IPSec client is alternating between two IP addresses

artur at jaroschek.net
Wed Jan 10 10:47:12 CET 2018


>
>> On 10/01/2018, at 9:33 AM, Artur Jaroschek <artur at jaroschek.net> wrote:
>>
>> Even when I manually disconnect my VPN client (causing a deallocation
>> message on freeradius-server side), and reconnect again (after a while)
>> I will get the "other" IP. Is this intended?
>
> Once an IP is deallocated, it is deallocated. There is no information
> stored about what IP was given out previously.

But as the key parameter is unique for each "client", it always points to the
same IP address for the same client coming in. See my second answer below.

>
>> What must our VPN client send while re-keying to not cause freeradius
>> to swap the IP but to just "renew" it? BTW, does "renew" mean it just
>> updates some meta-data in the DB?
>
> Your NAS (i.e. VPN server) is probably sending an accounting Stop message.
> Tell it to not send that when re-keying.
>
> I would be surprised if it was simply re-keying, as it sounds like it is
> sending a new Access-Request as well (which is giving it the new IP).
> Why is it doing that? Is that what you expect? I would have a chat to your
> VPN vendor. Surely a re-key of an existing session doesn't mean re-auth?
>
>>>  Running the server in debugging mode will tell you what's going
>>> on...
>>
>> The submitted logs were captured while running the server with "-xx"
>
> There are a number of places that say things like:
> "Always use radiusd -X when debugging!"
>
>>>  But if the NAS sends a STOP before renewing the IP, well, that
>>> explains everything.  The original session is gone, so a new lease is
>>> allocated.
>>
>> When the old session is gone, why not hand out the same IP again for
>> the new session, as long as it's the same requester,
>> e.g. 4d7b2dcc10b9fa1a049fc4d1d05170c0 in my example?
>
>
> Because there is no information stored to relate the old deallocated IP to
> the new session.

I found this comment in the code:

*  ---------------------------------------------
*  - NAS/PORT Entry  |||| Free Entry  ||| Time
*  -    IP1                 IP2(Free)    BEFORE
*  -    IP2(Free)           IP1          AFTER
*  ---------------------------------------------

By saying "alternating" I mean exactly this. A client X always gets IP1 or
IP2, e.g. 10.151.222.214 and 10.151.222.20, then again 10.151.222.214 and
so on. I found out that if the pool usage gets above a certain level, then
that client will always get IP1, as IP2 is already allocated to someone
else.

>
> --
> Nathan Ward
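
The swap in the quoted code comment is enough to produce exactly that alternation. Below is a small Python model of it, added here for illustration and not taken from rlm_ippool; it assumes that a client key is bound to one slot and that releasing a lease swaps that slot's IP with the first other free entry in the pool (the BEFORE/AFTER rows of the comment).

```python
# Toy model of the entry swap shown in the quoted rlm_ippool comment.
# Assumption (not the real module's data structures): each client key is
# bound to one slot, and releasing a lease swaps that slot's IP with the
# first other free entry in the pool.

class SwapPool:
    def __init__(self, ips):
        # Pool as a list of [ip, in_use] entries; order matters for the swap.
        self.entries = [[ip, False] for ip in ips]
        self.slot_of = {}  # client key -> slot index

    def allocate(self, key):
        """Hand out the IP sitting in the client's slot if it is free,
        otherwise bind the client to the first free entry in the pool."""
        i = self.slot_of.get(key)
        if i is None or self.entries[i][1]:
            free = [j for j, (_, used) in enumerate(self.entries) if not used]
            if not free:
                return None  # pool exhausted
            i = free[0]
            self.slot_of[key] = i
        self.entries[i][1] = True
        return self.entries[i][0]

    def release(self, key):
        """Free the lease, then swap the slot with the first other free
        entry: NAS/PORT slot gets IP2(Free), the free slot gets IP1."""
        i = self.slot_of[key]
        self.entries[i][1] = False
        for j, (_, used) in enumerate(self.entries):
            if j != i and not used:
                self.entries[i], self.entries[j] = self.entries[j], self.entries[i]
                break

def lease_history(pool, key, rounds):
    """Connect and disconnect `rounds` times; return the IPs handed out."""
    seen = []
    for _ in range(rounds):
        seen.append(pool.allocate(key))
        pool.release(key)
    return seen

# Constructed sample: the two addresses from the post, client X alone.
IPS = ["10.151.222.214", "10.151.222.20"]
alone = lease_history(SwapPool(IPS), "X", 3)
# → ['10.151.222.214', '10.151.222.20', '10.151.222.214'] (alternates)

# Same pool, but client Y already holds an address: there is no other free
# entry to swap with, so X gets the same IP on every reconnect.
busy = SwapPool(IPS)
busy.allocate("Y")
shared = lease_history(busy, "X", 3)
# → ['10.151.222.20', '10.151.222.20', '10.151.222.20']
```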
