Eigrp Authentication Problem! Need your help!

I have 3 routers:   R1(S1/0:192.168.1.1/24)----(S1/0:192.168.1.2/24)R2(S1/1:192.168.2.1/24)--------------(S1/1:192.168.2.2/24)R3

R1 Loopback0: 1.1.1.1/24

R2 Loopback0: 2.2.2.2/24

R3 Loopback0: 3.3.3.3/24

All interfaces are in EIGRP 100. I want to configure authentication on R1, R2 and R3. On R1 and R3 I use authentication with key chain cisco but do not have key-id 1; R2 has the key chain cisco with 2 key-ids. Key-id 2 with key-string abc matches on all routers. When the routers form the neighbor relationship there is a problem: on R1 and R3 I can't see the neighbor, but on R2 I have the log:

R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.2.2             Se1/1             13 00:00:01    1  2000  2  0
1   192.168.1.1             Se1/0             12 00:00:39    1  5000  2  0

*Aug  1 14:42:51.295: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is down: retry limit exceeded
*Aug  1 14:42:51.567: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is up: new adjacency
*Aug  1 14:43:24.407: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is down: retry limit exceeded
*Aug  1 14:43:29.135: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is up: new adjacency
*Aug  1 14:44:11.107: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is down: retry limit exceeded
*Aug  1 14:44:14.879: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (Serial1/0) is up: new adjacency
*Aug  1 14:44:48.671: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.2.2 (Serial1/1) is down: retry limit exceeded

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100

R3#show ip eigrp neighbors
IP-EIGRP neighbors for process 100

R1 Configuration:

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 cisco
 serial restart-delay 0
!
key chain cisco
 key 2
  key-string abc
!
router eigrp 100
 network 1.1.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary

R2 configuration:

key chain cisco
 key 1
  key-string 123
 key 2
  key-string abc
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Serial1/0
 ip address 192.168.1.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 cisco
 no fair-queue
!
interface Serial1/1
 ip address 192.168.2.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 cisco
!
router eigrp 100
 network 2.2.2.0 0.0.0.255
 network 192.168.1.0
 network 192.168.2.0
 no auto-summary

R3 Configuration:

key chain cisco
 key 2
  key-string abc
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Serial1/1
 ip address 192.168.2.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 cisco
 serial restart-delay 0

What's the problem?

Thanks


4 Replies

Peter Paluch
Cisco Employee

Hello,

R1 and R3 have a single key configured in their keychains (key 2 - abc) and they use it for authenticating both sent and received EIGRP packets. Whenever they send an authenticated packet, they include the key number 2 in the authenticated packet so that the receiving party can use the appropriate key to verify the packet's integrity.

R2 has two keys configured, and because all of them are valid both for sending and receiving, R2 uses the lowest-numbered key, i.e. key 1, to authenticate its sent packets. When it receives a packet, it uses the appropriate key that was used to authenticate the packet, because the key number is carried along with the authenticated packet.

Hence, R2 uses the key 2 to authenticate packets coming from R1 and R3, and because the key 2 is configured correctly on all routers, the check is successful.

However, when R2 sends an EIGRP packet, it uses the lowest-numbered valid key, i.e. key 1, to authenticate it. Because R1 and R3 do not have any key 1 configured, they drop the packet because it does not pass the validity check.

Therefore you see the neighbors flapping on R2 - R2 can see and accept packets from R1 and R3, but they do not accept packets from R2.

The solution is to have the same key chain configured on all routers connected into the same network segment.

Best regards,

Peter

So in the key chain only the lowest key-id will be used. If the key chain cisco on the 3 routers has key-id 1 with a mismatched key-string, and key-id 2 and 3 or ... with matching key-strings, will the authentication fail??? If it's true, please show me the document about the authentication process or the flowchart. Thanks..

Hello,

From the EIGRP Configuration Guide for IOS 12.4T at:

http://www.cisco.com/en/US/docs/ios/iproute_eigrp/configuration/guide/ire_cfg_eigrp_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1060221

EIGRP Route Authentication

EIGRP route authentication provides message digest algorithm 5 (MD5)  authentication of routing updates from the EIGRP routing protocol. The  MD5 keyed digest in each EIGRP packet prevents the introduction of  unauthorized or false routing messages from unapproved sources.

Each key has its own key identifier (specified with the key number key chain configuration command), which is stored locally. The  combination of the key identifier and the interface associated with the  message uniquely identifies the authentication algorithm and MD5  authentication key in use.

You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and uses the first valid key it encounters.

To put it into simple rules:

  1. Both key numbers and key strings must match for the authentication to be successful.
  2. For signing sent packets, the router will use the lowest-numbered key in the keychain. The key number will also be recorded in the sent packet.
  3. For authenticating received packets, the router will use the key identified by the key number in the received packet.

Now, to your questions.

So in the key chain only the lowest key-id will be used.

For sending packets, yes. For receiving packets, the router will use the key that is indicated in the received packet.

If the key chain cisco on the 3 routers has key-id 1 with a mismatched key-string, and key-id 2 and 3 or ... with matching key-strings, will the authentication fail???

In general, the authentication will fail if at least one of the following occurs:

  • The key that was used to sign the packet does not exist at the receiving router (e.g. the packet was signed using the key 2, but there is no key 2 created in the receiver's keychain). Note that this also includes situations when using the same key-string but different key numbers.
  • The key used to sign the packet exists at the receiving router but the key-strings differ (e.g. the sending router uses the key 1 with key-string 1234 while the receiving router uses the key 1 with key-string asdf).
  • The packet was modified during transit from the sender to the receiver, either by accident or by some malicious action.

Please feel welcome to ask further.

Best regards,

Peter
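The three rules above, and the flapping described in the earlier reply, can be checked in a small model. This Python block is an added example written for this thread, not IOS code or anything from Cisco; its keyed digest (MD5 over the payload followed by the key-string) is a constructed simplification of the real EIGRP MD5 computation, and the `exchange`/`*_scenario` helper names are made up here.

```python
import hashlib

# Model of the key-chain rules from the thread (constructed, not IOS code):
# the sender signs with its lowest-numbered key and carries that key id in
# the packet; the receiver verifies with whatever key that id names in its
# own chain. A chain is a dict of key id -> key-string.


def sign(chain, payload):
    """Sign with the lowest-numbered key; return the (key_id, digest) carried."""
    key_id = min(chain)                                   # rule 2
    digest = hashlib.md5(payload + chain[key_id].encode()).hexdigest()
    return key_id, digest


def verify(chain, payload, key_id, digest):
    """Accept only if key_id exists locally and its key-string reproduces digest."""
    key_string = chain.get(key_id)                        # rule 3
    if key_string is None:
        return False                                      # signing key missing
    expected = hashlib.md5(payload + key_string.encode()).hexdigest()
    return expected == digest                             # wrong string or tampered


def exchange(sender_chain, receiver_chain, payload=b"EIGRP HELLO"):
    """True if a packet signed under sender_chain is accepted under receiver_chain."""
    key_id, digest = sign(sender_chain, payload)
    return verify(receiver_chain, payload, key_id, digest)


# Key chains exactly as posted: R1/R3 hold only key 2, R2 holds keys 1 and 2.
R1 = {2: "abc"}
R2 = {1: "123", 2: "abc"}
R3 = {2: "abc"}


def thread_scenario():
    """R2 accepts R1/R3 (signed with key 2) but R1/R3 reject R2 (signed with key 1)."""
    return {"R1->R2": exchange(R1, R2), "R2->R1": exchange(R2, R1),
            "R3->R2": exchange(R3, R2), "R2->R3": exchange(R2, R3)}


def fixed_scenario():
    """Identical key chain on all three routers: every direction verifies."""
    r1, r3 = dict(R2), dict(R2)
    return all([exchange(r1, R2), exchange(R2, r1), exchange(r3, R2), exchange(R2, r3)])


def same_string_other_number():
    """Same key-string abc under key id 3: still rejected, since R2 has no key 3."""
    return exchange({3: "abc"}, R2)
```

Swapping the digest for the real EIGRP computation would not change which directions pass; only the key-id lookup decides that.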

Thanks Peter Paluch...
