Configuration Guide - VPN

S7700 and S9700 V200R013C00

This document describes the configurations of VPN, including GRE, IPSec, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, VPLS, L2VPN Access to L3VPN.
IPSec Application in OSPFv3

Service Overview

Stable and reliable routes provide a solid basis for network communication. OSPFv3 is widely applied to ASs and therefore requires high levels of protection. OSPFv3 itself does not define any authentication mechanism; therefore, if no additional authentication mechanism is configured for OSPFv3, its packets are prone to being intercepted, modified, or forged. This can affect OSPFv3 neighbor relationships and interrupt network communication.

RFC introduces IPSec for authenticating OSPFv3 packets. An AH or ESP header inserted into an OSPFv3 packet provides a basis for data origin authentication and data integrity authentication, protecting OSPFv3 neighbor relationships and network communication.

Networking Description

As shown in Figure 2-14, SwitchA and SwitchB run OSPFv3 and can reach each other. To prevent packets along the route between SwitchA and SwitchB from being intercepted or forged, IPSec is configured between SwitchA and SwitchB.

Figure 2-14  Typical Networking of IPSec Application in OSPFv3

Feature Deployment

IPSec can be deployed in an OSPFv3 process or area or on an interface.

OSPFv3 allows multiple instances on each link, and each instance is identified by the instance-id field. The IPSec header, however, does not support the instance-id field. Therefore, all OSPFv3 instances on an interface use the same SA.

As shown in Figure 2-14, IPSec is configured on all interfaces so that OSPFv3 neighbor relationships are set up only when IPSec authentication succeeds. Packets that fail IPSec authentication, or that are protected with an authentication mode different from the one configured on the IPSec peer, are dropped.
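
The receive-side behavior described above, as an added example (not Huawei code and not device configuration): a simplified Python model of AH protection on an OSPFv3 link, showing that one interface SA serves every instance-id and that modified, wrongly keyed, or differently protected packets are dropped. The SA values, function names, and the choice of HMAC-SHA1-96 are assumptions, and the ICV here covers only the AH header and the OSPFv3 packet, whereas real AH also covers the immutable IPv6 header fields.

```python
import hashlib
import hmac
import struct

AH, ESP, OSPF = 51, 50, 89  # IP protocol numbers

def ospfv3_hello(router_id, instance_id):
    """Constructed 16-byte OSPFv3 header (type 1 = Hello), no body."""
    return struct.pack("!BBHIIHBB", 3, 1, 16, router_id, 0, 0, instance_id, 0)

def _icv(sa, ah_fixed, payload):
    # HMAC-SHA1-96 over the AH header with a zeroed ICV field, then the payload
    mac = hmac.new(sa["key"], ah_fixed + bytes(12) + payload, hashlib.sha1)
    return mac.digest()[:12]

def ah_protect(sa, payload, seq=1):
    """Sender side: prepend an AH header carrying the SA's SPI and the ICV."""
    # next header, length in 32-bit words minus 2, reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", OSPF, 4, 0, sa["spi"], seq)
    return AH, ah_fixed + _icv(sa, ah_fixed, payload) + payload

def receive(if_sa, proto, packet):
    """Receiver side: return the OSPFv3 payload, or None if the packet is dropped."""
    if proto != if_sa["proto"] or len(packet) < 24:
        return None  # peer uses a different mode (e.g. ESP), or no full AH header
    ah_fixed, icv, payload = packet[:12], packet[12:24], packet[24:]
    spi = struct.unpack("!I", ah_fixed[4:8])[0]
    if spi != if_sa["spi"]:
        return None  # no SA on this interface for that SPI
    if not hmac.compare_digest(icv, _icv(if_sa, ah_fixed, payload)):
        return None  # modified in transit, or authenticated with another key
    return payload

# Constructed SA shared by SwitchA and SwitchB on the link
SA = {"proto": AH, "spi": 0x3039, "key": b"constructed-demo-key"}

def demo():
    """Map each case to True (accepted) or False (dropped)."""
    results = {}
    for inst in (0, 1):  # two OSPFv3 instances, one interface SA
        proto, pkt = ah_protect(SA, ospfv3_hello(0x01010101, inst))
        results[f"instance {inst}"] = receive(SA, proto, pkt) is not None
    proto, pkt = ah_protect(SA, ospfv3_hello(0x01010101, 0))
    changed = pkt[:-2] + b"\x07" + pkt[-1:]  # instance-id altered after signing
    results["modified"] = receive(SA, proto, changed) is not None
    other = dict(SA, key=b"different-key")  # sender without the shared key
    results["wrong key"] = receive(SA, *ah_protect(other, ospfv3_hello(0x02020202, 0))) is not None
    results["ESP peer"] = receive(SA, ESP, pkt) is not None
    return results

if __name__ == "__main__":
    print(demo())
```

The SA is selected from the protocol and SPI alone, so the instance-id inside the OSPFv3 header never influences which key is used; it is only integrity-protected as part of the payload.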

Updated: 2019-04-08

Document ID: EDOC1100065751
