[Swan] Interoperability test

Douglas Kosovic doug at uq.edu.au
Mon Jan 31 09:22:58 EET 2022

On Monday, 31 January 2022, Mirsad Goran Todorovac wrote:

> I have just checked the January 1st, 2022 security upgrade for Samsung Android 11, and it still requires USE_DH2 compile time option to connect L2TP IKEv1 VPN.
> I just thought of a vendor compatibility/interoperability matrix that we would maintain. Do we already have such a thing implemented?

Android uses mtpd for its L2TP and PPTP implementations and ipsec-tools for IKEv1, here are the corresponding AOSP (i.e. Android Open Source Project) repositories :

I think the Android hardware manufactures hardly ever deviate from the AOSP implementations of mtpd and ipsec-tools.

If you have a look at the master source code of setup.c in ipsec-tools :

You'll note for the add_proposal() function that OAKLEY_ATTR_GRP_DESC_MODP1024 is hard coded for the DH group.

Google decided to remove L2TP (and PPTP) from their Pixel 6 Android 12 phone, so I don't think there is much hope in Android ever supporting something better than modp1024 (DH2) for its L2TP/IPsec VPN implementation.


More information about the Swan mailing list