ipsecPeerStatPfsIdentity
FEC-IPSEC-MIB ·
.0.28.1.9
Object
column
Enumeration
This object specifies whether IKE SA's should be deleted immediately after a phase 2 (IPSec-) SA pair has been negotiated. If overrides the default setting ipsecGlobContDefaultPfsIdentity if not set to 'default'. The consequence of enabling this feature is that before each phase 2 negotiation there always has to be a phase 1 negotiation. Thus individual phase 2 SAs cannot be associated with one another or, respectively, if the identity of a remote peer is known to an eavesdropper for one SA, he cannot conclude that the next SA is negotiated with the same remote peer. Note: Setting this flag only makes sense if configured together with id-protect mode or RSA encryption for authentication and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses). Possible values: true(1), -- delete phase 1 SAs false(2), -- do not delete phase 1 SAs default(3) -- use setting in ipsecGlobContDefaultPfsIdentity.
Context
- MIB
- FEC-IPSEC-MIB
- OID
.0.28.1.9- Type
- column
- Access
- readonly
- Status
- current
- Parent
- ipsecPeerStatEntry
- Table
- ipsecPeerStatTable
- Siblings
- 46
Syntax
Enumeration
Values & Constraints
Enumerated Values
1 | true |
2 | false |
3 | default |
Related Objects
Sibling Objects
| Object | Type | Syntax | OID |
|---|---|---|---|
| ipsecPeerStatIndex A unique index identifying this entry. | column | Integer32 | .0.28.1.1 |
| ipsecPeerStatAuthMethod This object specifies the authentication method used for this peer.
It overrides the setting in the IKE proposals used.
Possible values:
pre-sh-key(1), -- Authentication using … | column | Enumeration | .0.28.1.10 |
| ipsecPeerStatIkeGroup This object specifies a special IKE group which is to be used
for this peer only. It overrides the setting in the ikeProposal
used.
Possible values:
0: use the value from the i… | column | Integer32 | .0.28.1.11 |
| ipsecPeerStatPfsGroup The Diffie Hellman group used for additional Perfect
Forward Secrecy (PFS) DH exponentiations.
Possible values:
-1: explicitly do not use PFS
(overrides ipsecGlob2DefaultP… | column | Integer32 | .0.28.1.12 |
| ipsecPeerStatPh1Mode This object specifies the exchange mode used for IKE
SA negotiation.
Possible values:
id-protect(1), -- Use identity protection (main) mode
aggressive(2), -- Use aggressive… | column | Enumeration | .0.28.1.13 |
| ipsecPeerStatIkeLifeTime This object specifies an index in the ipsecLifeTimeTable with the
lifetime settings to be used for IKE SA negotiation with this peer.
It overrides the setting in the IKE proposal… | column | Integer32 | .0.28.1.14 |
| ipsecPeerStatIpsecLifeTime This object specifies an index in the
ipsecLifeTimeTable. This lifetime overwrites the
lifetimes specified for all traffic entries and their
proposals referenced by this peer entr… | column | Integer32 | .0.28.1.15 |
| ipsecPeerStatKeepAlive This object specifies whether IKE SA's with this peer
are rekeyed even if there was no data transferred over
them.
Possible values:
true(1), -- rekey SA's even if no data was … | column | Enumeration | .0.28.1.16 |
| ipsecPeerStatGranularity This object specifies the granularity with which SA's
with this peer are created.
Possible values:
default(1), -- use the setting from the ipsecGlobalsTable
coarse(2), -- Cr… | column | Enumeration | .0.28.1.17 |
| ipsecPeerStatDontVerifyPad This object is a compatibility option for older ipsec
implementations. It enables or disables an old way of ESP
padding (no self describing padding).
Possible values:
false(1… | column | Enumeration | .0.28.1.18 |
| ipsecPeerStatNoPmtuDiscovery This object specifies the PMTU discovery policy for this peer.
Possible values:
true(1), -- do not perform PMTU discovery
false(2) -- perform PMTU discovery
default(3)-- use … | column | Enumeration | .0.28.1.19 |
| ipsecPeerStatNextIndex The index of the next peer in hierarchy. | column | Integer32 | .0.28.1.2 |
| ipsecPeerStatOperStatus Peer operational state. | column | Enumeration | .0.28.1.20 |
| ipsecPeerStatDefaultIpsecProposals The index of the default IPSec proposal used for
encrypting all the traffic bound to the (optional)
logical interface created for this peer. | column | Integer32 | .0.28.1.21 |
| ipsecPeerStatHeartbeat This object specifies whether heartbeats should be sent
over phase 1 SAs for this peer.
