Technical Documentation

Option: Securing OSPFv2 Networks with Transport Mode

By default, you can configure MD5 or simple text password-based authentication over OSPFv2 links. In addition to these basic authentications, the JUNOS Software supports OSPFv2 with a security authentication header (AH), Encapsulating Security Payload (ESP), or an IPSec protocol bundle that supports both AH and ESP. You can configure IPSec over OSPFv2 using transport mode security associations on physical, sham, or virtual links.

Because the JUNOS Software supports only bidirectional security associations over OSPFv2, OSPFv2 peers must be configured with the same IPSec security association. Configuring OSPFv2 peers with different security associations or with dynamic IKE will prevent adjacencies from being established. In addition, you must configure identical security associations for sham links with the same remote endpoint address, for virtual links with the same remote endpoint address, for all neighbors on OSPF nonbroadcast multiaccess (NBMA) or point-to-multipoint links, and for every subnet that is part of a broadcast link.

To create a manual bidirectional security association, include the security-association security-association-name statement at the [edit security ipsec] hierarchy level:

[edit]security {ipsec {security-association security-association name {mode transport;manual {direction bidirectional {protocol (ah | esp | bundle);spi spi--value;authentication {algorithm (hmac-md5-96 | hmac-sha1-96);key (ascii-text key | hexadecimal key);}}}}}}


To configure IPSec on an OSPFv2 interface, create a transport mode security association and include the ipsec-sa name statement at the [edit protocols ospf area area-id] hierarchy level:

[edit]protocols {ospf {area area-id {interface interface-name {ipsec-sa sa-name;}virtual-link neighbor-id a.b.c.d transit-area x.x.x.x {ipsec-sa sa-name;}sham-link-remote {ipsec-sa sa-name;}}}}

To verify your configuration, enter the show ospf interface detail command. This command gives detailed information about the ospfv2 interface and displays the interface’s security association at the bottom of the output. In the example below, the security association configured on this router is sa1.

user@router> show ospf interface detail
Interface              State     Area            DR ID           BDR ID Nbrs
fe-0/0/1.0 BDR 1
Type LAN, address, Mask, MTU 4460, Cost 40
DR addr, BDR addr, Adj count 1, Priority 128
Hello 10, Dead 40, ReXmit 5, Not Stub
t1-0/2/1.0 PtToPt 0
Type P2P, Address, Mask, MTU 1500, Cost 2604
Adj count 0
Hello 10, Dead 40, ReXmit 5, Not Stub
Auth type: MD5, Active key ID 3, Start time 2002 Nov 19 10:00:00 PST
IPsec SA Name: sa1

Published: 2010-04-15