OSPFv3 neighbor authentication


OSPFv3 neighbor authentication is available for enhanced IPv6 security.

To configure an OSPF6 interface:
config router ospf6
    config ospf6-interface
        edit <name>
            set authentication {none | ah | esp | area}
            set key-rollover-interval <integer>
            set ipsec-auth-alg {md5 | sha1 | sha256 | sha384 | sha512}
            set ipsec-enc-alg {null | des | 3des | aes128 | aes192 | aes256}
            config ipsec-keys
                edit <spi>
                    set auth-key <string>
                    set enc-key <string>
                next
            end
        next
    end
end

To configure an OSPF6 virtual link:
config router ospf6
    config area
        edit <id>
            config virtual-link
                edit <name>
                    set authentication {none | ah | esp | area}
                    set key-rollover-interval <integer>
                    set ipsec-auth-alg {md5 | sha1 | sha256 | sha384 | sha512}
                    set ipsec-enc-alg {null | des | 3des | aes128 | aes192 | aes256}
                    config ipsec-keys
                        edit <spi>
                            set auth-key <string>
                            set enc-key <string>
                        next
                    end
                next
            end
        next
    end
end

To configure an OSPF6 area:
config router ospf6
    config area
        edit <id>
            set authentication {none | ah | esp}
            set key-rollover-interval <integer>
            set ipsec-auth-alg {md5 | sha1 | sha256 | sha384 | sha512}
            set ipsec-enc-alg {null | des | 3des | aes128 | aes192 | aes256}
            config ipsec-keys
                edit <spi>
                    set auth-key <string>
                    set enc-key <string>
                next
            end
        next
    end
end

CLI command descriptions

Command

Description

<id>

Area entry IP address.

authentication {none | ah | esp | area}

Authentication mode:

  • none: Disable authentication
  • ah: Authentication Header
  • esp: Encapsulating Security Payload
  • area: Use the routing area authentication configuration

key-rollover-interval <integer>

Enter an integer value (300 - 216000, default = 300).

ipsec-auth-alg {md5 | sha1 | sha256 | sha384 | sha512}

Authentication algorithm.

ipsec-enc-alg {null | des | 3des | aes128 | aes192 | aes256}

Encryption algorithm.

<spi>

Security Parameters Index.

auth-key <string>

The authentication key should be a string of hexadecimal digits.

Key length for each algorithm:

  • MD5: 16 bytes
  • SHA1: 20 bytes
  • SHA256: 32 bytes
  • SHA384: 48 bytes
  • SHA512: 84 bytes

If the key is shorter than the required length, it will be padded with zeroes.

enc-key <string>

The encryption key should be a string of hexadecimal digits.

Key length for each algorithm:

  • DES: 8 bytes
  • 3DES: 24 bytes
  • AES128: 16 bytes
  • AES192: 24 bytes
  • AES256: 32 bytes

If the key is shorter than the required length, it will be padded with zeroes.
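
Because a short key is padded with zeroes rather than rejected, a truncated key goes into service with less key material than the algorithm expects. The following added example (not Fortinet code) checks a CLI script before it is applied and reports such keys. The required lengths are copied from the tables on this page; the interface name, SPIs and key values in the sample are constructed.

```python
import re

# key setting -> (algorithm setting, required key bytes as listed on this page)
KEY_RULES = {"auth-key": ("ipsec-auth-alg", {"md5": 16, "sha1": 20, "sha256": 32, "sha384": 48, "sha512": 84}),
             "enc-key": ("ipsec-enc-alg", {"des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32})}

# Constructed sample script: interface name, SPIs and key values are made up.
SAMPLE = """\
config router ospf6
    config ospf6-interface
        edit port1
            set authentication esp
            set ipsec-auth-alg sha256
            set ipsec-enc-alg aes128
            config ipsec-keys
                edit 1000
                    set auth-key 0123456789abcdef0123456789abcdef
                    set enc-key 00112233445566778899aabbccddeeff
                next
                edit 1001
                    set auth-key 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
                    set enc-key 00112233
                next
            end
        next
    end
end
"""

def audit_keys(script):
    """Return (spi, setting, problem) for each malformed or zero-padded key."""
    findings, algs, spi, in_keys = [], {}, None, False
    for words in (line.split() for line in script.splitlines()):
        if words == ["config", "ipsec-keys"]:
            in_keys = True
        elif words == ["end"]:
            in_keys = False  # closes ipsec-keys or an outer block
        elif len(words) == 2 and words[0] == "edit":
            spi, algs = (words[1], algs) if in_keys else (None, {})  # new entry: forget algorithms
        elif len(words) == 3 and words[0] == "set" and words[1].startswith("ipsec-"):
            algs[words[1]] = words[2]
        elif in_keys and len(words) == 3 and words[0] == "set" and words[1] in KEY_RULES:
            alg_setting, table = KEY_RULES[words[1]]
            need, key = table.get(algs.get(alg_setting), 0), words[2]
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", key):
                findings.append((spi, words[1], "not a whole number of hex bytes"))
            elif len(key) // 2 < need:
                findings.append((spi, words[1], f"{len(key) // 2} of {need} bytes, rest zero-padded"))
    return findings
```

Calling `audit_keys(SAMPLE)` reports the SPI 1000 authentication key and the SPI 1001 encryption key; the other two keys match the listed lengths and pass.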
