sagha (Staff)
Article Id 191861

Description
This article describes how to configure OSPF MD5 authentication for OSPF-interfaces.

Related link:
https://docs.fortinet.com/document/fortigate/6.2.3/cli-reference/469620/router-ospf
Solution
FortiOS v6.0 and below.

1) Use the following commands to enable OSPF MD5 authentication.

config router ospf
    config ospf-interface
        edit [Interface Entry Name]
            set interface [Interface]
            set authentication md5
            set md5-key [Key ID] [Key String Value]
        next
    end
end

2) Example: MD5 authentication for port4.

config router ospf
    config ospf-interface
        edit "PORT4"
            set interface "port4"
            set authentication md5
            set md5-key 1 fortinet123
        next
    end
end

3) Verification commands.

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   Full/Backup     00:00:34    10.162.0.100    port4

get router info ospf interface port4
Port4 is up, line protocol is up
Internet Address 10.162.0.114/20, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 3.3.3.3, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 3.3.3.3, Interface Address 10.162.0.114
Backup Designated Router (ID) 2.2.2.2, Interface Address 10.162.0.100
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 2334819
Hello received 87518 sent 87469, DD received 8 sent 7
LS-Req received 2 sent 2, LS-Upd received 2410 sent 1933
LS-Ack received 1926 sent 2408, Discarded 7

FortiOS v6.2 and above.
 
1) The key can no longer be configured directly under ‘config ospf-interface’, as the ‘set md5-key’ option has been removed.

2) Go under ‘config ospf-interface’ and then under ‘config md5-keys’ to configure the keys.

3) Syntax.

config router ospf
    config ospf-interface
        edit [Interface Entry Name]
            set interface [Interface]
            set authentication md5
            config md5-keys
                edit [Key ID]
                    set key-string [Key String Value]
                next
            end
        next
    end
end

4) Example.

config router ospf
    config ospf-interface
        edit "PORT4"
            set interface "port4"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string fortinet123
                next
            end
        next
    end
end

5) Verification commands.

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   Full/DR         00:00:34    10.162.0.114    port4

get router info ospf interface port4
port4 is up, line protocol is up
Internet Address 10.162.0.100/20, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State Backup, Priority 1
Designated Router (ID) 3.3.3.3, Interface Address 10.162.0.114
Backup Designated Router (ID) 2.2.2.2, Interface Address 10.162.0.100
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:09
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 13694
Hello received 87449 sent 87545, DD received 7 sent 8
LS-Req received 2 sent 2, LS-Upd received 1927 sent 2410
LS-Ack received 2408 sent 1925, Discarded 0
Cryptographic authentication enabled
Sending SA: Key 1
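What ‘set authentication md5’ (and, in the key-chain variant, ‘set authentication message-digest’) puts on the wire is the RFC 2328 Appendix D cryptographic trailer, and the ‘Crypt Sequence Number’ shown in the verification output is its anti-replay counter. The following Python is an added example, not Fortinet code: it builds a constructed Hello using the interface values from the article's output, then validates the trailer and the sequence number the way a receiving router or a capture-analysis tool would. The key-ID-to-key-string mapping mirrors ‘set md5-key 1 fortinet123’; zero-padding short keys to 16 bytes is the usual implementation convention and is assumed here, not stated on the page.

```python
# Added example, not from the Fortinet article: a receive-side check of the
# OSPFv2 cryptographic (MD5) trailer that "set authentication md5" turns on.
import hashlib
import hmac
import ipaddress
import struct

AUTYPE_CRYPTO = 2  # RFC 2328 Appendix D: AuType 2 = cryptographic authentication

def ip(s: str) -> bytes:
    return ipaddress.ip_address(s).packed

def ospf_md5_trailer(packet: bytes, key: str) -> bytes:
    """RFC 2328 D.4.3: MD5 over header+body followed by the key; short keys are
    zero-padded to 16 bytes (implementation convention, assumed here)."""
    return hashlib.md5(packet + key.encode()[:16].ljust(16, b"\x00")).digest()

def build_hello(router_id: str, key_id: int, seq: int, key: str) -> bytes:
    """Constructed sample Hello: /20, hello 10, dead 40, DR .114, BDR .100
    (the values in the article's 'get router info ospf interface' output)."""
    body = (ip("255.255.240.0") + struct.pack("!HBBI", 10, 0x02, 1, 40)
            + ip("10.162.0.114") + ip("10.162.0.100"))
    # Header: version 2, type 1 (Hello), length, router ID, area 0, checksum 0 (unused
    # with AuType 2), AuType, auth field = reserved, key ID, auth len 16, sequence no.
    header = struct.pack("!BBH4s4sHHHBBI", 2, 1, 24 + len(body), ip(router_id),
                         b"\x00" * 4, 0, AUTYPE_CRYPTO, 0, key_id, 16, seq)
    return header + body + ospf_md5_trailer(header + body, key)

def verify_hello(frame: bytes, keys: dict, last_seq: dict) -> tuple:
    """keys: key ID -> key string (what 'set md5-key <id> <string>' configures).
    last_seq: neighbour router ID -> highest sequence number accepted so far."""
    if len(frame) < 24:
        return False, "truncated header"
    _, _, length, rid, _, _, autype = struct.unpack("!BBH4s4sHH", frame[:16])
    if autype != AUTYPE_CRYPTO:
        return False, "AuType is not cryptographic"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if auth_len != 16 or len(frame) < length + 16:
        return False, "bad digest length"
    if key_id not in keys:
        return False, "no key configured for key ID %d" % key_id
    expected = ospf_md5_trailer(frame[:length], keys[key_id])
    if not hmac.compare_digest(expected, frame[length:length + 16]):
        return False, "digest mismatch (key string differs?)"
    neighbour = str(ipaddress.ip_address(rid))
    if seq < last_seq.get(neighbour, 0):      # RFC 2328 D.4.3: must be >= last
        return False, "replayed sequence number"
    last_seq[neighbour] = seq
    return True, "ok"
```

A neighbour whose key string or key ID differs from yours fails the digest check and never reaches Full, which is exactly the symptom to look for when the neighbour table stays empty after enabling MD5.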

 

FortiOS v7.0 and above.
 
1) The key cannot be configured directly under ‘config ospf-interface’ or ‘config md5-keys’; a key chain needs to be created separately.
 
2) Go under ‘config router key-chain’, give the key chain a name, and configure the key under ‘config key’.
 
3) Syntax.

config router key-chain
    edit <name>
        config key
            edit <id>
                set key-string <key_value>
                set accept-lifetime START END ***
                set send-lifetime START END
            next
        end
    next
end
 
4) Set the key chain in the OSPF interface configuration.

config router ospf
    config ospf-interface
        edit <ospf_interface>
            set authentication message-digest
            set keychain <name>
        next
    end
end
 
***
START  HH:MM:SS DAY MONTH YEAR
       HH:MM:SS         Time of the day when the lifetime starts, in hours, minutes and seconds.
       DAY <1-31>       Specifies the day of the month to start.
       MONTH <1-12>     Specifies the month of the year to start.
       YEAR <1993-2035> Specifies the year to start.

END    TIME|duration|infinite
       TIME = HH:MM:SS DAY MONTH YEAR
                        Time of the day when the lifetime expires. Details are the same as for the start time.
       duration <1-2147483646>
                        Duration of the key in seconds.
 
5) Example.

config router key-chain
    edit tEST-01
        config key
            edit 1
                set key-string Fortinet123
                set accept-lifetime 09:04:00 04 10 2025 09:04:00 04 10 2030
                set send-lifetime 09:04:00 04 10 2025 09:04:00 04 10 2030
            next
        end
    next
end

config router ospf
    config ospf-interface
        edit tEST-LAB_lan
            set authentication message-digest
            set keychain tEST-01
        next
    end
end
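The accept-lifetime and send-lifetime of each key decide when the FortiGate will accept and send it, so a chain whose lifetimes leave a hole drops the adjacency at rollover. The following Python is an added example, not Fortinet code: it parses the lifetime syntax from the footnote above (START, then TIME, a duration in seconds, or infinite) and reports windows in which no key of a chain is valid. SAMPLE_CHAIN is constructed (key 1 is the article's example, key 2 an assumed successor), and checking each direction on its own is the example's own assumption.

```python
# Added example, not from the Fortinet article: parse the key-chain lifetime
# syntax of step 3 (START as HH:MM:SS DAY MONTH YEAR; END as TIME, a duration in
# seconds, or infinite) and find periods in which no key of a chain is valid.
from datetime import datetime, timedelta

# Constructed sample: key 1 is the article's example; key 2 (assumed) starts a
# day after key 1 expires, which leaves a one-day hole in the chain.
SAMPLE_CHAIN = {
    1: "09:04:00 04 10 2025 09:04:00 04 10 2030",
    2: "09:04:00 05 10 2030 infinite",
}

def _parse_time(tokens):
    """Consume 'HH:MM:SS DAY MONTH YEAR' from the front of tokens."""
    if len(tokens) < 4:
        raise ValueError("expected HH:MM:SS DAY MONTH YEAR")
    return datetime.strptime(" ".join(tokens[:4]), "%H:%M:%S %d %m %Y"), tokens[4:]

def parse_lifetime(spec: str):
    """Parse the argument of 'set accept-lifetime' / 'set send-lifetime'.
    Returns (start, end); end is None for 'infinite'."""
    start, rest = _parse_time(spec.split())
    if rest == ["infinite"]:
        return start, None
    if len(rest) == 1:                      # duration <1-2147483646> seconds
        seconds = int(rest[0])
        if not 1 <= seconds <= 2147483646:
            raise ValueError("duration out of range")
        return start, start + timedelta(seconds=seconds)
    end, leftover = _parse_time(rest)
    if leftover or end <= start:
        raise ValueError("END must be a later time, a duration, or 'infinite'")
    return start, end

def coverage_gaps(lifetimes):
    """lifetimes: (start, end) of every key in one direction (send or accept).
    Returns (from, to) windows in which no key is valid; OSPF neighbours would
    lose the adjacency there. Time before the first key is not reported."""
    spans = sorted(lifetimes, key=lambda span: span[0])
    gaps, reach = [], spans[0][1]
    for start, end in spans[1:]:
        if reach is None:                   # an earlier key never expires
            break
        if start > reach:
            gaps.append((reach, start))
        if end is None or end > reach:
            reach = end
    return gaps
```

Run coverage_gaps separately over the send-lifetimes and the accept-lifetimes of a chain before a rollover; the accept side of the new key should start before the send side of the old key ends.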