My VPN IPSEC Flaps

Question

I am new with SOPHOS and I just set up one IPSEC VPN with UTM 9 and Juniper. 
 
 The IPSEC configuration provided by the Juniper administrator was particular, and I need to set up one new Policy. 
 The policy is: 
 Compression Off, not using strict policy. 
 IKE Settings: 3DES / SHA1 / Group 2: MODP 1024 Lifetime 180 Sec. 
 IPsec Settings: 3DES / SHA1 / Group 2: MODP 1024 Lifetime 180 Sec. 
 
 The VPN Status shows this detail: 
 IKE: Auth PSK / Enc 3DES_CBC / Hash HMAC_SHA1 / Lifetime 180s / PFS MODP_1024 / DPD ESP: Enc 3DES_CBC / Hash HMAC_SHA1 / Lifetime 180s 
 
 The issue is that the VPN goes down after some time. With one VPN restarts, the connection establishes ok, but after some time goes down again. 
 
 Any tip, to review this issue? 
 
 Thanks in advance. 
 Gabriel.

BAlfson · Accepted Answer

Hi, Gabriel, and welcome to the UTM Community! 
 It appears that you didn't select the correct 'IPsec PFS group' in your Policy. Also, confirm that the Juniper has DPD enabled. 
 180 seconds? 3DES? If your correspondent with the Juniper is open to a change, I would recommend the default "AES 128 PFS" Policy. More efficient and more secure than 3DES and 180 seconds when using PFS seems wasteful to me. 
 Cheers - Bob

GabrielPereira · Answer

Bob, thanks for your post. 
 
 The issue was solved with this changes. 
 
 Set time to 360 sec or more, now we set to 3600 sec. (like you recomend) 
 Disable on bouths sides the DPD detection. 
 Disable on Juniper side the IPSEC Packet Replay 
 https://kb.juniper.net/InfoCenter/index?page=content&id=KB29580 
 
 With this changes the VPN is up and stable. 
 
 Thanks four your colaboration. 
 Gabriel