NTP Authentication at Juniper ScreenOS

Yes, ScreenOS is end-of-everything (EoE), but for historical reasons I still have some of them in my lab. ;D They simply work, while having lots of features when it comes to IPv6 such as DHCPv6-PD. However, using IPv6-only NTP servers is beyond their possibilities. :(

Anyway, I tried using NTP authentication with legacy IP. Unfortunately, I had some issues with it. Not only that they don’t support SHA-1 but MD5, this MD5 key was also limited in its length to 16 characters. Strange, since ntp-keygen per default generates 20 ASCII characters per key. Let’s have a look:

This article is one of many blogposts within this NTP series. Please have a look!

I am using an SSG 5 with firmware version 6.3.0r20.0.

IPv6: Configurable but Failing

Entering an IPv6-only NTP server at Configuration -> Date/Time is possible without any errors:

However, having a deeper look reveals that it is not working at all since it tries to connect to an IPv4 address of rather than the actual IPv6 address:

Note that, for whatever reason, the debug command “debug ntp detail” is NOT documented. ;D Neither on the official docs nor in the CLI when using the question mark. Strange.

NTP Auth with Legacy IP Failing As Well

Ok, at first I configured an NTP server with legacy IP, but yet without authentication, which has worked correctly:

Adding MD5 authentication (since I read in the “ScreenOS Cookbook” that it only supports MD5):

Now it became strange. There was no error when configuring this key at the GUI. However, the authentication was not working:

Capturing with tcpdump on the NTP server itself (not on the SSG) reveals an incoming key ID, while the server responds with “key id: 0” with is the crypto-NAK (line 23), refer to Packet Capture: Network Time Protocol (NTP):

MD5 Key Limited to 16 Chars

I tried entering the MD5 key through the CLI which gave me a hunch:

Uh, “Preshare key cannot be more than 16 characters“. I have not seen this information in any kind of documentation. At least the error message tells it. Thanks.

Finally, I generated a 16 character MD5 key on my NTP server (Meinberg M200) which indeed worked:

Similar log events in the “get event” output (which is also displayed in the GUI):

Capturing on the NTP server again, you can now see a working NTP authentication since the server replies with the key ID and the MAC (lines 23+24):

In the end, this was my NTP config on this ScreenOS device:

Ok, hm. I’m not happy at all. However, it’s an outdated firewall anyway, you know. So I don’t bother.

Have a good time! Ciao.

Featured image “rusted boiler#24553” by prof.bizzarro is licensed under CC BY 2.0.

Leave a Reply

Your email address will not be published. Required fields are marked *