[j-nsp] IPSec Tunnel between Remote office and main Office

2013-02-19 Thread Muhammad Atif Jauhar
Hi,

One of our clients currently has the topology below to connect all remote sites
to the main office.

Remote Site-1 (SRX240) --E1--+
                             |
                          Router --GE-- Main Office (SRX650)
                             |
Remote Site-x (SRX240) --E1--+

The other parts of the configuration are as follows:

1. All devices run RIP because the router is very old and needs an extra
support license for OSPF.
2. A route-based IPSec tunnel is configured between each remote-site SRX240
and the SRX650.
3. All E1 links on the remote side and the GE link on the SRX650 are in the
Untrust zone.
4. All st interfaces are in the VPN zone; LAN interfaces are in the Trust zone.
5. Policies permit traffic between the various sources and destinations in the
VPN and Trust zones.
6. Traffic is denied between the Untrust zone and the VPN/Trust zones.

The client wants to remove the router from the topology and connect the E1
links to the SRX650.

We have performed the following steps to migrate one link for testing:

1. Remove the E1 link from the router and connect it to the SRX650.
2. Put the above E1 link in RIP and in the Untrust zone.
3. Put routing policies on the SRX650 E1 link in RIP to stop learning the
remote office's Trust subnets from the E1 link, so that those routes are
learned only from the st link.
4. We didn't change any VPN configuration on either side; the IPSec tunnel
comes up and traffic is passing.
   The external interface in the VPN configuration on the SRX650 is still the
GE interface.
   The VPN IKE gateway on the remote site is still the same GE interface IP on
the SRX650.

We observe the following:





-- 
Regards,

Muhammad Atif Jauhar
(+966-56-00-04-985)
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] IPSec Tunnel between Remote office and main Office

2013-02-19 Thread Muhammad Atif Jauhar
Hi,

One of our clients currently has the topology below to connect all remote sites
to the main office.

Remote Site-1 (SRX240) --E1--+
                             |
                          Router --GE-- Main Office (SRX650)
                             |
Remote Site-x (SRX240) --E1--+

The other parts of the configuration are as follows:

1. All devices run RIP because the router is very old and needs an extra
support license for OSPF.
2. A route-based IPSec tunnel is configured between each remote-site SRX240
and the SRX650.
3. All E1 links on the remote side and the GE link on the SRX650 are in the
Untrust zone.
4. All st interfaces are in the VPN zone; LAN interfaces are in the Trust zone.
5. Policies permit traffic between the various sources and destinations in the
VPN and Trust zones.
6. Traffic is denied between the Untrust zone and the VPN/Trust zones.

The client wants to remove the router from the topology and connect the E1
links to the SRX650.

We have performed the following steps to migrate one link for testing:

1. Remove the E1 link from the router and connect it to the SRX650.
2. Put the above E1 link in RIP and in the Untrust zone.
3. Put routing policies on the E1 link in RIP to stop learning Trust subnets
from the E1 link, so that those routes are learned only from the st link. Only
the GE interface IP is learned from the E1 link.
4. We didn't change any VPN configuration on either side; the IPSec tunnel
comes up and traffic is passing.
   The external interface in the VPN configuration on the SRX650 is still the
GE interface.
   The VPN IKE gateway on the remote site is still the same GE interface IP on
the SRX650.

We observe the following:

1. When we access the remote firewall, the session sometimes hangs and the
output of any command is displayed slowly.
2. When we access the remote firewall directly from the main office SRX, the
session hangs completely once we enter a command with bigger output, like
"request support information" or "show configuration".
3. If we access other remote firewalls the same way as in step 2, there is
no issue.

Kindly let us know whether there is any issue if we have a directly connected
link but are establishing the IPSec tunnel with another interface IP, like the
GE interface on the SRX650. The IKE gateway on the SRX650 for the remote
firewall is the same E1 link interface. That is, on the remote firewall the IKE
gateway is the GE interface of the SRX650, and on the SRX650 the IKE gateway is
the E1 link of the remote firewall.

Is there any way to troubleshoot the session hanging and slowness?
Regards,

Muhammad Atif Jauhar
(+966-56-00-04-985)
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] IPSec Tunnel between Remote office and main Office

2013-02-19 Thread Alex Arseniev

http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-41894.html

set security flow tcp-mss ipsec-vpn mss 1300

This should fix it.
Thanks
Alex

- Original Message - 
From: Muhammad Atif Jauhar atif.jau...@gmail.com

To: juniper-nsp@puck.nether.net
Sent: Tuesday, February 19, 2013 3:25 PM
Subject: Re: [j-nsp] IPSec Tunnel between Remote office and main Office




___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] IPSec Tunnel between Remote office and main Office

2013-02-19 Thread Muhammad Atif Jauhar
Hi Alex,

It's already configured with a value of 1350.

Regards,
Atif.

On Tue, Feb 19, 2013 at 8:03 PM, Alex Arseniev alex.arsen...@gmail.com wrote:


-- 
Regards,

Muhammad Atif Jauhar
(+966-56-00-04-985)
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp