[Swan] Interoperability test

Paul Wouters paul at nohats.ca
Mon Jan 31 19:32:00 EET 2022


On Mon, 31 Jan 2022, Douglas Kosovic wrote:

> On Monday, 31 January 2022, Mirsad Goran Todorovac wrote:
>
>> I have just checked the January 1st, 2022 security upgrade for Samsung Android 11, and it still requires USE_DH2 compile time option to connect L2TP IKEv1 VPN.
>>
>> I just thought of a vendor compatibility/interoperability matrix that we would maintain. Do we already have such a thing implemented?

We don't. We do keep a list of supported algorithms. Interoperability
almost often can be fixed with configuration changes. It is rare that
two devices do not have an overlap in supported algorithms.

> Android uses mtpd for its L2TP and PPTP implementations and ipsec-tools for IKEv1, here are the corresponding AOSP (i.e. Android Open Source Project) repositories:
> https://android.googlesource.com/platform/external/mtpd/
> https://android.googlesource.com/platform/external/ipsec-tools/
>
> I think the Android hardware manufacturers hardly ever deviate from the AOSP implementations of mtpd and ipsec-tools.
>
> If you have a look at the master source code of setup.c in ipsec-tools :
> https://android.googlesource.com/platform/external/ipsec-tools/+/refs/heads/master/setup.c
>
> You'll note for the add_proposal() function that OAKLEY_ATTR_GRP_DESC_MODP1024 is hard coded for the DH group.

This is good to know. I'll add an entry to our FAQ.

> Google decided to remove L2TP (and PPTP) from their Pixel 6 Android 12 phone, so I don't think there is much hope in Android ever supporting something better than modp1024 (DH2) for its L2TP/IPsec VPN implementation.

Yes, IKEv1 stuff really should not be shipped anymore. The only reason
Android did it for so long was because they had no IKEv2 support at all
(libreswan and strongswan are GPL licensed, so they could not use it).

Paul
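To make the quoted point about add_proposal() hard-coding OAKLEY_ATTR_GRP_DESC_MODP1024 concrete, here is an added example (not code from this thread, from libreswan or from AOSP) that encodes and decodes the data attributes of an IKEv1 transform payload (RFC 2408 section 3.3, attribute classes from RFC 2409 Appendix A) and reports which DH group the initiator offered, so a responder can see at a glance whether its configured groups overlap with the client's. The sample transform below is constructed: only the group (2, modp1024) is taken from the thread; the other attribute values are illustrative.

```python
import struct

# IKEv1 transform attribute classes (RFC 2409 Appendix A).
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 11, 12
GROUP_NAMES = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072"}

def build_attributes(attrs):
    """Encode (class, value) pairs as ISAKMP data attributes.
    Values that fit in 16 bits use the basic TV form (AF bit set);
    larger values use the TLV form with an explicit length."""
    out = b""
    for atype, value in attrs:
        if value <= 0xFFFF:
            out += struct.pack("!HH", 0x8000 | atype, value)
        else:
            data = value.to_bytes((value.bit_length() + 7) // 8, "big")
            out += struct.pack("!HH", atype, len(data)) + data
    return out

def parse_attributes(buf):
    """Decode data attributes back into a dict {class: value}."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        af_type, val_or_len = struct.unpack_from("!HH", buf, off)
        off += 4
        if af_type & 0x8000:              # TV form: value is in the header
            attrs[af_type & 0x7FFF] = val_or_len
        else:                             # TLV form: value follows the header
            attrs[af_type] = int.from_bytes(buf[off:off + val_or_len], "big")
            off += val_or_len
    return attrs

def dh_group_of(buf):
    """Return (group number, name) of the Group Description attribute."""
    g = parse_attributes(buf).get(ATTR_GROUP)
    return g, GROUP_NAMES.get(g, f"group{g}")

def responder_accepts(buf, allowed_groups):
    """True if a responder whose policy allows only allowed_groups has
    a DH group in common with this transform."""
    return dh_group_of(buf)[0] in allowed_groups

# Constructed transform in the shape of an Android-style IKEv1 offer:
# AES-CBC (7) with 128-bit key (class 14), SHA1 hash, PSK auth, DH group 2,
# lifetime in seconds (type 1) of 86400 s (TLV form, value exceeds 16 bits).
ANDROID_LIKE_TRANSFORM = build_attributes([
    (ATTR_ENC, 7), (14, 128), (ATTR_HASH, 2), (ATTR_AUTH, 1),
    (ATTR_GROUP, 2), (ATTR_LIFE_TYPE, 1), (ATTR_LIFE_DUR, 86400),
])

if __name__ == "__main__":
    print(dh_group_of(ANDROID_LIKE_TRANSFORM))            # (2, 'modp1024')
    print(responder_accepts(ANDROID_LIKE_TRANSFORM, {14, 15}))  # False
```

A responder built without DH2 support behaves like the `{14, 15}` policy above: the only group the client offers is not in the allowed set, so no proposal is chosen.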
