Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11066
Views
10
Helpful
7
Replies

IPv6 OSPFv3 authentication (MD5) not working

gwhuang5398
Level 2
Level 2

‎11-09-2012 08:12 PM - edited ‎03-01-2019 05:37 PM

I'm configuring two 2800 routers (ADVENTERPRISEK9, 12.4(24)T2) for OSPFv3. The interfaces are Frame-relay multipoint interfaces on both routers. OSPFv3 is fine without authentication. But when I added same MD5 authentication to the two interfaces, OSPFv3 adjacency never came back up. I'm using the exact same command as IOS IPv6 configuration guide.

Here are the configs on the two routers. What could be incorrect? In "show ipv6 ospf interface", secure socket is shown "up".

R1#

interface Serial0/0/0.402 multipoint

ipv6 address FE80:1:1::1 link-local

ipv6 address 2001:1:1::1/64

ipv6 ospf network broadcast

ipv6 ospf 1 area 0

ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef

frame-relay map ipv6 FE80:1:1::2 402 broadcast

ipv6 router ospf 1

router-id 1.1.1.1

R2#

interface Serial0/0/0.204 multipoint

ipv6 address FE80:1:1::2 link-local

ipv6 address 2001:1:1::2/64

ipv6 ospf network broadcast

ipv6 ospf 1 area 0

ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef

frame-relay map ipv6 FE80:1:1::1 204 broadcast

ipv6 router ospf 1

router-id 1.1.1.2

R1#sh ipv6 ospf int s0/0/0.402

Serial0/0/0.402 is up, line protocol is up

  Link Local Address FE80:1:1::1, Interface ID 14

  Area 0, Process ID 1, Instance ID 0, Router ID 1.1.1.1

  Network Type BROADCAST, Cost: 64

  MD5 authentication SPI 1000, secure socket UP (errors: 0) Rack61R4#sh ipv6 os int s0/0/0.402

2 people had this problem
Labels:
0 Helpful
7 Replies 7

SunilKhanna
Level 1
Level 1

‎11-11-2012 10:47 PM

From R1, please share the output of command

  1. show crypto ipsec sa
  2. sh ipv6 ospf 1 nei

Thought of sharing a useful link you might like to read,

http://packetlife.net/blog/2008/sep/3/ospfv3-authentication/

Regards,

Sunil.

Regards, Sunil Khanna
0 Helpful

Deepak Ambotkar
Level 1
Level 1

‎11-12-2012 12:25 AM

I hope the keys are not mismatching.

Please try to debug ipv6 ospf packets, that will tell you exactly what is happening in the background.

Regards,

Deepu

0 Helpful

gwhuang5398
Level 2
Level 2
In response to Deepak Ambotkar

‎11-15-2012 02:56 PM

Before I added authentication, OSPFv3 adjacnecy and IPv6 routes were all correct. After I added authentication, OSPFv3 adjacency went down and never came back up. The link you posted is correct that OSPFv3 relies on IPSec for authentication. I have double checked MD5 password. It's the same on both routers.

Unlike in IPv4, the output from "debug ipv6 ospf packet" was really simple. I have checked debug ipv6 ospf hello too. It indicated Hello was sent out of the local router interface, but Hello from the other router was not received.

"show crypto ipsec sa" seems normal. Could this be IOS release specific? This is 2811 router 12.4(24)T2.

R2#sh crypto ipsec sa

interface: Serial0/0/0.204
    Crypto map tag: (none), local addr FE80:1:1::2

   IPsecv6 policy name: OSPFv3-1-500
   IPsecv6-created ACL name: Serial0/0/0.204-ipsecv6-ACL

   ...

    outbound esp sas:

     outbound ah sas:
      spi: 0x1F4(500)
        transform: ah-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2026, flow_id: NETGX:26, sibling_flags 80000001, crypto map: (none)
        no sa timing
        replay detection support: N
        Status: ACTIVE

0 Helpful

Deepak Ambotkar
Level 1
Level 1
In response to gwhuang5398

‎11-15-2012 09:32 PM

This is interesting. So did you "debug" on both routers? I mean the on the other router which did not send "hello"?

