Interface and area IPsec considerations
This section describes the precedence of interface and area IPsec congurations.
If you congure an interface IPsec by using the ipv6 ospf authentication command in the context of a specic interface, that interface’s
IPsec conguration overrides the area conguration of IPsec.
If you congure IPsec for an area, all interfaces that utilize the area-wide IPsec (where interface-specic IPsec is not congured)
nevertheless receive an SPD entry (and SPDID number) that is unique for the interface.
The area-wide SPI that you specify is a constant for all interfaces in the area that use the area IPsec, but the use of dierent interfaces
results in an SPDID and an SA that are unique to each interface. The security policy database depends partly on the source IP address,
so a unique SPD for each interface results.
Considerations for IPsec on virtual links
The IPsec
conguration for a virtual link is global, so only one security association database and one security policy database exist for
virtual links if you choose to congure IPsec for virtual links.
The virtual link IPsec SAs and policies are added to all interfaces of the transit area for the outbound direction. For the inbound direction,
IPsec SAs and policies for virtual links are added to the global database.
NOTE
The security association (SA), security protocol index (SPI), security protocol database (SPD), and key have mutual
dependencies, as the subsections that follow describe.
Specifying the key rollover timer
Conguration changes for authentication takes eect in a controlled manner through the key rollover procedure as specied in RFC
4552, Section 10.1. The key rollover timer controls the timing of the existing conguration changeover. The key rollover timer can be
congured in the IPv6 router OSPF context, as the following example illustrates.
device(config-ospf6-router)# key-rollover-interval 200
Syntax: key-rollover-interval time
The range for the key-rollover-interval is 0 through 14400 seconds. The default is 300 seconds.
Specifying the key add remove timer
The key-add-remove timer is used in an environment where interoperability with other vendors is required on a
specic interface. This
parameter is used to determine the interval time when authentication addition and deletion will take eect.
The key-add-remove-interval timer can be used to set the required value globally, or on a specic interface as needed. Interface
conguration takes preference over system level conguration.
By default, the key-add-remove-interval is set to 300 seconds to smoothly interoperate with Brocade routers.
To set the key-add-remove-interval globally to 100 seconds, enter the following commands:
device(config-ospf6-router)# key-add-remove-interval 100
To set the key-add-remove-interval to 100 seconds on a specic interface, enter the following command:
device(config-if-e1000-1/1/10)#ipv6 ospf authentication ipsec key-add-remove-interval 100
Syntax: [no] ipv6 ospf authentication ipsec key-add-remove-interval range
Conguring OSPFv3
FastIron Ethernet Switch Layer 3 Routing
314 53-1003627-04
To Next Page
Loading...
Need help?
General
