Site-to-Site VPN with Non-Meraki Peer

Rod
Here to help

Site-to-Site VPN with Non-Meraki Peer

Hello everyone,

Has anyone come across or knows what the following error message means? Specifically the “(side: 0, status 5)” message – here is the complete msg: “failed to pre-process ph2 packet (side: 0, status 5).” I am attempting to establish a site-to-site VPN connection with a vendor who is using a pfSense device.

 

I appreciate the communities help,
Rodney

12 Replies 12
Rod
Here to help

Thought I'd share the complete details log, line-by-line:

 

msg: IPsec-SA expired: ESP/Tunnel 137.103.240.138[500]->72.29.24.253[500]

msg: IPsec-SA expired: ESP/Tunnel 72.29.24.253[500]->137.103.240.138[500] spi=253442875(0xf1b3b3b)

msg: phase2 negotiation failed.

msg: failed to pre-process ph2 packet (side: 0, status 5).

msg: initiate new phase 2 negotiation: 137.103.240.138[4500]<=>72.29.24.253[4500]

Nash
Kind of a big deal

Have you verified fully matching settings with the remote end? Especially p2?

 

Remember, the MX can only pass over full subnets that it knows about. You can't have e.g. a vlan that's 192.168.50.0/24, have the remote end expect 192.168.50.128/25. They need to accept 192.168.50.0/24.

Rod
Here to help

Thank you for the comment, Nash.

 

Yes, according to the remote engineer his system is listed with notation /32. This is also how I have his subnet entered on my end. I also have two other sites participating in VPN. I provided him those two additional subnets to configure/add on his device for the same peer, as I believe Meraki requires me to share all participating subnets, even if (let's go with your subnet example below) 192.168.50.0/24 will be the only network to communicate with this remote VPN site. 

Nash
Kind of a big deal

Yeah, unfortunately, on Meraki, if a subnet participates in _any_ VPN tunnel, it must be included in all tunnels. Then you use firewall rules to restrict that down.

 

So you've verified that your subnets, and p1 and p2 settings all match.

 

Has this tunnel ever worked?

SoCalRacer
Kind of a big deal

I am going to venture to say this has never worked. Also that the pfsense side is not configured correctly. /32 is host and not a network, so if they have /32 in the subnet tunnel that is a major issue. Also if you can share the config possibly I could see the exact issue.

Nash
Kind of a big deal

You can do a tunnel on a Meraki where the remote end has a /32. I have a couple of clients who have long term tunnels that way.

 

It's just, the Meraki end can't offer a /32. 

Rod
Here to help

Okay, below is a screenshot of the two additional subnets participating in remote VPN (on my side of the network). I trust the remote engineer entered these on his device, along with the intended subnet that will actually do the communicating with his system (192.168.50.0/24).

Rod_0-1579018537403.png

 

Below is a screenshot of the non-Meraki VPN configuration:

Rod_1-1579018775634.png

And finally, below is a screenshot of our IPsec policies:

Rod_2-1579018927780.png

 

Rod
Here to help

I'd like to also share initial information the remote pfSense engineer shared with me regarding how to configure phase 2, he listed the following:

 

ESP

AES-256

SHA1

PFS on – Group 5

Lifetime 28800

 

Please note ESP (the first setting). Meraki does not have a field for this type of setting. I'm taking a shot in the dark here,,,could this be a cause? Would he have to select a different option for this specific setting? 

Rod
Here to help

Also, to answer the question has it ever worked, no. 

Rod
Here to help

Never mind my ESP question...I believe this is the wire-level protocol Meraki uses by default...? 

Rod
Here to help

I asked the engineer to send me a screenshot of his phase 2 settings, here it is:

 

Rod_0-1579026729593.png

 

Rod
Here to help

Here is the rest of his config on the pfSense:

Rod_0-1579026972920.png

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels