For Cisco router authentication, when performing the cisco Route Selection protocol (r12002; VPN) authentication, the key is irrelevant to the key ID when using plain text (General authentication, during MD5 authentication, the key and key ID are related, that is, the key IDs and keys at both ends must be the same, for example, R1 (config) # key chain key1 R1 (config-keychain) # key 1 R1 (config-keychain-key) # key-string cisco R1 (config-keychain-key) # int f0/0 R1 (config-if) # ip authentication key-chain Kerberos 1 key1 R2 (config) # key chain key2 R2 (config-keychain) # key 2 R2 (config-keychain-key) # key-string cisco R2 (co Nfig-keychain-key) # int f0/1 R2 (config-if) # ip authentication key-chain VPN 1 key2 R2 (config) # do ping 10.1.1.1Type escape sequence to abort. www.2cto.com Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds :!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/81/104 ms please note that the key ID of R1 and R2 here is different, indicates that the key is irrelevant to the key ID. When I configure to use MD5 authentication, I cannot establish a neighbor (VPN) at all, and then change it to the same key ID at both ends. Everything works normally. Send a ping packet and pass it !!! This proves that the key ID is related to the key, and the two ends must be the same. This is because when the MD5 authentication mode is used, the key ID and key must be exchanged simultaneously. If the key ID is different, the verification fails without checking whether the key is the same. You can run the debug command to view the process. Author kendy