Bug #1304
Invalid attribute length 16 for INTERNAL_IP6_ADDRESS when using IKEv1
Description
Tried to set up the IPv6-in-IPv6 tunnel to an established headend (not strongSwan), got the following error message:
invalid attribute length 16 for INTERNAL_IP6_ADDRESS
CONFIGURATION_V1 verification failed
could not decrypt payloads
ipsec statusall shows the setup stuck at:
vig[3]: Tasks queued: QUICK_MODE ISAKMP_DPD ISAKMP_DPD
vig[3]: Tasks active: MODE_CONFIG
while charon reports back 'connection established successfully'
Associated revisions
History
#1 Updated by Tobias Brunner over 6 years ago
- Tracker changed from Issue to Bug
- Subject changed from invalid attribute length 16 for INTERNAL_IP6_ADDRESS to Invalid attribute length 16 for INTERNAL_IP6_ADDRESS when using IKEv1
- Status changed from New to Feedback
- Priority changed from High to Normal
- Target version set to 5.4.0
invalid attribute length 16 for INTERNAL_IP6_ADDRESS
That's because currently the code for verifying IKEv1 and IKEv2 configuration attributes is the same, and with IKEv2 the INTERNAL_IP6_ADDRESS attribute is 17 bytes long (it includes a prefix). However, according to draft-dukes-ike-mode-cfg, only the IP is sent for IKEv1, so the length is 16 bytes there.
I pushed a fix for this to the ikev1-conf-ip6 branch.
#2 Updated by Tobias Brunner over 6 years ago
- Category set to interoperability
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to Fixed
ikev1: Send and verify IPv6 addresses correctly
According to the mode-config draft there is no prefix sent for
IPv6 addresses in IKEv1. We still accept 17 bytes long addresses for
backwards compatibility with older strongSwan releases.
Fixes #1304.
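The version-dependent length rule described in the comment and commit message above, as an added C example that is not strongSwan's code. All names are hypothetical, the sample bytes are constructed, and two points are assumptions: an empty value is treated as an address request for both versions (RFC 7296 specifies "0 or 17 octets" for IKEv2), and the prefix range check is an extra sanity check not mentioned on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ike_version { IKEV1 = 1, IKEV2 = 2 };   /* hypothetical names */

struct ip6_attr {
    uint8_t addr[16];
    uint8_t prefix;    /* 128 when the peer sent no prefix octet */
    int     has_addr;  /* 0 for an empty (request) attribute */
};

/* Returns 0 if the value length is valid for this IKE version, -1 otherwise. */
int parse_internal_ip6_address(enum ike_version v, const uint8_t *val,
                               size_t len, struct ip6_attr *out)
{
    memset(out, 0, sizeof(*out));
    out->prefix = 128;
    switch (len) {
    case 0:                     /* assumption: empty value requests an address */
        return 0;
    case 16:                    /* bare address: IKEv1 mode-config only */
        if (v != IKEV1)
            return -1;
        break;
    case 17:                    /* address + prefix: IKEv2, or older IKEv1 peers */
        if (val[16] > 128)      /* added sanity check on the prefix octet */
            return -1;
        out->prefix = val[16];
        break;
    default:
        return -1;
    }
    memcpy(out->addr, val, 16);
    out->has_addr = 1;
    return 0;
}

int main(void)
{
    uint8_t v[17] = { 0x20, 0x01, 0x0d, 0xb8 };  /* constructed: 2001:db8:: */
    struct ip6_attr a;
    v[16] = 64;                                   /* constructed prefix length */
    printf("IKEv1 len 16: %d\n", parse_internal_ip6_address(IKEV1, v, 16, &a));
    printf("IKEv1 len 17: %d\n", parse_internal_ip6_address(IKEV1, v, 17, &a));
    printf("IKEv2 len 16: %d\n", parse_internal_ip6_address(IKEV2, v, 16, &a));
    printf("IKEv2 len 17: %d\n", parse_internal_ip6_address(IKEV2, v, 17, &a));
    return 0;
}
```

Applying only the IKEv2 branch to both versions reproduces the reported failure: a 16-byte value from an IKEv1 headend is rejected.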