JNCIE-SEC: IPSEC VPN between SRX and Cisco

In JNCIE-SEC exam, one of the IPSEC topics is “Interoperability with 3rd party devices”.
In one of my previous post I had already written about this but this time, I will do
policy based VPN on SRX side.

IPsec VPNs


I will setup an IPSEC VPN between J41 SRX device Cisco1 cisco device. Just ignore the st0.0
interface on SRX as it is used in my other setups, also I won’t include some basic config e.g
zone address book, ike host-inbound enabling etc to make the post more clear.

What I want to achieve is
that I would like to ping from SRX J41 (network
towards and behind Cisco device. Lets configure the devices;

SRX IKE Config


SRX Security Policy Config
We create two pair policy here for<---> traffic.

Cisco Side Config

Now generate some traffic from to

Yes it works!

Check tunnel on SRX side

We can see that

  • IKE is established towards
  • an IPSEC sa with index number 4 is also established
  • Local and Remote Identities are determined according to the security policies configured

Check IPSEC on Cisco side

We can see the local and remote identities are taken form access-list 101

Now I will just duplicate my work. I also want to reach network
behind this cisco device. I will do the same: First SRX side;

Now we have to policies in both directions

Second Cisco side configuration:
(We are adding another access-list entry on 101)

Check SRX again after the second network addition;

As we can see we have an extra IPSEC sa established for the second policy.
This is possibly not a recommended method if you have many IPSEC tunnels.
You wouldn’t want to keep one tunnel per policy I suppose.

If you check cisco side, you will also see the opposite local/remote identities;

Now we have established a policy based IPSEC VPN between SRX and a 3rd party device in this post
and used some show commands to check the status of these connections.

1 thought on “JNCIE-SEC: IPSEC VPN between SRX and Cisco

  1. jerry

    hello rtodto,i have question for log.this message sent my mobile phone,Probably not clear enough.

    kmd[1341]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: sh-sydney Gateway: gw-sydney, Local: *.*.80.62/500, Remote: *.*.173.202/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0


You have a feedback?

This site uses Akismet to reduce spam. Learn how your comment data is processed.