I am trying to configure our NGFW 5.9.1 with IPSec remote access (and the McAfee IPSec VPN client 5.9.1) and I always get a "Failed to acquire virtual IP address" error.
I configured an unused interface with the IP 192.168.125.1/24 and set that interface as a DHCP Server:
DHCP Mode: DHCP Server
DHCP Range: 192.168.125.100-192.168.125.200 (an object that I named VPN-Users)
Primary DNS Server: 18.104.22.168
Default Gateway: 192.168.125.1
For the endpoint tab, I enabled only the internet-facing interface:
IP Address: <public IP>
Phase-1 ID: <public>
VPN Type: All Type
For the VPN Client tab:
VPN Type: IPsec VPN
Local Security Check: None selected
Virtual IP Address: Enabled
Use Proxy ARP: Enabled. I used my VPN-User (192.168.125.100-192.168.125.200) object in the IPv4 Address Range.
Restrict Virtual Address Ranges: Enabled. I used my VPN-User (192.168.125.100-192.168.125.200) object in the IPv4 Address Range.
Use DHCP: Enabled. DHCP Server is set as my FW interface IP (192.168.125.1)
Use Local Relay: Enabled
Interface for DHCP Relay: 192.168.125.1 interface
In my policy, I added the following rule:
From: VPN-Users (192.168.125.100-192.168.125.200)
Action: Enforce VPN: Remote Access (my VPN definition)
Authentication: my user
Here are the logs from my VPN client:
|09:05:35||Initiator's proposing IKE SA payload SA( protocol = IKE (1), AES CBC key len = 256, AES CBC key len = 128, 3DES, HMAC-SHA256-128, HMAC-SHA1-96, HMAC-MD5-96, HMAC-SHA256 PRF, HMAC-SHA1 PRF, HMAC-MD5 PRF, 2048 bit MODP, 1536 bit MODP, 1024 bit MODP; )|
|09:05:35||Prompting for user name and password.|
|09:05:38||Initiator's proposing IPsec SA payload SA( protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 256, AES CBC key len = 128, 3DES, HMAC-SHA256-128, HMAC-SHA1-96, AES-XCBC-96, HMAC-MD5-96, No ESN, ESN; )|
|09:05:38||Gateway certificate issued by an unknown CA:|
|09:05:38||Prompting for gateway fingerprint validation.|
|09:05:39||Gateway fingerprint validated.|
|09:05:39||Client authentication successful|
|09:05:39||User authentication successful.|
|09:05:39||Acquiring virtual IP address...|
|09:05:39||Received IPsec error notify Internal address failure (36)|
And here are the error logs from the FW:
Failed to resolve DHCP interface: no match to ifnum (7)
Failed to resolve DHCP interface
DHCP session (a8c00f0), error: error
DHCP session (a8c00f0), dropping ipsec session 100000e: Failed to resolve DHCP interface
I have pretty much the exact setup in my lab and it works perfectly, so I know that the issue is not with my PC/VPN client.
Is there anything that I'm missing to have DHCP work on this firewall?
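The two logs above only make sense together: the client sees nothing more specific than the IKEv2 notify INTERNAL_ADDRESS_FAILURE (36), while the root cause (the gateway cannot resolve the interface the DHCP relay should use) appears only on the firewall. The script below is an added example, not code from the post or from the firewall vendor; it parses the client lines in their `|HH:MM:SS||message|` shape, maps the notify number to its RFC 7296 name, pairs it with the gateway's "dropping ipsec session" reason, and checks that a virtual-address pool written as `first-last` actually lies inside the DHCP interface's subnet (a malformed range such as the `192.168.125-200` typo fails that check). The sample log lines are the ones quoted above, embedded as constructed input; the function names are my own.

```python
"""Correlate an IPsec VPN client's IKE log with the gateway's DHCP log.

Added example (not from the original post or the firewall vendor). Assumes
client log lines look like `|HH:MM:SS||message|` and gateway lines are the
plain text quoted in the post. Notify names follow RFC 7296 section 3.10.1.
"""
import ipaddress
import re

# Constructed sample: the client lines quoted in the post.
CLIENT_LOG = """\
|09:05:39||Client authentication successful|
|09:05:39||User authentication successful.|
|09:05:39||Acquiring virtual IP address...|
|09:05:39||Received IPsec error notify Internal address failure (36)|
"""

# Constructed sample: the gateway lines quoted in the post.
GATEWAY_LOG = """\
Failed to resolve DHCP interface: no match to ifnum (7)
Failed to resolve DHCP interface
DHCP session (a8c00f0), error: error
DHCP session (a8c00f0), dropping ipsec session 100000e: Failed to resolve DHCP interface
"""

# IKEv2 error notify types (RFC 7296, section 3.10.1).
IKEV2_ERROR_NOTIFY = {
    1: "UNSUPPORTED_CRITICAL_PAYLOAD", 4: "INVALID_IKE_SPI",
    5: "INVALID_MAJOR_VERSION", 7: "INVALID_SYNTAX", 9: "INVALID_MESSAGE_ID",
    11: "INVALID_SPI", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
    24: "AUTHENTICATION_FAILED", 34: "SINGLE_PAIR_REQUIRED",
    35: "NO_ADDITIONAL_SAS", 36: "INTERNAL_ADDRESS_FAILURE",
    37: "FAILED_CP_REQUIRED", 38: "TS_UNACCEPTABLE", 39: "INVALID_SELECTORS",
    43: "TEMPORARY_FAILURE", 44: "CHILD_SA_NOT_FOUND",
}

CLIENT_LINE = re.compile(r"^\|(\d{2}:\d{2}:\d{2})\|\|(.*)\|$")
NOTIFY = re.compile(r"error notify (?P<text>.+?) \((?P<code>\d+)\)")
GATEWAY_DROP = re.compile(r"dropping ipsec session (?P<sid>[0-9a-f]+): (?P<reason>.+)$")


def parse_client_log(text):
    """Return (timestamp, message) tuples; lines not in the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = CLIENT_LINE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def client_notify_errors(events):
    """Map every 'error notify ... (N)' event to (timestamp, N, RFC 7296 name)."""
    out = []
    for ts, msg in events:
        m = NOTIFY.search(msg)
        if m:
            code = int(m.group("code"))
            out.append((ts, code, IKEV2_ERROR_NOTIFY.get(code, "UNKNOWN")))
    return out


def gateway_drop_reasons(text):
    """Return {ipsec_session_id: reason} from the gateway's 'dropping ipsec session' lines."""
    reasons = {}
    for line in text.splitlines():
        m = GATEWAY_DROP.search(line)
        if m:
            reasons[m.group("sid")] = m.group("reason")
    return reasons


def diagnose(client_text, gateway_text):
    """Pair each client INTERNAL_ADDRESS_FAILURE with the gateway-side drop reason.

    The client only learns the generic notify; the root cause is in the
    gateway log, so each finding carries both sides.
    """
    findings = []
    reasons = gateway_drop_reasons(gateway_text)
    for ts, code, name in client_notify_errors(parse_client_log(client_text)):
        if name == "INTERNAL_ADDRESS_FAILURE" and reasons:
            for sid, reason in reasons.items():
                findings.append({"time": ts, "notify": name, "code": code,
                                 "ipsec_session": sid, "gateway_reason": reason})
        else:
            findings.append({"time": ts, "notify": name, "code": code,
                             "ipsec_session": None, "gateway_reason": None})
    return findings


def pool_within_interface(pool, interface):
    """True when a 'first-last' pool lies inside the interface's network.

    A malformed pool (e.g. the '192.168.125-200' typo) returns False rather
    than raising, so the check can run over a whole list of objects.
    """
    try:
        first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
    except ValueError:
        return False
    net = ipaddress.ip_interface(interface).network
    return first in net and last in net and first <= last


if __name__ == "__main__":
    for f in diagnose(CLIENT_LOG, GATEWAY_LOG):
        print(f)
    print(pool_within_interface("192.168.125.100-192.168.125.200", "192.168.125.1/24"))
```

Running it on the quoted lines yields one finding that ties the client's notify 36 to ipsec session `100000e` and the reason "Failed to resolve DHCP interface", which is the line to chase on the firewall side (the relay interface binding), not on the client.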