Site-to-site IPSec between Juniper and Cisco through Mikrotik’s NAT

Since my company uses Cisco and Juniper network equipment, we have a lot of IPSec tunnels to remote branches. To get some sort of high availability, we decided to run one of the IPSec tunnels over an LTE network.

To do so we bought a Mikrotik wAP LTE kit to connect to the LTE network and obtained a public IP address from the mobile data operator.

So, we have:

  1. Cisco ISR in the DC with public IP address 1.1.1.1
  2. Mikrotik wAP LTE with public IP address 2.2.2.2
  3. Juniper SRX100 in the branch with private address 172.16.1.2/30 connected to Mikrotik

Cisco ISR config

Tunnel interface:

IPSec config:


Juniper SRX config

Adding to zone and allowing IKE on the interface:


Mikrotik config
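
For the topology listed above (Cisco ISR at 1.1.1.1, Mikrotik at 2.2.2.2, SRX at 172.16.1.2 behind it), the Mikrotik has to forward IKE (UDP/500) and NAT-T (UDP/4500) from the DC router to the SRX and masquerade the SRX's outbound traffic, while not exposing the branch to anything else arriving on the LTE side. The RouterOS fragment below is an added illustration of that, not the author's configuration; the LTE interface name `lte1` and the rule comments are assumptions, and the addresses are the ones from the list above.

```routeros
# Added example (not the author's config): forward IKE and NAT-T from the DC ISR
# (1.1.1.1) through the Mikrotik's public address (2.2.2.2) to the SRX (172.16.1.2).
# Interface name "lte1" is an assumption; adjust to the wAP LTE kit's actual interface.
/ip firewall nat
add chain=dstnat in-interface=lte1 src-address=1.1.1.1 dst-address=2.2.2.2 \
    protocol=udp dst-port=500 action=dst-nat to-addresses=172.16.1.2 to-ports=500 \
    comment="IKE from DC ISR to SRX"
add chain=dstnat in-interface=lte1 src-address=1.1.1.1 dst-address=2.2.2.2 \
    protocol=udp dst-port=4500 action=dst-nat to-addresses=172.16.1.2 to-ports=4500 \
    comment="NAT-T (UDP-encapsulated ESP) from DC ISR to SRX"
# Outbound IKE/NAT-T from the SRX must leave the LTE link sourced from 2.2.2.2
add chain=srcnat out-interface=lte1 action=masquerade comment="branch out via LTE"
/ip firewall filter
# dst-nat runs before the forward chain, so match the translated SRX address here
add chain=forward connection-state=established,related action=accept \
    comment="return traffic"
add chain=forward in-interface=lte1 src-address=1.1.1.1 dst-address=172.16.1.2 \
    protocol=udp dst-port=500,4500 action=accept comment="IKE/NAT-T to SRX only"
add chain=forward in-interface=lte1 connection-state=new action=drop \
    comment="drop any other unsolicited inbound on LTE"
```

Two points follow from this layout. First, plain ESP (IP protocol 50) cannot be masqueraded, so both peers must negotiate NAT traversal (RFC 3947/3948); the rules above only forward UDP/500 and UDP/4500. Second, the Cisco sees the peer as 2.2.2.2 while the SRX's own interface address is 172.16.1.2, so the SRX's IKE identity should not be left at its private address; matching identities on both sides is what usually turns a Phase 1 failure into a working tunnel in this setup. Restricting the dst-nat rules to `src-address=1.1.1.1` keeps the branch from answering IKE probes from anyone but the DC router.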


IPsec debug on SRX

To debug IPSec on Juniper you can use these commands:

Phase 1

Phase 2


The New Scary Trend Happening in Russia

We’ve just replaced our Cisco 2911 with a Mikrotik 1100 on one of our sites. And it’s happening with all Russian ISPs: they are migrating to Mikrotik because it is cheap, powerful and easy, whereas Cisco is expensive and Cisco professionals are expensive too 😉 As for me, it is scary enough…
