[j-nsp] J4300 ipsec to C vendor

Jason LeBlanc jml at packetpimp.org
Thu Feb 23 13:51:31 EST 2006

I am trying to configure a J4300 as the ipsec vpn hub between 100+ C
vendor routers and have found that the ipsec vpn config differs from M
class Juniper routers.  I greatly prefer the M class method but the J
class was what fit the budget.  The plan was gre over ipsec so that ospf
would work.  I have had great success with ospf and gre to all sorts of
C vendor platforms, but now encryption is a requirement and I'm beating
my head on this one.

Has anyone tried this (C to J4300 ipsec/gre) with any success?  The
documentation is a little lacking out on the net.  I can get the SA to
establish, but I can't seem to get the tunnel to recognize any packets
as ipsec; they both complain the packets are not encrypted.  I've been
working with very basic filters just to get this to work (/32 loopbacks
both ways).

I really don't need the power M class offers, this is hundreds of
~20kbps tunnels with a max throughput of ~2mb/s without much growth in
the near future.  I may have to talk the powers into an M7i or revert
back to some C vendor platform if I can't find a manageable way to do
this.  Hopefully someone out there has gotten this to work without a
1000 line config.  The C vendor DMVPN solution looks good for this; I
figured a dynamic vpn config on a Juniper would be pretty similar.

--
I abhor a system designed for the "user", if that word is a coded
pejorative meaning "stupid and unsophisticated". -- Ken Thompson
If you ask the wrong questions, you get answers like "42" and "God".
Unix is user friendly. However, it isn't idiot friendly.
The box said, "Requires Windows 98 or better," so I installed Linux.
Chuck Norris can divide by zero.