Configuring ipsec for a virtual link – Brocade FastIron Ethernet Switch Layer 3 Routing Configuration Guide User Manual

Page 345

If no-encrypt is not entered, then the key will be encrypted. This is the default. The system adds the
following in the configuration to indicate that the key is encrypted:

• encrypt = the key string uses proprietary simple cryptographic 2-way algorithm
• encryptb64 = the key string uses proprietary base64 cryptographic 2-way algorithm

The configuration in the preceding example results in the following configuration for area 2.

ipv6 router ospf
 area 0
 area 1
 area 2
 area 2 auth ipsec spi 400 esp sha1 abcef12345678901234fedcba098765432109876

Configuring IPsec for a virtual link

IPsec on a virtual link has a global configuration.

To configure IPsec on a virtual link, enter the IPv6 router OSPF context of the CLI and proceed as the
following example illustrates. (Note the no-encrypt option in this example.)

device(config-ospf6-router)#area 1 vir 10.2.2.2 auth ipsec spi 360 esp sha1 no-encrypt 1234567890098765432112345678990987654321

Syntax: [no] area area-id virtual nbr-id authentication ipsec spi spi-num esp sha1 [no-encrypt] key

The no form of this command deletes IPsec from the virtual link.

The area command and the area-id variable specify the area to be configured. The area-id can be an
integer in the range 0 through 2,147,483,647 or have the format of an IP address.

The virtual keyword indicates that this configuration applies to the virtual link identified by the
subsequent variable nbr-id. The nbr-id variable is written in the dotted-decimal notation of an IP address.

The authentication keyword specifies that the function being configured for the area is packet authentication.

The ipsec keyword specifies that IPsec is the protocol that authenticates the packets.

The spi keyword and the spi-num variable specify the index that points to the security association. The
near-end and far-end values for spi-num must be the same. The range for spi-num is decimal 256
through 4294967295.

The mandatory esp keyword specifies ESP (rather than authentication header) as the protocol to
provide packet-level security. In the current release, this parameter can be esp only.

The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm. This mandatory parameter
can be only the sha1 keyword in the current release.

Including the optional no-encrypt keyword means that the 40-character key is not encrypted in show
command displays. If no-encrypt is not entered, then the key will be encrypted. This is the default. The
system adds the following in the configuration to indicate that the key is encrypted:

• encrypt = the key string uses proprietary simple cryptographic 2-way algorithm
• encryptb64 = the key string uses proprietary base64 cryptographic 2-way algorithm

This example results in the following configuration.

area 1 virtual-link 10.2.2.2
area 1 virtual-link 10.2.2.2 authentication ipsec spi 360 esp sha1 no-encrypt 1234567890098765432112345678990987654321
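
An added example, not taken from the Brocade guide: a Python check that parses authentication lines in the forms shown above and flags SPIs outside 256 through 4294967295, keys entered with no-encrypt, and virtual-link SPIs that differ between the two ends. It assumes that the encrypt or encryptb64 marker sits where no-encrypt does, that a clear-text key is 40 hexadecimal characters, and that the two ends of a virtual link can be paired by area; the function names and the FAR sample are constructed.

```python
import re

# Forms from the guide; CLI keywords may be abbreviated (vir, auth).
ENTRY = re.compile(
    r"area\s+(?P<area>\S+)\s+(?:vir\S*\s+(?P<nbr>\d+(?:\.\d+){3})\s+)?"
    r"auth\S*\s+ipsec\s+spi\s+(?P<spi>\d+)\s+esp\s+sha1\s+"
    r"(?:(?P<mode>no-encrypt|encryptb64|encrypt)\s+)?(?P<key>\S+)\s*$")
SPI_MIN, SPI_MAX = 256, 4294967295  # range stated in the guide

def parse(config):
    """Return one dict per OSPFv3 IPsec authentication line."""
    entries = []
    for line in config.splitlines():
        m = ENTRY.search(line.strip())
        if m:
            entries.append({**m.groupdict(), "spi": int(m["spi"])})
    return entries

def audit(entries):
    """Flag out-of-range SPIs and keys that show commands display in clear."""
    findings = []
    for e in entries:
        where = f"area {e['area']}" + (f" virtual-link {e['nbr']}" if e["nbr"] else "")
        if not SPI_MIN <= e["spi"] <= SPI_MAX:
            findings.append((where, "spi-out-of-range"))
        if e["mode"] == "no-encrypt":
            findings.append((where, "key-shown-in-clear"))
            # Assumption: a clear-text key is 40 hexadecimal characters.
            if not re.fullmatch(r"[0-9a-fA-F]{40}", e["key"]):
                findings.append((where, "key-not-40-hex"))
    return findings

def spi_mismatches(near, far):
    """Virtual-link SPIs that differ between the two ends, keyed by area."""
    far_spi = {e["area"]: e["spi"] for e in far if e["nbr"]}
    return [(e["area"], e["spi"], far_spi[e["area"]]) for e in near
            if e["nbr"] and far_spi.get(e["area"], e["spi"]) != e["spi"]]

# Constructed samples: NEAR reuses the guide's example line, FAR is invented.
NEAR = ("area 1 virtual-link 10.2.2.2\n"
        "area 1 virtual-link 10.2.2.2 authentication ipsec spi 360 esp sha1 "
        "no-encrypt 1234567890098765432112345678990987654321\n")
FAR = ("area 1 virtual-link 10.1.1.1 authentication ipsec spi 361 esp sha1 "
       "encrypt CONSTRUCTED-CIPHERTEXT\n"
       "area 2 auth ipsec spi 100 esp sha1 no-encrypt abc123\n")

if __name__ == "__main__":
    near, far = parse(NEAR), parse(FAR)
    print(audit(near), audit(far), spi_mismatches(near, far))
```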


53-1003087-04