cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Non-Meraki / Client VPN entries in event log

Highlighted
Here to help

Non-Meraki / Client VPN entries in event log

Hi all in Meraki Community.

I am running a site to site VPN with a non Meraki device at the distant end. The device in question is a virtual VPN server on AWS running on StrongSwan software.

The VPN is working fine although I often get the following message appearing in the logs 

 

Non-Meraki / Client VPN negotiationmsg: pfkey DELETE failed: No such process

 

Can anyone interpret this message ?

 

With Thanks.

 

Mel

4 REPLIES 4
Kind of a big deal

Re: Non-Meraki / Client VPN entries in event log

I'm going to guess that pfkey = perfect forward key.

 

I'll guess that either you are not using perfect forward secrecy (PFS) and some scheduled process is trying to clean up old keys (which wont exist), or that you are using PFS and the key has already expired, and some scheduled process is trying to clean up left overs.

Getting noticed

Re: Non-Meraki / Client VPN entries in event log

Do you utilize Meraki to Meraki VPNs as well? Just curious. It does appear to be what @PhilipDAth stated. But another issue ive had is you must limit the non meraki VPN to the specific network you want and you also cannot have subnets set to yes on your VPN settings to share if the non meraki end is not setup with them on their phase 2 selectors as well.

If you do have this the meraki will constantly have issues with Phase 2 due to the Meraki trying to share subnets with the non meraki peer that it doesn't know about. 

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
Here to help

Re: Non-Meraki / Client VPN entries in event log

Hi NSGuru.

Thanks for responding I really appreciate it.

We currently only have one site to site VPN and it is a non-Meraki end type.

I have sent a reply to PhilipDath with a screen shot of the customised settings on the site to site phase 1 & 2 configs.

 

On the principle of KISS (Keep It Simple Stupid) I am debating with my AWS expert that we should use the AWS off the shelf product. I think he is coming round to the idea. That way we can run with the Meraki AWS template

 

Thanks Again.

Here to help

Re: Non-Meraki / Client VPN entries in event log

Hi PhilipDAth

Thanks for your reply, it's greatly appreciated

I have attached a snapshot of the phase 1 and phase 2 config. From what you have suggested I should set PFS Group to Off

Capture of customised site2site customised settings.JPG

 

 

I am unhappy with the current setup with a unorthodox Site 2 Site VPN into AWS, who have an off the shelf VPN gateway that Meraki have provided a template. We are likely to revert to a standard, pending a debate with my colleague who looks after the AWS end.

Interested in your thoughts however re the PFS Group. I set it to 2 in ignorance reflecting on the Diffie Hellman Group number.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.