[strongSwan] android: No support for MODP_2048 in 1.3.3?
andreas.steffen at strongswan.org
Wed Dec 25 22:08:25 CET 2013
the current IKE proposal of the Android app is:
With IKEv2 the initiator has to settle on a Diffie-Hellman group
because the KE payload is sent in the IKE_SA_INIT request. Since
MODP_1024 is in the first place of the default proposal, a 1024 bit
KE payload is sent to the responder which rejects it in the
IKE_SA_INIT response, requesting the MODP_2048 DH group instead.
This is normal IKEv2 behavior. In a second round the initiator
will repeat the IKE_SA_INIT request with a 2048 bit KE payload.
Of course in the current times it might make sense to reorder
the proposal by moving 3DES, MD5, SHA-1 and MODP_1024 to the back.
I have to check with Tobias if this is possible for the Android
On 12/25/2013 04:14 PM, Mikael Magnusson wrote:
> The Android app stopped working with my VPN gateway after upgrading to
> version 1.3.3 in Google Play Store. Apparently the current version fails
> to connect to a peer which requires MODP_2048, since the following
> message can be seen in the logs on the peer.
> [IKE] DH group MODP_1024 inacceptable, requesting MODP_2048
> I still run the older 1.3.0 on a device and it works with my gateway.
> Any reason to remove or disable support for the stronger MODP_2048 in
> the current version?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
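
The two-round IKE_SA_INIT exchange described in this message, modeled as an added example (not part of the original post and not strongSwan code). The proposal orderings and the gateway policy are constructed, and the responder is assumed to choose the group by its own preference order.

```python
# Simplified model of IKEv2 DH group negotiation; an added illustration.
MODP_1024, MODP_1536, MODP_2048 = 2, 5, 14   # IANA IKEv2 DH group numbers
NAMES = {2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048"}

def responder(offered, ke_group, accepted):
    """Answer one IKE_SA_INIT request.

    offered:  DH groups listed in the initiator's proposal
    ke_group: group of the KE payload actually sent
    accepted: responder's groups, in its own preference order (assumption)
    """
    common = [g for g in accepted if g in offered]
    if not common:
        return ("NO_PROPOSAL_CHOSEN", None)
    chosen = common[0]
    if ke_group != chosen:
        # Proposal is fine, but the KE payload used another group.
        return ("INVALID_KE_PAYLOAD", chosen)
    return ("OK", chosen)

def negotiate(proposal, accepted, max_rounds=2):
    """Initiator side: returns (agreed_group_or_None, trace of rounds)."""
    ke_group, trace = proposal[0], []   # KE is built for the first group
    for _ in range(max_rounds):
        status, group = responder(proposal, ke_group, accepted)
        trace.append((NAMES[ke_group], status))
        if status == "OK":
            return group, trace
        # Retry only with a group the initiator itself proposed, so a
        # peer cannot steer it to a group outside its own policy.
        if status != "INVALID_KE_PAYLOAD" or group not in proposal or group == ke_group:
            break
        ke_group = group
    return None, trace

if __name__ == "__main__":
    gateway = [MODP_2048]                              # constructed policy
    weak_first = [MODP_1024, MODP_1536, MODP_2048]     # constructed ordering
    strong_first = [MODP_2048, MODP_1536, MODP_1024]   # reordered proposal
    for name, prop in (("weak first", weak_first), ("strong first", strong_first)):
        group, trace = negotiate(prop, gateway)
        print(name, "->", NAMES.get(group), trace)
```

With MODP_1024 first the trace shows the rejected 1024-bit KE payload followed by a successful retry; with MODP_2048 first the exchange completes in one round.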