Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4T
IPsec and IKE MIB Support for Cisco VRF-Aware IPsec
Download this chapter
IPsec and IKE MIB Support for Cisco VRF-Aware IPsecIPsec and IKE MIB Support for Cisco VRF-Aware IPsec
Download the complete book
Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4TCisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4T (PDF - 8 MB)
give_us_feedback

Table Of Contents

IPsec and IKE MIB Support for
Cisco VRF-Aware IPsec

Contents

Prerequisites for IPsec and IKE MIB Support for
Cisco VRF-Aware IPsec

Information About IPsec and IKE MIB Support for
Cisco VRF-Aware IPsec

MIBs Supported by the IPsec and IKE MIB Support for
Cisco VRF-Aware IPsec Feature

How to Configure IPsec and IKE MIB Support for
Cisco VRF-Aware IPsec

How to Troubleshoot the IPsec and IKE MIB Support for Cisco VRF-Aware IPsec Feature

Configuration Examples for IPsec and IKE MIB Support for Cisco VRF-Aware IPsec

Configuration That Has Two VRFs: Examples

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference


IPsec and IKE MIB Support for
Cisco VRF-Aware IPsec

The IPsec and IKE MIB Support for Cisco VRF-Aware IPsec feature provides manageability of Virtual Private Network routing and forwarding- (VRF-) aware IP security (IPsec) using MIBs. The benefit of this feature is that VRF-aware IPsec MIBs provide the granular details of IPsec statistics and performance metrics on a VRF basis.

History for the IPsec and IKE MIB Support for Cisco VRF-Aware IPsec Feature

Release
Modification

12.4(4)T

This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for IPsec and IKE MIB Support for Cisco VRF-Aware IPsec

Information About IPsec and IKE MIB Support for Cisco VRF-Aware IPsec

How to Configure IPsec and IKE MIB Support for Cisco VRF-Aware IPsec

Configuration Examples for IPsec and IKE MIB Support for Cisco VRF-Aware IPsec

Additional References

Command Reference

Prerequisites for IPsec and IKE MIB Support for
Cisco VRF-Aware IPsec

You should be familiar with configuring Simple Network Management Protocol (SNMP).

Information About IPsec and IKE MIB Support for
Cisco VRF-Aware IPsec

To configure IPsec and MIB Support for Cisco VRF-Aware IPsec, you should understand the following concepts:

MIBs Supported by the IPsec and IKE MIB Support for Cisco VRF-Aware IPsec Feature

MIBs Supported by the IPsec and IKE MIB Support for
Cisco VRF-Aware IPsec Feature

The following MIBs are supported by the IPsec and IKE MIB Support for Cisco VRF-Aware IPsec feature:

CISCO-IPSEC-FLOW-MONITOR-MIB

CISCO-IPSEC-MIB

The CISCO-IPSEC-POLICY-MAP-MIB continues to be supported. However, because this MIB applies to the entire router rather than to a specific VPN VRF instance, it is not VRF aware; therefore, polling of the object identifiers (OIDs) that belong to this MIB is accomplished with respect to the global VRF context.

How to Configure IPsec and IKE MIB Support for
Cisco VRF-Aware IPsec

No special configuration is needed for this feature. The SNMP framework can be used to manage VRF-aware IPsec using MIBs. See the section "Configuration Examples for IPsec and IKE MIB Support for Cisco VRF-Aware IPsec" for a reference to configuring SNMP.

The following section provides information about troubleshooting this feature:

How to Troubleshoot the IPsec and IKE MIB Support for Cisco VRF-Aware IPsec Feature

How to Troubleshoot the IPsec and IKE MIB Support for Cisco VRF-Aware IPsec Feature

The following debug crypto mib command and keywords may be used to display information about the IPsec and Internet Key Exchange (IKE) MIB as it relates to Cisco VRF-aware IPsec.

SUMMARY STEPS

1. enable

2. debug crypto mib detail

3. debug crypto mib error

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug crypto mib detail

Example:

Router# debug crypto mib detail

Displays different events as they occur in the IPsec MIB subsystem.

Due consideration should be given to enabling debug crypto mib detail because the output for the detail keyword can be quite long.

Step 3 

debug crypto mib error

Example:

Router# debug crypto mib error

Displays error events in the MIB agent.

Configuration Examples for IPsec and IKE MIB Support for Cisco VRF-Aware IPsec

This section includes the following example:

Configuration That Has Two VRFs: Examples

Configuration That Has Two VRFs: Examples

The following output example is for a typical hub configuration that has two VRFs. The output is what you would see if you were to poll for the IPsec security association (SA). Router 3745b is the VRF-aware router.

Two VRFs Configured

The following output shows that two VRFs have been configured (vrf1 and vrf2). 

Router3745b# show running-config


Building configuration...


Current configuration : 6567 bytes

!

version 12.4

service timestamps debug datetime msec localtime

service timestamps log uptime

no service password-encryption

!

hostname ipsecf-3745b

!

boot-start-marker

boot-end-marker

!

no logging console

enable password lab

!

no aaa new-model

!

resource policy

!

memory-size iomem 5

clock timezone PST -8

clock summer-time PDT recurring

ip subnet-zero

ip cef

!