Possible values:
none(1), -- neither send nor expect heartbeats
expect(2), -- ex… | column | Enumeration | .0.28.1.22 |
| ipsecPeerStatTtl This object shows the maximum period of time in seconds
the peer will remain in the current state. | column | Integer32 | .0.28.1.23 |
| ipsecPeerStatCurrentLocalAddress The currently used local IP-address for this peer. | column | SNMPv2-SMIIpAddress | .0.28.1.24 |
| ipsecPeerStatCurrentRemoteAddress The currently known remote IP-address of this peer. | column | SNMPv2-SMIIpAddress | .0.28.1.25 |
| ipsecPeerStatNumP1 The number of current IKE SAs for this peer. | column | Integer32 | .0.28.1.26 |
| ipsecPeerStatNumP1Negotiating The number of current IKE SAs in state 'negotiating'
for this peer. | column | Integer32 | .0.28.1.27 |
| ipsecPeerStatNumP1Established The number of current IKE SAs in state 'established'
for this peer. | column | Integer32 | .0.28.1.28 |
| ipsecPeerStatNumP1Deleted The number of current IKE SAs in state 'waiting_for_remove'
for this peer. | column | Integer32 | .0.28.1.29 |
| ipsecPeerStatCaCerts Receives a comma separated list with indices of optional
certificate authority certificates accepted for this peer. | column | SNMPv2-TCDisplayString | .0.28.1.3 |
| ipsecPeerStatNumBundles The number of current IPSec SA bundles for this peer. | column | Integer32 | .0.28.1.30 |
| ipsecPeerStatNumBundlesNegotiating The number of current IPSec SA bundles for this peer. | column | Integer32 | .0.28.1.31 |
| ipsecPeerStatNumBundlesEstablished The number of current IPSec SA bundles in state 'established'
for this peer. | column | Integer32 | .0.28.1.32 |
| ipsecPeerStatPh1LToken Locally generated token that must be used by triggered peer
upon call back. | column | Integer32 | .0.28.1.33 |
| ipsecPeerStatPh1RToken Remotely generated token which must be used during phase one
of IPsec connection establishment. | column | Integer32 | .0.28.1.34 |
| ipsecPeerStatIsdnCBNextMode Define callback mode that is to be tried next.
The following modes are defined:
unknown(1) -- still unset, derive it from other
settings
d-llc(2) -- use D channel … | column | Enumeration | .0.28.1.35 |
| ipsecPeerStatNatDetect The latest result of the NAT detection performed with the peer.
Possible values:
local(1), -- local NAT detected
remote(2), -- remote NAT detected
both(3), -- local and remote … | column | Enumeration | .0.28.1.36 |
| ipsecPeerStatNatTLocalPort The local port currently usd for NAT-T IKE and ESP SAs
with this Peer. | column | Integer32 | .0.28.1.37 |
| ipsecPeerStatNatTRemotePort The remote port currently usd for NAT-T IKE and ESP SAs
with this Peer. | column | Integer32 | .0.28.1.38 |
| ipsecPeerStatMtu The current MTU of this peer. This value is copied to ifMtu if
ipsecPeerVirtualInterface is set to enabled. | column | Integer32 | .0.28.1.39 |
| ipsecPeerStatPeerAddress This object shows the fixed IP-address of the peer, if any. | column | SNMPv2-SMIIpAddress | .0.28.1.4 |
| ipsecPeerStatRxIdle The time period for which no packet has been received
from this peer. | column | SNMPv2-SMITimeTicks | .0.28.1.40 |
| ipsecPeerStatTxIdle The time period for which no packet has been transmitted
to this peer. | column | SNMPv2-SMITimeTicks | .0.28.1.41 |
| ipsecPeerStatDPD The type of Dead Peer Detection (DPD) currently active
for this peer.
Possible values:
none(1) -- DPD not active
v1(2) -- DPD Version 1 active
v1-idle(3) -- DPD Version 1 in i… | column | Enumeration | .0.28.1.42 |
| ipsecPeerStatDPDRetries The nuber of DPD retries currently sent without reply. | column | Integer32 | .0.28.1.43 |
| ipsecPeerStatNumIkeSas The number of current IKE SAs for this peer (only for IKEv2). | column | Integer32 | .0.28.1.44 |
| ipsecPeerStatNumIkeSasNegotiating The number of current IKE SAs in state 'negotiating'
for this peer (only for IKEv2). | column | Integer32 | .0.28.1.45 |
| ipsecPeerStatNumIkeSasEstablished The number of current IKE SAs in state 'established'
for this peer (only for IKEv2). | column | Integer32 | .0.28.1.46 |
| ipsecPeerStatNumIkeSasDeleted The number of current IKE SAs in state 'waiting_for_remove'
for this peer (only for IKEv2). | column | Integer32 | .0.28.1.47 |
| ipsecPeerStatLocalId The local ID used for authentication.
Syntax:
- X500 distinguished name:
<obj-name=obj-value, obj-ID=obj-value, ...>
- IPV4-Address:
|123.456.789.012| with or without … | column | SNMPv2-TCDisplayString | .0.28.1.5 |
| ipsecPeerStatLocalCert The index of the certificate used for local authentication
in the certTable. Only useful for automatically keyed traffic
with dsa or rsa authentication. | column | Integer32 | .0.28.1.6 |
| ipsecPeerStatPublicInterface This object specifies the index of the public interface
for which the traffic list assigned to this peer should be
valid.
If set to -1, the traffic list is valid for all interfa… | column | Integer32 | .0.28.1.7 |
| ipsecPeerStatIkeProposals Index of default ike proposal used for peers with empty default
ike proposal. | column | Integer32 | .0.28.1.8 |