Wouldn’t you want to use hexadecimal instead of ascii-text, since that would 
match what the Cisco is asking for?  I’m just throwing this out there, I’m not 
familiar with Juniper but their docs seem to suggest that using hex will cause 
it to ask for 40 hex chars.

David

On 11/10/16, 3:14 PM, "NANOG on behalf of Philippe Bonvin via NANOG" 
<nanog-boun...@nanog.org on behalf of nanog@nanog.org> wrote:

    Hello folks,
    
    
    Quick question about incompatibility between Cisco and Juniper gear.
    
    
    Without IPSec, OSPFv3 is working as expected.
    
    I'm trying to configure IPSec authentication of OSPFv3 between a Juniper SRX and a Cisco router but it seems that they didn't agree to a common key length.
    
    
    Can you confirm that this is a well-known problem or give me the right configuration that I should use?
    
    
    The error message on the juniper:
    
    [edit security ipsec security-association ospfv3 manual direction bidirectional authentication key ascii-text]
      'ascii-text "..."'
        Authentication key size must be 20 bytes
    
    On the cisco side:
    
    cisco(config-if)#ipv6 ospf authentication ipsec spi 256 sha1 0 ?
      Hex-string  SHA-1 key (40 chars)?
    
    
    
    Here is an output of the config I'm using on the SRX side:
    
    
    
    ipsec {
        security-association ospfv3 {
            mode transport;
            manual {
                direction bidirectional {
                    protocol ah;
                    spi 256;
                    authentication {
                        algorithm hmac-sha1-96;
                        key ascii-text "..."; ## SECRET-DATA
                    }
                }
            }
        }
    }
    
    interface ge-0/0/0.0 {
        ipsec-sa ospfv3;
    }
    
    
    Thanks for your help,
    Philippe
    
    
    Philippe Bonvin, Director
    EDSI-Tech Sàrl<http://www.edsi-tech.com>
    EPFL Innovation Park, Batiment C, 1015 Lausanne, Switzerland | Phone: +41 (0) 21 566 14 15, ext. 99
    Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France | Phone: +33 (0)4 86 15 44 78, ext. 99
    

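The key-length mismatch discussed in this thread (20 bytes on the SRX, 40 hex characters on the Cisco) comes down to two encodings of the same 20-byte HMAC-SHA1 key. The following is an added example, not part of the original messages: it validates a key in either form and renders it as hex for both platforms. The function names are hypothetical, the Junos `set` path is taken from the error message above with `hexadecimal` in place of `ascii-text`, and it assumes Junos uses the ASCII characters of an `ascii-text` key directly as the key bytes.

```python
import secrets

# HMAC key sizes in bytes, and the Cisco keyword for each algorithm.
KEY_BYTES = {"hmac-sha1-96": 20, "hmac-md5-96": 16}
CISCO_ALGO = {"hmac-sha1-96": "sha1", "hmac-md5-96": "md5"}


def new_key(algorithm="hmac-sha1-96"):
    """Generate a full-entropy key from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES[algorithm])


def normalize_key(key, fmt, algorithm="hmac-sha1-96"):
    """Return raw key bytes for an ascii-text or hexadecimal key; ValueError if unusable."""
    if fmt == "ascii-text":
        raw = key.encode("ascii")  # non-ASCII input raises a ValueError subclass
    elif fmt == "hexadecimal":
        raw = bytes.fromhex(key)   # odd length or non-hex digits raise ValueError
    else:
        raise ValueError(f"unknown key format: {fmt}")
    want = KEY_BYTES[algorithm]
    if len(raw) != want:
        raise ValueError(
            f"{algorithm} needs {want} bytes ({2 * want} hex chars), got {len(raw)}")
    return raw


def render(raw, spi, algorithm="hmac-sha1-96", sa="ospfv3"):
    """Render the same key, hex-encoded, as one config line per platform."""
    hexkey = raw.hex()
    junos = (f"set security ipsec security-association {sa} manual direction "
             f'bidirectional authentication key hexadecimal "{hexkey}"')
    cisco = f"ipv6 ospf authentication ipsec spi {spi} {CISCO_ALGO[algorithm]} 0 {hexkey}"
    return junos, cisco


if __name__ == "__main__":
    # Constructed sample: a 20-character ASCII key as the SRX would accept it.
    for line in render(normalize_key("0123456789abcdefghij", "ascii-text"), 256):
        print(line)
    # Preferred: a random key instead of a typed passphrase.
    for line in render(new_key(), 256):
        print(line)
```

A key typed as 20 printable characters carries less entropy than 20 random bytes, so generating the key with `new_key()` and entering it as hex on both sides is the stronger choice.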