[j-nsp] IPSec Tunnel between Remote office and main Office

Alex Arseniev alex.arseniev at gmail.com
Tue Feb 19 07:03:27 EST 2013


http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-41894.html

set security flow tcp-mss ipsec-vpn mss 1300

- should fix it.
Thanks
Alex
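The hang on large outputs is the classic IPsec MTU problem: once ESP encapsulation pushes a full-size TCP segment past the 1500-byte link MTU it has to be fragmented or, with DF set and ICMP blocked by the Untrust-to-VPN deny policy, silently dropped. The following Python script is an added example, not part of this thread, that models ESP tunnel-mode overhead and shows why an MSS of 1300 leaves headroom; the AES-CBC/HMAC-SHA1-96 sizes and the no-NAT-T assumption are illustrative, not taken from the poster's configuration.

```python
# Added example: ESP tunnel-mode size model for an IPv4 TCP segment.
# Transform sizes (AES-CBC 16-byte block/IV, HMAC-SHA1-96 12-byte ICV) are
# assumed for illustration; adjust them to match the actual IPsec proposal.

IPV4_HDR = 20
TCP_HDR = 20          # no TCP options on an established connection
ESP_HDR = 8           # SPI + sequence number
ESP_TRAILER = 2       # pad length + next header
NAT_T_UDP = 8         # only present when NAT traversal wraps ESP in UDP


def esp_tunnel_size(mss, block_size=16, iv_len=16, icv_len=12, nat_t=False):
    """On-wire size of one full-MSS TCP segment after ESP tunnel-mode
    encapsulation (outer IP + [UDP] + ESP + IV + padded payload + ICV)."""
    inner = IPV4_HDR + TCP_HDR + mss            # original IP packet
    payload = inner + ESP_TRAILER               # padded up to block_size
    padded = -(-payload // block_size) * block_size
    return (IPV4_HDR + (NAT_T_UDP if nat_t else 0)
            + ESP_HDR + iv_len + padded + icv_len)


def headroom(mss, mtu=1500, **esp):
    """Bytes to spare under the link MTU; negative means the ESP packet
    must be fragmented or, with DF set, dropped (PMTUD black hole)."""
    return mtu - esp_tunnel_size(mss, **esp)


def max_mss_for_mtu(mtu, **esp):
    """Largest MSS whose encapsulated segment still fits in mtu."""
    mss = mtu
    while mss > 0 and esp_tunnel_size(mss, **esp) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1300):       # default Ethernet MSS vs. the clamped value
        print(f"MSS {mss}: ESP packet {esp_tunnel_size(mss)} bytes, "
              f"headroom {headroom(mss)}")
    print("largest safe MSS for a 1500-byte MTU:", max_mss_for_mtu(1500))
```

The unclamped 1460-byte MSS yields a 1560-byte ESP packet (60 bytes too big), which is exactly the case where small interactive commands work and a `show configuration` stalls.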

----- Original Message ----- 
From: "Muhammad Atif Jauhar" <atif.jauhar at gmail.com>
To: <juniper-nsp at puck.nether.net>
Sent: Tuesday, February 19, 2013 3:25 PM
Subject: Re: [j-nsp] IPSec Tunnel between Remote office and main Office


> Hi,
>
> One of our clients currently has the below topology to connect all remote sites
> to the main office.
>
> Remote Site-1(SRX240) ----------E1---------- Router ----------GE---------- Main Office (SRX 650)
>                                                |
>                                                |
>                                                |
> Remote Site-x(SRX240) ----------E1-------------
>
> Following are other parts of the configuration:
>
> 1. All devices are running RIP because the Router is very old and needs an extra
> support license for OSPF.
> 2. A route-based IPSec tunnel is configured between both remote site SRX240s
> and the SRX650.
> 3. All E1 links on the remote side and the GE link to the SRX650 are in the Untrust
> Zone.
> 4. All st interfaces are in the VPN Zone, LAN interfaces are in the Trust Zone.
> 5. Policies are allowed between different sources and destinations between the
> VPN and Trust Zones.
> 6. Traffic is denied between Untrust and VPN/Trust Zones.
>
> The client wants to remove the Router from the topology and connect the E1 links
> to the SRX650.
>
> We have performed the following steps to migrate one link for testing:
>
> 1. Remove the E1 link from the router and connect it to the SRX650.
> 2. Put the above E1 link in RIP and the Untrust Zone.
> 3. Put routing policies on the E1 link in RIP to stop learning Trust subnets
> from the E1 link, so that routes are only learned from the st link. Only the GE
> interface IP is learned from the E1 link.
> 4. We didn't change any VPN configuration on either side; the IPSec tunnel
> comes up and traffic is passing.
>            The external interface in the VPN configuration on the SRX650 is still the GE
> interface.
>            The VPN IKE Gateway on the remote site is the same GE interface IP on the
> SRX650.
>
> We observe the following:
>
> 1. When we access the remote firewall, the session sometimes hangs and the output
> of any command is displayed slowly.
>
>>
> 2. When we access the remote firewall directly from the main office SRX, the
> session hangs completely once we enter a command with bigger output like
> request support information or show configuration etc.
> 3. If we access other remote firewalls the same way as in step 2 there is
> no issue.
>
> Kindly let us know whether there is any issue if we have a directly connected link
> but are establishing the IPSec tunnel with another interface IP, like the GE
> interface on the SRX650. The IKE Gateway on the SRX650 for the remote firewall is
> the same E1 link interface. This means on the remote firewall the IKE gateway is
> the GE interface of the SRX650 and on the SRX650 the IKE Gateway is the E1 link
> of the remote firewall.
>
> Is there any way to troubleshoot the session hanging and slowness?
> Regards,
>
> Muhammad Atif Jauhar
> (+966-56-00-04-985)
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 