On Monday, 31 January 2022, Mirsad Goran Todorovac wrote:

> I have just checked the January 1st, 2022 security upgrade for Samsung
> Android 11, and it still requires the USE_DH2 compile-time option to connect an L2TP
> IKEv1 VPN.
>
> I just thought of a vendor compatibility/interoperability matrix that we
> would maintain. Do we already have such a thing implemented?
Android uses mtpd for its L2TP and PPTP implementations and ipsec-tools for IKEv1. Here are the corresponding AOSP (i.e. Android Open Source Project) repositories:

https://android.googlesource.com/platform/external/mtpd/
https://android.googlesource.com/platform/external/ipsec-tools/

I think the Android hardware manufacturers hardly ever deviate from the AOSP implementations of mtpd and ipsec-tools.

If you have a look at the master source code of setup.c in ipsec-tools:

https://android.googlesource.com/platform/external/ipsec-tools/+/refs/heads/master/setup.c

you'll note for the add_proposal() function that OAKLEY_ATTR_GRP_DESC_MODP1024 is hard coded for the DH group.

Google decided to remove L2TP (and PPTP) from their Pixel 6 Android 12 phone, so I don't think there is much hope in Android ever supporting something better than modp1024 (DH2) for its L2TP/IPsec VPN implementation.

Cheers,
Doug

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
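Added example, not part of the thread and not code from Libreswan or ipsec-tools: a small decoder for the IKEv1 transform attributes that carry the Oakley group description (RFC 2408/2409 wire format), so an administrator looking at a capture can confirm that the peer offers only group 2 (modp1024), which is why the responder needs DH2 enabled. The proposal bytes are constructed to mirror what setup.c hard codes, not taken from a real capture.

```python
import struct

# Oakley transform attribute types from RFC 2409 Appendix A; ipsec-tools uses
# the same numbering for its OAKLEY_ATTR_* constants. Only the group
# description is decoded by name here; other attributes are kept by number.
OAKLEY_ATTR_GRP_DESC = 4
# Group description values: 2 is the MODP1024 group that setup.c hard codes.
DH_GROUP_NAMES = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}


def parse_oakley_attributes(data: bytes) -> dict:
    """Decode the attribute list of an IKEv1 transform payload (RFC 2408 3.3).
    The top bit of the first word selects TV (a 2-byte value follows) or
    TLV (a 2-byte length, then a variable-length value)."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        head, second = struct.unpack_from("!HH", data, off)
        atype = head & 0x7FFF
        if head & 0x8000:                       # TV: value is the second word
            attrs[atype], off = second, off + 4
        else:                                   # TLV: second word is the length
            if off + 4 + second > len(data):
                raise ValueError("truncated TLV attribute")
            attrs[atype] = int.from_bytes(data[off + 4:off + 4 + second], "big")
            off += 4 + second
    if off != len(data):
        raise ValueError("trailing bytes in attribute list")
    return attrs


def check_dh_group(data: bytes, min_group: int = 14) -> dict:
    """Report which DH group a peer proposes and whether local policy allows it."""
    group = parse_oakley_attributes(data).get(OAKLEY_ATTR_GRP_DESC)
    return {"group": group,
            "name": DH_GROUP_NAMES.get(group, f"group{group}"),
            "acceptable": group is not None and group >= min_group}


# Constructed sample (not a real capture): AES-256 (enc 7, key length 256),
# SHA1 (2), PSK (1), DH group 2, lifetime type seconds (1) and a 28800 s
# lifetime sent as a 4-byte TLV, i.e. the shape of an Android IKEv1 proposal.
ANDROID_LIKE_PROPOSAL = (
    b"\x80\x01\x00\x07" b"\x80\x0e\x01\x00" b"\x80\x02\x00\x02"
    b"\x80\x03\x00\x01" b"\x80\x04\x00\x02" b"\x80\x0b\x00\x01"
    b"\x00\x0c\x00\x04\x00\x00\x70\x80"
)

if __name__ == "__main__":
    print(check_dh_group(ANDROID_LIKE_PROPOSAL))
```

With the default policy of group 14 or better the sample is reported as not acceptable; lowering `min_group` to 2 is the policy equivalent of building Libreswan with USE_DH2.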
