Hi all in Meraki Community.
I am running a site to site VPN with a non Meraki device at the distant end. The device in question is a virtual VPN server on AWS running on StrongSwan software.
The VPN is working fine although I often get the following message appearing in the logs
|Non-Meraki / Client VPN negotiation||msg: pfkey DELETE failed: No such process|
Can anyone interpret this message ?
I'm going to guess that pfkey = perfect forward key.
I'll guess that either you are not using perfect forward secrecy (PFS) and some scheduled process is trying to clean up old keys (which wont exist), or that you are using PFS and the key has already expired, and some scheduled process is trying to clean up left overs.
Do you utilize Meraki to Meraki VPNs as well? Just curious. It does appear to be what @PhilipDAth stated. But another issue ive had is you must limit the non meraki VPN to the specific network you want and you also cannot have subnets set to yes on your VPN settings to share if the non meraki end is not setup with them on their phase 2 selectors as well.
If you do have this the meraki will constantly have issues with Phase 2 due to the Meraki trying to share subnets with the non meraki peer that it doesn't know about.
Thanks for your reply, it's greatly appreciated
I have attached a snapshot of the phase 1 and phase 2 config. From what you have suggested I should set PFS Group to Off
I am unhappy with the current setup with a unorthodox Site 2 Site VPN into AWS, who have an off the shelf VPN gateway that Meraki have provided a template. We are likely to revert to a standard, pending a debate with my colleague who looks after the AWS end.
Interested in your thoughts however re the PFS Group. I set it to 2 in ignorance reflecting on the Diffie Hellman Group number.
Thanks for responding I really appreciate it.
We currently only have one site to site VPN and it is a non-Meraki end type.
I have sent a reply to PhilipDath with a screen shot of the customised settings on the site to site phase 1 & 2 configs.
On the principle of KISS (Keep It Simple Stupid) I am debating with my AWS expert that we should use the AWS off the shelf product. I think he is coming round to the idea. That way we can run with the Meraki AWS template