[j-nsp] IPSEC Encrypting multicast-traffic with M10i+AS/MS-pic.

Sami Keski-Kasari sami.keskikasari at gmail.com
Fri Oct 31 10:20:22 EDT 2008


Hi all,

Has anyone succeeded in encrypting multicast traffic with IPSEC?
I have an M10 with an MS-pic and my setup is:

sender------SSG320M------M10------SSG550M----Listener
In the M10 I have the outside domain interfaces in inet.0 and the inside domain in
a routing-instance whose type is virtual-router.

Everything works fine if I have ipsec between SSG320M----M10 and SSG550M is
connected directly with GigabitEthernet without encryption.

But if I have encryption between M10---SSG550M, any application's multicast
traffic is not working; OSPF and PIM are working fine.
It doesn't matter if there is encryption between SSG320 and M10 or not.
The result is always the same.
PIM signalling is working fine in that case and the multicast routing table
looks correct. Traffic counters show that traffic comes from SSG320, and
traffic counters are increasing on the inside domain interface (it sees it as
output traffic) pointing to SSG550. But encryption counters and outside
domain interface counters are not increasing. So it seems that the MS-pic is
dropping the traffic before encryption.

I have allow-multicast configured in rule-set so it shouldn't be the case
either.

I have tried with JUNOS 9.1R3.5, 9.2R2.18 and also with AS-pic but the
result is still the same.

Does anyone have any hint?

Thanks,
 Sami

