Considerations for ipsec on virtual links, Specifying the key rollover timer, Specifying the key add remove timer – Brocade Multi-Service IronWare Routing Configuration Guide (Supporting R05.6.00) User Manual

660    Multi-Service IronWare Routing Configuration Guide
53-1003033-02

Configuring OSPFv3

If you configure IPsec for an area, all interfaces that utilize the area-wide IPsec (where
interface-specific IPsec is not configured) nevertheless receive an SPD entry (and SPDID number)
that is unique for the interface.

The area-wide SPI that you specify is a constant for all interfaces in the area that use the area
IPsec, but the use of different interfaces results in an SPDID and an SA that are unique to each
interface. (Recall from “IPsec for OSPFv3” on page 657 that the security policy database depends
partly on the source IP address, so a unique SPD for each interface results.)

Considerations for IPsec on virtual links

The IPsec configuration for a virtual link is global, so only one security association database and
one security policy database exist for virtual links if you choose to configure IPsec for virtual links.

The virtual link IPsec SAs and policies are added to all interfaces of the transit area for the
outbound direction. For the inbound direction, IPsec SAs and policies for virtual links are added to
the global database.

NOTE

The security association (SA), security parameter index (SPI), security policy database (SPD), and key
have mutual dependencies, as the subsections that follow describe.

Specifying the key rollover timer

Configuration changes for authentication take effect in a controlled manner through the key
rollover procedure specified in RFC 4552, Section 10.1. The key rollover timer controls the
timing of the changeover from the existing configuration. The key rollover timer can be configured in the IPv6
router OSPF context, as the following example illustrates.

Brocade(config-ospf6-router)#key-rollover-interval 200

Syntax: key-rollover-interval time

The range for the key-rollover-interval is 0 – 14400 seconds. The default is 300 seconds.
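The three-step rekeying of RFC 4552, Section 10.1, as an added Python model; this is not Brocade code and is not taken from this guide. Two routers share a link, the AH integrity check value is HMAC-SHA1-96 as RFC 4552 mandates, and the model assumes one KeyRolloverInterval elapses between consecutive steps (the guide only says the timer controls the changeover timing). The `Router`, `rollover_rfc4552` and `naive_cutover` names, the SPI values and the keys are constructed for illustration. The router performs this sequence itself when you change the authentication configuration; the model only makes the overlap window visible.

```python
"""Simplified model of the RFC 4552 Section 10.1 key rollover for OSPFv3 AH.

Constructed example: two routers on one link, HMAC-SHA1-96 keyed ICVs,
a three-step rollover, and a naive in-place cut-over for comparison.
"""
import hashlib
import hmac

ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte digest to 96 bits


def icv(key: bytes, payload: bytes) -> bytes:
    """Integrity check value as sender and receiver compute it (simplified AH)."""
    return hmac.new(key, payload, hashlib.sha1).digest()[:ICV_LEN]


class Router:
    """One OSPFv3 router with the SAs of a single interface (hypothetical model)."""

    def __init__(self, name: str, spi: int, key: bytes):
        self.name = name
        self.inbound = {spi: key}      # SPI -> key; holds two entries mid-rollover
        self.outbound = (spi, key)     # exactly one outbound SA per interface

    def send(self, payload: bytes):
        spi, key = self.outbound
        return (spi, payload, icv(key, payload))

    def receive(self, packet) -> bool:
        spi, payload, tag = packet
        key = self.inbound.get(spi)
        if key is None:
            return False               # unknown SPI: the packet is dropped
        return hmac.compare_digest(icv(key, payload), tag)


def exchange_hellos(routers) -> int:
    """Every router sends one Hello to every other; return the number rejected."""
    drops = 0
    for src in routers:
        pkt = src.send(b"OSPFv3 Hello from " + src.name.encode())
        for dst in routers:
            if dst is not src and not dst.receive(pkt):
                drops += 1
    return drops


def rollover_rfc4552(routers, new_spi, new_key, key_rollover_interval=300):
    """Three-step rekey; returns (timeline of (t, step), total dropped Hellos)."""
    t, timeline, drops = 0, [], 0
    # Step 1: add the new inbound SA on every router; old outbound SA still in use
    for r in routers:
        r.inbound[new_spi] = new_key
    timeline.append((t, "step1 add inbound"))
    drops += exchange_hellos(routers)
    # Step 2: after KeyRolloverInterval (assumed), replace the outbound SA
    t += key_rollover_interval
    for r in routers:
        r.outbound = (new_spi, new_key)
    timeline.append((t, "step2 switch outbound"))
    drops += exchange_hellos(routers)
    # Step 3: after another interval (assumed), remove the old inbound SA
    t += key_rollover_interval
    for r in routers:
        for spi in [s for s in r.inbound if s != new_spi]:
            del r.inbound[spi]
    timeline.append((t, "step3 remove old inbound"))
    drops += exchange_hellos(routers)
    return timeline, drops


def naive_cutover(routers, new_spi, new_key) -> int:
    """One router rekeys in place before its neighbour; returns dropped Hellos."""
    first = routers[0]
    first.inbound = {new_spi: new_key}
    first.outbound = (new_spi, new_key)
    return exchange_hellos(routers)    # neighbour still on the old SA: both directions fail


def demo():
    """Returns (drops with RFC procedure, drops with naive cut-over, RFC timeline)."""
    old_spi, old_key = 256, b"old-shared-key"   # constructed values
    new_spi, new_key = 257, b"new-shared-key"   # constructed values
    link = [Router("R1", old_spi, old_key), Router("R2", old_spi, old_key)]
    timeline, drops = rollover_rfc4552(link, new_spi, new_key)
    link2 = [Router("R1", old_spi, old_key), Router("R2", old_spi, old_key)]
    return drops, naive_cutover(link2, new_spi, new_key), timeline


if __name__ == "__main__":
    rfc_drops, naive_drops, steps = demo()
    print("RFC 4552 rollover dropped", rfc_drops, "Hellos over", steps)
    print("In-place cut-over dropped", naive_drops, "Hellos")
```

Running `demo()` shows that the RFC sequence drops no Hellos, because every router accepts both SPIs during the overlap window, whereas rekeying one router in place rejects traffic in both directions until its neighbour catches up. That overlap is what the key rollover timer buys on a link where routers do not change over at the same instant.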

Specifying the key add remove timer

The key-add-remove timer is used in an environment where interoperability with other vendors is
required on a specific interface. This parameter determines the interval after which an
authentication addition or deletion takes effect.

The key-add-remove-interval timer can be used to set the required value globally, or on a specific
interface as needed. Interface configuration takes precedence over system-level configuration.

By default, the key-add-remove-interval is set to 300 seconds to smoothly interoperate with
Brocade routers.

To set the key-add-remove-interval globally to 100 seconds, enter the following command:

Brocade(config-ospf6-router)# key-add-remove-interval 100

To set the key-add-remove-interval to 100 seconds at a specific interface, enter the following
command:

Brocade(config-if-e1000-1/10)#ipv6 ospf authentication ipsec key-add-remove-interval 100
