Re: [j-nsp] Juniper IPSEC VPN
Hi Guys, Literally just got it working. Turns out for cisco to juniper ipsec tunnels to use policy based vpn and also reference each remote lan > local lan individually rather than a group. All working now though. Thanks for the help. Also turned PFS on/off which didn't seem to make a difference. Nick -Original Message- From: Kerry Milestone [mailto:k...@sanger.ac.uk] Sent: 06 May 2010 15:32 To: Nick Ryce Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] Juniper IPSEC VPN Hi, i batteed me head on this one... turns out, to get our VPN stable even though the Checkoint's P2 proposal was set to "Group 2" set the P2 proposal on the juniper to "NO PFS" .. in stead of "DH GROUP2" I have done this, so our P2 proposal is now NOPFS -aes etc... and it worked... Not sure if this is a bug or a feature, but was the only way I got the VPN to work between vendors. For us, PFS just didn't work. You may see this error on the checkpoint > Information: encryption failure: Unknown SPI: 0xaeb72e99 for IPsec packet and something similar on the juniper. might be worth a shot. Regards, Kerry. On 03/05/10 22:26, Nick Ryce wrote: > After some further testing it looks like the juniper keeps re-establishing > the tunnel every 10-20 seconds or so. > > Does anyone have real world experience of getting a j2320 ipsec tunnel > working with an ASA5510? > > Nick > > From: Nicholas Oas [mailto:nicholas....@gmail.com] > Sent: 30 April 2010 13:03 > To: Nick Ryce > Subject: Re: [j-nsp] Juniper IPSEC VPN > -- -- .- Kerry Milestone -. .- Senior Systems Administrator -. .- Networks Team-. .- Wellcome Trust Sanger Institute -. .- -. .- http://www.sanger.ac.uk -. .- +44 (0)1223 492320 -. -- -- The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper IPSEC VPN
Hi, i batteed me head on this one... turns out, to get our VPN stable even though the Checkoint's P2 proposal was set to "Group 2" set the P2 proposal on the juniper to "NO PFS" .. in stead of "DH GROUP2" I have done this, so our P2 proposal is now NOPFS -aes etc... and it worked... Not sure if this is a bug or a feature, but was the only way I got the VPN to work between vendors. For us, PFS just didn't work. You may see this error on the checkpoint > Information: encryption failure: Unknown SPI: 0xaeb72e99 for IPsec packet and something similar on the juniper. might be worth a shot. Regards, Kerry. On 03/05/10 22:26, Nick Ryce wrote: After some further testing it looks like the juniper keeps re-establishing the tunnel every 10-20 seconds or so. Does anyone have real world experience of getting a j2320 ipsec tunnel working with an ASA5510? Nick From: Nicholas Oas [mailto:nicholas@gmail.com] Sent: 30 April 2010 13:03 To: Nick Ryce Subject: Re: [j-nsp] Juniper IPSEC VPN -- -- .- Kerry Milestone -. .- Senior Systems Administrator -. .- Networks Team-. .- Wellcome Trust Sanger Institute -. .- -. .- http://www.sanger.ac.uk -. .- +44 (0)1223 492320 -. -- -- The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper IPSEC VPN
Dear Nick, You could check your IPSec logs to dig down the exact reason due to which tunnel is dropping. It must be some parameter mismatch. Normally if your establish tunnel between cisco devices and there is a parameter mismatch, the tunnel wont establish. but incase of juniper the tunnel will establish but you will face abnormal behavior. regards, Asad On Tue, May 4, 2010 at 3:16 AM, Joe C wrote: > Nick, > > I have set up IPsec tunnels between Juniper SRX 240 (started with 9.6, > current one is a 10.x) and Cisco ISR and, the devil hides in the small > details. Off the top of my head, I remember the lifetime defaults on both > cisco and Juniper don't get along and I found the SRX setting a lifetime of > 0 seconds, endlessly dropping and re-establishing the SA. > > Although it's not the same hardware scenario, it might help. > > JC > > On 3 May 2010, at 22:26, Nick Ryce wrote: > > > After some further testing it looks like the juniper keeps > re-establishing the tunnel every 10-20 seconds or so. > > > > Does anyone have real world experience of getting a j2320 ipsec tunnel > working with an ASA5510? > > > > Nick > > > ___ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper IPSEC VPN
