<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Yusuf,<br>
<br>
Have you tried deleting "<span style="font-size:12.8px">rightsubnet=</span><a
href="http://0.0.0.0/0" target="_blank" style="font-size:12.8px">0.0.0.0/0</a>"
as Noel suggested below? <br>
<br>
In a dynamic address setup like this I usually do (Which has the
same effect of deleting it): <br>
<br>
rightsubnet=%dynamic<br>
<br>
<br>
--Jafar<br>
<br>
<div class="moz-cite-prefix">On 1/10/2018 4:28 AM, Yusuf Güngör
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPgCE5JsKC-uYY7mHd6gey+jfZBLXUcAwpAMJ0Gt+rqfyu_GXQ@mail.gmail.com">
<div dir="ltr">Hi Noel,
<div><br>
</div>
<div>We have APs which located at various locations. APs get ip
from strongswan. </div>
<div><br>
</div>
<div>We have to add the "<span style="font-size:12.8px">rightsubnet=</span><a
href="http://0.0.0.0/0" target="_blank"
style="font-size:12.8px" moz-do-not-send="true">0.0.0.0/0</a>"
to let APs connect. (We do not know the APs private-public ip
addreses)</div>
<div><br>
</div>
<div>We have to add the "<span style="font-size:12.8px">rightsourceip=</span><a
href="http://10.254.0.0/24" target="_blank"
style="font-size:12.8px" moz-do-not-send="true">10.254.0.0/24</a>"
to give APs tunnel ip.</div>
<div><br>
</div>
<div>APs can get ip from the "righsourceip" pool successfully:</div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div>
<div style="font-size:12.8px">ipsec primary tunnel ap
tunnel ip :10.254.0.1</div>
</div>
</blockquote>
<div><br>
</div>
<div>But why peer tunnel ip is "1.1.1.127"</div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div>
<div style="font-size:12.8px">ipsec primary tunnel peer
tunnel ip :1.1.1.127</div>
</div>
</blockquote>
<div><br>
</div>
<div>We can establish vpn connections from APs to Aruba
Controllers and that time APs get ip addresses as expected:</div>
<div><br>
</div>
<div>
<blockquote style="font-size:12.8px;margin:0px 0px 0px
40px;border:none;padding:0px">
<div id="gmail-m_-8098580173571663388gmail-:71r.ma"
class="gmail-m_-8098580173571663388gmail-Mu
gmail-m_-8098580173571663388gmail-SP"
style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;opacity:1;word-wrap:break-word;word-break:break-word;outline:none;color:rgb(38,50,56)">ipsec
primary tunnel ap tunnel ip :<span
class="gmail-il">10.254</span>.0.1<br>
</div>
</blockquote>
</div>
<div>
<blockquote style="font-size:12.8px;margin:0px 0px 0px
40px;border:none;padding:0px">
<div id="gmail-m_-8098580173571663388gmail-:71r.ma"
class="gmail-m_-8098580173571663388gmail-Mu
gmail-m_-8098580173571663388gmail-SP"
style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;opacity:1;word-wrap:break-word;word-break:break-word;outline:none;color:rgb(38,50,56)"><span
id="gmail-m_-8098580173571663388gmail-:71r.co"
class="gmail-m_-8098580173571663388gmail-tL8wMe
gmail-m_-8098580173571663388gmail-EMoHub" dir="ltr"
style="outline:none">ipsec primary tunnel peer
tunnel ip :<public ip of aruba controller></span></div>
<div><span class="gmail-m_-8098580173571663388gmail-tL8wMe
gmail-m_-8098580173571663388gmail-EMoHub" dir="ltr"
style="outline:none"><b><br>
</b></span></div>
</blockquote>
<span style="font-size:12.8px">
<div>We are missing something?</div>
<div><br>
</div>
<div>Also, VPN connection to strongswan restarts about every
3 hours. AP disconnect and reconnect because of packet
loss. This should be subject of another topic, i wrote if
something is related with that.</div>
<div><span style="font-size:12.8px"><br>
