[j-nsp] IPSec Tunnel between Remote office and main Office

Muhammad Atif Jauhar atif.jauhar at gmail.com
Tue Feb 19 05:25:47 EST 2013


Hi,

One of our clients currently has the topology below to connect all remote
sites to the main office.

    Remote Site-1 (SRX240) ----------E1---------- Router ----------GE---------- Main Office (SRX650)
               |
               |
               |
    Remote Site-x (SRX240) ----------E1----------

The other parts of the configuration are as follows:

1. All devices run RIP, because the router is very old and needs an extra
   support license for OSPF.
2. A route-based IPSec tunnel is configured between each remote-site SRX240
   and the SRX650.
3. All E1 links on the remote side and the GE link on the SRX650 are in the
   Untrust zone.
4. All st interfaces are in the VPN zone; LAN interfaces are in the Trust
   zone.
5. Policies are allowed between different sources and destinations between
   the VPN and Trust zones.
6. Traffic is denied between Untrust and the VPN/Trust zones.

The client wants to remove the router from the topology and connect the E1
links to the SRX650.

We have performed the following steps to migrate one link for testing:

1. Remove the E1 link from the router and connect it to the SRX650.
2. Put the above E1 link in RIP and in the Untrust zone.
3. Put a routing policy on the E1 link in RIP to stop learning Trust subnets
   from the E1 link, so that those routes are learned only from the st link.
   Only the GE interface IP is learned from the E1 link.
4. We didn't change any VPN configuration on either side; the IPSec tunnel
   comes up and traffic is passing.
   The external interface in the VPN configuration on the SRX650 is still
   the GE interface.
   The VPN IKE gateway on the remote site is still the GE interface IP on
   the SRX650.

We observe the following:

1. When we access the remote firewall, the session sometimes hangs and the
   output of any command is displayed slowly.
2. When we access the remote firewall directly from the main office SRX, the
   session hangs completely once we enter a command with larger output, such
   as request support information or show configuration.
3. If we access the other remote firewalls the same way as in step 2, there
   is no issue.

Kindly let us know whether there is any issue if we have a directly connected
link but establish the IPSec tunnel with another interface IP, such as the GE
interface on the SRX650. The IKE gateway on the SRX650 for the remote firewall
is the E1 link interface. That is, on the remote firewall the IKE gateway is
the GE interface of the SRX650, and on the SRX650 the IKE gateway is the E1
link of the remote firewall.

Is there any way to troubleshoot the session hanging and slowness?
Regards,

Muhammad Atif Jauhar
(+966-56-00-04-985)
