<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
You also have to delete the setting on the AP side; just get rid of
this:<br>
<br>
ipsec primary tunnel peer tunnel ip :1.1.1.127<br>
<br>
--Jafar<br>
<br>
<div class="moz-cite-prefix">On 1/11/2018 2:06 AM, Yusuf Güngör
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPgCE5JTjj_oe4n=6peaihGyDRizP7ckaQh6jpJuDjF8h-TwdA@mail.gmail.com">
<div dir="ltr">Hi Jafar,
<div><br>
</div>
<div>I have tried both deleting "rightsubnet=0.0.0.0/0" and adding
"rightsubnet=%dynamic" now. The AP still gets "1.1.1.127" as
peer tunnel ip.</div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div>
<div><span style="font-size:12.8px">ipsec primary tunnel
peer tunnel ip :1.1.1.127</span></div>
<div><span style="font-size:12.8px">ipsec primary tunnel
ap tunnel ip :10.254.0.1</span></div>
<div style="font-size:12.8px"><br>
</div>
</div>
<div style="font-size:12.8px">Is the problem caused from the AP side?</div>
<div style="font-size:12.8px"><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2018-01-10 21:00 GMT+03:00 Jafar
Al-Gharaibeh <span dir="ltr"><<a
href="mailto:jafar@atcorp.com" target="_blank"
moz-do-not-send="true">jafar@atcorp.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Yusuf,<br>
<br>
Have you tried deleting "rightsubnet=0.0.0.0/0" as
Noel suggested below? <br>
<br>
In a dynamic address setup like this I usually do (which
has the same effect as deleting it): <br>
<br>
rightsubnet=%dynamic<span class="HOEnZb"><font
color="#888888"><br>
<br>
<br>
--Jafar</font></span>
<div>
<div class="h5"><br>
<br>
<div class="m_5740872371367772429moz-cite-prefix">On
1/10/2018 4:28 AM, Yusuf Güngör wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Noel,
<div><br>
</div>
<div>We have APs which are located at various
locations. APs get an IP from strongswan. </div>
<div><br>
</div>
<div>We have to add "rightsubnet=0.0.0.0/0" to let
APs connect. (We do not know the APs'
private/public IP addresses.)</div>
<div><br>
</div>
<div>We have to add "rightsourceip=10.254.0.0/24" to
give APs a tunnel IP.</div>
<div><br>
</div>
<div>APs can get an IP from the "rightsourceip" pool
successfully:</div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div>
<div style="font-size:12.8px">ipsec
primary tunnel ap tunnel ip
:10.254.0.1</div>
</div>
</blockquote>
<div><br>
</div>
<div>But why is the peer tunnel ip "1.1.1.127"?</div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div>
<div style="font-size:12.8px">ipsec
primary tunnel peer tunnel ip
:1.1.1.127</div>
</div>
</blockquote>
<div><br>
</div>
<div>We can establish VPN connections from APs to
Aruba Controllers, and in that case APs get IP
addresses as expected:</div>
<div><br>
</div>
<div>
<blockquote style="font-size:12.8px;margin:0px 0px 0px 40px;border:none;padding:0px">
<div>ipsec primary tunnel ap tunnel ip :10.254.0.1<br>
</div>
</blockquote>
</div>
<div>
<blockquote style="font-size:12.8px;margin:0px 0px 0px 40px;border:none;padding:0px">
<div>ipsec primary tunnel peer tunnel ip :<public ip of aruba controller></div>
<div><br>
</div>
</blockquote>
<span style="font-size:12.8px">
<div>Are we missing something?</div>
<div><br>
</div>
<div>Also, the VPN connection to strongswan
restarts about every 3 hours. The AP disconnects
and reconnects because of packet loss. This
should be the subject of another topic; I wrote
it here in case something is related to that.</div>
<div><span style="font-size:12.8px"><br>
</span></div>
Thanks for help.</span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2017-12-28 16:12
GMT+03:00 Noel Kuntze <span dir="ltr"><<a
href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting"
target="_blank" moz-do-not-send="true">noel.kuntze+strongswan-users-<wbr>ml@thermi.consulting</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">Hello,<br>
<br>
It's because you set "rightsubnet=0.0.0.0/0"
and evidently the AP proposes "1.1.1.127" as
its local TS, so it gets narrowed to that. I
propose you delete those two lines.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<span><br>
On 27.12.2017 11:01, Yusuf Güngör wrote:<br>
> Hi,<br>
><br>
> I have a configuration like below; the
VPN connection is successfully established but
the client side gets "1.1.1.127" as tunnel IP.
Can we change this tunnel IP? I cannot find
any clue about why StrongSwan assigns
"1.1.1.127" as the tunnel IP to clients.<br>
><br>
> Thanks.<br>
><br>
><br>
</span>> *StrongSwan Config (Left)*<br>
><br>
> conn vpn-test<br>
> left=%defaultroute<br>
> leftsubnet=172.30.1.1/25<br>
> leftauth=psk<br>
> leftfirewall=no<br>
> right=%any<br>
> rightsubnet=0.0.0.0/0<br>
> rightsourceip=10.254.0.0/24<br>
<span>> auto=add<br>
> keyexchange=ikev1<br>
> rightauth=psk<br>
> rightauth2=xauth<br>
> type=tunnel<br>
> mobike=yes<br>
> rightid=%any<br>
><br>
><br>
</span>> *Client VPN Status: (Aruba Instant
AP - Right)*<br>
<div class="m_5740872371367772429HOEnZb">
<div class="m_5740872371367772429h5">><br>
> current using tunnel
:primary tunnel<br>
> current tunnel using time
:1 hour 43 minutes 31
seconds <br>
> ipsec is preempt status
:disable<br>
> ipsec is fast failover status
:disable<br>
> ipsec hold on period
:0s<br>
> ipsec tunnel monitor frequency
(seconds/packet) :5<br>
> ipsec tunnel monitor timeout by
lost packet cnt :6<br>
><br>
> ipsec primary tunnel crypto
type :PSK<br>
> ipsec primary tunnel peer
address :52.55.49.104<br>
> ipsec primary tunnel peer
tunnel ip :1.1.1.127<br>
> ipsec primary tunnel ap
tunnel ip :10.254.0.1<br>
> ipsec primary tunnel using
interface :tun0<br>
> ipsec primary tunnel using
MTU :1230<br>
> ipsec primary tunnel current
sm status :Up<br>
> ipsec primary tunnel tunnel
status :Up<br>
> ipsec primary tunnel tunnel
retry times :6<br>
> ipsec primary tunnel tunnel
uptime :1 hour 43 minutes 31
seconds <br>
><br>
> ipsec backup tunnel crypto
type :PSK<br>
> ipsec backup tunnel peer
address :N/A<br>
> ipsec backup tunnel peer
tunnel ip :N/A<br>
> ipsec backup tunnel ap
tunnel ip :N/A<br>
> ipsec backup tunnel using
interface :N/A<br>
> ipsec backup tunnel using
MTU :N/A<br>
> ipsec backup tunnel current
sm status :Init<br>
> ipsec backup tunnel tunnel
status :Down<br>
> ipsec backup tunnel tunnel
retry times :0<br>
> ipsec backup tunnel tunnel<br>
><br>
><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
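One way to turn the thread's advice into a repeatable check, as an added example that is not part of the thread or of strongSwan: a small Python script that parses an ipsec.conf conn section (a constructed, abbreviated copy of the quoted "vpn-test" conn), flags rightsubnet=0.0.0.0/0 combined with rightsourceip, and rewrites it to rightsubnet=%dynamic as Jafar suggests. The AP-side peer tunnel ip setting Jafar mentions lives outside ipsec.conf and is not checked here.<br>

```python
"""Added example (not strongSwan's or the thread's code): lint an ipsec.conf
conn for the rightsubnet=0.0.0.0/0 + rightsourceip combination from the thread,
where the peer's own proposed TS (1.1.1.127 here) is narrowed into the tunnel."""
import re

# Constructed, abbreviated copy of the quoted "conn vpn-test" (Left side).
SAMPLE_CONF = """\
conn vpn-test
    left=%defaultroute
    leftsubnet=172.30.1.1/25
    right=%any
    rightsubnet=0.0.0.0/0
    rightsourceip=10.254.0.0/24
    keyexchange=ikev1
    auto=add
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def check_conn(opts):
    """Return findings for one conn; an empty list means nothing to report."""
    findings = []
    if opts.get("rightsubnet") == "0.0.0.0/0" and "rightsourceip" in opts:
        findings.append(
            "rightsubnet=0.0.0.0/0 with rightsourceip: the remote TS is narrowed "
            "to whatever the peer proposes; use rightsubnet=%dynamic or drop it")
    return findings

def fix_conn(opts):
    """Copy of opts with rightsubnet=%dynamic (same effect as deleting the line)."""
    fixed = dict(opts)
    if fixed.get("rightsubnet") == "0.0.0.0/0":
        fixed["rightsubnet"] = "%dynamic"
    return fixed
```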
<br>
</body>
</html>