[j-nsp] IPSec tunnels between Juniper and Cisco routers

YCK CT1 yckct1 at gmail.com
Wed Feb 15 00:17:14 EST 2006


Hello,

I have an IPsec tunnel set up between an M20 and a Cisco router. The M20
only has an ES PIC and no AS PIC.

R1---------------Juniper----------R2----------Cisco---------------R3
                             <-------------IPsec-------------->

From the Juniper Knowledge Base "PIC requirements for IPSec tunnels
between Juniper and Cisco routers (KB ID: KB2480)", it was stated that

"For IPSec tunnels established between a Juniper and a Cisco router,
datagram fragmentation by the Cisco happens after IPSEC encryption
(post-fragmentation). On Juniper routers, datagram fragmentation
happens before IPSec encryption (pre-fragmentation). The Encryption
Services (ES) PIC cannot reassemble fragmented IPSec packets.
Therefore fragmented packets from the Cisco will be discarded. In
contrast to that, the Adaptive Services (AS) PIC can reassemble such
post-fragmented packets from a Cisco. An AS-PIC must be used to
terminate IPSec tunnels between a Juniper and a Cisco if fragmentation
occurs."

Is there any workaround, other than installing the AS PIC? Is there
any way to make the Cisco do pre-fragmentation instead?