Configuring ipsec for an area, Configuring ipsec for a virtual link – Brocade Communications Systems Layer 3 Routing Configuration ICX 6650 User Manual


252

Brocade ICX 6650 Layer 3 Routing Configuration Guide

53-1002603-01

OSPF V3 configuration

Configuring IPsec for an area

This application of the area command (for IPsec) applies to all of the interfaces that belong to an area unless an interface has its own IPsec configuration. (As described in “Disabling IPsec on an interface” on page 253, the interface IPsec can be operationally disabled if necessary.) To configure IPsec for an area in the IPv6 router OSPF context, proceed as in the following example.

Brocade(config-ospf6-router)#area 2 auth ipsec spi 400 esp sha1 abcef12345678901234fedcba098765432109876

Syntax: area area-id authentication ipsec spi spinum esp sha1 [no-encrypt] key

The no form of this command deletes IPsec from the area.

The area command and the area-id variable specify the area for this IPsec configuration. The
area-id can be an integer in the range 0–2,147,483,647 or have the format of an IP address.

The authentication keyword specifies that the function being configured for the area is packet
authentication.

The ipsec keyword specifies that IPsec is the protocol that authenticates the packets.

The spi keyword and the spinum variable specify the index that points to the security association.
The near-end and far-end values for spinum must be the same. The range for spinum is decimal
256–4294967295.

The mandatory esp keyword specifies ESP (rather than authentication header) as the protocol to
provide packet-level security. In the current release, this parameter can be esp only.

The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm. This mandatory
parameter can be only the sha1 keyword in the current release.

Including the optional no-encrypt keyword means that the 40-character key is not encrypted upon
either its entry or its display. The key must be 40 hexadecimal characters.

If no-encrypt is not entered, then the key will be encrypted. This is the default. The system adds the
following in the configuration to indicate that the key is encrypted:

encrypt = the key string uses a proprietary simple cryptographic 2-way algorithm.

encryptb64 = the key string uses a proprietary base64 cryptographic 2-way algorithm.

The configuration in the preceding example results in the configuration for area 2 that is illustrated
in the following example.

ipv6 router ospf
 area 0
 area 1
 area 2
 area 2 auth ipsec spi 400 esp sha1 abcef12345678901234fedcba098765432109876

Configuring IPsec for a virtual link

IPsec on a virtual link has a global configuration.

To configure IPsec on a virtual link, enter the IPv6 router OSPF context of the CLI and proceed as
the following example illustrates. (Note the no-encrypt option in this example.)

Brocade(config-ospf6-router)#area 1 vir 10.2.2.2 auth ipsec spi 360 esp sha1 no-encrypt 1234567890098765432112345678990987654321
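The constraints stated above for the area and virtual-link commands (area-id format, spinum range, 40-hexadecimal-character key, optional no-encrypt) can be checked before a change is pushed to a router. The following Python sketch is an added example, not code from the Brocade guide; the function names are hypothetical, keyword abbreviations are accepted as typed in the page's examples, and BAD_CMD is a constructed input.

```python
import ipaddress

SPI_MIN, SPI_MAX = 256, 4294967295   # spinum range stated on this page
AREA_MAX = 2147483647                # integer area-id upper bound stated on this page
HEX = set("0123456789abcdefABCDEF")

def parse_ipsec_cmd(line):
    """Parse an 'area ... ipsec ...' command as typed; return (info, problems)."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "area":
        return None, ["not an area command"]
    info, problems = {"area": tok[1], "peer": None, "plaintext": False}, []
    if tok[1].isdecimal():
        if int(tok[1]) > AREA_MAX:
            problems.append("area-id out of range")
    else:
        try:
            ipaddress.IPv4Address(tok[1])
        except ValueError:
            problems.append("area-id is neither an integer nor IP-address format")
    rest = tok[2:]
    if rest[0].startswith("vir") and len(rest) > 1:   # 'vir' as typed in the page's example
        info["peer"], rest = rest[1], rest[2:]
    if len(rest) == 8 and rest[6] == "no-encrypt":
        info["plaintext"] = True      # key is entered and displayed unencrypted
        del rest[6]
    ok = (len(rest) == 7 and "authentication".startswith(rest[0])
          and rest[1:3] == ["ipsec", "spi"] and rest[4:6] == ["esp", "sha1"])
    if not ok:
        return info, problems + ["does not match the documented syntax"]
    spi, key = rest[3], rest[6]
    if not (spi.isdecimal() and SPI_MIN <= int(spi) <= SPI_MAX):
        problems.append("spi outside 256-4294967295")
    if len(key) != 40 or not set(key) <= HEX:
        problems.append("key is not 40 hexadecimal characters")
    info.update(spi=spi, key=key)
    return info, problems

def ends_match(a, b):
    """The page requires the same spinum at both ends; comparing the key as well
    is an added check (HMAC verification needs the same key), not stated on the page."""
    return a["spi"] == b["spi"] and a["key"] == b["key"]

# The two commands shown on this page, plus one constructed invalid command.
AREA_CMD = "area 2 auth ipsec spi 400 esp sha1 abcef12345678901234fedcba098765432109876"
VLINK_CMD = ("area 1 vir 10.2.2.2 auth ipsec spi 360 esp sha1 "
             "no-encrypt 1234567890098765432112345678990987654321")
BAD_CMD = "area 2 auth ipsec spi 100 esp sha1 abc123"   # constructed

if __name__ == "__main__":
    for cmd in (AREA_CMD, VLINK_CMD, BAD_CMD):
        print(parse_ipsec_cmd(cmd))
```

A result with plaintext set to True marks a line whose key appears unencrypted in the configuration, which matters when configuration files are backed up or shared.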
