10 Replies, latest reply on Oct 21, 2015 6:23 AM by seebvey

    VPN Client addresses via DHCP

    seebvey

      Hi everybody,

      Is it possible to assign IP addresses to VPN clients via the internal DHCP server, but from a different DHCP pool than the internal one?

      For example: my LAN is 172.20.1.0/24 and the DHCP server is 172.20.1.10. The address pool for VPN clients should be 172.20.8.0/24.

      Or is there any other way to get the clients working with 172.20.8.x addresses?

      Regards

      Sebastian

        • 1. Re: VPN Client addresses via DHCP

          In this case you are using an external DHCP server, not the one integrated in the NGFW?

          Which scope the DHCP server chooses the address from is up to the server. You may be able to influence that by defining addresses on the NGFW engine and adjusting the "NDI for local relay" option.

          • 2. Re: VPN Client addresses via DHCP
            seebvey

            Hi,

            Yes, I am trying to use an external DHCP server.

            I configured a tunnel interface with the address 172.20.8.1 and tried using it for the DHCP relay.

            The relay worked and the client got a 172.20.8.x address. But I was not able to get traffic through the tunnel, and I thought it was because of the tunnel interface.

            EDIT:

            OK, I tested some more.

            My VPN client is getting a 172.20.8.x address and I can see an echo request from the client to an internal server.

            On the internal server I can see the echo request too, and the echo reply.

            On the firewall node I can see the reply too.

            But the VPN client does not get the reply.

            What do I have to do for the return traffic?

            • 3. Re: VPN Client addresses via DHCP
              thyvarin

              Hi,

              Replies from the server should be allowed based on the state table entry, as long as you didn't turn off connection tracking in the mobile VPN rule that allowed the ping. If connection tracking is enabled and you see the ping match the correct rule, verify with tcpdump that the echo reply from the server is arriving at the firewall with the correct destination MAC address, i.e. the FW will only process packets that have its MAC address as the dst MAC.

              BR,

              Tero

              • 4. Re: VPN Client addresses via DHCP
                totti10

                Hi Ilindblo,

                "In this case you are using an external DHCP server, not the one integrated in NGFW?"

                What is the one integrated in the NGFW? As far as I know, there are only two methods that define the IP address a VPN client uses:

                • Use NAT Pool
                • Use External DHCP Server

                Please correct me if I'm wrong.

                Thanks and Regards!

                • 5. Re: VPN Client addresses via DHCP
                  lnurmi

                  Hi,

                  The firewall also has a DHCP server; it can be enabled in the physical interface properties. I believe it was starting from version 5.5 that it can be used to distribute virtual IPs to VPN users. You'd configure the DHCP server on an interface, select it as "NDI for DHCP relay" in the gateway's IPsec Client settings and enable "use local relay".

                  Note that DHCP Relay and DHCP Server cannot both be enabled at the same time on the same firewall's interfaces.

                  BR,

                  Lauri

                  • 6. Re: VPN Client addresses via DHCP
                    seebvey

                    Hi,

                    As far as I know, I can't use the interface DHCP server in a cluster environment.

                    At this point I realize that I did not write that I use a cluster.

                    Does this make any difference to this issue?

                    Regards

                    Sebastian

                    • 7. Re: VPN Client addresses via DHCP
                      thyvarin

                      Yes, it does make a difference, as the internal DHCP server can be used for this purpose only in a single-node installation:

                      https://kc.mcafee.com/agent/index?page=content&id=KB78980&actp=null&viewlocale=en_US&showDraft=false&platinum_status=fal…

                      Can I obtain a Virtual IP address for the VPN client from the engine DHCP server?

                      Starting with Security Engine version 5.4.2, the local DHCP server can be used to issue virtual IP addresses for VPN clients in single-node engine setups.
                      NOTE: This is not supported in cluster or active-standby setups.

                      In the security gateway configuration for IPsec Client, configure the engine interface IP that has the local DHCP server configured as the DHCP server for VPN clients. The Use Local Relay option must be selected.

                      BR,

                      Tero

                      • 8. Re: VPN Client addresses via DHCP
                        seebvey

                        Exactly, this is why I'm not using the internal (firewall-integrated) DHCP but the external (LAN) DHCP server.

                        But does the cluster scenario make any difference to the problem that I can't get traffic through the tunnel?

                        **************************

                        Yes, I am trying to use an external DHCP server.

                        I configured a tunnel interface with the address 172.20.8.1 and tried using it for the DHCP relay.

                        The relay worked and the client got a 172.20.8.x address. But I was not able to get traffic through the tunnel, and I thought it was because of the tunnel interface.

                        EDIT:

                        OK, I tested some more.

                        My VPN client is getting a 172.20.8.x address and I can see an echo request from the client to an internal server.

                        On the internal server I can see the echo request too, and the echo reply.

                        On the firewall node I can see the reply too.

                        But the VPN client does not get the reply.

                        **************************

                        • 9. Re: VPN Client addresses via DHCP
                          lnurmi

                          Did you check the firewall logs? Probably there is a discard log entry for the echo reply with the information message "spoofed packet".

                          Antispoofing is built from the interface and routing configuration. So if 172.20.8.0/24 is configured on tunnel1000, by default we only expect and accept traffic from that network on the tunnel1000 interface. If traffic from that network might also be received on other interfaces, you need to add this network under those interfaces in antispoofing.

                          Another option is to add this IP to the internal Ethernet interface and use it as the NDI for DHCP relay.

                          BR,

                          Lauri
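The interface-based antispoofing check described in the reply above, modelled in Python as an added example (not NGFW engine code). The interface names eth0 and tunnel1000 and the sample packets are constructed assumptions; the networks are the ones from this thread.

```python
"""Model of the interface-based antispoofing check lnurmi describes (added
example, not NGFW engine code). Interface names eth0 (LAN) and tunnel1000
(VPN pool) and the sample packets are constructed; networks are from the thread."""
import ipaddress
from typing import Dict, List, Tuple

# Default antispoofing table as derived from the interface/routing configuration:
# a source network is expected only on the interface it is configured on.
DEFAULT_ANTISPOOF: Dict[str, List[str]] = {
    "eth0": ["172.20.1.0/24"],        # internal LAN, DHCP server is 172.20.1.10
    "tunnel1000": ["172.20.8.0/24"],  # VPN client address pool
}

def build_table(config: Dict[str, List[str]]):
    """Parse the per-interface network lists into ip_network objects."""
    return {ifname: [ipaddress.ip_network(n) for n in nets]
            for ifname, nets in config.items()}

def check_packet(table, ingress_if: str, src_ip: str) -> str:
    """Accept a packet only if its source lies in a network expected on the
    interface it arrived on; otherwise discard it as a spoofed packet."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in table.get(ingress_if, [])):
        return "allow"
    return "discard: spoofed packet"

def add_network(config: Dict[str, List[str]], ifname: str, network: str):
    """Return a copy of the config with network also listed under ifname
    (the fix from the thread: add the VPN pool under the other interface)."""
    fixed = {k: list(v) for k, v in config.items()}
    fixed.setdefault(ifname, []).append(network)
    return fixed

def run_log(config, packets: List[Tuple[str, str]]) -> List[str]:
    """Evaluate constructed (ingress_if, src_ip) packets and return log lines."""
    table = build_table(config)
    return [f"{ifname} src={src}: {check_packet(table, ifname, src)}"
            for ifname, src in packets]

if __name__ == "__main__":
    # Constructed packets: a client-pool address arriving on tunnel1000 (expected)
    # and the same address arriving on eth0 (not expected by default).
    sample = [("tunnel1000", "172.20.8.23"), ("eth0", "172.20.8.23")]
    print("\n".join(run_log(DEFAULT_ANTISPOOF, sample)))
    fixed = add_network(DEFAULT_ANTISPOOF, "eth0", "172.20.8.0/24")
    print("\n".join(run_log(fixed, sample)))
```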
