[j-nsp] ISIS Authentication Problems

[John Neiberger]

On Fri, Mar 9, 2012 at 4:39 AM, Mark Tinka <mtinka at globaltransit.net> wrote:
> On Thursday, March 08, 2012 11:22:48 AM John Neiberger
> wrote:
>
>> I think some mixture of those commands would have helped,
>> but I think I also just spotted the real culprit. The
>> CRS that is working has the following configured:
>>
>> lsp-password hmac-md5 encrypted ##encrypted stuff##
>>
>> So, on the CRS I was working on, I need to enable md5 on
>> LSPs. I had no idea it was done separately.
>
> Yes, the CRS does this differently.
>
> In 'router isis' mode, you need to:
>
>        o Enable the 'lsp-password hmac-md5' command at the
>          global level.
>
>        o Enable the 'hello-password hmac-md5' at the
>          interface level.
>
>
> This is the case also when forming IS-IS adjacencies with
> other IOS and IOS XE devices.
>
> The other thing to look out for when running IOS XR and
> Junos side-by-side is authentication of RSVP messages.
>
> Your IOS XR authentication configuration would need to look
> like this:
>
> key chain your-key-chain-name
>  key 1
>  accept-lifetime 00:00:00 january 01 2000 infinite
>  key-string password <your-password-here>
>  send-lifetime 00:00:00 january 01 2000 infinite
>  cryptographic-algorithm HMAC-MD5
>
>
> The 'accept-lifetime' and 'send-lifetime' commands are
> required because of an inter-op issue between IOS XR and
> Junos, which IOS and IOS XE don't have.
>
> IOS XR would need to implement the changes that IOS and IOS
> XE did in order to inter-op with Junos without having these
> problems, or needing those commands in the first place.
>
> Without those commands, authentication between IOS XR and
> Junos won't work.
>
> Cheers,
>
> Mark.

Mark,

Do you have any tips regarding ISIS authentication between Junos and
IOS? We have a 7600 that is connected to this same MX960 and it's
having a similar problem. Do you know of any idiosyncrasies with
regard to Juniper-to-IOS ISIS authentication?

Thanks,
John