And finally: A route-based VPN between a Juniper ScreenOS SSG firewall and a Cisco router with a virtual tunnel interface (VTI). Both sides with tunnel interfaces and IPv4 addresses. Both sides with a real routing entry in the routing table. Great.
(The VPN between those two parties without a tunnel interface on the Cisco router is documented here. However, use the route-based VPN where you can. It is easier and more flexible. Routing decisions based on the routing table. This is how it should be.)
My lab with a SSG5 (6.3.0r17.0) and a Cisco 2811 (12.4(24)T8):
Laboratory
Juniper ScreenOS SSG
The configuration steps on the SSG are the following:
- P1 and P2 Proposals, e.g., PFS group 14 (!), AES256, SHA1, 28800/3600 sec
- Gateway with the IPv4 address of the other side (Cisco router), Preshared Key and user defined P1 Proposal
- Numbered (Fixed IP) Tunnel Interface
- AutoKey IKE profile which points to the just created gateway, P2 proposal and tunnel interface. The VPN Monitor can be set to automatically build the tunnel
- Route through the tunnel interface with a gateway IP address of the tunnel interface of the other side
Here are my configuration screenshots:
Cisco Router
These are the commands for the Cisco CLI. The crypto isakmp policy and crypto ipsec transform-set values are exactly the same as the P1 and P2 proposals on the SSG. The crypto ipsec profile references the transform-set and is configured with a perfect forward secrecy group of 14. The interface Tunnel has an IPv4 address, a source and destination (the outside/untrust IP addresses of the router and the firewall), tunnel mode ipsec ipv4, and a reference to the ipsec profile. Finally, the route to the remote network points through the tunnel interface. (Note that this VPN does not use the “crypto map” commands.)
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 28800
!
crypto isakmp key aXedLr6oO4P83QIM2HlQPQnHy3aO9f address 172.16.1.1
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SSG
 set transform-set aes256-sha
 set pfs group14
!
interface Tunnel111
 ip address 10.0.0.10 255.255.255.252
 tunnel source 172.16.1.5
 tunnel destination 172.16.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SSG
!
ip route 192.168.111.0 255.255.255.0 Tunnel111 10.0.0.9
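The most common reason such an interop tunnel does not come up is a proposal mismatch between the two vendors. As an added example (not from the post), here is a small Python check that parses the IOS side of this configuration, fills in the IOS defaults for any line that is absent, and compares the effective IKE/IPsec parameters against the SSG's P1/P2 proposals from the list above; the config string is constructed from the commands above with the pre-shared key line omitted.

```python
import re

# Constructed sample: the VTI-side IOS configuration from this post (key line omitted).
IOS_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 28800
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SSG
 set transform-set aes256-sha
 set pfs group14
"""
# P1/P2 proposals configured on the SSG in the post, keyed by IOS keyword.
SSG_P1 = {"encr": "aes 256", "hash": "sha", "authentication": "pre-share", "group": "14", "lifetime": "28800"}
SSG_P2 = {"esp": "esp-aes 256 esp-sha-hmac", "pfs": "group14", "lifetime": "3600"}
# IOS values that apply when a line is absent: isakmp policy defaults, no PFS, 3600 s SA lifetime.
P1_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
P2_DEFAULTS = {"esp": None, "pfs": "none", "lifetime": "3600"}

def parse_ios(cfg):
    """Return (p1, p2): the effective IKE policy and IPsec profile values."""
    p1, p2, tsets, section = dict(P1_DEFAULTS), dict(P2_DEFAULTS), {}, None
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy"):
            section = "p1"
        elif line.startswith("crypto ipsec profile"):
            section = "p2"
        elif (m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line)):
            tsets[m.group(1)] = m.group(2)  # name -> "esp-aes 256 esp-sha-hmac"
        elif line.startswith(" ") and section == "p1":
            key, _, val = line.strip().partition(" ")  # e.g. "encr" / "aes 256"
            if key in P1_DEFAULTS:
                p1[key] = val
        elif line.startswith(" ") and section == "p2":
            what, val = line.split()[1], line.split()[-1]  # "set pfs group14"
            if what == "transform-set":
                p2["esp"] = tsets.get(val)  # resolve the referenced transform-set
            elif what == "pfs":
                p2["pfs"] = val
    return p1, p2

def mismatches(cfg, ssg_p1=SSG_P1, ssg_p2=SSG_P2):
    """List (phase, parameter, ios_value, ssg_value) for every value that differs."""
    p1, p2 = parse_ios(cfg)
    diff = [("P1", k, p1[k], v) for k, v in ssg_p1.items() if p1[k] != v]
    diff += [("P2", k, p2[k], v) for k, v in ssg_p2.items() if p2[k] != v]
    return diff
```

Running `mismatches(IOS_CONFIG)` on the configuration above returns an empty list; dropping the isakmp lifetime line or changing the PFS group is reported with the IOS default or value that would actually be proposed.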
Stats
After the tunnel establishment, the monitor status on the SSG is Up:
And the Cisco router can be queried with the following commands:
fd-wv-ro03#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1134  172.16.1.5      172.16.1.1             ACTIVE aes  sha  psk  14 00:58:33
       Engine-id:Conn-id =  SW:134

IPv6 Crypto ISAKMP SA

---------------------------------------

fd-wv-ro03#show crypto ipsec sa

interface: Tunnel111
    Crypto map tag: Tunnel111-head-0, local addr 172.16.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 279508, #pkts encrypt: 279508, #pkts digest: 279508
    #pkts decaps: 279547, #pkts decrypt: 279547, #pkts verify: 279547
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.5, remote crypto endpt.: 172.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBFC4F0CA(3217354954)
     PFS (Y/N): Y, DH group: group14

     inbound esp sas:
      spi: 0x665D5E6E(1717395054)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4171, flow_id: NETGX:2171, sibling_flags 80000046, crypto map: Tunnel111-head-0
        sa timing: remaining key lifetime (k/sec): (4493506/2655)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBFC4F0CA(3217354954)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4172, flow_id: NETGX:2172, sibling_flags 80000046, crypto map: Tunnel111-head-0
        sa timing: remaining key lifetime (k/sec): (4493506/2655)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

---------------------------------------

fd-wv-ro03#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S    192.168.121.0/24 [1/0] via 10.0.0.5, Tunnel121
C    192.168.151.0/24 is directly connected, FastEthernet0/1.151
S    192.168.120.0/24 [1/0] via 172.16.1.2
C    192.168.150.0/24 is directly connected, FastEthernet0/1.150
S    192.168.111.0/24 [1/0] via 10.0.0.9, Tunnel111
S    192.168.125.0/24 [1/0] via 172.16.1.2
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, FastEthernet0/0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.0.8 is directly connected, Tunnel111
C       10.0.0.4 is directly connected, Tunnel121
S*   0.0.0.0/0 [1/0] via 172.16.1.1
The end.