WojtusW5
Frequent Visitor
Topic Author
Posts: 94
Joined: Mon Oct 02, 2017 1:25 pm

Native IKEv2 client issue in Android 11

Sun Feb 21, 2021 12:41 pm

Hello, I'm trying to switch from an external strongSwan application to the native IKEv2 client which I have in my Google Pixel 4 with Android 11. I have a problem with configuring the encryption mechanisms, including extended logs, I can see that Android sends the following values:
feb/20 23:39:32 ipsec IKE Protocol: IKE
feb/20 23:39:32 ipsec proposal #1
feb/20 23:39:32 ipsec enc: aes256-cbc
feb/20 23:39:32 ipsec enc: aes192-cbc
feb/20 23:39:32 ipsec enc: aes128-cbc
feb/20 23:39:32 ipsec prf: hmac-sha1
feb/20 23:39:32 ipsec prf: unknown
feb/20 23:39:32 ipsec auth: sha512
feb/20 23:39:32 ipsec auth: unknown
feb/20 23:39:32 ipsec auth: sha256
feb/20 23:39:32 ipsec auth: unknown
feb/20 23:39:32 ipsec dh: modp4096
feb/20 23:39:32 ipsec dh: modp3072
feb/20 23:39:32 ipsec dh: modp2048
feb/20 23:39:32 ipsec proposal #2
feb/20 23:39:32 ipsec enc: aes256-gcm
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec enc: aes192-gcm
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec enc: aes128-gcm
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec prf: hmac-sha1
feb/20 23:39:32 ipsec prf: unknown
feb/20 23:39:32 ipsec dh: modp4096
feb/20 23:39:32 ipsec dh: modp3072
feb/20 23:39:32 ipsec dh: modp2048
RouterOS returns the configured values:
feb/20 23:39:32 ipsec can't agree on IKE proposal, my config:
feb/20 23:39:32 ipsec enc: aes256-cbc aes192-cbc aes128-cbc
feb/20 23:39:32 ipsec auth: sha1
feb/20 23:39:32 ipsec dh: modp4096 modp3072 modp2048
feb/20 23:39:32 ipsec prf: hmac-sha1
feb/20 23:39:32 ipsec adding notify: NO_PROPOSAL_CHOSEN
And here is the problem: from my observations, it appears that changing the Hash algorithm in the profile configuration changes both auth and prf, and as you can see, Android expects different algorithms for auth and prf.

Is there any option to send sha-256 for auth and hmac-sha1 for prf? Or some other workaround for this problem?

Thank you in advance.
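
Added example, not part of the original post and not RouterOS code: a short Python script that parses proposal lines from a log like the one quoted above and reports, for each client proposal, which transform type has no algorithm in common with the router's configuration. The sample log is trimmed from the lines in the post; the function names and the handling of `unknown` entries are assumptions.

```python
from collections import defaultdict
TYPES = {"enc", "prf", "auth", "dh"}

# Constructed sample: trimmed from the log lines quoted in the post above.
SAMPLE_LOG = """\
feb/20 23:39:32 ipsec proposal #1
feb/20 23:39:32 ipsec enc: aes256-cbc
feb/20 23:39:32 ipsec prf: hmac-sha1
feb/20 23:39:32 ipsec auth: sha512
feb/20 23:39:32 ipsec auth: sha256
feb/20 23:39:32 ipsec dh: modp2048
feb/20 23:39:32 ipsec proposal #2
feb/20 23:39:32 ipsec enc: aes256-gcm
feb/20 23:39:32 ipsec enc: unknown
feb/20 23:39:32 ipsec prf: hmac-sha1
feb/20 23:39:32 ipsec dh: modp2048
feb/20 23:39:32 ipsec can't agree on IKE proposal, my config:
feb/20 23:39:32 ipsec enc: aes256-cbc aes192-cbc aes128-cbc
feb/20 23:39:32 ipsec auth: sha1
feb/20 23:39:32 ipsec dh: modp4096 modp3072 modp2048
feb/20 23:39:32 ipsec prf: hmac-sha1
feb/20 23:39:32 ipsec adding notify: NO_PROPOSAL_CHOSEN
"""

def parse(log):
    """Return (peer proposals by number, local config) as {type: set(algs)}."""
    peer, local, target = {}, defaultdict(set), None
    for line in log.splitlines():
        msg = line.partition(" ipsec ")[2].strip()
        if msg.startswith("proposal #"):
            target = peer.setdefault(int(msg.split("#")[1]), defaultdict(set))
        elif msg.startswith("can't agree on IKE proposal"):
            target = local  # following lines describe the router's own profile
        elif target is not None:
            kind, _, algs = msg.partition(":")
            if kind in TYPES:
                # Assumption: "unknown" is a transform the log could not name; never matches.
                target[kind].update(a for a in algs.split() if a != "unknown")
    return peer, local

def blockers(peer, local):
    """Per proposal: transform types offered with no algorithm in common."""
    return {num: sorted(k for k, offered in prop.items() if not offered & local[k])
            for num, prop in peer.items()}

if __name__ == "__main__":
    for num, kinds in blockers(*parse(SAMPLE_LOG)).items():
        print(f"proposal #{num}: no common algorithm for {', '.join(kinds) or 'none'}")
```

On the sample, proposal #1 fails only on auth (sha512/sha256 offered, sha1 configured) and proposal #2 fails only on enc (GCM offered, CBC configured); prf and dh overlap in both.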
 
Aquo
just joined
Posts: 2
Joined: Sat Mar 20, 2021 7:24 pm

Re: Native IKEv2 client issue in Android 11

Mon Aug 30, 2021 7:53 pm

Screenshot at 2021-08-30 21-51-10.png
Hello!
Which RouterOS version are you using? In my case it's possible to specify different hash/prf algs for phase1 (RouterOS stable channel 6.48.4).
 
fakeusername2022
newbie
Posts: 38
Joined: Sun Aug 14, 2022 4:36 pm

Re: Native IKEv2 client issue in Android 11

Mon Nov 28, 2022 12:02 pm

Maybe the same issue described in this post? viewtopic.php?t=191155
