Users Guide

Table Of Contents
AH authentication verifies that data is not altered during transmission and ensures that users are communicating with the
intended individual or organization. The authentication header is inserted after the IP header with a value of 51. MD5 and
SHA1 authentication types are supported; encrypted and unencrypted keys are supported.
ESP encryption encapsulates data, enabling data protection that follows in the datagram. The ESP extension header is
inserted after the IP header and before the next layer protocol header. 3DES, DES, AES-CBC, and NULL encryption
algorithms are supported; encrypted and unencrypted keys are supported.
Apply IPsec authentication or encryption on a physical, port-channel, or VLAN interface or in an OSPFv3 area. Each
configuration consists of a security policy index (SPI) and the OSPFv3 packets validation key. After you configure an IPsec
protocol for OSPFv3, IPsec operation is invisible to the user.
You can only enable one authentication or encryption security protocol at a time on an interface or for an area. Enable IPsec AH
using the ipv6 ospf authentication command; enable IPsec ESP with the ipv6 ospf encryption command.
A security policy configured for an area is inherited on all interfaces in the area by default.
A security policy configured on an interface overrides any area-level configured security for the area where the interface is
assigned.
The configured authentication or encryption policy applies to all OSPFv3 packets transmitted on the interface or in the area.
The IPsec security associations are the same on inbound and outbound traffic on an OSPFv3 interface.
There is no maximum AH or ESP header length because the headers have fields with variable lengths.
Configure IPsec authentication on interfaces
Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, then
enable OSPFv3 on the interface, and assign it to an area.
The SPI value must be unique to one IPsec authentication or encryption security policy on the router. You cannot configure the
same SPI value on another interface even if it uses the same authentication or encryption algorithm.
You cannot use an IPsec MD5 or SHA-1 authentication type and the null setting at same time on an interface. These settings
are mutually exclusive.
Enable IPsec authentication for OSPFv3 packets in Interface mode.
ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} key}
null Prevent an authentication policy configured for the area to be inherited on the interface. Only use this
parameter if you configure IPsec area authentication.
ipsec spi number Enter a unique security policy index (SPI) value, from 256 to 4294967295.
md5 Enable message digest 5 (MD5) authentication.
sha1 Enable secure hash algorithm 1 (SHA-1) authentication.
key Enter the text string used in the authentication type. All neighboring OSPFv3 routers must share the key to
exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be
32 plain hex digits. For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not
supported.
To delete an IPsec authentication policy, use the no ipv6 ospf authentication ipsec spi number or no ipv6
ospf authentication null command.
Configure IPsec authentication on interface
OS10(conf-if-eth1/1/1)# ipv6 ospf authentication ipsec spi 400 md5
12345678123456781234567812345678
OS10(conf-if-eth1/1/1)# show configuration
!
interface ethernet1/1/1
ipv6 ospf authentication ipsec spi 400 md5 12345678123456781234567812345678
no switchport
no shutdown
ipv6 address 1::1/64
IPsec encryption on interfaces
Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, enable IPv6 unicast routing globally, enable OSPFv3
on the interface, and assign it to an area.
976
Layer 3