Phase1 and 2 VPN

SOLVED
SopheakMang
Building a reputation


Hi Expert ,


I want to ask about the VPN tunnel from MX to MX: what algorithm and encryption method does it use to build the VPN tunnel between the two? We just click, click, but we don't know what it uses at the back end.

What DH group?

I need to verify this to respond to my customer's concern.

Thanks

1 ACCEPTED SOLUTION

@MerakiDave is correct, we don't use fully standard IPSec. That's because phase one in IPSec is about mutual authentication, creating a secure channel to negotiate how you are going to encrypt. We do that via the dashboard, as every device's connection to the dashboard is mutually authenticated; it's actually more similar to the standard Cisco Zero Trust model (expect to see a blog on the Meraki blog soon about this).

That means that we can jump straight into, essentially, phase 2 when we connect peer-to-peer. That's an oversimplification though, as we carry over some elements that are traditionally in phase 1 to phase 2. Meaning that if you capture the packets you will see IKEv2, DH19 and the AES128-CBC and SHA256 for the encrypted session. If I quote the (recently updated) Meraki AutoVPN White Paper:

"The VPN tunnel is established. The Cisco Meraki cloud already knows VLAN and subnet information for each MX, and now, the IP addresses to use for tunnel creation. The dashboard and MXs establish two 16-character pre-shared keys (one per direction) and create a 128-bit AES-CBC tunnel. Meraki Auto VPN leverages elements of modern IPSec (IKEv2, Diffie-Hellman and SHA256) to ensure tunnel confidentiality and integrity. Local subnets specified in the dashboard by admins are exported across the VPN."

That is how it works. With respect to answering your question, how to prove that in a bank: that is typically done by engaging the Meraki SE to provide a version of this explanation along with some additional information once an NDA is in place.
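Since the answer above says a packet capture will show IKEv2, DH19, AES128-CBC and SHA256, here is an added example (not code from the thread or from Meraki) of how those names are carried on the wire: it builds a constructed IKE_SA_INIT message whose SA payload proposes exactly that transform set and then decodes the proposal back into algorithm names, which is what a protocol analyser does when an auditor asks "what DH group is that?". Payload layouts and numeric identifiers follow RFC 7296 and the IANA IKEv2 registry; the SPI values and the single-proposal structure are assumptions for the demo.

```python
import struct

# IKEv2 constants from RFC 7296 / the IANA IKEv2 registry for the algorithms named in this thread
IKE_SA_INIT, PAYLOAD_SA, ATTR_KEY_LENGTH = 34, 33, 14
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
TRANSFORM_IDS = {(1, 12): "AES_CBC", (2, 5): "HMAC_SHA2_256",
                 (3, 12): "HMAC_SHA2_256_128", (4, 19): "group19 (ECP-256)"}

def transform(ttype, tid, keylen=None, last=False):
    """Build one Transform substructure; a TV Key Length attribute is added when keylen is given."""
    attrs = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, keylen) if keylen else b""
    body = struct.pack("!BBH", ttype, 0, tid) + attrs
    return struct.pack("!BBH", 0 if last else 3, 0, 4 + len(body)) + body

def ike_sa_init(transforms):
    """Wrap transforms in Proposal 1 (protocol IKE), an SA payload and an IKE_SA_INIT header."""
    tbytes = b"".join(transforms)
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(tbytes), 1, 1, 0, len(transforms)) + tbytes
    sa = struct.pack("!BBH", 0, 0, 4 + len(proposal)) + proposal  # next payload 0 = none
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\0" * 8, PAYLOAD_SA,
                      0x20, IKE_SA_INIT, 0x08, 0, 28 + len(sa))  # version 2.0, initiator flag
    return hdr + sa

def parse_ike_sa_init(pkt):
    """Return (exchange type, [(transform type, algorithm, key length)]) from the first proposal."""
    _, _, next_payload, version, exch, _, _, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if version >> 4 != 2 or length != len(pkt):
        raise ValueError("not a well-formed IKEv2 message")
    off, found = 28, []
    while next_payload:  # walk the payload chain until Next Payload == 0
        np, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if next_payload == PAYLOAD_SA:
            _, _, _, _, _, spi_size, ntrans = struct.unpack("!BBHBBBB", pkt[off + 4:off + 12])
            toff = off + 12 + spi_size  # first transform follows the proposal header and SPI
            for _ in range(ntrans):
                _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", pkt[toff:toff + 8])
                keylen, aoff = None, toff + 8
                while aoff < toff + tlen:  # attributes: TV (AF=1, 4 bytes) or TLV (AF=0)
                    atype, aval = struct.unpack("!HH", pkt[aoff:aoff + 4])
                    if atype & 0x7FFF == ATTR_KEY_LENGTH:
                        keylen = aval
                    aoff += 4 if atype & 0x8000 else 4 + aval
                found.append((TRANSFORM_TYPES.get(ttype, ttype), TRANSFORM_IDS.get((ttype, tid), tid), keylen))
                toff += tlen
        next_payload, off = np, off + plen
    return exch, found

def demo():
    """Constructed IKE_SA_INIT carrying the transform set this thread says a capture shows."""
    pkt = ike_sa_init([transform(1, 12, keylen=128), transform(2, 5),
                       transform(3, 12), transform(4, 19, last=True)])
    return parse_ike_sa_init(pkt)
```

On a real capture you would hand the UDP/500 payload to the parser instead of the constructed bytes; the transform list is the evidence an auditor's "which DH group" checklist item is asking for.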

MerakiDave
Meraki Employee

@SopheakMang I'll steal from an old post from one of my colleagues, AutoVPN doesn't need/use DH since an MX-to-MX VPN connection has a shared management plane (Dashboard itself) which means that mutual authentication and creating a secure connection (via DH) isn't needed per se.

This is mentioned in some detail in his Meraki Blog post here - https://meraki.cisco.com/blog/2018/06/all-about-autovpn/ and to a lesser extent in the original AutoVPN white paper. Just remember that AutoVPN isn't full standard IPSec, it's an IPSec-like VPN, as there are some elements of the standard that it doesn't really make sense to burn the CPU clock cycles on when you're cloud managed.

Hope that helps!


SopheakMang
Building a reputation

Hi,
If it isn't full standard IPSec, what can be the proof if we deploy this in a bank? Audit is going to ask; what information can I give them that Meraki will be compliant for VPN encryption?

At least it has its own algorithm, right? I need to know that.


Nash
Kind of a big deal

@MerakiDave @CameronMoody Could we get a formal KB article from Meraki explaining this aspect of AutoVPN, for handing to auditors who have questions? That blog article doesn't specifically mention Diffie-Hellman from what I can see, and the auditor check list usually asks about DH groups.


Or some clarity could be added to this KB article, as AutoVPN is contrasted to the third party tunnels w/o mention of DH. Not stating anything about DH groups is not the same as an explanation of why DH groups are not needed for AutoVPN, when dealing with auditors.


Thank you!


Edit 9:58 CDT: I am now full of questions. Page 5 of the AutoVPN white paper specifically mentions DH groups. Which is it, please? And could this please be clarified in a KB article? I cannot easily hand a white paper to an auditor without them getting, as it were, annoyed. It's my job to minimally annoy my clients' auditors.

spadefist
Meraki Employee

The information I quoted in the White Paper is the only information we can/will share without an NDA in place.

Nash
Kind of a big deal

I'm not asking for secret sauce. Looks like we cross-posted. I'd like the information more easily accessible. There's an entire document about PCI compliance for MR, for instance.

SopheakMang
Building a reputation

Thanks all, bro, for the solution and answer.