
Configuring ipsec for an area – Brocade FastIron Ethernet Switch Layer 3 Routing Configuration Guide User Manual

Page 344


The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm. This mandatory parameter
can be only the sha1 keyword in the current release.

Including the optional no-encrypt keyword means that when you display the IPsec configuration, the
key is displayed in its unencrypted form and also saved as unencrypted.

The key variable must be 40 hexadecimal characters. To change an existing key, you must also
specify a different SPI value; you cannot change the key alone. For example, in an interface context
where you intend to change a key, you must type a different SPI value (which occurs before the key
parameter on the command line) before you type the new key.

If no-encrypt is not entered, the key is encrypted; this is the default. The system adds one of the
following keywords to the configuration to indicate that the key is encrypted:

• encrypt = the key string is stored using a proprietary simple two-way cryptographic algorithm
• encryptb64 = the key string is stored using a proprietary base64 two-way cryptographic algorithm

This example results in the configuration shown in the screen output that follows. Note that because
the optional no-encrypt keyword was omitted, the display of the key has the encrypted form by
default.

interface ethernet 1/2
 enable
 ip address 10.3.3.1/8
 ipv6 address 2001:db8:3::1/64
 ipv6 ospf area 1
 ipv6 ospf authentication ipsec spi 429496795 esp sha1 encryptb64 $ITJkQG5HWnw4M09tWVd

Configuring IPsec for an area

This application of the area command (for IPsec) applies to all of the interfaces that belong to an area
unless an interface has its own IPsec configuration. (The interface IPsec can be operationally disabled
if necessary.) To configure IPsec for an area in the IPv6 router OSPF context, proceed as in the
following example.

device(config-ospf6-router)#area 2 auth ipsec spi 400 esp sha1 abcef12345678901234fedcba098765432109876

Syntax: [no] area area-id authentication ipsec spi spi-num esp sha1 [no-encrypt] key

The no form of this command deletes IPsec from the area.

The area command and the area-id variable specify the area for this IPsec configuration. The area-id
can be an integer in the range 0 through 2,147,483,647 or have the format of an IP address.

The authentication keyword specifies that the function being configured for the area is packet authentication.

The ipsec keyword specifies that IPsec is the protocol that authenticates the packets.

The spi keyword and the spi-num variable specify the index that points to the security association. The
near-end and far-end values for spi-num must be the same. The range for spi-num is decimal 256
through 4294967295.

The mandatory esp keyword specifies ESP (rather than authentication header) as the protocol to
provide packet-level security. In the current release, this parameter can be esp only.

The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm. This mandatory parameter
can be only the sha1 keyword in the current release.

Including the optional no-encrypt keyword means that the 40-character key is not encrypted upon
either its entry or its display. The key must be 40 hexadecimal characters.
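The constraints stated for both the interface-level and the area-level commands above (SPI in the range 256 through 4294967295, a 40-hexadecimal-character key, the same SPI and key at near end and far end, and a new SPI whenever the key changes) are easy to get wrong when staging a configuration. The following Python is an added example, not Brocade code and not part of this guide: it parses an area command line as printed above, checks those constraints, and computes the HMAC-SHA1-96 integrity check value that the 40-hex-character key feeds, so that a reader can see why the key is exactly 20 bytes and why the ICV is 12 bytes. The command pattern, the function names and the sample payload are assumptions constructed for the example; the device itself applies the algorithm to ESP-protected OSPFv3 packets, which the example does not build.

```python
import hashlib
import hmac
import re

# Constraints quoted from the guide text above.
SPI_MIN, SPI_MAX = 256, 4294967295
KEY_HEX_LEN = 40   # 40 hex characters = 20-byte (160-bit) key, the SHA-1 block of output
ICV_LEN = 12       # HMAC-SHA1-96 keeps the first 96 bits (12 bytes) of the 20-byte HMAC

# Assumed pattern for "area <id> authentication ipsec spi <n> esp sha1 [no-encrypt] <key>".
# The guide's own example abbreviates "authentication" to "auth", so both are accepted.
_AREA_RE = re.compile(
    r"^area\s+(?P<area>\S+)\s+auth(?:entication)?\s+ipsec\s+spi\s+(?P<spi>\d+)"
    r"\s+esp\s+sha1(?:\s+(?P<noenc>no-encrypt))?\s+(?P<key>\S+)$"
)


def parse_area_ipsec(line):
    """Parse one area IPsec command; raise ValueError naming the violated rule."""
    m = _AREA_RE.match(line.strip())
    if not m:
        raise ValueError("not an 'area ... authentication ipsec' command")
    spi = int(m.group("spi"))
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"spi {spi} is outside {SPI_MIN}..{SPI_MAX}")
    key_hex = m.group("key")
    if len(key_hex) != KEY_HEX_LEN or not re.fullmatch(r"[0-9a-fA-F]+", key_hex):
        raise ValueError("key must be exactly 40 hexadecimal characters")
    return {
        "area": m.group("area"),
        "spi": spi,
        "no_encrypt": m.group("noenc") is not None,
        "key": bytes.fromhex(key_hex),   # 20 raw key bytes
    }


def key_change_ok(old, new):
    """The guide's rule: a changed key must be accompanied by a changed SPI."""
    return not (old["key"] != new["key"] and old["spi"] == new["spi"])


def peers_match(near, far):
    """Near end and far end must agree on both SPI and key for packets to authenticate."""
    return near["spi"] == far["spi"] and hmac.compare_digest(near["key"], far["key"])


def hmac_sha1_96(key, data):
    """HMAC-SHA1 truncated to 96 bits, as named by the sha1 keyword."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def verify_icv(key, data, icv):
    """Constant-time comparison of a received ICV against the recomputed one."""
    return hmac.compare_digest(hmac_sha1_96(key, data), icv)


if __name__ == "__main__":
    # Constructed walk-through using the key from the guide's area example.
    near = parse_area_ipsec(
        "area 2 auth ipsec spi 400 esp sha1 abcef12345678901234fedcba098765432109876")
    far = parse_area_ipsec(
        "area 2 authentication ipsec spi 400 esp sha1 ABCEF12345678901234FEDCBA098765432109876")
    payload = b"constructed OSPFv3 hello payload"     # stand-in for the protected packet
    icv = hmac_sha1_96(near["key"], payload)
    print("peers match:", peers_match(near, far))     # True: same SPI, same key
    print("icv bytes:", len(icv), "verified:", verify_icv(far["key"], payload, icv))
    rekey = parse_area_ipsec(
        "area 2 auth ipsec spi 400 esp sha1 0123456789abcdef0123456789abcdef01234567")
    print("rekey without new SPI accepted:", key_change_ok(near, rekey))  # False
```

The two parsing calls in the walk-through show that the key is case-insensitive hex, so a near end entered in lower case and a far end entered in upper case still agree, while the last call shows the SPI rule from the interface-level description being enforced before a configuration is pushed.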


FastIron Ethernet Switch Layer 3 Routing Configuration Guide

53-1003087-04