[j-nsp] FW: VPN 3005 concentrator 3DES to Juniper M20 [7:70444]

Daniel telecom at servidor.unam.mx
Mon Jun 16 11:36:31 EDT 2003



AFAIK, there's nothing you can do in Juniper to support fragmentation.. 
maybe the new AS PIC will have the support.. hopefully.. Cisco's solution 
on 12.2.13T is to prefragment.. but you're always gonna have a client who 
doesn't want to or can't do that..



-------------


Hi Group

Thanks Lars and Tony for the feedback.

Just a couple of insights:
The tunnel status between both the boxes is up, i.e. the IKE as well as IPsec 
part. In fact, when I established connectivity for the first time between 
the two, I was able to telnet and ftp (login only) from a host behind the 
Juniper to a host behind the VPN concentrator. Hence, as Lars suggested 
below, I do not think it has anything to do with IKE/IPsec negotiation.
Also, there are no firewalls / ACLs defined in between.

The problem has definitely got something to do with reassembly of the ESP 
when it reaches the Juniper ES-PIC.

Well, it seems like there is a certain software upgrade possible on the Cisco 
box. I have to get my hands on that one and test it out first; I am planning 
to do so next week.

What I am seeking help from you guys about is whether there is a way of 
re-configuring something on the Juniper, or some software patch, that allows 
me to configure fragmentation and packet assembly. You see, most of our 
customers here are using a Cisco box; I can't keep telling them to upgrade 
to a higher IOS or Concentrator software version...... better to try and 
change something from my side.

Thanks a ton for listening.

Cheers
Bosco

PS: Hey Tony! This Juniper installation has been done by EPA itself!! :) 
You can check it up with EPAHAHE..He has pointed out certain things for me 
to do here and check. Cheer