!

ip vrf vrf1

 rd 1:101

 context vrf-vrf1-context

 route-target export 1:101

 route-target import 1:101

!

ip vrf vrf2

 rd 2:101

 context vrf-vrf2-context

 route-target export 2:101

 route-target import 2:101

!

no ip domain lookup

!

!

crypto keyring vrf1-1 vrf vrf1

  pre-shared-key address 10.1.1.1 255.255.255.0 key vrf1-1

crypto keyring vrf2-1 vrf vrf2

  pre-shared-key address 10.1.2.1 255.255.255.0 key vrf2-1

!

!

crypto isakmp policy 1

 authentication pre-share

!

crypto isakmp policy 50

 authentication pre-share

crypto isakmp key global1-1 address 10.1.151.1

crypto isakmp key global2-1 address 10.1.152.1

crypto isakmp profile vrf1-1

   keyring vrf1-1

   match identity address 10.1.1.1 255.255.255.255 vrf1

crypto isakmp profile vrf2-1

   keyring vrf2-1

   match identity address 10.1.2.1 255.255.255.255 vrf2

!

crypto ipsec security-association lifetime kilobytes 99000

crypto ipsec security-association lifetime seconds 5000

!

crypto ipsec transform-set tset ah-sha-hmac esp-des esp-sha-hmac 

!

crypto map global1-1 10 ipsec-isakmp 

 set peer 10.1.151.1

 set transform-set tset 

 match address 151

!

crypto map global2-1 10 ipsec-isakmp 

 set peer 10.1.152.1

 set transform-set tset 

 match address 152

!

crypto map vrf1-1 10 ipsec-isakmp 

 set peer 10.1.1.1

 set transform-set tset 

 set isakmp-profile vrf1-1

 match address 101

!

crypto map vrf2-1 10 ipsec-isakmp 

 set peer 10.1.2.1

 set transform-set tset 

 set isakmp-profile vrf2-1

 match address 102

!

!

interface FastEthernet0/0

 ip address 10.1.38.25 255.255.255.0

 no ip mroute-cache

 duplex auto

 speed auto

!

interface Serial0/0

 no ip address

 shutdown

 clock rate 2000000

!

interface FastEthernet0/1

 no ip address

 no ip mroute-cache

 shutdown

 duplex auto

 speed auto

!

interface Serial0/1

 no ip address

 shutdown

 clock rate 2000000

!

interface Serial1/0

 no ip address

 encapsulation frame-relay

 no ip route-cache cef

 no ip route-cache

 no ip mroute-cache

 no keepalive

 serial restart-delay 0

 clock rate 128000

 no frame-relay inverse-arp

!

interface Serial1/0.1 point-to-point

 ip vrf forwarding vrf1

 ip address 10.3.1.1 255.255.255.0

 no ip route-cache

 frame-relay interface-dlci 21   

!

interface Serial1/0.2 point-to-point

 ip vrf forwarding vrf2

 ip address 10.3.2.1 255.255.255.0

 no ip route-cache

 frame-relay interface-dlci 22   

!

interface Serial1/0.151 point-to-point

 ip address 10.7.151.1 255.255.255.0

 no ip route-cache

 frame-relay interface-dlci 151   

!

interface Serial1/0.152 point-to-point

 ip address 10.7.152.1 255.255.255.0

 no ip route-cache

 frame-relay interface-dlci 152   

!

interface Serial1/1

 no ip address

 no ip mroute-cache

 shutdown

 serial restart-delay 0

!

interface Serial1/2

 no ip address

 encapsulation frame-relay

 no ip route-cache cef

 no ip route-cache

 no ip mroute-cache

 no keepalive

 serial restart-delay 0

 no frame-relay inverse-arp

!

interface Serial1/2.1 point-to-point

 ip vrf forwarding vrf1

 ip address 10.1.1.2 255.255.255.0

 no ip route-cache

 frame-relay interface-dlci 21   

 crypto map vrf1-1

!

interface Serial1/2.2 point-to-point

 ip vrf forwarding vrf2

 ip address 10.1.2.2 255.255.255.0

 no ip route-cache

 frame-relay interface-dlci 22   

 crypto map vrf2-1

!

interface Serial1/2.151 point-to-point

 ip address 10.5.151.2 255.255.255.0

 no ip route-cache

 frame-relay interface-dlci 151   

 crypto map global1-1

!

interface Serial1/2.152 point-to-point

 ip address 10.5.152.2 255.255.255.0

 no ip route-cache

 frame-relay interface-dlci 152   

 crypto map global2-1

!

interface Serial1/3

 no ip address

 no ip mroute-cache

 shutdown

 serial restart-delay 0

!

ip default-gateway 10.1.38.1

ip classless

ip route 10.1.1.6 255.255.255.255 10.1.151.1

ip route 10.2.1.6 255.255.255.255 10.1.152.1

ip route 10.6.2.1 255.255.255.255 10.7.151.2

ip route 10.6.2.2 255.255.255.255 10.7.152.2

ip route 172.19.216.110 255.255.255.255 FastEthernet0/0

ip route vrf vrf1 10.20.1.1 255.255.255.255 10.1.1.1

ip route vrf vrf1 10.22.1.1 255.255.255.255 10.30.1.1

ip route vrf vrf2 10.20.2.1 255.255.255.255 10.1.2.1

ip route vrf vrf2 10.22.2.1 255.255.255.255 10.30.1.2

!

