Hello, I’m trying to switch from an external strongswan application to the native ikev2 client which I have in my Google Pixel 4 with Android 11. I have a problem with configuring the encryption mechanisms, including extended logs, I can see that Android sends the following values:
feb/20 23:39:32 ipsec IKE Protocol: IKE
feb/20 23:39:32 ipsec proposal #1
feb/20 23:39:32 ipsec enc: aes256-cbc
feb/20 23:39:32 ipsec enc: aes192-cbc
feb/20 23:39:32 ipsec enc: aes128-cbc
feb/20 23:39:32 ipsec prf: hmac-sha1
feb/20 23:39:32 ipsec prf: unknown
feb/20 23:39:32 ipsec auth: sha512
feb/20 23:39:32 ipsec auth: unknown
feb/20 23:39:32 ipsec auth: sha256
feb/20 23:39:32 ipsec auth: unknown
feb/20 23:39:32 ipsec dh: modp4096
feb/20 23:39:32 ipsec dh: modp3072
feb/20 23:39:32 ipsec dh: modp2048
feb/20 23:39:32 ipsec proposal #2
feb/20 23:39:32 ipsec enc: aes256-gcm
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec enc: aes192-gcm
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec enc: aes128-gcm
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec prf: hmac-sha1
feb/20 23:39:32 ipsec prf: unknown
feb/20 23:39:32 ipsec dh: modp4096
feb/20 23:39:32 ipsec dh: modp3072
feb/20 23:39:32 ipsec dh: modp2048
RouterOS returns the configured values:
feb/20 23:39:32 ipsec can’t agree on IKE proposal, my config:
feb/20 23:39:32 ipsec enc: aes256-cbc aes192-cbc aes128-cbc
feb/20 23:39:32 ipsec auth: sha1
feb/20 23:39:32 ipsec dh: modp4096 modp3072 modp2048
feb/20 23:39:32 ipsec prf: hmac-sha1
feb/20 23:39:32 ipsec adding notify: NO_PROPOSAL_CHOSEN
And here is the problem, from my observations it appears that changing the Hash algoritm in the profile configuration changes both auth and prf and as you can see Android expects different algorithms for auth and prf.
Is there any option to send sha-256 for auth and hmac-sha1 for prf? Or some other workaround for this problem?
Thank you in advance.
