[Swan] ECDSA Re: Libreswan 4.6: connection IKEv2 win10 to Linux freezes soon after Android device connects

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Tue Jan 18 09:31:11 EET 2022

On 1/17/2022 3:41 PM, Mirsad Goran Todorovac wrote:

> I use only USE_DH2=true as the compilation flag, which enables Android 
> native L2TP client to connect. I am also hoping this requirement will 
> go away soon, as Android 11 should abandon obsoleted and weak MODP1024 
> a.k.a. DH2. It doesn't allow change unless the Android device is 
> "rooted", which voids the warranty.
> As for Windows 10, I use the "Negotiate2048" registry hack on clients, 
> and pluto session log confirm Windows 10 is connecting with MODP2048. 
> Unfortunately, it apparently falls back to MODP1024 in rekeying, 
> requiring the ms-dh-downgrade=yes conn configuration parameter.

The empirical evidence shows that Windows 10 Pro 21H1 still reverts back 
to MODP1024 when rekeying. This is just not logical behaviour and IMHO 
defeats the purpose of having NegotiateDH2048_AES256 key in the first place.

Even when Microsoft fixes this bug, it will still take months and years 
for clients to upgrade to the latest protocol fix.
I wish I knew the people who could influence these things in Microsoft 
and Android OS vendors.

They say that the diplomacy is the art of the possible.

Kind regards,

Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20220118/29ff4c4b/attachment.htm>

More information about the Swan mailing list