IPSec client is alternating between two IP addresses

Artur Jaroschek artur at jaroschek.net
Mon Jan 8 21:46:50 CET 2018 

We are using freeradius version (debian) 2.1.12+dfsg-1.2 to manage an
ip-pool for an ipsec vpn gateway. The gateway does xauth to the radius
server for authentication and IP assignment as well as accounting to
e.g. clean up the IP address. Upon re-keying the user gets a new IP
address (which is the same as the second to last one), so its basically
alternating between two IP addresses. We are using the ippool-module
(not SQL) and I already found the notes on the key-parameter. Its
currently set to "%{NAS-IP-Address} %{User-Name}" which is unique for
each dailed in client. Before we configured accounting on the vpn
gateway the reason for the alternating IPs was quite obvious to me
(from looking at the module code: "Found a stale entry for ip") but
with accounting properly configured I can't find a reason why its still
the same:


Before accounting was on:

Jan  5 14:52:43 s030v0047 freeradius[26299]: [s030v0047-test_pool]
#011expand: %{NAS-IP-Address} %{User-Name} -> 1.1.1.2 C023A0667
Jan  5 14:52:43 s030v0047 freeradius[26299]: [s030v0047-test_pool] MD5
on 'key' directive maps to: 4d7b2dcc10b9fa1a049fc4d1d05170c0
Jan  5 14:52:43 s030v0047 freeradius[26299]: [s030v0047-test_pool]
Searching for an entry for key: '4d7b2dcc10b9fa1a049fc4d1d05170c0'
Jan  5 14:52:43 s030v0047 freeradius[26299]: [s030v0047-test_pool]
Found a stale entry for ip: 10.151.222.215
Jan  5 14:52:43 s030v0047 freeradius[26299]: [s030v0047-test_pool] num:
0
Jan  5 14:52:43 s030v0047 freeradius[26299]: rlm_ippool: Allocating ip
to key: '4d7b2dcc10b9fa1a049fc4d1d05170c0'
Jan  5 14:52:43 s030v0047 freeradius[26299]: [s030v0047-test_pool] num:
1
Jan  5 14:52:43 s030v0047 freeradius[26299]: [s030v0047-test_pool]
Allocated ip 10.151.222.20 to client key:
4d7b2dcc10b9fa1a049fc4d1d05170c0
Jan  5 14:52:43 s030v0047 freeradius[26299]: +++[s030v0047-test_pool]
returns ok


Now with accounting its looking like this upon re-keying:

Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool]
#011expand: %{NAS-IP-Address} %{User-Name} -> 1.1.1.2 C023A0667
Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] MD5
on 'key' directive maps to: 4d7b2dcc10b9fa1a049fc4d1d05170c0
Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool]
Searching for an entry for key: '1.1.1.2 C023A0667'
Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool]
Deallocated entry for ip: 10.151.222.215
Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] num:
0

...

Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool]
#011expand: %{NAS-IP-Address} %{User-Name} -> 1.1.1.2 C023A0667
Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] MD5
on 'key' directive maps to: 4d7b2dcc10b9fa1a049fc4d1d05170c0
Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool]
Searching for an entry for key: '4d7b2dcc10b9fa1a049fc4d1d05170c0'
Jan  8 21:37:37 s030v0047 freeradius[30859]: rlm_ippool: Allocating ip
to key: '4d7b2dcc10b9fa1a049fc4d1d05170c0'
Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool] num:
1
Jan  8 21:37:37 s030v0047 freeradius[30859]: [s030v0047-test_pool]
Allocated ip 10.151.222.39 to client key:
4d7b2dcc10b9fa1a049fc4d1d05170c0
Jan  8 21:37:37 s030v0047 freeradius[30859]: +++[s030v0047-test_pool]
returns ok


Is it because deallocation and reallocation are to close (in time) to
each other? Thank you.

More information about the Freeradius-Users mailing list