It can be an IOS bug since many old IOS's have bugs for IPv6 and continuously updated. Please try to upgrade to the latest and check. But I would really like to see "debug" on the other router too.

Regards,

Deepu

0 Helpful

petruxa_1980
Level 1
Level 1

‎02-18-2013 06:06 AM

I have had the same problem. The reason is a bug in Cisco IOS CSCtc72699.

Workaround:

The setting of "no crypto engine onboard 0" is added, and the

command of "clear crypto sa" is executed.

Before:

r1(config-if)#do sh crypto ipsec sa           

interface: Serial0/0/1

    Crypto map tag: (none), local addr FE80::219:E8FF:FEE0:3640

   IPsecv6 policy name: OSPFv3-2001-256

   IPsecv6-created ACL name: Serial0/0/1-ipsecv6-ACL

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (FE80::/10/89/0)

   remote ident (addr/mask/prot/port): (::/0/89/0)

   current_peer :: port 500

     PERMIT, flags={origin_is_acl,}

   #pkts encaps: 416, #pkts encrypt: 416, #pkts digest: 416

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: FE80::219:E8FF:FEE0:3640,

     remote crypto endpt.: ::

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1

     current outbound spi: 0x100(256)

     inbound esp sas:

     inbound ah sas:

      spi: 0x100(256)

        transform: ah-md5-hmac ,

        in use settings ={Transport, }

        conn id: 2005, flow_id: NETGX:5, crypto map: (none)

        no sa timing

        replay detection support: N

        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

      spi: 0x100(256)

        transform: ah-md5-hmac ,

        in use settings ={Transport, }

        conn id: 2006, flow_id: NETGX:6, crypto map: (none)

        no sa timing

        replay detection support: N

        Status: ACTIVE

     outbound pcp sas:

After:

r1#sh crypto ipsec sa

interface: Serial0/0/1

    Crypto map tag: (none), local addr FE80::219:E8FF:FEE0:3640

   IPsecv6 policy name: OSPFv3-2001-256

   IPsecv6-created ACL name: Serial0/0/1-ipsecv6-ACL

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (FE80::/10/89/0)

   remote ident (addr/mask/prot/port): (::/0/89/0)

   current_peer :: port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 56, #pkts encrypt: 56, #pkts digest: 56

    #pkts decaps: 55, #pkts decrypt: 55, #pkts verify: 55

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: FE80::219:E8FF:FEE0:3640,

     remote crypto endpt.: ::

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1

     current outbound spi: 0x100(256)

     inbound esp sas:

     inbound ah sas:

      spi: 0x100(256)

        transform: ah-md5-hmac ,

        in use settings ={Transport, }

        conn id: 1, flow_id: SW:1, crypto map: (none)

        no sa timing

        replay detection support: N

        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

      spi: 0x100(256)

        transform: ah-md5-hmac ,

        in use settings ={Transport, }

        conn id: 2, flow_id: SW:2, crypto map: (none)

        no sa timing

        replay detection support: N

        Status: ACTIVE

     outbound pcp sas:

Edwin Matos
Level 1
Level 1
In response to petruxa_1980

‎08-26-2013 02:38 PM

Golden Information I have 2 x 1841 with Version 12.4(24)T2. This is for my CCIE Lab. This case was driving me nuts I didn't want to let it go until I solved. Thanks to Petruxa now I can focus on something else.

Both routers fixed with

no crypto engine onboard 0

clear crypto sa

0 Helpful

VusiMtshali
Level 1
Level 1
In response to Edwin Matos

‎12-13-2013 05:59 AM

Had a similar problem on my CCIE LAB running IOS Version 12.4(15)T17 on 2811 routers.

Thanks a lot Petruxa.

Also fixed it with

no crypto engine onboard 0

clear crypto sa

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents