Issue #2207

Android client updated to 1.7.2 will not work with the current setup (using 192-bit AES)

Added by Darko Kraus almost 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Category: android
Affected version: 5.5.1
Resolution: Won't fix

Description

Hello,

I have been using strongSwan for the past year between a Linux firewall (running Linux strongSwan U5.3.5/K3.14.79) and Samsung Android version 6.0.1 with no issues, but yesterday I updated my Android VPN client to strongSwan 1.7.2 and the VPN would not connect any more. I was able to remove version 1.7.2 and revert back to the working strongSwan 1.6.2.

The setup was to use only a certificate, but skimming quickly through the client log, I saw something about AES encryption 192 key size not supported.

Any ideas? There are obviously some changes in Android client version 1.7.2.

Here is part of my config on the Linux/firewall side:

conn rw_Cert
        keyexchange = ikev2
        ike = aes192-sha256-modp2048!
        esp = aes192-sha256!
        left = 1.2.3.4
        leftid = @gateway.domain.net
        leftcert = gatewayCert.pem
        leftsubnet = 192.168.2.0/24
        leftfirewall = no
        right = %any
        rightsourceip = 192.168.5.101-192.168.5.105
        auto = add

History

#1 Updated by Tobias Brunner almost 4 years ago

  • Description updated (diff)
  • Category set to android
  • Status changed from New to Feedback

> I saw something about AES encryption 192 key size not supported.

That's a side-effect of our switch to BoringSSL, which only supports the 128-bit and 256-bit versions of AES via the EVP_get_cipherbyname() function we use. They do provide EVP_aes_192_cbc() but they officially deprecated the 192-bit versions of AES, so they might remove that in future releases. To use 1.7.2 you will have to switch to either 128-bit or 256-bit AES.

#2 Updated by Tobias Brunner over 2 years ago

  • Subject changed from Android client updated to 1.7.2 will not work with the current setup to Android client updated to 1.7.2 will not work with the current setup (using 192-bit AES)
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Won't fix
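
A check for gateway configs affected by the change described in comment #1, as an added example (not part of the issue and not strongSwan code): it scans ipsec.conf text for `ike`/`esp` lines that offer AES-192 and marks those whose strict proposals leave no 128-bit or 256-bit alternative. The function names, the `rw_Mixed` conn and the list of non-AES-192 keywords are assumptions; `also=` includes are not followed.

```python
import re

# Constructed sample: the ike/esp lines from the report plus a hypothetical
# second conn (rw_Mixed) that also offers AES-256.
SAMPLE = """\
conn rw_Cert
        keyexchange = ikev2
        ike = aes192-sha256-modp2048!
        esp = aes192-sha256!

conn rw_Mixed
        ike = aes192-sha256-modp2048,aes256-sha256-modp2048!
        esp = aes256-sha256!
"""

# Non-exhaustive list of encryption keywords that are not AES-192 (assumption).
OTHER_ENC = re.compile(r"^(aes(128|256)|aes$|chacha20poly1305|3des|camellia)")

def aes192_only(proposal):
    """True if the proposal's only encryption algorithms are AES-192 variants."""
    algs = proposal.lower().split("-")
    return (any(a.startswith("aes192") for a in algs)
            and not any(OTHER_ENC.match(a) for a in algs))

def audit(conf_text):
    """Return [(conn, key, value, verdict)] for ike/esp lines that use AES-192."""
    findings, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        if line and not line[0].isspace():
            conn = None                           # "config setup", "ca ..." sections
            continue
        m = re.match(r"^\s+(ike|esp)\s*=\s*(\S+)", line)
        if not (conn and m):
            continue
        key, value = m.groups()
        proposals = value.rstrip("!").split(",")  # comma-separated proposals
        bad = [p for p in proposals if aes192_only(p)]
        if bad:
            # Trailing "!" = strict: only the configured proposals are accepted.
            strict_all = value.endswith("!") and len(bad) == len(proposals)
            findings.append((conn, key, value, "blocks" if strict_all else "review"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: %s = %s -> %s" % finding)
```

A `blocks` verdict means the line offers nothing but AES-192, which is the situation in the reported `rw_Cert` conn; `review` means AES-192 is offered alongside another key size.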
