SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Need help setting up 2 VPNs on same interface

    Posted 10-27-2020 05:51

    srx-345 with Junos 15.1X49-D170.4


    I have a setup with a VPN tunnel on the external interface (ge-0/0/8.0). This is working fine. Now I want to set up a second tunnel to a different customer. I created a second IKE gateway.


    IKE gateway for the existing tunnel (the remote is behind a dynamic-IP provider):


    gateway IKE-GW-VSE {
         ike-policy IKE-POL;
         dynamic hostname srx345-e16;
         dead-peer-detection {
              always-send;
              interval 15;
              threshold 3;
         }
         external-interface ge-0/0/8.0;
         version v2-only;
    }


    Now the gateway for the new tunnel:


    gateway IKE-GW-JMU {
         ike-policy IKE-POL-JMU;
         address 1.2.3.4;
         dead-peer-detection {
              always-send;
              interval 15;
              threshold 3;
         }
         local-identity key-id keylocal;
         remote-identity key-id keyremote;
         external-interface ge-0/0/8.0;
         version v2-only;
    }


    I now expect incoming calls from 1.2.3.4 for ID keylocal, coming from the remote host with remote key keyremote, to go to IKE gateway IKE-GW-JMU. However, the trace shows:


    [Oct 27 13:17:46]iked_pm_dynamic_gw_local_addr_based_lookup: Found gateway matching local addr IKE-GW-VSE for remote dynamic peer, sa_cfg[VSE-PT]

    So, the incoming call is associated with the wrong IKE gateway. Obviously, no SA is established.

    How to handle this situation?

    Thanks for the help



  • 2.  Re: Need help setting up 2 VPNs on same interface

    Posted 10-28-2020 10:05

    The problem is solved. The remote site used IKEv1, and there is a chance of race conditions that might lead to using the wrong gateway if one VPN is dynamic and the other isn't. I was told so by Juniper support. However, properly setting up IKEv2 avoids this situation.
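Added example, not part of either post above: a complete set-format configuration for the two-gateway layout the thread describes (one dynamic-IP peer matched by hostname, one static peer matched by address and key-id), with both gateways pinned to IKEv2 as the resolution says, plus the traceoptions that produce the iked trace line quoted in the first post. The proposal name IKE-PROP, the cipher choices, the lifetime and the pre-shared-key placeholders are assumptions for illustration; gateway, policy, identity and interface names are taken from the post.

```junos
## Added example (not from the original post). Names match the thread; IKE-PROP,
## the algorithms, the lifetime and the <psk-...> placeholders are assumptions.

## One IKE proposal shared by both peers
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP lifetime-seconds 28800

## One IKE policy per peer so each peer has its own pre-shared key;
## never share a PSK between the dynamic and the static customer
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "<psk-vse>"
set security ike policy IKE-POL-JMU proposals IKE-PROP
set security ike policy IKE-POL-JMU pre-shared-key ascii-text "<psk-jmu>"

## Gateway 1: peer behind a dynamic IP, selected by its IKE identity (hostname).
## No address is configured, so this gateway can only be matched by identity.
set security ike gateway IKE-GW-VSE ike-policy IKE-POL
set security ike gateway IKE-GW-VSE dynamic hostname srx345-e16
set security ike gateway IKE-GW-VSE dead-peer-detection always-send
set security ike gateway IKE-GW-VSE dead-peer-detection interval 15
set security ike gateway IKE-GW-VSE dead-peer-detection threshold 3
set security ike gateway IKE-GW-VSE external-interface ge-0/0/8.0
set security ike gateway IKE-GW-VSE version v2-only

## Gateway 2: static peer on the same external interface, selected by its
## address and then checked against the key-id identities on both sides
set security ike gateway IKE-GW-JMU ike-policy IKE-POL-JMU
set security ike gateway IKE-GW-JMU address 1.2.3.4
set security ike gateway IKE-GW-JMU dead-peer-detection always-send
set security ike gateway IKE-GW-JMU dead-peer-detection interval 15
set security ike gateway IKE-GW-JMU dead-peer-detection threshold 3
set security ike gateway IKE-GW-JMU local-identity key-id keylocal
set security ike gateway IKE-GW-JMU remote-identity key-id keyremote
set security ike gateway IKE-GW-JMU external-interface ge-0/0/8.0
set security ike gateway IKE-GW-JMU version v2-only

## IKE trace, the source of the "iked_pm_dynamic_gw_local_addr_based_lookup"
## line in the first post; disable it again once the peers are up
set security ike traceoptions file ike-trace
set security ike traceoptions file size 10m
set security ike traceoptions flag all
```

After committing, `show security ike security-associations detail` lists, per peer, the negotiated IKE version and the local and remote identities, and `show security ike active-peer` shows which gateway each peer address landed on; `show security ipsec security-associations` confirms that a child SA actually came up for both. Both gateways carry `version v2-only`, so the static peer at 1.2.3.4 must itself be configured to initiate IKEv2; in IKEv2 the IDi/IDr payloads arrive in IKE_AUTH right after the initial exchange, whereas in IKEv1 main mode the identities are only sent, encrypted, in messages 5 and 6, which is why the thread's resolution insists on IKEv2 on both ends when a dynamic and a static gateway share one external interface.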