Android client updated to 1.7.2 will not work with the current setup (using 192-bit AES)
I have been using strongSwan for the past year between a Linux firewall (running Linux strongSwan U5.3.5/K3.14.79) and Samsung Android version 6.0.1 with no issues, but yesterday I updated my Android VPN client to strongSwan 1.7.2 and the VPN would not connect any more. I was able to remove version 1.7.2 and revert back to strongSwan 1.6.2.
The setup was to use only a certificate, but skimming quickly through the client log, I saw something about AES encryption 192 key size not supported.
Any ideas? There are obviously some changes in Android client version 1.7.2.
Here is part of my config on the Linux/firewall side:
conn rw_Cert
    keyexchange = ikev2
    ike = aes192-sha256-modp2048!
    esp = aes192-sha256!
    left = 220.127.116.11
    leftid = @gateway.domain.net
    leftcert = gatewayCert.pem
    leftsubnet = 192.168.2.0/24
    leftfirewall = no
    right = %any
    rightsourceip = 192.168.5.101-192.168.5.105
    auto = add
#1 Updated by Tobias Brunner almost 4 years ago
- Description updated (diff)
- Category set to android
- Status changed from New to Feedback
> I saw something about AES encryption 192 key size not supported.

That's a side-effect of our switch to BoringSSL, which only supports the 128-bit and 256-bit versions of AES via the EVP_get_cipherbyname() function we use. They do provide EVP_aes_192_cbc() but they officially deprecated the 192-bit versions of AES, so they might remove that in future releases. To use 1.7.2 you will have to switch to either 128-bit or 256-bit AES.
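A gateway-side check for the situation described in this comment, as an added example that is not part of the original thread or strongSwan's own code: it scans ipsec.conf-style text for ike/esp settings that offer only 192-bit AES under the strict "!" flag, which a client limited to 128-bit and 256-bit AES cannot negotiate. The sample config is constructed (rw_Mixed is hypothetical), the function names are this example's own, and only AES ciphers are inspected.

```python
import re

# Constructed sample: rw_Cert mirrors the proposals in the report above,
# rw_Mixed is a hypothetical conn that also lists a 256-bit proposal.
SAMPLE_CONF = """\
conn rw_Cert
    ike = aes192-sha256-modp2048!
    esp = aes192-sha256!

conn rw_Mixed
    ike = aes192-sha256-modp2048,aes256-sha256-modp2048!
    esp = aes256-sha256!
"""

AES_ENC = re.compile(r"^aes(128|192|256)", re.I)  # aes192, aes192gcm16, ...

def parse_conns(text):
    """Return {conn_name: {option: value}} for ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header, e.g. "conn rw_Cert"
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def aes192_only(proposal):
    """True if every AES cipher in the proposal is 192-bit (other ciphers ignored)."""
    sizes = [m.group(1) for m in map(AES_ENC.match, proposal.split("-")) if m]
    return bool(sizes) and all(s == "192" for s in sizes)

def audit(text):
    """List (conn, option, status) for ike/esp settings that offer AES-192."""
    findings = []
    for name, opts in parse_conns(text).items():
        for key in ("ike", "esp"):
            value = opts.get(key, "")
            proposals = [p.strip() for p in value.rstrip("!").split(",") if p.strip()]
            weak = [p for p in proposals if aes192_only(p)]
            if weak:
                # '!' restricts the daemon to the listed proposals, so an
                # all-AES-192 list leaves such a client nothing to agree on.
                blocking = value.endswith("!") and len(weak) == len(proposals)
                findings.append((name, key, "blocking" if blocking else "listed"))
    return findings
```

A "blocking" finding is cleared by replacing aes192 with aes128 or aes256 in that option, as the comment above advises.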
#2 Updated by Tobias Brunner over 2 years ago
- Subject changed from Android client updated to 1.7.2 will not work with the current setup to Android client updated to 1.7.2 will not work with the current setup (using 192-bit AES)
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to Won't fix