Client VPN Phase 1 AES

Solved
Tony0727
New here

Client VPN Phase 1 AES

Hello,

 

I may be trying to do the impossible, but I am attempting to connect an IP phone through the client VPN.  It seems to be getting stuck on Phase 1 using AES instead of 3DES.  Is there any way to make the client VPN use AES for phase 1 instead?

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

Got it.  I must be a bit slow today.  If you open a support ticket they should be able to turn that on for you.

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Encryption_Method 

Encryption Method

Client VPN uses the L2TP/IP protocol, with the following encryption and hashing algorithms: 3DES and SHA1 for Phase1, AES128/3DES and SHA1 for Phase2. As a best practice, the shared secret should not contain any special characters at the beginning or end.

 

Owing to changes in the PCI-DSS Standard version 3.2, some auditors are now enforcing requirements for stronger encryption than the Meraki Client VPN default settings provide. Please contact Meraki Support if these values need to be adjusted, but please be aware that some client devices may not support these more stringent requirements (AES128 encryption with DH group 5).

View solution in original post

8 Replies 8
PhilipDAth
Kind of a big deal
Kind of a big deal

You don't need to do anything to use AES.  It will already be enabled (assuming you aren't running an ancient firmware).

 

Have you tested the client VPN from other devices and confirmed it is working?

I am running 14.40.

 

I am able to connect my windows device and a Mikrotik router.  On my Mikrotik if I set the Enc Algorith to just AES then I get the same result on the Meraki with no connection.

 

This is the event log:

Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed.
Non-Meraki / Client VPN negotiationmsg: failed to pre-process ph1 packet (side: 1, status 1).
Non-Meraki / Client VPN negotiationmsg: failed to get valid proposal.
Non-Meraki / Client VPN negotiationmsg: no suitable proposal found.

 

This is the packet capture:

20:46:18.436486 IP (tos 0x20, ttl 58, id 0, offset 0, flags [DF], proto UDP (17), length 465)
XXXXXXXXXXXX.500 > XXXXXXXXXXXXX.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 2ba7e236e92b62b7->0000000000000000: phase 1 I agg:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=2
(t: #1 id=ike (type=enc value=aes)(type=keylen value=0080)(type=hash value=sha2-256)(type=group desc value=modp1536)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=7080))
(t: #2 id=ike (type=enc value=aes)(type=keylen value=0080)(type=hash value=sha1)(type=group desc value=modp1536)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=7080))))
(ke: key len=192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
(nonce: n len=32 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
(id: idtype=FQDN protoid=0 port=0 len=5 XXXXX)
(vid: len=8 XXXXXXXXXXXXXXXXX)
(vid: len=16 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
(vid: len=16 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
(vid: len=16 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)

PhilipDAth
Kind of a big deal
Kind of a big deal

Haha, I thought your problem was with client VPN.  Ok, so it is a site to site VPN.

 

Double check you have the Meraki phase 1 settings configured the same on both ends (encryption, hash and diffe-helman group).

Make sure the pre-shared key is the same.  Perhaps try a simple key without any special characters for the moment like "password".  Once you get it going you can make the key more complicated.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#Non-Meraki_VPN_peers 

 

Next comes the phase 2 settings.  Make sure the Microtek is configured to exactly mirror the encryption ranges configured on the Meraki.

I am trying to use Client VPN, not site-site.

PhilipDAth
Kind of a big deal
Kind of a big deal

So you configured the Microtik to be an L2TP over IPSec client?

Correct.  And I am able to get the Mikrotik to connect just fine as long as 3DES is enabled.  But like I said in my original post I am trying to get an IP phone connected to the client VPN but it appears to only be using AES and I dont see an option to change that on the phone.  So I am wondering if there is a way to change the client VPN to use AES instead.

PhilipDAth
Kind of a big deal
Kind of a big deal

Got it.  I must be a bit slow today.  If you open a support ticket they should be able to turn that on for you.

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Encryption_Method 

Encryption Method

Client VPN uses the L2TP/IP protocol, with the following encryption and hashing algorithms: 3DES and SHA1 for Phase1, AES128/3DES and SHA1 for Phase2. As a best practice, the shared secret should not contain any special characters at the beginning or end.

 

Owing to changes in the PCI-DSS Standard version 3.2, some auditors are now enforcing requirements for stronger encryption than the Meraki Client VPN default settings provide. Please contact Meraki Support if these values need to be adjusted, but please be aware that some client devices may not support these more stringent requirements (AES128 encryption with DH group 5).

Gave them a call and they made the change.  Thanks!

Get notified when there are additional replies to this discussion.