IPSec client is alternating between two IP addresses

Alan DeKok aland at deployingradius.com
Wed Jan 10 14:33:10 CET 2018

On Jan 10, 2018, at 6:54 AM, Nathan Ward <lists+freeradius at daork.net> wrote:
> This is because it is selecting addresses in order - it just appears to you with limited testing to behave as though it is swapping addresses back and forward, as the order of the IP addresses coming out is not chosen numerically. I will note that it is not immediately clear to my why it gives out the next free address, rather than the current address as that is now marked free. I think it is because of how the gdbm keys are iterated through.

  The code would need to be updated to add a check for the current key, *before* checking for a free IP.  e.g.

	get IP(key)
	if IP is free return that
	else get free IP

  Which is essentially what the sqlippool module does in v3:

	SELECT framedipaddress FROM ${ippool_table} \
	WHERE pool_name = '%{control:Pool-Name}' \
	AND (expiry_time < NOW() OR expiry_time IS NULL) \
		(username <> '%{User-Name}'), \
		(callingstationid <> '%{Calling-Station-Id}'), \
		expiry_time \
	LIMIT 1 \

  i.e. get me free IP based on User-Name or Calling-Station-Id.  If there's no matching IP, just allocate an expired one.

> Additionally, if you send Stop, the IP address is released to the pool for re-assignment. Even if you were able to make a subsequent Access-Request issue the same address, you may still have a race condition where a re-key or a new connection comes between the Stop and the Access-Request messages.


  If the OP wants static IPs, he should configure static IPs.  Using a "dynamic IP" module means that the IPs can change.

> Again, I urge you to consider what is going on in your NAS - why is it sending a Stop message if it does not want to stop the session? That is broken, and it needs to be fixed. The response to the Access-Request could be an Access-Challenge if you decided to implement 2 factor authentication or something. What now? The user has to enter their hardware token each time that your NAS wants to re-key?

  There are entirely too many broken NASes.  And entirely too many people who wonder why "FreeRADIUS" is doing something, when the debug log shows that it's the fault of the NAS.

  Alan DeKok.

More information about the Freeradius-Users mailing list