
IPsec IKEv2 remote-access eap-radius accounting is disabled
Open, Normal, Public, BUG

Description

I'm using IPsec remote-access with RADIUS EAP-TLS.

I ran into an issue when the ippool in RADIUS was running out of IPs, though I had configured IP release.

Running radiusd -X showed that no Accounting-Stop messages were sent.

In my config, I haven't disabled accounting for the RADIUS server:

vyos@vyos# delete vpn ipsec remote-access radius server 10.128.0.4 disable-accounting 

  Nothing to delete (the specified node does not exist)

The strongSwan documentation says to enable accounting in /etc/strongswan.d/charon/eap-radius.conf.
So I looked into the VyOS config file /etc/strongswan.d/charon/eap-radius.conf, and accounting was indeed disabled by default:

eap-radius {
    # Send RADIUS accounting information to RADIUS servers.
    # accounting = no

    # Close the IKE_SA if there is a timeout during interim RADIUS accounting
    # updates.
    # accounting_close_on_timeout = yes

    # Interval in seconds for interim RADIUS accounting updates, if not
    # specified by the RADIUS server in the Access-Accept message.
    # accounting_interval = 0

Although the option is commented out, strongSwan does not enable accounting for eap-radius by default.

Relevant configuration:

set vpn ipsec remote-access connection mykola-vpn authentication client-mode 'eap-radius'
set vpn ipsec remote-access connection mykola-vpn authentication local-id ...
set vpn ipsec remote-access connection mykola-vpn authentication x509 ca-certificate ...
set vpn ipsec remote-access connection mykola-vpn authentication x509 certificate ...
set vpn ipsec remote-access connection mykola-vpn bind 'vti30'
set vpn ipsec remote-access connection mykola-vpn description 'Mykola IKEv2'
set vpn ipsec remote-access connection mykola-vpn esp-group 'esp-mykola-vpn'
set vpn ipsec remote-access connection mykola-vpn ike-group 'ike-mykola-vpn'
set vpn ipsec remote-access connection mykola-vpn local-address 'any'
set vpn ipsec remote-access connection mykola-vpn pool 'radius'
set vpn ipsec remote-access radius nas-identifier 'vyos'
set vpn ipsec remote-access radius server 10.128.0.4 key ...

Versions I'm experiencing this bug on:

VyOS 2025.08.28-0019-rolling

and

VyOS 2025.07.04-0020-rolling

Details

Version
2025.07.04-0020-rolling
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)
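
An added example, not part of the original report or of VyOS: a small check for the effective `accounting` value in a strongswan.conf-style file such as the eap-radius.conf quoted above, treating a commented-out option as unset so that strongSwan's default of `no` applies. The function names and the `ENABLED` sample are assumptions made for illustration; `AS_REPORTED` is an abridged copy of the excerpt in the report.

```python
import re
import sys

DEFAULT_ACCOUNTING = "no"  # strongSwan's default when the option is unset
TRUE_VALUES = {"1", "yes", "true", "enabled"}  # strongswan.conf spellings of "true"

# Abridged excerpt from the report: the option is present only as a comment.
AS_REPORTED = """\
eap-radius {
    # Send RADIUS accounting information to RADIUS servers.
    # accounting = no
    # accounting_interval = 0
"""
# Constructed sample: the same section with accounting switched on.
ENABLED = """\
eap-radius {
    accounting = yes
}
"""

def parse_conf(text):
    """Parse strongswan.conf-style text into nested dicts of sections and values."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        # Simplification: '#' always starts a comment (no quoted-'#' handling).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = re.match(r"^([\w.-]+)\s*\{$", line)
        if opened:
            stack.append(stack[-1].setdefault(opened.group(1), {}))
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip().strip('"')
    return root  # sections left open at EOF (truncated excerpt) are tolerated

def accounting_enabled(text):
    """Effective eap-radius.accounting; a commented-out line counts as unset."""
    section = parse_conf(text).get("eap-radius", {})
    return section.get("accounting", DEFAULT_ACCOUNTING).lower() in TRUE_VALUES

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /etc/strongswan.d/charon/eap-radius.conf
        with open(sys.argv[1]) as fh:
            print(sys.argv[1], "accounting enabled:", accounting_enabled(fh.read()))
    else:
        for name, sample in (("as reported", AS_REPORTED), ("enabled", ENABLED)):
            print(name, "-> accounting enabled:", accounting_enabled(sample))
```

Run with the path to the generated file as the only argument to check a live system; without arguments it evaluates the two embedded samples.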

Event Timeline

Viacheslav triaged this task as Normal priority. Sep 18 2025, 9:00 AM

I see.

It would be nice to have an option to enable accounting for eap-radius, as I described in the post, via the CLI.

It is crucial for fully fledged, working IKEv2 remote access.

@mykola2312 do you want to claim the task?

Yes, sure