- VPN monitoring sends ping packets across the tunnel (in encrypted form) to the remote-side gateway.
- When these ping packets reach the remote side, an SRX device accepts the packet, forwards it to the gateway, and sends a reply.
- With a non-SRX device, however, the packet does not match the proxy-identity, so the peer sends no reply.
- Because no ping reply is received, the SRX device concludes that the VPN is down and tries to rekey it, which causes the VPN to go up and down (flap).
The solution is to provide a source IP and destination IP address pair in the VPN-monitoring configuration, so that the ping packet being sent matches the proxy-identity on the remote side. The configuration is:
set security ipsec vpn <vpn-name> vpn-monitor destination-ip <ip-address>
set security ipsec vpn <vpn-name> vpn-monitor source-interface <source-interface>
Another workaround is to change VPN monitoring to optimized mode, so that it does not send ping packets but instead relies on the traffic passing through the VPN to decide whether the VPN should be brought down. This is done with the following configuration:
set security ipsec vpn <vpn-name> vpn-monitor optimized
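The following is an added example, not configuration from the original article, showing both workarounds in set syntax next to the proxy-identity they must match. All names and addresses are assumptions: VPN name `vpn-to-peer`, local network 10.1.1.0/24 reachable via interface `ge-0/0/1.0`, remote network 10.2.2.0/24, and a host 10.2.2.10 on the peer side that answers ICMP. Lines starting with `#` are annotations and should be dropped before loading.

```junos
# Constructed example; VPN name, interface and addresses are assumed values.
# Proxy identity (traffic selector) negotiated with the non-SRX peer.
set security ipsec vpn vpn-to-peer ike proxy-identity local 10.1.1.0/24
set security ipsec vpn vpn-to-peer ike proxy-identity remote 10.2.2.0/24
set security ipsec vpn vpn-to-peer ike proxy-identity service any

# Workaround 1: give the monitor probe a source/destination pair that falls
# inside the proxy identity above. The source interface holds an address in
# 10.1.1.0/24 and the destination host sits in 10.2.2.0/24, so the non-SRX
# peer sees the ping as tunnel traffic and replies.
set security ipsec vpn vpn-to-peer vpn-monitor source-interface ge-0/0/1.0
set security ipsec vpn vpn-to-peer vpn-monitor destination-ip 10.2.2.10

# Workaround 2 (use instead of workaround 1, not together with it): optimized
# mode stops sending probes and judges tunnel health from real traffic.
# set security ipsec vpn vpn-to-peer vpn-monitor optimized
```

After the commit, `show security ipsec security-associations detail` reports the VPN monitoring state for the tunnel, so a tunnel that was flapping should now stay up.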