Hi Noel, Jafar; I have removed the "rightsubnet=0.0.0.0/0" expression from the config. Then I am going to wait for the answers from the Aruba Community.

Thanks a lot for your help.

The VPN connection resets at ~3 hours. The VPN connection should be always up; it is critical for us (RADIUS traffic is routed in it). When using an Aruba controller as VPN concentrator, the connection does not reset for weeks.

I thought the reset cause is probably the ikelifetime default value. I have added:

rekey=no
reauth=no

into the config. We are also using ikev1 for keyexchange (the AP forces us).

Does this change prevent the resets? Is it correct to do? Does it cause a serious vulnerability? Should I change these settings?

Thanks.

2018-01-12 13:14 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>:

> Yes, strongSwan has nothing to do with that IP. Btw, don't use 0.0.0.0/0.
> Assign a virtual IP instead and use that to contact the APs.
>
> Kind regards
>
> Noel
>
> On 12.01.2018 11:11, Yusuf Güngör wrote:
> > Hi,
> >
> > There is no setting at the AP side for this. I have asked the Aruba Community.
> > Can we say that there is nothing to do with that strange "1.1.1.127" IP at
> > the StrongSwan side?
> >
> > Thanks.
> >
> > 2018-01-11 20:37 GMT+03:00 Jafar Al-Gharaibeh <ja...@atcorp.com>:
> >
> > > You also have to delete the setting at the AP side, just get rid of this:
> > >
> > > ipsec primary tunnel peer tunnel ip :1.1.1.127
> > >
> > > --Jafar
> > >
> > > On 1/11/2018 2:06 AM, Yusuf Güngör wrote:
> > > > Hi Jafar,
> > > >
> > > > I have tried both deleting "rightsubnet=0.0.0.0/0" and adding
> > > > "rightsubnet=%dynamic" now. The AP still gets "1.1.1.127" as peer tunnel ip.
> > > >
> > > > ipsec primary tunnel peer tunnel ip :1.1.1.127
> > > > ipsec primary tunnel ap tunnel ip :10.254.0.1
> > > >
> > > > Is the problem caused by the AP side?
> > > >
> > > > 2018-01-10 21:00 GMT+03:00 Jafar Al-Gharaibeh <ja...@atcorp.com>:
> > > >
> > > > > Yusuf,
> > > > >
> > > > > Have you tried deleting "rightsubnet=0.0.0.0/0" as Noel suggested below?
> > > > >
> > > > > In a dynamic address setup like this I usually do (which has the same
> > > > > effect as deleting it):
> > > > >
> > > > > rightsubnet=%dynamic
> > > > >
> > > > > --Jafar
> > > > >
> > > > > On 1/10/2018 4:28 AM, Yusuf Güngör wrote:
> > > > > > Hi Noel,
> > > > > >
> > > > > > We have APs which are located at various locations. APs get an IP
> > > > > > from strongswan.
> > > > > >
> > > > > > We have to add "rightsubnet=0.0.0.0/0" to let APs connect. (We do not
> > > > > > know the APs' private/public IP addresses.)
> > > > > >
> > > > > > We have to add "rightsourceip=10.254.0.0/24" to give APs a tunnel IP.
> > > > > >
> > > > > > APs can get an IP from the "rightsourceip" pool successfully:
> > > > > >
> > > > > > ipsec primary tunnel ap tunnel ip :10.254.0.1
> > > > > >
> > > > > > But why is the peer tunnel ip "1.1.1.127"?
> > > > > >
> > > > > > ipsec primary tunnel peer tunnel ip :1.1.1.127
> > > > > >
> > > > > > We can establish VPN connections from APs to Aruba Controllers, and at
> > > > > > that time APs get IP addresses as expected:
> > > > > >
> > > > > > ipsec primary tunnel ap tunnel ip :10.254.0.1
> > > > > > ipsec primary tunnel peer tunnel ip :<public ip of aruba controller>
> > > > > >
> > > > > > Are we missing something?
> > > > > >
> > > > > > Also, the VPN connection to strongswan restarts about every 3 hours.
> > > > > > The AP disconnects and reconnects because of packet loss. This should
> > > > > > be the subject of another topic; I wrote it here in case something is
> > > > > > related to that.
> > > > > >
> > > > > > Thanks for the help.
> > > > > >
> > > > > > 2017-12-28 16:12 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>:
> > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > It's because you set "rightsubnet=0.0.0.0/0" and evidently the AP
> > > > > > > proposes "1.1.1.127" as its local TS, so it gets narrowed to that.
> > > > > > > I propose you delete those two lines.
> > > > > > >
> > > > > > > Kind regards
> > > > > > >
> > > > > > > Noel
> > > > > > >
> > > > > > > On 27.12.2017 11:01, Yusuf Güngör wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > I have a configuration like below and the VPN connection is
> > > > > > > > successfully established, but the client side gets "1.1.1.127" as
> > > > > > > > tunnel IP. Can we change this tunnel IP? I cannot find any clue
> > > > > > > > about why StrongSwan assigns "1.1.1.127" as tunnel IP to clients.
> > > > > > > >
> > > > > > > > Thanks.
> > > > > > > >
> > > > > > > > *StrongSwan Config (Left)*
> > > > > > > >
> > > > > > > > conn vpn-test
> > > > > > > >     left=%defaultroute
> > > > > > > >     leftsubnet=172.30.1.1/25
> > > > > > > >     leftauth=psk
> > > > > > > >     leftfirewall=no
> > > > > > > >     right=%any
> > > > > > > >     rightsubnet=0.0.0.0/0
> > > > > > > >     rightsourceip=10.254.0.0/24
> > > > > > > >     auto=add
> > > > > > > >     keyexchange=ikev1
> > > > > > > >     rightauth=psk
> > > > > > > >     rightauth2=xauth
> > > > > > > >     type=tunnel
> > > > > > > >     mobike=yes
> > > > > > > >     rightid=%any
> > > > > > > >
> > > > > > > > *Client VPN Status: (Aruba Instant AP - Right)*
> > > > > > > >
> > > > > > > > current using tunnel :primary tunnel
> > > > > > > > current tunnel using time :1 hour 43 minutes 31 seconds
> > > > > > > > ipsec is preempt status :disable
> > > > > > > > ipsec is fast failover status :disable
> > > > > > > > ipsec hold on period :0s
> > > > > > > > ipsec tunnel monitor frequency (seconds/packet) :5
> > > > > > > > ipsec tunnel monitor timeout by lost packet cnt :6
> > > > > > > >
> > > > > > > > ipsec primary tunnel crypto type :PSK
> > > > > > > > ipsec primary tunnel peer address :52.55.49.104
> > > > > > > > ipsec primary tunnel peer tunnel ip :1.1.1.127
> > > > > > > > ipsec primary tunnel ap tunnel ip :10.254.0.1
> > > > > > > > ipsec primary tunnel using interface :tun0
> > > > > > > > ipsec primary tunnel using MTU :1230
> > > > > > > > ipsec primary tunnel current sm status :Up
> > > > > > > > ipsec primary tunnel tunnel status :Up
> > > > > > > > ipsec primary tunnel tunnel retry times :6
> > > > > > > > ipsec primary tunnel tunnel uptime :1 hour 43 minutes 31 seconds
> > > > > > > >
> > > > > > > > ipsec backup tunnel crypto type :PSK
> > > > > > > > ipsec backup tunnel peer address :N/A
> > > > > > > > ipsec backup tunnel peer tunnel ip :N/A
> > > > > > > > ipsec backup tunnel ap tunnel ip :N/A
> > > > > > > > ipsec backup tunnel using interface :N/A
> > > > > > > > ipsec backup tunnel using MTU :N/A
> > > > > > > > ipsec backup tunnel current sm status :Init
> > > > > > > > ipsec backup tunnel tunnel status :Down
> > > > > > > > ipsec backup tunnel tunnel retry times :0
> > > > > > > > ipsec backup tunnel tunnel
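A cleaned-up version of the conn discussed in this thread, added here as an example and not any poster's actual config: it pairs the 0.0.0.0/0 setting with the %dynamic form that narrows the remote traffic selector to the pool address, and spells out the strongSwan lifetime settings behind the ~3 hour question and the rekey/reauth keys. The conn name vpn-aps and the DPD values are assumptions; the subnets, pool and authentication settings are taken from the posted config.

```ini
# Added example (not the poster's config): strongSwan ipsec.conf conn for
# road-warrior APs that receive a virtual IP from a pool. Conn name and the
# DPD values are assumptions; subnets, pool and auth come from the thread.
conn vpn-aps
    keyexchange=ikev1
    type=tunnel
    left=%defaultroute
    leftsubnet=172.30.1.1/25
    leftauth=psk
    leftfirewall=no
    right=%any
    rightid=%any
    rightauth=psk
    rightauth2=xauth
    # Weak form: rightsubnet=0.0.0.0/0 accepts any local TS the peer
    # proposes and narrows to it (the 1.1.1.127 seen on the AP).
    # Hardened form: %dynamic ties the remote TS to the assigned virtual IP.
    rightsubnet=%dynamic
    rightsourceip=10.254.0.0/24
    # strongSwan defaults are ikelifetime=3h and lifetime=1h, which matches
    # a ~3 hour cycle. Keep rekeying on so keys are refreshed before the hard
    # lifetime expires: rekey=no only stops this side from initiating, and
    # with IKEv1 reauthentication is always done, so reauth=no has no effect.
    rekey=yes
    reauth=yes
    ikelifetime=3h
    lifetime=1h
    margintime=9m
    rekeyfuzz=100%
    # Dead peer detection clears a half-dead SA instead of leaving it up;
    # "clear" rather than "restart", since a responder with right=%any
    # cannot re-initiate to an unknown peer.
    dpdaction=clear
    dpddelay=30s
    # mobike applies to IKEv2 only, so it is omitted for this IKEv1 conn.
    auto=add
```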