
Example: Configuring IPsec Authentication for an OSPF Interface

This example shows how to enable IP Security (IPsec) authentication for an OSPF interface.

Requirements

Before you begin:

Overview

You can use IPsec authentication for both OSPFv2 and OSPFv3. You configure the IPsec security association separately, at the [edit security ipsec] hierarchy level, and then reference it by name from the applicable OSPF interface, sham link, or virtual link.

OSPFv2

Beginning with Junos OS Release 8.3, you can use IPsec authentication to authenticate OSPFv2 interfaces, the remote endpoint of a sham link, and the OSPFv2 virtual link by using manual security associations (SAs), so that each OSPF packet exchanged between the routing devices carries an integrity check value that only a peer holding the same key can produce.

Note: You can configure IPsec authentication together with either MD5 or simple authentication.

To enable IPsec authentication, do one of the following:

  • For an OSPFv2 interface, include the ipsec-sa name statement for a specific interface:
    interface interface-name ipsec-sa name;
  • For a remote sham link, include the ipsec-sa name statement for the remote endpoint of the sham link:

    Note: If a Layer 3 VPN configuration has multiple sham links with the same remote endpoint IP address, you must configure the same IPsec security association for all the remote endpoints. You configure a Layer 3 VPN at the [edit routing-instances routing-instance-name instance-type] hierarchy level. For more information about Layer 3 VPNs, see the Junos OS VPNs Configuration Guide.

  • For a virtual link, include the ipsec-sa name statement for a specific virtual link:
    virtual-link neighbor-id router-id transit-area area-id ipsec-sa name;

OSPFv3

OSPFv3 does not have a built-in authentication method and relies on IPsec to provide this functionality. You use IPsec authentication to secure OSPFv3 interfaces and protect OSPFv3 virtual links by using manual SAs, so that each OSPFv3 packet exchanged between the routing devices is authenticated before OSPFv3 processes it.

To apply authentication, do one of the following:

  • For an OSPFv3 interface, include the ipsec-sa name statement for a specific interface:
    interface interface-name ipsec-sa name;
  • For a virtual link, include the ipsec-sa name statement for a specific virtual link:
    virtual-link neighbor-id router-id transit-area area-id ipsec-sa name;

Tasks to Complete for Both OSPFv2 and OSPFv3

In this example, you perform the following tasks:

  1. Configure IPsec authentication. To do this, define a manual SA named sa1 and specify the processing direction, the protocol used to protect IP traffic, the security parameter index (SPI), and the authentication algorithm and key.
    1. Configure the following option at the [edit security ipsec security-association sa-name mode] hierarchy level:

      transport—Specifies transport mode. This mode protects traffic when the communication endpoint and the cryptographic endpoint are the same, as they are for two OSPF neighbors: the IPsec header is inserted between the IP header and the payload. With ESP, the payload is encrypted but the IP header is not; with AH, which this example uses, nothing is encrypted and the packet is only authenticated.

    2. Configure the following option at the [edit security ipsec security-association sa-name manual direction] hierarchy level:

      bidirectional—Defines the direction of IPsec processing. By specifying bidirectional, the same algorithms, keys, and security parameter index (SPI) values you configure are used in both directions.

    3. Configure the following options at the [edit security ipsec security-association sa-name manual direction bidirectional] hierarchy level:

      protocol—Defines the IPsec protocol used by the manual SA to protect IP traffic. You can specify either the authentication header (AH) or the Encapsulating Security Payload (ESP). If you specify AH, which you do in this example, you cannot configure encryption.

      spi—Configures the SPI for the manual SA. An SPI is an arbitrary 32-bit value that identifies which SA the receiving host applies to a packet. The sending host places the SPI in the IPsec header of every protected packet; the receiving host uses it to look up the algorithm and key with which to verify (and, with ESP, decrypt) the packet. Because the SA is manual, the SPI must be identical on every peer; a packet that arrives with an SPI for which no SA exists is discarded. In this example, you specify 256.

      authentication—Configures the authentication algorithm and key. The algorithm option specifies the keyed hash that authenticates the packet data. In this example, you specify hmac-md5-96, which computes a 128-bit HMAC-MD5 digest and truncates it to 96 bits for the integrity check value; hmac-sha1-96, which takes a 20-character key, is the stronger choice where both peers support it. The key option supplies the key itself, here with ascii-text, which must be exactly 16 ASCII characters for hmac-md5-96. Use a unique, randomly generated key rather than the sample value shown in this example, because a manual SA is never rekeyed automatically.

  2. Enable IPsec authentication on OSPF interface so-0/2/0.0 in the backbone area (area 0.0.0.0) by including the name of the manual SA sa1 that you configured at the [edit security ipsec] hierarchy level.

Configuration

Configuring Security Associations

CLI Quick Configuration

To quickly configure a manual SA to be used for IPsec authentication on an OSPF interface, copy the following commands, remove any line breaks, and then paste the commands into the CLI.

