Cisco Meraki MX Client VPN requires Aggressive Mode IKE in order to use Pre-Shared Key (PSK) authentication and avoid installing certificates on clients. Customers who have Client VPN enabled may fail PCI, SOX, or other security audits because Aggressive Mode IKE is detected. In some cases, this finding can be appealed if the PSK is complex enough. When an appeal is possible, something similar to the text below should appear in the remediation notes for the report:
"If you are unable to disable Aggressive Mode IKE, then you should ensure that the pre-shared keys are strong. Like any password, be sure to use complex PSK values, and rotate the keys as often as is practical. These are recommended to be an alphanumeric value greater than 16 characters. If you already have a strong password policy for the PSKs, then you can appeal this vulnerability."
If the auditing entity does not allow appeals of this vulnerability, Client VPN may need to be disabled to address this concern.
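A check for the criterion in the quoted remediation note (alphanumeric, greater than 16 characters), with a generator for replacement keys at rotation time. This is an added example, not Cisco Meraki code; the function names, the 32-character default, and the distinct-character threshold are assumptions, and the sample keys are constructed.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols
MIN_LENGTH = 17    # quoted note: "greater than 16 characters"
MIN_DISTINCT = 10  # assumption: rejects padded keys such as "aaaa...a1"


def audit_psk(psk: str) -> list:
    """Return the reasons a PSK misses the criterion; an empty list means it passes."""
    findings = []
    if len(psk) < MIN_LENGTH:
        findings.append(f"length {len(psk)} is not greater than 16")
    # The note says "alphanumeric"; this reads it literally (assumption).
    if any(ch not in ALPHANUMERIC for ch in psk):
        findings.append("contains characters outside A-Z, a-z, 0-9")
    if not (any(c.isalpha() for c in psk) and any(c.isdigit() for c in psk)):
        findings.append("does not mix letters and digits")
    if len(set(psk)) < MIN_DISTINCT:
        findings.append(f"only {len(set(psk))} distinct characters")
    return findings


def generate_psk(length: int = 32) -> str:
    """Draw a PSK from the OS CSPRNG, retrying until it passes audit_psk."""
    if length < MIN_LENGTH:
        raise ValueError("length must be greater than 16")
    while True:
        psk = "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))
        if not audit_psk(psk):
            return psk


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random alphanumeric string of this length."""
    return length * math.log2(len(ALPHANUMERIC))


if __name__ == "__main__":
    # Constructed weak keys: one too short, one long but padded.
    for sample in ("MerakiVPN2024", "aaaaaaaaaaaaaaaaaaaa1"):
        print(sample, "->", audit_psk(sample))
    new_key = generate_psk()
    print(f"generated {len(new_key)}-character PSK, "
          f"about {entropy_bits(len(new_key)):.0f} bits of entropy")
```

The entropy figure applies only to keys drawn at random, as `generate_psk` does; a human-chosen key of the same length can pass the length check and still be guessable.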