Routing Configuration Guide, Cisco Catalyst SD-WAN Releases 17.x

Configure OSPFv3 IPSec authentication

Updated: February 6, 2026

Overview

Use the procedures in this section to configure OSPFv3 authentication.

After you configure OSPFv3 and decide on an authentication method, you must define the security policy on each device in the group. A security policy is the combination of a key and a security parameter index (SPI), so defining a policy means defining both.

You can configure an authentication or encryption policy either on an interface or for an OSPFv3 area. When you configure for an area, the security policy is applied to all of the interfaces in the area. For higher security, use a different policy on each interface.

You can configure authentication on virtual links.

  • Defining Authentication on an Interface

  • Defining Authentication in an OSPFv3 Area


Configure OSPFv3 IPSec authentication at an interface-level using CLI

Before you begin

Follow these steps to configure OSPFv3 IPSec authentication at an interface-level using CLI.

Procedure

1. Enter global configuration mode.

Example:

Device# config-transaction

2. In the configuration mode, configure an interface type, such as Gigabit Ethernet.

Specifies an interface type and number, and places the device in interface configuration mode.

Example:

Device(config)# interface GigabitEthernet3

3. Configure OSPFv3 authentication on the interface.

Specifies the authentication type for an interface.

Example:

Device(config-if)# ospfv3 authentication ipsec spi 256 sha1 0 0987654321098765432109876543210987654321

Configure OSPFv3 IPSec authentication at an area-level using CLI

Before you begin

Follow these steps to configure OSPFv3 IPSec authentication at an area-level.

Procedure

1. Enter global configuration mode.

Example:

Device# config-transaction

2. Enable OSPFv3 router configuration mode.

Example:

Device(config)# router ospfv3 <process-id>

3. Configure OSPFv3 authentication in the area.

Enables authentication in an OSPFv3 area.

Example:

Device(config-rtr)# area <area-id> authentication ipsec spi <spi> authentication-algorithm
Device(config)# router ospfv3 <process-id>
Device(config-rtr)# area <> authentication ipsec spi <> [md5/sha1] <>
interface GigabitEthernetY/Y
ospfv3 <> [ipv4/ipv6] area <>

Configure OSPF using CLI

To set up routing on the Cisco IOS XE Catalyst SD-WAN device, you provision VRFs if segmentation is required. Within each VRF, you configure the interfaces that participate in that VRF and the routing protocols that operate in that VRF.

When configuring OSPF from the CLI, ensure that the OSPF process id (PID) and the VRF ID match for OMP redistribution of OSPF to work for the specified VRF. The process ID is the ID of the OSPF process to which the interface belongs. The process ID is local to the router and is used as an identifier of the local OSPF process.

Here is an example of configuring service-side OSPF on a Cisco IOS XE Catalyst SD-WAN device.

config-transaction
 router ospf 1 vrf 1
  auto-cost reference-bandwidth 100
  max-metric router-lsa
  timers throttle spf 200 1000 10000
  router-id 172.16.255.15
  default-information originate
  distance ospf external 110
  distance ospf inter-area 110
  distance ospf intra-area 110
  redistribute connected subnets route-map route_map
  exit
 interface GigabitEthernet0/0/1
  no shutdown
  arp timeout 1200
  vrf forwarding 1
  ip address 10.1.100.14 255.255.255.0
  ip redirects
  ip mtu 1500
  ip ospf 1 area 0  
  ip ospf network broadcast  
  mtu 1500
  negotiation auto
  exit

Configuration examples for IPv6 OSPFv3 IPSec authentication

You can configure OSPFv3 IPSec authentication on an interface or in an area.

Note: Interface-level authentication takes priority over area-level authentication.

Configuring IPv6 OSPFv3 authentication on an interface

This example shows how to define authentication on Ethernet interface 0/0:

interface Ethernet0/0
 ospfv3 1 ipv6 area 0
 ospfv3 1 ipv6 dead-interval 40
 ospfv3 1 ipv6 hello-interval 10
 ospfv3 1 ipv6 retransmit-interval 5
 ospfv3 authentication ipsec spi 256 sha1 0 0987654321098765432109876543210987654321

Configuring IPv6 OSPFv3 authentication in an area

This example shows how to define authentication on OSPFv3 area 0:

router ospfv3 1
 router-id 10.11.11.1
 area 0 authentication ipsec spi 256 sha1 0 0987654321098765432109876543210987654321
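
The following audit script is an added example, not part of the Cisco guide or any Cisco tooling. It checks saved configuration text for the points made above: each security policy needs a valid SPI and key, and a different policy per interface is more secure than one shared key. The SPI range (256 to 4294967295), the key lengths (32 hex digits for md5, 40 for sha1), and the function name audit are assumptions drawn from the IOS command syntax, not stated on this page.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt (dummy keys, not from a real device).
SAMPLE = """\
router ospfv3 1
 area 0 authentication ipsec spi 256 sha1 0 0987654321098765432109876543210987654321
interface GigabitEthernet1
 ospfv3 1 ipv6 area 0
 ospfv3 authentication ipsec spi 300 sha1 0 0987654321098765432109876543210987654321
interface GigabitEthernet2
 ospfv3 authentication ipsec spi 100 md5 0 0123456789abcdef0123456789abcdef
interface GigabitEthernet3
 ospfv3 authentication ipsec spi 400 md5 0 0123456789abcdef
"""

AUTH = re.compile(r"^\s+(?:ospfv3|area \S+) authentication ipsec spi (\d+) "
                  r"(md5|sha1) (?:([07]) )?([0-9A-Fa-f]+)\s*$")
KEY_HEX_DIGITS = {"md5": 32, "sha1": 40}  # assumption: IOS plaintext key lengths
SPI_MIN, SPI_MAX = 256, 4294967295        # assumption: IOS SPI range


def audit(config):
    """Return sorted (scope, finding) pairs for OSPFv3 IPsec auth lines."""
    findings, key_scopes, scope = [], defaultdict(list), None
    for line in config.splitlines():
        if line and not line[0].isspace():
            scope = line.strip()          # top-level block: interface or router
            continue
        m = AUTH.match(line)
        if not m:
            continue
        spi, alg, key_type, key = int(m[1]), m[2], m[3] or "0", m[4].lower()
        if not SPI_MIN <= spi <= SPI_MAX:
            findings.append((scope, f"spi {spi} out of range"))
        if key_type == "0":               # only plaintext keys can be compared
            if len(key) != KEY_HEX_DIGITS[alg]:
                findings.append((scope, f"{alg} key has {len(key)} hex digits"))
            key_scopes[key].append(scope)
    for scopes in key_scopes.values():    # one plaintext key on several scopes
        for s in scopes if len(scopes) > 1 else ():
            others = ", ".join(x for x in scopes if x != s)
            findings.append((s, f"key reused in {others}"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```

Run it against an exported configuration from each device in the group; an interface that shares the area's key gains nothing from the interface-level override.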