[j-nsp] J4300 ipsec to C vendor
Harshit Kumar
harshit at juniper.net
Sat Mar 4 16:24:35 EST 2006
Jason,
Config for IPSec/GRE on J-series should be exactly
the same as ASP PIC on M-series. We have some documentation
on setting up IPSec tunnels using ASP PIC and running ospf
over the ipsec tunnel (without GRE tunnel, this won't
work with cisco though :( ). What kind of service-set are you
using? How are you directing the packets to the tunnel?
http://www.juniper.net/techpubs/software/junos/junos75/feature-guide-75/html/fg-ipsec58.html#1029565
Also:
http://www.juniper.net/techpubs/software/junos/junos75/swconfig75-services/frameset.htm
thx
harshit
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Jason LeBlanc
> Sent: Thursday, February 23, 2006 10:52 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] J4300 ipsec to C vendor
>
> All,
>
> I am trying to configure a J4300 as the ipsec vpn hub between 100+ C
> vendor routers and have found that the ipsec vpn config differs from M
> class Juniper routers. I greatly prefer the M class method but the J
> class was what fit the budget. The plan was gre over ipsec so that ospf
> would work. I have had great success with ospf and gre to all sorts of
> C vendor platforms, but now encryption is a requirement and I'm beating
> my head on this one.
>
> Has anyone tried this (C to J4300 ipsec/gre) with any success? The
> documentation is a little lacking out on the net. I can get the SA to
> establish, but I can't seem to get the tunnel to recognize any packets
> as ipsec, they both complain the packets are not encrypted. I've been
> working with very basic filters just to get this to work (/32 loopbacks
> both ways).
>
> I really don't need the power M class offers, this is hundreds of
> ~20kbps tunnels with a max throughput of ~2mb/s without much growth in
> the near future. I may have to talk the powers into a M7i or revert
> back to some C vendor platform if I can't find a manageable way to do
> this. Hopefully someone out there has gotten this to work without a
> 1000 line config. The C vendor DMVPN solution looks good for this, I
> figured a dynamic vpn config on a Juniper would be pretty similar.
>
>
>
> - --
> I abhor a system designed for the "user", if that word is a coded
> pejorative meaning "stupid and unsophisticated". -- Ken Thompson
> If you ask the wrong questions, you get answers like "42" and "God".
> Unix is user friendly. However, it isn't idiot friendly.
> The box said, "Requires Windows 98 or better," so I installed Linux.
> Chuck Norris can divide by zero.