[strongSwan] IPSec Tunnel IP
Yusuf Güngör
yusufyusufyusuf at gmail.com
Wed Jan 10 11:28:34 CET 2018
Hi Noel,
We have APs which are located at various locations. APs get IP from strongswan.
We have to add the "rightsubnet=0.0.0.0/0" to let APs connect. (We do not
know the APs' private-public IP addresses.)
We have to add the "rightsourceip=10.254.0.0/24" to give APs tunnel IP.
APs can get IP from the "rightsourceip" pool successfully:
ipsec primary tunnel ap tunnel ip :10.254.0.1
But why is the peer tunnel IP "1.1.1.127"?
ipsec primary tunnel peer tunnel ip :1.1.1.127
We can establish vpn connections from APs to Aruba Controllers and that
time APs get ip addresses as expected:
ipsec primary tunnel ap tunnel ip :10.254.0.1
ipsec primary tunnel peer tunnel ip :<public ip of aruba controller>
Are we missing something?
Also, the VPN connection to strongswan restarts about every 3 hours. The AP
disconnects and reconnects because of packet loss. This should be the subject of
another topic; I wrote it in case something is related to that.
Thanks for help.
2017-12-28 16:12 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:
> Hello,
>
> It's because you set "rightsubnet=0.0.0.0/0" and evidently the AP
> proposes "1.1.1.127" as its local TS, so it gets narrowed to that. I
> propose you delete those two lines.
>
> Kind regards
>
> Noel
>
> On 27.12.2017 11:01, Yusuf Güngör wrote:
> > Hi,
> >
> > I have a configuration like below and the VPN connection is successfully
> > established, but the client side gets "1.1.1.127" as tunnel IP. Can we change
> > this tunnel IP? I cannot find any clue about why StrongSwan assigns
> > "1.1.1.127" as tunnel IP to clients?
> >
> > Thanks.
> >
> >
> > *StrongSwan Config (Left)*
> >
> > conn vpn-test
> >     left=%defaultroute
> >     leftsubnet=172.30.1.1/25
> >     leftauth=psk
> >     leftfirewall=no
> >     right=%any
> >     rightsubnet=0.0.0.0/0
> >     rightsourceip=10.254.0.0/24
> >     auto=add
> >     keyexchange=ikev1
> >     rightauth=psk
> >     rightauth2=xauth
> >     type=tunnel
> >     mobike=yes
> >     rightid=%any
> >
> >
> > *Client VPN Status: (Aruba Instant AP - Right)*
> >
> > current using tunnel :primary tunnel
> > current tunnel using time :1 hour 43 minutes 31 seconds
> > ipsec is preempt status :disable
> > ipsec is fast failover status :disable
> > ipsec hold on period :0s
> > ipsec tunnel monitor frequency (seconds/packet) :5
> > ipsec tunnel monitor timeout by lost packet cnt :6
> >
> > ipsec primary tunnel crypto type :PSK
> > ipsec primary tunnel peer address :52.55.49.104
> > ipsec primary tunnel peer tunnel ip :1.1.1.127
> > ipsec primary tunnel ap tunnel ip :10.254.0.1
> > ipsec primary tunnel using interface :tun0
> > ipsec primary tunnel using MTU :1230
> > ipsec primary tunnel current sm status :Up
> > ipsec primary tunnel tunnel status :Up
> > ipsec primary tunnel tunnel retry times :6
> > ipsec primary tunnel tunnel uptime :1 hour 43 minutes 31 seconds
> >
> > ipsec backup tunnel crypto type :PSK
> > ipsec backup tunnel peer address :N/A
> > ipsec backup tunnel peer tunnel ip :N/A
> > ipsec backup tunnel ap tunnel ip :N/A
> > ipsec backup tunnel using interface :N/A
> > ipsec backup tunnel using MTU :N/A
> > ipsec backup tunnel current sm status :Init
> > ipsec backup tunnel tunnel status :Down
> > ipsec backup tunnel tunnel retry times :0
> > ipsec backup tunnel tunnel
> >
> >
>
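
Added example (not part of the thread and not strongSwan code): a simplified model of the traffic-selector narrowing Noel describes, run on the values from the thread, plus a check that flags a narrowed remote selector lying outside the `rightsourceip` pool. It assumes selectors are plain subnets with no protocol or port; the function names and the restricted `10.254.0.0/24` selector used for comparison are hypothetical.

```python
import ipaddress


def narrow(configured, proposed):
    """Model narrowing as pairwise subnet intersection.

    Simplification (assumption): a selector is only a subnet. Two CIDR
    blocks either nest or are disjoint, so the intersection is the
    smaller block or nothing.
    """
    result = []
    for c in (ipaddress.ip_network(x, strict=False) for x in configured):
        for p in (ipaddress.ip_network(x, strict=False) for x in proposed):
            if c.version != p.version:
                continue  # IPv4 and IPv6 selectors never intersect
            if p.subnet_of(c):
                hit = p
            elif c.subnet_of(p):
                hit = c
            else:
                continue
            if hit not in result:
                result.append(hit)
    return [str(n) for n in result]


def outside_pool(narrowed, pool):
    """Return narrowed remote selectors not covered by the virtual IP pool."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [s for s in narrowed
            if not ipaddress.ip_network(s).subnet_of(pool_net)]


# Values taken from the thread.
RIGHTSUBNET = ["0.0.0.0/0"]       # rightsubnet in the posted conn
POOL = "10.254.0.0/24"            # rightsourceip in the posted conn
AP_PROPOSAL = ["1.1.1.127/32"]    # what the AP proposes, per Noel's reply

if __name__ == "__main__":
    agreed = narrow(RIGHTSUBNET, AP_PROPOSAL)
    print("narrowed remote selector:", agreed)
    print("outside address pool:    ", outside_pool(agreed, POOL))
    # Hypothetical comparison: a remote selector limited to the pool
    # leaves nothing in common with the AP's proposal.
    print("with pool-only selector: ", narrow([POOL], AP_PROPOSAL))
```
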