Juniper firewall: VPN fails to establish
(2013-01-23 16:20:41)
Tags: it | Category: Juniper
A Juniper firewall fails to bring up a VPN, and the log shows the following message: Phase 1: Retransmission limit has been reached.
Below is the relevant material I found in the Juniper knowledge base. It did not seem to fully solve the problem, but it is a useful reference for the troubleshooting approach on Juniper firewalls.
Synopsis:
VPN won't come up; it is failing in Phase 1, with 'Retransmission limit has been reached' reported in the event log.
Problem:
The VPN tunnel does not come up. It is failing in Phase 1, with 'Phase 1: Retransmission limit has been reached' reported in the Event log.
Because the Phase 1 handshake cannot complete, the VPN tunnel cannot be established.
Assumptions:
You are on the responder firewall, and there are no Phase 2 errors in the Event log.
You are on the responder firewall, and the only Phase 1 message in the event log is 'Retransmission limit has been reached'. If you have other Phase 1 errors, please refer to KB9238 - How to Analyze IKE Phase 1 Messages in the Event Logs.
You are on the initiator firewall, and there are no messages in the event log on the responder.
Note: It is always better to troubleshoot VPN connection problems by reviewing the messages on the responder side first.
Terminology:
The responder is the 'receiver' side of the VPN: the side being pinged, receiving tunnel setup requests, or receiving the tunneled traffic.
The initiator is the side of the VPN where the ping or traffic is generated.
Solution:
Use the following steps to determine what to do when you receive 'Phase 1: Retransmission limit has been reached' messages in the Event log.
1. From the firewall, can you ping the IP address of the Remote VPN Gateway OR any host on the Internet?
Yes - Continue with Step 2
No - Verify that a default route is configured on the firewall. If so, can you ping the firewall's default gateway? If you cannot ping the firewall's default gateway, check connectivity between the firewall and the default gateway router.
2. Is the Preshared Key specified in the IKE gateway configuration the same on both the initiator and the responder?
Yes - Continue with Step 3
No - In the IKE gateway configuration, reenter the Preshared Key on both the initiator and the responder and then attempt to bring up the VPN again.
3. Does the IP address specified in the IKE gateway configuration match the public IP address of the Remote Gateway?
Yes - Continue with Step 4
No - In the IKE gateway configuration, specify the correct IP address for the Remote Gateway, and then attempt to bring up the VPN again.
4. Does the IKE gateway's outgoing interface match the route to the destination?
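As an added example (not from the Juniper KB or the original post), here is a Python script that applies the KB's assumptions and then steps 3 and 4 to an exported event log and configuration offline; steps 1 and 2 need the live firewall. The log lines, gateway name, addresses, interfaces and routing table are constructed sample values, and the ScreenOS `set ike gateway` syntax and `IKE<peer>` log prefix are assumed from memory.

```python
import ipaddress
import re
# Constructed ScreenOS-style event log lines (sample data, not from the page)
LOG_LINES = [
    "IKE<203.0.113.5> Phase 1: Retransmission limit has been reached.",
    "IKE<203.0.113.5> Phase 1: Retransmission limit has been reached.",
]
# Constructed 'set ike gateway' line in ScreenOS syntax; name, addresses and interface are hypothetical
CONFIG_LINES = [
    'set ike gateway "to-branch" address 203.0.113.5 Main outgoing-interface "ethernet0/1" preshare "REDACTED" sec-level standard',
]
# Constructed stand-in for the routing table consulted by 'get route ip <peer>': prefix -> interface
ROUTE_TABLE = {"0.0.0.0/0": "ethernet0/0", "10.0.0.0/8": "ethernet0/2"}
LOG_RE = re.compile(r"IKE<(?P<peer>[\d.]+)>\s*Phase (?P<phase>[12]):\s*(?P<msg>.+?)\.?$")
GW_RE = re.compile(r'set ike gateway "(?P<name>[^"]+)" address (?P<addr>[\d.]+) .*?outgoing-interface "(?P<oif>[^"]+)"')
def parse_log(lines):
    """Return (peer, phase, message) tuples for IKE event lines; other lines are ignored."""
    return [(m["peer"], int(m["phase"]), m["msg"]) for m in map(LOG_RE.search, lines) if m]
def parse_gateways(lines):
    """Map IKE gateway name -> {'addr': remote gateway IP, 'oif': configured outgoing interface}."""
    return {m["name"]: {"addr": m["addr"], "oif": m["oif"]} for m in map(GW_RE.search, lines) if m}

def route_interface(table, ip):
    """Longest-prefix match over the constructed table, standing in for the live route lookup."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, oif in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, oif)
    return best[1] if best else None

def triage(log_lines, config_lines, route_table, remote_public_ip):
    """Apply the KB's assumptions, then steps 3 and 4; steps 1 and 2 need the live firewall."""
    events = parse_log(log_lines)
    if any(phase == 2 for _, phase, _ in events):
        return ["phase2-errors-present: outside this KB"]
    phase1 = [msg for _, phase, msg in events if phase == 1]
    if not phase1:
        return ["no-phase1-messages: review the responder's event log first"]
    if any(msg != "Retransmission limit has been reached" for msg in phase1):
        return ["other-phase1-errors: see KB9238"]
    findings = []
    for name, gw in parse_gateways(config_lines).items():
        if gw["addr"] != remote_public_ip:  # step 3: configured address vs. real remote public IP
            findings.append(f"step3: gateway {name} address {gw['addr']} != remote public IP {remote_public_ip}")
        oif = route_interface(route_table, gw["addr"])  # step 4: configured vs. routed interface
        if oif and oif != gw["oif"]:
            findings.append(f"step4: gateway {name} outgoing-interface {gw['oif']} but route uses {oif}")
    return findings or ["step1/step2: verify reachability and the preshared key on the device"]
```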
Note: I once used a policy-based VPN and simply could not get the IPsec VPN to establish, no matter what; I nearly upgraded the IOS version of the NetScreen SSG140. In the end, at a loss, I deleted the VPN and recreated it as a route-based VPN, and suddenly it worked. So, from the documentation I looked up, route-based VPNs are easier to establish than policy-based VPNs.