4 Replies Latest reply on Jan 8, 2015 9:04 PM by totti10

    IPsec VPN Client using external DHCP Server?


      Hi all,


      I configured an IPsec VPN Client in this topology, using an external DHCP Server to assign the Virtual Adapter IP address:



      VPN Client.PNG

      The DHCP Server is Windows Server 2003 and has multiple scopes.

      I use subnet for VPN clients.

      Here's my configuration on McAfee NGFW 5.8



      I also have permit any any at the bottom to make sure DHCP relay is permitted (by the way, is the DHCP Relay sub-policy missing on NGFW 5.8??)

      Stonesoft IPsec VPN Clients received no IP address from DHCP Server.

      Am I missing something?

      And how does the DHCP Server know which pool to use when assigning to the VPN Client?


      Thanks and Regards!

        • 1. Re: IPsec VPN Client using external DHCP Server?



          Which scope the DHCP server uses to assign addresses to incoming requests is up to the server, but most often it assigns it based on the interface the request came in on, or in the case of unicast requests, based on the source address.


          You would need to also enable "Use proxy ARP" and "Restrict ranges" in the same screen you sent the screenshot of, and define the range matching the scope behind both of the two buttons on the right. "Use local relay" should not be necessary. It forces unicast requests to be used even with a directly connected DHCP server.


          The DHCP relay subpolicy is no longer necessary with 5.8; the same is done with automatic rules.


          In the access rule you have, put the address range matching the scope also in the source field, and in the "source VPN" field on the far right, put the client VPN element involved. This is the most explicit way to configure an mVPN rule.


          Please use the log browser to check for any related errors when the client connection is attempted.

          • 2. Re: IPsec VPN Client using external DHCP Server?

            Hi ilindblo,


            Thanks for your answer. As I know, the DHCP Server on Windows 2k3 and 2k8 uses the Relay Agent IP Address information to find which scope is used. So in this VPN Client case, there's no way to assign an IP address that is out of to the VPN Client, right? In the real world, when the gateway uses a Public IP address, the DHCP Request from the VPN Client will hit the outside interface (that is using IP address) and Relay Agent IP Address = outside interface's IP address --> we have to assign an IP address that belongs to the outside interface's subnet; it's impossible and nonsense.

            By the way, I didn't see any DHCP policy in the automatic rules in my NGFW:



            Thanks and Regards!

            • 3. Re: IPsec VPN Client using external DHCP Server?



              The VPN Client does not use DHCP-over-IPsec, so there is no DHCP Request from the client. The client requests the virtual IP from the gateway through IKE mode-cfg. The gateway then requests the DHCP lease from the DHCP server for the client. You can select the interface for DHCP relay in the engine properties, VPN > VPN Client section. That selection defines the source IP (and relay agent IP) used when sending the DHCP Request to the DHCP Server (if unicast is used). The DHCP packets themselves sent by the firewall are routed to the DHCP server based on the routing table (not through the interface you selected in the VPN Client settings).


              You can also select an interface that is not directly facing the DHCP Server for relay, as long as the server is able to route its answer back to the firewall. So for example in this case, if you select the as "interface for DHCP Relay", and the DHCP Server has a scope and it routes packets directed at back to the firewall (e.g. the firewall is the default gateway for the server), then there should be no problem and the VPN Client receives a virtual IP from the scope.


              This means you can even create a dummy VLAN or tunnel interface that has an IP from the scope that you want to use, and select that as the "interface for DHCP Relay".


              >By the way, I didn't see any DHCP policy in the automatic rules in my NGFW:


              The rules are still created even though they are not listed there; this issue (i.e. the missing DHCP Relay entry in the automatic rule summary) should be fixed in a future release.
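The scope-selection logic described across replies 1 to 3 (the relay agent IP, giaddr, decides which scope the DHCP server answers from, so a relay IP on the outside interface maps to the outside subnet, while a dummy interface holding an address from the VPN scope maps to that scope), shown as an added Python example. This is constructed illustration code, not from the thread or from any McAfee/Stonesoft or Windows DHCP implementation; the scope subnets, MAC and interface addresses are made-up assumptions.

```python
import ipaddress
import struct
from typing import Optional

# Constructed example scopes (assumed, not from the thread): one per subnet the DHCP server serves.
SCOPES = {
    "outside": ipaddress.ip_network("203.0.113.0/24"),  # subnet of the firewall's outside interface
    "lan": ipaddress.ip_network("192.168.10.0/24"),     # internal LAN
    "vpn": ipaddress.ip_network("10.99.0.0/24"),        # pool intended for VPN clients
}

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 options magic cookie, at offset 236


def build_dhcp_discover(mac: bytes, giaddr: str) -> bytes:
    """Build a minimal RFC 2131 BOOTREQUEST carrying a DHCPDISCOVER with the given relay agent IP."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s",
        1, 1, 6, 0,              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0x8000,   # xid (arbitrary), secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,          # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,      # giaddr: relay agent IP (0.0.0.0 if not relayed)
        mac.ljust(16, b"\0"),                     # chaddr
    )
    options = DHCP_MAGIC + b"\x35\x01\x01" + b"\xff"   # option 53 = DISCOVER, then end
    return header + b"\0" * (64 + 128) + options        # sname (64) and file (128) left empty


def relay_agent_ip(packet: bytes) -> str:
    """Extract giaddr, bytes 24..27 of the fixed BOOTP header, after sanity-checking the cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    return str(ipaddress.ip_address(packet[24:28]))


def select_scope(packet: bytes, receiving_iface_ip: str) -> Optional[str]:
    """Pick the scope the way the replies describe: relayed requests (giaddr != 0) are matched
    on giaddr, directly received broadcasts on the subnet of the interface that received them."""
    giaddr = relay_agent_ip(packet)
    key = ipaddress.ip_address(receiving_iface_ip if giaddr == "0.0.0.0" else giaddr)
    for name, net in SCOPES.items():
        if key in net:
            return name
    return None  # no scope covers the key: the server stays silent and the client gets no lease
```

With the relay IP set to the outside interface's address the server answers from the outside scope (the situation the original poster worried about), while a relay IP taken from the VPN scope, e.g. on a dummy VLAN interface, selects the VPN pool.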




              • 4. Re: IPsec VPN Client using external DHCP Server?

                Hi Inurmi,


                You're absolutely right!!


                Thank you guys!