TL;DR: Don’t rekey the existing IKE SA in place, make a new one. On a Junos peer you can force reauthentication on every rekey with
set security ike policy your-ike-policy reauth-frequency 1
I recently switched from using a pair of Juniper EX2300-12P to a Brocade/Ruckus/CommScope ICX 7450-48P at home because I needed more 10G ports and faster inter-VLAN routing for 10G devices. I noticed that the 7450 also supports IPsec if you have a service module, so why not have one box that does it all?
Configuration was slightly annoying because the VPN feature set on the 7450 is limited to IKEv2 with Suite B ciphers. No surprise, since their target market is the government sector doing CSfC. Anyway, I got an IPsec VTI tunnel running from the ICX to a Juniper SRX in colo. BGP came up and traffic flowed.
It’s nearly perfect, just… every six hours it crashed with the following error on the console:
stack: 000396c0 0003db34 b6d2e6c8 b6bb37c1 014e2788 014e4a08 014e49f8 014920d8 01492174 007212fc 014915a8 b6d2b304 b6f37195 Disabled core-1
This was preceded by the following in syslog (payload type 43 is the Vendor ID payload in the IKEv2 payload type registry, RFC 7296 section 3.2):
notice IKEV2 Invalid Payload Type Received with Source 192.168.69.2 Destination 203.0.113.42 SPI 0xcf902bc51d027ca PayloadType 43
notice IKEV2 Invalid Payload Type Received with Source 192.168.69.2 Destination 203.0.113.42 SPI 0xcf902bc51d027ca PayloadType 43
info IKEV2 Phase2 failed . Proposal Mismatch Source 192.168.69.2 Destination 203.0.113.42 VRF 0 Tunnel 1
I changed the IKE rekey interval from 6 hours to 24, and the crashes moved to every 24 hours as well, which pointed to a problem during IKE rekey.
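As an added example (not code from the original post, and not Brocade or Juniper code), here is a small Python triage script for the pattern above: it parses syslog lines in the ICX format quoted earlier, decodes the payload type number through the RFC 7296 registry, correlates each "Invalid Payload Type" notice with the Phase2 failure that follows for the same peer pair, and reports how far apart the correlated failures are so you can compare that spacing against the configured IKE rekey lifetime. The ISO timestamp prefix is an assumed log format, and all sample lines beyond the three quoted in the post are constructed.

```python
"""Triage for ICX IKEv2 syslog: decode payload types, correlate notices with
Phase2 failures, and measure the failure cadence.

Added example; not from the original post, Brocade or Juniper. The timestamp
prefix and the sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IKEv2 payload type registry, RFC 7296 section 3.2
IKEV2_PAYLOAD_TYPES = {
    33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
    39: "AUTH", 40: "Nonce", 41: "Notify", 42: "Delete", 43: "Vendor ID",
    44: "TSi", 45: "TSr", 46: "SK (Encrypted and Authenticated)",
    47: "CP", 48: "EAP",
}

# Assumed format: "<ISO timestamp> <severity> <ICX message>"
INVALID_PAYLOAD_RE = re.compile(
    r"^(?P<ts>\S+) notice IKEV2 Invalid Payload Type Received with "
    r"Source (?P<src>\S+) Destination (?P<dst>\S+) SPI (?P<spi>0x[0-9a-f]+) "
    r"PayloadType (?P<ptype>\d+)$"
)
PHASE2_FAIL_RE = re.compile(
    r"^(?P<ts>\S+) info IKEV2 Phase2 failed \. Proposal Mismatch "
    r"Source (?P<src>\S+) Destination (?P<dst>\S+) VRF (?P<vrf>\d+) Tunnel (?P<tun>\d+)$"
)


def payload_name(ptype: int) -> str:
    """Map an IKEv2 payload type number to its RFC 7296 name."""
    return IKEV2_PAYLOAD_TYPES.get(ptype, f"unknown/private ({ptype})")


def parse_events(lines):
    """Yield (timestamp, kind, peer, detail) for the two message types; skip the rest."""
    for line in lines:
        m = INVALID_PAYLOAD_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), "invalid_payload",
                   (m["src"], m["dst"]), {"spi": m["spi"], "ptype": int(m["ptype"])})
            continue
        m = PHASE2_FAIL_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), "phase2_failed",
                   (m["src"], m["dst"]), {"tunnel": int(m["tun"])})


def correlate(lines, window=timedelta(seconds=30)):
    """One record per Phase2 failure preceded (within `window`) by Invalid Payload
    notices from the same source/destination pair, with decoded payload names."""
    pending = defaultdict(list)  # peer -> [(ts, spi, ptype)] not yet matched
    findings = []
    for ts, kind, peer, d in parse_events(lines):
        if kind == "invalid_payload":
            pending[peer].append((ts, d["spi"], d["ptype"]))
            continue
        recent = [p for p in pending.pop(peer, []) if ts - p[0] <= window]
        if recent:
            findings.append({
                "time": ts, "peer": peer, "tunnel": d["tunnel"],
                "spis": sorted({p[1] for p in recent}),
                "payloads": sorted({payload_name(p[2]) for p in recent}),
            })
    return findings


def failure_period(findings):
    """Median spacing between correlated failures; compare it to the IKE rekey lifetime."""
    times = sorted(f["time"] for f in findings)
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2] if gaps else None


# Constructed sample: the post's three lines, repeated on a six-hour cadence,
# plus one uncorrelated Phase2 failure with no preceding notice.
SAMPLE_LOG = [
    "2023-11-01T00:00:01 notice IKEV2 Invalid Payload Type Received with Source 192.168.69.2 Destination 203.0.113.42 SPI 0xcf902bc51d027ca PayloadType 43",
    "2023-11-01T00:00:01 notice IKEV2 Invalid Payload Type Received with Source 192.168.69.2 Destination 203.0.113.42 SPI 0xcf902bc51d027ca PayloadType 43",
    "2023-11-01T00:00:02 info IKEV2 Phase2 failed . Proposal Mismatch Source 192.168.69.2 Destination 203.0.113.42 VRF 0 Tunnel 1",
    "2023-11-01T03:12:40 info IKEV2 Phase2 failed . Proposal Mismatch Source 192.168.69.2 Destination 203.0.113.42 VRF 0 Tunnel 1",
    "2023-11-01T06:00:01 notice IKEV2 Invalid Payload Type Received with Source 192.168.69.2 Destination 203.0.113.42 SPI 0x1a2b3c4d5e6f7081 PayloadType 43",
    "2023-11-01T06:00:02 info IKEV2 Phase2 failed . Proposal Mismatch Source 192.168.69.2 Destination 203.0.113.42 VRF 0 Tunnel 1",
    "2023-11-01T12:00:01 notice IKEV2 Invalid Payload Type Received with Source 192.168.69.2 Destination 203.0.113.42 SPI 0x99887766aabbccdd PayloadType 43",
    "2023-11-01T12:00:02 info IKEV2 Phase2 failed . Proposal Mismatch Source 192.168.69.2 Destination 203.0.113.42 VRF 0 Tunnel 1",
]

if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["peer"], "tunnel", f["tunnel"], f["payloads"], f["spis"])
    print("median spacing between correlated failures:", failure_period(found))
```

Feed it the real syslog from the ICX and check two things: that the decoded payload name is consistent across failures, and that the median spacing matches the IKE rekey lifetime. If it does, the failure is tied to the rekey and not to traffic or time of day.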
After a few days of trial and error I noticed the reauth-frequency setting on the peer SRX. The SRX default (reauth-frequency 0) is to rekey the IKE SA in place with CREATE_CHILD_SA and never force reauthentication. I changed it to reauthenticate on every rekey, and it has now been running for over a week without a crash. Note that reauthentication replaces the IKE SA and its child SAs through a fresh IKE_SA_INIT/IKE_AUTH exchange rather than rekeying them in place, so expect a short renegotiation at each interval.