<div dir="ltr">Hi Noel, Jafar;<div><br></div><div>I have removed "<span style="font-size:12.8px">rightsubnet=</span><a href="http://0.0.0.0/0">0.0.0.0/0</a>" expression from config. Then I am going to wait the answers from Aruba Community. </div><div><br></div><div>Thank a lot for your helps.</div><div><br></div><div>The VPN connection resets at ~ 3 hours. VPN connection should be always up, it is critical for us. (Radius traffice routed in it) When using Aruba controller as VPN Concentrator, connection does not resets for weeks.</div><div><br></div><div>I thought reset cause is probably about ikelifetime default value. I have added:</div><div><br></div><div><div> rekey = no</div><div> reauth = no</div></div><div><br></div><div>into the config. We are also using ikev1 for keyexchange. (AP force us) </div><div><br></div><div>Does this change prevent the resets? Is it correct to do?</div><div><br></div><div>Does it cause serious vulnerability? </div><div><br></div><div>Should i change this settings?</div><div><br></div><div>Thanks.</div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-01-12 13:14 GMT+03:00 Noel Kuntze <span dir="ltr"><<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" target="_blank">noel.kuntze+strongswan-users-ml@thermi.consulting</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Yes, strongSwan has nothing to do with that IP. Btw, don't use <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a>. Assign a virtual IP instead and use that to contact the APs.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<span class=""><br>
On 12.01.2018 11:11, Yusuf Güngör wrote:<br>
> Hi,<br>
><br>
> There is no setting at AP side for this. I have asked Aruba Community. Can we say that there is nothing to do with that strange "1.1.1.127" ip at StrongSwan side?<br>
><br>
> Thanks.<br>
><br>
</span>> 2018-01-11 20:37 GMT+03:00 Jafar Al-Gharaibeh <<a href="mailto:jafar@atcorp.com">jafar@atcorp.com</a> <mailto:<a href="mailto:jafar@atcorp.com">jafar@atcorp.com</a>>>:<br>
<span class="">><br>
> you also have to delete the setting at the AP side, just get rid of this:<br>
><br>
> ipsec primary tunnel peer tunnel ip :1.1.1.127<br>
><br>
> --Jafar<br>
><br>
><br>
> On 1/11/2018 2:06 AM, Yusuf Güngör wrote:<br>
>> Hi Jafar,<br>
>><br>
</span>>> I have tried both deleting "rightsubnet=<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/<wbr>0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>>" and adding "rightsubnet=%dynamic" now. AP still gets "1.1.1.127" as peer tunnel ip.<br>
<span class="">>><br>
>> ipsec primary tunnel peer tunnel ip :1.1.1.127<br>
>> ipsec primary tunnel ap tunnel ip :10.254.0.1<br>
>><br>
>> The problem caused from AP side?<br>
>><br>
>><br>
</span>>> 2018-01-10 21:00 GMT+03:00 Jafar Al-Gharaibeh <<a href="mailto:jafar@atcorp.com">jafar@atcorp.com</a> <mailto:<a href="mailto:jafar@atcorp.com">jafar@atcorp.com</a>>>:<br>
>><br>
>> Yusuf,<br>
>><br>
>> Have you tried deleting "rightsubnet=<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>>" as Noel suggested below?<br>
<span class="">>><br>
>> In a dynamic address setup like this I usually do (Which has the same effect of deleting it):<br>
>><br>
>> rightsubnet=%dynamic<br>
>><br>
>> <br>
>> --Jafar<br>
>><br>
>><br>
>> On 1/10/2018 4:28 AM, Yusuf Güngör wrote:<br>
>>> Hi Noel,<br>
>>><br>
>>> We have APs which located at various locations. APs get ip from strongswan. <br>
>>><br>
</span>>>> We have to add the "rightsubnet=<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>>" to let APs connect. (We do not know the APs private-public ip addreses)<br>
>>><br>
>>> We have to add the "rightsourceip=<a href="http://10.254.0.0/24" rel="noreferrer" target="_blank">10.254.0.0/24</a> <<a href="http://10.254.0.0/24" rel="noreferrer" target="_blank">http://10.254.0.0/24</a>>" to give APs tunnel ip.<br>
<span class="">>>><br>
>>> APs can get ip from the "righsourceip" pool successfully:<br>
>>><br>
>>> ipsec primary tunnel ap tunnel ip :10.254.0.1<br>
>>><br>
>>><br>
>>> But why peer tunnel ip is "1.1.1.127"<br>
>>><br>
>>> ipsec primary tunnel peer tunnel ip :1.1.1.127<br>
>>><br>
>>><br>
