Addey Salameh

site-to-site IPSec VPN

Hello guys

I established a site-to-site VPN connection between a Cisco 877 and a Juniper SRX240H2 firewall using these hashes and encryption settings:

 crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key testsharedkey address 83.xxx.xxx.xxx

crypto ipsec transform-set bilset esp-aes 256 esp-sha-hmac


crypto map RAM_TO_NET 10 ipsec-isakmp
 set peer 83.xxx.xxx.xxx
 set transform-set bilset
 match address VPN_TRAFFIC

Under Dialer 1:

crypto map RAM_TO_NET


ip access-list extended VPN_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255


access-list 100 remark NAT
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any


Well, everything went just fine and the tunnel is up and active. Then I tried to ping a host from the remote site and it won't ping; it just gives "Request timed out". So I went to Cisco Configuration Professional, and when I tested the tunnel it gave me:

Failure Reason(s) 
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets. 

Recommended Action(s) 
1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation. 

Well, I issued the crypto ipsec df-bit clear command under Dialer 1, but it didn't work.


So help me, guys: what am I supposed to do?

Accepted Solution

Set both sides to 1300 MTU and see if that helps.


Mike


8 Replies
mariano.alfonso

Hi Addey,


If the tunnel is up but the traffic won't flow, I would double-check the "NONAT" configuration on both ends.


Best Regards,

Thank you for your reply, but I tried the NONAT and it's still not working :\

route-map nonat permit 10
 match ip address 100

ip nat inside source route-map nonat interface Dialer1 overload

You beat me to it; hopefully you see this.


That is a strange MTU size. Do you have the Cisco VPN client installed? I know this can alter default MTU settings on host devices.

Hi Addey,


Could you please advise why you added the deny on the ACL?


access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255


The only ACL you need for the traffic you want to send over the tunnel is the crypto ACL, in this case VPN_TRAFFIC, which defines your interesting traffic and which basically tells your router to "NONAT" that traffic. You should have a mirror of that ACL on your other end, but with the order of source-->destination changed, of course.


I believe that the default MTU values are different on the two devices: Juniper is 1514 and Cisco is 1500. This could be causing an issue.
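As an added worked example (not from the thread), here is the ESP tunnel-mode size arithmetic behind the MTU advice above, for the esp-aes 256 esp-sha-hmac transform set the original post uses: it shows why a full-size 1500-byte probe with DF set can never fit inside a 1500-byte outer link, and why a 1300-byte inner MTU does. It assumes AES-CBC with a 16-byte IV, HMAC-SHA1-96, a 1500-byte IP MTU on a plain Ethernet uplink and 1492 on a PPPoE dialer (Dialer1 is assumed to be PPPoE); Junos counts the 14-byte Ethernet header in its 1514 figure, so the Juniper side also has a 1500-byte IP MTU.

```python
# Added example, not code from the thread: ESP tunnel-mode packet sizes for
# AES-256-CBC + HMAC-SHA1-96 (esp-aes 256 esp-sha-hmac). Link MTUs are assumptions.

OUTER_IP_HDR = 20   # new IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
AES_BLOCK = 16      # AES-CBC block size; the IV is one block long
ESP_TRAILER = 2     # pad length (1) + next header (1)
SHA1_ICV = 12       # HMAC-SHA1-96 integrity check value
NAT_T_UDP = 8       # extra UDP header when NAT traversal (UDP 4500) is in use


def esp_tunnel_size(inner_len, nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    # inner packet + trailer is padded up to a whole number of cipher blocks
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    size = OUTER_IP_HDR + ESP_HDR + AES_BLOCK + padded + SHA1_ICV
    return size + NAT_T_UDP if nat_t else size


def max_inner_len(outer_mtu, nat_t=False):
    """Largest inner packet the tunnel carries without fragmenting the outer one."""
    fixed = OUTER_IP_HDR + ESP_HDR + AES_BLOCK + SHA1_ICV + (NAT_T_UDP if nat_t else 0)
    padded_room = (outer_mtu - fixed) // AES_BLOCK * AES_BLOCK
    return padded_room - ESP_TRAILER


def df_ping_survives(inner_len, outer_mtu, nat_t=False):
    """Model the CCP test: a DF-set probe of inner_len bytes either fits or is dropped."""
    return esp_tunnel_size(inner_len, nat_t) <= outer_mtu


if __name__ == "__main__":
    # assumed link MTUs: plain Ethernet uplink vs. PPPoE dialer (8 bytes of PPPoE/PPP)
    for link, mtu in (("Ethernet", 1500), ("PPPoE dialer", 1492)):
        print(f"{link}: max inner packet {max_inner_len(mtu)} bytes "
              f"({max_inner_len(mtu, nat_t=True)} with NAT-T)")
        for probe in (1500, 1300):
            verdict = "passes" if df_ping_survives(probe, mtu) else "dropped"
            print(f"  {probe}-byte DF probe -> {esp_tunnel_size(probe)} bytes on the wire: {verdict}")
```

Setting the interface MTU to 1300, as the accepted answer suggests, keeps every inner packet under the 1422 to 1438-byte ceiling computed here, so the DF-set probe is encapsulated without needing fragmentation.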

I changed the MTU on the Cisco to different values; still not working :/