IPsec configuration examples

The following section provides examples to configure Internet Protocol Security (IPsec).

Note

If you downgrade your software, the current IPsec configurations are no longer supported. You must boot with the factory default settings for IPsec, and then reconfigure the IPsec features.

IPsec configuration example

Review the following information to understand IPsec configuration.

Use the following steps to configure IPsec.
  1. Create and configure an IPsec policy.

  2. Enable the policy.

  3. Create an IPsec security association to correspond with the IPsec policy.

  4. Configure the key mode format.

  5. Configure the security association.

  6. Link the IPsec security association to the IPsec policy.

  7. Enable the IPsec policy on the interface.

  8. Link the IPsec policy with the interface.

  9. Enable IPsec on the interface that links to the IPsec policy.

For an example configuration and for more information on IPsec OSPFv3 and OSPFv3 virtual link, see OSPF.

Create a policy named newpolicy with a security association named new_sa on VLAN 100.

The following displays the IPsec policy configuration:

ipsec policy newpolicy raddr 2001:db8:0:0:0:0:0:1 
ipsec policy newpolicy laddr 2001:db8:0:0:0:0:0:15
ipsec policy newpolicy protocol tcp sport 4 dport 5
ipsec policy newpolicy action permit

The following example displays the IPsec security association:

ipsec security-association new_sa
ipsec security-association new_sa key-mode manual
ipsec security-association new_sa mode transport
ipsec security-association new_sa encap-proto ESP
ipsec security-association new_sa Encrpt-algo 3DES-CBC encrypt-key 111111111111111111111111 KeyLength 24
ipsec security-association new_sa auth-algo SHA1 auth-key 11111111111111111111 KeyLength 20
ipsec security-association new_sa spi 1
ipsec security-association new_sa lifetime seconds 1000
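The keys and algorithms in a manually keyed security association are the whole of its protection, so they are worth checking before a configuration copied from documentation goes into service. The following linter is an added example, not vendor code: it reads SA lines in the syntax shown above and reports documentation-style keys, declared key lengths that do not match the key, legacy algorithms, and AES-CTR used with a static key. The SAs lab_ctr and lab_len, the finding codes and the function names are constructed for this illustration; treating keyLength as the character count of the key is an assumption taken from the examples on this page.

```python
import re
from collections import defaultdict

# SA lines in the syntax used on this page. new_sa is the example above;
# lab_ctr and lab_len are constructed for this illustration.
SAMPLE = """\
ipsec security-association new_sa key-mode manual
ipsec security-association new_sa Encrpt-algo 3DES-CBC encrypt-key 111111111111111111111111 KeyLength 24
ipsec security-association new_sa auth-algo SHA1 auth-key 11111111111111111111 KeyLength 20
ipsec security-association lab_ctr key-mode manual
ipsec security-association lab_ctr auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association lab_ctr Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association lab_len key-mode manual
ipsec security-association lab_len auth-algo SHA1 auth-key c41d7e90a2b85f36e07d19ab4c6f8235d1e09a7c keyLength 40
ipsec security-association lab_len Encrpt-algo AES-CBC EncrptKey 9f3c1a7be2d405688b1f0c6a4d7e2935 keyLength 16
"""

KEY_LINE = re.compile(
    r"^ipsec security-association (\S+) (auth-algo|encrpt-algo) (\S+) "
    r"(?:auth-key|encrypt-key|encrptkey) (\S+) keylength (\d+)$", re.IGNORECASE)
MODE_LINE = re.compile(
    r"^ipsec security-association (\S+) key-mode (\S+)$", re.IGNORECASE)

# RFC 8221 guidance for ESP: HMAC-MD5 and 3DES are deprecated and
# HMAC-SHA1 is marked for phase-out.
LEGACY = {"MD5", "SHA1", "3DES-CBC"}


def parse_sas(config):
    """Return {sa: {"key_mode": str, "auth": (algo, key, declared), "encr": (...)}}."""
    sas = defaultdict(dict)
    for raw in config.splitlines():
        line = " ".join(raw.split())  # tolerate extra spaces and tabs
        m = KEY_LINE.match(line)
        if m:
            name, kind, algo, key, declared = m.groups()
            slot = "auth" if kind.lower() == "auth-algo" else "encr"
            sas[name][slot] = (algo.upper(), key, int(declared))
            continue
        m = MODE_LINE.match(line)
        if m:
            sas[m.group(1)]["key_mode"] = m.group(2).lower()
    return dict(sas)


def is_periodic(key):
    """True when the key is one short pattern repeated (1111..., 1234567890 1234...)."""
    n = len(key)
    return any(key == (key[:p] * (n // p + 1))[:n] for p in range(1, n // 2 + 1))


def lint(config):
    """Return a list of (sa_name, finding_code, detail) tuples."""
    findings = []
    for name, sa in sorted(parse_sas(config).items()):
        for slot in ("auth", "encr"):
            if slot not in sa:
                continue
            algo, key, declared = sa[slot]
            if declared != len(key):
                findings.append((name, "KEYLEN_MISMATCH",
                                 f"{slot}: declared {declared}, key has {len(key)} characters"))
            if is_periodic(key):
                findings.append((name, "PLACEHOLDER_KEY",
                                 f"{slot}: key is a repeated pattern"))
            if algo in LEGACY:
                findings.append((name, "LEGACY_ALGO", f"{slot}: {algo}"))
        auth, encr = sa.get("auth"), sa.get("encr")
        if encr and encr[0] == "AES-CTR" and sa.get("key_mode") == "manual":
            # RFC 3686 requires fresh keys for AES-CTR: a static key risks
            # reusing a counter block, for example after a reboot.
            findings.append((name, "CTR_MANUAL_KEY", "AES-CTR with a static key"))
        if auth and encr and auth[1] == encr[1]:
            findings.append((name, "SHARED_AUTH_ENCR_KEY",
                             "same key used for authentication and encryption"))
    return findings


if __name__ == "__main__":
    for sa_name, code, detail in lint(SAMPLE):
        print(f"{sa_name:8} {code:22} {detail}")
```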

IPsec with ICMPv6 configuration example

The following displays configuration of IPsec with ICMPv6.

Figure: IPsec configuration with ICMPv6

Switch 10 security association configuration

The following example displays the configuration of the security association on Switch 10.

ipsec security-association icmp
ipsec security-association icmp encap-proto ESP
ipsec security-association icmp mode transport
ipsec security-association icmp spi 1
ipsec security-association icmp auth-algo SHA1 auth-key 1234567890123456789012345678901234567890 keyLength 40
ipsec security-association icmp Encrpt-algo AES-CBC EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association icmp key-mode manual
ipsec security-association icmp lifetime seconds 1
ipsec security-association icmp lifetime bytes 1

Switch 10 policy configuration

The following example displays the configuration of the security policy on Switch 10.

ipsec policy ICMP_Policy
ipsec policy ICMP_Policy admin  enable
ipsec policy ICMP_Policy raddr 2001::2
ipsec policy ICMP_Policy laddr 2001::1 
ipsec policy ICMP_Policy protocol icmpv6
ipsec policy ICMP_Policy action permit
ipsec policy ICMP_Policy security-association icmp

Switch 10 interface configuration

The following example displays the configuration of IPsec on slot/port 1/10.

interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2000::1
ipv6 interface enable
ipv6 ipsec policy ICMP_Policy dir both
ipv6 ipsec enable

Switch 10 VLAN configuration

The following example displays the creation and configuration of VLAN 3 with IPsec.

interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 3
vlan members add 3 1/10 portmember
interface vlan 3
ipv6 interface enable
ipv6 interface address 2000::1
ipv6 ipsec policy ICMP_Policy dir both
ipv6 ipsec enable

Switch 30 security association configuration

The following example displays the configuration of the security association on Switch 30.

ipsec security-association icmp
ipsec security-association icmp encap-proto ESP
ipsec security-association icmp mode transport
ipsec security-association icmp spi 1
ipsec security-association icmp auth-algo SHA1 auth-key 1234567890123456789012345678901234567890 keyLength 40
ipsec security-association icmp Encrpt-algo AES-CBC EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association icmp key-mode manual
ipsec security-association icmp lifetime seconds 1
ipsec security-association icmp lifetime bytes 1

Switch 30 policy configuration

The following example displays the configuration of the security policy on Switch 30.

ipsec policy ICMP_Policy
ipsec policy ICMP_Policy admin enable
ipsec policy ICMP_Policy raddr 2001::1
ipsec policy ICMP_Policy laddr 2001::2 
ipsec policy ICMP_Policy action permit 
ipsec policy ICMP_Policy protocol icmpv6
ipsec policy ICMP_Policy security-association icmp

Switch 30 interface configuration

The following example displays the configuration of IPsec on slot/port 1/10.

interface gigabitEthernet 1/10
no shut
ipv6 interface enable
ipv6 interface vlan 3
ipv6 interface address 2001::2
ipv6 ipsec policy ICMP_Policy dir both
ipv6 ipsec enable

Switch 30 VLAN configuration

The following example displays the creation and configuration of VLAN 3 with IPsec.

interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 0
vlan members add 3 1/20
interface vlan 3
ipv6 interface enable
ipv6 interface address 2001::2
ipv6 ipsec policy ICMP_Policy dir both
ipv6 ipsec enable

OSPFv3 IPsec configuration example

The following example displays a network that uses IPsec with OSPFv3.

The following example displays the configuration of IPsec with OSPFv3. For OSPFv3 conceptual and procedural information, see OSPF.

Switch 10 security associations

The following example displays the configuration of security associations for OSPFv3 for Switch 10.

ipsec security-association ospf1
ipsec security-association ospf1 encap-proto ESP
ipsec security-association ospf1 mode transport
ipsec security-association ospf1 spi 1
ipsec security-association ospf1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf1 key-mode manual
ipsec security-association ospf1 lifetime seconds 1
ipsec security-association ospf1 lifetime bytes 1

ipsec security-association ospf2
ipsec security-association ospf2 encap-proto ESP
ipsec security-association ospf2 mode transport
ipsec security-association ospf2 spi 2
ipsec security-association ospf2 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf2 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf2 key-mode manual
ipsec security-association ospf2 lifetime seconds 1
ipsec security-association ospf2 lifetime bytes 1
 
ipsec security-association ospf3
ipsec security-association ospf3 encap-proto ESP
ipsec security-association ospf3 mode transport
ipsec security-association ospf3 spi 3
ipsec security-association ospf3 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf3 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf3 key-mode manual
ipsec security-association ospf3 lifetime seconds 1
ipsec security-association ospf3 lifetime bytes 1

ipsec security-association ospf4
ipsec security-association ospf4 encap-proto ESP
ipsec security-association ospf4 mode transport
ipsec security-association ospf4 spi 4
ipsec security-association ospf4 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf4 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf4 key-mode manual
ipsec security-association ospf4 lifetime seconds 1
ipsec security-association ospf4 lifetime bytes 1

ipsec security-association ospf5
ipsec security-association ospf5 encap-proto ESP
ipsec security-association ospf5 mode transport
ipsec security-association ospf5 spi 5
ipsec security-association ospf5 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf5 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf5 key-mode manual
ipsec security-association ospf5 lifetime seconds 1
ipsec security-association ospf5 lifetime bytes 1
 
ipsec security-association ospf6
ipsec security-association ospf6 encap-proto ESP
ipsec security-association ospf6 mode transport
ipsec security-association ospf6 spi 6
ipsec security-association ospf6 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf6 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf6 key-mode manual
ipsec security-association ospf6 lifetime seconds 1
ipsec security-association ospf6 lifetime bytes 1

Switch 10 policy configuration

The following example displays the configuration of policies on Switch 10. The link local address is fe80:0:0:0:b2ad:aaff:fe43:100 and the remote link local address is fe80:0:0:0:b2ad:aaff:fe43:4d00. The following displays the policy with the laddr configured to the link local address and raddr configured to the remote link local address, with the direction configured as outbound.

ipsec policy ospf1
ipsec policy ospf1 admin enable
ipsec policy ospf1 raddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf1 laddr fe80:0:0:0:b2ad:aaff:fe43:100
ipsec policy ospf1 protocol ospfv3
ipsec policy ospf1 action permit

The following example displays the configuration of policies on Switch 10. The link local address is fe80:0:0:0:b2ad:aaff:fe43:100 and the remote link local address is fe80:0:0:0:b2ad:aaff:fe43:4d00. The following displays the policy with the laddr configured to the link local address and raddr configured to the remote link local address, with the direction configured as inbound.

For a policy direction of inbound, laddr and raddr are reversed before storing to the stack. Because of this, even though the policy requires you to configure the laddr as the remote link local address, you need to configure laddr as the link local address in the configuration.

ipsec policy ospf2
ipsec policy ospf2 admin enable
ipsec policy ospf2 raddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf2 laddr fe80:0:0:0:b2ad:aaff:fe43:100
ipsec policy ospf2 protocol ospfv3
ipsec policy ospf2 action permit

Laddr is configured to the link local and raddr is configured to ff02::05 with the direction configured as outbound.

ipsec policy ospf3
ipsec policy ospf3 admin enable
ipsec policy ospf3 raddr ff02::05	
ipsec policy ospf3 laddr fe80:0:0:0:b2ad:aaff:fe43:100
ipsec policy ospf3 protocol ospfv3
ipsec policy ospf3 action permit

Laddr is configured to the remote link local and raddr is configured to ff02::05 with the direction configured as inbound.

ipsec policy ospf4
ipsec policy ospf4 admin enable
ipsec policy ospf4 raddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf4 laddr ff02::05
ipsec policy ospf4 protocol ospfv3
ipsec policy ospf4 action permit

Laddr is configured to the link local and raddr is configured to ff02::06 with the direction as outbound.

ipsec policy ospf5
ipsec policy ospf5 admin enable
ipsec policy ospf5 raddr ff02::06
ipsec policy ospf5 laddr fe80:0:0:0:b2ad:aaff:fe43:100
ipsec policy ospf5 protocol ospfv3
ipsec policy ospf5 action permit

Laddr is configured to the remote link local and raddr is configured to ff02::06 with the direction configured as inbound.

ipsec policy ospf6
ipsec policy ospf6 admin enable
ipsec policy ospf6 raddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf6 laddr ff02::06
ipsec policy ospf6 protocol ospfv3
ipsec policy ospf6 action permit

Switch 10 link table configuration

The following example displays the linking of the policy with the security association on Switch 10.

ipsec policy ospf1 security-association ospf1
ipsec policy ospf2 security-association ospf2
ipsec policy ospf3 security-association ospf3
ipsec policy ospf4 security-association ospf4
ipsec policy ospf5 security-association ospf5
ipsec policy ospf6 security-association ospf6

Switch 10 OSPFv3 configuration

The following example displays the OSPFv3 configuration on Switch 10.

router ospf ipv6-enable
router ospf 
ipv6 router-id 1.1.1.1
ipv6 area 0.0.0.1

Switch 10 interface configuration

The following example displays the interface configuration on slot/port 1/10.

interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2000::1/64
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
ipv6 ipsec policy ospf1 dir out
ipv6 ipsec policy ospf2 dir in
ipv6 ipsec policy ospf3 dir out
ipv6 ipsec policy ospf4 dir in
ipv6 ipsec policy ospf5 dir out
ipv6 ipsec policy ospf6 dir in
ipv6 ipsec enable

Switch 10 VLAN configuration

The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3.

interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 3
vlan members add 3 1/10 portmember
interface vlan 3	
ipv6 interface enable
ipv6 interface address 2000::1/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
ipv6 ipsec policy ospf1 dir out
ipv6 ipsec policy ospf2 dir in
ipv6 ipsec policy ospf3 dir out
ipv6 ipsec policy ospf4 dir in
ipv6 ipsec policy ospf5 dir out
ipv6 ipsec policy ospf6 dir in
ipv6 ipsec enable

Switch 30 security associations

The following example displays the configuration of security associations for OSPFv3 for Switch 30.

ipsec security-association ospf1
ipsec security-association ospf1 encap-proto ESP
ipsec security-association ospf1 mode transport
ipsec security-association ospf1 spi 2
ipsec security-association ospf1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf1 key-mode manual
ipsec security-association ospf1 lifetime seconds 1
ipsec security-association ospf1 lifetime bytes 1

ipsec security-association ospf2
ipsec security-association ospf2 encap-proto ESP
ipsec security-association ospf2 mode transport
ipsec security-association ospf2 spi 1
ipsec security-association ospf2 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf2 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf2 key-mode manual
ipsec security-association ospf2 lifetime seconds 1
ipsec security-association ospf2 lifetime bytes 1

ipsec security-association ospf3
ipsec security-association ospf3 encap-proto ESP
ipsec security-association ospf3 mode transport
ipsec security-association ospf3 spi 4
ipsec security-association ospf3 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf3 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf3 key-mode manual
ipsec security-association ospf3 lifetime seconds 1
ipsec security-association ospf3 lifetime bytes 1

ipsec security-association ospf4
ipsec security-association ospf4 encap-proto ESP
ipsec security-association ospf4 mode transport
ipsec security-association ospf4 spi 3
ipsec security-association ospf4 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf4 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf4 key-mode manual
ipsec security-association ospf4 lifetime seconds 1
ipsec security-association ospf4 lifetime bytes 1

ipsec security-association ospf5
ipsec security-association ospf5 encap-proto ESP
ipsec security-association ospf5 mode transport
ipsec security-association ospf5 spi 6
ipsec security-association ospf5 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf5 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf5 key-mode manual
ipsec security-association ospf5 lifetime seconds 1
ipsec security-association ospf5 lifetime bytes 1

ipsec security-association ospf6
ipsec security-association ospf6 encap-proto ESP
ipsec security-association ospf6 mode transport
ipsec security-association ospf6 spi 5
ipsec security-association ospf6 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf6 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf6 key-mode manual
ipsec security-association ospf6 lifetime seconds 1
ipsec security-association ospf6 lifetime bytes 1

Switch 30 policy configuration

In the example, the local address is fe80:0:0:0:b2ad:aaff:fe43:4d00, and the remote address is fe80:0:0:0:b2ad:aaff:fe43:100. The policy has the laddr configured to the link local address and the raddr configured to the remote link local address, with the direction configured to outbound.

ipsec policy ospf1
ipsec policy ospf1 admin enable
ipsec policy ospf1 raddr fe80:0:0:0:b2ad:aaff:fe43:100  
ipsec policy ospf1 laddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf1 protocol ospfv3
ipsec policy ospf1 action permit

Laddr is configured to the remote link local address and raddr is configured to the local link local address with the direction configured to inbound.

ipsec policy ospf2
ipsec policy ospf2 admin enable
ipsec policy ospf2 raddr fe80:0:0:0:b2ad:aaff:fe43:100  
ipsec policy ospf2 laddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf2 protocol ospfv3
ipsec policy ospf2 action permit

Laddr is configured to the link local address and raddr is configured to ff02::05 with the direction configured to outbound.

ipsec policy ospf3
ipsec policy ospf3 admin enable
ipsec policy ospf3 raddr ff02::05
ipsec policy ospf3 laddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf3 protocol ospfv3
ipsec policy ospf3 action permit

Laddr is configured to the remote link local address and the raddr is configured to ff02::05 with the direction configured to inbound.

ipsec policy ospf4
ipsec policy ospf4 admin enable
ipsec policy ospf4 raddr fe80:0:0:0:b2ad:aaff:fe43:100  
ipsec policy ospf4 laddr ff02::05
ipsec policy ospf4 protocol ospfv3
ipsec policy ospf4 action permit

Laddr is configured to the link local address and raddr is configured to ff02::06 with the direction configured to outbound.

ipsec policy ospf5
ipsec policy ospf5 admin enable
ipsec policy ospf5 raddr ff02::06
ipsec policy ospf5 laddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf5 protocol ospfv3
ipsec policy ospf5 action permit

Laddr is configured to the remote link local address and raddr is configured to ff02::06 with the direction configured to inbound.

ipsec policy  ospf6
ipsec policy  ospf6 admin enable
ipsec policy ospf6 raddr fe80:0:0:0:b2ad:aaff:fe43:100  
ipsec policy ospf6 laddr ff02::06
ipsec policy ospf6 protocol ospfv3
ipsec policy ospf6 action permit

Switch 30 link table configuration

The following example displays the linking of the policy with the security association on Switch 30.

ipsec  policy ospf1 security-association ospf1
ipsec  policy ospf2 security-association ospf2
ipsec  policy ospf3 security-association ospf4
ipsec  policy ospf4 security-association ospf3
ipsec  policy ospf5 security-association ospf5
ipsec  policy ospf6 security-association ospf6


Switch 30 OSPFv3 configuration

The following example displays the OSPFv3 configuration on Switch 30.

router ospf ipv6-enable
router ospf 
ipv6 router-id 2.2.2.2
ipv6 area 0.0.0.1


Switch 30 interface configuration

The following example displays the interface configuration on slot/port 1/10.

interface gigabitEthernet  1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2001::2/64
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
ipv6 ipsec policy ospf1 dir out
ipv6 ipsec policy ospf2 dir in
ipv6 ipsec policy ospf3 dir out
ipv6 ipsec policy ospf4 dir in
ipv6 ipsec policy ospf5 dir out
ipv6 ipsec policy ospf6 dir in
ipv6 ipsec enable


Switch 30 VLAN configuration

The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3.

interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 0
vlan members add 3 1/10 portmember
interface vlan 3
ipv6 interface enable
ipv6 interface address 2001::2/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
ipv6 ipsec policy ospf1 dir out
ipv6 ipsec policy ospf2 dir in
ipv6 ipsec policy ospf3 dir out
ipv6 ipsec policy ospf4 dir in
ipv6 ipsec policy ospf5 dir out
ipv6 ipsec policy ospf6 dir in
ipv6 ipsec enable
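With manual keying nothing negotiates the SPIs, so each switch's outbound policy must resolve to the same SPI that the peer's inbound policy for the same flow resolves to. The following checker is an added example, not vendor code: it reads the policy, link-table and interface lines of both switches and reports every flow where the SPIs disagree. The configurations are abridged from the Switch 10 and Switch 30 examples above to policies ospf1 and ospf2; SWITCH_30_BAD and the function names are constructed, and the flow model (outbound is laddr to raddr, inbound is raddr to laddr) is an assumption read from those examples.

```python
import ipaddress
import re

# Abridged from the Switch 10 and Switch 30 examples above (ospf1 and ospf2 only).
SWITCH_10 = """\
ipsec security-association ospf1 spi 1
ipsec security-association ospf2 spi 2
ipsec policy ospf1 raddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf1 laddr fe80:0:0:0:b2ad:aaff:fe43:100
ipsec policy ospf2 raddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf2 laddr fe80:0:0:0:b2ad:aaff:fe43:100
ipsec policy ospf1 security-association ospf1
ipsec policy ospf2 security-association ospf2
ipv6 ipsec policy ospf1 dir out
ipv6 ipsec policy ospf2 dir in
"""
SWITCH_30 = """\
ipsec security-association ospf1 spi 2
ipsec security-association ospf2 spi 1
ipsec policy ospf1 raddr fe80:0:0:0:b2ad:aaff:fe43:100
ipsec policy ospf1 laddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf2 raddr fe80:0:0:0:b2ad:aaff:fe43:100
ipsec policy ospf2 laddr fe80:0:0:0:b2ad:aaff:fe43:4d00
ipsec policy ospf1 security-association ospf1
ipsec policy ospf2 security-association ospf2
ipv6 ipsec policy ospf1 dir out
ipv6 ipsec policy ospf2 dir in
"""
# Constructed mistake: the peer's SAs carry the same SPIs as Switch 10,
# as happens when one switch's SA block is pasted unchanged onto the other.
SWITCH_30_BAD = (SWITCH_30.replace("ospf1 spi 2", "ospf1 spi 1")
                          .replace("ospf2 spi 1", "ospf2 spi 2"))

SA_SPI = re.compile(r"^ipsec security-association (\S+) spi (\d+)$")
POL_ADDR = re.compile(r"^ipsec policy (\S+) (laddr|raddr) (\S+)$")
POL_SA = re.compile(r"^ipsec policy (\S+) security-association (\S+)$")
POL_DIR = re.compile(r"^ipv6 ipsec policy (\S+) dir (in|out|both)$")


def flows(config):
    """Return {(direction, src, dst): spi} for every policy bound to an interface."""
    spi, addr, link, direction = {}, {}, {}, {}
    for raw in config.splitlines():
        line = " ".join(raw.split())  # tolerate extra spaces and tabs
        if m := SA_SPI.match(line):
            spi[m[1]] = int(m[2])
        elif m := POL_ADDR.match(line):
            # IPv6Address normalizes spellings such as ff02::05 and ff02::5
            addr.setdefault(m[1], {})[m[2]] = ipaddress.IPv6Address(m[3])
        elif m := POL_SA.match(line):
            link[m[1]] = m[2]
        elif m := POL_DIR.match(line):
            direction[m[1]] = m[2]
    result = {}
    for pol, d in direction.items():
        a = addr.get(pol, {})
        if len(a) != 2 or link.get(pol) not in spi:
            continue  # policy is missing an address, a link or an SPI
        for one in (("out", "in") if d == "both" else (d,)):
            # Assumed model: outbound is local -> remote, inbound is remote -> local.
            src, dst = ((a["laddr"], a["raddr"]) if one == "out"
                        else (a["raddr"], a["laddr"]))
            result[(one, src, dst)] = spi[link[pol]]
    return result


def check_pair(a_cfg, b_cfg):
    """Compare the SPI each side sends with the SPI the peer expects inbound."""
    fa, fb = flows(a_cfg), flows(b_cfg)
    problems = []
    for sender, receiver, label in ((fa, fb, "A->B"), (fb, fa, "B->A")):
        for (d, src, dst), sent in sorted(sender.items(), key=str):
            if d != "out":
                continue
            expected = receiver.get(("in", src, dst))
            if expected is None:
                problems.append((label, str(src), str(dst), "no inbound policy on peer"))
            elif expected != sent:
                problems.append((label, str(src), str(dst),
                                 f"sent SPI {sent}, peer expects {expected}"))
    return problems


if __name__ == "__main__":
    print(check_pair(SWITCH_10, SWITCH_30))      # consistent pair
    print(check_pair(SWITCH_10, SWITCH_30_BAD))  # both directions mismatch
```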

OSPFv3 virtual link IPsec configuration example

The following example displays a network using IPsec with OSPFv3 virtual link.

Figure: OSPFv3 virtual link with IPsec configuration

The following example displays the configuration of IPsec with OSPFv3 virtual link. For OSPFv3 conceptual and procedural information, see OSPF.

Switch 10 security association configuration

The following example displays the configuration of security associations for OSPFv3 for Switch 10.

ipsec security-association ospf1
ipsec security-association ospf1 encap-proto ESP
ipsec security-association ospf1 mode transport
ipsec security-association ospf1 spi 1
ipsec security-association ospf1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf1 key-mode manual
ipsec security-association ospf1 lifetime seconds 1
ipsec security-association ospf1 lifetime bytes 1

Switch 10 OSPFv3 configuration

The following example displays the OSPFv3 configuration on Switch 10.

router ospf ipv6-enable
ipv6 forwarding
router ospf 
ipv6 router-id 1.1.1.1
ipv6 area 0.0.0.1
ipv6 as-boundary-router
ipv6 area 0.0.0.0

Switch 10 virtual link and policy configuration

The following example displays the configuration of an OSPFv3 virtual link.

ipv6 area virtual-link 0.0.0.1 3.3.3.3
ipv6 area virtual-link 0.0.0.1 3.3.3.3 ipsec 
ipv6 area virtual-link 0.0.0.1 3.3.3.3 ipsec security-association  ospf1
ipv6 area virtual-link 0.0.0.1 3.3.3.3 ipsec action permit
ipv6 area virtual-link 0.0.0.1 3.3.3.3 ipsec direction both
ipv6 area virtual-link 0.0.0.1 3.3.3.3 ipsec  enable

Switch 10 interface configuration

The following example displays the interface configuration on slot/port 1/10.

interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2000::1/64
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable

Switch 10 VLAN configuration

The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3.

interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 3
vlan members add 3 1/10 port-member
interface vlan 3	
ipv6 interface enable
ipv6 interface address 2000::1/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable

Switch 20 OSPFv3 configuration

The following example displays the OSPFv3 configuration on Switch 20.

router ospf ipv6-enable
ipv6 forwarding
router ospf 
ipv6 router-id 2.2.2.2
ipv6 area 0.0.0.1

Switch 20 interface configuration

The following example displays the interface configuration on slot/port 1/10 and 1/20.

interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2000::2/64
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable

interface gigabitEthernet 1/20
no shut
ipv6 interface vlan 4
ipv6 interface address 2001::1/64
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable

Switch 20 VLAN configuration

The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3 and VLAN 4.

interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 0
vlan members add 3 1/10 portmember
interface vlan 3
ipv6 interface enable
ipv6 interface address 2000::2/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable

interface gigabitEthernet 1/20
no shut
exit
vlan create 4 type port-mstprstp 0
vlan members add 4 1/20 portmember
interface vlan 4
ipv6 interface enable
ipv6 interface address 2001::1/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable

Switch 40 security association configuration

The following example displays the configuration of security associations for OSPFv3 for Switch 40.

ipsec security-association ospf1
ipsec security-association ospf1 encap-proto ESP
ipsec security-association ospf1 mode transport
ipsec security-association ospf1 spi 1
ipsec security-association ospf1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association ospf1 key-mode manual
ipsec security-association ospf1 lifetime seconds 1
ipsec security-association ospf1 lifetime bytes 1

Switch 40 OSPFv3 configuration

The following example displays the OSPFv3 configuration on Switch 40.

router ospf ipv6-enable
ipv6 forwarding
router ospf 
ipv6 router-id 3.3.3.3
ipv6 area 0.0.0.1
ipv6 area 0.0.0.2
ipv6 as-boundary-router

Switch 40 OSPFv3 virtual link and policy configuration

The following example displays the configuration of an OSPFv3 virtual link.

ipv6 area virtual-link 0.0.0.1 1.1.1.1
ipv6 area virtual-link 0.0.0.1 1.1.1.1 ipsec 
ipv6 area virtual-link 0.0.0.1 1.1.1.1 ipsec security-association  ospf1
ipv6 area virtual-link 0.0.0.1 1.1.1.1 ipsec action permit
ipv6 area virtual-link 0.0.0.1 1.1.1.1 ipsec direction both
ipv6 area virtual-link 0.0.0.1 1.1.1.1 ipsec enable

Switch 40 interface configuration

The following example displays the interface configuration on slot/port 1/20.

interface gigabitEthernet 1/20
no shut
ipv6 interface vlan 4
ipv6 interface address 2001::2/64
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable

Switch 40 VLAN interface configuration

The following example displays the creation of VLAN 4 and the configuration of IPsec on VLAN 4.

interface gigabitEthernet 1/20
no shut
exit
vlan create 4 type port-mstprstp 0
vlan members add 4 1/20
interface vlan 4
ipv6 interface enable
ipv6 interface address 2001::2/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable

IPsec configuration of TCP

The following example displays the configuration of IPsec for TCP.

Switch 10 IPsec security association configuration

The following example displays the configuration of the IPsec security association for TCP for Switch 10.

ipsec security-association tcp1
ipsec security-association tcp1 encap-proto ESP
ipsec security-association tcp1 mode transport
ipsec security-association tcp1 spi 100
ipsec security-association tcp1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association tcp1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association tcp1 key-mode manual
ipsec security-association tcp1 lifetime seconds 1
ipsec security-association tcp1 lifetime bytes 1

Switch 10 IPsec policy configuration

The following example displays the configuration of the IPsec policy for TCP for Switch 10.

ipsec policy tcp1
ipsec policy tcp1 admin enable
ipsec policy tcp1 raddr 2000::2
ipsec policy tcp1 raddr 2000::2 laddr 2000::1
ipsec policy tcp1 raddr 2000::2 protocol tcp sport 23 dport 23
ipsec policy tcp1 raddr 2000::2 action permit

Switch 10 linking the IPsec policy with the IPsec security association

The following example displays the linking of the IPsec policy with the IPsec security association.

ipsec policy tcp1 security-association tcp1

Switch 10 interface configuration

The following example displays the configuration of IPsec for slot/port 1/10.

interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2000::1/64
ipv6 interface enable
ipv6 ipsec policy tcp1 dir both
ipv6 ipsec enable

Switch 10 VLAN configuration

The following example displays the creation and configuration of VLAN 3.

interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 3
vlan members add 3 1/10 portmember
interface vlan 3
ipv6 interface enable
ipv6 interface address 2000::1/64
ipv6 ipsec policy tcp1 dir both
ipv6 ipsec enable

Switch 30 IPsec security association configuration

The following example displays the configuration of the IPsec security association for TCP for Switch 30.

ipsec security-association tcp1
ipsec security-association tcp1 encap-proto ESP
ipsec security-association tcp1 mode transport
ipsec security-association tcp1 spi 100
ipsec security-association tcp1 auth-algo MD5 auth-key 12345678901234567890123456789012 keyLength 32
ipsec security-association tcp1 Encrpt-algo AES-CTR EncrptKey 12345678901234567890123456789012 keyLength 32
ipsec security-association tcp1 key-mode manual
ipsec security-association tcp1 lifetime seconds 1
ipsec security-association tcp1 lifetime bytes 1

Switch 30 IPsec policy configuration

The following example displays the configuration of the IPsec policy for TCP for Switch 30.

ipsec policy tcp1
ipsec policy tcp1 admin enable
ipsec policy tcp1 raddr 2000::1
ipsec policy tcp1 raddr 2000::1 laddr 2000::2
ipsec policy tcp1 raddr 2000::1 protocol tcp sport 23 dport 23
ipsec policy tcp1 raddr 2000::1 action permit

Switch 30 linking the IPsec policy with the IPsec security association

The following example displays the linking of the IPsec policy with the IPsec security association.

ipsec policy tcp1 security-association tcp1

Switch 30 interface configuration

The following example displays the configuration of IPsec for slot/port 1/10.

interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2000::2/64
ipv6 interface enable
ipv6 ipsec policy tcp1 dir both
ipv6 ipsec enable

Switch 30 VLAN configuration

The following example displays the creation and configuration of VLAN 3.

interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 3
vlan members add 3 1/10 portmember
interface vlan 3
ipv6 interface enable
ipv6 interface address 2000::2/64
ipv6 ipsec policy tcp1 dir both
ipv6 ipsec enable