!

ip http server

no ip http secure-server

!

ip access-list standard vrf-vrf1-context

ip access-list standard vrf-vrf2-context

!

access-list 101 permit ip host 10.22.1.1 host 10.20.1.1

access-list 102 permit ip host 10.22.2.1 host 10.20.2.1

access-list 151 permit ip host 10.6.2.1 host 10.1.1.6

access-list 152 permit ip host 10.6.2.2 host 10.2.1.6

snmp-server group abc1 v2c context vrf-vrf1-context read view_vrf1 notify 
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F access vrf-vrf1-context

snmp-server group abc2 v2c context vrf-vrf2-context read view_vrf2 notify 
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F access vrf-vrf2-context

snmp-server view view_vrf1 iso included

snmp-server view view_vrf2 iso included

snmp-server community abc1 RW

snmp-server community global1 RW

snmp-server community abc2 RW

snmp-server community global2 RW

snmp-server enable traps tty

snmp-server enable traps config

snmp-server host 172.19.216.110 version 2c abc1 

snmp-server host 172.19.216.110 vrf vrf1 version 2c abc1 udp-port 2001  ipsec isakmp

snmp-server host 172.19.216.110 version 2c abc2 

snmp-server host 172.19.216.110 vrf vrf2 version 2c abc2 udp-port 2002  ipsec isakmp

snmp-server context vrf-vrf1-context

snmp-server context vrf-vrf2-context

!

!

snmp mib community-map  abc1 context vrf-vrf1-context

snmp mib community-map  abc2 context vrf-vrf2-context

!

!

control-plane

!

!

line con 0

 exec-timeout 0 0

line aux 0

line vty 0 4

 login

!

!

webvpn context Default_context

 ssl authenticate verify all

 !

 no inservice

!

!

end

Both VRFs Cleared

The following output, for abc1 and abc2, shows that both VRFs have been "cleared" to ensure that all the counters are initialized to a known value.

The following output shows that VRF abc1 has been cleared: 

orcas:2> setenv SR_MGR_CONF /users/green1

orcas:3> setenv SR_UTIL_SNMP_VERSION v2c

orcas:5> setenv SR_UTIL_COMMUNITY abc1

orcas:6> setenv SR_MGR_CONF_DIR /users/green1


orcas:7> /auto/sw/packages/snmpr/10.14.2.0/solaris2bin/getmany -v2c 10.1.38.25 
cipSecMIBObjects


