IPsec configuration examples
The following section provides examples to configure Internet Protocol Security (IPsec).
Note
If you downgrade your software, the current IPsec configurations are no longer supported. You must boot with the factory default settings for IPsec, and then reconfigure the IPsec features.
IPsec configuration example
Review the following information to understand IPsec configuration.
Create and configure an IPsec policy.
Enable the policy.
Create an IPsec security association to correspond with the IPsec policy.
Configure the key mode format.
Configure the security association.
Link the IPsec security association to the IPsec policy.
Enable the IPsec policy on the interface.
Link the IPsec policy with the interface.
Enable the IPsec on the interface that links to the IPsec policy.
For an example configuration and for more information on IPsec OSPFv3 and OSPFv3 virtual link, see OSPF.
Create a policy named newpolicy with a security association named new_sa on VLAN 100.
The following displays the IPsec policy configuration:
ipsec policy newpolicy raddr 2001:db8:0:0:0:0:0:1 ipsec policy newpolicy laddr 2001:db8:0:0:0:0:0:15 ipsec policy newpolicy protocol tcp sport 4 dport 5 ipsec policy newpolicy action permit
The following example displays the IPsec security association:
ipsec security-association new_sa ipsec security-association new_sa key-mode manual ipsec security-association new_sa mode transport ipsec security-association new_sa encap-proto ESP ipsec security-association new_sa Encrpt-algo 3DES-CBC encrypt-key 111111111111111111111111 KeyLength 24 ipsec security-association new_sa auth-algo SHA1 auth-key 11111111111111111111 KeyLength 20 ipsec security-association new_sa spi 1 ipsec security-association new_sa lifetime seconds 1000
IPsec with ICMPv6 configuration example
The following displays configuration of IPsec with ICMPv6.
Switch 10 security association configuration
The following example displays the configuration of the security association on Switch 10.
ipsec security-association icmp ipsec security-association icmp encap-proto ESP ipsec security-association icmp mode transport ipsec security-association icmp spi 1 ipsec security-association icmp auth-algo SHA1 auth-key 1234567890123456789012345678901234567890 keyLength 40 ipsec security-association icmp Encrpt-algo AES-CBC EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association icmp key-mode manual ipsec security-association icmp lifetime seconds 1 ipsec security-association icmp lifetime bytes 1
Switch 10 policy configuration
The following example displays the configuration of the security policy on Switch 10.
ipsec policy ICMP_Policy ipsec policy ICMP_Policy admin enable ipsec policy ICMP_Policy raddr 2001::2 ipsec policy ICMP_Policy laddr 2001::1 ipsec policy ICMP_Policy protocol icmpv6 ipsec policy ICMP_Policy action permit ipsec policy ICMP_Policy security-association icmp
Switch 10 interface configuration
The following example displays the configuration of IPsec on slot/port 1/10.
interface gigabitEthernet 1/10 no shut interface vlan 3 interface address 2000::1 interface enable ipv6 ipsec policy ICMP_Policy dir both ipv6 ipsec enable
Switch 10 VLAN configuration
The following example displays the creation and configuration of VLAN 3 with IPsec.
interface gigabitEthernet 1/10 no shut exit vlan create 3 type port-mstprstp 3 vlan members add 3 1/10 portmember interface vlan 3 interface enable interface address 2000::1 ipv6 ipsec policy ICMP_Policy dir both ipv6 ipsec enable
Switch 30 security association configuration
The following example displays the configuration of the security association on Switch 30.
ipsec security-association icmp ipsec security-association icmp encap-proto ESP ipsec security-association icmp mode transport ipsec security-association icmp spi 1 ipsec security-association icmp auth-algo SHA1 auth-key 1234567890123456789012345678901234567890 keyLength 40 ipsec security-association icmp Encrpt-algo AES-CBC EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association icmp key-mode manual ipsec security-association icmp lifetime seconds 1 ipsec security-association icmp lifetime bytes 1
Switch 30 policy configuration
The following example displays the configuration of the security policy on Switch 30.
