Disabling IPsec on an interface – Brocade Communications Systems Layer 3 Routing Configuration ICX 6650 User Manual


Brocade ICX 6650 Layer 3 Routing Configuration Guide


53-1002603-01

OSPF V3 configuration

Syntax: [no] area area-id virtual nbrid authentication ipsec spi spinum esp sha1 [no-encrypt] key

The no form of this command deletes IPsec from the virtual link.

The area command and the area-id variable specify the area that is to be configured. The area-id can
be an integer in the range 0–2,147,483,647 or have the format of an IP address.

The virtual keyword indicates that this configuration applies to the virtual link identified by the
subsequent variable nbrid. The nbrid variable is written in the dotted decimal notation of an IP address.

The authentication keyword specifies that the function being configured for the area is packet
authentication.

The ipsec keyword specifies that IPsec is the protocol that authenticates the packets.

The spi keyword and the spinum variable specify the index that points to the security association.
The near-end and far-end values for spinum must be the same. The range for spinum is decimal
256–4294967295.

The mandatory esp keyword specifies ESP (rather than authentication header) as the protocol to
provide packet-level security. In the current release, this parameter can be esp only.

The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm. This mandatory
parameter can be only the sha1 keyword in the current release.

Including the optional no-encrypt keyword means that the 40-character key is not encrypted in
show command displays. If no-encrypt is not entered, the key is encrypted. This is the
default. The system adds one of the following to the configuration to indicate that the key is encrypted:

encrypt = the key string uses a proprietary simple cryptographic 2-way algorithm.

encryptb64 = the key string uses a proprietary base64 cryptographic 2-way algorithm.

This example results in the following configuration.

area 1 virtual-link 10.2.2.2

area 1 virtual-link 10.2.2.2 authentication ipsec spi 360 esp sha1 no-encrypt 1234567890098765432112345678990987654321

Disabling IPsec on an interface

For the purpose of troubleshooting, you can operationally disable IPsec on an interface by using the
ipv6 ospf authentication ipsec disable command in the CLI context of a specific interface. This
command disables IPsec on the interface whether its IPsec configuration is the area’s IPsec
configuration or is specific to that interface. The output of the show ipv6 ospf interface command
shows the current setting for the disable command.

To disable IPsec on an interface, go to the CLI context of the interface and proceed as in the
following example.

Brocade(config-if-e10000-1/1/2)#ipv6 ospf auth ipsec disable

Syntax: [no] ipv6 ospf authentication ipsec disable

The no form of this command restores the area and interface-specific IPsec operation.
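
A configuration review for the two settings described above, the no-encrypt key display and the per-interface IPsec disable, written here as an added Python example (not Brocade code). It assumes the reviewed text uses the line formats shown on this page, that encrypt or encryptb64 appears where no-encrypt does, that the disable command appears in the reviewed text, and that `!` separates blocks; the sample configuration is constructed.

```python
import re

# Matches the virtual-link line format shown in this page's example.
# Assumption: when the key is encrypted, "encrypt" or "encryptb64" appears
# where "no-encrypt" appears in that example.
VLINK = re.compile(
    r"^area (?P<area>\S+) virtual-link (?P<nbr>\S+) authentication ipsec "
    r"spi (?P<spi>\d+) esp sha1(?: (?P<mode>no-encrypt|encryptb64|encrypt))? (?P<key>\S+)$")
DISABLE = re.compile(r"^ipv6 ospf auth(?:entication)? ipsec disable$")
IFACE = re.compile(r"^interface (?P<name>.+)$")

def audit(config_text):
    """Return (line_number, finding) tuples for OSPFv3 IPsec settings."""
    findings, iface = [], None
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = IFACE.match(line)
        if m:                      # entering an interface context
            iface = m.group("name")
        elif line == "!":          # assumed block separator in the reviewed text
            iface = None
        elif DISABLE.match(line):  # troubleshooting setting left in place
            findings.append((n, f"IPsec disabled on {iface or 'unknown interface'}"))
        elif (m := VLINK.match(line)):
            spi = int(m.group("spi"))
            if not 256 <= spi <= 4294967295:   # range given for spinum
                findings.append((n, f"SPI {spi} outside 256-4294967295"))
            if m.group("mode") == "no-encrypt":
                findings.append((n, "key displayed unencrypted (no-encrypt)"))
                if len(m.group("key")) != 40:  # page states a 40-character key
                    findings.append((n, "unencrypted key is not 40 characters"))
    return findings

# Constructed sample configuration (not from a real device).
SAMPLE = """\
ipv6 router ospf
 area 1 virtual-link 10.2.2.2
 area 1 virtual-link 10.2.2.2 authentication ipsec spi 360 esp sha1 no-encrypt 1234567890098765432112345678990987654321
 area 2 virtual-link 10.3.3.3 authentication ipsec spi 100 esp sha1 encrypt PLACEHOLDER-ENCRYPTED-KEY
!
interface ethernet 1/1/2
 ipv6 ospf authentication ipsec disable
!
"""

if __name__ == "__main__":
    for n, msg in audit(SAMPLE):
        print(f"line {n}: {msg}")
```

Because spinum must match at the near end and far end, running the same review against both routers' configurations and comparing the SPI per virtual link catches mismatches as well.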
