[j-nsp] ES PIC required for BGP-over-IPSEC?

Daniel Roesen dr at cluenet.de
Fri Apr 16 15:17:01 EDT 2004


On Fri, Apr 16, 2004 at 08:59:12PM +0200, Daniel Roesen wrote:
> On Fri, Apr 16, 2004 at 02:37:17PM -0400, David Xu wrote:
> > Try the following configs (worked in my lab, no ES PIC required):
> 
> Thanks, indeed. Either AH _or_ ESP in transport mode works.
> But AH+ESP (which can do only tunnel mode) does not.
> 
> Is that expected?

It is. Found the comment in the description of "Tunnel mode":

<cite>
Tunnel mode requires the ES PIC.

In transport mode, the JUNOS software does not support authentication
header (AH) or encapsulating security payload (ESP) header bundles.

The JUNOS software supports only BGP in transport mode. 
</cite>

http://www.juniper.net/techpubs/software/junos/junos62/swconfig62-system-basics/html/security-config8.html#1317091

Well hidden. I think this comment should be put prominently on
the description of the "ipsec-sa" BGP option. :-)

[yes, I've filed a doc feedback :->]


Best regards,
Daniel

