[j-nsp] Juniper IPSEC VPN

Kerry Milestone km4 at sanger.ac.uk
Thu May 6 10:31:55 EDT 2010


Hi,

I battered my head on this one... Turns out, to get our VPN stable, even though the Checkpoint's P2 proposal was set to
"Group 2", set the P2 proposal on the Juniper to "NO PFS" instead of "DH GROUP2".

I have done this, so our P2 proposal is now NOPFS -aes etc...   and it worked...

Not sure if this is a bug or a feature, but was the only way I got the VPN to work between vendors.  For us, PFS just 
didn't work.  You may see this error on the checkpoint > Information: encryption failure: Unknown SPI: 0xaeb72e99 for 
IPsec packet   and something similar on the juniper.

Might be worth a shot.

Regards,
Kerry.




On 03/05/10 22:26, Nick Ryce wrote:
> After some further testing it looks like the juniper keeps re-establishing the tunnel every 10-20 seconds or so.
>
> Does anyone have real world experience of getting a j2320 ipsec tunnel working with an ASA5510?
>
> Nick
>
> From: Nicholas Oas [mailto:nicholas.oas at gmail.com]
> Sent: 30 April 2010 13:03
> To: Nick Ryce
> Subject: Re: [j-nsp] Juniper IPSEC VPN
>


-- 
--------------------------------------
.- Kerry Milestone                  -.
.- Senior Systems Administrator     -.
.- Networks Team                    -.
.- Wellcome Trust Sanger Institute  -.
.-                                  -.
.- http://www.sanger.ac.uk          -.
.- +44 (0)1223 492320               -.
--------------------------------------

