※ Article moved over from note
Initial configuration
R1 --- R2
RT1
en
terminal length 0
conf t
hostname iosv-0
line console 0
logging synchronous
exit
!
ipv6 unicast-routing
!
router ospfv3 1
router-id 1.1.1.1
address-family ipv6 unicast
exit
exit
!
int gi0/0
ipv6 address 2001:1:1:12::1/64
ospfv3 1 ipv6 area 0
no shut
exit
!
int gi0/1
ipv6 address 2001:1:1:1::1/64
ospfv3 1 ipv6 area 1
no shut
end
!
[Added before pushing the config to RT2]
int gi0/0
ospfv3 authentication ipsec spi 256 md5 12345678901234567890123456789012
or
ipv6 ospf authentication ipsec spi 500 md5
Both look like MD5, but I'll also test whether it works with the ospfv3 ~ form on one side and the ipv6 ospf ~ form on the other.
RT2
en
terminal length 0
conf t
hostname iosv-1
line console 0
logging synchronous
exit
!
ipv6 unicast-routing
!
router ospfv3 1
router-id 2.2.2.2
address-family ipv6 unicast
exit
exit
!
int gi0/0
ipv6 address 2001:1:1:12::2/64
ospfv3 1 ipv6 area 0
no shut
exit
!
int gi0/1
ipv6 address 2001:1:1:2::2/64
ospfv3 1 ipv6 area 0
no shut
end
!
ospfv3 authentication
[Authentication configured on iosv-0 only]
(config)#int gi0/0
(config-if)#ospfv3 authentication ipsec spi 256 md5 0 12345678901234567890123456789012
iosv-0#sh run
<omitted>
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
media-type rj45
ipv6 address 2001:1:1:12::1/64
ospfv3 authentication ipsec spi 256 md5 12345678901234567890123456789012
ospfv3 1 ipv6 area 0
[Check on iosv-1]
iosv-1#sh ipv6 ospf neighbor
iosv-1#sh ipv6 route | b Application
lA - LISP away, a - Application
C 2001:1:1:2::/64 [0/0]
via GigabitEthernet0/1, directly connected
L 2001:1:1:2::2/128 [0/0]
via GigabitEthernet0/1, receive
C 2001:1:1:12::/64 [0/0]
via GigabitEthernet0/0, directly connected
L 2001:1:1:12::2/128 [0/0]
via GigabitEthernet0/0, receive
L FF00::/8 [0/0]
via Null0, receive
・This time md5 0 (cleartext) is used, so the password can be viewed in the running-config.
・iosv-1 has no authentication configured, so no OSPFv3 neighbor is formed.
iosv-1(config-if)#ospfv3 authentication ipsec spi 256 md5 0 1234567890123$ ipsec spi 256 md5 0 12345678901234567890123456789012
iosv-1(config-if)#
*Jun 20 11:50:33.229: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
iosv-1(config-if)#end
iosv-1#
*Jun 20 11:50:34.221: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Jun 20 11:50:34.794: %SYS-5-CONFIG_I: Configured from console by console
iosv-1#
*Jun 20 11:50:36.416: %OSPFv3-5-ADJCHG: Process 1, IPv6, Nbr 1.1.1.1 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
iosv-1#sh ipv6 ospf neighbor
OSPFv3 Router with ID (2.2.2.2) (Process ID 1)
Neighbor ID Pri State Dead Time Interface ID Interface
1.1.1.1 1 FULL/BDR 00:00:31 2 GigabitEthernet0/0
iosv-1#sh ipv6 route | b Application
lA - LISP away, a - Application
OI 2001:1:1:1::/64 [110/2]
via FE80::5054:FF:FE11:7105, GigabitEthernet0/0
C 2001:1:1:2::/64 [0/0]
via GigabitEthernet0/1, directly connected
L 2001:1:1:2::2/128 [0/0]
via GigabitEthernet0/1, receive
C 2001:1:1:12::/64 [0/0]
via GigabitEthernet0/0, directly connected
L 2001:1:1:12::2/128 [0/0]
via GigabitEthernet0/0, receive
L FF00::/8 [0/0]
via Null0, receive
・Authentication succeeds and the neighbor is formed without trouble.
ipv6 ospf authentication
[First, remove the authentication configuration that begins with ospfv3]
iosv-0(config-if)#ipv6 ospf authentication ipsec spi 256 md5 0 123$ion ipsec spi 256 md5 0 12345678901234567890123456789012
iosv-0(config-if)#
*Jun 20 11:56:08.297: %OSPFv3-5-ADJCHG: Process 1, IPv6, Nbr 2.2.2.2 on GigabitEthernet0/0 from LOADING to FULL, Loading Don
iosv-1#sh ipv6 ospf neighbor
OSPFv3 Router with ID (2.2.2.2) (Process ID 1)
Neighbor ID Pri State Dead Time Interface ID Interface
1.1.1.1 1 FULL/BDR 00:00:34 2 GigabitEthernet0/0
iosv-1#sh ipv6 route | b Application
lA - LISP away, a - Application
OI 2001:1:1:1::/64 [110/2]
via FE80::5054:FF:FE11:7105, GigabitEthernet0/0
C 2001:1:1:2::/64 [0/0]
via GigabitEthernet0/1, directly connected
L 2001:1:1:2::2/128 [0/0]
via GigabitEthernet0/1, receive
C 2001:1:1:12::/64 [0/0]
via GigabitEthernet0/0, directly connected
L 2001:1:1:12::2/128 [0/0]
via GigabitEthernet0/0, receive
L FF00::/8 [0/0]
via Null0, receive
・iosv-0(config-if)#ipv6 ospf authentication ipsec spi ~ md5 [0|7] ~
・iosv-1(config-if)#ospfv3 authentication ipsec spi ~ md5 [0|7] ~
The two sides were configured with different commands (same key), but authentication succeeded and the neighbor was formed.
area 0 ospf authentication
iosv-0(config-router)#area 0 ipsec spi 678 md5 0 12345678901234567890123456789012
iosv-0(config-router)#
*Jun 20 12:21:53.728: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
iosv-1(config-if)#ospfv3 authentication ipsec spi 678 md5 0 1234567890123$ ipsec spi 678 md5 0 12345678901234567890123456789012
iosv-1(config-if)#
*Jun 20 12:22:35.935: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
iosv-1(config-if)#
*Jun 20 12:22:36.744: %OSPFv3-5-ADJCHG: Process 1, IPv6, Nbr 1.1.1.1 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
・Only the iosv-0 side applied authentication to the area within the process, yet authentication succeeded.
・As a result, ipv6 ospf / ospfv3 / area 0 authentication turned out to be mutually compatible.
References
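As an added example (not part of the original notes), a small Python audit that parses the three equivalent command forms tested above out of "show run" text and flags the two things observed in these experiments: a SPI/key present on only one side (no neighbor forms) and keys stored with md5 0 (readable in the running-config). The sample configs, the PLACEHOLDER_TYPE7 string and the function names are constructed for this example.

```python
import re

# The three equivalent forms from the notes: interface-level ospfv3 / ipv6 ospf, process-level 'area N'.
AUTH_RE = re.compile(
    r"^\s*(?:ospfv3 authentication|ipv6 ospf authentication|area (?P<area>\d+))"
    r" ipsec spi (?P<spi>\d+) (?P<alg>md5|sha1) (?P<enc>[07]) (?P<key>\S+)\s*$"
)

def parse_auth(config):
    """Map scope (interface name, or 'area N') -> auth entry; enc 0 = cleartext key."""
    entries, iface = {}, None
    for line in config.splitlines():
        m = AUTH_RE.match(line)
        if m:
            scope = f"area {m['area']}" if m["area"] else iface
            entries[scope] = {"spi": int(m["spi"]), "alg": m["alg"],
                              "cleartext": m["enc"] == "0", "key": m["key"]}
        elif line and not line[0].isspace():  # new top-level block ends the interface
            top = re.match(r"interface (\S+)", line)
            iface = top.group(1) if top else None
    return entries

def audit(configs):
    """configs: {hostname: running-config} -> findings. Peers must agree on SPI,
    algorithm and key; 'md5 0' leaves the key readable in the running-config."""
    by_spi, findings = {}, []
    for host, cfg in configs.items():
        for scope, e in parse_auth(cfg).items():
            by_spi.setdefault(e["spi"], []).append((host, e))
            if e["cleartext"]:
                findings.append(f"{host} {scope}: spi {e['spi']} key stored in cleartext")
    for spi, uses in sorted(by_spi.items()):
        hosts = sorted({h for h, _ in uses})
        if len(hosts) < 2:
            findings.append(f"spi {spi} configured only on {', '.join(hosts)}")
        elif len({(e["alg"], e["key"]) for _, e in uses}) > 1:
            findings.append(f"spi {spi}: algorithm/key differ between {', '.join(hosts)}")
    return findings

# Constructed 'show run' fragments (indented as IOS prints them); the md5 7 value is a placeholder.
IOSV0 = """\
router ospfv3 1
 area 0 ipsec spi 678 md5 0 12345678901234567890123456789012
"""
IOSV1 = """\
interface GigabitEthernet0/0
 ipv6 ospf authentication ipsec spi 678 md5 0 12345678901234567890123456789012
interface GigabitEthernet0/1
 ospfv3 authentication ipsec spi 256 md5 7 PLACEHOLDER_TYPE7
"""
```

Running audit({"iosv-0": IOSV0, "iosv-1": IOSV1}) reports the two cleartext keys and that spi 256 exists only on iosv-1.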
Chapter: IPv6 Routing: OSPFv3 Authentication Support with IPsec