Hello everyone,
Has anyone come across or knows what the following error message means? Specifically the “(side: 0, status 5)” message – here is the complete msg: “failed to pre-process ph2 packet (side: 0, status 5).” I am attempting to establish a site-to-site VPN connection with a vendor who is using a pfSense device.
I appreciate the community's help,
Rodney
Thought I'd share the complete details log, line-by-line:
msg: IPsec-SA expired: ESP/Tunnel 137.103.240.138[500]->72.29.24.253[500]
msg: IPsec-SA expired: ESP/Tunnel 72.29.24.253[500]->137.103.240.138[500] spi=253442875(0xf1b3b3b)
msg: phase2 negotiation failed.
msg: failed to pre-process ph2 packet (side: 0, status 5).
msg: initiate new phase 2 negotiation: 137.103.240.138[4500]<=>72.29.24.253[4500]
Have you verified fully matching settings with the remote end? Especially p2?
Remember, the MX can only pass over full subnets that it knows about. You can't have, e.g., a VLAN that's 192.168.50.0/24 and have the remote end expect 192.168.50.128/25. They need to accept 192.168.50.0/24.
Thank you for the comment, Nash.
Yes, according to the remote engineer his system is listed with notation /32. This is also how I have his subnet entered on my end. I also have two other sites participating in VPN. I provided him those two additional subnets to configure/add on his device for the same peer, as I believe Meraki requires me to share all participating subnets, even if (let's go with your subnet example below) 192.168.50.0/24 will be the only network to communicate with this remote VPN site.
Yeah, unfortunately, on Meraki, if a subnet participates in _any_ VPN tunnel, it must be included in all tunnels. Then you use firewall rules to restrict that down.
So you've verified that your subnets and your p1 and p2 settings all match.
Has this tunnel ever worked?
I am going to venture to say this has never worked. Also, the pfSense side is not configured correctly. /32 is a host and not a network, so if they have /32 in the subnet tunnel, that is a major issue. Also, if you can share the config, I could possibly see the exact issue.
You can do a tunnel on a Meraki where the remote end has a /32. I have a couple of clients who have long term tunnels that way.
It's just, the Meraki end can't offer a /32.
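The point made in the replies above (the MX offers every VPN-participating subnet whole and to every peer, the remote end must accept each one exactly, and a /32 is only fine on the remote side) can be turned into a quick traffic-selector check before touching the tunnel. The script below is an added example written for this thread, not Meraki or pfSense code; the subnets in it are constructed (203.0.113.10/32 stands in for the vendor host), and the function and argument names are my own.

```python
from ipaddress import ip_network

# Constructed sample: every subnet that participates in site-to-site VPN on the MX.
# The MX offers each of these whole, and offers all of them to every peer.
MERAKI_LOCAL = ["192.168.50.0/24", "10.10.1.0/24", "10.10.2.0/24"]
# Constructed sample: the private subnet(s) configured for the non-Meraki peer.
MERAKI_REMOTE = ["203.0.113.10/32"]
# Constructed sample of the pfSense phase 2 entries as (local network, remote network).
# The second entry is deliberately wrong: it expects half of the MX's /24.
PFSENSE_P2 = [
    ("203.0.113.10/32", "10.10.1.0/24"),
    ("203.0.113.10/32", "192.168.50.128/25"),
]


def check_phase2_selectors(meraki_local, meraki_remote, pfsense_p2):
    """Compare the subnets each end will put into phase 2.

    Returns a list of (severity, message) tuples; an empty list means the
    traffic selectors line up. Hypothetical helper, not a vendor API.
    """
    mx_local = {ip_network(n, strict=False) for n in meraki_local}
    mx_remote = {ip_network(n, strict=False) for n in meraki_remote}
    findings = []

    pf_remotes = set()
    for pf_local, pf_remote in pfsense_p2:
        pf_local = ip_network(pf_local, strict=False)
        pf_remote = ip_network(pf_remote, strict=False)
        pf_remotes.add(pf_remote)

        # A /32 (or any prefix) on the pfSense local side is fine as long as the MX
        # has exactly the same value in its remote-subnet list for this peer.
        if pf_local not in mx_remote:
            findings.append(("error",
                f"pfSense local {pf_local} is not in the MX remote list "
                f"{sorted(str(n) for n in mx_remote)}"))

        if pf_remote in mx_local:
            continue  # exact match, which is what the MX needs

        # Partial overlap: the MX will still offer the whole parent subnet,
        # so the remote's narrower selector will never match.
        covering = [n for n in mx_local if pf_remote.subnet_of(n)]
        if covering:
            findings.append(("error",
                f"pfSense expects {pf_remote} but the MX will offer the whole "
                f"{covering[0]}"))
        else:
            findings.append(("warning",
                f"pfSense phase 2 remote {pf_remote} matches no MX subnet"))

    # Every VPN-participating MX subnet must appear on the pfSense side too,
    # even ones that will never actually talk to this peer.
    for n in sorted(mx_local):
        if n in pf_remotes or any(r.subnet_of(n) for r in pf_remotes):
            continue  # present, or already reported above as a partial overlap
        findings.append(("error",
            f"MX subnet {n} participates in VPN but has no pfSense phase 2 entry"))
    return findings


if __name__ == "__main__":
    for severity, message in check_phase2_selectors(MERAKI_LOCAL, MERAKI_REMOTE, PFSENSE_P2):
        print(f"{severity}: {message}")
```

Run against the constructed sample it reports the /25 versus /24 mismatch and the missing 10.10.2.0/24 entry; once the pfSense phase 2 list contains each MX subnet verbatim, it returns nothing. It only checks selectors; proposal parameters (ESP, cipher, hash, PFS group) still have to be compared by hand.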
Okay, below is a screenshot of the two additional subnets participating in remote VPN (on my side of the network). I trust the remote engineer entered these on his device, along with the intended subnet that will actually do the communicating with his system (192.168.50.0/24).
Below is a screenshot of the non-Meraki VPN configuration:
And finally, below is a screenshot of our IPsec policies:
I'd like to also share initial information the remote pfSense engineer shared with me regarding how to configure phase 2, he listed the following:
ESP
AES-256
SHA1
PFS on – Group 5
Lifetime 28800
Please note ESP (the first setting). Meraki does not have a field for this type of setting. I'm taking a shot in the dark here... could this be a cause? Would he have to select a different option for this specific setting?
Also, to answer the question has it ever worked, no.
Never mind my ESP question...I believe this is the wire-level protocol Meraki uses by default...?
I asked the engineer to send me a screenshot of his phase 2 settings, here it is:
Here is the rest of his config on the pfSense: