Configuring ipsec for an area, Configuring ipsec for a virtual link – Brocade Communications Systems Layer 3 Routing Configuration ICX 6650 User Manual
Brocade ICX 6650 Layer 3 Routing Configuration Guide
53-1002603-01
OSPF V3 configuration
Configuring IPsec for an area
This application of the area command (for IPsec) applies to all of the interfaces that belong to an
area unless an interface has its own IPsec configuration. (As described in
on page 253, the interface IPsec can be operationally disabled if necessary.) To
configure IPsec for an area in the IPv6 router OSPF context, proceed as in the following example.
Brocade(config-ospf6-router)#area 2 auth ipsec spi 400 esp sha1 abcef12345678901234fedcba098765432109876
Syntax: area area-id authentication ipsec spi spinum esp sha1 [no-encrypt] key
The no form of this command deletes IPsec from the area.
The area command and the area-id variable specify the area for this IPsec configuration. The
area-id can be an integer in the range 0–2,147,483,647 or have the format of an IP address.
The authentication keyword specifies that the function being configured for the area is packet
authentication.
The ipsec keyword specifies that IPsec is the protocol that authenticates the packets.
The spi keyword and the spinum variable specify the index that points to the security association.
The near-end and far-end values for spinum must be the same. The range for spinum is decimal
256–4294967295.
The mandatory esp keyword specifies ESP (rather than authentication header) as the protocol to
provide packet-level security. In the current release, this parameter can be esp only.
The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm. This mandatory
parameter can be only the sha1 keyword in the current release.
Including the optional no-encrypt keyword means that the 40-character key is not encrypted upon
either its entry or its display. The key must be 40 hexadecimal characters.
If no-encrypt is not entered, then the key will be encrypted. This is the default. The system adds the
following in the configuration to indicate that the key is encrypted:
• encrypt = the key string uses a proprietary simple cryptographic 2-way algorithm.
• encryptb64 = the key string uses a proprietary base64 cryptographic 2-way algorithm.
The configuration in the preceding example results in the configuration for area 2 that is illustrated
in the following example.
ipv6 router ospf
area 0
area 1
area 2
area 2 auth ipsec spi 400 esp sha1 abcef12345678901234fedcba098765432109876
Configuring IPsec for a virtual link
IPsec on a virtual link has a global configuration.
To configure IPsec on a virtual link, enter the IPv6 router OSPF context of the CLI and proceed as
the following example illustrates. (Note the no-encrypt option in this example.)
Brocade(config-ospf6-router)#area 1 vir 10.2.2.2 auth ipsec spi 360 esp sha1 no-encrypt 1234567890098765432112345678990987654321
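An added example, not taken from the Brocade guide: a Python check that validates an area IPsec command against the syntax and ranges documented on this page for the area command (area-id, spinum, 40-hexadecimal-character key) and flags use of no-encrypt. The function names, the sample lines other than the first, and the reading of the IP-address form of area-id as IPv4 dotted-quad are assumptions of this example.

```python
import ipaddress
import re

AREA_MAX = 2_147_483_647                 # area-id integer range 0..2,147,483,647
SPI_MIN, SPI_MAX = 256, 4_294_967_295    # documented spinum range
DEC_RE = re.compile(r"[0-9]+")
KEY_RE = re.compile(r"[0-9a-fA-F]{40}")  # key: exactly 40 hexadecimal characters


def valid_area_id(text):
    """Integer in range, or IP-address form (assumed here to be IPv4 dotted-quad)."""
    if DEC_RE.fullmatch(text):
        return int(text) <= AREA_MAX
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def check_area_ipsec(line):
    """Return findings for one area IPsec command; an empty list means it conforms."""
    tok = line.split("#", 1)[-1].split()   # drop a CLI prompt if one was pasted
    plain = len(tok) == 10 and tok[8] == "no-encrypt"
    if plain:
        del tok[8]
    if (len(tok) != 9 or tok[0] != "area" or tok[2] not in ("auth", "authentication")
            or tok[3:5] != ["ipsec", "spi"] or tok[6:8] != ["esp", "sha1"]):
        return ["does not match the documented syntax"]
    findings = []
    if not valid_area_id(tok[1]):
        findings.append("area-id out of range or malformed")
    if not (DEC_RE.fullmatch(tok[5]) and SPI_MIN <= int(tok[5]) <= SPI_MAX):
        findings.append("spi outside 256-4294967295")
    if not KEY_RE.fullmatch(tok[8]):
        findings.append("key is not 40 hexadecimal characters")
    if plain:
        findings.append("no-encrypt: key is not encrypted on entry or display")
    return findings


# Constructed sample input; only the first line is the example command from this page.
SAMPLE = [
    "Brocade(config-ospf6-router)#area 2 auth ipsec spi 400 esp sha1 "
    "abcef12345678901234fedcba098765432109876",
    "area 0.0.0.3 authentication ipsec spi 255 esp sha1 no-encrypt " + "ab" * 20,
    "area 5 auth ipsec spi 1000 esp sha1 deadbeef",
]

if __name__ == "__main__":
    for cmd in SAMPLE:
        print(check_area_ipsec(cmd) or ["ok"], "<-", cmd)
```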