CLI Guide
An SPI number must be unique to one IPsec security policy (authentication or encryption) on the router.
If you have enabled IPsec encryption in an OSPFv3 area with the area encryption command, you cannot use
the area authentication command in the area at the same time.
The conguration of IPsec authentication on an interface-level takes precedence over an area-level conguration.
If you remove an interface conguration, an area authentication policy that has been congured is applied to the
interface.
area encryption
Congure an IPsec encryption policy for OSPFv3 packets in an OSPFv3 area.
Syntax
area area-id encryption ipsec spi number esp encryption-algorithm [key-
encryption-type] key authentication-algorithm [key-encryption-type] key | null
To remove an IPsec encryption policy from an interface, use the no area area-id encryption spi
number command.
Parameters
area area-id
Area for which OSPFv3 trac is to be encrypted. For area-id, enter a number.
The range is from 0 to 4294967295.
ipsec spi number
Security Policy index (SPI) value that identies an IPsec security policy.
The range is from 256 to 4294967295.
esp encryption-
algorithm
Encryption algorithm used with ESP.
Valid values are: 3DES, DES, AES-CBC, and NULL.
For AES-CBC, only the AES-128 and AES-192 ciphers are supported.
key-encryption-
algorithm
(OPTIONAL) Species if the key is encrypted.
Valid values: 0 (key is not encrypted) or 7 (key is encrypted).
key
Text string used in encryption.
The required lengths of a non-encrypted or encrypted key are:
3DES - 48 or 96 hex digits; DES - 16 or 32 hex digits; AES-CBC -32 or 64 hex digits for
AES-128 and 48 or 96 hex digits for AES-192.
authentication-
algorithm
Species the authentication algorithm to use for encryption.
Valid values are MD5 or SHA1.
key-encryption-
type
(OPTIONAL) Species if the authentication key is encrypted.
Open Shortest Path First (OSPFv2 and OSPFv3) 959