I am trying to set up a site-to-site VPN.
The main office has a static IP and the remote office has a dynamic IP.
The connection is UP for 100 sec, then it goes down for about 20 sec, then comes UP again, and this repeats all the time.
I am a beginner with Juniper, and I took this config from some examples.
It may be some timeout. Or ...
Both devices are SRX240. The MAIN IP number has been changed a little.
Could anyone help me?!
Many Thanks!!!

srxtimor@SRX_MAIN> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode        Remote Address
2072563  UP     224985dac6acafc3  993b53790f521d90  Aggressive  remote IP address

srxtimor@SRX_MAIN> show security ipsec security-associations
  Total active tunnels: 1
  ID          Algorithm      SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <268173315  ESP:3des/sha1  5704c28b  3592/ unlim  U    root  500   remote IP address
  >268173315  ESP:3des/sha1  46d24f3f  3592/ unlim  U    root  500   remote IP address

srxtimor@SRX_MAIN> show security ipsec security-associations index 268173315
  ID: 268173315 Virtual-system: root, VPN Name: PITTIO
  Local Gateway: 193.168.135.253, Remote Gateway: remote IP address
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.10
  Port: 500, Nego#: 2156, Fail#: 0, Def-Del#: 0 Flag: 0x608a29
  Last Tunnel Down Reason: VPN monitoring
    Direction: inbound, SPI: 5704c28b, AUX-SPI: 0
                              , VPN Monitoring: UP
    Hard lifetime: Expires in 3557 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2979 seconds
    Mode: Tunnel(10 10), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: 46d24f3f, AUX-SPI: 0
                              , VPN Monitoring: UP
    Hard lifetime: Expires in 3557 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2979 seconds
    Mode: Tunnel(10 10), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

srxtimor@SRX_MAIN> show security ipsec security-associations
  Total active tunnels: 1
  ID          Algorithm      SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <268173315  ESP:3des/sha1  5704c28b  3501/ unlim  U    root  500   remote IP address
  >268173315  ESP:3des/sha1  46d24f3f  3501/ unlim  U    root  500   remote IP address

srxtimor@SRX_MAIN> show security ipsec security-associations
  Total active tunnels: 0

##MAIN office
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 193.168.135.253/29;
            }
        }
    }
    st0 {
        unit 10 {
            family inet;
        }
    }
}
routing-options {
    traceoptions {
        file STATICROUTE;
        flag route;
    }
    static {
        route 0.0.0.0/0 next-hop 193.168.135.254;
        route 193.168.135.128/27 next-hop st0.10;
    }
}
}
security {
    log {
        disable;
        mode event;
    }
    ike {
        policy ike_pol_PITTIO {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "$9$uA3KOBRhSrKv8IRSlMWx7bwY2ZUq.f3/C";
        }
        gateway gw_PITTIO {
            ike-policy ike_pol_PITTIO;
            dynamic user-at-hostname "timor@MAIN.fi";
            local-identity inet 193.168.135.253;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        policy ip_pol_PITTIO {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn PITTIO {
            bind-interface st0.10;
            vpn-monitor;
            ike {
                gateway gw_PITTIO;
                ipsec-policy ip_pol_PITTIO;
            }
            establish-tunnels immediately;
        }
    }
}
host-inbound-traffic {
    system-services {
        ike;
    }
}
interfaces {
    ge-0/0/0.0;
}
}
security-zone VPN_PITTIO {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        st0.10 {
            host-inbound-traffic {
                protocols {
                    all;
                }
            }
        }
    }
}
}
}

##REMOTE office
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 193.168.135.129/27;
            }
        }
    }
    st0 {
        unit 5 {
            family inet;
        }
    }
routing-options {
    static {
        route 193.168.135.0/25 next-hop st0.5;
    }
}
security {
    ike {
        policy ike_pol_REMOTE_PITTIO {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "$9$x15N-bs24JZDVb2oGUHkf5Qz9AB1ElvW";
        }
        gateway gw_REMOTE_PITTIO {
            ike-policy ike_pol_REMOTE_PITTIO;
            address 193.168.135.253;
            dead-peer-detection interval 10;
            local-identity user-at-hostname "timor@MAIN.fi";
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        policy ipsec_pol_REMOTE_PITTIO {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn REMOTE_PITTIO {
            bind-interface st0.5;
            vpn-monitor;
            ike {
                gateway gw_REMOTE_PITTIO;
                ipsec-policy ipsec_pol_REMOTE_PITTIO;
            }
            establish-tunnels immediately;
        }
    }
    security-zone Internet {
        host-inbound-traffic {
            system-services {
                ike;
            }
        }
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                    }
                }
            }
        }
    }
    security-zone VPN_PITTIO {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            st0.5 {
                host-inbound-traffic {
                    protocols {
                        all;
                    }
                }
            }
        }
    }
}
}
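
An added example, not part of the original post: a Python parser for the `show security ipsec security-associations index` detail output quoted above, which pulls out the fields that describe the flapping (negotiation count, last down reason, remaining hard lifetime). The function names, the 3600-second lifetime, both thresholds and the reading of `Nego#` as a negotiation count are assumptions, not values stated in the post.

```python
import re

# Constructed sample: abridged from the detail output quoted in the post.
SAMPLE = """\
ID: 268173315 Virtual-system: root, VPN Name: PITTIO
Port: 500, Nego#: 2156, Fail#: 0, Def-Del#: 0 Flag: 0x608a29
Last Tunnel Down Reason: VPN monitoring
Direction: inbound, SPI: 5704c28b, AUX-SPI: 0
, VPN Monitoring: UP
Hard lifetime: Expires in 3557 seconds
Direction: outbound, SPI: 46d24f3f, AUX-SPI: 0
, VPN Monitoring: UP
Hard lifetime: Expires in 3557 seconds
"""

TUNNEL_FIELDS = {"vpn": r"VPN Name: (\S+)", "nego": r"Nego#: (\d+)",
                 "fail": r"Fail#: (\d+)",
                 "down_reason": r"Last Tunnel Down Reason: ([^\r\n]+)"}

def parse_sa_detail(text):
    """Extract tunnel-level fields and one record per SA direction."""
    info = {}
    for key, pattern in TUNNEL_FIELDS.items():
        m = re.search(pattern, text)
        info[key] = m.group(1).strip() if m else None
    info["sas"] = []
    # Every "Direction:" line opens the block that describes one SA.
    for block in re.split(r"(?m)^[ \t]*(?=Direction: )", text)[1:]:
        head = re.match(r"Direction: (\w+), SPI: ([0-9a-f]+)", block)
        mon = re.search(r"VPN Monitoring: (\S+)", block)
        hard = re.search(r"Hard lifetime: Expires in (\d+) seconds", block)
        if head:
            info["sas"].append({"direction": head.group(1), "spi": head.group(2),
                                "monitor": mon.group(1) if mon else None,
                                "hard_left": int(hard.group(1)) if hard else None})
    return info

def triage(info, lifetime=3600, young=300, max_nego=100):
    """Flag signs of a flapping tunnel; all three defaults are assumptions."""
    findings = []
    ages = [lifetime - sa["hard_left"] for sa in info["sas"]
            if sa["hard_left"] is not None]
    if ages and max(ages) < young:
        findings.append(f"SA is only {max(ages)}s old: recently rebuilt")
    if int(info["nego"] or 0) > max_nego and int(info["fail"] or 0) == 0:
        findings.append(f"{info['nego']} negotiations, 0 failures: keeps renegotiating")
    if (info["down_reason"] or "").lower() == "vpn monitoring":
        findings.append("last teardown was triggered by vpn-monitor")
    return findings
```

Calling `triage(parse_sa_detail(SAMPLE))` on the sample returns three findings, including an SA age of 43 seconds under the assumed 3600-second lifetime.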