ipsec policy ICMP_Policy ipsec policy ICMP_Policy admin enable ipsec policy ICMP_Policy raddr 2001::1 ipsec policy ICMP_Policy laddr 2001::2 ipsec policy ICMP_Policy action permit ipsec policy ICMP_Policy protocol icmpv6 ipsec policy ICMP_Policy security-association icmp
Switch 30 interface configuration
The following example displays the configuration of IPsec on slot/port 1/10.
interface gigabitEthernet 1/10 no shut ipv6 interface enable ipv6 interface vlan 3 ipv6 interface address 2001::2 ipv6 ipsec policy ICMP_Policy dir both ipv6 ipsec enable
Switch 30 VLAN configuration
The following example displays the creation and configuration of VLAN 3 with IPsec.
interface gigabitEthernet 1/10 no shut exit vlan create 3 type port-mstprstp 0 vlan members add 3 1/20 interface vlan 3 ipv6 interface enable ipv6 interface address 2001::2 ipv6 ipsec policy ICMP_Policy dir both ipv6 ipsec enable
OSPFv3 IPsec configuration example
The following example displays a network using IPsec used with OSPFv3.
The following example displays the configuration of IPsec with OSPFv3. For OSPFv3 conceptual and procedural information, see OSPF.
Switch 10 security associations
The following example displays the configuration of security associations for OSPFv3 for Switch 10.
ipsec security-association ospf1 ipsec security-association ospf1 encap-proto ESP ipsec security-association ospf1 mode transport ipsec security-association ospf1 spi 1 ipsec security-association ospf1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf1 key-mode manual ipsec security-association ospf1 lifetime seconds 1 ipsec security-association ospf1 lifetime bytes 1 ipsec security-association ospf2 ipsec security-association ospf2 encap-proto ESP ipsec security-association ospf2 mode transport ipsec security-association ospf2 spi 2 ipsec security-association ospf2 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf2 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf2 key-mode manual ipsec security-association ospf2 lifetime seconds 1 ipsec security-association ospf2 lifetime bytes 1 ipsec security-association ospf3 ipsec security-association ospf3 encap-proto ESP ipsec security-association ospf3 mode transport ipsec security-association ospf3 spi 3 ipsec security-association ospf3 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf3 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf3 key-mode manual ipsec security-association ospf3 lifetime seconds 1 ipsec security-association ospf3 lifetime bytes 1 ipsec security-association ospf4 ipsec security-association ospf4 encap-proto ESP ipsec security-association ospf4 mode transport ipsec security-association ospf4 spi 4 ipsec security-association ospf4 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf4 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf4 key-mode manual ipsec security-association ospf4 lifetime seconds 1 ipsec security-association ospf4 lifetime bytes 1 ipsec security-association ospf5 ipsec security-association ospf5 encap-proto ESP ipsec security-association ospf5 mode transport ipsec security-association ospf5 spi 5 ipsec security-association ospf5 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf5 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf5 key-mode manual ipsec security-association ospf5 lifetime seconds 1 ipsec security-association ospf5 lifetime bytes 1 ipsec security-association ospf6 ipsec security-association ospf6 encap-proto ESP ipsec security-association ospf6 mode transport ipsec security-association ospf6 spi 6 ipsec security-association ospf6 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf6 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf6 key-mode manual ipsec security-association ospf6 lifetime seconds 1 ipsec security-association ospf6 lifetime bytes 1
Switch 10 policy configuration
The following example displays the configuration of policies on Switch 10. The link local address is fe80:0:0:0:b2ad:aaff:fe43:100 and the remote link local address is fe80:0:0:0:b2ad:aaff:fe43:4d00. The following displays the policy with the laddr configured to the link local address and raddr configured to the remote link local address, with the direction configured as outbound.
ipsec policy ospf1 ipsec policy ospf1 admin enable ipsec policy ospf1 raddr fe80:0:0:0:b2ad:aaff:fe43:4d00 ipsec policy ospf1 laddr fe80:0:0:0:b2ad:aaff:fe43:100 ipsec policy ospf1 protocol ospfv3 ipsec policy ospf1 action permit
The following example displays the configuration of policies on Switch 10. The link local address is fe80:0:0:0:b2ad:aaff:fe43:100 and the remote link local address is fe80:0:0:0:b2ad:aaff:fe43:4d00. The following displays the policy with the laddr configured to the link local address and raddr configured to the remote link local address, with the direction configured as inbound.
