Has anyone come across or knows what the following error message means? Specifically the “(side: 0, status 5)” message – here is the complete msg: “failed to pre-process ph2 packet (side: 0, status 5).” I am attempting to establish a site-to-site VPN connection with a vendor who is using a pfSense device.
I appreciate the communities help,
Thought I'd share the complete details log, line-by-line:
msg: IPsec-SA expired: ESP/Tunnel 126.96.36.199->188.8.131.52
msg: IPsec-SA expired: ESP/Tunnel 184.108.40.206->220.127.116.11 spi=253442875(0xf1b3b3b)
msg: phase2 negotiation failed.
msg: failed to pre-process ph2 packet (side: 0, status 5).
msg: initiate new phase 2 negotiation: 18.104.22.168<=>22.214.171.124
Have you verified fully matching settings with the remote end? Especially p2?
Remember, the MX can only pass over full subnets that it knows about. You can't have e.g. a vlan that's 192.168.50.0/24, have the remote end expect 192.168.50.128/25. They need to accept 192.168.50.0/24.
Thank you for the comment, Nash.
Yes, according to the remote engineer his system is listed with notation /32. This is also how I have his subnet entered on my end. I also have two other sites participating in VPN. I provided him those two additional subnets to configure/add on his device for the same peer, as I believe Meraki requires me to share all participating subnets, even if (let's go with your subnet example below) 192.168.50.0/24 will be the only network to communicate with this remote VPN site.
Yeah, unfortunately, on Meraki, if a subnet participates in _any_ VPN tunnel, it must be included in all tunnels. Then you use firewall rules to restrict that down.
So you've verified that your subnets, and p1 and p2 settings all match.
Has this tunnel ever worked?
I am going to venture to say this has never worked. Also that the pfsense side is not configured correctly. /32 is host and not a network, so if they have /32 in the subnet tunnel that is a major issue. Also if you can share the config possibly I could see the exact issue.
You can do a tunnel on a Meraki where the remote end has a /32. I have a couple of clients who have long term tunnels that way.
It's just, the Meraki end can't offer a /32.
Okay, below is a screenshot of the two additional subnets participating in remote VPN (on my side of the network). I trust the remote engineer entered these on his device, along with the intended subnet that will actually do the communicating with his system (192.168.50.0/24).
Below is a screenshot of the non-Meraki VPN configuration:
And finally, below is a screenshot of our IPsec policies:
I'd like to also share initial information the remote pfSense engineer shared with me regarding how to configure phase 2, he listed the following:
PFS on – Group 5
Please note ESP (the first setting). Meraki does not have a field for this type of setting. I'm taking a shot in the dark here,,,could this be a cause? Would he have to select a different option for this specific setting?
Also, to answer the question has it ever worked, no.
Never mind my ESP question...I believe this is the wire-level protocol Meraki uses by default...?
I asked the engineer to send me a screenshot of his phase 2 settings, here it is:
Here is the rest of his config on the pfSense: