MX Security Audit Failed - Recommended Steps
Security Audit Failed due to Aggressive Mode IKE
Prior to the release of the MX 15 firmware branch, Cisco Meraki MX Client VPN supported the use of Aggressive Mode IKE with Pre-Shared Key authentication. Security audits or vulnerability scans may occasionally report that Aggressive Mode IKE is detected; however, Aggressive Mode is NOT supported, and has not been since MX 15 was released.
Scans typically pick this up because MX devices still respond to such requests, but the response is a NO-PROPOSAL-CHOSEN notification message, which is the standard way of indicating that the request has been rejected. There is no way for Meraki Support to modify this behavior, and any findings from security scans in this circumstance are false positives. Refer to https://datatracker.ietf.org/doc/htm...08#section-5.4 for more details.
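To confirm that a scan finding is this false positive, the reply captured from the MX can be decoded and checked for the rejection notify. The following is an added example, not Meraki code: a minimal Python parser for the IKEv1/ISAKMP header and Notification payload that separates a NO-PROPOSAL-CHOSEN rejection from an actual Aggressive Mode response. The function names, verdict strings and sample packets are constructed for illustration.

```python
import struct

# IKEv1/ISAKMP constants
EXCH_AGGRESSIVE, EXCH_INFORMATIONAL = 4, 5
PAYLOAD_SA, PAYLOAD_NOTIFY = 1, 11
NO_PROPOSAL_CHOSEN = 14  # Notify Message Type
# cookies, next payload, version, exchange type, flags, message ID, length
HDR = struct.Struct("!8s8sBBBBII")

def classify_ike_response(pkt):
    """Return 'rejected', 'aggressive-mode-accepted' or 'inconclusive'
    for a UDP/500 reply to an Aggressive Mode probe."""
    if len(pkt) < HDR.size:
        return "inconclusive"
    _, _, next_payload, _, exchange, flags, _, length = HDR.unpack_from(pkt)
    if flags & 0x01:  # encryption bit set: payloads are not readable
        return "inconclusive"
    end, off, seen = min(length, len(pkt)), HDR.size, []
    while next_payload != 0 and off + 4 <= end:
        following, _, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > end:  # malformed or truncated payload
            return "inconclusive"
        body = pkt[off + 4:off + plen]
        if next_payload == PAYLOAD_NOTIFY and len(body) >= 8:
            # Notification body: DOI, protocol ID, SPI size, notify type
            notify_type = struct.unpack_from("!IBBH", body)[3]
            if notify_type == NO_PROPOSAL_CHOSEN:
                return "rejected"
        seen.append(next_payload)
        next_payload, off = following, off + plen
    if exchange == EXCH_AGGRESSIVE and PAYLOAD_SA in seen:
        return "aggressive-mode-accepted"
    return "inconclusive"

def build_sample(exchange, payloads):
    """Build a constructed ISAKMP message from (payload type, body) pairs."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HDR.pack(b"I" * 8, b"R" * 8, first, 0x10, exchange, 0, 0,
                    HDR.size + len(body)) + body

# Constructed samples (not captured traffic): a rejection and an acceptance
REJECT = build_sample(EXCH_INFORMATIONAL, [(PAYLOAD_NOTIFY, struct.pack("!IBBH", 1, 1, 0, NO_PROPOSAL_CHOSEN))])
ACCEPT = build_sample(EXCH_AGGRESSIVE, [(PAYLOAD_SA, b"\x00" * 8), (4, b"\x00" * 8), (8, b"\x00" * 20)])
```

Feed the function the UDP payload of the device's reply taken from a packet capture of the scan; a verdict of `rejected` matches the behavior described above.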
Security Audit Failed due to Client VPN Encryption
Security audits may flag the encryption or DH groups used by legacy L2TP/IPsec Client VPN. These settings are part of the legacy Client VPN implementation. If stronger encryption or modern IKE negotiation is required, migrate to IKEv2 Client VPN, which is available on MX firmware 26.1.X and later (for more information, see Client VPN Overview).

