FortiGate
jlim11
Staff
Article Id 356030
Description

This article describes why the OSPF neighborship is not forming when OSPF authentication is enabled and the interface is on PPPoE addressing mode.

[Screenshot: port2 pppoe mode]

 

[Screenshot: ospf config gui]

 

Key ID '1' is used for the OSPF authentication.

[Screenshot: cli ospf key chain config]


However, the OSPF neighborship does not form, even though the packet sniffer shows that FortiGate and its neighbor are trying to form it.

 

[Screenshot: sniffer and ospf neigh output]


When running the OSPF debug, 'Authentication error' will show. It is also seen that the FortiGate sent a key-id of '0' while the neighbor sent a key-id of '1', causing the authentication error. 

diag ip router ospf all enable

diag ip router ospf level info

diag debug en

 

OSPF: SEND[Hello]: To 224.0.0.5 via ppp2:10.13.13.254, length 60
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 44
OSPF: Router ID 10.13.13.254
OSPF: Area ID 0.0.0.0
OSPF: Checksum 0x0
OSPF: AuType 2
OSPF: Cryptographic Authentication
OSPF: Key ID 0
OSPF: Auth Data Len 16
OSPF: Sequence number 2894
OSPF: Hello
OSPF: NetworkMask 255.255.255.255
OSPF: HelloInterval 10
OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 0.0.0.0
OSPF: BDRouter 0.0.0.0
OSPF: # Neighbors 0
OSPF: -----------------------------------------------------
OSPF: RECV[Hello]: From 192.168.145.230 via ppp2:10.13.13.254 (10.13.13.1 -> 224.0.0.5)
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 44
OSPF: Router ID 192.168.145.230
OSPF: Area ID 0.0.0.0
OSPF: Checksum 0x0
OSPF: AuType 2
OSPF: Cryptographic Authentication
OSPF: Key ID 1
OSPF: Auth Data Len 16
OSPF: Sequence number 3293
OSPF: Hello
OSPF: NetworkMask 255.255.255.255
OSPF: HelloInterval 10
OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: RtrPriority 128
OSPF: RtrDeadInterval 40
OSPF: DRouter 0.0.0.0
OSPF: BDRouter 0.0.0.0
OSPF: # Neighbors 0
OSPF: -----------------------------------------------------
OSPF: RECV[Hello]: From 192.168.145.230 via ppp2:10.13.13.254: Authentication error
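
To check a saved debug capture for this condition, the sketch below (an added example, not Fortinet code) parses output in the format shown above and reports interfaces where the Key ID FortiGate sends never matches the Key ID its neighbor sends. The function names and the trimmed sample capture are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed lines in the debug format shown in this article.
SAMPLE = """\
OSPF: SEND[Hello]: To 224.0.0.5 via ppp2:10.13.13.254, length 60
OSPF: AuType 2
OSPF: Key ID 0
OSPF: RECV[Hello]: From 192.168.145.230 via ppp2:10.13.13.254 (10.13.13.1 -> 224.0.0.5)
OSPF: AuType 2
OSPF: Key ID 1
OSPF: RECV[Hello]: From 192.168.145.230 via ppp2:10.13.13.254: Authentication error
"""

# Packet banner: direction, then "via <interface>:<local IP>", then any trailer.
HDR = re.compile(r"^OSPF: (SEND|RECV)\[\w+\]: .* via ([^:\s]+):\d+\.\d+\.\d+\.\d+(.*)$")
KEY = re.compile(r"^OSPF: Key ID (\d+)$")

def key_id_report(text):
    """Return {interface: {"sent": set, "received": set, "auth_errors": int}}."""
    report = defaultdict(lambda: {"sent": set(), "received": set(), "auth_errors": 0})
    current = None  # (direction, interface) of the packet currently being dumped
    for line in text.splitlines():
        line = line.strip()
        m = HDR.match(line)
        if m:
            direction, iface, trailer = m.groups()
            if "Authentication error" in trailer:
                report[iface]["auth_errors"] += 1
                current = None  # error banner has no header dump after it
            else:
                current = (direction, iface)
            continue
        k = KEY.match(line)
        if k and current:
            side = "sent" if current[0] == "SEND" else "received"
            report[current[1]][side].add(int(k.group(1)))
    return dict(report)

def mismatched_interfaces(text):
    """Interfaces where sent and received Key IDs have no value in common."""
    return sorted(
        iface for iface, r in key_id_report(text).items()
        if r["sent"] and r["received"] and not (r["sent"] & r["received"])
    )

if __name__ == "__main__":
    print(mismatched_interfaces(SAMPLE), key_id_report(SAMPLE))
```
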

Scope

FortiGate.

Solution

When authentication is enabled in the area configuration, FortiGate sends a key-id of '0' to all neighbors unless the OSPF interface is manually set to use a specific key-chain.

Since the interface used is 'port2', which uses PPPoE addressing mode, FortiGate creates a virtual interface for it (ppp2 in the output below). This virtual interface cannot be selected in the OSPF interface configuration.

 

FortiGate # diag ip address list | grep ppp
IP=10.13.13.254->10.13.13.1/255.255.255.255 index=20 devname=ppp2

 

[Screenshot: interface list not avail]

 

Instead of setting port2's addressing mode to PPPoE, configure a PPPoE interface.

 

[Screenshot: PPPoE interface]

 

[Screenshot: pppoe interface gui]


Afterwards, the debug shows that the configured key ID is now used.

OSPF: SEND[Hello]: To 224.0.0.5 via PPPoE:10.13.13.255, length 60
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 44
OSPF: Router ID 10.0.100.1
OSPF: Area ID 0.0.0.0
OSPF: Checksum 0x0
OSPF: AuType 2
OSPF: Cryptographic Authentication
OSPF: Key ID 1
OSPF: Auth Data Len 16
OSPF: Sequence number 87
OSPF: Hello
OSPF: NetworkMask 255.255.255.255
OSPF: HelloInterval 10
OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 0.0.0.0
OSPF: BDRouter 0.0.0.0
OSPF: # Neighbors 0

OSPF: -----------------------------------------------------

The OSPF neighborship is now formed.

get router info ospf neighbor


OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
192.168.145.230 128 Full/ - 00:00:33 10.13.13.1 PPPoE
