DELL S50V User Manual
Open Shortest Path First (OSPFv2 and OSPFv3) | 737
Configuring IPsec Encryption on an Interface
Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, you must first enable IPv6
unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an
area (see
unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an
area (see
).
To configure IPsec encryption on an interface, enter the following command
Note that when you configure encryption with the
ipv6 ospf encryption ipsec
command, you enable both
IPsec encryption and authentication. However, when you enable authentication on an interface with the
ipv6 ospf authentication ipsec
command, you do not enable encryption at the same time.
An SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. You
must configure the same authentication policy (same SPI and key) on each OSPFv3 interface in a link.
must configure the same authentication policy (same SPI and key) on each OSPFv3 interface in a link.
Command Syntax
Command
Mode
Mode
Usage
ipv6 ospf encryption
{
null
|
ipsec
spi
number
esp
encryption-algorithm
[key-encryption-type] key
authentication-algorithm
[key-authentication-type] key }
authentication-algorithm
[key-authentication-type] key }
INTERFACE
Enable IPsec encryption for OSPFv3 packets on an
IPv6-based interface, where:
IPv6-based interface, where:
null causes an encryption policy configured for
the area to not be inherited on the interface
the area to not be inherited on the interface
.
ipsec spi
number is the Security Policy index
(SPI) value. Range: 256 to 4294967295.
esp
encryption-algorithm
specifies the
encryption algorithm used with ESP. Valid
values are: 3DES, DES, AES-CBC, and NULL.
For AES-CBC, only the AES-128 and AES-192
ciphers are supported.
values are: 3DES, DES, AES-CBC, and NULL.
For AES-CBC, only the AES-128 and AES-192
ciphers are supported.
key
specifies the text string
used in the encryption.
All neighboring OSPFv3 routers must share the same
key to decrypt information. Required lengths of a
non-encrypted or encrypted key are: 3DES - 48 or 96
hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or
64 hex digits for AES-128 and 48 or 96 hex digits for
AES-192.
key-encryption-type
key to decrypt information. Required lengths of a
non-encrypted or encrypted key are: 3DES - 48 or 96
hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or
64 hex digits for AES-128 and 48 or 96 hex digits for
AES-192.
key-encryption-type
(optional) specifies if the
key is encrypted. Valid values: 0 (key is not
encrypted) or 7 (key is encrypted).
encrypted) or 7 (key is encrypted).
authentication-algorithm
specifies the encryption
authentication algorithm to use. Valid values
are MD5
are MD5
or
SHA1.
key
specifies the text string
used in used in
authentication. All neighboring OSPFv3 routers must
share the same key to exchange information. For MD5
authentication, the key must be 32 hex digits
(non-encrypted) or 64 hex digits (encrypted). For
SHA-1 authentication, the key must be 40 hex digits
(non-encrypted) or 80 hex digits (encrypted).
key-authentication-type
share the same key to exchange information. For MD5
authentication, the key must be 32 hex digits
(non-encrypted) or 64 hex digits (encrypted). For
SHA-1 authentication, the key must be 40 hex digits
(non-encrypted) or 80 hex digits (encrypted).
key-authentication-type
(optional) specifies if the
authentication key is encrypted. Valid values: 0
or 7
or 7
.