ospfv3 authentication issue

Ospfv3 authentication using the command ospfv3 authentication ipsec is not working - Is anyone encounter the same issue on CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S1

I tried all the combination possible but ospfv3 still can't come up. I am getting an error about query key failed or invalid certificate. Is this a bug or am I missing something.

 

Interface    PID   Area            AF         Cost  State Nbrs F/C
Lo0          2001  0               ipv6       1     LOOP  0/0
Gi1.57       2001  0               ipv6       1     BDR   1/1
Gi1.15       2001  0               ipv6       1     DR    0/1
Rack19R5#

interface GigabitEthernet1.15
 encapsulation dot1Q 15
 ip address 19.19.15.5 255.255.255.0
 ipv6 address 2001:19:15::5/64
 ipv6 nd ra suppress
 ospfv3 authentication ipsec spi 500 md5 7 00564453530D5A555B71151A5E4F5D46415958537978747A63667341574F545301
 ospfv3 2001 ipv6 area 0
end

 

=======

Feb 26 02:56:13.074: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000159312093568107 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 5, src_addr 0.0.0.0, dest_addr 0.0.0.0, SPI 0x1f4
Rack19R5#
*Feb 26 02:56:16.048: %PKI-4-CERTIFICATE_INVALID_SUBJECT: Certificate has a missing or invalid subject name.
Rack19R5#
*Feb 26 02:56:16.051: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Rack19R5#

Comments

  • works perfectly on gns, probably a csr1000v issue

  • There is a bug in the code dealing with ospfv3 authentication. Switch to encryption (ESP) and you should be good. Specifying null for the encryption will essientially provide you the same functionality as AH. 

     

    conf t

    int g1.15
    no ospfv3 authentication ipsec spi 500 md5 7 00564453530D5A555B71151A5E4F5D46415958537978747A63667341574F545301 

    ospfv3 encryption ipsec spi 500 esp null 7 00564453530D5A555B71151A5E4F5D46415958537978747A63667341574F545301

     

    end

     

  • Thanks so much.

    This sttupid bug makes me waste valuable study time.

Sign In or Register to comment.