From: Brian Dennis (brian@labforge.com)
Date: Fri Jul 04 2003 - 02:16:51 GMT-3
The debug specified that the "other" router is using null
authentication. Can you send us the config from the other router?
02:40:42: OSPF: Rcv pkt from 172.16.26.6,
OSPF_VL3 : Mismatch Authentication type.
Input packet specified type 0, we use type 2
^^^^^^^^^^^^^^^^^^^^^
The "other" router should have one of the following configurations to
correct the problem:
router ospf 1
 area 0 authentication message-digest
 area 26 virtual-link 192.100.2.2 message-digest-key 1 md5 cisco

router ospf 1
 area 26 virtual-link 192.100.2.2 authentication message-digest
 area 26 virtual-link 192.100.2.2 message-digest-key 1 md5 cisco
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brit Walker (brwalker)
Sent: Thursday, July 03, 2003 6:22 PM
To: ccielab@groupstudy.com
Subject: Virtual-link Authentication
Here is the task -
Configure MD5 authentication for Area 0. Use key 1. The MD5 password is
"cisco".
Do not configure explicit authentication on any interfaces or virtual
links.
If I do not add the following command for the virtual-link, then I get
the Mismatch Authentication type error message via debug ip ospf adj.
area 26 virtual-link 172.16.26.6 authentication message-digest
debug ip ospf adj
02:40:42: OSPF: Rcv pkt from 172.16.26.6, OSPF_VL3 : Mismatch Authentication type. Input packet specified type 0, we use type 2
router ospf 1
 router-id 192.100.2.2
 log-adjacency-changes
 area 0 authentication message-digest
 area 26 virtual-link 172.16.26.6 authentication message-digest
 area 26 virtual-link 172.16.26.6 message-digest-key 1 md5 cisco
 network 172.16.26.0 0.0.0.255 area 26
 network 172.16.123.0 0.0.0.255 area 0
 network 192.100.2.0 0.0.0.255 area 0
I would think "area 26 virtual-link 172.16.26.6 authentication
message-digest" is needed. However, I have seen working configs where it
is not needed.
I have also gotten the following input from a colleague. We are still not
able to follow the task to the letter. Suggestions?
------------------------------------------------------------------------
"Do not configure explicit authentication on any interfaces or virtual
links."
I take this to mean that you can't use the IP OSPF Message command on
the interface or the virtual link.
This isn't a problem though. You can accomplish this task by configuring
Router OSPF 100
area 0 authentication message-digest (for MD5)
or
area 0 authentication (for clear password)
on all area 0 routers, as well as on the ABR Router on both ends of the
virtual link (even though the virtual link router furthest away doesn't
have any interfaces in OSPF Area ). Skip configuring any IP OSPF Message...
commands on the interfaces in Area 0 as well as on either end of the
virtual link. I can vouch for this working because I just tried it. I
think that this is what other group members told you to do.
This works because placing the Area 0 Authentication command on the
router enables authentication on all interfaces that reside within Area 0.
You don't need any commands on the interface to do this. This was the
only way to configure OSPF Authentication in the early days of IOS.
There was no way to remove authentication from specific interfaces in
Area 0. It was all or nothing.
With recent versions of IOS, if you want to turn off authentication on a
single area 0 interface, add the following line to that interface.
Interface s0
ip ospf authentication null
This will allow authentication on all interfaces in area 0 except for
this one.
Finally, you can assign different keys to the Area 0 interfaces on the
router by using the IP OSPF Message-digest-key command or the IP OSPF
Authentication-key commands. In this way, you can run a key of cisco on
one link, and a key of bananas on another. I don't think that you can mix
clear password and MD5 in one area though.
The difficulty with this solution is that the problem goes on to say
"Configure MD5 authentication for Area 0. Use key 1. The MD5 password is
"cisco".
The Area 0 authentication message-digest seems to use a default key #0.
Unless I use a message digest key command on the interface, I don't know
how to tell OSPF to use key 1 - cisco instead of key 0. The problem
seems to preclude using an OSPF Message-digest command.
I searched the Cisco web site, and played with the routers all
afternoon, and didn't find a way around this.
Does anyone else have any clues?
------------------------------------------------------------------------
Any suggestions?
Brit
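
Added example, not part of the original messages: a Python sketch of the receive-side check behind the "Mismatch Authentication type" debug line, using the OSPFv2 header layout from RFC 2328 (AuType 0 = null, 2 = cryptographic). The function names and the packet bytes are constructed for illustration; it shows that a virtual-link packet carries area ID 0.0.0.0 and where the key ID sits in the header.

```python
import struct

# OSPFv2 common header (RFC 2328 A.3.1): version, type, length, router ID,
# area ID, checksum, AuType, then 8 bytes of authentication data.
HEADER = struct.Struct("!BBH4s4sHH8s")


def dotted(raw):
    return ".".join(str(b) for b in raw)


def build_header(router_id, autype, key_id=0, seq=0):
    """Constructed sample: Hello header as sent over a virtual link."""
    rid = bytes(int(o) for o in router_id.split("."))
    # AuType 2 layout: 0x0000, key ID, digest length (16 for MD5), sequence.
    auth = struct.pack("!HBBI", 0, key_id, 16, seq) if autype == 2 else bytes(8)
    # Packets on a virtual link carry the backbone area ID 0.0.0.0.
    return HEADER.pack(2, 1, HEADER.size, rid, bytes(4), 0, autype, auth)


def check_auth(packet, our_autype, our_key_id=None):
    """Return (accepted, reason); the MD5 digest itself is not verified here."""
    if len(packet) < HEADER.size:
        return False, "truncated OSPF header"
    _v, _t, _len, rid, area, _ck, autype, auth = HEADER.unpack_from(packet)
    src = f"router {dotted(rid)} area {dotted(area)}"
    if autype != our_autype:
        return False, (f"{src}: Mismatch Authentication type. Input packet "
                       f"specified type {autype}, we use type {our_autype}")
    if autype == 2:
        _zero, key_id, _dlen, _seq = struct.unpack("!HBBI", auth)
        # A packet whose key ID is not configured locally is discarded.
        if our_key_id is not None and key_id != our_key_id:
            return False, f"{src}: key ID {key_id} received, we use key ID {our_key_id}"
    return True, f"{src}: AuType {autype} accepted"


if __name__ == "__main__":
    samples = {
        "far end sends null auth": build_header("172.16.26.6", 0),
        "far end sends MD5, key 1": build_header("172.16.26.6", 2, key_id=1, seq=7),
        "far end sends MD5, key 0": build_header("172.16.26.6", 2, key_id=0, seq=7),
    }
    for label, pkt in samples.items():
        print(label, "->", check_auth(pkt, our_autype=2, our_key_id=1))
```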