<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    you also have to delete the setting at the AP side, just get rid of
    this:<br>
    <br>
      ipsec     primary tunnel peer tunnel ip         :1.1.1.127<br>
    <br>
    --Jafar<br>
    <br>
    <div class="moz-cite-prefix">On 1/11/2018 2:06 AM, Yusuf Güngör
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAPgCE5JTjj_oe4n=6peaihGyDRizP7ckaQh6jpJuDjF8h-TwdA@mail.gmail.com">
      <div dir="ltr">Hi Jafar,
        <div><br>
        </div>
        <div>I have tried both deleting <span style="font-size:12.8px">"</span><span
            style="font-size:12.8px">rightsubnet=</span><a
            href="http://0.0.0.0/0" target="_blank"
            style="font-size:12.8px" moz-do-not-send="true">0.0.0.0/0</a><span
            style="font-size:12.8px">" and adding "</span><span
            style="font-size:12.8px">rightsubnet=%dynamic</span><span
            style="font-size:12.8px">" now. AP still gets "1.1.1.127" as
            peer tunnel ip.</span></div>
        <div><span style="font-size:12.8px"><br>
          </span></div>
        <div>
          <div><span style="font-size:12.8px">ipsec     primary tunnel
              peer tunnel ip        :1.1.1.127</span></div>
          <div><span style="font-size:12.8px">ipsec     primary tunnel
              ap tunnel ip           :10.254.0.1</span></div>
          <div style="font-size:12.8px"><br>
          </div>
        </div>
        <div style="font-size:12.8px">The problem caused from AP side?</div>
        <div style="font-size:12.8px"><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2018-01-10 21:00 GMT+03:00 Jafar
          Al-Gharaibeh <span dir="ltr"><<a
              href="mailto:jafar@atcorp.com" target="_blank"
              moz-do-not-send="true">jafar@atcorp.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Yusuf,<br>
              <br>
                Have you tried deleting "<span style="font-size:12.8px">rightsubnet=</span><a
                href="http://0.0.0.0/0" style="font-size:12.8px"
                target="_blank" moz-do-not-send="true">0.0.0.0/0</a>" as
              Noel suggested below? <br>
              <br>
                In a dynamic address setup like this I usually do (Which
              has the same effect of deleting it): <br>
              <br>
                rightsubnet=%dynamic<span class="HOEnZb"><font
                  color="#888888"><br>
                  <br>
                    <br>
                  --Jafar</font></span>
              <div>
                <div class="h5"><br>
                  <br>
                  <div class="m_5740872371367772429moz-cite-prefix">On
                    1/10/2018 4:28 AM, Yusuf Güngör wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Hi Noel,
                      <div><br>
                      </div>
                      <div>We have APs which located at various
                        locations. APs get ip from strongswan. </div>
                      <div><br>
                      </div>
                      <div>We have to add the "<span
                          style="font-size:12.8px">rightsubnet=</span><a
                          href="http://0.0.0.0/0"
                          style="font-size:12.8px" target="_blank"
                          moz-do-not-send="true">0.0.0.0/0</a>" to let
                        APs connect. (We do not know the APs
                        private-public ip addreses)</div>
                      <div><br>
                      </div>
                      <div>We have to add the "<span
                          style="font-size:12.8px">rightsourceip=</span><a
                          href="http://10.254.0.0/24"
                          style="font-size:12.8px" target="_blank"
                          moz-do-not-send="true">10.254.0.0/24</a>" to
                        give APs tunnel ip.</div>
                      <div><br>
                      </div>
                      <div>APs can get ip from the "righsourceip" pool
                        successfully:</div>
                      <div><br>
                      </div>
                      <blockquote style="margin:0px 0px 0px
                        40px;border:none;padding:0px">
                        <div>
                          <div style="font-size:12.8px">ipsec   
                             primary tunnel ap tunnel ip         
                             :10.254.0.1</div>
                        </div>
                      </blockquote>
                      <div><br>
                      </div>
                      <div>But why peer tunnel ip is "1.1.1.127"</div>
                      <div><br>
                      </div>
                      <blockquote style="margin:0px 0px 0px
                        40px;border:none;padding:0px">
                        <div>
                          <div style="font-size:12.8px">ipsec   
