The key variable must be 40 hexadecimal characters. To change an existing key, you must also specify a different SPI value. You cannot change the key without also specifying a different SPI. For example, in an interface context where you intend to change a key, you must type a different SPI value -- which occurs before the key parameter on the command line -- before you type the new key.
If no-encrypt is not entered, then the key will be encrypted. This is the default. The system adds the following in the configuration to indicate that the key is encrypted:
• encrypt = the key string uses proprietary simple cryptographic 2-way algorithm
• encryptb64 = the key string uses proprietary base64 cryptographic 2-way algorithm
This example results in the configuration shown in the screen output that follows. Note that because the optional no-encrypt keyword was omitted, the display of the key has the encrypted form by default.
interface ethernet 1/1/2
enable
ip address 10.3.3.1/8
ipv6 address 2001:db8:3::1/64
ipv6 ospf area 1
ipv6 ospf authentication ipsec spi 429496795 esp sha1 encryptb64 $ITJkQG5HWnw4M09tWVd
Configuring IPsec for an area
This application of the area command (for IPsec) applies to all of the interfaces that belong to an area unless an interface has its own IPsec configuration. (The interface IPsec can be operationally disabled if necessary.) To configure IPsec for an area in the IPv6 router OSPF context, proceed as in the following example.
device(config-ospf6-router)# area 2 auth ipsec spi 400 esp sha1 abcef12345678901234fedcba098765432109876
Syntax: [no] area area-id authentication ipsec spi spi-num esp sha1 [no-encrypt] key
The no form of this command deletes IPsec from the area.
The area command and the area-id variable specify the area for this IPsec configuration. The area-id can be an integer in the range 0 through 2,147,483,647 or have the format of an IP address.
The authentication keyword specifies that the function being configured for the area is packet authentication.
The ipsec keyword specifies that IPsec is the protocol that authenticates the packets.
The spi keyword and the spi-num variable specify the index that points to the security association. The near-end and far-end values for spi-num must be the same. The range for spi-num is decimal 256 through 4294967295.
The mandatory esp keyword specifies ESP (rather than authentication header) as the protocol to provide packet-level security. In the current release, this parameter can be esp only.
The sha1 keyword specifies the HMAC-SHA1-96 authentication algorithm. This mandatory parameter can be only the sha1 keyword in the current release.
Including the optional no-encrypt keyword means that the 40-character key is not encrypted upon either its entry or its display. The key must be 40 hexadecimal characters.
If no-encrypt is not entered, then the key will be encrypted. This is the default. The system adds the following in the configuration to indicate that the key is encrypted:
• encrypt = the key string uses proprietary simple cryptographic 2-way algorithm
• encryptb64 = the key string uses proprietary base64 cryptographic 2-way algorithm
The configuration in the preceding example results in the configuration for area 2 that is illustrated in the following.
ipv6 router ospf
area 0
area 1
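The constraints described above (SPI range, 40-hexadecimal-character key, key storage form, and a new SPI on every key change) can be checked offline against saved configurations. The following Python is an added example, not part of the manual or vendor code; the function names parse, audit and rekey_ok are hypothetical, the second sample line is constructed, and applying the area SPI range to interface commands is an assumption.

```python
import re

# Grammar follows the Syntax line on this page; "auth" is accepted because the
# page's own example abbreviates it. An optional CLI prompt prefix is skipped.
CMD = re.compile(
    r"^\s*(?:\S+#\s+)?(?:ipv6 ospf|area (?P<area>\S+)) auth(?:entication)? ipsec"
    r" spi (?P<spi>\d+) esp sha1(?: (?P<mode>no-encrypt|encrypt|encryptb64))?"
    r" (?P<key>\S+)\s*$")
HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")
# Range the page gives for the area command; assumed here for interfaces too.
SPI_MIN, SPI_MAX = 256, 4294967295

# Sample input: the page's area example, then a constructed non-compliant line.
SAMPLE = [
    "device(config-ospf6-router)# area 2 auth ipsec spi 400 esp sha1 "
    "abcef12345678901234fedcba098765432109876",
    "area 3 authentication ipsec spi 100 esp sha1 no-encrypt 0123456789abcdef",
]

def parse(line):
    """Return a dict for an OSPFv3 IPsec command, or None for any other line."""
    m = CMD.match(line)
    if not m:
        return None
    return {"scope": f"area {m['area']}" if m["area"] else "interface",
            "spi": int(m["spi"]), "mode": m["mode"], "key": m["key"]}

def audit(line):
    """List findings for one command line, checked against the page's rules."""
    cmd = parse(line)
    if cmd is None:
        return []
    findings = []
    if not SPI_MIN <= cmd["spi"] <= SPI_MAX:
        findings.append("spi out of range 256-4294967295")
    if cmd["mode"] in ("encrypt", "encryptb64"):
        findings.append("key stored in 2-way (reversible) form; protect config files and backups")
    else:  # key as typed (no mode keyword) or no-encrypt: must be 40 hex characters
        if not HEX40.match(cmd["key"]):
            findings.append("key is not 40 hexadecimal characters")
        if cmd["mode"] == "no-encrypt":
            findings.append("no-encrypt: key is displayed in cleartext")
    return findings

def rekey_ok(old_line, new_line):
    """True unless the key changed while the SPI stayed the same (same key form assumed)."""
    old, new = parse(old_line), parse(new_line)
    if old is None or new is None:
        raise ValueError("both lines must be OSPFv3 IPsec commands")
    return old["key"] == new["key"] or old["spi"] != new["spi"]
```
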
Configuring OSPFv3
FastIron Ethernet Switch Layer 3 Routing
316
53-1003627-04