For a policy direction of inbound, laddr and raddr are reversed before storing to the stack. Because of this, even though the policy requires you to configure the laddr as the remote link local address, you need to configure laddr as the link local address in the configuration.
ipsec policy ospf2 ipsec policy ospf2 admin enable ipsec policy ospf2 raddr fe80:0:0:0:b2ad:aaff:fe43:4d00 ipsec policy ospf2 laddr fe80:0:0:0:b2ad:aaff:fe43:100 ipsec policy ospf2 protocol ospfv3 ipsec policy ospf2 action permit
Laddr is configured to the link local and raddr is configured to ff02::05 with the direction configured as outbound.
ipsec policy ospf3 ipsec policy ospf3 admin enable ipsec policy ospf3 raddr ff02::05 ipsec policy ospf3 laddr fe80:0:0:0:b2ad:aaff:fe43:100 ipsec policy ospf3 protocol ospfv3 ipsec policy ospf3 action permit
Laddr is configured to the remote link local and raddr is configured to ff02::05 with the direction configured as inbound.
ipsec policy ospf4 ipsec policy ospf4 admin enable ipsec policy ospf4 raddr fe80:0:0:0:b2ad:aaff:fe43:4d00 ipsec policy ospf4 laddr ff02::05 ipsec policy ospf4 protocol ospfv3 ipsec policy ospf4 action permit
Laddr is configured to the link local and raddr is configured to ff02::06 with the direction as outbound.
ipsec policy ospf5 ipsec policy ospf5 admin enable ipsec policy ospf5 raddr ff02::06 ipsec policy ospf5 fe80:0:0:0:b2ad:aaff:fe43:100 ipsec policy ospf5 protocol ospfv3 ipsec policy ospf5 action permit
Laddr is configured to the remote link local and raddr is configured to ff02::06 with the direction configured as inbound.
ipsec policy ospf6 ipsec policy ospf6 admin enable ipsec policy ospf6 raddr fe80:0:0:0:b2ad:aaff:fe43:4d00 ipsec policy ospf6 laddr ff02::06 ipsec policy ospf6 protocol ospfv3 ipsec policy ospf6 action permit
Switch 10 link table configuration
The following example displays the linking of the policy with the security association on Switch 10.
ipsec policy ospf1 security-association ospf1 ipsec policy ospf2 security-association ospf2 ipsec policy ospf3 security-association ospf3 ipsec policy ospf4 security-association ospf4 ipsec policy ospf5 security-association ospf5 ipsec policy ospf6 security-association ospf6
Switch 10 OSPFv3 configuration
The following example displays the OSPFv3 configuration on Switch 10.
router ospf ipv6-enable router ospf ipv6 router-id 1.1.1.1 ipv6 area 0.0.0.1
Switch 10 interface configuration
The following example displays the interface configuration on slot/port 1/10.
interface gigabitEthernet 1/10 no shut ipv6 interface vlan 3 ipv6 interface address 2000::1/64 ipv6 interface enable ipv6 ospf area 0.0.0.1 ipv6 ospf enable ipv6 ipsec policy ospf1 dir out ipv6 ipsec policy ospf2 dir in ipv6 ipsec policy ospf3 dir out ipv6 ipsec policy ospf4 dir in ipv6 ipsec policy ospf5 dir out ipv6 ipsec policy ospf6 dir in ipv6 ipsec enable
Switch 10 VLAN configuration
The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3.
interface gigabitEthernet 1/10 no shut exit vlan create 3 type port-mstprstp 3 vlan members add 3 1/10 portmember interface vlan 3 ipv6 interface enable ipv6 interface address 2000::1/64 ipv6 ospf area 0.0.0.1 ipv6 ospf enable ipv6 ipsec policy ospf1 dir out ipv6 ipsec policy ospf2 dir in ipv6 ipsec policy ospf3 dir out ipv6 ipsec policy ospf4 dir in ipv6 ipsec policy ospf5 dir out ipv6 ipsec policy ospf6 dir in ipv6 ipsec enable
Switch 30 security associations
The following example displays the configuration of security associations for OSPFv3 for Switch 30.
