<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Yusuf,<br>
    <br>
      Have you tried deleting "<span style="font-size:12.8px">rightsubnet=</span><a
      href="http://0.0.0.0/0" target="_blank" style="font-size:12.8px">0.0.0.0/0</a>"
    as Noel suggested below? <br>
    <br>
      In a dynamic address setup like this I usually do the following (which has the
    same effect as deleting it): <br>
    <br>
      rightsubnet=%dynamic<br>
    <br>
      <br>
    --Jafar<br>
    <br>
    <div class="moz-cite-prefix">On 1/10/2018 4:28 AM, Yusuf Güngör
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAPgCE5JsKC-uYY7mHd6gey+jfZBLXUcAwpAMJ0Gt+rqfyu_GXQ@mail.gmail.com">
      <div dir="ltr">Hi Noel,
        <div><br>
        </div>
        <div>We have APs which are located at various locations. APs get an IP
          from strongSwan. </div>
        <div><br>
        </div>
        <div>We have to add the "<span style="font-size:12.8px">rightsubnet=</span><a
            href="http://0.0.0.0/0" target="_blank"
            style="font-size:12.8px" moz-do-not-send="true">0.0.0.0/0</a>"
          to let APs connect. (We do not know the APs' private/public IP
          addresses)</div>
        <div><br>
        </div>
        <div>We have to add the "<span style="font-size:12.8px">rightsourceip=</span><a
            href="http://10.254.0.0/24" target="_blank"
            style="font-size:12.8px" moz-do-not-send="true">10.254.0.0/24</a>"
          to give APs tunnel ip.</div>
        <div><br>
        </div>
        <div>APs can get an IP from the "rightsourceip" pool successfully:</div>
        <div><br>
        </div>
        <blockquote style="margin:0px 0px 0px
          40px;border:none;padding:0px">
          <div>
            <div style="font-size:12.8px">ipsec     primary tunnel ap
              tunnel ip           :10.254.0.1</div>
          </div>
        </blockquote>
        <div><br>
        </div>
        <div>But why is the peer tunnel IP "1.1.1.127"?</div>
        <div><br>
        </div>
        <blockquote style="margin:0px 0px 0px
          40px;border:none;padding:0px">
          <div>
            <div style="font-size:12.8px">ipsec     primary tunnel peer
              tunnel ip         :1.1.1.127</div>
          </div>
        </blockquote>
        <div><br>
        </div>
        <div>We can establish VPN connections from APs to Aruba
          Controllers, and at that time the APs get IP addresses as expected:</div>
        <div><br>
        </div>
        <div>
          <blockquote style="font-size:12.8px;margin:0px 0px 0px
            40px;border:none;padding:0px">
            <div id="gmail-m_-8098580173571663388gmail-:71r.ma"
              class="gmail-m_-8098580173571663388gmail-Mu
              gmail-m_-8098580173571663388gmail-SP"
style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;opacity:1;word-wrap:break-word;word-break:break-word;outline:none;color:rgb(38,50,56)">ipsec
                  primary tunnel ap tunnel ip           :<span
                class="gmail-il">10.254</span>.0.1<br>
            </div>
          </blockquote>
        </div>
        <div>
          <blockquote style="font-size:12.8px;margin:0px 0px 0px
            40px;border:none;padding:0px">
            <div id="gmail-m_-8098580173571663388gmail-:71r.ma"
              class="gmail-m_-8098580173571663388gmail-Mu
              gmail-m_-8098580173571663388gmail-SP"
style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;opacity:1;word-wrap:break-word;word-break:break-word;outline:none;color:rgb(38,50,56)"><span
                id="gmail-m_-8098580173571663388gmail-:71r.co"
                class="gmail-m_-8098580173571663388gmail-tL8wMe
                gmail-m_-8098580173571663388gmail-EMoHub" dir="ltr"
                style="outline:none">ipsec     primary tunnel peer
                tunnel ip         :<public ip of aruba controller></span></div>
            <div><span class="gmail-m_-8098580173571663388gmail-tL8wMe
                gmail-m_-8098580173571663388gmail-EMoHub" dir="ltr"
                style="outline:none"><b><br>
                </b></span></div>
          </blockquote>
          <span style="font-size:12.8px">
            <div>Are we missing something?</div>
            <div><br>
            </div>
            <div>Also, the VPN connection to strongSwan restarts about every
              3 hours. The AP disconnects and reconnects because of packet
              loss. This should be the subject of another topic; I wrote it
              here in case something is related to that.</div>
            <div><span style="font-size:12.8px"><br>
              </span></div>
            Thanks for the help.</span></div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2017-12-28 16:12 GMT+03:00 Noel Kuntze
          <span dir="ltr"><<a
              href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting"
              target="_blank" moz-do-not-send="true">noel.kuntze+strongswan-users-ml@thermi.consulting</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
            <br>
            It's because you set "rightsubnet=<a href="http://0.0.0.0/0"
              rel="noreferrer" target="_blank" moz-do-not-send="true">0.0.0.0/0</a>"
            and evidently the AP proposes "1.1.1.127" as its local TS,
            so it gets narrowed to that. I propose you delete those two
            lines.<br>
            <br>
            Kind regards<br>
            <br>
            Noel<br>
            <span class=""><br>
              On 27.12.2017 11:01, Yusuf Güngör wrote:<br>
              > Hi,<br>
              ><br>
              > I have a configuration like below and the VPN connection
              is successfully established, but the client side gets "1.1.1.127"
              as its tunnel IP. Can we change this tunnel IP? I cannot find
              any clue about why strongSwan assigns "1.1.1.127" as the tunnel
              IP to clients.<br>
              ><br>
              > Thanks.<br>
              ><br>
              ><br>
            </span>> *StrongSwan Config (Left)*<br>
            ><br>
            >     conn vpn-test<br>
            >       left=%defaultroute<br>
            >       leftsubnet=172.30.1.1/25<br>
            >       leftauth=psk<br>
            >       leftfirewall=no<br>
            >       right=%any<br>
            >       rightsubnet=0.0.0.0/0<br>
            >       rightsourceip=10.254.0.0/24<br>
            <span class="">>       auto=add<br>
              >       keyexchange=ikev1<br>
              >       rightauth=psk<br>
              >       rightauth2=xauth<br>
              >       type=tunnel<br>
              >       mobike=yes<br>
              >       rightid=%any<br>
              ><br>
              ><br>
            </span>> *Client VPN Status: (Aruba Instant AP - Right)*<br>
            <div class="HOEnZb">
              <div class="h5">><br>
                >     current using tunnel                           
                :primary tunnel<br>
                >     current tunnel using time                     
                 :1 hour 43 minutes 31 seconds <br>
                >     ipsec is preempt status                       
                 :disable<br>
                >     ipsec is fast failover status                 
                 :disable<br>
                >     ipsec hold on period                           
                :0s<br>
                >     ipsec tunnel monitor frequency (seconds/packet)
                :5<br>
                >     ipsec tunnel monitor timeout by lost packet cnt
                :6<br>
                ><br>
                >     ipsec     primary tunnel crypto type           
                :PSK<br>
                >     ipsec     primary tunnel peer address         
                 :52.55.49.104<br>
                >     ipsec     primary tunnel peer tunnel ip       
                 :1.1.1.127<br>
                >     ipsec     primary tunnel ap tunnel ip         
                 :10.254.0.1<br>
                >     ipsec     primary tunnel using interface       
                :tun0<br>
                >     ipsec     primary tunnel using MTU             
                :1230<br>
                >     ipsec     primary tunnel current sm status     
                :Up<br>
                >     ipsec     primary tunnel tunnel status         
                :Up<br>
                >     ipsec     primary tunnel tunnel retry times   
                 :6<br>
                >     ipsec     primary tunnel tunnel uptime         
                :1 hour 43 minutes 31 seconds <br>
                ><br>
                >     ipsec      backup tunnel crypto type           
                :PSK<br>
                >     ipsec      backup tunnel peer address         
                 :N/A<br>
                >     ipsec      backup tunnel peer tunnel ip       
                 :N/A<br>
                >     ipsec      backup tunnel ap tunnel ip         
                 :N/A<br>
                >     ipsec      backup tunnel using interface       
                :N/A<br>
                >     ipsec      backup tunnel using MTU             
                :N/A<br>
                >     ipsec      backup tunnel current sm status     
                :Init<br>
                >     ipsec      backup tunnel tunnel status         
                :Down<br>
                >     ipsec      backup tunnel tunnel retry times   
                 :0<br>
                >     ipsec      backup tunnel tunnel<br>
                ><br>
                ><br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
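    Added illustration, not configuration taken from the thread: the <code>vpn-test</code>
    connection as quoted above, shown first as posted and then with the change Noel
    and Jafar propose (remove <code>rightsubnet=0.0.0.0/0</code>, or set it to
    <code>%dynamic</code>). Connection name and addresses are the ones quoted in the
    thread; the comments are mine and state only what the thread itself diagnoses.<br>
    <br>
```ini
# --- BEFORE: the ipsec.conf stanza as posted in the thread ---
# With rightsubnet=0.0.0.0/0 the responder accepts any remote traffic
# selector, so whatever the AP proposes (here 1.1.1.127) is narrowed
# into the CHILD_SA instead of the address handed out from the pool.
conn vpn-test
      left=%defaultroute
      leftsubnet=172.30.1.1/25
      leftauth=psk
      leftfirewall=no
      right=%any
      rightsubnet=0.0.0.0/0
      rightsourceip=10.254.0.0/24
      auto=add
      keyexchange=ikev1
      rightauth=psk
      rightauth2=xauth
      type=tunnel
      mobike=yes
      rightid=%any

# --- AFTER: rightsubnet=0.0.0.0/0 removed ---
# Leaving rightsubnet out is equivalent to rightsubnet=%dynamic: the
# remote traffic selector is the peer's own address, which for a
# client that receives a virtual IP is the address assigned from the
# rightsourceip pool (10.254.0.x), not an arbitrary selector the
# client proposes. The line is written out explicitly here only so
# the difference from the stanza above is visible.
conn vpn-test
      left=%defaultroute
      leftsubnet=172.30.1.1/25
      leftauth=psk
      leftfirewall=no
      right=%any
      rightsubnet=%dynamic
      rightsourceip=10.254.0.0/24
      auto=add
      keyexchange=ikev1
      rightauth=psk
      rightauth2=xauth
      type=tunnel
      mobike=yes
      rightid=%any
```
    <br>
    After changing the stanza, <code>ipsec reload</code> followed by
    <code>ipsec statusall</code> on the strongSwan host shows the traffic
    selectors actually installed for the AP's CHILD_SA, which is the quickest
    way to confirm that the remote side is now the 10.254.0.0/24 pool address
    rather than 1.1.1.127.<br>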
  </body>
</html>