CISCO-IPSEC-MIB by vendor Cisco

CISCO-IPSEC-MIB file content

SNMP conveys information and commands between agents and managing entities. It uses the User Datagram Protocol (UDP) as the transport protocol for passing data between managers and agents. UDP is used for two reasons: first, it has low overhead in comparison to TCP, which uses a three-way handshake to set up a connection; second, in congested networks SNMP over TCP is a bad idea because TCP, in order to maintain reliability, will flood the network with retransmissions.

Management information (MIB) is represented as a collection of managed objects. These objects together form a virtual information base called MIB. An agent may implement many MIBs, but all agents must implement a particular MIB called MIB-II [16]. This standard defines variables for things such as interface statistics (interface speeds, MTU, octets sent, octets received, etc.) as well as various other things pertaining to the system itself (system location, system contact, etc.). The main goal of MIB-II is to provide general TCP/IP management information.

Use ActiveXperts Network Monitor 2019 to import vendor-specific MIB files, including CISCO-IPSEC-MIB.


Vendor: Cisco
MIB: CISCO-IPSEC-MIB
Tool: ActiveXperts Network Monitor 2019 (ships with advanced SNMP/MIB tools)
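
An added example, not part of the Cisco module or of the ActiveXperts tooling: the module that follows defines cipsIsakmpPolicyTable together with the EncryptAlgo, IkeHashAlgo, IkeAuthMethod and DiffHellmanGrp enumerations, and this Python code decodes a numeric walk of that table and flags policies that still offer des, md5, dhGroup1 or 'none'. It assumes ciscoExperiment resolves to 1.3.6.1.4.1.9.10; the walk lines and the list of values treated as weak are constructed for the example.

```python
import re

# cipsIsakmpPolicyEntry = ciscoExperiment.62.1.1.5.1
# (assumes ciscoExperiment = 1.3.6.1.4.1.9.10, which CISCO-SMI defines)
POLICY_ENTRY = "1.3.6.1.4.1.9.10.62.1.1.5.1"

# Enumerations copied from the textual conventions in CISCO-IPSEC-MIB.
ENCR = {1: "none", 2: "des", 3: "des3"}
HASH = {1: "none", 2: "md5", 3: "sha"}
AUTH = {1: "none", 2: "preSharedKey", 3: "rsaSig",
        4: "rsaEncrypt", 5: "revPublicKey"}
GROUP = {1: "none", 2: "dhGroup1", 3: "dhGroup2"}

# Column number -> (field name, enumeration or None for a plain integer).
# Column 1 (cipsIsakmpPolPriority) is not-accessible; it appears only as the
# row index at the end of each OID.
COLUMNS = {2: ("encr", ENCR), 3: ("hash", HASH), 4: ("auth", AUTH),
           5: ("group", GROUP), 6: ("lifetime", None)}

# Audit policy chosen for this example (an assumption, not stated in the MIB).
WEAK = {"encr": {"none", "des"}, "hash": {"none", "md5"},
        "auth": {"none"}, "group": {"none", "dhGroup1"}}

# Accepts "INTEGER: 2", "INTEGER: des(2)" and "INTEGER: 3600 seconds".
LINE_RE = re.compile(
    r"^\.?" + re.escape(POLICY_ENTRY) +
    r"\.(\d+)\.(\d+)\s*=\s*INTEGER:\s*"
    r"(?:[A-Za-z]\w*\()?(-?\d+)\)?(?:\s+\w+)?\s*$")

# Constructed sample: numeric-OID walk output for two ISAKMP policies,
# plus one unrelated scalar (cipsIsakmpEnabled) that must be ignored.
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.10.62.1.1.1.0 = INTEGER: 1
.1.3.6.1.4.1.9.10.62.1.1.5.1.2.10 = INTEGER: 3
.1.3.6.1.4.1.9.10.62.1.1.5.1.2.20 = INTEGER: des(2)
.1.3.6.1.4.1.9.10.62.1.1.5.1.3.10 = INTEGER: 3
.1.3.6.1.4.1.9.10.62.1.1.5.1.3.20 = INTEGER: 2
.1.3.6.1.4.1.9.10.62.1.1.5.1.4.10 = INTEGER: 3
.1.3.6.1.4.1.9.10.62.1.1.5.1.4.20 = INTEGER: 2
.1.3.6.1.4.1.9.10.62.1.1.5.1.5.10 = INTEGER: 3
.1.3.6.1.4.1.9.10.62.1.1.5.1.5.20 = INTEGER: 2
.1.3.6.1.4.1.9.10.62.1.1.5.1.6.10 = INTEGER: 86400
.1.3.6.1.4.1.9.10.62.1.1.5.1.6.20 = INTEGER: 3600 seconds
"""


def parse_walk(text):
    """Return {priority: {field: decoded value}} for cipsIsakmpPolicyTable."""
    policies = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a row of the policy table
        column, priority, raw = (int(g) for g in m.groups())
        if column not in COLUMNS:
            continue
        name, enum = COLUMNS[column]
        value = raw if enum is None else enum.get(raw, f"unknown({raw})")
        policies.setdefault(priority, {})[name] = value
    return policies


def audit(policies):
    """Return (priority, field, value) for each weak or undecodable setting."""
    findings = []
    for priority in sorted(policies):
        row = policies[priority]
        for field in ("encr", "hash", "auth", "group"):
            value = row.get(field)
            if value in WEAK[field] or str(value).startswith("unknown("):
                findings.append((priority, field, value))
        # The MIB constrains cipsIsakmpPolLifetime to 60..86400 seconds.
        lifetime = row.get("lifetime")
        if lifetime is not None and not 60 <= lifetime <= 86400:
            findings.append((priority, "lifetime", lifetime))
    return findings


if __name__ == "__main__":
    for priority, field, value in audit(parse_walk(SAMPLE_WALK)):
        print(f"policy {priority}: {field}={value}")
```
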
--
-- * $Source$
-- *------------------------------------------------------------------
-- * CISCO-IPSEC-MIB.my:  IOS-Specific IPSec Configuration 
--                        Monitoring MIB
-- *
-- * April 2000, S Ramakrishnan
-- *
-- * Copyright (c) 2000 by cisco Systems, Inc.
-- * All rights reserved.
-- *
-- *------------------------------------------------------------------

CISCO-IPSEC-MIB DEFINITIONS ::= BEGIN

  -- PREFACE:
  -- CISCO-IPSEC MIB Module defines Cisco
  -- implementation-specific metrics
  -- useful in managing IPsec VPNs on
  -- Cisco boxes. This is to be used as a 
  -- supplement to the standard IPsec MIB 
  -- proposed by Cisco.

  -- DISCLAIMER:
  -- Caution.  This MIB is temporary and experimental.
  -- In the future it will be removed from products,
  -- perhaps with short notice, in favor of more standard
  -- or generic MIBs.  Application developers should not
  -- depend on long-term access to this MIB.

  -- RELATIONSHIP TO CLI:
  -- Information contained in all the MIB elements defined 
  -- in this module are affected by CLI operations, EXCEPT 
  -- where it is explicitly noted to the contrary.


   IMPORTS
	MODULE-IDENTITY,
	OBJECT-TYPE,
	NOTIFICATION-TYPE,
        Counter32, Gauge32, Integer32
                      FROM SNMPv2-SMI

	MODULE-COMPLIANCE, OBJECT-GROUP 
                      FROM SNMPv2-CONF

	DisplayString, TruthValue,
	TEXTUAL-CONVENTION
                FROM SNMPv2-TC

        ifIndex
			 FROM IF-MIB
                  -- FROM RFC1213-MIB
        ciscoExperiment
                FROM CISCO-SMI;


   ciscoIPsecMIB MODULE-IDENTITY
	LAST-UPDATED	"200008071139Z"
	ORGANIZATION	"Cisco Systems, Inc."
	CONTACT-INFO
		"       Cisco Systems
			Enterprise Business Management Unit

		Postal: 170 W Tasman Drive
			San Jose, CA  95134
			USA

		   Tel: +1 800 553-NETS

		E-mail: cs-ipsecurity@cisco.com"
	DESCRIPTION
		"The MIB module for modeling Cisco-specific 
		 IPsec attributes

   	Overview of Cisco IPsec MIB
 
   	MIB description
 
        This MIB models the Cisco implementation-specific 
	attributes of a Cisco entity that implements IPsec. 
	This MIB is complementary to the standard IPsec MIB 
	proposed jointly by Tivoli and Cisco.

   	The ciscoIPsec MIB provides the operational information 
	on Cisco's IPsec tunnelling implementation.  
	The following entities are managed:
    	1) ISAKMP Group:
           a) ISAKMP global parameters
           b) ISAKMP Policy Table

    	2) IPSec Group:
	   a) IPSec Global Parameters
	   b) IPSec Global Traffic Parameters
	   c) Cryptomap Group
	       - Cryptomap Set Table
	       - Cryptomap Table
	       - CryptomapSet Binding Table

    	3) System Capacity & Capability Group:
	   a) Capacity Parameters
	   b) Capability Parameters

    	4) Trap Control Group
    	5) Notifications Group"
	       
	::= { ciscoExperiment 62 }

-- 
-- Textual Conventions
-- 
   CIPsecLifetime ::= TEXTUAL-CONVENTION
      STATUS     current
      DESCRIPTION
         "Value in units of seconds"
      SYNTAX  Gauge32(120..86400)

   CIPsecLifesize ::= TEXTUAL-CONVENTION
      STATUS     current
      DESCRIPTION
         "Value in units of kilobytes"
      SYNTAX  Gauge32(2560..536870912)

   CIPsecNumCryptoMaps ::= TEXTUAL-CONVENTION
      STATUS     current
      DESCRIPTION
         "Integral units representing count of cryptomaps"
      SYNTAX  Gauge32(0..2147483647)


    CryptomapType ::= TEXTUAL-CONVENTION
    STATUS     current
    DESCRIPTION
         "The type of a cryptomap entry. Cryptomap 
         is a unit of IOS IPSec policy specification."
    SYNTAX INTEGER {
                cryptomapTypeNONE(0),
                cryptomapTypeMANUAL(1),
                cryptomapTypeISAKMP(2),
                cryptomapTypeCET(3),
                cryptomapTypeDYNAMIC(4),
                cryptomapTypeDYNAMICDISCOVERY(5)
             }


   CryptomapSetBindStatus  ::= TEXTUAL-CONVENTION
   STATUS     current
   DESCRIPTION
     "The status of the binding of a cryptomap set 
    to the specified interface. The value when queried
    is always 'attached'. When set to 'detached', the 
    cryptomap set is detached from the specified interface.
    Setting the value to 'attached' will result in 
    SNMP General Error."
   SYNTAX INTEGER {
                unknown(0),
                attached(1),
                detached(2)
             }

    IPSIpAddress ::= TEXTUAL-CONVENTION
    STATUS     current
    DESCRIPTION
         "An IP V4 or V6 Address."
    SYNTAX  OCTET STRING(SIZE(4 | 16))
                    -- IP V4 or V6 Address


   IkeHashAlgo   ::= TEXTUAL-CONVENTION
      STATUS     current
      DESCRIPTION
         "The hash algorithm used in IPsec Phase-1 
	 IKE negotiations."
      SYNTAX INTEGER {
                none(1),
                md5(2),
                sha(3)
             }

   IkeAuthMethod ::= TEXTUAL-CONVENTION
      STATUS     current
      DESCRIPTION
         "The authentication method used in IPsec Phase-1 IKE
          negotiations."
      SYNTAX INTEGER {
                none(1),
                preSharedKey(2),
                rsaSig(3),
                rsaEncrypt(4),
                revPublicKey(5)
             }

   IkeIdentityType ::= TEXTUAL-CONVENTION
      STATUS     current
      DESCRIPTION
         "The type of identity used by the local entity to
        identify itself to the peer with which it performs
        IPSec Main Mode negotiations. This type decides the
        content of the Identification payload in the
	Main Mode of IPSec tunnel setup."
      SYNTAX INTEGER {
                isakmpIdTypeUNKNOWN(0),
                isakmpIdTypeADDRESS(1),
                isakmpIdTypeHOSTNAME(2)
             }

   DiffHellmanGrp ::= TEXTUAL-CONVENTION
      STATUS     current
      DESCRIPTION
         "The Diffie Hellman Group used in negotiations."
      SYNTAX INTEGER {
                none(1),
                dhGroup1(2),
                dhGroup2(3)
             }

   EncryptAlgo   ::= TEXTUAL-CONVENTION
   STATUS     current
   DESCRIPTION
         "The encryption algorithm used in negotiations."
   SYNTAX INTEGER {
                none(1),
                des(2),
                des3(3)
             }

   TrapStatus    ::= TEXTUAL-CONVENTION
   STATUS     current
   DESCRIPTION
         "The administrative status for sending a TRAP."
   SYNTAX INTEGER {
                enabled(1),
                disabled(2)
             }
 



-- Objects, Notifications & Conformances

   ciscoIPsecMIBObjects     OBJECT IDENTIFIER  
               ::= { ciscoIPsecMIB 1 }
   ciscoIPsecMIBNotificationPrefix OBJECT IDENTIFIER 
               ::= {ciscoIPsecMIB 2}
   ciscoIPsecMIBConformance OBJECT IDENTIFIER 
               ::= {ciscoIPsecMIB 3}

-- 
-- Cisco IPSec MIB Object Groups
--
-- This MIB module contains the following groups:
-- 1) Cisco ISAKMP Group
-- 2) Cisco IPSec Group 
--    2a) Cisco IPSec Global Parameters
--    2b) Cisco IPSec Statistics
--    2c) Cisco IPSec Cryptomap Group
--         (i)  Statically Defined Cryptomap Sets 
--         (ii) Wild-carded Cryptomap Sets (Dynamic templates)
-- 3) Cisco IPsec Notifications Group
-- 4) Module Conformance
-- 

   cipsIsakmpGroup OBJECT IDENTIFIER  
              ::= { ciscoIPsecMIBObjects 1 }

   cipsIPsecGroup OBJECT IDENTIFIER  
              ::= { ciscoIPsecMIBObjects 2 }

   cipsIPsecGlobals OBJECT IDENTIFIER  
              ::= { cipsIPsecGroup 1 }

   cipsIPsecStatistics OBJECT IDENTIFIER  
              ::= { cipsIPsecGroup 2 }

   cipsCryptomapGroup   OBJECT IDENTIFIER  
              ::= { cipsIPsecGroup 3 }

   cipsSysCapacityGroup OBJECT IDENTIFIER  
              ::= { ciscoIPsecMIBObjects 3 }

   cipsTrapCntlGroup OBJECT IDENTIFIER  
                  ::= { ciscoIPsecMIBObjects 4 }

-- 
-- 
-- IOS ISAKMP Configuration Section
-- 
-- 
   cipsIsakmpEnabled  OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
          "The value of this object is TRUE if ISAKMP
	has been enabled on the managed entity. Otherwise
	the value of this object is FALSE."

        ::= { cipsIsakmpGroup 1 }

   cipsIsakmpIdentity OBJECT-TYPE
        SYNTAX IkeIdentityType 
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
        "The value of this object shows the type of
	identity used by the managed entity in ISAKMP
	negotiations with another peer."
        ::= { cipsIsakmpGroup 2 }

   cipsIsakmpKeepaliveInterval OBJECT-TYPE
        SYNTAX Integer32(10..3600)
	UNITS "seconds"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
        "The value of this object is time interval in
	seconds between successive ISAKMP keepalive
	heartbeats issued to the peers to which IKE
	tunnels have been setup."
        ::= { cipsIsakmpGroup 3 }

   cipsNumIsakmpPolicies OBJECT-TYPE
        SYNTAX Integer32(1..2147483647)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
          "The value of this object is the number of
	ISAKMP policies that have been configured on the 
	managed entity."
        ::= { cipsIsakmpGroup 4 }

-- 
-- Cisco ISAKMP Policy Entries
-- 
   cipsIsakmpPolicyTable OBJECT-TYPE
      SYNTAX SEQUENCE OF CipsIsakmpPolicyEntry 
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
       "The table containing the list of all
       ISAKMP policy entries configured by the operator."
        ::= { cipsIsakmpGroup 5 }

   cipsIsakmpPolicyEntry OBJECT-TYPE
      SYNTAX CipsIsakmpPolicyEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "Each entry contains the attributes 
	 associated with a single ISAKMP
	 Policy entry."
      INDEX { cipsIsakmpPolPriority }
      ::= { cipsIsakmpPolicyTable 1 }

   CipsIsakmpPolicyEntry ::= SEQUENCE {
      cipsIsakmpPolPriority Integer32,
      cipsIsakmpPolEncr EncryptAlgo,
      cipsIsakmpPolHash IkeHashAlgo,
      cipsIsakmpPolAuth IkeAuthMethod,
      cipsIsakmpPolGroup DiffHellmanGrp,
      cipsIsakmpPolLifetime Integer32
   }

   cipsIsakmpPolPriority OBJECT-TYPE
      SYNTAX Integer32(0..65535)
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
      "The priority of this ISAKMP Policy entry.
      This is also the index of this table."
      ::= { cipsIsakmpPolicyEntry 1 }

   cipsIsakmpPolEncr OBJECT-TYPE
      SYNTAX EncryptAlgo
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The encryption transform specified by this 
      ISAKMP policy specification. The Internet Key Exchange
      (IKE) tunnels setup using this policy item would
      use the specified encryption transform to protect the
      ISAKMP PDUs."
      ::= { cipsIsakmpPolicyEntry 2 }

   cipsIsakmpPolHash OBJECT-TYPE
      SYNTAX IkeHashAlgo
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The hash transform specified by this 
      ISAKMP policy specification. The IKE tunnels
      setup using this policy item would use the 
      specified hash transform to protect the
      ISAKMP PDUs."
      ::= { cipsIsakmpPolicyEntry 3 }

   cipsIsakmpPolAuth OBJECT-TYPE
      SYNTAX IkeAuthMethod
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The peer authentication method specified by
      this ISAKMP policy specification. If this policy
      entity is selected for negotiation with a peer,
      the local entity would authenticate the peer using 
      the method specified by this object."
      ::= { cipsIsakmpPolicyEntry 4 }


   cipsIsakmpPolGroup OBJECT-TYPE
      SYNTAX DiffHellmanGrp
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "This object specifies the Oakley group used 
      for Diffie Hellman exchange in the Main Mode. 
      If this policy item is selected to negotiate
      Main Mode with an IKE peer, the local entity 
      chooses the group specified by this object to
      perform Diffie Hellman exchange with the
      peer."
      ::= { cipsIsakmpPolicyEntry 5 }

   cipsIsakmpPolLifetime OBJECT-TYPE
      SYNTAX Integer32(60..86400)
      UNITS "seconds"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "This object specifies the lifetime in seconds
      of the IKE tunnels generated using this 
      policy specification."
      ::= { cipsIsakmpPolicyEntry 6 }

-- 
-- Cisco IPsec Global Configuration Group
-- 
   cipsSALifetime  OBJECT-TYPE
        SYNTAX CIPsecLifetime
	UNITS 	    "Seconds"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The default lifetime (in seconds) assigned 
	    to an SA as a global policy (may be overridden 
	    in specific cryptomap definitions)."
        ::= { cipsIPsecGlobals 1 }

   cipsSALifesize  OBJECT-TYPE
        SYNTAX      CIPsecLifesize
	UNITS 	    "KBytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
        "The default lifesize in KBytes assigned to an SA 
	as a global policy (unless overridden in cryptomap 
	definition)"
        ::= { cipsIPsecGlobals 2 }

   cipsNumStaticCryptomapSets  OBJECT-TYPE
        SYNTAX      CIPsecNumCryptoMaps
	UNITS 	    "Integral Units"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
        "The number of Cryptomap Sets that are fully
	configured. Statically defined cryptomap sets 
	are ones where the operator has fully specified
	all the parameters required to set up IPSec 
	Virtual Private Networks (VPNs)."
        ::= { cipsIPsecGlobals 3 }

   cipsNumCETCryptomapSets  OBJECT-TYPE
        SYNTAX      CIPsecNumCryptoMaps
	UNITS 	    "Integral Units"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
        "The number of static Cryptomap Sets that have 
	 at least one CET cryptomap element
	 as a member of the set."
        ::= { cipsIPsecGlobals 4 }

   cipsNumDynamicCryptomapSets  OBJECT-TYPE
        SYNTAX      CIPsecNumCryptoMaps
	UNITS 	    "Integral Units"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
        "The number of dynamic IPSec Policy templates
         (called 'dynamic cryptomap templates') configured
         on the managed entity."
        ::= { cipsIPsecGlobals 5 }

   cipsNumTEDCryptomapSets  OBJECT-TYPE
        SYNTAX      CIPsecNumCryptoMaps
	UNITS 	    "Integral Units"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
        "The number of static Cryptomap Sets that have 
	 at least one dynamic cryptomap template 
	 bound to them which has the Tunnel Endpoint Discovery
	 (TED) enabled."
        ::= { cipsIPsecGlobals 6 }


-- 
-- Cisco IPsec Cryptomap Statistics Group
-- 
   cipsNumTEDProbesReceived  OBJECT-TYPE
        SYNTAX      Counter32
	UNITS 	    "Integral Units"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
        "The number of TED probes that were received by this 
	managed entity since bootup. Not affected by any 
	CLI operation."
        ::= { cipsIPsecStatistics 1 }

   cipsNumTEDProbesSent  OBJECT-TYPE
        SYNTAX      Counter32
	UNITS 	    "Integral Units"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
        "The number of TED probes that were dispatched by all
        the dynamic cryptomaps in this managed entity since 
        bootup. Not affected by any CLI operation."
        ::= { cipsIPsecStatistics 2 }

   cipsNumTEDFailures  OBJECT-TYPE
        SYNTAX      Counter32
	UNITS 	    "Integral Units"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
        "The number of TED probes that were dispatched by 
        the local entity and that failed to locate crypto 
        endpoint.  Not affected by any CLI operation."
        ::= { cipsIPsecStatistics 3 }

-- 
-- Cisco IPsec System Capacity/Capability Group
-- 

   cipsMaxSAs  OBJECT-TYPE
        SYNTAX      INTEGER(0..65535)
	UNITS 	    "Integral Units"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
          "The maximum number of IPsec Security Associations
	that can be established on this managed entity.
	If no theoretical limit exists, this
	returns value 0.

        Not affected by any CLI operation."
        ::= { cipsSysCapacityGroup 1 }

   cips3DesCapable  OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
          "The value of this object is TRUE if the 
	managed entity has the hardware and software 
	features to support 3DES encryption algorithm.

        Not affected by any CLI operation."
        ::= { cipsSysCapacityGroup 2 }


-- 
--  IOS IPSec Configuration Group 
--

-- 
-- Cisco IPSec Static Cryptomaps Metrics
-- 
   cipsStaticCryptomapSetTable OBJECT-TYPE
      SYNTAX SEQUENCE OF CipsStaticCryptomapSetEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
       "The table containing the list of all
       cryptomap sets that are fully specified
       and are not wild-carded.

       The operator may include different types of
       cryptomaps in such a set - manual, CET,
       ISAKMP or dynamic."
     ::= { cipsCryptomapGroup 1 }

   cipsStaticCryptomapSetEntry OBJECT-TYPE
      SYNTAX CipsStaticCryptomapSetEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "Each entry contains the attributes 
	 associated with a single static 
	 cryptomap set."
      INDEX { cipsStaticCryptomapSetName }
      ::= { cipsStaticCryptomapSetTable 1}

   CipsStaticCryptomapSetEntry ::= SEQUENCE {
      cipsStaticCryptomapSetName DisplayString,
      cipsStaticCryptomapSetSize Gauge32,
      cipsStaticCryptomapSetNumIsakmp Gauge32,
      cipsStaticCryptomapSetNumManual Gauge32,
      cipsStaticCryptomapSetNumCET Gauge32,
      cipsStaticCryptomapSetNumDynamic Gauge32,
      cipsStaticCryptomapSetNumDisc Gauge32,
      cipsStaticCryptomapSetNumSAs Gauge32
   }

   cipsStaticCryptomapSetName OBJECT-TYPE
      SYNTAX DisplayString
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
      "The index of the static cryptomap table. The value 
      of the string is the name string assigned by the 
      operator in defining the cryptomap set."
      ::= { cipsStaticCryptomapSetEntry 1 }

   cipsStaticCryptomapSetSize OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The total number of cryptomap entries contained in
	  this cryptomap set. 
	  "
      ::= { cipsStaticCryptomapSetEntry 2 }

   cipsStaticCryptomapSetNumIsakmp OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The number of cryptomaps associated with this 
      cryptomap set that use ISAKMP protocol to do key
      exchange."
      ::= { cipsStaticCryptomapSetEntry 3 }

   cipsStaticCryptomapSetNumManual OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The number of cryptomaps associated with this 
      cryptomap set that require the operator to manually
      setup the keys and SPIs."
      ::= { cipsStaticCryptomapSetEntry 4 }

   cipsStaticCryptomapSetNumCET OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The number of cryptomaps of type 'ipsec-cisco' 
       associated with this cryptomap set. Such
       cryptomap elements implement Cisco Encryption Technology
       based Virtual Private Networks."
      ::= { cipsStaticCryptomapSetEntry 5 }

   cipsStaticCryptomapSetNumDynamic OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The number of dynamic cryptomap templates
       linked to this cryptomap set."
      ::= { cipsStaticCryptomapSetEntry 6 }

   cipsStaticCryptomapSetNumDisc OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The number of dynamic cryptomap templates
       linked to this cryptomap set that have Tunnel Endpoint
       Discovery (TED) enabled."
      ::= { cipsStaticCryptomapSetEntry 7 }


   cipsStaticCryptomapSetNumSAs OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The number of IPsec Security Associations
       that are active and were setup using this cryptomap.  "

      ::= { cipsStaticCryptomapSetEntry 8 }


-- 
-- Cisco IPSec Dynamic Cryptomaps Group
-- 
   cipsDynamicCryptomapSetTable OBJECT-TYPE
      SYNTAX SEQUENCE OF CipsDynamicCryptomapSetEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "The table containing the list of all dynamic
          cryptomaps that use IKE, defined on 
	  the managed entity."
     ::= { cipsCryptomapGroup 2 }

   cipsDynamicCryptomapSetEntry OBJECT-TYPE
      SYNTAX CipsDynamicCryptomapSetEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
      "Each entry contains the attributes associated
      with a single dynamic cryptomap template."
      INDEX { cipsDynamicCryptomapSetName }
      ::= {  cipsDynamicCryptomapSetTable 1 }

   CipsDynamicCryptomapSetEntry ::= SEQUENCE {
      cipsDynamicCryptomapSetName DisplayString,
      cipsDynamicCryptomapSetSize Gauge32,
      cipsDynamicCryptomapSetNumAssoc Gauge32
   }

   cipsDynamicCryptomapSetName OBJECT-TYPE
      SYNTAX DisplayString
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "The index of the dynamic cryptomap table. 
	 The value of the string is the one assigned 
	 by the operator in defining the cryptomap set."
      ::= { cipsDynamicCryptomapSetEntry 1 }


   cipsDynamicCryptomapSetSize OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The number of cryptomap entries in this cryptomap."
      ::= { cipsDynamicCryptomapSetEntry 2 }

   cipsDynamicCryptomapSetNumAssoc OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of static cryptomap sets with which
	  this dynamic cryptomap is associated.  "
      ::= { cipsDynamicCryptomapSetEntry 3 }

-- 
-- Cisco IPSec Static Cryptomap Table
-- 
   cipsStaticCryptomapTable OBJECT-TYPE
      SYNTAX SEQUENCE OF CipsStaticCryptomapEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
       "The table listing the member cryptomaps
       of the cryptomap sets that are configured
       on the managed entity."
     ::= { cipsCryptomapGroup 3 }

   cipsStaticCryptomapEntry OBJECT-TYPE
      SYNTAX CipsStaticCryptomapEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "Each entry contains the attributes 
	 associated with a single static 
	 (fully specified) cryptomap entry.
	 This table does not include the members 
	 of dynamic cryptomap sets that may be
	 linked with the parent static cryptomap set."
      INDEX { cipsStaticCryptomapSetName, -- from Cryptomap Set Table
              cipsStaticCryptomapPriority  }
      ::= { cipsStaticCryptomapTable 1}

   CipsStaticCryptomapEntry ::= SEQUENCE {
      cipsStaticCryptomapPriority Integer32,
      cipsStaticCryptomapType CryptomapType,
      cipsStaticCryptomapDescr DisplayString,
      cipsStaticCryptomapPeer IPSIpAddress,
      cipsStaticCryptomapNumPeers Integer32,
      cipsStaticCryptomapPfs DiffHellmanGrp,
      cipsStaticCryptomapLifetime Integer32,
      cipsStaticCryptomapLifesize Integer32,
      cipsStaticCryptomapLevelHost TruthValue
   }

   cipsStaticCryptomapPriority OBJECT-TYPE
      SYNTAX Integer32(0..65535)
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
      "The priority of the cryptomap entry in the 
      cryptomap set. This is the second index component
      of this table."
      ::= { cipsStaticCryptomapEntry 1 }

   cipsStaticCryptomapType OBJECT-TYPE
      SYNTAX CryptomapType
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The type of the cryptomap entry. This can be an ISAKMP
      cryptomap, CET or manual. Dynamic cryptomaps are not
      counted in this table."
      ::= { cipsStaticCryptomapEntry 2 }

   cipsStaticCryptomapDescr OBJECT-TYPE
      SYNTAX DisplayString
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The description string entered by the operator
      while creating this cryptomap. The string generally
      identifies a description and the purpose of this
      policy."
      ::= { cipsStaticCryptomapEntry 3 }

   cipsStaticCryptomapPeer OBJECT-TYPE
      SYNTAX IPSIpAddress
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The IP address of the current peer associated with 
      this IPSec policy item. Traffic that is protected by
      this cryptomap is protected by a tunnel that terminates
      at the device whose IP address is specified by this
      object."
      ::= { cipsStaticCryptomapEntry 4 }

   cipsStaticCryptomapNumPeers OBJECT-TYPE
      SYNTAX Integer32(0..40)
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The number of peers associated with this cryptomap 
       entry. The peers other than the one identified by 
      'cipsStaticCryptomapPeer' are backup peers. 
      
      Manual cryptomaps may have only one peer."
      ::= { cipsStaticCryptomapEntry 5 }


   cipsStaticCryptomapPfs OBJECT-TYPE
      SYNTAX DiffHellmanGrp
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "This object identifies if the tunnels instantiated
      due to this policy item should use Perfect Forward Secrecy 
      (PFS) and if so, what group of Oakley they should use."
      ::= { cipsStaticCryptomapEntry 6 }

   cipsStaticCryptomapLifetime OBJECT-TYPE
      SYNTAX Integer32(0|120..86400)
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "This object identifies the lifetime of the IPSec
      Security Associations (SA) created using this IPSec policy
      entry. If this value is zero, the lifetime assumes the 
      value specified by the global lifetime parameter."
      ::= { cipsStaticCryptomapEntry 7 }

   cipsStaticCryptomapLifesize OBJECT-TYPE
      SYNTAX Integer32(0|2560..536870912)
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "This object identifies the lifesize (maximum traffic
      in bytes that may be carried) of the IPSec SAs
      created using this IPSec policy entry. 
      If this value is zero, the lifetime assumes the 
      value specified by the global lifesize parameter."
      ::= { cipsStaticCryptomapEntry 8 }

   cipsStaticCryptomapLevelHost OBJECT-TYPE
      SYNTAX TruthValue
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "This object identifies the granularity of the
      IPSec SAs created using this IPSec policy entry. 
      If this value is TRUE, distinct SA bundles are created
      for distinct hosts at the end of the application traffic."
      ::= { cipsStaticCryptomapEntry 9 }


-- 
-- Cisco IPSec Cryptomap Set Binding Table
-- 
   cipsCryptomapSetIfTable OBJECT-TYPE
      SYNTAX SEQUENCE OF CipsCryptomapSetIfEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
       "The table lists the binding of cryptomap sets
       to the interfaces of the managed entity."
     ::= { cipsCryptomapGroup 4 }

   cipsCryptomapSetIfEntry OBJECT-TYPE
      SYNTAX CipsCryptomapSetIfEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "Each entry contains the record of
	 the association between an interface
	 and a cryptomap set (static) that is defined
	 on the managed entity.

	 Note that the cryptomap set identified in 
         this binding must be static. Dynamic cryptomaps cannot
	 be bound to interfaces."
      INDEX { ifIndex, -- from IF table
              cipsStaticCryptomapSetName  }
      ::= { cipsCryptomapSetIfTable 1}

   CipsCryptomapSetIfEntry ::= SEQUENCE {
      cipsCryptomapSetIfVirtual TruthValue,
      cipsCryptomapSetIfStatus CryptomapSetBindStatus
   }

   cipsCryptomapSetIfVirtual OBJECT-TYPE
      SYNTAX TruthValue
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
      "The value of this object identifies if the
      interface to which the cryptomap set is attached
      is a tunnel (such as a GRE or PPTP tunnel)."
      ::= { cipsCryptomapSetIfEntry 1 }

   cipsCryptomapSetIfStatus OBJECT-TYPE
      SYNTAX CryptomapSetBindStatus
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
       "This object identifies the status of the binding 
      of the specified cryptomap set with the specified
      interface. The value when queried is always 'attached'. 
      When set to 'detached', the cryptomap set is detached 
      from the specified interface. The effect of this is same 
      as the CLI command

	config-if# no crypto map cryptomapSetName

      Setting the value to 'attached' will result in 
      SNMP General Error."
      ::= { cipsCryptomapSetIfEntry 2 }

-- 
-- IOS-IPsec TRAP Control Group
--
-- This group of objects controls the sending of 
-- IOS-specific IPsec TRAPs.
-- 
   cipsCntlIsakmpPolicyAdded OBJECT-TYPE
      SYNTAX TrapStatus
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "This object defines the administrative state of 
	 sending the IOS IPsec ISAKMP Policy Add trap."
      DEFVAL { disabled }
      ::= { cipsTrapCntlGroup 1 }

   cipsCntlIsakmpPolicyDeleted OBJECT-TYPE
      SYNTAX TrapStatus
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "This object defines the administrative state of 
	 sending the IOS IPsec ISAKMP Policy Delete trap."
      DEFVAL { disabled }
      ::= { cipsTrapCntlGroup 2 }

   cipsCntlCryptomapAdded OBJECT-TYPE
      SYNTAX TrapStatus
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "This object defines the administrative state of 
	 sending the IOS IPsec Cryptomap Add trap."
      DEFVAL { disabled }
      ::= { cipsTrapCntlGroup 3 }

   cipsCntlCryptomapDeleted OBJECT-TYPE
      SYNTAX TrapStatus
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "This object defines the administrative state of 
	 sending the IOS IPsec Cryptomap Delete trap."
      DEFVAL { disabled }
      ::= { cipsTrapCntlGroup 4 }

   cipsCntlCryptomapSetAttached OBJECT-TYPE
      SYNTAX TrapStatus
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "This object defines the administrative state of 
	 sending the IOS IPsec trap that is issued
	 when a cryptomap set is attached to an interface."
      DEFVAL { disabled }
      ::= { cipsTrapCntlGroup 5 }

   cipsCntlCryptomapSetDetached OBJECT-TYPE
      SYNTAX TrapStatus
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "This object defines the administrative state of 
	 sending the IOS IPsec trap that is issued
	 when a cryptomap set is detached from an interface
	 to which it was earlier bound."
      DEFVAL { disabled }
      ::= { cipsTrapCntlGroup 6 }

   cipsCntlTooManySAs OBJECT-TYPE
      SYNTAX TrapStatus
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION
         "This object defines the administrative state of 
	 sending the IOS IPsec trap that is issued
	 when the number of SAs crosses the maximum
	 number of SAs that may be supported on
	 the managed entity."
      DEFVAL { disabled }
      ::= { cipsTrapCntlGroup 7 }
-- 
-- Cisco-specific IPSec Notifications
-- 
   cipsMIBNotifications OBJECT IDENTIFIER 
        ::= { ciscoIPsecMIBNotificationPrefix 0 }

   cipsIsakmpPolicyAdded NOTIFICATION-TYPE
      OBJECTS { 
          cipsNumIsakmpPolicies
      }
      STATUS  current
      DESCRIPTION
      "This trap is generated when a new ISAKMP
      policy element is defined on the managed entity.
      The context of the event includes the updated
      number of ISAKMP policy elements currently available."
	                       
      ::= { cipsMIBNotifications 1 }

   cipsIsakmpPolicyDeleted NOTIFICATION-TYPE
      OBJECTS { 
          cipsNumIsakmpPolicies
      }
      STATUS  current
      DESCRIPTION
      "This trap is generated when an existing ISAKMP
      policy element is deleted on the managed entity.
      The context of the event includes the updated
      number of ISAKMP policy elements currently available."
	                       
      ::= { cipsMIBNotifications 2 }

   cipsCryptomapAdded NOTIFICATION-TYPE
      OBJECTS { 
          cipsStaticCryptomapType,
          cipsStaticCryptomapSetSize
      }
      STATUS  current
      DESCRIPTION
      "This trap is generated when a new cryptomap is
      added to the specified cryptomap set."
	                       
      ::= { cipsMIBNotifications 3 }

   cipsCryptomapDeleted NOTIFICATION-TYPE
      OBJECTS { 
          cipsStaticCryptomapSetSize
      }
      STATUS  current
      DESCRIPTION
      "This trap is generated when a cryptomap is
      removed from the specified cryptomap set."
	                       
      ::= { cipsMIBNotifications 4 }

   cipsCryptomapSetAttached NOTIFICATION-TYPE
      OBJECTS { 
        cipsStaticCryptomapSetSize,
        cipsStaticCryptomapSetNumIsakmp,
        cipsStaticCryptomapSetNumDynamic
      }
      STATUS  current
      DESCRIPTION
         "A cryptomap set must be attached to an interface
	 of the device in order for it to be operational.
	 This trap is generated when the cryptomap set is
         attached to an active interface of the managed entity.

	 The context of the notification includes:
   	    Size of the attached cryptomap set,
   	    Number of ISAKMP cryptomaps in the set and
   	    Number of Dynamic cryptomaps in the set."
      ::= { cipsMIBNotifications 5 }

   cipsCryptomapSetDetached NOTIFICATION-TYPE
      OBJECTS { 
         cipsStaticCryptomapSetSize
      }
      STATUS  current
      DESCRIPTION
      "This trap is generated when a cryptomap set is
      detached from an interface to which it was
      bound earlier. The context of the event identifies the
      size of the cryptomap set."
      ::= { cipsMIBNotifications 6 }
	                       

   cipsTooManySAs NOTIFICATION-TYPE
      OBJECTS { 
	cipsMaxSAs
      }
      STATUS  current
      DESCRIPTION
      "This trap is generated when an attempt is made to 
      set up a new SA while the number of currently active SAs 
      equals the maximum configurable.  The variables are:
	     cipsMaxSAs"
	                       
      ::= { cipsMIBNotifications 7 }

-- 
-- Cisco IPsec Module Compliance
-- 

cipsMIBConformances OBJECT IDENTIFIER 
                    ::= { ciscoIPsecMIBConformance 1 }

cipsMIBGroups OBJECT IDENTIFIER
                    ::= { ciscoIPsecMIBConformance 2 }

cipsMIBCompliance MODULE-COMPLIANCE
        STATUS  current
        DESCRIPTION
           "The compliance statement for entities which
            implement the Cisco IPsec MIB"
        MODULE  -- this module
                MANDATORY-GROUPS {
                 cipsMIBConfIsakmpGroup,
                 cipsMIBConfIPSecGlobalsGroup,
                 cipsMIBConfCapacityGroup,
                 cipsMIBStaticCryptomapGroup,
                 cipsMIBMandatoryNotifCntlGroup
		}
          
        OBJECT   cipsCntlIsakmpPolicyAdded
        MIN-ACCESS read-only
        DESCRIPTION
          "Write access is not required."

        OBJECT   cipsCntlIsakmpPolicyDeleted
        MIN-ACCESS read-only
        DESCRIPTION
          "Write access is not required."

        OBJECT   cipsCntlCryptomapAdded
        MIN-ACCESS read-only
        DESCRIPTION
          "Write access is not required."

        OBJECT   cipsCntlCryptomapDeleted
        MIN-ACCESS read-only
        DESCRIPTION
          "Write access is not required."

        OBJECT   cipsCntlCryptomapSetAttached
        MIN-ACCESS read-only
        DESCRIPTION
          "Write access is not required."

        OBJECT   cipsCntlCryptomapSetDetached
        MIN-ACCESS read-only
        DESCRIPTION
          "Write access is not required."

        OBJECT   cipsCntlTooManySAs
        MIN-ACCESS read-only
        DESCRIPTION
          "Write access is not required."

        ::= { cipsMIBConformances 1 }

-- 
-- MIB Groups (Units of Conformance)
-- 
cipsMIBConfIsakmpGroup OBJECT-GROUP
        OBJECTS {
                cipsIsakmpEnabled,
                cipsIsakmpIdentity,
                cipsIsakmpKeepaliveInterval,
                cipsNumIsakmpPolicies
		-- cipsIsakmpPolPriority,
                -- cipsIsakmpPolEncr,
                -- cipsIsakmpPolHash,
                -- cipsIsakmpPolAuth,
                -- cipsIsakmpPolGroup,
                -- cipsIsakmpPolLifetime
	}
	STATUS  current
	DESCRIPTION
	"A collection of objects providing Global
         ISAKMP policy monitoring capability to a 
	 Cisco IPsec capable VPN router."
        ::= { cipsMIBGroups 1 }

cipsMIBConfIPSecGlobalsGroup OBJECT-GROUP
        OBJECTS {
                cipsSALifetime,
                cipsSALifesize
	}
	STATUS  current
	DESCRIPTION
	"A collection of objects providing Global
         IPSec policy monitoring capability to a 
	 Cisco IPsec capable VPN router."
        ::= { cipsMIBGroups 2 }


cipsMIBConfCapacityGroup OBJECT-GROUP
        OBJECTS {
                cipsMaxSAs,
                cips3DesCapable
	}
	STATUS  current
	DESCRIPTION
		"A collection of objects providing IPsec
                System Capacity monitoring capability to
		a Cisco IPsec capable VPN router."
        ::= { cipsMIBGroups 3 }

cipsMIBStaticCryptomapGroup OBJECT-GROUP
        OBJECTS {
                cipsStaticCryptomapSetSize,
		cipsStaticCryptomapSetNumIsakmp,
		cipsStaticCryptomapSetNumCET,
		cipsStaticCryptomapSetNumSAs
	}
	STATUS  current
	DESCRIPTION
		"A collection of objects instrumenting
                the properties of the Static (fully specified) 
                Cryptomap Sets on an IPsec-capable 
                IOS router."
        ::= { cipsMIBGroups 4 }

cipsMIBManualCryptomapGroup OBJECT-GROUP
        OBJECTS {
		cipsStaticCryptomapSetNumManual
	}
	STATUS  current
	DESCRIPTION
		"A collection of objects instrumenting
                the properties of the Manual Cryptomap entries
		on a Cisco IPsec capable IOS router."
        ::= { cipsMIBGroups 5 }


cipsMIBDynamicCryptomapGroup OBJECT-GROUP
        OBJECTS {
                cipsNumTEDProbesReceived,
                cipsNumTEDProbesSent,
		cipsNumTEDFailures,
		--
		cipsStaticCryptomapSetNumDynamic,
		cipsStaticCryptomapSetNumDisc,
                cipsNumTEDCryptomapSets,
                cipsDynamicCryptomapSetSize,
                cipsDynamicCryptomapSetNumAssoc
	}
	STATUS  current
	DESCRIPTION
		"A collection of objects instrumenting
                the properties of the Dynamic Cryptomap group
		on a Cisco IPsec capable IOS router."
        ::= { cipsMIBGroups 6 }

cipsMIBMandatoryNotifCntlGroup OBJECT-GROUP
        OBJECTS {
          cipsCntlIsakmpPolicyAdded,
          cipsCntlIsakmpPolicyDeleted,
          cipsCntlCryptomapAdded,
          cipsCntlCryptomapDeleted,
          cipsCntlCryptomapSetAttached,
          cipsCntlCryptomapSetDetached,
          cipsCntlTooManySAs
	}
	STATUS  current
	DESCRIPTION
	 "A collection of objects providing IPsec
         Notification capability to an IPsec-capable
	 IOS router. It is mandatory to implement
	 this set of objects pertaining to
	 IOS notifications about IPSec activity."

        ::= { cipsMIBGroups 7 }

--cipsMIBOptionalNotificationGroup NOTIFICATION-GROUP
--        NOTIFICATIONS {
--           cipsIsakmpPolicyAdded,
--           cipsIsakmpPolicyDeleted,
--           cipsCryptomapAdded,
--           cipsCryptomapDeleted,
--           cipsCryptomapSetAttached,
--           cipsCryptomapSetDetached,
--           cipsTooManySAs
--	}
--	STATUS  current
--	DESCRIPTION
--	"A collection of objects providing IPsec
--       Notification capability to an IPsec-capable 
--	IOS router. This set of notifications is optional."
--        ::= { cipsMIBGroups 8 }


END
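
Added example (not part of the Cisco MIB or of this page's tooling): the module above makes cipsCryptomapSetIfStatus writable, so an SNMP set of 'detached' has the same effect as "no crypto map", while the trap that would report it (cipsCntlCryptomapSetDetached) defaults to disabled. The Python sketch below parses OBJECT-TYPE definitions and flags both conditions; the function names, the finding labels and the exampleReadOnlyCounter object are assumptions made for illustration.

```python
import re

# Abridged from the MIB above (DESCRIPTION text shortened). The last object is
# constructed for contrast and is not part of CISCO-IPSEC-MIB.
MIB_EXCERPT = """
   cipsCryptomapSetIfStatus OBJECT-TYPE
      SYNTAX CryptomapSetBindStatus
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION "Set to 'detached' to unbind the cryptomap set."
      ::= { cipsCryptomapSetIfEntry 2 }
   cipsCntlCryptomapSetDetached OBJECT-TYPE
      SYNTAX TrapStatus
      MAX-ACCESS read-write
      STATUS current
      DESCRIPTION "Controls the cryptomap-set-detached trap."
      DEFVAL { disabled }
      ::= { cipsTrapCntlGroup 6 }
   exampleReadOnlyCounter OBJECT-TYPE  -- constructed; not MAX-ACCESS read-write
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION "Constructed read-only object."
      ::= { exampleGroup 1 }
"""

OBJ_RE = re.compile(r"(\w[\w-]*)\s+OBJECT-TYPE\s+(SYNTAX\b.*?)::=\s*\{\s*([\w-]+)\s+(\d+)\s*\}", re.S)

def parse_objects(mib_text):
    """Return name, SYNTAX, MAX-ACCESS, DEFVAL and OID position per OBJECT-TYPE."""
    text = re.sub(r'"[^"]*"', '""', mib_text)   # blank quoted DESCRIPTION text
    text = re.sub(r"--.*", "", text)            # drop ASN.1 line comments
    objs = []
    for name, body, parent, sub in OBJ_RE.findall(text):
        def clause(keyword):
            m = re.search(keyword + r"\s+\{?\s*([\w-]+)", body)
            return m.group(1) if m else None
        objs.append({"name": name, "syntax": clause("SYNTAX"), "access": clause("MAX-ACCESS"),
                     "defval": clause("DEFVAL"), "oid": (parent, int(sub))})
    return objs

def audit(objs):
    """Flag SNMP-writable objects and trap switches that default to disabled."""
    return [(o["name"], "trap-disabled-by-default"
             if o["syntax"] == "TrapStatus" and o["defval"] == "disabled"
             else "writable-via-snmp-set")
            for o in objs if o["access"] in ("read-write", "read-create")]

if __name__ == "__main__":
    print(audit(parse_objects(MIB_EXCERPT)))
```

Objects flagged as writable are candidates for exclusion from any SNMP view that grants write access; trap switches flagged as disabled by default need to be enabled on the device before a monitoring station can rely on the corresponding notification.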