[c-nsp] Cisco - Netscreen VPN
Ryan O'Connell
ryan at complicity.co.uk
Thu Oct 13 07:58:05 EDT 2005
Does anyone here have any experience in how to make a Netscreen firewall
and Cisco router reliably talk to each other using IPSec? It seems that
Netscreen don't support Phase 2 rekeying - so every hour (3600s) the VPN
drops. For some reason it takes the Cisco and Netscreen anything from a
few seconds to 15 minutes to reestablish the VPN because they disagree
on the IPSec lifetimes. (I have no idea why it works at all) Is there
any workaround - on either end - anyone is aware of?
Unfortunately, it seems I can't use Manual Keying with IPSec Tunnel
interfaces ("tunnel mode ipsec ipv4") as the various manual key commands
are only available with interface crypto maps - and I can't use
interface crypto maps as I need the endpoint of the VPN on the Cisco to
be the loopback interface. (The router has multiple outbound interfaces)
Thanks.
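As an added illustration (this is not configuration from the poster or from the list), the following shows the two pieces that usually have to line up for a Cisco VTI ("tunnel mode ipsec ipv4") to stay up against a ScreenOS peer: the Phase 2 lifetime set explicitly on both ends to the same number of seconds, and the tunnel sourced from a loopback so the VPN endpoint is independent of which outbound interface the router uses. All hostnames, addresses, proposal names and the pre-shared key are hypothetical; the syntax is as I recall it for IOS 12.3T-era VTI and ScreenOS 5.x and should be checked against the release actually in use.

```cisco
! ===== Cisco IOS side (hypothetical addressing) =====
! Phase 1: 3DES/SHA, group 2, pre-shared key, 8 hour lifetime
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key EXAMPLE-PSK address 203.0.113.2
!
! Phase 2: lifetime written out in the profile so it is 3600s on both ends,
! matching the "second 3600" in the ScreenOS p2-proposal below
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-TO-NETSCREEN
 set transform-set TS-3DES-SHA
 set security-association lifetime seconds 3600
!
! Loopback as the IKE/IPsec endpoint: reachable via any outbound interface
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-TO-NETSCREEN
!
! Traffic for the far side is routed into the tunnel, no crypto map ACL needed
ip route 10.20.0.0 255.255.0.0 Tunnel0

! ===== ScreenOS side (hypothetical addressing, route-based VPN) =====
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.255.0.2/30
set ike p1-proposal p1-3des-sha preshare group2 esp 3des sha-1 second 28800
set ike p2-proposal p2-3des-sha group2 esp 3des sha-1 second 3600
set ike gateway gw-cisco address 192.0.2.1 main outgoing-interface ethernet3 preshare EXAMPLE-PSK proposal p1-3des-sha
set vpn vpn-cisco gateway gw-cisco proposal p2-3des-sha
set vpn vpn-cisco bind interface tunnel.1
set route 10.10.0.0/16 interface tunnel.1
set policy from trust to untrust any any any permit
set policy from untrust to trust any any any permit
```

Checks worth running once this is in place: `show crypto ipsec sa` on the router reports the remaining lifetime per SA in both kilobytes and seconds, and `get sa` on the NetScreen shows the SA lifetime it negotiated; if the two figures disagree at the moment the SAs come up, the lifetimes were not actually agreed and one side will tear down before the other expects it. The IOS kilobyte lifetime (default 4608000) is a second, volume-based expiry that ScreenOS does not necessarily mirror, so it is worth watching whether rekeys happen on the hour or earlier under load.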