ipsec security-association ospf1 ipsec security-association ospf1 encap-proto ESP ipsec security-association ospf1 mode transport ipsec security-association ospf1 spi 2 ipsec security-association ospf1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf1 key-mode manual ipsec security-association ospf1 lifetime seconds 1 ipsec security-association ospf1 lifetime bytes 1 ipsec security-association ospf2 ipsec security-association ospf2 encap-proto ESP ipsec security-association ospf2 mode transport ipsec security-association ospf2 spi 1 ipsec security-association ospf2 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf2 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf2 key-mode manual ipsec security-association ospf2 lifetime seconds 1 ipsec security-association ospf2 lifetime bytes 1 ipsec security-association ospf3 ipsec security-association ospf3 encap-proto ESP ipsec security-association ospf3 mode transport ipsec security-association ospf3 spi 4 ipsec security-association ospf3 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf3 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf3 key-mode manual ipsec security-association ospf3 lifetime seconds 1 ipsec security-association ospf3 lifetime bytes 1 ipsec security-association ospf4 ipsec security-association ospf4 encap-proto ESP ipsec security-association ospf4 mode transport ipsec security-association ospf4 spi 3 ipsec security-association ospf4 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf4 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf4 key-mode manual ipsec security-association ospf4 lifetime seconds 1 ipsec security-association ospf4 lifetime bytes 1 ipsec security-association ospf5 ipsec security-association ospf5 encap-proto ESP ipsec security-association ospf5 mode transport ipsec security-association ospf5 spi 6 ipsec security-association ospf5 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf5 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf5 key-mode manual ipsec security-association ospf5 lifetime seconds 1 ipsec security-association ospf5 lifetime bytes 1 ipsec security-association ospf6 ipsec security-association ospf6 encap-proto ESP ipsec security-association ospf6 mode transport ipsec security-association ospf6 spi 5 ipsec security-association ospf6 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf6 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf6 key-mode manual ipsec security-association ospf6 lifetime seconds 1 ipsec security-association ospf6 lifetime bytes 1
Switch 30 policy configuration
In the example, the local addrress is fe80:0:0:0:b2ad:aaff:fe43:4d00, and the remote addrress is fe80:0:0:0:b2ad:aaff:fe43:100. The policy has the laddr confiugred to the link local address and the raddr is configured to the remote link local address with the direction configured to outbound.
ipsec policy ospf1 ipsec policy ospf1 admin enable ipsec policy ospf1 raddr fe80:0:0:0:b2ad:aaff:fe43:100 ipsec policy ospf1 laddr fe80:0:0:0:b2ad:aaff:fe43:4d00 ipsec policy ospf1 protocol ospv3 ipsec policy ospf1 action permit
Laddr is configured to the remote link local address and raddr is configured to the local link local address with the direction configured to inbound.
ipsec policy ospf2 ipsec policy ospf2 admin enable ipsec policy ospf2 raddr fe80:0:0:0:b2ad:aaff:fe43:100 ipsec policy ospf2 laddr fe80:0:0:0:b2ad:aaff:fe43:4d00 ipsec policy ospf2 protocol ospfv3 ipsec policy ospf2 action permit
Laddr is configured to the link local address and raddr is configured to ff02::05 with the direction configured to outbound.
ipsec policy ospf3 ipsec policy ospf3 admin enable ipsec policy ospf3 raddr ff02::05 ipsec policy ospf3 laddr fe80:0:0:0:b2ad:aaff:fe43:4d00 ipsec policy ospf3 protocol ospfv3 ipsec policy ospf3 action permit
Laddr is configured to the remote link local address and the raddr is configured to ff02::05 with the direction configured to inbound.
