Hi evereyone!
We use a SRX220H and a SSG20 (ScreenOS 6.3). "Office A" uses the SRX, WAN-interface has static IP. In "Office B" there is a extra ADSL-Router with dynamic WAN-IP and the SSG connected via LAN-Interface (the SSG has no ADSL-Interface). The IPSec-VPN works correctly in "aggressive mode" for round about 24 hours. The lifetime seconds vor Phase 1 (3600) and Phase 2 (1200) is equal on both junipers. The IPSec-tunnel shuts down when the WAN-IP in "Office B" is changed by Internet Service Provider. On "Office A"-SRX the syslog-message "IKE negotiatin failed with error: SA unusable. IKE Version: 1, VPN: MYVPN Gateway: MYGATEWAYB; Local: {static IP Office A} /500 Remote: {new dynamic IP Office B} /500, Local IKE-ID: Not Available, Remote IKE-ID: Not-Availabble, VR-ID: 0" is shown.
To activate the VPN I can only power on/off the ADSL-Router in Office B or deactivate/activate the VPN on SRX (i use the "commit confirmed" command with rollback).
I tried to use the VPN Monitor on the SSG (Optimze/Rekey with ping to a host in Office A), but the VPN don't come up. The DPD on both Sides don't help too. Any ideas?