OSPF Authentication Configuration in Detail
2008-04-10 08:39:40
Copyright notice: original work; reposting is permitted provided the original source (as a hyperlink), the author information and this notice are kept. Otherwise legal liability will be pursued. http://sense5.blog.51cto.com/31808/70823
Before IOS 12.0, if authentication was configured on any one interface inside an OSPF area, every interface of every other router in that area also had to have authentication configured.

From IOS 12.0 onward, authentication can be configured on a single interface on its own, independently of the other routers in the area.

Command syntax:

```
ip ospf authentication-key password
ip ospf message-digest-key key-id md5 password
```

password: the password used for authentication on a particular interface, area or virtual link; a string of 1 to 8 characters.

key-id: identifies the key (password) used to compute the MD5 digest; range 1-255. Key-id matching proceeds from the smallest ID to the largest; the largest ID is called the youngest key.

The key-id is per interface or per virtual link: each interface has its own key-id space, independent of the others.

When OSPF receives an OSPF packet:

1> It checks that the authentication type in the packet matches what is configured on the receiving interface, link or area: 0 = null (no authentication), 1 = plaintext (simple password), 2 = MD5.

2> It checks that the password in the packet matches; with MD5 it starts from the smallest key-id and stops at the first match. If nothing matches, no adjacency can be formed.

Both ends of a link must be configured with the same password and key-id.

Part I. Area-level plaintext authentication
```
!
host r1
!
int s1/0
 description conn_to_r2
 ip add 192.168.1.1 255.255.255.0
 ip ospf authentication-key cisco
!
router ospf 100
 router-id 10.0.0.1
 net 192.168.1.0 0.0.0.255 area 0
 area 0 authentication
!
--------------------------------------------
!
host r2
!
int s1/0
 description conn_to_r1
 ip add 192.168.1.2 255.255.255.0
 ip ospf authentication-key cisco
!
router ospf 100
 router-id 10.0.0.2
 net 192.168.1.0 0.0.0.255 area 0
 area 0 authentication
!
```

Related commands (service password-encryption keeps the key from appearing in clear text in the running configuration; the other two verify the adjacency):

```
service password-encryption
show ip ospf neighbor
debug ip ospf events
```

Part II. Area-level MD5 authentication
```
!
host r1
!
int s1/0
 description conn_to_r2
 ip add 192.168.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 cisco
!
router ospf 100
 router-id 10.0.0.1
 net 192.168.1.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
---------------------------------------------
!
host r2
!
int s1/0
 description conn_to_r1
 ip add 192.168.1.2 255.255.255.0
 ip ospf message-digest-key 1 md5 cisco
!
router ospf 100
 router-id 10.0.0.2
 net 192.168.1.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
```

Part III. Area-level MD5 key rollover

Because MD5 authentication, on receipt, tries the passwords in the key pool in turn (from the smallest key ID to the largest), several passwords can be configured at the same time, which allows a smooth transition from one password to another.

1> Add the new key

```
!
host r1
!
int s1/0
 description conn_to_r2
 ip add 192.168.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
 router-id 10.0.0.1
 net 192.168.1.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
---------------------------------------------
!
host r2
!
int s1/0
 description conn_to_r1
 ip add 192.168.1.2 255.255.255.0
 ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
 router-id 10.0.0.2
 net 192.168.1.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
```

2> Remove the old key

```
!
host r1
!
int s1/0
 description conn_to_r2
 ip add 192.168.1.1 255.255.255.0
 no ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
 router-id 10.0.0.1
 net 192.168.1.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
---------------------------------------------
!
host r2
!
int s1/0
 description conn_to_r1
 ip add 192.168.1.2 255.255.255.0
 no ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
 router-id 10.0.0.2
 net 192.168.1.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
```

Part IV. Interface-level plaintext authentication
```
!
host r1
!
int s1/0
 description conn_to_r2
 ip add 192.168.1.1 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key cisco
!
router ospf 100
 router-id 10.0.0.1
 net 192.168.1.0 0.0.0.255 area 0
!
--------------------------------------------
!
host r2
!
int s1/0
 description conn_to_r1
 ip add 192.168.1.2 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key cisco
!
router ospf 100
 router-id 10.0.0.2
 net 192.168.1.0 0.0.0.255 area 0
!
```

Part V. Interface-level MD5 authentication
```
!
host r1
!
int s1/0
 description conn_to_r2
 ip add 192.168.1.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
!
router ospf 100
 router-id 10.0.0.1
 net 192.168.1.0 0.0.0.255 area 0
!
---------------------------------------------
!
host r2
!
int s1/0
 description conn_to_r1
 ip add 192.168.1.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
!
router ospf 100
 router-id 10.0.0.2
 net 192.168.1.0 0.0.0.255 area 0
!
```

Part VI. Interface-level MD5 key rollover
Because MD5 authentication, on receipt, tries the passwords in the key pool in turn (from the smallest key ID to the largest), several passwords can be configured at the same time, which allows a smooth transition from one password to another.

1> Add the new key

```
!
host r1
!
int s1/0
 description conn_to_r2
 ip add 192.168.1.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
 router-id 10.0.0.1
 net 192.168.1.0 0.0.0.255 area 0
!
---------------------------------------------
!
host r2
!
int s1/0
 description conn_to_r1
 ip add 192.168.1.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
 router-id 10.0.0.2
 net 192.168.1.0 0.0.0.255 area 0
!
```

2> Remove the old key

```
!
host r1
!
int s1/0
 description conn_to_r2
 ip add 192.168.1.1 255.255.255.0
 ip ospf authentication message-digest
 no ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
 router-id 10.0.0.1
 net 192.168.1.0 0.0.0.255 area 0
!
---------------------------------------------
!
host r2
!
int s1/0
 description conn_to_r1
 ip add 192.168.1.2 255.255.255.0
 ip ospf authentication message-digest
 no ip ospf message-digest-key 1 md5 cisco
 ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
 router-id 10.0.0.2
 net 192.168.1.0 0.0.0.255 area 0
!
```

Part IX. Disabling authentication on a single interface (MD5/plaintext)

Area 0 has authentication enabled on r1 and r2, so r2 overrides it on s1/1 with ip ospf authentication null in order to form an adjacency with r3, which has no authentication configured.

```
!
host r1
!
int s1/0
 description conn_to_r2
 ip add 192.168.1.1 255.255.255.0
 ip ospf authentication-key cisco
!
router ospf 100
 router-id 10.0.0.1
 net 192.168.1.0 0.0.0.255 area 0
 area 0 authentication
!
--------------------------------------------
!
host r2
!
int s1/0
 description conn_to_r1
 ip add 192.168.1.2 255.255.255.0
 ip ospf authentication-key cisco
!
int s1/1
 description conn_to_r3
 ip add 192.168.2.1 255.255.255.0
 ip ospf authentication null
!
router ospf 100
 router-id 10.0.0.2
 net 192.168.1.0 0.0.0.255 area 0
 net 192.168.2.0 0.0.0.255 area 0
 area 0 authentication
!
---------------------------------------------
!
host r3
!
int s1/0
 description conn_to_r2
 ip add 192.168.2.2 255.255.255.0
!
router ospf 100
 router-id 10.0.0.3
 net 192.168.2.0 0.0.0.255 area 0
!
```

Part X. Authentication on a Virtual Link

Command syntax:

```
area transit-area-id virtual-link router-id message-digest-key key-id md5 password
```

```
!
host r3
!
int s1/0
 description conn_to_area_0
 ip add 192.168.0.2 255.255.255.0
 ip ospf message-digest-key 1 md5 cisco0
!
router ospf 100
 router-id 10.0.0.3
 net 192.168.0.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
--------------------------------------------
!
host r1
!
int s1/0
 description conn_to_area_1
 ip add 192.168.1.1 255.255.255.0
!
int s1/1
 description conn_to_area_0
 ip add 192.168.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 cisco0
!
router ospf 100
 router-id 10.0.0.1
 net 192.168.1.0 0.0.0.255 area 1
 net 192.168.0.0 0.0.0.255 area 0
 area 0 authentication message-digest
 area 1 virtual-link 10.0.0.2 message-digest-key 1 md5 cisco1
!
```

On r1 only the virtual-link password needs to be configured, because the virtual link belongs to area 0 and crosses area 1 as its transit area, and area 0 on r1 already requires MD5 authentication. Without the final area 1 virtual-link 10.0.0.2 message-digest-key 1 md5 cisco1 command, the router would by the rules send packets using key-id 0; the far end of the virtual link cannot possibly hold a key entry with key-id 0, because the usable key-id range is 1-255, so it would display:

```
*Mar 1 00:28:34.043: OSPF: Rcv pkt from 192.168.1.1, OSPF_VL0 : Mismatch Authentication Key - No message digest key 0 on interface
```

```
---------------------------------------------
!
host r2
!
int s1/0
 ip add 192.168.1.2 255.255.255.0
!
int s1/1
 ip add 192.168.2.1 255.255.255.0
!
router ospf 100
 router-id 10.0.0.2
 net 192.168.1.0 0.0.0.255 area 1
 net 192.168.2.0 0.0.0.255 area 2
 area 1 virtual-link 10.0.0.1 authentication message-digest
 ! key-id and password must match the far end of the virtual link (r1)
 area 1 virtual-link 10.0.0.1 message-digest-key 1 md5 cisco1
!
```
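As an added illustration (not from the original post) of the receive-side checks described at the top and of the key rollover in Parts III and VI, the following Python models an OSPFv2 receiver: it builds a minimal packet with RFC 2328 Appendix D cryptographic authentication (MD5 over the packet plus the zero-padded key), checks the AuType against the interface configuration, then looks up the key-id carried in the packet in the interface's key table, which is why a missing virtual-link key yields the "No message digest key 0" message from Part X. The packet layout is standard OSPFv2; the router-id, passwords and Hello payload are constructed from the post's values, and the lookup by the packet's key-id follows RFC 2328 and the debug line rather than the "smallest ID first" wording.

```python
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2   # OSPF AuType values named in the post

def md5_digest(pkt, key):
    # RFC 2328 App. D: MD5 over the packet with the key appended, zero-padded to 16 bytes
    return hashlib.md5(pkt + key.encode().ljust(16, b"\x00")).digest()

def build_md5_packet(body, router_id, key_id, key, seq):
    """Minimal OSPFv2 packet (type 1 = Hello, area 0) using MD5 authentication.
    The 8-byte auth field holds 2 reserved bytes, key-id, digest length 16 and a
    sequence number; the digest follows the body and is not counted in the length."""
    hdr = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body), router_id, bytes(4), 0, AUTH_MD5)
    pkt = hdr + struct.pack("!HBBI", 0, key_id, 16, seq) + body
    return pkt + md5_digest(pkt, key)

def receive(pkt, iface_autype, key_table):
    """Receiver-side checks in the order the post lists them: (1) the AuType in the
    header must equal the type configured on the interface; (2) for MD5 the key-id
    carried in the packet is looked up in this interface's own key table
    (key-id -> password) and the digest recomputed. Returns (accepted, reason)."""
    autype = struct.unpack("!H", pkt[14:16])[0]
    if autype != iface_autype:
        return False, "Mismatch Authentication type"
    if autype == AUTH_NULL:
        return True, "accepted (null authentication)"
    if autype == AUTH_SIMPLE:   # type 1 carries the password itself in the auth field
        ok = hmac.compare_digest(pkt[16:24].rstrip(b"\x00"), key_table.get(0, "").encode())
        return ok, "accepted (simple password)" if ok else "Mismatch Authentication Key (simple password)"
    key_id, digest_len = pkt[18], pkt[19]
    if key_id not in key_table:
        return False, f"Mismatch Authentication Key - No message digest key {key_id} on interface"
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = md5_digest(pkt[:length], key_table[key_id])
    if not hmac.compare_digest(expected, pkt[length:length + digest_len]):
        return False, f"Mismatch Authentication Key - digest check failed for key {key_id}"
    return True, f"accepted with key {key_id}"

def rollover_demo():
    """Key rollover from Parts III/VI: while the receiver holds keys 1 and 2, packets
    signed with either pass; after 'no ip ospf message-digest-key 1' only key 2 does."""
    r1 = bytes([10, 0, 0, 1])                     # router-id 10.0.0.1 from the post
    body = bytes([255, 255, 255, 0]) + bytes(16)  # constructed Hello payload (mask + filler)
    both, only_new = {1: "cisco", 2: "cisco2"}, {2: "cisco2"}
    return [receive(build_md5_packet(body, r1, 1, "cisco", 1), AUTH_MD5, both)[0],
            receive(build_md5_packet(body, r1, 2, "cisco2", 2), AUTH_MD5, both)[0],
            receive(build_md5_packet(body, r1, 1, "cisco", 3), AUTH_MD5, only_new)[0]]
```

rollover_demo() returns [True, True, False]; passing a packet built with key_id 0 to receive() reproduces the Part X mismatch message.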