SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN SRX to SSG20 over ADSL-Router

    Posted 01-03-2015 02:19

    Hi everyone!

    We use an SRX220H and an SSG20 (ScreenOS 6.3). "Office A" uses the SRX; its WAN interface has a static IP. In "Office B" there is an extra ADSL router with a dynamic WAN IP, and the SSG is connected to it via a LAN interface (the SSG has no ADSL interface). The IPSec VPN works correctly in "aggressive mode" for about 24 hours. The lifetime seconds for Phase 1 (3600) and Phase 2 (1200) are equal on both Junipers. The IPSec tunnel shuts down when the WAN IP in "Office B" is changed by the Internet Service Provider. On the "Office A" SRX, the syslog message "IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: MYVPN Gateway: MYGATEWAYB; Local: {static IP Office A} /500 Remote: {new dynamic IP Office B} /500, Local IKE-ID: Not Available, Remote IKE-ID: Not-Available, VR-ID: 0" is shown.

    To activate the VPN I can only power on/off the ADSL router in Office B or deactivate/activate the VPN on the SRX (I use the "commit confirmed" command with rollback).

    I tried to use the VPN Monitor on the SSG (Optimize/Rekey with ping to a host in Office A), but the VPN doesn't come up. DPD on both sides doesn't help either. Any ideas?

     



  • 2.  RE: VPN SRX to SSG20 over ADSL-Router
    Best Answer

    Posted 01-03-2015 04:01

    Hi juni003,

     

    In an Aggressive Mode VPN tunnel setup, only the dynamic WAN IP endpoint has to initiate the tunnel all the time.

     

    So in your case, it has to be the SSG.

     

    Disable VPN monitoring and DPD and establish tunnel immediately on SRX.

     

    And ensure that a similar config is enabled on the SSG.


    Regards,
    rparthi
     



  • 3.  RE: VPN SRX to SSG20 over ADSL-Router

    Posted 01-05-2015 01:59

    Thank you. It works.

     

    I have configured the SSG, and in the last 50 hours the VPN went down twice and came up 10 minutes after tunnel shutdown.