Technical Tip: How to configure OSPF MD5 authentication

Description

This article describes how to configure OSPF MD5 authentication for OSPF-interfaces.

Scope

FortiGate.

Solution

FortiOS v6.0 and below.

1. Use the following commands to enable OSPF md5 authentication.

config router ospf
    config ospf-interface
        edit [Interface Entry Name]
            set interface [Interface]
            set authentication md5
            set md5-key [Key ID] [Key String Value]
        next
    end

2. Example: MD5 authentication for port4.

config router ospf

    config ospf-interface

        edit "PORT4"

            set interface "port4"

            set authentication md5

            set md5-key 1 fortinet123

    next
end

3. Verification commands.

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   Full/Backup     00:00:34    10.162.0.100    port4

get router info ospf interface port4
Port4 is up, line protocol is up
Internet Address 10.162.0.114/20, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 3.3.3.3, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 3.3.3.3, Interface Address 10.162.0.114
Backup Designated Router (ID) 2.2.2.2, Interface Address 10.162.0.100
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 2334819
Hello received 87518 sent 87469, DD received 8 sent 7
LS-Req received 2 sent 2, LS-Upd received 2410 sent 1933
LS-Ack received 1926 sent 2408, Discarded 7

FortiOS v6.2 and above.
 

1. The key cannot be configured directly under ‘config ospf-interface’ as ‘set md5-key’ option has been removed.
   
2. Go under ‘config ospf-interface’ and then further go under ‘config md5-keys’ to configure the keys.
   
3. Syntax.

config router ospf
    config ospf-interface
        edit [Interface Entry Name]
            set interface [Interface]
            set authentication md5
                config md5-keys
                    edit [Key ID]
                        set key-string [Key String Value]
                    next
                end
            next
        end

4. Example.

config router ospf
    config ospf-interface

        edit "PORT4"
        set interface "port4"
        set authentication md5

            config md5-keys

                edit 1
                    set key-string fortinet123
                next
            end
        next
    end

5. Verification commands.

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   Full/DR         00:00:34    10.162.0.114    port4

get router info ospf interface port4
port4 is up, line protocol is up
Internet Address 10.162.0.100/20, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State Backup, Priority 1
Designated Router (ID) 3.3.3.3, Interface Address 10.162.0.114
Backup Designated Router (ID) 2.2.2.2, Interface Address 10.162.0.100
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:09
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 13694
Hello received 87449 sent 87545, DD received 7 sent 8
LS-Req received 2 sent 2, LS-Upd received 1927 sent 2410
LS-Ack received 2408 sent 1925, Discarded 0
Cryptographic authentication enabled
Sending SA: Key 1

1. The key cannot be configured directly under 'config ospf-interface', 'config md5-keys', as the keychain needs to be created separately.
   
   
2. Go under 'config router key-chain' and provide a name to a key section, then configure the key.
   
   
3. Syntax.