ipv6 ospf authentication not available (IOS-XE)

Hi Community,

 

We've just purchased some ASR1001-HX devices and I'm facing a little issue while preparing the configuration.

There is no ipv6 ospf authentication command:

 

Router(config)#int Gi0/0/0
Router(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  adjacency            Adjacency staggering
  bfd                  Enable BFD on this interface
  cost                 Route cost of this interface
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  manet                Mobile Adhoc Networking options
  mtu-ignore           Ignores the MTU in DBD packets
  neighbor             OSPF neighbor
  network              Network type
  prefix-suppression   OSPF prefix suppression
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements
  shutdown             Shut down the interface in OSPFv3
  transmit-delay       Link state transmit delay

Router(config-if)#

The pre-installed software image is quite up to date and I normally have a sufficient license:

Router#show ver
Cisco IOS XE Software, Version 16.07.01
Cisco IOS Software [Fuji], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9_NPE_NOLI-M), Version 16.7.1, RELEASE SOFTWARE (fc6)

[omitted]

Router#show lic right
Index 2 Feature: advipservices
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium

Router#

Any idea? Has the syntax been changed?

 

Regards

 

     - Alex

 


balaji.bandi
Hall of Fame

Hey, thanks for your answer.

I've "downgraded" to the current suggested Everest version.

But still no ipv6 ospf authentication interface-command.

I've played a bit with the licenses since I have advipservices active. 

I've activated the adventservices and the ipsec license (right-to-use), but still the command isn't available.

I've noticed that instead an ospfv3 authentication interface-command is available though.

But not like it's described in the documentation, followed by an ipsec keyword. Only null and key-chain are available.

I tried to set up a key in a key chain and bind it on the interface for OSPFv3, and I think I got it finally working:

 

Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ipv6 uni
Router(config)#ipv6 unicast-routing
Router(config)#router ospfv3 1
Router(config-router)#router-id 1.1.1.1
Router(config-router)#exit
Router(config)#
Router(config)#
Router(config)#int Gi0/0/1
Router(config-if)#ipv6 ospf 1 area 0
% OSPFv3: IPV6 is not enabled on this interface
Router(config-if)#
Router(config-if)#ipv6 ena
Router(config-if)#ipv6 ospf 1 area 0
Router(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  adjacency            Adjacency staggering
  bfd                  Enable BFD on this interface
  cost                 Route cost of this interface
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  manet                Mobile Adhoc Networking options
  mtu-ignore           Ignores the MTU in DBD packets
  neighbor             OSPF neighbor
  network              Network type
  prefix-suppression   OSPF prefix suppression
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements
  shutdown             Shut down the interface in OSPFv3
  transmit-delay       Link state transmit delay

Router(config-if)#exit
Router(config)#
Router(config)#
Router(config)#key chain OSPF-KEYS
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string ospf-key-1
Router(config-keychain-key)#cr
Router(config-keychain-key)#cryptographic-algorithm md5
Router(config-keychain-key)#send-li
Router(config-keychain-key)#send-lifetime 10:00:00 3 Nov 2018 inf
Router(config-keychain-key)#exit
Router(config-keychain)#exit
Router(config)#
Router(config)#
Router(config)#
Router(config)#
Router(config)#int Gi0/0/1
Router(config-if)#ospfv3 authen ?
  key-chain  Use a key-chain for cryptographic authentication keys
  null       Use no authentication

Router(config-if)#ospfv3 authen key-chain OSPF-KEYS
Router(config-if)#
*Nov  3 15:38:37.563: %OSPFv3-5-NOCRYPTOALG: Key ID 1 in key chain OSPF-KEYS does not have a valid cryptographic algorithm
*Nov  3 15:38:37.563: %OSPFv3-4-NOVALIDKEY: No valid authentication key under key-chain OSPF-KEYS
Router(config-if)#
Router(config-if)#no ospfv3 authen key-chain
Router(config-if)#
Router(config-if)#
Router(config-if)#
Router(config-if)#
Router(config-if)#exit
Router(config)#
Router(config)#key chain OSPF-KEYS
Router(config-keychain)#key 1
Router(config-keychain-key)#cry
Router(config-keychain-key)#cryptographic-algorithm hm
Router(config-keychain-key)#cryptographic-algorithm hmac-sha-1
Router(config-keychain-key)#exit
Router(config-keychain)#exit
Router(config)#
Router(config)#
Router(config)#int Gi0/0/1
Router(config-if)#ospfv3 authen key-chain OSPF-KEYS
Router(config-if)#
Router(config-if)#^Z
Router#
Router#
Router#
Router#
*Nov  3 15:40:18.774: %SYS-5-CONFIG_I: Configured from console by console
Router#show ospfv3 int
GigabitEthernet0/0/1 is administratively down, line protocol is down
  Link Local Address FE80::B28B:CFFF:FE1B:3601, Interface ID 8
  Area 0, Process ID 1, Instance ID 0, Router ID 1.1.1.1
  Network Type BROADCAST, Cost: 1
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-1 - key chain OSPF-KEYS
  Transmit Delay is 1 sec, State DOWN, Priority 1
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Router#
Router#
Router#

I've struggled a bit to choose the right parameters for the keys. So apparently the send-lifetime must be (!) in the past and it seems that only SHA1 is a valid algorithm for the IPsec/AH authentication for OSPFv3.

The key-string parameter must match on both or all ends of the OSPF link.
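
An added example, not part of the original post and not Cisco tooling: a small Python audit of a saved configuration that flags OSPFv3 interfaces with no `ospfv3 authentication key-chain`, or whose key chain has no key with an accepted algorithm (the condition behind the `%OSPFv3-5-NOCRYPTOALG` message above). The `audit` function, the sample config and the accepted-algorithm set beyond hmac-sha-1 are assumptions; key lifetimes are not evaluated.

```python
# Assumption: key-chain algorithms OSPFv3 accepts. The thread shows hmac-sha-1
# accepted and md5 rejected; the other HMAC-SHA variants are assumed here.
ACCEPTED = {"hmac-sha-1", "hmac-sha-256", "hmac-sha-384", "hmac-sha-512"}

# Constructed sample config, modelled on the session in the post above.
SAMPLE = """\
key chain OSPF-KEYS
 key 1
  key-string ospf-key-1
  cryptographic-algorithm md5
interface GigabitEthernet0/0/0
 ipv6 ospf 1 area 0
interface GigabitEthernet0/0/1
 ipv6 ospf 1 area 0
 ospfv3 authentication key-chain OSPF-KEYS
"""

def audit(config):
    """Return sorted (interface, problem) pairs for OSPFv3-enabled interfaces."""
    chains, ifaces = {}, {}   # chain name -> {key id: algorithm}; name -> state
    chain = iface = key = None
    for line in filter(str.strip, config.splitlines()):   # skip blank lines
        w = line.split()
        if not line[0].isspace():          # a top-level line opens a new section
            chain = iface = key = None
            if w[:2] == ["key", "chain"] and len(w) == 3:
                chain = chains.setdefault(w[2], {})
            elif w[0] == "interface" and len(w) == 2:
                iface = ifaces.setdefault(w[1], {"ospf": False, "auth": None})
        elif chain is not None:
            if w[0] == "key" and len(w) == 2:
                key = w[1]
                chain[key] = None          # no algorithm seen yet for this key
            elif w[0] == "cryptographic-algorithm" and key and len(w) == 2:
                chain[key] = w[1]
        elif iface is not None:
            if w[:3] == ["ospfv3", "authentication", "key-chain"] and len(w) == 4:
                iface["auth"] = w[3]
            elif "area" in w and (w[:2] == ["ipv6", "ospf"] or w[0] == "ospfv3"):
                iface["ospf"] = True       # also matches "ospfv3 <id> ipv6 area <a>"
    findings = []
    for name, st in ifaces.items():
        algs = chains.get(st["auth"], {}).values()
        if st["ospf"] and st["auth"] is None:
            findings.append((name, "no ospfv3 authentication key-chain"))
        elif st["ospf"] and not ACCEPTED.intersection(algs):
            findings.append((name, "no usable key in key chain " + st["auth"]))
    return sorted(findings)
```

Running `audit(SAMPLE)` reports both interfaces; changing the key's algorithm to hmac-sha-1 clears the finding for GigabitEthernet0/0/1.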

Harold Ritter
Cisco Employee

Strange. I just tried it with a CSR1k image and it works. I would open a TAC case or upgrade to a new image if I were you.

 

XE-1#sh ver | incl Fuji
Cisco IOS Software [Fuji], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.7.1, RELEASE SOFTWARE (fc6)
XE-1#config t
Enter configuration commands, one per line. End with CNTL/Z.
XE-1(config)#int gi2
XE-1(config-if)#ipv6 ospf ?
<1-65535> Process ID
adjacency Adjacency staggering
authentication Enable authentication
bfd Enable BFD on this interface
XE-1(config-if)#ipv6 ospf

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México