you also have to delete the setting at the AP side, just get rid of this:
ipsec primary tunnel peer tunnel ip :1.1.1.127
--Jafar
On 1/11/2018 2:06 AM, Yusuf Güngör wrote:
Hi Jafar,
I have tried both deleting "rightsubnet=0.0.0.0/0"
and adding "rightsubnet=%dynamic" now. AP still gets "1.1.1.127" as
peer tunnel ip.
ipsec primary tunnel peer tunnel ip :1.1.1.127
ipsec primary tunnel ap tunnel ip :10.254.0.1
Is the problem caused from the AP side?
2018-01-10 21:00 GMT+03:00 Jafar Al-Gharaibeh <ja...@atcorp.com>:
Yusuf,
Have you tried deleting "rightsubnet=0.0.0.0/0" as Noel suggested below?
In a dynamic address setup like this I usually do (which has the
same effect as deleting it):
rightsubnet=%dynamic
--Jafar
On 1/10/2018 4:28 AM, Yusuf Güngör wrote:
Hi Noel,
We have APs which are located at various locations. APs get IP from
strongSwan.
We have to add the "rightsubnet=0.0.0.0/0" to
let APs connect. (We do not know the APs' private/public IP addresses.)
We have to add the "rightsourceip=10.254.0.0/24" to give APs tunnel IP.
APs can get IP from the "rightsourceip" pool successfully:
ipsec primary tunnel ap tunnel ip :10.254.0.1
But why is the peer tunnel ip "1.1.1.127"?
ipsec primary tunnel peer tunnel ip :1.1.1.127
We can establish VPN connections from APs to Aruba Controllers
and at that time APs get IP addresses as expected:
ipsec primary tunnel ap tunnel ip :10.254.0.1
ipsec primary tunnel peer tunnel ip :<public ip of aruba controller>
Are we missing something?
Also, the VPN connection to strongSwan restarts about every 3 hours.
APs disconnect and reconnect because of packet loss. This should
be the subject of another topic; I wrote it here in case it is related.
Thanks for the help.
2017-12-28 16:12 GMT+03:00 Noel Kuntze
<noel.kuntze+strongswan-users-ml@thermi.consulting>:
Hello,
It's because you set "rightsubnet=0.0.0.0/0" and evidently the AP
proposes "1.1.1.127" as its local TS, so it gets narrowed to that.
I propose you delete those two lines.
Kind regards
Noel
On 27.12.2017 11:01, Yusuf Güngör wrote:
> Hi,
>
> I have a configuration like below and the VPN connection is
> successfully established, but the client side gets "1.1.1.127" as
> tunnel IP. Can we change this tunnel IP? I can not find any
> clue about why strongSwan assigns "1.1.1.127" as tunnel IP to
> clients.
>
> Thanks.
>
>
> *StrongSwan Config (Left)*
>
> conn vpn-test
>     left=%defaultroute
>     leftsubnet=172.30.1.1/25
>     leftauth=psk
>     leftfirewall=no
>     right=%any
>     rightsubnet=0.0.0.0/0
>     rightsourceip=10.254.0.0/24
>     auto=add
>     keyexchange=ikev1
>     rightauth=psk
>     rightauth2=xauth
>     type=tunnel
>     mobike=yes
>     rightid=%any
>
>
> *Client VPN Status: (Aruba Instant AP - Right)*
>
> current using tunnel :primary tunnel
> current tunnel using time :1 hour 43 minutes 31 seconds
> ipsec is preempt status :disable
> ipsec is fast failover status :disable
> ipsec hold on period :0s
> ipsec tunnel monitor frequency (seconds/packet) :5
> ipsec tunnel monitor timeout by lost packet cnt :6
>
> ipsec primary tunnel crypto type :PSK
> ipsec primary tunnel peer address :52.55.49.104
> ipsec primary tunnel peer tunnel ip :1.1.1.127
> ipsec primary tunnel ap tunnel ip :10.254.0.1
> ipsec primary tunnel using interface :tun0
> ipsec primary tunnel using MTU :1230
> ipsec primary tunnel current sm status :Up
> ipsec primary tunnel tunnel status :Up
> ipsec primary tunnel tunnel retry times :6
> ipsec primary tunnel tunnel uptime :1 hour 43 minutes 31 seconds
>
> ipsec backup tunnel crypto type :PSK
> ipsec backup tunnel peer address :N/A
> ipsec backup tunnel peer tunnel ip :N/A
> ipsec backup tunnel ap tunnel ip :N/A
> ipsec backup tunnel using interface :N/A
> ipsec backup tunnel using MTU :N/A
> ipsec backup tunnel current sm status :Init
> ipsec backup tunnel tunnel status :Down
> ipsec backup tunnel tunnel retry times :0
> ipsec backup tunnel tunnel
>
>
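Added example (editor's code, not strongSwan's and not from any poster in this thread) modelling the traffic-selector narrowing Noel describes and the %dynamic setting Jafar recommends. It is a simplified model of the responder side only: a CIDR in rightsubnet is used as-is, %dynamic stands for the peer's address or its assigned virtual IP, and the peer's proposed TS is narrowed to the intersection. The addresses come from the thread; the AP's public address 203.0.113.10 and all function names are constructed for the example. The last function is a small config audit: a rightsubnet wider than the rightsourceip pool lets a peer claim traffic selectors outside the pool it was assigned from.

```python
"""Model of responder-side traffic-selector (TS) narrowing for ipsec.conf
rightsubnet settings. Added example; not strongSwan code."""
import ipaddress
from typing import Optional

Net = ipaddress.IPv4Network


def intersect(a: Net, b: Net) -> Optional[Net]:
    """Intersection of two CIDR blocks. Prefix-aligned blocks either nest or
    are disjoint, so the result is the smaller block or None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def responder_remote_ts(rightsubnet: str, peer_address: str,
                        virtual_ip: Optional[str]) -> Net:
    """Remote TS the responder is willing to install, from its own config.
    "%dynamic" means the peer's address, or its assigned virtual IP when one
    was handed out from rightsourceip; anything else is taken as a CIDR."""
    if rightsubnet == "%dynamic":
        return ipaddress.ip_network(f"{virtual_ip or peer_address}/32")
    return ipaddress.ip_network(rightsubnet, strict=False)


def negotiate_remote_ts(rightsubnet: str, peer_address: str,
                        virtual_ip: Optional[str],
                        proposed_ts: str) -> Optional[Net]:
    """Narrow the peer's proposed TS against the responder's remote TS.
    None means no overlap, i.e. the responder refuses the child SA."""
    mine = responder_remote_ts(rightsubnet, peer_address, virtual_ip)
    theirs = ipaddress.ip_network(proposed_ts, strict=False)
    return intersect(mine, theirs)


def rightsubnet_is_overbroad(rightsubnet: str, rightsourceip: str) -> bool:
    """Audit check: True when the configured remote subnet accepts selectors
    outside the virtual-IP pool, so a peer can claim addresses it was never
    assigned. "%dynamic" is never overbroad by construction."""
    if rightsubnet == "%dynamic":
        return False
    remote = ipaddress.ip_network(rightsubnet, strict=False)
    pool = ipaddress.ip_network(rightsourceip, strict=False)
    return not remote.subnet_of(pool)


# Constructed sample input reproducing the thread's situation.
PEER_ADDRESS = "203.0.113.10"   # constructed AP public address
VIRTUAL_IP = "10.254.0.1"       # handed out from rightsourceip=10.254.0.0/24
AP_PROPOSAL = "1.1.1.127/32"    # what the AP proposes, per Noel's diagnosis


def scenarios() -> dict:
    """The three cases discussed in the thread."""
    return {
        "rightsubnet=0.0.0.0/0, AP proposes 1.1.1.127":
            negotiate_remote_ts("0.0.0.0/0", PEER_ADDRESS, VIRTUAL_IP,
                                AP_PROPOSAL),
        "rightsubnet=%dynamic, AP still proposes 1.1.1.127":
            negotiate_remote_ts("%dynamic", PEER_ADDRESS, VIRTUAL_IP,
                                AP_PROPOSAL),
        "rightsubnet=%dynamic, AP proposes its virtual IP":
            negotiate_remote_ts("%dynamic", PEER_ADDRESS, VIRTUAL_IP,
                                "10.254.0.1/32"),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label}: {result if result else 'refused (no overlap)'}")
    print("0.0.0.0/0 overbroad:",
          rightsubnet_is_overbroad("0.0.0.0/0", "10.254.0.0/24"))
    print("%dynamic overbroad:",
          rightsubnet_is_overbroad("%dynamic", "10.254.0.0/24"))
```

The second scenario is the state Yusuf reports after switching to %dynamic: the responder now only installs a selector for the assigned virtual IP, so an AP that is still configured to present 1.1.1.127 has nothing in common with it, which is why the AP-side setting has to go as well.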