[strongSwan] IPSec Tunnel IP

Yusuf Güngör yusufyusufyusuf at gmail.com
Fri Jan 12 11:11:05 CET 2018


Hi,

There is no setting on the AP side for this. I have asked the Aruba Community. Can
we say that there is nothing to do with that strange "1.1.1.127" IP at
StrongSwan side?

Thanks.

2018-01-11 20:37 GMT+03:00 Jafar Al-Gharaibeh <jafar at atcorp.com>:

> you also have to delete the setting at the AP side, just get rid of this:
>
>   ipsec     primary tunnel peer tunnel ip         :1.1.1.127
>
> --Jafar
>
>
> On 1/11/2018 2:06 AM, Yusuf Güngör wrote:
>
> Hi Jafar,
>
> I have tried both deleting "rightsubnet=0.0.0.0/0" and adding
> "rightsubnet=%dynamic" now. AP still gets "1.1.1.127" as peer tunnel ip.
>
> ipsec     primary tunnel peer tunnel ip        :1.1.1.127
> ipsec     primary tunnel ap tunnel ip           :10.254.0.1
>
> Is the problem caused by the AP side?
>
>
> 2018-01-10 21:00 GMT+03:00 Jafar Al-Gharaibeh <jafar at atcorp.com>:
>
>> Yusuf,
>>
>>   Have you tried deleting "rightsubnet=0.0.0.0/0" as Noel suggested
>> below?
>>
>>   In a dynamic address setup like this I usually do (Which has the same
>> effect of deleting it):
>>
>>   rightsubnet=%dynamic
>>
>>
>> --Jafar
>>
>>
>> On 1/10/2018 4:28 AM, Yusuf Güngör wrote:
>>
>> Hi Noel,
>>
>> We have APs which are located at various locations. APs get IP from
>> strongswan.
>>
>> We have to add the "rightsubnet=0.0.0.0/0" to let APs connect. (We do
>> not know the APs' private-public IP addresses)
>>
>> We have to add the "rightsourceip=10.254.0.0/24" to give APs tunnel IP.
>>
>> APs can get IP from the "rightsourceip" pool successfully:
>>
>> ipsec     primary tunnel ap tunnel ip           :10.254.0.1
>>
>>
>> But why is the peer tunnel IP "1.1.1.127"?
>>
>> ipsec     primary tunnel peer tunnel ip         :1.1.1.127
>>
>>
>> We can establish VPN connections from APs to Aruba Controllers, and that
>> time APs get IP addresses as expected:
>>
>> ipsec     primary tunnel ap tunnel ip           :10.254.0.1
>>
>> ipsec     primary tunnel peer tunnel ip         :<public ip of aruba controller>
>>
>> Are we missing something?
>>
>> Also, VPN connection to strongswan restarts about every 3 hours. AP
>> disconnects and reconnects because of packet loss. This should be the subject of
>> another topic; I wrote it in case something is related to that.
>>
>> Thanks for help.
>>
>> 2017-12-28 16:12 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:
>>
>>> Hello,
>>>
>>> It's because you set "rightsubnet=0.0.0.0/0" and evidently the AP
>>> proposes "1.1.1.127" as its local TS, so it gets narrowed to that. I
>>> propose you delete those two lines.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 27.12.2017 11:01, Yusuf Güngör wrote:
>>> > Hi,
>>> >
>>> > I have a configuration like below and VPN connection successfully
>>> > established but client side gets "1.1.1.127" as tunnel IP. Can we change
>>> > this tunnel IP? I cannot find any clue about why StrongSwan assigns
>>> > "1.1.1.127" as tunnel IP to clients?
>>> >
>>> > Thanks.
>>> >
>>> >
>>> > *StrongSwan Config (Left)*
>>> >
>>> >     conn vpn-test
>>> >       left=%defaultroute
>>> >       leftsubnet=172.30.1.1/25
>>> >       leftauth=psk
>>> >       leftfirewall=no
>>> >       right=%any
>>> >       rightsubnet=0.0.0.0/0
>>> >       rightsourceip=10.254.0.0/24
>>> >       auto=add
>>> >       keyexchange=ikev1
>>> >       rightauth=psk
>>> >       rightauth2=xauth
>>> >       type=tunnel
>>> >       mobike=yes
>>> >       rightid=%any
>>> >
>>> >
>>> > *Client VPN Status: (Aruba Instant AP - Right)*
>>> >
>>> >     current using tunnel                            :primary tunnel
>>> >     current tunnel using time                       :1 hour 43 minutes 31 seconds
>>> >     ipsec is preempt status                         :disable
>>> >     ipsec is fast failover status                   :disable
>>> >     ipsec hold on period                            :0s
>>> >     ipsec tunnel monitor frequency (seconds/packet) :5
>>> >     ipsec tunnel monitor timeout by lost packet cnt :6
>>> >
>>> >     ipsec     primary tunnel crypto type            :PSK
>>> >     ipsec     primary tunnel peer address           :52.55.49.104
>>> >     ipsec     primary tunnel peer tunnel ip         :1.1.1.127
>>> >     ipsec     primary tunnel ap tunnel ip           :10.254.0.1
>>> >     ipsec     primary tunnel using interface        :tun0
>>> >     ipsec     primary tunnel using MTU              :1230
>>> >     ipsec     primary tunnel current sm status      :Up
>>> >     ipsec     primary tunnel tunnel status          :Up
>>> >     ipsec     primary tunnel tunnel retry times     :6
>>> >     ipsec     primary tunnel tunnel uptime          :1 hour 43 minutes 31 seconds
>>> >
>>> >     ipsec      backup tunnel crypto type            :PSK
>>> >     ipsec      backup tunnel peer address           :N/A
>>> >     ipsec      backup tunnel peer tunnel ip         :N/A
>>> >     ipsec      backup tunnel ap tunnel ip           :N/A
>>> >     ipsec      backup tunnel using interface        :N/A
>>> >     ipsec      backup tunnel using MTU              :N/A
>>> >     ipsec      backup tunnel current sm status      :Init
>>> >     ipsec      backup tunnel tunnel status          :Down
>>> >     ipsec      backup tunnel tunnel retry times     :0
>>> >     ipsec      backup tunnel tunnel
>>> >
>>> >
>>>
>>
>>
>>
>
>
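
The narrowing Noel describes in the quoted reply, as an added example that is not part of the original thread and not strongSwan's code: a simplified Python model that intersects the peer's proposed traffic selector with the configured `rightsubnet`. The function names are hypothetical, and resolving `%dynamic` to the virtual IP handed out from `rightsourceip` (10.254.0.1 here) is an assumption of the model.

```python
import ipaddress

# Constructed from the conn options quoted in the thread.
CONN = """
conn vpn-test
  right=%any
  rightsubnet=0.0.0.0/0
  rightsourceip=10.254.0.0/24
"""

def parse_conn(text):
    """Return the key=value options of a single ipsec.conf conn stanza."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def remote_selectors(opts, virtual_ip):
    """Configured remote TS; a missing rightsubnet is treated as %dynamic."""
    nets = []
    for item in opts.get("rightsubnet", "%dynamic").split(","):
        item = item.strip()
        if item == "%dynamic":
            # Assumption: %dynamic resolves to the virtual IP given to the peer.
            nets.append(ipaddress.ip_network(virtual_ip + "/32"))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def narrow(configured, proposed):
    """Intersect the peer's proposed TS with each configured TS."""
    proposed = ipaddress.ip_network(proposed, strict=False)
    result = []
    for net in configured:
        if proposed.subnet_of(net):      # proposal fits inside the config
            result.append(proposed)
        elif net.subnet_of(proposed):    # config is the smaller of the two
            result.append(net)
    return result

def negotiate(conn_text, proposed, virtual_ip="10.254.0.1"):
    """Selectors left after narrowing; an empty list means none in common."""
    configured = remote_selectors(parse_conn(conn_text), virtual_ip)
    return [str(n) for n in narrow(configured, proposed)]
```

With `rightsubnet=0.0.0.0/0` any selector the peer proposes survives narrowing unchanged, which is why the gateway side should be limited to the addresses it actually assigns.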