Technical Documentation

jnxIPSecSaTable

The IPsec phase 2 security association table (jnxIPSecSaTable), whose object identifier is {jnxIPSecPhaseTwo 2}, is used to monitor the IPsec SAs present for each tunnel in the IPsec tunnel table (jnxIPSecTunnelTable). More than one pair of SAs can be present for each of the IPsec tunnels.

The key for this table is a combination of a service set name, remote gateway address, IPsec tunnel index, and the SA index. While the IPsec tunnel table is queried using the service set name, the SA table can be queried for the IPsec tunnel using the service set name, remote gateway address, and the IPsec tunnel index.

The jnxIPSecSaEntry, whose object identifier is {jnxIPSecSaTable 1}, has 16 objects, which are listed in Table 1. Each entry contains SA components for an active IPsec phase 2 tunnel.

Table 1: jnxIPSecSaTable

Object

Object Identifier

Description

jnxIpSecSaProtocol

jnxIpSecSaEntry 1

The index represents the security protocol (AH, ESP, or IPComp) for which the SA was created.

jnxIpSecSaIndex

jnxIpSecSaEntry 2

The index (in the context of the IPsec tunnel) for the SA. The value of the index is a number that begins at 1 and is incremented with each security parameter index (SPI) associated with an IPsec phase 2 tunnel. When the index number reaches 2,147,483,647 the value wraps back to 1.

jnxIpSecSaInSpi

jnxIpSecSaEntry 3

The value of the incoming SPI.

jnxIpSecSaOutSpi

jnxIpSecSaEntry 4

The value of the outgoing SPI.

jnxIpSecSaInAuxSpi

jnxIpSecSaEntry 5

The value of the incoming auxiliary SPI. This object is valid for AH and ESP bundles.

jnxIpSecSaOutAuxSpi

jnxIpSecSaEntry 6

The value of the outgoing auxiliary SPI. This object is valid for AH and ESP bundles.

jnxIpSecSaType

jnxIpSecSaEntry 7

The type of SA (manual or dynamic).

jnxIpSecSaEncapMode

jnxIpSecSaEntry 8

The encapsulation mode used by the IPsec phase 2 tunnel.

jnxIpSecSaLifeSize

jnxIpSecSaEntry 9

The negotiated size (in kilobytes) of the IPsec phase 2 tunnel.

jnxIpSecSaLifeTime

jnxIpSecSaEntry 10

The negotiated lifetime (in seconds) of the IPsec phase 2 tunnel.

jnxIpSecSaActiveTime

jnxIpSecSaEntry 11

The number of seconds the IPsec phase 2 tunnel has been active.

jnxIpSecSaLifeSizeThreshold

jnxIpSecSaEntry 12

The refresh threshold (in kilobytes) of the SA size.

jnxIpSecSaLifeTimeThreshold

jnxIpSecSaEntry 13

The refresh threshold (in seconds) of the SA lifetime.

jnxIpSecSaEncryptAlgo

jnxIpSecSaEntry 14

The algorithm used to encrypt the packets (es-cbc or 3des-cbc).

jnxIpSecSaAuthAlgo

jnxIpSecSaEntry 15

The algorithm used to authenticate the packets (hmac-md5-96 or hmac-sha1-96).

jnxIpSecSaState

jnxIpSecSaEntry 16

The status of the SA. Status can be active (ready for active use) or expiring (any state an SA goes through before being purged).


Published: 2010-04-27