IPSec client is alternating between two IP addresses

Artur Jaroschek artur at jaroschek.net
Tue Jan 9 21:33:24 CET 2018


> 
> > 
> > We are using freeradius version (debian) 2.1.12+dfsg-1.2
> 
>   You really need to upgrade to 2.2.10.  You don't have to change
> anything in your configuration.
> 
> > to manage an ip-pool for an ipsec vpn gateway. The gateway does xauth to the
> > radius server for authentication and IP assignment as well as accounting to
> > e.g. clean up the IP address. Upon re-keying the user gets a new IP
> > address (which is the same as the second to last one), so it's
> > basically alternating between two IP addresses. We are using the ippool
> > module (not SQL) and I already found the notes on the key-parameter. It's
> > currently set to "%{NAS-IP-Address} %{User-Name}" which is unique for
> > each dialed-in client. Before we configured accounting on the vpn
> > gateway the reason for the alternating IPs was quite obvious to me
> > (from looking at the module code: "Found a stale entry for ip") but
> > with accounting properly configured I can't find a reason why it's
> > still the same:
> 
>   If the IP is still active, AND the query uses the same IP, then it
> should be renewed.

Even when I manually disconnect my VPN client (causing a deallocation
message on the freeradius-server side) and reconnect again (after a while),
I will get the "other" IP. Is this intended?


What must our VPN client send while re-keying so that freeradius does not
swap the IP but just "renews" it? BTW, does "renew" mean it just
updates some meta-data in the DB?


> 
>   But... 2.1.12 is 6 years old.  You should really upgrade.  And take
> a serious look at v3, too.
> 
> > Now with accounting its looking like this upon re-keying:
> > 
> > Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] #011expand: %{NAS-IP-Address} %{User-Name} -> 1.1.1.2 C023A0667
> > Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] MD5 on 'key' directive maps to: 4d7b2dcc10b9fa1a049fc4d1d05170c0
> > Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] Searching for an entry for key: '1.1.1.2 C023A0667'
> > Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] Deallocated entry for ip: 10.151.222.215
> 
>   In 2.2.10, it only prints "Deallocated entry" when the NAS sends an
> accounting STOP.  i.e. when the session is closed.
> 
>   Running the server in debugging mode will tell you what's going
> on...

The submitted logs were captured while running the server with "-xx"

> 
>   But if the NAS sends a STOP before renewing the IP, well, that
> explains everything.  The original session is gone, so a new lease is
> allocated.

When the old session is gone, why not hand out the same IP again for
the new session, as long as it's the same requester,
e.g. 4d7b2dcc10b9fa1a049fc4d1d05170c0 in my example?

> 
>   Alan DeKok.
> 

Thank you very much for your response.
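To check whether a pool key really is flip-flopping between two addresses, the rlm_ippool debug lines quoted above can be correlated per key. The script below is an added example written for this thread, not code from the list post or from FreeRADIUS; the sample log is constructed in the format shown in the thread, and the "Allocated ip ... to client key" line is an assumed message format, since the thread only quotes the "Searching", "MD5" and "Deallocated" lines.

```python
import re
from collections import defaultdict

# Constructed sample of rlm_ippool debug output (format as quoted in the thread).
# The "Allocated ip" message is an ASSUMED format, not taken from the thread.
SAMPLE_LOG = """\
Jan  8 21:30:01 s030v0047 freeradius[30859]: [s030v0047-test_pool] Searching for an entry for key: '1.1.1.2 C023A0667'
Jan  8 21:30:01 s030v0047 freeradius[30859]: [s030v0047-test_pool] Allocated ip 10.151.222.215 to client key: 1.1.1.2 C023A0667
Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] Searching for an entry for key: '1.1.1.2 C023A0667'
Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] Deallocated entry for ip: 10.151.222.215
Jan  8 21:37:38 s030v0047 freeradius[30859]: [s030v0047-test_pool] Searching for an entry for key: '1.1.1.2 C023A0667'
Jan  8 21:37:38 s030v0047 freeradius[30859]: [s030v0047-test_pool] Allocated ip 10.151.222.216 to client key: 1.1.1.2 C023A0667
Jan  8 21:40:00 s030v0047 freeradius[30859]: [s030v0047-test_pool] Searching for an entry for key: '1.1.1.2 C023A0999'
Jan  8 21:40:00 s030v0047 freeradius[30859]: [s030v0047-test_pool] Allocated ip 10.151.222.217 to client key: 1.1.1.2 C023A0999
Jan  8 22:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] Searching for an entry for key: '1.1.1.2 C023A0667'
Jan  8 22:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] Deallocated entry for ip: 10.151.222.216
Jan  8 22:37:38 s030v0047 freeradius[30859]: [s030v0047-test_pool] Searching for an entry for key: '1.1.1.2 C023A0667'
Jan  8 22:37:38 s030v0047 freeradius[30859]: [s030v0047-test_pool] Allocated ip 10.151.222.215 to client key: 1.1.1.2 C023A0667
"""

# syslog prefix, then "[<pool instance>] <module message>"
LINE_RE = re.compile(r"^\S+\s+\d+ [\d:]+ \S+ freeradius\[\d+\]: \[(?P<pool>[^\]]+)\] (?P<msg>.*)$")
KEY_RE = re.compile(r"Searching for an entry for key: '(?P<key>[^']*)'")
ALLOC_RE = re.compile(r"Allocated ip (?P<ip>\S+) to client key")   # assumed format
DEALLOC_RE = re.compile(r"Deallocated entry for ip: (?P<ip>\S+)")

def parse_ippool_log(text):
    """Return (pool, key, action, ip) events; each allocate/deallocate message is
    attributed to the most recent 'Searching ... key' line seen for that pool."""
    current_key, events = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pool, msg = m.group("pool"), m.group("msg")
        if (k := KEY_RE.search(msg)):
            current_key[pool] = k.group("key")
        elif (a := ALLOC_RE.search(msg)):
            events.append((pool, current_key.get(pool), "alloc", a.group("ip")))
        elif (d := DEALLOC_RE.search(msg)):
            events.append((pool, current_key.get(pool), "dealloc", d.group("ip")))
    return events

def allocation_history(events):
    """Ordered list of IPs handed out per (pool, key)."""
    hist = defaultdict(list)
    for pool, key, action, ip in events:
        if action == "alloc":
            hist[(pool, key)].append(ip)
    return dict(hist)

def flip_flopping_keys(events, min_allocs=3):
    """Keys that received exactly two distinct IPs in strict alternation (A, B, A, ...)."""
    flagged = {}
    for k, ips in allocation_history(events).items():
        alternating = all(ips[i] != ips[i + 1] for i in range(len(ips) - 1))
        if len(ips) >= min_allocs and len(set(ips)) == 2 and alternating:
            flagged[k] = ips
    return flagged
```

Run it against the output of `radiusd -X` (or the `-xx` log quoted above) to see, per key, whether each re-key produces a deallocation followed by a fresh allocation rather than a renewal.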

