[j-nsp] ex4200 egress filter
Another question again... We currently have an issue where we are unable to use tcp-established on egress firewall filters. We need this as we have firewall filters per customer applied to their own VLAN. If the server initiates a connection we want the return traffic allowed (normally we use tcp-established in Cisco land). Is there any known workaround?

Nick

--
Nick Ryce
Network Engineer
Lumison
t: 0845 1199 900
d: +44 131 514 4049

P.S. Fancy some light reading? Clouds to networks, download a Lumison whitepaper now at http://www.lumison.net/why-lumison/whitepapers

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email.

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ex4200 egress filter
Hi Chris,

The issue should be resolved next week in a service release against 11.1R1
http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2011-04-224&actionBtn=Search

Nick

-Original Message-
From: Chris Kawchuk [mailto:juniperd...@gmail.com]
Sent: 28 April 2011 11:59
To: Nick Ryce
Subject: Re: [j-nsp] ex4200 egress filter

Why not perform this at the routed layer? Or, are you routing into the VLAN at the EX4200? (i.e. using the EX4200 as a router, not a switch which then uplinks the VLAN to something bigger like an MX...)

- Chris.

On 2011-04-28, at 7:35 PM, Nick Ryce wrote:

> Another question again... We currently have an issue where we are unable to use tcp-established on egress firewall filters. We need this as we have firewall filters per customer applied to their own VLAN. If the server initiates a connection we want the return traffic allowed (normally we use tcp-established in Cisco land). Is there any known workaround?
>
> Nick
Re: [j-nsp] ex4200 egress filter
Hello,

Nick Ryce wrote (Thu, Apr 28, 2011 at 10:35:53AM +0100):

> We currently have an issue where we are unable to use tcp-established on egress firewall filters. We need this as we have firewall filters per customer applied to their own VLAN. If the server initiates a connection we want the return traffic allowed (normally we use tcp-established in Cisco land).

We hit the same problem.

> Is there any known workaround?

No. Juniper told us this is a hardware limitation. tcp-flags will never be supported on EX4200 (don't know for EX8200).

I don't have any knowledge in switch design, but I don't understand why pattern-matching some bits in TCP headers is difficult on egress.

Also note that syslog on egress firewall filters is also not possible.

Cheers,

--
Emmanuel Halbwachs          Observatoire de Paris-Meudon
Network/Security Manager    5 Place Jules Janssen
tel : +33 1 45 07 75 54     F 92195 MEUDON CEDEX
fax : +33 1 45 07 01 89     vehicles : 11 av. Marcellin Berthelot
Re: [j-nsp] ex4200 egress filter
On Thu, Apr 28, 2011 at 12:22:43PM +0100, Nick Ryce wrote:
> Hi Chris,
>
> The issue should be resolved next week in a service release against 11.1R1

We hit this issue while testing 11.1R1, and oh what a mighty big screwup it was on Juniper's part too (that it even tries to parse the packets that are killing it in the first place, when NOT CONFIGURED TO DO SO, simply boggles the mind). Unfortunately it's also not the only "packet of death which crashes the FPCs" issue in 11.1 on EX; we also discovered another one which DIDN'T get fixed in 11.1S1, so you're taking your life into your own hands if you try to run that code in production. Oh and BTW, 11.1 on EX will also blackhole your packets while BGP converges following bootup, for up to 15 minutes in our testing. Consider yourselves warned. :)

--
Richard A Steenbergen <r...@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
[j-nsp] blocking IPv6 RAs on EX2200/3200/4200
On Wed, Apr 27, 2011 at 10:21:31PM +0200, martin papik wrote:
> can I block (drop) router advertisement (RA) only on specific ports in EX2400 (EX2200) configuration. The problem is in security, because when any station (PC, notebook) connected to the LAN starts its own (but not official!!!) RA, I think that this unofficial RA will pass through the switch. RA is using icmpv6 port 134. For example some PCs with Windows OS should generate their own unofficial RA. Maybe I can use a firewall filter, but this will generate higher CPU load :-(. Is it possible to use another specific conf. command? Did anyone solve this type of problem in the past?

No, not today. There is no firewall filter match condition for ICMPv6 types on EX2200/3200/4200, but I've asked for this feature to be added. Firewall filters on EX will not cause higher CPU load as far as I know since they are processed in hardware. The best I've been able to do so far is block all native IPv6 ethernet frames based on ethertype, which only works until we start to deploy IPv6 officially. Here is an example that blocks IPv6 on a specific list of ports:

[edit firewall]
family ethernet-switching {
    filter DROP-IPv6 {
        term DROP-IPv6 {
            from {
                ether-type 0x86dd;
            }
            then {
                discard;
                inactive: log;
                count DROP-IPv6;
            }
        }
        term ACCEPT {
            then accept;
        }
    }
}

[edit interfaces]
interface-range EDGE {
    member ge-0/0/[14-46];
    member ge-1/0/[0-6];
    member ge-1/0/[8-12];
    member ge-1/0/[14-47];
    member ge-2/0/[0-1];
    member ge-2/0/[3-7];
    member ge-2/0/[9-47];
    member ge-0/0/[0-7];
    member ge-0/0/[9-12];
    unit 0 {
        family ethernet-switching {
            filter {
                input DROP-IPv6;
                output DROP-IPv6;
            }
        }
    }
}
Re: [j-nsp] ex4200 egress filter
Thankfully only using OSPF and VLANs on our EX4200s :)

Nick

-Original Message-
From: Richard A Steenbergen [mailto:r...@e-gerbil.net]
Sent: 28 April 2011 14:05
To: Nick Ryce
Cc: Chris Kawchuk; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] ex4200 egress filter

On Thu, Apr 28, 2011 at 12:22:43PM +0100, Nick Ryce wrote:
> Hi Chris,
>
> The issue should be resolved next week in a service release against 11.1R1

We hit this issue while testing 11.1R1, and oh what a mighty big screwup it was on Juniper's part too (that it even tries to parse the packets that are killing it in the first place, when NOT CONFIGURED TO DO SO, simply boggles the mind). Unfortunately it's also not the only "packet of death which crashes the FPCs" issue in 11.1 on EX; we also discovered another one which DIDN'T get fixed in 11.1S1, so you're taking your life into your own hands if you try to run that code in production. Oh and BTW, 11.1 on EX will also blackhole your packets while BGP converges following bootup, for up to 15 minutes in our testing. Consider yourselves warned. :)
Re: [j-nsp] ex4200 egress filter
On Thu, Apr 28, 2011 at 05:17:46PM +0200, Tore Anderson wrote:
> * Richard A Steenbergen
>> We hit this issue while testing 11.1R1, and oh what a mighty big screwup it was on Juniper's part too (that it even tries to parse the packets that are killing it in the first place, when NOT CONFIGURED TO DO SO, simply boggles the mind). Unfortunately it's also not the only "packet of death which crashes the FPCs" issue in 11.1 on EX; we also discovered another one which DIDN'T get fixed in 11.1S1, so you're taking your life into your own hands if you try to run that code in production.
>
> Hi Richard,
>
> Could you be a bit more specific about this issue that remains outstanding in 11.1S1? Is there a PSN for it? I have a pair of EX4500s in my lab for setup currently, and any older release isn't an option due to the lack of IPv6 and VC support.

No comment on how to reproduce it, at least until they fix it and ok the release of details. No PSN yet, but basically it's just another magic packet of death which crashes the FPCs, similar to the last NetBIOS issue. Almost all of our testing is on EX8200, but oftentimes these things behave similarly across the smaller EXs too. I'm just warning people not to jump into 11.1S1 expecting everything to work great, because it most certainly does not. :)

--
Richard A Steenbergen <r...@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] ex4200 egress filter
* Richard A Steenbergen
> We hit this issue while testing 11.1R1, and oh what a mighty big screwup it was on Juniper's part too (that it even tries to parse the packets that are killing it in the first place, when NOT CONFIGURED TO DO SO, simply boggles the mind). Unfortunately it's also not the only "packet of death which crashes the FPCs" issue in 11.1 on EX; we also discovered another one which DIDN'T get fixed in 11.1S1, so you're taking your life into your own hands if you try to run that code in production.

Hi Richard,

Could you be a bit more specific about this issue that remains outstanding in 11.1S1? Is there a PSN for it? I have a pair of EX4500s in my lab for setup currently, and any older release isn't an option due to the lack of IPv6 and VC support.

Best regards,

--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27
Re: [j-nsp] juniper-nsp Digest, Vol 101, Issue 46
On Wed, Apr 27, 2011 at 10:21:31PM +0200, martin papik wrote:
> Hi,
>
> can I block (drop) router advertisement (RA) only on specific ports in EX2400 (EX2200) configuration.

ka@ex4200# show firewall family ethernet-switching filter CUSTOMER-INGRESS
term RA-DENY {
    from {
        icmp-type router-advertisement;
    }
    then discard;
}
term ACCEPT-DEFAULT {
    then accept;
}

ka@ex4200# show interfaces ge-0/0/3
unit 0 {
    family ethernet-switching {
        filter {
            input CUSTOMER-INGRESS;
        }
    }
}

Available match conditions:
http://www.juniper.net/techpubs/en_US/junos/topics/reference/requirements/firewall-filter-ex-series-match-conditions.html#ipv6_match_tab

Supported platforms (3200/4200/8200 now):
http://www.juniper.net/techpubs/en_US/junos/topics/concept/ex-series-software-features-overview.html#routing-policy-packet-filtering-features-by-platform-table

Kari
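The two filter strategies in this thread (the ether-type 0x86dd term in the EX2200/3200/4200 reply, which discards every IPv6 frame, and the icmp-type router-advertisement term above, which discards only RAs) can be compared offline. The following Python is an added example, not code from the thread or from Juniper: it parses constructed Ethernet/IPv6/ICMPv6 frames, reports which of the two terms would discard each frame, and flags an RA as rogue when its source MAC is not in an assumed list of trusted router MACs (all MACs and frames are made up).

```python
# Added example (not from the thread or from Juniper): apply the two filter
# strategies discussed above to raw Ethernet frames, offline.
#   DROP-IPv6 term : match ether-type 0x86dd     -> discards ALL IPv6 frames
#   RA-DENY term   : match ICMPv6 type 134 (RA)  -> discards only RAs
# All frames and MAC addresses below are constructed test data.
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
ICMPV6_NEIGHBOR_SOLICITATION = 135
# Extension headers (Hop-by-Hop 0, Routing 43, Destination Options 60) may precede ICMPv6.
EXT_HEADERS = {0, 43, 60}

def parse_frame(frame: bytes) -> dict:
    """Return src MAC, ethertype and, for IPv6, the final next-header and ICMPv6 type."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"src_mac": frame[6:12].hex(":"),
            "ethertype": struct.unpack("!H", frame[12:14])[0],
            "next_header": None, "icmpv6_type": None}
    if info["ethertype"] != ETHERTYPE_IPV6:
        return info
    ip = frame[14:]
    if len(ip) < 40:
        raise ValueError("truncated IPv6 header")
    next_header, offset = ip[6], 40
    # Walk extension headers (byte 0 = next header, byte 1 = length in 8-octet
    # units, not counting the first 8) so an RA behind a Hop-by-Hop header is
    # still recognised as an RA rather than as "protocol 0".
    while next_header in EXT_HEADERS:
        if len(ip) < offset + 2:
            raise ValueError("truncated extension header")
        next_header, offset = ip[offset], offset + (ip[offset + 1] + 1) * 8
    info["next_header"] = next_header
    if next_header == IPPROTO_ICMPV6 and len(ip) > offset:
        info["icmpv6_type"] = ip[offset]
    return info

def drop_ipv6_term(frame: bytes) -> bool:
    """The ether-type term: discard anything carrying ether-type 0x86dd."""
    return parse_frame(frame)["ethertype"] == ETHERTYPE_IPV6

def ra_deny_term(frame: bytes) -> bool:
    """The icmp-type term: discard only ICMPv6 Router Advertisements."""
    return parse_frame(frame)["icmpv6_type"] == ICMPV6_ROUTER_ADVERTISEMENT

def is_rogue_ra(frame: bytes, trusted_router_macs: set) -> bool:
    """Detection view: an RA whose source MAC is not one of the expected routers."""
    info = parse_frame(frame)
    return (info["icmpv6_type"] == ICMPV6_ROUTER_ADVERTISEMENT
            and info["src_mac"] not in trusted_router_macs)

def build_ipv6_frame(icmp_type: int, src_mac: str, hop_by_hop: bool = False) -> bytes:
    """Construct an Ethernet/IPv6/ICMPv6 test frame to ff02::1 (checksum left zero)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4   # type, code, cksum, body
    payload, next_header = icmp, IPPROTO_ICMPV6
    if hop_by_hop:  # 8-byte Hop-by-Hop header: next=ICMPv6, ext len 0, PadN option
        payload = struct.pack("!BB", IPPROTO_ICMPV6, 0) + b"\x01\x04\x00\x00\x00\x00" + icmp
        next_header = 0
    src_ip = bytes.fromhex("fe80" + "00" * 13 + "01")   # fe80::1
    dst_ip = bytes.fromhex("ff02" + "00" * 13 + "01")   # ff02::1 (all-nodes)
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + src_ip + dst_ip
    eth = (bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV6))
    return eth + ipv6 + payload

TRUSTED_ROUTER_MACS = {"00:11:22:33:44:55"}   # assumed: the legitimate router's MAC
ROUTER_RA = build_ipv6_frame(ICMPV6_ROUTER_ADVERTISEMENT, "00:11:22:33:44:55")
ROGUE_RA = build_ipv6_frame(ICMPV6_ROUTER_ADVERTISEMENT, "aa:bb:cc:dd:ee:ff")
ROGUE_RA_HBH = build_ipv6_frame(ICMPV6_ROUTER_ADVERTISEMENT, "aa:bb:cc:dd:ee:ff", True)
HOST_NS = build_ipv6_frame(ICMPV6_NEIGHBOR_SOLICITATION, "aa:bb:cc:dd:ee:ff")
IPV4_FRAME = bytes.fromhex("ffffffffffff" + "aabbccddeeff" + "0800") + b"\x45" + b"\x00" * 19

def summarize(frames: dict) -> dict:
    """name -> (discarded by DROP-IPv6, discarded by RA-DENY, flagged as rogue RA)"""
    return {name: (drop_ipv6_term(f), ra_deny_term(f), is_rogue_ra(f, TRUSTED_ROUTER_MACS))
            for name, f in frames.items()}

if __name__ == "__main__":
    for name, verdict in summarize({"router RA": ROUTER_RA, "rogue RA": ROGUE_RA,
                                    "rogue RA+HBH": ROGUE_RA_HBH, "host NS": HOST_NS,
                                    "IPv4": IPV4_FRAME}).items():
        print(name, verdict)
```

The host NS row shows why the ether-type approach "only works until we start to deploy IPv6": it discards neighbor solicitations along with the RAs, whereas the icmp-type term leaves everything but RAs alone.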
[j-nsp] RES: Trying to get OSPF to work across IPsec for Redundancy
> Hello All:
>
> I'm trying to get OSPF up over IPsec. We have two IPsec tunnels, a primary and a secondary that our spoke router can use. We want to have the spoke router run OSPF across both and then in case of a failure of the primary hub router (where the primary IPsec tunnel terminates) OSPF will direct traffic over the backup tunnel to the backup hub. So far I have seen OSPF on the spoke router come up just a couple of times but only to one or the other peer. It never has come up to both peers. Here are my configurations for OSPF and the services interfaces below. Also BGP is up on all routers and all routers are reachable via BGP. If anyone can guide me in the right direction to get OSPF working over IPsec that would be most appreciated!

As far as I know IPsec alone is not able to carry multicast traffic. Are you using GRE over IPsec? If not, you may want to try unicast hellos.
Re: [j-nsp] Blocking router advertisemet (RA) (was: Re: juniper-nsp Digest, Vol 101, Issue 46)
> Date: Wed, 27 Apr 2011 22:21:31 +0200
> From: martin papik <pa...@utia.cas.cz>
> To: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] juniper-nsp Digest, Vol 101, Issue 46
>
> Hi,
>
> can I block (drop) router advertisement (RA) only on specific ports in EX2400 (EX2200) configuration. The problem is in security, because when any station (PC, notebook) connected to the LAN starts its own (but not official!!!) RA, I think that this unofficial RA will pass through the switch. RA is using icmpv6 port 134. For example some PCs with Windows OS should generate their own unofficial RA. Maybe I can use a firewall filter, but this will generate higher CPU load :-(. Is it possible to use another specific conf. command? Did anyone solve this type of problem in the past?
>
> Thanks
> Martin Papik

Martin,

If you've got workstations sending RAs then you've probably got bigger problems than just rogue RAs. They're probably doing automatic v6-to-v4 tunneling (either 6-to-4 or Teredo), so you've got uncontrolled v6 traffic on your net. Given the exhaustion of v4 addrs, v6 is only going to increase in use. You need to either do a proper v6 deployment or take strong steps to quash it; the half-baked environment only leads to misery. In general, if workstations hear official RAs then they tend to become just clients and don't try to do 6-to-4 tunnels (or configure each workstation to completely disable its v6 stack). Find a good source of IPv6 information and learn about the things that you need to know, both as a network engineer and as a system administrator. Good place to start: http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf

--
Dave Funk                             University of Iowa
<dbfunk (at) engineering.uiowa.edu>   College of Engineering
319/335-5751   FAX: 319/384-0549      1256 Seamans Center
Sys_admin/Postmaster/cell_admin       Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better.
[j-nsp] EX 10.4R4.3
Any notes from the field on 10.4R4.3 deployment? Pros? Cons? Fixes? Features? I saw some noise on the list recently. Anyone care to share a summary? Thanks in advance.

-b

--
Bill Blackford
Network Engineer
Logged into reality and abusing my sudo privileges.
Re: [j-nsp] EX 10.4R4.3
10.4R4.3 is not released software and should not be used by anyone. We have not yet completed the release process for Junos 10.4R4 ...

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Thursday, April 28, 2011 4:52 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] EX 10.4R4.3

Any notes from the field on 10.4R4.3 deployment? Pros? Cons? Fixes? Features? I saw some noise on the list recently. Anyone care to share a summary? Thanks in advance.

-b
Re: [j-nsp] EX 10.4R4.3
Doh! My apologies. This should read 10.4R3.4

---
JUNOS 10.4R3.4 built 2011-03-19 22:06:32 UTC

-b

On Thu, Apr 28, 2011 at 5:00 PM, Paul Goyette <pgoye...@juniper.net> wrote:
> 10.4R4.3 is not released software and should not be used by anyone. We have not yet completed the release process for Junos 10.4R4 ...
>
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
> Sent: Thursday, April 28, 2011 4:52 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] EX 10.4R4.3
>
> Any notes from the field on 10.4R4.3 deployment? Pros? Cons? Fixes? Features? I saw some noise on the list recently. Anyone care to share a summary? Thanks in advance.
>
> -b

--
Bill Blackford
Network Engineer
Logged into reality and abusing my sudo privileges.
Re: [j-nsp] EX 10.4R4.3
Phew! Thanks for the clarification!

-Original Message-
From: Bill Blackford [mailto:bblackf...@gmail.com]
Sent: Thursday, April 28, 2011 5:08 PM
To: Paul Goyette
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] EX 10.4R4.3

Doh! My apologies. This should read 10.4R3.4

---
JUNOS 10.4R3.4 built 2011-03-19 22:06:32 UTC

-b

On Thu, Apr 28, 2011 at 5:00 PM, Paul Goyette <pgoye...@juniper.net> wrote:
> 10.4R4.3 is not released software and should not be used by anyone. We have not yet completed the release process for Junos 10.4R4 ...
>
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
> Sent: Thursday, April 28, 2011 4:52 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] EX 10.4R4.3
>
> Any notes from the field on 10.4R4.3 deployment? Pros? Cons? Fixes? Features? I saw some noise on the list recently. Anyone care to share a summary? Thanks in advance.
>
> -b
Re: [j-nsp] EX 10.4R4.3
We upgraded a few (five?) EX4200s to 10.4R3.4 for the flash partitioning feature a few weeks ago. We haven't run across anything terrible but we are mostly simple layer 2. We did see a substantial drop in CPU, which was unexpected, but welcomed.

-Michael

On 4/28/2011 7:11 PM, Paul Goyette wrote:
> Phew! Thanks for the clarification!
>
> -Original Message-
> From: Bill Blackford [mailto:bblackf...@gmail.com]
> Sent: Thursday, April 28, 2011 5:08 PM
> To: Paul Goyette
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] EX 10.4R4.3
>
> Doh! My apologies. This should read 10.4R3.4
>
> ---
> JUNOS 10.4R3.4 built 2011-03-19 22:06:32 UTC
>
> -b
>
> On Thu, Apr 28, 2011 at 5:00 PM, Paul Goyette <pgoye...@juniper.net> wrote:
>> 10.4R4.3 is not released software and should not be used by anyone. We have not yet completed the release process for Junos 10.4R4 ...
>>
>> -Original Message-
>> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
>> Sent: Thursday, April 28, 2011 4:52 PM
>> To: juniper-nsp@puck.nether.net
>> Subject: [j-nsp] EX 10.4R4.3
>>
>> Any notes from the field on 10.4R4.3 deployment? Pros? Cons? Fixes? Features? I saw some noise on the list recently. Anyone care to share a summary? Thanks in advance.
>>
>> -b
Re: [j-nsp] RES: Trying to get OSPF to work across IPsec for Redundancy
I don't think OSPF carries multicast. I know Cisco routers have a neighbor statement that will force it to unicast hellos; I've never tried it on a Juniper. I think if you do GRE over IPsec (not to be confused with IPsec over GRE) the multicast will work as well. It depends on your endpoints though, I don't think firewalls will do GRE.

On Thu, Apr 28, 2011 at 3:59 PM, Leonardo Gama Souza <leonardo.so...@nec.com.br> wrote:
>> Hello All:
>>
>> I'm trying to get OSPF up over IPsec. We have two IPsec tunnels, a primary and a secondary that our spoke router can use. We want to have the spoke router run OSPF across both and then in case of a failure of the primary hub router (where the primary IPsec tunnel terminates) OSPF will direct traffic over the backup tunnel to the backup hub. So far I have seen OSPF on the spoke router come up just a couple of times but only to one or the other peer. It never has come up to both peers. Here are my configurations for OSPF and the services interfaces below. Also BGP is up on all routers and all routers are reachable via BGP. If anyone can guide me in the right direction to get OSPF working over IPsec that would be most appreciated!
>
> As far as I know IPsec alone is not able to carry multicast traffic. Are you using GRE over IPsec? If not, you may want to try unicast hellos.
Re: [j-nsp] RES: Trying to get OSPF to work across IPsec for Redundancy
Sorry, I meant IPsec doesn't carry multicast. OSPF technically doesn't carry anything.

On Thu, Apr 28, 2011 at 11:28 PM, Keegan Holley <keegan.hol...@sungard.com> wrote:
> I don't think OSPF carries multicast. I know Cisco routers have a neighbor statement that will force it to unicast hellos; I've never tried it on a Juniper. I think if you do GRE over IPsec (not to be confused with IPsec over GRE) the multicast will work as well. It depends on your endpoints though, I don't think firewalls will do GRE.
>
> On Thu, Apr 28, 2011 at 3:59 PM, Leonardo Gama Souza <leonardo.so...@nec.com.br> wrote:
>>> Hello All:
>>>
>>> I'm trying to get OSPF up over IPsec. We have two IPsec tunnels, a primary and a secondary that our spoke router can use. We want to have the spoke router run OSPF across both and then in case of a failure of the primary hub router (where the primary IPsec tunnel terminates) OSPF will direct traffic over the backup tunnel to the backup hub. So far I have seen OSPF on the spoke router come up just a couple of times but only to one or the other peer. It never has come up to both peers. Here are my configurations for OSPF and the services interfaces below. Also BGP is up on all routers and all routers are reachable via BGP. If anyone can guide me in the right direction to get OSPF working over IPsec that would be most appreciated!
>>
>> As far as I know IPsec alone is not able to carry multicast traffic. Are you using GRE over IPsec? If not, you may want to try unicast hellos.
Re: [j-nsp] RES: Trying to get OSPF to work across IPsec for Redundancy
Actually... OSPF will work across an IPsec tunnel. Unfortunately, last time I checked, it wouldn't work across a tunnel that's terminated within a routing instance on an SRX. The issue was confirmed by JTAC. We haven't tried it on 10.4 yet, but it's a known issue with older code. OSPF just won't build a relationship across the tunnel. On the other hand, it works great across IPsec tunnels between NetScreens. If I remember, I'll try to dig up the KB article/bug report that covers it.

On Apr 28, 2011, at 10:58 PM, Keegan Holley wrote:
> Sorry, I meant IPsec doesn't carry multicast. OSPF technically doesn't carry anything.
>
> On Thu, Apr 28, 2011 at 11:28 PM, Keegan Holley <keegan.hol...@sungard.com> wrote:
>> I don't think OSPF carries multicast. I know Cisco routers have a neighbor statement that will force it to unicast hellos; I've never tried it on a Juniper. I think if you do GRE over IPsec (not to be confused with IPsec over GRE) the multicast will work as well. It depends on your endpoints though, I don't think firewalls will do GRE.
>>
>> On Thu, Apr 28, 2011 at 3:59 PM, Leonardo Gama Souza <leonardo.so...@nec.com.br> wrote:
>>>> Hello All:
>>>>
>>>> I'm trying to get OSPF up over IPsec. We have two IPsec tunnels, a primary and a secondary that our spoke router can use. We want to have the spoke router run OSPF across both and then in case of a failure of the primary hub router (where the primary IPsec tunnel terminates) OSPF will direct traffic over the backup tunnel to the backup hub. So far I have seen OSPF on the spoke router come up just a couple of times but only to one or the other peer. It never has come up to both peers. Here are my configurations for OSPF and the services interfaces below. Also BGP is up on all routers and all routers are reachable via BGP. If anyone can guide me in the right direction to get OSPF working over IPsec that would be most appreciated!
>>>
>>> As far as I know IPsec alone is not able to carry multicast traffic. Are you using GRE over IPsec? If not, you may want to try unicast hellos.