[strongSwan] IPSec Tunnel IP

Yusuf Güngör yusufyusufyusuf at gmail.com
Fri Jan 12 11:37:13 CET 2018


Hi Noel, Jafar;

I have removed "rightsubnet=0.0.0.0/0" expression from config. Then I am
going to wait the answers from Aruba Community.

Thanks a lot for your help.

The VPN connection resets after ~3 hours. The VPN connection should always be
up; it is critical for us (RADIUS traffic is routed through it). When using the
Aruba controller as VPN concentrator, the connection does not reset for weeks.

I thought the cause of the reset is probably the ikelifetime default value. I
have added:

        rekey = no
        reauth = no

to the config. We are also using ikev1 for keyexchange. (The AP forces us to.)

Do these changes prevent the resets? Is it correct to do this?

Do they cause a serious vulnerability?

Should I change these settings?

Thanks.

2018-01-12 13:14 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:

> Yes, strongSwan has nothing to do with that IP. Btw, don't use 0.0.0.0/0.
> Assign a virtual IP instead and use that to contact the APs.
>
> Kind regards
>
> Noel
>
> On 12.01.2018 11:11, Yusuf Güngör wrote:
> > Hi,
> >
> > There is no setting at AP side for this. I have asked Aruba Community.
> > Can we say that the strange "1.1.1.127" IP has nothing to do with the
> > StrongSwan side?
> >
> > Thanks.
> >
> > 2018-01-11 20:37 GMT+03:00 Jafar Al-Gharaibeh <jafar at atcorp.com>:
> >
> >     you also have to delete the setting at the AP side, just get rid of
> this:
> >
> >       ipsec     primary tunnel peer tunnel ip         :1.1.1.127
> >
> >     --Jafar
> >
> >
> >     On 1/11/2018 2:06 AM, Yusuf Güngör wrote:
> >>     Hi Jafar,
> >>
> >>     I have tried both deleting "rightsubnet=0.0.0.0/0" and adding
> >>     "rightsubnet=%dynamic" now. The AP still gets "1.1.1.127" as peer
> >>     tunnel IP.
> >>
> >>     ipsec     primary tunnel peer tunnel ip        :1.1.1.127
> >>     ipsec     primary tunnel ap tunnel ip           :10.254.0.1
> >>
> >>     Is the problem caused by the AP side?
> >>
> >>
> >>     2018-01-10 21:00 GMT+03:00 Jafar Al-Gharaibeh <jafar at atcorp.com>:
> >>
> >>         Yusuf,
> >>
> >>           Have you tried deleting "rightsubnet=0.0.0.0/0" as Noel suggested
> >>           below?
> >>
> >>           In a dynamic address setup like this I usually do (which has
> >>           the same effect as deleting it):
> >>
> >>           rightsubnet=%dynamic
> >>
> >>
> >>         --Jafar
> >>
> >>
> >>         On 1/10/2018 4:28 AM, Yusuf Güngör wrote:
> >>>         Hi Noel,
> >>>
> >>>         We have APs located at various locations. The APs get their IP
> >>>         from strongSwan.
> >>>
> >>>         We have to add "rightsubnet=0.0.0.0/0" to let the APs connect.
> >>>         (We do not know the APs' private/public IP addresses.)
> >>>
> >>>         We have to add "rightsourceip=10.254.0.0/24" to give the APs a
> >>>         tunnel IP.
> >>>
> >>>         APs can get an IP from the "rightsourceip" pool successfully:
> >>>
> >>>             ipsec     primary tunnel ap tunnel ip           :10.254.0.1
> >>>
> >>>
> >>>         But why is the peer tunnel IP "1.1.1.127"?
> >>>
> >>>             ipsec     primary tunnel peer tunnel ip         :1.1.1.127
> >>>
> >>>
> >>>         We can establish VPN connections from the APs to Aruba Controllers,
> >>>         and then the APs get IP addresses as expected:
> >>>
> >>>             ipsec     primary tunnel ap tunnel ip           :10.254.0.1
> >>>
> >>>             ipsec     primary tunnel peer tunnel ip         :<public ip of aruba controller>
> >>>
> >>>         Are we missing something?
> >>>
> >>>         Also, the VPN connection to strongSwan restarts about every 3
> >>>         hours. The AP disconnects and reconnects because of packet loss.
> >>>         This should be the subject of another topic; I wrote it here in
> >>>         case something is related to that.
> >>>
> >>>         Thanks for help.
> >>>
> >>>         2017-12-28 16:12 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:
> >>>
> >>>             Hello,
> >>>
> >>>             It's because you set "rightsubnet=0.0.0.0/0" and evidently
> >>>             the AP proposes "1.1.1.127" as its local TS, so it gets
> >>>             narrowed to that. I propose you delete those two lines.
> >>>
> >>>             Kind regards
> >>>
> >>>             Noel
> >>>
> >>>             On 27.12.2017 11:01, Yusuf Güngör wrote:
> >>>             > Hi,
> >>>             >
> >>>             > I have a configuration like below and the VPN connection is
> >>>             > successfully established, but the client side gets "1.1.1.127"
> >>>             > as tunnel IP. Can we change this tunnel IP? I cannot find any
> >>>             > clue as to why StrongSwan assigns "1.1.1.127" as tunnel IP to
> >>>             > clients.
> >>>             >
> >>>             > Thanks.
> >>>             >
> >>>             >
> >>>             > *StrongSwan Config (Left)*
> >>>             >
> >>>             >     conn vpn-test
> >>>             >       left=%defaultroute
> >>>             >       leftsubnet=172.30.1.1/25
> >>>             >       leftauth=psk
> >>>             >       leftfirewall=no
> >>>             >       right=%any
> >>>             >       rightsubnet=0.0.0.0/0
> >>>             >       rightsourceip=10.254.0.0/24
> >>>             >       auto=add
> >>>             >       keyexchange=ikev1
> >>>             >       rightauth=psk
> >>>             >       rightauth2=xauth
> >>>             >       type=tunnel
> >>>             >       mobike=yes
> >>>             >       rightid=%any
> >>>             >
> >>>             >
> >>>             > *Client VPN Status: (Aruba Instant AP - Right)*
> >>>             >
> >>>             >     current using tunnel                            :primary tunnel
> >>>             >     current tunnel using time                       :1 hour 43 minutes 31 seconds
> >>>             >     ipsec is preempt status                         :disable
> >>>             >     ipsec is fast failover status                   :disable
> >>>             >     ipsec hold on period                            :0s
> >>>             >     ipsec tunnel monitor frequency (seconds/packet) :5
> >>>             >     ipsec tunnel monitor timeout by lost packet cnt :6
> >>>             >
> >>>             >     ipsec     primary tunnel crypto type            :PSK
> >>>             >     ipsec     primary tunnel peer address           :52.55.49.104
> >>>             >     ipsec     primary tunnel peer tunnel ip         :1.1.1.127
> >>>             >     ipsec     primary tunnel ap tunnel ip           :10.254.0.1
> >>>             >     ipsec     primary tunnel using interface        :tun0
> >>>             >     ipsec     primary tunnel using MTU              :1230
> >>>             >     ipsec     primary tunnel current sm status      :Up
> >>>             >     ipsec     primary tunnel tunnel status          :Up
> >>>             >     ipsec     primary tunnel tunnel retry times     :6
> >>>             >     ipsec     primary tunnel tunnel uptime          :1 hour 43 minutes 31 seconds
> >>>             >
> >>>             >     ipsec      backup tunnel crypto type            :PSK
> >>>             >     ipsec      backup tunnel peer address           :N/A
> >>>             >     ipsec      backup tunnel peer tunnel ip         :N/A
> >>>             >     ipsec      backup tunnel ap tunnel ip           :N/A
> >>>             >     ipsec      backup tunnel using interface        :N/A
> >>>             >     ipsec      backup tunnel using MTU              :N/A
> >>>             >     ipsec      backup tunnel current sm status      :Init
> >>>             >     ipsec      backup tunnel tunnel status          :Down
> >>>             >     ipsec      backup tunnel tunnel retry times     :0
> >>>             >     ipsec      backup tunnel tunnel
> >>>             >
> >>>             >
> >>>
> >>>
> >>
> >>
> >
> >
>
>
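The two points in this thread, the 0.0.0.0/0 traffic selector that gets narrowed to whatever the AP proposes (1.1.1.127 here) and the rekey/reauth question, can both be checked mechanically. The Python linter below is an added example written for this page; it is not code from the thread, from Aruba, or from the strongSwan project. It embeds the posted conn block as a constructed sample, derives a corrected variant from it, and flags: a rightsubnet other than %dynamic combined with rightsourceip; rekey=no, which in strongSwan only stops the local end from initiating rekeys; reauth=no and mobike=yes, which have no effect with keyexchange=ikev1 (IKEv1 always reauthenticates when the IKE_SA is renewed, and MOBIKE is an IKEv2 extension); and a missing ikelifetime, whose ipsec.conf default is 3h, the same interval as the reported resets. The 24h/1h/9m lifetimes in the corrected variant are illustrative assumptions, not a recommendation from anyone in the thread.

```python
import re

# Constructed sample: the conn block posted in the thread, plus the rekey/reauth
# lines added afterwards. Not taken from any real deployment.
POSTED_CONF = """\
conn vpn-test
  left=%defaultroute
  leftsubnet=172.30.1.1/25
  leftauth=psk
  leftfirewall=no
  right=%any
  rightsubnet=0.0.0.0/0
  rightsourceip=10.254.0.0/24
  auto=add
  keyexchange=ikev1
  rightauth=psk
  rightauth2=xauth
  type=tunnel
  mobike=yes
  rightid=%any
  rekey=no
  reauth=no
"""

# Constructed: the same conn with the thread's advice applied (rightsubnet=%dynamic,
# rekey/reauth back to their defaults, the IKEv1-ignored mobike line dropped) plus
# explicit lifetimes. The lifetime values are an illustrative assumption.
FIXED_CONF = (POSTED_CONF
              .replace("rightsubnet=0.0.0.0/0", "rightsubnet=%dynamic")
              .replace("  mobike=yes\n", "")
              .replace("  rekey=no\n  reauth=no\n",
                       "  ikelifetime=24h\n  lifetime=1h\n  margintime=9m\n"))

DEFAULT_IKELIFETIME = "3h"   # strongSwan ipsec.conf default for the IKE_SA
CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text (conn sections only)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        m = CONN_RE.match(line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0] not in " \t":
            current = None                      # 'config setup', 'ca ...', etc.
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def lint_conn(conn):
    """Return [(severity, key, message)] for one parsed conn block."""
    findings = []
    kx = conn.get("keyexchange", "ike")

    if "rightsourceip" in conn and conn.get("rightsubnet") not in (None, "%dynamic"):
        findings.append(("high", "rightsubnet",
            f"{conn['rightsubnet']} accepts whatever traffic selector the peer "
            "proposes (the thread saw it narrowed to 1.1.1.127); with "
            "rightsourceip use rightsubnet=%dynamic or drop the line"))
    if conn.get("rekey") == "no":
        findings.append(("high", "rekey",
            "only stops this end from initiating rekeys; the peer can still "
            "rekey, and the SA is still torn down when its lifetime runs out"))
    if conn.get("reauth") == "no" and kx == "ikev1":
        findings.append(("info", "reauth",
            "no effect with IKEv1, which always reauthenticates on IKE_SA renewal"))
    if conn.get("mobike") == "yes" and kx == "ikev1":
        findings.append(("info", "mobike",
            "MOBIKE is an IKEv2 extension and is ignored with keyexchange=ikev1"))
    if "ikelifetime" not in conn:
        findings.append(("warn", "ikelifetime",
            f"not set, so the default {DEFAULT_IKELIFETIME} applies, which "
            "matches the ~3 hour reset interval reported in the thread"))
    return findings


def report(text):
    """Print findings for every conn in the text and return their count."""
    total = 0
    for name, conn in parse_conns(text).items():
        for severity, key, msg in lint_conn(conn):
            print(f"[{severity}] conn {name}: {key}: {msg}")
            total += 1
    return total


if __name__ == "__main__":
    print("posted config:")
    report(POSTED_CONF)
    print("corrected config:")
    report(FIXED_CONF)
```

Run it as a script to see the findings for both variants, or pass the text of your own ipsec.conf to report(). The rekey finding is the practical answer to the question above: rekey=no does not make an SA live longer; if nothing renews it, it expires at its lifetime, so it cannot be what stops the ~3 hour resets.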