Fw: [j-nsp] IPSec tunnels between Juniper and Cisco routers

Alex alex.arseniev at gmail.com
Wed Feb 15 04:49:53 EST 2006

You may wish to try this and see if it helps
> ----- Original Message ----- 
> From: "YCK CT1" <yckct1 at gmail.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Wednesday, February 15, 2006 5:17 AM
> Subject: [j-nsp] IPSec tunnels between Juniper and Cisco routers
>> Hello,
>> I have IPsec tunnel setup between a M20 and a Cisco router. The M20
>> only has ES PIC and no AS PIC.
>> R1---------------Juniper----------R2----------Cisco---------------R3
>>                             <-------------IPsec-------------->
>> From the Juniper Knowledge Base "PIC requirements for IPSec tunnels
>> between Juniper and Cisco routers (KB ID: KB2480)", it was stated that
>> "For IPSec tunnels established between a Juniper and a Cisco router,
>> datagram fragmentation by the Cisco happens after IPSEC encryption
>> (post-fragmentation). On Juniper routers, datagram fragmentation
>> happens before IPSec encryption (pre-fragmentation). The Encryption
>> Services (ES) PIC cannot reassemble fragmented IPSec packets.
>> Therefore fragmented packets from the Cisco will be discarded. In
>> contrast to that, the Adaptive Services (AS) PIC can reassemble such
>> post-fragmented packets from a Cisco. An AS-PIC must be used to
>> terminate IPSec tunnels between a Juniper and a Cisco if fragmentation
>> occurs."
>> Is there any workaround, other than installing the AS PIC? Is there
>> any way to make the Cisco do pre-fragmentation instead?
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> http://puck.nether.net/mailman/listinfo/juniper-nsp
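
The pre- versus post-fragmentation difference quoted from the KB article, worked through with packet sizes. This is an added example, not part of either message and not Juniper or Cisco code. It assumes ESP tunnel mode with 3DES-CBC and HMAC-SHA1-96, IPv4 headers without options, a 1500-byte MTU, and a cleared DF bit.

```python
IP_HDR = 20    # IPv4 header without options (assumption)
ESP_HDR = 8    # SPI + sequence number

def esp_tunnel_len(inner_len, iv=8, block=8, icv=12):
    """Outer IPv4 packet size for an inner packet carried in ESP tunnel mode.
    Defaults are the assumed 3DES-CBC (8-byte IV and block) and HMAC-SHA1-96."""
    # Inner packet plus the 2-byte ESP trailer, padded up to the cipher block size.
    padded = -(-(inner_len + 2) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + icv

def max_inner_len(mtu, iv=8, block=8, icv=12):
    """Largest inner packet whose ESP packet still fits in the MTU."""
    room = (mtu - IP_HDR - ESP_HDR - iv - icv) // block * block
    return room - 2

def ip_fragment(packet_len, mtu):
    """Sizes of the IPv4 fragments produced for packet_len on a link with this MTU."""
    if packet_len <= mtu:
        return [packet_len]
    per_frag = (mtu - IP_HDR) // 8 * 8   # fragment offsets count 8-byte units
    payload = packet_len - IP_HDR
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IP_HDR + chunk)
        payload -= chunk
    return sizes

def post_fragmentation(inner_len, mtu=1500):
    """Encrypt first, then fragment the ESP packet (the Cisco behaviour in the KB text).
    More than one element means the peer must reassemble before it can decrypt."""
    return ip_fragment(esp_tunnel_len(inner_len), mtu)

def pre_fragmentation(inner_len, mtu=1500):
    """Fragment the cleartext first, then encrypt each piece (the Juniper behaviour).
    Every element is a complete ESP packet that decrypts on its own."""
    return [esp_tunnel_len(f) for f in ip_fragment(inner_len, max_inner_len(mtu))]

if __name__ == "__main__":
    for size in (1400, 1446, 1447, 1500):   # constructed sample packet sizes
        print(size, "post:", post_fragmentation(size), "pre:", pre_fragmentation(size))
```

With these assumptions, any inner packet larger than 1446 bytes leaves a post-fragmenting peer as two IP fragments of one ESP packet, which is the case the ES PIC discards.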
