FortiGate
sagha
Staff
Article Id 191861

Description


This article describes how to configure OSPF MD5 (cryptographic) authentication on OSPF interfaces, and how the syntax changed across FortiOS releases.

 

Scope

 

FortiGate.


Solution

 

FortiOS v6.0 and below.

  1. Use the following commands to enable OSPF MD5 authentication on an OSPF interface. The neighbor on the same segment must be configured with the same key ID and key string, otherwise its Hello packets are discarded and no adjacency forms.

 

config router ospf
    config ospf-interface
        edit [Interface Entry Name]
            set interface [Interface]
            set authentication md5
            set md5-key [Key ID] [Key String Value]
        next
    end
end

 

  2. Example: MD5 authentication for port4.

 

config router ospf
    config ospf-interface
        edit "PORT4"
            set interface "port4"
            set authentication md5
            set md5-key 1 fortinet123
        next
    end
end

 

  3. Verification commands. The neighbor must reach the Full state, and the 'Crypt Sequence Number' line in the interface output shows that cryptographic authentication is in use on the interface.

 

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   Full/Backup     00:00:34    10.162.0.100    port4

get router info ospf interface port4
Port4 is up, line protocol is up
Internet Address 10.162.0.114/20, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 3.3.3.3, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 3.3.3.3, Interface Address 10.162.0.114
Backup Designated Router (ID) 2.2.2.2, Interface Address 10.162.0.100
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 2334819
Hello received 87518 sent 87469, DD received 8 sent 7
LS-Req received 2 sent 2, LS-Upd received 2410 sent 1933
LS-Ack received 1926 sent 2408, Discarded 7

 

FortiOS v6.2 and above.
 

  1. The key can no longer be configured directly under 'config ospf-interface', because the 'set md5-key' option has been removed.
  2. Under 'config ospf-interface', enter 'config md5-keys' to configure one or more keys, each identified by its key ID.
  3. Syntax.

 

config router ospf
    config ospf-interface
        edit [Interface Entry Name]
            set interface [Interface]
            set authentication md5
            config md5-keys
                edit [Key ID]
                    set key-string [Key String Value]
                next
            end
        next
    end
end

 

  4. Example.

 

config router ospf
    config ospf-interface
        edit "PORT4"
            set interface "port4"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string fortinet123
                next
            end
        next
    end
end

 

  5. Verification commands. In this release the interface output also reports 'Cryptographic authentication enabled' and which key ID is being sent ('Sending SA: Key 1').

 

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   Full/DR         00:00:34    10.162.0.114    port4

get router info ospf interface port4
port4 is up, line protocol is up
Internet Address 10.162.0.100/20, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State Backup, Priority 1
Designated Router (ID) 3.3.3.3, Interface Address 10.162.0.114
Backup Designated Router (ID) 2.2.2.2, Interface Address 10.162.0.100
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:09
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 13694
Hello received 87449 sent 87545, DD received 7 sent 8
LS-Req received 2 sent 2, LS-Upd received 1927 sent 2410
LS-Ack received 2408 sent 1925, Discarded 0
Cryptographic authentication enabled
Sending SA: Key 1

 

FortiOS v7.0 and above:
 
  1. The key can no longer be configured under 'config ospf-interface' > 'config md5-keys': the keys now live in a key chain that is created separately and referenced from the OSPF interface.

  2. Go under 'config router key-chain', give the key chain a name, then configure each key (key ID, key string and lifetimes) under 'config key'.

  3. Syntax.
 
config router key-chain
    edit <name>
        config key
            edit <id>
                set key-string <key_value>
                set accept-lifetime START END ***
                set send-lifetime START END
            next
        end
    next
end
 
  4. Reference the key chain in the OSPF interface configuration.

config router ospf
    config ospf-interface
        edit <ospf_interface>
            set authentication message-digest
            set keychain <name>
        next
    end
end
 
***
START  HH:MM:SS DAY MONTH YEAR
           HH:MM:SS         Time of day when the lifetime starts, in
                            hours, minutes and seconds.
           DAY <1-31>       Day of the month on which the lifetime starts.
           MONTH <1-12>     Month of the year in which the lifetime starts.
           YEAR <1993-2035> Year in which the lifetime starts.

    END    TIME|duration|infinite
           TIME = HH:MM:SS DAY MONTH YEAR
                      Time of day when the lifetime expires. Details are the
                      same as for the start time.
           duration <1-2147483646>
                      Duration of the key in seconds.
           infinite   The key never expires.

accept-lifetime controls when received packets signed with this key are accepted; send-lifetime controls when the FortiGate signs its own packets with it. Both are evaluated against the FortiGate's system clock, so keep all OSPF neighbors synchronized with NTP and let the accept-lifetime of an old key outlast its send-lifetime when rotating keys, otherwise adjacencies drop at the changeover.
 
  5. Example:

config router key-chain
    edit tEST-01
        config key
            edit 1
                set key-string Fortinet123
                set accept-lifetime 09:04:00 04 10 2025 09:04:00 04 10 2030
                set send-lifetime 09:04:00 04 10 2025 09:04:00 04 10 2030
            next
        end
    next
end
 
config router ospf
    config ospf-interface
        edit tEST-LAB_lan
            set authentication message-digest
            set keychain tEST-01
        next
    end
end
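Key chains make it possible to rotate the MD5 key without dropping the adjacency, provided the new key is accepted before it starts being sent and the old key stays accepted after it stops being sent. The following Python script is an added example and not Fortinet code: it plans overlapping accept/send windows for a list of keys and prints the resulting 'config router key-chain' block in the syntax shown above. The key-chain name, key IDs, key strings, 90-day rotation period and 2-hour overlap are assumed values chosen for illustration.

```python
"""Plan an MD5 key rotation for a FortiOS 7.0+ 'config router key-chain'.

Added example, not Fortinet code. It assumes the CLI syntax shown in this article:
key-string, accept-lifetime START END and send-lifetime START END, with times as
HH:MM:SS DAY MONTH YEAR. Key-chain name, key IDs and key strings are made up.
"""
from datetime import datetime, timedelta


def fortios_time(t: datetime) -> str:
    """Render a lifetime boundary as HH:MM:SS DAY MONTH YEAR."""
    return t.strftime("%H:%M:%S %d %m %Y")


def plan_rotation(keys, start, period, overlap):
    """Give each key a send window of `period`, in order, and an accept window widened
    by `overlap` on both sides. Neighbours whose clocks drift by less than `overlap`,
    or that switch keys a little late, therefore still authenticate."""
    if overlap >= period:
        raise ValueError("overlap must be shorter than the rotation period")
    plan = []
    for i, (key_id, secret) in enumerate(keys):
        send_start = start + i * period
        send_end = send_start + period
        plan.append({
            "id": key_id,
            "key": secret,
            "send": (send_start, send_end),
            "accept": (send_start - overlap, send_end + overlap),
        })
    return plan


def accepted_at(plan, t):
    """Key IDs a router using this plan accepts at time t (accept window is half-open)."""
    return {k["id"] for k in plan if k["accept"][0] <= t < k["accept"][1]}


def render_keychain(name, plan):
    """Emit the key chain in the CLI form used in the article."""
    lines = ["config router key-chain", f"    edit {name}", "        config key"]
    for k in plan:
        lines += [
            f"            edit {k['id']}",
            f"                set key-string {k['key']}",
            f"                set accept-lifetime {fortios_time(k['accept'][0])} {fortios_time(k['accept'][1])}",
            f"                set send-lifetime {fortios_time(k['send'][0])} {fortios_time(k['send'][1])}",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def example_plan():
    """Constructed: two keys, 90-day rotation, 2-hour acceptance overlap, starting at
    the same instant as the article's example lifetime."""
    return plan_rotation([(1, "k1-example"), (2, "k2-example")],
                         datetime(2025, 10, 4, 9, 4, 0),
                         timedelta(days=90), timedelta(hours=2))


if __name__ == "__main__":
    plan = example_plan()
    print(render_keychain("tEST-01", plan))
    switch = plan[0]["send"][1]          # moment the sender moves from key 1 to key 2
    print("accepted at switch:      ", accepted_at(plan, switch))
    print("accepted after overlap:  ", accepted_at(plan, plan[0]["accept"][1]))
```

Paste the printed block into the CLI on every router on the segment; the key chain must be identical on all of them. The plan only keeps adjacencies up if the routers' clocks agree to within the overlap, so verify NTP before the first changeover.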

Note: OSPF authentication can only be configured from the CLI; there is no GUI option for it.
 

To see why an adjacency does not come up, enable OSPF debugging on the FortiGate:

diagnose ip router ospf all enable
diagnose ip router ospf level info
diagnose debug console timestamp enable
diagnose debug enable

To disable the debugging afterwards:

diagnose debug disable
diagnose debug reset

For a key (password) mismatch, the neighbor's Hello fails the MD5 digest check and is discarded, so no neighbor is ever formed. The following error is seen:

[root] OSPF: RECV[Hello]: From 7.7.7.7 via port3:20.20.30.8: Cryptographic authentication error

[root] OSPF: IFSM[port3:20.20.30.8]: Wait timer expire

[root] OSPF: IFSM[port3:20.20.30.8]: DR-Election[1st]: Backup 0.0.0.0

[root] OSPF: IFSM[port3:20.20.30.8]: DR-Election[1st]: DR 0.0.0.0

[root] OSPF: IFSM[port3:20.20.30.8]: Waiting (WaitTimer)

[root] OSPF: IFSM[port3:20.20.30.8]: Status change Waiting -> DROther[

[root] OSPF: LSA[Refresh]: timer expired

[root] OSPF: LSA[MaxAge]: Maxage walker finished (0.000000 sec)

[root] OSPF: IFSM[port3:20.20.30.8]: Hello timer expire

[root] OSPF: RECV[Hello]: From 7.7.7.7 via port3:20.20.30.8 (20.20.30.7 -> 224.0.0.5)

 

For an authentication method mismatch (one side using MD5/message-digest while the other uses none or plaintext), the following error is seen:

 

[root] OSPF: RECV[Hello]: From 7.7.7.7 via port3:20.20.30.8: Authentication type mismatch

[root] OSPF: LSA[Refresh]: timer expired

[root] OSPF: IFSM[port3:20.20.30.8]: Hello timer expire

[root] OSPF: LSA[MaxAge]: Maxage walker finished (0.000000 sec)

[root] OSPF: RECV[Hello]: From 7.7.7.7 via port3:20.20.30.8 (20.20.30.7 -> 224.0.0.5)
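The two debug messages above correspond to the two checks a receiver performs under RFC 2328 Appendix D: the AuType in the OSPF header must be 2 (cryptographic), and MD5 over the packet followed by the zero-padded key for the received Key ID must equal the digest appended after the packet. The following Python model is an added example and not FortiOS code. It builds a Hello with the addresses, timers and key from this article, verifies it against a Key ID table that stands in for 'config md5-keys' or the key chain, and returns status strings modelled on the debug lines; the status strings, the Hello field values and the exact receiver ordering are assumptions, not FortiOS internals. Note that the digest authenticates the neighbor and detects tampering but encrypts nothing: the Key ID, sequence number and LSAs all travel in the clear.

```python
"""Model of OSPFv2 cryptographic (MD5) authentication per RFC 2328 Appendix D.

Added example, not FortiOS code. It reproduces the sender and receiver steps
so the two debug messages from the article can be triggered on purpose.
"""
import hashlib
import hmac
import socket
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2  # AuType values, RFC 2328 A.3.1
OSPF_HELLO = 1
HEADER_LEN = 24    # OSPFv2 header including the 8-byte Authentication field
DIGEST_LEN = 16    # MD5 digest appended after the packet (not counted in Length)


def _pad_key(key: bytes) -> bytes:
    """RFC 2328 D.3: the key is 16 bytes; shorter configured keys are zero-padded."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return key.ljust(16, b"\x00")


def hello_body(mask, hello, dead, priority, dr, bdr, neighbors=()):
    """Hello body (RFC 2328 A.3.2). The values used below are constructed to match the article."""
    body = socket.inet_aton(mask) + struct.pack("!HBBI", hello, 0x02, priority, dead)
    body += socket.inet_aton(dr) + socket.inet_aton(bdr)
    for n in neighbors:
        body += socket.inet_aton(n)
    return body


def build_packet(body, router_id, area_id, autype=AUTH_CRYPTO, key_id=1, seq=1, key=b""):
    """Sender side (D.4.3): for AuType 2 the Authentication field carries
    0 / Key ID / Auth Data Len / cryptographic sequence number, the checksum is 0,
    and MD5(packet || padded key) is appended after the packet."""
    length = HEADER_LEN + len(body)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq) if autype == AUTH_CRYPTO else bytes(8)
    header = struct.pack("!BBH4s4sHH", 2, OSPF_HELLO, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id), 0, autype)
    packet = header + auth + body
    if autype == AUTH_CRYPTO:
        packet += hashlib.md5(packet + _pad_key(key)).digest()
    return packet


def verify_packet(packet, keychain, last_seq=None):
    """Receiver side (D.4.3). `keychain` maps Key ID -> key, like 'config md5-keys'.
    Returns (status, accepted_seq). The status strings are modelled on the FortiGate
    debug lines; they are not FortiOS's literal logic (assumption)."""
    _, _, length, _, _, _, autype = struct.unpack("!BBH4s4sHH", packet[:16])
    if autype != AUTH_CRYPTO:
        return "Authentication type mismatch", last_seq
    _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    key = keychain.get(key_id)
    if key is None or auth_len != DIGEST_LEN or len(packet) < length + DIGEST_LEN:
        return "Cryptographic authentication error", last_seq  # unknown Key ID or truncated
    if last_seq is not None and seq < last_seq:
        return "Cryptographic authentication error", last_seq  # replay: sequence went backwards
    expected = hashlib.md5(packet[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[length:length + DIGEST_LEN]):
        return "Cryptographic authentication error", last_seq  # wrong key or tampered packet
    return "ok", seq


def demo():
    """Hello from router 3.3.3.3 (the DR) on the /20 segment from the article, Key ID 1."""
    body = hello_body("255.255.240.0", 10, 40, 1, "10.162.0.114", "10.162.0.100", ["2.2.2.2"])
    pkt = build_packet(body, "3.3.3.3", "0.0.0.0", key_id=1, seq=2334819, key=b"fortinet123")
    tampered = pkt[:40] + bytes([pkt[40] ^ 0x01]) + pkt[41:]   # flip one bit in the BDR field
    unauth = build_packet(body, "3.3.3.3", "0.0.0.0", autype=AUTH_NULL)
    return {
        "matching key": verify_packet(pkt, {1: b"fortinet123"})[0],
        "wrong key": verify_packet(pkt, {1: b"fortinet124"})[0],
        "unknown key id": verify_packet(pkt, {2: b"fortinet123"})[0],
        "tampered": verify_packet(tampered, {1: b"fortinet123"})[0],
        "replayed": verify_packet(pkt, {1: b"fortinet123"}, last_seq=2334820)[0],
        "peer without auth": verify_packet(unauth, {1: b"fortinet123"})[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:18} -> {status}")
```

The "peer without auth" case is the 'Authentication type mismatch' line: the receiver rejects on AuType before it ever looks at the key. Every other failure (wrong key, unknown Key ID, modified packet, replayed sequence number) collapses into the single 'Cryptographic authentication error' line, which is why the debug output alone cannot tell a typo in the key string from a Key ID that was never configured on this side.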