

The IPsec phase 2 security association table (jnxIPSecSaTable), whose object identifier is {jnxIPSecPhaseTwo 2}, is used to monitor the IPsec SAs present for each tunnel in the IPsec tunnel table (jnxIPSecTunnelTable). More than one pair of SAs can be present for each of the IPsec tunnels.

The key for this table is a combination of a service set name, remote gateway address, IPsec tunnel index, and the SA index. While the IPsec tunnel table is queried using the service set name, the SA table can be queried for the IPsec tunnel using the service set name, remote gateway address, and the IPsec tunnel index.

The jnxIPSecSaEntry, whose object identifier is {jnxIPSecSaTable 1}, has 16 objects, which are listed in Table 1. Each entry contains SA components for an active IPsec phase 2 tunnel.

Table 1: jnxIPSecSaTable

Object Identifier      Description
jnxIpSecSaEntry 1      The index represents the security protocol (AH, ESP, or IPComp) for which the SA was created.
jnxIpSecSaEntry 2      The index (in the context of the IPsec tunnel) for the SA. The value of the index is a number that begins at 1 and is incremented with each security parameter index (SPI) associated with an IPsec phase 2 tunnel. When the index number reaches 2,147,483,647 the value wraps back to 1.
jnxIpSecSaEntry 3      The value of the incoming SPI.
jnxIpSecSaEntry 4      The value of the outgoing SPI.
jnxIpSecSaEntry 5      The value of the incoming auxiliary SPI. This object is valid for AH and ESP bundles.
jnxIpSecSaEntry 6      The value of the outgoing auxiliary SPI. This object is valid for AH and ESP bundles.
jnxIpSecSaEntry 7      The type of SA (manual or dynamic).
jnxIpSecSaEntry 8      The encapsulation mode used by the IPsec phase 2 tunnel.
jnxIpSecSaEntry 9      The negotiated size (in kilobytes) of the IPsec phase 2 tunnel.
jnxIpSecSaEntry 10     The negotiated lifetime (in seconds) of the IPsec phase 2 tunnel.
jnxIpSecSaEntry 11     The number of seconds the IPsec phase 2 tunnel has been active.
jnxIpSecSaEntry 12     The refresh threshold (in kilobytes) of the SA size.
jnxIpSecSaEntry 13     The refresh threshold (in seconds) of the SA lifetime.
jnxIpSecSaEntry 14     The algorithm used to encrypt the packets (des-cbc or 3des-cbc).
jnxIpSecSaEntry 15     The algorithm used to authenticate the packets (hmac-md5-96 or hmac-sha1-96).
jnxIpSecSaEntry 16     The status of the SA. Status can be active (ready for active use) or expiring (any state an SA goes through before being purged).
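The following is an added example, not Juniper's code, showing how a monitoring script would use the table key described above (service set name, remote gateway address, tunnel index, SA index) and the 16 columns of Table 1. It groups decoded rows per tunnel, flags SAs that still use des-cbc or hmac-md5-96, and reports tunnels whose every SA is already expiring or whose active time has passed the negotiated lifetime. The column-to-field labels are this example's own and are not the MIB's object names; the rows are constructed sample data standing in for the decoded result of an SNMP walk of jnxIPSecSaTable, and the assumption that the active-time counter runs from SA creation is noted in the code.

```python
"""Inventory and health checks over rows of the IPsec phase 2 SA table.

Added example, not Juniper's code. Column numbers follow Table 1
(jnxIpSecSaEntry 1..16); the field labels are this example's own, not the
MIB's object names. Rows are constructed sample data standing in for the
decoded result of an SNMP walk of the table.
"""
from collections import defaultdict
from dataclasses import dataclass

# Column number -> field label, following Table 1 (labels are ours).
COLUMNS = {
    1: "protocol", 2: "sa_index", 3: "in_spi", 4: "out_spi",
    5: "in_aux_spi", 6: "out_aux_spi", 7: "sa_type", 8: "encap_mode",
    9: "negotiated_kb", 10: "negotiated_lifetime_s", 11: "active_s",
    12: "refresh_threshold_kb", 13: "refresh_threshold_s",
    14: "encryption_alg", 15: "auth_alg", 16: "status",
}

# Of the algorithms Table 1 lists, these are the ones worth flagging.
WEAK_ENCRYPTION = {"des-cbc"}
WEAK_AUTH = {"hmac-md5-96"}


@dataclass(frozen=True)
class SaKey:
    """Table key: service set, remote gateway, tunnel index, SA index."""
    service_set: str
    remote_gateway: str
    tunnel_index: int
    sa_index: int


def decode_row(key: SaKey, raw: dict) -> dict:
    """Map {column_number: value} for one table row to labelled fields."""
    row = {COLUMNS[c]: v for c, v in raw.items() if c in COLUMNS}
    missing = set(COLUMNS.values()) - row.keys()
    if missing:
        raise ValueError(f"row {key} lacks columns {sorted(missing)}")
    row["key"] = key
    return row


def check_sa(row: dict) -> list:
    """Findings for one SA: weak algorithms and lifetime anomalies."""
    findings = []
    if row["encryption_alg"] in WEAK_ENCRYPTION:
        findings.append("weak-encryption")
    if row["auth_alg"] in WEAK_AUTH:
        findings.append("weak-auth")
    # An SA still reported active beyond its negotiated lifetime means the
    # expected rekey did not happen (assumption: active_s counts from SA
    # creation, as Table 1's "has been active" wording suggests).
    if row["status"] == "active" and row["active_s"] > row["negotiated_lifetime_s"]:
        findings.append("lifetime-exceeded")
    return findings


def check_tunnels(rows: list) -> dict:
    """Group SAs by tunnel (service set, gateway, tunnel index) and report.

    Returns {tunnel_key: {"sas": n, "findings": [...]}}; findings carry the
    SA index as a prefix, plus 'no-active-sa' when every SA on the tunnel
    is already in the expiring state.
    """
    by_tunnel = defaultdict(list)
    for row in rows:
        k = row["key"]
        by_tunnel[(k.service_set, k.remote_gateway, k.tunnel_index)].append(row)
    report = {}
    for tunnel, sas in by_tunnel.items():
        findings = []
        for sa in sas:
            findings += [f"sa{sa['key'].sa_index}:{f}" for f in check_sa(sa)]
        if not any(sa["status"] == "active" for sa in sas):
            findings.append("no-active-sa")
        report[tunnel] = {"sas": len(sas), "findings": findings}
    return report


# Constructed sample rows (not real device output); addresses are documentation ranges.
SAMPLE_ROWS = [
    decode_row(SaKey("ss-branch", "198.51.100.7", 1, 1), {
        1: "esp", 2: 1, 3: 0x1A2B3C4D, 4: 0x4D3C2B1A, 5: 0, 6: 0,
        7: "dynamic", 8: "tunnel", 9: 0, 10: 3600, 11: 1200,
        12: 0, 13: 540, 14: "3des-cbc", 15: "hmac-sha1-96", 16: "active"}),
    decode_row(SaKey("ss-branch", "198.51.100.7", 1, 2), {
        1: "esp", 2: 2, 3: 0x11112222, 4: 0x22221111, 5: 0, 6: 0,
        7: "dynamic", 8: "tunnel", 9: 0, 10: 3600, 11: 3590,
        12: 0, 13: 540, 14: "3des-cbc", 15: "hmac-sha1-96", 16: "expiring"}),
    decode_row(SaKey("ss-legacy", "203.0.113.9", 3, 1), {
        1: "esp", 2: 1, 3: 0x0A0B0C0D, 4: 0x0D0C0B0A, 5: 0, 6: 0,
        7: "dynamic", 8: "tunnel", 9: 0, 10: 28800, 11: 30000,
        12: 0, 13: 0, 14: "des-cbc", 15: "hmac-md5-96", 16: "active"}),
]

if __name__ == "__main__":
    for tunnel, info in check_tunnels(SAMPLE_ROWS).items():
        print(tunnel, info)
```

The grouping key deliberately omits the SA index so that both SAs of a rekeying pair (one active, one expiring) land on the same tunnel, which is what the first sample tunnel shows; the second sample tunnel produces the weak-algorithm and lifetime findings.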

Published: 2010-04-27