11-01-2018 02:19 PM
Hi Community,
We've just purchased some ASR1001-HX devices and I'm facing a little issue while preparing the configuration.
There is no ipv6 ospf authentication command:
Router(config)#int Gi0/0/0
Router(config-if)#ipv6 ospf ?
<1-65535> Process ID
adjacency Adjacency staggering
bfd Enable BFD on this interface
cost Route cost of this interface
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
demand-circuit OSPF demand circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
manet Mobile Adhoc Networking options
mtu-ignore Ignores the MTU in DBD packets
neighbor OSPF neighbor
network Network type
prefix-suppression OSPF prefix suppression
priority Router priority
retransmit-interval Time between retransmitting lost link state
advertisements
shutdown Shut down the interface in OSPFv3
transmit-delay Link state transmit delay
Router(config-if)#
The pre-installed software image is quite up to date and I normally have a sufficient license:
Router#show ver
Cisco IOS XE Software, Version 16.07.01
Cisco IOS Software [Fuji], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9_NPE_NOLI-M), Version 16.7.1, RELEASE SOFTWARE (fc6)
[omitted]
Router#show lic right
Index 2 Feature: advipservices
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Router#
Any idea? Has the syntax been changed?
Regards
- Alex
11-01-2018 04:15 PM
I have still not tried it on Fuji, but Everest works; for Fuji, as below:
11-03-2018 04:03 PM - edited 11-03-2018 04:20 PM
Hey thanks for your answer.
I've "downgraded" to the current suggested Everest version.
But still no ipv6 ospf authentication interface-command.
I've played a bit with the licenses since I have advipservices active.
I've activated the adventservices and the ipsec license (right-to-use), but still the command isn't available.
I've noticed that an ospfv3 authentication interface-command is available instead, though.
But not like it's described in the documentation, followed by an ipsec keyword. Only null and key-chain are available.
I tried to set up a key in a key chain and bind it on the interface for OSPFv3, and I think I got it finally working:
Router#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ipv6 uni
Router(config)#ipv6 unicast-routing
Router(config)#router ospfv3 1
Router(config-router)#router-id 1.1.1.1
Router(config-router)#exit
Router(config)#
Router(config)#
Router(config)#int Gi0/0/1
Router(config-if)#ipv6 ospf 1 area 0
% OSPFv3: IPV6 is not enabled on this interface
Router(config-if)#
Router(config-if)#ipv6 ena
Router(config-if)#ipv6 ospf 1 area 0
Router(config-if)#ipv6 ospf ?
<1-65535> Process ID
adjacency Adjacency staggering
bfd Enable BFD on this interface
cost Route cost of this interface
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
demand-circuit OSPF demand circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
manet Mobile Adhoc Networking options
mtu-ignore Ignores the MTU in DBD packets
neighbor OSPF neighbor
network Network type
prefix-suppression OSPF prefix suppression
priority Router priority
retransmit-interval Time between retransmitting lost link state
advertisements
shutdown Shut down the interface in OSPFv3
transmit-delay Link state transmit delay
Router(config-if)#exit
Router(config)#
Router(config)#
Router(config)#key chain OSPF-KEYS
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string ospf-key-1
Router(config-keychain-key)#cr
Router(config-keychain-key)#cryptographic-algorithm md5
Router(config-keychain-key)#send-li
Router(config-keychain-key)#send-lifetime 10:00:00 3 Nov 2018 inf
Router(config-keychain-key)#exit
Router(config-keychain)#exit
Router(config)#
Router(config)#
Router(config)#
Router(config)#
Router(config)#int Gi0/0/1
Router(config-if)#ospfv3 authen ?
key-chain Use a key-chain for cryptographic authentication keys
null Use no authentication
Router(config-if)#ospfv3 authen key-chain OSPF-KEYS
Router(config-if)#
*Nov 3 15:38:37.563: %OSPFv3-5-NOCRYPTOALG: Key ID 1 in key chain OSPF-KEYS does not have a valid cryptographic algorithm
*Nov 3 15:38:37.563: %OSPFv3-4-NOVALIDKEY: No valid authentication key under key-chain OSPF-KEYS
Router(config-if)#
Router(config-if)#no ospfv3 authen key-chain
Router(config-if)#
Router(config-if)#
Router(config-if)#
Router(config-if)#
Router(config-if)#exit
Router(config)#
Router(config)#key chain OSPF-KEYS
Router(config-keychain)#key 1
Router(config-keychain-key)#cry
Router(config-keychain-key)#cryptographic-algorithm hm
Router(config-keychain-key)#cryptographic-algorithm hmac-sha-1
Router(config-keychain-key)#exit
Router(config-keychain)#exit
Router(config)#
Router(config)#
Router(config)#int Gi0/0/1
Router(config-if)#ospfv3 authen key-chain OSPF-KEYS
Router(config-if)#
Router(config-if)#^Z
Router#
Router#
Router#
Router#
*Nov 3 15:40:18.774: %SYS-5-CONFIG_I: Configured from console by console
Router#show ospfv3 int
GigabitEthernet0/0/1 is administratively down, line protocol is down
Link Local Address FE80::B28B:CFFF:FE1B:3601, Interface ID 8
Area 0, Process ID 1, Instance ID 0, Router ID 1.1.1.1
Network Type BROADCAST, Cost: 1
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm HMAC-SHA-1 - key chain OSPF-KEYS
Transmit Delay is 1 sec, State DOWN, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Router#
Router#
Router#
I've struggled a bit to choose the right parameters for the keys. So apparently the send-lifetime must be (!) in the past and it seems that only SHA1 is a valid algorithm for the IPsec/AH authentication for OSPFv3.
The key-string parameter must match on both or all ends of the OSPF link.
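An offline check for the failure mode in the session above (a key chain bound to OSPFv3 whose key has no usable algorithm, which the router reported as NOCRYPTOALG / NOVALIDKEY), added here as an example and not part of the original post. The sample config is constructed, the names `blocks` and `audit` are hypothetical, and treating every `hmac-sha-*` algorithm as usable is an assumption; the thread only shows `hmac-sha-1` being accepted.

```python
import re

# Constructed running-config excerpt (not from the thread); key-strings omitted.
SAMPLE = """\
key chain OSPF-MD5
 key 1
  cryptographic-algorithm md5
key chain OSPF-KEYS
 key 1
  cryptographic-algorithm hmac-sha-1
interface GigabitEthernet0/0/0
 ipv6 ospf 1 area 0
interface GigabitEthernet0/0/1
 ipv6 ospf 1 area 0
 ospfv3 authentication key-chain OSPF-MD5
interface GigabitEthernet0/0/2
 ipv6 ospf 1 area 0
 ospfv3 authentication key-chain OSPF-KEYS
"""

def blocks(config, head):
    """Map block name -> stripped body lines for top-level blocks starting with head."""
    out, cur = {}, None
    for raw in config.splitlines():
        if raw[:1].strip():                 # unindented line opens a new block
            cur = out.setdefault(raw[len(head):].strip(), []) if raw.startswith(head) else None
        elif cur is not None:
            cur.append(raw.strip())
    return out

def audit(config):
    """Return (interface, problem) for OSPFv3 interfaces without a usable auth key."""
    chains, findings = blocks(config, "key chain "), []
    for ifname, body in blocks(config, "interface ").items():
        if not any(re.match(r"ipv6 ospf \d+ area ", l) for l in body):
            continue                        # OSPFv3 is not enabled on this interface
        auth = [m.group(1) for l in body
                if (m := re.match(r"ospfv3 authentication key-chain (\S+)$", l))]
        if not auth:                        # covers both "null" and no auth line at all
            findings.append((ifname, "no OSPFv3 authentication"))
        # Assumption: any hmac-sha-* algorithm is usable (thread shows hmac-sha-1 only).
        elif not any(l.startswith("cryptographic-algorithm hmac-sha-")
                     for l in chains.get(auth[0], [])):
            findings.append((ifname, f"key chain {auth[0]} has no valid key"))
    return findings
```

Run `audit()` over a saved copy of the running configuration; an empty list means every OSPFv3 interface references a key chain with at least one HMAC-SHA key.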
06-15-2024 04:59 AM
I have exactly the same issue. The solution with the key chain doesn't work, as the OSPF neighbor is not a Cisco device. On the other device you have to set the SPI explicitly and the plaintext shared-key in hex. Exactly the way it is supposed to be done with the ipv6 ospf authentication interface command.
Is there any news on that issue?
06-15-2024 05:21 AM - edited 06-15-2024 05:23 AM
Hi @alexander.koeppe ,
What NOS (IOS, IOS XE, IOS XR, NXOS, etc) are you using and what version? Can you please provide the output for the "show version" command?
As mentioned in my previous post from 2018, it has been supported in IOS XE for a long time.
Regards,
06-15-2024 06:47 AM - edited 06-15-2024 06:48 AM
I am running version 17.09.04a.
As said, the hardware is ASR1001-HX.
06-15-2024 07:05 AM
Can I see the config?
MHM
06-15-2024 01:05 PM
The config is not the problem. The problem is that none of the possible commands are available:
Router#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int Te0/1/1
Router(config-if)#ipv6 ospf authentication ?
% Unrecognized command
Router(config-if)#ipv6 ospf ?
<1-65535> Process ID
adjacency Adjacency staggering
bfd Enable BFD on this interface
cost Route cost of this interface
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
demand-circuit OSPF demand circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
interface-retry This command is deprecated
manet Mobile Adhoc Networking options
mtu-ignore Ignores the MTU in DBD packets
neighbor OSPF neighbor
network Network type
packet-size Customize size of OSPFV3 packets upto MTU
prefix-suppression OSPF prefix suppression
priority Router priority
retransmit-interval Time between retransmitting lost link state advertisements
shutdown Shut down the interface in OSPFv3
transmit-delay Link state transmit delay
Router(config-if)#
Router(config-if)#
Router(config-if)#
Router(config-if)#ospfv3 authentication ?
key-chain Use a key-chain for cryptographic authentication keys
null Use no authentication
Router(config-if)#ospfv3 authentication
% Incomplete command.
Router(config-if)#
06-15-2024 01:13 PM
Router(config-if)#ospfv3 authentication ?
As far as I know, ospfv3 never uses IP at the beginning of the command.
Does the second command you shared need a key chain?
MHM
06-15-2024 08:29 PM
Hi @alexander.koeppe ,
Can you please provide the output of a "show ver"?
Regards,
11-02-2018 12:57 PM
Strange. I just tried it with a CSR1k image and it works. I would open a TAC case or upgrade to a new image if I were you.
XE-1#sh ver | incl Fuji
Cisco IOS Software [Fuji], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.7.1, RELEASE SOFTWARE (fc6)
XE-1#config t
Enter configuration commands, one per line. End with CNTL/Z.
XE-1(config)#int gi2
XE-1(config-if)#ipv6 ospf ?
<1-65535> Process ID
adjacency Adjacency staggering
authentication Enable authentication
bfd Enable BFD on this interface
XE-1(config-if)#ipv6 ospf
Regards,