Example: Configuring IPsec Authentication for an OSPF Interface on an SRX Series Device

This example shows how to configure and apply a manual security association (SA) to an OSPF interface.

Requirements

Before you begin:

Overview

You can use IPsec authentication for both OSPF and OSPFv3. You configure the manual SA separately and apply it to the applicable OSPF configuration. Table 11 lists the parameters and values configured for the manual SA in this example.

Table 11: Manual SA for IPsec OSPF Interface Authentication

Parameter                  Value
SA name                    sa1
Mode                       transport
Direction                  bidirectional
Protocol                   AH
SPI                        256
Authentication algorithm   hmac-md5-96
Authentication key         (ASCII) 123456789012abc
Encryption algorithm       des
Encryption key             (ASCII) cba210987654321

Configuration

Configuring a Manual SA

CLI Quick Configuration

To quickly configure a manual SA to be used for IPsec authentication on an OSPF interface, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

[edit]
set security ipsec security-association sa1
set security ipsec security-association sa1 mode transport
set security ipsec security-association sa1 manual direction bidirectional
set security ipsec security-association sa1 manual direction bidirectional protocol ah
set security ipsec security-association sa1 manual direction bidirectional spi 256
set security ipsec security-association sa1 manual direction bidirectional authentication algorithm hmac-md5-96 key ascii-text 123456789012abc
set security ipsec security-association sa1 manual direction bidirectional encryption algorithm des key ascii-text cba210987654321

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a manual SA:

  1. Specify a name for the SA.
    [edit]
    user@host# edit security ipsec security-association sa1
  2. Specify the mode of the manual SA.
    [edit security ipsec security-association sa1]
    user@host# set mode transport
  3. Configure the direction of the manual SA.
    [edit security ipsec security-association sa1]
    user@host# set manual direction bidirectional
  4. Configure the IPsec protocol to use.
    [edit security ipsec security-association sa1]
    user@host# set manual direction bidirectional protocol ah
  5. Configure the value of the SPI.
    [edit security ipsec security-association sa1]
    user@host# set manual direction bidirectional spi 256
  6. Configure the authentication algorithm and key.
    [edit security ipsec security-association sa1]
    user@host# set manual direction bidirectional authentication algorithm hmac-md5-96 key ascii-text 123456789012abc
  7. Configure the encryption algorithm and key.
    [edit security ipsec security-association sa1]
    user@host# set manual direction bidirectional encryption algorithm des key ascii-text cba210987654321

Results

Confirm your configuration by entering the show security ipsec command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Note: After you configure the keys, you do not see the keys themselves in the configuration output. The output displays the encrypted form of each key you configured, marked with the ## SECRET-DATA comment.

[edit]
user@host# show security ipsec
security-association sa1 {
    mode transport;
    manual {
        direction bidirectional {
            protocol ah;
            spi 256;
            authentication {
                algorithm hmac-md5-96;
                key ascii-text "$9$AP5Hp1RcylMLxSygoZUHk1REhKMVwY2oJx7jHq.zF69A0OR"; ## SECRET-DATA
            }
            encryption {
                algorithm des;
                key ascii-text "$9$AP5Hp1RcylMLxSygoZUHk1REhKMVwY2oJx7jHq.zF69A0OR"; ## SECRET-DATA
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Enabling IPsec Authentication for an OSPF Interface

CLI Quick Configuration

To quickly apply a manual SA used for IPsec authentication to an OSPF interface, copy the following command, paste it into a text file, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

[edit]
set protocols ospf area 0.0.0.0 interface so-0/2/0 ipsec-sa sa1

Step-by-Step Procedure

To enable IPsec authentication for an OSPF interface:

  1. Create an OSPF area.

    Note: To specify OSPFv3, include the ospf3 statement at the [edit protocols] hierarchy level.

    [edit]
    user@host# edit protocols ospf area 0.0.0.0
  2. Specify the interface.
    [edit protocols ospf area 0.0.0.0]
    user@host# edit interface so-0/2/0
  3. Apply the IPsec manual SA.
    [edit protocols ospf area 0.0.0.0 interface so-0/2/0.0]
    user@host# set ipsec-sa sa1

Results

Confirm your configuration by entering the show ospf interface detail command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@host# show protocols ospf
area 0.0.0.0 {
    interface so-0/2/0.0 {
        ipsec-sa sa1;
    }
}

To confirm your OSPFv3 configuration, enter the show protocols ospf3 command.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the IPsec Security Association Settings

Purpose

Verify the configured IPsec security association settings. Verify the following information:

Action

From operational mode, enter the show ospf interface detail command.

Verifying the IPsec Security Association on the OSPF Interface

Purpose

Verify that the IPsec security association that you configured has been applied to the OSPF interface. Confirm that the IPsec SA name field displays the name of the configured IPsec security association.

Action

From operational mode, enter the show ospf interface detail command for OSPF, and enter the show ospf3 interface detail command for OSPFv3.
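The two verification steps above are done by eye. As an added example (not from Juniper's documentation or Junos itself), the following Python script automates the same cross-check offline: it parses the curly-brace text of show security ipsec and show protocols ospf, finds every OSPF interface that names an ipsec-sa, and confirms that the referenced SA exists, uses transport mode, carries a sane SPI and an authentication algorithm from an allowed set. The sample configuration text is constructed to match the Results sections of this example, with a placeholder in place of the encrypted key; the SPI range and the allowed-algorithm set are assumptions stated in the code.

```python
"""Cross-check a manual IPsec SA against the OSPF interfaces that reference it.

Added example, not part of the Juniper page: parses Junos-style curly-brace
configuration text and verifies the OSPF interface -> security ipsec SA binding.
"""

# Constructed sample text, shaped like this example's 'show security ipsec'
# output; the $9$ key string is a placeholder, not a real encrypted key.
SECURITY_IPSEC = """
security-association sa1 {
    mode transport;
    manual {
        direction bidirectional {
            protocol ah;
            spi 256;
            authentication {
                algorithm hmac-md5-96;
                key ascii-text "$9$PLACEHOLDER-ENCRYPTED-KEY"; ## SECRET-DATA
            }
            encryption {
                algorithm des;
                key ascii-text "$9$PLACEHOLDER-ENCRYPTED-KEY"; ## SECRET-DATA
            }
        }
    }
}
"""

# Constructed sample text, shaped like this example's 'show protocols ospf' output.
PROTOCOLS_OSPF = """
area 0.0.0.0 {
    interface so-0/2/0.0 {
        ipsec-sa sa1;
    }
}
"""

# Assumption: the two authentication algorithms Junos offers for a manual AH SA.
# Tighten this set (for example to hmac-sha1-96 only) to enforce local policy.
JUNOS_AH_AUTH = frozenset({"hmac-md5-96", "hmac-sha1-96"})

# Assumption: manual-SA SPI range used by this check; confirm against your release.
SPI_MIN, SPI_MAX = 256, 16639


def parse_junos(text):
    """Parse Junos curly-brace configuration into nested dicts.

    'key value;' becomes {'key': 'value'}, 'name {' opens a nested dict keyed by
    the full header ('security-association sa1'), and '## SECRET-DATA' comments
    are dropped. Raises ValueError on unbalanced braces or unexpected lines.
    """
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop trailing ## annotations
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced closing brace")
            cur = stack.pop()
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            cur[parts[0]] = parts[1].strip() if len(parts) > 1 else True
        else:
            raise ValueError("unexpected line: " + raw)
    if stack:
        raise ValueError("unbalanced opening brace")
    return root


def find_sa_references(ospf_cfg):
    """Return [(area, interface, sa_name)] for each OSPF interface naming an ipsec-sa."""
    refs = []
    for area_key, area in ospf_cfg.items():
        if not (area_key.startswith("area ") and isinstance(area, dict)):
            continue
        for if_key, iface in area.items():
            if if_key.startswith("interface ") and isinstance(iface, dict) and "ipsec-sa" in iface:
                refs.append((area_key.split()[1], if_key.split()[1], iface["ipsec-sa"]))
    return refs


def check_sa_binding(security_text, ospf_text, allowed_auth=JUNOS_AH_AUTH):
    """Return a list of findings; an empty list means every binding checks out."""
    sec, ospf = parse_junos(security_text), parse_junos(ospf_text)
    sas = {k.split()[1]: v for k, v in sec.items() if k.startswith("security-association ")}
    findings, refs = [], find_sa_references(ospf)
    if not refs:
        findings.append("no OSPF interface references an ipsec-sa")
    for area, iface, name in refs:
        where = f"area {area} interface {iface}"
        sa = sas.get(name)
        if sa is None:
            findings.append(f"{where}: ipsec-sa {name} is not defined under security ipsec")
            continue
        if sa.get("mode") != "transport":
            findings.append(f"{where}: SA {name} mode is {sa.get('mode')}, expected transport")
        dirn = sa.get("manual", {}).get("direction bidirectional")
        if dirn is None:
            findings.append(f"{where}: SA {name} has no manual bidirectional direction")
            continue
        spi = int(dirn.get("spi", 0))
        if not SPI_MIN <= spi <= SPI_MAX:
            findings.append(f"{where}: SA {name} spi {spi} is outside {SPI_MIN}..{SPI_MAX}")
        auth = dirn.get("authentication", {})
        algo = auth.get("algorithm")
        if algo not in allowed_auth:
            findings.append(f"{where}: SA {name} authentication algorithm {algo} is not allowed")
        if "key" not in auth:
            findings.append(f"{where}: SA {name} has no authentication key")
    return findings


if __name__ == "__main__":
    for finding in check_sa_binding(SECURITY_IPSEC, PROTOCOLS_OSPF) or ["binding OK"]:
        print(finding)
```

Feed it the captured output of the two show commands instead of the constructed samples to run the check against a real device; passing allowed_auth={"hmac-sha1-96"} turns the example's hmac-md5-96 SA into a finding, and an OSPF interface that names an SA missing from security ipsec is reported before any algorithm check.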
