Meraki

Tony0727 · ‎Apr 12 2020

Hello,

I may be trying to do the impossible, but I am attempting to connect an IP phone through the client VPN. It seems to be getting stuck on Phase 1 using AES instead of 3DES. Is there any way to make the client VPN use AES for phase 1 instead?

PhilipDAth · ‎Apr 12 2020

Got it. I must be a bit slow today. If you open a support ticket they should be able to turn that on for you.

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Encryption_Method

Encryption Method

Client VPN uses the L2TP/IP protocol, with the following encryption and hashing algorithms: 3DES and SHA1 for Phase1, AES128/3DES and SHA1 for Phase2. As a best practice, the shared secret should not contain any special characters at the beginning or end.

Owing to changes in the PCI-DSS Standard version 3.2, some auditors are now enforcing requirements for stronger encryption than the Meraki Client VPN default settings provide. Please contact Meraki Support if these values need to be adjusted, but please be aware that some client devices may not support these more stringent requirements (AES128 encryption with DH group 5).

View solution in original post

PhilipDAth · ‎Apr 12 2020

You don't need to do anything to use AES. It will already be enabled (assuming you aren't running an ancient firmware).

Have you tested the client VPN from other devices and confirmed it is working?

Tony0727 · ‎Apr 12 2020

I am running 14.40.

I am able to connect my windows device and a Mikrotik router. On my Mikrotik if I set the Enc Algorith to just AES then I get the same result on the Meraki with no connection.

This is the event log:

Non-Meraki / Client VPN negotiation	msg: phase1 negotiation failed.
Non-Meraki / Client VPN negotiation	msg: failed to pre-process ph1 packet (side: 1, status 1).
Non-Meraki / Client VPN negotiation	msg: failed to get valid proposal.
Non-Meraki / Client VPN negotiation	msg: no suitable proposal found.

This is the packet capture:

20:46:18.436486 IP (tos 0x20, ttl 58, id 0, offset 0, flags [DF], proto UDP (17), length 465)
XXXXXXXXXXXX.500 > XXXXXXXXXXXXX.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 2ba7e236e92b62b7->0000000000000000: phase 1 I agg:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=2
(t: #1 id=ike (type=enc value=aes)(type=keylen value=0080)(type=hash value=sha2-256)(type=group desc value=modp1536)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=7080))
(t: #2 id=ike (type=enc value=aes)(type=keylen value=0080)(type=hash value=sha1)(type=group desc value=modp1536)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=7080))))
(ke: key len=192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
(nonce: n len=32 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
(id: idtype=FQDN protoid=0 port=0 len=5 XXXXX)
(vid: len=8 XXXXXXXXXXXXXXXXX)
(vid: len=16 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
(vid: len=16 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
(vid: len=16 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)

PhilipDAth · ‎Apr 12 2020

Haha, I thought your problem was with client VPN. Ok, so it is a site to site VPN.

Double check you have the Meraki phase 1 settings configured the same on both ends (encryption, hash and diffe-helman group).

Make sure the pre-shared key is the same. Perhaps try a simple key without any special characters for the moment like "password". Once you get it going you can make the key more complicated.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#Non-Meraki_VPN_peers

Next comes the phase 2 settings. Make sure the Microtek is configured to exactly mirror the encryption ranges configured on the Meraki.

Tony0727 · ‎Apr 12 2020

I am trying to use Client VPN, not site-site.

PhilipDAth · ‎Apr 12 2020

So you configured the Microtik to be an L2TP over IPSec client?

Tony0727 · ‎Apr 12 2020

Correct. And I am able to get the Mikrotik to connect just fine as long as 3DES is enabled. But like I said in my original post I am trying to get an IP phone connected to the client VPN but it appears to only be using AES and I dont see an option to change that on the phone. So I am wondering if there is a way to change the client VPN to use AES instead.

PhilipDAth · ‎Apr 12 2020

Got it. I must be a bit slow today. If you open a support ticket they should be able to turn that on for you.

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Encryption_Method

Encryption Method

Client VPN uses the L2TP/IP protocol, with the following encryption and hashing algorithms: 3DES and SHA1 for Phase1, AES128/3DES and SHA1 for Phase2. As a best practice, the shared secret should not contain any special characters at the beginning or end.

Owing to changes in the PCI-DSS Standard version 3.2, some auditors are now enforcing requirements for stronger encryption than the Meraki Client VPN default settings provide. Please contact Meraki Support if these values need to be adjusted, but please be aware that some client devices may not support these more stringent requirements (AES128 encryption with DH group 5).

Tony0727 · ‎Apr 13 2020

Gave them a call and they made the change. Thanks!

Meraki

Community

Client VPN Phase 1 AES

Client VPN Phase 1 AES

Encryption Method

Encryption Method