
List:       juniper-nsp
Subject:    Re: [j-nsp] IPSec tunnels between Juniper and Cisco routers
From:       "Alex" <alex.arseniev () gmail ! com>
Date:       2006-02-15 12:05:45
Message-ID: 000c01c63228$29226b40$6d001aac () jnpr ! net

You may wish to try this and see if it helps:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftprefrg.htm
HTH
Cheers
Alex


> ----- Original Message ----- 
> From: "YCK CT1" <yckct1@gmail.com>
> To: <juniper-nsp@puck.nether.net>
> Sent: Wednesday, February 15, 2006 5:17 AM
> Subject: [j-nsp] IPSec tunnels between Juniper and Cisco routers
>
>
>> Hello,
>>
>> I have an IPsec tunnel set up between an M20 and a Cisco router. The M20
>> only has an ES PIC and no AS PIC.
>>
>> R1---------------Juniper----------R2----------Cisco---------------R3
>>                             <-------------IPsec-------------->
>>
>> From the Juniper Knowledge Base "PIC requirements for IPSec tunnels
>> between Juniper and Cisco routers (KB ID: KB2480)", it was stated that
>>
>> "For IPSec tunnels established between a Juniper and a Cisco router,
>> datagram fragmentation by the Cisco happens after IPSEC encryption
>> (post-fragmentation). On Juniper routers, datagram fragmentation
>> happens before IPSec encryption (pre-fragmentation). The Encryption
>> Services (ES) PIC cannot reassemble fragmented IPSec packets.
>> Therefore fragmented packets from the Cisco will be discarded. In
>> contrast to that, the Adaptive Services (AS) PIC can reassemble such
>> post-fragmented packets from a Cisco. An AS-PIC must be used to
>> terminate IPSec tunnels between a Juniper and a Cisco if fragmentation
>> occurs."
>>
>> Is there any workaround, other than installing the AS PIC? Is there
>> any way to make the Cisco do pre-fragmentation instead?
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> http://puck.nether.net/mailman/listinfo/juniper-nsp
> 
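
To make the KB's pre- versus post-fragmentation distinction concrete, this added example (not from the thread or from either vendor) computes the on-wire packets each ordering produces. It assumes ESP tunnel mode with 3DES-CBC and HMAC-SHA1-96, IPv4 without options, a 1500-byte path MTU and an inner packet with DF clear; the function names are illustrative.

```python
# Added example: sizes assume ESP tunnel mode with 3DES-CBC and HMAC-SHA1-96
# (assumed transforms; the thread does not say which ones are in use).
IP_HDR = 20          # IPv4 header without options
ESP_HDR = 8          # SPI + sequence number

def esp_tunnel_size(inner_len, block=8, iv=8, icv=12):
    """On-wire length of one ESP tunnel-mode packet carrying inner_len bytes."""
    padded = -(-(inner_len + 2) // block) * block   # + pad-length, next-header
    return IP_HDR + ESP_HDR + iv + padded + icv

def ip_fragments(total_len, mtu):
    """Lengths of the IPv4 fragments of a total_len-byte packet on an MTU link."""
    if total_len <= mtu:
        return [total_len]
    data, step = total_len - IP_HDR, (mtu - IP_HDR) // 8 * 8
    sizes = []
    while data > 0:
        chunk = min(step, data)
        sizes.append(IP_HDR + chunk)
        data -= chunk
    return sizes

def max_inner(mtu, **esp):
    """Largest inner packet whose ESP encapsulation still fits in mtu."""
    n = mtu
    while esp_tunnel_size(n, **esp) > mtu:
        n -= 1
    return n

def compare(inner_len, mtu=1500, **esp):
    """Wire packets for post-fragmentation vs pre-fragmentation."""
    # Post: encrypt first, then fragment the ESP packet (needs reassembly
    # at the tunnel endpoint before it can be decrypted).
    post = ip_fragments(esp_tunnel_size(inner_len, **esp), mtu)
    # Pre: fragment the cleartext packet, then encrypt each fragment
    # as its own complete ESP packet.
    pre_inner = ip_fragments(inner_len, max_inner(mtu, **esp))
    pre = [esp_tunnel_size(n, **esp) for n in pre_inner]
    return {"post": post, "pre": pre,
            "receiver_must_reassemble_esp": len(post) > 1}

if __name__ == "__main__":
    for size in (1400, 1446, 1447, 1500):   # constructed inner packet sizes
        print(size, compare(size))
```

Under these assumptions any inner packet larger than 1446 bytes is the case the KB describes: with post-fragmentation it arrives as ESP fragments that the ES PIC cannot reassemble, while with pre-fragmentation each wire packet is a complete ESP packet.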
