OSPFv3 neighbors go down when IPsec authentication is applied on an interface


Symptom:

A user is running OSPFv3 between two routers. Without IPsec authentication the routers form a neighborship and exchange routes, but as soon as he applies the interface command

ipv6 ospf authentication ipsec spi 111 sha1 <key> / ipv6 ospf authentication ipsec md5 <key>

the neighbors go down. With "debug ipv6 ospf hello" enabled, hellos can still be seen coming in and going out.

OSPFv3 Authentication Steps:

Authentication is enabled with a single command. IOS requires IPsec for OSPFv3 to be configured separately from the normal IPsec policy configuration. IPsec authentication can be configured either per interface or per area. The configuration below shows per-interface authentication between R1 and R2.

R1:

ipv6 unicast-routing
ipv6 cef

interface FastEthernet1/0
no ip address
duplex auto
speed auto
ipv6 enable
ipv6 ospf 100 area 0
ipv6 ospf authentication ipsec spi 512 md5 1234567890ABCDEF1234567890ABCDEF
!
ipv6 router ospf 100
router-id 1.1.1.1
log-adjacency-changes

R2:

ipv6 unicast-routing
ipv6 cef

interface FastEthernet1/0
no ip address
duplex auto
speed auto
ipv6 enable
ipv6 ospf 100 area 0
ipv6 ospf authentication ipsec spi 512 md5 1234567890ABCDEF1234567890ABCDEF
!
ipv6 router ospf 100
router-id 2.2.2.2
log-adjacency-changes


Verification:

After configuring authentication on FastEthernet1/0 on both routers, you may see the OSPFv3 adjacency drop and re-form. The OSPFv3 interface display confirms that MD5 authentication is in use and that the secure socket is up:


R1#sh ipv6 ospf int fa1/0
FastEthernet1/0 is up, line protocol is up
  Link Local Address FE80::C80D:18FF:FE4C:1C, Interface ID 4
  Area 0, Process ID 100, Instance ID 0, Router ID 1.1.1.1
  Network Type BROADCAST, Cost: 1
  MD5 authentication SPI 512, secure socket UP (errors: 0)
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 2.2.2.2, local address FE80::C20E:28FF:FE68:0
  Backup Designated router (ID) 1.1.1.1, local address FE80::C80D:18FF:FE4C:1C
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:02
  Graceful restart helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
R1#


You can also verify with the "show crypto ipsec sa" command, which shows the AH security associations created for the configured SPI:


R1# show crypto ipsec sa

interface: FastEthernet1/0
    Crypto map tag: (none), local addr FE80::C80D:18FF:FE4C:1C

   IPsecv6 policy name: OSPFv3-100-512
   IPsecv6-created ACL name: FastEthernet1/0-ipsecv6-ACL

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (FE80::/10/89/0)
   remote ident (addr/mask/prot/port): (::/0/89/0)
   current_peer :: port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 77, #pkts encrypt: 77, #pkts digest: 77
    #pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: FE80::C80D:18FF:FE4C:1C,
     remote crypto endpt.: ::
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x200(512)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:
      spi: 0x200(512)
        transform: ah-md5-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000001, crypto map: (none)
        no sa timing
        replay detection support: N
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:
      spi: 0x200(512)
        transform: ah-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000001, crypto map: (none)
        no sa timing
        replay detection support: N
        Status: ACTIVE

     outbound pcp sas:
R1#


If your key strings match on both sides, your routers show the expected output above, and you still see the symptoms described above, you may be hitting bug CSCtc72699.

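As an added example that is not part of the original document or of any Cisco tooling, the following Python script parses the interface authentication line from each router's configuration and the two show outputs above, reports any SPI, algorithm or key mismatch between the peers, and confirms that the secure socket is UP with no errors and that the AH SAs carry the configured SPI and transform. It assumes the exact IOS output format shown on this page, and the ah-sha-hmac transform name for the sha1 option is an assumption rather than something the page shows.

```python
import re

# Regexes for the IOS lines this page shows; the sha1 transform name is an assumption.
AUTH_RE = re.compile(r"ipv6 ospf authentication ipsec spi (\d+) (md5|sha1) (\S+)")
SOCKET_RE = re.compile(r"(MD5|SHA1) authentication SPI (\d+), secure socket (\w+) \(errors: (\d+)\)")
AH_SPI_RE = re.compile(r"spi: 0x[0-9A-Fa-f]+\((\d+)\)")
TRANSFORM_RE = re.compile(r"transform: (ah-\S+)")
TRANSFORM_FOR = {"md5": "ah-md5-hmac", "sha1": "ah-sha-hmac"}

def parse_auth(config):
    """Return the interface's configured SPI, algorithm and key, or None if absent."""
    m = AUTH_RE.search(config)
    if m is None:
        return None
    return {"spi": int(m.group(1)), "algo": m.group(2), "key": m.group(3)}

def compare_peers(cfg_a, cfg_b):
    """List every authentication parameter that differs between the two peers."""
    a, b = parse_auth(cfg_a), parse_auth(cfg_b)
    if a is None or b is None:
        return ["ipsec authentication is missing on one side"]
    return [f"{f} differs: {a[f]} vs {b[f]}" for f in ("spi", "algo", "key") if a[f] != b[f]]

def check_router(config, ospf_int_out, ipsec_sa_out):
    """Cross-check one router's auth line against its two show outputs; [] means consistent."""
    auth, m = parse_auth(config), SOCKET_RE.search(ospf_int_out)
    if auth is None or m is None:
        return ["no IPsec authentication configured or shown on this interface"]
    findings = []
    if m.group(1).lower() != auth["algo"] or int(m.group(2)) != auth["spi"]:
        findings.append(f"interface shows {m.group(1)} SPI {m.group(2)}, config has {auth['algo']} SPI {auth['spi']}")
    if m.group(3) != "UP" or int(m.group(4)):
        findings.append(f"secure socket {m.group(3)} with {m.group(4)} errors")
    # Inbound and outbound AH SAs must all carry the configured SPI and the matching transform.
    if set(AH_SPI_RE.findall(ipsec_sa_out)) != {str(auth["spi"])}:
        findings.append("AH SA SPI does not match the configured SPI")
    if set(TRANSFORM_RE.findall(ipsec_sa_out)) != {TRANSFORM_FOR[auth["algo"]]}:
        findings.append("AH transform does not match the configured algorithm")
    return findings

# Constructed samples: R1 lines are copied from the page; R2 is given a deliberately wrong key.
R1_CFG = "interface FastEthernet1/0\n ipv6 ospf authentication ipsec spi 512 md5 1234567890ABCDEF1234567890ABCDEF\n"
R2_CFG = "interface FastEthernet1/0\n ipv6 ospf authentication ipsec spi 512 md5 1234567890ABCDEF1234567890ABCDEE\n"
R1_OSPF_INT = "  MD5 authentication SPI 512, secure socket UP (errors: 0)\n"
R1_IPSEC_SA = ("     inbound ah sas:\n      spi: 0x200(512)\n        transform: ah-md5-hmac ,\n"
               "     outbound ah sas:\n      spi: 0x200(512)\n        transform: ah-md5-hmac ,\n")

if __name__ == "__main__":
    print(compare_peers(R1_CFG, R2_CFG))  # reports the key mismatch
    print(check_router(R1_CFG, R1_OSPF_INT, R1_IPSEC_SA))  # []
```

Run it against the real running-config and show output captured from both routers; an empty result from both checks on a still-flapping adjacency is the situation the bug note above describes.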

Workaround:

One workaround is to configure "no crypto engine onboard 0" and then issue "clear crypto sa". Try this and check whether the adjacency stays up.


Source Information:

This document was created from the discussion "IPv6 OSPFv3 authentication (MD5) not working".