IPsec Phase 2 Security Association Table
jnxIpSecSaMonTable, whose object ID is {jnxIpSecFlowMonPhaseTwo 3}, identifies the objects listed in Table 1. The IPsec Phase 2 Security Association table identifies the structure (in terms of component SAs) of each active Phase 2 IPsec tunnel. This table contains an entry for each active and expiring SA and maps each entry in the active Phase 2 tunnel table (ipSecTunTable) into a number of entries in this table.
The SA contains the information negotiated by IKE. The SA is like a contract laying out the rules of the VPN connection for the duration of the SA. An SA is assigned a 32-bit number that, when used in conjunction with the destination IP address, uniquely identifies the SA. This number is called the Security Parameters Index (SPI).
IPsec SAs are unidirectional and are unique in each security protocol. A set of SAs is needed for a protected data pipe, one per direction per protocol.
Table 1: IPsec Phase 2 Security Association Table
Object | Object ID | Description |
---|---|---|
jnxIpSecSaMonEntry | jnxIpSecSaMonTable 1 | Each entry contains the attributes associated with active and expiring IPsec Phase 2 SAs; it is a sequence of the objects listed in the rows that follow. |
jnxIpSecSaMonIndex | jnxIpSecSaMonEntry 1 | Index number, in the context of the IPsec tunnel ipSecTunIndex, of the SA represented by this table entry. The index number begins at 1 and is incremented with each SPI associated with an IPsec Phase 2 tunnel. The value of this object will wrap at 65535. |
jnxIpSecSaMonProtocol | jnxIpSecSaMonEntry 2 | Index number that represents the security protocol (AH, ESP or IPComp) for which this SA was set up. |
jnxIpSecSaMonInSpi | jnxIpSecSaMonEntry 3 | Value of the incoming SPI. |
jnxIpSecSaMonOutSpi | jnxIpSecSaMonEntry 4 | Value of the outgoing SPI. |
jnxIpSecSaMonType | jnxIpSecSaMonEntry 5 | Type of SA, either manual or dynamic. |
jnxIpSecSaMonEncapMode | jnxIpSecSaMonEntry 6 | Encapsulation mode used by an IPsec Phase 2 tunnel. |
jnxIpSecSaMonLifeSize | jnxIpSecSaMonEntry 7 | Negotiated lifesize of the IPsec Phase 2 tunnel in kilobytes. |
jnxIpSecSaMonLifeTime | jnxIpSecSaMonEntry 8 | Negotiated lifetime of the IPsec Phase 2 tunnel in seconds. |
jnxIpSecSaMonActiveTime | jnxIpSecSaMonEntry 9 | Length of time the IPsec Phase 2 tunnel has been active in hundredths of seconds. |
jnxIpSecSaMonLifeSizeThreshold | jnxIpSecSaMonEntry 10 | SA lifesize refresh threshold in kilobytes. Note: This object is not supported in this release. |
jnxIpSecSaMonLifeTimeThreshold | jnxIpSecSaMonEntry 11 | SA lifetime refresh threshold in seconds. |
jnxIpSecSaMonEncryptAlgo | jnxIpSecSaMonEntry 12 | Encryption algorithm used to encrypt the packets, either des-cbc or 3des-cbc. |
jnxIpSecSaMonAuthAlgo | jnxIpSecSaMonEntry 13 | Algorithm used to authenticate the packets, either hmac-md5-96 or hmac-sha1-96. |
jnxIpSecSaMonState | jnxIpSecSaMonEntry 14 | Status of the SA represented by this table entry. If the status is active, the SA is ready for use. The status expiring covers the various states that the SA transitions through before being purged. |
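As an added example (not part of the Juniper documentation), the script below groups polled jnxIpSecSaMonTable columns into one record per SA, converts jnxIpSecSaMonActiveTime (hundredths of a second) and jnxIpSecSaMonLifeTime (seconds) to a common unit, and flags SAs that are in the expiring state or within their lifetime refresh threshold. The input is a constructed, simplified "column.tunnelIndex.saIndex = value" listing; indexing by ipSecTunIndex then jnxIpSecSaMonIndex is an assumption drawn from the jnxIpSecSaMonIndex description.

```python
import re
from collections import defaultdict

# Constructed sample, not real device output: "column.tunnelIndex.saIndex = value".
# Indexing by ipSecTunIndex then jnxIpSecSaMonIndex is an assumption from the
# jnxIpSecSaMonIndex description; real snmpwalk output also carries an OID prefix.
SAMPLE = """\
jnxIpSecSaMonProtocol.7.1 = esp
jnxIpSecSaMonLifeTime.7.1 = 3600
jnxIpSecSaMonActiveTime.7.1 = 60000
jnxIpSecSaMonLifeTimeThreshold.7.1 = 90
jnxIpSecSaMonState.7.1 = active
jnxIpSecSaMonProtocol.7.2 = esp
jnxIpSecSaMonLifeTime.7.2 = 3600
jnxIpSecSaMonActiveTime.7.2 = 355000
jnxIpSecSaMonLifeTimeThreshold.7.2 = 90
jnxIpSecSaMonState.7.2 = expiring
"""

LINE = re.compile(r"^(jnxIpSecSaMon\w+)\.(\d+)\.(\d+)\s*=\s*(\S+)$")

def parse_sa_table(text):
    """Group column values into one dict per (tunnel index, SA index)."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            col, tun, sa, val = m.groups()
            entries[(int(tun), int(sa))][col] = val
    return dict(entries)

def remaining_seconds(entry):
    """Lifetime is in seconds; active time is in hundredths of a second."""
    lifetime = int(entry["jnxIpSecSaMonLifeTime"])
    return lifetime - int(entry["jnxIpSecSaMonActiveTime"]) / 100

def check_sa_table(text):
    """List (tunnel, sa, protocol, seconds_left, reasons) for SAs needing attention."""
    findings = []
    for (tun, sa), e in sorted(parse_sa_table(text).items()):
        left = remaining_seconds(e)
        reasons = []
        if e.get("jnxIpSecSaMonState") == "expiring":
            reasons.append("state expiring: SA is on its way to being purged")
        if left <= int(e.get("jnxIpSecSaMonLifeTimeThreshold", 0)):
            reasons.append("within lifetime refresh threshold")
        if reasons:
            findings.append((tun, sa, e["jnxIpSecSaMonProtocol"], left, reasons))
    return findings
```

An SA that stays in the expiring state well past its threshold, or that is never replaced by a fresh active entry for the same tunnel, points to a stalled rekey and is worth alerting on.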