strong Phase 1 and Phase 2 encryption and hash algorithms

SOLVED
semsem2050

Our enterprise uses Meraki MX68CW and for security reasons, I have the following questions:
 
FYI: Most workers in the company use Ubuntu 20.04, and I followed the instructions in this document (https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration#Linux:~:text=for%C2%A0suc.... -,%C2%A0Ubuntu% 2020.04, -Ubuntu%20does%20not) to configure the VPN client on Ubuntu, but I found the algorithms to be weak and not recommended. I tried to configure it with strong algorithms, but they don't work.
 
1) - Does Meraki MX68CW support strong Phase 1 and Phase 2 encryption and hash algorithms, e.g. AES-256, SHA2-256, MODP3072?
 
2) - Does it support CHAP instead of PAP?
 
Thank you
cmr
Kind of a big deal

@semsem2050 the client VPN development focuses on AnyConnect now. There are Linux clients for AnyConnect available and they will have newer algorithms.

Thanks for the info @cmr. We also have some Docker containers (Ubuntu 20.04) used by the GitLab CI/CD pipeline in the cloud that should access some servers in the company office, and these containers should be configured with IPsec/L2TP (from the command line) for this purpose.

alemabrahao
Kind of a big deal

Client VPN

The client VPN service uses the L2TP tunneling protocol, and can be deployed without any additional software on PCs, Macs, iOS devices, and Android devices, since all of these operating systems natively support L2TP VPN connections.

Note: TLS (SSL) client VPN is supported on the MX with AnyConnect. To learn more, see AnyConnect on the MX Appliance 

Note: Linux-based operating systems can support client VPN connections as well, although third-party packages may be necessary to support L2TP/IP.

Note: Establishing a client VPN connection when the client is located on the LAN of the MX is unsupported.

Encryption Method

Client VPN uses the L2TP/IP protocol with the following encryption and hashing algorithms: 3DES and SHA1 for Phase1; AES128/3DES and SHA1 for Phase2. As a best practice, the shared secret should not contain any special characters at the beginning or end.

Owing to changes in the PCI-DSS Standard version 3.2.1, some auditors are now enforcing requirements for stronger encryption than the Meraki Client VPN default settings provide. Please contact Meraki Support if you need these values adjusted, but please be aware that some client devices may not support these more stringent requirements (AES128 encryption with DH group 14 - Required by PCI-DSS 3.2.1).

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
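To make the algorithm question concrete, the following is an added example and is not code from the original thread or from Meraki. It parses a strongSwan `conn` block of the kind the Linux client setup uses, extracts the Phase 1 (`ike=`) and Phase 2 (`esp=`) proposals, and flags the algorithms the thread calls weak. The three config snippets are constructed for this example; the server address 203.0.113.10, the pre-shared-key settings, the assumption that the MX default Phase 1 DH group is modp1024 (group 2), and the weak/acceptable classification are all assumptions, not Meraki's published values.

```python
"""Audit strongSwan IKEv1 proposals for an L2TP/IPsec client conn block.

Added example; thresholds below are an assumed policy, not Meraki guidance.
"""

# Assumed classification: what this audit treats as not recommended.
WEAK_ENC = {"des", "3des", "blowfish", "cast128"}
WEAK_INTEG = {"md5", "sha1"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}        # IKE groups 1, 2, 5
DH_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14,
            "modp3072": 15, "modp4096": 16}

# Constructed configs. 203.0.113.10 is a placeholder server address.
# Phase 1 DH group in the default is assumed to be modp1024 (group 2).
MERAKI_DEFAULT = """
conn meraki-default
  keyexchange=ikev1
  authby=secret
  type=transport
  left=%defaultroute
  leftprotoport=17/1701
  right=203.0.113.10
  rightprotoport=17/1701
  ike=3des-sha1-modp1024!
  esp=aes128-sha1,3des-sha1!
"""

# The PCI-DSS 3.2.1 set the thread mentions: AES-128 with DH group 14.
PCI_ADJUSTED = MERAKI_DEFAULT.replace("ike=3des-sha1-modp1024!", "ike=aes128-sha1-modp2048!") \
                             .replace("esp=aes128-sha1,3des-sha1!", "esp=aes128-sha1!")

# The set the original poster asked about: AES-256, SHA-256, MODP3072.
STRONG_TARGET = MERAKI_DEFAULT.replace("ike=3des-sha1-modp1024!", "ike=aes256-sha256-modp3072!") \
                              .replace("esp=aes128-sha1,3des-sha1!", "esp=aes256-sha256!")


def parse_conn(text):
    """Return {key: value} for the settings inside a strongSwan 'conn' block."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def split_proposal(value):
    """'aes128-sha1,3des-sha1!' -> [['aes128','sha1'], ['3des','sha1']]."""
    return [p.split("-") for p in value.rstrip("!").split(",") if p]


def phase1_dh_group(settings):
    """IKE DH group number from the ike= proposal, or None if none is named."""
    for proposal in split_proposal(settings.get("ike", "")):
        for alg in proposal:
            if alg in DH_GROUP:
                return DH_GROUP[alg]
    return None


def assess(settings):
    """List one finding per weak algorithm in the Phase 1 and Phase 2 proposals."""
    findings = []
    for phase, key in (("Phase 1", "ike"), ("Phase 2", "esp")):
        value = settings.get(key)
        if value is None:
            findings.append(f"{phase}: no explicit {key}= line, strongSwan defaults apply")
            continue
        for proposal in split_proposal(value):
            label = "-".join(proposal)
            for alg in proposal:
                if alg in WEAK_ENC:
                    findings.append(f"{phase}: weak cipher {alg} in {label}")
                elif alg in WEAK_INTEG:
                    findings.append(f"{phase}: weak integrity {alg} in {label}")
                elif alg in WEAK_DH:
                    findings.append(f"{phase}: weak DH group {alg} (group {DH_GROUP[alg]}) in {label}")
        # Without a trailing '!' strongSwan appends its own default proposals.
        if not value.endswith("!"):
            findings.append(f"{phase}: {key}= not terminated with '!', daemon defaults are appended")
    return findings


if __name__ == "__main__":
    for name, text in (("default", MERAKI_DEFAULT), ("pci", PCI_ADJUSTED), ("target", STRONG_TARGET)):
        settings = parse_conn(text)
        print(f"{name}: DH group {phase1_dh_group(settings)}")
        for finding in assess(settings) or ["no findings"]:
            print("  " + finding)
```

The trailing `!` in a strongSwan proposal makes it strict: the client offers only the listed algorithms and nothing else. That is why tightening the client side alone does not help. If the MX still accepts only the defaults described above, a client with `ike=aes256-sha256-modp3072!` and the MX have no proposal in common and the IKE exchange fails with NO_PROPOSAL_CHOSEN. The server-side set has to be changed first, which, as the replies say, means a support case, and every other client then has to match the new set.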
PhilipDAth
Kind of a big deal

If you open a case with Meraki support, you can request they configure different settings for client VPN.  Note that these affect every client.  So if you request DH group 14 be enabled, then you will have to modify any other client connecting (including Windows) to use these new settings.

 

As others have stated, if you want security, you'll be much better to change over to AnyConnect.  Note that you have to pay for AnyConnect licences (it is an extra cost), but they are not that much, and are really worth it.

Thank you @PhilipDAth for the info. I have a question: is it possible and easy to configure Docker containers to use AnyConnect, since the developers use the GitLab CI/CD pipeline and Docker containers?
Thanks

I have not tried this - and do not know.

 

I do know there is a command-line version of AnyConnect - so I feel your chances would be pretty good.

Thank you so much @PhilipDAth 
