Example: Configuring keychains

Network configuration

As shown in Figure 98, establish an OSPF neighbor relationship between Switch A and Switch B, and use a keychain to authenticate packets between the switches. Configure key 1 and key 2 for the keychain and make sure key 2 is used immediately when key 1 expires.

Figure 98: Network diagram

Procedure

  1. Configure Switch A:

    # Configure IP addresses for interfaces. (Details not shown.)

    # Configure OSPF.

    <SwitchA> system-view
    [SwitchA] ospf 1 router-id 1.1.1.1
    [SwitchA-ospf-1] area 0
    [SwitchA-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
    [SwitchA-ospf-1-area-0.0.0.0] quit
    [SwitchA-ospf-1] quit
    

    # Create a keychain named abc, and specify the absolute time mode for it.

    [SwitchA] keychain abc mode absolute
    

    # Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.

    [SwitchA-keychain-abc] key 1
    [SwitchA-keychain-abc-key-1] authentication-algorithm md5
    [SwitchA-keychain-abc-key-1] key-string plain 123456
    [SwitchA-keychain-abc-key-1] send-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
    [SwitchA-keychain-abc-key-1] accept-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
    [SwitchA-keychain-abc-key-1] quit
    

    # Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.

    [SwitchA-keychain-abc] key 2
    [SwitchA-keychain-abc-key-2] authentication-algorithm hmac-md5
    [SwitchA-keychain-abc-key-2] key-string plain pwd123
    [SwitchA-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    [SwitchA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    [SwitchA-keychain-abc-key-2] quit
    [SwitchA-keychain-abc] quit
    

    # Configure VLAN-interface 100 to use keychain abc for authentication.

    [SwitchA] interface vlan-interface 100
    [SwitchA-Vlan-interface100] ospf authentication-mode keychain abc
    [SwitchA-Vlan-interface100] quit
    
  2. Configure Switch B:

    # Configure IP addresses for interfaces. (Details not shown.)

    # Configure OSPF.

    <SwitchB> system-view
    [SwitchB] ospf 1 router-id 2.2.2.2
    [SwitchB-ospf-1] area 0
    [SwitchB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
    [SwitchB-ospf-1-area-0.0.0.0] quit
    [SwitchB-ospf-1] quit
    

    # Create a keychain named abc, and specify the absolute time mode for it.

    [SwitchB] keychain abc mode absolute
    

    # Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.

    [SwitchB-keychain-abc] key 1
    [SwitchB-keychain-abc-key-1] authentication-algorithm md5
    [SwitchB-keychain-abc-key-1] key-string plain 123456
    [SwitchB-keychain-abc-key-1] send-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
    [SwitchB-keychain-abc-key-1] accept-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
    [SwitchB-keychain-abc-key-1] quit
    

    # Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.

    [SwitchB-keychain-abc] key 2
    [SwitchB-keychain-abc-key-2] authentication-algorithm hmac-md5
    [SwitchB-keychain-abc-key-2] key-string plain pwd123
    [SwitchB-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    [SwitchB-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    [SwitchB-keychain-abc-key-2] quit
    [SwitchB-keychain-abc] quit
    

    # Configure VLAN-interface 100 to use keychain abc for authentication.

    [SwitchB] interface vlan-interface 100
    [SwitchB-Vlan-interface100] ospf authentication-mode keychain abc
    [SwitchB-Vlan-interface100] quit
    

Verifying the configuration

  1. When the system time is within the lifetime from 10:00:00 to 11:00:00 on 2015/02/06, verify the status of the keys in keychain abc.

    # Display keychain information on Switch A. The output shows that key 1 is the valid key.

    [SwitchA] display keychain
    
     Keychain name          : abc
       Mode                 : absolute
       Accept tolerance     : 0
       TCP kind value       : 254
       TCP algorithm value
         HMAC-MD5           : 5
         MD5                : 3
       Default send key ID  : None
       Active send key ID   : 1
       Active accept key IDs: 1
    
       Key ID               : 1
         Key string         : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
         Algorithm          : md5
         Send lifetime      : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
         Send status        : Active
         Accept lifetime    : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
         Accept status      : Active
    
       Key ID               : 2
         Key string         : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
         Algorithm          : hmac-md5
         Send lifetime      : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
         Send status        : Inactive
         Accept lifetime    : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
         Accept status      : Inactive
    

    # Display keychain information on Switch B. The output shows that key 1 is the valid key.

    [SwitchB] display keychain
    
     Keychain name          : abc
       Mode                 : absolute
       Accept tolerance     : 0
       TCP kind value       : 254
       TCP algorithm value
         HMAC-MD5           : 5
         MD5                : 3
       Default send key ID  : None
       Active send key ID   : 1
       Active accept key IDs: 1
    
       Key ID               : 1
         Key string         : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
         Algorithm          : md5
         Send lifetime      : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
         Send status        : Active
         Accept lifetime    : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
         Accept status      : Active
    
       Key ID               : 2
         Key string         : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
         Algorithm          : hmac-md5
         Send lifetime      : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
         Send status        : Inactive
         Accept lifetime    : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
         Accept status      : Inactive
    
  2. When the system time is within the lifetime from 11:00:00 to 12:00:00 on 2015/02/06, verify the status of the keys in keychain abc.

    # Display keychain information on Switch A. The output shows that key 2 becomes the valid key.

    [SwitchA] display keychain
    
     Keychain name          : abc
       Mode                 : absolute
       Accept tolerance     : 0
       TCP kind value       : 254
       TCP algorithm value
         HMAC-MD5           : 5
         MD5                : 3
       Default send key ID  : None
       Active send key ID   : 2
       Active accept key IDs: 2
    
       Key ID               : 1
         Key string         : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
         Algorithm          : md5
         Send lifetime      : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
         Send status        : Inactive
         Accept lifetime    : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
         Accept status      : Inactive
    
       Key ID               : 2
         Key string         : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
         Algorithm          : hmac-md5
         Send lifetime      : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
         Send status        : Active
         Accept lifetime    : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
         Accept status      : Active
    

    # Display keychain information on Switch B. The output shows that key 2 becomes the valid key.

    [SwitchB] display keychain
    
     Keychain name          : abc
       Mode                 : absolute
       Accept tolerance     : 0
       TCP kind value       : 254
       TCP algorithm value
         HMAC-MD5           : 5
         MD5                : 3
       Default send key ID  : None
       Active send key ID   : 2
       Active accept key IDs: 2
    
       Key ID               : 1
         Key string         : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
         Algorithm          : md5
         Send lifetime      : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
         Send status        : Inactive
         Accept lifetime    : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
         Accept status      : Inactive
    
       Key ID               : 2
         Key string         : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
         Algorithm          : hmac-md5
         Send lifetime      : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
         Send status        : Active
         Accept lifetime    : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
         Accept status      : Active
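To make the key rollover in this example concrete, the following added Python model (not part of the configuration guide or of the switch software) computes which key is the active send key and which keys are accepted at a given time for keychain abc, and flags any window in which no key is valid for sending. It assumes that a lifetime start is inclusive and its end exclusive (so 11:00:00 hands over from key 1 to key 2 with neither gap nor overlap), that the lowest key ID wins if send lifetimes overlap, and that the accept tolerance shown in the display output is a number of minutes added at both ends of each accept lifetime.

```python
from collections import namedtuple
from datetime import datetime, timedelta
FMT = "%H:%M:%S %Y/%m/%d"  # the guide's 'HH:MM:SS YYYY/MM/DD' notation (UTC)
# A key's lifetimes are (start, end) tuples; start is inclusive, end exclusive
# (assumption, so the 11:00:00 rollover hands over with neither gap nor overlap).
Key = namedtuple("Key", "key_id send_lifetime accept_lifetime")

def at(text):
    """Parse one timestamp in the guide's notation, e.g. '10:30:00 2015/02/06'."""
    return datetime.strptime(text.strip(), FMT)

def parse_lifetime(text):
    """'10:00:00 2015/02/06 to 11:00:00 2015/02/06' -> (start, end)."""
    start, end = (at(part) for part in text.split(" to "))
    return start, end

def _covers(window, now, slack=timedelta(0)):
    start, end = window
    return start - slack <= now < end + slack

def active_send_key_id(keys, now):
    """Key whose send lifetime covers 'now', or None. Lowest ID wins on overlap:
    an assumption, since the page never configures overlapping send lifetimes."""
    valid = sorted(k.key_id for k in keys if _covers(k.send_lifetime, now))
    return valid[0] if valid else None

def active_accept_key_ids(keys, now, accept_tolerance_min=0):
    """All keys accepted at 'now'. The accept tolerance (assumed: minutes added at
    both ends of each accept lifetime) is what absorbs clock skew between peers."""
    slack = timedelta(minutes=accept_tolerance_min)
    return sorted(k.key_id for k in keys if _covers(k.accept_lifetime, now, slack))

def send_coverage_gaps(keys):
    """Intervals in which no key can be sent. Inside such a gap OSPF hellos cannot
    be authenticated and the adjacency drops; an empty list means seamless rollover."""
    windows = sorted(k.send_lifetime for k in keys)
    gaps, reach = [], windows[0][1]
    for start, end in windows[1:]:
        if start > reach:
            gaps.append((reach, start))
        reach = max(reach, end)
    return gaps

# Keychain abc exactly as configured on both switches above (key strings omitted).
KEYCHAIN_ABC = [
    Key(1, parse_lifetime("10:00:00 2015/02/06 to 11:00:00 2015/02/06"),
        parse_lifetime("10:00:00 2015/02/06 to 11:00:00 2015/02/06")),
    Key(2, parse_lifetime("11:00:00 2015/02/06 to 12:00:00 2015/02/06"),
        parse_lifetime("11:00:00 2015/02/06 to 12:00:00 2015/02/06")),
]
```

With the two lifetimes abutting as on this page, `send_coverage_gaps(KEYCHAIN_ABC)` is empty and the model reproduces the "Active send key ID" of 1 and 2 shown in the two verification steps; shifting key 2's start by even a few minutes produces a gap during which the OSPF adjacency would fail.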