OSPFv3 Authentication
This example shows the configuration required to enable OSPFv3 authentication with IPsec on an OSPFv3-enabled interface. R1 and R2 are two routers in Area 0 connected to the network 2000::/64.
Note: You must explicitly specify a Router ID for the OSPFv3 process to be activated.
Topology
Figure 12-100: OSPFv3 Authentication
R1
| Command | Description |
|---|---|
| #configure terminal | Enter configure mode. |
| (config)#crypto ipsec transform-set tset1 esp-auth esp-md5 esp-enc esp-3des | Create a transform set naming the ESP authentication (esp-md5) and encryption (esp-3des) algorithms. |
| (config)#crypto map map1 ipsec-manual | Create a crypto map that uses manual keying. |
| (config-crypto)#sequence 100 | Create a sequence entry in the crypto map. |
| (config-crypto-seq)#set transform-set tset1 | Attach the transform set to the crypto map sequence. |
| (config-crypto-seq)#set peer fe80::923c:b3ff:fe82:8d88 spi 2 | Set the IPv6 link-local address of the peer (the OSPFv3 neighbor) and the SPI of the SA the peer sends on. |
| (config-crypto-seq)#set session-key outbound esp 1 cipher 66546A576E5A72346A586E3272357538782F413F4428472B authenticator 3777217A25432A46763979244226452948404D6351655468 | Set the outbound SPI and the session key: the cipher key for ESP encryption and the authenticator key for ESP integrity, both as hex strings. |
| (config-crypto-seq)#exit | Exit crypto map sequence mode. |
| (config-crypto)#exit | Exit crypto map mode. |
| (config)#router ipv6 ospf 1 | Create an OSPFv3 routing instance. |
| (config-router)#router-id 1.1.1.1 | Specify a Router ID for the OSPFv3 routing process. |
| (config-router)#exit | Exit OSPF router mode. |
| (config)#interface eth1 | Enter interface mode. |
| (config-if)#ipv6 router ospf area 0 tag 1 | Enable OSPFv3 routing on the interface and assign it to Area 0. |
| (config-if)#ipv6 ospf authentication cryptomap map1 | Enable OSPFv3 authentication on the interface by applying the configured crypto map. |
| (config-if)#commit | Commit the candidate configuration to the running configuration. |
R2
| Command | Description |
|---|---|
| #configure terminal | Enter configure mode. |
| (config)#crypto ipsec transform-set tset1 esp-auth esp-md5 esp-enc esp-3des | Create a transform set naming the ESP authentication (esp-md5) and encryption (esp-3des) algorithms. |
| (config)#crypto map map1 ipsec-manual | Create a crypto map that uses manual keying. |
| (config-crypto)#sequence 100 | Create a sequence entry in the crypto map. |
| (config-crypto-seq)#set transform-set tset1 | Attach the transform set to the crypto map sequence. |
| (config-crypto-seq)#set peer fe80::fa8e:a1ff:fe0b:dd9a spi 1 | Set the IPv6 link-local address of the peer (the OSPFv3 neighbor) and the SPI of the SA the peer sends on. |
| (config-crypto-seq)#set session-key outbound esp 2 cipher 66546A576E5A72346A586E3272357538782F413F4428472B authenticator 3777217A25432A46763979244226452948404D6351655468 | Set the outbound SPI and the session key: the cipher key for ESP encryption and the authenticator key for ESP integrity, both as hex strings. |
| (config-crypto-seq)#exit | Exit crypto map sequence mode. |
| (config-crypto)#exit | Exit crypto map mode. |
| (config)#router ipv6 ospf 1 | Create an OSPFv3 routing instance. |
| (config-router)#router-id 2.2.2.2 | Specify a Router ID for the OSPFv3 routing process. |
| (config-router)#exit | Exit OSPF router mode. |
| (config)#interface eth2 | Enter interface mode. |
| (config-if)#ipv6 router ospf area 0 tag 1 | Enable OSPFv3 routing on the interface and assign it to Area 0. |
| (config-if)#ipv6 ospf authentication cryptomap map1 | Enable OSPFv3 authentication on the interface by applying the configured crypto map. |
| (config-if)#commit | Commit the candidate configuration to the running configuration. |
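Manual keying has no negotiation to catch mistakes, so the two crypto maps have to be checked against each other by hand. The following Python script is an added example, not part of the original guide: it parses each router's ipsec-manual crypto map and checks that each outbound SPI equals the other side's peer SPI, that both ends hold the same cipher and authenticator keys, and that each key has the size its algorithm expects (RFC 4552 key sizes: 3DES 192 bits, HMAC-MD5 128 bits, HMAC-SHA1 160 bits). The sample inputs are constructed from the R1 and R2 steps above, using the 32-hex-digit authenticator as it appears in the show running-config ipsec output.

```python
import re

# Key sizes in bits per RFC 4552 for the algorithms a transform set can name.
KEY_BITS = {"esp-3des": 192, "esp-md5": 128, "esp-sha1": 160}

# Constructed sample input: the R1 and R2 crypto-map text from the steps
# above, with the authenticator as shown in 'show running-config ipsec'.
R1_CFG = """crypto ipsec transform-set tset1 esp-auth esp-md5 esp-enc esp-3des
crypto map map1 ipsec-manual
 sequence 100
  set transform-set tset1
  set peer fe80::923c:b3ff:fe82:8d88 spi 2
  set session-key outbound esp 1 cipher 66546A576E5A72346A586E3272357538782F413F4428472B authenticator 3777217A25432A467639792442264529"""
R2_CFG = """crypto ipsec transform-set tset1 esp-auth esp-md5 esp-enc esp-3des
crypto map map1 ipsec-manual
 sequence 100
  set transform-set tset1
  set peer fe80::fa8e:a1ff:fe0b:dd9a spi 1
  set session-key outbound esp 2 cipher 66546A576E5A72346A586E3272357538782F413F4428472B authenticator 3777217A25432A467639792442264529"""

def parse_manual_map(text):
    """Pull the transform-set algorithms and the manual SA parameters out of one router's config."""
    algs = re.search(r"transform-set \S+ esp-auth (\S+) esp-enc (\S+)", text)
    peer = re.search(r"set peer (\S+) spi (\d+)", text)
    key = re.search(r"outbound esp (\d+) cipher ([0-9A-Fa-f]+) authenticator ([0-9A-Fa-f]+)", text)
    if not (algs and peer and key):
        raise ValueError("incomplete ipsec-manual crypto map")
    return {"auth_alg": algs.group(1), "enc_alg": algs.group(2),
            "peer": peer.group(1), "peer_spi": int(peer.group(2)),
            "out_spi": int(key.group(1)), "cipher": key.group(2).upper(),
            "authenticator": key.group(3).upper()}

def check_pair(a, b):
    """Return the list of mismatches between two ends; an empty list means they agree."""
    findings = []
    # Each router's outbound SPI must be the SPI the other router expects from its peer.
    if a["out_spi"] != b["peer_spi"] or b["out_spi"] != a["peer_spi"]:
        findings.append("spi-mismatch")
    for side in (a, b):
        # Four bits per hex digit; the length must fit the algorithm named in the transform set.
        if len(side["cipher"]) * 4 != KEY_BITS[side["enc_alg"]]:
            findings.append("cipher-key-length")
        if len(side["authenticator"]) * 4 != KEY_BITS[side["auth_alg"]]:
            findings.append("auth-key-length")
    # Manual keying: both ends must be loaded with identical key material.
    if a["cipher"] != b["cipher"] or a["authenticator"] != b["authenticator"]:
        findings.append("key-mismatch")
    return findings
```

Run check_pair(parse_manual_map(R1_CFG), parse_manual_map(R2_CFG)) and an empty list means the pair above is consistent; any finding names what to correct before committing on either router.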
Validation
R1
R1#show running-config ipsec
!
crypto ipsec transform-set tset1 esp-auth esp-md5 esp-enc esp-3des
crypto map map1 ipsec-manual
sequence 100
set transform-set tset1
set peer fe80::fa8e:a1ff:fe0b:dd9a spi 2
set session-key outbound esp 1 cipher 66546A576E5A72346A586E3272357538782F413F4428472B authenticator 3777217A25432A467639792442264529
!
R1#
R1#show running-config ospfv3
!
router ipv6 ospf 1
router-id 1.1.1.1
!
interface eth1
ipv6 router ospf area 0.0.0.0 tag 1 instance-id 0
ipv6 ospf authentication cryptomap map1
!
R1#show ipv6 ospf neighbor
Total number of full neighbors: 1
OSPFv3 Process (1)
Neighbor ID Pri State Dead Time Interface Instance ID
2.2.2.2 1 Full/DR 00:00:12 eth1 0
R1#show ipv6 ospf neighbor detail
Neighbor 2.2.2.2, interface address fe80::923c:b3ff:fe82:8d88
In the area 0.0.0.0 via interface ce0
Neighbor priority is 1, State is Full, 6 state changes
DR is 2.2.2.2 BDR is 1.1.1.1
Options is 0x000113 (AF|*|*|-|R|-|-|E|V6)
Dead timer due in 00:00:34
Database Summary List 0
Link State Request List 0
Link State Retransmission List 0
Bidirectional Forwarding Detection is enabled
R1#show crypto ipsec sadb
SRC: fe80::923c:b3ff:fe82:8d88 DST:fe80::fa8e:a1ff:fe0b:dd9a
SA: spi=0x2 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Wed Jun 22 03:32:11 2022 First Used at=Never Used
Used bytes=0 Used Count=0
SRC: fe80::923c:b3ff:fe82:8d88 DST:ff02::6
SA: spi=0x2 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Wed Jun 22 03:32:11 2022 First Used at=Never Used
Used bytes=0 Used Count=0
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:ff02::6
SA: spi=0x1 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Wed Jun 22 03:32:11 2022 First Used at=Never Used
Used bytes=0 Used Count=0
SRC: fe80::923c:b3ff:fe82:8d88 DST:ff02::5
SA: spi=0x2 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Wed Jun 22 03:32:11 2022 First Used at=Wed Jun 22 03:32:20 2022
Used bytes=0 Used Count=0
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:ff02::5
SA: spi=0x1 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Wed Jun 22 03:32:11 2022 First Used at=Wed Jun 22 03:32:21 2022
Used bytes=908 Used Count=25
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:2000::2
SA: spi=0x1 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Wed Jun 22 03:32:11 2022 First Used at=Never Used
Used bytes=0 Used Count=0
R1#show crypto ipsec spdb
SRC:2000::2 DST:ff02::6
Policy Type=ipsec Dir=in
Added at=Wed Jun 22 03:32:11 2022 First Used at=Never Used
SRC:2000::2 DST:ff02::5
Policy Type=ipsec Dir=in
Added at=Wed Jun 22 03:32:11 2022 First Used at=Never Used
SRC:2000::2 DST:fe80::fa8e:a1ff:fe0b:dd9a
Policy Type=ipsec Dir=in
Added at=Wed Jun 22 03:32:11 2022 First Used at=Never Used
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:ff02::6
Policy Type=ipsec Dir=out
Added at=Wed Jun 22 03:32:11 2022 First Used at=Never Used
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:ff02::5
Policy Type=ipsec Dir=out
Added at=Wed Jun 22 03:32:11 2022 First Used at=Wed Jun 22 03:35:02 2022
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:2000::2
Policy Type=ipsec Dir=out
Added at=Wed Jun 22 03:32:11 2022 First Used at=Never Used
root@R1:~# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
03:33:20.393469 IP6 fe80::923c:b3ff:fe82:8d88 > ff02::5: ESP(spi=0x00000002,seq=0x8), length 68
03:33:21.174899 IP6 fe80::fa8e:a1ff:fe0b:dd9a > ff02::5: ESP(spi=0x00000001,seq=0x7), length 68
03:33:30.394602 IP6 fe80::923c:b3ff:fe82:8d88 > ff02::5: ESP(spi=0x00000002,seq=0x9), length 68
03:33:32.175157 IP6 fe80::fa8e:a1ff:fe0b:dd9a > ff02::5: ESP(spi=0x00000001,seq=0x8), length 68
R2
R2#show running-config ipsec
!
crypto ipsec transform-set tset1 esp-auth esp-md5 esp-enc esp-3des
crypto map map1 ipsec-manual
sequence 100
set transform-set tset1
set peer fe80::fa8e:a1ff:fe0b:dd9a spi 1
set session-key outbound esp 2 cipher 462D4A614E6452675166546A576E5A723475377821412544 authenticator 3777217A25432A467639792442264529
!
R2#show running-config ospfv3
!
router ipv6 ospf 1
router-id 2.2.2.2
bfd all-interfaces
!
interface ce1
ipv6 router ospf area 0.0.0.0 tag 1 instance-id 0
ipv6 ospf authentication cryptomap map1
!
R2#show ipv6 ospf neighbor
Total number of full neighbors: 1
OSPFv3 Process (1)
Neighbor ID Pri State Dead Time Interface Instance ID
1.1.1.1 1 Full/Backup 00:00:31 ce1 0
R2#show ipv6 ospf neighbor detail
Neighbor 1.1.1.1, interface address fe80::fa8e:a1ff:fe0b:dd9a
In the area 0.0.0.0 via interface ce1
Neighbor priority is 1, State is Full, 6 state changes
DR is 2.2.2.2 BDR is 1.1.1.1
Options is 0x000113 (AF|*|*|-|R|-|-|E|V6)
Dead timer due in 00:00:37
Database Summary List 0
Link State Request List 0
Link State Retransmission List 0
Bidirectional Forwarding Detection is enabled
R2#show crypto ipsec sadb
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:fe80::923c:b3ff:fe82:8d88
SA: spi=0x1 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Mon Feb 18 07:39:12 2019 First Used at=Never Used
Used bytes=0 Used Count=0
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:ff02::6
SA: spi=0x1 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Mon Feb 18 07:39:12 2019 First Used at=Never Used
Used bytes=0 Used Count=0
SRC:fe80::923c:b3ff:fe82:8d88 DST:ff02::6
SA: spi=0x2 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Mon Feb 18 07:39:12 2019 First Used at=Never Used
Used bytes=0 Used Count=0
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:ff02::5
SA: spi=0x1 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Mon Feb 18 07:39:12 2019 First Used at=Mon Feb 18 07:39:14 2019
Used bytes=16072 Used Count=399
SRC:fe80::923c:b3ff:fe82:8d88 DST:ff02::5
SA: spi=0x2 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Mon Feb 18 07:39:12 2019 First Used at=Mon Feb 18 07:39:20 2019
Used bytes=16096 Used Count=399
SRC:fe80::923c:b3ff:fe82:8d88 DST:fe80::fa8e:a1ff:fe0b:dd9a
SA: spi=0x2 sta=MATURE auth=SHA1HMAC enc=3DES
Added at=Mon Feb 18 07:39:12 2019 First Used at=Never Used
Used bytes=0 Used Count=0
R2#show crypto ipsec spdb
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:ff02::6
Policy Type=ipsec Dir=in
Added at=Mon Feb 18 07:39:12 2019 First Used at=Never Used
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:ff02::5
Policy Type=ipsec Dir=in
Added at=Mon Feb 18 07:39:12 2019 First Used at=Mon Feb 18 08:44:24 2019
SRC:fe80::fa8e:a1ff:fe0b:dd9a DST:fe80::923c:b3ff:fe82:8d88
Policy Type=ipsec Dir=in
Added at=Mon Feb 18 07:39:12 2019 First Used at=Never Used
SRC:fe80::923c:b3ff:fe82:8d88 DST:ff02::6
Policy Type=ipsec Dir=out
Added at=Mon Feb 18 07:39:12 2019 First Used at=Never Used
SRC:fe80::923c:b3ff:fe82:8d88 DST:ff02::5
Policy Type=ipsec Dir=out
Added at=Mon Feb 18 07:39:12 2019 First Used at=Mon Feb 18 08:44:21 2019
SRC:fe80::923c:b3ff:fe82:8d88 DST:fe80::fa8e:a1ff:fe0b:dd9a
Policy Type=ipsec Dir=out
Added at=Mon Feb 18 07:39:12 2019 First Used at=Never Used