Another useful post for route-based vpn from

Cisco router configuration:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp key 0 keyforlab123 address 2.2.2.2

crypto ipsec transform-set ESP_AES_256 esp-aes 256 esp-sha-hmac

crypto ipsec profile CIPHER-AES-256
 set transform-set ESP_AES_256

Tunnel interface configuration:

interface Tunnel18
 description tunnel_to_srx
 ip address 192.168.100.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CIPHER-AES-256
end

Juniper SRX configuration:

interfaces {
    st0 {
        unit 0 {
            family inet {
                mtu 1514;
                address 192.168.100.2/30;
            }
        }
    }
}
security {
    ike {
        proposal p1-aes {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-policy-1 {
            mode main;
            proposals p1-aes;
            pre-shared-key ascii-text "keyforlab123";
        }
        gateway cisco {
            ike-policy ike-policy-1;
            address 1.1.1.1;
            dead-peer-detection;
            external-interface fe-0/0/0;
        }
    }
    ipsec {
        proposal ipsec-proposal-1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-policy-1 {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ipsec-proposal-1;
        }
        vpn vpn-to-cisco {
            bind-interface st0.0;
            ike {
                gateway cisco;
                ipsec-policy ipsec-policy-1;
            }
            establish-tunnels immediately;
        }
    }
}
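The usual reason a cross-vendor tunnel like this one refuses to come up is a Phase 1 or Phase 2 proposal that differs between the two sides, and the two vendors spell the same algorithm differently (IOS `esp-sha-hmac` is Junos `hmac-sha1-96`, IOS `encr aes 256` is Junos `aes-256-cbc`). The Python script below is an added example, not code from the post or from either vendor: it embeds the proposal-relevant lines of the two configurations above as constructed strings, normalises the vendor names into one vocabulary, and reports every negotiated parameter that disagrees plus a warning when PFS is set on one side only. The Junos walker assumes one statement or brace per line, as `show configuration` prints it, and the PSK comparison assumes a cleartext (`key 0`) key as in the post; the name tables cover the algorithms on this page plus a few common ones.

```python
import re
# Constructed sample input: the proposal-relevant lines of the post's two configs.
CISCO_CONFIG = """
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 0 keyforlab123 address 2.2.2.2
crypto ipsec transform-set ESP_AES_256 esp-aes 256 esp-sha-hmac
"""
SRX_CONFIG = """
security {
    ike {
        proposal p1-aes {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-policy-1 {
            pre-shared-key ascii-text "keyforlab123";
        }
    }
    ipsec {
        proposal ipsec-proposal-1 {
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-policy-1 {
            perfect-forward-secrecy {
                keys group5;
            }
        }
    }
}
"""

def norm_enc(v):  # 'aes 256' / aes-256-cbc -> aes256; 3des-cbc -> 3des
    m = re.match(r"aes[- ]?(\d+)", v)
    return f"aes{m[1]}" if m else v.split("-")[0]

def norm_hash(v):  # sha / sha1 / hmac-sha1-96 -> sha; hmac-sha-256-128 -> sha256
    s = re.sub(r"-(96|128)$", "", re.sub(r"^hmac-", "", v)).replace("-", "")
    return "sha" if s == "sha1" else s

CISCO_PATTERNS = {  # vendor-neutral name -> (regex over the IOS config, normaliser)
    "ike_enc": (r"^\s*encr (\S+(?: \d+)?)$", norm_enc),
    "ike_hash": (r"^\s*hash (\S+)$", norm_hash),
    "ike_dh": (r"^\s*group (\d+)$", int),
    "psk": (r"^crypto isakmp key \d+ (\S+) address", str),  # assumes a cleartext 'key 0'
    "ipsec_enc": (r"transform-set \S+ esp-(aes(?: \d+)?|3des)", norm_enc),
    "ipsec_hash": (r"transform-set .* esp-(\w+)-hmac", norm_hash),
    "pfs": (r"^\s*set pfs group(\d+)$", int),
}

def parse_cisco(text):
    p = {"pfs": None, "ike_hash": "sha"}  # IOS default hash is SHA-1 when none is set
    for name, (pattern, norm) in CISCO_PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m:
            p[name] = norm(m[1])
    return p

def junos_statements(text):
    """Walk a Junos config (one statement or brace per line, as 'show configuration'
    prints it) and yield (enclosing block path, statement)."""
    stack = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line:
            yield tuple(stack), line.rstrip(";")

def parse_junos(text):
    # Block context matters: the same statement names occur in both proposals.
    p = {"pfs": None}
    for path, stmt in junos_statements(text):
        key, *vals = stmt.split()
        proposal = path[1] if len(path) > 2 and path[2].startswith("proposal ") else None
        if proposal and key == "encryption-algorithm":
            p[f"{proposal}_enc"] = norm_enc(vals[0])
        elif proposal and key == "authentication-algorithm":
            p[f"{proposal}_hash"] = norm_hash(vals[0])
        elif proposal == "ike" and key == "dh-group":
            p["ike_dh"] = int(vals[0].replace("group", ""))
        elif key == "pre-shared-key" and vals[0] == "ascii-text":
            p["psk"] = vals[1].strip('"')
        elif key == "keys" and path and path[-1] == "perfect-forward-secrecy":
            p["pfs"] = int(vals[0].replace("group", ""))
    return p

NEGOTIATED = ("ike_enc", "ike_hash", "ike_dh", "psk", "ipsec_enc", "ipsec_hash")

def check_peers(cisco, srx):
    """Return (hard mismatches, warnings); any hard mismatch means no SA forms."""
    mismatches = {k: (cisco.get(k), srx.get(k)) for k in NEGOTIATED if cisco.get(k) != srx.get(k)}
    warnings = [] if cisco["pfs"] == srx["pfs"] else [
        f"PFS configured on one side only: cisco={cisco['pfs']} srx={srx['pfs']}"]
    return mismatches, warnings
```

Run against the post's configurations, `check_peers(parse_cisco(CISCO_CONFIG), parse_junos(SRX_CONFIG))` reports no mismatch and one warning: the SRX has `perfect-forward-secrecy keys group5` while the Cisco profile has no `set pfs`. That works here because the SRX initiates (`establish-tunnels immediately`) and IOS, when it has no PFS configured itself, accepts a PFS offer from the peer; adding `set pfs group5` to the `CIPHER-AES-256` profile makes both sides symmetric so PFS is also negotiated when the Cisco side rekeys or initiates.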

By netsec

One thought on “Route-based VPN between Juniper and Cisco”
  1. Thanks a lot for the working config! I used a /31 subnet mask (255.255.255.254) for the tunnel interface, with IP addresses 192.168.100.0 (Juniper) and 192.168.100.1 (Cisco). The VPN is a point-to-point connection.
