[j-nsp] FW: VPN 3005 concentrator 3DES to Juniper M20 [7:70444]

Tony Frank (EPA) Tony.Frank at ericsson.com.au
Wed Jun 11 11:38:47 EDT 2003


Hi,

I have seen a related IPSec issue where juniper does not reassemble
fragmented ESP packets; hence ES-PIC discards the packet due to not
receiving all data.

Solution was to 'prefragment' the packets before encapsulating into ESP/AH -
most Cisco routers have such an option; not sure what the Junos equivalent
option is.

Also recommend what the other guy suggested; try pinging with increasing
packet size to determine if an MTU issue exists - perhaps a firewall/router
ACL is blocking ESP or AH protocol yet letting IKE through?

Regards,

Tony
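As an added illustration of the fragmentation problem described above (this is example code, not part of the original thread): the script below estimates how much an inner IP packet grows once it is wrapped in tunnel-mode ESP, finds the largest inner packet that still fits the path MTU, and pre-fragments anything larger so that the ESP packets themselves never need to be fragmented in transit. The cipher parameters are the standard ones for 3DES-CBC (8-byte block and IV) with HMAC-SHA1-96 (12-byte ICV) and a plain 20-byte outer IPv4 header; NAT-T, IP options and AH are assumed absent, and the packet sizes fed to it are constructed, not captured.

```python
"""Estimate ESP tunnel-mode packet growth and pre-fragment inner packets so
that no ESP packet has to be fragmented after encapsulation.

Assumptions (example code, not from the mailing-list post): IPv4 without
options, tunnel-mode ESP, no NAT-T UDP encapsulation, DF bit clear on the
inner packet so it may legitimately be fragmented before encryption."""

IPV4_HDR = 20        # outer IPv4 header added in tunnel mode (no options)
ESP_HDR = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)


def esp_tunnel_size(inner_len, block=8, iv=8, icv=12):
    """Outer packet size for an inner IP packet of `inner_len` bytes.

    Defaults model 3DES-CBC (8-byte cipher block and IV) with HMAC-SHA1-96
    (12-byte ICV); pass block=16, iv=16 for AES-CBC."""
    plain = inner_len + ESP_TRAILER
    pad = (-plain) % block              # pad plaintext up to a block boundary
    return IPV4_HDR + ESP_HDR + iv + plain + pad + icv


def max_inner_len(path_mtu, **cipher):
    """Largest inner packet whose ESP encapsulation still fits in path_mtu."""
    n = path_mtu
    while n > IPV4_HDR and esp_tunnel_size(n, **cipher) > path_mtu:
        n -= 1
    return n


def outer_fragment_count(outer_len, path_mtu):
    """Number of IP fragments the *outer* ESP packet would need in transit.

    This is the case the ES-PIC cannot reassemble: fragment payloads are
    multiples of 8 bytes, and every fragment must arrive before decryption."""
    if outer_len <= path_mtu:
        return 1
    per_frag = (path_mtu - IPV4_HDR) // 8 * 8
    return -(-(outer_len - IPV4_HDR) // per_frag)   # ceiling division


def prefragment(inner_len, path_mtu, **cipher):
    """Split an inner IPv4 packet (20-byte header) into fragments that each
    stay within path_mtu after ESP encapsulation; returns fragment sizes."""
    limit = max_inner_len(path_mtu, **cipher)
    if inner_len <= limit:
        return [inner_len]
    per_frag = (limit - IPV4_HDR) // 8 * 8   # fragment offsets are 8-byte units
    payload = inner_len - IPV4_HDR
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IPV4_HDR + chunk)
        payload -= chunk
    return sizes


if __name__ == "__main__":
    mtu = 1500                                   # constructed path MTU
    full = 1500                                  # constructed full-size inner packet
    grown = esp_tunnel_size(full)
    print(f"1500-byte inner packet becomes {grown} bytes after ESP")
    print(f"  -> {outer_fragment_count(grown, mtu)} outer fragments without prefragmentation")
    print(f"largest inner packet that fits unfragmented: {max_inner_len(mtu)}")
    print(f"prefragmented inner sizes: {prefragment(full, mtu)}")
    for size in prefragment(full, mtu):
        assert esp_tunnel_size(size) <= mtu
```

With a 1500-byte path MTU and 3DES/SHA1, a full 1500-byte inner packet grows to 1552 bytes and would be split into two ESP fragments on the wire, which is exactly the traffic the ES-PIC drops. Pre-fragmenting it into 1444 and 76 bytes before encryption keeps every ESP packet at or under 1500 bytes, so the Cisco-side "prefragment" option (or an equivalent MTU/MSS clamp on the inner interface) avoids the problem. The same arithmetic tells you which sizes to sweep when pinging through the tunnel: if 1446-byte packets pass and 1447-byte ones disappear, post-encapsulation fragmentation is the culprit rather than an ACL dropping ESP outright.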

-----Original Message-----
From: Bosco Sachanandani [mailto:Bosco.Sachanandani at orange.co.in]
Sent: Tuesday, 10 June 2003 20:13
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] FW: VPN 3005 concentrator 3DES to Juniper M20 [7:70444]


I have send this mail to the Cisco group too to get some insights.....would
appreciate some feedback from you all too!

TIA
Bosco


-----Original Message-----
From: Bosco Sachanandani 
Sent: Tuesday, June 10, 2003 2:21 PM
To: cisco at groupstudy.com
Subject: VPN 3005 concentrator 3DES to Juniper M20 [7:70444]


Hey Group

I have a Cisco 3005 series concentrator box configured to run between my
External router and Checkpoint firewall such that:

INTERNET Router -------> VPN 3005 --------> Checkpoint------LAN

This is one segment of my network. On another segment of the network I have
a Juniper M20 router with an encapsulation card that is connected to the
internet via a different ISP.

I have successfully established a 3DES IPSec tunnel between these two
although I must admit that the freakin GUI interface of the VPN3005 sucks
big time and is confusing compared to the ultra cool Juniper CLI. It took me
a while to explore the damn hidden options in the GUI!

The problem is that although the tunnel is established, no data can pass
through it! From what I have heard from a reliable source, there is some
compatibility issue relating to the frame size and packet fragmentation when
it arrives at the Juniper Interface. Juniper says that its routers are
designed for a high amount of Internet traffic and that packet fragmentation
is not something a gateway router should be bothered about. However, they
have suggested certain Cisco boxes like the 3662 that allow for packet
fragmentation and other such stuff....

Any of you guys wanna shed some light on this and tell me how I can make the
3005 talk to the M20??
Thanks a ton
Cheers
Bosco




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70444&t=70444
--------------------------------------------------
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse at groupstudy.com

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp