Meraki

Community

Meraki VPN encryption

Solved
PatWruk
Getting noticed
‎Apr 15 2024 12:38 PM
‎Apr 15 2024 12:38 PM

Meraki VPN encryption

I was doing some random reading today and found a page that says the AutoVPN tunnels use AES-128 for encryption. Is that true? I tried searching it some more and nothing says what encryption level it uses.

The page I was reading is here under FAQ:

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

Has anyone seen anything else or know if this is true or not?

Labels:
0 Kudos
1 Accepted Solution
In response to PatWruk
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 15 2024 12:45 PM
‎Apr 15 2024 12:45 PM

The VPN tunnel is established. The Cisco Meraki cloud already knows VLAN and subnet
information for each MX, and now, the IP addresses to use for tunnel creation. The dashboard
and MXs establish two 16-character pre-shared keys (one per direction) and create a 128-
bit AES-CBC tunnel. Meraki Auto VPN leverages elements of modern IPSec (IKEv2, DiffeHellman and SHA256) to ensure tunnel confidentiality and integrity. Local subnets specified
in the dashboard by admins are exported across the VPN

 

meraki_whitepaper_autovpn.pdf (cisco.com)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 15 2024 12:41 PM
‎Apr 15 2024 12:41 PM

Auto VPN vs Non-Meraki Site-to-Site VPN

  • Auto VPN is a VPN connection between/among the WAN Appliances in different networks of the same Meraki dashboard organization
  • Non-Meraki site-to-site VPN is used when you form a VPN tunnel with a third-party/non-Meraki device or when you establish a VPN connection with a Meraki WAN Appliance in a different dashboard organization
  • Like Non-Meraki Site-to-Site VPN, Auto VPN has encryption, authentication and a key. The traffic is encrypted using an AES cipher. However, all of this is transparent to users and does not need to be (and cannot be) modified.

    Meraki Auto VPN - Configuration and Troubleshooting - Cisco Meraki Documentation
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
PatWruk
Getting noticed
‎Apr 15 2024 12:45 PM
‎Apr 15 2024 12:45 PM

That's what I was seeing as well. My concern is the link I shared says it's AES-128, and since we have to adhere to PCI requirements, it has to be a minimum AES-256.

In response to PatWruk
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 15 2024 12:45 PM
‎Apr 15 2024 12:45 PM

The VPN tunnel is established. The Cisco Meraki cloud already knows VLAN and subnet
information for each MX, and now, the IP addresses to use for tunnel creation. The dashboard
and MXs establish two 16-character pre-shared keys (one per direction) and create a 128-
bit AES-CBC tunnel. Meraki Auto VPN leverages elements of modern IPSec (IKEv2, DiffeHellman and SHA256) to ensure tunnel confidentiality and integrity. Local subnets specified
in the dashboard by admins are exported across the VPN

 

meraki_whitepaper_autovpn.pdf (cisco.com)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
PatWruk
Getting noticed
‎Apr 15 2024 12:48 PM
‎Apr 15 2024 12:48 PM

That doc was what I needed. Thank you

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.