IPSEC VPN between SRX and Cisco

In this post, I would like to share my site-to-site ipsec vpn configuration between srx100 (junos 11.1R4.4) and cisco3725 (ios 12.4) (on dynamips)

Cisco Configuration

JUNOS IPSEC related config

Troubleshooting outputs

And finally the proof that ipsec tunnel works

Actually I have tried to setup a multipoint tunnel interface on SRX side however I could never make it. If I use multipoint interface, I have to use NHTB like;

PS: is a dummy IP and it doesn’t have to be assigned to any interface

PS: Why can st0.0 interface be down? If you have multipoint vpn tunnels, for st0.0 interface to be up at least one of the tunnels must be UP (i.e IPSEC SA must be established)

6 thoughts on “IPSEC VPN between SRX and Cisco

  1. stephen


    I’m just looking through this document about Juniper SRX to Cisco IPSec tunnel. Good document by the way : )

    I have the tunnel established with interface st0.0 up/up, but when I add the static route on the Juniper for the remote Cisco subnet, it does not appear in the Juniper routing table so I dont think the Juniper is sending out encrypted packets as I do not see them arriving on the Cisco.

    Am I missing something stupid here?

    Thanks for your time


  2. rtoodtoo Post author

    Hi Stephen,
    I think you are talking about what I said at the end of my post. I don’t recall what exactly I did during my testing but I had also trouble doing this that routes weren’t showing up. I will check this point during my studies on jncie-sec and update this post hopefully for future reference.


  3. rtoodtoo Post author

    While I was doing some labs I have seen that you shouldn’t be leaving st0.0 without any IP assigned. If there is no IP, route doesn’t appear in the table. Also in multipoint configuration I have seen several cases that route isn’t being installed but each had different causes.

  4. diu618

    Could you let me know which version of Junos are you using?
    I am using the Olive 12.1R1.9 and 10.1R1.8 but there some commands missing.
    For instance i cannot find #set security ike gateway command. The “gateway” option is not there.



You have a feedback?

This site uses Akismet to reduce spam. Learn how your comment data is processed.