IPsec DH group modp1024 Android: no suitable proposal found

Hi all, L2TP+IPsec works great with any Android phone, but only if the modp1024 DH group is selected. Unfortunately, when it is not selected, Phase 1 fails, and strangely it says "no suitable proposal found". I have both 4096-bit DH groups selected, but 1024 has to be selected for it to work. Why is that? Is there any way to make it work without selecting modp1024 in the profile?

Enable ipsec logging and show full log when attempting to connect from smartphone:

/system logging add topics=ipsec action=memory

The peers negotiate the tuples of algorithms for encryption, authentication, and initial key exchange for both Phase 1 (initial negotiation) and Phase 2 (actual transport of data). They can only agree on algorithm tuples supported by both. So if you have to select modp1024, it means that modp4096 is not supported by the Android phone in combination with the AES-256 and SHA-512 algorithms.

If you activate logging of IPsec (/system logging add topics=ipsec,!packet), you will see in the log the list of algorithm tuples proposed by the phone.

If you want a stronger algorithm combination, consider using strongSwan on the mobile rather than the embedded VPN client (IKEv2 mode; there is no L2TP/IPsec in that case).

Another question to ask yourself is whether the security of the phone itself is not weaker than AES256 + SHA512 + modp1024.
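To make the negotiation logic in the reply above concrete, here is an added example (not part of the thread and not RouterOS or Android code) that models how a responder matches an initiator's Phase 1 proposals against its own profile. The phone's proposal list, the algorithm names, and the responder profiles are constructed assumptions for illustration; the real list is what the IPsec log shows.

```python
from itertools import product

# Constructed assumption: a legacy Android L2TP/IPsec client offering several
# (encryption, hash, DH group) tuples, all tied to modp1024. This is not a
# captured proposal list; check the ipsec log topic on the router for the real one.
PHONE_PROPOSALS = [
    ("aes-256", "sha512", "modp1024"),
    ("aes-256", "sha256", "modp1024"),
    ("aes-128", "sha1", "modp1024"),
    ("3des", "sha1", "modp1024"),
]


def responder_tuples(encryption, hashes, dh_groups):
    """Expand a responder profile (the sets of allowed algorithms) into every
    tuple it will accept. A profile with several algorithms per field allows
    any combination of them, which is why only one tuple needs to overlap."""
    return set(product(encryption, hashes, dh_groups))


def select_proposal(initiator_proposals, responder_policy):
    """Return the first initiator proposal the responder accepts, or None.
    None is the situation logged as 'no suitable proposal found'."""
    for proposal in initiator_proposals:
        if proposal in responder_policy:
            return proposal
    return None


def mismatch_report(initiator_proposals, encryption, hashes, dh_groups):
    """For a failed negotiation, list which field(s) of each initiator proposal
    fall outside the responder profile, so the admin sees whether it is the
    cipher, the hash, or (as in the thread) the DH group that blocks agreement."""
    allowed = {"enc": set(encryption), "hash": set(hashes), "dh": set(dh_groups)}
    report = []
    for enc, hsh, dh in initiator_proposals:
        bad = [field for field, value in (("enc", enc), ("hash", hsh), ("dh", dh))
               if value not in allowed[field]]
        report.append(((enc, hsh, dh), bad))
    return report


if __name__ == "__main__":
    # Profile as described in the question: AES-256, SHA-512, only modp4096.
    strict = responder_tuples({"aes-256"}, {"sha512"}, {"modp4096"})
    print("strict profile:", select_proposal(PHONE_PROPOSALS, strict))
    for proposal, bad in mismatch_report(PHONE_PROPOSALS, {"aes-256"}, {"sha512"}, {"modp4096"}):
        print("  rejected", proposal, "because of", bad)

    # Same profile with modp1024 added: the phone's first tuple now matches,
    # and the negotiated strength is the weakest tuple both sides share.
    relaxed = responder_tuples({"aes-256"}, {"sha512"}, {"modp4096", "modp1024"})
    print("relaxed profile:", select_proposal(PHONE_PROPOSALS, relaxed))
```

The mismatch report is the useful part when reading a real log: if every rejected tuple lists only "dh", the cipher and hash are fine and the only way to keep the embedded client working is to allow the DH group it offers, which is exactly the trade-off the reply describes.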