Nick, I have set up IPsec tunnels between Juniper SRX 240 (started with 9.6, current one is a 10.x) and Cisco ISR and, the devil hides in the small details. Off the top of my head, I remember the lifetime defaults on both cisco and Juniper don't get along and I found the SRX setting a lifetime of 0 seconds, endlessly dropping and re-establishing the SA. Although it's not the same hardware scenario, it might help. JC On 3 May 2010, at 22:26, Nick Ryce wrote: > After some further testing it looks like the juniper keeps re-establishing > the tunnel every 10-20 seconds or so. > > Does anyone have real world experience of getting a j2320 ipsec tunnel > working with an ASA5510? > > Nick ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper IPSEC VPN
After some further testing it looks like the juniper keeps re-establishing the tunnel every 10-20 seconds or so. Does anyone have real world experience of getting a j2320 ipsec tunnel working with an ASA5510? Nick From: Nicholas Oas [mailto:nicholas@gmail.com] Sent: 30 April 2010 13:03 To: Nick Ryce Subject: Re: [j-nsp] Juniper IPSEC VPN OFF-LIST PRIVATE RESPONSE. Spec sheet of "1000265-en.pdf" indicates a j2320 should be able to do 140mb/s IPsec VPN... Also 1000206-en.pdf says that crypto module you found is for a 2350 only. If you are not pushing more than that published limit I would say there a bug, which is entirely possible. Have you contacted TAC? Also an even cheaper punt would be to throw 9.6r3 on it... Or something in the 10 train for that matte (can be ugly in other ways though). -Nicholas On Fri, Apr 30, 2010 at 7:21 AM, Nick Ryce mailto:nick.r...@lumison.net>> wrote: Just found JXH-HC2-S Might give that a try but its an expensive 'punt' Nick From: Chris Evans [mailto:chrisccnpsp...@gmail.com<mailto:chrisccnpsp...@gmail.com>] Sent: 30 April 2010 12:13 To: Nick Ryce Cc: juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net> Subject: Re: [j-nsp] Juniper IPSEC VPN The asa has a hardware encryption engine in it. I don't believe that the j series router has one. That is the root of your problem I would say. On Apr 30, 2010 5:13 AM, "Nick Ryce" mailto:nick.r...@lumison.net><mailto:nick.r...@lumison.net<mailto:nick.r...@lumison.net>>> wrote: Is there a default speed that a juniper ipec tunnel runs at? We have an asa5510 and an 1812 where the ipsec tunnel was running near full speed on a 10 meg link. We swapped the 1812 with a 2320 running 9.6R2.8 and we are seeing lost packets and slow throughput. The tunnel does not drop once established but packets continue to be lost. Any ideas? Nick -- Nick Ryce Network Engineer Lumison 0845119 P.S. do you love Lumison? Why not take a moment and vote for us? http://bit.ly/Vote_Lumison -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net><mailto:juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net>> https://puck.nether.net/mailman/listinfo/juniper-nsp -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net> https://puck.nether.net/mailman/listinfo/juniper-nsp -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper IPSEC VPN
Can you share a sanitized config? From: Nick Ryce To: "juniper-nsp@puck.nether.net" Sent: Fri, April 30, 2010 4:08:21 AM Subject: [j-nsp] Juniper IPSEC VPN Is there a default speed that a juniper ipec tunnel runs at? We have an asa5510 and an 1812 where the ipsec tunnel was running near full speed on a 10 meg link. We swapped the 1812 with a 2320 running 9.6R2.8 and we are seeing lost packets and slow throughput. The tunnel does not drop once established but packets continue to be lost. Any ideas? Nick -- Nick Ryce Network Engineer Lumison 0845119 P.S. do you love Lumison? Why not take a moment and vote for us? http://bit.ly/Vote_Lumison -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper IPSEC VPN
