You can use Internet Protocol Security (IPsec) with an OSPFv3 virtual link to protect communication between the end points. You can also use IPsec with OSPFv3 on a brouter port or VLAN interface, for example, if you want to encrypt OSPFv3 control traffic on a broadcast network.
An OSPF virtual link provides connectivity to the OSPF backbone area, either for redundancy or when a physical connection is not possible.
Because the device does not know the IPv6 addresses of the OSPFv3 virtual link end points at the time of configuration, you cannot manually configure the security policy ahead of time. The system must self-manage its security policy dynamically. The device also dynamically manages the IPsec enable flag, which the virtual link uses on a Layer 2 interface, either a VLAN or brouter port interface.
The following events can trigger an IPsec policy activation:
An OSPFv3 routing module detects the establishment of a virtual link.
IPsec is enabled on the already established virtual link.
On the other hand, the following two events can dynamically trigger an IPsec policy deactivation:
The virtual link is torn down.
IPsec is disabled on the virtual link.
IPsec policies can also change dynamically if a neighbor address or a local address changes.
You can enable IPsec support for IPv6 OSPF virtual links at the system level through the CLI. You must disable IPsec before you can perform virtual link policy configuration changes.
Until you enable IPsec on both sides of the virtual links, the links cannot exchange OSPFv3 control messages, and the system drops OSPFv3 exchange packets.
You can configure the direction you want IPsec to protect: ingress, egress, or both. In addition, you can permit or drop communication for the OSPF virtual link.
You can also use IPsec with OSPFv3 on a brouter port or VLAN interface. For a full configuration example, see OSPFv3 IPsec configuration example and OSPFv3 virtual link IPsec configuration example.
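The policy lifecycle described above can be modeled as a small state machine. The following Python sketch is an added illustration, not vendor code or CLI: the class and function names are hypothetical, the addresses are constructed from the IPv6 documentation prefix, and the packet check is a simplification that compares only the address selectors and the permit/drop action.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Endpoint:
    """One end of an OSPFv3 virtual link with a self-managed IPsec policy (model)."""
    ipsec_enabled: bool = False
    link_up: bool = False
    local: Optional[str] = None      # unknown at configuration time
    neighbor: Optional[str] = None   # learned when the virtual link comes up
    direction: str = "both"          # ingress, egress, or both
    action: str = "permit"           # permit or drop

    def policy(self) -> Optional[Tuple[str, str, str, str]]:
        """Return the active policy, or None while it is deactivated."""
        if self.ipsec_enabled and self.link_up:
            return (self.local, self.neighbor, self.direction, self.action)
        return None

    def link_established(self, local: str, neighbor: str) -> None:
        self.local, self.neighbor, self.link_up = local, neighbor, True

    def link_torn_down(self) -> None:
        self.link_up = False

    def address_changed(self, local: Optional[str] = None,
                        neighbor: Optional[str] = None) -> None:
        # The policy follows the new address; nothing is configured by hand.
        self.local = local or self.local
        self.neighbor = neighbor or self.neighbor

    def set_direction(self, direction: str) -> None:
        # IPsec must be disabled before virtual link policy changes.
        if self.ipsec_enabled:
            raise RuntimeError("disable IPsec before changing the policy")
        self.direction = direction


def can_exchange(a: Endpoint, b: Endpoint) -> bool:
    """True when OSPFv3 control packets pass between a and b; else dropped."""
    pa, pb = a.policy(), b.policy()
    if pa is None or pb is None:          # IPsec not active on both sides
        return False
    mirrored = (pa[0], pa[1]) == (pb[1], pb[0])   # selectors must match
    return mirrored and pa[3] == pb[3] == "permit"
```

In this model, enabling IPsec on only one end makes `can_exchange` return False, which is the adjacency loss to expect during a staged rollout until the second end is enabled.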