Addey Salameh

site-to-site IPSec VPN

Hello guys,

I established a site-to-site VPN connection between a Cisco 877 and a Juniper SRX240H2 firewall using these hashes and encryption settings:

 crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key testsharedkey address

crypto ipsec transform-set bilset esp-aes 256 esp-sha-hmac


crypto map RAM_TO_NET 10 ipsec-isakmp
 set peer
 set transform-set bilset
 match address VPN_TRAFFIC

under dialer 1

crypto map RAM_TO_NET


ip access-list extended VPN_TRAFFIC
 permit ip


access-list 100 remark NAT
access-list 100 deny   ip
access-list 100 permit ip any


Well, everything went just fine and the tunnel is up and active. Then I tried to ping a host from the remote site and it won't ping; it just gives 'request timed out'. So I went to Cisco Configuration Professional and when I tested the tunnel it gave me:

Failure Reason(s) 
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets. 

Recommended Action(s) 
1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation. 

Well, I issued 'crypto ipsec df-bit clear' under Dialer 1, but it didn't work.


So help me guys, what am I supposed to do?


Accepted Solutions

Set both sides to 1300 MTU and see if that helps.





Hi Addey,


If the tunnel is up but the traffic won't flow, I would double-check the "NONAT" configuration on both ends.


Best Regards,

Thank you for your reply, but I tried the NONAT and it's still not working :\

route-map nonat permit 10
 match ip address 100

ip nat inside source route-map nonat interface Dialer1 overload

You beat me to it; hopefully you see this.

Set both sides to 1300 MTU and see if that helps.



That is a strange MTU size. Do you have the Cisco VPN client installed? I know this can alter the default MTU settings on host devices.

Hi Addey,


Could you please advise why you added the deny on the ACL?


access-list 100 deny   ip



The only ACL you need for the traffic you want to send over the tunnel is the crypto ACL, in this case VPN_TRAFFIC, which defines your interesting traffic and basically tells your router to "NONAT" that traffic. You should have a mirror of that ACL on your other end, but with the order of source --> destination swapped, of course.
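A quick way to verify the NAT exemption the replies above are talking about. This is an added example for the thread, not code from the original post or from Cisco: it parses the crypto ACL and the NAT ACL with IOS first-match semantics and checks that every flow the crypto map would encrypt hits a deny in the NAT ACL before any permit (otherwise it is translated to the Dialer address, stops matching the crypto ACL and leaves the router unencrypted, which looks exactly like pings timing out), and that the far end's crypto ACL is the exact mirror. The addresses are constructed because the thread's are redacted; VPN_TRAFFIC and 100 are the ACL names from the post.

```python
"""Check that a Cisco IOS NAT-exemption ACL really mirrors the crypto ACL.

Added example for this thread; not code from the original post or Cisco.
Addresses are constructed (the thread's ACLs are redacted). Only
'permit|deny ip <src> <dst>' entries are handled, which is all a
site-to-site crypto ACL normally contains.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A wildcard')."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks; a contiguous mask is assumed.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    net = ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)
    return net, tokens[2:]


def parse_ace(line):
    """Parse one ACE; returns (action, src_net, dst_net), or None for remarks."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:   # numbered form: access-list 100 deny ip ...
        tokens = tokens[2:]
    if tokens and tokens[0].isdigit():  # optional sequence number in named ACLs
        tokens = tokens[1:]
    if not tokens or tokens[0] == "remark":
        return None
    action, proto = tokens[0], tokens[1]
    if proto != "ip":
        raise ValueError(f"only 'ip' entries are handled: {line!r}")
    src, rest = _parse_addr(tokens[2:])
    dst, _ = _parse_addr(rest)
    return action, src, dst


def parse_acl(text):
    return [a for a in (parse_ace(l) for l in text.strip().splitlines()) if a]


def first_match(acl, src, dst):
    """IOS semantics: the first ACE covering both src and dst wins; implicit deny."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def nat_exemption_problems(crypto_acl, nat_acl):
    """Every flow the crypto ACL encrypts must hit a 'deny' in the NAT ACL."""
    problems = []
    for action, src, dst in crypto_acl:
        if action == "permit" and first_match(nat_acl, src, dst) != "deny":
            problems.append(f"{src} -> {dst} is NATted before encryption")
    return problems


def mirror(acl):
    """What the far end's crypto ACL must contain: source and destination swapped."""
    return [(action, dst, src) for action, src, dst in acl]


def is_mirror(local_acl, remote_acl):
    return set(mirror(local_acl)) == set(remote_acl)


# Constructed sample: Cisco LAN 192.168.1.0/24, Juniper LAN 10.10.10.0/24.
CRYPTO_ACL = parse_acl("permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255")
NAT_ACL_GOOD = parse_acl("""
access-list 100 remark NAT
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
""")
# Two common mistakes: the deny is missing, or it is written backwards.
NAT_ACL_NO_DENY = parse_acl("access-list 100 permit ip 192.168.1.0 0.0.0.255 any")
NAT_ACL_REVERSED = parse_acl("""
access-list 100 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
""")
REMOTE_CRYPTO_ACL = parse_acl("permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255")

if __name__ == "__main__":
    for name, acl in (("good", NAT_ACL_GOOD), ("no deny", NAT_ACL_NO_DENY),
                      ("reversed", NAT_ACL_REVERSED)):
        print(name + ":", nat_exemption_problems(CRYPTO_ACL, acl) or "ok")
    print("remote crypto ACL mirrors local:", is_mirror(CRYPTO_ACL, REMOTE_CRYPTO_ACL))
```

Paste the real ACLs from `show access-lists` on both routers into the strings; the Juniper side's policy is expressed differently, but its proxy-ID pair must still equal `mirror(CRYPTO_ACL)` for phase 2 to select the right SA.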


I believe that the default MTU values are different on the two devices: Juniper is 1514 and Cisco is 1500. This could be causing an issue.

I changed the MTU on the Cisco to different values; still not working :/
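The accepted answer's 1300-byte MTU, the CCP failure about DF-bit pings, and the 1514 vs 1500 discussion all come down to ESP overhead. Below is an added example, not from the original post, Cisco or Juniper, that works out for the thread's transform set (esp-aes 256 esp-sha-hmac, i.e. AES-256-CBC with a 96-bit HMAC-SHA1 ICV, tunnel mode) how large an inner packet can be before the encrypted packet exceeds the outer link MTU, what `ip tcp adjust-mss` value that implies, and what payload size a Linux-style `ping -M do -s` needs to probe it. The 1492 figure assumes PPPoE on the Dialer (8 bytes of PPPoE/PPP framing); the post only shows the crypto map applied to Dialer1 and does not say.

```python
"""ESP tunnel-mode overhead vs. the outer link MTU.

Added example for this thread, not code from the original post, Cisco or
Juniper. Constants follow the transform set in the post (esp-aes 256 +
esp-sha-hmac). PPPoE on the Dialer is an assumption.
"""

OUTER_IPV4 = 20   # new outer IP header added in tunnel mode
ESP_HDR = 8       # SPI (4) + sequence number (4)
AES_CBC_IV = 16   # one cipher block, carried in the clear per packet
AES_BLOCK = 16    # CBC pads the encrypted region to a multiple of this
ESP_TRAILER = 2   # pad length (1) + next header (1)
SHA1_96_ICV = 12  # esp-sha-hmac authentication tag
NAT_T_UDP = 8     # extra UDP/4500 header if NAT traversal is negotiated
PPPOE_PPP = 8     # PPPoE (6) + PPP (2): why an ADSL Dialer MTU is usually 1492
IPV4_ICMP = 28    # IPv4 (20) + ICMP echo (8) headers in a ping


def esp_packet_size(inner_len, nat_t=False):
    """Outer IPv4 length after ESP tunnel-mode encapsulation of inner_len bytes."""
    enc = inner_len + ESP_TRAILER
    enc += (-enc) % AES_BLOCK            # CBC padding up to the block boundary
    size = OUTER_IPV4 + ESP_HDR + AES_CBC_IV + enc + SHA1_96_ICV
    return size + NAT_T_UDP if nat_t else size


def max_inner_mtu(outer_mtu, nat_t=False):
    """Largest inner packet whose ESP encapsulation still fits in outer_mtu.

    Anything bigger is fragmented after encryption, or dropped outright when
    DF is set and some hop has a smaller MTU: the failure CCP reports above.
    """
    inner = outer_mtu
    while esp_packet_size(inner, nat_t) > outer_mtu:
        inner -= 1
    return inner


def tcp_mss_for(inner_mtu):
    """Value for 'ip tcp adjust-mss' on the LAN-side interface: MTU - IPv4 - TCP."""
    return inner_mtu - 20 - 20


def icmp_data_size(inner_mtu):
    """'ping -M do -s' payload that produces an inner_mtu-byte packet."""
    return inner_mtu - IPV4_ICMP


def mtu_table(outer_mtus=(1500, 1500 - PPPOE_PPP)):
    """Per outer MTU: largest safe inner MTU, matching MSS and DF-ping payload."""
    table = {}
    for outer in outer_mtus:
        inner = max_inner_mtu(outer)
        table[outer] = (inner, tcp_mss_for(inner), icmp_data_size(inner))
    return table


if __name__ == "__main__":
    for outer, (inner, mss, ping) in mtu_table().items():
        print(f"outer MTU {outer}: inner MTU {inner}, tcp adjust-mss {mss}, "
              f"DF ping payload {ping}")
    print("a 1300-byte inner packet is", esp_packet_size(1300), "bytes on the wire")
```

With a 1492-byte PPPoE link the largest inner packet that survives ESP without fragmentation is 1422 bytes, so the suggested 1300 leaves generous headroom (a 1300-byte packet becomes 1368 bytes on the wire). Because most hosts ignore the interface MTU and trust the TCP MSS, `ip tcp adjust-mss` on the LAN-side interface (Vlan1 on an 877, an assumption) with the value this prints is usually what makes TCP work, while the DF-bit ping with the listed payload confirms the path.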