Configuring ipsec for ospfv3, General considerations – Brocade Virtual ADX Switch and Router Guide (Supporting ADX v03.1.00) User Manual

53-1003246-01

Chapter 7: Enabling OSPFv3

Configuring IPsec for OSPFv3

This section describes how to configure IPsec on an interface. It also describes how to change the key rollover timer if necessary, and how to disable IPsec on a particular interface for special purposes.

By default, OSPFv3 IPsec authentication is disabled. The following IPsec parameters are configurable:

• ESP security protocol
• Authentication
• HMAC-SHA1-96 authentication algorithm
• Security parameter index (SPI)
• A 40-character key using hexadecimal characters (that is, a 160-bit key, the native key length of HMAC-SHA-1)
• An option for not encrypting the key when it appears in show command output
• Key rollover timer

NOTE

In the current release, certain keyword parameters must be entered even though only one choice exists for that parameter. For example, the only authentication algorithm in the current release is HMAC-SHA1-96, but you must nevertheless enter the keyword for this algorithm. Likewise, ESP is currently the only security protocol, but you must still enter the esp keyword. This section describes all keywords.

General considerations

The IPsec component generates security associations (SAs) and security policies from user-specified parameters. The parameters are described with the syntax of each command in this section, and are also pointed out in the section with the show command examples, “IPsec examples” on page 174. The user-specified parameters and their relation to the system-generated values are as follows:

• Security association: Based on your entries for security parameter index (SPI), destination address, and security protocol (currently ESP), the system creates a security association for each interface or virtual link.

• Security policy database: Based on your entries for SPI, source address, destination address, and security protocol, the system creates a security policy database (SPD) for each interface or virtual link.

You can configure the same SPI and key on multiple interfaces; they still have unique IPsec configurations, because the SA and policies are added to the separate SPD associated with each interface. If you configure an SA with the same SPI in multiple places, the remaining parameters associated with that SA (key, crypto algorithm, and security protocol) must match. If the system detects a mismatch, it rejects the configuration and displays an error message.
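The following Python model, added here as an example and not taken from Brocade's software or this guide, ties the parameter list above to the SA and SPD description: it validates the 40-hexadecimal-character key, accepts the same SPI on several interfaces only when key, algorithm and protocol match, and shows what the key is actually used for by computing and verifying an HMAC-SHA1-96 integrity check value over an ESP packet with NULL encryption (RFC 2404 and RFC 4303 framing). Interface names, addresses, SPI values and the OSPFv3 packet bytes are constructed sample data, not from the guide; the CLI syntax itself is not modelled.

```python
# Added example, not Brocade's code: models the per-interface IPsec state the
# page describes and the HMAC-SHA1-96 check the 40-hex-character key feeds.
# Interface names, addresses, SPIs and packet bytes are constructed samples.
import hashlib
import hmac
import re
from dataclasses import dataclass, field

KEY_HEX_LEN = 40   # 40 hex characters = a 160-bit HMAC-SHA-1 key
ICV_LEN = 12       # HMAC-SHA1-96 keeps the first 96 bits (12 bytes) of the MAC
OSPF_PROTO = 89    # ESP Next Header value for OSPF (IANA protocol number)


@dataclass(frozen=True)
class SecurityAssociation:
    """SA as the page describes it: built from SPI, destination and protocol."""
    spi: int
    dst: str
    key: bytes
    protocol: str = "esp"
    auth_alg: str = "hmac-sha1-96"


@dataclass
class SecurityPolicyDatabase:
    """One SPD per interface or virtual link: source, destination, SPI, protocol."""
    interface: str
    src: str
    sa: SecurityAssociation


@dataclass
class OspfIpsecConfig:
    spds: dict = field(default_factory=dict)        # interface name -> SPD
    sas_by_spi: dict = field(default_factory=dict)  # spi -> SA parameters seen first

    def configure_interface(self, interface, spi, key_hex, src, dst,
                            protocol="esp", auth_alg="hmac-sha1-96"):
        # Only one choice exists for these two keywords in this release, but
        # the guide says they must still be entered explicitly.
        if protocol != "esp":
            raise ValueError("security protocol must be esp")
        if auth_alg != "hmac-sha1-96":
            raise ValueError("authentication algorithm must be hmac-sha1-96")
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % KEY_HEX_LEN, key_hex):
            raise ValueError("key must be exactly %d hexadecimal characters" % KEY_HEX_LEN)
        sa = SecurityAssociation(spi, dst, bytes.fromhex(key_hex), protocol, auth_alg)
        # The same SPI on several interfaces is allowed, but key, algorithm and
        # protocol must then match; a mismatch is rejected as the guide states.
        prev = self.sas_by_spi.get(spi)
        if prev and (prev.key, prev.auth_alg, prev.protocol) != (sa.key, sa.auth_alg, sa.protocol):
            raise ValueError("SPI %d already configured with different parameters" % spi)
        self.sas_by_spi.setdefault(spi, sa)
        self.spds[interface] = SecurityPolicyDatabase(interface, src, sa)
        return self.spds[interface]


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """RFC 2404 HMAC-SHA1-96: HMAC-SHA-1 truncated to the leading 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_null_protect(sa: SecurityAssociation, seq: int, ospf_pdu: bytes) -> bytes:
    """ESP with NULL encryption (authentication only): SPI | seq | PDU | pad |
    pad length | next header | ICV, with the trailer 4-byte aligned (RFC 4303)."""
    pad_len = (-(len(ospf_pdu) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, OSPF_PROTO])
    body = sa.spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ospf_pdu + trailer
    return body + hmac_sha1_96(sa.key, body)


def esp_null_verify(sa: SecurityAssociation, packet: bytes):
    """Return the OSPF PDU if the SPI matches and the ICV verifies, else None."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if int.from_bytes(body[:4], "big") != sa.spi:
        return None
    if not hmac.compare_digest(icv, hmac_sha1_96(sa.key, body)):
        return None
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != OSPF_PROTO or pad_len > len(body) - 10:
        return None
    return body[8:len(body) - 2 - pad_len]


def demo():
    """Constructed walk-through; returns its results so they can be checked."""
    cfg = OspfIpsecConfig()
    key = "0123456789abcdef0123456789abcdef01234567"   # sample 40-hex-char key
    cfg.configure_interface("ethernet 1", 512, key, "fe80::1", "ff02::5")
    cfg.configure_interface("ethernet 2", 512, key, "fe80::2", "ff02::5")  # same SPI and key: allowed
    try:
        cfg.configure_interface("ethernet 3", 512, "f" * 40, "fe80::3", "ff02::5")  # same SPI, other key
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    sa = cfg.spds["ethernet 1"].sa
    pdu = b"\x03\x01\x00\x24constructed-ospfv3-hello"   # placeholder OSPFv3 bytes
    pkt = esp_null_protect(sa, seq=1, ospf_pdu=pdu)
    tampered = pkt[:10] + bytes([pkt[10] ^ 0x01]) + pkt[11:]   # flip one PDU byte
    return {
        "interfaces": sorted(cfg.spds),
        "mismatch_rejected": mismatch_rejected,
        "verified": esp_null_verify(sa, pkt) == pdu,
        "tamper_detected": esp_null_verify(sa, tampered) is None,
    }
```

Running `demo()` configures two interfaces sharing one SPI and key, shows the third interface with the same SPI but a different key being rejected, and confirms that a single flipped byte in the authenticated OSPFv3 payload fails the HMAC-SHA1-96 check. The 12-byte ICV is why the algorithm is named "-96": the full 20-byte HMAC-SHA-1 output is truncated, while the key itself stays the full 160 bits the 40 hexadecimal characters encode.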
