[192632] in North American Network Operators' Group
OSPFv3 with IPSec between Cisco and Juniper gears
daemon@ATHENA.MIT.EDU (Philippe Bonvin via NANOG)
Thu Nov 10 15:23:47 2016
X-Original-To: nanog@nanog.org
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 10 Nov 2016 20:14:50 +0000
From: Philippe Bonvin via NANOG <nanog@nanog.org>
Reply-To: Philippe Bonvin <p.bonvin@edsi-tech.com>
Errors-To: nanog-bounces@nanog.org
Hello folks,
Quick question about incompatibility between Cisco and Juniper gears.
Without IPSec, OSPFv3 is working as expected.
I'm trying to configure IPSec authentication of OSPFv3 between a Juniper SRX and a Cisco router but it seems that they didn't agree to a common key length.
Can you confirm that this is a well-known problem or give me the right configuration that I should use?
The error message on the Juniper:
[edit security ipsec security-association ospfv3 manual direction bidirectional authentication key ascii-text]
'ascii-text "..."'
Authentication key size must be 20 bytes
On the Cisco side:
cisco(config-if)#ipv6 ospf authentication ipsec spi 256 sha1 0 ?
Hex-string SHA-1 key (40 chars)?
Here is an output of the config I'm using on the SRX side:
ipsec {
    security-association ospfv3 {
        mode transport;
        manual {
            direction bidirectional {
                protocol ah;
                spi 256;
                authentication {
                    algorithm hmac-sha1-96;
                    key ascii-text "..."; ## SECRET-DATA
                }
            }
        }
    }
}
interface ge-0/0/0.0 {
    ipsec-sa ospfv3;
}
Thanks for your help,
Philippe
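Added example, not part of the original post and not vendor code: the two prompts quoted above describe the same key size in different notations (20 bytes on the SRX, 40 hex characters on the Cisco), so this sketch checks a key in either notation and shows the other form. It assumes both devices use the raw 20 key bytes for HMAC-SHA1; the key, payload and function names are constructed for illustration.

```python
import hashlib
import hmac

SHA1_KEY_BYTES = 20  # "must be 20 bytes" (SRX) == "40 chars" of hex (Cisco)
ICV_BYTES = 12       # hmac-sha1-96 keeps the first 96 bits of the HMAC-SHA1 output


def key_bytes(key: str, form: str) -> bytes:
    """Decode a manual-SA key given as 'ascii' text or a 'hex' string."""
    if form == "ascii":
        raw = key.encode("ascii")   # UnicodeEncodeError on non-ASCII input
    elif form == "hex":
        raw = bytes.fromhex(key)    # ValueError on odd length or non-hex digits
    else:
        raise ValueError("form must be 'ascii' or 'hex'")
    if len(raw) != SHA1_KEY_BYTES:
        raise ValueError(f"key is {len(raw)} bytes, need {SHA1_KEY_BYTES}")
    return raw


def both_forms(key: str, form: str) -> dict:
    """Return the same key as a 40-digit hex string and, if printable, as ASCII."""
    raw = key_bytes(key, form)
    printable = all(0x20 <= b < 0x7F for b in raw)
    return {"hex": raw.hex(), "ascii": raw.decode("ascii") if printable else None}


def icv(raw_key: bytes, data: bytes) -> bytes:
    """Truncated HMAC-SHA1 tag, as produced by the hmac-sha1-96 algorithm."""
    return hmac.new(raw_key, data, hashlib.sha1).digest()[:ICV_BYTES]


# Constructed sample values: never reuse a published key on real equipment.
SAMPLE_ASCII_KEY = "ExampleOspfv3Key0001"            # exactly 20 characters
SAMPLE_DATA = b"constructed OSPFv3 hello payload"

if __name__ == "__main__":
    forms = both_forms(SAMPLE_ASCII_KEY, "ascii")
    print("ASCII form :", forms["ascii"])
    print("hex form   :", forms["hex"])
    # Same bytes entered in either notation give the same authentication tag.
    tag_a = icv(key_bytes(forms["ascii"], "ascii"), SAMPLE_DATA)
    tag_h = icv(key_bytes(forms["hex"], "hex"), SAMPLE_DATA)
    print("tags match :", tag_a == tag_h, tag_a.hex())
```

A key that is not exactly 20 bytes after decoding is rejected in either notation, which mirrors the length check both prompts apply.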