MX Security Audit Failed - Recommended Steps
Security Audit Failed due to Aggressive Mode IKE
Prior to the release of the MX 15 firmware branch, Cisco Meraki MX Client VPN supported the use of Aggressive Mode IKE with Pre-Shared Key authentication. Security audits or vulnerability scans may occasionally flag an MX because Aggressive Mode IKE is detected. However, Aggressive Mode is NOT supported, and has not been since MX 15 was released.
Scans typically pick this up because MX devices still respond to such requests. The response is a NO-PROPOSAL-CHOSEN notification message, which is the standard way of indicating that the request has been rejected. There is no way for Meraki Support to modify this behavior, and any findings that security scans report under this circumstance are false positives. Refer to https://datatracker.ietf.org/doc/htm...08#section-5.4 for more details.
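The following added example, which is not Meraki's code, parses an IKEv1 reply using the ISAKMP header and Notification payload layout from RFC 2408 and reports whether an Aggressive Mode request was rejected with NO-PROPOSAL-CHOSEN or actually answered with a handshake. The function names and both sample packets are constructed for illustration, and the code assumes the reply is unencrypted.

```python
import struct

# ISAKMP / IKEv1 constants from RFC 2408
EXCH_AGGRESSIVE, EXCH_INFORMATIONAL = 4, 5
P_SA, P_KE, P_ID, P_HASH, P_NONCE, P_NOTIFY = 1, 4, 5, 8, 10, 11
NO_PROPOSAL_CHOSEN = 14

def classify_ike_response(data: bytes) -> str:
    """Return 'rejected', 'aggressive-accepted' or 'unknown' for a UDP/500 reply."""
    if len(data) < 28:
        return "unknown"
    # Header fields after the two 8-byte cookies
    next_payload, version, exchange, flags, _msg_id, length = struct.unpack(
        "!BBBBII", data[16:28])
    if version != 0x10 or length > len(data) or flags & 0x01:
        return "unknown"  # not IKEv1, truncated, or encrypted
    offset, seen = 28, []
    while next_payload != 0 and offset + 4 <= length:
        following, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > length:
            return "unknown"  # malformed payload chain
        body = data[offset + 4:offset + plen]
        # Notification body: DOI(4) | protocol-id(1) | SPI size(1) | type(2)
        if next_payload == P_NOTIFY and len(body) >= 8:
            if struct.unpack("!H", body[6:8])[0] == NO_PROPOSAL_CHOSEN:
                return "rejected"
        seen.append(next_payload)
        next_payload, offset = following, offset + plen
    if exchange == EXCH_AGGRESSIVE and P_SA in seen:
        return "aggressive-accepted"
    return "unknown"

def build_packet(exchange: int, payloads: list) -> bytes:
    """Build a constructed test packet from (payload_type, body) tuples."""
    chain = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    header = b"\x11" * 8 + b"\x22" * 8 + struct.pack(
        "!BBBBII", payloads[0][0], 0x10, exchange, 0, 0, 28 + len(chain))
    return header + chain

# Constructed samples, not captured from a real device
REJECT = build_packet(EXCH_INFORMATIONAL, [
    (P_NOTIFY, struct.pack("!IBBH", 1, 1, 0, NO_PROPOSAL_CHOSEN))])
ACCEPT = build_packet(EXCH_AGGRESSIVE, [
    (P_SA, bytes(8)), (P_KE, bytes(128)), (P_NONCE, bytes(16)),
    (P_ID, bytes(8)), (P_HASH, bytes(20))])
```

A reply classified as `rejected` corresponds to the false-positive case described above, while `aggressive-accepted` would mean the peer actually completed the responder side of an Aggressive Mode exchange.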
Security Audit Failed due to Client VPN Encryption
Owing to revisions in data security standards, some auditors now enforce requirements for stronger encryption than the default proposals MX devices use for IPsec Client VPN. Please contact Meraki Support if you need these values adjusted, but be aware that some client devices may not support these more stringent requirements or, in the case of Windows clients, may require edits to the Windows Registry to change the values they use.

