Another useful post for route-based VPN from

Cisco router configuration:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp key 0 keyforlab123 address

crypto ipsec transform-set ESP_AES_256 esp-aes 256 esp-sha-hmac

crypto ipsec profile CIPHER-AES-256
 set transform-set ESP_AES_256

Tunnel interface configuration:

interface Tunnel18
 description tunnel_to_srx
 ip address
 tunnel source GigabitEthernet0/0
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CIPHER-AES-256

Juniper SRX configuration:

interfaces {
    st0 {
        unit 0 {
            family inet {
                mtu 1514;
            }
        }
    }
}

security {
    ike {
        proposal p1-aes {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-policy-1 {
            mode main;
            proposals p1-aes;
            pre-shared-key ascii-text "keyforlab123";
        }
        gateway cisco {
            ike-policy ike-policy-1;
            external-interface fe-0/0/0;
        }
    }
    ipsec {
        proposal ipsec-proposal-1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-policy-1 {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ipsec-proposal-1;
        }
        vpn vpn-to-cisco {
            bind-interface st0.0;
            ike {
                gateway cisco;
                ipsec-policy ipsec-policy-1;
            }
            establish-tunnels immediately;
        }
    }
}
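
An added example, not part of the original post: a short Python check that normalises the IKE (phase 1) and IPsec (phase 2) parameters from both configurations and reports any that differ between the two peers. The excerpts are constructed from the configs above with addresses and keys left out, the function names are this example's own, and treating a missing IOS "hash" line as SHA-1 is an assumption about the platform default.

```python
import re
# Constructed excerpts of the two configurations above (addresses and keys left out).
CISCO = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto ipsec transform-set ESP_AES_256 esp-aes 256 esp-sha-hmac
crypto ipsec profile CIPHER-AES-256
 set transform-set ESP_AES_256
"""
JUNIPER = """\
ike { proposal p1-aes { authentication-method pre-shared-keys; dh-group group5;
  authentication-algorithm sha1; encryption-algorithm aes-256-cbc; } }
ipsec { proposal ipsec-proposal-1 { protocol esp;
  authentication-algorithm hmac-sha1-96; encryption-algorithm aes-256-cbc; }
  policy ipsec-policy-1 { perfect-forward-secrecy { keys group5; } } }
"""

def find(pattern, text, default):  # first capture group, normalised, else default
    m = re.search(pattern, text, re.M)
    value = m.group(1) if m else default
    return {"sha": "sha1"}.get(value, value).replace("sha-", "sha").replace(" ", "-")

def cisco_params(cfg):
    return {
        "ike_enc": find(r"^\s*encr (aes \d+)", cfg, "unset"),
        "ike_hash": find(r"^\s*hash (\S+)", cfg, "sha"),  # assumed IOS default: SHA-1
        "ike_dh": find(r"^\s*group (\d+)", cfg, "unset"),
        "esp_enc": find(r"esp-(aes \d+)", cfg, "unset"),
        "esp_auth": find(r"esp-(sha\d*)-hmac", cfg, "unset"),
        "pfs": find(r"set pfs group(\d+)", cfg, "none"),
    }

def juniper_params(cfg):
    ike, ipsec = cfg.split("ipsec {", 1)  # both phases reuse the same keywords
    return {
        "ike_enc": find(r"encryption-algorithm (aes-\d+)", ike, "unset"),
        "ike_hash": find(r"authentication-algorithm (sha-?\d+)", ike, "unset"),
        "ike_dh": find(r"dh-group group(\d+)", ike, "unset"),
        "esp_enc": find(r"encryption-algorithm (aes-\d+)", ipsec, "unset"),
        "esp_auth": find(r"authentication-algorithm hmac-(sha-?\d+)", ipsec, "unset"),
        "pfs": find(r"keys group(\d+)", ipsec, "none"),
    }

def mismatches(a, b):  # {parameter: (value_in_a, value_in_b)} where they differ
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

print(mismatches(cisco_params(CISCO), juniper_params(JUNIPER)))
```

On the two configs above the only difference reported is "pfs": the SRX IPsec policy sets group5, while the Cisco IPsec profile has no "set pfs" line.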

By netsec

One thought on “Route-based VPN between Juniper and Cisco”
  1. Thanks a lot for working config! I used subnet mask for tunnel interface /31 (, ip-addresses (Juniper) and (Cisco). VPN is a point-to-point connection.
