Securing OSPFv2 Networks with IPsec Transport Mode

By default, you can configure MD5 or simple-text password-based authentication on OSPFv2 links. In addition to these basic authentication methods, Junos OS supports OSPFv2 with an IPsec Authentication Header (AH), Encapsulating Security Payload (ESP), or an IPsec protocol bundle that combines AH and ESP. You can configure IPsec for OSPFv2 using transport mode security associations on physical, sham, or virtual links.

Because Junos OS supports only bidirectional security associations for OSPFv2, both OSPFv2 peers must be configured with the same IPsec security association. Configuring OSPFv2 peers with different security associations, or with dynamic IKE, prevents adjacencies from being established. In addition, you must configure identical security associations for sham links that share the same remote endpoint address, for virtual links that share the same remote endpoint address, for all neighbors on OSPF nonbroadcast multiaccess (NBMA) or point-to-multipoint links, and for every subnet that is part of a broadcast link.

To create a manual bidirectional security association, include the security-association security-association-name statement at the [edit security ipsec] hierarchy level:

 

To configure IPsec on an OSPFv2 interface, create a transport mode security association and include the ipsec-sa name statement at the [edit protocols ospf area area-id] hierarchy level:

To verify your configuration, enter the show ospf interface detail command. This command gives detailed information about the OSPFv2 interface and displays the interface's security association at the bottom of the output. In the example below, the security association configured on this router is sa1.
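The two configuration steps above, combined into one complete example. This is an added illustration, not configuration taken from the original page: it assumes a manual bidirectional AH security association named sa1 using HMAC-MD5-96, an SPI of 256, interface ge-0/0/0.0 in area 0.0.0.0, and a constructed placeholder key (a 16-character ASCII string, the length HMAC-MD5-96 requires). The identical security-association and ipsec-sa statements must be applied on the peer router, since the page notes that mismatched security associations prevent the adjacency from forming.

```junos
## Step 1: manual bidirectional transport-mode SA at [edit security ipsec]
## (the same SA, including SPI and key, is configured on the OSPFv2 peer)
security {
    ipsec {
        security-association sa1 {
            mode transport;
            manual {
                direction bidirectional {
                    protocol ah;
                    spi 256;
                    authentication {
                        algorithm hmac-md5-96;
                        ## constructed placeholder key; replace with a real 16-character secret
                        key ascii-text "0123456789abcdef";
                    }
                }
            }
        }
    }
}

## Step 2: bind the SA to the OSPFv2 interface at [edit protocols ospf area 0.0.0.0]
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0 {
                ipsec-sa sa1;
            }
        }
    }
}
```

After committing on both peers, run show ospf interface detail on each router: the adjacency should reach Full only when the SA name, protocol, SPI and key all match, and the interface block at the bottom of the output names sa1 as its security association.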