[edit]
set security ipsec security-association sa1
set security ipsec security-association sa1 mode transport
set security ipsec security-association sa1 manual direction bidirectional
set security ipsec security-association sa1 manual direction bidirectional protocol ah
set security ipsec security-association sa1 manual direction bidirectional spi 256
set security ipsec security-association sa1 manual direction bidirectional authentication algorithm hmac-md5-96 key ascii-text 1234567890123abc

Step-by-Step Procedure

To configure a manual SA to be used on an OSPF interface:

  1. Specify a name for the SA.
    [edit]
    user@host# edit security ipsec security-association sa1
  2. Specify the mode of the SA.
    [edit security ipsec security-association sa1]
    user@host# set mode transport
  3. Configure the direction of the manual SA.
    [edit security ipsec security-association sa1]
    user@host# set manual direction bidirectional
  4. Configure the IPsec protocol to use.
    [edit security ipsec security-association sa1]
    user@host# set manual direction bidirectional protocol ah
  5. Configure the value of the SPI.
    [edit security ipsec security-association sa1]
    user@host# set manual direction bidirectional spi 256
  6. Configure the authentication algorithm and key. The ascii-text key must be exactly 16 characters for hmac-md5-96; the value shown is a sample.
    [edit security ipsec security-association sa1]
    user@host# set manual direction bidirectional authentication algorithm hmac-md5-96 key ascii-text 1234567890123abc
  7. If you are done configuring the device, commit the configuration.
    [edit security ipsec security-association sa1]
    user@host# commit

    Note: Repeat this entire configuration, with the same SPI, algorithm, and key, on all peer OSPF routing devices.

Results

Confirm your configuration by entering the show security ipsec command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Note: After you configure the key, the output does not show it in clear text; it displays the key in the Junos $9$ obfuscated form. That encoding is reversible and only keeps the key out of casual view, so treat saved configurations and configuration backups as containing the key itself.

user@host# show security ipsec
security-association sa1 {
    mode transport;
    manual {
        direction bidirectional {
            protocol ah;
            spi 256;
            authentication {
                algorithm hmac-md5-96;
                key ascii-text "$9$AP5Hp1RcylMLxSygoZUHk1REhKMVwY2oJx7jHq.zF69A0OR"; ## SECRET-DATA
            }
        }
    }
}

Enabling IPsec Authentication for an OSPF Interface

CLI Quick Configuration

To quickly apply a manual SA used for IPsec authentication to an OSPF interface, copy the following command and paste it into the CLI.

[edit]
set protocols ospf area 0.0.0.0 interface so-0/2/0 ipsec-sa sa1

Step-by-Step Procedure

To enable IPsec authentication for an OSPF interface:

  1. Create an OSPF area.

    Note: To specify OSPFv3, include the ospf3 statement at the [edit protocols] hierarchy level.

    [edit]
    user@host# edit protocols ospf area 0.0.0.0
  2. Specify the interface. Junos OS resolves so-0/2/0 to logical unit so-0/2/0.0, which is the name shown in the prompt that follows.
    [edit protocols ospf area 0.0.0.0]
    user@host# edit interface so-0/2/0
  3. Apply the IPsec manual SA.
    [edit protocols ospf area 0.0.0.0 interface so-0/2/0.0]
    user@host# set ipsec-sa sa1
  4. If you are done configuring the device, commit the configuration.
    [edit protocols ospf area 0.0.0.0 interface so-0/2/0.0]
    user@host# commit

    Note: Repeat this entire configuration on all peer OSPF routing devices.

Results

Confirm your configuration by entering the show protocols ospf command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@host# show protocols ospf
area 0.0.0.0 {
    interface so-0/2/0.0 {
        ipsec-sa sa1;
    }
}

To confirm your OSPFv3 configuration, enter the show protocols ospf3 command.

Verification

Confirm that the configuration is working properly.

Verifying the IPsec Security Association Settings

Purpose

Verify the configured IPsec security association settings. Verify the following information:

  • The Security association field displays the name of the configured security association.
  • The SPI field displays the value you configured.
  • The Mode field displays transport mode.
  • The Type field displays manual as the type of security association.

Action

From operational mode, enter the show ipsec security-associations command.

Verifying the IPsec Security Association on the OSPF Interface

Purpose

Verify that the IPsec security association that you configured has been applied to the OSPF interface. Confirm that the IPSec SA name field displays the name of the configured IPsec security association.

Action

From operational mode, enter the show ospf interface detail command for OSPFv2, and enter the show ospf3 interface detail command for OSPFv3. Then confirm that the adjacency itself forms with the show ospf neighbor command (show ospf3 neighbor for OSPFv3): if the SPI, algorithm, or key differs between the peers, their Hello packets fail the AH integrity check and are discarded, so the neighbor never reaches the Full state.

Published: 2012-12-08