Disabling IPsec on an interface, Changing the key – Brocade Multi-Service IronWare Routing Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Routing Configuration Guide

53-1003033-02

Configuring OSPFv3

The mandatory esp keyword specifies ESP (rather than authentication header) as the protocol to
provide packet-level security. In the current release, this parameter can be esp only.

The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm. This mandatory
parameter can be only the sha1 keyword in the current release.

Including the optional no-encrypt keyword means that the 40-character key is not encrypted in
show command displays. If no-encrypt is not entered, then the key will be encrypted. This is the
default. The system adds the following in the configuration to indicate that the key is encrypted:

encrypt = the key string uses a proprietary simple cryptographic 2-way algorithm (only for
Brocade NetIron CES and Brocade NetIron CER devices).

encryptb64 = the key string uses a proprietary base64 cryptographic 2-way algorithm (only for
Brocade NetIron XMR and Brocade MLX series devices).

This example results in the following configuration.

area 1 virtual-link 10.2.2.2

area 1 virtual-link 10.2.2.2 authentication ipsec spi 360 esp sha1 no-encrypt 1234567890098765432112345678990987654321

Disabling IPsec on an interface

For the purpose of troubleshooting, you can operationally disable IPsec on an interface by using the
ipv6 ospf authentication ipsec disable command in the CLI context of a specific interface. This
command disables IPsec on the interface whether its IPsec configuration is the area’s IPsec
configuration or is specific to that interface. The output of the show ipv6 ospf interface command
shows the current setting for the disable command.

To disable IPsec on an interface, go to the CLI context of the interface and proceed as in the
following example.

Brocade(config-if-e10000-1/2)#ipv6 ospf auth ipsec disable

Syntax: [no] ipv6 ospf authentication ipsec disable

The no form of this command restores the area and interface-specific IPsec operation.

Changing the key rollover timer

Configuration changes for authentication take effect in a controlled manner through the key
rollover procedure as specified in RFC 4552, Section 10.1. The key rollover timer controls the
timing of the configuration changeover. The key rollover timer can be configured in the IPv6 router
OSPF context, as the following example illustrates.

Brocade(config-ospf6-router)#key-rollover-interval 200

Syntax: key-rollover-interval time

The range for the key-rollover-interval is 0 – 14400 seconds. The default is 300 seconds.
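
The following Python check is an added example, not part of the Brocade guide. It scans a saved configuration for the settings this section describes: keys entered with no-encrypt, a no-encrypt key that is not 40 characters long, IPsec left operationally disabled on an interface, and a key-rollover-interval outside 0 to 14400 seconds. The sample configuration is constructed, and the assumptions are that saved configuration lines follow the syntax shown above and that the 40-character length applies only to keys entered with no-encrypt.

```python
import re

# Constructed sample in the style of the page's examples; not a real device config.
SAMPLE_CONFIG = """\
ipv6 router ospf
 area 1 virtual-link 10.2.2.2 authentication ipsec spi 360 esp sha1 no-encrypt 1234567890098765432112345678990987654321
 area 2 virtual-link 10.3.3.3 authentication ipsec spi 361 esp sha1 no-encrypt 1234
 key-rollover-interval 20000
interface ethernet 1/2
 ipv6 ospf authentication ipsec disable
"""

# "auth\S*" accepts the abbreviated keyword used in the page's CLI example.
AUTH_RE = re.compile(
    r"auth\S*\s+ipsec\s+spi\s+(\d+)\s+esp\s+sha1\s+"
    r"(?:(no-encrypt|encryptb64|encrypt)\s+)?(\S+)")
DISABLE_RE = re.compile(r"^(no\s+)?ipv6\s+ospf\s+auth\S*\s+ipsec\s+disable$")
ROLLOVER_RE = re.compile(r"^key-rollover-interval\s+(\d+)$")

def audit(config):
    """Return (line_number, finding) tuples for a configuration given as text."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = AUTH_RE.search(line)
        if m:
            spi, mode, key = m.groups()
            if mode == "no-encrypt":
                findings.append((n, f"spi {spi}: key shown unencrypted (no-encrypt)"))
                # Assumption: only a no-encrypt key is stored as the 40 characters entered.
                if len(key) != 40:
                    findings.append((n, f"spi {spi}: key is {len(key)} characters, expected 40"))
        m = DISABLE_RE.match(line)
        if m and not m.group(1):  # the "no" form restores IPsec, so it is not flagged
            findings.append((n, "IPsec operationally disabled on this interface"))
        m = ROLLOVER_RE.match(line)
        if m and not 0 <= int(m.group(1)) <= 14400:
            findings.append((n, f"key-rollover-interval {m.group(1)} outside 0-14400"))
    return findings

if __name__ == "__main__":
    for n, finding in audit(SAMPLE_CONFIG):
        print(f"line {n}: {finding}")
```
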
