area 2
area 2 auth ipsec spi 400 esp sha1 abcef12345678901234fedcba098765432109876
Conguring IPsec for a virtual link
IPsec on a virtual link has a global conguration.
To congure IPsec on a virtual link, enter the IPv6 router OSPF context of the CLI and proceed as the following example illustrates. (Note
the no-encrypt option in this example.)
device(config-ospf6-router)# area 1 vir 10.2.2.2 auth ipsec spi 360 esp sha1 no-encrypt 1234567890098765432112345678990987654321
Syntax: [no] area area-id virtual nbr-id authentication ipsec spi spi-num esp sha1 [no-encrypt] key
The no form of this command deletes IPsec from the virtual link.
The area command and the area-id variable specify the area to be configured. The area-id can be an integer in the range 0 through 2,147,483,647 or have the format of an IP address.
The virtual keyword indicates that this configuration applies to the virtual link identified by the subsequent variable nbr-id. The variable nbr-id is in dotted decimal notation of an IP address.
The authentication keyword specifies that the function being configured for the area is packet authentication.
The ipsec keyword specifies that IPsec is the protocol that authenticates the packets.
The spi keyword and the spi-num variable specify the index that points to the security association. The near-end and far-end values for spi-num must be the same. The range for spi-num is decimal 256 through 4294967295.
The mandatory esp keyword specifies ESP (rather than authentication header) as the protocol to provide packet-level security. In the current release, this parameter can be esp only.
The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm. This mandatory parameter can be only the sha1 keyword in the current release.
Including the optional no-encrypt keyword means that the 40-character key is not encrypted in show command displays. If no-encrypt is not entered, the key is encrypted; this is the default. The system adds one of the following to the configuration to indicate that the key is encrypted:
• encrypt = the key string uses a proprietary simple cryptographic 2-way algorithm
• encryptb64 = the key string uses a proprietary base64 cryptographic 2-way algorithm
This example results in the following configuration.
area 1 virtual-link 10.2.2.2
area 1 virtual-link 10.2.2.2 authentication ipsec spi 360 esp sha1 no-encrypt 1234567890098765432112345678990987654321
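The following Python sketch is an added example, not part of the original guide or any vendor tool. It audits stored virtual-link IPsec lines against the ranges given in the syntax description, flags no-encrypt keys, and checks that near-end and far-end spi-num values agree. It assumes the 40-character key is hexadecimal and that the system-added encrypt or encryptb64 marker occupies the same position as no-encrypt; the function names and the far-end sample line are constructed for illustration.

```python
import ipaddress
import re

# Full-keyword form as stored in the configuration (the page's result uses "virtual-link").
# Assumption: the encrypt/encryptb64 marker sits where no-encrypt would.
LINE_RE = re.compile(
    r"^area\s+(?P<area>\S+)\s+virtual(?:-link)?\s+(?P<nbr>\S+)\s+"
    r"authentication\s+ipsec\s+spi\s+(?P<spi>[0-9]+)\s+esp\s+sha1"
    r"(?:\s+(?P<mode>no-encrypt|encrypt|encryptb64))?\s+(?P<key>\S+)$"
)

def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def audit_line(line):
    """Return (parsed_fields, findings) for one virtual-link IPsec line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, ["not a virtual-link IPsec authentication line"]
    f = m.groupdict()
    findings = []
    a = f["area"]
    if not (_is_ipv4(a) or (re.fullmatch(r"[0-9]+", a) and int(a) <= 2147483647)):
        findings.append("area-id outside 0..2147483647 and not in IP address format")
    if not _is_ipv4(f["nbr"]):
        findings.append("nbr-id is not dotted decimal")
    if not 256 <= int(f["spi"]) <= 4294967295:
        findings.append("spi-num outside 256..4294967295")
    if f["mode"] == "no-encrypt":
        findings.append("no-encrypt: key is shown unencrypted in show command output")
    # Assumption: an unencrypted key is exactly 40 hexadecimal characters.
    if f["mode"] not in ("encrypt", "encryptb64") and not re.fullmatch(r"[0-9A-Fa-f]{40}", f["key"]):
        findings.append("key is not 40 hexadecimal characters")
    return f, findings

def spi_matches(near_line, far_line):
    """Near-end and far-end spi-num values must be the same."""
    near, _ = audit_line(near_line)
    far, _ = audit_line(far_line)
    return bool(near and far and near["spi"] == far["spi"])

# NEAR is the resulting configuration shown above; FAR is a constructed far-end
# line with a mismatched, out-of-range SPI.
KEY = "1234567890098765432112345678990987654321"
NEAR = "area 1 virtual-link 10.2.2.2 authentication ipsec spi 360 esp sha1 no-encrypt " + KEY
FAR = "area 1 virtual-link 10.1.1.1 authentication ipsec spi 200 esp sha1 no-encrypt " + KEY

if __name__ == "__main__":
    print(audit_line(NEAR)[1], audit_line(FAR)[1], spi_matches(NEAR, FAR))
```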
Disabling IPsec on an interface
For the purpose of troubleshooting, you can operationally disable IPsec on an interface by using the ipv6 ospf authentication ipsec disable command in the CLI context of a specific interface. This command disables IPsec on the interface whether its IPsec configuration is the area’s IPsec configuration or is specific to that interface. The output of the show ipv6 ospf interface command shows the current setting for the disable command.
To disable IPsec on an interface, go to the CLI context of the interface and proceed as in the following example.
device(config-if-e10000-1/1/2)# ipv6 ospf auth ipsec disable
Syntax: [no] ipv6 ospf authentication ipsec disable
Conguring OSPFv3
FastIron Ethernet Switch Layer 3 Routing
53-1003627-04 317