Cisco Meraki Documentation

MX Security Audit Failed - Recommended Steps

Security Audit Failed due to Aggressive Mode IKE (MX 14 firmware and earlier)

Prior to the release of the MX 15 firmware branch, Cisco Meraki MX Client VPN required the use of Aggressive Mode IKE in order to use Pre-Shared Key authentication and avoid the installation of certificates on clients. Customers who have Client VPN enabled on older firmware releases may fail PCI, SOX, or other security audits because Aggressive Mode IKE is detected. In some cases, this can be appealed provided the PSK is complex enough. If that's the case, something similar to the line below should appear in the remediation notes for the report:
"If you are unable to disable Aggressive Mode IKE, then you should ensure that the pre-shared keys are strong. Like any password, be sure to use complex PSK values, and rotate the keys as often as is practical. These are recommended to be an alphanumeric value greater than 16 characters. If you already have a strong password policy for the PSKs, then you can appeal this vulnerability."

If the auditing entity does not allow this finding to be appealed, customers should plan to upgrade to MX 15 firmware. If an upgrade is not immediately possible, Client VPN may need to be disabled to address the finding.

Note: If Client VPN is enabled on these firmware releases, PCI compliance scans commonly fail on CVE-2002-1623, the Aggressive Mode IKE finding described above.
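The remediation note above sets out the PSK policy an auditor will accept: alphanumeric, longer than 16 characters, rotated regularly. The script below is an added example (not Meraki code or tooling) that generates PSKs meeting that policy from the OS CSPRNG, checks an existing PSK against it, reports the brute-force entropy bound, and flags a key that is overdue for rotation. The 90-day rotation interval is an assumed operational value; the page only says "as often as is practical".

```python
import math
import secrets
import string
from datetime import date, timedelta

# Policy taken from the audit remediation text: alphanumeric, more than 16 characters.
MIN_LENGTH = 17                                    # "greater than 16 characters"
ALPHABET = string.ascii_letters + string.digits    # 62 symbols, A-Z a-z 0-9
ROTATION_DAYS = 90                                 # assumed value; page says "as often as is practical"


def generate_psk(length: int = 24) -> str:
    """Return a random alphanumeric PSK drawn from the OS CSPRNG (secrets module)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(psk: str) -> float:
    """Upper bound on guessing entropy, assuming each character is uniform over ALPHABET."""
    return len(psk) * math.log2(len(ALPHABET))


def check_psk(psk: str) -> list[str]:
    """Return a list of policy findings for a PSK; an empty list means it passes."""
    findings = []
    if len(psk) < MIN_LENGTH:
        findings.append(f"too short: {len(psk)} chars, need > 16")
    # isalnum() alone accepts non-ASCII letters, so also require ASCII.
    if not (psk.isascii() and psk.isalnum()):
        findings.append("contains non-alphanumeric characters")
    if not any(c.isdigit() for c in psk):
        findings.append("no digits")
    if not any(c.isalpha() for c in psk):
        findings.append("no letters")
    return findings


def rotation_due(last_rotated_iso: str, today_iso: str, max_age_days: int = ROTATION_DAYS) -> bool:
    """True when the PSK has been in service for at least max_age_days (dates as YYYY-MM-DD)."""
    last_rotated = date.fromisoformat(last_rotated_iso)
    today = date.fromisoformat(today_iso)
    return today - last_rotated >= timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample inputs, not values from any real deployment.
    for candidate in ["short1", "Correct-Horse-Battery-Staple", "abcdefghijklmnopq"]:
        print(candidate, "->", check_psk(candidate) or "OK")
    psk = generate_psk(24)
    print("generated PSK:", psk, f"({entropy_bits(psk):.0f} bits), findings:", check_psk(psk))
    print("rotation due:", rotation_due("2024-01-01", "2024-04-01"))
```

Run it once to produce a fresh PSK for the Client VPN configuration, and keep the rotation date alongside the key inventory so the check can be repeated at each audit cycle.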

Security Audit Failed due to Client VPN Encryption

Owing to changes in the PCI-DSS Standard version 3.2.1, some auditors are now enforcing requirements for stronger encryption than the Meraki Client VPN default settings provide. Please contact Meraki Support if you need these values adjusted, but be aware that some client devices may not support the more stringent settings (AES-128 encryption with DH group 14, as required by PCI-DSS 3.2.1).