FortiGate
seyuboglu
Staff
Article Id 293965
Description: This article describes how to configure 'set auth-options' (TCP-AO key-chain authentication) for a BGP neighbor that already has an MD5 password set.
Scope

FortiOS 7.4.2 adds support for the TCP Authentication Option (TCP-AO, RFC 5925) to BGP.

TCP-AO replaces the legacy TCP MD5 signature option (RFC 2385) with stronger MACs and key rollover through key chains, which improves both the security and the reliability of BGP sessions.

Solution

The initial TCP-AO configuration is described in the following document:

BGP incorporates the advanced security measures of TCP Authentication Option (TCP-AO) 7.4.2

 

The 'set auth-options' option is not visible if MD5 is already enabled for the neighbor ('set password').

 

Example output:

 

FGT # config router bgp

FGT (bgp) # config neighbor

FGT (neighbor) # edit 10.10.10.10  <----- Select the neighbor to enable TCP-AO.

FGT (10.10.10.10) # show
    config neighbor
        edit "10.10.10.10"
            set soft-reconfiguration enable
            set remote-as 65500
            set password ENC jJaC34s9ygwRThgtATIluyHG6PLGhTQazNOMIn7TRpkyG/yd8WTX5o4Wdvs+vaCcqdh3MzQ4j4c02eYyTXdviQ8C8xGZJGLBOGDMooyWN6o1Fytwev06Zujb8rHRKVIVpsQcSw9/YDWWQ53ynNa9dYJDIw4nOBVT/rjPR60sCx0qjg1M9vDcvYYmhThPZuXSnrR2xQ==  <----- MD5 password is configured for the neighbor.
        next
    end

FGT (10.10.10.10) # set auth-options   <----- Command is not listed while the MD5 password is set.

command parse error before 'auth-options'
Command fail. Return code -61

FGT (10.10.10.10) #

 

To attach a key-chain to the BGP neighbor, the MD5 password must be removed first (a neighbor cannot use both MD5 and TCP-AO).

 

FGT (10.10.10.10) # unset password

 

FGT (10.10.10.10) # next

FGT (neighbor) # edit 10.10.10.10

FGT (10.10.10.10) # set auth-options 
<string> please input string value
TEST key-chain  <----- Pre-configured key chains are listed here once the password has been removed.

 

A key-chain referenced by BGP 'auth-options' may only contain keys that use the hmac-sha1 or cmac-aes128 algorithm (the two mandatory-to-implement TCP-AO MACs from RFC 5926). The CLI accepts other algorithms on the key when 'set algorithm' is typed, but rejects the key on 'next' if the key-chain is in use by BGP, as shown below.

 

config router key-chain
    edit "1"
        config key
            edit "11"
                set accept-lifetime 01:01:01 01 01 2026 2147483646
                set send-lifetime 01:01:01 01 01 2026 2147483646
                set key-string ENC 9wxlqfrtnRJ1anWHeVhorAhoY8hwY5KOD1HqMz34X/bwEOuId3l59rjiGXlbP+p4yMgW8qfAb4ol3WlQfGYq1x+0i2HAhi+aW/VRkPCFDFCRJMVHFfL4Kk2tshGkxXbZk6Kz0tngTYLJsA5ZcRYZOlRRfCkLfAU8gTAsnDx6aAsLw2brkd8sIii47NJ5X5komGitIllmMjY3dkVA
                set algorithm hmac-sha1
            next
        end
    next
end

FGT (11) # set algorithm ?
md5 MD5.
hmac-sha1 HMAC-SHA1.
hmac-sha256 HMAC-SHA256.
hmac-sha384 HMAC-SHA384.
hmac-sha512 HMAC-SHA512.
cmac-aes128 CMAC-AES128.

FGT (11) # set algorithm md5

FGT (11) # next
This key is used by BGP auth-options, and can only use hmac-sha1 or cmac-aes128.
object set operator error, -7 discard the setting
Command fail. Return code 1
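The two constraints on this page (the MD5 password must be unset before 'set auth-options' appears, and a key-chain used by BGP may only contain hmac-sha1 or cmac-aes128 keys) are easy to check offline before touching a production peer. The following script is an added example and not Fortinet code: it parses a FortiOS 'config/edit/set/next/end' text, lists neighbors still on MD5, checks whether a key-chain would be accepted by BGP auth-options, and emits the migration CLI in the order the page shows. The sample configuration embedded in it is constructed for the example, with the ENC blobs replaced by placeholders; 'parse_fortios', 'md5_neighbors', 'keychain_problems' and 'migration_commands' are the script's own names.

```python
"""Audit a FortiOS config for the BGP TCP-AO prerequisites (added example, not Fortinet code)."""
import shlex

# The only MACs a key-chain used by BGP 'set auth-options' may contain (see CLI error above).
BGP_AO_ALGORITHMS = ("cmac-aes128", "hmac-sha1")

# Constructed sample config; ENC values are placeholders, not real secrets.
SAMPLE_CONFIG = """\
config router key-chain
    edit "1"
        config key
            edit "11"
                set key-string ENC PLACEHOLDER-NOT-A-REAL-KEY
                set algorithm hmac-sha1
            next
        end
    next
    edit "weak"
        config key
            edit "1"
                set key-string ENC PLACEHOLDER-NOT-A-REAL-KEY
                set algorithm md5
            next
        end
    next
end
config router bgp
    config neighbor
        edit "10.10.10.10"
            set remote-as 65500
            set password ENC PLACEHOLDER-NOT-A-REAL-KEY
        next
        edit "10.10.10.20"
            set remote-as 65501
        next
    end
end
"""


def parse_fortios(text: str) -> dict:
    """Parse FortiOS config text into nested dicts: tables -> entries -> settings."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)          # handles the quoted names in 'edit "..."'
        if not words:
            continue
        kw, args, cur = words[0], words[1:], stack[-1]
        if kw == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif kw == "set":
            cur[args[0]] = " ".join(args[1:])
        elif kw == "unset":
            cur.pop(args[0], None)
        elif kw in ("next", "end"):
            stack.pop()
    return root


def md5_neighbors(cfg: dict) -> list:
    """Neighbors that still carry 'set password'; auth-options stays hidden for these."""
    neighbors = cfg.get("router bgp", {}).get("neighbor", {})
    return sorted(ip for ip, nb in neighbors.items() if "password" in nb)


def keychain_problems(cfg: dict, name: str) -> list:
    """Reasons BGP auth-options would reject the key-chain; an empty list means usable."""
    chains = cfg.get("router key-chain", {})
    if name not in chains:
        return [f"key-chain {name!r} does not exist"]
    problems = []
    for key_id, key in chains[name].get("key", {}).items():
        alg = key.get("algorithm", "<unset>")
        if alg not in BGP_AO_ALGORITHMS:
            problems.append(f"key {key_id!r} in key-chain {name!r} uses {alg}; "
                            f"BGP auth-options accepts only {' or '.join(BGP_AO_ALGORITHMS)}")
    return problems


def migration_commands(cfg: dict, neighbor: str, keychain: str) -> list:
    """CLI to move one neighbor from MD5 to TCP-AO, in the order the page requires:
    unset the password and re-enter the neighbor entry before 'set auth-options'."""
    problems = keychain_problems(cfg, keychain)
    if problems:
        raise ValueError("; ".join(problems))
    nb = cfg.get("router bgp", {}).get("neighbor", {}).get(neighbor)
    if nb is None:
        raise KeyError(f"BGP neighbor {neighbor!r} is not configured")
    cmds = ["config router bgp", "config neighbor", f"edit {neighbor}"]
    if "password" in nb:
        cmds += ["unset password", "next", f"edit {neighbor}"]
    return cmds + [f"set auth-options {keychain}", "next", "end", "end"]


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("neighbors still on MD5:", md5_neighbors(cfg))
    print("\n".join(migration_commands(cfg, "10.10.10.10", "1")))
```

Run it against the output of 'show router bgp' and 'show router key-chain' pasted into SAMPLE_CONFIG; 'migration_commands' refuses to produce CLI for a key-chain that the FortiGate would reject at 'next', so the check fails before the session is touched rather than after the MD5 password is already gone.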