[j-nsp] IPSec Tunnel between Remote office and main Office

Muhammad Atif Jauhar atif.jauhar at gmail.com
Tue Feb 19 09:31:21 EST 2013


Hi Alex,

It's already configured with value 1350.

Regards,
Atif.

On Tue, Feb 19, 2013 at 8:03 PM, Alex Arseniev <alex.arseniev at gmail.com> wrote:

> http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-41894.html
>
> set security flow tcp-mss ipsec-vpn mss 1300
>
> - should fix it.
> Thanks
> Alex
>
> ----- Original Message ----- From: "Muhammad Atif Jauhar" <atif.jauhar at gmail.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Tuesday, February 19, 2013 3:25 PM
> Subject: Re: [j-nsp] IPSec Tunnel between Remote office and main Office
>
>
>> Hi,
>>
>> One of our clients currently has the topology below to connect all remote sites
>> to the main office.
>>
>> Remote Site-1(SRX240) ----------------------E1----------------- Router --------------GE----------------- Main Office (SRX 650)
>>            |
>>            |
>>            |
>> Remote Site-x(SRX240) ----------------------E1------------------
>>>
>> The following are other parts of the configuration:
>>
>> 1. All devices run RIP because the Router is very old and needs an extra
>> support license for OSPF.
>> 2. A route-based IPSec tunnel is configured between each remote-site SRX240
>> and the SRX650.
>> 3. All E1 links on the remote side and the Ge link between the Router and the
>> SRX650 are in the Untrust zone.
>> 4. All st interfaces are in the VPN zone; LAN interfaces are in the Trust zone.
>> 5. Policies are allowed between different sources and destinations between the
>> VPN and Trust zones.
>> 6. Traffic is denied between the Untrust and VPN/Trust zones.
>>>
>> The client wants to remove the Router from the topology and connect the E1 links
>> to the SRX650.
>>
>> We have performed the following steps to migrate one link for testing:
>>
>> 1. Removed the E1 link from the router and connected it to the SRX650.
>> 2. Put the above E1 link in RIP and the Untrust zone.
>> 3. Put routing policies on the E1 link in RIP to stop learning Trust subnets
>> from the E1 link, so that routes are only learned from the st link. Only the Ge
>> interface IP is learned from the E1 link.
>> 4. We didn't change any VPN configuration on either side; the IPSec tunnel
>> comes up and traffic is also passing.
>>            The external interface in the VPN configuration on SRX650 is still the Ge
>> interface.
>>            The VPN IKE gateway on the remote site is still the same Ge interface IP on
>> SRX650.
>>>
>> We observe the following:
>>
>> 1. When we access the remote firewall, the session sometimes hangs and the
>> output of any command is displayed slowly.
>> 2. When we access the remote firewall directly from the main office SRX, the
>> session hangs completely once we issue a command with bigger output like
>> request support information or show configuration etc.
>> 3. If we access the other remote firewalls the same way as in step 2, there is
>> no issue.
>>
>> Kindly let us know if there is any issue when we have a directly connected link
>> but are establishing the IPSec tunnel with another interface IP, like the Ge
>> interface on SRX650. The IKE gateway on SRX650 for the remote firewall is the same E1
>> link interface. That means on the remote firewall the IKE gateway is the Ge interface of
>> SRX650, and on SRX650 the IKE gateway is the E1 link of the remote firewall.
>>
>> Is there any way to troubleshoot the session hanging and slowness?
>> Regards,
>>
>> Muhammad Atif Jauhar
>> (+966-56-00-04-985)
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>


-- 
Regards,

Muhammad Atif Jauhar
(+966-56-00-04-985)
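Added note and example (not from the thread, and not Juniper's code): the symptom pattern in the thread, where short interactive output works but large output such as `show configuration` or `request support information` hangs the session, is the classic sign of TCP segments that become too large once ESP tunnel-mode encapsulation is added, which is why Alex points at the `set security flow tcp-mss ipsec-vpn mss` knob. The script below computes the on-the-wire size of a tunnel-mode ESP packet for a given MSS and the largest MSS that still fits a given path MTU, so the clamp value can be chosen from the numbers rather than guessed. It uses the RFC 4303 ESP layout; the cipher, ICV and MTU values are assumptions for illustration, since the thread does not state which IKE/IPsec proposals or link MTUs are in use.

```python
"""
Tunnel-mode ESP size calculator (added example; sizes per RFC 4303).

Assumed sizes (the thread does not state the proposals in use):
  outer IPv4 header        20  (no options)
  NAT-T UDP header          8  (only when nat_t=True)
  ESP header (SPI + seq)    8
  IV                       16 for AES-CBC, 8 for 3DES-CBC
  padding                  up to the cipher block size, over payload + trailer
  ESP trailer               2  (pad length, next header)
  ICV                      12 for HMAC-SHA1-96 / HMAC-MD5-96
"""

# Inner IPv4 + TCP headers without options (assumption: no TCP options).
INNER_HEADERS = 20 + 20

# cipher name -> (IV length, block size); assumption: CBC-mode ciphers.
CIPHERS = {
    "aes-cbc": (16, 16),
    "3des-cbc": (8, 8),
}


def esp_tunnel_size(mss, cipher="aes-cbc", icv_len=12, nat_t=False):
    """Bytes on the wire for one full-size TCP segment after ESP tunnel mode."""
    iv_len, block = CIPHERS[cipher]
    inner = INNER_HEADERS + mss           # cleartext IPv4/TCP packet
    to_pad = inner + 2                    # payload plus the 2-byte ESP trailer
    padded = -(-to_pad // block) * block  # round up to a block boundary
    outer = 20 + (8 if nat_t else 0) + 8 + iv_len + padded + icv_len
    return outer


def clamp_fits(mss, path_mtu, **kw):
    """True if a segment of this MSS never needs fragmentation on path_mtu."""
    return esp_tunnel_size(mss, **kw) <= path_mtu


def max_mss(path_mtu, **kw):
    """Largest MSS whose encapsulated packet still fits path_mtu."""
    mss = path_mtu - INNER_HEADERS        # start at the unencrypted maximum
    while not clamp_fits(mss, path_mtu, **kw):
        mss -= 1
    return mss


def tcp_mss_command(mss):
    """The Junos knob from the thread, with the chosen value filled in."""
    return f"set security flow tcp-mss ipsec-vpn mss {mss}"


if __name__ == "__main__":
    # Constructed scenario: 1500-byte path MTU, AES-CBC + HMAC-SHA1-96.
    for mss in (1460, 1350, 1300):
        print(mss, esp_tunnel_size(mss), "fits" if clamp_fits(mss, 1500) else "too big")
    print("max MSS, no NAT-T:", max_mss(1500))
    print("max MSS, NAT-T:   ", max_mss(1500, nat_t=True))
    print(tcp_mss_command(max_mss(1500, nat_t=True)))
```

With these assumptions a default 1460-byte MSS grows to 1560 bytes after encapsulation, which is over a 1500-byte MTU; the padding step is why the headroom is not simply "MTU minus headers". Both 1350 and 1300 fit comfortably for a 1500-byte path, so if 1350 is already set and large output still hangs, the next things to check are whether the real path MTU on the E1 side is smaller than assumed, and whether the clamp is actually being applied to the flows that traverse the tunnel.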

