>> MIB - Management Information Base

>> Table: ipsecPeerStatTable - (.1.3.6.1.4.1.272.4.26.28.1)

Description: This object contains the status and statistic variables of an IPSec peer.

ipsecPeerStatTable
OID   Name                     Type             Access
.1    Index                    INTEGER          R
.2    NextIndex                INTEGER          R
.3    CaCerts                  DisplayString    R
.4    PeerAddress              IpAddress        R
.5    LocalId                  DisplayString    R
.6    LocalCert                INTEGER          R
.7    PublicInterface          INTEGER          R
.8    IkeProposals             INTEGER          R
.9    PfsIdentity              ENUM             R
.10   AuthMethod               ENUM             R
.11   IkeGroup                 INTEGER          R
.12   PfsGroup                 INTEGER          R
.13   Ph1Mode                  ENUM             R
.14   IkeLifeTime              INTEGER          R
.15   IpsecLifeTime            INTEGER          R
.16   KeepAlive                ENUM             R
.17   Granularity              ENUM             R
.18   DontVerifyPad            ENUM             R
.19   NoPmtuDiscovery          ENUM             R
.20   OperStatus               ENUM             R
.21   DefaultIpsecProposals    INTEGER          R
.22   Heartbeat                ENUM             R
.23   Ttl                      INTEGER          R
.24   CurrentLocalAddress      IpAddress        R
.25   CurrentRemoteAddress     IpAddress        R
.26   NumP1                    INTEGER          R
.27   NumP1Negotiating         INTEGER          R
.28   NumP1Established         INTEGER          R
.29   NumP1Deleted             INTEGER          R
.30   NumBundles               INTEGER          R
.31   NumBundlesNegotiating    INTEGER          R
.32   NumBundlesEstablished    INTEGER          R
.33   Ph1LToken                INTEGER          R
.34   Ph1RToken                INTEGER          R
.35   IsdnCBNextMode           ENUM             R
.36   NatDetect                ENUM             R
.37   NatTLocalPort            INTEGER          R
.38   NatTRemotePort           INTEGER          R
.39   Mtu                      INTEGER          R
.40   RxIdle                   TimeTicks        R
.41   TxIdle                   TimeTicks        R
.42   DPD                      ENUM             R
.43   DPDRetries               INTEGER          R
.44   NumIkeSas                INTEGER          R
.45   NumIkeSasNegotiating     INTEGER          R
.46   NumIkeSasEstablished     INTEGER          R
.47   NumIkeSasDeleted         INTEGER          R
.48   Ip6PeerAddress           InetAddressIPv6  R
.49   Ip6LocalAddress          InetAddressIPv6  R
.50   Ip6CurrLocalAddress      InetAddressIPv6  R
.51   Ip6CurrRemoteAddress     InetAddressIPv6  R
.52   IpVersion                ENUM             R
.53   RedirectRequested        ENUM             R
.54   RedirectCount            INTEGER          R
.55   RedirectedFrom           IpAddress        R
.56   Ip6RedirectedFrom        InetAddressIPv6  R
.57   SecondaryPeerIndex       INTEGER          R
.58   PrimaryPeerIndex         INTEGER          R
.59   NumIkeSasResetted        INTEGER          R

Index
A unique index identifying this entry.
NextIndex
The index of the next peer in hierarchy.
CaCerts
Receives a comma separated list with indices of optional certificate authority certificates accepted for this peer.
PeerAddress
This object shows the fixed IP-address of the peer, if any.
LocalId
The local ID used for authentication. Syntax:
  - X500 distinguished name: <obj-name=obj-value, obj-ID=obj-value, ...>
  - IPV4-Address: |123.456.789.012| with or without '|'
  - IPV4 Address Range: |123.456.789.012-123.456.789.013| with or without '|'
  - IPV4 Address Subnet: |123.456.789.012/255.255.255.0| with or without '|' or: |123.456.789.012/24| with or without '|'
  - Key-ID: arbitrary length hexadecimal string with even number of digits: { 01 23 45 67 89 ab cd ef }
  - Fully Qualified User Name (FQUN): (anything) or user@domain with mandatory '@'
  - Fully Qualified Domain Name (FQDN): [anything] or any name without '@' not matching any other syntax
The usage of this field is deprecated, use ikePrfLocalId now!
LocalCert
The index of the certificate used for local authentication in the certTable. Only useful for automatically keyed traffic with dsa or rsa authentication.
PublicInterface
This object specifies the index of the public interface over which an actually established IKE SA was initially built up. When no IKE SA is established the value is -1.
IkeProposals
Index of default ike proposal used for peers with empty default ike proposal.
PfsIdentity
This object specifies whether IKE SAs should be deleted immediately after a phase 2 (IPSec) SA pair has been negotiated. It overrides the default setting ipsecGlobContDefaultPfsIdentity if not set to 'default'. The consequence of enabling this feature is that before each phase 2 negotiation there always has to be a phase 1 negotiation. Thus individual phase 2 SAs cannot be associated with one another or, respectively, if the identity of a remote peer is known to an eavesdropper for one SA, he cannot conclude that the next SA is negotiated with the same remote peer.
Note: Setting this flag only makes sense if configured together with id-protect mode or RSA encryption for authentication and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses).
Possible values:
  true(1),    -- delete phase 1 SAs
  false(2),   -- do not delete phase 1 SAs
  default(3)  -- use setting in ipsecGlobContDefaultPfsIdentity
AuthMethod
This object specifies the authentication method used for this peer. It overrides the setting in the IKE proposals used.
Possible values:
  pre-sh-key(1),  -- Authentication using pre shared keys
  dss-sig(2),     -- Authentication using DSS signatures
  rsa-sig(3),     -- Authentication using RSA signatures
  rsa-enc(4),     -- Authentication using RSA encryption
  default(14),    -- Use the setting from the ikeProposalEntry used or the ipsecGlobDefaultAuthMethod
  delete(15)      -- mark this entry for deletion
IkeGroup
This object specifies a special IKE group which is to be used for this peer only. It overrides the setting in the ikeProposal used.
Possible values:
  0:  use the value from the ikeProposal used
  1:  a 768-bit MODP group
  2:  a 1024-bit MODP group
  5:  a 1536-bit MODP group
  14: a 2048-bit MODP group
  15: a 3072-bit MODP group
  16: a 4096-bit MODP group
PfsGroup
The Diffie Hellman group used for additional Perfect Forward Secrecy (PFS) DH exponentiations.
Possible values:
  -1: explicitly do not use PFS (overrides ipsecGlob2DefaultPfsGroup)
  0:  use default value from ipsecGlob2DefaultPfsGroup
  1:  a 768-bit MODP group
  2:  a 1024-bit MODP group
  5:  a 1536-bit MODP group
  14: a 2048-bit MODP group
  15: a 3072-bit MODP group
  16: a 4096-bit MODP group
Ph1Mode
This object specifies the exchange mode used for IKE SA negotiation.
Possible values:
  id-protect(1),  -- Use identity protection (main) mode
  aggressive(2),  -- Use aggressive mode
  default(3)      -- Use default settings from the ipsecGlobalsTable
IkeLifeTime
This object specifies an index in the ipsecLifeTimeTable with the lifetime settings to be used for IKE SA negotiation with this peer. It overrides the setting in the IKE proposal used. If the lifetime pointed to by this index does not exist or is inappropriate, the lifetime from the IKE proposal used is taken.
IpsecLifeTime
This object specifies an index in the ipsecLifeTimeTable. This lifetime overwrites the lifetimes specified for all traffic entries and their proposals referenced by this peer entry. If the lifetime pointed to by this index does not exist or is inappropriate, the default lifetime from the ipsecGlobalsTable is used.
KeepAlive
This object specifies whether IKE SAs with this peer are rekeyed even if there was no data transferred over them.
Possible values:
  true(1),  -- rekey SAs even if no data was transferred
  false(2)  -- do not rekey SAs if no data was transferred
Granularity
This object specifies the granularity with which SAs with this peer are created.
Possible values:
  default(1),  -- use the setting from the ipsecGlobalsTable
  coarse(2),   -- Create only one SA for each Traffic entry
  ip(3),       -- Create one SA for each host
  proto(4),    -- Create one SA for each protocol and host
  port(5)      -- Create one SA for each port and host
DontVerifyPad
This object is a compatibility option for older IPSec implementations. It enables or disables an old way of ESP padding (no self-describing padding).
Possible values:
  false(1),  -- normal, self-describing ESP padding
  true(2)    -- old style ESP padding
NoPmtuDiscovery
This object specifies the PMTU discovery policy for this peer.
Possible values:
  true(1),    -- do not perform PMTU discovery
  false(2),   -- perform PMTU discovery
  default(3)  -- use default settings from ipsecGlobContNoPmtuDiscovery
OperStatus
Peer operational state.
DefaultIpsecProposals
The index of the default IPSec proposal used for encrypting all the traffic bound to the (optional) logical interface created for this peer.
Heartbeat
This object specifies whether heartbeats should be sent over phase 1 SAs for this peer.
Possible values:
  none(1),    -- neither send nor expect heartbeats
  expect(2),  -- expect heartbeats
  send(3),    -- send heartbeats
  both(4),    -- send and expect heartbeats
  default(5)  -- use setting from ipsecGlobContHeartbeatDefault
Ttl
This object shows the maximum period of time in seconds the peer will remain in the current state.
CurrentLocalAddress
The currently used local IP-address for this peer.
CurrentRemoteAddress
The currently known remote IP-address of this peer.
NumP1
The number of current IKE SAs for this peer.
NumP1Negotiating
The number of current IKE SAs in state 'negotiating' for this peer.
NumP1Established
The number of current IKE SAs in state 'established' for this peer.
NumP1Deleted
The number of current IKE SAs in state 'waiting_for_remove' for this peer.
NumBundles
The number of current IPSec SA bundles for this peer.
NumBundlesNegotiating
The number of current IPSec SA bundles for this peer.
NumBundlesEstablished
The number of current IPSec SA bundles in state 'established' for this peer.
Ph1LToken
Locally generated token that must be used by triggered peer upon call back.
Ph1RToken
Remotely generated token which must be used during phase one of IPsec connection establishment.
IsdnCBNextMode
Define callback mode that is to be tried next. The following modes are defined:
  unknown(1)        -- still unset, derive it from other settings
  d-llc(2)          -- use D channel mode with LLC next
  d-subaddr(3)      -- use D channel mode with SUBADDR next
  d-llc-subaddr(4)  -- use D channel mode with LLC and SUBADDR next
  b(5)              -- use B channel mode next

Default value for that variable is unknown(1).

NatDetect
The latest result of the NAT detection performed with the peer.
Possible values:
  local(1),   -- local NAT detected
  remote(2),  -- remote NAT detected
  both(3),    -- local and remote NAT detected
  none(4),    -- no NAT present
  unknown(8)  -- NAT detection not performed or not finished
NatTLocalPort
The local port currently used for NAT-T IKE and ESP SAs with this peer.
NatTRemotePort
The remote port currently used for NAT-T IKE and ESP SAs with this peer.
Mtu
The current MTU of this peer. This value is copied to ifMtu if ipsecPeerVirtualInterface is set to enabled.
RxIdle
The time period for which no packet has been received from this peer.
TxIdle
The time period for which no packet has been transmitted to this peer.
DPD
The type of Dead Peer Detection (DPD) currently active for this peer.
Possible values:
  none(1)     -- DPD not active
  v1(2)       -- DPD Version 1 active
  v1-idle(3)  -- DPD Version 1 in idle mode active
  ikev2(4)    -- IKEv2 INFORMATIONAL exchanges active
DPDRetries
The number of DPD retries currently sent without reply.
NumIkeSas
The number of current IKE SAs for this peer (only for IKEv2).
NumIkeSasNegotiating
The number of current IKE SAs in state 'negotiating' for this peer (only for IKEv2).
NumIkeSasEstablished
The number of current IKE SAs in state 'established' for this peer (only for IKEv2).
NumIkeSasDeleted
The number of current IKE SAs in state 'waiting_for_remove' for this peer (only for IKEv2).
Ip6PeerAddress
This object shows the fixed IPv6-address of the peer, if any.
Ip6LocalAddress
The local IPv6 address used for IPSec encrypted packets.
Ip6CurrLocalAddress
The currently used local IPv6-address for this peer.
Ip6CurrRemoteAddress
The currently known remote IPv6-address of this peer.
IpVersion
Used IP version connecting this peer:
  none  -- IP version not determined yet
  ipv4  -- IPv4 is to be used either because ipsecPeerIpVersion is set to ipv4_only or IPv4 was determined
  ipv6  -- IPv6 is to be used either because ipsecPeerIpVersion is set to ipv6_only or IPv6 was determined
RedirectRequested
Indicates whether a requested redirection is to be performed.
Possible values:
  no(1),  -- No redirect is requested or redirection request is already performed.
  yes(2)  -- A redirect is requested and has to be performed.
RedirectCount
Total count of received valid redirection requests for this peer.
RedirectedFrom
The IP address of the original gateway from which we got redirected.
Ip6RedirectedFrom
The IPv6 address of the original gateway from which we got redirected.
SecondaryPeerIndex
Index of the secondary peer in backup case if used.
PrimaryPeerIndex
Index of the primary peer in backup case if used.
NumIkeSasResetted
The number of IKEv2 SAs reset due to missing Child SAs.
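
Added example (not part of the vendor reference): a decoder for numeric SNMP walk output of this table that labels the enum columns with the values listed above and reports the conditions the column descriptions themselves describe. It assumes instance OIDs of the form <table OID>.<column>.<peer index> and net-snmp style "OID = INTEGER: n" lines; the sample input is constructed.

```python
import re
BASE = ".1.3.6.1.4.1.272.4.26.28.1"  # ipsecPeerStatTable OID as given on the page
COLUMNS = {  # column -> (name, enum labels or None); numbers and labels from the page
    9: ("PfsIdentity", {1: "true", 2: "false", 3: "default"}),
    10: ("AuthMethod", {1: "pre-sh-key", 2: "dss-sig", 3: "rsa-sig",
                        4: "rsa-enc", 14: "default", 15: "delete"}),
    13: ("Ph1Mode", {1: "id-protect", 2: "aggressive", 3: "default"}),
    28: ("NumP1Established", None),
    43: ("DPDRetries", None),
}
# Assumption: instance OIDs have the form BASE.<column>.<peer index>.
LINE = re.compile(r"^" + re.escape(BASE) + r"\.(\d+)\.(\d+) = INTEGER: (-?\d+)$")

def decode(walk_text):
    """Group walk lines by peer index; enum columns become 'label(n)' strings."""
    peers = {}
    for line in walk_text.splitlines():
        m = LINE.match(line.strip())
        if not m or int(m.group(1)) not in COLUMNS:
            continue  # other OIDs, non-integer values, columns not tracked here
        name, labels = COLUMNS[int(m.group(1))]
        raw = int(m.group(3))
        value = f"{labels.get(raw, 'unrecognized')}({raw})" if labels else raw
        peers.setdefault(int(m.group(2)), {})[name] = value
    return peers

def findings(peer):
    """Notes derived only from the column descriptions on the page."""
    notes = []
    if peer.get("DPDRetries", 0) > 0:
        notes.append("DPD retries sent without reply")
    if peer.get("NumP1Established") == 0:
        notes.append("no established IKE SA")
    # Page note: PfsIdentity only makes sense with id-protect mode or rsa-enc.
    if (peer.get("PfsIdentity") == "true(1)" and peer.get("Ph1Mode") == "aggressive(2)"
            and peer.get("AuthMethod") in ("pre-sh-key(1)", "dss-sig(2)", "rsa-sig(3)")):
        notes.append("PfsIdentity enabled without id-protect mode or rsa-enc")
    return notes

# Constructed sample in net-snmp numeric (-On) output style, not from a real device.
SAMPLE = """\
.1.3.6.1.2.1.1.3.0 = Timeticks: (12345) 0:02:03.45
.1.3.6.1.4.1.272.4.26.28.1.9.1 = INTEGER: 1
.1.3.6.1.4.1.272.4.26.28.1.10.1 = INTEGER: 1
.1.3.6.1.4.1.272.4.26.28.1.13.1 = INTEGER: 2
.1.3.6.1.4.1.272.4.26.28.1.13.2 = INTEGER: 7
.1.3.6.1.4.1.272.4.26.28.1.28.2 = INTEGER: 0
.1.3.6.1.4.1.272.4.26.28.1.43.2 = INTEGER: 3
"""
```

Columns set to default(3) or default(14) are not flagged, because the effective value then comes from the global tables and cannot be read from this row alone.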


MIB Reference to Software Version 10.2.12 generated on 2023/08/29. Provided by webmaster@bintec-elmeg.com
Copyright ©2023 by bintec elmeg GmbH