From: kym blair (kymblair@hotmail.com)
Date: Thu Dec 26 2002 - 20:00:21 GMT-3
Jerry,
Justin's comment was valid, except he reversed the statement ... should be:
"if you enable authentication for area 0, you must also ensure the virtual
links have authentication enabled":
router ospf 1
 area 0 authentication
 area 1 virtual-link ..... authentication
In this case, you need the "area 0 authentication" statement on the remote
router.
One other point ... I have found that if you have multiple virtual links
from a hub router, you should use a different key for each virtual-link.
They can use the same password, but should be R1-R2=key1, R1-R3=key2,
R1-R4=key3. Other people say they have no problem using the same key, but I
have encountered the problem on several different racks, so it isn't just
the IOS that I'm using at home. Distinct keys solve the problem for me.
HTH, Kym
>From: "Jerry Haverkos" <jhaverkos@columbus.rr.com>
>Reply-To: "Jerry Haverkos" <jhaverkos@columbus.rr.com>
>To: "'Lysyuk Andrew'" <lysyuk@ics.ua>
>CC: <ccielab@groupstudy.com>
>Subject: RE: Help me pls with OSPF authentication.
>Date: Thu, 26 Dec 2002 15:42:11 -0500
>
>Lysyuk
>
>I am on IOS 12.1.13 and my configs show no correlation between
>authentication of area 0 and authentication on the virtual link. The
>following are excerpts from my configs on the router that houses area 0 and
>participates as part of the virtual link in my network. They show that there
>is no correlation in my network.
>
>3640-1_R1#sho ip ospf virtual-links
>Virtual Link OSPF_VL0 to router 0.0.0.4 is up
> Run as demand circuit
> DoNotAge LSA allowed.
> Transit area 4, via interface Serial1/0.4, Cost of using 781
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:05
> Adjacency State FULL (Hello suppressed)
> Index 1/4, retransmission queue length 0, number of retransmission 1
> First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> Last retransmission scan length is 1, maximum is 1
> Last retransmission scan time is 0 msec, maximum is 0 msec
> Message digest authentication enabled
> Youngest key id is 1
>
>
>Note -- on the router there is only one interface in area 0 and it does not
>specify authentication
>
>3640-1_R1#
>router ospf 100
> router-id 0.0.0.1
> log-adjacency-changes
> no discard-route internal
> area 0 range 149.1.254.0 255.255.255.0
> area 0 range 149.1.0.0 255.255.0.0
> area 1 range 149.1.1.0 255.255.255.0
> area 2 authentication message-digest
> area 2 stub no-summary
> area 2 range 149.1.2.0 255.255.255.0
> area 4 range 149.1.4.0 255.255.255.0
> area 4 virtual-link 0.0.0.4 authentication message-digest
> area 4 virtual-link 0.0.0.4 message-digest-key 1 md5 cubbies
> area 5 authentication message-digest
> area 5 nssa no-summary
> area 5 range 149.1.5.0 255.255.255.0
> summary-address 17.0.0.0 255.0.0.0 not-advertise
> network 149.1.1.0 0.0.0.255 area 1
> network 149.1.2.0 0.0.0.255 area 2
> network 149.1.4.0 0.0.0.255 area 4
> network 149.1.5.0 0.0.0.255 area 5
> network 149.1.254.254 0.0.0.0 area 0
> neighbor 149.1.2.254
> neighbor 149.1.4.254
> neighbor 149.1.5.254
>
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Justin Menga
>Sent: Thursday, December 26, 2002 1:11 AM
>To: Jude Servi; 'Robert Slaski'; 'Manish Gupta'
>Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
>Subject: RE: Help me pls with OSPF authentication.
>
>
>Also, if you enable authentication for a virtual link, you must also ensure
>area 0 has authentication enabled:
>
>router ospf 1
> area 0 authentication
> area 1 virtual-link .....
>
>Regards,
>Justin
>
>-----Original Message-----
>From: Jude Servi [mailto:jservi@cisco.com]
>Sent: Wednesday, December 25, 2002 12:36 PM
>To: 'Robert Slaski'; 'Manish Gupta'
>Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
>Subject: RE: Help me pls with OSPF authentication.
>
>
>Don't forget to add authentication to a virtual link if needed. Example for
>md5 auth:
>
>router ospf 1
> area # virtual-link <neighbor ip addr> authentication message-digest message-digest-key # <key>
>
>Jude
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Robert Slaski
>Sent: Saturday, December 21, 2002 11:16 AM
>To: Manish Gupta
>Cc: Lysyuk Andrew; ccielab@groupstudy.com
>Subject: Re: Help me pls with OSPF authentication.
>
>
>Manish Gupta wrote:
> > I always prefer
> >
> > Under router ospf x
> > area x authentication (plain or MD5)
> >
> > Under interface:
> > ip ospf authentication <password> if plain
>
>You meant 'ip ospf authentication-key' I think, but this does not answer
>Andrew's question.
>
>There are two authentication types available in OSPF: per area and per
>interface. If both are configured, then per-interface authentication
>takes precedence. Both have plain-text and MD5 checksum variants.
>
>Per area:
>1. enable area authentication
>(config-router)# area <area> authentication [message-digest]
>2. setup keys (this should be done on each area interface)
>(config-if)# ip ospf authentication-key <text> # for plain text
> or
>(config-if)# ip ospf message-digest-key <key_id> md5 0 <text> # for MD5
>
>Per interface:
>1. enable interface authentication
>(config-if)# ip ospf authentication [message-digest | null]
>2. setup keys (same as above)
>
>mikrobi,
>--
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:53 GMT-3
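
Added example, not written by any poster in this thread: a small Python check that applies Kym's two points to a `router ospf` block, flagging virtual links whose authentication does not match an authenticated area 0 and key IDs shared between virtual links. It assumes Kym's "key" means the message-digest key ID; the sample config, the finding names and the `audit` function are constructed for illustration.

```python
import re

# Constructed hub config (not from the thread); <secret> is a placeholder.
SAMPLE = """\
router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 0.0.0.2 authentication message-digest
 area 1 virtual-link 0.0.0.2 message-digest-key 1 md5 <secret>
 area 1 virtual-link 0.0.0.3 authentication message-digest
 area 1 virtual-link 0.0.0.3 message-digest-key 1 md5 <secret>
 area 1 virtual-link 0.0.0.4
"""

AREA0 = re.compile(r"^\s*area (?:0|0\.0\.0\.0) authentication( message-digest)?\s*$")
VLINK = re.compile(r"^\s*area (\S+) virtual-link (\S+)(.*)$")
VL_AUTH = re.compile(r"\bauthentication(?!-key)( message-digest| null)?")
VL_KEY = re.compile(r"\bmessage-digest-key (\d+) md5\b")

def audit(config):
    """Return sorted (finding, router-id) tuples for one 'router ospf' block."""
    area0 = None   # None = off, else "simple" or "message-digest"
    links = {}     # router-id -> {"auth": type or None, "keys": set of key ids}
    for line in config.splitlines():
        m = AREA0.match(line)
        if m:
            area0 = (m.group(1) or " simple").strip()
            continue
        m = VLINK.match(line)
        if not m:
            continue
        link = links.setdefault(m.group(2), {"auth": None, "keys": set()})
        a = VL_AUTH.search(m.group(3))
        if a:
            link["auth"] = (a.group(1) or " simple").strip()
        link["keys"].update(int(k) for k in VL_KEY.findall(m.group(3)))
    findings = set()
    key_users = {}  # key id -> router-ids whose virtual link uses it
    for rid, link in links.items():
        if area0 and link["auth"] != area0:   # rule as stated in the thread
            findings.add(("vlink-auth-differs-from-area0", rid))
        for k in link["keys"]:
            key_users.setdefault(k, []).append(rid)
    for rids in key_users.values():
        if len(rids) > 1:                     # Kym's distinct-key advice
            findings.update(("key-id-shared-between-vlinks", r) for r in rids)
    return sorted(findings)
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A configuration like Jerry's, with an MD5-authenticated virtual link and no `area 0 authentication` line, produces no findings under these two rules.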