>>> We can establish vpn connections from APs to Aruba Controllers and that time APs get ip addresses as expected:<br>
>>><br>
>>> ipsec primary tunnel ap tunnel ip :10.254.0.1<br>
>>><br>
>>> ipsec primary tunnel peer tunnel ip :<public ip of aruba controller><br>
</span>>>> *<br>
>>> *<br>
<span class="">>>><br>
>>> We are missing something?<br>
>>><br>
>>> Also, VPN connection to strongswan restarts about every 3 hours. AP disconnect and reconnect because of packet loss. This should be subject of another topic, i wrote if something is related with that.<br>
>>><br>
>>> Thanks for help.<br>
>>><br>
</span>>>> 2017-12-28 16:12 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-<wbr>ml@thermi.consulting <mailto:<a href="mailto:noel.kuntze%2Bstrongswan-users-ml@thermi.consulting">noel.kuntze+<wbr>strongswan-users-ml@thermi.<wbr>consulting</a>>>:<br>
>>><br>
>>> Hello,<br>
>>><br>
>>> It's because you set "rightsubnet=<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>>" and evidently the AP proposes "1.1.1.127" as its local TS, so it gets narrowed to that. I propose you delete those two lines.<br>
<span class="">>>><br>
>>> Kind regards<br>
>>><br>
>>> Noel<br>
>>><br>
>>> On 27.12.2017 11:01, Yusuf Güngör wrote:<br>
>>> > Hi,<br>
>>> ><br>
>>> > I have a configuration like below and VPN connection successfully established but client side get "1.1.1.127" as tunnel IP. Can we change this tunnel IP? I can not find any clue about why StrongSwan assign "1.1.1.127" as tunnel IP to clients?<br>
>>> ><br>
>>> > Thanks.<br>
>>> ><br>
>>> ><br>
>>> > *StrongSwan Config (Left)*<br>
>>> ><br>
>>> > conn vpn-test<br>
>>> > left=%defaultroute<br>
</span>>>> > leftsubnet=<a href="http://172.30.1.1/25" rel="noreferrer" target="_blank">172.30.1.1/25</a> <<a href="http://172.30.1.1/25" rel="noreferrer" target="_blank">http://172.30.1.1/25</a>> <<a href="http://172.30.1.1/25" rel="noreferrer" target="_blank">http://172.30.1.1/25</a>><br>
>>> > leftauth=psk<br>
>>> > leftfirewall=no<br>
>>> > right=%any<br>
>>> > rightsubnet=<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>><br>
>>> > rightsourceip=<a href="http://10.254.0.0/24" rel="noreferrer" target="_blank">10.254.0.0/24</a> <<a href="http://10.254.0.0/24" rel="noreferrer" target="_blank">http://10.254.0.0/24</a>> <<a href="http://10.254.0.0/24" rel="noreferrer" target="_blank">http://10.254.0.0/24</a>><br>
<div class="HOEnZb"><div class="h5">>>> > auto=add<br>
>>> > keyexchange=ikev1<br>
>>> > rightauth=psk<br>
>>> > rightauth2=xauth<br>
>>> > type=tunnel<br>
>>> > mobike=yes<br>
>>> > rightid=%any<br>
>>> ><br>
>>> ><br>
>>> > *Client VPN Status: (Aruba Instant AP - Right)*<br>
>>> ><br>
>>> > current using tunnel :primary tunnel<br>
>>> > current tunnel using time :1 hour 43 minutes 31 seconds <br>
>>> > ipsec is preempt status :disable<br>
>>> > ipsec is fast failover status :disable<br>
>>> > ipsec hold on period :0s<br>
>>> > ipsec tunnel monitor frequency (seconds/packet) :5<br>
>>> > ipsec tunnel monitor timeout by lost packet cnt :6<br>
>>> ><br>
>>> > ipsec primary tunnel crypto type :PSK<br>
>>> > ipsec primary tunnel peer address :52.55.49.104<br>
>>> > ipsec primary tunnel peer tunnel ip :1.1.1.127<br>
>>> > ipsec primary tunnel ap tunnel ip :10.254.0.1<br>
>>> > ipsec primary tunnel using interface :tun0<br>
>>> > ipsec primary tunnel using MTU :1230<br>
>>> > ipsec primary tunnel current sm status :Up<br>
>>> > ipsec primary tunnel tunnel status :Up<br>
>>> > ipsec primary tunnel tunnel retry times :6<br>
>>> > ipsec primary tunnel tunnel uptime :1 hour 43 minutes 31 seconds <br>
>>> ><br>
>>> > ipsec backup tunnel crypto type :PSK<br>
>>> > ipsec backup tunnel peer address :N/A<br>
>>> > ipsec backup tunnel peer tunnel ip :N/A<br>
>>> > ipsec backup tunnel ap tunnel ip :N/A<br>
>>> > ipsec backup tunnel using interface :N/A<br>
>>> > ipsec backup tunnel using MTU :N/A<br>
>>> > ipsec backup tunnel current sm status :Init<br>
>>> > ipsec backup tunnel tunnel status :Down<br>
>>> > ipsec backup tunnel tunnel retry times :0<br>
>>> > ipsec backup tunnel tunnel<br>
>>> ><br>
>>> ><br>
>>><br>
>>><br>
>><br>
>><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>