ipsecGlobContDefaultPfsIdentity
FEC-IPSEC-MIB
.0.11.12
Object
scalar
r/w
Enumeration
This object specifies whether IKE (phase 1) SAs should be deleted immediately after a phase 2 (IPsec) SA pair has been negotiated. The global setting is overridden by a peer entry's own setting whenever that peer's ipsecPeerPfsIdentity is not set to 'default'. The consequence of enabling this feature is that every phase 2 negotiation must be preceded by a fresh phase 1 negotiation. Individual phase 2 SAs therefore cannot be associated with one another: even if an eavesdropper learns the identity of the remote peer for one SA, it cannot conclude that the next SA is negotiated with the same remote peer.

Note: enabling this flag only makes sense together with identity protection (id-protect mode, i.e. main mode, or RSA encryption for authentication) and when the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses). Otherwise each new phase 1 exchange, or the static address itself, lets the eavesdropper link the SAs again and nothing is gained. The phase 1 SA is not necessarily torn down at once; see ipsecGlobContPfsIdentityDelay for the configurable delay.

Possible values:
true(1) -- delete phase 1 SAs
false(2) -- do not delete phase 1 SAs
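The description above argues about what a passive observer can correlate, and the note lists the two conditions under which the flag actually helps. The following added example (not code from FEC-IPSEC-MIB or the vendor's IKE implementation) models that reasoning: an IKE phase 1 SA is visible on the wire through its ISAKMP cookie pair, every quick mode exchange carried over that IKE SA reuses the pair, an aggressive-mode ID payload is readable in the clear, and a static address identifies the peer by itself. The observer is assumed to have learned the identity behind one phase 1 SA (the "known for one SA" case). Exchanges, cookies, addresses and the identity are constructed sample data, and the field and function names belong to this example only.

```python
"""Linkability model for IKEv1 "PFS for identity" (ipsecGlobContDefaultPfsIdentity).

Added example; not code from FEC-IPSEC-MIB or the vendor's IKE stack.
All exchanges, cookies and addresses below are constructed sample data and the
field names are this example's own, not wire-format definitions.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional

PEER_ID = "vpn-user@example.com"   # constructed remote peer identity


@dataclass(frozen=True)
class IkeMsg:
    src_ip: str                     # address the exchange was seen from
    cookies: str                    # ISAKMP initiator/responder cookie pair (constructed hex)
    phase: int                      # 1 = phase 1 (main/aggressive), 2 = quick mode
    identity: Optional[str] = None  # ID payload, only if readable on the wire


def simulate(pfs_identity: bool, id_protect: bool, dynamic_address: bool,
             n_sas: int = 3) -> list[IkeMsg]:
    """IKE traffic one remote peer produces to set up n_sas IPsec SA pairs.

    pfs_identity mirrors ipsecGlobContDefaultPfsIdentity: when true the phase 1
    SA is discarded after each phase 2 pair, so the next pair needs a new phase 1.
    """
    cookies = count(0x1000)
    hosts = count(1)
    addr = f"198.51.100.{next(hosts)}"
    msgs: list[IkeMsg] = []
    ike: Optional[str] = None
    for _ in range(n_sas):
        if ike is None:
            # Fresh phase 1. A dynamically addressed peer typically comes back
            # from a different address once its IKE SA is gone.
            if msgs and dynamic_address:
                addr = f"198.51.100.{next(hosts)}"
            ike = f"{next(cookies):08x}"
            # id-protect (main mode) keeps the ID payload encrypted; aggressive
            # mode sends it in the clear.
            msgs.append(IkeMsg(addr, ike, 1, None if id_protect else PEER_ID))
        msgs.append(IkeMsg(addr, ike, 2))       # quick mode over the IKE SA
        if pfs_identity:
            ike = None                          # phase 1 SA deleted
    return msgs


def attribute(msgs: list[IkeMsg], known: tuple[str, str]) -> list[Optional[str]]:
    """Identity a passive observer can attach to each phase 2 SA, in order.

    known = (cookies, identity) of ONE phase 1 SA the observer already
    understands, e.g. learned out of band.
    """
    by_cookie = {known[0]: known[1]}
    for m in msgs:                              # identities sent in the clear
        if m.phase == 1 and m.identity:
            by_cookie[m.cookies] = m.identity
    by_ip: dict[str, str] = {}                  # address -> identity, via phase 1
    for m in msgs:
        if m.phase == 1 and m.cookies in by_cookie:
            by_ip[m.src_ip] = by_cookie[m.cookies]
    # A phase 2 SA is linked either through the IKE SA it rides on (cookies)
    # or, failing that, through the address the peer is known to use.
    return [by_cookie.get(m.cookies) or by_ip.get(m.src_ip)
            for m in msgs if m.phase == 2]


def linked_sas(pfs_identity: bool, id_protect: bool, dynamic_address: bool) -> int:
    """Number of the 3 phase 2 SAs an observer who knows the identity behind
    the first phase 1 SA can attribute to that peer."""
    msgs = simulate(pfs_identity, id_protect, dynamic_address)
    first_p1 = next(m for m in msgs if m.phase == 1)
    return sum(x is not None for x in attribute(msgs, (first_p1.cookies, PEER_ID)))


if __name__ == "__main__":
    for flags in [(False, True, True), (True, False, True),
                  (True, True, False), (True, True, True)]:
        print("pfs_identity=%-5s id_protect=%-5s dynamic=%-5s -> %d of 3 SAs linkable"
              % (*flags, linked_sas(*flags)))
```

Only the last combination (flag set, identity protected, dynamic address) leaves the later SAs unlinkable; with the flag set but aggressive mode or a static address, every SA is still attributable, which is exactly why the note restricts the flag to that configuration.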
Context
- MIB
- FEC-IPSEC-MIB
- OID
- .0.11.12
- Type
- scalar
- Access
- readwrite
- Status
- current
- Parent
- ipsecGlobalsContinued
- Siblings
- 23
Syntax
Enumeration
Values & Constraints
Enumerated Values

| Value | Name | Meaning |
|---|---|---|
| 1 | true | delete phase 1 SAs after the phase 2 SA pair is negotiated |
| 2 | false | do not delete phase 1 SAs |
Related Objects
Sibling Objects
| Object | Description | Type | Syntax | OID |
|---|---|---|---|---|
| ipsecGlobContPreIpsecRules | This object specifies an index in the IPsec traffic table containing a list of traffic definitions which has to be considered prior to the traffic lists of the IPSec peers in IPSe… | scalar | Integer32 | .0.11.1 |
| ipsecGlobContSaSyncInterface | This object specifies whether IKE and IPSec SAs should be deleted if the interface over which the packets are initially sent is going down or dormant. Possible values: tru… | scalar | Enumeration | .0.11.10 |
| ipsecGlobContPostIpsecRules | This object specifies an index in the IPsec traffic table containing a list of traffic definitions which has to be considered after the traffic lists of the IPSec peers in IPSec t… | scalar | Integer32 | .0.11.11 |
| ipsecGlobContIkeLoggingLevel | This object specifies the IKE logging level. IKE log messages are output as syslog messages on level debug. Note that the global syslog table level must be set to debug in order … | scalar | Integer32 | .0.11.13 |
| ipsecGlobContDialBlockTime | Amount of time in minutes how long an ipsecDial entry remains in state blocked-for-outgoing after a cost producing trigger call was detected. Given value denotes time in minutes. … | scalar | Integer32 (minutes) | .0.11.14 |
| ipsecGlobContPfsIdentityDelay | This object specifies the number of seconds to wait before deleting the underlying phase 1 SA after a phase 2 SA has been established, if PFS for identity is configured. | scalar | Integer32 (seconds) | .0.11.15 |
| ipsecGlobContHeartbeatDefault | This object specifies whether heartbeats should be sent over phase 1 SAs (not used for IPv6). Possible values: none(1), -- neither send nor expect heartbeats expect(2), … | scalar | Enumeration | .0.11.16 |
| ipsecGlobContHeartbeatInterval | This object specifies the time interval in seconds between heartbeats. At this rate heartbeats are sent and/or expected if configured (not used for IPv6). | scalar | Integer32 (seconds) | .0.11.17 |
| ipsecGlobContHeartbeatTolerance | This object specifies the maximum number of missing heartbeats allowed before an SA is discarded (not used for IPv6). | scalar | Integer32 | .0.11.18 |
| ipsecGlobContDefaultRule | This object specifies how to treat packets which do not match any entry in the traffic lists of the active peers or the pre- and post-IPSec rules. Possible values: drop(1), -- … | scalar | Enumeration | .0.11.2 |
| ipsecGlobContUse32BitCpi | This object specifies whether the CPI values in IKE IPComP negotiations should be sent as 32 bit numbers. Possible values: true(1), -- send CPI as 32 bit numbers false(2) … | scalar | Enumeration | .0.11.4 |
| ipsecGlobContNoWellKnownCpis | This object specifies whether the well known CPI values should be used in IKE IPComP negotiations. If set to true, IKE will allocate random CPI values from the negotiable range… | scalar | Enumeration | .0.11.5 |
| ipsecGlobContObsoleteFeatureMask | Some obsolete features are represented by a bit in this mask and could be re-enabled for testing or compatibility purposes. A mask bit of 1 enables the appropriate (obsolete) feature… | scalar | - | .0.11.66 |
| ipsecGlobContP1Always | This object specifies whether a phase 1 rekeying is always done immediately before phase 2 rekeying. Note this is different from PFS for identity because the latter discards the p… | scalar | Enumeration | .0.11.69 |
| ipsecGlobContNoPmtuDiscovery | This object specifies the default PMTU discovery policy if the ipsecPeerPmtuDiscovery flag is set to default. Possible values: true(1), -- do not perform PMTU discovery fal… | scalar | Enumeration | .0.11.7 |
| ipsecGlobContHwAccel | Enables/disables usage of the encryption engine. | scalar | Enumeration | .0.11.70 |
| ipsecGlobContSupportVarKeyLength4Twofish | Enables/disables support of variable key sizes for the Twofish algorithm. Note that the Twofish related settings within the ipsecAlgorithmTable will be synchronized accordingly. I… | scalar | Enumeration | .0.11.71 |
| ipsecGlobContIkev2Profile | This object specifies the default IKE_SA profile to use (only for IKEv2). If set to 0 no profile is configured as default. | scalar | Unsigned32 (SNMPv2-SMI) | .0.11.72 |
| ipsecGlobContMaxIkev2Sas | This object specifies the maximum number of simultaneous IKEv2 security associations allowed. If this limit is reached, the entries are removed from the database, starting with th… | scalar | Integer32 | .0.11.73 |
| ipsecGlobContPathFinder | Enables/disables the IPSec pathfinder mode, that means all the traffic (IKE, ESP and AH) is embedded within a pseudo HTTPS session between the peers (similar to the NAT-T mode). | scalar | Enumeration | .0.11.74 |
| ipsecGlobContXauthTimeout | If an extended authentication is requested, this is the time (in seconds) the device will wait for a response. A useful value is important when username and password are entered man… | scalar | Integer32 (seconds) | .0.11.75 |
| ipsecGlobContDefaultPmtuTtl | This object specifies the time-to-live (in minutes) of a PMTU value derived from an ICMP PMTU message received for an IPSec packet. After this time, the MTU is increased step-by-s… | scalar | Integer32 (minutes) | .0.11.8 |
| ipsecGlobContPrivateInterface | This object specifies the index of the system's private interface. If the private interface is set (i.e. non-negative), certain address spoofing attacks are made impossible from … | scalar | Integer32 | .0.11.9 |