[strongSwan] IPSec Tunnel IP

Jafar Al-Gharaibeh jafar at atcorp.com
Wed Jan 10 19:00:46 CET 2018


Yusuf,

   Have you tried deleting "rightsubnet=0.0.0.0/0" as 
Noel suggested below?

   In a dynamic address setup like this I usually do (which has the same 
effect as deleting it):

   rightsubnet=%dynamic


--Jafar

On 1/10/2018 4:28 AM, Yusuf Güngör wrote:
> Hi Noel,
>
> We have APs which located at various locations. APs get ip from 
> strongswan.
>
> We have to add the "rightsubnet=0.0.0.0/0" to let 
> APs connect. (We do not know the APs' private/public IP addresses.)
>
> We have to add the "rightsourceip=10.254.0.0/24" to give APs a tunnel IP.
>
> APs can get an IP from the "rightsourceip" pool successfully:
>
>     ipsec     primary tunnel ap tunnel ip           :10.254.0.1
>
>
> But why peer tunnel ip is "1.1.1.127"
>
>     ipsec     primary tunnel peer tunnel ip         :1.1.1.127
>
>
> We can establish vpn connections from APs to Aruba Controllers and 
> that time APs get ip addresses as expected:
>
>     ipsec     primary tunnel ap tunnel ip           :10.254.0.1
>
>     ipsec     primary tunnel peer tunnel ip         :<public ip of
>     aruba controller>
>
> Are we missing something?
>
> Also, the VPN connection to strongswan restarts about every 3 hours. The AP 
> disconnects and reconnects because of packet loss. This should be the 
> subject of another topic; I mention it here in case it is related to that.
>
> Thanks for help.
>
> 2017-12-28 16:12 GMT+03:00 Noel Kuntze 
> <noel.kuntze+strongswan-users-ml at thermi.consulting>:
>
>     Hello,
>
>     It's because you set "rightsubnet=0.0.0.0/0"
>     and evidently the AP proposes "1.1.1.127" as its local TS, so it
>     gets narrowed to that. I propose you delete those two lines.
>
>     Kind regards
>
>     Noel
>
>     On 27.12.2017 11:01, Yusuf Güngör wrote:
>     > Hi,
>     >
>     > I have a configuration like below and VPN connection
>     successfully established but client side get "1.1.1.127" as tunnel
>     IP. Can we change this tunnel IP? I can not find any clue about
>     why StrongSwan assign "1.1.1.127" as tunnel IP to clients?
>     >
>     > Thanks.
>     >
>     >
>     > *StrongSwan Config (Left)*
>     >
>     >     conn vpn-test
>     >       left=%defaultroute
>     >       leftsubnet=172.30.1.1/25
>     >       leftauth=psk
>     >       leftfirewall=no
>     >       right=%any
>     >       rightsubnet=0.0.0.0/0
>     >       rightsourceip=10.254.0.0/24
>     >       auto=add
>     >       keyexchange=ikev1
>     >       rightauth=psk
>     >       rightauth2=xauth
>     >       type=tunnel
>     >       mobike=yes
>     >       rightid=%any
>     >
>     >
>     > *Client VPN Status: (Aruba Instant AP - Right)*
>     >
>     >     current using tunnel :primary tunnel
>     >     current tunnel using time  :1 hour 43 minutes 31 seconds
>     >     ipsec is preempt status  :disable
>     >     ipsec is fast failover status  :disable
>     >     ipsec hold on period :0s
>     >     ipsec tunnel monitor frequency (seconds/packet) :5
>     >     ipsec tunnel monitor timeout by lost packet cnt :6
>     >
>     >     ipsec     primary tunnel crypto type :PSK
>     >     ipsec     primary tunnel peer address  :52.55.49.104
>     >     ipsec     primary tunnel peer tunnel ip  :1.1.1.127
>     >     ipsec     primary tunnel ap tunnel ip  :10.254.0.1
>     >     ipsec     primary tunnel using interface :tun0
>     >     ipsec     primary tunnel using MTU :1230
>     >     ipsec     primary tunnel current sm status :Up
>     >     ipsec     primary tunnel tunnel status :Up
>     >     ipsec     primary tunnel tunnel retry times  :6
>     >     ipsec     primary tunnel tunnel uptime :1 hour 43 minutes 31 seconds
>     >
>     >     ipsec      backup tunnel crypto type :PSK
>     >     ipsec      backup tunnel peer address  :N/A
>     >     ipsec      backup tunnel peer tunnel ip  :N/A
>     >     ipsec      backup tunnel ap tunnel ip  :N/A
>     >     ipsec      backup tunnel using interface :N/A
>     >     ipsec      backup tunnel using MTU :N/A
>     >     ipsec      backup tunnel current sm status :Init
>     >     ipsec      backup tunnel tunnel status :Down
>     >     ipsec      backup tunnel tunnel retry times  :0
>     >     ipsec      backup tunnel tunnel
>     >
>     >
>
>
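As an added illustration of the point Noel and Jafar make above (this is not part of the thread and not strongSwan project code): the responder-side ipsec.conf from the original post, with the one line the thread is about changed. With rightsubnet=0.0.0.0/0 the responder offers the whole address space as the remote traffic selector and strongSwan narrows it to whatever the client proposes, which in the post is 1.1.1.127. Omitting rightsubnet, or setting it to %dynamic, ties the remote TS to the peer's own address, which for a client that receives an address from rightsourceip is the assigned virtual IP. Everything else is copied from the post; 172.30.1.0/25 is the network form of the 172.30.1.1/25 the post wrote, and the conn name is kept.

```ini
# Responder side ("left" = strongSwan). Copied from the original post except
# for the rightsubnet line and the leftsubnet host bits.
conn vpn-test
  keyexchange=ikev1
  left=%defaultroute
  # Post had 172.30.1.1/25; the network address of that prefix is 172.30.1.0/25.
  leftsubnet=172.30.1.0/25
  leftauth=psk
  leftfirewall=no
  right=%any
  rightid=%any
  rightauth=psk
  rightauth2=xauth
  # Was:  rightsubnet=0.0.0.0/0
  # That offers "any" as the remote TS, so the negotiated TS becomes whatever
  # the AP proposes (1.1.1.127 in the post) instead of its assigned tunnel IP.
  # %dynamic (or no rightsubnet line at all) means "the peer's own address",
  # which for a rightsourceip client is the virtual IP it was given.
  rightsubnet=%dynamic
  rightsourceip=10.254.0.0/24
  type=tunnel
  # mobike is an IKEv2 feature; it has no effect on an ikev1 conn and can go.
  mobike=yes
  auto=add
```

After reloading the config and letting an AP reconnect, `ipsec statusall` shows the CHILD_SA's traffic selectors on the line for the conn; the expected shape with the corrected setting is the left subnet against a single host from the pool, for example `172.30.1.0/25 === 10.254.0.1/32`, rather than `172.30.1.0/25 === 1.1.1.127/32`.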
