Yes, strongSwan has nothing to do with that IP. Btw, don't use 0.0.0.0/0. Assign a virtual IP instead and use that to contact the APs.

Kind regards

Noel

On 12.01.2018 11:11, Yusuf Güngör wrote:
> Hi,
>
> There is no setting at AP side for this. I have asked Aruba Community. Can we
> say that there is nothing to do with that strange "1.1.1.127" ip at
> StrongSwan side?
>
> Thanks.
>
> 2018-01-11 20:37 GMT+03:00 Jafar Al-Gharaibeh <[email protected]>:
>
> you also have to delete the setting at the AP side, just get rid of this:
>
>     ipsec primary tunnel peer tunnel ip :1.1.1.127
>
> --Jafar
>
> On 1/11/2018 2:06 AM, Yusuf Güngör wrote:
>> Hi Jafar,
>>
>> I have tried both deleting "rightsubnet=0.0.0.0/0"
>> and adding "rightsubnet=%dynamic" now. AP still gets "1.1.1.127" as peer
>> tunnel ip.
>>
>>     ipsec primary tunnel peer tunnel ip :1.1.1.127
>>     ipsec primary tunnel ap tunnel ip   :10.254.0.1
>>
>> The problem caused from AP side?
>>
>> 2018-01-10 21:00 GMT+03:00 Jafar Al-Gharaibeh <[email protected]>:
>>
>> Yusuf,
>>
>> Have you tried deleting "rightsubnet=0.0.0.0/0"
>> as Noel suggested below?
>>
>> In a dynamic address setup like this I usually do (which has the
>> same effect of deleting it):
>>
>>     rightsubnet=%dynamic
>>
>> --Jafar
>>
>> On 1/10/2018 4:28 AM, Yusuf Güngör wrote:
>>> Hi Noel,
>>>
>>> We have APs which located at various locations. APs get ip from
>>> strongswan.
>>>
>>> We have to add the "rightsubnet=0.0.0.0/0" to
>>> let APs connect. (We do not know the APs private-public ip addresses)
>>>
>>> We have to add the "rightsourceip=10.254.0.0/24" to give APs tunnel ip.
>>>
>>> APs can get ip from the "rightsourceip" pool successfully:
>>>
>>>     ipsec primary tunnel ap tunnel ip   :10.254.0.1
>>>
>>> But why peer tunnel ip is "1.1.1.127"
>>>
>>>     ipsec primary tunnel peer tunnel ip :1.1.1.127
>>>
>>> We can establish vpn connections from APs to Aruba Controllers and
>>> that time APs get ip addresses as expected:
>>>
>>>     ipsec primary tunnel ap tunnel ip   :10.254.0.1
>>>     ipsec primary tunnel peer tunnel ip :<public ip of aruba controller>
>>>
>>> We are missing something?
>>>
>>> Also, VPN connection to strongswan restarts about every 3 hours. AP
>>> disconnect and reconnect because of packet loss. This should be subject of
>>> another topic, I wrote if something is related with that.
>>>
>>> Thanks for help.
>>>
>>> 2017-12-28 16:12 GMT+03:00 Noel Kuntze <[email protected]>:
>>>
>>> Hello,
>>>
>>> It's because you set "rightsubnet=0.0.0.0/0"
>>> and evidently the AP proposes "1.1.1.127" as its local TS, so it gets
>>> narrowed to that. I propose you delete those two lines.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 27.12.2017 11:01, Yusuf Güngör wrote:
>>> > Hi,
>>> >
>>> > I have a configuration like below and VPN connection
>>> > successfully established but client side get "1.1.1.127" as tunnel IP. Can
>>> > we change this tunnel IP? I can not find any clue about why StrongSwan
>>> > assign "1.1.1.127" as tunnel IP to clients?
>>> >
>>> > Thanks.
>>> >
>>> > *StrongSwan Config (Left)*
>>> >
>>> > conn vpn-test
>>> >     left=%defaultroute
>>> >     leftsubnet=172.30.1.1/25
>>> >     leftauth=psk
>>> >     leftfirewall=no
>>> >     right=%any
>>> >     rightsubnet=0.0.0.0/0
>>> >     rightsourceip=10.254.0.0/24
>>> >     auto=add
>>> >     keyexchange=ikev1
>>> >     rightauth=psk
>>> >     rightauth2=xauth
>>> >     type=tunnel
>>> >     mobike=yes
>>> >     rightid=%any
>>> >
>>> > *Client VPN Status: (Aruba Instant AP - Right)*
>>> >
>>> > current using tunnel                            :primary tunnel
>>> > current tunnel using time                       :1 hour 43 minutes 31 seconds
>>> > ipsec is preempt status                         :disable
>>> > ipsec is fast failover status                   :disable
>>> > ipsec hold on period                            :0s
>>> > ipsec tunnel monitor frequency (seconds/packet) :5
>>> > ipsec tunnel monitor timeout by lost packet cnt :6
>>> >
>>> > ipsec primary tunnel crypto type                :PSK
>>> > ipsec primary tunnel peer address               :52.55.49.104
>>> > ipsec primary tunnel peer tunnel ip             :1.1.1.127
>>> > ipsec primary tunnel ap tunnel ip               :10.254.0.1
>>> > ipsec primary tunnel using interface            :tun0
>>> > ipsec primary tunnel using MTU                  :1230
>>> > ipsec primary tunnel current sm status          :Up
>>> > ipsec primary tunnel tunnel status              :Up
>>> > ipsec primary tunnel tunnel retry times         :6
>>> > ipsec primary tunnel tunnel uptime              :1 hour 43 minutes 31 seconds
>>> >
>>> > ipsec backup tunnel crypto type                 :PSK
>>> > ipsec backup tunnel peer address                :N/A
>>> > ipsec backup tunnel peer tunnel ip              :N/A
>>> > ipsec backup tunnel ap tunnel ip                :N/A
>>> > ipsec backup tunnel using interface             :N/A
>>> > ipsec backup tunnel using MTU                   :N/A
>>> > ipsec backup tunnel current sm status           :Init
>>> > ipsec backup tunnel tunnel status               :Down
>>> > ipsec backup tunnel tunnel retry times          :0
>>> > ipsec backup tunnel tunnel
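An added example, not part of the thread and not strongSwan code: a small Python check that flags ipsec.conf conns combining `right=%any` and `rightsourceip` with a `rightsubnet` of prefix length 0, the setting the thread advises against. The conn name `vpn-test-revised` and the function names are hypothetical, and the parser assumes plain `conn` sections without `also=` or `%default` inheritance.

```python
import ipaddress

# Constructed sample: the conn posted in the thread (abridged) and a
# hypothetical revised conn using the rightsubnet=%dynamic suggestion.
SAMPLE_CONF = """\
conn vpn-test
    right=%any
    rightsubnet=0.0.0.0/0
    rightsourceip=10.254.0.0/24

conn vpn-test-revised
    right=%any
    rightsubnet=%dynamic
    rightsourceip=10.254.0.0/24
"""

def parse_conns(text):
    """Map conn name -> {option: value}; also= and %default are not resolved."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:  # indented option
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def allows_any_address(subnets):
    """True if any listed subnet has prefix length 0 (0.0.0.0/0 or ::/0)."""
    for item in subnets.split(","):
        try:
            if ipaddress.ip_network(item.strip(), strict=False).prefixlen == 0:
                return True
        except ValueError:                         # %dynamic and similar
            continue
    return False

def audit(text):
    """Conns that hand out virtual IPs to any peer yet accept any remote subnet."""
    return [(name, o["rightsubnet"]) for name, o in parse_conns(text).items()
            if o.get("right") == "%any" and "rightsourceip" in o
            and allows_any_address(o.get("rightsubnet", ""))]
```
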
