I had a hard time figuring out how to configure OSPFv3 authentication on a Palo Alto Networks NGFW, because its configuration format differs from that of a Cisco router.
TL;DR: The SPI must be entered in hexadecimal, and the actual key (40 hexadecimal characters for SHA-1) must be split into five 8-character groups separated by hyphens.
On Cisco IOS, OSPFv3 authentication is configured at the interface level with the following command:
```
ipv6 ospf authentication ipsec spi <256-4294967295> sha1 <hex-string, 40 chars>
```
e.g.:
```
ipv6 ospf authentication ipsec spi 305419896 sha1 CC41D07E889B5D610FAE78E88E88C559E45D1021
```
However, when I tried to enter those values in Palo's OSPFv3 Auth Profile, the commit failed with: Error: Failed to parse IPSec manual-key tunnel/profile 'ah-sha1' authentication key.
Luckily, I wasn't the first person struggling with this, and DuckDuckGo led me to this post: “OSPFv3 Authentication Palo Alto to Cisco Router“.
The corresponding values to the above-mentioned example are:
```
SPI: 0x12345678
Key: CC41D07E-889B5D61-0FAE78E8-8E88C559-E45D1021
```
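Doing this conversion by hand is error-prone (miscount one group and the commit fails again), so here is a small converter as an added example. It is not code from the original post or from either vendor; it turns an IOS `ipv6 ospf authentication ipsec` line into the SPI/key form the Palo profile accepts, converts back, validates the SPI range IOS imposes, and checks whether a key already has the hyphenated shape. The SHA-1 case (40 hex chars, five groups of 8) is exactly what the post shows; the MD5 entry (32 hex chars, four groups of 8) is IOS's other option and its grouping on the Palo side is an assumption here.

```python
import re

# IOS syntax: ipv6 ospf authentication ipsec spi <256-4294967295> <md5|sha1> <hex key>
SPI_MIN, SPI_MAX = 256, 4294967295
# Key length in hex characters per hash. sha1/40 is what the post shows;
# md5/32 is IOS's other option (its 8-char grouping on Palo is an assumption).
KEY_HEX_LEN = {"sha1": 40, "md5": 32}
GROUP = 8  # Palo wants hyphen-separated groups of 8 hex chars (5 groups for SHA-1)
HEX = set("0123456789ABCDEF")

CISCO_RE = re.compile(
    r"^\s*ipv6 ospf authentication ipsec spi\s+(\d+)\s+(md5|sha1)\s+([0-9A-Fa-f]+)\s*$",
    re.IGNORECASE,
)


def group_key(key_hex: str) -> str:
    """'CC41D07E889B...' -> 'CC41D07E-889B...' (groups of 8, joined by hyphens)."""
    return "-".join(key_hex[i:i + GROUP] for i in range(0, len(key_hex), GROUP))


def palo_key_ok(grouped_key: str, algo: str) -> bool:
    """True if the key has the hyphenated shape the Palo auth profile parses."""
    parts = grouped_key.upper().split("-")
    return (len(parts) == KEY_HEX_LEN[algo] // GROUP
            and all(len(p) == GROUP and set(p) <= HEX for p in parts))


def cisco_to_palo(cmd: str) -> dict:
    """Parse an IOS interface command and return the Palo SPI/key representation."""
    m = CISCO_RE.match(cmd)
    if not m:
        raise ValueError("not an IOS 'ipv6 ospf authentication ipsec ...' command")
    spi, algo, key = int(m.group(1)), m.group(2).lower(), m.group(3).upper()
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {spi} outside IOS range {SPI_MIN}-{SPI_MAX}")
    want = KEY_HEX_LEN[algo]
    if len(key) != want:
        raise ValueError(f"{algo} key must be {want} hex chars, got {len(key)}")
    # SPI is a 32-bit value; 8 hex digits matches what Wireshark shows.
    return {"spi": f"0x{spi:08x}", "algorithm": algo, "key": group_key(key)}


def palo_to_cisco(spi_hex: str, algo: str, grouped_key: str) -> str:
    """Reverse direction: Palo SPI/key back to the IOS interface command."""
    spi = int(spi_hex, 16)
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {spi} outside IOS range {SPI_MIN}-{SPI_MAX}")
    if not palo_key_ok(grouped_key, algo):
        raise ValueError("key is not in Palo's hyphenated 8-char-group format")
    return (f"ipv6 ospf authentication ipsec spi {spi} {algo} "
            f"{grouped_key.replace('-', '').upper()}")


if __name__ == "__main__":
    # The post's own example values.
    ios = ("ipv6 ospf authentication ipsec spi 305419896 sha1 "
           "CC41D07E889B5D610FAE78E88E88C559E45D1021")
    palo = cisco_to_palo(ios)
    print(f"SPI: {palo['spi']}\nKey: {palo['key']}")
    print("round trip ok:", palo_to_cisco(palo["spi"], "sha1", palo["key"]) == ios)
    # Pasting the raw IOS key into the Palo profile is what triggers the commit error.
    print("raw IOS key accepted by Palo format check:",
          palo_key_ok("CC41D07E889B5D610FAE78E88E88C559E45D1021", "sha1"))
```

Run it as a script to see the post's values reproduced; `palo_key_ok` on the un-hyphenated key returns False, which is the shape that produced the commit error above.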
Configured under Network -> Routing -> Routing Profiles -> OSPFv3 -> OSPFv3 Auth Profile (using a PA-440 with PAN-OS 11.2.10, Advanced Routing Engine enabled):

(Of course, stronger hash algorithms than SHA-1 should be used, but my lab counterparts are not capable of it. ;))
Enabled either at the OSPFv3 – Area level:

OR at the individual Interface level (preferred from my point of view):

Now the SPI matches the representation in Wireshark. Note the “Authentication Header” following the IPv6 header: OSPFv3 authentication (RFC 4552) does not carry an authentication field in the OSPF packet itself but relies on the IPsec AH extension header:
Speaking about the SPI, the hexadecimal format (Palo) makes more sense compared to the decimal format (Cisco). However, I find it rather nonsensical that you have to insert hyphens in the key. 🤦♂️
Final note: If you have changed your intrazone-default policy (which allows by default) to deny, you need explicit rules for OSPF to work. Little stumbling block here: with OSPFv3 authentication, you have to allow “ipsec-ah” in addition to “ospf”. Both the session table and the traffic log show both applications (!), depending on which node originated the session, either the Palo or one of the other routers on the network: (I’ve no idea where this “from port / to port” 20033 comes from.)
Soli Deo Gloria!
Photo by George Prentzas on Unsplash.