VPN: Which algorithms are chosen?

pdeleuw

Hi all,

I have seen that IKEv2 is now available in the dashboard for Non-Meraki Peers. That's great.

There are two questions:

I can configure AES 128/192/256, but which mode is it? CBC? I would prefer GCM. Diffie-Hellman is available with Group 14, which is 2048-bit MODP. What about ECDH? Will it be supported?

The second question is regarding Auto VPN: there is no option to configure the algorithms. Which ones are used to form the tunnel?

Best regards,

Peter

 

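What "Group 14 = 2048-bit MODP" means concretely, and the checks a responder should apply to a peer's DH public value before deriving a shared secret, as an added stand-alone Python example. This is not Meraki code and not from this thread: it models only the DH step with the RFC 3526 group 14 parameters, not IKE framing, PSK authentication or anything about Auto VPN. Function names, the 256-bit private exponent size and the Miller-Rabin round count are choices made for the example.

```python
"""
Added example (not Meraki code, not from the thread): RFC 3526 group 14
(2048-bit MODP, generator 2) as used by IKEv2 "DH group 14", plus the
public-value validation a peer should do before computing the shared key.
Only the Diffie-Hellman step is modelled; IKE itself is not reproduced.
"""
import secrets

# RFC 3526, section 3: 2048-bit MODP group.  p is a safe prime
# (q = (p - 1) / 2 is also prime); 2 generates the order-q subgroup.
GROUP14_P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
GROUP14_P = int("".join(GROUP14_P_HEX.split()), 16)
GROUP14_G = 2
GROUP14_Q = (GROUP14_P - 1) // 2   # order of the subgroup generated by 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases; enough to catch a mistyped constant."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def valid_public_value(y, p=GROUP14_P, q=GROUP14_Q):
    """Reject a KE value outside (1, p-1) or outside the order-q subgroup.
    p-1 has order 2 and would force the shared secret to +/-1; the
    subgroup check (y^q == 1 mod p) catches it and any other small-order
    element, which is why a safe prime is used."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def keypair(p=GROUP14_P, g=GROUP14_G, exp_bits=256):
    """Private exponent x and public value g^x mod p.  A few hundred bits
    of exponent suffice for this group (RFC 3526, section 8); 256 is the
    example's choice.  The top bit is forced so the exponent is full size."""
    x = secrets.randbits(exp_bits) | (1 << (exp_bits - 1))
    return x, pow(g, x, p)


def shared_secret(own_priv, peer_pub, p=GROUP14_P):
    """g^(xy) mod p, computed only after the peer's value passes validation."""
    if not valid_public_value(peer_pub, p):
        raise ValueError("peer DH public value rejected")
    return pow(peer_pub, own_priv, p)


def demo_exchange():
    """Full exchange; returns (both sides agree, bogus value p-1 rejected)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    k_a = shared_secret(a_priv, b_pub)
    k_b = shared_secret(b_priv, a_pub)
    try:
        shared_secret(a_priv, GROUP14_P - 1)
        rejected = False
    except ValueError:
        rejected = True
    return k_a == k_b, rejected


if __name__ == "__main__":
    print("p:", GROUP14_P.bit_length(), "bits, probable prime:",
          is_probable_prime(GROUP14_P))
    print("KE payload size:", (GROUP14_P.bit_length() + 7) // 8, "bytes")
    print("exchange ok, p-1 rejected:", demo_exchange())
```

The public value a peer sends for this group is 256 bytes and each side does full 2048-bit modular exponentiations; an ECDH group such as X25519 (IKEv2 group 31) moves 32 bytes and is far cheaper per handshake, which is the practical reason behind asking for ECDH support. The subgroup check is the part most often skipped in ad-hoc implementations and is exactly what a conforming IKE responder is expected to do with the KE payload.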
Tadpole86

It uses CBC and MODP today; these will continue to be developed out over time to meet the higher cipher options.

 

That's correct, there is no option to configure Auto-VPN parameters.

 

Auto-VPN is proprietary technology; some of the details are shared in the following:

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_autovpn.pdf

pdeleuw

Thank you, @Tadpole86, for your reply.

I had read the White Paper, but hoped for some more concrete information.

"The dashboard and MXs establish two 16-character pre-shared keys (one per direction) and create a 128-bit AES-CBC tunnel. Meraki Auto VPN leverages elements of modern IPSec (IKEv2, Diffie-Hellman and SHA256) to ensure tunnel confidentiality and integrity. Local subnets specified in the dashboard by admins are exported across the VPN."

Is it really IKE? Because the dashboard has so much information, there is no necessity for IKE, I think. And it seems that the MX is speaking to the dashboard for VPN registry (UDP 9350), with no direct communication between the two peers for establishing the tunnel. So this statement in the White Paper is confusing.

If Meraki on one side states "Auto VPN leverages elements of modern IPsec", and on the other side they use AES-CBC, this doesn't fit together. Besides that, "Diffie-Hellman" is not an element of modern IPsec.

That is the reason why I asked.

 

Best regards

Peter

Tadpole86

Hi @pdeleuw 

 

IKE is part of the Internet Engineering Task Force's (IETF) defined open standard for the IPsec VPN framework.

 

Meraki Auto-VPN is a proprietary technology for creating VPN tunnels. 

 

So the short answer is no, it's not IKE in its truest sense.

 

They both have the same objective of achieving secure VPN connectivity; there are a lot of similarities but also some differences. Being a cloud platform, Meraki can leverage certain elements to reduce CPU load on the MXes. A good example is taking advantage of the secure connection each MX already makes to the dashboard to be cloud-managed. Phase 1 can ultimately be skipped, as each peer has already had to authenticate itself to the Meraki dashboard. Similarly, it does not need to negotiate any SA parameters, as these can be pushed down to the device from the cloud over the created trusted connection.

 

How come you ask? Just curiosity, or are you trying to answer a specific question?

pdeleuw

Hi @Tadpole86 

 

I am asking because I am interested in this topic. We are talking about security. I like to know what's going on, that's all. There is no debugging to answer the question. A packet capture on the internet interface just shows some packets to UDP port 9350. The documentation is very vague.

You mentioned that phase one of IKE is obsolete in Auto VPN because there is an encrypted and authenticated session to the dashboard. But the White Paper states that the peers have a 16-character PSK. So there is another authentication between the peers.

 

Regards,

 

Peter
