IPSec Issue with Meraki MX65 and PFSense box

  • Hello,
    I have a Meraki MX65 firewall with a site-to-site tunnel to a virtual PFSense box, software version (Current Base System 2.3.3_1).

    Meraki Settings
    Phase 1
    Encryption:  3DES
    Auth: SHA1
    DH Group 2
    Lifetime: 28800

    Phase 2
    Encryption:  3DES
    Auth:  SHA1
    PFS Group: OFF
    Lifetime: 28800

    PFSense Settings
    Key Exchange version:  IKEv1
    Internet Protocol:  IPv4
    Interface:  WAN
    Remote Gateway:  a public static IP
    Authentication Method:  Mutual PSK
    Negotiation Mode:  Main
    My Identifier:  IP Address (The local public static PFSense box IP)
    Peer Identifier:  IP Address (Same IP as above from Remote Gateway field)
    PSK:  The same on both sides, manually typed in
    Encryption Algorithm:  3DES
    Hash:  SHA1
    DHGroup 2
    Lifetime:  28800
    (Advanced Settings)
    NAT Traversal set to Auto
    Dead Peer Detection is enabled (delay 10, max failures 5)

    Phase 2
    Mode: Tunnel IPv4
    Local Network: "Network", IP subnet /16 (off to the right) for what is local to the PFSense box
    NAT/BINAT: None
    Remote Network: "Network", IP subnet /24 for what is local to the Meraki firewall site

    Phase 2 Proposal
    Protocol: ESP
    Encryption Algorithms:  Only 3DES checked
    Hash Algorithm:  Only SHA1 checked
    PFS Key Group: OFF
    Lifetime: 28800
    Ping Host:  IP of a server on remote end

    The tunnel comes up with phase 1 going active.  If I select "Status" -> "IPSEC" from the menus I can see phase 1 established.  If I click "Show Child SA Entries", the section at the bottom shows bytes in and packets in increasing, but bytes out and packets out are at zero.  Randomly within the 8-hour tunnel window, bytes out / packets out will suddenly start increasing and traffic between the two sites will work.  It will run for a while, 2-3 hours, and then drop.  I have opened a Cisco Meraki ticket and they checked the MX side; they "believe" the PFSense box is not seeing the request to build phase 2, which sounds odd.

    To note, I have 5 other IPSecs from other locations going through this PFSense box without issue.
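The symptom described above (bytes in rising while bytes out stays at zero on the child SA) is a one-way tunnel, and it is worth catching automatically rather than by eyeballing the status page. The script below is an added example, not code from the original post, pfSense or strongSwan: it parses the per-child-SA counter and traffic-selector lines in the style that strongSwan's `ipsec statusall` prints (pfSense 2.3 uses strongSwan underneath) and flags SAs that only carry traffic in one direction. The sample status text, connection names, SPIs, counters and subnets are constructed for the example, and the exact line layout is an assumption modelled on strongSwan output, so adjust the regexes if your version prints differently.

```python
"""Flag one-way IPsec child SAs from strongSwan-style status output (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, modelled on the child-SA lines of `ipsec statusall`.
# con1 mirrors the post: inbound counters rise, outbound stays at zero.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
   con1[3]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
   con1[3]: IKEv1 SPIs: 1a2b3c4d5e6f7081_i* 8f7e6d5c4b3a2910_r, pre-shared key reauthentication in 5 hours
   con1[3]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0a80001_i c0a80002_o
   con1{5}:  3DES_CBC/HMAC_SHA1_96, 48120 bytes_i (412 pkts, 3s ago), 0 bytes_o, rekeying in 7 hours
   con1{5}:   10.20.0.0/16 === 192.168.50.0/24
   con2[1]: ESTABLISHED 47 minutes ago, 203.0.113.10[203.0.113.10]...192.0.2.77[192.0.2.77]
   con2{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0a80003_i c0a80004_o
   con2{2}:  3DES_CBC/HMAC_SHA1_96, 9031 bytes_i (88 pkts, 1s ago), 11210 bytes_o (90 pkts, 1s ago), rekeying in 6 hours
   con2{2}:   10.20.0.0/16 === 172.16.9.0/24
"""

# Counter line: "<name>{<id>}:  <algs>, N bytes_i (P pkts, ...), M bytes_o (Q pkts, ...), ..."
# The "(P pkts, ...)" group is absent when the counter is zero, hence optional.
COUNTER_RE = re.compile(
    r"^\s*(?P<name>\w+)\{(?P<id>\d+)\}:\s+(?P<algs>\S+),\s+"
    r"(?P<bi>\d+) bytes_i(?: \((?P<pi>\d+) pkts, [^)]*\))?,\s+"
    r"(?P<bo>\d+) bytes_o(?: \((?P<po>\d+) pkts, [^)]*\))?"
)
# Traffic-selector line: "<name>{<id>}:   <local-subnet> === <remote-subnet>"
TS_RE = re.compile(r"^\s*(?P<name>\w+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)")


@dataclass
class ChildSA:
    name: str
    sa_id: int
    algs: str = ""
    bytes_in: int = 0
    bytes_out: int = 0
    pkts_in: int = 0
    pkts_out: int = 0
    local: str = ""
    remote: str = ""


def parse_child_sas(status_text: str) -> List[ChildSA]:
    """Collect one ChildSA per {id}, merging its counter and selector lines."""
    sas: Dict[Tuple[str, int], ChildSA] = {}
    for line in status_text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            key = (m["name"], int(m["id"]))
            sa = sas.setdefault(key, ChildSA(*key))
            sa.algs = m["algs"]
            sa.bytes_in, sa.bytes_out = int(m["bi"]), int(m["bo"])
            sa.pkts_in, sa.pkts_out = int(m["pi"] or 0), int(m["po"] or 0)
            continue
        m = TS_RE.match(line)
        if m:
            key = (m["name"], int(m["id"]))
            sa = sas.setdefault(key, ChildSA(*key))
            sa.local, sa.remote = m["local"], m["remote"]
    return list(sas.values())


def classify(sa: ChildSA) -> str:
    """idle / no_outbound / no_inbound / ok, based on the two byte counters."""
    if sa.bytes_in == 0 and sa.bytes_out == 0:
        return "idle"          # SA is up but nothing has used it yet
    if sa.bytes_out == 0:
        return "no_outbound"   # peer sends to us, nothing leaves: the post's symptom
    if sa.bytes_in == 0:
        return "no_inbound"    # we send, peer never answers through this SA
    return "ok"


def find_one_way(sas: List[ChildSA]) -> List[ChildSA]:
    """Return only the SAs that carry traffic in a single direction."""
    return [sa for sa in sas if classify(sa) in ("no_outbound", "no_inbound")]


if __name__ == "__main__":
    for sa in parse_child_sas(SAMPLE_STATUS):
        print(f"{sa.name}{{{sa.sa_id}}} {sa.local} === {sa.remote}: "
              f"in={sa.bytes_in}B/{sa.pkts_in}p out={sa.bytes_out}B/{sa.pkts_out}p -> {classify(sa)}")
```

On a live box the same functions can be fed the real output of `ipsec statusall` (or polled on an interval) so that an SA stuck in `no_outbound` for more than one poll raises an alert instead of waiting for users to notice the site is unreachable. A selector line with no matching counter line still yields a ChildSA with zero counters, which classifies as idle, so a freshly negotiated SA is not mistaken for a broken one.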

