seyuboglu
Staff
Article Id 293965

 

Description

This article describes how to configure 'set auth-options' when the MD5 password is set for the BGP neighbor (TCP-AO).
Scope

A new feature has been released to improve BGP security with the TCP Authentication Option (TCP-AO) in version v7.4.2. 

This integration provides enhanced security and reliability of BGP connections and contributes to the overall security of the internet.

Solution

The initial configuration for TCP-AO is described in the link below:

BGP incorporates the advanced security measures of TCP Authentication Option (TCP-AO) 7.4.2

 

The 'set auth-options' option is not visible if MD5 is already enabled for the neighbor (set password).

 

Example output:

 

FGT # config router bgp

FGT (bgp) # config neighbor

FGT (neighbor) # edit 10.10.10.10  <----- Select the neighbor to enable TCP-AO.

FGT (10.10.10.10) # show
    config neighbor
        edit "10.10.10.10"
            set soft-reconfiguration enable
            set remote-as 65500
            set password ENC jJaC34s9ygwRThgtATIluyHG6PLGhTQazNOMIn7TRpkyG/yd8WTX5o4Wdvs+vaCcqdh3MzQ4j4c02eYyTXdviQ8C8xGZJGLBOGDMooyWN6o1Fytwev06Zujb8rHRKVIVpsQcSw9/YDWWQ53ynNa9dYJDIw4nOBVT/rjPR60sCx0qjg1M9vDcvYYmhThPZuXSnrR2xQ==  <----- MD5 password is configured for the neighbor.
        next
    end

FGT (10.10.10.10) # set auth-options   <----- Command will not be listed.

command parse error before 'auth-options'
Command fail. Return code -61

FGT (10.10.10.10) #

 

To configure the key-chain for the BGP neighbor, the MD5 password needs to be removed first.

 

FGT (10.10.10.10) # unset password

 

FGT (10.10.10.10) # next

FGT (neighbor) # edit 10.10.10.10

FGT (10.10.10.10) # set auth-options 
<string> please input string value
TEST key-chain  <----- Pre-configured key chains are listed here after the password is removed.
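
Added example (not part of the original article and not Fortinet code): a Python audit that reads a saved configuration and reports which BGP neighbors still carry 'set password', and therefore need 'unset password' before 'set auth-options' can be applied. The sample configuration, the placeholder password value and the function names are constructed for illustration.

```python
import re
# Constructed sample of a FortiGate config backup (not taken from the article).
SAMPLE_CONFIG = '''
config router bgp
    config neighbor
        edit "10.10.10.10"
            set remote-as 65500
            set password ENC constructed-placeholder
        next
        edit "10.10.10.20"
            set auth-options "TEST"
        next
        edit "10.10.10.30"
        next
    end
    config network
        edit 1
        next
    end
end
'''

def audit_bgp_neighbors(config_text):
    """Map each BGP neighbor to 'md5', 'tcp-ao' or 'none'."""
    result, stack, neighbor = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])  # track nesting of config blocks
        elif line == "end" and stack:
            stack.pop()
        elif stack == ["router bgp", "neighbor"]:  # neighbor-level lines only
            m = re.match(r'edit\s+"?([^"\s]+)"?$', line)
            if m:
                neighbor = m.group(1)
                result[neighbor] = "none"
            elif line == "next":
                neighbor = None
            elif neighbor and line.startswith("set password "):
                result[neighbor] = "md5"  # MD5 set: 'set auth-options' is hidden
            elif neighbor and line.startswith("set auth-options "):
                result[neighbor] = "tcp-ao"
    return result

def blocked_for_tcp_ao(config_text):
    """Neighbors that need 'unset password' before 'set auth-options'."""
    return sorted(n for n, s in audit_bgp_neighbors(config_text).items() if s == "md5")

if __name__ == "__main__":
    print(blocked_for_tcp_ao(SAMPLE_CONFIG))
```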

 
