06-26-2012 09:36 AM - edited 03-07-2019 07:28 AM
Hi, I have two directly connected EIGRP-configured routers, R2 and R5.
They are configured as follows (this copy/paste was taken at about 5pm, so all keys are valid now; both routers have identical clock settings):
R2#show key chain
Key-chain KEY_CHAIN_R2:
key 1 -- text "cisco"
accept lifetime (16:08:00 UTC Jun 26 2012) - (infinite) [valid now]
send lifetime (11:00:00 UTC Jun 26 2012) - (infinite) [valid now]
key 2 -- text "cisco"
accept lifetime (16:00:00 UTC Jun 26 2012) - (infinite) [valid now]
send lifetime (11:00:00 UTC Jun 26 2012) - (infinite) [valid now]
R2#show run interface serial 1/0
Building configuration...
Current configuration : 176 bytes
!
interface Serial1/0
ip address 10.1.1.1 255.255.255.252
ip authentication mode eigrp 12 md5
ip authentication key-chain eigrp 12 KEY_CHAIN_R2
serial restart-delay 0
end
R2#
R5#show key chain
Key-chain KEY_CHAIN_R5:
key 1 -- text "cisco"
accept lifetime (16:00:00 UTC Jun 26 2012) - (infinite) [valid now]
send lifetime (15:00:00 UTC Jun 26 2012) - (infinite) [valid now]
R5#show run int serial 0/0
Building configuration...
Current configuration : 174 bytes
!
interface Serial0/0
ip address 10.1.1.2 255.255.255.252
ip authentication mode eigrp 12 md5
ip authentication key-chain eigrp 12 KEY_CHAIN_R5
clock rate 2000000
end
My question is, at 16:07:00 on Jun 26 2012 will the authentication work? From what I understand, when a router (in this case R2) receives an MD5 authentication packet (from R5) it will check all of its currently valid keys. It will not check key 1, as it does not go valid until 16:08. But it will check key 2 and find a match and thus authenticate. Right? But I find authentication does not work until 16:08. When I run debugging I get the following output:
Jun 26 16:07:56.335: EIGRP: pkt authentication key id = 1, key not defined or not live
Jun 26 16:07:56.339: EIGRP: Serial1/0: ignored packet from 10.1.1.2, opcode = 5 (invalid authentication)
Jun 26 16:07:56.607: EIGRP: Sending HELLO on Serial1/0
Jun 26 16:07:56.611: AS 12, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Jun 26 16:07:57.151: EIGRP: pkt authentication key id = 1, key not defined or not live
Jun 26 16:07:57.155: EIGRP: Serial1/0: ignored packet from 10.1.1.2, opcode = 1 (invalid authentication)
Can anyone help?
(PS. I have no idea what "serial restart-delay 0" means on R2's s1/0. I didn't configure it.)
06-27-2012 05:02 AM
Hello Steven,
I remember I had the same issue when I was studying for a Cisco Certification ( same CCNP Route exam ).
There is an error in the book: not all the key numbers are verified; they have to match. If you configured key 1 on one side, you must have key 1 configured on the other side. I have also tested this with real devices in the lab and got the same output.
Hope this helps, cheers.
06-26-2012 09:50 AM
Hi Steven,
Do both routers show the same time when issuing show clock? What happens if you change the value from Key2 to cisco2 and add the very same key to the EIGRP neighbor?
Regards,
Nate
06-26-2012 05:23 PM
I can confirm that the clock was the same on both devices.
My GNS3 lab crashed so I will try your second suggestion when I get a chance.
06-27-2012 12:23 AM
Hi Steven,
Authentication will fail at 16:07:00 on Jun 26 2012, as R2 accepts "Key1" 16:00:00 UTC Jun 26 2012 and sends it
15:00:00 UTC Jun 26 2012 but R5 accepts "Key1" 16:08:00 UTC Jun 26 2012 and sends it 11:00:00 UTC Jun 26 2012.
For authentication to work even the key numbers should match. Although key 2 is active on R5 it will not work, as R2 doesn't have a key 2. Both key numbers and key-strings must match for authentication to be successful.
Thanks,
Nandan Mathure.
06-27-2012 04:47 AM
This is my setup at 12.27pm and it is not authenticating...
----------------------------------------------------------------------------------------------------
R5#show key chain
Key-chain ROUTER5_KEY_CHAIN:
key 1 -- text "cisco"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R5#show run interface serial0/0
Building configuration...
Current configuration : 177 bytes
!
interface Serial0/0
ip address 10.1.1.2 255.255.255.252
ip authentication mode eigrp 12 md5
ip authentication key-chain eigrp 12 ROUTER5_KEY_CHAIN
clock rate 2000000
end
----------------------------------------------------------------------------------------------------
R2#show key chain
Key-chain ROUTER2_KEY_CHAIN:
key 1 -- text "cisco"
accept lifetime (12:30:00 UTC Jun 27 2012) - (infinite)
send lifetime (always valid) - (always valid) [valid now]
key 2 -- text "cisco"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R2#show run interface serial 1/0
Building configuration...
Current configuration : 181 bytes
!
interface Serial1/0
ip address 10.1.1.1 255.255.255.252
ip authentication mode eigrp 12 md5
ip authentication key-chain eigrp 12 ROUTER2_KEY_CHAIN
serial restart-delay 0
end
R2#
----------------------------------------------------------------------------------------------------
Same as yesterday. At 12.30, everything begins to work ....
Jun 27 12:30:03.903: EIGRP: received packet with MD5 authentication, key id = 1
but not before.
My CCNP route book says that the key NUMBER does not need to match ... only the key STRING
I will now try it with a second string on the R5 router...
-----------------------------------------------------------------------------------------------------
R5#show key chain
Key-chain ROUTER5_KEY_CHAIN:
key 1 -- text "cisco"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
key 2 -- text "cisco"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R5#
R2(config)#key chain ROUTER2_KEY_CHAIN
R2(config-keychain)#key 1
R2(config-keychain-key)#accept-lifetime 12:40:00 27 JUNE 2012 infinite
(time now is 12:37)
-----------------------------------------------------------------------------------------------------
hmmm.... it seems that even with a second key on R5, the authentication does not come up until 12:40pm. This makes sense based on what my Cisco book says. It says that:
when SENDING EIGRP authentication, use the lowest valid key number (in the case of R5: only send key 1)
when RECEIVING EIGRP authentication, check against all valid keys (prior to key 1 becoming valid, key 2 is the only valid key. But R2 does not check key 2. It simply states that key 1 is not valid and fails authentication).
So I think the problem is that R2 is not moving on to check key 2 after it notices key 1 is invalid.
Any advice?
06-27-2012 05:18 AM
Yeah, that's right, it won't move to key 2 until they agree upon the same key number, i.e. negotiate the key number first and then agree upon the hash of the keystring.
Just for testing configure Key 2 on R5 and mismatch the keystring and let us know about it.
Thanks,
Nandan Mathure
06-27-2012 05:29 AM
Hi Steven,
it is like guys above have suggested.
The key numbers of active keys MUST match. It is because EIGRP checks against the FIRST valid key, not ALL keys! In addition, it sends the first valid key it finds.
Best regards,
Jan
06-27-2012 12:39 PM
Hello Jan,
It's VERY good to see you posting again!
Best regards,
Peter
06-27-2012 12:48 PM
Hi Peter!
All thanks to great CCNP ROUTE course - taught by GREAT instructor - that I'm enrolled in!!! ;-)
Best regards,
Jan
06-27-2012 03:20 PM
Smells like Slovakia Cisco Academy student/instructor forum meeting
06-27-2012 11:15 PM
Hey Alex,
Smells like Slovakia Cisco Academy student/instructor forum meeting
You're spot on. Wanna join us some day? We do have ties to Romania as well.
Best regards,
Peter
06-28-2012 12:30 AM
Thanks for the invitation, but I'm out of that country... actually I'm living and working close to you guys, in Brno.
06-28-2012 06:58 AM
So just to confirm, if Router 5 has two valid keys it will only send the first one (lowest numbered one) ... it will never send the second one. Then, when Router 2 receives the packet, it will only check against the same numbered key and no others.
Is that correct?
10-30-2013 03:41 PM
Hi Steven,
it is correct.
Key string and Key ID must match
Kind regards,
Michał
P.S.
Look at the example in which R1 and R2 have the same key string "KEY_1" but different key IDs. Authentication is invalid.
-------------
R1
-------------
R1#sh run int fa0/0
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 KEYCHAIN
R1#sh key chain
Key-chain KEYCHAIN:
key 0 -- text "KEY_1"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
key 1 -- text "KEY_0"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R1#
*Mar 1 00:38:33.879: EIGRP: pkt authentication key id = 10, key not defined or not live
*Mar 1 00:38:33.883: EIGRP: FastEthernet0/0: ignored packet from 192.168.1.2, opcode = 5 (invalid authentication)
! R2 is using key id = 10 "KEY_1" nonetheless
! R1 has active key id = 0 "KEY_1" but we get invalid authentication, because the key id does not match!
! R1 expects key id = 0, not key id = 10
-------------
R2
-------------
R2#sh run int fa0/0
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 GERDA
end
R2#sh key chain
Key-chain GERDA:
key 0 -- text "KEY_0"
accept lifetime (00:22:30 UTC Mar 1 2002) - (60 seconds)
send lifetime (00:22:00 UTC Mar 1 2002) - (60 seconds)
key 10 -- text "KEY_1"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R2#
*Mar 1 00:36:09.411: EIGRP: pkt authentication key id = 0, key not defined or not live
*Mar 1 00:36:09.411: EIGRP: FastEthernet0/0: ignored packet from 192.168.1.1, opcode = 5 (invalid authentication)
! R1 is using key id = 1 "KEY_1"
! R2 has active key id = 10 "KEY_1"; we get invalid authentication, because the key id does not match!
! R2 expects key id = 10, not key id = 1
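The two rules the thread converges on (the sender uses its lowest-numbered send-valid key; the receiver looks up the key ID carried in the packet and tries no other key) can be modelled in a few lines. The following is an added example written for this thread, not IOS code and not anything posted above. It replays Steven's first scenario (R2/R5 key chains, 16:07 vs 16:08) and Michał's key-ID mismatch example (R1/R2, key 0 vs key 10) and reproduces the debug messages each router logged. The digest function is a stand-in keyed MD5 over payload plus key string, not the exact IOS wire computation; the year 2002 for Michał's log is assumed from the IOS default clock shown in his key lifetimes.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

UTC = timezone.utc
Window = Tuple[Optional[datetime], Optional[datetime]]  # (start, end); None = always / infinite
ALWAYS: Window = (None, None)


def ts(y, mo, d, h, mi, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=UTC)


@dataclass
class Key:
    key_id: int
    key_string: str
    accept: Window
    send: Window

    @staticmethod
    def _live(window: Window, now: datetime) -> bool:
        start, end = window
        return (start is None or now >= start) and (end is None or now < end)

    def accept_valid(self, now): return self._live(self.accept, now)
    def send_valid(self, now): return self._live(self.send, now)


def digest(payload: bytes, key_string: str) -> bytes:
    # Stand-in keyed digest (assumption): MD5 over packet bytes plus key string.
    return hashlib.md5(payload + key_string.encode()).digest()


def build_packet(chain, now, payload=b"EIGRP HELLO AS 12"):
    """Sender rule: pick the lowest-numbered key whose send-lifetime is live now."""
    sendable = [k for k in chain if k.send_valid(now)]
    if not sendable:
        return None
    k = min(sendable, key=lambda k: k.key_id)
    return {"key_id": k.key_id, "payload": payload, "digest": digest(payload, k.key_string)}


def verify_packet(chain, pkt, now):
    """Receiver rule: look up the key ID from the packet; it must exist, be inside its
    accept-lifetime and produce the same digest. No other key in the chain is tried."""
    if pkt is None:
        return False, "no packet (sender had no send-valid key)"
    k = {k.key_id: k for k in chain}.get(pkt["key_id"])
    if k is None or not k.accept_valid(now):
        return False, f"pkt authentication key id = {pkt['key_id']}, key not defined or not live"
    if digest(pkt["payload"], k.key_string) != pkt["digest"]:
        return False, f"pkt authentication key id = {pkt['key_id']}, digest mismatch"
    return True, f"received packet with MD5 authentication, key id = {pkt['key_id']}"


def adjacency_ok(chain_a, chain_b, now) -> bool:
    """A neighbour relationship needs both directions to authenticate."""
    a_to_b = verify_packet(chain_b, build_packet(chain_a, now), now)[0]
    b_to_a = verify_packet(chain_a, build_packet(chain_b, now), now)[0]
    return a_to_b and b_to_a


# Scenario 1: key chains from the first post (Jun 26 2012, UTC).
R2_CHAIN = [
    Key(1, "cisco", (ts(2012, 6, 26, 16, 8), None), (ts(2012, 6, 26, 11, 0), None)),
    Key(2, "cisco", (ts(2012, 6, 26, 16, 0), None), (ts(2012, 6, 26, 11, 0), None)),
]
R5_CHAIN = [Key(1, "cisco", (ts(2012, 6, 26, 16, 0), None), (ts(2012, 6, 26, 15, 0), None))]


def r2_log_for_r5_hello(now):
    """What R2 logs when R5's hello arrives at `now`."""
    return verify_packet(R2_CHAIN, build_packet(R5_CHAIN, now), now)[1]


# Scenario 2: Michał's R1/R2 chains; key 0 on his R2 had a 60-second lifetime in 2002.
T0 = ts(2002, 3, 1, 0, 22, 0)
M_R1_CHAIN = [Key(0, "KEY_1", ALWAYS, ALWAYS), Key(1, "KEY_0", ALWAYS, ALWAYS)]
M_R2_CHAIN = [
    Key(0, "KEY_0", (T0 + timedelta(seconds=30), T0 + timedelta(seconds=90)),
        (T0, T0 + timedelta(seconds=60))),
    Key(10, "KEY_1", ALWAYS, ALWAYS),
]


def michal_logs(now):
    """(what R1 logs for R2's packet, what R2 logs for R1's packet)."""
    on_r1 = verify_packet(M_R1_CHAIN, build_packet(M_R2_CHAIN, now), now)[1]
    on_r2 = verify_packet(M_R2_CHAIN, build_packet(M_R1_CHAIN, now), now)[1]
    return on_r1, on_r2


if __name__ == "__main__":
    for hhmm in ((16, 7), (16, 8)):
        now = ts(2012, 6, 26, *hhmm)
        print(now.time(), r2_log_for_r5_hello(now), "adjacency:", adjacency_ok(R2_CHAIN, R5_CHAIN, now))
    print(michal_logs(ts(2002, 3, 1, 0, 36, 9)))
```

Running it shows R2 rejecting R5's key 1 with "key not defined or not live" at 16:07 even though R2's key 2 carries the same string, the adjacency coming up at 16:08, and in Michał's lab each side rejecting the other's key ID (0 and 10) exactly as his debug lines show. The receiver branch is deliberately a dictionary lookup rather than a loop: that single line is the difference between the book's description and the observed behaviour.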