Meraki VPN Client with PCI Compliance.

Here to help

The following page suggests that PCI compliance is possible with the Meraki Client VPN as long as support enables DH5 on that particular Security appliance.  Has anyone been able to do this and connect with Win 10 VPN?

 

https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps

Kind of a big deal

Re: Meraki VPN Client with PCI Compliance.

The increased encryption worked in Windows 10 last time I tried it. That was about 6 months ago.

 

If I recall correctly, it may not be supported by MacOS in case that's a concern.

Here to help

Re: Meraki VPN Client with PCI Compliance.

Thanks. Do you have any details of what was needed on the client side? Did you have to make any changes to the client itself? We see it failing phase 1 after Meraki enabled the encryption.
Kind of a big deal

Re: Meraki VPN Client with PCI Compliance.

Hmm. No, for me it just worked. Set up a new connection using one of my scripts (see sig), connected just fine with Meraki Cloud creds.

 

I tested with an MX65, on Win10 1809.

Here to help

Re: Meraki VPN Client with PCI Compliance.

OK, thank you. We may have to reach out to Meraki to see if it is setup correctly on the MX.
Here to help

Re: Meraki VPN Client with PCI Compliance.

So Meraki support bumped the key exchange up to DH14 and it worked.  Go figure...

Kind of a big deal

Re: Meraki VPN Client with PCI Compliance.

Oooh right. I checked my ticket history: I had them up it to AES128/DH14. That's when it worked.

Kind of a big deal

Re: Meraki VPN Client with PCI Compliance.

>So Meraki support bumped the key exchange up to DH14 and it worked.

 

Just to play devil's advocate, one end (the MX in this case) offers the encryption settings it is prepared to accept.  The client chooses and then says "I would like to use this" and they continue on.

 

Let's say DH2 and DH14 were offered but your client only supported DH2 - it will connect using DH2.  Just because you have something strong enabled does not imply it is being used.

 

I don't know how to verify it - but if it is important you should find a way to verify the settings that Windows 10 has actually negotiated.  Alternatively, you may need to find a way to configure the client to only use a specific set of crypto settings.

 

Otherwise it may not choose something just because you want it to.  🙂

Kind of a big deal

Re: Meraki VPN Client with PCI Compliance.

I think the question is then "When support changes the encryption/DH settings on client VPN, does the MX then offer only those settings?"

 

If it offers multiple, one may be able to use Set-VpnConnectionIPsecConfiguration to manually designate the acceptable parameters. I haven't tried it. I'm not seeing any easy way to check which parameters it would actually be using on Windows' end but again... I haven't tried it. 🙂
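The approach floated above (pinning the Windows client's IPsec proposal and then checking what was negotiated), as an added example that is not from any poster in this thread or from Meraki. The connection name, server address and pre-shared key are placeholders; PAP over L2TP is assumed because that is what Meraki documents for client VPN, and whether `Get-NetIPsecMainModeSA` lists the RAS client's IKE SA on your build is something to confirm rather than a guarantee.

```powershell
# Added example: build an L2TP/IPsec connection on Windows 10 and restrict the
# client so it will only propose AES128 / SHA1 / DH group 14, matching what
# support reportedly enabled on the MX. All names below are placeholders.
$Name   = 'Meraki-ClientVPN'
$Server = 'vpn.example.invalid'            # placeholder for the MX hostname/IP
$Psk    = Read-Host 'Pre-shared key'       # entered interactively, not stored here

# Meraki client VPN is L2TP/IPsec with PAP inside the tunnel (assumption based
# on Meraki's published client setup; check your own dashboard settings).
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod Pap -EncryptionLevel Optional `
    -RememberCredential -Force

# Pin the proposal. DHGroup is the IKE phase 1 group (Group14 = 2048-bit MODP).
# PfsGroup is left at None because phase 2 PFS must also be enabled on the MX;
# set it only if support confirms the appliance side matches.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -AuthenticationTransformConstants SHA196 `
    -CipherTransformConstants AES128 `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA1 `
    -DHGroup Group14 `
    -PfsGroup None `
    -Force

# This shows what the client is CONFIGURED to propose, not what was negotiated.
Get-VpnConnection -Name $Name | Select-Object -ExpandProperty IPsecCustomPolicy

# Connect (uses the saved credential), then inspect the live IKE main-mode SA.
# If the MX had only offered DH2, the pinned client would now fail phase 1
# instead of silently accepting the weaker group.
rasdial $Name
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm, GroupId
```

A phase 1 failure after pinning is itself useful evidence: it means the appliance is not offering the group you expected, which is the question raised earlier in the thread.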

Kind of a big deal

Re: Meraki VPN Client with PCI Compliance.

>I think the question is then "When support changes the encryption/DH settings on client VPN, does the MX then offer only those settings?"

 

Whoever next opens a support case to have the setting changed should ask this.

Conversationalist

Re: Meraki VPN Client with PCI Compliance.

Hi,

 

I'm curious what settings you have configured for this to work with 128AES/DH Group 14.  I have this set for Meraki and we aren't able to connect using Windows 10 VPN but our Mac users can connect with no issues.

Here to help

Re: Meraki VPN Client with PCI Compliance.

Did you contact Meraki Support to have them enable it on your dashboard? We had to do that.
Conversationalist

Re: Meraki VPN Client with PCI Compliance.

Yes I did.  For some reason when I set the configuration according to their guide I couldn't get it to work and it would fail phase 1.  I tried my default configuration that was working before we enabled the higher encryption and it just worked. Thanks.
