Meraki

Community

Non-Meraki / Client VPN entries in event log

mel-astrosat
Here to help
‎Oct 18 2018 2:51 AM
‎Oct 18 2018 2:51 AM

Non-Meraki / Client VPN entries in event log

Hi all in Meraki Community.

I am running a site to site VPN with a non Meraki device at the distant end. The device in question is a virtual VPN server on AWS running on StrongSwan software.

The VPN is working fine although I often get the following message appearing in the logs 

 

Non-Meraki / Client VPN negotiationmsg: pfkey DELETE failed: No such process

 

Can anyone interpret this message ?

 

With Thanks.

 

Mel

Labels:
0 Kudos
4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 18 2018 12:12 PM
‎Oct 18 2018 12:12 PM

I'm going to guess that pfkey = perfect forward key.

 

I'll guess that either you are not using perfect forward secrecy (PFS) and some scheduled process is trying to clean up old keys (which wont exist), or that you are using PFS and the key has already expired, and some scheduled process is trying to clean up left overs.

In response to PhilipDAth
NSGuru
Getting noticed
‎Oct 18 2018 1:19 PM
‎Oct 18 2018 1:19 PM

Do you utilize Meraki to Meraki VPNs as well? Just curious. It does appear to be what @PhilipDAth stated. But another issue ive had is you must limit the non meraki VPN to the specific network you want and you also cannot have subnets set to yes on your VPN settings to share if the non meraki end is not setup with them on their phase 2 selectors as well.

If you do have this the meraki will constantly have issues with Phase 2 due to the Meraki trying to share subnets with the non meraki peer that it doesn't know about. 

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
In response to NSGuru
mel-astrosat
Here to help
‎Oct 22 2018 8:13 AM
‎Oct 22 2018 8:13 AM

Hi NSGuru.

Thanks for responding I really appreciate it.

We currently only have one site to site VPN and it is a non-Meraki end type.

I have sent a reply to PhilipDath with a screen shot of the customised settings on the site to site phase 1 & 2 configs.

 

On the principle of KISS (Keep It Simple Stupid) I am debating with my AWS expert that we should use the AWS off the shelf product. I think he is coming round to the idea. That way we can run with the Meraki AWS template

 

Thanks Again.

0 Kudos
In response to PhilipDAth
mel-astrosat
Here to help
‎Oct 22 2018 8:06 AM
‎Oct 22 2018 8:06 AM

Hi PhilipDAth

Thanks for your reply, it's greatly appreciated

I have attached a snapshot of the phase 1 and phase 2 config. From what you have suggested I should set PFS Group to Off

Capture of customised site2site customised settings.JPG

 

 

I am unhappy with the current setup with a unorthodox Site 2 Site VPN into AWS, who have an off the shelf VPN gateway that Meraki have provided a template. We are likely to revert to a standard, pending a debate with my colleague who looks after the AWS end.

Interested in your thoughts however re the PFS Group. I set it to 2 in ignorance reflecting on the Diffie Hellman Group number.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.