cipSecMibLevel.0 = 1

cikeGlobalActiveTunnels.0 = 0

cikeGlobalPreviousTunnels.0 = 0

cikeGlobalInOctets.0 = 0

cikeGlobalInPkts.0 = 0

cikeGlobalInDropPkts.0 = 0

cikeGlobalInNotifys.0 = 0

cikeGlobalInP2Exchgs.0 = 0

cikeGlobalInP2ExchgInvalids.0 = 0

cikeGlobalInP2ExchgRejects.0 = 0

cikeGlobalInP2SaDelRequests.0 = 0

cikeGlobalOutOctets.0 = 0

cikeGlobalOutPkts.0 = 0

cikeGlobalOutDropPkts.0 = 0

cikeGlobalOutNotifys.0 = 0

cikeGlobalOutP2Exchgs.0 = 0

cikeGlobalOutP2ExchgInvalids.0 = 0

cikeGlobalOutP2ExchgRejects.0 = 0

cikeGlobalOutP2SaDelRequests.0 = 0

cikeGlobalInitTunnels.0 = 0

cikeGlobalInitTunnelFails.0 = 0

cikeGlobalRespTunnelFails.0 = 0

cikeGlobalSysCapFails.0 = 0

cikeGlobalAuthFails.0 = 0

cikeGlobalDecryptFails.0 = 0

cikeGlobalHashValidFails.0 = 0

cikeGlobalNoSaFails.0 = 0

cipSecGlobalActiveTunnels.0 = 0

cipSecGlobalPreviousTunnels.0 = 0

cipSecGlobalInOctets.0 = 0

cipSecGlobalHcInOctets.0 = 0x00

cipSecGlobalInOctWraps.0 = 0

cipSecGlobalInDecompOctets.0 = 0

cipSecGlobalHcInDecompOctets.0 = 0x00

cipSecGlobalInDecompOctWraps.0 = 0

cipSecGlobalInPkts.0 = 0

cipSecGlobalInDrops.0 = 0

cipSecGlobalInReplayDrops.0 = 0

cipSecGlobalInAuths.0 = 0

cipSecGlobalInAuthFails.0 = 0

cipSecGlobalInDecrypts.0 = 0

cipSecGlobalInDecryptFails.0 = 0

cipSecGlobalOutOctets.0 = 0

cipSecGlobalHcOutOctets.0 = 0x00

cipSecGlobalOutOctWraps.0 = 0

cipSecGlobalOutUncompOctets.0 = 0

cipSecGlobalHcOutUncompOctets.0 = 0x00

cipSecGlobalOutUncompOctWraps.0 = 0

cipSecGlobalOutPkts.0 = 0

cipSecGlobalOutDrops.0 = 0

cipSecGlobalOutAuths.0 = 0

cipSecGlobalOutAuthFails.0 = 0

cipSecGlobalOutEncrypts.0 = 0

cipSecGlobalOutEncryptFails.0 = 0

cipSecGlobalProtocolUseFails.0 = 0

cipSecGlobalNoSaFails.0 = 0

cipSecGlobalSysCapFails.0 = 0

cipSecHistTableSize.0 = 200

cipSecHistCheckPoint.0 = ready(1)

cipSecFailTableSize.0 = 200

cipSecTrapCntlIkeTunnelStart.0 = enabled(1)

cipSecTrapCntlIkeTunnelStop.0 = enabled(1)

cipSecTrapCntlIkeSysFailure.0 = disabled(2)

cipSecTrapCntlIkeCertCrlFailure.0 = disabled(2)

cipSecTrapCntlIkeProtocolFail.0 = disabled(2)

cipSecTrapCntlIkeNoSa.0 = disabled(2)

cipSecTrapCntlIpSecTunnelStart.0 = enabled(1)

cipSecTrapCntlIpSecTunnelStop.0 = enabled(1)

cipSecTrapCntlIpSecSysFailure.0 = disabled(2)

cipSecTrapCntlIpSecSetUpFailure.0 = disabled(2)

cipSecTrapCntlIpSecEarlyTunTerm.0 = disabled(2)

cipSecTrapCntlIpSecProtocolFail.0 = disabled(2)

cipSecTrapCntlIpSecNoSa.0 = disabled(2)

The following output shows that VRF abc2 has been cleared: 

orcas:8> setenv SR_UTIL_COMMUNITY abc2

orcas:9> /auto/sw/packages/snmpr/14.2.0.0/solaris2bin/getmany -v2c 10.1.38.25 
cipSecMIBObjects

cipSecMibLevel.0 = 1

cikeGlobalActiveTunnels.0 = 0

cikeGlobalPreviousTunnels.0 = 0

cikeGlobalInOctets.0 = 0

cikeGlobalInPkts.0 = 0

cikeGlobalInDropPkts.0 = 0

cikeGlobalInNotifys.0 = 0

cikeGlobalInP2Exchgs.0 = 0

cikeGlobalInP2ExchgInvalids.0 = 0

cikeGlobalInP2ExchgRejects.0 = 0

cikeGlobalInP2SaDelRequests.0 = 0

cikeGlobalOutOctets.0 = 0

cikeGlobalOutPkts.0 = 0

cikeGlobalOutDropPkts.0 = 0

cikeGlobalOutNotifys.0 = 0

cikeGlobalOutP2Exchgs.0 = 0

cikeGlobalOutP2ExchgInvalids.0 = 0

cikeGlobalOutP2ExchgRejects.0 = 0

cikeGlobalOutP2SaDelRequests.0 = 0

cikeGlobalInitTunnels.0 = 0

cikeGlobalInitTunnelFails.0 = 0

cikeGlobalRespTunnelFails.0 = 0

cikeGlobalSysCapFails.0 = 0

cikeGlobalAuthFails.0 = 0

cikeGlobalDecryptFails.0 = 0

cikeGlobalHashValidFails.0 = 0

cikeGlobalNoSaFails.0 = 0

cipSecGlobalActiveTunnels.0 = 0

cipSecGlobalPreviousTunnels.0 = 0

cipSecGlobalInOctets.0 = 0

cipSecGlobalHcInOctets.0 = 0x00

cipSecGlobalInOctWraps.0 = 0

cipSecGlobalInDecompOctets.0 = 0

cipSecGlobalHcInDecompOctets.0 = 0x00

cipSecGlobalInDecompOctWraps.0 = 0

cipSecGlobalInPkts.0 = 0

cipSecGlobalInDrops.0 = 0

cipSecGlobalInReplayDrops.0 = 0

cipSecGlobalInAuths.0 = 0

cipSecGlobalInAuthFails.0 = 0

cipSecGlobalInDecrypts.0 = 0

cipSecGlobalInDecryptFails.0 = 0

cipSecGlobalOutOctets.0 = 0

cipSecGlobalHcOutOctets.0 = 0x00

cipSecGlobalOutOctWraps.0 = 0

cipSecGlobalOutUncompOctets.0 = 0

cipSecGlobalHcOutUncompOctets.0 = 0x00

cipSecGlobalOutUncompOctWraps.0 = 0

cipSecGlobalOutPkts.0 = 0

cipSecGlobalOutDrops.0 = 0

cipSecGlobalOutAuths.0 = 0

cipSecGlobalOutAuthFails.0 = 0

cipSecGlobalOutEncrypts.0 = 0

cipSecGlobalOutEncryptFails.0 = 0

cipSecGlobalProtocolUseFails.0 = 0

cipSecGlobalNoSaFails.0 = 0

cipSecGlobalSysCapFails.0 = 0

cipSecHistTableSize.0 = 200

cipSecHistCheckPoint.0 = ready(1)

