Symptom:
A user is running OSPFv3 between two routers. Without IPsec authentication the routers form a neighbor relationship and exchange routes, but as soon as the interface command
ipv6 ospf authentication ipsec spi 111 sha1 <key> (or ipv6 ospf authentication ipsec md5 <key>) is applied, the neighbors go down. With "debug ipv6 ospf hello" enabled, you can still see hellos coming in and going out.
 
OSPFv3 Authentication Steps:
 
Authentication is enabled with a single command. IOS requires that IPsec for OSPFv3 be configured separately from a normal IPsec policy. IPsec authentication can be configured either per interface or per area. The configuration below shows per-interface authentication between R1 and R2.
 
R1:
 
ipv6 unicast-routing
ipv6 cef
 
interface FastEthernet1/0
no ip address
duplex auto
speed auto
ipv6 enable
ipv6 ospf 100 area 0
ipv6 ospf authentication ipsec spi 512 md5 1234567890ABCDEF1234567890ABCDEF
!
ipv6 router ospf 100
router-id 1.1.1.1
log-adjacency-changes
 
R2:
 
ipv6 unicast-routing
ipv6 cef
 
interface FastEthernet1/0
no ip address
duplex auto
speed auto
ipv6 enable
ipv6 ospf 100 area 0
ipv6 ospf authentication ipsec spi 512 md5 1234567890ABCDEF1234567890ABCDEF
!
ipv6 router ospf 100
router-id 2.2.2.2
log-adjacency-changes
 
Verification:
 
After configuring authentication on FastEthernet1/0 on both routers, you may see the OSPFv3 adjacency drop and re-form. The OSPFv3 interface display confirms that MD5 authentication is in use:
 
R1#sh ipv6 ospf int fa1/0
FastEthernet1/0 is up, line protocol is up
  Link Local Address FE80::C80D:18FF:FE4C:1C, Interface ID 4
  Area 0, Process ID 100, Instance ID 0, Router ID 1.1.1.1
  Network Type BROADCAST, Cost: 1
  MD5 authentication SPI 512, secure socket UP (errors: 0)
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 2.2.2.2, local address FE80::C20E:28FF:FE68:0
  Backup Designated router (ID) 1.1.1.1, local address FE80::C80D:18FF:FE4C:1C
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:02
  Graceful restart helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
R1#
 
You can also use the "show crypto ipsec sa" command to verify the IPsec security associations:
 
R1# show crypto ipsec sa
 
interface: FastEthernet1/0
    Crypto map tag: (none), local addr FE80::C80D:18FF:FE4C:1C
 
   IPsecv6 policy name: OSPFv3-100-512
   IPsecv6-created ACL name: FastEthernet1/0-ipsecv6-ACL
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (FE80::/10/89/0)
   remote ident (addr/mask/prot/port): (::/0/89/0)
   current_peer :: port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 77, #pkts encrypt: 77, #pkts digest: 77
    #pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: FE80::C80D:18FF:FE4C:1C,
     remote crypto endpt.: ::
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x200(512)
     PFS (Y/N): N, DH group: none
 
     inbound esp sas:
 
     inbound ah sas:
      spi: 0x200(512)
        transform: ah-md5-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000001, crypto map: (none)
        no sa timing
        replay detection support: N
        Status: ACTIVE
 
     inbound pcp sas:
 
     outbound esp sas:
 
     outbound ah sas:
      spi: 0x200(512)
        transform: ah-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000001, crypto map: (none)
        no sa timing
        replay detection support: N
        Status: ACTIVE
 
     outbound pcp sas:
R1#
 
If the key strings are the same on both sides, the router shows the expected output above, and you still see the symptoms described above, you might be hitting bug CSCtc72699.
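The checks this document walks through (matching SPI, algorithm and key on both routers, then "secure socket UP" with no errors but no adjacent neighbor) can be scripted. The following Python checker is an added example, not part of the original discussion; it assumes the authentication line and show output keep the exact formats shown above, and that IOS expects the key as 32 hex digits for MD5 and 40 for SHA-1.

```python
import re

# Constructed sample inputs, copied from the R1/R2 configs and the show output in this document.
R1_CFG = "ipv6 ospf 100 area 0\nipv6 ospf authentication ipsec spi 512 md5 1234567890ABCDEF1234567890ABCDEF\n"
R2_CFG = "ipv6 ospf 100 area 0\nipv6 ospf authentication ipsec spi 512 md5 1234567890ABCDEF1234567890ABCDEF\n"
R1_SHOW = ("  MD5 authentication SPI 512, secure socket UP (errors: 0)\n"
           "  Neighbor Count is 1, Adjacent neighbor count is 1\n")

AUTH_RE = re.compile(r"ipv6 ospf authentication ipsec spi (\d+) (md5|sha1) ([0-9A-Fa-f]+)")
SOCK_RE = re.compile(r"(MD5|SHA1) authentication SPI (\d+), secure socket (\w+) \(errors: (\d+)\)")
ADJ_RE = re.compile(r"Adjacent neighbor count is (\d+)")
# Hex digits expected per algorithm (assumption: 128-bit MD5 / 160-bit SHA-1 keys given in hex)
KEY_HEX_LEN = {"md5": 32, "sha1": 40}

def parse_auth(cfg):
    """Extract the manual-SA parameters (SPI, algorithm, key) from an interface's authentication line."""
    m = AUTH_RE.search(cfg)
    return None if m is None else {"spi": int(m.group(1)), "algo": m.group(2), "key": m.group(3).lower()}

def compare_auth(cfg_a, cfg_b):
    """Return a list of problems; both routers must carry the same SPI, algorithm and key."""
    a, b = parse_auth(cfg_a), parse_auth(cfg_b)
    problems = []
    for name, p in (("A", a), ("B", b)):
        if p is None:
            problems.append(f"{name}: no 'ipv6 ospf authentication ipsec' line")
        elif len(p["key"]) != KEY_HEX_LEN[p["algo"]]:
            problems.append(f"{name}: {p['algo']} key has {len(p['key'])} hex digits, expected {KEY_HEX_LEN[p['algo']]}")
    if a and b:
        for field in ("spi", "algo", "key"):
            if a[field] != b[field]:
                problems.append(f"{field} differs between A and B")
    return problems

def diagnose(cfg_a, cfg_b, show_ipv6_ospf_interface):
    """Classify the state as 'config-mismatch', 'sa-down', 'healthy' or 'sa-up-adjacency-down'."""
    if compare_auth(cfg_a, cfg_b):
        return "config-mismatch"
    sock = SOCK_RE.search(show_ipv6_ospf_interface)
    adj = ADJ_RE.search(show_ipv6_ospf_interface)
    if sock is None or sock.group(3) != "UP" or int(sock.group(4)) != 0:
        return "sa-down"
    if adj is not None and int(adj.group(1)) > 0:
        return "healthy"
    # Keys match and the SA is up with no errors, yet no adjacency: the symptom this document describes
    return "sa-up-adjacency-down"
```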
 
Workaround:
 
The workaround is to configure "no crypto engine onboard 0" and then issue "clear crypto sa". You could try this and see if it works.
 
Source Information:
This document is created from source discussion "IPv6 OSPFv3 authentication (MD5) not working"