hmSec2VpnConnIkeAuthRemId
HMSECURITY2-MIB ·
.1.3.6.1.4.1.248.52.1.13.1.2.3.1.19
Object
column
r/w
OctetString
Remote peer identifier to be compared with ID
payload during negotiation. The ID payload is
used to identify the initiator of the security
association. The identity is used by the
responder to determine the correct host system
security policy requirement for the association
(see RFC 2407, section 4.6.2 for details when
using IKEv1 and RFC 4306, section 3.5 for IKEv2).
Allowed formats for this entry depend on
'hmSec2VpnConnIkeAuthRemType':
o any: don't care
o ipaddr: IPv4 address
o keyid: key identifier
o fqdn: fully qualified domain name
o email: fully qualified RFC 822 email address
o asn1dn: X.500 distinguished name (DN)
If 'hmSec2VpnConnIkeAuthRemType' is 'asn1dn':
o and 'hmSec2VpnConnIkeAuthRemId' a character
string, then a typical X.500 distinguished name
syntax has to be used, e.g. CN=XY-D,C=DE,L=NT,
ST=BW,O=COMPANY,OU=DEV,E=testuser@company.com);
o and 'hmSec2VpnConnIkeAuthRemId' is a hex string with prefix 0x,
then the associated distinguished name must be
DER encoded (see RFC 2459);
o and 'hmSec2VpnConnIkeAuthRemId' is empty, then
the distinguished name from the certificate in
'hmSec2VpnConnIkeAuthCertRemote' is used here;
o then the subject from received certificate (remote
peer distinguished name) is compared against this
value.
Context
- MIB
- HMSECURITY2-MIB
- OID
.1.3.6.1.4.1.248.52.1.13.1.2.3.1.19- Type
- column
- Access
- readwrite
- Status
- current
- Parent
- hmSec2VpnConnEntry
- Table
- hmSec2VpnConnTable
- Siblings
- 33
Syntax
OctetString
Values & Constraints
No enumerated values or constraints recorded.
Related Objects
Sibling Objects
| Object | Type | Syntax | OID |
|---|---|---|---|
| hmSec2VpnConnIndex An index that uniquely identifies the entry in the
table. | column | Integer32 | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.1 |
| hmSec2VpnConnIkeAuthMode The phase 1 exchange mode to be used. | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.10 |
| hmSec2VpnConnIkeAuthCertCA PEM encoded X.509 certificate (RFC 1422),
if authentication type in 'hmSec2VpnConnIkeAuthType'
is 'x509rsa'. This certificate is used for RSA based
signature verification in local… | column | OctetString | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.11 |
| hmSec2VpnConnIkeAuthCertRemote PEM encoded X.509 certificate (RFC 1422),
if authentication type in 'hmSec2VpnConnIkeAuthType'
is 'x509rsa'. This certificate is used for RSA based
authentication of remote peer a… | column | OctetString | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.12 |
| hmSec2VpnConnIkeAuthCertLocal PEM encoded X.509 certificate (RFC 1422)
to be used, if authentication type in
'hmSec2VpnConnIkeAuthType' is 'x509rsa'. This
certificate is used for RSA based authentication
of lo… | column | OctetString | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.13 |
| hmSec2VpnConnIkeAuthPrivKey PEM encoded RSA private key (PKCS 1) to be used, if
authentication type in 'hmSec2VpnConnIkeAuthType' is
'x509rsa'. Notice that this object is write-only
and encrypted with 'hmSec… | column | OctetString | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.14 |
| hmSec2VpnConnIkeAuthPasswd Passphrase to be used for decryption of private key
from 'hmSec2VpnConnIkeAuthPrivKey'. The passphrase must
be set before the private key is set, else the SNMP
operation fails. | column | OctetString | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.15 |
| hmSec2VpnConnIkeAuthPsk Preshared key (passphrase) to be used if
authentication type in 'hmSec2VpnConnIkeAuthType'
is 'psk'. | column | OctetString | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.16 |
| hmSec2VpnConnIkeAuthLocId Local peer identifier to be sent within ID
payload during negotiation. The ID payload is
used to identify the initiator of the security
association. The identity is used by the
re… | column | OctetString | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.17 |
| hmSec2VpnConnIkeAuthLocType Type of local peer identifier in 'hmSec2VpnConnIkeAuthLocId':
o default: If 'hmSec2VpnConnIkeAuthType' is 'psk' then
use the IP address from 'hmSec2VpnConnIkeLocalAdd… | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.18 |
| hmSec2VpnConnIkeVersion Version of the IKE protocol:
o auto: accept IKEv1/v2 as responder, start with IKEv1 as initiator
o v1: used protocol is IKE version 1 (ISAKMP)
o v2: used protocol is IKE version 2 | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.2 |
| hmSec2VpnConnIkeAuthRemType Type of remote peer identifier in hmSec2VpnConnIkeAuthRemId:
o any: received remote identifier is not checked
o ipaddr: IPv4 address
o keyid: key identifier
o fqdn: fully qual… | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.20 |
| hmSec2VpnConnIkeAlgDh Diffie-Hellman key agreement algorithm to be used
for establishment of IKE-SA:
