SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Site to site vpn UP 100second and down 20second all the time problem.

    Posted 08-08-2016 05:44

    I am trying a site-to-site VPN.
    The main office has a static IP and the remote office has a dynamic IP.
    The connection is UP for 100 seconds, then goes down for about 20 seconds, and then comes UP again, all the time.
    I am a beginner with Juniper, and I took this config from some examples.
    It may be some timeout. Or ...
    Both devices are SRX240. The MAIN IP address has been changed slightly.

    Could anyone help me?!

    Many Thanks!!!


    srxtimor@SRX_MAIN> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    2072563 UP 224985dac6acafc3 993b53790f521d90 Aggressive remote IP address

    srxtimor@SRX_MAIN> show security ipsec security-associations
    Total active tunnels: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    <268173315 ESP:3des/sha1 5704c28b 3592/ unlim U root 500 remote IP address
    >268173315 ESP:3des/sha1 46d24f3f 3592/ unlim U root 500 remote IP address

    srxtimor@SRX_MAIN> show security ipsec security-associations index 268173315
    ID: 268173315 Virtual-system: root, VPN Name: PITTIO
    Local Gateway: 193.168.135.253, Remote Gateway: remote IP address
    Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.10

    Port: 500, Nego#: 2156, Fail#: 0, Def-Del#: 0 Flag: 0x608a29
    Last Tunnel Down Reason: VPN monitoring
    Direction: inbound, SPI: 5704c28b, AUX-SPI: 0, VPN Monitoring: UP
    Hard lifetime: Expires in 3557 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2979 seconds
    Mode: Tunnel(10 10), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 46d24f3f, AUX-SPI: 0, VPN Monitoring: UP
    Hard lifetime: Expires in 3557 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2979 seconds
    Mode: Tunnel(10 10), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    srxtimor@SRX_MAIN> show security ipsec security-associations
    Total active tunnels: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    <268173315 ESP:3des/sha1 5704c28b 3501/ unlim U root 500 remote IP address
    >268173315 ESP:3des/sha1 46d24f3f 3501/ unlim U root 500 remote IP address

    srxtimor@SRX_MAIN> show security ipsec security-associations
    Total active tunnels: 0


    ##MAIN office

    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 193.168.135.253/29;
    }
    }
    }


    st0 {
    unit 10 {
    family inet;
    }
    }

    }
    routing-options {
    traceoptions {
    file STATICROUTE;
    flag route;
    }
    static {
    route 0.0.0.0/0 next-hop 193.168.135.254;
    route 193.168.135.128/27 next-hop st0.10;
    }
    }


    }
    security {
    log {
    disable;
    mode event;
    }
    ike {
    policy ike_pol_PITTIO {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "$9$uA3KOBRhSrKv8IRSlMWx7bwY2ZUq.f3/C";
    }
    gateway gw_PITTIO {
    ike-policy ike_pol_PITTIO;
    dynamic user-at-hostname "timor@MAIN.fi";
    local-identity inet 193.168.135.253;
    external-interface ge-0/0/0;
    }
    }
    ipsec {
    policy ip_pol_PITTIO {
    perfect-forward-secrecy {
    keys group2;
    }
    proposal-set standard;
    }
    vpn PITTIO {
    bind-interface st0.10;
    vpn-monitor;
    ike {
    gateway gw_PITTIO;
    ipsec-policy ip_pol_PITTIO;
    }
    establish-tunnels immediately;
    }
    }


    }
    host-inbound-traffic {
    system-services {
    ike;
    }
    }
    interfaces {
    ge-0/0/0.0;
    }
    }
    security-zone VPN_PITTIO {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    st0.10 {
    host-inbound-traffic {
    protocols {
    all;
    }
    }
    }
    }
    }
    }
    }

     

    ##REMOTE office

    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    dhcp;
    }
    }
    }
    ge-0/0/3 {
    unit 0 {
    family inet {
    address 193.168.135.129/27;
    }
    }
    }

    st0 {
    unit 5 {
    family inet;
    }

    }
    routing-options {
    static {
    route 193.168.135.0/25 next-hop st0.5;
    }
    }


    security {
    ike {
    policy ike_pol_REMOTE_PITTIO {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "$9$x15N-bs24JZDVb2oGUHkf5Qz9AB1ElvW";
    }
    gateway gw_REMOTE_PITTIO {
    ike-policy ike_pol_REMOTE_PITTIO;
    address 193.168.135.253;
    dead-peer-detection interval 10;
    local-identity user-at-hostname "timor@MAIN.fi";
    external-interface ge-0/0/0;
    }
    }
    ipsec {
    policy ipsec_pol_REMOTE_PITTIO {
    perfect-forward-secrecy {
    keys group2;
    }
    proposal-set standard;
    }
    vpn REMOTE_PITTIO {
    bind-interface st0.5;
    vpn-monitor;
    ike {
    gateway gw_REMOTE_PITTIO;
    ipsec-policy ipsec_pol_REMOTE_PITTIO;
    }
    establish-tunnels immediately;
    }
    }

    security-zone Internet {
    host-inbound-traffic {
    system-services {
    ike;
    }
    }
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    dhcp;
    }
    }
    }
    }
    }
    security-zone VPN_PITTIO {

    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    st0.5 {
    host-inbound-traffic {
    protocols {
    all;
    }
    }
    }
    }
    }
    }
    }



  • 2.  RE: Site to site vpn UP 100second and down 20second all the time problem.
    Best Answer

    Posted 08-08-2016 06:13

    Hi,

    The last tunnel down reason is seen as follows:

    Last Tunnel Down Reason: VPN monitoring

    This means that VPN monitoring is causing your tunnel to go down when it does not get a response from the other side.

    You can check whether you are getting a proper response from the other side and whether VPN monitoring is configured properly there.

    Removing VPN monitoring from your tunnel configuration should take care of this issue.

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped. Kudos are appreciated as well.
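    As an added illustration of the check Sahil describes (not code from the thread or from Juniper), the following script reads the SA detail output and the vpn stanza posted in the question and reports whether VPN monitoring is the component tearing the tunnel down. The sample strings are constructed from the thread's own output and config; the regex-based parsing is an assumption that the field labels keep the form shown above.

```python
import re

# Constructed sample: the thread's "show security ipsec security-associations
# index 268173315" output, trimmed to the fields this check reads.
SA_DETAIL = """\
ID: 268173315 Virtual-system: root, VPN Name: PITTIO
Bind-interface: st0.10
Port: 500, Nego#: 2156, Fail#: 0, Def-Del#: 0 Flag: 0x608a29
Last Tunnel Down Reason: VPN monitoring
Direction: inbound, SPI: 5704c28b, AUX-SPI: 0, VPN Monitoring: UP
"""

# Constructed sample: the "vpn PITTIO" stanza from the main-office config.
VPN_CONFIG = """\
vpn PITTIO {
    bind-interface st0.10;
    vpn-monitor;
    ike {
        gateway gw_PITTIO;
        ipsec-policy ip_pol_PITTIO;
    }
    establish-tunnels immediately;
}
"""

def parse_sa_detail(text):
    """Extract the renegotiation counters and the last down reason from SA detail."""
    info = {"nego": None, "fail": None, "last_down_reason": None}
    m = re.search(r"Nego#:\s*(\d+),\s*Fail#:\s*(\d+)", text)
    if m:
        info["nego"], info["fail"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"Last Tunnel Down Reason:\s*(.+)", text)
    if m:
        info["last_down_reason"] = m.group(1).strip()
    return info

def vpn_monitor_enabled(config_text):
    """True if the vpn stanza carries a vpn-monitor statement (bare or with options)."""
    return re.search(r"^\s*vpn-monitor\s*[;{]", config_text, re.M) is not None

def diagnose(sa_text, config_text):
    """Nego# 2156 with Fail# 0 means the SA has been renegotiated many times without
    IKE errors; the down reason names the component that keeps tearing it down."""
    info = parse_sa_detail(sa_text)
    info["vpn_monitor_configured"] = vpn_monitor_enabled(config_text)
    info["flap_cause_is_vpn_monitor"] = (
        info["vpn_monitor_configured"]
        and (info["last_down_reason"] or "").lower() == "vpn monitoring"
    )
    return info
```

    Run the same check after deleting the vpn-monitor statement (or after configuring it with a reachable destination) and the flag should clear.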



  • 3.  RE: Site to site vpn UP 100second and down 20second all the time problem.

    Posted 08-09-2016 06:12

    Hi,

    Yes, I removed vpn-monitor and now it's working fine.

    Many thanks.

     

    -- Timo --