Virtual links

You can also configure IPsec protection for IPv6 OSPF virtual links. The following method uses manual tunnels for that purpose.

Guideline: Because virtual links use global unicast addresses, you should use dynamic tunnels for IPv6 OSPF virtual links whenever possible. Dynamic tunnels negotiate SPIs and keys with the peer through IKE and rekey automatically, instead of relying on static keys configured by hand on both ends, which is one of their many benefits over manual tunnels.

Because the virtual link addresses are not known beforehand, you must specify the security endpoint addresses for the manual tunnel with a wildcard value. A virtual link carries only unicast OSPF traffic, so this Security Association does not protect multicast traffic and the inbound and outbound SPI values and keys do not need to be identical (for multicast traffic they would have to be). They do have to be coordinated with the virtual link peer: the SPI and key of your outbound SA must be configured as the peer's inbound SA, and your inbound SA as the peer's outbound SA, so copying the stanza to the peer unchanged does not work. The keys in the example are illustrative; generate fresh random keys of the length the algorithm requires (20 bytes for HMAC_SHA1, 8 bytes for DES) and never reuse the values shown here. DES itself appears only to keep the example short and is not an acceptable cipher for a production link.

IpManVpnAction tunnel-ipv6ospfvirt-internal
{
  # Wildcard endpoints: the virtual link addresses are not known beforehand
  LocalSecurityEndpointAddr  any6
  RemoteSecurityEndpointAddr any6
  # Unicast only, so outbound and inbound SPIs and keys may differ; each
  # outbound SA here must be configured as the peer's inbound SA
  HowToAuth                  AH HMAC_SHA1
    AuthOutboundSa      2702 0xf5c58a6e6f0761b68f424f39257f0ea89a4be3b4
    AuthInboundSa       2703 0x39a341ed1b7127b7905df2411ed0770854b54d10
  # DES and the sample keys are for illustration only
  HowToEncrypt               DES
    EncryptOutboundSa   2704 0xb9571d20fe98ecca
    EncryptInboundSa    2705 0xfeba84c113fb40ed
  HowToEncap                 transport
}
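As an added example (Python, not IBM's code and not part of this documentation), the following script parses the IpManVpnAction stanza above together with a constructed stanza for the virtual link peer and checks the coordination the text calls for: the SPI and key of each side's outbound SA must be the peer's inbound SA and vice versa, each key must have the length its algorithm needs (20 bytes for HMAC_SHA1, 8 for DES), no SPI may fall in the reserved range 0 to 255, and DES or 3DES is flagged as unfit for production. The peer stanza name tunnel-ipv6ospfvirt-peer and the key-length tables are assumptions made for the example; the parser understands only the subset of stanza syntax shown on this page.

```python
"""Added example (not IBM code): consistency checks for a pair of
IpManVpnAction stanzas. Each side's outbound SA must be the peer's inbound
SA, keys must fit the named algorithm, and SPIs must avoid 0-255.
"""
import re

# Key sizes in bytes for the algorithms named on this page (assumption:
# extend the tables for any other algorithm your stanzas use).
AUTH_KEY_LEN = {"HMAC_SHA1": 20, "HMAC_MD5": 16}
ENCRYPT_KEY_LEN = {"DES": 8, "3DES": 24}
WEAK_ENCRYPT = {"DES", "3DES"}  # single DES is broken, 3DES is deprecated
SA_LINE = re.compile(r"^(Auth|Encrypt)(Outbound|Inbound)Sa\s+(\d+)\s+0x([0-9A-Fa-f]+)$")


def parse_man_vpn_action(text):
    """Return name, algorithms and SAs; 'sa' maps (kind, direction) -> (spi, hexkey)."""
    stanza = {"name": None, "auth": None, "encrypt": None, "sa": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line or line in ("{", "}"):
            continue
        fields = line.split()
        if fields[0] == "IpManVpnAction":
            stanza["name"] = fields[1]
        elif fields[0] == "HowToAuth":  # "AH HMAC_SHA1" -> HMAC_SHA1
            stanza["auth"] = fields[-1]
        elif fields[0] == "HowToEncrypt":  # "DES"
            stanza["encrypt"] = fields[-1]
        elif m := SA_LINE.match(line):
            kind, direction, spi, hexkey = m.groups()
            stanza["sa"][(kind, direction)] = (int(spi), hexkey.lower())
    return stanza


def check_stanza(s):
    """Per-side checks: weak cipher, reserved SPI, key length vs. algorithm."""
    problems = []
    if s["encrypt"] in WEAK_ENCRYPT:
        problems.append(f"{s['name']}: {s['encrypt']} is not acceptable for a production link")
    alg_for = {"Auth": (s["auth"], AUTH_KEY_LEN), "Encrypt": (s["encrypt"], ENCRYPT_KEY_LEN)}
    for (kind, direction), (spi, hexkey) in s["sa"].items():
        label, (alg, table) = f"{s['name']}: {kind}{direction}Sa", alg_for[kind]
        if spi < 256:  # RFC 4302/4303: SPIs 0-255 are reserved
            problems.append(f"{label}: SPI {spi} is in the reserved range 0-255")
        if alg in table and len(hexkey) != 2 * table[alg]:
            problems.append(f"{label}: key is {len(hexkey)} hex digits, {alg} needs {2 * table[alg]}")
    return problems


def check_peer_consistency(local, remote):
    """Local outbound must equal peer inbound and vice versa, for Auth and Encrypt SAs."""
    problems = []
    for attr in ("auth", "encrypt"):
        if local[attr] != remote[attr]:
            problems.append(f"{attr} algorithm differs: {local[attr]} vs {remote[attr]}")
    for kind in ("Auth", "Encrypt"):
        for mine, theirs in (("Outbound", "Inbound"), ("Inbound", "Outbound")):
            mine_sa, peer_sa = local["sa"].get((kind, mine)), remote["sa"].get((kind, theirs))
            if mine_sa is None or peer_sa is None:
                problems.append(f"{kind}{mine}Sa has no counterpart on the peer")
            elif mine_sa != peer_sa:
                problems.append(f"{kind}: local {mine} SA (SPI {mine_sa[0]}) != peer {theirs} SA (SPI {peer_sa[0]})")
    return problems


def audit(local_text, peer_text):
    """All findings for a local/peer stanza pair, as one list of strings."""
    local, peer = parse_man_vpn_action(local_text), parse_man_vpn_action(peer_text)
    return check_stanza(local) + check_stanza(peer) + check_peer_consistency(local, peer)


# LOCAL is the stanza from this page. PEER is a constructed stanza for the
# other end of the virtual link, with the SPIs and keys swapped by direction.
LOCAL = """
IpManVpnAction tunnel-ipv6ospfvirt-internal
{
  HowToAuth                  AH HMAC_SHA1
    AuthOutboundSa      2702 0xf5c58a6e6f0761b68f424f39257f0ea89a4be3b4
    AuthInboundSa       2703 0x39a341ed1b7127b7905df2411ed0770854b54d10
  HowToEncrypt               DES
    EncryptOutboundSa   2704 0xb9571d20fe98ecca
    EncryptInboundSa    2705 0xfeba84c113fb40ed
}
"""
PEER = """
IpManVpnAction tunnel-ipv6ospfvirt-peer
{
  HowToAuth                  AH HMAC_SHA1
    AuthOutboundSa      2703 0x39a341ed1b7127b7905df2411ed0770854b54d10
    AuthInboundSa       2702 0xf5c58a6e6f0761b68f424f39257f0ea89a4be3b4
  HowToEncrypt               DES
    EncryptOutboundSa   2705 0xfeba84c113fb40ed
    EncryptInboundSa    2704 0xb9571d20fe98ecca
}
"""

if __name__ == "__main__":
    for finding in audit(LOCAL, PEER):
        print("coordinated peer:", finding)
    for finding in audit(LOCAL, LOCAL):  # common mistake: stanza copied unchanged
        print("copied stanza:   ", finding)
```

Run against LOCAL and PEER the only findings are the two DES warnings; run against LOCAL twice (the stanza copied to the peer unchanged) it reports four SPI mismatches, which is what happens when these unicast SAs are treated like the symmetric ones used for multicast OSPF traffic.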

Only one filter rule is needed for the virtual link. This example reuses the IP service defined for the link-local traffic, which restricts the rule to OSPF traffic flowing over interfaces with SECCLASS 10. Because the virtual link addresses are not known beforehand, the filter rule addresses are specified with a wildcard prefix that covers the global unicast address space (2000::/3, the range IANA allocates global unicast addresses from). If you know the address prefixes of the virtual link endpoints, use them instead to restrict the rule further.

IpFilterRule ipv6ospf-virtual-internal
{
  # Global unicast wildcard: the virtual link addresses are not known beforehand
  IpSourceAddr              2000::/3
  IpDestAddr                2000::/3
  IpServiceRef             service-ipv6ospf-internal
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef        tunnel-ipv6ospfvirt-internal
}