Comments on Ken Felix Security Blog: exploring ipv6 ospf routing on the cisco ASA

socpuppets, 2012-11-27T08:35:37.078-08:00

And just like with the cisco ISR you can execute the show crypto ipsec sa command for details;

asaken# show crypto ipsec sa
interface: inside
    Crypto map tag: OSPFv3-10-256, seq num: 0, local addr: ::

      local ident (addr/mask/prot/port): (::/0/89/0)
      remote ident (addr/mask/prot/port): (::/0/89/0)
      current_peer: ::

      #pkts encaps: 119, #pkts encrypt: 0, #pkts digest: 119
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 119, #pkts comp failed: 0, #pkts decomp failed: 0
      #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: ::/0, remote crypto endpt.: ::/0
      path mtu 1500, ipsec overhead 66(48), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 00000100
      current inbound spi : 00000100

    inbound esp sas:
      spi: 0x00000100 (256)
         transform: esp-null esp-md5-hmac no compression
         in use settings ={L2L, Transport, Manual key (OSPFv3), }
         slot: 0, conn_id: 268025856, crypto-map: OSPFv3-10-256
         sa timing: remaining key lifetime (sec): 0
         IV size: 0 bytes
         replay detection support: N
    outbound esp sas:
      spi: 0x00000100 (256)
         transform: esp-null esp-md5-hmac no compression
         in use settings ={L2L, Transport, Manual key (OSPFv3), }
         slot: 0, conn_id: 268025856, crypto-map: OSPFv3-10-256
         sa timing: remaining key lifetime (sec): 0
         IV size: 0 bytes
         replay detection support: N

This concludes my OSPFv3 support within an ASA firewall. Key things to remember;

IPv4 and IPv6 are still 2 unique processes; OSPFv3 is only used for IPv6

OSPFv3 is enabled per-interface

you need at least one IPv4 addressed interface

OSPFv3 supports both AH and ESP within the interface configuration.

I'm going to see how and if ESP is an option within our cisco ISRs for the OSPFv3 enabled interfaces. I have never seen or recalled this, but I have been wrong numerous times in the past :)

socpuppets, 2012-11-27T08:03:56.826-08:00

I want to make a correction: I re-reviewed the release notes and found OSPFv3 is supported in the ASA.

Here's an example of what I crafted

ipv6 ospf encryption ipsec spi 256 esp null md5 aabbccddeeffaabbccddeeffaabbccdd