wcruvinel
Staff
Article Id 380979
Description: This article describes how to configure neighbor authentication in OSPF for IPv4 (OSPFv2) and OSPF for IPv6 (OSPFv3) and explains the key differences between authentication mechanisms.
Scope: FortiGate.
Solution:

The main difference between OSPF authentication in IPv4 (OSPFv2) and IPv6 (OSPFv3) is how authentication is applied. OSPFv2 has built-in authentication options, while OSPFv3 relies on IPsec.

 

Key Differences Between OSPFv2 and OSPFv3 Authentication:

| Feature | OSPFv2 (IPv4) | OSPFv3 (IPv6) |
|---|---|---|
| Authentication Method | Built-in (Text, MD5) | External via IPsec |
| Encryption | Not supported | Supported via IPsec (ESP) |
| Configuration | Directly in OSPF process | Requires separate IPsec configuration |

The sections below show how neighbor authentication is configured for OSPFv2, then how it is configured for OSPFv3, so the IPv4 and IPv6 approaches can be compared.

OSPFv2 Authentication (IPv4):

In traditional OSPF (IPv4), authentication is integrated within the protocol and can be configured in different ways:

  • None.
  • Text.
  • Message digest MD5.

 

config router ospf
    set router-id 192.168.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "port1"
            set interface "port1"
            set authentication md5
            set md5-key 1 "securekey"
        next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
            set area 0.0.0.0
        next
    end
end

OSPFv3 Authentication (IPv6):

OSPFv3 (IPv6) has no built-in authentication and relies on IPsec (AH or ESP) for security instead.

How it works:

  • AH (Authentication Header): Checks authenticity and integrity, but does not encrypt data.
  • ESP (Encapsulating Security Payload): Adds encryption along with authentication and integrity.
  • Authentication is set per interface using IPsec keys that must be hexadecimal and match the required length for the selected algorithm.
  • Security Parameters Index (SPI): For each key pair, a unique SPI value is required between 256 and 4,294,967,295.
  • Authentication Key (auth-key): Ensures data integrity and must be a properly formatted hexadecimal string.
  • Encryption Key (enc-key): Used for encryption and must match the algorithm’s required length.
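
The key and SPI constraints listed above can be checked before a configuration is pushed to a device. The following Python is an added example, not part of the original article or of any Fortinet tooling. The function names are hypothetical, and the algorithm names other than sha1 and 3des, along with the per-algorithm key lengths, are assumptions based on each algorithm's standard key size.

```python
import secrets
import string

# Key lengths in hex characters (2 per byte). Assumed from each algorithm's
# standard key size; confirm against the CLI reference for your FortiOS version.
AUTH_KEY_HEX = {"md5": 32, "sha1": 40, "sha256": 64, "sha384": 96, "sha512": 128}
ENC_KEY_HEX = {"des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64}
SPI_MIN, SPI_MAX = 256, 4_294_967_295  # SPI range stated in the article


def _check_key(name, key, alg, table):
    """Return a list of problems with one hex key for the given algorithm."""
    if alg not in table:
        return [f"{name}: unknown algorithm {alg!r}"]
    problems = []
    if not key or any(c not in string.hexdigits for c in key):
        problems.append(f"{name}: not a hexadecimal string")
    if len(key) != table[alg]:
        problems.append(f"{name}: {alg} needs {table[alg]} hex chars, got {len(key)}")
    return problems


def validate_ipsec_key(spi, auth_alg, auth_key, enc_alg=None, enc_key=None):
    """Validate one ipsec-keys entry; enc_alg=None models AH (no encryption)."""
    problems = []
    if not SPI_MIN <= spi <= SPI_MAX:
        problems.append(f"spi: {spi} outside {SPI_MIN}-{SPI_MAX}")
    problems += _check_key("auth-key", auth_key, auth_alg, AUTH_KEY_HEX)
    if enc_alg is not None:
        problems += _check_key("enc-key", enc_key or "", enc_alg, ENC_KEY_HEX)
    return problems


def generate_key(alg):
    """Generate a random uppercase hex key of the right length for alg."""
    table = {**AUTH_KEY_HEX, **ENC_KEY_HEX}
    return secrets.token_hex(table[alg] // 2).upper()


if __name__ == "__main__":
    # Constructed sample: 64-character keys paired with sha1/3des are rejected.
    bad = validate_ipsec_key(256, "sha1", "AB" * 32, "3des", "CD" * 32)
    print("\n".join(bad))
    # Freshly generated keys of the correct length pass.
    ok = validate_ipsec_key(1000, "sha256", generate_key("sha256"),
                            "aes256", generate_key("aes256"))
    print("valid" if not ok else ok)
```

Both OSPFv3 neighbors need the same SPI, algorithms and keys on the link, so run the check once and apply the validated values to each side.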

 

Example configuration using IPsec (ESP) authentication. The entry ID under ipsec-keys (256) is the SPI, and the 64-character hexadecimal keys are 32 bytes long, the key length used by SHA-256 and AES-256. The keys shown are sample values; generate your own.

config router ospf6
    set router-id 192.168.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf6-interface
        edit "port1"
            set interface "port1"
            set network-type point-to-point
            set authentication esp
            set ipsec-auth-alg sha256
            set ipsec-enc-alg aes256
            config ipsec-keys
                edit 256
                    set auth-key A1B2C3D4E5F60789AABBCCDDEEFF0011A1B2C3D4E5F60789AABBCCDDEEFF0011
                    set enc-key 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
                next
            end
        next
    end
end

 
