Index |
A unique index identifying this entry. |
Description |
An optional description for this peer. |
PeerIds |
The IDs of the peer which are accepted for authentication. Syntax:
- X500 distinguished name: <obj-name=obj-value, obj-ID=obj-value, ...>
- IPV4-Address: |123.456.789.012| with or without '|'
- IPV4 Address Range (only IKEv1): |123.456.789.012-123.456.789.013| with or without '|'
- IPV4 Address Subnet (only IKEv1): |123.456.789.012/255.255.255.0| or |123.456.789.012/24|, with or without '|'
- Key-ID: arbitrary string: {anything}
- Fully Qualified User Name (FQUN) (for IKEv1) or fully-qualified RFC 822 email address string (for IKEv2): (anything) or user@domain with mandatory '@'
- Fully Qualified Domain Name (FQDN): [anything] or any name without '@' not matching any other syntax |
LocalAddress |
The local address used for IPSec encrypted packets. |
TrafficList |
This object specifies the first entry of a (possibly chained) list of traffic entries from the ipsecTrafficTable that should be protected with IPSec using this peer. |
DynamicAddress |
The IP-address of the peer. This object may contain either an IP address or a domain name. |
VirtualInterface |
This object specifies if a virtual interface should be created for this peer. If set to enabled, all traffic routed towards this peer will be protected. The traffic list for this peer is ignored then. The index of the interface associated with this peer is calculated as follows: ifIndex = ipsecPeerIndex + 100000. |
StartMode |
This object specifies the events which make the IPSec peer go up. Possible values:
on-demand(1) -- packet triggered start; falls back to dormant if unused
always-up(2) -- always set up and keep up |
PreSharedKey |
The pre-shared-key used with this peer, if pre-shared-keys are used for authentication. This field serves only as an input field and its contents are replaced with a single asterisk immediately after it is set. |
IsdnCB |
Switch for turning the ISDN callback feature on and off specifically for this peer. Default value is disabled. |
Priority |
Defines the matching priority. |
IkeProfile |
When ipsecPeerIkeVersion is set to ikev1 this is an index from the ikeProfileTable containing a special phase 1 profile to use for this peer. When ipsecPeerIkeVersion is set to ikev2 this is an index from the ikev2ProfileTable containing a special IKE_SA profile to use for this peer. |
IpsecProfile |
The index from the ipsecProfileTable containing a special phase 2 profile to use for this peer. |
AdminStatus |
Peer administrative state. |
PreSharedKeyData |
Field used for storing the pre-shared-key permanently. |
IsdnCBMode |
Defines the callback mode. The following modes are defined:
compat(1) -- compatibility with old callback
auto(2) -- automatically detect best method
auto-d(3) -- automatically detect best D channel method
d(4) -- use D channel only
db(5) -- try D channel first, fall back to B
b(6) -- use B channel only
Default value for this variable is compat(1). |
IsdnCBDChanMode |
Defines the callback D channel mode. The following modes are defined:
llc(1) -- code token into LLC information element only
subaddr(2) -- code token into SUBADDR information element only
llc-and-subaddr(3) -- redundantly use LLC and SUBADDR information elements
llc-subaddr(4) -- try LLC first, then SUBADDR
subaddr-llc(5) -- try SUBADDR first, then LLC
Default value for this variable is llc(1). |
Type |
The type of the peer. Dynamic peer entries are duplicated whenever an incoming IKE request matches the ID and/or address information of the remote side. Note:
- For traffic list peers the duplication also includes the traffic list entries configured for this peer entry.
- For virtual interface peers, host routes will be added for the peer address automatically.
Possible values:
fixed(1) -- only one peer allowed for this entry
dynamic_client(2) -- duplicated for each incoming client |
DynAddrPoolId |
Identifier of Dynamic Address Pool if IP address is assigned via IKE Configuration Method. A value of -1 means that no Pool is assigned. |
DynAddrLocalIp |
The local IP address used in the IKE communication when remote IP address is taken from IP address pool. |
XauthProfile |
The index from the xauthProfileTable containing a special XAUTH profile to use for this peer. A value of 0 means that no XAUTH profile is assigned. |
DynAddrRole |
Determines if IKE Config Mode is used and which role is performed:
none(1) -- no IP address assignment via IKE Config Mode
client(2) -- get IP address via IKE Config Mode from remote
server(3) -- assign IP address via IKE Config Mode to remote
In server role ipsecPeerDynAddrPoolId defines the IP address pool to use for address assignment to clients. If an invalid pool ID is configured, the peer is treated as if the role was 'none'. Default is 'none', which means IKE Config Mode is not used at all. |
IkeVersion |
Indicates the major version of IKE protocol to use. If set to ikev1 the value of ipsecPeerIkeProfile is used as index into ikeProfileTable. If set to ikev2 the value of ipsecPeerIkeProfile is used as index into ikev2ProfileTable. |
LocalId |
The local ID used for authentication with this profile. Syntax:
- X500 distinguished name: <obj-name=obj-value, obj-ID=obj-value, ...>
- IPV4-Address: |123.456.789.012| with or without '|'
- Key-ID: arbitrary string: {anything}
- Fully-qualified RFC 822 email address string: (anything) or user@domain with mandatory '@'
- Fully Qualified Domain Name (FQDN): [anything] or any name without '@' not matching any other syntax (only for IKEv2). |
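The ID syntax above is shared by PeerIds and LocalId: the bracket pair selects the type, the IPv4 forms may be wrapped in '|', and the IKEv1-only range and subnet forms must be rejected for an IKEv2 peer. The following classifier is an added example written for this page; it is not code from the MIB or its vendor. Its assumptions are labelled in comments: the '|' delimiters are only recognised as a matched pair, a dotted string whose octets are out of range (such as the page's placeholder 123.456.789.012) is reported as an error rather than silently treated as a FQDN, and subnets are normalised to prefix notation.

```python
import ipaddress
import re
from dataclasses import dataclass

# Kinds named after the ID syntaxes listed for PeerIds and LocalId.
X500_DN = "x500-dn"
IPV4 = "ipv4"
IPV4_RANGE = "ipv4-range"      # IKEv1 only
IPV4_SUBNET = "ipv4-subnet"    # IKEv1 only
KEY_ID = "key-id"
FQUN = "fqun"                  # IKEv1 user name: (anything) or a name with '@'
RFC822 = "rfc822-email"        # IKEv2 e-mail address, same spelling as FQUN
FQDN = "fqdn"

_DOTTED = r"\d{1,3}(?:\.\d{1,3}){3}"
_RANGE_RE = re.compile(rf"({_DOTTED})-({_DOTTED})")
_SUBNET_RE = re.compile(rf"({_DOTTED})/(\d{{1,2}}|{_DOTTED})")
_ADDR_RE = re.compile(_DOTTED)


@dataclass(frozen=True)
class PeerId:
    kind: str
    value: str   # payload without the bracketing characters, normalised where applicable


def _unbar(s: str) -> str:
    """Drop the optional '|' around IPv4 forms. Assumption: only a matched pair counts."""
    if len(s) >= 2 and s[0] == "|" and s[-1] == "|":
        return s[1:-1]
    return s


def parse_peer_id(text: str, ike_version: int = 2) -> PeerId:
    """Classify one configured ID string; raises ValueError for forms invalid for this IKE version."""
    s = text.strip()
    if not s:
        raise ValueError("empty ID")
    # Bracketed forms are unambiguous: the bracket pair selects the type.
    pairs = {("<", ">"): X500_DN, ("{", "}"): KEY_ID, ("(", ")"): None, ("[", "]"): FQDN}
    for (open_, close), kind in pairs.items():
        if len(s) >= 2 and s[0] == open_ and s[-1] == close:
            if kind is None:               # (anything): FQUN for IKEv1, e-mail for IKEv2
                kind = FQUN if ike_version == 1 else RFC822
            return PeerId(kind, s[1:-1])
    body = _unbar(s)
    m = _RANGE_RE.fullmatch(body)
    if m:
        if ike_version != 1:
            raise ValueError("IPv4 address range is only valid for IKEv1 peers")
        lo, hi = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        if hi < lo:
            raise ValueError("IPv4 range end precedes range start")
        return PeerId(IPV4_RANGE, f"{lo}-{hi}")
    if _SUBNET_RE.fullmatch(body):
        if ike_version != 1:
            raise ValueError("IPv4 subnet is only valid for IKEv1 peers")
        # strict=False tolerates host bits; both /24 and /255.255.255.0 are accepted
        # and normalised to prefix notation (assumption, not page behaviour).
        return PeerId(IPV4_SUBNET, str(ipaddress.IPv4Network(body, strict=False)))
    if _ADDR_RE.fullmatch(body):
        # IPv4Address rejects octets above 255, so a dotted string that looks like an
        # address but is not one raises ValueError instead of falling through to FQDN.
        return PeerId(IPV4, str(ipaddress.IPv4Address(body)))
    # Unbracketed names: a mandatory '@' makes it a user/e-mail ID, otherwise it is a FQDN.
    if "@" in s:
        return PeerId(FQUN if ike_version == 1 else RFC822, s)
    return PeerId(FQDN, s)


def is_valid_peer_id(text: str, ike_version: int = 2) -> bool:
    """Convenience wrapper for configuration checks: True if the ID parses for this IKE version."""
    try:
        parse_peer_id(text, ike_version)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample IDs using documentation addresses (RFC 5737) and example.net names.
    for sample, ver in [("<C=DE, O=Example, CN=gw1>", 2), ("|192.0.2.1|", 2),
                        ("192.0.2.33/255.255.255.0", 1), ("{branch-office-17}", 2),
                        ("alice@example.net", 2), ("[vpn.example.net]", 2)]:
        print(f"{sample!r:32} -> {parse_peer_id(sample, ver)}")
```

Running the classifier over every PeerIds and LocalId value before committing a configuration catches the two mistakes the syntax list makes easy: a range or subnet ID left over from an IKEv1 profile on a peer switched to IKEv2, and a mistyped address that would otherwise be accepted as a host name.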
AuthMethod |
This object specifies the authentication method used by default. If the ipsecPeerAuthMethod field of an ipsecPeerEntry and the ikePropAuthMethod field of the ikeProposalTableEntry used are set to 'default', this value is assumed. Possible values:
pre-sh-key(1) -- authentication using pre-shared keys
dss-sig(2) -- authentication using DSS signatures
rsa-sig(3) -- authentication using RSA signatures
(only for IKEv2). |
Cert |
The index of the certificate used for authentication in the certTable. Ignored for AuthMethod == pre_shared_key. (only for IKEv2). |
CaCerts |
Receives a comma separated list with indices (0..32767) of special certificate authority certificates accepted for this profile. (only for IKEv2). |
DynAddrMode |
When IP address assignment via IKE Config Mode is configured (ipsecPeerDynAddrRole != none) this object specifies the mode used:
pull(1) -- the client requests an IP address and the gateway answers the request
push(2) -- the gateway sets the IP address on the client and the client accepts or denies it
The ipsecPeerDynAddrMode value has to be the same on both sides of the tunnel. With the default value 'pull' the peer (ipsecPeerDynAddrRole == client) requests an IP address and the gateway (ipsecPeerDynAddrRole == server) answers the request. The 'push' mode is needed for partner devices that require it. This object matters only when ipsecPeerDynAddrRole != none. |
Mobike |
This object indicates whether the peer supports MOBIKE or not. An IP address change is only possible when both sides of a VPN connection support MOBIKE. Possible values:
enabled(1) -- Peer supports MOBIKE and signals MOBIKE support by including a MOBIKE_SUPPORTED notification in the IKE_AUTH message.
disabled(2) -- Peer does not support MOBIKE.
(only for IKEv2). |
IpVersion |
Determines whether the peer should be connected via IPv4 or via IPv6 in initiator case. As responder the IP version of the first received packet is used and therefore this value is ignored. |
PublicIfIndex |
The index value which uniquely identifies the physical interface that should be used for all ipsec traffic as initiator. When multiple equivalent routes to the given peer are available this is used as an additional parameter for routing decisions. If set to -1 then normal routing is used. As responder the interface from the first received packet is used and therefore this index value is ignored. |
PublicIfIndexMode |
This object defines the mode used in conjunction with ipsecPeerPublicIfIndex.
force(1) -- the given interface is used, even if a route with lower metric is available.
preferred(2) -- the given interface is used if no route with lower metric is available.
This object matters only when ipsecPeerPublicIfIndex > 0. |
ChildAllocMode |
Defines the allocation strategy for child-SAs shared with this peer. Relevant only for ipsecPeerIkeVersion 'ikev2'.
multi(1) -- For each frame to be tunnelled, allocation of a new child-SA may be initiated with frame-specific traffic selectors, depending on the list of already allocated child-SAs, configured routes, matching ipsecPeerTraffic entries, the relevant ipsecPeerTrafficTable, etc.
single(2) -- Allocation of at most one child-SA may be initiated, to be used for ANY frames tunnelled to/from this peer (any target/source IP address, any protocol, any port numbers). The field ipsecPrfGranularity and the table ipsecPeerTraffic are ignored in this case. |
IfStateMode |
Defines the strategy for mapping ipsecPeerStatOperStatus onto the ifOperStatus of the related virtual interface. Relevant only for ipsecPeerStartMode 'always-up'.
full(1) -- Mapping is done as in ipsecPeerStartMode 'on-demand', also covering ifOperStatus 'dormant' or 'blocked'.
reduced(2) -- Mapping is simplified, covering only ifOperStatus 'up' or 'down', which allows easier configuration of backup-tunnel scenarios. |
SecondaryPeerIndex |
Index of the peer that has to be used as fallback for this (primary) peer. A value of 0 means that no other peer is used as fallback. Relevant only if ipsecPeerStartMode 'always-up' and ipsecPeerIfStateMode 'reduced'. |
DelayBackToPrimary |
If a configured secondary peer is used in fallback case and the primary peer is coming up again it may be desirable to delay the use of the primary peer and thus the reset of the secondary peer. This variable defines the wanted delay time in seconds. A value of 0 (default value) means no delay. Relevant only if ipsecPeerStartMode 'always-up', ipsecPeerIfStateMode 'reduced' and ipsecPeerSecondaryPeerIndex is not 0. |
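Several objects in this table are only honoured when other objects hold particular values: TrafficList is ignored for a virtual-interface peer or in ChildAllocMode 'single', IkeProfile is resolved in a different table depending on IkeVersion, a server-role DynAddrRole without a pool degrades to 'none', Cert is ignored under pre-shared-key authentication, and IfStateMode, SecondaryPeerIndex and DelayBackToPrimary only take effect together with StartMode 'always-up' and IfStateMode 'reduced'. A fallback peer that is configured but silently inactive is the kind of misconfiguration that is only noticed during an outage, so the following lint encodes those dependency rules as stated on this page. It is an added example, not vendor code; the PeerEntry class covers only the fields the rules need, the enumeration labels mirror the page with their integer codes omitted, and the defaults 0 for traffic_list and cert meaning "not configured" are assumptions.

```python
from dataclasses import dataclass
from typing import List

# Enumeration labels as they appear on the page (integer codes omitted).
IKEV1, IKEV2 = "ikev1", "ikev2"
ON_DEMAND, ALWAYS_UP = "on-demand", "always-up"
FULL, REDUCED = "full", "reduced"
ROLE_NONE, ROLE_CLIENT, ROLE_SERVER = "none", "client", "server"
PRE_SH_KEY, DSS_SIG, RSA_SIG = "pre-sh-key", "dss-sig", "rsa-sig"
MULTI, SINGLE = "multi", "single"


@dataclass
class PeerEntry:
    """Subset of one ipsecPeerTable row. Field names follow the page; defaults are assumptions
    except where the page itself defines the 'not set' value."""
    index: int
    ike_version: str = IKEV2
    ike_profile: int = 0
    virtual_interface: bool = False
    traffic_list: int = 0            # assumption: 0 = no ipsecTrafficTable chain configured
    start_mode: str = ON_DEMAND
    if_state_mode: str = FULL
    secondary_peer_index: int = 0    # 0 = no fallback peer (page)
    delay_back_to_primary: int = 0   # seconds; 0 = no delay (page)
    dyn_addr_role: str = ROLE_NONE
    dyn_addr_pool_id: int = -1       # -1 = no pool assigned (page)
    auth_method: str = PRE_SH_KEY
    cert: int = 0                    # assumption: 0 = no certificate selected
    child_alloc_mode: str = MULTI


def profile_table(p: PeerEntry) -> str:
    """IkeVersion decides which table IkeProfile is an index into."""
    return "ikeProfileTable" if p.ike_version == IKEV1 else "ikev2ProfileTable"


def lint_peer(p: PeerEntry) -> List[str]:
    """Return one message per configured value that this page says is ignored or overridden."""
    findings: List[str] = []
    if p.virtual_interface and p.traffic_list != 0:
        findings.append("TrafficList is ignored: VirtualInterface is enabled, so all traffic "
                        "routed towards the peer is protected instead")
    if p.child_alloc_mode == SINGLE:
        if p.ike_version != IKEV2:
            findings.append("ChildAllocMode 'single' is relevant only for IkeVersion 'ikev2'")
        elif p.traffic_list != 0:
            findings.append("TrafficList is ignored: ChildAllocMode 'single' tunnels any frame "
                            "through at most one child-SA")
    if p.dyn_addr_role == ROLE_SERVER and p.dyn_addr_pool_id == -1:
        findings.append("DynAddrRole 'server' without a valid DynAddrPoolId: peer is treated "
                        "as if the role were 'none'")
    if p.dyn_addr_role == ROLE_NONE and p.dyn_addr_pool_id != -1:
        findings.append("DynAddrPoolId is set but DynAddrRole is 'none': IKE Config Mode is not used")
    if p.auth_method == PRE_SH_KEY and p.cert != 0:
        findings.append("Cert is ignored for pre-shared-key authentication (AuthMethod 'pre-sh-key')")
    # Fallback chain: each object only matters if the one before it is in effect.
    failover_active = p.start_mode == ALWAYS_UP and p.if_state_mode == REDUCED
    if p.if_state_mode == REDUCED and p.start_mode != ALWAYS_UP:
        findings.append("IfStateMode 'reduced' is relevant only for StartMode 'always-up'")
    if p.secondary_peer_index != 0 and not failover_active:
        findings.append("SecondaryPeerIndex is ignored: fallback needs StartMode 'always-up' "
                        "and IfStateMode 'reduced'")
    if p.delay_back_to_primary != 0 and not (failover_active and p.secondary_peer_index != 0):
        findings.append("DelayBackToPrimary is ignored: needs 'always-up', 'reduced' and a "
                        "non-zero SecondaryPeerIndex")
    return findings


if __name__ == "__main__":
    # Constructed example: a backup tunnel that looks configured but never engages,
    # because the primary peer is still in the default 'on-demand' start mode.
    primary = PeerEntry(index=1, start_mode=ON_DEMAND, if_state_mode=REDUCED,
                        secondary_peer_index=2, delay_back_to_primary=30)
    print(f"peer {primary.index}: IkeProfile resolved in {profile_table(primary)}")
    for msg in lint_peer(primary):
        print(f"peer {primary.index}: {msg}")
```

Run it against every row of the table after a change; an empty result means each configured value is actually in effect, while a non-empty one points at the object whose precondition is missing.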
Ip6LocalAddress |
The local IPv6-address used for IPSec encrypted packets. |
IdRelatedToCertField |
Indicates, in case of 'ikePropAuthMethod == rsa-sig' (for IKEv1) or 'ipsecPeerAuthMethod == rsa-sig' (for IKEv2), whether the ID of the peer is required to be related to a specific field in the certificate that is used to authenticate the identity of that peer. Possible values:
yes(1) -- The peer's ID is required to be related to the subject name or subject alternative name in the peer's certificate.
no(2) -- The peer's ID does not necessarily have to match anything in the peer's certificate. |