Meraki

Community

Meraki VPN Client with PCI Compliance.

ncowger
Here to help
‎Feb 28 2020 9:26 AM
‎Feb 28 2020 9:26 AM

Meraki VPN Client with PCI Compliance.

The following page suggests that PCI compliance is possible with the Meraki Client VPN as long as support enables DH5 on that particular Security appliance.  Has anyone been able to do this and connect with Win 10 VPN?

 

https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps

0 Kudos
13 Replies 13
Nash
Kind of a big deal
‎Feb 28 2020 9:34 AM
‎Feb 28 2020 9:34 AM

The increased encryption worked in Windows 10 last time I tried it.That was about 6 months ago.

 

If I recall correctly, it may not be supported by MacOS in case that's a concern.

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
ncowger
Here to help
‎Feb 28 2020 9:39 AM
‎Feb 28 2020 9:39 AM

Thanks. Do you have any details of what was needed on the client side? Did you have to make any changes to the client itself? We we see it failing phase 1 after Meraki enabled the encryption.
0 Kudos
In response to ncowger
Nash
Kind of a big deal
‎Feb 28 2020 9:43 AM
‎Feb 28 2020 9:43 AM

Hmm. No, for me it just worked. Setup a new connection using one of my scripts (see sig), connected just fine with Meraki Cloud creds.

 

I tested with an MX65, on Win10 1809.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
ncowger
Here to help
‎Feb 28 2020 10:03 AM
‎Feb 28 2020 10:03 AM

OK, thank you. We may have to reach out to Meraki to see if it is setup correctly on the MX.
In response to ncowger
ncowger
Here to help
‎Feb 28 2020 12:27 PM
‎Feb 28 2020 12:27 PM

So Meraki support bumped the key exchange up to DH14 and it worked.  Go figure...

In response to ncowger
Nash
Kind of a big deal
‎Feb 28 2020 1:16 PM
‎Feb 28 2020 1:16 PM

Oooh right. I checked my ticket history: I had them up it to AES128/DH14. That's when it worked.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
ntru42
Conversationalist
‎Apr 30 2020 12:54 PM
‎Apr 30 2020 12:54 PM

Hi,

 

I'm curious what settings you have configured for this to work with 128AES/DH Group 14.  I have this set for meraki and we aren't able to connect using windows 10 vpn but our mac users can connect with no issues.

0 Kudos
In response to ntru42
ncowger
Here to help
‎Apr 30 2020 1:50 PM
‎Apr 30 2020 1:50 PM

Did you contact Meraki Support to have them enable it on your dashboard? We had to do that.
0 Kudos
In response to ncowger
ntru42
Conversationalist
‎Apr 30 2020 3:46 PM
‎Apr 30 2020 3:46 PM

Yes I did.  For some reason when I set the configuration according to their guide I couldn't get it to work and it would fail phase 1.  I tried my default configuration that was working before we enabled the higher encryption and it just worked. Thanks.

0 Kudos
In response to ncowger
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 28 2020 1:56 PM
‎Feb 28 2020 1:56 PM

>So Meraki support bumped the key exchange up to DH14 and it worked.

 

Just to play devils advocate, one end (the MX in this case) offers the encryption settings it is prepared to accept.  The client chooses and then says "I would like to use this" and they continue on.

 

Lets say DH2 and DH14 were offered but your client only supported DH2 - it will connect using DH2.  Just because you have something strong enabled does not imply it is being used.

 

I don't know how to verify it - but if it is important you should find a way to verify the settings that Windows 10 has actually negotiated.  Alternatively, you may need to find a way to configure the client to only use a specific set of crypto settings.

 

Otherwise it may not choose something just because you want it to.  🙂

0 Kudos
In response to PhilipDAth
Nash
Kind of a big deal
‎Feb 28 2020 2:22 PM
‎Feb 28 2020 2:22 PM

I think the question is then "When support changes the encryption/DH settings on client VPN, does the MX then offer only those settings?"

 

If it offers multiple, one may be able to use Set-VpnConnectionIPsecConfiguration to manually designate the acceptable parameters. I haven't tried it. I'm not seeing any easy way to check which parameters it would actually be using on Windows' end but again... I haven't tried it. 🙂

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 28 2020 2:24 PM
‎Feb 28 2020 2:24 PM

>I think the question is then "When support changes the encryption/DH settings on client VPN, does the MX then offer only those settings?"

 

Whoever next opens a support case to have the setting changed should ask this.

0 Kudos
akatoast
New here
‎Feb 25 2022 4:15 AM
‎Feb 25 2022 4:15 AM

I have contacted support and they have applied DH14 and AES 128 but we are still failing. Error basically says "Remote Access Service Detected. CVE: CVE-NO-MATCH". This is on port 500 using UDP. We have no idea what to do next. We even turned off the client vpn but that had no effect.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.