macOS VPN client does not work with AES128 and DH Group 14

Solved
semsem2050
Here to help

macOS VPN client does not work with AES128 and DH Group 14

Hello,

 

After I asked for Cisco Meraki support for strong encryption and hashing algorithms (PCI complaint), I got a link in this community on how to create a script to configure Windows 10 with the new requirements, but I had a problem with macOS, it always fails to access Meraki.
 
I need help solving the problem. Or should I ask Meraki to change it to AES256 SHA1 DH 14, I think it's supported by macOS, but I have concerns that it won't work with Windows and Linux.
 
Also, please what do you advise me to do in this bad situation?
 
Thank you so much

 

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

>AES256 SHA1 DH 14,

 

Just note that if you have the settings change to allow MacOS to work, you'll also need to modify all your Windows clients and anything else configure to use the VPN to use the new settings.

View solution in original post

13 Replies 13
alemabrahao
Kind of a big deal
Kind of a big deal

Is AnyConnect an option?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Hi @alemabrahao 
Not AnyConnect, it is an L2TP IPsec VPN client.

I know, but, I think the anyconnect Is the best option for your case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

If It's not an option open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

We have ubuntu servers using L2TP over IPsec to access some services using VPN, I'm not sure if there is a script version of AnyConnect client to configure on the Ubuntu 20.04 server to access MX85 and the current version is MX 18.102.

Anyconnect It is an application, you can configure a profile and the profile is an XML file.

 

https://community.cisco.com/legacyfs/online/legacy/5/2/9/74925-ac03features.pdf

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

https://its.gmu.edu/knowledge-base/how-to-install-cisco-anyconnect-on-linux/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I am sorry @alemabrahao, I meant, there is no GUI in the servers to configure them to use AnyConnect.
Since I know the AnyConnect client is a GUI application, I'm not sure it can be set up in servers where there is no GUI that is just accessed by SSH.
Do you have information on this case please, I don't want to take the risk of going to AnyConnect and then I'll be stuck again configuring servers to access Meraki.

I recommend you open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thank you so much @alemabrahao 😊, I will do so if there is no one experience this situation in this nice community.

Why don't you set up a site to site VPN (Strongswan) between the Linux server and the MX?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

>AES256 SHA1 DH 14,

 

Just note that if you have the settings change to allow MacOS to work, you'll also need to modify all your Windows clients and anything else configure to use the VPN to use the new settings.

Thank you so much @PhilipDAth and @alemabrahao , I'm working on it and take your advice.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels