[strongSwan] how to configure both IPv4 and IPv6 DNS addresses together in strongswan.conf of strongswan-5.0.0 with IKEv2

Mao, Zhiheng zmao at qualcomm.com
Mon Sep 10 06:44:02 CEST 2012


Hi there,

If I configure both IPv4 and IPv6 DNS addresses in strongswan.conf on Moon as attr { dns = 1.2.3.4, 2002:c023:9c17:21c::1234 }, it looks like Carol is assuming that the second DNS it received should also be IPv4:
Aug 29 11:08:50 localhost charon: 09[ENC] invalid attribute length 16 for INTERNAL_IP4_DNS
Aug 29 11:08:50 localhost charon: 09[ENC] CONFIGURATION verification failed
Aug 29 11:08:50 localhost charon: 09[ENC] could not decrypt payloads
Aug 29 11:08:50 localhost charon: 09[IKE] message verification failed
Aug 29 11:08:50 localhost charon: 09[IKE] IKE_AUTH response with message ID 3 processing failed

But if I swap the places of the DNS addresses as attr { dns = 2002:c023:9c17:21c::1234, 1.2.3.4 }, it looks like Carol is assuming that the second DNS it received should also be IPv6:
Aug 29 11:22:14 localhost charon: 13[ENC] invalid attribute length 4 for INTERNAL_IP6_DNS
Aug 29 11:22:14 localhost charon: 13[ENC] CONFIGURATION verification failed
Aug 29 11:22:14 localhost charon: 13[ENC] could not decrypt payloads
Aug 29 11:22:14 localhost charon: 13[IKE] message verification failed
Aug 29 11:22:14 localhost charon: 13[IKE] IKE_AUTH response with message ID 3 processing failed

So my question to the server side is: is this the right way to configure both IPv4 and IPv6 DNS addresses together in strongswan.conf? Does it really send both IPv4 and IPv6 DNS addresses correctly (attribute type, length, data, etc)?

Or more generally: does IKEv2 support sending different address types (IPv4 and IPv6) in the same message for DNS or DHCP?
If yes, then could this error be localized only on the client side, due to its inability to parse different address types? In other words, the strongSwan server is doing the right thing, and a non-strongSwan client might still be able to parse the addresses correctly?

The reason I am asking this way is because we will be using strongSwan as the server to test third-party VPN clients. As long as the server is doing the right thing, we should be fine. So I would very much appreciate it if someone could please confirm that. Thank you!

Regards,
Zhiheng
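
An added example, not part of the original post and not strongSwan code: a minimal encoder and verifier for IKEv2 Configuration payload attributes as laid out in RFC 7296, section 3.15.1, where INTERNAL_IP4_DNS (type 3) and INTERNAL_IP6_DNS (type 10) are separate attributes with their own permitted lengths. It shows the per-type length check that yields messages like the ones logged above, run on constructed inputs built from the addresses in the post. The function and constant names are illustrative assumptions.

```python
import ipaddress
import struct

# Attribute types and permitted value lengths from RFC 7296, section 3.15.1.
INTERNAL_IP4_DNS = 3
INTERNAL_IP6_DNS = 10
NAMES = {INTERNAL_IP4_DNS: "INTERNAL_IP4_DNS", INTERNAL_IP6_DNS: "INTERNAL_IP6_DNS"}
VALID_LENGTHS = {INTERNAL_IP4_DNS: (0, 4), INTERNAL_IP6_DNS: (0, 16)}


def encode_attr(attr_type, value):
    """Encode one attribute: reserved bit + 15-bit type, 16-bit length, value."""
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value


def encode_dns(addresses):
    """Encode each DNS server under the attribute type of its own family."""
    out = b""
    for text in addresses:
        ip = ipaddress.ip_address(text)
        attr_type = INTERNAL_IP4_DNS if ip.version == 4 else INTERNAL_IP6_DNS
        out += encode_attr(attr_type, ip.packed)
    return out


def parse_attrs(data):
    """Parse and verify an attribute list; raise ValueError on a bad length."""
    result, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!HH", data, offset)
        attr_type &= 0x7FFF  # drop the reserved bit
        value = data[offset + 4:offset + 4 + length]
        if len(value) != length:
            raise ValueError("truncated attribute value")
        name = NAMES.get(attr_type, str(attr_type))
        if attr_type in VALID_LENGTHS and length not in VALID_LENGTHS[attr_type]:
            raise ValueError(f"invalid attribute length {length} for {name}")
        if attr_type in VALID_LENGTHS and length:
            result.append((name, str(ipaddress.ip_address(value))))
        offset += 4 + length
    return result


# Constructed inputs, using the two addresses from the post.
V4 = ipaddress.ip_address("1.2.3.4").packed
V6 = ipaddress.ip_address("2002:c023:9c17:21c::1234").packed
MIXED = encode_dns(["1.2.3.4", "2002:c023:9c17:21c::1234"])
# Constructed malformed case: the IPv6 value carried under the IPv4 DNS type.
MISTYPED = encode_attr(INTERNAL_IP4_DNS, V4) + encode_attr(INTERNAL_IP4_DNS, V6)
```

When testing a third-party client, comparing the attribute type and length fields in a decrypted capture of the IKE_AUTH response against this layout shows which of the two cases is on the wire.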
