08-01-2011 12:53 AM - edited 03-04-2019 01:08 PM
I have 3 routers: R1(S1/0:192.168.1.1/24)----(S1/0:192.168.1.2/24)R2(S1/1:192.168.2.1/24)--------------(S1/1:192.168.2.2/24)R3
R1 Loopback0: 1.1.1.1/24
R2 Loopback0: 2.2.2.2/24
R3 Loopback0: 3.3.3.3/24
All interfaces are in EIGRP 100. I want to configure authentication on R1, R2 and R3. On R1 and R3 I use authentication with key chain cisco but without key-id 1; on R2 the key chain cisco has two key-ids. Key-id 2 with key-string abc matches on all routers. When the routers form the neighbor relationship there is a problem: on R1 and R3 I can't see the neighbor, but on R2 I have the log:
R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                (sec)           (ms)         Cnt  Num
0   192.168.2.2     Se1/1       13    00:00:01  1      2000  2    0
1   192.168.1.1     Se1/0       12    00:00:39  1      5000  2    0
*Aug 1 14:42:51.295: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is down: retry limit exceeded
*Aug 1 14:42:51.567: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is up: new adjacency
*Aug 1 14:43:24.407: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is down: retry limit exceeded
*Aug 1 14:43:29.135: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is up: new adjacency
*Aug 1 14:44:11.107: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is down: retry limit exceeded
*Aug 1 14:44:14.879: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is up: new adjacency
*Aug 1 14:44:48.671: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is down: retry limit exceeded
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R3#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R1 Configuration:
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 cisco
 serial restart-delay 0
!
key chain cisco
 key 2
  key-string abc
!
router eigrp 100
 network 1.1.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
R2 Configuration:
key chain cisco
 key 1
  key-string 123
 key 2
  key-string abc
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Serial1/0
 ip address 192.168.1.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 cisco
 no fair-queue
!
interface Serial1/1
 ip address 192.168.2.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 cisco
!
router eigrp 100
 network 2.2.2.0 0.0.0.255
 network 192.168.1.0
 network 192.168.2.0
 no auto-summary
R3 Configuration:
key chain cisco
 key 2
  key-string abc
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Serial1/1
 ip address 192.168.2.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 cisco
 serial restart-delay 0
What's the problem?
Thanks
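An added example, not part of the original question or of any reply in this thread: a small Python parser for the %DUAL-5-NBRCHANGE lines quoted above. It summarises, per neighbor, how often the adjacency went down and up, why, and how long it stayed up, and singles out neighbors whose only down reason is "retry limit exceeded". The sample log is the seven lines from the question; the regular expression, the function names and the flap threshold are my own choices.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The seven syslog lines from R2's console as posted in the question.
# The year is not in the log, so timestamps are parsed without it.
SAMPLE_LOG = """\
*Aug 1 14:42:51.295: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is down: retry limit exceeded
*Aug 1 14:42:51.567: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is up: new adjacency
*Aug 1 14:43:24.407: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is down: retry limit exceeded
*Aug 1 14:43:29.135: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is up: new adjacency
*Aug 1 14:44:11.107: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is down: retry limit exceeded
*Aug 1 14:44:14.879: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is up: new adjacency
*Aug 1 14:44:48.671: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is down: retry limit exceeded
"""

# Assumed line layout (matches the lines above): optional '*', timestamp with
# milliseconds, message name, instance id, AS number, neighbor, interface, state, reason.
NBRCHANGE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\.\d+: "
    r"%DUAL-5-NBRCHANGE: IP-EIGRP\(\d+\) (?P<asn>\d+): "
    r"Neighbor (?P<nbr>\S+) \((?P<intf>[^)]+)\) is (?P<state>up|down): (?P<reason>.+)$"
)


def parse_events(lines):
    """Return one dict per %DUAL-5-NBRCHANGE line; any other line is ignored."""
    events = []
    for line in lines:
        m = NBRCHANGE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def flap_summary(events, min_downs=2):
    """Per neighbor: down/up counts, the reasons given for each 'down', and the
    shortest time the adjacency stayed up between an 'up' and the next 'down'.
    Only neighbors that went down at least min_downs times are reported."""
    per = defaultdict(lambda: {"interface": None, "downs": 0, "ups": 0,
                               "reasons": Counter(), "shortest_uptime_s": None})
    last_up = {}
    for ev in events:
        info = per[ev["nbr"]]
        info["interface"] = ev["intf"]
        if ev["state"] == "up":
            info["ups"] += 1
            last_up[ev["nbr"]] = ev["ts"]
        else:
            info["downs"] += 1
            info["reasons"][ev["reason"]] += 1
            if ev["nbr"] in last_up:
                up_for = (ev["ts"] - last_up[ev["nbr"]]).total_seconds()
                cur = info["shortest_uptime_s"]
                info["shortest_uptime_s"] = up_for if cur is None else min(cur, up_for)
    return {nbr: dict(info) for nbr, info in per.items() if info["downs"] >= min_downs}


def one_way_suspects(summary):
    """Neighbors whose every 'down' was 'retry limit exceeded': this router kept
    resending reliable packets and never got an ACK, while it still accepted the
    peer's hellos (the adjacency keeps coming back). That asymmetry is what the
    replies below attribute to the peer discarding this router's packets."""
    return sorted(nbr for nbr, info in summary.items()
                  if set(info["reasons"]) == {"retry limit exceeded"})


if __name__ == "__main__":
    summary = flap_summary(parse_events(SAMPLE_LOG.splitlines()))
    for nbr, info in summary.items():
        print(nbr, info)
    print("one-way suspects:", one_way_suspects(summary))
```

Run against the question's log, both neighbors of R2 are reported with two downs each, always "retry limit exceeded", and an uptime of roughly 80 seconds between flaps. "Retry limit exceeded" on its own is not proof of an authentication problem (an MTU mismatch or a one-directional link produces the same message), so the next check is the key chains on both ends of each link.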
Labels: Routing Protocols
Accepted Solutions
08-01-2011 11:01 PM
Hello,
From the EIGRP Configuration Guide for IOS 12.4T at:
EIGRP Route Authentication
EIGRP route authentication provides message digest algorithm 5 (MD5) authentication of routing updates from the EIGRP routing protocol. The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.
Each key has its own key identifier (specified with the key number key chain configuration command), which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and MD5 authentication key in use.
You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and uses the first valid key it encounters.
To put it into simple rules:
- Both key numbers and key strings must match for the authentication to be successful.
- For signing sent packets, the router will use the lowest-numbered key in the keychain. The key number will also be recorded in the sent packet.
- For authenticating received packets, the router will use the key identified by the key number in the received packet.
Now, to your questions.
So in the key chain only the lowest key-id will be used.
For sending packets, yes. For receiving packets, the router will use the key that is indicated in the received packet.
If the key chain cisco on the 3 routers has key-id 1 with mismatching key-strings, and key-id 2 and 3 or ... with matching key-strings, will the authentication fail???
In general, the authentication will fail if at least one of the following occurs:
- The key that was used to sign the packet does not exist at the receiving router (e.g. the packet was signed using the key 2, but there is no key 2 created in the receiver's keychain). Note that this also includes situations when using the same key-string but different key numbers.
- The key used to sign the packet exists at the receiving router but the key-strings differ (e.g. the sending router uses the key 1 with key-string 1234 while the receiving router uses the key 1 with key-string asdf).
- The packet was modified during transit from the sender to the receiver, either by accident or by some malicious action.
Please feel welcome to ask further.
Best regards,
Peter
08-01-2011 01:19 AM
Hello,
R1 and R3 have a single key configured in their keychains (the key 2 - abc) and they use it for authenticating both sent and received EIGRP packets. Whenever they send an authenticated packet, they include the key number 2 in the authenticated packet so that the receiving party can use the appropriate key to verify the packet's integrity.
R2 has two keys configured, and because all of them are valid both for sending and receiving, R2 uses the lowest-numbered key, i.e. key 1, to authenticate its sent packets. When it receives a packet, it uses the appropriate key that was used to authenticate the packet because the key number is carried along with the authenticated packet.
Hence, R2 uses the key 2 to authenticate packets coming from R1 and R3, and because the key 2 is configured correctly on all routers, the check is successful.
However, when R2 sends an EIGRP packet, it uses the lowest-numbered valid key, i.e. key 1, to authenticate it. Because R1 and R3 do not have any key 1 configured, they drop the packet because it does not pass the validity check.
Therefore you see the neighbors flapping on R2 - R2 can see and accept packets from R1 and R3, but they do not accept packets from R2.
The solution is to have the same key chain configured on all routers connected into the same network segment.
Best regards,
Peter
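To make the two selection rules in Peter's replies concrete (sender signs with the lowest-numbered valid key and records its number; receiver looks up the key number carried in the packet), here is an added Python model. It is not IOS code and not from this thread: the Key and Router names are mine, the keyed digest is a simplified stand-in (MD5 over the packet bytes plus the key string, not the real IOS packet layout), and key lifetimes are not modelled, so every configured key counts as valid. It runs the key chains exactly as posted in the question over both links in both directions, then repeats the run with the identical key chain on all three routers, and its verify() also reproduces the three failure cases listed in the accepted answer.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    number: int   # the key-id from 'key <n>'
    string: str   # the 'key-string <s>'


def keyed_digest(payload: bytes, key_string: str) -> str:
    # Simplified model of the MD5 keyed digest: MD5 over the packet bytes with the
    # key string appended. Only the key-selection rules matter for this illustration.
    return hashlib.md5(payload + key_string.encode()).hexdigest()


class Router:
    def __init__(self, name, keys):
        self.name = name
        self.keychain = {k.number: k for k in keys}

    def signing_key(self):
        # Rule 1: outgoing packets are signed with the lowest-numbered valid key.
        return self.keychain[min(self.keychain)]

    def sign(self, payload: bytes):
        # The key number travels with the packet so the receiver can pick the same key.
        key = self.signing_key()
        return {"payload": payload, "key_number": key.number,
                "digest": keyed_digest(payload, key.string)}

    def verify(self, packet):
        # Rule 2: the receiver uses the key identified by the number in the packet.
        key = self.keychain.get(packet["key_number"])
        if key is None:
            # Failure case 1: the signing key does not exist here (this also covers
            # "same key-string, different key number").
            return False, "no key %d in keychain" % packet["key_number"]
        if keyed_digest(packet["payload"], key.string) != packet["digest"]:
            # Failure cases 2 and 3: different key-string, or packet altered in transit.
            return False, "key %d string mismatch or packet modified" % key.number
        return True, "verified with key %d" % key.number


# The two serial links from the question.
LINKS = [("R1", "R2"), ("R2", "R3")]


def question_topology():
    # Key chains exactly as posted in the question.
    return {
        "R1": Router("R1", [Key(2, "abc")]),
        "R2": Router("R2", [Key(1, "123"), Key(2, "abc")]),
        "R3": Router("R3", [Key(2, "abc")]),
    }


def fixed_topology():
    # The fix from the reply above: the same key chain on every router.
    chain = [Key(1, "123"), Key(2, "abc")]
    return {name: Router(name, chain) for name in ("R1", "R2", "R3")}


def check_links(routers):
    """Send one authenticated packet in each direction over each link.
    Returns {(sender, receiver): (accepted, reason)}."""
    results = {}
    for a, b in LINKS:
        for sender, receiver in ((a, b), (b, a)):
            pkt = routers[sender].sign(b"EIGRP HELLO from " + sender.encode())
            results[(sender, receiver)] = routers[receiver].verify(pkt)
    return results


if __name__ == "__main__":
    for label, topo in (("as posted", question_topology()),
                        ("after fix", fixed_topology())):
        print(label)
        for (s, r), (ok, why) in check_links(topo).items():
            print("  %s -> %s: %s (%s)" % (s, r, "accept" if ok else "DROP", why))
```

With the posted key chains the model accepts R1->R2 and R3->R2 (R2 finds key 2) but drops R2->R1 and R2->R3 (R2 signs with key 1, which R1 and R3 do not have), which is exactly the one-sided adjacency and the flapping seen on R2; with the same chain on all three routers every direction verifies.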
08-01-2011 07:02 PM
So in the key chain only the lowest key-id will be used. If the key chain cisco on the 3 routers has key-id 1 with mismatching key-strings, and key-id 2 and 3 or ... with matching key-strings, will the authentication fail??? If that's true, please show me the document about the authentication process or the flowchart. Thanks..
08-02-2011 05:57 PM
Thanks Peter Paluch...
