[strongSwan] IPSec Tunnel IP
Jafar Al-Gharaibeh
jafar at atcorp.com
Thu Jan 11 18:37:48 CET 2018
You also have to delete the setting at the AP side, just get rid of this:
ipsec primary tunnel peer tunnel ip :1.1.1.127
--Jafar
On 1/11/2018 2:06 AM, Yusuf Güngör wrote:
> Hi Jafar,
>
> I have tried both deleting "rightsubnet=0.0.0.0/0"
> and adding "rightsubnet=%dynamic" now. AP still gets "1.1.1.127" as
> peer tunnel ip.
>
> ipsec primary tunnel peer tunnel ip :1.1.1.127
> ipsec primary tunnel ap tunnel ip :10.254.0.1
>
> Is the problem caused by the AP side?
>
>
> 2018-01-10 21:00 GMT+03:00 Jafar Al-Gharaibeh <jafar at atcorp.com>:
>
> Yusuf,
>
> Have you tried deleting "rightsubnet=0.0.0.0/0" as Noel suggested below?
>
> In a dynamic address setup like this I usually do (which has the
> same effect as deleting it):
>
> rightsubnet=%dynamic
>
>
> --Jafar
>
>
> On 1/10/2018 4:28 AM, Yusuf Güngör wrote:
>> Hi Noel,
>>
>> We have APs which are located at various locations. APs get an IP from
>> strongSwan.
>>
>> We have to add the "rightsubnet=0.0.0.0/0" to
>> let APs connect. (We do not know the APs' private/public IP addresses.)
>>
>> We have to add the "rightsourceip=10.254.0.0/24" to give APs a tunnel IP.
>>
>> APs can get an IP from the "rightsourceip" pool successfully:
>>
>> ipsec primary tunnel ap tunnel ip :10.254.0.1
>>
>>
>> But why is the peer tunnel IP "1.1.1.127"?
>>
>> ipsec primary tunnel peer tunnel ip :1.1.1.127
>>
>>
>> We can establish VPN connections from APs to Aruba Controllers,
>> and in that case APs get IP addresses as expected:
>>
>> ipsec primary tunnel ap tunnel ip :10.254.0.1
>>
>> ipsec primary tunnel peer tunnel ip :<public ip of aruba controller>
>>
>> Are we missing something?
>>
>> Also, the VPN connection to strongSwan restarts about every 3 hours.
>> APs disconnect and reconnect because of packet loss. This should
>> be the subject of another topic; I wrote it here in case it is related to
>> that.
>>
>> Thanks for help.
>>
>> 2017-12-28 16:12 GMT+03:00 Noel Kuntze
>> <noel.kuntze+strongswan-users-ml at thermi.consulting>:
>>
>> Hello,
>>
>> It's because you set "rightsubnet=0.0.0.0/0" and evidently the AP
>> proposes "1.1.1.127" as its local TS, so it gets narrowed to that.
>> I propose you delete those two lines.
>>
>> Kind regards
>>
>> Noel
>>
>> On 27.12.2017 11:01, Yusuf Güngör wrote:
>> > Hi,
>> >
>> > I have a configuration like below and the VPN connection is
>> successfully established, but the client side gets "1.1.1.127" as
>> tunnel IP. Can we change this tunnel IP? I can not find any
>> clue about why strongSwan assigns "1.1.1.127" as tunnel IP to
>> clients.
>> >
>> > Thanks.
>> >
>> >
>> > *StrongSwan Config (Left)*
>> >
>> > conn vpn-test
>> >     left=%defaultroute
>> >     leftsubnet=172.30.1.1/25
>> >     leftauth=psk
>> >     leftfirewall=no
>> >     right=%any
>> >     rightsubnet=0.0.0.0/0
>> >     rightsourceip=10.254.0.0/24
>> >     auto=add
>> >     keyexchange=ikev1
>> >     rightauth=psk
>> >     rightauth2=xauth
>> >     type=tunnel
>> >     mobike=yes
>> >     rightid=%any
>> >
>> >
>> > *Client VPN Status: (Aruba Instant AP - Right)*
>> >
>> > current using tunnel :primary tunnel
>> > current tunnel using time :1 hour 43 minutes 31 seconds
>> > ipsec is preempt status :disable
>> > ipsec is fast failover status :disable
>> > ipsec hold on period :0s
>> > ipsec tunnel monitor frequency (seconds/packet) :5
>> > ipsec tunnel monitor timeout by lost packet cnt :6
>> >
>> > ipsec primary tunnel crypto type :PSK
>> > ipsec primary tunnel peer address :52.55.49.104
>> > ipsec primary tunnel peer tunnel ip :1.1.1.127
>> > ipsec primary tunnel ap tunnel ip :10.254.0.1
>> > ipsec primary tunnel using interface :tun0
>> > ipsec primary tunnel using MTU :1230
>> > ipsec primary tunnel current sm status :Up
>> > ipsec primary tunnel tunnel status :Up
>> > ipsec primary tunnel tunnel retry times :6
>> > ipsec primary tunnel tunnel uptime :1 hour 43 minutes 31 seconds
>> >
>> > ipsec backup tunnel crypto type :PSK
>> > ipsec backup tunnel peer address :N/A
>> > ipsec backup tunnel peer tunnel ip :N/A
>> > ipsec backup tunnel ap tunnel ip :N/A
>> > ipsec backup tunnel using interface :N/A
>> > ipsec backup tunnel using MTU :N/A
>> > ipsec backup tunnel current sm status :Init
>> > ipsec backup tunnel tunnel status :Down
>> > ipsec backup tunnel tunnel retry times :0
>> > ipsec backup tunnel tunnel
>> >
>> >
>>
>>
>
>
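The narrowing trap Noel describes (a wide rightsubnet lets the peer's own proposed traffic selector win) is easy to miss in a long ipsec.conf, so here is a small lint that flags it and cross-checks the AP status output against the rightsourceip pool. This is an added example written for this thread, not strongSwan's own code; the sample config and status lines are constructed from what was posted above, and the function names (parse_conns, check_conn, parse_tunnel_ips, ts_in_pool) are my own.

```python
"""Lint strongSwan ipsec.conf 'conn' sections for a wide rightsubnet combined
with rightsourceip, and check AP tunnel status lines against the pool.
Added example for the mailing-list thread; not part of strongSwan."""
import ipaddress
import re

# Constructed sample modelled on the configuration posted in the thread.
SAMPLE_CONF = """
conn vpn-test
    left=%defaultroute
    leftsubnet=172.30.1.1/25   # local side
    leftauth=psk
    right=%any
    rightsubnet=0.0.0.0/0      # the problematic line
    rightsourceip=10.254.0.0/24
    auto=add
    keyexchange=ikev1
"""

# Constructed sample of the Aruba AP status lines quoted in the thread.
SAMPLE_STATUS = """
ipsec primary tunnel peer tunnel ip :1.1.1.127
ipsec primary tunnel ap tunnel ip :10.254.0.1
ipsec backup tunnel peer tunnel ip :N/A
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    'conn' lines start in column 0; settings are indented key=value pairs.
    Comments after '#' are stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r'^conn\s+(\S+)', line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return conns


def check_conn(name, opts):
    """Return finding strings for one conn section (empty list = clean).

    A rightsubnet covering the whole address space together with a
    rightsourceip pool means whatever local TS the client proposes will
    be accepted after narrowing; %dynamic ties the TS to the leased IP."""
    findings = []
    rs = opts.get('rightsubnet')
    pool = opts.get('rightsourceip')
    if rs and rs != '%dynamic' and pool:
        try:
            wide = ipaddress.ip_network(rs, strict=False).prefixlen == 0
        except ValueError:
            wide = False
        if wide:
            findings.append(
                f"{name}: rightsubnet={rs} with rightsourceip={pool}; "
                "peer may propose any local TS. Use rightsubnet=%dynamic "
                "or drop the line.")
    return findings


def parse_tunnel_ips(status):
    """Return {(tunnel, role): ip} from AP status lines such as
    'ipsec primary tunnel peer tunnel ip :1.1.1.127'. 'N/A' is skipped."""
    ips = {}
    pat = re.compile(r'ipsec (\w+) tunnel (peer|ap) tunnel ip\s*:(\S+)')
    for line in status.splitlines():
        m = pat.match(line.strip())
        if m and m.group(3) != 'N/A':
            ips[(m.group(1), m.group(2))] = m.group(3)
    return ips


def ts_in_pool(pool, ip):
    """True if the address lies inside the configured rightsourceip pool."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pool, strict=False)


if __name__ == '__main__':
    conns = parse_conns(SAMPLE_CONF)
    for name, opts in conns.items():
        for f in check_conn(name, opts):
            print('WARN', f)
    pool = conns['vpn-test']['rightsourceip']
    for (tunnel, role), ip in parse_tunnel_ips(SAMPLE_STATUS).items():
        print(tunnel, role, ip, 'in pool' if ts_in_pool(pool, ip) else 'OUTSIDE pool')
```

Run against the sample, the lint warns on vpn-test, reports the AP's own tunnel IP 10.254.0.1 as inside the pool and the peer tunnel IP 1.1.1.127 as outside it, which is exactly the symptom in the thread; switching the sample to rightsubnet=%dynamic clears the warning.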