[j-nsp] FW: VPN 3005 concentrator 3DES to Juniper M20 [7:70444]
Julian Eccli
je at juniper.net
Wed Jun 11 10:19:03 EDT 2003
IOS 12.2.13T and above has been tested for interop with JUNOS ES PICs
and works just fine. I had issues with IOS versions below this.
-Julian
> -----Original Message-----
> From: Lars Higham [mailto:lhigham at yahoo.com]
> Sent: Wednesday, June 11, 2003 6:39 AM
> To: juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] FW: VPN 3005 concentrator 3DES to Juniper M20
> [7:70444]
>
>
> Hello Bosco,
>
> Cisco's general answer to everything is to upgrade IOS/hardware so your
> customers are probably used to hearing it - particularly when
> implementing new features.
>
>
> Regards,
> Lars
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bosco
> Sachanandani
> Sent: Wednesday, June 11, 2003 5:58 PM
> To: juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] FW: VPN 3005 concentrator 3DES to Juniper M20
> [7:70444]
>
>
> Hi Group
>
> Thanks Lars and Tony for the feedback.
>
> Just a couple of insights:
> The tunnel status between both the boxes is up, i.e. the IKE as well as
> IPsec part. In fact, when I established connectivity for the first time
> between the two, I was able to telnet and ftp (login only) from a host
> behind the Juniper to a host behind the VPN concentrator. Hence as Lars
> suggested below, I do not think it's got to do anything with IKE/IPSec
> negotiation. Also, there are no firewalls / ACLs defined in between.
>
> The problem has definitely got something to do with reassembly of the
> ESP when it reaches the Juniper ES-PIC.
>
> Well seems like there is a certain software upgrade possible on the
> Cisco Box, I have to get my hands on that one and test it out first, am
> planning to do so next week.
>
> What I am seeking help from you guys about is that is there a way of
> re-configuring something on the Juniper or some software patch that
> allows me to configure fragmentation and packet assembly? You see most
> of our customers here are using a Cisco box, I can't keep telling them
> to upgrade to a higher IOS or Concentrator software version...... better
> try and change something from my side.
>
> Thanks a ton for listening.
>
> Cheers
> Bosco
>
> PS: Hey Tony! This Juniper Installation has been done by EPA itself!! :)
> You can check it up with EPAHAHE..He has pointed out certain things for
> me to do here and check. Cheers!
>
>
> -----Original Message-----
> From: Lars Higham [mailto:lhigham at yahoo.com]
> Sent: Tuesday, June 10, 2003 8:07 PM
> To: juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] FW: VPN 3005 concentrator 3DES to Juniper M20
> [7:70444]
>
>
> Hello Bosco,
>
> First, ping across using small packet sizes, say 256 bytes. If it still
> doesn't work, it won't be an MTU/fragmentation issue.
>
> Set traceoptions on the Juniper and send us some output - including the
> initial IPSec negotiations, as well as when you're trying to
> send/receive the aforementioned pings.
>
>
> Regards,
> Lars Higham
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bosco
> Sachanandani
> Sent: Tuesday, June 10, 2003 3:43 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] FW: VPN 3005 concentrator 3DES to Juniper
> M20 [7:70444]
>
>
> I have sent this mail to the Cisco group too to get some
> insights.....would appreciate some feedback from you all too!
>
> TIA
> Bosco
>
>
> -----Original Message-----
> From: Bosco Sachanandani
> Sent: Tuesday, June 10, 2003 2:21 PM
> To: cisco at groupstudy.com
> Subject: VPN 3005 concentrator 3DES to Juniper M20 [7:70444]
>
>
> Hey Group
>
> I have a Cisco 3005 series concentrator box configured to run between my
> external router and Checkpoint firewall such that:
>
> INTERNET Router -------> VPN 3005 --------> Checkpoint------LAN
>
> This is one segment of my network. On another segment of the network I
> have a Juniper M20 router with an encapsulation card that is connected
> to the internet via a different ISP.
>
> I have successfully established a 3DES IPSec tunnel between these two
> although I must admit that the freakin GUI interface of the VPN3005
> sucks big time and is confusing compared to the ultra cool Juniper CLI.
> It took me a while to explore the damn hidden options in the GUI!
>
> The problem is that although the tunnel is established, no data can pass
> through it! From what I have heard from a reliable source, there is some
> compatibility issue relating to the frame size and packet fragmentation
> when it arrives at the Juniper Interface. Juniper says that its
> routers are designed for a high amount of Internet traffic and that
> packet fragmentation is not something a gateway router should be
> bothered about. However, they have suggested certain Cisco boxes like
> the 3662 that allows for packet fragmentation and other such stuff....
>
> Any of you guys wanna shed some light on this and tell me how I can make
> the 3005 talk to the M20??
>
> Thanks a ton
> Cheers
> Bosco
>
>
>
>
> Message Posted at:
> http://www.groupstudy.com/form/read.php?f=7&i=70444&t=70444
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
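Added example, not part of the original thread: the size arithmetic behind the small-ping test Lars suggests, showing when a packet entering a 3DES ESP tunnel grows past the path MTU and has to be fragmented. Assumptions not stated in the thread: IPv4, ESP tunnel mode, a 96-bit HMAC ICV, no NAT-T, and a 1500-byte path MTU.

```python
# ESP tunnel-mode size arithmetic for a 3DES-CBC tunnel (added example).
OUTER_IP = 20     # outer IPv4 header, no options
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
IV_3DES = 8       # 3DES-CBC IV is one 8-byte cipher block
BLOCK_3DES = 8    # ciphertext length must be a multiple of this
ESP_TRAILER = 2   # pad-length byte + next-header byte
ICV_96 = 12       # assumption: HMAC-MD5-96 or HMAC-SHA1-96
FIXED = OUTER_IP + ESP_HDR + IV_3DES + ICV_96


def esp_packet_size(inner_len):
    """Size of the outer IPv4 packet carrying an inner packet of inner_len."""
    # Inner packet plus trailer is padded up to a whole number of blocks.
    to_encrypt = inner_len + ESP_TRAILER
    padded = -(-to_encrypt // BLOCK_3DES) * BLOCK_3DES
    return FIXED + padded


def max_inner_unfragmented(path_mtu=1500):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    room = (path_mtu - FIXED) // BLOCK_3DES * BLOCK_3DES
    return room - ESP_TRAILER


def classify(ping_payload, path_mtu=1500):
    """Return (inner size, outer ESP size, needs_fragmentation) for a ping."""
    inner = 20 + 8 + ping_payload        # IPv4 + ICMP echo header + data
    outer = esp_packet_size(inner)
    return inner, outer, outer > path_mtu


if __name__ == "__main__":
    # Constructed sample sizes: Lars's 256-byte ping, the largest payload
    # that still fits, one byte more, and a full 1500-byte inner packet.
    for payload in (256, 1418, 1419, 1472):
        inner, outer, frag = classify(payload)
        state = "fragmented" if frag else "fits"
        print(f"ping data {payload:4d}  inner {inner:4d}  ESP {outer:4d}  {state}")
    print("largest inner packet without fragmentation:",
          max_inner_unfragmented())
```

Under these assumptions a 256-byte ping or a telnet/ftp login stays far below the limit, while a full-size data packet does not, which is the pattern Bosco reports.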