKE SAs should be deleted immediately after a phase 2 (IPSec) SA pair has been negotiated. It overrides the default setting ipsecGlobContDefaultPfsIdentity if not set to 'default'. The consequence of enabling this feature is that a phase 1 negotiation always has to precede each phase 2 negotiation. Individual phase 2 SAs therefore cannot be associated with one another: if the identity of a remote peer is known to an eavesdropper for one SA, the eavesdropper cannot conclude that the next SA is negotiated with the same remote peer.

Note: Setting this flag only makes sense if it is configured together with id-protect mode or RSA encryption for authentication, and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses).

Possible values:
true(1), -- delete phase 1 SAs
false(2), -- do not delete phase 1 SAs
default(3) -- use setting in ipsecGlobContDefaultPfsIdentity.
Context
- MIB
- FEC-IPSEC-MIB
- OID
- .0.28.1.9
- Type
- column
- Access
- readonly
- Status
- current
- Parent
- ipsecPeerStatEntry
Syntax
Enumeration
Values & Constraints
Enumerated Values
1 | true |
2 | false |
3 | default |