[j-nsp] Anyone know how to run IPSec on an M40?
Thanh_Mai at 3com.com
Tue Sep 28 15:14:25 EDT 2004
Thanks,

Now, I've reconfigured it and the tunnel can be initiated via the Cisco
side only. A ping from 10.6.0.12 to 10.101.175.253 will bring the tunnel
up.
But a ping from 10.101.175.253 to 10.6.0.12 will not bring the tunnel up.
After the tunnel is up, pings from either side work. What do I need
to do to have the Juniper initiate the tunnel?
fe-3/1/0 {
    unit 0 {
        family inet {
            filter {
                input Encrypt-Policy;
            }
            address 10.101.175.246/24;
        }
    }
}
t1-4/0/0:11 {
    unit 0 {
        family inet {
            address 212.0.12.1/30;
        }
    }
}
es-4/2/0 {
    unit 0 {
        tunnel {
            source 212.0.12.1;
            destination 212.0.12.2;
        }
        family inet {
            ipsec-sa Current;
        }
    }
}
security {
    ipsec {
        proposal Current {
            protocol ah;
            authentication-algorithm hmac-md5-96;
        }
        policy all {
            proposals Current;
        }
        security-association Current {
            mode tunnel;
            dynamic {
                ipsec-policy all;
            }
        }
    }
    ike {
        proposal default {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm sha1;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        policy 212.0.12.2 {
            proposals default;
            pre-shared-key ascii-text "$9$wosaUq.5F6AfT";
        }
    }
}
firewall {
    filter Encrypt-Policy {
        term Direct {
            from {
                source-address {
                    10.101.175.0/24;
                }
                destination-address {
                    10.6.0.0/24;
                }
            }
            then ipsec-sa Current;
        }
    }
}
Daniel Verlouw <daniel at eu.tachyon.net> on 09/28/2004 01:15:41 PM
Sent by: Daniel Verlouw <daniel at eu.tachyon.net>
To: Thanh Mai/US/3Com
cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Anyone know how to run IPSec on an M40?
Traffic is never forwarded between the management port, fxp0 and the
forwarding engine (and vice-versa). You need to buy/use a separate
(ethernet) interface PIC for the 10.101.175.0/24 subnet.
-Daniel.
On Sep 28, 2004, at 6:59 PM, Thanh_Mai at 3com.com wrote:
>
> fxp0 {
>     unit 0 {
>         family inet {
>             filter {
>                 input Encrypt-Policy;
>             }
>             address 10.101.175.246/24;
>         }
>     }
> }
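As an added example (not code from the thread or from Juniper), a small Python lint that parses JunOS-style configuration text and flags the problems discussed above: an ipsec-sa filter applied to fxp0, which never forwards transit traffic, and proposals built on AH only, DES, HMAC-MD5 and DH group 1. The SAMPLE config is constructed from the posted snippets; the WEAK table and the finding strings are my own.

```python
import re

WEAK = {"des-cbc": "56-bit DES", "hmac-md5-96": "HMAC-MD5", "group1": "768-bit DH group 1"}

# Constructed sample, condensed from the posted snippets (fxp0 variant from the quoted mail).
SAMPLE = """
interfaces { fxp0 { unit 0 { family inet { filter { input Encrypt-Policy; } } } }
             es-4/2/0 { unit 0 { tunnel { source 212.0.12.1; destination 212.0.12.2; } } } }
security { ipsec { proposal Current { protocol ah; authentication-algorithm hmac-md5-96; } }
           ike { proposal default { dh-group group1; encryption-algorithm des-cbc; } } }
firewall { filter Encrypt-Policy { term Direct { then ipsec-sa Current; } } }
"""

def parse_junos(text):
    """Parse JunOS config text into nested dicts: 'kind name { }' -> d[kind][name], 'key value;' -> d[key]."""
    root = cur = {}
    stack, buf = [], []
    for tok in re.findall(r"[{};]|[^{};\s]+", text):
        if tok == "{":
            node = cur
            for word in buf[:-1]:               # 'unit 0 {' nests as cur["unit"]["0"]
                node = node.setdefault(word, {})
            node[buf[-1]] = child = {}
            stack.append(cur)
            cur, buf = child, []
        elif tok == "}":
            cur = stack.pop()
        elif tok == ";":                        # leaf: first word is the key, rest is the value
            cur[buf[0]] = " ".join(buf[1:]) or True
            buf = []
        else:
            buf.append(tok)
    return root

def lint_ipsec(cfg):
    """Return findings: inert ipsec-sa filter on fxp0, AH-only SA, obsolete algorithms."""
    out, sec = [], cfg.get("security", {})
    sa_filters = {n for n, f in cfg.get("firewall", {}).get("filter", {}).items()
                  if any(str(t.get("then", "")).startswith("ipsec-sa") for t in f.get("term", {}).values())}
    for unit in cfg.get("interfaces", {}).get("fxp0", {}).get("unit", {}).values():
        flt = unit.get("family", {}).get("inet", {}).get("filter", {}).get("input")
        if flt in sa_filters:                   # management port never forwards transit traffic
            out.append(f"fxp0: filter {flt} cannot steer traffic into the tunnel")
    for section in ("ipsec", "ike"):
        for name, prop in sec.get(section, {}).get("proposal", {}).items():
            if prop.get("protocol") == "ah":
                out.append(f"ipsec proposal {name}: AH only, payload is not encrypted")
            out += [f"{section} proposal {name}: {WEAK[v]} is obsolete" for v in prop.values() if v in WEAK]
    return out
```

Run `lint_ipsec(parse_junos(SAMPLE))` to see all five findings; move the filter to a transit PIC and switch the proposal to ESP with current algorithms and the list empties.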