04-17-2013 11:39 PM
I may be misunderstanding something, but I've not been able to get Brocade and Cisco equipment to talk OSPFv3 with authentication or encryption enabled. I'm probably confused but I think my Brocade devices are setting up neighbors without authentication even when it's specified, on both FastIron SX and MLXe platforms.
Here's what I've run into. I'm adding SX800's and MLXe's to a network that includes Cisco IOS and IOS-XE devices.
So, quick summary: it sounds like Brocade only offers you one option, SHA1 authentication in ESP packets with no encryption, or else no auth and no encryption. Cisco lets you do just authentication, using SHA1 or MD5, or encryption with SHA1 or MD5 authentication and 3DES, AES-CBC, DES or null encryption.
The only working ospfv3 setup I have come up with is to set "ipv6 ospf authentication null" on my Cisco interfaces that talk to Brocade, then also set "ipv6 ospf encryption ipsec SPI # esp null sha1 KEY". I have yet to confirm with Cisco what it means if you are specifying sha1 auth in the encryption option while simultaneously specifying auth null as your auth parameter. The 'show' output on the Cisco side suggests 'null encryption' and 'authentication null' which I'd take to mean as none of either.
The weird part is that if I have that set on the Cisco side, and authentication set up on the Brocade side, the devices seem to accept these unauthenticated and unencrypted packets from the Cisco devices and set up the adjacency anyway. On the plus side, they only seem to do it if the SPI number and key match. So my questions end up being:
1) For true encryption, I believe Brocade would need to add support for that using a compatible protocol to match Cisco, such as AES?
2) I'm okay with just authentication for the time being, but is that what I'm really getting? Cisco says I'm not, Brocade says I am if I look at "show ipv6 ospf int X" on each side. I don't know enough about ESP to know if what is happening is effectively authentication.
04-18-2013 10:10 AM
Okay, to answer my own question after many hours of digging around and the help of Cisco support, here's the relevant info:
Supported IPSec Protocols: ESP (no AH support)
Supported ESP encryption algorithms: NULL
Supported ESP authentication algorithms: SHA1
Please note that in a multi-vendor network, you may need to enable encryption (with the algorithm set to null) in place of, or along with, authentication set to SHA1.
NULL encryption SHA-1 auth SPI 1000, secure socket UP (errors: 0)
What that really means is my interface actually is doing ESP with sha1 auth, but that the area auth has been disabled.
So there we have it, a five-minute config turned into a day; ugh.
Anyone running into this, the config you need on each side is:
Cisco side (IOS / IOS-XE interface):
    ipv6 ospf authentication null
    ipv6 ospf encryption ipsec spi #### esp null sha1 KEY
Brocade side (SX / MLXe interface):
    ipv6 ospf authentication ipsec spi #### esp sha1 KEY
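Added worked example (not from the original posts, and not Cisco's or Brocade's code) for the question raised in the first post, whether "null encryption, SHA-1 auth" in ESP is really authentication, and for the resulting config above. It builds and verifies ESP packets the way RFC 4303 lays them out, with NULL encryption (RFC 2410) and HMAC-SHA1-96 as the ICV (RFC 2404, the standard SHA1 authenticator for IPsec). Assumptions: the 20-byte key and the OSPFv3 Hello bytes are constructed for the example, SPI 1000 is taken from the show output above, and the IPv6 header and the anti-replay window are not modelled. The demo goes beyond the thread's single case by also trying a tampered packet, a wrong key and a wrong SPI.

```python
import hashlib
import hmac
import struct

# IP protocol number for OSPFv3; becomes the Next Header field in the ESP trailer.
PROTO_OSPF = 89
# HMAC-SHA1-96 (RFC 2404): the 20-byte HMAC-SHA1 is truncated to 12 bytes.
ICV_LEN = 12
# Constructed 20-byte SHA1 key for the example (an "esp null sha1 KEY" key is this length).
SAMPLE_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
SAMPLE_SPI = 1000  # the SPI shown in the "secure socket UP" output above


def esp_null_sha1_encapsulate(spi, seq, payload, key, next_header=PROTO_OSPF):
    """Frame `payload` as an ESP packet with NULL encryption (RFC 2410) and
    HMAC-SHA1-96 authentication (RFC 2404), in the RFC 4303 layout:
      SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV
    NULL encryption leaves the payload in the clear; only the ICV protects it."""
    # The ESP trailer (padding, pad length, next header) must end on a 4-byte boundary.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    # The ICV covers everything from the SPI through the Next Header field.
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_null_sha1_decapsulate(packet, key, expected_spi):
    """Check the SPI and ICV, then strip the ESP framing.
    Returns (seq, next_header, payload); raises ValueError on any failure."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short to be ESP")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    if spi != expected_spi:
        raise ValueError(f"SPI {spi} is not the configured SPI {expected_spi}")
    expected_icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected_icv):  # constant-time compare
        raise ValueError("ICV mismatch: wrong key, or packet altered in transit")
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return seq, next_header, payload


def accepted(packet, key, expected_spi):
    """True if the packet passes the SPI and ICV checks, False otherwise."""
    try:
        esp_null_sha1_decapsulate(packet, key, expected_spi)
        return True
    except ValueError:
        return False


def demo():
    """Show what 'null encryption, SHA-1 auth' buys: no confidentiality, but a
    packet with a modified payload, the wrong key or the wrong SPI is rejected."""
    # Constructed stand-in for an OSPFv3 Hello; real OSPFv3 header fields are not modelled.
    hello = b"OSPFv3 HELLO (constructed sample)"
    pkt = esp_null_sha1_encapsulate(SAMPLE_SPI, 1, hello, SAMPLE_KEY)
    visible_in_clear = hello in pkt                    # anyone on the link can read it
    genuine_ok = accepted(pkt, SAMPLE_KEY, SAMPLE_SPI)
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01                                # flip one bit of the payload
    tampered_ok = accepted(bytes(tampered), SAMPLE_KEY, SAMPLE_SPI)
    other_key = bytes.fromhex("deadbeef" * 5)          # 20 bytes, but not the shared key
    wrong_key_ok = accepted(pkt, other_key, SAMPLE_SPI)
    wrong_spi_ok = accepted(pkt, SAMPLE_KEY, SAMPLE_SPI + 1)
    return visible_in_clear, genuine_ok, tampered_ok, wrong_key_ok, wrong_spi_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False, False, False)
```

The ICV is an HMAC over the SPI, sequence number, payload and trailer under the shared key, which is why the adjacency only comes up when both SPI and key match on the two sides: a packet built with any other key or SPI fails the check. What it does not do is hide anything; with null encryption the Hello is readable by anyone on the segment, so "auth only" is exactly what the config above provides.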