FortiGate
akileshc
Staff
Article Id 335587
Description This article describes the steps for configuring and verifying OSPF HMAC-SHA authentication on FortiOS 7.0.1.
Scope FortiOS 7.0.1 and above.
Solution

Starting with FortiOS 7.0.1, OSPF supports RFC 5709 HMAC-SHA cryptographic authentication. Before this enhancement, only MD5 was supported. The administrator can now choose from a range of cryptographic algorithms (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512, in addition to MD5), which strengthens the authentication of OSPF packets.

 

Configuration Overview:


To configure HMAC-SHA cryptographic authentication for OSPF on FortiOS 7.0.1, follow these steps:

  1. Configure the Router Key Chain: Define the algorithm and other key parameters.
  2. Configure OSPF: Set up OSPF to use the configured key chain.

 

config router key-chain
    edit <name>
        config key
            edit <id>
                set accept-lifetime <Lifetime of received authentication key (START END; START format: hh:mm:ss day month year)>
                set send-lifetime <Lifetime of sent authentication key (START END; START format: hh:mm:ss day month year)>
                set key-string <Password for the key (maximum = 64 characters)>
                set algorithm {md5 | hmac-sha1 | hmac-sha256 | hmac-sha384 | hmac-sha512}
            next
        end
    next
end

 

The 'accept-lifetime' and 'send-lifetime' options are essential for key chain configuration in OSPF. Without specifying these options, the configuration will not be accepted. These lifetime settings manage the timing and validity of cryptographic keys in the OSPF protocol, allowing granular control over when a key is used to authenticate OSPF messages.

 

The 'set accept-lifetime' and 'set send-lifetime' commands define the start and end times during which a specific key is valid for OSPF authentication. Each command must include both a start ('START') and an end ('END') time in the specified format. The 'END' time can be configured using three options: 'TIME', 'duration', or 'infinite'. These options allow for:

 

  • TIME: The exact expiration time, with the same level of detail as the start time.
  • Duration <1-2147483646>: The duration of the key in seconds.
  • Infinite: Specifies that the key has no end time, remaining valid indefinitely.

 

Format Details:

START:
- `HH:MM:SS DAY MONTH YEAR`
- `HH:MM:SS`: Time of day when the lifetime starts (hours, minutes, seconds).
- `DAY <1-31>`: Day of the month to start.
- `MONTH <1-12>`: Month of the year to start.
- `YEAR <1993-2035>`: Year to start.

END:
- `TIME | duration | infinite`
- `TIME = HH:MM:SS DAY MONTH YEAR`: Expiration time, with the same detail as the start time.
- `duration <1-2147483646>`: Duration of the key in seconds.
- `infinite`: No end time; the key remains valid indefinitely.

 

Additionally, it is possible to configure multiple entries, each with a different key-string and lifetime, under the 'config key' configuration. These entries can then be applied to an OSPF interface for use in scenarios like Key Rotation and Graceful Key Update.
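The lifetime format and the key-rotation scenario above, as an added example (not FortiOS or Fortinet code): a Python parser for 'accept-lifetime' and 'send-lifetime' values in all three END forms, run over a constructed 'config key' section to report any period in which no key is valid for sending. It assumes the CLI writes the END forms as 'duration <seconds>' and 'infinite'; in the sample, key 2 overlaps key 1 by one day, so the check reports no gap.

```python
"""Parse 'config router key-chain' lifetimes and find gaps in a key rotation.
Added example, not FortiOS code; the 'config key' text below is constructed."""
import re
from datetime import datetime, timedelta

FMT = "%H:%M:%S %d %m %Y"   # HH:MM:SS DAY MONTH YEAR, as described above
SAMPLE_KEYS = """config key
    edit "1"
        set accept-lifetime 05:00:00 21 08 2024 05:00:00 21 08 2025
        set send-lifetime 05:00:00 21 08 2024 05:00:00 21 08 2025
    next
    edit "2"
        set accept-lifetime 05:00:00 20 08 2025 infinite
        set send-lifetime 05:00:00 20 08 2025 duration 31536000
    next
end"""

def parse_lifetime(value):
    """START then END, where END is a TIME, 'duration <seconds>' or 'infinite'."""
    tok = value.split()
    start = datetime.strptime(" ".join(tok[:4]), FMT)
    if tok[4:] == ["infinite"]:
        return start, datetime.max                  # no end time
    if tok[4] == "duration":
        return start, start + timedelta(seconds=int(tok[5]))
    end = datetime.strptime(" ".join(tok[4:]), FMT)
    if end <= start:
        raise ValueError("END must be later than START")
    return start, end

def parse_keys(text):
    """Map key id -> {'accept': (start, end), 'send': (start, end)}."""
    keys, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r'\s*edit "(\d+)"', line):
            cur = keys.setdefault(m.group(1), {})
        elif (m := re.match(r"\s*set (accept|send)-lifetime (.+)", line)) and cur is not None:
            cur[m.group(1)] = parse_lifetime(m.group(2))
    return keys

def gaps(keys, which="send"):
    """Periods between the first start and the last end when no key of that kind is valid."""
    spans = sorted(v[which] for v in keys.values())
    found, reach = [], spans[0][1]
    for start, end in spans[1:]:
        if start > reach:
            found.append((reach, start))
        reach = max(reach, end)
    return found
```

Running `gaps(parse_keys(SAMPLE_KEYS))` returns an empty list; moving key 2 to start after key 1 expires makes it return the uncovered interval, which is the condition that breaks adjacency during a key change.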

 

In the example below, two FortiGate devices (FGT-A and FGT-B) are configured with 'hmac-sha1' and an explicitly defined lifetime.

 

FGT-A Configuration:


config router key-chain
    edit "ospf-hmac"
        config key
            edit "1"
                set accept-lifetime 05:00:00 21 08 2024 05:00:00 21 08 2025
                set send-lifetime 05:00:00 21 08 2024 05:00:00 21 08 2025
                set key-string 'password'
                set algorithm hmac-sha1
            next
        end
    next
end

 

config router ospf
    config ospf-interface
        edit "OSPF_INT"
            set interface "VPNp2p"
            set authentication message-digest
            set keychain "ospf-hmac"
        next
    end
end

 

FGT-B Configuration:


config router key-chain
    edit "ospf"
        config key
            edit "1"
                set accept-lifetime 05:00:00 21 08 2024 05:00:00 21 08 2025
                set send-lifetime 05:00:00 21 08 2024 05:00:00 21 08 2025
                set key-string 'password'
                set algorithm hmac-sha1
            next
        end
    next
end

config router ospf
    config ospf-interface
        edit "OSPF_INT"
            set interface "VPNp2p"
            set authentication message-digest
            set keychain "ospf"
        next
    end
end

 

Verification on FGT-A:


get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State       Dead Time   Address     Interface
1.1.1.2           1   Full/ -     00:00:35    1.1.1.2     VPNp2p(tun-id:10.5.54.73)

Verification on FGT-B:


get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State       Dead Time   Address     Interface
1.1.1.1           1   Full/ -     00:00:37    1.1.1.1     VPNp2p(tun-id:10.5.63.82)

 

A Wireshark capture on the interface running OSPF can be used to verify that HMAC-SHA authentication is in use on the FortiGate. Below is a snippet of a Wireshark capture using the hmac-sha256 algorithm:

 

[Image: OSPF_HMAC_AUTH_Wireshark.png, Wireshark capture of an OSPF packet authenticated with hmac-sha256]

 

The Auth Crypt Data length shown in the capture reveals which algorithm the key chain is using, because each digest has a fixed size:

  • md5 = 16 bytes
  • hmac-sha1 = 20 bytes
  • hmac-sha256 = 32 bytes
  • hmac-sha384 = 48 bytes
  • hmac-sha512 = 64 bytes
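The trailer lengths above, as an added example that is not FortiOS or Fortinet code: Python that builds the RFC 5709 authentication trailer for a constructed OSPF Hello and verifies a received packet by reading AuType and Auth Data Len, mapping the length to the algorithm with the same table, and recomputing the HMAC; it covers all four HMAC-SHA algorithms, not only the hmac-sha1 of the configuration above. It assumes the RFC 5709 procedure (key zero-padded to the digest length L, or hashed if longer; trailer filled with Apad = 0x878FE1F3 repeated L/4 times before hashing; checksum field 0) and uses a constructed router id, Hello body and key-string.

```python
"""Compute and verify the RFC 5709 HMAC-SHA authentication trailer of an OSPFv2 packet.
Added example, not FortiOS code; the Hello body and router id are constructed."""
import hashlib
import hmac
import struct

# Auth Data Len -> algorithm, the same table used to read the capture above.
ALG_BY_LEN = {16: "md5", 20: "hmac-sha1", 32: "hmac-sha256",
              48: "hmac-sha384", 64: "hmac-sha512"}
HASH = {"hmac-sha1": hashlib.sha1, "hmac-sha256": hashlib.sha256,
        "hmac-sha384": hashlib.sha384, "hmac-sha512": hashlib.sha512}
APAD_WORD = bytes.fromhex("878FE1F3")       # Apad is this word repeated L/4 times
# Constructed Hello body: mask /30, hello 10s, options, priority 1, dead 40s, DR, BDR, neighbor.
SAMPLE_HELLO = struct.pack("!4sHBBI4s4s4s", bytes([255, 255, 255, 252]), 10, 0x02, 1, 40,
                           bytes([1, 1, 1, 1]), bytes(4), bytes([1, 1, 1, 2]))

def prepare_key(key_string, L, h):
    """RFC 5709 key preparation: zero-pad to L octets, or hash if longer than L."""
    return h(key_string).digest() if len(key_string) > L else key_string.ljust(L, b"\0")

def ospf_header(length, key_id, auth_len, seq):
    """OSPFv2 header, AuType 2; checksum stays 0 with cryptographic authentication."""
    return (struct.pack("!BBH4s4sHH", 2, 1, length, bytes([1, 1, 1, 1]), bytes(4), 0, 2)
            + struct.pack("!HBBI", 0, key_id, auth_len, seq))   # reserved, key id, len, seq

def sign(body, key_string, alg, key_id=1, seq=1):
    """Return header || body || digest, as a key-chain entry using 'alg' would send it."""
    h = HASH[alg]
    L = h().digest_size
    hdr = ospf_header(24 + len(body), key_id, L, seq)   # length field excludes the trailer
    ko = prepare_key(key_string, L, h)
    # The trailer is filled with Apad before hashing; hmac zero-pads ko to the block size.
    digest = hmac.new(ko, hdr + body + APAD_WORD * (L // 4), h).digest()
    return hdr + body + digest

def verify(packet, key_string):
    """Identify the algorithm from Auth Data Len and recompute the trailer: (alg, ok)."""
    length = struct.unpack("!H", packet[2:4])[0]
    autype = struct.unpack("!H", packet[14:16])[0]
    auth_len = packet[19]
    alg = ALG_BY_LEN.get(auth_len)
    if autype != 2 or alg not in HASH:      # md5 uses the RFC 2328 keyed-MD5 scheme, not HMAC
        return alg, False
    h = HASH[alg]
    ko = prepare_key(key_string, auth_len, h)
    expected = hmac.new(ko, packet[:length] + APAD_WORD * (auth_len // 4), h).digest()
    return alg, hmac.compare_digest(expected, packet[length:length + auth_len])
```

`verify` returns the algorithm name even when the digest check fails, so a capture with the wrong key-string still tells you which algorithm the peer is configured with.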

 

Note:

A Wireshark capture can be taken in two ways:

  1. In the GUI, go to Network -> Interface -> Diagnostics.
  2. From the CLI, run the packet sniffer with verbosity 6 and convert its output to PCAP, for example:

diagnose sniffer packet <ospf_interface> 'proto 89' 6 0 l

 

Related article:

Technical Tip: How to import 'diagnose sniffer packet' data to WireShark