Disabling IPsec on an interface – Brocade Virtual ADX Switch and Router Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Switch and Router Guide


53-1003246-01

Enabling OSPFv3


The authentication keyword enables authentication.

The ipsec keyword specifies IPsec as the authentication protocol.

The spi keyword and the spinum variable specify the security parameter index (SPI) that points to
the security association. The near-end and far-end values for spinum must be the same. The range
for spinum is decimal 256 through 4,294,967,295.

The mandatory esp keyword specifies ESP (rather than authentication header) as the protocol to
provide packet-level security. In the current release, this parameter can be esp only.

The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm. This mandatory
parameter can be only the sha1 keyword in the current release.

Including the optional no-encrypt keyword means that when you display the IPsec configuration,
the key is displayed in its unencrypted form and also saved as unencrypted.

The key variable must be 40 hexadecimal characters. To change an existing key, you must also
specify a different SPI value; you cannot change the key alone. For example, in an interface
context where you intend to change a key, you must type a different SPI value, which occurs
before the key parameter on the command line, before you type the new key. The example in
Configuring IPsec for OSPFv3 illustrates this requirement.

If no-encrypt is not entered, then the key is encrypted. This is the default. The system adds the
following in the configuration to indicate that the key is encrypted:

encrypt = the key string uses a proprietary simple cryptographic 2-way algorithm (only for Virtual
ADX series devices).

encryptb64 = the key string uses a proprietary base64 cryptographic 2-way algorithm (only for
Virtual ADX series devices).

This example results in the configuration shown in the screen output that follows. Note that
because the optional no-encrypt keyword was omitted, the display of the key has the encrypted
form by default.

interface ethernet 1
 enable
 ip address 40.3.3.1/8
 ipv6 address 2001:db8:40:3:3::1/64
 ipv6 ospf area 1
 ipv6 ospf authentication ipsec spi 429496795 esp sha1 encryptb64 $ITJkQG5HWnw4M09tWVd

Disabling IPsec on an interface

For the purpose of troubleshooting, you can operationally disable IPsec on an interface by using the
ipv6 ospf authentication ipsec disable command in the CLI context of a specific interface. This
command disables IPsec on the interface whether its IPsec configuration is the area’s IPsec
configuration or is specific to that interface. The output of the show ipv6 ospf interface command
shows the current setting for the disable command.

To disable IPsec on an interface, go to the CLI context of the interface and proceed as in the
following example.

Virtual ADX(config-if-e10000-1)#ipv6 ospf auth ipsec disable

Syntax: [no] ipv6 ospf authentication ipsec disable

The no form of this command restores the area and interface-specific IPsec operation.
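The rules on this page (SPI range, 40-hexadecimal-character key, the no-encrypt option, and the interface-level disable command) can be checked against a saved configuration. The following audit script is an added example, not Brocade code. It assumes that saved lines use the full keywords in the order described above and that a key stored with no-encrypt keeps that token in front of it; the function name audit and the sample configuration are constructed for illustration.

```python
import re

# Assumed line shape, pieced together from the keywords the page describes.
AUTH = re.compile(r"ipv6 ospf authentication ipsec spi (\d+) esp sha1"
                  r"(?: (no-encrypt|encryptb64|encrypt))? (\S+)$")
DISABLE = "ipv6 ospf authentication ipsec disable"

def audit(config_text):
    """Return {interface: [findings]} for OSPFv3 IPsec lines in a saved config."""
    report, iface = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line[len("interface "):]
            report[iface] = []
            continue
        if iface is None:
            continue
        if line == DISABLE:
            report[iface].append("IPsec disabled (troubleshooting setting still on)")
            continue
        m = AUTH.match(line)
        if not m:
            continue
        spi, marker, key = int(m.group(1)), m.group(2), m.group(3)
        if not 256 <= spi <= 4294967295:
            report[iface].append(f"SPI {spi} outside 256..4294967295")
        if marker in ("encrypt", "encryptb64"):
            continue  # stored in encrypted form, so the key length cannot be checked here
        report[iface].append("key stored unencrypted")
        if not re.fullmatch(r"[0-9a-fA-F]{40}", key):
            report[iface].append("key is not 40 hexadecimal characters")
    return report

# Constructed sample config (keys and blob are made up, not from a real device).
SAMPLE = """\
interface ethernet 1
 ipv6 ospf area 1
 ipv6 ospf authentication ipsec spi 429496795 esp sha1 encryptb64 $CONSTRUCTED-BLOB
interface ethernet 2
 ipv6 ospf authentication ipsec spi 300 esp sha1 no-encrypt 00112233445566778899aabbccddeeff00112233
 ipv6 ospf authentication ipsec disable
interface ethernet 3
 ipv6 ospf authentication ipsec spi 100 esp sha1 no-encrypt abcd1234
"""

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, "->", issues or "ok")
```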
