cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7996
Views
10
Helpful
7
Replies
Highlighted
Explorer

IPv6 OSPFv3 authentication (MD5) not working

I'm configuring two 2800 routers (ADVENTERPRISEK9, 12.4(24)T2) for OSPFv3. The interfaces are Frame-relay multipoint interfaces on both routers. OSPFv3 is fine without authentication. But when I added same MD5 authentication to the two interfaces, OSPFv3 adjacency never came back up. I'm using the exact same command as IOS IPv6 configuration guide.

Here are the configs on the two routers. What could be incorrect? In "show ipv6 ospf interface", secure socket is shown "up".

R1#

interface Serial0/0/0.402 multipoint

ipv6 address FE80:1:1::1 link-local

ipv6 address 2001:1:1::1/64

ipv6 ospf network broadcast

ipv6 ospf 1 area 0

ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef

frame-relay map ipv6 FE80:1:1::2 402 broadcast

ipv6 router ospf 1

router-id 1.1.1.1

R2#

interface Serial0/0/0.204 multipoint

ipv6 address FE80:1:1::2 link-local

ipv6 address 2001:1:1::2/64

ipv6 ospf network broadcast

ipv6 ospf 1 area 0

ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef

frame-relay map ipv6 FE80:1:1::1 204 broadcast

ipv6 router ospf 1

router-id 1.1.1.2

R1#sh ipv6 ospf int s0/0/0.402

Serial0/0/0.402 is up, line protocol is up

  Link Local Address FE80:1:1::1, Interface ID 14

  Area 0, Process ID 1, Instance ID 0, Router ID 1.1.1.1

  Network Type BROADCAST, Cost: 64

  MD5 authentication SPI 1000, secure socket UP (errors: 0) Rack61R4#sh ipv6 os int s0/0/0.402

7 REPLIES 7
Highlighted
Beginner

From R1, please share the output of command

  1. show crypto ipsec sa
  2. sh ipv6 ospf 1 nei

Thought of sharing a useful link you might like to read,

http://packetlife.net/blog/2008/sep/3/ospfv3-authentication/

Regards,

Sunil.

Regards, Sunil Khanna
Highlighted

I hope the keys are not mismatching.

Please try to debug ipv6 ospf packets, that will tell you exactly what is happening in the background.

Regards,

Deepu

Highlighted

Before I added authentication, OSPFv3 adjacnecy and IPv6 routes were all correct. After I added authentication, OSPFv3 adjacency went down and never came back up. The link you posted is correct that OSPFv3 relies on IPSec for authentication. I have double checked MD5 password. It's the same on both routers.

Unlike in IPv4, the output from "debug ipv6 ospf packet" was really simple. I have checked debug ipv6 ospf hello too. It indicated Hello was sent out of the local router interface, but Hello from the other router was not received.

"show crypto ipsec sa" seems normal. Could this be IOS release specific? This is 2811 router 12.4(24)T2.

R2#sh crypto ipsec sa

interface: Serial0/0/0.204
    Crypto map tag: (none), local addr FE80:1:1::2

   IPsecv6 policy name: OSPFv3-1-500
   IPsecv6-created ACL name: Serial0/0/0.204-ipsecv6-ACL

   ...

    outbound esp sas:

     outbound ah sas:
      spi: 0x1F4(500)
        transform: ah-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2026, flow_id: NETGX:26, sibling_flags 80000001, crypto map: (none)
        no sa timing
        replay detection support: N
        Status: ACTIVE

Highlighted

This is interesting. So did you "debug" on both routers? I mean the on the other router which did not send "hello"?

It can be an IOS bug since many old IOS's have bugs for IPv6 and continuously updated. Please try to upgrade to the latest and check. But I would really like to see "debug" on the other router too.

Regards,

Deepu

Highlighted
Beginner

I have had the same problem. The reason is a bug in Cisco IOS CSCtc72699.

Workaround:

The setting of "no crypto engine onboard 0" is added, and the

command of "clear crypto sa" is executed.

Before:

r1(config-if)#do sh crypto ipsec sa           

interface: Serial0/0/1

    Crypto map tag: (none), local addr FE80::219:E8FF:FEE0:3640

   IPsecv6 policy name: OSPFv3-2001-256

   IPsecv6-created ACL name: Serial0/0/1-ipsecv6-ACL

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (FE80::/10/89/0)

   remote ident (addr/mask/prot/port): (::/0/89/0)

   current_peer :: port 500

     PERMIT, flags={origin_is_acl,}

   #pkts encaps: 416, #pkts encrypt: 416, #pkts digest: 416

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: FE80::219:E8FF:FEE0:3640,

     remote crypto endpt.: ::

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1

     current outbound spi: 0x100(256)

     inbound esp sas:

     inbound ah sas:

      spi: 0x100(256)

        transform: ah-md5-hmac ,

        in use settings ={Transport, }

        conn id: 2005, flow_id: NETGX:5, crypto map: (none)

        no sa timing

        replay detection support: N

        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

      spi: 0x100(256)

        transform: ah-md5-hmac ,

        in use settings ={Transport, }

        conn id: 2006, flow_id: NETGX:6, crypto map: (none)

        no sa timing

        replay detection support: N

        Status: ACTIVE

     outbound pcp sas:

After:

r1#sh crypto ipsec sa

interface: Serial0/0/1

    Crypto map tag: (none), local addr FE80::219:E8FF:FEE0:3640

   IPsecv6 policy name: OSPFv3-2001-256

   IPsecv6-created ACL name: Serial0/0/1-ipsecv6-ACL

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (FE80::/10/89/0)

   remote ident (addr/mask/prot/port): (::/0/89/0)

   current_peer :: port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 56, #pkts encrypt: 56, #pkts digest: 56

    #pkts decaps: 55, #pkts decrypt: 55, #pkts verify: 55

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: FE80::219:E8FF:FEE0:3640,

     remote crypto endpt.: ::

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1

     current outbound spi: 0x100(256)

     inbound esp sas:

     inbound ah sas:

      spi: 0x100(256)

        transform: ah-md5-hmac ,

        in use settings ={Transport, }

        conn id: 1, flow_id: SW:1, crypto map: (none)

        no sa timing

        replay detection support: N

        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

      spi: 0x100(256)

        transform: ah-md5-hmac ,

        in use settings ={Transport, }

        conn id: 2, flow_id: SW:2, crypto map: (none)

        no sa timing

        replay detection support: N

        Status: ACTIVE

     outbound pcp sas:

Highlighted

Golden Information I have 2 x 1841 with Version 12.4(24)T2. This is for my CCIE Lab. This case was driving me nuts I didn't want to let it go until I solved. Thanks to Petruxa now I can focus on something else.

Both routers fixed with

no crypto engine onboard 0

clear crypto sa

Highlighted

Had a similar problem on my CCIE LAB running IOS Version 12.4(15)T17 on 2811 routers.

Thanks a lot Petruxa.

Also fixed it with

no crypto engine onboard 0

clear crypto sa

Content for Community-Ad
This widget could not be displayed.