TLS1.2 used for AutoVPN negotiation?

Eddiem
Conversationalist


Hello, my partner is asking if TLS1.2 is typically used for AutoVPN negotiation as well nowadays on MX devices. This document does not mention TLS version, but does mention SHA-1 and MD5, which the customer is concerned about: https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Site-to-site_VPN_Settings


BHC_RESORTS
Head in the Cloud


@Eddiem wrote:

Hello, my partner is asking if TLS1.2 is typically used for AutoVPN negotiation as well nowadays on MX devices. This document does not mention TLS version, but does mention SHA-1 and MD5, which the customer is concerned about: https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Site-to-site_VPN_Settings



Indeed, there are other aspects of the AutoVPN that are worrying. DH groups 1,2,5 are supported for phase 1 - yet none of these are really recommended anymore. DES and 3DES shouldn't even be options, I'm surprised they are supported.


I'm not so sure SHA1 is really the security risk everyone says it is - collisions are still pretty hard to come by on it. MD5 is unacceptable though.


We don't use the site-to-site VPN so I've never looked much into it - but these cryptographic options leave much to be desired. I'm curious if there is an update coming soon for them; all but the oldest of the MX series should be able to support higher key spaces without an issue.

BHC Resorts IT Department
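The reply above lists the legacy options it objects to (DH groups 1, 2 and 5, DES and 3DES, MD5 and SHA-1). The following is an added example, not code from the thread or from Cisco Meraki, that audits a list of IKE/IPsec proposals for exactly those choices so an admin can see which proposals to disable before a peer negotiates them. The proposal dictionaries use a constructed, vendor-neutral shape (assumed field names `cipher`, `integrity`, `dh_group`); they are not the Meraki dashboard or API schema, and the two sample policies at the bottom are constructed.

```python
"""Audit IKE (phase 1) and IPsec (phase 2) proposals for legacy algorithms.

Added example; the proposal shape and field names are assumptions, not a
vendor schema. Severity labels are this example's own convention.
"""
from dataclasses import dataclass

# Legacy ciphers from the thread, with the reason each is flagged.
WEAK_CIPHERS = {
    "des": "56-bit key; brute-forceable with commodity hardware",
    "3des": "64-bit block; birthday-bound (Sweet32) attacks, deprecated",
}
# Legacy integrity algorithms. HMAC-SHA1 is weaker than its collision
# resistance suggests but is still treated as 'medium' here; MD5 is 'high'.
WEAK_INTEGRITY = {
    "md5": "practical collisions; deprecated for any new deployment",
    "sha1": "collisions demonstrated; retire in favour of SHA-2",
}
# DH groups 1, 2 and 5 are 768-, 1024- and 1536-bit MODP. Anything under
# 2048 bits (group 14) is below current guidance.
WEAK_DH_GROUPS = {1: "768-bit MODP", 2: "1024-bit MODP", 5: "1536-bit MODP"}


@dataclass
class Finding:
    phase: str      # "ike" or "ipsec"
    field: str      # which setting tripped the check
    value: str
    severity: str   # "high" or "medium"
    reason: str


def audit_proposal(phase, proposal):
    """Return findings for one proposal dict. Unknown/modern values pass."""
    findings = []
    cipher = str(proposal.get("cipher", "")).lower()
    if cipher in WEAK_CIPHERS:
        findings.append(Finding(phase, "cipher", cipher, "high", WEAK_CIPHERS[cipher]))
    integ = str(proposal.get("integrity", "")).lower()
    if integ in WEAK_INTEGRITY:
        sev = "high" if integ == "md5" else "medium"
        findings.append(Finding(phase, "integrity", integ, sev, WEAK_INTEGRITY[integ]))
    group = proposal.get("dh_group")  # for phase 2 this is the PFS group
    if group in WEAK_DH_GROUPS:
        findings.append(Finding(phase, "dh_group", str(group), "high", WEAK_DH_GROUPS[group]))
    return findings


def audit_policy(policy):
    """Audit {'ike': [...], 'ipsec': [...]} and return all findings in order."""
    findings = []
    for phase in ("ike", "ipsec"):
        for proposal in policy.get(phase, []):
            findings.extend(audit_proposal(phase, proposal))
    return findings


def severity_counts(findings):
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: a legacy-heavy proposal set of the kind the reply above
# complains about. AES-128 (the cipher named in the AutoVPN whitepaper quoted
# later in the thread) is deliberately not flagged.
LEGACY_POLICY = {
    "ike": [
        {"cipher": "3des", "integrity": "sha1", "dh_group": 2},
        {"cipher": "aes128", "integrity": "md5", "dh_group": 5},
    ],
    "ipsec": [
        {"cipher": "des", "integrity": "sha1", "dh_group": 1},
    ],
}

# Constructed sample: the same policy with every legacy option removed.
HARDENED_POLICY = {
    "ike": [{"cipher": "aes256", "integrity": "sha256", "dh_group": 14}],
    "ipsec": [{"cipher": "aes256", "integrity": "sha256", "dh_group": 14}],
}

if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY_POLICY), ("hardened", HARDENED_POLICY)):
        found = audit_policy(policy)
        print(f"{name}: {severity_counts(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.phase}.{f.field}={f.value}: {f.reason}")
```

Running the block prints eight findings for the legacy policy (six high, two medium) and none for the hardened one. The check is intentionally allow-list-agnostic: it flags only the named legacy values, so a proposal using an algorithm the table does not know passes silently and should be reviewed by hand.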
PhilipDAth
Kind of a big deal

AutoVPN uses IPSec.  TLS is not used.

Eddiem
Conversationalist

Thanks Phil, so the security protection for the autoVPN is only pre-shared key? Meraki does not support PKI to protect the tunnel?  I think the partner is asking in the case of certificates/PKI being used to protect the VPN, not pre-shared key.  If only pre-shared key is supported then that answers it.  Thanks again.

PhilipDAth
Kind of a big deal

It uses IPSec, but I am not certain of the method it uses for the authentication.  I have heard it is a rotating key, and I have also heard it is a certificate.  I have not heard something I could say is 100% true.

Eddiem
Conversationalist

Thanks again.  If there is a certificate involved, then there must be some TLS/SSL stack, and hence the partner question if it's TLS 1.2 with SHA-2 support. 

PhilipDAth
Kind of a big deal

TLS is an encryption transport system, and is not required if you are just doing authentication. TLS is most commonly used for encrypting TCP (and sometimes UDP) connections (aka transport layer protocols).


IPSec does not require TLS but can use certificates for authentication.

PhilipDAth
Kind of a big deal

I found this:

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_autovpn.pdf

"The VPN tunnel is negotiated. The Cisco Meraki cloud already knows VLAN and subnet information for each MX, and now, the IP addresses to use for tunnel creation. The cloud and MXs establish a 16-character pre-shared key (one key per organization), and a 128-bit AES encrypted IPsec tunnel. Local subnets specified in the dashboard by IT admins are exported across VPN."

Eddiem
Conversationalist

Okay, that implies it's PSK only, so no certs and hence no TLS.