cipSecFailTableSize.0 = 200

cipSecTrapCntlIkeTunnelStart.0 = enabled(1)

cipSecTrapCntlIkeTunnelStop.0 = enabled(1)

cipSecTrapCntlIkeSysFailure.0 = disabled(2)

cipSecTrapCntlIkeCertCrlFailure.0 = disabled(2)

cipSecTrapCntlIkeProtocolFail.0 = disabled(2)

cipSecTrapCntlIkeNoSa.0 = disabled(2)

cipSecTrapCntlIpSecTunnelStart.0 = enabled(1)

cipSecTrapCntlIpSecTunnelStop.0 = enabled(1)

cipSecTrapCntlIpSecSysFailure.0 = disabled(2)

cipSecTrapCntlIpSecSetUpFailure.0 = disabled(2)

cipSecTrapCntlIpSecEarlyTunTerm.0 = disabled(2)

cipSecTrapCntlIpSecProtocolFail.0 = disabled(2)

cipSecTrapCntlIpSecNoSa.0 = disabled(2)

orcas:10> 

orcas:10> 

orcas:10>

VRF abc1 Pinged

The following output shows that VRF abc1 has been pinged: 

Router3745a# ping


Protocol [ip]: 

Target IP address: 10.22.1.1

Repeat count [5]: 

Datagram size [100]: 

Timeout in seconds [2]: 

Extended commands [n]: y

Source address or interface: 10.20.1.1

Type of service [0]: 

Set DF bit in IP header? [no]: 

Validate reply data? [no]: 

Data pattern [0xABCD]: 

Loose, Strict, Record, Timestamp, Verbose[none]: 

Sweep range of sizes [n]: 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.22.1.1, timeout is 2 seconds:

Packet sent with a source address of 10.20.1.1

VRF abc1 Polled

Polling VRF abc1 results in the following output:

Note After the ping, the counters should show some nonzero values. 

orcas:10> 

orcas:12> setenv SR_UTIL_COMMUNITY abc1

orcas:13> /auto/sw/packages/snmpr/10.14.2.0/solaris2bin/getmany -v2c 10.1.38.25 
cipSecMIBObjects

cipSecMibLevel.0 = 1

cikeGlobalActiveTunnels.0 = 1

cikeGlobalPreviousTunnels.0 = 0

cikeGlobalInOctets.0 = 336

cikeGlobalInPkts.0 = 2

cikeGlobalInDropPkts.0 = 0

cikeGlobalInNotifys.0 = 1

cikeGlobalInP2Exchgs.0 = 2

cikeGlobalInP2ExchgInvalids.0 = 0

cikeGlobalInP2ExchgRejects.0 = 0

cikeGlobalInP2SaDelRequests.0 = 0

cikeGlobalOutOctets.0 = 344

cikeGlobalOutPkts.0 = 2

cikeGlobalOutDropPkts.0 = 0

cikeGlobalOutNotifys.0 = 0

cikeGlobalOutP2Exchgs.0 = 1

cikeGlobalOutP2ExchgInvalids.0 = 0

cikeGlobalOutP2ExchgRejects.0 = 0

cikeGlobalOutP2SaDelRequests.0 = 0

cikeGlobalInitTunnels.0 = 0

cikeGlobalInitTunnelFails.0 = 0

cikeGlobalRespTunnelFails.0 = 0

cikeGlobalSysCapFails.0 = 0

cikeGlobalAuthFails.0 = 0

cikeGlobalDecryptFails.0 = 0

cikeGlobalHashValidFails.0 = 0

cikeGlobalNoSaFails.0 = 0

cikePeerLocalAddr.1.15.48.49.48.46.48.48.49.46.48.48.49.46.48.48.50.1.15.48.49.48.46.48.48
.49.46.48.48.49.46.48.48.49.1 = 0a 01  01 02   

cikePeerRemoteAddr.1.15.48.49.48.46.48.48.49.46.48.48.49.46.48.48.50.1.15.48.49.48.46.48.4
8.49.46.48.48.49.46.48.48.49.1 = 0a 01  01 01   

cikePeerActiveTime.1.15.48.49.48.46.48.48.49.46.48.48.49.46.48.48.50.1.15.48.49.48.46.48.4
8.49.46.48.48.49.46.48.48.49.1 = 13743

cikePeerActiveTunnelIndex.1.15.48.49.48.46.48.48.49.46.48.48.49.46.48.48.50.1.15.48.49.48.
46.48.48.49.46.48.48.49.46.48.48.49.1 = 1