I haven't worked on then series at ll but I believe it is a full software based processing router. The CPU is stony enough to handle the ipsec tunnel count but that doesn't mean it can push the throughput. On Apr 30, 2010 7:21 AM, "Nick Ryce" wrote: Spec sheets say it should be able to hand a couple of hundred vpn tunnels so not sure if that would be? Is there a hardware encryption module for the junipers? Nick *From:* Chris Evans [mailto:chrisccnpsp...@gmail.com] *Sent:* 30 April 2010 12:13 *To:* Nick Ryce *Cc:* juniper-nsp@puck.nether.net *Subject:* Re: [j-nsp] Juniper IPSEC VPN The asa has a hardware encryption engine in it. I don't believe that the j series router has on... -- -- This email and any files transmitted with it are confidential and intended solely for the use o... ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper IPSEC VPN
Just found JXH-HC2-S Might give that a try but its an expensive 'punt' Nick From: Chris Evans [mailto:chrisccnpsp...@gmail.com] Sent: 30 April 2010 12:13 To: Nick Ryce Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] Juniper IPSEC VPN The asa has a hardware encryption engine in it. I don't believe that the j series router has one. That is the root of your problem I would say. On Apr 30, 2010 5:13 AM, "Nick Ryce" mailto:nick.r...@lumison.net>> wrote: Is there a default speed that a juniper ipec tunnel runs at? We have an asa5510 and an 1812 where the ipsec tunnel was running near full speed on a 10 meg link. We swapped the 1812 with a 2320 running 9.6R2.8 and we are seeing lost packets and slow throughput. The tunnel does not drop once established but packets continue to be lost. Any ideas? Nick -- Nick Ryce Network Engineer Lumison 0845119 P.S. do you love Lumison? Why not take a moment and vote for us? http://bit.ly/Vote_Lumison -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net> https://puck.nether.net/mailman/listinfo/juniper-nsp -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper IPSEC VPN
Spec sheets say it should be able to hand a couple of hundred vpn tunnels so not sure if that would be? Is there a hardware encryption module for the junipers? Nick From: Chris Evans [mailto:chrisccnpsp...@gmail.com] Sent: 30 April 2010 12:13 To: Nick Ryce Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] Juniper IPSEC VPN The asa has a hardware encryption engine in it. I don't believe that the j series router has one. That is the root of your problem I would say. On Apr 30, 2010 5:13 AM, "Nick Ryce" mailto:nick.r...@lumison.net>> wrote: Is there a default speed that a juniper ipec tunnel runs at? We have an asa5510 and an 1812 where the ipsec tunnel was running near full speed on a 10 meg link. We swapped the 1812 with a 2320 running 9.6R2.8 and we are seeing lost packets and slow throughput. The tunnel does not drop once established but packets continue to be lost. Any ideas? Nick -- Nick Ryce Network Engineer Lumison 0845119 P.S. do you love Lumison? Why not take a moment and vote for us? http://bit.ly/Vote_Lumison -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net> https://puck.nether.net/mailman/listinfo/juniper-nsp -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Juniper IPSEC VPN
The asa has a hardware encryption engine in it. I don't believe that the j series router has one. That is the root of your problem I would say. On Apr 30, 2010 5:13 AM, "Nick Ryce" wrote: Is there a default speed that a juniper ipec tunnel runs at? We have an asa5510 and an 1812 where the ipsec tunnel was running near full speed on a 10 meg link. We swapped the 1812 with a 2320 running 9.6R2.8 and we are seeing lost packets and slow throughput. The tunnel does not drop once established but packets continue to be lost. Any ideas? Nick -- Nick Ryce Network Engineer Lumison 0845119 P.S. do you love Lumison? Why not take a moment and vote for us? http://bit.ly/Vote_Lumison -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Juniper IPSEC VPN
Is there a default speed that a juniper ipec tunnel runs at? We have an asa5510 and an 1812 where the ipsec tunnel was running near full speed on a 10 meg link. We swapped the 1812 with a 2320 running 9.6R2.8 and we are seeing lost packets and slow throughput. The tunnel does not drop once established but packets continue to be lost. Any ideas? Nick -- Nick Ryce Network Engineer Lumison 0845119 P.S. do you love Lumison? Why not take a moment and vote for us? http://bit.ly/Vote_Lumison -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
