As shown in Figure 1, Device A and Device B run Open Shortest Path First version 3 (OSPFv3) and are reachable to each other.
If no authentication mechanism is configured, an attacker on the path between Device A and Device B can modify or forge OSPFv3 protocol packets, tearing down the neighbor relationship between the two devices or injecting incorrect routes.
To prevent such attacks, IPsec can be configured between Device A and Device B to protect OSPFv3 protocol packets in transit. ESP in transport mode is used as the security protocol, SHA2-256 as the authentication algorithm, and ESP encryption is disabled. This configuration therefore provides integrity protection and origin authentication for OSPFv3 packets, but not confidentiality: the packet contents remain readable on the wire. The SA is keyed manually, so the SPI and the string key must be identical on both devices; in this example the same SPI and key are used in both directions.
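The following is an added example, not code from the Huawei page or from the device: it models in Python what the configuration above does to an OSPFv3 Hello on the wire and what the receiving side checks, so that the attack in the previous paragraph (rewriting a packet in transit) can be seen to fail. It assumes that the configured string key "abcdef" is used directly as the HMAC key and that the ICV is HMAC-SHA-256 truncated to 128 bits (RFC 4868); how a real device derives the key from the string is not stated on the page. The OSPFv3 Hello and the IPv6 addresses are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import struct

SPI = 12345            # 'sa spi inbound/outbound esp 12345' on both devices
KEY = b"abcdef"        # 'sa string-key ... abcdef'; raw use of the string is an assumption
ICV_LEN = 16           # HMAC-SHA-256-128 (RFC 4868): 256-bit MAC truncated to 128 bits
NH_ESP = 50            # IPv6 next header for ESP
NH_OSPF = 89           # IPv6 next header for OSPFv3
ALL_SPF_ROUTERS = "ff02::5"


def ospfv3_hello(router_id: str, area_id: str) -> bytes:
    """Constructed sample OSPFv3 Hello (RFC 5340 layout; checksum left 0)."""
    header = struct.pack("!BBH4s4sHBB", 3, 1, 36,           # version, type=Hello, length
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0, 0, 0)                           # checksum, instance ID, reserved
    body = struct.pack("!IB3sHHII", 1, 1, b"\x00\x00\x13",  # interface ID, priority, options
                       10, 40, 0, 0)                        # hello/dead intervals, DR, BDR
    return header + body


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Fixed 40-byte IPv6 header; hop limit 1 as for link-local OSPFv3 packets."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, 1)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def esp_protect(inner: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """Transport-mode ESP with null encryption: the payload stays in the clear,
    and the ICV covers SPI, sequence number, payload and trailer."""
    pad_len = (-(len(inner) + 2)) % 4     # pad so that the trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_header)
    authenticated = struct.pack("!II", spi, seq) + inner + trailer
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def esp_verify(esp: bytes, inbound_spi: int, key: bytes):
    """Receiver: SA lookup by SPI, ICV check, then strip the ESP trailer.
    The error strings mirror the drop counters of 'display ipsec statistics'."""
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != inbound_spi:
        raise LookupError("cannot find SA")
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("authentication is failed")
    pad_len, next_header = struct.unpack("!BB", authenticated[-2:])
    inner = authenticated[8:len(authenticated) - 2 - pad_len]
    return seq, next_header, inner


def build_protected_hello(seq: int = 1) -> bytes:
    """What Device A puts on the wire once 'ipsec sa sa1' is applied to ospfv3 1."""
    hello = ospfv3_hello("1.1.1.1", "0.0.0.1")
    esp = esp_protect(hello, NH_OSPF, SPI, seq, KEY)
    return ipv6_header("fe80::1", ALL_SPF_ROUTERS, NH_ESP, len(esp)) + esp


def receive(packet: bytes):
    """Device B's side: only ESP is accepted on a protected process, then verify."""
    if packet[6] != NH_ESP:
        raise ValueError("unprotected packet on an IPsec-protected process")
    return esp_verify(packet[40:], SPI, KEY)


def tamper(packet: bytes, offset: int, value: int) -> bytes:
    """An on-path attacker rewriting a single byte of the packet."""
    mutated = bytearray(packet)
    mutated[offset] = value
    return bytes(mutated)


def outcome(packet: bytes) -> str:
    """'accepted' or the drop reason, for quick comparison."""
    try:
        receive(packet)
        return "accepted"
    except (LookupError, ValueError) as exc:
        return str(exc)


if __name__ == "__main__":
    pkt = build_protected_hello(seq=7)
    print("genuine Hello:", outcome(pkt))
    print("Hello visible in clear:", pkt[48:84] == ospfv3_hello("1.1.1.1", "0.0.0.1"))
    print("router ID rewritten:", outcome(tamper(pkt, 52, 9)))   # byte 52 = Hello router ID
    print("SPI rewritten:", outcome(tamper(pkt, 43, 0)))         # byte 43 = low byte of SPI
```

Two points the run makes visible: the Hello is readable at offset 48 of the packet because no encryption algorithm is configured, and a single rewritten byte of the Hello (or of the SPI) is rejected with exactly the reason that would be counted under "authentication is failed" or "cannot find SA" on the device.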
The configuration roadmap is as follows:
1. Configure a security proposal that defines the security protocol, the authentication algorithm, and the encapsulation mode.
2. Configure an SA, apply the proposal to it, and define the inbound and outbound parameters (SPI and key).
3. Apply the SA to the OSPFv3 process to protect OSPFv3 protocol packets between Device A and Device B.
Device Name | Router ID | Process ID | SPI | Authentication Key in the String Format
---|---|---|---|---
Device A | 1.1.1.1 | 1 | 12345 | abcdef
Device B | 2.2.2.2 | 1 | 12345 | abcdef
# Configure Device A.
```
<HUAWEI> system-view
[~HUAWEI] sysname DeviceA
[*HUAWEI] commit
[~DeviceA] ospfv3 1
[*DeviceA-ospfv3-1] router-id 1.1.1.1
[*DeviceA-ospfv3-1] area 1
[*DeviceA-ospfv3-1-area-0.0.0.1] commit
[~DeviceA-ospfv3-1-area-0.0.0.1] quit
```
# Configure Device B.
```
<HUAWEI> system-view
[~HUAWEI] sysname DeviceB
[*HUAWEI] commit
[~DeviceB] ospfv3 1
[*DeviceB-ospfv3-1] router-id 2.2.2.2
[*DeviceB-ospfv3-1] area 1
[*DeviceB-ospfv3-1-area-0.0.0.1] commit
[~DeviceB-ospfv3-1-area-0.0.0.1] quit
```
# Configure Device A.
```
[~DeviceA] interface gigabitethernet0/1/1
[~DeviceA-GigabitEthernet0/1/1] ipv6 enable
[*DeviceA-GigabitEthernet0/1/1] ipv6 address 2001:db8::1 64
[*DeviceA-GigabitEthernet0/1/1] ospfv3 1 area 1
[*DeviceA-GigabitEthernet0/1/1] commit
[~DeviceA-GigabitEthernet0/1/1] quit
```
# Configure Device B.
```
[~DeviceB] interface gigabitethernet0/1/1
[~DeviceB-GigabitEthernet0/1/1] ipv6 enable
[*DeviceB-GigabitEthernet0/1/1] ipv6 address 2001:db8::2 64
[*DeviceB-GigabitEthernet0/1/1] ospfv3 1 area 1
[*DeviceB-GigabitEthernet0/1/1] commit
[~DeviceB-GigabitEthernet0/1/1] quit
```
# Configure a security proposal on Device A.
```
[~DeviceA] ipsec proposal proposal1
[*DeviceA-ipsec-proposal-proposal1] encapsulation-mode transport
[*DeviceA-ipsec-proposal-proposal1] transform esp
[*DeviceA-ipsec-proposal-proposal1] undo esp encryption-algorithm
[*DeviceA-ipsec-proposal-proposal1] esp authentication-algorithm sha2-256
[*DeviceA-ipsec-proposal-proposal1] commit
[~DeviceA-ipsec-proposal-proposal1] quit
```
# Configure a security proposal on Device B.
```
[~DeviceB] ipsec proposal proposal2
[*DeviceB-ipsec-proposal-proposal2] encapsulation-mode transport
[*DeviceB-ipsec-proposal-proposal2] transform esp
[*DeviceB-ipsec-proposal-proposal2] undo esp encryption-algorithm
[*DeviceB-ipsec-proposal-proposal2] esp authentication-algorithm sha2-256
[*DeviceB-ipsec-proposal-proposal2] commit
[~DeviceB-ipsec-proposal-proposal2] quit
```
# Run the display ipsec proposal command on Device A and Device B to verify the configuration. The output on Device A is shown as an example; the "not use encryption" line confirms that the proposal provides authentication only.
```
[~DeviceA] display ipsec proposal
Total IP security proposal number: 1
  IP security proposal name: proposal1
  encapsulation mode: transport
  transform: esp-new
  ESP protocol: authentication SHA2-HMAC-256, not use encryption
```
# Create an SA on Device A and apply the proposal to it.
```
[~DeviceA] ipsec sa sa1
[*DeviceA-ipsec-sa-sa1] proposal proposal1
[*DeviceA-ipsec-sa-sa1] commit
```
# Create an SA on Device B and apply the proposal to it.
```
[~DeviceB] ipsec sa sa2
[*DeviceB-ipsec-sa-sa2] proposal proposal2
[*DeviceB-ipsec-sa-sa2] commit
```
# Configure SPIs and authentication keys in the string format on Device A.
```
[~DeviceA] ipsec sa sa1
[*DeviceA-ipsec-sa-sa1] sa spi inbound esp 12345
[*DeviceA-ipsec-sa-sa1] sa spi outbound esp 12345
[*DeviceA-ipsec-sa-sa1] sa string-key inbound esp abcdef
[*DeviceA-ipsec-sa-sa1] sa string-key outbound esp abcdef
[*DeviceA-ipsec-sa-sa1] commit
[~DeviceA-ipsec-sa-sa1] quit
```
# Configure SPIs and authentication keys in the string format on Device B.
```
[~DeviceB] ipsec sa sa2
[*DeviceB-ipsec-sa-sa2] sa spi outbound esp 12345
[*DeviceB-ipsec-sa-sa2] sa spi inbound esp 12345
[*DeviceB-ipsec-sa-sa2] sa string-key outbound esp abcdef
[*DeviceB-ipsec-sa-sa2] sa string-key inbound esp abcdef
[*DeviceB-ipsec-sa-sa2] commit
[~DeviceB-ipsec-sa-sa2] quit
```
# Configure an SA for the OSPFv3 process on Device A.
```
[~DeviceA] ospfv3 1
[*DeviceA-ospfv3-1] ipsec sa sa1
[*DeviceA-ospfv3-1] commit
```
# Configure an SA for the OSPFv3 process on Device B.
```
[~DeviceB] ospfv3 1
[*DeviceB-ospfv3-1] ipsec sa sa2
[*DeviceB-ospfv3-1] commit
```
# Run the display ipsec sa command on Device A and Device B to verify the configuration. The output on Device A is shown as an example; the string keys are displayed in encrypted form.
```
[~DeviceA] display ipsec sa
Total IP security association number: 1
  IP security association name: sa1
  Number of references: 1
  proposal name: proposal1
  State: Complete
  inbound AH setting:
    AH spi:
    AH string-key:
    AH authentication hex key:
  inbound ESP setting:
    ESP spi: 12345 (0x3039)
    ESP string-key: %#%#<}jb{br9\zi%X+/Y@:Y>Lw(L\v#*^KsM"/8RaRe$%#%#
    ESP encryption hex key:
    ESP authentication hex key:
  outbound AH setting:
    AH spi:
    AH string-key:
    AH authentication hex key:
  outbound ESP setting:
    ESP spi: 12345 (0x3039)
    ESP string-key: %#%#<}j/@X4355SE9JZTD0>GQf"}w2@X,k6.E\Z,z\{#%#%#
    ESP encryption hex key:
    ESP authentication hex key:
```
# Run the display ipsec statistics command to view statistics about incoming and outgoing protocol packets processed by IPsec and details about dropped packets. Non-zero input/output security packet counters show that OSPFv3 packets are being processed by IPsec, which means the configuration has taken effect. The dropped-packet detail is the place to look when neighbors fail to come up: a mismatched key shows up as "authentication is failed", a mismatched SPI as "cannot find SA". For example:
```
[~DeviceA] display ipsec statistics
  IPv6 security packet statistics:
    input/output security packets: 184/19
    input/output security bytes: 13216/1312
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      cannot find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
    the normal packet statistics:
      input/output dropped normal packets: 0/0
  IPv4 security packet statistics:
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
    the normal packet statistics:
      input/output dropped normal packets: 0/0
```
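As an added example, not part of the Huawei page, the following Python parses the display ipsec statistics output above into counters and raises the two alerts an operator would want from it: no packets processed by IPsec at all (SA not applied or the peer not sending ESP), and any non-zero drop reason that indicates a key or SPI mismatch or replay. The sample text is constructed from the output above with the "authentication is failed" counter changed to 3 so that an alert fires; the counter names are taken from the page, everything else (function names, alert wording) is this example's own.

```python
import re

# Constructed sample: the IPv6 block of the output above, with one counter changed.
SAMPLE_STATISTICS = """\
IPv6 security packet statistics:
  input/output security packets: 184/19
  input/output security bytes: 13216/1312
  input/output dropped security packets: 0/0
  dropped security packet detail:
    memory process problem: 0
    cannot find SA: 0
    queue is full: 0
    authentication is failed: 3
    wrong length: 0
    replay packet: 0
    too long packet: 0
    invalid SA: 0
    policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
"""

FAMILY = re.compile(r"^\s*(IPv[46]) security packet statistics:")
# "name: N" or "name: N/M" (input/output pairs); section headers carry no number and do not match.
COUNTER = re.compile(r"^\s*(?P<name>[^:]+?):\s*(?P<a>\d+)(?:/(?P<b>\d+))?\s*$")

# Drop reasons that point at a configuration mismatch or an attack rather than a resource problem.
DROP_REASONS = ("cannot find SA", "authentication is failed", "replay packet",
                "invalid SA", "policy deny")


def parse_ipsec_statistics(text: str) -> dict:
    """Return {"IPv6": {counter: int | (in, out)}, "IPv4": {...}} from the command output."""
    stats, family = {}, None
    for line in text.splitlines():
        fam = FAMILY.match(line)
        if fam:
            family = fam.group(1)
            stats[family] = {}
            continue
        m = COUNTER.match(line)
        if m and family is not None:
            # The IPv4 block spells the SA counter "can't find SA"; normalise it.
            name = m.group("name").strip().replace("can't", "cannot")
            a, b = int(m.group("a")), m.group("b")
            stats[family][name] = (a, int(b)) if b is not None else a
    return stats


def ipsec_alerts(text: str, family: str = "IPv6") -> list:
    """Alerts for one address family: nothing processed, or suspicious drop reasons."""
    counters = parse_ipsec_statistics(text).get(family, {})
    alerts = []
    if counters.get("input/output security packets", (0, 0)) == (0, 0):
        alerts.append("no IPsec-processed packets: SA not applied or peer not sending ESP")
    for reason in DROP_REASONS:
        if counters.get(reason, 0):
            alerts.append(f"{reason}: {counters[reason]}")
    return alerts


if __name__ == "__main__":
    for alert in ipsec_alerts(SAMPLE_STATISTICS):
        print("ALERT", alert)
```

OSPFv3 runs over IPv6, so the IPv6 block is the one that matters for this configuration; the IPv4 block staying at zero is expected here.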
# Device A configuration file
```
#
 sysname DeviceA
#
ipsec proposal proposal1
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 undo esp encryption-algorithm
#
ipsec sa sa1
 proposal proposal1
 sa spi inbound esp 12345
 sa string-key inbound esp %#%#<}jb{br9\zi%X+/Y@:Y>Lw(L\v#*^KsM"/8RaRe$%#%#
 sa spi outbound esp 12345
 sa string-key outbound esp %#%#<}j/@X4355SE9JZTD0>GQf"}w2@X,k6.E\Z,z\{#%#%#
#
ospfv3 1
 router-id 1.1.1.1
 ipsec sa sa1
 area 0.0.0.1
#
interface GigabitEthernet0/1/1
 undo shutdown
 ipv6 enable
 ipv6 address 2001:db8::1/64
 ospfv3 1 area 0.0.0.1
#
return
```
# Device B configuration file
```
#
 sysname DeviceB
#
ipsec proposal proposal2
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 undo esp encryption-algorithm
#
ipsec sa sa2
 proposal proposal2
 sa spi inbound esp 12345
 sa string-key inbound esp %#%#<}j/@XSE9JZT5]2"T#]2"T<}j/@XSE9JZT5>%#%#
 sa spi outbound esp 12345
 sa string-key outbound esp %#%#)YTP%@nFE7bL^B&WSBiQ1[p#M"/8RaRe%$7$%#%#
#
ospfv3 1
 router-id 2.2.2.2
 ipsec sa sa2
 area 0.0.0.1
#
interface GigabitEthernet0/1/1
 undo shutdown
 ipv6 enable
 ipv6 address 2001:db8::2/64
 ospfv3 1 area 0.0.0.1
#
return
```