IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco Router w/ VTI

And finally: A route-based VPN between a Juniper ScreenOS SSG firewall and a Cisco router with a virtual tunnel interface (VTI). Both sides with tunnel interfaces and IPv4 addresses. Both sides with a real routing entry in the routing table. Great. ;)

(The VPN between those two parties without a tunnel interface on the Cisco router is documented here. However, use the route-based VPN where you can. It is easier and more flexible. Routing decisions based on the routing table. This is how it should be.)

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–

My lab with a SSG5 (6.3.0r17.0) and a Cisco 2811 (12.4(24)T8):


S2S VPN Juniper ScreenOS - Cisco Router w VTI Laboratory

Juniper ScreenOS SSG

The configuration steps on the SSG are the following:

  1. P1 and P2 Proposals, e.g., PFS group 14 (!), AES256, SHA1, 28800/3600 sec
  2. Gateway with the IPv4 address of the other side (Cisco router), Preshared Key and user defined P1 Proposal
  3. Numbered (Fixed IP) Tunnel Interface
  4. AutoKey IKE profile which points to the just created gateway, P2 proposal and tunnel interface. The VPN Monitor can be set to automatically build the tunnel
  5. Route through the tunnel interface with a gateway IP address of the tunnel interface of the other side

Here are my configuration screenshots:

Cisco Router

These are the commands for the Cisco CLI. The crypto isakmp policy and crypto ipsec transform-set values are exactly the same as the P1 and P2 proposals on the SSG. The crypto ipsec profile references the transform-set and is configured with a perfect-forward secrecy group of 14. The interface Tunnel has an IPv4 address, a source and destination (outside/untrust IP addresses from the router and the firewall), a mode of ipsec and a reference to the ipsec profile. Finally, the route to the remote network flows through the tunnel. (Note that this VPN does not use the “crypto map” commands.)



After the tunnel establishment, the monitor status on the SSG is Up:

S2S SSG-IOS2 - SSG 09 Monitor Status

And the Cisco router can be queried with the following commands:


The end. ;)

One thought on “IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco Router w/ VTI

Leave a Reply

Your email address will not be published. Required fields are marked *