ipsec policy ospf4 ipsec policy ospf4 admin enable ipsec policy ospf4 raddr fe80:0:0:0:b2ad:aaff:fe43:100 ipsec policy ospf4 laddr ff02::05 ipsec policy ospf4 protocol ospfv3 ipsec policy ospf4 action permit
Laddr is configured to the link local address and raddr is configured to ff02::06 with the direction configured to outbound.
ipsec policy ospf5 ipsec policy ospf5 admin enable ipsec policy ospf5 raddr ff02::06 ipsec policy ospf5 laddr fe80:0:0:0:b2ad:aaff:fe43:4d00 ipsec policy ospf5 protocol ospfv3 ipsec policy ospf5 action permit
Laddr is configured to the remote link local address and raddr is configured to ff02::06 with the direction configured to inbound.
ipsec policy ospf6 ipsec policy ospf6 admin enable ipsec policy ospf6 raddr fe80:0:0:0:b2ad:aaff:fe43:100 ipsec policy ospf6 laddr ff02::06 ipsec policy ospf6 protocol ospfv3 ipsec policy ospf6 action permit
Switch 30 link table configuration
The following example displays the linking of the policy with the security association on Switch 30.
ipsec policy ospf1 security-association ospf1 ipsec policy ospf2 security-association ospf2 ipsec policy ospf3 security-association ospf4 ipsec policy ospf4 security-association ospf3 ipsec policy ospf5 security-association ospf5 ipsec policy ospf6 security-association ospf6
Switch 30 OSPFv3 configuration
The following example displays the OSPFv3 configuration on Switch 30.
router ospf ipv6-enable router ospf ipv6 router-id 2.2.2.2 ipv6 area 0.0.0.1
Switch 30 interface configuration
The following example displays the interface configuration on slot/port 1/10.
interface gigabitEthernet 1/10 no shut ipv6 interface vlan 3 ipv6 interface address 2001::2/64 ipv6 interface enable ipv6 ospf area 0.0.0.1 ipv6 ospf enable ipv6 ipsec policy ospf1 dir out ipv6 ipsec policy ospf2 dir in ipv6 ipsec policy ospf3 dir out ipv6 ipsec policy ospf4 dir in ipv6 ipsec policy ospf5 dir out ipv6 ipsec policy ospf6 dir in ipv6 ipsec enable
Switch 30 VLAN configuration
The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3.
interface gigabitEthernet 1/10 no shut exit minvlan create 3 type port-mstprstp 0 vlan members add 3 1/10 portmember interface vlan 3 ipv6 interface enable ipv6 interface address 2001::2/64 ipv6 ospf area 0.0.0.1 ipv6 ospf enable ipv6 ipsec policy ospf1 dir out ipv6 ipsec policy ospf2 dir in ipv6 ipsec policy ospf3 dir out ipv6 ipsec policy ospf4 dir in ipv6 ipsec policy ospf5 dir out ipv6 ipsec policy ospf6 dir in ipv6 ipsec enable
OSPFv3 virtual link IPsec configuration example
The following example displays a network using IPsec with OSPFv3 virtual link.
The following example displays the configuration of IPsec with OSPFv3 virtual link. For OSPFv3 conceptual and procedural information, see OSPF.
Switch 10 security association configuration
ipsec security-association ospf1 ipsec security-association ospf1 encap-proto ESP ipsec security-association ospf1 mode transport ipsec security-association ospf1 spi 1 ipsec security-association ospf1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf1 key-mode manual ipsec security-association ospf1 lifetime seconds 1 ipsec security-association ospf1 lifetime bytes 1
Switch 10 OSPFv3 configuration
The following example displays the OSPFv3 configuration on Switch 10.
router ospf ipv6-enable ipv6 forwarding router ospf ipv6 router-id 1.1.1.1 ipv6 area 0.0.0.1 ipv6 as-boundary-router ipv6 area 0.0.0.0
Switch 10 virtual link and policy configuration
The following example displays the configuration of a OSPFv3 virtual link.
