On 03/19/2018 10:30 AM, Tobias Brunner wrote:
> Hi,
>
>> I am not able to establish a connection with the Android app yet and so
>> have no proposed ciphers in my log.
> Did you check the server log?

Sure. Please see "Re: [strongSwan] One to Many VPN (Host-Host)", 18/03/2018 17:08, this listserv.

>> I infer that which ciphers are supported by the app depend on the
>> Android kernel, at least for encryption.
> No, IPsec is handled completely in userland by libipsec on Android.
>
>> How would I find out which
>> ones these are, currently?
> The default ESP proposal can be found in the source [1]. Which other
> algorithms are usable depends on the enabled plugins and the algorithms
> supported by the used version of OpenSSL/BoringSSL (you can check the
> IKE proposals, which include all supported algorithms that are not too
> weak).

You seem to be saying that OpenSSL/BoringSSL is installed in Android? How can it then be completely determined in userland by libipsec on Android? I'm just trying to find out what is supported so I can choose what I think are the best algos. And I'd like to know.

>> PFS must be manually enabled, but which levels are currently supported
>> in the app?
> Don't know what you mean with levels. But you don't have to enable PFS
> manually (unless you refer to the server config, where you do have to
> configure DH groups), see default proposals above.

I have in my Android notes:

"/The IPsec proposal is limited to AES encryption with SHA2/SHA1 data integrity or AES-GCM authenticated encryption. Optionally, using PFS with one of a number of proposed ECP/MODP DH groups./"

Apparently PFS must be manually enabled in ESP, but which groups are currently supported in the app?

>
>> And is any form of ntru supported for encryption or key
>> exchange in the Android app?
> No.

In Android is this a limitation of libipsec or of OpenSSL/BoringSSL (or of something else)?