cikeTunLocalType.1 = ipAddrPeer(1)

cikeTunLocalValue.1 = 010.001.001.002

cikeTunLocalAddr.1 = 0a 01  01 02   

cikeTunLocalName.1 = ipsecf-3745b

cikeTunRemoteType.1 = ipAddrPeer(1)

cikeTunRemoteValue.1 = 010.001.001.001

cikeTunRemoteAddr.1 = 0a 01  01 01   

cikeTunRemoteName.1 = 

cikeTunNegoMode.1 = main(1)

cikeTunDiffHellmanGrp.1 = dhGroup1(2)

cikeTunEncryptAlgo.1 = des(2)

cikeTunHashAlgo.1 = sha(3)

cikeTunAuthMethod.1 = preSharedKey(2)

cikeTunLifeTime.1 = 86400

cikeTunActiveTime.1 = 13752

cikeTunSaRefreshThreshold.1 = 0

cikeTunTotalRefreshes.1 = 0

cikeTunInOctets.1 = 336

cikeTunInPkts.1 = 2

cikeTunInDropPkts.1 = 0

cikeTunInNotifys.1 = 1

cikeTunInP2Exchgs.1 = 2

cikeTunInP2ExchgInvalids.1 = 0

cikeTunInP2ExchgRejects.1 = 0

cikeTunInP2SaDelRequests.1 = 0

cikeTunOutOctets.1 = 344

cikeTunOutPkts.1 = 2

cikeTunOutDropPkts.1 = 0

cikeTunOutNotifys.1 = 0

cikeTunOutP2Exchgs.1 = 1

cikeTunOutP2ExchgInvalids.1 = 0

cikeTunOutP2ExchgRejects.1 = 0

cikeTunOutP2SaDelRequests.1 = 0

cikeTunStatus.1 = active(1)

cikePeerCorrIpSecTunIndex.1.15.48.49.48.46.48.48.49.46.48.48.49.46.48.48.50.1.15.48.49.48.
46.48.48.49.46.48.48.49.46.48.48.49.1.1 = 1

cipSecGlobalActiveTunnels.0 = 1

cipSecGlobalPreviousTunnels.0 = 0

cipSecGlobalInOctets.0 = 400

cipSecGlobalHcInOctets.0 = 0x0190

cipSecGlobalInOctWraps.0 = 0

cipSecGlobalInDecompOctets.0 = 400

cipSecGlobalHcInDecompOctets.0 = 0x0190

cipSecGlobalInDecompOctWraps.0 = 0

cipSecGlobalInPkts.0 = 4

cipSecGlobalInDrops.0 = 0

cipSecGlobalInReplayDrops.0 = 0

cipSecGlobalInAuths.0 = 4

cipSecGlobalInAuthFails.0 = 0

cipSecGlobalInDecrypts.0 = 4

cipSecGlobalInDecryptFails.0 = 0

cipSecGlobalOutOctets.0 = 704

cipSecGlobalHcOutOctets.0 = 0x02c0

cipSecGlobalOutOctWraps.0 = 0

cipSecGlobalOutUncompOctets.0 = 704

cipSecGlobalHcOutUncompOctets.0 = 0x02c0

cipSecGlobalOutUncompOctWraps.0 = 0

cipSecGlobalOutPkts.0 = 4

cipSecGlobalOutDrops.0 = 0

cipSecGlobalOutAuths.0 = 4

cipSecGlobalOutAuthFails.0 = 0

cipSecGlobalOutEncrypts.0 = 4

cipSecGlobalOutEncryptFails.0 = 0

cipSecGlobalProtocolUseFails.0 = 0

cipSecGlobalNoSaFails.0 = 0

cipSecGlobalSysCapFails.0 = 0

cipSecTunIkeTunnelIndex.1 = 1

cipSecTunIkeTunnelAlive.1 = true(1)

cipSecTunLocalAddr.1 = 0a 01  01 02   

cipSecTunRemoteAddr.1 = 0a 01  01 01   

cipSecTunKeyType.1 = ike(1)

cipSecTunEncapMode.1 = tunnel(1)

cipSecTunLifeSize.1 = 99000

cipSecTunLifeTime.1 = 5000

cipSecTunActiveTime.1 = 13749

cipSecTunSaLifeSizeThreshold.1 = 64

cipSecTunSaLifeTimeThreshold.1 = 10

cipSecTunTotalRefreshes.1 = 0

cipSecTunExpiredSaInstances.1 = 0

cipSecTunCurrentSaInstances.1 = 4

cipSecTunInSaDiffHellmanGrp.1 = dhGroup1(2)

cipSecTunInSaEncryptAlgo.1 = des(2)

cipSecTunInSaAhAuthAlgo.1 = hmacSha(3)

cipSecTunInSaEspAuthAlgo.1 = hmacSha(3)

cipSecTunInSaDecompAlgo.1 = none(1)

cipSecTunOutSaDiffHellmanGrp.1 = dhGroup1(2)

