[192638] in North American Network Operators' Group


Re: OSPFv3 with IPSec between Cisco and Juniper gears

daemon@ATHENA.MIT.EDU (Philippe Bonvin via NANOG)
Thu Nov 10 16:26:42 2016

X-Original-To: nanog@nanog.org
To: David Hubbard <dhubbard@dino.hostasaurus.com>, "nanog@nanog.org"
 <nanog@nanog.org>
Date: Thu, 10 Nov 2016 21:24:00 +0000
In-Reply-To: <9F1A846F-D54D-46FE-8219-7C9655A8C314@dino.hostasaurus.com>
From: Philippe Bonvin via NANOG <nanog@nanog.org>
Reply-To: Philippe Bonvin <p.bonvin@edsi-tech.com>
Errors-To: nanog-bounces@nanog.org

Yes that was it... sorry for the noise.

Now the IPSec SA is up and the neighbors are stuck in ExStart state, but that's another story.

________________________________________
From: David Hubbard <dhubbard@dino.hostasaurus.com>
Sent: Thursday, November 10, 2016 22:02
To: Philippe Bonvin; nanog@nanog.org
Subject: Re: OSPFv3 with IPSec between Cisco and Juniper gears

Wouldn't you want to use hexadecimal instead of ascii-text, since that would match what the Cisco is asking for?  I'm just throwing this out there, I'm not familiar with Juniper but their docs seem to suggest that using hex will cause it to ask for 40 hex chars.

David

On 11/10/16, 3:14 PM, "NANOG on behalf of Philippe Bonvin via NANOG" <nanog-bounces@nanog.org on behalf of nanog@nanog.org> wrote:

    Hello folks,


    Quick question about incompatibility between Cisco and Juniper gears.


    Without IPSec, OSPFv3 is working as expected.

    I'm trying to configure IPSec authentication of OSPFv3 between a Juniper SRX and a Cisco router, but it seems that they don't agree on a common key length.


    Can you confirm that this is a well-known problem or give me the right configuration that I should use?


    The error message on the juniper:

    [edit security ipsec security-association ospfv3 manual direction bidirectional authentication key ascii-text]
      'ascii-text "..."'
        Authentication key size must be 20 bytes

    On the cisco side:

    cisco(config-if)#ipv6 ospf authentication ipsec spi 256 sha1 0 ?
      Hex-string  SHA-1 key (40 chars)?



    Here is an output of the config I'm using on the SRX side:



    ipsec {
        security-association ospfv3 {
            mode transport;
            manual {
                direction bidirectional {
                    protocol ah;
                    spi 256;
                    authentication {
                        algorithm hmac-sha1-96;
                        key ascii-text "..."; ## SECRET-DATA
                    }
                }
            }
        }
    }

    interface ge-0/0/0.0 {
        ipsec-sa ospfv3;
    }


    Thanks for your help,
    Philippe


    [EDSI-Tech Sarl]<http://www.edsi-tech.com>
    Philippe Bonvin, Directeur
    EDSI-Tech Sàrl<http://www.edsi-tech.com>
    EPFL Innovation Park, Batiment C, 1015 Lausanne, Suisse | Téléphone: +41 (0) 21 566 14 15, ext. 99
    Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France | Téléphone: +33 (0)4 86 15 44 78, ext. 99

    Disclaimer:
    This email is confidential and intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this information, be advised that you have received this email in error and that any usage, disclosure, distribution, copying of the information or any part of it in any form whatsoever is strictly prohibited.
    If you have received this email in error please notify the EDSI-Tech helpdesk by phone on +41 21 566 14 15 and then delete this e-mail.



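The key-length mismatch in the thread comes down to representation: both boxes want a 160-bit (20-byte) HMAC-SHA1-96 key, but Cisco's `sha1` prompt takes it as a 40-character hex string while Juniper's `ascii-text` counts the typed characters as raw bytes, so a 40-hex-char string pasted into `ascii-text` is 40 bytes and is rejected. The helper below is an added example (not from the thread or either vendor) that checks a typed key against both forms and converts a 20-character ascii-text key into the 40-hex form; it assumes, as David's message suggests, that Juniper's `hexadecimal` option also expects 40 hex characters.

```python
import secrets

# HMAC-SHA1-96 (RFC 2404) uses a 160-bit key: 20 raw bytes, or 40 hex characters.
SHA1_KEY_BYTES = 20
SHA1_KEY_HEX_CHARS = SHA1_KEY_BYTES * 2
HEX_DIGITS = set("0123456789abcdefABCDEF")


def classify_key(text: str) -> dict:
    """Report how a typed key fares on each side of the OSPFv3 IPsec SA.

    `ascii_bytes`: length Juniper's `ascii-text` form sees (must be exactly 20).
    `hex_40_ok`: whether the string is a valid 40-hex-char key for Cisco's
    `sha1` Hex-string prompt (and, assumed here, Juniper's `hexadecimal` form).
    """
    raw = text.encode("ascii")
    is_hex = len(text) == SHA1_KEY_HEX_CHARS and all(c in HEX_DIGITS for c in text)
    return {
        "ascii_bytes": len(raw),
        "juniper_ascii_text_ok": len(raw) == SHA1_KEY_BYTES,
        "hex_40_ok": is_hex,
    }


def ascii_text_to_hex(text: str) -> str:
    """Convert a 20-char ascii-text key into the 40-hex-char string Cisco asks for.

    Both forms then denote the same 20 key bytes, so the SA can come up.
    """
    raw = text.encode("ascii")
    if len(raw) != SHA1_KEY_BYTES:
        raise ValueError(f"ascii-text key must be {SHA1_KEY_BYTES} bytes, got {len(raw)}")
    return raw.hex()


def new_hex_key() -> str:
    """Generate a fresh random 160-bit key as 40 hex chars, usable on both platforms."""
    return secrets.token_bytes(SHA1_KEY_BYTES).hex()


if __name__ == "__main__":
    # Constructed sample keys, not the ones used in the thread.
    pasted_hex = "0123456789abcdef0123456789abcdef01234567"  # fine for Cisco...
    print("40-hex key typed into ascii-text:", classify_key(pasted_hex))  # ...40 bytes on Juniper
    ascii_key = "abcdefghijklmnopqrst"  # 20 characters, accepted by ascii-text
    print("same key for Cisco hex-string:", ascii_text_to_hex(ascii_key))
    print("fresh key for both sides:", new_hex_key())
```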
