Dell PowerSwitch S4112F-ON OS10 Enterprise Edition User Guide Release 10.4.0ER - Page 383
IPsec authentication on interfaces, Enter the encryption algorithm used with ESP 3DES, DES, AES-CBC
View all Dell PowerSwitch S4112F-ON manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 383 highlights
• There is no maximum AH or ESP header length because the headers have fields with variable lengths. Configure IPsec authentication on interfaces Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, then enable OSPFv3 on the interface, and assign it to an area. The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. You cannot configure the same SPI value on another interface even if it uses the same authentication or encryption algorithm. You cannot use an IPsec authentication type (MD5 or SHA-1) and the null setting at same time on an interface. These settings are mutually exclusive. • Enable IPsec authentication for OSPFv3 packets in Interface mode. ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} key} - null - Prevent an authentication policy configured for the area to be inherited on the interface. This parameter is only used if you configure IPsec area authentication. - ipsec spi number - Enter a unique security policy index (SPI) value (256 to 4294967295). - md5 - Enable message digest 5 (MD5) authentication. - sha1 - Enable secure hash algorithm 1 (SHA-1) authentication. - key - Enter the text string used in the authentication type. All neighboring OSPFv3 routers must share the key to exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits. For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported. To delete an IPsec authentication policy, use the no ipv6 ospf authentication ipsec spi number or no ipv6 ospf authentication null command. Configure IPsec authentication on interface OS10(conf-if-eth1/1/1)# ipv6 ospf authentication ipsec spi 400 md5 12345678123456781234567812345678 OS10(conf-if-eth1/1/1)# show configuration ! interface ethernet1/1/1 ipv6 ospf authentication ipsec spi 400 md5 12345678123456781234567812345678 no switchport no shutdown ipv6 address 1::1/64 IPsec encryption on interfaces Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area. When you configure encryption on an interface, both IPsec encryption and authentication are enabled. You cannot configure encryption if you have already configured an interface for IPsec authentication (ipv6 ospf authentication ipsec). To configure encryption, you must first delete the authentication policy. • Enable IPsec encryption for OSPFv3 packets in Interface mode. ipv6 ospf encryption ipsec spi number esp encryption-type key authentication-type key - ipsec spi number - Enter a unique security policy index (SPI) value (256 to 4294967295). - esp encryption-type key - Enter the encryption algorithm used with ESP (3DES, DES, AES-CBC, or NULL). For AESCBC, only the AES-128 and AES-192 ciphers are supported. - key - Enter the text string used in the encryption algorithm. All neighboring OSPFv3 routers must share the key to decrypt information. Only a non-encrypted key is supported. Required lengths of the non-encrypted key are: 3DES - 48 hex digits; DES - 16 hex digits; AES-CBC - 32 hex digits for AES-128 and 48 hex digits for AES-192. Layer 3 383