OS10 Enterprise Edition User Guide Release 10.4.0E(R3)

PDF

IPsec encryption on interfaces

Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area.

When you configure encryption on an interface, both IPsec encryption and authentication are enabled. You cannot configure encryption if you have already configured an interface for IPsec authentication ( ipv6 ospf authentication ipsec). To configure encryption, you must first delete the authentication policy.

  • Enable IPsec encryption for OSPFv3 packets in Interface mode.
    ipv6 ospf encryption ipsec spi 
                                        number esp 
                                        encryption-type
                                        key
                                        authentication-type
                                        key
                                     
    • ipsec spi number — Enter a unique security policy index (SPI) value (256 to 4294967295).
    • esp encryption-type key — Enter the encryption algorithm used with ESP (3DES, DES, AES-CBC, or NULL). For AES-CBC, only the AES-128 and AES-192 ciphers are supported.
    • key — Enter the text string used in the encryption algorithm. All neighboring OSPFv3 routers must share the key to decrypt information. Only a non-encrypted key is supported. Required lengths of the non-encrypted key are: 3DES — 48 hex digits; DES — 16 hex digits; AES-CBC — 32 hex digits for AES-128 and 48 hex digits for AES-192.
    • authentication-type key — Enter the encryption authentication algorithm to use (MD5 or SHA1).
    • key — Enter the text string used in the authentication algorithm. All neighboring OSPFv3 routers must share the key to exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits. For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported.

To delete an IPsec encryption policy, use the no ipv6 ospf encryption ipsec spi number or no ipv6 ospf encryption null command.

Configure IPsec encryption on interface
OS10(conf-if-eth1/1/1)# ipv6 ospf encryption ipsec spi 500 esp des 1234567812345678 md5
                                 12345678123456781234567812345678
                                 OS10(conf-if-eth1/1/1)# show configuration
                                 !
                                 interface ethernet1/1/1
                                 ipv6 ospf encryption ipsec spi 500 esp des 1234567812345678 md5 12345678123456781234567812345678
                                 no switchport
                                 no shutdown
                                 ipv6 address 1::1/64
                              

Rate this content

Accurate
Useful
Easy to understand
Was this article helpful?
0/3000 characters
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please select whether the article was helpful or not.
  Comments cannot contain these special characters: <>()\