Junos OS

  • 1.  support for IPsec Tunneling Protocol ALG on Junos 11.4

    Posted 03-04-2013 19:24

    Hi,

    Does Junos OS 11.4 or a later version support IPsec TP ALG? If it does, in which document can I find this detail?



  • 2.  RE: support for IPsec Tunneling Protocol ALG on Junos 11.4
    Best Answer



  • 3.  RE: support for IPsec Tunneling Protocol ALG on Junos 11.4

    Posted 03-05-2013 13:06

    Hello,

    IKE-ESP ALG is supported on SRX but is disabled by default.

    IKE-ESP ALG is not supported on MSDPC or MS-PIC.

    HTH

    Thanks

    Alex



  • 4.  RE: support for IPsec Tunneling Protocol ALG on Junos 11.4

    Posted 03-05-2013 13:19

    Thanks,

    So this will not work on MX960?



  • 5.  RE: support for IPsec Tunneling Protocol ALG on Junos 11.4

    Posted 03-06-2013 01:04

    Hello there,

    @freeair wrote:

    Thanks,

    So this will not work on MX960?


    If your question is about passing IKE & ESP (ip.proto 50) through MX960 with MSDPC & Stateful Firewall enabled then the answer is "it depends". You can create a rule to allow IKE (udp/500) only from inside to outside, and returning IKE flows will be allowed in only when the originating IKE flow was established from inside. For ESP it is more difficult; you may have to allow any ESP traffic from outside to inside.

    If your question is about passing IKE & ESP (ip.proto 50) through MX960 with MSDPC & NAT44 enabled then the answer is "possible with basic-nat44 only, but you may have to NAT to the same basic-nat44 pool all of the below protocols/ports:

    - udp/500
    - esp
    - udp/4500
    - any custom TCP/UDP port your client could use (like tcp/11000 which CSCO VPN client uses)".

    So your basic-nat44 pool must be sized properly to be able to accept all this traffic.

    HTH

    Thanks

    Alex

    P.S. For the definition of basic-nat44 & more, please see RFC 2663 http://tools.ietf.org/html/rfc2663
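The stateful-firewall behaviour Alex describes above, as an added toy model that is not from the thread or from Juniper: UDP flows are tracked by 5-tuple, so the IKE reply matches the outbound IKE flow, while ESP has no ports and each direction of an SA carries its own SPI, so the inbound ESP packet matches nothing and only passes through an explicit outside-to-inside ESP rule. Addresses, SPIs and the `INSIDE_PREFIX` split are constructed for the illustration; how a real MS-DPC keys ESP flows is not claimed here.

```python
from dataclasses import dataclass

UDP, ESP = 17, 50
INSIDE_PREFIX = "10.0.0."   # constructed: hosts behind the stateful firewall

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0   # UDP only
    dport: int = 0   # UDP only
    spi: int = 0     # ESP only; each direction of an SA carries its own SPI

def flow_key(p):
    # UDP flows are keyed by 5-tuple; ESP has no ports, only the SPI
    return (p.src, p.dst, ESP, p.spi) if p.proto == ESP else (p.src, p.dst, p.proto, p.sport, p.dport)

def reply_key(p):
    # UDP replies swap addresses/ports. The ESP reply uses a different SA whose SPI
    # was negotiated inside encrypted IKE, so the firewall can only try the same SPI.
    return (p.dst, p.src, ESP, p.spi) if p.proto == ESP else (p.dst, p.src, p.proto, p.dport, p.sport)

class StatefulFirewall:
    def __init__(self, allow_esp_from_outside=False):
        self.flows = set()
        self.allow_esp_from_outside = allow_esp_from_outside

    def process(self, p):
        if reply_key(p) in self.flows:                 # return traffic of a known flow
            return "accept:return-flow"
        if p.src.startswith(INSIDE_PREFIX):            # inside -> outside: IKE and ESP allowed
            if (p.proto == UDP and p.dport in (500, 4500)) or p.proto == ESP:
                self.flows.add(flow_key(p))
                return "accept:new-flow"
            return "drop"
        if p.proto == ESP and self.allow_esp_from_outside:   # the broad rule Alex mentions
            return "accept:esp-rule"
        return "drop"

def simulate(allow_esp_from_outside):
    """Run one IKE exchange and one ESP packet in each direction; return the verdicts."""
    fw = StatefulFirewall(allow_esp_from_outside)
    client, peer = "10.0.0.5", "203.0.113.9"          # constructed addresses
    pkts = [Packet(client, peer, UDP, 500, 500),      # IKE request from inside
            Packet(peer, client, UDP, 500, 500),      # IKE reply from outside
            Packet(client, peer, ESP, spi=0x1111),    # outbound ESP (peer's inbound SPI)
            Packet(peer, client, ESP, spi=0x2222)]    # inbound ESP (client's inbound SPI)
    return [fw.process(p) for p in pkts]
```

Without the explicit ESP rule the fourth verdict is "drop"; with it, "accept:esp-rule", which is the trade-off an IKE-ESP ALG exists to avoid.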