
Deprecation of DES Encryption Algorithm

Overview

The DES encryption algorithm has been demonstrated to provide insufficient security for modern networks.

On May 8th, 2018, we introduced changes to the configuration of Non-Meraki site-to-site VPN peers on new organizations as part of an effort to transition to stronger, more secure encryption algorithms and to deprecate support for the DES encryption algorithm.

To encourage more secure site-to-site VPN communications to Non-Meraki VPN peers, we will also be investigating other enhancements to the Meraki Dashboard to enable customers to make more informed decisions about the encryption algorithms used for these VPN connections.

FAQ

What is DES and where is it used?

DES (Data Encryption Standard) is a symmetric-key algorithm used for establishing a secure end-to-end VPN tunnel between the peers.

Why can I not see the option to configure DES in the Dashboard?

The DES encryption algorithm has been demonstrated to provide insufficient security for modern networks. As part of an effort to deprecate support for DES, we have removed the option from Dashboard organizations that do not have IPsec peers using it.

Which encryption methods are recommended instead of using DES?

We support the following encryption methods, which can be used instead: AES-128, AES-192, and AES-256.

Where do I change my VPN Encryption method on the dashboard?

The encryption method can be defined under Security Appliance > Configure > Site-to-Site VPN > Organization Wide Settings > Non Meraki VPN peers > IPSec Policies > Phase 1/Phase 2 > Encryption.
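
Before changing the Phase 1/Phase 2 encryption setting, it helps to know which peers still list DES. The following is an added example, not code from Meraki or from this article: it audits an exported list of non-Meraki peers, and the JSON shape, the field names `ikeCipherAlgo` and `childCipherAlgo`, and the sample peers are assumptions constructed for illustration.

```python
import json

# AES variants the page recommends in place of DES.
RECOMMENDED = {"aes128", "aes192", "aes256"}
# Assumed field names for the Phase 1 and Phase 2 encryption lists.
PHASE_FIELDS = {"Phase 1": "ikeCipherAlgo", "Phase 2": "childCipherAlgo"}

# Constructed sample export of three non-Meraki peers (not real data).
SAMPLE_EXPORT = """
[
 {"name": "branch-fw", "ipsecPolicies":
   {"ikeCipherAlgo": ["des"], "childCipherAlgo": ["aes128"]}},
 {"name": "dc-gateway", "ipsecPolicies":
   {"ikeCipherAlgo": ["aes256"], "childCipherAlgo": ["aes256"]}},
 {"name": "legacy-router", "ipsecPolicies":
   {"ikeCipherAlgo": ["aes128"], "childCipherAlgo": ["aes192", "DES"]}}
]
"""

def load_sample():
    """Parse the constructed sample export into a list of peer dicts."""
    return json.loads(SAMPLE_EXPORT)

def audit_peers(peers):
    """Return one finding per peer and phase whose cipher list is not AES-only."""
    findings = []
    for peer in peers:
        # Peers without a custom policy block have nothing to inspect here.
        policies = peer.get("ipsecPolicies") or {}
        for phase, field in PHASE_FIELDS.items():
            ciphers = {str(c).lower() for c in policies.get(field) or []}
            flagged = sorted(ciphers - RECOMMENDED)
            if flagged:
                findings.append({
                    "peer": peer.get("name", "<unnamed>"),
                    "phase": phase,
                    "uses_des": "des" in ciphers,
                    "not_recommended": flagged,
                })
    return findings

def des_peers(peers):
    """Names of peers that still list DES in either phase."""
    return sorted({f["peer"] for f in audit_peers(peers) if f["uses_des"]})

if __name__ == "__main__":
    for f in audit_peers(load_sample()):
        print(f"{f['peer']}: {f['phase']} encryption lists {f['not_recommended']}")
```

A peer is reported once per phase, so a tunnel with AES in Phase 1 but DES left in Phase 2 is still caught.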

 

Does the deprecation of DES mean that my VPN peers will be interrupted?

No. MX-PM has applied a feature on the backend of organizations that have at least one IPsec peer using the DES algorithm to establish a tunnel. Organizations that have peers with DES configured will only see a warning message, with DES highlighted. Once DES is removed from the configuration, we will automatically remove the option from the Dashboard completely.

Does the deprecation of DES affect Meraki-Meraki AutoVPN?

No. Auto VPN is not affected. The DES encryption algorithm was used only with Non-Meraki VPN peers and Meraki-Meraki VPN peers across separate organizations.

What if I need to use DES?

We have worked on a feature that can be enabled on the backend for customers that need to continue using the DES encryption algorithm. Please note that having this option configured will cause disruptions to VPN peers when upgrading to MX 15 firmware.

How do we plan to transition from DES to other Encryption methods?

We will start removing the feature from the backend for organizations that have DES configured but are not using it for their VPN peers. Once we remove the option on the backend, a warning will appear when a user goes to configure IPsec policies for a peer that already has DES configured. When the user removes DES from the configuration and clicks on “Save changes”, the option will disappear from the UI. It will appear as shown below:

 

DES1.png

 

 

 
