[strongSwan] IPSec Tunnel IP
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jan 12 11:14:38 CET 2018
Yes, strongSwan has nothing to do with that IP. Btw, don't use 0.0.0.0/0. Assign a virtual IP instead and use that to contact the APs.
Kind regards
Noel
On 12.01.2018 11:11, Yusuf Güngör wrote:
> Hi,
>
> There is no setting at the AP side for this. I have asked the Aruba Community. Can we say that the strange "1.1.1.127" IP has nothing to do with the strongSwan side?
>
> Thanks.
>
> 2018-01-11 20:37 GMT+03:00 Jafar Al-Gharaibeh <jafar at atcorp.com>:
>
> you also have to delete the setting at the AP side, just get rid of this:
>
> ipsec primary tunnel peer tunnel ip :1.1.1.127
>
> --Jafar
>
>
> On 1/11/2018 2:06 AM, Yusuf Güngör wrote:
>> Hi Jafar,
>>
>> I have tried both deleting "rightsubnet=0.0.0.0/0" and adding "rightsubnet=%dynamic" now. The AP still gets "1.1.1.127" as the peer tunnel IP.
>>
>> ipsec primary tunnel peer tunnel ip :1.1.1.127
>> ipsec primary tunnel ap tunnel ip :10.254.0.1
>>
>> Is the problem caused by the AP side?
>>
>>
>> 2018-01-10 21:00 GMT+03:00 Jafar Al-Gharaibeh <jafar at atcorp.com>:
>>
>> Yusuf,
>>
>> Have you tried deleting "rightsubnet=0.0.0.0/0" as Noel suggested below?
>>
>> In a dynamic address setup like this I usually do the following (which has the same effect as deleting it):
>>
>> rightsubnet=%dynamic
>>
>>
>> --Jafar
>>
>>
>> On 1/10/2018 4:28 AM, Yusuf Güngör wrote:
>>> Hi Noel,
>>>
>>> We have APs located at various locations. The APs get their IP from strongSwan.
>>>
>>> We have to add "rightsubnet=0.0.0.0/0" to let the APs connect. (We do not know the APs' private/public IP addresses.)
>>>
>>> We have to add "rightsourceip=10.254.0.0/24" to give the APs a tunnel IP.
>>>
>>> The APs can get an IP from the "rightsourceip" pool successfully:
>>>
>>> ipsec primary tunnel ap tunnel ip :10.254.0.1
>>>
>>>
>>> But why is the peer tunnel IP "1.1.1.127"?
>>>
>>> ipsec primary tunnel peer tunnel ip :1.1.1.127
>>>
>>>
>>> We can establish VPN connections from the APs to Aruba Controllers, and in that case the APs get IP addresses as expected:
>>>
>>> ipsec primary tunnel ap tunnel ip :10.254.0.1
>>>
>>> ipsec primary tunnel peer tunnel ip :<public ip of aruba controller>
>>>
>>> Are we missing something?
>>>
>>> Also, the VPN connection to strongSwan restarts about every 3 hours. The APs disconnect and reconnect because of packet loss. This should be the subject of another topic; I mention it here in case it is related.
>>>
>>> Thanks for help.
>>>
>>> 2017-12-28 16:12 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:
>>>
>>> Hello,
>>>
>>> It's because you set "rightsubnet=0.0.0.0/0" and evidently the AP proposes "1.1.1.127" as its local TS, so it gets narrowed to that. I propose you delete those two lines.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 27.12.2017 11:01, Yusuf Güngör wrote:
>>> > Hi,
>>> >
>>> > I have a configuration like below and the VPN connection is successfully established, but the client side gets "1.1.1.127" as its tunnel IP. Can we change this tunnel IP? I cannot find any clue about why strongSwan assigns "1.1.1.127" as the tunnel IP to clients.
>>> >
>>> > Thanks.
>>> >
>>> >
>>> > *StrongSwan Config (Left)*
>>> >
>>> > conn vpn-test
>>> >     left=%defaultroute
>>> >     leftsubnet=172.30.1.1/25
>>> >     leftauth=psk
>>> >     leftfirewall=no
>>> >     right=%any
>>> >     rightsubnet=0.0.0.0/0
>>> >     rightsourceip=10.254.0.0/24
>>> >     auto=add
>>> >     keyexchange=ikev1
>>> >     rightauth=psk
>>> >     rightauth2=xauth
>>> >     type=tunnel
>>> >     mobike=yes
>>> >     rightid=%any
>>> >
>>> >
>>> > *Client VPN Status: (Aruba Instant AP - Right)*
>>> >
>>> > current using tunnel :primary tunnel
>>> > current tunnel using time :1 hour 43 minutes 31 seconds
>>> > ipsec is preempt status :disable
>>> > ipsec is fast failover status :disable
>>> > ipsec hold on period :0s
>>> > ipsec tunnel monitor frequency (seconds/packet) :5
>>> > ipsec tunnel monitor timeout by lost packet cnt :6
>>> >
>>> > ipsec primary tunnel crypto type :PSK
>>> > ipsec primary tunnel peer address :52.55.49.104
>>> > ipsec primary tunnel peer tunnel ip :1.1.1.127
>>> > ipsec primary tunnel ap tunnel ip :10.254.0.1
>>> > ipsec primary tunnel using interface :tun0
>>> > ipsec primary tunnel using MTU :1230
>>> > ipsec primary tunnel current sm status :Up
>>> > ipsec primary tunnel tunnel status :Up
>>> > ipsec primary tunnel tunnel retry times :6
>>> > ipsec primary tunnel tunnel uptime :1 hour 43 minutes 31 seconds
>>> >
>>> > ipsec backup tunnel crypto type :PSK
>>> > ipsec backup tunnel peer address :N/A
>>> > ipsec backup tunnel peer tunnel ip :N/A
>>> > ipsec backup tunnel ap tunnel ip :N/A
>>> > ipsec backup tunnel using interface :N/A
>>> > ipsec backup tunnel using MTU :N/A
>>> > ipsec backup tunnel current sm status :Init
>>> > ipsec backup tunnel tunnel status :Down
>>> > ipsec backup tunnel tunnel retry times :0
>>> > ipsec backup tunnel tunnel
>>> >
>>> >
>>>
>>>
>>
>>
>
>
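The configuration discussed in the thread, written out as an added example (it is not taken from the thread or from the strongSwan project): the conn block as posted, with the line that lets the AP dictate its own traffic selector, beside a corrected variant that follows Jafar's and Noel's advice. The conn names are assumptions; every option used is a standard ipsec.conf keyword.

```conf
# Added example, not from the original post. Responder (left) side ipsec.conf.
# right=%any already accepts a peer from any address, so rightsubnet=0.0.0.0/0
# is not needed for the APs to connect; it only widens what the AP may claim
# as its side of the tunnel.

# --- As posted: the remote TS matches whatever the AP proposes ----------
conn vpn-test-as-posted
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=172.30.1.1/25
    leftauth=psk
    leftfirewall=no
    right=%any
    rightid=%any
    rightauth=psk
    rightauth2=xauth
    rightsubnet=0.0.0.0/0        # PROBLEM: any local TS the AP proposes
                                 # (here 1.1.1.127) fits inside 0.0.0.0/0
                                 # and is accepted, so the AP ends up with
                                 # a "peer tunnel ip" strongSwan never chose
    rightsourceip=10.254.0.0/24
    type=tunnel
    mobike=yes                   # MOBIKE is IKEv2-only; ignored with ikev1
    auto=add

# --- Corrected: the remote TS is the virtual IP handed out from the pool -
conn vpn-test
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=172.30.1.1/25
    leftauth=psk
    leftfirewall=no
    right=%any
    rightid=%any
    rightauth=psk
    rightauth2=xauth
    rightsubnet=%dynamic         # same effect as leaving rightsubnet out:
                                 # the remote TS is the peer's (virtual) IP
    rightsourceip=10.254.0.0/24  # pool the APs draw their tunnel IP from
    type=tunnel
    auto=add
```

After `ipsec reload` and a reconnect from the AP, `ipsec statusall` shows the negotiated traffic selectors of the CHILD_SA on a line of the form `172.30.1.0/25 === 10.254.0.1/32`; with the posted configuration the right-hand side is whatever the AP proposed instead of the pool address. Keeping the remote selector pinned to the assigned virtual IP also matters beyond tidiness: with a shared PSK and `rightsubnet=0.0.0.0/0`, any peer that knows the PSK can propose an arbitrary source address for traffic it sends through the tunnel, and the responder's policy will accept it.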