Netgate Discussion Forum

    IPSec Issue with Meraki MX65 and PFSense box

    Posted in IPsec by NoNotSquirrels

      Hello,
      I have a Meraki MX65 firewall with a site-to-site tunnel to a virtual PFSense box, software version 2.3.3_1 (Current Base System).

      Meraki Settings
      Phase1
      Encryption:  3DES
      Auth: SHA1
      DH Group 2
      Lifetime: 28800

      Phase2
      Encryption:  3DES
      Auth:  SHA1
      PFS Group: OFF
      Lifetime: 28800

      PFSense Settings
      Key Exchange version:  IKEv1
      Internet Protocol:  IPv4
      Interface:  WAN
      Remote Gateway:  a public static IP
      Authentication Method:  Mutual PSK
      Negotiation Mode:  Main
      My Identifier:  IP Address (The local public static PFSense box IP)
      Peer Identifier:  IP Address (Same IP as above from Remote Gateway field)
      PSK:  The same on both sides, manually typed in
      Encryption Algorithm:  3DES
      Hash:  SHA1
      DHGroup 2
      Lifetime:  28800
      (Advanced Settings)
      NAT Traversal set to Auto
      Dead Peer Detection is enabled (delay 10, max failures 5)

      Phase2
      Mode Tunnel IPv4
      Local Network:  "Network", IP subnet /16 (what is local to the PFSense box)
      NAT/BINAT None
      Remote Network:  "Network", IP subnet /24 (what is local to the Meraki firewall site)

      Phase 2 Proposal
      Protocol: ESP
      Encryption Algorithms:  Only 3DES checked
      Hash Algorithm:  Only SHA1 checked
      PFS Key Group: OFF
      Lifetime: 28800
      Ping Host:  IP of a server on remote end

      The tunnel comes up with phase 1 going active.  If I select "Status" -> "IPsec" from the menus I can see phase 1 established.  If I click "Show Child SA Entries", the section at the bottom shows bytes in and packets in increasing, but bytes out and packets out stay at zero.  Randomly within the 8 hour tunnel window, bytes out / packets out will suddenly start increasing and traffic between the two sites will work.  It will run for a while, 2-3 hours, and then drop.  I have opened a Cisco Meraki ticket and they checked the MX side; they "believe" the PFSense box is not seeing the request to build phase 2, which sounds odd.

      To note, I have 5 other IPsec tunnels from other locations going through this PFSense box without issue.
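When a phase 2 child SA passes traffic in only one direction or comes and goes, the first things to rule out are a proposal mismatch and traffic selectors that are not exact mirror images (IKEv1 quick mode requires them to match). The script below is an added example, not from the poster or from Netgate; it encodes the two sides' settings as described above (the actual subnets are placeholders, since the post only gives /16 and /24), reports any mismatch, and separately flags the deprecated algorithms in use (3DES, SHA1, DH group 2) as a risk to plan around even once the tunnel is stable.

```python
from ipaddress import ip_network

# Constructed from the post's settings; the subnets are placeholders (the post gives only /16 and /24).
PFSENSE = {
    "p1": {"ike": "ikev1", "enc": "3des", "hash": "sha1", "dh": 2, "lifetime": 28800},
    "p2": {"enc": "3des", "hash": "sha1", "pfs": None, "lifetime": 28800,
           "local": "10.10.0.0/16", "remote": "192.168.50.0/24"},
}
# The Meraki side as the mirror image: its "local" is pfSense's "remote" and vice versa.
MERAKI = {
    "p1": {"ike": "ikev1", "enc": "3des", "hash": "sha1", "dh": 2, "lifetime": 28800},
    "p2": {"enc": "3des", "hash": "sha1", "pfs": None, "lifetime": 28800,
           "local": "192.168.50.0/24", "remote": "10.10.0.0/16"},
}

# Algorithms deprecated for IPsec today; a mismatch breaks the tunnel, these are a risk.
WEAK = {"enc": {"des", "3des"}, "hash": {"md5", "sha1"}, "dh": {1, 2, 5}}


def proposal_mismatches(side_a, side_b):
    """Return human-readable mismatches between two peers' P1/P2 proposals and selectors."""
    issues = []
    for phase in ("p1", "p2"):
        for key in ("ike", "enc", "hash", "dh", "pfs", "lifetime"):
            if key not in side_a[phase]:
                continue
            if side_a[phase][key] != side_b[phase].get(key):
                issues.append(f"{phase}.{key}: {side_a[phase][key]} vs {side_b[phase].get(key)}")
    # IKEv1 quick mode needs exactly mirrored selectors: A.local == B.remote and A.remote == B.local.
    a_local, a_remote = ip_network(side_a["p2"]["local"]), ip_network(side_a["p2"]["remote"])
    b_local, b_remote = ip_network(side_b["p2"]["local"]), ip_network(side_b["p2"]["remote"])
    if a_local != b_remote:
        issues.append(f"p2.selector: A local {a_local} != B remote {b_remote}")
    if a_remote != b_local:
        issues.append(f"p2.selector: A remote {a_remote} != B local {b_local}")
    return issues


def weak_algorithms(side):
    """Flag deprecated algorithms in either phase (a review finding, independent of the mismatch check)."""
    findings = []
    for phase in ("p1", "p2"):
        for key, bad in WEAK.items():
            if side[phase].get(key) in bad:
                findings.append(f"{phase}.{key}={side[phase][key]}")
    return findings


if __name__ == "__main__":
    print("mismatches:", proposal_mismatches(PFSENSE, MERAKI) or "none")
    print("weak algorithms on pfSense side:", weak_algorithms(PFSENSE))
```

Feed it the real values from both GUIs; a selector that is wider on one side than the other (for example /16 on one peer and /24 on the other for the same network) shows up as a `p2.selector` line.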
