Meraki VPN Client with PCI Compliance.

ncowger

The following page suggests that PCI compliance is possible with the Meraki Client VPN as long as support enables DH5 on that particular security appliance. Has anyone been able to do this and connect with Win 10 VPN?

https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps

Nash

The increased encryption worked in Windows 10 last time I tried it. That was about 6 months ago.

If I recall correctly, it may not be supported by MacOS in case that's a concern.

ncowger

Thanks. Do you have any details of what was needed on the client side? Did you have to make any changes to the client itself? We see it failing phase 1 after Meraki enabled the encryption.
Nash

Hmm. No, for me it just worked. Set up a new connection using one of my scripts (see sig), connected just fine with Meraki Cloud creds.

I tested with an MX65, on Win10 1809.

ncowger

OK, thank you. We may have to reach out to Meraki to see if it is setup correctly on the MX.
ncowger

So Meraki support bumped the key exchange up to DH14 and it worked. Go figure...

Nash

Oooh right. I checked my ticket history: I had them up it to AES128/DH14. That's when it worked.

ntru42

Hi,

I'm curious what settings you have configured for this to work with 128AES/DH Group 14. I have this set for Meraki and we aren't able to connect using Windows 10 VPN, but our Mac users can connect with no issues.

ncowger

Did you contact Meraki Support to have them enable it on your dashboard? We had to do that.
ntru42

Yes I did. For some reason, when I set the configuration according to their guide I couldn't get it to work and it would fail phase 1. I tried my default configuration that was working before we enabled the higher encryption and it just worked. Thanks.

PhilipDAth

>So Meraki support bumped the key exchange up to DH14 and it worked.

Just to play devil's advocate, one end (the MX in this case) offers the encryption settings it is prepared to accept. The client chooses and then says "I would like to use this" and they continue on.

Let's say DH2 and DH14 were offered but your client only supported DH2 - it will connect using DH2. Just because you have something strong enabled does not imply it is being used.

I don't know how to verify it - but if it is important you should find a way to verify the settings that Windows 10 has actually negotiated.  Alternatively, you may need to find a way to configure the client to only use a specific set of crypto settings.

Otherwise it may not choose something just because you want it to.  🙂

Nash

I think the question is then "When support changes the encryption/DH settings on client VPN, does the MX then offer only those settings?"

If it offers multiple, one may be able to use Set-VpnConnectionIPsecConfiguration to manually designate the acceptable parameters. I haven't tried it. I'm not seeing any easy way to check which parameters it would actually be using on Windows' end but again... I haven't tried it. 🙂
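
Added example (editor's, not code from any poster in this thread or from Meraki): a PowerShell script for Windows 10 that builds the L2TP/IPsec client profile Meraki Client VPN uses (pre-shared key, PAP user authentication), pins its IKE proposal to AES128/SHA1/DH group 14 with Set-VpnConnectionIPsecConfiguration as Nash suggests, and then reads back the IKE main-mode SA that was actually negotiated, which is the check PhilipDAth asks for. The connection name, server address and PSK are placeholders; the PFS setting assumes the MX is not configured for PFS, and the SA property names are taken from the NetSecurity module's Get-NetIPsecMainModeSA output.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on Windows 10. Cmdlets come from the built-in VpnClient and
# NetSecurity modules. Replace the three placeholders with real values.

$ConnectionName = 'Meraki-ClientVPN'          # placeholder
$ServerAddress  = 'vpn.example.com'           # placeholder: MX DDNS name or IP
$PreSharedKey   = 'replace-with-your-psk'     # placeholder

function New-PinnedMerakiVpn {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Psk
    )

    # Create (or overwrite, via -Force) the L2TP/IPsec profile.
    Add-VpnConnection -Name $Name `
        -ServerAddress $Server `
        -TunnelType L2tp `
        -L2tpPsk $Psk `
        -AuthenticationMethod Pap `
        -EncryptionLevel Required `
        -RememberCredential `
        -Force

    # Pin the proposal to one parameter set. If the MX does not offer
    # AES128/SHA1/DH14 the connection fails in phase 1 rather than silently
    # negotiating a weaker group. PfsGroup None assumes no PFS on the MX
    # (assumption: adjust if your dashboard/support ticket says otherwise).
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
        -EncryptionMethod AES128 `
        -IntegrityCheckMethod SHA1 `
        -DHGroup Group14 `
        -CipherTransformConstants AES128 `
        -AuthenticationTransformConstants SHA196 `
        -PfsGroup None `
        -Force

    # Show the custom policy now stored in the profile (configured, not yet negotiated).
    Get-VpnConnection -Name $Name | Select-Object -ExpandProperty IPsecCustomPolicy
}

function Get-NegotiatedIkeParameters {
    param([Parameter(Mandatory)] [string] $Server)

    # Resolve the MX to an IPv4 address so the SA list can be filtered on it.
    $ip = ([System.Net.Dns]::GetHostAddresses($Server) |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
           Select-Object -First 1).IPAddressToString

    # Main-mode (IKE phase 1) SAs as actually established with the peer.
    # GroupId is the Diffie-Hellman group really in use; CipherAlgorithm and
    # HashAlgorithm are the negotiated phase 1 cipher and hash. If a property
    # is missing on your build, pipe to Format-List * to see what is exposed.
    Get-NetIPsecMainModeSA |
        Where-Object { $_.RemoteEndpoint -eq $ip } |
        Select-Object LocalEndpoint, RemoteEndpoint, KeyModule,
                      CipherAlgorithm, HashAlgorithm, GroupId
}

New-PinnedMerakiVpn -Name $ConnectionName -Server $ServerAddress -Psk $PreSharedKey

# Dial the connection (rasdial prompts for credentials if none are saved),
# then inspect the live SA instead of trusting the configured policy.
rasdial $ConnectionName
Get-NegotiatedIkeParameters -Server $ServerAddress | Format-List
```

The point of the second function is the one PhilipDAth raises: the profile's IPsecCustomPolicy only says what the client will offer, while Get-NetIPsecMainModeSA reports what the two ends agreed on. With the proposal pinned to a single group, a successful connection whose SA shows GroupId DH14 is evidence that DH14 is in use; a phase 1 failure means the MX was not offering that combination.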

PhilipDAth

>I think the question is then "When support changes the encryption/DH settings on client VPN, does the MX then offer only those settings?"

Whoever next opens a support case to have the setting changed should ask this.

akatoast

I have contacted support and they have applied DH14 and AES 128, but we are still failing. The error basically says "Remote Access Service Detected. CVE: CVE-NO-MATCH". This is on port 500 using UDP. We have no idea what to do next. We even turned off the client VPN, but that had no effect.
