[j-nsp] Juniper IPSEC VPN

Nick Ryce Nick.Ryce at lumison.net
Thu May 6 11:17:36 EDT 2010


Hi Guys,

Literally just got it working.

Turns out for Cisco to Juniper IPsec tunnels you have to use policy-based VPN and also reference each remote LAN > local LAN individually rather than as a group.  All working now though.  Thanks for the help.

Also turned PFS on/off which didn't seem to make a difference.

Nick

-----Original Message-----
From: Kerry Milestone [mailto:km4 at sanger.ac.uk]
Sent: 06 May 2010 15:32
To: Nick Ryce
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Juniper IPSEC VPN

Hi,

I battered my head on this one...  Turns out, to get our VPN stable, even though the Checkpoint's P2 proposal was set to "Group 2", set the P2 proposal on the Juniper to "NO PFS" instead of "DH GROUP2".

I have done this, so our P2 proposal is now NOPFS -aes etc...   and it worked...

Not sure if this is a bug or a feature, but it was the only way I got the VPN to work between vendors.  For us, PFS just didn't work.  You may see this error on the Checkpoint:

Information: encryption failure: Unknown SPI: 0xaeb72e99 for IPsec packet

and something similar on the Juniper.

Might be worth a shot.

Regards,
Kerry.




On 03/05/10 22:26, Nick Ryce wrote:
> After some further testing it looks like the juniper keeps re-establishing the tunnel every 10-20 seconds or so.
>
> Does anyone have real world experience of getting a j2320 ipsec tunnel working with an ASA5510?
>
> Nick
>
> From: Nicholas Oas [mailto:nicholas.oas at gmail.com]
> Sent: 30 April 2010 13:03
> To: Nick Ryce
> Subject: Re: [j-nsp] Juniper IPSEC VPN
>


--
--------------------------------------
.- Kerry Milestone                  -.
.- Senior Systems Administrator     -.
.- Networks Team                    -.
.- Wellcome Trust Sanger Institute  -.
.-                                  -.
.- http://www.sanger.ac.uk          -.
.- +44 (0)1223 492320               -.
--------------------------------------


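The fix reported at the top of this thread (one policy per remote LAN > local LAN pair rather than a group) can be checked offline before a change window. The following is an added example, not code from any poster on the list: it assumes each ASA crypto ACL line and each Juniper tunnel policy yields exactly one Phase 2 selector pair, and the ACL name, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: ASA crypto ACL, one line per ASA-local > ASA-remote LAN pair.
ASA_CRYPTO_ACL = """\
access-list VPN-TO-JUNIPER extended permit ip 10.10.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list VPN-TO-JUNIPER extended permit ip 10.10.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list VPN-TO-JUNIPER extended permit ip 10.10.1.0 255.255.255.0 192.168.60.0 255.255.255.0
"""

# Constructed sample: Juniper tunnel policies as (juniper_local, juniper_remote).
# A list stands for an address group used in the policy match.
JUNIPER_POLICIES = [
    ("192.168.50.0/24", "10.10.1.0/24"),
    (["192.168.50.0/24", "192.168.60.0/24"], "10.10.2.0/24"),
]

def _take_net(tokens):
    """Consume one ASA address spec: 'host A' or 'NET MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_asa_acl(text):
    """Return {(asa_local, asa_remote)} from 'permit ip' crypto ACL lines."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or "permit" not in tok:
            continue
        rest = tok[tok.index("permit") + 2:]  # skip 'permit' and the protocol
        src, rest = _take_net(rest)
        dst, _ = _take_net(rest)
        pairs.add((src, dst))
    return pairs

def check_juniper(policies, asa_pairs):
    """Compare Juniper tunnel policies against the ASA selector pairs."""
    grouped, selectors = [], set()
    for local, remote in policies:
        if isinstance(local, list) or isinstance(remote, list):
            grouped.append((local, remote))  # a group is not one LAN pair
            continue
        # Mirror the pair: the Juniper's local LAN is the ASA's remote LAN.
        selectors.add((ipaddress.ip_network(remote), ipaddress.ip_network(local)))
    return {"grouped": grouped,
            "missing_on_juniper": sorted(asa_pairs - selectors),
            "unmatched_on_juniper": sorted(selectors - asa_pairs)}

if __name__ == "__main__":
    print(check_juniper(JUNIPER_POLICIES, parse_asa_acl(ASA_CRYPTO_ACL)))
```

Policies listed under `grouped` are the ones to split into individual pairs; `missing_on_juniper` lists ASA pairs that have no matching individual policy on the Juniper side.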