Configuration Guide User guide

FastIron Configuration Guide 1311
53-1002494-02
OSPF V3 configuration
The ospf keyword identifies OSPFv3 as the protocol to receive IPsec security.
The authentication keyword enables authentication.
The ipsec keyword specifies IPsec as the authentication protocol.
The spi keyword and the <spinum> variable specify the security parameter that points to the
security association. The near-end and far-end values for spinum must be the same. The range for
<spinum> is decimal 256 – 4294967295.
The mandatory esp keyword specifies ESP (rather than authentication header) as the protocol to
provide packet-level security. In the current release, this parameter can be esp only.
The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm. This mandatory
parameter can be only the sha1 keyword in the current release.
Including the optional no-encrypt keyword means that when you display the IPsec configuration,
the key is displayed in its unencrypted form and also saved as unencrypted.
The <key> variable must be 40 hexadecimal characters. To change an existing key, you must also
specify a different SPI value; you cannot change the key alone. For example, in an interface
context where you intend to change a key, you must type a different SPI value (which occurs
before the key parameter on the command line) before you type the new key. The example in
“IPsec for OSPFv3 configuration” illustrates this requirement.
If no-encrypt is not entered, then the key will be encrypted. This is the default. The system adds the
following in the configuration to indicate that the key is encrypted:
encrypt = the key string uses a proprietary simple cryptographic 2-way algorithm.
encryptb64 = the key string uses a proprietary base64 cryptographic 2-way algorithm.
This example results in the configuration shown in the screen output that follows. Note that
because the optional no-encrypt keyword was omitted, the display of the key has the encrypted
form by default.
Configuring IPsec for an area
This application of the area command (for IPsec) applies to all of the interfaces that belong to an
area unless an interface has its own IPsec configuration. (As described in “Disabling IPsec on an
interface” on page 1313, the interface IPsec can be operationally disabled if necessary.) To
configure IPsec for an area in the IPv6 router OSPF context, proceed as in the following example.
Brocade(config-ospf6-router)#area 2 auth ipsec spi 400 esp sha1 abcef12345678901234fedcba098765432109876
Syntax: area <area-id> authentication ipsec spi <spinum> esp sha1 [no-encrypt] <key>
The no form of this command deletes IPsec from the area.
The area command and the <area-id> variable specify the area for this IPsec configuration. The
<area-id> can be an integer in the range 0 – 2,147,483,647 or have the format of an IP address.
interface ethernet 1/1/2
enable
ip address 40.3.3.1/8
ipv6 address 40:3:3::1/64
ipv6 ospf area 1
ipv6 ospf authentication ipsec spi 429496795 esp sha1 encryptb64
$ITJkQG5HWnw4M09tWVd
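
The constraints stated above (SPI range, 40-hexadecimal-character key, a key change requiring a different SPI, and no-encrypt leaving the key in clear) can be checked on staged configuration text before it is applied. This is an added example, not part of the Brocade guide; the function names, the sample lines, and the treatment of a key with no encrypt/encryptb64 marker as plaintext are assumptions.

```python
import re

# Interface form ("ipv6 ospf ...") and area form ("area <id> ...") of the command.
LINE = re.compile(
    r"^\s*(ipv6 ospf|area \S+) auth(?:entication)? ipsec spi (\d+) esp sha1"
    r"(?: (no-encrypt|encrypt|encryptb64))? (\S+)\s*$")

def parse(config_text):
    """Return {scope: (spi, marker, key)}; scope is the interface line or 'area <id>'."""
    entries, iface = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            iface = line.strip()
        m = LINE.match(line)
        if m:
            scope = iface if m.group(1) == "ipv6 ospf" else m.group(1)
            entries[scope] = (int(m.group(2)), m.group(3), m.group(4))
    return entries

def audit(config_text):
    """Flag SPIs outside 256-4294967295, keys stored in clear, and malformed keys."""
    findings = []
    for scope, (spi, marker, key) in parse(config_text).items():
        if not 256 <= spi <= 4294967295:
            findings.append((scope, "spi-out-of-range"))
        if marker in ("encrypt", "encryptb64"):
            continue  # stored form is not the raw key; 2-way, so backups stay sensitive
        findings.append((scope, "plaintext-key"))  # assumption: no marker means clear
        if not re.fullmatch(r"[0-9a-fA-F]{40}", key):
            findings.append((scope, "key-not-40-hex"))
    return findings

def rekey_without_new_spi(old_text, new_text):
    """Scopes whose key changed while the SPI stayed the same."""
    old, new = parse(old_text), parse(new_text)
    return [s for s in new if s in old
            and new[s][2] != old[s][2] and new[s][0] == old[s][0]]

# Constructed samples (not from a real device); the encrypted value is a placeholder.
OLD = """interface ethernet 1/1/2
 ipv6 ospf authentication ipsec spi 400 esp sha1 no-encrypt abcef12345678901234fedcba098765432109876
interface ethernet 1/1/3
 ipv6 ospf authentication ipsec spi 401 esp sha1 encryptb64 $CONSTRUCTEDPLACEHOLDER
ipv6 router ospf
 area 2 authentication ipsec spi 100 esp sha1 no-encrypt 1234
"""
NEW = OLD.replace("abcef", "12345", 1)  # new key on 1/1/2, SPI left at 400

if __name__ == "__main__":
    print(audit(OLD), rekey_without_new_spi(OLD, NEW))
```
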