Netgate Discussion Forum

    2.3.1_1 to Juniper

      afinman

      HELP!
      I'm having issues with VPN establishment to a Juniper device for a client of ours.
      I haven't seen their config myself, but we can get Phase 1 and 2 operational, but it never stays up and basically gets torn down and rebuilt at random intervals with the connection rarely lasting longer than 200 seconds, if ever. Usually get to around 100 seconds…

      Below is a sample which then leads to deletion

      Jun 8 19:07:57 charon 14[NET] <con1000|10>sending packet: from our.ip[500] to their.ip[500] (380 bytes)
      Jun 8 19:08:10 charon 11[IKE] <con1000|10>sending retransmit 3 of request message ID 949832778, seq 4
      Jun 8 19:08:10 charon 11[NET] <con1000|10>sending packet: from our.ip[500] to their.ip[500] (380 bytes)
      Jun 8 19:08:33 charon 09[IKE] <con1000|10>sending retransmit 4 of request message ID 949832778, seq 4
      Jun 8 19:08:33 charon 09[NET] <con1000|10>sending packet: from our.ip[500] to their.ip[500] (380 bytes)
      Jun 8 19:09:15 charon 05[IKE] <con1000|10>sending retransmit 5 of request message ID 949832778, seq 4
      Jun 8 19:09:15 charon 05[NET] <con1000|10>sending packet: from our.ip[500] to their.ip[500] (380 bytes)

      The other side (Juniper) apparently do not have DPD turned on, but I am seeing 12[IKE] <con1000|14>received DPD vendor ID in the logs.

      I am seeing entries like below

      Jun 8 19:18:31 charon 16[IKE] <con1000|16>giving up after 5 retransmits
      Jun 8 19:18:31 charon 16[KNL] <con1000|16>unable to delete SAD entry with SPI c2ae4dbc: No such file or directory (2)

      Help appreciated.

        shthead

        Apart from the bug with 2.3 and IPSEC + OpenBGP, my tunnels all work fine with Juniper. I terminate them on MX routers (using MS-MIC-16G).

        What is the config you are using on both ends?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.