Hi all,
Complete newb to Meraki and VPN, sorry if this has been asked or a silly question.
Some time ago iOS stopped supporting SHA1 authentication on L2TP client VPN connections. I need to use my iPhone to connect to provide basic remote support on the go.
We have an MX device running site-to-site VPN in hub formation. The IKE setup for the non-Meraki peer is set to SHA256 for encryption but SHA1 for authentication. If we change authentication to SHA256, will this affect any of the existing site-to-site VPN connections? Does anything need to be changed at our DC because of this change?
Do you need any other info? Am I missing anything else here to make this clear?
Thank you for your help.
Site to site VPN configuration has nothing to do with VPN Client configuration.
They are totally different things.
Thanks but I don’t see IPSec settings in the client VPN. Where do I find this setting? Could you elaborate or provide a link for what I need?
Unfortunately it's not possible to change this configuration.
Client VPN uses 3DES encryption with SHA1 hashing algorithms for Phase 1, and AES128/3DES encryption with SHA1 hashing algorithms for Phase 2. As a best practice, the shared secret, or pre-shared key, should not contain special characters at the beginning or end.
Client VPN connections can only be established on the primary uplink.
Have you considered using AnyConnect?
Thanks for the explanation.
So the Phase 1 and Phase 2 settings are not applicable for client VPN connections? I thought I could change the authentication value to SHA256 instead of SHA1.
A new RADIUS server is outside of my job scope and budgetary means at the moment, so AnyConnect won't be an immediate solution at this time.
Thanks for the insight and suggestion.
One more consideration, this is the standard for L2TP, so there's nothing that can be changed on Meraki's side.
As @alemabrahao says, AnyConnect would be the best solution all around.
However, you can open a case with support and request they change the client VPN IPSec parameters. Note that every client that connects also has to be updated to use the same settings (or they will break). Changing these settings makes them incompatible with existing client connections.
If your iPhone supports it, you could try asking support to change it to:
AES128-CBC+SHA256+DH Group 14
@PhilipDAth, I'm not sure about that, because it's an L2TP standard.
If you use my client VPN wizard:
https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html
and tick "PCI compliant" - it does exactly this. It builds the Windows client VPN with stronger crypto, and you have to raise a support ticket to get the L2TP settings on the Meraki end changed.
Done it many times to allow companies to get a more PCI-compliant VPN solution.
That's exactly the point about support making any changes: as far as I remember, I haven't heard of support making these changes.
I'm curious and a little skeptical about this.
Thanks Philip. I'm a bit concerned about your comment about affecting existing clients. Will it affect client computers? You mean this should be done after hours? Do we have to fix existing Windows configurations?
I might suggest AnyConnect using Meraki cloud as the RADIUS server. It's more for our IT team to be able to support end users after hours. It won't be a company-wide deployment.
It only affects existing "client VPN" users - no other users will be affected.
If someone is using client VPN on Windows, and you get the setting changed to make it work on your iPhone - then the existing connections on Windows must be changed to match the new crypto connections or their client VPN will no longer work.
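The Windows side of the change Philip describes, as an added example that is not from this thread, from Meraki or from the linked wizard: it rebuilds a Windows L2TP/IPsec client VPN profile pinned to the parameters quoted above (AES128-CBC, SHA256, DH group 14) and then shows the policy the client will offer. The connection name, server hostname and pre-shared key are placeholders; the profile will only connect once support has applied the same parameters on the MX.

```powershell
# Added example (not Meraki's own procedure): re-create a Windows L2TP/IPsec
# client VPN profile so its IPsec proposal matches the strengthened
# parameters the MX has been changed to. Until the MX side is changed,
# Phase 1 will fail, which is the "existing clients break" effect above.
# Placeholder values (assumptions, not taken from the thread):
$ConnectionName = 'Meraki-Client-VPN'
$ServerAddress  = 'vpn.example.com'          # MX public hostname or IP
$Psk            = Read-Host 'L2TP pre-shared key'

# Drop any earlier profile so the old 3DES/SHA1 policy cannot linger.
Remove-VpnConnection -Name $ConnectionName -Force -ErrorAction SilentlyContinue

# Create the L2TP profile. MS-CHAPv2 is the user authentication the
# Meraki client VPN uses; EncryptionLevel Required refuses unencrypted PPP.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $Psk -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -Force

# Pin the IPsec proposal. Without this, Windows negotiates its defaults,
# which still include 3DES and SHA1.
#   IntegrityCheckMethod / EncryptionMethod / DHGroup  -> Phase 1 (IKE)
#   AuthenticationTransformConstants / CipherTransformConstants -> Phase 2 (ESP)
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -IntegrityCheckMethod SHA256 `
    -EncryptionMethod AES128 `
    -DHGroup Group14 `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES128 `
    -PfsGroup None -Force

# Check: the custom policy that will be offered at connect time.
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
```

Run it on one test machine first; if the output still shows the default policy, the Set-VpnConnectionIPsecConfiguration step did not apply and the client will keep negotiating 3DES/SHA1.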
Thanks so much. Will ask if we can test this on our UAT site, but this sounds promising. Your instructions are clear and helpful. Will run this by a colleague and plan/schedule/test the change.