                             primary tunnel peer tunnel ip       
                             :1.1.1.127</div>
                        </div>
                      </blockquote>
                      <div><br>
                      </div>
                      <div>We can establish vpn connections from APs to
                        Aruba Controllers and that time APs get ip
                        addresses as expected:</div>
                      <div><br>
                      </div>
                      <div>
                        <blockquote style="font-size:12.8px;margin:0px
                          0px 0px 40px;border:none;padding:0px">
                          <div
                            id="m_5740872371367772429gmail-m_-8098580173571663388gmail-:71r.ma"
class="m_5740872371367772429gmail-m_-8098580173571663388gmail-Mu
                            m_5740872371367772429gmail-m_-8098580173571663388gmail-SP"
style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;opacity:1;word-wrap:break-word;word-break:break-word;outline:none;color:rgb(38,50,56)">ipsec
                                primary tunnel ap tunnel ip           :<span
                              class="m_5740872371367772429gmail-il">10.254</span>.0.1<br>
                          </div>
                        </blockquote>
                      </div>
                      <div>
                        <blockquote style="font-size:12.8px;margin:0px
                          0px 0px 40px;border:none;padding:0px">
                          <div
                            id="m_5740872371367772429gmail-m_-8098580173571663388gmail-:71r.ma"
class="m_5740872371367772429gmail-m_-8098580173571663388gmail-Mu
                            m_5740872371367772429gmail-m_-8098580173571663388gmail-SP"
style="font-family:Roboto,Arial,sans-serif;font-size:13px;line-height:16px;margin-bottom:6px;margin-left:9px;margin-right:9px;opacity:1;word-wrap:break-word;word-break:break-word;outline:none;color:rgb(38,50,56)"><span
id="m_5740872371367772429gmail-m_-8098580173571663388gmail-:71r.co"
                              class="m_5740872371367772429gmail-m_-8098580173571663388gmail-tL8wMe
m_5740872371367772429gmail-m_-8098580173571663388gmail-EMoHub" dir="ltr"
                              style="outline:none">ipsec     primary
                              tunnel peer tunnel ip         :<public
                              ip of aruba controller></span></div>
                          <div><span
                              class="m_5740872371367772429gmail-m_-8098580173571663388gmail-tL8wMe
m_5740872371367772429gmail-m_-8098580173571663388gmail-EMoHub" dir="ltr"
                              style="outline:none"><b><br>
                              </b></span></div>
                        </blockquote>
                        <span style="font-size:12.8px">
                          <div>We are missing something?</div>
                          <div><br>
                          </div>
                          <div>Also, VPN connection to strongswan
                            restarts about every 3 hours. AP disconnect
                            and reconnect because of packet loss. This
                            should be subject of another topic, i wrote
                            if something is related with that.</div>
                          <div><span style="font-size:12.8px"><br>
                            </span></div>
                          Thanks for help.</span></div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">2017-12-28 16:12
                        GMT+03:00 Noel Kuntze <span dir="ltr"><<a
                            href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting"
                            target="_blank" moz-do-not-send="true">noel.kuntze+strongswan-users-<wbr>ml@thermi.consulting</a>></span>:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">Hello,<br>
                          <br>
                          It's because you set "rightsubnet=<a
                            href="http://0.0.0.0/0" rel="noreferrer"
                            target="_blank" moz-do-not-send="true">0.0.0.0/0</a>"
                          and evidently the AP proposes "1.1.1.127" as
                          its local TS, so it gets narrowed to that. I
                          propose you delete those two lines.<br>
                          <br>
                          Kind regards<br>
                          <br>
                          Noel<br>
                          <span><br>
                            On 27.12.2017 11:01, Yusuf Güngör wrote:<br>
                            > Hi,<br>
                            ><br>
                            > I have a configuration like below and
                            VPN connection successfully established but
                            client side get "1.1.1.127" as tunnel IP.
