IPSec client is alternating between two IP addresses

Alan DeKok aland at deployingradius.com
Mon Jan 8 22:03:31 CET 2018


On Jan 8, 2018, at 3:46 PM, Artur Jaroschek <artur at jaroschek.net> wrote:
> 
> We are using freeradius version (debian) 2.1.12+dfsg-1.2

  You really need to upgrade to 2.2.10.  You don't have to change anything in your configuration.

> to manage an
> ip-pool for an ipsec vpn gateway. The gateway does xauth to the radius
> server for authentication and IP assignment as well as accounting to
> e.g. clean up the IP address. Upon re-keying the user gets a new IP
> address (which is the same as the second to last one), so its basically
> alternating between two IP addresses. We are using the ippool-module
> (not SQL) and I already found the notes on the key-parameter. Its
> currently set to "%{NAS-IP-Address} %{User-Name}" which is unique for
> each dailed in client. Before we configured accounting on the vpn
> gateway the reason for the alternating IPs was quite obvious to me
> (from looking at the module code: "Found a stale entry for ip") but
> with accounting properly configured I can't find a reason why its still
> the same:

  If the IP is still active, AND the query uses the same IP, then it should be renewed.

  But... 2.1.12 is 6 years old.  You should really upgrade.  And take a serious look at v3, too.

> Now with accounting its looking like this upon re-keying:
> 
> Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool]
> #011expand: %{NAS-IP-Address} %{User-Name} -> 1.1.1.2 C023A0667
> Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] MD5
> on 'key' directive maps to: 4d7b2dcc10b9fa1a049fc4d1d05170c0
> Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool]
> Searching for an entry for key: '1.1.1.2 C023A0667'
> Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool]
> Deallocated entry for ip: 10.151.222.215

  In 2.2.10, it only prints "Deallocated entry" when the NAS sends an accounting STOP.  i.e. when the session is closed.

  Running the server in debugging mode will tell you what's going on...

  But if the NAS sends a STOP before renewing the IP, well, that explains everything.  The original session is gone, so a new lease is allocated.

  Alan DeKok.




More information about the Freeradius-Users mailing list