Configure RIPv2 on routers using clear-text and MD5 hash for authC.

Posted: October 2, 2013 in Cisco Security - Firewalls

Simple diagram:
R1-> rip clear-text <-R3-> rip MD5 <-R2

Router1:

Router1(config)#key chain TEXT                                                   !– key chain name
Router1(config-keychain)#key 1                                                   !– key identifier
Router1(config-keychain-key)#key-string CLEARTEXT          !– key chain string

Router1(config)#router rip
Router1(config-router)#ver 2
Router1(config-router)#network 140.1.0.0                             !–RIP advertised networks
Router1(config-router)#network 160.1.0.0
Router1(config-router)#no auto-summary

Router1(config)#int f0/0
Router1(config-if)#ip rip authentication mode text                 !–clear-text authc mode
Router1(config-if)#ip rip authentication key-chain TEXT       !–key-chain name used for authc

Router2:
Router2(config)#router rip
Router2(config-router)#version 2
Router2(config-router)#network 140.1.0.0
Router2(config-router)#network 160.1.0.0
Router2(config-router)#no auto-summary
Router2(config-router)#exit

Router2(config)#key chain MD5
Router2(config-keychain)#key 1
Router2(config-keychain-key)#key-string MD5HASH

Router2(config-keychain-key)#int f0/0
Router2(config-if)#ip rip authentication mode md5
Router2(config-if)#ip rip authentication key-chain MD5

Router 3:
Router3(config)#key chain TEXT
Router3(config-keychain)#key 1
Router3(config-keychain-key)#key-string CLEARTEXT

Router3(config)#key chain MD5
Router3(config-keychain)#key 1
Router3(config-keychain-key)#key-string MD5HASH

Router3(config)#router rip
Router3(config-router)#version 2
Router3(config-router)#network 140.1.0.0
Router3(config-router)#network 160.1.0.0
Router3(config-router)#no auto-summary

Router3(config)#int f0/1
Router3(config-if)#ip rip authentication mode text
Router3(config-if)#ip rip authentication key-chain TEXT

Router3(config-if)#int f0/0
Router3(config-if)#ip rip authentication mode md5
Router3(config-if)#ip rip authentication key-chain MD5

Verify:
Router3#sh ip route rip
160.1.0.0/32 is subnetted, 2 subnets
R       160.1.1.1 [120/1] via 140.1.13.1, 00:00:27, FastEthernet0/1

Router1#
Router1#sh ip route rip

140.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
R        140.1.23.0/24 [120/1] via 140.1.13.3, 00:00:15, FastEthernet0/0
160.1.0.0/32 is subnetted, 2 subnets
R        160.1.3.3 [120/1] via 140.1.13.3, 00:00:15, FastEthernet0/0
Router1#

Router3#debug ip rip

RIP: received packet with text authentication CLEARTEXT
RIP: received v2 update from 140.1.13.1 on FastEthernet0/1
160.1.1.1/32 via 0.0.0.0 in 1 hops
RIP: sending v2 update to 224.0.0.9 via Loopback0 (160.1.3.3)
RIP: build update entries
140.1.13.0/24 via 0.0.0.0, metric 1, tag 0
140.1.23.0/24 via 0.0.0.0, metric 1, tag 0
160.1.1.1/32 via 0.0.0.0, metric 2, tag 0
RIP: ignored v2 packet from 160.1.3.3 (sourced from one of our addresses)
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (140.1.

Wrong authentication produces this error output:

Router2#
RIP: ignored v2 packet from 136.1.23.3 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via Loopback0 (150.1.2.2)
RIP: build update entries
136.1.23.0/24 via 0.0.0.0, metric 1, tag 0
RIP: ignored v2 packet from 150.1.2.2 (sourced from one of our addresses)
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (136.1.23.2)
RIP: build update entries
150.1.2.2/32 via 0.0.0.0, metric 1, tag 0
RIP: ignored v2 packet from 136.1.23.3 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via Loopback0 (150.1.2.2)
RIP: build update entries
136.1.23.0/24 via 0.0.0.0, metric 1, tag 0

##### Theory #####
RIP authentication is configured in three steps:

1. define a global key chain
2. enable authentication mode (clear-text or MD5) on the RIP interfaces
3. apply the key chain to the interface

Note that for MD5-based authentication, the key number in the key chain must match between the neighbors.

Verification: check whether the routes from the RIP neighbor are installed in the routing table; if they are, authentication was successful.
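
The checks above can also be run offline against saved configurations. The following is an added example, not part of the original post: it parses running-config text and compares the RIP authentication mode and key numbers on the two ends of a link. The sample configs are constructed from the page's key chain names, the function names parse and check_link are hypothetical, and a missing mode line is assumed to mean text (the IOS default).

```python
import re
# Constructed configs: R3 uses the page's names; R2_BAD renumbers its keys to 2.
R3 = """key chain TEXT
 key 1
  key-string CLEARTEXT
key chain MD5
 key 1
  key-string MD5HASH
interface FastEthernet0/0
 ip rip authentication mode md5
 ip rip authentication key-chain MD5
interface FastEthernet0/1
 ip rip authentication key-chain TEXT
"""
R2_BAD = R3.replace(" key 1", " key 2")

def parse(cfg):
    """Return ({chain: {key_id: string}}, {interface: {setting: value}})."""
    chains, ifaces, chain, key, iface = {}, {}, None, None, None
    for raw, line in ((r, r.strip()) for r in cfg.splitlines()):
        if not raw.startswith(" "):        # a top-level line closes the block
            chain = key = iface = None
        if m := re.match(r"key chain (\S+)", line):
            chain = chains.setdefault(m[1], {})
        elif m := re.match(r"interface (\S+)", line):
            iface = ifaces.setdefault(m[1], {})
        elif chain is not None and (m := re.match(r"key (\d+)$", line)):
            key = int(m[1])
        elif key is not None and (m := re.match(r"key-string (?:\d+ )?(\S+)", line)):
            chain[key] = m[1]
        elif iface is not None and (m := re.match(r"ip rip authentication (mode|key-chain) (\S+)", line)):
            iface[m[1]] = m[2]
    return chains, ifaces

def check_link(cfg_a, if_a, cfg_b, if_b):
    """Compare both ends of a link. Assumes a missing mode line means text."""
    ends, out = [], []
    for cfg, name in ((cfg_a, if_a), (cfg_b, if_b)):
        chains, ifaces = parse(cfg)
        i = ifaces.get(name, {})
        ends.append((i.get("mode", "text"), chains.get(i.get("key-chain"), {})))
    (mode_a, keys_a), (mode_b, keys_b) = ends
    if mode_a != mode_b:
        out.append("mode mismatch")
    elif mode_a == "md5" and set(keys_a) != set(keys_b):
        out.append("MD5 key number mismatch")
    elif mode_a == "text" and keys_a:
        out.append("clear-text: key-string is sent unprotected")
    return out
```

Calling check_link(R3, "FastEthernet0/0", R2_BAD, "FastEthernet0/0") reports the key number mismatch that would otherwise only surface as "invalid authentication" in debug ip rip.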

################################################################
