Hello Everyone,
Hopefully this can help someone who is having issues with Client VPN and PCI. We were having issues passing PCI scans due to Meraki Client VPN. After several calls, Meraki Support changed the Client VPN encryption to more stringent requirements (AES128 encryption with DH group 14, required by PCI-DSS 3.2). Now I had to update all my endpoints to use this new encryption standard and configure the Meraki Client VPN. I was able to create a small PowerShell script to automate this process for me and set all the settings needed.
# Replace with the MX public IP and the Client VPN shared secret
$ServerAddress = "xxx.xxx.xxx.xxx"
$ConnectionName = "Meraki Client VPN"
$PresharedKey = "A Password"
# Create the L2TP/IPsec profile using the pre-shared key and PAP authentication
Add-VpnConnection -Name "$ConnectionName" -ServerAddress "$ServerAddress" -TunnelType L2tp -L2tpPsk "$PresharedKey" -AuthenticationMethod PAP -Force
# Short pause before adjusting the IPsec proposal
Start-Sleep -m 100
# Main mode proposal: AES-GCM128 encryption, SHA1 hash, DH group 14
New-NetIPsecMainModeCryptoProposal -Encryption AESGCM128 -Hash SHA1 -KeyExchange DH14
Please note this only works on Windows 10 as far as I can tell.
Meraki also has put out an article about their recommended settings for this:
https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps
Hopefully this was helpful, and if you have any questions please feel free to ask and I'll do the best I can.
Whoa! That is gold.
I assume you can specify multiple encryption options, to make both the weaker and stronger work at the same time?
I need to do some experiments with this.
Can you use SHA256 as well, and get rid of the horrible SHA1?
When you had Meraki update your client VPN settings - did you specify what you wanted, or they told you what you were going to get?
@PhilipDAth Thank you for all the questions.
@PhilipDAth wrote: I assume you can specify multiple encryption options, to make both the weaker and stronger work at the same time?
I'm not sure yet; I need to do some exploring with this and develop this more.
@PhilipDAth wrote: Can you use SHA256 as well, and get rid of the horrible SHA1?
As far as I'm aware, SHA256 is not currently supported by Meraki MX firewalls 😣
@PhilipDAth wrote: When you had Meraki update your client VPN settings - did you specify what you wanted, or they told you what you were going to get?
Meraki recommended DH5 and I requested to go up to DH14. I wanted it to be a bit more secure.
Hope this was helpful.
I will look into this further.
I've updated my client VPN wizard so it can now make PCI compliant client VPN connections.
https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html
>New-NetIPsecMainModeCryptoProposal -Encryption AESGCM128 -Hash SHA1 -KeyExchange DH14
I've experimented with this - and AESGCM128 does not work. Only AES128-CBC works.
Hi Philip
Love your script so far. Works awesome for Win 10 w/ PCI compliance. Unfortunately, it does not work well with Win 11.
With no PCI I am getting an error with the section: # Detect and Delete Previous VPN Profile
It would just post an error message and then shut down PowerShell. Once I commented that section out it worked great.
With PCI it is not working with Win 11 and I am getting the general error.
I am getting the same error 😞 Love the script for Windows 10 though!
Fixed Win 11 error with:
Set-VpnConnectionIPsecConfiguration -ConnectionName "vpnprofile" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group14 -PassThru -Force
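Putting the thread's two pieces together (the Add-VpnConnection profile from the first post and the Set-VpnConnectionIPsecConfiguration fix for Win 11 just above), here is an added, combined PowerShell script; it is not code from any poster in this thread. The server address and shared secret are placeholders, and the final check assumes the custom policy is exposed through the IPsecCustomPolicy property of the connection object that -PassThru returns.

```powershell
# Assumed placeholders: replace with the MX public IP/hostname and the Client VPN shared secret.
$ServerAddress  = "vpn.example.invalid"
$ConnectionName = "Meraki Client VPN"
$PresharedKey   = "REPLACE-WITH-SHARED-SECRET"

# 1. Remove a stale profile of the same name, if one exists, rather than letting Add-VpnConnection
#    fail on it. -ErrorAction SilentlyContinue stops Get-VpnConnection from aborting the script
#    when no such profile is present (the "Detect and Delete Previous VPN Profile" failure above).
$existing = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if ($existing) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

# 2. Create the L2TP/IPsec profile with the pre-shared key and PAP, as in the first post.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType L2tp `
    -L2tpPsk $PresharedKey -AuthenticationMethod PAP -Force

# 3. Pin the IPsec proposal to what the MX was reconfigured to: AES128-CBC, SHA1, DH group 14.
#    This is the per-connection setting that worked on Win 11 in the thread.
$conn = Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 `
    -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 `
    -PfsGroup None -DHGroup Group14 -PassThru -Force

# 4. Verify before handing the machine back: the custom policy must show DH group 14 and AES128.
#    Assumption: the policy is readable from the IPsecCustomPolicy property of the returned object.
$policy = $conn.IPsecCustomPolicy
if ($null -eq $policy -or $policy.DHGroup -ne 'Group14' -or $policy.EncryptionMethod -ne 'AES128') {
    throw "IPsec policy on '$ConnectionName' is not AES128/DH14: $($policy | Out-String)"
}
Write-Output "Profile '$ConnectionName' created with AES128-CBC / SHA1 / DH group 14."
```

The same check can be re-run later with `(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy` to confirm an endpoint still carries the pinned settings.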
That worked great! Thank you so much!!
Was receiving same error on Win 11, thanks for your fix. Question is: were you then able to successfully perform an L2TP connection from Win 11 to a Meraki MX that had been changed to AES128 and DH group 14?
Earlier in this thread there was some mention of running: New-NetIPsecMainModeCryptoProposal
Is that command needed as well and does it affect VPN to Meraki MX devices that haven't been changed?
Thanks,
John