[Contents] [Prev] [Next] [Index] [Report an Error]

IPsec Phase 2 Security Association Table

jnxIpSecSaMonTable, whose object ID is {jjnxIpSecFlowMonPhaseTwo 3}, identifies the objects listed in Table 195. The IPsec Phase 2 Security Association table identifies the structure (in terms of component SAs) of each active Phase 2 IPsec tunnel. This table contains an entry for each active and expiring SA and maps each entry in the active Phase 2 tunnel table (ipSecTunTable) into a number of entries in this table.

The SA contains the information negotiated by IKE. The SA is like a contract laying out the rules of the VPN connection for the duration of the SA. An SA is assigned a 32-bit number that, when used in conjunction with the destination IP address, uniquely identifies the SA. This number is called the Security Parameters Index (SPI).

IPsec SAs are unidirectional and are unique in each security protocol. A set of SAs is needed for a protected data pipe, one per direction per protocol.

Table 195: IPsec Phase 2 Security Association Table

Object

Object ID

Description

jnxIpSecSaMonEntry

jnxIpSecSaMonTable 1

Each entry contains the attributes associated with active and expiring IPsec Phase 2 SAs.

Sequence of parameters:

  • jnxIpSecSaMonIndex
  • jnxIpSecSaMonProtocol
  • jnxIpSecSaMonInSpi
  • jnxIpSecSaMonOutSpi
  • jnxIpSecSaMonType
  • jnxIpSecSaMonEncapMode
  • jnxIpSecSaMonLifeSize
  • jnxIpSecSaMonLifeTime
  • jnxIpSecSaMonActiveTime
  • jnxIpSecSaMonLifeSizeThreshold (not supported in this release)
  • jnxIpSecSaMonLifeTimeThreshold
  • jnxIpSecSaMonEncryptAlgo
  • jnxIpSecSaMonAuthAlgo
  • jnxIpSecSaMonState

jnxIpSecSaMonIndex

jnxIpSecSaMonEntry 1

Index number, in the context of the IPsec tunnel ipSecTunIndex, of the SA represented by this table entry. The index number begins at 1 and is incremented with each SPI associated with an IPsec Phase 2 tunnel. The value of this object will wrap at 65535.

jnxIpSecSaMonProtocol

jnxIpSecSaMonEntry 2

Index number that represents the security protocol (AH, ESP or IPComp) for which this SA was set up

jnxIpSecSaMonInSpi

jnxIpSecSaMonEntry 3

Value of the incoming SPI

jnxIpSecSaMonOutSpi

jnxIpSecSaMonEntry 4

Value of the outgoing SPI

jnxIpSecSaMonType

jnxIpSecSaMonEntry 5

Types of SAs that can be either manual or dynamic

jnxIpSecSaMonEncapMode

jnxIpSecSaMonEntry 6

Encapsulation mode used by an IPsec Phase 2 tunnel

jnxIpSecSaMonLifeSize

jnxIpSecSaMonEntry 7

Negotiated lifesize of the IPsec Phase 2 tunnel in kilobytes

jnxIpSecSaMonLifeTime

jnxIpSecSaMonEntry 8

Negotiated lifetime of the IPsec Phase 2 tunnel in seconds

jnxIpSecSaMonActiveTime

jnxIpSecSaMonEntry 9

Length of time the IPsec Phase 2 tunnel has been active in hundredths of seconds

Note: The jnxIpSecSaMonLifeSizeThreshold object is not supported in this release.

jnxIpSecSaMonLifeSizeThreshold

jnxIpSecSaMonEntry 10

SA lifesize refresh threshold in kilobytes

jnxIpSecSaMonLifeTimeThreshold

jnxIpSecSaMonEntry 11

SA lifetime refresh threshold in seconds

jnxIpSecSaMonEncryptAlgo

jnxIpSecSaMonEntry 12

Encryption algorithm used to encrypt the packets that can be either es-cbc or 3des-cbc

jnxIpSecSaMonAuthAlgo

jnxIpSecSaMonEntry 13

Algorithm used for authentication of packets that can be hmac-md5-96 or hmac-sha1-96

jnxIpSecSaMonState

jnxIpSecSaMonEntry 14

This column represents the status of the SA represented by this table entry. If the status of the SA is active, the SA is ready for active use. The status expiring represents any of the various states that the SA transitions through before being purged.

[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.