Meraki

Eddiem · ‎Sep 18 2017

Hello, my partner is asking if TLS1.2 is typically used for AutoVPN negotiation as well nowadays on MX devices. This document does not mention TLS version, but does mention SHA-1 and MD-5, which customer is concerned about: https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Site-to-site_VPN_Settings

BHC_RESORTS · ‎Sep 18 2017

@Eddiem wrote:
Hello, my partner is asking if TLS1.2 is typically used for AutoVPN negotiation as well nowadays on MX devices. This document does not mention TLS version, but does mention SHA-1 and MD-5, which customer is concerned about: https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Site-to-site_VPN_Settings

Indeed, there are other aspects of the AutoVPN that are worrying. DH groups 1,2,5 are supported for phase 1 - yet none of these are really recommended anymore. DES and 3DES shouldn't even be options, I'm surprised they are supported.

I'm not so sure SHA1 is really the security risk everyone says it is - collisions are still pretty hard to come by on it. MD5 is unacceptable though.

We don't use the site to site VPN so I've never looked much in to it - but these cryptographic options leave much to be desired. I'm curious if there is an update coming soon for them, all but the oldest of the MX series should be able to support higher key spaces without an issue.

BHC Resorts IT Department

PhilipDAth · ‎Sep 19 2017

AutoVPN uses IPSec. TLS is not used.

Eddiem · ‎Sep 19 2017

Thanks Phil, so the security protection for the autoVPN is only pre-shared key? Meraki does not support PKI to protect the tunnel? I think the partner is asking in the case of certificates/PKI being used to protect the VPN, not pre-shared key. If only pre-shared key is supported then that answers it. Thanks again.

PhilipDAth · ‎Sep 19 2017

It uses IPSec, but I am not certain of the method it uses for the authentication. I have heard it is a rotating key, and I have also heard it is a certificate. I have not heard something I could say is 100% true.

Eddiem · ‎Sep 19 2017

Thanks again. If there is a certificate involved, then there must be some TLS/SSL stack, and hence the partner question if it's TLS 1.2 with SHA-2 support.

PhilipDAth · ‎Sep 19 2017

TLS is an encryption transport system, and is not required if you are just doing authentication. TLS is most commonly used for encrypting TCP (and sometimes) UDP connections (aka transport layer protocols).

IPSec does not require TLS but can use certificates for authentication.

PhilipDAth · ‎Sep 19 2017

I found this:

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_autovpn.pdf

"The VPN tunnel is negotiated. The Cisco Meraki cloud already knows VLAN and subnet information for each MX, and now, the IP addresses to use for tunnel creation. The cloud and MXs establish a 16-character pre-shared key (one key per organization), and a 128-bit AES encrypted IPsec tunnel. Local subnets specified in the dashboard by IT admins are exported across VPN."

Eddiem · ‎Sep 19 2017

Okay, that implies it's PSK only, so no certs and hence no TLS.

Meraki

Community

TLS1.2 used for AutoVPN negotiation?

TLS1.2 used for AutoVPN negotiation?