OSPF MD5 Authentication Rotating Key


You work for the government as a contracted network engineer. They want you to improve their OSPF security. Instead of using a single key for all routers they want to ensure each OSPF neighbor adjacency has a different key. Let’s find out if you can lock this one down.


  • All IP addresses have been preconfigured for you.
  • Configure OSPF on all routers. Achieve full connectivity.
  • Router Twist and Turn have to use password “PASSWORD”.
  • Router Twist and Rotate have to use password “VAULT”.




OSPF MD5 Authentication Rotating Key Network Topology

Video Solution:

Configuration Files

You need to register to download the GNS3 topology file. (Registration is free!)

Once you are logged in you will find the configuration files right here.

Opt In Image
Do you want your CCNA or CCNP Certificate?

The How to Master series helps you to understand complex topics like spanning-tree, VLANs, trunks, OSPF, EIGRP, BGP and more.

Written by René Molenaar - CCIE #41726

You May Also Like

About the Author: Rene Molenaar

René - CCIE #41726 is the creator of GNS3Vault.com where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on http://networklessons.com


  1. Thanks Rene, I am loving your all labs. I learned a lot and learning. Keep postin’ labs.

  2. Hi Rene,

    I configured this lab and achieved full neighborship but when I check beck-end process with "debug ip ospf adj" I am getting mismatch errors too. Although neibourship is OK but I am just curious that is there any way we can stop these error messages. Here is the debug output of Router Turn:

    Turn(config)#do deb ip ospf adj
    OSPF adjacency events debugging is on
    *Mar 1 00:30:17.099: OSPF: Send with youngest Key 1
    *Mar 1 00:30:24.667: OSPF: Rcv pkt from, FastEthernet0/0 : Mismatch Authentication Key – No message digest key 2 on interface
    *Mar 1 00:30:24.891: OSPF: Rcv pkt from, FastEthernet0/0 : Mismatch Authentication Key – No message digest key 2 on interface"

    Thanks for the labs.. 🙂

    1. Under the constraints of this lab, I don’t think you can get rid of the error messages. Configuring key 2 on router Turn would do the trick, because it would successfully peer with Rotate, but then Turn and Twist would start using key 2 instead of key 1.

      I’m afraid Cisco just doesn’t support good key management for OSPF.

  3. Rene, I think you missed one thing. In your video solution, router Rotate becomes the DR for the segment. The DR must form a full adjacency with all other routers in the segment, but in this case Rotate won’t peer with Turn because they’re using different keys. Of course, that doesn’t present any problems in this topology with only one segment, but if you added other subnets you might run into some issues.

    I think you need to make sure Twist becomes the DR.

  4. Hi all,
    Rene congrats for your labs, they can really help finding weakness each one of us might have simply because we thought some things were not worth it to spent more time on.

    I modified the lab a bit after completing it (also getting the Mismatch error messages) and I set a 3rd key to use betweeen Turn and Rotate. Then I set keys 1, 2 and 3 to all routers where the “debug ip ospf adj” then showed:
    send with key 1
    send with key 2
    send with key 3

    The mismatch error messages stoped.

    Finally I did a wireshark capture on Twist fa0/0 and saw that he sends 3 hellos messages each one using a different key. The thing I could not figure what (I couldn’t be sure of) is which key actually the router sends to which router since all hellos are destined to multicast

    In any case this lab shows imo that OSPF is not capable of rotating keys as EIGRP can, it simply is able to use different keys between different peers. EIGRP on the other hand can have time limits on its keys and switch between preconfigured keys based on the configuration.

  5. Hey Rene

    May be too late to comment, but anyways i give it a go.

    Can you please expain how does router Turn/Twise has established adjacency even when they have different keys as shown in the debugs?

    *Mar 1 00:32:41.911: OSPF: Send with youngest Key 2
    *Mar 1 00:32:41.911: OSPF: Send hello to area 0 on FastEthernet0/0 from
    *Mar 1 00:32:49.291: OSPF: Rcv pkt from, FastEthernet0/0 : Mismatch Authentication Key – No message digest key 1 on interface

    Good labs though.

      1. I think i got my answer. If Twist interface is down, then there is no adj on Turn or Rotate. Adj forms up between Twist to Turn/Rotate and vice versa but not between Turn and Rotate.

Comments are closed.