>> MIB - Management Information Base

>> Table: ipsecGlobals - (.1.3.6.1.4.1.272.4.26.1)

ipsecGlobals
OID   Name                       Type            Access
.1    PeerIndex                  INTEGER         R
.2    DefaultAuthMethod          ENUM            R
.3    DefaultCertificate         INTEGER         R
.4    DefaultLocalId             DisplayString   R
.5    DefaultIpsecProposal       INTEGER         R
.6    DefaultIkeProposal         INTEGER         R
.7    DefaultIpsecLifeTime       INTEGER         R
.8    DefaultIkeLifeTime         INTEGER         R
.9    DefaultIkeGroup            INTEGER         R
.10   MaxSysLogLevel             ENUM            RW
.11   DefaultGranularity         ENUM            R
.12   DefaultPh1Mode             ENUM            R
.13   DefaultPfsGroup            INTEGER         R
.20   IkePort                    INTEGER         RW
.21   MaxRetries                 INTEGER         RW
.22   RetryTimeout0milli         INTEGER         RW
.23   RetryTimeoutMaxsec         INTEGER         RW
.24   MaxNegotiationTimeoutsec   INTEGER         RW
.25   MaxIkeSas                  INTEGER         RW
.29   IgnoreCrPayloads           ENUM            RW
.30   NoCrPayloads               ENUM            RW
.31   NoKeyHashPayloads          ENUM            RW
.32   NoCrls                     ENUM            RW
.33   SendFullCertChains         ENUM            RW
.34   TrustIcmpMsg               ENUM            RW
.35   SpiSize                    INTEGER         RW
.36   ZeroIsakmpCookies          ENUM            RW
.37   MaxKeyLength               INTEGER         RW
.38   NoInitialContact           ENUM            RW
.39   IkeProfile                 INTEGER         RW
.40   IpsecProfile               INTEGER         RW
.41   Enabled                    ENUM            RW
.42   BlockTimeout               INTEGER         RW
.43   DPDIdleThreshold           INTEGER         RW
.44   DPDMaxRetries              INTEGER         RW
.45   DPDRetryTimeout            INTEGER         RW
.46   Ikev2Enabled               ENUM            RW

PeerIndex
Index of the first IPsec peer in ipsecPeerTable. If this object is set to a value <= 0, IPSec is explicitly switched off. If the peer referenced by this object does not exist in the table, all packets will be dropped. CAUTION: This object is obsolete.
DefaultAuthMethod
This object specifies the authentication method used by default. If the ipsecPeerAuthMethod field of an ipsecPeerEntry and the ikePropAuthMethod field of the ikeProposalTableEntry used are set to 'default', this value is assumed. Possible values:
    pre-sh-key(1), -- Authentication using pre shared keys
    dss-sig(2), -- Authentication using DSS signatures
    rsa-sig(3), -- Authentication using RSA signatures
    rsa-enc(4) -- Authentication using RSA encryption.
CAUTION: This object is obsolete.
DefaultCertificate
The index of the default certificate in the certTable used for local authentication for ike keyed rules with non pre-shared-key authentication. This may be overwritten by the certificate specified for the individual ipsec peers. CAUTION: This object is obsolete.
DefaultLocalId
The default ID used for local authentication for ike keyed rules. If this is an empty or invalid id string, one of the subject alternative names or the subject name from the default certificate is used. This does not replace an empty local id string for an IPsec peer with a valid certificate. The subject name or one of the subject alternative names from this certificate is used then. CAUTION: This object is obsolete.
DefaultIpsecProposal
Index of default ipsec proposal used for traffic entries with empty ipsec proposal, defined for peers with empty default ipsec proposal. CAUTION: This object is obsolete.
DefaultIkeProposal
Index of default ike proposal used for peers with empty default ike proposal. CAUTION: This object is obsolete.
DefaultIpsecLifeTime
Index of default lifetime for ike SA's in ipsecLifeTimeTable. This lifetime is used, when there is no valid lifetime entry specified for an IPsec peer entry. CAUTION: This object is obsolete.
DefaultIkeLifeTime
This object specifies an index in the ipsecLifeTimeTable with the default lifetime settings used for IKE SA's. This lifetime is used whenever there is no valid lifetime entry specified for a peer entry and the IKE proposal used. CAUTION: This object is obsolete.
DefaultIkeGroup
Index of default IKE group used if no IKE group is defined for a peer. Possible values: 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP), 14 (2048 bit MODP), 15 (3072 bit MODP), 16 (4096 bit MODP). CAUTION: This object is obsolete.
MaxSysLogLevel
Maximum level for syslog messages issued by IPSec. All messages with a level higher than this value are suppressed, independently from other global syslog level settings. Possible settings: emerg(1), alert(2), crit(3), err(4), warning(5), notice(6), info(7), debug(8).
DefaultGranularity
This object specifies the default granularity used for IPSEC SA negotiation. Possible values:
    coarse(2), -- Create only one SA for each Traffic entry
    ip(3), -- Create one SA for each host
    proto(4), -- Create one SA for each protocol and host
    port(5) -- Create one SA for each port and host.
CAUTION: This object is obsolete.
DefaultPh1Mode
This object specifies the default exchange mode used for IKE SA negotiation. Possible values:
    id-protect(1), -- Use identity protection (main) mode
    aggressive(2) -- Use aggressive mode.
CAUTION: This object is obsolete.
DefaultPfsGroup
This object specifies the PFS group to use. PFS is done only for phase 2, i.e. the Phase 1 SAs are not deleted after phase 2 negotiation is completed. Note, however, that if the peer has configured PFS for identity and destroys phase 1 SAs, this side will also destroy them when notified. Possible values: 0 (no PFS), 1 (768 bit MODP), 2 (1024 bit MODP), 5 (1536 bit MODP), 14 (2048 bit MODP), 15 (3072 bit MODP), 16 (4096 bit MODP). CAUTION: This object is obsolete.
IkePort
This object specifies the port the IKE key management service listens to.
MaxRetries
This object specifies the maximum number of retries sent by IKE for one message.
RetryTimeout0milli
This object specifies the period of time in milliseconds before an IKE message is repeated for the first time if the answer is missing. After each retry, this timeout is increased up to the value specified in ipsecGlobRetryTimeoutMaxsec.
RetryTimeoutMaxsec
This object specifies the maximum period of time in seconds before an IKE message is repeated if the answer is missing. The retry timeout is not increased beyond this limit.
MaxNegotiationTimeoutsec
This object specifies the maximum number of seconds after which a negotiation is canceled if it is not finished.
MaxIkeSas
This object specifies the maximum number of simultaneous ISAKMP Security associations allowed. If this limit is reached, the entries are removed from the database, starting with the ones that will expire very soon. If that is not enough, the entries are deleted in reverse LRU order.
IgnoreCrPayloads
This object specifies whether certificate request payloads should be ignored by IKE. Possible values:
    true(1), -- ignore all certificate requests
    false(2) -- process certificate request payloads.
NoCrPayloads
This object specifies whether IKE should suppress certificate requests. Possible values:
    true(1), -- suppress certificate requests
    false(2) -- send certificate requests.
NoKeyHashPayloads
This object specifies whether IKE should suppress key hash payloads. Possible values:
    true(1), -- suppress key hash payloads
    false(2) -- send key hash payloads.
NoCrls
This object specifies whether IKE should send certificate revocation lists. Possible values:
    true(1), -- do not send certificate revocation lists
    false(2) -- send certificate revocation lists.
SendFullCertChains
This object specifies whether IKE should send full certificate chains. Possible values:
    true(1), -- send full certificate chains
    false(2) -- do not send full certificate chains.
TrustIcmpMsg
This object specifies whether IKE should trust ICMP port and host unreachable error messages. ICMP port and host unreachable messages are only trusted if no datagrams have yet been received from the remote host in this negotiation. This means that if the local side receives an ICMP port or host unreachable message as the first response to the initial packet of a new phase 1 negotiation, it cancels the negotiation immediately. Possible values:
    true(1), -- trust ICMP messages
    false(2) -- do not trust ICMP messages.
SpiSize
A compatibility flag that specifies the length of the SPI in bytes, which is used when an ISAKMP SA SPI (Cookie) is sent to the remote peer. This field takes effect only if ipsecGlobZeroIsakmpCookies is true.
ZeroIsakmpCookies
This object specifies whether zeroed ISAKMP cookies should be sent. Possible values:
    true(1), -- send zero cookies in ISAKMP messages
    false(2) -- send ISAKMP cookies.
MaxKeyLength
This object specifies the maximum length of an encryption key (in bits) that is accepted from the remote end. This limit prevents denial of service attacks where the attacker asks for a huge key for an encryption algorithm that allows variable length keys.
NoInitialContact
Do not send IKE initial contact messages in IKE negotiations even if no SA's exist with a peer. Possible values:
    true(1), -- do not send initial contact messages
    false(2) -- send initial contact messages if appropriate.
IkeProfile
This object specifies the default IKE (phase 1) profile to use.
IpsecProfile
This object specifies the default IPSec (phase 2) profile to use.
Enabled
Enables/disables IPSec globally.
BlockTimeout
For peers with nonzero block time, the value of this object is used instead of ipsecGlobMaxNegotiationTimeoutSec.
DPDIdleThreshold
The minimum idle time period after which a DPD request is sent.
DPDMaxRetries
The number of DPD retries sent before a peer is considered dead.
DPDRetryTimeout
The number of seconds between retries.
Ikev2Enabled
Enables/disables IKEv2 globally.
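
For configuration review, the following added example (not bintec elmeg code) decodes numeric SNMP walk output for a few of the writable objects described above and lists the settings a reviewer may want to look at. The net-snmp `-On` line format, the `.0` instance suffix, the review rules and the `MAX_KEY_BITS` ceiling are assumptions of this example; the OIDs and enum labels are taken from this page.

```python
import re

BASE = ".1.3.6.1.4.1.272.4.26.1"  # ipsecGlobals base OID, from this page
TRUTH = {1: "true", 2: "false"}
# Sub-OID -> (name, enum labels or None), copied from the table and descriptions.
OBJECTS = {
    10: ("MaxSysLogLevel", {1: "emerg", 2: "alert", 3: "crit", 4: "err",
                            5: "warning", 6: "notice", 7: "info", 8: "debug"}),
    34: ("TrustIcmpMsg", TRUTH),
    36: ("ZeroIsakmpCookies", TRUTH),
    37: ("MaxKeyLength", None),
}
MAX_KEY_BITS = 1024  # assumed site policy ceiling, not a vendor value
# Review rules are assumptions of this example, not vendor guidance.
RULES = [
    ("TrustIcmpMsg", lambda v: v == 1,
     "an ICMP unreachable as first reply cancels a new phase 1 negotiation"),
    ("ZeroIsakmpCookies", lambda v: v == 1, "zeroed ISAKMP cookies are sent"),
    ("MaxSysLogLevel", lambda v: v < 5, "warning-level IPSec messages are suppressed"),
    ("MaxKeyLength", lambda v: v > MAX_KEY_BITS, "accepted key length exceeds policy ceiling"),
]
LINE = re.compile(r"^((?:\.\d+)+) = \w+: (-?\d+)$")

def decode(walk_text):
    """Map numeric walk lines under BASE to {name: (raw, label)}."""
    out = {}
    for line in walk_text.splitlines():
        m = LINE.match(line.strip())
        if not m or not m.group(1).startswith(BASE + "."):
            continue
        # First sub-identifier selects the object; any instance suffix is ignored.
        sub = int(m.group(1)[len(BASE) + 1:].split(".")[0])
        if sub in OBJECTS:
            name, enum = OBJECTS[sub]
            raw = int(m.group(2))
            out[name] = (raw, enum.get(raw, "unknown") if enum else str(raw))
    return out

def findings(values):
    """Return one line per rule that matches a decoded value."""
    return [f"{n}={values[n][1]}: {msg}" for n, ok, msg in RULES
            if n in values and ok(values[n][0])]

# Constructed sample in net-snmp numeric (-On) output style; ".0" suffix assumed.
SAMPLE = """.1.3.6.1.4.1.272.4.26.1.10.0 = INTEGER: 3
.1.3.6.1.4.1.272.4.26.1.34.0 = INTEGER: 1
.1.3.6.1.4.1.272.4.26.1.36.0 = INTEGER: 2
.1.3.6.1.4.1.272.4.26.1.37.0 = INTEGER: 1024
.1.3.6.1.4.1.272.4.26.2.1.0 = INTEGER: 1"""

if __name__ == "__main__":
    print("\n".join(findings(decode(SAMPLE))))
```
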


MIB Reference to Software Version 10.2.12 generated on 2023/08/29. Provided by webmaster@bintec-elmeg.com
Copyright ©2023 by bintec elmeg GmbH