Hi Noel,

We have APs which are located at various locations. APs get IP from strongswan.

We have to add the "rightsubnet=0.0.0.0/0" to let APs connect. (We do not know the APs' private/public IP addresses.) We have to add the "rightsourceip=10.254.0.0/24" to give APs a tunnel IP. APs can get an IP from the "rightsourceip" pool successfully:

ipsec primary tunnel ap tunnel ip :10.254.0.1

But why is the peer tunnel IP "1.1.1.127"?

ipsec primary tunnel peer tunnel ip :1.1.1.127

We can establish VPN connections from APs to Aruba Controllers, and at that time APs get IP addresses as expected:

ipsec primary tunnel ap tunnel ip :10.254.0.1
ipsec primary tunnel peer tunnel ip :<public ip of aruba controller>

Are we missing something?

Also, the VPN connection to strongswan restarts about every 3 hours. APs disconnect and reconnect because of packet loss. This should be the subject of another topic; I wrote it here in case something is related to that.

Thanks for help.

2017-12-28 16:12 GMT+03:00 Noel Kuntze <[email protected]>:

> Hello,
>
> It's because you set "rightsubnet=0.0.0.0/0" and evidently the AP
> proposes "1.1.1.127" as its local TS, so it gets narrowed to that. I
> propose you delete those two lines.
>
> Kind regards
>
> Noel
>
> On 27.12.2017 11:01, Yusuf Güngör wrote:
> > Hi,
> >
> > I have a configuration like below and the VPN connection is successfully
> > established, but the client side gets "1.1.1.127" as tunnel IP. Can we change
> > this tunnel IP? I can not find any clue about why StrongSwan assigns
> > "1.1.1.127" as tunnel IP to clients.
> >
> > Thanks.
> >
> > *StrongSwan Config (Left)*
> >
> > conn vpn-test
> >     left=%defaultroute
> >     leftsubnet=172.30.1.1/25
> >     leftauth=psk
> >     leftfirewall=no
> >     right=%any
> >     rightsubnet=0.0.0.0/0
> >     rightsourceip=10.254.0.0/24
> >     auto=add
> >     keyexchange=ikev1
> >     rightauth=psk
> >     rightauth2=xauth
> >     type=tunnel
> >     mobike=yes
> >     rightid=%any
> >
> > *Client VPN Status: (Aruba Instant AP - Right)*
> >
> > current using tunnel :primary tunnel
> > current tunnel using time :1 hour 43 minutes 31 seconds
> > ipsec is preempt status :disable
> > ipsec is fast failover status :disable
> > ipsec hold on period :0s
> > ipsec tunnel monitor frequency (seconds/packet) :5
> > ipsec tunnel monitor timeout by lost packet cnt :6
> >
> > ipsec primary tunnel crypto type :PSK
> > ipsec primary tunnel peer address :52.55.49.104
> > ipsec primary tunnel peer tunnel ip :1.1.1.127
> > ipsec primary tunnel ap tunnel ip :10.254.0.1
> > ipsec primary tunnel using interface :tun0
> > ipsec primary tunnel using MTU :1230
> > ipsec primary tunnel current sm status :Up
> > ipsec primary tunnel tunnel status :Up
> > ipsec primary tunnel tunnel retry times :6
> > ipsec primary tunnel tunnel uptime :1 hour 43 minutes 31 seconds
> >
> > ipsec backup tunnel crypto type :PSK
> > ipsec backup tunnel peer address :N/A
> > ipsec backup tunnel peer tunnel ip :N/A
> > ipsec backup tunnel ap tunnel ip :N/A
> > ipsec backup tunnel using interface :N/A
> > ipsec backup tunnel using MTU :N/A
> > ipsec backup tunnel current sm status :Init
> > ipsec backup tunnel tunnel status :Down
> > ipsec backup tunnel tunnel retry times :0
> > ipsec backup tunnel tunnel
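The narrowing Noel describes, as an added illustration that is not part of the thread: a responder's configured traffic selector is intersected with whatever the initiator proposes, so a wildcard rightsubnet accepts any selector the peer names. This simplifies IKE TS negotiation to single CIDR blocks, and the 1.1.1.127/32 proposal is assumed from Noel's reading of the AP's behaviour, not taken from a capture.

```python
from ipaddress import ip_network


def parse_ts(ts):
    """Parse an ipsec.conf-style subnet into a network.

    strict=False mirrors how 'leftsubnet=172.30.1.1/25' from the thread is
    accepted and treated as the network 172.30.1.0/25.
    """
    return ip_network(ts, strict=False)


def narrow(configured, proposed):
    """Return the selector actually installed, or None if negotiation fails.

    Simplified model of IKE traffic-selector narrowing: the result is the
    overlap of what the responder allows and what the initiator proposes.
    With CIDR blocks the overlap is either the smaller block or nothing.
    """
    conf, prop = parse_ts(configured), parse_ts(proposed)
    if conf.subnet_of(prop):
        return conf
    if prop.subnet_of(conf):
        return prop
    return None  # no overlap: the child SA is rejected (TS_UNACCEPTABLE)


def thread_case():
    """Reproduce the thread's outcome (assumed AP proposal of 1.1.1.127/32)."""
    wildcard = narrow("0.0.0.0/0", "1.1.1.127/32")      # peer dictates the TS
    explicit = narrow("10.254.0.0/24", "1.1.1.127/32")  # tight subnet rejects it
    return (str(wildcard), explicit)


if __name__ == "__main__":
    print(thread_case())  # ('1.1.1.127/32', None)
```

An explicit remote selector, such as the rightsourceip pool itself, is the check that rejects an unexpected peer-side address instead of silently accepting it.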
