IPSec client is alternating between two IP addresses

artur at jaroschek.net
Wed Jan 10 10:47:12 CET 2018

>> On 10/01/2018, at 9:33 AM, Artur Jaroschek <artur at jaroschek.net> wrote:
>> Even when I manually disconnect my VPN client (causing a deallocation
>> message on freeradius-server side), and reconnect again (after a while)
>> I will get the "other" IP. Is this intended?
> Once an IP is deallocated, it is deallocated. There is no information
> stored about what IP was given out previously.

But as the key parameter is unique for each "client", it always points to the
same IP address for the same client coming in. See my second answer below.

>> What must our VPN client send while re-keying to not cause freeradius
>> to swap the IP but to just "renew" it? BTW does "renew" mean it just
>> updates some meta-data in the DB?
> Your NAS (i.e. VPN server) is probably sending an accounting Stop message.
> Tell it to not send that when re-keying.
> I would be surprised if it was simply re-keying, as it sounds like it is
> sending a new Access-Request as well (which is giving it the new IP).
> Why is it doing that? Is that what you expect? I would have a chat to your
> VPN vendor. Surely a re-key of an existing session doesn’t mean re-auth?
>>>  Running the server in debugging mode will tell you what's going
>>> on...
>> The submitted logs were captured while running the server with "-xx"
> There are a number of places that say things like:
> "Always use radiusd -X when debugging!"
>>>  But if the NAS sends a STOP before renewing the IP, well, that
>>> explains everything.  The original session is gone, so a new lease is
>>> allocated.
>> When the old session is gone, why not hand out the same IP again for
>> the new session, as long as it's the same requester,
>> e.g. 4d7b2dcc10b9fa1a049fc4d1d05170c0 in my example?
> Because there is no information stored to relate the old deallocated IP to
> the new session.

I found this comment in the code:

*  ---------------------------------------------
*  - NAS/PORT Entry  |||| Free Entry  ||| Time
*  -    IP1                 IP2(Free)    BEFORE
*  -    IP2(Free)           IP1          AFTER
*  ---------------------------------------------

By saying "alternating" I mean exactly this. A client X always gets IP1 or
IP2, e.g. and, then again and
so on. I found out that if the pool usage gets above a certain level, then
that client will always get IP1, as IP2 is already allocated to someone

> --
> Nathan Ward
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
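The reply above suspects that the NAS sends an accounting Stop on re-key, which frees the lease before the new Start is allocated. The following added example (not from the original thread or from FreeRADIUS itself) parses a constructed excerpt in the layout of a FreeRADIUS detail file and flags every Stop that is followed within a short window by a Start on the same NAS/port; the timestamps, NAS address 192.0.2.10, port 7 and the 10.0.0.x addresses are made up for the sample.

```python
from datetime import datetime, timedelta

# Constructed detail-file excerpt (not a real capture): a Stop followed two
# seconds later by a Start on the same NAS/port, the pattern suspected above.
SAMPLE_DETAIL = """\
Wed Jan 10 10:40:00 2018
\tAcct-Status-Type = Start
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 7
\tFramed-IP-Address = 10.0.0.1

Wed Jan 10 10:45:00 2018
\tAcct-Status-Type = Stop
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 7
\tFramed-IP-Address = 10.0.0.1

Wed Jan 10 10:45:02 2018
\tAcct-Status-Type = Start
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 7
\tFramed-IP-Address = 10.0.0.2
"""

def parse_detail(text):
    """One dict per record; records are blank-line separated, first line is the timestamp."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        rec = {"_time": datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")}
        for line in lines[1:]:
            attr, _, value = line.strip().partition(" = ")
            rec[attr] = value.strip('"')  # strings are quoted in detail files
        records.append(rec)
    return records

def find_rekey_restarts(records, window=timedelta(seconds=30)):
    """Return (nas, port, old_ip, new_ip) for each Stop followed within `window`
    by a Start on the same NAS/port: the Stop has already freed the lease."""
    last_stop, hits = {}, []
    for rec in sorted(records, key=lambda r: r["_time"]):
        key = (rec.get("NAS-IP-Address"), rec.get("NAS-Port"))
        status = rec.get("Acct-Status-Type")
        if status == "Stop":
            last_stop[key] = rec
        elif status == "Start" and key in last_stop:
            stop = last_stop.pop(key)
            if rec["_time"] - stop["_time"] <= window:
                hits.append((key[0], key[1], stop.get("Framed-IP-Address"),
                             rec.get("Framed-IP-Address")))
    return hits
```

A hit where old_ip and new_ip differ is the "alternating" symptom; a hit at all shows the NAS tore the session down rather than renewing it.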
