Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

OSPF HMAC-SHA authentication 7.0.1

This enhancement adds support for RFC 5709 HMAC-SHA cryptographic authentication for OSPF. Prior to 7.0.1, only MD5 was supported.

An option to set the algorithm is available in the router key chain configuration:

config router key-chain
    edit <name>
        config key
            edit <id>
                ...
                set algorithm {md5 | hmac-sha1 | hmac-sha256 | hmac-sha384 | hmac-sha512}
            next
        end
    next
end
Note

The available options for set authentication in the OSPF settings are now none, text, and message-digest.

To configure HMAC-SHA cryptographic authentication for OSPF:
  1. Configure the router key chain:
    config router key-chain
        edit "11"
            config key
                edit "1"
                    set accept-lifetime 01:01:01 01 01 2021 2147483646
                    set send-lifetime 01:01:01 01 01 2021 2147483646
                    set key-string **********
                    set algorithm hmac-sha512
                next
            end
        next
    end
  2. Configure OSPF:
    config router ospf
        set router-id 2.2.2.2
        config area
            edit 0.0.0.0
                set authentication message-digest
            next
        end
        config ospf-interface
            edit "1"
                set interface "port1"
                set authentication message-digest
                set md5-keychain "11"
            next
        end
    end
  3. Verify that the OSPF neighbor can be established:
    # get router info ospf neighbor
    OSPF process 0, VRF 0:
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    1.1.1.1           1   Full/DR         00:00:37    12.1.1.1        port1

OSPF HMAC-SHA authentication 7.0.1

This enhancement adds support for RFC 5709 HMAC-SHA cryptographic authentication for OSPF. Prior to 7.0.1, only MD5 was supported.

An option to set the algorithm is available in the router key chain configuration:

config router key-chain
    edit <name>
        config key
            edit <id>
                ...
                set algorithm {md5 | hmac-sha1 | hmac-sha256 | hmac-sha384 | hmac-sha512}
            next
        end
    next
end
Note

The available options for set authentication in the OSPF settings are now none, text, and message-digest.

To configure HMAC-SHA cryptographic authentication for OSPF:
  1. Configure the router key chain:
    config router key-chain
        edit "11"
            config key
                edit "1"
                    set accept-lifetime 01:01:01 01 01 2021 2147483646
                    set send-lifetime 01:01:01 01 01 2021 2147483646
                    set key-string **********
                    set algorithm hmac-sha512
                next
            end
        next
    end
  2. Configure OSPF:
    config router ospf
        set router-id 2.2.2.2
        config area
            edit 0.0.0.0
                set authentication message-digest
            next
        end
        config ospf-interface
            edit "1"
                set interface "port1"
                set authentication message-digest
                set md5-keychain "11"
            next
        end
    end
  3. Verify that the OSPF neighbor can be established:
    # get router info ospf neighbor
    OSPF process 0, VRF 0:
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    1.1.1.1           1   Full/DR         00:00:37    12.1.1.1        port1