
Security audit failed due to aggressive mode IKE


Cisco Meraki MX Client VPN requires Aggressive Mode IKE in order to use Pre-Shared Key (PSK) authentication and avoid the installation of certificates on clients. Customers who have Client VPN enabled may fail PCI, SOX, or other security audits because Aggressive Mode IKE is detected. In some cases, this finding can be appealed if the PSK is complex enough. If so, wording similar to the following should appear in the remediation notes for the report:
 
"If you are unable to disable Aggressive Mode IKE, then you should ensure that the pre-shared keys are strong. Like any password, be sure to use complex PSK values, and rotate the keys as often as is practical. These are recommended to be an alphanumeric value greater than 16 characters. If you already have a strong password policy for the PSKs, then you can appeal this vulnerability."
If the auditing entity does not allow appeals of this vulnerability, Client VPN may need to be disabled to address this concern.
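
One way to check existing PSKs against the quoted guidance (alphanumeric, greater than 16 characters) and to generate compliant ones, as an added example that is not Cisco Meraki code. The function names, the character-class check, and the repetition check are assumptions that go beyond what the article states.

```python
import math
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits
MIN_LENGTH = 17  # quoted guidance: "greater than 16 characters"


def audit_psk(psk):
    """Return a list of findings; an empty list means the PSK passes."""
    findings = []
    if len(psk) < MIN_LENGTH:
        findings.append("length is not greater than 16 characters")
    if not (psk.isascii() and psk.isalnum()):
        findings.append("not purely alphanumeric")
    # Assumed extra checks (not in the article): catch keys that satisfy the
    # length rule but are still easy to guess.
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    if sum(any(c in cls for c in psk) for cls in classes) < 2:
        findings.append("uses fewer than two character classes")
    if len(set(psk)) < len(psk) / 2:
        findings.append("low character diversity")
    return findings


def generate_psk(length=32):
    """Return a random alphanumeric PSK from the OS CSPRNG that passes audit_psk."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        psk = "".join(secrets.choice(ALPHANUM) for _ in range(length))
        if not audit_psk(psk):
            return psk


def max_entropy_bits(length):
    """Upper bound on entropy of a uniformly random alphanumeric PSK."""
    return length * math.log2(len(ALPHANUM))


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    for sample in ("meraki123", "a" * 20, generate_psk()):
        print(f"{len(sample):>2} chars: {audit_psk(sample) or 'pass'}")
    print(f"32-char random PSK: up to {max_entropy_bits(32):.0f} bits")
```

Recording the audit result and the rotation date for each PSK gives the auditor evidence of the password policy that the appeal relies on.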

Note: If Client VPN is enabled, PCI compliance tests commonly fail due to CVE-2002-1623.

Article ID

ID: 1430