ipv6 area virtual-link 0.0.0.1 3.3.3.3 ipv6 area virtual-link 0.0.0.1 3.3.3.3 ipsec ipv6 area virtual-link 0.0.0.1 3.3.3.3 ipsec security-association ospf1 ipv6 area virtual-link 0.0.0.1 3.3.3.3 ipsec action permit ipv6 area virtual-link 0.0.0.1 3.3.3.3 ipsec direction both ipv6 area virtual-link 0.0.0.1 3.3.3.3 ipsec enable
Switch 10 interface configuration
The following example displays the interface configuration on slot/port 1/10.
interface gigabitEthernet 1/10 no shut ipv6 interface vlan 3 ipv6 interface address 2000::1/64 ipv6 interface enable ipv6 ospf area 0.0.0.1 ipv6 ospf enable
Switch 10 VLAN configuration
The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3.
interface gigabitEthernet 1/10 no shut exit vlan create 3 type port-mstprstp 3 vlan members add 3 1/10 port-member interface vlan 3 ipv6 interface enable ipv6 interface address 2000::1/64 ipv6 ospf area 0.0.0.1 ipv6 ospf enable
Switch 20 OSPFv3 configuration
The following example displays the OSPFv3 configuration on Switch 20.
router ospf ipv6-enable ipv6 forwarding router ospf ipv6 router-id 2.2.2.2 ipv6 area 0.0.0.1
Switch 20 interface configuration
The following example displays the interface configuration on slot/port 1/10 and 1/20.
interface gigabitEthernet 1/10 no shut ipv6 interface vlan 3 ipv6 interface address 2000::2/64 ipv6 interface enable ipv6 ospf area 0.0.0.1 ipv6 ospf enable interface gigabitEthernet 1/20 no shut ipv6 interface vlan 4 ipv6 interface address 2001::1/64 ipv6 interface enable ipv6 ospf area 0.0.0.1 ipv6 ospf enable
Switch 20 VLAN configuration
The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3 and VLAN 4.
interface gigabitEthernet 1/10 no shut exit vlan create 3 type port-mstprstp 0 vlan members add 3 1/10 portmember interface vlan 3 ipv6 interface enable ipv6 interface address 2000::2/64 ipv6 ospf area 0.0.0.1 ipv6 ospf enable interface gigabitEthernet 1/20 no shut exit vlan create 4 type port-mstprstp 0 vlan members add 4 1/20 portmember interface vlan 4 ipv6 interface enable ipv6 interface address 2001::1/64 ipv6 ospf area 0.0.0.1 ipv6 ospf enable
Switch 40 security association configuration
The following example displays the configuration of security associations for OSPFv3 for Switch 40.
ipsec security-association ospf1 ipsec security-association ospf1 encap-proto ESP ipsec security-association ospf1 mode transport ipsec security-association ospf1 spi 1 ipsec security-association ospf1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association ospf1 key-mode manual ipsec security-association ospf1 lifetime seconds 1 ipsec security-association ospf1 lifetime bytes 1
Switch 40 OSPFv3 configuration
The following example displays the OSPFv3 configuration on Switch 40.
router ospf ipv6-enable ipv6 forwarding router ospf ipv6 router-id 3.3.3.3 ipv6 area 0.0.0.1 ipv6 area 0.0.0.2 ipv6 as-boundary-router
Switch 40 OSPFv3 virtual link and policy configuration
The following example displays the configuration of a OSPFv3 virtual link.
ipv6 area virtual-link 0.0.0.1 1.1.1.1 ipv6 area virtual-link 0.0.0.1 1.1.1.1 ipsec ipv6 area virtual-link 0.0.0.1 1.1.1.1 ipsec security-association ospf1 ipv6 area virtual-link 0.0.0.1 1.1.1.1 ipsec action permit ipv6 area virtual-link 0.0.0.1 1.1.1.1 ipsec direction both ipv6 area virtual-link 0.0.0.1 1.1.1.1 ipsec enable
Switch 40 interface configuration
The following example displays the interface configuration on slot/port 1/20.
interface gigabitEthernet 1/20 no shut ipv6 interface vlan 4 ipv6 interface address 2001::2/64 ipv6 interface enable ipv6 ospf area 0.0.0.1 ipv6 ospf enable
Switch 40 VLAN interface configuration
The following example displays the creation of VLAN 4 and the configuration of IPsec on VLAN 4.
interface gigabitEthernet 1/20 no shut exit vlan create 4 type port-mstprstp 0 vlan members add 4 1/20 interface vlan 4 ipv6 interface enable ipv6 interface address 2001::2/64 ipv6 ospf area 0.0.0.1 ipv6 ospf enable
IPsec configuration of TCP
The following example displays the configuration of IPsec for TCP.
