Site-to-site IPSec between Juniper and Cisco through Mikrotik’s NAT

Since my company has been using Cisco and Juniper network equipment we have a lot of IPSec tunnels to remote branches. To achieve some sort of high-availability we have decided to implement one of the IPSec tunnels over an LTE network.

To do so, we bought a Mikrotik wAP LTE kit to connect to an LTE network and obtained a public IP address from a mobile data operator.

So we have:

  1. Cisco ISR in the DC with public IP address
  2. Mikrotik wAP LTE with public IP address
  3. Juniper SRX100 in the branch with private address connected to Mikrotik

Cisco ISR config

Tunnel interface:

IPSec config:


Juniper SRX config

Adding to zone and allowing IKE on the interface:


Mikrotik config


IPsec debug on SRX

To debug IPSec on Juniper you can use these commands:

Phase 1

Phase 2


Making Home Lab. Part 1

Due to a lot of experience that I have with real networking hardware, it is not mandatory to have a Home Lab to pass CCNA R&S. However, I’ve decided that it could be extremely useful for my further professional development to have a lab at home.

It is understood that there are two options:

Option 1. Buy real Cisco gear on eBay


  • real hardware


  • lack of flexibility
  • quite expensive
  • noisy
  • require a lot of space


Cisco Certification

I have been around networks for over 8 years and I have always had a dream to become a CCIE. Now it is time to set the GOAL and to start my journey.

So I’ve started studying for the CCNA R&S exam and thought I would put my notes on this blog. It might be useful for me and, hopefully, my notes can be helpful to someone else. These notes are based on the CCNA R&S 200-125 Official Cert Guide and CBT Nuggets.

Cisco native VLAN mystery revealed

Many people have trouble understanding Cisco’s native VLAN idea. Actually, it is very simple.

Let’s start with the statement that the native VLAN has two functions:

  1. It tags incoming untagged frames on trunk links with the native VLAN.
  2. It untags outgoing frames that have already been tagged with the same VLAN that is being used for the native VLAN on the trunk.


The New Scary Trend Happening in Russia

We’ve just changed our Cisco 2911 to Mikrotik 1100 on one of our sites. And it’s happening with all Russian ISPs. They are migrating to Mikrotik because it is cheap, powerful and easy. Cisco, on the other hand, is expensive and Cisco professionals are expensive too 😉 As for me, it is scary enough…

Switchport Configurations Explained


Originally it was posted by Brad Hedlund.

It always helps me to think of the English translation when trying to memorize and understand some of the Cisco IOS settings I think are important.

Here are some Cisco IOS switchport configurations translated into English:

switchport mode trunk says: “Always trunk on this end, and I will send DTP to attempt to negotiate a trunk on the other end.”

switchport nonegotiate says: “Do not send or respond to DTP from this end. Disable all DTP on this port.” (Best used on user access ports, when trunking to non-Cisco switches, when trunking to a router[1], or if you are paranoid about fast convergence[2])

switchport mode dynamic desirable says: “Ask the other end to trunk using DTP and trunk if the negotiation succeeds. If DTP negotiation fails then become an access port.”

switchport mode dynamic auto says: “If the other end asks me to be a trunk with DTP, then become a trunk, but I won’t initiate any negotiation from this end. If no one asks me to become a trunk then I will become an access port.”

switchport mode access says: “Never trunk on this end, and I will send out DTP to help my link partner reach the same conclusion.”

switchport trunk encapsulation says: “Do not negotiate the trunk protocol with DTP. Only use the trunk protocol specified in this command (isl or dot1q).”

[1] Cisco routers do not talk DTP

[2] The process of DTP message exchange adds some delay in negotiating and bringing up a trunk. Use ‘switchport mode trunk’ + ‘switchport nonegotiate’ + ‘switchport trunk encapsulation’ for the fastest possible formation of a trunk.

Routes via DHCP

Basically, this is a very old post. Originally it was posted on my old Russian blog in early 2012. Nevertheless, I hope it might be useful.

When I was working at the university, we used PPTP VPN servers to let our staff access the Internet. Computers got their default gateway from the VPN server, and it was a real problem because we had a lot of internal servers and different subnets, so the gateway was unique for each building. To address this problem, our system administrators had to add routes on every computer manually.

A possible solution was to distribute routes through the DHCP server.
At that time we used a Cisco 4503E as the default gateway and DHCP server.

Routes are controlled by DHCP option 249, for example, option 249 ip (network) (mask) (gateway).

There is RFC

Unfortunately, it didn’t work for /23 and /8 networks… Windows computers just ignored them.

Later, I realized that it was possible to send option 249 in HEX format.

For instance:

write hex:
byte number: 1 2 3 4 5 6 7 8
hex: 15 AC AC 00 A8 A8 A8 A8

byte 1 – mask length in hex (21 dec -> 15 hex)
bytes 2 to 4 – our network
bytes 5 to 8 – gateway

in configuration:
ip dhcp pool POOL
option 249 hex 15ACAC00A8A8A8A8
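
The byte layout described above, generalized to any prefix length and to several routes in one option, as an added example (this is not the script the post refers to, and the function names are made up for illustration). The decoder goes the other way, so an existing `option 249 hex` line can be checked for the routes it actually pushes to clients; the /23 and /8 sample routes are constructed.

```python
import ipaddress

def encode_route(destination, gateway):
    """One route: prefix length, significant network octets, 4-byte gateway."""
    net = ipaddress.IPv4Network(destination, strict=True)  # rejects host bits
    gw = ipaddress.IPv4Address(gateway)
    significant = (net.prefixlen + 7) // 8   # /21 -> 3 octets, /8 -> 1, /0 -> 0
    return bytes([net.prefixlen]) + net.network_address.packed[:significant] + gw.packed

def encode_option_249(routes):
    """Concatenate all routes into the hex string used after 'option 249 hex'."""
    return b"".join(encode_route(d, g) for d, g in routes).hex().upper()

def decode_option_249(hex_string):
    """Parse a hex string back into (network, gateway) pairs, validating lengths."""
    data = bytes.fromhex(hex_string)
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen} at byte {i + 1}")
        significant = (prefixlen + 7) // 8
        end = i + 1 + significant + 4
        if end > len(data):
            raise ValueError("truncated route entry")
        # Pad the transmitted octets back to a full 4-byte network address.
        net_bytes = data[i + 1:i + 1 + significant] + bytes(4 - significant)
        network = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(net_bytes)}/{prefixlen}", strict=True)
        gateway = ipaddress.IPv4Address(data[end - 4:end])
        routes.append((str(network), str(gateway)))
        i = end
    return routes

if __name__ == "__main__":
    # The route from the post plus constructed /23 and /8 examples.
    sample = [("172.172.0.0/21", "168.168.168.168"),
              ("10.10.2.0/23", "10.10.0.1"),
              ("10.0.0.0/8", "192.168.1.1")]
    encoded = encode_option_249(sample)
    print(encoded)
    print(decode_option_249(encoded))
```
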

Actually, I found the script below to calculate HEX format for 249 option:

