IPSec client is alternating between two IP addresses

Nathan Ward lists+freeradius at daork.net
Wed Jan 10 05:53:28 CET 2018

> On 10/01/2018, at 9:33 AM, Artur Jaroschek <artur at jaroschek.net> wrote:
> Even when I manually disconnect my VPN client (causing a deallocation
> message on freeradius-server side), and reconnect again (after a while)
> I will get the "other" IP. Is this inteded?

Once an IP is deallocated, it is deallocated. There is no information stored about what IP was given out previously.

> What must our VPN client send while re-keying to not cause freeradius
> to swap the IP but to just "renew" it? BTW does "renew" mean it just
> updates some meta-date in the DB?

Your NAS (i.e. VPN server) is probably sending an accounting Stop message. Tell it to not send that when re-keying.

I would be surprised if it was simply re-keying, as it sounds like it is sending a new Access-Request as well (which is giving it the new IP).
Why is it doing that? Is that what you expect? I would have a chat to your VPN vendor. Surely a re-key of an existing session doesn’t mean re-auth?

>>  Running the server in debugging mode will tell you what's going
>> on...
> The submitted logs were captured while running the server with "-xx”

There are a number of places that say things like:
"Always use radiusd -X when debugging!”

>>  But if the NAS sends a STOP before renewing the IP, well, that
>> explains everything.  The original session is gone, so a new lease is
>> allocated.
> When the old session is gone, why not handing out the same IP again for
> the new session, as long its the same requester,
> e.g. 4d7b2dcc10b9fa1a049fc4d1d05170c0 in my example?

Because there is no information stored to relate the old deallocated IP to the new session.

Nathan Ward

More information about the Freeradius-Users mailing list