cipSecTunOutSaEncryptAlgo.1 = des(2)

cipSecTunOutSaAhAuthAlgo.1 = hmacSha(3)

cipSecTunOutSaEspAuthAlgo.1 = hmacSha(3)

cipSecTunOutSaCompAlgo.1 = none(1)

cipSecTunInOctets.1 = 400

cipSecTunHcInOctets.1 = 0x0190

cipSecTunInOctWraps.1 = 0

cipSecTunInDecompOctets.1 = 400

cipSecTunHcInDecompOctets.1 = 0x0190

cipSecTunInDecompOctWraps.1 = 0

cipSecTunInPkts.1 = 4

cipSecTunInDropPkts.1 = 0

cipSecTunInReplayDropPkts.1 = 0

cipSecTunInAuths.1 = 4

cipSecTunInAuthFails.1 = 0

cipSecTunInDecrypts.1 = 4

cipSecTunInDecryptFails.1 = 0

cipSecTunOutOctets.1 = 704

cipSecTunHcOutOctets.1 = 0x02c0

cipSecTunOutOctWraps.1 = 0

cipSecTunOutUncompOctets.1 = 704

cipSecTunHcOutUncompOctets.1 = 0x02c0

cipSecTunOutUncompOctWraps.1 = 0

cipSecTunOutPkts.1 = 4

cipSecTunOutDropPkts.1 = 0

cipSecTunOutAuths.1 = 4

cipSecTunOutAuthFails.1 = 0

cipSecTunOutEncrypts.1 = 4

cipSecTunOutEncryptFails.1 = 0

cipSecTunStatus.1 = active(1)

cipSecEndPtLocalName.1.1 = 

cipSecEndPtLocalType.1.1 = singleIpAddr(1)

cipSecEndPtLocalAddr1.1.1 = 16 01  01 01   

cipSecEndPtLocalAddr2.1.1 = 16 01  01 01   

cipSecEndPtLocalProtocol.1.1 = 0

cipSecEndPtLocalPort.1.1 = 0

cipSecEndPtRemoteName.1.1 = 

cipSecEndPtRemoteType.1.1 = singleIpAddr(1)

cipSecEndPtRemoteAddr1.1.1 = 14 01  01 01   

cipSecEndPtRemoteAddr2.1.1 = 14 01  01 01   

cipSecEndPtRemoteProtocol.1.1 = 0

cipSecEndPtRemotePort.1.1 = 0

cipSecSpiDirection.1.1 = in(1)

cipSecSpiDirection.1.2 = out(2)

cipSecSpiDirection.1.3 = in(1)

cipSecSpiDirection.1.4 = out(2)

cipSecSpiValue.1.1 = 3891970674

cipSecSpiValue.1.2 = 1963217493

cipSecSpiValue.1.3 = 3691920464

cipSecSpiValue.1.4 = 3458912974

cipSecSpiProtocol.1.1 = ah(1)

cipSecSpiProtocol.1.2 = ah(1)

cipSecSpiProtocol.1.3 = esp(2)

cipSecSpiProtocol.1.4 = esp(2)

cipSecSpiStatus.1.1 = active(1)

cipSecSpiStatus.1.2 = active(1)

cipSecSpiStatus.1.3 = active(1)

cipSecSpiStatus.1.4 = active(1)

cipSecHistTableSize.0 = 200

cipSecHistCheckPoint.0 = ready(1)

cipSecFailTableSize.0 = 200

cipSecTrapCntlIkeTunnelStart.0 = enabled(1)

cipSecTrapCntlIkeTunnelStop.0 = enabled(1)

cipSecTrapCntlIkeSysFailure.0 = disabled(2)

cipSecTrapCntlIkeCertCrlFailure.0 = disabled(2)

cipSecTrapCntlIkeProtocolFail.0 = disabled(2)

cipSecTrapCntlIkeNoSa.0 = disabled(2)

cipSecTrapCntlIpSecTunnelStart.0 = enabled(1)

cipSecTrapCntlIpSecTunnelStop.0 = enabled(1)

cipSecTrapCntlIpSecSysFailure.0 = disabled(2)

cipSecTrapCntlIpSecSetUpFailure.0 = disabled(2)

cipSecTrapCntlIpSecEarlyTunTerm.0 = disabled(2)

cipSecTrapCntlIpSecProtocolFail.0 = disabled(2)

cipSecTrapCntlIpSecNoSa.0 = disabled(2)

orcas:14> 

orcas:14> 

orcas:14>

VRF abc2 Polled

Polling VRF abc2 results in the following output:

Note The ping was completed for VRF abc1 only. Therefore, the counters of VRF abc2 should remain in the initialized state. 

