Meraki Client VPN & Passing PCI Compliance Scans

Network-dad
A model citizen


Hello Everyone,

Hopefully this can help someone who is having issues with Client VPN and PCI. We were having issues passing PCI scans due to Meraki Client VPN. After several calls, Meraki Support changed the Client VPN encryption to more stringent requirements (AES128 encryption with DH group 14, required by PCI DSS 3.2). I then had to update all my endpoints to use this new encryption standard and configure the Meraki Client VPN. I was able to create a small PowerShell script to automate this process for me and set all the settings needed.

 

# Connection parameters (placeholders: the MX public IP or hostname and the Client VPN shared secret)
$ServerAddress = "xxx.xxx.xxx.xxx"
$ConnectionName = "Meraki Client VPN"
$PresharedKey = "A Password"
# Create the L2TP/IPsec profile; Meraki Client VPN authenticates users with PAP inside the tunnel
Add-VpnConnection -Name "$ConnectionName" -ServerAddress "$ServerAddress" -TunnelType L2tp -L2tpPsk "$PresharedKey" -AuthenticationMethod PAP -Force
Start-Sleep -Milliseconds 100
# Main-mode proposal: AES-GCM-128 encryption, SHA1 integrity, DH group 14 key exchange
New-NetIPsecMainModeCryptoProposal -Encryption AESGCM128 -Hash SHA1 -KeyExchange DH14

 

Please note this only works on Windows 10 as far as I can tell. 

 

Meraki also has put out an article about their recommended settings for this:

https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps

 

Hopefully this was helpful, and if you have any questions please feel free to ask and I'll do the best I can.

 

Dakota Snow | Network-dad LinkedIn
CMNO | A+ | ECMS2
Check out The Bearded I.T. Dad
PhilipDAth
Kind of a big deal

Whoa!  That is gold.

 

I assume you can specify multiple encryption options, to make both the weaker and stronger work at the same time?

 

I need to do some experiments with this.

 

PhilipDAth
Kind of a big deal

Can you use SHA256 as well, and get rid of the horrible SHA1?

PhilipDAth
Kind of a big deal

When you had Meraki update your client VPN settings - did you specify what you wanted, or they told you what you were going to get?

@PhilipDAth Thank you for all the questions.


@PhilipDAth wrote:

I assume you can specify multiple encryption options, to make both the weaker and stronger work at the same time


I'm not sure yet I need to do some exploring with this and develop this more.

 


@PhilipDAth wrote:

Can you use SHA256 as well, and get rid of the horrible SHA1?


As far as I'm aware, SHA256 is not currently supported by Meraki MX firewalls 😣

 


@PhilipDAth wrote:

When you had Meraki update your client VPN settings - did you specify what you wanted, or they told you what you were going to get?


Meraki recommended DH5 and I requested to go up to DH14. I wanted it to be a bit more secure.

 

 

Hope this was helpful.

Dakota Snow | Network-dad LinkedIn
CMNO | A+ | ECMS2
Check out The Bearded I.T. Dad

I will look into this further. 

PhilipDAth
Kind of a big deal

I've updated my client VPN wizard so it can now make PCI compliant client VPN connections.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

 

> New-NetIPsecMainModeCryptoProposal -Encryption AESGCM128 -Hash SHA1 -KeyExchange DH14

 

I've experimented with this - and AESGCM128 does not work.  Only AES128-CBC works.

BMG71
Here to help

Hi Philip,
Love your script so far. It works awesomely for Win 10 with PCI compliance. Unfortunately, it does not work well with Win 11.
With no PCI I am getting an error with the section: # Detect and Delete Previous VPN Profile
It would just post an error message and then shut down PowerShell. Once I commented that section out it worked great.
With PCI it is not working with Win 11 and I am getting the general error:

[screenshot of the error message]

 



Dylan_Adank
Conversationalist

I am getting the same error 😞 Love the script for Windows 10 though! 

BMG71
Here to help

Fixed the Win 11 error with:

# Pin the IPsec policy for the named connection: AES128-CBC, SHA1 integrity, DH group 14, no PFS
Set-VpnConnectionIPsecConfiguration -ConnectionName "vpnprofile" `
    -AuthenticationTransformConstants SHA196 `
    -CipherTransformConstants AES128 `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA1 `
    -PfsGroup None `
    -DHGroup Group14 `
    -PassThru -Force
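The following script is an added example that puts together the procedure from the original post (create the L2TP/IPsec profile) and the Set-VpnConnectionIPsecConfiguration fix above into one runnable whole. It is not any poster's script. The connection name, server address and pre-shared key are placeholders to be replaced; the cipher settings are the ones reported to work on both Windows 10 and 11 in this thread (AES128-CBC rather than GCM, SHA1 because SHA256 is reported as unsupported on the MX side, DH group 14). Unlike New-NetIPsecMainModeCryptoProposal, which builds a proposal object for use with New-NetIPsecMainModeCryptoSet, Set-VpnConnectionIPsecConfiguration stores the policy on the named VPN profile itself.

```powershell
# Added example, not the script from this thread. Run in an elevated PowerShell on Windows 10/11.
# Placeholders (assumed, replace before use): connection name, MX address, pre-shared key.
param(
    [string]$ConnectionName = "Meraki Client VPN",
    [string]$ServerAddress  = "vpn.example.com",          # MX public IP or DDNS hostname
    [string]$PresharedKey   = "replace-with-your-psk"
)

# 1. Remove a stale profile with the same name so Add-VpnConnection does not fail.
#    -ErrorAction SilentlyContinue keeps the script going when no such profile exists.
$existing = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if ($existing) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

# 2. Create the L2TP/IPsec profile. Meraki Client VPN authenticates users with PAP inside the
#    L2TP tunnel; the IPsec layer is what protects those credentials on the wire.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType L2tp `
    -L2tpPsk $PresharedKey `
    -AuthenticationMethod PAP `
    -Force

# 3. Pin the IPsec policy for this profile only. Settings as reported working in this thread:
#    AES128-CBC encryption, SHA1 integrity, DH group 14, no PFS.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants SHA196 `
    -CipherTransformConstants AES128 `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA1 `
    -DHGroup Group14 `
    -PfsGroup None `
    -Force

# 4. Show what was actually stored. IPsecCustomPolicy is empty on a profile that still uses
#    the Windows defaults and populated once a custom policy has been applied.
$vpn = Get-VpnConnection -Name $ConnectionName
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod | Format-List
$vpn.IPsecCustomPolicy | Format-List

# 5. Optional: dial with the built-in dialer and confirm the tunnel came up.
# rasdial "$ConnectionName" <username> <password>
# (Get-VpnConnection -Name $ConnectionName).ConnectionStatus
```

If the MX has not yet been switched to the stricter settings by Meraki Support, step 3 will make the client offer only AES128/DH14 and the connection will fail; apply the client change after the MX side has been updated, or revert with `Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName -RevertToDefault -Force`.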

Dylan_Adank
Conversationalist

That worked great! Thank you so much!!

RockHopper
Conversationalist

Was receiving the same error on Win 11, thanks for your fix. Question is: were you then able to successfully perform an L2TP connection from Win 11 to a Meraki MX that had been changed to AES128 and DH group 14?

 

Earlier in this thread there was some mention of running: New-NetIPsecMainModeCryptoProposal 

Is that command needed as well and does it affect VPN to Meraki MX devices that haven't been changed?

 

Thanks,

John
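On the question of whether the change affects other VPN profiles: Set-VpnConnectionIPsecConfiguration takes a -ConnectionName, so the pinned policy is stored with that one profile and other profiles keep negotiating the Windows defaults. The script below is an added example, not code from this thread, that audits every VPN profile on the machine and reports which ones are pinned to the AES128 / SHA1 / DH14 settings discussed here. It relies only on the IPsecCustomPolicy object that Get-VpnConnection returns.

```powershell
# Added example, not code from this thread. Reports the IPsec policy of every VPN profile
# Windows knows about and compares it with the settings from this thread.

# Target settings from the thread (AES128-CBC, SHA1 integrity, DH group 14).
$Required = @{
    EncryptionMethod     = 'AES128'
    IntegrityCheckMethod = 'SHA1'
    DHGroup              = 'Group14'
}

function Get-VpnPolicyReport {
    param([Parameter(Mandatory)] $Connection)

    $policy = $Connection.IPsecCustomPolicy
    if (-not $policy) {
        # Empty IPsecCustomPolicy: Set-VpnConnectionIPsecConfiguration has never been applied,
        # so Windows negotiates its default proposals with this peer.
        return [pscustomobject]@{
            Name   = $Connection.Name
            Tunnel = $Connection.TunnelType
            Policy = 'Windows default (not pinned)'
            Gaps   = ''
        }
    }

    # Compare each required setting with what is stored on the profile.
    $gaps = foreach ($setting in $Required.Keys) {
        $actual = "$($policy.$setting)"
        if ($actual -ne $Required[$setting]) {
            "$setting=$actual (want $($Required[$setting]))"
        }
    }

    [pscustomobject]@{
        Name   = $Connection.Name
        Tunnel = $Connection.TunnelType
        Policy = if ($gaps) { 'pinned, does not match' } else { 'pinned, matches' }
        Gaps   = ($gaps -join '; ')
    }
}

# Per-user profiles plus all-user (phonebook) profiles; -ErrorAction keeps going if a set is empty.
$connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
               @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

$connections | ForEach-Object { Get-VpnPolicyReport -Connection $_ } | Format-Table -AutoSize

# To undo a pinned policy on one profile without touching the others:
# Set-VpnConnectionIPsecConfiguration -ConnectionName "Meraki Client VPN" -RevertToDefault -Force
```

A profile reported as "Windows default (not pinned)" is one that the change in this thread has not touched; only profiles you explicitly pass to Set-VpnConnectionIPsecConfiguration show up as pinned.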
