Configure IPsec for the OSPF Virtual Link

Use the following procedure to configure and enable IPsec for the OSPF virtual link.

IPsec is disabled by default.

Before you begin

  • Configure the OSPF virtual link.

  • Create the IPsec security association.

About this task

Until you enable IPsec on both ends of the virtual link, the link cannot exchange OSPFv3 control messages, and the system drops OSPFv3 exchange packets.

You must disable IPsec before you can perform virtual link policy configuration changes.

For configuration examples of IPsec used with OSPFv3 virtual link, see OSPFv3 virtual link IPsec configuration example.

Procedure

  1. Enter OSPF Router Configuration mode:

    enable

    configure terminal

    router ospf

  2. Create the IPsec policy under the OSPF virtual link:

    ipv6 area virtual-link {A.B.C.D} {A.B.C.D} ipsec

  3. Configure the action of the IPsec policy under the OSPF virtual link:

    ipv6 area virtual-link {A.B.C.D} {A.B.C.D} ipsec action <drop|permit>

  4. Configure the direction of the IPsec policy under the OSPF virtual link:

    ipv6 area virtual-link {A.B.C.D} {A.B.C.D} ipsec direction <both|in|out>

  5. Link the security association to the OSPF virtual link:

    ipv6 area virtual-link {A.B.C.D} {A.B.C.D} ipsec security-association WORD<0-32>

  6. Enable the IPsec policy created under the OSPF virtual link:

    ipv6 area virtual-link {A.B.C.D} {A.B.C.D} ipsec enable

Example

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#router ospf
Switch:1(config-ospf)#ipv6 area virtual-link 1.1.1.1 2.2.2.2 ipsec
Switch:1(config-ospf)#ipv6 area virtual-link 1.1.1.1 2.2.2.2 ipsec action permit
Switch:1(config-ospf)#ipv6 area virtual-link 1.1.1.1 2.2.2.2 ipsec direction both
Switch:1(config-ospf)#ipv6 area virtual-link 1.1.1.1 2.2.2.2 ipsec security-association test1
Switch:1(config-ospf)#ipv6 area virtual-link 1.1.1.1 2.2.2.2 ipsec enable
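
The following audit script is an added example, not part of the vendor documentation. It parses the virtual-link IPsec lines captured from each end and flags an end where the policy is not enabled, no security association is linked, the action is drop, or only one direction is protected. It assumes captured configuration lines use the same syntax as the commands above; the function names and the second end's addresses are constructed for illustration.

```python
import re

# Assumption: saved or captured config lines use the command syntax from the procedure.
LINE = re.compile(
    r"ipv6 area virtual-link (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) ipsec"
    r"(?: (action|direction|security-association|enable)(?: (\S+))?)?\s*$")

def parse_policies(config_text):
    """Return {(area, virtual_link): policy}; defaults: disabled, permit, both."""
    policies = {}
    for raw in config_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        area, vlink, key, value = m.groups()
        pol = policies.setdefault((area, vlink), {
            "enabled": False, "action": "permit", "direction": "both", "sa": None})
        if key == "enable":
            pol["enabled"] = True
        elif key == "security-association":
            pol["sa"] = value
        elif key in ("action", "direction"):
            pol[key] = value
    return policies

def audit_end(name, pol):
    """List the findings for one end of the virtual link."""
    if pol is None:
        return [f"{name}: no IPsec policy on the virtual link"]
    checks = [(not pol["enabled"], "IPsec policy not enabled"),
              (pol["sa"] is None, "no security association linked"),
              (pol["action"] != "permit", f"action is {pol['action']}"),
              (pol["direction"] != "both", f"only '{pol['direction']}' traffic protected")]
    return [f"{name}: {msg}" for failed, msg in checks if failed]

def audit_link(pol_a, pol_b):
    """Audit both ends; OSPFv3 control messages need IPsec enabled on both."""
    findings = audit_end("A", pol_a) + audit_end("B", pol_b)
    if pol_a and pol_b and pol_a["enabled"] != pol_b["enabled"]:
        findings.append("mismatch: IPsec enabled on one end only")
    return findings

# Constructed sample input: end A repeats the page's example, end B lacks "enable".
END_A = """ipv6 area virtual-link 1.1.1.1 2.2.2.2 ipsec
ipv6 area virtual-link 1.1.1.1 2.2.2.2 ipsec security-association test1
ipv6 area virtual-link 1.1.1.1 2.2.2.2 ipsec enable"""
END_B = """ipv6 area virtual-link 1.1.1.1 3.3.3.3 ipsec
ipv6 area virtual-link 1.1.1.1 3.3.3.3 ipsec direction in
ipv6 area virtual-link 1.1.1.1 3.3.3.3 ipsec security-association test1"""
```

Because the parser searches within each line, a pasted CLI session with prompts such as `Switch:1(config-ospf)#` parses the same way as bare command lines.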

Variable definitions

Use the data in the following table to use the ipv6 area virtual-link {A.B.C.D} {A.B.C.D} ipsec command.

Variable

Value

{A.B.C.D} {A.B.C.D}

The first IP address specifies the area IP address, and the second IP address specifies the virtual-link IP address.

action <drop|permit>

Configures the action of the IPsec policy under the OSPF virtual tunnel to one of the following:
  • drop—Drops the IP packets.

  • permit—Permits the IP packets.

The default is permit.

direction <both|in|out>

Specifies the direction you want to protect with IPsec:
  • in—Specifies ingress traffic.

  • out—Specifies egress traffic.

  • both—Specifies both ingress and egress traffic.

The default is both.

enable

Enables the IPsec policy under the OSPF virtual link.

security-association WORD<0-32>

Links the security association to the OSPF virtual link.