setenv SR_UTIL_COMMUNITY abc2

orcas:15> 

orcas:15> /auto/sw/packages/snmpr/10.14.2.0/solaris2bin/getmany -v2c 10.1.38.25 
cipSecMIBObjects

cipSecMibLevel.0 = 1

cikeGlobalActiveTunnels.0 = 0

cikeGlobalPreviousTunnels.0 = 0

cikeGlobalInOctets.0 = 0

cikeGlobalInPkts.0 = 0

cikeGlobalInDropPkts.0 = 0

cikeGlobalInNotifys.0 = 0

cikeGlobalInP2Exchgs.0 = 0

cikeGlobalInP2ExchgInvalids.0 = 0

cikeGlobalInP2ExchgRejects.0 = 0

cikeGlobalInP2SaDelRequests.0 = 0

cikeGlobalOutOctets.0 = 0

cikeGlobalOutPkts.0 = 0

cikeGlobalOutDropPkts.0 = 0

cikeGlobalOutNotifys.0 = 0

cikeGlobalOutP2Exchgs.0 = 0

cikeGlobalOutP2ExchgInvalids.0 = 0

cikeGlobalOutP2ExchgRejects.0 = 0

cikeGlobalOutP2SaDelRequests.0 = 0

cikeGlobalInitTunnels.0 = 0

cikeGlobalInitTunnelFails.0 = 0

cikeGlobalRespTunnelFails.0 = 0

cikeGlobalSysCapFails.0 = 0

cikeGlobalAuthFails.0 = 0

cikeGlobalDecryptFails.0 = 0

cikeGlobalHashValidFails.0 = 0

cikeGlobalNoSaFails.0 = 0

cipSecGlobalActiveTunnels.0 = 0

cipSecGlobalPreviousTunnels.0 = 0

cipSecGlobalInOctets.0 = 0

cipSecGlobalHcInOctets.0 = 0x00

cipSecGlobalInOctWraps.0 = 0

cipSecGlobalInDecompOctets.0 = 0

cipSecGlobalHcInDecompOctets.0 = 0x00

cipSecGlobalInDecompOctWraps.0 = 0

cipSecGlobalInPkts.0 = 0

cipSecGlobalInDrops.0 = 0

cipSecGlobalInReplayDrops.0 = 0

cipSecGlobalInAuths.0 = 0

cipSecGlobalInAuthFails.0 = 0

cipSecGlobalInDecrypts.0 = 0

cipSecGlobalInDecryptFails.0 = 0

cipSecGlobalOutOctets.0 = 0

cipSecGlobalHcOutOctets.0 = 0x00

cipSecGlobalOutOctWraps.0 = 0

cipSecGlobalOutUncompOctets.0 = 0

cipSecGlobalHcOutUncompOctets.0 = 0x00

cipSecGlobalOutUncompOctWraps.0 = 0

cipSecGlobalOutPkts.0 = 0

cipSecGlobalOutDrops.0 = 0

cipSecGlobalOutAuths.0 = 0

cipSecGlobalOutAuthFails.0 = 0

cipSecGlobalOutEncrypts.0 = 0

cipSecGlobalOutEncryptFails.0 = 0

cipSecGlobalProtocolUseFails.0 = 0

cipSecGlobalNoSaFails.0 = 0

cipSecGlobalSysCapFails.0 = 0

cipSecHistTableSize.0 = 200

cipSecHistCheckPoint.0 = ready(1)

cipSecFailTableSize.0 = 200

cipSecTrapCntlIkeTunnelStart.0 = enabled(1)

cipSecTrapCntlIkeTunnelStop.0 = enabled(1)

cipSecTrapCntlIkeSysFailure.0 = disabled(2)

cipSecTrapCntlIkeCertCrlFailure.0 = disabled(2)

cipSecTrapCntlIkeProtocolFail.0 = disabled(2)

cipSecTrapCntlIkeNoSa.0 = disabled(2)

cipSecTrapCntlIpSecTunnelStart.0 = enabled(1)

cipSecTrapCntlIpSecTunnelStop.0 = enabled(1)

cipSecTrapCntlIpSecSysFailure.0 = disabled(2)

cipSecTrapCntlIpSecSetUpFailure.0 = disabled(2)

cipSecTrapCntlIpSecEarlyTunTerm.0 = disabled(2)

cipSecTrapCntlIpSecProtocolFail.0 = disabled(2)

cipSecTrapCntlIpSecNoSa.0 = disabled(2)

orcas:16>

Additional References

The following sections provide references related to the IPsec and IKE MIB Support for
Cisco VRF-Aware IPsec feature.

Related Documents

Related Topic
Document Title

Cisco IOS commands by technology

Cisco IOS Release Command References

Cisco IOS master commands list

Master Command List

Configuring SNMP

The chapter "Configuring SNMP Support" in the Cisco IOS Network Management Configuration Guide.

Configuring VRF-Aware IPsec

VRF-Aware IPSec


Standards

Standard
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIB
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Command Reference

The following commands are introduced or modified in the feature or features

debug crypto mib

For information about these commands, see the Cisco IOS Security Command Reference at

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.

For information about all Cisco IOS commands, see the Command Lookup Tool at

http://tools.cisco.com/Support/CLILookup or the Master Command List.

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video (Design), Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0907R)


Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2009 Cisco Systems, Inc. All rights reserved.