OSPFv3 with IPSec between Cisco and Juniper gears

Hello folks,

Quick question about incompatibility between Cisco and Juniper gears.

Without IPSec, OSPFv3 is working as expected.

I'm trying to configure IPSec authentication of OSPFv3 between a Juniper SRX and a Cisco router, but it seems that they don't agree on a common key length.

Can you confirm that this is a well-known problem or give me the right configuration that I should use?

The error message on the Juniper:

[edit security ipsec security-association ospfv3 manual direction bidirectional authentication key ascii-text]
  'ascii-text "..."'
    Authentication key size must be 20 bytes

On the Cisco side:

cisco(config-if)#ipv6 ospf authentication ipsec spi 256 sha1 0 ?
  Hex-string SHA-1 key (40 chars)?

Here is an output of the config I'm using on the SRX side:

ipsec {
    security-association ospfv3 {
        mode transport;
        manual {
            direction bidirectional {
                protocol ah;
                spi 256;
                authentication {
                    algorithm hmac-sha1-96;
                    key ascii-text "..."; ## SECRET-DATA
                }
            }
        }
    }
}

interface ge-0/0/0.0 {
    ipsec-sa ospfv3;
}

Thanks for your help,

Philippe Bonvin, Directeur
EDSI-Tech Sàrl<http://www.edsi-tech.com>
EPFL Innovation Park, Batiment C, 1015 Lausanne, Suisse | Téléphone: +41 (0) 21 566 14 15, ext. 99
Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France | Téléphone: +33 (0)4 86 15 44 78, ext. 99


Wouldn’t you want to use hexadecimal instead of ascii-text, since that would match what the Cisco is asking for? I’m just throwing this out there, I’m not familiar with Juniper but their docs seem to suggest that using hex will cause it to ask for 40 hex chars.
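To illustrate the point of the reply above, here is a small added Python helper (not from the thread's authors or either vendor): it converts a Junos `key ascii-text` passphrase into the 40-hex-char string IOS asks for, applies the per-algorithm length check the SRX enforces at commit, and shows that both encodings carry the same key bytes by computing the same HMAC-SHA1-96 ICV that AH uses. The `set`-syntax rendering of the Junos statement, the md5 table entries and the sample key are assumptions of this example, not taken from the thread.

```python
import binascii
import hashlib
import hmac

# Raw key length in bytes per manual-SA authentication algorithm. The SRX
# reports this byte count; IOS asks for the hex string, i.e. twice as many chars.
KEY_BYTES = {"sha1": 20, "md5": 16}
JUNOS_ALG = {"sha1": "hmac-sha1-96", "md5": "hmac-md5-96"}  # assumed mapping


def ascii_key_to_hex(key: str, algorithm: str = "sha1") -> str:
    """Turn a Junos `key ascii-text` passphrase into the hex string IOS expects.

    Raises ValueError when the passphrase is not exactly the required
    length, mirroring the commit check the SRX performs.
    """
    raw = key.encode("ascii")
    need = KEY_BYTES[algorithm]
    if len(raw) != need:
        raise ValueError(f"{algorithm} key must be {need} bytes, got {len(raw)}")
    return binascii.hexlify(raw).decode()


def check_hex_key(hexkey: str, algorithm: str = "sha1") -> bytes:
    """Validate a hex key (Junos `key hexadecimal` / IOS) and return the raw bytes."""
    need = 2 * KEY_BYTES[algorithm]
    if len(hexkey) != need:
        raise ValueError(f"{algorithm} hex key must be {need} chars, got {len(hexkey)}")
    return binascii.unhexlify(hexkey)


def ah_icv(raw_key: bytes, packet: bytes) -> bytes:
    """Integrity check value as hmac-sha1-96 computes it: HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(raw_key, packet, hashlib.sha1).digest()[:12]


def render_both_sides(spi: int, hexkey: str, algorithm: str = "sha1") -> dict:
    """Matching IOS and Junos statements for one bidirectional AH SA (Junos in set syntax)."""
    check_hex_key(hexkey, algorithm)
    return {
        "cisco": f"ipv6 ospf authentication ipsec spi {spi} {algorithm} 0 {hexkey}",
        "junos": ("set security ipsec security-association ospfv3 manual direction "
                  f"bidirectional protocol ah spi {spi} authentication algorithm "
                  f"{JUNOS_ALG[algorithm]} key hexadecimal {hexkey}"),
    }


if __name__ == "__main__":
    # Constructed sample key (exactly 20 printable bytes) and a constructed payload.
    hexkey = ascii_key_to_hex("ABCDEFGHIJKLMNOPQRST")
    print(hexkey, len(hexkey))
    print(ah_icv(check_hex_key(hexkey), b"constructed ospfv3 hello").hex())
    for side, line in render_both_sides(256, hexkey).items():
        print(side, line)
```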


Yes that was it... sorry for the noise.

Now the IPSec SA is up and the neighbors are stuck in ExStart state, but that's another story.