o any: accept all algorithms as responder, use default as initiator
o modp768: RSA with 768 bits m… | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.21 |
| hmSec2VpnConnIkeAlgHash Hash algorithm to be used in IKE:
o any: accept all algorithms as responder, use all
as IKEv2 initiator (not allowed as IKEv1 initiator)
o md5: MD5
o sha1: SHA-1 | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.22 |
| hmSec2VpnConnIkeAlgMac Integrity (MAC) algorithm to be used in IKEv2:
o any: accept all algorithms as responder, use all
as IKEv2 initiator (not allowed as IKEv1 initiator)
o hmacmd5: HMAC-MD5… | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.23 |
| hmSec2VpnConnIkeAlgEncr Encryption algorithm to be used in IKE:
o any: accept all algorithms as responder, use all
as IKEv2 initiator (not allowed as IKEv1 initiator)
o des: DES
o des3: Triple… | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.24 |
| hmSec2VpnConnIpsecMode IPsec encapsulation mode. | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.25 |
| hmSec2VpnConnIpsecNatTraversal If 'on', then it forces UDP encapsulation of ESP
payloads (NAT traversal). When 'off', then the
remote peer is allowed to negotiate normal ESP
encapsulation or UDP encapsulation v… | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.26 |
| hmSec2VpnConnIpsecLifetime Lifetime of IPsec security association in seconds.
The maximum value is 8 hours (28800 seconds). | column | Integer32 | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.27 |
| hmSec2VpnConnIpsecAlgDh Diffie-Hellman key agreement algorithm to be used
for IPsec-SA session key establishment:
o any: accept all algorithms as responder, use all
as IKEv2 initiator (not allow… | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.28 |
| hmSec2VpnConnIpsecAlgMac Integrity (MAC) algorithm to be used in IPsec:
o any: accept all algorithms as responder, use all
as IKEv2 initiator (not allowed as IKEv1 initiator)
o hmacmd5: HMAC-MD5… | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.29 |
| hmSec2VpnConnIkeStartup If this host acts as a responder it does not
initiate a key exchange (IKE) nor connection
parameters negotiation. Otherwise, this host acts
as an initiator - then it initiates an … | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.3 |
| hmSec2VpnConnIpsecAlgEncr Encryption algorithm to be used for payload
encryption in IPsec:
o any: accept all algorithms as responder, use all
as IKEv2 initiator (not allowed as IKEv1 initiator)
o … | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.30 |
| hmSec2VpnConnOperStatus The current operational status of the VPN
connection:
o 'up': the IKE-SA and all IPsec SAs are up;
o 'down': the IKE-SA and all IPsec SAs are down;
o 'negotiation': key exchange a… | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.31 |
| hmSec2VpnConnDesc User defined text. | column | OctetString | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.32 |
| hmSec2VpnConnRowStatus The row status of this table entry. If the row
status is 'active' then it is not allowed to
change any value (this applies also to active
traffic selectors). The maximum number of… | column | SNMPv2-TCRowStatus | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.33 |
| hmSec2VpnConnServiceMode The service mode can be enabled for connections
which shall be established only, when the device
enters service mode
(redundant power supply not connected).
The connection is d… | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.34 |
| hmSec2VpnConnIkeCompat Compatibility mode for older IPsec clients. | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.4 |
| hmSec2VpnConnIkeLifetime Lifetime of IKE security association in seconds.
The maximum value is 24 hours (86400 seconds). | column | Integer32 | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.5 |
| hmSec2VpnConnIkeDpdTimeout If greater than zero, the local peer sends Dead
Peer Detection (DPD) messages (according to RFC
3706) to the remote peer. This value specifies
the timeout in seconds, the remote p… | column | Integer32 | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.6 |
| hmSec2VpnConnIkeLocalAddr Hostname (FQDN) or IP address of local
security gateway. If the value is 'any', then the
primary IP address of external interface is
used. In the case that this address is assigne… | column | OctetString | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.7 |
| hmSec2VpnConnIkeRemoteAddr Typically the hostname (FQDN) or IP address of
remote security gateway. If this value is 'any',
then any IP address is accepted when establishing
an IKE-SA as responder. Also a ne… | column | OctetString | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.8 |
| hmSec2VpnConnIkeAuthType Type of authentication to be used (X.509 RSA
certificates or pre-shared key). | column | Enumeration | .1.3.6.1.4.1.248.52.1.13.1.2.3.1.9 |