OSPFv3 with IPsec Authentication

Here comes a small lab consisting of three Cisco routers in which I used OSPFv3 for IPv6 with IPsec authentication. I am listing the configuration commands and some show commands. Furthermore, I am publishing a pcapng file so that you can have a look at it with Wireshark by yourself.

Note that I already published another lab about OSPFv3 for IPv6 with different routers and firewalls. This time I merely used three Cisco routers (2x 2851, 1x 2811, all with IOS version 15.1(4)M12a) but with IPsec authentication.

Laboratory

This is the complete lab with OSPFv3 in the middle between R4/R5 and R1:

Some notes about it:

  • single backbone area 0.0.0.0
  • passive-interface default
  • R4 and R5 distributing their default route ::/0
  • R1 is redistributing its routes learned from EIGRP, “Type-5 AS External Link States”
  • R1 also has a summary-prefix, just to have some variance in the lab. Note the “via Null0, directly connected” route in the show commands section.
  • OSPFv3 authentication via IPsec authentication header AH, manually configured on the involved interfaces with “ipv6 ospf authentication ipsec spi 2311 sha1 …”.
  • These “type 7 encrypted” stored passphrases can be reverted to its plain text values via password crackers. In my lab I used a randomly generated hex-string of 40 chars with KeePass pattern h{40}.
  • This automatically adds an IPv6 access-list. Refer to the show commands below where you can also see the appropriate IPsec crypto security associations.
  • In the trace file you’ll see the following three link-local IPv6 addresses:
    • R4: FE80::215:62FF:FE6A:FEF1
    • R5: FE80::225:45FF:FE60:17C1
    • R1: FE80::21E:7AFF:FE79:3F10

The configuration commands for all three routers are:

 

pcapng

Here you can download the zipped pcapng file. I captured in on R1 port fa0/0:

One more time I used my ProfiShark 1G for capturing the packets between the routers. See it hanging around in my lab. ;)

Analyzing the dump file with Wireshark you can see for example:

  1. The IPv6 Authentication Header. Note the “Next Header” field in the former packet, that is: the IPv6 header lists “Authentication Header” as the next header, while the authentication header lists “OSPF” as its next header.
  2. Note that OSPF is not a TCP/UDP protocol but an own IP protocol with number 89, refer to the IANA Protocol Numbers.
  3. OSPF update packet with LSA type 9 intra-area prefix LSA or
  4. OSPF update packet with LSA type 5 AS-external LSA advertising the default route ::/0 from both upstream routers in my lab, R4 and R5.

show

Finally, here are a few (many ;)) show commands from the router R1. Note the “SHA1 authentication SPI 2311” line at the neighbor, and the automatically generated IPv6 access-list entry and crypto policy:

 

Final note: I also tried to encrypt the OSPFv3 messages with IPsec/ESP aka “ipv6 ospf encryption …” rather than “ipv6 ospf authentication …” but I did not succeed. While I was able to configure those commands on all three routers without any errors (and also saw a couple of encrypted IPsec/ESP packets on the wire), no single neighborship was formed. Some further investigation using the Cisco Feature Navigator revealed that this feature called “OSPFv3 IPSec ESP Encryption and Authentication” is not available in the IOS version I am using in my lab (15.1(4)M12a) while the authentication featured called “IPv6 Routing: OSPFv3 Authentication Support with IPsec” in fact is. Don’t know why I was able to configure those commands while not fully implemented by Cisco?!?

Have a N.I.C.E. day!

For more posts about routing/switching you can follow the Routing” or “Switching” categories concerning various firewall/router vendors, or the “Cisco Router“/”Cisco Switch” tags for posts related to Cisco stuff.

Featured image “saentis_2017-09-21_32” by Jérôme is licensed under CC BY-NC-SA 2.0.

Leave a Reply

Your email address will not be published. Required fields are marked *