OSPFv3 with IPSec between Cisco and Juniper gears

David Hubbard dhubbard at dino.hostasaurus.com
Thu Nov 10 21:02:59 UTC 2016


Wouldn’t you want to use hexadecimal instead of ascii-text, since that would match what the Cisco is asking for?  I’m just throwing this out there, I’m not familiar with Juniper but their docs seem to suggest that using hex will cause it to ask for 40 hex chars.

David

On 11/10/16, 3:14 PM, "NANOG on behalf of Philippe Bonvin via NANOG" <nanog-bounces at nanog.org on behalf of nanog at nanog.org> wrote:

    Hello folks,
    
    
    Quick question about incompatibility between Cisco and Juniper gears.
    
    
    Without IPSec, OSPFv3 is working as expected.
    
    I'm trying to configure IPSec authentication of OSPFv3 between a Juniper SRX and a Cisco router but it seems that they didn't agree to a common key length.
    
    
    Can you confirm that this is a well-known problem or give me the right configuration that I should use?
    
    
    The error message on the juniper:
    
    [edit security ipsec security-association ospfv3 manual direction bidirectional authentication key ascii-text]
      'ascii-text "..."'
        Authentication key size must be 20 bytes
    
    On the cisco side:
    
    cisco(config-if)#ipv6 ospf authentication ipsec spi 256 sha1 0 ?
      Hex-string  SHA-1 key (40 chars)?
    
    
    
    Here is an output of the config I'm using on the SRX side:
    
    
    
    ipsec {
        security-association ospfv3 {
            mode transport;
            manual {
                direction bidirectional {
                    protocol ah;
                    spi 256;
                    authentication {
                        algorithm hmac-sha1-96;
                        key ascii-text "..."; ## SECRET-DATA
                    }
                }
            }
        }
    }
    
    interface ge-0/0/0.0 {
        ipsec-sa ospfv3;
    }
    
    
    Thanks for your help,
    Philippe
    
    
    Philippe Bonvin, Director
    EDSI-Tech Sàrl<http://www.edsi-tech.com>
    EPFL Innovation Park, Batiment C, 1015 Lausanne, Switzerland | Telephone: +41 (0) 21 566 14 15, ext. 99
    Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France | Telephone: +33 (0)4 86 15 44 78, ext. 99
    
    



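As an added illustration (not from the thread, and not vendor code), a small Python check that a candidate manual-SA key really is the 20 bytes HMAC-SHA1-96 needs on both boxes, renders it in each CLI's expected form, and confirms that a Cisco hex-string and a Juniper ascii-text key produce the same truncated HMAC. It assumes Cisco's 40-char hex-string and Juniper's hexadecimal key form are both plain hex encodings of the same raw key, which the thread suggests but does not confirm; the sample packet bytes are constructed.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 20  # HMAC-SHA1 key size: Juniper ascii-text = 20 chars, Cisco hex-string = 40 hex chars
ICV_LEN = 12  # hmac-sha1-96 keeps the first 96 bits (12 bytes) of the HMAC-SHA1 output


def normalize_key(key: str, encoding: str) -> bytes:
    """Return the raw key bytes for a key typed as 'hex' (Cisco hex-string, Juniper
    hexadecimal) or 'ascii' (Juniper ascii-text). Raises ValueError on a bad size."""
    if encoding == "hex":
        raw = bytes.fromhex(key)
    elif encoding == "ascii":
        raw = key.encode("ascii")
    else:
        raise ValueError("encoding must be 'hex' or 'ascii'")
    if len(raw) != KEY_LEN:
        raise ValueError(f"Authentication key size must be {KEY_LEN} bytes, got {len(raw)}")
    return raw


def key_is_valid(key: str, encoding: str) -> bool:
    """True if the key parses and is exactly KEY_LEN bytes (the error both CLIs report)."""
    try:
        normalize_key(key, encoding)
        return True
    except ValueError:
        return False


def render_key(raw: bytes) -> dict:
    """Render one raw key in the form each side's CLI expects. ascii-text is only
    offered when every byte is printable ASCII, which a random key usually is not."""
    out = {"cisco_hex": raw.hex(), "juniper_hex": raw.hex()}
    if all(0x20 <= b < 0x7F for b in raw):
        out["juniper_ascii_text"] = raw.decode("ascii")
    return out


def generate_key() -> bytes:
    """Fresh random 20-byte key; enter it as hex on both sides rather than as a word."""
    return secrets.token_bytes(KEY_LEN)


def ah_icv(raw_key: bytes, data: bytes) -> bytes:
    """hmac-sha1-96 integrity check value over the constructed packet bytes."""
    return hmac.new(raw_key, data, hashlib.sha1).digest()[:ICV_LEN]


def keys_match(cisco_hex: str, juniper_ascii: str, sample: bytes = b"constructed OSPFv3 Hello") -> bool:
    """True if both entered keys yield the same ICV, i.e. the neighbours will authenticate."""
    a = ah_icv(normalize_key(cisco_hex, "hex"), sample)
    b = ah_icv(normalize_key(juniper_ascii, "ascii"), sample)
    return hmac.compare_digest(a, b)
```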