Home > Security Appliances > Client VPN > MX Security Audit Failed - Recommended Steps

MX Security Audit Failed - Recommended Steps

Security Audit Failed due to Aggressive Mode IKE

Cisco Meraki MX Client VPN requires Aggressive Mode IKE in order to use Pre-Shared Key authentication and avoid the installation of certificates on clients. Customers who have Client VPN enabled may fail PCI, SOX, or other security audits because Aggressive Mode IKE is detected.  In some cases, this can be appealed if the PSK is complex enough.  If that's the case, something similar to the line below should appear in the remediation notes for the report:
 
"If you are unable to disable Aggressive Mode IKE, then you should ensure that the pre-shared keys are strong. Like any password, be sure to use complex PSK values, and rotate the keys as often as is practical. These are recommended to be an alphanumeric value greater than 16 characters. If you already have a strong password policy for the PSKs, then you can appeal this vulnerability."
 If the auditing entity being used does not allow appeals of this vulnerability, then client VPN may need to be disabled to address this concern.

Note: If client VPN is enabled, people commonly fail their PCI compliance tests due to CVE-2002-1623.

Security Audit Failed due to Client VPN Encryption

Owing to changes in the PCI-DSS Standard version 3.2, some auditors are now enforcing requirements for stronger encryption than the Meraki Client VPN default settings provide. Please contact Meraki Support if you need these values adjusted, but please be aware that some client devices may not support these more stringent requirements (AES128 encryption with DH group 5).

Last modified

Tags

Classifications

This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 1430

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community