I have made the same ipsec vpn for many times,but sometimes it works sometimes it doesn’t.
I dont know how to figure it out.
below is my config
the left router
eth
set vpn ipsec esp-group ESP-FNET-01 compression ‘disable’
set vpn ipsec esp-group ESP-FNET-01 lifetime ‘3600’
set vpn ipsec esp-group ESP-FNET-01 mode ‘tunnel’
set vpn ipsec esp-group ESP-FNET-01 pfs ‘dh-group2’
set vpn ipsec esp-group ESP-FNET-01 proposal 1 encryption ‘3des’
set vpn ipsec esp-group ESP-FNET-01 proposal 1 hash ‘sha1’
set vpn ipsec ike-group IKE-FNET-01 ikev2-reauth ‘no’
set vpn ipsec ike-group IKE-FNET-01 key-exchange ‘ikev1’
set vpn ipsec ike-group IKE-FNET-01 lifetime ‘28800’
set vpn ipsec ike-group IKE-FNET-01 proposal 1 dh-group ‘2’
set vpn ipsec ike-group IKE-FNET-01 proposal 1 encryption ‘3des’
set vpn ipsec ike-group IKE-FNET-01 proposal 1 hash ‘sha1’
set vpn ipsec ipsec-interfaces interface ‘public-interface’
set vpn ipsec nat-networks allowed-network ‘0.0.0.0/0’
set vpn ipsec nat-traversal ‘enable’
set vpn ipsec site-to-site peer gg authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer gg authentication pre-shared-secret ‘both-win’
set vpn ipsec site-to-site peer gg authentication remote-id ‘0.0.0.0’
set vpn ipsec site-to-site peer gg connection-type ‘respond’
set vpn ipsec site-to-site peer gg default-esp-group ‘ESP-FNET-01’
set vpn ipsec site-to-site peer gg ike-group ‘IKE-FNET-01’
set vpn ipsec site-to-site peer gg ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer gg local-address ‘public’
set vpn ipsec site-to-site peer gg tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer gg tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer gg tunnel 1 local prefix ‘10.30.245.241/32’
set vpn ipsec site-to-site peer gg tunnel 1 remote prefix ‘10.30.245.1/32’
the right router
set vpn ipsec esp-group ESP-FNET-01 compression ‘disable’
set vpn ipsec esp-group ESP-FNET-01 lifetime ‘3600’
set vpn ipsec esp-group ESP-FNET-01 mode ‘tunnel’
set vpn ipsec esp-group ESP-FNET-01 pfs ‘dh-group2’
set vpn ipsec esp-group ESP-FNET-01 proposal 1 encryption ‘3des’
set vpn ipsec esp-group ESP-FNET-01 proposal 1 hash ‘sha1’
set vpn ipsec ike-group IKE-FNET-01 ikev2-reauth ‘no’
set vpn ipsec ike-group IKE-FNET-01 key-exchange ‘ikev1’
set vpn ipsec ike-group IKE-FNET-01 lifetime ‘28800’
set vpn ipsec ike-group IKE-FNET-01 proposal 1 encryption ‘3des’
set vpn ipsec ike-group IKE-FNET-01 proposal 1 hash ‘sha1’
set vpn ipsec ipsec-interfaces interface ‘eth2’ -->192.168.141.188
set vpn ipsec nat-networks allowed-network ‘0.0.0.0/0’
set vpn ipsec nat-traversal ‘enable’
set vpn ipsec site-to-site peer xx authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer xx authentication pre-shared-secret ‘both-win’
set vpn ipsec site-to-site peer xx authentication remote-id ‘left-router’s public ip’
set vpn ipsec site-to-site peer xx connection-type ‘respond’
set vpn ipsec site-to-site peer xx default-esp-group ‘ESP-FNET-01’
set vpn ipsec site-to-site peer xx ike-group ‘IKE-FNET-01’
set vpn ipsec site-to-site peer xx ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer xx local-address ‘192.168.141.188’
set vpn ipsec site-to-site peer xx tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer xx tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer xx tunnel 1 local prefix ‘10.30.245.1/32’
set vpn ipsec site-to-site peer xx tunnel 1 remote prefix ‘10.30.245.241/32’
192.168.141.188 will nat to a public
Im not good at english,thank you so much