The following page suggests that PCI compliance is possible with the Meraki Client VPN as long as support enables DH5 on that particular Security appliance. Has anyone been able to do this and connect with Win 10 VPN?
https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps
The increased encryption worked in Windows 10 last time I tried it. That was about 6 months ago.
If I recall correctly, it may not be supported by MacOS in case that's a concern.
Hmm. No, for me it just worked. Set up a new connection using one of my scripts (see sig), connected just fine with Meraki Cloud creds.
I tested with an MX65, on Win10 1809.
So Meraki support bumped the key exchange up to DH14 and it worked. Go figure...
Oooh right. I checked my ticket history: I had them up it to AES128/DH14. That's when it worked.
Hi,
I'm curious what settings you have configured for this to work with 128AES/DH Group 14. I have this set for Meraki and we aren't able to connect using Windows 10 VPN, but our Mac users can connect with no issues.
Yes I did. For some reason when I set the configuration according to their guide I couldn't get it to work and it would fail phase 1. I tried my default configuration that was working before we enabled the higher encryption and it just worked. Thanks.
>So Meraki support bumped the key exchange up to DH14 and it worked.
Just to play devil's advocate, one end (the MX in this case) offers the encryption settings it is prepared to accept. The client chooses and then says "I would like to use this" and they continue on.
Let's say DH2 and DH14 were offered but your client only supported DH2 - it will connect using DH2. Just because you have something strong enabled does not imply it is being used.
I don't know how to verify it - but if it is important you should find a way to verify the settings that Windows 10 has actually negotiated. Alternatively, you may need to find a way to configure the client to only use a specific set of crypto settings.
Otherwise it may not choose something just because you want it to. 🙂
I think the question is then "When support changes the encryption/DH settings on client VPN, does the MX then offer only those settings?"
If it offers multiple, one may be able to use Set-VpnConnectionIPsecConfiguration to manually designate the acceptable parameters. I haven't tried it. I'm not seeing any easy way to check which parameters it would actually be using on Windows' end but again... I haven't tried it. 🙂
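As an added example (not from anyone in this thread), here is how the client side could be pinned to AES128/DH14 with Set-VpnConnectionIPsecConfiguration and then checked against the live security associations after connecting. It assumes an existing L2TP/IPsec connection named 'Meraki Client VPN' (placeholder); the SHA1 integrity choice and the absence of Quick Mode PFS are assumptions, not values taken from the thread.

```powershell
# Added example: pin the Windows 10 IPsec proposal so the client cannot fall back
# to a weaker option the MX may also offer, then inspect what was negotiated.
$ConnectionName = 'Meraki Client VPN'   # placeholder: name of the existing connection

function Set-PinnedIpsecPolicy {
    param([string]$Name)
    # Custom IPsec policy: the client proposes only these parameters.
    $policy = @{
        ConnectionName                   = $Name
        EncryptionMethod                 = 'AES128'   # Main Mode (IKE) cipher
        IntegrityCheckMethod             = 'SHA1'     # Main Mode hash (assumption)
        DHGroup                          = 'Group14'  # 2048-bit MODP, i.e. DH14
        CipherTransformConstants         = 'AES128'   # Quick Mode (ESP) cipher
        AuthenticationTransformConstants = 'SHA196'   # ESP integrity (assumption)
        PfsGroup                         = 'None'     # no Quick Mode PFS (assumption)
        Force                            = $true      # no confirmation prompt
    }
    Set-VpnConnectionIPsecConfiguration @policy
    # Return the stored custom policy so it can be reviewed.
    (Get-VpnConnection -Name $Name).IPsecCustomPolicy
}

function Show-NegotiatedIpsec {
    # Run this while the tunnel is up (connect via the UI or rasdial first).
    # The live SAs show what was actually agreed, which is the check the
    # thread asks for: compare these values with the pinned policy above.
    Write-Host '--- IKE (Main Mode) SAs ---'
    Get-NetIPsecMainModeSA  | Format-List *Endpoint*, *Cipher*, *Hash*, *Group*, *Module*
    Write-Host '--- ESP (Quick Mode) SAs ---'
    Get-NetIPsecQuickModeSA | Format-List *Endpoint*, *Esp*
}

Set-PinnedIpsecPolicy -Name $ConnectionName
# Show-NegotiatedIpsec   # uncomment after the connection is established
```

If the MX really offers only AES128/DH14, the pinned policy changes nothing; if it still offers weaker groups, pinning is what keeps the Windows client from choosing them.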
>I think the question is then "When support changes the encryption/DH settings on client VPN, does the MX then offer only those settings?"
Whoever next opens a support case to have the setting changed should ask this.
I have contacted support and they have applied DH14 and AES 128 but we are still failing. Error basically says "Remote Access Service Detected. CVE: CVE-NO-MATCH". This is on port 500 using UDP. We have no idea what to do next. We even turned off the client VPN but that had no effect.