Juniper SRX to Cisco IPsec site to site VPN

SRX240 to Cisco IPsec site to site VPN – an example


SRX IKE traceoptions (debug logging, written to /var/log/CustomerIKE) used while troubleshooting this tunnel:

set security ike traceoptions file CustomerIKE
set security ike traceoptions flag all

#### Cisco Config for the IKE Phase 1:
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600

crypto isakmp key xxx address j.j.j.j
crypto isakmp invalid-spi-recovery
##### Juniper SRX240 config for the phase 1 stuff


Step 1 – Create an st0.x interface and put it into a zone, e.g. a VPN zone

Nb. On the first attempt I created st1.0 instead of st0.0; st1.x numbering doesn’t show up in J-Web when
trying to configure the IPsec VPN, whereas st0.x numbering does allow you to select it from the drop-down menu in J-Web.

Step 2 – Create a policy to permit traffic between zones, e.g. between the trust and VPN zones

Step 3 – Add a route, or a policy, with the st0.x interface as the destination

Step 4 – Add the IKE and IPsec configuration below to bind to the external interface and the st0.x tunnel

Step 5 – Enable IKE as an inbound service on the Internet zone

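Steps 1 to 5 above are described in prose only, so here is one complete set-format configuration for them. This is an added example, not configuration from the original post: the zone names Internet (holding the external interface ge-0/0/1.0), VPN (holding st0.0) and trust, the address-book names local-lan and remote-lan, and the policy names are assumptions; the networks k.k.0.0/16 (local) and d.d.d.0/24 (remote) and the interface ge-0/0/1.0 are taken from the post. Lines starting with # are explanatory comments.

```junos
# Step 1: tunnel interface st0.0 in its own zone (unnumbered is fine for a route-based VPN)
set interfaces st0 unit 0 family inet
set security zones security-zone VPN interfaces st0.0

# Address-book entries so the policies match the two LANs rather than any/any
# (assumed names: local-lan, remote-lan)
set security zones security-zone trust address-book address local-lan k.k.0.0/16
set security zones security-zone VPN address-book address remote-lan d.d.d.0/24

# Step 2: policies permitting traffic between trust and VPN in both directions
set security policies from-zone trust to-zone VPN policy trust-to-vpn match source-address local-lan
set security policies from-zone trust to-zone VPN policy trust-to-vpn match destination-address remote-lan
set security policies from-zone trust to-zone VPN policy trust-to-vpn match application any
set security policies from-zone trust to-zone VPN policy trust-to-vpn then permit
set security policies from-zone VPN to-zone trust policy vpn-to-trust match source-address remote-lan
set security policies from-zone VPN to-zone trust policy vpn-to-trust match destination-address local-lan
set security policies from-zone VPN to-zone trust policy vpn-to-trust match application any
set security policies from-zone VPN to-zone trust policy vpn-to-trust then permit

# Step 3: static route that sends the remote LAN into the tunnel interface
set routing-options static route d.d.d.0/24 next-hop st0.0

# Step 4: the IKE gateway (external-interface ge-0/0/1.0) and the vpn
# (bind-interface st0.0) are the stanzas shown in the post under step 6 and
# the phase 2 section; nothing further is needed here.

# Step 5: the external interface sits in the Internet zone and must accept IKE
set security zones security-zone Internet interfaces ge-0/0/1.0
set security zones security-zone Internet host-inbound-traffic system-services ike
```

Because st0.0 sits in its own zone, a trust-to-Internet source NAT rule-set on the SRX never sees tunnel traffic, so the NAT exemption the post describes for the Cisco side is not needed on the Juniper side in this design. Restricting the policies to the two address-book entries rather than any/any keeps the tunnel from becoming a general path between the zones if either side is later reconfigured.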
Step 6 – ike phase 1 config

The following sits under `security ike` (the policy must reference the proposal by the name it was defined with):

proposal CustomerIKEP1-3des {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy CustomerCity {
    mode main;
    proposals CustomerIKEP1-3des;
    pre-shared-key ascii-text xxx;
}
gateway S2S-IKE-Gateway-CustomerCity {
    ike-policy CustomerCity;
    address c.c.c.c;
    local-identity inet j.j.j.j;
    external-interface ge-0/0/1.0;
}

##### Cisco config for the Phase 2 IPsec stuff

crypto ipsec transform-set <your-transform-set> esp-aes esp-md5-hmac

crypto map VPNS 60 ipsec-isakmp
 set peer j.j.j.j
 set transform-set <your-transform-set>
 set pfs group2
 match address 115

>> If a NAT overload rule is already configured on the Cisco device, make sure you exclude traffic destined
for the VPN, e.g.

ip nat inside source list 101 interface Dialer1 overload

>> Nb. Make sure you exclude VPN traffic from being NATed (if you want to keep the private IP ranges). The deny line uses
wildcard masks for the local /24 and remote /16 networks:
access-list 101 deny   ip d.d.d.0 0.0.0.255 k.k.0.0 0.0.255.255
access-list 101 permit ip d.d.d.0 0.0.0.255 any

>> Make another ACL to define the “interesting traffic”, i.e. the traffic to send via the tunnel:
access-list 115 permit ip d.d.d.0 0.0.0.255 k.k.0.0 0.0.255.255


##### Juniper config for the Phase 2 IPsec stuff

The following sits under `security ipsec`:

proposal CustomerIPsecPhase2Proposal-aes {
    description "Proposal with aes";
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy CustomerIPsecPolicy {
    description "For site to site VPN to Customer City office";
    perfect-forward-secrecy {
        keys group2;
    }
    proposals CustomerIPsecPhase2Proposal-aes;
}

### Nb. The proxy-identity must match the reverse of the VPN ACL (access-list 115) on the Cisco side
(unless you are using tunnel interfaces on the Cisco side). If you leave it out, debug on the Cisco side
will show errors about the peer identity not matching, while on the Juniper side the errors will only say
something like "peer did not select proposal for phase 2".

vpn CustomerAppCityVPN {
    bind-interface st0.0;
    ike {
        gateway S2S-IKE-Gateway-CustomerCity;
        proxy-identity {
            local k.k.0.0/16;
            remote d.d.d.0/24;
            service any;
        }
        ipsec-policy CustomerIPsecPolicy;
    }
    establish-tunnels immediately;
}
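Once both sides are committed, these operational-mode commands confirm that phase 1 and phase 2 came up and that the proxy identities agreed. This is an added checklist, not from the original post; the trace file name CustomerIKE and the vpn name CustomerAppCityVPN are the ones the post uses, and the lines starting with # are explanatory comments.

```junos
# Phase 1: expect the gateway c.c.c.c in state UP; "detail" shows the negotiated
# proposal (3des-cbc, md5, group2, 3600s) and the local-identity j.j.j.j
show security ike security-associations
show security ike security-associations detail

# Phase 2: one inbound and one outbound SA per tunnel, bound to st0.0;
# if the proxy-identity is wrong there is no SA here and phase 1 still shows UP
show security ipsec security-associations
show security ipsec security-associations detail

# Counters that should increase while traffic crosses the tunnel
show security ipsec statistics

# The tunnel interface itself should be up/up once the SAs exist
show interfaces st0.0 terse

# IKE trace output written by the traceoptions at the top of the post
show log CustomerIKE

# Once the tunnel works, remove the "flag all" trace: it is verbose and logs
# negotiation detail you do not want accumulating on a production firewall
# (configuration mode)
delete security ike traceoptions
```

On the Cisco side the equivalent checks are `show crypto isakmp sa` (state should reach QM_IDLE) and `show crypto ipsec sa` (non-zero encaps/decaps counters for the 115 ACL pair), with `debug crypto isakmp` giving the peer-identity mismatch messages the note above refers to.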


This entry was posted in Cisco, Juniper. Bookmark the permalink.
