
Cannot connect to company VPN

We had to update our security for CPI compliance last week. We changed our VPN to AES128 and DH group 14. Since then I cannot connect my android phone to the VPN. I am told by Meraki that some devices do not support DH 14. Is there a way I can connect my S7 to the VPN?
 
Is it any Android devices that can't connect, or just this Galaxy S7? Does Cisco give you any specifics as to which Android devices or versions don't support DH?
 
I only have two S7's and neither will connect. I have a colleague that has an iPhone and she can connect without issue.

This is the response from Meraki support:
"Hello
Thank you for contacting Cisco Meraki Technical Support.
I understand you are facing an issue with respect to client vpn.
AES128 and DH group 14 were configured. However, it may be a scenario where the change has a negative impact on the ability of different devices to connect to the client VPN if they are not compatible with that DH group. If any devices that try to connect to the client VPN do not support DH group 14, they will be unable to connect. we cas
Please let me know if you have any questions"
 
OK, so after re-reading that Meraki support response I got the sense that a) I'm guessing it really wasn't an answer to your original query at all and b) there's an 'English is not their primary language' issue, but even that aside, just going by intent it was more about using verbiage as a misdirection.
That said, instead of DH 14, any chance you can bump that up to DH 19 or more and see how that works out? DH 14 being the original 'modulus' Diffie-Hellman as opposed to newer 'elliptic-curve' Diffie-Hellman, at this time ECDH is more prevalent than the original DH.

https://community.cisco.com/t5/security-documents/diffie-hellman-groups/ta-p/3147010

https://arstechnica.com/information...rstand-primer-on-elliptic-curve-cryptography/
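To make concrete what "DH group 14" actually is, here is an added example (not from this thread and not Meraki's or Cisco's code): a group 14 key agreement in pure Python using the prime published in RFC 3526, plus a primality sanity check on those parameters. A group number is just a label for a fixed set of public parameters, so both VPN peers must ship that group's parameters and the code for it, or the negotiation cannot complete.

```python
# Diffie-Hellman group 14 (2048-bit MODP, RFC 3526): the group is just p and g.
import secrets

# RFC 3526 group 14 prime (2048 bits); the generator is 2.
P_GROUP14 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G_GROUP14 = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin test, enough to sanity-check published group parameters."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random witness in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p=P_GROUP14, g=G_GROUP14):
    """One peer's (private exponent, public value)."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def dh_shared_secret(priv, peer_pub, p=P_GROUP14):
    """Derive the shared secret, rejecting degenerate peer values (0, 1, p-1)."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value outside the valid range")
    return pow(peer_pub, priv, p)


def peers_agree():
    """Two peers that implement the same group derive the same secret."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return dh_shared_secret(a_priv, b_pub) == dh_shared_secret(b_priv, a_pub)
```

Group 14 is a safe-prime group, so both p and (p - 1) / 2 should pass the primality check; group 19 is an elliptic-curve group (P-256) and is not a modular-exponentiation group like this one.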
 
That is a great read, really helps. I thought since it worked with DH 5 that the device must not support DH 14 but if I understand correctly I can raise the DH group to maybe 19 and it should work?
 
We had to update our security for CPI compliance last week. We changed our VPN to AES128 and DH group 14. Since then I cannot connect my android phone to the VPN. I am told by Meraki that some devices do not support DH 14. Is there a way I can connect my S7 to the VPN?
You could build an Android app that connects to the VPN.
 
That is a great read, really helps. I thought since it worked with DH 5 that the device must not support DH 14 but if I understand correctly I can raise the DH group to maybe 19 and it should work?

Well, I'm just assuming it will work given how dated DH 14 is at this point. Note that the primer article is from 2013, which predates the release of those 'problematic' Galaxy S7 phones (early 2016). So my assumption is based on supposition for the most part.
Another clue to this puzzle is I rely on Signal Private Messenger as my texting messaging app, which also uses ECDH -- which I recall was working fine on an even more dated Galaxy S3 back in its day (released in 2012).
https://en.wikipedia.org/wiki/Signal_Protocol
 