[Swan] Interoperability test

Douglas Kosovic doug at uq.edu.au
Mon Jan 31 09:22:58 EET 2022


On Monday, 31 January 2022, Mirsad Goran Todorovac wrote:

> I have just checked the January 1st, 2022 security upgrade for Samsung Android 11, and it still requires USE_DH2 compile time option to connect L2TP IKEv1 VPN.
> 
> I just thought of a vendor compatibility/interoperability matrix that we would maintain. Do we already have such a thing implemented?


Android uses mtpd for its L2TP and PPTP implementations and ipsec-tools for IKEv1. Here are the corresponding AOSP (i.e. Android Open Source Project) repositories:
https://android.googlesource.com/platform/external/mtpd/
https://android.googlesource.com/platform/external/ipsec-tools/

I think the Android hardware manufacturers hardly ever deviate from the AOSP implementations of mtpd and ipsec-tools.

If you have a look at the master source code of setup.c in ipsec-tools:
https://android.googlesource.com/platform/external/ipsec-tools/+/refs/heads/master/setup.c

You'll note for the add_proposal() function that OAKLEY_ATTR_GRP_DESC_MODP1024 is hard-coded for the DH group.


Google decided to remove L2TP (and PPTP) from their Pixel 6 Android 12 phone, so I don't think there is much hope in Android ever supporting something better than modp1024 (DH2) for its L2TP/IPsec VPN implementation.




Cheers,
Doug
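
How a hard-coded modp1024 proposal appears to the responder, as an added example that is not part of the original message and is not ipsec-tools or Libreswan code: it walks the ISAKMP data attributes of one IKEv1 phase 1 transform (RFC 2408 section 3.3, RFC 2409 attribute classes) and returns the Group Description value. The attribute bytes are constructed for illustration, and the function names and the policy of rejecting groups 1 and 2 are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* IKEv1 phase 1 attribute class and group values (RFC 2409). */
#define ATTR_GROUP_DESC 4
#define GRP_MODP1024    2   /* "DH2", the group the message says is hard-coded */

/* Walk the ISAKMP data attributes of one transform payload (RFC 2408, 3.3).
 * Returns the Group Description value, -1 if absent, -2 if malformed. */
int ike1_dh_group(const uint8_t *a, size_t len)
{
    size_t i = 0;
    int group = -1;
    while (i < len) {
        if (len - i < 4)
            return -2;                    /* truncated attribute header */
        uint16_t type = (uint16_t)((a[i] << 8) | a[i + 1]);
        uint16_t lv   = (uint16_t)((a[i + 2] << 8) | a[i + 3]);
        i += 4;
        if (type & 0x8000) {              /* AF=1: short form, lv is the value */
            if ((type & 0x7fff) == ATTR_GROUP_DESC)
                group = lv;
        } else {                          /* AF=0: long form, lv is a length */
            if (lv > len - i)
                return -2;                /* value runs past the buffer */
            i += lv;
        }
    }
    return group;
}

/* Assumed local policy (not from the message): reject MODP groups 1 and 2. */
int ike1_group_below_policy(int group)
{
    return group == 1 || group == GRP_MODP1024;
}

/* Constructed sample: AES-CBC/256, SHA1, group 2, PSK, lifetime 28800 s. */
const uint8_t sample_attrs[] = {
    0x80, 0x01, 0x00, 0x07,  0x80, 0x0e, 0x01, 0x00,  0x80, 0x02, 0x00, 0x02,
    0x80, 0x04, 0x00, 0x02,  0x80, 0x03, 0x00, 0x01,  0x80, 0x0b, 0x00, 0x01,
    0x00, 0x0c, 0x00, 0x04,  0x00, 0x00, 0x70, 0x80,
};

int main(void)
{
    int g = ike1_dh_group(sample_attrs, sizeof sample_attrs);
    printf("DH group %d, below policy: %d\n", g, ike1_group_below_policy(g));
    return 0;
}
```
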


