Hi there,
If I configured both IPv4 and IPv6 DNS addresses in strongswan.conf on Moon as
attr { dns = 1.2.3.4, 2002:c023:9c17:21c::1234 }, looks like Carol is
assuming that the second DNS it received should also be IPv4:
Aug 29 11:08:50 localhost charon: 09[ENC] invalid attribute length 16 for INTERNAL_IP4_DNS
Aug 29 11:08:50 localhost charon: 09[ENC] CONFIGURATION verification failed
Aug 29 11:08:50 localhost charon: 09[ENC] could not decrypt payloads
Aug 29 11:08:50 localhost charon: 09[IKE] message verification failed
Aug 29 11:08:50 localhost charon: 09[IKE] IKE_AUTH response with message ID 3 processing failed
But if I swapped the place of the DNS addresses as attr { dns =
2002:c023:9c17:21c::1234, 1.2.3.4 }, looks like Carol is assuming that the
second DNS it received should also be IPv6:
Aug 29 11:22:14 localhost charon: 13[ENC] invalid attribute length 4 for INTERNAL_IP6_DNS
Aug 29 11:22:14 localhost charon: 13[ENC] CONFIGURATION verification failed
Aug 29 11:22:14 localhost charon: 13[ENC] could not decrypt payloads
Aug 29 11:22:14 localhost charon: 13[IKE] message verification failed
Aug 29 11:22:14 localhost charon: 13[IKE] IKE_AUTH response with message ID 3 processing failed
So my question to the server side is: is this the right way to configure both
IPv4 and IPv6 DNS addresses together in strongswan.conf? Does it really send
both IPv4 and IPv6 DNS addresses correctly (attribute type, length, data, etc)?
Or more generally: does IKEv2 support sending different address types (IPv4 and
IPv6) in the same message for DNS or DHCP?
If yes, then could this error be only localized on the client side: due to its
inability to parse different address types? In other words, the strongswan
server is doing the right thing, and a non-strongswan client might still be
able to parse the addresses correctly?
The reason I am asking this way is because we will be using strongswan as the
server to test third-party VPN clients. As long as the server is doing the
right thing, we should be fine. So I would very much appreciate it if someone could
please confirm that. Thank you!
Regards,
Zhiheng
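
Added example, not part of the original post and not strongSwan code: a sketch of how IKEv2 configuration attributes are laid out on the wire (RFC 7296, section 3.15.1) and how a receiver checks each value length against its attribute type. The function names are hypothetical; the two addresses are the ones from the post, and the mistyped payload is constructed to show how an IPv6 value carried under INTERNAL_IP4_DNS produces the length error seen in the first log.

```python
import ipaddress
import struct

# Attribute type numbers from RFC 7296, section 3.15.1, each with the
# value length (in octets) that a non-empty attribute must carry.
INTERNAL_IP4_DNS, INTERNAL_IP6_DNS = 3, 10
DNS_ATTRS = {INTERNAL_IP4_DNS: ("INTERNAL_IP4_DNS", 4),
             INTERNAL_IP6_DNS: ("INTERNAL_IP6_DNS", 16)}


def encode_attr(attr_type, value):
    """Encode one attribute: reserved bit + 15-bit type, 16-bit length, value."""
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value


def encode_dns(addr):
    """Choose the attribute type from the address family of this server."""
    ip = ipaddress.ip_address(addr)
    attr_type = INTERNAL_IP4_DNS if ip.version == 4 else INTERNAL_IP6_DNS
    return encode_attr(attr_type, ip.packed)


def parse_dns_attrs(data):
    """Walk a run of attributes, validating each DNS length against its type."""
    servers, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!HH", data, offset)
        attr_type &= 0x7FFF  # drop the reserved bit
        value = data[offset + 4:offset + 4 + length]
        if len(value) != length:
            raise ValueError("truncated attribute value")
        offset += 4 + length
        if attr_type not in DNS_ATTRS or length == 0:
            continue  # other types and empty (request-style) values are skipped
        name, expected = DNS_ATTRS[attr_type]
        if length != expected:
            raise ValueError(f"invalid attribute length {length} for {name}")
        servers.append((name, str(ipaddress.ip_address(value))))
    return servers


# Constructed payload: each address carried under its own attribute type.
V4, V6 = "1.2.3.4", "2002:c023:9c17:21c::1234"
well_formed = encode_dns(V4) + encode_dns(V6)
# Constructed malformed payload: IPv6 bytes carried under the IPv4 type.
mistyped = encode_dns(V4) + encode_attr(
    INTERNAL_IP4_DNS, ipaddress.ip_address(V6).packed)
```

Capturing the IKE_AUTH response and running the decrypted configuration attributes through a check like this shows whether the type field or the receiver's parser is at odds with the length.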