Site-to-Site VPN with Non-Meraki Peer

Here to help

Hello everyone,

Has anyone come across, or does anyone know, what the following error message means? Specifically the "(side: 0, status 5)" part. Here is the complete message: "failed to pre-process ph2 packet (side: 0, status 5)." I am attempting to establish a site-to-site VPN connection with a vendor who is using a pfSense device.

I appreciate the community's help,
Rodney

12 replies
Here to help

Re: Site-to-Site VPN with Non-Meraki Peer

Thought I'd share the complete detailed log, line by line:

msg: IPsec-SA expired: ESP/Tunnel 137.103.240.138[500]->72.29.24.253[500]
msg: IPsec-SA expired: ESP/Tunnel 72.29.24.253[500]->137.103.240.138[500] spi=253442875(0xf1b3b3b)
msg: phase2 negotiation failed.
msg: failed to pre-process ph2 packet (side: 0, status 5).
msg: initiate new phase 2 negotiation: 137.103.240.138[4500]<=>72.29.24.253[4500]
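The five lines above are the racoon-style event text the MX dashboard shows for this peer. As an added example (not part of the original post, and not Meraki or pfSense code), here is a small Python triage script over exactly those lines: it classifies each message, pulls out the endpoints, ports, SPI and the side/status values, and reports whether phase 2 is failing and whether NAT-T (UDP 4500) is in use on the path. The log text is embedded as a constructed sample copied from the post; the numeric meaning of "side" and "status" is racoon-internal and not documented in this thread, so the script reports the values without interpreting them.

```python
import re
from collections import Counter

# Constructed sample input: the five event-log lines quoted in the post above,
# copied as plain strings so the script runs offline.
SAMPLE_LOG = """\
msg: IPsec-SA expired: ESP/Tunnel 137.103.240.138[500]->72.29.24.253[500]
msg: IPsec-SA expired: ESP/Tunnel 72.29.24.253[500]->137.103.240.138[500] spi=253442875(0xf1b3b3b)
msg: phase2 negotiation failed.
msg: failed to pre-process ph2 packet (side: 0, status 5).
msg: initiate new phase 2 negotiation: 137.103.240.138[4500]<=>72.29.24.253[4500]
"""


def _endpoint(name):
    """Regex for one 'ip[port]' endpoint, captured as <name> and <name_port>."""
    return r"(?P<%s>\d+\.\d+\.\d+\.\d+)\[(?P<%s_port>\d+)\]" % (name, name)


# Message shapes seen in the posted log (racoon-style text as shown by the MX).
PATTERNS = {
    "sa_expired": re.compile(
        r"IPsec-SA expired: (?P<proto>\S+) " + _endpoint("src") + "->" + _endpoint("dst")
        + r"(?: spi=(?P<spi>\d+))?"),
    "ph2_failed": re.compile(r"phase2 negotiation failed"),
    "ph2_preprocess_failed": re.compile(
        r"failed to pre-process ph2 packet \(side: (?P<side>\d+), status (?P<status>\d+)\)"),
    "ph2_initiate": re.compile(
        r"initiate new phase 2 negotiation: " + _endpoint("a") + "<=>" + _endpoint("b")),
}


def parse_line(line):
    """Classify one log line; unknown lines are kept as kind 'other'."""
    text = line.strip()
    if text.startswith("msg:"):
        text = text[len("msg:"):].strip()
    for kind, pattern in PATTERNS.items():
        m = pattern.search(text)
        if m:
            return {"kind": kind, **m.groupdict()}
    return {"kind": "other", "raw": text}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def triage(events):
    """Summarise what the log says about the tunnel's state."""
    kinds = Counter(e["kind"] for e in events)
    ports = {int(v) for e in events for k, v in e.items() if k.endswith("_port")}
    return {
        "counts": dict(kinds),
        # either message marks a failed phase-2 (quick mode) exchange
        "phase2_failing": (kinds["ph2_failed"] + kinds["ph2_preprocess_failed"]) > 0,
        # UDP 4500 in an endpoint means NAT-T encapsulation is in use on this path
        "nat_t_in_use": 4500 in ports,
        # side/status are reported as-is; their numeric meaning is racoon-internal
        # and not documented in the thread, so it is not interpreted here
        "preprocess_status": [(e["side"], e["status"]) for e in events
                              if e["kind"] == "ph2_preprocess_failed"],
    }


def checklist(report):
    """Turn the triage result into the checks a practitioner would run next."""
    items = []
    if report["phase2_failing"]:
        items.append("Phase 2 is failing: compare the ESP proposal (cipher, hash, PFS group, "
                     "lifetime) and the traffic selectors (local/remote subnets) on both peers; "
                     "the MX offers whole VLAN subnets, so the peer must expect exactly those.")
    if report["nat_t_in_use"]:
        items.append("UDP 4500 is in use (NAT-T): confirm UDP 500 and 4500 are permitted "
                     "end to end between the two public addresses.")
    return items


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    print(report)
    for item in checklist(report):
        print("-", item)
```

Run it as-is to see the summary for the posted lines; to triage your own tunnel, paste the dashboard event-log text into SAMPLE_LOG or read it from a file. Lines the patterns do not recognise come back as kind "other" rather than being dropped, so nothing in the log is silently ignored.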

Kind of a big deal

Re: Site-to-Site VPN with Non-Meraki Peer

Have you verified fully matching settings with the remote end? Especially p2?

Remember, the MX can only pass over full subnets that it knows about. You can't, e.g., have a VLAN that's 192.168.50.0/24 and have the remote end expect 192.168.50.128/25. They need to accept 192.168.50.0/24.

Here to help

Re: Site-to-Site VPN with Non-Meraki Peer

Thank you for the comment, Nash.

Yes, according to the remote engineer, his system is listed with /32 notation. This is also how I have his subnet entered on my end. I also have two other sites participating in VPN. I provided him those two additional subnets to configure/add on his device for the same peer, as I believe Meraki requires me to share all participating subnets, even if (let's go with your subnet example below) 192.168.50.0/24 will be the only network to communicate with this remote VPN site.

Kind of a big deal

Re: Site-to-Site VPN with Non-Meraki Peer

Yeah, unfortunately, on Meraki, if a subnet participates in _any_ VPN tunnel, it must be included in all tunnels. Then you use firewall rules to restrict that down.

So you've verified that your subnets and your p1 and p2 settings all match.

Has this tunnel ever worked?

Kind of a big deal

Re: Site-to-Site VPN with Non-Meraki Peer

I am going to venture to say this has never worked, and also that the pfSense side is not configured correctly. /32 is a host and not a network, so if they have /32 in the subnet tunnel that is a major issue. Also, if you can share the config, I could possibly see the exact issue.

Kind of a big deal

Re: Site-to-Site VPN with Non-Meraki Peer

You can do a tunnel on a Meraki where the remote end has a /32. I have a couple of clients who have long-term tunnels that way.

It's just that the Meraki end can't offer a /32.

Here to help

Re: Site-to-Site VPN with Non-Meraki Peer

Okay, below is a screenshot of the two additional subnets participating in remote VPN (on my side of the network). I trust the remote engineer entered these on his device, along with the intended subnet that will actually do the communicating with his system (192.168.50.0/24).

[screenshot: Rod_0-1579018537403.png]

Below is a screenshot of the non-Meraki VPN configuration:

[screenshot: Rod_1-1579018775634.png]

And finally, below is a screenshot of our IPsec policies:

[screenshot: Rod_2-1579018927780.png]

Here to help

Re: Site-to-Site VPN with Non-Meraki Peer

I'd like to also share the initial information the remote pfSense engineer shared with me regarding how to configure phase 2. He listed the following:

ESP
AES-256
SHA1
PFS on – Group 5
Lifetime 28800

Please note ESP (the first setting). Meraki does not have a field for this type of setting. I'm taking a shot in the dark here... could this be a cause? Would he have to select a different option for this specific setting?
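The thread has now stated three rules for a Meraki-to-non-Meraki tunnel: the MX offers whole subnets and the peer must expect exactly those, not a narrower range; every subnet that takes part in any tunnel must be present in every tunnel; and the remote side may be a /32 but the MX side cannot offer one. Add to that the phase 2 parameter list the pfSense engineer sent (ESP, AES-256, SHA1, PFS group 5, lifetime 28800). As an added example (not from the original thread, Meraki or pfSense), here is a Python consistency check that takes both sides' phase 2 proposal and traffic selectors and reports every mismatch against those rules. The dictionaries, subnets and addresses are constructed placeholders; the "bad" peer config is deliberately broken in three ways (shorter lifetime, a /25 where the MX offers a /24, two MX subnets missing) to show what the check catches, and the "fixed" one mirrors the MX side exactly.

```python
import ipaddress

# Constructed sample configs modelled on the thread: three MX-side subnets
# (the VLAN that needs the vendor plus two others that already take part in VPN)
# and a vendor host given as a /32. All addresses are placeholders.
MX_SIDE = {
    "phase2": {"protocol": "ESP", "encryption": "AES-256", "auth": "SHA1",
               "pfs_group": 5, "lifetime": 28800},
    "local_subnets": ["192.168.50.0/24", "10.10.0.0/24", "10.20.0.0/24"],
    "remote_subnets": ["203.0.113.10/32"],
}

# A deliberately broken peer config (constructed): lifetime differs, the remote
# network is narrower than the MX VLAN, and two MX subnets are missing.
PEER_BAD = {
    "phase2": {"protocol": "esp", "encryption": "aes256", "auth": "sha1",
               "pfs_group": 5, "lifetime": 3600},
    "local_subnets": ["203.0.113.10/32"],
    "remote_subnets": ["192.168.50.128/25"],
}

# The same peer with the phase-2 values and every MX subnet mirrored exactly.
PEER_FIXED = {
    "phase2": {"protocol": "esp", "encryption": "aes256", "auth": "sha1",
               "pfs_group": 5, "lifetime": 28800},
    "local_subnets": ["203.0.113.10/32"],
    "remote_subnets": ["192.168.50.0/24", "10.10.0.0/24", "10.20.0.0/24"],
}


def _net(text):
    return ipaddress.ip_network(text, strict=True)


def _norm(value):
    # "AES-256" and "aes256" name the same transform; compare loosely on spelling
    return str(value).lower().replace("-", "").replace("_", "")


def check_proposal(local, remote):
    """Every phase-2 parameter must agree, value by value."""
    findings = []
    for key in sorted(set(local) | set(remote)):
        a, b = local.get(key), remote.get(key)
        if _norm(a) != _norm(b):
            findings.append("phase2 %s: local=%s remote=%s" % (key, a, b))
    return findings


def check_selectors(offered, expected, who, other):
    """`offered` are the networks `who` sends as its side of the tunnel; `expected`
    is what `other` configured as remote networks. They must match exactly:
    a narrower (or missing) selector on the far side is a mismatch."""
    findings = []
    offered_nets = [_net(s) for s in offered]
    expected_nets = [_net(s) for s in expected]
    for n in offered_nets:
        if n in expected_nets:
            continue
        narrower = [e for e in expected_nets if e.subnet_of(n) and e != n]
        if narrower:
            findings.append("%s offers %s but %s expects narrower %s; %s must use %s"
                            % (who, n, other, narrower[0], other, n))
        else:
            findings.append("%s offers %s but %s has no matching remote network"
                            % (who, n, other))
    for e in expected_nets:
        if not any(e.subnet_of(o) for o in offered_nets):
            findings.append("%s expects %s from %s but %s does not offer it"
                            % (other, e, who, who))
    return findings


def check_tunnel(mx, peer):
    """Full consistency check of a Meraki MX <-> non-Meraki peer definition."""
    findings = check_proposal(mx["phase2"], peer["phase2"])
    for s in mx["local_subnets"]:
        # the MX side cannot offer a host route; the peer side may be a /32
        if _net(s).prefixlen == 32:
            findings.append("MX cannot offer the host route %s; export the whole VLAN subnet" % s)
    findings += check_selectors(mx["local_subnets"], peer["remote_subnets"], "MX", "peer")
    findings += check_selectors(peer["local_subnets"], mx["remote_subnets"], "peer", "MX")
    return findings


if __name__ == "__main__":
    for name, peer in (("bad", PEER_BAD), ("fixed", PEER_FIXED)):
        print(name, check_tunnel(MX_SIDE, peer) or "OK")
```

The ESP line that puzzled the poster becomes just the "protocol" field here: the MX has no selector for it because ESP is the only option it offers, so the peer's ESP setting is a match, not a mismatch. Everything the check flags is a reason for a phase 2 proposal or selector to be rejected, which is the class of failure the event log in this thread shows.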

Here to help

Re: Site-to-Site VPN with Non-Meraki Peer

Also, to answer the question of whether it has ever worked: no.

Here to help

Re: Site-to-Site VPN with Non-Meraki Peer

Never mind my ESP question... I believe this is the wire-level protocol Meraki uses by default...?

Here to help

Re: Site-to-Site VPN with Non-Meraki Peer

I asked the engineer to send me a screenshot of his phase 2 settings. Here it is:

[screenshot: Rod_0-1579026729593.png]

Here to help

Re: Site-to-Site VPN with Non-Meraki Peer

Here is the rest of his config on the pfSense:

[screenshot: Rod_0-1579026972920.png]