Hello,
We are trying to set up OSPFv3 authentication over IPSEC under a lsys user and a specific vr.
On one side, we use an SRX1500 (Junos 18.2R3S2) and on the other side, we use two Cisco ASR1000s (IOS XE3.16).
We plan to use full encryption mode (ESP AES/SHA1), but we made a first attempt with authentication only (AH / SHA1).
The three routers are already adjacent without OSPFv3 IPSEC. The OSPFv3 area worked fine before the test.
- the Cisco config is quite simple and direct on the interface:
    ipv6 ospf authentication ipsec spi 256 sha1 7 <secret>
- the SRX config is based on this documentation:
user@SRX1500> show configuration logical-systems lsys1 security ipsec
security-association sa-ospf3-ah {
    description sa-ospfv3-ah;
    mode transport;
    manual {
        direction bidirectional {
            protocol ah;
            spi 256;
            authentication {
                algorithm hmac-sha1-96;
                key hexadecimal "secret";
            }
        }
    }
}
auge@SRX1500> show configuration logical-systems lsys1 routing-instances vr1 protocols ospf3 area 0
interface reth2.1 {
    priority 5;
    ipsec-sa sa-ospf3-ah;
}
{primary:node0}
user@SRX1500>
With this config, it doesn't work:
- both Cisco routers established the IPSEC traffic and became OSPFv3 adjacent
- the SRX sees OSPFv3 AH packets from the Cisco routers, but the SRX doesn't send any AH OSPFv3 packets!
I have not found any clear documentation regarding the way to configure OSPFv3 IPSEC authentication under a lsys user.
But if I take a look at the VPN IPSEC documentation, I see that IPSEC SAs have to be configured under the lsys root and then used under the lsys user for VPN configuration:
I'm not sure that it should also be applied for OSPFv3 IPSEC.
Does anyone know how to use OSPFv3 IPSEC under a lsys user?
Thank you
Regards