
1310 FastIron Configuration Guide
53-1002494-02
OSPF V3 configuration
The area-wide SPI that you specify is a constant for all interfaces in the area that use the area
IPsec, but the use of different interfaces results in an SPDID and an SA that are unique to each
interface. (Recall from “IPSec for OSPFv3” on page 1307 that the security policy database
depends partly on the source IP address, so a unique SPD for each interface results.)
Considerations for IPsec on virtual links
The IPsec configuration for a virtual link is global, so only one security association database and
one security policy database exist for virtual links if you choose to configure IPsec for virtual links.
The virtual link IPsec SAs and policies are added to all interfaces of the transit area for the
outbound direction. For the inbound direction, IPsec SAs and policies for virtual links are added to
the global database.
NOTE
The security association (SA), security parameter index (SPI), security policy database (SPD), and key
have mutual dependencies, as the subsections that follow describe.
Specifying the key rollover timer
Configuration changes for authentication take effect in a controlled manner through the key
rollover procedure as specified in RFC 4552, Section 10.1. The key rollover timer controls the
timing of the configuration changeover. The key rollover timer can be configured in the IPv6 router
OSPF context, as the following example illustrates.
Brocade(config-ospf6-router)#key-rollover-interval 200
Syntax: key-rollover-interval <time>
The range for the key-rollover-interval is 0 – 14400 seconds. The default is 300 seconds.
Configuring IPsec on an interface
For IPsec to work, the IPsec configuration must be the same on all the routers to which an interface
connects.
For multicast, IPsec does not need or use a specific destination address—the destination address
is “do not care,” and this status is reflected by the lone pair of colons (::) for destination address in
the show command output.
To configure IPsec on an interface, proceed as in the following example.
NOTE
The IPsec configuration for an interface applies to the inbound and outbound directions. Also, the
same authentication parameters must be used by all routers on the network to which the interface
is connected, as described in section 7 of RFC 4552.
Brocade(config-if-e10000-1/2)#ipv6 ospf auth ipsec spi 429496795 esp sha1 abcdef12345678900987654321fedcba12345678
Syntax: [no] ipv6 ospf authentication ipsec spi <spinum> esp sha1 [no-encrypt] <key>
The no form of this command deletes IPsec from the interface.
The ipv6 command is available in the configuration interface context for a specific interface.
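Because the IPsec parameters must match on every router attached to an interface's link, an offline check of the collected configurations catches mismatches before adjacencies silently fail. The following is an added example, not Brocade code: it parses the interface command syntax above from constructed router stanzas (router and interface names are hypothetical), flags SPI, key or no-encrypt mismatches across a link, checks that a sha1 key is 160 bits (40 hex digits), and validates the key-rollover-interval range.

```python
import re

# Interface command from the guide; the "auth" abbreviation used in the
# configuration example is accepted alongside the full keyword.
IPSEC_RE = re.compile(
    r"^\s*ipv6 ospf auth(?:entication)? ipsec spi (\d+) esp sha1"
    r"(?: (no-encrypt))? ([0-9A-Fa-f]+)\s*$"
)

# Constructed sample stanzas: three routers, r2 differs by "no-encrypt".
R1_CONFIG = """interface ethernet 1/2
 ipv6 ospf authentication ipsec spi 429496795 esp sha1 abcdef12345678900987654321fedcba12345678
"""
R2_CONFIG = """interface ethernet 1/1
 ipv6 ospf authentication ipsec spi 429496795 esp sha1 no-encrypt abcdef12345678900987654321fedcba12345678
"""
R3_CONFIG = """interface ethernet 2/4
 ipv6 ospf auth ipsec spi 429496795 esp sha1 abcdef12345678900987654321fedcba12345678
"""

def parse_ipsec(stanza):
    """Return the IPsec parameters of one interface stanza, or None if absent."""
    for line in stanza.splitlines():
        m = IPSEC_RE.match(line)
        if m:
            return {"spi": int(m.group(1)), "no_encrypt": m.group(2) is not None,
                    "key": m.group(3).lower()}
    return None

def check_params(p):
    """Per-interface sanity checks: HMAC-SHA1 needs a 160-bit key; SPI is 32-bit."""
    problems = []
    if len(p["key"]) != 40:
        problems.append("key must be 40 hex digits for sha1, got %d" % len(p["key"]))
    if not 0 < p["spi"] <= 0xFFFFFFFF:
        problems.append("spi %d outside 32-bit range" % p["spi"])
    return problems

def check_link(stanzas):
    """Compare every router's stanza on one link; return a list of problems."""
    parsed = {name: parse_ipsec(s) for name, s in stanzas.items()}
    problems = []
    for name, p in parsed.items():
        if p is None:
            problems.append("%s: no IPsec configured" % name)
        else:
            problems.extend("%s: %s" % (name, x) for x in check_params(p))
    present = [p for p in parsed.values() if p]
    for field in ("spi", "no_encrypt", "key"):  # all three must match across the link
        values = {p[field] for p in present}
        if len(values) > 1:
            problems.append("%s differs across routers: %s"
                            % (field, ", ".join(sorted(map(str, values)))))
    return problems

def check_rollover(interval):
    """key-rollover-interval must be within 0 to 14400 seconds (default 300)."""
    return 0 <= interval <= 14400
```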