• About SvenS
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Re: L2TP/IPSec client VPN ciphers supported by MacOS

by in Security / SD-WAN
‎12-10-2020 01:39 PM
‎12-10-2020 01:39 PM
Correct. The changed parameters for the client VPN support these parameters (as per Windows VPN setup): <CryptographySuite>      <AuthenticationTransformConstants>SHA196</AuthenticationTransformConstants>      <CipherTransformConstants>AES128</CipherTransformConstants>      <EncryptionMethod>AES128</EncryptionMethod>      <IntegrityCheckMethod>SHA196</IntegrityCheckMethod>      <DHGroup>Group14</DHGroup> </CryptographySuite>   These settings are not supported by settings in the MacOS built-in clients.  @Meraki: Why aren't you changing to a setup that supports PCI-compliant VPN in Windows and MacOS? It would seem that using AES256 instead of AES128 would suffice. ... View more

L2TP/IPSec client VPN ciphers supported by MacOS

by in Security / SD-WAN
‎07-29-2020 08:26 AM
‎07-29-2020 08:26 AM
The currently supported ciphers by MacOS High Sierra as pulled from a packet trace on our MX84 running firmware 15.33 are: Encryption: AES-256, Hashing: SHA-256, DH Group 14 Encryption: AES-256, Hashing: SHA, DH Group 14 Encryption: AES-256, Hashing: MD5, DH Group 14 Encryption: AES-256, Hashing: SHA2-512, DH Group 14 Encryption: AES-256, Hashing: SHA2-256, DH Group 5 Encryption: AES-256, Hashing: SHA, DH Group 5 Encryption: AES-256, Hashing: MD5, DH Group 5 Encryption: AES-256, Hashing: SHA2-256, DH Group 2 Encryption: AES-256, Hashing: SHA, DH Group 2 Encryption: AES-256, Hashing: MD5, DH Group 2 Encryption: AES-128, Hashing: SHA, DH Group 2 Encryption: AES-128, Hashing: MD5, DH Group 2 Encryption: 3DES, Hashing: SHA, DH Group 2 Encryption: 3DES, Hashing: MD5, DH Group 2 These ciphers are not adjustable within MacOS AFAIK. I haven't pulled a trace for MacOS Mojave or Catalina, but doubt that the support for weaker ciphers has increased. 3DES, MD5, SHA, and DH groups below 14 are to be avoided as per Cisco (as of 2014), see https://community.cisco.com/t5/security-documents/diffie-hellman-groups/ta-p/3147010 DH Group 14 is minimally required for PCI compliance, but the required encryption level by MacOS (AES-256) is not enabled on the MX for client VPN. Upon request, Meraki support can switch client VPN encryption to DH Group 14 with AES-128 and SHA1-96 for PCI-compliant connections. This level of encryption is supported by Windows 10, but not by MacOS. Since the MX appliance supports AES-256 for site-to-site VPN, it looks like Meraki made a choice not to support this key length for client VPN. Bottom line: Meraki MX currently does not support PCI-compliant client VPN for MacOS. If you need this, send your wish to Meraki, or find a third-party MacOS VPN client. ... View more
© 2021 Meraki