The Meraki Community
SvenS


Conversationalist

Member since Jul 29, 2020

‎12-10-2020
Kudos from
User Count
BMG71 1
nikiwaibel 1
M-DOS 1

Community Record

Posts: 2
Kudos: 3
Solutions: 0
Latest Contributions by SvenS

Re: L2TP/IPSec client VPN ciphers supported by MacOS

by SvenS in Security / SD-WAN
12-10-2020 01:39 PM
3 Kudos

Correct. The changed parameters for the client VPN support these parameters (as per Windows VPN setup):

<CryptographySuite>
     <AuthenticationTransformConstants>SHA196</AuthenticationTransformConstants>
     <CipherTransformConstants>AES128</CipherTransformConstants>
     <EncryptionMethod>AES128</EncryptionMethod>
     <IntegrityCheckMethod>SHA196</IntegrityCheckMethod>
     <DHGroup>Group14</DHGroup>
</CryptographySuite>

These settings are not supported by settings in the MacOS built-in clients.

@Meraki: Why aren't you changing to a setup that supports PCI-compliant VPN in Windows and MacOS? It would seem that using AES256 instead of AES128 would suffice.

L2TP/IPSec client VPN ciphers supported by MacOS

by SvenS in Security / SD-WAN
07-29-2020 08:26 AM

The currently supported ciphers by MacOS High Sierra as pulled from a packet trace on our MX84 running firmware 15.33 are:

  • Encryption: AES-256, Hashing: SHA-256, DH Group 14
  • Encryption: AES-256, Hashing: SHA, DH Group 14
  • Encryption: AES-256, Hashing: MD5, DH Group 14
  • Encryption: AES-256, Hashing: SHA2-512, DH Group 14
  • Encryption: AES-256, Hashing: SHA2-256, DH Group 5
  • Encryption: AES-256, Hashing: SHA, DH Group 5
  • Encryption: AES-256, Hashing: MD5, DH Group 5
  • Encryption: AES-256, Hashing: SHA2-256, DH Group 2
  • Encryption: AES-256, Hashing: SHA, DH Group 2
  • Encryption: AES-256, Hashing: MD5, DH Group 2
  • Encryption: AES-128, Hashing: SHA, DH Group 2
  • Encryption: AES-128, Hashing: MD5, DH Group 2
  • Encryption: 3DES, Hashing: SHA, DH Group 2
  • Encryption: 3DES, Hashing: MD5, DH Group 2

These ciphers are not adjustable within MacOS AFAIK. I haven't pulled a trace for MacOS Mojave or Catalina, but doubt that the support for weaker ciphers has increased.

3DES, MD5, SHA, and DH groups below 14 are to be avoided as per Cisco (as of 2014), see https://community.cisco.com/t5/security-documents/diffie-hellman-groups/ta-p/3147010

DH Group 14 is minimally required for PCI compliance, but the required encryption level by MacOS (AES-256) is not enabled on the MX for client VPN. Upon request, Meraki support can switch client VPN encryption to DH Group 14 with AES-128 and SHA1-96 for PCI-compliant connections. This level of encryption is supported by Windows 10, but not by MacOS. Since the MX appliance supports AES-256 for site-to-site VPN, it looks like Meraki made a choice not to support this key length for client VPN.

Bottom line: Meraki MX currently does not support PCI-compliant client VPN for MacOS. If you need this, send your wish to Meraki, or find a third-party MacOS VPN client.
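Added example, not part of either post and not Meraki or Apple code: a small proposal-matching check that runs the macOS list above against the DH Group 14 / AES-128 / SHA1-96 setting described in the post and against the AES-256 variant suggested in the reply. It assumes "SHA" in the trace means SHA-1, that SHA-256 and SHA2-256 are the same transform, and that the responder accepts only an exact match; the policy names are hypothetical.

```python
from typing import NamedTuple, Optional, Sequence

class Proposal(NamedTuple):
    enc: str    # encryption transform
    integ: str  # hash / integrity transform
    dh: int     # Diffie-Hellman group number

# Constructed from the list in the post, in the order it was given.
MACOS_HIGH_SIERRA = [Proposal(*p) for p in [
    ("AES-256", "SHA2-256", 14), ("AES-256", "SHA1", 14), ("AES-256", "MD5", 14),
    ("AES-256", "SHA2-512", 14), ("AES-256", "SHA2-256", 5), ("AES-256", "SHA1", 5),
    ("AES-256", "MD5", 5), ("AES-256", "SHA2-256", 2), ("AES-256", "SHA1", 2),
    ("AES-256", "MD5", 2), ("AES-128", "SHA1", 2), ("AES-128", "MD5", 2),
    ("3DES", "SHA1", 2), ("3DES", "MD5", 2),
]]

# Responder policies (hypothetical names). The first is the setting the post says
# Meraki support can enable; the second is the change proposed in the reply.
MX_PCI_MODE = [Proposal("AES-128", "SHA1", 14)]
AES256_VARIANT = [Proposal("AES-256", "SHA1", 14)]

def negotiate(initiator: Sequence[Proposal],
              responder: Sequence[Proposal]) -> Optional[Proposal]:
    """Return the first initiator proposal the responder's policy accepts."""
    for proposal in initiator:
        if proposal in responder:
            return proposal
    return None  # no common proposal: the tunnel cannot be established

def weaknesses(p: Proposal) -> list:
    """Flag the items the post lists as 'to be avoided' (3DES, MD5, SHA, DH < 14)."""
    found = []
    if p.enc == "3DES":
        found.append("3DES")
    if p.integ in ("MD5", "SHA1"):
        found.append(p.integ)
    if p.dh < 14:
        found.append(f"DH group {p.dh}")
    return found

def clean_proposals(proposals: Sequence[Proposal]) -> list:
    """Proposals that carry none of the flagged items."""
    return [p for p in proposals if not weaknesses(p)]

if __name__ == "__main__":
    for name, policy in (("MX PCI mode", MX_PCI_MODE), ("AES-256 variant", AES256_VARIANT)):
        match = negotiate(MACOS_HIGH_SIERRA, policy)
        print(f"{name}: {match or 'no common proposal'}",
              weaknesses(match) if match else "")
    print("macOS proposals with nothing flagged:", clean_proposals(MACOS_HIGH_SIERRA))
```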
My Top Kudoed Posts
Subject Kudos Views

Re: L2TP/IPSec client VPN ciphers supported by MacOS

Security / SD-WAN
3 4134
© 2023 Meraki