Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Meraki Client VPN & Passing PCI Compliance Scans

Network-dad
A model citizen
‎Jun 17 2020 2:27 PM
‎Jun 17 2020 2:27 PM

Meraki Client VPN & Passing PCI Compliance Scans

Hello Everyone, 

Hopefully this can help someone who is having issues with Client VPN and PCI. Hopefully this is helpful We were having issues passing PCI scans due to Meraki Client VPN.. After several call Meraki Support change the Client VPN Encryption to more stringent requirements (AES128 encryption with DH group 14 - Required by PCI-DSS 3.2). Now had to update all my end points to use this new encryption standard and configure the Meraki Client VPN... I was able to cerate a small PowerShell Script to automate this process for me and set all the settings needed.

 

$ServerAddress = "xxx.xxx.xxx.xxx"
$ConnectionName = "Meraki Client VPN"
$PresharedKey = "A Password"
Add-VpnConnection -Name "$ConnectionName" -ServerAddress "$ServerAddress" -TunnelType L2tp -L2tpPsk "$PresharedKey" -AuthenticationMethod PAP -Force
Start-Sleep -m 100
New-NetIPsecMainModeCryptoProposal -Encryption AESGCM128 -Hash SHA1 -KeyExchange DH14

 

Please note this only works on Windows 10 as far as I can tell. 

 

Meraki also has put out an article about there recommended settings for this: 

https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps

 

Hopefully this was helpful and if you have any questions please feel free to ask and ill do the best I can. 

 

Dakota Snow | Network-dad Linkdedin
CMNO | A+ | ECMS2
Check out The Bearded I.T. Dad onThe Bearded I.T. DadThe Bearded I.T. Dad
Subscribe
11 Replies 11
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 18 2020 4:00 AM
‎Jun 18 2020 4:00 AM

Whoa!  That is gold.

 

I assume you can specify multiple encryption options, to make both the weaker and stronger work at the same time?

 

I need to do some experiments with this.

 

Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 18 2020 4:15 AM
‎Jun 18 2020 4:15 AM

Can you use SHA256 as well, and get rid of the horrible SHA1?

Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 18 2020 4:22 AM
‎Jun 18 2020 4:22 AM

When you had Meraki update your client VPN settings - did you specify what you wanted, or they told you what you were going to get?

Subscribe
In response to PhilipDAth
Network-dad
A model citizen
‎Jun 18 2020 8:38 AM
‎Jun 18 2020 8:38 AM

@PhilipDAth Thank you for all the questions.

@PhilipDAth wrote:

I assume you can specify multiple encryption options, to make both the weaker and stronger work at the same time

I'm not sure yet I need to do some exploring with this and develop this more.

 

@PhilipDAth wrote:

Can you use SHA256 as well, and get rid of the horrible SHA1?

As far as I'm aware Sha256 is not currently supported by Meraki MX firewalls 😣

 

@PhilipDAth wrote:

When you had Meraki update your client VPN settings - did you specify what you wanted, or they told you what you were going to get?

Meraki recommended DH5 and a requested to go up to DH14.. wanted it to be a bit more secure. 

 

 

Hope this was helpful.

Dakota Snow | Network-dad Linkdedin
CMNO | A+ | ECMS2
Check out The Bearded I.T. Dad onThe Bearded I.T. DadThe Bearded I.T. Dad
Subscribe
In response to Network-dad
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 18 2020 4:24 PM
‎Jun 18 2020 4:24 PM

I will look into this further. 

Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 21 2020 3:11 AM
‎Jun 21 2020 3:11 AM

I've updated my client VPN wizard so it can now make PCI compliant client VPN connections.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

 

>New-NetIPsecMainModeCryptoProposal -Encryption AESGCM128 -Hash SHA1 -KeyExchange DH14

 

I've experimented with this - and AESGCM128 does not work.  Only AES128-CBC works.

Subscribe
BMG71
Here to help
‎Feb 3 2022 6:27 AM
‎Feb 3 2022 6:27 AM

Hi Philip 
Love your script so far. Works awesome for Win 10 w/ PCI compliance. Unfortunately, it does not work well with Win 11. 
With no PCI I am getting an error with the section: # Detect and Delete Previous VPN Profile
It would just post an error message and then shut down Powershell. Once I commented that section out it worked great
With PCI it is not working with Win 11 and I am getting the general error

BMG71_0-1643903433686.png

 



0 Kudos
Subscribe
In response to BMG71
Dylan_Adank
Conversationalist
‎Feb 17 2022 7:00 AM
‎Feb 17 2022 7:00 AM

I am getting the same error 😞 Love the script for Windows 10 though! 

0 Kudos
Subscribe
BMG71
Here to help
‎Feb 17 2022 7:02 AM
‎Feb 17 2022 7:02 AM

Fixed Win 11 error with 
Set-VpnConnectionIPsecConfiguration -ConnectionName "vpnprofile" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group14 -PassThru -Force

Subscribe
In response to BMG71
Dylan_Adank
Conversationalist
‎Feb 17 2022 7:28 AM
‎Feb 17 2022 7:28 AM

That worked great! Thank you so much!!

0 Kudos
Subscribe
In response to BMG71
RockHopper
Conversationalist
‎Mar 7 2022 11:50 AM
‎Mar 7 2022 11:50 AM

Was receiving same error on Win 11, thanks for you fix. Question is: were you then able to successfully perform a L2TP connection from Win 11 to Meraki MX that had been changed to AES128 and DH group14? 

 

Earlier in this thread there was some mention of running: New-NetIPsecMainModeCryptoProposal 

Is that command needed as well and does it affect VPN to Meraki MX devices that haven't been changed?

 

Thanks,

John

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.