TL-R600VPN Failing PCI Scan - ISAKMP supports short block sizes
My customer is failing a PCI scan with these new routers. Using a total of 3 routers: 1 router at the primary site and 2 at remote sites. IPsec L2L VPN set up between the remotes and the primary. I have also enabled encrypted L2TP on the main site router only. I don't have much configurability with the L2TP, so my assumption is that that is the weakest link. What are my options to remedy this?
THREAT REFERENCE
Summary:
ISAKMP supports short block sizes (SWEET32 attack)
Risk: High (3)
Port: 500/udp
Protocol: udp
Threat ID: misc_isakmpsweet32
Details: SWEET32 Attack
08/29/16
CVE 2016-2183
Block ciphers with small block sizes are susceptible to a class of attacks known as birthday attacks.
These attacks take advantage of multiple blocks which return identical ciphertext, known as collisions. The probability of collisions occurring becomes significant after a large number of blocks have been encrypted using the same key.
The SWEET32 attack is a specific birthday attack which reveals the XOR (exclusive-OR) between a fixed secret and known plaintext, thus allowing the secret to be determined.
For https services, this attack can be launched in a browser session by javascript code which makes repeated requests containing an authentication token and predictable headers.
Successful exploitation requires about 785 GB of data to be captured, and the attacker must be able to inject javascript into a web session and to sniff data from the network.
Other attacks may be possible against SSH, ISAKMP, and other affected services.
Information From Target:
Service: isakmp
Encryption Algorithm: 3DES-CBC, Hash Algorithm: MD5, Group Description: Diffie-Hellman 1024-bit MODP, Authentication Method: pre-shared key, Life Type: seconds, Life Duration: 28800
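The "Information From Target" line above is the part of the scan worth reading closely: it tells you which IKE proposal the scanner negotiated and therefore which settings a remediation has to change. The script below is an added example (not from the original post, the scanner vendor, or TP-Link) that parses that line, flags the parameters a PCI assessor will keep failing (a 64-bit block cipher, MD5 integrity, a 1024-bit MODP group), and works through the SWEET32 arithmetic the threat reference only states in words: with an n-bit block, collisions become likely after about 2^(n/2) blocks under one key, so for 3DES that is roughly 32 GiB per key, and the 28800-second lifetime shown tells you the sustained throughput at which a single SA would reach that point. The cipher-name table and the policy thresholds (128-bit blocks, no MD5/SHA1, 2048-bit MODP minimum) are assumptions chosen for this example, and the proposal string is a constructed copy of the line in the scan result.

```python
"""Triage helper for an ISAKMP/IKE proposal line reported by a PCI scanner.

Added example, not from the original post or any vendor: parses the
"Information From Target" line, flags parameters below a minimal policy,
and computes how much traffic one key protects before a 64-bit block
cipher reaches the SWEET32 birthday bound.
"""
import math
import re

# Block size in bits for the cipher names the scanner reports.
# Assumption: names follow the scanner's "ALG-MODE" style seen above.
BLOCK_SIZE_BITS = {"DES-CBC": 64, "3DES-CBC": 64, "AES-CBC": 128, "AES-GCM": 128}
WEAK_HASHES = {"MD5", "SHA1"}
MIN_MODP_BITS = 2048  # policy threshold chosen for this example

# Constructed copy of the proposal line from the scan result above.
SAMPLE_PROPOSAL = ("Encryption Algorithm: 3DES-CBC, Hash Algorithm: MD5, "
                   "Group Description: Diffie-Hellman 1024-bit MODP, "
                   "Authentication Method: pre-shared key, "
                   "Life Type: seconds, Life Duration: 28800")


def parse_proposal(line):
    """Split 'Key: Value, Key: Value, ...' into a dict."""
    fields = {}
    for part in line.split(","):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def birthday_bound_bytes(block_bits):
    """Bytes encrypted under one key before a block collision is expected.

    With an n-bit block a collision is expected after about 2^(n/2) blocks,
    so the bound is 2^(n/2) blocks times n/8 bytes per block.
    """
    return (1 << (block_bits // 2)) * (block_bits // 8)


def collision_probability(block_bits, n_blocks):
    """Probability that at least two of n_blocks ciphertext blocks collide,
    using the birthday approximation 1 - exp(-k^2 / 2N) with N = 2^n."""
    return 1.0 - math.exp(-(n_blocks ** 2) / (2.0 * (1 << block_bits)))


def bound_reached_bps(block_bits, lifetime_seconds):
    """Sustained throughput (bit/s) at which one SA lifetime carries enough
    data to reach the birthday bound under a single key."""
    return birthday_bound_bytes(block_bits) * 8 / lifetime_seconds


def evaluate_proposal(line):
    """Return {category: finding} for every parameter below the policy above."""
    p = parse_proposal(line)
    findings = {}

    enc = p.get("Encryption Algorithm", "")
    bits = BLOCK_SIZE_BITS.get(enc)
    if bits is None:
        findings["encryption"] = f"unrecognised cipher {enc!r}; review manually"
    elif bits < 128:
        gib = birthday_bound_bytes(bits) / 2 ** 30
        msg = f"{enc} uses a {bits}-bit block; ~{gib:.0f} GiB per key reaches the birthday bound"
        if p.get("Life Type") == "seconds" and p.get("Life Duration", "").isdigit():
            mbps = bound_reached_bps(bits, int(p["Life Duration"])) / 1e6
            msg += f" (sustained {mbps:.1f} Mbit/s reaches it within one {p['Life Duration']} s lifetime)"
        findings["encryption"] = msg

    hsh = p.get("Hash Algorithm", "")
    if hsh in WEAK_HASHES:
        findings["hash"] = f"{hsh} is deprecated for IKE integrity; prefer SHA-256 or stronger"

    m = re.search(r"(\d+)-bit MODP", p.get("Group Description", ""))
    if m and int(m.group(1)) < MIN_MODP_BITS:
        findings["dh_group"] = (f"{m.group(1)}-bit MODP is below the {MIN_MODP_BITS}-bit "
                                "minimum; prefer a 2048-bit or larger group")
    return findings


if __name__ == "__main__":
    for category, finding in evaluate_proposal(SAMPLE_PROPOSAL).items():
        print(f"[{category}] {finding}")
```

Running it against the scan line produces three findings, one per parameter the assessor will object to. The throughput figure is the useful one for a site-to-site tunnel: a 3DES SA with an 8-hour lifetime sits at the 2^32-block mark after roughly 9.5 Mbit/s of sustained traffic, which is why shortening lifetimes is at best a stopgap and moving the proposal to a 128-bit block cipher is the fix the scanner is actually asking for. The same line, re-read after the configuration change, should yield an empty findings dict.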