Switching to OSPF Key Chain

K-Grev
Level 1

I currently have around 40 devices linked to a central device all using "ospf message-digest-key 1 md5 xxxxxxxxxxxx".

I need to switch to using key chains.

Is there a proper way to do this that keeps everything online?

Thanks for your help.

6 Replies

Hello,

you can only do this, to my best knowledge, with new subinterfaces and new OSPF processes. Below is an example involving just two routers, but the process is the same for multiple routers.

Let's say you have this configured:

R1

interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip ospf message-digest-key 1 md5 cisco
!
router ospf 1
router-id 1.1.1.1
network 192.168.1.0 0.0.0.255 area 0

R2

interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip ospf message-digest-key 1 md5 cisco
!
router ospf 1
router-id 2.2.2.2
network 192.168.1.0 0.0.0.255 area 0

Add a subinterface and a new OSPF process:

R1

interface Loopback3
ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/0.10
encapsulation dot1q 10
ip address 192.168.10.1 255.255.255.0
!
router ospf 2
router-id 3.3.3.3
network 192.168.10.0 0.0.0.255 area 0

R2

interface Loopback3
ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet0/0.10
encapsulation dot1q 10
ip address 192.168.10.2 255.255.255.0
!
router ospf 2
router-id 4.4.4.4
network 192.168.10.0 0.0.0.255 area 0

Remove the message digest key and add the key chain:

R1

key chain cisco
key 1
key-string cisco1
send-lifetime local 10:00:00 Jan 4 2021 infinite
cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
--> no ip ospf message-digest-key 1 md5 cisco
--> ip ospf authentication key-chain cisco

R2

key chain cisco
key 1
key-string cisco1
send-lifetime local 10:00:00 Jan 4 2021 infinite
cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet0/0
ip address 192.168.1.2 255.255.255.0
--> no ip ospf message-digest-key 1 md5 cisco
--> ip ospf authentication key-chain cisco

Remove the OSPF process, the loopback, and the subinterfaces:

R1

--> no interface Loopback3
--> no interface GigabitEthernet0/0.10
--> no router ospf 2

R2

--> no interface Loopback3
--> no interface GigabitEthernet0/0.10
--> no router ospf 2

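With some 40 devices going through the migration above, it helps to check where each device stands before the old key is removed. The following Python audit is an added example (not code from the thread): it parses an IOS running-config into blocks and reports, per interface, whether OSPF still relies on a plain message-digest key, references a key chain, and whether that chain carries an hmac-sha cryptographic-algorithm. The sample config is constructed for this example, modelled on the thread's R1 after the key chain was applied, with an extra not-yet-migrated Gi0/1.

```python
# Constructed sample config (assumption): thread's R1 after the key-chain change, plus unmigrated Gi0/1.
R1_CONFIG = """\
key chain cisco
 key 1
  key-string cisco1
  send-lifetime local 10:00:00 Jan 4 2021 infinite
  cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet0/0
 ip ospf authentication key-chain cisco
!
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 cisco
"""

def parse_blocks(config: str) -> dict[str, list[str]]:
    """Split an IOS config into top-level blocks keyed by their header line."""
    blocks, header = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            header = None  # '!' or a blank line ends the current block
        elif not line.startswith(" "):
            header = line.strip()
            blocks[header] = []
        elif header is not None:
            blocks[header].append(line.strip())
    return blocks

def audit_ospf_auth(config: str) -> dict[str, str]:
    """Report each interface's OSPF authentication state for the migration."""
    blocks = parse_blocks(config)
    chains = {h.split()[-1]: b for h, b in blocks.items() if h.startswith("key chain ")}
    report = {}
    for header, body in blocks.items():
        if not header.startswith("interface "):
            continue
        name = header.split(maxsplit=1)[1]
        has_md5 = any(l.startswith("ip ospf message-digest-key ") for l in body)
        chain = next((l.split()[-1] for l in body
                      if l.startswith("ip ospf authentication key-chain ")), None)
        if chain is None:
            report[name] = "md5-only (not migrated)" if has_md5 else "no ospf auth"
        elif chain not in chains:
            report[name] = f"key-chain {chain} referenced but not defined"
        elif not any(l.startswith("cryptographic-algorithm hmac-sha") for l in chains[chain]):
            report[name] = f"key-chain {chain} without hmac-sha algorithm"
        else:
            report[name] = f"key-chain {chain} ok" + (" (stale md5 key present)" if has_md5 else "")
    return report
```

Run it over each device's `show running-config` output and only proceed with the "remove the message digest key" step on interfaces the report marks as "ok".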
I see, that's a good way. Thanks for your help.

Hello

No need to create additional sub-interfaces. Just create an additional digest-key Xx and ospf key rollover will take effect when you apply it to both sides of the ospf interface adjacency. Prior to this ospf will still keep using the old digest key.

Example:
rtr x
interface x/x
ip ospf message-digest-key 1 md5 stan
ip ospf message-digest-key 2 md5 stan-new

sh ip ospf interface x/x | be Mes  <-- will show still using old key

rtr y
sh ip ospf interface x/x | be Mes  <-- will show still using old key

interface x/x
ip ospf message-digest-key 1 md5 stan
ip ospf message-digest-key 2 md5 stan-new

rtr x-y
sh ip ospf interface x/x | be Mes  <-- ospf will now show it's using new key


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

@paul driver 

 

I am lost... where is the key chain in what you are suggesting? OP wants to go from message digest to key chain, not change the message digest key.

Hello

That's fine. Once enabled on the interface for key-chain, ospf should ignore message-digest; I wouldn't say there is a requirement to create sub-interfaces.



Kind Regards
Paul

What devices did you test this on? In my test lab, as soon as I entered the key chain authentication on the main interface, the same one the message digest was configured on, the OSPF neighbor went down. Not sure how you got this to work, might be IOS dependent, but I could only resolve this using subinterfaces...