area <AREA-ID> encryption ipsec

Syntax

area <AREA-ID> encryption ipsec spi <SPI-INDEX> <AUTH-TYPE> <KEY-TYPE> <AUTH-KEY> 
({<ENCR-TYPE> <KEY-TYPE> <ENCR-KEY>} | NULL)

no area <AREA-ID> encryption

Description

Configures IPSec ESP with authentication/encryption algorithm type and key for the specified area. OSPFv3 interfaces with IPsec configured at interface context will not use area level IPsec ESP configuration.

The no form of this command removes IPSec ESP from the specified area.

Command context

config-ospf

Parameters

<AREA-ID>
Specifies the area ID is one of the following formats.
  • OSPF area identifier in IPv4 address format.

  • OSPF area identifier in decimal format. Range: 0-4294967295.

spi <SPI-INDEX>

Specifies the Security Parameters Index (SPI) to use. The SPI is an identification tag carried in the IPsec AH header. It enables the receiving OSPF process to select and use the Security Association (SA) from the SA table. The SPI must be unique on the switch. Range: 256-4294967295 characters.

<AUTH-TYPE>

Specifies the algorithm to use for authentication: md5 or sha1.

<ENCR-TYPE>

Specifies the algorithm to use for encryption: 3des, aes, des or null.

NOTE:

aes will be considered AES128, AES192 or AES256 based on key length.

<KEY-TYPE>

Specifies the key type to use: plaintext (unencrypted) hex-string (encrypted) or ciphertext (encrypted).

<AUTH-KEY>

Specifies authentication key.

<ENCR-KEY>

Specifies encryption key.

Authority

Administrators

Examples

Setting area 0 to use IPSec ESP:

switch# configure terminal
switch(config)# router ospfv3 1
switch(config-ospfv3-1)# area 0 encryption ipsec spi 256 md5 plaintext abcd des plaintext abcdefab

switch# configure terminal
switch(config)# router ospfv3 1
switch(config-ospfv3-1)# area 0 encryption ipsec spi 256 md5 plaintext abcd null

Removing IPSec ESP on area 0:

switch# configure terminal
switch(config)# router ospfv3 1
switch(config-ospfv3-1)# no area 0 encryption