Meraki

semsem2050 · ‎Oct 14 2022

Our enterprise uses Meraki MX68CW and for security reasons, I have the following questions:

FYI: Most workers in the company use Ubuntu 20.04, and I follow the instructions in this document (https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration#Linux:~:text=for%C2%A0suc.... -,%C2%A0Ubuntu% 2020.04, -Ubuntu%20does%20not) Configure the VPN client in Ubuntu, but I found the algorithms to be weak and not recommended, I tried to configure with strong algorithms but they don't work.

1) - Does Meraki MX68CW support strong Phase 1 and Phase 2 encryption and hash algorithms eg (AES 256, SHA2 256, MODP3072)?

2) - Does it support CHAP instead of PAP?

Thank you

PhilipDAth · ‎Oct 16 2022

I have not tried this - and do not know.

I do know there is a command-line version of AnyConnect - so I feel your chances would be pretty good.

View solution in original post

cmr · ‎Oct 14 2022

@semsem2050 the client VPN development focusses around AnyConnect now. There are Linux clients for AnyConnect available and they will have newer algorithms.

If my answer solves your problem please click Accept as Solution so others can benefit from it.

semsem2050 · ‎Oct 14 2022

Thanks for the info @cmr, also we have some docker (Ubuntu 20.04 OS) containers used by Gitlab CICD Pipeline in the cloud that should access some servers in the company office, and this docker should be configured with IPsec l2tp (Commands) for this purpose.

alemabrahao · ‎Oct 14 2022

Client VPN

The client VPN service uses the L2TP tunneling protocol, and can be deployed without any additional software on PCs, Macs, iOS devices, and Android devices, since all of these operating systems natively support L2TP VPN connections.

Note: TLS (SSL) client VPN is supported on the MX with AnyConnect. To learn more, see AnyConnect on the MX Appliance

Note: Linux-based operating systems can support client VPN connections as well, although third-party packages may be necessary to support L2TP/IP.

Note: Establishing a client VPN connection when the client is located on the LAN of the MX is unsupported.

Encryption Method

Client VPN uses the L2TP/IP protocol with the following encryption and hashing algorithms: 3DES and SHA1 for Phase1; AES128/3DES and SHA1 for Phase2. As a best practice, the shared secret should not contain any special characters at the beginning or end.

Owing to changes in the PCI-DSS Standard version 3.2.1, some auditors are now enforcing requirements for stronger encryption than the Meraki Client VPN default settings provide. Please contact Meraki Support if you need these values adjusted, but please be aware that some client devices may not support these more stringent requirements (AES128 encryption with DH group 14 - Required by PCI-DSS 3.2.1).

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

PhilipDAth · ‎Oct 16 2022

If you open a case with Meraki support, you can request they configure different settings for client VPN. Note that these affect every client. So if you request DH group 14 be enabled, then you will have to modify any other client connecting (including Windows) to use these new settings.

As others have stated, if you want security, you'll be much better to change over to AnyConnect. Note that you have to pay for AnyConnect licences (it is an extra cost), but they are not that much, and are really worth it.

semsem2050 · ‎Oct 16 2022

Thank you @PhilipDAth for the info, I have a question, is it possible and easy to configure docker containers to use the Anyconnect because the developers use the Gitlab CICD Pipeline and docker container?
Thanks

PhilipDAth · ‎Oct 16 2022

I have not tried this - and do not know.

I do know there is a command-line version of AnyConnect - so I feel your chances would be pretty good.

semsem2050 · ‎Oct 16 2022

Thank you so much @PhilipDAth