                            Can we change this tunnel IP? I can not find
                            any clue about why StrongSwan assign
                            "1.1.1.127" as tunnel IP to clients?<br>
                            ><br>
                            > Thanks.<br>
                            ><br>
                            ><br>
                          </span>> *StrongSwan Config (Left)*<br>
                          ><br>
                          >     conn vpn-test<br>
                          >       left=%defaultroute<br>
                          >       leftsubnet=<a
                            href="http://172.30.1.1/25" rel="noreferrer"
                            target="_blank" moz-do-not-send="true">172.30.1.1/25</a>
                          <<a href="http://172.30.1.1/25"
                            rel="noreferrer" target="_blank"
                            moz-do-not-send="true">http://172.30.1.1/25</a>><br>
                          >       leftauth=psk<br>
                          >       leftfirewall=no<br>
                          >       right=%any<br>
                          >       rightsubnet=<a
                            href="http://0.0.0.0/0" rel="noreferrer"
                            target="_blank" moz-do-not-send="true">0.0.0.0/0</a>
                          <<a href="http://0.0.0.0/0"
                            rel="noreferrer" target="_blank"
                            moz-do-not-send="true">http://0.0.0.0/0</a>><br>
                          >       rightsourceip=<a
                            href="http://10.254.0.0/24" rel="noreferrer"
                            target="_blank" moz-do-not-send="true">10.254.0.0/24</a>
                          <<a href="http://10.254.0.0/24"
                            rel="noreferrer" target="_blank"
                            moz-do-not-send="true">http://10.254.0.0/24</a>><br>
                          <span>>       auto=add<br>
                            >       keyexchange=ikev1<br>
                            >       rightauth=psk<br>
                            >       rightauth2=xauth<br>
                            >       type=tunnel<br>
                            >       mobike=yes<br>
                            >       rightid=%any<br>
                            ><br>
                            ><br>
                          </span>> *Client VPN Status: (Aruba Instant
                          AP - Right)*<br>
                          <div class="m_5740872371367772429HOEnZb">
                            <div class="m_5740872371367772429h5">><br>
                              >     current using tunnel             
                                            :primary tunnel<br>
                              >     current tunnel using time       
                                             :1 hour 43 minutes 31
                              seconds <br>
                              >     ipsec is preempt status         
                                             :disable<br>
                              >     ipsec is fast failover status   
                                             :disable<br>
                              >     ipsec hold on period             
                                            :0s<br>
                              >     ipsec tunnel monitor frequency
                              (seconds/packet) :5<br>
                              >     ipsec tunnel monitor timeout by
                              lost packet cnt :6<br>
                              ><br>
                              >     ipsec     primary tunnel crypto
                              type            :PSK<br>
                              >     ipsec     primary tunnel peer
                              address           :52.55.49.104<br>
                              >     ipsec     primary tunnel peer
                              tunnel ip         :1.1.1.127<br>
                              >     ipsec     primary tunnel ap
                              tunnel ip           :10.254.0.1<br>
                              >     ipsec     primary tunnel using
                              interface        :tun0<br>
                              >     ipsec     primary tunnel using
                              MTU              :1230<br>
                              >     ipsec     primary tunnel current
                              sm status      :Up<br>
                              >     ipsec     primary tunnel tunnel
                              status          :Up<br>
                              >     ipsec     primary tunnel tunnel
                              retry times     :6<br>
                              >     ipsec     primary tunnel tunnel
                              uptime          :1 hour 43 minutes 31
                              seconds <br>
                              ><br>
                              >     ipsec      backup tunnel crypto
                              type            :PSK<br>
                              >     ipsec      backup tunnel peer
                              address           :N/A<br>
                              >     ipsec      backup tunnel peer
                              tunnel ip         :N/A<br>
                              >     ipsec      backup tunnel ap
                              tunnel ip           :N/A<br>
                              >     ipsec      backup tunnel using
                              interface        :N/A<br>
                              >     ipsec      backup tunnel using
                              MTU              :N/A<br>
                              >     ipsec      backup tunnel current
                              sm status      :Init<br>
                              >     ipsec      backup tunnel tunnel
                              status          :Down<br>
                              >     ipsec      backup tunnel tunnel
                              retry times     :0<br>
                              >     ipsec      backup tunnel tunnel<br>
                              ><br>
                              ><br>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>