[c-nsp] IOS-XR IS-IS authentication

Dave Bell dave at geordish.org
Wed May 27 08:00:12 EDT 2020


Keychain for XR would help too..

key chain ISIS-DOMAIN
 key 1
  accept-lifetime 00:00:00 january 01 2020 infinite
  key-string password <PASSWORD>
  send-lifetime 00:00:00 january 01 2020 infinite
  cryptographic-algorithm HMAC-MD5

On Wed, 27 May 2020 at 12:58, Dave Bell <dave at geordish.org> wrote:

> We've just turned up something similar. The difference is we are not using
> a keychain for the P2P password.
>
> >show configuration protocols isis
> topologies ipv6-unicast;
> overload timeout 300;
> level 1 disable;
> level 2 {
>     authentication-key-chain ISIS_DOMAIN;
>     wide-metrics-only;
> }
> interface ae6.0 {
>     ldp-synchronization;
>     lsp-interval 50;
>     point-to-point;
>     link-protection;
>     level 2 {
>         metric 10000;
>         ipv6-unicast-metric 10000;
>         hello-authentication-key "<password>"; ## SECRET-DATA
>         hello-authentication-type md5;
>     }
> }
>
> > show configuration security
> authentication-key-chains {
>     key-chain ISIS_DOMAIN {
>         key 1 {
> >             secret "<PASSWORD>"; ## SECRET-DATA
>             start-time "2019-1-1.00:00:00 +0000";
>             algorithm md5;
>         }
>     }
> }
>
>
>
> router isis ISIS
>  set-overload-bit on-startup wait-for-bgp
>  is-type level-2-only
>  net 49.0001.0511.4807.2051.00
>  lsp-password keychain ISIS-DOMAIN
>  address-family ipv4 unicast
>   metric-style wide level 2
>   maximum-paths 8
>   segment-routing mpls
>  !
>  address-family ipv6 unicast
>   metric-style wide level 2
>   maximum-paths 8
>  !
>  interface Bundle-Ether1
>   hello-password hmac-md5 encrypted <PASSWORD>
>   address-family ipv4 unicast
>    metric 10000
>
> On Wed, 27 May 2020 at 12:46, Eric Van Tol <eric at atlantech.net> wrote:
>
>> Sorry if this is a duplicate – Outlook chose the ‘bounces’ address as the
>> one to send to and I didn’t notice.
>>
>> Hi all,
>> I’m testing out an NCS540 for use in our network and this is my first
>> foray into IOS-XR. We have a mix of Juniper and Cisco IOS/IOS-XE devices
>> that the NCS needs to interoperate with. I’m having some minor trouble with
>> IS-IS authentication and it’s kind of driving me nuts because I can’t get
>> IS-IS to come up when authentication is configured. I keep getting this
>> error:
>>
>> BAD P2P IIH rcvd from TenGigE0/0/0/19 SNPA 5c5e.abde.1e00: dropped
>> because cryptographic password mismatch
>>
>> Seems pretty obvious, but my keychain key password is configured and
>> verified to match on both sides:
>>
>> key chain isis-chain
>> key 1
>>   accept-lifetime 00:00:00 january 01 1993 infinite
>>   key-string password <password>
>>   send-lifetime 00:00:00 january 01 1993 infinite
>>   cryptographic-algorithm HMAC-MD5
>> !
>> accept-tolerance infinite
>>
>> I’ve tried both MD5 and HMAC-MD5, neither works. Here is my IS-IS config
>> on the NCS540:
>>
>> router isis rtr1
>> set-overload-bit on-startup wait-for-bgp
>> is-type level-2-only
>> net 49.0001.1071.3820.2192.00
>> log adjacency changes
>> lsp-mtu 1497
>> lsp-password keychain isis-chain
>> address-family ipv4 unicast
>>   metric-style wide level 2
>> !
>> address-family ipv6 unicast
>>   metric-style wide level 2
>>   single-topology
>> !
>> interface Loopback1
>>   passive
>>   address-family ipv4 unicast
>>   !
>>   address-family ipv6 unicast
>>   !
>> !
>> interface TenGigE0/0/0/19
>>   circuit-type level-2-only
>>   point-to-point
>>   hello-password keychain isis-chain
>>   address-family ipv4 unicast
>>    metric 3500
>>   !
>>   address-family ipv6 unicast
>>    metric 3500
>>   !
>> !
>>
>> traceoptions on the Juniper shows something similar:
>>
>> ERROR: IIH from 1071.3820.2192 on xe-0/0/0.0 failed authentication
>>
>> Here’s the Juniper key config and isis stanza:
>>
>> authentication-key-chains {
>>     key-chain isis-chain {
>>         key 1 {
>>             secret "<password>"; ## SECRET-DATA
>>             start-time "1993-1-1.00:00:00 +0000";
>>             algorithm md5;
>>         }
>>     }
>> }
>> protocols {
>>     isis {
>>         level 1 disable;
>>         level 2 {
>>             authentication-key-chain isis-chain;
>>             wide-metrics-only;
>>         }
>>         interface xe-0/0/0.0 {
>>             point-to-point;
>>             level 2 {
>>                 metric 3500;
>>                 hello-authentication-key-chain isis-chain;
>>             }
>>             level 1 disable;
>>         }
>> }
>>
>> I know it’s got to be something simple, but it’s not clicking for me
>> today. It seems like any step forward I take with IOS-XR, I end up taking
>> two steps back on the next thing that ‘just works’ everywhere else.
>>
>> -evt
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
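The thread is about getting HMAC-MD5 hello and LSP authentication to agree between an IOS-XR key chain and a Junos key-chain. As an added example that is not part of any message in the thread, the Python below builds a minimal P2P IIH carrying an RFC 5304 Authentication TLV (TLV type 10, authentication type 54, 16-octet digest), computes the HMAC-MD5 over the PDU with the digest field zeroed, and verifies it the way a receiving router does before accepting the hello. It then shows that the "cryptographic password mismatch" outcome follows from any difference in key bytes (a different key, a trailing space in the key-string) or in the PDU itself. The header bytes, the extra TLVs and the keys are constructed for this example; the system ID is the one from the NCS540 NET in the thread, and the RFC 5304 constants are standard.

```python
"""RFC 5304 HMAC-MD5 authentication for an IS-IS P2P IIH (added example).

Not code from the cisco-nsp thread or from either vendor. The PDU header,
TLVs and keys below are constructed for illustration.
"""
import hashlib
import hmac

AUTH_TLV_TYPE = 10         # RFC 5304 Authentication TLV
AUTH_TYPE_HMAC_MD5 = 54    # RFC 5304 authentication type for HMAC-MD5
DIGEST_LEN = 16            # MD5 digest length in octets

# Constructed P2P IIH fixed header (20 octets): common header (IRPD 0x83,
# header length 20, version/PID ext 1, ID length 0, PDU type 17 = P2P IIH,
# version 1, reserved 0, max areas 0), circuit type 2 (L2), source ID,
# holding time 30 s, PDU length (left 0 here), local circuit ID 1.
HEADER = (bytes([0x83, 20, 1, 0, 17, 1, 0, 0])
          + bytes([2])
          + bytes.fromhex("107138202192")   # system ID from the thread's NET
          + (30).to_bytes(2, "big")
          + (0).to_bytes(2, "big")
          + bytes([1]))

# Constructed TLVs: Protocols Supported (129: IPv4 0xCC, IPv6 0x8E) and
# Area Address (1: one 3-octet area 49.0001).
OTHER_TLVS = bytes([129, 2, 0xCC, 0x8E]) + bytes([1, 4, 3, 0x49, 0x00, 0x01])

KEY = b"<password>"   # constructed sample key-string, shared by both routers


def build_auth_tlv(digest: bytes) -> bytes:
    """TLV layout: type(1) length(1) auth-type(1) digest(16)."""
    return bytes([AUTH_TLV_TYPE, 1 + DIGEST_LEN, AUTH_TYPE_HMAC_MD5]) + digest


def find_auth_tlv(pdu: bytes, header_len: int):
    """Walk the TLV list after the fixed header; return (offset, length)
    of the Authentication TLV, or None if the PDU carries none."""
    off = header_len
    while off + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[off], pdu[off + 1]
        if tlv_type == AUTH_TLV_TYPE:
            return off, tlv_len
        off += 2 + tlv_len
    return None


def hmac_md5_pdu(pdu: bytes, header_len: int, key: bytes) -> bytes:
    """HMAC-MD5 over the whole PDU with the 16 digest octets set to zero.
    (For LSPs, RFC 5304 also zeroes checksum and remaining lifetime; an
    IIH has neither, so this handles only the hello case.)"""
    found = find_auth_tlv(pdu, header_len)
    if found is None:
        raise ValueError("no Authentication TLV")
    off, tlv_len = found
    if tlv_len != 1 + DIGEST_LEN or pdu[off + 2] != AUTH_TYPE_HMAC_MD5:
        raise ValueError("not an HMAC-MD5 Authentication TLV")
    dstart = off + 3
    zeroed = pdu[:dstart] + bytes(DIGEST_LEN) + pdu[dstart + DIGEST_LEN:]
    return hmac.new(key, zeroed, hashlib.md5).digest()


def sign_pdu(header: bytes, tlvs: bytes, key: bytes) -> bytes:
    """Sender side: place a zeroed Authentication TLV, digest, then fill it."""
    pdu = header + build_auth_tlv(bytes(DIGEST_LEN)) + tlvs
    digest = hmac_md5_pdu(pdu, len(header), key)
    return header + build_auth_tlv(digest) + tlvs


def verify_pdu(pdu: bytes, header_len: int, key: bytes) -> bool:
    """Receiver side: recompute and compare in constant time. False is the
    case a router logs as 'cryptographic password mismatch'."""
    found = find_auth_tlv(pdu, header_len)
    if found is None:
        return False
    off, _ = found
    received = pdu[off + 3: off + 3 + DIGEST_LEN]
    try:
        expected = hmac_md5_pdu(pdu, header_len, key)
    except ValueError:
        return False
    return hmac.compare_digest(received, expected)


def interop_check() -> dict:
    """Sign one hello with KEY and check it against several receiver keys."""
    signed = sign_pdu(HEADER, OTHER_TLVS, KEY)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])  # flip last area byte
    return {
        "same_key": verify_pdu(signed, len(HEADER), KEY),
        "trailing_space": verify_pdu(signed, len(HEADER), KEY + b" "),
        "other_key": verify_pdu(signed, len(HEADER), b"<PASSWORD>"),
        "tampered_pdu": verify_pdu(tampered, len(HEADER), KEY),
    }


if __name__ == "__main__":
    for case, ok in interop_check().items():
        print(f"{case:15s} {'accepted' if ok else 'dropped: password mismatch'}")
```

Only the `same_key` case is accepted; the other three are dropped, which is the behaviour behind the log line quoted in the thread. The check that matters on a real box is the same one: both ends must feed byte-identical key material into HMAC-MD5, and the key must be valid for the current time on both sides (the `accept-lifetime`/`send-lifetime` and `start-time` settings in the thread), or the digest never matches.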