OSPFv3 with IPSec between Cisco and Juniper gears

Philippe Bonvin p.bonvin at edsi-tech.com
Thu Nov 10 20:14:50 UTC 2016

Hello folks,

Quick question about an incompatibility between Cisco and Juniper gear.

Without IPSec, OSPFv3 is working as expected.

I'm trying to configure IPSec authentication of OSPFv3 between a Juniper SRX and a Cisco router, but it seems that they didn't agree to a common key length.

Can you confirm that this is a well-known problem or give me the right configuration that I should use?

The error message on the Juniper:

[edit security ipsec security-association ospfv3 manual direction bidirectional authentication key ascii-text]
  'ascii-text "..."'
    Authentication key size must be 20 bytes

On the Cisco side:

cisco(config-if)#ipv6 ospf authentication ipsec spi 256 sha1 0 ?
  Hex-string  SHA-1 key (40 chars)?

Here is an output of the config I'm using on the SRX side:

ipsec {
    security-association ospfv3 {
        mode transport;
        manual {
            direction bidirectional {
                protocol ah;
                spi 256;
                authentication {
                    algorithm hmac-sha1-96;
                    key ascii-text "..."; ## SECRET-DATA

interface ge-0/0/0.0 {
    ipsec-sa ospfv3;

Thanks for your help,

Philippe Bonvin, Director
EDSI-Tech Sàrl<http://www.edsi-tech.com>
EPFL Innovation Park, Batiment C, 1015 Lausanne, Switzerland | Phone: +41 (0) 21 566 14 15, ext. 99
Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France | Phone: +33 (0)4 86 15 44 78, ext. 99


More information about the NANOG mailing list
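
Added example, not part of the original post: the two prompts quoted above ask for the same 160-bit HMAC-SHA1 key in different encodings, 20 bytes of ASCII text on the SRX and 40 hex characters on the Cisco router. The sketch below assumes Junos uses the ASCII bytes of the text as the key; the function names and the sample key are constructed for illustration.

```python
import secrets
import string

# Manual-SA key sizes in bytes: HMAC-SHA1 keys are 160 bits, HMAC-MD5 keys 128 bits.
KEY_BYTES = {"sha1": 20, "md5": 16}
ALPHABET = string.ascii_letters + string.digits  # no characters that need CLI quoting


def new_ascii_key(algo="sha1"):
    """Generate a random key of exactly the byte length the algorithm needs."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_BYTES[algo]))


def ascii_to_hex(key_text, algo="sha1"):
    """Hex-encode an ASCII key after checking it has the required byte length."""
    raw = key_text.encode("ascii")  # raises UnicodeEncodeError if not pure ASCII
    if len(raw) != KEY_BYTES[algo]:
        raise ValueError(f"{algo} key must be {KEY_BYTES[algo]} bytes, got {len(raw)}")
    return raw.hex().upper()


def hex_to_ascii(hex_key, algo="sha1"):
    """Reverse direction: recover the ASCII form of a hex key, if it has one."""
    raw = bytes.fromhex(hex_key)  # raises ValueError on odd length or non-hex digits
    if len(raw) != KEY_BYTES[algo]:
        raise ValueError(f"{algo} key must be {KEY_BYTES[algo]} bytes, got {len(raw)}")
    if not all(0x20 < b < 0x7F for b in raw):
        raise ValueError("key has non-printable bytes; it cannot be typed as ascii-text")
    return raw.decode("ascii")


def render(key_text, spi=256):
    """Return (juniper_line, cisco_line) carrying one shared SHA-1 key."""
    hex_key = ascii_to_hex(key_text, "sha1")
    juniper = f'key ascii-text "{key_text}";'
    cisco = f"ipv6 ospf authentication ipsec spi {spi} sha1 0 {hex_key}"
    return juniper, cisco


if __name__ == "__main__":
    sample = "CONSTRUCTED-KEY-0001"  # constructed 20-character sample; never deploy it
    for line in render(sample):
        print(line)
```

A key drawn from letters and digits carries less entropy than 20 random bytes, so rotate manual keys on a schedule and keep them out of shared configuration archives.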