<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>On 1/17/2022 3:41 PM, Mirsad Goran Todorovac wrote:<br>
</p>
<blockquote type="cite"
cite="mid:867bec17-e951-3d9b-0ae9-93d12ddbf681@alu.unizg.hr">I use
only USE_DH2=true as the compilation flag, which enables Android
native L2TP client to connect. I am also hoping this requirement
will go away soon, as Android 11 should abandon obsoleted and weak
MODP1024 a.k.a. DH2. It doesn't allow change unless the Android
device is "rooted", which voids the warranty.
<br>
<br>
As for Windows 10, I use the "Negotiate2048" registry hack on
clients, and pluto session logs confirm Windows 10 is connecting
with MODP2048. Unfortunately, it apparently falls back to MODP1024
in rekeying, requiring the ms-dh-downgrade=yes conn configuration
parameter.
<br>
</blockquote>
<p>The empirical evidence shows that Windows 10 Pro 21H1 still
reverts to MODP1024 when rekeying. This is just not logical
behaviour and IMHO defeats the purpose of having <span
class="mbox-text-span">NegotiateDH2048_AES256 key in the first
place.</span></p>
<p><span class="mbox-text-span">Even when Microsoft fixes this bug,
it will still take months and years for clients to upgrade to
the latest protocol fix.<br>
I wish I knew the people who could influence these things in
Microsoft and Android OS vendors.<br>
</span></p>
<p><span class="mbox-text-span">They say that diplomacy is the
art of the possible.</span></p>
<p><span class="mbox-text-span">Kind regards,<br>
Mirsad<br>
</span></p>
<pre class="moz-signature" cols="72">--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
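<p>The mail above reports that pluto's log showed Windows 10 negotiating MODP2048 for the initial IKE SA and then falling back to MODP1024 on rekey. As an added example, not part of this message and not libreswan's own code, the script below scans pluto "established IKE SA" log lines and reports (a) any rekey that lands on a weaker DH group than the previous SA for the same connection and peer, and (b) any SA below a chosen minimum strength, so an operator can see which clients actually need <code>ms-dh-downgrade=yes</code> rather than leaving it on everywhere. The log line shape is an approximation of pluto's output, the sample lines are constructed, and the strength table is the usual MODP-bits / NIST ECP equivalence assumption.</p>

```python
"""Flag IKE SA rekeys that negotiated a weaker DH group than the SA they replace.

Added example, not part of the original mail or of libreswan itself. The
"established IKE SA {... group=...}" line shape is an approximation of pluto's
log output, and SAMPLE_LOG is constructed for this example.
"""
import re

# Approximate shape of a pluto "established IKE SA" line (assumption):
#   "conn"[N] peer #SA: established IKE SA {auth=... cipher=... group=MODP2048}
ESTABLISHED_RE = re.compile(
    r'"(?P<conn>[^"]+)"(?:\[\d+\])?\s+(?P<peer>\S+)\s+#(?P<sa>\d+):\s+'
    r'established IKE SA\s+\{(?P<params>[^}]*)\}'
)
GROUP_RE = re.compile(r'\bgroup=(?P<group>[A-Za-z0-9_]+)')

# Rough comparable strength in "MODP-equivalent bits": MODP groups use their
# modulus size, ECP groups the usual NIST equivalence (P-256 ~ 3072-bit MODP).
GROUP_BITS = {
    "MODP1024": 1024, "MODP1536": 1536, "MODP2048": 2048,
    "MODP3072": 3072, "MODP4096": 4096, "MODP6144": 6144, "MODP8192": 8192,
    "ECP256": 3072, "ECP384": 7680, "ECP521": 15360,
}

# Constructed log lines for this example (not real captured output).
SAMPLE_LOG = [
    'Jan 17 15:41:02 vpn pluto[1234]: "win10"[2] 203.0.113.10 #5: established IKE SA '
    '{auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}',
    'Jan 17 15:50:00 vpn pluto[1234]: "android"[1] 198.51.100.7 #6: established IKE SA '
    '{auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}',
    'Jan 17 16:21:03 vpn pluto[1234]: "win10"[2] 203.0.113.10 #9: established IKE SA '
    '{auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}',
    'Jan 17 16:40:12 vpn pluto[1234]: "linux"[1] 192.0.2.5 #7: established IKE SA '
    '{auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=ECP256}',
    'Jan 17 17:40:12 vpn pluto[1234]: "linux"[1] 192.0.2.5 #11: established IKE SA '
    '{auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=ECP256}',
    'Jan 17 17:41:00 vpn pluto[1234]: "win10"[2] 203.0.113.10 #9: deleting IKE SA',
]


def parse_established(line):
    """Return {conn, peer, sa, group} for an 'established IKE SA' line, else None."""
    m = ESTABLISHED_RE.search(line)
    if not m:
        return None
    g = GROUP_RE.search(m.group("params"))
    if not g:
        return None
    return {"conn": m.group("conn"), "peer": m.group("peer"),
            "sa": int(m.group("sa")), "group": g.group("group")}


def find_dh_downgrades(lines):
    """Report each (conn, peer) whose new IKE SA uses a weaker DH group than the
    one it replaces. Lines must be in chronological order; groups not in
    GROUP_BITS are skipped rather than guessed at."""
    last_sa = {}
    findings = []
    for line in lines:
        ev = parse_established(line)
        if ev is None:
            continue
        key = (ev["conn"], ev["peer"])
        prev = last_sa.get(key)
        if prev is not None:
            old_bits = GROUP_BITS.get(prev["group"])
            new_bits = GROUP_BITS.get(ev["group"])
            if old_bits is not None and new_bits is not None and new_bits < old_bits:
                findings.append({
                    "conn": ev["conn"], "peer": ev["peer"],
                    "from_sa": prev["sa"], "to_sa": ev["sa"],
                    "from_group": prev["group"], "to_group": ev["group"],
                })
        last_sa[key] = ev
    return findings


def find_weak_groups(lines, min_bits=2048):
    """Report every established IKE SA whose DH group is below min_bits."""
    weak = []
    for line in lines:
        ev = parse_established(line)
        if ev is None:
            continue
        bits = GROUP_BITS.get(ev["group"])
        if bits is not None and bits < min_bits:
            weak.append(ev)
    return weak


if __name__ == "__main__":
    for f in find_dh_downgrades(SAMPLE_LOG):
        print(f"DOWNGRADE {f['conn']} {f['peer']}: #{f['from_sa']} {f['from_group']} "
              f"-> #{f['to_sa']} {f['to_group']}")
    for w in find_weak_groups(SAMPLE_LOG):
        print(f"WEAK      {w['conn']} {w['peer']}: #{w['sa']} {w['group']}")
```

<p>Run against a real pluto log (for example <code>journalctl -u ipsec</code> output piped in line by line) the same two functions give a per-client picture: a connection that only ever shows up in the weak-group report is a client such as the Android one above that never offers anything stronger, while one that appears in the downgrade report is the Windows rekey case the mail describes.</p>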
</body>
</html>