Monday, March 15, 2010

Dual stack lab: OSPFv2/v3 virtual link

Hi all,
after a nice working week, I've started refreshing some small things like Virtual Links.

As you guys may know, virtual links are used for two main purposes:
- allow an area that has no direct connection to area 0 to reach it through a transit area
- repair (or provide a fallback for) a discontiguous area 0

Just remember that a Virtual Link always belongs to area 0, and requires at least one side connected to an area 0 ABR.

Here I've done a simple lab with 4 routers, using a Virtual Link to repair a disconnected area 0.

My goal with this lab is to refresh Virtual Link authentication, using a full dual stack config.

Here are the initial configs:

Let's start with the OSPFv2/v3 configuration, tuning hello/dead timers to improve convergence (ehehe, a real-hardware advantage over simulators here :-) )


!-- ospf on R7
router ospf 1
router-id 7.7.7.7

ipv6 router ospf 1
router-id 7.7.7.7

int lo 0
ip ospf 1 area 0
ipv6 ospf 1 area 0

int fa 0/0
ip ospf 1 area 0
ipv6 ospf 1 area 0
ip ospf dead-interval minimal hello-multiplier 3
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
!-- END ospf on R7

!-- ospf on R8
router ospf 1
router-id 8.8.8.8

ipv6 router ospf 1
router-id 8.8.8.8

int lo 0
ip ospf 1 area 0
ipv6 ospf 1 area 0

int fa 0/0
ip ospf 1 area 0
ipv6 ospf 1 area 0
ip ospf dead-interval minimal hello-multiplier 3
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3

int fa 0/1
ip ospf 1 area 51
ipv6 ospf 1 area 51
ip ospf dead-interval minimal hello-multiplier 3
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
!-- END ospf on R8

!-- ospf on R9
router ospf 1
router-id 9.9.9.9

ipv6 router ospf 1
router-id 9.9.9.9

int lo 0
ip ospf 1 area 0
ipv6 ospf 1 area 0

int fa 0/0
ip ospf 1 area 0
ipv6 ospf 1 area 0
ip ospf dead-interval minimal hello-multiplier 3
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3

int fa 0/1
ip ospf 1 area 51
ipv6 ospf 1 area 51
ip ospf dead-interval minimal hello-multiplier 3
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
!-- END ospf on R9

!-- ospf on R10
router ospf 1
router-id 10.10.10.10

ipv6 router ospf 1
router-id 10.10.10.10

int lo 0
ip ospf 1 area 0
ipv6 ospf 1 area 0

int fa 0/0
ip ospf 1 area 0
ipv6 ospf 1 area 0
ip ospf dead-interval minimal hello-multiplier 3
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
!-- END ospf on R10


After our lovely IGP converged so fast, we're ready to create the virtual links on R8 and R9 to connect the two area 0s :-)

Without authentication the config looks like this on both sides, changing only the peer router-id:

router ospf 1
area 51 virtual-link 9.9.9.9 hello-interval 5 dead-interval 15

ipv6 router ospf 1
area 51 virtual-link 9.9.9.9 hello-interval 5 dead-interval 15

Note the hello/dead timers, modified to speed up the convergence of the virtual links too.

If we want to authenticate the virtual links, the configuration for OSPFv2 is pretty simple:

R8#sh run | sec router ospf
router ospf 1
router-id 8.8.8.8
log-adjacency-changes
area 51 virtual-link 9.9.9.9 hello-interval 5 dead-interval 15 authentication message-digest
area 51 virtual-link 9.9.9.9 message-digest-key 1 md5 CISCO


Here I'm using an MD5 hash; we can also use a plaintext password with:

R8(config-router)#do sh run | sec router ospf
router ospf 1
router-id 8.8.8.8
log-adjacency-changes
area 51 virtual-link 9.9.9.9 authentication authentication-key CISCO


And finally, I was really surprised that I couldn't get a working authentication config on OSPFv3! I have to say that OSPFv3 doesn't provide an authentication mechanism itself, but relies on IPv6 IPsec AH or ESP/AH.
That means you must have a crypto image to perform authentication on OSPFv3, but... for me there was something wrong. I tried different configurations, with different platforms/images (1841 with 12.4(24)T and 2811 with 12.4(22)T).

!--- authentication using AH and md5
area 51 virtual-link 8.8.8.8 authentication ipsec spi 1500 md5 0123456789ABCDEF0123456789ABCDEF

!--- I also tried:
!--- authentication using AH and sha1
area 51 virtual-link 8.8.8.8 authentication ipsec spi 1501 sha1 0123456789ABCDEF0123456789ABCDEF01234567

!--- authentication using ESP w/o encryption and AH md5
area 51 vir 8.8.8.8 encryption ipsec spi 555 esp null md5 0 0123456789ABCDEF0123456789ABCDEF

!--- authentication using ESP w/o encryption and AH sha
area 51 virtual-link 8.8.8.8 encryption ipsec spi 1900 esp null sha1 0123456789ABCDEF0123456789ABCDEF01234567
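As an added example (not from the original post), here is what the two authentication schemes above actually compute: the OSPFv2 keyed-MD5 digest behind "message-digest-key 1 md5 CISCO" (RFC 2328 Appendix D), and the 96-bit truncated HMAC ICV of the IPsec AH SA behind "authentication ipsec spi ... md5|sha1 <hex-key>" (RFC 2403/2404), including the key-length rule the hex keys above follow. The sample Hello packet, Key ID and sequence number are constructed, and the AH function takes the already-prepared immutable bytes rather than building a full IPv6/AH header.

```python
import hashlib
import hmac
import struct

# OSPFv2 cryptographic authentication (RFC 2328 Appendix D): the 8-byte Authentication
# field carries 2 reserved bytes, Key ID, Auth Data Length (16) and a 32-bit sequence
# number; MD5 is taken over the packet followed by the key zero-padded to 16 bytes, and
# the digest is appended after the packet, outside the OSPF length field.
AUTH_DATA_LEN = 16

def _pad_key(key: str) -> bytes:
    return key.encode()[:AUTH_DATA_LEN].ljust(AUTH_DATA_LEN, b"\x00")

def ospfv2_sign(packet: bytes, key: str, key_id: int, seq: int) -> bytes:
    """Fill the auth fields of a plain OSPFv2 packet and append the digest (wire format)."""
    pkt = bytearray(packet)
    pkt[12:14] = b"\x00\x00"                         # checksum is not used with AuType 2
    pkt[14:16] = struct.pack("!H", 2)                # AuType 2 = cryptographic
    pkt[16:24] = struct.pack("!HBBI", 0, key_id, AUTH_DATA_LEN, seq)
    return bytes(pkt) + hashlib.md5(bytes(pkt) + _pad_key(key)).digest()

def ospfv2_verify(wire: bytes, keys: dict) -> bool:
    """Receiver side: select the key by Key ID, recompute and compare in constant time."""
    length = struct.unpack("!H", wire[2:4])[0]
    pkt, digest = wire[:length], wire[length:length + AUTH_DATA_LEN]
    key = keys.get(wire[18])
    if key is None or wire[19] != AUTH_DATA_LEN or len(digest) != AUTH_DATA_LEN:
        return False
    return hmac.compare_digest(hashlib.md5(pkt + _pad_key(key)).digest(), digest)

# OSPFv3 has no authentication field of its own; the IOS command installs an IPsec AH SA
# whose ICV is HMAC-MD5-96 (RFC 2403) or HMAC-SHA-1-96 (RFC 2404), i.e. the HMAC
# truncated to 12 bytes. The hex key must be exactly the digest length, which is why
# the md5 keys above have 32 hex digits and the sha1 keys 40.
AH_KEY_HEX_LEN = {"md5": 32, "sha1": 40}

def ospfv3_ah_icv(alg: str, key_hex: str, covered: bytes) -> bytes:
    """ICV over the AH-protected bytes (mutable IPv6 fields and the ICV field already zeroed)."""
    if len(key_hex) != AH_KEY_HEX_LEN[alg]:
        raise ValueError(f"{alg} key must be {AH_KEY_HEX_LEN[alg]} hex digits")
    return hmac.new(bytes.fromhex(key_hex), covered, alg).digest()[:12]

# Constructed sample (not a capture from the lab): OSPFv2 Hello from router-id 8.8.8.8,
# area 0, 24-byte header + 20-byte Hello body, hello 10 / dead 40, no DR/BDR yet.
SAMPLE_HELLO = (struct.pack("!BBHIIHH", 2, 1, 44, 0x08080808, 0, 0, 0) + bytes(8)
                + struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0))
```

Running ospfv2_sign(SAMPLE_HELLO, "CISCO", 1, 1) and then ospfv2_verify with the right key, a wrong key and a modified body shows why a key mismatch or tampering on either side leaves the neighbors stuck with no adjacency rather than producing an error in the packet itself.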

It's embarrassing to admit that authentication on the virtual link for OSPFv3 hasn't worked as expected for me; here is some troubleshooting output:


R8(config-rtr)#do sh run | sec ipv6 router
ipv6 router ospf 1
router-id 8.8.8.8
log-adjacency-changes
area 51 virtual-link 9.9.9.9 authentication ipsec spi 1500 md5 0123456789ABCDEF0123456789ABCDEF

R8(config-rtr)#do sh ipv6 ospf nei

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
7.7.7.7           1   FULL/DR         00:00:02    3               FastEthernet0/0
9.9.9.9           1   FULL/ -         00:00:02    4               FastEthernet0/1

R8(config-rtr)#do sh ipv6 ospf int bri
Interface    PID   Area            Intf ID    Cost  State    Nbrs F/C
VL2          1     0               18         1     P2P      0/0
Lo0          1     0               12         1     LOOP     0/0
Fa0/0        1     0               3          1     BDR      1/1
Fa0/1        1     51              4          1     P2P      1/1

R8(config-rtr)#do sh ipv6 ospf int
OSPFv3_VL2 is up, line protocol is up
  Interface ID 18
  Area 0, Process ID 1, Instance ID 0, Router ID 8.8.8.8
  Network Type VIRTUAL_LINK, Cost: 1
  Configured as demand circuit.
  Run as demand circuit.
  DoNotAge LSA allowed.
  MD5 authentication SPI 1500, secure socket UP (errors: 0)
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
  Index 1/3/4, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

R8(config-rtr)#do sh crypto ipsec sa

interface: FastEthernet0/1
Crypto map tag: (none), local addr FC00:10:89::8

IPsecv6 policy name: OSPFv3-1-1500
IPsecv6-created ACL name: FastEthernet0/1-ipsecv6-ACL

protected vrf: (none)
local ident (addr/mask/prot/port): (FC00:10:89::8/128/89/0)
remote ident (addr/mask/prot/port): (FC00:10:89::9/128/89/0)
current_peer FC00:10:89::9 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: FC00:10:89::8,
remote crypto endpt.: FC00:10:89::9
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x5DC(1500)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:
spi: 0x5DC(1500)
transform: ah-md5-hmac ,
in use settings ={Transport, }
conn id: 2007, flow_id: FPGA:7, sibling_flags 80000001, crypto map: (none)
no sa timing
replay detection support: N
Status: ACTIVE

inbound pcp sas:

outbound esp sas:

outbound ah sas:
spi: 0x5DC(1500)
transform: ah-md5-hmac ,
in use settings ={Transport, }
conn id: 2008, flow_id: FPGA:8, sibling_flags 80000001, crypto map: (none)
no sa timing
replay detection support: N
Status: ACTIVE

outbound pcp sas:
R8(config-rtr)#


It seems that crypto IPsec is UP/ACTIVE, but they didn't form an adjacency, as they do without authentication.
Any suggestion/advice? {what a difficult world...}

:-)
Marco
