[strongSwan-dev] SNMP and Strongswan

Philip Prindeville philipp_subx at redfish-solutions.com
Tue Mar 3 18:50:46 CET 2015

On Mar 3, 2015, at 1:59 AM, Gerd v. Egidy <lists at egidy.de> wrote:

> Hi Philip,
>> I'm looking at adding MIB support (because a client requested it) and
>> wondering what prior work anyone else had done in this realm.
>> I've seen that there's an RFC (4807) for SPD configuration, but I've not
>> found an IPsec SA MIB.
> I've done a bit of research and found that there is no standard that is used 
> by several vendors.
> Cisco, Checkpoint, Watchguard all have their own, vendor specific MIB to 
> monitor IPSec.
> Sophos (ex Astaro) don't have it, as they are using Strongswan internally, it 
> would have been handy.
> I couldn't find any SNMP support for the other opensource IPSec stacks 
> KAME/Racoon and OpenSWAN.
> So unless you are accustomed to IETF work and have the time to write, edit and 
> argue an RFC, I'd suggest to do it like the others and create a Strongswan 
> specific MIB.
> Kind regards,
> Gerd

As it turns out, I am accustomed to IETF work (RFC-1048 and RFC-1051) though it’s been a while, obviously.  I was on the MIB WG back in the 90’s, and worked on the IGMP MIB and an XNS MIB that died a slow death (the writing was on the wall back then that everything was converging on IP anyway).

I’ll need to ask my employer if I can throw the cycles at this.

We could always come up with a generic enough MIB of our own, implement it, and then try to argue it with the IETF… and if it gets approved, it’s a simple matter to change the root of the OID tree to the IANA assigned string…