Switch 10 IPsec security association configuration
The following example displays the configuration of the IPsec security association for TCP for Switch 10.
ipsec security-association tcp1 ipsec security-association tcp1 encap-proto ESP ipsec security-association tcp1 mode transport ipsec security-association tcp1 spi 100 ipsec security-association tcp1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association tcp1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association tcp1 key-mode manual ipsec security-association tcp1 lifetime seconds 1 ipsec security-association tcp1 lifetime bytes 1
Switch 10 IPsec policy configuration
The following example displays the configuration of the IPsec policy for TCP for Switch 10.
ipsec policy tcp1 ipsec policy tcp1 admin enable ipsec policy tcp1 raddr 2000::2 ipsec policy tcp1 raddr 2000::2 laddr 2000::1 ipsec policy tcp1 raddr 2000::2 protocol tcp sport 23 dport 23 ipsec policy tcp1 raddr 2000::2 action permit
Switch 10 linking the IPsec policy with the IPsec security association
The following example displays the linking of the IPsec policy with the IPsec security association
ipsec policy tcp1 security-association tcp1
Switch 10 interface configuration
The following examples displays the configuration of IPsec for slot/port 1/10.
interface gigabitEthernet 1/10 no shut ipv6 interface vlan 3 ipv6 interface address 2000::1/64 ipv6 interface enable ipv6 ipsec policy tcp1 dir both ipv6 ipsec enable
Switch 10 VLAN configuration
The following example displays the creation and configuration of VLAN 3.
interface gigabitEthernet 1/10 no shut exit vlan create 3 type port-mstprstp 3 vlan members add 3 1/10 portmember interface vlan 3 ipv6 interface enable ipv6 interface address 2000::1/64 ipv6 ipsec policy tcp1 dir both ipv6 ipsec enable
Switch 30 IPsec security association configuration
The following example displays the configuration of the IPsec security association for TCP for Switch 10.
ipsec security-association tcp1 ipsec security-association tcp1 encap-proto ESP ipsec security-association tcp1 mode transport ipsec security-association tcp1 spi 100 ipsec security-association tcp1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32 ipsec security-association tcp1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32 ipsec security-association tcp1 key-mode manual ipsec security-association tcp1 lifetime seconds 1 ipsec security-association tcp1 lifetime bytes 1
Switch 30 IPsec policy configuration
The following example displays the configuration of the IPsec policy for TCP for Switch 10.
ipsec policy tcp1 ipsec policy tcp1 admin enable ipsec policy tcp1 raddr 2000::1 ipsec policy tcp1 raddr 2000::1 laddr 2000::2 ipsec policy tcp1 raddr 2000::1 protocol tcp sport 23 dport 23 ipsec policy tcp1 raddr 2000::1 action permit
Switch 30 linking the IPsec policy with the IPsec security association
The following example displays the linking of the IPsec policy with the IPsec security association
ipsec policy tcp1 security-association tcp1
Switch 30 interface configuration
The following examples displays the configuration of IPsec for slot/port 1/10.
interface gigabitEthernet 1/10 no shut ipv6 interface vlan 3 ipv6 interface address 2000::2/64 ipv6 interface enable ipv6 ipsec policy tcp1 dir both ipv6 ipsec enable
Switch 30 VLAN configuration
The following example displays the creation and configuration of VLAN 3.
interface gigabitEthernet 1/10 no shut exit vlan create 3 type port-mstprstp 3 vlan members add 3 1/10 portmember interface vlan 3 ipv6 interface enable ipv6 interface address 2000::2/64 ipv6 ipsec policy tcp1 dir both ipv6 ipsec enable