[strongSwan] Android Ciphers

Info infosec at quantum-equities.com
Mon Mar 19 18:59:43 CET 2018

On 03/19/2018 10:30 AM, Tobias Brunner wrote:
> Hi,
>> I am not able to establish a connection with the Android app yet and so
>> have no proposed ciphers in my log.
> Did you check the server log?
Sure.  Please see "Re: [strongSwan] One to Many VPN (Host-Host)",
18/03/2018 17:08, this listserv.

>> I infer that which ciphers are supported by the app depends on the
>> Android kernel, at least for encryption.
> No, IPsec is handled completely in userland by libipsec on Android.
>> How would I find out which
>> ones these are, currently?
> The default ESP proposal can be found in the source [1].  Which other
> algorithms are usable depends on the enabled plugins and the algorithms
> supported by the used version of OpenSSL/BoringSSL (you can check the
> IKE proposals, which include all supported algorithms that are not too
> weak).
You seem to be saying that OpenSSL/BoringSSL is installed in Android? 
How can it then be completely determined in userland by libipsec on
Android?  I'm just trying to find out what is supported so I can choose
what I think are the best algos.  And I'd like to know.

>> PFS must be manually enabled, but which levels are currently supported
>> in the app?
> Don't know what you mean with levels.  But you don't have to enable PFS
> manually (unless you refer to the server config, where you do have to
> configure DH groups), see default proposals above.
I have in my Android notes:  "/The IPsec proposal is limited to AES
encryption with SHA2/SHA1 data integrity or AES-GCM authenticated
encryption.  Optionally, using PFS with one of a number of proposed
ECP/MODP DH groups./"

Apparently PFS must be manually enabled in ESP, but which groups are
currently supported in the app?

>> And is any form of ntru supported for encryption or key
>> exchange in the Android app?
> No.
In Android is this a limitation of libipsec or of OpenSSL/BoringSSL (or
of something else)?
