IPSec client is alternating between two IP addresses

Alan DeKok aland at deployingradius.com
Wed Jan 10 14:04:33 CET 2018


On Jan 10, 2018, at 4:47 AM, artur at jaroschek.net wrote:
> But as key-parameter is unique for each "client" it always points to the
> same IP address for the same client coming in.

  Only during a session.  The difficulty with RADIUS is that there are multiple packets (Access-Request, followed by Accounting-Request).

  If you want the Accounting-Request packets to cause the IP to be marked "still in use", or "stopped using it", then you need a key which identifies that session.  Because not all NASes are smart enough to include Framed-IP-Address in accounting packets...

  i.e. if your expectations differ from what the server does, then your expectations are wrong.

  You should upgrade to v3, where both the documentation and debug output are better.

> By saying "alternating" I mean exactly this. A client X always gets IP1 or
> IP2, e.g. 10.151.222.214 and 10.151.222.20, then again 10.151.222.214 and
> so on. I found out that if the pool usage gets above a certain level then
> that client will always get IP1 as IP2 already is allocated to someone
> else.

  Which is entirely consistent with the idea that IPs are assigned based on availability, *not* on a key.

  And all of this is moot.  Who cares that the IPs change?  It shouldn't be a problem.

  If it is a problem, then stop arguing about how the module "should" work.  It clearly doesn't do what you want.  We WILL NOT "fix" v2.

  Upgrade to v3, and use the sqlippool module.  That is better documented, and you can more easily tweak its behaviour.

  Alan DeKok.