</span></div>
Thanks for help.</span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2017-12-28 16:12 GMT+03:00 Noel Kuntze
<span dir="ltr"><<a
href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting"
target="_blank" moz-do-not-send="true">noel.kuntze+strongswan-users-ml@thermi.consulting</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
It's because you set "rightsubnet=<a href="http://0.0.0.0/0"
rel="noreferrer" target="_blank" moz-do-not-send="true">0.0.0.0/0</a>"
and evidently the AP proposes "1.1.1.127" as its local TS,
so it gets narrowed to that. I propose you delete those two
lines.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<span class=""><br>
On 27.12.2017 11:01, Yusuf Güngör wrote:<br>
> Hi,<br>
><br>
> I have a configuration like below and VPN connection
successfully established but client side get "1.1.1.127"
as tunnel IP. Can we change this tunnel IP? I can not find
any clue about why StrongSwan assign "1.1.1.127" as tunnel
IP to clients?<br>
><br>
> Thanks.<br>
><br>
><br>
</span>> *StrongSwan Config (Left)*<br>
><br>
> conn vpn-test<br>
> left=%defaultroute<br>
> leftsubnet=<a href="http://172.30.1.1/25"
rel="noreferrer" target="_blank" moz-do-not-send="true">172.30.1.1/25</a>
<<a href="http://172.30.1.1/25" rel="noreferrer"
target="_blank" moz-do-not-send="true">http://172.30.1.1/25</a>><br>
> leftauth=psk<br>
> leftfirewall=no<br>
> right=%any<br>
> rightsubnet=<a href="http://0.0.0.0/0"
rel="noreferrer" target="_blank" moz-do-not-send="true">0.0.0.0/0</a>
<<a href="http://0.0.0.0/0" rel="noreferrer"
target="_blank" moz-do-not-send="true">http://0.0.0.0/0</a>><br>
> rightsourceip=<a href="http://10.254.0.0/24"
rel="noreferrer" target="_blank" moz-do-not-send="true">10.254.0.0/24</a>
<<a href="http://10.254.0.0/24" rel="noreferrer"
target="_blank" moz-do-not-send="true">http://10.254.0.0/24</a>><br>
<span class="">> auto=add<br>
> keyexchange=ikev1<br>
> rightauth=psk<br>
> rightauth2=xauth<br>
> type=tunnel<br>
> mobike=yes<br>
> rightid=%any<br>
><br>
><br>
</span>> *Client VPN Status: (Aruba Instant AP - Right)*<br>
<div class="HOEnZb">
<div class="h5">><br>
> current using tunnel
:primary tunnel<br>
> current tunnel using time
:1 hour 43 minutes 31 seconds <br>
> ipsec is preempt status
:disable<br>
> ipsec is fast failover status
:disable<br>
> ipsec hold on period
:0s<br>
> ipsec tunnel monitor frequency (seconds/packet)
:5<br>
> ipsec tunnel monitor timeout by lost packet cnt
:6<br>
><br>
> ipsec primary tunnel crypto type
:PSK<br>
> ipsec primary tunnel peer address
:52.55.49.104<br>
> ipsec primary tunnel peer tunnel ip
:1.1.1.127<br>
> ipsec primary tunnel ap tunnel ip
:10.254.0.1<br>
> ipsec primary tunnel using interface
:tun0<br>
> ipsec primary tunnel using MTU
:1230<br>
> ipsec primary tunnel current sm status
:Up<br>
> ipsec primary tunnel tunnel status
:Up<br>
> ipsec primary tunnel tunnel retry times
:6<br>
> ipsec primary tunnel tunnel uptime
:1 hour 43 minutes 31 seconds <br>
><br>
> ipsec backup tunnel crypto type
:PSK<br>
> ipsec backup tunnel peer address
:N/A<br>
> ipsec backup tunnel peer tunnel ip
:N/A<br>
> ipsec backup tunnel ap tunnel ip
:N/A<br>
> ipsec backup tunnel using interface
:N/A<br>
> ipsec backup tunnel using MTU
:N/A<br>
> ipsec backup tunnel current sm status
:Init<br>
> ipsec backup tunnel tunnel status
:Down<br>
> ipsec backup tunnel tunnel retry times
:0<br>
> ipsec backup tunnel tunnel<br>
><br>
><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>