IPSec client is alternating between two IP addresses
Nathan Ward
lists+freeradius at daork.net
Wed Jan 10 05:53:28 CET 2018
> On 10/01/2018, at 9:33 AM, Artur Jaroschek <artur at jaroschek.net> wrote:
>
> Even when I manually disconnect my VPN client (causing a deallocation
> message on freeradius-server side), and reconnect again (after a while)
> I will get the "other" IP. Is this inteded?
Once an IP is deallocated, it is deallocated. There is no information stored about what IP was given out previously.
> What must our VPN client send while re-keying to not cause freeradius
> to swap the IP but to just "renew" it? BTW does "renew" mean it just
> updates some meta-date in the DB?
Your NAS (i.e. VPN server) is probably sending an accounting Stop message. Tell it to not send that when re-keying.
I would be surprised if it was simply re-keying, as it sounds like it is sending a new Access-Request as well (which is giving it the new IP).
Why is it doing that? Is that what you expect? I would have a chat to your VPN vendor. Surely a re-key of an existing session doesn’t mean re-auth?
>> Running the server in debugging mode will tell you what's going
>> on...
>
> The submitted logs were captured while running the server with "-xx”
There are a number of places that say things like:
"Always use radiusd -X when debugging!”
>> But if the NAS sends a STOP before renewing the IP, well, that
>> explains everything. The original session is gone, so a new lease is
>> allocated.
>
> When the old session is gone, why not handing out the same IP again for
> the new session, as long its the same requester,
> e.g. 4d7b2dcc10b9fa1a049fc4d1d05170c0 in my example?
Because there is no information stored to relate the old deallocated IP to the new session.
--
Nathan Ward
More information about the Freeradius-Users
mailing list