[strongSwan] IPSec Tunnel IP

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jan 12 11:14:38 CET 2018


Yes, strongSwan has nothing to do with that IP. Btw, don't use 0.0.0.0/0. Assign a virtual IP instead and use that to contact the APs.

Kind regards

Noel

On 12.01.2018 11:11, Yusuf Güngör wrote:
> Hi,
> 
> There is no setting at AP side for this. I have asked Aruba Community. Can we say that there is nothing to do with that strange "1.1.1.127" IP on the StrongSwan side?
> 
> Thanks.
> 
> 2018-01-11 20:37 GMT+03:00 Jafar Al-Gharaibeh <jafar at atcorp.com>:
> 
>     you also have to delete the setting at the AP side, just get rid of this:
> 
>       ipsec     primary tunnel peer tunnel ip         :1.1.1.127
> 
>     --Jafar
> 
> 
>     On 1/11/2018 2:06 AM, Yusuf Güngör wrote:
>>     Hi Jafar,
>>
>>     I have tried both deleting "rightsubnet=0.0.0.0/0" and adding "rightsubnet=%dynamic" now. The AP still gets "1.1.1.127" as peer tunnel IP.
>>
>>     ipsec     primary tunnel peer tunnel ip        :1.1.1.127
>>     ipsec     primary tunnel ap tunnel ip           :10.254.0.1
>>
>>     Is the problem caused from the AP side?
>>
>>
>>     2018-01-10 21:00 GMT+03:00 Jafar Al-Gharaibeh <jafar at atcorp.com>:
>>
>>         Yusuf,
>>
>>           Have you tried deleting "rightsubnet=0.0.0.0/0" as Noel suggested below?
>>
>>           In a dynamic address setup like this I usually do (which has the same effect as deleting it):
>>
>>           rightsubnet=%dynamic
>>
>>          
>>         --Jafar
>>
>>
>>         On 1/10/2018 4:28 AM, Yusuf Güngör wrote:
>>>         Hi Noel,
>>>
>>>         We have APs which are located at various locations. APs get IP from strongswan.
>>>
>>>         We have to add "rightsubnet=0.0.0.0/0" to let APs connect. (We do not know the APs' private/public IP addresses.)
>>>
>>>         We have to add "rightsourceip=10.254.0.0/24" to give APs a tunnel IP.
>>>
>>>         APs can get an IP from the "rightsourceip" pool successfully:
>>>
>>>             ipsec     primary tunnel ap tunnel ip           :10.254.0.1
>>>
>>>
>>>         But why is the peer tunnel IP "1.1.1.127"?
>>>
>>>             ipsec     primary tunnel peer tunnel ip         :1.1.1.127
>>>
>>>
>>>         We can establish vpn connections from APs to Aruba Controllers and that time APs get ip addresses as expected:
>>>
>>>             ipsec     primary tunnel ap tunnel ip           :10.254.0.1
>>>
>>>             ipsec     primary tunnel peer tunnel ip         :<public ip of aruba controller>
>>>
>>>         Are we missing something?
>>>
>>>         Also, the VPN connection to strongswan restarts about every 3 hours. APs disconnect and reconnect because of packet loss. This should be the subject of another topic; I wrote it here in case something is related to that.
>>>
>>>         Thanks for help.
>>>
>>>         2017-12-28 16:12 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:
>>>
>>>             Hello,
>>>
>>>             It's because you set "rightsubnet=0.0.0.0/0" and evidently the AP proposes "1.1.1.127" as its local TS, so it gets narrowed to that. I propose you delete those two lines.
>>>
>>>             Kind regards
>>>
>>>             Noel
>>>
>>>             On 27.12.2017 11:01, Yusuf Güngör wrote:
>>>             > Hi,
>>>             >
>>>             > I have a configuration like below and the VPN connection is successfully established, but the client side gets "1.1.1.127" as tunnel IP. Can we change this tunnel IP? I cannot find any clue about why StrongSwan assigns "1.1.1.127" as tunnel IP to clients.
>>>             >
>>>             > Thanks.
>>>             >
>>>             >
>>>             > *StrongSwan Config (Left)*
>>>             >
>>>             >     conn vpn-test
>>>             >       left=%defaultroute
>>>             >       leftsubnet=172.30.1.1/25
>>>             >       leftauth=psk
>>>             >       leftfirewall=no
>>>             >       right=%any
>>>             >       rightsubnet=0.0.0.0/0
>>>             >       rightsourceip=10.254.0.0/24
>>>             >       auto=add
>>>             >       keyexchange=ikev1
>>>             >       rightauth=psk
>>>             >       rightauth2=xauth
>>>             >       type=tunnel
>>>             >       mobike=yes
>>>             >       rightid=%any
>>>             >
>>>             >
>>>             > *Client VPN Status: (Aruba Instant AP - Right)*
>>>             >
>>>             >     current using tunnel                            :primary tunnel
>>>             >     current tunnel using time                       :1 hour 43 minutes 31 seconds 
>>>             >     ipsec is preempt status                         :disable
>>>             >     ipsec is fast failover status                   :disable
>>>             >     ipsec hold on period                            :0s
>>>             >     ipsec tunnel monitor frequency (seconds/packet) :5
>>>             >     ipsec tunnel monitor timeout by lost packet cnt :6
>>>             >
>>>             >     ipsec     primary tunnel crypto type            :PSK
>>>             >     ipsec     primary tunnel peer address           :52.55.49.104
>>>             >     ipsec     primary tunnel peer tunnel ip         :1.1.1.127
>>>             >     ipsec     primary tunnel ap tunnel ip           :10.254.0.1
>>>             >     ipsec     primary tunnel using interface        :tun0
>>>             >     ipsec     primary tunnel using MTU              :1230
>>>             >     ipsec     primary tunnel current sm status      :Up
>>>             >     ipsec     primary tunnel tunnel status          :Up
>>>             >     ipsec     primary tunnel tunnel retry times     :6
>>>             >     ipsec     primary tunnel tunnel uptime          :1 hour 43 minutes 31 seconds 
>>>             >
>>>             >     ipsec      backup tunnel crypto type            :PSK
>>>             >     ipsec      backup tunnel peer address           :N/A
>>>             >     ipsec      backup tunnel peer tunnel ip         :N/A
>>>             >     ipsec      backup tunnel ap tunnel ip           :N/A
>>>             >     ipsec      backup tunnel using interface        :N/A
>>>             >     ipsec      backup tunnel using MTU              :N/A
>>>             >     ipsec      backup tunnel current sm status      :Init
>>>             >     ipsec      backup tunnel tunnel status          :Down
>>>             >     ipsec      backup tunnel tunnel retry times     :0
>>>             >     ipsec      backup tunnel tunnel
>>>             >
>>>             >
>>>
>>>
>>
>>
> 
> 
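A simplified model of the traffic-selector narrowing Noel describes, added here as an example and not code from the thread or from strongSwan: it assumes the remote TS becomes the overlap of the configured rightsubnet and what the peer proposes, and that a virtual IP handed out from rightsourceip pins the remote selector to that address when rightsubnet is deleted or set to %dynamic.

```python
from ipaddress import ip_network

# Constructed sample values taken from the thread: the wildcard rightsubnet,
# the pool-assigned AP tunnel IP and the odd selector the AP proposes.
WILDCARD_SUBNET = "0.0.0.0/0"
ASSIGNED_VIP = "10.254.0.1"        # from rightsourceip=10.254.0.0/24
AP_PROPOSED_TS = "1.1.1.127/32"    # what the AP offers as its local TS


def narrow_ts(configured: str, proposed: str):
    """Overlap of a configured and a proposed IPv4 traffic selector, or None.

    Assumption: a simplified model of selector narrowing in which the remote
    TS becomes the intersection of what the conn allows and what the peer
    proposes; disjoint selectors mean the IPsec SA is not set up.
    """
    cfg = ip_network(configured, strict=False)
    prop = ip_network(proposed, strict=False)
    if cfg.supernet_of(prop):
        return prop
    if prop.supernet_of(cfg):
        return cfg
    return None


def effective_remote_ts(rightsubnet, assigned_vip: str, proposed: str):
    """Remote TS the responder ends up with for one peer (model, see above).

    rightsubnet=None models the line being deleted; "%dynamic" is Jafar's
    equivalent. In both cases the remote TS is pinned to the virtual IP the
    peer was handed (assumption about strongSwan with rightsourceip). A
    wildcard rightsubnet instead accepts whatever selector the peer claims.
    """
    if rightsubnet in (None, "%dynamic"):
        configured = f"{assigned_vip}/32"
    else:
        configured = rightsubnet
    return narrow_ts(configured, proposed)


def main():
    # Thread's original config: the wildcard narrows to the AP's 1.1.1.127.
    print("wildcard :", effective_remote_ts(WILDCARD_SUBNET, ASSIGNED_VIP, AP_PROPOSED_TS))
    # Corrected config: the bogus selector no longer overlaps, so it is refused...
    print("dynamic  :", effective_remote_ts("%dynamic", ASSIGNED_VIP, AP_PROPOSED_TS))
    # ...and only the pool address the AP was assigned is usable as its TS.
    print("vip only :", effective_remote_ts(None, ASSIGNED_VIP, f"{ASSIGNED_VIP}/32"))


if __name__ == "__main__":
    main()
```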
