Hi Jafar,

I have tried both deleting "rightsubnet=0.0.0.0/0" and adding "rightsubnet=%dynamic" now. AP still gets "1.1.1.127" as peer tunnel ip.

ipsec primary tunnel peer tunnel ip :1.1.1.127
ipsec primary tunnel ap tunnel ip :10.254.0.1

Is the problem caused from the AP side?

2018-01-10 21:00 GMT+03:00 Jafar Al-Gharaibeh <[email protected]>:
> Yusuf,
>
> Have you tried deleting "rightsubnet=0.0.0.0/0" as Noel suggested
> below?
>
> In a dynamic address setup like this I usually do (which has the same
> effect as deleting it):
>
> rightsubnet=%dynamic
>
>
> --Jafar
>
>
> On 1/10/2018 4:28 AM, Yusuf Güngör wrote:
>
> Hi Noel,
>
> We have APs which are located at various locations. APs get IP from
> strongswan.
>
> We have to add the "rightsubnet=0.0.0.0/0" to let APs connect. (We do not
> know the APs' private/public IP addresses.)
>
> We have to add the "rightsourceip=10.254.0.0/24" to give APs a tunnel IP.
>
> APs can get an IP from the "rightsourceip" pool successfully:
>
> ipsec primary tunnel ap tunnel ip :10.254.0.1
>
> But why is the peer tunnel ip "1.1.1.127"?
>
> ipsec primary tunnel peer tunnel ip :1.1.1.127
>
> We can establish VPN connections from APs to Aruba Controllers and that
> time APs get IP addresses as expected:
>
> ipsec primary tunnel ap tunnel ip :10.254.0.1
> ipsec primary tunnel peer tunnel ip :<public ip of aruba controller>
>
> Are we missing something?
>
> Also, the VPN connection to strongswan restarts about every 3 hours. The AP
> disconnects and reconnects because of packet loss. This should be the subject of
> another topic; I wrote it here in case it is related.
>
> Thanks for help.
>
> 2017-12-28 16:12 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-[email protected]>:
>
>> Hello,
>>
>> It's because you set "rightsubnet=0.0.0.0/0" and evidently the AP
>> proposes "1.1.1.127" as its local TS, so it gets narrowed to that. I
>> propose you delete those two lines.
>>
>> Kind regards
>>
>> Noel
>>
>> On 27.12.2017 11:01, Yusuf Güngör wrote:
>> > Hi,
>> >
>> > I have a configuration like below and the VPN connection is successfully
>> > established, but the client side gets "1.1.1.127" as tunnel IP. Can we change
>> > this tunnel IP? I cannot find any clue about why StrongSwan assigns
>> > "1.1.1.127" as tunnel IP to clients.
>> >
>> > Thanks.
>> >
>> >
>> > *StrongSwan Config (Left)*
>> >
>> > conn vpn-test
>> >     left=%defaultroute
>> >     leftsubnet=172.30.1.1/25
>> >     leftauth=psk
>> >     leftfirewall=no
>> >     right=%any
>> >     rightsubnet=0.0.0.0/0
>> >     rightsourceip=10.254.0.0/24
>> >     auto=add
>> >     keyexchange=ikev1
>> >     rightauth=psk
>> >     rightauth2=xauth
>> >     type=tunnel
>> >     mobike=yes
>> >     rightid=%any
>> >
>> >
>> > *Client VPN Status: (Aruba Instant AP - Right)*
>> >
>> > current using tunnel :primary tunnel
>> > current tunnel using time :1 hour 43 minutes 31 seconds
>> > ipsec is preempt status :disable
>> > ipsec is fast failover status :disable
>> > ipsec hold on period :0s
>> > ipsec tunnel monitor frequency (seconds/packet) :5
>> > ipsec tunnel monitor timeout by lost packet cnt :6
>> >
>> > ipsec primary tunnel crypto type :PSK
>> > ipsec primary tunnel peer address :52.55.49.104
>> > ipsec primary tunnel peer tunnel ip :1.1.1.127
>> > ipsec primary tunnel ap tunnel ip :10.254.0.1
>> > ipsec primary tunnel using interface :tun0
>> > ipsec primary tunnel using MTU :1230
>> > ipsec primary tunnel current sm status :Up
>> > ipsec primary tunnel tunnel status :Up
>> > ipsec primary tunnel tunnel retry times :6
>> > ipsec primary tunnel tunnel uptime :1 hour 43 minutes 31 seconds
>> >
>> > ipsec backup tunnel crypto type :PSK
>> > ipsec backup tunnel peer address :N/A
>> > ipsec backup tunnel peer tunnel ip :N/A
>> > ipsec backup tunnel ap tunnel ip :N/A
>> > ipsec backup tunnel using interface :N/A
>> > ipsec backup tunnel using MTU :N/A
>> > ipsec backup tunnel current sm status :Init
>> > ipsec backup tunnel tunnel status :Down
>> > ipsec backup tunnel tunnel retry times :0
>> > ipsec backup tunnel tunnel
>> >
>> >
>> >
>
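Noel's explanation of the "1.1.1.127" address (the responder intersects its configured rightsubnet with whatever traffic selector the peer proposes, so a 0.0.0.0/0 rightsubnet accepts any proposal) can be checked with a small model of traffic-selector narrowing. This is an added example, not code from the thread or from strongSwan itself: narrowing is simplified to an address-range intersection, "%dynamic" is modelled as the virtual IP assigned from rightsourceip expressed as a host (/32) selector, and the sample addresses are the ones quoted in the thread. It does not explain why the AP still reports the address after the change, which the thread leaves open.

```python
from ipaddress import IPv4Address, IPv6Address, ip_network, summarize_address_range


def ts_range(cidr):
    """Return (ip_version, first, last) address integers for a CIDR traffic selector."""
    net = ip_network(cidr, strict=False)  # strict=False accepts 172.30.1.1/25 like ipsec.conf does
    return net.version, int(net.network_address), int(net.broadcast_address)


def narrow_ts(configured_ts, proposed_ts):
    """Intersect the responder's configured TS with the initiator's proposed TS.

    Simplified model of IKE narrowing: the responder may only shrink what the
    peer proposed. No overlap means the selector is unacceptable (None).
    The result is a list of CIDR blocks, normally a single entry.
    """
    c_ver, c_lo, c_hi = ts_range(configured_ts)
    p_ver, p_lo, p_hi = ts_range(proposed_ts)
    if c_ver != p_ver:
        return None
    lo, hi = max(c_lo, p_lo), min(c_hi, p_hi)
    if lo > hi:
        return None
    addr_cls = IPv4Address if c_ver == 4 else IPv6Address
    return [str(n) for n in summarize_address_range(addr_cls(lo), addr_cls(hi))]


def effective_rightsubnet(rightsubnet, virtual_ip):
    """Resolve the rightsubnet setting for a peer that received `virtual_ip` from rightsourceip.

    Assumption of this model: %dynamic pins the remote selector to the assigned
    virtual IP, so the peer cannot negotiate a different source range.
    """
    if rightsubnet == "%dynamic":
        return f"{virtual_ip}/32"
    return rightsubnet


def negotiate(rightsubnet, virtual_ip, proposed_ts):
    """Remote traffic selector the responder would end up with, or None if rejected."""
    return narrow_ts(effective_rightsubnet(rightsubnet, virtual_ip), proposed_ts)


if __name__ == "__main__":
    # Constructed scenario from the thread: the AP was assigned 10.254.0.1 from
    # rightsourceip=10.254.0.0/24 but proposes 1.1.1.127 as its local selector.
    assigned = "10.254.0.1"
    proposed = "1.1.1.127/32"
    for setting in ("0.0.0.0/0", "%dynamic"):
        print(f"rightsubnet={setting:<10} proposed={proposed} -> {negotiate(setting, assigned, proposed)}")
    # With %dynamic only the assigned virtual IP is accepted as the remote selector.
    print(f"rightsubnet=%dynamic   proposed={assigned}/32 -> {negotiate('%dynamic', assigned, assigned + '/32')}")
```

The defender's reading of the output: with rightsubnet=0.0.0.0/0 the peer decides which source range the tunnel carries (here 1.1.1.127/32 is accepted unchanged), whereas with %dynamic the remote selector is tied to the address the responder handed out and a proposal for anything else does not intersect.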
