<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi there,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If I configured both IPv4 and IPv6 DNS addresses in strongswan.conf on Moon as
<span style="color:red">attr { dns = 1.2.3.4, 2002:c023:9c17:21c::1234 }</span>, looks like Carol is assuming that the second DNS it received should also be IPv4:
<o:p></o:p></p>
<p class="MsoNormal">Aug 29 11:08:50 localhost charon: 09[ENC] invalid attribute length 16 for INTERNAL_IP4_DNS<o:p></o:p></p>
<p class="MsoNormal">Aug 29 11:08:50 localhost charon: 09[ENC] CONFIGURATION verification failed<o:p></o:p></p>
<p class="MsoNormal">Aug 29 11:08:50 localhost charon: 09[ENC] could not decrypt payloads<o:p></o:p></p>
<p class="MsoNormal">Aug 29 11:08:50 localhost charon: 09[IKE] message verification failed<o:p></o:p></p>
<p class="MsoNormal">Aug 29 11:08:50 localhost charon: 09[IKE] IKE_AUTH response with message ID 3 processing failed<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">But if I swapped the place of the DNS addresses as <span style="color:red">
attr { dns = 2002:c023:9c17:21c::1234, 1.2.3.4 }</span>, looks like Carol is assuming that the second DNS it received should also be IPv6:<o:p></o:p></p>
<p class="MsoNormal">Aug 29 11:22:14 localhost charon: 13[ENC] invalid attribute length 4 for INTERNAL_IP6_DNS<o:p></o:p></p>
<p class="MsoNormal">Aug 29 11:22:14 localhost charon: 13[ENC] CONFIGURATION verification failed<o:p></o:p></p>
<p class="MsoNormal">Aug 29 11:22:14 localhost charon: 13[ENC] could not decrypt payloads<o:p></o:p></p>
<p class="MsoNormal">Aug 29 11:22:14 localhost charon: 13[IKE] message verification failed<o:p></o:p></p>
<p class="MsoNormal">Aug 29 11:22:14 localhost charon: 13[IKE] IKE_AUTH response with message ID 3 processing failed<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So my question to the server side is: is this the right way to configure both IPv4 and IPv6 DNS addresses together in strongswan.conf? Does it really send both IPv4 and IPv6 DNS addresses correctly (attribute type, length, data, etc)?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Or more generally: does IKEv2 support sending different address types (IPv4 and IPv6) in the same message for DNS or DHCP?<o:p></o:p></p>
<p class="MsoNormal">If yes, then could this error be only localized on the client side: due to its inability to parse different address types? In other words, the strongswan server is doing the right thing, and a non-strongswan client might still be able to
parse the addresses correctly?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The reason I am asking this way is because we will be using strongswan as the server to test third party's VPN clients. As long as the server is doing the right thing, we should be fine. So I would very much appreciate if someone could please
confirm that. Thank you!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Zhiheng<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
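<p class="MsoNormal">Added example, not part of the original message and not strongSwan code: a small parser for the attribute list of an IKEv2 Configuration payload (RFC 7296, section 3.15.1) that checks each attribute's length against its type, run on constructed bytes built from the two addresses above. The names encode_dns and parse_attributes are hypothetical, and the error text is modeled on the log lines quoted in the message.</p>
<pre>
```python
import ipaddress
import struct

# Attribute types and allowed value lengths from RFC 7296, section 3.15.1.
INTERNAL_IP4_DNS = 3
INTERNAL_IP6_DNS = 10
NAMES = {INTERNAL_IP4_DNS: "INTERNAL_IP4_DNS", INTERNAL_IP6_DNS: "INTERNAL_IP6_DNS"}
VALID_LENGTHS = {INTERNAL_IP4_DNS: (0, 4), INTERNAL_IP6_DNS: (0, 16)}


def encode_dns(server, force_type=None):
    """Encode one DNS attribute: reserved bit + 15-bit type, 16-bit length, value.
    force_type overrides the family-derived type, to build a malformed sample."""
    addr = ipaddress.ip_address(server)
    atype = force_type or (INTERNAL_IP4_DNS if addr.version == 4 else INTERNAL_IP6_DNS)
    return struct.pack(">HH", atype, len(addr.packed)) + addr.packed


def parse_attributes(data):
    """Walk the attribute list of a CP payload body; return (parsed, errors)."""
    parsed, errors, off = [], [], 0
    while len(data) - off >= 4:
        atype, length = struct.unpack_from(">HH", data, off)
        atype = atype & 0x7FFF  # drop the reserved top bit
        value = data[off + 4:off + 4 + length]
        off += 4 + length
        name = NAMES.get(atype, "type %d" % atype)
        if len(value) != length:
            errors.append("truncated value for %s" % name)
            break
        if atype in VALID_LENGTHS and length not in VALID_LENGTHS[atype]:
            errors.append("invalid attribute length %d for %s" % (length, name))
            continue
        known = atype in VALID_LENGTHS and length  # zero-length values stay empty
        text = str(ipaddress.ip_address(value)) if known else value.hex()
        parsed.append((name, text))
    if off != len(data) and not errors:
        errors.append("trailing bytes after last attribute")
    return parsed, errors


# Constructed samples: each family under its own type, then IPv6 mis-typed as IPv4.
GOOD = encode_dns("1.2.3.4") + encode_dns("2002:c023:9c17:21c::1234")
BAD = encode_dns("1.2.3.4") + encode_dns("2002:c023:9c17:21c::1234",
                                         force_type=INTERNAL_IP4_DNS)

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad", BAD)):
        print(label, parse_attributes(blob))
```
</pre>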
</div>
</body>
</html>