The currently supported ciphers by MacOS High Sierra as pulled from a packet trace on our MX84 running firmware 15.33 are:
- Encryption: AES-256, Hashing: SHA-256, DH Group 14
- Encryption: AES-256, Hashing: SHA, DH Group 14
- Encryption: AES-256, Hashing: MD5, DH Group 14
- Encryption: AES-256, Hashing: SHA2-512, DH Group 14
- Encryption: AES-256, Hashing: SHA2-256, DH Group 5
- Encryption: AES-256, Hashing: SHA, DH Group 5
- Encryption: AES-256, Hashing: MD5, DH Group 5
- Encryption: AES-256, Hashing: SHA2-256, DH Group 2
- Encryption: AES-256, Hashing: SHA, DH Group 2
- Encryption: AES-256, Hashing: MD5, DH Group 2
- Encryption: AES-128, Hashing: SHA, DH Group 2
- Encryption: AES-128, Hashing: MD5, DH Group 2
- Encryption: 3DES, Hashing: SHA, DH Group 2
- Encryption: 3DES, Hashing: MD5, DH Group 2
These ciphers are not adjustable within MacOS AFAIK. I haven't pulled a trace for MacOS Mojave or Catalina, but doubt that the support for weaker ciphers has increased. 3DES, MD5, SHA, and DH groups below 14 are to be avoided as per Cisco (as of 2014), see https://community.cisco.com/t5/security-documents/diffie-hellman-groups/ta-p/3147010
DH Group 14 is minimally required for PCI compliance, but the required encryption level by MacOS (AES-256) is not enabled on the MX for client VPN. Upon request, Meraki support can switch client VPN encryption to DH Group 14 with AES-128 and SHA1-96 for PCI-compliant connections. This level of encryption is supported by Windows 10, but not by MacOS.
Since the MX appliance supports AES-256 for site-to-site VPN, it looks like Meraki made a choice not to support this key length for client VPN.
Bottom line: Meraki MX currently does not support PCI-compliant client VPN for MacOS. If you need this, send your wish to Meraki, or find a third-party MacOS VPN client.
