[j-nsp] IPSec tunnels between Juniper and Cisco routers

Alex alex.arseniev at gmail.com
Wed Feb 15 07:05:45 EST 2006


You may wish to try this and see if it helps
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftprefrg.htm
HTH
Cheers
Alex


> ----- Original Message ----- 
> From: "YCK CT1" <yckct1 at gmail.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Wednesday, February 15, 2006 5:17 AM
> Subject: [j-nsp] IPSec tunnels between Juniper and Cisco routers
>
>
>> Hello,
>>
>> I have an IPsec tunnel set up between an M20 and a Cisco router. The M20
>> only has an ES PIC and no AS PIC.
>>
>> R1---------------Juniper----------R2----------Cisco---------------R3
>>                             <-------------IPsec-------------->
>>
>> From the Juniper Knowledge Base "PIC requirements for IPSec tunnels
>> between Juniper and Cisco routers (KB ID: KB2480)", it was stated that
>>
>> "For IPSec tunnels established between a Juniper and a Cisco router,
>> datagram fragmentation by the Cisco happens after IPSEC encryption
>> (post-fragmentation). On Juniper routers, datagram fragmentation
>> happens before IPSec encryption (pre-fragmentation). The Encryption
>> Services (ES) PIC cannot reassemble fragmented IPSec packets.
>> Therefore fragmented packets from the Cisco will be discarded. In
>> contrast to that, the Adaptive Services (AS) PIC can reassemble such
>> post-fragmented packets from a Cisco. An AS-PIC must be used to
>> terminate IPSec tunnels between a Juniper and a Cisco if fragmentation
>> occurs."
>>
>> Is there any workaround, other than installing the AS PIC? Is there
>> any way to make the Cisco do pre-fragmentation instead?
> 
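Added example, not part of the original thread: a small Python model of the two fragmentation orders described in the quoted KB text, showing the packet sizes the far end receives in each case. The transform (ESP tunnel mode, 3DES-CBC, HMAC-SHA1-96), the 1500-byte MTU and all function names are assumptions for illustration.

```python
# Added illustration. Assumed transform: ESP tunnel mode, 3DES-CBC
# (8-byte block and IV) with HMAC-SHA1-96 (12-byte ICV), IPv4, no NAT-T.
IP_HDR = 20
ESP_HDR = 8   # SPI + sequence number

def esp_tunnel_size(inner_len, block=8, iv=8, icv=12):
    """Outer IPv4 packet size after ESP tunnel-mode encapsulation."""
    padded = -(-(inner_len + 2) // block) * block  # +2: pad length, next header
    return IP_HDR + ESP_HDR + iv + padded + icv

def ip_fragment(total_len, mtu):
    """Sizes of the IPv4 fragments of one packet on a link with this MTU (DF clear)."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IP_HDR
    chunk = (mtu - IP_HDR) // 8 * 8   # non-final fragments carry multiples of 8 bytes
    sizes = []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(IP_HDR + take)
        payload -= take
    return sizes

def max_inner(mtu):
    """Largest cleartext packet whose ESP encapsulation still fits the MTU."""
    n = mtu
    while esp_tunnel_size(n) > mtu:
        n -= 1
    return n

def post_fragment(inner_len, mtu):
    """Encrypt first, then fragment the ESP packet (Cisco behaviour per the KB quote)."""
    return ip_fragment(esp_tunnel_size(inner_len), mtu)

def pre_fragment(inner_len, mtu):
    """Fragment the cleartext first, then encrypt each piece (Juniper behaviour)."""
    return [esp_tunnel_size(f) for f in ip_fragment(inner_len, max_inner(mtu))]

if __name__ == "__main__":
    for size in (1400, 1500):
        print(size, "post:", post_fragment(size, 1500), "pre:", pre_fragment(size, 1500))
```

For a 1500-byte inner packet the post-fragmentation result is two IP fragments of one ESP packet, which the receiver has to reassemble before it can decrypt, while the pre-fragmentation result is two complete ESP packets that each fit the MTU.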