PPPoE network operator blocking VPN ports

Recently the company headquarters replaced its firewall, and the IPsec tunnels to several divisions had to be rebuilt. There are four divisions: two have public IPs and two are on PPPoE networks. The IPsec tunnels between the public-IP divisions and headquarters came up without difficulty, but building IPsec between the PPPoE-connected divisions and headquarters ran into many problems.

The divisions all use Juniper SSG140 devices. Anyone who has worked with these boxes knows that by default the IPsec negotiation process is recorded in the event log (Event), which is very helpful for debugging and troubleshooting.
Division A is on a PPPoE network. When building IPsec with headquarters, no IPsec negotiation records could be found in the events at all, so I suspected a configuration error and checked the configuration several times to confirm it. Because the address assigned over PPPoE is a public IP, I tried debugging with that IP directly, and the tunnel came up within seconds.

After changing back to the original configuration, which uses the local ID for matching, it took almost an hour before IPsec negotiation records appeared in the events; the records showed two negotiations within that hour, and the IPsec tunnel came up on its own. Checking a day later, the IPsec tunnel was still established; the event log showed that during the morning IPsec had been negotiating continuously before the tunnel was finally established. With the tunnel to headquarters up, I then configured IPsec from Division A to Division B. B is a division with a public IP, and the configuration was exactly the same as for headquarters, yet no IPsec negotiation occurred at all, which was baffling.

Two days later, the tunnel between headquarters and Division A disappeared. The alarm log contained no VPN-down record, and the events contained no record of a negotiation failure either. Suspecting the carrier's network, I simulated the bad environment and captured packets to verify the conjecture.

Simulation of the bad environment, with the following topology:
[Topology figure: PPPoE network operator blocking VPN ports]

1. Set up a PPPoE network inside the local network, have the firewall dial in over it, and build IPsec with the headquarters firewall locally, so that the operator's filtering is out of the picture. Result: the IPsec tunnel was established quickly, and when the preshared keys at the two ends did not match, the events still showed IPsec being negotiated.

2. Build a network inside the PPPoE network, have the firewall dial in over PPPoE, and build IPsec with the division firewall, traversing two layers of NAT; because headquarters has a public IP, assume the operator does not block it. The IPsec tunnel was not established successfully, but the PPPoE firewall's log showed IPsec negotiation throughout; it was not a case of negotiation never happening. Possible reasons the IPsec tunnel to the division could not be established:
a. Preshared key mismatch (this was specifically checked beforehand and still went wrong, so the key should not be the reason).
b. The headquarters firewall already has an established IPsec tunnel with the division, and the simulated firewall on the PPPoE network inside the headquarters network conflicts with it.
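The triage logic behind these tests, as an added example that is not code from the original post: given firewall event lines, classify each expected peer by whether IKE negotiation records are absent entirely (packets not arriving, so look upstream), present but failing (a local mismatch), or completed. The line format, the peer= field, the messages and the peer addresses are constructed assumptions, not the SSG140's real event format.

```python
import re

# Constructed sample event lines in a simplified form. They are NOT the real
# ScreenOS/SSG140 event format; the peer= field and messages are assumptions.
SAMPLE_EVENTS = """\
2019-08-01 09:00:01 peer=203.0.113.10 IKE phase1 negotiation started
2019-08-01 09:00:02 peer=203.0.113.10 IKE phase1 negotiation failed: preshared key mismatch
2019-08-01 09:05:00 peer=203.0.113.20 IKE phase1 negotiation started
2019-08-01 09:05:01 peer=203.0.113.20 IKE phase2 completed, tunnel up
"""

# Peers expected to have a tunnel (constructed). 203.0.113.30 never appears in
# the events, which is the symptom seen on the PPPoE branch in the post.
EXPECTED_PEERS = ["203.0.113.10", "203.0.113.20", "203.0.113.30"]

LINE_RE = re.compile(r"^\S+ \S+ peer=(?P<peer>\S+) (?P<msg>.*)$")

NO_NEGOTIATION = ("no negotiation records: IKE packets never reached this device; "
                  "check upstream (carrier/NAT) filtering of UDP 500/4500 and ESP "
                  "before re-checking the configuration")
NEGOTIATION_FAILED = ("negotiation seen but failed: packets arrive, so the fault is "
                      "local (preshared key, proposal or IKE ID mismatch)")
TUNNEL_UP = "tunnel established"
NEGOTIATING = "negotiation in progress, no completion or failure recorded yet"


def classify_peers(event_text, expected_peers):
    """Map each expected peer to a diagnosis derived from its last event line."""
    last_msg = {}
    for line in event_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            last_msg[m.group("peer")] = m.group("msg")
    result = {}
    for peer in expected_peers:
        msg = last_msg.get(peer)
        if msg is None:
            result[peer] = NO_NEGOTIATION
        elif "tunnel up" in msg:
            result[peer] = TUNNEL_UP
        elif "failed" in msg:
            result[peer] = NEGOTIATION_FAILED
        else:
            result[peer] = NEGOTIATING
    return result


if __name__ == "__main__":
    for peer, verdict in classify_peers(SAMPLE_EVENTS, EXPECTED_PEERS).items():
        print(f"{peer}: {verdict}")
```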

Source: blog.51cto.com/14439340/2418469