Hi Mikael,

the current IKE proposal of the Android app is:

IKE: 3DES_CBC/
     AES_CBC_128/AES_CBC_192/AES_CBC_256/
     AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/
     AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/
     AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/
     HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/
     HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/
     PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/
     PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/
     MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/
     ECP_256/ECP_384/ECP_521/
     MODP_1024_160/MODP_2048_224/MODP_2048_256/
     ECP_192/ECP_224/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP

With IKEv2 the initiator has to settle on a Diffie-Hellman group
because the KE payload is sent in the IKE_SA_INIT request. Since
MODP_1024 is in the first place of the default proposal, a 1024 bit
KE payload is sent to the responder which rejects it in the
IKE_SA_INIT response, requesting the MODP_2048 DH group instead.
This is normal IKEv2 behavior. In a second round the initiator will
repeat the IKE_SA_INIT request with a 2048 bit KE payload.

Of course in the current times it might make sense to reorder the
proposal by moving 3DES, MD5, SHA-1 and MODP_1024 to the back.
I have to check with Tobias if this is possible for the Android client.

Best regards

Andreas

On 12/25/2013 04:14 PM, Mikael Magnusson wrote:
> The Android app stopped working with my VPN gateway after upgrading to
> version 1.3.3 in Google Play Store. Apparently the current version fails
> to connect to a peer which requires MODP_2048, since the following
> message can be seen in the logs on the peer.
>
> [IKE] DH group MODP_1024 inacceptable, requesting MODP_2048
>
> I still run the older 1.3.0 on a device and it works with my gateway.
> Any reason to remove or disable support for the stronger MODP_2048 in
> the current version?
>

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
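
The two-round IKE_SA_INIT exchange described in the mail above, as an added example that is not part of the original message and is not strongSwan code. It models only the DH group guess and the INVALID_KE_PAYLOAD retry; the function names, the STRONG_FIRST order and the responder's selection rule are assumptions made for illustration.

```python
# Added illustration: simplified model of IKEv2 DH group selection (RFC 7296),
# not strongSwan code. Only the KE/DH part of IKE_SA_INIT is modelled.

# IANA IKEv2 Diffie-Hellman group numbers for the MODP groups named in the mail.
DH_GROUP_ID = {"MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14,
               "MODP_3072": 15, "MODP_4096": 16, "MODP_8192": 18}

# Order of the MODP groups as listed in the app's proposal quoted in the mail.
APP_ORDER = ["MODP_1024", "MODP_1536", "MODP_2048",
             "MODP_3072", "MODP_4096", "MODP_8192"]
# Constructed alternative order (assumption, not an actual app release).
STRONG_FIRST = ["MODP_2048", "MODP_3072", "MODP_4096", "MODP_8192",
                "MODP_1536", "MODP_1024"]


def respond(accepted, proposed, ke_group):
    """Responder: accept the KE group, or name the group it wants instead."""
    if ke_group in accepted:
        return ("OK", ke_group)
    for group in accepted:                      # responder's preference order
        if group in proposed:
            return ("INVALID_KE_PAYLOAD", group)
    return ("NO_PROPOSAL_CHOSEN", None)


def negotiate(proposed, accepted):
    """Initiator: return (selected group or None, list of exchanges)."""
    ke_group, exchanges = proposed[0], []       # KE is sent for one guessed group
    for _ in range(2):                          # first request plus one retry
        status, group = respond(accepted, proposed, ke_group)
        exchanges.append((ke_group, status, group))
        if status == "OK":
            return group, exchanges
        # Retry only with a group from our own proposal, never one outside it.
        if status != "INVALID_KE_PAYLOAD" or group not in proposed:
            break
        ke_group = group
    return None, exchanges


if __name__ == "__main__":
    gateway = ["MODP_2048"]                     # peer that requires MODP_2048
    for name, order in (("app order", APP_ORDER), ("strong first", STRONG_FIRST)):
        selected, exchanges = negotiate(order, gateway)
        print(name, "->", selected, f"({len(exchanges)} IKE_SA_INIT exchange(s))")
        for ke, status, wanted in exchanges:
            print(f"  KE={ke} (group {DH_GROUP_ID[ke]}): {status} {wanted or ''}")
```
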
