ipsecTunnelTable
1.3.6.1.4.1.838.3.14.1.4
The tunnel table is used to configure and monitor VPN
tunnels. There are two cases here: site-to-site and remote
dial-in. For site-to-site VPN the entry in the tunnel table
must be configured. There are two types of tunnels: static
tunnels and dynamic tunnels. When dynamic tunnels are
configured and become operational, the ISAKMP protocol
creates an SA pair, one inbound and one outbound.
When static tunnels are configured, the inbound and outbound
SAs must be created through network management. In this
case the key and the peer SPI (Security Parameter Index)
must be set for each SA.
Static SAs are like ATM PVCs. Dynamic SAs are like ATM SVCs.
All dial-in clients are organized into user groups. One or
more users (dial-in clients) may be in a group. All dial-in
users that are members of the same group get the same security
attributes. Actual users may be configured either internally
(in the ipsecRemoteClient table) or in an external database
such as an X.500 directory, RADIUS, etc. The administrator has
the option of defining a Default group. Users that do not have
any user group membership are assigned to the Default group.
For remote dial-in VPNs, the tunnel entries are first
statically configured for every defined user group, for
example XediaEngineering. Tunnels for individual users in
the group are created automatically when a user of the group
initiates a connection. These automatically created remote
client tunnels are 'children' of the statically configured
'parent' user group tunnel. The name of an automatically
created dial-in tunnel (which must be unique) is constructed
as follows: tunnelName.userName, for example
XediaEngineering.schwartz.
For site-to-site and dial-in-group tunnel VPNs, access to the
objects is as specified for each object. For dial-in 'children'
tunnel VPNs, which are automatically created by the system, all
objects are read-only except ipsecTunnelAdminStatus. This object
has write access; setting it to down tears down the user's
dial-in session, i.e. all security associations for this
dial-in client are deleted.
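The following is an added example, not Xedia code or part of this MIB: a small Python model of the tunnel-table semantics described above (static SAs keyed by management, dynamic SAs installed by ISAKMP, child tunnels named tunnelName.userName, children read-only except ipsecTunnelAdminStatus, and SA deletion on down). The class and method names, the SA fields, and the attribute handling for parent rows are assumptions made for illustration; only the column name ipsecTunnelAdminStatus and the XediaEngineering.schwartz naming come from the text.

```python
# Added example (not Xedia code): a model of the ipsecTunnelTable semantics.
# Class/method names and SA fields are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional


class AccessError(Exception):
    """Raised when a SET targets a read-only object of a child tunnel."""


@dataclass
class SecurityAssociation:
    direction: str   # "inbound" or "outbound"
    spi: int         # Security Parameter Index (32-bit, nonzero)
    key: bytes


@dataclass
class TunnelEntry:
    name: str
    kind: str                      # "static", "dynamic" or "dial-in-group"
    admin_status: str = "up"
    parent: Optional[str] = None   # set only on auto-created dial-in children
    sas: Dict[str, SecurityAssociation] = field(default_factory=dict)
    attributes: Dict[str, str] = field(default_factory=dict)  # other columns

    def is_child(self) -> bool:
        return self.parent is not None


def _check_spi(spi: int) -> None:
    # SPI is a 32-bit field; 0 is reserved and never a valid peer SPI.
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {spi!r} out of range")


class TunnelTable:
    def __init__(self) -> None:
        self.entries: Dict[str, TunnelEntry] = {}

    def _add(self, entry: TunnelEntry) -> TunnelEntry:
        if entry.name in self.entries:
            raise ValueError(f"tunnel name {entry.name!r} must be unique")
        self.entries[entry.name] = entry
        return entry

    def add_static(self, name, in_spi, in_key, out_spi, out_key) -> TunnelEntry:
        """Static tunnel (the ATM PVC case): both SAs are created by
        management, so key and peer SPI must be supplied up front."""
        for spi, key in ((in_spi, in_key), (out_spi, out_key)):
            _check_spi(spi)
            if not key:
                raise ValueError("static SA requires a key")
        entry = TunnelEntry(name, "static")
        entry.sas["inbound"] = SecurityAssociation("inbound", in_spi, in_key)
        entry.sas["outbound"] = SecurityAssociation("outbound", out_spi, out_key)
        return self._add(entry)

    def add_dynamic(self, name) -> TunnelEntry:
        """Dynamic tunnel (the ATM SVC case): no SAs until ISAKMP negotiates."""
        return self._add(TunnelEntry(name, "dynamic"))

    def add_dialin_group(self, name) -> TunnelEntry:
        """Statically configured 'parent' entry for a dial-in user group."""
        return self._add(TunnelEntry(name, "dial-in-group"))

    def isakmp_negotiated(self, name, in_spi, in_key, out_spi, out_key) -> None:
        """Install the SA pair ISAKMP produced for a dynamic or child tunnel."""
        entry = self.entries[name]
        if entry.kind != "dynamic":
            raise ValueError("only dynamic tunnels are keyed by ISAKMP")
        _check_spi(in_spi)
        _check_spi(out_spi)
        entry.sas["inbound"] = SecurityAssociation("inbound", in_spi, in_key)
        entry.sas["outbound"] = SecurityAssociation("outbound", out_spi, out_key)

    def client_connect(self, group, user) -> str:
        """A dial-in user of `group` connects: create the child entry named
        tunnelName.userName; the name must be unique in the table."""
        parent = self.entries[group]
        if parent.kind != "dial-in-group" or parent.admin_status != "up":
            raise ValueError(f"{group!r} is not an active dial-in group")
        child = TunnelEntry(f"{group}.{user}", "dynamic", parent=group)
        return self._add(child).name

    def set_object(self, name, obj, value) -> None:
        """SNMP SET on one column of a row. Children are read-only except
        ipsecTunnelAdminStatus; setting it to 'down' deletes the client's SAs."""
        entry = self.entries[name]
        if entry.is_child() and obj != "ipsecTunnelAdminStatus":
            raise AccessError(f"{obj} is read-only on child tunnel {name!r}")
        if obj == "ipsecTunnelAdminStatus":
            if value not in ("up", "down"):
                raise ValueError("adminStatus must be 'up' or 'down'")
            entry.admin_status = value
            if value == "down":
                entry.sas.clear()   # tear down the session: all SAs deleted
        else:
            entry.attributes[obj] = value  # assumed writable on parent/site rows
```

In use, add_static refuses a row whose SAs lack a key or a nonzero SPI, client_connect("XediaEngineering", "schwartz") yields the child name XediaEngineering.schwartz and refuses a second connection under the same name, and a SET of anything but ipsecTunnelAdminStatus on that child raises AccessError.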