[vpn-help] Shrew disconnects from Juniper SRX210 after some minutes

Kevin VPN kvpn at live.com
Mon Apr 16 19:42:46 CDT 2012


On 04/14/2012 04:37 AM, Jeroen J.A.W. Hermans wrote:
> Thank you for your reply. I have checked my config, but DPD was not
> enabled. I cannot find any keepalive/heartbeat statements in my config
> (NAT-keepalive is off). The problem remains the same, also with other
> users at different remote locations. I feel I have tried all possible
> options, but nothing seems to work. Are there any other possible options
> I could try?
> Kind regards,
>
> Jeroen Hermans
>
> On 12-4-2012 4:31, Kevin VPN wrote:
>> On 04/03/2012 04:09 PM, Jeroen J.A.W. Hermans wrote:
>>> I have a problem I have been working on for a few weeks now and I don't seem
>>> to be able to get Shrew to work nicely with my Juniper SRX210. Setting
>>> up a VPN to the SRX is not a problem. Phase 1 and 2 are completed
>>> successfully. I am able to ping to the other network without any
>>> problems, but after about 6 minutes Shrew disconnects (see tracedump
>>> under this mail). I am using a Juniper SRX210 running JunOS 11.1R1.10
>>> and Shrew VPN 2.2.0. I am using a cabled network and I am behind a NAT
>>> router.
>>
>> Hi Jeroen,
>>
>> I would look at the Dead Peer Detection (DPD) or Heartbeat/Keepalive
>> settings, they often have a timeout of 300 seconds (5 minutes). Try
>> turning DPD or Heartbeat off to see if that changes the problem.

Hi Jeroen,

If it is enabled on the gateway (SRX), you could try disabling
NAT-Traversal (NAT-T).  I've occasionally seen that cause
problems if the gateway itself is not behind a NAT.

If the client (Shrew) NAT router supports proper handling of
IPSec+NAT, you may not need NAT-T enabled on the gateway.


