Mailing List Archive

FW: VPN 3005 concentrator 3DES to Juniper M20 [7:70444]
I have sent this mail to the Cisco group too to get some insights..... would appreciate some feedback from you all too!

TIA
Bosco


-----Original Message-----
From: Bosco Sachanandani
Sent: Tuesday, June 10, 2003 2:21 PM
To: cisco@groupstudy.com
Subject: VPN 3005 concentrator 3DES to Juniper M20 [7:70444]


Hey Group

I have a Cisco 3005 series concentrator box configured to run between my
External router and Checkpoint firewall such that:

INTERNET Router -------> VPN 3005 --------> Checkpoint------LAN

This is one segment of my network. On another segment of the network I have
a Juniper M20 router with an encapsulation card that is connected to the
internet via a different ISP.

I have successfully established a 3DES IPSec tunnel between these two,
although I must admit that the freakin GUI interface of the VPN3005 sucks
big time and is confusing compared to the ultra cool Juniper CLI. It took me
a while to explore the damn hidden options in the GUI!

The problem is that although the tunnel is established, no data can pass
through it! From what I have heard from a reliable source, there is some
compatibility issue relating to the frame size and packet fragmentation when
it arrives at the Juniper interface. Juniper says that its routers are
designed for a high amount of Internet traffic and that packet fragmentation
is not something a gateway router should be bothered about. However, they
have suggested certain Cisco boxes like the 3662 that allow for packet
fragmentation and other such stuff....

Any of you guys wanna shed some light on this and tell me how I can make the
3005 talk to the M20??
Thanks a ton
Cheers
Bosco




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70444&t=70444
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse@groupstudy.com
FW: VPN 3005 concentrator 3DES to Juniper M20 [7:70444] [ In reply to ]
Hello Bosco,

First, ping across using small packet sizes, say 256 bytes. If it still
doesn't work, it won't be an MTU/fragmentation issue.

Set traceoptions on the Juniper and send us some output - including the
initial IPSec negotiations, as well as when you're trying to
send/receive the aforementioned pings.


Regards,
Lars Higham

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
FW: VPN 3005 concentrator 3DES to Juniper M20 [7:70444] [ In reply to ]
Hi Group

Thanks Lars and Tony for the feedback.

Just a couple of insights:
The tunnel status between both the boxes is up, i.e. the IKE as well as the IPsec part. In fact, when I established connectivity for the first time between the two, I was able to telnet and ftp (login only) from a host behind the Juniper to a host behind the VPN concentrator. Hence, as Lars suggested below, I do not think it's got anything to do with IKE/IPSec negotiation. Also, there are no firewalls / ACLs defined in between.

The problem has definitely got to do something with reassembly of the ESP when it reaches the Juniper ES-PIC.

Well seems like there is a certain software upgrade possible on the Cisco Box, I have to get my hands on that one and test it out first, am planning to do so next week.

What I am seeking help from you guys about is whether there is a way of re-configuring something on the Juniper, or some software patch, that allows me to configure fragmentation and packet assembly? You see, most of our customers here are using a Cisco box; I can't keep telling them to upgrade to a higher IOS or Concentrator software version...... better try and change something from my side.

Thanks a ton for listening.

Cheers
Bosco

PS: Hey Tony! This Juniper installation has been done by EPA itself!! :) You can check it up with EPAHAHE..He has pointed out certain things for me to do here and check. Cheers!


FW: VPN 3005 concentrator 3DES to Juniper M20 [7:70444] [ In reply to ]
Hello Bosco,

Cisco's general answer to everything is to upgrade IOS/hardware so your
customers are probably used to hearing it - particularly when
implementing new features.


Regards,
Lars

FW: VPN 3005 concentrator 3DES to Juniper M20 [7:70444] [ In reply to ]
IOS 12.2.13T and above has been tested for interop with JUNOS ES PICs
and works just fine. I had issues with IOS versions below this.


-Julian

FW: VPN 3005 concentrator 3DES to Juniper M20 [7:70444] [ In reply to ]
AFAIK, there's nothing you can do in Juniper to support fragmentation..
maybe the new AS PIC will have the support.. hopefully.. Cisco's solution
on 12.2.13T is to prefragment.. but you're always gonna have a client who
doesn't want to or can't do that..



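The size arithmetic behind Lars's small-ping test and the "prefragment" approach mentioned above, as an added example that is not part of the thread and not Cisco or Juniper code. The ESP overhead values (3DES-CBC with a 96-bit HMAC ICV, 1500-byte outbound MTU) are assumptions, not figures taken from any of the posts.

```python
# Why a full-size cleartext packet stops fitting the link once wrapped in ESP
# tunnel mode, and what pre-encryption fragmentation changes: the cleartext is
# chopped so that every ciphertext datagram fits the MTU, so the receiving
# crypto engine never has to reassemble ESP fragments before decrypting (the
# step the thread blames for the silent drop). Overhead values are assumed.

OUTER_IP_HDR = 20   # outer IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
IV_3DES = 8         # 3DES-CBC IV is one cipher block
ESP_TRAILER = 2     # pad length (1) + next header (1)
ICV_HMAC96 = 12     # HMAC-MD5-96 / HMAC-SHA1-96 (assumed)
BLOCK_3DES = 8
INNER_IP_HDR = 20
ICMP_ECHO_HDR = 8


def esp_tunnel_size(inner_len):
    """On-the-wire size of an ESP tunnel-mode packet carrying an
    inner_len-byte IPv4 packet (inner header included)."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // BLOCK_3DES) * BLOCK_3DES   # round up to cipher block
    return OUTER_IP_HDR + ESP_HDR + IV_3DES + padded + ICV_HMAC96


def needs_post_fragmentation(inner_len, mtu=1500):
    """True when encrypting the packet as-is exceeds the outbound MTU: the
    ESP datagram itself is then fragmented in transit and the peer must
    reassemble it before it can authenticate and decrypt."""
    return esp_tunnel_size(inner_len) > mtu


def ping_verdict(data_bytes, mtu=1500):
    """Classify an ICMP echo carrying data_bytes of payload the way Lars's
    test does: 'fits' means the encrypted ping crosses the link whole."""
    inner = INNER_IP_HDR + ICMP_ECHO_HDR + data_bytes
    return "fragmented" if needs_post_fragmentation(inner, mtu) else "fits"


def max_inner_len(mtu=1500):
    """Largest inner IPv4 packet whose ESP encapsulation still fits in mtu."""
    n = mtu
    while esp_tunnel_size(n) > mtu:
        n -= 1
    return n


def prefragment(inner_len, mtu=1500):
    """Pre-encryption fragmentation: split a cleartext IPv4 packet into
    fragment sizes (inner header included) that each encrypt to <= mtu.
    Non-final fragment payloads are multiples of 8 bytes as IPv4 requires."""
    max_payload = ((max_inner_len(mtu) - INNER_IP_HDR) // 8) * 8
    remaining = inner_len - INNER_IP_HDR
    sizes = []
    while remaining > 0:
        chunk = min(max_payload, remaining)
        sizes.append(INNER_IP_HDR + chunk)
        remaining -= chunk
    return sizes


if __name__ == "__main__":
    # Constructed probe sizes: Lars's 256-byte ping and a full 1500-byte echo.
    for data in (256, 1472):
        inner = INNER_IP_HDR + ICMP_ECHO_HDR + data
        print(f"ping data {data}: inner {inner} -> ESP {esp_tunnel_size(inner)}"
              f" bytes, {ping_verdict(data)}")
    print("pre-fragmented 1500-byte packet:", prefragment(1500))
```

If the 256-byte ping passes and the full-size one does not, the tunnel keys and policy are fine and the problem is the post-encryption fragment path; chopping the cleartext to at most max_inner_len() bytes before encryption is what "prefragment" does.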