L2TP/IPSec client VPN ciphers supported by MacOS

SvenS
Conversationalist

L2TP/IPSec client VPN ciphers supported by MacOS

The currently supported ciphers by MacOS High Sierra as pulled from a packet trace on our MX84 running firmware 15.33 are:

  1. Encryption: AES-256, Hashing: SHA-256, DH Group 14
  2. Encryption: AES-256, Hashing: SHA, DH Group 14
  3. Encryption: AES-256, Hashing: MD5, DH Group 14
  4. Encryption: AES-256, Hashing: SHA2-512, DH Group 14
  5. Encryption: AES-256, Hashing: SHA2-256, DH Group 5
  6. Encryption: AES-256, Hashing: SHA, DH Group 5
  7. Encryption: AES-256, Hashing: MD5, DH Group 5
  8. Encryption: AES-256, Hashing: SHA2-256, DH Group 2
  9. Encryption: AES-256, Hashing: SHA, DH Group 2
  10. Encryption: AES-256, Hashing: MD5, DH Group 2
  11. Encryption: AES-128, Hashing: SHA, DH Group 2
  12. Encryption: AES-128, Hashing: MD5, DH Group 2
  13. Encryption: 3DES, Hashing: SHA, DH Group 2
  14. Encryption: 3DES, Hashing: MD5, DH Group 2

These ciphers are not adjustable within MacOS AFAIK. I haven't pulled a trace for MacOS Mojave or Catalina, but doubt that the support for weaker ciphers has increased. 3DES, MD5, SHA, and DH groups below 14 are to be avoided as per Cisco (as of 2014), see https://community.cisco.com/t5/security-documents/diffie-hellman-groups/ta-p/3147010


DH Group 14 is minimally required for PCI compliance, but the required encryption level by MacOS (AES-256) is not enabled on the MX for client VPN. Upon request, Meraki support can switch client VPN encryption to DH Group 14 with AES-128 and SHA1-96 for PCI-compliant connections. This level of encryption is supported by Windows 10, but not by MacOS.

Since the MX appliance supports AES-256 for site-to-site VPN, it looks like Meraki made a choice not to support this key length for client VPN.


Bottom line: Meraki MX currently does not support PCI-compliant client VPN for MacOS. If you need this, send your wish to Meraki, or find a third-party MacOS VPN client.

3 Replies 3
LetGo_Fast_Adam
New here

running into this concern ourselves - I opened a support ticket and was advised:  for clearings PCI compliance we use modp2048 and aes128

 

which seems to be the same as you've mentioned from months back

 

resulting in:  aes128 for encryption and Diffie Hellman Group 14 with modp2048

 

That leads me to believe this back-end change support can make would result in a config that macOS X will not support with the built-in macOS and iOS VPN clients?

 

 

-Adam

Correct.

The changed parameters for the client VPN support these parameters (as per Windows VPN setup):

<CryptographySuite>
     <AuthenticationTransformConstants>SHA196</AuthenticationTransformConstants>
     <CipherTransformConstants>AES128</CipherTransformConstants>
     <EncryptionMethod>AES128</EncryptionMethod>
     <IntegrityCheckMethod>SHA196</IntegrityCheckMethod>
     <DHGroup>Group14</DHGroup>
</CryptographySuite>

 

These settings are not supported by settings in the MacOS built-in clients. 

@Meraki: Why aren't you changing to a setup that supports PCI-compliant VPN in Windows and MacOS? It would seem that using AES256 instead of AES128 would suffice.

So is there no way to get Mac OS to work with those standards?

Does Meraki support OpenVPN clients or such?
https://www.makeuseof.com/tag/best-free-mac-vpn-clients/

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels