08-01-2011 12:53 AM - edited 03-04-2019 01:08 PM
I have 3 routers: R1(S1/0:192.168.1.1/24)----(S1/0:192.168.1.2/24)R2(S1/1:192.168.2.1/24)--------------(S1/1:192.168.2.2/24)R3
R1 Loopback0: 1.1.1.1/24
R2 Loopback0: 2.2.2.2/24
R3 Loopback0: 3.3.3.3/24
All interfaces are in EIGRP 100. I want to configure authentication on R1, R2 and R3. On R1 and R3 I use authentication with key chain cisco but without key-id 1; R2 has key chain cisco with 2 key-ids. Key-id 2 with key-string abc matches on all routers. When the routers form the neighbor relationship there is a problem: on R1 and R3 I can't see the neighbor, but on R2 I have the log:
R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.2.2 Se1/1 13 00:00:01 1 2000 2 0
1 192.168.1.1 Se1/0 12 00:00:39 1 5000 2 0
*Aug 1 14:42:51.295: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is down: retry limit exceeded
*Aug 1 14:42:51.567: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is up: new adjacency
*Aug 1 14:43:24.407: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is down: retry limit exceeded
*Aug 1 14:43:29.135: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is up: new adjacency
*Aug 1 14:44:11.107: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is down: retry limit exceeded
*Aug 1 14:44:14.879: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is up: new adjacency
*Aug 1 14:44:48.671: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is down: retry limit exceeded
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R3#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R1 Configuration:
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 cisco
serial restart-delay 0
key chain cisco
key 2
key-string abc
router eigrp 100
network 1.1.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
R2 configuration:
key chain cisco
key 1
key-string 123
key 2
key-string abc
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Serial1/0
ip address 192.168.1.2 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 cisco
no fair-queue
!
interface Serial1/1
ip address 192.168.2.1 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 cisco
router eigrp 100
network 2.2.2.0 0.0.0.255
network 192.168.1.0
network 192.168.2.0
no auto-summary
R3 Configuration:
key chain cisco
key 2
key-string abc
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Serial1/1
ip address 192.168.2.2 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 cisco
serial restart-delay 0
What's the problem?
Thanks
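An added example (not from this thread): a small static audit that parses the kind of IOS configuration fragments shown above and reports, per shared subnet, where the EIGRP key chains on the two ends differ. The sample configurations are constructed from the post, abridged to the commands the audit needs; the parser understands only those commands and assumes one key chain per interface.

```python
"""Static audit of EIGRP key chains across router configs (added example).
For every pair of interfaces on the same subnet it lists key IDs present on
only one side, key-strings that differ for a shared ID, and the case from the
thread: a sender whose lowest key ID the receiver cannot verify."""
import ipaddress
import re
from itertools import combinations


def parse_config(text):
    """Return (chains, interfaces): chains maps name -> {key_id: key_string};
    interfaces is a list of (name, network, key_chain_name) for interfaces
    that have an EIGRP key chain applied."""
    chains, ifaces = {}, []
    chain = key_id = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"key chain (\S+)$", line)):
            chain = chains.setdefault(m.group(1), {})
            iface = None
        elif (m := re.match(r"key (\d+)$", line)) and chain is not None:
            key_id = int(m.group(1))
        elif (m := re.match(r"key-string (\S+)$", line)) and chain is not None:
            chain[key_id] = m.group(1)
        elif (m := re.match(r"interface (\S+)$", line)):
            iface = {"name": m.group(1), "net": None, "chain": None}
            ifaces.append(iface)
            chain = None
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and iface:
            iface["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif (m := re.match(r"ip authentication key-chain eigrp \d+ (\S+)$", line)) and iface:
            iface["chain"] = m.group(1)
    return chains, [(i["name"], i["net"], i["chain"]) for i in ifaces if i["chain"]]


def audit(configs):
    """configs: {router_name: config_text}. Returns a list of finding strings;
    an empty list means every shared segment has matching key chains."""
    ends = []
    for router, text in configs.items():
        chains, ifaces = parse_config(text)
        for name, net, chain_name in ifaces:
            ends.append((router, name, net, chains.get(chain_name, {})))
    findings = []
    for (ra, ia, na, ka), (rb, ib, nb, kb) in combinations(ends, 2):
        if na != nb:
            continue  # not the same segment
        link = f"{ra}:{ia} <-> {rb}:{ib} ({na})"
        if not ka or not kb:
            findings.append(f"{link}: key chain missing or empty on one side")
            continue
        for kid in sorted(set(ka) ^ set(kb)):
            have, lack = (ra, rb) if kid in ka else (rb, ra)
            findings.append(f"{link}: key {kid} configured on {have} but not on {lack}")
        for kid in sorted(set(ka) & set(kb)):
            if ka[kid] != kb[kid]:
                findings.append(f"{link}: key {kid} key-string differs between {ra} and {rb}")
        # The failure mode from the thread: IOS signs outgoing packets with the
        # lowest valid key ID, so that ID (and string) must exist on the receiver.
        for sender, skeys, receiver, rkeys in ((ra, ka, rb, kb), (rb, kb, ra, ka)):
            low = min(skeys)
            if rkeys.get(low) != skeys[low]:
                findings.append(f"{link}: {sender} will send with key {low}, which {receiver} cannot verify")
    return findings


# Constructed from the configurations in the post (abridged).
SAMPLE_CONFIGS = {
    "R1": """
key chain cisco
 key 2
  key-string abc
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 cisco
""",
    "R2": """
key chain cisco
 key 1
  key-string 123
 key 2
  key-string abc
interface Serial1/0
 ip address 192.168.1.2 255.255.255.0
 ip authentication key-chain eigrp 100 cisco
interface Serial1/1
 ip address 192.168.2.1 255.255.255.0
 ip authentication key-chain eigrp 100 cisco
""",
    "R3": """
key chain cisco
 key 2
  key-string abc
interface Serial1/1
 ip address 192.168.2.2 255.255.255.0
 ip authentication key-chain eigrp 100 cisco
""",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGS):
        print(finding)
```

Run against the sample, it reports for each serial link that key 1 exists only on R2 and that R2 will sign with key 1, which the far end cannot verify; adding key 1 with the same key-string to R1 and R3 makes the list empty.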
08-01-2011 11:01 PM
Hello,
From the EIGRP Configuration Guide for IOS 12.4T at:
EIGRP Route Authentication
EIGRP route authentication provides message digest algorithm 5 (MD5) authentication of routing updates from the EIGRP routing protocol. The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.
Each key has its own key identifier (specified with the key number key chain configuration command), which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and MD5 authentication key in use.
You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and uses the first valid key it encounters.
To put it into simple rules:
Now, to your questions.
So in key-chain only the lowest key-id will use.
For sending packets, yes. For receiving packets, the router will use the key that is indicated in the received packet.
If the key-chain cisco in 3 routers have key-id 1 with key-string mismatch, the key-id 2 and 3 or ... with key-string match, the authentication will fail ???
In general, the authentication will fail if at least one of the following occurs:
Please feel welcome to ask further.
Best regards,
Peter
08-01-2011 01:19 AM
Hello,
R1 and R3 have a single key configured in their key chains (the key 2 - abc) and they use it for authenticating both sent and received EIGRP packets. Whenever they send an authenticated packet, they include the key number 2 in the authenticated packet so that the receiving party can use the appropriate key to verify the packet's integrity.
R2 has two keys configured, and because all of them are valid both for sending and receiving, R2 uses the lowest-numbered key, i.e. key 1, to authenticate its sent packets. When it receives a packet, it uses the appropriate key that was used to authenticate the packet, because the key number is carried along with the authenticated packet.
Hence, R2 uses the key 2 to authenticate packets coming from R1 and R3, and because the key 2 is configured correctly on all routers, the check is successful.
However, when R2 sends an EIGRP packet, it uses the lowest-numbered valid key, i.e. key 1, to authenticate it. Because R1 and R3 do not have any key 1 configured, they drop the packet because it does not pass the validity check.
Therefore you see the neighbors flapping on R2 - R2 can see and accept packets from R1 and R3, but they do not accept packets from R2.
The solution is to have the same key chain configured on all routers connected into the same network segment.
Best regards,
Peter
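The send/receive asymmetry Peter describes above, as an added example that is not part of the thread: a model of the key selection rule (sender signs with its lowest valid key and carries that key ID; receiver looks up the ID from the packet) run over the three key chains from the original post. The keyed digest here is a simplified stand-in (MD5 over payload plus key-string), and key lifetimes are not modelled, which matches the thread where no lifetimes are configured.

```python
"""Model of EIGRP MD5 key-chain selection (added example, not IOS code)."""
import hashlib
from typing import Dict, Tuple

# A key chain maps key-id -> key-string. Every configured key is treated as
# valid (no accept-/send-lifetime), as in the configurations in the thread.
KeyChain = Dict[int, str]


def choose_send_key(chain: KeyChain) -> Tuple[int, str]:
    """IOS examines key numbers lowest to highest and uses the first valid one."""
    if not chain:
        raise ValueError("key chain has no keys")
    key_id = min(chain)
    return key_id, chain[key_id]


def keyed_digest(payload: bytes, key_string: str) -> str:
    """Simplified stand-in for the EIGRP keyed MD5 digest (assumption: the
    real on-wire layout differs, but the key-dependence is what matters)."""
    return hashlib.md5(payload + key_string.encode()).hexdigest()


def send(chain: KeyChain, payload: bytes) -> dict:
    """Build an authenticated packet: the key ID travels with the digest."""
    key_id, key_string = choose_send_key(chain)
    return {"payload": payload, "key_id": key_id, "digest": keyed_digest(payload, key_string)}


def receive(chain: KeyChain, packet: dict) -> Tuple[bool, str]:
    """The receiver uses the key ID named in the packet, not its own lowest key."""
    key_string = chain.get(packet["key_id"])
    if key_string is None:
        return False, f"no key {packet['key_id']} in local key chain"
    if keyed_digest(packet["payload"], key_string) != packet["digest"]:
        return False, f"key {packet['key_id']} present but key-string mismatch"
    return True, f"authenticated with key {packet['key_id']}"


def adjacency_status(a: KeyChain, b: KeyChain) -> Dict[str, Tuple[bool, str]]:
    """Check both directions of one link; the adjacency only holds if both pass."""
    hello = b"EIGRP HELLO AS 100"  # constructed payload
    return {"a->b": receive(b, send(a, hello)), "b->a": receive(a, send(b, hello))}


# Key chains exactly as configured in the thread.
R1: KeyChain = {2: "abc"}
R2: KeyChain = {1: "123", 2: "abc"}
R3: KeyChain = {2: "abc"}

if __name__ == "__main__":
    for link, (near, far) in {"R1-R2": (R1, R2), "R2-R3": (R2, R3)}.items():
        for direction, (ok, why) in adjacency_status(near, far).items():
            print(f"{link} {direction}: {'OK  ' if ok else 'DROP'} {why}")
    # The fix: the same key chain on every router on the segment.
    fixed: KeyChain = {1: "123", 2: "abc"}
    print("after fix:", all(ok for ok, _ in adjacency_status(fixed, R2).values()))
```

Running it shows R1->R2 and R3->R2 accepted (key 2 exists everywhere) while R2->R1 and R2->R3 are dropped with "no key 1 in local key chain", which is why only R2 ever lists the neighbors before they flap.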
08-01-2011 07:02 PM
So in a key chain only the lowest key-id will be used. If the key chain cisco on the 3 routers has key-id 1 with a key-string mismatch, and key-id 2 and 3 or ... with a key-string match, the authentication will fail??? If it's true, please show me the document about the authentication process or the flowchart. Thanks..
08-02-2011 05:57 PM
Thanks Peter Paluch...