[j-nsp] IPSEC VPN with Cisco 3660
Bosco Sachanandani
Bosco.Sachanandani at orange.co.in
Wed Mar 17 23:48:07 EST 2004
Hi Eric,
Though your problem is solved and maybe not directly related to this, I would like to add a small piece of info.
I have had a fair share of problems when establishing an IPSec tunnel between a Cisco box and a Juniper ES-PIC. This is mainly due to packet pre-fragmentation and the way Juniper PICs handle it (in a better way than old IOS versions do).
All new Cisco IOS releases for IPSec come with the pre-fragmentation support, though turned 'off' by default.
Maybe this link will help someone in the future...
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftprefrg.htm
regards,
Bosco
-----Original Message-----
From: Eric Mellott [mailto:mellotte at netcsc.com]
Sent: Wednesday, March 17, 2004 10:13 PM
To: 'Andrew Ramsey'; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] IPSEC VPN with Cisco 3660
Actually moved from the 3660 to a 7206 and the problem went away.
Believe I have bad hardware on the 3660. Thanks for your response!
-Eric
-----Original Message-----
From: Andrew Ramsey [mailto:akramsey at juniper.net]
Sent: Wednesday, March 17, 2004 10:58 AM
To: Eric Mellott; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] IPSEC VPN with Cisco 3660
Hi,
Could you disable the crypto hardware on the 3660 side and try it?
Thanks,
Andy
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Eric Mellott
> Sent: Wednesday, March 17, 2004 9:44 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] IPSEC VPN with Cisco 3660
>
>
> I am trying to set up a vpn between a Juniper M10 and a Cisco
> 3660. Everything seems to be configured correctly and the
> tunnel comes up fine, however only packets less than 300
> bytes are making it through the vpn. Packets greater than
> 300 bytes are making it to the Juniper and back to the 3660.
> The 3660 is just not decrypting them properly. The
> pad_size_error variable is incrementing when I look at the
> crypto engine statistics. Anyone know what is going on or
> have a working example of a vpn between a Juniper and Cisco?
> I am using dynamic SAs for ipsec and ike.
>
>
>
> Thank you in advance for any input.
>
>
>
> -Eric
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>