On Mon, 31 Jan 2022, Douglas Kosovic wrote:

On Monday, 31 January 2022, Mirsad Goran Todorovac wrote:

I have just checked the January 1st, 2022 security upgrade for Samsung Android 
11, and it still requires USE_DH2 compile time option to connect L2TP IKEv1 VPN.

I just thought of a vendor compatibility/interoperability matrix that we would 
maintain. Do we already have such a thing implemented?

We don't. We do keep a list of supported algorithms. Interoperability
almost often can be fixed with configuration changes. It is rare that
two devices do not have an overlap in supported algorithms.

Android uses mtpd for its L2TP and PPTP implementations and ipsec-tools for 
IKEv1. Here are the corresponding AOSP (i.e. Android Open Source Project) 
repositories:
https://android.googlesource.com/platform/external/mtpd/
https://android.googlesource.com/platform/external/ipsec-tools/

I think the Android hardware manufacturers hardly ever deviate from the AOSP 
implementations of mtpd and ipsec-tools.

If you have a look at the master source code of setup.c in ipsec-tools:
https://android.googlesource.com/platform/external/ipsec-tools/+/refs/heads/master/setup.c

You'll note for the add_proposal() function that OAKLEY_ATTR_GRP_DESC_MODP1024 
is hard coded for the DH group.

This is good to know. I'll add an entry to our FAQ.

Google decided to remove L2TP (and PPTP) from their Pixel 6 Android 12 phone, 
so I don't think there is much hope in Android ever supporting something better 
than modp1024 (DH2) for its L2TP/IPsec VPN implementation.

Yes, IKEv1 stuff really should not be shipped anymore. The only reason
Android did it for so long was because they had no IKEv2 support at all
(libreswan and strongswan are GPL-licensed, so they could not use it).

Paul
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
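As an added illustration of the interoperability point made in the thread (this is not configuration from the thread, from libreswan's own documentation, or from AOSP), here is what a libreswan connection for Android's L2TP/IPsec client has to look like given that AOSP ipsec-tools hard-codes OAKLEY_ATTR_GRP_DESC_MODP1024: the IKEv1 proposal must offer DH group 2 (modp1024), which in turn needs a libreswan build with the USE_DH2 compile-time option. The connection name, file path, IP addresses and cipher choices below are assumptions; the practitioner's point is that modp1024 is pinned to this one conn only, so every other conn keeps the build's stronger defaults.

```ini
# /etc/ipsec.d/l2tp-android.conf   (assumed path; added example, not from the thread)
#
# Requires a libreswan built with USE_DH2, otherwise modp1024 is refused
# and Android's ipsec-tools client gets NO_PROPOSAL_CHOSEN.

conn l2tp-psk-android
    # IKEv1 only: AOSP ipsec-tools speaks no IKEv2 (see thread).
    ikev2=no
    # Phase 1 proposal. modp1024 (DH group 2) is the group AOSP hard-codes in
    # add_proposal(); keep it confined to this conn rather than a global default.
    ike=aes256-sha1-modp1024
    # Phase 2 (ESP) for the L2TP tunnel; PFS off is the usual setting for
    # these clients (assumption, adjust to what your build negotiates).
    phase2=esp
    phase2alg=aes256-sha1
    pfs=no
    authby=secret
    # L2TP/IPsec is transport mode protecting UDP/1701.
    type=transport
    left=%defaultroute          # server side (assumed)
    leftprotoport=17/1701
    right=%any                  # roaming Android clients
    rightprotoport=17/%any
    # Mobile clients are almost always behind NAT.
    encapsulation=yes
    auto=add
```

Once loaded, `ipsec status` (or the pluto log) shows whether the IKEv1 SA actually negotiated modp1024; if the build lacks USE_DH2 the proposal is rejected at load or at negotiation time, which is the symptom the thread describes.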
