srx-345 with Junos 15.1X49-D170.4
I have a setup with a VPN tunnel on the external interface (ge-0/0/8.0). This is working fine. Now I want to set up a second tunnel to a different customer, so I created a second IKE gateway.
IKE gateway for existing tunnel (remote is behind a dynamic IP Provider):
gateway IKE-GW-VSE {
    ike-policy IKE-POL;
    dynamic hostname srx345-e16;
    dead-peer-detection {
        always-send;
        interval 15;
        threshold 3;
    }
    external-interface ge-0/0/8.0;
    version v2-only;
}
Now the gateway for the new tunnel:
gateway IKE-GW-JMU {
    ike-policy IKE-POL-JMU;
    address 1.2.3.4;
    dead-peer-detection {
        always-send;
        interval 15;
        threshold 3;
    }
    local-identity key-id keylocal;
    remote-identity key-id keyremote;
    external-interface ge-0/0/8.0;
    version v2-only;
}
I now expect incoming calls from 1.2.3.4 for ID keylocal, coming from the remote host with remote key keyremote, to go to IKE gateway IKE-GW-JMU. However, the trace shows:
[Oct 27 13:17:46]iked_pm_dynamic_gw_local_addr_based_lookup: Found gateway matching local addr IKE-GW-VSE for remote dynamic peer, sa_cfg[VSE-PT]
So the incoming call is associated with the wrong IKE gateway, and obviously no SA is established.
How do I handle this situation?
Thanks for your help.
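As an added example, not part of the original post, the following Python script parses the two gateway stanzas from the question and the quoted iked trace line, then reports that both gateways are bound to the same external interface (ge-0/0/8.0) while selecting their peer differently: one by a fixed address, the other by a dynamic identity. That is the overlap the trace line reflects when the lookup lands on IKE-GW-VSE. The script assumes only the curly-brace stanza format and the trace line format shown above; it makes no claim about how iked orders its gateway lookup internally, and the function names (parse_gateways, find_shared_interfaces, diagnose) are the example's own.

```python
"""Lint Junos-style 'security ike gateway' stanzas for gateways that share one
external interface, and relate the result to an iked lookup trace line."""
import re
from collections import defaultdict

# Constructed sample input: the two gateway stanzas exactly as posted in the question.
CONFIG = """
gateway IKE-GW-VSE {
    ike-policy IKE-POL;
    dynamic hostname srx345-e16;
    dead-peer-detection {
        always-send;
        interval 15;
        threshold 3;
    }
    external-interface ge-0/0/8.0;
    version v2-only;
}
gateway IKE-GW-JMU {
    ike-policy IKE-POL-JMU;
    address 1.2.3.4;
    dead-peer-detection {
        always-send;
        interval 15;
        threshold 3;
    }
    local-identity key-id keylocal;
    remote-identity key-id keyremote;
    external-interface ge-0/0/8.0;
    version v2-only;
}
"""

# The trace line quoted in the question (constructed copy for offline use).
TRACE_LINE = ("[Oct 27 13:17:46]iked_pm_dynamic_gw_local_addr_based_lookup: Found gateway "
              "matching local addr IKE-GW-VSE for remote dynamic peer, sa_cfg[VSE-PT]")

TRACE_RE = re.compile(
    r"Found gateway matching local addr (\S+) for remote dynamic peer, sa_cfg\[([^\]]+)\]")


def parse_gateways(text):
    """Parse 'gateway NAME { ... }' stanzas into {name: {dotted-key: value}}.
    Nested blocks (dead-peer-detection) become dotted keys; bare flags such as
    'always-send;' map to True."""
    gateways = {}
    current = None   # gateway currently being filled
    path = []        # nested block names inside that gateway
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            tokens = line[:-1].split()
            if tokens[0] == "gateway":
                current, path = tokens[1], []
                gateways[current] = {}
            else:
                path.append(" ".join(tokens))
            continue
        if line == "}":
            if path:
                path.pop()
            else:
                current = None
            continue
        if line.endswith(";") and current is not None:
            tokens = line[:-1].split()
            key = ".".join(path + [tokens[0]])
            gateways[current][key] = " ".join(tokens[1:]) if len(tokens) > 1 else True
    return gateways


def peer_selector(gw):
    """How a gateway identifies its remote peer: fixed address or dynamic identity."""
    if "address" in gw:
        return ("address", gw["address"])
    if "dynamic" in gw:
        return ("dynamic", gw["dynamic"])
    return ("unknown", None)


def find_shared_interfaces(gateways):
    """Group gateways by external-interface, split into static-address and dynamic-peer
    gateways, and keep only interfaces that carry more than one gateway: those are the
    local addresses on which an incoming IKE request has several candidate gateways."""
    by_iface = defaultdict(lambda: {"static": [], "dynamic": []})
    for name, gw in sorted(gateways.items()):
        bucket = "static" if peer_selector(gw)[0] == "address" else "dynamic"
        by_iface[gw.get("external-interface", "?")][bucket].append(name)
    return {iface: groups for iface, groups in by_iface.items()
            if len(groups["static"]) + len(groups["dynamic"]) > 1}


def parse_trace(line):
    """Extract (gateway, sa_cfg) from the iked lookup trace line, or None if absent."""
    m = TRACE_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def diagnose(gateways, trace_line, expected):
    """Relate the trace to the config: which gateway iked picked, which was expected,
    whether both sit on one interface, and which identities distinguish the expected one."""
    hit = parse_trace(trace_line)
    picked = hit[0] if hit else None
    report = {"picked": picked, "expected": expected, "same_interface": False,
              "expected_selector": peer_selector(gateways[expected]),
              "expected_identities": {k: v for k, v in gateways[expected].items()
                                      if k.endswith("-identity")}}
    if picked in gateways:
        report["same_interface"] = (gateways[picked].get("external-interface")
                                    == gateways[expected].get("external-interface"))
        report["picked_selector"] = peer_selector(gateways[picked])
    return report


if __name__ == "__main__":
    gws = parse_gateways(CONFIG)
    print("shared interfaces:", find_shared_interfaces(gws))
    print("diagnosis:", diagnose(gws, TRACE_LINE, "IKE-GW-JMU"))
```

Running it prints that ge-0/0/8.0 carries one static gateway (IKE-GW-JMU) and one dynamic gateway (IKE-GW-VSE), and that the gateway named in the trace is the dynamic one while the expected gateway is distinguished only by its address and key-id identities. Feeding it the full `show configuration security ike` output is a quick way to spot every interface with such an overlap before looking at traces.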