[j-nsp] J4300 ipsec to C vendor

Jason LeBlanc jml at packetpimp.org
Tue Mar 7 10:43:18 EST 2006


I've opened a case with JTAC; hopefully they can help me resolve my 
confusion. 

I had actually looked at the link you sent, which didn't work for me.  I 
got the SA to establish after tinkering with the isakmp proposals, but 
couldn't get packets to use the tunnel correctly.  I was using an acl on 
the C side and next-hop on the J side.  Each side saw the other as non-
ipsec.  I may start from scratch again and see if I get better results; 
I changed the configs so many times while experimenting.

I also saw the J class example docs using nat to send packets over the 
tunnel (the web gui ipsec config does this also), which confused me even 
more since this was completely unlike the C config.  I was really hoping 
to find a good example out in the googleable world but couldn't find 
much.  My Juniper experience is pretty limited; I've never done ipsec 
with them, which is throwing me a learning curve.

I really need the GRE for OSPF to the C spoke routers.  I may have to 
terminate my tunnels on a C router with DMVPN and let the J4300s handle 
edge duties.  I've already gotten this working and will use it as my 
backup plan.

Harshit Kumar wrote:
> Jason,
>        Config for IPSec/GRE on J-series should be exactly the
> same as ASP PIC on M-series. We have some documentation
> on setting up IPSec tunnels using ASP PIC and running ospf
> over the ipsec tunnel (without GRE tunnel, this won't 
> work with Cisco though :( ). What kind of service-set are you
> using? How are you directing the packets to the tunnel?
>
> http://www.juniper.net/techpubs/software/junos/junos75/feature-guide-75/html/fg-ipsec58.html#1029565
>
> Also:
>
> http://www.juniper.net/techpubs/software/junos/junos75/swconfig75-services/frameset.htm
>
> thx
> harshit
>
>> -----Original Message-----
>> From: juniper-nsp-bounces at puck.nether.net 
>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of 
>> Jason LeBlanc
>> Sent: Thursday, February 23, 2006 10:52 AM
>> To: juniper-nsp at puck.nether.net
>> Subject: [j-nsp] J4300 ipsec to C vendor
>>
>> All,
>>
>> I am trying to configure a J4300 as the ipsec vpn hub between 100+ C
>> vendor routers and have found that the ipsec vpn config differs from M
>> class Juniper routers.  I greatly prefer the M class method but the J
>> class was what fit the budget.  The plan was gre over ipsec so that ospf
>> would work.  I have had great success with ospf and gre to all sorts of
>> C vendor platforms, but now encryption is a requirement and I'm beating
>> my head on this one.
>>
>> Has anyone tried this (C to J4300 ipsec/gre) with any success?  The
>> documentation is a little lacking out on the net.  I can get the SA to
>> establish, but I can't seem to get the tunnel to recognize any packets
>> as ipsec; they both complain the packets are not encrypted.  I've been
>> working with very basic filters just to get this to work (/32 loopbacks
>> both ways).
>>
>> I really don't need the power M class offers; this is hundreds of
>> ~20kbps tunnels with a max throughput of ~2mb/s without much growth in
>> the near future.  I may have to talk the powers into an M7i or revert
>> back to some C vendor platform if I can't find a manageable way to do
>> this.  Hopefully someone out there has gotten this to work without a
>> 1000 line config.  The C vendor DMVPN solution looks good for this, I
>> figured a dynamic vpn config on a Juniper would be pretty similar.
>>
>>
>>
>> -- 
>> I abhor a system designed for the "user", if that word is a coded
>> pejorative meaning "stupid and unsophisticated". -- Ken Thompson
>> If you ask the wrong questions, you get answers like "42" and "God".
>> Unix is user friendly. However, it isn't idiot friendly.
>> The box said, "Requires Windows 98 or better," so I installed Linux.
>> Chuck Norris can divide by zero.